Cisco SA520 Max # of users?

Greetings,
I am trying to find out the max number of users the CISCO SA520 will support?
Also I can't seem to find the part numbers for adding users to the SA 520. I currently have an SA 520 which I believe has 10 users built in.
Could someone point me to a page with the part numbers for adding 25 or 50 users?
I am assuming that if I purchase 25 users for the SA 520 I will end up with 35 users?
Thanks in advance.
Justin

Hi Justin,
Which type of user are you referring to?
By default, the SA520 supports:
2 SSL VPN connections with a maximum of 25 with license purchase
50 IPSEC tunnels
Authenticated users (internal database) 100
Connection/user quantity 15,000
This information is found at the following:
http://www.cisco.com/en/US/partner/products/ps9932/prod_models_comparison.html
http://www.cisco.com/cisco/web/solutions/small_business/products/security/SA_500/index.html-tab-Models
-Tom

Similar Messages

  • Issue with cisco acs 4.2. Users unable to login aaa client but after restarting group policy able to login

    Issue with cisco acs 4.2. Users unable to login aaa client but after restarting group policy able to login

  • Successmaker program not working behind Cisco SA520

    My customer is a small school in British Columbia. They have used the Successmaker program (written by Pearson Education) to teach numeracy and literacy skills. Since installing a SA520 the teachers are saying that Successmaker does not work properly.
    I am at my wits end.
    I have disabled content filtering for the SA520, I have disabled IDS on the SA520. I am using the default outbound firewall rule allowing inside addresses access anywhere on the Internet, and I have created an inbound firewall rule allowing all traffic and all services from the Successmaker server IP address that their tech support gave us. Their app is still unable to work properly.
    What am I missing?
    Before the SA520 was installed the school was using PAT to map different ports on the public IP on the school cable modem to inside addresses. The whole school was a big DMZ, and any port scanning would have reached into their network. The port mappings were never communicated to the Successmaker folks, so I doubt they were ever relevant to the issue. The Successmaker App is web based, and according to their tech support uses "transfer encoding:chunked" technology. I read up on this and it dates back pre Web 2.0 (pre flash, pre silverlight, pre basically the silicon chip). It is discussed in RFC 2616, the SA520 is Linux based, not IOS based. Does that mean that it does not understand RFC2616? I doubt it, and even if it didn't understand RFC 2616 surely all the steps I have taken above would blow a hole the size of a barn door through the firewall?
    If this weren't a school I would not be as emotionally connected as I am to their situation. Without this firewall they will be without much protection at all.
    Can you help?
    Message was edited by: dirkventer - I added the feedback received from Successmaker tech support. It suggests that the Cisco SA520 may be a problem, something I don't want to believe.

    Hi Quendale
    I'm sorry to say that putting a student computer in the DMZ didn't resolve the issue.
    In setting up the DMZ I made the following changes -
    1) I confirmed that the Option interface was in DMZ mode, and that it had a static IP on a new subnet.
    2) We also configured the DMZ DHCP to assign addresses in the subnet, using the firewall DMZ IP as default gateway, and using the firewall DMZ IP as DNS server.
    3) I created a default firewall rule allowing all outbound traffic from the DMZ to the Internet, and created a firewall rule allowing all inbound traffic from the Successmaker server on the Internet (insecure) zone to the DMZ.
    4) I confirmed that IPS was off for the DMZ (Default) and that the content filter exception for the DMZ was still disabled.
    The same problem occurred, which makes me believe that the reason for the application not working in the LAN zone had nothing to do with IPS or content filtering. As far as the firewall rule goes, the impact of the inbound rule seems to have been the same - i.e. ineffectual.
    Connecting the PC running Successmaker directly to the school cable modem works.
    The possibility that the application in question has traffic blocked because of a RFC (2616?) governing the way GET and POST requests should be formatted would still exist so long as integrity/compliance checking of packets is something that cannot be bypassed via the firewall configuration. Suffice it to say that the application appears dated and uses nothing of web 2.0. One of the options available to my customer is the purchase of the Web 2.0 version of Successmaker ($600/seat), but they are only prepared to explore this option if the indications are that the older application, not the firewall, is at fault. Pearson Education support swears blindly that thousands of BC school children continue to use the old app behind Cisco firewalls. I don't deny that the possibility exists that the Pearson support technician is stretching the truth; having an older application that has ceased to function with more sophisticated firewalls because RFC violations in packet formatting have become significant would doubtless present a solid easy-sell for their upgraded version, which is expensive, especially for a school.

  • Is it possible to map a Sponsor Group in Cisco ISE to a user group in Active Directory, through a RADIUS server?

    Hi!!
    We are working on a mapping between a Sponsor Group in Cisco ISE and a user group in Active Directory....but the client wants the mapping to be through a RADIUS SERVER, for avoiding ISE querying directly the Active Directory.
    I know it is possible to use a RADIUS SERVER as an external identity source for ISE.....but, is it possible to use this RADIUS SERVER for this sponsor group handling?
    Thanks and regards!!

    Yes, it is possible to map a Sponsor group to a user group in AD, and if you want to know how to do it, please open the link below and go to the Mapping Active Directory Groups to Sponsor Groups heading.
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html#wp1096365

  • Cisco SA520 IP alias broken after FW upgrade

    We have a Cisco SA520 running on a Comcast 5 IP block. We just recently upgraded the firmware from 1.1.42 to 2.1.51 and now we are unable to use our IP aliases that we setup to route one server's traffic to a particular WAN IP Alias which is different from the rest of the network. Here is what we are trying to accomplish, and yes, it was working fine before the firmware upgrade:
    "Server A"-> "External IP Alias A" (Email server)
    "All other traffic on same subnet" -> "Default WAN IP" (computers and other servers)
    Right now I have the WAN IP setup on the router to be the same IP as the alias we were using before, just to get the server on the right IP. Unfortunately that means all other traffic is on that IP now too.
    I'd really like to separate the traffic on the network so we can keep all email traffic on its own WAN IP, and all other network traffic on its own WAN IP too.
    What do I need to do to fix this? We originally had an IPV4 Rule in place which worked great. See the attached picture for an example of what worked before.
    Thanks for your help!!
    Kevin Cantrell

    Hi,
    I have exactly the same problem! Although on an AS5350 running c5350-js-mz.123-4.T2.bin.
    Tried "isdn map address . plan isdn type national" on the serial interface. Did not work.
    Also tried adding "isdn calling number ........" (8 digits). Did not work.
    When debugging on SIP the CLID is being received from the SIP client.
    Interesting that we have the same problem on the same software? Hopefully someone will give a pointer as to which software works or a workaround command.
    Regards
    Lasse

  • Cisco Unified MeetingPlace web user portal

    All,
    Could someone tell me what the URL of the "Cisco Unified MeetingPlace web user portal" is?
    My design is MeetingPlace / WebEx with MeetingPlace Scheduling.
    Thanks a lot,
    Luciane de Medeiros

    RC,
    This behavior is stemming from a change in MP 7.0 MR2 to disable the MPWeb login for system profiles.  This was an internal change made by the developers to restrict the log on to the MPWeb page by the default accounts created in MeetingPlace upon installation.  The change now displays this error when the admin account is attempted to be used for MPWeb login, as you experienced-
    Error:[22953] You cannot sign in to the Cisco Unified MeetingPlace Web Server interface using preconfigured system profiles.
    You should be able to log into MPWeb using any other user profile that you have either created manually or pulled in from LDAP/Active Directory.  You just cannot use the admin account.  This is reserved for login to the MP Application Server Administration page only.  I am going to work to get this information added to the MP 7.0 documentation with a note for changed behavior in MR2 and above.  Here is the note from MP 8.0 documentation-
    Note: You cannot use this preconfigured admin profile to access the Cisco Unified MeetingPlace Web Server interface. Instead enter the User ID and password information from one of the other user profiles that have system administrator privileges to sign in to the Web Server.
    Please let me know if you have any further questions.
    Thank You,
    Gerry

  • Cisco Jabber for Windows User Photos

    CUPS 8.6.3
    Jabber Client for Windows Version 9.0.1 Build 8802
    I noticed that the Cisco Jabber for Windows Client does not automatically update with the photos that updated in Active Directory.
    I had updated a user's photo in AD and noticed that it would not change. I browsed to "C:\Users\<user name>\App Data\Local\Cisco\Unified Communications\Jabber\CSF\Photos" and had to manually delete the user photos in this folder. I exited out of the Jabber Client and restarted the program. When I did this, the Jabber Client crashed, I saved the crash report, and re-opened the Jabber client. This time the client opened properly, and the updated photos were now appearing!
    Seems like Cisco would not have set the photos to Cache to the local computer....
    Any thoughts?

    Yes, Here is a sample .xml script.
    <?xml version="1.0" encoding="utf-8"?>
      http://www.cisco.com/CiscoJabberSetup.msi
              Cisco
              http://www.cisco.com/web/fw/i/logo-open-graph.gif
              http://www.cisco.com
              Cisco Jabber for Windows
              http://server_name.cisco.com/jabber.png
              http://www.cisco.com/en/US/customer/products/ps12511/tsd_products_support_series_home.html
              Cisco Jabber
              http://server_name.cisco.com/jabber.png
              http://www.cisco.com/web/products/voice/jabber.html
      EDI
      1
      YOURDOMAINCONTROLLER
      389
      0
      ldapaccount
      ldapaccountpassword
      dc=XXXXXXX,dc=XXXXXXX,dc=com
      ipPhone
      True
      sAMAccountName
      http://www.yourinternalwebserver.com/User%20Photos/Profile%20Pictures/sAMAccountName.jpg
      true
      true
      .exe;.msi;.rar;.zip;.mp3
      false
      presence
    The bold is how we pulled photos from a directory on a web server
    If you don't have IIS running on a server you can replace
    http://www.yourinternalwebserver.com/User%20Photos/Profile%20Pictures/sAMAccountName.jpg
    with
    \\Your server\c$\PhotoFolder\sAMAccountName.jpg

  • Cisco SA520 - Unable to block all torrents and Poor Performance

    Hi, I have installed a Cisco SA520W Appliance at a Client who has about 40-50 PC's, the device has the latest firmware 2.1.7 and latest IPS signature (17) installed, the client is quite disappointed about the performance of the device as he believes Internet browsing access has slowed down substantially.
    The main problem the client is encountering is that, he is unable to block Utorrent P2P software and this is not allowing him to retain Internet control from the SA520 appliance.
    He had also commented on the fact that there does not appear to be a status monitor on IP usage of Internet access to pinpoint who at that time would be hogging up the bandwidth.
    Any feedback, same encounters scenarios and possible fixes to the above issues would be appreciated.
    Thanks
    Shawn

    You might find this thread interesting regarding the router's performance with IPS turned on.  An SA540, and an access point, would yield slightly better performance.  That's what we use.
    https://supportforums.cisco.com/thread/2022832?tstart=60
    There are some older threads regarding the SA500 series router's ability to detect torrent activity.  You might want to dig them up and respond to them.  The Cisco folks were working diligently at optimizing the IPS engine's ability to detect different types of torrent activity.
    There is no way to monitor Internet access usage at the individual IP level that I am aware of.  I suggest turning on network logging (to a syslog server as there will be a lot of data to capture) and monitor traffic that way.  Kiwi Syslog Server has a free version that your client could use.
    http://www.solarwinds.com/register/kiwi_registration.aspx?Program=874&c=70150000000EIV7
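
One way to get the per-IP usage view suggested above out of firewall syslog data, as an added example that is not part of the original thread. It assumes iptables-style `SRC=`/`DST=`/`LEN=` records (the SA520's actual log format is not shown on this page), and the sample lines, subnet and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed record layout: iptables-style key=value pairs in the syslog message.
# Adjust the field names to whatever your appliance really emits.
FIELD_RE = re.compile(r"\b(SRC|DST|LEN|DPT)=(\S+)")

# Constructed sample of what a syslog server might have collected.
SAMPLE_LOG = """\
Mar  3 10:15:01 fw kernel: FWD IN=lan OUT=wan SRC=192.168.75.23 DST=203.0.113.10 LEN=1500 PROTO=TCP SPT=51000 DPT=443
Mar  3 10:15:02 fw kernel: FWD IN=lan OUT=wan SRC=192.168.75.23 DST=203.0.113.10 LEN=1500 PROTO=TCP SPT=51000 DPT=443
Mar  3 10:15:03 fw kernel: FWD IN=lan OUT=wan SRC=192.168.75.40 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40222 DPT=80
Mar  3 10:15:04 fw kernel: FWD IN=wan OUT=lan SRC=203.0.113.10 DST=192.168.75.23 LEN=1400 PROTO=TCP SPT=443 DPT=51000
Mar  3 10:15:05 fw kernel: FWD IN=lan OUT=wan SRC=192.168.75.23 DST=198.51.100.99 LEN=1200 PROTO=UDP SPT=6881 DPT=6881
Mar  3 10:15:06 fw kernel: FWD IN=lan OUT=wan SRC=192.168.75.40 DST=198.51.100.7 LEN=400 PROTO=TCP SPT=40222 DPT=80
Mar  3 10:15:09 fw dhcpd: lease renewed for 192.168.75.51
Mar  3 10:15:10 fw kernel: FWD IN=lan OUT=wan SRC=192.168.75.51 DST=198.51.100.7 LEN=bad PROTO=TCP
"""


def parse_line(line):
    """Return (source address, packet length) or None for unusable lines."""
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "LEN"} <= fields.keys():
        return None  # not a packet record (e.g. DHCP or system messages)
    try:
        return ipaddress.ip_address(fields["SRC"]), int(fields["LEN"])
    except ValueError:
        return None  # truncated or corrupted record


def top_talkers(log_text, lan_cidr, limit=3):
    """Rank LAN hosts by logged outbound bytes.

    Only packets the firewall actually logged are counted, so the totals
    are a relative indicator of who is busiest, not an exact byte meter.
    """
    lan = ipaddress.ip_network(lan_cidr)
    totals = defaultdict(lambda: [0, 0])  # ip -> [bytes, packets]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, length = parsed
        if src not in lan:
            continue  # ignore inbound packets and foreign sources
        totals[str(src)][0] += length
        totals[str(src)][1] += 1
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1][0], kv[0]))
    return [(ip, b, n) for ip, (b, n) in ranked[:limit]]


if __name__ == "__main__":
    for ip, nbytes, packets in top_talkers(SAMPLE_LOG, "192.168.75.0/24"):
        print(f"{ip:15s} {nbytes:8d} bytes in {packets} logged packets")
```
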

  • MacBookPro - Suddenly can't connect to Cisco WAP while Windows Users Can

    Hi,
    My partner and I, both consultants, use MBP's. At one of our client's sites, our MBP's suddenly stopped being able to connect to the wireless network there. We believe this started happening shortly after installing a regular security update last February.
    The odd thing is, we can go to another building where there is another access point, same make and model, same SSID, which we can connect to with no problem.
    Meanwhile, since we are the only Mac users, and are mere consultants, the local IT guys don't bother to check it out.
    We get the "There was an error joining the Airport network "<network name>" error message. We have double checked and know we have the right WEP keys. I don't remember off hand the strength of the WEP, but it's pretty simple and straight forward, and must be the same as the other WAP since all the Windows users can go between locations without having to reconfigure.
    I've been to the genius bar, and they haven't seen any reference to this anywhere in the KB or on any of the forums.
    If anyone has any ideas, please let me know.
    Thanks,
    -ktb

    My partner called Apple Support today after downloading a security update he hoped would address the problem (but to no avail). He managed to reach someone who knew something about the problem.
    The support staffer indicated that there was a known issue connecting with some Linksys WAPs (and since Cisco now owns Linksys, they are probably using the same chip sets in some products). Even though the staffer acknowledged that the problem was caused by a security update, and thus was a software problem (confirmed by the fact that we can connect when we boot windows in Boot Camp and are able to connect), they said there was nothing they could do - not even offer a way to downrev our airport firmware.
    This is the kind of support I expect from the Evil Empire in Redmond, not Steve and company. Feh - success breeds contempt.
    MacBook Pro Mac OS X (10.3)

  • RSA SecurID and Cisco ACS integration for user(s) with enable mode

    I thought I had this problem figured out but I guess not.
    I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the
    router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2.
    I use tacacs+ authentication for logging into the Cisco router
    such as telnet and ssh. In the ACS I use "external user databases"
    for authentication which proxy the request from the ACS over
    to the RSA SecurID Server. I installed RSA Agents with
    sdconf.rec file on the Cisco ACS server. I renamed "user group 1"
    to be "RSA_SecurID" group. In the "External user databases" and
    "database configurations" I assign SecurID to this "RSA_SecurID"
    group.
    Everything is working fine. In the "User Setup" I can see dynamic
    user test1, test2,...testn listed in there as "dynamic users". In
    other words, I can telnet into the router with my two-factor
    SecurID.
    The problem is that if test1 wants to go into "enable" mode with
    SecurID login, I have to go into "test1" user setting and select
    "TACACS+Enable Password" and choose "Use external database password".
    After that, test1 can go into enable mode with his/her SecurID
    credential.
    Well, this works fine if I have a few users. The problem is that
    I have about 100 users that I need to do this. The solution is
    clearly not scalable. Is there a setting from group level that
    I can do this?
    Any ACS "experts" want to help me out here? Thanks.

    That is not what I want. I want user "test1" to be able to do this:
    C
    Username: test1
    Enter PASSCODE:
    C2960>en
    Enter PASSCODE:
    C2960#
    In other words, test1 user has to type in his/her RSA token password to get
    into exec mode. After that, he/she has to use the RSA token password to
    get into enable mode. Each user can get into "enable" mode with his/her
    RSA token mode.
    The way you described, it seemed like anyone in this group can go directly
    into enable mode without password. This is not what I have in mind.
    Any other ideas? Thanks.

  • Cisco ISE Failure: 24408 User authentication against Active Directory failed since user has entered the wrong password

    Hi,
    Since we implemented Cisco ISE we receive the following failure on several Notebooks:
    Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
    This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
    The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
    Why is this happening?
    Thanks,
    Marc

    The possible causes of this error message are:
    1.] If the end user entered an incorrect username.
    2.] The shared secret between WLC and ISE is mismatched. With this we'll see continuous failed authentication.
    3.] As long as a PSN is not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In the majority of cases it says eap session timed out.
    In your case, the 3rd option seems to be the closest one.
    Jatin Katyal
    - Do rate helpful posts -

  • Cisco ISE and Fast User Switching

    Greetings,
    In our deployment, we are interested in utilizing the "Fast User Switching" that is contained within the Windows Functionality. After searching for quite a while, I see that the native Windows supplicant is not compatible with Fast User Switching. It does not appear that Anyconnect is either. Can you please inform me as to what supplicant I would need to research in order to allow for the User Switching Functionality?
    We are currently using ISE 1.2 Patch 4.
    Thank You for any assistance.
    David

    The NAC Agent for Cisco ISE does not support Windows Fast User Switching when using the native supplicant. This is because there is no clear disconnect of the older user. When a new user is sent, the Agent is hung on the old user process and session ID, and hence a new posture cannot take place. As per the Microsoft Security policies, it is recommended to disable Fast User Switching.
    Source:
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_pos_pol.html

  • Cisco ISE - Computer and User Authentication on AD for Wireless Clients.

    Hello all,
    I am trying to configure Cisco ISE to authenticate/authorize Wireless access with PEAP MsChapv2.
    The AD user authorization works fine, but I cannot see on the logs a challenge for the computer verification (it must be a domain member).
    I have found an attribute I would use for this action, but I cannot use it, because I don't see the challenge for the computer challenge.
    Can you explain to me if this fact is involved by the ISE configuration or by the client configuration?
    Thanks a lot for your help.
    The following screenshots show the logs appearing in the ISE:
    Kind regards, Emeric.

    This is a great question and I wanted to add my input and I have a question as well. My understanding is that in order to do both Machine and User, EAP-Chaining is required, which uses EAP-FAST.
    In my testing, when a domain box is configured for computer/user authentication, when the laptop started up it will authenticate with a host/ and sid in the log.
    When the user logs in you then see the user ID.
    For my benefit, what rule are you talking about?
    Thank you

  • CISCO ISE ISSUE 24206 User disabled

    Hi there,
    We have here an issue with Cisco ISE. When I create a guest account with the sponsor portal we can't access the WLAN. On the Cisco ISE, Operations \ Authentications returns the error message Event "Authentication" Failure Reason "24206 User Disabled" Auth Method "PAP_ASCII" Authentication Protocol "PAP_ASCII"
    In order to fix this issue, what can I do? I don't understand why, because I can create the user without an error message.
    At the sponsor portal the user that I have created doesn't show in the list...
    Any help??
    Regards
    Adriano

    Select the affected account and click Reinstate.
    It is possible, that your sponsor account does not have the permission to Reinstate/Suspend accounts. Check/change this in your ISE admin page:
    - Go to Administration > Guest Management > Sponsor Groups.
    - Click the Sponsor Group your sponsor account is a member of to edit.
    - Select tab Authorization Levels: view/modify the permission listed for the option Suspend/reinstate Accounts.
    ref: https://supportforums.cisco.com/discussion/11431386/ise-guest-user-problem

  • Cisco WLC Local Net user Authentication

    Hi,
    I have a Controller configured with local net users. Web policy with authentication has been configured for Layer 3 security. When the user tries to access the Wireless, they will be redirected to a web authentication screen, where they need to enter the pre-configured credentials to gain access.
    Now, the requirement is: users shall have to provide login credentials only upon initial access (one time) and shall not have to accept an Acceptable Use Agreement when their systems connect to the wireless network. The next time user tries, they should be provided access automatically.
    We have configured the following setting on Windows 7 client:
    1. Connect automatically when the network is in range is selected
    2. Please refer the attached screenshots for further configuration for Windows 7 Clients.
    On WLC: SSID --> Advanced Options --> We have disabled the “Enable Session Timeout” setting, but we still have "Client Exclusion" Enabled.
    When a computer is shutdown and brought back up within a few minutes the wireless credentials seem to stick, however, when the computer is shutdown for a period of overnight, the credentials are no longer cached and we have to re-authenticate to the wireless.
    Is this issue because of "Client Exclusion" Enabled on the SSID/WLAN?
    If not, can someone share the complete procedure to make sure that users' local net user credentials will be cached?
    Thanks,
    Jagan

    Well you only can keep it connected for an x number of minutes. You will not be able to set it longer than a day.
    This means, I can't configure the WLC/Client to cache the credentials permanently? And everyday, they have to enter the credentials to access SSID?
    You can extend it up to 30 days, but you have to run v7.5. After that, they will have to login again.
    Change the idle timer to about 2-4 hours and that should keep the client on the WLC DB. This will allow the client to go away for the number set and come back without having to login again.
    As you said, if I configure the WLC Idle Time for 2-4 hours, do the client have to provide credentials the next day when they access Wireless?
    Yes. See my previous answer.
    Is there any other way via which this can be achieved? (The limitation is: client should be authenticated only with the WLC.)
    If you are looking for clients to login once and then never again, the answer is no. You have two choices, you can use the new v7.5 and use the sleeping client feature which gives you max of 720 hours (30 days), or you use the idle timer and after the idle timer expires, the user will have to login.
    Thanks,
    Jagan
    Thanks,
    Scott
    Help out other by using the rating system and marking answered questions as "Answered"
