FIDO Support in Cisco AAA solutions

Hi all,
I wanted to know if Cisco is planning on integrating the FIDO standard in its AAA products, specifically ACS and ISE.
Best Regards,
Patrick

ISE and ACS strongly depend on the reliance of passwords to authenticate users, also in their upcoming release. It is not that easy to eliminate the use of passwords. Cisco will definitely join the alliance in the near future. It is on the roadmap.
 

Similar Messages

  • Ask the Experts: Introduction to Cisco Trustsec Solution and Configuration (from Webcast)

    This is an opportunity to learn and ask more questions about Cisco Trustsec solution. The Trustsec solution is designed to flatten the network regardless of the access method but still provide fully distributed and differentiated access control no matter whether you are coming from wired or WiFi or remote access, the Trustsec solution provides a consistent access control policy.
    Ankur Bajaj is a customer support engineer from the AAA team at the Cisco Technical Assistance Center in Richardson, Texas, USA. He has 14 years of total experience. He has worked on a wide range of Cisco Security Technologies such as Cisco ASA, VPN deployments, NAC solution, ACS and ISE deployment. Ankur has CCIE # 22135 in Security.
    Mrinal Jaiswal has been with Cisco since 2007 with previous experience as a software developer.  He works with AAA and Wireless Technical Assistance. Mrinal holds a CCIE in security #31389, MCSA in 2003 track, MCAD in .net, GNIIT from NIIT.
    Beau Wallace is an engineer for the RTP AAA TAC team, supporting multiple solutions including ISE, TrustSec, 802.1x, ACS, NAC, etc. He attended East Carolina University and lives in Raleigh, NC. He holds CCNP, RHCSA, and Security+ certifications.
    This Discussion starts Dec 16th through Dec 19th, 2014
    Remember to use the rating system to let the experts know if you have received an adequate response.
    The experts might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation in Security community,  sub-community, AAA, Identity and NAC discussion forum shortly after the event. This event lasts through December 19, 2014. Visit this forum often to view responses to your questions and the questions of other community members.

    Hi Marvin, first, you would want to ensure the router or switch you use has support for SG-ACLs and enforcement via:
    http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/trustsec_matrix.html
    Once you know that works, you can configure SG-ACLs with a source or destination on "unknown". This keyword indicates traffic where we cannot discover what SGT should be assigned to that traffic, or in other words, outside the TrustSec domain. We use a relatively common command-set on enforcement supporting platforms, take a look at the following link for command syntax:
    http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/sgacl_config.html
    Let me know if the unknown tag was what you were looking for!
    Edits: Spelling.

  • MPLS CE support on Cisco 2800 ISR router

    Hi all, could I ask you for some hints about MPLS CE support on Cisco 2800 ISR router today? I'm finding restrictions and recommendations for feature implementation. Do you have any Cisco web site about them?
    Thank you for your advice and/or hints.
    Peter

    Thanks for an answer. I need to use multi-VPN model on CE router, but with QoS on one physical CE-PE connection (e.g. Frame-Relay DLCI). However, all VPNs on CE router must be secured for each one. The solution is Multi-VRF service feature, but, however, with multi-DLCI model on Frame-Relay and QoS per DLCI. Now, I'm finding a scenario to provide multi-VPN model on CE router with single-DLCI model and single QoS per one DLCI for all VPNs. And that, MPLS CE feature on C2800 could be used, if possible.
    So, I don't know more about MPLS CE on C2800 and I don't know make a result to proposed solution...

  • No of SSID support on Cisco WLC

    Hi All,
    Can you please help me on providing below details on Cisco wireless controller?
    1. No of SSID support on Cisco WLC
    2. Is it possible to restrict SSID on AP's (e.g. I have 10 SSID's configured on controller, I want first 10 Access points use set of SSID (SSID 1-5), and rest of the AP use SSID 6-10).
    Thanks
    Jamal

    Hi Jamal,
    Just to add a touch to the great info from Robert (+5 points Robert)
    The feature you are looking for is called WLAN Override in WLC 4.x versions.
    Enabling WLAN Override
    By default, access points transmit all defined WLANs on the controller. However, you can use the WLAN Override option to select which WLANs are transmitted and which ones are not on a per access point basis. For example, you can use WLAN override to control where in the network the guest WLAN is transmitted or you can use it to disable a specific WLAN in a certain area of the network.
    From this doc;
    http://www.cisco.com/en/US/docs/wireless/controller/4.0/configuration/guide/c40wlan.html#wp1114777
    Once you create a new WLAN, the WLAN > Edit page for the new WLAN appears. In this page you can define various parameters specific to this WLAN including General Policies, RADIUS Servers, Security Policies, and 802.1x Parameters.
    **Check Admin Status under General Policies to enable the WLAN. If you want the AP to broadcast the SSID in its beacon frames, check Broadcast SSID.
    Note: You can configure up to sixteen WLANs on the controller. The Cisco WLAN Solution can control up to sixteen WLANs for Lightweight APs. Each WLAN has a separate WLAN ID (1 through 16), a separate WLAN SSID (WLAN name), and can be assigned unique security policies. Lightweight APs broadcast all active Cisco WLAN Solution WLAN SSIDs and enforce the policies that you define for each WLAN.
    From this good doc;
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml#c3
    In 5.x versions you will use AP Groups, because in WLC 5.x versions, WLAN Override has been replaced with the "AP Groups" feature;
    Creating Access Point Groups
    After all access points have joined the controller, you can create up to 150 access point groups and assign up to 16 WLANs to each group. Each access point advertises only the enabled WLANs that belong to its access point group. The access point does not advertise disabled WLANs in its access point group or WLANs that belong to another group.
    http://www.cisco.com/en/US/docs/wireless/controller/5.2/configuration/guide/c52wlan.html#wp1128591
    To learn more about AP Groups check out George's excellent video
    http://www.my80211.com/cisco-labs/2009/3/22/cisco-ap-group-nugget.html
    Hope this helps!
    Rob

  • What are the features supported in Cisco Prime Infrastructure for WLAN for autonomous AP's?

    What are the features supported in Cisco Prime Infrastructure for WLAN for autonomous AP’s?

    • PI provides visibility for autonomous clients within the same list view as lightweight and wired clients (client list page).
    • Rogue AP detection for autonomous AP's is not supported (it's supported in CUWN).
    • Alarms/events for client authentication issues (e.g. authentication failure) are displayed in PI.
    • Config management for autonomous AP's is via CLI template. Config comparison and archiving functionality in PI leverages these same features that were brought in from LMS, so need to defer to others in terms of whether this is a cross-platform feature in PI or is only supported on a subset of platforms. Config comparison/archive is supported in CUWN. PI supports both infrastructure (e.g. AP Tx Power and Channel, busiest AP, AP utilization, etc.) and client (e.g. client count, client sessions, etc.) reports, and there are extensive reports for CUWN.

  • Dynamic Routing Protocol Support in Cisco ASA Multiple Context Mode

    Dear Experts,
    Would like to know whether dynamic routing protocols are supported in Cisco ASA Firewall Multiple Context Mode. If yes then please provide OS version and Hardware Model of Cisco ASA Firewall. Appreciate the quick response. Thanks.

    Hi,
    Check out this document for the information
    http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp93116
    It lists the following for software level 9.0(1)
    Multiple Context Mode Features
    Dynamic routing in Security Contexts
    EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.
    Seems to me you would need some 9.x version to support the above mentioned Dynamic Routing Protocols.
    I don't think it's related to the hardware model of the ASA other than that it requires a model that supports Multiple Context Mode. To my understanding the only model that doesn't support that is ASA5505 of the whole ASA5500 and ASA5500-X series.
    Hope this helps
    - Jouni

  • Is the Cisco Airespace solution the best one out there?

    I have been evaluating WLAN solutions and have narrowed the choice down to two: Airespace (Cisco) and Aruba. The one thing I really like about Aruba's system is that access points can be configured as IDS sensors only, which would eliminate some of the performance problems associated with AP's that also act as sensors. Can the Cisco Airespace solution enable AP's as sensor only? I am concerned that a busy access point will not be able to detect rogue devices.

    An Airespace AP can be configured to do rogue detection and sniffing/monitoring functionality only.

  • Is VSS supported in Cisco Prime Infrastructure 1.2?

    Is VSS supported in Cisco Prime Infrastructure 1.2?

    VSS support (converting standalone switches into a VSS) was introduced with LMS 3.0.1 if I remember well and it is still there in LMS 4.2 (Cisco Prime Infrastructure):
    http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.1/user/guide/configuration/configvss.html
    Config Mgmt is supported, also.

  • Does WAP4410N support Wireless Guest access solution?

    Does the Linksys AP (WAP4410N) support Wireless Guest access solution?

    Hi - I've got a WAP4410N which I'd like to use to provide wireless guest access, and I've had a look through the configuration pages and manual, and understand:
    1) I've got to add a virtual SSID (although I'd like to know where the DHCP settings are as I don't believe the WAP4410N has DHCP capabilities)
    2) I need to ensure that traffic can't hop across the multiple SSIDs
    What I'd like to know is whether the WAP4410N can be set up to display a terms and conditions page which users have to "OK" or whether it can host a login page that can be administered by someone to allow access - kind of like hotels use to ensure that not everyone can automatically connect? I don't mind if there has to be a secondary piece of software hosted on a server somewhere, but I'd like to prevent people from being able to automatically connect straight to our connection and would also like to limit them in some way, at very least the bandwidth that the connection allows, at best the sites they can visit too.
    Any thoughts greatly appreciated,
      Andy

  • If we got Nexus 1000V from VMware, can we add the N1K to our CCO (Cisco Account) to have direct support from Cisco

    Hi
    If we got Nexus 1000V from VMware, can we add the N1K to our CCO (Cisco Account) to have direct support from Cisco,
    as sometimes it takes some more time to get an answer from VMware -> Cisco
    Thanks

    No. When you purchase support from VMware, they are your support contact and they will escalate support to Cisco on your behalf if needed. This is the case for all OEM support. Cisco provides support for RHEL, Microsoft and VMware. We follow the same practice.
    Deciding who to purchase support from is a decision of single point of contact for all VMware & N1K related issues vs. maintaining separate support contracts with each vendor individually.
    Regards,
    Robert

  • EoMPLS support on Cisco ISR G2 2921?

    Hi there, I saw in Feature Navigator that EoMPLS is a supported feature for 2921...
    - Can somebody please confirm that EoMPLS is supported with Cisco 2921?
    - Is pseudowire redundancy possible?
    Thanks
    Manuel

    Hi Manuel,
    yes it is supported (if I am not wrong since release 12(4)T) and also L2VPN PW redundancy is supported.
    Riccardo

  • How many numbers of GRE Tunnels are supported on Cisco 3925 router?

    Hi...
    I would like to know that.......
    How many numbers of GRE Tunnels are supported on Cisco 3925 router?
    Thanks....

    This is what I found in my search:
    There may be factors such as memory constraints that will place practical limits on how many tunnels you can support. But there is also a hard limit on the number of tunnels that you can configure. That limit is based on the limitation of the number of IDBs supported by your router. The IDB is the Interface Descriptor Block and each interface (physical, or tunnel, or loopback, or whatever) requires an IDB. The number of IDBs will vary by platform and sometimes by release level of the code that you are running. You can use the privileged command show idb to see what the limitation is on your router. On the 1841 router that I just checked the limit on IDB is 1200 (which is a pretty large number - I believe that you would encounter other limits on performance or on size of configuration before you exhaust the IDB limit).
    https://supportforums.cisco.com/thread/2007932
    Hope it helps.
    Jatin Katyal
    - Do rate helpful posts -

  • QinQ support on Cisco SUP7L-E?

    Current release note for Cisco IOS XE Release 3.2.0XO says:
    These sections list the limitations and restrictions for the current release of Cisco IOS software on the Catalyst 4500E series switch.
    • 802.1q tunneling and related features are not supported.
    but in feature navigator there is 802.1q available
    - IEEE 802.1Q Tunneling
    - Selective QinQ
    Sup 6E has support also:
    Be aware that 802.1Q requires WS-C4948, WS-C4948-10GE, ME-4924-10GE, WS-C4928-10GE, WS-C4900M, WS-X4013+10GE, WS-X4516, WS-X4516-10GE, or WS-X45-SUP6-E; Layer 2 protocol tunneling is supported on all supervisor engines.

    Hi Riccardo,
    I checked the tables and to my understanding SUP7L-E and SUP7-E are at SW feature parity…
    Out of the release note:
    Additionally, Supervisor Engine 7L-E running Cisco IOS 3.2.0XO has feature parity with Supervisor Engine 7-E running Cisco IOS XE 3.2.0SG.
    The feature set for Supervisor Engine 7L-E matches that of Supervisor Engines 7-E
    That means Q-in-Q should also work on SUP7L-E within next IOS release (March – May 2012) … or am I wrong?
    Thanks
    Manuel

  • Can IPV6 QOS support in Cisco 3750x switches

    Hi 
    I have tried IPv6 QoS using class map in Catalyst 3750 switches but the platform does not support it.
    Has anyone configured IPv6 QoS on Cisco 3750-X switches? Is it supported?
    Cisco 3750 config
    policy-map up
     class bwtest-up
      police 2048000 128000 exceed-action drop
    policy-map down
     class bwtest-down
      police 512000 128000 exceed-action drop
      trust dscp
    class-map match-all bwtest-up
     match access-group name bwup
    class-map match-all bwtest-down
     match access-group name bwdown
    ipv6 access-list bwup
     permit ipv6 2402:xxxx:x:x::/64
    ipv6 access-list bwdown
     permit ipv6 any 2402:xxxx:x:x::/64
    L3(config)#int g1/0/4
    L3(config-if)#service-policy input up
    QoS: class(bwtest-up) IPv6 class not supported on interface GigabitEthernet1/0/4 ( error)
    Please help!

    interface GigabitEthernet1/0/4
     description ##Test LAN-IPV##
     no switchport
     bandwidth 2048
     no ip address
     load-interval 30
     speed 100
     duplex full
     ipv6 address 2402:xxxx:x:x::1/64
     ipv6 enable
     ipv6 ospf 200 area 0
    end
    switch sw version
    Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE9, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2014 by Cisco Systems, Inc.
    Compiled Mon 03-Mar-14 22:45 by prod_rel_team
    Image text-base: 0x01000000, data-base: 0x02F00000
    ROM: Bootstrap program is C3750 boot loader
    BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
    Cherry uptime is 6 days, 7 hours, 23 minutes
    System returned to ROM by power-on
    System restarted at 07:04:50 IST Thu Mar 19 2015
    System image file is "flash:/c3750-ipservicesk9-mz.122-55.SE9.bin"

  • Are HTTPS probes supported in Cisco devices ?

    Hello,
    I am aware Cisco supports HTTP probe types. Are HTTPS (HTTP Secure) probes supported in Cisco devices too? If so, from which IOS version?
    Your comments are very much appreciated.
    Thanks.

    Hi ,
    As per my understanding there is no IOS code which supports HTTPS operations; only HTTP operations are supported as of now.
    Thanks
    Afroz
