Restrict WLAN Clients based on device

Hello Guys
I had a question for all you experts.
I have 2 SSIDs being broadcast on my campus, one for computers, Macs, etc. and the other just for cell phones. Is there a way we can restrict the cellphones from connecting to the SSID used by computers? I do not have an identity management system like ISE. My controllers are WISM2 and I use 3502 APs.
Following is the detail from one of my controllers
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.2.110.0
Bootloader Version............................... 1.0.16
Field Recovery Image Version..................... 7.0.43.32
Firmware Version................................. FPGA 1.6, Env 0.0, USB console 2.2
Build Type....................................... DATA + WPS
Any guidance will be highly helpful.
Regards

You need something that can profile based on SSID and device type, like ISE to be able to do that.
HTH,
Steve

Similar Messages

  • Restrict WLAN access based upon device type

    Hi,
    I have a requirement to allow only certain device types (Apple iPad only) on WLAN. Don't want to use individual MAC filters due to administrative overheads. Any suggestions?

    The only way you can just allow one type of device is the use of a profiler. Cisco ISE has a profiler, but you will need to get the advanced license also. I don't know how you would be able to do it any other way unless you manually configure each iPad to allow that device on your network.

  • Force WLAN client to renew ip on WLC with dynamic interfaces

    Hi there
    we would like to have a "two tier" authentication for the corporate WLAN clients:
    Requirements
    1. Machine Authentication
    The client gets machine authenticated based on the machine account in the Active Directory with PEAP. At this stage, the client will get an IP from VLAN A. VLAN A has limited access to the corporate infrastructure (DNS, AD, some volumes / shares, and so on). The filtering is done with an IP access list on the layer 3 VLAN interface on the core switches.
    2. User Authentication
    The user logs in on the client and gets user authenticated based on his user account in the Active Directory with PEAP - only users with a valid Machine Access Restriction (MAR) are allowed to log in. Now the client is moved to another VLAN B. VLAN B has full access to the corporate infrastructure; there is no IP access list here.
    Infrastructure
    We have the following:
    2 x WLC 5508 with 7.3.101.0
    2 x ACS 5.3.0.40.6
    Problem
    Now we have the problem that the Windows client sometimes takes up to 3 minutes to connect to the WLAN after the user logs in. In the debug, I can see that this happens because the client is stuck in DHCP renewal:
    1. After the machine has been authenticated it has an IP assigned from VLAN A. This works pretty well if the client gets rebooted.
    2. If the user logs in the first time after the reboot, the user gets connected within 10 seconds, which is pretty good. The client now has an IP in VLAN B.
    3. Now the user logs out of Windows and I can see in the debug that the client is put into VLAN A (machine authentication) again, but the client still tries to DHCPREQUEST the IP address from VLAN B (user authentication). Because this request is sent out on the wrong dynamic interface on the WLC, the DHCPREQUEST is not acknowledged and the client gets stuck in this situation.
    4. If the user or another user logs in again shortly after the logout, the client still tries to DHCPREQUEST the IP of VLAN B and now the "3 times DHCP failure on WLC" comes into play, because the WLC thinks that the DHCP server is not reachable -> but it only does not answer a wrong DHCPREQUEST.
    Question
    On ISE there is a way to force the client to renew the DHCP address (via CoA, but this has its limitations too --> need to install ActiveX or Java applet). I think there is no way to force the client to renew its IP with ACS, but my question is: is there a workaround, and are there any others who have maybe already solved this problem?
    Alternative
    If there is no way to bring this to work with two different VLANs, I could try to realize this with only one VLAN. After the machine authentication I could apply a WLC ACL to restrict access to the corporate infrastructure. If the user authentication happens, I could "remove" this ACL to grant full access for this user / client. But I am still interested in the other solution ;-)
    Thanks in advance for any advice and best regards
    Dominic

    Your second option is what you should do. A client that already has an IP address, especially on wireless, will not know it has been put in a different VLAN when the VLAN is changed, and that's why it breaks. If there was a way to change the VLAN and send something to the WLC to disassociate the client, that might work.

  • Configured Nacs- how to restrict AAA client access by specified Password

    Hi all
    I have given the below config in AAA Client & added the Client in User, Group; the NAR is configured for all Clients.
    But my requirement is to restrict AAA client access by a specified password.
    aaa new-model
    aaa group server tacacs+ NACS_Group1
    server 10.x.x.x
    server 10.y.y.y
    aaa authentication login default group NACS_Group1 local
    aaa authentication enable default group NACS_Group1 enable
    aaa authorization config-commands
    aaa authorization exec default group NACS_Group1 if-authenticated
    aaa authorization exec NACS_Group1 group tacacs+ local
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+

    You use the Network Access Restrictions table in the Advanced Settings area of User Setup to set NARs in three ways:
    Apply existing shared NARs by name.
    Define IP-based access restrictions to permit or deny user access to a specified AAA client or to specified ports on an AAA client when an IP connection has been established.
    Define CLI/DNIS-based access restrictions to permit or deny user access based on the CLI/DNIS that is used.
    Note: You can also use the CLI/DNIS-based access restrictions area to specify other values. See the Network Access Restrictions section for more information.

  • ISE Certificate Chain Not Trusted By WLAN Clients

    We are running ISE 1.1.3 using Entrust cert signed by Entrust sub CA L1C, which is signed by Entrust.net 2048, which is in all major OS stores as trusted (Windows, Android, iOS).
    We have installed a concatenated PEM file with all of the certificates from the chain, as described in the ISE User Guides. The ISE GUI shows all of the certs in the chain individually after the import (i.e. the chain works and is good). However, we are not sure if the ISE is sending the entire chain to the WLAN clients during EAP authentication or just the ISE cert, because of the error message we get on ALL client types, which states that the certificate is not trusted.
    So the question is whether the ISE is really sending the whole chain or just its own cert without the rest of the certs in the chain (which would explain why the WLAN clients complain about the certificate trust).
    Anyone out there know if the ISE code is not up to sending the cert chain in version 1.1.3 yet or if there is some other explanation? Screenshot attached of iPhone prompting for cert verification.

    Thanks hardiklodhia, your post confirms what we are seeing - the Windows clients have no issue as long as they are set to either NOT validate the EAP server cert or they are set to trust the signing CA cert from the local store by specifically selecting the signing CA (i.e. tick next to "Validate Server Certificate" and then another tick next to the signing CA cert in the box below).
    The iOS clients ALWAYS prompt for verification (thanks Apple.)
    Note: we are using 1.1.3 and the cert chain import using a concatenated PEM file with ALL of the certs in the chain works fine. We are seeing the whole chain on the clients and the ISE extracts each PEM file into its local store.
    The PEM file format is not adequately described in the user guides; rather, a vague description of cert order is provided.
    The file should look like this:
    -------------------------Top of page-----------------------------
    Root CA PEM FILE
    Intermediate CA 1 PEM FILE
    Intermediate CA 2 PEM FILE
    ETC
    ISE CERT PEM FILE
    ------------------------Bottom of page-------------------------
    By "PEM FILE" I mean the actual base64 encoded PEM output from openssl when you convert a .crt or .der file to PEM, including the words "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" for each PEM FILE above,
    e.g.
    The last PEM output (the one directly above) is the ISE cert in PEM format. The first PEM output (the one at the top) is the Root CA cert in PEM format. The ones in the middle are intermediate signing CAs in order (from root to leaf).
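The root-first ordering described in the post above can be checked before a bundle is imported. This is an added example, not part of the original thread or any Cisco tooling; it compares raw issuer and subject names only (no signature verification), and the certificate skeletons and names it builds are constructed test data.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Extract the raw DER issuer and subject Names from one certificate."""
    _, pos, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)          # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                         # optional [0] version
        _, _, end = read_tlv(der, end)      # then serialNumber
    _, _, pos = read_tlv(der, end)          # skip signature algorithm
    _, _, issuer_end = read_tlv(der, pos)
    issuer = der[pos:issuer_end]
    _, _, pos = read_tlv(der, issuer_end)   # skip validity
    _, _, subject_end = read_tlv(der, pos)
    return issuer, der[pos:subject_end]

def check_bundle_order(pem_text):
    """Root first: cert 1 self-issued, every later cert issued by the one before."""
    names = [issuer_and_subject(base64.b64decode(body))
             for body in PEM_RE.findall(pem_text)]
    if not names:
        return ["no certificates found"]
    problems = []
    if names[0][0] != names[0][1]:
        problems.append("cert 1 is not self-issued (root expected first)")
    for i in range(1, len(names)):
        if names[i][0] != names[i - 1][1]:
            problems.append(
                f"cert {i + 1} issuer does not match cert {i} subject")
    return problems

# --- constructed test data: unsigned skeletons, just enough DER to parse ---
def tlv(tag, value):
    assert len(value) < 0x80                # short-form lengths only
    return bytes([tag, len(value)]) + value

def name(cn):
    # Name -> RDN SET -> SEQUENCE { OID 2.5.4.3 (commonName), UTF8String }
    atv = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))

def skeleton_cert(issuer_cn, subject_cn):
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + tlv(0x30, b"") + name(issuer_cn)
              + tlv(0x30, b"") + name(subject_cn))
    body = base64.encodebytes(tlv(0x30, tbs)).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + body
            + "-----END CERTIFICATE-----\n")

ROOT = skeleton_cert("Example Root CA", "Example Root CA")
SUB = skeleton_cert("Example Root CA", "Example Sub CA")
LEAF = skeleton_cert("Example Sub CA", "ise.example.test")

if __name__ == "__main__":
    print(check_bundle_order(ROOT + SUB + LEAF))   # order given in the post
    print(check_bundle_order(LEAF + SUB + ROOT))   # leaf-first bundle
    print(check_bundle_order(ROOT + LEAF))         # intermediate missing
```
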

  • How Redirect browser(client) based on non-negotiable SSL/TLS protocol or cipher

    Hi guys,
    We have a security requirement wherein we have to force the browsers accessing our ASP.NET application hosted on Windows Server 2012 to have at least TLS 1.1, but we don't want to simply block the request; instead we would like to redirect the request to an unsecured static HTML page with the instructions on how to get them onto TLS.
    Can anyone help me here? Actually I found a similar and exactly same thread on stackoverflow but I think that is probably directed towards the Linux family. http://serverfault.com/questions/591188/redirect-browser-based-on-non-negotiable-ssl-tls-protocol-or-cipher
    Please help me guys.
    PS: I have posted the same question on the IIS forum (http://forums.iis.net/t/1223352.aspx?How+Redirect+browser+client+based+on+non+negotiable+SSL+TLS+protocol+or+cipher+from+IIS) and got a reply saying that it can be done at Windows kernel level (possibly).

    Hi,
    As far as I know, once SSL handshake fails, no subsequent communication would occur between the server and client.
    Therefore, as the way I see it, the goal cannot be achieved.
    Best Regards,
    Amy

  • Satellite Pro L300: WLAN is not in device manager and is missing

    Hi,
    I have a Toshiba L300 which I downgraded from Vista to WXP months ago. So I decided to stick with Vista and when I installed Vista the WLAN was missing in device manager and it didn't work. I tried downloading drivers adapters from Toshiba drivers download and still didn't work. Only my Ethernet is showing in device manager... BTW I have a Realtek WLAN.
    Also, my VGA graphics card doesn't seem to update its driver and when it does it says that the system is below minimum specs.
    It's so weird; in WXP it was working fine... Any solutions?

    >I tried downloading drivers adapters from Toshiba drivers download and still didn't work.
    What does it mean exactly? Have you installed WLAN driver or not? Is WLAN card installed properly and listed in device manager as Realtek WLAN card?
    How to understand you?
    Do you have problems installing the WLAN card or configuring the WLAN connection?
    If the WLAN card is installed properly, enable the card with the WLAN switch and then use the FN+F8 key combination and be sure the card is set to ON.
    Which display driver do you want to install? Which version?

  • Unable to activate Client Profile within Client-Based Groupware Integration

    Experts - Please help us!
    We are trying to activate a new Client Profile within Client Based Groupware Integration. We are receiving an error message that
    "Multiple profiles not allowed for same role, country, language combination."
    We believe we are receiving this message because there was an incomplete profile already saved in this table. We can not move forward without completing that record, however it is not editable for us.
    Has anyone run into this problem before? Any ideas how we can move forward? I would appreciate any information anyone is able to provide.
    Thank you!
    Jami Shircel

    I have one idea. If you want to do this for your future records, then you should create a specific transaction type meant only for GWI and assign it to the groupware SPRO settings, and that transaction type should not be used from SAP CRM WebUI. In this way all the appointments/tasks created in Outlook have that special TType and can be differentiated from others. Will that be of any use?
    Rgds,
    Shobhit

  • Restricting the values based on keyfigures.

    Hi All,
    Good Morning..
    I have a query on Bex reporting.
    I want to calculate transit aging. I just want to find the difference between the two dates.
    I have one more field called quantity.
    I want to calculate the difference of dates only where the quantity is "ZERO". I can restrict the keyfigures based on characteristics. But for my case I want to restrict the keyfigures based on the Quantity keyfigure.
    Is it possible in Query Designer?
    Thanks in advance.
    Thanks,
    Siva.

    Hi,
    p.o number ______p.odate_______consimentdate______qty__aging
    87000001______01.02.2009______02.02.2009________1___ nil
    87000002______05.02.2009______07.02.2009________0____( current date - consiment date)
    Create two formula variables with replacement path in columns.
    1. One is for PO date and replace with Key.
    2. The other is for consignment date and replace with Key.
    Then just drag and drop them in two columns in the report and see the output. Then create one formula and do the subtraction. In another column you create one more formula and use an If condition.
    Column A = p.odate (with Replacement variable value)
    Column B = consimentdate (with Replacement variable value)
    Column C = B-A
    Column D =  If QTY <> 0 then C
    Thanks
    Reddy

  • Restriction of client

    HI All,
    Is restriction of a client possible in SAP?
    Ex: Suppose in the EID100 client only five users can log in. If a sixth user tries, it will show an error message that you are not an authorized person to log in.
    Can anyone help in this regard?
    Thanks.
    Singha

    Just lock the user ID of the users in the clients you don't want them to log on to.
    If you have 3 users A, B and C and you don't want C to log on to a client, say 100, then lock the user ID C in client 100 using SU01.
    -Kiran

  • Client Based Database System

    I'm trying to come up with a design for a client-based database system. I want to create at least 20 databases all linked to one main server, and I can make updates whenever I want, either manually or through the update table that will automatically update all the other databases.
    Each client can look at others' information on the server and get access to it, and clients will also get the ability to communicate through the server or sub-servers within the network.
    I'm really confused myself about how to start this and what will be the ideal schema or design to start off with.
    I'd really appreciate any hints, guys.
    thanks

    If the goal is disaster recovery, you want to be looking into something like DataGuard to provide a hot standby. Basically, you take archive logs from the primary, copy them to the standby database running in a physically separate data center, and apply the logs to the standby. In the event of a failure on the primary, you simply transition over to the hot standby database. You can configure DataGuard in a variety of modes, including zero data loss (though there will be performance and availability implications for this sort of setting).
    I don't understand the second part of your question.
    >how are the tables gonna be structured?
    This will depend entirely on your application. You don't need anything special in your data model to use DataGuard.
    >because this is a client based application...so it requires an updatable table or source
    I don't follow this at all.
    >can i get some details or a schema that shows how to put these tables together
    Nor do I follow this.
    >let's say we have one main server or source and only two other client applications
    What do you mean by "two other client applications"? Do you really mean applications (i.e. a collection of J2EE, .NET, PHP, etc components)? Or are you coming back to a multiple database setup with replication?
    Justin
    Distributed Database Consulting, Inc.
    http://www.ddbcinc.com/askDDBC

  • Contact Synchronization - Client-Based Groupware Integration - SAP Library

    Hi Shobhit,
    Thanks for your help.
    I have the ActiveX settings as you say.
    I'm using Lotus Notes 8.5
    I checked the customizing, and we have the Settings for Client-Based Synchronization
    DEFAULT_APPT_PROC_TYPE = Z000
    DEFAULT_APPT_TEXTTYPE = A002
    The transaction type Z000 is a copy of 0000.
    When I create an activity in SAP CRM and press the synchronization button, the system creates an activity in Lotus Notes. But when I create an activity in Lotus Notes, the system doesn't create the activity in SAP CRM.
    Best regards,

  • CRM Outlook client based groupware integration

    Hello,
    I am trying to set up client-based integration between CRM and Outlook.
    I've installed the groupware integration software on my computer and defined the necessary settings in the CRM calendar properties in Outlook.
    Once I try to start synchronization (from the CRM side) I get the error message:
    "The current version of software components installed on your PC(3.039) us lower that minimally required one (3.040).Would you like to update it now?"
    I press "yes" and go through the update installation wizard. Once completed, I press "Synchronize" again and I get the same error message.
    Thank you for your response,
    Rika

    Hello,
    The problem is that when you say "yes" to upgrade you would expect the system to download the newest version from the internet. Unfortunately this is not correct, the system just grabs the file from the CRM server itself. In other words, if you don't download the newest version from the internet and upload it to the CRM server it won't work.
    Check OSS note 1311110 how to put the newest sync version on the CRM server. After this you can redo the actions you described previously.
    Hope this helps,
    Kind regards,
    Joost

  • Access restriction in IM52 based on company code and investment reason

    Hi,
    How can we have access restriction in IM52 based on company code and investment reason?
    thanks
    Randeep

    hi
    please check the authorization object for the transaction
    company code you can

  • CRM Outlook client based synchronization

    Hello,
    I am using CRM Outlook client-based synchronization.
    I am concerned about moving to winter clock.
    Which steps and in which order should be performed on CRM and Exchange side?
    Rika

    Hi Neha and David,
    David, you are right ... you have to be employee responsible for a contact to be synched from SAP CRM to Outlook.
    Additional information:
    - if more than one user wants to synchronize a contact from CRM to Outlook use the assignment block "relationships" and add a new relationship "has the employee responsible" and add yourself.
    - in transaction "GWIPROFILE" there's a GWI profile parameter called "DownloadContactsFromCRM" with three possible values: "Owned contact", "Contacts of Account" and "Both".
    If you set this parameter to "Owned contact" only the contacts of CRM with the relationship "has the employee responsible" are synched to Outlook.
    If you set it to "Contacts of Account", all contacts of an account with the relationship "has the employee responsible" are synched to Outlook.
    If you set it to "Both", you need to add the relationship to either the account or the contact to get it synched to Outlook. This is useful if you have several small accounts (only few contacts in the account) where you want to synch all contacts, so add the relationship to the account.
    And you have several big accounts (with many contacts) where you want to select the contacts to be synched by adding the relationship to the corresponding contacts and not to the account itself.
    In our environment, we did set it to "Both" so we have the most flexible options which contacts have to be synched and which not.
    I hope this information is a bit helpful.
    By the way: we initialize the synchronization manually to have full control.
    Best regards,
    Karsten
