ISE Auth policy based on MAC OUI and SSID

I was blocking certain consumer mobile devices from my production WLAN on ACS using this process -
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
The MAC OUI is referenced in the CLI field of the NAR, and the SSID is in the DNIS field.
Anyone know how to do this on ISE?  Two questions -
1) I can match based on WLAN-ID, but not SSID.  My WLAN-IDs for the same SSID don't match between controllers.  Do I need to change this and make sure all WLAN-IDs map to the same SSID on each controller?  Or, is there a different attribute I can use that refers to the SSID?
2) What attribute do you use in ISE Authorization conditions to match OUI?  And can I match a list of OUIs?

1) I have never seen the actual SSID name anywhere in the RADIUS attributes coming from the controller. I always use airespace-wlan-id, and if you want to avoid creating multiple rules, make the IDs the same on all controllers.
2) Well, the OUI is part of the MAC, so you could maybe use RegEx to filter out specific OUIs. Another way, if you have the advanced license, would be to use Profiling; then ISE would do all the hard work of classifying what device is attempting to connect, and you could use that in your authorization policy, e.g. "Profiled:Iphone".
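As an added example (not code from this thread or from Cisco), here is the rule the reply sketches, evaluated in Python against the two RADIUS attributes ISE would see for a wireless request: Calling-Station-Id (the client MAC, whose first three octets are the OUI) and Airespace-Wlan-Id. The OUI list is turned into the regular expression you would paste into the ISE condition, so it can be checked locally before deployment, and the set-based check beside it is the readable equivalent. The OUIs and the WLAN-ID are constructed placeholders, and the block assumes the controllers have been aligned so the production SSID carries the same WLAN-ID everywhere, as the reply recommends.

```python
import re

# Constructed sample data for this example (not values from the thread):
# OUIs of the consumer device vendors to keep off the production SSID, written as the
# first three octets of the MAC. Replace them with the real vendor prefixes you block.
BLOCKED_OUIS = {"00:11:22", "AA:BB:CC"}

# Assumed: every controller maps the production SSID to the same Airespace-Wlan-Id,
# so a single rule covers all controllers.
PRODUCTION_WLAN_ID = 3


def normalize_mac(mac):
    """Canonicalise any of the formats a NAD may send in Calling-Station-Id
    (00-11-22-33-44-55, 00:11:22:33:44:55, 0011.2233.4455, 001122334455)."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % (mac,))
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def oui_of(mac):
    """First three octets of the normalised MAC, e.g. '00:11:22'."""
    return normalize_mac(mac)[:8]


def oui_regex(ouis):
    """Build one pattern matching any listed OUI at the start of Calling-Station-Id,
    tolerating '-', ':' or '.' separators (or none). This is the RegEx the reply
    suggests putting into the ISE condition on Calling-Station-Id."""
    alternatives = []
    for oui in sorted(ouis):
        a, b, c = oui.split(":")
        alternatives.append(a + r"[-:.]?" + b + r"[-:.]?" + c)
    return re.compile(r"^(" + "|".join(alternatives) + r")", re.IGNORECASE)


BLOCKED_RE = oui_regex(BLOCKED_OUIS)


def authorize(radius_attrs):
    """Evaluate 'blocked OUI on the production WLAN -> DenyAccess' against the RADIUS
    attributes of one access request. Anything else falls through to PermitAccess,
    standing in for the rest of the authorization policy."""
    mac = radius_attrs.get("Calling-Station-Id", "")
    try:
        wlan_id = int(radius_attrs.get("Airespace-Wlan-Id", 0))
    except ValueError:
        wlan_id = 0
    if wlan_id == PRODUCTION_WLAN_ID and BLOCKED_RE.match(mac):
        return "DenyAccess"
    return "PermitAccess"


if __name__ == "__main__":
    # Constructed requests: a blocked vendor on production, the same device on another
    # WLAN (dotted MAC format), and an unlisted vendor on production.
    for req in (
        {"Calling-Station-Id": "00-11-22-33-44-55", "Airespace-Wlan-Id": "3"},
        {"Calling-Station-Id": "0011.2233.4455", "Airespace-Wlan-Id": "5"},
        {"Calling-Station-Id": "DE-AD-BE-EF-00-01", "Airespace-Wlan-Id": "3"},
    ):
        print(req["Calling-Station-Id"], "wlan", req["Airespace-Wlan-Id"], "->", authorize(req))
```

The regex is anchored at the start of the attribute and case-insensitive because different controller software sends the MAC in different separator styles and letter cases; a pattern that only matches one style silently stops blocking when a controller is upgraded. If the WLAN-IDs cannot be aligned, the equivalent is one rule per controller keyed on NAS-IP-Address plus that controller's WLAN-ID.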

Similar Messages

  • Cisco ISE auth policy based on Active Directory domain membership

    I am currently testing the Cisco ISE product and I am trying to find a way to assign an authorization policy based on domain membership. Our company sorts standard users and project team members into different domains, so it seemed like the ideal thing to sort with. Unfortunately, I am no AD expert and there are a mind-boggling number of conditions/expressions to choose from. I figured I would be the first person to try this. What have others done to solve this problem?
    I have tried using the memberOf attribute and matching to .*(domain).*, basically looking to see if memberOf contains the domain name. It works for machine authentication, but when I log in the system cannot find my account info for some reason and boots me to the guest VLAN.
    Thank you.

    Are the two sets of users actually residing on two separate and independent domains? If so then that is probably where your problem is as ISE can only integrate with a single domain. If you have multiple domains then there must be a trust relationship between them. Another solution is to use LDAP integrations as there is not a limit with LDAP integrations.
    Thank you for rating!

  • ISE Auth Policy with Converged Access

    Hi
    I'm setting up Dot1X authentication using ISE 1.3 and 5760/3850 WLAN controllers. The problem is that I'm not able to match my authentication policy defined on ISE. It jumps directly to the default policy; I'm using Called-Station-Id = SSID but it is not able to match this.
    I have configured this before on WLC AireOS but not with converged access. Is there something that needs to be done on the 3850 WLC to send this info to ISE?

    Yes, I can see that everything is working, with certificate and other stuff. It is only that it is not matching the SSID.
    I have tried different ways to do the SSID filtering:
    NAS-Port-Id Equals SSID,
    Called-Station-Id Equals SSID
    But none of these works. Does anyone know if I have to do something different when doing this setup through converged access?

  • ISE AuthZ policy based on FlexConnect Group

    Hi all,
    I understand that it is possible to have the WLC send different NAS-ID attributes to the Cisco ISE so that I can create specific AuthZ policies based on that NAS-ID attribute.
    The only thing is that I cannot see anywhere in the FlexConnect AP Group config that allows me to choose the format for the RADIUS request. I can only see it when adding a RADIUS server in Global Configuration.
    So how can I define the attribute that is sent to the ISE?
    Thanks
    Mario

    I don't remember there being a NAS-ID attribute for FlexConnect groups. There is one for AP Group and WLAN.

  • Introduce second default gateway into policy-based routing and optimization

    Questions:
    1) How to get the second PBR_DEFAULT_GATEWAY address 10.20.20.3 into the policy-based routing for redundancy?
    2) Any optimizations as more and more traffic (policy-based routed and otherwise) goes through interface Gi1/0/1?
    Address range A.B.0.0/16 represents assigned Internet-routable addresses.
    Network also uses 10.0.0.0/8, 172.16.0.0/20, 192.168.0.0/16.
    DEFAULT_GATEWAY router participates in OSPF and injects the default routes 0.0.0.0/0 10.10.10.1 and 0.0.0.0/0 10.20.20.1 into OSPF.
    PBR_DEFAULT_GATEWAY router participates in OSPF but filters out default routes injected by DEFAULT_GATEWAY router.
    ROUTER_A participates in OSPF and receives default routes injected by DEFAULT_GATEWAY router.
    ROUTER_A contains the attached policy-routing configuration that allows the subnet A.B.30.0/24 to route anywhere on the network and uses PBR_DEFAULT_GATEWAY as the way out.

    Ok, I will see if I can run out to work and try this today.
    After thinking about this, if I need to get to local IP addresses (192.168.1.0 and 192.168.128.0), I might have to change my route map to include those ranges in an ACL, then assign 172.20.200.1 as the gateway to get to those networks, with the last statement being the traffic to be sent out the firewall,
    for instance
    ! Access to one of my local networks
    access-list 101 permit ip 172.20.200.0 0.0.0.255 192.168.1.0 0.0.0.255
    ! Send Internet traffic to ASA/PIX
    access-list 172 permit ip 172.20.200.0 0.0.0.255 any
    !
    route-map pix-172-20-200 permit 10
     match ip address 101
     set ip next-hop 172.20.200.1
    route-map pix-172-20-200 permit 20
     match ip address 172
     set ip next-hop 172.20.200.2
    and so on?
    I know I need to be in front of my switch to test the change from set ip default next-hop to set ip next-hop...
    I want to make sure I can still get to the local networks I need to get to.
    I appreciate all your help, and I will test this later on today.
    Thanks
    Don Hickey

  • Graphite base station not working with my Intel Based Mac Mini and iPhone.

    My AirPort Express died after 2 years of use. I had to resort to plugging in my old but still functioning Graphite AirPort base station. Since the setup assistant on my Mac mini does not work with the older base station, I used my G4 400 tower to set it up. I got it working and tested the connection. On to testing my iPhone. It sees the new network. Password is entered and the wifi icon shows full signal strength, but does not connect to the web. Next I try my Mac mini out on the new network and it too sees the network, but does not connect to the web. I double check the older G4 and the connection is still strong and fast. I shut the G4 down thinking that maybe the Graphite can only support one computer at a time, and the Mac mini and iPhone still can't connect to the web. I'm not sure what to do with this one. Is there a setting that I need to use? As far as security goes, the Graphite base station was set up with a WEP password. Any help would be great.
    Message was edited by: Soriano

    I suggest using AirPort Admin Utility (version 4.2) to check the base station settings and change them, if necessary. (AirPort Admin Utility should be able to configure a Graphite base station from a computer running Mac OS X 10.4, even though AirPort Setup Assistant can't.)
    In the Network pane of AirPort Admin Utility, please make sure that "Distribute IP addresses" and "Share a single IP address (using DHCP and NAT)" are checked, and that everything else is unchecked. I am assuming that the Graphite is the only router in your local network and that there are no computers connected via Ethernet.
    The Access Control pane of AirPort Admin Utility should list either all of the relevant AirPort ID's or nothing. You can find the AirPort ID of an OS X computer by looking at System Preferences>Network>Show:AirPort>AirPort.
    The Internet pane of AirPort Admin Utility should be set in accordance with your Internet provider's requirements. Most likely, it should be set to Connect Using:Ethernet and Configure:Using DHCP.
    After verifying the settings, power down the computers, base station and cable or DSL modem for a few minutes, then start them up sequentially, leaving time for each to get fully up and running: first the modem, then the base station, and finally the computers.
    The network preferences on the Mac Mini and the iPhone are also relevant. I assume that the preferences are unchanged from those that worked with the AirPort Express.
    I hope this helps.

  • WSA and Cisco Policy Based Routing

    I'm looking to convert my WSA from explicit to transparent proxy using policy based routing on a Cisco router. See the config below where xxx.xxx.xxx.xxx is the P1 interface on the WSA. Does anyone see any issues with the following in a production environment?
    access-list 110 permit tcp any any eq www
    !
    route-map proxy-redirect permit 10
     match ip address 110
     set ip next-hop xxx.xxx.xxx.xxx
    !
    interface ethernet0/1
     ip policy route-map proxy-redirect
    The P1 interface on the WSA is located upstream from the router so I'm not checking for it in the ACL.

    That router configuration looks good to me, but just make sure that the WSA was configured for Transparent mode during the initial System Setup Wizard configuration. If it was initially configured for explicit only, then you will need to run the wizard again to change it to transparent.
    Also, make sure to add a deny statement to the top of access-list 110 for the WSA IP address if the WSA will be going out to the Internet through the same e0/1 interface. Loops are bad. :twisted:
    Cheers,
    Jason

  • Tcl script to change access vlan based on MAC address

    Hello all. I'm looking for some input on how best to handle this situation. I have a large network with a lot of remote offices where we have limited control over users moving around patch cables. We're using VLAN-based QoS in these offices to mark voice, video, data, etc. The problem I'm having is that our users are moving video conferencing equipment to different interfaces on our switches, which puts the VTC unit in a different VLAN, fouling our QoS policy. They then call and complain about poor video quality.
    I'm trying to come up with a way to automate putting the interface in the video VLAN if a VTC unit is connected. All of our video conferencing units are from the same vendor, so they have the same OUI in the MAC address. The script I've been working on looks for a line protocol up event, then checks to see what access VLAN is configured on the interface. If the interface is already in the video VLAN, the script exits. If the interface is not in the video VLAN, the script looks at the MAC address table for the interface and, if the OUI matches a VTC unit, the script changes the interface configuration. My question is, is there a better event to trigger script execution? Maybe a MAC notification trap, or something else? Line protocol transitions when the access VLAN is changed, so the current script runs twice: once when the interface first comes up with a new connection, and again when the VLAN is changed.
    Script is attached. Any help or advice is appreciated!

    Does your video equipment use CDP?  If so, then you can use the neighbor-discovery event detector to only react when you see a media endpoint being connected to a port.  Yes, MAC address notifications (the mat ED) can also work if you know the MACs of your media endpoints.

  • ISE question on desktop switches, MAC replace, MAC move

    Hi all,
    A few questions on the authenticator NAD (example: switch) to support these items:
    01. Desktop switches: how can we enable another switch to plug in and extend the network? What is the deal with Network Edge Access Topology (NEAT)?
    What must be configured on the ISE policy node, the authenticator switch and the newly plugged-in extended switch?
    02. How and what needs to be done on the authenticator switch and ISE for these:
    a. MAC Replace
    b. MAC Move
    Thanks
    Noel

    mac replace -
    http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html#wp1143287
    mac move -
    http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1481527
    Before you consider NEAT -
    If you are using a dumb switch you can enable multi-auth so that all MAC addresses forwarded up to the switch port are authenticated. Dynamic VLAN assignment is not a scalable solution for this scenario since you can only assign the first authenticated MAC address to the dynamic VLAN; others either inherit the VLAN or error-disable the port (I can't recall), but it is documented.
    NEAT is only supported on a few access or distribution switches, so make sure you follow the release notes to see if your platform supports this design.
    ISE policy node - must have the av-pair of device-traffic-class=switch configured to dynamically convert the authenticator's port over to a trunk port. Your design depends on either MAB or dot1x succeeding for this av-pair to be triggered in your authorization policy, i.e. a profiled endpoint group or a user group with the credentials mapped to a user group, or both.
    Authenticator switch - must allow RADIUS authentication, authorization, and, for proper license tracking, accounting.
    Client switch - credentials (see reference guides and config examples); forward traffic to trigger MAB if dot1x is not part of this solution.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Airport Express (Model with 802.11G +54MBPS Mac/PC and Set Up Issues

    Hi,
    We have a 4 Mac and 1 PC household. Cable Internet service by Roadrunner. Cable modem (owned) connected to a D-Link 802.11G wi-fi router (by ethernet from the cable modem) in the family room, then out to an iMac (the half moon base and LCD screen with an airport card, also in the family room and the closest computer to the D-Link
    router; we did add a D-Link antenna to the router ? about 10 months ago (a D-Link ANT24-0700 (Version 1.2)) and an HP 4 in 1 printer attached via USB to the iMac),
    an eMac 1.25 GHz 1 GB RAM with airport card also connected wirelessly (no printer attached) on the same floor but in an adjoining room about 20 feet from the router, and another eMac 1.0 GHz 1 GB RAM with airport card in the upstairs part of our house (a bedroom) with no issue with the Internet connection (it has an Epson 3 in 1 printer attached via USB), and a MacBook Pro with 802.11N wireless card inside, bought for a Christmas/Birthday present and also for college. It too has no issues with the Internet wherever it may be in the house. Our sole PC is an HP tower with an added D-Link WDA-2320 Range Booster Desktop Adapter (802.11G), and we added a D-Link antenna, same model as the other, an ANT24-0700, to help with Internet access, which it did, as well as adding some RAM to increase page loading time etc. It does not have a printer attached. I will get to the topic area now.
    The AirPort Express. I was not involved in the set-up as I was laid up due to a bad back and post major knee surgery, but I always (especially recently) wondered why the light was amber and blinking. I read through the manual and also
    Apple.com support and MacFixit.com (which is under construction and moved to part of Cnet.com) and then went to the AirPort Express discussion area (sorry for being so wordy; I need a Twitter account to post!). We have a network name for the D-Link and the computers all were added, and it also supports an Xbox 360, a Sony PlayStation 3 and a Nintendo Wii (in online use without issue) but..
    A network was also (as it appears to myself) set up for the AirPort Express, and under the half moon bars showing connection strength (there is our D-Link network "phoenix" with security protection WPA2, I believe, as I have set up the router; we had an Apple base station prior that was ? 802.11B (a half moon white unit), still have it in the box). So for normal daily use, checking e-mail and internet use, all of the computers use the "phoenix" or D-Link supported router 802.11G,
    and the other network called Apple Network with numbers and letters after it (and hopefully security); the password is unknown. The AirPort Express is set up connected via USB to an HP B&W laser printer which has saved quite a bit of money on ink. To utilize that printer you must switch from "phoenix" (the D-Link router network) to the Apple Network (followed by letters and numbers). The iMac and the eMac in the family room and an adjoining room (after switching to the Apple Network)
    can then print to the laser printer. The eMac upstairs and the HP Windows XP Professional software can not print to the laser printer (yet the HP PC shows it as an individual network and a strong signal, equal to the Internet connection from the D-Link), and the eMac (after switching under the half moon (not the proper name, I am sure) to get to the Apple Network to print) will not print, yet it shows a 5 bar signal, same as the D-Link connection. I do believe we have two separate networks (but do not understand why the two Macs in the family room can print to the laser printer by simply switching networks and then File and Print). ** One other (probably major) item is that it states to set up the AirPort Express with a Mac with OS X 10.4 or later (at the time of set up, we had the iMac and two eMacs all running Panther OS X 10.3.9 (which they continue to have installed)). We obtained the HP tower and monitor and HP 4 in 1 printer just before Christmas in 2008 and the MacBook Pro in mid December 2009 (current model and running Snow Leopard 10.6). The HP tower runs Windows XP Professional (Service Pack 3), so the MacBook Pro, which is much more mobile, could be used to do the set-up, or the HP tower could be moved temporarily. I do recall if the router changes (at least with the D-Link) you need to be connected by Ethernet to the Mac
    that would be doing the set up/configuration of the router (and it runs OS X 10.3.9 and is an older Mac (with 80 GB hard drive that is partitioned for OS 9 and OS X as well; it is under a GHz processor-wise and less than 1 GB of RAM, as the last RAM slot required a seal to be broken and 256 MB of RAM (?) could be added;
    it has 768 MB of RAM but, knock on wood, running well). We use Lacie external drives
    on the iMac and both eMacs and need to get external drives for the HP PC as well as the MacBook Pro (15" screen).
    I apologize if I repeated myself and rambled, but I wanted to (in one post) explain our set up and network configuration.
    Questions
    1) If indeed it is true that there are two networks and a set up that is not correct,
    can the AirPort Express be configured without opening up the router? (Whenever that happens it seems one computer is unable to get online, and each time it's a different one, a Mac or even the PC.)
    The PC under My Computer and Networks clearly shows the two distinct and separate networks with strong signals, and the distance is not far (it is through a floor, as the other eMac and the PC are upstairs, and cabling by ethernet is not an option).
    2) If I need to open the router, would I add the AirPort Express as a client as if it was one of the computers or gaming systems on the network? (Adding the MAC address or IP address (not sure how you find the MAC address); it's been a while since the router was opened up for any additions or work on it.)
    3) Would it be on the same channel as the router or not?
    4) Hopefully with proper configuration the light will stay on (and green) on the A/E and the eMac and HP PC will be able to print to the laser printer. Currently,
    when anything needs printing from the PC it's put on a flash drive and plugged in to the iMac, and then the Apple Network is selected and the data printed. The eMac upstairs has the option of using the attached Epson 3 in 1 or doing the flash stick workaround.
    I would be very appreciative if someone took a look at the set up above and advised me of what is right, what is not right* and what to do to fix things up.
    I would imagine after proper set up, delete the Apple Network from the PC and eMac upstairs and ? all of the computers, as we should have one base station (the D-Link) and the spoke (the A/E connected by USB to the printer (it may be ethernet, but the cable connection from the A/E to the HP laser printer is correct); the rest of the A/E set up ... please, tell me where it is and where it should be,
    and ? any idea why we can print to the laser printer downstairs and not upstairs? It did mention printer set up with Panther as possible, page 43 of the manual we have in chapter 5 Tips and Troubleshooting (under "when your printer isn't responding") (we do not have the interference listed in the manual;
    our phones are land line, one 900 MHz and the others 5.8 GHz).
    It is possible to move the A/E and laser printer if that would help the two computers (desktops) upstairs, but the distance is way less than 150, but there is a floor and ? duct work (metal); but I think here is a place to stop typing and let some of the experts on the discussion forums take a look.
    One last note (as the laptop will be going off to college in the fall (running Snow Leopard, and the other 3 Macs run Panther OS X 10.3.9)): should the HP PC (Windows XP Professional) be the computer to set up the AirPort Express and have the AirPort Utility program installed, & would this conflict with the current router (set up by a Mac running OS X 10.3.9 (Panther)), i.e. should both set ups be on the same computer? But actually the D-Link is OS X 10.3.9 compatible (and 802.11G) and set up requires an ethernet connection to a Mac (you type in the numbers and . etc and password as administrator and you are in), or should the admin be on the same computer for the router and A/E?
    (And considering an AirPort Extreme Base Station as well, dual frequency simultaneous and 802.11N (for the laptop now) and future, or wait. The 802.11
    in theory would broadcast farther..?? even if computers had 802.11b (our Mac desktops and the PC 802.11B card).
    Thanks Again!!!
    Many, Many Thanks
    ambienttales

    William Boyd Jr.
    Hello again,
    D-Link Router is model DGL-4300 (along with a D-Link ANT24-0700 Omnidirectional
    7 dBi Antenna). Our Cable Internet ISP (Roadrunner) provides consumers with dynamic IP addresses. All Macs have AirPort cards and the HP tower XW4550 has a D-Link Rangebooster G Desktop Adapter WDA-2320 (also with a D-Link ANT24-0700 Omnidirectional 7 dBi Antenna; the PC OS is Win XP Pro Service Pack 3). The 3 desktop Macs run OS X Panther 10.3.9. The 15" MacBook Pro OS is OS X 10.6 Snow
    Leopard (not sure what is after the .6 right now). D-Link's website is
    http://www.dlink.com . I have configured this router multiple times in the past.
    Also added as clients on the network (utilizing the D-Link router) are an Xbox 360, Sony PlayStation PS3, and a Nintendo Wii, all of which have online ability
    and enable online video game play with anyone online.
    As mentioned prior, the AirPort Express is Model A1084 Part No. M9447OLL/A,
    which is USB connected to an HP LaserJet B&W, model 1020, and somehow the two computers near it can switch to the AirPort Express network from the D-Link router based network and print wirelessly to the A/E connected LaserJet printer.
    I realize I will need to reconfigure the D-Link router and add the A/E as a client. I will try first to use the AirPort Utility and see if I can do anything
    utilizing it (adding it to the D-Link network; I think it's unlikely but worth a try, but* the password is unknown, but I have a few guesses as to what it may be).
    I do have the necessary admin and network passwords to configure the D-Link router.
    1) * If the A/E Utility experiment fails and I need to re-configure the router, * do I need to (as per the AirPort Express Set Up Guide) use a Mac with OS X 10.4 or later or a PC with Win XP Home or Professional? (We have a desktop PC that has the specs, and the MacBook Pro meets the Mac specs.)
    If I can not get a password to work on the A/E I would reset it using the reset button,
    and before plugging in the A/E, connect the appropriate cables, in our case a USB cable to the LaserJet printer, then plug in the A/E.
    2) I would then connect by Ethernet from either the Mac laptop or the PC to the D-Link router (if not, the router will not set up correctly).
    3) The one question that puzzles me is that we are not using the A/E as a base
    but a client,
    in two sections (Using AirPort Express, connecting a printer via USB,
    and use AirPort Utility to create a new network or join a new network: wireless computers using Mac OS X 10.2.7 (Tiger) or later or a PC with Windows XP), and it then goes into the steps of using the printer for both a Mac and a PC (using Bonjour on the CD that came with the A/E). This appears to contradict needing to use Mac OS X 10.4 or a PC with Win XP to set the A/E up for use as a printer
    (joining a new network or an existing one).
    And in Chapter 5 Tips and Troubleshooting: Your AirPort Express status light flashes amber & your printer is not responding (it is flashing amber and the printer does not respond to the two computers upstairs, one Mac running OS X 10.3.9 & one PC running Win XP), and it states to make sure the printer is selected
    in the printer list of client computers; to do this on a Mac using OS X 10.3 or later, open Printer Setup Utility and follow steps, and if a PC with Windows XP, open Printers and Faxes and then follow steps.
    In closing, ? can I configure the A/E Utility with a Mac using 10.3.9 as above, or
    ? per Chapter 1 Getting Started use a Mac with OS X 10.4 or later or a PC with Windows XP Home or Professional?
    Perhaps I am taking the tips and troubleshooting and printer set up out of context, or does the Getting Started computer specs contradict them, or are they
    for use if the A/E was going to be a base station and not a client..
    Will keep at it,
    ambienttales

  • Policy based nat - can't get it right...

    Hi out there
    I need to implement some policy based NAT to hide a DMZ network on a site, to avoid routing problems. This should also be fairly simple by defining a route-map and then looping the traffic around a loopback interface which is defined as NAT outside.
    I define the LAN interface as inside, assign the route-map policy to it and loop the traffic around the loopback interface to get it NATed.
    This also works, to some extent. The traffic is correctly NATed and the traffic is sent out of the WAN interface (f0/1); the remote site replies and sends the traffic back, and when it then enters my R2 router it is dropped ????
    I have run out of ideas. Please try to take a look; here is the config of R2 (I issue my test from R1, which is 80.0.0.1 and has a source interface for 192.168.10.1).
    Config of R2:
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R2
    !
    ip cef
    no ip domain lookup
    ip domain name lab.local
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    !
    interface Loopback2
     ip address 192.168.20.1 255.255.255.0
     ip nat outside
     ip virtual-reassembly
    !
    interface FastEthernet0/0
     ip address 80.0.0.2 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     ip policy route-map To_loop2
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     ip address 81.0.0.2 255.255.255.0
     duplex auto
     speed auto
    !
    ip forward-protocol nd
    ip route 192.168.10.0 255.255.255.0 80.0.0.1
    no ip http server
    no ip http secure-server
    !
    ip nat inside source list 1 interface Loopback2 overload
    !
    access-list 1 permit 192.168.10.0 0.0.0.255
    !
    route-map To_loop2 permit 10
     match ip address 1
     set interface Loopback2
    On R2:
    2#
    *Mar 1 03:48:29.491: IP: s=192.168.10.1 (FastEthernet0/0), d=81.0.0.1, len 100, FIB policy match
    *Mar 1 03:48:29.495: IP: s=192.168.10.1 (FastEthernet0/0), d=81.0.0.1, len 100, policy match
    *Mar 1 03:48:29.499: IP: route map To_loop2, item 10, permit
    *Mar 1 03:48:29.499: IP: s=192.168.10.1 (FastEthernet0/0), d=81.0.0.1 (Loopback2), len 100, policy routed
    *Mar 1 03:48:29.503: IP: FastEthernet0/0 to Loopback2 81.0.0.1
    *Mar 1 03:48:29.507: NAT: s=192.168.10.1->192.168.20.1, d=81.0.0.1 [204]
    R2#
    R2#
    R2#sh ip nat translations
    Pro Inside global Inside local Outside local Outside global
    icmp 192.168.20.1:40 192.168.10.1:40 81.0.0.1:40 81.0.0.1:40
    on R3:
    *Mar 1 03:48:24.051: IP: tableid=0, s=192.168.20.1 (FastEthernet0/0), d=81.0.0.1 (FastEtherne
    *Mar 1 03:48:24.055: IP: s=192.168.20.1 (FastEthernet0/0), d=81.0.0.1 (FastEthernet0/0), len
    *Mar 1 03:48:24.059: ICMP: echo reply sent, src 81.0.0.1, dst 192.168.20.1

    The easiest way is constructing your menu with frame labels.
    Now I have no way of knowing how you are constructing it, so this may not work for you. I assume that you have created a main button that has been converted into a symbol & then duplicated to create all other buttons.
    Okay, here it goes. I hope I don't confuse you. I will explain how to create 1 button with 4 submenu items with the terms that I mentioned above, but I am not going to explain all the details of creating a whole nav bar because it just takes too much typing. I assume you already know this.
    Sooo! Let's say this is the Portfolio button. Inside the symbol now, create 8 layers; the order is going from top to bottom:
    actions
    labels
    submenu Logos
    submenu Illustration
    submenu Animation
    submenu Coolstuff ("you will name your button items how you like")
    main button (let's just say Portfolio!)
    invisible btn for main button
    So now on with the hard stuff.
    Create 20 frames, with a stop action on frame 1, frame 9 and frame 20.
    On the labels layer now, name frame 1 "Closed" and frame 10 "Open".
    On the submenu Logos layer, create a keyframe on frame 10; all frames before the 10th frame will be blank frames. Repeat that for the rest of the submenu items.
    On the main button layer you will just place the main Portfolio button on frame 1, & on the invisible button layer the inv btn is going to be placed on frame 10.
    All this is, I am hoping, with your having converted everything into 1 symbol.
    All you need to do now is attach code to the main Portfolio button & the invisible button.
    So click on the Portfolio button:
    on (rollOver) {
        gotoAndStop("Open");
    }
    Invisible button:
    on (rollOver) {
        gotoAndPlay("Closed");
    }
    & that should be good. Very simple!
    Then just repeat this process for every button that makes up your nav bar, & it doesn't matter if your inv buttons overlap each other or your main nav buttons are touching each other.
    peace John

  • ISE profiling policy

    Hi forummers,
    I would like to ask if I can create a profiling policy in order to reduce the overall load generated by the policy service node.
    Example:
    Workstation
    - unique attributes : MAC address
    - probe used        : RADIUS
    - collection method : RADIUS authentication
    Apple iPhone
    - unique attributes : OUI
    - probe used        : RADIUS
    - collection method : RADIUS authentication
    Thanks
    Noel

    Noel,
    Can you please describe how you want to reduce the load on the policy service node? To create a profiling policy for workstations the MAC address should work; however, for the Apple iPhones you will need more than just the Apple OUI, since the MacBook, iPads and iMacs all share the OUI for Apple. You will need to use the HTTP user agent string to detect this in addition to the OUI, and that is done by setting a default rule to the redirect page so this can happen.
    Let me know if this what you are looking for.
    Thanks,
    Tarik Admani
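The two points made above (an OUI identifies only the vendor, and the HTTP user agent is what separates an iPhone from an iPad or a Mac) can be seen in a small classifier. The Python below is an added example written for this page, not ISE logic or code from either poster; the OUI table, MAC addresses and user agent strings are constructed placeholders. It also covers the regex-over-a-list-of-OUIs idea from the top of the thread, generalizing from one OUI to a whole list.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed vendor table (OUI -> vendor) standing in for the IEEE registry.
# The OUIs are placeholders chosen for the example, not real assignments.
VENDOR_BY_OUI = {
    "00:1A:2B": "ExampleWorkstationVendor",
    "AA:BB:CC": "Apple",
    "AA:BB:CD": "Apple",
}

# Constructed User-Agent strings in the shape Safari reports on each platform.
IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"
IPAD_UA = "Mozilla/5.0 (iPad; CPU OS 12_0 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"
MAC_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit/605.1.15 Safari/605.1.15"

# Checked in order: "iPhone" before "iPad" before "Macintosh".
UA_RULES = [
    (re.compile(r"\biPhone\b"), "Apple-iPhone"),
    (re.compile(r"\biPad\b"), "Apple-iPad"),
    (re.compile(r"\bMacintosh\b"), "Apple-MacBook"),
]


def normalize_mac(mac: str) -> str:
    """Return the MAC as AA:BB:CC:DD:EE:FF whatever separator style came in.

    Accepts colon, hyphen, Cisco dotted (aabb.ccdd.eeff) and bare hex forms;
    rejects anything that is not exactly 12 hex digits.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def normalize_oui(oui: str) -> str:
    """Same normalization for a bare OUI (first three octets)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", oui).upper()
    if len(digits) != 6:
        raise ValueError(f"not an OUI: {oui!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 6, 2))


def oui_of(mac: str) -> str:
    return normalize_mac(mac)[:8]


def oui_regex(ouis: Iterable[str]) -> str:
    """One anchored regex matching any MAC that starts with one of the OUIs.

    This is the shape of the "use RegEx to filter specific OUIs" suggestion:
    a single authorization condition covers a whole list of vendor prefixes.
    """
    alternatives = "|".join(re.escape(normalize_oui(o)) for o in ouis)
    return rf"^(?:{alternatives}):"


def mac_matches_ouis(mac: str, ouis: Iterable[str]) -> bool:
    return re.match(oui_regex(ouis), normalize_mac(mac)) is not None


@dataclass
class Endpoint:
    mac: str
    user_agent: Optional[str] = None   # None until the device hits the redirect page


def profile(ep: Endpoint) -> str:
    vendor = VENDOR_BY_OUI.get(oui_of(ep.mac))
    if vendor is None:
        return "Unknown"
    if vendor != "Apple":
        # For the workstation class in the question the MAC/OUI is sufficient.
        return "Workstation"
    # Apple: the OUI only proves the vendor, so refine with the user agent.
    if ep.user_agent:
        for pattern, name in UA_RULES:
            if pattern.search(ep.user_agent):
                return name
    # Only RADIUS data collected so far: the device must pass through the
    # redirect page before it can be classified any further.
    return "Apple-Device"
```

The user agent is a heuristic, not an identity: Safari on iPadOS 13 and later requests desktop sites with a Macintosh-style string, and any HTTP client can send whatever it likes, which is why ISE profiling weighs several probes rather than trusting one attribute.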

  • ISE authorization Policy not working

    Hi,
    I have configured the ISE as per the below link:
    https://supportforums.cisco.com/document/110031/central-web-authentication-cwa-guests-ise
    but my authorization policy is not working: when a user gets connected to the guest WLAN they get authenticated, but when it looks for authorization
    it goes to the default policy. It should hit the above policy created; screenshot as below.

    What version of ISE + patch are you running? Could you please send a screenshot of AUTH policies including the default --- > USE part? Are you using a customized portal for the first authentication process?
    CWA is pretty straightforward. The only issues I faced were that multiple VMs (ISE personas) running on one single server were not replicating the AUTHZ policies properly, so I added the PSN persona into the PAN node and everything worked fine immediately. In addition to that, I realized that I needed at least ONE ENTRY in the ISE PAN Internal Endpoints DB so I could hit the AUTH policy for the MAB & user-not-found condition, which sent me to the AUTHZ = User Unknown + Redirect. Once I authenticated the user using the Default Portal, that meant I hit the GUEST FLOW policy. If you are using customized portals for the first authentication process, check: web portal mgmt. --- > Guest --- > MultiPortal Configurations --- > Customized Portal -- > Authentication part.

  • Policy based routing to host in same vlan/subnet

    Hello, I have a Nexus 7k on which I have policy based routing set up as follows for 2 VLANs, 802 and 803, to set the default route out to a host in VLAN 802. I have applied my policy to the VLANs and everything works fine for a host in VLAN 803; it routes over and out properly. However, when I'm in VLAN 802 my host traffic never gets to 172.21.1.237 when pointed at the gateway 172.21.1.1. I can see the PBR statistics incrementing, indicating that I am initially hitting the policy, but I'm not sure where my traffic goes after that. I can talk to .237 directly in the VLAN, but I would like this to work through PBR to utilize all of my other routes and default gateway.
    vlan 802
    172.21.1.1/24
    ip policy route-map West
    vlan 803
    172.21.17.1/24
    ip policy route-map West
    route-map West permit 10
      match vlan 802-803
      set ip default next-hop 172.21.1.237
    I'm thinking there is some kind of hairpinning problem, or maybe I'm creating some kind of blackhole.
    Any help is appreciated.
    thanks, scott

    Scott
    If the destination IP is in the same subnet as the source IP then it won't be routed, it will be L2 switched, so it would never use the default gateway, i.e.
    src IP 172.21.1.10 255.255.255.0
    dst IP 172.21.1.237 255.255.255.0
    src compares its own IP with its subnet mask and sees it is on the 172.21.1.x network. src then compares the destination IP with its own subnet mask and sees it is also on the 172.21.1.x network, so it simply ARPs out for that address and when it gets the MAC address it sends it direct to the destination. It would only use the default gateway if the destination IP was on a different network.
    So I don't see how you will be able to do this, and I'm not sure why you are seeing hits in your PBR ACL for the host in the 172.21.1.x network.
    Edit - what exactly do you mean when you say -
    However when im in vlan 802 my host traffic never gets to 172.21.1.237 when pointed at the gateway 172.21.1.1.
    How are you doing this, i.e. pointing it to the default gateway? Because, as I say, it should always be able to communicate with 172.21.1.237 as it is in the same subnet.
    Jon
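Jon's point can be checked with a model of the two decisions involved: the host's on-link test and the router's policy route-map. The Python below is an added illustration, not configuration or output from the thread. The subnets, gateway addresses and next hop are the ones Scott posted; the host addresses 172.21.1.10, 172.21.17.10 and 203.0.113.5 are constructed, and the router model deliberately knows no routes except the two connected subnets.

```python
from ipaddress import IPv4Address, IPv4Interface
from typing import Tuple

# Addresses from the thread: SVI address per VLAN and the PBR default next hop.
PBR_VLANS = {"802": "172.21.1.1/24", "803": "172.21.17.1/24"}
PBR_DEFAULT_NEXT_HOP = "172.21.1.237"


def host_next_hop(host: str, dst: str, gateway: str) -> Tuple[str, str]:
    """The sending host's decision for one packet.

    `host` is address/prefix, e.g. "172.21.1.10/24". If dst falls inside the
    host's own subnet the host ARPs for dst and delivers the frame itself
    ("direct"); only otherwise does it hand the frame to the gateway's MAC.
    """
    iface = IPv4Interface(host)
    dst_ip = IPv4Address(dst)
    if dst_ip in iface.network:
        return ("direct", str(dst_ip))
    return ("gateway", gateway)


def router_path(vlan: str, host: str, dst: str) -> str:
    """What the Nexus does with a packet a host in `vlan` sends towards dst.

    The route-map is applied on the SVI, so it can only act on packets the
    host actually addressed to the gateway. Same-subnet traffic never gets
    there: it is switched at layer 2 and PBR is not consulted at all.
    """
    svi = IPv4Interface(PBR_VLANS[vlan])
    decision, _ = host_next_hop(host, dst, str(svi.ip))
    if decision == "direct":
        return "L2-switched"
    # Packet reached the SVI. "set ip default next-hop" applies only when the
    # routing table has no explicit route for dst; here the table holds just
    # the connected subnets, so anything else takes the PBR default next hop.
    dst_ip = IPv4Address(dst)
    for v, prefix in PBR_VLANS.items():
        if dst_ip in IPv4Interface(prefix).network:
            return f"routed to connected VLAN {v}"
    return f"PBR default next-hop {PBR_DEFAULT_NEXT_HOP}"


if __name__ == "__main__":
    # Constructed hosts: one in each VLAN.
    for vlan, host in (("802", "172.21.1.10/24"), ("803", "172.21.17.10/24")):
        for dst in ("172.21.1.237", "203.0.113.5"):
            print(vlan, host, "->", dst, ":", router_path(vlan, host, dst))
```

The model also shows why a VLAN 803 host reaches .237 "properly": its packets do reach the SVI, but they follow the connected route to VLAN 802, not the default next hop, which only matters for destinations the routing table does not know.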

  • How to push EAP-TLS configuration Profile and Certificates to MacBooks and iPhones

    Hi Team,
    We were able to push the EAP-TLS configuration profiles and certificates to Windows devices via group policy.  However, we're now looking to see how we can accomplish this for MacBooks and iPhones?  Is there an open source application or something we can leverage to do this?
    Thanks

    I think ammahend was looking for a rough count which is what my question was going to be. The reason I would ask this is that if the device count is low then you could manually provision certs on those devices. Not ideal since you will have to manually generate CSRs, get them signed and then installed on the machines.
    Another way to do this is if you have an MDM solution in place. You can have the MDM integrate with your CA via SCEP and then on-board devices that way. You don't have to integrate ISE with MDM (advanced licenses needed) as you can only have ISE check for the cert and only perform EAP-TLS authentications. 
    Hope this helps!
    Thank you for rating helpful posts! 
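For the MDM/SCEP path described above, the device-side artifact is an Apple configuration profile carrying a SCEP enrolment payload and a Wi-Fi payload that accepts EAP-TLS only. The Python below is an added example, not code from the thread, from Cisco or from Apple; it assembles such a profile with the standard library. Payload keys follow Apple's Configuration Profile Reference; the SSID, SCEP URL, CA name, challenge, server name and the bytes standing in for the CA certificate are all placeholders.

```python
import plistlib
import uuid
from typing import List

ORG_PREFIX = "com.example.wifi"   # placeholder identifier prefix for the example


def _base(payload_type: str, display_name: str) -> dict:
    """Keys every payload dictionary carries."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.{payload_type}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }


def scep_payload(url: str, ca_name: str, subject_cn: str, challenge: str) -> dict:
    """SCEP enrolment: the device generates its own key pair, sends a CSR to the
    CA and installs the issued certificate; the private key never leaves it."""
    p = _base("com.apple.security.scep", "Device certificate (SCEP)")
    p["PayloadContent"] = {
        "URL": url,
        "Name": ca_name,
        "Subject": [[["CN", subject_cn]]],   # RDN sequence with one attribute
        "Challenge": challenge,              # per-device one-time challenge from the CA
        "Keysize": 2048,
        "Key Type": "RSA",
        "Key Usage": 5,                      # 1 = signing, 4 = encipherment, 5 = both
        "Retries": 3,
    }
    return p


def ca_cert_payload(ca_der: bytes) -> dict:
    """Root CA the device will trust for the RADIUS server certificate."""
    p = _base("com.apple.security.root", "RADIUS server CA")
    p["PayloadContent"] = ca_der
    return p


def eap_tls_wifi_payload(ssid: str, identity_uuid: str, ca_uuid: str,
                         server_names: List[str]) -> dict:
    """Wi-Fi payload that accepts EAP-TLS only and pins the server identity."""
    p = _base("com.apple.wifi.managed", f"Wi-Fi {ssid} (EAP-TLS)")
    p.update({
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "PayloadCertificateUUID": identity_uuid,   # the SCEP-issued identity
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [13],                      # 13 = EAP-TLS, nothing else
            "PayloadCertificateAnchorUUID": [ca_uuid],  # only this CA may sign the server cert
            "TLSTrustedServerNames": server_names,       # expected RADIUS server name(s)
        },
    })
    return p


def build_profile(ssid: str, scep_url: str, ca_name: str, subject_cn: str,
                  challenge: str, ca_der: bytes, server_names: List[str]) -> bytes:
    """Assemble the payloads into an unsigned .mobileconfig (XML plist)."""
    scep = scep_payload(scep_url, ca_name, subject_cn, challenge)
    ca = ca_cert_payload(ca_der)
    wifi = eap_tls_wifi_payload(ssid, scep["PayloadUUID"], ca["PayloadUUID"], server_names)
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Corporate Wi-Fi ({ssid}) EAP-TLS",
        "PayloadScope": "System",          # macOS: install for the machine, not one user
        "PayloadContent": [ca, scep, wifi],
    }
    return plistlib.dumps(profile)


def parse_profile(data: bytes) -> dict:
    return plistlib.loads(data)


# Constructed sample inputs; the DER bytes are a placeholder, not a real certificate.
SAMPLE = build_profile(
    ssid="CorpWiFi",
    scep_url="https://scep.example.invalid/certsrv/mscep/mscep.dll",
    ca_name="Example-Issuing-CA",
    subject_cn="device-placeholder",
    challenge="ONE-TIME-CHALLENGE-PLACEHOLDER",
    ca_der=b"\x30\x82PLACEHOLDER-DER",
    server_names=["radius.example.invalid"],
)
```

An MDM signs and delivers this profile and can fill in a fresh SCEP challenge per device; without an MDM the same .mobileconfig can still be installed by hand on a Mac or iPhone, which brings back the per-device manual work the reply above describes. Keeping `AcceptEAPTypes` at EAP-TLS only and naming the RADIUS server in `TLSTrustedServerNames` are what stop a client from silently accepting a weaker method or a rogue access point's certificate.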
