ACS with wireless 802.1x

We have some AP1100 using 802.1x authentication with an ACS server, which then looks up users on a Windows domain; that is working fine.
I would like to be able to have a specific group on the ACS that is then mapped to a Windows group, and when the wireless users try to get authenticated they are only allowed access if they belong to that group.
In our situation the users could possibly belong to other groups on the ACS, but should not be authenticated when they are in those groups, just the one specific to the wireless.
Any ideas?
Arni

You can implement it through NAR, or do dynamic VLAN assignment for only one group; all others can fall into a guest VLAN or restricted VLAN.
The following white paper can help with NAR:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
Remember that for wireless, CLI/DNIS NAR works.
~Rohit

Similar Messages

  • Acs with wireless

    Hi Folks
    My wireless users are already authenticated via AD using EAP through ACS. Now I want to shut down this ACS for 1 hour; will these already authenticated users be affected by the shutdown?

    Hi,
    With only authentication configured, shutting down ACS should not affect already authenticated users until reauthentication is required.
    Paps

  • [SOLVED] Wireless 802.1x PEAP Windows 7 and Windows 2012 NPS and CA

    Hello,
    We are in the process of migrating our RADIUS (Windows 2003 R2) and Certificate (Windows 2003 R2) servers to 2012 (R2). This went fine, no problems. After that we have changed our wireless controller, a Cisco 5508. We have changed our certificate from a 1024-bit to a 2048-bit certificate.
    We tested the other certificate functions and that went fine too.
    But we experience a problem with wireless 802.1x in combination with Windows 7 machines. We have Windows 8 and 8.1 machines that do not experience this problem with wireless 802.1x.
    We recreated the wireless policy but also no success.
    We have seen this problem before, with a customer who had a Windows 2008 R2 certificate server and Windows XP machines with wireless 802.1x. Exactly the same problem. After decommissioning the Windows 2008 R2 certificate server and changing it to a Windows 2003 R2 certificate server, there were no problems any more.
    It looks like older versions of Windows do not work with newer certificate servers?
    Are we missing something? Can someone confirm this?
    We already looked at these forum posts, but with no success:
    http://social.technet.microsoft.com/Forums/windows/en-US/796d447f-518c-4ccb-81ff-921ee561d742/win2k8r2-peapnps-with-cisco-wireless-controller-problem?forum=winserverNIS
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/76644dcc-911d-451e-b7f1-39269db43ac7/nps-event-6273-reason-code-16
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/d543fe75-0cf9-49e7-bbfa-dd0df219cfe5/the-radius-request-did-not-match-any-configured-connection-request-policy-crp
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
      Security ID: domainname\NB80W7$
      Account Name: host/NB80W7.domainname.local
      Account Domain: domainname
      Fully Qualified Account Name: domainname\NB80W7$
    Client Machine:
      Security ID: NULL SID
      Account Name:
      Fully Qualified Account Name: -
      OS-Version:
      Called Station Identifier: 08-d0-9f-ec-96-60:domain
      Calling Station Identifier: a0-88-b4-35-2e-08
    NAS:
      NAS IPv4 Address: 192.168.2.6
      NAS IPv6 Address:
      NAS Identifier: WLC5500
      NAS Port-Type: Wireless - IEEE 802.11
      NAS Port: 1
    RADIUS Client:
      Client Friendly Name: WLC5500
      Client IP Address: 192.168.2.6
    Authentication Details:
      Connection Request Policy Name: WLC5500
      Network Policy Name:
      Authentication Provider: Windows
      Authentication Server: DC01.domainname.local
      Authentication Type: EAP
      EAP Type:
      Account Session Identifier:
      Logging Results: Accounting information was written to the local log file.
      Reason Code: 48
      Reason: The connection request did not match any configured network policy.

    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
      Security ID: domainname\Username
      Account Name: domainname\Username
      Account Domain: domainname
      Fully Qualified Account Name: domainname.local/ICT Specialisten/Username
    Client Machine:
      Security ID: NULL SID
      Account Name:
      Fully Qualified Account Name: -
      OS-Version:
      Called Station Identifier: 08-d0-9f-ec-96-60:domain
      Calling Station Identifier: a0-88-b4-35-2e-08
    NAS:
      NAS IPv4 Address: 192.168.2.6
      NAS IPv6 Address:
      NAS Identifier: WLC5500
      NAS Port-Type: Wireless - IEEE 802.11
      NAS Port: 1
    RADIUS Client:
      Client Friendly Name: WLC5500
      Client IP Address: 192.168.2.6
    Authentication Details:
      Connection Request Policy Name: WLC5500
      Network Policy Name: WLC5500
      Authentication Provider: Windows
      Authentication Server: DC01.domainname.local
      Authentication Type: PEAP
      EAP Type:
      Account Session Identifier:
      Logging Results: Accounting information was written to the local log file.
      Reason Code: 16
      Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

    Hi,
    Please confirm the Win7 clients have renewed the certificate and deleted the old certificate. And confirm you are not using the default server certificate template.
    More information:
    Renew a Certificate
    http://technet.microsoft.com/en-us/library/cc730605.aspx
    NPS Server Certificate: Configure the Template and Autoenrollment
    http://msdn.microsoft.com/en-us/library/cc754198.aspx
    Hope this helps.
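
Added example, not part of the original thread: a small parser for NPS denial events like the two quoted above, so that machine-authentication failures (Reason Code 48 with no Network Policy Name) and user-authentication failures (Reason Code 16) can be lined up per client MAC. Field and section names follow the quoted events; the sample values are constructed, and treating an account that starts with `host/` or ends with `$` as a machine identity is an assumption.

```python
import re
from collections import defaultdict

SECTIONS = {"User", "Client Machine", "NAS", "RADIUS Client", "Authentication Details"}
EVENT_START = "Network Policy Server denied access to a user."
INLINE = re.compile(r"^([A-Za-z][\w \-]*?):\s+(\S.*)$")  # "Label: value" on one line

# Constructed sample, not taken from the page. Event 1 uses the flattened
# layout (value on the line after its label); event 2 uses "Label: value".
SAMPLE = """\
Network Policy Server denied access to a user.
User:
Account Name:
host/PC01.example.test
Client Machine:
Account Name:
Fully Qualified Account Name: -
Calling Station Identifier:
00-00-5e-00-53-01
Authentication Details:
Network Policy Name:
Authentication Provider:
Windows
Authentication Type:
EAP
Reason Code:
48
Network Policy Server denied access to a user.
User:
  Account Name: EXAMPLE\\alice
Client Machine:
  Calling Station Identifier: 00-00-5e-00-53-01
Authentication Details:
  Network Policy Name: WLC-LAB
  Authentication Type: PEAP
  Reason Code: 16
"""


def parse_nps_events(text):
    """Return one dict per denial event, keyed "Section/Field"."""
    events, cur, section, pending = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = INLINE.match(line)
        if line == EVENT_START:
            cur, section, pending = {}, None, None
            events.append(cur)
        elif cur is None or not line:
            continue
        elif line.endswith(":"):
            name = line[:-1].strip()
            if name in SECTIONS:
                section, pending = name, None
            else:
                # Label without an inline value: stays "" unless a value line follows.
                pending = f"{section}/{name}"
                cur[pending] = ""
        elif m:
            cur[f"{section}/{m.group(1).strip()}"] = m.group(2).strip()
            pending = None
        elif pending:
            cur[pending] = line  # value belonging to the previous label
            pending = None
    return events


def classify(ev):
    """Summarise one denial: who failed, which policy matched, and the reason code."""
    account = ev.get("User/Account Name", "")
    # Assumption: host/... or a trailing $ marks a computer account.
    machine = account.startswith("host/") or account.endswith("$")
    return {
        "client": ev.get("Client Machine/Calling Station Identifier", ""),
        "account": account,
        "identity": "machine" if machine else "user",
        "auth_type": ev.get("Authentication Details/Authentication Type", ""),
        "policy": ev.get("Authentication Details/Network Policy Name", "") or None,
        "reason_code": ev.get("Authentication Details/Reason Code", ""),
    }


def denials_by_client(text):
    """Group classified denials by client MAC, preserving log order."""
    grouped = defaultdict(list)
    for ev in parse_nps_events(text):
        row = classify(ev)
        grouped[row["client"]].append(row)
    return dict(grouped)


if __name__ == "__main__":
    for mac, rows in denials_by_client(SAMPLE).items():
        for r in rows:
            print(mac, r["identity"], r["auth_type"], r["policy"], r["reason_code"])
```
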

  • Problems connecting on Wireless 802.11n with my T61 with Intel Wireless AGN

    Hi, I live in Thailand and have a similar problem as others with my Intel Wireless AGN connection. I have a D-Link Model DSL-2740B Rangebooster N ADSL2/2+ Modem Router. It is supposed to support 802.11n draft wireless connections of up to a maximum of 270 MBPS versus 54 MBPS for 802-11G wireless. Of course, I don't expect it to reach the maximum transfer speed, particularly here in Thailand, however I would expect it to produce results better than the 54 MBPS rate for 802-11G. I first tried it on my ThinkPad T61 which incorporates Intel® Wireless WiFi Link 4965AGN. When connected, it shows a speed of 54MBPS (802-11G) instead of higher wireless 802-11n speeds. I've upgraded my router to the latest firmware and have tried different configurations with no improvement in performance. One thing I have noted is that when I make an on-line configuration change to my router configuration then select "apply", immediately my ThinkPad rate changes to 150 MBPS momentarily then my connection is lost (to be expected as the router changes are being implemented), followed by reconnection of wireless signal only to return at 54 MBPS again. I also have an older ThinkPad model without built-in wireless capability so I purchased a Belkin wireless 802.11n USB adapter to connect to my router. Again, the maximum connection is at 54 MBPS. When I repeat configuration changes to my router as I did above, my ThinkPad connection momentarily changes to only 1 MBPS instead of 150 MBPS as in my other T61 ThinkPad then reverts back to 54 MBPS once the configuration changes have been completed. Has anyone successfully used wireless 802.11n successfully at the higher transfer rates (above 54 MBPS)? Is it possible that my TOT Goldcyber connection speed is artificially limited? I notice that my rated speed for my desktop computer connected to my same D-Link DSL-2740B only indicates a rated speed of 100 MBPS.
    I use Vista Home Premium 64-bit on my desktop, Vista Home Premium 32-bit on my ThinkPad T61, but use Windows XP Professional on my older ThinkPad. I feel that my problem is either with my ADSL carrier (TOT) or compatibility with my D-Link DSL-2740B Modem Router and my ThinkPad T61 internal wireless card and/or Belkin wireless n USB adapter. IT-City is letting me swap out the Belkin USB for the D-Link Rangebooster n DWA-140 USB adapter next week when they restock. The only other thing that I can think of is that wireless n just doesn't work in Thailand and that maybe I should just stick with wireless G and go with a higher powered wireless USB model such as the business rated EnGenius EUB 362 EXT. Has anyone used this model and had good success with it; I've heard that it is a long range model and has the capability of reaching 108 MBPS through some sort of magic? Looking forward to reading your replies and possible solution.
     Pattayadavid

    Hi!
    Intel Wi-Fi cards support the full 802.11n speed of 300 Mb/s only when working in the 5 GHz range. Your D-Link DSL-2740B works only in the 2.4 GHz range. So to get 300 Mb/s you have to get another Wi-Fi router that supports 802.11n in both 2.4 and 5 GHz, for instance Linksys WRT610N or Apple Airport Extreme or whatever.

  • Cisco ACS 5.1 802.1x auth fails on LAN when WLAN connected

    I am running Cisco ACS 5.1 802.1x with certificate-based authentication for wired and wireless connections. The issue that I am having is that when a user comes in from home with their laptop the wireless connection works; they pass the authentication and have network access fine. But when they plug the laptop into a docking station the LAN connection fails and gets put in the Auth Failure VLAN.
    A reboot of the phone/ shut/no shut fixes this, but I really need to find a resolution.
    This is an intermittent fault and only affects users with both LAN and WLAN enabled.
    Running ACS 5.1.0.44, all Cisco 3750s - c3750-ipservicesk9-mz.122-55.SE.
    Certificates are issued by group policy and only using computer authentication.
    Any help would be greatly appreciated.
    Thanks

    After a long TAC case with Cisco we discovered that the Mitel phone was not sending the EAPoL-Logoff packet so the switch still thought that the device off the back of the phone was connected.
    There are no EAPoL-Logoff messages seen on switch when laptop is disconnected/port is shut down.
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Dot1X_Deployment/Dot1x_Dep_Guide.html#wp386903
    This feature is supported by most IP phones -  I do not know if Mitel phones support that but we cannot see this message in the debugs you sent.
    As a workaround we can configure inactivity timer (by default it is infinity):
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/commmand/reference/cli1.html#wp11888691
    This did resolve all our issues,
    Aaron

  • Deskjet 3050 can't connect now that i'm with Qwest isp with wireless modem

    I had it connected no problem with Comcast and my Netgear wireless modem. I now have a Qwest PK5000Z wireless modem and can't get my DeskJet 3050 online. Someone at Qwest said there is a driver update; is that true?
    I ran my HP network config page and the active connection type says None. Network status says OFFLINE
    wireless 802.11 says status: Disconnected
    Network name SSID      found            FAIL
    Every time I press the window buttons on my printer in the wireless dept. it says either pin or push, and no matter which I push it comes back "WPS timed out, try again or cancel". The troubleshooter test said no trouble detected. I tried inserting my disk that came with my printer but once starting it says already installed. I give up. Is there a driver I can download? I set up my profile on HP to request this stuff weekly, about an hour ago.
    i need to get this printer running. i have resumes to print out. hope someone can help. Thank you

    PROBLEM SOLVED. I DELETED MY HP PRINTER INFO FROM MY PROGRAMS AFTER GOING INTO CONTROL PANEL.
    THEN STARTED UP MY DISK THAT CAME WITH MY PRINTER AND FOLLOWED THE DIRECTIONS. TURNS OUT I HAD TO GO INTO A WEBPAGE THAT I VISITED BEFORE BUT FAILED TO WRITE IT DOWN. THE QWEST REP LED ME TO IT AGAIN AND THIS TIME I WROTE IT DOWN. I'M SO LAME. I FINALLY LOOKED ON THE DARN QWEST pk5000z MODEM TO FIND THE SSID NUMBER AND ALL THAT. TURNS OUT I FORGOT MY SETTINGS ENTIRELY. PRINTER WORKING...
    GOOD NIGHT

  • Problem with wireless rt3090

    hello, I bought a laptop 'hp pavilion dv5-2133la' with wireless card rt3090 Ralink
    I have tried 3 ways to install the drivers; all failed.
    1.- Compile the drivers provided by Ralink. Here is the link: http://www.ralinktech.com/support.php?s=2
    but it gives me this error:
    make -C tools
    make[1]: se ingresa al directorio `/home/moguri/Downloads/20101216_RT3090_LinuxSTA_V2.4.0.4_WiFiBTCombo_DPO/tools'
    gcc -g bin2h.c -o bin2h
    make[1]: se sale del directorio `/home/moguri/Downloads/20101216_RT3090_LinuxSTA_V2.4.0.4_WiFiBTCombo_DPO/tools'
    /home/moguri/Downloads/20101216_RT3090_LinuxSTA_V2.4.0.4_WiFiBTCombo_DPO/tools/bin2h
    cp -f os/linux/Makefile.6 /home/moguri/Downloads/20101216_RT3090_LinuxSTA_V2.4.0.4_WiFiBTCombo_DPO/os/linux/Makefile
    make -C /lib/modules/2.6.36-ARCH/build SUBDIRS=/home/moguri/Downloads/20101216_RT3090_LinuxSTA_V2.4.0.4_WiFiBTCombo_DPO/os/linux modules
    make[1]: se ingresa al directorio `/usr/src/linux-2.6.36-ARCH'
    CC [M] /home/moguri/Downloads/20101216_RT3090_LinuxSTA_V2.4.0.4_WiFiBTCombo_DPO/os/linux/../../common/rtmp_mcu.o
    /home/moguri/Downloads/20101216_RT3090_LinuxSTA_V2.4.0.4_WiFiBTCombo_DPO/os/linux/../../common/rtmp_mcu.c: En la función 'RtmpAsicLoadFirmware':
    /home/moguri/Downloads/20101216_RT3090_LinuxSTA_V2.4.0.4_WiFiBTCombo_DPO/os/linux/../../common/rtmp_mcu.c:352:2: aviso: ISO C90 prohíbe mezclar declaraciones y código
    /home/moguri/Downloads/20101216_RT3090_LinuxSTA_V2.4.0.4_WiFiBTCombo_DPO/os/linux/../../common/rtmp_mcu.c:355:2: aviso: el paso del argumento 1 de 'writel' crea un entero desde un puntero sin una conversión
    /usr/src/linux-2.6.36-ARCH/arch/x86/include/asm/io.h:64:1: nota: se esperaba 'unsigned int' pero el argumento es de tipo 'ULONG *'
    /home/moguri/Downloads/20101216_RT3090_LinuxSTA_V2.4.0.4_WiFiBTCombo_DPO/os/linux/../../common/rtmp_mcu.c:356:2: aviso: el formato '%d' espera el tipo 'int', pero el argumento 2 es de tipo 'ULONG'
    CC [M] /home/moguri/Downloads/20101216_RT3090_LinuxSTA_V2.4.0.4_WiFiBTCombo_DPO/os/linux/../../os/linux/cfg80211.o
    /home/moguri/Downloads/20101216_RT3090_LinuxSTA_V2.4.0.4_WiFiBTCombo_DPO/os/linux/../../os/linux/cfg80211.c:679:2: aviso: se declaró 'enum tx_power_setting' dentro de la lista de parámetros
    /home/moguri/Downloads/20101216_RT3090_LinuxSTA_V2.4.0.4_WiFiBTCombo_DPO/os/linux/../../os/linux/cfg80211.c:679:2: aviso: su ámbito es solamente esta definición o declaración, lo cual probablemente no es lo que desea
    /home/moguri/Downloads/20101216_RT3090_LinuxSTA_V2.4.0.4_WiFiBTCombo_DPO/os/linux/../../os/linux/cfg80211.c:678:29: error: el parámetro 2 ('Type') tiene tipo incompleto
    /home/moguri/Downloads/20101216_RT3090_LinuxSTA_V2.4.0.4_WiFiBTCombo_DPO/os/linux/../../os/linux/cfg80211.c:676:12: aviso: la declaración de la función no es un prototipo
    /home/moguri/Downloads/20101216_RT3090_LinuxSTA_V2.4.0.4_WiFiBTCombo_DPO/os/linux/../../os/linux/cfg80211.c:1355:2: aviso: inicialización desde un tipo de puntero incompatible
    /home/moguri/Downloads/20101216_RT3090_LinuxSTA_V2.4.0.4_WiFiBTCombo_DPO/os/linux/../../os/linux/cfg80211.c:1388:2: aviso: inicialización desde un tipo de puntero incompatible
    /home/moguri/Downloads/20101216_RT3090_LinuxSTA_V2.4.0.4_WiFiBTCombo_DPO/os/linux/../../os/linux/cfg80211.c: En la función 'CFG80211_SupBandInit':
    /home/moguri/Downloads/20101216_RT3090_LinuxSTA_V2.4.0.4_WiFiBTCombo_DPO/os/linux/../../os/linux/cfg80211.c:2594:2: aviso: el formato '%d' espera el tipo 'int', pero el argumento 2 es de tipo 'long unsigned int'
    make[2]: *** [/home/moguri/Downloads/20101216_RT3090_LinuxSTA_V2.4.0.4_WiFiBTCombo_DPO/os/linux/../../os/linux/cfg80211.o] Error 1
    make[1]: *** [_module_/home/moguri/Downloads/20101216_RT3090_LinuxSTA_V2.4.0.4_WiFiBTCombo_DPO/os/linux] Error 2
    make[1]: se sale del directorio `/usr/src/linux-2.6.36-ARCH'
    make: *** [LINUX] Error 2
    2.- packages from AUR.
    but rt3090 and rt2860-firmware are out of date and do not work.
    3.- Install a deb.
    but dpkg gives me this error:
    dpkg: warning: 'update-rc.d' not found in PATH or not executable.
    dpkg: 1 expected program not found in PATH or not executable.
    NB: root's PATH should usually contain /usr/local/sbin, /usr/sbin and /sbin.
    lshw:
    description: Wireless interface
    product: RT3090 Wireless 802.11n 1T/1R PCIe
    vendor: RaLink
    physical id: 0
    bus info: pci@0000:08:00.0
    logical name: wlan0
    version: 00
    serial: 70:f3:95:6e:2a:04
    width: 32 bits
    clock: 33MHz
    capabilities: bus_master cap_list ethernet physical wireless
    configuration: broadcast=yes driver=rt2800pci driverversion=2.6.36-ARCH firmware=N/A latency=0 multicast=yes wireless=IEEE 802.11bgn
    resources: irq:17 memory:f1000000-f100ffff
    iwconfig:
    lo no wireless extensions.
    eth0 no wireless extensions.
    wlan0 IEEE 802.11bgn ESSID:off/any
    Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
    Retry long limit:7 RTS thr:off Fragment thr:off
    Power Management:off
    ppp0 no wireless extensions.
    When I run the command "iwlist wlan0 scanning" it gives me this output:
    wlan0 Failed to read scan data : Network is down
    wicd and networkmanager don't recognize any network.
    and I'm sure that the wifi card is fine because win7 recognize the network of my neighbors xD
    Please help me! I want to connect via commands if it's possible; I don't want to connect via wicd or networkmanager because they modify the file /etc/hosts, and I want to connect to ADSL via pppoe-start.
    Right now I am connected via ADSL RJ45 ethernet.
    sry 4 my english xD
    Last edited by vincegeratorix (2010-12-28 17:03:13)

    Hi,
    on my ProBook surprisingly rt2860sta could not connect anywhere, let alone with WPA, and the opensource driver rt2800pci did. With moderate success I might add because it caused a kernel panic a few times - I found Monitor mode triggered it, in kernel 2.6.36 (have not tried 2.6.37 yet). Note that rt2860sta was known to cause them as well, when disconnecting from networks.
    Several things to mind to make it work. Quoting from my article about installing Arch on it:
    The only way to get your card working is to make sure to unblock RF-Kill on all devices; the Wireless (and Bluetooth since they are combined in this model). In Arch Linux a simple startup service takes care of it, part of the rfkill package. You also have to make sure one or the other driver is blacklisted. Having them both loaded leads to connection failures.
    As for actual connecting, with rt2800pci, you can take a look at my connection script. It includes sample wpa_supplicant configuration as well. See rt-connect.sh: http://sysphere.org/~anrxc/j/articles/p … connect.sh
    Last edited by anrxc (2011-01-09 00:23:11)

  • Photosmart C7250 wireless 802.11b fails

    My new C7250 works well with USB and wired ethernet, but fails miserably (prints slowly, if at all) on my wireless 802.11b network.  All other devices work well on my wireless network.  I've spent many hours with HP and exhausted their first line support.  They supposedly have opened a case but I have heard nothing in a week.  Meanwhile, I took a network trace using WireShark and it shows a large number of retransmissions.  (I'm expert with application/network performance profiling.)  All you have to do is browse to http://192.168.1.xxx/ to test transmission -- don't even need to install drivers or printers to see the errors.  This problem appears to be with wireless support on the C7250.
    Has anyone experienced problems or success with 802.11b on this device?  How about 802.11g?  I would be willing to upgrade my wireless if I knew that it would resolve the problem.
    What does it take to escalate a problem with HP for resolution?

    All 2004 and newer wireless HP Inkjet printers are compatible with 802.11g and 802.11b networks (otherwise we couldn't get 802.11g Wi-Fi certification).  Besides testing for interoperability, we test for a minimum wireless throughput at the TCP layer.
    I'd like to see the internal connectivity report that you can generate by pressing the <setup> and <#> buttons simultaneously.  Scan the report to a memory card, copy it to your PC and post the image here.
    It will tell me information about your wireless network and other networks in the area.
    I have a couple of other questions:
    Does the slow printing go away after power cycling the printer and then does it return later?
    Does the slow printing go away after power cycling the wireless-router and then does it return later?
    Are you seeing retransmissions of TCP, 802.3 (ethernet) frames or 802.11 frames?  I wasn't sure at what layer you are sniffing the data.
    What make and model 802.11b wireless-router are you using?
    Do you have encryption enabled?  Does disabling encryption change the speed of printing?
    How many wireless PCs (Macs?) do you have on your network?  Do they all exhibit slow printing?
    Have you changed the default fragmentation settings of your wireless-router?
    At home, I routinely get 1.5 Mbytes/sec transfer rates between my 802.11g wireless-routers and my HP printers and about 700 Kbytes/sec in 802.11b mode.
    One other thing you can try is to go to the printer's internal web page, browse over to the Networking, Wireless, Advanced page and enable the configuration "In an infrastructure network use 802.11b behavior".
    Regards / Jim B
    Regards / Jim B / Wireless Enthusiasts
    ( While I'm an embedded wireless systems engineer at work, on this forum I do not represent my former employer, Hewlett-Packard, or my current employer, Microsoft )

  • In Snow Leopard, is there a way to import a wireless 802.1x System Profile via Terminal?  If so how?

    I am trying to deploy a Snow Leopard image via Casper running on a Lion server.  Everything works fine but I'd like to be able to have the image include a wireless 802.1x system profile without having to do it manually post.  I had it as part of my base image but for whatever reason it breaks during the process so I'd like to be able to create a task sequence to deploy it during the image process.  What's the best way to do this?  Thanks in advance!

    Hey SchenkerBob,
    It is possible to disable non-system fonts temporarily for all applications using the Font Book application. This article explains how to do so -
    Mac Basics: Font Book - Apple Support
    In particular -
    Disable and enable specific fonts
    In situations where you'd like to prevent a font from being available in applications, but you don't want to completely remove the font from your Mac, you can use Font Book to disable the font.
    In Font Book, click "All Fonts" in the Collection column.
    Click the name of the font in the Font column.
    Choose Disable "Font Name" Family from the Edit menu.
    Since it might be problematic to have to disable each font individually, you can create a collection of fonts and disable the collection. See the article for how to create a font collection -
    Organize fonts as collections
    When working with fonts, you may discover that you use certain fonts frequently, but rarely use others. To make it easier to find the font you are looking for, you can organize your fonts into collections.
    From the Font Book File menu, choose New Collection.
    Type in a name for the new collection.
    Click "All Fonts" in the Collection column.
    Drag the fonts that you want from the Font column onto the name of your new collection in the Collection column.
    You can then disable collections of fonts -
    You can also disable or enable all fonts in a collection: Click the name of the collection in the Collection column, then choose Disable "Collection Name" or Enable "Collection Name" from the Edit menu.
    Thanks for using Apple Support Communities.
    Happy computing,
    Brett L 

  • Getting Started with Wireless: Wireless configuration on 877W router - STUC

    Just letting you know that I've already posted an identical post under "Getting Started with Wireless" but don't feel that I'm getting any attention so I made another post. Thank you.
    Hi all
    I have a Cisco 877W router running IOS v 12.4(15)T3. I have been trying to configure wireless to run WPA-PSK and am stuck at the final stage. I spent a lot of time configuring the router using CLI but ended up using the Web GUI interface. I was able to configure the wireless settings (I think) but failed when connecting to the router from WinXP-SP2 and was wondering if you have any suggestions for me. I've run the following debugs on the router:
    VNRouter#sho debug
    DHCP server event debugging is on.
    dot11:
    802.1X module WPA/WPA-PSK/CCKM key management debugging is on
    dot11 Syslog debugging is on
    Below is the error message when connecting wirelessly
    *Mar 4 18:46:25.655: *** Not encrypted dot1x packet from 001b.771a.dbad has been discarded
    VNRouter#
    *Mar 4 18:46:25.659: %DOT11-6-ASSOC: Interface Dot11Radio0, Station VNRouter 001b.771a.dbad Associated SSID[VN-WiLess1] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
    VNRouter#
    *Mar 4 18:47:25.571: *** Not encrypted dot1x packet from 001b.771a.dbad has been discarded
    *Mar 4 18:47:25.575: *** Not encrypted dot1x packet from 001b.771a.dbad has been discarded
    *Mar 4 18:47:25.575: *** Not encrypted dot1x packet from 001b.771a.dbad has been discarded
    *Mar 4 18:47:25.579: *** Not encrypted dot1x packet from 001b.771a.dbad has been discarded.
    I've created two VLANs (and tied these two VLANs to 2 separate SSIDs) on this router for a reason and so far have not been able to connect to any of them (SSID). I've also attached the config so you can have a look. Thanks in advance for your help.

    The configuration looks fine. In most cases, connectivity issues with WPA-PSK are due to a mismatch in the PSK on the client and the AP. Try re-entering the PSK on both the router and the client and check if you are seeing any issues.

  • Stuck with a 802.11b/g router?

    I have a MI424WR (Rev E) router with a 50/25 plan. This router only supports the 802.11b/g networking standards, which of course, has a theoretical wireless speed of 54Mbps, but in actuality doesn't get anywhere near those numbers due to overhead. Therefore, I'm paying for speeds I can't wirelessly obtain. I've found my way around the issue by connecting to a 2nd router which supports 802.11n, but I'm not really sure why I should have to do this. Why has Verizon supplied me with such old technology? I did some research and found this particular router began production around 2008. Is this a ploy to get people to spend more for faster speeds, or buy the "advanced" router for $100, or should I have been given a newer model modem which actually does support 802.11n?
    I tried to do a chat with support, but he just wanted me to go through some pointless troubleshooting steps. I got frustrated trying to explain that my issue is hardware limitations, not router settings and ended the chat.

    hlppls wrote:
    Verizon bases the fact that the wired portion of the router supports your service. They still will not guarantee wireless speed so the wireless portion of the router is just an extra feature.  Turn off your router and call in saying it doesn't work. They will send you another one and chances are high that it might be a gen 3. Even if it is a gen 3 they still will not guarantee you wireless.
    Keep in mind that doing this *might* invoke a router rental fee or replacement charge on the bill, if Verizon is still doing that. He may just be better off buying another cheap router with Wireless N or AC and either setting it up as an AP/Switch, or making the ActionTec into a backup router and taking it out of the picture entirely.

  • Replacing ACS with ISE

    What is required to replace ACS with ISE in simple terms?
    I am looking to basically authenticate wired and wireless access against the local/AD user database via Cisco kit.
    I am thinking all I need is the BASE (perpetual) license rather than the advanced/wireless licenses.
    Is there a limit to how many devices or users the base can deal with in its simplest form?
    I would also like to be able to push out a splash screen for wireless users during authentication. Can this be done just with the ISE Base License alone for a wireless solution (via WLC with LWAPs or Autonomous APs)?
    thanks 
    dave

    Yes, you can authenticate the user using the ISE, but you need an advanced license if you want to use both wired and wireless. Here is a small table to help you understand the license requirements. Also, the max. devices supported depends on the type of deployment, and with the advanced features you have the ability of profiling and posturing, which provide very good control for admins in the network.
    Software Packages and Options

    Base
      Capabilities: Basic network access and guest access
      Network deployment support: Wired, wireless, and VPN
      License prerequisite: None
      Perpetual license
      Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
    Advanced
      Capabilities: Profiler and feed service, posture, MDM integration, automated endpoint onboarding, and Security Group Access (SGA)
      Network deployment support: Wired, wireless, and VPN
      License prerequisite: Base license
      Term license: 1, 3- and 5-year terms
      Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
    Wireless
      Capabilities: Basic network access, guest access, profiler, posture, and SGA
      Network deployment support: Wireless
      License prerequisite: None
      Term license: 1, 3- and 5-year terms
      Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
    Wireless Upgrade
      Capabilities: Basic network access, guest access, profiler, posture, and SGA
      Network deployment support: Wired, wireless, and VPN
      License prerequisite: Wireless license
      Term license: 1, 3- and 5-year terms
      Upgrade licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
    ***Do rate helpful posts***

  • ACS with Aruba Controller

    Dears,
    hi,
    I would like to ask you if we can restrict wireless users to be authenticated from 3 devices only via ACS. Currently wireless users are authenticated via MSCHAPv2 PEAP from the local ACS database, but we have a request that a user can be authenticated by a maximum of 3 devices concurrently, and ACS should limit the user if they try to access from a 4th device. Can we do that in ACS?

    Hi Saurav Lodh,
    Actually I have an Aruba wireless controller integrated with ACS for wireless user authentication. Meanwhile ACS is used for network device administration. When I enable Max User Sessions in ACS 5.3, it works for the TACACS protocol but not for the RADIUS protocol, even though the Aruba engineer enabled RADIUS Accounting. In the ACS report, I can see the same user can open multiple sessions ("account status is Start") without limiting the user.
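As an added illustration of the per-user device limit discussed in this thread (not ACS or Aruba code), the sketch below replays RADIUS accounting Start/Stop records and flags a user who exceeds three concurrent devices. The records are constructed, the attribute names are the standard RADIUS accounting ones, and the function names are hypothetical.

```python
from collections import defaultdict

MAX_DEVICES = 3  # limit requested in the thread above

# Constructed accounting records, not real logs:
# (Acct-Status-Type, User-Name, Acct-Session-Id, Calling-Station-Id)
SAMPLE_RECORDS = [
    ("Start", "alice", "s1", "AA-BB-CC-00-00-01"),
    ("Start", "alice", "s2", "AA-BB-CC-00-00-02"),
    ("Start", "alice", "s3", "AA-BB-CC-00-00-03"),
    ("Start", "alice", "s4", "AA-BB-CC-00-00-01"),  # roam: same device, new session
    ("Start", "bob",   "s5", "AA-BB-CC-00-00-09"),
    ("Stop",  "alice", "s2", "AA-BB-CC-00-00-02"),
    ("Start", "alice", "s6", "AA-BB-CC-00-00-04"),  # third device again, still allowed
    ("Start", "alice", "s7", "AA-BB-CC-00-00-05"),  # fourth concurrent device
]

def track_sessions(records, limit=MAX_DEVICES):
    """Replay accounting records; return (active sessions per user, violations)."""
    active = defaultdict(dict)  # user -> {session id: client MAC}
    violations = []
    for status, user, session_id, mac in records:
        if status == "Start":
            active[user][session_id] = mac
            # Count distinct devices, not sessions: a roaming client may send a
            # new Start before the Stop for its previous session arrives.
            devices = set(active[user].values())
            if len(devices) > limit:
                violations.append((user, mac, len(devices)))
        elif status == "Stop":
            # Unknown session ids are ignored (Stop without a recorded Start).
            active[user].pop(session_id, None)
    return dict(active), violations

def device_count(active, user):
    """Number of distinct client MACs with an open session for this user."""
    return len(set(active.get(user, {}).values()))

if __name__ == "__main__":
    sessions, over_limit = track_sessions(SAMPLE_RECORDS)
    for user, mac, count in over_limit:
        print(f"{user}: device {mac} is concurrent device #{count}, limit {MAX_DEVICES}")
```

A counter like this is only as accurate as the accounting stream: a lost Stop leaves a stale session that keeps counting against the user until it is aged out.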

  • Wireless 802.11r and .k on WLC

    Hello all,
    I've seen that in 7.4 and later releases on the WLC5508 you can configure 802.11r and 11k support using Fast Transaction so that iOS7 won't experience connection loss during roaming. My question is: on the same WLAN, can I configure 802.1X and FT-802.1X authentication so that I'll be able to have non-802.11r and 802.11r capable clients on the same SSID? Or will this setup create association problems?
    BR
    OG

    Maybe this can help explain it also:
    http://www.cisco.com/en/US/docs/wireless/controller/7.3/configuration/guide/b_wlc-cg_chapter_0111.html#d155467e2632a1635
    Legacy clients cannot associate with a WLAN that has 802.11r enabled if the driver of the supplicant that is responsible for parsing the Robust Security Network Information Exchange (RSN IE) is old and not aware of the additional AKM suites in the IE. Due to this limitation, clients cannot send association requests to WLANs. These clients, however, can still associate with non-802.11r WLANs. Clients that are 802.11r capable can associate as 802.11i clients on WLANs that have both 802.11i and 802.11r Authentication Key Management Suites enabled. The workaround is to enable or upgrade the driver of the legacy clients to work with the new 802.11r AKMs, after which the legacy clients can successfully associate with 802.11r enabled WLANs. Another workaround is to have two SSIDs with the same name but with different security settings (FT and non-FT).
    Sent from Cisco Technical Support iPhone App
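To make the RSN IE point in the quoted Cisco text concrete, here is an added example (not from the thread or from Cisco) that parses the AKM suite list of an RSN information element and tolerates suite types it does not know, which is what the old supplicant drivers fail to do. The layout follows IEEE 802.11 (element ID 48; AKM type 1 = 802.1X, 3 = FT over 802.1X); the sample bytes are constructed and the function names are hypothetical.

```python
import struct

IEEE_OUI = bytes.fromhex("000fac")
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK"}

# Constructed RSN IEs: version 1, CCMP group and pairwise ciphers, capabilities 0
MIXED_IE = bytes.fromhex("3018" "0100" "000fac04" "0100" "000fac04"
                         "0200" "000fac01" "000fac03" "0000")
LEGACY_IE = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04"
                          "0100" "000fac01" "0000")

def parse_rsn_akms(ie: bytes):
    """Return the AKM suites advertised in an RSN IE, in order of appearance."""
    if len(ie) < 2 or ie[0] != 48:
        raise ValueError("not an RSN information element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1]:
        raise ValueError("truncated element")
    try:
        (version,) = struct.unpack_from("<H", body, 0)
        pos = 2 + 4                                  # skip version and group cipher
        (n_pairwise,) = struct.unpack_from("<H", body, pos)
        pos += 2 + 4 * n_pairwise                    # skip pairwise cipher list
        (n_akm,) = struct.unpack_from("<H", body, pos)
        pos += 2
    except struct.error:
        raise ValueError("truncated RSN header") from None
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    akms = []
    for _ in range(n_akm):
        suite = body[pos:pos + 4]
        pos += 4
        if len(suite) < 4:
            raise ValueError("truncated AKM suite list")
        if suite[:3] == IEEE_OUI:
            # An unknown type is reported and skipped, not treated as a parse failure
            akms.append(AKM_NAMES.get(suite[3], f"unknown({suite[3]})"))
        else:
            akms.append("vendor:" + suite.hex())
    return akms

def classify(akms):
    """Label a WLAN as 'mixed', 'ft-only' or 'non-ft' from its AKM list."""
    ft = any(a.startswith("FT-") for a in akms)
    legacy = any(a in ("802.1X", "PSK") for a in akms)
    return "mixed" if ft and legacy else "ft-only" if ft else "non-ft"

if __name__ == "__main__":
    for name, ie in (("mixed", MIXED_IE), ("legacy", LEGACY_IE)):
        print(name, parse_rsn_akms(ie), classify(parse_rsn_akms(ie)))
```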

  • Imac works well with ethernet not with wireless - although my other imac work fine w the wireless

    iMac works well with ethernet, not with wireless, although my other iMac works fine with the wireless. Do I have a problem with a wireless card?

    Are the computers in the same place?
    You can look around for wireless networks. See:
    iStumbler - 98
    find AirPort networks, Bluetooth devices, Bonjour services
    http://www.versiontracker.com/dyn/moreinfo/macosx/17572
    >USB dongle
    Newer Technology MAXPower 802.11g/b Wireless USB 2.0 Stick Adapter $15.99 http://eshop.macsales.com/item/Newer%20Technology/MXP2802GU2/ 
    Newer Technology MAXPower 802.11n/g/b USB Adapter. The easiest way to add Wireless Connectivity to ANY computer! 'n' speed is the newest and fastest. $29.99 http://eshop.macsales.com/item/Newer%20Technology/MXP802NU2C/
