Authentication on device

Hi everybody,
Please help me.
I'm using ActionScript 2 and FlashLite 2.x. I am writing an application which connects to a server to log in and uses authentication. I use the addRequestHeader function of the XML object as follows:
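     // Request document that carries the HTTP Basic credentials
     var xml:XML = new XML();
     var str:String = "user:pass";
     str = Base64.Encode(str);   // Base64 is the poster's helper class, not an ActionScript 2 built-in
     xml.addRequestHeader("Authorization", "BASIC " + str);
     var result:XML = new XML();
     // Called once the server response has loaded; success is false on failure
     result.onLoad = function(success:Boolean){
         // handle the login response here
     };
     // link is the login URL, defined elsewhere in the application
     xml.sendAndLoad(link, result, "POST");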
When I copy this login.swf to the device, it displays an alert dialog box which asks for a login username and password. How can I remove this dialog box, or get the value entered in the dialog box?
Thanks.

do a google search for "perl cgi get mac address"
in short:  no
here is a question: (i don't know the answer)
would you see the actual MAC address of the device?
or would you see the 'virtual' MAC address created by the VPN connection?
(my guess is the 'virtual' one)
IMHO - You would be better off implementing the "limitation of access" within the VPN "server".
MK

Similar Messages

  • ISE - AAA radius authentication for NAD access

    Hi,
    I have configured the switches to use the ISE as the RADIUS server to authenticate with. On the ISE I've configured an authentication policy
    for the "NADs" using the "Wired Devices" group, which points to the AD identity source to authenticate against.
    While testing the login access to the switches we've come up with 2 results:
    1. A domain user can indeed log in to the switch as intended.
    2. Every domain user which exists in the AD identity source can log in; this is an undesired result.
    So I am trying to search for a way to restrict access to the NADs to only a particular group belonging to the AD, for example the group/OU
    of the IT_department only.
    I haven't been successful and would appreciate any ideas on how to accomplish this.
    Switch configurations :
    =================
    aaa new-model
    aaa authentication login default group radius local
    ISE Authentication policy
    ==================
    Policy Name : NADs Authentication
    Condition:  "DEVICE:Device Type Equals :All Device Types#Wired"
    Allowed Protocol : Default Network Access
    use identity source : AD1

    Thank you for the quick replies. OK, I've now configured the following authorization policy:
    Rule Name : Nad Auth
    Conditions
    if: Any
    AND : AD1:ExternalGroups EQUALS IT_Departments
    Permissions , then PermitAccess
    What I don't understand is that it needs to match an "identity group", which can be either "Endpoint Identity group" or "Users Identity group". I am limited with the if statement and cannot choose the same device group I chose before.
    How can I do that? I am thinking ahead and asking myself whether in other cases a user might match this policy rule and interfere.

  • Authentication on 1300 Series

    I've already installed a couple of these devices, one as root and the other as non-root. I'm authenticating the devices with MAC address over the root bridge, but I have some trouble with some devices. One of the errors is here: Interface Dot11Radio0, Deauthenticating Station 000c.f14c.9e08 Reason: Disassociated because sending station is leaving (or has left) BSS. I hope someone knows about it. I also want to know if I can authenticate devices over the non-root.
    Thanks a lot

    Enhanced authentication services: Set up non-root bridges to authenticate to your network like other wireless client devices. After you provide a network username and password for the non-root bridge, it authenticates to your network using LEAP, Cisco's wireless authentication method, and receives and uses dynamic WEP keys.
    http://www.cisco.com/en/US/products/ps5861/products_configuration_guide_chapter09186a008024a923.html

  • Alternatives to MS workstation authentication certificates for 802.1x?

    I found out recently the hard way that the Certificate Authority bundled with Windows Server 2008 won't load the 'workstation authentication' certificate template.  (You need 2008 Enterprise/Datacentre or 2008 R2, or any edition of 2008 R2).
    Does anyone know of alternative ways of authenticating a device using 802.1x?
    thanks,
    David.

    Hi Kirbus,
    we open a TAC and we were advised for now to do the following changes:
    1.       please make sure to disable Aironet extensions (if present)  , on the WLAN advanced configuration
    2.       disable management frame protection (MFP) signature generation (if present) , MFP also on the WLAN advanced configuration
    3.       on the WLC general configuration , can you please disable aggressive load balancing
    4.       on the security tab on the WLC , please wireless protection policies > disable client exclusion policies
    5.       on the AP network configuration please disable short preamble the original standard was long preambles
    6.       Wireless -> disable auto-RRM channel & power assignment & try "on demand"
    7.       apply these modification on the WLC CLI
    Config advanced eap identity-request-timeout 20
    Config advanced eap identity-request-retries 10
    Config advanced eap request-timeout 20
    Config advanced eap request-retries 10
    Save config, and see if you still face the problem.
    We are still monitoring the solution, but until now we didn't face the problem again.
    Let me know how it goes for you.
    Thank you.
    Best regards,

  • Blackberry ID - forgot password, forgot password recovery info, exceeded login attempts, why can't BB send me email to reset password.

    THE ISSUES ARE:
    1. FORGOT PASSWORD
    2. FORGOT PASSWORD RECOVERY INFO
    3. EXCEEDED ATTEMPTS TO LOGIN
    I HAVE READ OTHER PEOPLES FORUM PROBLEMS THAT ARE THE SAME. WHEN I FOLLOWED LINKS THAT SUPPORT GAVE THERE IS NO SOLUTION TO ACTUALLY FIX THE PROBLEM. 
    What I need is simply this: Blackberry to send me a RESET PASSWORD link to the email I have registered with Blackberry WITHOUT HAVING TO PROVIDE PASSWORD RECOVERY INFO. This will enable me to bypass unknown recovery password info and access my Blackberry ID account. 
    Why haven't I been able to find a solution to fix the problem?
    BECAUSE IT DOESN'T APPEAR TO EXIST........ ANYWHERE..... EVEN ON YOUTUBE BLACKBERRY ARE RUNNING AN OUT OF DATE SOLUTION CENTRE.
    When looked online to Blackberry youtube video it shows a solution that doesn't exist! WHY? BECAUSE IT WAS UPLOADED IN 2011. DUH. http://www.youtube.com/watch?v=lvdRb4qNG1M
    If I can't remember my password or recovery password info there is NO other option available that will send me a reset password via email so I can keep my current BB ID. 
    KB34776 - does not apply because you HAVE TO BE ABLE TO REMEMBER YOUR RECOVERY PASSWORD!
    CHECKED THIS OUT... 
    Workaround
    If the BlackBerry ID password has been forgotten but the answer to the password recovery question is known, select Forgot Password on the smartphone and answer the recovery question to generate a password reset email. Follow KB28685 to complete this process.
    If the BlackBerry smartphone user knows the email address used for the BlackBerry ID login but is unable to remember the associated password then it is possible to reset the password using the steps below:
    Note: If the BlackBerry ID account is not confirmed, it is necessary to provide the answer to the password recovery question as part of the web based password reset flow.
    To see if a BlackBerry ID account is confirmed, log in to the BlackBerry ID account, select Account Details and locate the Email Status field.  For instructions on confirming the BlackBerry ID account follow KB34137.
    Browse to the following URL using a desktop browser, the BlackBerry Browser on the BlackBerry smartphone, or the Browser on the BlackBerry PlayBook: http://blackberryid.blackberry.com/bbid/recoverpassword
    Enter the BlackBerry ID Username (email address) and the CAPTCHA characters, then click Submit.
    Enter the Answer to the Password Recovery Question, then click OK.
    Note: Answering the recovery question is only required if the BlackBerry ID account is not confirmed.
    A confirmation message will be displayed A password reset email has been sent to [email protected], at which point, a reset email will be delivered to the associated email address inbox.
    Log in to the email account associated to the BlackBerry ID using the desktop browser, BlackBerry Browser on the smartphone, or the Browser on the BlackBerry PlayBook.
    Locate the password reset email and select the Change your BlackBerry ID password link.
    Note: The BlackBerry ID reset email will come from [email protected]. If the email is not found in the inbox, check the mailbox's Spam or Junk folder.
    When the password reset page loads, enter the Answer to the Password Recovery Question, enter the New Password, Confirm Password, then click Submit.
    A confirmation message will display once the changes have been saved successfully.
    Moving forward use the newly created password whenever logging into BlackBerry ID.
     If the BlackBerry smartphone user does not know the email or password that was used for the BlackBerry ID, the BlackBerry ID will be locked out after 10 unsuccessful login attempts. See KB24157 for BlackBerry ID lockout behavior.
    THEN CHECKED KB24157......
    Overview
    BlackBerry ID is the master key to BlackBerry smartphone products, sites, services and applications, including BlackBerry Protect and the BlackBerry App World storefront.
    To prevent unauthorized access to the account, the BlackBerry ID will become locked out after a number of failed attempts. See the information below for an outline on the expected behavior:
    Local Authentication Lockout 
    On BlackBerry PlayBook and BlackBerry smartphones if the user enters their BBID password incorrectly 10 times on the BBID sign in screen, verify password screen, or BBID Edit screens, they are LOCKED OUT of all the following functions on that BlackBerry device for 15 minutes:
    Authenticating with their BlackBerry ID on the sign in screen
    Authenticating with their BlackBerry ID on the verify password screen
    Authenticating with their BlackBerry ID on the BBID edit screens 
    Note: The user can still log in on the web or any other devices associated with their BlackBerry ID. They are only locked out on the device where the 10 incorrect attempts occurred.  On the locked out device, after 15 minutes, they get 1 try to provide the correct password on the sign in and/or verify password screens. If they fail to enter the correct password, they are locked out for an additional 15 minutes on that device.
    Account Server Lockout
    Users have total of 10 attempts to enter their password correctly against the BlackBerry ID Account Server.
    The scenarios that increment the Account Server lockout counter are as follows:
    Providing an incorrect password anywhere on the BlackBerry ID web portal (blackberry.com/blackberryid)
    Providing an incorrect password within the BlackBerry ID Edit feature on any BlackBerry device or BlackBerry PlayBook
    Note: if a user provides an incorrect password 5 times on the BlackBerry ID web portal (blackberry.com/blackberryid), and then 5 more times on the BlackBerry ID Edit feature on their BlackBerry PlayBook, the cumulative number of failed attempts is 10. Once the user has made 10 incorrect attempts to provide their password against the Account Server, they are locked out of the Account Server PERMANENTLY until they reset their password.
    See KB26361 for information to reset a BlackBerry ID password
    Note: The Account Server Lockout does NOT prevent the user from local authenticating on devices  (the user can still authenticate on the sign in and verify password screens on their BlackBerry devices).
    Forgot Password Lockout
    If the user answers their Security Question incorrectly 10 times, they are locked out for 15 minutes of Forgot Password functionality on all interfaces such as:
    BlackBerry website (blackberry.com/blackberryid)
    BlackBerry PlayBook
    BlackBerry smartphone
    Note: After 15 minutes, they get 1 try, and if they fail to answer the question correctly, they are locked out for an additional 15 minutes.
    THAT DIDN'T WORK SO NOW ITS BACK TO..... KB26361
    Overview
    To change the BlackBerry ID password, complete the steps below for the specific device:
    From the BlackBerry 10 smartphone:
    Swipe down from the top bezel on the home screen and select Settings.
    Scroll down and select BlackBerry ID.
    Select Change Password.
    Enter the current password in the Current BlackBerry ID Password field.
    Enter the new password in the New BlackBerry ID Password and Confirm New Password fields.
    Select Submit to complete the password change.
    To confirm the change You have changed your password will be displayed.
    Also, if the BlackBerry ID password has been forgotten, select Forgot Password on the smartphone and answer the recovery question to generate a password reset email. Follow KB28685 to complete this process.
    Note: When using the recovery question password reset method, the generated email will be delivered to the BlackBerry 10 smartphone if the BlackBerry ID email address has been setup via Settings >Accounts
    From a computer:
    Visit http://www.bbid.com/ from a PC or BlackBerry smartphone browser.
    Click Log in.
    Enter the BlackBerry ID Username (email address) and password, then click Sign In.
    Click Account Details.
    Next to Password, click Edit.
    Enter in the current password, followed by the new password. Enter the new password again in the confirm password field, then click Save.
    Click Done to exit from the BlackBerry ID account information screens.
    From the BlackBerry smartphone running BlackBerry 6:
    Navigate to Options > Third Party Applications > BlackBerry ID.
    Click on Change next to BlackBerry ID Password.
    Enter in the current password, followed by the new password. Enter the new password again in the confirm password field, then click OK.
    A confirmation message will display Your password has been successfully changed.
    Click OK.
    From the BlackBerry smartphone running BlackBerry 7:
    Navigate to Options > Device > BlackBerry ID.
    Click on Change next to BlackBerry ID Password.
    Enter in the current password, followed by the new password. Enter the new password again in the confirm password field, then click OK .
    A confirmation message will display Your password has been successfully changed.
    Click OK.
    From the BlackBerry Playbook tablet:
    Navigate to the Options icon.
    Select BlackBerry ID.
    Click on the Edit button next to Change Password.
    Enter in the current password, followed by the new password. Enter the new password again in the confirm password field, then click Submit.
    A confirmation message will display You have changed your password.
    Click OK.
    If the password for a BlackBerry ID account has been forgotten and the login is unsuccessful, use the following process to reset the password.
    Note: If the BlackBerry ID account is not confirmed, it is necessary to provide the answer to the password recovery question as part of the web based password reset flow.  To see if a BlackBerry ID account is confirmed, login to the BlackBerry ID account, select Account Details and locate the Email Status field.  For instructions on confirming the BlackBerry ID account follow  KB34137.
    To generate a password reset email, complete the following:
    Browse to the following URL using a desktop browser, the Browser on the BlackBerry smartphone or the Browser on the BlackBerry PlayBook: http://blackberryid.blackberry.com/bbid/recoverpassword
    Enter the BlackBerry ID Username (email address) and the CAPTCHA characters, then click Submit.
    Enter the Answer to the Password Recovery Question, then click OK. (Answering the recovery question is only required if the BlackBerry ID account is not confirmed)
    A confirmation message will be displayed A password reset email has been sent to [email protected] , at which point, a reset email will be delivered to the associated email address inbox.
    Login to the email account associated to the BlackBerry ID using the desktop browser, BlackBerry Browser on the BlackBerry smartphone or the browser on the BlackBerry PlayBook.
    Locate the password reset email and select the Change your BlackBerry ID password link.
    Note: The BlackBerry ID reset email will come from [email protected]. If the email is not found in the inbox, check the Spam or Junk folder.
    When the password reset page loads, enter the Answer to the Password Recovery Question, enter the New Password, Confirm Password, then click Submit.  
    Note: Answering the recovery question is only required if the BlackBerry ID account is not confirmed. 
    A confirmation message will display once the changes have been saved successfully.
    Moving forward use the newly created password whenever logging into BlackBerry ID.
    Note: If the BlackBerry ID email address is a BlackBerry mail address (e.g. <username>@tmo.blackberry.net), the BlackBerry ID password reset email will not be received on the BlackBerry smartphone. Since the BlackBerry mail address is not accessible from a computer, the steps outlined in KB28111 will need to be performed.
    IT ALL LEADS BACK TO THE SAME UNHELPFUL NON-SOLUTION OF USE THE PASSWORD RECOVERY QUESTION.... 
    Can the tech department of Blackberry please sort out this ridiculous unhelpful system by sending customers a direct email if password is forgotten so they can reset without having to go through the above without finding a solution. 
    THANK YOU.
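The lockout rules quoted from KB24157 in the post above are easier to compare side by side when modelled. The following Python is an added example, not BlackBerry's code: the class and function names are hypothetical, and since the KB text does not say what a correct password does to a counter, the example assumes it clears it.

```python
LIMIT = 10                 # failed attempts before lockout (KB24157)
LOCK_SECONDS = 15 * 60     # length of the timed lockout (KB24157)


class TimedLockout:
    """Local-device and Forgot-Password behaviour: 10 failures lock for
    15 minutes; afterwards one try is allowed and a failure re-locks."""

    def __init__(self):
        self.failures = 0
        self.locked_until = None

    def attempt(self, correct, now):
        if self.locked_until is not None and now < self.locked_until:
            return "locked"                    # input is not evaluated at all
        if correct:
            self.failures, self.locked_until = 0, None   # assumption: success clears
            return "ok"
        self.failures += 1
        if self.failures >= LIMIT:             # 10th failure, or the single retry
            self.locked_until = now + LOCK_SECONDS
            return "locked"
        return "failed"


class AccountServerLockout:
    """Server-side counter shared by every interface; the 10th failure locks
    the account until the password is reset."""

    def __init__(self):
        self.failures = 0
        self.locked = False

    def attempt(self, correct, source):
        # source is accepted only to show that all interfaces feed one counter
        if self.locked:
            return "locked"
        if correct:
            self.failures = 0                  # assumption: success clears
            return "ok"
        self.failures += 1
        self.locked = self.failures >= LIMIT
        return "locked" if self.locked else "failed"

    def reset_password(self):
        self.failures, self.locked = 0, False


def kb_scenario():
    """Replay the KB's 5 + 5 example and the one-try rule (times in seconds)."""
    server, device = AccountServerLockout(), TimedLockout()
    web = [server.attempt(False, "web") for _ in range(5)]
    edit = [server.attempt(False, "playbook-edit") for _ in range(5)]
    out = {"fifth_web": web[-1], "fifth_edit": edit[-1]}
    out["server_correct_while_locked"] = server.attempt(True, "web")
    out["local_sign_in"] = device.attempt(True, now=0)   # device is unaffected
    server.reset_password()
    out["server_after_reset"] = server.attempt(True, "web")

    dev = TimedLockout()
    out["tenth_local"] = [dev.attempt(False, now=t) for t in range(10)][-1]
    out["correct_during_lock"] = dev.attempt(True, now=60)
    out["single_retry_wrong"] = dev.attempt(False, now=9 + LOCK_SECONDS)
    out["correct_after_retry"] = dev.attempt(True, now=10 + LOCK_SECONDS)
    out["correct_after_second_lock"] = dev.attempt(True, now=9 + 2 * LOCK_SECONDS)
    return out


if __name__ == "__main__":
    for step, outcome in kb_scenario().items():
        print(f"{step}: {outcome}")
```
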

    Hi and Welcome to the Community!
    Please see this "sticky" post, along with the threads to which it links, for helpful information to guide you as you proceed:
    http://supportforums.blackberry.com/t5/Social-Lounge/How-This-Site-and-Formal-Support-Work/td-p/2540...
    Hopefully, this information will be of use to you.
    That said, it sounds like you have exhausted all of the automatic recovery methods...but just in case, please see this "sticky" post for helpful information concerning your BBID situation:
    http://supportforums.blackberry.com/t5/BlackBerry-World/How-to-regain-access-to-your-BBID/td-p/25467...
    Hopefully, this information will be of use to you.
    But do please keep in mind that security is a 2-way street...the human element plays an equal part in that security, and you have failed at that in this situation, yet desire for the automated methods to still recover for you. Such just isn't possible, because your failure has exceeded the capabilities of the automated methods.
    Hence, you likely need human intervention from an actual BB representative, which is not available in this forum (as discussed in the first link I gave you above). But, the methods to attempt to seek human intervention are posted within the 2nd link I gave you.
    Cheers, and Good Luck!
    Occam's Razor nearly always applies when troubleshooting technology issues!

  • User account question

    I am wanting to use contribute to allow a client to create a new page to update a 'customer page' that tells the status of his clients projects.
    I have considered InContext, but i need for him to be able to create a whole new page from scratch with a separate url. i set him up with another program that password protects the url for client login.
    I could not tell from the description page if this is the right program or not. Or is Contribute just for web developers? I was looking for something like GoLive used to have for CMS function, where a client can log in and create a page and edit it.
    Or if anyone has a better solution, i'm all ears.
    Thanks!

    Hi Burgessf,
    To view all user accounts locally created on ASA , go to ASDM--->Device Management--->Configuration-->Users/AAA-----> User Accounts.
    Also if Active Directory is integrated for user authentication, then see which OU is specified under base DN attributes. ASA can query only that OU for user authentication.
    Device Management-->Configuration----->AAA server Group--->Servers in the selected Group--->Select AD server------>Edit----> Base DN----->OU= what ever OU specified there.
    All users specified in that OU can login to the device but they may have different level of authorization.

  • This computer is already associated with an Apple ID

    I'm trying to download music I've purchased (in the past) via iTunes into my iMac. The past purchases were made [principally] via my iPad and, as a consequence, the actual music media is resident on my iPad. Since these music purchases, I've purchased an iMac. And, since the purchase of the iMac, I've received an iPod Nano as a gift (Christmas). The iMac is shared between my family members, each with their own Apple-ID and associated account. When I try to download the music I've purchased (in the past) via the "cloud icon" in iTunes, the iTunes store indicates "This computer is already associated with an Apple ID" and I need to wait "90 days" until I can download the rest of my music. So, I cannot download ANY music into the iMac under my personal user account and Apple-ID.
    However, the aforementioned problem has disabled downloading music to my recently acquired iPod Nano (a Christmas gift), because the iPad Nano *can only obtain music via iTunes, via an iMac" (the IPod Nano lacks WiFi, so sync'ing can only be achieved via a USB-v2.0 port). So, my options are:
    Buy another iMac desktop computer to download music to my iPod,
    Wait until my birthday after March 2014 to actually use the iPod Nano I received on Christmas 2013.
    Coordinate my iTunes purchases and potential gifts to occur on three (3) month boundaries and ensure that my iMac computer is NOT associated to any other Apple ID during this three (3) month period.
    If option (3) get violated, implement Option (1) for any Apple device purchase.
    Just as an aside, I'm a systems engineer and a software programmer of ~30 years. Honestly, the aforementioned options are the only options I have at this time to load purchased music into my iPod Nano (without hacking into my iMac to modify its MAC address). To me the whole iTunes thing seems a bit impetuous (being naive, unsophisticated, excessive, ridiculous). But maybe I don't understand the DCMA rights, media purchases, and Apple's marketing and sales strategies. But, REALLY?! c'mon Apple! Why not use the customer's Apple-ID *and* MAC address to verify authentication per device? Just using the MAC address would be OK if I were the only user of the *family's* iMac desktop computer. But, then, maybe that's an Apple sales strategy, only one user per iMac desktop computer? If this is the case, I will be visiting my local Apple Store to *DEMAND* a refund for all purchased Apple products (phones, tablets, laptops, desktop computers, and my iPod Nano Christmas gift) and I'm going back to Android, Linux, and Amazon-MP3s.

    Same issue here.
    It's not an error. It's a purposeful, arbitrary restriction put in place by content owners to prevent law-abiding citizens from organizing, sharing and using media that they purchased. Never mind that a nefarious pirate can circumvent these restrictions with 17 keystrokes.
    It's the equivalent of the TSA: They're very good at finding Grandma Gertrude's nail clippers, but not so good at catching a shoe bomber.
    God forbid that my wife has access to a file I downloaded with my iTunes account on a computer associated with my Apple ID. So let's prevent the converse by preventing her from signing in to the same computer using her Apple ID.
    Pretty obscene--and pretty much useless--restriction.

  • Windows 8 will not connect to jetpack

    Our new windows 8 computer will connect just fine to public wifi, like Starbucks, Zaxbys, etc but will not with my jetpack 890L. I had it set to WPA2-PSK, it would not even hook to it, then I changed it to no security and it would hook up but limited and not go to any webpages. Everything else in the house has no problem with either setting. Also the software on the Jetpack is up to date.

    Hi TorreyS,
    This is a very unique issue. If everything else connects properly to your Jetpack, it must be some compatibility issue with your Windows 8 computer. Can you run your computer in previous Windows version compatibility mode? Check with your computer manufacturer for instructions on this. This can also be an authentication issue. Try authenticating your devices via MAC filtering. See link below for instructions. Keep us posted.
    http://support.verizonwireless.com/clc/devices/knowledge_base.html?id=50189&lid=sayt&sayt=mac
    AntonioC_VZWSupport
    Follow us on Twitter at www.twitter.com/VZWSupport

  • ISE 1.2 & AD & Meraki - Per User Group Policy ?

    I am working on a PoC for a deployment in an MDU. We are using Meraki switches and access points. There are 250 units in the building, each unit will have its own subnet. The goal is to have the tenant be able to connect to a common building SSID and be placed into their assigned VLAN. There will also be physical ports in each unit that will need to do the same. I am trying to figure out a way to use ISE to authorize on a per user basis and not based on groups of users. On the Meraki system there are group policies that will assign the VLAN for the user as well as any type of layer 7 firewalling and bandwidth control. So there will be 250 group policies, one for each unit. There is a deployment guide that shows how to set up ISE for use with Meraki and it is great but it assumes that there will be large groups like Employees, Contractors, etc. that will be used. This is where I'm being tripped up, also... this is my first swing at a NAC deployment so I have a lot to learn.
    1.Can I setup each user in Active Directory to have a tag that ISE can then forward on to Meraki for the group policy? Say it's unit 101 and I have a group policy called 101 in Meraki, Meraki documentation says to use the Airespace-ACL-Name attribute in ISE to indicate the group policy to use. This gives me the ability to place a group into that policy but not an individual. Or would this be better done by creating the users in ISE directly? Omit AD entirely?
    2. Each unit will have devices that will need MAB because they are not 802.1x compatible. I need to do the same as above with them. I would create a separate SSID for these devices but then use the MAC address to authenticate them but will need to authorize them to go into a specific group policy.
    I know this isn't a typical ISE application but I think that this will work really well in the end, just need to iron out these details and get a test system functioning. Any help would be greatly appreciated!!!
    Thanks,
    Nathan

    Please find the Meraki_ISE integration doc. in attachment.
    When VLAN tagging is configured per user, multiple users can be associated to the same SSID, but their traffic is tagged with different VLAN IDs. This configuration is achieved by authenticating wireless devices or users against a customer-premise RADIUS server, which can return RADIUS attributes that convey the VLAN ID that should be assigned to a particular user’s traffic.
    In order to perform per-user VLAN tagging, a RADIUS server must be used with one of the following settings:
    MAC-based access control (no encryption)
    WPA2-Enterprise with 802.1x authentication
    A per-user VLAN tag can be applied in 3 different ways:
    The RADIUS server returns a Tunnel-Private-Group-ID attribute in the Access-Accept message, which specifies the VLAN ID that should be applied to the wireless user. This VLAN ID could override whatever may be configured in the MCC (which could be no VLAN tagging, or a per-SSID VLAN tag). To have this VLAN ID take effect, “RADIUS override” must be set to “RADIUS response can override VLAN tag” under the Configure tab on the Access Control page in the “VLAN setup” section.
    The RADIUS server returns a group policy attribute (e.g., Filter-ID) in the Access-Accept message. The group policy attribute specifies a group policy that should be applied to the wireless user, overriding the policy configured on the SSID itself. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user.
    On the Client Details page, a client can be manually assigned a group policy. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user. 
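The first two methods in the reply above both come down to attributes carried in the RADIUS Access-Accept. As an added example (not taken from the Meraki document or from either poster), this Python code parses a RADIUS reply and extracts the VLAN ID from Tunnel-Private-Group-ID and the group policy name from Filter-Id. The sample packet is constructed, the function names are hypothetical, and verification of the Response Authenticator with the shared secret is assumed to happen elsewhere.

```python
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 2868)
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
FILTER_ID = 11
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # RFC 3580
TUNNEL_MEDIUM_IEEE_802 = 6     # RFC 3580


def parse_attributes(packet):
    """Return (code, [(type, value), ...]); raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def tagged_int(value):
    """Tunnel-Type / Tunnel-Medium-Type: one tag byte, then a 3-byte integer."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 bytes")
    return int.from_bytes(value[1:], "big")


def tagged_string(value):
    """Tunnel-Private-Group-ID: a first byte <= 0x1F is a tag, not text."""
    if value and value[0] <= 0x1F:
        value = value[1:]
    return value.decode("ascii")


def authorization_result(packet):
    """Extract what the access point would act on from one RADIUS reply."""
    code, attrs = parse_attributes(packet)
    result = {"accepted": code == ACCESS_ACCEPT, "vlan": None, "group_policy": None}
    if not result["accepted"]:
        return result                      # ignore attributes on a reject
    tunnel_type = medium = group = None
    for a_type, value in attrs:
        if a_type == TUNNEL_TYPE:
            tunnel_type = tagged_int(value)
        elif a_type == TUNNEL_MEDIUM_TYPE:
            medium = tagged_int(value)
        elif a_type == TUNNEL_PRIVATE_GROUP_ID:
            group = tagged_string(value)
        elif a_type == FILTER_ID:
            result["group_policy"] = value.decode("utf-8")
    # RFC 3580 sends the three tunnel attributes as a set; requiring all three
    # before trusting the VLAN is this example's choice.
    if (tunnel_type == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_IEEE_802
            and group is not None and group.isdigit() and 1 <= int(group) <= 4094):
        result["vlan"] = int(group)
    return result


def build_packet(code, attrs, ident=1):
    """Constructed test packet; the 16-byte authenticator is zeroed, not computed."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


# Constructed sample: unit 101 from the question, VLAN 101 and group policy "101".
SAMPLE_ACCEPT = build_packet(ACCESS_ACCEPT, [
    (TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
    (TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
    (TUNNEL_PRIVATE_GROUP_ID, b"101"),
    (FILTER_ID, b"101"),
])

if __name__ == "__main__":
    print(authorization_result(SAMPLE_ACCEPT))
```
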

  • I'm trying to find all references to a domain in ISE

    We've renamed our internal domain and I'm looking for a way to find all references to our old domain so I can delete it.  I've gone through all of the authorization/authentication/etc. and it still says "Error One or more of the groups being deleted are referred to by another component..." I don't know where it's being referenced to update/remove it.
    Anyway to locate all references to an object? 

    Hello David, unfortunately there isn't such a feature in ISE. I used to do voice for a while and CallManager has a nice feature called "dependency records" which would do exactly that :)
    Here are a few places you can check and see if the AD configuration is being referenced:
     - Identity Store Sequences
     - Guest portal authentication
     - Sponsor portal authentication
     - My Device Portal
     - ISE administrative access via AD
     - Client Provisioning rules
     - Posture Assessment rules
     - Custom created authentication and authorization conditions that were saved to the library
     - Default authentication/authorization conditions in policy sets
    I hope this helps!
    Thank you for rating helpful posts!

  • ISE and AAA configuration

    Hi Guys,
    I am using ISE with only one server as primary, and as Cisco says it has the functionality of (ACS + NAC). I want to enable AAA services on the ISE box right now.
    I used the ACS earlier and want to configure the same functions on it.
    Authentication of devices from ISE when remote login to router/switches/firewalls.
    Authorization of commands from ISE based on user login
    Accounting of command and login and logout details of user.
    I have very basic knowledge of ISE but I used ACS thoroughly.
    Please Help  in the above issue.
    Thanks in Advance
    Regards

    Can you give any link where it shows TACACS is not supported.
    You find that amongst others in the Q&A:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html
    Can you tell where need to enable these settings for AAA services.
    That's a quite complex thing ... Best you start with the ISE policies:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_authz_polprfls.html
    Then look at the ACS migration-tool:
    http://www.cisco.com/en/US/docs/security/ise/1.0.4/migration_guide/ise104_mig_book.html
    But don't expect that the tool will migrate your ACS policies in a useful way ... There is much handwork involved to end up with a good ISE policy.

  • ISE BYOD Error: "We are unable to determine access privileges" on redirect

    I am running ISE 1.1.1 and have gone through the design guide and set up the certificate-based wireless authentication and device registration process using the ISE as a SCEP proxy for handing out certificates. On the device registration portal, instead of showing the device MAC, the policy services node MAC shows up and I get an error that says "We are unable to determine access privileges in order to access the network. Please contact your adiminstrator."
    Then an hour later I can connect just fine. The authentication logs on ISE are exactly the same in both cases. So it seems like a bug. I opened a TAC case but am also posting here.

    I haven't opened a TAC case and haven't seen this issue since I first set this up.
    Can you go to your devices portal (https://ipofise:8443/mydevices), log in using your credentials and see if the device is registered or the status is set to lost. I would suggest deleting it if it is there and going through the process again.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • 802.1x with dACL - invalid attribute prefix: "ACS"

    Dear All,
    I've spent half a day trying to solve this without success, I hope you could help me.
    I've configured a simple 802.1x solution on a pilot PC that has to authenticate users via PEAP-MSCHAPv2 against my ACS Internal User database.
    Switch version:
    Model number                    : WS-C3750V2-48PS-S
    Software:     c3750-ipbasek9-mz.122-52.SE.bin
    ACS:
    C1121 with version 5.3.0.40
    The problem occurs when the ACS sends within the Authentication-Accept radius packet the following attribute:
    cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-AUTH-4eb90704
    At the switch side I see the following debug log:
    002558: Nov  8 14:31:35.586: %AUTHMGR-5-START: Starting 'dot1x' for client (0022.680b.da7b) on Interface Fa1/0/1 AuditSessionID AC1FFE4E0000003105BCDE19
    002559: Nov  8 14:31:35.703: AAA/ATTR: invalid attribute prefix: "ACS"
    002560: Nov  8 14:31:35.703: %DOT1X-5-FAIL: Authentication failed for client (0022.680b.da7b) on Interface Fa1/0/1 AuditSessionID AC1FFE4E0000003105BCDE19
    002561: Nov  8 14:31:35.703: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'dot1x' for client (0022.680b.da7b) on Interface Fa1/0/1 AuditSessionID AC1FFE4E0000003105BCDE19
    802.1x switch related config:
    GLOBAL:
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    radius-server host 172.31.254.140 auth-port 1645 acct-port 1646
    radius-server host 172.31.254.141 auth-port 1645 acct-port 1646
    radius-server key 7 123415ASFASFAS55512
    radius-server vsa send accounting
    radius-server vsa send authentication
    ip device tracking
    ip access-list extended DEFAULT-ANY
    permit ip any any
    PORT SPECIFIC
    interface FastEthernet1/0/1
    description 802.1x Template Port
    switchport access vlan 244
    switchport mode access
    ip access-group DEFAULT-ANY in
    authentication event fail action next-method
    authentication open
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    end
    The authentication at the ACS side is successfully completed but for some reason the switch cannot understand the attribute sent to it by the ACS.
    Why does the authentication result in 'server-dead'?
    I've hereby attached the authorization profile, the downloadable ACL and the RADIUS authentication detail for the request...
    Any idea?
    Thanks a lot!

    Yes, I came across the same issue and ended up as a bug with the 3750
    CSCtj28883 dACL attribute parsing failed when 'aaa author' debug turned ON
    description is
    DACL processing fails when the following debugging parameters are turned on.
    1. debug aaa attr
    2. debug aaa authorization
    The same works fine when they are turned down. Attaching the switch log.
    I believe it was resolved in version 3750-Build 12.2(55), going by the following note attached to the bug, since it was found to be unreproducible on later builds:
    Submitter has confirmed that the bug is not seen on 55SE image.
    The issue is only seen in 53SE
    You can also try switching the debugs off.
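The failure signature discussed in this thread (the AAA/ATTR prefix error, then %DOT1X-5-FAIL and a 'server dead' result for the same session) can be picked out of collected switch logs. This is an added example, not code from either poster; the function name, the 500 ms correlation window and the placeholder year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Debug lines copied verbatim from the post above.
SAMPLE_LOG = """\
002558: Nov  8 14:31:35.586: %AUTHMGR-5-START: Starting 'dot1x' for client (0022.680b.da7b) on Interface Fa1/0/1 AuditSessionID AC1FFE4E0000003105BCDE19
002559: Nov  8 14:31:35.703: AAA/ATTR: invalid attribute prefix: "ACS"
002560: Nov  8 14:31:35.703: %DOT1X-5-FAIL: Authentication failed for client (0022.680b.da7b) on Interface Fa1/0/1 AuditSessionID AC1FFE4E0000003105BCDE19
002561: Nov  8 14:31:35.703: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'dot1x' for client (0022.680b.da7b) on Interface Fa1/0/1 AuditSessionID AC1FFE4E0000003105BCDE19
"""

LINE = re.compile(r"^\d+: (\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d{3}): (.*)$")
PREFIX_ERR = re.compile(r'AAA/ATTR: invalid attribute prefix: "([^"]+)"')
SESSION = re.compile(r"client \(([0-9a-f.]+)\) on Interface (\S+) AuditSessionID (\w+)")


def find_dacl_parse_failures(log_text, window_ms=500):
    """Return one finding per session whose dot1x failure follows an
    attribute-prefix parse error within window_ms (assumed window)."""
    window = timedelta(milliseconds=window_ms)
    pending = []  # (timestamp, rejected prefix); these lines carry no session ID
    hits = {}     # AuditSessionID -> finding
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # The log has no year; 2000 is a placeholder so parsing is unambiguous.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S.%f")
        msg = m.group(2)
        err = PREFIX_ERR.search(msg)
        if err:
            pending.append((ts, err.group(1)))
            continue
        sess = SESSION.search(msg)
        if not sess:
            continue
        mac, intf, sid = sess.groups()
        near = [pfx for t, pfx in pending if timedelta(0) <= ts - t <= window]
        if "%DOT1X-5-FAIL" in msg and near:
            hits[sid] = {"session": sid, "mac": mac, "interface": intf,
                         "prefix": near[-1], "server_dead": False}
        elif "%AUTHMGR-7-RESULT" in msg and "'server dead'" in msg and sid in hits:
            hits[sid]["server_dead"] = True
    return list(hits.values())


if __name__ == "__main__":
    for finding in find_dacl_parse_failures(SAMPLE_LOG):
        print(finding)
```

A hit only shows the log signature; whether it is the bug cited in the reply still depends on the image version and on the debugs being enabled, as that reply describes.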

  • Roaming between APs causes reauthenticaion w/ CCKM

    I have a small set up with a 2106 controller and two 1252AG access points.
    Each AP is on a side of a floor less than 100' from each other. But with columns and partitions in the way they just barely overlap one another.
    I have 2 WLANs configured with [WPA + WPA2][Auth(802.1X + CCKM)] (One is for N and one is for B/G). Testing is being performed with a MacBook Pro. When I roam from one AP to the other I am still prompted to reauthenticate.
    Does the MBP not support CCKM? Perhaps the fact we are using token based auth?

    CCKM-authenticated client devices can roam from one AP to another without any perceptible delay during reassociation. An AP on the network provides Wireless Domain Services (WDS) and creates a cache of security credentials for CCKM-enabled client devices on the subnet. The WDS AP's cache of credentials dramatically reduces the time required for reassociation when a CCKM-enabled client device roams to a new AP. When a client device roams, the WDS AP forwards the client's security credentials to the new AP. The reassociation process is reduced to a two-packet exchange between the roaming client and the new AP. Roaming clients reassociate so quickly that there is no perceptible delay in voice or other time-sensitive applications.

  • ISE licenses and Profiling service

    Hi,
    I tried to find proper explanation of how ISE licenses are used but I am still not sure of one thing.
    With the Plus license, when the profiling service is turned on, is the number of endpoints consumed from the Plus license for every endpoint that has been profiled and successfully authenticated, or will the number be consumed from the Base license first?

    A successfully Authenticated device draws from the Base License.
    A Profiled device draws from the Plus License.
    A successfully Authenticated profiled device draws from both. 
    This is why you need at least as many Base as Plus or Apex Licenses.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton
