NAC integration with WLC

Any doc on implementing inband wireless with NAC?
Let's say 2 SSIDs. 1 staff that has 30 networks based on 30 locations and 1 guest network for all locations. The controller is trunked to the switch. How do you force the traffic to go to the CAS?
Thanks in advance!

In-Band Virtual Gateway is the recommended configuration. What you have in the link is In-Band Real IP. You can use either one... with Real IP you will need static routes. In In-Band Virtual Gateway, the NAC will bridge the traffic from the untrusted to the trusted.
Basically the SSID is mapped to a VLAN like 50 and that is passed onto a dot1q trunk to the switch. VLAN 50 is not routed and the only other port on VLAN 50 is the untrusted port on the CAS. The CAS then bridges that to... let's say VLAN 51, which is routed on the network.
Every time I have to deploy one of these, it still confuses me somewhat... So hope this doesn't confuse you.
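
The layout described in the reply above only forces traffic through the CAS if the untrusted VLAN really has no routed interface and no other ports. A configuration check for that, as an added example that is not part of the original posts: the switch config text, interface names and addresses are constructed, and only VLAN 50/51 come from the reply.

```python
import re

# Constructed IOS-style switch config. VLAN numbers follow the reply:
# VLAN 50 = untrusted (SSID side), VLAN 51 = trusted (routed side).
# Interface names and addresses are made up for the example.
GOOD_CONFIG = """\
interface GigabitEthernet0/1
 description trunk to WLC
 switchport mode trunk
 switchport trunk allowed vlan 50
!
interface GigabitEthernet0/2
 description CAS untrusted port
 switchport mode access
 switchport access vlan 50
!
interface GigabitEthernet0/3
 description CAS trusted port
 switchport mode access
 switchport access vlan 51
!
interface Vlan51
 ip address 10.0.51.1 255.255.255.0
"""

# Same config with two mistakes: an SVI on VLAN 50 and a stray access port.
BAD_CONFIG = GOOD_CONFIG + """\
!
interface Vlan50
 ip address 10.0.50.1 255.255.255.0
!
interface GigabitEthernet0/10
 switchport mode access
 switchport access vlan 50
"""

# The only ports that may carry the untrusted VLAN (assumed names).
EXPECTED_PORTS = {"GigabitEthernet0/1", "GigabitEthernet0/2"}


def parse_interfaces(config):
    """Return {interface_name: [sub-command lines]} from IOS-style text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
    return interfaces


def expand_vlans(spec):
    """Expand a VLAN list such as '50,60-62' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def routed_vlans(interfaces):
    """VLANs that have an active SVI with an IP address."""
    routed = set()
    for name, lines in interfaces.items():
        m = re.fullmatch(r"[Vv]lan(\d+)", name)
        if m and "shutdown" not in lines and any(
                l.startswith("ip address ") for l in lines):
            routed.add(int(m.group(1)))
    return routed


def ports_carrying(interfaces, vlan):
    """Physical ports that carry the VLAN as access or trunk member."""
    ports = set()
    for name, lines in interfaces.items():
        if name.lower().startswith("vlan"):
            continue
        allowed, access = None, None
        for line in lines:
            m = re.match(r"switchport trunk allowed vlan (?:add )?([\d,-]+)$", line)
            if m:
                allowed = (allowed or set()) | expand_vlans(m.group(1))
            m = re.match(r"switchport access vlan (\d+)$", line)
            if m:
                access = int(m.group(1))
        if "switchport mode trunk" in lines:
            # A trunk with no allowed list carries every VLAN.
            if allowed is None or vlan in allowed:
                ports.add(name)
        elif access == vlan:
            ports.add(name)
    return ports


def audit(config, untrusted, expected_ports):
    """Return findings that would let clients reach the network around the CAS."""
    interfaces = parse_interfaces(config)
    findings = []
    if untrusted in routed_vlans(interfaces):
        findings.append(f"VLAN {untrusted} has a routed SVI: clients can bypass the CAS")
    carrying = ports_carrying(interfaces, untrusted)
    for port in sorted(carrying - set(expected_ports)):
        findings.append(f"{port} carries VLAN {untrusted} but is not the WLC trunk or CAS untrusted port")
    for port in sorted(set(expected_ports) - carrying):
        findings.append(f"{port} should carry VLAN {untrusted} but does not")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit(cfg, 50, EXPECTED_PORTS))
```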

Similar Messages

  • Win 2008 R2 radius integration with WLC 5508

    Requires help in integrating Win 2008 R2 Radius server with WLC 5508

    Step by Step instructions - NPS & Wireless LAN Controller
    PEAP Authentication - http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html
    EAP-TLS
    https://kb.meraki.com/knowledge_base/radius-creating-a-policy-in-nps-to-support-eap-tls-authentication
    hope that helps, Please let me know if you have any other questions in regards to setting up your NPS server
    Please rate that post if it answers your question or helps you  to resolve the problem.

  • ISE integration with WLC 7.0 code

    Hi friends,
    I just need to clear up my doubts about the features that are not supported in 7.0 code.
    The features not supported in this integration are as follows:
    No support for guest clients – posture for guest user is not supported
    H-reap local switching is not supported -
    No support for WLAN(s) without 802.1x support.
    Client will go through posture during slow roam – when client is associated used 802.1x (not wpa2 or cckm) then when client roams from one WLC to other – WLC will send new session ID hence client will again go through posture validation process.
    No support for guest tunneling mobility.
    Mac auth. bypass is not supported
    VLAN pooling is not supported
    No support for AP group
    What are VLAN pooling, MAC auth. and guest tunneling mobility? Can you please explain?
    And I need to know whether these features are supported, and if yes, then in which code?
    Especially CWA, VLAN pooling and AP groups?
    Appreciate your reply!
    Thanks

    VLAN Pooling:
    Integration of VLAN Pooling, or the VLAN Select feature, in the 7.0.116.0 release provides a solution to this restriction where the WLAN can be mapped to a single interface or multiple interfaces using interface group. Wireless clients associating to this WLAN will receive an IP address from a pool of subnets identified by a MAC hashing algorithm which is calculated based on the MAC address of the client and the number of interfaces in the interface group. In the instance that the interface selected from the interface group by the MAC hashing algorithm does not serve the IP address to the client for some reason (DHCP server unreachable, DHCP scope exhausted, etc.), that interface will be marked as dirty and a random interface is selected from the interface group.
    Guest Tunneling:
    Mobility, or roaming, is a wireless LAN client's ability to maintain its association seamlessly from one access point to another securely and with as little latency as possible. For more detail you can see
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mobil.html

  • NAC Integrated with Guest Server

    Hi all,
    I encountered a problem which happened when I integrated NAC with Guest Server.
    Hope I can find solution here!
    When I create an account in Guest Server, the account will also be created in NAC as local user.
    If I chose "Time Profile - Start-End", the account will be created in NAC.
    But if I chose "Time Profile - from First Login", the account will not be created in NAC.
    So the guest can't login with this account using "Time Profile - from First Login".
    All the configuration in the document including "Radius Client and Accounting" was correctly configured.
    But I still can't find the solution.
    Please answer me if you know the answer. Thanks a lot!!!!
    Jet Li
    Taiwan SI

    Hi Jet Li,
    This should be expected since only time profiles with start-end are supported when integrating NGS with the NAC Appliance solution:
    http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_guestpol.html#wp1063409
    "Cisco NAC Guest Server Version 2.0 supports only start/end and from creation profiles when used with Cisco NAC Appliances"
    Regards,
    Fede
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • NAC ADSSO with WLC 4400

    I'm setting up this scenario today and have never done that and was wondering if there are any 'gotchas' i need to watch out for, or anything any of you have done/learned while implementing this.
    I do have one specific question: the preshared key under VPN auth / VPN concentrators, where the WLC is to be added, where is the preshared key configured on the WLC?
    NAC is running 4.1.3.1, not sure about WLC.
    I do have ADSSO working on the wired network, so at least that part is done.
    TIA

    I am currently testing NAC for wired guests and AD SSO for staff. We are planning to offer wireless guest services using Cisco infrastructure once wired is working. I was wondering about NAC and wireless guest services. We are deploying in-band as it requires for wireless so is there anything I am missing or will need to integrate wireless with NAC.

  • NAC integration with LDAP

    Is this integration possible? The idea is that the agent will do authentication with LDAP directly.

    Hi Anoop,
    To adapt an SAP Workflow, you can create a configuration. In this configuration you can redefine values for steps of the workflow definition. These values are evaluated at runtime instead of the values originally defined.
    You can configure the following step types:
    Activity
    User decision
    Document from template
    Wait
    Moreover,Features
    You can set the following data individually in the step definition of the configurable step types:
    1)Responsible agents
    2)Excluded agents
    3)Message recipient for completion
    4)Priority
    5)Requested start
    6)Indicator denoting whether the step is included in the    workflow log
    7)Activation of a latest end, a latest start, or a requested end with the reaction Send mail
    This URL provides info about various workflow codes http://help.sap.com/erp2005_ehp_02/helpdata/en/9b/572614f6ca11d1952e0000e82dec10/content.htm
    Regds,
    Krutarth
    ·        Reference date/time for latest end, latest start, and requested end
    ·        Message recipient for missed deadline
    ·        Information about the work item display

  • Guest-Anchor-WLC and NAC integration guide

    I was trying to find some design reference for the Guest-WLC and NAC integration guide. Anyone can share some experience/cisco docs/links?

    User traffic is locally bridged on a 1030 in REAP mode, so packets forwarded to the default gateway would follow the NAT rules on the firewall, but the real challenge is the LWAPP control channel. In the past, using 1:1 NAT, I was successful with a CP firewall, but I had to play tricks with the mobility group and use the FW logs to track and define the right ports.

  • WLC not integrating with Radius Server

    Hello world,
    I have the following situation:
    One WLC 2000 Series (software version 7.0.230.0) with multiple SSIDs; one is with 802.1x integrated with a Radius Server.
    Everything worked fine until a few days ago, when users were unable to log on via their certificates on Windows XP.
    The infrastructure didn't suffer modifications.
    What I have checked: Radius certification isn't expired, client certification isn't expired, the password between controller and Radius is correct.
    There are no ACLs between the WLC and the remote server. I can ping the devices; other SSIDs on the same controller (WPA/PSK) are working correctly.
    The APs are 1242.
    I have tried deleting the SSID and configuring it back. The OS on the Windows Server is 2003 Standard. The APs are configured H-REAP.
    I have increased the Server Timeout from Radius Authentication Servers from 2 to 30 sec.
    The message logs received on WLC Trap Logs:
    RADIUS server X.X.X.X:1812 failed to respond to request (ID 161) for client xx.xx.xx.xx.xx.xx/ user 'unknown'
    The message from the debug dot1x aaa enable:
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_CALLING_STATION_ID(31) index=1
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_CALLED_STATION_ID(30) index=2
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_PORT(5) index=3
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_VAP_ID(1) index=7
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_SERVICE_TYPE(6) index=8
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_FRAMED_MTU(12) index=9
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_EAP_MESSAGE(79) index=11
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_RAD_STATE(24) index=12
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_MESS_AUTH(80) index=13
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df AAA EAP Packet created request = 0x1cff348c.. !!!!
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Sending EAP Attribute (code=2, length=6, id=10) for mobile xx.xx.xx.xx.xx.xx.
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00000000: 02 0a 00 06 0d 00                                 ......
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
    *radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df [BE-resp] AAA response 'Interim Response'
    *radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df [BE-resp] Returning AAA response
    *radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df AAA Message 'Interim Response' received for mobile xx.xx.xx.xx.xx.xx.
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.329: 00:15:e9:33:75:df Skipping AVP (0/27) for mobile xx.xx.xx.xx.xx.xx.
    The messages on Windows 2003 Standard:
    User Y was denied access.
    Fully-Qualified-User-Name = xx.domain.com/Users_T/user
    NAS-IP-Address = X.X>X.X
    NAS-Identifier = Cisco_
    Called-Station-Identifier = ---------------------
    Calling-Station-Identifier = ---------------------
    Client-Friendly-Name = ---------------------
    Client-IP-Address = ---------------------
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 1
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = Wireless Policy
    Authentication-Type = EAP
    EAP-Type = Smart Card or other certificate
    Reason-Code = 262
    Reason = The supplied message is incomplete.  The signature was not verified.
    User Y was denied access.
    Fully-Qualified-User-Name = xx.domain.com/Users_T/user
    NAS-IP-Address = X.X>X.X
    NAS-Identifier = Cisco_
    Called-Station-Identifier = ---------------------
    Calling-Station-Identifier = ---------------------
    Client-Friendly-Name = ---------------------
    Client-IP-Address = ---------------------
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 1
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = Wireless Policy
    Authentication-Type = EAP
    EAP-Type = Smart Card or other certificate
    Reason-Code = 262
    Reason = The supplied message is incomplete.  The signature was not verified.
    Can anyone help with why I cannot log the users on via 802.1x?

    Okay that is good..... this is what I would do next.  I would create a test SSID that uses PEAP MSCHAPv2 and create a new policy in IAS that is basic.  Allow 802.1x wireless and user group only and see if you can reconfigure one of the XP machines for PEAP.  Can you also post a screenshot of your policies (connection and network) so we can review it.
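
The hex dump in the WLC debug output above (`02 0a 00 06 0d 00`) is the EAP packet the controller relays to RADIUS, and decoding it shows which EAP method and handshake step the client had reached. A decoder for the EAP header (RFC 3748) and the EAP-TLS flags byte (RFC 5216), as an added example that is not part of the original posts; the second sample packet in the main block is constructed.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}
# Methods that carry TLS records behind a flags byte (L, M, S bits).
TLS_BASED = {13, 21, 25, 43}

# Hex-dump line copied from the debug output in the post.
DEBUG_LINE = ("*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00000000: "
              "02 0a 00 06 0d 00                                 ......")


def hex_from_debug(line):
    """Pull the packet bytes out of one WLC hex-dump debug line."""
    m = re.search(r": [0-9a-f]{8}: ((?:[0-9a-f]{2} )+)", line)
    if not m:
        raise ValueError("no hex dump found in line")
    return bytes.fromhex(m.group(1))


def decode_eap(packet):
    """Decode an EAP packet into a dict; raise ValueError if it is malformed."""
    if len(packet) < 4:
        raise ValueError("EAP header is 4 bytes; packet is truncated")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError(
            f"EAP length field {length} does not fit {len(packet)} captured bytes")
    packet = packet[:length]  # anything past the length field is padding
    info = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident,
            "length": length, "type": None, "flags": None,
            "tls_message_length": None, "payload_len": 0, "ack": False}
    # Success and Failure packets have no Type field.
    if code not in (1, 2) or length < 5:
        return info
    eap_type = packet[4]
    info["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
    body = packet[5:]
    if eap_type not in TLS_BASED:
        info["payload_len"] = len(body)
        return info
    flags = body[0] if body else 0
    body = body[1:]
    names = [n for bit, n in ((0x80, "L"), (0x40, "M"), (0x20, "S")) if flags & bit]
    info["flags"] = names
    if flags & 0x80:  # L bit: 4-byte total TLS message length follows
        if len(body) < 4:
            raise ValueError("L flag set but TLS message length is missing")
        info["tls_message_length"] = struct.unpack("!I", body[:4])[0]
        body = body[4:]
    info["payload_len"] = len(body)
    # A Response with no L/M/S flags and no TLS data is an acknowledgement
    # (RFC 5216 uses this as the fragment ACK).
    info["ack"] = code == 2 and not names and not body
    return info


if __name__ == "__main__":
    print(decode_eap(hex_from_debug(DEBUG_LINE)))
    # Constructed sample: first fragment of a 3000-byte TLS message.
    print(decode_eap(bytes.fromhex("010b000e0dc000000bb816030100")))
```

For the packet in the post this yields an EAP-TLS Response with id 10, length 6 and no TLS data, which matches the `code=2, length=6, id=10` line printed just before the dump.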

  • [Fwd: Re: Integration with CM Systems ...]

    -------- Original Message --------
    Subject: Re: Integration with CM Systems ...
    Date: Thu, 10 Aug 2000 15:47:21 -0600
    From: Cindy Eldenburg <[email protected]>
    Organization: BEA Systems, Inc.
    Newsgroups: weblogic.developer.interest.personalization
    References: <398f3c55$[email protected]>
    Prashanth,
    There are a lot of differences in what the Documentum does as compared to Interwoven Teamsite. Comparing these items is like comparing apples and oranges.
    Normally in Teamsite, during the document capture process, a Teamsite user categorizes documents by specifying the documents' metadata attributes using Teamsite templates. Once the documents are captured, the Interwoven OpenDeploy workflow mechanism is used to publish the content to the WLCS database.
    Unlike Interwoven Teamsite, Documentum products manage the metadata and documents in their own repositories. Thus, with this integration, WLCS queries the Documentum system at runtime via a specialized JDBC driver supplied by Documentum. Once the Documentum user captures a document and tags it with metadata attributes, the document may be immediately available to WLCS (depending on administrative options in Documentum, such as whether staging is involved).
    Please contact your sales person for a more detailed overview of what these two products do and how they interface to WLPS.
    Cindy Eldenburg
    Prashanth A wrote:
    Can anyone explain to me clearly what does Weblogic mean when it says it integrated with Interwoven and Documentum. Is there any difference in the way it interacts with Interwoven as compared to Documentum. As in a run-time interaction with Documentum whereas a static integration with Interwoven


  • ISE device registration webauth with wlc 7.0 lwa

    Is it possible to use the DRW feature with WLCs running 7.0 code?  All configuration examples refer to 7.2 code.  It's only for guest user device registration.  No profiling / provisioning.
    Compatibility matrix says that "Wireless Controllers support MAC filtering with RADIUS lookup. For WLCs that support version 7.2.103.0, there is support for session ID and COA with MAC filtering so it is more MAB-like."
    Thanks.

    Hi,
    The reason you need to run the upgraded code is that the radius NAC feature coupled with a mac-filtering enabled SSID will work together. On the release prior you were unable to get both features to work with one another.
    For your reference here is the item in the New Features section of the 7.2 WLC release notes:
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_2.html#wp855314
    thanks,
    Tarik Admani
    *Please rate helpful posts*

  • NAC Framework with TrendMicro Policy Server? External Posture Assessment?

    Hi
    I've got a NAC Framework 2.1 setup using NAC-L2-802.1x with 2950 switches and so far it's working great. I've recently begun testing NAC with TrendMicro OfficeScan, which includes the Trend Policy Server for Cisco NAC.
    I've imported the Trend.adf file, created a new Internal Posture Validation to check these TrendAV settings (DAT version, protection enabled, etc) and it is working great with the clients. (Healthy if up to date, quarantined if out of date).
    What I'm trying to do is get this integrated with the Trend Policy Server for Cisco NAC. I've created an External Posture Validation entry for the Trend Policy Server;
    https://win2k3std:4343/antibody
    And have supplied it with the password (no username is needed to log in to the web console of this server). I've also selected Trend:AV as the forwarding credential. I've gone into Network Access Profiles and made sure this was selected as an External Posture Validation Server and set it to quarantine under "Failure Posture Token". When I test this from the client (once I've enabled External Posture Validation), it always ends up quarantined (even though the client is fully up to date). If I disable the External Posture Validation server from the NAP, the client test passes as Healthy (since all AV is up to date).
    I've got the Policy Server for Cisco NAC defined under NAC on my Trend OfficeScan server, and on the Policy Server for Cisco NAC, I've got the OfficeScan server defined. Yet, no matter what I've tried, the client always fails with this msg in the CSACS logs;
    Posture Validation Failure on External Policy
    Does anyone have any experience or help with this. Thanks very much.
    Jason Humes

    Please check the links for the Configuration and Troubleshoot of NAC
    www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/48/cam/48cam-book/m_agntd.html
    www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/47/cam/47cam-book/m_agntd.html#wp1234860

  • ISE integration with Mobile Device Management ( MDM ) help required

    Dear Techies,
         I am here to bring to your notice a different issue, with not many resources to support it even in PEC or Cisco documents.
         We are conducting a Proof of Concept (PoC) on Secure Bring Your Own Device (BYOD) using Cisco ISE and are going to test all the scenarios like wired, wireless and VPN user access.
    Setup Brief :
    =========
          Our setup has an ISE VM acting as Admin, Monitor and Profiling device; we have a NAC 3315 physical appliance as Inline Posture device, a Wireless LAN Controller, an access point, and the identity source is Microsoft Active Directory.
         We have plans to integrate Mobile Device Management (MDM) and a Citrix VDI setup also.
    Activity Brief:
    =========
         As of now we have tested the wired scenario authentication and authorization for guest users and are going to carry out the profiling and posture.
    Clarifications Required
    ================
    Wired Scenario - Require some configuration / steps on how to carryout posture for the guest wired users i.e. LAPTOP.
    Wireless Scenario
    Can MDM be integrated with ISE?
    How can MDM be integrated with Cisco ISE? Is there a configuration or guide that shows this?
    What is the demarcation between MDM and ISE (i.e. what is the role of ISE and MDM on mobile devices)?
    If MDM is available, then where does the control of ISE end: does MDM do the management, or will ISE do management of the devices?
    Will MDM do client provisioning, or should ISE do it?
    Does MDM send or update patches for mobile devices?
    As of now these are the scenarios; kindly revert if there are any good documents that show this, or share your expertise on the integration part.
    Thanks for Reading...
    Arun

    I would like to avail your valuable inputs to understand on the  Client provisioning part for the Mobile Devices/ Laptop. I understand  from your reply that MDM integration is not available in the current  release ISE 1.1 - That is correct.
    Kindly let me know your views or any documents on the following scenarios with the current release in mind
    1. User  with Mobile devices connecting to Wireless  ( both Employee  and Guest ) , How the Flow differs for the Employee and Guest.  How the  client provisioning is done ( i.e. Like Posturing  or Compliance Check  ).
    The posturing and compliance check is done based on the user authentication information (i.e. AD memberOf vs Guest user) combined with the user's endpoint (Windows, Mac OS X, or a mobile device). ISE then has a few decisions to make based on the authorization policies. For example, if a Domain User coming from a Windows 7 machine joins the network, they can either use the NAC agent or the web agent. Then you can scan for registry settings, file settings, program requirements, hotfix compliance... and the list goes on. If the user fails a check, then you can either assign an ACL for the user so they only have guest access, or you can place them into a remediation VLAN; the options are entirely up to the requirements and however the solution is implemented.
    2. User  with Laptop  connecting to Wireless  ( both Employee  and Guest ). How the client provisioning is done ( i.e. Like Posturing   or Compliance Check ).
    Guests are usually redirected to the guest portal which they authenticate and their user group falls within the Guest container that is on the ISE internal database, that is usually coupled with an authorization profile that grants them internet access. For the client provisioning, that is usually done based on the operating system, via profiling (dhcp, and user agent string., netmap...etc) and can be fine tuned for all laptops or to a specific set of users based on their group membership.
    3. What are advantages of having ISE also in  place for Mobile devices, since most of the Mobile related tasks ( like  Authentication, Authorization, Profiling and  Posture ) are carried out  by MDM. I am checking for the significant advantage of having ISE for  Client network having only Mobile devices. Kindly clarify.
    Currently the advantage of Cisco ISE is that it supports profiling within wireless and really fits well within a network that has mostly Cisco products, since they are all part of the Borderless security initiative being driven on the backend. The product teams for wireless, wired, security (VPN, etc.) and ISE are pretty close in building their solutions so that you can get connected with any device anywhere (sorry for the sales pitch). The latest wireless code is improving and is going to have support similar to the IOS sensor for wired devices, where DHCP, CDP, and other attributes can be sent in the RADIUS packet for better profiling decisions. With integration for an MDM platform coming soon, and also support for TACACS rumored (have to verify with your account rep), you have options that really stand out from a unit that only supports MDM. Cisco ISE also comes with a wireless product ID, so that makes the budget work when it comes to deploying ISE if you aren't looking for enforcement on your wired devices.
    4. Do you recommend 802.1X Authentication to use for the Employee and Contractor? The Guest user  authentication as Open ?
    For internal users and vendors the best option by far is dot1x; almost all operating systems are capable of performing dot1x, and the 1.1.1 MR has a piece now that can provision the supplicant for the users, by using SCEP to enroll certificates or configure PEAP settings.
    There is a feature within the guest portal that allows you to statically assign guests into an endpoint group; that feature is called device registration web authentication. It seems like an open network but uses MAC filtering to assign these devices to an endpoint without requiring users to enter any credentials. They are presented with an AUP page; once they accept, their MAC address is mapped to the endpoint group.
    5. How can we ensure the Encryption of traffic from the Guest user to the NAD ( Network Access devices ) ?
    This may be a wireless question but I am sure the encryption is done using AES and using dot1x as the key management here is a brief background for this - http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807f42e9.shtml#L2
    You can also use the anyconnect client which can provide macsec which is layer 2 encryption for wired - http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-622477_ns1049_Networking_Solutions_Q_and_A.html
    6. We are also looking for VDI  ( Citrix, VMware ) solution for the  client  ( both Employee and Guest ) , how ISE can play a role in  securing the VDI environment.
    For most thin clients you can perform dot1x authentication on the device itself, however that is something the manufacturer will have to support. This is a little gray for me.
    7. Is that any integration required  with Citrix or VMware. How the  VDI can be offered based on the User  role ( i.e. Employee, Contractor or Guest ), since Guest database is  available only with ISE, how the checks are made from the VDI  environment.
    In ISE there is an identity sequence which can authenticate users in AD first; if the user is not found, then it can look in the internal database.
    Our solution demands MDM in the integrated solution. As of today ISE can't be integrated with MDM, so what kind of solution can we propose to have MDM and Cisco ISE? Should the clients that now enter the network already have the MDM agent installed, or is there any other way of pushing the same to the client?
    Today there is no integration between the devices, the last release time I heard was December for this feature. However it would be best to confirm with your Cisco Account rep on this issue.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Integrate NAC Appliance with Active Directory

    We are trying to implement, for our customer, a NAC appliance integrated with Active Directory single sign-on.
    The NAC is configured with L2 OOB. The user first connects to the switch and gets the authentication VLAN, then the user is authenticated using their domain account login; if successful, the user is mapped to the VLAN assigned to them.
    The agent SSO installed on Active Directory is running well, and at the CAS the SSO service has also started.
    Let's say I have this situation:
    1. User A has been assigned to VLAN 15 Employee
    2. User A plugs into the switch, gets the dummy VLAN and authenticates using the domain account on AD. If that succeeds, the port will be bounced; the user is running a Cisco agent in the background
    3. Now user A has their own VLAN ID 15
    I've created the authentication server on the CAM for Active Directory, but I find it so difficult to configure mapping rules between user roles and Active Directory. The guidance PDF on how to implement NAC that I downloaded from Cisco does not mention how to map user roles to Active Directory...
    Has anyone configured mapping rules from user roles to Active Directory?

    So you would create a mapping rule against your lookup server like so.
    Say the AD group membership is "Finance".
    For ADSSO you would apply the mapping rule to your LOOKUP Server,
    where the expression is
    memberOf contains CN=Finance, and apply it to role Employee. If VLAN 15 is your employee VLAN, then you would designate VLAN 15 in your Employee role under user role configuration.
    Now, you can't test this with ADSSO with the test auth function, so what I like to do is create an AD authentication server and test against that. As long as you have some form of mapping configured, the auth results will return all memberships for the username you log in with, so you can get the syntax exactly right.

  • Integration between WLCS and Documentum WCM Starter  Kit

    Has anybody a successful installation of WLCS and Documentum WCM Starter Kit?
    If your answer is yes:
    Can you share the files: weblogic.properties, weblogiccommerce.properties
    and set-environment.bat?
    TIA
    Regards
    David

    The WCM Edition Starter Kit will not install the BEA Integration with 3.2
    Commerce Server. One way to solve the problem is to go to the registry key
    HKEY_LOCAL_MACHINE/Software/BEA Systems/BEA Weblogic Commerce Server and
    look for the folder 3.2. Change the folder value from 3.2 to 3.1 after
    installing BEA WebLogic Commerce Server 3.2. Then run the install.
    Solution provided by Carmen M. DaCosta (Documentum Technical Support)
    "David Solis" <[email protected]> wrote in message
    news:[email protected]..
    Has anybody a successful instalation of WLCS and Documentum WCM StarterKit?
    >
    If you answer is yes:
    Can you share the files: weblogic.properties, weblogiccommerce.properties
    and set-environment.bat?
    TIA
    Regards
    David
