ISE dACL for FlexConnect AP
Hello all,
I found a similar thread, but it didn't exactly answer my question:
https://supportforums.cisco.com/discussion/12114056/flex-connect-user-acl-aps-locally-switched
Should I configure a regular ACL or an Airespace ACL on ISE to support FlexConnect mode APs?
On the FlexConnect APs (WLC), do I configure a regular ACL or a FlexConnect ACL?
The FlexConnect APs are running a few SSIDs; some are centrally switched, and some are locally switched.
Thanks,
Kevin
It depends on which version of WLC you are running; v7.4.110 has a bug (unfortunately, I don't remember the bug ID). You need to create a regular ACL and a FlexConnect ACL using the same name. With a recent version (I'm using 7.6.130), you don't need the regular ACL, just a FlexConnect ACL. So, to answer your question, with FlexConnect you must use a FlexConnect ACL.
Good links:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_010001110.html
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116143-config-cise-posture-00.html
Similar Messages
-
ISE used for BYOD and Corporate
Hello
I have a customer currently using EAP-PEAP on both their corporate laptops and wireless phones on different SSIDs; the RADIUS servers are a pair of IAS servers. We have recently deployed ISE BYOD for them with a single BYOD SSID. Now they want to completely get rid of the IAS and move all RADIUS to the ISEs, but want to keep EAP-PEAP for laptops and phones.
I am thinking about the authorization rules in ISE. Now they have 3 types of access using EAP-PEAP; a user must at least belong to the Employee AD group, but he may or may not belong to the BYOD and/or PHONE groups as well. The authentication results should be something like:
1. if Corporate Laptop then Permit Access
2. if BYOD then NSP
3. if Phone then Permit Access
I am just wondering what is the best way to classify the devices (to decide the following action) without relying on profiling. Surely they all come from different SSIDs, so I could check the WLAN ID to determine what action to follow, but that will need to make sure all the WLCs have the same WLAN ID for each SSID. Is there any better or neater way of doing this? What is the best practice for this kind of scenario?
Thanks
If we're talking purely SSIDs, you can match the name of the SSID.
For example here, I'm matching an SSID of "mlatosie". -
Hello Experts
I have ISE with an Advanced license for 1500 users, and I have a WLC 2504, and I need to integrate the WLC with the ISE to get ISE features for the wireless users like posturing, remediation and authentication as well.
My question: is the Advanced license enough, or shall I install the Wireless license on the ISE to have the integration?
Your feedback and inputs are appreciated.
Reyad
Here is some information regarding the different types of licenses -
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_license.html#wp1074395
Essentially, a wireless license is much like the base license if your deployment is 100 percent wireless; the wireless upgrade is the equivalent of the advanced license, once again for only a wireless deployment.
Base and Advanced cover all (wired, wireless, VPN, etc.); there are no restrictions to the deployment model.
Thanks,
Tarik Admani
*Please rate helpful posts* -
ISE Licensing for IP Phones nodes
Hi Guys,
I'm currently working on an ISE design for a network where they have IP phones for each end user device:
Switch <--> IP Phone <--> End User Device.
My concern is the licensing part; I'm not really interested in authenticating or profiling IP phone nodes. Rather, I need only to provide full ISE services for end user devices behind IP phones (authentication, authorization, posturing, etc.). So I need to order a Base and an Advanced license that cover ONLY the number of end user devices, without accounting for IP phone units.
Considering the above requirements, what is the best deployment scenario to consider when configuring the switch interface that connects to each IP phone with single-host port authentication (CDP bypass)? Would the IP phone consume from the license count?
What if we considered doing MAB for IP phone nodes and dot1x for end users, and considering MDA? Would it consume 2 units from the total license number of nodes in this case?
What is the best practice for deploying and licensing ISE if I have a Cisco or a third-party IP telephony solution and I don't want to authenticate/authorize/profile IP phones?
Thanks,
Muayad Jallad
If you are using Cisco IP phones, you can get away with single-host mode on the port, which in effect ignores the phone. If the phone is a third-party device, you will most likely need to use multi-domain authentication and actually use ISE to allow the phone on the network.
In summary - Cisco phone means potentially no license; if Avaya or other third party, you will need to auth and use a license -
Besides CAPWAP, what other ports/protocols need to be allowed for FlexConnect
Well, the title says it for itself.
Besides CAPWAP, what other ports/protocols need to be allowed for FlexConnect?
To clear things up, I am MOSTLY concerned with the communication between the FlexConnect AP and the WLC. Besides CAPWAP, what do I need to consider? I need this list since most of our clients have a firewall, and of course I need to allow certain protocols and/or ports on the firewall so that the AP and the WLC can see each other.
Anyone know?
As far as I know, I would allow:
1. CAPWAP
2. ICMP -For reachability testing
on the firewall, to/fro the devices.
Inputs would be helpful! ^_^
Thanks in advance.
Thanks Scott,
This verifies what I need, or rather what I request clients to allow on their firewall. Since these are VPN connections, ICMP, Telnet and SSH wouldn't hurt to be enabled xD
A. CAPWAP
PORTS:
5246/UDP -Control Channel
5247/UDP -Data Channel
B. ICMP(Ping) -OPTIONAL/Reachability verification
C. AP Remote Access -OPTIONAL
PORTS:
22/TCP -SSH
23/TCP -Telnet -
ISE: support for IPv6 DACL's
Hi,
Does anyone know if/when ISE will be able to push out IPv6 dynamic ACLs? I have not managed to find any information on this other than an old post here: https://supportforums.cisco.com/discussion/11795676/ise-support-ipv6-dynamic-acls
Thanks,
Phill Macey
It's not supported as of the current ISE 1.3.
I've heard it is planned for a future release, but there's no announced or committed date as of yet.
If you're working with a partner or Cisco account manager, be sure to officially request it if it's important to you. Customer requests help build the business case for prioritizing the features. -
Hi,
I am trying to figure out the syntax for dACL to a switch running 12.2(55)SE7.
In the switch we have used the following static ACL:
ip access-list extended TEST
10 permit tcp 10.88.0.24 0.7.255.7 10.0.0.2 0.3.255.0 range 1025 2000
It is to limit so that only some source IPs can access some destination IPs on those ports. Now we want to use it dynamically, so that the ACL gets downloaded to the switch when a certain device connects to the port.
I added it to ISE like this:
permit tcp 10.88.0.24 0.7.255.7 10.0.0.2 0.3.255.0 range 1025 2000
But that doesn't work. However, when I change the source to any then it works:
permit tcp any 10.0.0.2 0.3.255.0 range 1025 2000
By not working I mean that I see the dACL being downloaded, then the port state is Authz fail, and after 1 min the device reauthenticates.
Why does it work with source any?
Regards,
Philip
Hello,
check if the IOS version and hardware platform (switch) you're using is mentioned in the TrustSec document (page 6):
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf
The minimum IOS version to use with ISE should be 12.2(55), but generally it's better to use 15.x.
Also, check if you have configured everything that is recommended for switch devices in TrustSec (page 59), including "ip device tracking".
There's also a very nice document for troubleshooting:
"Cisco TrustSec How-To Guide: Failed Authentications and Authorizations"
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_81_troubleshooting_failed_authc.pdf
If it doesn't work, can you post the output of the following commands after authorization:
show authentication session interface
sh ip access-lists interface
show running-config interface
show access-list
sh ip access-lists -
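The two dACL entries from this thread, run through a small pre-flight checker. This is an added example, not code from the thread or from Cisco; it assumes IOS extended-ACL syntax and the documented dACL behaviour that the switch replaces the source "any" with the authenticated endpoint's address, which is why a fixed source network in a dACL does not match the way it does in a static interface ACL.

```python
# Pre-flight check for ISE dACL entries. Added example for the thread above,
# not code from the original post or from Cisco. Assumes IOS extended-ACL
# syntax: a dACL is bound to one authenticated session and the switch swaps
# the source 'any' for the endpoint IP learned via IP device tracking, so a
# fixed source network never matches the way it does in a static ACL.
import ipaddress

# Constructed from the thread: the first entry failed, the second worked.
THREAD_ACES = [
    "permit tcp 10.88.0.24 0.7.255.7 10.0.0.2 0.3.255.0 range 1025 2000",
    "permit tcp any 10.0.0.2 0.3.255.0 range 1025 2000",
]


def parse_ace(ace: str) -> dict:
    """Split one extended ACE into action, protocol, src, dst and port tokens."""
    tokens = ace.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"not a permit/deny ACE: {ace!r}")
    pos = 2  # index of the first address token

    def take_address() -> tuple:
        nonlocal pos
        if tokens[pos] == "any":
            pos += 1
            return ("any", None)
        if tokens[pos] == "host":  # 'host X' is shorthand for 'X 0.0.0.0'
            pos += 2
            return (tokens[pos - 1], "0.0.0.0")
        pos += 2
        return (tokens[pos - 2], tokens[pos - 1])
    src, dst = take_address(), take_address()
    return {"action": tokens[0], "proto": tokens[1], "src": src,
            "dst": dst, "ports": tokens[pos:]}


def is_contiguous_wildcard(wild: str) -> bool:
    """True when the wildcard has the form 0...01...1, i.e. equals 2**n - 1."""
    value = int(ipaddress.IPv4Address(wild))
    return value & (value + 1) == 0


def check_dacl_ace(ace: str) -> list:
    """Return findings for one dACL entry; an empty list means it looks sane."""
    findings = []
    parsed = parse_ace(ace)
    if parsed["src"][0] != "any":
        findings.append("source must be 'any': the switch substitutes the "
                        "authenticated endpoint's address for it")
    for label, (addr, wild) in (("source", parsed["src"]),
                                ("destination", parsed["dst"])):
        if addr == "any":
            continue
        ipaddress.IPv4Address(addr)  # raises ValueError on a malformed address
        if not is_contiguous_wildcard(wild):  # legal on IOS, but easy to get wrong
            findings.append(f"{label} wildcard {wild} is discontiguous; "
                            "confirm the match is intended")
    return findings


if __name__ == "__main__":
    for ace in THREAD_ACES:
        print(ace)
        for finding in check_dacl_ace(ace):
            print("  -", finding)
```

The first thread entry is reported for its fixed source and both entries get a wildcard warning, so the wildcards are worth a second look even after the source is changed to any.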
On ISE version 1.2.0.899, is there a way to log the drops that the end users' dACL enforces? -
WLC to ISE authentication for Guest
Hi Experts,
I hope you could guide me with our setup for Guest users. Below is what we are doing:
a) Guest connects to SSID
b) WLC is being used to redirect Guest HTTP to WLC internal Portal
c) WLC forwards guest authentication details to cisco ISE [ISE and WLC radius]
The guest connects to the SSID and does get the WLC portal for authentication. When the username and password are entered, on Cisco ISE I see the error message
'User Identity not found in any of Identity Store', though it is going through the correct store and the guest name is certainly configured on Cisco ISE. ISE version is 1.2 and WLC is 7.4; please let me know if I am missing anything here.
Appreciate your help
The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of an external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required, as the portal provides features such as device registering and self-provisioning. The flow includes these steps:
Please follow the guide below for step-by-step configuration:
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml -
Best Practice for FlexConnect Wireless roaming in MediaNet environment?
Hello!
Current Cisco best practice recommendations for enterprise MediaNet design, specify that VLANs be local to a switch / switch stack (i.e., to limit the scope of spanning-tree).
In the wireless world, this causes problems if you want users while roaming to keep real-time applications up and running. Every time they connect to a new AP on a different VLAN, then they will need to get a new IP address, which interrupts real-time apps.
So...best practice for LAN users causes real problems for wireless users.
I thought I'd post here in case there's a best practice for implementing wireless roaming in a routed environment that we might have missed so far!
We have a failover pair of FlexConnect 7510s, btw, configured for local switching for Internal users, and central switching with an anchor controller on the DMZ for Guest users.
Thanks,
Deb
Thanks for your replies, Stephen and JSnyder.
The situation here is that the original design engineer is no longer here, and the original design was not MediaNet-friendly, in that it had a very few /20 subnets bridged over entire large sites.
These several large sites (with a few hundred wireless users per site) are connected to an HQ location (where the 7510s in failover mode are installed) via 1G Ethernet hand-offs (MPLS at the WAN provider). The 7510s are new, and are replacing older controllers at the HQ location.
The internal employee wireless users use resources both local to their site, as well as centralized resources. There are at least as many Guest wireless users per site as there are internal employee users, and the service to them consists of Internet traffic only. (When moved to the 7510s, their traffic will continue to be centrally switched and carried to an anchor controller in the DMZ.)
(1) So, going local mode seems impractical due to the sheer number of users whose traffic bound for their local site would be traversing the WAN twice. Too much bandwidth would be used. So, that implies the need to use Flex / HREAP mode instead.
(2) However, re-designing each site's IP environment for MediaNet would suggest to go routed to the closet. However, this breaks seamless roaming for users....
So, this conundrum is why I thought I'd post here, and see if there was some other cool / nifty solution I wasn't yet aware of.
The only other (possibly friendly to both needs) solution I'd thought of was to GRE tunnel a subnet from each closet to the collapsed Core / Disti switch at each site. Unfortunately, GRE tunnels are not supported in the rev of IOS on the present equipment, and so it isn't possible to try this idea.
Another "blue sky" idea I had (not for this customer, but possibly elsewhere in the future), is to use LAN switches such as 3850s that have WLC functionality built-in. I haven't yet worked with the WLC s/w available on those, but I was thinking it looks like they could be put into a mobility group, and L3 user roaming between them might then work. Do you happen to know if this might be a workable solution to the overall big-picture problem?
Thanks again for taking the time and trouble to reply!
Deb -
Hello,
I want to know whether ISE with a Plus license supports TrustSec features. In the TrustSec 5.0 document, it is mentioned that you must have an ISE Advanced license for TrustSec support, but on the other hand the ISE licensing datasheet says Plus license (provides context about endpoints for more detailed access policies), as per the table below:
ISE License Package | Focus | Perpetual/Subscription (Terms Available) | Notes
Base | Secured access | Perpetual |
Plus | Provides context about endpoints for more detailed access policies | Subscription (1, 3, or 5 years) | Does not include Base services; Base licenses are required to install Plus licenses.
Advanced | Provides context and compliance details about endpoints for more detailed access policies | Subscription (1, 3, or 5 years) | Does not include Base services; Base licenses are required to install Advanced licenses.
http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/datasheet-c78-730772.html
Please let me know whether I should order an Advanced or a Plus license. If Plus has this capability, it will be good for me because of its license pricing.
Thanks,
At the beginning, there were only the Base and Advanced licenses. There you needed Advanced for nearly everything that goes beyond basic authentication and authorization. In newer versions (starting with 1.2.1 and one of the newer 1.2.0 patch levels), the Plus license was introduced, and many Advanced features were moved to Plus. As you will probably directly start with a newer version where the new licenses are used, you'll be fine with "Plus".
-
ISE Addon for Checkout or Checkins via TFS 2013
Hi
I am coordinating the development of some PowerShell scripts to work against our SharePoint farm. Now, as there is more than just me developing these scripts, I think we need to start doing regular check-ins and check-outs in our TFS 2013. Anyway,
I naively thought there must be an add-on I could add to ISE for this, since it seems such a common requirement. However, there doesn't seem to be much out there that is actively being used. Are there alternatives that are widely used, such as a series of PS functions anyone knows about?
Daniel
Freelance consultant
Hi Daniel,
If you want to complete checkout in Powershell ISE automatically, please go through this article:
Protect Your PowerShell Scripts with Version Control
In addition, you can also refer to this script
PowerShell ISE-specific profile script, which performs a few simple things:
Checks if you have the TFS client installed (eg Team Explorer).
Registers for ISE events on each open file and any files you open later.
Upon editing of a file, if it is TFS-managed then checks it out.
The end result is the same TFS workflow experience from within the PowerShell ISE as Visual Studio provides.
Refer to:
Automatic TFS Check Out for PowerShell ISE
If there is anything else regarding this issue, please feel free to post back.
If you have any feedback on our support, please click here.
Best Regards,
Anna Wang
TechNet Community Support -
ISE Profiling for Wireless Devices (WLC 5508) like Laptops and Mobile Devices
Hi,
We have integrated a WLC 5508 with Cisco ISE 3315 with ios 1.1.1, and are using the Guest Sponsor portal for wireless guest users.
We have created an open SSID in the WLC and redirect to the web login portal in the WLC for guest users. We have enabled all respective nodes in Policy Service for profiling, and also configured SNMP in the WLC as well as in ISE.
When a guest user is connected to the open SSID, it gets redirected to the web login page of the ISE portal, and when it logs in we are only able to see the username with which the guest user logged in, but not the end device in the monitoring log.
Wireless end devices are not able to get profiled. Can anyone tell me what configuration I need to do on the ISE or WLC side to profile guest wireless end devices like Android, iPhone and laptops?
Thanks
Pranav
Hi Tarikh,
I only want to identify the end devices for wireless guest users. I have configured MAB authentication and configured an authorization policy where I mention identity group any, condition as WLC web authentication, and an authorization profile only guest, mentioning plain access for the same.
Can you help me with how I can achieve profiling for wireless guest devices? I have configured all profiling probes, and enabled SNMP on the WLC as well as in network devices.
What else do I need to configure to achieve just identifying the device, nothing but profiling, and which should reflect in the authentication logs?
Thanks
Pranav -
Cisco ISE protocols for ldap and Windows wireless client
Only the protocols below are supported by ISE in combination with LDAP identity sources:
EAP-GTC, PAP, EAP-TLS, PEAP-TLS.
Mac OS devices seem to be able to use these, but Windows users seem to be having problems. How should Windows users connect with ISE that only uses LDAP?
Mathieu,
Take a look at the user guide for NAM -
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac04namconfig.html
You will see the protocol support, like GTC, that should allow you not to have to deploy certs.
Thanks.
Tarik Admani
*Please rate helpful posts* -
ISE : Authentication for IKEv2
Just to check if anyone might be able to assist me regarding an issue that I am trying to work out a solution for.
My requirements are: multitenant deployment using ASR1K with IKEv2 VPN authenticated with ISE or ACS, and user databases in most cases will be in Active Directory. And authentication has to be with user and password.
EAP-MD5: does not work with LDAP integration with Active Directory; it does, however, work in RADIUS proxy mode, but the security level of password storage in AD has to be degraded a lot by allowing AD to store reversible passwords.
EAP-GTC: As far as I understand from everything I read, this might be the holy grail for U/P authentication for IKEv2. But in ISE and ACS, EAP-GTC is only supported as an inner method in PEAP and EAP-FAST. Will this change in the near future?
And is there possibly something else that I am missing which might be a solution to this design criteria?