802.1x, eDirectory, and RADIUS

Hello all:
I hope that I am posting on the correct forum.
We currently have a Cisco ACS 3.3 which we have configured to use
eDirectory as an external LDAP directory. We are currently able to set
up access to our routers and switches via TACACS and successfully
authenticate via user names and passwords stored in eDirectory, so we
know that the LDAP access is working. eDirectory version is 8.7.3.4. OS
is Netware 6.5 sp 3.
We are now embarking on setting up wireless authentication utilizing
the AEGIS client from Meetinghouse as our supplicant. We have been
successful in authenticating to our test wireless AP (Cisco 1200) with
a user setup in an access group on the ACS using the ACS as a RADIUS
server. We are authenticating via LEAP. However, we have not been able
to authenticate using eDirectory usernames and passwords. Upon
reviewing various posts I have seen info about adding RADIUS attributes
to eDirectory to use the FreeRADIUS server. Is this necessary with the
ACS device? Do we need to change our protocol to EAP-TTLS as is
suggested in other posts or do we need to set up simple passwords? What
security considerations do we want to take into account?
If anyone has successfully implemented this configuration, please feel
free to contact me directly. We want to leverage eDirectory and our
client's experience with this platform to make wireless security as
seamless and secure as possible. This is a school district and we want
to be able to limit our user access via login names that they enter on
any machine in the district rather than via machine certificates. That
way if we want to deny a student access for disciplinary reasons, we
can implement it very easily.
I would greatly appreciate any assistance that can be provided!
Donna Moyer

Heiti
I sent you an email regarding our situation. Have you received it yet,
and if so, have you had a chance to respond to the wireless
authentication questions?
Thanks
heiti@boras_nospam_.se wrote:
> Nope....the easiest way to do it is to use eDirectory for authentication
> only and let the ACS server do the other stuff.
>
> I guess that the only time when you need to do so is when you are
> connecting to NetWare RADIUS via PAP over an EAP-TTLS tunnel.
> You can do that with FreeRADIUS but not with Cisco ACS.
> And the only clients supporting that are Intel PROSet, Aegis and Odyssey
> but not the Cisco or Microsoft supplicants.
>
>
> Which method to use depends on what environment you have:
> In a school environment (or an environment where computers are shared among
> many users) with the Novell Client installed, you should use PEAP (PEAPv1; GTC)
> instead of EAP-FAST and use the pre-logon stuff on the supplicant.
> And use a static user in the profile configuration (and you don't even need
> to have the user credentials in eDirectory), instead of prompting for the
> password and username all the time.
> (Because you need the IP address before the Novell Client tries to
> log on.)
> That should give, from a user's point of view, Single Sign On functionality.
>
> In the opposite environment, where there is a single profile (user) on each
> computer, you can use EAP-FAST (with manual PAC provisioning) or PEAP with
> eDirectory (or LDAP) as the authenticator database, and prompt for username
> and password each time.
>
>
> The ultimate method would be a Novell Client supporting EAP and a Novell
> RADIUS server supporting EAP-FAST/EAP-TTLS or PEAP.
> That should ease up everything a bit and give a clean environment and
> Single Sign On functionality =)
>
>
> PS. PEAP has the advantage over EAP-TLS that PEAP doesn't need a
> client certificate, only a server certificate.
>
>
> Method            Database          Certificate
> -------------------------------------------------
> EAP-FAST          LDAP/NDS/Etc.     No, only PAC
> PEAPv0 (MSChap)   AD                Server
> PEAPv1 (GTC)      LDAP/NDS/Etc.     Server
> EAP-TLS           LDAP/NDS/Etc.     Client, Server
> EAP-TTLS          NW RADIUS (PAP)   No
> LEAP              AD                No
>
>
> Feel free to ask more!
>
> Best regards,
> Heiti Ernits
> Network Technician
> Adk-Data
> Borås Stad

Similar Messages

  • Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-domain Q?

    I'm trying to follow the TrustSec 2.1 guide on IP Phones in Low-Impact mode.
    I can get a PC on its own to authenticate via dot1x/TLS.
    I can get a Cisco IP Phone on its own to authenticate via MAB.
    When the two are on the same switchport, the phone will authenticate but not the PC. ISE logs EAP timeouts.
    The switchport has the Low-Impact port ACL of
    ip access-group ACL-DEFAULT in
    The IP Phone gets a dACL that allows it OK.
    I assume a MAB phone and a dot1x PC is supported? Any ideas?
    Thanks in advance.

    The ISE log detailed steps are as follows:
    Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    11507  Extracted EAP-Response/Identity
    12300  Prepared EAP-Request proposing PEAP with challenge
    12625  Valid EAP-Key-Name attribute received
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12501  Extracted EAP-Response/NAK requesting to use EAP-TLS instead
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    12625  Valid EAP-Key-Name attribute received
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12806  Prepared TLS ServerHello message
    12807  Prepared TLS Certificate message
    12809  Prepared TLS CertificateRequest message
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    5411  No response received during 120 seconds on last EAP message sent to the client

  • How to configure a Cisco 3560 with MAC-based 802.1x authentication by radius server

    Hi dear,
    How can I configure a Cisco 3560 to authenticate a client based on its MAC address with 802.1x and a RADIUS server? Many thanks in advance!

    Olivier,
    You can't reference WLP visitor roles in weblogic.xml, but you can
    reference global roles (created using the WLS console):
    <security-role-assignment>
    <role-name>PortalSystemAdministrator</role-name>
    <externally-defined />
    </security-role-assignment>
    -Phil
    "Olivier" <[email protected]> wrote in message
    news:[email protected]..
    >
    We need to have a login page for our portal app.
    When using "form based" authentication, is it possible to map the security on an
    "entitlement role"?
    Our need is to be able to give direct URL access to some pages of the portal (for
    example by sending URLs like "http://server/appcontextpath/appmanager/myportal/mydesktop?_nfpb=true&_pageLabel=mypage"
    by email to portal users) and we need a simple mechanism of authentication before
    redirecting to the portal page.
    Inste

  • WPA2 Enterprise and RADIUS

    I configured my Aironet 1262N autonomous AP to authenticate and account my users against a FreeRADIUS server. In the RADIUS server database, I saw some records like:
    select username, acctauthentic, acctterminatecause, acctstarttime, acctstoptime from radacct where username='xxxxxx';
    As you can see, the Acct-Authentic field contains two possible values: Local and RADIUS. I didn't create any user with the name 'xxxxxx' on the AP, and I configured authentication against the RADIUS server. Why are there so many records with Acct-Authentic = 'Local'?
    Also, this user always loses his connection and then reconnects quickly. This user logs into his account on multiple devices, including a smartphone and computers. All of them are experiencing the same issue. Is there any way to debug it? Any potential reasons?
    Regards,
    Lingfeng Xiong       

    Hi,
    I have exactly the same problem with my FreeRADIUS and switches when the switches are on IOS 15.x.
    You can see the accounting log:
    Does someone have an idea?
    Thanks,
    Best regards,

  • Cisco ISE with TACACS+ and RADIUS both?

    Hello,
    I am initiating wired authentication on an existing network using Cisco ISE. I have been studying the requirements for this. I know I have to turn on RADIUS on the Cisco switches on the network. The switches on the network are already programmed for TACACS+. Does anybody know if they can both operate on the same network at the same time?
    Bob

    Hello Robert,
    I believe NO, they both won't work together, as TACACS and RADIUS are different technologies.
    It's just because TACACS encrypts the whole message and RADIUS just the password, so I believe it won't work.
    For your reference, I am sharing the link for the difference between TACACS and RADIUS.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
    Moreover, please review the following information as well.
    Compare TACACS+ and RADIUS
    These sections compare several features of TACACS+ and RADIUS.
    UDP and TCP
    RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers:
    TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
    TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.
    Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.
    TCP is more scalable and adapts to growing, as well as congested, networks.
    Packet Encryption
    RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
    TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
    Authentication and Authorization
    RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
    TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
    During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
    Multiprotocol Support
    RADIUS does not support these protocols:
    AppleTalk Remote Access (ARA) protocol
    NetBIOS Frame Protocol Control protocol
    Novell Asynchronous Services Interface (NASI)
    X.25 PAD connection
    TACACS+ offers multiprotocol support.
    Router Management
    RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
    TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.
    Interoperability
    Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.
    Traffic
    Due to the previously cited differences between TACACS+ and RADIUS, the amount of traffic generated between the client and server differs. These examples illustrate the traffic between the client and server for TACACS+ and RADIUS when used for router management with authentication, exec authorization, command authorization (which RADIUS cannot do), exec accounting, and command accounting (which RADIUS cannot do).
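    A worked example of the "Packet Encryption" point above, added here and not part of the original post or of Cisco's tech note: it builds a RADIUS Access-Request the way RFC 2865 prescribes, hiding only the User-Password attribute (MD5 keystream from the shared secret and the Request Authenticator) and leaving User-Name and NAS-IP-Address readable on the wire. The user name, password, shared secret and NAS address are constructed sample values.

```python
"""RFC 2865 User-Password hiding: only that one attribute is obfuscated in an
Access-Request; every other attribute travels in cleartext.  Added example,
not code from the forum post; all sample values below are constructed."""
import hashlib
import secrets
from typing import Dict, Optional

# Attribute type codes and packet code from RFC 2865
USER_NAME = 1
USER_PASSWORD = 2
NAS_IP_ADDRESS = 4
ACCESS_REQUEST = 1


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16
    octets, then XOR each 16-octet block with MD5(secret + previous block).
    The 'previous block' for the first round is the Request Authenticator,
    which is sent unencrypted in the packet header, so the confidentiality of
    the password rests entirely on the shared secret."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it.  Trailing
    NUL padding is stripped (a real password ending in NUL would be lost)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type, Length (including this 2-octet header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def build_access_request(username: str, password: str, secret: bytes, nas_ip: bytes,
                         ident: int = 1, authenticator: Optional[bytes] = None) -> bytes:
    """Assemble an Access-Request: Code, Identifier, Length, 16-octet Request
    Authenticator (random, cleartext), then the attributes."""
    authenticator = authenticator or secrets.token_bytes(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, nas_ip))
    return (bytes([ACCESS_REQUEST, ident]) + (20 + len(attrs)).to_bytes(2, "big")
            + authenticator + attrs)


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Walk the attribute TLVs that follow the 20-octet header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def cleartext_fields(packet: bytes) -> Dict[str, str]:
    """What a passive observer on the path reads without the shared secret:
    the user name and NAS address as-is, the password only as hidden bytes."""
    attrs = parse_attributes(packet)
    return {
        "User-Name": attrs[USER_NAME].decode(),
        "NAS-IP-Address": ".".join(str(b) for b in attrs[NAS_IP_ADDRESS]),
        "User-Password": attrs[USER_PASSWORD].hex(),
    }


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    shared_secret = b"constructed-shared-secret"
    pkt = build_access_request("jdoe", "Passw0rd!", shared_secret, bytes([10, 1, 8, 3]))
    print(cleartext_fields(pkt))
```
    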

  • 802.1x NAC and per-user ACLs

    Can 802.1x NAC and per-user ACLs be used together on the same port? I know some of the NAC documentation says that 802.1x NAC does not support downloadable ACLs, but it looks like it might be outdated, and according to http://cisco.com/en/US/products/ps7077/products_configuration_guide_chapter09186a0080817284.html , it appears that there is nothing preventing this.
    Also, when will URL redirection to a remediation server be supported with 802.1x NAC?

    You just need to configure it differently on ACS. "Downloadable IP ACLs" used to be "Downloadable PIX ACLs" on ACS. It changed to "IP" when VPN concentrators started supporting this with ACLs too. You saw this with NAC, if I remember .. and EOU does it this way as well.
    802.1X with per-user ACLs was already shipping at the time though (has been for some time) and the mechanism is operationally the same .. just functionally different.
    With per-user ACLs, you'd configure a VSA like:
    ip:inacl#1=deny ip any host 10.1.8.3
    ip:inacl#2=permit ip any any
    The "downloadable IP ACL" config would look like:
    deny ip any host 10.1.8.3
    permit ip any any
    In the end, both techniques use the same VSA. This VSA is 026\009\001. In "per-user ACLs", there's no sort of handshake though to see if the ACL is already there, etc. It slaps the ACL on for you unconditionally as an authorization rule b/c you told it to (hence the "ip:inacl" stuff above). With "downloadable", there's a handshake before actually applying the ACL .. to see if there's an earlier copy of the ACL, and it'll only update what changed, etc.
    So, it really boils down to semantics. Both techniques work. AAA config is subtly different on the backend. Look for this to get consistently deployed soon, but in the meantime, it's still supported ;-).
    Hope this helps,
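The ip:inacl av-pairs above travel inside RADIUS attribute 26 (Vendor-Specific) with Cisco's vendor ID 9 and vendor-type 1 (cisco-avpair), the 026\009\001 the reply names. This is an added example, not code from the thread or from Cisco: a small Python encoder/decoder for that VSA layout (per RFC 2865) that also rebuilds the per-user ACL in #N order and rejects an over-long av-pair or a gap in the numbering; the helper names and the sample values are mine.

```python
import struct

RADIUS_VSA_TYPE = 26       # RFC 2865 Vendor-Specific attribute (the "026" in the post)
CISCO_VENDOR_ID = 9        # IANA enterprise number for Cisco (the "009")
CISCO_AVPAIR_TYPE = 1      # vendor-type of cisco-avpair inside the VSA (the "001")

def per_user_acl_avpairs(aces):
    """Number an ordered list of ACEs as the ip:inacl#N= av-pairs the post shows."""
    return [f"ip:inacl#{n}={ace}" for n, ace in enumerate(aces, start=1)]

def encode_cisco_avpair(avpair):
    """One cisco-avpair as a full RADIUS VSA: type(1) len(1) vendor-id(4) vtype(1) vlen(1) value."""
    value = avpair.encode("ascii")
    if len(value) > 255 - 8:   # the whole attribute must fit in its one length byte
        raise ValueError("av-pair too long for a single RADIUS attribute")
    vendor_data = struct.pack("!BB", CISCO_AVPAIR_TYPE, 2 + len(value)) + value
    return struct.pack("!BBI", RADIUS_VSA_TYPE, 6 + len(vendor_data), CISCO_VENDOR_ID) + vendor_data

def decode_cisco_avpairs(attrs):
    """Walk a buffer of RADIUS attributes; return every cisco-avpair value, skip the rest."""
    found, pos = [], 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute length")
        body = attrs[pos + 2:pos + alen]
        if atype == RADIUS_VSA_TYPE and len(body) >= 6:
            vendor_id = struct.unpack("!I", body[:4])[0]
            vdata, vpos = body[4:], 0
            while vpos + 2 <= len(vdata):          # a VSA may carry several sub-attributes
                vtype, vlen = vdata[vpos], vdata[vpos + 1]
                if vlen < 2 or vpos + vlen > len(vdata):
                    raise ValueError("malformed vendor-length")
                if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR_TYPE:
                    found.append(vdata[vpos + 2:vpos + vlen].decode("ascii"))
                vpos += vlen
        pos += alen
    return found

def acl_from_avpairs(avpairs):
    """Rebuild the ACL in #N order; a duplicate or missing index is rejected so the
    ACL that gets enforced is exactly the one the AAA server sent, in its order."""
    entries = {}
    for ap in avpairs:
        if not ap.startswith("ip:inacl#"):
            continue
        index, _, ace = ap[len("ip:inacl#"):].partition("=")
        n = int(index)
        if n in entries:
            raise ValueError(f"duplicate ACE index {n}")
        entries[n] = ace
    if sorted(entries) != list(range(1, len(entries) + 1)):
        raise ValueError("ACE indices are not contiguous from 1")
    return [entries[n] for n in sorted(entries)]

# Constructed sample: the two ACEs quoted in the post above, encoded as they would sit in an Access-Accept.
SAMPLE_ACL = ["deny ip any host 10.1.8.3", "permit ip any any"]
SAMPLE_WIRE = b"".join(encode_cisco_avpair(a) for a in per_user_acl_avpairs(SAMPLE_ACL))
```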

  • AEBS 802.11n, TC and APXn with 7.3.1 is very flaky indeed - can't connect -

    Hi Guys, I think many of you on these forums have posted because you are having joyless experiences with the new APX 802.11n, the AEBSn and the TC not being able to be managed via the AIRPORT UTILITY.app v5.3.2 with firmware 7.3.1 in the former devices. After a search there are many of these posts with people with the same issues.
    I have these devices in my place so I have had lots of experience configuring these over the years:
    1 x 802.11n AEBS, 1 x TC, 1 x UFO white AEBS, 2 x APXg's and lastly the problematic 1 x APX 802.11n (one subnet and 2 x networks, 2.4 GHz and 5 GHz)
    I am at my wits' end trying to get the new APXn regularly responding to the AP utility.app (error reading configuration).
    I have tried most of the remedies on these forums but they do not consistently solve the problems of the APX not responding to the AP utility. None of these have consistently worked:
    • trying to factory reset it using the POWER ON+RESET and waiting for the amber flashes then green - but this procedure NEVER WORKS to factory reset!
    • using the reset button in any form (it doesn't do anything)
    • connection through ethernet (sometimes works).
    • takes long to power up (longer than the older 802.11g)
    • reset APXn back to factory defaults through the AP utility then ...
    • downloaded 7.3 firmware - worse and won't work
    • lastly I found that RESET+POWER ON then wait for 20 secs as it powers up, DEPRESS the RESET again and then it becomes readable.
    Additionally, I have been unsuccessful in getting PORT FORWARDING to work at all for the AEBS 802.11n with and without the TC in the mix. I had this working for several years with the White UFO AEBS ... It beats me.
    I think the firmware is very very flaky and I have no resolutions for these recent problems.
    Hope for a fix soon.
    I will be polling these forums for any clues.
    w

    Hi Guys
    Regarding the APXn's (802.11n Airport Express) inability to consistently be seen by the Airport Utility.
    This just worked finally for me now and I have tested this 7 times and all seems OK now..
    Simply: when APXn in list, save configs, reset to factory defaults, downgrade to 7.3, upgrade to 7.3 and reinstate configs.
    Update: a probable work instruction that seems to consistently work.
    Here is the work instruction I used.
    (1) turn off all other WiFi base stations where you are that you can. (important I believe)
    (2) turn off airport in your mac
    (3) connect troublesome APXn to mac via ETHERNET cable. Set DHCP on your mac or some address in IPv4
    (4) power off and on the APXn (yes again)
    (5) whilst it is powering up, use a pen or toothpick to RESET the APXn again (I think this causes something to move around inside the magic-ware)
    (6) the light will flash amber (no network to connect to)
    (7) launch /utilities/airport utility.app
    (8) the one and only APXn appears in the list
    (8.5) optional: (cross fingers and legs :))
    (9) when profile comes back, use FILE/SAVE a COPY AS to the ~/desktop to save the complete profiles and settings of what you have in there currently.
    (10) select the one and only APXn and perform an airport utility.app/base station/ RESET TO FACTORY DEFAULTS - and wait for 30 secs and then it will restart
    (11) when complete, quit and relaunch the /utilities/airport utility.app
    (12) the APXn will be as when you bought it (pristine and no stuff in it from you)
    (13) connect your mac back to internet via ethernet if possible. (avoid the wireless just to be sure, but at this stage you could reinstate all your existing wireless infrastructure)
    (14) select the one and only APXn AGAIN and perform an airport utility/base station/ UPLOAD FIRMWARE and select version 7.3 (back level). The firmware will load into APXn 0%-100% gauge and then it will restart.
    (15) when complete, quit and relaunch the /utilities/airport utility.app and it will warn that one of the base stations (the only one on the list - the APXn) has later FIRMWARE available for it. [This is 7.3.1].
    (16) reply OK to UPLOAD NEW 7.3.1 firmware. (yes yes I realise this sounds silly but it works OK) 7.3.1 Firmware will upload into the APXn as above and restart will take place.. so say 120 seconds.
    (17) quit and relaunch the /utilities/airport utility.app. The APXn will appear as before, now with 7.3.1.
    (18) just to make sure, (we're not quite finished), remove the ETHERNET cable. If not already done from previous optional step, ENABLE the AIRPORT (WIFI) on your mac.
    (19) power OFF then power ON the APXn.. wait for the usual 70 secs..
    (20) Again, to be sure, QUIT and RESTART the /utilities/airport utility.app, the APX as factory default with amber icon will appear in the list [along with the rest of your apple airport base stations].
    (21) Select it in the list for MANUAL and the configuration will be read quickly.
    (22) do this (steps 18-21) 3 or 4 times to see that it is consistent. (I did this 7 times before posting this).
    last step...
    • select the APXn (default settings) and IMPORT the saved configuration file (~/desktop/nnn.baseconfig) (all of it) from the ~/desktop. Ignore any errors (untick them), add a password for the base station and UPDATE!
    • wait for the usual 70 secs.
    • without quitting the /utilities/airport utility.app, the UPDATED APXn with your configuration will be in the list.
    Now try and select it for manual and it should respond in time without timing out.
    Test by powering off and removing from wall socket and moving around too to make sure you can SEE it in the /utilities/airport utility.app and select it for MANUAL CONFIGURATION.
    After many days of frustration on weekend and over night, this appears to have worked OK for me.
    (now to work out the AEBSn port forwarding issue - it won't work).
    HTH
    w

  • Slow wireless connection 802.11n AEBS and Intel Core 2 Duo MacBook Pro

    I have three Macs all currently connected wirelessly to the new 802.11n AEBS.
    Mac #1 - PowerMac G5
    Mac #2 - 17" MacBook Pro Intel Core Duo
    Mac #3 - 15" MacBook Pro Intel Core 2 Duo
    The wireless connection speed (when using the web browser) is fine for both Mac #1 and Mac #2 but noticeably slower for Mac #3. All three Macs are sitting right next to each other. All three Macs are getting an excellent signal. All three Macs are running the same version of the OS. All three Macs have identical network settings (as far as I can tell).
    When connecting Mac #3 to the AEBS via an ethernet cable, performance is good. I've also tried configuring the channel manually in the AEBS to channel #1 but this did not help (seemed to help others in a different thread). Additionally, I ran the 802.11n enabler and performance was bad both before and after its installation.
    Any idea why the Intel Core 2 Duo MacBook Pro would be performing differently?

    OK everyone. I did some digging and was able to get the network speed back with my Core2Duo machine. I put the Airport Extreme into Bridged mode and connected the Ethernet cable to one of the LAN ports, not the WAN port. After that everything works great. For more information check out this lengthy thread...
    http://discussions.apple.com/thread.jspa?messageID=3989864&#3989864
    and this site mentioned...
    http://www.macintouch.com/reviews/airportn/#performance
    Apparently the new base stations have a few issues that need to be worked out so I'd consider this a workaround. There should be no reason to have to do this. Good luck.

  • HT4259 I have an 802.11n base and extender and still cannot get a good signal 80-90 ft away . Why?

    I have an 802.11n base and extender and still cannot get a good signal 80-90 ft away . Why?

    Hardwire is always recommended because there is virtually no signal loss in a wire....at least up to 300 feet or so.
    Another advantage of using Ethernet cable...if you can...is that you can locate the AirPort Express where it is most needed.
    If it extends using wireless only, it pretty much needs to be located about half the distance from the main router and the general area that needs more coverage.
    I like to use WiFi Explorer since it displays SNR (Signal to Noise) readings, which are the best way to evaluate signal quality.
    Mac App Store - WiFi Explorer
    If the signal is varying constantly, something is causing it to do so....assuming that the AirPorts are functioning correctly.
    Cordless phones are a huge problem for wireless networks.  You want to try to figure out if the phones are causing a problem as a first troubleshooting step.
    That is why I suggested that you turn off the phones for an hour or two and watch the network to see how it behaves.  If the signal stops fluctuating....that is a good clue that the phones are interfering with the wireless signal.

  • How to draw an arc of a circle in flash pro cc,considering center and radius as parameters?

    Please help to draw curves in flash pro cc, considering center and radius as parameters...

    import flash.display.Sprite; // needed when this lives in a class file; timeline code gets it implicitly

    // Strokes an arc of a circle on sp, from startA to endA degrees, by stepping one degree at a time.
    function drawArcF(sp:Sprite, centerX:int, centerY:int, radius:int, startA:int, endA:int, color:uint):void {
        // make sure we always step from the smaller angle to the larger one
        if (startA > endA) {
            var tempA:int = startA;
            startA = endA;
            endA = tempA;
        }
        var degToRad:Number = Math.PI / 180;
        with (sp.graphics) {
            lineStyle(0, color);
            moveTo(centerX + radius * Math.cos(degToRad * startA), centerY + radius * Math.sin(degToRad * startA));
            for (var i:int = startA + 1; i <= endA; i++) {
                lineTo(centerX + radius * Math.cos(degToRad * i), centerY + radius * Math.sin(degToRad * i));
            }
        }
    }

  • WPA2 and Radius server configuration

    On the page: http://cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml
    is described how to setup a WPA2 and Radius server.
    If I follow this, the Radius server does not work. In the document they describe that I need to use 10.0.0.1 as the IP, but my AP has a 192.168.1.251 address. Even if I enter that address, or the 10.0.0.1, it does not work.
    Normal WPA2 personal, without Radius does work.
    I use a 1100 series AP (AIR-AP1120B-E-K9) with an AIR-MP21G, and the firmware of the radio module is 5.90.11.
    The IOS version is 12.3(8)JA2.
    Does anyone know what to do?
    Haik

    Hello,
    I understand that. I have given the AP a fixed address, 192.168.1.251. This is outside the DHCP pool, from the router.
    Even if I use this address in the Radius configuration, it still does not work. My client (laptop with Intel Pro Wireless 2200 card) detects that there is a Radius server, and asks for a username / password.
    But even if I fill it in correctly (copy / paste) it does not work.
    So what can be wrong with this configuration?
    Haik

  • Configure PIX to use both TACACS and RADIUS for VPN

    PIX 506E using ver 6.3: Whenever I add the command "crypto map mymap client authentication PARTNERAUTH" it removes the current TACACS+ client authentication. I need to have both until I've finished testing the radius server. Can I add an additional crypto map designation command to accommodate and use both the current TACACS+ (ACS) and RADIUS?

    Hi,
    Unfortunately what you want to do cannot be done on the pix, let's say that you have
    multiple vpn groups on your firewall, as soon as you apply the following command:
    crypto map mymap client authentication partnerauth
    where partnerauth can be a radius, tacacs, tacacs+ or an ACS server:
    aaa-server partnerauth protocol radius
    aaa-server partnerauth (inside) host 172.18.124.196 cisco123
    As soon as you use "crypto map mymap client authentication partnerauth" the authentication
    is applied globally on the crypto map, thus affecting all the vpn groups configured.
    You can have multiple vpn groups running on your firewall (dynamic crypto maps) but you
    need to associate them to a static crypto map ( crypto dynamic-map dynmap 10 set
    transform-set myset).
    You can only have 1 crypto map applied to one interface, when you apply this line:
    "crypto map mymap client authentication partnerauth"
    The authentication is applied to ALL the clients, we cannot separate the extended
    authentication based on the vpn group or ip address.
    Please rate if that helps !
    Regards,
    ~JG

  • Tacacs+ for exec and radius for ppp on the same ras

    Hi, I'm going to implement tacacs+ for exec control and RADIUS for ppp control in a ras router, using the same ACS for tacacs+ and radius sessions.
    Is there any problem with this kind of configuration ?
    thank you in advance
    Renato

    Renato
    I have recently done something very similar at a customer site. On a remote access server we configured it to use TACACS for exec control and to use Radius for ppp. In our case we are using different servers but I do not think that would be an issue. We also are generating aaa accounting records for the ppp sessions and sending the accounting records to the TACACS server. I have not had any particular problems with getting this to work.
    HTH
    Rick

  • How can I blur an image with two variables: degree and radius?

    how can I blur an image with two variables: degree and radius?
    a lot of thanks !

    What are the values of these variables supposed to represent?

  • WRV210 and Radius

    I'm trying to configure a Cisco Small Business Router - WRV210 for WPA2-Enterprise wireless security. I'm currently having trouble getting Radius Authentication to work.
    Our Radius Server (10.1.0.1) is in our corporate DataCenter. I've successfully configured an IPSec VPN Tunnel to connect the WRV210 to our VPN hub in the DataCenter. Successful communication from the WRV210 across the VPN to all subnets behind the VPN has been established and tested. The VPN works. However I can't see any attempts to communicate with our Radius Server when a client connects via WiFi to the router. The Radius Server is a Microsoft Windows 2008 R2 server. Does the WRV210 require the Radius to be on its local LAN? If that's the case - this is a sucky product like the rest of the Linksys lineup (I've had bad experiences trying to get multiple SSIDs and Radius to work for Authenticated/Guest access with other Linksys products). Any ideas?

    For WRV210, there is a known issue with configuring a Radius Server on a remote subnet over an IPsec tunnel.
    A workaround is to configure a special tunnel from WRV210 to the remote subnet with the following settings on WRV210.
    Local Security Group
    Type: IP Address
    IP Address: [WAN IP of WRV210]
    Mask: 255.255.255.255
