ISE 1.2, Supplicant configured for 802.1x but need to MAB

I posted this yesterday but deleted the thread thinking I had fixed the issue - alas I was wrong. In summary I have a scenario where I am doing wired 802.1x and also wired MAB/CWA. The issue is that a certain number of external/BYOD hosts have supplicants configured for 802.1x at their "home" organisations which for obvious reasons can't authenticate on this network. The idea is that MAB and CWA become a fallback but these hosts in question don't efficiently fail to MAB.
If the host has validate server certificates enabled (and doesn't have our root selected) then 802.1x fails and goes to MAB as per the tx timers etc. Hosts that don't validate certificates essentially fail authentication, abandon the EAP session and start new... this process seems to continue for a very long time.
Does anyone have any similar experiences and if so can you provide some info? I am looking into tweaking 802.1x port timers to make this fail quicker/better but am not confident this will fix the issue.
Thanks in advance

Maybe the held-period and quiet-period parameters would help. I would not change the TX period to anything shorter than 10 seconds. Every Cisco doc that I have ever seen has made this same recommendation, and I can tell you from experience you will have devices at times that will authenticate via MAB when you don't want them to if you decrease it lower than 10 seconds.
Read this doc for best practices including the timers listed below.
I hope this link works.  http://d2zmdbbm9feqrf.cloudfront.net/2014/eur/pdf/BRKSEC-3698.pdf
If not, go to www.ciscolive365.com (sign up if you haven't already) and search for
"BRKSEC-3698 - Advanced ISE and Secure Access Deployment (2014 Milan) - 2 Hours"
Change the dot1x hold, quiet, and ratelimit-period to 300. 
held-period seconds
Configures the time, in seconds, for which a supplicant will stay in the HELD state (that is, the length of time it will wait before trying to send the credentials again after a failed attempt). The range is from 1 to 65535. The default is 60.
quiet-period seconds
Configures the time, in seconds, that the authenticator (server) remains quiet (in the HELD state) following a failed authentication exchange before trying to reauthenticate the client. For all platforms except the Cisco 7600 series switch, the range is from 1 to 65535. The default is 120.
ratelimit-period seconds
Throttles the EAP-START packets that are sent from misbehaving client PCs (for example, PCs that send EAP-START packets that result in the wasting of switch processing power). The authenticator ignores EAPOL-Start packets from clients that have successfully authenticated for the rate-limit period duration. The range is from 1 to 65535. By default, rate limiting is disabled.

Similar Messages

  • I don't want Adobe to open up and be selected immediately. I work with iPhoto and Ipages etc and preview which needs to be my main application for my work , but need adobe reader for other files... how can I do this please?

    I don't want Adobe to open up and be selected immediately. I work with iPhoto and Ipages etc and preview which needs to be my main application for my work , but need adobe reader for other files... how can I do this please?

    loopiloo1 wrote:
    I don't want Adobe to open up and be selected immediately.
    Sorry, I don't understand this - you don't want Adobe [Reader] not to open when doing what?  On what operating system?

  • I have recently changed my email login password for my emails. I have managed to change them in the settings for my iPad but need to change the settings for my Mac computer but I cannot seem to do it. Help please

    I have recently changed my email login password for my emails. I have managed to change them in the settings for my iPad but need to change the settings for my Mac computer but I cannot seem to do it. Help please?

    Mail/Preferences/Accounts
    Use the - and + signs to delete or add your new Accounts
    see
    http://support.apple.com/kb/PH4928
    Mac 101
    http://support.apple.com/kb/index?page=search&src=support_site.kbase.search&locale=en_US&q=deleting%20mail%20accounts

  • Ok so I have a free-standing iSight cam, is it possible to use it with my white MacBook? And if so how do I go about it? I've tried researching for updates, drivers but need help.

    Ok so I have a free-standing iSight cam, is it possible to use it with my white MacBook? And if so how do I go about it? I've tried researching for updates, drivers but need help. Can someone give me some direction?

    jpatricio787 wrote: ... is it possible to use it with my white MacBook ?...
    OK so yes, but if, and only if:
    (1) your MacBook has a Firewire port (not all do)
        - and -
    (2) your old external iSight camera works (not all do)
        - and -
    (3) your MacBook is working properly.
    If you are not certain whether your MacBook model has Firewire, you can search MacBook Technical Specifications for your model.  Alternatively, check the  User Guide Manual that came with your MacBook for the information you need to be certain.
    If you are not certain that your old external iSight camera works, you can test it using the suggestions in this link.
    jpatricio787 wrote: ... if so how do I go about it ? ...
    Follow the instructions in your iSight User's Guide to connect and turn on the iSight.  Then launch the Apple app you want to use with your iSight.  If you need more information about using an app, search for "camera" (without the quote marks) in the Help menu choice for the app.
    jpatricio787 wrote:... Can someone give me some direction ?
    If you need more direction, post back the specifics of what you still need.  We will offer further direction based on the details of your reply.
    Message was edited by: EZ Jim
    Mac OSX 10.9.3

  • Class com.ibm.jsse.be configured for a TrustManagerFactory : Help needed

    Hi
    I am getting the following runtime error when trying for a HTTPS connection from my java code.
    Runtime Error : Class com.ibm.jsse.be configured for a TrustManagerFactory: not a TrustManagerFactory Action: 4 Class: com.americanexpress.teen.common.fis.FISInterface Method: getFISTestData(String fisURL) Exception:java.net.SocketException: Class com.ibm.jsse.be configured for a TrustManagerFactory: not a TrustManagerFactory
         at javax.net.ssl.DefaultSSLSocketFactory.createSocket(Unknown Source)
         at com.ibm.net.ssl.www.protocol.https.b.b(Unknown Source)
         at com.ibm.net.ssl.www.protocol.http.bs.a(Unknown Source)
         at com.ibm.net.ssl.www.protocol.http.bs.o(Unknown Source)
         at com.ibm.net.ssl.www.protocol.https.b.<init>(Unknown Source)
         at com.ibm.net.ssl.www.protocol.https.b.a(Unknown Source)
         at com.ibm.net.ssl.www.protocol.https.b.a(Unknown Source)
         at com.ibm.net.ssl.www.protocol.https.b.a(Unknown Source)
         at com.ibm.net.ssl.www.protocol.https.p.b(Unknown Source)
         at com.ibm.net.ssl.www.protocol.https.p.connect(Unknown Source)
         at com.ibm.net.ssl.www.protocol.http.bw.getInputStream(Unknown Source)
         at com.ibm.net.ssl.www.protocol.http.bw.getHeaderField(Unknown Source)
         at com.ibm.net.ssl.www.protocol.http.bw.getResponseCode(Unknown Source)
         at com.ibm.net.ssl.internal.www.protocol.https.HttpsURLConnection.getResponseCode(Unknown Source)
         at com.americanexpress.teen.common.fis.FISInterface.getFISTestData(FISInterface.java:2238)
         at org.apache.jsp._fisTestPage._jspService(_fisTestPage.java:112)
         at com.ibm.ws.webcontainer.jsp.runtime.HttpJspBase.service(HttpJspBase.java:89)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.ibm.ws.webcontainer.jsp.servlet.JspServlet$JspServletWrapper.service(JspServlet.java:344)
         at com.ibm.ws.webcontainer.jsp.servlet.JspServlet.serviceJspFile(JspServlet.java:669)
         at com.ibm.ws.webcontainer.jsp.servlet.JspServlet.service(JspServlet.java:767)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.ibm.ws.webcontainer.servlet.StrictServletInstance.doService(StrictServletInstance.java:110)
         at com.ibm.ws.webcontainer.servlet.StrictLifecycleServlet._service(StrictLifecycleServlet.java:174)
         at com.ibm.ws.webcontainer.servlet.IdleServletState.service(StrictLifecycleServlet.java:313)
         at com.ibm.ws.webcontainer.servlet.StrictLifecycleServlet.service(StrictLifecycleServlet.java:116)
         at com.ibm.ws.webcontainer.servlet.ServletInstance.service(ServletInstance.java:283)
         at com.ibm.ws.webcontainer.servlet.ValidServletReferenceState.dispatch(ValidServletReferenceState.java:42)
         at com.ibm.ws.webcontainer.servlet.ServletInstanceReference.dispatch(ServletInstanceReference.java:40)
         at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:61)
         at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.handleWebAppDispatch(WebAppRequestDispatcher.java:974)
         at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.dispatch(WebAppRequestDispatcher.java:564)
         at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.forward(WebAppRequestDispatcher.java:200)
         at com.ibm.ws.webcontainer.srt.WebAppInvoker.doForward(WebAppInvoker.java:119)
         at com.ibm.ws.webcontainer.srt.WebAppInvoker.handleInvocationHook(WebAppInvoker.java:276)
         at com.ibm.ws.webcontainer.cache.invocation.CachedInvocation.handleInvocation(CachedInvocation.java:71)
         at com.ibm.ws.webcontainer.srp.ServletRequestProcessor.dispatchByURI(ServletRequestProcessor.java:182)
         at com.ibm.ws.webcontainer.oselistener.OSEListenerDispatcher.service(OSEListener.java:334)
         at com.ibm.ws.webcontainer.http.HttpConnection.handleRequest(HttpConnection.java:56)
         at com.ibm.ws.http.HttpConnection.readAndHandleRequest(HttpConnection.java:618)
         at com.ibm.ws.http.HttpConnection.run(HttpConnection.java:439)
         at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:672)
    My application is trying to connect to https://xyz.com from Java code and I am getting the above exception.
    I tried connecting to "https://xyz.com" from my workspace via the WebSphere 5.1 server and my server is throwing the above exception. I have extended the ibmjsse provided by WAS 5.1 and am using it for connecting to the HTTPS URL.
    I feel the above problem might be due to network issues. Please help me in resolving the same.
    Thanks in advance !!!!!

    Steps I have done to ensure connectivity:
    Method A:
    1) I imported the pfx and CA certificates given by xyz.com in my web browser (IE)
    2) After that, I tried connecting to "https://xyz.com" from the browser and got a proper response.
    Method B:
    1) I updated the JRE cacerts with the CA certificate given by xyz.com
    2) Loaded the pfx keystore from my Java client code program, ran it as standalone Java code and got the proper response.
    My Java code:
    import java.io.*;
    import java.net.*;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.*;
    import java.security.*;
    import java.sql.Time;
    public class HTTPSConnect {
        public static void main(String[] args) {
            URL url;
            StringBuffer buffer;
            String line;
            int responseCode = 0;
            HttpsURLConnection connection = null;
            InputStream input;
            BufferedReader dataInput;
            // FIS Sample URL
            String fisURL = "https://xyz.com";
            String fisResp = "";
            try {
                Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
                System.setProperty("javax.net.debug", "all");
                // Client certificate (PKCS#12) presented during the TLS handshake
                String path = "F:\\MyCertificate.pfx";
                String type = "pkcs12";
                String password = "abc123";
                System.setProperty("javax.net.ssl.keyStoreType", type);
                System.setProperty("javax.net.ssl.keyStore", path);
                System.setProperty("javax.net.ssl.keyStorePassword", password);
                url = new URL(fisURL);
                // Create the connection
                connection = (HttpsURLConnection) url.openConnection();
                connection.setUseCaches(false);
                // Get the response code for the HTTPS connection
                responseCode = connection.getResponseCode();
                if (200 == responseCode) {
                    buffer = new StringBuffer();
                    // Getting the FIS Response XML using the stream reader
                    input = connection.getInputStream();
                    dataInput = new BufferedReader(new InputStreamReader(input));
                    while ((line = dataInput.readLine()) != null) {
                        buffer.append(line);
                        buffer.append('\n');
                    }
                    dataInput.close();
                    fisResp = buffer.toString().trim();
                } else {
                    System.out.println("HTTP Status-Code : " + responseCode);
                }
            } catch (MalformedURLException mue) {
                System.out.println("Exception in URL : " + mue.getMessage());
                mue.printStackTrace();
            } catch (IOException ioe) {
                System.out.println("IO Exception : " + ioe.getMessage());
                ioe.printStackTrace();
            } catch (Exception e) {
                System.out.println("Exception : " + e.getMessage());
                e.printStackTrace();
            }
            System.out.println("FIS XML Response : " + fisResp);
            System.out.println("Response Code of HTTPS Connection : " + responseCode);
        }
    }
    Please let me know if i am missing something :)

  • ISE Endpoint Identity Group assignment for 802.1x clients

    Hello
    I'm using ISE 1.3 to 802.1x authenticate AD PCs (machine and user with AnyConnect NAM) and to profile/MAB IP phones, printers, APs etc.
    Phones are profiled (EndPointSource of SNMPQuery Probe) and are placed automatically in the correct Identity Group.
    AD PCs aren't profiled and are listed under Endpoints with the Endpoint Profile of "unknown".
    To place AD PC's into a particular Identity Group, I created a Radius Profiling Policy to match on the Framed-IP-Address. This works well with the AD PC appearing in the correct Identity Group (with EndPointSource of RADIUS Probe).
    My questions are:
    A phone (profiled with EndPointSource of SNMPQuery Probe) consumes a Plus licence but an AD PC ("profiled" with EndPointSource of RADIUS Probe) does not - is this correct?
    Authenticated 802.1x AD PCs have other attributes (like AD-Host-Resolved-DNs) that I'd like to use to assign PCs to an Identity Group. I can't use these attributes with any of the ISE profilers - is there a way to assign an 802.1x authenticated client to an Identity Group at the authorisation stage rather than use the profiler?
    Thanks
    Andy

    Err, no. There is no provision in EAP-TLS, PEAP (CHAP), or even basic EAP to provide network information (e.g. IP address/mask/gateway/DNS/etc).
    There is also no provision in Windows 2k or XP interface management software to accept IP details for interface configuration via any wireless authentication protocol.
    peter

  • Radius configuration for 802.1X on Radiator

    Greetings:
    We are using Radiator 3.16 (http://www.open.com.au/radiator/) as our Radius server. It's working fine for VPN authentication.
    We're trying to use 802.1X on our wireless network. Does anyone have a Radiator config for using EAP-PEAP? We can't seem to figure the Radiator part out.
    Thanks.

    The IEEE 802.1x standard defines a client-server-based access control and authentication protocol that prevents unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated. Refer to this URL:
    http://www.cisco.com/en/US/partner/products/hw/switches/ps5023/products_configuration_guide_chapter09186a00805a64d7.html#wp1205506

  • ISE for Guest Auth but need traffic logs

    We have guests that visit our office and connect to the Guest WiFi. We want to implement ISE for the self-sign in portal. That would help us determine the user and have them accept the legal terms without involving IT.
    When a guest logs in and surfs the web, we want to track which websites they go to for legal purposes and hold that information for 18 months. I am not sure how I can achieve this second part.
    The guests may visit us 1 or 2 times every 6 months so using WSA with AD auth, for example, would not be ideal and that's why we like the ISE portal.
    We are using Cisco 5500 WLC's.
    Any help is appreciated.

    If your guests surf through an ASA firewall, you can send that firewall syslog to ise, and ise will correlate the logs with the guest users that are logged in, so you can track activity in ise. There is a report that is called something like "Guest Activity" where this will get collected.
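    The correlation the reply above describes, as an added Python example (not ISE code and not part of the original thread): firewall connection log lines are matched against a table of guest portal sessions by source IP and time, so each connection is attributed to the guest who held that IP when it was built. The session table and the syslog lines are constructed for the demonstration; the lines follow the ASA %ASA-6-302013 "Built outbound TCP connection" layout, which is the only message type parsed here. The example deliberately includes an address that is reused by a second guest and a connection that falls between the two sessions, because that unattributed traffic is what a retention requirement like the 18 months mentioned above makes you care about.

```python
"""Correlating firewall connection logs with guest portal sessions.

Added example, not ISE code and not from the original thread. The session table
and the syslog lines below are constructed; only %ASA-6-302013 'Built outbound
TCP connection' messages are parsed.
"""
import re
from datetime import datetime

# Constructed guest sessions as a NAC/AAA server would record them at portal login.
# 10.20.0.15 is deliberately reused by a second guest later in the day.
GUEST_SESSIONS = [
    {"user": "visitor01", "ip": "10.20.0.15", "start": "2014-05-12T09:00:00", "end": "2014-05-12T12:00:00"},
    {"user": "visitor02", "ip": "10.20.0.15", "start": "2014-05-12T13:00:00", "end": None},
    {"user": "visitor03", "ip": "10.20.0.22", "start": "2014-05-12T08:30:00", "end": "2014-05-12T17:00:00"},
]

# Constructed syslog lines; the last one is a teardown message and is ignored.
SAMPLE_LOG = """\
May 12 2014 09:15:02 fw01 %ASA-6-302013: Built outbound TCP connection 10001 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.20.0.15/50123 (198.51.100.1/50123)
May 12 2014 10:05:10 fw01 %ASA-6-302013: Built outbound TCP connection 10002 for outside:203.0.113.13/443 (203.0.113.13/443) to inside:10.20.0.22/50300 (198.51.100.1/50300)
May 12 2014 12:30:00 fw01 %ASA-6-302013: Built outbound TCP connection 10003 for outside:203.0.113.12/443 (203.0.113.12/443) to inside:10.20.0.15/50150 (198.51.100.1/50150)
May 12 2014 13:30:45 fw01 %ASA-6-302013: Built outbound TCP connection 10004 for outside:203.0.113.11/80 (203.0.113.11/80) to inside:10.20.0.15/50200 (198.51.100.1/50200)
May 12 2014 13:31:00 fw01 %ASA-6-302014: Teardown TCP connection 10004 for outside:203.0.113.11/80 to inside:10.20.0.15/50200 duration 0:00:15 bytes 8192 TCP FINs
"""

BUILT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-302013: "
    r"Built outbound TCP connection \d+ "
    r"for [\w-]+:(?P<dst>[\d.]+)/(?P<dport>\d+) \(\S+\) "
    r"to [\w-]+:(?P<src>[\d.]+)/\d+ \(\S+\)$"
)


def _ts(s):
    return datetime.strptime(s, "%b %d %Y %H:%M:%S")


def guest_for(ip, when):
    """Return the guest logged in from ip at time when, or None if no session covers it."""
    for s in GUEST_SESSIONS:
        if s["ip"] != ip:
            continue
        start = datetime.fromisoformat(s["start"])
        end = datetime.fromisoformat(s["end"]) if s["end"] else None
        if start <= when and (end is None or when <= end):
            return s["user"]
    return None


def correlate(log_text):
    """Return a list of (user or None, time, destination, port) per parsed connection line."""
    rows = []
    for line in log_text.splitlines():
        m = BUILT_RE.match(line)
        if not m:
            continue
        when = _ts(m["ts"])
        rows.append((guest_for(m["src"], when), when, m["dst"], int(m["dport"])))
    return rows


def activity_report(log_text):
    """Group destinations per guest; the None bucket holds traffic no session explains."""
    report = {}
    for user, when, dst, dport in correlate(log_text):
        report.setdefault(user, []).append(f"{dst}:{dport}")
    return report


if __name__ == "__main__":
    for user, dests in activity_report(SAMPLE_LOG).items():
        print(user or "<unattributed>", dests)
```

    The None bucket is the part worth alerting on in a real deployment: a connection from a guest address with no covering session means either the session table is incomplete or the address was used outside a portal login, and neither can be explained to a legal request 18 months later.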

  • Configuration for SCOT done but still the email not getting in outlook box

    Hi experts,
    I have done the SCOT, SCIF, SU01 settings and configuration but still I can't send email from SAP to Outlook,
    please suggest me what I have to do. I always get the error _express mail cannot be send due to the technical foult_. Please explain to me what I have to do.
    Thanks,
    Rajesh

    Hi Rajesh,
    The port is not open; that is why your SAP server is not able to communicate with the mail server, and that is why mail is not getting triggered from the SAP server to the mail server.
    Call your network guy and inform them that port 25 should be open from
    Source :- your SAP server IP address
    Destination :- mail server IP address.
    Thanks
    Anil

  • Appleworks Install CD only for System 9 but need X

    My AW 6 CD was made BEFORE System 10. It was loaded originally under Classic and finally upgraded to 10 on an older G-4. Later I transferred everything to an iMac with only System 10. After a crash I had to reinstall.
    What is the procedure to reinstall??
    Thanks

    Once you get AppleWorks reinstalled & updated to an OS X version, save a copy of the entire folder either by making an archive of it or saving it to another disk such as a CD or another hard drive. Then, should you ever need to reinstall AppleWorks again, all you have to do is copy that folder to your Applications folder.
    Peggy

  • Unable to click 'Set and save as my Active Configuration for this project'

    Environment: OWB 11.1.0.6 Client running on Windows XP Pro SP3 repository and targets on AIX (IBM UNIX).
    I have created a new Configuration under a specific Project and I'd like to make this configuration the default whenever I login and select this Project.
    There is a check box when I right click the Configuration and select 'Open Editor' that says 'Set and save as my Active Configuration for this project' but when I select the check box and try to click on 'OK' there is no response from the popup window and I have to click 'Cancel' to get out of the popup.
    Any ideas on why this is happening and how to get around it??
    Thanks very much.
    -gary

    Si
    Good catch!! Restarting the app???? What a waste of time!! :-(
    When I went back in the box was already checked! It must have known I was pissed at it!! :-)
    Thanks for the help.
    -gary

  • What is the recommended access port QoS configuration for 8900/9900 video enabled phones

    Hi all,
    we are currently starting to roll out some video enabled 9900 and 8900 phones in our network. In the past we did not use video and configured the access ports on our Catalyst 2960 switches with "auto qos voip cisco-phone". This however creates a policy which does not include a class-map to correctly handle the AF41 video traffic coming from those phones. I have thought about extending the autoqos policy with an AF41 class-map but am not sure if this is the right way to do it.
    That's what I have in mind:
    class-map match-all AUTOQOS_VIDEO_DATA_CLASS
      match ip dscp af41
    class-map match-all AUTOQOS_VOIP_DATA_CLASS
      match ip dscp ef
    class-map match-all AUTOQOS_DEFAULT_CLASS
      match access-group name AUTOQOS-ACL-DEFAULT
    class-map match-all AUTOQOS_VOIP_SIGNAL_CLASS
      match ip dscp cs3
    policy-map AUTOQOS-SRND4-CISCOPHONE-POLICY
     class AUTOQOS_VOIP_DATA_CLASS
       set dscp ef
      police 128000 8000 exceed-action policed-dscp-transmit
     class AUTOQOS_VIDEO_DATA_CLASS
       set dscp af41
      police 1500000 8000 exceed-action policed-dscp-transmit
     class AUTOQOS_VOIP_SIGNAL_CLASS
       set dscp cs3
      police 32000 8000 exceed-action policed-dscp-transmit
     class AUTOQOS_DEFAULT_CLASS
       set dscp default
      police 10000000 8000 exceed-action policed-dscp-transmit
    How do you guys do it ? Is there some documentation for this ? 
    Thank you for your kind help
    best regards
    Andreas

    Hi
    You have to keep this table in mind. Your configuration is fine if it is for SD video, but for HD video it is not OK; you have to change the video bandwidth to at least 5M.
    Traffic Type              Layer 2 CoS   Layer 3 IP Precedence   Layer 3 DSCP
    Voice RTP1                5             5                       EF
    Voice control             3             3                       AF31
    Video conference          4             4                       AF41
    Streaming video (IP/TV)   1             1                       AF13
    Data                      0-2           0-2                     0-AF23
    *Interactive Video "AF41" - Sensitive but can tolerate packet loss of about 1% and latency almost the same as voice.
    *Streaming Video "AF13" - Less sensitive - can tolerate about 4-5% packet loss and latency of about 4-5 seconds.
    *HD video conference will require between 5M and 16M, but SD video conference will use 384K to 1M.
    Note: Video QoS - if you assume that your video conference will use around 384K, you have to add 20% because video conference includes voice, so the total bandwidth is 460K.
    Kindly check the below link
    http://www.sdcug.com/wp-content/uploads/2011/04/Campus-QoS-for-Voice-and-Video.pdf
    Thanks
    please rate all useful information

  • Optimal configurations for webobjects using Java Monitor

    Can someone please let me know the optimal configurations for webobjects? We need details on the number of instances which can be created per cpu on the application server. Please also provide information on the thread configurations per instance in java monitor.

    I do need the threads to communicate. The fact is that I simplified the thing just to understand your responses better :). The real problem is more complicated. I have an arbitrary number of threads of two different classes. These threads have to access a shared resource (I used the boolean free). Moreover I have to give precedence to one of these two classes. So, I used two integers to represent two queues. The fact is that only the first thread to be run reaches the end. The others, I saw, reach the wait() method, but then they stop and the program does not finish.
    I mean that I thought this: the first thread to reach the wait() passes. Then, this first thread starts to use the resource (free becomes false). Every other thread which reaches the while(...) stops there (there is the wait()). Then the first process, at a particular time, releases the resource (free = true) and communicates this to another thread which was stuck at the wait() instruction (through the notify()). The problem I see is that every thread reaches the wait() and stops there. After the first one is finished, no more... The notify() does not give the monitor to another thread (which would find free = true). This is my problem. Do you understand?
    Many thanks for your answer anyway.

  • Cisco ISE for 802.1x (EAP-TLS)

    I work for a banking organization and security is an area that needs to be improved continuously. I am planning on implementing Cisco ISE for 802.1x together with a Microsoft PKI for certificate issuing and signing.
    I am currently trying to implement this in our test environment and I have managed to do a few basic bootstrapping tasks. I need someone to push me into the right direction as to how I can achieve what i am seeking.
    I will use Cisco 2900 series switches on the access layer and a few HP switches as well which support 802.1x.
    I want to configure the ISE to process authentication requests using 802.1x EAP-TLS (certificate based). All the workstations on the domain need to authenticate themselves using the certificates issued to them by the certificate issuing authority.
    I have already managed to get the PKI working and have rolled out the certificates on all the workstations in the test environment. I can't seem to configure the authentication portion on the ISE.
    I request that someone guide me or direct me to materials that can help achieve the above requirements. The guides available on the Cisco website are overwhelming and I can't seem to figure out how I am supposed to configure the authentication portion.
    My email: [email protected]
    Cheers,
    Krishil Reddy

    Hello Mubashir,
    Many timers can be modified as needed in a deployment. Unless you are experiencing a specific problem where adjusting the timer may correct unwanted behavior, it is recommended to leave all timers at their default values except for the 802.1X transmit timer (tx-period).
    The tx-period timer defaults to a value of 30 seconds. Leaving this value at 30 seconds provides a default wait of 90 seconds (3 x tx-period) before a switchport will begin the next method of authentication, and begin the MAB process for non-authenticating devices.
    Based on numerous deployments, the best-practice recommendation is to set the tx-period value to 10 seconds to provide the optimal time for MAB devices. Setting the value below 10 seconds may result in the port moving to MAC authentication bypass too quickly.
    Configure the tx-period timer.
    C3750X(config-if-range)#dot1x timeout tx-period 10
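    The timer arithmetic in this reply (3 x tx-period before MAB) and in the main thread's answer on held-period and quiet-period, worked through as a small Python model added here; it is not Cisco code and not from either post. It assumes the switch sends EAP-Request/Identity, retransmits it every tx-period, gives up after max-reauth-req (default 2) retransmissions and then starts MAB; that a supplicant which answers but fails authentication puts the port in HELD for quiet-period before 802.1X starts again; and that a failing EAP exchange takes one second (a constructed value). The configured fail action and other IOS settings are not modelled. The model reproduces the 90 s and 30 s figures quoted above for a silent host, and shows why a host whose supplicant keeps answering never reaches the timeout path at all, which is the symptom the original poster describes.

```python
"""Timeline model of an 802.1X authenticator port falling back to MAB.

Added example, not Cisco code and not from the original posts. It models only the
behaviour described in the thread; exchange_secs is a constructed assumption.
"""
from dataclasses import dataclass


@dataclass
class PortTimers:
    tx_period: int = 30       # dot1x timeout tx-period, seconds
    max_reauth_req: int = 2   # retransmissions of EAP-Request/Identity before giving up
    quiet_period: int = 120   # seconds the authenticator stays HELD after a failure


def time_to_mab_silent(t: PortTimers) -> int:
    """Seconds before MAB starts for a host with no supplicant (it never answers).

    First request at t=0 plus max_reauth_req retransmissions, each after a tx_period
    wait: (max_reauth_req + 1) * tx_period. Defaults give 90 s; tx-period 10 gives 30 s.
    """
    return (t.max_reauth_req + 1) * t.tx_period


def simulate(t: PortTimers, supplicant_answers: bool, horizon: int, exchange_secs: int = 1):
    """Return a list of (second, event) for one port until MAB starts or horizon passes."""
    events = []
    now = 0
    if not supplicant_answers:
        for _ in range(t.max_reauth_req + 1):
            events.append((now, "EAP-Request/Identity sent, no reply"))
            now += t.tx_period
        events.append((now, "802.1X timed out, MAB started"))
        return events
    # A supplicant that answers keeps 802.1X alive: each failed exchange is followed
    # by the HELD (quiet) period and then a fresh EAP exchange, so the timeout path
    # to MAB is never taken in this model.
    while now < horizon:
        events.append((now, "EAP exchange started"))
        now += exchange_secs
        events.append((now, "EAP-Failure, port HELD for quiet-period"))
        now += t.quiet_period
    events.append((now, "horizon reached, MAB never started"))
    return events


def failures_within(t: PortTimers, horizon: int) -> int:
    """Count the failed EAP exchanges a responding-but-failing host produces within horizon seconds."""
    return sum(1 for _, e in simulate(t, True, horizon) if e.startswith("EAP-Failure"))


if __name__ == "__main__":
    for name, timers in (("defaults", PortTimers()),
                         ("tx-period 10", PortTimers(tx_period=10)),
                         ("quiet-period 300", PortTimers(quiet_period=300))):
        print(f"{name}: silent host reaches MAB after {time_to_mab_silent(timers)} s; "
              f"failing supplicant: {failures_within(timers, 600)} failures in 10 min")
```

    Raising quiet-period (the 300 s suggested in the main thread) only reduces how often the failing host retries; in this model it never changes the outcome, because the fallback to MAB on timeout is reached only when nothing answers the EAP-Request/Identity. Lowering tx-period helps the silent host and does nothing for the answering one, which matches the original poster's doubt about timers alone.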

  • Configuring supplicant version for AP 1600

    Hi,
    I searched CCO on setting the supplicant version for a Cisco AP1600, but so far I could not find anything about it.
    So my question is: is it possible to set the 802.1x supplicant version on an AP1600 from version 3 (default) to version 1, because the other-vendor switch only supports EAPOL version 1?
    Kind regards,
    Michel      

    Please go through the guide for Configuring Authentication for Access Points:
    http://www.cisco.com/en/US/docs/wireless/controller/7.3/configuration/guide/b_wlc-cg_chapter_01000.html#d39425e2071a1635
