WLCM and NAC-NME configuration

Has anybody deployed WLCM and NAC-NME in the same ISR3800 box? What's the best practice, and is there any configuration example?
The customer has a small site with one 3825; one WLCM (interface Integrated-Service-Engine1/0) and one NAC-NME (interface Integrated-Service-Engine2/0) are installed in the 3825. GE0/0 of the 3825 connects to the internal L3 switch and GE0/1 connects to the Internet. One WLAN has been configured in the WLCM (version 6.0.188) and will be protected by the NAC-NME (version 4.6.1).
It is said that the NAC-NME does not support OOB mode and can only work in In-Band mode. Since Real-IP Gateway mode has a lot of limitations, can the NAC-NME be configured in In-Band Virtual Gateway mode? If yes, how do I set up a Layer 2 connection between the WLCM (interface Integrated-Service-Engine1/0) and the untrusted interface (external G 0) of the NAC-NME?
What I can think is:
Let me assume the quarantine VLAN of this WLAN is 310 and the real VLAN is 311; both the NAC-NME's untrusted interface (external G 0) and GE0/0 of the 3825 are connected to a 3750E L3 switch's G1/0/1 and G1/0/2; the untrusted interface management VLAN is 304 and the trusted interface management VLAN is 303. Then I can configure:
1. For 3825:
! quarantine VLAN 310 -> bridge-group 1, real VLAN 311 -> bridge-group 2
interface GigabitEthernet0/0.310
 encapsulation dot1Q 310
 bridge-group 1
!
interface GigabitEthernet0/0.311
 encapsulation dot1Q 311
 bridge-group 2
!
! WLCM side: pure L2 bridge ports, no IP
interface Integrated-Service-Engine1/0.310
 encapsulation dot1Q 310
 no ip address
 bridge-group 1
!
interface Integrated-Service-Engine1/0.311
 encapsulation dot1Q 311
 no ip address
 bridge-group 2
!
bridge 1 protocol ieee
bridge 2 protocol ieee
2. For 3750E:
! G1/0/1: trunk towards the NAC-NME untrusted interface (mgmt VLAN 304 plus 310/311)
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 304,310,311
 switchport mode trunk
!
! G1/0/2: trunk towards GE0/0 of the 3825
interface GigabitEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 310,311
 switchport mode trunk
but how to configure interface Integrated-Service-Engine2/0 of the 3825 which is connected to the trusted interface of the NAC-NME?
interface Integrated-Service-Engine2/0.303
 encapsulation dot1Q 303
 ip address x.x.x.x
!
interface Integrated-Service-Engine1/0.311
 encapsulation dot1Q 311
 ip address y.y.y.y
3. NAC-NME will configure VLAN mapping 310<-->311
I have not tested these configurations (I don't have access to the 3825 yet; I will be able to access it next week), but I'm afraid that since GigabitEthernet0/0.311 of the 3825 has been configured as a bridge port, maybe Integrated-Service-Engine1/0.311 can't be configured as a L3 port.
Is there anything else that needs to be configured? Or is there any other better design and configuration example? Any input is highly appreciated!
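As an added example (editor's code, not from the original post and not Cisco's): a small Python check that parses the 3825 and 3750E fragments above and reports whether the plan is internally consistent, i.e. that each VLAN the NAC-NME maps is bridged between GE0/0 and the WLCM subinterface in its own bridge-group, that the bridge ports stay pure L2, and that both VLANs are allowed on both trunks. It assumes the poster's VLAN numbers and that G1/0/1 faces the NAC-NME untrusted interface while G1/0/2 faces GE0/0; the rule that a bridged subinterface must not also carry an ip address is the poster's own design constraint, encoded as a check rather than as a statement about IOS behaviour.

```python
# Consistency check for the in-band virtual-gateway VLAN plan above.
# Added example, not the poster's code; inputs are the poster's own fragments.
import re
from collections import defaultdict

# Constructed inputs: the 3825 and 3750E fragments from the post, VLAN numbers unchanged.
ROUTER_CONFIG = """\
interface GigabitEthernet0/0.310
 encapsulation dot1Q 310
 bridge-group 1
interface GigabitEthernet0/0.311
 encapsulation dot1Q 311
 bridge-group 2
interface Integrated-Service-Engine1/0.310
 encapsulation dot1Q 310
 no ip address
 bridge-group 1
interface Integrated-Service-Engine1/0.311
 encapsulation dot1Q 311
 no ip address
 bridge-group 2
bridge 1 protocol ieee
bridge 2 protocol ieee
"""
SWITCH_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 304,310,311
 switchport mode trunk
interface GigabitEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 310,311
 switchport mode trunk
"""
# Assumed port roles: G1/0/1 towards NAC-NME untrusted, G1/0/2 towards 3825 GE0/0.
TRUNKS = ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2"]
GLOBAL_KEYWORDS = {"bridge", "hostname", "version", "vlan", "end"}  # end an interface block


def parse_interfaces(config):
    """{interface name: [sub-commands]} from an IOS-style config, indented or not."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.split()[0] in GLOBAL_KEYWORDS:
            current = None
        elif current is not None:
            ifaces[current].append(line)
    return ifaces


def bridge_members(ifaces):
    """bridge-group -> [(interface, dot1Q VLAN or None, has_ip)]."""
    groups = defaultdict(list)
    for name, cmds in ifaces.items():
        bg = vlan = None
        has_ip = False
        for cmd in cmds:
            if m := re.match(r"bridge-group (\d+)$", cmd):
                bg = int(m.group(1))
            elif m := re.match(r"encapsulation dot1[qQ] (\d+)", cmd):
                vlan = int(m.group(1))
            elif re.match(r"ip address \S", cmd):  # "no ip address" does not match
                has_ip = True
        if bg is not None:
            groups[bg].append((name, vlan, has_ip))
    return dict(groups)


def trunk_allowed(ifaces):
    """trunk port -> set of allowed VLAN ids (expands ranges such as 10-20)."""
    allowed = {}
    for name, cmds in ifaces.items():
        for cmd in cmds:
            m = re.match(r"switchport trunk allowed vlan (?:add )?([\d,\s-]+)$", cmd)
            if not m:
                continue
            vlans = allowed.setdefault(name, set())
            for part in m.group(1).split(","):
                lo, _, hi = part.strip().partition("-")
                vlans.update(range(int(lo), int(hi or lo) + 1))
    return allowed


def check_design(router_cfg, switch_cfg, nac_mappings, trunk_ports):
    """Problems found in the plan (empty list = consistent). nac_mappings is
    [(quarantine_vlan, real_vlan), ...]; trunk_ports must carry every bridged VLAN."""
    problems = []
    allowed = trunk_allowed(parse_interfaces(switch_cfg))
    bridged = {}  # vlan -> bridge-group
    for bg, members in sorted(bridge_members(parse_interfaces(router_cfg)).items()):
        names = [n for n, _, _ in members]
        vlans = {v for _, v, _ in members}
        if len(members) != 2 or len({n.split(".")[0] for n in names}) != 2:
            problems.append(f"bridge-group {bg}: need one subinterface on each of two physical ports, got {names}")
        if len(vlans) != 1 or None in vlans:
            problems.append(f"bridge-group {bg}: members carry different or missing dot1Q tags {vlans}")
        else:
            bridged[vlans.pop()] = bg
        for name, _, has_ip in members:
            if has_ip:  # design rule from the post: bridge ports stay pure L2
                problems.append(f"{name}: L2 bridge port also carries an ip address")
    for vlan, bg in sorted(bridged.items()):
        for port in trunk_ports:
            if vlan not in allowed.get(port, set()):
                problems.append(f"VLAN {vlan} (bridge-group {bg}) is not allowed on {port}")
    for quarantine, real in nac_mappings:
        for vlan in (quarantine, real):
            if vlan not in bridged:
                problems.append(f"NAC mapping {quarantine}<->{real}: VLAN {vlan} is not bridged to the WLCM")
    return problems


if __name__ == "__main__":
    for line in check_design(ROUTER_CONFIG, SWITCH_CONFIG, [(310, 311)], TRUNKS) or ["plan is consistent"]:
        print(line)
```

Run it against the plan as posted and it reports nothing; drop VLAN 311 from G1/0/2, or put an ip address on one of the bridged subinterfaces, and the corresponding line is flagged before anyone touches the router.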

You got a defective unit. Open a TAC case to get a replacement.

Similar Messages

  • Macintosh clients, 802.1x and NAC.

    I'm prototyping a NAC setup which has to cater for Macintosh clients as well as Windows. I can get the Macs to authenticate via 802.1x (surprisingly easy using the built-in software!) but what I can't do is set up a Posture Validation Rule to identify that the client is a Mac and not a Windows machine. I've tried using the Cisco:PA:OS-Version condition set specifying "contains" MAC. I've also tried "contains" 10 but it doesn't work. I think it probably doesn't work as the condition set depends on the CTA being installed on the Mac, which it isn't (and it's not an option either).
    EDIT: Anyone tried installing the CTA on a MAC? It's horrific. Extract the files and run the install, OK so far. It then puts the config ini file in a directory no user (not even Admins) has permissions to so you can't modify it and BOY do you need to modify it!
    Any ideas?

    I'm on the home straight with this one. Essentially, to get the CTA to work using the built-in 802.1x supplicant on Windows or MacOS you need to run a mix of NAC L2 IP and NAC L2 802.1x. This requires a little extra config on the switch but nothing tragic (it's all in the NAC Framework Configuration Guide).
    The reason for this is that the CTA requires a network channel to be open so it can run EAP over UDP (EOU) to do posture validation, and the 802.1x part of the process gets the machine onto the network so the CTA can do its stuff.
    With this setup in place and the CTA properly configured (as mentioned previously, the permissions set up on the Mac by the CTA install make this far more difficult than it should be) the process works pretty well: popup messages work, browser launch and URL redirection work. Looks good.
    The fly in the ointment is wireless. The freebie CTA doesn't support it, no way. For a PC the answer is to buy the Cisco Secure Services Client, which does support wireless, and (I think) run that alongside the CTA (haven't fully worked this one out yet). If you have a wireless Mac, you're stuffed, simple as that, which from my point of view is a real pain as the customer I'm developing this for wants posture validation for PCs and Macs, wired and wireless.
    Hope this helps someone somewhere avoid a little pain! : )

  • Difference between SPRO and NACE

    Hi
    What is the difference between SPRO and NACE?
    What is the use of these TCODEs, when do we go for these TCODEs, and what is the difference between them?
    Thanks
    Babu

    Hi
    Good.
    An output type is used to issue an output for a business object. The output issued could be in any format.
    It could be a printout, fax, email, ALE and so on...
    Each output type is triggered differently and at a different time.
    No, it's not always that you use 'NEU'. It depends on the requirement.
    For more, read the SAP help on OUTPUT CONFIGURATION
    http://help.sap.com/saphelp_46c/helpdata/en/30/c6853488601e33e10000009b38f83b/frameset.htm
    Reward points if helpful.
    Thanks
    mrutyun^

  • NAC ILO Configuration

    We'd like to configure our NAC Manager and Server to use iLO for configuration so we can separate the management from the operations piece. Is there any documentation on how to do this? I've looked through the NAC documentation we have on hand and it isn't really of any help. Thanks.
    William

    Hi William,
    iLO is supported by the HW vendor, which for NAC appliance servers is HP.
    http://www.cisco.com/en/US/docs/security/nac/appliance/installation_guide/hardware/47/hi_intro.html#wp67549
    See foot notes #2 and #3 of Table 1-2:
    NAC-3310 supports iLO (Lights Out 100i Remote Management). The default iLO "Administrator" account has default username/password: admin/admin. Defaults can be changed through the BIOS setup.
    NAC-3350 and NAC-3390 support iLO2 (Integrated Lights Out, version 2). See panel tags for admin account details.
    These redirect to HP's guides for Lights Out 100i Remote Management
    http://h18000.www1.hp.com/products/quickspecs/12087_na/12087_na.HTML
    and Integrated Lights Out, version 2
    http://h18013.www1.hp.com/products/servers/management/iloadv2/index.html?jumpid=reg_R1002_USEN
    Customers can choose to leverage these features to provide additional hardware monitoring and diagnostic capability, but they are not directly supported by Cisco.
    In other words, Cisco does not provide support on the configuration or use of these features, but we do not deny support for NAC Appliance features and functions if customers elect to use these capabilities for hardware monitoring and diagnostics.
    Hope this helps,
    Fede
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • NAC Switch Configuration

    Hi!!
    I have bought a NAC Server and a NAC Manager to centrally manage the VLAN that users connect to, based on authentication.
    I have several sites, but the NAC Server will be in the headquarters.
    When a remote user authenticates, the NAC should configure the user's switch port for the right VLAN.
    Is this an out-of-band solution?
    Do I need a specific license for out-of-band?
    Best Regards,
    Miguel Amaral

    Hi,
    You need at least 2 licenses:
    1 - CAM license -> This license is the one you install the first time you access the CAM WEB GUI.
    2 - CAS license -> This license needs to be installed so that you can add Clean Access Servers to the CAM.
    Did you install the CAS license?
    If not, you need to get the Product Activation Key (PAK) you received along with the CAS and go to the licensing web page https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet, and request a CAS license. Please note that you need to enter the Clean Access MANAGER eth0 MAC address for the Clean Access Server (CAS) license.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • NAC Redundant Configuration

    Dear Pros,
    Could anyone suggest a solution on how to design redundant NAC Server and NAC Manager and their configuration? We are in the process of implementing a redundant NAC configuration for the customer (2 x NAC Server + 2 x NAC Manager).
    swami

    Hi,
    The heartbeat interface has to be on a switched network, not on a routed network; therefore, if you have the primary appliance on one side and the secondary appliance on the other side of the building, make sure the interfaces are connected to the same VLAN belonging to the same VTP domain...
    I hope this helps, please rate if it does...
    Regards,

  • I want to set up the Time Machine and I would love to use the Time  Capsule but since I already have a wireless router I need suggestions on  what other external disks Apple could recommend to use with the Time Machine and  how to configure that disk

    I want to set up Time Machine and I would love to use the Time Capsule, but since I already have a wireless router I need suggestions on what other external disks Apple could recommend to use with Time Machine and how to configure that disk.
    A complication that I need to resolve is the fact that I am using VMware Fusion to be able to use Windows on my Mac. Now it seems that Time Machine is not backing up my files on that virtual Windows without additional configuration, and my question is whether you can advise me here or whether this is only a matter for the Fusion virtual machine.

    If you want to use Time Capsule you can.. you simply bridge it and plug it into the existing router.. wireless can be either turned off or used to reinforce the existing wireless.. e.g. use 5GHz in the TC, which is much faster than your 2.4GHz.
    You can also use a NAS.. many brands are available but the top brands are Synology, QNAP and the Netgear ReadyNAS series. These will all do Time Machine backups, although how well always depends on Apple sticking to a standard. There are cheaper ones.. I bought a single-disk Zyxel which was rebadged and sold through my local supermarket. It actually works very well for TM, at least on Snow Leopard. Major changes were made in Lion and again in ML, so do not instantly think it will work on later versions. I haven't tried it yet with those versions.
    Any external drive can be plugged into the Mac. Use the one with the fastest connection or cheapest price according to your budget. USB2 drives are cheap and plentiful, but nowhere near as fast as USB3 or FW800. So just pick whichever suits the ports on your Mac. Interestingly, Apple finally moved to USB3 on their latest computers.
    TM should exclude the VM partition file.. it is useless backing it up from the Mac OS side.. and it will slow TM as it needs to back up that partition every day for no purpose.. TM cannot see the files inside it to back up just the changes.
    You need to back up Windows from Windows. Use MSbackup to an external drive.. if you have Pro or Ultimate versions you can back up to a network drive. But MSbackup is a dog.. at least until the latest version it cannot restore the partition without first loading Windows. There are about a zillion backup software versions for Windows.. look up reviews and buy one which works for you. I use a free one, Macrium Reflect, which does full disk backups and is easy to restore.. to do incremental backups though you have to pay for it.

  • What are some of the best iOS apps that can remotely play videos, audio, photos and text files from a NAS HDD connected to the Airport Extreme USB port? And how do I configure this setup?

    I have already set up a NAS HDD by connecting it to the USB port of the Airport Extreme. I also want to remotely access it from my iPhone, so what's the next step? What are some of the best iOS apps that can remotely play videos, audio, photos and text files from the NAS HDD, and how do I configure this setup?

    *Edit - I am not able to connect to the NAS when hardwired to the airport extreme.

  • ISE 1.3 and NAC

    I have a customer running 5508 WLCs across the estate, and I'm retrofitting IEEE802.1x authentication for the corporate WLAN, and WebAuth for the Guest WLAN...they have PSK at the moment :(
    They have AD and are showing great interest in ISE and NAC, so my immediate thoughts are to integrate ISE with AD, and use ISE as the RADIUS server for .1x on the WLC. Then use the WLC and ISE to do WebAuth for Guest...This is all standard stuff, but it gives the background.
    Now we get to the interesting bit...they want to run BYOD. They are involved in financial markets, so the BYOD needs to be tightly controlled. They are asking about ISE coupled with NAC, but I'm not convinced I need NAC since the arrival of ISE1.3. Obviously, I will be looking at three (min) SSIDs, namely corporate, guest and BYOD, all logically separate. I don't need anything that ISE 1.2 can't support on corporate and guest, but BYOD needs full profiling and either barring or device remediation before access to the net.
    Has anyone got any comments or suggestions? Is ISE 1.3 sufficiently NAC-like that I don't need it any more, or if that's not the case, what additional benefits does it bring that ISE can't support?
    Thanks for any advice/comments/experiences
    Jim

    Hi Jim-
    Version 1.3 offers a built-in PKI and a vastly improved guest services experience. The internal PKI is nice if the customer doesn't have a PKI solution in place. Keep in mind though that the internal ISE PKI can only issue certificates to BYOD devices that were on-boarded via the ISE BYOD "flow", so you cannot use the ISE PKI to issue certs to domain computers.
    With regards to NAC: you will have to clarify exactly what is needed here. If you need to perform "posture assessment" then ISE can do it for Windows and OSX based machines. You can check for things like: A/V, A/S, firewall status, Windows patches, etc. If you want to perform posture on mobile devices then you will need to integrate ISE with an MDM (Mobile Device Management) solution such as AirWatch, MobileIron, MaaS360, etc. ISE can query the MDM for things like: is the device protected with a PIN, is the device rooted, is the device encrypted, etc.
    I hope this helps!
    Thank you for rating helpful posts!

  • What are implicit joins and how do I configure them?

    Hello guys
    What are implicit joins and how do I configure them? What's the purpose of implicit and explicit joins?
    Please help
    Thank you

    Thus, on my side, I think that:
    An explicit join defines the join condition between the key columns of the tables.
    (table1.id = table2.id)
    While
    An implicit join defines:
    * the type of join (outer, inner, ...)
    http://gerardnico.com/wiki/dw/join/start
    * and the relationship (one-to-many, cardinality)
    http://gerardnico.com/wiki/dw/data_quality/relationships
    And all this information is used to generate the statement (query).
    And I don't really know why you have two types of key:
    * Physical Foreign Keys
    * Logical Foreign Keys
    Regards
    Nico

  • HT3546 I have been unsuccessfully trying to extend the wifi of my Time 2T Capsule with an Airport Extreme 2nd Gen. It works for a while and then loses configuration. I have done everything possible, disconnected it, reset it but it keeps failing, what to

    I have been unsuccessfully trying to extend the wifi of my Time 2T Capsule with an Airport Extreme 2nd Gen. It works for a while and then loses configuration. I have done everything possible, disconnected it, reset it but it keeps failing, what to do?

    What model and firmware is the 2TB TC?
    What firmware is the AE?
    Does the AE get a good signal from the TC in its current location?
    A signal can only be extended if it is received intact.
    Is it extending on 5GHz? As I remember it, a Gen2 AE is only single band, although you can choose either 2.4GHz or 5GHz.
    I am fairly sure you are going to tell me your TC is the AC model..
    I would do a couple of things..
    1. Fix the wireless name: make it short, no spaces and pure alphanumeric.
    2. Fix the wireless channel for 2.4GHz so it is not going to jump around.
    3. Get real results from the AE in its current location for signal strength.. this is really only possible on the v5 utility. And that is a double pain with Mavericks because you cannot use it.
    Apple have removed all the useful diagnostics from the Airport Utility. There is next to nothing left. So you need to use the computer and its diagnostics to find signal levels in the location.
    http://support.apple.com/kb/HT5606

  • Getting problem while installing Snow Leopard (10.6.3) on my Mac Mini. The following issue is showing :  "mac os x snow leopard cannot be installed on this computer"  And My Mac Configuration details:  Model Name: Mac Mini Model Identifier: Macmini2,1

    Getting a problem while installing Snow Leopard (10.6.3) on my Mac Mini. The following issue is showing:
    "mac os x snow leopard cannot be installed on this computer"
    And my Mac configuration details: Model Name: Mac Mini, Model Identifier: Macmini2,1
    Intel Core 2 Duo
    1.83Ghz
    l2Cache: 2mb
    Memory : 2GB
    Bus Speed: 667MHz
    Please help me......
    Thanks

    Actually I have a Mac OS X 10.5.4 DVD; I need to upgrade it to Snow Leopard (OS X 10.6)...
    Please suggest me what to do???
    Thanks

  • Class-Map and Policy-Map Configuration in CM Confusion

    Hi,
    I'm implementing a green field WAAS deployment for a customer. We currently have a Proof-of-Concept up and running.
    I've got some questions regarding custom class-map and policy-map configuration in the CM. I'd like to nail-down the custom class-map and policy-map configuration (and understanding) in the PoC before cutting over the PoC branches to the production WAAS environment.
    Assuming a typical WAAS Deployment using WCCP for off-path interception, branch to DC.
     ==> 61 in LAN (BRANCH ROUTER) <== 62 in WAN        (WAN CLOUD)        ==> 61 in WAN (DC ROUTER) <== 62 in LAN
    We are using two distinct device groups, BRANCH and DATA CENTER.
    If the customer has traffic that we need to classify in order to provide TFO-only optimisation, should the single class-map include the traffic in both directions? I.e. (assume the SERVER is 10.1.1.1 TCP Port 443), should the class-map be configured as:
    Class-Map
    Line 1: DST IP 10.1.1.1 DST Port 443
    Line 2: SRC IP 10.1.1.1 SRC Port 443
    Or in this case is only the DST line required? And in which Device Group should the custom policy be applied? Or should it be applied to both Device Groups? If it should be applied to both Device Groups, then would it make more sense to have the policy-map in the Branch DG configured to match the DST traffic, and on the Data Center DG have a different class-map match the SRC traffic?
    My confusion is how to classify the traffic (SRC or DST or Both - Separate classes for each or different lines within the same class-map), and where to apply the appropriate policy (both Device Groups, just Branch, just DC) and why...
    I tried to apply a custom policy and the impact in the PoC was that the TCP Summary report stopped reporting the individual traffic classes showed 'other traffic' only. Can anyone explain why this may have occurred?
    I hope this makes sense.

    for instance like this:
    ! ingress: police class-default to 10 Mbps
    policy-map police-in
     class class-default
      police rate 10 mbps <optionally set burst>
    !
    ! egress: parent shaper with a child policy nested under it
    policy-map shape-out-parent
     class class-default
      shape 10 mbps <optional burst config>
      service-policy shape-out-child
    !
    policy-map shape-out-child
     class class-default
      queue-limit 10 packets
    !
    interface g 0/0/0/0
     service-policy police-in in
     service-policy shape-out-parent out
    also have a look at CL 2013/2014 (orlando/sanfran) ID 2904 for more QOS details
    and the support forum article of "asr9000 quality of service architecture"
    xander

  • Export and Import of Configuration Data

    Hi All,
    I have created a number of custom properties, structures, groups, renderers, layout sets etc and would like to move them from Dev to Test system.
    I have found the following in the help doco:
    "Export and Import of Configuration Data"
    http://help.sap.com/saphelp_nw04/helpdata/en/e1/029c414c79b25fe10000000a1550b0/content.htm
    However I am unable to see its functionality in our portal systems (namely the Actions->Export and Actions->Import functions).
    Our version of Portal is: 6.0.9.6.0
    KM: 6.0.9.3.0 (NW04 SPS09 Patch3)
    Therefore we should be able to see it? no?
    Are there any special settings to see these buttons?
    Cheers,
    Vic

    Thanks for your replies.
    OK, so in other words, it is not available in SP09 and only in SP12+.
    So, to "transport" this information I will have to manually reapply these settings in the Test system!
    Message was edited by: Victor Yeoh

  • HT203175 Running Windows 7 64, when installing, I get the error, 'itunes encountered an error and could not configure'.  Ideas?

    Running Windows 7 64, when installing, I get the error, 'itunes encountered an error and could not configure'.  Ideas?

    iTunes unknown error 13010
