802.1x NAC and per-user ACLs

Can 802.1x NAC and per-user ACLs be used together on the same port? I know some of the NAC documentation says that 802.1x NAC does not support downloadable ACLs, but it looks like it might be outdated, and according to http://cisco.com/en/US/products/ps7077/products_configuration_guide_chapter09186a0080817284.html , it appears that there is nothing preventing this.
Also, when will URL redirection to a remediation server be supported with 802.1x NAC?

You just need to configure it differently on ACS. "Downloadable IP ACLs" used to be "Downloadable PIX ACLs" on ACS. It changed to "IP" when VPN concentrators started supporting this with ACLs too. You saw this with NAC, if I remember .. and EOU does it this way as well.
802.1X with per-user ACLs was already shipping at the time though (has been for some time) and the mechanism is operationally the same .. just functionally different.
With per-user ACLs, you'd configure a VSA like:
ip:inacl#1=deny ip any host 10.1.8.3
ip:inacl#2=permit ip any any
The "downloadable IP ACL" config would look like:
deny ip any host 10.1.8.3
permit ip any any
In the end, both techniques use the same VSA. This VSA is 026\009\001. In "per-user ACLs", there's no sort of handshake though to see if the ACL is already there, etc. It slaps the ACL on for you unconditionally as an authorization rule b/c you told it to. (hence the "ip:inacl" stuff above). With "downloadable", there's a handshake before actually applying the ACL .. to see if there's an earlier copy of the ACL, and it'll only update what changed, etc.
So, it really boils down to semantics. Both techniques work. AAA config is subtly different on the backend. Look for this to get consistently deployed soon, but in the meantime, it's still supported ;-).
Hope this helps,
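Added example (not code from the post or from Cisco ACS/IOS): a Python encoder and decoder for the 026\009\001 cisco-avpair VSA that the answer says both techniques ride on, built from the RFC 2865 Vendor-Specific layout, with the two ACL lines above as constructed input. The helper names are my own.

```python
"""Encode and decode the Cisco cisco-avpair VSA (RADIUS attr 26, vendor 9, type 1).

Added example for the thread above, not code from the original post or from
Cisco/ACS. Attribute layout follows RFC 2865; the sample ACL lines are the ones
quoted in the answer. Helper names are my own.
"""
import struct

ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute
VENDOR_CISCO = 9            # IANA enterprise number for Cisco
CISCO_AVPAIR = 1            # Cisco vendor-type 1: cisco-avpair (026\009\001)


def per_user_acl_avpairs(acl_lines):
    """Per-user ACL form: one 'ip:inacl#N=<ace>' pair per ACE, numbered from 1."""
    return [f"ip:inacl#{n}={ace}" for n, ace in enumerate(acl_lines, start=1)]


def encode_cisco_avpair(value):
    """Pack one cisco-avpair string as a Vendor-Specific AVP:
    type, length, vendor-id, vendor-type, vendor-length, string."""
    data = value.encode("ascii")
    vendor_len = 2 + len(data)          # vendor-type + vendor-length + string
    total_len = 2 + 4 + vendor_len      # type + length + vendor-id + vendor part
    if total_len > 255:
        raise ValueError("cisco-avpair too long for a single RADIUS attribute")
    header = struct.pack("!BBIBB", ATTR_VENDOR_SPECIFIC, total_len,
                         VENDOR_CISCO, CISCO_AVPAIR, vendor_len)
    return header + data


def decode_cisco_avpairs(attrs):
    """Walk a RADIUS attribute list and return every cisco-avpair string, in order."""
    pairs = []
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute length")
        body = attrs[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(body) >= 6:
            vendor_id = struct.unpack("!I", body[:4])[0]
            vtype, vlen = body[4], body[5]
            # vendor-length covers vendor-type, vendor-length and the string
            if vendor_id == VENDOR_CISCO and vtype == CISCO_AVPAIR and vlen == len(body) - 4:
                pairs.append(body[6:].decode("ascii"))
        pos += alen
    return pairs


def inacl_from_avpairs(avpairs):
    """Rebuild the inbound ACL from ip:inacl#N= pairs; the switch applies them in index order."""
    entries = {}
    for pair in avpairs:
        if not pair.startswith("ip:inacl#"):
            continue                     # other avpairs (e.g. VLAN) are not ACL entries
        index, _, ace = pair[len("ip:inacl#"):].partition("=")
        entries[int(index)] = ace
    if sorted(entries) != list(range(1, len(entries) + 1)):
        raise ValueError("ip:inacl entries are not numbered 1..N without gaps")
    return [entries[n] for n in sorted(entries)]


if __name__ == "__main__":
    # Constructed sample: the two-line ACL quoted in the answer above.
    acl = ["deny ip any host 10.1.8.3", "permit ip any any"]
    wire = b"".join(encode_cisco_avpair(p) for p in per_user_acl_avpairs(acl))
    print(wire.hex())
    print(inacl_from_avpairs(decode_cisco_avpairs(wire)))
```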

Similar Messages

  • Flex connect with a per user ACL with APs locally switched

    Hi all,
    Does FlexConnect allow a per-user ACL to be downloaded to the session with local switching and central authentication? We are using ISE for the central policy engine and have set up dACLs for wired, but am about to embark on WLAN. The controller is a 5508 and the APs are 3700s.
    Second question- if the flex connect APs don't do any form of per user ACL, the other option is to have the units in regular mode where they are both centrally switched and centrally authenticated which I understand to support a per user ACL. Our WAN links are between 10mbps - 30mbps and the most latency would be around 40ms. Will this cause issues at all with the size WAN links and latency?
    Thanks

    Well, you are running v7.6, so FlexConnect per-user RADIUS ACLs are supported per this doc since v7.5.
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html#anc9
    As far as WAN latency, 200ms is good, but it depends on your WAN utilization now and how many APs you plan on installing and the increase in wireless traffic across your WAN. There is a minimum requirement, but it's up to you in the end to make sure you have enough bandwidth, or else you will need to QoS the CAPWAP traffic to ensure the APs don't bounce from connected to standalone.

  • 802.1X and per user vlan

    hi all,
    I would like to know if I can assign one user to a VLAN with 802.1X in a wireless environment?
    If yes, do I need a particular RADIUS server, or is this feature "basic" on IAS, ACS, Meetinghouse, Funk..
    Can I have a VLAN authentication policy (i.e. VLAN 2 no auth, VLAN 3 EAP-MD5)?
    Can I authenticate user1 on domain1 and user2 on domain2 on the same AP with a RADIUS server (IAS, ACS or other)?
    Thanks

    I'll take a stab at some of this...
    I have per-user VLANs set up on my 1220 APs and am using 2003 Server IAS for the RADIUS server. I also had it working on 2000 Server.
    I have one VLAN with no authentication and others for my users that do authenticate. They are authenticating using MS PEAP and a UN/PW combo.
    Here is a link on VLANs for the VxWorks series of APs
    http://www.cisco.com/en/US/customer/products/hw/wireless/ps430/products_configuration_guide_chapter09186a00800e02cb.html
    This one is for IOS (looks new, I haven't read it yet..)
    http://www.cisco.com/en/US/customer/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml
    Finally another link -
    http://www.cisco.com/en/US/customer/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
    I am not sure about the different user/domain combos since I only have one domain here. There are also some good posts in this forum, do a search for per user vlan, etc.
    Good Luck.
    Don

  • NAC and Linux Users .

    Hello Everyone .
    I have implemented NAC in a wireless environment using OOB methods at one of the universities.
    Everything went smoothly, except for one thing: NAC and students using Linux laptops.
    The issue they are facing is that they are able to load the NAC login page and able to use their username and password, but after clicking
    Submit they only see a blank page... it is supposed to show the web agent page, but that is not happening. I have checked the
    monitor page and online users, but I can't see the user ID or IP address.
    Any idea how to fix such an issue?
    Regards
    Yousef Askool

    Hello. NAC agent and web agent are not supported on Linux.

  • ISE 1.2 & AD & Meraki - Per User Group Policy ?

    I am working on a PoC for a deployment in an MDU. We are using Meraki switches and access points. There are 250 units in the building, each unit will have its own subnet. The goal is to have the tenant be able to connect to a common building SSID and be placed into their assigned VLAN. There will also be physical ports in each unit that will need to do the same. I am trying to figure out a way to use ISE to authorize on a per-user basis and not based on groups of users. On the Meraki system there are group policies that will assign the VLAN for the user as well as any type of layer 7 firewalling and bandwidth control. So there will be 250 group policies, one for each unit. There is a deployment guide that shows how to set up ISE for use with Meraki and it is great, but it assumes that there will be large groups like Employees, Contractors, etc. that will be used. This is where I'm being tripped up; also... this is my first swing at a NAC deployment so I have a lot to learn.
    1. Can I set up each user in Active Directory to have a tag that ISE can then forward on to Meraki for the group policy? Say it's unit 101 and I have a group policy called 101 in Meraki; Meraki documentation says to use the Airespace-ACL-Name attribute in ISE to indicate the group policy to use. This gives me the ability to place a group into that policy but not an individual. Or would this be better done by creating the users in ISE directly? Omit AD entirely?
    2. Each unit will have devices that will need MAB because they are not 802.1x compatible. I need to do the same as above with them. I would create a separate SSID for these devices but then use the MAC address to authenticate them but will need to authorize them to go into a specific group policy.
    I know this isn't a typical ISE application but I think that this will work really well in the end, just need to iron out these details and get a test system functioning. Any help would be greatly appreciated!!!
    Thanks,
    Nathan

    Please find the Meraki_ISE integration doc. in attachment.
    When VLAN tagging is configured per user, multiple users can be associated to the same SSID, but their traffic is tagged with different VLAN IDs. This configuration is achieved by authenticating wireless devices or users against a customer-premise RADIUS server, which can return RADIUS attributes that convey the VLAN ID that should be assigned to a particular user’s traffic.
    In order to perform per-user VLAN tagging, a RADIUS server must be used with one of the following settings:
    MAC-based access control (no encryption)
    WPA2-Enterprise with 802.1x authentication
    A per-user VLAN tag can be applied in 3 different ways:
    The RADIUS server returns a Tunnel-Private-Group-ID attribute in the Access-Accept message, which specifies the VLAN ID that should be applied to the wireless user. This VLAN ID could override whatever may be configured in the MCC (which could be no VLAN tagging, or a per-SSID VLAN tag). To have this VLAN ID take effect, “RADIUS override” must be set to “RADIUS response can override VLAN tag” under the Configure tab on the Access Control page in the “VLAN setup” section.
    The RADIUS server returns a group policy attribute (e.g., Filter-ID) in the Access-Accept message. The group policy attribute specifies a group policy that should be applied to the wireless user, overriding the policy configured on the SSID itself. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user.
    On the Client Details page, a client can be manually assigned a group policy. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user. 

  • Mix to use Per user & Per device CALs ??

    Hi,
    I have built 2 RDS server and formed a NLB cluster.
    Is it possible to mix Per User and Per Device CALs in this environment? How is it set up?
    Thanks

    Hi,
    Please see this similar thread which covers how to set it up and how to do tracking of licenses
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/2ce9f814-822c-436b-bd12-80e1ec74c27b/combine-both-per-device-and-per-user-rds-cals-on-the-same-remote-desktop-session-host?forum=winserverTS
    Kind regards,
    Freek Berson

  • 802.1x Machine and User Auth Vlan assignments

    I have machine and user auth working between Win2K PC and ACS 3.3 but not sure how to best use the Vlan assignment feature. I use Vlans for different departments and if I assign a vlan in ACS to a machine when it authenticates but the user is assigned to a different Vlan, I don't get a renewed IP.
    Here is how it's working now:
    1. Machine authenticates to ACS and assigned to a Vlan
    2. User logs in and if they are assigned to the same Vlan as the machine, works fine. If assigned to another vlan, the switchport does get changed but the PC still has an IP from the initial Vlan it was assigned to. Releasing and renewing doesn't work but I really don't expect it to.
    So, I figure the solution to this is just not to set a per-user VLAN and only set it per machine. But, the group mapping in ACS looked like a great way to assign VLANs based on a user's Active Directory group, but it doesn't appear to recognize the different computer OUs we have. So I can assign VLANs based on user groups but not computer groups. As machines are added to ACS, I could change them to an ACS group with the VLAN set, but this would be a lot more work than an automated method like unknown user policy.
    So, how are others assigning machines to vlans in large multi-vlan networks using ACS and 802.1x?

    By default users and computers belong to different global groups. "Domain Users" vs. "Domain Computers" for example.
    As for your example, it seems like you have a misbehaving supplicant, and authentication is attempting and then timing out and starting over .. that never actually gets to fail, so the auth-fail stuff won't help.
    Note: A good way to troubleshoot this is to notice it in action via show command:
    Here's an example of what you should see on a switch port.
    AuthSM State = State of the 802.1X Authenticator PAE state machine
    VALUES:
    AUTHENTICATED -- Auth Succeeded
    AUTHENTICATING -- Auth is attempting
    CONNECTING -- Dot1x is up and configured and trying to locate a supplicant.
    HELD -- Auth probably failed.
    BendSM State = State of the 802.1X back-end authentication state machine
    VALUES:
    IDLE -- Nothing is happening.
    REQUEST -- Switch sent some EAP data to AAA, and is waiting to get something back.
    RESPONSE -- AAA sent the switch back some data, and the switch in turn asked the supplicant for more data.
    NOTE: You should rarely see the RESPONSE state above. If you see it for more than a second or so in the middle of an auth attempt, that's a smoking gun that you might have a mis-behaving supplicant, b/c it shouldn't take that long to send an EAPOL frame. The switch will eventually time out, and start auth over.
    Hope this helps,

  • Amount of Resources CPU and Memory per user

    Hi,
    We are looking to deploy a Line of Business Application via RemoteApp and a custom template. The application requires a significant amount of RAM and CPU; can someone tell me how much RAM and how many CPUs are allocated per session \ user? I would expect that we would use the Standard tier if there is any difference in the resources available.
    Thanks
    Giles

    Hi James,
    Currently there is no way to configure resources other than selecting either Basic or Standard. If you would like a lower per-VM user density (and thus higher resources for each user) what you can do is create more collections, and only assign a small number of users to each.
    For example, say you only wanted to have a maximum of 4 users on each VM, providing typically at least 1 vCPU per user. In this case you would create collections with the Basic plan, each linked to the same template image, and only assign a maximum of 4 user accounts on the user access tab of each. Assuming each user uses 80+ hours a month, the total (before discounts) cost for each collection would be $228/month, making each user cost about $57/month, slightly less than the equivalent cost under Standard plan pricing if you factor in resources per user.
    You probably already know this, but I will explain how scaling works normally for others that may read this. Azure RemoteApp will automatically create more VMs for each collection as needed to handle user load (Scale-Out) and shut down VMs when the user load is reduced (Scale-In). The key thing that affects this scaling mechanism is the maximum concurrent users allowed on each VM, which for Standard is 10.
    In your case you are asking if you can have more resources per user, hence my instructions above for creating multiple collections and limiting the number of assigned users to less than 10 each.
    Depending on your unique needs it may make more sense to create a custom RDS deployment on Azure IaaS VMs. In this case you could control the size/type of VM used, user density, etc. The downside is you have to set up and manage more RDS components than you do if you use Azure RemoteApp.
    -TP

  • [Forum FAQ] Troubleshoot the error "The Remote Desktop Session Host server is in Per User licensing mode and No Redirector Mode"

    Symptom
    RD License server is a key component of RDS. It licenses users to access RDS servers.
    After purchasing the required RDS CALs, we need to activate the RDS License server and install the purchased RDS CALs. However, during the installation or after installation, we may face errors about RDS licensing.
    In most cases, the following error may occur.
    Error:
    The Remote Desktop Session Host server is in Per User licensing mode and No Redirector Mode, but license server "Server name" does not have any installed licenses with the following attributes:
    Product version: Windows Server 2012
    Licensing mode: Per User
    License type: RDS CALs
    Troubleshooting
    1. Check whether the RD License Configuration is configured properly and there are no Warnings in the Event.
    2. The License Server should be part of 'RD Server License' group in Active Directory Domain Services.
    3. Check if the Licensing Mode is correct.
    - To change the Licensing Mode we can use RD Licensing diagnose, PowerShell cmdlet and Group Policy.
    Via PowerShell cmdlet:
    To change the licensing mode on RDSH/RDVH:
    $obj = get-wmiobject -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
    $obj.ChangeMode(value)
    # Value can be 2 - per Device, 4 - Per user
    Via Group Policy
    Path: Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Licensing
    Use the specified RD license servers = FQDN of server name
    Set the Remote Desktop licensing mode =
    Per User
    However, if the issue persists, please provide detailed information and post the question in the Remote Desktop Services (Terminal Services) forum.

    Hi Richard,
    You need to uninstall the Remote Desktop Session Host feature. After removing it, you will get the default two connections, which do not require purchasing RDS CALs.
    Thanks,
    Umesh.S.K

  • Define Output type and Local destination per user

    Hi Gurus,
    Currently we have defined Output type by Sales Organization/Order Type (S_TCODE = VV11).
    Is it possible to define Output type and Local destination per user? How is it done?
    thanks and best regards,
    Wilson

    Hi Wilson
    As per my understanding of the requirement: you want the output type and local destination per SAP end user (i.e. whoever is processing the sales order), not per customer. If this is the requirement, we have two solutions for it:
    1) If for a particular region/sales district the customers are contacting one particular destination, then create an access sequence with output type/order type/sales district. That means one local destination per sales district. If the sales district is a big area and you have many local destinations within it, then you can divide it into regions.
    2) Ask your ABAPer to create a Z table and maintain the local destination for all users. Then amend the print program so that, before saving the output entry into the NAST table, it fetches the printer (local destination) from the Z table based on SY-UNAME (the user's ID) and updates the NAST table accordingly.
    As per my observations, option 2 is simpler and more effective.
    Try it and revert.

  • When to set iwtUser-role and other per user schema using custom authentication?

    I have written my own authentication module and would like to set per user schema on login. Can I write iwtUser-role, iwtCalendarProvider-calendarUserPassword, etc from the authentication class?

    Yes you can, after the authentication is complete you get the profile object and then set whatever value you want to set for particular attributes you want to set ..

  • How can i save job settings in Capture Perfect per computer and not only per user?

    Hi
    I got a production computer with capture perfect 3.0
    Is there a version where the job settings are saved per computer and not per user?
    This is a problem when I am creating scanner jobs that everybody on the computer should be able to use.
    TJ

    I'm having the same problem and I use the built-in camera app. I have an iPhone 4 and my friend uses an iPhone 4S and his saves as JPEG. Mine saves as PNG. How can I get mine to save as JPEG?

  • ASA5515X - WSE,AVC and IPS - Application block per user

    Can I enable web application blocking based on a user or group of users with the WSE license, or do I need another type of license?
    Thanks,
    Ivan

    WSE is always packaged, at a minimum, with AVC. That combination on an ASA is all the licensing you need to block web applications per user. You will of course need to implement a scheme to identify your users in order to use their identity in a policy. That can be via the local database (seldom used as it doesn't scale well) or via integration with your Microsoft AD infrastructure (via active authentication or optionally using the free Context Directory Agent (CDA) server running on a VM in your environment) or via something like the Identity Services Engine (ISE - a licensed product).

  • NAC and AD, Machine GPOs, Roaming Profiles = Chaos

    I've just observed a hapless Cisco consultant try to make NAC 4.1 work on computers with machine GPOs, roaming profiles, logon scripts within user GPOs, and for that matter legacy logon scripts with "run logon scripts synchronously" enabled. All of these technologies seem to fail on a NAC-enforced connection.
    We assign software on machine GPOs and we use roaming user profiles, and it seems we either need to have a domain controller and profile share on the isolation VLAN, which defeats the purpose of NAC, or perform some kind of machine authentication, which can occur before GPO processing and net logons can happen.
    While I'm not the Cisco consultant, it wasn't hard to recognize this problem.
    Everything I've read about NAC and CAA suggests this is a per-user compliance solution and not a per-machine solution. Surely others have observed this, and I think this is what machine authentication (802.1x) NAC, as opposed to user authentication NAC, is all about. At the risk of sounding like a total n00b, where can I start researching a NAC solution that supports what I want and lets us use the Cisco NAC gear we've already invested in?

    I have had similar issues and have solved many with a custom script that runs at log on. It is a compiled script and works great, AutoIT3.
    The policy part takes care of itself if you leave machines logged in long enough or do a gpupdate /force. This will force the group policy to synchronize but you will need to log off and on again.
    The roaming profile is much tougher. I am still trying to get this working. If anyone has any info on EXACTLY what takes place on a roaming profile synchronization, I would be grateful. If I can I will replicate that process in my script and solve this issue also.
    I have fixed the login script stuff with a delay script that I (ironically) use Clean Access to install. You have to launch it with the user's credentials, though, and not from Clean Access, which uses the SYSTEM user's credentials in its stub agent!
    This is a known issue to Cisco but any prodding of them to get it working would help. Their solution is braindead, just give unremediated machines full access! If they fail remediation, kick them off then. Gee, that gives the unremediated machine a mere two to three minutes to attack your AD DCs on each log in attempt. Not good.
    Anyway, that's where I am at. Most of this can be dealt with, some is still problematical.
    Dan S.

  • Can we save the printing preference of FR reporting per report per user?

    We are using Hyperion Planning and Financial Reporting version 11.1.1.1. Some of our users will generate PDF for printing (HTML format is badly printed out).
    However can we have the option to save the printing preference of each FR report? As some reports are in portrait and some are in landscape format, it is preferred users can setup the printing preference per user per report so that they can choose the paper size and printing orientation.
    Thanks in advance!

    OK; should this be submitted to http://developer.apple.com/bugreporter/?
    I'm unsure about the best setup for this, but here is some brainstorming:
    - In Workgroup Manager or Directory, an administrator can designate a user to 'auto-accept' invitations if the user is available at that time.
    - Ideally, one would be able to establish an ACL for auto-acceptance, so that a user or admin could designate a list of users/groups from whom a user should auto-accept invites.
    - If a user is set to auto-accept, it is reasonable to assume that this user is either unable to use iCal or does not regularly check their calendar, so invites that are not auto-accepted should be handled somehow. For example, a notification could be e-mailed to the user, an invitation accept/decline message could be sent to the iCal account of a designated administrator or delegate, etc.
    I am imagining this for the case of my division, in which we have one person scheduling for lots of people, but I think that the idea of being able to delegate a person to be able to add things to one's calendar without confirmation and to confirm invites from non-privileged users would be useful in other cases as well. For example, a boss wants an administrator/secretary to be able to schedule things on his/her calendar, but does not want this person to be able to see all of the details of existing items on that calendar. I suppose that in this case it would be unclear to which calendar the designate should add the event initially, but I'm sure that for many people the privacy of the boss's calendar is more important than the inconvenience of having to create a throwaway calendar for events created by the delegate.
    If anyone has any thoughts to help refine this, please let me know and I will incorporate that into my writeup.
    Thanks,
    Greg
