collapse

Search


User Info

 
 
Welcome, Guest. Please login or register.
Did you miss your activation email?

Recent Posts

Pages: 1 ... 8 9 [10]
91
Routing and Switching / Re: interface state on Router
« Last post by MC on February 01, 2018, 08:30:43 PM »
Glad the issue is resolved.
92
Routing and Switching / Re: interface state on Router
« Last post by amsa on February 01, 2018, 06:54:06 AM »
Thanks MC

almost I did it that steps but I didn't upgrade IOS
93
Security / SEC0278 - ISE 2.2 BYOD Wireless Onboarding with Dual SSID (Android Issue)
« Last post by tomimma on January 31, 2018, 02:16:19 PM »
Hi,

Great video as always and one of my best study material is labminutes.com!

I had a issue during BYOD process of an Android device.
During BYOD enrollment, it ends up (failed) with "Certification Generation failed".
This issue could happen if Android OS is 6 or later.
Please refer to the below link of this.

You are not allowed to view links. Register or Login

Hope this info helps if anyone facing this issue.  ;)

94
Security / Re: ISE 2.3 CWA redirection issue
« Last post by MC on January 29, 2018, 07:07:33 PM »
What do you mean by "register an account from another PC "? When the endpoint hits a MAB auth policy rule, the following1 should happen
   1. ISE pushes DACL to switch that only allows traffic to ISE (so guest can see login portal). This overrides the port default ACL
   2. ISE pushes redirect URL to switch
   3. ISE tells switch to enforce redirect ACL that is configured on switch which should only permit www/https
   Seems like you have most if not all of these in place.
   You mentioned guest got an IP. Guest should only have access to ISE so you shouldn't be able to ping cisco.com.  If you manually copy redirect URL shown on switch to guest browser, do you see login page?
95
Routing and Switching / Re: interface state on Router
« Last post by MC on January 28, 2018, 09:22:00 PM »
Start with physical layer and check cable. You then want to make sure the line settings and config match on both sides. If the other side is a provider, you will need to work with them to confirm. Other final things you can try is trying different E1 port/module, or software upgrade.
96
Security / ISE 2.3 CWA redirection issue
« Last post by walwar on January 17, 2018, 03:25:03 AM »
Hello,

I am having the redirection issue. The problem is that when I copy the URL redirect from the switch port and register as a guest from another PC the guest PC only then works. Worth to mention is that the guest PC can ping cisco (both domain and IP) before the guest registration from another PC. Anyone had/have this issue?

My goal is to achieve the following:
1. DOT1X for domain computers (which works fine and was pretty easy to setup)
2. MAB for printers, security cams, etc (doen't really matter if I use ISE or active directory for me)
3. Wire MAB for guest PC using CWA. (now this didn't work when I used active directory group for wired/wireless_mab or it might be that my authorization wasn't correctly configured)

My concerns or questions:
1. How many MAC addresses can ISE handle? (what if I have more than 1500 MAC addresses, can I import all into ISE)

My issue:
CWA doens't work for my guest PC using wired_mab. When I try to go to cisco.com from the guest PC it can't redirect me to the portal to guest account registration. Event hough I see that I have obtained an IP, but when I copy the redirect url from my switchport and and register an account from another PC the guest PC is able to connect to the Internet. Now I have to mention that the PC is able to ping cisco.com but it can't access cisco.com, I tried FF, Chrome and even IE, but same issue I even tried IP but it was the same.

I tried to debug ip http all but didn't see ANYTHING in the switch.

My aaa config:
aaa authentication dot1x default group ISE_GROUP
aaa authorization network default group ISE_GROUP
aaa authorization auth-proxy default group ISE_GROUP
aaa accounting system default start-stop group ISE_GROUP
aaa accounting dot1x default start-stop group ISE_GROUP
aaa accounting update newinfo periodic 2880
username RADIUS-TEST-USER password 7 REMOVED
!
aaa server radius dynamic-author
client 172.30.1.181
server-key 7 REMOVED
!
radius server KNETISE2001
address ipv4 172.30.1.181 auth-port 1812 acct-port 1813
automate-tester username RADIUS-TEST-USER probe-on
key 7 REMOVED
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
!
aaa group server radius ISE_GROUP
server name KNETISE2001
deadtime 15
!
aaa new-model
aaa session-id common

ACL:
ip access-list extended ACL_DEFAULT (port ACL,but it seems if I apply this on the port nothing works, after I removed it the guest PC was able to connect to the Internet)
permit udp any any eq domain
permit udp any eq bootpc any eq bootps
deny   ip any any

ip access-list extended ACL_REDIRECT_ISE_BLACKLISTED_DEVICES (this is not applied anywhere, don't know what this should exist)
permit tcp any any eq www
permit tcp any any eq 443

ip access-list extended ACL_WEBAUTH_REDIRECT (used for my CWA in ISE)
permit tcp any any eq www
permit tcp any any eq 443

IP http config:
ip http server
ip http secure-server
ip http secure-active-session-modules none
ip http max-connections 48
ip http active-session-modules none
 
Port config:
interface GigabitEthernet1/0/1
switchport access vlan 3180
switchport mode access
authentication event fail action next-method
authentication event server dead action reinitialize vlan 20
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast


se-sw01-018#sh authen se int g1/0/2 d

            Interface:  GigabitEthernet1/0/2

          MAC Address:  54e1.ada3.2c1a

         IPv6 Address:  Unknown

         IPv4 Address:  172.30.180.11

            User-Name:  54-E1-AD-A3-2C-1A

               Status:  Authorized

               Domain:  DATA

       Oper host mode:  multi-domain

     Oper control dir:  both

      Session timeout:  N/A

      Restart timeout:  N/A

       Session Uptime:  57s

    Common Session ID:  AC1E31AA00000014003FF110

      Acct Session ID:  0x00000009

               Handle:  0x7E000007

       Current Policy:  POLICY_Gi1/0/2

 

Local Policies:

        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

 

Server Policies:

         URL Redirect:  You are not allowed to view links. Register or Login

     URL Redirect ACL:  ACL_WEBAUTH_REDIRECT

              ACS ACL:  xACSACLx-IP-SVKY_PREAUTH-5a5f0057

 

Method status list:

       Method           State

 

       dot1x            Stopped

       mab              Authc Success

 

This is after I copied the redirect url and registered from another PC:

se-sw01-018#sh authen se int g1/0/2 d

            Interface:  GigabitEthernet1/0/2

          MAC Address:  54e1.ada3.2c1a

         IPv6 Address:  Unknown

         IPv4 Address:  172.30.180.11

            User-Name:  llk2

               Status:  Authorized

               Domain:  DATA

       Oper host mode:  multi-domain

     Oper control dir:  both

      Session timeout:  N/A

      Restart timeout:  N/A

       Session Uptime:  1802s

    Common Session ID:  AC1E31AA00000014003FF110

      Acct Session ID:  0x0000000B

               Handle:  0x7E000007

       Current Policy:  POLICY_Gi1/0/2

 

Local Policies:

        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

 

Server Policies:

           Vlan Group:  Vlan: 3180

 

Method status list:

       Method           State

 

       dot1x            Stopped

       mab              Authc Success

I have checked dACL and CWA in the central_webauth profile and VLAN in surf_vlan profile
My dACL is at the moment permit ip any any.

All inputs are welcome and thank you in advanced for stepping by.

Here are the authentication, authorization policy and profile.
You are not allowed to view links. Register or Login
97
Routing and Switching / interface state on Router
« Last post by amsa on January 16, 2018, 02:02:48 PM »
Hello all,

What is the reason for change interface state?
And sometimes the router hanging and disconnect with E1 sites, then I must do reload the Router.

*Jan 11 08:28:26.815: %CONTROLLER-5-UPDOWN: Controller E1 4/0/1, changed state to down (LOS detected)

*Jan 11 08:28:28.815: %LINK-3-UPDOWN: Interface Serial4/0/1:0, changed state to down

*Jan 11 08:28:29.815: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial4/0/1:0, changed state to down

*Jan 11 08:39:22.815: %CONTROLLER-5-UPDOWN: Controller E1 4/0/1, changed state to up

*Jan 11 08:39:24.815: %LINK-3-UPDOWN: Interface Serial4/0/1:0, changed state to up

*Jan 11 08:39:25.815: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial4/0/1:0, changed state to up

*Jan 11 08:39:33.815: %CONTROLLER-5-UPDOWN: Controller E1 4/0/1, changed state to down (RAI detected)

*Jan 11 08:39:34.815: %CONTROLLER-5-UPDOWN: Controller E1 4/0/1, changed state to up
98
Security / Firepower with PBR
« Last post by Jeferson Figueroa Salcedo on January 12, 2018, 07:20:49 AM »
Good morning

I woul like to know if I can configure in a Firepower 2140 in Failover (active/standby or active/active) Policy-Based Routing (PBR). I would like to force the wireless traffic through internet using one of our ISP and the LAN traffic through the other ISP.

99
Security / Re: BYOD "Access Policy Set"
« Last post by MC on January 02, 2018, 04:54:56 AM »
There is no patch. Which attribute exactly were you looking for?
100
Security / Re: ISE 2.2 CWA Redirect Not Working
« Last post by MC on January 02, 2018, 04:51:14 AM »
It appears the device failed to download DACL from ISE. I don't see CoA config (aaa server radius dynamic-author) on the switch config. Also make sure MAB is listed under auth priority command under interface config.
Pages: 1 ... 8 9 [10]
SimplePortal 2.3.7 © 2008-2024, SimplePortal