Cisco Community
English
Register
Register
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
davy.timmermans
‎08-29-2018
davy.timmermans
Member since ‎12-09-2008
Enthusiast
268
Posts
228
Helpful
19
Solutions
Recent Badges
15 Accepted Solution
1 Accepted Solution
5 Accepted Solution
50 Replies
20 Replies
View All
Recent Badges
Awards

your authz policy looks like:

Created by davy.timmermans Enthusiast in Policy and Access
‎10-11-2016 12:39 PM
‎10-11-2016 12:39 PM
your authz policy looks like: Profiled_7911 & member of allowed_mac  It's normal behavior that the first time the authz rule is hit - but normally a coa should take place after a small time once ise receives new info from the sensors. You don't see a coa action in the logging? ... View more

Did you test it?

Created by davy.timmermans Enthusiast in Switching
‎06-16-2016 02:13 AM
‎06-16-2016 02:13 AM
Did you test it? object 10 not > when the next hop is not reachable, --> true Unless the next hop/eigrp neighbor will be reachable via the summary route. ... View more

Ran in this issue too after

Created by davy.timmermans Enthusiast in Switching
‎06-08-2016 12:35 AM
‎06-08-2016 12:35 AM
Ran in this issue too after upgrading WS-C3750X-48P to c3750e-universalk9-mz.152-2.E4 no ip cef optimize neighbor resolution fixed the problem for me as well. ... View more

Cisco AP - as dot1x client -eap md5/eap...

Created by davy.timmermans Enthusiast in Policy and Access
‎05-25-2016 03:46 AM
‎05-25-2016 03:46 AM
ISE 2.0  WLC: 8.1.131 Is the following normal behavior? dot1x enabled on 2700i ap, ap connected to port configured with dot1x   step 1 event PAC Provisioned authC: ok --> success authZ: ok authZ result: <> result access reject eap-fast, eap-mschapv2 innermethod Cisco Identity Services Engine 11001 Received RADIUS Access-Request   11017 RADIUS created a new session   15049 Evaluating Policy Group   15008 Evaluating Service Selection Policy   15048 Queried PIP - Normalised Radius.RadiusFlowType   15048 Queried PIP - Radius.NAS-Port-Type   15048 Queried PIP - Radius.Service-Type   15004 Matched rule - Wired dot1x   11507 Extracted EAP-Response/Identity   12100 Prepared EAP-Request proposing EAP-FAST with challenge   12625 Valid EAP-Key-Name attribute received   11006 Returned RADIUS Access-Challenge   11001 Received RADIUS Access-Request   11018 RADIUS is re-using an existing session   12102 Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated   12800 Extracted first TLS record; TLS handshake started   12805 Extracted TLS ClientHello message   12806 Prepared TLS ServerHello message   12808 Prepared TLS ServerKeyExchange message   12810 Prepared TLS ServerDone message   12105 Prepared EAP-Request with another EAP-FAST challenge   11006 Returned RADIUS Access-Challenge   11001 Received RADIUS Access-Request   11018 RADIUS is re-using an existing session   12104 Extracted EAP-Response containing EAP-FAST challenge-response   12812 Extracted TLS ClientKeyExchange message   12813 Extracted TLS CertificateVerify message   12804 Extracted TLS Finished message   12801 Prepared TLS ChangeCipherSpec message   12802 Prepared TLS Finished message   12816 TLS handshake succeeded   12131 EAP-FAST built anonymous tunnel for purpose of PAC provisioning   12105 Prepared EAP-Request with another EAP-FAST challenge   11006 Returned RADIUS Access-Challenge   11001 Received RADIUS Access-Request   11018 RADIUS is re-using an existing session   12104 Extracted EAP-Response containing EAP-FAST challenge-response   12125 EAP-FAST inner method started   11521 Prepared EAP-Request/Identity for inner EAP method   12105 Prepared EAP-Request with another EAP-FAST challenge   11006 Returned RADIUS Access-Challenge   11001 Received RADIUS Access-Request   11018 RADIUS is re-using an existing session   12104 Extracted EAP-Response containing EAP-FAST challenge-response   11522 Extracted EAP-Response/Identity for inner EAP method   11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge   12105 Prepared EAP-Request with another EAP-FAST challenge   11006 Returned RADIUS Access-Challenge   11001 Received RADIUS Access-Request   11018 RADIUS is re-using an existing session   12104 Extracted EAP-Response containing EAP-FAST challenge-response   11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated   15041 Evaluating Identity Policy   15048 Queried PIP - Radius.User-Name   15006 Matched Default Rule   15013 Selected Identity Source - < AD>   24430 Authenticating user against Active Directory - < AD>   24325 Resolving identity - <user>   24313 Search for matching accounts at join point - <AD>   24319 Single matching account found in forest - < AD>   24323 Identity resolution detected single matching account   24343 RPC Logon request succeeded - user@ < AD>   24402 User authentication against Active Directory succeeded - < AD>   22037 Authentication Passed   11824 EAP-MSCHAP authentication attempt passed   12105 Prepared EAP-Request with another EAP-FAST challenge   11006 Returned RADIUS Access-Challenge   11001 Received RADIUS Access-Request   11018 RADIUS is re-using an existing session   12104 Extracted EAP-Response containing EAP-FAST challenge-response   11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response   11814 Inner EAP-MSCHAP authentication succeeded   11519 Prepared EAP-Success for inner EAP method   12128 EAP-FAST inner method finished successfully   12966 Sent EAP Intermediate Result TLV indicating success   12105 Prepared EAP-Request with another EAP-FAST challenge   11006 Returned RADIUS Access-Challenge   11001 Received RADIUS Access-Request   11018 RADIUS is re-using an existing session   12104 Extracted EAP-Response containing EAP-FAST challenge-response   12126 EAP-FAST cryptobinding verification passed   12200 Approved EAP-FAST client Tunnel PAC request   24423 ISE has not been able to confirm previous successful machine authentication   15036 Evaluating Authorization Policy   15048 Queried PIP - Radius.NAS-Port-Type   15048 Queried PIP - DEVICE.Device Type   24432 Looking up user in Active Directory - < AD>   24355 LDAP fetch succeeded - <AD>   24416 User's Groups retrieval from Active Directory succeeded - < AD>   15048 Queried PIP - < AD> .ExternalGroups   15048 Queried PIP - Radius.Called-Station-ID   15048 Queried PIP - CERTIFICATE.Issuer - Organization   15048 Queried PIP - EndPoints.EndPointPolicy   15004 Matched rule - AP   15016 Selected Authorization Profile -   12964 Sent EAP Result TLV indicating success   12169 Successfully finished EAP-FAST tunnel PAC provisioning/update   12105 Prepared EAP-Request with another EAP-FAST challenge   11006 Returned RADIUS Access-Challenge   11001 Received RADIUS Access-Request   11018 RADIUS is re-using an existing session   12104 Extracted EAP-Response containing EAP-FAST challenge-response   11401 Prepared RADIUS Access-Reject after the successful in-band PAC provisioning   11504 Prepared EAP-Failure   11003 Returned RADIUS Access-Reject Next step2 event authentication succeeded authC: ok --> success authZ: ok authZ result: ok result access accept Cisco Identity Services Engine 11001 Received RADIUS Access-Request   11017 RADIUS created a new session   15049 Evaluating Policy Group   15008 Evaluating Service Selection Policy   15048 Queried PIP - Normalised Radius.RadiusFlowType   15048 Queried PIP - Radius.NAS-Port-Type   15048 Queried PIP - Radius.Service-Type   15004 Matched rule - Wired dot1x   11507 Extracted EAP-Response/Identity   12100 Prepared EAP-Request proposing EAP-FAST with challenge   12625 Valid EAP-Key-Name attribute received   11006 Returned RADIUS Access-Challenge   11001 Received RADIUS Access-Request   11018 RADIUS is re-using an existing session   12102 Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated   12800 Extracted first TLS record; TLS handshake started   12175 Received Tunnel PAC   12805 Extracted TLS ClientHello message   12806 Prepared TLS ServerHello message   12801 Prepared TLS ChangeCipherSpec message   12802 Prepared TLS Finished message   12105 Prepared EAP-Request with another EAP-FAST challenge   11006 Returned RADIUS Access-Challenge   11001 Received RADIUS Access-Request   11018 RADIUS is re-using an existing session   12104 Extracted EAP-Response containing EAP-FAST challenge-response   12804 Extracted TLS Finished message   12816 TLS handshake succeeded   12132 EAP-FAST built PAC-based tunnel for purpose of authentication   12125 EAP-FAST inner method started   11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge   12105 Prepared EAP-Request with another EAP-FAST challenge   11006 Returned RADIUS Access-Challenge   11001 Received RADIUS Access-Request   11018 RADIUS is re-using an existing session   12104 Extracted EAP-Response containing EAP-FAST challenge-response   11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated   15041 Evaluating Identity Policy   15048 Queried PIP - Radius.User-Name   15006 Matched Default Rule   15013 Selected Identity Source - < AD>   24430 Authenticating user against Active Directory - < AD>   24325 Resolving identity - <user>   24313 Search for matching accounts at join point - < AD>   24319 Single matching account found in forest - < AD>   24323 Identity resolution detected single matching account   24343 RPC Logon request succeeded - user@ < AD>   24402 User authentication against Active Directory succeeded - < AD>   22037 Authentication Passed   11824 EAP-MSCHAP authentication attempt passed   12105 Prepared EAP-Request with another EAP-FAST challenge   11006 Returned RADIUS Access-Challenge   11001 Received RADIUS Access-Request   11018 RADIUS is re-using an existing session   12104 Extracted EAP-Response containing EAP-FAST challenge-response   11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response   11814 Inner EAP-MSCHAP authentication succeeded   11519 Prepared EAP-Success for inner EAP method   12128 EAP-FAST inner method finished successfully   12964 Sent EAP Result TLV indicating success   12105 Prepared EAP-Request with another EAP-FAST challenge   11006 Returned RADIUS Access-Challenge   11001 Received RADIUS Access-Request   11018 RADIUS is re-using an existing session   12104 Extracted EAP-Response containing EAP-FAST challenge-response   12126 EAP-FAST cryptobinding verification passed   12106 EAP-FAST authentication phase finished successfully   11503 Prepared EAP-Success   24423 ISE has not been able to confirm previous successful machine authentication   15036 Evaluating Authorization Policy   15048 Queried PIP - Radius.NAS-Port-Type   15048 Queried PIP - DEVICE.Device Type   24432 Looking up user in Active Directory - < AD>   24355 LDAP fetch succeeded - < AD>   24416 User's Groups retrieval from Active Directory succeeded - < AD>   15048 Queried PIP - < AD> .ExternalGroups   15048 Queried PIP - Radius.Called-Station-ID   15048 Queried PIP - CERTIFICATE.Issuer - Organization   15048 Queried PIP - DEVICE.Location   15004 Matched rule - AP   15016 Selected Authorization Profile - AP   11002 Returned RADIUS Access-Accept Immediately after access accept - session terminate, re-authentication with eap-md5 as inner method which isn't supported by AD --> authZ fail step 3 -30000 Steps   11001 Received RADIUS Access-Request   11017 RADIUS created a new session   15049 Evaluating Policy Group   15008 Evaluating Service Selection Policy   15048 Queried PIP - Normalised Radius.RadiusFlowType   15048 Queried PIP - Radius.NAS-Port-Type   15048 Queried PIP - Radius.Service-Type   15004 Matched rule - Wired dot1x   11507 Extracted EAP-Response/Identity   12100 Prepared EAP-Request proposing EAP-FAST with challenge   12625 Valid EAP-Key-Name attribute received   11006 Returned RADIUS Access-Challenge   11001 Received RADIUS Access-Request   11018 RADIUS is re-using an existing session   12001 Extracted EAP-Response/NAK requesting to use EAP-MD5 instead   12000 Prepared EAP-Request proposing EAP-MD5 with challenge   11006 Returned RADIUS Access-Challenge   11001 Received RADIUS Access-Request   11018 RADIUS is re-using an existing session   12002 Extracted EAP-Response containing EAP-MD5 challenge-response and accepting EAP-MD5 as negotiated   15041 Evaluating Identity Policy   15048 Queried PIP - Radius.User-Name   15006 Matched Default Rule   15013 Selected Identity Source - <AD>   22043 Current Identity Store does not support the authentication method; Skipping it - <AD>   22064 Authentication method is not supported by any applicable identity store(s)   22058 The advanced option that is configured for an unknown user is used   22061 The 'Reject' advanced option is configured in case of a failed authentication request   12006 EAP-MD5 authentication failed   11504 Prepared EAP-Failure   11003 Returned RADIUS Access-Reject // <![CDATA[ var djConfig = { appConfigUrl: "/admin/js/config/xmp-configuration.json", //isDebug: true, //debugAtAllCosts: true, locale: 'en-us', parseOnLoad: true }; // ]]> // <![CDATA[ var djConfig = { appConfigUrl: "/admin/js/config/xmp-configuration.json", //isDebug: true, //debugAtAllCosts: true, locale: 'en-us', parseOnLoad: true }; // ]]> // <![CDATA[ var djConfig = { appConfigUrl: "/admin/js/config/xmp-configuration.json", //isDebug: true, //debugAtAllCosts: true, locale: 'en-us', parseOnLoad: true }; // ]]> ... View more

If you want to kick in the

Created by davy.timmermans Enthusiast in Switching
‎05-25-2016 03:04 AM
‎05-25-2016 03:04 AM
If you want to kick in the static route when the eigrp neighbor is not reachable - you could configure the following: I don't know if that is what you're looking for? ip sla 10 icmp-echo 10.128.193.125   track 10 ip sla 10 reachability     ip sla schedule 10 life forever start-time now   track 1 list object 1 0 not     ip route 172.16.0.0 255.255.0.0 10.128.193.49 track 1 ... View more

A clean air ap detected an

Created by davy.timmermans Enthusiast in Wireless Security and Network Management
‎05-24-2016 01:49 PM
‎05-24-2016 01:49 PM
A clean air ap detected an interferer. Normally it gives you also information about the source of interference(micro wave, dect, ....). If the interferer is persistent you could investigate with a site survey kit to localize the interferer and eliminate it if possible. You could have a look at your controller: Monitor> cisco cleanair>radio (a/bg)> ... View more

Correct,

Created by davy.timmermans Enthusiast in Switching
‎05-24-2016 01:34 PM
‎05-24-2016 01:34 PM
Correct, Once in VSS there's only 1 device to manage. I suggest also to have a look at the VSS design guide: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/VSS30dg/campusVSS_DG/VSS-dg_ch1.html ... View more

in your design - at each

Created by davy.timmermans Enthusiast in Switching
‎05-24-2016 01:07 PM
‎05-24-2016 01:07 PM
in your design - at each access layer switch - one portchannel will be STP blocking. Logically the two VSS switches are seen/managed as 1 logically switch. It's a best practice/valid/possible to combine the 4 links into 1 portchannel instead of two. Let me know if you've further questions ... View more

 

Created by davy.timmermans Enthusiast in Switching
‎05-24-2016 08:12 AM
‎05-24-2016 08:12 AM
  When do you want the floating static to kick in? If the summary disappears? If that's case why not configuring the same subnet mask as the summary route? There are some options - you might maybe explain what you want to achieve - ... View more

Hi Jan,

Created by davy.timmermans Enthusiast in Policy and Access
‎05-17-2016 07:10 AM
‎05-17-2016 07:10 AM
Hi Jan, Sorry for the delay. Thanks for confirming  - makes sense. Is there a direct relation between user  -  device? Eg. If a user is deleted - are all his registered devices deleted?  Restricted access  (eg. certain hours) is not possible with this kind of flow I suppose. --> authz needed to be based on guest type? Thx ... View more

In this case - it's a buggy

Created by davy.timmermans Enthusiast in Wireless and Mobility
‎05-17-2016 12:11 AM
‎05-17-2016 12:11 AM
In this case - it's a buggy behavior  For those two vlans - a subinterface is not created as should be. ... View more

self registering guest flow - re-authen...

Created by davy.timmermans Enthusiast in Policy and Access
‎05-11-2016 01:19 PM
‎05-11-2016 01:19 PM
In all examples of device self registration - authentication seems to be done only after the coa after registration? auth: mab : user not found - continue authz: if guestendpoint and ssid 'guest' => accept if  ssid 'guest' : accept + cwa Thus once a guest device is registered - it's not required to authenticicate anymore? Unless the endpoint is deleted? ... View more

flexconnect dynamic vlan assignment

Created by davy.timmermans Enthusiast in Wireless and Mobility
‎05-10-2016 01:49 PM
‎05-10-2016 01:49 PM
Currently I'm unable to receive an IP via dynamic vlan assignment on a flexconnect ap. WLC:  8.1.131.0 AP: 2700i Client gets authorized by ISE and receives a vlan based on AD group membership. Unfortunately the client doesn't receive an IP. WLAN advanced flexconnect enable AAA override: yes NAC state: Radius NAC wireless - flexconnectgroup wlan vlan mapping: <dummy vlan> acl mapping:  AAA VLAN ACL Mapping  vlan A  vlan B When I receive dynamic vlan A from ISE, I don't receive an IP. If I do wlan vlan mapping: A --> then I receive IP from the scope. (AAA override seems not be working) When I check on the AP I notice that this settings are well inherited from the flexconnect group Group level VLAN ACL Mappin vlan A vlan B Maybe strange - but when I log on the AP and do a show run - I see there are subinterfaces (Gig0.) for the native vlan and the wlan-vlan mapping, but not for the vlan-acl mapping. Normal? Update: If I create vlan acl mapping for every other random vlan - the interface is created at the access point?  GigabitEthernet0.57 unassigned YES unset up up GigabitEthernet0.140 unassigned YES unset up up GigabitEthernet0.459 unassigned YES unset up up GigabitEthernet0.544 unassigned YES unset up up GigabitEthernet0.566 unassigned YES unset up up GigabitEthernet0.999 unassigned YES unset up up Vlan A, B are not created on the acces point,- that's why it's not working I suppose. I'm wondering why this vlans are not created. ... View more

A few months ago I had the

Created by davy.timmermans Enthusiast in Wireless and Mobility
‎05-10-2016 10:57 AM
‎05-10-2016 10:57 AM
A few months ago I had the same 'problem' -> license generated but unable to upload it. It was indeed as easy as you said. Seems to be based on kind of trust. not-in-use will change asap you register 1 AP. ... View more

upload worked.

Created by davy.timmermans Enthusiast in Network Management
‎04-20-2016 11:38 AM
‎04-20-2016 11:38 AM
upload worked. Unfortunately the output when using these objects in prime are not 100% satisfying. > clHAsecondarycontrollerusage should give back an integer --> but it doesn't return anything  >clHAPrimaryUnit --> returns 1 or 2 - should be true/false --> I'd hoped to send a trap eg. when false  see attached result ... View more
Public Statistics
Date Registered ‎12-09-2008 04:16 AM
Date Last Visited ‎08-29-2018 12:01 AM
Total Messages Posted 268
Total Helpful Votes Received 228
Helpful Votes Given To
Helpful Votes From