802.11x with 2008 R2 NPS
Here's what I'm using for attempt at 802.11x:
-2008 R2 NPS
-AIR-AP1142N-A-K9
-Lenovo T510 Laptop
Here is what I followed:
1. http://techblog.mirabito.net.au/?p=87&cpage=1#comment-26452
2. http://blog.laurence.id.au/2010/03/running-peap-with-cisco-aeronet-1231g.html
Here is my config on the AP, radius related:
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
clock timezone EST -4
dot11 syslog
dot11 ssid IPC02-AP
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa version 2
guest-mode
encryption mode ciphers aes-ccm tkip
interface BVI1
ip address 192.168.1.7 255.255.255.0
no ip route-cache
ip radius source-interface BVI1
radius-server local
nas 192.168.1.38 key 7 *
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.38 auth-port 1645 acct-port 1646 key 7 *
Here is my part of my debug:
RADIUS(000000C0): Received from id 1645/151
RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
Client 0026.c750.**** failed: by EAP authentication server
dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for 0026.c750.****
dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 0026.c750.****
dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
dot11_auth_dot1x_send_client_fail: Authentication failed for 0026.c750.****
DOT11-7-AUTH_FAILED: Station 0026.c750.**** Authentication failed RADIUS(000000C0): Received from id 1645/151
RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
Client 0026.c750.**** failed: by EAP authentication server
dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for 0026.c750.****
dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 0026.c750.****
dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
dot11_auth_dot1x_send_client_fail: Authentication failed for 0026.c750.****
DOT11-7-AUTH_FAILED: Station 0026.c750.**** Authentication failed
I get a "connection failed" on my laptop. I don't see any logs/events relating to a failure of credentials on my 2008 server.
Any ideas?
I have not gotten any other feedback and I have not been ablet to identify anything on technet about it. It will happen with any role that requires more than 27 of the Cisco-AV-Pair settings. It is working fine for stuff like the Lobby administrator logins, that require less than 5 access rules to be passed from the NPS, but that just goes to show that it is working as long as I do ot hit the 27 "line-item" limit.
Similar Messages
-
WCS Radius Authentication issue with 2008 R2 NPS
OK, so I have my MPS working. I am authenticating all sorts of Cisco devices and I can even authenticate the admin login from the WCS server. UNLESS I add more than 27 of the custom settings in the Cisco-AV-Pair that the WCS uses to define the logged in user rights. Anything after the 27th setting the login times out and the WCS denies access. I go back to 27 and it logs in fine. There are 73 settings for the default admin user.
Anyone have any ideas why this is happening or better yet, how to get around it?
I have been searching through the MS technet to see if there is a limitation built in to the NPS, but I have yet to find anything.
Thanks,
RodI have not gotten any other feedback and I have not been ablet to identify anything on technet about it. It will happen with any role that requires more than 27 of the Cisco-AV-Pair settings. It is working fine for stuff like the Lobby administrator logins, that require less than 5 access rules to be passed from the NPS, but that just goes to show that it is working as long as I do ot hit the 27 "line-item" limit.
-
HT4718 wpa2 enterprise 802.11x protocol with pap authentication. Lion Reformat
My school has only wpa2 enterprise 802.11x protocol with pap authentication. Due to this I can not reinstall lion as a fresh copy. I realized that I can download lion again from the app store. Can it do a fresh install?
I am having the exactly same problem as ecko04. I also tried to intall the certificate provided by my university but it failed. Could somebody help us out? Thanks
-
2008 R2 NPS wont connect to Cisco 1841 via Cisco VPN 5.0.03.0560
I am migrating our IAS server from 2003 R2 to 2008 R2 NPS that we use to authenticate VPN conenctions through AD. Currently works without issue on 2003 R2 server. Does not want to work on 2008 R2 NPS server.
We are using Cisco VPN client 5.0.03.0560 as the VPN client. Below is the log file when I try to connect. Can someone tell me what needs to be done on NPS to get this working? If more info is needed please ask and will supply.
Cisco Systems VPN Client Version 5.0.03.0560
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client\
1 10:55:10.906 06/05/14 Sev=Info/4 CM/0x63100002
Begin connection process
2 10:55:10.921 06/05/14 Sev=Info/4 CM/0x63100004
Establish secure connection
3 10:55:10.921 06/05/14 Sev=Info/4 CM/0x63100024
Attempt connection with server ".com"
4 10:55:10.921 06/05/14 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.x.x.
5 10:55:10.937 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x
6 10:55:11.140 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
7 10:55:11.140 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from x.x.x.x
8 10:55:11.140 06/05/14 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
9 10:55:11.140 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports DPD
10 10:55:11.203 06/05/14 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
11 10:55:11.140 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text
12 10:55:11.140 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
13 10:55:11.140 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
14 10:55:11.140 06/05/14 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
15 10:55:11.140 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to x.x.x.x
16 10:55:11.140 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
17 10:55:11.140 06/05/14 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x078F, Remote Port = 0x1194
18 10:55:11.140 06/05/14 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
19 10:55:11.140 06/05/14 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
20 10:55:11.203 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
21 10:55:11.203 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from x.x.x.x
22 10:55:11.203 06/05/14 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
23 10:55:11.203 06/05/14 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
24 10:55:11.203 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
25 10:55:11.203 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
26 10:55:11.203 06/05/14 Sev=Info/4 CM/0x63100015
Launch xAuth application
27 10:55:11.250 06/05/14 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
28 10:55:11.250 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
29 10:55:15.484 06/05/14 Sev=Info/4 CM/0x63100017
xAuth application returned
30 10:55:15.484 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
31 10:55:21.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
32 10:55:31.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
33 10:55:41.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
34 10:55:51.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
35 10:55:52.593 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
36 10:55:52.593 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
37 10:55:52.609 06/05/14 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
38 10:55:52.593 06/05/14 Sev=Info/4 CM/0x63100015
Launch xAuth application
39 10:56:01.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
40 10:56:07.656 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
41 10:56:07.656 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from x.x.x.x
42 10:56:11.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
43 10:56:21.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
44 10:56:22.656 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
45 10:56:22.656 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from x.x.x.x
46 10:56:31.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
47 10:56:37.765 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
48 10:56:37.765 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from x.x.x.x
49 10:56:41.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
50 10:56:51.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
51 10:56:52.812 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
52 10:56:52.812 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from x.x.x.x
53 10:57:01.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
54 10:57:07.562 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
55 10:57:07.562 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from x.x.x.x
56 10:57:11.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
57 10:57:21.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
58 10:57:31.218 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
59 10:57:33.046 06/05/14 Sev=Info/4 CM/0x63100017
xAuth application returned
60 10:57:33.046 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
61 10:57:33.046 06/05/14 Sev=Info/4 CM/0x63100018
User does not provide any authentication data
62 10:57:33.046 06/05/14 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
63 10:57:33.046 06/05/14 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=A5D0259F68268513 R_Cookie=D90058DAEBC5310F) reason = DEL_REASON_RESET_SADB
64 10:57:33.046 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to x.x.x.x
65 10:57:33.046 06/05/14 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=A5D0259F68268513 R_Cookie=D90058DAEBC5310F) reason = DEL_REASON_RESET_SADB
66 10:57:33.046 06/05/14 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
67 10:57:33.062 06/05/14 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
68 10:57:33.218 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
69 10:57:33.218 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
70 10:57:33.218 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
71 10:57:33.218 06/05/14 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
72 11:00:54.656 06/05/14 Sev=Info/4 CM/0x63100002
Begin connection process
73 11:00:54.671 06/05/14 Sev=Info/4 CM/0x63100004
Establish secure connection
74 11:00:54.671 06/05/14 Sev=Info/4 CM/0x63100024
Attempt connection with server ".com"
75 11:00:54.687 06/05/14 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.x.x
76 11:00:54.703 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x
77 11:00:54.750 06/05/14 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
78 11:00:54.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
79 11:00:54.953 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
80 11:00:54.953 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from x.x.x.x
81 11:00:54.953 06/05/14 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
82 11:00:54.953 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports DPD
83 11:00:54.953 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text
84 11:00:55.015 06/05/14 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
85 11:00:54.953 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
86 11:00:54.953 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
87 11:00:54.953 06/05/14 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
88 11:00:54.968 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to x.x.x.x
89 11:00:54.968 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
90 11:00:54.968 06/05/14 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x0798, Remote Port = 0x1194
91 11:00:54.968 06/05/14 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
92 11:00:54.968 06/05/14 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
93 11:00:55.000 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
94 11:00:55.000 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from x.x.x.x
95 11:00:55.000 06/05/14 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
96 11:00:55.000 06/05/14 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
97 11:00:55.015 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
98 11:00:55.015 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
99 11:00:55.015 06/05/14 Sev=Info/4 CM/0x63100015
Launch xAuth application
100 11:00:58.765 06/05/14 Sev=Info/4 CM/0x63100017
xAuth application returned
101 11:00:58.765 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
102 11:01:05.250 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
103 11:01:15.250 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
104 11:01:25.250 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
105 11:01:30.312 06/05/14 Sev=Info/6 GUI/0x63B0000D
Disconnecting VPN connection.
106 11:01:30.312 06/05/14 Sev=Info/4 CM/0x63100006
Abort connection attempt before Phase 1 SA up
107 11:01:30.312 06/05/14 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
108 11:01:30.312 06/05/14 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=B172E43640D94E73 R_Cookie=D90058DA499474F6) reason = DEL_REASON_RESET_SADB
109 11:01:30.328 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to x.x.x.x
110 11:01:30.328 06/05/14 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=B172E43640D94E73 R_Cookie=D90058DA499474F6) reason = DEL_REASON_RESET_SADB
111 11:01:30.328 06/05/14 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
112 11:01:30.328 06/05/14 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
113 11:01:30.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
114 11:01:30.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
115 11:01:30.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
116 11:01:30.750 06/05/14 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
117 11:01:44.875 06/05/14 Sev=Info/4 CM/0x63100002
Begin connection process
118 11:01:44.890 06/05/14 Sev=Info/4 CM/0x63100004
Establish secure connection
119 11:01:44.890 06/05/14 Sev=Info/4 CM/0x63100024
Attempt connection with server ".com"
120 11:01:44.906 06/05/14 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.x.x
121 11:01:44.921 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x
122 11:01:45.234 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
123 11:01:45.234 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from x.x.x.x
124 11:01:45.296 06/05/14 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
125 11:01:45.234 06/05/14 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
126 11:01:45.234 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports DPD
127 11:01:45.234 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text
128 11:01:45.234 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
129 11:01:45.234 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
130 11:01:45.234 06/05/14 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
131 11:01:45.234 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to x.x.x.x
132 11:01:45.234 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
133 11:01:45.234 06/05/14 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x079B, Remote Port = 0x1194
134 11:01:45.234 06/05/14 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
135 11:01:45.234 06/05/14 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
136 11:01:45.250 06/05/14 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
137 11:01:45.250 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
138 11:01:45.281 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
139 11:01:45.281 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from x.x.x.x
140 11:01:45.281 06/05/14 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
141 11:01:45.281 06/05/14 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
142 11:01:45.296 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
143 11:01:45.296 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
144 11:01:45.296 06/05/14 Sev=Info/4 CM/0x63100015
Launch xAuth application
145 11:01:53.625 06/05/14 Sev=Info/4 CM/0x63100017
xAuth application returned
146 11:01:53.625 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
147 11:01:53.640 06/05/14 Sev=Info/4 CM/0x63100018
User does not provide any authentication data
148 11:01:53.640 06/05/14 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
149 11:01:53.640 06/05/14 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=07A59EB947FF6880 R_Cookie=D90058DA7E39EE62) reason = DEL_REASON_RESET_SADB
150 11:01:53.640 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to x.x.x.x
151 11:01:53.640 06/05/14 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=07A59EB947FF6880 R_Cookie=D90058DA7E39EE62) reason = DEL_REASON_RESET_SADB
152 11:01:53.640 06/05/14 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
153 11:01:53.640 06/05/14 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
154 11:01:53.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
155 11:01:53.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
156 11:01:53.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
157 11:01:53.750 06/05/14 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
158 11:02:00.406 06/05/14 Sev=Info/4 CM/0x63100002
Begin connection process
159 11:02:00.421 06/05/14 Sev=Info/4 CM/0x63100004
Establish secure connection
160 11:02:00.421 06/05/14 Sev=Info/4 CM/0x63100024
Attempt connection with server "com"
161 11:02:00.421 06/05/14 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.x.x
162 11:02:00.437 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x
163 11:02:00.750 06/05/14 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
164 11:02:00.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
165 11:02:01.015 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
166 11:02:01.015 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from x.x.x.x
167 11:02:01.015 06/05/14 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
168 11:02:01.109 06/05/14 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
169 11:02:01.015 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports DPD
170 11:02:01.015 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text
171 11:02:01.015 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
172 11:02:01.015 06/05/14 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
173 11:02:01.031 06/05/14 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
174 11:02:01.031 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to x.x.x.x
175 11:02:01.031 06/05/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
176 11:02:01.031 06/05/14 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x079E, Remote Port = 0x1194
177 11:02:01.031 06/05/14 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
178 11:02:01.031 06/05/14 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
179 11:02:01.078 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
180 11:02:01.078 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from x.x.x.x
181 11:02:01.078 06/05/14 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
182 11:02:01.078 06/05/14 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
183 11:02:01.078 06/05/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
184 11:02:01.078 06/05/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
185 11:02:01.078 06/05/14 Sev=Info/4 CM/0x63100015
Launch xAuth application
186 11:02:06.406 06/05/14 Sev=Info/4 CM/0x63100017
xAuth application returned
187 11:02:06.406 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
188 11:02:06.406 06/05/14 Sev=Info/4 CM/0x63100018
User does not provide any authentication data
189 11:02:06.406 06/05/14 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
190 11:02:06.406 06/05/14 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=E9F0E2EDD6D85F48 R_Cookie=D90058DA2BBDFC93) reason = DEL_REASON_RESET_SADB
191 11:02:06.406 06/05/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to x.x.x.x
192 11:02:06.406 06/05/14 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=E9F0E2EDD6D85F48 R_Cookie=D90058DA2BBDFC93) reason = DEL_REASON_RESET_SADB
193 11:02:06.406 06/05/14 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
194 11:02:06.421 06/05/14 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
195 11:02:06.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
196 11:02:06.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
197 11:02:06.750 06/05/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
198 11:02:06.750 06/05/14 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stoppedI am using 2008 R2 NPS as radius server. 1841 ISR as VPN device. Here are debug loghs from Cisco 1841
1430434: .Jun 9 2014 12:06:59.187 PDT: RADIUS: no sg in radius-timers: ctx 0x62A26CC8 sg 0x0000
1430435: .Jun 9 2014 12:06:59.187 PDT: RADIUS: Retransmit to (10.1.x.x:1645,1646) for id 1645/140
1430436: .Jun 9 2014 12:06:59.191 PDT: RADIUS: Received from id 1645/140 10.1.4.7:1645, Access-Reject, len 20
1430437: .Jun 9 2014 12:06:59.191 PDT: RADIUS: authenticator 06 F7 D9 7C 40 F4 9A FB - E1 81 EE EC 66 84 48 B7
1430438: .Jun 9 2014 12:06:59.191 PDT: RADIUS: response-authenticator decrypt fail, pak len 20
1430439: .Jun 9 2014 12:06:59.191 PDT: RADIUS: packet dump: 038C001406F7D97C40F49AFBE181EEEC668448B7
1430440: .Jun 9 2014 12:06:59.191 PDT: RADIUS: expected digest: 7AAF1DE8D8190BC4D8B9B66437405BBA
1430441: .Jun 9 2014 12:06:59.191 PDT: RADIUS: response authen: 06F7D97C40F49AFBE181EEEC668448B7
1430442: .Jun 9 2014 12:06:59.191 PDT: RADIUS: request authen: 2669BD0BEF3749C79C551EABB4B4D105
1430443: .Jun 9 2014 12:06:59.191 PDT: RADIUS: Response (140) failed decrypt
1430444: .Jun 9 2014 12:07:05.246 PDT: RADIUS: no sg in radius-timers: ctx 0x62A26CC8 sg 0x0000
1430445: .Jun 9 2014 12:07:05.246 PDT: RADIUS: Retransmit to (10.1.4.7:1645,1646) for id 1645/140
1430446: .Jun 9 2014 12:07:05.250 PDT: RADIUS: Received from id 1645/140 10.1.4.7:1645, Access-Reject, len 20
1430447: .Jun 9 2014 12:07:05.250 PDT: RADIUS: authenticator 06 F7 D9 7C 40 F4 9A FB - E1 81 EE EC 66 84 48 B7
1430448: .Jun 9 2014 12:07:05.250 PDT: RADIUS: response-authenticator decrypt fail, pak len 20
1430449: .Jun 9 2014 12:07:05.250 PDT: RADIUS: packet dump: 038C001406F7D97C40F49AFBE181EEEC668448B7
1430450: .Jun 9 2014 12:07:05.250 PDT: RADIUS: expected digest: 7AAF1DE8D8190BC4D8B9B66437405BBA
1430451: .Jun 9 2014 12:07:05.250 PDT: RADIUS: response authen: 06F7D97C40F49AFBE181EEEC668448B7
1430452: .Jun 9 2014 12:07:05.250 PDT: RADIUS: request authen: 2669BD0BEF3749C79C551EABB4B4D105
1430453: .Jun 9 2014 12:07:05.254 PDT: RADIUS: Response (140) failed decrypt
1430454: .Jun 9 2014 12:07:08.574 PDT: %SEC-6-IPACCESSLOGP: list 102 denied tcp x.x.9.47(21303) -> x.x.109.122(5038), 1 packet
1430455: .Jun 9 2014 12:07:09.826 PDT: RADIUS: no sg in radius-timers: ctx 0x62A26CC8 sg 0x0000
1430456: .Jun 9 2014 12:07:09.826 PDT: RADIUS: Retransmit to (10.1.4.7:1645,1646) for id 1645/140
1430457: .Jun 9 2014 12:07:09.830 PDT: RADIUS: Received from id 1645/140 10.1.x.x:1645, Access-Reject, len 20
1430458: .Jun 9 2014 12:07:09.830 PDT: RADIUS: authenticator 06 F7 D9 7C 40 F4 9A FB - E1 81 EE EC 66 84 48 B7
1430459: .Jun 9 2014 12:07:09.830 PDT: RADIUS: response-authenticator decrypt fail, pak len 20
1430460: .Jun 9 2014 12:07:09.830 PDT: RADIUS: packet dump: 038C001406F7D97C40F49AFBE181EEEC668448B7
1430461: .Jun 9 2014 12:07:09.830 PDT: RADIUS: expected digest: 7AAF1DE8D8190BC4D8B9B66437405BBA
1430462: .Jun 9 2014 12:07:09.830 PDT: RADIUS: response authen: 06F7D97C40F49AFBE181EEEC668448B7
1430463: .Jun 9 2014 12:07:09.830 PDT: RADIUS: request authen: 2669BD0BEF3749C79C551EABB4B4D105
1430464: .Jun 9 2014 12:07:09.830 PDT: RADIUS: Response (140) failed decrypt
1430465: .Jun 9 2014 12:07:14.210 PDT: RADIUS: no sg in radius-timers: ctx 0x62A26CC8 sg 0x0000
1430466: .Jun 9 2014 12:07:14.210 PDT: RADIUS: No response from (10.1.4.7:1645,1646) for id 1645/140
Log Buffer (4096 bytes):
6E7C
1430534: .Jun 9 2014 12:09:50.586 PDT: RADIUS: expected digest: DE950EACA36AD5E6CE5A0148663AB1AD
1430535: .Jun 9 2014 12:09:50.586 PDT: RADIUS: response authen: 9745CF5AD4B8418A59D9C97E72586E7C
1430536: .Jun 9 2014 12:09:50.590 PDT: RADIUS: request authen: E39E7226C93AFEDCAF03A49F11FDA193
1430537: .Jun 9 2014 12:09:50.590 PDT: RADIUS: Response (141) failed decrypt
1430538: .Jun 9 2014 12:09:51.902 PDT: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 12 packets
1430539: .Jun 9 2014 12:09:55.638 PDT: %SEC-6-IPACCESSLOGP: list 112 denied tcp x.x.245.x(1602) -> x.32.x.x(445), 1 packet
1430540: .Jun 9 2014 12:09:55.974 PDT: RADIUS: no sg in radius-timers: ctx 0x637771F4 sg 0x0000
1430541: .Jun 9 2014 12:09:55.974 PDT: RADIUS: Retransmit to (10.x.x.x:1645,1646) for id 1645/141
1430542: .Jun 9 2014 12:09:55.978 PDT: RADIUS: Received from id 1645/141 10.1.4.7:1645, Access-Reject, len 20
1430543: .Jun 9 2014 12:09:55.978 PDT: RADIUS: authenticator 97 45 CF 5A D4 B8 41 8A - 59 D9 C9 7E 72 58 6E 7C
1430544: .Jun 9 2014 12:09:55.978 PDT: RADIUS: response-authenticator decrypt fail, pak len 20
1430545: .Jun 9 2014 12:09:55.978 PDT: RADIUS: packet dump: 038D00149745CF5AD4B8418A59D9C97E72586E7C
1430546: .Jun 9 2014 12:09:55.978 PDT: RADIUS: expected digest: DE950EACA36AD5E6CE5A0148663AB1AD
1430547: .Jun 9 2014 12:09:55.978 PDT: RADIUS: response authen: 9745CF5AD4B8418A59D9C97E72586E7C
1430548: .Jun 9 2014 12:09:55.978 PDT: RADIUS: request authen: E39E7226C93AFEDCAF03A49F11FDA193
1430549: .Jun 9 2014 12:09:55.978 PDT: RADIUS: Response (141) failed decrypt
1430550: .Jun 9 2014 12:09:58.070 PDT: %SEC-6-IPACCESSLOGP: list 102 denied tcp 27.x.x.x(33281) -> 12.x.x.x(80), 1 packet
1430551: .Jun 9 2014 12:10:00.326 PDT: RADIUS: no sg in radius-timers: ctx 0x637771F4 sg 0x0000
1430552: .Jun 9 2014 12:10:00.326 PDT: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.1.x.x:1645,1646 is not responding.
1430553: .Jun 9 2014 12:10:00.326 PDT: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.1.x.x:1645,1646 is being marked alive.
1430554: .Jun 9 2014 12:10:00.326 PDT: RADIUS: Retransmit to (10.1.x.x:1645,1646) for id 1645/141
1430555: .Jun 9 2014 12:10:00.330 PDT: RADIUS: Received from id 1645/141 10.1.x.x:1645, Access-Reject, len 20
1430556: .Jun 9 2014 12:10:00.330 PDT: RADIUS: authenticator 97 45 CF 5A D4 B8 41 8A - 59 D9 C9 7E 72 58 6E 7C
1430557: .Jun 9 2014 12:10:00.330 PDT: RADIUS: response-authenticator decrypt fail, pak len 20
1430558: .Jun 9 2014 12:10:00.330 PDT: RADIUS: packet dump: 038D00149745CF5AD4B8418A59D9C97E72586E7C
1430559: .Jun 9 2014 12:10:00.330 PDT: RADIUS: expected digest: DE950EACA36AD5E6CE5A0148663AB1AD
1430560: .Jun 9 2014 12:10:00.330 PDT: RADIUS: response authen: 9745CF5AD4B8418A59D9C97E72586E7C
1430561: .Jun 9 2014 12:10:00.330 PDT: RADIUS: request authen: E39E7226C93AFEDCAF03A49F11FDA193
1430562: .Jun 9 2014 12:10:00.334 PDT: RADIUS: Response (141) failed decrypt
1430563: .Jun 9 2014 12:10:01.713 PDT: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 175.x.x.x -> x.x.x.104 (3/3), 1 packet
1430564: .Jun 9 2014 12:10:05.841 PDT: RADIUS: no sg in radius-timers: ctx 0x637771F4 sg 0x0000
1430565: .Jun 9 2014 12:10:05.841 PDT: RADIUS: Retransmit to (10.x.x.x:1645,1646) for id 1645/141
1430566: .Jun 9 2014 12:10:05.845 PDT: RADIUS: Received from id 1645/141 10.x.x.x:1645, Access-Reject, len 20
1430567: .Jun 9 2014 12:10:05.845 PDT: RADIUS: authenticator 97 45 CF 5A D4 B8 41 8A - 59 D9 C9 7E 72 58 6E 7C
1430568: .Jun 9 2014 12:10:05.845 PDT: RADIUS: response-authenticator decrypt fail, pak len 20
1430569: .Jun 9 2014 12:10:05.845 PDT: RADIUS: packet dump: 038D00149745CF5AD4B8418A59D9C97E72586E7C
1430570: .Jun 9 2014 12:10:05.845 PDT: RADIUS: expected digest: DE950EACA36AD5E6CE5A0148663AB1AD
1430571: .Jun 9 2014 12:10:05.845 PDT: RADIUS: response authen: 9745CF5AD4B8418A59D9C97E72586E7C
1430572: .Jun 9 2014 12:10:05.849 PDT: RADIUS: request authen: E39E7226C93AFEDCAF03A49F11FDA193
1430573: .Jun 9 2014 12:10:05.849 PDT: RADIUS: Response (141) failed decrypt -
WLC 2504 - Issue with using Microsoft NPS for Radius Management Login
Hello,
In our environment we like to have our network admins and engineers use their Active Directory credentials when logging into devices so we can log who logged into which devices and if any changes were made. To do this we use a Server 2008 R2 NPS server with all our routers, switches and ASA's. We recently purchased a WLC to begin adding wireless to our environment. (See WLC_Radius_Config.png and NPS_Radius_Config.png)
On the WLC, I am able to authenticate in using my AD credentials but when I go to apply any config changes I get a message saying "Authorization Failed. No sufficient privileges." (See error.png) I have a feeling I am missing something small but this is very important to us.
I checked the Radius server and there are no login errors or NPS errors pointing to the WLC logins. Has anyone else run into this issue or know what I can do to solve it?
Thanks,Hi Kyujin,
I wish I had finished my guide. Didn't realize it would take this long.
But what I meant is that when adding the attributes to my NPS (Microsoft's Network Policy Server) I only had to add the role and virtual domain if using Prime Infrastructure.
If you use NCS, you have to add the role, all the tasks, and the virtual domain.
See the screenshots and see if that helps explain it. Not sure how TACACS will work as I'm not familiar with it.
Microsoft NPS - Attributes for NCS
Microsoft NPS - Attributes for PI -
ASK THE EXPERTS - Update on 802.11n with Fred Niehaus
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to get an update on 802.11n with Cisco expert Fred Niehaus. Fred is a Technical Marketing Engineer for the Wireless Networking Business Unit at Cisco, where he is responsible for developing and marketing enterprise wireless solutions using Cisco Aironet and Airespace wireless LAN products. In addition to his participation in major deployments, Fred has served as technical editor for several Cisco Press books including the "Cisco 802.11 Wireless Networking Reference Guide" and "The Business Case for Enterprise-Class Wireless LANs." Prior to joining Cisco with the acquisition of Aironet, Fred was a support engineer for Telxon Corporation, supporting some of the very first wireless implementations for major corporate customers. Fred has been in the data communications and networking industry for more than 20 years and holds a Radio Amateur (Ham) License "N8CPI."
Remember to use the rating system to let Fred know if you have received an adequate response.
Fred might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Other Mobility Subjects discussion forum shortly after the event. This event lasts through March 25, 2011. Visit this forum often to view responses to your questions and the questions of other community members.So there are two parts of this question, the latter part I cannot address as it is a future question. Cisco does not comment on products that have not been released or on the strategy of next generation products.
That said, Cisco was first to market with an 802.11n Access Point and well (we didn't all go on vacation after we did that)
So let's talk a little about spatial streams in general and how it relates to what customers are doing today.
The Cisco 1040, 1140, 1250, 1260 and 3500 Series Access Points are all two spatial streams (2SS).
As of the time of this writing, a critical mass of 3SS and 4SS compatible clients have yet to be deployed, and the vast majority of WiFi clients that will be deployed over the next 18 months will be 1SS and 2SS clients.
The higher SS clients are likely only show up in some higher end notebooks -- Why? well it is a given that smartphones and tablets are likely to continue to be 1SS and in some rare cases 2SS.
This is because additional radios used in this technology consume battery life, add to the physical size of the device and increase the cost. Also many devices leverage the same single antenna for cellular as well as WiFi. Therefore, it is my opinion that 3SS Access Points provide little if any performance benefit for smartphones or tablets in the enterprise today, and any real throughput gain is likely to occur with high end notebooks in close proximity to the Access Point and those are rolling out very slowly and we are monitoring this.
Now we get to my favorite part of this.. I get to ask myself a question and then answer it..
So Fred are you saying that there is no value in 3SS and 4SS?
Of course not, 3SS performs similar to 2SS beyond a short distance, and with any multi-SS product RF interference must be addressed to capture the performance benefits of higher SS Access Points. Actual throughput in any WiFi environment is highly dependent on the presence of interferers and obstacles.
Without the ability to mitigate the impact of interference, 3SS solutions will "downshift" to 2SS of 1SS and lose all the performance benefits anyway IMHO.
I don't want to sound like a commercial, but you really do need Cisco cleanair technology in the AP and Cisco innovations deliver more and will go beyond the simple 3SS aspects of the 802.11n standard.
IMHO it's more about CleanAir, good RF system design, and what we put into the AP with regard to performance "in the environment" and not what is on some spec sheet today.
For more on Cisco CleanAir see the following URL http://www.cisco.com/en/US/netsol/ns1070/index.html
Fred -
Cisco ip phones authenticate 802.1x with cisco ise 1.3
Dear all,
I want to configure cisco ise 1.3 with 802.1x , to authenticate cisco ip phones ( CUCM 10.5.2 ) with LSC certificate.
How I have to configure cisco ise authentication rules for 802.1x with cisco ip phones? Are there any configuration examples ?
Thanksfollowing are ISE 802.1x sample authentication rules..you can change the protocol (Policy -> policy elements - > results -> authentication and you can select the proctocal)
-
Connecting WRT300N to internet using 802.11x
My service provider requires 802.11x authentication to connect to Internet. Is there any way to get my WRT300N to act as a 802.11x client on it's internet connection?
no...the linksys router's cannot be used as wireless clients..they only act as a wireless access point ..
-
802.11x device drivers in Solaris 10
Can any one point me to a list of 802.11x devices supported by Solaris 10
Thanks
Enzohttp://www.sun.com/bigadmin/hcl/
-
I have manage to get wired 802.1x working using Windows Active Directory as the database. With machine authentication, single-signon can be achieved.
Setup:
C3750 switch - Cisco ACS 3.2 - Windows AD
Sequence of events:
1. 802.1x machine authentication
2. User logs in to domain
3. 802.1x with user credentials
But, I have the following issues:
i. If user logs in using local account, it takes 3 minutes (default dot1x switch timers) for the port to turn unauthorized. Is it possible to place the port in unauthorized state immediately?
ii. If the user 802.1x login has dynamic VLAN assignment, the AD scripts do not run. It seems that the AD scripts can't run if there is a change of IP address upon login (difference in VLAN for 'machine authentication' and 'user login').
Any solution for this?
Tks2 issues here:
*Cached credentials for Microsoft supplicannts. Microsoft's authentication strategy in general reflects, and WLAN roaming would be difficult without the use of cached credentials. If cached credentials are not desired, would recommend another supplicant.
* Falied Authentication for a local account. It should try to dot1x authenticate this user. For PEAP as an example, you would see the username as \. Now, a port will only be placed into a HELD state if a RADIUS-Reject is sent to the switch. A RADIUS-Reject will only be sent to the switch if the attempt is actually "failed" as opposed to silently discarded, packet lost in transit, etc. Taking 3 minutes to actually fail an attempt is indeed way too long, but the switch is probably doing what RADIUS is telling it to do. (this can be verified by a sniffer trace or debugs). Correspinding logs on RADIUS would help as well. -
Cisco ip phones authenticate 802.1x with cisco ise
Dears,
I want to configure ip phones authenticate from Cisco ISE with 802.1X with certificates. But i can not find any configuration guide about this solutions.
I find one config and this is about ACS. Please provide me any documentation guide on cisco ise.
Thanks.802.1x configuration for IP Phones
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html#69217 -
Wireless 802.1x with Window 7
I have a WLC 6.0, ACS 3.3 and the SSID is setup to use 802.1x with Peap Authentication. The clients are using Windows 7 to connect to wireless. To get the clients connected they have to go into there network properties if the wireless card, configure the client to use PEAP, uncheck validate server certificate, and also uncheck use computer name to login into windows. This works fine and the user to able to connect to to wireless after dong all these steps and then entering in there Windows Username and Password. The customer is saying that this is to many steps for the end user and they just want the user to to click on the SSID and connect. If wireless could also be setup to use there windows username and password would be a bonus. I'm basically looking for a solution that is simple but is also secure as well. I know that's an oxymoron. Is there anything I could do to make the wireless process simpler. Either by going with a different security authentication or by doing something different on the clients computers. Thanks for any help and suggestions.
This is a script that we use on our campus (University of Leeds), that self configures an 802.1x connection and when a user connects to an 802.1x connection merely asks them for their username and password, which then remained cached.
The .exe you create takes away all the techy bits that do 'confuse' some users, even if they are provided with well written documentation.
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
https://sourceforge.net/projects/su1x/
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
http://lsayregj.swan.ac.uk/su1x/SU1X_User_Guide-v104.pdf
Features include:
- Automation of configuration of a PEAP wireless connection on XP(SP3),Vita and Win 7
- Can set EAP credentials without additional user interaction (avoids tooltip bubble)
- Installation of a certificate (silent)
- Checks for WPA2 compatibility and falls back to a WPA profile
- Third party supplicant check -SSID removal and priority setting
- Support tab: (checks: adapter, wzc service, profile presence, IP)
- Outputs check results to user with tooltip and/or to file
- Printer tab to add/remove networked printer
This tool is very cleverly written by Gareth Ayres at Swansea University -
802.1x with ACS and Windows AD
Hi
Im trying to setup 802.1x with ACS 5.2 but am struggling as its very differnet to ACS 4.2.
I have setup the ACS to be the domain and think i have setup up the External Idnetity Store, however when i try to authenticate a pc using authentication Medthod 'PEAP (EAP-MSCHAPv2), i get a failure reason '22056 Subject not found in the applicable identity store'
MarcoHi Marco,
i guess you've missed a mapping configuration in the Access Policy Section.
Create a Access Service name it AS-802.1x select User Select Service Type and select Network Access. Select the Policy Structure Identity and Authorization. Select PEAP as allowed Protocol. Click Finish
You'll see the new service click Identity.
Select the identity source you've created then save.
Click on authorization
Select a default authorization rule permit access and save.
Create a Service Access Rule name it 802.1x
Select Protocol Radius as Condition and as Compound Condition select RADIUS-IETF:Service-Type match Framed then select the service you created before.
then you can try again.
regards
alex -
[WLAN] Use 802.1x with PEAP without Certificates?
Hello there,
is it possible to use 802.1x with PEAP authentication via MS-CHAPv2 without cheking for the servers certificate? I can't find an option to disable itOn whitch device? You can set the autorithy certifacte to none or choose one from the list.
‡Thank you for hitting the Blue/Green Star button‡
N8-00 RM 596 V:111.030.0609; E71-1(05) RM 346 V: 500.21.009 -
802.1x with Vlan assignment and IP phone and PC
I have a Catalyst 4510R and I want to im plement 802.1x with dynamic VLAN assignment via Radius server. I am going to plug to switch ports Cisco IP phones and PCs (PCs are plugged in the IP phone).
For this implementation I need to configure the switch port in mode trunk because I have voice vlan corresponding IP phone and data vlan corresponding to PC.
However I have read that I can not enable 802.1x on a trunk port.
How could I configure this?
I need that when the PC is authenticated correctly is assigned to his cooresponding data vlan and the IP phone is in the voice vlan.
ThanksYou should configure the port as an access port with an aux-vlan. Here's an example:
interface GigabitEthernet2/2
switchport access vlan 701
switchport mode access
switchport voice vlan 702
load-interval 30
qos trust device cisco-phone
qos trust cos
auto qos voip cisco-phone
dot1x pae authenticator
dot1x port-control auto
tx-queue 3
bandwidth percent 33
priority high
shape percent 33
spanning-tree portfast
spanning-tree bpduguard enable
service-policy output autoqos-voip-policy
Hope this helps,
Maybe you are looking for
-
How do I use new Photos to autoscan for faces like iPhoto did?
iPhoto used to have a feature to auto scan for faces. On Photos, I seem to have to go through photos one by one, or identify "unidentified" faces 1 by 1, then it will auto detect just a few more, which is HUGELY inefficient with 1000s of photos.(a lo
-
FORCED DATA PACKAGE WITH PHONE UPGRADE
I have been a verizon customer since cell phones were cool. I started with a bag phone in my car. I have 5 verizon phones. Four on a family plan and one through a work plan. My son wanted to upgrade his phone today which is eligible for early
-
Problem in Installing Oracle 10g on Linux Enterprise Edition RHEL 3
Hi All, I am trying to install Oracle10g Rel 2 on RHEL 3, but the installer fails for some OS packages (rpms I think) for being of older edition like gcc etc. Whats the workaround for this or do I need to install for a more latest Version of Red Hat
-
BAM 11g - creating new report - More options not active
I am creating new reports in BAM 11g. 11.1.1.3.0 Build 8553 I can select the Data Object and Data Fields, but.... When I select any of the More options.... such as Create a filter or Create a calculated fied etc... I get the View Prompts screen and I
-
CS4...How do you draw/paint in pure black & white?
Sorry for the dumb questions but I'm absolutely new to this stuff and I'm getting a lot of great info here which I'm keeping meticulous notes of... I've figured out how to paint with CS4 in colors and "near" black/grey/ white (by going to the extreme