ISE machine authentication - only plug in to the network after booting

Hi experts.
I have recently deployed ISE with machine authentication.
However, when the machine is already plugged into the switch before booting, the machine does not authenticate automatically. It isn't until I log on, using a local computer account, that 802.1X authentication occurs. Using Wireshark, I have verified again that this authentication is MACHINE authentication, not user authentication.
Is there a way to solve this problem, other than having my users unplug their computer and only plug it into the network after booting?
Eric

Hi Vattulu,
The Machine Access Restriction method will be used, because there is no plan to use AnyConnect NAM in the client environment, and the prerequisite for EAP chaining is to use AnyConnect.
Regards,
Eric

Similar Messages

  • 802.1X Machine Authentication ONLY!

    Hi. I have a customer who wants to perform 802.1X machine authentication only, to prevent users connecting their own devices to the corporate network. The machine credentials will be authenticated via Cisco ACS, which will proxy the authentication to Active Directory. If successful, 802.1X assigns the port to a VLAN. At this point, the port is 'opened up' and the user can receive an IP address and can then log in to the domain as normal (AD username/password) via the network login screen. Is this a workable solution?
    I basically want the end user to not notice anything new, but 802.1x operates in the background to authenticate the machine before displaying the network login box. To the user, the PC boots and displays the login box and they login as normal :-) If they bring in their own device, it will fail 802.1x machine authentication and will not get any access.
    Has anyone implemented this? Is it a feasible design?
    Thanks
    Darren

    Hi Darren,
    Good news for you: you can do this using the "Machine Access Restriction" on both ACS 4.x and ACS 5.x:
    * ACS 5.x:
    http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1254965
    * ACS 4.x:
    http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/User_Guide/UsrDb.html#wp354105
    As soon as the machine performs 802.1X using the client credentials, the ACS will keep this info in a cache and it will match any further auth attempt (e.g. using the user credentials) for this client using the "Calling-Station-ID", so basically the client's MAC address.
    Depending on whether a client performed Machine Authentication before or not, you can decide whether to assign a sort of restricted access/guest VLAN or to deny access.
    If the personal client doesn't have an 802.1X supplicant at all, then you can decide to enable the guest VLAN feature on the switch itself.
    I hope this helps.
    Regards,
    Federico
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

  • Authentication is required to set the network proxy used for downloading packages

    hello all,
    We bought a Sun X3-2 and our reseller installed OL6.5 and SRS 5.4.2. When a user logs in, a window appears regularly, displaying this message:
    Authentication is required to set the network proxy used for downloading packages
    After click on Cancel, the window re-appears then minutes after. It seems that it is related to polkit:
    /usr/libexec/polkit-gnome-authentication-agent-1
    Can I stop this service? Are there any hints to tune Oracle Linux when using Sun Rays? Users don't need to update packages because the server is managed.
    thanks in advance for help,
    gerard

    I don't fully agree with you; this problem arises because I'm using Sun Ray. But you're right, I found the solution when searching on the net, not in Oracle forums.
    The solution is to create
    .config/autostart/*.desktop
    with:
    X-GNOME-Autostart-enabled=false
    It seems OK, even if I have other problems, for instance Firefox and Thunderbird crashing regularly, even though I'm up to date with packages (ULN too).
    In the past, I used to use Sun Rays with Solaris 10; there was a document to tune GNOME when using Sun Rays, but I can't find the same thing for Oracle Linux.
    thanks for your reply,
    gerard

  • The word "flash" pops up before watching a video, I am only able to watch the video after clicking on Flash

    The word "flash" is seen on the screen before watching a video on the Internet or YouTube; I am only able to watch the video after clicking on Flash.

    You installed the ClickToFlash or ClickToPlugin Safari Extension. It's one of the few such things that is actually beneficial. It intercepts Flash Player or other plugins before they load so that you can control them.
    http://hoyois.github.io/safariextensions/clicktoplugin/
    Most Flash content consists of intrusive advertisements that you probably do not want. ClickToFlash prevents them from loading and slowing down your browser, burdening your Mac's resources, and draining its battery. In many cases those advertisements will just annoy you with popups that often fraudulently proclaim your Mac to be infected with some ick, offering the "cure". Many people fall victim to those scams. Don't be one of them.
    ClickToFlash allows you to create a whitelist to allow Flash Player to load for sites that you specify such as YouTube - read the above link for instructions. Otherwise, ClickToFlash will block Flash content by default. Click the grey box to allow the content to load.
    Go to the Safari menu > Preferences > Extensions. If you don't want ClickToFlash, simply click the Uninstall button and it will be gone.
    While you're there look for other Extensions that may be present. If you see any that you do not recognize or do not want, get rid of them the same way. Toggling the "on/off" switch to "off" disables all Extensions.

  • ISE machine authentication timeout

    Hi all,
    We have an ISE infrastructure and we have enabled user and machine authentication through EAP-TLS.
    Everything is working fine except that every hour the user must log off and log in again because machine authentication has, I think, expired!
    As you can imagine this is unacceptable. I saw that the machine restriction age is only 1 hour and changed it to 8 hours.
    My question is: if the machine restarts 7 hours after the first successful authentication, will the timer reset, or will it be kicked after an hour and have to log off and on again?
    How have you bypassed the timeout of the MAR cache?
    My ISE version is 1.2 with 2 patches installed.
    Thank you
    Sent from Cisco Technical Support iPad App

    Hi
    Cisco ISE contains a Machine Access Restriction (MAR) component that provides an additional means of controlling authorization for Microsoft Active Directory-authentication users. This form of authorization is based on the machine authentication of the computer used to access the Cisco ISE network. For every successful machine authentication, Cisco ISE caches the value that was received in the RADIUS Calling-Station-ID attribute (attribute 31) as evidence of a successful machine authentication.
    Cisco ISE retains each Calling-Station-ID attribute value in cache until the number of hours that was configured in the "Time to Live" parameter in the Active Directory Settings page expires. Once the parameter has expired, Cisco ISE deletes it from its cache.
    When a user authenticates from an end-user client, Cisco ISE searches the cache for a Calling-Station-ID value from successful machine authentications for the Calling-Station-ID value that was received in the user authentication request. If Cisco ISE finds a matching user-authentication Calling-Station-ID value in the cache, this affects how Cisco ISE assigns permissions for the user that requests authentication in the following ways:
    • If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a successful authorization is assigned.
    • If the Calling-Station-ID value is not found to match one in the Cisco ISE cache, then the authorization profile for a successful user authentication without machine authentication is assigned.
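    The two replies above (Federico's and this one) describe the same mechanism: the MAC address carried in RADIUS Calling-Station-Id is cached on every successful machine authentication for a configured Time to Live, and a later user authentication from the same MAC is authorized differently depending on whether the cache still holds that entry. The following Python model is an added example, not code from the thread or from Cisco; the profile names, the event format and the assumption that a renewed machine authentication simply rewrites the entry with a fresh TTL are choices made for this illustration. It also reproduces the situation in the original question: a user logging on from a machine that never performed machine authentication lands in the "user without machine" profile.

```python
"""Minimal model of a Machine Access Restriction (MAR) cache (added example).

Profile names and the event layout are assumptions for this illustration,
not ISE identifiers.
"""

from dataclasses import dataclass, field

# Authorization profile names used by this model (assumed, not ISE built-ins).
PROFILE_MACHINE_ONLY = "Machine_Authenticated"   # machine auth succeeded, no user yet
PROFILE_USER_WITH_MAR = "User_And_Machine"       # user auth with a MAR cache hit
PROFILE_USER_NO_MAR = "User_Without_Machine"     # user auth, no machine auth on record
PROFILE_DENY = "DenyAccess"                      # the authentication itself failed


def normalize_calling_station_id(value: str) -> str:
    """Canonicalise a MAC so 'aa-bb-cc-dd-ee-ff' and 'AA:BB:CC:DD:EE:FF' compare equal."""
    hexdigits = "".join(ch for ch in value if ch.isalnum()).upper()
    if len(hexdigits) != 12 or any(ch not in "0123456789ABCDEF" for ch in hexdigits):
        raise ValueError(f"not a MAC address: {value!r}")
    return hexdigits


@dataclass
class MarCache:
    """Maps a normalised Calling-Station-Id to the time its cache entry expires."""
    ttl_seconds: float
    _expiry: dict = field(default_factory=dict)

    def record_machine_auth(self, calling_station_id: str, now: float) -> None:
        # Every successful machine authentication writes the entry, so a machine
        # that re-authenticates before expiry gets a fresh TTL. That refresh
        # behaviour is an assumption of this model, not something the thread states.
        key = normalize_calling_station_id(calling_station_id)
        self._expiry[key] = now + self.ttl_seconds

    def has_machine_auth(self, calling_station_id: str, now: float) -> bool:
        key = normalize_calling_station_id(calling_station_id)
        expires_at = self._expiry.get(key)
        if expires_at is None:
            return False
        if now >= expires_at:
            # Time to Live elapsed: the entry is deleted from the cache.
            del self._expiry[key]
            return False
        return True


def authorize(cache: MarCache, event: dict, now: float) -> str:
    """Decide the authorization profile for one authentication event.

    event = {"kind": "machine" | "user", "calling_station_id": "<mac>", "success": bool}
    """
    if not event["success"]:
        return PROFILE_DENY
    mac = event["calling_station_id"]
    if event["kind"] == "machine":
        cache.record_machine_auth(mac, now)
        return PROFILE_MACHINE_ONLY
    if event["kind"] == "user":
        return PROFILE_USER_WITH_MAR if cache.has_machine_auth(mac, now) else PROFILE_USER_NO_MAR
    raise ValueError(f"unknown event kind: {event['kind']!r}")


def replay(events: list, ttl_hours: float) -> list:
    """Run a time-ordered list of (seconds, event) pairs through one MAR cache."""
    cache = MarCache(ttl_seconds=ttl_hours * 3600)
    return [authorize(cache, ev, t) for t, ev in events]


HOUR = 3600
# Constructed sample timeline for one corporate laptop with an 8 h TTL, as in the
# thread, plus one personal device that never performed machine authentication.
SAMPLE_EVENTS = [
    (0 * HOUR,   {"kind": "machine", "calling_station_id": "aa-bb-cc-dd-ee-ff", "success": True}),
    (0.5 * HOUR, {"kind": "user",    "calling_station_id": "AA:BB:CC:DD:EE:FF", "success": True}),
    (7 * HOUR,   {"kind": "machine", "calling_station_id": "aa-bb-cc-dd-ee-ff", "success": True}),
    (9 * HOUR,   {"kind": "user",    "calling_station_id": "aa-bb-cc-dd-ee-ff", "success": True}),
    (16 * HOUR,  {"kind": "user",    "calling_station_id": "aa-bb-cc-dd-ee-ff", "success": True}),
    (16 * HOUR,  {"kind": "user",    "calling_station_id": "11-22-33-44-55-66", "success": True}),
]

if __name__ == "__main__":
    for (t, ev), profile in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, ttl_hours=8)):
        print(f"t={t / HOUR:5.1f}h {ev['kind']:7s} {ev['calling_station_id']:17s} -> {profile}")
```

    Running the sample shows the user at 9 h still getting the combined profile because the machine re-authenticated at 7 h (under the model's refresh assumption), the same user at 16 h dropping to the restricted profile once that 8 h window has passed, and the personal device never reaching the combined profile at all.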

  • ISE Machine authentication

    Hi
    I enabled machine authentication for Windows machines, but I have some Mac OS X laptops that authenticate with MS AD that I need to exclude from MAR. I tried to apply a specific authz policy, but every time it fails because of MAR. Any idea?

    One way you could do this is to utilize profiling. You can then create a policy that authorizes Macs without forcing them to go against the MAR check.
    On the other hand, if your Macs are joined to your domain, then you can eliminate MAR and simply perform PEAP (machine) based authentication for both your Macs and Windows machines.
    You could also create a special rule for Macs that authenticate via PEAP (user) based authentication.
    Hope this helps!
    Thank you for rating helpful posts! 

  • Private network issue - Windows 7 machine not restricting Windows 8 on the network

    I have 2 machines at my home, a Windows 7 Home Premium and a new machine with Windows 8.1. The Windows 8 machine can get to anything, regardless of user account, regardless of directory, including hidden files and folders, on my Windows 7 machine without requiring any kind of authentication. This is not the case for a 2nd Windows 7 machine that I can connect to the same network: it can't see the first Windows 7 machine on the network at all.
    I've validated that the advanced sharing options on my Windows 7 machine are set to the following (in all the network profiles):
    Network discovery is turned off
    File and printer sharing is turned off
    Public folder sharing is turned off
    Media streaming is blocked
    File sharing encryption is enabled for 40- and 56-bit encryption (to allow a Vista laptop to share files)
    Password protected sharing is turned on
    I'm not using Homegroup, and have ensured that even the names of each not-used Homegroup on each machine are different, and the passwords for each homegroup are different just in case.
    I can go to File Explorer on the Windows 8 machine, and in the network section, the Windows 7 machine is visible (why, since it is not discoverable?). If I go to Windows Explorer on the Windows 7 machine, I get an error message that network discovery must be enabled for me to view other devices on the network....
    From File Explorer on my Windows 8 machine, I can select the C: drive on the Windows 7 machine, and see any folder, any file without any restriction. There is no prompt for userid/password, and the userid I'm using on the Windows 8 machine does not exist on the Windows 7 machine. I can READ anything, I can copy any file from the Windows 7 machine to the Windows 8 machine, but I do get an error message that I need permission from SYSTEM to save some changes directly to the Windows 7 machine (for example, renaming a file in the windows\winSxS directory).
    I really want to have the Windows 7 machine discoverable so I can get to the Windows 8 machine too. I would like to force userid/password authentication on each machine (both have multiple user accounts) when accessed from a network. But my primary problem is the lack of blocking any access from the Windows 8 machine to the Windows 7 machine.... Any help appreciated.

    Hi,
    "I'm not using Homegroup, and have ensured that even the names of each not-used Homegroup on each machine is different, and the passwords for each homegroup is different just in case."
    I am confused about this sentence. Did you ever use HomeGroup?
    In addition, I suspect the Windows 7 and Windows 8 computers have the same local administrator user account and password. Both UNC access and Windows logon use LSA authentication. The LSA handles user logon and authentication on the local computer, and if the authentication package processing the logon request supports pass-through authentication, the LSA can also log users on to other computers on the network. So, using the same administrator account with the same password will bypass the authentication in UNC.
    Please change the local administrator user password which you used to access the Windows 7 machine from the Windows 8 machine, for a test.
    Karen Hu
    TechNet Community Support

  • Machine authentication on WPA2 PEAP-MSCHAPv2 wireless network

    Is there any way to set up machine authentication on Leopard or Snow Leopard, associating the device to a WPA2 Enterprise wireless network using PEAP with MSCHAPv2?

    In Snow Leopard, open Network preferences, select the AirPort port and click on the Advanced button. Click on the 802.1X tab, where you should find what you want.

  • Cisco NAC: Issue for the Wireless Users being assigned "Un-Authenticated Role" to stop accessing the Network !!!

    Hi,
    I am looking for a solution to deal with the wireless NAC users authenticating (web login only) from a particular AD group. The mapped users get into a particular role and access VLAN, but un-mapped users get the default role, which is "Un-Authentication Role", but also get the same access VLAN. So the unwanted users also get the same access, which is undesired.
    I tried one solution: I put those users into a role named "Deny_Role" and enabled a timer of 1 minute (the least time) on it, which seems to work, but I can see that the user is disconnecting (session timeout) after 3 or 5 minutes. I want to limit this, but again, I do not find this an appropriate solution.
    We could deal with wired users easily: bounce the port and get them again in the "Unauthenticated Role", and the VLAN will be "Un-Auth VLAN" with no network access, or redirect them into a particular role with a specific VLAN. But this is not valid in the case of wireless users.
    So, I am looking for a solution to deal with the wireless users in this situation...
    Please advise or give an idea.
    BR,
    Mubasher Sultan

    Hi,
    Any idea or suggestion...
    BR,
    Mubasher Sultan

  • Can see and recognize my wireless network and Internet is working, but I can't connect with ANY computers/iPad/iPod/air TV, etc. I have reset the time machine several times, and can see the network, but cannot access it with any device. PLEASE HELP!

    I have Comcast Internet and have it connected to a Motorola Surfboard modem and have that running directly to a 2TB Time Capsule. The TC is serving as our Time Machine as well as our wireless router. We lost power in a storm a week ago and can no longer connect to my wireless network. I can see the network and sign into it via password, but cannot connect with any device (iMac, MacBook, iPhones, iPod touches, Apple TV, etc.). ALL of these devices worked great before the power went out. I reset both modem and TC and still can't connect. I can connect to the Internet through an Ethernet cord directly from the modem and have confirmation (per Comcast service) that the Internet is working and we have a good connection.
    The TC is less than six months old so I'm not sure what is wrong. I have reset settings with TC to no avail. I have reset the TC SEVERAL times and have no idea what could be wrong and what is prohibiting me from connecting. Anyone that has ANY suggestions or ideas as to how to fix this, PLEASE HELP!!!  I'm going crazy using iPad 3G and not being able to connect to our wifi. THANKS FOR YOUR TIME AND I LOOK FORWARD TO GETTING BACK TO THE 21ST CENTURY! 

    Anyone have any ideas or information to help with this?  Any help and consideration is MUCH appreciated.

  • Windows 7 fails when authenticating to another computer on the network

    In Windows 7 (home premium, 64 bit), I am attached to a VPN (Using OpenVPN). Then, whenever I try to either:
    - Use explorer to look at the file system of another computer 
    - Use the remote desktop connection on another computer
    - Map a folder on another computer as a network drive
    ... in all of these cases, I get the authentication dialog and once I send my username and password, it crashes. For example, when I use explorer, it hangs, and then comes back with the message: "Explorer has stopped working"
    I have elsewhere seen a proposed solution for similar symptoms, of deleting this key: 
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling 
    However, this is not applicable in my case, as the key is not present.
    I don't think that this can be a problem with the network, because:
    a) this works fine from a different computer, running XP,
    b) I have in fact seen this working on this computer, but just once, straight after a system restore, and I can't replicate the success by doing another system restore.
    c) If it were a problem with the network, you would expect Windows to fail gracefully.
    Additionally:
    - Disabling the firewall doesn't help.
    - Disabling the antivirus software (AVG) doesn't help.
    - Doing a clean boot doesn't help.
    I'd be grateful for any suggestions.

    try changing windows authentication levels
    http://social.technet.microsoft.com/Forums/windows/en-US/aca3e2d0-6d43-431f-bbba-3c01aea6d5a6/changing-authentication-level?forum=w7itpronetworking
    http://technet.microsoft.com/en-us/library/jj852207.aspx

  • Time Machine backup to another Mac on the network

    Hi, my wife is getting a new iMac. I was wondering if I partitioned the new drive in the iMac, one partition for the iMac OS X installation and the other for backing up my MacBook Pro over the network. Would this work?
    So it would be:
    iMac backed up to external FireWire drive
    MacBook Pro backed up to second partition on iMac over local network
    My network uses a 8 port gig switch & an Airport Extreme router.
    Any ideas or help would be great, thanks.

    Check out this article:
    http://lowendmac.com/zisman/08az/time-machine-shared-backup.html

  • Office 2013 can't open word, excel files from the network after upgrade to 8.1

    Hello,
    Recently, I upgraded all PCs from Win 8 to Win 8.1. After the upgrade I noticed that I can't open any Word documents and Excel files. Before the upgrade I had no problem opening any files. All PCs have over 500GB free space on the hard drive. Other PCs that run Win 7 have no problem opening them, only the ones with Win 8.1. This is what I got:
    I right click --> Properties and there is no Unblock. All files reside on the network server.
    Please help.
    Jimmy

    Hi Jimmy,
    Did you get any error message when you try to open an Excel file/Word document?
    If so, you can post the error message and event log here. Also, if you have antivirus software installed, try to disable it to test this issue.
    In addition, what happens if you add the network server location as a trusted location?
    Wind Zhang
    TechNet Community Support

  • Officejet 4620 drops off the network after the first operation

    HP 4620 drops off the network soon after one operation is performed. I have to turn it off and on again to bring it online, and then it repeats. The message is "unable to communicate with printer". I have run all the diagnostics and they say the printer is operating normally. I have downloaded the latest drivers. Running Win 7 (64 bit). My only clue is that I have a new router, Netgear.

    Hi LennieZup
    I understand you can print over the network one time and then you have to turn the printer off and on again to continue to print.
    I will be happy to assist you with this.
    It may not be the printer; it may be your router's inability to wake the printer.
    Disconnect the power cable on the router for 10 seconds, then reconnect the power cable again. You might need to check to see how many devices can be set up on the router at the same time. This depends on the router.
    I would recommend updating the printer's firmware. HP Officejet Firmware.
    I have included a document for Printer Does Not Maintain Wireless Connection. Try step six: Assign your HP product a static IP address.
    If you need more assistance just let me know.
    Please click “Accept as Solution ” if you feel my post solved your issue, it will help others find the solution.
    Click the “Kudos Thumbs Up" on the right to say “Thanks” for helping!
    Gemini02
    I work on behalf of HP

  • HP 200 MFP M276nw not seen in the network after changing router

    Printer:  LaserJet Pro 200 color MFP M276nw
    LAN: two PC's (Windows 7) and the printer wired to the router.  Other devices connect wireless.  Internet service is cable.
    I installed this printer when a Linksys E2500 router was in use.  The network configuration after installation of the printer was:
    IPv4 address: 192.168.1.120
    Subnet Mask: 255.255.255.0
    Default Gateway: 192.168.1.1
    IP Configured By: DHCP
    I replaced the Linksys router with a Netgear WNDR4500 (N900) router one month ago. Everything worked fine for about two weeks. Suddenly, the jobs sent to the printer started to take a very long time to begin printing, until they stopped printing altogether. The printer did not appear as an attached (wired) device in the router's Web-based interface. Not even the HP printer software or the HP Print and Scan Doctor could find a printer attached.
    I uninstalled and reinstalled the printer, but was not successful until I changed the Ethernet cable connecting the printer to the router. The difference is that the old cable is Cat5e and the replacement a Cat6 ??? It is printing and scanning now, but the printer is still absent as a wired device, and I am afraid that it will stop working once again.
    I noticed that the printer's network configuration after reinstallation is:
    IPv4 address: 169.254.230.140
    Subnet Mask: 255.255.0.0
    Default Gateway: 169.254.230.140
    IP Configured By: AUTOIP
    Searching the Web, I found an article saying that AUTOIP might be a sign of router or cable problems.  My suspicion is that the printer's IP address is changing constantly and that's the reason for the printing delay.
    My questions to the experts are: could I assign a manual IP address to the printer so I can add in the router -it provides for doing so-, and how is this done?   In the HP Device Toolbox, under IPv4 Configuration, there is a drop-down menu with different options -DHCP, BOOTP, AUTOIP, and Manual- but I don't know if changes are done here, or if it is a more complex undertaking.
    Thank you very much.
    Cordially,
    Miguel Iturralde

    I fixed the problem the same day I posted the help request.
    I shut everything down, including the cable modem and router, but left the printer on. Went to the printer's panel and changed the IPv4 configuration from AutoIP to Manual. I had already picked an IP address starting with 192, since I've read that IPs starting with 169 are associated with AutoIP settings. From there, the printer presented valid Subnet Mask addresses; I picked one, as well as a Default Gateway address. Then I shut down the printer.
    I turned back on the modem, router, PCs, and printer. The router then showed the printer as an attached device with its newly assigned IP address.
    I suspected the cable was not a problem here, so I put back the Cat5e Ethernet cable. What baffles me is why the printer changed to AutoIP, because it was not done by any user. Checking the reports printed when the printer was first installed, I see that the IP address method was DHCP. After putting in the new router, changes consisted of the SSID name and password in the wireless devices, and a firmware update of the router.
    This was learning by trial since I am not a computer expert, but so far, we are able to print and scan documents.
    Thanks to everyone who took the time to read the post and offered help.
