Inline Posture deployment for non-Cisco Wireless Controller

Hi all of you
I have to deploy an Inline Posture to manage a non-Cisco Wireless Controller (ZoneDirector 1000 Ruckus). It seems easy but I don't know where to start. All the documentation I read is about Inline Posture for VPN. I just want to use this Inline Posture to manage wireless users through the ZoneDirector wireless controller. Thank you.
Regards
Kouassi

So what is the solution for this scenario?
The remote site has a non-Cisco autonomous wireless AP. NAC is centralized. I cannot use OOB since there is no support for non-Cisco APs in OOB mode. As a result I use In-Band mode. This means that local wireless traffic in the remote site must travel to the central site, go through the NAC Server and go back to the remote site. Is this correct?

Similar Messages

  • NAC with non-Cisco wireless

    Hi there,
    I know that with WLC 5.1 and NAC 4.5 Cisco started to support OOB NAC implementation. Now here is my question:
    A customer has a Cisco environment except for the wireless, which is another vendor. What are the options to bring wireless traffic into the NAC server? Is OOB deployment possible?
    Thanks,
    rdianat

  • Cisco wireless control system

    We are using Cisco Wireless Control System. I need to block some MAC addresses or devices; how can I do it?

    Hi,
    Yes, you can block the specific client using the MAC Address Filtering option in WCS.
    This option is available in Configure > Security > MAC Filtering.
    Here you can create a new template as per your requirement.
    Go through the link below for detailed knowledge.
    http://www.cisco.com/c/en/us/td/docs/wireless/wcs/7-0/configuration/guide/WCS70cg/7_0temp.html#wp1095263

  • Does Cisco Wireless Control System need a Wireless LAN Controller?

    Does Cisco Wireless Control System need a Wireless LAN Controller for rogue detection?

    Hi Joao,
    The WCS is used in conjunction with the WLC (Wireless LAN Controller) for Rogue Detection. It is not a must for this function but more of an add-on :)
    The Cisco WCS is an optional network component that works in conjunction with Cisco Aironet Lightweight Access Points, Cisco wireless LAN controllers and the Cisco Wireless Location Appliance.
    From this doc:
    http://www.cisco.com/en/US/products/ps6305/index.html
    Overview of WCS
    The Cisco Wireless Control System (WCS) is a Cisco Unified Wireless Network Solution management tool that adds to the capabilities of the web user interface and command line interface (CLI), moving from individual controllers to a network of controllers. WCS includes the same configuration, performance monitoring, security, fault management, and accounting options used at the controller level and adds a graphical view of multiple controllers and managed access points.
    WCS runs on Windows 2003 and Red Hat Enterprise Linux ES 4.0 and AS 4.0 servers. On both Windows and Linux, WCS can run as a normal application or as a service, which runs continuously and resumes running after a reboot.
    The WCS user interface enables operators to control all permitted Cisco Unified Wireless Network Solution configuration, monitoring, and control functions through Internet Explorer 6.0 or later. Operator permissions are defined by the administrator using the WCS user interface Administration menu, which enables the administrator to manage user accounts and schedule periodic maintenance tasks.
    WCS simplifies controller configuration and monitoring while reducing data entry errors with the Cisco Unified Wireless Network Controller autodiscovery algorithm. WCS uses the industry-standard SNMP protocol to communicate with the controllers.
    From this good doc:
    http://www.cisco.com/en/US/products/ps6305/products_configuration_guide_chapter09186a00806b7270.html#wp1131195
    Detect and Locate Rogue Access Points
    From this WCS doc:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a00806f070a.shtml#new5
    Rogue Detection under Unified Wireless Networks
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a0080722d8c.shtml
    Hope this helps!
    Rob

  • WAP200E and Cisco Wireless Control System

    Hi.
    I have a customer with a Linux OS machine running Cisco Wireless Control System.
    He needs to add a new wireless AP with the following features:
    - compatible with most laptops
    - "resistant" to exterior conditions (sun, rain...)
    - reasonable performance (the AP would be on a roof with people on the roof itself, max distance: 15 meters, no walls)
    AND
    Which product would you recommend?
    I saw the WAP200E but I have no idea
    - if it is compatible with Cisco Wireless Control System
    - what antenna(s) to buy

    Hi Yves,
    The WAP200E is not compatible with the WCS.
    1.  How high (in relation to the client) is the AP going to be installed?
    2.  How is the AP going to be installed? Will it be hanging down?
    3.  Do you need Cisco CleanAir?

  • ISE web auth for non-cisco switch(D-link 3528)

    Is it possible to use ISE(inline posture node) to redirect the wired users to ISE guest portal ?
    And the wired users will get full network access after they pass the web auth.

    You can use the ISE Inline Posture node with 3rd-party switches.
    The RADIUS access device must supply the following RADIUS attributes:
        Calling-Station-Id (for MAC_ADDRESS)
        User-Name
        NAS-Port-Type
        The RADIUS accounting message must have the Framed-IP-Address attribute
    VLAN and DACL features can be used, but again it depends on the switch model; let us know the specific switch models. Certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality.
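    The attribute list in the reply above is worth checking before placing a third-party switch behind an Inline Posture node. As an added example (not code from this thread or from Cisco), the Python below decodes a raw RADIUS datagram and reports which of the attributes named in the reply are missing from an Access-Request or an Accounting-Request; the sample packets are constructed here with a zeroed authenticator.

```python
import struct

# RADIUS packet codes and attribute types (RFC 2865 / RFC 2866)
ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
ATTR = {"User-Name": 1, "Framed-IP-Address": 8, "Calling-Station-Id": 31,
        "Acct-Status-Type": 40, "NAS-Port-Type": 61}

# Attributes a third-party NAD must supply per message type, as listed in the reply above
REQUIRED = {
    ACCESS_REQUEST: ("Calling-Station-Id", "User-Name", "NAS-Port-Type"),
    ACCOUNTING_REQUEST: ("Framed-IP-Address",),
}

def parse_radius(packet: bytes):
    """Return (code, identifier, {attr_type: [raw values]}) for one RADIUS datagram."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs = {}
    pos = 20  # skip code, identifier, length and the 16-byte authenticator
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length for type {atype}")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, ident, attrs

def missing_for_ipep(packet: bytes):
    """Names of required attributes (for this packet's message type) that are absent."""
    code, _, attrs = parse_radius(packet)
    return [name for name in REQUIRED.get(code, ()) if ATTR[name] not in attrs]

def build_radius(code, ident, avps):
    """Build a RADIUS datagram with a zeroed authenticator (constructed sample only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples: an Access-Request from a switch that omits NAS-Port-Type,
# and an Accounting-Start that carries Framed-IP-Address as the reply requires.
BAD_ACCESS_REQ = build_radius(ACCESS_REQUEST, 7, [
    (ATTR["User-Name"], b"alice"),
    (ATTR["Calling-Station-Id"], b"00-11-22-33-44-55"),
])
GOOD_ACCT_START = build_radius(ACCOUNTING_REQUEST, 8, [
    (ATTR["Acct-Status-Type"], struct.pack("!I", 1)),  # 1 = Start
    (ATTR["Framed-IP-Address"], bytes([10, 1, 2, 3])),
    (ATTR["User-Name"], b"alice"),
])

if __name__ == "__main__":
    print(missing_for_ipep(BAD_ACCESS_REQ))   # ['NAS-Port-Type']
    print(missing_for_ipep(GOOD_ACCT_START))  # []
```

    Feed it datagrams captured from the switch's RADIUS traffic (stripping UDP headers first) to see which attribute the switch configuration still needs to send.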

  • Mapping deploy for Non-Oracle Data Source hangs

    Hi All,
    I am trying to deploy mapping for Non-Oracle Data Source and it hangs.
    Oracle version is 10.2.0.3 and OWB version is 10.2.0.1.3.1
    It would be really appreciated if you can help.
    Thanks!
    PS.

    That helps quite a bit. I still can't get the app to retrieve data, but I am getting a more useful message in the log:
    [Error in allocating a connection. Cause: Connection could not be allocated because: ORA-01017: invalid username/password; logon denied]
    As you suggested, I removed the <default-resource-principal> stuff from sun-web.xml and modified it to match your example. Additionally, I changed the <res-ref-name> in web.xml from "jdbc/jdbc-simple" to "jdbc/oracle-dev".
    The Connection Pool "Ping" from the Admin Console is successful with the user and password I have set in the parameters. (it fails if I change them, so I am pretty sure that is set up correctly) Is there another place I should check for user/pass information? Do I need to do anything to the samples/database.properties file?
    By the way, this is the 4th quarter 2004 release of app server. Would it be beneficial to move to the Q1 2005 beta?
    Many thanks for your help so far...

  • Workaround for non-SAP mitigating control reminders

    Dear all,
    Our business users would like to document mitigating controls in RAR 5.3 regardless of whether they are connected with an SAP report. They would also like to receive email reminders for those controls.
    Unfortunately, the frequency of the control can only be defined per connected SAP report and reminders will only be sent for controls if the SAP report has not been executed.
    Have you been exposed with a similar requirement? It seems like a natural thing to ask from a business perspective. RAR 5.3, however, is not designed in that way.
    Have you come up with any feasible workarounds for this?
    My current approach would be to create a dummy Z-report per SAP system (such as Z_MANUAL_MITCTRL) that control monitors have to call once to confirm the execution of their control.
    Cheers and best regards
    Patrick

    Hello,
    Regarding your question, in fact this is dependent on how your UME (User Management Engine) is configured on your WAS (Web Application Server). If the UME is connected to your R/3 back-end then the user needs to have an R/3 account to connect to CC; otherwise, if your UME is "independent", then you just need to create an account in the UME.
    Regards,
    Jérôme.

  • Inline Posture between Cisco ISE and Wireless LAN Controller

    Hi,
    I was looking into Cisco ISE solution for deploying NAC.
    I have a question about the network topology.
    In the user guide documents of Cisco ISE, it is written that for Wireless LAN Controllers (WLC) and VPN devices, an additional server, Inline Posture, is needed.
    However, in the following integration document, there is not an inline posture between WLC and Cisco ISE server.
    https://supportforums.cisco.com/docs/DOC-18121
    I want to know if Inline Posture is a requirement, and if not a requirement, what are the benefits of having it between the Cisco ISE Server and WLC.
    Thanks & Regards
    Sinan

    Hello,
    Please go through the links mentioned below, which might be helpful for you.
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_ipep_deploy.html
    http://www.cisco.com/en/US/docs/security/ise/1.2/installation_guide/ise_deploy.html
    Best Regards,

  • ISE Inline Posture

    ..

    Understanding the Role of Inline Posture
    An Inline Posture node is a gatekeeper that enforces access policies and handles change of authorization (CoA) requests. An Inline Posture node is positioned behind the network access devices on your network that are unable to accommodate CoA, such as wireless LAN controllers (WLC) and virtual private network (VPN) devices.
    After the initial authentication of a client (using EAP/802.1x and RADIUS), the client must still go through posture assessment. The posture assessment process determines whether the client should be restricted, denied, or allowed full access to the network. When a client accesses the network through a WLC or VPN device, Inline Posture is responsible for the policy enforcement and CoA that these devices are unable to accommodate.
    Inline Posture Policy Enforcement
    Inline Posture uses RADIUS proxy and URL redirect capabilities in the control plane to manage data plane traffic for endpoints. As a RADIUS proxy, Inline Posture is able to tap into RADIUS sessions between network access devices (NADs) and RADIUS servers. NADs can open full gate to client traffic. However, Inline Posture opens only enough to allow limited traffic from clients. The restricted bandwidth allows clients the ability to have an agent provisioned, have posture assessed, and have remediation done. This restriction is accomplished by downloading and installing DACLs that are tailored for specific client flow.
    Upon full compliance, a CoA is sent to the Inline Posture node by the Policy Service ISE node, and full gate is opened by the Inline Posture node for the compliant client endpoint. The RADIUS proxy downloads the full-access DACL, installs it, and associates the client IP address to it. The installed DACL can be common for a number of user groups, so that duplicate downloads are not necessary as long as the DACL content does not change at the Cisco ISE servers.
    The Inline Posture policy enforcement flow illustrated in the figure above follows these steps:
    1. The endpoint initiates a .1X connection to the wireless network.
    2. The WLC, which is a NAD, sends a RADIUS Access-Request message to the RADIUS server (usually the Policy Service ISE node).
    3. Inline Posture node, acting as a RADIUS proxy, relays the Access-Request message to the RADIUS server.
    4. After authenticating the user, the RADIUS server sends a RADIUS Access-Accept message back to the Inline Posture node.
    There can be a number of RADIUS transactions between the Endpoint, WLC, Inline Posture node, and the Cisco ISE RADIUS server before the Access-Accept message is sent. The process described in this example has been simplified for the sake of brevity.
    5. The Inline Posture node passes the Access-Accept message to the WLC, which in turn authorizes the endpoint access, in accordance with the profile that accompanied the message.
    6. The proxied Access-Accept message triggers Inline Posture to send an Authorization-Only request to the Policy Service ISE node, to retrieve the profile for the session.
    7. The Policy Service ISE node returns an Access-Accept message, along with the necessary Inline Posture profile.
    8. If the access control list (ACL) that is defined in the profile is not already available on the Inline Posture node, Inline Posture downloads it from the Policy Service ISE node using a RADIUS request (to the Cisco ISE RADIUS server).
    9. The Cisco ISE RADIUS server sends the complete ACL in response. It is then installed in the Inline Posture data plane so that endpoint traffic passes through it.
    There may be a number of transactions before the complete ACL is downloaded, especially if the ACL is too large for one transaction.
    10. As the endpoint traffic arrives at the WLC, the WLC sends out a RADIUS Accounting-Start message for the session to the Inline Posture node.
    The actual data traffic from the endpoint may arrive at the Inline Posture untrusted side before the Accounting-Start message is received by the Inline Posture node. Upon receiving the RADIUS Accounting-Start message, the Inline Posture node learns the IP address of the endpoint involved in the session and associates the endpoint with the ACL (downloaded and installed earlier in the session). The initial profile for this client endpoint could be restrictive, to posture the client before being given full access.
    11. Assuming the restrictive ACL allows only access to Cisco ISE servers, the endpoint is only allowed actions such as agent downloading and posture assessment over the data plane.
    12. If the client endpoint is posture compliant (as part of the restricted communication with Cisco ISE services earlier), the Policy Service ISE node initiates a RADIUS Change of Authorization (CoA) with the new profile. Hence, a new ACL is applied at the Inline Posture node for the session. The new ACL is installed immediately and applied to the endpoint traffic.
    13. The endpoint is then capable of full access to the enterprise network, as a result of the new profile that was applied to Inline Posture.
    A RADIUS stop message for a given session that is issued from the WLC, resets the corresponding endpoint access at the Inline Posture node.
    Best regards,
    Mantej Mangat

  • ISE inline posture limitation.

    Hi all,
    Can anyone help me with the configuration of ISE in Inline Posture mode, and what are the limitations of this mode?

    The following are known limitations for Inline Posture in Cisco ISE, Release 1.0.
    • Inline Posture is not supported in a virtual environment, such as VMware.
    • Backup and restore is not available for Inline Posture nodes in Cisco ISE, Release 1.0.
    • The Simple Network Management Protocol (SNMP) Agent is not supported by Inline Posture.
    • The Cisco Discovery Protocol (CDP) is not supported by Inline Posture.
    For more information on configuration and other topics you can see the attached PDF.

  • Can Wireless Control System Send Alarms As Traps to a trap receiver

    Can the Cisco Wireless Control System be configured to send its alarms as SNMP traps to a specified trap receiver? If so, how is that capability configured? Is it through Notification Receiver?

    Yes, it can. And yes, through the Notification Receiver. Pity though, it can only send traps in regards to Guest Account Activity such as guest association and authentication.
    Hopefully future versions of WCS will be more versatile in that regard.
    Cheers

  • Non-Cisco WGB and H-REAP

    Anyone had success rolling out non-Cisco WGBs with H-REAP?
    My customer is using WLC 5508 with code 7.0.116.0. As per WLC config guide ( http://goo.gl/6kX0d ), Cisco has tested multiple third-party devices for compatibility. Is it possible to get that device list somewhere? My customer is using TP-Link model TL-WA901N v2. The 5508 WLC does not recognize this device as a WGB. Rather, it displays the wired client behind the non-Cisco WGB.
    Is H-REAP supported for non-Cisco WGBs? The WLC config guide says H-REAP is not supported with Cisco WGBs, but does not make a distinction for non-Cisco WGBs.
    Regards,
    -steve w.

    Hello Stephen,
    Thanks for clarifying. Can Cisco disclose the third-party devices it has tested (non-Cisco WGB)?
    TIA,
    -steve w.

  • Configuring Switch for CCA is behind non-Cisco phone, NAC OOB VGW Deployment

    Hi,
    I need to configure the edge switch port to keep serving non-Cisco IP phone on deploying NAC as OOB VGW.
    I appreciate your advice, but make sure 802.1x solution is the last option.
    Thanks
    Mike

    Hi,
    Please look at the config guide:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_oob.html.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Cisco ISE inline posture node Posture assessment query

    Hi all,
    I read the user guide for ISE 1.1 and in the Inline Posture section I picked up the following text, which concerned me if I understand it right...
    "In a deployment, such as outlined in the example, when more endpoints connect to the wireless network
    they are likely to fall into one of the identity groups that already have authenticated and authorized users
    connected to the network.
    For instance, there may be an employee, executive, and guest that have been granted access through the
    outlined steps. This situation means that the respective restrictive or full-access profiles for those ID
    groups have already been installed on the Inline Posture node. The subsequent endpoint authentication
    and authorization uses the existing installed profiles on the Inline Posture node, unless the original
    profiles have been modified at the Cisco ISE policy configuration. In the latter case, the modified profile
    with ACL is downloaded and installed on the Inline Posture node, replacing the previous version."
    Does this mean that if a corporate user VPNs in and successfully passes posture and gets a dACL applied to the session allowing full access, the next user will completely skip posture assessment and be granted full access to the network if they are a member of the same AD group?
    I am planning on using the iPEP for posturing VPN clients and using AD groups to determine the correct dACL to apply to a particular VPN session.
    Thanks!
    Mario

    I'm not too familiar with the actual operations of the Inline Posture node, but it seems to me that the only things that are more or less "cached" are the authentication and authorization profiles that have been previously matched. So, even if they're "cached" and an endpoint matches and authorizes based on those policies, it would match on the policy that provides a pre-posture state. So, a PRE-POSTURE ACL would be pushed and a URL redirect would also occur to the NAC agent download portal (if the endpoint doesn't have it already).
    After posture is assessed, a change of authorization would occur and reauthorize that endpoint's session.
    So, in short, even if the profiles are cached, they only deliver pre-posture profiles. After posture assessment, the endpoint goes through reauth via CoA.
    If you have access to the partner education connection, I suggest checking out the VoE deep dive series for ISE. There's a posture presentation that would probably help you out.
    https://communities.cisco.com/docs/DOC-30977
    HTH,
    Ryan
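    The 13-step enforcement flow quoted in the "ISE Inline Posture" thread above, and the caching question raised in this thread, can both be followed with a small model. This is an added example, not code from the posts or from Cisco ISE: a hypothetical InlinePostureNode class keeps an ACL cache shared across sessions, binds an endpoint IP to its session only on Accounting-Start, swaps the ACL on CoA and drops the session on Accounting-Stop, and ISE_ACLS stands in for the ACLs the ISE RADIUS server would return (the ISE servers are assumed to sit in 10.10.10.0/24).

```python
import ipaddress

# Constructed stand-in for the ACLs the ISE RADIUS server returns (step 9); the
# pre-posture ACL reaches only the assumed ISE server subnet 10.10.10.0/24.
ISE_ACLS = {
    "PRE-POSTURE": [("permit", "10.10.10.0/24"), ("deny", "0.0.0.0/0")],
    "FULL-ACCESS": [("permit", "0.0.0.0/0")],
}

class InlinePostureNode:
    """Hypothetical model of the control-plane events and data-plane checks in the flow."""
    def __init__(self, ise_acls):
        self.ise_acls = ise_acls
        self.acl_cache = {}      # ACL name -> entries; shared by every session (step 8)
        self.sessions = {}       # session id -> {"acl": name, "ip": endpoint IP or None}
        self.acl_downloads = 0   # RADIUS requests made to fetch an ACL from ISE

    def _install_acl(self, name):
        if name not in self.acl_cache:           # step 8: fetch only if not already installed
            self.acl_cache[name] = list(self.ise_acls[name])
            self.acl_downloads += 1

    def access_accept(self, session_id, acl_name):
        """Steps 5-9: the proxied Access-Accept yields a profile whose ACL gets installed."""
        self._install_acl(acl_name)
        self.sessions[session_id] = {"acl": acl_name, "ip": None}

    def accounting_start(self, session_id, endpoint_ip):
        """Step 10: the endpoint IP is learned here and bound to the session's ACL."""
        self.sessions[session_id]["ip"] = endpoint_ip

    def coa(self, session_id, acl_name):
        """Step 12: CoA from the Policy Service node installs and applies the new ACL."""
        self._install_acl(acl_name)
        self.sessions[session_id]["acl"] = acl_name

    def accounting_stop(self, session_id):
        """An Accounting-Stop from the WLC resets the endpoint's access."""
        self.sessions.pop(session_id, None)

    def permits(self, src_ip, dst_ip):
        """Data plane: first matching ACL entry decides; unknown source IPs are dropped."""
        dst = ipaddress.ip_address(dst_ip)
        for sess in self.sessions.values():
            if sess["ip"] == src_ip:
                for action, prefix in self.acl_cache[sess["acl"]]:
                    if dst in ipaddress.ip_network(prefix):
                        return action == "permit"
                return False   # implicit deny at the end of the ACL
        return False           # no Accounting-Start seen for this IP yet

def walk_flow():
    """Two endpoints of the same identity group; returns (ACL downloads, data-plane results)."""
    ipep = InlinePostureNode(ISE_ACLS)
    ipep.access_accept("s1", "PRE-POSTURE")
    early = ipep.permits("10.20.0.5", "192.168.1.1")      # data arriving before Accounting-Start
    ipep.accounting_start("s1", "10.20.0.5")
    ise_ok = ipep.permits("10.20.0.5", "10.10.10.7")      # agent download / posture to ISE
    corp_blocked = not ipep.permits("10.20.0.5", "192.168.1.1")
    ipep.coa("s1", "FULL-ACCESS")                         # endpoint found posture compliant
    corp_ok = ipep.permits("10.20.0.5", "192.168.1.1")
    ipep.access_accept("s2", "PRE-POSTURE")               # same group: ACL cached, no download
    ipep.accounting_start("s2", "10.20.0.6")
    second_blocked = not ipep.permits("10.20.0.6", "192.168.1.1")
    ipep.accounting_stop("s1")
    after_stop = ipep.permits("10.20.0.5", "192.168.1.1")
    return ipep.acl_downloads, (early, ise_ok, corp_blocked, corp_ok, second_blocked, after_stop)
```

    The second endpoint reuses the cached PRE-POSTURE ACL without a new download but is still restricted to the ISE subnet until its own CoA, which is the behaviour Ryan describes.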
