ACS 5.3 Dot1x for Wired/Wireless

Similar Messages

• I would like to know what is the default timouts for wired/ wireless devices ..and how to reset it on Extreme.  Many thanks

  I would like to know what is the default timouts for wired/ wireless devices ..and how to reset it on Extreme.  Many thanks

  Wireless is "always on" with the AirPort Extreme. There are no settings to "time out" wireless on the AirPort Extreme. Those settings would be adjusted on each individual computer.

• 3750-X Dot1x for wired switch ports with ISE 1.2 doing eap-tls

  Hi,
  I currently have an authentication and authorization policy in ISE to allow machines that authenticate successfully with machine certificates to have full access.  If they fail, then they are denied.  And this works correctly.  However, the customer does not want to deny them access if they fail, but instead he would like the machines that fail authentication to have access only to the Internet.  I'm looking for some suggestions on what would be the best way to do this from a policy standpoint?  Also, this would be for devices that are IT devices, or part of the organization, as well as for devices that aren't, for example for contractors or guest and may or may not have wired dot1x services enabled on their laptop that they will be plugging in.  Any help is appreciated.
  Thanks....

  Hello. I can think of two solutions to your requirement:
  #1 (Preferred): Configure CWA (Central Web Authentication) to be your last method of authentication/authorization. That way any devices that fail both dot1x and mab would be send to the guest/web portal hosted by ISE. There users can login with either their AD credentials and/or their guest credentials. That way you can actually provide better/more access to AD type users vs true guests
  #2 (Less preferred): You can use the following command to authorize users/devices that fail dot1x to a "Guest/Internet" VLAN. Keep in mind though that if you use that then there is no "next method" so you cannot utilize mab:
    (config-if)#authentication event fail action authorize vlan  guest_vlan_id
  Thank you for rating helpful posts! 

• NAC Guest server for wired and wireless

  Hi
  My customer wants the NGS to install for both wired and wireless users. For wireless users we can integrate it with the WLC but i don't know how it will work for wired users at the same time. Pls suggest.
  Thanks

  Hi Vishal,
  Please note that if you want to return ACLs (and usually in wired web auth you need to), you will have to integrate with ACS as NGS itself cannot return ACLs in the reply radius attributes.
  Basically the process is as follows:
  1 - Client plugs cable on switch.
  2 - Web auth is triggered on the port.
  3 - default ACL permiting only DNS and DHCP is applyed so that the client PC can obtain IP address and open a browser.
  4 - Client will be redirected to the NGS hotspot login page.
  5 - Client will enter credentials.
  6 - Client broswer will send an HTTP POST packet containing the credentials.
  7 - The switch will intercept the POS packets and retrieve the credentials entered.
  8 - The switch will send Radius Access-Request to the ACS.
  9 - The ACS will use the NGS as External Identity source to authenticate the client.
  10 - The NGS will reply with Radius Access-Accept to the ACS and the ACS will reply to the switch including the ACL in the Access-Accept.
  11 - the Switch authorizes the client on the port and applies the ACL it received from the ACS.
  Please follow the document Nicolas posted as it is a good one.
  HTH,
  Thanks

• 802.1x EAP-TLS for wired users with ACS 5.5

  Hi All,
  We are configuring a new setup for wired users authentication with 802.1x(EAP-TLS). ACS 5.5 we are using as authentication server.
  We have added the root CA(internal) certificate and certifcate for ACS signed by CA. Now We want to check the authentication is working or not . I hope both root CA and identity certifcate also we need to install in the laptops. But I am not sure how to download the certifcates for client machine manually from CA.
  Kindly suggest on how to get certificates for clients both manually as well as automatically?
  Thanks,
  Vijay

  Hi Vijay,
     for the Wired 802.1x (EAP-TLS) you need to have following certificates:
  On ACS--- Root CA, Intermediate CA, Server Certificate
  On Client-- Root CA, Intermediate CA, User certificate(In case of user authentication) OR Machine certificae(In case of Machine authentication)
   I am not sure which third party certificate are you using, If its in house Microsoft or any other certificate server then you need download the client certificate from the server itself. 
  In case of Microsoft, There will be a template for user certificate. You can select it and create user certificate
  This one is an old document, But has steps to configure Machine certificate for the user, You can see the steps to download user certificate if its Microsoft server:
  http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-server-windows/43722-acs-eap.html#wc-2
  In case You are using the third party certificate serevr , Then you need to check with them on how to download the user certificate
  Cheers
  Minakshi(rate the helpful post)

• 802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment

  Currently Being Moderated
  802.1X for wired environments  using Radius/ACS for Dynamic Vlan Assignment
  Could someone please provide me with a simplest set of configuration steps to fire up Radius in ACS and 802.1X for dynamic vlan assignment. The objective is to roll out NAC L2 OOB using the 802.1X method for dymamic vlan assignments.
  If possible show:
  1. ACS/Radius Configurations.
  2. End User Switch Configurations
  Variables:
  Switch A
  MAC Address aaaa.bbbb.cccc     Vlan 10
              bbbb.cccc.dddd     Vlan 20
  Also, if someone posts the Pros and Cons of using Radius/ACS/802.1X for Dynamic Vlan Assignments.
  Other technology sets that can be used for Dynamic Vlan assignment EXCEPT from deprecated/obsolete VMPS.
  Thanks in advance. .

  Hi Guys,
      Hmmm, well if your just looking for Mac based authentication the good news is that is very easy.  Just set create your Radius server, ACS, FreeRadius, Steelbelted radius etc.  Then create user with the name of the Mac address, in other words if the mac address is 0012.0021.1122 the the name would be 001200211122 and the password would be the mac address.  Then you set the vlan and tunnel stuff, like so tunnel-Type would be vlan, Tunnel-medium would be 802 and Tunnel-Private-Group-ID is the name of the vlan(not the vlan number)
     So for the Cisco ACS 4.x you would create a user as specified above, fill in all the password boxes with MAC address, I believe the mac has to be all lower case in the name and the password.  Then check the Separate(Chap/MS-Chap/ARAP) box.  Then you pick the group the machine belongs to, the group is the part that defines what vlan it is on.
     Before you create the user, create the group with info I wrote above and in addition specify the Service-Type as Authenticate Only.
      Freeradius is a bit harder to configure the specifics and I am just now testing a freeradius server so I do not know the process for Machine authentication.
      If, however, you are trying to authenticate a user that gets a bit trickier and is not so straight forward.

• Best Network Settings for mostly wireless, sometimes wired?

  Folks:
  My household --4 desktops Macs, 2 MacBooks, all running 10.4.x or 10.5.x-- lives by using DSL via a Netopia router controlling a LAN, with Cat 5 strung to six desks. No problem there, everything works. Note: for historical reasons --because, mostly, I forget what they were-- all desktops have static IP addresses.
  But sometimes one of us wants to work in the house on a MacBook where there is no Cat 5 strung, that is, wirelessly. It's simple enough to set up a wireless server on one of the Airport-equipped desktops and make certain it stays awake.
  That works, too, as long as each MacBook is configured with separate Network Preference "Locations" -- one for "Wired" and one for "Wireless", and the wireless configuration is IPv4 using DHCP with IPv6 disabled. Specifically, this requires the user to switch the Location when he/she connects or disconnects a Cat 5 cable.
  My questions:
  1. Is there a way of configuring the MacBooks so they will work without the requirement switching the Location when removing or connecting a LAN cable?
  2. Can this configuration also accommodate what is needed for typical hotspots out there in "the outside world", as in coffee-shops, etc, again without switching the Network Preference Location?
  3. Bonus Questions: Would this problem be easier if I modified the wired system configuration to use DHCP instead of fixed IPs? By the way, the Netopia Router will assign addresses in the 192.168.0 to 192.168.15 range, no others.
  4. Double Bonus Questions: What are the responses to the above questions, if instead of serving the wireless from one of the desktops, we added a wired/wireless router, say, a D-LINK WBR1310B1 to the LAN? Yes, it's true, we have already tried that. (Our teenager bought and installed it without my...help.) It worked for a while, something unknown changed, and now wiring up the D-LINK brings down the entire LAN. In other words, what are the "issues" of running wired AND wirelessly, and using Airport remotes with a foreign (non-Apple) wireless router?
  TIA,
  Henry

  1. Is there a way of configuring the MacBooks so they will work without the requirement switching the Location when removing or connecting a LAN cable?
  Yes, but it's a little freaky (in other words, using the Location menu is the better solution).
  To do what you want you need to setup the wireless network on the desktop using a different subnet (e.g. 10.1.x.x) and enable internet sharing (System Preferences -> Sharing).
  Then connect the MacBook to the wireless network and make sure it's set for DHCP (the desktop Mac will act as a DHCP server for the wireless network).
  Now the kicker is to use MacBook's System Preferences -> Network -> Set Service Order to make sure the ethernet interface is above the AirPort interface. Now the MacBook will use the ethernet interface if it's there and fall back to the AirPort if the ethernet is down.
  2. Can this configuration also accommodate what is needed for typical hotspots out there in "the outside world", as in coffee-shops, etc, again without switching the Network Preference Location?
  Yes. Most hot-spots will require the use of DHCP on the client, which is the same as how it's set above.
  3. Bonus Questions: Would this problem be easier if I modified the wired system configuration to use DHCP instead of fixed IPs?
  Yes, but not significantly enough to worry about.
  What are the responses to the above questions, if instead of serving the wireless from one of the desktops, we added a wired/wireless router, say, a D-LINK WBR1310B1 to the LAN?
  The setup on the client would be the same - the main point is in setting the interface preferences so that the wired ethernet has precedence.
  However, a dedicated base station will offer other advantages such as WPA encryption (the Mac-based base station only offers the weaker WEP), and no requirement to leave the desktop Mac running.
  From a 'which base station' standpoint, the Apple base stations would be easier to run in an all-Mac environment, but most of the major brands now use web-based interfaces which make them reasonably easy to manage from a Mac. The issue with your D-Link is almost certainly one of misconfiguration rather than incompatibility, but without knowing how it was setup it's hard to advise further.

• EAP-TLS for Wireless network and PEAP for wired network

  Hello,
  it is possible to use EAP-TLS for Wireless network and PEAP for wired network on the same laptop (Windows 7).
  Thank you in advance.
  Thibault

  Yes, this is possible. You just need to properly configure each interface to use the EAP type you want.
  HTH,
  Steve
  Sent from Cisco Technical Support iPad App

• DHCP Server - Different Range for Wired and Wireless Network

  We have DHCP setup on Windows Server 2012r2 and the range given to us by the main HQ is 10.65.112.1-10.65.112.254 (there are several exclusions under this range)
  Now since the range gets exhausted quickly, they provided another one 10.65.122.1-10.65.122.254.
  What our branch would love to do is to dedicate the first range for Wired Computers and the other range for Wireless Devices (Phone,Tablets, Mobiles)
  Right now we have 2 different scopes setup in DHCP, the second one is disabled. In our network we have 6 access points and also have a CISCO SG300-52 Managed Switch. It has an inbuilt DHCP Server and also has the function for DHCP Relay. But we are not actually using any of its functionality as of now.
  So my question is how to have 2 separate ranges for wired and wireless network. People have mentioned vlans but I have no clue on how to get that done.
  Is there a simpler way avoding V-LANS or if not, would love to get step by step procedure on how to go about this. Any help will be much appreciated
  Regards,
  Sheldon

  Hi Sheldon, please read this post
  https://supportforums.cisco.com/thread/2270049
  You will need some modifications though. Steps 1-6 is very relevant. On step 6, you need to pay particular close attention to the "default router". If the SX300 handles your intervlan routing then the default router needs to be the IP of your VLAN. If you have a different device to handle VLAN routing then the default router needs to be that IP address.
  -Tom
  Please mark answered for helpful posts
  http://blogs.cisco.com/smallbusiness/

• How to control bandwidth for wired and wireless

  I have a wrtn400n dual band router and I was wondering if there is a way from the router settings that can lower internet connection for wired and wireless. Reason why its because I have 3 cousins that ALWAYS downloading music, videos, or watching a movie from an asian website. It lags me so much, that I can not even play online games. My ISP is comcast which is cable. I can barely surf on the net. Its like, they're taking up all my connection. I know there is a way to do it without cutting them off from the connection. It's a 2.4 and a 5.4ghz router and I can't find my 5.4ghz ssid on my wireless networking thing. My sister and I are wired connected while my cousins are wireless, but sometimes one of my cousins wire their laptop. The modem and router is connected to my computer. Please help me!!! I know theres a way to do this, but I just can't find out how!
  Message Edited by rayng6688 on 12-12-2009 03:38 AM

  Simple answer: it's impossible. See here.

• WRT310N: Help with DMZ/settings (firmware 1.0.09) for wired connection

  Hello. I have a WRT310N and have been having a somewhat difficult time with my xbox 360's connection. I have forwarded all the necessary ports (53, 80, 88, 3074) for it to run, and tried changing MTU and what-not.
  I don't know if I have DMZ setup incorrectly, or if it's my settings.
  Setup as follows:
  PCX2200 modem connected via ethernet to WRT310N. 
  The WRT310N has into ethernet port 1 a WAP54G, and then upstairs (so that my Mother's computer can get a strong signal) I have another WAP54G that I believe receives its signal from the downstairs 54G. 
  In the back of the WRT310N, I have my computer connected via ethernet port 3, and my Xbox 360 connected via ethernet port 4.
  Now, I first figured I just have so many connections tied to the router and that is the reason for being so slow. However, when I unplug all the other ethernet cords and nothing is connected wirelessly, except for my Xbox connected to ethernet port 4, it is still poor. Also, with everything connected (WAP54G and other devices wirelessly) I get on my PC and run a speedtest.  For the sake of advice, my speedtests I am running on my PC are (after 5 tests) averagely 8.5 Mbps download, and 1.00 Mbps upload, with a ping of  82ms.
  Here is an image of the results:
  http://www.speedtest.net][IMG]http://www.speedtest.net/result/721106714.png
  Let me add a little more detail of my (192.168.1.1) settings for WRT310N.
  For starters, my Father's IT guy at his workplace set up this WRT310N and WAP54G's. So some of these settings may be his doing. I just don't know which.
  "Setup" as Auto-configurations DHCP. I've added my Xbox's IP address to the DHCP reservation the IP of 192.168.1.104. This has (from what I've noticed) stayed the same for days.
  MTU: Auto, which stays at 1500 when I check under status.
  Advanced Routing: NAT routing enabled, Dynamic Routing disabled. 
  Security: Disabled SPI firewall, UNchecked these: Filter Anonymous Internet Requests, Multicast, and Internet NAT redirection.
  VPN passthrough: All 3 options are enabled (IPSec, PPTP, L2TP)
  Access Restrictions: None.
  Applications and Gaming: Single port forwarding has no entries. Port Range Forwarding I have the ports 53 UDP/TCP, 88 UDP, 3074 UDP/TCP, and 80 TCP forwarded to IP 192.168.1.104 enabled. (192.168.1.104 is the IP for my xbox connected via ethernet wired that is in DHCP reserved list)
  Port Range Triggering: It does not allow me to change anything in this page.
  DMZ: I have it Enabled. This is where I am a bit confused. It says "Source IP Address" and it has me select either "Any IP address" or to put entries to the XXX.XXX.XXX.XXX to XXX fields. I have selected use any IP address. Then the source IP area, it says "Destination:"  I can do either "IP address: 192.168.1.XXX" or "MAC address:" Also, under MAC Address, it says DHCP Client Table and I went there and saw my Xbox under the DHCP client list (It shows up only when the Xbox is on) and selected it.  
  Under QoS: WMM Enabled, No acknowledgement disabled.
  Internet Access Priority: Enabled. Upstream Bandwith I set it to Manual and put 6000 Kbps. I had it set on Auto before, but I changed it. I have no idea what to put there so I just put a higher number. 
  Then I added for Internet Access Priority a Medium Priority for Ethernet Port 4 (the port my xbox is plugged into).
  Administration: Management: Web utility access: I have checked HTTP, unchecked HTTPS.
  Web utility access via Wireless: Enabled. Remote Access: Disabled.
  UPnp: Enabled.
  Allow Users to Configure: Enabled.
  Allow users to Disable Internet Access: Enabled.
  Under Diagnostics, when I try and Ping test 192.168.1.104 (xbox when on and connected to LIVE), I get:
  PING 192.168.1.104 (192.168.1.104): 24 data bytes
  Request timed out.
  Request timed out.
  Request timed out.
  Request timed out.
  Request timed out.
  --- 192.168.1.104 data statistics ---
  5 Packets transmitted, 0 Packets received, 100% Packet loss
  Also, when I do Traceroute Test for my Xbox's IP, I just keep getting: 
  traceroute to 192.168.1.104 (192.168.1.104), 30 hops max, 40 byte packets
  1 * * * 192.168.1.1 Request timed out.
  2 * * * 192.168.1.1 Request timed out.
   As for the Wireless Settings, it is all on the default settings with Wi-Fi Protected setup Enabled.
  To add, I have tried connecting my modem directly to the Xbox and my connection is much improved. I have no difficulty getting the NAT open, for it seems my settings are working for that. Any help with these settings would be VERY much appreciated. 
  Message Edited by CroftBond on 02-18-2010 01:09 PM

  I own 2 of these routers (one is a spare) with the latest firmware and I have been having trouble with them for over a year.  In my case the connection speed goes to a crawl and the only way to get it back is to disable the SPI firewall.  Rebooting helps for a few minutes, but the problem returns.  All of the other fixes recommended on these forums did not help.  I found out the hard way that disabling the SPI Firewall also closes all open ports ignoring your port forwarding settings.  If you have SPI Firewall disabled, you will never be able to ping your IP from an external address.  Turn your SPI Firewall back on and test your Ping. 
  John

• Remote can't find iTunes on mix wired/wireless network

  I am trying to control music from a iMac running iTunes using the iPhone Remote app. I've previously done this successfully with a wireless only network (using the Airport Express wifi to join my existing wifi network etc).
  However, since introducing D-Link Homeplugs into my network, I am unable to 'see' the iTunes library from the Remote app when I connect wirelessly to the airport express.
  My hardware is configured as follows:-
  *Netgear Router (wireless disabled) -> Homeplug power network -> iMac running iTunes*
  And elsewhere on the Homeplug network, I have:
  H*omeplug power network -> Airport Express [set up as wireless access point]*.
  If I connect the Express to the iTunes machine directly - leaving the wireless access details the same - it all works fine. If I move the Airport Express and reconnect over the Homeplug network, the Remote fails to 'see' the library, although I can still send music over the network (using the iTunes interface on the iMac) to the remote speakers.
  My network uses the router as a DHCP (range 192.168.0.x mask 255.255.255.0), Airport Express is connected to Homeplug ethernet with a static IP (in the same range) and provides wireless access (unsecured for now while i get this working). The iMac has a static IP (in the same range). If I swap the iMac for a PC (XP - using DHCP from the router for IP), I get the same result. If I use an iPhone network application to view the network (connected by the wifi access point on the AX) then I can see all the machines on my network as I would expect.
  To reiterate, if I cable this network directly (either AX->iMac or AX->hub->iMac) then it works. As soon as I go AX->Homeplug power network->iMac then the Remote app loses sight of the library.
  I wouldn't expect any firewall on the wired->wireless networks on my router (a Sky branded Netgear 934g). I also didn't think that the Homeplugs would block.
  So does anyone have any ideas why the Remote application loses sight of my iTunes library when connecting via Airport Express cabled into a Homeplug ethernet network ?
  Thanks for any help because I miss my music
  cheers,
  Tim

  Hello,
  This is the same for me. Impossible to find a solution after.
  Can you help us.
  Thank

• How to setup a static IP for a wireless printer

  This problem has been ongoing for several versions of OS X and the last five printers I've had and I'm finally over messing with it.  For some reson, when using a wireless printer with OS X this is a repetetive problem, and I think if I configured the printer to a static IP address instead of using DHCP, it might work better.  At least once a week, if not more often, I'll print something and get the ubiquitous Dock error of "Printer is not connected".  The printer is still in Preferences, but if I delete it, then it doesn't show up as it should for selection.
  The only way to fix this is reboot, and then the printer shows up again in Preferences.  I select it and all is well again...until a few days pass and the same thing happens again.  Using an HP LaserJet P1102w, still a current model, but it doesn't matter which printer I use.  I also have an Epson Artisan 725 and the same thing happens with it about once a week.  Also, this happens from both my Mac and my wife's Mac, so it's not an issue with just my machine.
  I've searched for documentation on how to setup a static IP address for a wireless printer with the Airport Extreme, but all I find are tutorials on how to do it with an ethernet hard-wired printer.  Any help would be greatly appreciated.

  You could set up your router to do manual assignment of IP address instead of using DHCP, but that is a PITA, because then you'd have to manually set up IP for all your devices.
  If you have AirPOrt Extreme, you could do this:
  In your Apple TV, go to the Settings >> About and write down the MAC address of your ATV
  Start up the AiPort Admin Utility
  Go to Network tab
  click + in the DHCP reservations
  Choose an IP you want for your ATV & Enter the MAC address
  From now on, this IP address will be reserved to the MAC address and only your ATV will be able to get it, no other device will.
  It is not a static IP in a true sense, but behaves just like one.
  Works great for me...
  If you don't have a AP Extreme, I'm sure other routers will allow you do reservations too.

• Multipmultiple Airport Extreme Base Stations: WDS Or "Extend Wireless Network" To Have Wired -- Wireless Bridge?

  Hello there!
  I've been looking for this info, but have as yet been unable to find it. Here's my scenario:
  I have two Airport Extreme Base Stations (both are dual band) and 3 airport expresses. The main internet connection in my house is in one room, where I have an AEBS as the main wireless router. In another room, I have a bunch of ethernet-only devices. I'd like to use the 2nd AEBS in this room, plug the ethernet devices into it and have the 2nd AEBS act as a wired <--> wireless bridge (connected to the same wireless network as the 1st AEBS). I've attempted this via "extend a wireless network," but the ethernet devices don't get past the AEBS they're plugged into. Should I instead be implementing WDS?
  I mention the airport expresses as I'd like to have airtunes & wireless signal in other areas, but would like to keep the set-up as simple as possible (i.e., not config the AXes for WDS unless it's required).
  Thanks in advance for any help!

  Unlike the 802.11n AirPort Express Base Station (AXn), the 802.11n AirPort Extreme Base Station (AEBSn) cannot be configured as a wireless Ethernet bridge.
  However, there are at least two ways to configure it to provide wired clients access:
  Connect the second AEBSn back to the first by Ethernet; reconfigure the second AEBSn as a bridge and disable its wireless radios, or
  Reconfigure both AEBSns into an extended wireless network. For 802.11n AirPorts, this would be called a dynamic WDS. The AEBSn, connected to the Internet would be the "main" base station and it would only require that you enable the "Allow this network to be extended" option in the AirPort Utility. The extending AEBSn would need to be configured with the option, Wireless Mode = Extend a wireless network, enabled.
  In both configurations, the second AEBSn's Ethernet ports would be enabled for wired clients.

• Cisco ISE User Authentication Certificates for Wired and Wirless Users (BYOD)

  Can any one tell me from where we can purchase User Authentication Certificates for Wired and Wireless Users (BYOD) for Cisco ISE. Also Confirm what certificates we required for the purpose.
  Please suggest the Website form where we can purchase and ipmort in Cisco ISE certificate Section.
  Thanks.

  Dear Mohana,
  Thanks for your reply, Can you please confirm me in regards EAP-TLS certificate, which authorities you recomend if i go to Go dadday or very Sign to buy it and then import in ISE.
  Looking forward for your reply.
  Regards,
  Muhammad Imran Shaikh
  Resident Engineer, IT Network Section - PPL
  Mobile : 0092-312-288-1010
  LinkedIn : pk.linkedin.com/pub/muhammad-imran-shaikh/10/471/b47/