collapse

Promotion

Search


User Info

 
 
Welcome, Guest. Please login or register.
Did you miss your activation email?

Recent Posts

Pages: [1] 2 3 ... 10
1
Wireless / Re: EAP/TLS User authentication
« Last post by MC on October 26, 2017, 09:35:06 PM »
That's certainly unusual. How was cert installed? Was it manually or via GPO? Who issued the cert and if it was Windows CA, which template was used?
2
Security / Re: ISE and Cisco IP phone
« Last post by MC on October 26, 2017, 09:33:07 PM »
Hi Aris, That's incorrect. For ISE to trust Phone and PC, you need to import CA cert that sign those devices cert into ISE trusted cert store (in your case the self-sign CAPF for phone and possibly your internal CA for PC). This has nothing to do with who sign ISE cert. Then for the phone to trust ISE, you need to import CA cert that sign ISE into phone CTL.
3
Security / ISE and Cisco IP phone
« Last post by aris on October 26, 2017, 02:12:31 AM »
Hello,

We would like to authenticate Cisco IP Phones with ISE with the use of certificates. From the IP Telephony for 802.1X Design Guide states that you can use X.509 certificates for phone authentication and that they can be validated by the ACS in a single authorization rule without the need to configure and maintain a database of phone usernames and/or passwords, so I guess this is true of ISE.

It also states that in an 802.1X authentication, the AAA server is responsible for validating the certificate provided by the phone. To do this, the AAA server must have a copy of the root CA certificate that signed the certificate of the phone. The root certificates for both LSCs and MICs can be exported from the Unified CM Operating System Administration interface and imported into your AAA server.

Now the question is that we want to use a self-signed CAPF of the CUCM to sign the LSCs, so we need to export that and import it in ISE, but under system certificates in ISE in Used by we can only have one certificate selected.

So if my understanding is correct, we can not have a CA to issue PC certificates and a self-signed CAPF for the phones and both be active on ISE, right?

Thank you,

Aris.
4
Wireless / EAP/TLS User authentication
« Last post by bhatsy on October 18, 2017, 01:36:49 PM »
Hey Guys,

I am running into an issue with User authentication with Certs on WIFi. When i try connecting to wlan using User authentication windows doesnt seem to find the user certificate. Machine Certificate works just fine. When i do MMC and look at the personal directory in users i see the certificate issued to my username just fine.  Would there be a reason why Windows is not using the user cert in local store? See the attachment
5
Wireless / Re: wireless multi tenant (On behalf of Abraham D.)
« Last post by Administrator on September 18, 2017, 08:52:26 PM »
We do not specifically have a video on mentioned scenario.  However, you should be able to achieve it doing the following.
1. Create SSID per tenant
2. Point SSID to either same or different ISE RADIUS server
3. In case of same ISE server, you can identity connection based on SSID and make it authenticate against various AD join point
4. Once traffic tunneled to WLC, you can drop them into an intermediate switch and sort them into different tenant network.

Please keep in mind that WLC does not support multi-tenant management
6
Wireless / wireless multi tenant (On behalf of Abraham D.)
« Last post by Administrator on September 18, 2017, 08:48:14 PM »
hello i would like to know if you have a cisco series on wireless multi tenant design? where you have a multi dept business with some areas having shared space that requires separate SSID along with controllers and AD. would ISE be able to do this type of control? user data traffic needs to stay separate from AP to the end users own network. but AP would be broadcasting multi SSID. thank you
7
Firepower can operate without FMC so FMC can fail and FP will continue to operate. You always upgrade FMC first then follow by the sensors. FYI.. FMC take around 1-2hr to upgrade.
8
what is the impact to live network if firesight (Defense Center) got fail at the time when we upgrade it ?

kindly share the details about the risk of upgrading the Defense center(source fight) & sensors(SFR) parallel .
9
Security / Re: ISE 2.3 and Cisco Web Auth not working
« Last post by MC on September 14, 2017, 08:34:06 PM »
Thanks for sharing your findings. Usually if you see ISE returning redirect URL to WLC but client is not redirected, it's usually WLC config issue. Adding anchor WLC certainly make things a little trickier. SSID config on both WLC and anchor should always be identical.
10
Security / Re: 3850 IPv4 Problem
« Last post by MC on September 14, 2017, 08:30:47 PM »
You need to be in 3.7.x to see TrustSec related commands.
Pages: [1] 2 3 ... 10
SimplePortal 2.3.5 © 2008-2012, SimplePortal