Securing network with ISE profiling HP devices

Hello

How can I create a profile for Hewlett Packard printers and allow them on the network without allowing any other HP device access? I want to allow only HP printers. I don't want to allow HP laptops, desktop computers, notebooks, etc.

I prefer not to allow them on the network using MAB.

Thank you

Bob

It is a common use case. The ISE Profiling Design Guide (see page 76) presents at least one way of doing this: using the NMAP Scan endpoint probe.
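The logic behind that answer, as an added example that is not part of the thread and not code from the ISE Profiling Design Guide: the OUI of the MAC address only proves "HP", so a policy keyed on the OUI alone would admit HP laptops as well. What separates a printer from a laptop is the evidence the NMAP Scan probe collects (open printer ports, the SNMP sysDescr). The certainty values, profile names, OUI table and sample endpoints below are assumptions chosen for illustration, not ISE's dictionary names or defaults.

```python
"""Added example: models how a profiler policy can tell HP printers from
other HP endpoints. Not from the original thread or from Cisco's guide.
Certainty values, names and the OUI table are illustrative assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed OUI table: first three MAC octets -> vendor (illustrative only).
OUI_VENDOR = {
    "00:1E:0B": "Hewlett Packard",
    "3C:D9:2B": "Hewlett Packard",
    "00:50:56": "VMware",
}

# Ports the NMAP probe typically finds open on a network printer
# (LPD, IPP, JetDirect raw) and strings a printer's SNMP sysDescr contains.
PRINTER_PORTS = {515, 631, 9100}
PRINTER_SYSDESCR_MARKERS = ("jetdirect", "laserjet", "officejet")

# Assumed minimum certainty for the HP-Printer policy. Ports alone (20) are
# deliberately not enough: a laptop running a print service also opens 631.
MIN_PRINTER_CERTAINTY = 30


@dataclass
class Endpoint:
    """Attributes the profiler has collected for one MAC address."""
    mac: str
    nmap_open_ports: set[int] = field(default_factory=set)
    snmp_sysdescr: str = ""


def oui_vendor(mac: str) -> str:
    prefix = mac.upper().replace("-", ":")[:8]
    return OUI_VENDOR.get(prefix, "Unknown")


def hp_printer_certainty(ep: Endpoint) -> int:
    """Add up the evidence that this HP endpoint is a printer."""
    if oui_vendor(ep.mac) != "Hewlett Packard":
        return 0
    certainty = 0
    if ep.nmap_open_ports & PRINTER_PORTS:
        certainty += 20
    descr = ep.snmp_sysdescr.lower()
    if any(marker in descr for marker in PRINTER_SYSDESCR_MARKERS):
        certainty += 30
    return certainty


def classify(ep: Endpoint) -> str:
    """Most specific matching profile: HP-Printer, HP-Device or Unknown."""
    if oui_vendor(ep.mac) != "Hewlett Packard":
        return "Unknown"
    if hp_printer_certainty(ep) >= MIN_PRINTER_CERTAINTY:
        return "HP-Printer"
    return "HP-Device"


def authorize(ep: Endpoint) -> str:
    """Only the HP-Printer profile is admitted; HP laptops, and HP printers
    the probe could not confirm, are denied (fail closed)."""
    return "PERMIT_PRINTER_VLAN" if classify(ep) == "HP-Printer" else "DENY"


# Constructed sample endpoints.
PRINTER = Endpoint("00:1E:0B:AA:BB:01", {80, 515, 9100},
                   "HP ETHERNET MULTI-ENVIRONMENT,ROM none,JETDIRECT,JD153")
HP_LAPTOP = Endpoint("3C:D9:2B:11:22:33", {135, 445, 3389})
HP_LAPTOP_WITH_IPP = Endpoint("3C:D9:2B:44:55:66", {631, 3389})
PRINTER_SNMP_BLOCKED = Endpoint("00:1E:0B:AA:BB:02", {9100})
VM = Endpoint("00:50:56:00:00:01", {22})

if __name__ == "__main__":
    for ep in (PRINTER, HP_LAPTOP, HP_LAPTOP_WITH_IPP, PRINTER_SNMP_BLOCKED, VM):
        print(f"{ep.mac}  {classify(ep):<10} "
              f"certainty={hp_printer_certainty(ep):>2}  {authorize(ep)}")
```

PRINTER_SNMP_BLOCKED is the case to plan for: a printer with SNMP disabled or with the scan filtered only reaches HP-Device and is denied. That is the safe direction, but it means such printers need another enrolment path (for example a static endpoint identity group) before they are switched on in production.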

Tags: Cisco Security

Similar Questions

  • "Unexpected error" occurs when you try to create a network with a WPA/WPA2 Enterprise security profile

    I recently started using Windows 7 x64 and I'm unable to create a network profile with WPA2-Enterprise security. I have an Intel PRO/Wireless 3945ABG wireless card with driver version 13.0.0.107. I had no trouble creating this network profile in Vista Ultimate x86, and I do not know what is causing the error.

    I went through the steps to create a network profile:
    1. 'Add' a network profile
    2. 'Manually create a network profile'
    3. Name the profile, then select WPA2-Enterprise with AES encryption

    When I click 'Next' to complete the configuration of the profile I just get a message that says:
    "An unexpected error has occurred."

    Has anyone experienced the same problem?

    Thanks to another post and help from Orgwizard, I traced it to Symantec Endpoint Protection. I had migrated from my old laptop using the Easy Transfer Wizard and did not reinstall MS, and instead used Microsoft Security Essentials. I deleted MSE, reinstalled MS, and everything is fine now!

  • Control access to the network with ACS device

    Hi all!

    I currently have in place a Cisco Secure ACS appliance using Windows as the main authentication server. Cisco Secure acts as a TACACS+ server. I have two groups defined in Cisco Secure: Netadmins and ITD Security. Users of the Netadmins group need access to all switches and routers on the network. ITD Security must only access async line 53 on a 2611 router, which is used for out-of-band access to a firewall, and have no other access to any network device. How can I limit access of the Cisco Secure ITD Security group to line 53 only?

    My current config on this router is:

    aaa new-model
    aaa authentication login netadmins group tacacs+ line
    aaa authentication login ITDSEC group tacacs+ line
    tacacs-server host 10.30.X.X
    tacacs-server host 10.18.X.X
    tacacs-server key XXXXXXX
    line 53
     no exec
     login authentication ITDSEC
     transport input all
     stopbits 1
     speed 115200
    line vty 0 4
     exec-timeout 30 0
     timeout login response 120
     login authentication netadmins

    but users in the ITD Security group can still log in on a vty and then reverse telnet to any async line on the router. In addition, ITD Security can still access any switch or router using telnet: what should my setup be on these devices? Or is this an ACS configuration?

    All other devices:

    aaa new-model
    aaa authentication login netadmins group tacacs+ line
    tacacs-server host 10.30.X.X
    tacacs-server host 10.18.X.X
    tacacs-server key XXXXXXX
    line con 0
     password 7 141C015C5806
     login authentication netadmins
    line vty 0 4
     password 7 11020A524310
     login authentication netadmins
    line vty 5 15
     password 7 11020A524310
     login authentication netadmins

    Any help will be greatly appreciated.

    Hello

    In the security group, I would create an IP-based Network Access Restriction (NAR) with a permit entry. Essentially, allow access to the single port on the 2611 only.

    The AAA Client field is the name that you gave to the 2611 in the network configuration. Address will be * unless you want to restrict access by source IP address. Port... never quite sure with async whether the port value must be "async 53" or "line 53".

    If you look in the passed/failed attempts for the nas-port attribute, you'll see what TACACS+ sends to the ACS. That should tell you what to put in the NAR.

    Mounira
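The NAR decision described in that reply, as an added example that is neither the thread's own text nor Cisco Secure ACS code: a group with a NAR is only permitted where an entry (AAA client, address, port) matches, and every other authentication for that group is denied. The device names, users, groups and source addresses are constructed. The assumption that IOS reports an async line in the TACACS+ port field as "tty<line>" is mine, and it is exactly what the passed/failed attempts report should be used to confirm; the port normaliser accepts the spellings the reply is unsure about.

```python
"""Added example: models a Cisco Secure ACS Network Access Restriction
(NAR). Not from the thread and not ACS code; names, addresses and the
"tty<line>" port format are assumptions for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class NarEntry:
    aaa_client: str   # device name in the ACS network configuration, or "*"
    address: str      # source address pattern, "*" for any
    port: str         # NAS port pattern, "*" for any


@dataclass(frozen=True)
class AuthAttempt:
    user: str
    group: str        # ACS group the user belongs to
    aaa_client: str
    source_addr: str
    nas_port: str     # port string as reported by the device


# "tty53", "Async 53", "line 53" and "async53" all denote the same line.
_PORT_RE = re.compile(r"^(?:tty|async|line)\s*(\d+)$", re.IGNORECASE)


def normalize_port(port: str) -> str:
    m = _PORT_RE.match(port.strip())
    return f"tty{m.group(1)}" if m else port.strip().lower()


def _matches(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern.lower() == value.lower()


# Constructed per-group NARs. Groups without an entry have no restriction.
GROUP_NARS: dict[str, list[NarEntry]] = {
    "ITD-Security": [NarEntry("fw-console-2611", "*", "tty53")],
}


def decide(attempt: AuthAttempt) -> str:
    """Return 'permit' or 'deny' for a user whose credentials already passed."""
    entries = GROUP_NARS.get(attempt.group)
    if not entries:
        return "permit"
    for e in entries:
        if (_matches(e.aaa_client, attempt.aaa_client)
                and _matches(e.address, attempt.source_addr)
                and _matches(normalize_port(e.port), normalize_port(attempt.nas_port))):
            return "permit"
    return "deny"


# Constructed attempts: the same ITD user on the firewall console line, on a
# VTY of the same router, and on a VTY of a core switch; plus a netadmin.
ATTEMPTS = [
    AuthAttempt("itd-user", "ITD-Security", "fw-console-2611", "10.20.0.5", "tty53"),
    AuthAttempt("itd-user", "ITD-Security", "fw-console-2611", "10.20.0.5", "Async 53"),
    AuthAttempt("itd-user", "ITD-Security", "fw-console-2611", "10.20.0.5", "tty130"),
    AuthAttempt("itd-user", "ITD-Security", "core-sw1", "10.20.0.5", "tty194"),
    AuthAttempt("netadmin", "Netadmins", "core-sw1", "10.20.0.7", "tty194"),
]

if __name__ == "__main__":
    for a in ATTEMPTS:
        print(f"{a.user:<9} {a.aaa_client:<16} {a.nas_port:<9} -> {decide(a)}")
```

Denying the VTY attempts is what closes the reverse-telnet path: the ITD user never obtains an exec shell from which to telnet to the async port, and the same NAR covers every other device the group is not entitled to. One IOS detail worth keeping in mind when relying on this: a method list such as "group tacacs+ line" falls through to the line password only when the TACACS+ server does not answer, not when it returns a deny, so the NAR decision stands as long as the ACS is reachable.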

  • Printer not connecting with secure network, OK on non-secure

    OfficeJet 4500 Wireless, Windows 7 64-bit, no error message

    Printer works fine on the unsecured network, but doesn't connect on the secure network. The printer's Network Setup page shows everything OK in both configurations, and the Wireless Network Test report shows all is OK on both networks.

    When I put my laptop and HP 4500 Wireless on my non-secure network, they work very well together. When I put them on my secure network, all the check reports are fine, but the printer will not see the laptop. The printer icon displays a yellow triangle but autofix does not help. No other PC is running on the network.

    Thanks in advance for any help.

    Ken

    What kind of security - WEP, WPA, WPA2? When you reconnect the printer, you must remove and re-add the printer in your Control Panel:

    1. Make sure the printer is on and connected to your network. Verify that you can access the printer's internal web page by browsing to its IP address before continuing. Get its IP address from a Network Test printed from the front panel of the printer.
    2. Click Start > Control Panel > Devices & Printers.
    3. Click Add a printer.
    4. Select Local printer.
    5. Select Create a new port, select Standard TCP/IP Port, and click Next.
    6. Under Device type, select TCP/IP Device. Under Hostname or IP address, enter the IP address of the printer. Click Next.
    7. Select Hewlett-Packard in the list of manufacturers and select your printer model. Click Next.
    If your printer model is not in the list, then select Have Disk, browse the CD that came with your HP printer and select the first file beginning with hp and ending with .INF. Click Open, then OK. Select your printer model. Click Next.
    8. If prompted, use the driver that is currently installed.
    9. It will ask for the name of the printer - enter a new name or use the existing one. This will be the name of the printer that you select from other applications.
    10. You may be asked to share the printer. Choose No.
    11. The Print Test Page screen is displayed. Go ahead and print it.
    12. Click Finish.

  • How to remove an application from a device with the Profile Manager?

    I use iOS 9.1 devices with Apple Configurator 2.1 and Profile Manager 5.0.15. Configurator locks the iPads and Profile Manager is used for app distribution. We are assigning apps to devices, which is a great feature. However, when I delete an application from a device with Profile Manager, the application does not remove itself. Profile Manager takes back the license and I can redistribute the app to another iPad even though the application is still installed and usable on the first iPad.

    Is this a bug? It seems that it should remove the app. If I remotely delete the management profile from the device, it removes the apps.

    Click on the gear icon, then Delete Apps, and select the application you want to remove.

    Initially, I did what you probably did, which was to select the name of the application and then press the 'minus', which removed the app from the list but did not remove it from the iPad; it just removed the license. Going through the gear icon to remove it removes it from the iPad.

    You may have already figured it out, but I found this post unanswered after two months, and once I found the answer, I thought I'd put it here.

  • Several devices on the network with the same name

    I want to install Windows 7 computers on a domain with Small Business Server 2003. Curiously, I see all the computers on the network, as I should be able to, but one of them, WK02011, is not accessible from any Windows 7 system because there are multiple devices with the same name on the network according to a diagnostic check. WK02011 is visible and accessible from other systems on the network that are running XP. I don't have this problem with any other XP system - that is, I can see and access all of the other XP machines on the network with the exception of WK02011. I can't access WK02011 from the server, and the server indicates that there are multiple devices with the same ID. Renaming the XP machine would be complicated because of having to re-set up the service for the customer and then turn around and install Windows 7 on the workstation in the coming days.

    How do I find the ghost duplicate device?

    Hello

    Your question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the Windows 7 TechNet forum. Please post your question in the TechNet forums. You can follow the link to your question:

  • All domain controllers are running Windows Server 2000 and the company wants to set up a more secure network server OS; will the company modernize the ADS?

    You are the network administrator for the abc.com domain. All domain controllers are running Windows Server 2000 and the company wants to set up a more secure network server OS. Will the company modernize the ADS?

    Please repost your request in the appropriate Windows Server forum. Thank you!

  • IP address conflicts in Windows 7, error "There is another device on the network with the same IP address".

    Original title: Win 7 IP address conflicts

    I just bought a used laptop; it had been wiped, and I made it mine as administrator, PC name willards pc and whatnot, but I keep getting knocked off the internet because of an IP address conflict saying that there is another device on the network with my address. I don't know how to fix it; can you please help me?

    Hi Willard,

    Welcome to Microsoft Community. I'm sure we will help you solve this problem.

    This problem could occur due to incorrect TCP/IP parameters.

    Try the steps listed here:

    Method 1:

    I suggest you reset TCP/IP and check if it helps.

    How to reset TCP/IP using the NetShell utility
    https://support.Microsoft.com/en-us/KB/299357

    Method 2:
    If the problem persists, I suggest you try the following steps to flush the DNS and request a new IP address from your ISP's server. Check if it helps.

    1. Click on Start and type cmd in Start Search.
    2. Right-click on Command Prompt, then select Run as administrator.
    3. At the command prompt, type the following commands and press Enter after each command.

    ipconfig /flushdns

    ipconfig /registerdns

    ipconfig /release

    ipconfig /renew

    exit

    Hope this information helps. Reply to the post with an updated status of the issue so that we can help you further.

  • ASA 5525-X AnyConnect configuration with ISE 2.1

    I have a new ISE 2.1 deployment which is used only for device administration at the moment. The intention is that it will serve as the RADIUS server for authentication of our VPN server.

    The 5525-X is a brand new ASA running 9.4 code. I want to configure VPN on the ASA so that each user is assigned a DAP based on their department.

    I already have the department designation for user accounts assigned in AD through group membership. I don't know how to get ISE to pass group membership to the ASA so that it can assign the user to the correct DAP based on that group membership.

    I have failed to determine how this is supposed to work. Thanks for any help.

    @Jonathan Harrison ,

    Normally we authenticate and authorize users and then push a dACL or permit access from ISE, etc., based on conditions in the authorization profile that check Posture results or parts of the user's identity (such as group membership in AD or another external identity store).

    There are a couple of good guides for doing so, including detailed examples:

    https://communities.Cisco.com/docs/doc-68158

    http://www.Cisco.com/c/en/us/support/docs/security/Adaptive-Security-app...

    http://www.Cisco.com/c/en/us/support/docs/security/AnyConnect-secure-mob...

    While they focus on the Posture use case, they can be adapted to add other uses. For example, an ISE authorization condition may be the result not only of a Posture check but also of membership in a given group or another, if you make it a condition.

    I do not think we can tell the ASA to apply a given DAP policy, since the HostScan module cannot be used at the same time as the ISE Posture module. However, you should be able to accomplish just about everything you used to depend on DAP for with the AnyConnect ISE Posture module (assuming you have AnyConnect 4.x Apex licenses).

    If you want to stick with the ASA DAP model, you can forgo using the ISE Posture module and policies and instead create an authorization profile (result) to send the ASA a RADIUS A-V pair based on a match (in the ISE authorization policy) with the AD group. There is a "Cisco-VPN-3000" A-V pair called "PIX7x-Member-Of" that can be used in ASA dynamic access policies. You can see it (and all other A-V pairs supported by ISE) here:

    https://communities.Cisco.com/docs/doc-67894

  • RADIUS authentication with ISE - wrong IP address

    Hello

    We use ISE for RADIUS authentication. I have set up a new Cisco switch stack at one of our branches and set up the network device in ISE. Unfortunately, when trying to authenticate, the ISE logs show a "Could not locate Network Device or AAA Client" failure; the reason for this failure is that the log shows the request coming from the wrong IP address. The IP address of the switch is 10.xxx.aaa.241, but the logs show that it is 10.xxx.aaa.243. I removed and re-added the RADIUS configs on ISE and the switch, but it is always .243. There is another switch stack at the location (same model, IOS etc.) which works correctly.

    The RADIUS config on the switch:

    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login Comm group radius local
    aaa authentication enable default
    aaa authorization exec default group radius if-authenticated

    ip radius source-interface Vlanyy
    radius server 10.xxx.yyy.zzz
     address ipv4 10.xxx.yyy.zzz auth-port 1812 acct-port 1813
     key 7 abcdefg

    The ISE log:

    Overview
    Event: 5405 RADIUS Request dropped
    Username:
    Endpoint ID:
    Endpoint Profile:
    Authorization Profile:

    Authentication Details
    Source Timestamp: 2014-07-30 08:48:51.923
    Received Timestamp: 2014-07-30 08:48:51.923
    Policy Server: ise
    Event: 5405 RADIUS Request dropped
    Failure Reason: 11007 Could not locate Network Device or AAA Client
    Resolution: Check whether the Network Device or AAA Client is configured in: Administration > Network Resources > Network Devices
    Root cause: Could not find the Network Device or AAA Client while accessing NAS by IP during authentication.
    Username:
    User Type:
    Endpoint ID:
    Endpoint Profile:
    IP Address:
    Identity Store:
    Identity Group:
    Audit Session ID:
    Authentication Method:
    Authentication Protocol:
    Service Type:
    Network Device:
    Device Type:
    Location:
    NAS IP Address: 10.xxx.aaa.243
    NAS Port ID: tty2
    NAS Port Type: Virtual
    Authorization Profile:
    Posture Status:
    Security Group:
    Response Time:

    Other Attributes
    ConfigVersionId: 107
    Device Port: 1645
    DestinationPort: 1812
    Protocol: Radius
    NAS-Port: 2
    AcsSessionID: ise1/186896437/1172639
    Device IP Address: 10.xxx.aaa.243
    CiscoAVPair:

    Steps
    11001 Received RADIUS Access-Request
    11017 RADIUS created a new session
    11007 Could not locate Network Device or AAA Client
    5405 RADIUS Request dropped

    As a test, I set up a device that uses the .243 address. While ISE claims that it authenticates, it really doesn't. I have to use my local account to access the device.

    Any advice on how to solve this problem would be appreciated.  Please let me know if you need more information.

    Beth

    Remove your (radius-server host 10.x.x.x... etc.) lines and try this command and see if the problem goes away. The new part is the non-standard keyword; see if that helps.

    radius-server host 10.xxx.xxx.xxx auth-port 1645 acct-port 1646 non-standard key *
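What ISE did with that request, rebuilt as an added example that is not part of the thread and not ISE code: it parsed the Access-Request and looked the sender up in the configured network device list. That lookup is keyed on the source IP of the UDP datagram ("Device IP Address" in the log), which on IOS is the address of whatever interface "ip radius source-interface" selects, not on the NAS-IP-Address attribute carried inside the packet. The addresses, the NAD list and the packet contents below are constructed; the step codes are the ones that appear in the log above.

```python
"""Added example: RADIUS Access-Request parsing plus an ISE-style network
device (NAD) lookup by datagram source address. Not from the thread and
not ISE code; addresses, NAD entries and the packet are constructed."""
from __future__ import annotations

import ipaddress
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, NAS_PORT_TYPE, NAS_PORT_ID = 1, 4, 5, 61, 87


def build_access_request(ident: int, attrs: list[tuple[int, bytes]]) -> bytes:
    """Encode an Access-Request: 20-byte header, then type/length/value AVPs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + os.urandom(16) + body  # random Request Authenticator


def parse_attrs(pkt: bytes) -> dict[int, bytes]:
    """Decode AVPs, rejecting truncated packets and malformed attributes."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = struct.unpack("!BB", pkt[pos:pos + 2])
        if l < 2 or pos + l > length:
            raise ValueError(f"bad length {l} for attribute {t}")
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    return attrs


def locate_nad(src_ip: str, nads: list[dict]) -> dict | None:
    """Match the datagram source address against NAD entries (host or subnet)."""
    ip = ipaddress.ip_address(src_ip)
    for nad in nads:
        if ip in ipaddress.ip_network(nad["ip"], strict=False):
            return nad
    return None


def evaluate(src_ip: str, pkt: bytes, nads: list[dict]) -> tuple[str, dict]:
    """Return the ISE-style step code and the details a log entry would show."""
    attrs = parse_attrs(pkt)
    details = {
        "device_ip": src_ip,
        "nas_ip_address": str(ipaddress.IPv4Address(attrs[NAS_IP_ADDRESS])),
        "nas_port_id": attrs.get(NAS_PORT_ID, b"").decode(),
        "user": attrs.get(USER_NAME, b"").decode(),
    }
    nad = locate_nad(src_ip, nads)
    if nad is None:
        return "11007 Could not locate Network Device or AAA Client", details
    details["network_device"] = nad["name"]
    return "11017 RADIUS created a new session", details


# Constructed scenario: the stack is registered in ISE as .241, but its Vlanyy
# SVI (the configured RADIUS source interface) carries .243.
SWITCH_SOURCE_IP = "10.1.1.243"
SAMPLE_REQUEST = build_access_request(42, [
    (USER_NAME, b"beth"),
    (NAS_IP_ADDRESS, ipaddress.IPv4Address(SWITCH_SOURCE_IP).packed),
    (NAS_PORT, struct.pack("!I", 2)),
    (NAS_PORT_TYPE, struct.pack("!I", 5)),   # 5 = Virtual
    (NAS_PORT_ID, b"tty2"),
])
NADS_AS_CONFIGURED = [{"name": "branch-stack-1", "ip": "10.1.1.241"}]
# Either fix works: register the address actually used, or cover the subnet.
NADS_FIXED = [{"name": "branch-stack-1", "ip": "10.1.1.240/29"}]

if __name__ == "__main__":
    for nads in (NADS_AS_CONFIGURED, NADS_FIXED):
        print(*evaluate(SWITCH_SOURCE_IP, SAMPLE_REQUEST, nads))
```

The check to run on the switch is which address Vlanyy carries (show ip interface brief); the fix is either to point ip radius source-interface at the interface that holds .241 or to register .243 in ISE. Changing the radius-server host line to the non-standard form does not alter the source address of the datagrams, so it cannot by itself clear an 11007.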

  • Compatibility of switches access with ISE

    Hi all

    I need some advice on which switch models to buy to support almost all of the features that ISE offers... Mainly...

    MAB, 802.1X, Web Auth, CoA, dACL, SGA...

    Now, I've been reviewing the Cisco 2960 switches and the datasheets advise that they support some features, but then when I look at the Cisco ISE Network Access Device compatibility list that was updated in December 2013... when you look under Cisco 2960, it advises that they support only 802.1X and MAB?

    I'm planning for the future deployment of ISE features to access switches in our network, but need to ensure that A) existing switches support these features and B) new switches that we buy will support these features.

    Is there a more accurate document available, or has someone had experience with the current Cisco 2960 switches and how well they work with ISE?

    Thank you

    Mario

    Take a look at this link instead:

    http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-2/compatibility/ise_sdt.html

    dACL and WebAuth (both local and central) are certainly supported. SGA/SGT isn't, though...

    Thanks for the note!

  • ISE profiling - need answers

    Hi Forumers

    I am looking for some answers about ISE profiling.

    I could use ISE to test an 802.1X wireless connection against an Active Directory external identity store.

    Somehow ISE, after enabling profiling in the deployment node configuration, as long as the device authenticates properly and enters the network, then shows all the MAC addresses found under Identity Management > Identities > Endpoints.

    My question is:

    01. Can 802.1X authentication be done without using external identity stores? So far I have only tested with Active Directory, but not with ISE Identities > Users.

    02. In an environment that doesn't use external identity stores for authentication, how do I know which MAC address belongs to whom?

    Thank you

    WPA-PSK terminates on the controller; there is no RADIUS because the key must match on the client and the controller. It is not a yes or a no to this question, because the design of WPA-PSK does not utilize a back-end service.

  • YouTube error, "An error occurred, please try again later". Something wrong with my profile, but what?

    My error problem is with my profile. A new profile fixes this problem.

    I can't switch to a new profile; it's just too much work to set up. I just want to know what is wrong in it.

    Video did not work in safe mode, so I can say that none of the add-ons are conflicting. I think that some about:config pref is bad, but which? You are much more experienced. Please give me a few pointers for this very frustrating problem.

    Thanks in advance.
    Kind regards.

    Hello, try resetting your customized preferences, starting with the network ones in about:config, and also turn security.mixed_content.block_display_content back to false.
    I also had this problem once and it could be addressed by removing the permissions.sqlite file in my profile folder...

  • Windows XP does not ask for password for a secure network, wifi not connecting. Says "validating identity".

    Have tried just about everything I can think of. The computer connected to secure networks before without problem.

    More information would be useful. Windows XP did not support WPA2 wireless encryption until SP3, so if you have not installed SP3 and try to authenticate on a WPA2-protected network, it may not work.

    Assuming that you do not have SP3 installed, try going into your wireless network configuration screen. (There are several different wireless configurations, including ZeroConfig, but we do not know which you are using.) Almost all of them save previous wireless connections in a 'profile' so that when the machine meets this wireless network again, it knows how to configure itself. Find the profile section of your configuration screen, look for the SSID of the router you are trying to connect to, and if you see it, delete that profile. This will allow your machine to reconnect to the wireless router with an open mind.

    HTH,
    JW

  • Dead server access with ISE

    Hello
    I'd like to know how to give access to users when ISE is dead.
    I'm asking because I'm using a pre-authentication ACL, so even with "authentication event server dead action authorize vlan XX", access will be limited, won't it?

    My pre-authentication ACL allows only ISE, DNS and DHCP requests.

    Kind regards.

    André-

    I'm afraid that you don't have a lot of options here. I have encountered this problem before during my deployments. The problem is that ISE is necessary in order to signal the switch to replace the pre-authorization ACL with a dACL. However, since ISE is not available, the switch can put endpoints into a VLAN, but you need another method to remove the pre-authorization ACL. In the past, I've accomplished this via one of the following:

    1. An EEM script that reconfigures the switch and sets the pre-authorization ACL to "permit ip any any" (or removes the pre-authorization ACL altogether) when/if the ISE servers become unavailable. I thought that this required the IP Services feature set, but looking at the following doc it looks like you could do it with IP Base too. I guess you can give it a try and see what happens :)

    http://www.Cisco.com/c/en/us/products/collateral/iOS-NX-OS-software/IOS-software-releases-12-2-special-early-deployments/product_bulletin_c25-614546.html

    Example EEM script:

    http://www.alcatron.NET/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.PDF

    2. The second method requires a converged access switch (3850, 3650). These switches can be configured with profiles where the pre-authorization ACL is replaced by a critical ACL when ISE is unreachable.

    I hope this helps!

    Thank you for rating useful posts!
