Cisco 5512-x v9.1 help
Hi Guys,
I need some help/advice on the configuration below, as I want to configure port forwarding to separate internal devices to serve external parties. I have only one WAN IP, which is already assigned to the firewall's outside interface...
External User ---->ASA------>Server, NAS
Please help, I am having difficulties making it work.
Hi Eddy,
Thanks for the reply. I tried the above command but it's not working... do I have to add any ACL?
interface GigabitEthernet0/0
nameif outside
security-level 0
pppoe client vpdn group gcmjp
ip address pppoe setroute (1.1.1.1)
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface GigabitEthernet0/2
nameif WiFi
security-level 50
ip address 192.168.3.1 255.255.255.0
interface GigabitEthernet0/3
nameif Phoneline
security-level 90
ip address 192.168.4.1 255.255.255.0
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network JP_LAN
subnet 192.168.2.0 255.255.255.0
object network SG_LAN
subnet 192.168.1.0 255.255.255.0
object network Synology1
host 192.168.2.155
object network Synology2
host 192.168.2.243
object network BackupServer
host 192.168.2.11
object network JP
subnet 192.168.2.0 255.255.255.0
object network WiFi
subnet 192.168.3.0 255.255.255.0
object network NAS5006
host 192.168.2.155
object network Server3389
host 192.168.2.11
object service RDP3389
service tcp source eq 3389 destination eq 3389
object service NAS5003
service tcp source eq 5003 destination eq 5003
object-group service RDP tcp
port-object eq 3389
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu WiFi 1500
mtu Phoneline 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static JP_LAN JP_LAN destination static SG_LAN SG_LAN no-proxy-arp route-lookup
nat (inside,outside) source dynamic JP_LAN interface
nat (WiFi,outside) source dynamic WiFi interface
object network Synology1
nat (inside,outside) static interface service tcp 5003 5003
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
Similar Messages
-
Hi Guys,
Here is my basic setup
I have an ASA 5512 gig0 connects to the internet
G1 connects to the inside on 192.168.35.254 and then plugs directly into a switch.
I'm confused about the setup to get the IPS running. Do I need to put the IPS in the same range as my inside interface? And what do I set the IPS gateway to, 192.168.35.254, my inside ASA interface?
Once this is done, do I need to set up a rule within the MPF to forward all traffic to it?
Thanks
James
Also check these helpful ASA IPS config links:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/modules_ips.pdf
http://itzecurity.blogspot.co.uk/2013/12/configuring-cisco-asa-ips-module.html
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/asdm64/configuration_guide/asdm_64_config/modules_ips.pdf
http://www.cisco.com/c/en/us/td/docs/security/ips/7-1/configuration/guide/cli/cliguide71/cli_asa_ips.html -
Cisco ASA 5505 Configurations. Help... Beyond Frustrated
Hello All,
I'm fairly new to Cisco products and Network management in general. At my place of employment, I was hired as an IT Tech- Repair and Building computers, most aspects of Physical networking, and software refresh/upgrades as well as solving compatibility issues among a plethora of other things. I've configured APs, a couple Catalyst switches, a router or two, and that is about the breadth of my Cisco knowledge. I was kind of thrown into a project which is to update the current inventory of computers which all run Windows XP Professional. We are making a capital purchase of 20 Laptops and 40 Desktops all of which will run Windows 7. This means the outdated PIX they were using is now useless. I purchased a Cisco ASA 5505 (Version 8.2(1)) because it is compatible with Windows XP and Windows 7. I have spent several days and sleepless nights trying to figure out how to configure this thing. I was hoping to use SSL for the VPN. I did some basic configurations just to get started but like I said, I have no real experience with Adaptive Security Appliances and I am so frustrated right now. I tried using the Wizard to no avail. I did a write erase using CLI and tried to configure that way but I'm doing something wrong as far as I can tell. The configurations were mostly pulled from here, the Cisco Community, and a couple other web sites.
I’m connecting the ASA 5505 to a cable modem (gateway 24.39.245.33) and to our Netvanta for VPN purposes. Here are the commands/what I have configured so far:
hostname AMDASA
domain-name asa.(mydomain).com
enable password (encrypted)
passwd (encrypted)
interface Ethernet0/0
description TWCoutside
switchport access vlan 2
no shutdown
write mem
exit
interface Ethernet0/1
description Port1inside
switchport access vlan 1
no shutdown
write mem
exit
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.250 255.255.255.0
write mem
exit
interface Vlan2
nameif outside
security-level 0
ip address 24.39.245.36 255.255.255.240
write mem
exit
object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
write mem
exit
ftp mode passive
write mem
clock timezone EST -5
clock summer-time EDT recurring
write mem
exit
dns server-group DefaultDNS
domain-name asa.adcmotors.com
write mem
exit
access-list acl_outside extended permit icmp any any object-group DefaultICMP
access-group acl_outside in interface outside
access-list acl_inside extended permit icmp any any object-group DefaultICMP
access-group acl_inside in interface inside
write mem
exit
write mem
That is the extent of the configuration I made via CLI. I don't know how to set the DNS lookup from a static port and I have no idea what else I'm supposed to do after the above configuration. Is there a place to actually obtain ALL of the configuration needed to VPN in? Is there an easier way to make this thing work? I've seriously grown a patch of gray hair because of this device. Please help me if you can!!!!!!
Hi our desperate friend.
First I would suggest using the Cisco VPN Client instead of SSL VPN (AnyConnect). The configuration is a bit simpler, and for the SSL VPN you would need to install the client on the ASA and purchase an additional license if you plan to have more than 2 clients. The VPN Client usually comes with the ASA. If you don't have it or don't have access to download it from cisco.com, go to the person from whom you purchased your ASA and ask him how to get it.
That said, I also think that your ASA lacks some basic configuration as of now, if you are planning to use this as a replacement for your current PIX. You would need to configure a default route and some basic NAT:
route outside 0.0.0.0 0.0.0.0 24.39.245.33
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
Now regarding the VPN Client configuration, you would need something like this:
Create an isakmp policy:
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Create a couple of ACLs that we will use later:
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list split_tun standard permit 192.168.0.0 255.255.255.0
Create a Pool for the VPN Clients to use:
ip local pool TestPool 192.168.100.1-192.168.100.20 mask 255.255.255.0
Create a Group Policy:
group-policy TEST internal
group-policy TEST attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tun
Create a group:
tunnel-group TEST type ipsec-ra
tunnel-group TEST general-attributes
address-pool TestPool
authentication-server-group LOCAL
default-group-policy TEST
tunnel-group TEST ipsec-attributes
pre-shared-key cisco123
Create crypto map and do a NAT 0:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface outside
nat (inside) 0 access-list nonat
Finally create a user that you will use to connect:
username test password test123
Then you would need to configure your VPN Client to connect to the ASA.
Here is a config example of VPN clients to the ASA. It uses an external server for the authentication, but just skip those parts. For the initial config you might want to keep the authentication local.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml
I hope this helps. Feel free to ask if you have any questions. Also, it would be very useful if you could upload the current config (show run) of the ASA in case you need to ask something else.
Have fun.
Raga -
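As an added example (the editor's config, not Raga's and not a Cisco reference), here is the same IKEv1 remote-access setup with the changes a security engineer would make before exposing it on the internet: AES-256 and DH group 5 in place of 3DES and group 2 (both available on 8.2), NAT traversal set explicitly because clients behind a home router (as in the XP thread further down) usually cannot connect without it, the tunnel group pointed at the LOCAL database the username is created in, a vpn-filter so a connected client can reach only the services it needs, and placeholders where the pre-shared key and password go. The names RA-VPN, RA-GP, RA-POOL and ra-vpn-filter, the 192.168.100.0/24 pool and RDP (tcp/3389) as the only permitted service are assumptions. Lines starting with '!' are comments.

```cisco
! Added example, ASA 8.2 syntax. Not the original poster's configuration.
! Replace <long-random-secret> and <strong-password> before use; the
! pool, ACL and group names are assumptions.
!
! Phase 1: AES-256 / SHA-1 / DH group 5 instead of 3DES / group 2.
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
! Address pool handed to connecting clients.
ip local pool RA-POOL 192.168.100.1-192.168.100.20 mask 255.255.255.0
!
! nonat: exempt LAN <-> VPN-pool traffic from the outside PAT.
! split_tun: only the LAN is sent through the tunnel.
! ra-vpn-filter: written with the VPN client as the source; a client may
! only open RDP to the LAN and ping it, nothing else.
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list split_tun standard permit 192.168.0.0 255.255.255.0
access-list ra-vpn-filter extended permit tcp 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 3389
access-list ra-vpn-filter extended permit icmp 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Group policy: IPsec only, split tunnel, per-client filter, idle timeout.
group-policy RA-GP internal
group-policy RA-GP attributes
 vpn-tunnel-protocol ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tun
 vpn-filter value ra-vpn-filter
 vpn-idle-timeout 30
!
! Tunnel group: authenticate against the LOCAL user database, the same
! database the username below is created in.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool RA-POOL
 authentication-server-group LOCAL
 default-group-policy RA-GP
tunnel-group RA-VPN ipsec-attributes
 pre-shared-key <long-random-secret>
!
! Phase 2 and the dynamic crypto map for clients with unknown addresses.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map OUTSIDE_DYN 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 10 ipsec-isakmp dynamic OUTSIDE_DYN
crypto map OUTSIDE_MAP interface outside
!
! Decrypted VPN traffic bypasses the interface ACLs (on by default);
! the vpn-filter above is what restricts it.
sysopt connection permit-vpn
!
! A VPN-only user: privilege 0 and service-type remote-access keep the
! account from being usable for SSH/ASDM management.
username vpnuser password <strong-password> privilege 0
username vpnuser attributes
 service-type remote-access
```

The VPN Client's group name is the tunnel-group name (RA-VPN) and its group password is the pre-shared key. Check a connecting client with `show crypto isakmp sa` and `show vpn-sessiondb remote`; if the client sits behind NAT, the ISAKMP SA should show UDP 4500 rather than 500.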
How to implement XP Cisco VPN client. Please help!!!
Hi,
I am trying to configure remote access for XP desktops using the Cisco VPN client software and a Cisco 805 router with IPsec-capable IOS (authentication should be local). The remote desktops are behind an ADSL router which does NAT translation but allows IPsec passthrough.
I have configured it but it does not work.
Can you please help me?
Thanks in advance
David
Hi guys, solved.
This very useful link:
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd7d54c/0
David -
Hi,
In a company which uses Cisco Call Manager Express with IP phones 7931, 7945, 7975, 7911, 7962...
1- I want the configuration in which the user dials a PIN code before making an outside call...?
2- I want to change the default configuration for the IP phones' days backlight not active to Thursday and Friday, and the backlight on duration to 1:30.
I did the following commands but they don't take effect.
Router(config)# telephony-service
Router(config-telephony)# service phone daysBacklightNotActive 6
Router(config-telephony)# service phone backlightOnDuration 1:30
Router(config-telephony)# service phone backlightIdleTimeout 01:00
Router(config-telephony)# create cnf-files
Router(config-telephony)# reset all
3- I have ringtone files in the flash (sh flash attached). I want all the ringtones to appear on all the IP phones when I press Settings, then User Preferences and then Rings; I can only see two ring tones.
Thanks for your help
My reply may be too late to be of any help to you, but for the benefit of others:
Be sure you understand the different types of PoE out there. The Linksys PoE switch only supports the newer IEEE 802.3af PoE standard.
The 7940, 7960, 7905 and other older Cisco phones only support Cisco pre-standard PoE and thus will not work with the 802.3af Linksys switch.
To use this switch, you will need to make sure you are using the newer 7070, 7961, 7941 phones, which support both pre-standard and 802.3af PoE.
All the best,
John -
Cisco catalyst 2960 booting garbage, help on restore IOS
Dear All,
This is my first time on terminal access of Cisco Catalyst 2960 (2960TC-L), normally would use the web configuration for most task.
Now the switch has an issue with the web interface, and when I try to access it through the terminal I am greeted with garbage when the switch boots. I searched for the terminal boot process and it wasn't what I expected for my switch. I am a bit dumbfounded now as to how I can recover the firmware to its default state, now that I cannot even boot through its terminal console.
Any help is highly appreciated. Thank you for your time.
Hi,
I just verified with my colleague, who had done quite a few bits before I took over his task.
His reply was that he actually did an IOS flash before. I'm not sure how he did it, but according to him it was actually a success and the web interface still worked a few times before it became like this.
As I tried another time to go into root mode (or Admin mode??) on the switch, the steps I performed are below:
1. Refer to cisco-2960-putting-setting.jpg for the settings. I press Open and it does display the console window, no issue there.
2. I hold the "mode" button on the switch and turn on the switch power, and after a few seconds the screen displays as such (refer to cisco-2960-putty-output2.jpg); the SYST LED did flash with the following pattern: green (blink ~15 times), then orange-green (repeat blink twice), then green (steady light). For this I was expecting it to go off after a few seconds but it didn't; I waited about a minute before I let go of the "mode" button.
3. After I let go of the "mode" button, it goes to the screen (refer to cisco-2960-putty-output3.jpg), and the SYST LED is still blinking, possibly infinitely... with the console output screen staying like that... and whatever I enter displays weird/garbage characters instead; I can't do anything on it.
Each try displays different weird characters, as the SYST LED still blinks infinitely.
I'm unsure if I'm giving enough details for online troubleshooting, I'll try my best to give as per instructed.
Thank you for your time. -
Cisco Aironet ap1141n-e-k9 help configuration
Hi all,
I have just got a brand new Aironet access point belonging to the 1140 series (1141n-e-k9). It has been a while since I last worked with Cisco devices and I really need a little help to configure this AP (a useful link is also appreciated).
I have an existing (wired) network with a DHCP server that provides IPs for the following range: 192.168.1.0/24 (default gw 192.168.1.254).
I would like to configure this new AP with IP 192.168.1.253 on the gigabit ethernet interface, while the radio interface would have IP 192.168.2.1 and act as a DHCP server for the following range: 192.168.2.0/24.
Maybe it could be configured in another way, but it's important for me to have clients connected to the AP in a subnet (i.e. 192.168.2.0/24) different from the existing one (192.168.1.0/24). Is it possible?
I read the manual with the title "Cisco IOS Software Configuration Guide for Cisco Aironet Access Points" but I really can't figure out how to accomplish this simple (I guess) task.
Any help (links,tips or tricks) would be really appreciated (since my brain is about to blow up )
TIA,
Antonio
Hi Scott,
Thanks for your answer and for the links you provided; however I have a problem with that.
Is it possible to find a solution for this problem internal to the AP? (Sorry if my question sounds stupid.)
At the moment I can't "put my hands" on the device the AP is connected to (it's a customer's requirement, unfortunately) and I don't know either whether the switch is a Cisco device. Is there a solution (maybe without VLANs) to solve my problem?
Since the AP has a GigabitEthernet interface and a radio one, couldn't I set up an IP belonging to 192.168.1.0 on the ethernet interface and an IP belonging to 192.168.2.0 on the radio dot11 interface and set up a bridge between these two interfaces?
thanks for your answer and your time,
Antonio -
Cisco MDS Kernel Error -- Need Help
#Booting bootflash:/m9100-s2ek9-kickstart-mz.4.1.3a.bin ... #
#Automatic boot of image at addr 0x00000000 #
#Starting kernel... #
# Entered kgdb_console_init:1960 #
#Oops: Exception in kernel mode, sig: 4 [#1] #
#wdt_log_count = 0: Exception in kernel mode (sig 4) #
# wdt_log_non_blocking is not defined #
How can I solve that???
Not sure what actions have been done on this switch. Downgrading/upgrading may help. Better to let Cisco TAC work on it if the problem has not been solved yet.
-
How to implement Cisco best Pratice with the help of Ciscoworks
Hi:
We have received a large number of required changes to various Cisco routers and switches of different models. For example, we need to configure
"no ip unreachables" on more than 1000 Cisco devices, under every interface in each device. Is there some method using CiscoWorks where I provide the command to be entered, and CiscoWorks looks at every router and switch and knows by itself to make the change under every interface in the equipment? Any given device can have a number of interfaces which I don't know ahead of time and which are of different types (fast, giga, tera, etc.), so I can't create a general job or a template. Going manually is endless, but it seems that the requirements of CiscoWorks are also very restrictive, so as not to enable a general job to be created.
I thank anyone for any help
We have RME, CS and CM installed , so the tools are here.
Mickey
You can use RME's baseline compliance feature for this. This feature can be found under RME > Config Mgmt > Archive Mgmt. The exact location will depend on your version of RME. A template like the following will do what you want.
Sub-mode: interface [INTF]
Body:
+ no ip unreachables
When deployed, that will add "no ip unreachables" to all interfaces that do not already have the command. -
I setup a Cisco Home Network and Need help Logging into It
Hello, I have four 2521 routers and three 2954 switches. I connected my ISPs modem from the ethernet port and plugged it into port 24 of one of my switches. I also configured the switch for VTY access and gave it a login password. I would like to log into the switch to configure it and telnet into all the other devices from a remote location. But I am unable to ping the public address assigned to me by my ISP. So I can't even telnet to the switch. Help
With help from elsewhere, I have learned how to change the colors and figured out a few other things. I have another question, though.
I want to put a Twitter widget and a comment box on my website. I have the widget code from Twitter, but it is HTML and javascript or something. Can I just put these codes into the modules of the flash template? If you look at the template, you should see that it has modules that have editable HTML text areas, but I don't know if it is limited to text or something, or if it will function correctly if I put other HTML codes in it such as script codes, etc in it.
Also, if that works, does anyone know where I can get a code to put the comment box in one of the modules? I don't mean a contact box, I mean a widget where people can leave comments and the comments display on the page, like on a myspace profile. Just something simple that allows a visitor to leave a name and a text-only comment. I would also like to be able to selectively delete comments in case of spammers, etc.
I found this, which might be what I am looking for, just a simple comment box, but this one is flash:
http://activeden.net/item/commenting-with-no-database/69183?sso?WT.ac=search_item&WT.seg_1 =search_item&WT.z_author=flashBrian
Message was edited by: ESJoeProductions -
Cisco router wrt54gs2 v1 need help
Bought the router at Wal-Mart. Girlfriend threw the box away but I have the disc. We installed the disc on her new laptop and we left my desktop hard wired. I've got DSL, so I thought that's all we had to do. Do I have to install the disc on my desktop for the router to work??? It worked for a little while, but now it's not, and when it did work it wasn't working well, because I was in trouble because her game (W.O.W) wasn't working. Now I'm no techno guy, so I really need some help with this.
Well, it seems that your router is not configured properly.
Who is your internet service provider?
In case you are using a cable connection then follow this link, and for a DSL connection follow this link. -
Cisco ASA 5512, IP NVR port forwarding
Hi,
I have a Cisco 5512 ASA with version 8.6(1)2. I have one IP NVR for IP cameras.
Please help me: how do I configure port forwarding in the Cisco ASA via CLI?
I have a static IP on the ASA, 94.56.178.222, and NVR IP 10.192.192.100.
Thank you so much.
ASA#
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 94.56.178.222 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa2969000, priority=0, domain=permit, deny=true
hits=11524, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
please advise -
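The NVR thread above and the Cisco 5512-x 9.1 thread at the top of the page need the same fix, so one added example covers both. It is the editor's config, not either poster's and not a Cisco reference; the ACL name outside_in, the object-group RDP_ADMINS and the trusted source range 203.0.113.0/24 are assumptions. Reading the packet-tracer output above: the Phase 1 route lookup ending at the identity interface indicates that no static NAT matched the destination address, and the Phase 2 acl-drop on the implicit rule means no ACL applied to the outside interface permits the flow. Both posters are missing the ACL (without one, traffic from security level 0 to a higher level is denied by default); the 9.1 thread already has the port-forward NAT for 5003 under object Synology1, while the NVR thread needs both the NAT and the ACL (substitute 10.192.192.100 and the recorder's port for the NAS host and 5003). Lines starting with '!' are comments.

```cisco
! Added example (editor's config, not the posters' or a Cisco reference).
! ASA 8.3+/9.x NAT syntax. Names not taken from the threads are assumptions.
!
! 1. One object per real host, each with its own port forward to the
!    outside interface address (works with a PPPoE-assigned or a static IP).
!    The 9.1 thread already has the 5003 rule under object Synology1; the
!    ASA rejects a second overlapping rule, so keep only one of the two
!    and use that object's name in the ACL below.
object network NAS5006
 host 192.168.2.155
 nat (inside,outside) static interface service tcp 5003 5003
object network Server3389
 host 192.168.2.11
 nat (inside,outside) static interface service tcp 3389 3389
!
! 2. The missing piece in both threads. Since 8.3 the interface ACL is
!    matched against the real (untranslated) address, so permit traffic
!    to the object, not to the public IP. A forwarded port is an
!    internet-facing service: keep the permitted source as narrow as the
!    use case allows, and do not open RDP to 'any' if a VPN is an option.
!    203.0.113.0/24 stands in for the administrators' real source range.
object-group network RDP_ADMINS
 network-object 203.0.113.0 255.255.255.0
access-list outside_in extended permit tcp any object NAS5006 eq 5003
access-list outside_in extended permit tcp object-group RDP_ADMINS object Server3389 eq 3389
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! 3. The 9.1 thread's config also allows ASDM/HTTPS management from any
!    outside address ('http 0.0.0.0 0.0.0.0 outside'). Remove it and
!    manage from the management or inside interface instead.
no http 0.0.0.0 0.0.0.0 outside
!
! 4. Verify from the CLI before testing from outside. Replace <outside-ip>
!    with the current outside address ('show interface outside' for PPPoE;
!    94.56.178.222 in the NVR thread) and use the thread's own nameif
!    (OUTSIDE in the NVR thread). With the NAT and ACL in place the trace
!    ends in 'Action: allow' instead of the acl-drop shown above.
packet-tracer input outside tcp 203.0.113.10 50000 <outside-ip> 5003
show nat detail
show xlate
show conn port 5003
show logging | include outside_in
```

If packet-tracer still drops in the ACCESS-LIST phase after this, the object named in the ACL is not the one carrying the NAT rule; if it drops in an UN-NAT or NAT phase, the static rule is missing or overlaps another one, and `show nat detail` lists every rule the ASA actually installed.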
Cisco Jabber for Windows Voicemail issue
At the moment I'm in the process of implementing a Cisco Jabber UC solution for a big company.
I use CUCM 9.1.2, Cisco IM and Presence 9.1.2, CUC 9.1.2, Cisco Jabber for Windows 9.6.1.
I have an issue in Cisco Jabber with voicemail integration: when I leave a voice message for any user,
the message arrives only on his Cisco IP Phone, but not in his Cisco Jabber.
From the Cisco Jabber connectivity status in the help menu I see that the VoiceMail service is successfully connected,
and I see the VoiceMail button in Cisco Jabber.
How can I resolve this issue?
Have you configured the UC Service profile on CUCM with both voicemail server and mailbox servers?
-
Cisco Jabber for Windows - Anti-Virus Software
Hello,
Cisco Jabber for Windows cannot resolve Outlook contacts when a client has McAfee Anti-Virus software installed.
Is there any documentation available on how to set up anti-virus software to get Cisco Jabber for Windows running?
Cisco Jabber for Windows Version 9.2.4 Build 4528
Outlook 2013
Thanks
Alex
This is all we mention about antivirus: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/Windows/9_2/JABW_BK_J6915A59_00_jabber-windows-server-setup/JABW_BK_J6915A59_00_jabber-windows-server-setup_chapter_00.html
Some antivirus or firewall applications, such as Symantec Endpoint Protection, block inbound CDP packets, which disables desk phone video capabilities. You should configure your antivirus or firewall application to allow inbound CDP packets. See the following Symantec technical document for additional details about this issue: Cisco IP Phone version 7970 and Cisco Unified Video Advantage is Blocked by Network Threat Protection.
With that being said, we would probably want to get the Jabber process excluded from the antivirus list so that it allows inbound MAPI communication, as that is what is used for querying the Outlook contacts.
The only process that ever runs from Jabber for windows is "CiscoJabber.exe" which is located in the following path:
C:\Program Files (x86)\Cisco Systems\Cisco Jabber
i hope this helps. -
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to deploy and configure Cisco Identity Services Engine (ISE) Version 1.2 and to understand the features and enhanced troubleshooting options available in this version, with Cisco expert Craig Hyps.
October 27, 2014 through November 7, 2014.
The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the entire attack continuum. Cisco ISE is a security policy management platform that identifies users and devices using RADIUS, 802.1X, MAB, and Web Authentication methods and automates secure access controls such as ACLs, VLAN assignment, and Security Group Tags (SGTs) to enforce role-based access to networks and network resources. Cisco ISE delivers superior user and device visibility through profiling, posture and mobile device management (MDM) compliance validation, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.
Craig Hyps is a senior Technical Marketing Engineer for Cisco's Security Business Group with over 25 years networking and security experience. Craig is defining Cisco's next generation Identity Services Engine, ISE, and concurrently serves as the Product Owner for ISE Performance and Scale focused on the requirements of the largest ISE deployments.
Previously Craig has held senior positions as a customer Consulting Engineer, Systems Engineer and product trainer. He joined Cisco in 1997 and has extensive experience with Cisco's security portfolio. Craig holds a Bachelor's degree from Dartmouth College and certifications that include CISSP, CCSP, and CCSI.
Remember to use the rating system to let Craig know if you have received an adequate response.
Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.
1. Without more specifics it is hard to determine the actual issue. If they were configured in the same subnet, it may be that asymmetric traffic caused connections to fail. A key enhancement in ISE 1.3 is to make sure traffic received on a given interface is sent out the same interface.
2. Common use cases for using different interfaces include separation of management traffic from user traffic such as web portal access or to support dedicated profiling interfaces. For example, you may want employees to use a different interface for sponsor portal access. For profiling, you may want to use a specific interface for HTTP SPAN traffic or possibly configure IP Anycast to simplify reception and redundancy of DHCP IP Helper traffic. Another use case is simple NIC redundancy.
a. Management traffic is restricted to eth0, but standalone node will also have PSN persona so above use cases can apply for interfaces eth1-eth3.
b. For dedicated PAN / MnT nodes it usually does not make sense to configure multiple interfaces although ISE 1.3 does add support for SNMP on multiple interfaces if needed to separate out. It may also be possible to support NIC redundancy but I need to do some more testing to verify.
For PSNs, NIC redundancy for RADIUS as well as the other use cases for separate profiling and portal services apply.
Regarding Supplicant Provisioning issue, the flows are the same whether wireless or wired. The same identity stores are supported as well. The key difference is that wireless users are directed to a specific auth method based on WLAN configuration and Cisco wired switches allow multiple auth methods to be supported on same port.
If RADIUS Proxy is required to forward requests to a foreign RADIUS server, then decision must be made based on basic RADIUS attributes or things like NDG. ISE does not terminate the authentication requests and that is handled by foreign server. ISE does support advanced relay functions such as attribute manipulation, but recommend review with requirements with local Cisco or partner security SE if trying to implement provisioning for users authenticated via proxy. Proxy is handled at Authentication Policy level. CWA and Guest Flow is handled in Authorization Policy. If need to authenticate a CWA user via external RADIUS, then need to use RADIUS Token Server, not RADIUS Proxy.
A typical flow for a wired user without 802.1X configured would be to hit default policy for CWA. Based on successful CWA auth, CoA is triggered and user can then match a policy rule based on guest flow and CWA user identity (AD or non-AD) and returned an authorization for NSP.
Regarding AD multi-domain support...
Under ISE 1.2, if need to authenticate users across different forests or domains, then mutual trusts must exist, or you can use multiple LDAP server definitions if the EAP protocol supports LDAP. RADIUS Proxy is another option to have some users authenticated to different AD domains via foreign RADIUS server.
Under ISE 1.3, we have completely re-architected our AD connector and support multiple AD Forests and Domains with or without mutual trusts.
When you mention the use of RADIUS proxy, it is not clear whether you are referring to ISE as the proxy or another RADIUS server proxying to ISE. If you had multiple ISE deployments, then a separate RADIUS Server like ACS could proxy requests to different ISE 1.2 deployments, each with their own separate AD domain connection. If ISE is the proxy, then you could have some requests being authenticated against locally joined AD domain while others are sent to a foreign RADIUS server which may have one or more AD domain connections.
In summary, if the key requirement is ability to join multiple AD domains without mutual trust, then very likely ISE 1.3 is the solution. Your configuration seems to be a bit involved and I do not want to provide design guidance on a paper napkin, so recommend consult with local ATP Security SE to review overall requirements, topology, AD structure, and RADIUS servers that require integration.
Regards,
Craig