ISE,AD with TLS

Similar Messages

• Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-domain Q?

  Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-domain Q?
  Im trying to follow the trustsec 2.1 guide on IP Phones into LowImpact mode.
  I can get a PC on its own to authenticate via dot1x/tls
  I can get a Cisco IP Phone on its own to authenticate via MAB.
  When the two are on the same switchport, the phone will authenticate but not the PC.  ISE logs EAP timeouts.
  The switchport has the LowImpact port ACL of
  ip access-group ACL-DEFAULT in
  The IP Phone gets a dACL that allows it ok.
  I assume MAB phone and dot1x PC is supported?  Any ideas?
  Thanks in advance.

  The ISE log detailed steps are as follows:
  Steps
  11001  Received RADIUS Access-Request
  11017  RADIUS created a new session
  Evaluating Service Selection Policy
  15048  Queried PIP
  15048  Queried PIP
  15004  Matched rule
  11507  Extracted EAP-Response/Identity
  12300  Prepared EAP-Request proposing PEAP with challenge
  12625  Valid EAP-Key-Name attribute received
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12501  Extracted EAP-Response/NAK requesting to use EAP-TLS instead
  12500  Prepared EAP-Request proposing EAP-TLS with challenge
  12625  Valid EAP-Key-Name attribute received
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
  12800  Extracted first TLS record; TLS handshake started
  12805  Extracted TLS ClientHello message
  12806  Prepared TLS ServerHello message
  12807  Prepared TLS Certificate message
  12809  Prepared TLS CertificateRequest message
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  5411  No response received during 120 seconds on last EAP message sent to the client

• Send mail with TLS to MS exchange server

  Hi,
  last month I enabled an oracle wallet TDE for creating encription for TS.
  Today, development team needs to send mail to exchange server with TLS.
  So I found this procedure on oracle support Doc ID 1323140.1
  My question is, can I use the same wallet to send mails from db?
  The Oracle Database  11.2.0.3
  Or I need to implement a different type of wallet with certificate?
  Is there, in this case,  a procedure step by step?
  I have never implemented that and I'm very confused....
  Thanks in advanced

  Hi,
    For questions about the wallet set up you should try either -
  Database Security - General
  or
  General Database Discussions
  or perhaps the PL/SQL form as you are trying to follow one of their notes -
  PL/SQL
  Regards,
  Mike

• Synthetic Transactions Fail with TLS error

  Hi,
  Most of the test-cs cmdlets fail with the error: The operation failed due to issues with Tls. See the exception for more information.
  Inner Exception:CertificateInfoNative::AcquireCredentialsHandle() failed; HRESULT=-2146893043.
  Lync itself is working fine. 
  Any thoughts?

  Hi,
  Are you trying this command via remote power shell which is not exactly the lync server, if this is the case then with which user are you logged in, does this user have required permissions. also have a look in to this.
  http://social.msdn.microsoft.com/Forums/en-US/ucmanagedsdk/thread/ca0d7758-d51b-4728-be0f-ae2c222546eb and
  http://blog.greenl.ee/2009/03/25/troubleshooting-tlsexception-in-ucma-2-0-applications/
  If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

• What version of SQL Server support ssl connection with TLS. 1.2 (SHA-256 HASH)

  Hi,
  I just want to know,
  What version of SQL Server support ssl connection with TLS. 1.2 (SHA-256 HASH).
  if support already,
  how can i setting.
  plz.  help me!!! 

  The following blog states that SQL Server "leverages the SChannel layer (the SSL/TLS layer provided
  by Windows) for facilitating encryption.  Furthermore, SQL Server will completely rely upon SChannel to determine the best encryption cipher suite to use." meaning that the version of SQL Server you are running has no bearing on which
  encryption method is used to encrypt connections between SQL Server and clients.
  http://blogs.msdn.com/b/sql_protocols/archive/2007/06/30/ssl-cipher-suites-used-with-sql-server.aspx
  So the question then becomes which versions of Windows Server support TLS 1.2.  The following article indicates that Windows Server 2008 R2 and beyond support TLS 1.2.
  http://blogs.msdn.com/b/kaushal/archive/2011/10/02/support-for-ssl-tls-protocols-on-windows.aspx
  So if you are running SQL Server on Windows Server 2008 R2 or later you should be able to enable TLS 1.2 and install a TLS 1.2 certificate.  By following the instructions in the following article you should then be able to enable TLS 1.2 encryption
  for connections between SQL Server and your clients:
  http://support.microsoft.com/kb/316898
  I hope that helps.

• Why is PayPal still preferring a RC4 cipher with TLS 1.2? Is RC4 with TLS secure?

  My connection with Paypal is using RC4_128 as the preferred cipher with TLS 1.2. I was under the impression that RC4 was quite vulnerable and that AES-GCM is strongly preferred with TLS 1.2 as a more secure alternative? Am I incorrect? How much of a concern is this? thanks! 

  I'm no expert here so forgive me if I do not make sense. As I understand it and as you noted, TLS 1.2 with AES GCM is really the tour-de-force of a secure connection that best mitigates the chance of victimization (but enterprise clients are still progressively adopting it.) Maybe 12-18 months back I recall reading Microsoft urging enterprise clients to work in the direction of phasing out RC4, and immediately make RC4 at the bottom at the list of preferred ciphers due to fears of growing ease in exploitation (many of which were NOT necessarily instituted in practice but more 'theoretical targeting'. However, based on what you showed me, I am guessing this was said when CBC was assumed to be more secure than it is today (as was TLS 1.0/1.1). Some of Paypal's servers support GCM and those servers make AES GCM prioritized over RC4. However, from what I can tell not all PayPal servers support GCM. Based on what you are saying, does that mean Paypal is likely prioritizing RC4 over CBC on these servers given the recent demonstrations of how CBC is also vulnerable? If that is the case, hopefully they are moving in the direction of GCM. Whether Paypal likes it or not, they are a huge target (and therefore we are too ) While it's impossible to quantify, based on what you are saying it sounds like the risk here is still relatively low? Again, I'm not an expert on this but rather a guy who does research for a living and had a financial nightmare unfold because I never gave much thought to secure connections. One website, some obsolete cryptography, and the entering of the financial data you use to make purchases, **bleep** on earth broke. (I consider myself partly at fault due to my ignorance of assuming that a secure connection was a secure connection.) https://www.ssllabs.com/ssltest/analyze.html?d=paypal.com&s=23.203.228.56

• ISE deployment with subdomains

  Hi Experts,
  we have AD Architecture that parent domain and three subdomain as per the region, and ISE Administration/Monitoring Node will be in one subdomain and each region will have its ISE node with policy persona.
  looking for guidnace on how the ISE design will be, more precisly whic domain the PSN node will join, to their regional sub-domain?
  if yes its supported to have each PSN in their different sub-domain?
  Thanks         

  You  can palace PSN in regional sub-domain but you need to make sure that  all the regional sub-domain are are able to communicate with each other  with out any DNS and NAT issues.

• Cisco ISE integration with SMS passcode Device

  HI Experts,
  i have a scenario where the requirement is to integrate the ISE device with SMSpasscode device which will trigger the OTP to the mobile devices 
  Currently i have my authentication configured to work with the AD 
  When my VPN users connects  its authenticates against AD and the users get the access . 
  Now as per the new requirement once the user is authenticate against AD ,  the user should be prompted for the OTP password send to the users  using SMS passcode device 
  Anyone had worked on similar requirement please help me to resolve the issue .
  Thanks in advance 
  Angus

  Hi all
  I am working exactly for a month on this topic with no success.
  I need to integrate VASCO OTP solution. But VASCO do not support any external authentication backend for virtual/SMS token. Only passcode or local authentication.
  I need to implement an external authentication against LDAP somewhere...
  Gunnar, do CISCO clearly says it is not able to participate to such setup?
  So, my need would be to be able to insert in the flow an authentication in ISE against the LDAP.
  The flow is:
  WebApplication send login+password (LDAP) to ISE
  ISE checks the credentials and if it is OK forward the request to VASCO
  VASCO does not check for password but generate the OTP and send it via SMS
  VASCO replies with a access-challenge
  ISE forward the challenge to Web Application
  WebApplication send login+OTP response to ISE
  ISE forward to VASCO
  VASCO checks for OTP and replies to ISE with accept
  ISE forward to Web Application
  User is logged in...
  All the flow is working if the user enters a passcode
  I would like to implement a Identity source sequences where the user is checked again all the entries not the first match
  First LDAP then VASCO...

• ISE integration with Oracle LDAP

  Does ISE integrate with Oracle OID LDAP (Version 11G)? If yes, which version?

  ISE supports any LDAPv3 compliant servers

• ISE integration with Prime Infrastructure,

  Hi Team,
    I would like to know what are the advantages and Disadvantages of the ISE integration with Prime Infrastructre.Also  how the LAN, wifi, and identity management part (guest access etc) will work together.
  Cheers!!!
  Minakshi

  Prime Infrastructure manages the wired and the wireless clients in the network. When Cisco ISE is used as a RADIUS server to authenticate clients, Prime Infrastructure collects additional information about these clients from Cisco ISE and provides all client relevant information to Prime Infrastructure to be visible in a single console.
  When posture profiling is enforced in the network, Prime Infrastructure talks to Cisco ISE to get the posture data for the clients and displays it along with other client attributes. When Cisco ISE is used to profile the clients or an endpoint in the network, Prime Infrastructure collects the profiled data to determine what type of client it is, whether it is an iPhone, iPad, an Android device, or any other device.
  Cisco ISE is assisting Prime Infrastructure to monitor and troubleshoot client information, and displays all the relevant information for a client in a single console.

• Dreamweaver CS 5.5 not working with Godaddy FTP with TLS/SSL

  I've upgraded to CS 5.5 and tried to connect to a client's Godaddy account with FTP with TLS/SSL it fails.  Works perfectly with my mac app Transmit every time as it always has.   It doesn't work with implicit or explicit settings with authentication set to none or otherwise.
  Can someone please let me know if Dreamweaver will ever be compatible with FTP with TLS/SSL and Godaddy?  Or is there some setting I can try that will make it work now somehow?
  Been waiting years for this....

  SnakEyez02 wrote:
  First, that's a Godaddy problem if their security isn't up to par.
  That may be the case that Godaddy is also at fault, but every other FTP app I use with Godaddy works fine.  It's just Dreamweaver and has always been just Dreamweaver not working with a secure connection to Godaddy.  Considering Godaddy is the largest webhost in the USA, you'd think Adobe would have fixed this years ago.  I should also mention I'm not endorsing Godaddy and I understand there's plenty of people that don't like Godaddy for very good reasons.
  Sent you PM with FTP account with Godaddy yesterday.  Thank you for taking a look!
  UPDATE: Whoops, I see you responded via private message already.  I'll paste most of it here in hopes it helps others to understand the issue:
  via SnakEyez02 PM:
  Ok this took a lot of digging.  I won't say it's not a DW issue 100% and I will report a bug for your problem, but DW is not the problem alone Godaddy needs to share the blame here for a bad certificate.  Here is what is happening:
  I'll start with DW:
  - The settings are correct that were in the post.  Port 21, FTP explicit, and the authentication should be set to None (encyprtion only).  This is where the transmission is encrypted using SSL, but the certificate is shared and not specific to the domain owner.  That is the difference between DW's "none" and "trusted".  It's a poor choice of words I'll give them that.  However, Godaddy seems to want all connections to be trusted thus the other error you get when you turn on the None option.  Now could DW do what Transmit does, warn you and write in an unsigned certificate into the Keychain app, probably, is it best practice for security reasons to "Trust" an unsigned certificate probably not.
  Now Transmit:
  - As explained above Transmit opens up a prompt to override and create a fake-trusted signed certificate.  Thus by forcing the OS to think a legitimate certificate is there it gets you through albeit through unconventional methods.
  The problem:
  - A good portion of this problem lies with Godaddy.  Now I use a shared hosting account and set one up on an independant host for a friend of mine and both of them accept the shared certificates (SSL explicit).  The difference is the hostname of the certificate.  I ran a traceroute (from Network Utility in Utilities folder) on your website and came up with the following address: 173.201.23x.x.
  The problem is that the certificate on your server is actually not for that server which is the reason DW seems to have such an issue with it.  The SSL certificate that Godaddy put on your shared server is for host - 173.201.19x.5x.  As you can see, it's a certificate for another server.  Honestly the fact that Panic's Transmit allows this override scares me a little bit and the fact that Godaddy never noticed this issue either scares me to.  So while DW could write in a bad certificate I can see why this is happening.
  I know there is not much solice in my answer because it still doesn't alleviate the problem that you have with DW connecting.  Unfortunately I do not have a workaround despite my numerous attempts to try and gain access over a secure connection.  One alternative you could ask Godaddy for in the meantime is an SSH connection which would allow you to use SFTP instead of FTPS.  But that's a short-term solution to a long-term problem.
  If you think of anything else feel free to bounce any ideas off me I don't mind.  Good luck in getting this solved and I will post a bug report to make Adobe aware of the issue.
  Thank you for looking into this issue in depth like you have!
  I think the issue might be that Godaddy is applying cost saving measures to keep their prices down in the way they implement their certificates (but it also wouldn't surprise me to know it's simply ineptitude on Godaddy's part either).  I'm not sure I fault Panic with Transmit much at all because it clearly warns you about the certificate and it's your choice to continue.  And, as it stands now, it's much safer to continue to connect that way with Transmit than to stop and connect with no encryption at all at a public hotspot.
  As it stands now, you really shouldn't connect to Godaddy with Dreamweaver at a public hotspot unless you set up an SSH tunnel with your connection first.  But enabling SSH is an added expense in many ways including paying for the service, using more computer resources for tunneling and time setting it up and implementation... all because Dreamweaver won't just allow developers the option like Transmit does.
  Once again, thank you for looking at this and I hope someone at Adobe finally address this issue for the security of its customers who use Godaddy (which is often not their choice and was, instead, the choice of their clients to use Godaddy as a webhost).
  Just a side note, I contacted Godaddy support about this several years ago and they were unresponsive and even hostile about it  - So that's definitely another vote against Godaddy from me as well.
  Message was edited by: greenbluewave

• Cisco ISE Integrate with Airwatch

  Dears,
  I need a configuration guide or video how to integrate Cisco ISE with Airwatch. Please provide me this informations
  Thanks

  If you have a CCO ID, you may be able to see it here:
  ISE integration with AirWatch MDM
  If you cannot, you should be able to osk your Cisco AM for this.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• Securing FTP with TLS

  Hi,
  I am developing a secure FTP client.
  Is there any free API available in the market which I can be reuseable in my application?
  If not please provide me some link so that I can develope such API using JSSE API.
  FYI-I am following the Internet Draft, �Securing FTP with TLS� by Ford-Hutchinson,a specification for realizing RFC2228, �FTP Security Extension� using TLS.
  Thanks.

  hi friend,
  i'm also looking for free secure ftp api's for Java...
  if u know any, do let me know....

• Outlook 2010 IMAP connection problem and not work with TLS enabled

  Dear all,
  Need your help.  5 users of my customer Outlook 2010 suddenly popped error message "Your IMAP server closed the connection".  We checked that there is no problem in IMAP connection in Exchange 2007 server (SP3) (we tested with setup new
  account in another Outlook and able to connect, send and receive email).  
  We are able to workaround the problem of that 5 users by disabling TLS in account setting for SMTP to Exchange.  The users can then connect and able to send and receive. (however, in our testing above, there is no problem with TLS).
  Could you help to enlighten me what may be the cause of this situation?  
  Best Regards,
  Rayson Wong 

  Hi,
  Please click File > Account Settings > Account Settings > Select the IMAP account and click
  Change > More Settings button > Advanced tab, and then adjust the
  Server Timeouts slider bar to a longer time to check the result.
  Also make sure the SMTP server port number is set correctly.
  Please let me know the result.
  Regards,
  Steve Fan
  TechNet Community Support

• Send mail to exchange server with TLS

  Hi,
  last month I enabled an oracle wallet TDE for creating encription for TS.
  Today, development team needs to send mail to exchange server with TLS.
  So I found this procedure on oracle support Doc ID 1323140.1
  My question is, can I use the same wallet to send mails from db?
  The Oracle Database  11.2.0.3
  Or I need to implement a different type of wallet with certificate?
  Is there, in this case,  a procedure step by step?
  I have never implemented that and I'm very confused....
  Thanks in advanced

  Hi, I have implemented a new wallet with certificates (for test SMTP.gmail.com) and i'm tryied to use this procedure:
  DECLARE
  mailhost VARCHAR2(64) := 'smtp.mydomain.it';
  sender VARCHAR2(64) := '[email protected]';
  recipient VARCHAR2(64) := '[email protected]';
  wallet_pwd VARCHAR2(64) := 'welcome1';
  wallet_loc VARCHAR2(64) := 'file:/etc/ORACLE/FRMSSYST/SMTP/';
  user_name VARCHAR2(64) := 'HDC021319';  -- alias for '[email protected]'
  user_pwd VARCHAR2(64) := 'password';  -- password of [email protected]
  mail_connection utl_smtp.connection;
  BEGIN
  -- Make a secure connection using the SSL port configured with your SMTP server
  -- Note: The sample code here uses the default of 465 but check your SMTP server settings
  mail_connection := utl_smtp.open_connection(
  host => mailhost,
  port => 25,
  wallet_path => wallet_loc,
  wallet_password => wallet_pwd,
  secure_connection_before_smtp => FALSE);
  -- Call the Auth procedure to authorized a user for access to the mail server
  -- Schemes should be set appropriatelty for your mail server
  -- See the UTL_SMTP documentation for a list of constants and meanings
  UTL_SMTP.helo(mail_connection, mailhost);
  UTL_SMTP.STARTTLS(mail_connection);
  UTL_SMTP.AUTH(
  c => mail_connection,
  username => user_name,
  password => user_pwd,
  schemes => 'LOGIN');
  -- Set up and make the the basic smtp calls to send a test email
  utl_smtp.helo(mail_connection, mailhost);
  utl_smtp.mail(mail_connection, sender);
  utl_smtp.rcpt(mail_connection, recipient);
  utl_smtp.open_data(mail_connection);
  utl_smtp.write_data(mail_connection, 'This is a test message using SSL with SMTP.' || chr(13));
  utl_smtp.write_data(mail_connection, 'This test requires an Oracle Wallet be properly configured.' || chr(13));
  utl_smtp.close_data(mail_connection);
  utl_smtp.quit(mail_connection);
  END;
  This procedure, works fine if I try to send an email to smtp.gmail.com (I tried first with gmail with appropriate certificates), but now, when I try to send an email to the local enterprise Exchange server  I get this error:
  ERROR at line 1:
  ORA-29279: SMTP permanent error: 503 5.5.2 Send hello first
  ORA-06512: at "SYS.UTL_SMTP", line 54
  ORA-06512: at "SYS.UTL_SMTP", line 140
  ORA-06512: at "SYS.UTL_SMTP", line 439
  ORA-06512: at line 35
  Thanks in adavanced