Access switch and ap's for BYOD

good day,
i'm reading the BYOD document and found out that the switch and ap's below are the only listed on their designed, does it mean normal 3560's and 11xx AP's series can't support BYOD solution using ISE? could someone confirm please?
cat switches:
Catalyst 3750-X
Catalyst 3560-X
Catalyst 4500E Sup7-E
AP's
AP3502
AP3602
thanks in advance for your input.
cheers,
mhon

The 3560s that can run the code specified in this chart should be able to support ISE -
http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp55038
The APs that can support the controller code in the above guide show work as well, however if you want to run the AP in standalone mode, and they do not support features such as CoA then you will have to dedicate an inline posture node in order to get the full features of Cisco ISE.
Thanks,
Tarik Admani
*Please rate helpful posts*

Similar Messages

  • What are the major differences between a Access Switch and Aggregation Switch w.r.t Carrier Ethernet domain?

    In a Carrier Ethernet domain,Could someone please help me understand what's the basic difference between Access Switch and Aggregation Switch both in terms of s/w and h/w functionalities. MEF deals OAM,CFM, EVC provisioning only at the access edge switches. Do we need to repeat all these at the aggregation level? or  is it just used for routing purpose? Do we have a separate Fault Management at the aggregation level?

    Duplicate posts.  :P
    Go here:  https://supportforums.cisco.com/discussion/12137156/what-are-major-differences-between-access-switch-and-aggregation-switch-wrt

  • HSRP between 2 access switches and 2 core switches

    Hi I am looking for running HSRP between 2 access switches and 2 core switches for client PC and Server network’s next-hop redundancy as per attached setup.
    As you can see I have used one /29 network for connecting CORE & ACCESS switches & configure Interface VLAN10 (Layer 3 SVI) with shown IPs and standby IP (VIP).G0/1 on Access Switches & G2/1 on Core Switches are access ports for VLAN10.
    There is a L2 Trunk interconnecting Core-Main/Backup & as well as Access-Main/Backup Switches allowing VLAN10 to allow VLAN10’s HSRP packets to pass through (apart from other HSRP instances).
    Below are the HRSP & Trunk configuration on Core and Access Switches please have a look and suggest if they are correct in term of HSRP implementation, as I can see on both side HSRP master & standby status are fine as desired, but I can’t ping VIP of ACCESS Switch from CORE switch, but the VIP of CORE switch I can ping from ACCESS switch.
    Access-Main
    interface GigabitEthernet0/1
     description ***Connected to CR-SW-01 PORT G2/1***
     switchport access vlan 10
     switchport mode access
     load-interval 30
    interface GigabitEthernet0/2
     description ***Connected to AC-SW-01 & AC-SW-02 for HRSP***
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 10,40
     switchport mode trunk
     load-interval 30
    interface Vlan10
     description ***Connected to CR-SW-01 PORT G2/1***
     ip address 10.10.11.1 255.255.255.248
     standby 1 ip 10.10.11.2
     standby 1 timers msec 200 msec 750
     standby 1 preempt delay minimum 180
     standby 1 authentication accvlan10
    Access-Backup
    interface GigabitEthernet0/1
     description ***Connected to CR-SW-02 PORT G2/1***
     switchport access vlan 10
     switchport mode access
     load-interval 30
    interface GigabitEthernet0/2
     description ***Connected to AC-SW-01 & AC-SW-02 for HRSP***
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 10,40
     switchport mode trunk
     load-interval 30
    interface Vlan10
     description ***Connected to CR-SW-02 PORT G2/1***
     ip address 10.10.11.3 255.255.255.248
     standby 1 ip 10.10.11.2
     standby 1 priority 10
     standby 1 timers msec 200 msec 750
     standby 1 preempt delay minimum 180
     standby 1 authentication accvlan10
    Core-Main
    interface GigabitEthernet2/1
     description ***Connected to AC-SW-01 PORT G0/1***
     switchport access vlan 10
     switchport mode access
     load-interval 30
    interface GigabitEthernet2/2
     description ***Connected to CR-SW-01 & CR-SW-02 for HRSP***
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 10,20
     switchport mode trunk
     load-interval 30
    interface Vlan10
     description ***Connected to AC-SW-01 PORT G0/1***
     ip address 10.10.11.4 255.255.255.248
     standby 1 ip 10.10.11.5
     standby 1 timers msec 200 msec 750
     standby 1 preempt delay minimum 180
     standby 1 authentication crvlan10
    Core-Backup
    interface GigabitEthernet2/1
     description ***Connected to AC-SW-02 PORT G0/1***
     switchport access vlan 10
     switchport mode access
     load-interval 30
    interface GigabitEthernet2/2
     description ***Connected to CR-SW-01 & CR-SW-02 for HRSP***
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 10,20
     switchport mode trunk
     load-interval 30
    interface Vlan10
     description ***Connected to AC-SW-02 PORT G0/1***
     ip address 10.10.11.6 255.255.255.248
     standby 1 ip 10.10.11.5
     standby 1 priority 10
     standby 1 timers msec 200 msec 750
     standby 1 preempt delay minimum 180
     standby 1 authentication crvlan10

    Hi Rick thanks once again, so I am assuming I should use to configure as below and still one /29 subnet I can use to connect these Switches with the above static routings.
    Access Switch-Main
    interface Vlan10
     description ***Connected to CR-SW-01 PORT G2/1***
     ip address 10.10.11.1 255.255.255.248
     standby 2 ip 10.10.11.2
     standby 2 timers msec 200 msec 750
     standby 2 preempt delay minimum 180
     standby 2 authentication accvlan10
    ip route 192.168.20.0 255.255.255.0 10.10.11.5
    Access Switch-Backup
    interface Vlan10
     description ***Connected to CR-SW-02 PORT G2/1***
     ip address 10.10.11.3 255.255.255.248
     standby 2 ip 10.10.11.2
     standby 2 priority 10
     standby 2 timers msec 200 msec 750
     standby 2 preempt delay minimum 180
     standby 2 authentication accvlan10
    ip route 192.168.20.0 255.255.255.0 10.10.11.5
    Core Switch -Main
    interface Vlan10
     description ***Connected to AC-SW-01 PORT G0/1***
     ip address 10.10.11.4 255.255.255.248
     standby 1 ip 10.10.11.5
     standby 1 timers msec 200 msec 750
     standby 1 preempt delay minimum 180
     standby 1 authentication crvlan10
    ip route 192.168.40.0 255.255.255.0 10.10.11.2
    Core Switch -Backup
    interface Vlan10
     description ***Connected to AC-SW-02 PORT G0/1***
     ip address 10.10.11.6 255.255.255.248
     standby 1 ip 10.10.11.5
     standby 1 priority 10
     standby 1 timers msec 200 msec 750
     standby 1 preempt delay minimum 180
     standby 1 authentication crvlan10
    ip route 192.168.40.0 255.255.255.0 10.10.11.2

  • Can oracle audit logs keep info of Blocking or blacklisting a user ID, terminal or access port, and the reason for the action?

    Hello,
    I am workin on Oracle 11G STIGs and one STIGs states that audit log should include followings;
    - User ID.
    - Successful and unsuccessful attempts to access security files
    - Date and time of the event.
    - Type of event.
    - Success or failure of event.
    - Successful and unsuccessful logons.
    - Denial of access resulting from excessive number of logon attempts.
    - Blocking or blacklisting a user ID, terminal or access port, and the reason for the action.
    - Activities that might modify, bypass, or negate safeguards controlled by the system.
    I know how to enable audit trial with OS or DB, EXTENDED levels.  However, I could not find if it is possible that audit logs can contain info of Blocking or blacklisting a user ID, terminal or access port, and the reason for the action.

    2687254 wrote:
    Hello,
    I am workin on Oracle 11G STIGs and one STIGs states that audit log should include followings;
    - User ID.
    - Successful and unsuccessful attempts to access security files
    - Date and time of the event.
    - Type of event.
    - Success or failure of event.
    - Successful and unsuccessful logons.
    - Denial of access resulting from excessive number of logon attempts.
    - Blocking or blacklisting a user ID, terminal or access port, and the reason for the action.
    - Activities that might modify, bypass, or negate safeguards controlled by the system.
    I know how to enable audit trial with OS or DB, EXTENDED levels.  However, I could not find if it is possible that audit logs can contain info of Blocking or blacklisting a user ID, terminal or access port, and the reason for the action.
    Think about that.  If the port or terminal (client ip address) is blocked, then the communication never got to the database.  So how would the database be able to audit an action that never got there?

  • Setting up Access Manager and Directory Server for Failover.

    I'm setting up 2 Access Managers AM1,AM2 and 2 Directory Servers DS1 and DS2 for failover. I've connected AM1 and AM2 to DS1. Suffixes of DS1 is replicated to DS2. Any change made to AM1 is replicated to AM2 as expected. I just patched AM1 with Access Manager patch 1 and the version information for AM1 shows 7.1 126359-01. I followed the same procedure to patch AM2 but AM2 still shows ver 7.1.
    How do I make sure both Access Managers are patched to the same version?
    I'm able to authenticate to one IIS6 site and authentication is passed on to Outlook Web Access on AM1 but when I shut down AM1 to test failover to AM2 OWA prompts me again for password. How do I resolve this?
    On AM1 http://host.domain/amserver/UI/Login?realm=sso successfully logs in but the same on AM2 gives Warning that "You have already logged in. Do you want to log out and then login to a different organization?"
    Please help !!!

    I'll answer what bits I can:
    Q: AM showing the same version?
    A: No idea on this one. I would have expected the operation you described to have produced the right answer. Check that neither your application server nor your web browser are caching old pages (ctrl-F5 in my browser)
    Q: How do I resolve re-authentication on failover?
    A: The AM documentation includes a deployment example that covers pretty closely what it is you are trying to achieve:
    http://docs.sun.com/app/docs/doc/820-2278
    Specifically, the problem you are describing is related to session failover. The sessions are stored in a local DB so when you failover the backup server does not store the same information and hence requires a reauthentication. The section of the above doc that deals with this is here:
    http://docs.sun.com/app/docs/doc/820-2278/gdsre?l=en&a=view
    Q: "You have already logged in" warning
    A: No idea. Sorry.
    R

  • I pressed and held the sleep/wake switch and home buttons for about 15 seconds until the apple logo appears on the screen but it is stuck and wont go any further

    please help

    Try to force your phone into recovery mode. Disconnect it from the computer's USB cord. Turn it off if you can by holding the sleep/wake switch until you see the red slide to off. If you can't turn it off, please continue. Press and hold the home button while plugging it into the computer's USB cord. Continue holding the Home button while iPhone starts up. While starting up, you will see the Apple logo. When you see "Connect to iTunes" on the screen, you can release the Home button and iTunes will display the recovery mode message.  http://support.apple.com/kb/HT1808
    Then you can restore your phone:  http://support.apple.com/kb/HT1414

  • High Latency and Patket drop towards Access Switches.

    Hi,
      My network Infrastructure consists of 2 core switches(cisco 3950, 24 port) and 3 access switches (cisco 2960G, 48port). No distribution layer.Both Core switches are connected to the BVI of a VPN router.PVST is running in all switches. The STP results are all good. We have 3 VLAN's in the LAN an IP routing is enables in the core switch. The network diagram is attached.
    The issue we are facing is that , we get intermittent packet drops while pinging towords the access switches, and there is always a higher latency towords these assess switches.These issues are present even with no other users using the LAN. But these issues are not present while pinging towards the GW.
      I guess, it is because of this, we have issues the accessing file server in the LAN. How do we go ahead with the troubleshooting. Will upgrading the IOS help resolve this.The present version details is..
    WS-C2960G-48TC-L   12.2(44)SE6           C2960-LANBASEK9-M
    Thanks in advance for the help.

    Hi,
    Do you still have this problem of is it solved?
    i have the same kind of issue, so any help or information is welcome!
    Tom

  • My iPad 3 will not change the orientation to landscape mode. I have checked the orientation switch and turned it off for a reset neither of which fixes the problem.

    My iPad 3 will not change the orientation to landscape mode. I have checked the orientation switch and turned off for a reset. Neither fixes the problem. What can I do?

    Is it lock in the Control Center? (tap to enlarge)

  • Catalyst Express 500 Switch and wlan roaming problem.

    Hi everybody.
    We are using Catalyst Express switches and air-1121G for a wlan network covering a hotel. When we set the smartport-setting on switch to "access-point" users cannot move from one access-point to another. Setting the smartport-role to "other" solves the problem.
    Has anybody made the same experience ?

    Hi
    This is a known issue and the workaround you have used is the best but
    this issue has been solved in the new IOS release
    i would suggest you to upgrade the IOS for the Catalyst 500 and this should solve the problem
    the IOS code is CE500 IOS 12.2.20.SEG
    Hope this help
    Sayed Abdelrahman

  • Output determination and Printer determination for  both PO and GR

    Dear all,
    Can anyone please help me in congiguring the output determination and printer determination for  both PO and GR. please give me detailed configuration including the paths as i am stuck with the configuration.
    Thanks & Warm Regards
    Somashekar Anand

    hi Somashekar
    follow he steps
    Output of Purchase Order
    1. Condition Table
    SPRO > Material Management> Purchasing -> Message -> Output Control->Condition Tables->Define Condition Table for Purchase Order
    Select:
    Purchasing Doc. Type,
    Purch. Organization,
    Vendor
    2. Access Sequences
    SPRO -> Material Management-> Purchasing -> Message -> Output Control->Access Sequences->Define Condition Table for Purchase Order
    3. Message Type
    SPRO -> Material Management-> Purchasing -> Message -> Output Control->Message Types->Define Message Type for Purchase Order
    *4. Message Determination Schemas*
    4.1. Message Determination Schemas
    SPRO -> Material Management-> Purchasing -> Message -> Output Control->Message Schema->Define Message Schema for Purchase Order-> Maintain Message Determination Schema
    4.2. Assign Schema to Purchase Order
    SPRO -> Material Management-> Purchasing -> Message -> Output Control->Message Schema->Define Message Schema for Purchase Order-> Assign Schema to Purchase Order
    5. Partner Roles per Message Type
    SPRO -> Material Management-> Purchasing -> Message -> Output Control-> Partner Roles per Message Type ->Define Partner Role for Purchase Order
    6. Condition Record
    Navigation Path: SAP Menu-> Logistics -> Material Management -> Purchasing-> Master data->Messages-> Purchase Order-> MN04-> Create
    Now you create PO (ME21N) and save it. Go to ME22N and print the PO by giving output type.
    Output of GR
    After setting table, access sequence and output type for GR,run MB02 transaction, enter material document number. Double click one line item and select messages. Separate screen will be opened to configure outputs. Give the required fields and save the document. Now Run MB90, you can take printout. Output Type: WE03 or WE01 or WE02
    Reward points if helpful
    Thanks and regards
    Ravikant Dewangan

  • Shared folders (Windows file shares) show access denied and do not prompt for credentials

    Scenario:
    Like other admins, I log on and work as a 'standard user' (usera) with no admin rights anywhere in the domain, to perform admin tasks I have another account (userb) which I authenticate with as and when required. userb has been allocated/delegated permissions
    as required.
    Problem: 
    When trying to connect to shared folders on servers (2008 R2) using a UNC patch via Windows Explorer (Win 7 Ent.), I see an access denied error and do not get an option to supply alternative credentials.
    If I try to connect to the admin shares on the same server (\\server\C$ or \\server\e$) I get an access denied message AND get prompted for credentials. I supply my admin account and gain access as expected.
    If I check share and storage management when attempting to connect, I see that Windows is trying to connect me to each share as usera (which has no access). I understand why I get access denied at this point, but not why it can't just prompt me to supply an
    account that does have access. When trying the admin shares I also see the usera account, but I get a prompt to supply a user who does have access.
    Share permissions on the folders are for example 'Everyone' Full Control.  NTFS permissions are 'userb' has modify (read, execute, list, traverse etc) via a 'Server Admins' AD Universal security group.
    Note: If I do a NET USE from CMD and use the /USER switch, I can access the shares fine. But this is not great for accessing shared folders on the fly from various computers.
    How can I get the other shares on the server to prompt me, rather than just say access denied?
    Many thanks.

    Try to disable guest user from the server
    If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY
    suggestion in a test environment before implementing!

  • Has anyone deployed converged access with 3850 switches and 5760 WLCs?

    Has anyone deployed a converged access network architecture with 3850 switches and 5760 WLCs? I have done lots of projects with the 5508 WLCs In a centralized deployment. Basically with this design, I manage 2 logical networks as the wireless network is an overlay over the wired network. I can design firewall to segregate traffic between the wired and wireless hence I can carry both staff and guest traffic.
    Now Cisco is telling us that there is new design such that the dats plane traffic can be dropped locally through the 3850 switched. I am not sold on this and have not found any recommended best practices on when should we use a converged access architecture.
    Pros
    With converged access, data traffic is terminated at the MA which is on the switches, hence the WLC will not be a bottleneck? This is to prepare adoption for 802.11ac?
    Less hops for voice calls from user A to user B as data control traffic is dropped locally.
    Cons
    Now how do I segregate guest and staff traffic if my security folks say I need a firewall?
    Troubleshooting wireless client mobility will be a nightmare as the 3850 switches are MA.
    Pushing and upgrading code for the Code will mean upgrading the stack of switches in the LAN riser. This will be painful in a huge campus environment like an university.
    Can someone convince me why would a customer choose converged access?
    Sent from Cisco Technical Support iPad App

    They choose CA because of the capwap termination at the switch. You can still use a 5508 and tunnel guest to a DMZ segment if you wish. You will need a 5508 though is you want to tunnel traffic to an anchor WLC.
    Sent from Cisco Technical Support iPhone App

  • Plse...help me on the communicating between CLEAN ACCESS MANAGER and Switch 3560E-24Ps by snmp

    Dear All,
    I try to configure in both Clean Access Manager and Switch 3560E-24Ps on SNMP Version 2 protocol but I can't make it working together (For CAM and Switch 3560G-48Ps I can do that). Plse give me any suggestion to solve that problem. All configuration is as below:

    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cam/412_cam_book.html

  • FlexConnect local/central switched and Access-Accept Packets

    For our branch offices’s wireless access, we would like to use FlexConnect with one SSID and two distinct user profiles:
    •  Full network access, local switched.
    •  Limited network access, central switched:
    ◦       To isolate traffic from the branch’s LAN.
    ◦       To force traffic through a firewall at the central site.
    ▪       To ease access rules management.
    ◦       Internet access only by default.
    ▪       Internet access is located at the central site.
    ▪       We expect to manage some exceptions to the rule.
    We know that it’s not possible to switch from local to central switched using the same SSID with FlexConnect and AAA Override.
    However, we found an interesting bit in the documentation pages regarding RADIUS attributes:
    Authentication Attributes Honored in Access-Accept Packets (Airespace)
    VAP ID
    This attribute indicates the WLAN ID of the WLAN to which the client should belong. When the WLAN-ID attribute is present in the RADIUS Access Accept, the system applies the WLAN-ID (SSID) to the client station after it authenticates. [...]
    Source:
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration/guide/b_cg76/b_cg76_chapter_0101000.html#reference_327F94A40AAE46E48153B265E521DDCF
    We then made an assumption that the following was possible:
    •  Create a second SSID
    ◦       Broadcast not enabled
    ◦       Central Switched
    •  Users would authenticate using the first SSID
    •  In it’s access-accept packet, the RADIUS server would return an
    Airespace-WLAN-Id attribute with the value of the second SSID.
    •      The WLC would then assign the second SSID to the users so they’re central switched and forwarded through the firewall at the main site.
    So far, our tests showed no results.
    •  Is that solution achievable at all? It seemed so from the documentation, but we haven’t found any documented evidence that someone actually tried it.
    •  If not, what would you recommend?
    For RADIUS, we are using Microsoft 2012r2 NPS servers. Everything’s been working fine with them so far. We can do AAA vlan override for our main site and with FlexConnect also, without any problems. What’s not working is the local/central switched scenario we’re trying to pull off. The RADIUS server sends the Airespace-WLAN-Id attribute from what I see with Wireshark, but the WLC does not seem to react to it like I thought it would. I couldn’t find a debug command that would tell me what the WLC does with the attributes from the access-accept packet. Maybe the behaviour I’m experiencing is to be expected, that’s what I would like to know.
    Thank you very much,

    Your WLAN is defined with as centrally switched or locally switched, AAA override will not chage that value.  AAA attributes can change a users vlan, acl and QoS.  The other attributes are intended to use for rules... example:
    Is the user part of this AD group and is this user on WLAN ID=1.
    You will not be able to go from centrally switched to locally swithed and vice versa.  I don't know how you would be able to achieve what your trying to acomplish with one SSID to be honest.

  • [solved] DHCP snooping in environment with core and access switches

    Hello,
    I'd like to know what steps are needed to configure DHCP snooping in my environment:
    1) two core switches Catalyst 6500 (VSS): VLAN defined here, DHCP server connected here
    2) access switches Catalyst 3750: clients connected here
    Access switches are connected to core ones via trunk ports (fiber optics).
    How many snooping databases are required?  One for core and next for each stack?

    Hi Marian,
    If your network is properly designed and connected so that clients, including DHCP clients, are attached to the access layer switches, then the DHCP Snooping should be run only on access switches. Running DHCP Snooping on core switches is not going to increase the security because the DHCP communication has already been sanitized on the access layer.
    If you intend to save the DHCP Snooping database then each switch performing the DHCP Snooping needs to have its own database if you intend to use a persistent storage for it. However, you can always have the switch to save the database to its own FLASH, alleviating the need for a centralized networked storage.
    I am not sure if this answers your question so please feel welcome to ask further.
    Best regards,
    Peter

Maybe you are looking for

  • [CRM 5.0] How to add file attachements to created ticket (transaction)

    Hi! I have to do engancement and need to add file attachements to tickets (transaction) documents. I made ticket creation but I don't know how to add file attachements to it. Could someone help? Mayby some function module name? Thanks for response! K

  • Program similar to mRemote

    Hi Archers, I have many windows and Linux servers to manage so that I want to have a program like mRemote so that I can SSH, Remote desktop, etc to access the server. it is very sad that mRemote is supported only in Microsoft Windows. Do you guys kno

  • Muse application won't open

    I just got my Team membership and everything opened except Muse. It keeps saying my membership expired. We joined for a year. What's going on?

  • Whatsapp for Mac mini through bluestacks

    how to download a new version of whatsapp.app to run in my macmini through bluestacks.plese someone help me sending a download link.

  • Safari crashes since upgrade from OS 10.2 to  OS 10.4.7

    Immediately upon upgrading OS software I have been unable to open Safari. I get the following dialogue box each time: The application Safari quit unexpectedly. Mac OSX and other applications are not affected. Click Reopen to open the application agai