ISE web auth for a non-Cisco switch (D-Link 3528)
Is it possible to use ISE (inline posture node) to redirect ISE wired users to the portal?
And wired users will get full network access after they pass the web auth.
Hello
Theoretically, it could work if the switch is able to send all the attributes in accounting packets, such as the IP address and the MAC address in the Calling-Station-Id. If the attributes are missing or incorrect, the iPEP ISE will never create the session (see show pep session table).
That said, this has probably never been tested, so you may want to reconsider your design; there is no guarantee that this can work.
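Added example (not part of the original thread, and not Cisco code): a small check that parses a captured RADIUS Accounting-Request from a third-party switch and reports whether it carries the IP and MAC attributes the reply above mentions. It assumes these map to Framed-IP-Address (8) and Calling-Station-Id (31) from RFC 2865; the helper names and sample packets are constructed for illustration.

```python
import ipaddress
import re
import struct

ACCOUNTING_REQUEST = 4      # RADIUS packet code (RFC 2866)
FRAMED_IP_ADDRESS = 8       # assumed to carry the endpoint IP
CALLING_STATION_ID = 31     # assumed to carry the endpoint MAC
ACCT_STATUS_TYPE = 40
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[-:.]?){5}[0-9A-Fa-f]{2}$")


def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: [raw values]} for an Accounting-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"code {code} is not Accounting-Request")
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the datagram")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length on attribute {a_type}")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs


def session_problems(packet: bytes) -> list:
    """List reasons the packet lacks usable IP/MAC data for a session."""
    attrs = parse_attributes(packet)
    problems = []
    ip_vals = attrs.get(FRAMED_IP_ADDRESS, [])
    if not ip_vals:
        problems.append("Framed-IP-Address missing")
    elif len(ip_vals[0]) != 4 or ipaddress.IPv4Address(ip_vals[0]).is_unspecified:
        problems.append("Framed-IP-Address invalid")
    mac_vals = attrs.get(CALLING_STATION_ID, [])
    if not mac_vals:
        problems.append("Calling-Station-Id missing")
    elif not MAC_RE.match(mac_vals[0].decode("ascii", "replace")):
        problems.append("Calling-Station-Id is not a MAC address")
    return problems


def build_accounting_request(attrs: list) -> bytes:
    """Build a constructed sample (zeroed authenticator) from (type, value) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body))
    return header + bytes(16) + body


# Constructed samples: one complete Start record, one from a switch that
# omits the IP and puts a port name in Calling-Station-Id.
START = struct.pack("!I", 1)
GOOD = build_accounting_request([
    (ACCT_STATUS_TYPE, START),
    (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("192.0.2.25").packed),
    (CALLING_STATION_ID, b"00-11-22-AA-BB-CC"),
])
NO_IP = build_accounting_request([
    (ACCT_STATUS_TYPE, START), (CALLING_STATION_ID, b"port-7")])

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("no_ip", NO_IP)):
        print(name, session_problems(pkt) or "ok")
```

Feed it the UDP payload of an accounting packet captured between the switch and the policy node before committing to the design.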
-
Using Cisco ACS 5.2 (TACACS+) with non-Cisco devices
Hi all
I was hoping that someone could help me with what might be a silly question. I'm trying to implement a solution whereby an operator can control all their (non-Cisco) network nodes via TACACS+. The nodes involved are:
Juniper M10i running Junos 9.2, M120
Juniper M320 running Junos 8.5
Extreme BD8810 and BD8806 running XOS 12.4.1.17
Extreme Alpine 3804 running ExtremeWare 7.8.3.5
My question is, can I use Cisco ACS 5.2 (or 4.2) to authenticate these non-Cisco devices using TACACS+? Has anyone else done this, or do I have to use RADIUS? If someone has done this, are there interoperability problems between Cisco CS and Junos or Extreme XOS? Thank you
/ John
John,
We have a very large deployment of Juniper (T-series, MX-series, etc.). We use Cisco ACS and TACACS+ to manage these devices. The configuration of the ACS is fairly simple. You'll want to create users to connect and match them to the classes on your JUNOS routers. Here is an example:
set system login user engineering uid 2000
set system login user engineering class engineering-class
set system login user NOC uid 2001
set system login user NOC class NOC-class
set system login class engineering-class idle-timeout 15
set system login class engineering-class permissions all
set system login class NOC-class idle-timeout 15
set system login class NOC-class permissions view
set system login class NOC-class permissions view-configuration
We use two classes, engineering and NOC. One is defined as read/write and the second as read-only. These are then mapped in ACS (in our case version 4.2) by user or group (preferred). First, you change the interface configuration and add a TACACS+ junos-exec service, and do not enter anything in the Protocol field. Then, you change the attributes of the user group. I've attached screenshots for both on this subject.
Hope this helps.
Derek
-
For some reason, I am unable to change the location of the Bridge CS5.5 cache to outside my c:\user\ folder. Other drives on the system are not detected by Bridge. This was not the case before. I used to have another dedicated drive. I have reset the preferences and deleted the cache, but still nothing helps. Please help, as my C: drive is an SSD with limited space and contains only the OS! There is no problem with PS or PR, only Bridge.
If it worked before, what have you changed?
I know there are some problems in Bridge with users placing temp files somewhere other than the C drive. Known bug.
Here is a link with a similar situation. http://forums.Adobe.com/thread/760369
-
WAP4410N gateway to an existing non-Cisco network
Hello
I was wondering if someone can quickly answer my question?
I am trying to use my WAP4410N to create a wireless bridge to an existing network that does not contain any Cisco kit. After reading the manual, I tried the WDS wireless bridge solution with my D-Link wireless router's MAC address, but there is no option to put in the network WPA2 key. I guess I misunderstood how this feature works, and maybe it works with other Cisco wireless products?
Thanks in advance to anyone who can shed light on my question,
Andy
Sent from Cisco Technical Support iPhone App
Hi Andy,
Normally, to configure your WDS bridge you would need to set the WPA2 Personal option under the Wireless section, then click Security.
Since the SSID and security must be the same, that is where you would enter the information. As for making this setup work with a D-Link wireless router, the issue you will most likely run into is that the other wireless device must support WDS. Even then, you might also run into an issue with mismatched wireless chipsets as well.
More than likely this configuration will not work for you. I advise using another WAP4410N to establish the connection. Depending on what you are wanting to do, a WET200 may also work for you, since it just joins a wireless network and only uses WDS, but I have never tested this connection with a D-Link router, so I can't 100% guarantee whether this implementation will work or not.
Hope this helps and let me know if you have any questions.
Thank you
-Clayton Sill
-
How can I save the preview files to a drive other than C:?
My development machine has multiple drives and network drives. The C: drive is older, slower and more full. I use Elements, but have used Premiere over the years. At the time, we could make the program work better by offloading files from C:. I don't see how with Premiere Elements 9.
Go to Edit > Preferences and change the location of the disks to remove the program.
I use a lot of FW-800 external references, to migrate my projects between computers and keep my complete set of Scratch disks on the outside.
I wouldn't choose one of the disks in a network, because of the speed.
Good luck
Hunt
-
Hello world.
I'm setting up an environment that uses Web-Auth for my wired and wireless networks. I followed the exact steps on this Cisco page to get it running:
http://www.Cisco.com/en/us/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577490.html
I'm only testing the wired environment right now.
I plug a PC into a port and try to access a random web page (for example, www.cisco.com). It is automatically redirected to the authentication page. I type the user name and password, but when authentication is successful, it goes automatically to the https version of the page, which brings me to the problem. I have to add an exception (the "more on this option" link on the IE page) for this page to continue with the authentication and gain access to the internet. I enclose the steps I must perform:
I think that it is linked to the certificate, but I'm not sure what or where. I would like to get some advice from you to avoid this problem. I have no intention of buying any certificates, so if I could skip the https, that would be great.
Thanks a lot for your help
Victor Alves
If you don't want an official cert, you must go to HTTP only. But this means that people's passwords will transit in the clear on the network.
It's been a long time since I tried, but doesn't removing 'ip http secure-server' do the trick?
-
Download Adobe CS3 Web premium for MAC from the Direct download page
Hi, I am trying to download Adobe CS3 Web Premium for Mac, as I am switching from Windows to a Mac computer. I found the correct Direct Download page, but when I click the link I get this error message... ' HTTP ERROR: 404 /support/downloads/dlm/main.jsp RequestURI=/support/downloads/dlm/main.jsp ' Can anyone please help solve this problem? Thank you very much!
Try downloading using another browser.
However, if your serial number is for Windows, it may not work on Mac.
CS products are platform-specific.
-
Is it possible for other people to see that my IDs are linked in Windows Live?
Hello
Is it possible for other people to see my linked ID? So if I have linked * address email is removed from the privacy * and * address email is removed from the privacy *, can anyone see that the two IDs are related? Thank you!
Original title: Hotmail linked ID?
View all Windows Live and Hotmail questions in the appropriate forum found here:
http://windowslivehelp.com/
-
How to generate CSR on switches for web auth with NGS
Hello
I am doing a dot1x solution with web auth on Cisco 3750 switches.
Once the wired client is put in the web authentication state (after dot1x and MAB) and goes to a website, it receives a certificate warning. This is because the Cisco switch uses a self-signed certificate.
I want to use a Verisign certificate to resolve this error, but I can't find a way to generate a CSR on a switch. I only found a guide on how to request a certificate from a CA on the local network, but that is also not a solution, because the clients using web authentication won't trust the internal certification authority.
Is it possible to fix this?
Greetings
Steven
Hi Steven,
The document below is really for IOS SSLVPN, but the certificate part should be the same:
Search for 'Annex B'; it goes into creating a trustpoint, then has one section for self-signed certificates and another for generating a certificate request to send to an external certification authority.
Once the trustpoint is created, the command to actually generate the CSR is "crypto pki enroll".
This document goes into a bit more detail on the individual commands and what they do:
Also, you can use something external to the switch, such as OpenSSL, to generate the CSR and private key, then use it to request a certificate from your Verisign CA, and then import the cert/key pair into the IOS device.
Thank you
Nate
-
Somehow my default search engine has been changed from Google to something called "My Web Search". I want to switch back to Google, but I can't figure out how. I disabled the plugin and removed it from my search engine options in the top right, but nothing has changed.
You have My Web Search installed; look under Tools > Add-ons > Plugins. It could have piggybacked on something that you installed. Always look for an opt-out when installing other programs and add-ons that you install from sites other than the Mozilla Add-ons site. My Web Search is considered malware/adware/spyware by many. You must remove it.
Step 1. You can check if you have one of these 'Fun Web Products' installed:
Control Panel > Add or Remove Programs: Ask.com Bar, My Search Bar, MyWay Speed Bar, My Web Search Bar, Fun Web Products Easy Installer
See:
http://www.safer-networking.com/removemywebsearch.php
PC Hell: My Web search removal Instructions
http://helpint.MyWebSearch.com/intlinfo/help/toolhelp.jhtml#Q3
http://support.Mozilla.com/en-us/KB/troubleshooting+plugins#Manually_uninstalling_a_plugin
Step 2. You may need to change a preference to reset your default URL/location bar search engine:
-Enter about:config in the URL/address bar and press the Enter key
-If you see a warning, accept it (promise you'll be careful)
-Filter = keyword.url
-Under the filter, right-click on keyword.url and choose "Reset".
-Restart Firefox (File > Restart Firefox)
See: http://kb.mozillazine.org/Keyword.url
Step 3. You may need to reset your homepage. Firefox can open multiple home pages. Home pages are separated by the ' | ' symbol.
See: http://support.mozilla.com/en-US/kb/How+to+set+the+home+page
Other topics: You have installed plug-ins with known security issues. You must update them immediately.
You MAY need to update Adobe Reader for Firefox (aka Adobe PDF plug-in for Firefox): your ver. N/A; current ver. 9.3.3 (important security update released 29/06/2010; see: http://www.adobe.com/support/security/bulletins/apsb10-15.html)
Check your version here: http://www.mozilla.com/en-US/plugincheck/
See: http://support.mozilla.com/en-US/kb/Using+the+Adobe+Reader+plugin+with+Firefox#Installing_and_updating_Adobe_Reader
You may be able to update from the Adobe Reader installed on your system instead of going to the Adobe site and downloading. Open the Adobe Reader software installed on your system (in Windows, Start > Program Files, find and click on Adobe Reader to open it), click Help, click Check for Updates. Allow the download/update to occur. If you use this method, there is no need to proceed with the instructions below, but look at the two bulleted items at the bottom, "NOTE for IE:" and "See also:". Restart Firefox and check your new version here: http://www.mozilla.com/en-US/plugincheck/
If you go to the Adobe site to download Adobe Reader:
-use Firefox to download and SAVE to your hard drive (save to the desktop for easy access)
-see the images at the bottom left of this post to see the steps on the Adobe site
-exit Firefox (File > Exit)
-In Windows: make sure that Firefox is completely closed (Ctrl + Alt + Delete, choose Task Manager, click the Processes tab, if "firefox.exe" is on the list, right-click "firefox.exe" and choose End Process, close the Task Manager window)
-In Windows: double-click the Adobe Reader installer you just downloaded to install/update Adobe Reader
- NOTE: under Vista and Windows 7 you may need to run the plugin installer as an administrator by starting the installer via the right-click context menu if you do not get a UAC prompt asking permission to continue (that is, nothing seems to happen). See this: http://vistasupport.mvps.org/run_as_administrator.htm
- NOTE for IE: Firefox and most other browsers use a plugin. IE uses an ActiveX version. To install/update the IE ActiveX version, follow the same instructions as above, except use IE to download the ActiveX installer. See: ActiveX
- See also: http://kb.mozillazine.org/Adobe_Reader AND How to change options to add Adobe to the list of allowed sites
-
Firefox is in full screen mode. Windows 7. I can't do anything other than read the web page I'm on. There is NO button for navigation or anything else. No toolbar. Nothing. The only way I can close the program is to use Ctrl-Alt-Del and the Task Manager. No way to start Firefox in Safe Mode, no way to reset. Suggestions like hitting Alt or Alt followed by V - T - M do nothing. I've updated plug-ins. I uninstalled and reinstalled Firefox - no change. It is completely unusable.
If you are in full screen view, then hover with the mouse at the top to make the Navigation bar and tab bar appear.
You can click the maximize button in the upper right to leave full screen mode, or right-click an empty space on a toolbar and use "Exit Full Screen", or press F11.
You can check for problems with the file localstore.rdf.
-
No Option to install repair - SAD
Hello
Why did Microsoft remove the ability for Windows Vista to install over itself from a location other than inside the OS you want to repair?
I recently had a problem where Vista Business 64-bit would only boot to a black screen with a movable cursor - KSOD. Which, in searching the Web, I found is a fairly common problem with Vista. I discovered that my only option was to reinstall Vista CLEAN, along with all the other programs I had installed under it. I can't believe that Microsoft dropped the "repair installation" option similar to that of Windows XP, where you can hit the "R" key during installation, and left us with nothing but the "System Restore" and "Startup Repair" options. Neither of which helped in my situation. Since this was a dual-boot system with XP Pro, every restore point was removed from the Vista partition any time I booted XP, another problem recognized by Microsoft, which Microsoft has made no significant effort to fix, other than recommending that you hide the Vista partition in XP. That rather defeats the entire purpose of dual boot.
When I tried to start in safe mode, it left me at the same point as a normal boot - black screen with a cursor. I tried ctrl + alt + delete and nothing. The two Windows RE options did not help me. This left me no option but to completely reinstall Vista. Why did Microsoft remove the ability for Windows Vista to install over itself from a location other than inside the OS you want to repair? Please don't tell me that it is because Vista uses an image file instead of an installation system like XP. I see no other reason for not allowing the upgrade from outside the OS besides Microsoft's greed and paranoia that it could make the operating system easier to install illegally. I hope that some third party has actually changed the Vista installation routine to allow you to install Vista over itself, because as it is, it's really hard for me to even recommend Vista as an operating system or install it anywhere else, if the only recourse after the OS fails to load is to reinstall completely.
Adobe, Autodesk, and almost all other software publishers... allow you to perform a "REPAIR" of their software installation if something prevents it from loading after installation. Even MS Office has a repair routine. Does MS have an internal version of the Setup routine that allows the upgrade option from outside the OS that you want to "upgrade"/repair? If not, why?
-Todd w.
"Why Microsoft removed the ability for Windows Vista to install over itself from a location other than inside the OS you want to repair."
"... After using XP's repair function, the operating system itself would become less stable and frankly not in a good state of repair."
That, Todd, is the answer.
"This response does not hold water, as on one of my computers I've been running Windows XP for about four years now, after a repair install."
"I thought that this area was a place to really get answers instead of the same ole BS answers that are on all the other forums."
If you want to have input on the future of Microsoft operating systems, then help beta-test and provide feedback to the developers. Windows 7 and IE 8 are currently in beta.
Another possible place you could make suggestions which could see the developers would be:
https://connect.Microsoft.com/default.aspx
Brent
Microsoft Answers Support Engineer
Visit our Microsoft Answers Feedback Forum and let us know what you think.
-
Cisco ISE switch configuration
Hi experts,
I got the following network:
Devices-> switch access-->--> access switch central office switch-> ISE Server
All switches are capable of IOS 802.1X and AAA configurations for ISE to manage network devices. I have read the guide on configuring the switches in preparation for the Cisco ISE deployment, but I wonder whether I should configure both the access and core switches, or only configure the access switches to EHT?
Thanks for your time to read!
If all clients are non-DHCP clients, then no configuration is based or distribution at all.
But you may need to look into different profiling options if the clients are not DHCP-enabled. Does the access switch support the IOS sensor function? It would be very useful to have, as it would send important profiling information to ISE. You may need to use the right ISE profiling options to determine the details of the endpoint.
Regards
Vivek
-
Web authentication with RSA SecurID on a Cisco Switch
Hello
I have recently been looking into tying our Cisco 2960-S GB switch in with RSA SecurID via RADIUS
I have already managed to tie it in for SSH access
but I have failed to make it work for HTTP/web access to the switch
I think it's because we use 'single use' maximum security with RSA SecurID tokens
the web interface tries to authenticate several times against the RADIUS server part of RSA SecurID
(it is fine on the first authentication, but every time after that it wants a different token code)
I was wondering if anyone knew a way around this? (if there is a way to get the switch to authenticate once against the RADIUS server instead of multiple times)
FYI, the switch is a WS-C2960S-24TS-L with IOS 15.0(1)SE2
Hello Chris,
Can you test the following configuration?
aaa group server radius webtac_grp
 server
 cache expiry 1
 cache authorization profile httpauth
 cache authentication profile httpauth
!
aaa authentication login httpauth cache webtac_grp group webtac_grp
aaa authorization exec httpauth cache webtac_grp group webtac_grp
aaa authorization network httpauth cache webtac_grp group webtac_grp
aaa cache profile httpauth
 all
ip http server
ip http authentication aaa login-authentication httpauth
ip http authentication aaa exec-authorization httpauth
radius-server host key *
I know for sure the above configuration works when you use TACACS+ instead of RADIUS in order to avoid multiple prompts due to the authentication of Java applets accessing the IOS GUI. I have not tested it against RSA acting as an authentication server.
NOTE: As "aaa authorization exec" is configured, the RSA should send the Service-Type attribute with the Administrative value for it to work as expected.
If this was helpful, please rate.
Kind regards.
-
5508 loading cert for web auth
I have web auth enabled on the WLC, so when clients connect they get a cert error because it uses a self-signed cert. I was reading up on obtaining a third-party cert, and it says to have OpenSSL, then generate the cert and send it to a third-party CA, etc.
Any links that you can share would be very useful, explaining best practices and how to load a third-party cert on the WLC 5508 for web authentication.
Why can't we just get a cert from them for our domain and simply load it on the WLC?
Hi Mohammed,
Here are the two links that are like the bible to generate certificates...
http://www.Cisco.com/en/us/products/ps6366/products_configuration_example09186a0080a77592.shtml
http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
It depends on whether you use a chained or unchained cert... Following the links above will help you get the problem resolved!
Let me know if this answers your question!
Regards
Surendra