Wanted to follow up on the solution. The issue is the following: management-access Inside-166. That command allows me access to the 192.168.166.1 address for management purposes, but the 55.5 address is not accessible. If I change the management-access command to Inside instead of Inside-166, then the 55.5 address is available for ICMP. Once I set up OSPF on the opposite side of the 55.x, then I could reach the opposing side but still could not manage the 55.5. So AnyConnect was not broken, just giving a false representation of broken based on ignorance.
I think a more detailed answer here is required. Let's go back to the basics of VLAN tags and what the end devices know. Imagine the g0/1 is used by a laptop. That laptop has no clue as to what VLAN it is on. Why? The switch never notifies it of the VLAN; the laptop wouldn't even know what to do with it because it's irrelevant to it. When packets enter the switchport they are tagged. When they leave the switchport they are untagged. The same rule applies to two switches with access ports. As the frames leave an interface the tag is stripped, and as they enter it is added. So by all rights both switches are performing the same function, considering the other an end device. This is why they are able to communicate.

As for the trunk port, a trunk cannot communicate with an access port because (let's assume dot1q tagging) trunks tag packets with dot1q tags and the access port can't interpret those. One thing to consider (it might be possible, I have not tested this) is if the access port and the native VLAN on the trunk port were the same (both VLAN 6). I think the trunk would have to be forced into "nonegotiate" in order for this to work. Not sure, never tested it or considered it till now. Trunk allowed VLANs do not need to match. From a hierarchy perspective the upstream switch can limit the VLANs manually and the downstream switch can be left as a default trunk. This will work.
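To make the access/trunk reasoning in the post above concrete, here is an added example (not code from the post or its author) that models, at the byte level, what an access port and an 802.1Q trunk port do to a frame on egress and ingress, and then runs the cases discussed: access to access, trunk to access, and a trunk whose native VLAN matches the access VLAN. The frames, MAC addresses and port objects are all constructed here, and the access-port model is simplified to "tagged frames are dropped on ingress" (an assumption of this model, not a claim about any particular switch).

```python
# Added example: byte-level model of 802.1Q tagging at access and trunk ports.
# Not code from the original post. Frames, addresses and ports are constructed;
# access-port ingress is simplified to "drop anything tagged" (assumption).
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

TPID_8021Q = 0x8100


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan: Optional[int]   # None = no 802.1Q header on the wire
    payload: bytes        # EtherType + data

    def to_bytes(self) -> bytes:
        hdr = self.dst + self.src
        if self.vlan is not None:
            # TPID 0x8100 followed by the TCI; PCP and DEI are left at zero
            hdr += struct.pack("!HH", TPID_8021Q, self.vlan & 0x0FFF)
        return hdr + self.payload


def parse_frame(raw: bytes) -> Frame:
    """Decode a wire frame, recognising an 802.1Q header if one is present."""
    dst, src = raw[:6], raw[6:12]
    if struct.unpack("!H", raw[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", raw[14:16])[0]
        return Frame(dst, src, tci & 0x0FFF, raw[16:])
    return Frame(dst, src, None, raw[12:])


@dataclass
class AccessPort:
    vlan: int

    def egress(self, vlan: int, f: Frame) -> Optional[bytes]:
        # An access port carries only its own VLAN and strips the tag on the way out.
        if vlan != self.vlan:
            return None
        return Frame(f.dst, f.src, None, f.payload).to_bytes()

    def ingress(self, raw: bytes) -> Optional[Tuple[int, Frame]]:
        f = parse_frame(raw)
        if f.vlan is not None:
            return None          # simplification: tagged frames are dropped
        return self.vlan, f      # untagged frames are classified into the access VLAN


@dataclass
class TrunkPort:
    native: int
    allowed: frozenset = frozenset(range(1, 4095))

    def egress(self, vlan: int, f: Frame) -> Optional[bytes]:
        if vlan not in self.allowed:
            return None
        tag = None if vlan == self.native else vlan   # the native VLAN leaves untagged
        return Frame(f.dst, f.src, tag, f.payload).to_bytes()

    def ingress(self, raw: bytes) -> Optional[Tuple[int, Frame]]:
        f = parse_frame(raw)
        vlan = self.native if f.vlan is None else f.vlan   # untagged = native VLAN
        return (vlan, f) if vlan in self.allowed else None


def deliver(tx_port, vlan: int, f: Frame, rx_port) -> Optional[int]:
    """Send f out of tx_port in `vlan`; return the VLAN rx_port classifies it into, or None if dropped."""
    raw = tx_port.egress(vlan, f)
    if raw is None:
        return None
    result = rx_port.ingress(raw)
    return None if result is None else result[0]


# Constructed sample frame: broadcast destination, ARP EtherType 0x0806, dummy body.
SAMPLE = Frame(b"\xff" * 6, bytes.fromhex("001122334455"), None, b"\x08\x06" + b"\x00" * 28)


def scenarios() -> dict:
    return {
        "access6->access6": deliver(AccessPort(6), 6, SAMPLE, AccessPort(6)),
        "access6->access7": deliver(AccessPort(6), 6, SAMPLE, AccessPort(7)),
        "trunk(native1)->access6": deliver(TrunkPort(native=1), 6, SAMPLE, AccessPort(6)),
        "trunk(native6)->access6": deliver(TrunkPort(native=6), 6, SAMPLE, AccessPort(6)),
        "trunk(native1)->trunk(native1)": deliver(TrunkPort(native=1), 6, SAMPLE, TrunkPort(native=1)),
    }


if __name__ == "__main__":
    for name, vlan in scenarios().items():
        print(f"{name:32s} -> {'dropped' if vlan is None else f'delivered in VLAN {vlan}'}")
```

Two things the run shows that the prose only implies: access-to-access delivery succeeds even when the two access VLAN numbers differ (the tag never reaches the wire, so each switch simply classifies the frame into its own access VLAN), and a trunk whose native VLAN equals the access VLAN delivers because native-VLAN frames leave the trunk untagged. The model ignores DTP entirely, which is why the post's "nonegotiate" remark is not represented.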
I think your best option is to listen to tporembski. He said that fa0 is not routable. Try using a different port on the 3560x and see if that suits you better.
OK, I have got to point out a couple of things.
1. Do you really need to use telnet? (Outside of the scope of your question, but it's very insecure.)
2. If you are telnetting in via the management IP and you make that change in that order, you are going to have a bad day. By removing the management VLAN that exists you effectively remove the ability to remote into the machine. I suggest the reverse: create interface vlan 10 and IP it, test it, then remove the IP from vlan 1. You also do not need the no shut on an SVI; by default they are not shut.

CONFIG
  interface vlan 10
   ip add 192.168.1.1 255.255.255.0
  vlan 10
   name management
  !-----TEST CONNECTIVITY
  default interface vlan 1
  int vlan 1
   shut
  end
  wr
A few troubleshooting questions: Is that VLAN accessible/reachable by ISE? Can you ping it? Are you allowing ISE to speak SNMP and RADIUS to the NAD? Do the SNMP passwords match?
The only thing I could find was purging data in the MNT node. The default is 90 days. This doesn't apply because the profiles are stored on the policy node. I don't think you can in an automated form. You could change the MNT to purge after 210 days and then run a report to see which MACs have not authc'd in the past 180 days. That will require Excel and some scripting.
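The "run a report and script it" step in the post above, as an added example that is not code from the post or from ISE: it reads an exported authentication report, reduces it to the newest successful authentication per endpoint (normalising the colon, dash and Cisco dotted MAC notations that different exports use), and lists the endpoints whose last success is older than the threshold. The CSV column names (MACAddress, LoggedAt, AuthStatus) and every row are constructed for this example; match them to the columns of your own export before using it. The second function covers the case the report alone cannot: an endpoint with no successful authentication inside the retained window never appears in the report at all, so it has to be found by absence against the endpoint list exported from the policy node.

```python
# Added example, not from the original post: stale-endpoint detection over an
# exported authentication report. Column names and all rows are constructed.
import csv
import io
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

SAMPLE_REPORT = """\
MACAddress,LoggedAt,AuthStatus
00:11:22:33:44:55,2014-01-02 08:15:00,Pass
0011.2233.4455,2014-06-20 09:00:00,Pass
AA-BB-CC-DD-EE-01,2013-12-31 12:30:00,Pass
aa:bb:cc:dd:ee:02,2014-06-25 17:45:00,Fail
aa:bb:cc:dd:ee:03,2013-11-11 11:11:11,Pass
"""

# Constructed: MACs exported from the endpoint database (any notation).
SAMPLE_ENDPOINTS = ["00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "aabb.ccdd.ee02",
                    "AA:BB:CC:DD:EE:03", "aa:bb:cc:dd:ee:04"]


def normalize_mac(mac: str) -> str:
    """Collapse colon, dash and Cisco dotted notations into AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def last_seen_by_mac(report_text: str, only_passed: bool = True) -> Dict[str, datetime]:
    """Return {mac: newest timestamp}; one endpoint may appear in several notations."""
    seen: Dict[str, datetime] = {}
    for row in csv.DictReader(io.StringIO(report_text)):
        if only_passed and row["AuthStatus"] != "Pass":
            continue
        mac = normalize_mac(row["MACAddress"])
        ts = datetime.strptime(row["LoggedAt"], "%Y-%m-%d %H:%M:%S")
        if mac not in seen or ts > seen[mac]:
            seen[mac] = ts
    return seen


def _cutoff(days: int, as_of: str) -> datetime:
    return datetime.strptime(as_of, "%Y-%m-%d") - timedelta(days=days)


def stale_endpoints(report_text: str, days: int, as_of: str) -> List[str]:
    """MACs in the report whose newest success is more than `days` before as_of (YYYY-MM-DD)."""
    cutoff = _cutoff(days, as_of)
    return sorted(mac for mac, ts in last_seen_by_mac(report_text).items() if ts < cutoff)


def stale_or_absent(endpoint_macs: Iterable[str], report_text: str, days: int, as_of: str) -> List[str]:
    """Endpoints from the database that are stale in the report or missing from it altogether."""
    cutoff = _cutoff(days, as_of)
    seen = last_seen_by_mac(report_text)
    out = []
    for mac in map(normalize_mac, endpoint_macs):
        ts = seen.get(mac)
        if ts is None or ts < cutoff:
            out.append(mac)
    return sorted(out)


if __name__ == "__main__":
    for mac in stale_or_absent(SAMPLE_ENDPOINTS, SAMPLE_REPORT, 180, "2014-07-01"):
        print(mac)
```

The threshold only means something if the report window is at least as long as the threshold, which is the reason for the post's 210-day purge setting: with the default 90-day retention, every endpoint older than 90 days looks identical whether it last authenticated 100 or 1000 days ago.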
It sounds like you are trying to do two different things. The certificate can be done through 802.1X using PEAP. I don't know if your devices can handle dot1x, so if not they can use MAB. Far less secure, but if it's a low-level device like a printer that has limited input capability then you are stuck with MAB. What you could do with MAB is use the OUI and some other identifying information (if available) like device host names (this can be derived from DHCP, I believe) and possibly AV pairs (RADIUS) to help profile the devices. These can be put into a custom endpoint profile that is given a specific authorization rule. The whole point is to try to isolate certain types of equipment so that only they get the custom authz rule. Does this make sense? I'm shooting a little blind here without more info.
Has anybody created the High and Low level designs for the NASP? This is my first time and it's always easier to have a template to work off of than to reinvent the wheel. An incomplete example is displayed below, but I was hoping someone had a complete one of high and low.

Employee Authorization Rule

Table of Contents for Employee Security Policy:
I. Members pg. xxx
II. Acceptable Use Policy pg. xxx
III. Windows 7 Security Requirements pg. xxx
  1. Approved AV Installed & Up-to-date pg. xxx
    a. Security checks pg. xxx
    b. Security rules pg. xxx
IV. Network Access Permissions pg. xxx
  1. VLAN Segmentation pg. xxx
    a. Noncompliant Posture VLAN pg. xxx
    b. Access VLAN Name/ID pg. xxx
  2. Access Control List pg. xxx
  3. SmartPort Macro pg. xxx
  4. Security Group Tag number pg. xxx
...

IV. Network Access Permissions
  1. VLAN Segmentation – Yes
    a. Noncompliant Posture VLAN = quarantine-vlan/100
    b. Access VLAN Name/ID = employees/10
  2. Access Control List – Yes
    a. Compliant ACL = permit All IP
    b. Noncompliant ACL =
      5 Permit TCP from any to "AUP web server" equaling 80
        Description: Allow anyone to access the acceptable use policy link
      10 Permit TCP from any to "Link based remediation resources" equaling 80 & 443
        Description: Allow web traffic to the appropriate remediation resources
      20 Permit TCP from any to "file based remediation" equaling 80 & 443
        Description: Allow web traffic to the cam for remediation file distribution
      30 Permit UDP from any to "dmz DNS Server" equaling DNS
        Description: Allow DNS only to the dmz dns server
      40 Deny IP from any to any
        Description: Block everything else
      (64 Cisco ISE for BYOD and Secure Unified Access)
  3. SmartPort Macro – no
  4. Security Group Tag number – 10
Problem resolved. The issue was as follows. I was getting the above described error; however, the problem was that we have a WLC that relies on ISE for authentication. It also uses AAA override. More info here: http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0111100.html "It enables you to apply VLAN tagging, Quality of Service (QoS), and Access Control Lists (ACLs) to individual clients based on the returned RADIUS attributes from the AAA server." The WLC does not download the ACL like a switch does. ISE will send a RADIUS response with the appropriate ACL for permissions. If there is a web redirect included, that ACL will also have to be sent... thus that ACL will have to be created on the WLC as well. Keep in mind that the ACL name is all that really matters. It does not download the entire ACL. ISE merely sends the ACL name and says use this ACL. If the WLC does not have it then it is forced to disconnect the client (or give no access). This was my problem. I did not have the redirect ACL created on the WLC. So it would connect, get an IP, and attempt to redirect but it wasn't allowed to.
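Because the controller only ever receives the ACL name, the failure in the post above is a configuration-consistency problem that can be checked before anyone connects. The following is an added example, not code from the post, from ISE or from the controller: it takes the ACL names that each authorization profile returns and checks them against the ACLs defined on the controller. The profile table and the controller output are constructed; the attribute names used (Airespace-ACL-Name for the regular ACL and a cisco-av-pair of the form url-redirect-acl=NAME for the redirect ACL) and the column layout of "show acl summary" are assumptions of this example and should be matched to what your own profiles and controller actually show.

```python
# Added example, not from the original post: verify every ACL name ISE hands a
# WLC actually exists on that WLC. Profiles and show output are constructed;
# attribute names and the show-output layout are assumptions.
from typing import Dict, List, Tuple

# Constructed: what each authorization profile returns in its Access-Accept.
AUTHZ_PROFILES: Dict[str, Dict[str, str]] = {
    "Employee-Wireless": {"Airespace-ACL-Name": "EMPLOYEE-ACL"},
    "BYOD-Redirect": {"cisco-av-pair": "url-redirect-acl=NSP-ACL"},
    "Guest-Redirect": {"Airespace-ACL-Name": "GUEST-ACL",
                       "cisco-av-pair": "url-redirect-acl=GUEST-REDIRECT"},
}

# Constructed: trimmed "show acl summary" output from the controller.
WLC_SHOW_ACL_SUMMARY = """\
ACL Counter Status      Disabled
----------------------------------------
ACL Name                         Applied
-------------------------------- -------
EMPLOYEE-ACL                      Yes
GUEST-ACL                         No
"""


def parse_wlc_acl_names(show_output: str) -> set:
    """Pick the ACL names out of the summary, skipping headers and rulers."""
    names = set()
    for line in show_output.splitlines():
        if not line.strip() or line.startswith("-") or line.startswith("ACL "):
            continue
        names.add(line.split()[0])
    return names


def acls_referenced(profile: Dict[str, str]) -> List[Tuple[str, str]]:
    """(attribute, acl-name) pairs that a profile returns to the controller."""
    refs = []
    for attr, value in profile.items():
        if attr == "Airespace-ACL-Name":
            refs.append((attr, value))
        elif attr == "cisco-av-pair" and value.startswith("url-redirect-acl="):
            refs.append(("url-redirect-acl", value.split("=", 1)[1]))
    return refs


def missing_acls(profiles: Dict[str, Dict[str, str]], show_output: str) -> List[Tuple[str, str, str]]:
    """(profile, attribute, acl) for every referenced ACL the controller does not define."""
    present = parse_wlc_acl_names(show_output)
    return [(name, attr, acl)
            for name, prof in profiles.items()
            for attr, acl in acls_referenced(prof)
            if acl not in present]


if __name__ == "__main__":
    for profile, attr, acl in missing_acls(AUTHZ_PROFILES, WLC_SHOW_ACL_SUMMARY):
        print(f"profile {profile}: {attr} references {acl!r}, which is not defined on the WLC")
```

Run against the constructed data it reports the two redirect ACLs that the controller lacks, which is exactly the situation the post describes; a client hitting either profile would be disconnected or left without access rather than redirected.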
I know that 4.2 is pretty old, but it could be relevant in future versions with 5.3 and ISE. I don't know.

Topic: Implementing (permitting) subcommands under an Authorization Set.

This was somewhat difficult for me to get working for the final step that I wanted. That was to allow FastEthernet interfaces to be allowed by the help desk and deny GigabitEthernet. Reasoning being is all Gigabit ports are reserved for trunking. How I was able to solve this issue:

SWITCH
Previous AAA settings on 3750 switch:
  aaa new-model
  aaa group server tacacs+ CSACS
  aaa authentication login default group CSACS local
  aaa authentication enable default group CSACS enable
  aaa authorization exec default group CSACS local
  aaa authorization commands 15 default group CSACS local
  aaa accounting commands 15 default start-stop group CSACS
  aaa session-id common

Added command on switch:
  aaa authorization config-commands
This allows you to specify individual commands (to my understanding).

ACS
Shell Command Authorization Set
If you want to allow FastEthernet and deny GigabitEthernet then do the following:
  COMMAND: interface
  ARGUMENT: permit FastEthernet (case-sensitive!!!!!!)

To allow switchport commands (switchport mode access and switchport access vlan), denying explicitly switchport mode trunk:
  COMMAND: switchport
  ARGUMENT:
    deny mode trunk
    permit mode access
    permit access vlan

Items to consider:
1. User settings trump group settings, so if you give someone privilege level 15 in their user settings instead of following group settings then they have access to everything.
2. Shell exec needs to be turned on for user and group.
3. The five ITEMS in 4.2 that you need to look at:
  User Setup
  Advanced TACACS+ Settings
  TACACS+ Enable Password
  Shell (exec) (RIGHT ABOVE ----> Shell Command Authorization Set)
  Shell Command Authorization Set

Good luck.
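To see why the set in the post above behaves the way it does (and why the case-sensitivity warning matters), here is an added example, not code from the post and not ACS code: a small model of a shell command authorization set evaluating command lines. The evaluation semantics are assumptions of this model, stated here so they can be compared with the real product: the command word is matched exactly, each permit/deny line is a case-sensitive regular expression searched in the argument string, the first matching line wins, arguments that match no line are denied unless the rule permits unmatched arguments, and commands not in the set follow the set's unmatched-commands setting.

```python
# Added example, not ACS code: a model of shell command authorization sets.
# Matching semantics (exact command word, case-sensitive regex on arguments,
# first match wins, unmatched denied by default) are assumptions of this model.
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class CommandRule:
    command: str
    arg_rules: List[Tuple[str, str]]     # [("permit" | "deny", pattern), ...] in order
    permit_unmatched_args: bool = False


@dataclass
class AuthorizationSet:
    rules: List[CommandRule]
    permit_unmatched_commands: bool = False

    def authorize(self, cmdline: str) -> bool:
        parts = cmdline.strip().split(maxsplit=1)
        if not parts:
            return False
        cmd, args = parts[0], (parts[1] if len(parts) > 1 else "")
        for rule in self.rules:
            if rule.command != cmd:
                continue
            for action, pattern in rule.arg_rules:
                if re.search(pattern, args):      # case-sensitive, as the post warns
                    return action == "permit"
            return rule.permit_unmatched_args     # no argument line matched
        return self.permit_unmatched_commands     # command not in the set


def help_desk_set() -> AuthorizationSet:
    """The set described in the post: FastEthernet only, access-port commands only."""
    return AuthorizationSet([
        CommandRule("interface", [("permit", "FastEthernet")]),
        CommandRule("switchport", [("deny", "mode trunk"),
                                   ("permit", "mode access"),
                                   ("permit", "access vlan")]),
    ])


def audit(authz: AuthorizationSet, cmdlines: List[str]) -> Dict[str, bool]:
    """Evaluate a batch of command lines; handy for regression-testing a set before rollout."""
    return {line: authz.authorize(line) for line in cmdlines}


if __name__ == "__main__":
    # Constructed command lines a help-desk session might send.
    sample = ["interface FastEthernet0/1", "interface fastethernet0/1",
              "interface GigabitEthernet1/0/1", "switchport mode access",
              "switchport access vlan 10", "switchport mode trunk",
              "switchport trunk allowed vlan 10", "shutdown"]
    for line, ok in audit(help_desk_set(), sample).items():
        print(f"{'permit' if ok else 'deny  '}  {line}")
```

Note the two lines that are denied for different reasons: "interface fastethernet0/1" fails only because of case, and "switchport trunk allowed vlan 10" fails because nothing in the switchport rule matches it and unmatched arguments are denied, which is the behaviour you want when the intent is to keep the help desk off trunk configuration.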
For everyone else's information, the tunnel information is correct but the routes were incorrect. My default gateway was bad.
  route XPOS-INET 0.0.0.0 0.0.0.0 9.9.9.9 1
  route XPOS-INET 10.0.0.0 255.0.0.0 9.9.9.9 1
  route XPOS-INET 5.5.5.5 255.255.255.255 9.9.9.9 1
I was using the outside interface, and I needed to send it to the default gateway of the OUTSIDE interface, not the interface itself. So in theory it would be:
  route XPOS-INET 0.0.0.0 0.0.0.0 9.9.9.1 1
  route XPOS-INET 10.0.0.0 255.0.0.0 9.9.9.1 1
  route XPOS-INET 5.5.5.5 255.255.255.255 9.9.9.1 1
Hope this helps others.