Routing and Switching / Re: interface state on Router
« Last post by MC on February 01, 2018, 08:30:43 PM »
Glad the issue is resolved.
Routing and Switching / Re: interface state on Router
« Last post by amsa on February 01, 2018, 06:54:06 AM »
Thanks MC
I did almost all of those steps, but I didn't upgrade the IOS.

Security / SEC0278 - ISE 2.2 BYOD Wireless Onboarding with Dual SSID (Android Issue)
« Last post by tomimma on January 31, 2018, 02:16:19 PM »
Hi,
Great video as always, and labminutes.com is one of my best study materials! I had an issue during the BYOD process of an Android device. During BYOD enrollment, it ends up failing with "Certification Generation failed". This issue can happen if the Android OS is 6 or later. Please refer to the link below about this. [link hidden by forum] Hope this info helps anyone facing this issue.
Security / Re: ISE 2.3 CWA redirection issue
« Last post by MC on January 29, 2018, 07:07:33 PM »
What do you mean by "register an account from another PC"? When the endpoint hits a MAB auth policy rule, the following should happen:
1. ISE pushes a DACL to the switch that only allows traffic to ISE (so the guest can see the login portal). This overrides the port default ACL.
2. ISE pushes the redirect URL to the switch.
3. ISE tells the switch to enforce the redirect ACL that is configured on the switch, which should only permit www/https.
Seems like you have most if not all of these in place. You mentioned the guest got an IP. The guest should only have access to ISE, so you shouldn't be able to ping cisco.com. If you manually copy the redirect URL shown on the switch into the guest browser, do you see the login page?
Routing and Switching / Re: interface state on Router
« Last post by MC on January 28, 2018, 09:22:00 PM »
Start with the physical layer and check the cable. You then want to make sure the line settings and config match on both sides. If the other side is a provider, you will need to work with them to confirm. Other final things you can try are a different E1 port/module, or a software upgrade.
Security / ISE 2.3 CWA redirection issue
« Last post by walwar on January 17, 2018, 03:25:03 AM »
Hello,
I am having the redirection issue. The problem is that the guest PC only works when I copy the redirect URL from the switch port and register as a guest from another PC. Worth mentioning is that the guest PC can ping cisco (both domain and IP) before the guest registration from another PC. Has anyone had this issue?

My goal is to achieve the following:
1. DOT1X for domain computers (which works fine and was pretty easy to set up)
2. MAB for printers, security cams, etc. (it doesn't really matter to me if I use ISE or Active Directory)
3. Wired MAB for guest PCs using CWA. (This didn't work when I used an Active Directory group for wired/wireless_mab, or it might be that my authorization wasn't correctly configured.)

My concerns or questions:
1. How many MAC addresses can ISE handle? (What if I have more than 1500 MAC addresses, can I import all of them into ISE?)

My issue: CWA doesn't work for my guest PC using wired_mab. When I try to go to cisco.com from the guest PC, it can't redirect me to the portal for guest account registration, even though I see that I have obtained an IP. But when I copy the redirect URL from my switchport and register an account from another PC, the guest PC is able to connect to the Internet. I have to mention that the PC is able to ping cisco.com but it can't access cisco.com; I tried FF, Chrome and even IE, but same issue. I even tried the IP but it was the same. I tried debug ip http all but didn't see ANYTHING on the switch.

My aaa config:
aaa authentication dot1x default group ISE_GROUP
aaa authorization network default group ISE_GROUP
aaa authorization auth-proxy default group ISE_GROUP
aaa accounting system default start-stop group ISE_GROUP
aaa accounting dot1x default start-stop group ISE_GROUP
aaa accounting update newinfo periodic 2880
username RADIUS-TEST-USER password 7 REMOVED
!
aaa server radius dynamic-author
 client 172.30.1.181 server-key 7 REMOVED
!
radius server KNETISE2001
 address ipv4 172.30.1.181 auth-port 1812 acct-port 1813
 automate-tester username RADIUS-TEST-USER probe-on
 key 7 REMOVED
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
!
aaa group server radius ISE_GROUP
 server name KNETISE2001
 deadtime 15
!
aaa new-model
aaa session-id common

ACL:
ip access-list extended ACL_DEFAULT (port ACL, but it seems if I apply this on the port nothing works; after I removed it the guest PC was able to connect to the Internet)
 permit udp any any eq domain
 permit udp any eq bootpc any eq bootps
 deny ip any any
ip access-list extended ACL_REDIRECT_ISE_BLACKLISTED_DEVICES (this is not applied anywhere, don't know why this should exist)
 permit tcp any any eq www
 permit tcp any any eq 443
ip access-list extended ACL_WEBAUTH_REDIRECT (used for my CWA in ISE)
 permit tcp any any eq www
 permit tcp any any eq 443

IP http config:
ip http server
ip http secure-server
ip http secure-active-session-modules none
ip http max-connections 48
ip http active-session-modules none

Port config:
interface GigabitEthernet1/0/1
 switchport access vlan 3180
 switchport mode access
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 20
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server dynamic
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast

se-sw01-018#sh authen se int g1/0/2 d
Interface: GigabitEthernet1/0/2
MAC Address: 54e1.ada3.2c1a
IPv6 Address: Unknown
IPv4 Address: 172.30.180.11
User-Name: 54-E1-AD-A3-2C-1A
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Session Uptime: 57s
Common Session ID: AC1E31AA00000014003FF110
Acct Session ID: 0x00000009
Handle: 0x7E000007
Current Policy: POLICY_Gi1/0/2
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies:
URL Redirect: [link hidden by forum]
URL Redirect ACL: ACL_WEBAUTH_REDIRECT
ACS ACL: xACSACLx-IP-SVKY_PREAUTH-5a5f0057
Method status list:
Method State
dot1x Stopped
mab Authc Success

This is after I copied the redirect URL and registered from another PC:
se-sw01-018#sh authen se int g1/0/2 d
Interface: GigabitEthernet1/0/2
MAC Address: 54e1.ada3.2c1a
IPv6 Address: Unknown
IPv4 Address: 172.30.180.11
User-Name: llk2
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Session Uptime: 1802s
Common Session ID: AC1E31AA00000014003FF110
Acct Session ID: 0x0000000B
Handle: 0x7E000007
Current Policy: POLICY_Gi1/0/2
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies:
Vlan Group: Vlan: 3180
Method status list:
Method State
dot1x Stopped
mab Authc Success

I have checked dACL and CWA in the central_webauth profile and VLAN in the surf_vlan profile. My dACL is at the moment permit ip any any. All input is welcome, and thank you in advance for stopping by. Here are the authentication and authorization policies and profiles. [links hidden by forum]
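As an added example (not code from this thread, from Cisco or from labminutes), here is a small Python checker that parses the `show authentication sessions interface ... details` output quoted in walwar's post and tests it against the three things MC's reply says ISE must return for a MAB hit on a CWA rule: a dACL (shown as ACS ACL), the portal URL (URL Redirect) and the redirect ACL name (URL Redirect ACL). The three sample outputs are constructed from the post; the redirect URL is a placeholder with an assumed hostname because the forum hid the real link, and the third sample is a made-up "MAB passed, nothing pushed" session to show what a non-matching authorization rule looks like.

```python
import re
from typing import Dict, List

# Constructed sample, adapted from the session output in the post above.
# The URL Redirect value is a placeholder (assumed hostname); ISE embeds the
# Common Session ID as sessionId in the real portal URL.
SESSION_BEFORE_LOGIN = """\
Interface: GigabitEthernet1/0/2
MAC Address: 54e1.ada3.2c1a
IPv4 Address: 172.30.180.11
User-Name: 54-E1-AD-A3-2C-1A
Status: Authorized
Domain: DATA
Common Session ID: AC1E31AA00000014003FF110
Server Policies:
URL Redirect: https://ise.example.invalid:8443/portal/gateway?sessionId=AC1E31AA00000014003FF110&portal=PLACEHOLDER&action=cwa
URL Redirect ACL: ACL_WEBAUTH_REDIRECT
ACS ACL: xACSACLx-IP-SVKY_PREAUTH-5a5f0057
Method status list:
Method State
dot1x Stopped
mab Authc Success
"""

# Constructed: the same session after the guest logged in and ISE sent a CoA reauth.
SESSION_AFTER_LOGIN = """\
Interface: GigabitEthernet1/0/2
MAC Address: 54e1.ada3.2c1a
User-Name: llk2
Status: Authorized
Common Session ID: AC1E31AA00000014003FF110
Server Policies:
Vlan Group: Vlan: 3180
Method status list:
Method State
dot1x Stopped
mab Authc Success
"""

# Constructed failure case: MAB passed but ISE returned neither a redirect nor a dACL,
# which is what a session looks like when the CWA authorization rule did not match.
SESSION_MAB_ONLY = """\
Interface: GigabitEthernet1/0/2
User-Name: 54-E1-AD-A3-2C-1A
Status: Authorized
Common Session ID: AC1E31AA00000014003FF110
Server Policies:
Method status list:
Method State
dot1x Stopped
mab Authc Success
"""

# A User-Name that is just the MAC means the session is still on its MAB identity.
MAC_IDENTITY = re.compile(
    r"^(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}$|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$", re.I
)


def parse_session(text: str) -> Dict[str, Dict[str, str]]:
    """Split the session detail output into attribute -> value and method -> state maps."""
    fields: Dict[str, str] = {}
    methods: Dict[str, str] = {}
    in_methods = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_methods:
            if line.lower().startswith("method"):  # the "Method  State" header row
                continue
            name, _, state = line.partition(" ")
            methods[name.lower()] = state.strip()
            continue
        if line.lower().startswith("method status list"):
            in_methods = True
            continue
        key, sep, value = line.partition(":")  # first colon only: URLs keep theirs
        if sep:
            fields[key.strip()] = value.strip()
    return {"fields": fields, "methods": methods}


def assess_cwa(session: Dict[str, Dict[str, str]]) -> Dict[str, object]:
    """Classify the session phase and list anything missing from the expected CWA state."""
    f, m = session["fields"], session["methods"]
    findings: List[str] = []
    if not m.get("mab", "").lower().startswith("authc success"):
        findings.append("MAB has not succeeded, so no authorization profile was applied")
    url = f.get("URL Redirect", "")
    redirect_acl = f.get("URL Redirect ACL", "")
    dacl = f.get("ACS ACL", "")
    session_id = f.get("Common Session ID", "")
    if url:
        phase = "cwa_pending"  # waiting for the guest to log in at the portal
        if not redirect_acl:
            findings.append("URL Redirect without URL Redirect ACL: switch has nothing to match web traffic against")
        if not dacl:
            findings.append("no ACS ACL: dACL not downloaded, so the static port ACL decides what the guest reaches")
        if session_id and session_id not in url:
            findings.append("redirect URL does not carry this session's Common Session ID")
    elif MAC_IDENTITY.match(f.get("User-Name", "")):
        phase = "mab_only"  # authorized on the MAC alone, no redirect was ever pushed
        findings.append("MAB identity authorized but no URL Redirect: the CWA authorization rule did not match")
    else:
        phase = "post_cwa"  # guest identity present, CoA reauth applied the final profile
        if not f.get("Vlan Group") and not dacl:
            findings.append("post-login session has neither a VLAN nor a dACL")
    return {"phase": phase, "findings": findings}


if __name__ == "__main__":
    for label, text in [("before", SESSION_BEFORE_LOGIN), ("after", SESSION_AFTER_LOGIN), ("mab-only", SESSION_MAB_ONLY)]:
        print(label, assess_cwa(parse_session(text)))
```

Run against walwar's two captures, the first classifies as `cwa_pending` with nothing missing and the second as `post_cwa` with a VLAN applied, which is consistent with MC's reading that the switch side is in place and the question is why the redirect does not reach the browser; the made-up third sample is the shape to watch for when the ISE authorization rule itself is the problem.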
Routing and Switching / interface state on Router
« Last post by amsa on January 16, 2018, 02:02:48 PM »
Hello all,
What is the reason for the interface state changes? And sometimes the router hangs and disconnects from the E1 sites, then I must reload the router.
*Jan 11 08:28:26.815: %CONTROLLER-5-UPDOWN: Controller E1 4/0/1, changed state to down (LOS detected)
*Jan 11 08:28:28.815: %LINK-3-UPDOWN: Interface Serial4/0/1:0, changed state to down
*Jan 11 08:28:29.815: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial4/0/1:0, changed state to down
*Jan 11 08:39:22.815: %CONTROLLER-5-UPDOWN: Controller E1 4/0/1, changed state to up
*Jan 11 08:39:24.815: %LINK-3-UPDOWN: Interface Serial4/0/1:0, changed state to up
*Jan 11 08:39:25.815: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial4/0/1:0, changed state to up
*Jan 11 08:39:33.815: %CONTROLLER-5-UPDOWN: Controller E1 4/0/1, changed state to down (RAI detected)
*Jan 11 08:39:34.815: %CONTROLLER-5-UPDOWN: Controller E1 4/0/1, changed state to up
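As an added example (not code from this thread or from Cisco), here is a short Python script that parses the `%CONTROLLER-5-UPDOWN` syslog lines amsa posted, pairs each controller down with the next up, and reports the alarm that caused each outage and how long it lasted. The log is embedded as a constructed sample copied from the post; the alarm meanings are the standard E1 ones and are what point the troubleshooting at the cable and the far end, as MC's reply suggests.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample: the syslog lines from the post above, one per line.
CONTROLLER_LOG = """\
*Jan 11 08:28:26.815: %CONTROLLER-5-UPDOWN: Controller E1 4/0/1, changed state to down (LOS detected)
*Jan 11 08:28:28.815: %LINK-3-UPDOWN: Interface Serial4/0/1:0, changed state to down
*Jan 11 08:28:29.815: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial4/0/1:0, changed state to down
*Jan 11 08:39:22.815: %CONTROLLER-5-UPDOWN: Controller E1 4/0/1, changed state to up
*Jan 11 08:39:24.815: %LINK-3-UPDOWN: Interface Serial4/0/1:0, changed state to up
*Jan 11 08:39:25.815: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial4/0/1:0, changed state to up
*Jan 11 08:39:33.815: %CONTROLLER-5-UPDOWN: Controller E1 4/0/1, changed state to down (RAI detected)
*Jan 11 08:39:34.815: %CONTROLLER-5-UPDOWN: Controller E1 4/0/1, changed state to up
"""

# Only the controller messages carry the alarm reason; %LINK and %LINEPROTO follow from them.
CONTROLLER_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%CONTROLLER-5-UPDOWN: Controller (?P<ctl>\S+ \S+), changed state to (?P<state>up|down)"
    r"(?: \((?P<reason>\w+) detected\))?\s*$"
)

# Standard E1 alarm semantics: which side of the circuit each one implicates.
ALARM_MEANING = {
    "LOS": "loss of signal on our receive pair: cable, patch panel or far-end transmitter",
    "RAI": "remote alarm indication: the far end reports it is not receiving a good signal from us",
    "AIS": "alarm indication signal: an upstream device is sending all-ones, circuit down in the carrier",
}


def parse_controller_events(text: str) -> List[Dict[str, object]]:
    """Extract timestamped controller up/down events with their alarm reason, if any."""
    events: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = CONTROLLER_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f")  # year-less IOS stamp
        events.append({"ts": ts, "controller": m.group("ctl"),
                       "state": m.group("state"), "reason": m.group("reason")})
    return events


def summarize_outages(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Pair each controller 'down' with the next 'up' for the same controller."""
    open_down: Dict[str, Dict[str, object]] = {}
    outages: List[Dict[str, object]] = []
    for ev in events:
        ctl = str(ev["controller"])
        if ev["state"] == "down":
            open_down[ctl] = ev
        elif ctl in open_down:
            down = open_down.pop(ctl)
            reason = str(down["reason"] or "unknown")
            outages.append({
                "controller": ctl,
                "reason": reason,
                "meaning": ALARM_MEANING.get(reason, "not a documented alarm"),
                "down_at": down["ts"].strftime("%b %d %H:%M:%S"),
                "seconds": (ev["ts"] - down["ts"]).total_seconds(),
            })
    return outages


def reason_counts(outages: List[Dict[str, object]]) -> Dict[str, int]:
    """How often each alarm caused an outage; a dominant LOS or RAI points at one side of the link."""
    counts: Dict[str, int] = {}
    for o in outages:
        counts[str(o["reason"])] = counts.get(str(o["reason"]), 0) + 1
    return counts


if __name__ == "__main__":
    found = summarize_outages(parse_controller_events(CONTROLLER_LOG))
    for o in found:
        print(f"{o['controller']} down {o['seconds']:.0f}s at {o['down_at']}: {o['reason']} ({o['meaning']})")
    print(reason_counts(found))
```

On the posted lines this yields one LOS outage of 656 seconds followed by a one-second RAI blip nine seconds after recovery: LOS says the router's own receive pair saw nothing, RAI says the far end then briefly reported not hearing the router, which together is the physical-layer pattern that makes checking the cable and the provider side the right first step.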
Security / Firepower with PBR
« Last post by Jeferson Figueroa Salcedo on January 12, 2018, 07:20:49 AM »
Good morning
I would like to know if I can configure Policy-Based Routing (PBR) on a Firepower 2140 in failover (active/standby or active/active). I would like to force the wireless traffic to the Internet through one of our ISPs and the LAN traffic through the other ISP.
Security / Re: BYOD "Access Policy Set"
« Last post by MC on January 02, 2018, 04:54:56 AM »
There is no patch. Which attribute exactly were you looking for?
Security / Re: ISE 2.2 CWA Redirect Not Working
« Last post by MC on January 02, 2018, 04:51:14 AM »
It appears the device failed to download the DACL from ISE. I don't see CoA config (aaa server radius dynamic-author) in the switch config. Also make sure MAB is listed under the auth priority command in the interface config.