Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About davy.timmermans
Stats
Member since
12-09-2008
268
Posts
303
Helpful
19
Solutions
10-11-2016
12:39 PM
your authz policy looks like: Profiled_7911 & member of allowed_mac
It's normal behavior that the first time the authz rule is hit - but normally a coa should take place after a small time once ise receives new info from the sensors.
You don't see a coa action in the logging?
... View more
06-16-2016
02:13 AM
Did you test it?
object 10 not
> when the next hop is not reachable, --> true
Unless the next hop/eigrp neighbor will be reachable via the summary route.
... View more
06-08-2016
12:35 AM
Ran in this issue too after upgrading WS-C3750X-48P to c3750e-universalk9-mz.152-2.E4
no ip cef optimize neighbor resolution fixed the problem for me as well.
... View more
Created by
davy.timmermans
in Policy and Access
in Policy and Access
05-25-2016
03:46 AM
05-25-2016
03:46 AM
ISE 2.0
WLC: 8.1.131
Is the following normal behavior?
dot1x enabled on 2700i ap, ap connected to port configured with dot1x
step 1
event PAC Provisioned
authC: ok --> success
authZ: ok
authZ result: <>
result access reject
eap-fast, eap-mschapv2 innermethod
Cisco Identity Services Engine
11001
Received RADIUS Access-Request
11017
RADIUS created a new session
15049
Evaluating Policy Group
15008
Evaluating Service Selection Policy
15048
Queried PIP - Normalised Radius.RadiusFlowType
15048
Queried PIP - Radius.NAS-Port-Type
15048
Queried PIP - Radius.Service-Type
15004
Matched rule - Wired dot1x
11507
Extracted EAP-Response/Identity
12100
Prepared EAP-Request proposing EAP-FAST with challenge
12625
Valid EAP-Key-Name attribute received
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12102
Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated
12800
Extracted first TLS record; TLS handshake started
12805
Extracted TLS ClientHello message
12806
Prepared TLS ServerHello message
12808
Prepared TLS ServerKeyExchange message
12810
Prepared TLS ServerDone message
12105
Prepared EAP-Request with another EAP-FAST challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12104
Extracted EAP-Response containing EAP-FAST challenge-response
12812
Extracted TLS ClientKeyExchange message
12813
Extracted TLS CertificateVerify message
12804
Extracted TLS Finished message
12801
Prepared TLS ChangeCipherSpec message
12802
Prepared TLS Finished message
12816
TLS handshake succeeded
12131
EAP-FAST built anonymous tunnel for purpose of PAC provisioning
12105
Prepared EAP-Request with another EAP-FAST challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12104
Extracted EAP-Response containing EAP-FAST challenge-response
12125
EAP-FAST inner method started
11521
Prepared EAP-Request/Identity for inner EAP method
12105
Prepared EAP-Request with another EAP-FAST challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12104
Extracted EAP-Response containing EAP-FAST challenge-response
11522
Extracted EAP-Response/Identity for inner EAP method
11806
Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12105
Prepared EAP-Request with another EAP-FAST challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12104
Extracted EAP-Response containing EAP-FAST challenge-response
11808
Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041
Evaluating Identity Policy
15048
Queried PIP - Radius.User-Name
15006
Matched Default Rule
15013
Selected Identity Source - < AD>
24430
Authenticating user against Active Directory - < AD>
24325
Resolving identity - <user>
24313
Search for matching accounts at join point - <AD>
24319
Single matching account found in forest - < AD>
24323
Identity resolution detected single matching account
24343
RPC Logon request succeeded - user@ < AD>
24402
User authentication against Active Directory succeeded - < AD>
22037
Authentication Passed
11824
EAP-MSCHAP authentication attempt passed
12105
Prepared EAP-Request with another EAP-FAST challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12104
Extracted EAP-Response containing EAP-FAST challenge-response
11810
Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814
Inner EAP-MSCHAP authentication succeeded
11519
Prepared EAP-Success for inner EAP method
12128
EAP-FAST inner method finished successfully
12966
Sent EAP Intermediate Result TLV indicating success
12105
Prepared EAP-Request with another EAP-FAST challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12104
Extracted EAP-Response containing EAP-FAST challenge-response
12126
EAP-FAST cryptobinding verification passed
12200
Approved EAP-FAST client Tunnel PAC request
24423
ISE has not been able to confirm previous successful machine authentication
15036
Evaluating Authorization Policy
15048
Queried PIP - Radius.NAS-Port-Type
15048
Queried PIP - DEVICE.Device Type
24432
Looking up user in Active Directory - < AD>
24355
LDAP fetch succeeded - <AD>
24416
User's Groups retrieval from Active Directory succeeded - < AD>
15048
Queried PIP - < AD> .ExternalGroups
15048
Queried PIP - Radius.Called-Station-ID
15048
Queried PIP - CERTIFICATE.Issuer - Organization
15048
Queried PIP - EndPoints.EndPointPolicy
15004
Matched rule - AP
15016
Selected Authorization Profile -
12964
Sent EAP Result TLV indicating success
12169
Successfully finished EAP-FAST tunnel PAC provisioning/update
12105
Prepared EAP-Request with another EAP-FAST challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12104
Extracted EAP-Response containing EAP-FAST challenge-response
11401
Prepared RADIUS Access-Reject after the successful in-band PAC provisioning
11504
Prepared EAP-Failure
11003
Returned RADIUS Access-Reject
Next step2
event authentication succeeded
authC: ok --> success
authZ: ok
authZ result: ok
result access accept
Cisco Identity Services Engine
11001
Received RADIUS Access-Request
11017
RADIUS created a new session
15049
Evaluating Policy Group
15008
Evaluating Service Selection Policy
15048
Queried PIP - Normalised Radius.RadiusFlowType
15048
Queried PIP - Radius.NAS-Port-Type
15048
Queried PIP - Radius.Service-Type
15004
Matched rule - Wired dot1x
11507
Extracted EAP-Response/Identity
12100
Prepared EAP-Request proposing EAP-FAST with challenge
12625
Valid EAP-Key-Name attribute received
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12102
Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated
12800
Extracted first TLS record; TLS handshake started
12175
Received Tunnel PAC
12805
Extracted TLS ClientHello message
12806
Prepared TLS ServerHello message
12801
Prepared TLS ChangeCipherSpec message
12802
Prepared TLS Finished message
12105
Prepared EAP-Request with another EAP-FAST challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12104
Extracted EAP-Response containing EAP-FAST challenge-response
12804
Extracted TLS Finished message
12816
TLS handshake succeeded
12132
EAP-FAST built PAC-based tunnel for purpose of authentication
12125
EAP-FAST inner method started
11806
Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12105
Prepared EAP-Request with another EAP-FAST challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12104
Extracted EAP-Response containing EAP-FAST challenge-response
11808
Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041
Evaluating Identity Policy
15048
Queried PIP - Radius.User-Name
15006
Matched Default Rule
15013
Selected Identity Source - < AD>
24430
Authenticating user against Active Directory - < AD>
24325
Resolving identity - <user>
24313
Search for matching accounts at join point - < AD>
24319
Single matching account found in forest - < AD>
24323
Identity resolution detected single matching account
24343
RPC Logon request succeeded - user@ < AD>
24402
User authentication against Active Directory succeeded - < AD>
22037
Authentication Passed
11824
EAP-MSCHAP authentication attempt passed
12105
Prepared EAP-Request with another EAP-FAST challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12104
Extracted EAP-Response containing EAP-FAST challenge-response
11810
Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814
Inner EAP-MSCHAP authentication succeeded
11519
Prepared EAP-Success for inner EAP method
12128
EAP-FAST inner method finished successfully
12964
Sent EAP Result TLV indicating success
12105
Prepared EAP-Request with another EAP-FAST challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12104
Extracted EAP-Response containing EAP-FAST challenge-response
12126
EAP-FAST cryptobinding verification passed
12106
EAP-FAST authentication phase finished successfully
11503
Prepared EAP-Success
24423
ISE has not been able to confirm previous successful machine authentication
15036
Evaluating Authorization Policy
15048
Queried PIP - Radius.NAS-Port-Type
15048
Queried PIP - DEVICE.Device Type
24432
Looking up user in Active Directory - < AD>
24355
LDAP fetch succeeded - < AD>
24416
User's Groups retrieval from Active Directory succeeded - < AD>
15048
Queried PIP - < AD> .ExternalGroups
15048
Queried PIP - Radius.Called-Station-ID
15048
Queried PIP - CERTIFICATE.Issuer - Organization
15048
Queried PIP - DEVICE.Location
15004
Matched rule - AP
15016
Selected Authorization Profile - AP
11002
Returned RADIUS Access-Accept
Immediately after access accept - session terminate, re-authentication with eap-md5 as inner method which isn't supported by AD --> authZ fail
step 3 -30000
Steps
11001
Received RADIUS Access-Request
11017
RADIUS created a new session
15049
Evaluating Policy Group
15008
Evaluating Service Selection Policy
15048
Queried PIP - Normalised Radius.RadiusFlowType
15048
Queried PIP - Radius.NAS-Port-Type
15048
Queried PIP - Radius.Service-Type
15004
Matched rule - Wired dot1x
11507
Extracted EAP-Response/Identity
12100
Prepared EAP-Request proposing EAP-FAST with challenge
12625
Valid EAP-Key-Name attribute received
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12001
Extracted EAP-Response/NAK requesting to use EAP-MD5 instead
12000
Prepared EAP-Request proposing EAP-MD5 with challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12002
Extracted EAP-Response containing EAP-MD5 challenge-response and accepting EAP-MD5 as negotiated
15041
Evaluating Identity Policy
15048
Queried PIP - Radius.User-Name
15006
Matched Default Rule
15013
Selected Identity Source - <AD>
22043
Current Identity Store does not support the authentication method; Skipping it - <AD>
22064
Authentication method is not supported by any applicable identity store(s)
22058
The advanced option that is configured for an unknown user is used
22061
The 'Reject' advanced option is configured in case of a failed authentication request
12006
EAP-MD5 authentication failed
11504
Prepared EAP-Failure
11003
Returned RADIUS Access-Reject
// &amp;lt;![CDATA[
var djConfig = {
appConfigUrl: "/admin/js/config/xmp-configuration.json",
//isDebug: true,
//debugAtAllCosts: true,
locale: 'en-us',
parseOnLoad: true
};
// ]]&amp;gt;
// &amp;lt;![CDATA[
var djConfig = {
appConfigUrl: "/admin/js/config/xmp-configuration.json",
//isDebug: true,
//debugAtAllCosts: true,
locale: 'en-us',
parseOnLoad: true
};
// ]]&amp;gt;
// &amp;lt;![CDATA[
var djConfig = {
appConfigUrl: "/admin/js/config/xmp-configuration.json",
//isDebug: true,
//debugAtAllCosts: true,
locale: 'en-us',
parseOnLoad: true
};
// ]]&amp;gt;
... View more
Labels:
05-25-2016
03:04 AM
If you want to kick in the static route when the eigrp neighbor is not reachable - you could configure the following:
I don't know if that is what you're looking for?
ip sla 10
icmp-echo 10.128.193.125
track 10 ip sla 10 reachability
ip sla schedule 10 life forever start-time now
track 1 list
object 1 0 not
ip route 172.16.0.0 255.255.0.0 10.128.193.49 track 1
... View more
A clean air ap detected an
in Wireless Security and Network Management
05-24-2016
01:49 PM
05-24-2016
01:49 PM
A clean air ap detected an interferer. Normally it gives you also information about the source of interference(micro wave, dect, ....).
If the interferer is persistent you could investigate with a site survey kit to localize the interferer and eliminate it if possible.
You could have a look at your controller:
Monitor> cisco cleanair>radio (a/bg)>
... View more
05-24-2016
01:34 PM
Correct,
Once in VSS there's only 1 device to manage.
I suggest also to have a look at the VSS design guide:
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/VSS30dg/campusVSS_DG/VSS-dg_ch1.html
... View more
05-24-2016
01:07 PM
in your design - at each access layer switch - one portchannel will be STP blocking.
Logically the two VSS switches are seen/managed as 1 logically switch. It's a best practice/valid/possible to combine the 4 links into 1 portchannel instead of two.
Let me know if you've further questions
... View more
05-24-2016
08:12 AM
When do you want the floating static to kick in? If the summary disappears? If that's case why not configuring the same subnet mask as the summary route?
There are some options - you might maybe explain what you want to achieve -
... View more
05-17-2016
07:10 AM
Hi Jan,
Sorry for the delay.
Thanks for confirming - makes sense.
Is there a direct relation between user - device? Eg. If a user is deleted - are all his registered devices deleted?
Restricted access (eg. certain hours) is not possible with this kind of flow I suppose. --> authz needed to be based on guest type?
Thx
... View more
In this case - it's a buggy
in Wireless and Mobility
05-17-2016
12:11 AM
05-17-2016
12:11 AM
In this case - it's a buggy behavior
For those two vlans - a subinterface is not created as should be.
... View more
Created by
davy.timmermans
in Policy and Access
in Policy and Access
05-11-2016
01:19 PM
05-11-2016
01:19 PM
In all examples of device self registration - authentication seems to be done only after the coa after registration?
auth:
mab : user not found - continue
authz:
if guestendpoint and ssid 'guest' => accept
if ssid 'guest' : accept + cwa
Thus once a guest device is registered - it's not required to authenticicate anymore? Unless the endpoint is deleted?
... View more
Labels:
05-10-2016
10:57 AM
A few months ago I had the same 'problem' -> license generated but unable to upload it.
It was indeed as easy as you said. Seems to be based on kind of trust.
not-in-use will change asap you register 1 AP.
... View more
04-20-2016
11:38 AM
upload worked.
Unfortunately the output when using these objects in prime are not 100% satisfying.
> clHAsecondarycontrollerusage should give back an integer --> but it doesn't return anything
>clHAPrimaryUnit --> returns 1 or 2 - should be true/false --> I'd hoped to send a trap eg. when false
see attached result
... View more
04-20-2016
01:42 AM
I would like to know when the secondary WLC in the HA cluster is active. This should be possible via CISCO-LWAPP-HA-MIB
To achieve this I've downloaded Standard-MIBS-Cisco_8.1 and MIBS_8.1 from the controller software page.
My problem is that I'm not able to upload any of the MIB (zip/individual mib) to prime>monitor tools/monitoring policies> custom mib polling:upload mib
--> reference error, unexpected token. I'm not able to read the full error message.
... View more
Labels:
10-11-2016
your authz policy looks like: Profiled_7911 & member of allowed_mac It's
normal behavior that the fi...
10-04-2016
with ISE 2.1in case enable email notifications to guests has been
disabled (unchecked)then it's stil...
06-16-2016
Did you test it? object 10 not > when the next hop is not reachable, -->
true Unless the next hop/ei...
06-08-2016
Ran in this issue too after upgrading WS-C3750X-48P to
c3750e-universalk9-mz.152-2.E4 no ip cef opti...
Created by
davy.timmermans
in Policy and Access
05-25-2016
05-25-2016
ISE 2.0 WLC: 8.1.131 Is the following normal behavior? dot1x enabled on
2700i ap, ap connected to po...
05-25-2016
If you want to kick in the static route when the eigrp neighbor is not
reachable - you could configu...
Created by
davy.timmermans
in Wireless Security and Network Management
05-24-2016
05-24-2016
A clean air ap detected an interferer. Normally it gives you also
information about the source of in...
05-24-2016
Correct, Once in VSS there's only 1 device to manage. I suggest also to
have a look at the VSS desig...
05-24-2016
in your design - at each access layer switch - one portchannel will be
STP blocking. Logically the t...
05-24-2016
When do you want the floating static to kick in? If the summary
disappears? If that's case why not c...
05-17-2016
Hi Jan, Sorry for the delay. Thanks for confirming - makes sense. Is
there a direct relation between...
05-17-2016
In this case - it's a buggy behavior For those two vlans - a
subinterface is not created as should b...
Created by
davy.timmermans
in Policy and Access
05-11-2016
05-11-2016
In all examples of device self registration - authentication seems to be
done only after the coa aft...
05-10-2016
A few months ago I had the same 'problem' -> license generated but
unable to upload it. It was indee...
Public Statistics
| Date Registered | 12-09-2008 04:16 AM |
| Date Last Visited | 08-29-2018 12:01 AM |
| Total Messages Posted | 268 |
| Total Helpful Votes Received | 303 |
Helpful Votes Given To
.jpg "Hall of Fame Cisco Employee"){kind=icon}
Helpful Votes From
| User | Helpful Count |
|---|---|
| 5 | |
| 5 | |
| 5 | |
| 5 | |
| 5 |
