Cisco AAA/Identity/Nac :: WLC 5500 Deployment Just For Open Access Wi-Fi Network
Jun 6, 2013
I am going to deploy Cisco ISE with a WLC 5500. I have two kinds of users: one group for which I want to deploy just an open-access Wi-Fi network, without Cisco ISE, and a second group of users for which I want to deploy Cisco ISE services like advanced authentication, posture and profiling. For both groups I have just one WLC. Is there any problem with deploying two SSIDs, one for open access (without Cisco ISE) and a second, secure one with Cisco ISE?
View 5 Replies
Feb 9, 2012
I have a question about my ACS redundancy deployment. I bought three ACS; all of them came with the base license, but I also bought the large deployment license. My question is: is it necessary to buy the large deployment license to add two secondary ACS to my primary ACS? And if I install the large deployment license on my primary ACS, does it replicate to the other ACS, or do I have to install the large deployment license on each secondary ACS one by one before joining them to the primary ACS?
View 1 Replies
Jul 1, 2012
I have a 1240AG access point and am planning to deploy ISE as an external RADIUS server. I would like to know how the different authorization policies need to be configured in the AP/ISE, and whether I can use named ACLs or VLANs (CoA) as enforcement types without using a WLC. If yes, then how?
View 10 Replies
Mar 26, 2011
I have 4 x ACS-1120. Each pair operates as primary and backup. I want to add a license so that the ACS supports more than the 500 networks included in the base license. As I understand it, this is the license required: L-CSACS-5-LRG-LIC=
Is this license applicable to the ACS-1120 appliance with version 5.2? I understand that it is. For my scenario, do I need to purchase a total of 2 x L-CSACS-5-LRG-LIC= (one for each environment, with one license serving 2 x ACS in primary and backup), or do I need to purchase 4 licenses, one for each ACS? I understand that one license serves a deployment of two ACS in a primary and active scenario.
View 1 Replies
Mar 24, 2012
I already have the large deployment add-on license. I also have 3 ACS servers. My primary ACS server is up now and my two secondary ACS servers will be put up soon.
I just want to ask when the large deployment add-on license should be loaded. Can I load it on my primary ACS server even though my secondary servers are still not up? Or should I load it on my primary ACS server only when my two secondary servers are already up?
View 3 Replies
Dec 1, 2012
I am struggling in some areas to work out my firewall rules for a distributed deployment. The referenced documentation is not entirely clear in my opinion. In some instances it is easy to work out what ports need to be opened, e.g. Admin node TCP 22, 80, 443 for management from administrator hosts/ranges. In other instances it is difficult to work out, e.g. TCP 1521 (database listener and AQ): is this for ISE nodes only or for access devices as well?
My question is whether there is a better document that details these requirements: which rules are meant for ISE node to ISE node communications, and which rules are for access device to ISE, or ISE to access device. One of the rules I am pretty confused about is the PSN CoA ports. Should the rule be WLC to PSN on 1700 and 3799, or is it the other way round, or unidirectional?
I am pretty sure that the ports are meant to be ISE to ISE in most instances, barring the PSN for RADIUS and CoA.
View 3 Replies
Jan 3, 2012
I'm having issues with ASDM 6.3 on my ASA 5500. When I try to add a policy under Firewall --> Service Policy Rules (Add Service Policy Rule Wizard - Rule Actions), I'm not able to add a NetFlow policy, as I'm not presented with a dialogue box after I press "Add". I've tried this from multiple computers, Mac OS and Windows.
View 9 Replies
Jan 11, 2012
I am wondering whether having a Nexus 7K is mandatory to implement SGACLs in a TrustSec infrastructure deployment, or whether having a Nexus 5500 could be enough?
View 1 Replies
Sep 24, 2012
I am beginning to get many emails from users who have recently upgraded to OS6 saying that they now cannot connect to our open-access wireless network. We use a separate server where users must agree to a user agreement page; they say they get the page, but after agreeing, it goes blank and they cannot connect. I am using mostly Cisco 3502s with the 5508 controller on IOS version 7.0.112.0. Nobody in our IT department has tested OS6 yet.
View 9 Replies
Apr 12, 2012
We are starting to greatly increase our access point density throughout our floors and I am wondering if we are using the correct channel assignments. We are using LAP 1140s and 3500s. We have some locations that have anywhere from 4 to 9 floors in one building. These are consecutive floors with 8 to 11 APs per floor. There are also other businesses in these buildings that use wireless as well. We use 802.11a/n and 802.11b/g/n. Right now the channels are set to the defaults (36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, 161 for 802.11a, and 1, 6, 11 for 802.11b/g/n). I was wondering whether, since we are increasing our density, we should enable other 802.11b/g/n channels outside of 1, 6, 11. I know the other channels can overlap, but with correct placement I am wondering if it would improve our wireless coverage, since we wouldn't have 8 to 11 APs fighting for only 3 channels. Any experience with enabling other 802.11b/g/n channels?
View 11 Replies
Jun 19, 2011
I hear a lot these days about Ethernet deployment in metropolitan areas as access networks. Does this mean that there would be one big optical Ethernet LAN (or MAN, if you prefer) with fiber to the home connected by switches? Wouldn't this lead to massive spanning trees in large cities? One bad configuration in the network would affect the whole network. Will all IP traffic have to travel to the core even if it is destined for an intra-MAN destination? I cannot imagine that an ARP broadcast in a large MAN is feasible.
View 1 Replies
Jun 4, 2013
I have a 5500 controller that we use to manage our lightweight access points. We have had complaints that the 'guest' VLAN in the boardroom is not usable. Our guest VLAN is in fact overloaded.
I went back to the original site survey and noticed that coverage for the room is not ideal, so I would like to have a new lightweight access point installed in the boardroom and somehow limit access to it to only a few people.
View 11 Replies
Feb 27, 2011
I found that TACACS should be available for network access with ACS 5.2: (url). But when I try to create a rule to allow PPP authentication against the TACACS server, I get an error.
View 2 Replies
Oct 15, 2012
I have a question regarding Cisco Secure ACS 5.2 and network access vs. device admin access. We have our switches, routers and firewall configured to use TACACS+. We have also configured our Wireless LAN Controller to use RADIUS to allow 802.1X authentication to the wireless network. We are using Active Directory as the backend user database and have assigned the users to different groups in AD. We have a Network Admins group to access the network devices and a Wireless Users group to access the WLAN. The problem we have is that everyone in the Wireless Users group can access the devices and run full commands on them. We want to prevent the Wireless Users group from being able to do this. Is there a policy or config change that we need to make for this?
View 3 Replies
Feb 16, 2013
We recently deployed ACS 5.3 on a VM. While the main purpose of the implementation was to control access (authentication/authorization) on network devices, can we use the same to authenticate users' access to our wired network, so that only users with valid credentials in our Windows AD can have access to the network?
View 1 Replies
Feb 2, 2012
I understand that on ACS v5 you can use either "show udi" or "show inventory" to find the S/N of your ACS appliance, i.e. the S/N that you use to open a TAC case. However, this particular install is a VM install, and when I type either of those commands, under S/N the only thing I see is: Serial: Cisco-VM-SN. How can I actually locate the S/N of ACS on a VM install to open a case with TAC?
View 1 Replies
Apr 17, 2013
For ACS 5.4: in Network Access -> Authorization Profiles there is a Permit Access profile. If you try to edit it, a message pops up that says: "The profile you have selected is reserved and cannot be deleted or modified". What does this profile contain in its rule base? If I wanted to create a similar profile, what Common Tasks or RADIUS Attributes would I need to use? The same goes for the Deny Access profile. I have looked at the Common Tasks and RADIUS Attributes for a new profile and it doesn't seem very intuitive.
View 2 Replies
Mar 23, 2012
How do I implement certificate-based 802.1X network access authentication using ACS 5.3 with AD as the external identity store?
View 13 Replies
Dec 26, 2011
I need to know how the WLC can support ISE guest management in wireless mode. Tested and confirmed by a Cisco SE: the WLC currently does not support dynamic VLAN authorization for central web authentication. This limitation will be addressed in WLC 7.2 when MAB and CWA support is added to the code. On the other hand, dACLs work and we can use them to restrict this guest traffic. Can ISE support guest access provisioning on WLC LWA, so that guest user logins can be viewed and shown in ISE monitoring?
View 1 Replies
Feb 12, 2012
I am configuring some of my devices to use CHAP when their backup ISDN interface dials out to the 7200 concentrator node. I want the CHAP requests to hit our ACS 5.2 appliances and be authenticated via this method. I have built a rule for 'Default network access' which specifies these devices only; however, when I bring up the ISDN call the process fails. When I look at the logs it doesn't give an error reason, but it does say that it failed on one of the rules in the 'default device admin' rule set. I even went to the bother of specifying a single IP address of one of the ISDN backup devices, but the result is always the same.
View 3 Replies
May 1, 2013
I'm trying to configure ACS 5.4 as a RADIUS server for network access (PPP connections). In Monitoring and Reports the users show green, but the clients cannot send data. The auth method is CHAP/MD5.
Allowed protocols are set to CHAP and PAP only.
View 5 Replies
Jan 2, 2013
I have a Cisco ASA 5510. I have configured Cisco AnyConnect to authenticate via Windows IAS. We had an outage of that server recently and I tried to remote in via AnyConnect and could not. Once the IAS server came up I could get back into the network.
Is there a command that I'm missing that will let me use AnyConnect to connect into the network even if my AAA server is down?
View 2 Replies
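The mechanism the post is asking for is the LOCAL fallback on the tunnel-group's authentication server group: when every server in the RADIUS group is marked dead (no response within the timeout, not an Access-Reject), the ASA authenticates against its local user database instead. The configuration below is an added example, not from the original post; the server-group name IAS, the server address 10.1.1.10, the tunnel-group name ANYCONNECT-TG and the user name are assumptions.

```cisco
! Added example (assumed names). RADIUS group pointing at the Windows IAS server.
aaa-server IAS protocol radius
 max-failed-attempts 3
 reactivation-mode timed
aaa-server IAS (inside) host 10.1.1.10
 key <radius-shared-secret>
 timeout 5
! Break-glass local account used only while IAS is unreachable.
! Give it a long random password and review its logins in syslog.
username vpn-breakglass password <strong-password>
! LOCAL after the group name enables the fallback.
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group IAS LOCAL
```

The fallback only engages when the whole group is unreachable; a user rejected by IAS is not retried locally. Because the local account bypasses the directory's lockout and password policy, keep it to the minimum number of users and treat any successful login through it as an event worth alerting on.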
Jun 10, 2013
When I click 'Create...' under Access Policies > Default Network Access > Authorization and then press the 'OK' button, it says 'Please configure at least 1 condition.' However, I have no way to configure conditions, as the 'Conditions' text is just bold text and not a link or any sort of configurable area. If I go to 'Customize' on the bottom right and add conditions to the right-hand list box, I still have no options when I press Create. Also, the 'green light' next to Default Network Access is grey with a line through it. This is the most cryptic system I have ever used.
View 12 Replies
Feb 6, 2011
I have a problem trying to export logs to Cisco ACS View from my ACS 4.2. In the document [URL] Cisco states that one of the mandatory attributes for the export to work is "Network Access Profile Name" under TACACS+ Accounting (under ACS 4.2 System Configuration -> Logging Settings). Well, I don't have this mandatory attribute listed in ACS under the TACACS+ accounting log configuration. I tried to ignore this attribute, but then ACS View complains about a null value for the attribute mentioned above. Is this some bug in ACS View or ACS, or am I simply missing something?
View 1 Replies
Apr 15, 2013
I have some older devices on the network that only support RADIUS (not TACACS) for authentication, and I would like to have them use Secure ACS 5.3.
I understand that by default ACS only supports TACACS for device administration, so I get this error when trying RADIUS:
11033 Selected Service type is not Network Access
Description:
RADIUS requests can only be processed by Access Services that are of type Network Access
Resolution Text: Verify that the Service Selection Policy rules are correct
However, even after adjusting the Service Selection rules and seeing hits, I still see the same message in the logs, as if it has no effect.
View 1 Replies
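Two of the posts above come down to the same protocol detail: the CoA question in the ISE firewall-rules post (who initiates on UDP 1700 and 3799), and the ACS 5.3 post about using RADIUS for device administration (error 11033). A CoA-Request is originated by the RADIUS server, so the firewall rule is PSN to WLC on the NAD's CoA port (UDP 1700 is the Cisco default, 3799 the RFC 5176 port); the CoA-ACK or CoA-NAK is reply traffic on the same flow, and the WLC never opens a connection toward the PSN for CoA. For device administration over RADIUS, ACS 5.x can only answer from a Network Access type service, and the Access-Accept has to carry Service-Type Administrative and the Cisco VSA shell:priv-lvl, since there is no TACACS+ command authorization. The Python below is an added example, not ISE, ACS or WLC code, and implements the packet formats from RFC 2865, RFC 2869 and RFC 5176 with a simulated WLC on the receiving end. The shared secret, user names and session table are constructed for the demonstration.

```python
"""RADIUS packet builder/verifier for CoA (RFC 5176) and Access-Accept (RFC 2865).
Added example; not ISE, ACS or WLC code. Secret, users and sessions are constructed."""
import hashlib
import hmac
import struct

# Packet codes
ACCESS_ACCEPT, COA_REQUEST, COA_ACK, COA_NAK = 2, 43, 44, 45
# Attribute types
USER_NAME, SERVICE_TYPE, VENDOR_SPECIFIC, MESSAGE_AUTHENTICATOR, ERROR_CAUSE = 1, 6, 26, 80, 101
VENDOR_CISCO, CISCO_AVPAIR = 9, 1
SERVICE_TYPE_ADMINISTRATIVE = 6       # RFC 2865 Service-Type value Administrative-User
ERR_SESSION_CONTEXT_NOT_FOUND = 503   # RFC 5176 Error-Cause value
ZERO_AUTH = b"\x00" * 16


def avp(atype, value):
    """Encode one Type-Length-Value attribute (length covers the 2-byte header too)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text):
    """Cisco VSA: Vendor-Id 9, vendor type 1 (cisco-avpair), e.g. 'shell:priv-lvl=15'."""
    return avp(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + avp(CISCO_AVPAIR, text.encode()))


def parse_attrs(packet):
    """Return [(type, value), ...] for the attributes after the 20-byte header."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return attrs


def build_packet(code, ident, secret, attrs, request_auth=None):
    """Build a packet carrying a Message-Authenticator (RFC 2869) and a valid Authenticator.
    CoA-Request: HMAC and Request Authenticator are computed with the Authenticator field
    zeroed (RFC 5176). Responses: both are computed over the Request Authenticator of the
    packet being answered (RFC 2865 section 3)."""
    auth_in = request_auth or ZERO_AUTH
    header = struct.pack("!BBH", code, ident, 20 + len(attrs) + 18)
    zeroed = attrs + avp(MESSAGE_AUTHENTICATOR, ZERO_AUTH)
    mac = hmac.new(secret, header + auth_in + zeroed, hashlib.md5).digest()
    body = attrs + avp(MESSAGE_AUTHENTICATOR, mac)
    authenticator = hashlib.md5(header + auth_in + body + secret).digest()
    return header + authenticator + body


def verify_message_authenticator(packet, secret, auth_in):
    """Constant-time check of the Message-Authenticator; auth_in is the Authenticator
    field value the sender used when computing the HMAC."""
    attrs = parse_attrs(packet)
    present = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(present) != 1:
        return False
    zeroed = b"".join(avp(t, ZERO_AUTH if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    expected = hmac.new(secret, packet[:4] + auth_in + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(present[0], expected)


def verify_response(packet, request_auth, secret):
    """Check a reply's Response Authenticator against the request we sent."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def nad_handle_coa(packet, secret, sessions):
    """Simulated WLC (the NAD): accept a CoA-Request only if well formed and its
    Message-Authenticator matches the shared secret; answer CoA-ACK when the named
    session exists, otherwise CoA-NAK with Error-Cause 503."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    if packet[0] != COA_REQUEST or not verify_message_authenticator(packet, secret, ZERO_AUTH):
        return None                                   # RFC 5176: silently discard
    user = dict(parse_attrs(packet)).get(USER_NAME, b"").decode(errors="replace")
    ident, request_auth = packet[1], packet[4:20]
    if user in sessions:
        return build_packet(COA_ACK, ident, secret, b"", request_auth)
    cause = avp(ERROR_CAUSE, struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND))
    return build_packet(COA_NAK, ident, secret, cause, request_auth)


def device_admin_accept(ident, request_auth, secret, priv_lvl=15):
    """Access-Accept an ACS 'Network Access' service returns for RADIUS-based device
    administration: Service-Type Administrative plus cisco-avpair shell:priv-lvl."""
    attrs = avp(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))
    attrs += cisco_avpair(f"shell:priv-lvl={priv_lvl}")
    return build_packet(ACCESS_ACCEPT, ident, secret, attrs, request_auth)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"            # assumption: the WLC's RADIUS key
    coa = build_packet(COA_REQUEST, 7, secret, avp(USER_NAME, b"alice")
                       + cisco_avpair("subscriber:command=reauthenticate"))
    reply = nad_handle_coa(coa, secret, {"alice"})   # PSN -> WLC; the reply is return traffic
    print("CoA-ACK" if reply[0] == COA_ACK else "CoA-NAK", verify_response(reply, coa[4:20], secret))
```

Running the block shows the direction of the exchange: the PSN builds and sends the CoA-Request, the WLC validates the Message-Authenticator with the shared secret before acting on it, and only then replies. Note that a NAD accepting CoA without a Message-Authenticator check trusts any host that can spoof the PSN's source address, which is why the shared secret and a firewall rule limited to the PSN addresses both matter.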
Mar 18, 2013
I have a 3750X set up with a number of VLANs and have connected a WLC 5500 to it. I've assigned the switch port to the correct VLAN, given the WLC a management address on that VLAN, and it has the correct gateway. I can ping this gateway from other devices, but not from the WLC, and I can't ping or browse to the management address of the WLC (I can browse to it when plugged directly into the SP).
When checking the switch ARP table, it shows the IP entry of the WLC as INCOMPLETE, yet show cdp nei detail shows the device on the correct IP with all the device details. I have changed the port on the switch, the port on the WLC, the cable and the GBIC, cleared the ARP table and rebooted all devices, and it hasn't made any difference. On the switch, I tried assigning the burned-in MAC to that IP statically, but it didn't work. Does each port have an individual MAC?
View 3 Replies
Oct 20, 2012
Is it possible to restrict remote-access VPN to the ASA based on the source public IP? If so, how?
I am not talking about the VPN filter under group-policy here. I want to restrict access from specified source IPs (public IPs).
View 1 Replies
Jan 30, 2013
I have a Cisco Aironet 3502i access point which I am using with a 5500 Wireless Controller. I was configuring the AP for FlexConnect and accidentally enabled PPPoE authentication, but never configured login details for PPPoE. Now when the AP boots up it tries to use PPPoE but fails; it never even looks for an IP address. I have no way to get the AP connected to the controller again. I tried logging into the AP via console; the AP gives me output but I never get a login, even when I hold down the Mode button during startup. I also tried holding the Mode button and waiting for the AP to boot with its default IP (10.0.0.1) and connecting to the AP via telnet, but I was unable to connect or even ping with my PC on the same network configured as 10.0.0.2. What can I do to set this AP back to defaults, make it a normal DHCP client, and reconnect it to the wireless controller where I can reconfigure it?
View 9 Replies
Oct 11, 2012
I am having a peculiar issue with our ASA 5500 firewall (version 8.2(5)), where the remote-access VPN has a problem: I am unable to ping internal resources for some time; however, without any modification the problem resolves itself.
During the issue we can see a Tx count of 0:
Username : xxxxxx Index : 3147
Assigned IP : 172.17.254.24 Public IP : 14.99.x.x
Protocol : IKE IPsec
License : IPsec
Encryption : 3DES AES128 Hashing : SHA1
Bytes Tx : 0 Bytes Rx : 8764
Group Policy : EMP-VPN Tunnel Group : EMP-VPN
Login Time : 15:07:51 IST Fri Oct 12 2012
Duration : 0h:06m:34s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
View 2 Replies
Aug 8, 2012
The ISE documentation states that for a Guest_Activity report you must have guest access logging enabled on the NAD in the ISE network. My question is: where do I enable guest access logging in the WLC that is our NAD?
View 1 Replies
Feb 16, 2011
My web server sits behind an ASA 5500. When I access the web site from outside, it works fine. When I try to access it from the server itself, I get an "Internet Explorer cannot display the webpage" error. I can access other web sites, such as Yahoo.com, Google.com, etc. I have rules set up to restrict/enable incoming traffic, but I don't have any rules set up to "loop back".
View 18 Replies
Mar 9, 2011
The administrator wants to manage the ASA 5500 using the inside interface (telnet or ssh). I allowed telnet and ssh on the ASA 5500 but am unable to get access from the administrator PC. Is there a way to do it without enabling NAT on the ASA? Will a specific rule on the ASA allow the administrator to access the ASA 5500 inside interface via ssh or telnet?
View 2 Replies
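Management access to an ASA interface needs neither NAT nor an interface ACL: traffic addressed to the interface's own IP is terminated by the ASA, and what gates it is the ssh/telnet command that lists permitted source networks per interface, an RSA key, and an authentication method. The configuration below is an added example, not from the original post; the hostname, domain name, admin subnet 192.168.1.0/24 and user name are assumptions.

```cisco
! Added example (assumed names and addresses). Assumes the inside interface
! already has its address and the admin workstations sit in 192.168.1.0/24.
hostname asa-edge
domain-name example.internal
! The RSA key is required before the ASA will accept SSH.
crypto key generate rsa modulus 2048
! Local admin account and SSH authentication against it.
username netadmin password <strong-password> privilege 15
aaa authentication ssh console LOCAL
! Permit SSH only from the admin subnet, and only on the inside interface.
ssh 192.168.1.0 255.255.255.0 inside
ssh version 2
ssh timeout 10
! Leave telnet out entirely: it carries the credentials in clear text,
! and the ASA will not accept it on the lowest-security interface anyway.
```

Two checks if it still fails: the source host must reach the interface that is closest to it (an inside host must target the inside address, not the outside one), and the ASA logs a denied management attempt as a syslog message naming the source, which tells you whether the ssh line or the routing is wrong.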
May 20, 2012
I have a new WLC 5500 series which I upgraded to a newer version. We got brand new 1242 APs from Cisco. My ex-colleague said that we can pre-image the APs using the controller, so the new APs get the image directly from the controllers.
I have the following devices for this: a WLC 5500, 1242 APs (12 units) and a 2960 switch. I tried to create a DHCP pool on the WLC so the APs get an IP and then the image. However, I can't see the APs appearing in the Wireless tab.
The WLC and APs will be connected to the same switch.
What configuration needs to be done on the WLC and the switch so that the 1242 APs, when physically connected to ports on the switch, will get the image from the WLC?
View 7 Replies
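A lightweight AP downloads its image from the controller only after it has discovered and joined one, so the missing piece in the post is usually discovery rather than imaging. On the same VLAN as the controller's management interface the AP finds it by Layer 2 broadcast; when the AP VLAN is routed, the standard method is DHCP option 43 carrying the controller management address(es) in Cisco's TLV encoding (sub-option 0xf1, length 4 x number of controllers, then the IPv4 addresses). The Python below is an added example, not Cisco code: it encodes and decodes that payload and renders the IOS DHCP pool stanza a 2960 would need. The pool name, subnet, gateway and controller address are assumptions, and the option 60 vendor class string is the one Cisco documents for the 1240 series; verify it for other models.

```python
"""DHCP option 43 encoding for Cisco lightweight-AP controller discovery.
Added example, not Cisco code. Addresses and names are constructed."""
import ipaddress


def option43_hex(controllers):
    """Encode WLC management IPs as the option 43 payload Cisco LAPs expect:
    sub-option type 0xf1, length 4*n, then each IPv4 address as four bytes."""
    ips = [ipaddress.IPv4Address(c) for c in controllers]
    if not 1 <= len(ips) <= 63:            # length must fit in one octet (4*63 = 252)
        raise ValueError("supply between 1 and 63 controller addresses")
    payload = bytes([0xF1, 4 * len(ips)]) + b"".join(ip.packed for ip in ips)
    return payload.hex()


def ios_option43(controllers):
    """Format the payload as IOS 'option 43 hex' wants it: dotted groups of four hex digits."""
    h = option43_hex(controllers)
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def parse_option43(hex_payload):
    """Decode an option 43 value back into controller addresses; reject malformed input,
    which is what you want when auditing a pool someone else configured."""
    raw = bytes.fromhex(hex_payload.replace(".", ""))
    if len(raw) < 6 or raw[0] != 0xF1 or raw[1] != len(raw) - 2 or raw[1] % 4:
        raise ValueError("not a Cisco LAP option 43 payload")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(2, len(raw), 4)]


def ios_dhcp_pool(name, network, mask, gateway, controllers, vci="Cisco AP c1240"):
    """Render the IOS DHCP pool stanza for the AP VLAN (assumed names and addresses).
    option 60 restricts the pool's option 43 answer to clients presenting that vendor class."""
    return "\n".join([
        f"ip dhcp pool {name}",
        f" network {network} {mask}",
        f" default-router {gateway}",
        f' option 60 ascii "{vci}"',
        f" option 43 hex {ios_option43(controllers)}",
    ])


if __name__ == "__main__":
    # Assumed: AP VLAN 10.10.20.0/24 on the 2960, WLC management address 10.10.10.5
    print(ios_dhcp_pool("AP-VLAN", "10.10.20.0", "255.255.255.0", "10.10.20.1", ["10.10.10.5"]))
```

If the APs and the controller really are on one subnet, check instead that the 5508 management interface's VLAN matches what the switch delivers to the AP ports (the management interface is untagged by default, so on a trunk it must be the native VLAN), and watch the controller's AP join log for the AP's MAC.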