Open Authentication for Wireless Access
Hello,
The standalone implementation of an existing wireless network is configured as Open Authentication with a TKIP Cipher. The client key management is set to WPA PSK.
What exactly is the authentication for? I see that MAC and EAP are available options. Would these options be used to block or authorize the actual wireless devices that connect to the AP?
The next thing I see is Client Authenticated Key Management, and I am using WPA PSK. What exactly happens once I enter this PSK from the client? Is it only used to encrypt the data?
Thanks,
Kevin
Hi Kevin,
Using WPA we can configure either Enterprise or pre-shared key. Enterprise comprises EAP and pre-shared key is just the PSK.
If we are using EAP then auth will be done by the RADIUS and the encryption will still be TKIP. Now coming back to PSK, this is a shared key which will authenticate the users locally.
EAP is more secure auth compared to PSK.
Now regarding the "auth open" line: there are 2 kinds of auth in 802.11. Here, while using wireless we need to auth twice, dot11 authentication followed by the PSK or EAP auth. The auth open statement will force us to get the dot11 auth successful and then we move towards the needed auth like PSK or EAP. And the other one is Shared auth, which is very similar to WEP using open auth!!
In a nutshell we have 3 kinds of auth:
1> open - Dot11 auth
2> Shared - Nothing but WEP
3> 802.1X suite - EAP
Again, the below link may give you some insights as well!!
http://www.cisco.com/en/US/docs/wireless/access_point/12.2_13_JA/configuration/guide/s13auth.html#wp1035025
Let me know if this answered your question, and please don't forget to rate the useful posts!!
Regards
Surendra
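As an added illustration (not part of Surendra's reply) of what the PSK does once the station is past the open dot11 auth: the passphrase and SSID are stretched into the PMK exactly as 802.11i specifies, the 4-way handshake expands that into the TKIP PTK, the KCK part is what proves to the AP that the station holds the PSK (the EAPOL-Key MIC), and the TK part is what TKIP encrypts the data with, so the PSK does both jobs. The MAC addresses, nonces and message body in the simulation are constructed.

```python
import hashlib
import hmac
import os


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2 PSK -> PMK (IEEE 802.11i): PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits.
    The SSID is the salt, so the same passphrase gives a different PMK per SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label | 0x00 | data | counter) concatenated
    and truncated to nbits."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Pairwise Transient Key for TKIP (512 bits) from the 4-way handshake inputs:
    AP MAC (AA), station MAC (SPA) and the two nonces; both sides get the same PTK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 512)
    return {
        "KCK": ptk[0:16],   # confirms the handshake (EAPOL-Key MIC)
        "KEK": ptk[16:32],  # wraps the group key in message 3
        "TK": ptk[32:48],   # the key TKIP actually encrypts data with
        "MIC": ptk[48:64],  # TKIP Michael keys (tx/rx)
    }


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """EAPOL-Key MIC for key descriptor version 1 (TKIP): HMAC-MD5 with the KCK
    over the frame with its MIC field zeroed."""
    return hmac.new(kck, frame, hashlib.md5).digest()


def four_way_check(ap_passphrase: str, sta_passphrase: str, ssid: str):
    """Simulate the part of the 4-way handshake that authenticates a station.
    Returns (authenticated, TK derived by the AP). MACs and nonces are constructed."""
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = os.urandom(32), os.urandom(32)  # msg1 / msg2 nonces
    # each side derives PMK and PTK from its own copy of the passphrase
    ptk_ap = derive_ptk(wpa_pmk(ap_passphrase, ssid), aa, spa, anonce, snonce)
    ptk_sta = derive_ptk(wpa_pmk(sta_passphrase, ssid), aa, spa, anonce, snonce)
    # station sends msg2: SNonce plus a MIC computed with its KCK (MIC field zeroed)
    msg2 = b"EAPOL-Key msg2 (constructed body)" + snonce + b"\x00" * 16
    mic_from_sta = eapol_mic(ptk_sta["KCK"], msg2)
    # AP recomputes with its own KCK; a match proves the station holds the PSK
    authenticated = hmac.compare_digest(mic_from_sta, eapol_mic(ptk_ap["KCK"], msg2))
    return authenticated, ptk_ap["TK"]
```

The PMK check in the test uses the passphrase "password" / SSID "IEEE" vector from the 802.11i annex; a passphrase that differs by one character fails the MIC, which is the authentication step.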
Similar Messages
-
Radius authentication for privileged access
Hello,
I have configured Cisco 6513 for radius authentication with following commands.
aaa new-model
aaa authentication login authradius group radius line
aaa accounting exec acctradius start-stop group radius
radius-server host <radius-ip> auth-port 1812 acct-port 1646 key 6912911
line vty 0 4
accounting exec acctradius
login authentication authradius
This is working pretty fine. I want to configure radius authentication for priviledged access / for enable access.
I am using TeKRadius as Radius server.
Please help.
Thanks and Regards,
Pratik
Hi Pratik,
Sorry, I mostly use only TACACS+ for AAA, as it provides better granularity of access controls.
You'll need to make some specific changes to your RADIUS config so that nominated users (the ones you want to be able to go to enable mode) get put straight into enable mode upon login.
There's a guide here http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/ which details the steps if you're using the Microsoft IAS RADIUS server; you should be able to figure out the changes you need to make to your own server from there.
Nick
Message was edited by: NickNac79 - Spelt the OP's name wrong, sorry.
-
IOS 6.0.1 - Problems with certificate based authentication on wireless access point
Hi all
We have been using iPad 2s as order terminals in our shops for about 5 months. Some of the iPads (the first that entered the field) have started to cause problems now. These iPads are no longer able to keep a long-term connection to the wireless access point in our stores. After selecting the SSID, a successful authentication using the stored EAP-TLS certificate is performed (this can be seen in the log files of our wireless controller and by the IP address that is given by DHCP). But within seconds the affected iPads open up a captive portal page (empty, without contents) and drop the connection to the SSID again after a short time.
Currently only iPad 2s with iOS 6.0.1, which were staged about 5 months ago, are affected. The newer devices with iOS 6.1+ connect without problems and open no captive portal page. The first cases occurred last Wednesday. Before that everything worked without difficulty. No modifications took place in the security structure. The number of affected devices increased until all iOS 6.0.1 devices were affected.
Access to other SSIDs (without use of certificates, by entering a key) is still possible for the devices (the devices do not open a captive portal page). The DHCP scope is not used up, so there are enough IP addresses available.
"Newer iPads" with iOS 6.1+ are showing no problems on the same wireless access point where the older devices are rejected. New and old devices use the same certificates and authentication mechanisms.
In the analysis of the issue, it turned out that the problem can be solved by an update to iOS 6.1.3. Subsequently, the iPads are able to re-establish a connection with the access point, without a captive portal page.
Since the bandwidth in our stores is very narrowly dimensioned, the communication of the iPads was severely restricted. Thus the iPads are, for example, accessible for the APNS but cannot find iOS updates or check for their availability.
A comprehensive update to iOS 6.1.3 is currently excluded.
Does anyone know this issue? What else can be done (apart from updating)?
I will answer my own question in case it helps anyone else.
It would "seem" the iOS 6 devices try the proxy and if that is not working they resort to the default gateway.
To fix it I did the following:
The Brocade WiFi network has IPS and Advanced Firewall rules that seemed to be thwarting some traffic; the iPhones would then try the default gateway and be blocked at the FW.
I disabled the IPS and the Advanced Firewall settings on the WiFi as they are redundant to our main IPS and firewall that all traffic flows through anyway. I will tune it later, but when the CEO is demanding a fix: "**** the security, full speed ahead".
Created some rules on the firewall to allow...
- IMAP-SSL (port 993) outbound
- SMTPS (port 465) to Yahoo servers outbound
- TCP port 587 to Yahoo servers outbound
- HTTPS to Akamai servers
Most HTTP and HTTPS goes through the proxy as it should, BUT...
It seems that the Akamai traffic always ignores the WiFi proxy settings and just heads straight for the default gateway. I suspect there is a bug in the iCloud app?
Hope this helps someone else.
-Bo
-
Need Authentication for SMTP Access
I have this Java program (SendMail.java) for sending email; however, my ISP requires authentication for SMTP server access, i.e. I receive a "550 Authentication Required" error. Does anyone know how to go about coding authentication into a program like SendMail so that the user ID and password can be sent back to the server?
/*
 * SendMail.java
 * Created on July 13, 2005, 8:09 PM
 *
 * To change this template, choose Tools | Options and locate the template under
 * the Source Creation and Management node. Right-click the template and choose
 * Open. You can then make changes to the template in the Source Editor.
 *
 * @author Owner
 */

// SendMail by Tony Swain.
// Send mail via SMTP
// To do: Appletisize it.
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.PrintStream;
import java.net.Socket;

// To do: finish multithreading and/or write a queue thread.
// This program sends mail via SMTP as defined in RFC 821.
// ftp://ftp.isi.edu/in-notes/rfc821.txt
public class SendMail {
    Object mailLock = null; // In case we want a multi-threaded mailer
    public String mailServerHost = "";
    public String from = "";
    public String to = "";
    public String replyTo = "";
    public String subject = "Java is Fun";
    public String mailData = "HyperSendMail";
    public String errorMsg = "";
    public Socket mailSendSock = null;
    public BufferedReader inputStream = null;
    public PrintStream outputStream = null;
    public String serverReply = "";

    SendMail() {
        // Doesn't do anything but we need this for extension purposes.
        mailLock = this; // open() synchronizes on this, so it must not stay null
    }

    // Server, from, to, subject, data
    SendMail(String server, String tFrom, String tTo, String sub, String sendData) {
        mailServerHost = server;
        mailLock = this; // Thread monitor passed to constructor later. Default: this monitor.
        from = tFrom;
        to = tTo;
        if (sub != null) {
            subject = sub; // the posted version never stored the subject it was given
        }
        if (sendData != null) {
            mailData = sendData;
        }
    }

    /* Just a note to remind myself to add this for cross app./Applet & Runnable
       & Threadsafe readLine(). I'm too lazy ATM:
       SendMail() {
           if (mailLock != null) {
               if (mailLock instanceof Applet) {
                   Applet app = (Applet) mailLock;
               }
           }
       }
    */

    // SMTP lines must end in CRLF on every platform; println() would use the
    // platform separator, so write the terminator explicitly and flush each command.
    private void sendLine(String line) {
        outputStream.print(line + "\r\n");
        outputStream.flush();
    }

    public void send() {
        if (!open()) { // Yikes! get out of here.
            return;
        }
        try {
            sendLine("HELO sendMail");
            serverReply = inputStream.readLine();
        } catch (Exception e0) {
            e0.printStackTrace();
        }
        try {
            sendLine("MAIL FROM:<" + from + ">");
            serverReply = inputStream.readLine();
            // I cheat and don't look for the whole 550
            // we know 5 is an error anyway. Add it in if you want.
            if (serverReply.startsWith("5")) {
                close("FROM: Server error :" + serverReply);
                return;
            }
            // Note the switch here. We could get mail from somewhere and by
            // pre-setting replyTo reply somewhere else :)
            if (replyTo == null || replyTo.length() == 0) {
                replyTo = from;
            }
            sendLine("RCPT TO:<" + to + ">");
            // Ya got me! I didn't look for any 250 OK messages. Add it in if you really want.
            // A real programmer will spend 30 hours writing self modifying code in order
            // to save 90 nano seconds ;) we assume if it didn't give an error it must be OK.
            serverReply = inputStream.readLine();
            if (serverReply.startsWith("5")) {
                close("Reply error:" + serverReply);
                return;
            }
            sendLine("DATA");
            serverReply = inputStream.readLine();
            if (serverReply.startsWith("5")) {
                close("DATA Server error : " + serverReply);
                return;
            }
            sendLine("From: " + from);
            sendLine("To: " + to);
            if (subject != null) {
                sendLine("Subject: " + subject);
            }
            if (replyTo != null) {
                sendLine("Reply-to: " + replyTo);
            }
            sendLine("");
            sendLine(mailData);
            sendLine("."); // end-of-data marker: CRLF . CRLF
            serverReply = inputStream.readLine();
            if (serverReply.startsWith("5")) {
                close("DATA finish server error: " + serverReply);
                return;
            }
            close("Mail sent"); // close() sends QUIT and shuts the socket
        } catch (Exception any) {
            any.printStackTrace();
            close("send() Exception");
        }
    }

    public boolean open() {
        synchronized (mailLock) {
            try {
                mailSendSock = new Socket(mailServerHost, 25);
                outputStream = new PrintStream(mailSendSock.getOutputStream());
                inputStream = new BufferedReader(new InputStreamReader(
                        mailSendSock.getInputStream()));
                serverReply = inputStream.readLine();
                // Anything but a 2xx greeting means the server will not take mail from us
                if (serverReply == null || !serverReply.startsWith("2")) {
                    errorMsg = "Server refused the connect message : " + serverReply;
                    close("Greeting error");
                    return false;
                }
            } catch (Exception openError) {
                openError.printStackTrace();
                close("Mail Socket Error");
                return false;
            }
            System.out.println("Connected to " + mailServerHost);
            return true;
        }
    }

    public void close(String msg) {
        // try to close the sockets
        System.out.println("Close(" + msg + ")");
        try {
            if (outputStream != null) {
                sendLine("QUIT");
                outputStream.close();
            }
            if (inputStream != null) {
                inputStream.close();
            }
            if (mailSendSock != null) {
                mailSendSock.close();
            }
        } catch (Exception e) {
            System.out.println("Close() Exception");
            // We are closing so see ya later anyway
        }
    }

    public static void main(String[] args) {
        // * NOTE:
        // Erase these values right away! Just to show you how it is done.
        // Whatever you do don't release it with my mail server hardcoded.
        // last thing I need is 10 million Java mail test spams :)
        SendMail sm = new SendMail(
                "outgoing.myISP.net",  // Mail Server
                "[email protected]",   // sender
                "[email protected]",   // Recipient
                "Java mail test",      // Subject
                "test test test!");    // Message Data
        sm.send(); // Send it!
    }
}
There is no one in the forum who can shed some light on my problem?
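For the question above, an added example (not Tony Swain's code and not a reply from the thread) of how the ISP's SMTP AUTH requirement is normally met: the client reads complete multi-line replies instead of looking only for a leading "5", refuses to send credentials unless STARTTLS was negotiated (AUTH PLAIN is just base64, not encryption), and sends SASL PLAIN expecting 235. The transport is a scripted stand-in for the socket so the exchange runs offline; the hostnames, user and password are constructed.

```python
import base64
import re


class SmtpError(Exception):
    pass


class ScriptedTransport:
    """Stand-in for a socket (constructed for this example): replays canned server
    lines and records what the client sent, so the exchange runs offline."""
    def __init__(self, server_lines):
        self.pending = list(server_lines)
        self.sent = []
        self.tls_started = False

    def send_line(self, line):
        self.sent.append(line)

    def readline(self):
        if not self.pending:
            raise SmtpError("server closed the connection")
        return self.pending.pop(0)

    def start_tls(self):
        self.tls_started = True  # a real client wraps the socket with ssl here


class AuthSmtpClient:
    """Minimal ESMTP client that authenticates with SASL PLAIN after STARTTLS."""
    REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

    def __init__(self, transport):
        self.t = transport
        self.capabilities = set()

    def reply(self):
        """Read one complete reply: '250-' lines continue it, '250 ' ends it."""
        texts = []
        while True:
            m = self.REPLY.match(self.t.readline().rstrip("\r\n"))
            if not m:
                raise SmtpError("malformed reply")
            code, sep, text = m.groups()
            texts.append(text)
            if sep == " ":
                return int(code), texts

    def command(self, line, expected):
        self.t.send_line(line + "\r\n")
        code, texts = self.reply()
        if code != expected:  # check the exact code, not just a leading digit
            raise SmtpError("%s failed: %d %s" % (line.split()[0], code, texts[-1]))
        return texts

    def ehlo(self, name):
        texts = self.command("EHLO " + name, 250)
        self.capabilities = set()
        for text in texts[1:]:  # first line is the server's own name
            words = text.upper().split()
            if words[0] == "AUTH":
                self.capabilities.update("AUTH " + w for w in words[1:])
            else:
                self.capabilities.add(words[0])

    def login(self, client_name, user, password):
        code, _ = self.reply()  # 220 greeting
        if code != 220:
            raise SmtpError("server greeting %d" % code)
        self.ehlo(client_name)
        if "STARTTLS" not in self.capabilities:
            raise SmtpError("no STARTTLS offered: refusing to send the password in clear")
        self.command("STARTTLS", 220)
        self.t.start_tls()
        self.ehlo(client_name)  # capabilities must be re-learned after TLS
        if "AUTH PLAIN" not in self.capabilities:
            raise SmtpError("AUTH PLAIN not offered after STARTTLS")
        # SASL PLAIN: base64(NUL user NUL password) in one round trip
        token = base64.b64encode(b"\x00" + user.encode() + b"\x00" + password.encode())
        return self.command("AUTH PLAIN " + token.decode(), 235)


def try_login(server_lines, user="user", password="secret"):
    """Drive a login against a scripted server; returns (status, detail, lines sent)."""
    t = ScriptedTransport(server_lines)
    try:
        AuthSmtpClient(t).login("client.example.invalid", user, password)
        return "ok", None, t.sent
    except SmtpError as e:
        return "error", str(e), t.sent


# Scripted server for a successful run (constructed replies)
GOOD_SERVER = [
    "220 mail.example.invalid ESMTP\r\n",
    "250-mail.example.invalid\r\n", "250-STARTTLS\r\n", "250 AUTH PLAIN LOGIN\r\n",
    "220 Ready to start TLS\r\n",
    "250-mail.example.invalid\r\n", "250 AUTH PLAIN LOGIN\r\n",
    "235 2.7.0 Authentication successful\r\n",
]
# Same server without STARTTLS: the client must stop before sending credentials
CLEARTEXT_SERVER = [
    "220 mail.example.invalid ESMTP\r\n",
    "250-mail.example.invalid\r\n", "250 AUTH PLAIN LOGIN\r\n",
]
```

Against a real server, replace ScriptedTransport with a socket (and ssl.wrap in start_tls); the command sequence and checks stay the same.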
-
User Authentication for Internet access
Hi,
Is it possible to configure authentication for internal (LAN) users to Authenticate (local/RADIUS/LDAP) for any kind of internet access through the ISA550/570? (like cut-through authentication proxy in ASA.)
And Can the ISA550/570 act as a Web proxy?
Thanks in advance.
Hi Sulu,
You can configure a captive portal for internal LAN users to authenticate (local/RADIUS/LDAP) for internet
access through the ISA500. (see attached screenshot)
The ISA500 cannot act as a web proxy. What is your use case?
Regards,
Wei
-
Initial configuration of ACS 5.1 for EAP authentication for Wireless clients
Hi,
I have set-up with below devices :
Wireless LAN controller 5508
LAP 3302i
and ACS 5.1
Since I am new to ACS 5.1 configuration, I need some information to go ahead and configure ACS 5.1.
Which EAP method to use for wireless client authentication? What is the best practice?
I have gone through some Cisco documents and they show that the best practice is to configure PEAP, but for that I need to install a certificate in the ACS server as well as in the client PC. Is that so?
I have no clear picture of this certificate.
From where can I get this certificate, or do I need to purchase this certificate separately from Cisco? How do I install it in the ACS server?
I will be obliged to get at least the initial configuration for ACS 5.1 to enable the EAP method.
I need a GUI-based initial configuration for ACS 5.1.
This ACS 5.1 is installed on an ACS 1121 hardware appliance.
Hi,
Which EAP method to use for wireless client authentication? What is the best practice?
-> I would advise the most widely spread EAP method, which has the best ratio of security to ease of deployment: PEAP with MSCHAPv2, which is available by default on all Windows machines.
I have gone through some Cisco documents and they show that the best practice is to configure PEAP, but for that I need to install a certificate in the ACS server as well as in the client PC. Is that so?
-> You will always need to install a server certificate; however, there is no need for a client certificate because the authentication is based on the MSCHAP credentials exchange, not certificate based. The only requirement on the client regarding certificates is the following.
If you want to validate the server certificate, you have to install the server certificate under the trusted CAs of the clients.
If you do not need to trust the server certificate, you can simply disable the option for server certificate validation.
I have no clear picture of this certificate.
From where can I get this certificate, or do I need to purchase this certificate separately from Cisco? How do I install it in the ACS server?
-> The server certificate can be a simple self-signed certificate that you generate and install via the ACS GUI.
Please feel free to follow this step-by-step guide on PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server:
http://www.cisco.com/en/US/partner/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml or in PDF
http://www.cisco.com/image/gif/paws/112175/acs51-peap-deployment-00.pdf.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
-
Windows 2008 R2 GPO for wireless access restriction to Windows 8/8.1
Dear All
We have Windows 2008 R2 as domain controller with Windows 7/8/8.1 clients.
We want to restrict wireless access by SSID and allow only the company wireless.
Are there any templates or GPOs available?
Sunil
SUNIL PATEL, SYSTEM ADMINISTRATOR
Dear SKPATEL,
Yep, it is really possible; please follow these instructions:
Open Group Policy Management Console as an administrator.
In the navigation pane, open User Configuration\Administrative Templates\Network\Network Connections.
In the details pane, double-click one of the Group Policy settings described above.
Do one of the following:
To enforce the Group Policy setting on the currently logged on user, select Enabled, click Apply, and then click OK.
To not enforce the Group Policy setting on the currently logged on user, select Disabled, click Apply, and then click OK.
After you have modified all of the Group Policy settings you want, close Group Policy Management Console.
Enforce the changes you made and test.
More info, please check:
http://technet.microsoft.com/en-us/library/cc732613(v=ws.10).aspx
Best Regards,
-
Smartcard authentication for Clean Access SSO
Is anyone doing smartcard authentication into clean access via SSO? I have an issue where the UPN is not the username and the domain suffix is different from the AD domain so the agent is appending @domain.com to the $user$ variable and so it is failing to authenticate.
Did you run KTPASS correctly?
I had the same problem (a very undocumented 'feature', I would say): the KTPASS command must be run slightly differently when running it against a DC versus running it against an AD domain.
For Domain Authentication:
ktpass.exe -princ cleanaccess/domain_in_lower_case.co.za@DOMAIN_IN_UPPER_CASE.CO.ZA -mapuser cleanaccess -pass mypassword -out c:\cleanaccess.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly
For AD Server Authentication:
ktpass.exe -princ cleanaccess/SERVERNAME.domain_in_lower_case.co.za@DOMAIN_IN_UPPER_CASE.CO.ZA -mapuser cleanaccess -pass mypassword -out c:\cleanaccess.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly
NOTE: SERVERNAME needs to be exactly as indicated under My Computer > Properties (i.e. correct UPPERCASE and lowercase letters in the right places).
Another thing to look out for is the cleanaccess AD account you have created: make sure that the display name matches the account name, and do not specify anything for the First name and Last name fields. This seems to break things and gets the authentication to fail for some reason.
Oh, and if you have set up the account at first for DC Server Authentication, delete it and recreate it for the AD Domain Authentication, because that breaks it too when you run KTPASS.EXE again.
Another thing: try using AD SSO without the lookup account configured to see that the machine authenticates first, then add the Lookup Account; maybe the problem lies there.
Hope this helps.
-
Reg Re-authentication for Tcode access
Dear All,
I want to enable re-authentication for certain tcode access in my SAP ABAP system. SAP as such supports this with the SSF settings. I have SSF working but am not sure how to enable the particular tcode for re-authentication. For example, I have created a Z code ZAL08 out of AL08 for test purposes. When a user tries to access ZAL08 he should be asked to give his credentials for authentication and then should be able to access the tcode.
1. Is this possible? (I am already using a security product working properly in my environment.)
2. How to configure (steps) the Z code for enabling re-authentication?
Regards,
Karthik
Basically, what I said was:
function auth_check_tcode.
*"----------------------------------------------------------------------
*"*"Local interface:
*"  IMPORTING
*"     VALUE(TCODE) LIKE  TSTC-TCODE
*"  EXCEPTIONS
*"      PARAMETER_ERROR
*"      TRANSACTION_NOT_FOUND
*"      TRANSACTION_LOCKED
*"      TRANSACTION_IS_MENU
*"      MENU_VIA_PARAMETER_TRANSACTION
*"      NOT_AUTHORIZED
*"----------------------------------------------------------------------

* This function module is purely a wrapper for the C call
* auth_check_tcode and, unlike authority_check_tcode, is therefore not
* meant for the check before a Call Transaction but for the cases in
* which a Start Transaction is to be checked, e.g. in SE93.
* Like the kernel, authority_check_tcode takes into account the entries
* in table tcdcouples that can be maintained via SE97.

* Authorization check
  call 'AUTH_CHECK_TCODE'
    id 'TCODE' field tcode.
  if sy-subrc = 0.
*   auth_check_tcode already contains the checks of tcode_executable,
*   so no call is needed in the OK case.
  else.
    perform tcode_executable using tcode.
*   No authorization for transaction &
    message i077(s#) with tcode raising not_authorized.
  endif.
endfunction.

*---------------------------------------------------------------------*
*       FORM tcode_executable                                         *
*---------------------------------------------------------------------*
*  -->  TCODE                                                         *
*---------------------------------------------------------------------*
form tcode_executable using tcode.
  call 'DY_CHECK_TRANSACTION'
    id 'TX' field tcode.
  case sy-subrc.
    when 0. " Everything OK, return
    when 1. " Parameter error
      message i274(00) raising parameter_error.
    when 2. " Transaction not found
      message i343(s#) with tcode raising transaction_not_found.
    when 3. " Transaction locked
      message i348(s#) with tcode raising transaction_locked.
    when 4. " Transaction is an area menu
      message i037(oz) with tcode raising transaction_is_menu.
    when 5. " Area menu via parameter transaction
      message i350(s#) with tcode
        raising menu_via_parameter_transaction.
    when 6. " Not authorized; intended but not implemented
      message i077(s#) with tcode raising not_authorized.
  endcase.
endform.                    "tcode_executable
Sorry, the comments are in German. But as you can see, there is no exit and the checks are in the kernel only.
My hat is safe...
Cheers,
Julius
Edited by: Julius Bussche on Jul 29, 2009 5:55 PM
-
Cisco ISE 1.3 using 802.1x Authentication for wireless clients
Hi,
I have stumbled into a strange issue trying to authenticate a user over wireless. I am using PEAP as the authentication protocol. I have configured my authentication and authorization policy but when I come to authenticate the authorization policy selected is the default which denies access.
I have used the 802.1x compound conditions for matching the machine authentication and then the user authentication
MACHINE AUTHENTICATION
match
framed
Wireless
AD group (machine)
USER AUTHENTICATION
match
framed
Wireless
AD group (USER)
was authenticated = true
Below are the steps taken to authenticate; any ideas would be great.
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15006 Matched Default Rule
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041 Evaluating Identity Policy
15006 Matched Default Rule
22072 Selected identity source sequence
15013 Selected Identity Source - AD1
24430 Authenticating user against Active Directory
24325 Resolving identity
24313 Search for matching accounts at join point
24315 Single matching account found in domain
24323 Identity resolution detected single matching account
24343 RPC Logon request succeeded
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
11824 EAP-MSCHAP authentication attempt passed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
24423 ISE has not been able to confirm previous successful machine authentication
15036 Evaluating Authorization Policy
15048 Queried PIP
15048 Queried PIP
24432 Looking up user in Active Directory - xxx\zzz Support
24355 LDAP fetch succeeded
24416 User's Groups retrieval from Active Directory succeeded
15048 Queried PIP
15048 Queried PIP
15004 Matched rule - Default
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
11003 Returned RADIUS Access-Reject
5434 Endpoint conducted several failed authentications of the same scenario
24423 ISE has not been able to confirm previous successful machine authentication
Judging by that line and what your policy says, it appears that your authentication was rejected because your machine was not authenticated prior to this connection.
The first thing to check is whether MAR has been enabled on the identity source. The second thing to check is whether your machine is set to send a certificate for authentication. There are other things you can look at but I'd do those two first.
Log off and on, or reboot, and then see if you at least get a failed machine auth on the Operations > Authentications page and we can go from there.
-
ISE - AAA radius authentication for NAD access
Hi ,
I have configured the switches to use the ISE as the RADIUS server to authenticate with. On the ISE I've configured an authentication policy
for the "NADs" using the "Wired Devices" group which points to the AD identity source to authenticate against.
While testing the login access to the switches we've come up with 2 results:
1. A domain user can indeed login to the switch as intended.
2. Every domain user which exists in the AD identity source can login; this is an undesired result.
So I am trying to search for a way to restrict access to the NADs to only a particular group belonging to the AD, for example the group/OU
of the IT_department only.
I haven't been successful; would appreciate any ideas on how to accomplish this.
Switch configurations :
=================
aaa new-model
aaa authentication login default group radius local
ISE Authentication policy
==================
Policy Name : NADs Authentication
Condition: "DEVICE:Device Type Equals :All Device Types#Wired"
Allowed Protocol : Default Network Access
use identity source : AD1
Thank you for the quick replies, and now OK, I've configured the following authorization policy:
Rule Name : Nad Auth
Conditions
if: Any
AND : AD1:ExternalGroups EQUALS IT_Departments
Permissions , then PermitAccess
What I don't understand is that it needs to match an "identity group" which can be either "Endpoint Identity group" or "Users Identity group". I am limited with the if statement and cannot choose the same device group I chose before.
How can I do that? I am thinking ahead and asking myself if in other cases a user might match this policy rule and could interfere?
-
Need a good NAS drive for wireless access to my multi-media
I don't know if this is the right place to post this, but I have a large collection of music, video and photo files that I want to get off my laptop and onto a network drive that can be accessed wirelessly by other macs, and my xbox. Streaming ability and speed are the main priorities. Any help and suggestions for a good setup would be appreciated!
My current network setup is as follows:
• Airport Extreme Base station directly connected to a cable modem
• Network extended by another AEBS w/ a network printer connected via USB
• Network extended by an Airport Express w/ a Skype phone connected via ethernet
Thanks, but it doesn't work. The device gets an IP just fine but it does not do any DHCP relaying. Even when I manually set my laptop to a LAN IP and connect it to a wired port it is unable to get to the internet. The documentation doesn't mention much about setting up a DHCP relay. Any additional help would be much appreciated.
-
I need to authenticate my clients connecting via wireless.
The clients have a user certificate installed on them; I need help configuring the ACS to do the authentication.
Can someone please help me with the steps.
Thanks
Two primary steps:
- define the trust certificates needed to verify the clients user certificates
Users and Identity Stores > Certificate Authorities
- change the result of the identity policy to select a certificate authorization profile. If you have the default config:
Access Policies > Access Services > Default Network Access > Identity
by default you can select the "CN Username" as a result
-
ACS/ASA authentication for vpn access vs. console management access
I have an ACS 4.2 Server and an ASA 5540. I have setup AnyConnect SSL VPN on the ASA and want to authenticate users using AAA tacacs+ authentication with the ACS and an external Windows AD database. I have done this successfully. I also want to use the ACS for authenticating SSH management sessions into the ASA. I have setup a group in AD and on the ACS called VPNUSERS and NETADMINS. The problem is, I want the VPN users to ONLY be able to authenticate for VPN but not have access to logging into the ASA CLI or ASDM. The NETADMINS should be able to do both. The question I have is how do I setup the VPNUSER group in ACS to have access to connect to the ASA for VPN but not for the management console? It seems that if they can authenticate for vpn, they can also ssh the firewall which is what I want to prevent.
Try using Network Access Restrictions (NAR), where you can restrict the administrative access on a per-device or on an NDG basis.
By default, user accounts from an external database such as AD in ACS will get authenticated through telnet on a network device or AAA client, which can be restricted by enabling NAR in ACS.
In your case it should be the VPNUSERS group in ACS.
HTH
Ahmed
-
Trying to choose a method for wireless access (non-Safari question)
This isn't a Safari question, but I think plenty of Safari users would hopefully know an answer to it....and I'm not sure where else to ask:
I'd like to be able to access Wi-Fi when I'm travelling-- which isn't very often, so I'm not keen on spending $1000+ on a laptop if all I'm using it for is to surf the net and check email.
I'm thinking a PSP or similar gaming device would be a solution.....and entertain me as well. What other non-laptop products would give me Wi-Fi access?
Thanks for any help!
Mac OS X (10.3.9)
I'm thinking a PSP or similar gaming device would be a solution.....and entertain me as well. What other non-laptop products would give me Wi-Fi access?
You want a PDA or perhaps a cellphone. I don't see any Apple connection. You'd probably be better off searching Google.