WLC / ACS / AD - Domain and non-Domain Laptops (802.1X / PEAP)

Hi All,
I'm implementing a solution based around a 4404 WLC, 1113 ACS and Microsoft AD. What I want to achieve is to have two WLANs (SSIDs): one that can only be used by domain users on domain laptops, the other that can be used by domain users on personal laptops. The domain laptops will have full connectivity but the personal laptops will be restricted.
I've created the two SSIDs using 802.1X via ACS / Remote Agent and can authenticate and log on OK.
I thought that I should have user auth and machine auth for the domain laptops but just user auth for personal laptops.
I can have non-authenticated machines go to a specific ACS group or be blocked, but I need to allow them if they're on the restricted SSID. I can't quite figure out how to have two SSIDs authenticating to the same ACS / AD - allow one and block the other.
Am I on the right path?
Anyone done this before or have any bright ideas?
Cheers,
John

With the use of SSID-based WLAN access, the users can be authenticated based on the SSID they use in order to connect to the WLAN. The Cisco Secure ACS server is used to authenticate the users. Authentication happens in two stages on the Cisco Secure ACS:
1. EAP authentication
2. SSID authentication based on Network Access Restrictions (NARs) on Cisco Secure ACS
For further description and configuration, the following URL may help you:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
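The two-stage check described above, as an added illustration (not Cisco's code): the WLC sends the RADIUS Called-Station-Id as "<AP MAC>:<SSID>", which is what a CLI/DNIS-based NAR on ACS matches against, and the user-auth-on-the-corporate-SSID rule is modelled as requiring a prior successful machine authentication. The SSID names, group names, host names and the machine-authenticated set are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample policy, keyed by SSID. "access" is the profile granted on
# success; "machine_auth_required" models the condition that a user auth on
# this SSID must be preceded by a successful machine auth (domain laptop).
SSID_POLICY = {
    "CORP-WLAN": {"groups": {"DomainUsers"}, "machine_auth_required": True,  "access": "full"},
    "BYOD-WLAN": {"groups": {"DomainUsers"}, "machine_auth_required": False, "access": "restricted"},
}

@dataclass
class AccessRequest:
    username: str
    group: str               # ACS group the user was mapped to (stage 1 result)
    called_station_id: str   # sent by the WLC as "<AP-MAC>:<SSID>"
    eap_success: bool        # outcome of stage 1 (PEAP/MSCHAPv2 against AD)
    machine: str = ""        # host account of the laptop, if it did machine auth

def parse_called_station_id(value: str):
    """Split the WLC's Called-Station-Id into (AP MAC, SSID).

    Only the first ':' separates the two parts, so an SSID that itself
    contains ':' survives intact.
    """
    mac, sep, ssid = value.partition(":")
    if not sep:
        raise ValueError(f"unexpected Called-Station-Id format: {value!r}")
    return mac.upper(), ssid

def authorize(req: AccessRequest, machine_authenticated: set):
    """Stage 2: apply the SSID-based NAR and the machine-auth condition.

    Returns (accept, detail): detail is the access profile on success or the
    rejection reason otherwise.
    """
    if not req.eap_success:
        return False, "EAP authentication failed"
    _, ssid = parse_called_station_id(req.called_station_id)
    policy = SSID_POLICY.get(ssid)
    if policy is None:
        return False, f"no NAR permits SSID {ssid!r}"
    if req.group not in policy["groups"]:
        return False, f"group {req.group!r} not permitted on {ssid}"
    if policy["machine_auth_required"] and req.machine not in machine_authenticated:
        return False, "no prior successful machine authentication"
    return True, policy["access"]

# Constructed sample: one domain laptop that already passed machine auth.
MACHINE_AUTH_OK = {"host/LT-CORP-01.example.local"}

def demo():
    """Domain laptop on CORP-WLAN, personal laptop on CORP-WLAN, personal laptop on BYOD-WLAN."""
    corp = AccessRequest("john", "DomainUsers", "00-1A-2B-3C-4D-5E:CORP-WLAN", True,
                         machine="host/LT-CORP-01.example.local")
    personal_on_corp = AccessRequest("john", "DomainUsers", "00-1A-2B-3C-4D-5E:CORP-WLAN", True)
    personal_on_byod = AccessRequest("john", "DomainUsers", "00-1A-2B-3C-4D-5E:BYOD-WLAN", True)
    return [authorize(r, MACHINE_AUTH_OK) for r in (corp, personal_on_corp, personal_on_byod)]

if __name__ == "__main__":
    for accept, detail in demo():
        print("ACCEPT" if accept else "REJECT", detail)
```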

Similar Messages

  • IPad and non-apple laptops

    Can you sync an iPad with, say, a Dell?

    I have an iPod touch, my mom has an iPad 2, and my dad is getting a work iPad. 
    And they all run on my Windows 7.

  • Can ACS support multiple Active Directory Domains for 802.1x EAP-TLS?

    Hi
    I'm looking to implement ACS 5.2 using 802.1X; we have two separate AD domains.
    Now.. this is the tricky part...
    A single switch will need to support both ADs, so if a machine in AD1 is connected, it will be authenticated to the ACS using AD1 and applied to VLAN1, while a machine that is in AD2 will be authenticated to AD2 and applied to VLAN 2.
    I'm looking at machine authentication, not user authentication, so I assume that I will need to import two certs from each AD.
    Can any expert please let me know if they think that this will be possible?
    Many thanks

    Yes ACS can support multiple AD domains but you will have to configure one as your AD domain and the other as an LDAP database and this will work since you are planning to use eap-tls.
    The question I have is which version of ACS are you using? If you are using ACS 5.x then you can set up an identity store sequence so if the user is not found you can move to the next store, and this will prevent you from installing two certificates on every machine.
    You can then set up an authorization rule for the separate containers where the workstations are located (this is assuming machine authentication is being used) for the AD database or the LDAP database and then assign the VLAN based off that.
    Thanks and I hope this helps!
    Tarik Admani

  • I have an iPhone 4 which is synced with a non-Apple laptop and wish to sync it with my new iMac. I have backed the phone up with the laptop and am not sure how to sync it with the iMac without losing any contacts, emails or photos from my phone.

    I have an iPhone 4 which is currently synced with a non-Apple laptop and I wish to sync it with my new iMac. I have just backed the phone up on my laptop but am not sure what I need to do now. I do not want to lose any contacts, emails or photos from my phone when I change sync computers. Can anyone assist with a step-by-step guide as to how to achieve this outcome? Thanks in advance.

    Have you read this?
    iTunes: How to move your music to a new computer
    http://support.apple.com/kb/HT4527
    The Apple web site has lots of other guidance, for example if you are migrating from Windows to Mac, read this.
    Switch 101: Migrate your Windows files or system to your Mac
    http://support.apple.com/kb/HT2518

  • Non Mac Laptop and iCal Question

    Is it possible to get iCal on a non-Mac laptop?

    Jesstears,
    No, iCal functions only with Mac OS X.
    ;~)

  • PE13 on Windows 8.1 and non-admin or UAC issues?

    Before I try to evaluate Premiere Elements 13 64-bit, I want to ask if lingering problems related to UAC and non-admin user accounts were resolved since version 11.
    It's good to see a 64-bit version of Elements come out since then.

    Gordon Fecyk
    On what computer operating system is your Premiere Elements 13 running? For now I will assume Windows 7, 8, or 8.1 64 bit.
    Not sure what you mean by:
    It's good to see a 64-bit version of Elements come out since then.
    I assume you mean version 11. So in that case....
    Premiere Elements Windows 10, 11, 12, and 13 are 64 bit applications when installed and run specifically on Windows 7, 8, or 8.1 64 bit. On other Windows versions they are 32 bit applications on a 32 bit system or 32 bit applications running in the 32 bit compatibility mode of a 64 bit system. On the Mac side of things, it is my recollection that Premiere Elements 11 Mac was the first to be a 64 bit application when run on a Mac 64 bit system.
    It is my understanding that nothing has changed over the versions with regard to Premiere Elements and the matter of "UAC and non-admin accounts". Probably Microsoft would be a good source on that. Recent threads seem to suggest that Premiere Elements is not working with Domain accounts.
    This is not Adobe. Rather a user to user forum. If you want to contact Adobe about your feature requests, you could consider the Adobe Feature Request Bug Report Form.
    https://www.adobe.com/cfusion/mmform/index.cfm?name=wishform&loc=en
    When you have specific problems with aspects of your Premiere Elements 13 purchased or tryout, we would be glad for the opportunity to be of assistance. Definitely recommend tryout before purchase to assure the compatibility of your program with your specific computer environment and your project goals.
    ATR

  • ACS 5.5 and Windows 2012 AD support

    Hi All,
    Previously I had two AD domains based on 2008 and had machines in one domain and users in another domain, and the condition statement "Was machine authenticated=True" worked fine when doing EAP-TLS machine then user authentication.
    I have now upgraded the machine's domain to 2012, and machine authentication works fine and user authentication also works, but when you put the two together and enable "Was machine authenticated=True" the ACS errors out when doing user authentication with the message "ACS unable to find previous successful machine authentication", even though machine authentication was successful. I have tried with ACS being a member of both 2008 and 2012 domains at each stage.
    The clients are all Windows 8.1.
    Has anyone encountered this scenario before ?
    TIA

    I would like to share a good troubleshooting guide for ACS 5.X and later. Please have a look:
    http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113485-acs5x-tshoot.html

  • Office Integration and non-MS browsers

    I have an 'issue' with Office integration and non-MS browsers with our SharePoint 2013 on-prem environment (using SSO via ADFS).
    Background: our internal client wants to move to SharePoint sites for collaboration with external partners. One of the selling points they're wanting to make to justify the move from their current external collaboration site is Office integration - specifically the ability to open/edit/save documents by clicking on the document in SharePoint, having it open in Office (PC/client) for editing. Note they are wanting full integration with the client version of Office - not OWA. The other requirement is that this work with both Firefox and Chrome.
    Issue: Office integration works fine using Internet Explorer. When a user clicks on a document, the document opens in Office and can be edited directly from the browser without any additional prompts.
    But when clicking on a document via Firefox or Chrome, the SSO login form pops up when Office starts. Once the user enters their credentials they can work with the documents as desired. But our client does not want this second prompt.
    Question:
    Is there a way to configure SharePoint so that Firefox or Chrome open up documents for editing without a second logon prompt? I'm assuming not, based on my research on how these browsers handle cookies differently than IE. Can someone confirm?
    Is there a dev solution to this? Note that because the users will be partners (non-employees) we are trying to avoid using a solution that would involve installing custom software on their PCs (such as browser extensions).

    Unfortunately you are looking at a plugin or having the users modify their browsers:
    http://yalla.itgroove.net/2011/12/firefox-friday-3-sharepoint-login-prompts-on-firefox/
    http://www.rhyous.com/2009/12/31/why-does-firefox-prompt-for-domain-ad-authentication-or-how-to-get-firefox-to-automatically-login-to-web-sites-with-domain-credentials-sharepoint-for-example/
    Brandon Atkinson
    Blog: http://sharepointbrandon.com

  • IWeb and non-iWeb files @ same site?

    I have modified my CNAME at my personal domain site to forward to MobileMe, and I am not having any problems with that aspect. What I am wondering is ... can I have both iWeb files and non-iWeb files at the same site and still use MobileMe?
    Basically, I want to use iWeb for my main family web site, but still have my Wordpress blog as well as some older web pages that I don't want to convert to iWeb. Right now, anything that starts with my domain name is pointed to MobileMe, which precludes access to the non-iWeb files.
    Not sure if this is clear or not, but if anyone has any pointers, I would be very grateful.

    Thanks for the advice about putting the other files on MobileMe - I didn't know you could host non-iWeb pages there.
    Unfortunately, I actually don't want to store them there. My Wordpress blog is hosted on my own server (it's not a wordpress.com blog), and my old files are large and I don't want to burn up all the space on MobileMe. I have a ton of space and other good hosting services as my provider (doteasy). I do, however, like the features of iWeb for my main family page, so I want to be able to publish to MobileMe, but still have the domain function as well, with some pages accessible only through the domain, not MobileMe.

  • VATable and non VATable in import PO??

    Hi experts
    Can anybody explain to me the import procedures and VATable and non-VATable in import?
    In short, explain to me the overall import procedures.
    Explain to me in domain terms and in SAP procedures.
    Thanks
    SAP-MM

    Hi,
    VATable :- means you are taking benefit of CVD.
    Use conditions as follows.
    Conditions for CVD in CIN :-
        JCV1 - IN CVD, e.g. 14%
        JECV - IN CVD Prim Edu, e.g. 2%
        J1CV - IN CVD Sec Edu, e.g. 1%
    In general the amount of BCD, CVD is submitted to the Custom Office.
    So in your PO you must have assigned these conditions to a different Vendor, i.e. the custom office, in your PO.
    In MIRO, select the planned delivery cost with that PO number and all your values will appear.
    But it will be a different case when you want to take benefit of CVD in CIN.
    In addition to the above procedure, you have to uncheck GR-based IV in the PO and first do the MIRO for planned delivery cost and generate the commercial invoice number;
    after that do the GR with MIGO.
    Regards,
    Pardeep Malik

  • ACS Group mapping and restrictions

    hi,
    I would appreciate receiving some configuration steps on ACS to fulfill the following requirement, and hope you can help me.
    ACS Groups
    Netadmin - need telnet/ssh/vpn/wireless
    wireless - only wireless authentication
    vpn - only vpn authentication
    I need to map the above ACS groups to one or many AD groups and restrict access as stated above.
    Also please note that one user can belong to all three groups in ACS/AD.
    thanks in advance.

    In ACS a user can only belong to one group, but in AD we can have one user as part of multiple groups.
    In this scenario, it is very important to understand how ACS group mapping works.
    Let's say that you have three different groups on AD for NetworkAdmin, RouterAdmin, Wireless. Go to External User Databases == Database Group Mappings == Windows NT/2000 == select the domain to which you are authenticating == Add mapping.
    Select the AD group NetworkAdmin and map it to ciscosecure group 1
    select the AD group RouterAdmin and map it to ciscosecure group 2
    select the AD group Wireless and map it to ciscosecure group 3
    Group mappings work in the order in which they are defined: the first configured mapping is looked at first, then the second, third and so on. If a user is in AD group NetworkAdmin and that is mapped to ACS group 1 and it is the first configured mapping, it will be looked for FIRST (if a user exists in the NetworkAdmin group it will always be mapped to ciscosecure group 1, NO further mappings for this user are checked, and the user is authenticated or rejected).
    Scenario: if you have a user called cisco, in NetworkAdmin group, cisco1 in RouterAdmin group, and cisco2 in Wireless. They will always be dynamically mapped to ACS group 1, 2 and 3 respectively as per above mappings.
    You can check the mappings on the passed authentications for users as to what group are they getting mapped to.
    SCENARIO:
    Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not wireless or RouterAdmin devices you would need to apply NARs to group 1 because NetworkAdmin users are connecting to that group. Which you will permit Access on group basis to a particular NetworkAdmin NDG or individual NetworkAdmin NAS device.
    NOTE:
    If you are applying NARs for Wireless or VPN devices, you would need to configure both IP based AND CLI/DNIS based together, because NARs were originally designed for Cisco IOS routers and switches.
    IMPORTANT: If a user successfully authenticates to the AD database once, its username is cached in the ACS database (NOT the password). The only way to remove the previously cached username is to go to User Setup, find that user and delete it manually.
    ACS will not support the following configuration:
    * An Active Directory user that is a member of 3 AD groups (group A, B and C)
    * Those 3 groups are mapped within ACS as follows: Group1->A, Group2->B and Group3->C.
    * The user is in all 3 groups; however he will always be authenticated by group 1 because that is the first group he appears in, even if there is a NAR configured assigning specific AAA clients to the group.
    However, if your mappings are in the order below...
    NT Groups         ACS groups
    A,B,C  =============> Group 1
    A      =============> Group 2
    B      =============> Group 3
    C      =============> Group 4
    You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in group 1.
    This rule WILL apply for the user ONLY if he is present in ALL three groups (A, B and C).
    You can create a rule for users in group A (Group 2)
    You can create a rule for users in group B (Group 3)
    You can create a rule for users in group C (Group 4)
    Regards,
    ~JG
    Do rate helpful posts
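The first-match group mapping and the per-group NAR described in the reply above, as an added model (illustration only, not ACS code): mappings are evaluated in configured order, a combined mapping matches only a user who is in all of its AD groups, and the NAR of the winning group decides whether the device is reachable. Group and NDG names are constructed.

```python
def map_user_to_acs_group(user_ad_groups, mappings):
    """Return the ACS group from the first mapping the user satisfies.

    mappings is an ordered list of (set_of_ad_groups, acs_group). A combined
    mapping such as {A, B, C} only matches a user who is in ALL of those AD
    groups. Later mappings are never consulted once one has matched.
    """
    held = set(user_ad_groups)
    for required, acs_group in mappings:
        if set(required) <= held:
            return acs_group
    return None

def decide(user_ad_groups, device_ndg, mappings, nars):
    """Map the user, then apply the NAR configured on that ACS group.

    nars maps an ACS group to the set of NDGs it is permitted to access.
    Returns (acs_group, permitted).
    """
    acs_group = map_user_to_acs_group(user_ad_groups, mappings)
    if acs_group is None:
        return None, False
    return acs_group, device_ndg in nars.get(acs_group, set())

# Layout the reply says ACS will NOT support: one AD group per ACS group,
# with A = NetworkAdmin, B = RouterAdmin, C = Wireless.
NAIVE_MAPPINGS = [({"A"}, "Group1"), ({"B"}, "Group2"), ({"C"}, "Group3")]
NAIVE_NARS = {"Group1": {"NetAdmin-NDG"}, "Group2": {"Router-NDG"},
              "Group3": {"Wireless-NDG"}}

# Recommended layout: the combined mapping is listed FIRST and carries the
# broad NAR; single-group mappings follow.
RECOMMENDED_MAPPINGS = [({"A", "B", "C"}, "Group1"), ({"A"}, "Group2"),
                        ({"B"}, "Group3"), ({"C"}, "Group4")]
RECOMMENDED_NARS = {"Group1": {"NetAdmin-NDG", "Router-NDG", "Wireless-NDG"},
                    "Group2": {"NetAdmin-NDG"}, "Group3": {"Router-NDG"},
                    "Group4": {"Wireless-NDG"}}

def demo():
    """A user in all three AD groups connecting to a wireless device, under both layouts."""
    user = {"A", "B", "C"}
    return (decide(user, "Wireless-NDG", NAIVE_MAPPINGS, NAIVE_NARS),
            decide(user, "Wireless-NDG", RECOMMENDED_MAPPINGS, RECOMMENDED_NARS))

if __name__ == "__main__":
    naive, recommended = demo()
    print("naive layout:      ", naive)        # mapped to Group1, wireless denied
    print("recommended layout:", recommended)  # mapped to Group1, wireless permitted
```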

  • WLC 4402, LAP1242AG APs and Layer 2 Switch Network Design

    Hi Every One,
    I am a new designer in wireless technology. During design I came across a confusing/complex existing topology which I have to integrate with a WLC 4402, as below;
    Existing:
    1: I have 12 switches, all VTP mode server, all in a single VLAN 1 with a single subnet 192.168.0.0/24. All user ports are in this single VLAN 1.
    2: All of these are old switches, including 2950G, 350GXL, 4912.
    3: The gateway for all the switches is a PIX firewall (192.168.0.1).
    To Do:
    1: I have to implement 1 * WLC 4402, 22 *LAP1242AG Access Points.
    2: WLC will be connected to 350GXL or 4912 through Fiber.
    3: Access Points will be connected to all other 20 switches randomly.
    Confusion:
    1: In my design I created a separate VLAN 450 for WLC and AP management. But this is not doable in the current setup because all the switches are VTP mode server. Also the gateway is a firewall, which will require configuration on all existing switches + PIX. (I DON'T WANT TO GO FOR THIS OPTION.)
    2: To make my work easy, is it possible to put the WLC and APs in the same VLAN 1 (192.168.0.0/24) that is currently used by the existing switches? The gateway for the WLC and APs will be the PIX (192.168.0.1).
    3: I tried to search Cisco examples, but in every example Cisco has made a separate VLAN for WLC and AP management. So will point 2 work?
    4: Do I require any specific changes for this?
    5: ANY OTHER DESIGN SUGGESTION?
    Please find the attached Diagram for more information.

    Thanks for the reply.
    1: You mean that the switch port config will be as below;
    int g0/10
    description connected to WLAN Controller
    switchport mode access
    switchport access vlan 1
    int g0/23
    description connected to AP
    switchport mode access
    switchport access vlan 1
    So below will be the summary of the config:
    All switches, WLC, APs, wireless users and wired users will be in the same subnet (192.168.0.0/24). Is it OK?
    2: What do you mean by VTP config? Please clarify.
    As I mentioned, all switches are in VTP mode server. The VTP domain name is configured on 12 out of 15 switches. Do I need to configure the same VTP domain name on all switches? Do I also have to check the VTP password?

  • WLC + ACS (RADIUS) + MS-AD

    Hi!
    I have been looking around if there is a way to authenticate users against a MS-AD database from a non-controlled wireless client.
    My design includes a WLC 4400, an ACS 5.4 and MS-AD 2003.
    The goal is to connect a client without any special configuration (in the client); the SSID will be visible so I just want to join the network and, after the negotiation, it should prompt me for a username and password for the Microsoft database.
    I have read there are limitations setting this up just with WLC and MS-AD; that's why I want to use RADIUS (ACS) so I can establish a trusted communication between the ACS and MS-AD. But so far I have only found documentation where they modify the native supplicant to validate a CA and force MSCHAPv2.
    Thanks in advance for any help.

    Check out the doc below
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml

  • Peer-Switch with vPC and non-vPC Vlan Port-Channels

    Hi,
    in a design guide I have noticed that it is best practice to split vPC and non-vPC VLANs onto different inter-switch port-channels. Now I want to use the Peer-Switch function, but the port-channel interface of the non-vPC-VLAN channel moves into blocking state. The option spanning-tree pseudo-information has no influence. Is peer-switch possible in my kind of topology?
    Greeting,
    Stephan

    I believe it is absolutely possible, specifically because peer-switch and STP pseudo-information are specific and local to Cisco Fabric Services running as part of vPC technology. Personally I have a lab with a vPC domain composed of 2 N5Ks. They are peer-switches with STP pseudo-information and they have MST running on non-vPC links independently from vPC.

  • Authoritative restore and Non Authoritative restore

    Hi
    1. What's the difference between an Authoritative restore and a Non-Authoritative restore? Please explain with an example.
    Also, if anyone has Windows questions and answers with troubleshooting and live scenarios, please help me.

    Hello,
    Performing an Authoritative Restore of Active Directory Objects: http://technet.microsoft.com/en-us/library/cc779573(WS.10).aspx
    Example: You accidentally deleted an AD user and you want to restore it. You can use an authoritative restore to perform that.
    Note that now you can do that by enabling the AD Recycle Bin, and you no longer need a restore operation.
    Performing a Nonauthoritative Restore of a Domain Controller: http://technet.microsoft.com/en-us/library/cc784922(WS.10).aspx
    Example: You had hardware problems on a DC and you solved them after re-installing the DC OS. You can use a non-authoritative restore so that you don't delete recently made changes.
    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
