ISE 1.1.1 cisco-av-pair:Wireless-WCS

Hello,
Has anyone configured ISE yet to authenticate WCS against ISE using RADIUS? I have created the Authorization Profiles with role0=SuperUsers, task0=... etc., but I am wondering how everyone has done the authentication and authorization rules. Any lessons learned would be great.
Kyle

Yes, I have patch 1 installed.  I am trying to add the following cisco-av-pairs:
Wireless-WCS:role0=Admin
Wireless-WCS:task0=Users and Groups
Wireless-WCS:task1=Virtual Domain Management
Wireless-WCS:task2=Audit Trails
Wireless-WCS:task3=TACACS+ Servers
Wireless-WCS:task4=RADIUS Servers
Wireless-WCS:task5=Logging
Wireless-WCS:task6=License Center
Wireless-WCS:task7=Scheduled Tasks and Data Collection
Wireless-WCS:task8=User Preferences
Wireless-WCS:task9=System Settings
Wireless-WCS:task10=View Alerts and Events
Wireless-WCS:task11=Email Notification
Wireless-WCS:task12=Delete and Clear Alerts
Wireless-WCS:task13=Pick and Unpick Alerts
Wireless-WCS:task14=Ack and Unack Alerts
Wireless-WCS:task15=Configure Controllers
Wireless-WCS:task16=Configure Templates
Wireless-WCS:task17=Configure Config Groups
Wireless-WCS:task18=Configure Access Points
Wireless-WCS:task19=Scheduled Configuration Tasks
Wireless-WCS:task20=Migration Templates
Wireless-WCS:task21=Configure Choke Points
Wireless-WCS:task22=Configure Spectrum Experts
Wireless-WCS:task23=Configure ACS View Servers
Wireless-WCS:task24=Auto Provisioning
Wireless-WCS:task25=Monitor Controllers
Wireless-WCS:task26=Monitor Access Points
Wireless-WCS:task27=Monitor Clients
Wireless-WCS:task28=Monitor Tags
Wireless-WCS:task29=Monitor Security
Wireless-WCS:task30=Monitor Chokepoints
Wireless-WCS:task31=Monitor Spectrum Experts
Wireless-WCS:task32=RRM Dashboard
Wireless-WCS:task33=Mesh Reports
Wireless-WCS:task34=Client Reports
Wireless-WCS:task35=Performance Reports
Wireless-WCS:task36=Security Reports
Wireless-WCS:task37=Compliance Assistance Reports
Wireless-WCS:task38=Voice Audit Report
Wireless-WCS:task39=Config Audit Dashboard
Wireless-WCS:task40=Location Server Management
Wireless-WCS:task41=View Location Notifications
Wireless-WCS:task42=Maps Read Only
Wireless-WCS:task43=Maps Read Write
Wireless-WCS:task44=Client Location
Wireless-WCS:task45=Rogue Location
Wireless-WCS:task46=Planning Mode
Wireless-WCS:task47=High Availability Configuration
Wireless-WCS:task48=Health Monitor Details
Wireless-WCS:task49=Configure WIPS Profiles
Wireless-WCS:task50=Global SSID Groups
Wireless-WCS:task51=WIPS Service
Wireless-WCS:task52=Configure Lightweight Access Point Templates
Wireless-WCS:task53=Configure Autonomous Access Point Templates
Wireless-WCS:task54=Guest Reports
Wireless-WCS:task55=Handover Server Management
Wireless-WCS:task56=Monitor Handover Server
Wireless-WCS:task57=Configure Ethernet Switch Ports
Wireless-WCS:task58=Configure Ethernet Switches
Wireless-WCS:task59=Monitor Interferers
Wireless-WCS:task60=Device Reports
Wireless-WCS:task61=Network Summary Reports
Wireless-WCS:task62=Compliance Reports
Wireless-WCS:task63=CleanAir Reports
Wireless-WCS:task64=Report Launch Pad
Wireless-WCS:task65=Run Reports List
Wireless-WCS:task66=Saved Reports List
Wireless-WCS:task67=Report Run History
Wireless-WCS:task68=Automated Feedback
Wireless-WCS:task69=TAC Case Attachment Tool
Wireless-WCS:task70=Ack and Unack Security Index Issues
Wireless-WCS:task71=View Security Index Issues
Wireless-WCS:task72=Monitor Media Streams
Wireless-WCS:task73=Voice Diagnostics
Wireless-WCS:task74=ContextAware Reports
Thanks,
Kyle
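The role and task list above reaches WCS as a series of Cisco vendor-specific RADIUS attributes (Vendor-Specific type 26, vendor ID 9, vendor type 1, i.e. cisco-av-pair), one av-pair per VSA. The Python below is an added example, not code from this thread, from Cisco or from ISE: it encodes a Wireless-WCS role and task set as RFC 2865 VSAs the way an Access-Accept would carry them, parses them back out of a mixed attribute list that also contains a Class attribute and a Microsoft VSA, and then checks the decoded task set against a least-privilege allow-list. The RADIUS framing follows RFC 2865; the task names are taken from the list in the post; the "monitor only" allow-list, the Microsoft VSA and the sample Access-Accept are constructed for the example and are assumptions.

```python
"""Encode and decode Wireless-WCS cisco-av-pairs as RADIUS VSAs (added example)."""
import struct

RADIUS_VSA = 26          # Vendor-Specific attribute, RFC 2865 section 5.26
RADIUS_CLASS = 25        # non-VSA attribute, present in the sample so the parser has to skip it
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1         # vendor type of cisco-av-pair
MS_VENDOR_ID = 311       # Microsoft, used only as a "foreign" VSA in the constructed sample


def encode_avpair(avpair: str) -> bytes:
    """One cisco-av-pair string -> one complete RADIUS Vendor-Specific attribute."""
    s = avpair.encode("ascii")
    # 255 max attribute length - 2 (type, len) - 4 (vendor id) - 2 (vtype, vlen)
    if len(s) > 247:
        raise ValueError("av-pair does not fit in one VSA")
    vendor_part = struct.pack("!BB", CISCO_AVPAIR, len(s) + 2) + s
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_part
    return struct.pack("!BB", RADIUS_VSA, len(body) + 2) + body


def build_wcs_attrs(role: str, tasks) -> bytes:
    """Attribute list an Authorization Profile would emit: role0, then task0..taskN."""
    pairs = [f"Wireless-WCS:role0={role}"]
    pairs += [f"Wireless-WCS:task{i}={t}" for i, t in enumerate(tasks)]
    return b"".join(encode_avpair(p) for p in pairs)


def decode_avpairs(attrs: bytes):
    """Walk a RADIUS attribute list and return the Cisco av-pair strings in it."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[i + 2 : i + alen]
        if atype == RADIUS_VSA and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            j = 4
            while j + 2 <= len(value):
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("bad vendor sub-attribute length")
                if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                    out.append(value[j + 2 : j + vlen].decode("ascii"))
                j += vlen
        i += alen
    return out


def wcs_profile(avpairs):
    """Pick out the Wireless-WCS role and the tasks, ordered by their index."""
    role, tasks = None, {}
    for p in avpairs:
        if not p.startswith("Wireless-WCS:"):
            continue
        key, _, val = p[len("Wireless-WCS:"):].partition("=")
        if key == "role0":
            role = val
        elif key.startswith("task") and key[4:].isdigit():
            tasks[int(key[4:])] = val
    return role, [tasks[k] for k in sorted(tasks)]


# Constructed allow-list for a monitoring-only role. The task names are from the
# list in the post; which of them count as "monitor only" is an assumption here.
MONITOR_ONLY = {
    "Monitor Controllers", "Monitor Access Points", "Monitor Clients",
    "View Alerts and Events", "Maps Read Only", "Client Reports",
}


def excess_tasks(tasks, allowed=MONITOR_ONLY):
    """Tasks in the profile that the allow-list does not grant (empty list = OK)."""
    return sorted(set(tasks) - set(allowed))


def sample_access_accept() -> bytes:
    """Constructed Access-Accept attribute list: a Class attribute, a Microsoft
    VSA, then the Wireless-WCS pairs. Only the Cisco pairs should be decoded."""
    klass = struct.pack("!BB", RADIUS_CLASS, 2 + 4) + b"wcs1"
    ms_body = struct.pack("!I", MS_VENDOR_ID) + struct.pack("!BB", 10, 2 + 2) + b"xx"
    ms_vsa = struct.pack("!BB", RADIUS_VSA, len(ms_body) + 2) + ms_body
    wcs = build_wcs_attrs("Admin", ["Monitor Clients", "Users and Groups"])
    return klass + ms_vsa + wcs


if __name__ == "__main__":
    pairs = decode_avpairs(sample_access_accept())
    role, tasks = wcs_profile(pairs)
    print(role, tasks, "excess:", excess_tasks(tasks))
```

The length check in encode_avpair is the practical reason each task is its own av-pair rather than one long string: a single RADIUS attribute cannot exceed 255 bytes, and the vendor header eats eight of them.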

Similar Messages

  • Cisco ISE with cisco-av-pair

    Hi All
    I am deploying a Cisco ISE together with a WLC to provide guest services. After the authentication the users will be redirected to the device registration page; this is done via the RADIUS attribute "cisco-av-pair = url-redirect=https://FQDN:8443/guestportal/gateway?sessionId=SessionIdValue&portal=..." returned by the ISE. My problem is that there is no internal DNS server in the guest network (it points to public DNS servers), so the clients cannot resolve the FQDN. We can manually add the redirect URL, but the SessionIdValue in the URL is a dynamic value. Is there a way to put a dynamic value in the attributes manually?
    Thanks a lot!
    Leo

    Thanks Tarik, I saw you have helped a lot of people with ISE configuration; I really appreciate your help.
    In ISE there is a place to set the default URL for the Sponsor and My Devices portals, but not for the Guest portal; I am not sure why. As the DNS server is not available at this moment, we are using the WLC to do the redirect (so not CWA); the downside is that we cannot have a whitelist, since all requests will be redirected to the guest portal.

  • Cisco ISE - CWA redirect in another way than cisco-av-pair?

    Hello.
    I'm trying to set up ISE as a CWA.
    I have made all the rules in both Authentication and Authorization, and I also see the clients hitting the right rules. The Authorization rule redirects the client to a captive web portal within ISE like this: cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=etc.
    But here is the problem: we use Aerohive access points, and Aerohive does not support cisco-av-pair attributes, since they are Cisco proprietary.
    Therefore, even if ISE says everything is fine, it is not, because Aerohive does not understand what has been sent to it.
    So the big question: Is there way to make the same redirect using standard radius attributes?
    Thank you.

    Unfortunately there isn't. I have done a project with ISE and Aerohive before, and outside of basic 802.1X authentication I was not able to deploy any of the other ISE features. There isn't an interoperability guide for ISE, just a compatibility one:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html
    I could be wrong here, so if someone else has done this before please chime in.
    Thank you for rating helpful posts! 

  • Cisco av-pairs SSID vs Dynamic Vlan Assignment

    Hello,
    Once upon a time, there was a Cisco av-pairs attribute to allow a Wireless user to a given SSID through Radius servers.
    If I'm not wrong, this feature has not been supported anymore (for several years) on WLC.
    Dynamic VLAN assignment is an alternative way to control user access to a given VLAN. It simplifies the architecture, because only one SSID is needed and the user traffic is then redirected to the right VLAN. But there is an important issue with it: since only one SSID (and BSSID) is used, broadcast packets from all VLANs are transmitted to everybody. It is an issue when some services use broadcast to announce their features (IPv6 autoconf, Bonjour, and so on).
    So the question is if a working alternative to SSID av-pairs exists.
    Thanks.     

    To be honest, I have never heard of this SSID av-pair ever working in wireless :)
    You would need at least two SSIDs, and the RADIUS server would need the ability to send a CoA to disassociate the device so that the device would join the other SSID. The RADIUS server would also have to push out the wireless profile to the client for the SSID they need to associate to. This can be done using Cisco ISE, but not Microsoft RADIUS or even Cisco ACS.
    You can still use AAA override to place devices on specific VLANs, and use the WLC to allow Bonjour or use ACLs to filter what you don't want going out of the VLAN. The WLC has Bonjour capabilities, and thus you can specify that on the interface and not on the WLAN. Of course there are limitations, but with newer requirements there is no one answer. You might be able to meet certain requirements, but others you will have to sort of figure out.
    -Scott

  • VLAN Assignment of SSID using Cisco AV Pair or Dot1x ?

    Hi.
    I am looking to set up wireless access to two of my internal VLANs. I am using a Cisco 1130AG, PEAP and RADIUS for the authentication, as one network is for employees only and one is restricted to guests only.
    I was wondering which was the most recommended solution.
    1. To have 2 SSIDs, with one in each VLAN with the access restricted using the Cisco AV Pair attribute in RADIUS
    or
    2. Use one SSID and use Dot1x and the Tunnel attribute to assign the VLAN?
    This option I feel is more complicated, and I am still unsure how this works in reality, as the SSID itself can only be part of one VLAN?
    Do I have to configure a Dot11Radio and FastEthernet subinterface for each intended VLAN in this case?
    Could someone please explain and suggest their preferred option.
    Thanks.

    You should have two ssid's one for your internal and one for guest. You should use 802.1x for your internal and your guest should be open with a Login page of some sort. You can still use dynamic vlan assignments so that your internal users who try to access the guest page will be put on the internal vlan. Of course the guest will always be placed on the guest vlan. If you have a WLC, the login page and setup is easier, because in autonomous you will have to use something like ZoneCD for guest if you want a HotSpot type wifi.

  • Server 2008 R2 RADIUS Server with a Cisco Aironet 1040 Wireless AP

    I am trying to get a Server 2008 R2 RADIUS server to work with a Cisco Aironet 1040 wireless AP. I have installed the RADIUS server by MS standards and performed some searches on Google to configure the Cisco Aironet. I see others using a Wireless LAN Controller, which I do not have. I found this post below:
    https://supportforums.cisco.com/discussion/11546056/wlc-2504-radius-2008-r2-server
    But I have yet to locate a good step-by-step document on how to set it up. I have found so many different ways that others have set it up, but none have worked yet. I am having authentication issues that I know of, I do not see any errors in the Windows Event Viewer, and I do not know where the Access Point stores its logs for any sort of error. Keep in mind this is the first time I am doing this. I do not have a Wireless LAN Controller, and all my network/domain services are on individually built servers, not on one single server as I have seen with most of the documentation, which all says the same thing by putting Certificate Services, Domain Services (AD/ADS, etc.) and NPS together. I do not want that configuration, and my setup should not be any different, but something is not right. I know from reading that this is not rocket science, but for someone who has never done it before this is difficult, as I keep reading on and so many people do it different ways, including what I have been reading according to what Cisco says to configure in the environment. Does anyone know where I can find good step-by-step documentation, along with where I can look for logs on either device? I find that all the documentation I see on Cisco's website and from searching is old and outdated and has not been updated in a long time, so it is hard to determine what works and what does not. I am stumped here and have been doing this for several weeks now with no luck. Thank you in advance.

    I did configure the Server 2008 R2 RADIUS Server using this video below: 
    https://www.youtube.com/watch?v=g-0MM_tK-Tk
    I also referenced Technet to make sure it was configured correctly as well. I am still not sure if I am 100% setup correctly on the Windows Server side, but I for sure want to make sure I have the AP side setup correctly. Do you know of a better article for the Windows Server 2008 R2 setup? Does it matter that I do not have all the services installed on the same server? Instead I have them installed on multiple servers.
    I have image c1140-k9w7-tar.124.25d.JA1 on the AP. The part that confused me in that article, which I have seen before, was the part about "Setting up access point must be configured in the authentication server as an AAA client." What is the AAA client? I also am not aware of having Cisco Secure ACS anywhere built into the AP, as that part threw me off completely. Do I need to skip these steps? Thank you for your help on this.

  • Error in Cisco 2500 series Wireless Controller

    I have this error in a Cisco 2500 series Wireless Controller.
    The AP type is Cisco AIR-CAP35021-A-K9.
    I can't connect the client to the AP; when I try to connect I get this error on the Cisco 2500 series Wireless Controller, but the AP does get an IP.
    Please can anyone help me.
    Client Excluded: MACAddress:Base Radio MAC : Slot: 0 User Name: unknown Ip Address: unknown Reason:802.11 Association failed repeatedly. ReasonCode: 

    Duplicate posts.  
    Go here:   http://supportforums.cisco.com/discussion/12142556/cisco-2500-series-wireless-controller

  • Cisco serie 5500 wireless controller

    Hi,
    We have a Cisco 5500 series wireless controller, software 7.4.110.0. Our SSL certificate expires in 2 weeks; we purchased a new one, but SHA-1 fingerprints are no longer supported and now we must apply SHA-2. Does our controller support SHA-2?
    Thanks and kind regards

    Yes, the WLC supports SHA-2.
    If you do not want users to connect to a web page using a browser that is configured with SSLv2 only, you can disable SSLv2 for web authentication by entering the config network secureweb cipher-option sslv2 disable command. If you enter this command, users must use a browser that is configured to use a more secure protocol such as SSLv3 or later. The default value is enabled.

  • Cisco-av-pair

    Hi all,
    I'm trying to configure ACS RADIUS and a PIX to work as a cut-through proxy.
    I want to set up some ACLs to allow a certain type of traffic for some users and another type for others.
    I tried with downloadable ACLs but it doesn't work (could it be caused by a bug in the IOS?); now I'm trying to set it up with cisco-av-pair and I have another problem.
    If I write
    ip:inacl#1=permit tcp any any
    ip:inacl#2=permit udp any any
    ip:inacl#3=permit ip any any
    ip:inacl#4=permit icmp any any
    ip:inacl#5=deny tcp any any
    it works fine, but if I configure this one
    ip:inacl#1=permit tcp any any eq 20
    ip:inacl#2=permit udp any any eq 20
    ip:inacl#3=permit ip any any eq 20
    ip:inacl#5=permit tcp any any eq 21
    ip:inacl#6=permit udp any any eq 21
    ip:inacl#7=permit ip any any eq 21
    ip:inacl#8=permit tcp any any eq 80
    ip:inacl#9=permit ip any any eq 80
    ip:inacl#101=deny tcp any any
    ip:inacl#102=deny ip any any
    ip:inacl#103=deny udp any any
    the PIX denies everything.
    What is the mistake?
    Thanks in advance.

    Try...
    ip:inacl#101=permit tcp any any eq 20
    ip:inacl#102=permit udp any any eq 20
    ip:inacl#103=permit ip any any eq 20
    ip:inacl#104=permit tcp any any eq 21
    ip:inacl#105=permit udp any any eq 21
    ip:inacl#106=permit ip any any eq 21
    ip:inacl#107=permit tcp any any eq 80
    ip:inacl#108=permit ip any any eq 80
    ip:inacl#109=deny tcp any any
    ip:inacl#110=deny ip any any
    ip:inacl#111=deny udp any any
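    A small validator for ip:inacl# av-pair lists, added here as an example; it is not code from this thread, and the PIX's own parser remains the authority on what it accepts. It checks that every line is a well-formed ip:inacl#N=<ace> pair with unique, increasing sequence numbers, that port operators (eq, gt, lt, neq, range) only appear on tcp and udp entries, and it warns about entries that can never match because an earlier "<proto> any any" entry without a port match already covers them. The sample input is the poster's second list, copied from above; the check categories and messages are my own.

```python
"""Validate cisco-av-pair ip:inacl# lists before pushing them from RADIUS (added example)."""
import re

KEY_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")
PORT_OPS = {"eq", "gt", "lt", "neq", "range"}
PORTED_PROTOS = {"tcp", "udp"}        # protocol keywords that take a port operator
ACTIONS = {"permit", "deny"}

# Sample input: the poster's second list, as posted above.
POSTED_LIST = [
    "ip:inacl#1=permit tcp any any eq 20",
    "ip:inacl#2=permit udp any any eq 20",
    "ip:inacl#3=permit ip any any eq 20",
    "ip:inacl#5=permit tcp any any eq 21",
    "ip:inacl#6=permit udp any any eq 21",
    "ip:inacl#7=permit ip any any eq 21",
    "ip:inacl#8=permit tcp any any eq 80",
    "ip:inacl#9=permit ip any any eq 80",
    "ip:inacl#101=deny tcp any any",
    "ip:inacl#102=deny ip any any",
    "ip:inacl#103=deny udp any any",
]


def parse_ace(ace: str) -> dict:
    """Split '<action> <proto> <src> <dst> [op port...]' into its parts.
    Addresses are 'any', 'host X', or 'addr mask'. Raises ValueError on junk."""
    toks = ace.split()
    try:
        action, proto = toks[0], toks[1]
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")

        def take_addr(pos):
            if toks[pos] == "any":
                return "any", pos + 1
            if toks[pos] == "host":
                return ("host", toks[pos + 1]), pos + 2
            return (toks[pos], toks[pos + 1]), pos + 2

        src, pos = take_addr(2)
        dst, pos = take_addr(pos)
        op, ports = None, []
        if pos < len(toks):
            op = toks[pos]
            if op not in PORT_OPS:
                raise ValueError(f"unexpected token {op!r}")
            ports = toks[pos + 1:]
            want = 2 if op == "range" else 1
            if len(ports) != want:
                raise ValueError(f"'{op}' needs {want} port value(s)")
    except IndexError:
        raise ValueError(f"truncated ACE: {ace!r}") from None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "op": op, "ports": ports}


def validate_inacl(lines):
    """Return (errors, warnings). Errors are lines that are malformed; warnings
    are entries that are well-formed but unreachable given earlier entries."""
    errors, warnings = [], []
    seen, last = set(), -1
    covered = set()   # protocols already matched by an unconditional '<proto> any any' entry
    for line in lines:
        m = KEY_RE.match(line.strip())
        if not m:
            errors.append(f"not an ip:inacl#N=<ace> pair: {line!r}")
            continue
        seq, ace = int(m.group(1)), m.group(2)
        if seq in seen:
            errors.append(f"#{seq}: duplicate sequence number")
        elif seq < last:
            errors.append(f"#{seq}: sequence number decreases (previous {last})")
        seen.add(seq)
        last = max(last, seq)
        try:
            e = parse_ace(ace)
        except ValueError as exc:
            errors.append(f"#{seq}: {exc}")
            continue
        if e["op"] and e["proto"] not in PORTED_PROTOS:
            errors.append(f"#{seq}: '{e['op']}' port match is only valid for tcp/udp, not {e['proto']}")
        if "ip" in covered or e["proto"] in covered:
            warnings.append(f"#{seq}: unreachable, an earlier 'any any' entry already matches {e['proto']}")
        if e["src"] == "any" and e["dst"] == "any" and e["op"] is None:
            covered.add(e["proto"])
    return errors, warnings


if __name__ == "__main__":
    errs, warns = validate_inacl(POSTED_LIST)
    print("\n".join(errs + warns))
```

    Run against the posted list it reports the three "permit ip ... eq" entries as errors and the final "deny udp any any" as unreachable behind "deny ip any any"; run against the poster's first, working list it reports no errors, only unreachable-entry warnings for the lines after "permit ip any any".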

  • LMS , AAA via Radius and cisco AV pair

    We are trying to authenticate users on a CiscoWorks LMS 2.6 server using RADIUS.
    Is there a RADIUS vendor-specific attribute that can be used to make the authenticated user part of the admin groups?
    Ex: a Cisco-AV-pair, "LMS":groups="Network Administrator"
    I have tried a few, but none seem to work, and I haven't found documentation on this.

    No, it is pure authentication that is done.
    There is no way to select a role in LMS based on an AV pair.
    With tacacs+ something like that is possible.
    Cheers,
    Michel

  • Does Cisco NAC support Wireless LAN?

    Hi There
    I know Cisco NAC supports wireless LAN. I have deployed this myself with various brands of autonomous APs. These work fine only in in-band mode, not in out-of-band mode.
    However, Cisco did mention that for Cisco APs, with Cisco NAC and Cisco switches, out-of-band is supported. I tried this today, and either Cisco is wrong, which is highly unlikely, or I did not configure either the NAC portion or the Cisco AP correctly, which is most likely. I wonder where I went wrong? Please, somebody, advise me on this.
    Regards,
    Ram

    Hi Ramraj,
    You can do out-of-band with Wireless deployments now, however you must have a Wireless Lan Controller managing your APs. You cannot do it with standalone APs.
    The guide below goes through most of the configuration:
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml
    Thanks,
    Nate

  • Cisco Aironet 1400 Wireless Bridge

    Shanky and other NetPros,
    Good morning. Shanky, I read your review of the Aironet 1300, and I was quite impressed. Have you or anyone else done a review of the Aironet 1400 Wireless Bridge?
    I am putting myself into a position to attend the wireless course offered by my local CNAP college. Until I can get into that class, would someone point me in the direction of some good whitepapers or extended documentation (200+ pages) to bring me up to speed with administration and support of these devices? At my organization, we had a very competent vendor do the install, and we are bringing the management company that manages our lease for Cisco routers and switches into the management of the 1400s. I will obviously not be alone. I would like to understand these devices at the level of the folks that I will be calling to troubleshoot. I suspect that I will be fully managing these devices when our lease expires in three years.
    Furthermore, does anyone have information on the evolution of the CNAP Wireless course? The Cisco Wireless LAN Support Specialist designation (WLANFE) appears to be discontinued. Does anyone know of the future of any of the CNAP Wireless programs or if a new program is in development? Thank you, and I hope to continue learning from your experience and knowledge.
    Regards,
    John

    Thank you, Beth. Your post was very helpful. I have printed the first two documents and added them to my documentation. Cisco has some very detailed documentation (200+ pages) for other pieces of hardware (switches and routers), and I was hoping there was similar documentation on how to implement, manage, and troubleshoot Aironet bridges, routers, and APs. I was looking for something to read that was newer than the textbook used in the Cisco Networking Academy wireless class, since the models described in that text are several generations older. Thank you for your assistance.

  • ZBF: Assign zone to interface via Cisco AV Pair

    Hello,
    I am terminating ADSL connections via an L2TP tunnel from a service provider and have configured Cisco AV Pairs to assign incoming sessions into different VRFs based on the username of the remote router. I am also using Zone Based Firewall configuration and need to also assign the created virtual access interface into a zone in the same manner as I am assigning VRFs.
    I am assigning VRFs like so:
    Cisco-AVpair+=ip:vrf-id=<vrf-name>
    I have tried assigning a zone with the following configuration but with no luck:
    Cisco-AVpair+=ip:interface-config=zone-member security <zone-name>
    Cisco-AVpair+=lcp:interface-config=zone-member security <zone-name>
    I have looked around but am unable to find a definitive list of Cisco AV Pairs to determine if there is one suitable specifically to assign a zone or a more generic AV Pair that can assign arbitrary configuration.
    Any help appreciated.
    Thanks.

    For anyone else who has a similar issue, I raised the issue with Cisco TAC and the solution was to use a Cisco AVpair of
    lcp:interface-config=zone security <zonename>
    I also had to add:
    aaa policy interface-config allow-subinterface
    Once I did this it worked a treat.

  • ACS - cisco-av-pair

    Hi Sir,
    I have some doubts about the cisco-av-pair attribute in ACS. I set up some ACLs in this attribute and hope this attribute can be sent from ACS to my PIX/ASA for filtering if a user passes the first authentication attempt. I found that this attribute is not installed in the PIX (when I checked the PIX using 'show access-list') even though the user passes the authentication. What is the reason?

    Hello,
    I am using ASA 8.0 software. I also tried the 'downloadable ACL' attribute, and that attribute does the job as its name says. But cisco-av-pair does not. Is there another possible reason?
    Thanks.

  • Cisco Prime for Wireless presentation

    Hi all,
    Does anyone have a power point slide for Cisco Prime in wireless? It would be great if i had something official to present.
    TIA,
    Nicos Nicolaides       

    There is a pretty comprehensive presentation on ciscolive365.com (free registration required). Have a look at session BRKEWN-2011 - Managing an Enterprise WLAN with Cisco Prime Infrastructure (2013 Orlando).
