802.1x Authentication using Cisco Phone LSC and IAS 2003

I'm trying to authenticate Cisco 7975 phones using the LSC and Microsoft IAS 2003.
The CA was generated from the IAS server (Domain Controller) and was imported and used to generate the LSC that have now been deployed to the phones.
Does anyone know how to configure the IAS server to authenticate the phones?

Hi Saad,
Check this link to get info about EAP types:
http://www.networkworld.com/article/2223672/access-control/which-eap-types-do-you-need-for-which-identity-projects.html
I would prefer to use EAP-TLS because of the security. In this type you need a certificate on both sides (client and server); also you can add AD to authenticate the user.
Regards
Don't forget to rate helpful posts

Similar Messages

  • Cisco Phone Control and Presence 8.6.1.1185 with IBM Lotus Notes 8.5.2 (Integrated Sametime Client 8.0.2) - No presence status visible

    Hi community,
    I am trying to integrate Cisco Unified Presence 8.6.1.10000-34 with IBM Lotus Notes 8.5.2 with the integrated Sametime Client version 8.0.2 via the Cisco Plugins 8.6.1.1185.
    Phone control is working fine, whereas the presence status is not shown (= no handset symbol next to the Sametime user). When I look in the preferences of the plugin, I can see that the plugin has connected successfully to the CUCM (8.6.2.20000-2), whereas the connection to the CUPS has not been established.
    The user id as well as the password are all the same on all systems. Here is a description of what I have configured via the ciscocfg.exe tool:
    Feature Control:
    - Enable Phone Status -> checked
    - Enable Dial Using Cisco IP Communicator -> unchecked (not required)
    - Enable Control Desk Phone -> checked
    - Default Mode -> Control Desk Phone
    Control Desk Phone Settings:
    - Voicemail Pilot Number -> left blank (no voicemail)
    - Cisco Unified Communications Manager
         - Servers -> IP address of CUCM
         - Read Only -> unchecked
         - Use as Default CUCM -> checked
         - Synchronize Credentials -> checked
              - Use Sametime Credentials -> checked
    Use Secure Connection: -> not required
    LDAP Phone Attributes: -> not required
    Phone Status Settings:
    - Cisco Unified Presence Servers -> IP address of CUPS
    - Read Only -> unchecked
    - Synchronize Credentials -> checked
         - Use Sametime Credentials -> checked
    - Sametime User ID Mapping
         - Use Business Card Attribute -> MailAddress
         - Remove Domain -> checked
    - Display Off-Hook Status Only -> unchecked
    At the moment I don't see an error in the configuration, but maybe I am wrong. Could anyone please tell me what the error could be?
    Thanks a lot in advance!
    Kind regards,
    Igor

    Hi all,
    here are some additions to my above post:
    Servers and clients used:
    1x CUCM 8.6.2.20000-2
    1x CUPS 8.6.1.10000-34
    1x IBM Lotus Domino Messaging Express Server 8.5.2
    1x Sametime Entry Server 8.5.2 (on top of the Domino server)
    2x IBM Lotus Notes 8.5.2 with integrated Sametime 8.0.2
    2x Cisco Phone Control and Presence with Lotus Sametime (PCAP) 8.6.1.1185
    2x Cisco Unified Personal Communicator 8.5.5.19839
    Setup:
    - CUCM, CUPS and CUPC are working fine, i.e. Desk Phone control via CUPC, as well as availability and presence status are working without issues
    - IBM Lotus Domino server is the LDAP Directory, the Sametime Entry Server is installed on top of the Domino server and uses the Domino Directory
    - User ID and password on CUCM/CUPS match the ShortName field and password in Domino
    - The PCAP plug-in has been manually deployed to both Notes clients with the following configuration:
         - Enable Phone Status -> active
         - Desk Phone Control -> active
         - no credential synchronization for CUCM and CUPS, i.e. every user must fill the user details himself
         - Sametime User ID Mapping is implemented via the LDAP Attribute uid (which is equal to the user id in CUCM)
         - LDAP configuration filled in with details of the Domino server
    Phone Control is working fine, and the connection to the LDAP server (Domino) is fine as well. However, when I type in the credentials for the CUPS server login, I can see (in the Troubleshooting pane) that the user (pparker) is connected to the CUPS server for a short period of time and then gets disconnected. After that no connection is possible to the CUPS server, i.e. the status is always disconnected.
    I have collected the Tomcat (EPASSoap00010.log and security00010.log) logs via RTMT and compared them to the logs from the PCAP plugin. The relevant time period is from 15:14 to 15:17. In the Tomcat logs I can see that the authentication is successful (see attached files), however in the log of PCAP plugin I can see the following messages:
    2012/02/03 15:14:35.281 WARNUNG Credential is rejected. Nothing to retry ::class.method=com.cisco.sametime.phonestatus.cup.CUPPresenceWatcher.answerChallenge() ::thread=CT_CALLBACK.1 ::loggername=com.cisco.sametime.phonestatus.cup
    2012/02/03 15:14:35.281 WARNUNG #### Connection rejected presence server ::class.method=com.cisco.sametime.phonestatus.cup.CUPPresenceWatcher.onPresenceServerConnectionRejected() ::thread=CT_CALLBACK.1 ::loggername=com.cisco.sametime.phonestatus.cup
    2012/02/03 15:14:35.281 WARNUNG Credential is rejected. Nothing to retry ::class.method=com.cisco.sametime.phonestatus.cup.CUPPresenceWatcher.answerChallenge() ::thread=CT_CALLBACK.2 ::loggername=com.cisco.sametime.phonestatus.cup
    2012/02/03 15:14:35.281 WARNUNG #### Connection rejected presence server ::class.method=com.cisco.sametime.phonestatus.cup.CUPPresenceWatcher.onPresenceServerConnectionRejected() ::thread=CT_CALLBACK.2 ::loggername=com.cisco.sametime.phonestatus.cup
    I don't understand why the connection is rejected although the Sametime Internal ID and CUPS User ID match. Does anyone know what the issue could be?
    All posts are very much appreciated!
    Thanks a lot in advance!
    Kind regards,
    Igor

  • I tried to install the new iOS 7 on my iPhone 4, but it wasn't completed (showing error 4005). Now, my iPhone is stuck on the iTunes logo with the USB cord, and I can't use my phone. And iTunes doesn't detect my iPhone when I connect it to my computer.

    Hi everyone! I tried to install the new iOS 7 on my iPhone 4, but it wasn't completed (showing error 4005). Now, my iPhone is stuck on the iTunes logo with the USB cord, and I can't use my phone. And iTunes doesn't detect my iPhone when I connect it to my computer, so I can't put it in recovery mode or something like that... What can I do?? I tried everything they tell me to do in the Apple support but nothing seems to work. Thank you!

    No problem, glad to help!
    Update: my PC USB hub was connected to a USB 3 port. I connected the 30-pin cable directly to my PC, and the restore worked just fine. Restored the phone from an iCloud backup and it seems to be working fine.

  • I am using an iPhone 3GS and just upgraded it to iOS 6 and it is not reading my SIM. Please help!!!!

    I am using an iPhone 3GS and just upgraded it to iOS 6 and it is not reading my SIM. Please help!!!!

    Maybe it's because your iPhone was jailbroken or hacked?

  • TS4268 My phone uses my email for iMessage but not my phone number, how do I get that to use my phone number and not my email?

    I can't figure out how to use my phone number and not my email for iMessage

    Settings>messages>Send & Receive> Start New Conversations From and select your phone number.

  • Using an iPhone 4s and trying to sync on a Mac with iTunes

    Using an iPhone 4s and trying to sync on a Mac with iTunes

    Yes, it will keep the music.
    Close all open apps or programs. Open iTunes, look for Check for Updates in the menu and click on that. Then follow the prompts.
    When the update is done, open iTunes and in the menu look for Show Sidebar and click on that, then connect your iPhone to iTunes, click on your phone's name in the Sidebar, review all the tabs to make sure your sync options are what you want them to be (music, movies, photos, books, etc.) and after that click Sync or Apply and wait for the sync to finish.

  • I am using an iPhone 5 and I am unable to catch the 3G signal on my phone, but at the same time my colleague using another iPhone 5 can easily catch the 3G signal. We are using SIMs of the same operator. If I go out of my office I can catch 3G coverage easily.

    I am using an iPhone 5 and I am unable to catch the 3G signal on my phone, but at the same time my colleague using another iPhone 5 can easily catch the 3G signal. We are using SIMs of the same operator. If I go out of my office I can catch 3G coverage easily. I am tired of surfing on the EDGE network. I have tried many tricks, from changing the mode to airplane mode and then back to normal mode.

    Hey Suvit Sharma,
    I would go through the troubleshooting suggestions in this article:
    iPhone: Troubleshooting a cellular data connection
    http://support.apple.com/kb/TS3780
    You're already on the right track with toggling airplane mode, but there are several other steps you can take to resolve the issue.
    Best,
    Delgadoh

  • HT1296 I am using an iPhone 5S and a MacBook Air. I am unable to sync contacts. Can you help me?

    I am using an iPhone 5S and a MacBook Air. I am unable to sync contacts. Can you help me?

    Since the release of Mavericks, syncing contacts with a Mac using iTunes is no longer supported. The currently supported method is to use iCloud. http://www.apple.com/icloud/setup/

  • I paid for a used iPhone 5 and need a new account but I don't have a Visa?? How can I make a new one??

    I paid for a used iPhone 5 and need a new account but I don't have a Visa?? How can I make a new one??

    Select None for payment method.
    Instructions here > iTunes Store: Changing account information

  • Using Cisco WCS with Microsoft IAS

    Hi.
    I have two 5508s and WCS 7.0.172. I want to use Active Directory user credentials to log in to the WCS. I have configured the NPS role on a server with Windows 2008 R2.
    I have read this http://zmq503o1.wordpress.com/2008/01/06/using-cisco-wcs-with-microsoft-ias/ and done the same.
    I don't agree with "on the "Encryption" tab and clear all the checkboxes except "No encryption"" - it wants an encrypted connection, but this didn't work until I permitted "Reversible encryption" in the user's properties in AD. This is not what I want. Would I need to generate an SSL cert for the WCS as written here? http://www.cisco.com/en/US/docs/wireless/wcs/7.0MR1/configuration/guide/hard.html#wp1042471
    Or do something else? Thx

    Camera is only supported for use with CUVA. Any other application attempting to utilize the camera is not tested and is not supported.

  • How can i deploy macbooks and 802.1x authentication using PEAP/MSChap version 2

    How can I deploy MacBooks with 802.1x authentication for wireless connectivity using PEAP/MSChap version 2? The cert is generated by a Windows 2008 CA. I am trying to get them to join, but the Mac doesn't seem to want to accept the cert. Can I not validate the cert and still have it join the 802.1x wireless network? The wireless network is using a Cisco 5508 wireless controller and Cisco 1142 access points. All works fine with Windows devices.

    Hi Tarik,
    Thanks for your answers,
    I've attached my configured AuthZ rules and AuthZ profile for provisioning,
    I want the process to be the same for iPhone, Android and Windows.
    1) Connect to the SSID
    2) Login using your AD credentials PEAP-MS-CHAP-v2
    3) Redirect to device registration portal (So I can set a limit of 3 devices per employee)
    4) As soon as the client clicks "register", no more redirects and PERMIT-ALL
    I think that I don't need to rely on profiling because In terms of AuthZ policies it should be something like this:
    1) if WIRELESS802.1x and PEAP-MS-CHAPV2 and BYODREGISTRATION=!YES(Unknown or not reg) then "Redirect to device registration(that is NSP right?)"
    2) if WIRELESS802.1x and PEAP-MS-CHAPV2 then PERMIT-ALL(no redirection)
    3) everything else = DENY-ALL
    But the NSP looks for Client Provisioning policies, so if I don't configure any policy it should Allow Network Access (see attachment photo3.png), but as I said in the post it shows that it cannot retrieve the MAC address, so the client can't register his device and doesn't have access to the network. (To grant access I've configured provisioning policies; that way the clients can register their devices, but they are redirected to Google Play or are forced to install the profile on iOS, and this is what I don't want because it is not necessary.)
    What screenshot do you need after the registration? The Auth report?
    Thank you very much for your time!

  • ACS for 802.1x Authentication using RSA Tokens and Microsoft PEAP

    Has anyone been able to configure 802.1x authentication on Windows XP machines using RSA tokens using Cisco ACS as the RADIUS server?
    I have come up with a bunch of incompatibilities between the offered support, e.g.
    1. Microsoft PEAP does not support anything but smartcard/certificate or MSCHAP2.
    2. Cisco supports PEAP and inside it MSCHAP2 or EAP-GTC.
    We tried using the RSA-provided EAP client with both the EAP security and EAP-OTP options within Microsoft PEAP, but ACS rejects that as "EAP type not configured".
    I know it works with third party EAP software like Juniper Odyssey client and the Cisco Aegis Client but we need to make it work with the native Windows XP EAP client.

    Hi,
    We have tried to do the exact same setup as you and we also failed.
    When we tried to authenticate the user with PEAP-MSCHAPv2 (WinXP native) ACS gives "external DB password invalid", and does not even try (!) to send the login to the RSA server. No traffic is seen between RSA and ACS.
    MS-PEAP relies on hashing the password with MS-CHAPv2 encoding. This is not reversible. RSA, on the other hand, does not require hashing of the password due to the one time nature of it. So they (RSA) don't.
    When we authenticate using e.g. a 3rd party Dell-client, we can successfully authenticate using either PEAP-GTC (Cisco peap), EAP-FAST and EAP-FAST-GTC.
    A list of EAP protocols supported by the RSA is attached.
    Also below is the link which says MS-PEAP is NOT supported with the RSA; please check the table "EAP Authentication Protocol and User Database Compatibility".
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/o.htm#wp792699
    What we are trying to do now in the project is leaving the AP authentication open and trying to authenticate using RADIUS through a firewall or a Cisco router authentication proxy.

  • 802.1x MDA with Cisco 3750, ACS and Avaya phones

    Hello,
    What is the minimum software level on the C3750 to support the 'device type class=voice' AV-pair returned by ACS? I found 12.2(35) introduced MDA, but also I found 12.2(40) required for dynamic voice VLAN on MDA ports.
    What I observe is:
    - phone connects
    - phone is dot1x authenticated in data VLAN and gets its DHCP address there
    - DHCP advertises (option 242) the voice vlan id
    - phone reauthenticates in voice vlan
    - phone reacquires a new DHCP address, now in voice VLAN
    so far so good ... and we start using the phone
    - pc behind phone starts and enters credentials
    - pc authenticates ok (in data vlan)
    but the 3750 shuts the port down per security violation ("new mac-address found").
    The MAC address of the phone stays in the data VLAN's MAC table, despite the phone having moved correctly to the voice VLAN. This MAC address excludes the 'new' PC MAC address, causing a shutdown of the port.
    NB: setting "port-security max mac-addresses" to, say, 5 does not change this behavior at all.
    Can anybody give some hints?
    Tx.

    Searching further, I found that the 12.2(40) requirement for dynamic voice VLAN on MDA ports only applies to dynamically provisioning the voice VLAN ID by RADIUS, applying the (65) tunnel (medium) type and (81) tunnel private group ID attributes. So, obviously, MDA support with 'static' voice VLAN assignment by switchport configuration *should work* with our 12.2(35).
    So, the question remains: why does the data VLAN keep an entry with the phone's MAC address in its MAC table?
    Tx.

  • Catalyst Express 500 802.1q with non-Cisco Phones

    This weekend we spent hours trying to get 802.1q tagging to work on a VLAN with ShoreTel phones. The user interface on this switch seems to only allow "Cisco-Voice" VLAN, without any specifics. This didn't work. The specs on this switch say that the .1q is supported, but we couldn't figure it out. The more expensive switches were easier to configure for Voip QoS.
    Can anyone advise me on the tricks to getting this to work with the lower end Catalyst Express 500? Or does this switch only support 802.1q with Cisco phones?

    Cisco IP Phones use CDP to let the IP phone know what VLAN it's supposed to be in (via voice-vlan). ShoreTel would definitely not use CDP since CDP is Cisco proprietary, so its voice VLAN must be defined on it; I remember Avaya being the same way. So, having said that, just make sure that the ShoreTel IP phones are in the right VLAN. What does not work anyway? The ShoreTel IP phone will not come up? Will not get its configuration from its software PBX? Use the smartport configuration on the CE500.
    Please rate all posts.

  • How to find which authentication used to site collection and site using powershell

    Hi,
    How to find how many web apps, site collections and sites use Windows authentication, claims authentication, classic authentication, secure store authentication or ADFS authentication, using PowerShell code in SharePoint 2013?
    If sites use ADFS authentication, how to find which email ID is used for that?
    Thanks,

    Authentication is only defined at the Web Application level, and the only valid auth methods are Classic (Windows (Basic/NTLM/Kerberos)), Claims (Windows (Basic/NTLM/Kerberos)), FBA Claims, SAML Claims (ADFS), and Anonymous.
    You can find out what authentication scheme(s) are enabled via:
    $wa = Get-SPWebApplication http://webApp1
    $wa.IisSettings["Default"] #replace with the zone name you're interested in
    The output will look similar to this:
    PS C:\Users\trevor> $wa.IisSettings["Default"]
    AuthenticationMode : Forms
    MembershipProvider : i
    RoleManager : c
    AllowAnonymous : False
    EnableClientIntegration : True
    ServerBindings : {Microsoft.SharePoint.Administration.SPServerBinding}
    SecureBindings : {}
    UseWindowsIntegratedAuthentication : True
    UseBasicAuthentication : False
    DisableKerberos : True
    ServerComment : SharePoint
    Path : C:\inetpub\wwwroot\wss\VirtualDirectories\spwebapp180
    PreferredInstanceId : 42768054
    UseClaimsAuthentication : True
    ClaimsAuthenticationRedirectionUrl :
    UseFormsClaimsAuthenticationProvider : False
    FormsClaimsAuthenticationProvider :
    UseTrustedClaimsAuthenticationProvider : False
    UseWindowsClaimsAuthenticationProvider : True
    OnlyUseWindowsClaimsAuthenticationProvider : True
    WindowsClaimsAuthenticationProvider : Microsoft.SharePoint.Administration.SPWindowsAuthenticationProvider
    ClaimsAuthenticationProviders : {Windows Authentication}
    ClaimsProviders : {}
    ClientObjectModelRequiresUseRemoteAPIsPermission : True
    UpgradedPersistedProperties : {}
    So on this Web Application in the Default Zone you can tell I have Windows Claims enabled, not using Kerberos (so using NTLM), and Trusted (SAML/ADFS) is not enabled, neither is Forms or Anonymous.
    Trevor Seward
    Follow or contact me at...
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
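    The answer above reads the IisSettings flags for one zone of one web application by hand. The following is an added example, not Trevor's code, that applies the same reading to every web application and zone in the farm and counts the site collections under each, which is what the original question asked for; it assumes it runs in the SharePoint Management Shell on a farm server, and it uses the same flag names shown in the output above.

```powershell
# Added example (not from the post above): classify the authentication of every
# web application zone the way the answer reads $wa.IisSettings[<zone>], and
# list the identity claim used by any SAML (ADFS) trusted identity provider.
# Assumes the SharePoint snap-in is available (SharePoint Management Shell).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-ZoneAuthModes($iis) {
    # Translate the IisSettings flags into the auth methods named above:
    # Classic, Windows Claims (NTLM or Kerberos), FBA Claims, SAML Claims, Anonymous.
    $modes = @()
    if (-not $iis.UseClaimsAuthentication) {
        $modes += 'Classic Windows'
    } else {
        if ($iis.UseWindowsClaimsAuthenticationProvider) {
            # DisableKerberos = True means the zone falls back to NTLM
            if ($iis.DisableKerberos) { $modes += 'Windows Claims (NTLM)' }
            else                      { $modes += 'Windows Claims (Kerberos)' }
        }
        if ($iis.UseFormsClaimsAuthenticationProvider)   { $modes += 'FBA Claims' }
        if ($iis.UseTrustedClaimsAuthenticationProvider) { $modes += 'SAML Claims (ADFS)' }
    }
    if ($iis.AllowAnonymous) { $modes += 'Anonymous' }
    return $modes
}

# One row per web application zone; site collections inherit the web
# application's authentication, so they are counted per web application.
$report = foreach ($wa in Get-SPWebApplication) {
    $siteCount = (Get-SPSite -WebApplication $wa -Limit All).Count
    foreach ($zone in $wa.IisSettings.Keys) {
        [pscustomobject]@{
            WebApplication  = $wa.Url
            Zone            = $zone
            AuthModes       = (Get-ZoneAuthModes $wa.IisSettings[$zone]) -join ', '
            SiteCollections = $siteCount
        }
    }
}
$report | Format-Table -AutoSize

# For the ADFS part of the question: each trusted identity token issuer carries
# the claim type (for example an email address claim) that identifies the user.
Get-SPTrustedIdentityTokenIssuer | ForEach-Object {
    [pscustomobject]@{
        Issuer        = $_.Name
        IdentityClaim = $_.IdentityClaimTypeInformation.InputClaimType
    }
} | Format-Table -AutoSize
```

    A zone whose AuthModes column reads "SAML Claims (ADFS)" is the one to match against the issuer list; a zone reporting "Anonymous" next to Windows Claims is worth a second look, since anonymous access is usually unintended on an intranet web application.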
