Cisco sns-3415 configuration
Hi Team,
We brought a new Cisco SNS-3415 ACS configuration; somebody please help to configure this for the first time. I am simply on this device for the first time, so I look forward to a first-level configuration guide. Find the configuration details below.
SNS-3415-K9: Small Secure Network Server for ISE NAC & ACS Applications
CON-SNT-SNS3415: SMARTNET 8X5XNBD Small Secure Network
CSACS-3415-K9: ACS application & BASE license for SNS-3415-K9 appliance
CSACS-5-BASE-LIC: Cisco Secure ACS 5 Base License
CSACS-ACCYKIT: Accessory Kit for Access Control System SW on 3415-appliance
SFS-250V-10A-ID: SFS Power Cord - 250V 10A India
SNS-4GBSR-1X041RY: 4GB 1600 MHz Memory Module
SNS-600GB-HDD: 600 GB Hard Disk Drive
SNS-650W-PSU: 650W power supply for C-series rack servers + cord (configur
SNS-CPU-2609-E5: 2.4 GHz E5-2609/80W 4C/10MB Cache/DDR3 1600MHz
SNS-N2XX-ABPCI01: Broadcom 5709 Dual Port 10/100/1Gb NIC w/TOE iSCSI
SNS-RAID-ROM5: Embedded SW RAID 0/1/10 8 ports SAS/SATA
SNS-UCS-TPM: Trusted Platform Module for UCS servers
Thanks
Sreejesh S
Check the Cisco how-to guides for step-by-step configuration; just follow the instructions and you can easily configure the setup. Also, when you first open the ISE there is an option for express setup (auto config), but I would suggest the guide (link given below).
https://www.cisco.com/en/go/trustsec.
**********Do rate Helpful posts************************
Similar Messages
-
ISE 1.2 SNS-3415 NIC Bonding / Teaming
Hello,
I have installed the SNS-3415 with ISE 1.2 and I'm trying to set up redundancy (team) NIC modes for the authentication requests and not for management purposes.
The tests showed that when the one interface was unplugged everything was lost and nobody from our internal users was able to be authenticated by the ISE node.
In contrast, when I unplugged the "second interface" (probably the inactive one) nothing happened, which shows that it is a useless interface.
My purpose is to connect it to my twin core switches and have a full high-availability deployment.
- I have searched enough on the web but I didn't find any clear and precise document saying how this could be achieved.
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/installation/guide/csacs_book/csacs_hw_ins_ucs.html#wp1185589
Themis
ISE 1.2 does not support NIC teaming. Especially on appliances. There is a workaround for VM using the ESXi host to team the NICs so that it is transparent to the VM.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton
-
Hi. We recently purchased an ISE 1.2 appliance (SNS-3415 hardware). It installed fine, but I am unable to access the GUI. When I log in to the box and run the following command on the CLI
ISE-12-NS-SD-2/admin# show application status ise
I see the following output:
ISE Database listener is running, PID: 7737
ISE Database is running, number of processes: 38
ISE Application Server process is not running.
ISE Profiler DB is running, PID: 9090
ISE M&T Session Database is running, PID: 8959
ISE M&T Log Collector is running, PID: 9294
ISE M&T Log Processor is running, PID: 9376
% ERROR: ISE SERVICES HAVE BEEN DISABLED BECAUSE
% HARDWARE RNG INTEGRITY CHECK HAS FAILED!
Can anyone help me? What can I do to ensure that the hardware RNG integrity check succeeds? Is it a license issue? Is it faulty hardware? Please advise. I would be very grateful.
Thanks in advance.
I worked with a TAC engineer on this and he said one other customer had this issue and the only recourse was reimaging the appliance with the ISE 1.2 ISO image.
I did reboot, restarted services, reset to factory default and none of that worked. It is possible that the issue happened because during setup of the appliance I didn't have network connectivity and went ahead with the setup and configuration of the ISE application anyway. I later had network connectivity but by that time ISE manifested this fault.
Reimaging and ensuring network connectivity during setup the next time around fixed the problem.
-
Hi guys,
I saw the HW specs of the 3415.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11640/data_sheet_c78-726524.pdf
There is a spare part for the disk and for the power supply. Does anyone have experience of whether the ISE software will check for the HW? The SNS server has a hardware RAID controller. I want to know if I can use the RAID controller just for mirroring for HW redundancy.
The SNS 3415 has two power slots. So I suppose this can be easily done without breaking the 'service' requirements for TAC.
regards,
Sander
Hi Ravi,
For the OS disk, I'm pretty sure we will run into problems. Like you said, the UNIX distro will check for the HW based on the system ID (the 3415 will have only 1 disk, like the specs of Cisco). So sure, I don't want to run into problems with my service agreement.
But for the PSU it would be nice to know if I can install this without any issues. Maybe you got the HW in the labs?
regards,
Sander
-
Hi All,
We are planning to take ISE SNS-3415-K9 appliance for 2500 wireless end points.
Can you please guide me on how to take the license? Are Base licenses really required for wireless endpoints?
Your early response will be highly appreciated.
Regards,
Satish.
If you are purchasing the Wireless license then the Base license is not required; it would support the below services:
Device onboarding/provisioning
AAA
Guest provisioning
Link encryption policies
Device profiling and feed service
Host posture
Cisco Security Group Access
Integrated vendor MDM support
Refer: http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.html
-
Cisco ISE migration from VM to SNS 3415 Appliance
HI Experts,
My customer is running an ISE VM (OS is 1.1.1) with base license used only for guest authentication. As per the requirement we need to migrate the existing setup to the ISE hardware (1.2).
Can anyone please help me with the best way to do this?
I am planning to install a new ISE setup rather than migrating, but I am confused regarding the ISE licensing.
Thanks in advance
Regards
Agnus
Angus,
First and foremost, you must have a current, non-expired license.
The best way to accomplish this is to log in to the Licensing Portal:
https://tools.cisco.com/SWIFT/LicensingUI/Quickstart#
Click on Licenses. Choose the license you would like to transfer to the new 3415 Appliance.
Note that I have selected two licenses, Base and Advanced. You can only select ONE LICENSE at a time. To Re-Host a Base and an Advanced License, you must do this twice.
Then click Actions > Rehost/Transfer...
A new window will appear requesting the information from your new 3415 Appliance (you must have already installed ISE on the appliance):
You can find this information on the new 3415 by going to Administration > Licensing and clicking on the name of your node.
This is all found in the ISE Admin Guide.
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_0111.html#concept_E664BCA9F4164C7F8DE590B7C2C4AD99
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton
-
Hi,
I have configured a Cisco ASA 5505 but I can't get access to the internet using my laptop connected to the ASA. I did not use the console but the graphical interface for the configuration. I changed the inside address of the ASA and it is 192.168.2.1. From the inside I can't ping the equipment outside, and from outside I can't ping the laptop connected to the ASA.
Here is my configuration:
Result of the command: "show running-config"
: Saved
ASA Version 8.2(5)
hostname xxxxxxxxxxxxxxxxx
domain-name xxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxx encrypted
names
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.48 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
 domain-name processia.com
access-list outside_access_in extended permit ip any any
access-list icmp_out_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ipv6 access-list outside_access_ipv6_in permit ip any any
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group icmp_out_in in interface outside
access-group outside_access_ipv6_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.48 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.2.2-192.168.2.129 inside
dhcpd dns 80.10.246.2 80.10.246.129 interface inside
dhcpd ping_timeout 5000 interface inside
dhcpd domain xxxxxxxxxxxxxxxxx interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
policy-map global_policy
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7e6f35db321b722ca60009b0c0dc706e
: end
Thank you for your help
Hi Sylla,
The static route you have configured for Internet access needs to be corrected:
route outside 0.0.0.0 0.0.0.0 192.168.1.48 1
The next hop address should be your ISP's gateway IP address and not the ASA's outside interface IP. Currently, both are configured for 192.168.1.48.
-Mike -
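The mistake pointed out in the reply above (a static route whose next hop is the firewall's own interface address) can be caught mechanically before a configuration is applied. The Python sketch below is an added example, not part of the original thread and not a Cisco tool; the function names and the 192.168.1.1 and 10.9.9.9 next hops in the constructed variants are assumptions for illustration.

```python
import ipaddress

# Trimmed from the running-config quoted in the question above.
POSTED_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.48 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.48 1
"""

# Constructed variants: both replacement next hops are hypothetical.
_ROUTE = "route outside 0.0.0.0 0.0.0.0 "
FIXED_CONFIG = POSTED_CONFIG.replace(_ROUTE + "192.168.1.48", _ROUTE + "192.168.1.1")
OFF_SUBNET_CONFIG = POSTED_CONFIG.replace(_ROUTE + "192.168.1.48", _ROUTE + "10.9.9.9")


def parse_asa(config):
    """Return ({nameif: IPv4Interface}, [(nameif, "dest mask", next_hop)])."""
    interfaces, routes, nameif = {}, [], None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface":
            nameif = None                      # new block, name not seen yet
        elif tok[0] == "nameif" and len(tok) >= 2:
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"] and nameif and len(tok) >= 4:
            try:                               # skips e.g. "ip address dhcp setroute"
                interfaces[nameif] = ipaddress.IPv4Interface(f"{tok[2]}/{tok[3]}")
            except ValueError:
                pass
        elif tok[0] == "route" and len(tok) >= 5:
            try:
                hop = ipaddress.IPv4Address(tok[4])
            except ValueError:                 # next hop given as a name, not an IP
                continue
            routes.append((tok[1], f"{tok[2]} {tok[3]}", hop))
    return interfaces, routes


def check_static_routes(config):
    """Return [(route, next_hop, code)] for static routes failing a sanity check."""
    interfaces, routes = parse_asa(config)
    findings = []
    for nameif, dest, hop in routes:
        iface = interfaces.get(nameif)
        if iface is None:
            code = "NO_STATIC_INTERFACE_ADDRESS"   # cannot validate the next hop
        elif hop == iface.ip:
            code = "NEXT_HOP_IS_OWN_ADDRESS"       # the case in the thread above
        elif hop not in iface.network:
            code = "NEXT_HOP_OFF_SUBNET"
        elif iface.network.prefixlen < 31 and hop in (
            iface.network.network_address, iface.network.broadcast_address
        ):
            code = "NEXT_HOP_NOT_A_HOST"
        else:
            continue
        findings.append((f"route {nameif} {dest}", str(hop), code))
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG),
                      ("off-subnet", OFF_SUBNET_CONFIG)):
        print(name, check_static_routes(cfg))
```
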
Cisco ASA 5505 Configurations. Help... Beyond Frustrated
Hello All,
I'm fairly new to Cisco products and Network management in general. At my place of employment, I was hired as an IT Tech- Repair and Building computers, most aspects of Physical networking, and software refresh/upgrades as well as solving compatibility issues among a plethora of other things. I've configured APs, a couple Catalyst switches, a router or two, and that is about the breadth of my Cisco knowledge. I was kind of thrown into a project which is to update the current inventory of computers which all run Windows XP Professional. We are making a capital purchase of 20 Laptops and 40 Desktops all of which will run Windows 7. This means the outdated PIX they were using is now useless. I purchased a Cisco ASA 5505 (Version 8.2(1)) because it is compatible with Windows XP and Windows 7. I have spent several days and sleepless nights trying to figure out how to configure this thing. I was hoping to use SSL for the VPN. I did some basic configurations just to get started but like I said, I have no real experience with Adaptive Security Appliances and I am so frustrated right now. I tried using the Wizard to no avail. I did a write erase using CLI and tried to configure that way but I'm doing something wrong as far as I can tell. The configurations were mostly pulled from here, the Cisco Community, and a couple other web sites.
I’m connecting the ASA 5505 to a cable modem (gateway 24.39.245.33) and to our Netvanta for VPN purposes. Here are the commands/what I have configured so far:
hostname AMDASA
domain-name asa.(mydomain).com
enable password (encrypted)
passwd (encrypted)
interface Ethernet0/0
description TWCoutside
switchport access vlan 2
no shutdown
write mem
exit
interface Ethernet0/1
description Port1inside
switchport access vlan 1
no shutdown
write mem
exit
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.250 255.255.255.0
write mem
exit
interface Vlan2
nameif outside
security-level 0
ip address 24.39.245.36 255.255.255.240
write mem
exit
object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
write mem
exit
ftp mode passive
write mem
clock timezone EST -5
clock summer-time EDT recurring
write mem
exit
dns server-group DefaultDNS
domain-name asa.adcmotors.com
write mem
exit
access-list acl_outside extended permit icmp any any object-group DefaultICMP
access-group acl_outside in interface outside
access-list acl_inside extended permit icmp any any object-group DefaultICMP
access-group acl_inside in interface inside
write mem
exit
write mem
That is the extent of the configurations I made via CLI. I don't know how to set the DNS lookup from a static port and I have no idea what else I'm supposed to do after the above configurations I have done. Is there a place to actually obtain ALL of the configurations needed to VPN in? Is there an easier way to make this thing work? I've seriously grown a patch of gray hair because of this device. Please help me if you can!!!!!!
Hi our desperate friend.
First I would suggest using the Cisco VPN client instead of SSL VPN (AnyConnect). The configuration is a bit simpler, and for the SSL VPN you would need to install the client on the ASA and purchase an additional license if you plan to have more than 2 clients. The VPN Client usually comes with the ASA. If you don't have it or don't have access to download it from cisco.com, go to the person from whom you purchased your ASA and ask him how to get it.
That said, I also think that your ASA lacks some basic configuration as of now. If you are planning to use this as a replacement for your current PIX, you would need to configure a default route and some basic NAT:
route outside 0.0.0.0 0.0.0.0 24.39.245.33
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
Now regarding the VPN Client configuration, you would need to do something like this:
Create an isakmp policy:
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
Create a couple of ACLs that we will use later:
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list split_tun standard permit 192.168.0.0 255.255.255.0
Create a Pool for the VPN Clients to use:
ip local pool TestPool 192.168.100.1-192.168.100.20 mask 255.255.255.0
Create a Group Policy:
group-policy TEST internal
group-policy TEST attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tun
Create a group:
tunnel-group TEST type ipsec-ra
tunnel-group TEST general-attributes
 address-pool TestPool
 authentication-server-group ABTVPN
 default-group-policy TEST
tunnel-group TEST ipsec-attributes
 pre-shared-key cisco123
Create crypto map and do a NAT 0:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface outside
nat (inside) 0 access-l nonat
Finally create a user that you will use to connect:
username test password test123
Then you would need to configure your VPN Client to connect with the ASA.
Here is a config Example of VPN clients to the ASA. It uses an external server for the authentication but just skip those parts. For the initial config you might want to keep the authentication local.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml
I hope this helps. Feel free to ask if you have any questions. Also it would be very useful if you could upload the current config (show run) of the ASA in case you need to ask something else.
Have fun.
Raga
-
Cisco Wireless AP configuration as DHCP
I have 10 Cisco 1242 wireless APs in my office. 04 of them will be relocated to a different place where we don't have any DHCP server. I would like to configure those APs as DHCP providers for their associated clients.
It is possible, I know, but I don't know how to accomplish that.
Is there anyone who can answer this? If yes, please let me know from which option, CLI or Web view, I can configure those APs.
Regards,
Sayeed.
Hi,
Here is the link which tells us how to accomplish the task. But make sure: the IP addresses will be leased by the AP in the management IP subnet only. Please check the below doc before implementing.
http://www.cisco.com/en/US/docs/wireless/access_point/12.4_21a_JA1/configuration/guide/scg12421aJA1-chap5-admin.html#wp1090319
Lemme know if this answered your question!!
Regards
Surendra
-
Cisco ISE managing configuration
Is there a built-in mechanism for revision control in Cisco ISE? If not built-in, then what is the other way? I have been trying to look for documentation online but didn't find any.
Just to explain what I am looking for:
A way to properly manage all the configuration changes to ISE node. Changes are usually identified by a number or letter code, termed the "revision number". For example, an initial set of files is "revision 1". When the first change is made, the resulting set is "revision 2", and so on. Each revision is associated with a timestamp and the person making the change. Revisions can be compared, restored, and with some types of files, merged.
I ask this because "show run" output in ISE CLI does not give all the configuration details. How can we maintain the history of configurations?
PS: I rate useful posts
Thanks,
Kashish
There is not a way to track which version a specific ISE configuration is on. The ADE-OS configuration, or CLI configuration, typically is static once the repositories, DNS info, etc. are all set and done. For the application database you can set up a timer where an automatic backup is generated; from there you can manage what dates a backup is good for.
Thanks,
Tarik Admani
*Please rate helpful posts*
-
Cisco ISE log configuration commands entered on routers
Hello,
I am trying to migrate from Cisco ACS to ISE.
I want to log configuration commands entered on routers.
I have configured the routers to send accounting radius to ISE but ISE sees the messages as:
"22003 Missing attribute for authentication
11014 RADIUS packet contains invalid attribute(s)"
Can I configure ISE to receive radius accounting messages ?
Is there another way to configure ISE to log configuration commands ?
Another way would be to send syslog messages using the archive configuration on routers, but I cannot find the syslog messages on ISE.
Regards,
Bogdan
You should post your question on the AAA forum
https://supportforums.cisco.com/community/netpro/security/aaa
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
-
Re: Help on Cisco UC 520 Configuration
Dear All,
I am new to UC 520 Call Manager Express and Cisco Unity Express. I would like help in solving the following problems encountered during the config of the latter:
1. Call Transfer
- When I transfer a call, I need to know if the other person to whom the call will be transferred is available or not,
- if possible i should be able to put the current person on hold and call the other person and see if he is available or not before doing the transfer
- if ever a call is being transferred and the other person is busy or unavailable, the call should be reverted back or forwarded to another number instead of going to voicemail.
2. Configuring phones for call conferencing.
Please note the following details:
Unity Express Version being used: 3.0
Thanks in advance
Hi
1. In order to get transfers working the way you like, ensure you create ephone-dns as 'dual-line' - this allows one call to be on hold whilst a 'transfer' call is made outbound. Also ensure transfer-system full-consult is configured under 'telephony-service' mode. Basically transfers then are two-step - whilst on a call, hit transfer then dial the target extension. If they answer, announce the caller and hit 'transfer' again, or hit 'end call' to go back to the original caller.
2. You can enable three-party conferences by setting 'max-conferences' under telephony-service. It works the same way as transfer; hit 'Confrn' to start whilst on a call, dial another phone, and then when they answer Confrn again to set up the conference.
Regards
Aaron
Please rate helpful posts..
-
Cisco WLC 2125 configuration help
So in a nutshell, from my computer I can ping all VLANs - everything seems to be in working order.
When I telnet to the HP 5406zl core routing switch I can ping all VLANs and other parts of the network.
But when logged into the Cisco Wireless LAN Controller I can't ping the VLAN 108 gateway IP (172.24.156.2) from the neighbour switch or other services on this VLAN;
for example, I can't ping the DHCP on this VLAN from the WLC.
The neighbour switch can ping the IP of the management interface created on the WLC.
WLC can't ping VLAN 108
WLC can ping all other VLAN 102,104,106
Not sure where the problem is ??
Configure Dynamic Interfaces on the WLC for the Guest and Internal Users - DONE
Create WLANs for the Guest and Internal Users - DONE
Configure the 5406zl Layer 2/3 Switch Port that Connects to the WLC as Trunk Port allowing the relevant vlans i.e. management vlan, vlan 102 and Vlan 108 - DONE
Configure the Switch Port that Connects to the AP to VLAN 102 - DONE
configure virtual interface IP 1.1.1.1 - DONE
Configure the Router for the WLANs - DONE
LAP is registered to the WLC - DONE
WLAN and SSID broadcast - OK
Not at present it is not; the port on the 5406zl that the WLC is connected to was set up as a trunk group with all VLANs tagged. When I tried this I lost all connectivity to the WLC. Is there something on the WLC that needs changing also?
-
Cisco Standalone AP configuration
Hi All,
AP 1600 radios are automatically disabled if I configure WEP for Shared authentication. What can be the issue?
See whether your configuration is done correctly. The document below may help you.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080c1e263.shtml
As you know, this is not a good security mechanism & you should not configure it unless the client only supports WEP.
HTH
Rasika
**** Pls rate all useful responses ****
-
Hi All,
I am trying to find the guide on how to configure the SSO for the two supervisor engines. I am trying to recall if secondary IP addresses were required for the secondary supervisor for the SSO to work. Can someone guide me on this?
Hi,
There is no need for any secondary IP address. When one sup fails, the backup sup will take over all the functionality of the primary sup.
Here are the configs:
Make sure you have the exact same IOS on both sups.
Router> enable
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# redundancy
Router(config-red)# mode sso
Router(config-red)# end
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/nsfsso.html#wp1119694
HTH