
Messages - MC

Security / Re: ISE: per user static ip address
« on: September 04, 2018, 08:20:52 PM »
You can use the Framed-IP-Address RADIUS attribute to assign an IP to a user. That can be statically assigned or fetched from another database like AD.

Thanks for the follow-up solution. Keep in mind that all alarm notifications can be turned off as well under the settings, but it might be better to silence the source like you did.

Wireless / Re: Radius/Local EAP Authentication in Single SSID
« on: July 16, 2018, 08:23:09 PM »
That seems to be how it is supposed to work. You can't have them work concurrently. See the excerpt below from the WLC config guide.

"Note: If any RADIUS servers are configured on the controller, the controller tries to authenticate the wireless clients using the RADIUS servers first. Local EAP is attempted only if no RADIUS servers are found, either because the RADIUS servers timed out or no RADIUS servers were configured."

Wireless / Re: Cisco WLC Guest Wireless Splash Page on Android Devices
« on: July 16, 2018, 08:18:21 PM »
There should be no reason why would stop working now that it has become a valid IP, unless a certain device is programmed to reject it, although it is true that you should no longer use it. A safer alternative is a reserved IP like I do not recall changing the IP requires a reboot but I think updating the certificate does. You should also look into using a name URL instead of an IP.

Security / Re: Cisco and Microsoft PKI
« on: July 16, 2018, 06:16:21 PM »
If you check the CA, do you see any pending certificates? Can you even request a certificate manually via the /certsrv page? The two most common issues with SCEP are usually not having automatic approval enabled and not having the security challenge disabled on the CA, both of which I believe are controlled via the registry.

Security / Re: Avaya 802.1x Deployment
« on: July 16, 2018, 06:12:14 PM »
I personally have not. When you do .1x on hardware like that, you are at the mercy of the manufacturer. Have you looked into MAB, or does it not meet your security requirement?

Security / Re: EAP Chaining
« on: May 10, 2018, 09:44:35 PM »
Absolutely, AnyConnect NAM allows two different types of credentials for user and machine. You just need to configure it accordingly with the profile editor.

The video uses an ISR4K router running 16+ code, so if you are using anything lower, you might have the issue. Some people have also reported the same. Some have suggested putting "crypto ikev2 authorization policy default" on the spoke side to force the hub to inject the route. Give it a try and see if that works.

Security / Re: Cisco ASA DNS
« on: February 28, 2018, 07:53:27 PM »
In that case, the ASA should have no influence on the TTL. You can try turning off DNS inspection on the ASA too.

Security / Re: Cisco ASA DNS
« on: February 26, 2018, 09:51:47 PM »
Does your user have the ASA as the DNS server? If so, can you point it to another internal or public DNS server?

Security / Re: ISE 2.3 CWA redirection issue
« on: February 01, 2018, 08:36:28 PM »
I just ran into an issue with failed URL redirect on a 3850/9300 switch running 16.3 and 16.6.1. Apparently there is a bug for this (see below). The symptom is very similar to what you described, which is that the switch gets the redirect URL from ISE but the endpoint is not getting there, even though it can get there by copying and pasting the URL into the browser.

What switch model/version are you using? If you are running one of the versions mentioned above, try to upgrade to 16.6.2.

Routing and Switching / Re: interface state on Router
« on: February 01, 2018, 08:30:43 PM »
Glad the issue is resolved.

Security / Re: ISE 2.3 CWA redirection issue
« on: January 29, 2018, 07:07:33 PM »
What do you mean by "register an account from another PC"? When the endpoint hits a MAB auth policy rule, the following should happen:
   1. ISE pushes a DACL to the switch that only allows traffic to ISE (so the guest can see the login portal). This overrides the port default ACL
   2. ISE pushes the redirect URL to the switch
   3. ISE tells the switch to enforce the redirect ACL that is configured on the switch, which should only permit www/https

Seems like you have most if not all of these in place.
You mentioned the guest got an IP. The guest should only have access to ISE so you shouldn't be able to ping  If you manually copy the redirect URL shown on the switch to the guest browser, do you see the login page?

Routing and Switching / Re: interface state on Router
« on: January 28, 2018, 09:22:00 PM »
Start with the physical layer and check the cable. You then want to make sure the line settings and config match on both sides. If the other side is a provider, you will need to work with them to confirm. Other final things you can try are a different E1 port/module or a software upgrade.

Security / Re: BYOD "Access Policy Set"
« on: January 02, 2018, 04:54:56 AM »
There is no patch. Which attribute exactly were you looking for?
