ACS/WLC/WLAN

Hi,
Can anybody provide any assistance with the query below:
I have a 5508 WLC with my WLAN set to authenticate machines via 802.1x. We use ACS version 4.1 to assign certificates to machines which are on our AD domain.
The certificate is obtained via a Group Policy on the domain which makes the device broadcast for a CA - this is returned as the server running ACS and this then issues the machine a certificate.
The issue we are facing is that we are about to start a domain migration and the machines on the new domain cannot request a cert from the server running ACS as it is on the old domain - although there is a trust between the old and new domains.
Many Thanks,
Claire

Hi Dave,
I couldn't find the link you provided :(
Have a look at this example, it sounds like what you are looking for;
Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
Hope this helps!
Rob

Similar Messages

  • WCS and WLC WLAN Config not fully in sync

    Hi,
    We're facing the issue that the WCS and WLC WLAN config is not fully in sync. The WLC is showing server 1 as IP:10.160.22.151, Port:1812 but WCS is showing none even after clicking the "Audit" button. Any idea how to resolve this issue? Is this causing any wireless problem? Attached is a screen capture. Thanks for your help.

    You mentioned "audit". Have you done a WCS audit so the WLC and WCS are in SYNC?
    If you make a change on the WLC you will not see it in WCS UNLESS they are SYNC. You will see the term "mismatch".
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Dynamic VLAN assignment issue with ACS & WLC

    I have configured an ACS (v4.2) & a WLC 4402 (5.2.193.0) according to the document listed at: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    When I attempt to authenticate a user in the ACS local user database, I receive an auth failure.  I have enabled debugging in the WLC's CLI and I see that I get an authentication failure from the ACS.  Upon reviewing the ACS's 'failed attempts' log, I see the username I attempt to authenticate with, but it reports 'CN user unknown' even though this user is in the local database.
    During troubleshooting, I discovered that if I modify the AAA client for the WLC and change it to 'Cisco Aironet' rather than 'Cisco Airespace', authentication works perfectly, the proper user is authenticated to the local database and I am able to connect to the SSID.  The only issue is that because I'm now using Aironet instead of Airespace, the IETF attributes 064, 065, and 081 (VLAN, 802, and the VLAN ID respectively) do not properly assign the VLAN that the user needs to be on.
    Am I missing something?

    I determined that a NAP was blocking my authentication using Airespace and can successfully authenticate with both Aironet and Airespace now.  I also reviewed the debug output of both types of connections and I can see the proper attributes coming through, but the wireless clients just won't assign to the right VLAN interface.
    I've reviewed all of the configuration settings per the document about 40 or 50 times now and I am certain I'm not missing anything.  I do indeed have override enabled but the configured interface 'management' is still the one the user is assigned to every time, even in the client connection details under the monitor tab.  ARGH!!

  • WLC WLAN Authentication from External RADIUS Server

    Dears,
    How can we make the WLC receive a PoD (Packet of Disconnect) from the RADIUS server to terminate the session and disconnect the authenticating clients?
    Thanks,

    Hi Ahmed,
    It's not documented well, but here it is:
    CSCso52532 No Documentation for sending RADIUS Disconnect-Request (RFC 3576)
    . If a user has to be logged out, the following attributes are expected:
      - SSH_RADIUS_AVP_SERVICE_TYPE(6) attribute with the following value:
        SSH_RADIUS_SERVICE_TYPE_LOGIN(1)
      - SSH_RADIUS_AVP_CALLING_STATION_ID(31) - this is needed if we want to delete a particular user session via a particular device (like PDA, Phone or PC)
      - SSH_RADIUS_AVP_USER_NAME(1)
    . If a management user has to be logged out, the following attributes are expected:
      - SSH_RADIUS_AVP_SERVICE_TYPE(6) attribute with the following value:
        SSH_RADIUS_SERVICE_TYPE_ADMINISTRATIVE
        OR
        SSH_RADIUS_SERVICE_TYPE_NAS_PROMPT
      - SSH_RADIUS_AVP_USER_NAME(1)
      - SSH_RADIUS_AVP_FRAMED_IP_ADDRESS(8)
    Eg:
    *Dec 17 12:59:08.926:   Packet contains 14 AVPs:
    *Dec 17 12:59:08.926:       AVP[01] User-Name................................user@domain (17 bytes)
    *Dec 17 12:59:08.926:       AVP[02] Nas-Port.................................0x0000000d (13) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[03] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[04] Framed-IP-Address........................0x0a003f1b (167788315) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[05] NAS-Identifier...........................wlcRM_1 (7 bytes)
    *Dec 17 12:59:08.926:       AVP[06] Airespace / WLAN-Identifier..............0x00000004 (4) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[07] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)
    *Dec 17 12:59:08.926:       AVP[08] Acct-Authentic...........................0x00000001 (1) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[09] Tunnel-Type..............................0x0000000d (13) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[10] Tunnel-Medium-Type.......................0x00000006 (6) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[11] Tunnel-Group-Id..........................0x3633 (13875) (2 bytes)
    *Dec 17 12:59:08.926:       AVP[12] Acct-Status-Type.........................0x00000001 (1) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[13] Calling-Station-Id.......................10.0.63.27 (10 bytes)
    *Dec 17 12:59:08.926:       AVP[14] Called-Station-Id........................10.0.71.251 (11 bytes)
    *Dec 17 12:59:10.943: 00:1c:26:cb:27:71 Accounting-Response received from RADIUS server 10.0.71.249 for mobile 00:1c:26:cb:27:71 receiveId = 0
    *Dec 17 12:59:34.044: Received a 'RFC-3576 Disconnect-Request' from 10.0.71.249
    *Dec 17 12:59:34.044:   Packet contains 6 AVPs:
    *Dec 17 12:59:34.044:       AVP[01] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)
    *Dec 17 12:59:34.044:       AVP[02] User-Name................................user@domain (17 bytes)
    *Dec 17 12:59:34.044:       AVP[03] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)
    *Dec 17 12:59:34.044:       AVP[04] Calling-Station-Id.......................10.0.63.27 (10 bytes)
    *Dec 17 12:59:34.044:       AVP[05] Called-Station-Id........................10.0.71.251 (11 bytes)
    *Dec 17 12:59:34.044:       AVP[06] Service-Type.............................0x00000001 (1) (4 bytes)
    *Dec 17 12:59:34.044: Error cause 503 generated for 'RFC-3576 Disconnect-Request' from 10.0.71.249 (Session Identification attributes not valid)
    *Dec 17 12:59:34.045: Sent a 'RFC-3576 Disconnect-Nak' to 10.0.71.249:3799
    *Dec 17 12:59:36.561: ****Enter processIncomingMessages: response code=5
    **Share your knowledge. It’s a way to achieve immortality.
    --Dalai Lama**
    Regards
    Ed
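    The attribute list above is the whole contract: a Disconnect-Request is only honoured when the session-identification AVPs let the controller find a live session, and its Request Authenticator is computed differently from an Access-Request. The example below is added here and is not code from this thread or from Cisco: it builds a Disconnect-Request (code 40) with the three AVPs the post names for a user logout, derives the Request Authenticator per RFC 5176, and checks a received packet for the authenticator and for the required AVPs. The shared secret is a placeholder; the client MAC from the accounting debug is used as Calling-Station-Id (an assumption, since the WLC in that debug reported an IP address there); the function names are my own.

```python
import hashlib
import hmac
import struct

# Packet codes defined by RFC 3576 / RFC 5176 (RADIUS Dynamic Authorization)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
# Attribute numbers named in the post above
USER_NAME, SERVICE_TYPE, FRAMED_IP_ADDRESS, CALLING_STATION_ID = 1, 6, 8, 31
SERVICE_TYPE_LOGIN = 1
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; then a 16-octet authenticator


def encode_avp(attr_type, value):
    """Encode one RADIUS AVP as type, length (including the 2-octet header), value."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode("utf-8")
    if not 0 < len(value) <= 253:
        raise ValueError("AVP value must be 1..253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def build_disconnect_request(secret, identifier, avps):
    """Build a Disconnect-Request. RFC 5176 section 2.3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + attributes + shared secret).
    Unlike Access-Request it is not random, so the NAS can verify the sender."""
    body = b"".join(encode_avp(t, v) for t, v in avps)
    header = HEADER.pack(DISCONNECT_REQUEST, identifier, HEADER.size + 16 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_packet(packet):
    """Return (code, identifier, authenticator, [(attr_type, raw_value), ...])."""
    code, identifier, length = HEADER.unpack_from(packet)
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    avps, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad AVP length")
        avps.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, packet[4:20], avps


def request_authenticator_ok(packet, secret):
    """Verify a received Disconnect-Request against our shared secret; a NAS
    should silently discard packets that fail this rather than answer them."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def missing_user_session_attrs(avps):
    """List what the post says the WLC expects to log out a (non-management) user:
    Service-Type=Login(1), User-Name and Calling-Station-Id."""
    present = dict(avps)
    missing = []
    if present.get(SERVICE_TYPE) != struct.pack("!I", SERVICE_TYPE_LOGIN):
        missing.append("Service-Type=Login")
    for attr_type, name in ((USER_NAME, "User-Name"), (CALLING_STATION_ID, "Calling-Station-Id")):
        if attr_type not in present:
            missing.append(name)
    return missing


# Constructed sample: user and client MAC from the accounting debug above,
# shared secret is a placeholder, not a real value.
SECRET = b"constructed-shared-secret"
SAMPLE = build_disconnect_request(SECRET, 7, [
    (SERVICE_TYPE, SERVICE_TYPE_LOGIN),
    (USER_NAME, "user@domain"),
    (CALLING_STATION_ID, "00:1c:26:cb:27:71"),
])

if __name__ == "__main__":
    code, ident, _, avps = parse_packet(SAMPLE)
    print(code, ident, request_authenticator_ok(SAMPLE, SECRET), missing_user_session_attrs(avps))
```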

  • Why is IP address needed for WLC WLANs?

    I'm familiar with autonomous APs but am new to the WLC. Is there a way to just bridge the WLAN traffic to a VLAN? I don't understand why the WLC requires an IP address for the VLAN when the clients essentially are already on that VLAN. How is it used?
    Thanks.
    (Edit: fixed typo.)

    the parameters specific to this VLAN. Some of the parameters include the IP Address, Netmask, Gateway, and the DHCP server IP address.
    The IP address assigned to this interface acts as the DHCP relay for a client to obtain an IP address from the DHCP server. For example, when a client attempts to associate to a WLAN/SSID (see step 5 in this configuration) mapped to this dynamic interface, it performs a local subnet broadcast to identify the DHCP server. The controller sends a request to the DHCP server (or to itself if it is the DHCP server for the segment) with the IP address of this dynamic interface as relay IP to the DHCP server configured for this interface. The DHCP server assigns an IP address to the client from the configured DHCP scope.
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-vlan/68100-wlan-controllers-vlans.html

  • Need advice about ACS/WLC upgrade ?

    We have two ACS 4402 with software version 5.2.193.0 . What version should I upgrade to ?
    The ACS is running version 5.2.148.0. What version do you recommend here ?
    Regards
    Johann F
    Volda University College, Norway

    Hi Johan,
    Are you facing any bug or require any new feature?
    Normally recommended in the latest on your code train:
    latest on 5.2
    latest on 6.0
    latest on 7.0
    and so on...
    Have a good day.
    Serge

  • ACS and WLAN

    We have a customer who has several remote locations all connected via private links. In those remote locations they will have Aironet 1200 series APs. Will we be able to have those wireless users authenticate to an ACS server at the main location?

    You can use the ACS server at the main location. The only problem that I can think of that may be an issue would be caused by latency of the link back to the main site. You may need to adjust your RADIUS timeout values if the links have high utilization or any latency issues.
    The other thing I would do is implement WDS at the remote sites. This will cause the first authentication to get passed to the ACS server and subsequent authentications to occur locally to the WDS master AP at the remote site for the specific account.
    I have a similar setup at many of my remote sites. All of my remote sites connect back to the main site via T1's that have AP's deployed. I have not heard of any problems from my users with this setup.
    HTH
    Steve

  • WLC WLAN SSID L3 Security Passthru

    With passthru security the end user gets a pop-up warning about accepting the self-signed certificate from the virtual IP 1.1.1.3.
    Is there a way to replace the certificate with a trusted public certificate?

    You can disable https on the controller. This will eliminate that Windows pop-up warning. You need to reboot the controller for the change to take effect.
    Or you can install an actual SSL certificate on the controller.
    For ease of administration I went with option 1 so I did not have to worry about renewing the certificate every year.

  • CISCO WLC/WLAN ERROR CODES

    Need more info regarding error messages (links). Are these error codes made public or just for TAC use?
    Thanks.

    I have the same question. Can anyone please reply?

  • Wireless Virtual LAN - SSID and ACS User Mapping

    Hi Everybody
    We have the following scenario:
    - WLC 4402 and ACS 3.3
    - 2 SSIDs, one for employees, one for guests
    - All users (guests and employees) are authenticated against the ACS server.
    We would like to only permit Guest users to use the Guest SSID.
    I've been reading the Wireless Virtual LAN Deployment Guide :
    http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wvlan_an.pdf
    and have tried to use method 1.
    - RADIUS-based SSID access control:
    "Upon successful 802.1X or MAC address authentication, the RADIUS server
    passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge."
    "This is configured by enabling the '[026/009/001] cisco-av-pair' option. On the ACS Server
    - Enable and configure Cisco IOS/PIX RADIUS Attribute,
    009\001 cisco-av-pair
    - Example: ssid=LEAP_WEP"
    I've tried this, but regardless of which SSID the user (group) has configured, it still can access all SSIDs?
    Does anyone have any idea of what I'm doing wrong?
    Does this setting only apply to access points, or is it also valid for the WLC 44xx series?
    Greetings
    Jarle

    Hi I'm sorry but this still does not help.
    We have now upgraded ACS to version 4.0 and I'm still having the same problems.
    This is what i have configured:
    WLC:
    - WLAN
    - SSID : Public
    - WLAN id = 3
    - L2 Security : 802.1x
    - Interface Name : GuestVLAN
    - Controller - Interface
    - management - Untagged
    - GuestVLAN - VLAN 112
    - Security
    - RADIUS Servers
    When authenticating a Guest (belonging to the proper group in ACS), the right VLAN is used, IP addresses from DHCP are received, and the Guest can access the internet.
    Switch:
    - Port connected to WLC uses Trunking.
    - Guests are connected to VLAN 112 and "native VLAN" is used to connect the Private Users.
    ACS:
    - AAA Client is the WLC, Authenticating using Cisco Airespace
    - Guest Users are member of Group 11
    - Private Users are member of Group 1
    Group 11
    - Use Per Group NAR to only allow WLAN Access
    - Cisco Airespace RADIUS Attributes
    x 14179\001 - Aire-WLAN-ID = 3
    - Cisco IOS / PIX RADIUS Attributes
    x 009\001 Cisco-av-pair = "ssid=Public"
    - IETF Radius Attributes
    x 006 Service Type = Login
    x 007 Framed-Protocol = ppp
    x 064 Tunnel-Type = VLAN
    x 065 Tunnel-Medium-Type = 802.1x
    x 081 Tunnel-Private-Group-ID = 112
    Group (default Group)
    - Cisco Airespace RADIUS
    x 14179\001 Aire-WLAN-ID = 1
    - Cisco IOS/PIX Radius Attrib
    x 009\001 Cisco-av-pair = "ssid=Private"
    - IETF RADIUS
    x 008 Service-type = Login
    x 064 Tunnel-Type = VLAN
    x 065 Tunnel-Medium-Type = 802.1x
    x 081 Tunnel-Private-Group-ID = 1
    Do you have any idea of what i should change?
    Greetings
    Jarle
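    The controller acts on the three IETF attributes Jarle lists (064 Tunnel-Type, 065 Tunnel-Medium-Type, 081 Tunnel-Private-Group-ID), which is also what the earlier dynamic-VLAN post in this thread relies on. The decoder below is an added example, not code from any post or from Cisco: it applies the RFC 2868 tag-octet rule to those attributes and shows that the Tunnel-Group-Id 0x3633 in Ed's WLC debug output is the two ASCII characters "63", not the integer 13875 printed beside it, because attribute 081 is a string. The function names and the debug-line parser are my own.

```python
import re

# IETF attribute numbers from the ACS configuration above
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13       # ACS value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6  # ACS value "802"


def split_tag(raw):
    """RFC 2868: the first octet is a tag when it is 0x00..0x1F, otherwise it
    belongs to the value. Tag 0 means untagged. Returns (tag, value)."""
    if raw and raw[0] <= 0x1F:
        return raw[0], raw[1:]
    return 0, raw


def tunnel_int(raw):
    """Integer tunnel attribute: 4 octets on the wire, tag + 3-octet value."""
    _, value = split_tag(raw)
    return int.from_bytes(value, "big")


def vlan_from_access_accept(avps):
    """avps: {attribute_number: raw_bytes} taken from an Access-Accept.
    Return (vlan, None) when the three attributes say 'VLAN over 802', else (None, reason).
    This mirrors the check the posts describe; it is not the controller's own logic."""
    names = {TUNNEL_TYPE: "Tunnel-Type", TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
             TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-ID"}
    for num, name in names.items():
        if num not in avps:
            return None, "missing %s (%d)" % (name, num)
    ttype = tunnel_int(avps[TUNNEL_TYPE])
    if ttype != TUNNEL_TYPE_VLAN:
        return None, "Tunnel-Type is %d, expected 13 (VLAN)" % ttype
    medium = tunnel_int(avps[TUNNEL_MEDIUM_TYPE])
    if medium != TUNNEL_MEDIUM_IEEE_802:
        return None, "Tunnel-Medium-Type is %d, expected 6 (802)" % medium
    _, group = split_tag(avps[TUNNEL_PRIVATE_GROUP_ID])  # a string, not an integer
    return group.decode("ascii", "replace"), None


# Parser for the "AVP[nn] Name....0xHEX" lines the WLC debug prints.
DEBUG_LINE = re.compile(r"AVP\[\d+\]\s+(?P<name>[\w/ -]+?)\.{2,}(?P<hex>0x[0-9a-fA-F]+)")
NAME_TO_NUM = {"Tunnel-Type": TUNNEL_TYPE, "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE,
               "Tunnel-Group-Id": TUNNEL_PRIVATE_GROUP_ID}


def avps_from_wlc_debug(text):
    """Collect the tunnel attributes from WLC debug output as {number: raw_bytes}."""
    avps = {}
    for m in DEBUG_LINE.finditer(text):
        num = NAME_TO_NUM.get(m.group("name"))
        if num is not None:
            avps[num] = bytes.fromhex(m.group("hex")[2:])
    return avps


# Sample input: the three tunnel lines copied from Ed's debug earlier in this thread.
WLC_DEBUG = """\
*Dec 17 12:59:08.926:       AVP[09] Tunnel-Type..............................0x0000000d (13) (4 bytes)
*Dec 17 12:59:08.926:       AVP[10] Tunnel-Medium-Type.......................0x00000006 (6) (4 bytes)
*Dec 17 12:59:08.926:       AVP[11] Tunnel-Group-Id..........................0x3633 (13875) (2 bytes)
"""

if __name__ == "__main__":
    print(vlan_from_access_accept(avps_from_wlc_debug(WLC_DEBUG)))  # ('63', None)
    # Jarle's guest group, as an Access-Accept would carry it (untagged, VLAN "112")
    print(vlan_from_access_accept({64: b"\x00\x00\x00\x0d", 65: b"\x00\x00\x00\x06", 81: b"112"}))
```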

  • Certificate on acs

    Hello Folks
    Wi-Fi users are authenticated via single sign-on on MS AD using ACS (802.1X).
    The question is: is it mandatory to generate a certificate in the ACS and then export it to the controller in order for the authentication to work?

    Hi Ibrahim,
    How are you?
    First, what 802.1X EAP are you using? What ACS rev are you on?
    I will assume PEAP.
    1) ACS Cert is required. You have 2 options for a certificate.
         a. You can do a self-generated certificate which is created on and by the ACS server. This cert lasts 12 months from the time you create it. Here is further reading on the ACS self cert.
         Personally, I'm not a fan of the self-signed ACS certificate. Because if you validate the cert on the client you will need to push this cert to each client. I will explain that later.
    Self-signed Certificate Setup (only if you do not use an external CA)
    Note: When you test in the lab with self-signed certificates,  it results in a longer authentication time the first time a client  authenticates with the Microsoft supplicant. All subsequent  authentications are fine.
    Complete these steps:
    On the Cisco Secure ACS server, click System Configuration.
    Click ACS Certificate Setup.
    Click Generate Self-signed Certificate.
    Type something into the Certificate subject field preceded by cn=, for example, cn=ACS33.
    Type the full path and name of the certificate that you want to create, for example, c:\acscert\acs33.cer.
    Type the full path and name of the private key file that you want to create, for example, c:\acscert\acs33.pvk.
    Enter and confirm the private key password.
    Choose 1024 from the key length drop-down menu.
    Note: While Cisco Secure ACS can generate key sizes greater  than 1024, the use of a key larger than 1024 does not work with PEAP.  Authentication might appear to pass in ACS, but the client hangs while  authentication is attempted.
    Check Install generated certificate.
    Click Submit.
         b. You can get a CA-signed certificate. If you are using 4.x ACS you can generate what is called a CSR (Certificate Signing Request). You then send the CSR to a CA and they generate a cert for you.
    Here is a link to read up on the CA certificate.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml#t14
    How and where to install the certs and how it works...
    1) The cert is installed on the ACS server and the client IF a) you are validating the cert on the client b) you are using an ACS self-signed cert
    So the ACS server has a cert installed on it. This cert is used to build a secure tunnel between the ACS server and the wireless client so that when the wireless client passes its credentials they cannot be seen, as they are passed in the tunnel created by the certificate (think HTTPS).
    When a wireless client connects, the WLC / WLAN is configured with 802.1X. So the WLC passes all the authentication traffic directly to the ACS. So the WLC DOESN'T NEED TO KNOW ABOUT THE CERT. This chatter is just between the ACS and the wireless client and the WLC acts as the middle man.
    So the wireless client connects. The ACS server sends the cert (the one you added) to the wireless client. The wireless client has 2 configurable options. 1) Validate the certificate 2) Not validate the certificate. If you validate the certificate then that cert needs to be on the client, because the client is going to look at the cert presented by the ACS server and see if it has it in its root store, thus validating it. Or you can not validate it. If you don't validate it, it's a BIG security boo boo.
    Make sense?

  • ISE, WLC: web auth, blocking user account

    Hello!
    We are implementing BYOD concept with ISE (1.1.4) and WLC 5508 (7.4.100).
    On WLC there is SSID(WLAN) with MAC filtering without L2 security. For authentication user is redirected to the ISE Guest Portal.
    Credentials are created at the ISE sponsor portal.
    We create user account in ISE sponsor portal with one hour lease.
    In 10 minutes we delete (or block)  user credentials.
    In spite of it the user is still able to work. Even if we manually disconnect client and reconnect it again, client opens the browser and there is no redirection to the ISE web auth page.
    This happens because WLC thinks, that client is still associated.
    There are session and idle timeout timers in WLC WLAN, but they can't solve the problem of automatic client session removing.
    From my point of view, ISE must send some kind of reauth request to the user after account deletion, to make user authentication impossible.
    In practice, ISE doesn't tell the WLC or the user that the client session is blocked.
    How the user account blocking process can be automated without manually deleting the client session from WLC client database?

    It seems that there is some bug about CoA when deleting Guest accounts
    CSCuc82135
    Guests need to be removed from the network on Suspend/Delete/Expiration
    When a guest user is deleted from the system, the RADIUS sessions   associated with that guest user still exists.
    Workaround   Reissue the Change of Authorization using the   session information from Monitoring reports for the sessions associated with   that guest user.
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp411891
    from BUG Toolkit there is Release-Pending in "Fixed-in" option.

  • WLC in a DMZ for guest access

    I have one internal 4400 and one in a DMZ. I want to configure the DMZ WLC to provide Guest Internet access. I am unable to find much information on doing this. I have a WLAN called Guest defined on both controllers. And both controllers are defined as mobility anchors. What I don't understand is how to configure the interfaces. Do both interfaces for the WLAN Guest need to be in the same VLAN and subnet? Example:
    On the internal WLC, WLAN Guest is tied to an interface named Guest with an IP address of 172.26.254.5/24. What does the interface need to look like on the DMZ WLC?

    This should get you on the right track:
    http://www.cisco.com/en/US/products/ps6366/prod_technical_reference09186a0080706f5f.html
    Brad

  • 802.1x WLANs authenticated via Radius and Active Directory permit any user access any WLAN

    Hi,
    I have configured several WLANs with WPA2 and 802.1x which authenticate users through a Radius server (Windows Internet Authentication Service) that connects with an Active Directory. In the AD there is one user group for each WLAN, but the problem is that any user that was added to some group can get access to any WLAN. Does anybody know if I need some configuration on the WLC to restrict that?
    thanks for your help.

    Hi Scott,
    I have done some tests modifying the Radius policy to look at the Called-Station-ID and also tests looking at the NAS-ID. In the first case, I changed the Call Station ID Type in the WLC RADIUS Authentication Servers configuration to AP MAC Address:SSID and AP Name:SSID and in the Radius server used .*:SSID-NAME$ and SSID-NAME$, but it blocks access for any user. In the second case, I changed the NAS-ID in the WLC WLAN and interface configuration and in the Radius server policy to match all, but it doesn't have any impact. What other test could I try?
    thanks for your help. 

  • Using AD to authenticate BYOD users on Guest WLAN

    First off, I have several WLANs -- one is a "Guest" that is anchored to our corporate WiSMv1 running 7.0.240.0 code.  We have many 5508s running 8.0.100.0 -- the "guest" is tunneled back to the core WiSMv1.   Right now, the Guest splashes a web page that a user just has to click through to get on the Guest WLAN.  I currently have a production WLAN set up to use 802.1x and pass credentials through Win 2012R2 NPS (Radius) so that our employees can log on using their AD credentials.
    We are looking to avoid the complexity and cost of ISE.   We want to build a basic self-subscription process.  I'd like to set up a separate "test" Guest network that will splash a web page that will basically have 2 sections -- the top section will display a phone number for the user to call.  Basically the system will generate a random ID/PW which will be spoken or sent in a text message to the caller.  Behind the scene, we will load these credentials into an AD OU.   The bottom of this web page will be the fields for the user to enter the ID / PW which in turn will be validated to the AD. 
    I can't mess with the current Guest "anchored" in the corporate WiSM.   We already have a custom web page and it appears you can only have one.  So I was thinking of setting it up at one of the remote 5508 sites....  I can download a custom web page there and I believe I can still use the "management" interface to grab IPs out of the Guest Subnet that resides in our HQ.  
    My uncertainty revolves around the WLC / WLAN setup to use AD (via Radius if necessary) to validate the user -- and since it is BYOD, I have no idea what the client device will be and do not want the user to be required to do any setup.
    I have gone through a lot of docs --- many talk about ISE.  Others are really old -- and of course there is difference between WLC web pages simply due to the 8.0 code on the 5508s!
    I am hoping this is a fairly straight forward setup.  
    TIA - Perry

    Hi,
    Your first 3 paragraphs say that you want to modify the Guest page only. But after that you talk about BYOD. BYOD involves device registration, supplicant provisioning etc. and is for an entirely different use. If you think you are asking about that, please go through this Tech-Talk by me to understand BYOD (video as well as a brief note) along with a PPT having all the required configuration on the WLC side, AD side, CA server and ISE side.
    "We want to build a basic self-subscription process.  I'd like to set up a separate "test" Guest network that will splash a web page that will basically have 2 sections -- the top section will display a phone number for the user to call.  Basically the system will generate a random ID/PW which will be spoken or sent in a text message to the caller. "
    If the requirement is the above, i.e. display a phone number which the user would call to get credentials, it can be done by simply modifying the HTML web page to show that number and loading it into the WLC, or else hosting that page on some external server. In fact, you can modify the internal web page of the WLC via Security > Web-authentication and write a header and message to be displayed on the web page which the WLC displays, which can have your mobile number to call. Once credentials are submitted, the WLC can do RADIUS authentication.
    Also 8.0 simply brings the Redirection over HTTPS feature into the WLC and there is no change in anything else, i.e. the concept by which web-authentication works.
    Regards
    Dhiresh
