I guess it's more of a Microsoft issue. I guess you log in to a Domain on the client. If you block everything between the client and the LAN (except the TS session), the client won't be able to establish a Domain connection. I guess the login is still working because of cached credentials on the client. I guess the FW between client and Windows Domain Controllers has to be a little bit more open.
You're right. It is actually an MS issue, but what I needed to know is whether there is some sort of Cisco solution to work around this issue. For example, some sort of agent which could issue the certificate in the unsecure WLANs. What about the Secure ACS Agent? I could not find any information on whether this could play the role of a sub-CA.
The purpose of the Cisco ACS agent is that the ACS 4.x appliance (non-Windows 2003 server) is capable of doing Windows user authentication. I guess that won't help your issue.
What I don't get is the following:
Are you using WPA2(AES) as encryption? Then the WLAN is not considered as unsecure over the air.
The CA enrollment is a pure Windows issue. I haven't heard of Cisco mechanisms to cover that case. The only way I see is to open the FW for the needed MS services or to use another EAP-type (like PEAP).