LAP 1131 Monitor mode configuration

Hi,
Can anyone assist me in setting up monitor-mode on an 1131?
I've got WCS, WiSMs and 27 flrs (27 vlans) of LAPs. I want to test 'Monitor Mode' on a dedicated LAP. I've got as far as configuring a trunk on the connecting switch, for the LAP, but I'm unsure where to go next.
How do I know/verify it's working or building an ARP cache?

Hi David,
Maybe this will help get you started;
The Monitor function is set for all 802.11 Cisco Radios on a per-access point basis using any of the Cisco Wireless LAN Controller user interfaces.
You can configure an individual AP mode simply, once the Lightweight AP is connected to the controller. In order to change the AP mode, connect to the controller web-interface and navigate to Wireless. Click on Details next to the desired AP in order to display a configuration screen.
A Lightweight AP mode of operation defines the role of the AP. The modes related to the information presented in this document are:
Local: This is the normal operation of an AP. This mode allows data clients to be serviced while configured channels are scanned for noise and rogues. In this mode of operation, the AP goes off-channel for 50 ms and listens for rogues. It cycles through each channel, one at a time, for the period specified under the Auto RF configuration.
Monitor: This is radio receive only mode, and allows the AP to scan all configured channels every 12 seconds. Only de-authentication packets are sent in the air with an AP configured this way. A monitor mode AP can detect rogues, but it cannot connect to a suspicious rogue as a client in order to send the RLDP packets.
Note: DCA refers to non-overlapping channels that are configurable with the default modes.
Rogue Detector: In this mode, the AP radio is turned off, and the AP listens to wired traffic only. The controller passes the APs configured as rogue detectors as well as lists of suspected rogue clients and AP MAC addresses. The rogue detector listens for ARP packets only, and can be connected to all broadcast domains through a trunk link if desired.
From this good doc;
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a0080722d8c.shtml
Hope this helps!
Rob

Similar Messages

  • Windows 7 Authentication Failures in Monitor Mode on ISE 1.2

    Hi Support,
    I have a configuration whereby most of my Windows endpoints are not running DOT1x yet. We eventually intend to authenticate them via AD and looking to push out the Windows DOT1x client to all live users soon. Currently users are getting network access due to the fact that all ports have "authentication open" set and the default Authz policy is set to Permit Access (we aren't using MAC address endpoint tables to allow MAB etc).
    I now have my first test group of users using DOT1x and they match a specific AuthZ policy I have added that checks for their specific AD group on the AD. All is fine.
    However I have just added DOT1x to a second test group of users who currently do NOT have any specific matching AuthZ policy (they are on the same AD server but in a different group which I have not defined a policy for yet), and I was expecting they would still join using the default Authz policy. However they do not and on closer observation using "ipconfig" their adapter displays "Media Unauthenticated". I researched this and found that the Windows endpoint can set this condition if you disable the "Fallback to Unauthorized Network" check-box in their dot1x settings. Now I could easily check this box but don't understand why I need to as I surely should be hitting the Default AuthZ policy. However when I debug the switch port I am getting the following:
    %DOT1X-5-FAIL: Authentication failed for client (xxxxxxxxxxx) on Interface Gi2/0/26 AuditSessionID 0A540201000064AD8FC27A96
    This appears to suggest my AuthC is failing (rather than AuthZ or is the word Authentication a bit vague here?), so here is my question:
    1. My AuthC DOT1X policy looks at the Identity Source Sequence that includes the AD server that contains specific groups for BOTH my first test group and my second test group. Users from my first and second test group seem to be hitting this AuthC rule according to ISE.
    2. My AuthZ policy contain a specific policy for my first test group ONLY, but the final Default Rule is set to Permit Access. From the ISE perspective ALL users in my second test group are actually successfully getting this policy. The Authentication Troubleshooting page shows them getting the DOT1X AuthC policy and the Default Rule AuthZ policy. However the message in the switch debug suggests a failure and with my Windows DOT1x client settings as above, the adapter is therefore effectively disabled.
    3. All this is occurring in Monitor mode, which I thought was harmless provided I don't give additional attributes (VLAN, ACL) to the profiles!
    Very confused!
    All help welcome
    Mark

    Please provide us with your Event Viewer administrative logs by following these steps:
    Click Start Menu
    Type eventvwr into Search programs and files (do not hit enter)
    Right click eventvwr.exe and click Run as administrator
    Expand Custom Views
    Click Administrative Events
    Right click Administrative Events
    Save all Events in Custom View As...
    Save them in a folder where you will remember which folder and save as Errors.evtx
    Go to where you saved Errors.evtx
    Right click Errors.evtx -> send to -> compressed (zipped) folder
    Upload the .zip file to skydrive or a file sharing service and put a link to it in your next post
    Wanikiya and Dyami--Team Zigzag

  • When does an AP get to Air-Monitor mode?

    Q: When does an AP get to Air-Monitor mode?
    A: In a Mobility-controller AP deployment there are just 3 conditions that an AP can go into an Air-Monitor(AM) Mode:
    1. If the am-mode is configured in the "rf dot11a-radio-profile" or "rf dot11g-radio-profile"
    To see if it is configured in the radio profile please use this filter in the show running-config command
    Example:
    (Aruba) #show running-config | begin "rf dot11a-radio-profile"
    Building Configuration...
    rf dot11a-radio-profile "default"
     mode am-mode    <-- indicates that the Airmonitor is enabled
    2. If Mode Aware ARM is turned on in the ARM profile then the AP turns to AM mode when it sees excess power from the neighbor AP
    To see if mode aware arm is enabled in the arm profile please use this filter in the show running-config command
    (Aruba) #show running-config | begin "rf arm-profile"
    Building Configuration...
    rf arm-profile "default"
       mode-aware    <-- indicates that the mode aware ARM is enabled
    3. During the Regulatory mismatch or un-supported
    a.    When there is no channel available for the AP’s operation for the country defined on the controller.
    Use the following command to verify the allowed channels for an AP
    (Aruba-7240) #show ap allowed-channels ap-name <name-of-ap>
    b.    When the AP has a different country from the controller’s country.
    Compare the country defined on the controller "(Aruba) #show country" to the country defined in the "(Aruba) #show ap regulatory-domain-profile <profile-name>". The ap regulatory-domain-profile will be mapped in the ap-group to which the ap is provisioned to.
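
The first two checks above can be run offline against a saved copy of the controller's running-config. This is an added example, not part of the original post or of Aruba's tooling; the sample configuration is constructed from the lines shown above, and the `!` block separators and the "lab-monitor" / "no-mode-aware" profile names are assumptions.

```python
import re

# Matches the three profile headers named in the post, e.g.
#   rf dot11a-radio-profile "default"
HEADER = re.compile(
    r'^rf\s+(dot11a-radio-profile|dot11g-radio-profile|arm-profile)'
    r'\s+(?:"([^"]+)"|(\S+))\s*$'
)

STATIC_AM = "radio statically configured in am-mode"
MODE_AWARE = "mode-aware ARM enabled: AP may switch to AM mode"

# Constructed sample. Only the profile headers and the "mode am-mode" and
# "mode-aware" lines come from the page; separators and extra profile
# names are assumptions made for this example.
SAMPLE_CONFIG = '''\
Building Configuration...
rf dot11a-radio-profile "default"
   mode am-mode
!
rf dot11g-radio-profile "default"
!
rf dot11g-radio-profile "lab-monitor"
   mode am-mode
!
rf arm-profile "default"
   mode-aware
!
rf arm-profile "no-mode-aware"
!
'''


def parse_profiles(config_text):
    """Return {(profile_type, name): [settings]} for the rf profiles of interest."""
    profiles = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        m = HEADER.match(line)
        if m:
            current = (m.group(1), m.group(2) or m.group(3))
            profiles[current] = []
        elif current and line[:1].isspace() and line.strip():
            # Indented line: a setting that belongs to the open profile block.
            profiles[current].append(line.strip())
        else:
            # "!", a blank line or any other top-level line closes the block.
            current = None
    return profiles


def air_monitor_findings(config_text):
    """List (profile_type, name, reason) for profiles that can put an AP in AM mode."""
    findings = []
    for (ptype, name), settings in parse_profiles(config_text).items():
        if ptype == "arm-profile":
            if any(re.match(r"mode-aware\b", s) for s in settings):
                findings.append((ptype, name, MODE_AWARE))
        elif any(re.match(r"mode\s+am-mode\b", s) for s in settings):
            findings.append((ptype, name, STATIC_AM))
    return findings


if __name__ == "__main__":
    for ptype, name, reason in air_monitor_findings(SAMPLE_CONFIG):
        print(f'{ptype} "{name}": {reason}')
```

The third condition (regulatory mismatch) is not covered, because it depends on the output of the `show ap allowed-channels` and `show country` commands rather than on the saved configuration.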

    Hi Marc,
    I have a shop system comprised of two web applications where one is for
    maintaining the shop and the other for using the shop. When I do changes
    to the shop from the one webapp they do not show up in the second, unless
    I call refresh. Also, I have to switch off the cache, it seems and do a
    flush on the changed objects. There are some questions now:
    a) when I call refresh, is the complete state reread regardless whether
    there have been changes or not or does it know, when the state has not
    changed in the DB ? it is a performance question, I guess.
    b) can I use transactional reads to do the refresh automatically ?
    c) I noticed that refresh does not do a deep refresh of all the objects
    referenced by the one to be refreshed. Is there a way to do this or do I
    have to go thru all the objects ?
    I asked some questions some time ago in another thread, which might refer
    to. I am sorry, if I am not clear enough.
    Best regards
    Wolfgang
    Marc Prud'hommeaux wrote:
    Wolfgang-
    I take the question to mean that you are wondering how you can refresh
    the state of a persistent instance to reflect changes in the data store.
    If that is the case, then you can just call
    PersistenceManager.refresh(ob) on the object, and the newer values will
    be obtained.
    If that doesn't help, can you clarify the question a little?
    In article <cj7ris$mhr$[email protected]>, Wolfgang Kundrus wrote:
    Do I have to use transactional reads for an object to get the changes done
    by another web application ?
    Thanks
    Wolfgang
    Marc Prud'hommeaux
    SolarMetric Inc.

  • Global correlation / reputation filtering in monitoring mode

    We use Cisco appliances primarily in monitoring mode. We'd like to use the IPS reputation filtering / global correlation to alert us when we have connections to "bad" IP addresses (e.g. botnet, etc). Is it even possible to use either of these features for this purpose? According to the following document it appears there may not be alerts for packets denied before signature analysis. Surely that can't be???
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_collaboration.html#wp1067283
    "Note This feature only applies to global correlation inspection where the traffic is allowed if no specific signature is matched. It does not apply to reputation filtering where the packet is denied before signature analysis, and no alerts are generated when packets are denied by reputation filtering. "

    Just listened to the techtalk on global correlation. about 16 minutes in...."we do not send events just to keep the load quiet".   Can someone from Cisco please confirm that this completely naive and poorly engineered facet of the solution still works this way? I'm sorry to sound like an arse, but I am so completely frustrated with the value we get out of these appliances.  Apparently, the ASA botnet functionality can do what we want, but not the stand alone IPS appliance....come on Cisco.

  • Client Servicing APs and wIPS Monitor Mode APs, and mixing AP models question???

    Customer environment in one location is a mix of 3502i and 3602i LAPs. Customer is running wIPS Monitor Mode APs (not ELM). The answer to this question may be obvious, but wanted to get some feedback. In this environment would it be better to have the 3600 APs servicing clients with the 3500 APs doing wIPS, or having the 3500 servicing clients with the 3600 APs doing wIPS?  Or a mix, both 3500 and 3600 APs serving clients as well as other 3500 and 3600 APs performing in the wIPS Monitor Mode role?
    Thank you

    It comes down to the performance required. If it was me and I had a choice, I would use the 3602's for client access and the 3502's for wIPS. Now does it really matter, not really. Your client access just can utilize the enhancement that the 3602's offer over the 3502's. wIPS AP's don't really care and it's client access that you should look at. Heck, you can still put some of the other in local mode with wIPS sub mode to be honest.

  • How to enable a dual monitor mode

    I have a MSI FX52000 VTD-128 board which is supposed to support a dual monitor mode. It has D-Sub analog, DVI and VIVO connectors.
    Would it be possible to connect primary monitor to DVI and secondary to analog output or only Video Out can be used for the secondary monitor?

    Have you installed the latest "Forceware" Drivers?...I think MSI's 52.70's are great...How you should go about setting up for two displays is to go into NVIDIA Driver Control Panel>trouble shooting>Click on the "Detect Displays" Button after you connect the other monitor ...Sean REILLY875

  • System freezes when enabling monitor mode for AR9285 on 2.6.36

    EDIT: OK, sorry guys, found some more infos on the topic:
    https://bbs.archlinux.org/viewtopic.php?pid=863772
    Bug report:
    https://bugs.archlinux.org/task/21683
    I am going to downgrade my kernel to 2.6.35.
    Hey all,
    I have a severe system failure when trying to set my wlan chipset into monitor mode - works with backtrack 4, which still uses 2.6.30 I guess
    reproduce with:
    Atheros AR9285 chipset on ArchLinux w/ Kernel 2.6.36 , drivers are standard ath9k which come with Arch Linux
    airmon-ng start wlan0 <channel>
    "panic occured, switching to console mode.." or something, after a long output, which doesn't get logged, supposedly..
    might be related to:
    https://bbs.archlinux.org/viewtopic.php?id=104231
    although ifconfig wlan0 up works without any problems..
    what can I do? downgrading my kernel to 2.6.30, or installing other drivers?
    I have to admit I'm not a power user when it comes to kernel and drivers stuff.. but willing to learn.
    Thank you
    Last edited by domcobb (2010-12-25 22:24:20)

    I can't help you, but I had a problem with kernel 2.6.36.1-3, too. I got a kernel panic, when I tried to boot. Only thing I could do was to revert to kernel 2.6.35.x. That happened on my big pc, not on my netbook. Maybe he didn't like my amd cpu, who knows.

  • Slideshow on 1st monitor (while in dual monitor mode)

    Apparently, Lightroom expects you to always use the second monitor for slideshows and does not allow you to use the first (no options available as far as my research went).
    My 1st monitor is bigger and would be my choice for slideshow presentations. I am sure I'm not the only person with this setup.
    (BTW: I don't quite understand why there's two shortcuts for slideshows on a Mac - "Cmd + Return" and "Shift + Alt + Cmd + Return". In dual monitor mode they do exactly the same, even though the distinction suggests they would have something to do with the target monitor...)

    me too originally! Until I remembered that LR never works like that!! The module system can sometimes get confusing trying to remember which things apply throughout LR and which things only on a module...however there is usually some way round every problem in the end, and one of the joys (or frustration dependent on how busy I am) is discovering it.

  • Open mode (monitor mode) with ise and catalyst switches

    Hi There,
    Anyone know if the following observation is correct ?
    From the TrustSec 2.1 "Monitor Mode" guide I get the idea that Open mode is not really as zero impact in a data gathering part of an ISE deployment as I was expecting. The guide describes using Profiling to authorize Cisco IP phones for the Voice VLAN.
    - Does this mean that regular methods like using CDP won't work for this once I enable dot1x on an access switch port interface?
    - And that I will need to figure out which ports should be set for multi-domain (phone+pc), and which should be set for multi-auth (possibly multiple devices on one port) during the open mode period?
    Regards
    Jan

    Hello Jan-
    Below is my input to your questions:
    From the TrustSec 2.1 "Monitor Mode" guide I get the idea that Open mode is not really as zero impact in a data gathering part of an ISE deployment as I was expecting.
    Yes, a device is still allowed on the network even if it fails all authentication methods (MAB, 802.1x, etc). Basically you use monitor mode to perform discovery and see what would have been blocked had ISE been deployed in production.
    The guide describes using Profiling to authorize Cisco IP phones for the Voice VLAN.
    Yes, you can use profiling to do this. Keep in mind that you will need advanced licensing for this. Otherwise, you can either use MAB with static MACs imported/entered in the local database or EAP-TLS with phone certificates
    - Does this mean that regular methods like using CDP won't work for this once I enable dot1x on an access switch port interface?
    CDP will still work; in fact some of the profiling happens thanks to CDP. However, the device is simply not going to be allowed to get on the network and the Voice VLAN unless it passes authentication/authorization.
    - And that I will need to figure out which ports should be set for multi-domain (phone+pc), and which should be set for multi-auth (possibly multiple devices on one port) during the open mode period?
    This really depends on how secure you want your network to be.
    Hope this helps!
    Thank you for rating!

  • Bridge cc expand to dual monitor mode when copying or deleting photos?

    why does bridge cc expand to dual monitor mode when copying or deleting photos?

    You say you're running 10.5.6?  Why haven't you updated to 10.5.8?
    FWIW, I never had color issues under 10.5.X, however I have since upgraded to 10.6.
    See the thread I started in which Adobe responded:
    http://forums.adobe.com/thread/483359

  • Dual monitor mode causes lag in edit response

    Has anyone seen this problem? In single monitor mode the response to edit moves is quite fast, in dual monitor mode there is a frustrating lag in response. Thanks in advance for any help you can share.

    whatisthis wrote:I had the same problem.  Fixed it by downgrading upower to version 0.9.7
    The bug has been reported
    Thanks a ton, I was trying to figure this out now and then and was getting frustrated.

  • Not pleased with PreEl 11 dual monitor mode

    Finally got PreEl 11 working on my PC and do not like the dual monitor mode. In previous PreEl programs I could detach the monitor and put it into another screen and still have all the tools on the other screen. Now the monitor and most of the tools move with the monitor so I have a split work space. Not very handy at all. I am HOPING that someone can figure out a way to move just the monitor and not everything else with it...

    If you've got a feature request, you should contact Adobe on their web site. (They're likely developing the next version now, so it's a good time to do so!)
    This is a user-to-user help forum. We can't do anything about the interface itself. (And, yes, breaking it into a timeline and everything else is really the only option for version 11.)

  • Elements 11 Preview Window not visible in dual monitor mode

    When I go to dual monitor mode the preview window is hidden. I can still hear the audio from the clip but I can't see the video window. It is still hidden when I switch back to single monitor mode. The only way to bring it back is to close out the program and reopen it. Does anyone know where it goes and how to make it visible?

    MAINEEDIT
    I have just set up for Premiere Elements 11 Dual Monitor Mode in Windows 8 64 bit computer.
    How do you have your monitors set up...Extend Across.. or other?
    I am not having any problems keeping track of what I believe you are referring to as the "Preview Window". So please excuse
    if I double check with you via the following screenshot.
    Preview Window which can be brought up
    a. double clicking the file in Project Assets
    b. double clicking the file on the Expert workspace Timeline
    I am going to go over this one more time with my Premiere Elements 11 and Windows 8 64 bit computer to see
    if I can create the situation that I am interpreting that you have.
    Thanks.
    ATR
    Add On...This especially makes me ask....
    When I reopen the program the preview window appears in its normal position.
    The Preview Window is going to close when you save/close the project. Are you saying that you re-opened the project
    to find the Preview Window opened?

  • Unable to Silent Monitor newly configured agent via SAD

    Unable to silent monitor newly configured agent via SAD (supervisor agent desktop).....attached is a screen shot of the error messages.
    I have verified the following -
    - agent is able to log in successfully...
    - supervisor is able to see the agent via realtime report etc...
    - agents that are being monitored successfully have the same NIC card and are on the same vlan as the new agent...
    - I am able to see the new agent extension and mac address under VoIP monitoring device in the CDA (cisco desktop administration)... 
    Please advise, thanks -  

    There is a utility in the newer releases of UCCX that is included with CAD on the agent PCs that can help narrow down the cause of this problem.  On the agent PC, navigate to C:\Program Files\cisco\desktop\bin and you will see NICQ.exe.  Run this utility while the agent is on a call.  This utility captures packets on the NIC and verifies that the PC is receiving packets from the phone correctly.
    If this tool reports that it cannot find an RTP stream, it's best to focus on the agent PC and their phone configuration.  On some phones, you may need to disable the advertise G722 codec, because this is not supported with CAD monitoring/recording yet.  Also, even though the MAC address shows up correctly in CDA for their extension, it's important to make sure the extension is only used once in CUCM by searching the route plan report.  Otherwise, the VoIP Monitoring service may receive the wrong device's MAC address when trying to filter for the RTP stream.
    Make sure the PostInstall tool on the agent PC has the correct NIC selected to capture traffic on.  This is important when the agent PC has more than one NIC installed.  This utility is also in C:\Program Files\cisco\desktop\bin on the agent PC.
    If the phone seems OK but the problem remains, you can isolate it to a PC by connecting the agent's phone to another PC, like the PC of an agent that can be monitored.  If the non-working agent can be monitored using their own login to CAD and their own phone on the other agent's PC, then it's just a matter of finding differences between the two PCs that can lead to the problem.
    Thanks,
    Brendan

  • AP monitor mode

    Hello,
    I have one question, I have wireless network with 45 APs, and I want to add some APs to use them in sniffer or monitor mode,
    would you please recommend, how many APs I need to sniff all the wireless network by design?
    Thanks in advance
    BR
    Tural L

    I just spent the last 30 minutes trying to find the document that I read that suggests 1/6 deployment for monitor aps. But unfortunately I am having little luck finding it.
    I did however, blog about this subject and conducted testing myself.
    http://www.my80211.com/home/2010/1/9/why-you-should-consider-monitor-access-points-as-part-of-you.html
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
