Messages - MC

Security / Re: EAP Chaining
« on: May 10, 2018, 09:44:35 PM »
Absolutely, AnyConnect NAM allows two different types of credentials for user and machine. You just need to configure it accordingly with the profile editor.

The video uses ISR4K router running 16+ code so if you are using anything lower, you might have the issue. Some people have also reported the same. Some have suggested to put "crypto ikev2 authorization policy default" on the spoke side to force the hub to inject the route. Give it a try and see if that works.

Security / Re: Cisco ASA DNS
« on: February 28, 2018, 07:53:27 PM »
In that case, the ASA should have no influence on the TTL. You can try turning off DNS inspection on the ASA too.

Security / Re: Cisco ASA DNS
« on: February 26, 2018, 09:51:47 PM »
Does your user have the ASA as the DNS server? If so, can you point it to another internal or public DNS server?

Security / Re: ISE 2.3 CWA redirection issue
« on: February 01, 2018, 08:36:28 PM »
I just ran into an issue with failed URL redirect on a 3850/9300 switch running 16.3 and 16.6.1. Apparently there is a bug for this (see below). The symptom is very similar to what you described, which is that the switch gets the redirect URL from ISE but the endpoint is not getting there, even though it can get there by copying/pasting the URL into the browser.

What switch model/version are you using? If you are running one of the versions mentioned above, try to upgrade to 16.6.2.

Routing and Switching / Re: interface state on Router
« on: February 01, 2018, 08:30:43 PM »
Glad the issue is resolved.

Security / Re: ISE 2.3 CWA redirection issue
« on: January 29, 2018, 07:07:33 PM »
What do you mean by "register an account from another PC"? When the endpoint hits a MAB auth policy rule, the following should happen:
   1. ISE pushes DACL to switch that only allows traffic to ISE (so guest can see login portal). This overrides the port default ACL
   2. ISE pushes redirect URL to switch
   3. ISE tells switch to enforce redirect ACL that is configured on switch which should only permit www/https

Seems like you have most if not all of these in place.

You mentioned guest got an IP. Guest should only have access to ISE so you shouldn't be able to ping. If you manually copy redirect URL shown on switch to guest browser, do you see login page?

Routing and Switching / Re: interface state on Router
« on: January 28, 2018, 09:22:00 PM »
Start with the physical layer and check the cable. You then want to make sure the line settings and config match on both sides. If the other side is a provider, you will need to work with them to confirm. Other final things you can try are a different E1 port/module or a software upgrade.

Security / Re: BYOD "Access Policy Set"
« on: January 02, 2018, 04:54:56 AM »
There is no patch. Which attribute exactly were you looking for?

Security / Re: ISE 2.2 CWA Redirect Not Working
« on: January 02, 2018, 04:51:14 AM »
It appears the device failed to download DACL from ISE. I don't see CoA config (aaa server radius dynamic-author) on the switch config. Also make sure MAB is listed under auth priority command under interface config.

Routing and Switching / Re: Lost Default Route in Routing Table
« on: January 02, 2018, 04:45:04 AM »
You might want to check the device where the default route was generated. If it was a redistribution, check and see if that device's default route still exists. Trace it to the furthest device where the default route is still there and see if there is any route filter.

Wireless / Re: EAP/TLS User authentication
« on: October 26, 2017, 09:35:06 PM »
That's certainly unusual. How was the cert installed? Was it manually or via GPO? Who issued the cert and, if it was a Windows CA, which template was used?

Security / Re: ISE and Cisco IP phone
« on: October 26, 2017, 09:33:07 PM »
Hi Aris, that's incorrect. For ISE to trust the phone and PC, you need to import the CA cert that signed those devices' certs into the ISE trusted cert store (in your case the self-signed CAPF for the phone and possibly your internal CA for the PC). This has nothing to do with who signed the ISE cert. Then for the phone to trust ISE, you need to import the CA cert that signed the ISE cert into the phone CTL.

Security / Re: ISE 2.3 and Cisco Web Auth not working
« on: September 14, 2017, 08:34:06 PM »
Thanks for sharing your findings. Usually if you see ISE returning the redirect URL to the WLC but the client is not redirected, it's usually a WLC config issue. Adding an anchor WLC certainly makes things a little trickier. SSID config on both the WLC and the anchor should always be identical.

Security / Re: 3850 IPv4 Problem
« on: September 14, 2017, 08:30:47 PM »
You need to be in 3.7.x to see TrustSec related commands.
