Cisco AAA/Identity/Nac :: 1142 How CDP Device Sensor Probe Works With ISE

Jan 24, 2013

How does the CDP device sensor probe work with ISE? What I am trying to do is to identify different Cisco Wireless Access Point models (i.e. LAP 1142) with ISE. Since the APs do speak CDP (I can see the AP devices on the switch), this should be possible with the CDP device sensor on the switch, shouldn't it? I have done the following so far: Configured the switch to talk to ISE via radius accounting: [code] Should this config make the switch send CDP information about connected devices to the ISE (via radius accounting)? How do the device sensors work?


Cisco Wireless :: Aironet 1142 Device Fails

Jun 14, 2012

We have a Cisco Aironet 1162N connected to a Wireless Controller (LIGHTWEIGHT mode); the device failed and it needs to be replaced. We have a Cisco Aironet 1142N in stock available to use. Can we proceed with the change just by disconnecting the failed AP (model: 1162N) and connecting the new one (model: 1142N)? Or is there any other task to be done before the change, since the WLC manages the configuration for each AP?

Cisco Wireless :: Aironet 1142 Cannot Connect To Device With Browser

Sep 9, 2012

I am trying to set up an Aironet 1142. I have created a reservation in DHCP using the MAC address, and the reservation shows as active, but I cannot connect to the device with my browser.

Cisco AAA/Identity/Nac :: Aironet 1142 As Supplicant To 2960 Switch

Apr 23, 2013

First, my configuration, (then the problem down below):
I have an Aironet 1142 with multiple SSIDs [mapped to VLANs] connected to Gi1/0/2 on a 2960 switch in a user-accessible area. This switch is uplinked to another 2960 switch in a wiring closet, and the Microsoft NPS server is connected to the wiring closet 2960.
Aironet -- 2960 [user area] --- 2960 [closet] -- NPS RADIUS
I have the user-area 2960 configured as an authenticator switch for dot1x, and port Gi1/0/2 is authenticating the Aironet via MAB to RADIUS. RADIUS is sending VSA device-traffic-class=switch to the 2960. The closet-2960 has no special 802.1x configuration, nor is it an authenticator switch; it just has a manually-configured trunk port to the user-area 2960 [for now; I'm trying to take this one step at a time!].
The user-area 2960 correctly converts port Gi1/0/1 to a trunk port when the Aironet is authenticated [via MAB]. The Aironet boots up, the port is opened, I can ping the Aironet on the native VLAN, and all is well [so it seems]. The Aironet dot11Radio is configured for two SSIDs and mapped to VLANs, which are being spanned via STP through the user-area 2960 and the closet-2960. STP is correct and verified on all switches.
I have DHCP snooping configured on the user-area 2960 but only for VLAN 1 [but NOT the wireless user VLANs]; the trunk port to the closet 2960 is a trusted port. Hosts on the wired ports on the user-area 2960 are able to get DHCP IPs. On the Aironet, "show dot11 associations" shows hosts on the SSIDs are getting DHCP addresses. Again, I am *NOT* running DHCP snooping on wireless SSID VLANs [I read elsewhere that can cause problems as users roam between Aironets].
I do have CISP configured on the user-area 2960. I do not have CISP configured on the closet-2960 [best I can tell, that's not required at this stage, but I could be wrong]. Despite the alleged documentation, I could not get the Aironet to use a dot1x credentials profile to authenticate to NPS/RADIUS as an 802.1x supplicant, which is why I resorted to MAB for this exercise. The Aironet simply would not run dot1x [best I could tell]. The documentation and configuration didn't seem complex, so I was quite confused.
I have upgraded the Aironet to the latest 12.4(25d)JA2 software, and the 2960 is at 12.2(55)SE7 [I saw 12.2(58) has some issues, but I'm willing to be persuaded otherwise, based on sound advice]. OK, now the problem:
Users on the guest wireless SSID (VLAN 20) say they cannot connect. Yep, classic. VLAN 20 is trunked and spanned to all the sufficient places. The Aironet shows users in the associations list for that SSID with IP addresses from the DHCP server! DHCP snooping is not configured on that VLAN. I read another support forum post saying CISP and MAB could cause problems with "disappearing" ARP entries. I appear to have that problem. However, the user on the Staff wireless (VLAN 10) has full access. Am I running into a problem with "multi-host" authentication config? Via tcpdump on my firewall, I see nothing but broadcast and multicast traffic coming from a host on VLAN 20. What puzzles me is how I do see *SOME* traffic from a VLAN 20 host on this SSID, but no unicast traffic!
Since you're going to ask, here is my port config for this AP on the 2960 authenticator switch in the user-area, and the AAA config pieces:
#sh run br | in ip dhcp          
ip dhcp snooping vlan 1
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcp_snoop.txt
ip dhcp snooping

Cisco :: Configure Device Discovery In LMS 4.0 Works

Aug 1, 2011

I'm getting started on CiscoWorks and I am trying to configure a device discovery to start, but I have some questions about how to configure this tool. There exist 5 parameters that I have to configure to start the device discovery.
• Configuring Discovery Module Settings
• Configuring Seed Device Settings

I want to add devices that found neighbors via CDP, so in the configuring discovery module setting I chose that option. In the configuring seed device setting I chose DCR as seed device; that means those devices already in the DCR start discovering from those devices, but you can add more seed devices. How can I add a seed device? With an IP address or something like this? And does this device have to be in the DCR already or not? The configuring SNMP settings: this community corresponds to what device? The devices that I want to add? And in the field target name, what IP address has to be there? And if I have different SNMP communities on my devices, what device and SNMP community do I have to configure in this parameter?

Cisco :: Rtr2900 - LMS 3.2 Device Update Didn't Works

Aug 24, 2011

I have CiscoWorks LMS3.2 with RME4.3.1 and CS 3.3.0.
When I want to update the devices, I go to Common Services - Software Center Device Update and mark Resource Manager Essential; then I receive this window:
Now I choose the Rtr2900 package (same problem for all six packages) and when I want to download it, then after defining the destination path for the file I see this window:
Then I tried to download it manually with the following command: PSUCli.bat -p rme -d -dst c:psu_download -all
The six packages that are shown in the picture above were not downloaded.
I assume that there is an error on Cisco's side because the size of the six packages is NA.
Or is there another possibility to download the package for the Rtr2900?

Cisco AAA/Identity/Nac :: ACS 5.2 Identity Groups - Restrict Device Access

Apr 14, 2011

I have ACS 5.2 running as a VM. I'm AD, then local authentication successfully for device access, but I want to define ACS user groups to restrict login. I don't see any way to do this. If I use AD groups, they don't show up as selection options on the policy screens, just the ACS locally defined groups.

Linksys Wap54g - Cheap Extension Antenna That Works With This Device

Feb 2, 2011

Any cheap outdoor extension antenna that works with a Linksys wap54g? Not looking for anything too expensive. Just trying to bring wifi signal into a building.

Cisco Switching/Routing :: C2960 USB Flash Device Works In ROMmon But Not In Normal Mode?

Aug 7, 2012

I have a 512MB USB Flash device and was able to boot the IOS on the C2960 from it. After that I tried to copy the IOS file from the USB to the system flash, but it could not find the USB device. On plugging in the device the system tells me: "Transfer type 2 not supported". I configured the USB device in NTFS and FAT; both are able to boot with the ROMMON, but the normal system does not accept them. I know I can do the copy over TFTP from my laptop, but it is strange that ROMMON accepts the USB device and the system does not?

Cisco AAA/Identity/Nac :: Rancid Works With ACS 4.2 But Not 5.3?

Jan 28, 2013

We are in the process of upgrading from ACS 4.2 to 5.3. Most things seem to be working but we are having some major issues with the Rancid configuration tool. I can log into devices using CLI login with the credentials that Rancid uses but Rancid fails login.
This worked fine with our 4.2 implementation but not the 5.3. Presumably I need to make a change in the expect scripts because the new ACS server sends a different string but I have no idea what it is supposed to be.

Cisco AAA/Identity/Nac :: ACS 5.2 - LDAP Authentication Works / Authorization Fails

Oct 24, 2011

I set up an LDAP store pointing to a Windows domain and am testing authenticating users via an ASA. In my LDAP config, it's set for "Groups Objects refer to subjects" and I selected usernames in the drop down. I also added a Global Group to the Directory groups tab in the LDAP store that I created.
Under my Access Policies, I created a rule that meets two conditions - coming from the ASA, and then I was able to select the group from the drop down box for my LDAP domain. As a condition, it shows up as DomainName:External Groups. I set the permission to Permit Access.
Originally, I was failing authentication and I was receiving Subject Not Found in Store. I adjusted the Identity Sequence and now I receive the following error:
15039:  Selected Authorization Profile is Deny Access. So it must not be associating my account with the group with the Permit Access and using the Default Permissions. So it does match the correct Access Service, and Identity Store.

Cisco AAA/Identity/Nac :: ACS 4.1- Shell Command Works Under User But Not Group

Jul 27, 2011

This question might actually belong under tacacs server but it's only happening with the ACE.  I've configured tacacs on the 4710 and configured the tacacs server per the documentation. If I enter the shell:<context>*Admin default-domain under the group settings when I login with my tacacs ID my role is set to Network-Monitor.  If I set the shell in my specific tacacs ID I'm assigned the correct role as Admin.  We're running ACS ver 4.1 and the ACE is A4(1.1)

Cisco Application :: 4710 Way To Set Up A Probe To Look For Image On Homepage

Oct 16, 2011

We have an ACE 4710 providing load balancer functions for 2x websites.  Is there a way to set up a probe to look for an image on the homepage of the website to deem the site is available.

Cisco Application :: Health Probe For RDP Farm 3389

Aug 19, 2012

I have an RDP server farm that lost a disk. The RDP service was still running but users were unable to log in. I'd like to create a health probe that does maybe a combination of TCP probe for port 3389 and something that can determine if the drive that stores user profiles is available.
I cannot add any new service (http or ftp) to the server. Is there any way I can check SNMP mibs on the windows server or maybe WMI through TCL?

Cisco Application :: ACE 4710 Failed Probe And Established Connections

Jan 23, 2013

I have four ACE 4710. Each pair of ACE is in one geographical location. Probes are configured so that they check a regular regex (HTTP GET). When there is a need for an rserver update we change the text in our testpage.html (e.g. from "OK" to "SUSPEND") so that the probe detects a failure. In fact the rservers are still operational, but should not accept new connections. This works fine. BUT I observed that established connections/sessions did not end after the probe fails. The ACE probably waits for opened/established connections to end, and that is what I am asking about. What happens if the probe fails but in fact the rserver is operational? I thought that if the probe fails it also ends/cuts all established connections to the rserver. But it seems that is not true.

Cisco Application :: ACE20 Module - Capture Probe Traffic?

Mar 5, 2013

I have an HTTPS probe that sometimes fails, sometimes does not fail.
The probe that sometimes fails is the TEST-HTTPS. The TCP_443 probe works perfectly well. The ACE is configured in bridge mode. Is it possible to capture the PROBE traffic on the ACE side?

Cisco Application Networking :: ACE20-MOD-K9 HTTPS Probe Failing Randomly

May 13, 2013

I have a physical server running behind the ACE module ACE20-MOD-K9. The server has several virtual machines. One of those virtual machines has a WEB SERVER running virtual https servers. For example, server with IP address, has several virtual HTTPS servers as of urll... So, if you nslookup the servers, they all respond with IP address. So if I do url...goes to and read the VIRTUAL SERVER config and replies back to the request. Now, I am trying to verify that the TCP connection (443) and the HTTPS server itself are up and running but only for the url... site and not for the other 2. The problem that I am facing is that the HTTPS probe fails randomly. The TCP probe works fine.

Cisco Firewall :: ASA5512-X Losing Connection To IPS Sensor?

Sep 30, 2012

I have a new 5512-X with the built in IPS sensor. The firewall is running in transparent mode with the management interface being used for both the ASA and the IPS sensor. i.e. a single interface.
Both the IPS and the ASA are configured on the same network segment ( for the firewall and for the IPS). However the IPS module keeps going off-line whilst the firewall is fine. So CSM Health and Performance Manager keeps coming up with an error.
Now the interesting bit... If I SSH to the firewall and issue a session ips I get straight into the sensor. I can then ping something from the sensor - exit out and the sensor is visible on the network for a while. It then drops again. Is there a keep-alive that I need to configure to get this working properly?

Cisco Switching/Routing :: 4507 FAN Sensor Error

May 13, 2013

I have a 4507 switch and I got the fan sensor error which is mentioned below [code] What is the meaning of FAN Sensor both being Bad/off?

Cisco Firewall :: Add IPS Or IDS Sensor On 5510 Before Installing DMZ Zone

Oct 30, 2012

I would like to know if I need to add an IPS or IDS sensor on my firewall 5510 before I install a DMZ zone?

Cisco Application :: ACE 4710 Prevent Failback To Primary Server When Probe Fail

Feb 26, 2011

I want to configure my ACE so that if a probe fails, it fails over to the backup rserver, BUT it won't failback to the primary rserver until manual intervention is complete. The problem is we don't want an rserver to fail and failover to secondary, then failback to primary, repeat... (flip-flopping).   I want to be able to have time to get on the server and find out what may have caused the probes to fail before it fails back.

D-Link DCS-942L :: Sound Detection For Motion Sensor

Dec 11, 2011

I have been testing my new DCS-942L and found that while the motion detection works great it is sometimes hindered by the audio mic setting of motion detection. I have turned down the microphone settings to the lowest (10) and the only difference is minuscule. The camera will still set off the motion detection prior to anyone being in the screen, and if the person enters the screen immediately after the noise the camera will not record the movement.

I have adjusted the sensitivity down to 25% and continued having the issue. I would like to record motion with sound. So either the microphone needs to be able to be adjusted lower, or not set off the motion detector.

Cisco AAA/Identity/Nac :: Device Restrictions In ACS 5.3?

Mar 13, 2013

In our scenario, easy vpn users are being authenticated by ACS 5.3 successfully. We have created a separate user group for these users. The issue is, these users are also able to access our routers using their username/password. I want to restrict this particular group so that it's not able to access any device.

Cisco Switching/Routing :: Inlet And Outlet Temperature Sensor In 6500

Mar 9, 2013

Below module showing inlet and outlet temperature N/o. How to find the issue related to the sensor in the module or something else to troubleshoot in the module to find the issue.

Cisco Wireless :: 1552E - Sensor Connected To Mesh Access Point

Jan 21, 2013

A 1552E has a temperature gauge sensor connected to its power over Ethernet port. The port status shows line protocol as down. The cable from the 1552 to the sensor has been changed twice. We can see the 1552E gig1 interface is at 1000 full duplex. Is there any chance the speed is causing the problem here? It seems the 1552E doesn't allow setting a different speed and remains on 1000.

Cisco AAA/Identity/Nac :: ACS (4.2) Read Only Device Access?

Sep 30, 2010

We are using ACS ver 4.2 and trying to set up users with limited access to our switches and routers. Here is what we did:
1) Created a user in ACS
2) Created Shell Command Authorization Set - ReadOnly
Unmatched Commands - Deny
Commands Added

* this should limit the user to the show and exit command only (correct)?
3) Created a group - HelpDesk with the following TACACS+ Settings

Shell (exec) is checked
Privilege level is checked with 15 as the assigned level
Assign a Shell Command Authorization Set for any network device - selected
ReadOnly - shell command authorization set selected
When the user logs on to the router/switch it appears that he has full access. He can enter the enable command, config terminal command, etc. All we want him to be able to do is to issue the show command.

Cisco AAA/Identity/Nac :: ACS 5.3 Time And Telnet Device Name?

Sep 12, 2012

This is a great place for ACS discussions; I need two more inputs from experts.
Thu Sep 13 14:35:28 UTC 2012
[ CmdAV=ip tacacs source-interface FastEthernet 0/1 ]
Device Type:All Device Types:ROUTERS, Location:All Locations:NON DC DEVICES
On the above message:
1. Need to change time from UTC to IST
2. The Device column is not showing the exact device name; I telnetted and changed the config, and it is showing the device group name only. How do I get the exact device name I telnetted to on this message?

Cisco AAA/Identity/Nac :: ACS 5.2 Device And Network Access

Oct 15, 2012

I have a question regarding the Cisco Secure ACS 5.2 and network access vs device admin access. We have our switches, routers, and firewall configured to use TACACS+. We also have configured our Wireless LAN Controller to use RADIUS for allowing for 802.1X authentication to the wireless network. We are using Active Directory for the backend user database and have assigned the users to different groups in AD. We have a Network Admins group to access the network devices and a Wireless Users group to access the WLAN. The problem that we have is that everyone in the Wireless Users group can access the devices and run full commands on them. We want to limit the Wireless Users group from being able to do this. Is there a policy or config change that we will need to make for this?

Cisco AAA/Identity/Nac :: Device Access Based Upon NDG Using ACS 5.2?

Mar 15, 2012

I have 2 types of network, DC & Office. I have 3 types of users: NOC, Office & DC. Office network devices are in the Office NDG, DC network devices are in the DC NDG. Because of this config, Office network users can only access Office devices & DC network users can only access DC network devices. Now I have NOC users, who want access to both Office & DC network devices. How can I achieve this?

Cisco AAA/Identity/Nac :: Integration ACS 5.2 With Other Device (sandvine)

Sep 18, 2012

I have ACS version 5.2 (TACACS), which I need to integrate with Sandvine equipment. I am currently looking for information and find very little on managing the integration of ACS with this Sandvine equipment.
I have information from the provider Sandvine, with a guide for this case that only states:

TACACS + server
On a TACACS + server, each user entry must allow the service "Sandvine". Within this service, the following attribute-value pairs can exist:
• An attribute named "Sandvine-Group" of type string.


Cisco Switching/Routing :: Nexus 5k Power Down Due To Temperature Sensor Policy Trigger

Dec 2, 2012

We have a Nexus 5k, and it kind of got hung today... it is running Version 5.1(3)N2(1b). The reset reason shows: Power down due to temperature sensor policy trigger. It doesn't look documented. What policy is it referring to? Not sure if this is an IOS bug?

Cisco AAA/Identity/Nac :: ACS 5.1 Device Admin Privilege Assignment?

Dec 1, 2011

My admin user is still being assigned privilege level 1, as shown in the AAA Protocol > TACACS+ Authentication Details report. The report seems to show that the user is getting the right shell profile (Selected Shell Profile: Net-Admin -- is the one I set up for this user's group with both Default Privilege and Maximum Privilege set to Static 15). But still not the right privilege (Privilege Level: 1). Also, I found this document via Google: [URL] The router configuration examples all show this "aaa authorization exec tacacs+|radius local" command, which my device does not have. So I am wondering if I am not reading the ACS report right, or the device actually was assigned the correct privilege but that does not work without the "aaa authorization exec" command in the configuration?

Cisco AAA/Identity/Nac :: ACS 5.2 RADIUS Network Device Authentication

Apr 19, 2011

I am trying to integrate Cisco ACS 5.2 in a network to do device authentication of switches for administrators.

I am not sure if Cisco ACS 5.2 supports the RADIUS protocol to do device authentication. In the configuration of the Cisco ACS 5.2 I can only see TACACS authentication for device authentication and I have configured it and it works. Does Cisco ACS 5.2 support RADIUS auth for device authentication?
