The ISE Cisco switch configuration

Hi experts,

I got the following network:

Devices-> switch access-->--> access switch central office switch-> ISE Server

All switches are capable IOS for the 802. 1 X and configurations of AAA for ISE to manage network devices. However, I read in the guide on the configuration of the switches in preparation for the deployment of the ISE of CIsco, but I wonder what should I configure switches for access and basic switches or only configure the switches for access to EHT?

Thanks for your time to read!

If all clients are non-DHCP clients, then no configuration is based or distribution at all.

But you may need to search different options of profiling, if the customers are not active DHCP. Access switch supports the function of detection IOS? Would be very useful to have such a that it would send important profiling information at ISE. You may need to use the right options for ISE of profiling to determine the details of the endpoint.

Concerning

Vivek

Tags: Cisco Security

Similar Questions

Configs ISE Cisco switch

I guess Cisco ISE sends a redirect to URL to the switch and switch, it presents to the customer in the case of access comments get a redirect URL with acceptance of the user (guests and not wired) Page.

My question is, do we need to configure the server http and https on the switches (both pleading and authenticator)?

I don't know that it will take a confirmation, but just wanted to...

I checked the configuration for the supplicant and authenticator of ISE switches, and there no where not mentioned this part of the config.

http://www.Cisco.com/en/us/docs/security/ISE/1.0/user_guide/ise10_troubleshooting.html (a redirect to URL and possible cause problem is mentioned) - make sure that the config is necessary.

http://www.Cisco.com/c/en/us/TD/docs/switches/LAN/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_010000.html

(the begging and authenticator switch configuration) - mentioned anywhere in the configuration of http/https for the two switches.

Yes, his need. The http/s server in the swtich is used to retrieve the user http traffic and redirect the traffic to the CWA portal, or a registration portal device or even for the portal of integrated Mobile Device Management (MDM). .

IP http server

IP http secure server

The info below, I caught Cisco ISE for BYOD and book secure access unified.

"Organization many want if ensure that this referral process to aid internal HTTP Server switch is dissociated from the management of the switch itself, in order to limit the risk of the user interacts with the intervace plan a switch of control and management." This can be accomplished by connecting the two following commands in global configuration mode:

active session modules IP http no

"IP http secure-active-session-modules no".

GANYMEDE + with 3560 cisco switch configuration issue

Hi Forum,

Here's my setup GANYMEDE + on my cisco 3560 switch and my question is, how can I configure the switch, if I would not type enable after I put the user name and password? with configs below, users will need to type activate whenever they connect to the switch in order to enter the user exec mode. Please let me know if there is something missing in my configs to help me avoid typing 'enable '.

Thanks in advance,

MacBookAir: ~ MacBook$ ssh [email protected]/ * /.

Password:

Switch > en

Switch #show run | include the aaa

AAA new-model

AAA server Ganymede group + mpcc

AAA authentication login default group Ganymede + local

activate the default AAA authentication no

AAA authorization exec default group Ganymede + authenticated if

AAA authorization commands 1 default group Ganymede + authenticated if

AAA authorization commands 15 default group Ganymede + authenticated if

start-stop radius group AAA accounting dot1x default

AAA accounting exec default start-stop Ganymede group.

orders accounting AAA 1 by default start-stop Ganymede group.

orders accounting AAA 15 by default start-stop Ganymede group.

AAA accounting system default start-stop Ganymede group.

AAA server RADIUS Dynamics-author

AAA - the id of the joint session

Switch #.

Hello

Add the level of privilege 15 control VTY line configuration.
```
 line vty 0 4 [..] privilege level 15 ! 
```
Concerning

Check the ISE for the VPN Cisco posture

Hello community,

first of all thank you for taking the time to read my post. I have a deployment in which requires the characteristic posture of controls for machines of VPN Cisco ISE. I know that logically once a machine on the LAN, Cisco ISE can detect and apply controls posture on clients with the Anyconnect agent but what about VPN machines? The VPN will end via a VPN concentrator, which then connects to an ASA5555X that is deployed as an IPS only. Are there clues to this?

Thank you!

The Cisco ASA Version 9.2.1 supports the change in RADIUS authorization (CoA) (RFC 5176). This allows for the gesticulations of users against the ISE Cisco VPN without the need of an IPN. Once a VPN user connects, the ASA redirects web traffic to the LSE, where the user is configured with a Network Admission Control (NAC) or Web Agent. The agent performs specific controls on the user's computer to determine its conformity against one together configured posture rules, such as the rules of operating system (OS) patches, AntiVirus, registry, Application, or Service.

The posture validation results are then sent to the ISE. If the machine is considered the complaint, then the ISE can send a RADIUS CoA to the ASA with the new set of authorization policies. After validation of the successful posture and CoA, the user is allowed to access internal resources.

http://www.Cisco.com/c/en/us/support/docs/security/Adaptive-Security-Appliance-ASA-software/117693-configure-ASA-00.html

Adding the iSCSI network switch

Hello

We have an iSCSI network for guests of vSphere 5.1 EQL boxes. The network is 192.168.0.0/24, we use the switches PC5548 and we have three groups EQL. Everything is configured following best practices from DELL, and everything is kind of okay job.

Since we are affected by the poor performance of our SQL servers virtualized and troubleshooting led switches as a guilty suspect I want to try to use other switches to know.

So I intend to add a pair of parallel to the PC5548 cisco switches and connect a host and a group of PS to those (where the SQL VM reside) and see the difference, but my question is that I can use the same network 192.168.0.0. / 24 although cisco and dell switches are not physically connected. VMotion work?

You shouldn't use the entry level switches with 10 tables. The interlink trunk has 80% of eql bandwidh. You can consider buying Dell Force10 switches with buffers of large size and low latency.

Kind regards

Joerg

Cisco ISE and the fast user switching

Greetings,

In our deployment, we are interested in using the "fast user switching" which lies in the functionality of Windows. After searching for a while, I see that the native Windows supplicant is not compatible with the fast user switching. It does not appear that Anyconnect is either. Can you please inform me as to what suppluicant, I need research to enable the functionality of Switchign user?

We currently use ISE 1.2 Patch 4.

Thank you for any assistance.

David

Cisco EHT NAC Agent does not support Windows fast user change when you use the native supplicant. This is because there is not clearly the older user disconnecting. When a new user is sent, the Agent is hung on the ID process and the old user session and therefore a new posture cannot take place. According to Microsoft Security policy, it is recommended to disable the fast user switching.

Source:

http://www.Cisco.com/en/us/docs/security/ISE/1.2/user_guide/ise_pos_pol.html

Cisco Catalyst 2960-S switch configured for 802. 1 x sends a query to access the Radius Server Radius

Setup

Cisco Catalyst 2960-S running 15.0.2 - SE8

Under Centos freeRadius 6.4 RADIUS server

Client (supplicant) running Windows 7

When Windows client is connected to the port (port 12 in my setup) with authentication of 802. 1 x active switch, show of Wireshark that catalyst sends ask EAP and the client responds with EAP response. But it made not the request to the Radius server. The RADIUS test utility 'aaa RADIUS testuser password new-code test group' works.
Here is my config running. Any advice would be greatly appreciated.
#show running mySwitch-
mySwitch #show running-config
Building configuration...

Current configuration: 2094 bytes
!
version 12.2
no service button
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
hostname myswitch
!
boot-start-marker
boot-end-marker
!
activate the password secret 5 $1$ Z1z6$ kqvVYRQdVRZ0h8aDTV5DR0 enable password!
!
!
AAA new-model
!
!
AAA dot1x group group radius aaa accounting dot1x default start-stop radius authentication group!
!
!
AAA - the id of the joint session
1 supply ws-c2960s-24ts-l switch
!
!
!
!
!
control-dot1x system-auth
pvst spanning-tree mode
spanning tree extend id-system
!
!
!
!
internal allocation policy of VLAN no ascendant interface FastEthernet0 no stop ip address!
GigabitEthernet1/0/1 interface
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
switchport mode access
Auto control of the port of authentication
dot1x EAP authenticator
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
IP 10.1.2.12 255.255.255.0
!
IP http server
IP http secure server
activate the IP sla response alerts
recording of debug trap
10.1.2.1 host connection tcp port 514 RADIUS-server host 10.1.2.1 transport auth-port 1812 acct-port 1646 timeout 3 retransmit testing123 key 3.
Line con 0
line vty 0 4
password password
line vty 5 15
password password
!
end

interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20

Have you run wireshark on the server because the request to switch? If so you make sure that there is a response from the server? For Windows network POLICY Server (I've never tried Centos), you must ensure that the request is related to a policy which then authenticates, or denies access. Usually, it is a matter of such attributes and the seller.

Regarding the configuration, it seems a bit out of the AAA. Try to remove the:

line "aaa dot1x group service radius authentication" and this by using instead:

"aaa dot1x default radius authentication group". After the dot1x word you are supposed to provide a list of the authentication or the default Word if you do not want to use a list.

The Switch configuration and Wi - fi router in the same network

Hi team,

I have here is the configuration currently as below in the image. To describe the same internet cable is connected to a Cisco switch, which is connected to the PC in LAN (wired). A switch output is connected to the entrance of the wireless router Netgear Nighthawk AC 1900 Smart model of WiFi router # R6900. Wireless devices (laptop) are connected by the router.

Each device has internet access. However, I am unable to run software LAN or unable to share any file of devices connected to the switch to the connected wireless devices. I can't ping any device the device wireless wired.

Can anyone suggest what are the settings that I should do or what are the steps I should follow that will make wireless and wired devices in the same network.

PS Plus early I tried the internet connection to the wireless router and then out of the router to pass, which has solved this problem. But slowing down my internet speed in wired devices. So, is it possible to have all devices in the network even with the current configuration?

Thanks in advance.

Best,

Hardik

I made wi - fi router reset hardware and configured in Access Point mode, that solved my problem.

To the main unit Infrastructure Cisco switch port

Hello.

I had a doubt as to the Port of the Switch in my Cisco Switch for a camera of the first Infrastructure.

This port must be a Switchport to access or a Switchport Trunk?

What is your recommendation on this subject? What is best practice?

Thank you very much.

Access port should work fine. You do not configure a VLAN on the device itself, just the IP address / subnet and default gateway.

Thank you

Ric

Configuration Wireless 3G as online backup with cisco switch layer 3?

Hi all

We have an existing GPRS modems for data transfer between 2 different sites, this connection is a bit slow to no more than approximately 114 Kbps, the idea is to add a 3G modem, so the solution will be based on a two-way communication lines which are 3G network and the GPRS network.

The line GPRS will be the main and 3G will be secondary, this redundancy offers a high level of availability of communication between the two sites.

is it possible to configure this redundancy with a cisco switch layer 3? If this is the case do you have a tutorial or a link which explain how to do this work with a layer switch 3 ciso?

all information will be useful for me, thanks

Hello

The config is one provided by anisaini, but you need to change your NAT like this:

IP nat inside source MAIN interface map route x/x main interface

IP nat inside source route-map interface o/o interface secondary SCHOOL

Interior int z/z interface

IP nat inside

int x/x

NAT outside IP

int y/y

NAT outside IP

access-list 99

permit x.x.x.x y.y.y.y where x.x.x.x is your home subnet addresses and y.y.y.y is the corresponding generic mask

PRIMARY route map

match ip add 99

match interface x/x

SECONDARY route map

match ip add 99

game interface y/y

Concerning

Alain

Remember messages useful rate.

The 300 series switches are compatible with detection of PoE before standard in old phones Cisco?

The 300 series switches are compatible with detection of PoE before standard in old phones Cisco? They don't seem to be (7902G don't turn on when it is connected to a SF302-08MP with firmware version 1.1). What no need special configuration on the switch to enable this detection?

Please note that the switches of the series 200 and 300 are now supported POE Legacy Cisco from September 2011, to provide power to 7960, 7940 and other phones standard pre and APs. Details on the following link:

https://supportforums.Cisco.com/docs/doc-18337

The incomplete 1941W Cisco router configuration

Good day all.

I was running a business of small ecommerce for the last 5 years on a Linksys wireless router. Now that I have more than 14 posts and 6 networked printers, it was time to take a step towards the top.

I bought a 1941W SRI CISCO to take us to the Gigabit speed in the next decade with a CISCO switch. I assume that the 1941W, although robust with scalability, would provide the installation of it, simple as the product Linksys (Cisco) or at least a simple 1-2-3 How to get basic connections made. I was wrong and now I find that I have some difficulty to negotiate Internet on the router again.

Included below is my config NVRAM. I hope someone could tell where I can have a few gaps in my config.

Please note: this config is derived from an example on the net that seemed simple enough, so if you find yourself asking, "why did do that?", I hope that this provides the perspective.

TEST router configuration
28/07/2010

Objective: Complete the basic configuration to connect (and ping) to the internet
Problem: Cannot conect to the internet; Incomplete suspected configuration; Maybe bad config NAT or DNS issue
Comments: In the process.

TEXT OF HYPERTERMINAL CONNECTION TO THE CONSOLE:

User access audit

User name: admin
Password:

TESTROUTER > activate
Password:
TESTROUTER #ping 8.8.8.8

Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 8.8.8.8, time-out is 2 seconds:
.....
Success rate is 0% (0/5)

TESTROUTER #show config
With the help of 2615 off 262136 bytes
!
! 01:33:34 CST configuration was last modified Thursday, July 29, 2010 by admin
!
version 15.0
no service button
tcp KeepAlive-component snap-in service
a tcp-KeepAlive-quick service
horodateurs service debug datetime msec show-time zone
horodateurs service log datetime msec show-time zone
encryption password service
!
hostname TESTROUTER
!
boot-start-marker
boot-end-marker
!
logging buffered 16000
recording console critical
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXX
enable password 7 XXXXXXXXXXXXXXXX
!
AAA new-model
!
!
AAA authentication login default local
the AAA authentication enable default
!
!
!
!
!
AAA - the id of the joint session
iomem 10 memory size
clock timezone CST - 6
Service-module wlan-ap 0 autonomous bootimage
!
No ipv6 cef
no ip source route
inaccessible 2000 IP icmp rate-limit
IP icmp rate-limit unreachable DF 2000
IP cef
!
!
!
!
no ip bootp Server
no ip domain search
8.8.8.8 IP name-server
IP-server names 8.8.4.4
name of the IP-server 209.18.47.61
name of the IP-server 209.18.47.62
Authenticated MultiLink bundle-name Panel
!
!
!
license udi pid CISCO1941W-A/K9 sn XXXXXXXXXXX
ISM HW-module 0
!
!
!
admin password username 7 XXXXXXXXXXXX
!
!
!
!
!
!
interface GigabitEthernet0/Wlan-0
Description interface connecting to the AP the switch embedded internal
Shutdown
!
interface GigabitEthernet0/0
Description of connection to the internet to transfer Ethernet/fiber TWC (ISP)
address IP AA. BB. CC.149 255.255.255.0
IP access-group 115 to
no ip unreachable
no ip proxy-arp
NAT outside IP
IP virtual-reassembly
no ip-cache cef route
no ip route cache
automatic duplex
automatic speed
No cdp enable
!
wlan-ap0 interface
description of the Service interface module to manage the embedded AP
no ip address
ARP timeout 0
No mop enabled
No mop sysid
!
interface GigabitEthernet0/1
Internal description of the connection to the local network
IP 10.10.10.1 255.255.255.0
IP access-group 116 to
no ip proxy-arp
IP nat inside
IP virtual-reassembly
no ip-cache cef route
no ip route cache
automatic duplex
automatic speed
No cdp enable
No mop enabled
!
interface Vlan1
no ip address
Shutdown
!
IP forward-Protocol ND
!
no ip address of the http server
no ip http secure server
!
IP nat inside source list 1 interface GigabitEthernet0/0 overload
IP route 0.0.0.0 0.0.0.0 AA. ABM CC.1
IP route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 115 deny ip 127.0.0.0 0.255.255.255 everything
!
not run cdp

!
!
control plan
!
!
Line con 0
line to 0
line 67
no activation-character
No exec
preferred no transport
transport of entry all
transport output pad rlogin lapb - your MOP v120 udptn ssh telnet
line vty 0 4
password 7 XXXXXXXXXXXXXX
!
Scheduler allocate 20000 1000
end

TESTROUTER #.

END OF HYPERTERMIAL TO THE TEXT OF THE CONSOLE

Thanks in advance to those who consider a response.

Daniel

Daniel

You have a LCD 115 on the external interface and it is just a line in this acl which is a refusal. Be aware that an acl has implicit deny all the end anyway so basically that this acl blocking all incoming which responses return icmp (ping) traffic. Because you run the command ping to the router using an IP address not not a DNS then NAT or DNS name is a problem at present.

I suggest that rewrite you the acl - 115

access-list 115 permit icmp host 8.8.8.8 entire echo response

and test again with your ping. If it works then it's the acl that is the problem and you need to write your acl so that is what you want to allow before that you want to deny.

Jon

Turn on the mtu on cisco switch and cisco user server

Hi all
someone got bad luck turning on the mtu on their cisco switch? I guess I need to turn it on for all because the command is for all ports on cisco catalyst and my server switch is nearby to my user of switches and a broadband bandwidth 6 G or 6 ports, I need to turn it on for all user ports?
Thanks for any comments, that you can add.

I assume you mean Jumbo frame support! You shouldn't have any problems with that. Please take a look at for example http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_example09186a008010edab.shtml for more details and the configuration of the different switches. According to the model, the parameters are for dedicated ports only or the entire switch. In the case of the switch everything you will need to reload (reboot) switch, so be careful.

André

The virtual switch configuration

Hello
I configured Vswitch on ESX4.0 connected with a teddy bear.
There are Cisco catalyst 4503 L3 switch configured with several VLANS at the other end. I have configured the switch port trunk with dot1q encap mode that ends on the ESX4.0 server. Service console is configured with IP default VLAN, which is accessible from the other VIRTUAL networks. One of the virtual machine with Win2k3 OS is installed, but after configuration, I am not able to ping default gateway of VLAN respective or any other property intellectual VLAN.
Can anyone guide me where I go wrong and how to correct the problem?

Set the Group of ports to the VLAN specific you want the virtual machine to be on. Do not put any VLAN ID in the virtual machine, just plug it into the port group. If you have other virtual machines, or other on this virtual machine network interface cards that need to connect to the other VLAN create other Port groups for each VIRTUAL local area network required.

IviSwitch loses value when sending, "configure the switch" configuration = TRUE

Hi all

We are currently assessing Teststand 4.1 with a multimeter keithley 3706 switch system.

After a first enthusiasm, thinking this tool with the meter switch fits perfectly our needs, real life seems difficult.

Between several other problems, we must say to the device, the channel "s1com1" and "s1com2" are strings of configuration.

Configure the teststand step: change the switch step IVI-> IVI, switching, configuration switch: channels "s1com1" Configuration = True

led to observable in both actions in Ni Spy:

GetAttributeViBoolean (..., "s1com1", _IS_CONFIGURATION_CHANNEL, VI_FALSE)

SetAttributeViBoolean (..., "s1com1", _IS_CONFIGURATION_CHANNEL, VI_FALSE)

manually call to this function of the interactive a CVI fp class works as expected (the VI_TRUE updated)

Is there any hint that we could do wrong? Currently, we are just before writing wrappers in cvi and jump all the wonderful Types of IVIStep in teststand.

Looking forward to any comments

David Clus

David-

This would have the same problem we discovered recently in our internal tests. For the problem that we found, we will probably include our fix in a next corrective patch. You can check if the problem persists if you change your locale in English in the control panel? If the problem no longer occurs, can you use this as a workaround for now?

The ISE Cisco switch configuration

Similar Questions

Maybe you are looking for