WLC with ISE as radius and also external web server
Hi friends,
I am building a wireless network with a 5508 WLC and trying to use ISE as RADIUS server and also to redirect the web-login to it.
I was trying to understand, to achieve the external web-login, do I need to use the RADIUS NAC option under Advanced on the guest wireless where I am trying this out? And if not, where do I actually use it?
So far what I have understood is that I do need to have a preauth ACL on the Layer 3 security, but the issue is there is no hit reaching the ISE.
Any suggestions would be highly appreciated, guys!
Regards,
Mohit
Hi Mohit,
Please make sure of the below steps for guest auth through ISE:
1) Add the WLC in your ISE as a network device.
2) In the Guest SSID you need to choose the pre-authentication ACL. That ACL should allow the below traffic:
a. any to ISE
b. ISE to any
c. any to DNS server
d. DNS to any
3) The external redirect URL will be
https://ip address:8443/guestportal/Login.action
4) AAA server for that SSID would be your ISE IP with port number 1812.
5) In the Advanced tab please choose AAA override. No need for RADIUS NAC.
6) Create an appropriate authorization profile in ISE for guest. Example is below,
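The pre-authentication ACL in step 2 is the part people most often get wrong, because a WLC ACL is stateless and first-match with an implicit deny: both directions of the portal and DNS flows must be permitted, and nothing else should be. The script below is an added example, not code from the thread or from Cisco: it models that evaluation and checks an ACL against the four flows listed above plus one flow that must stay blocked before login. The ISE, DNS and guest addresses and the three sample ACLs are constructed for the example.

```python
import ipaddress

# Constructed addresses for the example; not taken from the original thread.
ISE_IP = "10.10.10.20"        # ISE node that serves the guest portal on tcp/8443
DNS_IP = "10.10.10.5"         # DNS server the guests must reach before login
INTERNET_HOST = "203.0.113.10"  # any host that must NOT be reachable pre-auth


def _matches(net, ip):
    """'any', a host, or a CIDR, matched the way a WLC ACL entry matches."""
    if net == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def evaluate(acl, src, dst, proto, dport):
    """First matching rule wins; no rule matches -> implicit deny."""
    for rule in acl:
        if (_matches(rule["src"], src) and _matches(rule["dst"], dst)
                and rule["proto"] in ("any", proto)
                and rule["dport"] in ("any", dport)):
            return rule["action"]
    return "deny"


def check_preauth_acl(acl, client_ip="192.168.50.25"):
    """Return a list of problems; an empty list means the ACL passes."""
    flows = [
        # name, src, dst, proto, dport, expected verdict
        ("guest -> ISE portal (tcp/8443)", client_ip, ISE_IP, "tcp", 8443, "permit"),
        ("ISE -> guest (return traffic)", ISE_IP, client_ip, "tcp", 51000, "permit"),
        ("guest -> DNS (udp/53)", client_ip, DNS_IP, "udp", 53, "permit"),
        ("DNS -> guest (return traffic)", DNS_IP, client_ip, "udp", 51001, "permit"),
        ("guest -> internet must stay blocked pre-auth", client_ip, INTERNET_HOST, "tcp", 443, "deny"),
    ]
    problems = []
    for name, src, dst, proto, dport, expected in flows:
        got = evaluate(acl, src, dst, proto, dport)
        if got != expected:
            problems.append(f"{name}: expected {expected}, ACL gives {got}")
    return problems


# Constructed ACLs. Only the client-facing flows are needed here: the WLC's own
# RADIUS traffic to ISE on 1812 does not pass through the pre-auth ACL.
ACL_MISSING_RETURN = [   # typical mistake: forward direction only
    {"src": "any", "dst": ISE_IP, "proto": "tcp", "dport": 8443, "action": "permit"},
    {"src": "any", "dst": DNS_IP, "proto": "udp", "dport": 53, "action": "permit"},
]
ACL_COMPLETE = [         # the four rules from the answer above
    {"src": "any", "dst": ISE_IP, "proto": "any", "dport": "any", "action": "permit"},
    {"src": ISE_IP, "dst": "any", "proto": "any", "dport": "any", "action": "permit"},
    {"src": "any", "dst": DNS_IP, "proto": "udp", "dport": 53, "action": "permit"},
    {"src": DNS_IP, "dst": "any", "proto": "udp", "dport": "any", "action": "permit"},
]
ACL_TOO_OPEN = [         # "permit any any" defeats the purpose of the portal
    {"src": "any", "dst": "any", "proto": "any", "dport": "any", "action": "permit"},
]

if __name__ == "__main__":
    for label, acl in (("missing return", ACL_MISSING_RETURN),
                       ("complete", ACL_COMPLETE), ("too open", ACL_TOO_OPEN)):
        print(label, "->", check_preauth_acl(acl) or "OK")
```

Note that the check only covers what the guest client may send and receive before authentication. A guest portal that never shows up, with no hits on ISE, is usually a NAS definition or shared-secret problem between the WLC and ISE (step 1 and step 4), which this ACL cannot cause or fix.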
Similar Messages
-
Cisco WLC with ISE - need to restrict access during non-business hours
Hello,
We have a requirement to turn off our wireless during non-business hours. We have a 5508 WLC with ISE. What is the best way to accomplish this task?
Thank you in advance.
Beth
Aside from Steve's response, there are several methods of doing this and this will all depend on how complex your network is and how technical you want to do this.
1. As what Steve said, use PI and you can define several schedules when to turn off/on the SSID;
2. If you have corporate access, you can use AD to schedule non-business hours;
3. If you have Cisco PoE switches, you can enable EnergyWise to power off the APs;
4. If you manage your core network, you can enable time-based ACL to disable the default gateway of the dynamic interface which is attached to your SSID.
The most "destructive" method is option #3, because there are chances that your AP won't power up properly, if not power up at all. -
I have a 2006 15" Macbook Pro with a broken Superdrive and my external USB one just quit working
Why can my LG Portable Super Multi Drive (GP08NU6B) burn discs, but not read them? Right after I burn a DVD successfully, I stick it back in the drive and it says "The disk you have inserted is not readable by this computer" I have a 2006 15" Macbook Pro with a broken Superdrive, and this external disk drive is the only optical drive that worked via USB. This external drive was bought in 2010 and worked fine up until a month ago. This is supposed to be a Plug and Play device, and LG assures me the drivers are already included in Mac OSX, yet it seems somehow my Macbook lost the drivers and it won't let me watch DVDs now or recognize any discs at all!
How can I find and somehow reinstall the firmware for this optical drive?
Sounds more like a hardware issue to me.
-
I am having trouble with the JPEG icons and also now thumbnails not being visible in both the Apple Finder and now also Adobe Bridge. Can anyone shed any light on this?
Argh - once again, I find my solution right after posting this. Left out one modification to the SWIG script, now it runs in 29 seconds vs C 16 seconds, I can live with that.
-
Using iTunes to put my CD collection on my computer and then to my iphone5, I have an older Optiplex with 40 Gb internal and an external 1.5Tb drive. Question is can I get itunes to point to the 1.5 Tb drive to store my music, and if so how?
Looks like I solved my own problem by going to itunes, preferences, advanced, media folder location.
-
My iPod is still on a white screen after restoring with the two buttons and also restoring in iTunes, and it still has a white screen.
I've been struggling with mine all morning with the same issue.
Mine would not wake up from sleep (will just white screen).
It will boot using a hard reset (i.e. the power button and volume down button being held down for 8 or so secs). I restored and synced it multiple times but it still has a problem waking up and just goes to white screen.
I saw a post suggesting a loose connection which I had my doubts about (as it will wake with hard reset) - but BINGO! If I wake mine (with index finger) whilst applying pressure to the top of the screen area (with my thumbs) it will wake up. When I become frustrated enough I'll take it apart and see if something has become loose.
Hope this helps. -
LACP with a Cisco 2960G and an IBM I7 Server
I am attempting to get LACP working with a Cisco 2960 and an IBM I7 server.
The connection seems redundant. I can unplug GI0/8 and traffic still flows and clients are not disconnected from the IBM I7. I can do the same with GI0/9 once GI0/8 is plugged back in.
Two issues.
1. How can I change the LACP timer from slow to fast?
2. Why does my port Gi0/8 show as INDEP in the show lacp detail command?
Port: Gi0/8
Port state = Up Sngl-port-Bndl Mstr Not-in-Bndl
Channel group = 3 Mode = Active Gcchange = -
Port-channel = null GC = - Pseudo port-channel = Po3
Port index = 0 Load = 0x00 Protocol = LACP
Flags: S - Device is sending Slow LACPDUs F - Device is sending fast LACPDUs.
A - Device is in active mode. P - Device is in passive mode.
Local information:
LACP port Admin Oper Port Port
Port Flags State Priority Key Key Number State
Gi0/8 SA indep 32768 0x3 0x3 0x8 0x7D
Age of the port in the current state: 2d:17h:20m:08s
Port: Gi0/9
Port state = Up Mstr Assoc In-Bndl
Channel group = 3 Mode = Active Gcchange = -
Port-channel = Po3 GC = - Pseudo port-channel = Po3
Port index = 0 Load = 0x00 Protocol = LACP
Flags: S - Device is sending Slow LACPDUs F - Device is sending fast LACPDUs.
A - Device is in active mode. P - Device is in passive mode.
Local information:
LACP port Admin Oper Port Port
Port Flags State Priority Key Key Number State
Gi0/9 SA bndl 32768 0x3 0x3 0x9 0x3D
Partner's information:
LACP port Admin Oper Port Port
Port Flags Priority Dev ID Age key Key Number State
Gi0/9 SA 0 40f2.e95c.f433 25s 0x0 0x8102 0x1 0x3D
Age of the port in the current state: 2d:17h:27m:44s
Port-channels in the group:
Port-channel: Po3 (Primary Aggregator)
Age of the Port-channel = 365d:21h:06m:46s
Logical slot/port = 2/3 Number of ports = 1
HotStandBy port = null
Port state = Port-channel Ag-Inuse
Protocol = LACP
Port security = Disabled
Ports in the Port-channel:
Index Load Port EC state No of bits
------+------+------+------------------+-----------
0 00 Gi0/9 Active 0
Time since last port bundled: 2d:17h:26m:07s Gi0/8
Time since last port Un-bundled: 2d:17h:25m:02s Gi0/8
Hi,
With IBM i7, support for LACP starts, to my knowledge, with i7.1 TR7. If that is your case, will you please post the DSPLIND (with AGGRSCL option) command output.
As for the LACP fast timer setting, while it can be configured on various Cisco boxes, I am afraid it cannot be done with a Cat2960.
Thanks & Regards,
Antonin -
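The LACP thread above shows the raw "Port State" column (0x7D for Gi0/8, 0x3D for Gi0/9) without decoding it. That byte is the IEEE 802.3ad actor state bit field, and decoding it answers both questions directly from the output: the Timeout bit tells you whether the port is sending fast or slow LACPDUs, and the Defaulted bit tells you whether the switch is using defaulted partner information because it has not received LACPDUs from the partner on that port. The script below is an added example, not code from the thread or from Cisco; the two "Local information" lines it parses are copied from the output above, and the parser assumes that exact column layout.

```python
import re

# IEEE 802.3ad / 802.1AX actor state bits, as shown in the "Port State" column.
LACP_STATE_BITS = (
    (0x01, "Activity"),         # 1 = active LACP, 0 = passive
    (0x02, "Timeout"),          # 1 = short timeout (fast LACPDUs), 0 = long (slow)
    (0x04, "Aggregation"),      # 1 = aggregatable, 0 = individual link
    (0x08, "Synchronization"),  # 1 = in sync with the aggregator
    (0x10, "Collecting"),       # 1 = receiving frames on this link
    (0x20, "Distributing"),     # 1 = sending frames on this link
    (0x40, "Defaulted"),        # 1 = partner info is defaulted (no LACPDU received)
    (0x80, "Expired"),          # 1 = receive state machine has expired
)

# Layout of the "Local information" rows of `show lacp detail` on a 2960,
# assumed from the output quoted in the thread.
LOCAL_ROW = re.compile(
    r"^(?P<port>\S+)\s+(?P<flags>[SFAP]+)\s+(?P<state>\w+)\s+(?P<prio>\d+)\s+"
    r"(?P<admin_key>0x[0-9A-Fa-f]+)\s+(?P<oper_key>0x[0-9A-Fa-f]+)\s+"
    r"(?P<port_number>0x[0-9A-Fa-f]+)\s+(?P<port_state>0x[0-9A-Fa-f]+)\s*$"
)

# Copied from the thread's `show lacp detail` output (Local information rows).
SHOW_LACP_LOCAL = """\
Gi0/8 SA indep 32768 0x3 0x3 0x8 0x7D
Gi0/9 SA bndl 32768 0x3 0x3 0x9 0x3D
"""


def decode_state(byte):
    """Map the 8-bit actor state value to named booleans."""
    return {name: bool(byte & mask) for mask, name in LACP_STATE_BITS}


def parse_local(text):
    """Parse the Local information rows into dicts with the decoded state bits."""
    rows = []
    for line in text.splitlines():
        m = LOCAL_ROW.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["bits"] = decode_state(int(row["port_state"], 16))
        rows.append(row)
    return rows


def diagnose(row):
    """Explain what the state byte says about the port, in one line."""
    b = row["bits"]
    notes = ["fast LACPDUs (Timeout bit set)" if b["Timeout"]
             else "slow LACPDUs (Timeout bit clear)"]
    if b["Defaulted"]:
        notes.append("Defaulted set: no LACPDUs received from the partner on this "
                     "port, so it runs as an individual link (indep)")
    elif b["Synchronization"] and b["Collecting"] and b["Distributing"]:
        notes.append("in sync, collecting and distributing: bundled in the channel")
    if b["Expired"]:
        notes.append("Expired set: partner LACPDUs stopped arriving recently")
    return f"{row['port']} ({row['state']}, {row['port_state']}): " + "; ".join(notes)


if __name__ == "__main__":
    for r in parse_local(SHOW_LACP_LOCAL):
        print(diagnose(r))
```

For the output quoted above this prints that both ports run slow timers, that Gi0/9 is bundled, and that Gi0/8 carries the Defaulted bit, meaning the 2960 is not seeing LACPDUs from the server on that link; the next thing to check is the server side of Gi0/8, which is what the DSPLIND request in the reply is after.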
Disabling Weblogic's http server port - Using an external web server
Hi,
We are using Weblogic 8.1 as application server and IWS as web server. We have
siteminder web agent configured on the web server for implementing authentication
and authorization.
All our requests first go to the web server which redirects them to the application
server.
Since Weblogic itself has a http listen port, user can still send requests directly
to the application server(which does not have any siteminder configuration on
it). Is it possible to ensure that all http requests made directly to the application
server are not processed so that the user is forced to hit the web server first.
Thanks,
Akash
When you say redirect, do you mean you use an HTTP redirect to send it to your
WLS servers URL? Or do you mean you proxy the requests from the webserver to
the WLS instance? In the former case, you must expose WLS's HTTP server to the
clients in order to redirect them to the address and you will not be able to
stop them from going directly there. In the case of the latter, you can put
your WLS instance behind the firewall so external users can't get to it. If you
also need to protect it from internal users you should probably not use
siteminder as your authentication mechanism. You may be able to configure
siteminder so that it has to authenticate itself to send requests to weblogic
and then protect all weblogic resources with that role requirement.
Sam
-
Web Dynpro application calling external web server using HTTPS giving error
Hello,
I don't know whether this is the right question in this forum but my ABAP Web Dynpro application is expected to call another HTTP application on an external web server through HTTPS. Presently it is calling through plain HTTP but we want to have HTTPS.
Here are the steps that we followed based on the link from help.sap.com
1] Received the certificate files from external web server
2] Created SSL Anonymous client
3] Imported the certificate files under this client and added into the certificate list
4] Re-started ICM
5] Created RFC Destination of type HTTP to connect to external server with SSL option and basic authentication. This RFC destination was working under plain HTTP.
When tried with Test connection it gave error "ICM_HTTP_CONNECTION_FAILED".
Any idea what might be missing. Thanks in advance.
Regards
Rajeev
Used proper certificate, after which the error went away.
-
Can data be passed to an external web server using the "in-course web browsing" feature in ver. 7? I would like to display a simple web page, and I would like to pass to that web page the answers to all the quiz questions, quiz score, etc. In other words, instead of passing quiz results to a SCORM-compliant LMS like Moodle, I'd like to pass that data to a Drupal Webform using a URL like:
https://www.example.com/my-drupal-webform?param1=value1&param2=value2...&paramn=valuen
Is this possible?
Thanks,
John
You have to make sure every step in MOS Document ID 726414.1 that is applicable to your E-Business Suite 12.1.x release is performed. Enabling ASADMIN is just one of the steps. If, in spite of following all the steps in this Document, you continue to get the error when clicking "Generate WSDL", please log a Service Request with Oracle Support.
I will check all steps again. Maybe I missed one... Thanks!
-
Help for Installing PHP and Sun One Web Server
Hi
I tried to install PHP 5.1.4 and Sun One Web Server 6.1. I am not able to complete this and got stuck. All the available materials in net seems to flow above my head.
It will be very helpful if someone could let me know the step by step configuration a bit brief for the same.
Thanks in advance
Kathirvel Balakrishnan
Hi Craig
I am following these steps,
1st step : Installing PHP on the WindowsNT server (NT users only)
Copy the php files on your server
Get the php zip file
Copy the php files under a directory (for example: d:\php4)
(be careful, don't use c:\Program Files\php because of the space between Program and Files)
copy php4ts.dll to c:\winnt, and msvcrt.dll if you don't already have it on your system
Edit php.ini-dist
rename php.ini-dist to php.ini
Edit php.ini: indicate in which directory you have copied your php files. (extension_dir = d:\php4\extensions ; directory in which the loadable extensions (modules) reside.)
copy php.ini to the winnt directory (php.ini is parsed in my config)
Matthias Kramer told me that he had to move php.ini to <path-to-netscape-server>/https-servername/config for it to be parsed
Make a file association under Windows NT
In a DOS Window, type assoc .php=PHPScript
ftype PHPScript=d:\php4\php.exe %1 %*
Test the 1st step
Create a C:\test.php file with a single line like <? echo("Nothing to write"); ?>
Create a C:\test.bat file with 2 lines:
test.php
pause
double-click on test.bat
If you see something like X-Powered-By: PHP/4.0.3
Content-type: text/html
Nothing to write
then the NT association works!!
2nd step : Configuring Netscape Enterprise Server or iPlanet for PHP4 with nsapi (NT & UNIX)
Unix users only
Compile PHP as follows: ./configure --with-nsapi=/usr/local/netscape/server4 --enable-libgcc
make
make install
Add LD_LIBRARY_PATH=<libdir> to your Netscape server startup script
where <libdir> is the full path to the directory where libstdc++.so.2.10.0 is located (usually /usr/local/lib)
Add a mime-type to the Netscape Server
In the Netscape Administration console chose Preferences|Mime Types
Add a new type called magnus-internal/x-httpd-php for exts=php
Click here for screenshot
Stop your Web Server
Make a copy of obj.conf located in: <path-to-netscape-server>/https-servername/config
Modify obj.conf
There are several sections in obj.conf
At the end of the Init section of obj.conf (necessarily after mime type init),
place these two lines. For NT users:
Init fn="load-modules" funcs="php4_init,php4_close,php4_execute,php4_auth_trans" shlib="d:/php4/sapi/php4nsapi.dll"
Init fn="php4_init" errorString="Failed to initialise PHP!"
For Unix users
Init fn="load-modules" funcs="php4_init,php4_close,php4_execute,php4_auth_trans" shlib="/usr/local/netscape/server4/bin/libphp4.so"
Init fn="php4_init" errorString="Failed to initialise PHP!"
In The < Object name="default" > section,
place this line (necessarily after all 'ObjectType' and before all 'AddLog' lines): Service fn="php4_execute" type="magnus-internal/x-httpd-php"
Add a new object called x-httpd-php <Object name="x-httpd-php">
ObjectType fn="force-type" type="magnus-internal/x-httpd-php"
Service fn=php4_execute
</Object>
Restart your Web Server
Test the 2nd step
Put the test.php file in the document root of your server
Then type http://server/test.php
If you can see "nothing to write" in your browser then it works!
As mentioned in step 1,
I am not getting the PHP message.
I am installing it on my laptop; it has no IP. Does that have something to do with this?
Please guide me from here.
Thanks in advance
Kathirvel -
Apache and Java System Web server
Is it possible to run Apache Web Server and Java System Web Server on the same computer or is one of them which has to run.
Sure, they can be run simultaneously as long as they don't share the same socket (pair of IP address/TCP port).
But the question is does it make sense at all - what would you get from Apache which is not there in SJS WS? -
Client Exclusion Policies on WLC not working with ISE as RADIUS Server
Hi,
for our Guest WLAN (Security Setting for this SSID: Layer 2: MAC filtering, Layer 3: none) we use ISE as RADIUS Server. On the WLC I enabled client exclusion policies and checked all options (Excessive 802.11 Auth. Failures etc.). But even if a client fails 20 times at authentication, it is not excluded on the WLC. It works with other SSIDs, where security settings are set to 802.1X.
Am I missing any settings here or do you have some tips on how to troubleshoot this?
Thanks very much!
Hi Renata,
If those guest failures are not associated with valid guest users (i.e. people who have forgotten their account or entering the wrong password) there isn't anything that can be done. The main point of Guest WLAN is to make it as easy as possible for Guests - individuals with device configurations you don't want to deal with or know about, to connect your network for internet access. From a WiFi/802.11 perspective, the standard Guest WLAN setup means its easy for any device to connect.
If your Guest WLAN has the following:
SSID is broadcast enabled, Security = OPEN, Encryption = none, then any 802.11 device can find the WLAN via passive scanning and connect. And any device that connects will get the ISE portal. Once receiving that portal they can guess away at valid username/password.
I would suspect that unless your Guest WiFi is adjacent to a Mall, school, hotel or other hi-density area of individuals with time and electronics on their hands, other than alerts in your ops window and logs, resources associated with this (WLC & ISE) are very low.
You can try and dull the noise a few ways.
Option 1. Create an ISE log filter on those alerts so they don't clutter the console.
Option 2. Stop broadcasting the SSID. This is not a security measure, but will cut volume of people connecting to the SSID significantly. You will have to tell your guests what SSID or include it in their credential communication.
Option 3. Put a very simple PSK on the SSID. The PSK will become a public secret - shared with valid guests; it doesn't have to change as its purpose is not security. You will have to include this information in their credential communication.
Option 4 - both 2 and 3
The most effective option would be 3.
Good Luck! -
Is RADIUS and other external auth unsecure?
I just finished setting up RADIUS on our database. As best as I can tell, the client is the one doing the authentication...I'm guessing this because if I have my SID setup for the RADIUS controlled database (with user identified externally) with the sqlnet.ora that has the radius settings, then I can connect.
If I try to connect from another machine that has the TNSNAMES.ORA entry for the database, but a standard sqlnet.ora (ie. no radius entries) it tells me invalid login.
To me, this says that it is not the database doing the actual RADIUS calls and authentication, but instead the client, which would then make it easy for someone to setup their own radius server with their own sqlnet.ora that would let them "authenticate" for a particular user against their own controlled passwords and trick the database server.
If this is not the case, then how come I can not just do, from anywhere with the proper tnsnames.ora, sqlplus userid/password@TNSNAME??? Should the server not also read sqlnet.ora at startup and then itself use BEQ or RADIUS for authentication methods?
Thanks for any pointers...sorry if it seems a little run on, but it's late and I'm tired.
The server is doing the authentication. Client setup is needed because somebody needs to hint to the server that the connection is supposed to use RADIUS.
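The reply above is right about where the trust boundary sits, and the reason is visible in the RADIUS protocol itself: the Access-Request is built by the database server (the RADIUS client, or NAS, in RADIUS terms) using a shared secret that only it and the RADIUS server hold, and the server's Access-Accept carries a Response Authenticator computed over that same secret. A workstation's sqlnet.ora only asks for the RADIUS method; it never holds the secret, so a rogue RADIUS server set up by the user cannot produce an Accept the database will trust. The code below is an added example of that exchange per RFC 2865, not Oracle's implementation; the shared secret, the user database and the rogue server's guessed secret are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
# Constructed shared secret: configured on the database server (the NAS) and on
# the RADIUS server, never on the sqlplus workstation.
SECRET = b"constructed-shared-secret"


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def _packet(code, ident, authenticator, body):
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(cipher, secret, request_auth):
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, request_auth, body, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def nas_build_request(username, password, secret, ident=1):
    """What the database server sends: it needs the secret, the sqlplus client does not."""
    request_auth = os.urandom(16)
    body = _attr(USER_NAME, username) + _attr(
        USER_PASSWORD, hide_password(password, secret, request_auth))
    return _packet(ACCESS_REQUEST, ident, request_auth, body), request_auth


def radius_server(packet, secret, users):
    """Genuine server: recovers the password with the secret and signs its reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    reply = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
    auth = response_authenticator(reply, ident, request_auth, b"", secret)
    return _packet(reply, ident, auth, b"")


def nas_accepts(response, request_auth, secret):
    """The NAS trusts an Accept only if the Response Authenticator checks out."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, request_auth, response[20:length], secret)
    return hmac.compare_digest(response[4:20], expected) and code == ACCESS_ACCEPT


def run_demo():
    """Returns (genuine_accept_trusted, forged_accept_trusted)."""
    users = {b"scott": b"tiger"}  # constructed RADIUS user database
    request, request_auth = nas_build_request(b"scott", b"tiger", SECRET)
    genuine = nas_accepts(radius_server(request, SECRET, users), request_auth, SECRET)
    # Rogue server: saw the request on the wire but does not hold the secret,
    # so it can only forge an Accept under a guessed secret.
    forged_auth = response_authenticator(ACCESS_ACCEPT, request[1], request_auth,
                                         b"", b"wrong-guess")
    forged = nas_accepts(_packet(ACCESS_ACCEPT, request[1], forged_auth, b""),
                         request_auth, SECRET)
    return genuine, forged


if __name__ == "__main__":
    print("genuine accept trusted, forged accept trusted:", run_demo())
```

The two results are True and False: the database accepts the genuine reply and discards the forged one, regardless of what the user's own sqlnet.ora says. The caveat a reviewer would add is that this MD5-based authenticator and password hiding are weak by today's standards and protect against spoofing, not eavesdropping; the RADIUS leg between the database server and the RADIUS server should run over a trusted network or a protected transport, and the secret should be long and random.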
-
Packet inspector and also external hard drive enquiry
I am looking for a packet inspector (measures what's going out and what's coming in via the net?) and also an external hard drive, both compatible with OS9.
Any ideas, anyone, would be greatly appreciated.
Thank you, I also think this is the reliable solution. I do not want to play with some modifications or use some app for it.