Authentication EAP-TLS on ACS or local EAP WLC over LWAPP and 7921

Hi All,
I installed a WLC to provide the WLAN architecture, and the project was extended to VoWLAN. We have 7921 and E51 running over the wide WLAN architecture.
Computers using data over wireless are working over PEAP done by ACS with a CA-signed certificate + user secret; on the PC it is linked to the domain account and the secret stays the login and password. Our problem is that the user and password are linked via ACS to Active Directory, and the password policy is to change it frequently.
For the phones we are currently running authentication over LEAP, but I'm working to define the best security solution for us.
I am comparing PEAP and EAP-TLS for now:
1) PEAP checks the authentication of ACS via certificate trust and authenticates via MS-CHAPv2 and the secret password known by the user. My problem here is that on the phone the password can only be static, which is potentially not acceptable.
2) EAP-TLS, which is the most secure due to the two-sided certificate authentication + (login / password) on the phone.
So I need to manage certificates here? I mean I can use either the MIC CA certificate on the phone or a user-defined CA, which I can put on ACS or local EAP on the WLC, and then put the ACS CA trust on the phone.
If I understood well, I have to put User.cer and ACS_CA.cer on each phone and put the User_CA on the ACS?
I already have a certificate on the ACS signed by a CA (like VeriSign), so I must create a CSR for every phone to be able to use the same CA?
I'm also thinking of using the local EAP certificate of the controller to manage all of that, to avoid any potential money to pay to the trusted CA of the ACS.
Can you help me to know if I understood everything correctly? I would be pleased to exchange experience on that.
thanks ;)
bye

I am currently using EAP-TLS authentication for my wireless users with ACS 3.2. I have had that problem before. This is what I did...
Set up a Microsoft Certificate Server as my CA. You can use the same machine for your ACS and CA.
Then generate a certificate signing request from ACS, request a server certificate from the CA, then copy and install the certificate on ACS. On the ACS, go to Global Authentication Setup and check the EAP-TLS certificate. If it fails to respond, it means that the server certificate is not properly set up.
On the Windows XP clients, connect your machine using wired LAN, then request a certificate from the CA (the same CA that you used for your ACS) using IE (ex. http://CAip/certsrv), but this time request a client certificate. The name you put when requesting the cert must be your local Windows user; use 1024, choose Microsoft Base Cryptographic Provider 1.0, then install the certificate on the client. Verify that your client certificate was installed properly.
At that point you should be able to connect your wireless client using EAP-TLS.
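The trust relationships that procedure sets up, as an added example that is not code from the thread or from Cisco: a lab PKI built with the openssl command-line tool (assumed to be on PATH) in place of the Microsoft CA, where one CA issues both the ACS server certificate and each supplicant certificate, the supplicant checks the ACS certificate against that CA, and ACS checks the supplicant certificate against it. A second CA stands in for a phone whose certificate came from an unrelated authority, which is the case the original question asks about. All names (lab-ca, acs.example.test, phone-7921-01) are made up.

```python
"""Lab PKI showing the two-sided trust EAP-TLS needs.

Added example, not code from the thread. It uses the openssl CLI (assumed to be
on PATH) in place of the Microsoft CA in the post: one CA issues the ACS server
certificate and each supplicant certificate; the supplicant trusts that CA to
validate ACS, and ACS trusts it to validate the supplicant. A second CA stands in
for a phone whose certificate came from an unrelated authority. Names are made up.
"""
import functools
import subprocess
import tempfile


def _openssl(*args):
    # Run one openssl command; output is captured so the lab stays quiet.
    return subprocess.run(["openssl", *args], capture_output=True, text=True, check=False)


def make_ca(d, name):
    """Self-signed CA certificate + key (openssl marks it CA:TRUE by default)."""
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "365",
             "-subj", f"/CN={name}", "-keyout", f"{d}/{name}.key", "-out", f"{d}/{name}.crt")


def issue(d, ca, name, cn, eku):
    """CSR for <cn>, signed by <ca> with extendedKeyUsage serverAuth or clientAuth.
    This mirrors 'generate a CSR from ACS, request a server certificate from the CA'
    and 'request a client certificate' in the post."""
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={cn}",
             "-keyout", f"{d}/{name}.key", "-out", f"{d}/{name}.csr")
    with open(f"{d}/{name}.ext", "w") as fh:
        fh.write(f"extendedKeyUsage = {eku}\n")
    _openssl("x509", "-req", "-in", f"{d}/{name}.csr", "-CA", f"{d}/{ca}.crt",
             "-CAkey", f"{d}/{ca}.key", "-CAcreateserial", "-days", "365",
             "-extfile", f"{d}/{name}.ext", "-out", f"{d}/{name}.crt")


def verifies(d, ca, name, purpose):
    """True when <name>.crt chains to <ca>.crt and is usable for <purpose>:
    'sslserver' is what the supplicant checks on the ACS cert, 'sslclient' is
    what ACS checks on the phone/PC cert (the 'verify the certificate' step)."""
    r = _openssl("verify", "-CAfile", f"{d}/{ca}.crt", "-purpose", purpose, f"{d}/{name}.crt")
    return r.returncode == 0


def build_lab(d):
    make_ca(d, "lab-ca")
    make_ca(d, "other-ca")
    issue(d, "lab-ca", "acs", "acs.example.test", "serverAuth")
    issue(d, "lab-ca", "phone", "phone-7921-01", "clientAuth")
    issue(d, "other-ca", "stray-phone", "phone-from-other-ca", "clientAuth")
    return {
        "acs_as_server": verifies(d, "lab-ca", "acs", "sslserver"),        # True
        "phone_as_client": verifies(d, "lab-ca", "phone", "sslclient"),    # True
        "acs_as_client": verifies(d, "lab-ca", "acs", "sslclient"),        # False: wrong EKU
        "stray_phone": verifies(d, "lab-ca", "stray-phone", "sslclient"),  # False: other CA
    }


@functools.lru_cache(maxsize=None)
def run_lab():
    """Build the lab in a temporary directory and return the four verdicts."""
    with tempfile.TemporaryDirectory() as d:
        return build_lab(d)


if __name__ == "__main__":
    for check, ok in run_lab().items():
        print(f"{check:16} {'verified' if ok else 'REJECTED'}")
```

The last two checks are the ones worth noticing: the ACS certificate is rejected when presented as a client because its EKU only allows serverAuth, and the phone certificate from the unrelated CA is rejected by ACS even though it is a perfectly valid client certificate. That is why the post insists on using the same CA for the ACS server certificate and the client certificates, and why a phone needs the ACS's CA certificate installed to validate the server side.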

Similar Messages

  • ACS 5.4 with DACL over wireless and wired network

    Hi, my name is Ivan, and I have a question.
    I have a deployment in my wired network this way:
    Profile 1: corporate users are working with 802.1X to authenticate computers and users with EAP-PEAP MSCHAPv2 and MAC filtering configured in the Cisco WLC. My ACS 5.4 is integrated with Active Directory.
    Profile 2: IP telephones authenticate with MAB. All the MAC addresses are registered locally in the ACS.
    Profile 3: guest users authenticate with the web portal from the Cisco Wireless LAN Controller over the wired network, and the accounts exist in the WLC Lobby Ambassador.
    My deployment in the wireless network is this way:
    FlexConnect with central authentication and local switching to connect 15 sites over the WAN.
    SSID 1: corporate users working with 802.1X to authenticate users with PEAP MSCHAPv2 and MAC filtering configured in the Cisco WLC. My ACS 5.4 is integrated with Active Directory.
    SSID 2: guest users working with the web portal from the Cisco Wireless LAN Controller over the wireless network, and the accounts exist in the WLC Lobby Ambassador.
    I would like to configure Downloadable Access Lists (DACL) in the Cisco ACS 5.4 to use in my wired and wireless network.
    How can I do it in my scenario?
    Please, could you help me?
    Regards,
    Ivan.

    Hello. To avoid confusion, let's divide the WLCs based upon the operating system.
    There are WLCs that run AirOS. That includes the WLC 4400, but also includes the WLC 5500.
    There are WLCs that run IOS-XE. That includes the new Catalyst 3850-X and WLC 5700 (which I think can also run AirOS).
    IOS-XE fully supports DACL. On the other hand, AirOS supports DACL partially.
    From the ACS point of view, when you configure a DACL for IOS you configure not only the name of the access-list but also the access-list entries. That way the IOS devices don't need to have the ACLs pre-configured. This is great because you only need to create and update the access-list entries in one place (which is ACS) and deploy easily to hundreds of switches.
    On the other hand, when ACS configures a DACL for AirOS it can only specify the name of the access-list. The AirOS device needs to have the access-list configured with a name exactly as configured on the ACS. Sadly, each AirOS device also needs to have all the access-list entries configured.
    It seems you want to configure DACL along with other attributes. If you explain your requirement to me a little more, I can show you what to configure.
    Best regards

  • IPhone and EAP-TLS with ACS & 5508

    I have a large customer that is moving into a new building and adding some new wireless.
    They are using a 5508 with 1142s and an ACS server.
    They will have the following SSIDs:
    SSID01 -> WPA-EAP-TLS
    SSID02 -> WPA2-EAP-TLS (future use)
    SSID03 -> Guest Access (internet access only)
    They currently use this design across the enterprise, which has worked well.
    The problem is getting certificates pushed down to the clients for EAP-TLS: they always connect the machine once by wire and log on to the domain so a GPO pushes the cert to the machine.
    This creates a problem that I don't know how to solve, as they want to use iPhones on the new deployment.
    Does anyone have any ideas on how to get a cert down to the iPhones for use with the SSIDs?
    Thanks in advance for any assistance.

    I don't think we can push certs from a Windows server to iPhones. Probably set up a web page, say one accessible from a different SSID, from which clients can download and install the cert?

  • 802.1x EAP-PEAP over Ethernet need help !!!

    I am trying to get wired 802.1x EAP-PEAP to work and after spending about 8 hours troubleshooting this, I am not sure what else to do. Need help. Here is the scenario:
    - Cisco Catalyst 3350 switch running IOS version c3550-ipservicesk9-mz.122-44.SE6.bin,
    - Steel-Belted/Juniper RADIUS Server version 6.1.6 on a Windows 2003 server with IP address 129.174.2.7. This device is connected to the same switch above. Firewall is OFF on the server, allow ALL,
    - Windows 2003 Enterprise Server supplicant with the latest service pack and patches. Again, firewall is OFF on the server, allow ALL. Juniper has verified the configuration settings on the supplicant machine. The supplicant has a static IP address of 129.174.2.15, same subnet as the RADIUS server. I just want to enable EAP-PEAP so that the user is forced to authenticate before the port is activated to be "hot".
    - Juniper TAC has verified the configuration on the Steel-Belted RADIUS for EAP-PEAP and that everything is looking fine.
    I have verified that the switch can communicate fine with the RADIUS server.
    - Configuration on the switch for 802.1x:
    aaa new-model
    aaa authentication dot1x default group radius
    radius-server host 129.174.2.7 auth-port 1812 acct-port 1813 key 123456
    interface FastEthernet0/39
      description windows 2003 Supplicant
      switchport access vlan 401
      switchport mode access
      dot1x port-control auto
      no spanning-tree portfast (does not matter if this is enable or disable)
    lab-sw-1#
    .May 20 07:52:47.334: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
    .May 20 07:52:47.338: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1  data:
    .May 20 07:52:47.338: EAPOL pak dump Tx
    .May 20 07:52:47.338: EAPOL Version: 0x2  type: 0x0  length: 0x0005
    .May 20 07:52:47.338: EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1
    .May 20 07:52:47.338: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
    lab-sw-1#
    lab-sw-1#sh dot1x interface f0/39
    Dot1x Info for FastEthernet0/39
    PAE                       = AUTHENTICATOR
    PortControl               = AUTO
    ControlDirection          = Both
    HostMode                  = SINGLE_HOST
    Violation Mode            = PROTECT
    ReAuthentication          = Disabled
    QuietPeriod               = 60
    ServerTimeout             = 30
    SuppTimeout               = 30
    ReAuthPeriod              = 3600 (Locally configured)
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 30
    RateLimitPeriod           = 0
    lab-sw-1#
    I am at a complete loss here. I don't know what else to do. Someone with expertise in this realm, please help me make this work.
    Many thanks in advance,

    #1:  dot1x system-auth-control is already in the switch configuration
    #2:  Not sure if you're already aware, the minute I entered "dot1x port-control auto", the command "dot1x pae authenticator" automatically appears on the interface configuration
    The case is being worked on by Cisco TAC.  One of the issues is the windows 2003 server supplicant refuses to work.  Windows XP supplicant uses machine-authentication instead of user-authentication.  Cisco TAC is looking into this issue.
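The debug output quoted in this thread is the evidence a troubleshooter actually has to read: the switch sends an EAP-Request/Identity to the port and nothing comes back. As an added example that is not code from the thread, from Cisco or from Juniper, the following parser decodes the EAPOL and EAP header lines the `debug dot1x packet` dumps print, labels each frame with its IANA-registered meaning, and turns one port's exchange into a verdict. Sample 1 is the switch output quoted above; sample 2, a supplicant that answers Identity and then refuses the offered method, is constructed for illustration.

```python
"""Decode Cisco IOS 'debug dot1x packet' EAPOL dumps and summarise the exchange.
Added example, not code from the thread. The regexes are modelled on the switch output
quoted above (sample 1 is that output); sample 2, a supplicant that answers Identity
but NAKs the offered method, is constructed for illustration."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IEEE 802.1X EAPOL packet types and RFC 3748 EAP codes / method types (IANA values)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
DUMP_RE = re.compile(r"EAPOL pak dump (Tx|Rx)")
EAPOL_RE = re.compile(r"EAPOL Version: 0x([0-9a-f]+)\s+type: 0x([0-9a-f]+)\s+length: 0x([0-9a-f]+)", re.I)
EAP_RE = re.compile(r"EAP code: 0x([0-9a-f]+)\s+id: 0x([0-9a-f]+)\s+length: 0x([0-9a-f]+)"
                    r"(?:\s+type: 0x([0-9a-f]+))?", re.I)


@dataclass
class Frame:
    direction: str            # "Tx": switch -> supplicant, "Rx": supplicant -> switch
    eapol_type: int
    length: int
    eap_code: Optional[int] = None
    eap_id: Optional[int] = None
    eap_type: Optional[int] = None


def parse_debug(text: str) -> List[Frame]:
    """One Frame per 'EAPOL pak dump'; only the header lines following a dump are used,
    so the duplicate 'EAP code:' printed by dot1x_mgr_send_eapol is not counted twice."""
    frames: List[Frame] = []
    direction: Optional[str] = None   # set while a dump's header lines are pending
    for line in text.splitlines():
        m = DUMP_RE.search(line)
        if m:
            direction = m.group(1)
            continue
        if direction is None:
            continue
        m = EAPOL_RE.search(line)
        if m:
            frames.append(Frame(direction, int(m.group(2), 16), int(m.group(3), 16)))
            if frames[-1].eapol_type != 0:   # Start/Logoff/Key carry no EAP header
                direction = None
            continue
        m = EAP_RE.search(line)
        if m and frames and frames[-1].eap_code is None:
            f = frames[-1]
            f.eap_code, f.eap_id = int(m.group(1), 16), int(m.group(2), 16)
            f.eap_type = int(m.group(4), 16) if m.group(4) else None
            direction = None
    return frames


def describe(f: Frame) -> str:
    s = f"{f.direction} {EAPOL_TYPES.get(f.eapol_type, f'type-{f.eapol_type}')}"
    if f.eap_code is not None:
        s += f" {EAP_CODES.get(f.eap_code, f'code-{f.eap_code}')} id={f.eap_id}"
        if f.eap_type is not None:
            s += " " + EAP_TYPES.get(f.eap_type, f"method-{f.eap_type}")
    return s


def diagnose(frames: List[Frame]) -> Tuple[str, str]:
    """(verdict, detail) for one port's exchange, most decisive evidence first."""
    tx_req = [f for f in frames if f.direction == "Tx" and f.eap_code == 1]
    rx = [f for f in frames if f.direction == "Rx"]
    if any(f.eap_code == 3 for f in frames):
        return "SUCCESS", "EAP-Success sent to the supplicant"
    if any(f.eap_code == 4 for f in frames):
        return "FAILURE", "EAP-Failure: the RADIUS server rejected the session"
    nak = next((f for f in rx if f.eap_code == 2 and f.eap_type == 3), None)
    if nak is not None:
        offered = next((f.eap_type for f in reversed(tx_req) if f.eap_id == nak.eap_id), None)
        return "METHOD_NAK", f"supplicant refused offered method {EAP_TYPES.get(offered, offered)}"
    if tx_req and not rx:
        return "SUPPLICANT_SILENT", f"{len(tx_req)} EAP-Request(s) sent, nothing came back on the port"
    return "IN_PROGRESS", f"{len(frames)} frames, no terminal outcome yet"


# Sample 1: the switch output quoted in the thread (only a Tx frame appears).
SWITCH_LOG = """\
.May 20 07:52:47.338: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1  data:
.May 20 07:52:47.338: EAPOL pak dump Tx
.May 20 07:52:47.338: EAPOL Version: 0x2  type: 0x0  length: 0x0005
.May 20 07:52:47.338: EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1
"""
# Sample 2 (constructed): supplicant starts, answers Identity, then NAKs PEAP (type 0x19).
NAK_LOG = """\
.May 20 07:53:10.001: EAPOL pak dump Rx
.May 20 07:53:10.001: EAPOL Version: 0x1  type: 0x1  length: 0x0000
.May 20 07:53:10.010: EAPOL pak dump Tx
.May 20 07:53:10.010: EAPOL Version: 0x2  type: 0x0  length: 0x0005
.May 20 07:53:10.010: EAP code: 0x1  id: 0x3  length: 0x0005 type: 0x1
.May 20 07:53:10.050: EAPOL pak dump Rx
.May 20 07:53:10.050: EAPOL Version: 0x1  type: 0x0  length: 0x000d
.May 20 07:53:10.050: EAP code: 0x2  id: 0x3  length: 0x000d type: 0x1
.May 20 07:53:10.120: EAPOL pak dump Tx
.May 20 07:53:10.120: EAPOL Version: 0x2  type: 0x0  length: 0x0006
.May 20 07:53:10.120: EAP code: 0x1  id: 0x4  length: 0x0006 type: 0x19
.May 20 07:53:10.160: EAPOL pak dump Rx
.May 20 07:53:10.160: EAPOL Version: 0x1  type: 0x0  length: 0x0006
.May 20 07:53:10.160: EAP code: 0x2  id: 0x4  length: 0x0006 type: 0x3
"""
```

Running `diagnose(parse_debug(SWITCH_LOG))` on the thread's own output yields the SUPPLICANT_SILENT verdict: the authenticator's EAP-Request/Identity went out on the port (the `mac 0000.0000.0000` in the original dump shows no client MAC has been learned yet) and no EAPOL frame ever came back, which points at the supplicant side of the link rather than at the RADIUS server the poster had already verified. The constructed second sample shows the other common shape of failure, a supplicant that talks but answers the offered method with a Nak, which is a method-configuration mismatch rather than a transport problem.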

  • Anyconnect VPN-Authentication multiple profiles via ACS

    Hi,
    I'm currently facing the issue that I need to migrate a customer's VPN structure from the VPN Client to the new AnyConnect.
    There is an ASA5515 and they have ACS with local users and AD integration.
    The problem: the old system used different profiles with PSK, so every external partner who had a VPN connection got its own profile, which was secured by the IKEv1 PSK. The credentials for externals are saved locally on ACS. Also there is a profile for the normal employees, which authenticate via AD or RSA. The guys who implemented this did it the easy way, meaning when a user connects, the whole user table is checked (AD, local, RSA). So if an external had the .pcf from an internal user, it would be possible for him to connect to internal resources. There was no profile-to-usergroup binding.
    I should now implement a new ASA with AnyConnect and also keep up the different profiles. But in this case the problem is that there is no PSK any more. So if a smart guy changes the group in his XML profile to e.g. "Internal", it would authenticate and grant access to all resources, since the internal pool isn't restricted by ACLs, but the externals are.
    I'm looking for a guide on how to set up different policies on the ACS which look up the user only in the one group, depending on the profile he connected with. As far as I understand, I must somehow define already on the FW which group or policy it should look up. How can I achieve this?
    What do I need, e.g. for 10 different profiles?
    - 10 groups on ACS?
    - 1 Access Policy (Network Access) -> with 10 different Authorization Policy rules?
    - Anything else?
    Where do I define the policy to use in AnyConnect?
    Thanks in advance!
    BR

    I've done a similar deployment where all authentication, authorization and accounting was pointed from the ASA to ACS.
    There are multiple layers to your question.
    First of all, you have ACS, hopefully 5.x, which gives you a nice policy-driven authentication and authorization schema.
    1st layer - set up group-alias and group-url for specific users on the ASA.
    2nd layer - ACS decides where those connections should be authenticated/authorized against (go to AD, RSA, local DB). The ASA passes the tunnel group name in authentication calls to ACS.
    3rd layer - the group-lock feature ensures that a user can only have access to resources if they are in a specific group.

  • OS Lion of Apple don't authentication in the Secure ACS

    Hello my friends!!!!
    I have one problem: my OS Lion doesn't authenticate to the Secure ACS version 5.2.0.26.10.
    For the Mac Lion operating system to work, you must put the MAC address of your computer in an exception. I wonder how I could get OS Lion to authenticate to the ACS.
    Thank you!

    Hi,
    Are you using wpa2 authentication, also are you using MAR (machine access restrictions) in your global dot1x configuration? If that is the case, then you will not be able to authenticate. Please describe a little bit more about your issue.
    thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Cisco ACS 4.2.1.15 for Windows and Network Access Profiles

    We are attempting to configure ACS 4.2.1.15 on a Windows Server 2008 member server. Initially I only have the need to authenticate network admins for device administration and authenticate Windows AD groups using PEAP authentication. The general problem that I am having is that if I configure a Cisco 1200 Access Point for PEAP and also set up the Access Point for RADIUS authentication pointed to the ACS server, it always maps to the first Network Access Profile, and rather than trying the second it will error saying some condition is not met, depending on what changes I make. Can someone tell me what criteria are used to determine which NAP is used? According to the manual, if all 4 criteria are not met then the profile will not apply.
    I am using one ACS group that is mapped to an AD group for wireless access and a second ACS group mapped to an AD group that includes the net admins. This group mapping appears to be working, as the user group name seems to be mapped correctly in the logs. In short, I have tried only configuring the Wireless NAP to only allow EAP authentication using PEAP EAP-MSCHAPv2 and the Netadmins profile to include all protocols. Basically what happens is, if I have the Wireless NAP first, it works fine for PEAP authentication on wireless, but if I try to administer the access point and provide credentials I get a message in the failed log that the authentication profile is not allowed in this Network Access Profile. Why does this not just go on to the next Network Access Profile?
    I am familiar with version 3.2 but it does not seem to work the same.
    Any help would be appreciated on what I am missing.
    Thanks

    Hi Surenda,
    Thanks for your reply. Nope, there is no WLC yet, but the WLC will be installed shortly.
    Thanks,
    Jean Paul

  • Local Webauth WLC using radius database

    Hi all,
    I implemented local web auth on the WLC not using local auth; I use a RADIUS database.
    At least I tried to add on my WLAN:
    layer 3 web auth authentication
    layer 2 security is WPA/WPA2 PSK
    adding AAA RADIUS server
    AAA RADIUS "network user" check list enabled
    web auth priority order
    radius
    LDAP
    After I test the WLAN, I can't log in using the RADIUS database.
    But if I implement security method WPA/WPA2 dot1x, I can log in using the RADIUS database.
    Is there anything missing in my config to implement the web auth method?
    Thanks
    ridho

    Are you trying to use LDAP or RADIUS to authenticate the webauth users? Since you have 802.1x working, I don't see why you would use LDAP. What RADIUS server are you using also? Typically if you're using Microsoft IAS or NPS, you have to change the device type to Login to get webauth with RADIUS to work. Here is an example of 3 ways to authenticate webauth users. You should be able to find others out there also.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml
    Sent from Cisco Technical Support iPhone App

  • Cisco ACS 5.1 & Cisco WLC 5508 & Cisco WCS

    I have managed to get TACACS+ working for the WLC and WCS but am having trouble with RADIUS for management authentication and authorization.
    Has anyone got any ideas or good documents on how to authenticate administrators using RADIUS on ACS 5.1 for the WLC 5508 and WCS 6?
    I take it that I still need to define roles?
    Many thanks.
    Jay

    You may try this with RADIUS-IETF under shell-privilege:
    For read-write privileges for the user, set the Service-Type Attribute to Administrative.
    For read-only privileges for the user, set the Service-Type Attribute to NAS-Prompt.
    Regards,
    Jatin
    Do rate helpful posts~

  • How to get the data from mysql database which is being accessed by a PHP application and process the data locally in adobe air application and finally commit the changes back in to mysql database through the PHP application.


    If the data is on a remote server (for example, PHP running on a web server, talking to a MySQL server) then you do this in an AIR application the same way you would do it with any Flex application (or ajax application, if you're building your AIR app in HTML/JS).
    That's a broad answer, but in fact there are lots of ways to communicate between Flex and PHP. The most common and best in most cases is to use AMFPHP (http://amfphp.org/) or the new ZEND AMF support in the Zend Framework.
    This page is a good starting point for learning about Flex and PHP communication:
    http://www.adobe.com/devnet/flex/flex_php.html
    Also, in Flash Builder 4 they've added a lot of remote-data-connection functionality, including a lot that's designed for PHP. Take a look at the Flash Builder 4 public beta for more on that: http://labs.adobe.com/technologies/flashbuilder4/

  • Issue on how to mimic a Deski document from CMS to a local machine, pass parameters, execute and save in multiple report formats, then store on a network drive.

    Post Author: usaitconsultant
    CA Forum: JAVA
    Would you know if there's a way to mimic a Deski document from the BOXI server (CMS) to a local machine, pass parameters, execute and save in multiple report formats, then store on a local drive or network drive? Most examples and tutorials in BO XI R2 I've seen are for scheduling, while drilling a report is for Web Intelligence only and not Desktop Intelligence. Please let me know your ideas. I would really appreciate your help. Thanks.

    Post Author: usaitconsultant
    CA Forum: JAVA
    Hi Ted,
    Thanks for the reply. The file is not available on the server. Though, I checked the CMS and I found an instance in the history tab, and the status is failed with the error below.
    Error Message:
    A variable prevented the data provider Query 1 with BANRRD30 from being refreshed. (DMA0008)
    When I checked my code, I found out that the object I'm using is for the Web Intelligence data provider. However, I cannot find any documentation or example for passing parameter values to the Desktop Intelligence data provider. Any idea on this? Do you think this is not supported by the Report Engine SDK? Thanks.

  • No local currency found for plant and sales org.

    Hi Guru's,
    I am facing a problem that I don't understand.
    I load the standard master data 0PLANT and I have the basic issue: No local currency found for plant and sales org.
    I already saw this error, so I checked the basics to solve it.
    I respect the comp_code, sales_org and then plant sequence.
    I checked the routines, no problem.
    For some plants it works: I extract 8 plants, 2 work, the rest do not. The reason is that there is no sales org assigned in my PSA table for those plants.
    But (and this is the problem) when I check the SAP source table T001W I can see that the plants are correctly assigned to a sales organization.
    So do you have any idea about my problem?
    Do you know the transaction on ECC to maintain the division and sales org assignment?
    Thanks
    Cyril

    Hi,
    Pls have a look at this similar post:
    [No Local Currency found in Plant |How can I view the code for a routine in an update rule;
    Hope it helps...
    Regards,
    Ashish

  • How to mimic a Deski document from the BOXI server to a local machine, pass parameters, execute and save in multiple report formats, then store on a network drive.

    Post Author: usaitconsultant
    CA Forum: JAVA
    To the gurus: would you know if there's a way to mimic a Deski document from the BOXI server to a local machine, pass parameters, execute and save in multiple report formats, then store on a local drive or network drive? Most examples and tutorials in BO XI R2 I've seen are for scheduling, while drilling a report is for Web Intelligence only. Please let me know your ideas. I would really appreciate your help. Thanks.

    Give Chronosync a go - have been using for over a year and it works great; if you like Syncback you'll like this app.

  • I am using an iPhone 4 and planning to visit India for a few months. Can I buy a local SIM card in India and use it in my iPhone? I have already unlocked my iPhone.


    Of course

  • Local Administration rights for Xcelcius and Crystal Reports

    Hello Customercare,
    I am currently compiling a list of software that does and does not require local administrator rights to install and run.
    I was wondering if you would be able to assist me. We currently use Crystal Reports version 8.5 and Crystal Xcelsius 4.5. I need to find out if these programs require local administrator rights on the computer they are to be used on to a) install properly and b) run from that computer by a user without local administrative rights for that machine.
    Please let me know or point me in the right direction of a resource who would be able to help me with the above information.
    Many thanks for your time,
    Phil Booth
    GroupM
    Technical Support Engineer

    Hi Joseph,
    Download [Product guide/end userdocument|https://websmp103.sap-ag.de/~form/sapnet?_SHORTKEY=01100035870000713358&_SCENARIO=01100035870000000202&] select your product.
    For Business objects Integration kit for SAP click [here|https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/a00ee3b2-5283-2b10-f1bf-8c6413e0898f]
    Regards,
    Shweta
