Cisco ISE: 802.1x Timers Best Practices / Re-authentication Timers [EAP-TLS]
Dear Folks,
Kindly suggest the best recommended values for the timers in 802.1x (EAP-TLS)... Should I keep them all at default, or change some of them?
Also, why do we need re-authentication timers? Is there any benefit to using them? Do they prompt users, or are they invisible? And what are the best values, in case we need to use them?
Thanks,
Regards,
Mubasher
My interface configuration is as below:
interface GigabitEthernet1/34
switchport access vlan 131
switchport mode access
switchport voice vlan 195
ip access-group ACL-DEFAULT in
authentication event fail action authorize vlan 131
authentication event server dead action authorize vlan 131
authentication event server alive action reinitialize
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
snmp trap mac-notification change added
dot1x pae authenticator
dot1x timeout tx-period 5
storm-control broadcast level 30.00
spanning-tree portfast
spanning-tree bpduguard enable
Hello Mubashir,
Many timers can be modified as needed in a deployment. Unless you are experiencing a specific problem where adjusting the timer may correct unwanted behavior, it is recommended to leave all timers at their default values except for the 802.1X transmit timer (tx-period).
The tx-period timer defaults to a value of 30 seconds. Leaving this value at 30 seconds provides a default wait of 90 seconds (3 x tx-period) before a switchport will begin the next method of authentication, and begin the MAB process for non-authenticating devices.
Based on numerous deployments, the best-practice recommendation is to set the tx-period value to 10 seconds to provide the optimal time for MAB devices. Setting the value below 10 seconds may result in the port moving to MAC authentication bypass too quickly.
Configure the tx-period timer.
C3750X(config-if-range)#dot1x timeout tx-period 10
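Added example (not from the thread or Cisco): a small Python audit that parses an IOS interface stanza like the one posted above, computes the wait before MAB fallback as (max-reauth-req + 1) x tx-period, and flags tx-period values below the 10 s recommended in the answer. The sample config is constructed from the question, and the IOS default of max-reauth-req 2 (which gives the answer's 3 x tx-period) is an assumption.

```python
import re

# Defaults taken from the answer above: tx-period is 30 s by default and the
# port waits 3 x tx-period (the initial EAP-Request/Identity plus two
# retransmits, i.e. the IOS default max-reauth-req of 2) before falling back
# to MAB.  The answer recommends tx-period 10.
DEFAULT_TX_PERIOD = 30
DEFAULT_MAX_REAUTH_REQ = 2
RECOMMENDED_TX_PERIOD = 10

# Constructed sample, trimmed from the interface posted in the question.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/34
 switchport access vlan 131
 switchport mode access
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
"""


def parse_interface(config_text):
    """Pull the dot1x/MAB settings out of one IOS interface stanza."""
    s = {
        "tx_period": DEFAULT_TX_PERIOD,
        "tx_period_explicit": False,
        "max_reauth_req": DEFAULT_MAX_REAUTH_REQ,
        "mab": False,
        "order": [],
    }
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"dot1x timeout tx-period (\d+)", line)
        if m:
            s["tx_period"] = int(m.group(1))
            s["tx_period_explicit"] = True
            continue
        m = re.fullmatch(r"dot1x max-reauth-req (\d+)", line)
        if m:
            s["max_reauth_req"] = int(m.group(1))
            continue
        if line == "mab":
            s["mab"] = True
        elif line.startswith("authentication order "):
            s["order"] = line.split()[2:]
    return s


def mab_fallback_seconds(settings):
    """Seconds a non-supplicant device waits before the port tries MAB."""
    return settings["tx_period"] * (settings["max_reauth_req"] + 1)


def audit_interface(config_text):
    """Return the parsed settings, the computed MAB wait and any findings."""
    s = parse_interface(config_text)
    findings = []
    wait = mab_fallback_seconds(s)
    falls_back_to_mab = s["mab"] and s["order"][:2] == ["dot1x", "mab"]
    if falls_back_to_mab:
        if not s["tx_period_explicit"]:
            findings.append(
                f"tx-period left at default {s['tx_period']} s: MAB devices "
                f"wait {wait} s for network access")
        elif s["tx_period"] < RECOMMENDED_TX_PERIOD:
            findings.append(
                f"tx-period {s['tx_period']} s is below the recommended "
                f"{RECOMMENDED_TX_PERIOD} s: port may move to MAB too quickly "
                f"({wait} s)")
    return {"settings": s, "fallback_seconds": wait, "findings": findings}


if __name__ == "__main__":
    result = audit_interface(SAMPLE_CONFIG)
    print(f"MAB fallback after {result['fallback_seconds']} s")
    for finding in result["findings"]:
        print("finding:", finding)
```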
Similar Messages
-
Cisco ISE and WLC Timeout Best Practices
I am fairly new to ISE. Our Cisco WLC is using 802.1x and ISE is configured for PEAP with all inner methods enabled.
I am looking for some guidance around where I should be configuring timeouts. There is a PEAP Session timeout in ISE, a session timeout on the WLC and a RADIUS reauthentication timeout that can be set in the Authorization profile results object in ISE.
Currently I have the WLC configured for its default 1800 second timeout and the ISE PEAP timeout at the default 7,200 value.
I ended up answering my own question. The authorization session timeouts should be set in ISE, if at all.
Once I removed the session timeout value from the WLC and used the re-auth value in the ISE policy I had less complaints about disconnects.
The session timeout on the PEAP settings has not caused any ill effects at its default. The session resume has taken a huge load off of AAA though. It's worth turning on. -
Cisco ISE: 802.1x [EAP-TLS] + List of Applicable Hot-Fixes
Dear Folks,
Kindly suggest the list of all possible Hot-Fixes required for the Cisco ISE EAP-TLS solution... We have applied 9 HotFixes so far, but the connectivity is still intermittent. Is there any list of all applicable Hot-Fixes?
OS = Win 7 SP1 (32/64 Bit) and Win 8
Thanks,
Regards,
Mubasher Sultan
Hi Mubasher
KB2481614: If you're configuring your 802.1x settings via Group Policy, you'll sometimes see EAP-PEAP requests from clients in your RADIUS server log during booting, even if you've set EAP-TLS. This error happened in our case with 1/3 of the boots with some models. The error is caused by a timing problem during startup. Sometimes the 802.1x is faster and sometimes the Group Policy is, and if the 802.1x is faster, the default configuration is taken, which is PEAP. This leads to an EAP-NAK by the RADIUS server.
KB980295: If an initial 802.1x authentication passes but a re-authentication fails, Windows 7 will ignore all later 802.1x requests. This hotfix should also fix a problem with computers waking up from sleep or hibernation, but we've disabled these features so I can't comment on them.
KB976373: This hotfix is called "A computer that is connected to an IEEE 802.1x-authenticated network via another 802.1x enabled device does not connect to the correct network". I can't comment on this, as we've not deployed 802.1x for our VoIP phones at this point. I would guess it is the same for Windows 7 too. The linked article tells you to install the patch and set some registry key to lower the value.
KB2769121: A short time ago I found this one: "802.1X authentication fails on a Windows 7-based or Windows 2008 R2-based computer that has multiple certificates". At the time of writing I'm not sure if it helps for something in my setup. According to the symptoms list of the hotfix, it does not, but maybe it helps for something else, as the one before does.
KB2736878: Another error during booting; this time it happens if the read process starts before the network adapter is initialized. It really seems that they wanted to get faster boot times, no matter the cost.
KB2494172: This hotfix fixes a problem if you've installed both a valid and an invalid certificate for 802.1x authentication. The workaround is just deleting the invalid certificate. I'm not sure at this point if it also affects wired authentication.
KB976210: This problem occurs only during automated build processes and if you use an EAP method which needs user interaction; as I don't do that, I can't comment on this hotfix.
For more information please go through this link:
http://robert.penz.name/555/list-of-ieee-802-1x-hotfixes-for-windows-7/
Best Regards:
Muhammad Munir -
ISE policy creation question - best practices
Ok, I am a rookie ISE user here and am trying to learn as I go. I have a 802.1x policy for our corporate users on both wired and wireless and a wireless guest policy that redirects to the guest portal to enter credentials created in the sponsor portal. The corporate user has access to corporate resources and the guest basically has access to just the internet.
I need to make what I am calling a Vendor policy that is basically a hybrid of the corporate user and the guest user. These would be vendors that are on-site to assist with programming and need access longer than what the guest account can be created for. This would also have specific ACLs that grant them access to the specific resources they would need. I would like to tie this into AD authentication since they have an AD account created to be able to access those corporate resources in most cases. My first question is: do I have a single policy that is tweaked as vendors come and go, or do I simply create a specific policy for each vendor? My second question is: do I, or should I, create unique SSIDs for each vendor?
As I said, I am just now getting into getting ISE configured. I am just not sure of what is considered a best practice or what is considered a secure way to make things happen. In regards to the policies I have created, they work, but I think I have a couple of holes to address.
Thanks ...
Brent
Mostly makes sense. I have the AD part, just need to get an AD group created for my test subject.
I created an Endpoint Identity Group to place the vendors devices into so that we can allow laptop to connect but not phone. Got that.
I think I can handle the Authorization Profile. It will be something like: if VendorAsset and AD1:ExternalGroups Equals VendorADGroup then VendorPermissions. VendorPermissions would be the ACL that limits where they can go. I also need to create a non-802.1x based SSID as well and add this to the Authorization profile, but it can still be generic enough to be usable by all vendors.
I think it is my Authentication rules that I need to modify for Vendor as my Corporate based policies use Dot1x and I need a policy that does not use dot1x. Right? -
Looking for best practice Port Authentication
Hello,
I'm currently deploying 802.1x on a campus with Catalyst 2950 and 4506.
There are lots of printers and non-802.1x devices (around 200) which should be controlled by their MAC address. Is there any "best practice" besides using sticky MAC address learning?
I'm thinking of a central place where all MAC addresses are stored (i.e. ACS).
Another method would be checking only the first part of the mac-address (vendor OID) on the switch-ports.
Any ideas out there?
regards
Hubert
Check out the following link; it provides info on port-based authentication, see if it helps:
http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801cde59.html -
Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS
Has anyone experienced a problem getting a Cisco WLC to work with an MS NPS server? We've done it before, albeit with different code versions.
I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication. I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user" along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.
Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond, which in turn causes the WLC to switch to the other NPS server, which produces the same issue.
Any ideas of what might be the issue or misconfiguration?
Jim,
I wanted to know if you can set up Wireshark on both of the boxes and see if you are hitting the following bug:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044
It looks as if the WLC is retransmitting the client traffic from one RADIUS session with the primary over to the secondary, in which case the RADIUS State attribute that was assigned by the primary server is probably hitting the secondary server. Therefore, if the State attribute wasn't assigned by the secondary server, it will discard the packet.
May need to open a TAC case to see if this issue is on the 550x controllers also.
Thanks,
Tarik -
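Added example, not from the thread, Cisco or Microsoft: a Python model of the failure Tarik describes, in which a RADIUS State attribute issued by the primary NPS reaches the secondary, which never issued it. The server names, username and packet bytes are constructed, and the "foreign-state" outcome stands in for NPS discarding the request; the attribute parser doubles as a check against malformed length fields.

```python
import os
import struct

# RFC 2865 codes and attribute types (not from the thread itself).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_STATE = 24
HEADER_LEN = 20  # code, identifier, length, 16-byte authenticator


def parse_attributes(packet):
    """Return the (type, value) attribute list of a RADIUS packet, rejecting
    inconsistent length fields rather than reading past the buffer."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_access_request(ident, attrs):
    """Constructed Access-Request: random 16-byte Request Authenticator, then TLVs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body))
    return header + os.urandom(16) + body


class RadiusServer:
    """Only the State bookkeeping of one RADIUS server (hypothetical helper)."""

    def __init__(self, name):
        self.name = name
        self.issued_states = set()

    def issue_state(self):
        # Opaque token an Access-Challenge would carry; the client must echo
        # it back unchanged, and only the issuing server recognises it.
        state = os.urandom(16)
        self.issued_states.add(state)
        return state

    def classify(self, packet):
        """'new' (no State), 'continuation' (State we issued) or
        'foreign-state' (State we never issued, which a server discards)."""
        states = [v for t, v in parse_attributes(packet) if t == ATTR_STATE]
        if not states:
            return "new"
        if all(s in self.issued_states for s in states):
            return "continuation"
        return "foreign-state"


def simulate_failover():
    """Replay the thread's scenario: the WLC carries a State from the primary
    over to the secondary after a timeout."""
    primary, secondary = RadiusServer("nps1"), RadiusServer("nps2")
    state = primary.issue_state()
    followup = build_access_request(
        7, [(ATTR_USER_NAME, b"host/laptop.example.test"), (ATTR_STATE, state)])
    return primary.classify(followup), secondary.classify(followup)


if __name__ == "__main__":
    print("primary/secondary verdicts:", simulate_failover())
```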
Cisco ISE 802.1X Client Provisioning
Hi,
I have a requirement for ISE client provisioning for both Windows and mac. I have the following setup:
1. 2 SSIDs, Guest and Employee
2. Guest is open access
3. Employee is 802.1x eap-peap (username/password)
I was wondering if client local administrator privilege is required for 802.1x provisioning for Windows clients? I believe it is required for Mac OS, however I'm not too sure if it may be required for Windows?
Example: Employee A connects to the Guest SSID and is redirected to the guest web portal. Upon login, they will be presented with the device registration portal. Upon being presented by ISE with the supplicant wizard, will they be asked for local administrator/domain admin privilege to install the supplicant wizard package/provisioning agent successfully?
Any suggestion is appreciated.
Thanks.
Hi,
I appreciate the feedback.
Thanks -
We have Cisco Wireless with ISE (Identity Services Engine) to provide guest access with CWA (central web authentication). The idea is to provide guest access with open authentication, so anyone can connect. Then, when the guest tries to browse the internet, they are redirected to the guest portal for authentication, so only corporate guests with a valid password can pass the portal authentication. This has been working fine for Windows machines, Android, and Apple devices with earlier OS versions (working on OSX 10.8.5). Clients that have been upgraded to OSX 10.10.1 or iOS 8 can no longer load the CWA redirection page.
Please let us know if there's any setting under OSX to solve the issue, or a plan from Apple to fix the issue in the next OSX/iOS release?
thanks - ciscosx
Robert,
Manual assignment has been made available in ISE 1.2 release.
M. -
Best Practice Mail Authentication not really possible?
Hi All,
In an effort to clamp down on my security a bit better, I've decided to try and remove all possible Mail auth methods besides Kerberos, Cram-MD5 and APOP. In other words, no Login, PLAIN or Clear.
I have my own Certificate Authority that I give to my users and secure IMAP, POP and SMTP all work well. I've even turned on the submission port (587).
Now, I was hoping that I could have an environment where Login, Plain and Clear are ALL disabled, but still permitted IF done over SSL. I don't see any way of achieving this.
So, I set my machine to REQUIRE SSL. While this is somewhat satisfactory for IMAP and POP, this cannot be done for SSL as it would then require all external sending mail servers to speak with my server over SSL, which next to none are willing to do.
Last but not least, webmail of course now chokes. I've set it to use port 993 and use SSL but as I'm sure some have guessed, my certificate's common name is not "localhost" and my server is behind a NAT router, so to get webmail to work traffic would have to be routed out my network to the router and back in, otherwise the proper SSL host name doesn't match.
All in all, it's quite a pain!!!
Here's what I'd LIKE to see possible:
1. Support Cram-MD5 and Kerberos from any IP with or without SSL. This will enable webmail and modern email clients to work.
2. Support Clear ONLY IF IT IS VIA SSL ("plaintext + TLS" as my logs refer to it). This will enable Treos, PCs running Outlook [Express], and other non-CRAM-MD5 devices to work WITHOUT compromising on security.
3. Reject Clear, Login and Plain IF IT IS NOT VIA SSL.
Is this possible?
There is no way to ensure your users are completely unable to send authorization in the clear. You can only take steps to minimize the potential risks. Here are my thoughts.
Again, my answer is sendmail specific but hopefully that points you to what to look for in postfix.
In the m4 config file for sendmail there is the following:
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
define(`confAUTH_OPTIONS', `A p')dnl
Lines with dnl at the beginning are basically comments.
What the above says is that by defining this option you are going to allow plain-text logins, but only if the connection is first encrypted with TLS/SSL. Undocumented in the comments: if you delete the "p" then you can have PLAIN text without TLS.
I was actually testing this out this weekend just doing a verification on my server. The results:
1. No authentication no ssl - Mail.app rejected. Log message on server stated relaying not allowed.
2. Authentication, no ssl - Mail.app just kept asking me for my password. Server log file showed multiple entries of what amounts to a client connect/disconnect with no traffic.
3. Authentication, plus ssl - Message sent immediately.
Now, I did not test for number 2 whether the client was actually sending the password to the server and the server was just ignoring it. I'm concerned about protecting passwords but more concerned about preventing my server from becoming an open relay. The password may have indeed left the client and traversed the network in the clear.
Optional solutions to prevent users from harming themselves:
1. VPN and two SMTP servers. One SMTP server that receives mail from the world. One SMTP server that can only be connected to via a VPN tunnel. The VPN SMTP server then uses the exposed SMTP server as its upstream provider (I forget the term). This assumes the user remembers to start the VPN before the email client. Without the VPN running, you run into the possibility I mentioned in #2 above. Maybe there is a setting that could enforce VPN before sending.
2. HTTPS webmail. Only allow access to email via the web interface. SMTP authentication is not an issue then, since you can have the localhost MTA of the web server handle sending.
3. Managed accounts of some sort, so users couldn't turn off SSL auth.
Just some thoughts that I hope provide some ideas for you.
Cheers
- Mark -
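Added example (not from the thread or sendmail): a Python check that reads the AUTH mechanisms a server advertises before and after STARTTLS and reports where the policy from the wish-list above (challenge-response anywhere, PLAIN/LOGIN only over TLS, never in the clear) is broken. The EHLO replies are constructed to model confAUTH_OPTIONS with and without 'p', and the host passed to check_live_server is hypothetical.

```python
import re

# Mechanism groups as the thread treats them: challenge-response and Kerberos
# are acceptable on any connection; PLAIN and LOGIN only once TLS is up.
CHALLENGE_MECHS = {"CRAM-MD5", "DIGEST-MD5", "GSSAPI"}
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def auth_mechanisms(ehlo_reply):
    """Set of SASL mechanisms advertised in a raw EHLO reply ('250-AUTH ...')."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)$", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(w.upper() for w in m.group(1).split())
    return mechs


def policy_violations(before_tls, after_tls):
    """Compare the mechanism sets seen before and after STARTTLS with the
    policy sendmail's confAUTH_OPTIONS 'p' implements: plaintext mechanisms
    hidden until TLS, challenge mechanisms always available."""
    problems = []
    for mech in sorted(before_tls & PLAINTEXT_MECHS):
        problems.append(f"{mech} advertised before STARTTLS")
    if not (before_tls & CHALLENGE_MECHS):
        problems.append("no challenge-response mechanism available without TLS")
    if not (after_tls & PLAINTEXT_MECHS):
        problems.append("no PLAIN/LOGIN after STARTTLS: Outlook-style clients "
                        "cannot authenticate")
    return problems


# Constructed EHLO replies modelling the two sendmail settings discussed.
EHLO_STRICT_PLAIN = (            # 'A p' set, before STARTTLS
    "250-mail.example.test Hello client\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH CRAM-MD5 GSSAPI\r\n"
    "250 HELP\r\n")
EHLO_STRICT_TLS = (              # 'A p' set, after STARTTLS
    "250-mail.example.test Hello client\r\n"
    "250-AUTH CRAM-MD5 GSSAPI PLAIN LOGIN\r\n"
    "250 HELP\r\n")
EHLO_NO_P_OPTION = (             # 'p' removed: plaintext offered in the clear
    "250-mail.example.test Hello client\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN CRAM-MD5\r\n"
    "250 HELP\r\n")


def check_live_server(host, port=587):
    """Run the same check against a real server (hypothetical host; not
    exercised offline). smtplib keeps parsed EHLO keywords in esmtp_features."""
    import smtplib
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        before = set(smtp.esmtp_features.get("auth", "")
                     .upper().replace("=", " ").split())
        smtp.starttls()
        smtp.ehlo()
        after = set(smtp.esmtp_features.get("auth", "")
                    .upper().replace("=", " ").split())
    return policy_violations(before, after)


if __name__ == "__main__":
    strict = policy_violations(auth_mechanisms(EHLO_STRICT_PLAIN),
                               auth_mechanisms(EHLO_STRICT_TLS))
    weak = policy_violations(auth_mechanisms(EHLO_NO_P_OPTION),
                             auth_mechanisms(EHLO_STRICT_TLS))
    print("with 'p':", strict or "policy satisfied")
    print("without 'p':", weak)
```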
Need Best practice (?) : authentication: Visual Studio - SQL 2008
Our applications connect to our SQL DBs using SQL authentication and a single account (per database). The downside is that the DB password is hardcoded in the app config files (so it is known to devs) and is rarely changed. Here are two options I'm considering. What is your take on them?
1. Use Windows authentication and AD groups. I presume that passwords would not need to be hardcoded in config files in this arrangement, and that is an improvement. The downside is that users (while they should not normally have access to Management Studio) now have, in theory, direct access to the databases. That's why we used the single-user SQL authentication approach described above. Also, in the past when we tried to do this we had issues when users belonged to multiple groups. We could not determine their default DB.
2. For all application-to-DB access, only use DSNs (Data Source Name) and a SQL account (per database). (I don't want to use a Windows account in a DSN. To prevent expiration, I'd be running around like crazy trying to update the DSN password before the apps break.)
Your thoughts, please!
TIA,
edm2
see
http://msdn.microsoft.com/en-us/library/bb669066(v=vs.110).aspx
Please Mark This As Answer if it helps to solve the issue Visakh ---------------------------- http://visakhm.blogspot.com/ https://www.facebook.com/VmBlogs -
EAP-TLS client security policy enforcement question using ISE
Hi Experts ,
I have a remote site connected to the HQ wireless controller, and Cisco ISE is used as the RADIUS server. I am using the EAP-TLS authentication method, where the client will validate the server certificate and the server will validate the client certificate.
I am using EAP-TLS and machine authentication.
In the case of server certificate installation using an internal PKI (Root CA) server, I am quite clear that we can create a certificate in ISE which can be signed by the CA and used for EAP-TLS as well. However, I am trying to understand the client certificate installation.
How does the client get a certificate from the CA? Is there any mechanism used by AD to import the certificate automatically to all the clients?
And more important is, which certificate will be installed on client machines? Do we need to create the certificate first from the CA and save it in a repository, and later install the same on client machines...? Sorry, it could be a Microsoft AD-related question, however I am pretty sure that we as wireless techies need to know even the client-side configuration.
This is all about certificate installation. How about the entire security policy which is used for EAP-TLS?
How will the client wireless network adapter properties be automatically configured with the same SSID which is configured with EAP-TLS, along with certificate validation?
I am not sure... will it get pushed through AD? How will it happen?
It would be really helpful if someone could shed light on this.
Hello Vino,
Some answers below:
How does the client get a certificate from the CA? Is there any mechanism used by AD to import the certificate automatically to all the clients?
You have templates in the certificate authority for user or machine certificates, and you can apply these certificates to a group of machines or users using GPO in Windows Server 2008.
It can be automatic because the machine can get it using GPO from the domain and afterwards can authenticate using 802.1X with the certificates received from this policy.
If you want a user certificate and to get it manually, you can access the CA using the URL https://X.X.X.X/certsrv, request the user certificate manually using your domain credentials, and install it manually to authenticate using EAP-TLS with this user certificate.
On the Cisco ISE side, it needs to have a local certificate from the same client CA or from another CA, and Cisco ISE needs to trust the clients' CA issuer to accept the client certificate and allow it to access the network.
On the client side the same happens: the client needs to trust the issuer CA of the Cisco ISE certificate to validate the ISE certificate and get access to the network.
And more important is, which certificate will be installed on client machines? Do we need to create the certificate first from the CA and save it in a repository, and later install the same on client machines...? Sorry, it could be a Microsoft AD-related question, however I am pretty sure that we as wireless techies need to know even the client-side configuration.
If you have a Windows Server with GPO and a CA configured, you can use templates to automatically apply a machine certificate or user certificate to a group of machines or users; in the case of machines it can be obtained from the domain using GPO, and in the case of user certificates it can be obtained manually or using GPO too.
This is all about certificate installation. How about the entire security policy which is used for EAP-TLS?
EAP-TLS is the most secure method to authenticate devices in the network, because you have certificates and a trusted certificate authority, and only devices which have certificates from these CAs will be allowed to access the network.
Another very secure method is EAP-FAST with machine and user certificates, where ISE will validate both the machine and user certificate before allowing the device to get access to the network.
How will the client wireless network adapter properties be automatically configured with the same SSID which is configured with EAP-TLS, along with certificate validation?
You can apply it too using GPO in Windows Server to a domain machine, but when you have a machine that is not a domain machine, you can use a user certificate to authenticate it; you need to install the user certificate manually on that machine to authenticate the user to the wireless network and create the SSID specifying the policy, which is EAP-TLS.
Remember that the client machine needs to have the issuer CA of the Cisco ISE certificate to trust Cisco ISE and get access to the network, and the opposite too (ISE needs to have the issuer CA to trust the client).
I hope it helps. -
IPS Tech Tips: IPS Best Practices with Cisco Remote Management Services
Hi Folks -
Another IPS Tech Tip is coming up, and this time we will be hearing from some past and current Cisco Remote Services members on their best practice suggestions. As always, these are about 30 minutes of content and then Q&A; a low-cost, high-reward event.
Hope to see you there.
-Robert
Cisco invites you to attend a 30-45 minute Web seminar on IPS Best Practices delivered via WebEx. This event requires registration.
Topic: Cisco IPS Tech Tips - IPS Best Practices with Cisco Remote Management Services
Host: Robert Albach
Date and Time:
Wednesday, October 10, 2012 10:00 am, Central Daylight Time (Chicago, GMT-05:00)
To register for the online event
1. Go to https://cisco.webex.com/ciscosales/onstage/g.php?d=203590900&t=a&EA=ralbach%40cisco.com&ET=28f4bc362d7a05aac60acf105143e2bb&ETR=fdb3148ab8c8762602ea8ded5f2e6300&RT=MiM3&p
2. Click "Register".
3. On the registration form, enter your information and then click "Submit".
Once the host approves your registration, you will receive a confirmation email message with instructions on how to join the event.
For assistance
http://www.webex.com
IMPORTANT NOTICE: This WebEx service includes a feature that allows audio and any documents and other materials exchanged or viewed during the session to be recorded. By joining this session, you automatically consent to such recordings. If you do not consent to the recording, discuss your concerns with the meeting host prior to the start of the recording or do not join the session. Please note that any such recordings may be subject to discovery in the event of litigation. If you wish to be excluded from these invitations then please let me know!
Hi Marvin, thanks for the quick reply.
It appears that we don't have Anyconnect Essentials.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5510 Security Plus license.
So then what does this mean for us VPN-wise? Is there any way we can set up multiple VPNs with this license? -
Best Practices for Integrating UC-5x0's with SBS 2003/8?
Almost all of Cisco's SBCS market is in the small and medium business space. Most, if not all, of these SMBs have a Microsoft Small Business Server 2003 or 2008. In order for Cisco to be considered as a purchase option, it will be critical that the UC-5x0 integrates well into these networks.
To that end, I see a lot of talk here about how to implement parts and pieces of this, but no guidance from Cisco, no labs and no best practices or other documentation. If I am wrong, please correct me.
I am currently stumbling through and validating these configurations myself. Once complete, I will post detailed recommendations. However, it would have been nice to have a lab to follow instead of having to learn from each mistake.
Some of the challenges include:
1. Where should the UC-540 be placed: As the gateway for QOS or behind a validated UC-5x0 router/security appliance combination
2. Should the Microsoft Windows Small Business Server handle DHCP (as Microsoft's documentation says it must), or must the UC-540 handle DHCP to prevent loss of features? What about a DHCP relay scheme?
3. Which device should handle DNS?
My documentation (and I recommend that any Cisco Lab/Best Practice guidance include it as well) will assume the following real-world scenario, the same which applies to a majority of my SMB clients:
1. A UC-540 device utilizing SIP for the cost savings
2. High Speed Internet with 5 static routable IP addresses
3. An existing Microsoft Small Business Server 2003/8
4. An additional Line of Business Application or Terminal Server that utilizes the same ports (i.e. TCP 80/443/3389) as the UC-540 and the SBS, but on separate routable IPs (making up crazy non-standard port redirections is not an option).
5. An employee who teleworks from various places that provide a seat and a network jack which is not under our control (i.e. an employee's home, a client's office, or a telework center). This teleworker should use the built-in VPN feature within the SPA or 7925G phones because we will not have administrative access to any third party's VPN/firewall.
Your thoughts appreciated.
Progress Report:
The following changes have been made to the router in support of the previously detailed scenario. Everything appears to be working as intended.
DHCP is still on the UC540 for now. DNS is being performed by the SBS 2008.
Interestingly, the CCA still works. The NAT module even shows all the private mapped IPs, but not the corresponding public IPs. I wouldn't recommend trying to make any changes via the CCA in the NAT module.
To review, this configuration assumes the following;
1. The UC540 has a public IP address of 4.2.2.2
2. A Microsoft Small Business Server 2008 using an internal IP of 192.168.10.10 has an external IP of 4.2.2.3.
3. A third line of business application server with www, https and RDP that has an internal IP of 192.168.10.11 and an external IP of 4.2.2.4
First, backup your current configuration via the CCA,
Next, telnet into the UC540, login, edit, and cut and paste the following to 1:1 NAT the 2 additional public IP addresses:
ip nat inside source static tcp 192.168.10.10 25 4.2.2.3 25 extendable
ip nat inside source static tcp 192.168.10.10 80 4.2.2.3 80 extendable
ip nat inside source static tcp 192.168.10.10 443 4.2.2.3 443 extendable
ip nat inside source static tcp 192.168.10.10 987 4.2.2.3 987 extendable
ip nat inside source static tcp 192.168.10.10 1723 4.2.2.3 1723 extendable
ip nat inside source static tcp 192.168.10.10 3389 4.2.2.3 3389 extendable
ip nat inside source static tcp 192.168.10.11 80 4.2.2.4 80 extendable
ip nat inside source static tcp 192.168.10.11 443 4.2.2.4 443 extendable
ip nat inside source static tcp 192.168.10.11 3389 4.2.2.4 3389 extendable
Next, you will need to amend your UC540's default ACL.
First, copy what you have existing, as I have done below (in bold), and paste it into Notepad.
Then, I'm told the best practice is to delete the entire existing list first, finally adding the new rules back, along with the addition of rules for your SBS and LOB server (mine in bold) as follows:
int fas 0/0
no ip access-group 104 in
no access-list 104
access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_24##
access-list 104 remark SDM_ACL Category=1
access-list 104 permit tcp any host 4.2.2.3 eq 25 log
access-list 104 permit tcp any host 4.2.2.3 eq 80 log
access-list 104 permit tcp any host 4.2.2.3 eq 443 log
access-list 104 permit tcp any host 4.2.2.3 eq 987 log
access-list 104 permit tcp any host 4.2.2.3 eq 1723 log
access-list 104 permit tcp any host 4.2.2.3 eq 3389 log
access-list 104 permit tcp any host 4.2.2.4 eq 80 log
access-list 104 permit tcp any host 4.2.2.4 eq 443 log
access-list 104 permit tcp any host 4.2.2.4 eq 3389 log
access-list 104 permit udp host 116.170.98.142 eq 5060 any
access-list 104 permit udp host 116.170.98.143 any eq 5060
access-list 104 deny ip 10.1.10.0 0.0.0.3 any
access-list 104 deny ip 10.1.1.0 0.0.0.255 any
access-list 104 deny ip 192.168.10.0 0.0.0.255 any
access-list 104 permit udp host 116.170.98.142 eq domain any
access-list 104 permit udp host 116.170.98.143 eq domain any
access-list 104 permit icmp any host 4.2.2.2 echo-reply
access-list 104 permit icmp any host 4.2.2.2 time-exceeded
access-list 104 permit icmp any host 4.2.2.2 unreachable
access-list 104 permit udp host 192.168.10.1 eq 5060 any
access-list 104 permit udp host 192.168.10.1 any eq 5060
access-list 104 permit udp any any range 16384 32767
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 deny ip any any log
int fas 0/0
ip access-group 104 in
Lastly, save to memory
wr mem
One final note: if you need to use the Microsoft Windows VPN client from a workstation behind the UC540 to connect to a VPN server outside your network, and you were getting Error 721 and/or Error 800, you will need to use the following commands to add to ACL 104:
(config)#ip access-list extended 104
(config-ext-nacl)#7 permit gre any any
I'm hoping there may be a better way to allow VPN clients on the LAN with a much more specific and limited rule. I will update this post with that info when and if I discover one.
Thanks to Vijay in Cisco TAC for the guidance. -
SQL Server Best Practices Architecture UCS and FAS3270
Hey there
We are moving from an EMC SAN and physical servers to a NetApp FAS3270 and a virtual environment on Cisco UCS B200 M3.
Traditionally, best practices for SQL Server databases are to separate the following files onto separate LUNs and/or volumes:
Database data files
Transaction log files
TempDB data files
Also I have seen additional separations for...
System data files (Master, Model, MSDB, Distribution, Resource DB etc...)
Indexes
Depending on the size of the database and I/O requirements you can add multiple files for databases. The goal is to provide optimal performance. The method of choice is to separate reads & writes (random and sequential activities).
If you have 30 disks, is it better to separate them? Or is it better to leave the files in one continuous pool?
12 drives RAID 10 (data files)
10 drives RAID 10 (log files)
8 drives RAID 10 (TempDB)
Please don't get too caught up on the numbers used in the example, but place focus on whether or not (using FAS3270) it is better practice to separate or consolidate drives/volumes for SQL Server databases.
Thanks!
Hi Michael,
It's a completely different world with NetApp! As a rule of thumb, you don't need separate spindles for different workloads (like SQL databases & logs); you just put them into separate flexible volumes, which can share the same aggregate (i.e. a grouping of physical disks).
For more detailed info about SQL on NetApp have a look at this doc:
http://www.netapp.com/us/system/pdf-reader.aspx?pdfuri=tcm:10-61005-16&m=tr-4003.pdf
Regards,
Radek
-
Cisco ISE: Error 5411 No response received ...
Hi all,
We were running Cisco ACS version 4.x until half a year ago, but decided to upgrade to Cisco ISE. So we've made a fresh installation with our Cisco partner. At the moment we're live with this equipment, but running into a lot of trouble, as we're receiving a lot of these errors each day. Once the users restart their PCs a few times the problem is solved, but at the moment it's pretty annoying:
No response received during 120 seconds on last EAP message sent to the client
Steps from the detailed view:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
5411 No response received during 120 seconds on last EAP message sent to the client
Allowed Protocol: EAP-TLS and PEAP
Authentication Protocol : EAP-TLS
Actually I don't know which version we're running. Where can I check the release on the web interface?
Switches are 3750X with the following switchport configs (some things have been xxx'd out); firmware is Version 12.2(55)SE1:
interface GigabitEthernet1/0/1
description xxx
switchport access vlan xxx
switchport mode access
switchport voice vlan xxx
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
authentication event fail action next-method
authentication event server dead action authorize vlan xxx
authentication event no-response action authorize vlan xxx
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 28800
mab
mls qos trust device cisco-phone
mls qos trust cos
macro description cisco-phone | cisco-phone
dot1x pae authenticator
dot1x timeout tx-period 15
dot1x timeout supp-timeout 15
auto qos voip cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoQoS-Police-CiscoPhone
Can someone suggest anything to solve the problem, maybe some misconfiguration or improvements, before starting a TAC case?
Thanks in advance
regards
Marc
The Global Help icon is located in the bottom left corner of the Global Toolbar in the Cisco ISE window. You may check the ISE version there.
To launch Global Help, complete the following steps:
Step 1 On the global toolbar, move your cursor over the Help icon.
Step 2 Choose Online Help from the pop-up menu.
A new browser window appears displaying the Cisco ISE Online Help.
~BR
Jatin Katyal
**Do rate helpful posts**
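What the detailed view above actually records is that ISE proposed EAP-TLS (step 12500), returned the Access-Challenge (11006), and then heard nothing from the supplicant for 120 seconds (5411). When this happens many times a day, pulling that fact out of each session mechanically, and counting how often each failure code recurs, is quicker than reading every detailed view. The following is an added example, not ISE's own code or API: it parses the `<code> <message>` step lines as ISE displays them, reports the last EAP-Request ISE sent before the timeout and the method it proposed, and tallies failure codes across a batch of sessions. The step list is a constructed copy of the one quoted in the post; the line format and the message wording it keys on are assumptions from that quote.

```python
"""Triage helper for the step list in an ISE authentication's detailed view.
Added example, not ISE code; parsing rules are assumptions based on the quoted steps."""
import re
from collections import Counter

# Constructed sample: the detailed-view steps quoted in the post.
SAMPLE_STEPS = """\
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
5411 No response received during 120 seconds on last EAP message sent to the client
"""

STEP_RE = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")
TIMEOUT_RE = re.compile(r"No response received during (\d+) seconds")
PROPOSE_RE = re.compile(r"proposing (\S+)")

def parse_steps(text):
    """Return [(code, message)]; unnumbered lines such as policy-evaluation
    headers keep their position with code None."""
    steps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = STEP_RE.match(line)
        steps.append((int(m.group(1)), m.group(2)) if m else (None, line.strip()))
    return steps

def triage(text):
    """Summarise one session: did ISE time out waiting for the client, after
    which EAP-Request, and which EAP method had it proposed at that point."""
    result = {"timed_out": False, "timeout_seconds": None, "failure_code": None,
              "last_eap_request": None, "proposed_method": None, "identity_seen": False}
    for code, msg in parse_steps(text):
        if msg.startswith("Extracted EAP-Response/Identity"):
            result["identity_seen"] = True  # the supplicant did answer the identity request
        if msg.startswith("Prepared EAP-Request"):
            result["last_eap_request"] = (code, msg)
            p = PROPOSE_RE.search(msg)
            if p:
                result["proposed_method"] = p.group(1)
        t = TIMEOUT_RE.search(msg)
        if t:
            result.update(timed_out=True, timeout_seconds=int(t.group(1)), failure_code=code)
            break  # nothing after the timeout step describes the client
    return result

def failure_histogram(sessions):
    """Count failure codes over many sessions (e.g. a day's worth of exports)
    so a recurring 5411 stands out from one-off client restarts."""
    return Counter(r["failure_code"] for r in map(triage, sessions) if r["timed_out"])

if __name__ == "__main__":
    r = triage(SAMPLE_STEPS)
    print(f"timed out after {r['timeout_seconds']}s (step {r['failure_code']}); "
          f"last request sent: {r['last_eap_request']}; proposed {r['proposed_method']}")
    print(dict(failure_histogram([SAMPLE_STEPS, SAMPLE_STEPS])))
```

For the quoted session `triage()` reports identity_seen=True, proposed_method="EAP-TLS" and last_eap_request starting with step 12500, which narrows the question to why the supplicant stops answering once EAP-TLS is proposed rather than whether it talks to the switch at all. Feeding `failure_histogram()` the sessions of one endpoint over several days shows whether the timeout is tied to specific machines, which is the kind of evidence worth having before opening the TAC case.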