802.1x on Alcatel Lucent IPtouch 2048 with Cisco 2960X

Similar Messages

• Cisco ip phones authenticate 802.1x with cisco ise 1.3

  Dear all,
  I want to configure cisco ise 1.3 with 802.1x , to authenticate cisco ip phones ( CUCM 10.5.2 ) with LSC certificate. 
  How I have to configure cisco ise authentication rules for 802.1x with cisco ip phones? Are there any configuration examples ? 
  Thanks

  following are ISE 802.1x  sample authentication rules..you can change the protocol (Policy -> policy elements - > results -> authentication and you can select the proctocal)

• 3560G and 802.1X with Cisco IP Phone

  Hi,
  We have been doing some test on our 3560G switch with 802.1X. The switch port has a Cisco IP Phone 7940 connected and at the back of the IP Phone is the PC (802.1X client).
  The PC authenticates with the computer name or the username properly without any problems. However problem is that the port stays opened/authorized even after disconnecting the Laptop from the phone. Only disconnecting the phone from the switch disables the port and enforces authentication.
  This totally defeats the purpose for us.
  IOS: 12.2(20)SE3
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  dot1x system-auth-control
  interface GigabitEthernet0/40
  switchport access vlan 4
  switchport mode access
  switchport voice vlan 15
  dot1x port-control auto
  dot1x timeout quiet-period 15
  dot1x timeout reauth-period 30
  dot1x max-req 1
  dot1x reauthentication
  spanning-tree portfast
  spanning-tree link-type point-to-point
  Any ideas will be appreciated.
  Thanks,
  Cheers
  Kartik

  I believe the problem should be solved with the new phone firmware:
  Ref Cisco Document:
  http://www.cisco.com/en/US/products/hw/phones/ps379/prod_release_note09186a0080461f84.html
  "Firmware release 7.2(2) provides support for the Cisco IP Phone models 7960G and 7940G to monitor IEEE 802.1X messages between an authenticating switch and a connected PC (supplicant).
  When a PC is disconnected from the Cisco IP Phone, the phone issues an EAPOL-Logoff message on behalf of the PC to the authenticating switch.
  Hope This Helps
  Jarle Steffensen

• Cisco ip phones authenticate 802.1x with cisco ise

  Dears,
  I want to  configure ip phones authenticate from Cisco ISE with 802.1X with certificates. But i can not find any configuration guide about this solutions.
  I find one config and this is about ACS. Please provide me any documentation guide on cisco ise.
  Thanks. 

  802.1x configuration for IP Phones
  http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html#69217

• Is Alcatel-Lucent a strong competitor in Voice to Cisco?

  Hey
  I never worked on Alcatel-Lucent stuff before but I might be some project coming that using their gears. So just wonder if anyone had expeirience working on Alcatel-Lucent Voice/Data project?
  Thanks,
  /S    

  Hey
  I never worked on Alcatel-Lucent stuff before but I might be some project coming that using their gears. So just wonder if anyone had expeirience working on Alcatel-Lucent Voice/Data project?
  Thanks,
  /S    

• Ask the Expert: ISE 1.2: Configuration and Deployment with Cisco expert Craig Hyps

  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to deploy and configure Cisco Identity Services Engine (ISE) Version 1.2 and to understand the features and enhanced troubleshooting options available in this version, with Cisco expert Craig Hyps.
  October 27, 2014 through November 7, 2014.
  The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the entire attack continuum. Cisco ISE is a security policy management platform that identifies users and devices using RADIUS, 802.1X, MAB, and Web Authentication methods and automates secure access controls such as ACLs, VLAN assignment, and Security Group Tags (SGTs) to enforce role-based access to networks and network resources. Cisco ISE delivers superior user and device visibility through profiling, posture and mobile device management (MDM) compliance validation, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.
  Craig Hyps is a senior Technical Marketing Engineer for Cisco's Security Business Group with over 25 years networking and security experience. Craig is defining Cisco's next generation Identity Services Engine, ISE, and concurrently serves as the Product Owner for ISE Performance and Scale focused on the requirements of the largest ISE deployments.
  Previously Craig has held senior positions as a customer Consulting Engineer, Systems Engineer and product trainer.   He joined Cisco in 1997 and has extensive experience with Cisco's security portfolio.  Craig holds a Bachelor's degree from Dartmouth College and certifications that include CISSP, CCSP, and CCSI.
  Remember to use the rating system to let Craig know if you have received an adequate response.
  Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.
  (Comments are now closed)

  1. Without more specifics it is hard to determine actual issue. It may be possible that if configured in same subnet that asymmetric traffic caused connections to fail. A key enhancement in ISE 1.3 is to make sure traffic received on a given interface is sent out same interface.
  2. Common use cases for using different interfaces include separation of management traffic from user traffic such as web portal access or to support dedicated profiling interfaces. For example, you may want employees to use a different interface for sponsor portal access. For profiling, you may want to use a specific interface for HTTP SPAN traffic or possibly configure IP Anycast to simplify reception and redundancy of DHCP IP Helper traffic. Another use case is simple NIC redundancy.
  a. Management traffic is restricted to eth0, but standalone node will also have PSN persona so above use cases can apply for interfaces eth1-eth3.
  b. For dedicated PAN / MnT nodes it usually does not make sense to configure multiple interfaces although ISE 1.3 does add support for SNMP on multiple interfaces if needed to separate out. It may also be possible to support NIC redundancy but I need to do some more testing to verify. 
  For PSNs, NIC redundancy for RADIUS as well as the other use cases for separate profiling and portal services apply.
  Regarding Supplicant Provisioning issue, the flows are the same whether wireless or wired. The same identity stores are supported as well. The key difference is that wireless users are directed to a specific auth method based on WLAN configuration and Cisco wired switches allow multiple auth methods to be supported on same port. 
  If RADIUS Proxy is required to forward requests to a foreign RADIUS server, then decision must be made based on basic RADIUS attributes or things like NDG. ISE does not terminate the authentication requests and that is handled by foreign server. ISE does support advanced relay functions such as attribute manipulation, but recommend review with requirements with local Cisco or partner security SE if trying to implement provisioning for users authenticated via proxy. Proxy is handled at Authentication Policy level. CWA and Guest Flow is handled in Authorization Policy.  If need to authenticate a CWA user via external RADIUS, then need to use RADIUS Token Server, not RADIUS Proxy.
  A typical flow for a wired user without 802.1X configured would be to hit default policy for CWA.  Based on successful CWA auth, CoA is triggered and user can then match a policy rule based on guest flow and CWA user identity (AD or non-AD) and returned an authorization for NSP.
  Regarding AD multi-domain support...
  Under ISE 1.2, if need to authenticate users across different forests or domains, then mutual trusts must exist, or you can use multiple LDAP server definitions if the EAP protocol supports LDAP. RADIUS Proxy is another option  to have some users authenticated to different AD domains via foreign RADIUS server.
  Under ISE 1.3, we have completely re-architected our AD connector and support multiple AD Forests and Domains with or without mutual trusts.
  When you mention the use of RADIUS proxy, it is not clear whether you are referring to ISE as the proxy or another RADIUS server proxying to ISE.  If you had multiple ISE deployments, then a separate RADIUS Server like ACS could proxy requests to different ISE 1.2 deployments, each with their own separate AD domain connection.  If ISE is the proxy, then you could have some requests being authenticated against locally joined AD domain while others are sent to a foreign RADIUS server which may have one or more AD domain connections.
  In summary, if the key requirement is ability to join multiple AD domains without mutual trust, then very likely ISE 1.3 is the solution.  Your configuration seems to be a bit involved and I do not want to provide design guidance on a paper napkin, so recommend consult with local ATP Security SE to review overall requirements, topology, AD structure, and RADIUS servers that require integration.
  Regards,
  Craig

• Hellp on Nokia E61i associating with Cisco WLC 4402

  I met some problem with associate Nokia's dual mode mobile phone E61i with Cisco WLC 4402, hope someone can help me on it:
  I setup a VOICE WLAN in 4402(v5.0.148), Layer2 security is WPA1+WPA2, Key management using 802.1x, WPA1 policy enable both TKIP and AES, Radius server using ACS engine(v4.1.1.23)(enable PEAP-MSCHAPv2);
  I can use my laptop to join this WLAN(my laptop configure with PEAP/MSCHAPv2, WPA-TKIP, not validate server certificate), but can't let E61i join it, each time it will remind me “unable to connect, WPA authenticate failed).
  In E61i, I select WPA/WPA2 as WLAN security mode, enable EAP-PEAP, under EAP-PEAP, I enable EAP-MSCHAPv2; however under Cipher, there's a lot of options such as “RSA,3EDS,SHA”, “RSA,AES,SHA”, but there's no TKIP, I have tried to enable all of them and tried only enable those items which include AES, but I failed each time with the same reminder “unable to connect, WPA authenticate failed”. I checked ACS's failed log, there's no record; In 4402, there also have no record.
  If I change the security to open or static WEP for VOICE WLAN, then the E61i can connect to the WLAN.
  I think the problem maybe relate to encryption or certificate, right now I just do the test in lab, not in customer's real environment, so I use ACS to generate a self signed certificate and installed it in ACS.
  Pls. help to point me what I need to adjust to make it work. Thanks!

  Hello,
  CCKM Key Management mode on Nokia E61i phone can be used
  against Cisco LWAPP AP's with TKIP encryption
  Nokia E61i (and other E-series WLAN enabled phones) are supporting CCKM key management method with both dynamic WEP and TKIP ciphers.
  On the phone configuration, 802.1X security mode needs to be in use in order to enable CCKM support. WPA/WPA2 security mode on the phone is dedicated to standards based WPA and WPA2 methods and it does not allow usage of proprietary CCKM key management method.
  Phone's 802.1X security mode does not mean that phone would only support dynamic WEP encryption method in this mode although in contexts term "802.1X" may be attached to pure dynamic WEP (legacy / pre WPA era)security methods.
   802.1X security mode can be seen on Nokia Eseries phones as sort of an "everything with EAP based authentication is allowed" mode, meaning that following key management and cipher configurations are supported:
  - WPA-Enterprise  = WPA Key Management (EAP based authentication) with TKIP encryption
  - WPA2-Enterprise = WPA2 Key Management (EAP based authentication) with AES encryption
  - Mixed WPA/WPA2-Enterprise = I.e. WPA/WPA2 Mode Migration WPA2 Key Management (EAP based authentication) with AES (for unicast data) and TKIP (for multicast data) ciphers
  - 802.1X dynamic WEP = legacy (pre-WPA era) 802.1X based dynamic WEP (EAP based authentication with dynamic WEP encryption)
  Supported:
  - CCKM with WEP = CCKM Key Management (EAP based authentication) with dynamic WEP encryption
  - CCKM with TKIP = CCKM Key Management (EAP based authentication) with TKIP encryption
  Not supported:
  - CCKM with AES = CCKM Key Management (EAP based authentication) with AES encryption
  Please note that CCKM-AES mode (CCKM Key Management with AES cipher) is not working properly due to some incompatibilities between Cisco and Nokia implementations thus it must not be listed as a supported combination on the current Nokia E-series devices. We are also seeing CCKM-Fast
  Re-authentication failures with Cisco autonomous AP's when AES encryption is used although initial authentication to autonomous AP's is successful. Nokia is currently working with Cisco to get CCKM-AES based authentications and roaming working properly with both LWAPP and autonomous Cisco AP's.
   Also note that Nokia E-Series does not support Cisco proprietary CKIP/CMIC encryption/data integrity methods. CKIP/CMIC is supported at least by Cisco autonomous AP's and it seems to be available also
  at least on LWAPP AP version 4.1.171.0.
   CCKM on E-Series devices has been tested against Cisco LWAPP (ver. 4.1.171.0) and it works when TKIP encryption is in use (WPA Policy + TKIP encryption in Cisco LWAPP configuration terms).
  In practice this means Cisco LWAPP is configured in a following manner: WLAN -> Edit -> Security-> 
  Layer 2 Security = WPA+WPA2
  WPA+WPA2 Parameters:
  -WPA Policy = enabled
  -WPA Encryption = TKIP enabled, AES disabled
  -WPA2 policy = disabled
  -Auth.Key Mgmt = CCKM
  Br,
  -Pasi-

• Wireless Cards compatability with Cisco ACU

  We have Lucent Orinoco PCMCIA cards in our laptops and have just purchesed some Aironet 350's, they work ok with the Orinoco drivers and client manager software,but i can't get the Cisco client ACU software to recognise the cards as i want to get the Cisco managment software working. Will the Cisco ACU software only work with Cisco cards?

  Yes, Cisco ACU is for Cisco cards only.

• PoE auto switchover with Cisco 1252 Access Point.

  Dear All
  I have a network for Managed Wireless using Cisco. This is a new network for me.
  I am in problem with Cisco Access Point 1252. My AP's are connected to a PoE Switch. And Cisco AP's are also connected Powered with also Power Adapter with UPS backup.
  But problem is if I disconnect power source of AP Power Adapter , AP is not getting up with PoE. PoE is up only when POWER PLUG of AP ADAPTER is physically pulled out from Socket.
  Question is if it is possible to make automatic Failover by PoE when Power source of AP ADAPTER is down ?? I mean no need to PULL OUT  POWER PLUG of AP ADAPTER.
  Waiting for your rely.
  It is very urgent .
  Thanking You
  Subrun.

  Hi Suburn,
  1- yes it is possible to do failover without unlupping the cable of AC adapter. When power on ACS adapter is off, then the faiolver happens.
  2- with regards to POE, if your switch supporting enhanced POE?
  Powering the Aironet 1250 Series Access Point with Cisco Enhanced PoE
  Cisco  Enhanced PoE was designed for customers who want to install new  PoE-enabled technologies that require greater than 15.4W per port to  function at full capability, such as wireless technology based on the  IEEE 802.11n standard. Cisco Enhanced PoE provides the full power  requirements for dual-radio modules and eliminates the need to run an  additional cabling drop or insert a separate power injector. Support for  Enhanced PoE is currently available on a variety of Cisco Catalyst® switching platforms. For more information on Enhanced PoE, visit http://www.cisco.com/en/US/prod/switches/epoe.html.
  Serge

• Hi Team, I wuold like to know if you have any app to make Firefox OS working with cisco Call Manager 10.5. Something like Cisco Jabber for Android or iOS.

  I'm interesting on buying a Firefox Smart Phone, but
  I would like to know if are any app to install on Firefox OS smart phone in order to work with cisco call manager 10.5.
  Something like Cisco Jabber for Android o iOS.
  Thanks,

  Hi Itech,
  If Cisco Jabber has a webapp, or mobile version of their website available, you should technically be able to access it through Firefox OS.
  You may also search Firefox Marketplace for an alternative solution:
  * [https://marketplace.firefox.com/]
  - Ralph

• Issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

  issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

  issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

• Directory Caching issue with Cisco Jabber client for Windows

  Hi ,
  I am facing cache issue with Cisco Jabber client for Windows. If I do any change related to modification or deletion of contacts in Active Directory/ Callmanager, it does not reflect in the Jabber. Because jabber takes the contacts from the locally stored cache file in the Windows system.
  Every time I have to remove the cache file to overcome this issue, practically it's not possible to do the same with all the Widows users. As, if any employee leaves the company and still I can see his contact appears in the "Cisco Jabber client". I have not seen this issue with Android/Apple iOS.
  Is there any automated way to remove the cache file? 
  Here is the detail of CUCM,Presence and Jabber.
  CUCM version: 9.1.x
  Presence          : 9.1.X
  Jabber              : 10.5 and 10.6

  Hello
  On our environment we had to install a dedicated Microsoft Certificate Authority "just for Cisco Jabber usage" to house the
  Network Device Enrollment Service.
  Our certificate for the CUPS were generated on this Certification Authority too.
  I discussed this certificate matter with my colleagues this afternoon and nobody seems to remember how these certificates were deployed into the
  Enterprise Trust store for the users.
  But I think they asked all 400 users to accept the 3 certificates by answering "yes" to the popup instead of using a script deployed by GPO...
  I wish you success with that deployment and really hope you have a technical partner that *Knows* this subject.
  Our partner left us alone with that unfortunately.
  Florent
  EDIT: If the "Certutil script method" works, please let me know. This could be useful in our own deployment.

• Azure multiple site-to-site VPNs (dynamic gateway) with Cisco ASA devices

  Hello
  I've been experimenting with moving certain on-premise servers to Azure however they would need a site-to-site VPN link to our many branch sites e.g. monitoring of nodes.
  The documentation says I need to configure a dynamic gateway to have multiple site-to-site VPNs. This is not a problem for our typical Cisco ISR's. However three of our key sites use Cisco ASA devices which are listed as 'Not Compatible' with dynamic routing.
  So I am stuck...
  What options are available to me? Is there any sort of tweak-configuration to make a Cisco ASA work with Azure and dynamic routing?
  I was hoping Azure's VPN solution would be very flexible.
  Thanks

  Hello RTF_Admin,
  1. Which is the Series of CISCO ASA device you are using?
  Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
  Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
  However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as demonstrated in this blog:
  Step-By-Step: Create a Site-to-Site VPN between your network and Azure
  http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
  You can refer to this article for Cisco ASA templates for Static routing:
  http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
  If your requirement is only for Multi-Site VPN then there is no option but to upgrade the device as Multisite VPN requires dyanmic routing and unfortunately there is no tweak or workaround due to hardware compatibility issue.
  I hope that this information is helpful
  Thanks,
  Syed Irfan Hussain

• Azure Site to Site VPN with Cisco ASA 5505

  I have got Cisco ASA 5505 device (version 9.0(2)). And i cannot connect S2S with azure (azure network alway in "connecting" state). In my cisco log:
  IP = 104.40.182.93, Keep-alives configured on but peer does not support keep-alives (type = None)
  Group = 104.40.182.93, IP = 104.40.182.93, QM FSM error (P2 struct &0xcaaa2a38, mess id 0x1)!
  Group = 104.40.182.93, IP = 104.40.182.93, Removing peer from correlator table failed, no match!
  Group = 104.40.182.93, IP = 104.40.182.93,Overriding Initiator's IPSec rekeying duration from 102400000 to 4608000 Kbs
  Group = 104.40.182.93, IP = 104.40.182.93, PHASE 1 COMPLETED
  I have done all cisco s2s congiguration over standard wizard cos seems your script for 8.x version of asa only?
  (Does azure support 9.x version of asa?)
  How can i fix it?

  Hi,
  As of now, we do not have any scripts for Cisco ASA 9x series.
  Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
  Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
  However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as
  demonstrated in this blog:
  Step-By-Step: Create a Site-to-Site VPN between your network and Azure
  http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
  You can refer to this article for Cisco ASA templates for Static routing:
  http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
  Did you download the VPN configuration file from the dashboard and copy the content of the configuration
  file to the Command Line Interface of the Cisco ASDM application? It seems that there is no specified IP address in the access list part and maybe that is why the states message appeared.
  According to the
  Cisco ASA template, it should be similar to this:
  access-list <RP_AccessList>
  extended permit ip object-group
  <RP_OnPremiseNetwork> object-group <RP_AzureNetwork>
  nat (inside,outside) source static <RP_OnPremiseNetwork>
  <RP_OnPremiseNetwork> destination static <RP_AzureNetwork>
  <RP_AzureNetwork>
  Based on my experience, to establish
  IPSEC tunnel, you need to allow the ESP protocol and UDP Port 500. Please make sure that the
  VPN device cannot be located behind a NAT. Besides, since Cisco ASA templates are not
  compatible for dynamic routing, please make sure that you chose the static routing.
  Since you configure the VPN device yourself, it's important that you would be familiar with the device and its configuration settings.
  Hope this helps you.
  Girish Prajwal

• Adaptiva Software Distribution not working with Cisco APs in Local Mode

  A worldwide customer would like to use a new Software distribution system called Adaptiva to replace SCCM within Windows environment. As far as I understand, Adaptiva is designed to work like a snowball system. A single PC at a remote side can be "infected" with new Software and will distribute the package to other PCs within the same IP-subnet, saving WAN bandwidth.
  First tests are showing that it is working well with Cisco WLAN solution as long as we are using Flexconnect WLAN APs.
  Customer locations with Local WLAN AP design create problems for this new software distribution method.
  The WLAN-PCs can be reached from outside, but the establishment of the Client/Server-model between the WLAN Clients is not working. The Port used by this software for communication between clients in each WLAN subnet is UDP Port 34329.
  Our WLCs are running at  7.4.130.0. The problem is appearing independently of AP Multicast settings or Broadcast Forwarding.  Enabling Broadcast forwarding without Reboot did not improve the situation.
  Global Multicast Mode and IGMP Snooping are also of no influence.
  P2P Blocking Action is "Disabled" within the WLAN setup.
  Who has any idea what might cause this communication problem between WLAN clients in Local Mode of APs ?
  Thank You for answers
  Wini

  I can think of two solutions. You could 1: turn the "auto-lock" to never, so that your phone never sleeps. Or, you could 2: jailbreak your iPhone and install "insomnia". I wish we had the Cisco Mobile app. I usually use wifi/insomnia and turn data off at work since we have wireless pretty much everywhere...
  Sent from Cisco Technical Support iPad App