ACS Group Configuration Help Request

We currently have an underutilized ACS server and are trying to 'secure' more of our devices and the network in general utilizing the ACS 4.0 we have.
The problem, and I'm guessing it's a simple resolution, is that currently we have a Group called Remote_Access for vpn/citrix. It is mapped to an external database (Active Directory) group named Remote_Access. Everything works fine there. The problem I'm having is, I created another group in ACS further down the list for TACACS_ADMIN. We also have this group mapped to an AD group called TACACSADM. However, it seems that due to the fact that I personally am a member of both RemoteAccess and TACACSADM, whenever I try to authenticate to a switch, it shows me hitting the RemoteAccess group, not TACACS ADMIN. How do I tell the groups to ignore requests unless they come from a certain AAA client? I tried doing a Define IP Based Restrictions and selecting the AAA NG that it could come from, but all that did was give me a 'user filtered' in the failed attempts log for RemoteAccess. Isn't there some way to have it skip the Remote Access group and go on to the TACACS Admin group?
Confusing I know.

Hello,
you can solve your problem with the Network Access Profile feature. With this feature you can assign one user to different groups.
You must create two Network Access Profiles (profile_remote_access, profile_tacacs_admin) with different protocol types (RADIUS for remote access, TACACS for administration).
Look at
http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_chapter09186a00805e879e.html
regards
alex

Similar Messages

  • WLC2106 + LAP1131AG configuration help request

    Greetings Everyone.
    One of my customers asked me to configure a WLC 2106 and 2 LAP 1131AG (lightweight) for corporate/guest Wifi.
    Basically they want to implement a good wifi connection for internal use and a guest one with different QoS. The two LANs
    should both have DHCP but they must be kept segregated so that no one from the Guest wifi can access corporate resources.
    Since I've never configured a WLC from scratch I lightly supposed it would be quite straightforward, as routers and switches from Cisco are.
    Unfortunately I was totally wrong.
    I've downloaded the "Cisco Wireless LAN Controller Configuration Guide" (Soft. Release 6.0, June 2009) and after I read it I made up this workflow
    for the configurations:
    1) Configure Controller: (via serial)
         - Set Management Interface parameters (IP - SM - Def GW - DHCP server IP)
         - Set AP-Manager Interface parameters
         - Virtual Interface parameters
         - Set Admin Credentials
         - DHCP Configuration (internal and/or external)
    2) AP registration on the controller
         - Configure VLAN with DHCP request redirection to the DHCP server
    3) Configure WLAN following customer's requests.
         - Configure WLAN Auth for Corporate/Guest Wifi
         - Configure QoS for both WLANs
    Unfortunately I'm experiencing issues while trying to join the AP to the WLC.
    It appears that the IT guy of my customer tried to configure one of the APs.
    In that AP's flash I find files referring to a "mesh" configuration like:
    mesh_cfg.txt - mesh_port_cfg.txt
    which are not present on the other AP.
    I've tried to register both APs using:
    1) Internal DHCP
    2) External DHCP (Microsoft W2k8 R2)
    3) External DHCP (non-Cisco router)
    But as a matter of fact they got the IP from DHCP but they don't show up in the WLC GUI.
    So, summing up, my issues sound like:
    1) Can't make the AP join the WLC
    2) There are configuration files on one AP that I can't clear
    3) DHCP configuration is probably wrong.
    Since I'm quite lost, I'm ready to learn from anyone who could spare some time helping me out.
    Thank you in advance!
    Regards
    Alessio
    P.S.
    AP version is the following:
    Cisco IOS Software, C1130 Software (C1130-K9W8-M), Version 12.4(21a)JHB1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2010 by Cisco Systems, Inc.
    Compiled Wed 11-Aug-10 15:39 by prod_rel_team
    ROM: Bootstrap program is C1130 boot loader
    BOOTLDR: C1130 Boot Loader (C1130-BOOT-M) Version 12.3(8)JEA, RELEASE SOFTWARE (fc2)

    Good Day Everyone.
    After a long fight, the insights of Stephen and Scott and:
    https://supportforums.cisco.com/docs/DOC-13960 and
    https://supportforums.cisco.com/thread/2003153
    I finally managed to wipe the old configuration and to configure a LAP 1131 attached to one of the PoE ports of the controller.
    After having configured a WLAN and having set the correct DHCP redirection I'm able to connect and get an IP! (WHOA!)
    I've had to set a manual IP address on the AP (let's call it AP1 from now on) and to manually point it to the controller.
    I was thinking about using this configuration at the customer's site, getting IPs from the internal DHCP and thus letting employees use the internal resources of the company.
    With the same idea, I started to configure the second AP (AP2 from now on).
    So I set up a dynamic interface, still on physical port 1 of the controller, and gave it an IP address in another class.
    Got into the antenna via console and set an IP accordingly.
    I expected the controller and the antenna to communicate immediately as AP1 did before BUT:
    LWAPP_CLIENT_ERROR_DEBUG: spamHandleJoinTimer: Did not recieve the Join response
    LWAPP_CLIENT_ERROR_DEBUG: No more AP manager IP addresses remain.
    %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: DID NOT GET JOIN RESPONSE.
    %LWAPP-5-CHANGED: LWAPP changed state to DOWNXmodem file system is available.
    And it keeps reloading itself on, and on, and guess? Yes, on.
    I'm sure I took a wrong step somewhere; could someone be so kind as to enlighten me about it?
    Thanks in advance!
    Alessio

  • RAID configuration help request

    greetings
    this is my current situation.
    my K8N Neo2 FX MOBO failed and my power supply blew up, so I had a replacement mobo and power supply.
    I flashed the mobo to the latest firmware 1.C and continued configuring my system.
    in my previous installation, I had my two Western Digital drives running on the MOBO RAID with WinXP SP2 + all hotfixes
    I attempted to configure the RAID with the same settings,
    - enabled the RAID device & selected the disks that are made visible to the RAID chips.
    - made sure that the disks are found on boot (setting to auto, though when configuring the RAID it always sets the disks to none, having to set it back to auto, a BIOS bug that hasn't been fixed at least since version 1.9)
    - made sure that the RAID device is selected in the disk boot order
    - recreated the RAID array and made sure that it is bootable (pressing B)
    now the issue is that when I have the mentioned RAID configuration in place, the RAID does not boot
    I get that "disk not found, ctrl-alt-del"
    but when I turn off the RAID chip feature from the BIOS and boot off the first disk, it boots fine but runs lousily since the
    RAID service daemon fails :P
    any ideas on how this can be resolved? I've banged my head with this all day and I don't want to reinstall my **** OS :(
    regards
    Matice

    I did break and recreate the RAID (not wiping the data of course) but it didn't help, though I didn't try reordering the disks,
    I'll give that a try now.
    as I said, when I disable the RAID, the disk boots WinXP fine, but XP is acting all bizarre, probably due to the failure of the
    RAID service not running since the RAID has been disabled..
    Quote from: BOSSKILLER on 30-December-06, 03:13:17
    can you boot from an alternative location to see that the array is correctly assigned (e.g. all data is there and so on...)
    break the array and re-create it, but reverse the HDDs' position in the array when adding them (1st becomes 2nd, and 2nd becomes 1st)
    re-test.

  • Help me configure Change request management !!!

    Dear friends,
    I am going to configure Change Request Management, so just to ensure that the configuration is not erroneous, I would need expert advice..
    Just want to clear a few things before I proceed..
    I am also referring to SPRO and related notes
    Scenario :
    I have two systems: SAP ECC 6.0 with system id R03 and Solution Manager with system id SOL.
    R03 has 3 clients, 300 600 700..
    In R03, 300 is the development client, 600 is the quality client, 700 is the production client.
    SOL has 2 clients, 100, 200
    With 200 as the production client.
    Q.1) Do I have to configure CHARM in both the clients (100 and 200 of SOLMAN)?
    Q.2) Initially I had tried to set up CHARM in client 100 of solman, but later on realized that it has to be set up in client 200.
    When I log on to client 200 and execute IMG activity SPRO -> SAP Solution Manager -> Basic Settings -> SAP Solution Manager System -> Activate Integration with Change Request Management,
    then by default it takes the previous client (client 100) as the change request management client.
    (As we know there are three steps in the above activity; the other activities are executed properly, the only problem being that the default client is always set to 100, which should not be the case.)
    I do get the prompt saying ("The change request client is set to client 100, do you want to change to client 200"); on clicking yes, it still always sets the same client 100 as the CHARM client.
    Please let me know what I should do to set the change request client to 200??
    Q.3) Regarding TMS, we have a local domain controller in solman and a local domain in R3.
    We are planning to establish domain links between the two systems (i.e. both the domain controllers) ??
    Is this the right strategy ??
    Any other method that you can recommend ??
    Q.4) One of the IMG activities says, Generate Destinations to client 000 of all the domain controllers..
    Whenever I do this, these destinations are created with errors; I am not able to create trusted RFC destinations without errors.
    When I log on to the satellite domain controller and execute SM59 there are 2 destinations created, Trusted and BACK.
    These destinations work well,
    but when I log on to Solman, go to SM59, and test the TMW and TRUSTED RFC destinations using Remote Logon I get the error
    "no authorization to logon as trusted system"
    I went through one note which recommended kernel upgrades to solve the problem.
    In R3 my kernel release is 700 with patch level 56; the note recommends applying patch 80. Did you have these problems??
    What are your kernel patch levels in the satellite and solman systems?
    Q.5) To be able to raise tickets from R3 to solman we create RFC destinations.
    We also create RFC destinations to client 000 of all the satellite systems,
    don't you think these RFC destinations might interfere with each other??
    Q.6) Is there anyone who has successfully configured CHARM? Can you please share the configuration documents with me..
    Please note :
    All the contributors would be handsomely rewarded with points.

    Hi,
    Check this
    Note 128447 - Trusted/Trusting Systems
    For your Q4.
    Q3.)
    Establishing Domain link - That's the right way. Go ahead.
    These are the steps.
    1. Define Transport Routes for System Landscape
    Assign exactly one development system to a production system, and make sure that these two systems are connected by exactly one unique transport track. If a development system and a production system are connected by more than one transport track, this may lead to inconsistencies within the transport distribution. This type of transport configuration cannot be supported by Change Request Management, and may cause inconsistencies within the tools involved.
    2. Activate Extended Transport Control
    The CTC parameter should be '1'
    3. Configure Transport Strategy
    Deactivate the QA Approval.
    4. Activate Trusted Services.
    5. Activate Domain Links.
    You have to activate the domain link between systems.
    6. Generate RFC Destinations to Client 000
    Hope this helps.
    Feel free to revert back.
    --Ragu

  • Error checking transport group configuration in System BQS

    Hi Everyone,
    I made a client export from Production to Quality. It went successfully. I noted the request numbers and transported them from PRD to Quality, but while transporting there was a tp error (which I did not note). Next I went to the quality import queue and saw all the 3 requests had come. But when I click the adjust queue icon I'm getting the following error message: "Error checking transport group configuration in System BQS". Afterwards I tried to delete the requests from quality to retransport from production, but still I'm not able to delete those requests from quality. Can anyone help me solve this.
    Regards,
    Rahul

    Hello Rahul,
    regarding the error message:
    "Error checking transport group configuration in system"
    It's mostly related to the TMSADM RFC destination. Kindly follow the below-mentioned steps:
    1. Log on to client 000 with user DDIC.
    2. STMS > System > Overview > Select the system in which you are logged in > Click on the menu that says EXTRAS > Generate RFC Destinations
    Perform the above steps in all the systems configured in your TMS. This should resolve the issue.
    Best regards,
    Tomas Black

  • OCS 2007 R2 Response Group Configuration Tool Failure

    Hello there.
    We are bringing back to life an old OCS installation. Customer performed a clean AD reinstall and we are in the process of re-installing OCS 2007 R2. All seems to work fine, except the RGS. When accessing the web tool we get this error:
    Response Group Configuration Tool Failure
    An unknown error occurred. The operation cannot complete successfully. Please contact the administrator if this problem persists.
    Click here to return Home.
    the Event viewer for application on the FE shows:
    Event code: 3005 
    Event message: Excepción no controlada. 
    Event time: 13/05/2014 12:13:01 p.m. 
    Event time (UTC): 13/05/2014 06:13:01 p.m. 
    Event ID: a74ea242095f4e8099bca266a7a5cc83 
    Event sequence: 8 
    Event occurrence: 1 
    Event detail code: 0 
    Application information: 
        Application domain: /LM/W3SVC/1/ROOT/Rgs-1-130444779241580315 
        Trust level: Full 
        Application Virtual Path: /Rgs 
        Application Path: C:\Program Files\Microsoft Office Communications Server 2007 R2\Web Components\Acd Files\ 
        Machine name: OCSR2-FE02 
    Process information: 
        Process ID: 6504 
        Process name: w3wp.exe 
        Account name: domain\RTCComponentService 
    Exception information: 
        Exception type: COMException 
        Exception message:  
    Request information: 
        Request URL: https://ocspool.domain.com:443/Rgs/Deploy/Default.aspx 
        Request path: /Rgs/Deploy/Default.aspx 
        User host address: 172.16.6.32 
        User: domain\user
        Is authenticated: True 
        Authentication Type: Negotiate 
        Thread account name: domain\RTCComponentService 
    Thread information: 
        Thread ID: 9 
        Thread account name: domain\RTCComponentService 
        Is impersonating: False 
        Stack trace:    en System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
       en System.Management.ManagementObjectCollection.ManagementObjectEnumerator.MoveNext()
       en System.Management.ManagementObjectCollection.get_Count()
       en Microsoft.Rtc.Acd.Management.OcsApplicationContactSetting.Select(String condition)
       en Microsoft.Rtc.Acd.Web.UI.WorkflowTemplate.GetContactObject()
       en Microsoft.Rtc.Acd.Web.UI.WorkflowTemplate.AddedControl(Control control, Int32 index)
       en ASP.deploy_default_aspx.__BuildControl__control15(Control __ctrl)
       en Microsoft.Rtc.Acd.Web.UI.TemplateHelper.InstantiateWorkflowTemplate(AcdWorkflow workflow, ITemplate template, ControlCollection controlsToAddTo, String resourceClass, String templateResourcePrefix)
       en Microsoft.Rtc.Acd.Web.UI.AcdWorkflowList.CreateChildControls()
       en System.Web.UI.Control.EnsureChildControls()
       en System.Web.UI.Control.PreRenderRecursiveInternal()
       en System.Web.UI.Control.PreRenderRecursiveInternal()
       en System.Web.UI.Control.PreRenderRecursiveInternal()
       en System.Web.UI.Control.PreRenderRecursiveInternal()
       en System.Web.UI.Control.PreRenderRecursiveInternal()
       en System.Web.UI.Control.PreRenderRecursiveInternal()
       en System.Web.UI.Control.PreRenderRecursiveInternal()
       en System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    Custom event details: 
    on the OCS logs I have:
    Unhandled exception occurred in the Response Group Service Configuration Tool. The operation could not complete successfully.
    Requested URL: /Rgs/Deploy/Default.aspx
    User / Host making the Request: domain\user/ 172.16.6.32
    Unhandled exception: System.Web.HttpUnhandledException - Se produjo una excepción de tipo 'System.Web.HttpUnhandledException'.
    Inner Exception: System.Runtime.InteropServices.COMException
    Cause: An unhandled exception occurred.
    Resolution:
    Check the exception.
    Windows server is installed in spanish, if you wonder why the mix in languages.
    We have been battling with this error for the last 2 weeks. Any help is greatly appreciated!
    FR

    Hi,
    Please check the configuration of the Response Group Service with the help of the link below:
    http://technet.microsoft.com/en-us/library/dd441277(v=office.13).aspx
    Please check the OCS components that are required to implement the Response Group Service below:
    Application Server and Response Group Service
    Language pack
    Administrative tools
    Web Components Server
    Internet Information Services
    Microsoft Office Communicator 2007 R2
    You can try to use the workflows that you created to validate the deployment.
    Best Regards,
    Eason Huang
    TechNet Community Support

  • User in a windows group - mapping to acs group appears not to be working

    I have a user in a windows group, this windows group is mapped to an ACS group but when the user logs in it appears as default group in ACS.
    Any suggestion?

    Hello, I recently implemented this very thing, actually integrated it with Authentication Proxy. Here are some settings to check:
    1. External User Databases - Database Configuration - Windows Database - Configure
    Make sure your domain is listed in, or moved to, the Domain List section
    2. External User Databases - Database Group Mappings - Windows Database - Add Manual Mapping
    Make sure you have the right AD group mapped to the internal ACS group; you can even set users* if you want to include all users.
    3. External User Databases - Unknown User Policy
    Check the "Check the following external user databases" radio dial and move Windows Database to Selected Databases
    Check “The database in which the user profile is held” radio dial in the Configure Enable Password Behaviour section
    Hope that helps!

  • AP Grouping configuration

    Infrastructure:
    we have 3000 access points spread across 15 buildings,
    we have 15 WiSMs (3 no.s of 6509 controllers) catering to those APs from central locations,
    we have 350 APs in one building (3 floors) and in some 200 APs (2 floors),
    planning for ACS with EAP-FAST implementation.
    Requirement:
    I want to use a /24 subnet for APs as well as for WLAN clients.
    clients should have a /24 subnet only
    I know about the AP grouping concept and I read some documents as well on the Cisco site, but those documents didn't help me much for AP Grouping VLAN and external DHCP configuration (client).
    Could anyone help me in configuring AP grouping with an external DHCP server for clients' /24 subnet IPs.

    Thanks for your reply,
    My switches work as L2 in the buildings and L3 only in the datacenter location.
    I am planning to use 8 SSIDs.
    As the best practice from Cisco is 100 APs per subnet, I would like to go with AP grouping configuration; now I would like to know how to configure clients with a /24 subnet (external DHCP server). If you have any sample configuration steps kindly share the same, or give me an idea about how to configure a /24 subnet for clients.
    In the WiSM I am configuring AP grouping: 90 access points in one group, 150 access points in one group, the remaining in the other group.
    Now since I have only 3 AP groups and I want to configure /24 clients keeping max. 20 users per access point, how do I configure the client IP addresses?

  • ACS Group mapping and restrictions

    hi,
    I would appreciate receiving some configuration steps on ACS to fulfill the following requirement and hope you can help me.
    ACS Groups
    Netadmin - need telnet/ssh/vpn/wireless
    wireless - only wireless authentication
    vpn - only vpn authentication
    I need to map the above ACS groups to one or many AD groups and restrict access as stated above.
    Also please note that one user can belong to all three groups in ACS/AD.
    thanks in advance.

    In ACS a user can only belong to one group. But in AD we can have one user as part of multiple groups.
    In this scenario, it is very important to understand how ACS group mapping works.
    Let's say that you have three different groups on AD for NetworkAdmin, RouterAdmin, Wireless. Go to External User Databases == Database Group Mappings == Windows NT/2000 == select the domain to which you are authenticating == Add mapping.
    Select the AD group NetworkAdmin and map it to CiscoSecure group 1
    Select the AD group RouterAdmin and map it to CiscoSecure group 2
    Select the AD group Wireless and map it to CiscoSecure group 3
    Group mappings work in the order in which they are defined: the first configured mapping is looked at first, then the second, third and so on. If a user is in AD group NetworkAdmin and that is mapped to ACS group 1 and it is the first configured mapping, it will be looked for FIRST (if a user exists in the NetworkAdmin group it will always be mapped to CiscoSecure group 1, NO further mappings for this user are checked, and the user is authenticated or rejected).
    Scenario: if you have a user called cisco in the NetworkAdmin group, cisco1 in the RouterAdmin group, and cisco2 in Wireless, they will always be dynamically mapped to ACS groups 1, 2 and 3 respectively as per the above mappings.
    You can check the mappings in the passed authentications for users as to what group they are getting mapped to.
    SCENARIO:
    Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not wireless or RouterAdmin devices, you would need to apply NARs to group 1 because NetworkAdmin users are connecting to that group, in which you will permit access on a group basis to a particular NetworkAdmin NDG or individual NetworkAdmin NAS device.
    NOTE:
    If you are applying NARs for Wireless or VPN devices, you would need to configure both IP based AND CLI/DNIS based together, because NARs were originally designed for Cisco IOS routers and switches.
    IMPORTANT: If a user successfully authenticates to the AD database once, its username is cached in the ACS database (NOT the password); the only way to remove the previously cached username is to go to User Setup, find that user and delete it manually.
    ACS will not support the following configuration:
    * An Active Directory user that is a member of 3 AD groups (group A, B and C)
    * Those 3 groups are mapped within ACS as follows: Group1->A, Group2->B and Group3->C.
    * The user is in all 3 groups; however, he will always be authenticated by group 1 because that is the first group he appears in, even if there is a NAR configured assigning specific AAA clients to the group.
    However, if your mappings are in the order below...
    NT Groups          ACS groups
    A,B,C  =============> Group 1
    A      =============> Group 2
    B      =============> Group 3
    C      =============> Group 4
    You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in group 1.
    This rule WILL apply for the user ONLY if he is present in ALL three groups (A, B and C).
    You can create a rule for users in group A (Group 2)
    You can create a rule for users in group B (Group 3)
    You can create a rule for users in group C (Group 4)
    Regards,
    ~JG
    Do rate helpful posts
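    The first-match evaluation ~JG describes, and the symptom in the original question (a user in both AD groups always landing in the first mapped ACS group and then being filtered by its NAR), modelled as an added example. This is constructed Python, not ACS code; the AD group names come from the thread, while the NDG names, the combined group name and the NAR sets are assumptions. It also adds a check for mapping rows that can never fire because an earlier row shadows them.

```python
"""Ordered, first-match evaluation of external (AD) group mappings in
Cisco Secure ACS 4.x, followed by the Network Access Restriction (NAR) check.

Constructed model for this thread, not ACS code. AD group names come from the
original post; the NDG names and the combined ACS group name are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence, Set, Tuple

DEFAULT_GROUP = "Default Group"


@dataclass(frozen=True)
class Mapping:
    """One row under Database Group Mappings: the user must hold *every* AD
    group listed for the row to match, and rows are tried top to bottom."""
    ad_groups: FrozenSet[str]
    acs_group: str


def map_user(user_ad_groups: Set[str], mappings: Sequence[Mapping]) -> str:
    """The first row whose AD groups are all held by the user wins; later rows
    are never consulted (this is what bit the original poster)."""
    for row in mappings:
        if row.ad_groups <= user_ad_groups:
            return row.acs_group
    return DEFAULT_GROUP


def shadowed_mappings(mappings: Sequence[Mapping]) -> List[Mapping]:
    """Rows that can never fire: any user satisfying them also satisfies an
    earlier row whose AD-group set is a subset. Run this before saving the
    mapping order; a combined row placed below its singletons is dead."""
    dead = []
    for i, row in enumerate(mappings):
        if any(earlier.ad_groups <= row.ad_groups for earlier in mappings[:i]):
            dead.append(row)
    return dead


def authorize(user_ad_groups: Set[str], ndg: str,
              mappings: Sequence[Mapping],
              nars: Dict[str, Set[str]]) -> Tuple[str, str]:
    """Map the user, then apply the group's NAR (set of permitted NDGs; a group
    with no entry has no NAR). Returns (acs_group, 'passed' | 'filtered')."""
    group = map_user(user_ad_groups, mappings)
    permitted = nars.get(group)
    if permitted is not None and ndg not in permitted:
        return group, "filtered"   # the 'user filtered' entry in Failed Attempts
    return group, "passed"


# --- Layout from the original post: one row per AD group, admin in both. ---
NAIVE = [
    Mapping(frozenset({"Remote_Access"}), "Remote_Access"),
    Mapping(frozenset({"TACACSADM"}), "TACACS_ADMIN"),
]
NARS = {                                   # assumed NDG names
    "Remote_Access": {"VPN_Concentrators"},
    "TACACS_ADMIN": {"Switches"},
}
ADMIN = {"Remote_Access", "TACACSADM"}     # the poster's own AD memberships

# --- Layout from ~JG's reply: the combination row first, singletons after. ---
COMBINED = [
    Mapping(frozenset({"Remote_Access", "TACACSADM"}), "RA_and_ADMIN"),  # assumed name
    Mapping(frozenset({"Remote_Access"}), "Remote_Access"),
    Mapping(frozenset({"TACACSADM"}), "TACACS_ADMIN"),
]
NARS_COMBINED = dict(NARS, RA_and_ADMIN={"VPN_Concentrators", "Switches"})


if __name__ == "__main__":
    # Reproduces the symptom: the admin hits Remote_Access and its NAR filters
    # the switch login; TACACS_ADMIN is never reached.
    print("naive, switch:", authorize(ADMIN, "Switches", NAIVE, NARS))
    # The combination row fixes it without touching the user's AD memberships.
    print("combined, switch:", authorize(ADMIN, "Switches", COMBINED, NARS_COMBINED))
    print("combined, vpn:", authorize(ADMIN, "VPN_Concentrators", COMBINED, NARS_COMBINED))
    # Same rows in the wrong order: the combined row becomes unreachable.
    print("shadowed:", [r.acs_group for r in shadowed_mappings(list(reversed(COMBINED)))])
```

    The shadow check is the part worth keeping around: ACS saves whatever order you leave the rows in, and a combined row below its singletons silently never matches.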

  • Cisco ACS Group Settings per NDG

    I am trying to figure out if there is a way to make certain settings that fall under a group configuration such as:
    Usage Quotas,
    Time of Day Access,
    Max Sessions
    to apply differently depending on which network device group the user is coming from.
    So for example if Jsmith belongs to group Staff and is coming from the VPN he will have one time of day access rules configured, where if he 802.1x's on a device in another NDG he gets another time of day access rule?
    I know you can apply ACL's based on the NDG the user is coming from, but it seems like the other options I mentioned above should be able to be controlled by NDG as well.
    We are running v3.3 of ACS.
    Any suggestions?

    I don't think that is possible. You have the option of NAP, where you can define which database is to be used for specific users, or if users come from wireless use AD and if users come from VPN use the RSA DB.
    Please see this link,
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NAPs.html
    Regards,
    ~JG
    Do rate helpful posts

  • AD - ACS Group Mappings

    I have created a group on ACS and used:
    Ext User Database > Ext Grp Mappings to create a mapping b/w the ACS Group and the AD Group. This works fine on the Primary. However this information is not replicated to the secondary. Would I have to recreate group mappings on each ACS Server (Primary and Backup and possibly another Backup)? Is there a workaround or a more elegant method?

    Hi,
    The following items cannot be replicated:
    IP pool definitions (for more information, see About IP Pools Server).
    ACS certificate and private key files.
    Unknown user group mapping configuration.
    Dynamically-mapped users.
    Settings on the ACS Service Management page in the System Configuration section.
    RDBMS Synchronization settings.
    Third-party software, such as Novell Requestor or RSA ACE client software.
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/sad.htm#wp756078
    Hope that helps !
    Jagdeep

  • Grouping of payment requests for Wire transfer  in f110

    Hi Gurus
    Please let me know how to group the payment requests which have Wire transfer as the payment method.
    Actually, can we group the payment requests for the Wire transfer payment method?
    I have to show the balance carried forward for the payment advice by grouping them.
    If you know the solution please let me know.
    Thanks in advance
    Meenkashi

    Meenakshi, you can group the payment requests with payment method 'wire'. For grouping them you have to fulfill the following criteria:
    1. On the payment method, 'single payment' should not be checked. This is normally the case, and in most situations people realize this after a lot of failed efforts to find why it is not grouping.
    2. On the Business Partner master data you should not have checked 'individual payment' in the 'Payment details' tab under each company code (BP role 'Counterparty').
    3. In the FRFT screen (if you are doing bank-to-bank transfers, for which you don't need Business Partners) 'individual payment' should not be checked.
    4. On the BP master data, if you select 'same direction', only payment requests flowing in one direction (outflow or inflow) can be grouped. Sometimes you would need to group both inflow and outflow (e.g. in the case of commercial paper, when you invest you have to pay only the net amount (Principal - Interest). However SAP generates two different flows: Principal, which is an outflow, and Interest, which is an inflow.)
    5. On the transaction, in the Payment details tab, you have a slew of options to group: all within Treasury can be grouped, all of a product category can be grouped, only flows from an ID no., etc. etc.
    6. On the transaction again, in the Payment details tab, see to it that you have not checked 'individual payment'.
    Hope this helps
    Please award points if this information is useful. If you have further doubts please post your doubts and I will try to answer.

  • ACS group mapping

    hello
    we are using ACS 4.2 to authenticate network admins to access switches and routers. ACS is integrated with Windows Active Directory.
    so we map AD groups to ACS groups and we specify access restrictions in the ACS groups.
    now we want to use this ACS to authenticate wireless users. wireless users will use their AD accounts.
    so I think we should create a new internal group in ACS and map AD mobile users to this group. using RADIUS attributes we can put these users in one particular VLAN.
    however, what if a network administrator accesses the wireless network? he will use the AD account that belongs to both groups: the network-admin group and the wireless group.
    so what will ACS do in this case? will it be mapped to the first group or the second or maybe both?!!!

    I can't see how NAP can resolve my issue.
    suppose ohasairi is one account in AD that belongs to AD groups: network-admin and wireless-users
    AD network-admin is mapped to the ACS network-admin group. this group is configured with a NAR to limit access to some network devices
    AD wireless-users is mapped to ACS wireless-users, which is configured with adequate Airespace attributes and IETF attributes to put it in VLAN 80 (wireless VLAN)
    now if I put the network-admin mapping first, then if ohasairi tries to access the wireless network it will not succeed because it will be mapped to the network-admin group, and this group is not configured with the IETF attributes that put the user in VLAN 80!
    if I put the wireless-users mapping first, then if ohasairi tries to access a network device, I am afraid it will be assigned to VLAN 80!

  • 1941W configuration help needed

    Our Deployment Scenario:-
    1941W Gigabit Ethernet 0/0 is connected to the PPPoE connection of the ISP.
    Gigabit Ethernet 0/1 is connected to the wired LAN
    I have created 2 wireless radios: Cisco_Kamran_BGN, which is operating for 2.4 GHz devices, and Cisco_Kamran_A, which is operating for 5 GHz devices.
    I have created 2 VLANs for the wireless.
    Vlan 10 for Cisco_Kamran_A        192.168.10.x
    Vlan 11 for Cisco_Kamran_BGN   192.168.11.X
    The problem is the wireless users are not getting an IP address from the respective DHCP server which has been configured on the router.
    Can anyone from the community please help me and show me where I am missing the configuration.
    Please find my router & AP configuration below.
    Router Configuration
    Router#
    sh run
    Building configuration...
    Current configuration : 3022 bytes
    ! No configuration change since last restart
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Router
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$TdQt$npYeaf/W0kRElcfMggzJ31
    no aaa new-model
    service-module wlan-ap 0 bootimage autonomous
    no ipv6 cef
    ip source-route
    ip cef
    ip dhcp excluded-address 192.168.1.1 192.168.1.50
    ip dhcp excluded-address 192.168.10.1 192.168.10.10
    ip dhcp excluded-address 192.168.11.1 192.168.11.10
    ip dhcp pool DHCP
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.1
    dns-server 195.229.241.222 213.42.20.20
    ip dhcp pool Cisco_Kamran_A
    network 192.168.11.0 255.255.255.0
    default-router 192.168.11.1
    dns-server 195.229.241.222 213.42.20.20
    ip dhcp pool Cisco_Kamran_BGN
    network 192.168.10.0 255.255.255.0
    default-router 192.168.10.1
    dns-server 195.225.241.222 213.42.20.20
    multilink bundle-name authenticated
    crypto pki token default removal timeout 0
    license udi pid CISCO1941W-E/K9 sn FCZ1553C1VK
    hw-module ism 0
    redundancy
    bridge irb
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface wlan-ap0
    description Service module interface to manage the embedded AP
    ip unnumbered GigabitEthernet0/0
    arp timeout 0
    no mop enabled
    no mop sysid
    interface GigabitEthernet0/1
    no ip address
    duplex auto
    speed auto
    pppoe enable group global
    pppoe-client dial-pool-number 1
    interface Wlan-GigabitEthernet0/0
    description Internal switch interface connecting to the embedded AP
    switchport mode trunk
    no ip address
    interface Vlan1
    no ip address
    interface Vlan10
    ip address 192.168.10.1 255.255.255.0
    ip access-group DSL_ACCESSLIST in
    ip nat inside
    ip virtual-reassembly in
    interface Vlan11
    ip address 192.168.11.1 255.255.255.0
    ip access-group DSL_ACCESSLIST in
    ip nat inside
    ip virtual-reassembly in
    interface Dialer1
    ip address negotiated
    ip nat outside
    ip virtual-reassembly in
    encapsulation ppp
    dialer pool 1
    ppp authentication pap callin
    ppp pap sent-username xxxxxx password 0 xxxxxx
    ppp ipcp route default
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list DSL_ACCESSLIST interface Dialer1 overload
    ip access-list extended DSL_ACCESSLIST
    permit ip 192.168.0.0 0.0.255.255 any
    control-plane
    line con 0
    password xxxxxx
    login
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line 67
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    line vty 0 4
    password xxxxxx
    login
    transport input all
    scheduler allocate 20000 1000
    end
    Router#
    Access Point Configuration
    ap#
    sh run
    Building configuration...
    Current configuration : 2603 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    enable secret 5 $1$JxdQ$a2/00bWJuhUKP9QLC94YD/
    no aaa new-model
    dot11 syslog
    dot11 ssid Cisco_Kamran_A
       authentication open
       authentication key-management wpa
       guest-mode
       wpa-psk ascii 7 1045081417161C5A555C7A7B
    dot11 ssid Cisco_Kamran_BGN
       authentication open
       authentication key-management wpa
       guest-mode
       wpa-psk ascii 7 020D05561907017015165949
    username Cisco password 7 14341B180F0B
    bridge irb
    interface Dot11Radio0
    description 802.11bgn radio
    no ip address
    no ip route-cache
    encryption mode ciphers aes-ccm
    broadcast-key change 3600
    ssid Cisco_Kamran_BGN
    antenna gain 0
    station-role root
    bridge-group 11
    bridge-group 11 subscriber-loop-control
    bridge-group 11 block-unknown-source
    no bridge-group 11 source-learning
    no bridge-group 11 unicast-flooding
    bridge-group 11 spanning-disabled
    interface Dot11Radio1
    description 802.11a radio
    no ip address
    no ip route-cache
    encryption mode ciphers aes-ccm
    ssid Cisco_Kamran_A
    antenna gain 0
    no dfs band block
    channel dfs
    station-role root
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    bridge-group 10 spanning-disabled
    interface GigabitEthernet0
    description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
    no ip address
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface GigabitEthernet0.10
    description 802.11a bridge
    encapsulation dot1Q 10
    no ip route-cache
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    bridge-group 10 spanning-disabled
    interface GigabitEthernet0.11
    description 802.11bgn bridge
    encapsulation dot1Q 11
    no ip route-cache
    bridge-group 11
    bridge-group 11 subscriber-loop-control
    bridge-group 11 block-unknown-source
    no bridge-group 11 source-learning
    no bridge-group 11 unicast-flooding
    bridge-group 11 spanning-disabled
    interface BVI1
    ip address dhcp client-id GigabitEthernet0
    no ip route-cache
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    line con 0
    no activation-character
    line vty 0 4
    login local
    end
    ap#

    Hi Stephen,
    I did the configuration as per your advice, but I am getting the error mentioned below, which I have highlighted in red. Please advise what needs to be done.
    Re: 1941W configuration help needed
    created by Stephen Rodriguez in Getting Started with Wireless
    conf t
    interface Dot11Radio0
    no ssid Cisco_Kamran_BGN
    no encryption mode ciphers aes-ccm
    exit
    interface Dot11Radio1
    no encryption mode ciphers aes-ccm
    no ssid Cisco_Kamran_A
    exit
    dot11 ssid Cisco_Kamran_A
    vlan 10
    dot11 ssid Cisco_Kamran_BGN
    vlan 11
    exit
    interface Dot11Radio0
    encryption vlan 11 mode ciphers aes
    ssid Cisco_Kamran_BGN
    exit
    interface dot11radio0.1
    encapsulation dot1q 1 native
    bridge-group 1
    interface dot11radio 0.11
    encapsulation dot1q 11
    bridge-group 11
    Configuration of subinterfaces and main interface
    within the same bridge group is not permitted
    exit
    interface Dot11Radio1
    encryption vlan 10 mode ciphers aes-ccm
    ssid Cisco_Kamran_A
    interface dot11radio1.1
    encapsulation dot1q 1 native
    bridge-group 1
    interface dot11radio1.10
    encapsulation dot1q 10
    bridge-group 10
    Configuration of subinterfaces and main interface
    within the same bridge group is not permitted
    end
    wr
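    The error in the quoted sequence is explained by the AP running config posted earlier in the thread: the main interface Dot11Radio0 still carries bridge-group 11 and Dot11Radio1 still carries bridge-group 10, and autonomous IOS refuses to put a subinterface into a bridge group its main interface already belongs to. The sequence below is an added example, not taken from Stephen's or Kamran's posts; it repeats the quoted steps with the missing one inserted (removing the main-interface bridge groups first) and keeps the same SSID and VLAN numbers the posts use. The native-VLAN subinterfaces and the bridge-group hardening options are carried over from the quoted reply and the posted config respectively.

```cisco
! Added example (not from the original posts): quoted sequence plus the missing step,
! i.e. removing bridge-group 11/10 from the main radio interfaces before creating subinterfaces.
conf t
!
! 1. Detach SSIDs, non-VLAN encryption and the main-interface bridge groups from both radios.
!    In the posted config Dot11Radio0 is in bridge-group 11 and Dot11Radio1 in bridge-group 10.
interface Dot11Radio0
 no ssid Cisco_Kamran_BGN
 no encryption mode ciphers aes-ccm
 no bridge-group 11
 exit
interface Dot11Radio1
 no ssid Cisco_Kamran_A
 no encryption mode ciphers aes-ccm
 no bridge-group 10
 exit
!
! 2. Bind each SSID to its VLAN (VLAN 11 for the 2.4 GHz SSID, VLAN 10 for the 5 GHz SSID).
dot11 ssid Cisco_Kamran_BGN
 vlan 11
 exit
dot11 ssid Cisco_Kamran_A
 vlan 10
 exit
!
! 3. Re-apply encryption per VLAN and put the SSIDs back on the radios.
interface Dot11Radio0
 encryption vlan 11 mode ciphers aes-ccm
 ssid Cisco_Kamran_BGN
 exit
interface Dot11Radio1
 encryption vlan 10 mode ciphers aes-ccm
 ssid Cisco_Kamran_A
 exit
!
! 4. Bridge groups now live only on VLAN subinterfaces, so there is no main/subinterface conflict.
!    The block-unknown-source / no source-learning / no unicast-flooding options mirror the
!    settings the posted config already had on the main radio interfaces.
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 spanning-disabled
 exit
interface Dot11Radio0.11
 encapsulation dot1Q 11
 bridge-group 11
 bridge-group 11 subscriber-loop-control
 bridge-group 11 block-unknown-source
 no bridge-group 11 source-learning
 no bridge-group 11 unicast-flooding
 bridge-group 11 spanning-disabled
 exit
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 spanning-disabled
 exit
interface Dot11Radio1.10
 encapsulation dot1Q 10
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
 exit
end
write memory
```

    After this, `show vlans` on the AP should list VLAN 10 on Dot11Radio1/GigabitEthernet0 and VLAN 11 on Dot11Radio0/GigabitEthernet0, and the router's `show ip dhcp binding` should show leases for associated clients. Note that IOS picks a DHCP pool by the subnet of the interface the request arrives on, not by the pool name, so with the router's Vlan10 SVI at 192.168.10.1 and Vlan11 SVI at 192.168.11.1 the clients on the 5 GHz SSID will get 192.168.10.x addresses and those on the 2.4 GHz SSID 192.168.11.x, even though the posted pool names are the other way round.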

  • Vpdn-group configuration

    I am replacing a 2611 with a 2811 and am copying the setup from the old router. I have a question about the following: on the old router there was no line in my config for L2TP, and I do not seem to be able to find any configuration options for it. I don't necessarily want to get rid of it, but I mainly want to know how to configure it and whether the same options apply for PPTP. I think I have gone into all of the listed options and entered "?"; is L2TP missing from the help?
    vpdn-group 1
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    l2tp tunnel password 7

    Which IOS version are you using? If you are using a lower version, you need to upgrade to version 12.4(6).
    Sample VPN group configuration:
    vpdn-group 2
    ! Default L2TP VPDN group
    description L2TP for Dial
    accept-dialin
    protocol l2tp
    virtual-template 2
    l2tp tunnel password xxxxx

Maybe you are looking for