User Info

Welcome, Guest. Please login or register.
Did you miss your activation email?

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - MC

Pages: [1] 2 3 ... 25
Security / Re: ISE 2.3 CWA redirection issue
« on: February 01, 2018, 08:36:28 PM »
I just ran into an issue with failed URL redirect on a 3850/9300 switch running  16.3 and 16.6.1. Apparently there is a bug for this (see below). The symptom is very similar to what you described which is switch gets redirect URL from ISE but endpoint is not getting there even though it can get there by copy/paste URL to browser.

What switch model/version are you using? If you are running one of the version mentioned above, try to upgrade to 16.6.2

You are not allowed to view links. Register or Login

Routing and Switching / Re: interface state on Router
« on: February 01, 2018, 08:30:43 PM »
Glad the issue is resolved.

Security / Re: ISE 2.3 CWA redirection issue
« on: January 29, 2018, 07:07:33 PM »
What do you mean by "register an account from another PC "? When the endpoint hits a MAB auth policy rule, the following1 should happen
   1. ISE pushes DACL to switch that only allows traffic to ISE (so guest can see login portal). This overrides the port default ACL
   2. ISE pushes redirect URL to switch
   3. ISE tells switch to enforce redirect ACL that is configured on switch which should only permit www/https
   Seems like you have most if not all of these in place.
   You mentioned guest got an IP. Guest should only have access to ISE so you shouldn't be able to ping  If you manually copy redirect URL shown on switch to guest browser, do you see login page?

Routing and Switching / Re: interface state on Router
« on: January 28, 2018, 09:22:00 PM »
Start with physical layer and check cable. You then want to make sure the line settings and config match on both sides. If the other side is a provider, you will need to work with them to confirm. Other final things you can try is trying different E1 port/module, or software upgrade.

Security / Re: BYOD "Access Policy Set"
« on: January 02, 2018, 04:54:56 AM »
There is no patch. Which attribute exactly were you looking for?

Security / Re: ISE 2.2 CWA Redirect Not Working
« on: January 02, 2018, 04:51:14 AM »
It appears the device failed to download DACL from ISE. I don't see CoA config (aaa server radius dynamic-author) on the switch config. Also make sure MAB is listed under auth priority command under interface config.

Routing and Switching / Re: Lost Default Route in Routing Table
« on: January 02, 2018, 04:45:04 AM »
You might want to check the device where the default route was generated. If it was a redistribution, check and see if the that device default route still exist. Trace it to the furthest device where default route is still there and see if there is any route filter.

Wireless / Re: EAP/TLS User authentication
« on: October 26, 2017, 09:35:06 PM »
That's certainly unusual. How was cert installed? Was it manually or via GPO? Who issued the cert and if it was Windows CA, which template was used?

Security / Re: ISE and Cisco IP phone
« on: October 26, 2017, 09:33:07 PM »
Hi Aris, That's incorrect. For ISE to trust Phone and PC, you need to import CA cert that sign those devices cert into ISE trusted cert store (in your case the self-sign CAPF for phone and possibly your internal CA for PC). This has nothing to do with who sign ISE cert. Then for the phone to trust ISE, you need to import CA cert that sign ISE into phone CTL.

Security / Re: ISE 2.3 and Cisco Web Auth not working
« on: September 14, 2017, 08:34:06 PM »
Thanks for sharing your findings. Usually if you see ISE returning redirect URL to WLC but client is not redirected, it's usually WLC config issue. Adding anchor WLC certainly make things a little trickier. SSID config on both WLC and anchor should always be identical.

Security / Re: 3850 IPv4 Problem
« on: September 14, 2017, 08:30:47 PM »
You need to be in 3.7.x to see TrustSec related commands.

Security / Re: 3850 IPv4 Problem
« on: August 28, 2017, 10:16:23 PM »
You are not allowed to view links. Register or Login
Hi MC,

other Question, i can not configure the cts dot1x command in interface. How I can enable the cts dot1x with 3850 or other way to active cts dot1x?


What version of switch, code and license do you have? Can you provide 'show ver'?

Security / Re: 3850 IPv4 Problem
« on: August 28, 2017, 10:12:32 PM »
You are not allowed to view links. Register or Login
Hi MC,

I can not configure the command "ip device-tracking" in 3850 :(
is there any other command im 3850 für device tracking?

Yeah.. On 3850, device tracking is configured differently. It's in a form of policy.

Security / Re: 3850 IPv4 Problem
« on: August 26, 2017, 10:49:36 AM »
Do you have device tracking configured?

Security / Re: Lab minutes ISE 2.2 videos
« on: July 31, 2017, 09:53:07 PM »
I can't see why you would not be able to use TACACS for wired/wireless/VPN although it is not common so I have never tested them. Most people would be ok with RADIUS. But if your compliance calls for TACACS, I suggest you test them in a lab. Most config should be similar to RADIUS with differences being using TACACS server instead of RADIUS on network device config and use TACACS policy-set on ISE. MAC OSX should support PEAP with MSCHAPv2 for .1x but not VPN. Lab Minutes only have video on TACACS for device admin as part of ISE 2.0 video series. I don't recall seeing any Cisco doc on using TACACS with .1x neither. Good luck and let us know how it goes.

Pages: [1] 2 3 ... 25
SimplePortal 2.3.5 © 2008-2012, SimplePortal