WLC / ACS / AD - Domain and non-Domain Laptops (802.1X / PEAP)
Hi All,
I'm implementing a solution based around a 4404 WLC, 1113 ACS and Microsoft AD. What I want to achieve is to have two WLANs (SSIDs), one that can only be used by domain users on domain laptops, the other usable by domain users on personal laptops. The domain laptops will have full connectivity but the personal laptops will be restricted.
I've created the two SSID using 802.1X via ACS / Remote Agent and can authenticate and logon OK.
I thought that I should have user auth and machine auth for the domain laptops but just user auth for personal laptops.
I can have non authenticated machines go to a specific ACS group or blocked but I need to allow them if they're on the restricted SSID. I can't quite figure out how to have two SSIDs authenticating to the same ACS / AD - allow one and block the other.
Am I on the right path?
Anyone done this before or have any bright ideas?
Cheers,
John
With the use of SSID-based WLAN access, the users can be authenticated based on the SSID they use in order to connect to the WLAN. The Cisco Secure ACS server is used to authenticate the users. Authentication happens in two stages on the Cisco Secure ACS:
1. EAP authentication
2. SSID authentication based on Network Access Restrictions (NARs) on Cisco Secure ACS
For a further description and the configuration, the following URL may help you:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
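The two-stage decision described in the answer (EAP authentication first, then an SSID check by NAR), applied to the question's two-SSID design, as an added simulation that is not part of the original thread or of ACS. It assumes the WLC reports the SSID in the RADIUS Called-Station-Id as "AP-MAC:SSID" (which the linked example's "*SSID" DNIS filter relies on); the SSID and group names are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed SSID names for the two WLANs in the question
FULL_SSID = "CORP-DOMAIN"          # domain users on domain laptops only
RESTRICTED_SSID = "CORP-PERSONAL"  # domain users on personal laptops

# Assumption: Called-Station-Id looks like "00-1a-2b-3c-4d-5e:CORP-DOMAIN",
# so a DNIS filter of "*CORP-DOMAIN" on the ACS NAR matches the SSID suffix.
CSID_RE = re.compile(r"^(?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2}:(?P<ssid>.+)$")


def ssid_from_called_station_id(csid: str) -> Optional[str]:
    """Extract the SSID suffix; None if the attribute carries no SSID."""
    m = CSID_RE.match(csid)
    return m.group("ssid") if m else None


@dataclass
class AccessRequest:
    user: str
    eap_ok: bool                 # stage 1: PEAP credential check result
    machine_authenticated: bool  # a machine authentication preceded this user auth
    called_station_id: str       # RADIUS attribute sent by the WLC


def assign_group(req: AccessRequest) -> Optional[str]:
    """Stage 1: group assignment. Domain laptops (machine + user auth) and
    user-only logons land in different ACS groups so NARs can differ."""
    if not req.eap_ok:
        return None
    return "DomainLaptops" if req.machine_authenticated else "PersonalLaptops"


# Stage 2: NAR per ACS group, expressed as the SSIDs the group may use
NARS: Dict[str, Set[str]] = {
    "DomainLaptops": {FULL_SSID, RESTRICTED_SSID},
    "PersonalLaptops": {RESTRICTED_SSID},
}


def evaluate(req: AccessRequest, nars: Dict[str, Set[str]] = NARS) -> Tuple[bool, str]:
    """Return (accept, reason). Fails closed when the SSID cannot be read."""
    group = assign_group(req)
    if group is None:
        return False, "stage 1: EAP authentication failed"
    ssid = ssid_from_called_station_id(req.called_station_id)
    if ssid is None:
        return False, "stage 2: no SSID in Called-Station-Id, NAR cannot match"
    if ssid in nars[group]:
        return True, f"{group} permitted on {ssid}"
    return False, f"stage 2: NAR denies {group} on {ssid}"


if __name__ == "__main__":
    ap = "00-1a-2b-3c-4d-5e"  # constructed AP MAC
    for machine in (True, False):
        for ssid in (FULL_SSID, RESTRICTED_SSID):
            req = AccessRequest("john", True, machine, f"{ap}:{ssid}")
            print(machine, ssid, evaluate(req))
```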
Similar Messages
-
can you sync an ipad with say, a dell?
I have an iPod touch, my mom has an iPad 2, and my dad is getting a work iPad.
And they all run on my Windows 7. -
Can ACS support multiple Active Directory Domains for 802.1x EAP-TLS?
Hi
I'm looking to implement ACS 5.2 using 802.1X; we have two separate AD domains.
Now.. this is the tricky part...
A single switch will need to support both ADs, so if a machine in AD1 is connected, it will be authenticated to the ACS using AD1 and applied to VLAN1, while a machine that is in AD2 will be authenticated to AD2 and applied to VLAN 2.
I'm looking at machine authentication, not user authentication, so I assume that I will need to import two certs from each AD.
Can any expert please let me know if they think that this will be possible please??
Many thanks
Yes, ACS can support multiple AD domains, but you will have to configure one as your AD domain and the other as an LDAP database, and this will work since you are planning to use EAP-TLS.
The question I have is which version of ACS are you using? If you are using ACS 5.x then you can set up an identity store sequence so that if the user is not found you can move to the next store, and this will prevent you from installing two certificates on every machine.
You can then set up an authorization rule for the separate containers where the workstations are located (this is assuming machine authentication is being used) for the AD database or the LDAP database and then assign the VLAN based off that.
Thanks and I hope this helps!
Tarik Admani -
I have an iPhone 4 which is currently synced with a non-Apple laptop and I wish to sync it with my new iMac. I have just backed the phone up on my laptop but am not sure what I need to do now. I do not want to lose any contacts, emails or photos from my phone when I change sync computers. Can anyone assist with a step by step guide as to how to achieve this outcome? Thanks in advance.
Have you read this?
iTunes: How to move your music to a new computer
http://support.apple.com/kb/HT4527
The Apple web site has lots of other guidance, for example if you are migrating from Windows to Mac, read this.
Switch 101: Migrate your Windows files or system to your Mac
http://support.apple.com/kb/HT2518 -
Non Mac Laptop and iCal Question
is it possible to get ical on a non mac laptop?
Jesstears,
No, iCal functions only with Mac OS X.
;~) -
PE13 on Windows 8.1 and non-admin or UAC issues?
Before I try to evaluate Premiere Elements 13 64-bit, I want to ask if lingering problems related to UAC and non-admin user accounts were resolved since version 11.
It's good to see a 64-bit version of Elements come out since then.
Gordon Fecyk
On what computer operating system is your Premiere Elements 13 running? For now I will assume Windows 7, 8, or 8.1 64 bit.
Not sure what you mean by:
It's good to see a 64-bit version of Elements come out since then.
assume you mean version 11. So in that case....
Premiere Elements Windows 10, 11, 12, and 13 are 64-bit applications when installed and run specifically on Windows 7, 8, or 8.1 64-bit. On other Windows versions they are 32-bit applications on a 32-bit system, or 32-bit applications running in the 32-bit compatibility mode of a 64-bit system. On the Mac side of things, it is my recollection that Premiere Elements 11 Mac was the first to be a 64-bit application when run on a Mac 64-bit system.
It is my understanding that nothing has changed over the versions with regard to Premiere Elements and the matter of "UAC and non-admin accounts". Probably Microsoft would be a good source on that. Recent threads seem to suggest that Premiere Elements is not working with Domain accounts.
This is not Adobe. Rather a user to user forum. If you want to contact Adobe about your feature requests, you could consider the Adobe Feature Request Bug Report Form.
https://www.adobe.com/cfusion/mmform/index.cfm?name=wishform&loc=en
When you have specific problems with aspects of your Premiere Elements 13 purchased or tryout, we would be glad for the opportunity to be of assistance. Definitely recommend tryout before purchase to assure the compatibility of your program with your specific computer environment and your project goals.
ATR -
ACS 5.5 and Windows 2012 AD support
Hi All,
Previously I had two AD domains based on 2008 and had machines in one domain and users in another domain, and the condition statement "Was machine authenticated=True" worked fine when doing EAP-TLS machine then user authentication.
I have now upgraded the machine's domain to 2012 and machine authentication works fine and user authentication also works, but when you put the two together and enable "Was machine authenticated=True" the ACS errors out when doing user authentication with the message "ACS unable to find previous successful machine authentication", even though machine authentication was successful. I have tried with ACS being a member of both 2008 and 2012 domains at each stage.
The clients are all Windows 8.1.
Has anyone encountered this scenario before?
TIA
I would like to share a good troubleshooting guide for ACS 5.X and later. Please have a look:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113485-acs5x-tshoot.html -
Office Integration and non-MS browsers
I have an 'issue' with Office Integration and non-MS browsers with our SharePoint 2013 on-prem environment (using SSO via ADFS).
Background: our internal client wants to move to SharePoint sites for collaboration with external partners. One of the selling points they're wanting to make to justify the move from their current external collaboration site is Office integration - specifically the ability to open/edit/save documents by clicking on the document in SharePoint, having it open in Office (PC/client) for editing. Note they are wanting full integration with the client version of Office - not OWA. The other requirement is that this work with both Firefox and Chrome.
Issue: Office integration works fine using Internet Explorer. When a user clicks on a document, the document opens in Office and can be edited directly from the browser without any additional prompts.
But when clicking on a document via Firefox or Chrome, the SSO login form pops up when Office starts. Once the user enters their credentials they can work with the documents as desired. But our client does not want this second prompt.
Question:
Is there a way to configure SharePoint so that Firefox or Chrome open up documents for editing without a second logon prompt? I'm assuming not, based on my research on how these browsers handle cookies differently than IE. Can someone confirm?
Is there a dev solution to this? Note that because the users will be partners (non-employees) we are trying to avoid using a solution that would involve installing custom software on their PCs (such as browser extensions).
Unfortunately you are looking at a plugin or having the users modify their browsers:
http://yalla.itgroove.net/2011/12/firefox-friday-3-sharepoint-login-prompts-on-firefox/
http://www.rhyous.com/2009/12/31/why-does-firefox-prompt-for-domain-ad-authentication-or-how-to-get-firefox-to-automatically-login-to-web-sites-with-domain-credentials-sharepoint-for-example/
Brandon Atkinson
Blog: http://sharepointbrandon.com -
IWeb and non-iWeb files @ same site?
I have modified my CNAME at my personal domain site to forward to MobileMe, and I am not having any problems with that aspect. What I am wondering is ... can I have both iWeb files and non-iWeb files at the same site and still use MobileMe?
Basically, I want to use iWeb for my main family web site, but still have my Wordpress blog as well as some older web pages that I don't want to convert to iWeb. Right now, anything that starts with my domain name is pointed to MobileMe, which precludes access to the non-iWeb files.
Not sure if this is clear or not, but if anyone has any pointers, I would be very grateful.
Thanks for the advice about putting the other files on MobileMe - I didn't know you could host non-iWeb pages there.
Unfortunately, I actually don't want to store them there. My Wordpress blog is hosted on my own server (it's not a wordpress.com blog), and my old files are large and I don't want to burn up all the space on MobileMe. I have a ton of space and other good hosting services as my provider (doteasy). I do, however, like the features of iWeb for my main family page, so I want to be able to publish to MobileMe, but still have the domain function as well, with some pages accessible only through the domain, not MobileMe. -
VATable and non VATable in import PO??
Hi experts
Can anybody explain to me the import procedures and VATable and non-VATable in import?
In short, explain to me the overall import procedures.
Explain to me the domain procedures and the SAP procedures.
Thanks
SAP-MM
Hi,
VATable means you are taking the benefit of CVD.
Use the following conditions.
Conditions for CVD in CIN:
JCV1 - IN CVD e.g. 14%
JECV - IN CVD Prim Edu e.g. 2%
J1CV - IN CVD Sec Edu e.g. 1%
In general the BCD and CVD amounts are submitted to the Customs Office.
So in your PO you must assign these conditions to a different vendor, i.e. the customs office, in your PO.
In MIRO, select the planned delivery cost with that PO number and all your values will appear.
But it will be a different case when you want to take the benefit of CVD in CIN.
In addition to the above procedure, you have to uncheck GR-based IV in the PO, first do the MIRO for the planned delivery cost and generate the commercial invoice number,
and after that do the GR with MIGO.
Regards,
Pardeep Malik -
ACS Group mapping and restrictions
hi,
I would appreciate to receive some configuration steps on ACS to fulfill the following requirement and hope you can help me.
ACS Groups
Netadmin - need telnet/ssh/vpn/wireless
wireless - only wireless authentication
vpn - only vpn authentication
I need to map the above ACS groups to one or many AD groups and restrict access as stated above.
Also please note that one user can belong to all three groups in ACS/AD.
Thanks in advance.
In ACS a user can only belong to one group. But in AD we can have one user as part of multiple groups.
In this scenario, it is very important to understand how ACS group mapping works.
Let's say that you have three different groups in AD for NetworkAdmin, RouterAdmin and Wireless. Go to External User Database ==Database Group Mappings==Windows NT/2000==select the domain to which you are authenticating==Add mapping.
Select the AD group NetworkAdmin and map it to ciscosecure group 1
select the AD group RouterAdmin and map it to ciscosecure group 2
select the AD group Wireless and map it to ciscosecure group 3
Group mappings work in the order in which they are defined: the first configured mapping is looked at first, then the second, third and so on. If a user is in AD group NetworkAdmin and that is mapped to ACS group 1 and it is the first configured mapping, it will be looked at FIRST (if a user exists in the NetworkAdmin group it will always be mapped to CiscoSecure group 1, NO further mappings for this user are checked, and the user is authenticated or rejected).
Scenario: if you have a user called cisco, in NetworkAdmin group, cisco1 in RouterAdmin group, and cisco2 in Wireless. They will always be dynamically mapped to ACS group 1, 2 and 3 respectively as per above mappings.
You can check the mappings on the passed authentications for users as to what group are they getting mapped to.
SCENARIO:
Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not wireless or RouterAdmin devices, you would need to apply NARs to group 1 because NetworkAdmin users are mapped to that group. There you permit access on a group basis to a particular NetworkAdmin NDG or individual NetworkAdmin NAS device.
NOTE:
If you are applying NARs for Wireless or VPN devices, you would need to configure both IP-based AND CLI/DNIS-based filters together, because NARs were originally designed for Cisco IOS on routers and switches.
IMPORTANT: If a user successfully authenticates to the AD database once, its username is cached in the ACS database (NOT the password). The only way to remove the previously cached username is to go to User Setup, find that user and delete it manually.
ACS will not support the following configuration:
* An Active Directory user that is a member of 3 AD groups (group A, B and C).
* Those 3 groups are mapped within ACS as follows: Group1->A, Group2->B and Group3->C.
* The user is in all 3 groups; however, he will always be authenticated by group 1 because that is the first group he appears in, even if there is a NAR configured assigning specific AAA clients to the group.
However, if your mappings are in the order below...
NT Groups        ACS groups
A,B,C =============> Group 1
A     =============> Group 2
B     =============> Group 3
C     =============> Group 4
You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in Group 1.
This rule WILL apply for the user ONLY if he is present in ALL three groups (A, B and C).
You can create a rule for users in group A (Group 2)
You can create a rule for users in group B (Group 3)
You can create a rule for users in group C (Group 4)
Regards,
~JG
Do rate helpful posts -
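The ordered, first-match group mapping and the NAR consequence explained in the ACS group mapping answer above, as an added simulation that is not part of the original post or of ACS. The AD groups A/B/C, the ACS group names and the device group (NDG) names are constructed.

```python
from typing import Dict, List, Optional, Set, Tuple

Mapping = Tuple[Set[str], str]  # (AD groups the user must be in, ACS group)


def map_user(user_groups: Set[str], mappings: List[Mapping]) -> Optional[str]:
    """Mappings are checked in configured order; the FIRST one whose AD
    group(s) the user belongs to wins and no later mapping is consulted."""
    for required, acs_group in mappings:
        if required <= user_groups:  # user is in every AD group of the mapping
            return acs_group
    return None                      # no mapping matched


def nar_permits(acs_group: str, device_ndg: str,
                nars: Dict[str, Set[str]]) -> bool:
    """NAR per ACS group: the Network Device Groups it may reach.
    A group with no NAR configured is unrestricted."""
    allowed = nars.get(acs_group)
    return allowed is None or device_ndg in allowed


def authorize(user_groups: Set[str], device_ndg: str, mappings: List[Mapping],
              nars: Dict[str, Set[str]]) -> Tuple[Optional[str], bool]:
    """Return (ACS group the user landed in, whether the NAR lets him in)."""
    acs_group = map_user(user_groups, mappings)
    if acs_group is None:
        return None, False
    return acs_group, nar_permits(acs_group, device_ndg, nars)


# The one-to-one order the post says cannot give A+B+C users their own rule
ONE_TO_ONE: List[Mapping] = [({"A"}, "Group 1"), ({"B"}, "Group 2"), ({"C"}, "Group 3")]
NARS_ONE_TO_ONE = {"Group 1": {"netadmin"}, "Group 2": {"routers"}, "Group 3": {"wireless"}}

# The order the post recommends: the combination mapping comes first
COMBINED: List[Mapping] = [({"A", "B", "C"}, "Group 1"), ({"A"}, "Group 2"),
                           ({"B"}, "Group 3"), ({"C"}, "Group 4")]
NARS_COMBINED = {"Group 1": {"netadmin", "routers", "wireless"},
                 "Group 2": {"netadmin"}, "Group 3": {"routers"}, "Group 4": {"wireless"}}

if __name__ == "__main__":
    all_three = {"A", "B", "C"}
    # Lands in Group 1 and its NAR blocks wireless, although the user is in C
    print(authorize(all_three, "wireless", ONE_TO_ONE, NARS_ONE_TO_ONE))
    # Combination mapping gives A+B+C users a rule of their own
    print(authorize(all_three, "wireless", COMBINED, NARS_COMBINED))
    # A user only in C falls through to Group 4
    print(authorize({"C"}, "wireless", COMBINED, NARS_COMBINED))
```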
WLC 4402, LAP1242AG APs and Layer 2 Switch Network Design
Hi Every One,
I am a new designer in wireless technology. During design I came across a confusing/complex existing topology which I have to integrate with a WLC 4402, as below:
Existing:
1: I have 12 Switches; all vtp mode server. all in single vlan 1 with single subnet 192.168.0.0/24. All users ports in this single vlan 1.
2: All of these are old switches including 2950G, 350GXL, 4912.
3: All the switches gateway is Pix Firewall (192.168.0.1).
To Do:
1: I have to implement 1 * WLC 4402, 22 *LAP1242AG Access Points.
2: WLC will be connected to 350GXL or 4912 through Fiber.
3: Access Points will be connected to all other 20 switches randomly.
Confusion:
1: In my design I created a separate VLAN 450 for WLC and AP management. But this is not doable in the current setup because all the switches are VTP mode server, and the gateway is the firewall, which would require configuration on all existing switches + the PIX. (I DON'T WANT TO GO FOR THIS OPTION.)
2: To make my work easy, is it possible to put the WLC and APs in the same VLAN 1 (192.168.0.0/24) that is currently used by the existing switches? The gateway for the WLC and APs would be the PIX (192.168.0.1).
3: I tried to search Cisco examples, but in every example Cisco has made a separate VLAN for WLC/AP management. So will point 2 work?
4: Do I require any specific changes for this?
5: ANY OTHER DESIGN SUGGESTION?
Please find the attached diagram for more information.
Thanks for the reply.
1: You mean that the switch port config will be as below?
int g0/10
description connected to WLAN Controller
switchport mode access
switchport access vlan 1
int g0/23
description connected to AP
switchport mode access
switchport access vlan 1
So below will be the summary of the config:
All switches, WLC, APs, wireless users and wired users will be in the same subnet (192.168.0.0/24). Is it OK?
2: What do you mean by VTP config? Please clarify.
As I mentioned, all switches are in VTP mode server. The VTP domain name is configured on 12 out of 15 switches. Do I need to configure the same VTP domain name on all switches? Do I also have to check the VTP password? -
WLC + ACS (RADIUS) + MS-AD
Hi!
I have been looking around if there is a way to authenticate users against a MS-AD database from a non-controlled wireless client.
My design includes a WLC 4400, an ACS 5.4 and MS-AD 2003.
The goal is to connect a client without any special configuration (on the client); the SSID will be visible, so I just want to join the network and after the negotiation it should prompt me for a username and password for the Microsoft database.
I have read there are limitations setting this up just with WLC and MS-AD; that's why I want to use RADIUS (ACS) so I can establish a trust relationship between the ACS and MS-AD. But so far I have only found documentation where they modify the native supplicant to validate a CA and force MSCHAPv2.
Thanks in advance for any help.
Check out the doc below
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml -
Peer-Switch with vPC and non-vPC Vlan Port-Channels
Hi,
In a design guide I have noticed that it is best practice to split vPC and non-vPC VLANs on different inter-switch port-channels. Now I want to use the Peer-Switch function, but the port-channel interface of the non-vPC-VLAN channel moves into blocking state. The option spanning-tree pseudo-information has no influence. Is peer-switch possible in my kind of topology?
Greetings,
Stephan
I believe it is absolutely possible, specifically because peer-switch and STP pseudo-info are specific and local to Cisco Fabric Services running as part of the vPC technology. Personally I have a lab with a vpc-domain composed of 2 N5Ks. They are peer-switches with STP pseudo-info and they have MST running on non-vPC links independently from vPC.
-
Authoritative restore and Non Authoritative restore
Hi
1. What's the difference between an Authoritative restore and a Non-Authoritative restore? Please explain with an example.
Also, if anyone has Windows questions and answers with troubleshooting and live scenarios, please help me.
Hello,
Performing an Authoritative Restore of Active Directory Objects: http://technet.microsoft.com/en-us/library/cc779573(WS.10).aspx
Example: You accidentally deleted an AD user and you want to restore it. You can use an authoritative restore to perform that.
Note that now you can do that by enabling the AD Recycle Bin, and you no longer need a restore operation.
Performing a Nonauthoritative Restore of a Domain Controller: http://technet.microsoft.com/en-us/library/cc784922(WS.10).aspx
Example: You had hardware problems on a DC and you solved them after re-installing the DC OS. You can use a non-authoritative restore so that you don't delete recently made changes.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator