ISE policy, DACLs and VLAN changes together

So I have been having a hard time finding consistency in a policy that both changes the VLAN and applies a DACL. Originally, I found out that remarks were causing it to mess up. But I can't find any consistency. I can use the vanilla 'permit all' DACL in ISE, along with a VLAN change, and it just doesn't work. My AuthZ is very simple... If you are wired_MAB and your endpoint is in a particular group, then apply a policy that changes the VLAN and applies a DACL. This seems like it's at the root of what ISE is supposed to do, but it seems so buggy. Weird thing is that if I do the VLAN change by itself, it works. But when I add the DACL neither works. Anyone have any ideas as to why this is?

So it worked this time. The machine has been sitting in sleep mode for a while now. This is so inconsistent. Could it have something to do with me using the same machine to test a few different policies? I'm just switching the machine's MAC between different groups in order to test different policies. That's really when it stops working.
- Do you have a pre-auth ACL configured already on the port? Yes, one that says permit any any
- Is the port running open mode? Yes
- What does "show auth sess int x/x" tell you once ISE has sent the authorization result to the switch?
SJ5051IDF1#show authentication sess int g1/5 d
            Interface:  GigabitEthernet1/5
          MAC Address:  d4be.d905.3973
         IPv6 Address:  Unknown
         IPv4 Address:  10.42.163.59
            User-Name:  D4-BE-D9-05-39-73
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  0A0600210000007B24636E88
      Acct Session ID:  0x00000086
               Handle:  0x4A000055
       Current Policy:  POLICY_Gi1/5
Local Policies:
Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
      Security Status:  Link Unsecure
Server Policies:
           Vlan Group:  Vlan: 1620
              ACS ACL:  xACSACLx-IP-BLDG-AUTOMATION-DACL-52fa7487
Method status list:
       Method           State
       mab              Authc Success
interface GigabitEthernet1/5
switchport access vlan 32
switchport mode access
switchport voice vlan 64
ip access-group ACL-ALLOW in
logging event link-status
authentication event fail action next-method
authentication event server dead action authorize vlan 2700
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
service-policy input QoS-Input-Policy
service-policy output QoS-Host-Port-Output-Policy
end
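When a policy that should push both a VLAN and a dACL misbehaves, the first thing to pin down is what the switch actually received, which is what the "show authentication sessions ... details" output above records under "Server Policies". The following is an added example (not code from the thread or from Cisco) that parses that output together with the interface configuration and reports where the result diverges from what the AuthZ profile was meant to deliver: the session must be Authorized, the pushed VLAN must match the expected one, a dACL name must be present, and the port must carry a static inbound ACL for the dACL to attach to. The sample output and interface lines are constructed from the values quoted in the thread; the expected VLAN and the function names are the example's own assumptions.

```python
import re

# Constructed sample: the session details quoted in the thread, trimmed to the
# fields this check reads (values taken from the original post).
SAMPLE_SESSION = """\
            Interface:  GigabitEthernet1/5
          MAC Address:  d4be.d905.3973
         IPv4 Address:  10.42.163.59
            User-Name:  D4-BE-D9-05-39-73
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
Server Policies:
           Vlan Group:  Vlan: 1620
              ACS ACL:  xACSACLx-IP-BLDG-AUTOMATION-DACL-52fa7487
Method status list:
       Method           State
       mab              Authc Success
"""

# Constructed sample: the relevant part of the port configuration from the thread.
SAMPLE_INTERFACE = """\
interface GigabitEthernet1/5
 switchport access vlan 32
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
"""

# Matches "   Field Name:  value" lines; section headers with no value are skipped.
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 -]+?):\s+(.*?)\s*$")


def parse_session(text):
    """Return the 'Field: value' pairs plus the server-pushed VLAN and dACL name."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    vlan = None
    m = re.search(r"Vlan:\s*(\d+)", fields.get("Vlan Group", ""))
    if m:
        vlan = int(m.group(1))
    return {"fields": fields, "vlan": vlan, "dacl": fields.get("ACS ACL")}


def parse_interface(text):
    """Return the interface-level commands as a set of normalised lines."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def check_authorization(session_text, interface_text, expected_vlan, expect_dacl=True):
    """Return a list of findings; an empty list means the pushed result matches expectations."""
    session = parse_session(session_text)
    cfg = parse_interface(interface_text)
    findings = []
    if session["fields"].get("Status") != "Authorized":
        findings.append("session is not Authorized")
    if session["vlan"] != expected_vlan:
        findings.append(f"VLAN {session['vlan']} pushed, expected {expected_vlan}")
    if expect_dacl:
        if not session["dacl"]:
            findings.append("no dACL in Server Policies")
        elif not session["dacl"].startswith("xACSACLx-IP-"):
            # ISE-pushed dACLs appear on IOS under the xACSACLx-IP-<name>-<hash> name.
            findings.append(f"unexpected dACL name {session['dacl']}")
        # A dACL is applied on top of a static port ACL; without one it has nothing to attach to.
        if not any(l.startswith("ip access-group ") and l.endswith(" in") for l in cfg):
            findings.append("port has no inbound static ACL for the dACL to attach to")
    if "authentication open" in cfg and not any(l.startswith("ip access-group ") for l in cfg):
        # Open mode without a pre-auth ACL lets all traffic through before authorization.
        findings.append("open mode configured without a pre-auth ACL")
    return findings


if __name__ == "__main__":
    for finding in check_authorization(SAMPLE_SESSION, SAMPLE_INTERFACE, 1620) or ["OK"]:
        print(finding)
```

Run it against a copy of the "show authentication sessions interface ... details" output taken while the test machine is in each endpoint group; a session where the VLAN moved but the "ACS ACL" line is missing narrows the problem to the dACL download rather than to the authorization rule match.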

Similar Messages

  • IP address in ISE live authentication after vlan change

    Hi all,
    On the ISE live authentication dashboard we can see the IP address of the client (known from FRAMED-IP-ADDRESS).
    But what about a VLAN change and the situation when the client gets a new IP address after relocation to a different VLAN?
    Live logs show only the first IP address to client mapping (from the guest VLAN); after authorization the new VLAN and dACL are assigned, but the logs don't include the new IP address.
    The session ID is the same all the time.
    So maybe an IP helper or other trick?
    regards

    Thanks for the reply.
    I added "aaa accounting update newinfo" and I'll see tomorrow how it works with AnyConnect and 802.1X.
    Meanwhile I think I must clarify what I meant.
    Not all logs have the IP address present in live authentication (this is MAB for test only).
    The situation with 802.1X and AnyConnect is a bit better because there are IP addresses, but only from the first DHCP address assignment (authentication open with default ACL). Then if the policy changes the VLAN and the client gets a new IP address from a different scope, we have wrong information in this log.
    But getting back to our MAB...
    The details of this entry look like:
    So this is probably the reason that no IP address is visible: it was too soon for MAB to get this info and send it as the framed IP address (according to this config command "radius-server attribute 8 include-in-access-req").
    Nevertheless, clicking the accounting details (from the 2nd screenshot)
    we see that this information is present.
    So my first question is: at which stage is this column filled in? Only when "FRAMED-IP-ADDRESS" is sent in the RADIUS request, or from accounting?
    Maybe ISE should dynamically modify this record after each accounting newinfo message?
    regards

  • What key(s) do I type to change language from English to another? I am writing a story in dual languages. I was told to click Command and the space bar together but it is not working.

    What key(s) do I type to change language from English to another? I am writing a story in dual languages. I was told to click Command and the space bar together but it is not working.

    Command-Spacebar opens Spotlight, as you have found out. If you want to change languages you need to say what app you are using to write the story in; I'm guessing you are using Pages or MS Word. If that's the case:
    Pages: Open Inspector - Click the T tab - Click Language and change your language.
    MS Word: Tools Menu - Language - Choose your language.

  • Changing VTP Setting and VLANs on CatOS

    Greetings to all...
    I'm working on replacing our old 5505 core switches running CatOS with 6509s running IOS with a new VLAN structure (VLAN 100 (5505) will be 400 (6509)). The downstream switches are 2948s running CatOS.
    My problem is that every time I either change SC0 or port 2/1 to the new VLAN, I lose my connectivity. Anyone know of a hot command that will change both at the same time?
    Thanks,
    Tom

    Do I understand that port 2/1 is the uplink port? If so, it should not be difficult. It is not necessary for the management and the trunk native VLAN to be the same, so you should be able to do them in sequence. In fact, I have just changed the management VLAN of our 20 Cat4000 CatOS switches remotely without any problem.
    However, you will get cut off at the moment that you change the SC0, but this has nothing to do with the port 2/1 (assuming that the trunk is carrying both old and new management VLANs).
    The way I did it was to start with the management station and all the switches on the old management VLAN. On your router (or L3 switch), create the new management VLAN, give its L3 interface a junk IP address, and enable ip proxy-arp on both old and new management VLANs. Note that the router is still routing the old management subnet, say 192.168.2.0/24, to the old management VLAN.
    Now pick an address which will be the router's IP address on the new management VLAN, say 192.168.2.254. Go into your access switch, and configure that address as the default gateway: set ip route default 192.168.2.254. Then reconfigure the SC0 interface to its new VLAN. At that point, your telnet session will get cut off because the management function of the 2948 is on the new VLAN. So, go to your router and set a host route for the access switch to the new VLAN: ip route 192.168.2.2 255.255.255.255 VLAN400. You should now be able to telnet to the switch from your management station. Packets from the management station to the switch will be routed by the host route. Packets from the switch to the management station will be routed courtesy of the proxy-arp.
    Repeat this for each access switch, and once they are all done you can move your management station and give the router its proper address 192.168.2.254 on the new VLAN. You can then remove the proxy ARP and/or change the native VLAN of the trunks at your leisure. If you are changing the native VLAN of the trunks, do the remote end first ;-).
    Hope I have understood your question correctly, and hope this helps.
    Kevin Dorrell
    Luxembourg

  • HT5622 Trying to load an app from the iTunes Store and asked to review the "Terms and Conditions and Apple Privacy Policy" as it has changed. There is no "Agree" selection available. Any suggestions? This appears to be associated with the iOS 7 upgrade.

    Trying to load an app from the iTunes Store and asked to review the "Terms and Conditions and Apple Privacy Policy" as it has changed. There is no "Agree" selection available. Any suggestions? This appears to be associated with the iOS 7 upgrade. Thanks

    I have the same problem with my iPhone 4. I solved it by giving permission to the cookies in Safari from the settings.

  • ISE Guest wired access VLAN Flip

    My guest access through ISE is working fine except I can't get it to flip the VLAN and move the guest PC to the guest VLAN. I have the Guest VLAN ID in the authorization policy. Can someone point me in the right direction with this?
    Thanks,
    D

    Hi
    Are you able to get mapped to the right policy? Also, is change of authorization (CoA) occurring? You should see in the monitoring logs an entry with a "dynamic authorization succeeded" message.
    I would check the SSID advanced settings to see if AAA Override and RADIUS NAC are enabled. In the settings page in ISE (under Administration > Settings > Profiling) see if the CoA has been set to "reauth"... something other than "not enabled".
    If you are having issues pulling a new IP address then check the operation tab in the guest portal configuration.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • WLC Web Auth Redirect URL point to an ISE Policy NODE only?

    Hi all,
    I was wondering if the Web Auth Redirect URL configured in the WLC can only point to an ISE Policy Persona Node so the Web Portal feature (see below) in the ISE is only active when the ISE device has that Policy Persona activated.

    Thanks Peter for your clarification regarding the semantic I used and the question I made.
    Curiously, I tested it (configure the WLC Web Auth URL Redirect pointing to an ADM Node) and it did not work until I added the Policy Services persona into that ADM Node. I just wanted to verify that my test was correct because we want to make some changes in our deployment. Let me see if I can open a TAC Case in order to confirm this and add it to this post.

  • ISE 1.2 and iPEP Certificate Requirements

    Hi,
    For the 1.1.x version of ISE, there are some constraints regarding the certificates used for iPEP and Admin:
    Both EKU attributes should be disabled, if both EKU attributes are disabled in the Inline Posture certificate, or both EKU attributes should be enabled, if the server attribute is enabled in the Inline Posture certificate.
    [http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bea904.shtml]
    Does the same thing apply for iPEP in ISE 1.2? The User Guide for ISE 1.2 and the Hardware Installation Guide don't mention anything about EKU and specific certificate attributes.
    Any thoughts?
    Thank you,
    Octavian

    The EKU validation has been removed in version 1.2.
    "If you configure ISE for services such as Inline Policy Enforcement Point (iPEP), the template used in order to generate the ISE server identity certificate should contain both client and server authentication attributes if you use ISE Version 1.1.x or earlier. This allows the admin and inline nodes to mutually authenticate each other. The EKU validation for iPEP was removed in ISE Version 1.2, which makes this requirement less relevant."
    Source:
    http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080bff108.shtml

  • Logical network to physical network mapping (subnets and VLANS) in SCVMM 2012 R2

    In much of the blogs, documentation and literature on VMM, there are examples of deploying multiple logical networks onto one physical network, i.e. Cluster (logical) + Storage (logical) + Backup (logical) + Live Migration (logical) + Management (logical) on top of Datacenter (physical).
    Does this mean it would be possible to have one (physical) flat VLAN-less network with one subnet and then have all those logical networks (with subnets and VLANs) on top of it? Even with a simple unmanaged L2 switch that doesn't support VLANs itself?
    If not, just how do you map multiple logical networks to just one physical network? How does that work in practice? Is a L3 switch needed to route traffic between logical networks for example?

    Hi. VMM networking may be overwhelming for most at first. But you really need to understand the modeling here and how things are related to each other, especially if using NIC teaming in WS 2012 (and R2) together with this mix.
    I suggest that you read the following whitepaper where we explain how to setup networking in VMM (also to support network virtualization, but that is absolutely not mandatory): http://gallery.technet.microsoft.com/Hybrid-Cloud-with-NVGRE-aa6e1e9a
    -kn
    Kristian (Virtualization and some coffee: http://kristiannese.blogspot.com )

  • ISE 1.2 and ACL's with multiple ports

    When creating a DACL for my groups I used the syntax "permit tcp any 192.168.20.0 0.0.0.255 eq 22 443" for one of the ACEs inside the DACL and the syntax check validated it. When I pushed it to my groups it also worked, but I have heard that this type of multiple-port ACL in ISE is not supported. Does anyone know if this is accurate?

    Thanks for the response but it's wrong. Cisco supports stacked ports in 1.2 for wired users. They carried over 1.1 documentation to 1.2 and never updated it. We have it in writing from Cisco TAC.

  • ISE 1.2 and WLC 7.6.100.0 Flex Config

    I've one SSID used for both Head Office users and branch users. The problem is that branch users are using FlexConnect. All the branch users are using VLAN 10 as pre-AuthC and VLAN 20 after authentication. But H.O. users are using VLAN 50 to connect. Now I've made the AuthZ policy match wlan-id and wireless 802.1X.
    The question is how I'll make the H.O. users match a different AuthZ policy and branch users another AuthZ policy, since I need to return different VLANs for them.
    Thanks and Regards,
    Zohaib

    Hi Jan,
    Thanks for the reply. I just want to know if there is any other way to identify the users in the policy, since I'm using only the default group and the network is operational. Shifting these APs to a new group will be difficult. Is there a way to put a NAS-ID on a FlexConnect group?

  • My grandson's new Apple refurbished 35 GB iPad keeps locking up with a black screen and nothing else. I have reset it many times pressing the home and off buttons together but it keeps locking up. Help, please!

    My grandson's new Apple refurbished 35 GB iPad keeps locking up with a black screen and nothing else. I have reset it many times pressing the home and off buttons together but it keeps locking up. Help, please!

    Thank you for trying to help. I followed your instructions, it took 6 hours to download, and then it said it could not solve the problem (something to do with error 9?). It will have to go back to Apple; it's only 3 days since it came out of the package and it's very disappointing for him. Looks like I have to hang around in the Apple store in Plymouth all tomorrow until they can fix it, or will change it. Thanks for your help.

  • ABAP and Java stack together gives error message...

    I am trying to install the ABAP stack and Java stack together.
    I installed ABAP WAS without problem, but when I install Java I get the error below.
    I tried SP09 and since it didn't work, SP07 also, since I had it downloaded before.
    Any help??? Got stuck.
    I need to install them together to practice Web Dynpro...
    E:\NW2004sSP7_Preview\SAP_NetWeaver_2004s_SR_1_Installation_Master_DVD__ID__NW05SR1_IM1\IM_WINDOWS_I386\NW04S\WEBAS\ADA\control.xml
    George
    INFO 2006-11-30 15:10:12
    An error occured and the user decided to rety the current step: "|NW_Java_OneHost|ind|ind|ind|ind|0|0|NW_Onehost_System|ind|ind|ind|ind|1|0|NW_GetSidNoProfiles|ind|ind|ind|ind|1|0|collect".
    ERROR 2006-11-30 15:10:14
    FJS-00003  TypeError: this._name has no properties (in script NW_Java_OneHost|ind|ind|ind|ind, line 8987: ???)
    INFO[E] 2006-11-30 15:10:13
    FSL-02077  File system export (share) saploc does not exist.
    ERROR 2006-11-30 15:10:14
    FCO-00011  The step collect with step key |NW_Java_OneHost|ind|ind|ind|ind|0|0|NW_Onehost_System|ind|ind|ind|ind|1|0|NW_GetSidNoProfiles|ind|ind|ind|ind|1|0|collect was executed with status ERROR .
    This error was gone when I used the registry cleaner for removing the ABAP stack. But now the question is: how do I install BOTH????
    Maybe the instance number is the problem....
    In the old version of the ABAP stack we can enter the instance number. But not in SP 9. Can we change it here too?
    E:\NW2004sSP7_Preview\SAP_NetWeaver_2004s_SR_1_Installation_Master_DVD__ID__NW05SR1_IM1\IM_WINDOWS_I386\NW04S\WEBAS\ADA\control.xml
    This file holds the key to the errors since it checks for the instance number which is given in the log as details. Maybe we can change it....
    In the ABAP stack install, instead of files as in SP 07 they have created an image, and maybe this is the reason that
    we cannot customize. I have to find a way in order to install it...

    I found the solution myself. The latest WAS for ABAP is preconfigured and so it's not suitable for an ABAP-Java multiple installation.

  • Original and current budget together with PTD, ITD, MTD and YTD labor...

    Hi experts:
    I need a Project Accounting report that shows Original and Current budget together with PTD, ITD, MTD and YTD labor amount, labor cost, non-labor cost, and revenue on the same line for all the task_id for a project. I know these are coming from these main tables: PA_BUDGET_VERSIONS V, PA_RESOURCE_ASSIGNMENTS A, PA_BUDGET_LINES L. But I am unable to break down the amounts according to PA and GL periods. Can anyone help please?
    Thanks a million, in advance.

    Help you with what?
    No database version number.
    No application name or version number.
    No DDL.
    Do you, for some reason, think we have any idea what PTD and ITD are? If so why?
    Do you think we all have your version of a table named PA_RESOURCE_ASSIGNMENTS on our hard disks?
    Perhaps you have some version of e-Business Suite. Perhaps you have SAP. Perhaps you have something we've never even heard of.
    Your task is as follows:
    1. If this question relates to an Oracle product change the subject of the post to "Please Ignore" and post your question in the correct forum.
    or
    2. Provide us with sufficient information that we can duplicate those portions of your environment required to understand what you are asking.

  • Cisco ISE 1.1 and IE9

    Is anyone else having problems with ISE admin/monitoring pages not working properly under IE9? I just completed an upgrade to ISE 1.1, and it seems more and more, when I try to manage the system with IE9, I will get the following error (host name changed to protect the innocent). I don't know if this is truly an IE9 issue, or the Chrome plug-in we are forced to use. Works perfectly under Firefox 11.0.
    This webpage is not available
    The webpage at https://iseserver.domain.com/mnt/pages/dashboard/dashboard.jsp?mnt_config_write=true&token=BEGIN_TOKENXspmm4x5AwFsV6NExIBAVA==END_TOKEN might be temporarily down or it may have moved permanently to a new web address.
    Error 103 (net::ERR_CONNECTION_ABORTED): Unknown error.

    Supported Administrative User Interface Browsers
    You can access the Cisco ISE administrative user interface using the following browsers:
    • Mozilla Firefox 3.6 (applicable for Windows, Mac OS X, and Linux-based operating systems)
    • Mozilla Firefox 9 (applicable for Windows, Mac OS X, and Linux-based operating systems)
    • Windows Internet Explorer 8
    • Windows Internet Explorer 9 (in Internet Explorer 8 compatibility mode)
    Cisco ISE GUI is not supported on Internet Explorer version 8 running in Internet Explorer 7 compatibility mode. For a collection of known issues regarding Windows Internet Explorer 8, see the "Known Issues" section of the Release Notes for the Cisco Identity Services Engine, Release 1.1.
