ISE IOS CLI Authentication Quandary
I'm trying to push the limits of ISE, since TACACS+ isn't supported yet. The goal is to authenticate switches and routers using RADIUS against ISE. I think I am on the right track, since I can log in against ISE. However, when I log in to enable, the ISE Authorizations log shows RADIUS status fail, with a failed attempt from user $enabl15$.
I have my device added to ISE. An authorization profile has been created for each privilege level; I am using policy sets and have the correct authz and autht policies. Below are examples of my ISE configuration and router configuration. Hopefully it helps fix my problem, or it may help the next troller succeed with their own configuration.
Auth Profile: When choosing priv-lvl=15 after hitting save, web auth is automatically selected.
Policy Set:
router configuration
aaa group server radius Rad_AUTH1
 server name Rad_Auth
aaa authentication login CONSOLE local
aaa authentication login Rad_Auth group Rad_AUTH1 local none
aaa authentication enable default group Rad_AUTH1 enable none
aaa authorization exec default none
aaa authorization exec Rad_Auth group Rad_AUTH1 if-authenticated
aaa accounting exec default start-stop group radius
radius server Rad_Auth
 address ipv4 x.x.x.x auth-port 1645 acct-port 1646
 timeout 3
 key 7 052F302B3B7E491B41
line vty 0 4
 session-timeout 30
 exec-timeout 30 0
 authorization exec Rad_Auth
 login authentication Rad_Auth
 transport input ssh
Thanks for the reply Neno. I got it worked out and will be submitting a new document for future trollers. There were a couple of things I had to change in both ISE and in IOS.
In IOS
aaa authentication login default group radius local none
aaa authentication login CONSOLE local
aaa authentication enable default group radius enable none
aaa authorization exec default group radius local
In ISE the AuthZ and AuthT policies worked, but didn't give the results I wanted. For example, since RADIUS uses $enabl$ as the username for the privilege level, I had to put a deny at the end of each policy. Without it, enable would go to the next default rule; it also allowed a priv 5 user to type in enable and get priv 15 access.
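Added illustration, not code from the thread: when `aaa authentication enable` points at RADIUS, IOS sends a separate Access-Request whose User-Name is the fixed string `$enab15$` for privilege 15 (logged above as `$enabl15$`), not the operator's login name. That is why the ISE policy set needs an explicit rule for that name and a closing deny, otherwise the request falls through to whatever default rule matches. The script below builds and parses such an Access-Request per RFC 2865, including the User-Password hiding that depends on the shared secret; the NAS address, secret and password are constructed values.

```python
"""Build and parse the RADIUS Access-Request (RFC 2865) an IOS device sends for
'enable' authentication.  The User-Name is the fixed string $enab<level>$, so for
privilege 15 the AAA server sees the user $enab15$ rather than the operator's
login.  NAS address, shared secret and password used here are constructed values."""
import hashlib
import ipaddress
import os
import struct

ACCESS_REQUEST = 1          # RADIUS packet code
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of hide_password; only a holder of the shared secret recovers it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1, header included) Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value out of range")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_enable_request(priv_level: int, password: bytes, secret: bytes,
                         nas_ip: str, identifier: int = 0,
                         authenticator: bytes = b"") -> bytes:
    """Access-Request as IOS issues it for 'enable <priv_level>' over RADIUS."""
    authenticator = authenticator or os.urandom(16)   # 16 fresh octets per request
    user_name = f"$enab{priv_level}$".encode()
    attrs = (attr(ATTR_USER_NAME, user_name)
             + attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_request(packet: bytes, secret: bytes) -> dict:
    """Decode the fields a RADIUS server would log or match policy on."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:20]
    fields, pos = {"identifier": identifier}, 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 3 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_USER_NAME:
            fields["user_name"] = value.decode()
        elif attr_type == ATTR_USER_PASSWORD:
            fields["password"] = unhide_password(value, secret, authenticator)
        elif attr_type == ATTR_NAS_IP_ADDRESS:
            fields["nas_ip"] = str(ipaddress.IPv4Address(value))
        pos += attr_len
    return fields


if __name__ == "__main__":
    pkt = build_enable_request(15, b"EnableSecret1", b"sharedsecret", "192.0.2.10")
    print(parse_request(pkt, b"sharedsecret"))
```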
Similar Messages
-
What is the equivalent implementation of the ISR IOS CLI "ip tcp synwait-time 10" on the ASA CLI
I would like to see an implementation of the ISR IOS CLI:
ip tcp synwait-time 10
on the ASA CLI. Thank you much in advance.
Hi Oscar,
this is supported but you need a class-map type management:
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/mpf_service_policy.html#wp1167296
TCP and UDP connection limits and timeouts, and TCP sequence number randomization: supported for management traffic...
access-list CONTROL_ACL extended permit tcp host 1.1.1.2 interface outside eq https log
access-list CONTROL_ACL extended permit tcp host 1.1.1.2 interface outside eq ssh log
class-map type management CONTROL
 match access-list CONTROL_ACL
policy-map global_policy
 class CONTROL
  set connection conn-max 1
service-policy global_policy global
In my tests, it worked for SSH but not for HTTPS:
ciscoasa(config)# sh conn all
2 in use, 2 most used
TCP outside 1.1.1.2:38670 NP Identity Ifc 1.1.1.10:22, idle 0:00:38, bytes 20, flags UfrOB
TCP outside 1.1.1.2:26470 NP Identity Ifc 1.1.1.10:443, idle 0:00:02, bytes 0, flags UB
After other sessions:
%ASA-7-710005: TCP request discarded from 1.1.1.2/25085 to outside:1.1.1.10/22
%ASA-3-201011: Connection limit exceeded 1/1 for input packet from 1.1.1.2/25085 to 1.1.1.10/22 on interface outside
ciscoasa(config)# sh conn all
4 in use, 5 most used
TCP outside 1.1.1.2:41726 NP Identity Ifc 1.1.1.10:443, idle 0:00:43, bytes 0, flags UB
TCP outside 1.1.1.2:26087 NP Identity Ifc 1.1.1.10:443, idle 0:00:45, bytes 0, flags UB
TCP outside 1.1.1.2:33312 NP Identity Ifc 1.1.1.10:443, idle 0:00:47, bytes 0, flags UB
TCP outside 1.1.1.2:26470 NP Identity Ifc 1.1.1.10:443, idle 0:00:04, bytes 0, flags UB
Somehow, 0 hitcount on HTTPS ACL...
ciscoasa(config)# sh access-list
access-list CONTROL_ACL line 1 extended permit tcp host 1.1.1.2 interface outside eq https log informational interval 300 (hitcnt=0) 0x59b7aa4c
access-list CONTROL_ACL line 2 extended permit tcp host 1.1.1.2 interface outside eq ssh log informational interval 300 (hitcnt=8) 0x31fe983c
ciscoasa(config)# sh asp drop
Frame drop:
Flow is denied by configured rule (acl-drop) 2
First TCP packet not SYN (tcp-not-syn) 49
Connection limit reached (conn-limit) 2
FP L2 rule drop (l2_acl) 48
Flow drop:
SSL bad record detected (ssl-bad-record-detect) 3
ciscoasa(config)# sh service-policy
Global policy:
Service-policy: global_policy
Class-map: CONTROL
Set connection policy: conn-max 1
current conns 1, drop 2
You can also control each feature's timeouts separately via:
telnet/ssh timeout 1
http server idle-timeout/session-timeout 1
Note: I tried this in GNS (ASA 8.4.2) using telnet from a router (not a real browser for HTTPS), so the results might not reflect a production environment...
Patrick -
ISE Admin Access Authentication to RADIUS Token Server
Hi all!
I want to use an External RADIUS Token Server for ISE Admin Access Authentication and Authorization.
Authentication works, but how do I map the users to Admin Groups? Is there a way to map a returned RADIUS Attribute (IETF "Class" or Cisco-AVPair "CiscoSecure-Group-Id") to an Admin Group?
Thanks in advance,
Michael Langerreiter
ISE 1.3 does have a bug: Authentication failed due to zero RBAC Groups.
Cisco Bug: CSCur76447 - External Admin access fails with shadow user & Radius token
Last Modified
Nov 25, 2014
Product
Cisco Identity Services Engine (ISE) 3300 Series Appliances
Known Affected Releases
1.3(0.876)
Description (partial)
Symptom:
ISE 1.3 RBAC fails with shadow user & Radius token
Operations > Reports > Deployment Status > Administrator Logins report shows
Authentication failed due to zero RBAC Groups
Conditions:
RBAC with shadow user & Radius token
-
ISE 1.2 Authentication Failures at First time Connection
Hi,
I have trouble with ISE 1.2 when trying to authenticate an end-device for the first time. The device might be a workstation, IP phone, printer, etc.; it fails or stays in running mode. The result is the same: it cannot access the network. Hopefully I'm still in open mode :)
As I described in the beginning, everything has status Running or Authz Failed, and after a period of time, usually one day, it finally succeeds.
This happens mostly for workstations and printers, but phones do not have the same behavior. I unplug/plug the phones or shut/no shut the ports in order to trigger them to succeed. For some phones it worked, but others obstinately declined.
The phones, which are not Cisco phones, authenticate with MD5 (a simple username and password); I think the problem should not be related to the auth protocol.
Below are some logs from one phone. Coming to a short conclusion, this must be related either to the switches, which are 3750e (15.02 SE 4 IOS), or to ISE itself, because I have almost the same behavior for all end-devices.
I kindly await your comments...
2169669: Apr 16 18:02:20.573 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to up
2169670: Apr 16 18:02:20.783 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5E8855C01DE
2169671: Apr 16 18:02:20.791 EEST: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5E8855C01DE
S301#
2169672: Apr 16 18:02:20.992 EEST: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5F0855DE0EF
2169673: Apr 16 18:02:21.580 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to up
S301#
2169674: Apr 16 18:02:24.289 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to down
S301#
2169675: Apr 16 18:02:25.288 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to down
2169676: Apr 16 18:02:26.269 EEST: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169677: Apr 16 18:02:26.294 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169678: Apr 16 18:02:26.294 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169679: Apr 16 18:02:26.303 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169680: Apr 16 18:02:26.303 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169681: Apr 16 18:02:26.319 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169682: Apr 16 18:02:26.319 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169683: Apr 16 18:02:26.319 EEST: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169684: Apr 16 18:02:26.319 EEST: %AUTHMGR-5-START: Starting 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169685: Apr 16 18:02:26.328 EEST: %MAB-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169686: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169687: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169688: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
S301#
2169689: Apr 16 18:02:26.336 EEST: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
S301#
2169690: Apr 16 18:02:27.737 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to up
2169691: Apr 16 18:02:28.744 EEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to up
Regards
T.C
I'm not using an authentication method with certificates for any end-devices.
Workstations use the Windows default authentication protocol EAP/MSCHAPv2.
In front of them there are non-Cisco IP phones with auth. method EAP/MD5.
Finally I also have some printers, again with option EAP/MD5.
For all of these devices I received the same behavior: after many hours they finally authenticated with ISE. But is this the expected behavior?
What I understand is that if the devices finally authenticated, then there isn't anything wrong with the method.
The points I don't understand are 3:
Why is there so much delay for all devices to authenticate?
Why do some devices, mostly IP phones (not all), continue to fail the authentication method? All my devices are identical with the same software/patch, same model, etc.
I have noticed randomly some devices succeed one moment and fail the next moment.
So in my understanding there is abnormal behavior and I cannot find the way/pattern to correct it or to understand the reason :)
Port config
switchport access vlan xxx
switchport mode access
switchport voice vlan yyy
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan xxx
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
no cdp enable
spanning-tree portfast
result template
Switch#sh auth sess int g1/0/46
Interface: GigabitEthernet1/0/46
MAC Address: xxxx.xxxx.xxxx
IP Address: xx.xxx.xx.xxx
User-Name: xxxxxxxxxxxx
Status: Authz Failed
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A114D0A00001972016208E1
Acct Session ID: 0x00001BB7
Handle: 0x6D0009B6
Runnable methods list:
Method State
dot1x Failed over
mab Failed over -
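Added example, not code from the ISE 1.2 first-connection thread above: a small Python parser that groups the %DOT1X/%AUTHMGR/%MAB syslog lines by AuditSessionID and rebuilds each session's method chain, so a port that exhausted dot1x and MAB and ended in "Authorization failed or unapplied" can be told apart from a single dot1x timeout. The sample lines are taken from the switch output in that thread.

```python
"""Group IOS %DOT1X / %AUTHMGR / %MAB syslog lines by AuditSessionID and
reconstruct the per-session method chain (dot1x -> failover -> mab -> exhausted
-> authz failed), so 'all methods exhausted' ports stand out from a transient
dot1x timeout.  SAMPLE_LOG is copied from the switch output in the thread above."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
2169669: Apr 16 18:02:20.573 EEST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to up
2169670: Apr 16 18:02:20.783 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5E8855C01DE
2169671: Apr 16 18:02:20.791 EEST: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (0080.9f7d.3ddf) on Interface Gi1/0/34 AuditSessionID 0A114D0D0000D5E8855C01DE
S301#
2169676: Apr 16 18:02:26.269 EEST: %AUTHMGR-5-START: Starting 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169677: Apr 16 18:02:26.294 EEST: %DOT1X-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169678: Apr 16 18:02:26.294 EEST: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169683: Apr 16 18:02:26.319 EEST: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169684: Apr 16 18:02:26.319 EEST: %AUTHMGR-5-START: Starting 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169685: Apr 16 18:02:26.328 EEST: %MAB-5-FAIL: Authentication failed for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169686: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169688: Apr 16 18:02:26.328 EEST: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
2169689: Apr 16 18:02:26.336 EEST: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0080.9f7d.3e6f) on Interface Gi1/0/35 AuditSessionID 0A114D0D0000D5F1855DF3BE
"""

# Only session-scoped messages carry a MAC, interface and AuditSessionID.
LINE_RE = re.compile(
    r"%(?P<facility>DOT1X|AUTHMGR|MAB)-\d-(?P<mnemonic>[A-Z]+): (?P<text>.*?)"
    r"\s*\(?(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)?"
    r" on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)"
)
RESULT_RE = re.compile(r"Authentication result '(?P<result>[^']+)' from '(?P<method>[^']+)'")
START_RE = re.compile(r"Starting '(?P<method>[^']+)'")


def parse_events(lines):
    """Yield (session_id, mac, interface, event_label) for each session-scoped line."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                      # LINK/LINEPROTO lines and prompts are skipped
        text, mnemonic, facility = m.group("text"), m.group("mnemonic"), m.group("facility")
        if mnemonic == "START":
            event = "start:" + START_RE.search(text).group("method")
        elif mnemonic == "RESULT":
            r = RESULT_RE.search(text)
            event = f"result:{r.group('method')}={r.group('result')}"
        elif mnemonic == "FAILOVER":
            event = "failover"
        elif mnemonic == "NOMOREMETHODS":
            event = "exhausted"
        elif mnemonic == "FAIL" and facility == "AUTHMGR":
            event = "authz-failed"        # 'Authorization failed or unapplied'
        else:
            event = facility.lower() + "-fail"
        yield m.group("sid"), m.group("mac"), m.group("intf"), event


def summarize(lines):
    """Return {session_id: {mac, intf, events, verdict}} for the given syslog lines."""
    sessions = defaultdict(lambda: {"mac": None, "intf": None, "events": []})
    for sid, mac, intf, event in parse_events(lines):
        sessions[sid]["mac"], sessions[sid]["intf"] = mac, intf
        sessions[sid]["events"].append(event)
    for s in sessions.values():
        ev = s["events"]
        if "exhausted" in ev and "authz-failed" in ev:
            s["verdict"] = "all methods exhausted"
        elif "result:dot1x=timeout" in ev:
            s["verdict"] = "dot1x timeout"
        else:
            s["verdict"] = "other"
    return dict(sessions)


if __name__ == "__main__":
    for sid, s in summarize(SAMPLE_LOG.splitlines()).items():
        print(sid, s["intf"], s["mac"], s["verdict"], " -> ".join(s["events"]))
```

-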
I am seeing a strange issue in my environment. I use ISE 1.2 as a RADIUS server for device management/authentication (not NAC usage). I have a Cisco C6509E VSS as the core device. The device was added to ISE and AAA auth was working fine. I changed the IP address of the switch during my DC migration. Since then AAA fails for this device. The ISE report and tcpdump show the old IP. My Wireshark capture (SPAN port) also shows the old IP in the packet header irrespective of the RADIUS source interface I use in the switch. Debug (radius/aaa) output in the switch shows the correct interface address which I use in 'ip radius source-interface'.
Unfortunately I am unable to restart the switch as it is a core device in a critical place. It looks like a strange IOS issue. Did anyone face this kind of issue? Please advise how to resolve it without a restart. Don't know why the switch is always using its old IP to frame the RADIUS packet.
These have been verified. I tried different source interfaces and even changed MAC addresses of SVIs. I am sniffing the interface of the ISE appliance to capture RADIUS packets. I am wondering how a C6509E switch can frame an IP packet with a source address not belonging to it. The MAC address belongs to the switch but the source IP address does not belong to the switch (it's its old IP address).
-
ISE 1.2 Authentication fails for 2nd AD domain with the forest trust relation
We are running Cisco ISE 1.2; we have a new AD domain with a forest trust relation between the new and the old. Authentication with the new domain fails.
Are there any requirements or configuration changes that need to be done to make it succeed?
Use the license that is currently on your ISE. If your account has access to download the software, then you are good. The license will not change during the upgrade. If you are using ISE 1.2 Patch 8 or above, then you are using the same Base/Plus/Apex licensing model.
If you are not yet on Patch 8, then you are using Base/Advanced and these will be converted during the upgrade.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton -
ISE Admin Access Authentication against multiple AD/LDAP Identity Sources
Hi all!
We would like to grant admin access to our ISE deployment to users stored in multiple Active Directories. Since there is no trust relationship between these ADs, we created an LDAP Identity Source for each AD and also an Identity Source Sequence, but in the UI we can only select one Identity Source.
Any ideas how to solve this problem?
Thanks in advance!
Kind regards,
Michael Langerreiter
I did check in my lab and yes, for admin access we can't select an identity store sequence in authentication. We can only pick one external database. However, on the login page you may select the appropriate database before you enter the username and password.
Jatin Katyal
- Do rate helpful posts - -
ISE - AAA radius authentication for NAD access
Hi ,
I have configured the switches to use ISE as the RADIUS server to authenticate with. On ISE I've configured an authentication policy for the "NADs" using the "Wired Devices" group, which points to the AD identity source to authenticate against.
While testing login access to the switches we've come up with 2 results:
1. A domain user can indeed login to the switch as intended.
2. Every domain user which exists in the AD identity source can login; this is an undesired result.
So I am trying to search for a way to restrict access to the NADs to only a particular group belonging to the AD, for example the group/OU of the IT_department only.
I haven't been successful; would appreciate any ideas on how to accomplish this.
Switch configurations :
=================
aaa new-model
aaa authentication login default group radius local
ISE Authentication policy
==================
Policy Name : NADs Authentication
Condition: "DEVICE:Device Type Equals :All Device Types#Wired"
Allowed Protocol : Default Network Access
use identity source : AD1
Thank you for the quick replies, and now OK, I've configured the following authorization policy:
Rule Name : Nad Auth
Conditions
if: Any
AND : AD1:ExternalGroups EQUALS IT_Departments
Permissions , then PermitAccess
What I don't understand is that it needs to match an "identity group" which can be either "Endpoint Identity group" or "Users Identity group"; I am limited by the if statement and cannot choose the same device group I chose before.
How can I do that? I am thinking ahead and asking myself if in other cases a user might match this policy rule and interfere? -
ISE admin access, authentication against external radius
Please don't ask me why,
the customer insists and wants to be authenticated on ISE (as admin) against an external (Microsoft) RADIUS server.
Is it possible while retaining the internal admin users database in a sequence Internal>external_radius or internal>AD?
Thank you in advance for whatever may help.
According to Cisco:
External Authentication AND external Authorisation for Admin access on the ISE can only be done by using LDAP or AD.
For RADIUS servers there is a solution for external Authentication and internal Authorisation on the ISE:
External Authentication + Internal Authorization
When configuring Cisco ISE to provide administrator authentication using an external RSA SecurID identity store, administrator credential authentication is performed by the RSA identity store. However, authorization (policy application) is still done according to the Cisco ISE internal database. In addition, there are two important factors to remember that are different from External Authentication + External Authorization:
You do not need to specify any particular external administrator groups for the administrator.
You must configure the same username in both the external identity store and the local Cisco ISE database.
To create a new Cisco ISE administrator that authenticates via the external identity store, complete the following steps:
Step 1 Choose Administration > System > Admin Access > Administrators > Local Administrators.
The Administrators window appears, listing all existing locally defined administrators.
Step 2 Follow the guidelines at Creating a New Cisco ISE Administrator to ensure that the administrator username on the external RSA identity store is also present in Cisco ISE. Be sure to click the External option under Password.
Note Remember: you do not need to specify a password for this external administrator user ID, nor are you required to apply any specially configured external administrator group to the associated RBAC policy.
Step 3 Click Save . -
ISE and machine authentication
Hi
I have ISE 1.1 : user authentication is working fine
Now I need to implement machine authentication
But I have 2 requirement
1- The user must remove and plug in his network cable as he wants (without closing the Windows session or restarting his computer) and his computer should be authenticated every time, as with user authentication
2- I must not install any software or client application on the computer
Is there any method of machine authentication that respects these 2 requirements above?
Regards
I guess you need to review the below listed thread as we are discussing the same thing. You have to create an authorization rule highlighted in the screen shot.
https://supportforums.cisco.com/message/4044276#4044276
~BR
Jatin Katyal
**Do rate helpful posts** -
Cisco ISE multiple EAP authentication methods question
With Cisco ISE can you have various clients each using different EAP methods, such as PEAP for Windows machines, MD5 for legacy and TLS for others?
My current efforts seem to fail: if a device gets a request from ISE for an EAP method it doesn't understand, it just times out.
Thanks in advance.
Multiple EAP methods work fine. If your clients are being crap you could try forcing them to use a specific set of Allowed Authentication Methods by creating more specific Authentication rules.
Sent from Cisco Technical Support iPad App -
ISE - Machine + user authentication
I've searched forum, community but I couldn't find exactly what I need:
I have a client that wants to use two-step authentication on wireless: first machine authentication to make sure that the device is on the domain, and then username/password authentication.
Now, I've read about MAR, EAP chaining, and I understood it all, only thing I didn't understand is:
If I configure ISE to authenticate machine, it will allow limited access to DC (for example).
Then, after that AuthZ profile is applied, what will do the new authorization? My understanding is once MAR is done, the AuthZ profile is applied and authorization is finished.
Now, I am not asking about turning on laptop, getting PC on the network, then logging in and then providing the user/credentials, etc. I am asking for this scenario:
How should the ISE policy and AuthZ profile look? For example, I come into the office, my wireless card is disabled, I log in to my laptop, then I notice that my wireless card is disabled and now I enable it. I need to have machine authentication happening at that point + prompting the user for username/password to complete registration on wireless.
NAM is already refused by client, so I need something that will work on plain Windows 7.
Thanks.
Hello Align-
In your post you are referring to two completely separate and independent solutions:
1. MAR
2. EAP-Chaining
MAR only happens when the machine first boots up and the host presents its machine domain credentials. Then the machine MAC address is saved in ISE. The MAC is preserved in ISE as long as configured in the machine timer. Keep in mind that if, let's say, a computer was booted while connected on the wired network, only that MAC address will be authenticated. If the user moves to wireless, the connection will be denied as ISE will not have any records of the wireless MAC. Along with all of that, you will need another method (usually PEAP) to perform the user authentication. Usually this method is not a very good one to implement due to the issues listed.
EAP-Chaining on the other hand utilizes EAP-FAST and it's a multi-phase method during which both machine and user information is passed in a secured TLS tunnel. For that you need to implement Cisco AnyConnect as it is the only software supplicant that supports it at the moment. For more info you might want to look into Cisco's TrustSec guide:
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_80_eapchaining_deployment.pdf
I hope this helps!
Thank you for rating! -
ISE wireless web authentication for guest management not redirecting
Hi forumers'
I face the problem that after connecting to the wireless guest network, it won't redirect me to the ISE guest portal. This happens on my iPhone. The iPhone is running iOS 5.0.1.
While on a workstation it's working well.
Attached is a snapshot of what happens on the iPhone.
Any clue to troubleshoot? Thanks
Noel
Hi
I still fail while testing on my iPhone.
I'm not using the ISE self-signed certificate; I created a CSR and had it signed by the root CA server. So once I try to connect it won't prompt me to "accept certificate".
My WLC local auth certificate vendor certificate is signed by the same root CA server as well.
So I tested on a desktop running the Safari browser; it was able to redirect to the ISE guest portal.
Can you please suggest more troubleshooting guidance?
Thanks
This is the outcome for the Safari browser
Noel -
Configuring ISE to proxy Authentications based on email address
Hi
I'm looking for a little help configuring ISE to proxy requests to external radius servers based on email address and password. I want to configure eduroam on our WLAN. Eduroam allows students connect to the WIFI of other Campuses using their local credentials
Workflow:
User associates to SSID (eduroamTest)
Prompted for username & password (802.1x)
User puts in username and password in the form [email protected] (UPN)
If the user is part of our local institution they are authenticated using our local radius server (ISE)
If the user is a member of a partner institution the request is proxied to an external radius server (National Gateways).
The National Gateways passes the request to the relevant institution based on the UPN (eg @ucd.ie will be passed to ucd radius servers)
The institution authenticates the user and passes the request back to the National Gateways
The National Gateways passes this request back to our ISE server and the external user is authenticated
The user can browse the web
What I have done:
Setup the National Gateways as external proxy servers
Created firewall rules to allow the traffic
Configured the proxy sequence with these servers
Created a policy to proxy requests to the proxy sequence
What I need to figure out:
How to get ISE to authenticate/proxy requests, for the SSID eduroamTest, based on UPN eg (if username = *@rcsi.ie then use local ISE otherwise use proxy service)
Any help with this configuration would be greatly appreciated as I am new to ISE.
If you need any more info please let know.
Kind regards
John
Sounds like you did most of the work already. To get ISE to direct certain requests based on attributes in the request to another RADIUS server, all you need to do is create a new authentication rule, where you check for the following attributes:
radius/called-station-id contains "eduroam"
and
radius/username ends with "rcsi.ie"
Then you can select the radius server sequence you created instead of the normal "Allowed protocols" list.
If you want to be in control of the authorization, there is a flag you must set in the radius server sequence in ISE, this will let you control what rights the client is given locally, while still authenticating the user remotely. -
IOS CLI for WPA2 needed..
Hi,
I can't get my 871w to enable WPA2 for it. I found a reference to "wpa version 2" as CLI which my rather new IOS doesn't seem to understand.
So how to enable WPA2 via CLI commands? And by the way do you have a link to the wireless CLI reference?
Ciao, Bernd
Hi Jeff,
thanks for message and the help - I appreciate that!
Yes my router shows the option:
CiscoKunr(config)#int Dot11Radio 0
CiscoKunr(config-if)#encryption mode ciphers ?
aes-ccm WPA AES CCMP
tkip WPA Temporal Key encryption
wep128 128 bit key
wep40 40 bit key
And I set it to aes-ccm, but my client (MacBook) says it's still WPA and not WPA2 like my D-Link wireless. Is the message of Mac OS X wrong or do I miss something else in the setting for WPA2?
Ciao, Bernd