Communicator and dot1x with mab
Hi,
We are running dot1x multi-domain with mab and guest vlan fallback.
But there is an issue with the Cisco communicator.
When it connects it sends a dummy mac address starting with 30ff.
This makes the ports go into err-disable state.
Is there any workaround to solve this?
The users like the functionality of being able to make a call from their Outlook contacts and use the Cisco phone.
BR
/Ola
I believe that you are hitting a bug CSCsa64171
Similar Messages
-
Which SMARTTV (SAMSUNG U46F7000 or SONY BRAVIA W8 46'') has a better communication and functionality with apple devices (i pad- iphone).
Since the above manufacturers do not give me a straight answer and it is very important reason for me to make a choice please advise!
Sorry but I must correct about SONY!!!
The question was for Bravia series W9 and not W8. -
Create community and pages with my application
Hello,
Can I automatically create community and pages with my application?
Where can I find an example to create a Java application to automatically create community, pages and Portel using an XML file that describes the structure? -
When booting up Garage Band I got error message that reads " You have an old emagic midi driver installed this can cause unreliable midi communication and crashes. Yesterday tried installing an older Emagic Logic Version 5.5.1 with a XSKey Updater file. Decided to remove the Logic Driver and with all Emagic files. Garage Band suggests to download a newer emagic midi driver 1.5 from "www.emagic.de" but this site no longer exist. Was trying to get Logic Big Box 5 to run in order to purchase LOGIC EXPRESS V9. Otherwise I have to spend $199 for the complete version. Any help is recommended.
FBSMTWB: Fast Browser Search, Make the Web Better
See these pages and threads about Fast Browser Search (FBSMTWB in the user agent, Help > About).
* http://help.fastbrowsersearch.com/
* http://www.pccybertek.com/2009/05/remove-fast-browser-search
See also:
* https://support.mozilla.com/kb/Websites+or+add-ons+incorrectly+report+incompatible+browser
* http://kb.mozillazine.org/Resetting_your_useragent_string_to_its_compiled-in_default -
Hi, I'm new to the community and I hope I'm not asking something that has been already discussed. I have different iTunes libraries on different hard disks and I would like to merge them in a unique library - maintaining all the metadata - so that I can use this new one with iTunes Match. Could anybody help me?
PowerTunes - http://www.fatcatsoftware.com/powertunes/ (commercial software)
syncOtunes - http://homepage.mac.com/oligrob/syncOtunes/syncOtunes.html
Alison 1231, your question is not identical to the original poster's so perhaps you could start a new topic with the question since the answers will be different and not apply to the OP's post. -
Hi there, I'm new to the iPhone community and please can someone tell me how to back up my phone to iCloud. How do I connect with wi-fi? Must I buy a wi-fi connection or what?
Thank you, kind regards
Do you have a wi-fi network in your home ? If you do then you should be able to connect your phone to it via Settings > Wi-Fi on your phone - that should show any networks that are available, and tapping on the network that you want to use (and typing in its password if it's password protected) should connect the phone to it. If you don't have a wi-fi network then yes, you will need wifi router in your home, which is connected to the internet (e.g. via your phone line) to be able to back up your phone to iCloud.
Connecting to wifi : http://support.apple.com/kb/HT5569 (the screenshots on that page are from iOS 7, but they should be similar on iOS 6)
iCloud backup and storage overview : http://support.apple.com/kb/PH12519
You can also backup your phone to your computer's iTunes : http://support.apple.com/kb/HT1766 -
Hi,
I am expecting that I must use a different user ID to log in to each of 'HP Enterprise Business Community' and 'Consumer Support Forums.'
However, I am logged in to both with the same user id.
Then, how to get to my subscriptions I posted in each forum?
Although I log in to the 'HP Enterprise Business Community' and 'Consumer Support Forums' with the same user name, when clicking on my user name while logged in to 'Consumer Support Forums', I only noticed my posts posted at this forum. However, those posted in HP Enterprise Business Community, I didn't find them. To see them, I must click on my username while logged in to HP Enterprise Business Community.
Could you please confirm this for me?
The Enterprise and Consumer forums are separate communities. Even if you use the same username, you need to go to them separately to view your subscribed threads.
smkranz
I am a volunteer, and not an HP employee.
Palm OS ∙ webOS ∙ Android -
Plawexki wrote:
... do you know if the contacts, photos, messages etc will be wiped?
Yes... Everything will be Wiped and Replaced with what is currently on Your Mac.
SYNCING with iTunes
See here > http://support.apple.com/kb/HT1386
From Here > http://www.apple.com/support/iphone/syncing/
You may find this information of interest...
Have a read here...
https://discussions.apple.com/message/18409815?ac_cid=ha
And See Here...
How to Use Multiple iDevices with One Computer -
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to deploy and configure Cisco Identity Services Engine (ISE) Version 1.2 and to understand the features and enhanced troubleshooting options available in this version, with Cisco expert Craig Hyps.
October 27, 2014 through November 7, 2014.
The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the entire attack continuum. Cisco ISE is a security policy management platform that identifies users and devices using RADIUS, 802.1X, MAB, and Web Authentication methods and automates secure access controls such as ACLs, VLAN assignment, and Security Group Tags (SGTs) to enforce role-based access to networks and network resources. Cisco ISE delivers superior user and device visibility through profiling, posture and mobile device management (MDM) compliance validation, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.
Craig Hyps is a senior Technical Marketing Engineer for Cisco's Security Business Group with over 25 years networking and security experience. Craig is defining Cisco's next generation Identity Services Engine, ISE, and concurrently serves as the Product Owner for ISE Performance and Scale focused on the requirements of the largest ISE deployments.
Previously Craig has held senior positions as a customer Consulting Engineer, Systems Engineer and product trainer. He joined Cisco in 1997 and has extensive experience with Cisco's security portfolio. Craig holds a Bachelor's degree from Dartmouth College and certifications that include CISSP, CCSP, and CCSI.
Remember to use the rating system to let Craig know if you have received an adequate response.
Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.
(Comments are now closed)
1. Without more specifics it is hard to determine actual issue. It may be possible that if configured in same subnet that asymmetric traffic caused connections to fail. A key enhancement in ISE 1.3 is to make sure traffic received on a given interface is sent out same interface.
2. Common use cases for using different interfaces include separation of management traffic from user traffic such as web portal access or to support dedicated profiling interfaces. For example, you may want employees to use a different interface for sponsor portal access. For profiling, you may want to use a specific interface for HTTP SPAN traffic or possibly configure IP Anycast to simplify reception and redundancy of DHCP IP Helper traffic. Another use case is simple NIC redundancy.
a. Management traffic is restricted to eth0, but standalone node will also have PSN persona so above use cases can apply for interfaces eth1-eth3.
b. For dedicated PAN / MnT nodes it usually does not make sense to configure multiple interfaces although ISE 1.3 does add support for SNMP on multiple interfaces if needed to separate out. It may also be possible to support NIC redundancy but I need to do some more testing to verify.
For PSNs, NIC redundancy for RADIUS as well as the other use cases for separate profiling and portal services apply.
Regarding Supplicant Provisioning issue, the flows are the same whether wireless or wired. The same identity stores are supported as well. The key difference is that wireless users are directed to a specific auth method based on WLAN configuration and Cisco wired switches allow multiple auth methods to be supported on same port.
If RADIUS Proxy is required to forward requests to a foreign RADIUS server, then decision must be made based on basic RADIUS attributes or things like NDG. ISE does not terminate the authentication requests and that is handled by foreign server. ISE does support advanced relay functions such as attribute manipulation, but recommend review with requirements with local Cisco or partner security SE if trying to implement provisioning for users authenticated via proxy. Proxy is handled at Authentication Policy level. CWA and Guest Flow is handled in Authorization Policy. If need to authenticate a CWA user via external RADIUS, then need to use RADIUS Token Server, not RADIUS Proxy.
A typical flow for a wired user without 802.1X configured would be to hit default policy for CWA. Based on successful CWA auth, CoA is triggered and user can then match a policy rule based on guest flow and CWA user identity (AD or non-AD) and returned an authorization for NSP.
Regarding AD multi-domain support...
Under ISE 1.2, if need to authenticate users across different forests or domains, then mutual trusts must exist, or you can use multiple LDAP server definitions if the EAP protocol supports LDAP. RADIUS Proxy is another option to have some users authenticated to different AD domains via foreign RADIUS server.
Under ISE 1.3, we have completely re-architected our AD connector and support multiple AD Forests and Domains with or without mutual trusts.
When you mention the use of RADIUS proxy, it is not clear whether you are referring to ISE as the proxy or another RADIUS server proxying to ISE. If you had multiple ISE deployments, then a separate RADIUS Server like ACS could proxy requests to different ISE 1.2 deployments, each with their own separate AD domain connection. If ISE is the proxy, then you could have some requests being authenticated against locally joined AD domain while others are sent to a foreign RADIUS server which may have one or more AD domain connections.
In summary, if the key requirement is ability to join multiple AD domains without mutual trust, then very likely ISE 1.3 is the solution. Your configuration seems to be a bit involved and I do not want to provide design guidance on a paper napkin, so recommend consult with local ATP Security SE to review overall requirements, topology, AD structure, and RADIUS servers that require integration.
Regards,
Craig -
ISE first authorization sucess and then fail (MAB)
Hi,
Using ISE 1.1.1 and Switch 3650 12.2(55)SE6.
I have a client (computer) that should be authenticated with MAB and then the switch port should be assigned a DACL and VLAN 90. I do get "Authorization succeeded" but directly after it fails and I can't figure out why. ISE only shows the successful authentication under "Live Authentications".
As you can see from the log below 802.1x fails, as it should, and then MAB succeeds, assigns the VLAN and then fails:
0002SWC002(config)#int fa0/13
0002SWC002(config-if)#shut
0002SWC002(config-if)#
Jan 7 13:26:59.640: %LINK-5-CHANGED: Interface FastEthernet0/13, changed state to administratively down
Jan 7 13:27:00.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to down
0002SWC002(config-if)#no shut
0002SWC002(config-if)#
Jan 7 13:27:19.689: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down
Jan 7 13:27:22.063: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
Jan 7 13:27:22.776: %AUTHMGR-5-START: Starting 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:23.070: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to up
Jan 7 13:27:51.054: %DOT1X-5-FAIL: Authentication failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID
Jan 7 13:27:51.054: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.054: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.054: %AUTHMGR-5-START: Starting 'mab' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.088: %MAB-5-SUCCESS: Authentication successful for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.088: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.088: %AUTHMGR-5-VLANASSIGN: VLAN 90 assigned to Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.096: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT APPLY
Jan 7 13:27:51.096: %EPM-6-IPEVENT: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT IP-WAIT
Jan 7 13:27:51.255: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:52.027: %EPM-6-IPEVENT: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
Replacing duplicate ACE entry for host 10.90.5.1
Jan 7 13:27:52.036: %AUTHMGR-5-FAIL: Authorization failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:52.036: %EPM-6-POLICY_REQ: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT REMOVE
After this the process starts over again.
This is the switch port config:
interface FastEthernet0/13
description VoIP/Data
switchport mode access
switchport voice vlan 20
switchport port-security
switchport port-security violation restrict
ip access-group ACL-ALLOW in
srr-queue bandwidth share 1 70 25 5
srr-queue bandwidth shape 3 0 0 0
priority-queue out
authentication event fail action next-method
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
snmp trap mac-notification change added
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 2.00 1.00
storm-control multicast level 2.00 1.00
storm-control action shutdown
storm-control action trap
spanning-tree portfast
service-policy input ax-qos_butnet
ip dhcp snooping limit rate 5
end
Is there a problem with the client (computer) or in ISE/Switch?
Hi Tarik,
First off; thank you for helping me troubleshoot this problem.
I think the "IP-" part of "IP-ACL-IWMAC" is being added automatically (in the switch maybe?). I see this behaviour on other dACL too. I did not change the name of the ACL.
You seem to have a valid theory about the icmp statement. I changed it to "permit icmp any any" and it seems to work. But I can't explain why this is happening.
When I look at the debugs I see this difference
With the original ACL I get this:
%EPM-6-POLICY_REQ: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000053E70733F4| AUTHTYPE DOT1X| EVENT APPLY
Replacing duplicate ACE entry for host 10.90.5.1
%EPM-6-IPEVENT: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000053E70733F4| AUTHTYPE DOT1X| EVENT IP-RELEASE
%EPM-6-IPEVENT: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000053E70733F4| AUTHTYPE DOT1X| EVENT IP-WAIT
%AUTHMGR-5-FAIL: Authorization failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000053E70733F4
When using "permit icmp any any" I get this:
%EPM-6-POLICY_REQ: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000055E70B8E7D| AUTHTYPE DOT1X| EVENT APPLY
%EPM-6-AAA: POLICY xACSACLx-IP-ACL-IWMAC-50eea905| EVENT DOWNLOAD-REQUEST
I tried googling but can't find what "Replacing duplicate ACE entry for host xxx" means.
I have added debugs in attachment.
device1_orig_acl - the non-working device with original ACL
device1_any_any - the non-working device with permit icmp any any
working_device_orig_acl - the device that works with the original ACL
Do you have an answer to why this is happening?
Regards,
Philip -
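
The success-then-fail loop shown in the switch logs of this thread can be detected mechanically. The following is an added example, not part of the original posts: it rejoins terminal-wrapped syslog lines, correlates %AUTHMGR-5-SUCCESS and %AUTHMGR-5-FAIL by AuditSessionID, and reports sessions whose authorization fails within a few seconds of succeeding. The function names, the 5-second window and the 24-hex-digit session ID length (taken from the logs on this page) are assumptions.

```python
import re
from collections import namedtuple
from datetime import datetime

# First four records are copied from the log in the thread (with its line
# wrapping); the last record (Fa0/14) is constructed for contrast.
SAMPLE = """\
Jan 7 13:27:51.054: %AUTHMGR-5-START: Starting 'mab' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC0000002
0D7C192D1
Jan 7 13:27:51.088: %MAB-5-SUCCESS: Authentication successful for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005
FC00000020D7C192D1
Jan 7 13:27:51.255: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A00
05FC00000020D7C192D1
Jan 7 13:27:52.036: %AUTHMGR-5-FAIL: Authorization failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00
000020D7C192D1
Jan 7 13:28:10.500: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.4455) on Interface Fa0/14 AuditSessionID 0A0005FC00000021D7C1A000
"""

# A new syslog record starts with "Mon D HH:MM:SS.mmm: %"
RECORD_START = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\.\d+: %")
AUTHZ = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\.\d+): "
    r"%AUTHMGR-5-(?P<result>SUCCESS|FAIL): Authorization \w+ "
    r"for client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+) "
    r"AuditSessionID (?P<sid>[0-9A-F]{24})"  # assumption: 24 hex digits
)
Flap = namedtuple("Flap", "mac interface session seconds")


def unwrap(text):
    """Rejoin records that the terminal wrapped mid-token."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if RECORD_START.match(line) or not records:
            records.append(line.rstrip())
        else:
            # Wraps in these logs fall inside a token, so join without a space.
            records[-1] += line.strip()
    return records


def find_flaps(text, window=5.0):
    """Return sessions authorized and then failed within `window` seconds."""
    last_ok, flaps = {}, []
    for rec in unwrap(text):
        m = AUTHZ.match(rec)
        if not m:
            continue
        # Syslog timestamps carry no year; a placeholder year keeps deltas valid.
        when = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
        if m["result"] == "SUCCESS":
            last_ok[m["sid"]] = when
        elif m["sid"] in last_ok:
            delta = (when - last_ok.pop(m["sid"])).total_seconds()
            if 0 <= delta <= window:
                flaps.append(Flap(m["mac"], m["intf"], m["sid"], delta))
    return flaps


if __name__ == "__main__":
    for flap in find_flaps(SAMPLE):
        print(f"{flap.interface} {flap.mac} session {flap.session}: "
              f"authorization failed {flap.seconds:.3f}s after success")
```
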
Macs joined to AD Domain, and 802.1x/mab authentication problems
Hello, I've got a situation where I have a small handful of Mac Pros running OS 10.6 that are having some trouble with wired 802.1x/MAB (MAC Authentication Bypass) on our Cisco switches. We have our Macs set up so that they authenticate to our Windows domain for user login, plus, we have 802.1x authentication (for our Windows clients) and MAB bypass for our Macs, printers, and assorted other equipment. Problem seems to be, the Mac boots up before the switch goes into MAB bypass and won't let the user log in to the network. Has anyone run across this problem before and found a solution?
hello,
in my organization we have multiple 3560/2960 series switches and some 4500 with MAB.
the interfaces have the following config:
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication timer restart 120
authentication timer reauthenticate server
authentication timer inactivity 600
mab
dot1x pae authenticator
Good luck -
4500 Series Switches and 802.1x MAB
My organization has multiple 4500 series switches experiencing the same problem when attempting to authenticate devices via MAB. The issue is that the "show mab interface fax/x details" shows the Client MAC in a waiting status. The device is never sending the switch its MAC in order to proceed with MAB authentication, so of course the port never forwards traffic. However, if we remove authentication port-control auto the port starts forwarding and the device gains connectivity. Below is the interface configuration command and the MAB details. The IOS version of this current switch is 15.0(2)SG8. Are we missing something special for a 4500 as far as configuration is concerned?
interface FastEthernet8/16
description USER
switchport access vlan 600
switchport mode access
switchport nonegotiate
duplex full
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
mab
dot1x pae authenticator
dot1x timeout tx-period 5
end
SWITCH-4510R#sh mab interface fa8/16 details
MAB details for FastEthernet8/16
Mac-Auth-Bypass = Enabled
MAB Client List
Client MAC = Waiting
Session ID = 841AF6D100002931AF99B827
MAB SM state = ACQUIRING
Auth Status = UNAUTHORIZED
hello,
in my organization we have multiple 3560/2960 series switches and some 4500 with MAB.
the interfaces have the following config:
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication timer restart 120
authentication timer reauthenticate server
authentication timer inactivity 600
mab
dot1x pae authenticator
Good luck -
How do I use Qt and OpenGL with Visual Studio
Hi! I mainly want to program in C++ and I want to use Qt and OpenGL with Visual Studio.
I am currently revising C++ and later on i am going to start reading Qt and OpenGL. I have a background of
Embedded firmware design(C and Assembly).
The Visual Studio Version I have is 2013 ultimate. How do I use Qt and OpenGL with Visual Studio?
Thanks
Alexandros
Hi ClassicalGuitar,
The forum supports VS setup and installation. And your issue is not about the forum. I will move the thread to off-topic forum. Thanks for your understanding.
Regards,
-
I have several old email addresses and accounts with itunes where the email is no longer working, and i have forgotten my password, how do i activate the songs
Welcome to the Apple Community.
The following article(s) may help you.
Look up your old and forgotten Apple ID -
How do I share iTunes library, and movies with a different user on the same computer?
How do I share Itunes and movies with a different user on the same computer?
https://discussions.apple.com/community/itunes