Cisco Energywise Phase 1 and Phase 2

Hello,
In need to understand the difference between Cisco Energywise Phase 1 and Cisco Energywise Phase 2.
What I am familiar with is Phase 2 allows for power management of PCs and Laptops and Phase 1 includes power management PoE endpoints. However are there any other fundamental differences in the releases.
Regards,
George

Hi George,
One of the main parts of Phase 2 is the release of the Cisco EnergyWise Orchestrator
Check it out;
http://www.cisco.com/en/US/products/ps10797/index.html
Cheers!
Rob

Similar Messages

Ask the Expert: Overview of Cisco Prime Service Catalog and Process Orchestrator Solutions

Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the Cisco Prime Service Catalog and Process Orchestrator solutions.
Cisco expert Jason Davis will discuss Cisco’s network management products offered under the Cisco Prime framework. If you have questions about Cisco Prime infrastructure or data center automation with our Cisco Prime Service Catalog and Process Orchestrator solutions, join us on the Cisco Support Community.
Jason Davis is a distinguished services engineer in the Intelligent Infrastructure Practice team of Cisco Advanced Services. His role is to provide strategic and tactical consulting for hundreds of Advanced Services customers, lead service innovation, and assess new services and technologies. Jason's primary expertise areas are in network management systems, intelligent automation, virtualization, data center operations, software-defined networking, and network programmability.
Based out of the Research Triangle Park (RTP) campus, Jason is also responsible for administering the Research Triangle Park Network Management Lab, Cisco's largest network management lab.
Since joining Cisco in 1998, Jason has been a frequent speaker at Cisco's Networkers and CiscoLive conferences in the United States and Europe. In the past five years he has also been involved in the conference network setup and monitoring. He is a much sought-after resource by the field sales teams to assist with presales solutions and executive briefings. He has provided strategic and tactical network management consulting for several hundred customers.
Jason is a subject matter expert with the following products and features:
Cisco Prime LAN management solution
Cisco Prime infrastructure
CiscoSecure ACS
Cisco Prime Network Registrar
Cisco Process Orchestrator
Cisco Prime Service Catalog
Cisco IP SLA
Embedded Event Manager
SNMPv3
onePK and OpenFlow
Cisco UCS
Device instrumentation
VMware ESX, ESXi, and vCenter
ITIL
Jason received his bachelor of science degree in electrical engineering from the University of Miami (FL). He has been married for 20 years and has 4 children. His interests include providing audiovisual technical support for churches and conference venues, camping and biking with his family, remote-control helicopter piloting, paintball, and recreational shooting.
Remember to use the rating system to let Jason know if you have received an adequate response.
Because of the volume expected during this event, Jason might not be able to answer every question. Remember that you can continue the conversation in Data Center > Intelligent Automation under the subcommunity Cisco Prime Service Catalog shortly after the event. This event lasts through September 12, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

Hello Jason,
Thank you very much for welcoming me to your expert discussion :) I feel to be in the right place, at the right time. Thank you also for answering question beyond your scope here, much appreciated. The information received will help me to go further as such I have submitted a 5 start rating for your first reply.
That sounds promising about the LMS part so yes, I stay tuned and wait patiently.
Ok, now let’s revert to the actual topic discussed here. Cisco Prime Service Catalog and Process Orchestrator solutions I have briefly read up on this on CCO (where elseJ) and picked out the following quote
---- Quote from the Cisco Prime Service Catalog Data Sheet
Today’s end users want self-service and easy access to IT tools and services.
Simultaneously, organizations are seeking ways to extend their cloud management
platforms beyond self-service delivery of virtual machines and infrastructure resources
while increasing their use of cloud-based solutions to enhance business agility and effectiveness.
Cisco Prime™ Service Catalog offers tremendous benefits to organizations that want to unify the ways in
which all types of IT services are ordered and fulfilled, not just infrastructure requests
---- un quote ---
I try to understand what (at high level of course) happens in the back ground when an order is raised and which vendor solution your product can interact with.
As mentioned in the quoted text, this service catalogue goes beyond the standard infrastructure.
Let’s say, a user wants to deploy a new email services, or in your example, extends or create a new web-portal (i.e. for HR to view and manage holiday, staff absence and benefits).
Your solution will need to interact somehow with the 3rd party vendor application that is capable building such portal I believe.
Without disclosing to many information, I assume the portal is linked to backend VM,s that spin up requested resources (and more magic of course). Perhaps I am mixing this up with another cisco product where a user can go on the portal and spin up virtual Firewalls, virtual Routers can be provisioned in now time.
Out if interest; Is this product also known as Mozart? (project code within Cisco?)
I hope query is ok.
Best wishes
Markus

I want to integrate SMS gateway to Cisco ISE 1.2 and my question is SMS notifications are supported for Guest self−registration

I want to integrate SMS gateway to Cisco ISE 1.2 and my question is
SMS notifications are supported for Guest self−registration Services ? or it should be done by Sponsor

I'm not sure I understand the question. Do you want to log in to the Sponsor Portal using AD credentials?
Create an Identity Source Sequence using AD as an Authentication Source. Go to Administration > Identity Management > Identity Source Sequences. Either Edit or +Add a Sequence and choose from the Authentication Sources shown.
Then choose that Identity Source Sequence by going to Administration > Web Portal Management > Settings. Double-click Sponsor from the Left Menu and click Authentication Source. Choose the Identity Source Sequence. Click Save.
I hope this helps.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton

Ask the Expert: Cisco Nexus 2000, 5000, and 6000 Series Switches

with Cisco Expert Vinayak Sudame
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions how to configure and troubleshoot the Cisco Nexus 2000, 5000 and 6000 Series Switches with Cisco subject matter expert Vinayak Sudame. You can ask any question on configuration, troubleshooting, features, design and Fiber Channel over Ethernet (FCoE).
Vinayak Sudame is a Technical Lead in Data Center Switching Support Team within Cisco's Technical Services in RTP, North Carolina. His current responsibilities include but are not limited to Troubleshooting Technical support problems and Escalations in the areas of Nexus 5000, Nexus 2000, FCoE. Vinayak is also involved in developing technical content for Cisco Internal as well as external. eg, Nexus 5000 Troubleshooting Guide (CCO), Nexus 5000 portal (partners), etc. This involves cross team collaboration and working with multiple different teams within Cisco. Vinayak has also contributed to training account teams and partners in CAE (Customer Assurance Engineering) bootcamp dealing with Nexus 5000 technologies. In the past, Vinayak's responsibilities included supporting MDS platform (Fiber Channel Technologies) and work with EMC support on Escalated MDS cases. Vinayak was the Subject Matter Expert for Santap Technologies before moving to Nexus 5000 support. Vinayak holds a Masters in Electrical Engineering with Specialization in Networking from Wichita State University, Kansas. He also holds Cisco Certification CCIE (#20672) in Routing and Switching.
Remember to use the rating system to let Vinayak know if you have received an adequate response.
Vinayak might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Data Center sub-community, Other Data Center Topics discussion forum shortly after the event.
This event last through Friday July 12, 2013. Visit the community often to view responses to youe questions of other community members.

Hi Vinayak,
Output of "show cfs internal ethernet-peer database"
Switch 1
ETH Fabric
Switch WWN logical-if_index
20:00:54:7f:ee:b7:c2:80 [Local]
20:00:54:7f:ee:b6:3f:80 16000005
Total number of entries = 2
Switch 2
ETH Fabric
Switch WWN logical-if_index
20:00:54:7f:ee:b6:3f:80 [Local]
20:00:54:7f:ee:b7:c2:80 16000005
Total number of entries = 2
Output of "show system internal csm info trace"
Switch 1 in which "show cfs peers" show proper output
Mon Jul 1 05:46:19.145339 (CSM_T) csm_sp_buf_cmd_tbl_expand_range(8604): No range command in buf_cmd_tbl.
Mon Jul 1 05:46:19.145280 (CSM_T) csm_set_sync_status(6257): Peer RT status PSSed
Mon Jul 1 05:46:19.145188 (CSM_T) csm_sp_handle_local_verify_commit(4291):
Mon Jul 1 05:46:19.145131 csm_continue_verify_ac[597]: peer is not reachable over CFS so continuing with local verify/commit
Mon Jul 1 05:46:19.145071 csm_tl_lock(766): Peer information not found for IP address: '172.16.1.54'
Mon Jul 1 05:46:19.145011 csm_tl_lock(737):
Mon Jul 1 05:46:19.144955 (CSM_EV) csm_sp_build_tl_lock_req_n_send(941): sending lock-request for CONF_SYNC_TL_SESSION_TYPE_VERIFY subtype 0 to Peer ip = (172.16.1.54)
Mon Jul 1 05:46:19.143819 (CSM_T) csm_copy_image_and_internal_versions(788): sw_img_ver: 5.2(1)N1(2a), int_rev: 1
Mon Jul 1 05:46:19.143761 (CSM_T) csm_sp_get_peer_sync_rev(329): found the peer with address=172.16.1.54 and sync_rev=78
Mon Jul 1 05:46:19.143699 (CSM_T) csm_sp_get_peer_sync_rev(315):
Mon Jul 1 05:46:19.143641 (CSM_EV) csm_sp_build_tl_lock_req_n_send(838): Entered fn
Mon Jul 1 05:46:19.143582 (CSM_T) csm_set_sync_status(6257): Peer RT status PSSed
Switch 2 in which "show cfs peers" does not show proper output
Mon Jul 1 06:13:11.885354 (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport mode trunk, cmd pseq 77 seq 482
Mon Jul 1 06:13:11.884992 (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd channel-group 51 mode active, cmd pseq 357 seq 369
Mon Jul 1 06:13:11.884932 (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport trunk allowed vlan 2, 11, cmd pseq 357 seq 368
Mon Jul 1 06:13:11.884872 (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport mode trunk, cmd pseq 357 seq 367
Mon Jul 1 06:13:11.884811 (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd description process_vpc, cmd pseq 357 seq 366
Mon Jul 1 06:13:11.884750 (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd channel-group 51 mode active, cmd pseq 352 seq 365
Mon Jul 1 06:13:11.884690 (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport trunk allowed vlan 2, 11, cmd pseq 352 seq 364
Mon Jul 1 06:13:11.884630 (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport mode trunk, cmd pseq 352 seq 363
Mon Jul 1 06:13:11.884568 (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd description process_vpc, cmd pseq 352 seq 362
Mon Jul 1 06:13:11.884207 (CSM_EV) csm_sp_acfg_gen_handler(3011): Preparing config into /tmp/csm_sp_acfg_1733916569.txt
Mon Jul 1 06:13:11.878695 csm_get_locked_ssn_ctxt[539]: Lock not yet taken.
Mon Jul 1 06:13:11.878638 (CSM_EV) csm_sp_acfg_gen_handler(2937): Recieved sp acfg merge request for type: running cfg
Mon Jul 1 06:12:29.527840 (CSM_T) csm_pss_del_seq_tbl(1989): Freeing seq tbl data
Mon Jul 1 06:12:29.513255 (CSM_T) csm_sp_acfg_gen_handler(3106): Done acfg file write
Mon Jul 1 06:12:29.513179 (CSM_EV) csm_sp_acfg_gen_handler(3011): Preparing config into /tmp/csm_sp_acfg_1733911262.txt
Mon Jul 1 06:12:29.508859 csm_get_locked_ssn_ctxt[539]: Lock not yet taken.
Mon Jul 1 06:12:29.508803 (CSM_EV) csm_sp_acfg_gen_handler(2937): Recieved sp acfg merge request for type: running cfg
Mon Jul 1 05:53:17.651236 Collecting peer info
Mon Jul 1 05:53:17.651181 Failed to get the argumentvalue for 'ip-address'
Mon Jul 1 05:40:59.262736 DB Unlocked Successfully
Mon Jul 1 05:40:59.262654 Unlocking DB, Lock Owner Details:Client:1 ID:1
Mon Jul 1 05:40:59.262570 (CSM_T) csm_sp_del_buf_cmd(1713): Deleting comand with Id = 1
Mon Jul 1 05:40:59.262513 DB Lock Successful by Client:1 ID:1
Mon Jul 1 05:40:59.262435 Recieved lock request by Client:1 ID:1
Mon Jul 1 05:40:41.741224 ssnmgr_ssn_handle_create_get: Session FSM already present, ID:1
Mon Jul 1 05:40:41.741167 ssnmgr_handle_mgmt_request: Create/Get request received for session[process_n5kprof]
show cfs lock gives no output.
Just to further clarify, we have 4 5548UP switches in the same management vlan. 2 switches are in one location lets say location A and they are CFS peers and are working fine.
These two switches which are having problem are in location B. All the switches are in the same vlan. Essentially the all CFS multicast messages will be seen by all 5548 switches as they are in the same vlan. I am assuming that this might not create any problems as we specify the peers in the respective configurations. Or do we have to change the CFSoIPv4 multicast addresses in location B or may be configure a different region.
Regards.

Cisco NAC 4.8 and Windows Server 2008 Enterprise 64bit SSO

Hi,
     I try to setup SSO on Cisco NAC 4.8 and Windows Server 2008 Enterprise 64bit, but I can't start Active Directory SSO Service that show error follow below. I saw this error " KDC has no support for encryption type (14)" . Could anyone help me to troubleshoot this problem?
FQDN: active.test.com
Domain Name : test.com
User : ccasso
2011-02-05 12:00:30.225 +0700 WARN com.perfigo.wlan.jmx.adsso.GSSServer
- Server was not running ...
2011-02-05 12:00:30.225 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- Server starting server ...
2011-02-05 12:00:30.225 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- Server is now running ...
2011-02-05 12:00:30.225 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - SPN : [ccasso/[email protected]]
2011-02-05 12:00:30.225 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - building kdc list for domain active.test.com
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - done building kdc list for domain active.test.com
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - KDC(s) :[10.0.240.100]
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - writeKrbFile: writing to file ../conf/krb.txt
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - writeKrbFile: wrote to file ../conf/krb.txt
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - creating login context ...
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - created login context ...javax.security.auth.login.LoginCon
text@5ad7b2
2011-02-05 12:00:40.239 +0700 ERROR com.perfigo.wlan.jmx.adsso.GSSServer
- Unable to start server ... KDC has no support for encryption type (14)
2011-02-05 12:00:50.244 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- Notifying GSSServer status Stopped
2011-02-05 12:00:50.244 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- server is exiting .

Hi,
This error means that your DC does not support the encryption method the ACS wants to use.
Usually this happens when you run 2008 Server with 2003 functionality...
You will need to run ktpass.exe according to the DC you are running:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1277452.
For Windows 2008 Server at 2003 Server functional level:
ktpass -princ newadsso/[adserver.][email protected] -mapuser newadsso -pass
PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Configure Cisco Mediatrace, Cisco IOS IP SLA, and Performance Monitoring

Hi all,
I am implementing Cisco Prime Collaboration to monitor the quality of the VoIP call.
I am following all the steps that I have to do to accomplish this task at this link:
http://docwiki.cisco.com/wiki/Setting_up_Devices_for_Prime_Collaboration_Assurance#Configuring_Unified_Contact_Center_Enterprise_Devices
And now I am arrived on this step:
Configure Cisco Mediatrace, Cisco IOS IP SLA, and Performance Monitoring
Not all the Cisco devices that I have on the network are "Mediatrace, IP SLA and Performance Monitoring" capabilities. The core switch is one of them.
What will happen if some devices are configured with these capabilities and some are not?
Are the data provided from Cisco Collaboration still reliable?
Thanks in advance.
Luigi

I can't see a reason why the 2 features won't work together. The 2 features will work just fine with each other.
Unfortunately there is no sample config with both feature in the same document, but it will work just fine.

Dear All, I'm using Cisco ASA 5505 Firewall and I want the email alert from my Firewall if the CPU increase more than 70 %. Is it possible, Please help me. Thanks Vijay

Dear All,
I'm using Cisco ASA 5505 Firewall and I want the email alert from my Firewall if the CPU increase more than 70 %. Is it possible, Please help me.
Thanks
Vijay

Hi Vijay,
If can be done but you need any network management software. I personally dont think you can ask your ask to send mails. ASA can trigger alert to a SNMP configured server which will intern send mail to you
HTH,

VLAN trunking from Cisco Catalyst 3750 to Cisco SF300-48P issue and related

Hello expert,
I'm having difficulties to configure VLAN trunking between Cisco Catalyst 3750 switch with Cisco SF300-48P switch and my workstation unable to get any DHCP IP from our DHCP server via Cisco SF300-48P switch. Below is the snippet of configuration on both switches:
[Cisco Catalyst 3750 Switch]
interface GigabitEthernet1/0/45
description NCC-CC-1stFlr
no switchport trunk encapsulation dot1q
no switchport trunk allowed vlan 101-103
spanning-tree portfast
[Cisco SF300-48P Switch]
interface fastethernet48
spanning-tree link-type point-to-point
switchport trunk allowed vlan add 101-103
macro description switch
!next command is internal.
macro auto smartport dynamic_type switch
interface fastethernet29
switchport mode general
switchport general allowed vlan add 103 tagged
switchport general pvid 103
Are these are correct? Kindly advice!
Thank you very much!
Regards,
Alex

Hi Alex,
for the trunk port on Catalyst on port GE 1/0/45, we need to enable the trunk and for on encapsulation dot1q because this catalyst model is ISL capable also and the SF300 working only with Dot1q Encapsultion
The configuration on catalyst should :
#config terminal
#interface Gi 1/0/45
# switchport encapsulation
#switchport trunk encapsulation dot1q
#switchport mode trunk
#switchport trunk allowed vlan 101-103
#spanning-tree portfast
For SF300 the port trunk it looks fine but for the port where the PC should receive an IP address
#interface fastethernet29
#switchport mode access
#switchport ccess vlan 103
Please let me know after this configuration
Thanks
Mehdi
Please rate or mark as answered to help other Cisco Customers

Inbuilt cisco IPSEC vpn client and KeyLife Timeout setting...

Hi Guys
I am having issues with the in built cisco vpn client on the mac, I am currrently using Mac OSx 10.7.4
I have a Fortigate 200B device and have setup the IPSec VPN settings to have a keylife of 86400 seconds.
However the expereince I am having with the mac clients is that after about 50 minutes the users are being asked to re-authencate to the VPN...
When checkin the debug logs I can see that the peer (mac client) is setting the phase 2 tunnel key lifetime to 3600 seconds which is 1 Hour...
Usually in IPSec a re-negeotiation process takes place about 10 minutes or so before the key expires..
My question is where are the VPN settings kept in the Mac... I know it uses Racoon for the IPSec exchange of key and so I would like to tweak the VPN profiles so that the mac sets the lifetime of the key to 86400 instead of 3600 by default...
Also want to be able to set logging to debug mode for the Racoon application on mac clients.
Your help is much appreciated
Kind Regards
Mohamed

Hi Tony,
to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
CSCsw31922 Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
You may want to try and ask in the AAA forum if there is anything you can do on ACS...
hth
Herbert

Web Redirection Problem on Cisco ISE 1.2 and WLC 7.5

Hello,
We are at initial phase of deploying ISE 1.2 in our environment for Wireless Guest Users.
I have configured ISE and WLC to talk to each other which is working fine. An SSID with MAC-Filtering is also configured on WLC and ACL only allowing ISE and DNS traffice.
I have configured proper authentication and authorization policies on ISE. Now, when I try to connect my device (laptop and android mobile), I see my device gets associated with the SSID (Demo) and gets the right IP Address from DHCP and right VLAN from WLC. The log process on ISE is as follows.
11001
Received RADIUS Access-Request
11017
RADIUS created a new session
11027
Detected Host Lookup UseCase (Service-Type = Call Check (10))
15049
Evaluating Policy Group
15008
Evaluating Service Selection Policy
15048
Queried PIP
15048
Queried PIP
15004
Matched rule
15041
Evaluating Identity Policy
15006
Matched Default Rule
15013
Selected Identity Source - Internal Endpoints
24210
Looking up User in Internal Users IDStore - B8:B4:2E:A6:7D:75
24216
The user is not found in the internal users identity store
24209
Looking up Endpoint in Internal Endpoints IDStore - B8:B4:2E:A6:7D:75
24211
Found Endpoint in Internal Endpoints IDStore
22037
Authentication Passed
15036
Evaluating Authorization Policy
15048
Queried PIP
15048
Queried PIP
15048
Queried PIP
15004
Matched rule - Guest Redirection
15016
Selected Authorization Profile - Test_Profile
11002
Returned RADIUS Access-Accept
I also see a redirect url in the detailed authentication logs. But the problem is that when I open my browser on my device, it doesn't get redirected to the guest portal url. Now since I can't get there, I can't continue with the rest of the process of authentication, COA and final ACL for internet access.
Can some one please either guide me the correct steps that I need to follow, if I have mis configured something or advise if this is a bug.
Thanks in advance.
Jay

The ACL is definitely used to define what traffic is re-directed to ISE and what traffic is not redirected. Having the permit-all statement at the end will break redirection. If you are using flex-connect then you will need to use flex-connect ACLs and apply those to the flex-connect APs. The links below should give you an idea of what needs to be done:
http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-000.html
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
Thank you for rating helpful posts!

Cisco ACS 5.1 and MAC address identification/quarantining

A client is rolling out ACS 5.1, with the eventual intent of customization network access based on Active Directory credentials (user/group, etc) – ACL’s and VLAN restrictions will be implemented as part of a “2nd phase” deployment. For NOW, all they want is the ability to isolate devices connecting to the network by MAC address, meaning: if it’s a recognized MAC address (corporate asset), then allow full access through the port. If it’s NOT a recognized MAC address (non-corporate asset), then place it in the guest network/VLAN.
I’m familiar with ACS operation, configuration of policies and authorization rules, and MAC Authentication Bypass (for devices that should not have to authenticate to gain access). What I don’t know for sure (and haven’t yet been able to find), is if ACS has the ability to react simply to the MAC address and quarantine that host into a guest network.
Please confirm, and as always, reference links/docs are appreciated.

Hi,
The goal you want to achieve is possible but not with MAB.
What you want can easily be done if you do machine authentication rather then MAB.
With machine authentication you can have something called Machine Access Restriction, which mean that both machine and user authentication has to be done, for the user to have access to the network.
In this scenario, whenever a user tries to log in via dot1x, the ACS checks the machine on which the user is logging in, and the user authentication is only successfull if the machine authentication was successfull.
For this to work you have to register the machines in the domain as well as the users.
Machines that do not exist on the domain, will fail machine authentication, and no user will be allowed to login in that machine.
To configure this on the ACS you simply have to go to the Authorization part of the Access Policy, clic "Customize" and add the "Condition" "Was machine authenticated", as I show in the image below:
Then, you create a new Rule and this Condition will be available:
On the client side you need to make sure that they do dot1x machines authentication.
This allows you a very fast way of securing both machines and users, so that only trusted machines (that exist in the domain) are allowed on the network and users can only access network by logging in from a trusted machine.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Call/video not working between Cisco jabber for Windows and VCS control C40s

Hello,
I've been struggling with no luck how to make a call using Cisco Jabber for Windows 9.6.0 registered to CM 8.6.2 with intercluster ICT to another CM 8.6.2 where we have a VCS Control 7.0.2 via GK H225, and all C40s are registered as H.323.
The VCS has interworking between H323 and SIP, however not sure if there is any problem with that. Assuming it is ok, not sure either if I'm facing any interoperability issue because in my remote site I have C40 (H323 registered at VCS and SIP listening mode) and cisco jabber for windows which is SIP based.
If is not possible, would I be able to change my C40 from H323 to SIP at VCS, or have both H323/SIP registered at VCS? If so, will I need to change as well instead of GK I'll have to establish a SIP Trunk between the CM and VCS?
Another thing I do not believe either I would be able to have one VCS connected with two clusters, right?
I'm just trying to find a solution in case my current topology is not compatible, but feel free if you have any better idea to make it work.
Anyway here is what is happening:
When I make a call from my cisco jabber windows to C40 using alias number. The call is being redirected just fine to the C40 and it rings, however when someoene or the auto answer picks it up, the call dropped right away.
However, if I enabled the MTP in my CSF device, the call gets longer before dropping. I was even able to see my jabber " start video" turns green, before was grayed out all the time and the call dropped faster. I hear a fast busy tone.
I'm able to provide SDI traces, logs, diagnostic sip/h323 calls from VCS in order to know for sure if this is an incompatible issue or something I can workaround.
Let me know if someone of you are interested in read these logs or could point me on the right direction.
Thanks!

Ok,
I have looked at both logs. I have to mentinon though that you didnt
provide the log that shows the h323 setup between cucm and the VCS. This
is most likely because the call originated from a different cucm than
the ones you provided the logs from.
The call would have orginated from the first cucm in the cucm group of
this trunk: Name=RL_TRUNK_VIDEO
The cucm ip will be : 10.252.53.10.
This is the VCS log that confirms where the h323 request originated
from:
pr 10 22:50:29 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:29,187"
Module="network.h323" Level="DEBUG": Src-ip="10.252.53.10" Src-
port="54000"
Received RAS PDU:
Having said that here is my analysis of the logs that you sent..
Jabber sent an INVITE to CUCM and advertised all the codecs (audio and
video it can support)..
Observer that Jabber says it doesnt support G729 anexB
21:55:16.576 |//SIP/SIPTcp/wait_SdlReadRsp: Incoming SIP TCP message
from 10.223.20.73 on port 54677 index 90661 with 2220 bytes:
[862370,NET]
INVITE sip:[email protected];user=phone SIP/2.0
Via: SIP/2.0/TCP 10.223.20.73:54677;branch=z9hG4bK000029d3
From: "4122107" <sip:[email protected]>;tag=00059a3c78000011000070b0
-00000e65
To: <sip:[email protected]>
Call-ID: [email protected]
Max-Forwards: 70
Date: Fri, 11 Apr 2014 01:55:16 GMT
CSeq: 101 INVITE
User-Agent: Cisco-CSF/9.4.1
m=audio 19252 RTP/AVP 0 8 18 105 104 101
c=IN IP4 10.223.20.73
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:105 G7221/16000
a=fmtp:105 bitrate=24000
a=rtpmap:104 G7221/16000
a=fmtp:104 bitrate=32000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=sendrecv
m=video 28878 RTP/AVP 97
c=IN IP4 10.223.20.73
++++Now lets observer the capabilites exchange during h245 negotiation
between cucm and VCS++++
Here CUCM advertises its caps to VCS (afterreceiving caps from VCS)
Note that G729A, G729AB, G729 is all advertised..
Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,017"
Module="network.h323" Level="DEBUG": Src-ip="10.252.53.10" Src-
port="45660"
Received H.245 PDU:
value MultimediaSystemControlMessage
::= request : terminalCapabilitySet
capabilityTableEntryNumber 2,
       capability receiveAudioCapability :
g729wAnnexB : 6
       capabilityTableEntryNumber 3,
   capability receiveAudioCapability : g729AnnexAwAnnexB : 6
       capabilityTableEntryNumber 4,
       capability
receiveAudioCapability : g729 : 6
capabilityTableEntryNumber 5,
       capability receiveAudioCapability :
g729AnnexA : 6
++++++
After doing MSD (master slave determination, we move to the OLC phas e..
Here we see that the far end..c40 wants to use G729AB for media++++
Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,783"
Module="network.h323" Level="DEBUG": Src-ip="10.224.114.11" Src-
port="11163"
Received H.245 PDU:
value MultimediaSystemControlMessage
::= request : openLogicalChannel :
   forwardLogicalChannelNumber 1,
forwardLogicalChannelParameters
     dataType audioData :
g729AnnexAwAnnexB : 20,
     multiplexParameters
h2250LogicalChannelParameters :
+++Next VCS sends G729AB as the codec to use to CUCM+++
Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,784"
Module="network.h323" Level="DEBUG": Dst-ip="10.252.53.10" Dst-
port="45660"
Sending H.245 PDU:
value MultimediaSystemControlMessage
::= request : openLogicalChannel :
   forwardLogicalChannelNumber 1,
forwardLogicalChannelParameters
     dataType audioData :
g729AnnexAwAnnexB : 20,
     multiplexParameters
h2250LogicalChannelParameters :
++++The next thing we get is an OLC reject from CUCM and this is where
th call drops++
Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,790"
Module="network.h323" Level="DEBUG": Src-ip="10.252.53.10" Src-
port="45660"
Received H.245 PDU:
value MultimediaSystemControlMessage
::= response : openLogicalChannelReject :
forwardLogicalChannelNumber 1,
   cause dataTypeNotSupported : NULL
Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,790"
Module="network.h323" Level="INFO": Dst-ip="10.224.114.11" Dst-
port="11163"
Detail="Sending H.245 OpenLogicalChannelRejResponse
+++We then receive a call release from cucm with cause code of 47:
resource unavailable++++
Apr 10 22:50:32 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:32,365"
Module="network.h323" Level="DEBUG": Src-ip="10.252.53.10" Src-
port="50913"
Received H.225 PDU:
Q931
   Message Type: Release
Complete
   Call reference flag: Message sent from originating side
Call reference value: 0x7b
   Info Element : Cause
     Location: Usr
   Cause Value: Resource unavailable
   Info Element : User User
   Length = 22
Suggestions:
Change the region setting between the ICT trunk to VCS and Jabber to use
G711 and test again.

VPN Site-to-Site or VPN Client Server with Cisco IP Phone 8941 and 8945

Hi everyone,
I decide to deploy a CUCM (BE6K platform), SX20, and IP Phone 8941/8945 on Head Office and Cisco SX10 and IP Phone 8941/8945 for branch offices (actually 9 branch offices).
The connection will use internet connection for HO and each branch offices.
And the IT guy want to use kind a VPN client server or VPN site-to-site for the connection through internet,
what kind of VPN client server or VPN site-to-site that recommended for this deployment?
and what type of Cisco router that support that kind of VPN (the cheapest one will be great)?
So the SX10 and IP Phone 8941/8945 in branch offices can work properly through internet connection?
please advise
Regards,
Ovindo

Hi Leo,
technically, the ipsec users will not use up any premium license seats, so if you have 10 ipsec users connecting first, the premium seats are still free and so you can then still have 10 phones/anyconnect users connect.
However, the 250 you mention is the global platform limit, so it refers to the sum of premium and non-premium connections. Or in other words, you can have 240 ipsec users and 10 phones, but not 250 ipsec users and 10 phones.
If 250 ipsec users and 10 phones would try to connect, it would be first-in, first-served, e.g. you could have 248 ipsec users and 2 phones connected.
Note: since you have Essentials disabled I'm assuming you are referring to the legacy "Cisco vpnclient" (IKEv1 client) which does not require any license on the ASA. But for the benefit of others reading this thread: if you do have Anyconnect clients (using SSL or IPsec/IKEv2) for which you currently have an Essentials license, then note that the Essentials and Premium license cannot co-exist. So for e.g. 240 Anyconnect users and no phones, you can use Essentials. For 240 Anyconnect users and 10 phones, you need a 250-seat Premium license (and a vpn phone license).
hth
Herbert

Cisco IPSec VPN Client and sending a specific Radius A-V value to ACS 5.2

This setup is to try routing Cisco VPN to either RSA or Entrust from Cisco ACS 5.2, depending on some parameter in incoming AUTH request from Cisco IPSec VPN Client 5.x. Tried playing with pcf files and user names/identity stores, none seems working

Hi Tony,
to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
CSCsw31922 Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
You may want to try and ask in the AAA forum if there is anything you can do on ACS...
hth
Herbert

Cisco 1841 SSL VPN and Anyconnect Help

I am pretty new to Cisco programming and am trying to get an SSL VPN set up for remote access using a web browser and using Anyconnect version 3.1.04509. If I try to connect via a web browser I get an error telling me the security certificate is not secure. If I try to connect via Anyconnect I get an error saying "Untrusted VPN Server Blocked." If I change the Anyconnect settings to allow connections to untrusted servers, I get two errors that say"Certificate does not match the server name" and "Certificate is malformed." Below is the running config in the router at this time. There is another Site-to-Site VPN tunnel that is up and working properly on this device. Any help would be greatly appreciated. Thanks
Current configuration : 7741 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname buchanan1841
boot-start-marker
boot-end-marker
logging message-counter syslog
no logging buffered
enable secret 5 XXXXXXX
enable password XXXX
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
crypto pki trustpoint buchanan_Certificate
enrollment selfsigned
revocation-check crl
rsakeypair buchanan_rsakey_pairname
crypto pki certificate chain buchanan_Certificate
certificate self-signed 01
30820197 30820141 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
1D311B30 1906092A 864886F7 0D010902 160C6275 6368616E 616E3138 3431301E
170D3133 30373038 32323330 33335A17 0D323030 31303130 30303030 305A301D
311B3019 06092A86 4886F70D 01090216 0C627563 68616E61 6E313834 31305C30
0D06092A 864886F7 0D010101 0500034B 00304802 4100C76B D94BABC2 6D7FB1F1
AF9AA76F E631B841 7CFEA806 1F52420B 9C83D754 D58393B1 EC02FCA8 BFBE82D6
79645A32 4ECEDB43 8AEB1590 9CCC309E 17E70061 86150203 010001A3 6C306A30
0F060355 1D130101 FF040530 030101FF 30170603 551D1104 10300E82 0C627563
68616E61 6E313834 31301F06 03551D23 04183016 8014AF2E 3FCF66AF C8A43F5F
97DFABA9 C74371FD 127A301D 0603551D 0E041604 14AF2E3F CF66AFC8 A43F5F97
DFABA9C7 4371FD12 7A300D06 092A8648 86F70D01 01040500 034100C1 47D2E8B0
4AC15F69 E8CBE141 E8EE96C5 7BF1EE51 102278B8 ED525185 9F112FA6 0D51F7A6
3382DB09 8692EEE7 200471B3 BF12FBD0 223EB549 4A352049 513F4B
        quit
dot11 syslog
ip source-route
ip cef
no ipv6 cef
multilink bundle-name authenticated
username buchanan privilege 15 password 0 XXXXX
username cybera password 0 cybera
username skapple privilege 15 secret 5 XXXXXXXXXX
username buckys secret 5 XXXXXXXXXXX
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key p2uprEswaspus address XXXXXX
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set cybera esp-3des esp-md5-hmac
crypto ipsec profile cybera
set transform-set cybera
archive
log config
hidekeys
ip ssh version 1
interface Tunnel0
description Cybera WAN - IPSEC Tunnel
ip address x.x.x.x 255.255.255.252
ip virtual-reassembly
tunnel source x.x.x.x
tunnel destination x.x.x.x
tunnel mode ipsec ipv4
tunnel protection ipsec profile cybera
interface FastEthernet0/0
description LAN Connection
ip address 192.168.1.254 255.255.255.0
ip helper-address 192.168.1.2
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
interface FastEthernet0/1
description WAN Connection
ip address x.x.x.x 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
interface ATM0/0/0
no ip address
shutdown
atm restart timer 300
no atm ilmi-keepalive
interface Virtual-Template2
ip unnumbered FastEthernet0/0
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.254
ip local pool LAN_POOL 192.168.1.50 192.168.1.99
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 4.71.21.0 255.255.255.224 x.x.x.x
ip route 10.4.0.0 255.255.0.0 x.x.x.x
ip route 10.5.0.0 255.255.0.0 x.x.x.x
ip route x.x.x.x 255.255.240.0 x.x.x.x
ip route x.x.x.x 255.255.255.255 x.x.x.x
ip route x.x.x.x 255.255.255.255 x.x.x.x
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.201 22 x.x.x.x 22 extendable
ip nat inside source static tcp 192.168.1.202 23 x.x.x.x 23 extendable
access-list 1 permit 192.168.1.0 0.0.0.255
control-plane
line con 0
line aux 0
line vty 0 4
password xxxxx
transport input telnet ssh
scheduler allocate 20000 1000
webvpn gateway gateway_1
ip address x.x.x.x port 443
http-redirect port 80
ssl trustpoint buchanan_Certificate
inservice
webvpn install svc flash:/webvpn/anyconnect-w
in-3.1.04059-k9.pkg sequence 1
webvpn context employees
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
policy group policy_1
   functions svc-enabled
   svc address-pool "LAN_POOL"
   svc default-domain "buchanan.local"
   svc keep-client-installed
   svc dns-server primary 192.168.1.2
   svc wins-server primary 192.168.1.2
virtual-template 2
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_2
gateway gateway_1
max-users 10
inservice
endbuchanan1841#

Perhaps you have changed the host-/domainname after the certificate was created?
I'd generate a new one ...
Michael
Please rate all helpful posts

Cisco Energywise Phase 1 and Phase 2

Similar Messages

Maybe you are looking for