802.1x access points using ISE for trigger

We are deploying APs with 802.1x ports. We do not want to have static AP ports. When plugged into a switch port with 802.1x configured, the AP does not kick up the smart port trigger. How do I link the trigger from ISE to send the response for the trigger on the switch to reconfigure the switchport for an AP?
thanks,

Hello,
Please check this link for "802.1x using Cisco ISE", it may help you in this.
https://supportforums.cisco.com/docs/DOC-29409

Similar Messages

  • Scale out file server client access point using public nic

    Thoughts on this one.
    I have a Scale Out File Server cluster with a Client Access Point. Whenever I talk to the Client Access Point it uses the public NICs.
    If I talk to the Scale Out File Server directly it uses the private like I want it to. How can I get the Client Access Point using the private NICs?

    Hi JustusIV,
    Could you tell us why you want to modify the CAP to use the “private” network? The CAP is used for client access; your clients may not be able to access your cluster if you modify your CAP to use the private network. If you want to know how to modify the CAP of a cluster, you can refer to the following KB:
    Modify Network Settings for a Failover Cluster
    http://technet.microsoft.com/en-us/library/cc725775.aspx
    More information:
    Understanding Access Points (Names and IP Addresses) in a Failover Cluster
    http://technet.microsoft.com/en-us/library/cc732536.aspx
    Windows Server 2008 Failover Clusters: Networking (Part 4)
    http://blogs.technet.com/b/askcore/archive/2010/04/15/windows-server-2008-failover-clusters-networking-part-4.aspx
    Hope this helps.

  • Using ISE for guest access together with anchor controller WLC in DMZ

    Hi there,
    I setup a guest WLAN in our LAB environment. I have one internal WLC connection to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal which works fine.
    To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
    As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
    Does anyone know of a better solution for this ? Where to place the ISE for this scenario, etc ?
    Thx
    Frank

    So I ran into a similar scenario on a recent deployment:
    We had the following:
    WLC-A on private network (Inside)
    ISE Servers ISE01 and ISE02 (Inside)
    WLC-B Anchor in DMZ for Guest traffic (DMZ)
    ISE Server 3 (DMZ)
    ISE01 and ISE02 are used for 802.1X for the private network WLAN.
    Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
    The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth. Since we want to do CWA, we use Mac Filtering with ISE as the RADIUS server. If you send this traffic RADIUS authentication for Mac Filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to. Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails. (This was a limitation of ISE 1.1. Not sure if this persists in 1.2 or not.)
    So what now? In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentication from the Foreign controller so that the client will use a DNS of https://ise03.mydomain.com/... to redirect the client to. Once the session is authenticated, ISE03 will send a CoA back to the foreign which will remove the redirect for the session. Note, you do have to allow ISE03 to send a CoA.
    In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node.

  • Dynamic VLAN on Access Point using RADIUS

    Hi.
    I am using a single Cisco 1130AG authenticating to RADIUS on Microsoft IAS (I do NOT have a WLC)
    I was wondering is it possible to use one flat SSID in my network and then dynamically assign VLANs to users based on matching of RADIUS Policy and RADIUS Return attributes?
    I have configured the attributes on radius as per documentation;
    * IETF 64 (Tunnel Type)—Set this to VLAN.
    * IETF 65 (Tunnel Medium Type)—Set this to 802.
    * IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID.
    The returned VLAN ID exists on the Access Point and direct connection to the SSID without the return value works okay.
    Each time I connect the VLAN just defaults to the native VLAN for the SSID
    I think it may be impossible without WLC!
    HELP!!

    From what I found when using MBSSID it appears you cannot use dynamic VLANs.
    However you can use a single broadcasted SSID and various non-broadcast SSIDs with dynamic VLANs.
    Ideally a single SSID and dynamic VLANs via dot1x would be fine for my setup.
    However I have a specific wireless device which cannot use dot1x/EAP and therefore I need a second broadcast SSID to use for this. Which then causes the dynamic VLAN setup not to work.
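
A check for the three return attributes listed in the question above, as an added example that is not part of the original posts: it parses a RADIUS Access-Accept and reports whether Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID form a usable VLAN assignment. The values 13 (VLAN) and 6 (802) are the RFC 3580 encodings; the sample packets are constructed, and grouping strictly by RFC 2868 tag is an assumption of this checker, not a statement about how the 1130AG or IAS behaves.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13    # RFC 3580 value for "VLAN"
TUNNEL_MEDIUM_802 = 6    # RFC 3580 value for "802"


def parse_attributes(packet: bytes):
    """Return [(type, value), ...] from a RADIUS packet, validating lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"attribute {a_type} has a bad length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def vlan_assignment(packet: bytes):
    """Return (vlan, problems): vlan is the Tunnel-Private-Group-ID string
    of the first complete, correct tunnel group, or None."""
    attrs = parse_attributes(packet)
    problems = []
    if packet[0] != ACCESS_ACCEPT:
        problems.append("packet is not an Access-Accept")
    groups = {}  # tag -> {"type": int, "medium": int, "group": str}
    for a_type, value in attrs:
        if a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            # RFC 2868: one tag octet followed by a 3-octet integer
            if len(value) != 4:
                problems.append(f"attribute {a_type}: expected 4 value octets")
                continue
            key = "type" if a_type == TUNNEL_TYPE else "medium"
            groups.setdefault(value[0], {})[key] = int.from_bytes(value[1:], "big")
        elif a_type == TUNNEL_PRIVATE_GROUP_ID:
            # The tag is optional here: a first octet above 0x1F is string data
            tag, text = (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)
            groups.setdefault(tag, {})["group"] = text.decode("ascii", "replace")
    if not groups:
        problems.append("no tunnel attributes returned")
    vlan = None
    for tag, g in sorted(groups.items()):
        missing = [k for k in ("type", "medium", "group") if k not in g]
        if missing:
            problems.append(f"tag {tag}: missing {', '.join(missing)}")
        elif g["type"] != TUNNEL_TYPE_VLAN:
            problems.append(f"tag {tag}: Tunnel-Type is {g['type']}, not 13 (VLAN)")
        elif g["medium"] != TUNNEL_MEDIUM_802:
            problems.append(f"tag {tag}: Tunnel-Medium-Type is {g['medium']}, not 6 (802)")
        elif vlan is None:
            vlan = g["group"]
    return (vlan if packet[0] == ACCESS_ACCEPT else None), problems


def build_packet(code: int, attrs) -> bytes:
    """Constructed sample input: zeroed authenticator, no signature check."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body


def tagged(tag: int, number: int) -> bytes:
    """Encode a tagged integer attribute value (tag octet + 3-octet number)."""
    return bytes([tag]) + number.to_bytes(3, "big")


# Constructed Access-Accept: all three attributes carry tag 1, VLAN "30"
GOOD = build_packet(ACCESS_ACCEPT, [
    (TUNNEL_TYPE, tagged(1, 13)), (TUNNEL_MEDIUM_TYPE, tagged(1, 6)),
    (TUNNEL_PRIVATE_GROUP_ID, b"\x0130")])
# Constructed: group ID sent untagged while the other two carry tag 1
MIXED = build_packet(ACCESS_ACCEPT, [
    (TUNNEL_TYPE, tagged(1, 13)), (TUNNEL_MEDIUM_TYPE, tagged(1, 6)),
    (TUNNEL_PRIVATE_GROUP_ID, b"30")])

if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("MIXED", MIXED)):
        print(name, vlan_assignment(pkt))
```

Running it against a capture of the server's actual Access-Accept shows whether the fallback to the native VLAN starts with what the RADIUS server sends or with how the access point applies it.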

  • How to use ISE for VPN auth

    Hello
    Looking for documentation on how to set up ISE to authenticate VPN users. Right now we are using ACS 4.2 to provide dACL and authentication but would like to migrate this feature to ISE. We are using Microsoft AD.
    Any good docs, white papers, field notes, how-to that can address this issue will be appreciated.
    Thanks

    We use the ISE for VPN (connection with openldap). On the authentication policy you have multiple options. We used the network access - device ip address option. On the Authorization  tab we used again the ip address option in combination with an ldap attribute where there was a definition of the status of the person (student, teacher, admin,...). On the policy elements tab we made some authorization profiles in results - authorization - authorization profiles. When you make a new profile you can select under Common tasks the asa vpn attribute. There you can  for example insert admin.
    So if you have an admin user that wants to login:
    authentication: user found in ldap (or ad)
    authorization:
    -user is coming from asa ip address
    -user attribute is admin
    = user is authorized for the admin class on your asa vpn device.

  • AP541 Access Point Best config for multiple VAPS Advice

    Hi
    I have several AP541 (on different site locations) which I have currently configured for WPA enterprise using windows 2008 as the Radius server. This works fine for staff members who use the wireless when roaming around the offices.
    I would also like to set up another VAP for guests to allow them to access our internet but nothing else on the network. I was wondering what approach would be the best one to adopt to achieve this. Would I be best to set up a WPA Personal VAP and allow guests to access the wireless this way? Or is there a better approach? If we did adopt this approach I presume this would mean that we have to log onto each AP in turn and then change the WPA key on each one every time we decide to change the key? Or is there some clever software I could use to change them all in one go?
    Any help would be appreciated
    Thanks
    Colin

    Hello Simon,
    I would keep them all in Access Point mode if you are planning on having them all hardwired into your network. That is the best setup.
    As for Wireless WDS repeater or Wireless Client/Repeater, you would use these features if you are trying to extend your wireless signal at a certain location in your building but you are not able to run an Ethernet cable to that location. So all you would do is power up the WAP4410n and it will help increase the wireless signal in that location if set in repeater mode. The drawback to this is it will cut your throughput by half.
    Wireless WDS bridge, you would use this feature if you are wanting to extend your network to a location where you are not able to run an Ethernet cable to. Once you set up the bridge you would place it in the location where you are wanting to extend your hardwired network. If you plug a PC into the Ethernet port on the bridged WAP then you should be able to pull an IP address from the main network. When set in this mode it will not broadcast a wireless signal, so you will not be able to connect wirelessly to the device once it is in Wireless Bridge mode.
    Wireless Monitor: not sure about this feature, never used it.
    Keep in mind that these devices will usually only bridge or use repeater with themselves and not other devices.
    If you are wanting to start adding VLANs in the future you will need to stick to Access Point mode since that mode will allow you to set up more than one VLAN the WAP can look out for. If you use the repeater or bridge mode feature you will only be able to use 1 VLAN.
    I hope that helps you out!
    Thanks,
    Clayton Sill

  • Which access point is better for hospital environments?

    Folks,
    I have a customer in a hospital, who requires to have wireless deployed everywhere. The fact is, the customer is budget conscious, so I designed in such a way to place it in corridors, so that wireless coverage could get inside the rooms, but the doors are fire-proof which blocks RF.
    What are the best practices in deploying APs in a hospital? For example, is it safe to install APs next to a Medical Imaging Room or other devices which may cause interference?
    Which model is suitable for this sort of installation?
    Thanks,
    SID

    Hi SID,
    Please consider in your budget for a Wireless LAN Site Survey. A WLAN Site Survey will allow you to better understand WHERE to deploy your APs and HOW MANY APs to deploy. When deploying an AP, also bear in mind AP failures. You can address these issues with either keeping "spare" stocks or putting additional APs per floor so when an AP would fail, the WLC will calculate and increase the transmission power to cover the loss of an AP.
    In regards to what models to buy, I'd recommend looking at the 1140 or the 1250. These AP's are geared up for Draft N (2.0 Ratified).
    For AP's that are geared up for 802.11N (Draft 2.0):
    Data Sheet Cisco Aironet 1140 Series Access Point
    http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps10092/datasheet_c78-502793.html
    Data Sheet Cisco Aironet 1250 Series Access Point Data Sheet
    http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps6973/ps8382/product_data_sheet0900aecd806b7c5c.html
    If you are going to choose the 1250, note that the antennas are optional. Here's some information regarding them.
    Antenna Product Portfolio for Cisco Aironet 1250 Series Access Points
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/at_a_glance_c45-513837.pdf
    The AP1250, when operating with 2 radio modules on Autonomous IOS, requires a minimum of 18.5 watts (ePoE). So you'll need either a Power Injector or PoE switch that will support enhanced PoE such as the 3560-E or 3750-E.
    Cisco Nurse Connect Solution
    http://www.cisco.com/web/strategy/docs/healthcare/nurse_connect_aag.pdf
    Hope this helps.

  • How to add second access point using coax

    I have FIOS with the coax line split out of the main fios box. One split goes to room A that has the Actiontec router and a STB.   The other line goes into room B where there is just a STB. I have poor wireless signal in room B and I would like to add a second access point.  I've read up on the devices that try to amplify your signal and see that they tend to reduce speeds, so this does not seem like a viable option. Because of my building arrangement, I can't do any sort of new wiring. 
    I'd like to try to minimize how much configuration I have to do and even if it means paying a bit more to do so. From what I can tell, I could split the coax in Room B and plug in an ActionTEC ECB2200.  But, this would only give me a ethernet connection. If I plug in a second router via that ethernet connection, would that give me a second access point? Would I need to set up the second router in bridge mode? If this is the case, would it just make sense to plug the second router in without the ActionTEC ECB2200 in bridge mode from the coax input? 
    Thanks in advance.
    BT

    sabretd wrote:
    Actually I just came across this link, which I think explains what I need to do as item 2:
    http://www.dslreports.com/faq/15984
    Yes, this is Section 3.2 in the link I provided earlier.
    sabretd wrote:
    My only question is, when starting the process and performing the following:
    2.1) You will need to reconfigure the remote router, BEFORE you connect it to the coax.
    Perform a hard reset on the Actiontec to restore factory defaults.
    Connect a PC to a LAN port of the Actiontec.
    By default, DHCP server should be enabled on the Actiontec, so no need to set a static IP address on the PC.
    Login to the router at 192.168.1.1 
    How do I connect the primary and secondary Actiontec? Do I disconnect the primary and plug the secondary into coax and do all this, and then when finished plug the primary back in? Or, do I leave the primary plugged in the whole time?
    First you set up the secondary router by connecting it to any computer using an Ethernet cable.  Assuming you have reset the device, go to 192.168.1.1 and make the necessary changes in router number two.
    Leave the primary router alone (unless you decide on a scheme with a fixed IP for the second router) and it will supply an IP to router two, which will serve as a simple wireless access point.  Detailed settings and a step-by-step cookbook procedure are provided in the references given above.  Good luck.

  • E71 Access Point Choice Mail for Exchange

    I am used to using the iPhone where whenever you go somewhere, the phone detects available networks and you choose the one you want to connect to. I don't understand why in Mail for Exchange you must define an access point. Is there a way to have the access point selected whenever you enter a new area? And when there is no wireless network available, should it automatically use the GPRS network?
    Thank you.

    I would have to agree with you on that, it's my one and only complaint about the current S60 software. Just about all other platforms offer this function and Nokia used to with connection groups.

  • How to set WNDR4000 as an access point using Linksys EA8500

    New member. I have looked through the messages and found quite a few on access points but either I don't understand them or the topic is not the same. I had a Netgear R7000 which died and I now have a Linksys EA8500. I am getting good speed through it and am on Comcast cable. The WNDR4000 was set up as an access point on my Netgear and worked fine. It is hard wired to my router through a switch. I can see it on my Linksys network but can't understand how to allow it as an access point / internet access. I can connect a device to the WNDR4000 but there is no internet. I have the MAC address for the WNDR4000. Thanks in advance to the group. rick

    Thanks again. Here are more details.
    My Linksys router's IP is 192.168.1.1. No problem logging in to it.
    IP range is 192.168.1.100 - 192.168.1.149
    50 max connections
    No static DNS
    Netgear AP is 192.168.1.100 and it is static. (I can change the range per other reply to start at 101)
    NAT is enabled
    Dynamic routing not enabled
    No static routing
    VLan off
    Internet settings
    DHCP auto config
    Optional Name: bad
    MTU > Auto
    Mac Address Clone: not enabled
    Cable info:
    Linksys router - port 4 connected to my Airlink 101 1000M switch.
    Airlink 101 > plugged into port 15 x 10/100/1000Mbps Auto MDI/MDI-X Gigabit Ethernet port
    Netgear WNDR400 > plugged into Internet port
    When I try to connect to the Netgear using 192.3168.1.100 it cannot connect.
    Not Found > Web Server at airlink101.com
    I may need to connect the Netgear directly to my laptop and try to access its UI. As I mentioned it shows up in my Network on the Linksys. I was able to connect a laptop wirelessly to it but it has no internet. I hope this helps.
    thanks again
    rick

  • Access Point Switchport configuration for OOB NAC

    Hello.
    Here we have to implement Out of Band with WLC and NAC, I have already checked this guide:
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml
    But I have a little doubt. The document shown above does not specify which VLAN should be configured on the switch's access port facing access points. Should I configure this with trusted or untrusted VLAN? I know all traffic from wireless clients goes to the WLC through a CAPWAP tunnel, but I am not really sure on the Out of Band deployment which access VLAN should be for access points.
    Greetings.

    Just to add again to another one of Steve's posts :) You don't want to put the AP traffic through NAC, but only the traffic for the wireless clients which egress out of the WLC. So if your wireless clients are being placed in VLAN30 (just an example), you can have an untrusted layer 2 VLAN, VLAN29, which hits the NAC untrusted and, if remediation is good, is then placed in VLAN30. Makes sense?
    Thanks,
    Scott
    Help out other by using the rating system and marking answered questions as "Answered"

  • Installing a Linksys Access Point using a Mac

    I apologize for this topic being irrelevant to AirPort, but I am hoping someone can help...
    I am a University student and trying to help my friend who lives in a dorm. At school there is a high speed local network and internet connection (I'm guessing massive amounts of T1s or T3s)... Left behind by a previous roommate is a Linksys WAP54G v2.0 which is a wireless access point NOT a router...I am told that it used to work, but one day stopped...
    I have already reset the WAP (as they call it not to be confused with cell phone browsers)...now the name displays the default "linksys" title. I plug it in to the ethernet jack and "You are not connected to the internet" according to Safari...
    My question is... how do you access the settings for the WAP? On MY DSL modem and gateway, for example, I type in 192.168.0.1 and I have also set this up with Mac OS X for a gaming adapter, but I simply cannot figure out the IP address for this router and the Network Preferences to use when I plug the Linksys WAP into my computer. (I tried the default suggestion in my browser 192.168.1.245 but no luck, do I need to enter this in the Network panel of my System Prefs?)
    I do not have the original setup and install CD available, and if I did, we only use Mac OS X... so does anyone have any ideas? Also... is it even possible to use a "Wireless Access Point" as opposed to a Router on a University campus (High speed LAN connected to WAN)? I don't know how it works with the DHCP... I would like for 3 people to be able to use this access point simultaneously.
    Thank you for any help in advance!

    Linksys WAP54G v2.0 which is a wireless access point NOT a
    router...I am told that it used to work, but one day
    stopped...
    It may be dead so this may be futile...
    From the Linksys product page it doesn't seem to support web configuration and the only way is with their PC utility. That means if you don't have VirtualPC you will need a PC.
    I have already reset the WAP (as they call it not to
    be confused with cell phone browsers)...now the name
    displays the default "linksys" title. I plug it in to
    the ethernet jack and "You are not connected to the
    internet" according to Safari...
    The WAP will need to get an IP from the campus DHCP bridged to your laptop and they probably changed the system to not allow wireless bridges. Does the laptop work when plugged into the dorm jack with ethernet? Did you have to register the MAC address? Can you register the MAC address of the wireless card instead of the ethernet?
    is it even
    possible to use a "Wireless Access Point" as opposed
    to a Router on a University campus (High speed LAN
    connected to WAN)?
    It all depends on their policy. Have you asked them?
    I don't know how it works with the
    DHCP... I would like for 3 people to be able to use
    this access point simultaneously.
    Usually they allow one MAC address per Ethernet jack and keep control of it so you can't share it! Depending on their sophistication they may also detect rogue access points. If not you might be able to use a wireless router like an Airport Express. Ask them. There may be a hacker's way around but that answer won't be found here.

  • Access Point 1240 Support for BBSM5.3

    Hello,
    I have 3 ap 1240 for install with bbsm 5.3, but when I add the access-point to the bbsm , the bbsm does not recognise has a valid access-point.
    Does any one know in what version of bbsm is supported ap1240.
    Thanks

    Hello there,
    I have a customer who has a BBSM 5.3A which is running the latest patch (5332) and it cannot discover 1242 series AP's as valid network elements. They get the following:
    2009/01/07 12:01:53 Pinging X.X.X.X...
    2009/01/07 12:01:53 X.X.X.X is ACTIVE
    2009/01/07 12:02:18 X.X.X.X: not a Network Element or SNMP password is not ******
    2009/01/07 12:02:18
    2009/01/07 12:02:18 Pinging X.X.X.X...
    2009/01/07 12:02:23 X.X.X.X: no response
    2009/01/07 12:02:23
    2009/01/07 12:02:23 Pinging X.X.X.X...
    2009/01/07 12:02:23 X.X.X.X is ACTIVE
    2009/01/07 12:02:47 X.X.X.X: not a Network Element or SNMP password is not ******
    2009/01/07 12:02:47
    2009/01/07 12:02:47 Pinging X.X.X.X...
    2009/01/07 12:02:47 X.X.X.X is ACTIVE
    2009/01/07 12:03:12 X.X.X.X: not a Network Element or SNMP password is not ******
    2009/01/07 12:03:12
    2009/01/07 12:03:12 Pinging X.X.X.X...
    2009/01/07 12:03:12 X.X.X.X is ACTIVE
    2009/01/07 12:03:37 X.X.X.X: not a Network Element or SNMP password is not ******
    They have assured me that the SNMP info is correct as they have checked it several times but the BBSM still doesn't recognise the 1242's. I know that the document link above specifies that 1200's are supported but don't Cisco class the old 1200's, 1230's and 1242's as different? Also, the BBSM didn't recognise some of their 2960-24 switches as valid network elements either but they selected the object type themselves from the list.
    Thanks in advance.
    Leigh

  • Cannot determine MAC address of connected Access Point using Access Connections version 5

    I recently installed the newest version of Access Connections (version 5) and discovered I am unable to determine the MAC address of the connected access point. The 'Graphical' screen shows the SSID, IP address of client etc - but does not show the MAC address of the access point. The 'Details' screen shows the MAC address of the access points - but the radial button on the left does not indicate the currently associated access point.

    Is it the switch where the node is directly connected ?
    Is the NIC at node side, working fine ?
    Another fact to consider is, a mac will wipe itself out after the MAC-age timeout.
    Parvesh

  • Is Netgear WPN 802 wireless access point Mac compatible

    For two days I have been trying to configure my iMac G5 to the Netgear WPN 802 wireless router for internet access. I've had no success. I'm not really sure if I'm doing it correctly. Netgear tells me to plug the system via the ethernet cable supplied into the iMac, open a web browser and type in the given IP address. I've tried that and it keeps timing out (after 40secs). I am a beginner with networking but even a call to my internet provider proved fruitless as they couldn't give me any help.
    I tried to set it up manually through system preferences and network and created a new network. I activated airport and connect it to the netgear and this comes up "AirPort is connected to NETGEAR and has the IP address 10.xxx.x.xx" Does that mean I'm in? I try to access the internet and it says I'm not connected.
    Did I mention I'm a relative newbie?
    Any help or clarification would be greatly appreciated...

    If you've been messing with it, your best bet to start with is to restore the router to factory presets by pressing its reset button for at least 5 seconds.
    First off, how are you connecting to your ISP? Cable modem or DSL? If it's a cable service you may need to talk to your ISP to find out if there's anything you need to do. If it's DSL, you will need the log in details, again from your ISP.
    How are you connecting to the internet at the moment? Do you have a cable/DSL modem?
    From the manual I found online for your router it states that you need to configure the network settings on the computer for ethernet to have a static IP address of 192.168.0.210 and 255.255.255.0 as the Subnet Mask first.
    Open System Preferences/Network and select the Ethernet section on the left. In the 'Configure' dropdown on the right select 'Manually' and enter the IP address and subnet mask above into the relevant boxes. Put the router to 192.168.0.231. Click apply.
    Plug in the ethernet cable from the computer to the router and switch it on. Give it a minute and then fire up your web browser of choice.
    Enter http://192.168.0.231 into the address field and hit return.
    At the prompt enter 'admin' as the username and 'password' as the password.
    Hopefully you should now be connected to the router and can set up the settings for your system.
    First off, under the basic settings you need to enable the DHCP client which is off by default. Click the Enable button then 'Apply' at the bottom. You don't need to change anything else at the moment.
    If you now go to your computer and select the Airport section in System Preferences/Network go into the Advanced section, under the TCP/IP tab at the top, you should have 'Configure IPv4' set to 'Using DHCP'. This should be all you need to be able to connect from the computer wirelessly to the router.
    To set up the router to connect to the internet, you may need to enter the settings that your ISP will provide you with, and I can't help with that without knowing more about your connection.
    Hope this helps
