Access switches and APs for BYOD
Good day,
I'm reading the BYOD document and found that the switches and APs below are the only ones listed in their design. Does that mean normal 3560s and 11xx series APs can't support a BYOD solution using ISE? Could someone confirm, please?
Catalyst switches:
Catalyst 3750-X
Catalyst 3560-X
Catalyst 4500E Sup7-E
APs:
AP3502
AP3602
thanks in advance for your input.
cheers,
mhon
The 3560s that can run the code specified in this chart should be able to support ISE -
http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp55038
The APs that can support the controller code in the above guide should work as well; however, if you want to run the AP in standalone mode and it does not support features such as CoA, then you will have to dedicate an inline posture node in order to get the full features of Cisco ISE.
Thanks,
Tarik Admani
*Please rate helpful posts*
Similar Messages
-
In a Carrier Ethernet domain, could someone please help me understand the basic difference between an Access Switch and an Aggregation Switch, both in terms of s/w and h/w functionality? MEF deals with OAM, CFM and EVC provisioning only at the access edge switches. Do we need to repeat all these at the aggregation level, or is it just used for routing purposes? Do we have a separate Fault Management at the aggregation level?
Duplicate posts. :P
Go here: https://supportforums.cisco.com/discussion/12137156/what-are-major-differences-between-access-switch-and-aggregation-switch-wrt -
HSRP between 2 access switches and 2 core switches
Hi, I am looking at running HSRP between 2 access switches and 2 core switches for client PC and server network next-hop redundancy, as per the attached setup.
As you can see, I have used one /29 network for connecting the CORE & ACCESS switches and configured Interface VLAN10 (Layer 3 SVI) with the shown IPs and standby IP (VIP). G0/1 on the Access Switches & G2/1 on the Core Switches are access ports for VLAN10.
There is an L2 trunk interconnecting the Core-Main/Backup as well as the Access-Main/Backup switches, allowing VLAN10 so that VLAN10's HSRP packets can pass through (apart from other HSRP instances).
Below are the HSRP & trunk configuration on the Core and Access switches. Please have a look and suggest if they are correct in terms of HSRP implementation. As I can see, on both sides the HSRP master & standby status are fine as desired, but I can't ping the VIP of the ACCESS switch from the CORE switch, while the VIP of the CORE switch I can ping from the ACCESS switch.
Access-Main
interface GigabitEthernet0/1
description ***Connected to CR-SW-01 PORT G2/1***
switchport access vlan 10
switchport mode access
load-interval 30
interface GigabitEthernet0/2
description ***Connected to AC-SW-01 & AC-SW-02 for HRSP***
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,40
switchport mode trunk
load-interval 30
interface Vlan10
description ***Connected to CR-SW-01 PORT G2/1***
ip address 10.10.11.1 255.255.255.248
standby 1 ip 10.10.11.2
standby 1 timers msec 200 msec 750
standby 1 preempt delay minimum 180
standby 1 authentication accvlan10
Access-Backup
interface GigabitEthernet0/1
description ***Connected to CR-SW-02 PORT G2/1***
switchport access vlan 10
switchport mode access
load-interval 30
interface GigabitEthernet0/2
description ***Connected to AC-SW-01 & AC-SW-02 for HRSP***
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,40
switchport mode trunk
load-interval 30
interface Vlan10
description ***Connected to CR-SW-02 PORT G2/1***
ip address 10.10.11.3 255.255.255.248
standby 1 ip 10.10.11.2
standby 1 priority 10
standby 1 timers msec 200 msec 750
standby 1 preempt delay minimum 180
standby 1 authentication accvlan10
Core-Main
interface GigabitEthernet2/1
description ***Connected to AC-SW-01 PORT G0/1***
switchport access vlan 10
switchport mode access
load-interval 30
interface GigabitEthernet2/2
description ***Connected to CR-SW-01 & CR-SW-02 for HRSP***
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20
switchport mode trunk
load-interval 30
interface Vlan10
description ***Connected to AC-SW-01 PORT G0/1***
ip address 10.10.11.4 255.255.255.248
standby 1 ip 10.10.11.5
standby 1 timers msec 200 msec 750
standby 1 preempt delay minimum 180
standby 1 authentication crvlan10
Core-Backup
interface GigabitEthernet2/1
description ***Connected to AC-SW-02 PORT G0/1***
switchport access vlan 10
switchport mode access
load-interval 30
interface GigabitEthernet2/2
description ***Connected to CR-SW-01 & CR-SW-02 for HRSP***
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20
switchport mode trunk
load-interval 30
interface Vlan10
description ***Connected to AC-SW-02 PORT G0/1***
ip address 10.10.11.6 255.255.255.248
standby 1 ip 10.10.11.5
standby 1 priority 10
standby 1 timers msec 200 msec 750
standby 1 preempt delay minimum 180
standby 1 authentication crvlan10
Hi Rick, thanks once again. So I am assuming I should configure as below, and can still use one /29 subnet to connect these switches with the above static routings.
Access Switch-Main
interface Vlan10
description ***Connected to CR-SW-01 PORT G2/1***
ip address 10.10.11.1 255.255.255.248
standby 2 ip 10.10.11.2
standby 2 timers msec 200 msec 750
standby 2 preempt delay minimum 180
standby 2 authentication accvlan10
ip route 192.168.20.0 255.255.255.0 10.10.11.5
Access Switch-Backup
interface Vlan10
description ***Connected to CR-SW-02 PORT G2/1***
ip address 10.10.11.3 255.255.255.248
standby 2 ip 10.10.11.2
standby 2 priority 10
standby 2 timers msec 200 msec 750
standby 2 preempt delay minimum 180
standby 2 authentication accvlan10
ip route 192.168.20.0 255.255.255.0 10.10.11.5
Core Switch -Main
interface Vlan10
description ***Connected to AC-SW-01 PORT G0/1***
ip address 10.10.11.4 255.255.255.248
standby 1 ip 10.10.11.5
standby 1 timers msec 200 msec 750
standby 1 preempt delay minimum 180
standby 1 authentication crvlan10
ip route 192.168.40.0 255.255.255.0 10.10.11.2
Core Switch -Backup
interface Vlan10
description ***Connected to AC-SW-02 PORT G0/1***
ip address 10.10.11.6 255.255.255.248
standby 1 ip 10.10.11.5
standby 1 priority 10
standby 1 timers msec 200 msec 750
standby 1 preempt delay minimum 180
standby 1 authentication crvlan10
ip route 192.168.40.0 255.255.255.0 10.10.11.2 -
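As an added example (not from the original post), a small Python check for the situation above. With HSRP version 1 the virtual MAC address is derived from the group number, so the access pair and the core pair, both using group 1 on VLAN 10, answer to the same virtual MAC 0000.0c07.ac01 for two different virtual IPs on one Layer 2 segment; the follow-up moves the access pair to group 2, which the check then passes. The device names and trimmed SVI configs below are constructed from the post.

```python
import re
from collections import defaultdict

# Constructed input (not from the thread): the four VLAN 10 SVIs from the
# original configuration, trimmed to the lines the check needs. Both the
# access pair and the core pair use HSRP group 1 on the same VLAN.
CONFIGS_ORIGINAL = {
    "Access-Main": """interface Vlan10
 ip address 10.10.11.1 255.255.255.248
 standby 1 ip 10.10.11.2
 standby 1 authentication accvlan10""",
    "Access-Backup": """interface Vlan10
 ip address 10.10.11.3 255.255.255.248
 standby 1 ip 10.10.11.2
 standby 1 priority 10
 standby 1 authentication accvlan10""",
    "Core-Main": """interface Vlan10
 ip address 10.10.11.4 255.255.255.248
 standby 1 ip 10.10.11.5
 standby 1 authentication crvlan10""",
    "Core-Backup": """interface Vlan10
 ip address 10.10.11.6 255.255.255.248
 standby 1 ip 10.10.11.5
 standby 1 priority 10
 standby 1 authentication crvlan10""",
}

# The follow-up in the thread moves the access pair to group 2.
CONFIGS_REVISED = {
    dev: cfg.replace("standby 1", "standby 2") if dev.startswith("Access") else cfg
    for dev, cfg in CONFIGS_ORIGINAL.items()
}

def hsrp_v1_vmac(group):
    """HSRP version 1 virtual MAC is 0000.0c07.acXX with XX = group number."""
    return "0000.0c07.ac%02x" % group

def parse_standby(config):
    """Yield (vlan, group, keyword, value) for standby ip/authentication lines."""
    vlan = None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"interface vlan(\d+)$", line, re.I)
        if m:
            vlan = int(m.group(1))
            continue
        m = re.match(r"standby (\d+) (ip|authentication) (\S+)", line)
        if m and vlan is not None:
            yield vlan, int(m.group(1)), m.group(2), m.group(3)

def audit_hsrp(configs):
    """Return findings for devices whose SVIs share one Layer 2 segment."""
    vips = defaultdict(set)   # (vlan, group) -> virtual IPs using that group
    auths = defaultdict(set)  # (vlan, group, vip) -> authentication strings seen
    for cfg in configs.values():
        attrs = defaultdict(dict)
        for vlan, group, key, value in parse_standby(cfg):
            attrs[(vlan, group)][key] = value
        for (vlan, group), a in attrs.items():
            if "ip" in a:
                vips[(vlan, group)].add(a["ip"])
                auths[(vlan, group, a["ip"])].add(a.get("authentication", "<none>"))
    findings = []
    for (vlan, group), ips in sorted(vips.items()):
        if len(ips) > 1:  # two HSRP pairs would answer for the same virtual MAC
            findings.append("VLAN %d: group %d is reused by virtual IPs %s, all mapped "
                            "to virtual MAC %s" % (vlan, group, sorted(ips), hsrp_v1_vmac(group)))
    for (vlan, group, vip), seen in sorted(auths.items()):
        if len(seen) > 1:
            findings.append("VLAN %d: group %d (%s) has mismatched authentication %s"
                            % (vlan, group, vip, sorted(seen)))
    return findings
```

Running audit_hsrp(CONFIGS_ORIGINAL) reports the shared virtual MAC on VLAN 10; audit_hsrp(CONFIGS_REVISED) returns no findings.
-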
Hello,
I am working on Oracle 11G STIGs and one STIG states that the audit log should include the following:
- User ID.
- Successful and unsuccessful attempts to access security files
- Date and time of the event.
- Type of event.
- Success or failure of event.
- Successful and unsuccessful logons.
- Denial of access resulting from excessive number of logon attempts.
- Blocking or blacklisting a user ID, terminal or access port, and the reason for the action.
- Activities that might modify, bypass, or negate safeguards controlled by the system.
I know how to enable the audit trail with OS or DB, EXTENDED levels. However, I could not find whether audit logs can contain info on blocking or blacklisting a user ID, terminal or access port, and the reason for the action.
2687254 wrote:
Think about that. If the port or terminal (client IP address) is blocked, then the communication never got to the database. So how would the database be able to audit an action that never got there? -
Setting up Access Manager and Directory Server for Failover.
I'm setting up 2 Access Managers AM1,AM2 and 2 Directory Servers DS1 and DS2 for failover. I've connected AM1 and AM2 to DS1. Suffixes of DS1 is replicated to DS2. Any change made to AM1 is replicated to AM2 as expected. I just patched AM1 with Access Manager patch 1 and the version information for AM1 shows 7.1 126359-01. I followed the same procedure to patch AM2 but AM2 still shows ver 7.1.
How do I make sure both Access Managers are patched to the same version?
I'm able to authenticate to one IIS6 site and authentication is passed on to Outlook Web Access on AM1 but when I shut down AM1 to test failover to AM2 OWA prompts me again for password. How do I resolve this?
On AM1 http://host.domain/amserver/UI/Login?realm=sso successfully logs in but the same on AM2 gives Warning that "You have already logged in. Do you want to log out and then login to a different organization?"
Please help!!!
I'll answer what bits I can:
Q: AM showing the same version?
A: No idea on this one. I would have expected the operation you described to have produced the right answer. Check that neither your application server nor your web browser is caching old pages (Ctrl-F5 in my browser).
Q: How do I resolve re-authentication on failover?
A: The AM documentation includes a deployment example that covers pretty closely what it is you are trying to achieve:
http://docs.sun.com/app/docs/doc/820-2278
Specifically, the problem you are describing is related to session failover. The sessions are stored in a local DB so when you failover the backup server does not store the same information and hence requires a reauthentication. The section of the above doc that deals with this is here:
http://docs.sun.com/app/docs/doc/820-2278/gdsre?l=en&a=view
Q: "You have already logged in" warning
A: No idea. Sorry.
R -
please help
Try to force your phone into recovery mode. Disconnect it from the computer's USB cord. Turn it off if you can by holding the sleep/wake switch until you see the red slide to off. If you can't turn it off, please continue. Press and hold the home button while plugging it into the computer's USB cord. Continue holding the Home button while iPhone starts up. While starting up, you will see the Apple logo. When you see "Connect to iTunes" on the screen, you can release the Home button and iTunes will display the recovery mode message. http://support.apple.com/kb/HT1808
Then you can restore your phone: http://support.apple.com/kb/HT1414 -
High Latency and Packet Drop towards Access Switches.
Hi,
My network infrastructure consists of 2 core switches (Cisco 3950, 24 port) and 3 access switches (Cisco 2960G, 48 port). No distribution layer. Both core switches are connected to the BVI of a VPN router. PVST is running in all switches. The STP results are all good. We have 3 VLANs in the LAN and IP routing is enabled in the core switch. The network diagram is attached.
The issue we are facing is that we get intermittent packet drops while pinging towards the access switches, and there is always higher latency towards these access switches. These issues are present even with no other users using the LAN, but they are not present while pinging towards the GW.
I guess it is because of this that we have issues accessing the file server in the LAN. How do we go ahead with the troubleshooting? Will upgrading the IOS help resolve this? The present version details are:
WS-C2960G-48TC-L 12.2(44)SE6 C2960-LANBASEK9-M
Thanks in advance for the help.
Hi,
Do you still have this problem, or is it solved?
I have the same kind of issue, so any help or information is welcome!
Tom -
My iPad 3 will not change the orientation to landscape mode. I have checked the orientation switch and turned off for a reset. Neither fixes the problem. What can I do?
Is it locked in the Control Center?
-
Catalyst Express 500 Switch and wlan roaming problem.
Hi everybody.
We are using Catalyst Express switches and AIR-1121G APs for a WLAN covering a hotel. When we set the smartport setting on the switch to "access-point", users cannot move from one access point to another. Setting the smartport role to "other" solves the problem.
Has anybody had the same experience?
Hi,
This is a known issue and the workaround you have used is the best, but
this issue has been solved in the new IOS release.
I would suggest you upgrade the IOS for the Catalyst 500 and this should solve the problem.
The IOS code is CE500 IOS 12.2.20.SEG.
Hope this helps,
Sayed Abdelrahman -
Output determination and Printer determination for both PO and GR
Dear all,
Can anyone please help me in configuring the output determination and printer determination for both PO and GR? Please give me the detailed configuration including the paths, as I am stuck with the configuration.
Thanks & Warm Regards
Somashekar Anandhi Somashekar
Follow the steps:
Output of Purchase Order
1. Condition Table
SPRO > Material Management> Purchasing -> Message -> Output Control->Condition Tables->Define Condition Table for Purchase Order
Select:
Purchasing Doc. Type,
Purch. Organization,
Vendor
2. Access Sequences
SPRO -> Material Management-> Purchasing -> Message -> Output Control->Access Sequences->Define Condition Table for Purchase Order
3. Message Type
SPRO -> Material Management-> Purchasing -> Message -> Output Control->Message Types->Define Message Type for Purchase Order
4. Message Determination Schemas
4.1. Message Determination Schemas
SPRO -> Material Management-> Purchasing -> Message -> Output Control->Message Schema->Define Message Schema for Purchase Order-> Maintain Message Determination Schema
4.2. Assign Schema to Purchase Order
SPRO -> Material Management-> Purchasing -> Message -> Output Control->Message Schema->Define Message Schema for Purchase Order-> Assign Schema to Purchase Order
5. Partner Roles per Message Type
SPRO -> Material Management-> Purchasing -> Message -> Output Control-> Partner Roles per Message Type ->Define Partner Role for Purchase Order
6. Condition Record
Navigation Path: SAP Menu-> Logistics -> Material Management -> Purchasing-> Master data->Messages-> Purchase Order-> MN04-> Create
Now you create PO (ME21N) and save it. Go to ME22N and print the PO by giving output type.
Output of GR
After setting up the table, access sequence and output type for GR, run the MB02 transaction and enter the material document number. Double-click one line item and select messages. A separate screen will open to configure outputs. Fill in the required fields and save the document. Now run MB90 and you can take a printout. Output Type: WE03 or WE01 or WE02
Reward points if helpful
Thanks and regards
Ravikant Dewangan -
Shared folders (Windows file shares) show access denied and do not prompt for credentials
Scenario:
Like other admins, I log on and work as a 'standard user' (usera) with no admin rights anywhere in the domain; to perform admin tasks I have another account (userb) which I authenticate with as and when required. userb has been allocated/delegated permissions as required.
Problem:
When trying to connect to shared folders on servers (2008 R2) using a UNC path via Windows Explorer (Win 7 Ent.), I see an access denied error and do not get an option to supply alternative credentials.
If I try to connect to the admin shares on the same server (\\server\C$ or \\server\e$) I get an access denied message AND get prompted for credentials. I supply my admin account and gain access as expected.
If I check Share and Storage Management when attempting to connect, I see that Windows is trying to connect me to each share as usera (which has no access). I understand why I get access denied at this point, but not why it can't just prompt me to supply an account that does have access. When trying the admin shares I also see the usera account, but I get a prompt to supply a user who does have access.
Share permissions on the folders are for example 'Everyone' Full Control. NTFS permissions are 'userb' has modify (read, execute, list, traverse etc) via a 'Server Admins' AD Universal security group.
Note: If I do a NET USE from CMD and use the /USER switch, I can access the shares fine. But this is not great for accessing shared folders on the fly from various computers.
How can I get the other shares on the server to prompt me, rather than just say access denied?
Many thanks.
Try to disable the guest user on the server.
If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing! -
Has anyone deployed converged access with 3850 switches and 5760 WLCs?
Has anyone deployed a converged access network architecture with 3850 switches and 5760 WLCs? I have done lots of projects with the 5508 WLCs in a centralized deployment. Basically, with this design I manage 2 logical networks, as the wireless network is an overlay over the wired network. I can design a firewall to segregate traffic between the wired and wireless networks, hence I can carry both staff and guest traffic.
Now Cisco is telling us that there is a new design such that the data plane traffic can be dropped locally through the 3850 switches. I am not sold on this and have not found any recommended best practices on when we should use a converged access architecture.
Pros
With converged access, data traffic is terminated at the MA which is on the switches, hence the WLC will not be a bottleneck? This is to prepare adoption for 802.11ac?
Less hops for voice calls from user A to user B as data control traffic is dropped locally.
Cons
Now how do I segregate guest and staff traffic if my security folks say I need a firewall?
Troubleshooting wireless client mobility will be a nightmare as the 3850 switches are MA.
Pushing and upgrading code for the Code will mean upgrading the stack of switches in the LAN riser. This will be painful in a huge campus environment like an university.
Can someone convince me why would a customer choose converged access?
Sent from Cisco Technical Support iPad App
They choose CA because of the CAPWAP termination at the switch. You can still use a 5508 and tunnel guest traffic to a DMZ segment if you wish. You will need a 5508, though, if you want to tunnel traffic to an anchor WLC.
Sent from Cisco Technical Support iPhone App -
Dear All,
I am trying to configure both the Clean Access Manager and a Switch 3560E-24PS with the SNMP version 2 protocol, but I can't make them work together (for the CAM and a Switch 3560G-48PS I can do that). Please give me any suggestion to solve that problem. All configuration is as below: http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cam/412_cam_book.html
-
FlexConnect local/central switched and Access-Accept Packets
For our branch offices’s wireless access, we would like to use FlexConnect with one SSID and two distinct user profiles:
• Full network access, local switched.
• Limited network access, central switched:
◦ To isolate traffic from the branch’s LAN.
◦ To force traffic through a firewall at the central site.
▪ To ease access rules management.
◦ Internet access only by default.
▪ Internet access is located at the central site.
▪ We expect to manage some exceptions to the rule.
We know that it’s not possible to switch from local to central switched using the same SSID with FlexConnect and AAA Override.
However, we found an interesting bit in the documentation pages regarding RADIUS attributes:
Authentication Attributes Honored in Access-Accept Packets (Airespace)
VAP ID
This attribute indicates the WLAN ID of the WLAN to which the client should belong. When the WLAN-ID attribute is present in the RADIUS Access Accept, the system applies the WLAN-ID (SSID) to the client station after it authenticates. [...]
Source:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration/guide/b_cg76/b_cg76_chapter_0101000.html#reference_327F94A40AAE46E48153B265E521DDCF
We then made an assumption that the following was possible:
• Create a second SSID
◦ Broadcast not enabled
◦ Central Switched
• Users would authenticate using the first SSID
• In its Access-Accept packet, the RADIUS server would return an Airespace-WLAN-Id attribute with the value of the second SSID.
• The WLC would then assign the second SSID to the users so they’re central switched and forwarded through the firewall at the main site.
So far, our tests showed no results.
• Is that solution achievable at all? It seemed so from the documentation, but we haven’t found any documented evidence that someone actually tried it.
• If not, what would you recommend?
For RADIUS, we are using Microsoft 2012r2 NPS servers. Everything’s been working fine with them so far. We can do AAA vlan override for our main site and with FlexConnect also, without any problems. What’s not working is the local/central switched scenario we’re trying to pull off. The RADIUS server sends the Airespace-WLAN-Id attribute from what I see with Wireshark, but the WLC does not seem to react to it like I thought it would. I couldn’t find a debug command that would tell me what the WLC does with the attributes from the access-accept packet. Maybe the behaviour I’m experiencing is to be expected, that’s what I would like to know.
Thank you very much,
Your WLAN is defined as either centrally switched or locally switched; AAA override will not change that value. AAA attributes can change a user's VLAN, ACL and QoS. The other attributes are intended for use in rules, for example:
Is the user part of this AD group, and is this user on WLAN ID=1?
You will not be able to go from centrally switched to locally switched and vice versa. I don't know how you would be able to achieve what you're trying to accomplish with one SSID, to be honest. -
[solved] DHCP snooping in environment with core and access switches
Hello,
I'd like to know what steps are needed to configure DHCP snooping in my environment:
1) two core switches Catalyst 6500 (VSS): VLAN defined here, DHCP server connected here
2) access switches Catalyst 3750: clients connected here
Access switches are connected to core ones via trunk ports (fiber optics).
How many snooping databases are required? One for the core and one for each stack?
Hi Marian,
If your network is properly designed and connected so that clients, including DHCP clients, are attached to the access layer switches, then DHCP Snooping should be run only on the access switches. Running DHCP Snooping on the core switches is not going to increase security, because the DHCP communication has already been sanitized at the access layer.
If you intend to save the DHCP Snooping database, then each switch performing DHCP Snooping needs its own database if you want persistent storage for it. However, you can always have the switch save the database to its own flash, alleviating the need for centralized networked storage.
I am not sure if this answers your question so please feel welcome to ask further.
Best regards,
Peter
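To make the placement advice above checkable, here is an added Python example (not from the thread, and not Cisco code) that audits an access-switch configuration the way Peter describes: snooping enabled on the client VLANs, the trunk toward the core trusted, client ports untrusted and rate-limited, and a binding database kept on local flash. The interface names, VLAN numbers and database filename are constructed for the example.

```python
import re

# Constructed configs (not from the thread) for a Catalyst access switch in the
# setup described: clients on VLAN 10, DHCP server reachable only via the core
# trunk. The weak version trusts a client port and keeps no snooping database.
CONFIG_WEAK = """ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet1/0/1
 switchport access vlan 10
 ip dhcp snooping trust
interface GigabitEthernet1/1/1
 switchport mode trunk
"""

CONFIG_FIXED = """ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping database flash:dhcp-snooping.db
interface GigabitEthernet1/0/1
 switchport access vlan 10
 ip dhcp snooping limit rate 15
interface GigabitEthernet1/1/1
 switchport mode trunk
 ip dhcp snooping trust
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,20,30-32' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse(config):
    """Split a flat IOS config into global lines and per-interface sub-commands."""
    glob, ifaces, cur = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif cur is not None and raw.startswith(" "):  # indented = sub-command
            ifaces[cur].append(line)
        elif line:
            cur = None
            glob.append(line)
    return glob, ifaces

def audit_dhcp_snooping(config):
    """Return a list of findings; an empty list means the config passes."""
    glob, ifaces = parse(config)
    findings = []
    if "ip dhcp snooping" not in glob:
        findings.append("DHCP snooping is not enabled globally")
    enabled = set()
    for line in glob:
        m = re.match(r"ip dhcp snooping vlan (\S+)$", line)
        if m:
            enabled |= expand_vlans(m.group(1))
    if not any(l.startswith("ip dhcp snooping database ") for l in glob):
        findings.append("no snooping database: bindings are lost on reload")
    for name, lines in ifaces.items():
        trusted = "ip dhcp snooping trust" in lines
        vlan = next((int(m.group(1)) for l in lines
                     if (m := re.match(r"switchport access vlan (\d+)", l))), None)
        if "switchport mode trunk" in lines and not trusted:
            findings.append(f"{name}: untrusted trunk, DHCP offers from the core are dropped")
        if vlan is not None:
            if trusted:
                findings.append(f"{name}: client port is trusted, a rogue server there is accepted")
            if vlan not in enabled:
                findings.append(f"{name}: VLAN {vlan} is not covered by 'ip dhcp snooping vlan'")
            if not any(l.startswith("ip dhcp snooping limit rate") for l in lines):
                findings.append(f"{name}: no DHCP rate limit on client port")
    return findings
```

audit_dhcp_snooping(CONFIG_WEAK) returns four findings (missing database, trusted client port, missing rate limit, untrusted uplink); audit_dhcp_snooping(CONFIG_FIXED) returns an empty list.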