Cisco AAA/Identity/Nac :: ISE 1.1.1 Windows NAC Client Posture Checking Loop
Jul 17, 2012
Just upgraded Cisco ISE to 1.1.1 in my lab/demo environment and am now having problems with a basic posture implementation. In short, I connect to a wireless SSID and check posture based on the presence of a file. The NAC agent is declaring my host as compliant and granting full network access; however, about 5 seconds later it checks for requirements again while placing my host in the temporary network access. At this point it states I am compliant again and 5 seconds later scans again. This behaviour does not stop and continues endlessly until I close the wireless connection. I had no problems with this setup on 1.1. All logs indicate successful compliance and no errors in terms of compliance.
View 33 Replies
Sep 9, 2012
Is it possible to enable posture validation on ACS 5.3? If so, could I have a link or a procedure for implementation?
View 3 Replies
Jan 17, 2013
I have an authorization rule which verifies that the AV (McAfee 12.x) is installed (NAC agent), a time restriction, and so on. The connection failed with this code:
15039 Rejected per authorization profile.
How can I obtain some more details on that? I mean, I'd like to know which condition is not verified and leads to a failed connection.
View 19 Replies
Oct 19, 2012
I'm stuck at registering the inline posture node to the primary node. I did a fresh install of both ISE appliances using version 1.1.1, and applied all 3 available patch versions after install. AD and DNS were perfectly configured, and ping using the hostname is able to resolve. Everything is set, so both PSN and iPEP generated a CSR and are ready to let the CA server sign it. But anyway, this is the outcome I get, error message: "Unable to authenticate. please check server and CA certificate."
01. - What certificate template should be used for the primary node and the inline posture node? I am having a problem: the CA certsrv won't show the computer template for the inline posture node. Can I use the web server template and, in the extension, include client authentication and server authentication in this case?
- What certificate template is used for the primary node CSR?
02. According to the Cisco ISE user guide 1.1.1, it mentions "Creating certificate trust list in Primary ISE Node".
So the first action is importing the Root and CA certificate. My rootCA.cer is imported into the Certificate Operations certificate store, then the CSR is generated and the CA certificate is bound. Question: should I check anything like the "Trust for client authentication" checkbox or any other option? How about the Inline Posture node, should I export the CA certificate and import it into the primary node's certificate store?
View 3 Replies
Oct 17, 2012
I would like to ask, given that I have 2 units of the ISE-3315 appliance, one needs to be the primary node for admin-policy service-monitoring, and the other unit then becomes the Inline Posture node. For the preparation of the inline posture node, what should I do on it?
01. For the unit that is to become the inline posture node, do I just boot it, install the OS from scratch (using version 1.1.1), then start the initial setup etc., like a normal setup?
02. Before I register, which deployment node type should I select for the inline posture node unit? Provided that the admin-policy service-monitoring unit will become the primary node, registration of the inline posture node will be the next action.
View 10 Replies
Nov 17, 2012
I have a couple of questions, the answers to which I can't google for a period. BTW, maybe I simply use the wrong approach to choosing keywords.
1) Is it possible to assign the same IP address to the same client each time it authenticates, preferably without using DHCP? I'm definitely sure that it is possible but can't find corresponding configuration examples (my device is a Cisco 1921 with IOS 15.0.1).
2) Is it possible to assign a dynamic crypto map to a loopback interface (the purpose is to make the EASY VPN Server accessible through two interfaces; maybe you recommend another approach instead)? As soon as I move the working crypto map from the physical interface to the loopback, I can't connect, with reason "Phase1 SA policy proposal not accepted".
View 3 Replies
Jun 16, 2012
What is the command that can show the ACE bundle (like ACE-4710-02-K9, ACE-4710-04-K9)? We have ordered one ACE with 4G BW, and another one with 2G BW. But nothing shows this fact using the "show hardware" and "show inventory" commands!
View 1 Replies
Apr 29, 2011
I have a Cisco Valet+ AP. I have added an Engenius range extender, big house (actually a B&B). The setup seems to have gone well (range extender linked to AP). Is there a way that I can verify that a PC in the big house away from the AP is actually connected to the range extender?
View 1 Replies
Apr 4, 2013
I have many VPN sites using ASA5505s with broadband connections and terminating on a single ASA5550. I have a problem with one site; they are having poor performance. One of the issues I can see is an error on the remote ASA 5505. I've tried the recommended fix using this command: crypto ipsec security-association replay window-size 1024.
View 1 Replies
Apr 29, 2012
How to check compliance for only one access list in CiscoWorks.
Example:
I want to run a compliance template that only checks access-list 13 to make sure it has the following and nothing else:
access-list 13 permit 1.1.1.1
access-list 13 permit 10.1.0.0 0.0.0.127
If something else is listed, then I'll deploy the template and it will remove any other entry besides the two above.
I have tried a global config compliance on + access-list 13 permit 1.1.1.1 and it comes back and says it's not compliant and wants to remove everything else, which is every other access list. I have tried submodes, thinking that it could check under ip access-list standard 13, but that didn't work either.
View 6 Replies
Mar 3, 2012
We have branches all over the country and we use different links like fiber (Ethernet), radio links etc. Now sometimes when we ping from the branch WAN IP to its gateway or to the aggregation router (an ASR 1000 in this case), we see some drops, but see no problem in actual HTTP or Lotus communication.
What I want to know is, nowadays, should we rely on ping results to determine link quality? Or should I use tools like iperf to basically see if the link is actually treating TCP and UDP packets properly? I have heard countless times that network devices like Cisco routers, even without any QoS, will normally give low priority to ping packets.
View 1 Replies
May 23, 2012
When checking my port forwarding, it says that it is not open. Why?
View 6 Replies
Mar 5, 2013
I have the following challenge. I will try to be concise.
ISE 1.1.2.145
WLC 7.3
Wireless clients, dot1x EAP-PEAP, posture required. Clients should download the NAC agent through redirection. The access list is correctly applied on the WLC. The challenge is, it works for HTTP traffic, but doesn't work for HTTPS traffic or if the browser is using a proxy (port 3128, 8080 etc.).
View 4 Replies
Apr 6, 2012
I have been trying to forward port 25565 for a server on a game called Minecraft. I have a BT Home Hub 2 and I have followed everything on portforward.com and in several videos, and still no luck. I have BT NetProtect Plus, so I don't know if the firewall is blocking the port.
View 1 Replies
Dec 26, 2011
I am using a Cisco 1812 as EZVPN server. I want to use Active Directory for VPN user authentication. I have been trying for a couple of days but with no success. With the ASA, I am able to authenticate against AD, but not with the IOS router. Below are my configurations. If Kerberos authentication is not possible, I would like to know the possibility of using AD as an ACS external database. I am running both AD and ACS on the same server. If I can integrate AD with ACS, I can use TACACS or RADIUS for the authentication.
View 3 Replies
May 8, 2011
I have a CS-ACS appliance with version 5.2.0.0.26.3. There is no direct solution for connecting an LDAP client to the server. I have 3 servers that have only LDAP, and for authentication I cannot use RADIUS or TACACS+. I need a solution for this problem. How can an LDAP client connect to ACS when it has only the LDAP protocol?
View 1 Replies
Nov 2, 2011
I want to know if it is possible to check Internet speed directly in the Cisco router through any command or by activating any service in the Cisco router. As is seen most of the time, the Internet speed offered by the ISP is different compared to what clients see, and clients are most often not satisfied with the Internet speed. The problem is that our ISP has given us a 100MB leased line. But when we deployed it in the production network the speed is the same as DSL. We have reported this issue to the ISP; they then carried out an iperf test by connecting a laptop directly to the ISP router. They have tested the speed and it shows about 94-96 Mbps, and they argue that it is up to the mark and there is a problem on our side (i.e. our internal network). Now our internal network has a Cisco 1841 router connected directly to the ISP's Cisco 3825 router. Our router has the minimum configuration required to pass traffic out and in. Our internal 1841 router is connected to a switch to which different clients are connected. We have performed some online tests using different speed checking websites and also performed real-time tests by uploading and downloading files. The speed is much lower compared to 100Mbps and is nearly the same as, or slightly higher than, a DSL connection. How can we check Internet speed in the specified scenario? Is there any command or service available in the Cisco router to check Internet speed, as we want to check the ISP connection speed directly through the 1841 router? What about the authenticity of online speed checking websites? Any specialized software/tool you recommend to check Internet speed in the specified scenario?
View 11 Replies
Apr 23, 2012
I have a WS-C3560G-24PS serving as a distribution switch with six (6) WS-C2950T-24 connected to it. Looking at the utilization on the interconnect links, none is running close to gig speed, and this includes the link between this switch and the core. The CPU load (6%) and memory utilization (30%) on the switch do not seem bad, so what else does one watch to see if it needs an upgrade?
We are starting to have discussions about any needed upgrades on the network. I have an occasional user that complains about low performance, but looking through the network I can find nothing glaring on a consistent basis that says an upgrade is warranted. I am however looking at things such as the above: utilization on links, CPU, memory, etc.
View 2 Replies
Feb 6, 2012
I was wondering if I should use the same RADIUS VSA attribute on ACS v5.1 to authenticate AAA clients as the one I was using on my old ACS v3.3 server.
Example: under ACS v3.3 I was using the RADIUS (Cisco Aironet) attribute to authenticate APs & WLCs; should I do the same under ACS v5.1?
View 2 Replies
Apr 25, 2012
ISP : Charter Communications
Modem : Motorola SURFboard SB6121
Router : Linksys E1200
I started out installing from the CD and then I kept getting messages about not being set up, and finally it kicked me out. So I started out with the basics, changing out Ethernet cables and checking connections. I then tried power cycling the modem, router and computer, and still no go. As soon as I plug the modem straight back into the computer it kicks back on. So then I tried some other troubleshooting ideas from the forums, with the last being MAC address clone, save changes, release/renew IP, and finally another round of cycling, and I still can't get it to work.
View 4 Replies
Oct 16, 2012
Web clients are receiving "login failed" messages and VPN clients are getting "disconnected by host" messages. I am able to ping the server from the ASA5510. Users authenticate in AD. I am not sure if the problem is on the server or the ASA.
View 1 Replies
Jan 17, 2013
I was looking for a way to manually re-authenticate a dot1x client from the CLI and found this: [URL]
"You manually reauthenticate the client by entering the dot1x reauthenticate interface interface-id privileged EXEC command"
I've tried it on a 2960 with 12.2(58)SE and 15.0(2)SE, but it doesn't seem to be implemented. Have I misunderstood something? Or do you guys have any other command to accomplish a manual re-auth?
View 6 Replies
Mar 21, 2013
I have a setup where I configured monitor mode on a switch with ISE as the RADIUS server. This is for testing before a bigger deployment at a customer site. I'm using ISE 1.1.3, a C2960 with IOS 15.0(2), and a laptop with Windows 7 Enterprise SP1. The correct configuration with EAP-TLS and a machine cert is working like it should, but it is when I remove this and make the laptop fail that I get weird results with monitor mode. I can't get DNS to work in dot1x monitor mode if the client fails authentication.
When the client fails dot1x and MAB it gets an IP via DHCP. I can ping, but DNS/browsing is not working. If I put the AuthC back and the client authenticates, DNS is working, or if I turn off dot1x on the client then DNS works as it should. [code]
View 3 Replies
Jun 3, 2013
I currently have a Cisco ACS 3415 appliance with 5.4. Coming from the ACS 4.2 world, I'm having a bit of a struggle creating the following, and I was hoping I could be shown clear steps so I can duplicate the rest.
I want to create a group, i.e. AIRTEMP, with access time from 7:00am to 5:00pm, and add 2 users to the group.
Users access our site using a VPN client connecting to an ASA5550. The ASA and the ACS already communicate with each other.
The ACS 5.4 user guide has me bouncing all over different pages.
View 5 Replies
Aug 26, 2009
Looking to fine-tune Cisco IPsec client RA-VPN authentication on our ASA-5510. Currently using NT Domain authentication. It's been working fine for quite a while but is too broad a brush: it authenticates anyone who is in the domain. We need to only authenticate folks who are in a specific AD remote access security group. I'm testing LDAP but am getting the same results. I can get it to authenticate based on overall domain membership but can't seem to figure out how to check group membership.
We've updated to ASA 8.2(1) and ASDM 6.2(1). It seems to have more LDAP functionality, but I'm not an LDAP expert. I've posted an image of the LDAP server dialog from the ASDM. I originally tried putting the Group DN in the Base DN field but kept getting a "can't find user" error when testing. I also tried adding the group info in the "LDAP parameters for group search" field at the bottom. But it doesn't seem to be looking there. Note that the current value is the Group Base DN only. I also tried putting "memberOf=" in front of that. Still no luck. The values shown in the image work for simple domain membership.
View 3 Replies
Jun 17, 2010
I have upgraded Cisco ACS from 4.1 to 4.2. I have a Cisco Access Control 1113 appliance, and as soon as I upgraded I am getting an error in the failed logs: "Authen session timed out: Challenge not provided by client". What is wrong with this?
View 4 Replies
Jul 20, 2011
I installed on 2 different PCs (Win7 64-bit) the Cisco VPN Client 5.0.07 with the same VPN profile for 2 different users. We use an ASA5505 (8.0(5), Security Plus license) as the VPN endpoint for the clients. The VPN clients can connect simultaneously to the ASA and they receive the split tunnel info, but only ONE client can ping the internal network IP range. The other one has no access to the internal resources! When they try to connect separately, there is no problem. Each of them can reach the internal net. On 2 other PCs (Win 7 32-bit) the clients have no problem reaching the internal net (connected simultaneously).
View 0 Replies
Feb 16, 2013
I have a client that has a 5505 installed. They want to VPN in with their Win7 laptop, but they don't want to shell out $1000 for the 10-pack Cisco VPN client. I have successfully set up the clientless VPN, and they can, through a browser, get to their files, but they'd like to map network drives so it's just like they're in the office. I tried setting IPsec up on the 5505 and then using the built-in Win7 VPN network connection, but no go. I also do everything through the ASDM, but I realize some things cannot be done. I'd prefer to use the ASDM! Anyone else get this configured? 99% of what I see out here is how to connect the 5505 for site-to-site VPN.
View 4 Replies
Sep 23, 2012
Client connects to a PIX 501 but cannot see the LAN in Windows Explorer. Devices can be pinged by IP and hostname (NetBIOS name). I can navigate to a server by typing in \\servername. Why can I not get a resolution from Cisco techs? [code]
View 1 Replies
Sep 18, 2011
I have just purchased and set up a VPN on my ASA5505 and now I wish to set up a Windows VPN client to use it. Does Cisco have any free VPN clients for Windows? I tried to download a client from the Cisco downloads area, but it's behind some kind of purchase agreement. I would have thought that the VPN client was free to download given my ASA comes with two free VPN licenses.
View 5 Replies
Feb 14, 2012
Looking for a working Cisco VPN client for Windows 7. There seems to be an available download for version 5, but you have to be a reseller etc. Where do I download the Windows 7 supported VPN client to access my WRVS4400N router? If none, should I use a 3rd party? If yes to 3rd party, which one would you suggest?
View 1 Replies
Mar 21, 2012
I have set up our network with an RV220W as gateway/Wi-Fi AP/VPN host. I am able to connect over the WWW with the Windows 7 client laptops no problem, BUT I cannot reach out to the laptops from my office; it seems as if the tunnel is one way. The users can do anything they need, but I want to be able to connect to them to update their AVG or render remote assistance etc. Ping from client to home network: no problem. The client laptop is invisible to any ping etc. FROM the home network.
View 2 Replies
Sep 13, 2011
In my environment, VPN users are connecting to the corporate network via an ASA 5540 and using 3.5.1, 4.8, 5.0 (32-bit) and 5.0 (64-bit) VPN clients. After they have built the VPN connection, they use a program that generates traffic to a broadcast address (x.x.x.255) inside the corporate network.
There is no problem with users who are using 3.5.1 and 5.0 (64-bit), but the 4.8 and 5.0 (32-bit) VPN clients cannot add an ARP entry to the Windows machine's ARP table. If I add an ARP entry for x.x.x.255 on the VPN interface, they can work.
View 1 Replies