Compatibility of switches access with ISE
Hi all
I need some advice on which models of switches to buy to support almost all of the features that the ISE offers... Mainly...
MAB, 802.1X, Web Auth, CoA, dACL, SGA...
Now, I've been reviewing the Cisco 2960 switches and the sheets advise that they support some features, but then when I look at the Cisco ISE network access device compatibility list that was updated in December 2013... When you look under Cisco 2960, it advises that they support only 802.1X & MAB?
I'm planning for the future deployment of ISE features to access switches in our network, but need to ensure that A) existing switches support these features and B) new switches that we buy will support these features.
Is there a more accurate document available, or has someone had experience with the current Cisco 2960 switches and how well they work with the ISE?
Thank you
Mario
Take a look at this link instead:
http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-2/compatibility/ise_sdt.html
DACL, WebAuth (both local and Central) is certainly supported. SGA/SGT isn't right...
Thanks for the note!
Similar Questions
-
Guest access with ISE and WLC LWA
Hi guys,
Our company try to implement access as guest with dan ISE WLC with the local Web authentication method. But there is problem that comes with the certificate. This is the scenario:
1. the clients are trying to connect wifi with guest SSID
2. once it connects, you can open the browser and try to open a Web page (example: cisco.com)
3. because guests didn't connect, so this link redirect to "ISE Guest Login Page" (become: url)
4. If there is no Login to ISE not installed comments Page, no reliable connection of message, but it will be fine if they "Add Exception and install the certificate".
5. once the Guest Login Page will appear and you can enter their username and password.
6 connection success and they will be redirected to www.cisco.com and there pop-up 1.1.1.1 (IP of the Virtual Interface WLC) with the logout button.
The problem occur in scenario 6, after the success of the opening session, the Web page with the address and the error of certificate ISE IP to 1.1.1.1 is appear.
I know that it happened when you can has no Page of Login of WLC certificate...
My Question is, is there a way of tunneling WLC certificate to EHT? Or what we can do for ISE validate certificate WLC, invited didn't need to install the certificate WLC / root certificate before you connect to the Wifi?
THX 4 your answer and sorry for my bad English...
Do not mix WLC with ISE comments Portal local Web authentication. Choose one or the other. I suggest the portal + WLC CWA.
-
ASA 5525 X Anyconnect configuration with ISE 2.1
I have a new deployment of ISE 2.1 which is used only for the management of the devices at the moment. The intention is that it will serve as radius for authentication of our VPN server.
5525 x is a brand new ASA runs the 9.4 code. I want to configure VPN on the SAA strategy so that each user is assigned a DAP based on their Department.
I already have the designation of the Department for user accounts assigned in AD through a group membership. I don't know how to get ISE to belonging to a group at the ASA so that she can associate the user based on this correct in RAP group membership.
I succumbed to determine how this is supposed to work. Thanks for any help.
Normally we authenticate and authorize users and then push DACL or allow connection from ISE etc. of such conditions profiles that check results Posture or parts constituting the identity of the user (such as AD or another external identity store belonging to a group).
There are a couple of good guides to do so, including detailed examples:
https://communities.Cisco.com/docs/doc-68158
http://www.Cisco.com/c/en/us/support/docs/security/Adaptive-Security-app...
http://www.Cisco.com/c/en/us/support/docs/security/AnyConnect-secure-mob...
While they focus on the case of use of Posture, they can be adapted to add other uses. For example, ISE registration condition may be the result of not only a Posture check also membership in a given group or another if you make it a State.
I do not think we can specify to the ASA to call a given font of DAP like Hostscan module cannot be used at the same time that the module ISE Posture. However, you should be able to accomplish just about everything you used to depend on the DAP with ISE Posture Module AnyConnect (assuming you have AnyConnect 4.x Apex licenses).
If you want to stick with the ASA DAP model, you can forgo using policies and module ISE Posture and instead create an authorization profile (result) to send the ASA a RADIUS A-V pair based on a match (in the ISE authorization policy) with the AD group. There is a "Cisco-VPN-3000" A-V called "PIX7x-members-from" that can be used in ASA dynamic access policies. You can see it (and all other A-V pairs supported by ISE) here:
-
Cannot access the ISE-3395-K9 CISCO Web GUI
Hello
I can't access the ISE-3395-K9 web GUI on interface gig 0, whose IP address is 192.168.1.10. I set the IP address of my laptop to 192.168.1.20 and could ping it, but am still not able to access it through a direct connection between my laptop and interface gig 0 using one of the supported web browsers. Any help would be greatly appreciated.
It is possible that the GUI was configured to restrict access to only certain IPs / subnets. If 192.168.1.x isn't one of them, then you will have access.
Are you able to connect to the shell via SSH? If so, you should check and confirm that all associated ISE services run by running the following command:
show application status ise
Thank you for evaluating useful messages!
-
Cannot open the URL of the CWA with ISE
Hi people,
I have a problem when you perform the CWA with ISE so that I can give you access to the network for the guests.
Everything is fine except the URL of the CWA: when guests open Explorer and enter a domain name after they have connected to the SSID, they will be redirected to a URL like "https://hostname.demo.com:8443/guestportal/..." which begins with the hostname of the ISE and the domain name of the ISE, but for us, we have not any announcement and the LAN DNS for our network so that we cannot translate the hostname.demo.com in the IP address of the ISE, so can I just change the URL to an IP-address type like "https://10.10.10.70:8443/guestportal"?
Screenshot of an attached screenshot (sorry).
Basically it's in the authorization policy, allows you to use a static DNS or IP address
-
How can I switch phones with a member of the family without losing the data on a phone?
How can I switch phones with a member of the family without losing the data on a phone?
jkatts wrote:
How can I switch phones with a member of the family without losing the data on a phone?
Make a backup of each phone to iTunes or iCloud (do not forget to use your Apple ID or personal computer), then do whatever your carrier wants do you to change numbers if that's your intention, then restore these backups on the device of the "other."
-
Storm the conversion compatibility mode a moped with CAP
Hello
to make my games work on BlackBerry devices, I use CAP to convert JAR files. On touchscreen devices, I use the Canvas.pointer* events * and everything works as expected on all devices, including the storm.
So far, my game seems to work with compatibility mode off (i.e. without the virtual keyboard) when installed using the Desktop Manager. This is exactly how I want it to be, but I was just wondering if it is the case by default because that research of this forum, I always read that, by default, an application is running in compatibility mode if compiled with any older IDE (pre 4.7).
Anyone can confirm the behavior in order to release my game with support for the storm devices without using IDE 4.7 and create an additional project just for the BB Storm. Usually I don't use any IDEs as, over the years, I have developed a large number of tools and scripts to make a huge amount of work required in support of many different devices of J2ME and it would be great if I could continue to do without in the future.
Thank you very much
Michael
It seems that midlets will run without the dreaded compatibility mode.
-
URL is not change after successful authenticate with ISE 1.1.1
Hello
I have installed Cisco Identity Service Engine (1.1.1) with Wireless LAN Controller (7.2.110)
Everything is complete, unless the redirect URL. My customer comments can join the SSID of comments and also can authenticate to ISE.
But after they success to authenticate with ISE, the URL in the browser does not alter the pre - configure. There still be something like https://ise-ip:8443/guestportal/redir.html . Anyway the content in the browser is replaced by the URL that is configured as http://www.google.com/
How can I do with this cause of situation that everything works well, but only the URL of the browser that is not a change to the sits one.
Thank you
Mathias
Hello
See if this thread will help, what you can do to work around the problem, is to redirect all authentications to a single Web page.
https://supportforums.Cisco.com/message/3664154#3664154
Thank you
Tarik Admani
* Please note the useful messages *.
-
I just got the CC but I can't access with my ID. "Assinatura não encontrada" (not found) how can I do?
Contact adobe during the time pst support by clicking here and, when available, click on "still need help," http://helpx.adobe.com/x-productkb/global/service-ccm.html
-
Hello, I had paid for the creative but not access, with Juliette deroche sister cloud account, thank you
A cloud subscription is linked to the Adobe ID of the person who purchased the subscription
YOU can install and activate on 2 computers, but two activations cannot be used at the same time
If you give your sister your credential, you can not both use your subscription at the same time
Cloud license allows 2 activations http://www.adobe.com/legal/licenses-terms.html
-Install on a 2nd computer http://forums.adobe.com/thread/1452292?tstart=0
-Windows or Mac has no importance... 2 on the same operating system or 1 on each
-Two activations may NOT be used at the same time (noted in the link above of the license)
-
Hello
In Windows 8, I have VMWare Player 5 installed CentOS with a Rails server.
Here is the output of the ifconfig command:
eth1 Link encap HWaddr 00:0C:29:60:0F:AF
INET addr:192.168.118.136 Bcast:192.168.118.255 mask: 255.255.255.0
ADR inet6: fe80::20c:29ff:fe60:faf/64 Scope: link
RUNNING BROADCAST MULTICAST MTU:1500 metric: 1
Dropped packets: 530695 RX errors: 0:0 overruns: 0 frame: 0
Dropped packets: 626707 TX errors: 0:0 overruns: 0 carrier: 0
collisions: 0 txqueuelen:1000
RX bytes: 202357267 (192,9 MiB) TX bytes: 479045323 (456.8 MiB)
Basis of interruption: 19 address: 0x2024
Lo encap:Local Loopback link
INET addr:127.0.0.1 mask: 255.0.0.0
ADR inet6: ::1/128 Scope: host
RACE of LOOPING 16436 Metric: 1
Fall of RX packets: 79511 errors: 0:0 overruns: 0 frame: 0
Dropped packets: 79511 TX errors: 0:0 overruns: 0 carrier: 0
collisions: 0 txqueuelen:0
RX bytes: 11402959 (10.8 MiB) TX bytes: 11402959 (10.8 MiB)
In Windows 8 (PC), I can access with 192.168.118.136:3000
But I also would like to access it from another computer on the same network.
I ran the command line in Windows 8 with admin rights to open the virtual network Editor: C:\Program Files (x86)\VMware\VMware Player> rundll32.exe vmnetui.dll VMNetUI_ShowStandalone
I saved the following options (see picture):
I can not even access from another computer 192.168.118.136:3000.
Thanks in advance for your help.
That's how it should work, unless the traffic/port is blocked by the firewall on the host.
Basically, you can forward every port you want at the prompt, it doesn't have to be the same port that you used in the comments (e.g. 12345 67890 prompted port host port redirection). Just make sure that you do not use a port that is required by the host of the operating system itself.
André
-
Hi all. I am using Adobe Document Cloud. After you save a PDF to that cloud, I am able to see my PC files as well with a navigation option. How to disable this? Will my PC files also be available on other PCs accessed with my Adobe ID? Please help me. Thanks in advance.
Hi indi68632954,
I can understand your concern & you need to worry about this, as the folders in your PC are not available on other PCs as this option is just to browse through files of the specific system you are working on as shown in the screenshot below.
Only the files that have been uploaded to the cloud of Document will be available over the Internet using Adobe Document Cloud service during authentication of your Adobe ID & password.
I hope this will answer your query.
In the case where if you have any other question please let us know, we will be happy to help you.
Kind regards
Nicos
-
Hello
I recently updated my site in CF5 CF9 running on a virtual server. Here are the specs.
CF Version: 9,0,0,251028
Edition: Enterprise
Operating system: Windows Server 2008
My old code worked fine except that some queries were running slowly. My webhost has suggested that I change the driver from "Microsoft Access" to "Microsoft Access with Unicode." As suggested, it made things much faster. However, there are some pages on my site that didn't work. I did some research and found that I had used two 'reserved' words for table names that caused pages to fail when you use 'Microsoft Access with Unicode' as the driver. Curiously, the pages worked well with the regular driver of "Microsoft Access".
I'm now left just a mistake that I can't solve. I get the following error ONLY if you use the "Microsoft Access with Unicode" driver.
Run database query error.
Error running query of queries.
The column reference select [GetList.ItemNo] is not in the table [GetList].
This is the code that it is.
<!--use QofQ to join archives interviewed against basket data-->
<CFQUERY NAME="GetProducts" DBTYPE="query">
SELECT GetList.ItemNo AS ItemNo,
GetList.Item AS Item,
GetList.Grades AS Grades,
GetList.Price AS Price,
GetList.OrderQty AS Amount,
(GetList.OrderQty * GetList.Price) AS ProductSubTotal
FROM GetList
</CFQUERY>
Is there a problem with "Microsoft Access with Unicode" not playing well with query of queries?
I would be very happy any contribution to this issue.
Thank you
Steve
... two words 'reserved' for table names that caused pages to fail when you use 'Microsoft Access with Unicode' as the driver. Curiously, the pages worked well with the regular driver of "Microsoft Access".
Different database drivers can have different reserved words.
Run database query error.
Error running query of queries.
The column reference select [GetList.ItemNo] is not in the table [GetList].
This is the code that it is.
It seems very unlikely that the error has something to do with the driver used in the original request. What does the original query 'GetList' look like? Does it contain the "ItemNo" column, OR does it have this column more than once?
-
DB Access with or without unicode?
Hello
When I create and connect to a db Access with Unicode, I am able to see the names of the tables in the tab database by the Committee for the selection of the DW. If I set up the db without Unicode, I get the full path to the C: folder. Can someone explain why this is happening and how this can be fixed? Thank you.
Luis
Thank you. I think I found the fix
http://KB.Adobe.com/selfservice/viewContent.do?externalId=kb400996
I'll give it a try.
-
Hello
I'd like to know how to give access to users when ISE is dead.
I'm requesting because I'm using pre authentication ACL, so even with the order of authentication server dead action events allow vlan XX access will be limited, will it not?
My pre authentication ACLs allow access only to ISE, DNS and DHCP requests.
Kind regards.
André-
I'm afraid that you don't have a lot of options here. I have encountered this problem before during my deployments. The problem is that the ISE is necessary in order to signal the switch to remove the pre authorization ACL using a DACL. However, since ISE is not available, the switch can allow endpoints to a VLAN, but not you need another method to remove the ACL of pre approval. In the past, I've accomplished this via one of the following:
1. EEM script that reconfigures the switch and sets the pre authorize ACL to "permit ip any any" (or removes the ACL of pre approval altogether) when / if the ISE servers become unavailable. I thought that this required functionality of the IP Services, but by looking at the following doc looks like you could do with IP Base too. I guess you can give it a try and see what happens :)
example of script EEM:
2. the second method requires a switch to converged access (3850, 3650). These switches can be configured with the profiles where the pre authorization ACL can be replaced by an ACL critical interruption of the ISE.
I hope this helps!
Thank you for evaluating useful messages!