Cisco :: ACS 5.3 Certificate VLAN AD Mapping

Jul 25, 2012

We have ACS 5.3 and 1042 AP. So we need to authenticate the client based on user certificate, and after that to put the client in a specific VLAN based on membership in an Active Directory group.
 
Is it possible to do that? We can not solve the problem of identity store, once the user is authenticated based on regular certificate, we need to authorize the same user based on the specific attribute from AD.

View 1 Replies



Cisco Wireless :: H-Reap Vlan Mapping Groups On WLC 5508

Feb 29, 2012

I'm configuring a WLC 5508 (version 7) with H-REAP local switching. All is working, yet I wonder if the VLAN mapping can be done better. Currently I need to go into each Lightweight Access Point, enable H-REAP, then set the native VLAN, with the final step to map the VLAN. This needs to be done for each AP. In an environment of 100's of APs it would take forever. (I thought one of the main points of the WLC is centralized management.)

View 1 Replies View Related

Cisco Wireless :: AIR-CT5508-K9 - VLAN Mapping Missing In LWAP

Mar 11, 2013

I am running a big wireless network, with 20no of 5500 with 7.0.116.0 version. I have more than 20,000 APs. If I add some config in the primary controller or do some changes or reboot, all the APs are moving to the backup controller. This doesn’t have any problem, but many APs which moved to the backup controller are losing VLAN mapping. This happens every time. Primary --> backup, backup --> primary. Both controllers have same vern...same config etc..
 
AP model: AIR-LAP1252AG-A-K9
Controler model: AIR-CT5508-K9

View 15 Replies View Related

Cisco Wireless :: 5508 / H-REAP LWAPs Losing VLAN Mapping When Fail To Secondary WLCs

May 2, 2011

I have three 5508 WLCs, running code 7.0.98.0 supporting 100+ LWAPs in H-REAP mode. The LWAPs are servicing 2-3 WLANs each. Some are using central authentication and local switching, some are configured for central authentication and central switching. When the LWAPs fail from one WLC to another WLC, the LWAPs lose all of their VLAN mappings and pick up the VLAN of the management interface on the new WLC.

All WLANs are configured to use the management interface on the WLC and the VLAN mappings are configured per LWAP on the H-REAP properties tab. The WLAN ID numbers and all the WLAN settings are the same across all 3 WLCs. I have created AP groups on all 3 WLCs and the AP group config matches across the 3 WLCs.

I can get the LWAPs to keep their VLAN mapping by creating an interface on the WLC with the VLAN ID of the locally switched/remote site VLAN and then setting the interface for the WLAN to the new interface. However, then the WLAN doesn't work, because the centrally located WLC doesn't have the remote site VLAN. It also seems to keep the VLAN mapping if I create the locally switched/remote site VLAN interface on the WLC , and point the WLAN to the management interface. This shouldn't be a necessary step though... In H-REAP with local switching, the LWAPs aren't using the interface on the WLC.

I found a note in the 7.0 WLC config guide that explains why the VLANs are picking up the management interface VLAN, but that same note says the VLAN mappings can be changed per LWAP/WLAN!

From config guide: For hybrid-REAP access points, the interface mapping at the controller for WLANs that is configured for H-REAP Local Switching is inherited at the access point as the default VLAN tagging. This mapping can be easily changed per SSID, per hybrid-REAP access point

Using H-REAP and been able to get the LWAPs to keep the VLAN mapping when failing from one WLC to another?

View 9 Replies View Related

Cisco AAA/Identity/Nac :: %ASA-3-717009 / Certificate Validation Failed / Certificate Date Is Out-of-range

Jan 30, 2012

There is an ASA with remote access VPN and users are authenticated using third-party signed certificates (CA is not local in ASA). When a user certificate expires I can see it in syslog messages. For example:
 
     %ASA-3-717009: Certificate validation failed. Certificate date is out-of-range, serial number: (...)
 
I would like to know if there is an opportunity to view user's certificate expiry date beforehand, say, 3 days before?

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ISE 1.1.1 Don't Have Certificate Authority Certificate Anymore?

Oct 19, 2012

I am working on ISE 1.1.1; surprisingly, I couldn't find the certificate authority certificate at certificate operation anymore.

Would it be a change in the GUI? So now where can I import the CA certificate to ISE?

View 5 Replies View Related

Cisco WAN :: Static IP Mapping For 891 Router

Jun 22, 2011

Cisco 891 does Static IP mapping and where I can get instructions how to use Static IP Mapping? Is the Static IP Mapping done through CLI or through the CCP?

View 5 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.2 And AD Group Mapping?

Apr 7, 2011

We have ACS 4.2 and it has been integrated with AD. Now, a new user group has been added in AD but we are not able to see that new AD group in ACS to do the mapping. We have refreshed the agent in ACS and also have restarted the ACS agent in AD. But still we are not able to fetch the new AD group in ACS in group mapping. Any way to fetch the new group in ACS from AD?

View 1 Replies View Related

Mapping A Network Drive Over A VPN?

Apr 5, 2012

Is it possible to map a network drive over a VPN? Users in my company connect to a remote site using VPN (PPTP) and I am wondering, can I map a drive to the PC I am on from the remote network while connected to VPN?

View 10 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Group Mapping Based On (G-CRP-SEC-ENG)

Apr 30, 2012

I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the user's specific AD group membership, and match appropriately to an identity group. What I'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. Then under the access service, authorization portion, I assign shell profiles and command sets based on Identity Group. It seems that the ACS server will not match the AD Group for the user, and it will match the Default of the Group Mapping portion of the policy every time.

I tried several configuration choices from: AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>. Is there something special I need to do in the Group Mapping Policy to get it to match an Active Directory group and result in assigning the host to an Identity Group?

View 7 Replies View Related

Cisco Firewall :: Port Mapping On ASA 5505?

Jun 6, 2011

How do you enable multiple port mapping on ASA 5505? I want to use 1 static IP address for RDP connection for 15 users, and the port will start from 3390 to 3340.

View 4 Replies View Related

Cisco :: Cat4500 Network Mapping Tools?

Jul 16, 2012

I have a medium environment with 2 x Cat4500 switches and 50 x Cat3650 plus a few Cat3750 switches. I'm looking for a network mapping tool to map all the network equipment so I can easily manage or troubleshoot the network. It doesn't matter if it's free or paid but something I can try first before I buy.

View 1 Replies View Related

Cisco Firewall :: Mapping Servers Behind An ASA5505?

Nov 12, 2012

I have the following configuration: An ASA5505 with Security bundle license sits at the perimeter with a single public IP address assigned to VLAN2 (outside) out of a /29 block. I have two servers with static IP addresses of 10.70.21.6 and 10.70.21.7 connected to the inside ports with default gateway of 10.70.21.1 (which is the IP address for the VLAN1 inside). I have already configured a default static route and NATing (PAT) so we have internet connection for the PCs. Now I need to configure the ASA to allow remote desktop connection to the servers (with static IP addresses above). Can I use a spare public IP address for each server and if so, what's the syntax? Or is there another method? I have used this before but I had a Cisco 2811 router on the perimeter so the syntax was at then: ip nat inside source static 10.30.1.248 81.85.199.44

View 6 Replies View Related

Cisco :: 5508 WLC - FlexConnect WLAN Mapping

Aug 12, 2012

We have a 5508 WLC recently updated to 7.2.110.0 since we are using CAP3602I-N-K9. This AP is intended to work as an H-REAP device, and even though it is registering to the controller I can't get to see the WLANs on the list to map them to the local VLANs.
 
I have verified that the WLAN is configured for local switching and have also followed the steps listed here: URL

Still can't see the WLANs under the FlexConnect tab on the AP?

View 2 Replies View Related

Cisco Wireless :: 4400 DSCP Mapping Toward 802.11e QoS

Aug 18, 2009

According to product bulletin no 3209 for the Cisco 4400 series, the Access Point supports 802.11e WMM.

My question goes to DSCP mapping: according to IEEE and your bulletin the DSCP field in the IP header should be set to 46 (10110 00) for mapping to a 802.11 QoS voice priority 6/7. But my Wireshark trace revealed 4400N is mapping toward with 802.11 QoS is set to Priority 5 Video.

If I google DSCP mapping toward 802.11 QoS, all IEEE documentation I found says EF/Voice should have 46 or 101xxx in the DSCP IP field but running through Cisco and HP docs gives 46 or 48 as value, that is the correct value. [code]

View 5 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.2 User Group Mapping?

Sep 12, 2012

We are using ACS 4.2.1.15 with patch 8 on ACS 1113 SE box.
 
Our requirement is to assign an ACS local group to a user on the basis of Windows NT group. Which means I don't want to create individual users in ACS; rather, when a user logs in, the auth request will be forwarded to AD (remote database). Depending on the remote database group the user should be mapped to the local database.
 
For this I have configured "database group mapping" according to the following Cisco guide. [URL]

However, whenever my AD users are authenticating they are getting the membership of the default group as configured in the "Default" profile. I am using TACACS+ protocol in my routers and switches for authentication.

Does "Group mapping by External user database" work with TACACS+ or only with RADIUS protocol? If it works with TACACS+, what other configuration needs to be done so that my ACS can map users to proper groups instead of the default group?

View 4 Replies View Related

Servers :: DNS Mapping Does Not Work On Computers?

Jun 25, 2012

I've been trying to map a specific domain name (say a.net) to a local (static) IP of a computer on that specific network, running Apache and used as a server. I did this by setting the Static DNS mapping configuration on my Dynalink RTA-1025W management panel. That works flawlessly on my iPhone and iPad, but does not work at all on any computer - desktop or laptop, Mac or PC, WiFi or LAN (tried a few desktop PCs, an iMac, a PC notebook and a MacBook Pro). On all of them, the browser is incapable of resolving the DNS mapping, showing an error such as "Server Not Found". The only way I could override that behavior is modifying the hosts file, and that is not a solution for me, as the network is used by guest machines (say, as a public WiFi in an hotel). Is there a better approach for that?

View 16 Replies View Related

Mapping A Network Drive By IP Address?

Dec 13, 2012

if it is possible to map a network drive by IP address.

View 1 Replies View Related

Cisco Switching/Routing :: 1841 Static Nat Mapping

Jan 5, 2013

I guess I am just getting old and forgot how this works, or I have an IOS load with an undocumented feature in it. A customer of ours wishes to have their Exchange server appear to the outside world on a separate IP address as their public pool address is. In the past this has not been an issue, however in the current configuration we are unable to get the source address to appear per the NAT statement; it always sources on the overloaded IP. Below is the relevant NAT config. Am I missing something, or have I hit an IOS feature? [code] There is a 45% chance I have forgotten everything I learned on the NOC desk and a 50% chance that it is something really stupid and 5% IOS is broken

View 5 Replies View Related

Cisco Routers :: RVS4000 Static IP Mapping Does Not Work

Mar 1, 2013

Using an RVS4000 with firmware v2.0.3.2 I am able to delete 'setup/lan/static ip mapping' entries, but I am unable to add any. After deleting an entry, hitting save (which reboots the router) and then trying to enter the same device with a different static IP address, the "add" button has no effect.

View 2 Replies View Related

Cisco :: Mapping File Structure From LMS3.2.1 To LMS4.2

Oct 9, 2012

In LMS3.2.1 we have NMSRoot/log/syslog.log where syslogs are being logged actively from managed devices. I couldn't find the same in LMS4.2. I am configuring LMS4.2 from scratch and in the hope of making the transition from old LMS3.2.1 to LMS 4.2, I am planning on assigning the old LMS's IP to the new one, basically changing the IP address of LMS4.2.

View 10 Replies View Related

Cisco Switches :: SF200 Port Mapping Function

Mar 14, 2013

I was able to configure (via SF200 web interface) a port mapping from port FE17 to FE7. I have suppressed this port mapping.

When I try to reconfigure a port mapping from port FE17 to FE3, the SF200 web interface crashes. The SF200 seems to reboot.

I have updated the SF200 firmware from V1.1.2.0 to V1.1.2.9.44. Then I was able to configure (via SF200 web interface) a port mapping from port FE17 to FE7. But after having suppressed this port mapping again, I was not able to reconfigure a new port mapping from port FE1 to FE3 (the SF200 hangs).

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS5.1 - AD And RADIUS Attributes Mapping

Aug 18, 2010

I'm trying to dynamically assign IP addresses for VPN users from AD (without IAS service). I know that there is a restriction that "Dial-in users are not supported by AD in ACS" (note in "acsuserguide51") but I'm not exactly sure what I can and can't do with it. In "Authorization Profiles" in the RADIUS Attributes tab I try to manually add a specific attribute (Framed-IP-Address).
 
I have no problem (everything works just fine) with static address assignment in a way as below:

AD is already integrated with ACS and I've managed to download Directory attributes especially msRADIUSFramedIPAddress
 
When I change "Attribute Value" from static to dynamic type I see the option to select AD (but "Select", which should list all available attributes, is empty)
 
I know that I can do it directly (ASA <-> AD attribute mapping) but I want ACS to do it

View 5 Replies View Related

Cisco VPN :: 5520 Attribute Mapping Not Taking Affect

Oct 2, 2012

I'm in the throes of configuring my 5520 to supply different group policies based on LDAP group membership. I'm finding that no matter what I do only the default group is applied. I'm sure it'll be a simple fix - but I just can't see it. [code]

View 4 Replies View Related

Cisco VPN :: Mapping Network Drive On WRVS4400N Router

Mar 13, 2011

I have a WRVS4400N router and have successfully connected via Quick VPN Client 1.3.0.3 from my laptop running XP. I can ping any IP on my network, I can access HTTP addresses and remote desktop (VNC) applications but I cannot map a network drive.

The network drive is on a PC running XP. I have tried mapping using the system name as well as the IP and neither works. There are no problems mapping the drive(s) when connected directly to the router LAN/WLAN.

View 1 Replies View Related

Mapped Network Drives Un-mapping At Boot?

Jan 17, 2011

I have several computers on a network hooked to a server. All of these computers are running XP and are mapped to a drive on my server. The problem is, once in a while the mapped drive will suddenly not be there. I can manually remap them and sometimes I have to remap 2 or 3 times before it keeps.

View 5 Replies View Related

Mapping A Shared Ubuntu Drive In Windows 7?

Jul 7, 2012

I have never had to share an Ubuntu drive to Windows before, and I never thought it would end up being this difficult. What I need to do is share my 500gb drive in Ubuntu, it is a secondary drive, not the primary with the OS on it, to my Windows XP and my Windows 7 machines. So far I have Samba installed on the Ubuntu machine and I have formatted and set everything up. The issue is that I just can't figure out how to connect to it in Windows because when I use the map network drive feature it says something about no network found.

View 1 Replies View Related

D-Link DIR-655 Router For Mapping Network Drives?

Aug 13, 2011

I have W7 and the D-Link DIR-655 router. I just replaced the same router that crapped out on me. I'm online with no issues but for some reason, I can't map some of my computers to one another. At first, it seemed like it was going well on a couple of them. Others ask for the Windows password. I'm not sure, but I think it's the Homegroup password? I remember one of the homegroup passwords and all computers are joined, but the only password I recall/know isn't working on any computers.

Questions: Can't I map network drives through the router functionality and do away with the homegroups altogether? I'd really like to do that. I'm not really impressed with homegroups.

If the answer is no, how the heck do I figure out or get new passwords? This wasn't an issue in the past. Not sure if somehow, I changed a setting? While searching around, I found the "manage credentials" area. Never noticed before.

View 19 Replies View Related

Mapping Network Drive On Netgear Switch?

Aug 24, 2012

I am running XP Professional 32 bit SP3 on a Dell workstation. I am in a serviced office with internet connection via single ethernet port. This is set up as a VLAN for which I have 4 assigned IP addresses. I am using a Netgear GS605v4 switch to create a small network on my side of the port. Hooked to this is the workstation, the mybook live, and a laptop. All 3 connected components are assigned their IP addresses by DHCP. Both the workstation and the laptop can see the internet without difficulty. The networking of the components is another matter. Focusing on the workstation for the moment: On the workstation, I can ping the mybook. I have always been able to see its upnp logo in My Network Places, and double clicking always takes me to the web browser based dashboard where I can set up the device. I was initially able to see the public folder in My Network Places too, and could map a drive to this in an Explorer window. Typically after some time, the mapping would be lost (even without re-booting the machine), but I would be able to delete the connection and re-map it. After several attempts at this I could no longer map the drive or see the public folder in My Network Places anymore. After much internet searching and playing with lots of the suggested fixes (checking all required services available, matching user names between XP and the drive, playing with 'net view' etc) I was finally able to see and map the public folder yesterday by playing with the 'enable netbios' function in network connections (currently set to 'enable' from 'default' though this had not made any difference previously). I could see the drive in 'net view' though no master browser was listed, and once again map to the public folder, and access files on it. On turning on the workstation this morning I find that the mapping has again been lost. This time net view is back to reporting a system 53 error.
I can ping the drive and use the dashboard, and I can see the public folder in My Network Places, but clicking it or mapping to it results in the usual 'network path not found' errors. The laptop is running Windows 7 and has not lost its mapping overnight, and can still access the public files.

View 2 Replies View Related

Sharing :: Mapping Network Drive Windows XP

Aug 8, 2011

At work we have a private network set up so that any computer that is plugged into the wall is on the same network. (i.e. all ip addresses are identical except for the last block of numbers) All machines are running WinXP. We have one computer set up as a file server (computer with shared folders) that is plugged into a wall socket. We have 3 other machines that can see and access the shared folder on the server computer once they are plugged into a wall socket. The odd thing is that these 3 machines have different settings as far as I can tell. They are all on different workgroups but they have no problem finding the shared folder. However, when I go to plug my laptop into a wall socket, I am not able to map a network drive. The error msg says it cannot find the drive. I have my laptop set-up on the same workgroup as the server computer and the server computer can see my laptop. But when I double click on my laptop in the server computer workgroup I get a msg saying permission is denied.

My laptop can connect to the internet, but cannot find the shared drive. I have tried turning off my laptop firewall, the server firewall, both firewalls etc with no success. In my Local Area Connections I have the following all enabled "Client for Microsoft Networks", "File and Printer Sharing for Microsoft Networks", "QoS Packet Scheduler", "Internet Protocol (TCP/IP)".

View 5 Replies View Related

Cisco Firewall :: 5520 - Static Mapping On ASA From IPv6 To IPv4

Dec 7, 2011

ASA 5520 running 8.2
 
Is it possible to do static (inside,outside) with the outside address being IPv6 and the inside IPv4?
 
If yes, is it possible to do this in parallel with an existing static mapping that goes IPv4 to IPv4?

View 3 Replies View Related

Cisco AAA/Identity/Nac :: 5545 Ldap Mapping Is Not Working / It Allows All AD Users

Feb 28, 2013

I've configured LDAP authentication on ASA 5545 to allow only a certain user group. I mapped the memberOf group but this seems not to be working as it allows all AD users. [code]

View 1 Replies View Related

Cisco Switches :: SG 300-10 - Mapping Fiber To Ethernet Ports (VLans)?

Jul 25, 2011

The incoming fiber on ports 9 and 10 are on different subnets. I need to map the subnet on port 9 to ethernet ports 1-9 and port 10 is on its own. I have the device IPv4 address set to a static address on the same subnet as port 9. I don't know if there's an easier approach, but I attempted to map the ports using VLANs (see the attached screenshots). We don't yet have the fiber link established for port 10, so I haven't had a chance to test, but I wanted to confirm that my configuration is sound. I used the default VLAN for ports 1-9, because I need to manage through that subnet. I added VLAN 10 for port 10, but I don't know if I have it configured correctly.

View 4 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved