ISE 1.3 and wireless - which certification method would be best....

Scenario:
From the firewall perspective we have two ISE nodes on the internal network, running as admin/monitoring primary and secondary, and both as PSNs. The WLC is also on the inside; however, it has an interface for guest/untrusted device access which goes straight out to the internet, the DG being an interface on the firewall that is considered less secure.
There are two SSIDs, one using MAB for CWA and another using dot1x for user auth against an internal AD:
The CWA SSID is using that guest interface on the WLC, which goes to the firewall, and DHCP is being handed out by a server on that side of the network too; the DNS server being used is a public one. The Authz profile has been configured to use a static IP instead of the hostname, as the public DNS will not resolve it. A rule was configured on the firewall to allow access to the ISE server on port 8443 for the guest portal.
On the dot1x SSID side of things, it's been configured to use PEAP and MSCHAPv2 and requires an AD username and password to authenticate.
Query
Considering the CWA SSID uses an IP address for the server and the dot1x SSID uses the hostnames of the server, what would be the best way to resolve certificate trust issues, and what would be best to put in the CN and SANs? One wildcard cert seems like the way to go, but I'm not sure if this is going to be the best method with the Guest CWA using an IP.
Interested in what your thoughts are on this...
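Worked example, added here and not part of the thread: a small Python checker for the naming question above. It applies the standard TLS name-matching rules (RFC 6125 / RFC 2818): a dNSName SAN entry compares case-insensitively, a wildcard covers exactly one left-most label, and an IP literal such as the static address in the CWA redirect matches only an iPAddress SAN entry, never the CN or a wildcard dNSName. The hostnames `ise1.corp.example` / `ise2.corp.example` and the address `203.0.113.10` are constructed placeholders, not values from the thread.

```python
"""Decide whether a certificate's names cover a given reference identifier.

Added example, not from the original thread. Given a certificate's CN and
subjectAltName entries, report whether a client that connects by hostname
(dot1x SSID, FQDN in the RADIUS/EAP server identity) or by IP literal (CWA
portal redirect using a static IP) will find a matching name. Rules follow
RFC 6125 / RFC 2818. All names below are constructed placeholders.
"""
import ipaddress


def _dns_match(pattern, hostname):
    """Match hostname against a dNSName entry (or CN used as a DNS name).

    A single left-most wildcard label is allowed: *.corp.example matches
    ise1.corp.example but neither corp.example nor a.b.corp.example.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]            # ".corp.example"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def cert_covers(san_entries, reference, cn=None):
    """Return True if the certificate is acceptable for `reference`.

    san_entries: list of (type, value) tuples, type is "DNS" or "IP".
    reference:   what the client used to reach the server, a hostname or an
                 IP literal (e.g. the static IP in the CWA redirect URL).
    cn:          subject CN, consulted only when the certificate has no
                 dNSName entries at all (legacy fallback; many clients ignore
                 CN entirely once any SAN is present).
    """
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal matches only iPAddress entries; CN and dNSName never apply.
        return any(t == "IP" and ipaddress.ip_address(v) == ip
                   for t, v in san_entries)
    dns_names = [v for t, v in san_entries if t == "DNS"]
    if dns_names:
        return any(_dns_match(p, reference) for p in dns_names)
    return cn is not None and _dns_match(cn, reference)


# Constructed certificates: wildcard-only vs. explicit FQDNs plus an IP SAN.
WILDCARD_ONLY = [("DNS", "*.corp.example")]
WITH_IP_SAN = [("DNS", "ise1.corp.example"),
               ("DNS", "ise2.corp.example"),
               ("IP", "203.0.113.10")]      # TEST-NET-3 placeholder address


def report(san_entries, references):
    """Map each reference identifier to whether the certificate covers it."""
    return {ref: cert_covers(san_entries, ref) for ref in references}


if __name__ == "__main__":
    refs = ["ise1.corp.example", "203.0.113.10"]
    print("wildcard only :", report(WILDCARD_ONLY, refs))
    print("with IP SAN   :", report(WITH_IP_SAN, refs))
```

Run as-is, the wildcard-only certificate reports True for the FQDN and False for the IP literal, which is exactly the trust prompt a guest device shows when the portal redirect carries a bare IP; the second certificate lists the FQDNs as dNSName entries plus the portal address as an iPAddress entry and covers both. The same function can be pointed at SAN entries read from a real certificate (for example from `openssl x509 -noout -text`).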

Thanks Mark, this is essentially what I ended up doing. I set up a new SSID to onboard the devices, on which I force them to a sponsored guest type of portal. I ask them for AD credentials and then use the native supplicant to configure an EAP-TLS connection to the proper SSID.
I did find out, from Cisco TAC, that there is a new way to identify what VLAN the user should be put on. This is done in the Auth Profile. You can use the directive "Airespace-Wlan-ID".
In the provisioning process, I profile the device and check if it's a corporate asset or BYOD, then I check to see if it belongs to the proper AD group; it gets a specific provisioning profile which includes the proper SSID for the VLAN they want to connect to. I then created a WLAN for each of the VLANs and attached it to the right interface on the WLC. I created appropriate ACLs on the WLC, then I named those ACLs in the Authorization profile.
When the user goes through the provisioning process, they will be put on the proper WLAN based on AD membership and the type of device. Only EAP-TLS connections are allowed on the Corp/Demo and BYOD networks.
If user1 belongs to the Demo and BYOD AD groups, their laptop will provision on the Demo network and their iPhone will provision on the BYOD.
The only gotcha is that if the user wants to change from one network to another, they need to re-provision their device.

Similar Messages

  • Which encryption method is the best way to secure the data transfer

    Hi ,
    I want to configure the Encryption between two cisco Wan routers(3845 & 3825).
    We use a 50MB leased line connection and transfer the data. I also configured QoS to limit the data transfer rate to 20MB on the same pipe and it's working fine. We also use the same pipe for trading purposes too. That's why I limit 20MB for data (copy) transfer between two hosts.
    Which encryption method should I use to secure the data transfer?
    Please kindly advise.
    Thanks,

    I would recommend AES256.
    I would also recommend a VTI tunnel vs. GRE/IPSec.  However, both, depending on your IOS, should support AES256.
    Encryption will demand more from your routers. I think the 3845 should be able to support 20 Mbps encrypted, not as sure about the 3825. (BTW, if you have a 50 Mbps LL, why are you limiting the transfer rate to 20 Mbps?)
    Also BTW, there's much involved in setting up encrypted tunnels for optimal performance.  Also see: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html

  • Which String method would be used to...

    Which string method (maybe it's not even a string method) would be used to change user input for example from:
    User input: Brandon Bell
    Changed to Bell, Brandon
    Thanks.
    Brandon Bell

    Which string method (maybe it's not even a string method) would be used to change user input for example from:
    User input: Brandon Bell
    Changed to Bell, Brandon
    Your question is very vague. What are the exact requirements? Are you assuming that the inputted string is a first name and a last name, separated by a space, and you want to change it to last name comma first name?
    If so, the methods indexOf and substring will be enough for a first, naive implementation. With that in place you might want to ask yourself:
    Will you allow the first name to have one or more spaces? Will you allow the last name to have one or more spaces? Etc, etc.

  • Just bought a new Canon Vixia HF R300.  It looks like I have basically two recording modes--either AVCHD or MP4.  I have a year old Mac Mini on Lion with increased ram.  I edit on iMovie and upload to You Tube.  Which recording mode would be best?

    Hi...
    I just bought a Canon Vixia HF R300 camcorder.  It looks like it gives me a choice of two recording modes AVCHD or MP4.  I will be uploading onto a year old Mac Mini with the Lion Operating system and increased ram.   I will be editing in iMovie '11 then uploading to You Tube.  Which recording mode should I use?  Obviously I'd like to get the best quality but I also want it to show well on You Tube.   What do you think?  Thanks for the help.  Bill

    Hi
    What program can you use to convert AVCHD to a DVD format?
    Share to File (in iMovie) - AND AS 480p - NOT Higher as DownScaling will be done badly.
    Use this file in iDVD or Roxio Toast™ or what DVD Authoring program You've got.
    To make a VIDEO-DVD You must use a DVD Authoring program - to get the right compression format AND Structure - It is a MUST.
    There are free alternatives, but the resulting DVDs have been far from the quality iDVD (and Toast™) will deliver.
    To get the best possible DVD, this also counts:
    - DVD brand used - I only Verbatim
    - DVD type used - I only DVD-R Single layer (4.7Gb)
    (DVD+R works for many and DVD-R/W usually don't work OK and Double Layer also are a problem to it self)
    - BURN SPEED - I set this as low as possible (usually x2)
    - Free Space on Start-Up Hard Disk - MATTERS - I never go less than 25Gb
    Good Luck
    Yours Bengt W

  • Which Adobe software would be best to create photo cards, Facebook templates and other?

    Looking for the best program to create things like photo cards and facebook timelines.
    I would like to be able to create a template so I can use different photos later.
    Currently learning Photoshop Elements 11.

    Flasheff is probably the most popular and glamorous
    http://www.flasheff.com/patternsshowcase/
    I have no experience using it, but the demos look pretty cool.

  • Which Mac Pro would be best for editing?

    I'm upgrading my editing system and I was wondering what type of computer would be best. Again, the system is used almost solely for editing film in regular def and high def. I'm wondering what processor speed would be best. Whether I should get a dual core or quad core and why? What are the bells and whistles that are not needed? Price is no obstacle, but I don't want to just buy the best if it isn't necessary.

    The amount of RAM is of more influence than the difference between the processor speeds of the Mac Pro models. RAM is not that expensive, so always put as much in as you can when using software that uses lots of memory. You're even better off using a slower processor with plenty of RAM than using one that is a little faster but has little RAM.
    Then there is the speed of the hard disk memory that will be your next bottleneck, especially when using video or other large files. All Mac Pro 2008 models have 4(!) drive bays you can shove more SATA HDs right into. Then use Disk Utility to configure them (2, 3, even 4!) as a RAID set, that is 2, 3 or 4 times as fast! Use the same type and size HDs for a set. Read up on RAID before you decide to use it. I use a striped RAID of 3 HDs and a 4th for a Time Machine backup of the RAID. They all fit nicely in the Mac Pro and HDs are not that expensive either.
    BTW Both RAM and HD's are cheaper when you buy them outside the Apple store, I'm sorry to say.

  • Which iMac config would play best with AP3

    I was in an Apple Store and a rep told me that Aperture 3 would even run great on a MacBook Air. Hmmm... I realize the Air is speedy, but really?
    I want to get a new iMac and want to purchase the machine that is configured best for things like AP3 and very occasional CS5 use. Do you think I need to buy the most expensive configuration with the 2GB graphics and i7? Obviously it would be the ideal, but like most, I'm on a budget. I don't want to end up regretting my purchase in a year either. Any thoughts from anyone?

    What's your current setup? Do you currently have Aperture on your iMac? How old is your iMac? Most likely any of the current crop of MacBook Pros will outperform your older iMac.
    So how best to target your money for best performance? Memory and disk can be upgraded by the user and are relatively easy procedures. You'll get more bang for your buck if you upgrade these after you get your Mac. Adding an SSD could give you a nice performance boost. While this too can be added after the fact, it's not as easy as the other two, so I would consider having the SSD installed.
    CPU and GPU of course can't be changed once you get your system.
    There's been some discussion of GPU performance and Aperture but nothing official. If you plan on doing any video work or gaming, bumping the GPU would be a plus and may carry over to improvements in Aperture.
    CPU would be last on my list. All the current crop of CPUs will run rings around the last generation. And Aperture (at least from my observations) is not particularly CPU intensive. If you're not also doing a lot of number crunching I'd put my money elsewhere.
    Just realized you're talking about a new iMac. You started out talking about MacBook Airs and I didn't read the rest of the post closely enough.
    Well, it all pretty much stands except the disk isn't really user upgradeable in the iMacs. A 1TB internal would be the smallest I'd go. But truthfully any of the new iMacs (even the 21.5 in 'entry level model') blows the socks off all the current iMacs.

  • Cable and wireless - which connection is used?

    Am up/downloading a lot of large files for my clients and would like the most stable internet connection - therefore thinking about hooking my Mac Pro up to the Internet via Ethernet cable. At the same time, I'm using Time Machine and am backing-up my files wirelessly.
    If connected both via cable and Wi-Fi, what connection will the Mac Pro use? Would I need to disable Airport in order for it to solely use the cable connection, which would mean I'd need to back-up to the Time Machine manually?

    If your TM backup drive is used wirelessly, then you can be on the Internet via Ethernet and backing up wirelessly at the same time. In Network preferences you would need to set Ethernet as your primary connection choice by moving it to the top of the list.

  • I want to develop textures, both building and clothing, for an online game I play. Which Adobe app would be best for me to download? I have Photoshop CC, just purchased it yesterday, and I am exploring

    I want to build textures both for building structures and clothing for a game I play online. I have Photoshop CC, no apps. What would be the best app to purchase and use?

    Open itunes, authorize itunes to your account, connect iphone, click File>Transfer Purchases

  • Buying new iMac, which graphics card would be best?

    I'm getting ready to buy a new iMac. I already have a 2010 27-in with a Radeon HD 5670 512 MB graphics (card? was built in as I remember). I need an additional iMac for my studio space and am deciding between the 21.5-in. w/ Intel Iris integrated graphics and the NVIDIA GeForce graphics models. I do photography and art related video projects with music (Final Cut, Photoshop CSS, Logic Pro).
    The 2010 iMac has worked fine for me. Which of the new iMacs would you recommend? Do I need extra dedicated graphics card or is the Intel Iris pretty comparable to what I've been getting with the Radeon?
    I wouldn't mind saving a couple of hundred dollars to use on other things like a back up drive, but if it's going to be a big difference I could spend the extra $ for the NVIDIA.
    I'm not a gamer BTW.
    thanks for your input, tech-heads!
    Christine

    Although the processor speed is slower, the i5 is much more efficient than the i3. In addition, the memory bus speed is faster than your 2010. The result is you will have a faster computer.
    Just for some performance numbers, here are the Geekbench scores for your current computer and the one you are considering (64 bit single core test score/64 bit multi core test score):
    2010, i3, 3.2 GHz iMac ---> 2086/4491
    late 2013, 21.5", i5, 2.7 GHz ---> 3172/10255

  • Which one upgrade would work best?

    I'm running 10.4.11 on an iMac FP G4 700 mhz, 512 mb, 40GB drive. I've been getting lots of application not responding, spinning beach balls, email slow to show up in mailboxes, choppy video, etc. Short of buying a new computer, I was debating what one thing I could try that might fix some of this. I could buy additional RAM to bring it up to 1 GB, get a faster internet connection (currently 5 mb cable, could go to 10 mb), or continue in my painful efforts to free more hard drive space (currently about 6 GB free). I'd appreciate it if anyone could comment on this. Thanks.

    A RAM increase is about all you can do. With only 512MB RAM, the system is using hard drive space for virtual RAM, which causes slowness. The choppy video is caused by your processor speed, bus speed and the limitations of your graphics card. My 1.25GHz G4 MDD model barely syncs the video & audio. I don't think increasing your internet speed will help materially.
    Look at these links
    Mac Tune-up: 34 Software Speedups
    http://www.macworld.com/article/49489/2006/02/softwarespeed.html
    52 Ways to Speed Up OS X
    http://www.imafish.co.uk/articles/post/articles/130/52-ways-to-speed-up os-x/
    Tuning Mac OS X Performance
    http://www.thexlab.com/faqs/performance.html
    11 Ways to Optimize Your Mac's Performance
    http://lowendmac.com/eubanks/07/0312.html
    The Top 7 Free Utilities To Maintain A Mac.
    http://mac360.com/index.php/mac360/comments/thetop_7_free_utilities_to_maintain_amac/
    Mac OS X: System maintenance
    http://discussions.apple.com/thread.jspa?messageID=607640
     Cheers, Tom

  • Which Creative Product would be best for

    So I need an mp3 player and portable photo storage unit with very specific features. I need it for my holiday (coz I don't want to take my Mac in case I lose it). I really like my Creative USB mp3 player and would like to get a Creative product to meet my needs.
    My requirements are below. Could anyone help me by letting me know if there is a Creative product that will do ALL of these things?
    Thanks in advance!
    - Can store photos on it without having to go through a computer. Either through an XD and Compact Flash II reader or directly from the camera through a USB input (prefer the latter option)
    - Colour screen so that I can see the pics
    - mp3 player that supports VBS rips
    - at least 30gig storage
    - Ability to charge with the cigarette lighter in a car (or have rechargeable batteries that can be charged with an in-car charger)
    - Standard headphone jack
    Also, if there is a function so that I can back up my photo files on the fly straight into my external 40GIG hard drive (without using a computer) this would be perfect.
    Thank you!

    Hi,
    I just read your post and maybe you might consider buying a Zen Vision W. This is a 4.3" Widescreen portable video player. It has the USB Host Feature which is you connect your digital camera and transfer photos on it without requiring a computer. It's available in 30GB and 60GB capacities. It plays music and videos, has a built-in FM radio, voice recorder and some more extras and it has Compact Flash Slot so you can store your pictures from your memory card. Go to this link for the full specs of this player...
    http://www.creative.com/products/product.asp?category=23&subcategory=24&product=575 2
    hope it helped you !
    ZenMaster2628

  • Sharing iTunes between wired and wireless Macs

    Hi,
    I have a Mac laptop connected wirelessly to an Airport Express -- which is wired to a desktop Mac Mini. I'm trying to share music but cannot. I've done all the proper settings in the iTunes preferences and the same in System Preferences -- I think -- on both computers, but on neither computer is anything showing in the Sources window. It says that there are no users online.
    Is there something in the System Preferences box that I'm missing? Should I turn the firewall off (I shouldn't need to, since I've checked the iTunes Sharing box)? Is the main problem here that you can't share music between a wired and wireless computer? (This would be a bit strange to me, but you never know.)
    One other thing. I was trying out the network and I can only get access to the wired Mini's Public folder as a Guest, not as a Registered User. Is there something very badly wrong here?
    Any suggestions welcome. Thanks.

    Thanks for the rapid response. All of those preferences, however, are already set properly (i.e., as you said) on both computers. When I try to go to the Network, I can access the wired desktop Mini's hard drive, but when I try to do it on the mini to get into the laptop's it can't find the afp. It just keeps searching but then says it doesn't exist. Not sure if this network-connectivity problem is relevant or not for this particular issue of iTunes sharing. Grateful for any advice.

  • Which EAP Method to Use?

    Hi.
    We are looking to implement 802.1x on our Wireless Network.  I need to support Windows XP and above, Apple Macs (maybe iPhones, etc) and some Linux.
    I would have liked to have used PEAP with EAP-MSCHAPv2, however I am stuck with ACS 4.2 backended into LDAP (Oracle IDM) and this won't support MSCHAPv2.
    We don't really want to spend anything on supplicants, so I'd like to know what method would be best for the spread of clients we have to support.
    Thanks
    Matthew

    Matthew:
    I think you knew the answer, that is why you mentioned that you don't wanna spend anything on the client side.
    Unfortunately, you will need to use the EAP-GTC (Generic Token Card) method in order to work with LDAP integrated with the RADIUS server.
    Cisco PEAP uses EAP-GTC, although this only works in a wireless environment, and Microsoft PEAP uses EAP-MSCHAPv2.
    ACS supports both methods, so the only option here is to use a GTC supplicant on the client side.
    In order to enable EAP-GTC, you can use either one of them:
    Cisco 350 card
    Cisco ACU utility
    HTH
    Regards,
    JK
    Plz rate helpful posts-

  • HDMI cable and wireless router for bluray

    Hi. We just purchased a Samsung Blu-ray player, model BD-C 6500. We want to connect it to our 46" Samsung LED TV and stream movies from Netflix. I was wondering which HDMI cable would be best to use to connect it? We also have a Netgear Rangemax router WPN824 v 2. Will it work or will we need to get a different one?

    Quote: That information is not 100% accurate. Although the "Hz" of the cable may not change, not every HDMI can support 'ethernet' passthrough or 3D capabilities.
    - - - - - But not every TV supports it either. Even cheap cables like those from Blue Jeans cable can and do support ethernet passthrough. I am not sure that 3D capabilities have anything at all to do with the cable. It certainly does not require greater bandwidth or greater overhead, or it cannot be broadcast on a single channel.
    Quote: Also, cheaper cables will have cheaper materials which means the tips can break more often.
    - - - - - Completely irrelevant. With proper care, cheaper cables will not have a higher incidence of "broken tips". I have never had a broken tip on any of my HDMI cables.
    Quote: Having a gold plated tip does allow for a more secure connection along with better soldering.
    - - - - - Actually, unless the device they plug into has gold plated connectors, then using a gold plated cable can actually promote corrosion in high humidity areas due to the dielectric effect. I know this...I live in Hawaii. I do not use gold plated cables unless the devices at both ends have gold plated connectors. Again, this is high school level stuff.
    Quote: And thirdly, cheaper cables tend to be "thinner" which typically means less insulation or 'shielding'. This of course is a negative side effect when running cables longer lengths.
    Can you cite a specific example of "thinner"? "Less Insulation"? "less shielding"? You do realize that since it is a digital signal, crosstalk is not an issue, so therefore shielding is irrelevant (except to market more expensive cables to those that do not understand the nature of HDMI protocols). You are not to blame...it is the way you are trained to believe, even though for the most part it is all hooey.
    Quote: If you buy something cheap, you're going to get what you pay for, end of story.
    - - - - - True. When I buy less expensive cables, I still get an HDMI cable that delivers the full HDMI signal and HDMI experience at a lower cost, allowing me to use that money to buy movies to watch. When you buy the more expensive cables, you are paying for flashier packaging, advertising, and non-features that seem to make the cable better. Perhaps you can find a knowledgeable cable technician, a broadcast engineer, or an installation specialist who is truly knowledgeable in real world use of HDMI, who is unswayed by the advertising schtick of the "super mega hyper cable" companies, who will take some time and sit with you and discuss the nature of digital signals and the HDMI protocol in particular. You might actually learn something that is real and honest. Again, it is not your fault. You are trained to believe that certain cables are "better" so that you can sell cables at higher prices and lower margins. It is just the way it is done in retail. In closing, I offer you a challenge. Connect the best Blu-ray player in the store to the best display you have in the store, but connect it through an HDMI switcher. On one side, put your most expensive super mega hyper cable, and on the other put a $9 cable from the internet or wally world. Have someone secretly switch between the two cables without your knowing which is which. You will be unable to tell a difference with your eyes or your ears. Nuff said.
