Cisco :: ACS 5.2 / NAC - Allocating Vlans To Host Ports Based Upon AD Group Membership

Jan 6, 2011

My customer requires the host port on an access switch to be allocated to a specific VLAN based upon the AD group that the user is a member of. I am planning to set up NAC in a Real Gateway OOB deployment, using an ACS 5.2. I was initially thinking that the initial authentication server would be the ACS and then the AD; using group mappings within the AD, I could then assign the user to a specific ACS group and then pass a RADIUS attribute back to the NAC manager for processing?


Cisco AAA/Identity/Nac :: ASA-5510 / IPSec Client Authentication Based On AD Group Membership?

Aug 26, 2009

Looking to fine tune Cisco IPSec client RA-VPN authentication on our ASA-5510.  Currently using NT Domain authentication.  It's been working fine for quite a while but is too broad a brush.  It authenticates anyone who is in the domain.  We need to only authenticate folks who are in a specific AD remote access security group.  I'm testing LDAP but am getting the same results.  I can get it to authenticate based on overall domain membership but can't seem to figure out how to check group membership. 
 
We've updated to ASA 8.2(1) and ASDM 6.2(1).  It seems to have more LDAP functionality but I'm not an LDAP expert.  I've posted an image of the LDAP server dialog from the ASDM.  I originally tried putting the Group DN in the Base DN field but kept getting a "can't find user" error when testing.  I also tried adding the group info in the "LDAP parameters for group search" field at the bottom.  But it doesn't seem to be looking there.  Note that the current value is the Group Base DN only.  I also tried putting "memberOf=" in front of that.  Still no luck.  The values shown in the image work for simple domain membership.


Cisco VPN :: ACS 5.3 / Assign Group Membership Attribute To DAP For Radius Logins Via SSL

May 14, 2012

Basically I want to query Radius for AD group membership and apply a set of Bookmarks based on that group. I would use LDAP, but we have two domains and I need both to be available for login, so I am using ACS 5.3 as a proxy. I saw that using attribute 4242 for DAP for group membership, but what is the Group syntax?


Cisco AAA/Identity/Nac :: ASA 5505 Does Some LDAP Attribute Mapping To Get Group Membership For DAP

Dec 21, 2012

I have a working ASA 5505 that is used for remote access.  It authenticates users via RADIUS (Microsoft AD using two IAS servers), it also authorises users via LDAP and it does some LDAP attribute mapping to get group membership for DAP.  This is all working fine however recently I enabled IPv6 to do some testing.  I have a /126 subnet on the Inside interface (maps to its equivalent /30 IPv4 subnet) and OSPFv3 running so the ASA has visibility of the internal IPv6 networks.  DNS client is enabled in the ASA and all the authentication servers are entered as hostnames.  The two RADIUS servers only have A records and the two LDAP servers (Windows DC's) have both A and AAAA records.  My plan was to begin test IPv6 on the AnyConnect VPN clients (once I was happy the ASA was working fine with IPv6).

When I initially enabled IPv6 everything continued to work as before, however I had to reboot the ASA today and after it all came back up authorisation stopped working.  I did a bit of troubleshooting and the ASA is complaining of not being able to resolve the addresses of the two LDAP servers.  From the CLI I can ping the hostnames and the LDAP servers resolve to IPv6 addresses and the RADIUS servers resolve to IPv4 addresses.  When I issue the command 'show aaa-server LDAP' (LDAP is the name of the group) I see the servers listed but the address displays 0.0.0.0:
 
Prior to the reboot both the LDAP servers were showing their addresses (IPv4) correctly. I can work around it by disabling IPv6 on the ASA, letting it look up the (IPv4) addresses of the LDAP servers (so they appear in the 'Server Address:' field above) and then re-enabling IPv6. Strangely, deleting and re-adding the servers just with their IPv4 addresses also fails, but I haven't fully tested this. I don't know, but I think I would have the same behaviour if the RADIUS servers also had AAAA records.
 
I assume when IPv6 is enabled on the ASA it will perform AAAA lookups as well as A lookups but the LDAP client cannot use IPv6?  Just guessing at the moment as I haven't managed to get a LAN capture. [code]


Cisco Switches :: Linksys SRW248G4 And Multiple Membership In VLANs?

Jun 26, 2012

I can't figure out how to configure a port membership with multiple VLANs. My setup:

- VLAN10
- VLAN20
- port settings tab: port24 in general mode
- ports to VLANs tab: untagged everywhere; when I set port 24 membership to VLAN10 I can't set port 24 membership in VLAN20, because when I do that the port 24 membership in VLAN10 disappears, and vice versa
- but I can set port 24 membership to both VLANs in the VLANs to port tab, but I think it doesn't work because:
- when I connect hosts to ports 23 (port 23 is a member of VLAN10 only) and 24 (member of VLAN10 and VLAN20) there is no connectivity between them
- but connectivity is working when I set the same PVID for both ports 23 and 24 in the port settings tab; I can't set multiple PVIDs in here.

So, is it possible to configure port membership for multiple VLANs on this Linksys? [URL]


Cisco AAA/Identity/Nac :: ACS 5.3 Group Mapping Based On (G-CRP-SEC-ENG)

Apr 30, 2012

I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the user's specific AD group membership and map appropriately to an identity group. What I'm trying to do is say that if the user is a member of the AD group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. Then under the access service, authorization portion, I assign shell profiles and command sets based on Identity Group. It seems that the ACS server will not match the AD group for the user, and it will match the Default of the Group Mapping portion of the policy every time.
 
I tried several configuration choices, from AD1:ExternalGroups contains any <string showing in AD> to AD1:memberOf <group>. Is there something special I need to do in the Group Mapping Policy to get it to match an Active Directory group and result in assigning the host to an Identity Group?


Cisco AAA/Identity/Nac :: ACS 5.2 Assign VLAN Based On AD Group?

Apr 18, 2011

I'm trying to configure ACS 5.2 to assign the VLAN to a user dynamically based on the AD group that the user belongs to. I've gone into:
 
Users and Identity Stores -> External Identity Stores -> Active Directory -> Directory Groups tab
 
and selected the group name from the AD. If I understand correctly, I should now see this group under:
 
Policy Elements -> Authorization and Permissions -> Network Access -> Authorization Profiles -> Common Tasks -> VLAN ID/Name
 
However, it does not. Am I missing something?


Cisco Routers :: Host-based Port Forwarding With A RV220W?

Apr 10, 2012

I have recently separated a few sites that I operate into multiple virtual machines, all with their own IP. Basically, site A is located on, for instance, www.siteA.com, site B is located on blog.domain.com, etc. So my question is, how do I (with the Cisco RV220W) forward port 80 based on host? [URL]


Cisco AAA/Identity/Nac :: WLC 7.4 / ISE Authentication Via Active Directory Based On SSID And AD Group?

Apr 15, 2013

I am deploying ISE with WLC 7.4. I have two SSIDs running in my network: 1. Corporate and 2. Services. I have a domain set up, let's say "AD.com", with 4 groups: 1. Corporate, 2. Services, 3. Employees, 4. Contractors. Here is an example of the scenario that I want:
 
AD.com Group: Corporate's Users:
1. C_USER1
2. C_USER2
3. C_USER3
4. C_USER4
5. C_USER5

[code]....
 
Now what I want to do is have 802.1x authentication on my Corporate SSID that will check in AD.com, ONLY AND in ONLY the Corporate group, for authentication. That is, only C_USER1 to C_USER5 are allowed to connect to it. Users from any other AD group shouldn't be authenticated on this SSID. The same for the Services group and SSID.


Cisco Wireless :: WLC4112 Based WLAN Cannot Reach Any Host But Gateway

Oct 29, 2012

We use a WLC4112 controller with a number of AP1010s.  My controller is uplinked to a 4500, which is then connected to a number of 2950s and 4000s, which are where the APs are connected.    All switches, as well as the WLC, are connected together using gig fiber, configured as trunk, with no trunk allowed VLAN restrictions. We operate a guest network on VLAN 4 (192.168.14.0/24), which aside from the internet gateway (192.168.14.3), provides a couple other services:

     dhcp (192.168.14.50)
     print (192.168.14.49)
 
The gateway is connected to a copper port set to access VLAN 4. The DHCP is provided via an Intel NIC configured for VLAN 4 (among others). The print server is a Hyper-V virtual NIC set to VLAN 4. There are also hard-wired ports that access this network in various parts of the building, all as "switchport access vlan 4." I have a "guest" network set up on the WLC, operating on dynamic port "Visitor", VLAN 4 (192.168.14.48). My wireless clients get an IP from my DHCP server, but cannot ping (or otherwise communicate with) any hosts EXCEPT the gateway (192.168.14.3), so they can get on the Internet without issue. The WLC itself can ping any of the aforementioned wired hosts, and all of the wired hosts can ping each other and the WLC. It is only the wireless clients that refuse to communicate with anything except the gateway. There are no routers in this network apart from the default gateway; this is a basic /24. All hosts are masked at 255.255.255.0. The wireless clients get an IP from 192.168.14.50, though they cannot ping it (but again, everything wired can). My other wireless network, the "corporate" network, does not display this behavior; everything can ping everything.


Cisco Wireless :: Unable To Access Web-based Configuration Using Host Name (WAP4410N)

Oct 17, 2010

I recently bought and installed a WAP4410N access point (using PoE) and it's running stable. I was able to access the web-based configuration by using the IP address of the AP (something like 192.168.0.184, coming from the DHCP of my router). However, I'm unable to access the web-based configuration using the host name of the device (mentioned next to the device name in the basic setup section of the web-based configuration). I changed the host name several times, but I can't connect to the device using the host name. Accessing the device by its IP address works, but I have to check the logging of my router to find out which IP address I have to use. Is there a way to access the device using the host name?

(I think my WAP4410N has firmware version 2.0.2.1 installed)


Cisco Wireless :: 5508 AP Group VLANs Feature Enable

Apr 7, 2012

I have a WLC (5508) and am trying to enable AP group VLANs based on instructions from: url... However, my problem is that I don't have the 'ap group vlans feature enable' checkbox.


Cisco Routers :: WRVS4400N Creating IP Based ACL For Vlans That Are Not Default

Aug 18, 2011

After a long effort I managed to get my WRVS4400N to work and provide a stable WLAN/LAN and to define all network devices in my home office. It is running the latest firmware (2.0.1).

I created a separate SSID and a VLAN for it (VLAN ID is 3 and IP is 192.168.1.xxx, while the default VLAN IP is 192.168.0.xxx).

My plan is to use that SSID/vlan for the kids and block some bad content for them via the router there.

I want to make an ACL for that VLAN, but in the computer list option I can only specify ranges in the default VLAN segment (192.168.0.xxx), while in practice I need the 192.168.1.xxx segment.

I can't switch to .0.xxx as some devices are hard wired to be .1.xxx on my network.


How To Configure IP Subnet-based VLANs Using Nortel 8600

May 25, 2011

How do I configure dynamic VLANs (IP subnet-based) using Nortel JDM? My company is now using port-based VLANs and it wastes a lot of time reconfiguring the port to its VLAN every time devices are moved from one place to another. So I think using IP subnet-based VLANs might solve the problem?


Protocols / Routing :: Users Internet Connection Based On Their Username Or Group In A Windows Environment?

Jan 12, 2012

I'm looking into a way of routing users' internet connections based on their username or group in a Windows environment. Currently there are two ISP connections, each with its own proxy server. I want a user to be fully redirected to one of the ISPs based on who they are. I was hoping this could be accomplished via IE proxy settings, but it looks like the primary ISP connection is still getting most of the connections/routing.


Cisco VPN :: ASA 5520 / Remote Access VPN - Allow Based On Ports

Jan 25, 2013

I have a Cisco ASA 5520 / ASA Ver: 8.0(4) / ASDM Ver: 6.1(3). I have configured Remote Access VPN and everything seems to be fine. I have created an Extended ACL and allowed a single host with a particular port.

After login with the AnyConnect client, I am restricted to accessing the single host configured, but not based on ports. I.e. I do not want the user to RDP to the allowed server, but only access the application based on the port that is allowed. But somehow it is not working.
 
How can I allow a user to access a server with the defined port only and no other service/port on the server?


Cisco AAA/Identity/Nac :: ACS 5.3 Host Internal Identity Store / Per Group Modification

Jan 24, 2012

I'm currently looking for a solution in order to restrict the modification of the host internal identity store (add or delete MAC host) per group. The default administrator roles do not include "per group restriction". Under the ACS I defined one group per department. My objective is to allow each department to access their ACS MAC database to add or delete MAC addresses as required.

How do I restrict the internal identity store per group? Do I need to create new roles? And how? I was not able to get an answer from the ACS ADMIN manual.


Cisco Switching/Routing :: 4506e Host Flapping Between Ports

Dec 6, 2012

Two days back my entire network was behaving in unusual ways. When I connect to the core switch (4506e) through the console: [code]


Open Up Certain Ports To Host Multiplayer Games On The Internet?

Mar 23, 2011

I am trying to open up certain ports to host multiplayer games on the internet on my computer and on Xbox 360. The only internet service provider is Primecast. I am able to open the ports on my router but the ports still show closed using the portforward.com port checker. I disabled all firewalls and anti-virus, no luck. I even connected my computer directly to the modem; the ports are still closed. The router is a Linksys WRT400N set to single band. The modem is an Alcatel, although there is no model number (it has a fiber optic connection, coax connection and 2 ethernet port connections). The condo is Cat 5 ready, so the router has multiple ethernet cables which go to the ethernet wall plugs throughout the apartment, which is how I connect to my desktop.

FYI: one of the games I am trying to play online is IL2 1946; people simply cannot connect. In another game, Company of Heroes, people cannot connect and I cannot connect to most games; it says there is a NAT issue when connecting.

PS When I go into ipconfig I now see IPv4 and IPv6, I don't know if that has something to do with it but to my knowledge these sections were not here previously (before I moved).

Win 7 x64
Intel I5 750 1186
12 GB Ram
1.5 Tb HDD in Raid Striping
ATI Radeon HD 5770


Cisco :: ACLs To Limit Ports With Client - Based VPN Tunnel

Jun 16, 2011

I have a customer I've built a WebVPN tunnel for. Users on this tunnel need to have HTTP access to a server at 10.1.1.12 and nothing else. That's fine, but in order for name resolution to work properly they need to be able to send DNS requests to 10.1.1.9. I'm working with two different access lists, my non access list (nat 0) and my split tunnel access list. I can't specify ports in the nat 0 access list, but I did try writing my split tunnel access list as follows:

-access-list split permit ip host 10.1.1.12 172.16.4.0 255.255.255.0
-access-list split permit udp host 10.1.1.9 eq 53 172.16.4.0 255.255.255.0

When I do that users can access the 10.1.1.9 DNS server, but they can hit it on anything (ping, 3389, etc.). I'm trying to figure out how I can limit them so they will only be able to pull DNS but nothing else. They have the AnyConnect Essentials license, so unfortunately a clientless VPN is not an option. Is there some other access list I can interpose that will limit things the way I want?


Cisco Wireless :: Wlc2112-k9 802.1x Dynamic Vlans On Multiple Ports

Mar 16, 2013

I have a wlc2112-k9. I have successfully set up a WLAN with 802.1x authentication and dynamic VLAN assignment. The issue I have (and maybe it isn't an issue and just the way the controller works) is that if the VLAN interfaces I have defined are connected to different ports from the default interface for the WLAN, it doesn't work. So for instance, I create my WLAN and set the interface to the management interface (which is connected to port 1). I then define all my other VLAN interfaces that could be returned by my RADIUS server. [code]
 
Port 1 is configured on the switch on VLAN 21. If the RADIUS server returns a VLAN ID of 102, 104 or 106 my client successfully connects to the WLAN but it gets put on VLAN 21. However, if I move the VLAN interfaces above over to port 1 the client correctly gets put on the correct VLAN. All ports on the switch are configured as trunks with the native VLAN set to the corresponding value that is set on the WLC.
 
Is this just the way the controller functions? That it can't assign a client to a different interface that is connected to a different port from the default one set up when the WLAN is created? I would have just thought that if the RADIUS server returned VLAN 102 it would find that interface and connect the user session via that interface regardless of the port it is configured on.


Cisco Switches :: SG 300-10 - Mapping Fiber To Ethernet Ports (VLans)?

Jul 25, 2011

The incoming fiber on ports 9 and 10 is on different subnets. I need to map the subnet on port 9 to ethernet ports 1-9, and port 10 is on its own. I have the device IPv4 address set to a static address on the same subnet as port 9. I don't know if there's an easier approach, but I attempted to map the ports using VLANs (see the attached screenshots). We don't yet have the fiber link established for port 10, so I haven't had a chance to test, but I wanted to confirm that my configuration is sound. I used the default VLAN for ports 1-9, because I need to manage through that subnet. I added VLAN 10 for port 10, but I don't know if I have it configured correctly.


Cisco Switching/Routing :: 3550 - Set Up With 6 VLans And 2 Trunk Ports?

Oct 9, 2012

I have a test switch (Cisco 3550) that I want to set up with 6 VLANs and 2 trunk ports. I want to be able to access a virtual server connected to the trunk ports from the switch ports. Ports Fa0/1 to 8 are in one VLAN, ports Fa0/9 to 16 in another VLAN, etc. Ports Fa0/47 and 48 are the trunk ports. This is a lab environment, so the switch is the only device being used.


Cisco Switching/Routing :: Pass Vlans Across FE Ports On 1841 Router?

Nov 6, 2012

Due to upcoming changes to our network I'd like to be able to pass VLANs across the FE ports of a Cisco 1841 router. One port would go to a managed switch and then to local devices on different VLANs. The 2nd port would go upstream to a Cisco 3825 at a different location which would then connect to the internet. Due to monitoring behind the Cisco 3825 we would like all NAT to occur on the 3825.
 
What I would like to happen is this: for example, a device connected to port 7 on the managed switch gets an IP (10.0.7.10) from the Cisco 1841 in VLAN 7 (10.0.7.0/24). Traffic from that device goes to the switch, then in f0/1 on the 1841 and out f0/0 still with the same IP info, no NAT occurring. Traffic is received on the 3825 port 0/1 and then NAT occurs and it goes out port 0/0 to the internet.


Allocating IP Addresses To Network?

Aug 20, 2012

I'm planning to set up a network with more than 300 PCs. I know that using a class C address is not enough to allocate the number of IP addresses required. What I mean is that if I use the network address 192.168.1.0 (class C), it will allow only 256-2 = 254 IP addresses. What about the other PCs in the network?


Allocating Bandwidth / ASUS WL-520GU?

Apr 13, 2011

I have an apartment with a shared internet connection with a roommate. I'm paying for all internet costs because he says he "doesn't use it as much as I do". He frequently slows my connection down by downloading movies and probably porn. Time to bottleneck this douche.

I have an ASUS WL-520GU. All four slots are hardwired: my computer, his computer, PS3 in the main room, printer. Plus several mobile devices are connected via wireless throughout the day. I only want to bottleneck his computer. How do I do it?


Cisco :: DHCP Not Allocating Address When Crypto Map Applied

Dec 12, 2012

I have a Cisco 887 connected as a temporary measure to a 3G device via a fast0 port. All works fine, the VPN comes up... but the moment I apply the crypto map to the VLAN, DHCP stops allocating IP addresses. I have removed irrelevant config (dialer, ATM etc. as they are not being used).

Config below:
ip dhcp excluded-address 10.29.80.253 10.29.80.254
ip dhcp excluded-address 10.29.80.1 10.29.80.229
!

[Code]......


Cisco Application :: Monitoring And Allocating Resources On ACE20-MOD-K9

May 16, 2012

We are currently running an ACE20 with 11 contexts. Recently we have seen that one of the contexts is being 'starved' of resources, especially Concurrent Connections, Bandwidth and Throughput.
 
Whilst we know how to address this situation by reallocating resources from less busy contexts, I was wondering if there was a more scientific way of looking at the resources being used and calculating the best way to allocate them across the ACE other than just looking at the 'show resource usage' and 'show resource allocated' commands?
 
Has Cisco or any other 3rd party developed a handy tool to monitor the ACE resources which will possibly assist with calculating the optimum resource allocations across all contexts?


Cisco :: HREAP Not Allocating Correct Ip Address WLC4402

Mar 20, 2011

I have two sites. The main site (local) has two VLANs: VLAN 1 and VLAN 2. Each has its own IP address range. VLAN 1 is the default VLAN and is used for CORPorate traffic, IP range 10.33.4.*. VLAN 2 is for guest access to the internet, IP range 10.10.10.*. I have a WLC4402 on this site with 2 WLANs: CORP on VLAN 1 and GUEST on VLAN 2.

The branch site (remote) has 2 VLANs: VLAN 1 and VLAN 2. Each has its own IP address range. VLAN 1 is the default VLAN and is used for CORPorate traffic, IP range 10.125.15.*. VLAN 2 is for guest access to the internet, IP range 10.10.11.*. I have an 1141 on this site using HREAP.

Locally, if you connect to CORP, you get a CORP IP address and access to the CORP network. If you connect to GUEST, you get a guest IP address and guest access to the guest network. Simple so far....
 
Remotely, if you connect to CORP, you get a CORP IP address 10.125.15.x and access to the CORP network (great). If you connect to GUEST, you get a CORP IP address 10.125.15.x and access to the CORP network (not great). This is with the HREAP native VLAN ID for the access point set to 2 on the controller. If I set the native VLAN ID to 1 on the controller, I cannot get an IP address at all. If I do not set the native VLAN ID on the controller, I cannot get an IP address at all.


Cisco Switches :: VLAN Port Membership Via SNMP On SG300-28

Sep 4, 2011

Are there any snmpset commands to modify port VLAN membership on SG300-28 switches? I checked [URL], however this information is apparently only valid for Catalysts.
 
The latest firmware is installed and the provided MIB files are used.


Cisco Switches :: VLAN Membership Lost After Reboot SG300-20

Aug 31, 2012

I have two Cisco SG300-20 switches. Both of them are configured in L3 mode. They have several VLANs configured.
 
When I reboot my switches some VLAN membership settings are lost! I have already saved the settings over and over before rebooting, and even tried to save them to the backup memory and so on. Say for example I have changed ports 9 to 14 from VLAN 101 to VLAN 105. I save the configuration and reboot the switch. And then the changes are lost. This is a big problem, because servers and my iSCSI network lose connectivity. They already have the latest firmware. This issue was there three firmwares before.
 
This issue pops up when I have a power loss, or I need to reboot/shut them down manually. It may be off-topic, but I also have the feeling that the performance of the switches goes down during uptime. A reboot solves the performance issue. I don't have a performance benchmark, but I can notice it in the transfer rate between clients and servers.


Cisco :: 3700 Layer 3 Switch - Cannot Find VLAN Membership Command

Nov 8, 2012

I can't find the vlan-membership command on my 3700 layer 3 switch. I've searched Google on whether the command has been upgraded to a new syntax, to no avail. I'm using GNS3 and the IOS is c3725-adventerprisek9-mz.124-25d.bin


Cisco VPN :: ASA 8.4 LDAP Group To ASA Group Policy Mapping?

Jul 31, 2012

I try to map LDAP Group to ASA Group policy following documentation:
 
[URL] 
 
This is a config for ASA 8.0. I would have expected it to work on 8.4 as well, but I do run into problems. The mapping as shown in the LDAP debug and ASA log will actually happen, but it is overwritten by the "GPnoAccess" group policy configured locally in the tunnel group. From earlier work with RADIUS I would have expected the user-specific attribute to be "stronger"?
ASA Log:
 
AAA retrieved user specific group policy (correct Policy) for user = XXX
AAA retrieved default group policy (GPnoAccess) for user = XXX

Copyrights 2005-15 www.BigResource.com, All rights reserved