Dynamic vlan on ISR 8xx and other platforms...

Hi,
Whether 8xx and ISR platforms can support the dynamic vlan?.SOHO ISRs got the integrated wireless service feature. Anyone has the feature matrix?. Because, We want to implement dynamic host based access for the SOHO users using ISE.
thanks,
Ramesh

Hi,
Are you talking about the dynamic vlan assignment to the users authenticating against the ISE?
If yes , then that can be done.
Regards
Dhiresh

Similar Messages

  • Dynamic VLAN assignment with WLC and ACS for

    Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
    dot11 vlan-name STUDENT vlan 2903
    dot11 vlan-name FACSTAF vlan 2905
    As we are working on our WiSM deployment, we see that the document below shows how to do the dynamic VLAN assignment on our WLAN controllers:
    http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
    However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
    With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
    Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?

    We only have the one WiSM for all of campus, so it's handling everything. This Cisco docs do indicate how to put differnet users in different Vlans, but we don't currently see a way to also put them in different subnets per building.
    This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than Class C, or is there a more elegant way of handling this?

  • Dynamic vlan assignment with 1242AG and IAS not working

                       I'm having trouble getting the dynamic vlan assignment to work on my 1242AG Cisco Aironet APs. I've seen multiple cases with a similar setup and configuration where it works just fine.  I've tried everything I can think of.  Any suggestions?
    IAS and AD is running on Windows Server 2003
    Everything works fine except the vlan assignment.  Wireless clients successfully authenticate through IAS and Active Directory, but instead of being switched to the appropriate vlan the client stays in whichever vlan/ssid it originally connected to.
    PEAP is the authentication method, using MS-CHAP v2.  Naturally I have the attributes in the policy set appropriately, ie:
    Tunnel-Medium-Type > 802
    Tunnel-Pvt-Group-ID > vlanid
    Tunnel-Type > VLAN
    On the AP:
    Cisco 1242AG, C1240 Software (C1240-K9W7-M), Version 12.4(3g)JA, RELEASE SOFTWARE (fc2)
    I've attached the config for the AP, which shows that I have two vlans/SSIDs set to cipher, aes, network eap, wpa, etc. I noticed that if the
    Tunnel-Pvt-Group-ID attribute is set to a vlan id that doesn't exist on the AP then the AP makes an event log saying so.

    Good! Well to answer your questions, IAS is sending numbers, i.e. Tunnel-Pvt-Group-ID > 129
    I did view the debug from an AP which showed the Tunnel attributes being recieved from the radius server (I'll have to wait until Monday to get a copy though).
    I see I don't have that line "aaa authorization network default group rad_eap",
    So I'll have give it a try, (maybe I can remote in so I don't have to wait until Monday).
    Thanks,
    Jason

  • WHY SUCH AN INJUSTICE THAT BBM CANNOT BE USED ON MY CURVE 9300 OVER NORMAL DATA SERVICE AND OTHER PLATFORMS CAN USE!

    Hello,
    I am using Blackberry Curve 9300. I purchased this phone for Rs. 17,250 before some 3 years, I considered RIM to be a Company providing premium services which is unique in itself and which worth spending on them and the most important thing is those are not available to non-blackberry users! Especially in case of Blackberry Messenger, which is such a service connecting all the blackberry users around the world, making a mark of precious symbol of the users of BBM.
     Before few days I came to know about BBM being available on Android and Windows phones, my question is why this injustice with your own customers, you provide the app which they will use with their normal data plan and we people who are your real customers, who trusted in you have to spend not less than Rs.129 for just BBM!I must say RIM is the most back-stabbing company I have had ever dealt with! People are laughing at us as they are using the same service for almost free and we have to spend a huge sum for availing the same service, my question is are these non blackberry people your customers or we people who contributed in your success with hopes of trust?
    My question is not why you made available BBM usage to non-blackberry users with such flexibility but my question is why can't you be loyal to your own customers?
    I hope that RIM would have a pleasing justification.

    Thanks with the signature but I already removed it from my profile too.
    I was never under a rock when it comes to technology I know that in India before few months yoru Blackberry Z10 was Rs.44,000 and now it is Rs.21,000. I understand the ploy of making BBM cross platform to generate revenue, first in a technical sense and another by creating it advrtisement in the marker.
    Do you think that taking an undue advantage of our loyaty and enduring the mockery of your own customer would take you anywhere? Don't you think that abusing your own customer's prestige would even affect you negatively? While your customer is paying Rs.129 for just BBM the Android person sitting next to him is lauging at him for he paid you and call him fool! Profits doesn't starts only by making huge business decisions but from the loyal and satisfied customers. You may always find customers all around always complaining but deep down if you have touched their needs they will bless you with good words at your back, maybe in such a way that you will never come to kow but it will grow you more. I am not here to deliver you a marketing lecture as i am in corporate law field but let me tell you what I read during my graduation, it said something like one disatisfied customer can discourage ten potential customers from buying your product and I have started feeling the same in case of online shopping but I do not know when the company giant blackberry would come to know! 
    When you said about expanding customer base, think about a company who is expanding its base of customers by disatisfing their current customers who always took pride in you by providing them services at harsh terms and in front of their eyes others are getting benefits at a very low cost.
    Our family business is textile manufacturing, not as big as blackberry but we always knew that if we will start selling our goods by describing them as really premium goods and start charging out of lips and bounds, of course my product could be premium worth the price but one thing I could be missing would be a point of finance, there could be cheaper alternatives in market which could be selling at lower price which same usage. My concern is just to keep our eyes open.
    Now consider a phone on which I can use Whatsapp which satisfies my messaging needs, gtalk and yahoo messengers for my im needs, push mails for emails, browsing and downloading for just Rs.99 and on the other hand Blackberry services for Rs.389, it is indeed clear the reason of downfall, though it is labelled as premium service and indeed it could be, permium service as I said earlier.
    When you feel that your boat is sinking, you do not have only have to pull out the waters but on the priority basis you have to cover the hole too! Blackberry is just pulling out the water leaving the hole as it is!
    If you say that legacy mode in BBOS could bother you  from providing BBM for BB device, you know that it cannot be and even I know that, any technical person can know that as it is a little secret that I can use BB browser without BIS and many other apps are example of the same (to be a bit informal). See, I never asked this thing from last three years but now when you are making it cross platform why not to give a little benefits to those who paid you till now, if you can give it to those who are nothign to you?
    My question is that why can't you provide BBM to be used on the normal data paln for your own old and loyal customers who paid you such a handsome amount from many years for your services as how you provide on other platform, just for BBM not email and rest of your services?

  • How to publish ebook to iBookstore and other platform?

    Hi everyone,
    I new to publishing, I wanted to publish a book about origami paper monster and i think everyone will love it!
    But I live in Malaysia, what do i needed to getting started?
    What i know for now is ISBN, and tax, but i not sure about tax, because ibook require U.S tax not malaysia, which is confusing, and i just 19 year old, don't have any related to tax yet, how to I sign up? I ONLY WANT TO PUBLISH A BOOK, do i need to sign up tax too?
    Do u recommend me to buy an ISBN? or using a aggentor?(I want to self publish to reduce the cost and increase my royalty, all design n work will be done by myself)
    Also, this origami book will be more image than word, so what format should i use?If i use ePub will thing mess around? And does all platform only accept ePub?
    About software, should I use Pages only? or any other suggestion?
    Thanks everyone for helping me!!!!!

    Hi Tom, thanks for the correction,
    I tried to create a sample in pages byr put some random pictures and word inside but after export it as ePub format, everything messed and not look like  it should be,  so I searched google and a website mentioned you should finalize your ebook with sigil software, should I follow to correct my ebook or it was me doing something wrong?
    And can I prevent user to zoom the ebook because I had check some ePub book if you zoom in,all words and picture will bigger but they will not in the location of the book it should be
    -And how about taxes? Should I worry? Do iBook store kindle google play all require you to fill up the info?
    -do I need ISBN if I only publish one book and just want to make some money from it but not a business? Cheapest Price?
    -If you don't know my conditions,here is it:
    I want to self publish an ebook to teach origami, I will publish only one book only but if it success maybe two or three(this is only one of my small dream ,so I will not do it as my live job, just want to make this book to fulfill my small dream and get the money to continue to complete my big dream!), this book will be more image than word, and I want to publish it at major ebook store(iBook, kindle,google play), I want to make the book same in every ebook store with same ISBN
    Thanks for helping!

  • HREAP and Dynamic VLAN assignment (MS NPS)

    Hi All
    Just a quick rundown of what I am trying to achieve.
    We have a Cisco 5508 WLC (running AIR-CT5500-K9-7-0-116-0.aes). At the moment the WLC is controlling only 1 AP (Cisco 1142N LWAP). I want this AP to be placed at a remote site, and users that authenticate via the RADIUS (MS Windows 2008 NPS) server must be assigned their respective VLANs based on the Active Directory groups they belong to (staff, student, or guest).
    The AP and dynamic VLAN assignment works 100% if the AP is in local mode. Authentication works, and dynamic VLAN assignment works. As soon as you change the AP to HREAP mode, dynamic VLAN assignment stops working, and the client gets assigned an IP of whatever VLAN is assigned to the SSID under the HREAP tab. Allow AAA Override is enabled on the main SSID that I am broadcasting.
    I have read in some of the discussions that HREAP does not support dynamic VLAN assignment, but I haven't seen why this is not supported. Is this true with the latest version of WLC software as well? I cannot see why local traffic destined for a local resource must be sent via a WAN link to the controller, and then back over the WAN link again. This seems very inefficient.
    Is there anybody that can confirm if this is in fact an HREAP limitation, and why (if so) it is a limitation, please? Any info would be much appreciated.
    Regards
    Connie

    Do you perhaps know if there are plans for this limitation being addressed in the near future?
    We are looking to deploy wireless from end-to-end in all 6 of our sites, and you biggest competitor was penalized because they do not support this feature. It seems we're going to have to apply the same penalty in this respect to Cisco as well.
    Thanks for the feedback, though!
    Regards
    Connie

  • Linux v/s Other Platforms

    Where can I found information about benchmarks between linux and other platforms. I need to justify because We could be select this option (Linux) and not other.

    Benchmark for Linux available at :
    http://www.oracle.com/apps_benchmark/html/index.html?0224A_Report1.html
    You can drill up/down to other benchmarks from this site.
    Check this presentation for more info : http://www.oracle.com/pls/oow/oow_user.download?p_event_id=16&p_file=P45305.ppt

  • SG300-28 Firmware 1.1.2.0 and 1.2.7.76 - Dynamic VLAN+freeRADIUS - Client get rejected

    Hello ladies and gentlemen,
    I am using several SG300-28 Switches with firmware version 1.1.2.0.
    I have dynamic VLAN enabled. As RADIUS server I am using freeradius 2.1.12.
    Authentication is only based on the MAC address. (I configured that on the switches)
    On the switches I created three VLANs. VLAN100 for the authenticated clients, VLAN200 for Management interface and VLAN300 as Guest VLAN. After a wrong authentication the clients should be put into this Guest VLAN immediately (I configured this on the switches).
    I am using Windows XP and Windows 7 clients in my network. I did not configure any EAP settings because I just wnat to use the MAC address.
    In most cases the dynamic VLAN assignment and authentication is working fine. The switch log says that the client is authenticated and the same I can see on freeradius log. But in some (rare) cases the client is rejected. The CISCO log says "MAC aa:bb:cc:dd:ee:ff was rejected on port ge17" but when I look at the freeradius log then this MAC address was successfully authorized.
    The problem is that the client gets an IP address based on the Guest VLAN300 but after that the switch seems to "switch" the VLAN on the port and then the client is authenticated correctly on the right VLAN but the client does not request a new IP on the new VLAN.
    If I unplug and re-plug the LAN cable in most cases the client get the correct VLAN and the correct IP.
    This is happening randomly on nearly all my PCs.
    I would really appreciate your help. Do I have to set some timers higher ? I don't think it is a problem between switch and RADIUS but a problem between communication of the host and the switch.
    Thank you very much for your help!
    Regrads
    Alexander Wilke

    This is from my CISCO log. The computer is always online but there are repeatingly rejects and then with a delay of some minutes an accept.
    2147483395
    2012-Aug-09 21:40:05
    Informational
    %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
    2147483396
    2012-Aug-09 21:38:23
    Warning
    %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
    2147483397
    2012-Aug-09 21:38:23
    Warning
    %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized       
    2147483398
    2012-Aug-09 21:16:05
    Informational
    %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
    2147483399
    2012-Aug-09 21:13:42
    Warning
    %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
    2147483400
    2012-Aug-09 21:13:42
    Warning
    %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized       
    2147483401
    2012-Aug-09 21:04:04
    Informational
    %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
    2147483402
    2012-Aug-09 21:03:50
    Warning
    %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
    2147483403
    2012-Aug-09 21:03:50
    Warning
    %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized       
    2147483404
    2012-Aug-09 20:52:02
    Informational
    %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
    2147483405
    2012-Aug-09 20:49:02
    Warning
    %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
    2147483406
    2012-Aug-09 20:49:02
    Warning
    %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized       
    2147483407
    2012-Aug-09 20:40:04
    Informational
    %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
    2147483408
    2012-Aug-09 20:39:10
    Warning
    %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
    2147483409
    2012-Aug-09 20:39:10
    Warning
    %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized       
    2147483410
    2012-Aug-09 20:16:06
    Informational
    %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
    2147483411
    2012-Aug-09 20:14:29
    Warning
    %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
    2147483412
    2012-Aug-09 20:14:29
    Warning
    %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized       
    2147483413
    2012-Aug-09 19:28:01
    Informational
    %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
    2147483414
    2012-Aug-09 19:25:08
    Warning
    %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
    2147483415
    2012-Aug-09 19:25:08
    Warning
    %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized       
    2147483416
    2012-Aug-09 19:15:59
    Informational
    %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
    2147483417
    2012-Aug-09 19:15:16
    Warning
    %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
    2147483418
    2012-Aug-09 19:15:16
    Warning
    %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized       
    2147483419
    2012-Aug-09 19:04:00
    Informational
    %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
    2147483420
    2012-Aug-09 19:00:27
    Warning
    %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
    2147483421
    2012-Aug-09 19:00:27
    Warning
    %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized       
    2147483422
    2012-Aug-09 18:27:59
    Informational
    %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
    2147483423
    2012-Aug-09 18:25:55
    Warning
    %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
    2147483424
    2012-Aug-09 18:25:55
    Warning
    %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized    
    Any ideas ?

  • FlexConnect, EAP-TLS and dynamic VLAN assignments

    I need to integrate Cisco ISE and WLC5508 with FlexConnect (local switching) using EAP-TLS security for wireless clients across multiple floors (dynamic VLAN assignments based on floor level). The AP model used is 3602.
    I have some questions:
    - What RADIUS Attribute can be used for dynamic VLAN assignments based on floor level? Is there an option where I can group all LWAPs in same floor for getting certain VLAN from ISE?
    - I intend to use WLC software version 7.2 since 7.3 is latest version. Has someone use WLC software version 7.3 without any major bugs/issues pertaining to FlexConnect and EAP-TLS?
    - I read some documents saying L3 roaminig is where the associated WLC has changed. However if user move to different subnet but still associated to the same WLC, would this be consider as L3 roaming too?
    Can someone assist to clear my confusion here? any reference url for layer 2 and layer 3 roaming details is appreciated. Thanks

    I'll give this a shot:)
    For radius vlan attributes, bothe ACS and ISE in the policies have the ability to just enter the vlan id in the profile. You can either do that or use the IETF attributes.
    The RADIUS attributes to configure for VLAN assignment are IETF RADIUS attributes 64, 65, and 81, which control VLAN assignment of users and groups. See RFC 2868 for more information.
    64 (Tunnel-Type) should be set to VLAN (Integer = 13)
    65 (Tunnel-Medium-Type) should be set to 802 (Integer = 6)
    81 (Tunnel-Private-Group-ID) should be set to the VLAN number. This can also be set to VLAN name if using a Cisco IOS device (excludes Aironet and Wireless Controllers however).
    You can find this by searching on Google.... A lot of examples out there
    v7.2 and v7.3 I have had no issues with, with any type of encryption used. With 7.0 and 7.2, I would use the latest due to the Windows 8 fix.
    Layer 3 roaming is what's going to happen if the AP's are in local mode. This means that the client will keep their IP address no matter what ap they are connected to and or WLC as long as the mobility group is the same. So a user who boots up in floor 1 will keep its IP address even if he or she roams to the 12th floor and as long as he or she didn't loose wireless connection.
    FlexConnect you can do that. The AP's are trunked and need to have the vlans. So what your trying to do will be disruptive to clients. When the roam to another floor ap that is FlexConnect locally switched, they will drop and have to re-associate in order to get a new IP address.
    Hope this helps.
    Sent from Cisco Technical Support iPhone App

  • Dynamic VLAN assignment and DHCP

    Hello
    I have just upgraded our WLC from 4.0 to 7.0 (via 4.2).
    Before the upgrade we had our ACS returning a VLAN based on user group.  This seemed to be working without an issue.  Now that the WLC is on version 7 this is no longer working correctly.  The ACS is returning a VLAN and passing the user but the client can not get an IP from the DHCP server configured.
    Example configuration:
    SSID-----VLAN
    PN-CSC-----CSCVlan: Works
    PN-Others------OthersVlan: Works
    PN-Others-----CSCVlan: No DHCP
    When users are trying to be allocated to a vlan that is different from the native one the DHCP fails however both WLANs are configured to point to the management interface so dont have any real connection to the vlan other than by name.
    Have there been any changes I haven't seen in the way the dynamic vlan allocation works in version 7?

    Yes, DHCP proxy could be the culprit here.  In 4.0 it was only a CLI command to enable/disable the proxy feature.  In 5.2, I think, and later it is in the GUI
    as well.
       There is a defect filed against the behavior of the WLC DHCP funtion out there currently.  If all of your DHCP is coming from external resources than you can disable proxy.  If, however, you are using the WLC as DHCP server for guest access, then proxy must be enabled.  If the later is true, you should contact TAC, as there is an engineering special available that has the defect resolution.
    Sorry I can't provide the defect ID, my CCO account is acting up.
    Cheers,
    Steve
    If  this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • RDP with 802.1x, machine and user auth and dynamic VLAN

    Hi,
    we have 802.1x implemented with machine and user auth. We also use dynamic VLAN assignment. Our client is AnyConnect 3.1. Operating system is Windows 7. With Windows XP, it works just fine.
    When we try to connect to the 802.1x auth desktop with RDP (desktop is machine authenticated, no user is logged in), we are able to authenticate but as soon as VLAN and IP address changes according to user authentication profile, RDP session is terminated. It is not just disconnected but remote user is logged out and AnyConnect reverts 802.1x session back to machine VLAN. We cannot login with RDP and just loop between machine-user-machine authentication.
    With this behavior the TermDD message (ID 56) can be seen in system log. Following the response 
    http://social.technet.microsoft.com/Forums/windows/en-US/b7814ec3-6a49-469c-8773-909c50415942/the-rdp-protocol-component-x224-detected-an-error-in-the-protocol-stream-and-has-disconnected-the
    , I was able to get rid of TermDD message but I still loop in machine-user-machine authentication.
    The following is TermDD message:
    +
    System
    Provider
    [  Name]
    TermDD
    EventID
    56
    [  Qualifiers]
    49162
    Level
    2
    Task
    0
    Keywords
    0x80000000000000
    TimeCreated
    [  SystemTime]
    2013-06-10T09:25:28.515308700Z
    EventRecordID
    26643
    Channel
    System
    Computer
    XTCSSPWA03.cen.csint.cz
    Security
    EventData
    \Device\Termdd
    10.190.64.208
    0000040002002C000000000038000AC00000000038000AC000000000000000000000000000000000410200D0
    Binary data:
    In Words
    0000: 00040000 002C0002 00000000 C00A0038 
    0008: 00000000 C00A0038 00000000 00000000
    0010: 00000000 00000000  D0000241
    In Bytes
    0000: 00 00 04 00 02 00 2C 00    ......,.
    0008: 00 00 00 00 38 00 0A C0   ....8..À
    0010: 00 00 00 00 38 00  0A C0   ....8..À
    0018: 00 00 00 00 00 00 00 00   ........
    0020: 00 00 00  00 00 00 00 00   ........
    0028: 41 02 00 D0               A..Ð
    Also AnyConnect shows that upon successful authentication and DHCP operation, it catches some exception and reverts back from user to machine VLAN:
    3876: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-6-INFO_MSG: %[tid=1436][mac=1,6,d4:85:64:b8:43:61]: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: Authentication Success
    3877: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} canceling existing DHCP work
    3878: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: ipv4: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} stop
    3879: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: CDI_8023_FRAME_IO_ECHO, ifIndex(1), pData(0x0103FA38), dataLen(0) (cimdIo.cpp 2156)
    3880: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: echo (cimdIo.cpp 2270)
    3881: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} creating a new DHCP work
    3882: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1448]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: executing: CancelCmd [state: COMPLETE]
    3883: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-6-INFO_MSG: %[tid=1436][mac=1,6,d4:85:64:b8:43:61]: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: DHCP: Sending DHCP request
    3884: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: queueing DHCP work
    3885: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: ipv4: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} start
    3886: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: CDI_8023_FRAME_IO_ECHO, ifIndex(1), pData(0x0103FA3C), dataLen(2) (cimdIo.cpp 2156)
    3887: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3)  data follows ... (cimdIo.cpp 2159)
    3888: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3)      08 06                                                .. (cimdIo.cpp 2159)
    3889: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: echo (cimdIo.cpp 2270)
    3890: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3)  pEthTypes data follows ... (cimdIo.cpp 2273)
    3891: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3)      06 08                                                .. (cimdIo.cpp 2273)
    3892: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv6 Connect {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} starting
    3893: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1448]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: executing: StartCmd [state: COMPLETE]
    3894: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (0) S_ndisIoControl: returning cached xmitLinkSpeed: 100000000 bps (cimdIo.cpp 3558)
    3895: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (0) NDIS OID: ifIndex=1 GET OID_GEN_LINK_SPEED(0x10107) datalen=4, cbRW=4 cbNeeded=0 acErr=0 winErr=0 (cimdIo.cpp 3686)
    3898: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Network CS-wired-pass: AccessStateMachine current state = ACCESS_CONNECTED, received adapterState = authenticated
    3899: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Network CS-wired-pass: port authentication succeeded
    3900: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Network CS-wired-pass: AccessStateMachine new state = ACCESS_CONNECTED
    3901: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: received Cancel event [state: COMPLETE]
    3902: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: state: COMPLETE -> INIT
    3903: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: received Get-Connectivity event [state: INIT]
    3904: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: state: INIT -> WAIT_FOR_CONNECTIVITY
    3905: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 Connectivity Result: IN_PROGRESS
    3906: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1448]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: executing: GetConnectiviyCmd [state: WAIT_FOR_CONNECTIVITY]
    3907: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv6 Connectivity Result: FAILURE
    3908: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: received Check-Connectivity event [state: WAIT_FOR_CONNECTIVITY]
    3909: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: (initial) ipCfg: IP:10.190.95.74(255.255.255.248) GW:10.190.64.1
    3910: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1448]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: executing: TestConnectivityCmd [state: WAIT_FOR_CONNECTIVITY]
    3911: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: API (3) event: complete (portWorkList.c 130)
    80: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAMSSO-7-DEBUG_MSG: %[tid=1524]: Tx CP Msg: <?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ssc="http://www.cisco.com/ssc" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <SOAP-ENV:Body>  <networkStateEvent>   <sequenceNumber>19</sequenceNumber>   <groupName>Local networks</groupName>   <networkName>CS-wired-pass</networkName>   <networkState>AcquiringIpAddress</networkState>   <adapterName>Broadcom NetXtreme Gigabit Ethernet</adapterName>   <serverVerifiedName>ise-2.csint.cz</serverVerifiedName>  </networkStateEvent> </SOAP-ENV:Body></SOAP-ENV:Envelope>
    3912: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: PORT (3) port: ARP_REQ (portMsg.c 731)
    3913: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: NET (3) cdiOsIoctlSet: CDI_8023_FRAME_IO_SEND, ifIndex(1), pData(0x024EEB40), dataLen(64) (cimdIo.cpp 2156)
    3914: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: NET (3)  data follows ... (cimdIo.cpp 2159)
    3915: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: NET (3)      00 00 00 00 FF FF FF FF  FF FF D4 85 64 B8 43 61     ........ ....d.Ca      08 06 00 01 08 00 06 04  00 01 D4 85 64 B8 43 61     ........ ....d.Ca      0A BE 5F 4A 00 00 00 00  00 00 0A BE 40 01 00 00     .._J.... ....@...      00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00     ........ ........ (cimdIo.cpp 2159)
    3941: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: echo (cimdIo.cpp 2270)
    3942: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 Connectivity Result: SUCCESS
    3943: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv6 Connectivity Result: FAILURE
    3944: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: ACE: adapter SM current: state(STATE_AUTHENTICATED), event(EVENT_IP_CONNECTIVITY)
    3945: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: ACE: adapter SM state change: STATE_AUTHENTICATED -> STATE_CONNECTED
    3946: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: handleEventAndDoStateTransitionAction action : ACTION_IP_CONNECTIVITY
    3947: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (0) S_ndisIoControl: returning cached xmitLinkSpeed: 100000000 bps (cimdIo.cpp 3558)
    3948: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (0) NDIS OID: ifIndex=1 GET OID_GEN_LINK_SPEED(0x10107) datalen=4, cbRW=4 cbNeeded=0 acErr=0 winErr=0 (cimdIo.cpp 3686)
    1: XTCSSPWA03: 6 10 2013 11:24:54.007 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {25CBB996-92ED-457E-B28C-4774084BD562} LogLevel=0xF
    2: XTCSSPWA03: 6 10 2013 11:24:54.007 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\authui.dll.
    3: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({25CBB996-92ED-457E-B28C-4774084BD562}): Attempting to load Dir=C:\windows\system32, FileName=authui.dll
    4: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000001FC050) instantiated for CLSID:{25CBB996-92ED-457E-B28C-4774084BD562}
    5: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {3DD6BEC0-8193-4FFE-AE25-E08E39EA4063} LogLevel=0xF
    6: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\authui.dll.
    7: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({3DD6BEC0-8193-4FFE-AE25-E08E39EA4063}): Attempting to load Dir=C:\windows\system32, FileName=authui.dll
    8: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000001FC850) instantiated for CLSID:{3DD6BEC0-8193-4FFE-AE25-E08E39EA4063}
    9: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {503739D0-4C5E-4CFD-B3BA-D881334F0DF2} LogLevel=0xF
    10: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\System32\VaultCredProvider.dll.
    11: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({503739D0-4C5E-4CFD-B3BA-D881334F0DF2}): Attempting to load Dir=C:\windows\System32, FileName=VaultCredProvider.dll
    12: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003A30B0) instantiated for CLSID:{503739D0-4C5E-4CFD-B3BA-D881334F0DF2}
    13: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {6F45DC1E-5384-457A-BC13-2CD81B0D28ED} LogLevel=0xF
    14: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\authui.dll.
    15: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({6F45DC1E-5384-457A-BC13-2CD81B0D28ED}): Attempting to load Dir=C:\windows\system32, FileName=authui.dll
    16: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003AF710) instantiated for CLSID:{6F45DC1E-5384-457A-BC13-2CD81B0D28ED}
    17: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {8BF9A910-A8FF-457F-999F-A5CA10B4A885} LogLevel=0xF
    18: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved SmartcardCredentialProvider.dll.
    19: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({8BF9A910-A8FF-457F-999F-A5CA10B4A885}): Attempting to load Dir=, FileName=SmartcardCredentialProvider.dll
    20: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003B7D70) instantiated for CLSID:{8BF9A910-A8FF-457F-999F-A5CA10B4A885}
    21: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {94596C7E-3744-41CE-893E-BBF09122F76A} LogLevel=0xF
    22: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved SmartcardCredentialProvider.dll.
    23: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({94596C7E-3744-41CE-893E-BBF09122F76A}): Attempting to load Dir=, FileName=SmartcardCredentialProvider.dll
    24: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003C03D0) instantiated for CLSID:{94596C7E-3744-41CE-893E-BBF09122F76A}
    25: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {AC3AC249-E820-4343-A65B-377AC634DC09} LogLevel=0xF
    26: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\System32\BioCredProv.dll.
    27: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({AC3AC249-E820-4343-A65B-377AC634DC09}): Attempting to load Dir=C:\windows\System32, FileName=BioCredProv.dll
    28: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003CABC0) instantiated for CLSID:{AC3AC249-E820-4343-A65B-377AC634DC09}
    29: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {B12744B8-5BB7-463A-B85E-BB7627E73002} LogLevel=0xF
    30: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CClassFactory(00000000001FFF00)  CreateInstance calling CoCreateInstance on MS password cred prov
    31: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {6F45DC1E-5384-457A-BC13-2CD81B0D28ED} LogLevel=0xF
    32: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\authui.dll.
    33: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({6F45DC1E-5384-457A-BC13-2CD81B0D28ED}): Attempting to load Dir=C:\windows\system32, FileName=authui.dll
    34: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003D3220) instantiated for CLSID:{6F45DC1E-5384-457A-BC13-2CD81B0D28ED}
    35: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003DB880) instantiated for CLSID:{B12744B8-5BB7-463A-B85E-BB7627E73002}
    36: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {E74E57B0-6C6D-44D5-9CDA-FB2DF5ED7435} LogLevel=0xF
    37: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\certCredProvider.dll.
    38: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({E74E57B0-6C6D-44D5-9CDA-FB2DF5ED7435}): Attempting to load Dir=C:\windows\system32, FileName=certCredProvider.dll
    39: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003E3EE0) instantiated for CLSID:{E74E57B0-6C6D-44D5-9CDA-FB2DF5ED7435}
    3963: XTCSSPWA03: 6 10 2013 11:24:59.247 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: SysLib:DBG: .\src\os\win\osAsync_win.c:233: => SL_STATUS_NO_CONNECTION
    3964: XTCSSPWA03: 6 10 2013 11:24:59.247 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: SysLib:DBG: .\src\ipc\win\ipcPipeBase_win.c:102: => SL_STATUS_NO_CONNECTION
    3965: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: SysLib:DBG: .\src\ipc\win\ipcPipeBase_win.c:194: => SL_STATUS_NO_CONNECTION
    3966: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: SysLib:DBG: .\src\ipc\ipcFuncs.c:105: => SL_STATUS_NO_CONNECTION
    3967: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: CAUGHT: NoConnectionException
    3968: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: CoreLib:TRACE: context=acnam, thread join, ThreadImpl.cpp:58, m00585050, err=0(OS_OK), thread_id=2460
    3969: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: CoreLib:TRACE: context=acnam, thread join, ThreadImpl.cpp:58, m00585838, err=0(OS_OK), thread_id=3692
    89: XTCSSPWA03: 6 10 2013 11:25:06.367 -0100: %NAMSSO-7-DEBUG_MSG: %[tid=1228]: ServiceControlHandlerEx:WTS_SESSION_LOGOFF, Session ID: 1
    If we do not change VLAN from machine to user, it works just fine.
    Have anybody seen this problem? Have anybody fixed it?
    Thanx, Martin

    Hi,
    unfortunately not.
    I have gone through extensive troubleshooting from Microsoft and Cisco sides twice and the result is:
    1) AnyConnect performs EAPol logoff when it detects RDP session termination. So it goes from user to machine authentication
    2) Windows 7 performs RDP session termination when IP address changes due to the change of VLAN (from machine VLAN to user VLAN)
    Cisco claims that AnyConnect behavior is correct and Microsoft claims that they do not want to change this behavior (reset of RDP session).
    I can imagine that Cisco can detect whether RDP session was terminated due to the IP address change or not and do not revert back to machine authentication in such a case.
    In fact there was nobody at Cisco that was willing to listen to me or accept this like something that needs a fix. The only thing you can do is to enable "Extend connection beyond logoff". AnyConnect does not send EAPol logoff if it detects RDP session termination and you can establish another RDP session which does not fail and you stay connected with RDP.
    Martin

  • 802.1x and wired dynamic vlans on MAC addresses

    Hi All,
    I would like to setup our new offices with dynamic vlans determined by the MAC address of the device connecting. So I need a database of MAC addresses in groups for which vlan they will go in, with separate vlans for printers and servers and computers and BYOD. If this can work for wireless too then even better.
    I've done some reading but am really struggling to find the information I need.
    We have a Windows domain and brand new 3850 Cisco switches.
    Can anyone steer me in the right direction (or tell me how to do it!) please?
    Thanks for reading.

    Hi, 
    So you need to perform MAB authentication. As you mentioned, you will need to create a DB of MAC entries.
    In order to configure the Windows server (2003 or 2008?) to assign the dynamic VLAN you need to define the Remote Access Policies and create the custom attributes. For example:
    Tunnel-Medium-Type. Select a value appropriate to the previous selections you have made for the policy. For example, if the network policy you are configuring is a wireless policy, select Value: 802 (Includes all 802 media plus Ethernet canonical format).
    Tunnel-Pvt-Group-ID. Enter the integer that represents the VLAN number to which group members will be assigned. 
    Tunnel-Type. Select Virtual LANs (VLAN).
    You can find more information here:
    Configure a Network Policy for VLANs
    VLAN Attributes Used in Network Policy
    802.1X Authentication Services Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
    HTH.

  • 5508 and dynamic vlan assignement

    Hello,
    I'm trying to setup a 5508 to work with dynamic vlan assignement using the same SSID.
    I've followed everyting in this document http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    but it doesn't work, every client independent of the RADIUS group is assigned to the same VLAN.
    The only difference I have with that document is the [081] Tunnel-Private-Group-ID for which I use a string (nessesary for the LAN switches which use the same RADIUS) instead of a number.
    What I see when sniffing the RADIUS traffic, every option is sent correctly to the WLC, from the WLC side and using the debug aaa events enable option I see nothing interesting.
    Any ideas?
    Thanks
    George

    A bit more debugging gave me this:
    *Oct 15 09:31:28.491: xx:xx:xx:xx:xx:xx Received Tunnel-Group-ID Attribute -- ignoring AES Interface-Name '200' for STA xx:xx:xx:xx:xx:xx.
    *Oct 15 09:31:28.491: xx:xx:xx:xx:xx:xx Tunnel-Type 16777229 should be 13 for STA xx:xx:xx:xx:xx:xx
    (xx:xx:xx:xx:xx:xx is the client mac address)
    It seems that:
    1. WLC ignores the [14179\005] Aire-Interface-Name  parameter regardless of what the value is (I have tried the vlan number, the interface name etc)
    2. the second error is that the tunnel-type 16777229 should be 13. The tunnel-type has the value VLAN as required according to the Cisco document and in general for this to work.  Funny thing is that RFC2868 doesn't define a value of 13 but RFC3580 define VLAN as value 13 so again I've set the correct value.
    So I don't really know what to do now.  I guess I have to open a TAC ticket.

  • Tacacs+ and dynamic vlans

    Hi,
    Is there a good howto or tutorial that shows what settings are required to have dynamic vlan functionality . Using tacacs+ 802.1x/peap I can get a domain user authenticated but I don't follow how the vlan setup / switching should be done. I want all users that fail domain authentication to be put in vlan xxx and if the user does authenticate to be put into vlan yyy (I am using 802.1x PEAP and server side cert only). I am using ACS v3.3, W2k-AD, winXP supplicant , cat5000. Thx in adv.

    Yes, you can get the proper documentation at " target="_blank">www.cisco.com/techsupport--------> Products --------> Security ----------> select appropriately to go to Tacacs and click on view all.

  • Dynamic VLAN assignment and Layer 3 switching on 300 series

    I have a SG300-28P switch. I just read in the Administration Guide that, when in Layer 3 mode, the switch doesn't support MAC-based VLAN or Dynamic VLAN Assignment.
    So, in order to assign a client to a VLAN based on their MAC or based on the response of a RADIUS server, we have to disable layer 3 features. Without layer 3 switching, the switch is unable to act as a default gateway and forward packets between VLANs. As a result, the VLANs can't communicate in any way, or access the internet, unless a separate router is connected to every VLAN. Right?
    I'm new to VLAN configuration and layer 3 switching so I wanted to check my understanding. Doesn't this limitation significantly reduce the usefulness of the DVA feature?
    I may well be confused and missing something regarding how this is typically used..

    Hello Glenn,
    Your concept about packet forwarding is correct. With a layer 2 switch, there must be something directing traffic with multiple subnets for intervlan communication or something that provides an IP route to give the request a path back for the request.
    The usefulness for the DVA feature, is not particularly limited to the switch as the switch will correctly assign the VLAN for you, as VS the L3 switch mode, you're dealing with IP addresses. In any scenario, you're going to require a router to get to the internet since the switch does not support NAT.
    Additionally, if you're router does not support VLAN, the L3 switch feature would still be the solution since you should be able to make a static route pointing back to the switch to allow any subnet to traverse the single media. It would still beg the question, how to assign VLAN dynamically.
    The answer, although (in my opinion is terrible) would be GVRP.  But, this application would require ALL of your network cards to be GVRP Enable / Capable which most likely is not the scenario for you (or most anyone else for that matter).

Maybe you are looking for

  • Unable to attach files in mail and unable to print from browser

    while trying to attach files it is not opening the path in mozilla. and uable to print directly from browser.

  • Report authorization

    The authorization check on reports based on PNP/PNPCE logical database (both SAP and custom), I think is not working as suggested by SAP.  We have reports that have information on some sensitive information on employees.  From what SAP suggests if th

  • Load Balancing 2 routers

    Hi all Can someone tell me the best way to load balance between 2 routers, can someone post a typical config ? thanks a million Carl

  • Dead lock problem occur in Ms-Sql Server

    Hi friends, I am using the 1,Tomcat server 2, jdbc-odbc-bridge driver In my applicaiton .mutli user access time its throw -deadlock exception . How to solve the dead lock problem.. please help it. Can i modify the Db connection? please help me .... H

  • I have a problem with using (hotmail)

    i have a problem with using (hotmail) , that when i try to use messenger through it , that shown many of pages can not be open , and my contacts are not available , when i contact with Windows Live team to solve the problem they inform me that the pr