Cisco AAA/Identity/Nac :: AP 2602 / WLC 5508 ISE 1.1.2 - Missing Field To Name Endpoint
Apr 4, 2013
Environment: AP 2602, WLC 5508 V7.4, ISE 1.1.2, Prime Infras 1.2
For a specific SSID, we use the MAC address as one of the conditions to authorize access only for the company-owned mobiles (smartphones and tablets), the other condition being, for the mobile, to present a valid AD user/password. This way, the so-called BYODs are rejected, since this is the rule within this company. The difficulty with this approach is the fact that there is no way in ISE Identities Endpoints or Groups to associate a user-friendly name with the MAC address of the mobiles, which makes some actions very tedious, such as a search in the ISE authentication log based on the MAC address value itself. The question is just whether it is planned, for future ISE versions, to add a new field in the Identities Endpoints definition that would allow associating a user-friendly name with a MAC address.
View 1 Replies
May 1, 2013
I know that very few people have their wireless controllers on version 7.4.100. But has anyone noticed that the NAT IP address field in the management interface configuration menu is missing, although it is mentioned as being present in the WLC 7.4 configuration guide? This would definitely affect Office-Extend.
View 4 Replies
Dec 5, 2011
I'm looking for Cisco ISE v1.1 to use the following licensing feature. url... Endpoint is dynamically profiled by Cisco ISE and assigned dynamically or statically to an endpoint identity group. Cisco ISE authorization rules do not use this endpoint identity group.
View 2 Replies
Jul 9, 2012
I have upgraded my new WLC to version 7.0.98.218. I noticed the N/A for the Field recovery version. On my old 4402 it is called the Emergency Image Version, and it is 5.2.157.0
How do I get a recovery version on the WLC?
View 2 Replies
Aug 7, 2012
Users whose status is manually disabled do not have difficulty in authenticating and access managing network devices. That makes me wonder what the difference is between status enabled and disabled?
View 44 Replies
May 9, 2013
We currently have a distributed PR and DR ACS 5.3 setup, set up with tacacs devices and one radius device. The radius device is used Opnet's AppResponse Xpert Admin. We are trying to integrate AppResponse Xpert Admin with ACS.
The GUI for AppResponse Xpert Admin is asking for the radius server IP address - i.e. our ACS, radius port - i.e. 1812 and "secret" - I'm guessing this means the shared secret of the actual ACS itself (not the shared secret used by network devices).
On our ACS 4.2 systems we have a field for a shared secret regarding the ACS server itself (to authorise replication?).
Using the search function for "Shared Secret" in the pdf "User Guide for Cisco Secure Access Control System 5.3" has only found references to setting one for network devices and not a field for the ACS itself. Is an ACS server shared secret still relevant for the ACS 5.x system?
View 2 Replies
Apr 7, 2013
Among the fields in the import template file (add or update) for internal users there is no column for expiration date ([URL]). This field is also not defined for the export file.
My question is: (How) is it possible to import new users (or update existing ones) into the internal db with an expiration date field?
View 3 Replies
May 17, 2012
We have installed NAC for our customer and it works fine, but the customer wants to change the version of Kaspersky antivirus from 6 to 8 end point security. When we tried this, the NAC agent did not find the antivirus on the workstation. I want to know if this version of Kaspersky (end point security) is supported by NAC; if not, is there a solution to make it work with the NAC?
View 3 Replies
Feb 27, 2012
When I upgraded my cisco 3750 ME from c3750me-i5k91-mz.122-46.SE to c3750me-i5k91-mz.122-58.SE2.bin all commands for radius disappeared? However, there are a lot of commands for ldap which were missing in the previous version. Seems as if the radius has disappeared and been replaced by ldap?
View 1 Replies
Sep 25, 2012
This does seem correct. I had 2 rules and now they are gone.
View 2 Replies
Sep 25, 2012
We currently have an issue with our main ISE. When logged in using the admin account (member of superadmin group) we no longer see the Profiling button/menu and are also missing other options in the GUI. On another standalone ISE we do see all those options?
Both are running on the same software version 1.1.1.268. We are using ISE 3395-K9 appliances
View 1 Replies
Jun 23, 2011
Recently I came across a router (Cisco 3845, IOS 12.4) configured for TACACS, one local username and an enable password. Going through the configuration I noticed the router didn't have an enable secret password which I thought was strange. The TACACS config is below, comments regarding the TACACS config and the consequences of not having an enable secret or if there is a need for one.
aaa authentication login default group tacacs+
aaa authentication login no_tacacs enable
aaa authorization exec default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
View 7 Replies
Feb 6, 2011
I have a problem trying to export logs to the Cisco ACS View from my ACS 4.2. In the document [URL] Cisco states that one of the mandatory attributes for export to work is "Network Access Profile Name" under TACACS+ Accounting (under ACS 4.2 System configuration -> Logging settings). Well, I don't have this mandatory attribute listed in ACS under TACACS+ accounting log configuration. I tried to ignore this attribute, but then ACS View complains about a null value for the attribute mentioned above. Is this some bug in ACS View or ACS, or maybe I am simply missing something?
View 1 Replies
Feb 19, 2013
I have a problem converting 2602 from lightweight to autonomous. It will not boot to the autonomous IOS. The procedure below is what I did.
ap: set IP_ADDR 10.0.0.1
ap: set NETMASK 255.255.255.0
ap: tftp_init
[Code].....
View 28 Replies
Mar 7, 2013
I have a 2602 AP. Recently I tried to move it from one controller to another, however in doing so the image must have gotten corrupted. So now I'm in AP ROMMON. I can't find any recovery procedures specifically for the 2600's, but what I did find doesn't seem to work:
ap: set IP_ADDR 10.4.208.3
ap: set NETMASK 255.255.255.0
ap: set DEFAULT_ROUTER 10.4.208.1
[Code].....
View 1 Replies
Feb 3, 2013
We have a campus with both office and industrial areas with various propagation problems. Historically I have been installing and maintaining access points in the 1200 range, the latest being the 1242. All these have a similar antenna setup based on diversity pairs. Since Cisco seems to be dropping the old series any week now I have been looking at the 2602 as a replacement. I can find no good documentation on antenna selection and mounting suggestions for these. If I want a proper omni coverage pattern with dual band antennas, do I just set them to an H form assuming the unit is sitting on a wall?
View 1 Replies
May 12, 2013
We typically use the 2602 series AP in lightweight mode, however I have a scenario where we are going to be installing one with the stand-alone software. I understand that we will not be able to utilize certain features that you get with the WLC such as RRM, rogue detection, and clean air.
We do want to utilize both the 2.4GHZ and 5GHZ bands. In order to do this with the 2602 stand-alone AP, will we have to configure 2 separate SSIDs? I really do not want to do this if I do not have to, to minimize confusion for clients.
View 8 Replies
May 28, 2013
I'm configuring a standalone AP 2602 with IOS 15.2. When I connect to the AP from my notebook I only get 65Mb speed; when I connect to other APs from the notebook my connection speed is 150-300Mb.
What configuration (CLI) do I need to be able to connect to the AP at a connection speed of 130-450Mb? Currently I connect to the SSID with WPA2 encryption and "speed default" on the radio 0 interface.
View 7 Replies
Apr 3, 2013
Instead of stocking every known AP and every external connector, I would like to query which APs to stock for general site surveys....
I have 2 customers that will require surveys in the near future...one plans on using the 2602e AP, and the other a 3602e AP. I have read somewhere that the 1140 makes an excellent proxy for the 2602 and several other Cisco APs (as the RF characteristics are similar) so that I only have to stock that one AP to use for those site surveys- but I haven't seen any recommendations about the 3600 series AP yet...
What AP to stock for doing Cisco site surveys? Maybe one or two models only?
View 10 Replies
Apr 21, 2013
I have a problem where we are installing a Cisco 2602 access point; the AP is getting power as the lights are on (changing colors Green, White, Red). On the switch side the LED for the interface is blinking green only when I choose PoE. Also I cannot see the AP in CDP neighbours.
It seems to be a physical problem but the cable is tested and showing connected for all pairs and parallel (straight) connection.
The Access Point was connected directly to the same interface (I mean with a patch cable to the switch) and was working
View 4 Replies
Apr 14, 2013
It seems that the mounting blade for the 1142 access point and the 2602 access point are identical.
We have ordered the new 2602 with internal antennas for deploying WLAN in a new building, but I have never held this access point in my hands. We have a few mounting blades in spare from the 1142 access point. The question is, can I prepare the mounting of the 2602 access point with the 1142 mounting blade?
View 2 Replies
Apr 4, 2013
I have several 2602 APs that I want to operate in FlexConnect mode. The WLC is at a central HQ and the APs are remote. There are central radius servers at the HQ for the wlans. At the remote location, there is a local radius server we want to use for the primary radius server for these APs. This radius server has been added to the WLC. I have set up a FlexConnect Group, designated the primary and secondary servers, and then added the APs to the group. It does not look like radius requests are being sent to the local controller.
For this to work, do we have to check the box under the wlan for FlexConnect Local Auth? Currently, we only have FlexConnect local switching selected.
View 8 Replies
Aug 20, 2012
As we know, the WLC (i.e. 5508) does not support MAB (MAC Auth Bypass) and it supports CWA in 7.2.x. CWA is a result of successful MAB. So how does CWA work for wireless? So does it mean the WLC supports MAB?
View 5 Replies
Aug 20, 2012
We deployed an L3 in-band scenario for wireless 2 years ago and the solution was working without any problem. We have upgraded the wireless controller to 5508; since then, when users log in to the first page and are certified, and they want to browse the internet, NAC redirects the web page and asks for authentication again, despite the users' devices being shown as certified devices in the list.
View 6 Replies
Sep 25, 2011
Having an issue with Cisco ACS v5.1.0.44 and the Cisco WLC 5508. Cannot get users to authenticate and keep getting error messages referring to EAP session timeouts from WLC filling our logs. Seems to be with this model WLC because we have Cisco 4400 WLCs pointing to the same ACS with no issues. Is there a bug or special configuration that is necessary to marry the 5508 with ACS v5.1.0.44?
View 9 Replies
May 18, 2011
getting a Cisco WLC to work with MS NPS server? We've done it before albeit with different code versions.
I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication. I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user" along with the pertinent auth request info that I would expect the NPS server to receive from the WLC. Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond, which in turn causes the WLC to switch to the other NPS server, which produces the same issue.
View 2 Replies
Dec 14, 2011
How can Cisco Identity Service Engine (ISE) work with WLAN controller 5508 to do the Local Web Authentication, when the guest profile is created using Cisco ISE guest management?
As I checked the Cisco ISE caveats, wireless is only supported on LWA, and LWA is not supported on Authorization's VLAN assignment.
What do I need to be concerned about in the ISE authentication and authorization policy for wireless LWA with the use of ISE guest management?
View 1 Replies
Jan 9, 2012
Having an issue with WLC 5508 using ACS 5.2 tacacs+ protocol to do device management. The problem statement is that after keying in the username and password on the WLC login page, it endlessly prompts for authentication on the WLC. Whilst on ACS monitoring and reporting I am able to see it is successfully authenticated, shown at AAA protocol > TACACS+ Authentication. On ACS, the shell profile for this is setting role1, value = ALL.
View 3 Replies
Jun 19, 2012
We’re currently using 5508 WLCs and leveraging Cisco ISE for radius/authentication rule sets. I’m trying to get a splash page to flash and then redirect to a website after a successful authentication to an SSID. Everything on the wireless side works with no splash page (users connect to the SSID, authenticate with AD credentials using 802.1X PEAP to our Cisco ISE box, and gain access to the network). When I enable ‘Splash Page Web Redirect’ on the WLC (under L3 security), I’m unclear on where on the ISE box I set this up. When I look in the Cisco documentation it says: Splash Page Web Redirect—If you select this option, the user is redirected to a particular web page after 802.1X authentication successfully completes. After the redirect, the user has full access to the network. You can specify the splash web page on your RADIUS server. How do I specify this on the ISE box? Or am I totally off base?
View 10 Replies
May 24, 2011
I have just recently purchased a 5505 Controller and 30 3502i APs. On my main corporate WLAN, I would like to allow users to be able to authenticate via Active Directory username and password. I am also looking for as little client-side setup as possible. From what I have researched, I will need to use some type of EAP method.
I have come across two methods that appear to be the top contenders.
EAP-FAST - The method seems to be a possibility but I see that it uses certificates. If I use this method, does it mean that I would have to import the certificates to each machine manually? Also, can I configure this to work with just the 5508 Controller and an AD Database server or do I need an intermediary like IAS or ACS?
PEAP/GTC - This method is also a possibility and I think that it does not require certificates. Does this also require an intermediary like ACS or IAS?
View 3 Replies
Jun 21, 2012
I'm running VPN SSL on an asa 5520 (V8.2.5) with LDAP authentication and everything works fine but now the AD people changed name in the groups and they added a " " "blank" in one of the fields so when I configured the group I get an error.
for example:
map-value memberOf CN=VPN_SSL_ABC,OU=External,OU=XXX,DC=ext,DC=local ABCPolicy
but this does not:
map-value memberOf CN=VPN_SSL_ABC,OU=External Group,OU=XXX,DC=ext,DC=local ABCPolicy
Is there any way to insert a space in the OU field?
View 2 Replies
Jun 13, 2011
The URL field in the web access log has a length of 70 characters. Is there any way to increase it?
[INFO] Mon Jun 13 21:30:30 2011 Website1234567890012345678900123456789001234567890012345678900123456789001234567890 accessed from 192.168.xx.xx
View 2 Replies
Sep 20, 2012
We're using a WLC 5508 with SW 7.2.103.0. Most things are working fine, but I have a problem with the web auth.
Setup:
- Max Concurrent Logins for a user name is set to 1
- Max-Login Ignore Identity Response is set to enable
- Web Authentication Type is set to customized
The Problem:
- The user "test" is logged in at device1 (working); the same user "test" tries to log in at device 2 (is not working, fine!) -> login is not accepted, WLC redirects to the INTERNAL Web Login Page. The problem is the redirect to the internal web login page after a failed login. If I try to log in with a non-existing user, the redirect to the customized web login works perfectly.
View 4 Replies