Cisco AAA/Identity/Nac :: ISE And CoA Port Bounce On WLC 7.2
Oct 4, 2012
I am trying to get a vlan change done with CoA and MAB on a WLC 7.2 but it looks like it doese't disconnect the client, hence no new dhcp request.
Everything is working except 'port bounce'. I can see the new vlan in the controller, if i do a ifconfig /renew on the client it gets the new subnet and everything works as it should. If i remove the endpoint in ISE it swaps the vlan again on the controller, but no port bounce.
View 4 Replies
ADVERTISEMENT
Aug 11, 2011
Im having some Ping / MS issues lately. My ping bounce up and down from 30 to 600 in just some seconds, and its really unstable. Im using the same internet as my neightbour ( internet cable through the wall) Is there any1 who can give me some tips so I don't need to worry about my ping anymore?,I don't know much about he's internet though.
View 3 Replies
View Related
Jun 2, 2013
We are facing a strange issue with GRE tunnel. We are using this tunnel from a branch office to Hub office. All other tunnels terminated on Hub router are working fine. Issue with this tunnel is that whenever WAN connection goes down Line protocol on tunnel interface some times comes up and sometimes not (therefore we have to reset the tunnel interface and it comes up). IOS used on this router : c2900-universalk9-mz.SPA.152-1.T2
View 5 Replies
View Related
Sep 30, 2011
I found that the domain name was hosted at enom.com and the email was gmail. The web servers are both Media Temple servers.we updated the settings on the new server using google's instructions. However, it is still not working properly. So, to be as clear as possible, here is the specifics:
Email from the outside works fine, Email internal to external works fine, email internally (from one emplyee to another internally) will bounce giving a 550 error. After researching this error, I found that several people have had this issue, however, the majority of the fixes didn't work.
View 3 Replies
View Related
Jul 30, 2012
When a client connecting to a specific AP (example AP01), after every 1800 sec uptime it will reconnect and join other unit AP (example AP02)Both AP physically installed distance is around 6 meters from each other. I conduct the testing where i get myself sitting in middle between these two APs.
01. If i disable settsion timeout this feature, or setting the seconds become higher value, what's the performance and security impact? Is it recomend to change the default 1800 seconds session timeout?
02. Is there anyway i can tweak on WLC controller to prevent the client after session timeout then associate with another AP. This will lead major performance impact as the client woudl possibility connect to the weak signal AP and effect on the performance.
These are the details for reference:Client detail
- Dell DW1520 wireless-N WLAN card, with firmware version 5.100.235.12
- CCX version 4 supported
- Layer 2 security is WPA2 personal with PSK.
- wireless radio an
Controller detail:
model is AIR-CT5508-K9
software version is 7.2.110.0
View 4 Replies
View Related
Dec 10, 2012
Have two WRT54G Wireless Routers.
-One WRT54G ver. 6, Firmware Version v1.028
-One WRT54G ver. 6, Firmware Version v2.x
With the WRT54G ver. 6, Firmware Version v1.028.When I ran the android app WiFi Analyzer, I get mixed results.On my Samsung Galaxy S3, I saw my signal on Channel 2, and others around me (two on Channel 6 and two on Channel 11).On my ASUS Transformer Prime TFT201 I see the same signals, but my router signal bounces continously between the baseline (-100dBm?) and about -35dBm.
Plugged in the WRT54G ver. 2, Firmware Version v2.x Channel 8.Hooked it up and got good steady signal strength. It Had 'WPA - Shared Key' but did not have the 'WPA - Personal' that was on the ver. 6. So, I had to go and screw things up. I've upgraded this to Firmware Version: v4.21.5 and guess what? I now have 'WPA - Personal'. I also have a signal is bouncing on BOTH units.
On my ASUS, I can see both routers. The ver. 2 AND the ver. 6 are bouncing between baseline and -35dBm, in unison. Apprently something in the ASUS does not like the later Firmwares.On my Samsung I can see the two signals - the ver. 2 on Channel 8 is stable as a rock and the ver. 6 on Channel 2 is also bouncing, but at a much slower rate! Running Speedtest.net a PC hardwired to the ver. 2 - I get 5.34 Mb/s Download and 0.47 Mb/s upload (yeah, my Internet sucks!) Running Speedtest.net through the ASUS/WiFi to the ver. 2 - I get 2.43 Mb/s Down and 0.65 Mb/s Up.Running Speedtest.net through the Samsung/WiFi to the ver. 2 - I get 5.07 Mb/s Down and 1.07 Mb/s Up.
View 6 Replies
View Related
Sep 1, 2011
Running Cisco NAC 4.1.6 OOB on the LAN. For some reason in the middle of the night, the snmp trap mac-notification added command appeared on the trunk uplink port of one of our switches.
I don't know exactly when the command was added but at 2am when the backup of the config was taken, it was there. At around 4:30am, the uplink went off-line. Is there anything within NAC that would push a change like that automatically to a switch. We do have NAC Profiler running on the network also.The problem was in a branch office so I only got the information second hand what was on the switch itself. We moved the uplink to a different port which allowed the switch to show up on the CAM again, however when I viewed it, the uplink port was set to controlled!
Does this make any sense?
how long devices will stay in the certified device list if no timer is configured to clear it out?
View 2 Replies
View Related
Jan 24, 2010
I want to setup the ACS 5.1 for dot1x-Port authentication. I want to make a machine authentication against an AD-Domain and I got the following error Message:24435 Machine Groups retrieval from Active Directory succeeded
View 13 Replies
View Related
Feb 24, 2013
There are two Win7 SP1 PCs (A & B), plugged in to a 3750-x (v12.2-58-SE2), on ports 33 and 41.
The ports are configured for 802.1x, auth order of MAB then Dot1x. Priority is Dot1x, MAB. The config is the same on both ports (verified at show run all).
When either PC is plugged in to port 33, everything works as I expect. Client sends an EAPoL message, gets a response, and is authenticated. When PC A is plugged in to port 41, same correct result. When PC B is plugged into port 41, the client sends an EAPoL start, and the switch never replies.
If port 41 has the authentication order changed to dot1x then MAB, PC B works fine.
View 3 Replies
View Related
May 31, 2012
I have a ACS 5.1, My mailing server does not run on standard port number of smtp (25). Need to know if i can customize the port number suiting my mailing server requirement.
View 0 Replies
View Related
Jul 7, 2010
using ACS 4.2 and I can't find a way to bind an incoming NAS port to a specifc IP Pool:
When a user connects the request to auth comes from 2 possible NAS ports randomly (this cannot change). Depending on which NAS makes the requests determines the IP range required, so I need 2 IP Pools. There is no way to say 'if request comes from NAS1 give IP from Pool1 and if request comes from NAS2 give IP from Pool2'
I have gone around and around with NAFs and NARs, but cannot do this.I can create 2 ACS groups with the specific NAS and specific IP pool within, but then I cannot have a single username bound to both groups.
I moved the auth to an AD group in the hope that I could bind that single AD group to the 2 ACS groups; and so have a single username, but no joy.
View 8 Replies
View Related
May 9, 2013
I recently saw a Cisco demo of ISE with a customer and the Cisco SE was setting the port description to the logged in username (dot1x). I can't find any docs on doing this. I did find some old ACS docs that mention using an AV pair and sending aaa:suplicant-name in the result, but that isn't working. I'm trying this on a 3750. and using ISE.
View 3 Replies
View Related
Mar 18, 2012
I am using 802.1x authentication with multi-domain ports; Phone and PC connected to phone. The phones are Nortel (Avaya) and the PCs are Dell/HP Laptops. All are configured for Certificate authentication and this works well. However we sometimes get some ports stuck in Guest mode. when a non certificated laptop connects to a phone port and fails authentication, the data port is placed in the Guest VLAN. However when the laptop disconnects the port isn't reset and remains in the guest state. When a subsequent good laptop connects and attempts to authenticate the switch ignores this and leaves the data port in the Guest VLAN. he switch is a 2960S with Version 12.2(58)SE2 IOS.
The port is configured as follows:
!
interface GigabitEthernet1/0/15
description DANS Port
switchport access vlan 1807
switchport mode access
switchport voice vlan 1855
priority-queue out
[code]....
I placed the AAA, dot1x, eap and auth debug on for all events and then connected a good laptop, the only debug message I got were as follows:
Mar 19 16:17:01.391 GMT: AUTH-EVENT (Gi1/0/15) dot1x_switch_is_restrictive_vlan_open_auth:Multi-Host with Guest Vlan/Auth Fail Vlan or open aut
Mar 19 16:17:01.653 GMT: AUTH-EVENT (Gi1/0/15) dot1x_switch_is_restrictive_vlan_open_auth:Multi-Host with Guest Vlan/Auth Fail Vlan or open aut
Mar 19 16:17:02.654 GMT: AUTH-EVENT (Gi1/0/15) dot1x_switch_is_restrictive_vlan_open_auth:Multi-Host with Guest Vlan/Auth Fail Vlan or open aut
[code]....
I would have expected the auth function to have reacted to the EAP packets sent by the good client when it connected and performed eap authentication but it didn't, all it did was say the ports in Guest mode and left the laptop in this VLAN.
View 2 Replies
View Related
Aug 14, 2011
I want to configure IEEE 802.1x port-based authentication on cisco switches, preferable 2960 series. Which models support this feature?. I have try with some older switches but it doesn't works properly on everyone. I have upgraded them whitout better results, there is namely an issue with TLS handshaking on some switches which produces authentication to fail.
View 1 Replies
View Related
Oct 28, 2012
I'm trying to test such 802.1x wired environment:windows xp sp3 as supplicant windows NPS as radius server 2960 as authenticator latest anyconnect (3.1.01065) + nam and standalone profile editor.I have a question: What is the difference between protected identity pattern and unprotected identity pattern (set in nam profile editor)? As I understand documentation PEAP-MSCHAPv2 is a tunneled method and it uses un- protected identity pattern to protect user's identity during phase 0. But if I use any fake identity here (anonymous, anonymous@[domain], etc) access is rejected (Access-Reject in switch debugs). I have to use exacly the same pattern in unprotected identity pattern as in protected identity pattern ([username] or [username]@[domain]) to gain access, regardless of authenticaton mode (same in machine only, user only authentication).
View 1 Replies
View Related
May 18, 2011
I have a new Cisco Secure ACS 5.2 on a VM. We want to use it to for administrative access to our Cisco equipment with TACACS+. I am trying to map user permissions to different groups of devices based on active directory group membership, however it is not working.
I am using an LDAP (configured for secure authentication) external identity store. On the directory organization tab, I have confirmed the accuracy of the subject and group search base and the test configuration button shows that it's finding > 100 users and >100 groups.
On the directory groups page I have entered the groups according to the required format. cn=groupname1,ou=groups,dc=abc,dc=com
I have a rule based result selection under group mapping. I have two rules in the format below.
Conditon
LDAP:Externalgroups groupname1
Result
Identitygroup1
I have the default group set to a identity group named other. My problem is, no matter what user attempts to authenticate, the Default rule is applied, and the user is put into the other identity group.This occurs when I log on as a groupname1 user, groupname2 user, or as user that is not a member of either of those groups. LDAP authentication works and the user is able to logon to the device.
View 3 Replies
View Related
Jul 11, 2011
We are using ACS 5.2 and we are trying to create a Microsoft Active Directory (AD) Identity Store. We have a user to be used in the Active Directory creation General page and we would like to know how the test communication / ACS to AD communication takes place.
Our user is a predefined user in AD and has admin rights, but the password expires every 60 days. Will this affect the communication between AD and ACS 5.2 at everytime the entered user's password expires?
View 2 Replies
View Related
Jan 24, 2012
I'm currently looking for a solution in order to restrict the modification of the host internal identity store (add or delete MAC host) per group. The default administrator roles does not include "per group restriction". Under the ACS I defined one group per department? My objective it to allow each department to access their ACS MAC database to add or delete MAC addresses as required.
How to restrict internal identity store per group?Do I need to create new roles? and how?I was not able to get an answer from the ACS ADMIN manual.
View 1 Replies
View Related
Dec 5, 2012
I have a new ACS 5.3 configure and a ASA5550 to authenticate VPN users using a remote LDAP server. Once I try to authenticate the users with the ACS it gives me the error message "22056 Subject not found in the applicable identity store(s)."
I checked out the documentation and have already configure the Identity store sequences to redirect everything to the LDAP server, I also did the Bind test and it says that is ok, but I still have the same problem.
I validated the Access Policies Menu, and tried to create a new Service Selection Rules, but whet I get to the option of modifying the Identity option I get the error: "This System Failure occurred: {0}. Your changes have not been saved.Click OK to return to the list page. " and I'm not able to modify the identity, not in this new option I created, nor in the ones already created in the ACS.
View 8 Replies
View Related
Oct 6, 2012
I have two ACS v 5.2 (primary and secundary) and some users are in the internal stor and the others are in the AD.The local site topology is like this:
PC - AP - WLC - ACS - AD
Authentication method is PEAP(EAP-MSCHAPv2) and all user have the certificate company installed. The OS in the client users is Windows 7.Users was working fine but some users reports intranet disconnections. I see in the ACS log many "22056 Subject not found in the applicable identity store(s)." and "24415 User authentication against Active Directory failed since user's account is locked out" alarms.I believed it was because user wasn´t in the AD data base, but some times the same user is authenticated successfull and other i see the "22056...." or "24415...." alarms.
I switched the role for ACS primary to works as secundary and we see the same alarms.
View 2 Replies
View Related
Apr 14, 2011
I have ACS 5.2 running as a VM. I'm AD, then local authentication successfully for device access, but I want to define ACS user groups to restrict login. I don;t see any way to do this. If I use AD groups, they don;t show up as selection options on the policy screens, just the ACS locallyy defined groups.
View 1 Replies
View Related
Dec 3, 2012
We have a ACS 4.3.2 installed with users authenticating against an Active Directory database. The AD database not only authenticate the users but also assigns the group that is used to select IP address pool.Now the requirements require to use token authentication with SafeNet. This authentication uses the same username but the password is composed of the original password + OTP.The problem is that the SafeNet server doesn't return the group membership.I've read about the Identity Store Sequence in ACS 5.x and I think I could use it in the following sequence:! configure an Authentication Sequence using the SafeNet token server (this works with ACS 4.x)I configure an Attribute Retrieval Sequence against the AD database. This would use the username only, no password and would retrieve the group membership.
View 1 Replies
View Related
Dec 5, 2011
I'm looking for Cisco ISE v1.1 to use the following licensing feature. url...Endpoint is dynamically profiled by Cisco ISE and assigned dynamically or statically to an endpoint identity group. Cisco ISE authorization rules do not use this endpoint identity group.
View 2 Replies
View Related
May 11, 2012
I am currently running cisco ACS 5.1.0.44 and use active directory as the main authentication identity store to allow network administrators to have access to network devices in my organization .As per the established security policies in my organization , the ACS has to disable any account after 3 failed login attempts to any network devices .i have gone through all the settings oN the acs but couldn't find where or how it is done .
View 3 Replies
View Related
Feb 22, 2013
I have installed ACS 5.4 and we are looking to authenticate our Anyconnect users with ACS via Active Directory. I think I have the correct commands in our ASA ( we had ACS 4 and authenticated our anyconnect users ).
I also have configured ACS to use Active Directory and installed the server side cert in ACS. I'm just uncertain how to program ACS to use the security group that I have setup in Active Directory.
View 6 Replies
View Related
Aug 28, 2012
I have an ACS 5.3 cluster, that is configured to use AD. There are a few wireless devices, and monitoring tools that do not have AD accounts. I would like to configure ACS to first check AD for the user authentication, and if that fails to roll over to the local (Internal Users) identity source where I can define these user accounts.
It seems that when the authentication hits the initial Identity Policy rule, it never moves onto the next one if the first fails.
Attached are screen shots that show how i'm configured for the test, i have a local user defined and I'm trying to log into the firewalls.
- Identity Definition : Screen shot of the main ACS definition for the rule i'm testing that's not working
- Identity Rule 1 : The configuration of rule 1 that if it fails i need it to move onto rule 2.
- Log Output : Screen shot for one of the failed attempts from the ACS View Log server.
Reason I need to configure it this way is:
- Wireless users authenticate to wireless using AD user accounts. Some hand held scanners do not support that and will need to authenticate using the MAC address.
- Authentication to Network devices for managment uses AD accounts. We have some monitoring tools that do not have AD accounts, and will need to be able to log into Network devices to issue some commands (Examples: Cisco Prime LMS and NCS, Infoblox NetMRI).
View 4 Replies
View Related
Apr 18, 2012
how profiling works exactly ?How intelligent is the profiling engine, meaning: Will it discover that one device has more than one different MACs and will merge the entries in the database ??
Example:This is in fact the same device, there is only one WLC-2500 in the network ....If it can discover that, what needs to be configured on the ISE to do that ?
View 2 Replies
View Related
Aug 27, 2012
I have setup an Identity Firewall on a ASA version 5.6 on a DMZ interface.I have installed the ADAgent on a domain member Win2008 and configured as follows: [code]
where ashdew is a domain user and ACL 122(only one line) is applied on the dmz interface and NAT is properly configured.The ADagent has been properly tested and ASA can register to it.The ASA can connect to AD DC controller and query user database.I have placed a laptop ip 172.17.h.x on the DMZ and can ping the DMZ interface.
The laptop cannot authenticate on the domain and the asa does not seem to retrieve the user identity.Do I need to add extra rules in the access-list 122 to permit trafic to DC?Can I check on the AD Agent if it can retrieve the user to ip mapping ?
View 6 Replies
View Related
Aug 15, 2012
I understand that Cisco Secure ACS 5.3 supports the integration with existing external identity repositories such as Windows Active Directory and LDAP servers. In fact, in my environment, my ACS 5.3 is now integrated with AD and RSA.My question here is can Cisco Secure ACS 5.3 integrate with "multiple" WIndows AD, LDAP, RSA Server etc.? if yes, is there a Cisco document stating this? The keyword here is multipple.
View 4 Replies
View Related
Sep 25, 2011
I am trying to setup PEAP authentication for wireless users but I got stuck at place where I have single ssid and users are store in different identity stores like some will be using their active directory and some are locally created users on ACS. I created separate service for wireless authentication and under that I am unable to create rule to differentiate them with identity stores. any idea how to achieve this.
I tried creating identity selection based on role but it does not work as for protocol like radius.peap,ms-chap ACS does not look for another identity store once user not find in an identity stores.
View 1 Replies
View Related
May 19, 2013
After clicking on below path we are not getting option as should be reflected. Below is the snapshots for the issues.
Access Policies > Access Services > Default Device Admin > Identity
View 3 Replies
View Related
Jan 16, 2012
I configured before ACS v4.2 to authenticate network devices using internal users at first, and if the user is not found use AD list users. But with v5.3 I have some problems doing this, on identity policies I use rule based result selection option, I configured 2 polices for Identity source, one for Internal Users and other policy for AD user, but it only works with the first policy, internal users or AD, but works only for the first policy identity. how to do that, if the user is not found on first policy, continue to the next policy.
View 7 Replies
View Related
Jul 3, 2011
I need a specify users to allow access to particular devices and give privilege only for show command or show run. Here is how I tried to configured.
1. Configured two seperate Shell Profile and Command set with privilege level 4-5 and allowing only show run command
2. create seperate service selection rule with adding the require NDG and protocol TACACS and maching service "RestrictAccess"
3. In the RestrictAccess Service I have following configured; Identity: internal users, Group Mapping to a particular group where the user exists, authorization: matching the above created identity group, NDG, shell profile, command sets
All the steps are attached in the .doc file. However when I tried with the particular user he is able to access everything and he is not hitting the correct access rule.
View 6 Replies
View Related
