Messages - MC

Security / Re: BYOD "Access Policy Set"
« on: January 02, 2018, 04:54:56 AM »
There is no patch. Which attribute exactly were you looking for?

Security / Re: ISE 2.2 CWA Redirect Not Working
« on: January 02, 2018, 04:51:14 AM »
It appears the device failed to download DACL from ISE. I don't see CoA config (aaa server radius dynamic-author) on the switch config. Also make sure MAB is listed under auth priority command under interface config.

Routing and Switching / Re: Lost Default Route in Routing Table
« on: January 02, 2018, 04:45:04 AM »
You might want to check the device where the default route was generated. If it was a redistribution, check and see if that device's default route still exists. Trace it to the furthest device where the default route is still there and see if there is any route filter.

Wireless / Re: EAP/TLS User authentication
« on: October 26, 2017, 09:35:06 PM »
That's certainly unusual. How was cert installed? Was it manually or via GPO? Who issued the cert and if it was Windows CA, which template was used?

Security / Re: ISE and Cisco IP phone
« on: October 26, 2017, 09:33:07 PM »
Hi Aris, That's incorrect. For ISE to trust Phone and PC, you need to import the CA cert that signed those devices' certs into the ISE trusted cert store (in your case the self-signed CAPF for the phone and possibly your internal CA for the PC). This has nothing to do with who signed the ISE cert. Then for the phone to trust ISE, you need to import the CA cert that signed ISE into the phone CTL.

Security / Re: ISE 2.3 and Cisco Web Auth not working
« on: September 14, 2017, 08:34:06 PM »
Thanks for sharing your findings. Usually if you see ISE returning redirect URL to WLC but client is not redirected, it's usually a WLC config issue. Adding an anchor WLC certainly makes things a little trickier. SSID config on both WLC and anchor should always be identical.

Security / Re: 3850 IPv4 Problem
« on: September 14, 2017, 08:30:47 PM »
You need to be in 3.7.x to see TrustSec related commands.

Security / Re: 3850 IPv4 Problem
« on: August 28, 2017, 10:16:23 PM »
Quote:
Hi MC,

Another question: I cannot configure the cts dot1x command on the interface. How can I enable cts dot1x on the 3850, or is there another way to activate cts dot1x?

What version of switch, code and license do you have? Can you provide 'show ver'?

Security / Re: 3850 IPv4 Problem
« on: August 28, 2017, 10:12:32 PM »
Quote:
Hi MC,

I cannot configure the command "ip device-tracking" on the 3850 :(
Is there any other command on the 3850 for device tracking?

Yeah.. On 3850, device tracking is configured differently. It's in the form of a policy.

Security / Re: 3850 IPv4 Problem
« on: August 26, 2017, 10:49:36 AM »
Do you have device tracking configured?

Security / Re: Lab minutes ISE 2.2 videos
« on: July 31, 2017, 09:53:07 PM »
I can't see why you would not be able to use TACACS for wired/wireless/VPN although it is not common so I have never tested them. Most people would be ok with RADIUS. But if your compliance calls for TACACS, I suggest you test them in a lab. Most config should be similar to RADIUS, with the differences being using a TACACS server instead of RADIUS on the network device config and using a TACACS policy-set on ISE. MAC OSX should support PEAP with MSCHAPv2 for .1x but not VPN. Lab Minutes only has a video on TACACS for device admin as part of the ISE 2.0 video series. I don't recall seeing any Cisco doc on using TACACS with .1x either. Good luck and let us know how it goes.

Security / Re: ISE for University
« on: July 17, 2017, 06:59:23 PM »
Hi Maiquel, It depends on what you want the user experience to be like. Some may not want to deal with supporting BYOD devices and just provide Guest type of access. Some may prefer to have WPA2 encryption but don't want to deal with BYOD so just have the SSID set to basic 802.1x. I personally think BYOD might cause too much support overhead so .1x alone should be good enough.

I assume you already have realm configured and Domain User groups for that user downloaded, correct?

Security / Re: New PSN spun up to drop guest wirless in DMZ
« on: June 15, 2017, 11:16:03 PM »
Great.. Simple enough.. Glad it worked out and thanks for the update. ;)

Hi John, Is your only problem not seeing the connection log for the user while access control is being enforced correctly, or is the user connection not even matching your access control rules? I assume your other users work just fine matching the same rule this user is supposed to match?
