Dear all,   I'd like to ask you if you know how behaves integrated access-point in Cisco ISR 1100 series? As far as I've read in documentation there is an access-point 1815i.    What I'm not sure of, if there is ay difference how such access-point perform discovery process to locate WLC to associate with.   It is not that easy in my case, because on this ISR router, I'm running also Zone Base Firewall (ZBF). However I doubt it is a root cause for discovery process to fail to locate WLC. Reason is that router interfaces are part of Self zone and it might be that access-point is even that dedicated so not even participating with ZBF (not sure).   Based on logs in console I see: ... [*10/07/2018 00:24:14.9799] Waiting for uplink IPv4 configuration [*10/07/2018 00:24:15.9799] Resetting wired0 and restart DHCP client [*10/07/2018 00:24:22.1199] Waiting for uplink IPv4 configuration ... After some time AP restart and start loading Controller on itself. But I need it as lighweithed access-point.   Which means is unable to utilize DHCP to receive proper network settings. Before I jump into more deeper troubleshooting, is there anything special I need to be aware of about this integrated access-point in ISR router?   Any recommendation are appreaciated.   Thanks for hints!   Martin ... View more

Hi all,   I'd like to ask you if you have experinced in your setup usage of inbound and outbound ACL applied to the same interface of course in rights direction? I'm asking because usage of outbound ACL (direction out) is quite rare I would say. Let's say to have two ACLs applied in the same interface in specific direction.   access-group inside_ACL_INBOUND in interface inside access-group inside_ACL_OUTBOUND out interface inside   In logical topology you will have entering interface outside, where an ACL will simply allow any/any and you will do filtering on inside interface where you have applied noted two ACLs, therefore you control what is entering interface inside and what is leaving such interface.   Is this doable? I'm not sure in case of traffic flow and connection table, because if traffic entering outside interface (permit any/any) place traffic flow into connection table, will it be even checked by ACL configured on inside interface in OUT direction?   Just trying to understand possible drawbacks as this is not really common setup. Also in case of Service Policy (inspections) are they applied twice or only during first entering to the firewall?   It is general question and I don't have real technical setup in place. Just trying to find best suitable option.   Thanks for hint. Martin ... View more

Hi all, I'm working on migration of ACS (tacacs) to ISE 2.1 (latest release with available patches). As opportunity doing a lot of cleanups therefore ACS Migration utility is not an option I'm using. Configuration is being done from scratch. What I struggle with is actual fact to restrict access to Network devices (switches, routers, firewalls, wireless bridges, access-points,...) to only certain users based on AD group membership. I have no troubles with Authorization policies where everything works as expected and no issue in there. What I do struggle with is fact that AUTHENTICATION policy is really useless and not granular. - with current setup it looks (confirmed) that all users from all groups we have discovered from Active Directory can actually login to network devices with success because authentication policy cannot be restricted to specific AD group. Of course once such user wants to do something then Authorization is in place and basically he cannot do anything. How I can restrict authentication to prevent ALL users from successful authentication (Device Admin == Tacacs part)?? Is this even possible? I tried to configure Authentication Compound Condition to list ALL AD groups with "OR" statement to make sure only valid AD groups for Tacacs can login, however testing shows that this is NOT being accepted and only Default option is performed by policy for a user. Such compound condition I used in Authentication policy. Is this a bug/feature of ISE2.1 that Authentication cannot be used in this way? Or how you guys are using authentication policy under Device Admin (Tacacs) part? Maybe there is a different way I have not considered to use, maybe just need to be kicked to change my mind and do it in a different way. So far looks stupid that anyone can basically authentication because ISE is used as well as Radius server to authentication users for wireless connection and therefore AD group with all users is discovered to ISE therefore all can authenticate successfully. :-/ Am I missing anything? Thanks for any hints!!! ... View more

Hi all, I'd like to ask you if you would know any hint what I'm missing or was not able to get from docs. I'm trying to enable OnConnect script which would run gpupdate once VPN connection is successfully established. From configuration point of view it should be quite easy, but... My requirements is to have script locally distributed by our packaging system, basically I don't want to have script locally stored on the ASA so anyone who would connect will download it from ASA VPN. Actually this kind of distribution seems to be working fine (so far what I've tried). I got problems when script is distributed to clients by our client management system (SCCM). I have defined AnyConnect profile (.xml) - defined by VPN profile editor,  update with below and also actual script (testing one, just Hello World which is executable from CLI): - that should be enough to order anyconnect to run a script OnConnect if available (OnConnect_myscript.vbs) C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Script C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile Contains: <EnableScripting UserControllable="false">true     <TerminateScriptOnNextEvent>false</TerminateScriptOnNextEvent>     <EnablePostSBLOnConnectScript>false</EnablePostSBLOnConnectScript> </EnableScripting> We have our VPN served by ASA5540 running version 8.4(4)1 I know that there might be some delay so I added into script delay for 5s. Is there anything specific what I've missed and needs to be allowed on the ASA VPN device? Any kind of configuration etc..? What I've also seen is, that when I'm connecting to VPN with anyconnect then on client event viewer I might see some really strange behaviour. There is EventID 3010, which shows what profile and values have been loaded by AnyConnect, where at the beginning I might see it load correct profile (C:\ProgramData\Cisco...\Profile\profile.xml), but after a while I can see that such profile was loaded again, but with DEFAULT values --> scripting disabled, which I do believe is a problem that such script is not executed. Chronological order (just summary of important events): Source - acvpnagent 1)EventID-3001 9:01:21    Loading preferences for the current user from profile C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\eursslvpn.xml 2)EventID-3010 9:01:21     Current Preference settings (they are taken from .xml loaded file and they match) Source - acvpnui + acvpndownloader 3)EventID1       9:01:56    Loaded profiles: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\eursslvpn.xml 4)EventID3010 9:01:56    Current preference settings     --> they are default, do NOT match what is defined in loaded profile .xml Do you know what are those Source processes: acvpnagent, acvpnui, acvpndownloader   and what are differences between them or they actual impact on process of anyconnect VPN establishment? Thank you in advance for any hint. ... View more

Hello everyone, Just looking if there is any possibility to configure CSM (v4.2) to include in generated pdf  'Activity Change Report' (checking during approval process what is going to be change/added/removed...) also what commands are going to be deployed by such change? So generated PDF will have also output from "Preview Configuration" where all commands can be seen. Haven't seen such option in configuration of CSM and for someone it can be helpful to briefly review what commands are going to be added before deployment. Is there such option to include it in generated PDF or not? :-/ Thanks in advance for any advice ... View more