ISE for Guest Auth but need traffic logs

We have guests that visit our office and connect to the Guest WiFi. We want to implement ISE for the self-sign in portal. That would help us determine the user and have them accept the legal terms without involving IT.
When a guest logs in and surfs the web, we want to track which websites they go to for legal purposes and hold that information for 18 months. I am not sure how I can achieve this second part.
The guests may visit us 1 or 2 times every 6 months so using WSA with AD auth, for example, would not be ideal and that's why we like the ISE portal.
We are using Cisco 5500 WLCs.
Any help is appreciated.

If your guests surf through an ASA firewall, you can send that firewall syslog to ISE, and ISE will correlate the logs with the guest users that are logged in, so you can track activity in ISE. There is a report that is called something like "Guest Activity" where this will get collected.
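
The correlation the reply describes, sketched as an added example (not part of the original thread and not ISE's own logic): it attributes firewall URL log lines to the guest who held the source IP at that moment, then applies the 18-month retention window. The session export format, the ISO-timestamped syslog layout, and every name and address below are assumptions constructed for illustration.

```python
import calendar
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class GuestSession:
    """One guest login, e.g. from portal/RADIUS accounting (assumed export)."""
    username: str
    ip: str
    start: datetime
    stop: Optional[datetime]  # None means the session is still open


@dataclass(frozen=True)
class UrlEvent:
    when: datetime
    src_ip: str
    dest: str
    url: str
    guest: Optional[str]  # None when no guest session covers the event


# Assumed layout: "<ISO time> <device> %ASA-5-304001: <src> Accessed URL <dst>:<path>"
ASA_URL_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+%ASA-5-304001:\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"Accessed URL\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<url>\S+)"
)


def find_guest(sessions, ip, when):
    """Return the guest holding `ip` at `when`; DHCP reuse makes time matter."""
    for s in sessions:
        if s.ip == ip and s.start <= when and (s.stop is None or when <= s.stop):
            return s.username
    return None


def correlate(lines, sessions):
    """Parse URL log lines and attach the matching guest username."""
    sessions = list(sessions)
    events = []
    for line in lines:
        m = ASA_URL_RE.match(line)
        if not m:  # other message IDs carry no URL and are skipped
            continue
        when = datetime.fromisoformat(m["ts"])
        events.append(UrlEvent(when, m["src"], m["dst"], m["url"],
                               find_guest(sessions, m["src"], when)))
    return events


def months_before(now, months):
    """Calendar-aware cutoff: `months` months before `now`, day clamped."""
    year, month0 = divmod(now.year * 12 + (now.month - 1) - months, 12)
    day = min(now.day, calendar.monthrange(year, month0 + 1)[1])
    return now.replace(year=year, month=month0 + 1, day=day)


def within_retention(events, now, months=18):
    """Keep only events newer than the retention cutoff (18 months here)."""
    cutoff = months_before(now, months)
    return [e for e in events if e.when >= cutoff]


# Constructed sample data: two guests receive the same address on one day.
SAMPLE_SESSIONS = [
    GuestSession("alice.guest", "10.20.0.15",
                 datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 11, 0)),
    GuestSession("bob.guest", "10.20.0.15", datetime(2024, 3, 1, 13, 0), None),
]
SAMPLE_LINES = [
    "2024-03-01T09:30:00 asa-dmz %ASA-5-304001: 10.20.0.15 Accessed URL 203.0.113.10:/news/index.html",
    "2024-03-01T12:00:00 asa-dmz %ASA-5-304001: 10.20.0.15 Accessed URL 203.0.113.10:/gap",
    "2024-03-01T13:05:00 asa-dmz %ASA-5-304001: 10.20.0.15 Accessed URL 198.51.100.7:/mail",
    "2024-03-01T13:06:00 asa-dmz %ASA-6-302013: Built outbound TCP connection 1 for outside:198.51.100.7/443",
]

if __name__ == "__main__":
    for e in correlate(SAMPLE_LINES, SAMPLE_SESSIONS):
        print(e.when.isoformat(), e.src_ip, e.guest or "UNATTRIBUTED", e.dest + e.url)
```

The second sample line falls between the two sessions and stays unattributed, which is the case a lookup by IP address alone would get wrong.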

Similar Messages

  • I don't want Adobe to open up and be selected immediately. I work with iPhoto and Ipages etc and preview which needs to be my main application for my work , but need adobe reader for other files... how can I do this please?

    I don't want Adobe to open up and be selected immediately. I work with iPhoto and Ipages etc and preview which needs to be my main application for my work , but need adobe reader for other files... how can I do this please?

    loopiloo1 wrote:
    I don't want Adobe to open up and be selected immediately.
    Sorry, I don't understand this - you don't want Adobe [Reader] not to open when doing what?  On what operating system?

  • I have recently changed my email login password for my emails I have managed to change them in my setting for my iPad but need to change the settings for my MAC computer but I cannot seem to do it help please

    I have recently changed my email login password for my emails. I have managed to change them in my settings for my iPad but need to change the settings for my MAC computer, but I cannot seem to do it. Help please?

    Mail/Preferences/Accounts
    Use the - and + signs to delete or add your new Accounts
    see
    http://support.apple.com/kb/PH4928
    Mac 101
    http://support.apple.com/kb/index?page=search&src=support_site.kbase.search&locale=en_US&q=deleting%20mail%20accounts

  • Ok so I have a free standing iSight Cam, is it possible to use it with my white MacBook ? and if so how do I go about it ? I've tried researching for updates, drives but need help.

    Ok so I have a free standing iSight Cam, is it possible to use it with my white MacBook ? and if so how do I go about it ? I've tried researching for updates, drives but need help. Can someone give me some direction ?

    jpatricio787 wrote: ... is it possible to use it with my white MacBook ?...
    OK so yes, but if, and only if:
    (1) your MacBook has a Firewire port (not all do)
        - and -
    (2) your old external iSight camera works (not all do)
        - and -
    (3) your MacBook is working properly.
    If you are not certain whether your MacBook model has Firewire, you can search MacBook Technical Specifications for your model.  Alternatively, check the  User Guide Manual that came with your MacBook for the information you need to be certain.
    If you are not certain that your old external iSight camera works, you can test it using the suggestions in this link.
    jpatricio787 wrote: ... if so how do I go about it ? ...
    Follow the instructions in your iSight User's Guide to connect and turn on the iSight.  Then launch the Apple app you want to use with your iSight.  If you need more information about using an app, search for "camera" (without the quote marks) in the Help menu choice for the app.
    jpatricio787 wrote:... Can someone give me some direction ?
    If you need more direction, post back the specifics of what you still need.  We will offer further direction based on the details of your reply.
    Message was edited by: EZ Jim
    Mac OSX 10.9.3

  • Using ISE for guest access together with anchor controller WLC in DMZ

    Hi there,
    I setup a guest WLAN in our LAB environment. I have one internal WLC connection to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal which works fine.
    To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
    As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
    Does anyone know of a better solution for this ? Where to place the ISE for this scenario, etc ?
    Thx
    Frank

    So I ran into a similar scenario on a recent deployment:
    We had the following:
    WLC-A on private network (Inside)
    ISE Servers ISE01 and ISE02 (Inside)
    WLC-B Anchor in DMZ for Guest traffic (DMZ)
    ISE Server 3 (DMZ)
    ISE01 and ISE02 are used for 802.1X for the private network WLAN.
    Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
    The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth.  Since we want to do CWA, we use Mac Filtering with ISE as the radius server.  If you send this traffic RADIUS authentication for Mac Filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to.  Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails.  (This was a limitation of ISE 1.1.  Not sure if this persists in 1.2 or not.)
    So what now?  In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentication from the Foreign controller so that the client will use a DNS of https://ise03.mydomain.com/... to redirect the client to.  Once the session is authenticated, ISE03 will send a CoA back to the foreign which will remove the redirect for the session.  Note, you do have to allow ISE03 to send a CoA.
    In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node.

  • How to use ISE for VPN auth

    Hello
    Looking for documentation on how to set up ISE to authenticate VPN users. Right now we are using ACS 4.2 to provide dACL and authentication but would like to migrate this feature to ISE. We are using Microsoft AD.
    Any good docs, white papers, field notes, how-to that can address this issue will be appreciated.
    Thanks

    We use the ISE for VPN (connection with openldap). On the authentication policy you have multiple options. We used the network access - device ip address option. On the Authorization  tab we used again the ip address option in combination with an ldap attribute where there was a definition of the status of the person (student, teacher, admin,...). On the policy elements tab we made some authorization profiles in results - authorization - authorization profiles. When you make a new profile you can select under Common tasks the asa vpn attribute. There you can  for example insert admin.
    So if you have an admin user that wants to login:
    authentication: user found in ldap (or ad)
    authorization:
    -user is coming from asa ip address
    -user attribute is admin
    = user is authorized for the admin class on your asa vpn device.

  • ISE 1.2, Supplicant configured for 802.1x but need to MAB

    I posted this yesterday but deleted the thread thinking I had fixed the issue - alas I was wrong. In summary I have a scenario where I am doing wired 802.1x and also wired MAB/CWA. The issue is that a certain number of external/BYOD hosts have supplicants configured for 802.1x at their "home" organisations which for obvious reasons can't authenticate on this network. The idea is that MAB and CWA become a fallback but these hosts in question don't efficiently fail to MAB.
    If the host has validate server certificates enabled (and doesn't have our root selected) then 802.1x fails and goes to MAB as per the tx timers etc. Hosts that don't validate certificates essentially fail authentication, abandon the EAP session and start new... this process seems to continue for a very long time.
    Does anyone have any similar experiences and if so can you provide some info? I am looking into tweaking 802.1x port timers to make this fail quicker/better but am not confident this will fix the issue.
    Thanks in advance

    Maybe the held-period and quiet-period parameters would help.  I would not change the TX period to anything shorter than 10 seconds.  Every Cisco doc that I have ever seen has said this same recommendation and I can tell you from experience you will have devices at times that will authenticate via MAB when you don't want them to if you decrease lower than 10 seconds.
    Read this doc for best practices including the timers listed below.
    I hope this link works.  http://d2zmdbbm9feqrf.cloudfront.net/2014/eur/pdf/BRKSEC-3698.pdf
    If not, go to www.ciscolive365.com (sign up if you haven't already) and search for
    "BRKSEC-3698 - Advanced ISE and Secure Access Deployment (2014 Milan) - 2 Hours"
    Change the dot1x hold, quiet, and ratelimit-period to 300. 
    held-period seconds
    Configures the time, in seconds for which a supplicant will stay in the HELD state (that is, the length of time it will wait before trying to send the credentials again after a failed attempt). The range is from 1 to 65535. The default is 60.
    quiet-period seconds
    Configures the time, in seconds, that the authenticator (server) remains quiet (in the HELD state)
    following a failed authentication exchange before trying to reauthenticate the client. For all platforms except the Cisco 7600 series Switch, the range is from 1 to 65535. The default is 120.
    ratelimit-period seconds
    Throttles the EAP-START packets that are sent from misbehaving client PCs (for example, PCs that send EAP-START packets that result in the wasting of switch processing power). The authenticator ignores EAPOL-Start packets from clients that have successfully authenticated for the rate-limit period duration. The range is from 1 to 65535. By default, rate limiting is disabled.

  • Why does GarageBand audio work for guest user but not my account?

    Hello, I have a 15-inch MacBook Pro (2.2 GHz Intel Core i7, 4GB 1333 MHz DDR3) from late 2011 that I bought brand new in 2012. I'm running OS X Mavericks 10.9.4 and my MacBook has 500 GB of storage.
    About a month or two ago I tried to download the new GarageBand (10.0.2) but I had trouble completing the loops download. The download would stop halfway through because of a network error. So last week I decided to try to download it again, and I was able to do so after reading some discussions about the issue. I successfully completed the download in safety mode and then I restarted my MacBook. At this point I was able to open GarageBand 10.0.2 and create a new project. Unfortunately, there was no audio coming through the output and sound bar for the various audio components in GarageBand. I had no audio when previewing the loops or playing it back in an audio track. I didn't really test anything else out because I figured I needed to fix this problem first. I have read many discussion boards about audio problems with GarageBand. I have already made sure everything is set properly in the GarageBand preferences and the audio preferences in system preferences. I've tried restarting GarageBand and restarting the computer.
    This evening I found a discussion from the username icewhatice and they seemed to have had my exact problem. I'm not sure that I found the answer on this discussion though. For reference, this is what icewhatice posted: "I have no audio coming from Garageband 10.0.2. Downloaded it on Saturday and have spent the last two days trying to figure out why it won't work. I'm using a macbook pro with an Alesis QX49. GB registers keyboard when I plug it in but no sound whatsoever, not even from the onscreen keyboard. It seems to read the keyboard as if I play a C chord, it appears in the display. I've done all the obvious stuff like check preferences, restart, I've deleted and downloaded new GB several times and always with same result. Actually, it took me about four attempts to download it in the first place as I was getting an internet connection error message right at the end of the download, and I see others have had that problem. Managed to solve that by downloading in safe mode but now the no sound thing is driving me absolutely crazy because I can't play my keyboard!!!!! Also, worth noting that there is no audio level being read anywhere, I believe in the new version this appears in the volume control at the top. I've also looked into it potentially being a problem with my keyboard and it possibly needing an update but can't find any difinitive answer for that anywhere. I've stopped looking into that because the on screen keyboard doesn't even work - if that worked then I would know at least GB works and it's something to do with the keyboard. So, I am at a complete loss. If anyone has any ideas about why this is happening or what I could do to solve then I would be very grateful."
    After reading this, I realized that I am unable to create new tracks, and I realized that I have the same problems with old projects saved from the last version of GarageBand I had. I have not tried to download GarageBand again since it did not work for icewhatice. léonie ended this post by saying: "Something is certainly wrong - either the current project, some settings in your user account, or the downloaded GarageBand version. Or incompatible software may be interfering. If a new project does not work, try to test by logging into a different user account, for example the "Guest User" account. Create a new project using this account. Does GarageBand work better from this account?  Then we will need to troubleshoot your preferences."
    I have tried this and started a new GarageBand project in the "Guest User" account. GarageBand was working fine in the "Guest User" account and all of the audio was working properly. Does anyone know how I should troubleshoot my preferences?

    If an application is working in a different account, but not in your regular account, try to find out what you configured differently in your own account, for example start-up items or preference panes you are using, applications and other helper tools that are only installed for your regular account. As a first guess, remove GarageBand's preference files from the user library in your Home folder.
    But you will have to reset all settings you did in the GarageBand preferences dialog. And GarageBand will not remember the last project. You'll have to find the file manually.
    Remove these files from your User Library to a folder on your Desktop:
    ~/Library/Containers/com.apple.garageband10/
    ~/Library/Preferences/com.apple.garageband.plist
    ~/Library/Caches/garageband
    Quit GarageBand, then remove the files to a folder on the Desktop and restart the computer, before trying again to open GarageBand.
    Your user library may still be hidden, as is the default in Mavericks: To open your hidden user library:
    Select the "Home" folder icon (the little house)  in the Finder's sidebar and press the key combination ⌘J to open the "view options".
    Enable "Show Library Folder".
    Then open the Home folder and open the Library folder inside and navigate to the Preferences, Caches, or Containers folder. Remove these folders completely - don't leave anything inside:  ~/Library/Containers/com.apple.garageband10/,
    ~/Library/Caches/garageband  .

  • Workaround for internet access that needs to 'log in'??

    Hi, I recently got internet service (Consolidated Smart Systems) in my apartment. The trouble is that I need to enter a username and password each time I want to use the internet. Think of it like accessing the internet in Starbucks. Of course this means that Apple TV can't access the internet.
    I was hoping there was some work around solution... I have an iMac that I leave always on and therefore I don't need to enter the username and password to keep the internet connection on. I also have an Airport Extreme. Is there someway I can setup Airport Extreme to have the login details in it so then the Apple TV won't have to log in?
    Don't know if this is clear but would appreciate any help!

    Guess not... have to get a different internet service provider!

  • Asked to update but needs different log-in...

    I have a notification that I have an update in the Appstore. While logged-in with my Apple ID, I try to update but I'm asked to log-in with a different Apple ID that is not mine.
    So far Apple Support (via Email) cannot help me.
    What should I do?
    Thanks in advance.

    The Apple Support Communities are an international user to user technical support forum. As a man from Mexico, Spanish is my native tongue. I do not speak English very well, however, I do write in English with the aid of the Mac OS X spelling and grammar checks. I also live in a culture perhaps very very different from your own. When offering advice in the ASC, my comments are not meant to be anything more than helpful and certainly not to be taken as insults.
    You have installed a pirated app on your Mac. Remove it.
    Finding a pirated app -
    When a stranger's Apple ID appears on your Mac in conjunction with an update for an app that you have never installed, you have a pirated app on your Mac. This pirated app has been cracked with the MAS receipt from a free app, often Angry Birds, acquired by the person whose Apple ID you see.
    You may not have realized that it was a pirated app when you installed it. You may have believed that it was a trial version or a "free" version.
    All MAS apps have a MAS receipt in their app bundle. Check any app acquired from the MAS. Right click on the app's icon in your Apps folder and choose Show package contents. In the Contents folder is a _MASReceipt folder and in that folder is the coded MAS receipt. It has the Apple ID of the MAS account that bought/acquired the app from the MAS. It is that receipt that the MAS uses to alert you that an app has an update. There would not be a notice of an update with someone else's Apple ID showing in the MAS on your Mac, if there was not an app with a receipt from this person's account somewhere on your Mac.
    Download the free app FindAnyFile (FAF);
    http://apps.tempel.org/FindAnyFile/
    This app is easier to use and seems to be more powerful than Spotlight. Open FAF and in the box type _MASReceipt and press Find. It should come up with a list of every app on the Mac with a MAS receipt. Compare the apps with receipts in FAF's list with your purchased apps list in the Mac App Store. The odd app out should be the pirated app.

  • Using external radius with ise for guest authentication

    Hi Everyone,
    I am trying to migrate from NAC Guest Server to Cisco ISE Guest CWA on wireless, and can't figure out whether what I am trying is just unsupported or I just can't find out how to do this?
    I am attempting to authenticate my existing guest users, using a radius lookup towards my existing NAC Guest server, which has many hundred guest users with long account duration, which I really don't want to recreate on ISE, and send new passwords to all those users. Problem is I can't export the user list from NAC guest server with the password intact, and ISE can't import guest users with a set password.
    Any ideas ?

    Setting up ISE as a radius proxy server will work because NAC guest user does not support exporting user information with passwords.
    Step 1 Choose Administration > Network Resources > External RADIUS Servers.
    The External RADIUS Servers page appears.
    Step 2 Click Filter > Advanced Filter to perform your search. The Filter page appears.
    Step 3 You must define whether the search should match any or all of the rules that you define on this page.
    Step 4 Enter your search criteria based on the name or description of the RADIUS server, choose an operator, and enter the value.
    Step 5 You can do the following:
    •To add a filter condition, click the plus sign (+).
    •To remove a filter condition, click the minus sign (-).
    •To clear all filter conditions, click Clear Filter.
    Step 6 Click Go to perform your search.
    You can also save the filter criteria so that it can be used again. Click the Save icon to save the filter condition.

  • Activate new Iphone with Wifi but need to log-in on Safari first - how do I do this?

    I have just received my new iphone 4S and would like to activate it.  I am trying to use the wifi network we have at work but on my old iphone, every day I would have to open safari which would then pick up The Cloud network and prompt me for a sign-in username and password – no problem.  Unfortunately, when I try and select this network to activate my new phone, it doesn’t allow me to open safari first to sign onto the network and thus allowing the activation to continue.  Is there any way around this??
    Many thanks

    Yes, that's the only options.  If the wi-fi network requires that you authenticate using Safari, then it's not appropriate for activating your iPhone. 
    Use your computer & iTunes to activate your device.

  • Appleworks Install CD only for System 9 but need X

    My AW 6 CD was made BEFORE System 10. Was loaded originally under Classic and finally upgraded to 10 on an older G-4 . Later I transfer all to i-Mac with only System 10. After a crash I had to reinstall.
    What is the procedure to reinstall??
    Thanks

    Once you get AppleWorks reinstalled & updated to an OS X version, save a copy of the entire folder either by making an archive of it or saving it to another disk such as a CD or another hard drive. Then, should you ever need to reinstall AppleWorks again, all you have to do is copy that folder to your Applications folder.
    Peggy

  • Controllers in the same WISM module in the 6500, i'm trying to make one of them anchor controller for guest internet

    I have 2 controller in the same WISM module and I'm trying to make one of them Anchor controller for guest WLAN, but when I give put the anchor controller in a separated non-routed VLAN and connect it to an outside switch by creating VLAN 192 on the core. ( the Internet router is connected to the same switch).-it is showing path down... ( VLAN 192 visitor Internet and VLAN 224 my internal controller management VLAN are not talking)
    there is no routing between these 2 VLAN ( because of security), but i can't get the controller to communicate.
    -if I connect my laptop to this switch I'm able to go out on Internet but my visitor WLAN is not able to get IP address from the router connected to this switch.
    - I called Cisco and one the guys told me that i can leave the management in VLAN 224 for the controller to communicate ( which they did), but the issue I'm having right now is that my visitors are not getting IP addresses from this VLAN at all
    some one please advise
      vlan192   4/1 vlan 192              int g0/0 192.168.2.201
      6500 ----- switch ---- router---------  (outside)
        |         |   |
        |        DHCP server
       WLC

    A couple of questions, is VLAN 192 allowed across the trunk link to the wlc?  Do you have an interface tagged for vlan 192, with a valid address?  What is providing the DHCP?
    Cheers,
    Steve
    If  this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • URL Logging for Guest Traffic using Guest Anchor and ISE

    Hi there all,
    I'm looking for a solution whereby I can log URL information for wireless guest users to ISE. The anchor WLC sits in a DMZ behind an ASA and the ISE is on the internal network. I found this document (see URL below) which is similar but using a NAC Guest Server and not an ISE.
    I'm wondering if anyone has managed to do this using ISE?
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080ac2fda.shtml#wlcc

    Hi, Sorry for the late reply, I have been busy with a Proof Of Concept with the ISE.
    I have tried your suggestion and I cannot get the same results as you.
    I notice that the logs in your report were generated by an ASA. Do you know whether the same can be done with a switch dACL?
    I have this configuration...
    dACL
    3k-access#sh ip access-list int fa0/1
         permit udp host 10.1.10.103 any eq domain
         permit icmp host 10.1.10.103 any
         permit tcp host 10.1.10.103 host 10.1.100.21 eq 8443
         permit tcp host 10.1.10.103 host 10.1.252.10 eq www log-input
         deny ip host 10.1.10.103 10.1.0.0 0.0.255.255
         permit ip host 10.1.10.103 any
    Logging config...
    logging esm config
    logging trap debugging
    logging origin-id ip
    logging host 10.1.100.21 transport udp port 20514
    With the above configuration, I get a report which shows the syslog messages of successful authentication and download of the dACL, but then when I access a URL, I do not see any events about the URL that was accessed or even the IP that was accessed.
    Do you know if this can be done? Maybe I am looking at the wrong report? Can you help?
    Mario
