802.1X and per user vlan

Hi all,
I would like to know if I can assign one user to a VLAN with 802.1X in a wireless environment?
If yes, do I need a particular RADIUS server, or is this feature "basic" on IAS, ACS, Meetinghouse, Funk...?
Can I have a VLAN authentication policy (i.e. VLAN 2 no authentication, VLAN 3 EAP-MD5)?
Can I authenticate user1 on domain1 and user2 on domain2 on the same AP with a RADIUS IAS, ACS or other?
Thanks

I'll take a stab at some of this...
I have per-user VLANs set up on my 1220 APs and am using 2003 Server IAS for the RADIUS server. I also had it working on 2000 Server.
I have one VLAN with no authentication and others for my users that do authenticate. They are authenticating using MS PEAP and a UN/PW combo.
Here is a link on VLANs for the VxWorks series of APs
http://www.cisco.com/en/US/customer/products/hw/wireless/ps430/products_configuration_guide_chapter09186a00800e02cb.html
This one is for IOS (looks new I haven't read it yet..)
http://www.cisco.com/en/US/customer/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml
Finally another link -
http://www.cisco.com/en/US/customer/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
I am not sure about the different user/domain combos since I only have one domain here. There are also some good posts in this forum; do a search for per user vlan, etc.
Good Luck.
Don

Similar Messages

  • 802.1x NAC and per-user ACLs

    Can 802.1x NAC and per-user ACLs be used together on the same port? I know some of the NAC documentation says that 802.1x NAC does not support downloadable ACLs, but it looks like it might be outdated, and according to http://cisco.com/en/US/products/ps7077/products_configuration_guide_chapter09186a0080817284.html , it appears that there is nothing preventing this.
    Also, when will URL redirection to a remediation server be supported with 802.1x NAC?

    You just need to configure it differently on ACS. "Downloadable IP ACLs" used to be "Downloadable PIX ACLs" on ACS. It changed to "IP" when VPN concentrators started supporting this with ACLs too. You saw this with NAC, if I remember .. and EOU does it this way as well.
    802.1X with per-user ACLs was already shipping at the time though (has been for some time) and the mechanism is operationally the same .. just functionally different.
    With per-user ACLs, you'd configure a VSA like:
    ip:inacl#1=deny ip any host 10.1.8.3
    ip:inacl#2=permit ip any any
    The "downloadable IP ACL" config would look like:
    deny ip any host 10.1.8.3
    permit ip any any
    In the end, both techniques use the same VSA. This VSA is 026\009\001. In "per-user ACLs", there's no sort of handshake though to see if the ACL is already there, etc. It slaps the ACL on for you unconditionally as an authorization rule b/c you told it to (hence the "ip:inacl" stuff above). With "downloadable", there's a handshake before actually applying the ACL .. to see if there's an earlier copy of the ACL, and it'll only update what changed, etc.
    So, it really boils down to semantics. Both techniques work. AAA config is subtly different on the backend. Look for this to get consistently deployed soon, but in the meantime, it's still supported ;-).
    Hope this helps,

  • 802.1x and wired dynamic vlans on MAC addresses

    Hi All,
    I would like to setup our new offices with dynamic vlans determined by the MAC address of the device connecting. So I need a database of MAC addresses in groups for which vlan they will go in, with separate vlans for printers and servers and computers and BYOD. If this can work for wireless too then even better.
    I've done some reading but am really struggling to find the information I need.
    We have a Windows domain and brand new 3850 Cisco switches.
    Can anyone steer me in the right direction (or tell me how to do it!) please?
    Thanks for reading.

    Hi, 
    So you need to perform MAB authentication. As you mentioned, you will need to create a DB of MAC entries.
    In order to configure the Windows server (2003 or 2008?) to assign the dynamic VLAN you need to define the Remote Access Policies and create the custom attributes. For example:
    Tunnel-Medium-Type. Select a value appropriate to the previous selections you have made for the policy. For example, if the network policy you are configuring is a wireless policy, select Value: 802 (Includes all 802 media plus Ethernet canonical format).
    Tunnel-Pvt-Group-ID. Enter the integer that represents the VLAN number to which group members will be assigned. 
    Tunnel-Type. Select Virtual LANs (VLAN).
    You can find more information here:
    Configure a Network Policy for VLANs
    VLAN Attributes Used in Network Policy
    802.1X Authentication Services Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
    HTH.

  • ISE 1.2 & AD & Meraki - Per User Group Policy ?

    I am working on a PoC for a deployment in an MDU. We are using Meraki switches and access points. There are 250 units in the building, and each unit will have its own subnet. The goal is to have the tenant be able to connect to a common building SSID and be placed into their assigned VLAN. There will also be physical ports in each unit that will need to do the same. I am trying to figure out a way to use ISE to authorize on a per-user basis and not based on groups of users. On the Meraki system there are group policies that will assign the VLAN for the user as well as any type of layer 7 firewalling and bandwidth control. So there will be 250 group policies, one for each unit. There is a deployment guide that shows how to set up ISE for use with Meraki and it is great, but it assumes that there will be large groups like Employees, Contractors, etc. that will be used. This is where I'm being tripped up; also... this is my first swing at a NAC deployment so I have a lot to learn.
    1. Can I set up each user in Active Directory to have a tag that ISE can then forward on to Meraki for the group policy? Say it's unit 101 and I have a group policy called 101 in Meraki. Meraki documentation says to use the Airespace-ACL-Name attribute in ISE to indicate the group policy to use. This gives me the ability to place a group into that policy but not an individual. Or would this be better done by creating the users in ISE directly? Omit AD entirely?
    2. Each unit will have devices that will need MAB because they are not 802.1x compatible. I need to do the same as above with them. I would create a separate SSID for these devices and then use the MAC address to authenticate them, but will need to authorize them to go into a specific group policy.
    I know this isn't a typical ISE application but I think that this will work really well in the end, just need to iron out these details and get a test system functioning. Any help would be greatly appreciated!!!
    Thanks,
    Nathan

    Please find the Meraki_ISE integration doc. in attachment.
    When VLAN tagging is configured per user, multiple users can be associated to the same SSID, but their traffic is tagged with different VLAN IDs. This configuration is achieved by authenticating wireless devices or users against a customer-premise RADIUS server, which can return RADIUS attributes that convey the VLAN ID that should be assigned to a particular user’s traffic.
    In order to perform per-user VLAN tagging, a RADIUS server must be used with one of the following settings:
    MAC-based access control (no encryption)
    WPA2-Enterprise with 802.1x authentication
    A per-user VLAN tag can be applied in 3 different ways:
    The RADIUS server returns a Tunnel-Private-Group-ID attribute in the Access-Accept message, which specifies the VLAN ID that should be applied to the wireless user. This VLAN ID could override whatever may be configured in the MCC (which could be no VLAN tagging, or a per-SSID VLAN tag). To have this VLAN ID take effect, “RADIUS override” must be set to “RADIUS response can override VLAN tag” under the Configure tab on the Access Control page in the “VLAN setup” section.
    The RADIUS server returns a group policy attribute (e.g., Filter-ID) in the Access-Accept message. The group policy attribute specifies a group policy that should be applied to the wireless user, overriding the policy configured on the SSID itself. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user.
    On the Client Details page, a client can be manually assigned a group policy. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user. 
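    The replies above describe the same RADIUS mechanism from three angles: the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Pvt-Group-ID attributes that IAS/NPS returns to place a MAB or 802.1X client in a VLAN, the Tunnel-Private-Group-ID override Meraki honours, and the Cisco cisco-avpair VSA (026\009\001) that carries ip:inacl# per-user ACL entries. The following is an added example, not code from this thread or from Cisco, Meraki or Microsoft: it encodes those attributes into an Access-Accept attribute list, parses them back the way a NAS would, and refuses a VLAN that is not in an administrator-defined allowed set, so a mistyped policy cannot land a user in, say, the management VLAN. The attribute payload, the VLAN numbers and the allowed set are constructed here for illustration.

```python
"""Encode/decode the RADIUS attributes used for per-user VLAN assignment
(RFC 2868 tunnel attributes) and per-user ACLs (Cisco VSA 26/9/1).
Added example; the Access-Accept payload below is constructed, not captured."""
import struct

# RADIUS attribute numbers (RFC 2865 / RFC 2868) and Cisco VSA constants
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1

TUNNEL_TYPE_VLAN = 13      # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type value "802" (all 802 media)


def attr(atype, value):
    """One RADIUS attribute TLV: type (1 byte), total length (1 byte), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", atype, len(value) + 2) + value


def tagged_int(tag, n):
    """RFC 2868 tagged integer: tag byte followed by a 24-bit value."""
    return bytes([tag]) + struct.pack(">I", n)[1:]


def tagged_str(tag, s):
    """RFC 2868 tagged string: tag byte followed by the text."""
    return bytes([tag]) + s.encode()


def untag(value):
    """A leading byte of 0x00-0x1F is a tag; anything else is already data."""
    return value[1:] if value and value[0] <= 0x1F else value


def cisco_avpair(text):
    """Vendor-Specific (26): 4-byte vendor id, then vendor-type, vendor-length, text."""
    inner = struct.pack("BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack(">I", CISCO_VENDOR_ID) + inner)


def build_vlan_and_acl_accept(vlan_id, acl_lines, tag=1):
    """Attribute list for an Access-Accept assigning a VLAN and an ordered ACL."""
    payload = (attr(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
               + attr(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_802))
               + attr(TUNNEL_PRIVATE_GROUP_ID, tagged_str(tag, str(vlan_id))))
    for i, line in enumerate(acl_lines, start=1):
        payload += cisco_avpair(f"ip:inacl#{i}={line}")
    return payload


def parse_attributes(payload):
    """Walk the TLV list; returns [(type, value_bytes), ...] or raises on damage."""
    out, pos = [], 0
    while pos < len(payload):
        atype, alen = struct.unpack("BB", payload[pos:pos + 2])
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return out


def authorization_from_accept(payload, allowed_vlans):
    """Return (vlan_id, ordered ACL lines). The VLAN must be in allowed_vlans,
    a constructed policy guard so a bad RADIUS entry cannot pick any VLAN."""
    vlan, acl = None, {}
    for atype, value in parse_attributes(payload):
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            vlan = int(untag(value).decode())
        elif atype == VENDOR_SPECIFIC and struct.unpack(">I", value[:4])[0] == CISCO_VENDOR_ID:
            vtype, vlen = struct.unpack("BB", value[4:6])
            text = value[6:4 + vlen].decode()
            if vtype == CISCO_AVPAIR and text.startswith("ip:inacl#"):
                idx, entry = text[len("ip:inacl#"):].split("=", 1)
                acl[int(idx)] = entry
    if vlan is not None and vlan not in allowed_vlans:
        raise ValueError(f"RADIUS returned VLAN {vlan}, not in the permitted set")
    return vlan, [acl[k] for k in sorted(acl)]


if __name__ == "__main__":
    # Constructed sample: user goes to VLAN 20 with the two-line ACL from the thread.
    accept = build_vlan_and_acl_accept(20, ["deny ip any host 10.1.8.3", "permit ip any any"])
    print(authorization_from_accept(accept, allowed_vlans={10, 20, 30}))
```

    The tag byte is what makes the three tunnel attributes belong together; NPS sends them tagged, and a NAS that ignores the tag still reads the VLAN correctly because untag() only strips values below 0x20. The allowed-VLAN check is the defender's addition here: the thread shows that the RADIUS response can override whatever VLAN the AP or SSID is configured for, so the set of VLANs a policy may hand out deserves an explicit whitelist on the side that applies it.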

  • Mix to use Per user & Per device CALs ??

    Hi,
    I have built 2 RDS servers and formed an NLB cluster.
    Is it possible to mix Per User and Per Device CALs under this environment? How do I make it work?
    Thanks

    Hi,
    Please see this similar thread which covers how to set it up and how to do tracking of licenses
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/2ce9f814-822c-436b-bd12-80e1ec74c27b/combine-both-per-device-and-per-user-rds-cals-on-the-same-remote-desktop-session-host?forum=winserverTS
    Kind regards,
    Freek Berson

  • 802.1X and automatic vlan assignment

    Hello,
    I'm testing an 802.1X infrastructure:
    Switch: tried with Netgear Prosafe GS728TPS and Cisco SF300
    RADIUS server: Microsoft NPS
    DHCP relay for address assignment by VLAN
    I have created some policies with simple authentication for testing (MSCHAP V2) and VLAN assignment or not (depending on Active Directory group).
    All works fine on Windows 7 Pro. User 1 is authenticated without a VLAN and user 2 is authenticated with a VLAN.
    DHCP works fine and the 2 users get an IP.
    When I try on Mac OS X (ver. 10.7.2 and ver. 10.9.2), user 1 (without VLAN) works fine. I get an IP and access to the LAN. But user 2 (with VLAN) doesn't work. The Mac doesn't get an IP and I'm not on the VLAN. If I set an IP of the VLAN manually, I have no access to the VLAN.
    Are there any specific parameters to add to enable VLANs on Mac OS X?
    Thanks for reply
    Ben

    Edit : It's for wired connections

  • Potential Security Hole with 802.1x and Voice VLANs?

    I have been looking at 802.1x and Voice VLANs and I can see what I think is a bit of a security hole.
    Suppose a user has no authentication details to gain access via 802.1x - i.e. they have not been given a User ID or the PC doesn't have a certificate etc. If they attach a PC to a switchport that is configured with a Voice VLAN (or disconnect an IP Phone and plug the PC directly into the switchport), they can easily see via packet sniffing the CDP packets that will contain the Voice VLAN ID. They can then easily create a tagged virtual NIC (via the NIC utilities or driver etc.) with the Voice VLAN 802.1q tag. Assuming DHCP is enabled for the Voice VLAN, they will get assigned an IP address and have access to the IP network. I appreciate the VLAN can be locked down at the Layer-3 level with ACLs so any 'non-voice related' traffic is blocked, but in this scenario the user has successfully bypassed 802.1x authentication and gained access to the network?
    Has anyone done any research into this potential security hole?
    Thanks
    Andy

    Thanks for the reply. To be honest we would normally deploy some or all of the measures you list, but these don't get around the issue of being able to easily bypass having to authenticate via 802.1x.
    As I said, I think this is a hole but I don't see any solutions at the moment except 802.1x on the IP Phone, although at the moment you can't do this with Voice VLANs?
    Andy

  • Amount of Resources CPU and Memory per user

    Hi,
    We are looking to deploy a Line of Business application via RemoteApp and a custom template. The application requires a significant amount of RAM and CPU; can someone tell me how much RAM and how many CPUs are allocated per session / user? I would expect that we would use the Standard tier if there is any difference in the resources available.
    Thanks
    Giles

    Hi James,
    Currently there is no way to configure resources other than selecting either Basic or Standard. If you would like a lower per-VM user density (and thus higher resources for each user) what you can do is create more collections, and only assign a small number of users to each.
    For example, say you only wanted to have a maximum of 4 users on each VM, providing typically at least 1 vCPU per user. In this case you would create collections with the Basic plan, each linked to the same template image, and only assign a maximum of 4 user accounts on the user access tab of each. Assuming each user uses 80+ hours a month, the total (before discounts) cost for each collection would be $228/month, making each user cost about $57/month, slightly less than the equivalent cost under Standard plan pricing if you factor in resources per user.
    You probably already know this, but I will explain how scaling works normally for others that may read this. Azure RemoteApp will automatically create more VMs for each collection as needed to handle user load (Scale-Out) and shut down VMs when the user load is reduced (Scale-In). The key thing that affects this scaling mechanism is the maximum concurrent users allowed on each VM, which for Standard is 10.
    In your case you are asking if you can have more resources per user, hence my instructions above for creating multiple collections and limiting the number of assigned users to less than 10 each.
    Depending on your unique needs it may make more sense to create a custom RDS deployment on Azure IaaS VMs. In this case you could control the size/type of VM used, user density, etc. The downside is you have to set up and manage more RDS components than you do if you use Azure RemoteApp.
    -TP

  • 802.1x Wireless - Enforce user AND machine authentication

    I am using ACS v5.6 and I'd like to confirm that it is not possible to enforce both user and machine authentication against AD before allowing wireless access to Windows 7 clients, using PEAP/MSCHAPv2 and the built-in 802.1x supplicant.
    The only workaround seems to involve MAR (Machine Access Restrictions), which has pretty significant drawbacks.
    I'd rather not have to deploy user and machine certificates.
    All I want to do is allow access to the wireless network only if the device and the user are in AD.
    It's such a simple scenario that I must be missing something.
    Any suggestions are welcome. Thanks in advance for your comments.
    Lucas

    In my opinion, the only solution that works is using NAM and EAP-Chaining with ISE as the RADIUS backend. The last time I looked in the ACS release notes was 5.4, and it didn't have EAP-Chaining support.
    Using the built-in Windows supplicant will only authenticate user or machine at any time, not both. As you discovered, the feature called MAR used to be what was being recommended (mostly because nothing else existed). What most people miss when they say this will work fine with the Windows supplicant and ACS is the fact that you cannot be sure that when the user authenticates, he is doing it from an authenticated machine; this is mainly due to the shortcomings of MAR. You should consider migrating to ISE if you are not using any TACACS features on ACS.

  • 802.1x and Voice VLAN

    I had read articles on CCO, and I believed that for the same switch port we can have 802.1x configured and the voice VLAN configured. It means the IP phone is connected to the switch port with 802.1x configured, but the phone will not authenticate; only the workstation connected to the phone data port will get authenticated.
    I had configured 802.1x and tested with a notebook logon and was able to access the network. Now I would like to test the notebook attached to the IP phone data port, and the phone connected to a switch port configured with 802.1x. But I failed to add the voice vlan command. Why?
    interface GigabitEthernet9/48
    description temporary port
    switchport
    switchport access vlan 12
    switchport mode access
    no ip address
    dot1x port-control auto
    spanning-tree portfast
    CIG01-ENT-SW1(config-if)#switchport voice vlan 14
    Command rejected: Gi9/48 is Dot1x enabled port.

    Using IEEE 802.1x Authentication with Voice VLAN Ports
    A voice VLAN port is a special access port associated with two VLAN identifiers:
    - VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.
    - PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone. The PVID is the native VLAN of the port.
    In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode, additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the VVID.
    A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several Cisco IP phones are connected in series, the switch recognizes only the one directly connected to it. When IEEE 802.1x authentication is enabled on a voice VLAN port, the switch drops packets from unrecognized Cisco IP phones more than one hop away.
    When IEEE 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
    What kind of switch do you have? On a 3550 I can configure the port for both VVID and PVID:
    interface FastEthernet0/1
    switchport access vlan 3
    switchport mode access
    switchport voice vlan 2
    no ip address
    dot1x port-control auto
    spanning-tree portfast
    end
    Nevertheless, as the statement above indicates, the port will need to be configured for multi-host in order for the PC behind the phone to get authentication:
    under the interface configure "dot1x host-mode multi-host"
    Never mind, I just realized that you might have a 5600 running native; checking the configuration guide and release notes, it does not look like dot1x and voice VLAN can play together on that platform.
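    The reply above quotes two constraints that are easy to lose in a large running-config: on an 802.1x-enabled voice VLAN port the access (PVID) VLAN cannot equal the voice (VVID) VLAN, and the PC behind the phone only authenticates when the port is in multi-host mode. The following is an added example, not code from this thread or from Cisco: a small Python audit that parses IOS-style interface stanzas and reports ports that combine dot1x with a voice VLAN but violate either point. The sample configuration is constructed from the snippets posted in the thread, with two extra interfaces added to exercise both checks.

```python
"""Audit IOS-style interface stanzas for 802.1x + voice VLAN consistency.
Added example; the configuration text below is constructed for illustration."""
import re

# Constructed sample: Fa0/1 and Gi9/48 are adapted from the thread; Fa0/2 and
# Fa0/3 are added to show a failing and a passing port respectively.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 3
 switchport mode access
 switchport voice vlan 2
 no ip address
 dot1x port-control auto
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 2
 dot1x port-control auto
!
interface FastEthernet0/3
 switchport access vlan 3
 switchport voice vlan 2
 dot1x port-control auto
 dot1x host-mode multi-host
!
interface GigabitEthernet9/48
 description temporary port
 switchport access vlan 12
 switchport mode access
 dot1x port-control auto
"""

VOICE_VLAN_RE = re.compile(r"^switchport voice vlan (\d+)$")
ACCESS_VLAN_RE = re.compile(r"^switchport access vlan (\d+)$")


def parse_interfaces(config_text):
    """Return {interface name: [command lines]} for every interface stanza."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!" or not line:
            current = None            # stanza terminator
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def first_vlan(lines, pattern):
    """Numeric VLAN from the first line matching pattern, else None."""
    for line in lines:
        m = pattern.match(line)
        if m:
            return int(m.group(1))
    return None


def audit_voice_dot1x(config_text):
    """List (interface, finding) for ports that run dot1x with a voice VLAN
    and either reuse the VVID as PVID or lack multi-host mode."""
    findings = []
    for name, lines in parse_interfaces(config_text).items():
        has_dot1x = any(l == "dot1x port-control auto" for l in lines)
        voice = first_vlan(lines, VOICE_VLAN_RE)
        if not (has_dot1x and voice is not None):
            continue                  # not a dot1x voice VLAN port; nothing to check
        if first_vlan(lines, ACCESS_VLAN_RE) == voice:
            findings.append((name, "access VLAN equals voice VLAN; IOS rejects this on a dot1x port"))
        if not any(l.startswith("dot1x host-mode multi-host") for l in lines):
            findings.append((name, "no 'dot1x host-mode multi-host'; the PC behind the phone cannot authenticate"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit_voice_dot1x(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

    Run against the constructed config, FastEthernet0/1 is reported only for the missing host-mode line, FastEthernet0/2 for both problems, FastEthernet0/3 passes, and GigabitEthernet9/48 is skipped because it has no voice VLAN yet (the thread's case where the voice vlan command was rejected). The regexes deliberately match only numeric VLAN ids, so a port using voice vlan dot1p or none is left alone rather than mis-parsed.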

  • [Forum FAQ] Troubleshoot the error "The Remote Desktop Session Host server is in Per User licensing mode and No Redirector Mode"

    Symptom
    The RD License server is a key component of RDS. It licenses users to access RDS servers.
    After purchasing the required RDS CALs, we need to activate the RDS License server and install the purchased RDS CALs. However, during the installation or after installation, we may face errors about RDS licensing.
    In most cases, the following error may occur.
    Error:
    The Remote Desktop Session Host server is in Per User licensing mode and No Redirector Mode, but license server "Server name" does not have any installed licenses with the following
    attributes:
    Product version: Windows Server 2012
    Licensing mode: Per User
    License type: RDS CALs
    Troubleshooting
    1. Check whether the RD License Configuration is configured properly and there are no Warnings in the Event.
    2. The License Server should be part of 'RD Server License' group in Active Directory Domain Services.
    3. Check if the Licensing Mode is correct.
    - To change the Licensing Mode we can use RD Licensing diagnose, PowerShell cmdlet and Group Policy.
    Via PowerShell cmdlet:
    To change the licensing mode on RDSH/RDVH:
    $obj = Get-WmiObject -Namespace "Root/CIMV2/TerminalServices" -Class Win32_TerminalServiceSetting
    $obj.ChangeMode(4)
    # The argument selects the mode: 2 = Per Device, 4 = Per User
    Via Group Policy
    Path: Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Licensing
    Use the specified RD license servers = FQDN of server name
    Set the Remote Desktop licensing mode =
    Per User
    However, if the issue persists, please provide detailed information and post the question in the Remote Desktop Services (Terminal Services) forum.

    Hi Richard,
    You need to uninstall the Remote Desktop Session Host feature. After removing it, you will get the default two connections, which do not require purchasing RDS CALs.
    Thanks,
    Umesh.S.K

  • Define Output type and Local destination per user

    Hi Gurus,
    Nowadays we have defined Output type by Sales Organization/Order Type (S_TCODE = VV11).
    Is it possible to define Output type and Local destination per user? How is it done?
    thanks and best regards,
    Wilson

    Hi Wilson
    As per my understanding of the requirement: you want output type and Local destination for each SAP end user (i.e. who is processing the sales order), not the customer. If this is the requirement, we have two solutions for it:
    1) If for a particular region/sales district customers are contacting one particular destination, then create an access sequence with output type/order type/sales district. This means one Local destination for one sales district. If the sales district is a big area and you have many local destinations within it, then you can divide it into regions.
    2) Ask your ABAPer to create a Z table and maintain the Local destination for all users. Then amend the print program such that, before saving the output entry into the NAST table, it fetches the printer (local destination) from the Z table based on SY-UNAME (user's id) and updates the NAST table accordingly.
    As per my observations, option 2 is simpler and more effective.
    Try and revert.

  • When to set iwtUser-role and other per user schema using custom authentication?

    I have written my own authentication module and would like to set per user schema on login. Can I write iwtUser-role, iwtCalendarProvider-calendarUserPassword, etc from the authentication class?

    Yes you can. After the authentication is complete you get the profile object and then set whatever value you want for the particular attributes you want to set.

  • How can i save job settings in Capture Perfect per computer and not only per user?

    Hi
    I have a production computer with Capture Perfect 3.0.
    Is there a version where the job settings are saved per computer and not per user?
    This is a problem when I am creating scanner jobs that everybody on the computer should be able to use.
    TJ

    I'm having the same problem and I use the built-in camera app. I have an iPhone 4 and my friend uses an iPhone 4s, and his saves as JPEG. Mine saves as PNG. How can I get mine to save as JPEG?

  • Users VLAN and Management VLAN

    Is it possible to separate two VLANs:
    one running as the users VLAN that connects to the clients,
    one for management purposes.
    Is there sample code available for access points, bridges, and switches?
    I would really appreciate that.

    Hi,
    You can configure VLANs on enterprise access points.
    What you need to do is configure the access point with its management IP address, set this as the native VLAN and then add the other VLAN or VLANs.
    Then on the switch that the access point is connected to you need to configure a trunk port and make sure that the native VLAN is the same VLAN you set as native on the access point.
    As an example, if the access point has an IP address in management VLAN 20, we set this VLAN as native and then we add the other VLAN or VLANs, and on the switch you configure the port as a trunk port with the same native VLAN 20.
    Note, native VLAN is the same as untagged VLAN. When we configure a trunk port, this will tag all VLANs except the native VLAN or untagged VLAN, which needs to be the same between directly connected devices.
