ISE and Selfservice with single SSID
Hi, I have:
WLAN 2504 Controller with 7.2 Software
ISE 1.1.2
A single SSID with 802.1x Authentication
Today the wireless users are authenticated against a Cisco ACS. I want to switch to ISE and make use of the My Devices portal. I want to re-use my single SSID and don't want to do any provisioning.
- The user connects to the single SSID
- The user configures PEAP authentication on his device
- The user authenticates to an LDAP directory with username and password
- After successful authentication the user will be redirected to the My Devices portal
- He logs in with his LDAP credentials
- The MAC address of his current device is listed in the My Devices portal
- The user adds his device to the known devices list
- Manual reconnect to my SSID
Is this possible with ISE? Is there a how-to out there with exactly this scenario?
Kind regards
Hello Andreas,
WLC 2504 supports CWA, CoA & dACL.
This wireless controller also supports MAC filtering with RADIUS lookup. For WLCs that support version 7.2.103.0, there is support for session ID and COA with MAC filtering so it is more MAB-like. So it should fulfill your requirement and you can use single SSID.
For more detailed help review “Universal WLC Configuration Guide” & “ISE 1.1.x Network Component Compatibility” at the following location:
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_11_universal_wlc_config.pdf
http://www.cisco.com/en/US/partner/docs/security/ise/1.1.1/compatibility/ise_sdt.html
Regards,
Ashok
Similar Messages
-
Can I install Adobe DC on desktop and laptop with single subscription?
Hi,
A single subscription of Acrobat DC permits you two installations. You can easily install Acrobat DC on desktop and laptop.
Make sure you don't access them simultaneously.
Regards
Sukrit Dhingra -
Cisco ISE 1.1.1 - Single SSID
I'm working on our ISE implementation and these are my two goals.
1. Single SSID for BYOD users and corporate managed systems.
Login to the NAC agent if not part of the domain (EX: windows laptop not part of the domain joins the SSID, goes through the self service portal, downloads NAC agent, must login to NAC agent whenever joining network with AD credentials)
AD login required to join this SSID, no guests allowed
2. Guest SSID
Guest login only - requires sponsor
web agent required for windows machine
AV required
Current AV definitions required
Are these goals attainable, or am I better off going in a different direction? That is my first question.
Second, using the Cisco BYOD Smart Solution Guide (link at bottom of post): it mentions the single SSID as not being a complicated component, but it only runs through the dual SSID solution. What settings are needed for a single SSID? I'm using Open + MAC Filtering, but when the supplicant attempts to connect it doesn't work because it's looking for a WPA2 network with the same SSID name.
http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/byoddg.html
Single SSID is specifically mentioned here:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/byoddg.html#wp504735
David,
What the documentation did was create a condition which checks the SSID in the access-request:
Guest_Authz is a user-defined simple authorization condition for guests accessing the Internet via Web authentication through the WLAN corresponding to the open guest SSID. It matches the following RADIUS AV pair from the Airespace dictionary:
Airespace-Wlan-Id - [1] EQUALS 1
So when the user connects to the network they are connecting through the guest SSID, which has WLAN ID 1. You can either do that in your authorization rule right in the screenshot, or you can create this condition under the policy elements tab.
Thanks,
Tarik Admani
*Please rate helpful posts* -
Dynamic vlan assignment with single SSID
Hi All,
I have 300 APs deployed and concurrent client associations numbering 3000+ daily.
At the moment I have a single subnet for all users; there is no authentication, just a click-through
page with email entry to gain access.
The APs are assigned to groups based upon the building zone they are in. Is it possible to
assign a VLAN based upon the AP the user is associated to but still only broadcast a single SSID?
TIA
You can assign a dynamic VLAN for 802.1X authentication using AAA override from the RADIUS server.
In your case, since it is a web-consent SSID, you can use AP groups to put clients on different VLANs per AP group.
Sent from Cisco Technical Support iPhone App -
Dynamic SQL and Data with Single Quotes in it.
Hi There,
I have a problem in that I am using dynamic SQL and it happens that one of the columns does contain single quotes (') in it as part of the data. This causes the resultant dynamic SQL to get confused, as the single quote that is part of the data is taken to mean end of string, when in fact it's part of the data. This leaves a dangling single quote that was meant to enclose the string. Here is my dynamic SQL and the result of the parsed SQL that I have captured:
****Dynamic SQL*****
l_sql := 'select NOTE_TEMPLATE_ID ' ||
         'FROM TMP_NOTE_TEMPLATE_VALUES ' ||
         'where TRIM(LEGACY_NOTE_CODE)=''' || trim(fp_note_code) || ''' ' ||
         'and TRIM(DISPLAY_VALUE)=''' || trim(fp_note_text) || ''' ';
execute immediate l_sql INTO l_note_template_id;
Because the column DISPLAY_VALUE contains data with single quotes, the resultant SQL is:
******PARSED SQL************
select NOTE_TEMPLATE_ID
FROM TMP_NOTE_TEMPLATE_VALUES
where TRIM(LEGACY_NOTE_CODE)='INQ' and TRIM(DISPLAY_VALUE)='Cont'd'
And the problem lies with the single quote between the characters t and d in the data field for DISPLAY_ITEM. How can I handle this?
Many thanks,
I have been reliably informed that if one doesn't enclose char/varchar2 data items in quotes, the right indices may not be used.
I have been into Oracle for the past 4 years and for the first time I am hearing this.
Your reliable source is just wrong. Bind variables are variables that store your value and which are used in SQL. They are the proper way to use values in your SQL. By default all variables in PL/SQL are bind variables.
When you can do some thing in just straight SQL just do it. Dynamic SQL does not make any sense to me here.
Thanks,
Karthick. -
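An added example, not from any post in this thread, showing the same lookup written the way Karthick's reply recommends: the value is passed as a bind variable, so the quote inside "Cont'd" travels as data and never becomes part of the statement text. The same property is what stops untrusted input from rewriting the statement (SQL injection), so binding fixes both the quoting bug and the injection risk in one move. Table and column names are the ones from the question; the sample values and the local variable names are constructed for the example.

```sql
-- Added example (not from the original post): bind variables instead of
-- concatenating data into the SQL text.
DECLARE
  -- %TYPE keeps the variable in step with the column definition (assumed column types).
  l_note_template_id  TMP_NOTE_TEMPLATE_VALUES.NOTE_TEMPLATE_ID%TYPE;
  fp_note_code        VARCHAR2(50)  := 'INQ';      -- constructed sample input
  fp_note_text        VARCHAR2(200) := 'Cont''d';  -- constructed sample input containing a quote
  l_sql               VARCHAR2(4000);
BEGIN
  -- 1. Static SQL: PL/SQL binds the variables itself. No quoting, no escaping,
  --    and the parser can never mistake data for syntax.
  SELECT NOTE_TEMPLATE_ID
    INTO l_note_template_id
    FROM TMP_NOTE_TEMPLATE_VALUES
   WHERE TRIM(LEGACY_NOTE_CODE) = TRIM(fp_note_code)
     AND TRIM(DISPLAY_VALUE)    = TRIM(fp_note_text);

  -- 2. If the statement genuinely must be dynamic, keep placeholders in the
  --    text and supply the values through USING; the text never contains data.
  l_sql := 'SELECT NOTE_TEMPLATE_ID FROM TMP_NOTE_TEMPLATE_VALUES '
        || 'WHERE TRIM(LEGACY_NOTE_CODE) = :code AND TRIM(DISPLAY_VALUE) = :txt';
  EXECUTE IMMEDIATE l_sql
    INTO  l_note_template_id
    USING TRIM(fp_note_code), TRIM(fp_note_text);
END;
/
```

Either form resolves the "Cont'd" case; the static form is preferable whenever the table and column names are fixed, because it is also compiled and checked at package creation time rather than at run time.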
Sound Blaster Omni 5.1 - mute speaker and mic with single button push
Does anyone know if it's possible to configure the Omni to mute both speakers and the Omni's internal mic with a single button push using the hardware volume/mute button on the Omni? I have a scenario where I need to mute both quickly when a call comes in and it's a nuisance having to mute the speakers and mic separately.
Hi Tony,
Unfortunately there is no physical button to achieve that. Neither is there a software button to disable both speakers and mic at the same time.
Regards,
Colin-CL -
HCM forms and process with single workflow
Hi Experts,
Can we use single workflow for multiple form scenarios?
Actually we have some 10 scenarios with 20 forms. We planned to combine all the scenarios in a single workflow and use it in different form scenarios.
Is it possible, or do we need to create a separate workflow for each process?
Thanks in advance,
Help will be appreciated.
Thanks for the reply Rick.
For normal workflows it's fine. I would like to know whether HCM Forms and Processes will allow it or not.
The HCM Forms and Processes framework has some limitations. Please check the link below.
http://help.sap.com/saphelp_erp60/helpdata/en/42/f2cd04249b3268e10000000a1553f6/frameset.htm
So I doubt will it make any issues.
Thanks. -
Create and Edit with single button
Hi Experts
I am working in JDev 11.1.1.3.0.
I have an Employee table and I need to create Department information for that employee. Here I am using a single button for both create and edit.
Can you suggest an approach? I tried the approach described in the link below:
http://www.oracle.com/technetwork/developer-tools/adf/learnmore/45-decision-based-method-outcome-169187.pdf
But in my case my task flow is:
                         edit
Method call ----> Router -------------> Depart.jsff
                    |
                    |
                    v
               CreateInsert
<?xml version="1.0" encoding="windows-1252" ?>
<adfc-config xmlns="http://xmlns.oracle.com/adf/controller" version="1.2">
  <task-flow-definition id="emp-deprtment-config">
    <default-activity id="__11">navigateSrvChar</default-activity>
    <input-parameter-definition id="__8">
      <name id="__9">bidId</name>
      <value>#{requestScope.bidId}</value>
      <class>oracle.jbo.domain.Number</class>
    </input-parameter-definition>
    <view id="deprtment">
      <page>/jsffs/emp/deprtment.jsff</page>
    </view>
    <method-call id="navigateSrvChar">
      <method>#{DepartmentBean.editOrCreate}</method>
      <outcome id="__17">
        <fixed-outcome>navigateSrvChar</fixed-outcome>
      </outcome>
    </method-call>
    <method-call id="CreateInsert">
      <method>#{bindings.CreateInsert.execute}</method>
      <outcome id="__28">
        <fixed-outcome>CreateInsert</fixed-outcome>
      </outcome>
    </method-call>
    <router id="router1">
      <case>
        <expression>#{pageFlowScope.navigation == 'edit'}</expression>
        <outcome id="__18">edit</outcome>
      </case>
      <case>
        <expression>#{pageFlowScope.navigation == 'create'}</expression>
        <outcome id="__19">create</outcome>
      </case>
    </router>
    <control-flow-rule id="__23">
      <from-activity-id id="__24">navigateSrvChar</from-activity-id>
      <control-flow-case id="__27">
        <from-outcome id="__26">navigateSrvChar</from-outcome>
        <to-activity-id id="__25">router1</to-activity-id>
      </control-flow-case>
    </control-flow-rule>
    <control-flow-rule id="__29">
      <from-activity-id id="__30">CreateInsert</from-activity-id>
      <control-flow-case id="__32">
        <from-outcome id="__31">CreateInsert</from-outcome>
        <to-activity-id id="__33">deprtment</to-activity-id>
      </control-flow-case>
    </control-flow-rule>
    <control-flow-rule id="__6">
      <from-activity-id id="__7">router1</from-activity-id>
      <control-flow-case id="__12">
        <from-outcome id="__13">edit</from-outcome>
        <to-activity-id id="__10">deprtment</to-activity-id>
      </control-flow-case>
      <control-flow-case id="__15">
        <from-outcome id="__16">create</from-outcome>
        <to-activity-id id="__14">CreateInsert</to-activity-id>
      </control-flow-case>
    </control-flow-rule>
    <use-page-fragments/>
  </task-flow-definition>
</adfc-config>
But I am getting an error like: "The ADF Controller cannot find metadata for activity '/taskflows/emp/emp-deptment-config.xml#emp-deptment-config@router1'."
Any inputs would be highly appreciated.
Edited by: user642703 on Oct 20, 2011 5:33 AM -
Can I install Aperture on a Mac Pro and a laptop with a single licence from the Mac Store?
When I buy Aperture from the Mac Store for 54 pounds, can I install it on both my Mac Pro and laptop?
Excellent Thank you Niel:)
-
Using multiple wireless networks with Single sign on?
The university that I currently work for has switched from one wireless SSID to 2 separate SSIDs that separate the student users from the faculty/staff users. At this time only the Faculty Staff can log into STAFF and students can only log into STUDENT...
I have a few laptop carts that were setup for student use and have single sign on configured for the STUDENT wireless connection. The laptops are on the university's domain so that students have access to the home drives.
We run into problems when Faculty try to use a laptop to teach a class. They are unable to log in because their credentials are not authorized for the STUDENT wireless network.
So... Is it possible to set up 2 wireless profiles (STUDENT and STAFF) with single sign-on and give the user an option to choose from?
Hi,
Based on your description, I would like to suggest you use Group Policy to configure Wireless Network Settings:
Using Group Policy to Configure Wireless Network Settings
http://technet.microsoft.com/en-us/magazine/gg266419.aspx
Please follow the information from the link above to check the issue.
If it doesn't work, I recommend you initiate a new thread in our Windows Server Forum for further assistance.
http://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?category=windowsserver
Hope it helps.
Regards,
Blair Deng
-
ISE Single SSID BYOD - Windows Endpoint user experience
We are implementing wireless BYOD using Cisco ISE 1.2 and WLC 7.4x. We are using PEAP / MS-CHAP v2 for wireless security. We are able to on-board iOS, Android, and Mac OS endpoints using a single SSID, and native supplicant provisioning seems to work fine with these endpoints. We are having issues with Windows clients. On a Windows client, when the user selects the SSID, it prompts for userid/password, but never gets a pop-up for the server certificate. We are using a third-party public wildcard certificate on ISE for HTTP/EAP authentication. On ISE, we are getting: 12511 Unexpectedly received TLS alert message; treating as a rejection by the client.
12511 (EAP, severity Warn): Unexpectedly received TLS alert message; treating as a rejection by the client
Description: While trying to negotiate a TLS handshake with the client, ISE received an unexpected TLS alert message. This might be due to the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment. -
ISE 1.2 With WLC and AD
Hi everyone,
What are the steps and procedure to implement wired and wireless authentication with ISE, WLC and AD for a lab environment? Currently the following are done:
The wireless network is configured with 2 SSID (Staff and Guest)
Active Directory, DNS, DHCP, and NTP configured & synced.
ISE and AD running on C220 VMs, and WLC is 5760 Appliance.
Please provide your thoughts and assistance.
Regards
You have to implement dot1x and RADIUS between your NAD and the ISE device.
Using the switch 3850, these are the steps:
username RADIUS-HEALTH password radiusKey1 privilege 15
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
!this password will be used to communicate with ISE and to verify reachability
!between ISE and Switch
aaa server radius dynamic-author
 client 172.16.1.18 server-key radiuskey
 client 172.16.1.20 server-key radiuskey
ip domain-name lab.local
ip name-server 172.16.1.1
dot1x system-auth-control
interface GigabitEthernet1/0/3
switchport mode access
switchport voice vlan 50
switchport access vlan 10
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
ip access-list extended ACL-ALLOW
permit ip any any
!the comm between radius and ise will occur on these Port
ip radius source-interface Vlan100
logging origin-id ip
logging source-interface Vlan100
logging host 172.16.1.20 transport udp port 20514
logging host 172.16.1.18 transport udp port 20514
snmp-server community ciscoro RO
snmp-server community public RO
snmp-server trap-source Vlan100
snmp-server source-interface informs Vlan100
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
!defining ISE servers
radius server ISE-RADIUS-1
address ipv4 172.16.1.20 auth-port 1812 acct-port 1813
automate-tester username RADIUS-HEALTH idle-time 15
key radiusKey
Please be sure that NTP servers and time are synchronized.
Enable dot1x on the Windows machine, or use Cisco NAM.
You can enable debugging on AAA authentication to see the events.
You have to create this user on ISE (RADIUS-HEALTH).
3850#test aaa group radius <username> <password> new-code
and observe the result. The user is supposed to authenticate successfully.
You must also define these devices in ISE on the RADIUS side.
ip radius source-interface ..... use this interface's IP address to define the IP address of the NAD device in ISE.
Administration --> Network Resources --> Network Devices --> Add
Input the name
Input the IP address for RADIUS communication
Select the authentication settings and fill in the corresponding shared secret RADIUS key
Select SNMP settings and select version 2c.
SNMP community: ciscoro
You can customize the polling interval if you want, and that's all.
You are supposed to receive communication messages between your NAD and ISE.
After that you can do the procedure for the WLC device.
I will fill it in after you have passed the first steps (3850 authentication). -
LWA Guest Access with ISE and WLC
Hi guys,
Our company is trying to implement Guest Access with ISE and WLC using the Local Web Auth method. But there is a problem that comes up with the certificate. This is the scenario:
1. Guests try to connect wifi with SSID Guest
2. Once connected, guests open the browser and try to open a webpage (example: cisco.com)
3. Because guests didn't log in, it redirects to the "ISE Guest Login Page" (the URL becomes:
https://ise-hostname:8443/guestportal/Login.action?switch_url=https://1.1.1.1/login.html&wlan=Guest&redirect=www.cisco.com/
4. If there is no ISE Guest Login Page installed, an Untrusted Connection message will appear, but it will be fine if they "Add Exception and install the certificate"
5. After that the Guest Login Page will appear, and guests input their username and password.
6. Login succeeds and they will be redirected to www.cisco.com and there is a pop-up from 1.1.1.1 (WLC Virtual Interface IP) with a logout button.
The problem happens in step 6: after login succeeds, a webpage with the ISE IP address and a certificate error message for 1.1.1.1 appears.
I know it happens when guests don't have the WLC Login Page Certificate...
My question is, is there a way to tunnel the WLC certificate through ISE? Or what can we do to make ISE validate the WLC certificate, so guests don't need to install the WLC certificate / root certificate before connecting to Wi-Fi?
Thanks for your answer and sorry for my bad English....
Thanks for your reply Peter, your solution is right.
I didn't choose CWA, because their DNS is not stable...
I've found the problem...
The third-party CA is revoked, so there is no way it will succeed until it is fixed...
and there is no guarantee they will fix it soon..
So the solution we chose is to disable "HTTPS" on the WLC:
"config network web-auth secureweb disable"
Thank you all... -
I created a form with Single Choice fields, 4 days with times listed. But, I want the user to only be able to choose one time, and the time chosen to be unavailable for other users. How do I do this? I have 4 blocks of Single Choice fields in order for the summary page to give me each day in the final report. But, I need the user to be able to make a selection of any day and time and that appointment to no longer be available to future users when they log in. Plus, when the user clicks on the time, they are unable to change their mind and choose another time. Here's the link if you want to see what I'm talking about: 2015-2016 Workload Apportionment Review
I'm afraid not. It's not rocket science but you need to do some coding.
You'll need to find a script (php) and save it to your local site folder. Then reference the script in your form's action attribute like so.
<form action="path/form-to-email-script.php" >
The input fields in your HTML form need to exactly match the script variables.
I'm assuming you're hosted on a Linux server which uses PHP code. Linux servers are also case sensitive, so upper case names are not the same as lower case names. It's usually best to use all lower case names in your form and script to avoid confusion.
Related Links:
Formm@ailer PHP from DB Masters
http://dbmasters.net/index.php?id=4
Tectite
http://www.tectite.com/formmailpage.php
If this is all a bit beyond your skill set, look at:
Wufoo.com (on-line form service)
http://wufoo.com/
Nancy O. -
Some albums I put on my Mac to later sync with a Touch appear as separate tracks and not a single album. How do I get them back together again other than a playlist? I do not want the tracks showing up as albums on the Touch.
Are your tracks part of a collection? Different artists, but still one album? Then mark them as a collection or set the album artist. See this guide on how to group separate tracks into albums:
iTunes: Grouping Tracks Into Albums