Dear all,   I'd like to ask you if you know how behaves integrated access-point in Cisco ISR 1100 series? As far as I've read in documentation there is an access-point 1815i.    What I'm not sure of, if there is ay difference how such access-point perform discovery process to locate WLC to associate with.   It is not that easy in my case, because on this ISR router, I'm running also Zone Base Firewall (ZBF). However I doubt it is a root cause for discovery process to fail to locate WLC. Reason is that router interfaces are part of Self zone and it might be that access-point is even that dedicated so not even participating with ZBF (not sure).   Based on logs in console I see: ... [*10/07/2018 00:24:14.9799] Waiting for uplink IPv4 configuration [*10/07/2018 00:24:15.9799] Resetting wired0 and restart DHCP client [*10/07/2018 00:24:22.1199] Waiting for uplink IPv4 configuration ... After some time AP restart and start loading Controller on itself. But I need it as lighweithed access-point.   Which means is unable to utilize DHCP to receive proper network settings. Before I jump into more deeper troubleshooting, is there anything special I need to be aware of about this integrated access-point in ISR router?   Any recommendation are appreaciated.   Thanks for hints!   Martin ... View more

Hi all,   I'd like to ask you if you have experinced in your setup usage of inbound and outbound ACL applied to the same interface of course in rights direction? I'm asking because usage of outbound ACL (direction out) is quite rare I would say. Let's say to have two ACLs applied in the same interface in specific direction.   access-group inside_ACL_INBOUND in interface inside access-group inside_ACL_OUTBOUND out interface inside   In logical topology you will have entering interface outside, where an ACL will simply allow any/any and you will do filtering on inside interface where you have applied noted two ACLs, therefore you control what is entering interface inside and what is leaving such interface.   Is this doable? I'm not sure in case of traffic flow and connection table, because if traffic entering outside interface (permit any/any) place traffic flow into connection table, will it be even checked by ACL configured on inside interface in OUT direction?   Just trying to understand possible drawbacks as this is not really common setup. Also in case of Service Policy (inspections) are they applied twice or only during first entering to the firewall?   It is general question and I don't have real technical setup in place. Just trying to find best suitable option.   Thanks for hint. Martin ... View more

Hi all, I'm working on migration of ACS (tacacs) to ISE 2.1 (latest release with available patches). As opportunity doing a lot of cleanups therefore ACS Migration utility is not an option I'm using. Configuration is being done from scratch. What I struggle with is actual fact to restrict access to Network devices (switches, routers, firewalls, wireless bridges, access-points,...) to only certain users based on AD group membership. I have no troubles with Authorization policies where everything works as expected and no issue in there. What I do struggle with is fact that AUTHENTICATION policy is really useless and not granular. - with current setup it looks (confirmed) that all users from all groups we have discovered from Active Directory can actually login to network devices with success because authentication policy cannot be restricted to specific AD group. Of course once such user wants to do something then Authorization is in place and basically he cannot do anything. How I can restrict authentication to prevent ALL users from successful authentication (Device Admin == Tacacs part)?? Is this even possible? I tried to configure Authentication Compound Condition to list ALL AD groups with "OR" statement to make sure only valid AD groups for Tacacs can login, however testing shows that this is NOT being accepted and only Default option is performed by policy for a user. Such compound condition I used in Authentication policy. Is this a bug/feature of ISE2.1 that Authentication cannot be used in this way? Or how you guys are using authentication policy under Device Admin (Tacacs) part? Maybe there is a different way I have not considered to use, maybe just need to be kicked to change my mind and do it in a different way. So far looks stupid that anyone can basically authentication because ISE is used as well as Radius server to authentication users for wireless connection and therefore AD group with all users is discovered to ISE therefore all can authenticate successfully. :-/ Am I missing anything? Thanks for any hints!!! ... View more