Cisco AAA/Identity/Nac :: 3315 / Connect Each NIC To 4 Different Networks Without Allowing Traffic
Mar 10, 2013
I have a nac guest server 3315 appliance with 4 NICs. I want to connect each NIC to 4 different networks without allowing traffic between them. So RADIUS interface will be different from sponsor/admin interface to the NGS. how to achieve this. I have created and assigned a static IP address using system-config-network, but when i do ifconfig i dont see the remaining 3 NICs and the web interface doesnt seem to have provision to create this interfaces.
I'm usually not working with this product, but this is what I'm trying to do.I have 2 internal networks setup on our Cisco ASA 5505 firewall. (not done by me, I'm a new to this product)I'm trying to access a server on one network from a PC located on the other internal network. (preferable through the web gui)When I try "Packet Tracer" from interface "Trust4" it fails on the NAT phase.(Source ip: 10.0.4.99, Destination ip: 10.0.6.99) When I check the NAT rule, it says: Type Source Interface AddressDynamic any outside outside.
My site got the NAC-3315 appliance and we would like to reimage this appliance to inline posture mode (for VPN purpose)What's the proper migration process should deal with this? Is the NAC-3315 hardware comply with the Inline posture mode requirement?
I installed ise-1.1.1.268.i386.iso on a scratch to the new NAC 3315. As i check cisco download mentioned it need to patch following files :ise-patchbundle-1.1.1.268-1-60802.i386.tar.gz,But once try to patch it show like attachment message, is it mean that i no need to do the patching?Or is there any instruction need to remove and reinstall for this files.
Is it possible to add another NIC to the Cisco 3315 NAC appliance. It ships with Four ethernet interfaces, but would like to add at least 1 extra interface i.e. PCI card if possible.
We have insatalled 5 ise 3315 boxes IOS 1.0.4 in our network where in two of them are admin node , two of policy services and one is mnt node. We are using guest sponsor portal for wirless guest user where in we have integrated WLC 5508 with ise and using weblogin for guest users.
We have created open ssid in wlc and using external redirected url of ise for guest login page. But when we create any guest user in sponsor login for guest user we faced following issue
1) When guest user gets conected to wirless and login in to guest portal with credential after putting credential then its again redirect to same login page wihout successful login prompt.
Can we pompt successful login after guest login to guest portal or redirect to any other link like google.com so guest user will gets to know he is able to access internet now
2) We have creted time profile 8hours first login for guest user. When guest user gets connected while putting credential in to guest portal. But we face issue after approximately every 20 mins guest gets disconnected from internet and guest again gets login page of guest portal and if we put same credential then its working but after approx 20 min interval user get disconnected from internet.
we have a new ISE 3315 installation going on, I powered on the Appliance and appliance booted sucessfully, I run the Setup command. however after Setup is completed and appliance got a reload, it is not booting at all , booting seems to be hang up as per the snapshot attached.however Appliance is pingable, . i carried the following tasks as part of troubleshooting.
2: suspecting that Setup was corrupted, i then re-initialzied / re-installed the ISE Completely, then i run the setup command and after self reload, exactly same behaviour.
3: I tried with both Secure CRT & Putty and results are same
Whether ISE-3315-K9 with ise version: Service Engine: 1.0.4.573 , supports the command level accounting Bascially , we have integrated Cisco Switches with Cisco ISE for Device Authentication using Radius , we are able get the authentication logs on to the devices , but for any command changes or update done on Cisco devices we are not able to get the command accounting.
We are conduction a Proof Of Concept (PoC) on Secure Bring Your Own Device ( BYOD ) using Cisco ISE and gonna test all the scenarios like Wired, Wireless and VPN user access.
Our Setup has ISE VM acting as Admin, Monitor and Profiling Device, we have NAC 3315 physical Appliance as Inline posture Device, Wireless LAN controller, Access point and the Identity source as Microsof Active Directory.Having Plans to Integrate Mobile Device Management ( MDM ) and Citrix VDI setup also.
As of now we have tested the Wired Scenario Authentication and authorization for guest users and gonna carry out the profiling and posture.
-MDM can be integrated to ISE ? -How the MDM can be integrated to Cisco ISE configuration or Guide to show the same? -What is the demarcation between MDM and ISE ( i.e. What is the role of ISE and MDM on Mobile Devices ) ? -If MDM is available so then when the control of ISE ends, does MDM do management or ISE will do management of the devices ? -Is MDM will do client provisioning or ISE should do ? -Is MDM send or update patches of Mobile Devices ?
my ISE 3315 is stuck in ISE 3315 stuck in INIT Entering runlevel: 3 when i connect a screen and keyboard i can only see this last message : ISE 3315 stuck in INIT Entering runlevel: 3 There is nothing after, i cannot login (no prompt) even after waiting 20 minutes with this message
I have no char return via serial cable depsite i was able to run initial setup from console (same cable, the DB9-DB9 provided, same serial config, same laptop)
Version ADE : ADE-OS-2.0 (2.6.18-238.1.1.el5PAE) Version ISE : 1.1.0.665
I would like to ask, given that i got 2 units of ISE-3315 appliance, one need to be primary node for admin-policy service-monitoring, another unit then become Inline posture node.For the preparation on line posture node, what shoud i do on it?
01. For the unit ready to become inline posture node, so I just boot it, install the OS from sractch (using version 1.1.1), then start the initialize setup etc, like Normal setup?
02. Before i regieter, what is the deployment nodes i should select for inline posture node unit? provided the admin-policy service-monitoring will become primary node, and registration for inline posture node will be next action.
We want to buy a ISE-3315-K9 for 500 end-devices.In the price-list I found the ISE-3315-K9 but cannot find the base license: L-ISE-BSE-500=. (I think I need this license)Will the shipment of the ISE-3315-K9 includes a 3000 end-points base license (maximum support of the ISE-3315) or do I need to order the base 500 license seperately?
I am looking to create an office network with each person having internet access but on a private network. however everyone will need to be able to access a communal printer. would they be able to see it if they were all on a different subnet or would i need to set up vlans?
I need to allow traceroute traffic through ASA running version 8.0.2.This traffic is natted. what configuration is required on ASA to allow this natted traceroute traffic.Traffic is coming from inside and going outside.Also can we capture this traceroute traffic on asa using capture feature.
Let me start by saying that I'm just starting to study for CCNA, so the ASA seems to be a bit above me yet. The ASA's we are using is for VPN to our corporate office and only allowing access to our Citrix environment, so no direct internet allowed. We have a person who works in the remote office who has need for a caption telephone that requires direct access to the internet. The phone only supports DHCP, and getting the ASA to do an ARP reservations is proving difficult. For now I wrote an access list to allow it's DHCP address out but it still isn't working. The access list I wrote is:
access-list 101 extended permit ip host xxx.xxx.xxx.124 any log access-list 101 extended permit ip any any access-group 101 out interface outside
When I do a show access-list I'm seeing that traffic is hitting the access list as the hit counter has increased. When I do a show conn I'm seeing one of the IP's that the phone should have access to, however the flags are: saA, so I'm assuming they are not getting a response. According to the manufacturer, only outbound connections are needed, no incoming ports required. All traffic is TCP.
I am trying to switch out a cisco pix 501 firewall with a cisco ASA 5505 firewall. I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one. Unfortunately, my script is not working with the 5505. What I am doing wrong with the following script? I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults. I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network. [code]
I ' m not able to configure the asa 5510 to allow the multicast traffic to pass through ASA.The multicast traffic have to pass from inside interface to outside interface.Can I configure the multicast traffic to pass through asa with a static nat ?
I am trying to allow PPTP traffic through my Linksys WRT320n to a PPTP VPN server on my home network.The Linksys WRT320n is running firmware 1.0.05 build 002Mar 31, 2011.I have created a Port Forwarding rule on the Linksys to allow TCP & UDP port 1723 through to my internal IP of the PPTP VPN server,but everytime I try to connect with a PPTP client from outside of my network I get a connection error on the client.Checking the PPTP VPN servers logs I see the following errors (Please note all IP's have been masked) Mar 2 11:15:07 ap-01 pptpd[5300]: CTRL: Client x.x.x.x control connection startedMar 2 11:15:07 ap-01 pptpd[5300]: CTRL: Starting call (launching pppd, opening GRE)Mar 2 11:15:07 ap-01 pppd[5301]: pppd 2.4.4 started by root, uid 0Mar 2 11:15:37 ap-01 pppd[5301]: Exit.Mar 2 11:15:37 ap-01 pptpd[5300]: GRE: read(fd=8,buffer=41fe30,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logsMar 2 11:15:37 ap-01 pptpd[5300]: CTRL: PTY read or GRE write failed (pty,gre)=(8,9)Mar 2 11:15:37 ap-01 pptpd[5300]: CTRL: Reaping child PPP[5301]Mar 2 11:15:37 ap-01 pptpd[5300]: CTRL: Client x.x.x.x control connection finished
From looking at the above errors, it seems as if the Linksys isn't forwarding GRE through to my PPTP server.I have tried various settings, including enabling and disabling the PPTP Passthrough option on the Linksysbut still can't get PPTP to work.What is the correct way to get GRE traffic forwarded through the Linksys?
I posted my complaint on Amazon.com recently. My E4200 router stopped allowing traffic through ports completely. I was able to unplug the power and allow the router to cool, and the router would work for a while then stop after about 10 minutes. I assume that the unit was overheating, but I do not have the equipment of a test facility.I bought a Belkin AC 1200 router which is a bit of an upgrade from Amazon.com. I do not think that there is anything that Linksys can do for me as my warranty expired. I just thought that when I spent what was to me a lot of money the router should have lasted longer.
I have a firewall ASA 5520. In this time I have connected 3 networks (192.168.1.0 INSIDE, 192.168.2.0 INSIDE2, 10.0.1.0 OUTSIDE). I follow the article [URL] to configure my firewall, but the ASA no permit traffic (ip, udp, icmp, etc) between the networks. The configuration that i have is:
ASA Version 8.2(1) ! hostname Firewall domain-name xxxxxx.com
I've got an 1841 router acting as the firewall for a LAN. It also does NAT and acts as the dialer for a PPPoE DSL line to the internet.
All is working fine, except now I need to allow a Tivo device to connect to certain ports on the Tivo servers on the internet. I want only the Tivo to be able to do this. The problem is that NAT is happening before my outbound ACL is checked, so even though I've got rules to allow the Tivo's LAN address out on all ports, it never works. I've verified this using a syslog server, and can see my external DSL IP trying to connect to the Tivo servers and being denied.
I've done things like this at work by NATting the appropriate internal host to its own external static IP address, which allows me to write rules allowing only that external address to do stuff. But I don't have multiple external addresses to work with here.
I tried applying my outbound ACL to the LAN interface of the router in the "in" direction (and removing the same ACL from the Dialer interface in the "out" direction), but that broke other things like the router's own ability to ping out to the LAN or to see a TFTP server on the LAN. I could maybe fix all of that with rule changes and inspect statements on traffic going out toward the LAN (not sure of this, think so), but I'm wondering:
Is there a better way to let just the Tivo makes outgoing connections to certain ports?
Config pasted below:
! ! Last configuration change at 17:15:10 CDT Sun Jul 15 2012 ! NVRAM config last updated at 16:27:14 CDT Sun Jul 15 2012 by someguy !
There is a problem with my WLC, it is not allowing an specific client to connect. It gives an 802.1x failure log but I am not using it, anyways the WLC puts this client in the excluded clients list and I didn't add it manually, in fact is a new laptop.
got an old computer to use from a family member and it is not alowing me to connect to the internet. it shows all my wireless connections but wont alow me to connect and use the internet. how do i fix this problem?
I am using virginmedia superhub which is supposed to give me a max of 30mbps. I use it wireless but am often getting fluctuations in speed - sometimes 500kbps upto 20mbps, nothing consistently close over 20mbps or close to 30mbps. I have bought a powerline kit - "develo olan 200 AV Wireless N" which has improved the speed but I still get fluctuations.
I have created a RA VPN with a 5505 using Anyconnect client. My VPN functions perfectly, but now I am trying to limit access so that only one single host on my network can connect. To do this I tried creating an ACL permiting the host and denying all other traffic, but it does not work it seems every one can connect. how I can limit the outside access to a single host?
My internet speeds are 45 Mbps DL and 1 Mbps UL and my various wireless connections (3 laptops in my household) were achieving speeds anywhere from 25-40 Mbps DL. My router started acting up and wasn't letting anyone connect via wifi so I did a factory reset and set it up the same way I did before (as best as I could), it started working fine again but now the speeds on all the devices that are connecting to at are capped at 18 Mbps. A simple speed test shows that no matter what they won't pass 18 Mbps, I am almost 100% certain this is the router and I was wondering what I might have done wrong or what is causing this.
We recently had the Aironet 3502i APs installed in our infrastructure and are having a bad time with hosts connecting to them. The controller sees them, they have an IP, they are showing a solid green light, but you cannot get devices to connect. If you reboot the device you get about 5 seconds of connection and then it disconnects. The only cure seems to be rebooting the APs, but I am baffled why this keeps happening. The installer is blaming our devices, but it is happening to laptops, thin clients, and even cell phones. From what I've seen, everything works fine until, i believe, the device tries to refresh it's lease and is unable to do so.
EA4500 Linksys router stopped allowing vizio Internet apps to connect from two different TV's. Problem, Just got brand new EA4500 router and Motorola SURFboard DOCSIS 3.0 High-Speed Cable Modem Model: 575319-019. I have 2 new vizio big screen tv's with internet apps. All was working fine and had no problems but occasional drops or limited access.
One day BOTH TV's could no longer connect. However, The tv's will connect to another access point. therefore the problem does not exist in the TV/s and has to be a problem in my access point (I.E. Router allowing access). Additionally, all other devices connect and work fine. I have already unplugged everything for an extended period of time. Checked for updates on firmware and verified no software needed to be updated. Rebooted router... Am using wpa-psk and feel i shouldn't have to go weep as it was working fine...
I got a ISE 3315 with an IP-Plus license on it. Now I need to install a Wireless advanced license, but I got an error when trying. I've read that the wireless license doesn't need the ip-base one but I can't remove it?
I need to estimate the installation and configuration time of Cisco NAC (NAC Network Module spare for 2800, 3800 ISR) and Cisco NAC Manager(NAC Appliance 3315 Manager -max 3 Servers. There is some Cisco tool to estimate the installation and configuration time?
I understand that Cisco Secure ACS 5.3 supports the integration with existing external identity repositories such as Windows Active Directory and LDAP servers. In fact, in my environment, my ACS 5.3 is now integrated with AD and RSA.My question here is can Cisco Secure ACS 5.3 integrate with "multiple" WIndows AD, LDAP, RSA Server etc.? if yes, is there a Cisco document stating this? The keyword here is multipple.
We have a distributed ACS 5.3 set up - a PR and DR replicating successfully.I've set up 4 remote syslog targets. 2 of them are at the same site as the PR ACS and 2 are at the same site as the DR ACS.The logging collector is set on the PR ACS.
The problem is that it "appears" that PR ACS is only sending PR ACS syslog info to one of the remote syslog targets out of the four.
The syslog target which does receive from the PR ACS is at the same site as the PR ACS.
"appears" means that some one has looked on the syslog targets to see what's been received / or not received.
I've been told that the syslog traffic for syslog targets is being received from the DR ACS. Which is strange as the PR ACS is the actual log collector (and is not at the same site as the DR ACS).
I've also got Alarm Syslog targets set up on the PR ACS , (2 are the same ip addresses used in the 4 remote syslog targets). IP addresses of the remote syslog targets have been double checked and can be pinged from each ACS (PR and DR).
