Cisco AAA/Identity/Nac :: ISE 1.1.1 Sponsor Portal - Change The Rule Which Checks The Fields For Illegal Characters?
Oct 16, 2012
Regarding our international subsidiaries there are many names that contain the character "-" (i.e. Pierre-Pascal). When trying to create a new Guest Account the ISE refuses it because of an invalid character in the "First Name" field. In other form fields i.e. Email Address - the character "-" is allowed. Is it possible to change the rule which checks the fields for illegal characters? (Is it a Bug?)
Aug 8, 2012
We have installed 5 ise 3315 boxes IOS 1.0.4 in our network where in two of them are admin node, two of policy services and one is mnt node. We are using guest sponsor portal for wireless guest user where in we have integrated WLC 5508 with ise and using weblogin for guest users.
We have created open ssid in wlc and using external redirected url of ise for guest login page. But when we create any guest user in sponsor login for guest user we faced following issue
1) When guest user gets connected to wireless and login in to guest portal with credential after putting credential then its again redirect to same login page without successful login prompt.
Can we prompt successful login after guest login to guest portal or redirect to any other link like google.com so guest user will gets to know he is able to access internet now
2) We have created time profile 8hours first login for guest user. When guest user gets connected while putting credential in to guest portal. But we face issue after approximately every 20 mins guest gets disconnected from internet and guest again gets login page of guest portal and if we put same credential then its working but after approx 20 min interval user get disconnected from internet.
Mar 28, 2013
We have users using a GPRS connection authenticating against ACS :
Fields received in radius package : Username & Calling-line_id
We have an ldap directory containing the same 2 fields : userPrincipalName & TelephoneNumber
1) Is it possible to match the 2 fields received in the radius package against the 2 fields in LDAP, and based on that granting/denying access ? (some sort of multiple key).
2) Is it possible to match the calling-line-id against an ldap attribute (authorization section) ?
The issue is that we have 3000+ GPRS users, and creating 3000+ entries in the end user filter is not really an option.
Nov 19, 2012
So I have my router that's connected to outside world (internet) and it's also connected to my company. I want to create a nat rule that basically says when I go to my company don't nat but when I go on the internet nat. Now I do this with this statement [code] I want to do the same thing but this time with this rule. ip nat inside source static tcp 10.181.20.84 22 interface FastEthernet4 2222 this rule doesn't work from the company to my router but it works from the internet to my router...
I just can't find the way to change this ip nat rule and use my same 110 ACL. Basically with this last rule when I try to connect to my router from the company it tries to nat it back to the ip of the router interface ... it should not nat when I go from the company but nat when I connect from the outside internet.
Jul 24, 2012
WLC - 7.2.110.0
ISE - 1.1.1
I'm new to ISE. I want to set up a very basic method for BYOD users to access our wireless network. I've set up an SSID for external Web Auth, where users get redirected to the ISE Guest Portal: [URL]
At that screen, users can enter their Active Directory credentials and login. Although the authentication shows as successful under Operations -> Authentications, the user is redirected to the device registration page. On that page they see the message "We are unable to determine access privileges in order to access the network. Please contact your administrator." Their device MAC is listed, and they can enter a description but the "Register" button is greyed out.
I'm getting overwhelmed with the amount of documentation available as well as the new terminology. I'm familiar with using Windows RADIUS servers, but ISE is very foreign to me now. Is there any documentation to understand how access requests are processed?
Apr 8, 2013
Managed to guest LWA working with ISE for wireless guest portal access? I have Cisco 4400 WLCs running latest 7.0 code and ISE 1.1.2. All guest portal examples seem to be CWA which only works on 7.2 code. Am I without hope getting this working on 7.0 code?
Aug 1, 2011
Is it possible to have email notification when a rule is hit on the ACS(5.1)?
I've had a look around and cannot see any options; the server team seem to think it's not possible to have this triggered from AD either. On a side note, where are the SMTP settings on the ACS?
Apr 14, 2011
I just installed a new ACS 5.1 to authenticate wireless PEAP users, so I created an Access policy "WirelessUsers" with identity store being Windows Active directory and all domain users are selected, and create a service rule that dictates that if the authentication protocol is radius, network device belongs to WLC device group, the result service will be "WirelessUsers", so this part worked perfectly, all domain users are able to gain wireless access via their DOMAIN/usernames and domain passwords. Now I want ACS local identity store users (those local usernames can be the same or different from their AD usernames) to be able to manage those controllers, so I created another access policy "DeviceAdminUsers" with identity store being local users, another service rule which says that if the authentication protocol is radius, network device belongs to WLC device group, the result service will be "DeviceAdminUsers". The problem is that with the setup, whenever I try to SSH to WLC, ACS always put me in "WirelessUsers" access policy, even the login name does not have DOMAIN pre-pended or the login name simply does not exist in AD. If I put the second rule in front of first rule, I am able to authenticate with ACS local username/password and gain access to WLC, but wireless users will fail to authenticate, because ACS is trying to put regular wireless users in "DeviceAdminUsers" access policy. I would expect if username does not exist in AD, ACS should proceed with next rule. Similar requirement was easily achieved in ACS 3.3.
Nov 7, 2011
- I have a cisco unified network (ACS 5.1, Cisco controller, LWAP) and have configured ACS to integrate with AD.
- I am using this network for Laptops and wireless IP phones access.
- I have only one Service Selection rule for both Laptops and wireless IP phones. All the conditions attributes are set to ANY except Protocol = Radius
- I select a simple Identity Policy and I use a sequence where IP phones users are authenticated using ACS local user and the Laptops users are authenticated using AD
- Laptop users are authenticated using PEAP and IP phones users using EAP-Fast
Everything is working fine BUT I need to make 2 changes and even though I spent many hours on forums and reading articles and trying things myself I can't get the changes to work.
The first change is to use 2 Service Selection Rules one for the IP phones and one for the Laptops. After adding another service selection rule that I put at the top, I tried many combinations to try and get the IP phones to use it but whatever I did (used different combinations of conditions), the IP phones always select the 2nd rule, which is the original one. The question is "what conditions to put in a service selection rule to make wireless IP phones use the rule".
The second change is that I want to add machine authentication so only Laptops that are in AD can access the network. Again I tried various settings but can't get this to work.
Feb 11, 2013
I'm setting a Wireless Guest with a WLC 5508 (7.3) and ISE (1.1.2) -- (no anchor). It appears to work (still some adjustments are required), but I found when the guest user logs in, it receives the successful login screen and immediately the guest portal again. If another browser window or tab is open, the user can browse properly.
Jun 10, 2013
when I click 'Create...' under Access Policies > Default Network Access > Authorization, and then press the 'OK' button, it says 'Please configure at least 1 condition.' However I have no way to configure conditions as the 'Conditions' text is just bold text and not a link or any sort of configurable area. If I go to 'Customize' on the bottom right and add conditions to the right list box, I still have no options when I press Create. Also, the 'green light' next to Default Network Access is grey with a line through it. This is the most cryptic system I have ever used
Jan 18, 2011
What is the purpose of the "Permit all traffic to less secure networks"?
Well I know the purpose and the technique to handle some security level is nice. when I cannot add a rule without deleting this implicit rule?
The technique of security level is then obsolete?
Aug 18, 2011
I am configuring Clientless SSL VPN on ASA5505 with 8.2(2)17. After the login, default page should be "Home", but if activating "Anyconnect", it always goes to Anyconnect as a first page. If disabling "Anyconnect" using SSL VPN Customization Editor --> Portal --> Application, it always goes to the other one. Never get "Home" as a first page, can I set the first page manually?
Aug 14, 2012
Is there any other way to configure the checks using the hash value of an application instead of register key ??? I have read and confirmed that the hash value does not change never. Its the same value....But I did not find a way to configure the rule on the CAM.... ? By the way I am using Cisco NAC 4.8.2
Jul 27, 2011
I accidentally setup two schedule rules both with the name of "Log". When I highlight either rule, and try to delete either, I get error "The rule is being used by another rule and cannot be deleted" How do I delete?
Mar 4, 2013
I am trying to simply erase information from certain configuration fields in an RV042G router. However, once an IP address has been entered, attempting to simply save a blank field results in the message "Please input IP address" and the empty field will not be saved. For example, we had a WINS server, but now we don't. I want to remove it from DHCP, but simply deleting the IP generates the above message. Likewise, attempting to remove an IP from the DMZ Host address returns an error. How can I reset these fields to be blank?
Jul 20, 2011
I have a webcam set up on my website that feeds from my router here.
Is there a way to track who checks in and for how long? I have a few folks that have decided to park their butts on the cameras all day long, I want to block them.
I set up a port forward, I think I have everything set up correctly. The cam works fine, just can't seem to find the log where they came from
Oct 31, 2012
I upgraded to ASA 9, and asdm 7, everything went perfect except AnyConnect IKEV2 doesn't work anymore, I have a lot of errors under my event viewer:
When it goes to install I get this error: Failed to perform required client update checks. Contact your system administrator
Under Eventviewer I find:
Function: CDownloadTask::Run
File: .DownloadTask.cpp
Line: 413
[Code].....
Jun 19, 2012
Is there anything I can set up on a network which would alert the company who own the network if certain kinds of file, such as large avi movie files or mp3s, were being shared by users on the network (whether that be with each other or externally, using third party file storage services etc)?
Apr 18, 2011
Cisco has recently released firmware 2.0.4.0 for the WAP2000 wireless access point. This firmware has two annoying bugs in new JavaScript code which validates SSID names on the "Basic Wireless Settings" page.
First of all, this firmware does not allow SSID names to contain spaces, even though a space is a legal character in a SSID name!
Secondly, this firmware only allows the first SSID name to be 31 characters long, even though the maximum allowed SSID name length is 32 (and the input field even allows 32 characters to be entered in the first place!)
In either case you will get an "Illegal SSID Name!" alert message (the developer could apparently not be bothered to make the message more specific and tell the user WHY the SSID name is supposedly illegal), and you will not be able to add additional SSIDs, or configure these existing SSIDs on new access points that have this firmware.
The workaround is to revert back to firmware 2.0.0.5. You can upgrade to 2.0.4.0 after adding the "illegal" SSID names, they will remain after upgrading.
The new firmware does have an interesting new feature: it can download its configuration from a TFTP server (either through DHCP or by specifying the server), but I have not been able to find the documentation on how to get this working.
Feb 23, 2011
subnet mask address is illegal cisco linksys?
Dec 11, 2012
I just ran into an interesting issue. VG Cisco 3825 crashes regularly with the following message in a crashinfo.
%ALIGN-1-FATAL: Illegal access to a low address 16:26:07 CET Tue Dec 11 2012
addr=0x0, pc=0x603EFF38z , ra=0xFFFFCC41z , sp=0x702E3C28
%ALIGN-1-FATAL: Illegal access to a low address 16:26:08 CET Tue Dec 11 2012
addr=0x0, pc=0x603EFF38z , ra=0xFFFFCC41z , sp=0x702E3C28
16:26:08 CET Tue Dec 11 2012: TLB (store) exception, CPU signal 10, PC = 0x603F32F8
Router: Cisco 3825
IOS: c3825-spservicesk9-mz.151-3.T3.bin
Jan 10, 2012
I am trying to update the SGE2000v1.0 with 24ports to 3.0.1.0: url... I got the error "illegal software format" using tftp.
Dec 22, 2008
I typed confreg 0x2124 and reset my 2811 and now the characters are not recognizable.
Apr 16, 2012
I took a SANS 401 class a few years back, and I remember them showing us how you could break PING (buffer-overflow? memory stack?) by pinging things you wouldn't normally. This was on WinXP. I can't duplicate this on Win7, and have forgotten what exactly it was we typed in.... I think it was some ALT-code characters, or a tick, 0x33 or something.... I realize PING can take octal, decimal, and hexadecimal values?
Mar 19, 2011
My customer has to change the ip address of one of the ACS server that is in production. In my opinion change in ip address would cause AAA client information in ACS gui to update and point to new ip address automatically.
2nd I do not see any download image available on CCO for ACS4.2. There was only clean access utility and patches. Where can I get the ACS4.2 complete software image?
Jun 25, 2012
I have 2811 router and tried to login through AUX port. I am using multitech modem to dial. When i try to login i am getting all special characters in the screen. I have changed the cable but still the same result. I have tried with different link speed also.
When I checked the router, it is showing AUX user is logged in at the time of issue (with show user command). But I am getting only junk character and sometimes blank screen.
May 11, 2012
We're running ISE 1.1 for guest services. We use Active Directory for Sponsor Portal login, as well as for administration of the ISE itself. Our corporate policy requires a password change for service accounts, and the service account password we use for ISE to connect into AD expires in a few days. So I changed the password on the account, but how do I tell this to ISE? I don't see anything in the documentation, only some references to only use non-expiring accounts to connect to AD. This made me laugh. If our corporate policy was that lax, we'd never have purchased ISE.
1) Is there a way to communicate this to ISE? Or is leave and then join the only way? Will that even work?
2) I see that after the password change, ISE continues to work fine. Does it only synch with AD periodically? On reboot, or every X hours? Right now things are working, but I'm afraid as soon as I turn my back it will stop.
May 30, 2011
How can I change the IP Address of cisco ACS 5.2 itself through the web?
Jul 31, 2011
I'm trying to change the management IP for ACS 5.2 in GUI, but failed to find it.
Is there any way to change the IP address in ACS GUI?
Jul 16, 2011
I have always used netgear routers in the past. After a series of issues regarding configurations not working correctly I invested in what appeared to be a semi pro router, the cisco linksys e4200.
I have a centralized server which I use to access a mass of different services such as mail, dns, VPN, FTP, Kerberos, http and many more. While I am not a massive networking ****, this server setup is like my garage project. To access these services externally to my LAN as far as I understand I would need to configure port forwarding for each service to my server. Unfortunately the control panel for the linksys E4200 only offers about 15 custom port fields for forwarding, and some documentation I have read shows that with its basic install my server could be using up to 60 ports at once.
Is this router just not suitable for this sort of network? If so I will be very disappointed because I have spent a quarter of the price on netgear routers with more control than this.
Sep 20, 2011
After trying for several hours to configure ldap attribute to cisco attribute mapping, I found that special characters are not supported by ldap attribute-map at least on 8.4
Here is the problematic configuration:
ldap attribute-map ldap_memberof_map
map-name memberOf Group-Policy
map-value memberOf
[Code].....
Apr 8, 2013
I was asked to perform upgrade from acs 5.3 to 5.4 (vm), but I noticed that someone installed it on 80gb partition and there is 500gb as one of the requirements in upgrade and install procedure. What is strange to me is that "dir disk:" command shows such an output: 5165345067 bytes available. And under ESX I see 80gb partition. Anyway, is there any way to extend partition size to 500gb? Can I just change it under ESX? Is there any procedure to take under ACS console?