ACS rules based on wireless SSID?

As part of our BYOD policy, mobile phones are supposed to use only certificates for authentication, but they can use MSCHAP with cached credentials to authenticate without a certificate. I think I can fix this in ACS by creating a rule that ALLOWS access if the user is using an X.509 cert and a rule that DENIES access to mobiles when MSCHAP is used.

I think it depends on ACS being able to see users for a particular SSID, however. This is because we do not have another secure SSID, and if I implement the above rules it would affect all wireless users looking to authenticate.

Does anyone know how to create ACS 5.2 policies that differentiate authentication by SSID?

Josh,

You can add a compound condition using the Called-Station-Id RADIUS attribute: use the operator "ends with" and then type in the SSID (case-sensitive), and combine that with the X.509 authentication method.

Thank you

Tarik Admani
* Please rate useful posts. *

Tags: Cisco Security

Similar Questions

  • Remove the old/renamed wireless SSID

    Hi, I renamed my wireless SSID (on my router) but my Windows 8 computers keep showing both the new and the former SSID (which causes the WiFi connection to periodically drop back to 'limited' / no Internet connection). (One is an Acer Aspire V5-571P with preinstalled Win8; the other is a Dell Inspiron 6400 upgraded from XP, not a native Win8 machine, and of course it is the one that drops to limited connectivity.)

    My Windows 7 and Linux computers only see the new SSID (and I have not observed the WiFi turning to 'limited').
    Is there any solution for this? The best I can see right now is a little drastic: reinstall the OS from scratch. I could also reset the router to factory state and start again, but I suspect that would just add a third SSID on the Windows 8 machines and make things worse.

    Re the WiFi connection periodically dropping to limited, the really annoying thing: is there a known independent issue around this, or is it likely that the two problems are related? (I've seen a few reports of this issue on other forums of WiFi trouble with similar Acer models.)

    Thanks for any help.

    Hello

    Thank you for the update.

    I suggest you upgrade the firmware on the router and check.

    If the problem persists, then I suggest you remove the network profile from the registry and check. Navigate to the following location in the registry to do so.

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

    Note: this section, method, or task contains steps that tell you how to modify the registry. However, serious problems can occur if you modify the registry incorrectly. Therefore, make sure that you proceed with caution. For added protection, back up the registry before you edit it. Then you can restore the registry if a problem occurs. Follow these steps to back up the registry.

    a. Go to Start and type regedit.

    b. Select regedit and then right-click on it.

    c. Click Run as administrator.

    d. Find and click the key or subkey that you want to back up.

    e. Click the File menu and then click Export.

    f. In the Save in box, select the location where you want to save the backup copy to, and then type a name for the backup file in the File name box.

    g. Click Save.

    Let us know the results.

  • How to use ACS to support wireless users and VPN users?

    I'm new to ACS and need to configure the following requirement:

    (1) ACS authenticates wireless users against Windows AD.

    (2) Once connected successfully to the wireless, the user must use VPN for remote access through the ASA.

    (3) The end user will have only one common username but different passwords.

    for example:

    username: cisco, password: cisco for wireless.

    username: cisco, password: 1234 for VPN.

    Can ACS support this? If yes, how can we do it? Do I need 2 sets of ACS?

    Yes, ACS should work properly for your need.

    In ACS we have a feature called NAP, "network access profile", where we can define conditions based on source IP or attributes, which lets us say that if the request comes from a wireless device ACS will forward it to AD, and if the request comes from the VPN ACS will forward it to a different database.

    Basically, we need to use two ACS databases.

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NAPs.html

    Kind regards

    ~ JG

    Please rate useful posts

  • ACS 5.3 cannot work with two service selection policy rules

    Hello my name is Ivan

    I have a question about ACS v5.3 appliance.

    I have an ACS v5.3 to authenticate wireless users, as well as a Cisco WLC. One profile is for business users and the second profile is for guests.

    Business users must authenticate with Active Directory and guests with the WLC. Guest users authenticate with the local database of ACS.

    I have set up two service selection policy rules that match the RADIUS protocol. The first rule is for Active Directory users and the second is for users in the local database of ACS.

    When I try to authenticate users with Active Directory it is OK, but when trying to authenticate users with the local database (guest portal) ACS tries to find the internal user in Active Directory, because the request matches the first rule, and the second profile cannot authenticate.

    When I change the order, first the rule for internal users and second the rule for Active Directory users, internal users can authenticate in ACS, but Active Directory users cannot authenticate.

    I think that my ACS authenticates only with the first RADIUS rule, to Active Directory, not with two RADIUS rules at the same time. Or maybe there is a problem in the OS of the ACS.

    Authentication separately is OK.

    Could you please help me to resolve this problem?

    I enclose my two rules

    Regards

    Hello Ivan,

    To solve your problem, you must configure your ACS so that the first service selection policy (Active Directory) matches only company users and the other service selection policy (internal users) does not match them.

    The second service selection policy must be only for guest users.

    If you use Cisco WLCs, it will be easier for you.

    Why?

    Because you can use the 'End Station Filter' to match the SSID more easily.

    In the service selection policy, you build your rule on the End Station Filter (add it via the Customize button).

    Now, you must create two end station filters: one matches the guest SSID and one matches the company SSID. (I will tell you how to create them later.)

    After you create the end station filters and match the service selection policy on the End Station Filter, you have one service selection policy that matches only the corporate SSID and another SSP that matches the guest SSID.

    Now you can select different identity sources for the two SSPs.

    Now for the end station filter:

    The end station filter is used (in our case) to distinguish the SSID.
    If I want to separate requests from different SSIDs, I use the end station filter to match which SSID is used.
    To create an end station filter for your SSID, follow the following image:

    In point number 4, write an asterisk (*) mark followed by your SSID (case-sensitive), without spaces. Be sure to avoid spaces before or after.

    (I assume you are using a Cisco WLC. If not, the idea cannot be applied the way I described above.)

    So far, we're OK, except for one point. By default the guest SSID is not sent by the Cisco WLC to the RADIUS server when the client tries to connect to it, while the 802.1X SSID is.

    To tell the WLC to send the guest SSID, you must add this command on the WLC:

    config radius callStationIdType ap-macaddr-ssid

    I hope I described it correctly. Let me know if you got it or if you need more explanation.

    Greetings,

    Amjad

    Rating useful answers is more useful than saying "thank you".
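    The Called-Station-Id matching that both Tarik's answer (allow X.509, deny MSCHAP on the BYOD SSID) and Amjad's end-station-filter explanation rely on, as an added Python example that is not code from this thread or from Cisco. It assumes the "<AP-MAC>:<SSID>" value a WLC sends once callStationIdType is set to ap-macaddr-ssid; the SSID names, identity-store names and the Request class are constructed.

```python
"""Model of how ACS-style rules match the RADIUS Called-Station-Id attribute.

Constructed example, not Cisco ACS or WLC code. It assumes the Cisco WLC
format "<AP-MAC>:<SSID>" sent after 'config radius callStationIdType
ap-macaddr-ssid'; by default only the AP MAC is sent, so SSID rules never match.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Request:
    called_station_id: str   # value of the RADIUS Called-Station-Id attribute
    eap_method: str          # "EAP-TLS" (X.509 cert) or "PEAP(EAP-MSCHAPv2)"


def ssid_of(called_station_id: str) -> Optional[str]:
    """Return the SSID part of '<AP-MAC>:<SSID>', or None if only the MAC was sent."""
    _mac, sep, ssid = called_station_id.partition(":")
    return ssid if sep and ssid else None


def ends_with(called_station_id: str, ssid: str) -> bool:
    """The ACS compound condition 'Called-Station-ID ends with <SSID>'.

    It is a plain, case-sensitive suffix test, so 'Corp' would also match an
    SSID named 'NotCorp'; ssid_of() plus an equality test avoids that.
    """
    return called_station_id.endswith(ssid)


# Service selection rules (Ivan's thread): ordered, first match wins, and each
# rule picks the identity store. SSID and store names are constructed.
SERVICE_SELECTION = [
    ("Corp-AD", "CorpWLAN", "AD1"),
    ("Guest-Internal", "GuestWLAN", "Internal Users"),
]


def select_service(req: Request) -> Optional[Tuple[str, str]]:
    """Return (service, identity store) for the first SSID rule that matches."""
    for service, ssid, store in SERVICE_SELECTION:
        if ends_with(req.called_station_id, ssid):
            return service, store
    return None   # no rule hit: falls to the default (deny) rule


# Authorization rules (Josh's thread): on the BYOD SSID only certificate
# authentication is permitted; MSCHAPv2 with cached credentials is denied.
BYOD_SSID = "CorpBYOD"   # constructed


def authorize(req: Request) -> str:
    if ssid_of(req.called_station_id) != BYOD_SSID:
        return "Permit"   # rules scoped to the BYOD SSID leave other SSIDs untouched
    if req.eap_method == "EAP-TLS":
        return "Permit"   # X.509 certificate authentication
    return "Deny"         # any password-based method on the BYOD SSID


if __name__ == "__main__":
    for csid, method in [("00-1a-2b-3c-4d-5e:CorpBYOD", "EAP-TLS"),
                         ("00-1a-2b-3c-4d-5e:CorpBYOD", "PEAP(EAP-MSCHAPv2)"),
                         ("00-1a-2b-3c-4d-5e:CorpWLAN", "PEAP(EAP-MSCHAPv2)"),
                         ("00-1a-2b-3c-4d-5e", "PEAP(EAP-MSCHAPv2)")]:
        r = Request(csid, method)
        print(csid, method, "->", select_service(r), authorize(r))
```

    The last request in the demo carries the WLC default (AP MAC only) and matches no service selection rule, which is the symptom Amjad's callStationIdType command fixes.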

  • Windows domain account to view reports / manage the ACS server

    All,

    We have a Cisco ACS 5.2 deployment (appliance). It has existing integration with Active Directory. We use it with RADIUS to authenticate our wireless users and TACACS+ to manage our network equipment.

    RADIUS reports are useful for other teams (besides my own) in order to resolve account lockouts and password issues (everyone forgets to change the password on their phone).

    I would like to allow this team and others access to the RADIUS authentication report.

    I want them to be able to use their domain account to do this. <------- this is mandatory, based on our security>

    We tried using a local account and that works very well.

    My system tells me that domain accounts cannot access the administrative parts of ACS.

    Is this true?

    We have support that allows us to upgrade to the latest version of ACS.

    In ACS 5.4, it is possible to authenticate and authorize administrators from external stores, including AD accounts.

  • Disconnecting from the ad hoc wireless network

    I have problems with an ad-hoc wireless network connection. An Internet connection is not necessary; I just want to connect two Vista laptops to play Civilization 4. We had the two laptops connected properly for a few days and enjoyed the game. But now the connection does not appear to work properly.

    The two laptops connect to each other and then after a short period one of them disconnects with a message saying "waiting for other users to connect."

    It's the same no matter which laptop sets up the connection.

    We tried establishing new connections from both laptops and accepting the connections on each of them as well; the problem is the same.

    We have tried disabling the firewall without success.

    Are there other settings that we should look at?

    Hi Bm_mad,

    This problem may occur if the "Enable IEEE 802.1X authentication for this network" check box is selected. If this box is checked but there is no server to authenticate against, the connection is interrupted. If you turn the wireless network connection back on, it disconnects again after a short period.

    To resolve this issue, use one or more of the following methods in the order in which they are provided. After you complete each method, verify that the problem is resolved. If a method does not resolve the problem, continue to the next method.

    Method 1: Disable IEEE 802.1X authentication

    To disable IEEE 802.1X authentication, follow these steps:

    1. Click Start, click Run, type ncpa.cpl and click OK.
    2. Right-click your wireless network connection and then click Properties.
    3. Click the Wireless Networks tab.
    4. Under Preferred networks, click your wireless network, and then click Properties.
    5. Click the Authentication tab, click to clear the "Enable IEEE 802.1X authentication for this network" check box, and then click OK twice.

    Method 2: Remove and re-create the wireless network connection

    To remove and re-create the wireless network connection, follow these steps:

    1. Click Start, click Run, type ncpa.cpl and click OK.
    2. Right-click your wireless network connection and then click Properties.
    3. Click the Wireless Networks tab.
    4. Under Preferred networks, click your wireless network, and then click Remove.
    5. Click View Wireless Networks.
    6. Under Network Tasks, click Refresh network list.
    7. Under Choose a wireless network, click the wireless network to which you want to connect, and then click Connect.

    Method 3: Troubleshoot USB wireless network adapters

    If you have a universal serial bus (USB) wireless adapter, you may experience problems that are related to the limitations of USB. If you have several USB devices, the USB network adapter may share bandwidth, power or both to a level that causes the symptoms described in the "Symptoms" section. To resolve this issue, try the following suggestions:

    • If the computer has more than one USB bus, connect the wireless network adapter to its own USB bus. Connect other USB devices to a different USB port. As a general rule, two USB ports share one USB bus.
    • Disconnect all USB devices that are not in use.
    • Use a powered USB hub to connect the adapter to your computer.

    Post back with the result.

    Bindu S - Microsoft Support

    [If this post helps solve your problem, please click 'Mark as Answer' or 'Helpful' at the top of this message.] [By marking a post as Answer or Helpful, you help others find the answer more quickly.]

  • ACS authentication

    We have ACS running without any problem. We have a special VLAN for a public kiosk that clients can use to surf the Internet. The kiosk is wireless and is configured for automatic connection with a specific account. The access point uses VLAN 1, and the wireless terminal uses VLAN 40. When the kiosk machine authenticates to ACS running on our domain controller (which resides on VLAN 10), does the kiosk machine communicate with the domain controller, or does the kiosk machine communicate with the access point, which in turn communicates with the ACS server? I would like to block VLAN 40 access to VLAN 10, but if the kiosk machine must communicate with the domain controller, I don't think I can. Any help is appreciated. Thank you.

    The untrusted kiosk machine only communicates with the AP. The AP will send the credentials to the ACS server, which in turn will try to authenticate them against the Windows domain controller.

  • Operability issue of ACS 5.0 as RADIUS with ASA?

    Hello

    I'm trying to get my VPN users authenticated with RADIUS (ACS 5.0), and the VPN users database is created in AD. Now when I am trying to connect through the Cisco VPN client, I am unable to do so. In fact, I get an error message (through debugging at the ASA level for aaa and isakmp) that my RADIUS server is DOWN.

    Please let me know if there is any compatibility issue with ACS 5.0, because everything was working fine on my ACS version 4.2.

    Regards

    Ritesh

    Ritesh,

    Yes, there is a defect in ACS 5.0 with VPN authentication.

    When you try to connect with the VPN client, you will not see any hits in Monitoring and Reports.
    In the ASDM logs you'll see that the RADIUS server is not reachable.
    Debugs show a RADIUS timeout.
    This will work with TACACS+.

    The access policy rule is not hit. Also, RADIUS could not be used, as you hit CSCsy17858

    http://cdetsweb-PRD.Cisco.com/apps/goto?identifier=CSCsy17858 ; use TACACS+ instead of RADIUS.

    If you want to use RADIUS then you need to upgrade your ACS version to 5.1

    You can download patch 9 (5-0-0-21-9.tar.gpg) and ADE-OS (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg) from the below path:

    Go to Cisco.com > support > download software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software 5.0.0.21 >

    Reference: upgrade of ACS from version 5.0 to 5.1:
    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_upg.html

    HTH

    Kind regards

    JK

    Please rate useful posts

  • How does 802.1X port-based authentication grant network access through ACS?

    How does 802.1X port-based authentication grant network access through ACS?

    Hello

    802.1X can authenticate the host either by username/password or through the MAC address of the clients (PCs, printers etc.). This process is called agentless network access and can be done via MAC Authentication Bypass.

    In this process, the 802.1X switchport sends the MAC address of the connected PC to the RADIUS server for authentication. If the RADIUS server has the MAC address in its database, authentication will be successful and the PC will be granted network access.

    To check the configuration on ACS 4.x, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_ser...

    To check the configuration on ACS 5.x, you can go to http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_contro...

    Kind regards

    Kush

  • ACS privilege level and command sets

    Hi all

    I was put in charge of implementing ACS 5.6 in order to allow members of specific MS domain security groups access to our equipment. I have the domain association and groups added, and I have an access policy with a rule that works, so my domain test account can connect to the switch and perform only the commands in my command set.

    The problem is that when I assign a shell profile with privilege level 7 min/max to the rule and the user logs on with this level, they are unable to see the commands that I allowed in the command set. Is it possible to have ACS tell IOS to automatically change the visible commands to a specific privilege level when the user connects, even if they are not at that privilege level?

    Any help greatly appreciated,

    Chris Menuey

    Since you're using command authorization and restricting the user to certain commands, why use privilege 7 and not 15?

    ~ Jousset

  • ACS 4.2 and Kaspersky antivirus

    Hi all

    I want to install Kaspersky Anti-Virus on ACS version 4.2 on Windows 2000.

    Is it applicable or not?

    Thanks in advance,

    Ayman Yehia

    Hi Ayman,

    As a general rule of thumb, there should be no limitation to install Kaspersky on Windows 2000 with ACS 4.2.

    In the past, we have seen problems with some antiviruses, such as Norton, for example, blocking the ACS services.

    Unfortunately, AVs and releases are too different from one another to build a specific compatibility matrix.

    As said, nothing should prevent ACS 4.2 from working when Kaspersky is installed, as long as Kaspersky does not block specific ports/services.

    Kind regards

    Fede

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • ACS 5.2 dynamic VLAN assignment - voice VLAN problem

    Hello

    When I want to configure the VoIP VLAN through ACS, I go to Policy Elements > Authorization and Permissions > Network Access Authorization Profiles and then on the Common Tasks page select Voice VLAN > Static, according to the picture below

    Then configure the VLAN ID > Static > VLAN_number

    But this only enables the voice VLAN and sets it to VLAN_number; the DATA VLAN will remain unchanged and not configured.

    So my question is, is there a way to configure both the voice VLAN AND the DATA VLAN?

    I tried to manually add RADIUS attributes for a second VLAN, but it is not allowed.

    Any idea?

    Kind regards

    Thibault.

    Hi Thibault,

    Why do you want to configure voice and data in the same authorization profile?

    If this configuration is to be used for an MDA (multi-domain) config on the switch, then take into account that the IP phone and the data client must go through separate authentication sessions.

    That being said, you should instead set up two different authz profiles and configure different rules in the authorization policy that apply the "voice" profile for IP phones and the "data" profile for data clients.

    I hope that answers your question.

    Kind regards

    Federico

    --

    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

  • 802.1X with ACS and Windows AD

    Hello

    I'm trying to configure 802.1X with ACS 5.2 but I am getting it wrong, as it's very different from ACS 4.2.

    I joined the ACS to the domain and think that I set up the external identity store; however, when I try to authenticate a PC using the "PEAP (EAP-MSCHAPv2)" authentication, I get failure reason 22056: subject not found in the identity store.

    Marco

    Hi Marco,

    I guess you missed a mapping configuration in the Access Policies section.

    Create an Access Service named AS-802.1X, select User Selected Service Type, and select Network Access. Select the Identity and Authorization policy structure. Select PEAP as the allowed protocol. Click Finish.

    You will see the new service; click on Identity.

    Select the identity source you have created, then save.

    Click Authorization.

    Select an authorization profile for the default authorization rule and save.

    Create a service selection rule named 802.1X

    Select Protocol RADIUS as a condition, and as a compound condition select the RADIUS-IETF:Service-Type match box, then select the service that you created before.

    Then you can try again.

    Regards

    Alex

  • Replacement of the ACS 1121

    Hi people,

    I have a clarification regarding ACS 1121. The client needs a solution for the ACS function rather than investing in ISE; is there any model that exists in the form of an ACS appliance only? To my understanding, ACS 1121 will be EOS, and SNS 3415 is said to be the replacement model.

    I'm confused: it is an ISE, but also ACS, and it is separate from the ISE licensing (base and advanced). What should I do if I need to select SNS 3415 as an ACS appliance? Is it base, or do I need to add something more?

    Appreciate your help and your support.

    Kind regards

    SID

    You shouldn't need to purchase base and advanced licenses. You just buy the migration license and it will work quite well for your existing users. For more details on this, you can see the attached ISE ordering guide.

  • Change the IP address of the ACS

    Hello guys,

    I will soon be changing the IP address of my ACS server because I will move it to a new VLAN. The ACS is also integrated with Microsoft Active Directory for authentication of wireless LAN users.

    My main concern is that if I change the IP address of the ACS, do I have to do something on the Active Directory server? Will I have any certificate-related issues? The ACS I am running is version 5-1-0-44-6.

    All opinions are very welcome and appreciated.

    Hello

    Changing the IP will not affect the certificate of the ACS or the domain join.
    In the worst scenario, where you face the problem of having to re-join the domain (it could be a secondary domain question or a clock problem), you can simply remove the machine entry on the domain side and re-join the domain ("I hope that you won't have to do that"), but even if you need to, it won't take more than a few minutes.

    See you soon,

    Mohammad,
