1100 AP and ACS 3.1 with LEAP

Similar Messages

• EAP-TLS and ACS 5.1 with AD

  Hello,
  I want to set up the ACS 5.1 for dot1x-Port authentication. I want to make a machine authentication against an AD-Domain and I got the following error Message:
  24435  Machine Groups retrieval from Active Directory succeeded
  24100  Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes.
  24483  Failed to retrieve the machine certificate from Active Directory.
  22049  Binary comparison of certificates failed
  22057  The advanced option that is configured for a failed authentication request is used.
  22061  The 'Reject' advanced option is configured in case of a failed authentication request.
  12507  EAP-TLS authentication failed
  11504  Prepared EAP-Failure
  11003  Returned RADIUS Access-Reject
  What ist the problem? I can't find documents how to configure this in detail.
  Can some one helf me?
  King regardes
  Torsten

  Hi Torsten,
  The option you are looking for is under system configuration:
  Configuring Local Server Certificates
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/admin_config.html#wp1052640
  Under acs-->Users and Identity Stores-->Local certificate-->Edit. You can only import/configure CA certificate:
  Configuring CA Certificates
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1158666
  HTH
  Regards,
  JK
  Plz rate helpful posts-

• Dynamic VLAN assignment with WLC and ACS for

  Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
  dot11 vlan-name STUDENT vlan 2903
  dot11 vlan-name FACSTAF vlan 2905
  As we are working on our WiSM deployment, we see that the document below shows how to do the dynamic VLAN assignment on our WLAN controllers:
  http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
  However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
  With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
  Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?

  We only have the one WiSM for all of campus, so it's handling everything. This Cisco docs do indicate how to put differnet users in different Vlans, but we don't currently see a way to also put them in different subnets per building.
  This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than Class C, or is there a more elegant way of handling this?

• Does N9 support 802.1x with LEAP and have Vietname...

  Hi all,
  I'm from Vietnam and using a N9 phone. I have some question:
  1. Does N9 support 802.1x with LEAP like E-series? When are you launching?
  2. Does N9 support Vietnamese language/keyboard/typing? When are you launching?
  Please inform me soon
  Thanks.

  and how about Lumia serires?

• LMS 2.6 and ACS 4.2 compatible with Windows 2008 R2 Active Directory?

  Hi,
  We are planning to upgrade CORP Domain from Windows 2003 Active Directory Schema to Windows 2008 R2 Active Directory Schema.
  I wanted to know if the following applications which are installed on windows (domain member servers) are compatible with windows 2008 server R2 schema?
  CiscoWorks LAN Management Solution 2.6
  Cisco Secure Access Control System 4.2
  Cisco Fabric Manager 1.5
  Any help is much appreciated!

  - CiscoWorks LAN Management Solution 2.6 - Not supported and this software is EOS-EOL.
  www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_end-of-life_notice0900aecd80532c07.html
  - Cisco Secure Access Control System 4.2 - Not supported either:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/windows/install.html#wp1041324
  - Cisco Fabric Manager 1.5 - Was not able to find anything for version 1.5 and not really familiar with this product.  However, according to the below not even version 4.2(7d) supports 2008:
  www.cisco.com/en/US/docs/switches/datacenter/mds9000/sw/fm/release/notes/20325_10.html#wp657668

• Problem with Leap if I use Aegis Client on winCE4.2

  Hello
  With Cisco PC-Card is no problem to authenticate with leap. But I am struggeling with the meetinghouse aegis client installed on Symbol MC3000 with windwos CE 4.2.
  I tried with dyn. wep and ktip, but both failed with the aegis client. There is absolutely no entry in the cisco ACS.
  Any input is very welcome
  Oliver

  Yes, you are right. I found it out too.
  TKIP with LEAP on windows CE 4.20 is working proper only with aegis client 2.1.4 from meetinghouse.
  best regards
  Oliver

• Expired passwords with LEAP

  Hello,
  Does LEAP support expired passwords from the Active
  Directory?
  When I login with LEAP( my username and passowrd is forwarded by the ACS to the domain controller), if my password gets expired on the domain controller.
  LEAP does not give me the option to change my password.
  I am unable to login.
  Any suggestions ?
  regds

  LEAP does not support MS-CHAP v2, only MS-CHAP v1. Like the previous poster stated, they have no plans to make any changes.
  Danny

• Authenticating Unix users with LEAP

  Scenario : WLAN (AP350 V11.21) with LEAP authentication against an ACS V3.0 server (on W2K). Pre-existing Unix users with traditional Unix-crypted passwords. Usernames with their associated encrypted passwords are successfully imported on ACS database with the csutil utility.
  Authorization fails because LEAP uses a derivative of CHAP/MS-CHAP and it needs the plain password on the ACS side.
  WLANs are increasingly used on places like educational campuses where Unix is widely deployed. Has anyone found a solution to authenticate Unix users with LEAP?
  Thanks in advance

  I know it's It's not supported yet. When PEAP is added to Aironet and ACS, this problem will go away. I believe that is happening in ACS 3.1 and some future version of the Aironet software.
  An ugly workaround would be to setup User Changeable Passwords. You'd inform people with UNIX accounts that they have an ACS account created, but that wireless will not work for them until they use a LAN-based system to log in and change their ACS password. You could give them the option of using the same password, of course.

• What Non-Cisco Cards or Built-in Cards work with LEAP?

  I have just installed ACS and LEAP and have several Laptops in my office that have built in Wireless NIC's. I have read many posts that say this one or that one works with the right drivers, but none that list all the one's that will work with LEAP. Thanks for any assistance you can give.
  David Beaver

  http://www.cisco.com/en/US/partners/pr46/pr147/partners_pgm_partners_0900aecd800a7907.html
  Cisco Compatible wireless clients will feature the Cisco Wireless Security Suite, which includes the Cisco EAP (LEAP) 802.1X authentication type. Customers can implement the award-winning Cisco security solution across Cisco clients and those of other suppliers. The program provides complete support for Cisco VLANs, providing benefits such as flexible security schemes in a mixed client environment and optimized performance in Cisco VLAN deployments. And because Cisco Compatible wireless clients are IEEE 802.11 compliant and Wi-Fi certified, they are fully compatible with other Wi-Fi certified products.

• Upgrade to IOS and ACS authentication not working

  Hi. I have just upgraded my 1200AP to IOS Version 12.2(11)JA1. I am using LEAP with MAC address auth in the ACS (version 3.0). I cannot get onto LAN though. Error on ACS failed auth report says 'User Access Filtered' even though the MAC of the card is in there. I can still authenticate with AP's that are still at old version though. A debug on IOS AP shows that the ACS is replying with a FAIL auth after LEAP negotiation and the ACS interestingly gives the failed MAC address as AAAA.BBBB.CCCC (note dots between) making me think that the AP is sending it in that format instead of AAAABBBBCCCC. I cannot add the MAC to the ACS in the dotted format as it is a 12 character string. Is this a format issue with the RADIUS passthru? Has anyone any idea why this is happening? Thanks for any help in advance.

  Just thought I would let you know that I have got the cause of this. This happens if MAC authentication is enabled in the ACS. Once I turned that off it worked again. I think it is due to a format error in the data sent from ap to acs.

• Dynamic VLAN with LEAP

  Hi experts.
  I have this network:
  - 01 AP 1231
  - ACS v4.0
  I try to config dynamic VLAN with LEAP.
  SSID is WLAN map with vlan 1
  Without attribute 64,65,81, I connect this WLAN ok and users alway is connected to vlan 1.
  When I use attribute 64,65,81 and use
  attribute 64 is vlan, attribute 65 is 802
  user test1 has attribute 81 is 1
  user test2 has attribute 81 is 2,
  test1 connect WLAN successful (map to vlan 1) but test 2 can't authenticate successful with ACS Server.
  I try to follow this link ( but not use Wireless LAN Controller ):
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
  help me,plz
  Thanks
  Tran Chung

  Any body help me, plz.
  I need complete this situation soon.
  Thanks

• ACS any Version with Domain Controller on Windows Server 2008 R2 64bit

  Hi All
  Is there currently any ACS version working with Windows Server 2008 R2 domain controllers?
  Our server stuff has recently upgraded the Domain Controllers to 2008r2 and turned off the 2003 servers. This didn't make our ACS 4.1.4 really happy.
  I've read now serveral posts regarding issues with ACS and Server 2008r2 and hope to find a solution (besides switching to LDAP, yukk).
  Thanks
  pato

  Hi AllIs there currently any ACS version working with Windows Server 2008 R2 domain controllers?Our
  server stuff has recently upgraded the Domain Controllers to 2008r2 and
  turned off the 2003 servers. This didn't make our ACS 4.1.4 really
  happy.I've read now serveral posts regarding issues with ACS and
  Server 2008r2 and hope to find a solution (besides switching to LDAP,
  yukk).Thankspato
  Hi Pato,
  Just check out the below link hope that help.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html
  As per the link it says The support for Windows Server 2008 is applicable for ACS 4.2 Patch 4 onwards.
  Hope to Help !!
  Remember to rate the helpful post
  Ganesh.H

• Can I set up new events with leaps?

  I've tried to set up some Maya calendars on iCal without success. My idea has been creating a group of calendars made up by "full day" events, in which every event represents a day, and every calendar, a count. The point is that in those calendars there are always leaps that are repeated every while, and as far as I've done, after a leap happens, I must re-start to create the same events. Am I clear?
  Let's make an example. Imaging a calendar made up by four days (too short, but its for the example). I have created an iCal calendar with four events, and each one is set up to be repeated every four days; till this point it works as desired. But there's a leap of one day that happens every year, and I haven't been able to set it up; after erasing the event of that day, I must re-start to set up the future (four, for this example) events... Can't I set events with leaps on iCal?
  I've also thought about another possible way to set a calendar like that. I found a table for finding out the correspondence between Gregorian calendar and a 260 days Maya Calendar, by making an adding. There's a number for each month of the year, and also every year has a number. You have to add the number of the month plus the number of the year plus the number of the day of the month, and only if it is higher than 260, you will need to subtract 260; thus you will know which of those 260 days is today (or another date).
  So, if I can set an iCal calendar using something like "if today is 2nd =2, of June =151,  2011 = 7; add 2+151+7; and if answer is higher than 260 subtract 260; so day number is 160". I could also set some other calendars from that one, like "if answer is 109 or 110 or 111 or 112, then "codon" number is X. Any suggestion for creating an iCal calendar like that from other way, like Developer Apps? Or if not for creating an iCal Calendar, maybe for making a Widget?
  Thanks for your attention.

  Am I not clear? I guess I got excited trying to be clear explaining details... But got dark!
  And if I just say, Can I create an iCal Calendar event, set up to be repeated every monday, but after a specific date, be repeated weekly every tuesday? If not on iCal, another advice?
  Thanks in advance!

• 1  OSX Lion Mission Control vs Snow Leopard Expose can't we combine the two (by leaving older Expose options inside) and get Apple back to leaping forward again?

  So I am a web/software developer and I am having major beef with OSX Lion's Mission Control.  While I think Mission Control and Application Windows are interesting additions to the multi-tasking nature and scheme of the OS, removing the older Expose Spaces and All Windows is a huge mistake.  Couldn't Apple have just left all of the old stuff in? Then the system would be complete.  As pretty as Mission Control and Application Windows is, the older Snow Leopard Spaces and Expose moved much faster and tamed all of my apps in a very efficient way.
  Here is why Mission Control is not as fast as Spaces and Expose:....
  1. With Spaces all of the desktops and their connected monitors were consolidated to one monitor in which you can easily see everything going on from a birds eye view.  You cloud easily drag open windows between them freely and even swap spaces.  This was huge because you could see everything.  You could even activate All Windows over Spaces and see everything..Mission Control will group everything but you can't move programs across desktops unless it's the main desktop to the little desktop.  Nor can you move windows across monitors.  This is frustrating.  Also the desktop are split to their respective monitor so I no longer have a birds-eye key-map access.
  2. All Windows is so necessary and slick. Mission Control or Application Windows can't quite keep up.  If I have a cluttered desktop and hit all windows, I can get any window at any time no matter how buried it is.  Application Windows is useful but only applies to the focused application…but what if it's buried?  I have to activate mission control first, select one of the windows from the program group, then activate Application Windows to get to that window.  Also if there are many windows open for an application, Mission Control cannot replace All Windows because they stack and you can't quite tell which of the windows you want is accessible in that stack.
  The bottom line is, put both of them together!  Keep the old functionality as an option, because truth be told, the old way of doing things is still considerably faster under heavy work loads.  I would use the Snow Leopard expose features more often.  There is still room for Application Windows and Mission Control, but even after re-training myself I feel I'm moving at 70% of the multitasking speed that I used to move at before using Snow Leopard Expose.  I mean this legitimately, I develop using multiple OS's along with video chat and instead of being a leap forward, Lion is a step backward and that just isn't like apple, everything Apple has done has been leaps and bounds forward.  Let's leap forward and not only have all the sweet new features that Lion offers, but combine with the productive features that really moved and maybe just integrate into Lion's style.  Bottle that and you have something sweeter than Yoohoo.

  I completely agree with airbnboy. I used to be able to quick organised different windows within the same app to different spaces (now "desktops" for no apparent reason). This worked very smoothly in expose/spaces. I'd use one gesture to get to spaces, then another for expose, and I'd have all my windows in all spaces visible.
  Now, I can't even see all of my windows in specific to one desktop! The best I can do is double scroll to see *some parts* of the windows on a desktop. So now, selecting a window for a specifc app is huge pain.
  Worse than this, on moving windows from a desktop to another in, Mission Control will change the ordering of the stacks (per app, not the windows in the stacks). Umm, what is the possible benefit there?
  So, now there is no use of spatial memory - e.g. Window X for App Y was in the top left of all my windows in the top left space, and I want to move it now. It's no longer possible to see all app windows in a specific "desktop", and much more effort is required to move windows around.
  Great, well done Apple. Can we please, please have Expose and Spaces back as an option? Or at the very least, some way to view all windows for a specifc app on a specific desktop - and by "view", I mean see the whole window, not just a tiny indicator of the window, or a slightly expanded stack that may not give enough context.
  The only reason I "upgraded" to Lion was to get XCode 4.2.

• ACS 4.2 with patch 4 Services restart

  I have installed ACS 4.2 with patch 4
  Scertain period after authentication failed. Giving internal error. I need to restart all the services. What could be proble and pl help me in resolving this issue. I am running short of time.

  Internal Error is very generic in error. I hope that you had your Logging set to Full, if not then you wont be able to see the exact reason in the debug logs.
  You might want to check,
  \CSAuth\Logs
  And check the debug log when you got the internal error for a particular authentication attempt.
  Also, what kind of authentication was failing ? Was it PEAP/EAP-FAST with inner method as MSCHAP machine authentication, then it could be something related to,
  CSCsq96755 : ACS needs manual restart to recover machine authentication
  Then go for Patch 5 for ACSv4.2
  Regards,
  Prem
  Please rate if it helps!