[ISE or ACS] EAP-TLS or profiling as the same SSID
Hello
I can only configure one SSID to connect 2 types of devices:
- Devices with certificates connect on this SSID using EAP-TLS
- Devices without certificates, which ISE profiles (or ACS verifies their MAC addresses)
Could this work?
How can I configure this type of SSID on WLC?
- 802.1X works
- 802.1X + MAC filtering works.
- I failed to configure 802.1X or MAC filtering...
Thanks for your help,
Patrick
Hello Patrick.
Unfortunately, I don't think that's currently possible in the Cisco wireless world with a single SSID. For your example, you will need two separate SSIDs. Something similar has been asked before:
https://supportforums.Cisco.com/discussion/11941331/isewireless-nacone-SSID-MAB-and-dot1x
I hope this helps!
Thank you for evaluating useful messages!
Similar Questions
-
I knew that there are years you may have multiple profiles in Firefox, and given that Chrome is really stuffy handling games like Farmville 2 lately (don't know why, but Firefox is the browser recommended Zynga anyway), I decided to set up the profiles of boards and profile shortcuts. But there is a BIG problem. With Chrome, when I put in place of shortcuts to profiles that Chrome allows you to do in a single click, by the way, if I have a profile already open, I can open windows in all separate profiles using their shortcuts. In Firefox, I can't. If I have an open profile, the other shortcuts simply open windows in the same already open profile. This is not acceptable. It's not as if profiles are in the same directory. They are in separate directories and that there should be no problem with the opening of two or more profiles at the same time.
You can use the -no-remote command line switch to open another instance of Firefox with its own profile and run multiple instances of Firefox at the same time.
-
How to use multiple profiles within the same instance of Thunderbird
A month ago, I got Thunderbird set up with three profiles,
and all three could be used in a start only one of
Thunderbird. That the PC is now gone. I've reconfigured the three
profiles on a new PC, but can't do all three
can be used in the same instance of Thunderbird. Can you help me?
Both computers are / were only Windows7 64 bit.
Thunderbird opens on the default if a profile
or
The Profile Manager is responsible to ask at startup it will allow you to choose which profile to open if it opens the last used profile...Thus, it shows a profile at a time within a single instance of Thunderbird.
However, only one profile can have multiple e-mail accounts.
for example: I run 4 e-mail accounts in a profile. -
Can I have my documents and the user profile on the same USB as my system?
Hello
I already have my documents and the user profile on a USB key. Can I copy an Image of the system on the same unit?
Anne
I'm saving My Documents and user profile on my USB key to back up regularly. I decided to do a system recovery disc set to DVD + R I have a set of 4 drives for my laptop. A free copy of MS allowing me to do.
While it is tempting to use the DVD you already have, you could do yourself a disservice. What use would be if one of them turned out be wobbly when you need a year from now? Save the recovery image on an external hard drive would be much more reliable.
I don't understand what you mean with "a free copy.
-
Can I use an ACS as RADIUS and TACACS+ to the same ASA Server?
I want TACACS+ to do the accounting for the ASA; meanwhile, the ASA needs RADIUS for SSL VPN authentication. Is it possible to achieve this with only one ACS?
Yes, you can use both. It allows you to add the ASA as RADIUS and TACACS+.
ACS-->---> aaa-client network configuration
(1) ASA---> 1.1.1.1---> authentic using TACACS+
(2) ASA1---> 1.1.1.1---> optout by radius
Don't forget the host name cannot be the same.
Kind regards
~ JG
Note the useful messages
-
Delete and re-create a Service profile using the same address (HBA WWNP) WWNP pool
Hi guys,
I have 8 services created profiles used by esxi boot via SAN. The cause is via SAN boot is very important for me the address of WWNP HBA.
Now, I need to change the model vNIC used in these services profiles to include the option of the VM in the target.
But for this I have to delete and recreate the model vNIC.
I think that the UCS will not allow me to that I have unlink and delete the profiles of 8 services (I may be wrong)
My question is.
After I deleted a service profile, what is the best way to ensure that new services profile will be used the same address (HBA)
used by the deleted profile service. ?
Thanks in advance,
My best regards,
Hey,
I don't know why you need to remove the 8 SPs when changes (deletion) are on the vnic/HBA model.
Address WWNP is being derived from a pool? right?
What is the order of assignment? Default or sequential
is this specific to only those 8 servers WWPN pool?
I did a quick test when I remove model HBA he doesn't remove the vHBAs configured in MS.
Thank you
-Slim
-
Sharing and control access to files in all of the different profiles on the same system
I created two accounts on a system. One is an administrator and the other is a Standard user. I shared the folder of the Administrator profile for a specific user (which is a standard user) to be able to read and write to this folder and make changes to the files contain folders. So when I make changes in the user area or the other, they are not reflected in the other area. The Standard user folder is mapped to the folder of the administrator being shared. This system is running Windows 7 Professional x 64 and Office 2007 Professional. What I am doing wrong? Need to share every file and folder? Share the top-level folder in the hope that the folders and files in the top folder would be inherent the same permissions as the top folder. Help please!
Hi Balz,
your question
>>
Need to share every file and folder? Share the top-level folder in the hope that the folders and files in the top folder would be inherent the same permissions as the top folder.
>>
You no need to share every file/folder of the top folder of the page.
You share folder with READ & WRITE permissions?
same question in this forum http://answers.microsoft.com/en-us/windows/forum/windows_7-files/how-do-i-share-files-folders-with-other-users-on/f612eab4-c159-49c4-90e9-ea3eedf3da31 please return.
http://Windows.Microsoft.com/en-us/Windows7/share-files-with-someone
Thank you
Siva
--------------------------------------------------------------------------
If this response has resolved your problem, please mark this answer as the answer.
-
I want to save my e-mail and archives. I intend to put them in my folder "Documents" for backup of 'Cloud' and also in an external hard drive that I have always used in the past and, as a child of 76 with a new computer, 8.1 instead of XP and TB instead of Outlook Express, that I feel more confident on my external hard drive! I have 31 TB and Windows 8.1. I put my computer to show the "hidden files and folders". In user/AppData/Local name there is a record of TB with 'Profiles' and there my XXXX.default folder - but it has only a limited number of files and folders (Cache/cache2...). In user/AppData/Roaming name, there is also a TB with 'Profiles' folder and there my XXXX.default folder- but it contains a completely different and much larger files and Folders collection (4 different folders and multiple files MAB and SQLITE and others). Why have I not two files with different content identical default? Do I have to register each one? Can someone please explain/help, preferably in words this 76 year-old could understand.
Windows 8 user accounts can be local or remote. It assumes that everyone has a roaming profile. Thunderbird uses mobile records as you can see, but there is only the rump in local that I don't really understand the existence of.
Thunderbird does not use it, I guess that windows creates.
-
The title is essentially the question. Woman has a profile on our computer and I finally made my own but, images/wallpapers etc I want to use/choose between are on his profile and does not show up on mine. How can I move my profile?
In Vista, there is a Public folder.
Public folder is accessible to all users. What has your wife do is to move these images and funds of screen in the Public folder.
How to move files in the Public folder?
1. you can drag and drop on the public record.
2. you can right-click on the images and wallpapers > click Move To > put you into the Public folder > click Save.
If you do not Move To option in your context menu, here is the tutorial to add it.
The tutorial includes options as well copy to and Move To.
http://www.Vistax64.com/tutorials/89196-context-menu-add-copy-folder-move-folder.html
Use method 1. This is the simplest method.
-
Unable to access Internet Explorer under two of the five profiles on the same computer
I have 5 profiles set up on my computer, one for each Member of the family. When I try to access Internet Explorer or Word in two of the profiles I am unable to run the command. Both applications work as they always have under the other three profiles. I double click on
and 'Open with' dialog box appears with "Recommended programs." The only option in this area is "Internet Explorer". I select the option and click on , but I find myself in a continuous loop with the "Open with" dialog box When I finally click I get an another dialog asking me to save or run "ssvagent.exe." I am able to cancel out, but I can't even open either application. If I select I can open the document in word, but I can't access Word from the options menu or the shortcut I used last year. I ran a virus scan today and 5 cases have been detected and removed. I ran the scan under 5 profiles, but now I can't access BitDefender (my virus scan) under either of the two affected profiles. Please notify. Henry
Hello
Try scanning from the utilities included in the link, how to get rid of malware and let us know what happens.
How to get rid of malware.
Concerning
Anthony. -
Hello
We plan on implementing EAP-TLS for our company iPads and in the past, I've successfully tested authentication with the ACS5.3, but now that we moved to ISE (1.1.1.24) I get an error.
I tried two different profiles, one with certificates and AD credentials and the other with just the certificates, but the error messages are the same for both.
EAP-TLS is enabled in the result of the 'Access to the network by default' authentication.
Anyone can shed some light on where I'm wrong?
Thank you
Martin
Yes that's right, the certificate that is presented to the ISE does not include the identity of the client, this is the reason why the attempt fails.
Thank you
Tarik Admani
* Please note the useful messages *. -
802.1X EAP-TLS for wired users with ACS 5.5
Hi all
We are setting up a new configuration for wired users authentication with 802.1X (EAP-TLS). We use ACS 5.5 as an authentication server.
We have added the (internal) CA root certificate and the certificate for ACS signed by the CA. Now, we want to check whether authentication works or not. I expect that the CA root and identity certificate also need to be installed on the laptop computers. But I don't know how to download the certificates for a client machine manually from the CA.
Please suggest on how to get certificates for clients both manually and automatically?
Thank you
Vijay
Hi Vijay,
for wired 802.1X (EAP-TLS) you must have the following certificates:
On ACS - Root CA, intermediate CA, server certificate,
On the client - Root CA, intermediate CA, user certificate (in the case of user authentication) or machine certificate (in the case of authentication of the computer)
I do not know what third-party certificate you use, if its Microsoft in the House or any other certificate server, you need to download the client certificate to the server itself.
In the case of Microsoft, there will be a user certificate template. You can select and create user certificate
This is an old document, but a computer certificate for the user configuration steps, you can see the steps to download the certificate user if his server from Microsoft:
http://www.Cisco.com/c/en/us/support/docs/security/secure-access-control...
In case you use a third-party certificate server, then you must check with them on how to download the certificate of the user
See you soon
Mohammed (rate useful message)
-
ACS 4.0 EAP-TLS Cert does not
Hey,
so, I have generated my certificate signature request, took it to my CA, a cert. "ACS Certification Authority Setup" I have installed on my device ACS, then 'Install ACS certificate' installed (he parked in the privkey and password so I guess he got that comes from the cert file). I then add the CA to "change CTL. All of this goes off without a hitch.
However when I try to add the "certificate revocation list" I am unable to add the two LDAP:------and http://. I confirmed that the http:// is working on the certification authority, and all the possible indications are that the ldap protocol works too but I can't test with tools.
When I go to "System Configuration" -> "Global Authentication Setup" -> "allow EAP-TLS" I get the following error.
Could not initialize the PEAP or EAP-TLS authentication protocol because the certificate authority is not installed. Install the certification authority by using the "ACS Certification Authority Setup" page.
Exactly, which is not installed on the certificate? It is on the ACS server, it is configured and the date range is correct.
I've been banging my head against this all day and could use some suggestions. :)
Hello
For EAP-TLS to work you must use an external CA installation such as Microsoft or Rapid SSL, etc.; certificates auto-generated in ACS support PEAP but not EAP-TLS.
HTH
Ahmed
-
Machine based authentication using EAP-TLS, MS CA and 5.2 of the ACS
I have used ACS 4.2 for Windows for a couple of years now and I'm pretty comfortable with it. The 5.2 model is much more different than what I expected. We downloaded the trial in our laboratory for 90 days, and I am trying to get wired 802.1X working so we can be sure that we want to buy it. I've looked everywhere and I have been unable to find some basic instructions on how to configure the following in a step by step process scenario:
1. integrated AD
2 EAP-TLS
3 certificates
4 Microsoft CA
5. the applicant is XP SP 3
6 non-Cisco 802.1 x compatible switches (switches are not the question)
I got TACACS+ to work fairly easily, but I am confident the issues I have are user based :). Does anyone know of a doc somewhere that goes on a scenario like this (in addition to the user manual and docs of migration ISBN)? Also, we have the assurance of software on our box 4.2 - TAC support questions we have on the 5.2 box while we are it do demonstrations?
Thanks in advance.
Hello, Christopher.
I'll try to give you some tips to achieve what you want.
Additional info can be found in the user guide:
1. in the identity store / Active directory, check "enable machine authentication.
2 import a certificate for ACS
Go to System Administration > Configuration > Local Server Certificates > Local certificates and click the Add button.
Select how you want to import the certificate, and then verify the Protocol EAP
3. Add your switches as aaa clients
Access network resources > network hardware and the AAA Clients, click on create and add configure address IP + shared secret for the RADIUS.
4-go to access policies > Access Services and click on create a new access service.
Select the selected Type of Service and network access in the list.
Verify the identity, group mapping and authorization
5 - go to the access policies > rules of selection and select "Rule based selection result" if not already done, then click Customize at the bottom right of the screen, and then add the properties that allows you to match your device with which you want to do TLS.
You can use the IP address of devices, or you can create a NDG (in network resources), assign devices to the NDG and match this NDG in your rule.
If all your RADIUS switches will do EAP-TLS, you can change the rule
Rule-1 Ray game Default network access While in the result, you choose your service of access created in step 3.
6 - go to the access policies and click on the access service that you created in step 3. In the allowed Protocols tab, see EAP-TLS
7. unfold your access service menu, and then click identity. Select your ad as being the source of the identity
8. check that the 'Allowed access' rule is selected in the authorization to access your service
These measures define your devices, and then create a rule to say that ACS must use an individual service for this access devices and set this access service to use AD as authentication.
Again, what are the basic steps, he may miss some things to do depending on your configuration, but I hope this will help you.
ACS 5 may be difficult at first, but once you get your hands on it, you will see that it is powerful.
-
[Cisco ACS 5.2] EAP-TLS authentication failure
Hello
I set up a WiFi connection on Windows XP and Windows 7 with EAP-TLS (using Cisco WLC 7.0.235.3 and Cisco ACS 5.2.0.26.10). It is configured with the authentication of the computer and computer certificates are automatically registered for Microsoft PKI.
It works well!
Now, I configured Windows 8 with the same configuration.
First authentication works, but if I manually disconnect and reconnect, I got this error on ACS: 22047 username main attribute is missing from the client certificate
In the EAP packets, we could see that Windows 8 sent a TLS session but ticket session has not properly taken over by ACS...
In the ACS configuration, we checked the option "enable EAP-TLS Session resume" with the session timeout "7200".
I found this bug
http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtn26538&from=summary
It seems to be my problem but the reboot does not work in my case...
It is set at 5.3 (0.40.2).
I plan to install version 5.4.
Do you know if this fix is supported by 5.4?
Thanks for your help,
Patrick
Hi Patrick,
What is set in point 5.3 must be set in point 5.4.
Even if the same issue appeared with 5.4 there an ID different bug and identified as an independent issue (with different causes, usually)
HTH
Amjad
Rating of useful answers is more useful to say "thank you".