Cisco WLC and Microsoft NAP

Hi, I want to integrate my Cisco WLC directly into Microsoft NAP. Is this possible?
Thanks

Follow the table at http://www.cisco.com/en/US/docs/security/nac-nap/1.0/release/notes/NACNAPRN.html#wp1134942 for the integration of WLC and Microsoft NAP.

Similar Messages

  • Cisco NAC and Microsoft NAP

    Dear all,
    I need to know what the differences are between Cisco NAC and Microsoft NAP.
    Can NAP be used instead of NAC or not? Why? Why not?

    I really do not know if you will find the answer that you are looking for. From what I remember, NAP was an option that was available with the ACS via a special patch. This is only supported for Vista clients, if memory serves me correctly.
    Here is the link that will help you with the basics.
    http://www.cisco.com/en/US/netsol/ns466/index.html
    We do not get much case volume or exposure to the NAP solution, and with ACS 5.2 and ISE around the corner it might be too late to go through this setup and then run into issues with ACS 4.2 possibly hitting EOL/EOS.
    Thanks,
    Tarik

  • Cisco wlc and steel belted radius

    We have a Cisco WLC controller that has two SSIDs, one for users and one for guests.
    We need the users in SSID 1 to take their user name and password from a user group in Active Directory through Steel Belted RADIUS.
    Please send me any integration guide between Cisco WLC and Steel Belted RADIUS.
    Regards

    Hi Mohammad,
    I am unaware of a specific Steel Belted RADIUS integration guide for the WLCs; however, the configuration process on the controller will be the same:
    Cisco WLC Configuration Guide 7.0 - Configuring RADIUS:
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70sol.html#wp1388328
    You may wish to contact your RADIUS vendor for additional configuration steps on the server.
    Best,
    Drew

  • Mobility between Cisco WLC and Meraki(other vendor)

    Is it possible that users can roam between Cisco WLC and other vendor wireless gear? Meraki keeps saying it is possible.
    They keep saying it is an IEEE feature and everyone should support it, but I do not understand how.

    While theoretically possible with the adoption of CAPWAP, it would require all the manufacturers to follow the specs exactly the same. Kind of like herding cats: not impossible, but highly unlikely. That's just my opinion.

  • Certificate based authentication with Cisco WLC and Juniper IC

    Hi
    I have a Cisco WLC 4400 and a Juniper IC which works as the external RADIUS server.
    I want the wireless clients to be authenticated using certificates. I know the Juniper IC can understand certificates.
    My question is: can the Cisco WLC understand that the information being presented to it by the client is not a username/password but a user certificate?
    I have also looked at this article:
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100590-ldap-eapfast-config.html
    What I don't understand here is the need for the WLC to authenticate the user with his credentials by LDAP when it has authenticated the user cert.
    All your help is appreciated.

    Hi,
    Since you use an external RADIUS server, you don't have to worry about this.
    The only config that you need to do on the WLC is to define the RADIUS server under Security-AAA-Radius-Authentication and on your WLAN-Security-AAA.
    The doc you refer to is only for Local RADIUS on the WLC.
    Hope this helps
    Regards,
    Christos

  • Cisco WLC and Airtight SS-300AT-C-60

    Hello Guys, I have some AirTight APs, SS-300AT-C-60, which are working standalone as WIPS. Those devices can work as APs too, but I was wondering if a Cisco WLC can support them. I mean, is there any way to manage these AirTight devices via CAPWAP using a Cisco controller?

    Why not?  Because AirTight ain't owned by Cisco.  And if they are, Cisco's customer base and AirTight's customer base are two different and distinct group.

  • Cisco VPN and Microsoft Virtual PC (xp mode under Windows 7)

    I've installed XP under my user's Windows 7 64 bit Enterprise. Unfortunately I set up networking for DHCP so that the host and guest (too much VMware :) ) get two different IPs.
    So with Cisco AnyConnect, I can't get the guest (i.e. the Win XP VM) to connect correctly. I want to change networking back to bridged and try that, but for the life of me I can't find where the settings are. I'm thinking that bridged (where I don't have to try the Cisco client in the VM) might work better.
    But I'm in the US,
    my user's in Australia,
    and right now I can't get remote tools to work on the host, and talking this guy through it on the phone is not pleasant.
    Are there instructions somewhere, and where is the full downloadable documentation for this product? I can find it online, but can't find a full downloadable copy.

    Bridged networking is what VMware calls it, and it works basically the
    same as the way you don't like here. The guest will interact with the
    NIC on the host and from the outside it will present a second channel
    with a different MAC address. This channel will acquire an IP address
    of its own from the DHCP server.
    But no matter what you do, the host and guest will NEVER EVER get the
    same IP address!
    Additionally, Cisco VPN by design will shut down ALL other network
    interfaces when it connects the tunnel so the computer running Cisco
    VPN will be effectively disconnected from the local network and
    INSTEAD connected to the remote network. You cannot share this VPN
    tunnel to another local computer and this includes the host.
    Bo Berglund

  • Cisco IPT and Microsoft System Centre Operations Manager

    Hi All
    Has anybody used Cisco IPT with System Centre Operations Manager?
    Does System Centre Operations Manager support Cisco CallManager OS and hardware for monitoring?
    Thanks
    VKS

    Hi David,
    Thanks for your reply. I have gone through the links which you mentioned. In the "Overview of Operations Manager 2007 R2" section of the "What's New & Improved in Operations Manager 2007 R2" document, the points below are clearly mentioned:
    - Delivers monitoring across Windows, Linux and Unix servers, all through a single console.
    - Extend end to end monitoring of distributed applications to any workload running on Windows, Unix and Linux platforms.
    The Cisco servers are also Windows and Linux based.
    Thanks & Regards,
    Vaijanath

  • Cisco WLC and Unsecured WLAN with redirect

    Hi Folks,
    Can someone point me in the right direction here?
    I have a WLS box. I want to create a WLAN which will:
    1.) allow anyone to connect to it without authentication.
    2.) once connected, redirect them to a web server for further instructions.
    Any suggestions greatly appreciated.
    Cheers

    Hi George,
    I have downloaded those files and will have a look now.
    I have a couple of other questions in relation to this.
    When users connect to this SSID and fire up their browser, they are redirected to an https page - https://1.1.1.1/login.html?redirect
    Obviously the end users will receive a warning as they will not trust the certificate. The SAN on the certificate is URL=https://1.1.1.1, IP Address=1.1.1.1
    This 1.1.1.1 address maps to a virtual interface on both controllers that we have.
    Why does it go to this page?
    Also, how do I go about getting a public cert so end users don't get a cert warning? There are obviously DNS issues.
    Cheers

  • Cisco 5505 and Microsoft DirectAccess

    Does anyone have a complete list of what parameters need to be enabled/set on an ASA 5505 so MS DirectAccess is happy?
    I can't be the only one wanting to place a 5505 in front of the DA Server.

    If you are using the ASA to perform NAT, you'll only need to allow inbound TCP 443. If you are routing to the DirectAccess server or have the ASA configured in transparent firewall mode, then you'll need to allow inbound IP protocol 41, and inbound UDP 3544. If your ASA and your DirectAccess clients are on the IPv6 Internet, you will also need to allow inbound IP protocol 50, inbound UDP 500, and all ICMPv6 traffic.
    Richard Hicks - directaccess.richardhicks.com

  • Cisco NAC, Cisco ACS, Microsoft NAP, Anti Virus

    Hi,
    I'm doing a research on the Cisco NAC (without the appliance) concept and I would like to ask the following:
    1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
    2. Forcing Windows PC to download OS patches according to company policy. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Microsoft NAP (Network Access Protection)? Is there a way to do this only with Windows Server (not using NAP)?
    3. Forcing Windows PCs to update Anti Virus software. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Anti Virus server? Is this correct?
    Please, give me some advice.
    Thanks in advance,
    Mladen

    Thanks for the reply, but I am still a bit confused (would you please try to answer the questions?):
    1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
    2. To force update of Windows patches, do I need a NAC appliance (I can only install CSACS)?
    3. To force AV updates, do I need a NAC appliance (I can only install CSACS)?
    I refer to
    "Implementing Network Admission Control Phase One Configuration and Deployment";
    "Network Admission Control Software Configuration Guide - Information About Network Admission Control".
    Thanks in advance,
    Mladen

  • Integrating Microsoft NAP with Cisco ASA

    Hello everyone,
    I'm quite new to the Cisco world. I wonder if and how it is possible to marry Cisco ASA with Microsoft NAP (in Terms of VPN Enforcement). Does anybody know some helpful documents? Is an ACS Server/Appliance necessary?
    Thanks in advance and kind regards

    Hello Jatin,
    thanks for your reply.
    Microsoft states that authentication via PEAP is necessary for NAP to work:
    "One security feature of PEAP is the transmission of Statement of Health (SoH) messages."
    (see http://blogs.msdn.com/b/openspecification/archive/2009/06/05/peap-phase-2-encapsulation-examples-for-a-client-authenticating-with-ms-chapv2.aspx?Redirected=true)
    However, I found this topic which states that PEAP auth. is not possible with the ASA: https://supportforums.cisco.com/thread/2028742
    Is that true?

  • Switch Cisco and Microsoft NPS

    Hi,
    I configured 802.1x with a Cisco switch and Microsoft NPS RADIUS, but the client cannot connect. I debugged RADIUS on the switch and received the attached debug output.
    What's the problem?
    Thanks

    Hi,
    It looks like the switch IP address is 192.168.233.250.
    Please add this nas-ip-address 192.168.233.250 in the condition on the NPS server.
    Also, could you please provide me an error message from the event viewer?
    Attached is the document to configure NPS with cisco devices.
    HTH
    JK
    Plz rate helpful posts-

  • Configure cisco wlc for rsa authentication

    Hi,
    I wanted to find out if it is possible to authenticate wireless networks using RSA. Currently we have a Cisco WLC 2504 and RSA Authentication Manager 7.1.
    Do we require a Cisco ACS device to make this work? Please advise.
    Thanks

    Yes, it is possible. Below is the list of items which you require to configure RSA authentication on the WLC:
    1. RSA Authentication Manager 6.1
    2. RSA Authentication Agent 6.1 for Microsoft Windows
    3. Cisco Secure ACS 4.0(1) Build 27
       Note: The RADIUS server that is included can be used in place of the Cisco ACS. See the RADIUS documentation that was included with the RSA Authentication Manager on how to configure the server.
    4. Cisco WLCs and Lightweight Access Points for Release 4.0 (version 4.0.155.0)
    For more information you can go through this link:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008090399a.shtml

  • Cisco WLC 2500 - 802.1x with Vasco Radius SMS OTP

    Hello folks,
    I have what seems to be a complex implementation with many things that need to be done on a customer's network and I wanted to be pointed in the right direction.
    The current scenario is such: the customer has a Cisco WLC 2500 device that has 3 access points (these are in the same AP group) connected to it. There is one SSID that I will call PRODUCTION here that some domain users use to connect to the local network. The customer has requested to have a GUEST SSID added to the WLC where guest users will connect and receive an SMS OTP for authentication.
    Correct me if I am wrong, but I will obviously need to segment the SSIDs to have them running on different subnets to ensure that guest users do not have access to the production network once they authenticate. In order to do this I will need to configure Dynamic VLAN assignment for the Cisco WLC and connect it to an 802.1x port on the switch.
    Now what is not clear is that I am not interested in authenticating the users that connect via the "Production SSID" and want to bypass authentication for those users and have them assigned to the default VLAN (or maybe perhaps have them authenticate via LDAP on the AD); however, I want to force the "GUEST" SSID users to authenticate so that they may receive an SMS OTP (the reason for this is to force guests to register their phone numbers to use the internet so that illegal activity may be tracked).
    1) So would it be possible to bypass authentication (or authenticate them via LDAP) for the PRODUCTION SSID, as only domain users would know the SSID password to log on, and have them by default assigned to the production subnet (default VLAN), but force the GUEST SSID users to another VLAN via 802.1x SMS OTP?
    2) *Important* Another issue that is not clear is whether I will be able to directly configure AAA RADIUS settings on the Cisco WLC to directly authenticate with the VASCO RADIUS OTP and receive a challenge-response (required for OTP) during authentication. As I have seen from Cisco's Dynamic VLAN assignment documentation (http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml), additional IETF RADIUS parameters such as Tunnel-Private-Group-ID etc. are used, which I can't seem to configure on the Vasco.
    I do believe this is a great project in helping me understand the ins and outs of Cisco WLC as well as wireless NAC. If anyone could enlighten me and point me in the right direction I would be forever in debt. Much appreciated.
    Best Regards
    Sinan Barghouthi - JNCIA-FWV , JNCIA-IDP , CCA-NS , TCSM-8.0

    On your WLAN you can enable AES and TKIP. Just know that some clients may have issues when they see both TKIP and AES. I've had pretty good success with this in the past. Don't forget, you also need to enable WMM allowed to get N rates.
    But you will need to configure AES on the client as well to support N rates.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
