NAC with NON-cisco wireless
Hi there,
I know that with WLC 5.1 and NAC 4.5 Cisco started to support OOB, NAC implementation. Now here is my question:
A customer has CISCO environment except for the wireless which is another vendor. What are the options to bring wireless traffic into NAC server? Is OOB deployment possible?
Thanks,
rdianat
So what is the solution for this scenario?
Remote site has non-cisco autonomous wireless AP. NAC is centralized. I cannot use OOB since there is no support for non-cisco AP in OOB mode. As a result I use InBand mode. This means that local wireless traffic in remote site must travel to central site, go through NAC Server and go back to remote site. Is this correct?
Similar Messages
-
Inline Posture deployment for non Cisco Wireless Controller
Hi all of you
I have to deploy an Inline Posture to manage a non-Cisco Wireless Controller (ZoneDirector 1000 Ruckus). It seems easy but I don't know where to start. All the documentation I have read is about Inline Posture for VPN. I just want to use this Inline Posture to manage wireless users through the ZoneDirector wireless controller. Thank you.
Regards
Kouassi
-
I understand that access points can be configured to forward all the probe requests to the Cisco wifi controller. Cisco MSE (mobility service engine) gets the probes from the wifi controller to find the location of the mobile devices.
My question: can Cisco MSE (mobility service engine) be configured to work with non-Cisco access points?
No and the reason why is the NMSP communication from the MSE to the WLC. Other vendors don't support this so there is no communication happening.
-Scott
-
Auto Smartports with non-Cisco devices
I have used auto smartports in the past and have been successful creating macros that use mac-addresses.
My question is can I create a macro that works with non-Cisco devices that are CDP capable?
We have Motorola access points that use CDP and I would like to use auto smartports to put them on their own VLANs.
Can it be done using CDP? What version of the IOS would I need to be on? Currently the 3750-Xs are on 12.2.(55).
Are there any guides or configuration examples? I've searched but have been unsuccessful in finding anything so far.
I have seen some articles that reference device sensors and device profiles, but have no idea where to begin.
Thanks in advance for your support.
You may need to create a Cisco TAC case for this.
If not, then move this thread to the EEM section. If the Moto AP supports CDP then you can get someone (like Joe Clark) to build a small EEM script.
EEM is supported up to the 3560/3750.
-
Can WAE be integrated with non-cisco devices?
So far, all documentation that I read, WAE is used in conjunction with Cisco devices. Can WAE be integrated with non-cisco devices?
I guess, In-line mode should work ok, but how about off-path mode? An example or link will be appreciated.
Thanks!
Joe
Hi Joe,
It should be possible to use WAAS with non-cisco routers, as long as they support WCCP.
There are no documents on this because, the configuration from WAAS point of view would be the same, and the router configuration would depend on the vendor.
Regards
Daniel
-
Local RADIUS in AP1242 with non-cisco WinXP wireless clients
I'd like to configure local RADIUS in AP1242 and connect non-cisco WinXP wireless clients (for example notebook with integrated radio) with it. I did configuration (config1.txt) like in instruction: http://cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml
But I can't connect non-cisco WinXP wireless client with AP1242 anyway. At once Cisco wireless client with Aironet Desktop Utility connects with it without any problem. I've done some other configuration (config2.txt), but with the same result. Second configuration is rather then first.
How can I connect non-cisco WinXP wireless clients with AP1242 with local RADIUS?
Hi Stephen,
Thanks for the quick reply. Below is the switchport config. I am able to ping the AP from the switch and connect to its web page from any workstations.
interface GigabitEthernet0/5
switchport trunk encapsulation dot1q
switchport trunk native vlan 151
switchport mode trunk
end
-
Interconnecting cisco switches with non-cisco switches
I need help concerning interconnecting two Cisco switches (3550s) using a non-Cisco switch or hub on the LAN. I have noticed that the two Cisco switches connected using a non-Cisco switch are able to communicate well, however a PC connected to the non-Cisco switch/hub cannot ping any device on the LAN. The non-Cisco device is a working one. When the two Cisco switches are connected using a Cisco switch, PCs connected to the interconnecting switch are able to ping. What's the explanation? Please help.
Building configuration...
Current configuration : 3342 bytes
! No configuration change since last restart
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
clock timezone GMT -2
ip subnet-zero
ip rcmd rcp-enable
ip rcmd remote-username cwuser
spanning-tree mode pvst
spanning-tree extend system-id
interface FastEthernet0/1
switchport mode dynamic desirable
interface FastEthernet0/2
switchport mode dynamic desirable
interface FastEthernet0/3
switchport mode dynamic desirable
interface FastEthernet0/4
switchport mode dynamic desirable
interface FastEthernet0/5
switchport mode dynamic desirable
interface FastEthernet0/6
switchport mode dynamic desirable
interface FastEthernet0/7
switchport mode dynamic desirable
interface FastEthernet0/8
switchport mode dynamic desirable
interface FastEthernet0/9
switchport mode dynamic desirable
interface FastEthernet0/10
switchport mode dynamic desirable
interface FastEthernet0/11
switchport mode dynamic desirable
interface FastEthernet0/12
switchport mode dynamic desirable
interface FastEthernet0/13
switchport mode dynamic desirable
interface FastEthernet0/14
switchport mode dynamic desirable
interface FastEthernet0/15
switchport mode dynamic desirable
interface FastEthernet0/16
switchport mode dynamic desirable
interface FastEthernet0/17
switchport mode dynamic desirable
interface FastEthernet0/18
switchport mode dynamic desirable
interface FastEthernet0/19
switchport mode dynamic desirable
interface FastEthernet0/20
switchport mode dynamic desirable
interface FastEthernet0/21
switchport mode dynamic desirable
interface FastEthernet0/22
switchport mode dynamic desirable
interface FastEthernet0/23
switchport mode dynamic desirable
interface FastEthernet0/24
switchport mode dynamic desirable
interface GigabitEthernet0/1
switchport mode dynamic desirable
interface GigabitEthernet0/2
switchport mode dynamic desirable
interface Vlan1
ip address
ip default-gateway
ip classless
ip http server
snmp-server community
snmp-server community
snmp-server location
snmp-server system-shutdown
snmp-server enable traps snmp authentication warmstart linkdown linkup coldstart
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps flash insertion removal
snmp-server enable traps bridge
snmp-server enable traps stpx
snmp-server enable traps rtr
snmp-server enable traps port-security
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps MAC-Notification
snmp-server enable traps hsrp
snmp-server enable traps cluster
snmp-server enable traps copy-config
snmp-server enable traps syslog
snmp-server enable traps vlan-membership
line con 0
line vty 0 4
login
line vty 5 15
login
ntp clock-period 17180064
end
-
Can't connect to router with non airport wireless
I try again... my iMac won't connect wireless to my router. It actually connects, iMac says everything is fine, but when I connect to the internet, the colourful little wheel is spinning for hours... and nothing shows up.
With the same settings, using Airport Express, wired on the router, everything is working fine. I can't just switch to the other network.
Any clue?
You have a non-Apple wireless card in the iMac. Why would you do that?
Sounds like your wireless card is not getting an IP address. Check System Preferences - Network and verify both the ethernet and the wireless connections are getting DIFFERENT IP addresses. You have to go to your wireless card's website to find out how to connect it to an AEBS. Linksys has info on their site. Also your AEBS has to be set up to distribute IP addresses, otherwise, the AEBS and the iMac may have the same IP address and the system won't accept that.
-
NAC with OOB and Wireless 802.1x
Has anybody had any experience with integration of NAC OOB and 802.1x?
I have seen that there are some issues about it.
Working pretty well.
Check this out:
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml
-
802.1x problem with non-Cisco IP Phone, VVID enabled.
I am testing with a 3750 PoE switch running 12.2(25)SEE1 and trying to configure 802.1x to work with Mitel IP phones.
I have voice and data vlans configured on each port. Turning on 802.1x causes the phone to hang and timeout in DHCP Discovery. The port status from the switch is "Unauthorized".
interface FastEthernet1/0/2
switchport access vlan 1
switchport mode access
switchport voice vlan 2
dot1x pae authenticator
dot1x port-control auto
no mdix auto
spanning-tree portfast
end
Should anything be configured besides the Voice VLAN to let phones onto the network? There is no computer behind the phone right now. The only information I can find says I need a VVID, and any clients behind it will cross the PVID.
Thanks.
Yes it does.
Apparently the Mitel phones (testing a 5215 dual-mode) we have support EAP-MD5, but we have a primarily PEAP/EAP-TTLS environment. Apparently the phones need to use a username/password entered on each phone before they will send that to a Radius server doing EAP-MD5. Our PEAP clients authenticate to a Microsoft Radius server, and our EAP-TTLS to a Funk box. Hopefully the Microsoft can support both EAP-MD5 phones and PEAP on the laptops, I'll have to find out.
I was hoping this was a quick and easy Cisco configuration error... oh well.
-
Cisco Aironet FW 15.2 Does not work with Non-Cisco Media Bridges
I have a Cisco Aironet 1142i that was just updated from 12.4(23c)JY to 15.2(4)JA1 (don't think model matters as the issue seems to be the firmware) and now I cannot get my media bridges (3 different ones) to either connect to the 1142 AP or obtain and pass the DHCP addresses to other devices connected to the built-in switch. If I reload the 1142 AP firmware to 12.4, then this works fine. I have not seen anything in the release notes that changed how this works, or if there is I could not find it.
Does anyone know why this changed and if there are any settings that I need to enable / disable?
Any help on this would be greatly appreciated
More info to add to this.
AIR-AP1142N-A-K9 Hardware Version of v06 works with firmware 15.2.
AIR-AP1142N-A-K9 Hardware Version v05 does not work with firmware 15.2, but will when downgraded to firmware 12.4.
I'm also having this issue with Cisco Aironet 3602 Fw 15.2(2)JB and 3502 Fw 15.2(2)JB$ that's on a Cisco 2500 WLAN Controller Sw Ver. 7.4.100.0.
Any help on this would be greatly appreciated
-
Catalyst Express 500 802.1q with non-Cisco Phones
This weekend we spent hours trying to get 802.1q tagging to work on a VLAN with ShoreTel phones. The user interface on this switch seems to only allow "Cisco-Voice" VLAN, without any specifics. This didn't work. The specs on this switch say that the .1q is supported, but we couldn't figure it out. The more expensive switches were easier to configure for Voip QoS.
Can anyone advise me on the tricks to getting this to work with the lower end Catalyst Express 500? Or does this switch only support 802.1q with Cisco phones?
Cisco IP Phone uses CDP to let the IP phone know what VLAN it's supposed to be in (via voice-vlan). ShoreTel would definitely not use CDP since CDP is Cisco proprietary, so its voice VLAN must be defined on it; I remember Avaya being the same way. So, having said that, just make sure that the ShoreTel IP phones are in the right VLAN. What does not work anyway? ShoreTel IP Phone will not come up? Will not get its configuration from its software PBX? Use the smartport configuration on CE500.
Please rate all posts.
-
Using SVTI with non Cisco peers
Hello Community,
I have a particular setup in mind, but can't get it to work in a GNS3 environment to have it tested before trying it in our production setup.
We have a setup using two VPN routers (3845) with HSRP, BGP and VRF (with rri), using a classical setup with crypto maps, connecting other parties to our DC. We do not manage the peer hardware in these cases.
I have been looking into the possibilities to move from this setup, to a setup using SVTI with IPSEC. This change must be transparent to our peers; no config changes should be needed on their component(s).
So I've built our setup in GNS3 (apart from the BGP and VRF) to test this. I have the current IPSEC VPN with crypto maps working in GNS3, with both sides using the same (Cisco) setup in terms of ISAKMP and IPSEC with an ACL.
I've made the changes on "our" HSRP VPN setup according to "IPsec Virtual Tunnel Interface" guide from the Cisco site in GNS3 (can't seem to find the link to the online doc).
It looks like the tunnel is being built, but phase two is not completing, because of, I think, the mismatch between both peers on the encryption domain. The VTI side uses routing through the Tunnel interface, sending "IP any any" to the peer, whereas the peer uses an ACL expecting a specific source and destination.
Here's a debug snippet (ignore the date/time) seen from the peer (using an ACL):
*Mar 1 02:02:45.199: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address xx.xx.xx.xx
*Mar 1 02:02:45.199: ISAKMP:(0:9:SW:1): IPSec policy invalidated proposal
*Mar 1 02:02:45.199: ISAKMP:(0:9:SW:1): phase 2 SA policy not acceptable! (local xx.xx.xx.xx remote yy.yy.yy.yy)
*Mar 1 02:02:45.199: ISAKMP:(0:9:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
In this post, https://supportforums.cisco.com/message/3052235#3052235, it is suggested that when using a setup with VTI's, both sides/peers should use the same kind of setup i.e. VTI. I can imagine this to be realistic when you manage both peers.
All Cisco docs assume both peers use (S|D)VTI.
My questions:
1. Is it possible to have a setup where PeerA (Cisco hardware) uses SVTI with IPSEC and PeerB is unknown (can be any vendor) or uses some kind of ACL, given that all other encryption settings match?
2. Does anyone have experience with such a setup? If so, can you provide me with an example configuration?
3. Is there another similar solution using virtual interfaces or a loopback interface?
Thank you kindly for your input.
Avinash
I hope you can help me
Hi there,
Here is the related info for BE3000;
Q. Does Cisco Business Edition 3000 support third-party SIP phones and shared-port-adapter (SPA) phones?
A. No.
From;
http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/vcallcon/ps11370/qa_c67-697016.html
Cheers!
Rob
"Talk about a dream
Try to make it real"
- Springsteen
-
AEBS Does NOT WORK correctly with non-11n wireless devices
Well i don't know what they missed in their testing, unless they assumed everyone was going to run out and replace all their macs with 802.11n versions...
So here's the deal, my wired connection (ethernet to LAN port) is blazing fast, which it should be since I have cable internet access. My Powerbook on the other hand is constantly slowing down and speeding up. One minute it's browsing just fine, and the next minute it slows to such a crawl that the HTTP request times out. I've reset it, changed configs, nada, zip, zilch. There is something wrong with this new base station and it doesn't appear to be playing nice with 802.11g...yeah, I'm frustrated. Waited weeks for this and just spent hours trying to fix it when I should be playing with my new Mac Pro instead of monkeying around with the da@# AEBS.
Anyone figure this out, or are we going to be awaiting some firmware update?
I disagree, because basically Apple advertised that you could run both G and N devices at the same time on the new Extreme base station. While they said that running both on the same network would degrade the N performance, they never stated that overall performance would be WORSE than running a pure G network on the old base station.
All that said, I'm not running a mixed network; all I have are G capable devices, which according to Apple should run just fine, and should experience the same performance as they did on the previous Extreme base station. Well that has not been my experience, nor the experience of many others.
The most consistent performance I received was B level, and typically it didn't even hit the speeds of B level and could be measured in comparison to dial-up speeds. I have since gone completely ethernet to avoid the problem for now. Really, the whole reason I upgraded was not for the N speed, but for the ability to have both a printer and a network available hard drive attached to the base station.
I also want to add that I have uncovered another problem with the new Airport software: the Airport Disk extension. I was having another issue that appeared to be bad RAM. After weeks of troubleshooting, I finally determined that Apple's own Airport Disk extension was the source of the numerous kernel panics I had been experiencing on my brand new Mac Pro.
Long story short: The new Extreme base station was not ready, and they rushed it, I suspect in order to meet some financial deadline (quarter revenue, etc.). There are multiple bugs still yet to be worked out, including this new panic bug I have found.
Mac Pro Mac OS X (10.4.9)
-
Yet another PEAP question...non-Cisco cards...
So, we are about to embark on building a wireless network infrastructure using 1220 AP's. So far all wireless clients use Cisco cards and Win2k.
People are interested in all sorts of wireless devices now, some including built in wireless nics or no pci or pcmcia card slots.
We have ACS 3.1.1. Can we use PEAP in our situation with a client using say a Compaq tablet PC with an integrated NIC? Or, how about a desktop PC running Win2k using something other than a Cisco card? If so, what are the required pieces? PEAP supplicants? etc?
Thanks!
Hi,
In short, the answer is:
a) If ACS supports eap-chap (which Microsoft supports), you can use
a non-Cisco card with the Microsoft supplicant and it will work fine.
I believe ACS 3.2 will support it, I am not sure on ACS 3.1.1.
b) You can buy a 3rd party supplicant like Meeting House etc. and can use
a non-Cisco card.
http://www.cisco.com/warp/public/779/smbiz/wireless/wlan_security.shtml
http://www.cisco.com/en/US/partner/products/hw/wireless/ps458/prod_bulletin09186a0080100194.html
http://www.cisco.com/en/US/partner/products/hw/wireless/ps430/products_qanda_item09186a008010018c.shtml
PEAP is a hybrid process (combination of LEAP and EAP-TLS).
To download the server side certificate on ACS you can use the EAP-TLS doc.
Depending on the AP, use either of the following docs:
http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/accsspts/ap350scg/ap350ch8.htm
http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1100/accsspts/i1224ja/i1224icg/ivicgaut.htm
You have to be careful while selecting the client supplicant; you can choose the Cisco PEAP supplicant or the Microsoft PEAP supplicant.
You can have the Microsoft PEAP supplicant or the Cisco PEAP supplicant.
If you have Windows 2000 OS, then if you load Service Pack 3, the Microsoft PEAP supplicant is installed. On top of this, if you install ACU 5.05, the Microsoft supplicant will be overwritten by the Cisco supplicant.
In case of XP, if you install Service Pack 1, it will install the Microsoft PEAP supplicant; if you install ACU 5.05 it will be overwritten by the Cisco PEAP supplicant.
The Microsoft PEAP supplicant sends EAP-Chap in the EAP tunnel and Cisco supports EAP-GTC in the EAP tunnel.
With a non-Cisco card it depends on which RADIUS server and database you are running.
At present ACS 3.1 supports EAP-GTC so it will not interoperate with the Microsoft supplicant. In a later release ACS will have support for EAP-Chap so
that you can use a 3rd party card with the Microsoft supplicant and ACS 3.2.
http://www.cisco.com/warp/public/779/smbiz/wireless/wlan_security.shtml
http://www.cisco.com/en/US/products/hw/wireless
Nilesh