I have a question. I tried to search for the correct answer and even read some material about it, but I still don't have a full and crystal-clear overview of how 802.1X works.
In a lot of examples of 802.1X, they refer to 802.1X as Port-Based Authentication. They always put a Cisco switch as the intermediary device between the client and the RADIUS server. OK, that's fine, but
I want to fully understand it in a wireless environment with ISE as RADIUS, a WLC in the middle and several APs for connecting clients.
I want to know if the WLC is acting as the 802.1X switch in the middle, or if it is the ISE?
In other words, I'm quite confused because I thought 802.1X was configurable only on a physical switch wired to a workstation. Do you see what I'm saying?
I hear a lot from the IT guys at my work about ISE and 802.1X via wireless, but I still keep thinking that they are referring to the switch where the workstation is wired to the switch. But in wireless?
Is it the WLC performing the role of 802.1X, like the switch in the middle, or is it the ISE server doing the 802.1X?
I'm confused because I used to think that 802.1X is when you go to the interface of the switch and put in the commands and blah blah blah, but in a wireless infra, who is the 802.1X guy?
Can someone please explain it to me?
OK, thanks. I see what you're saying.
Honestly, I don't know why we got a Nexus 9K, 2 UCS blade chassis, one big NetApp, 2 x 6850 series switches. I will wait to see how they are going to deploy this infra. I thought the 6850 would not be used anymore, and instead of buying and spending a lot of money, they should have acquired the Nexus.
Well, anyway, these people are confusing me, haha. Thanks for your valuable time, Sir.
First, I apologize if this is not the way I'm supposed to be handling this type of question. If so, please let me know and direct me to the right channel.
I'm totally confused about this not-so-young Nexus, UCS, MDS, FC world, etc.
We have the following model (without Nexus OS):
Access layer: workstation PCs
Distribution layer (like an aggregation layer): 6500 series switches
Firewall protecting AD, DC, other services, etc. is connected to a server switch, and the server switch is connected to the 6500 switch
UCS with iSCSI communicating with NetApp for storage; UCS connected to the server switch
So that's my topology.
Now my question is: if we plan to use Nexus in the data center, will they be replacing our 6500?
Am I misunderstanding the NX model architecture?
Let's say I use a Nexus 9K in regular mode (not ACI mode); that will be like my aggregation layer or core, but only for servers, I mean like UCS clustering?
Will the 7K or 9K be used for connecting the workstation PCs (regular traffic: a user browsing YouTube, streaming, Internet access, intranet)?
Or will I still need to use the 6500 for data traffic and pass it through the Nexus devices?
I'm sorry, I plan to certify in this tech, but can someone explain how the Nexus really works?
Not just tell me to go to the Cisco web site; it does not show real scenarios in the real world.
For my topology, do I need to use MDS devices?
I know this is a very vague situation, but do you get my idea?
So when they say "Cisco Nexus Next Generation" is so powerful, is it referring to the data center but just for connecting servers, UCS, MDS?
They sell the idea of FCoE. OK, I understand the term, but can you give me an example or scenario where both data traffic and storage traffic are passing in a real infrastructure?
Why would I need FCoE if I have my separate Cat 6500 series and on the other side of the DC are the NX-OS devices?
Will that defeat the purpose?
Please give me some ideas; all of them are welcome. I need to grasp the idea to present to my upper-level team so they can see the real deal about this and possibly talk about migration.
I know that some are silly questions, but pardon me, since I know little about the famous Nexus family of products.
Noted on that, Claudia.
Now I understand what you mean: this is not going to replace system and network admins, but opens broader opportunities in programming skills at some point for better customer service.
Thank you so much. I'm now more interested in this type of tech, since I think that even if enterprises have the requirements to migrate to this, not all of them will; they are skeptical about moving forward because of how young a tech ACI is.
Having said that, I think the near future is pointing to cloud services as well.
I really want to thank you for this, and now I'm more eager to pursue a certification in this field.
Hello Experts of ACI,
I'm having a hard time understanding in depth what goes on behind the scenes with this new tech, so I decided to ask people who have experimented with and deployed this ACI infra to share a brief experience with me and get me out of the box so I fully understand what the ACI movement is about.
Please excuse me if this is not the way I'm supposed to be doing this; if so, refer me to the right channel or URL.
I have been doing a small bit of research about ACI; they say that Cisco is evolving and making a huge evolution in the data center world.
First, we had the traditional 3-tier model infra (individual administrators).
Second, we had the Nexus world, with the collapsed model where we unify the SAN with the LAN (effort in knowledge of LAN/DC and SAN admins).
Third, we had UCS, where we put those techs together and in place (systems and network knowledge is required, I think).
Now the trend is ACI, where they mention applications and provisioning, and then finally the cloud.
I know the ACI model is quite new, but here are my questions:
Can someone give me a real example of what they mean when they say "provision application" and "full visibility"?
What type of application are they talking about? Intranet sites and the web apps we mostly know we have in our enterprise?
Is it true that if we want to learn ACI, we need to develop skills for programming web apps, applications from scratch?
Will ACI be the future job killer for most system and network admins, now that a web developer can simply deploy via GUI from the app components to the server and network infra requirements?
I'm quite confused, since we traditionally start with the routing and switching curricula, then we move to either security or service provider, and finally we decide to go to data center trends, but then you realize that in order to fully deploy all these pieces together, you have to have concepts of everything: R&S, WAN tech, SP tech, security tech, data center tech and finally development techs.
Now that I have CCNP R&S and Security, I have to start learning programming?
So, does that make sense? I know a lot of people do not like programming, nor starting to learn how to develop a web site, since it involves databases as well, but that's why I'm asking you guys, the ones that have experimented with this:
Is the myth becoming true?
Or am I getting the concept completely wrong?
How has your experience been with that? Have you developed applications from zero and deployed them southbound from a 9K?
How is that?
Please, if someone can give me a slap and make me understand all the nitty-gritty behind the scenes, I will really appreciate it, since I'm totally confused with these rapid changes overall.
I have some simple questions related to the UCS deployment. I'm quite new to DC storage; I'm more oriented to routing and switching, so apologies for the silly questions.
So, we have a UCS-FI-M-6324 with 2 FIs, I guess.
Is the Fabric Interconnect the same physical device as what we call the I/O modules in the UCS world?
Second question: please consider the following topology:
The topology is the UCS connected to a 4948 switch, and this 4948 switch is then connected to the physical device called NetApp for storage.
(Please keep in mind that this whole chain has redundancy: 2 cables from the UCS to 2 4948 switches, and these switches separately run a cable to the individual NICs of the NetApp, for redundancy.)
So, in the UCS world, will this UCS run without the use of the FC or FCoE protocol world? We do not have any Nexus, just the UCS connected to regular Cat OS.
I guess my confusion is the fact that when we talk about UCS, the Nexus came to my mind as well, so I correlated them, thinking that if you want to use UCS, then you have to have Nexus.
Well, feel free to ask me if you think my questions are not clear.
Yes, I think the order of operations is what is driving me crazy. I'm testing now, and so far so good.
What the problem was is that the old RADIUS was still active, so I deleted the entire config without losing the SSH session and started fresh, as if there was nothing there about AAA.
So, as you guys suggested, that was the last thing, and I made sure everything was accepted.
I tried what you suggested and changed the name:
aaa authentication enable console ACS-SERVER LOCAL
aaa authentication http console ACS-SERVER LOCAL
aaa authentication ssh console ACS-SERVER LOCAL
aaa authentication telnet console ACS-SERVER LOCAL
but whenever I entered:
aaa authorization command ACS-SERVER LOCAL
!
aaa accounting enable console ACS-SERVER
aaa accounting ssh console ACS-SERVER
aaa accounting telnet console ACS-SERVER
aaa accounting command privilege 15 ACS-SERVER
I got stuck and then moved physically to the console port.
The method for reloading is OK if I were not able to access via console, but for now I'm not using it, since I think there is no need to reload, as I'm near the rack where the ASA is mounted.
Does anybody know how to modify the settings for the AAA config on a Cisco ASA?
Currently, I have a Cisco ASA 5520; it's configured with RADIUS. Below is the current config:
aaa-server Radius_RSA protocol radius
aaa-server Radius_RSA (inside) host 192.168.1.100
aaa authentication telnet console Radius_RSA LOCAL
aaa authentication ssh console Radius_RSA LOCAL
aaa authentication http console Radius_RSA LOCAL
Now, what I want is to enter the following:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.168.1.200 key cisco
aaa authentication enable console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+
aaa accounting telnet console TACACS+
What I have tried:
1- I removed the previous config in the following order:
no aaa-server Radius_RSA (inside) host 192.168.1.100
no aaa authentication telnet console Radius_RSA LOCAL
no aaa authentication ssh console Radius_RSA LOCAL
no aaa authentication http console Radius_RSA LOCAL
As of now, I'm still connected to the device,
but then when I enter the TACACS+ config, I'm unable to connect again.
Sorry if this explanation confuses things more.
Basically, what I want is to be able to remove the RADIUS and apply the new script for TACACS+ while still being able to log in next time, because when I enter the commands I get multiple errors like "range already exists" or errors like "authorization fails",
then I'm stuck and have to check via console.
So, any advice?
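As an added example (not the original poster's config and not taken from Cisco documentation), this is the order in which I would stage the same RADIUS-to-TACACS+ change on an ASA so that a typo, a bad shared secret or an unreachable server cannot lock you out. The group name ACS-SERVER, the host 192.168.1.200 and the key come from the thread; the local account name and both passwords are placeholders I assumed. Do everything from an SSH session you keep open, with the console cable at hand.

```text
! Added example, not the poster's running config. Names, addresses and
! secrets are placeholders; adapt them to your environment.

! 1. Make sure a privileged local fallback account exists before touching aaa.
username admin password StrongLocalPassword privilege 15

! 2. Add the TACACS+ group next to the existing RADIUS group. Nothing uses it yet.
aaa-server ACS-SERVER protocol tacacs+
aaa-server ACS-SERVER (inside) host 192.168.1.200
 key cisco
 exit

! 3. Prove the server answers before any login path depends on it.
test aaa-server authentication ACS-SERVER host 192.168.1.200 username admin password TacacsPassword

! 4. Move authentication over one service at a time, keeping LOCAL as fallback.
!    LOCAL is only consulted when the whole group is unreachable, not when the
!    server rejects the user, which is why step 3 matters. The session you are
!    in survives these changes; only new logins are affected.
no aaa authentication ssh console Radius_RSA LOCAL
aaa authentication ssh console ACS-SERVER LOCAL
no aaa authentication http console Radius_RSA LOCAL
aaa authentication http console ACS-SERVER LOCAL
no aaa authentication telnet console Radius_RSA LOCAL
aaa authentication telnet console ACS-SERVER LOCAL
aaa authentication enable console ACS-SERVER LOCAL

! 5. Open a SECOND SSH session and log in with a TACACS+ account. Do not
!    continue until that works; the first session is your way back.

! 6. Only now turn on command authorization and accounting. The TACACS+ user
!    must already be permitted the commands on the server side, otherwise
!    every command typed after this line is denied.
aaa authorization command ACS-SERVER LOCAL
aaa accounting command privilege 15 ACS-SERVER
aaa accounting enable console ACS-SERVER
aaa accounting ssh console ACS-SERVER
aaa accounting telnet console ACS-SERVER

! 7. Remove the RADIUS group last, once the new path is verified, then save.
clear configure aaa-server Radius_RSA
write memory
```

The two things that most often cause the "stuck, walk to the console" moment are doing step 6 before step 5, and removing the old group before the new one has been tested. Keeping the RADIUS group defined until the end costs nothing, because no login method references it once step 4 is complete.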
I hope you have seen this behavior; if not, please share your ideas. We have a deployment of one PAN and 6 PSN nodes across multiple regions in the world.
Each location has its own WLC 8500 series, and we have ISE 2.0.
Each WLC redirects the endpoint request to the PAN; the PAN acts as the main central RADIUS.
At all sites/branches, the URL redirection portal works fine. In other words, when an endpoint user joins the open Guest SSID, it gets the DHCP settings, and when they open or go to any web site, it automatically redirects to the SSL certificate warning; they click Continue and then get the portal credentials page.
However, on Google Chrome, it does not open; instead, when they type any web site into the address bar, http or https, it automatically opens a new tab saying gstatic.com/generate_204 and keeps trying until it shows a Connect button, but it does not do anything.
What could be the culprit of this crap URL redirection?
We created another WLAN; still the same behavior.
Under the same SSID, we set up a local web auth redirection portal; the same behavior.
Please check the attached file and you will see what I'm saying.
Updated Chrome, and it does not work on Windows 7.
On Windows 10, sometimes it works and sometimes it does not.
On Chromebooks, one works and the other one does not work on the first attempt.
Debugged the client MAC address for the endpoint that works and for the one that does not. Checked everything, and they have the same thing. TAC says that the endpoint receives the URL, but for some reason Chrome stops the process and starts the redirection to the gstatic.com web site.
Did a comparison with Firefox, IE and Microsoft Edge, and debugged Chrome with the same and other laptops, and the same config appeared, as per Cisco TAC.
They could not determine right away if this was a problem with the WLC or the Chrome app. But I do know that it should be compatible with all top browsers like Chrome.
Why does it not work on one WLC if the solution and design was to have the same config across all regions?
Only one branch does not work; the other ones work fine.
I registered one AP on another WLC and it worked fine.
Another region registered their AP with their own WLC, and the first time they got the gstatic.com web site.
Is the WLC faulty, or what?
Please help. What else could I try to prove it is the WLC config, or that it is damaged or corrupted? It is very weird, because as I mentioned before, it works fine on Firefox, IE, Opera, etc., except Google Chrome and Chrome OS, but only at this site, and others say they have not experienced this issue.
Thank you for your help,