Cisco AAA/Identity/Nac :: ISE Profiling For Wireless Devices WLC 5508 Like Laptops

Aug 25, 2012

We have integrated WLC 5508 to Cisco ISE 3315 with IOS 1.1.1 and are using the Guest Sponsor portal for wireless guest users. We have created an open SSID in the WLC and redirect to the web login portal in the WLC for guest users. We have enabled all respective nodes in policy service for profiling and also configured SNMP in the WLC as well as in ISE.

When a guest user connects to the open SSID, they get redirected to the web login page of the ISE portal, and when they log in we are only able to see the username the guest user logged in with, but not the end device, in the monitoring log.

Wireless end devices are not getting profiled. Can anyone tell me what configuration I need to do on the ISE or WLC side to profile end guest wireless devices like Android, iPhone and laptops?

View 7 Replies



Cisco AAA/Identity/Nac :: WLC-2500 / Profiling In Identity Services Engine 1.1?

Apr 18, 2012

How does profiling work exactly? How intelligent is the profiling engine, meaning: will it discover that one device has more than one different MAC and merge the entries in the database?

Example: This is in fact the same device; there is only one WLC-2500 in the network .... If it can discover that, what needs to be configured on the ISE to do that?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: 802.1x / Does Authentication Process Done After Completing Profiling

Nov 30, 2012

I have two questions about ISE Profiling features.

1) Is the authentication process done after completing profiling?

2) Can the profiling feature overcome the MAC spoofing issue (a printer MAC is used with a static IP to access the network where user and printer are in the same VLAN, users with 802.1x and printers with MAB auth) and deny a Windows user with a spoofed printer MAC and IP address?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ISE 3395-K9 Profiling Button / Menu Missing?

Sep 25, 2012

We currently have an issue with our main ISE. When logged in using the admin account (member of superadmin group) we no longer see the Profiling button/menu and are also missing other options in the GUI. On another standalone ISE we do see all those options.

Both are running on the same software version 1.1.1.268. We are using ISE 3395-K9 appliances.

View 1 Replies View Related

Cisco Wireless :: 2504 Vs 5508 Support For 200 Laptops

Aug 10, 2012

I have a customer that needs to support 200 laptops over 16 classrooms with scalability to 400 laptops. I have a heatmap design to cover this with 22 1042 access points. Does anyone know what features the 5508 has over the 2504? By reviewing the data sheets, the biggest feature difference is better support for mobility, which is not a need for this deployment as they just wheel a cart of laptops into a classroom and fire them up. Also, does the 2504 support LAG across the four gig interfaces?

View 1 Replies View Related

Cisco Wireless :: 5508 Students Unable To Join Wireless With Personal Laptops

May 1, 2012

I have a WLC 5508, AIR-LAP1142N APs and a SSID for students to connect to who bring their own device. I am still testing this and it has not been rolled out but I am running into some serious issues with joining the network. I am authenticating them through a RADIUS server (2008 R2). Problem: many of them cannot connect because they are lacking the certificate.
 
1. What is a good setup for authentication in a BYOD environment?

2. If my setup is good what can I do to allow kids to use their computers on the wireless either without the certificate (which I know is unlikely) or what do I need to have them do to connect. I am hoping it does not involve hard wiring and getting the certificate from the server.

View 1 Replies View Related

Cisco Wireless :: 7.4.100.0 / MDNS Profiling Cannot Be Enabled With Flexconnect Local Switching

Feb 20, 2013

After upgrading to 7.4.100.0 I'm getting this error message when trying to apply changes on the WLAN ID: "mDNS profiling cannot be enabled with flexconnect local switching". If I unselect mDNS snooping under (WLAN ID/Advanced) I can apply the changes, but only temporarily. When I look the next time, the mDNS snooping tick box is enabled again. Is this a bug or what?

View 7 Replies View Related

Cisco Wireless :: 5508 - Apple IOS Devices

Jun 14, 2012

I'm seeing a problem with Apple IOS devices connecting from one SSID and then connecting immediately to another. I've tried to replicate this fault with non Apple IOS devices, but I'm unable. 

Environment:
Single 5508 WLC running 7.2.110.0 AIR-LAP1142N-A-K9 AP's
 
WLC is in clients head office, MPLS to their branch sites. AP's are in Flex Connect mode, with AP and Flex Connect groups for the AP's at the branch. 3 x SSIDs; Corporate (802.1X), Guest (Web-Auth) & Non-Corp (PSK).
 
Scenario:
Client is connected to the Corporate SSID with his iPad (new model, running iOS 5.1.1). No problem with access, he is able to roam throughout the building with good SNR/RSSI. He wants to test the other SSID's, he attempts to connect directly to the Guest or Non-Corp and gets an error message on the client saying 'Unable to Connect' or 'Unable to Join'. Debugs on the WLC for the client shows no connection attempt, no errors. I can see the client disconnect from the Corporate SSID, but nothing for the Guest or Non-Corp SSID.
 
If the client then disconnects and forgets the Corporate SSID from the wireless profiles on their iPad, waits 20-30 seconds (I can see the client disconnect cleanly from the WLC) and then attempts to connect to the Guest or Non-Corp SSID's - he doesn't have a problem. He immediately associates, and is able to connect. If he then tries to connect directly to another SSID, while still associated to another from the same WLC/AP – he gets the error again. Forget/wait 20-30 seconds, attempt to connect – no problem. We've tested with several iPhones (4 & 4S), iPads (2 & new model) - all running the same Apple IOS (5.1.1).
 
I unfortunately can't do much troubleshooting with TAC on this as the client is no longer onsite, and I don't have a 5508 in our lab that I can currently test with. I've tried playing with beacon intervals, etc to no avail.

View 3 Replies View Related

Cisco Wireless :: WLC 5508 7.4.100 - Getting MSE Tracking Devices Through Network?

Apr 5, 2013

I have a problem with MSE tracking clients in my network. What we have:

PI 1.3 with evaluation license (temporary)
MSE 7.4.100 with 3k device licenses (hardware appliance 3355)
WLC 5508 7.4.100

For now the MSE is reachable from PI and the WLC, all settings are synchronized, NMSP status is active, the MSE is assigned for maps and synchronized, and on the map we have 3 APs, but in the Context Aware tab we didn't see any tracked devices; all counts are 0.

View 11 Replies View Related

Cisco Wireless :: 5508 Best SSID Practices For Really Old Devices On WEP

Jul 26, 2012

setup a WEP SSID on my 5508 controllers. That being said, I have multiple sites with extremely old scan guns that only do 104-bit WEP. I plan on locally switching this SSID and using a static WEP 104-bit key with MAC authentication, and then ACLing to limit my inherent security issues/exposure once someone compromises my WEP key. [code]

View 4 Replies View Related

Cisco Wireless :: 5508 - Apple Devices Timing Out From Guest Network With Captive Portal

Jan 29, 2013

I am setting up a new Guest network with a captive portal and it seems to all work fine except when Apple devices go to sleep. When they come back on it isn't just a case of logging in again as it just indicates to the client that it is still connected and won't present the login page again. The Controller will show the client as auth required. So far the quickest way has been for me to delete the network on iPads and re-enter my settings or create a new profile on a Macbook and join again. I have also had some success when doing a manual DHCP refresh on my Macbook which sometimes seems to kick the Controller into action so it presents the login page to the client again. Whether it is related to the timers on the Controller (5508 running code 7.0.235.3) or - as I just read in another post by Leo - the 20 minute timeout that all Apple devices have built in to conserve battery life

View 3 Replies View Related

Cisco Wireless :: 5508 Low Uptake Of Using Wireless Devices

Jun 12, 2013

I have 2 x 5508 WLCs in place with around 50 APs split between the 2.
 
As there is currently a low uptake of using wireless devices all of which we own I have up until now been using WPA2 and MAC filtering to control access to the network.
 
This all needs to change as we are about to embark on the B.Y.O.x revolution. This means being able to support a wide range of OSes from Windows to Android. This in itself presents a whole series of issues but right now I'm trying to explore how much of the burden the WLCs can take.
 
For instance I was thinking about setting up web auth on the controllers that would authenticate against an external RADIUS server - this seems fairly straight forward.
 
If this was to be a bog standard windows network I could set up a Microsoft NPS server that could control and define policies to mobile devices, but as this is going to be a mixed environment that's not a solution I can use.
 
What other features do the controllers provide that would be useful in my situation - can you for instance automatically direct data to a specific vlan based on authentication information?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: 5508 - ISE To Support Wireless LWA

Dec 14, 2011

How can Cisco Identity Service Engine (ISE) work with WLAN controller 5508 to do Local Web Authentication, when the guest profile is created using Cisco ISE guest management?

As I checked the Cisco ISE caveats, wireless is only supported on LWA, and LWA is not supported with Authorization's VLAN assignment.

What do I need to be concerned about in the ISE authentication and authorization policy for wireless LWA in the ISE guest management use case?

View 1 Replies View Related

Cisco Switching/Routing :: Shut Down Procedure For Devices 5508

Oct 15, 2012

Is there any shutdown procedure for Cisco devices in a data center: Cisco routers, switches, firewalls ASA-5580-20, ACE-4710 and IPS-4260 devices?

View 4 Replies View Related

Cisco :: WLC 5508 SW 7.0.98 - Keeping Mobile Devices Logged In Using NGS Web Authentication

Feb 12, 2011

I have been testing WiFi devices such as the iPhones and iPads connectivity with the following setup:
 
1. 3502i AP
2. WLC 5508 SW 7.0.98
3. NGS
 
The i-devices have iOS v4.2
 
My goal is to have the guest user i-devices maintain the credentials (username and password) when they log in again to the wireless network. Like if the device sleeps, I think they would definitely lose the IP address issued by DHCP. Once the guest user uses them again and connects them to the wireless network, the user would not need to type in those credentials on the Web Authentication page directed by the WLC.

The credentials are issued by the sponsor who created them on the NGS. It seems that there are WiFi problems with these i-devices. But somehow, I'm looking for a solution that would automate the logins, like a checkbox if you want to be kept signed in, as on Yahoo, or Stay signed in for GMail.

View 6 Replies View Related

Cisco AAA/Identity/Nac :: Bug In ACS 5.1 When Importing Devices

Sep 20, 2011

There seems to be a problem when I try to import a .csv file to ACS 5.1. After following the procedures for file exports and clicking finish I am left with the screenshot of the ImportAction window attached. According to documentation this window should allow you to monitor the progress of the bulk operation, but there is none of it.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 - Add DACL To 2 Devices?

Dec 15, 2011

I have an ASA 5510 on the outside with a Remote Access VPN. The user will need to get from the 5510, then go through an ASA 5540, then out to the subnet where they will be doing their work. I have a Cisco ACS version 5.2 that sits on a separate VLAN off of the 5540. I can authenticate users with RADIUS on the 5510 VPN and use DACLs from the ACS with no problems. However, the DACL only gets downloaded to the 5510 (as expected) and I need it to also download to the 5540. Is there a way to do this? I understand this could mean multiple authentications needed somehow. Right now when I authenticate, the DACL shows up fine in the 5510, but I get blocked from the devices I need to get to because it of course is not getting added to the 5540 as well.

Here's the basic topology I have:
 
remote client
|
|
(outside--internet--VPN)
5510
(vlan X)

[code]....

View 5 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Deploying Devices With IOS XR

Sep 27, 2011

We are deploying devices with IOS XR and wondered if deploying them with TACACS authenticating to the Cisco ACS 5.x platform.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 1120 - How Many Devices (MAB) Can Be Authenticated

Jan 23, 2012

I'm currently looking for a document that specifies how many MAC addresses can be stored and authenticated via an ACS (1120). I prefer to use the internal identity store over AD or LDAP for MAB authentication for an 802.1X project. I would like to know what the impact on the ACS is: CPU/MEM? What is the impact on user authentication: delay, timeout, etc.?

View 7 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Network Devices Export?

May 10, 2011

I am trying to export our network devices from ACS and I can't find out where it is exporting it. Under ACS 5.2 "Network Resources > Network Devices and AAA Clients" you get the list of your network devices and at the bottom of the page there is an export button. When you click it you are given an option to password protect it which I didn't check the box and I pressed Start Export. The window flickers like it processed the request, but nothing happens. There isn't any pop-up to download the CSV. I have also tried setting up a software repo thinking it might just send it to that, but it didn't work either.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 - Use RSA Server And AD To Authenticate Network Devices

Nov 10, 2011

I am not sure what I am trying to do is possible, so I thought I would pose the question on here. In ACS 5.3, I would like to use an RSA server and AD to authenticate my network devices. So when I log into a router or switch I would enter my AD username, be prompted for my RSA token, then when I enable be prompted for my AD password, or vice versa. How do I write an access policy to achieve this?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.2.0 Error In ACS Authentication For Accessing Devices

Jun 11, 2012

We are using ACS version 4.2.0 build 124 on Windows Server 2003. Our domain controller has been upgraded from 2003 to Windows 2008 R2. Now we are facing the following error in ACS authentication for accessing our devices. Error: AUTH  06/09/2012 11:55:40 E 1810 3316 0x8f21 External DB [NTAuthenDLL.dll]: Windows  authentication FAILED (error 1326L). If we restart the services of the ACS server then users get authenticated fine.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: How To Setup ACS 4.2 As LDAP Server To Authenticate Devices

Sep 1, 2011

I have an ACS 4.2 under Windows. I set it up to authenticate routers by the RADIUS and TACACS+ protocols. Now I have some devices which know only the LDAP protocol. How can I set up ACS as an LDAP server to authenticate those devices?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: How Many Network Devices Can Secure ACSv4.1 Support

Sep 13, 2012

How many network devices can Cisco Secure ACSv4.1 support? Is there any limit on the same? How to get the specs of Cisco Secure ACSv4.1 on the above grounds...

View 2 Replies View Related

AAA/Identity/Nac :: ACS 5.2 Creation Of Network Admin Policy For Nx-os Devices?

May 28, 2012

I have ACS 5.2. I need to create a network admin policy for our NX-OS devices such as Nexus switches. How will this be done on ACS 5.2?

View 0 Replies View Related

Cisco AAA/Identity/Nac :: WLC 5508 Does Not Support MAB

Aug 20, 2012

As we know, the WLC (i.e. 5508) does not support MAB (MAC Auth Bypass) and it supports CWA in 7.2.x. CWA is a result of successful MAB. So how does CWA work for wireless? So does it mean the WLC supports MAB?

View 5 Replies View Related

Cisco AAA/Identity/Nac :: 750-1000 Devices / Maximum Accounting Session ACS 4.2 Can Handle

Aug 7, 2011

We have Cisco ACS 4.2 in our network and the accounting is done for 750-1000 devices and only for level priv-15. I want to enable accounting for all levels from priv-1 to 15, so that all commands executed on devices are sent to ACS. Can the ACS handle that many sessions from that many devices? I am also planning to configure the ACS remote agent to store all the accounting history.

View 1 Replies View Related

AAA/Identity/Nac :: 5508 - Re-authenticate By NAC

Aug 20, 2012

We deployed the L3 in-band scenario for wireless 2 years ago and the solution was working without any problem. We have upgraded the wireless controller to a 5508; since then, when users log in to the first page and are certified, and they want to browse to the internet, NAC redirects the web page and asks for authentication again, despite the users' devices being shown as certified devices in the list.

View 6 Replies View Related

Cisco AAA/Identity/Nac :: ACS V5.1.0.44 / WLC 5508 / Cannot Get Users To Authenticate

Sep 25, 2011

Having an issue with Cisco ACS v5.1.0.44 and the Cisco WLC 5508. Cannot get users to authenticate and keep getting error messages referring to EAP session timeouts from WLC filling our logs. Seems to be with this model WLC because we have Cisco 4400 WLCs pointing to the same ACS with no issues. Is there a bug or special configuration that is necessary to marry the 5508 with ACS v5.1.0.44?

View 9 Replies View Related

Cisco AAA/Identity/Nac :: 5508-WLC Using MS NPS As RADIUS Server For EAP-TLS

May 18, 2011

getting a Cisco WLC to work with MS NPS server? We've done it before albeit with different code versions.

I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication. I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated "RADIUS server x.x.x.x:1812 deactivated in global list" and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user" along with the pertinent auth request info that I would expect the NPS server to receive from the WLC. Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond, which in turn causes the WLC to switch to the other NPS server, which produces the same issue.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: 6509 - Detect And Block Unauthorized Devices / Users In Network

Sep 25, 2012

We have a Cisco 6509 as an access switch in our network. Each user has an IP phone and a computer. We are going to implement 802.1X for end users by next month. I need to check all user activity in the network, like if someone plugs an access point or a router into the network. I just checked Cisco NAC and how to detect those activities on the network.

I need to get more details on Cisco NAC or other products for that purpose. Also, what is the difference between Cisco NAC and an application like Microsoft TMG?

Is it agentless or do I have to install something on computers? Does it work as a default router for users' computers?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Endless Prompt For Authentication On WLC 5508

Jan 9, 2012

Having an issue with WLC 5508 using the ACS 5.2 TACACS+ protocol to do device management. The problem is that after keying in the username and password on the WLC login page, it endlessly prompts for authentication on the WLC. Meanwhile, in ACS monitoring and reporting I am able to see it is successfully authenticated, shown at AAA protocol > TACACS+ Authentication. On ACS, the shell profile for this is set to role1, value = ALL.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: 5508 Splash Page Web Redirect

Jun 19, 2012

We’re currently using 5508 WLC’s and leveraging Cisco ISE for radius/authentication rule sets. I’m trying to get a splash page to flash and then redirect to a website after a successful authentication to an SSID. Everything on the wireless side works with no splash page (users connect to the SSID, authenticate with AD credentials using 802.1X PEAP to our Cisco ISE box, and gain access to the network). When I enable ‘Splash Page Web Redirect’ on the WLC (under L3 security), I’m unclear where on the ISE box I set this up. When I look in the Cisco documentation it says: "Splash Page Web Redirect—If you select this option, the user is redirected to a particular web page after 802.1X authentication successfully completes. After the redirect, the user has full access to the network. You can specify the splash web page on your RADIUS server." How do I specify this on the ISE box? Or am I totally off base?

View 10 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved