Hey guys, just to add to that discussion. I made these comments some time ago. I'm talking ACS 4.2; don't know if you are.
Anyways, here is the comment:

"I take back what I said about the user having to be in ACS (Windows database, not the ACS internal database). I forgot to fail unknown attempts to the external database (AD), and I deleted the internal ACS user and made the ADU connection again, which worked, and the user was cached afterwards in ACS. I had problems in the past with EAP-TLS and the CSSC client, and I usually had to enter the outer identity username (the same user that had the certificate) into the ACS before EAP-TLS worked. Now when I do another test with EAP-TLS and delete the ACS cached user, I am still authenticated properly. So it seems I can do without the static user entered in the ACS now, at least with ADU! The funny thing is that this time the ACS does not cache the user when doing EAP-TLS, as it did with EAP-FAST and inner EAP-TLS."

regards,
Kristjan

------------------------------

Message: 2
Date: Wed, 14 Sep 2011 12:15:16 +1000
From: Leigh Jewell <[email protected]>
To: [email protected]
Subject: [OSL | CCIE_Wireless] Local EAP/EAP-TLS username in local database
Message-ID: <cakqywd9op8sjua20okapmqsdxxuz2_1zec7co91n0qwr6mq...@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

I was doing some testing with local EAP using EAP-TLS with vendor certificates. One difference I noticed and wanted to verify is that it appears that I didn't need a username for the client in the local database to successfully authenticate a client. As long as my CA certificate had signed the client certificate and it was valid, the client would be authenticated.

In contrast, when I do EAP-TLS with ACS I must have the username exist either in the local database or an external database for it to be authenticated.

Are these the results that other people have got?

Cheers,
Leigh
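The two behaviours Leigh describes above, as an added example that is not part of the original post and not Cisco code: a throwaway CA built with the openssl CLI, client certificates issued from it, and two authorization functions. `local_eap_accept` does what Local EAP on the controller was observed to do (accept any certificate that chains to the trusted CA), and `acs_accept` adds the step ACS and IAS enforce (the identity in the certificate must resolve to a known user account). The CA names, the user list and the user names `leigh`, `ralph` and `contractor` are made up for the demo; the user database is a constructed two-line list standing in for the local net-user or AD lookup, and the demo binds on the subject CN, whereas a real deployment binds on whichever certificate field the server is configured to compare.

```shell
#!/bin/sh
# Added example (not from the thread, not Cisco code): compare "any certificate
# from my CA" (Local EAP on the WLC) with "certificate must map to a user
# account" (ACS / IAS) using a throwaway CA built with the openssl CLI.
# All names, certificates and the user list below are constructed for the demo.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# 1. Throwaway CA: the trust anchor the controller or ACS would hold.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Wireless CA" -keyout ca.key -out ca.crt 2>/dev/null

# 2. Issue client certificates signed by that CA.
#    $1 = subject CN, the identity the EAP-TLS supplicant presents.
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 1 -out "$1.crt" 2>/dev/null
}
issue_client leigh        # an enrolled user
issue_client contractor   # valid cert from the same CA, but no user account

# 3. A second, untrusted CA (someone else's PKI) issuing a cert that even
#    claims to be "leigh"; neither policy may accept it.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Other CA" -keyout other.key -out other.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=leigh" \
    -keyout rogue.key -out rogue.csr 2>/dev/null
openssl x509 -req -in rogue.csr -CA other.crt -CAkey other.key -CAcreateserial \
    -days 1 -out rogue.crt 2>/dev/null

# Constructed stand-in for the WLC local net-user list / AD account lookup.
USERS="leigh
ralph"

# Local EAP policy as observed in the thread: chain validation only.
local_eap_accept() {
    openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}

# Pull the subject CN out of a certificate; this is the identity the
# ACS / IAS style policy binds to an account (demo uses CN, not a SAN).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,lname 2>/dev/null \
        | sed -n 's/^ *commonName *= *//p'
}

# ACS / IAS policy: chain validation AND the identity must exist as a user.
acs_accept() {
    local_eap_accept "$1" || return 1
    cn=$(cert_cn "$1")
    [ -n "$cn" ] || return 1
    printf '%s\n' "$USERS" | grep -qx -- "$cn"
}

# Turn a policy function's exit status into a word for the report.
verdict() { "$1" "$2" && echo accept || echo reject; }

for c in leigh contractor rogue; do
    printf '%-11s local-EAP: %-7s ACS/IAS: %s\n' "$c" \
        "$(verdict local_eap_accept "$c.crt")" "$(verdict acs_accept "$c.crt")"
done
```

Run it as a script; it prints one line per certificate. The middle row is the one to take away: the `contractor` certificate is perfectly valid, so a CA-only policy lets it in, which means that under Local EAP anyone the CA has ever issued a still-valid client certificate to can associate, while the account-binding policy lets you cut access by deleting the user. The `rogue` row shows the other direction: a matching username is worthless without a valid chain, so the binding check is an addition to chain validation, not a replacement for it.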
------------------------------

Message: 3
Date: Tue, 13 Sep 2011 23:04:51 -0700
From: Ralph Olsen <[email protected]>
To: Leigh Jewell <[email protected]>
Cc: [email protected]
Subject: Re: [OSL | CCIE_Wireless] Local EAP/EAP-TLS username in local database
Message-ID: <CALHzUt84CkvPmekRGb7c-1bLWpdJ=pg8CM_9RXnChM9f=5d...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

You are absolutely correct. If the certificate for LOCAL-EAP is signed by a CA you trust, you will allow that authentication. For the ACS part, or direct to IAS, the certificate must be assigned to a valid user account.

/Ralph

2011/9/13 Leigh Jewell <[email protected]>:
> I was doing some testing with local EAP using EAP-TLS with vendor
> certificates. One difference I noticed and wanted to verify is that
> it appears that I didn't need a username for the client in the local
> database to successfully authenticate a client. As long as my CA
> certificate had signed the client certificate and it was valid, the
> client would be authenticated.
>
> In contrast, when I do EAP-TLS with ACS I must have the username exist
> either in the local database or an external database for it to be
> authenticated.
>
> Are these the results that other people have got?
>
> Cheers,
> Leigh
> _______________________________________________
> For more information regarding industry leading CCIE Lab training,
> please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>

------------------------------

Message: 4
Date: Wed, 14 Sep 2011 07:14:39 -0700 (PDT)
From: Oliver Jancevski <[email protected]>
To: [email protected]
Subject: [OSL | CCIE_Wireless] Lab date for v1 exam
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"

Hi all,
I am looking for someone who needs to cancel or wants to swap a lab date scheduled between Oct 1 and Nov 17, either in the US or Brussels. In case of cancellation I will cover their exam cost. If swapping, I can only offer a v2 date. I understand the risk and chances are slim, but I'll take my chances.

Any information is appreciated.

Thanks,
Oliver

------------------------------

Message: 5
Date: Wed, 14 Sep 2011 10:17:37 -0400
From: Jason Boyers <[email protected]>
To: George Stefanick <[email protected]>
Cc: [email protected]
Subject: Re: [OSL | CCIE_Wireless] $50 Beta v2 written
Message-ID: <CAL0_Z+sq0bOOXPUaVrLo=9rojzmtlt4vredoaxv0utmgnoq...@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"

Good to know. Thanks George!

Jason Boyers - CCIE #26024 (Wireless)
Senior Technical Instructor - IPexpert, Inc.
Mailto: [email protected]

> I was informed by @CiscoMobile that the v2 beta will be released this
> Friday.
>
> On Sep 12, 2011, at 7:34 PM, Leigh Jewell wrote:
>
> Referring to the 7921 deployment guide
> <http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7921g/6_0/english/deployment/guide/7921dply.pdf>
> on page 23 under the title:
>
> Configuring Switch Ports for Wired IP Phones ...
> Ensure the following QoS policy is not applied to an interface where
> wireless traffic traverses.
>
> I pasted the policy at the end of this email.
>
> What I am not getting is why it wouldn't be applied to an interface
> that traffic is traversing.
>
> Cheers,
> Leigh
>
> ip access-list extended SCCP
>  permit tcp any eq 2000 any
>  permit tcp any any eq 2000
>  permit tcp any eq 2443 any
>  permit tcp any any eq 2443
> !
> ip access-list extended RTP
>  permit udp any range 16384 32767 any
>  permit udp any any range 16384 32767
> !
> class-map match-all SCCP
>  match access-group name SCCP
> class-map match-all RTP
>  match access-group name RTP
> !
> policy-map Voice
>  class RTP
>   set dscp ef
>  !
>  class SCCP
>   set dscp cs3
> !
> interface X
>  service-policy input Voice
>  service-policy output Voice
>

------------------------------

_______________________________________________
CCIE_Wireless mailing list
[email protected]
http://onlinestudylist.com/cgi-bin/mailman/listinfo/ccie_wireless

End of CCIE_Wireless Digest, Vol 30, Issue 9
********************************************
