Adding a secure WLAN - WISM and WCS
I have a setup including a WISM and WCS which currently only runs a guest service using webauth to get online. The service (by request) is not secured over the air. I would like to implement a second SSID with security but before going the whole way with 802.1x I wanted to implement a half way house. Service will still only be a guest service but I want the air traffic secured.
So I guess my options are WEP (forget it) or WPA/WPA2.
My question is do I have to run this service with a shared secret that I then need to inform all users of in order for them to be able to connect to the service or is there a way to implement a WPA service that uses some kind of credential check against the already configured RADIUS (ACS) servers?
And if this is possible I assume there is no longer need for a webauth as this just seems to duplicate the login process.
Thanks for any pointers in advance
Paul
The best thing you can do is start with the Configuration Guides. If you don't have a test environment and have SMARTNET on the WiSMs/WCS, utilize TAC to help you get up and going. I would also suggest utilizing a Cisco Partner to help with the initial implementation as well.
I would recommend upgrading your WiSMs and WCS to the latest versions and making sure configurations are the same across modules. I upgraded our WiSMs from 4.x to 7.0.98.0 and WCS to 7.x. Ran into a bug here and there but that is expected. Just make sure the wireless devices support those versions. If you are unsure, you can always work towards the AssureWave tested code. WCS 7.x should be backwards compatible (check the release notes just to verify). The Design Zone and Release Notes are your friend too.
-Rick
Similar Messages
-
802.11 n support in Wism and WCS
Is the new wireless standard 802.11n supported in current shipments of Cisco WLC 44XX and WiSM (6500 wireless controller card)?
Also I need to know whether it is supported in WCS 4.1?
Hi Nalaka,
Yes, 802.11n is supported on the WISM and WCS starting with the following releases in the 4.2 train:
Release Notes for Cisco Wireless LAN Controllers and Lightweight Access Points for Release 4.2.61.0
http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn4200.html#wp302677
The following new features are available in WCS 4.2.62.0
802.11n support-The introduction of the Cisco Aironet 1250 series access point, a business-class access point based on the IEEE 802.11n draft 2.0 standard. The access point offers combined data rates of up to 600 Mbps to meet bandwidth requirements. Cisco WCS display screens include a listing for configuring, managing, and monitoring 802.11n access points and their associated wireless LAN controllers.
The newest WLC and WCS 5.0 trains are now released as well :)
Hope this helps!
Rob -
How to create guest access in wireless by WISM and WCS and ACS?
Dear sir,
I need to know the steps of how we can make guest access to our network like hotels by using our WISM v 7.0.220 and wireless control system and ACS?
You need to define your requirements a little bit. The WLC can do WebAuth and an employee can access either the WLC or WCS to put in the username and password credentials, but you would need to figure out what's best for you.
Here is a support doc that you can reference.
https://supportforums.cisco.com/docs/DOC-13954
Sent from Cisco Technical Support iPhone App -
1. WiSM code 4.1.171. When a user logs in using a wrong password and fails, WiSM still counts it as a login session. So when the same user tries to log in from another computer, he may get the error about too many login sessions. I think if the login fails, the WiSM should not count it as a login session.
2. Just upgraded to WCS 4.1.83 on Windows 2003 server. Once logged out from the console, the WCS stops. Has anyone seen this problem?
Zhenning
RE #2. In case you haven't figured this one out yet, it's a bug. Seems WCS gets started as an app instead of a service regardless of config. You'll sometimes notice when you exit the console (or term svc console) that you briefly see a black DOS box screen & then it closes. Then WCS is no longer running. Fixed in later versions supposedly.
-
1230 Series LAP and WCS 6.0.199.0 Heatmap Problem
I recently upgraded from WLC 4.2.207.0 to 6.0.199.0 (WiSM), and WCS 5.2.130.0 to 6.0.196.0. All my heatmaps that contain 1231G LAPs are solid "maroon" (-35 dBm) in color. If I remove the 1231 APs from the heatmap selection on the right hand side, my coexisting 1131 and 1142's display their heatmaps properly. My maps are all CAD format (dwg) converted to .png's using WCS. My goal is to migrate to 802.11n in small steps which our Cisco rep said we could do. Any ideas?
Unfortunately, this is a bug in 6.0.199.0. The "fix" is to upgrade to 7.0.98.0 or 6.0.199.4. As you figured out, it only affects 1230 series APs, and only on the 802.11b/g side. Bug ID was CSCti05687: Incorrect power unit was used on AIR-AP1231G-A-K9 and IR-AP1220-IOS-UPGRD. -
After adding 2nd WiSM and failing over AP's some apps don't work
We have a dual core made up of 2 6513's. In 6513#1 we have WiSM#1 which we have had for some time now. We have added a 2nd WiSM in 6513#2 for redundancy purposes; also we are going to be re-configuring the WiSM in 6513#1 to more closely match that of the new WiSM in 6513#2. We have installed the new WiSM and failed over the AP's from 6513#1 so we can re-configure its WiSM. The failover went great with no issues, with the exception that a web application or two didn't function from wireless clients and users were having issues getting to some mapped drives. The only difference between the new WiSM config and the old WiSM is that on the old WiSM the AP's were in the same VLAN as the controller management interfaces. Now with the new WiSM, its configuration has the controllers' AP mgt interface IP addresses in a different VLAN from the AP's; we are doing this based on Cisco best practices. If we revert the AP's back to the original WiSM/controllers, where they are on the same VLAN/subnet, the applications and shares that were having issues the other way work. We have placed a call with Cisco TAC and they say our configs look good, and we even sent them some packet captures and they said everything looks normal. The wireless clients can ping and resolve the server hosting the application database just fine.
Thanks
We did create the mobility groups, and we are using DHCP opt 43. The AP's find the 2nd WiSM#2 just fine and associate to the controllers and all the WLAN's work just fine. The only issue is that after the AP's are on the new WiSM and controllers there is an application or 2 that is having trouble locating its database server and that some shares are not working. Again the only difference in this new setup is that now the AP's are on a different subnet/VLAN from the controller mgt addresses, whereas before they were in the same subnet/VLAN and the application and shares worked fine. It's almost like it is a bit of a routing issue?
Thanks -
I just bought a new iPhone and added 25$ to my iTunes and it won't let me buy anything bc it says I have to type in my security questions answers but I don't remember them. What do I do? Please help me, I don't want my 25$ to go to waste.
Click here and search the article for '2 out of 3' without the quotes; this generally involves either a message being sent to your rescue email address or contacting the iTunes Store staff directly.
(74403) -
Installed Java update three days ago. Now, can't play yahoo games as it's now blocked by security settings. Already have tried moving Java security to Medium and adding yahoo.games.com (including web address of game) as a "Permissive exception". Also tried removing java and installing older version. Still nothing. Really Apple?!? What's your beef with yahoo games?
csnorth,
all of the older update versions of Java SE 7 can be found here. If 7u45 also didn’t work with your Yahoo! games, you can choose from any of the even older versions there as well. -
What about if you have added a rescue email address and verified it and the "I forgot my security questions" still doesn't show up and I don't know the answers!? What do I do then, because I don't want to phone up!? Please help!
If you have just added an address to your account then it will be an alternate email address - a rescue email address can only be added by answering 2 of your questions. You will need to contact iTunes Support or Apple to get the questions reset.
e.g. you can try contacting iTunes Support : http://www.apple.com/support/itunes/contact/ - click on Contact iTunes Store Support on the right-hand side of the page, then Account Management , and then 'Forgotten Apple ID security questions'
or try ringing Apple in your country and ask to talk to the Accounts Security Team : http://support.apple.com/kb/HE57
When they've been reset you can then use the steps half-way down the page that you posted from to add a rescue email address for potential future use, or you could change to 2-step verification : http://support.apple.com/kb/HT5570 -
I just added money to my account and i haven't bought apps in a long time and i forgot the answers to the security questions. How do i reset them?
Alternatives for Help Resetting Security Questions and/or Rescue Mail
1. If you have a valid rescue email address, then use this procedure: Rescue email address and how to reset Apple ID security questions.
2. Fill out and submit this form. Select the topic, Account Security. You must have a Rescue Email to use this option.
3. This is the only option if you do not already have a valid Rescue Email. These are telephone numbers for contacting Apple Support in your country. Apple ID- Contacting Apple for help with Apple ID account security. Select the appropriate country and call. Ask to speak to the Account Security Team.
4. Account security issues almost always require you to speak directly to an Apple representative to securely establish your identity as the account holder. You can set it up so that Apple calls you, either immediately or at a time convenient to you.
   1. Go to www.apple.com/support.
   2. Choose Contact Support and click Contact Us.
   3. Choose Other Apple ID Topics and choose the appropriate topic for your issue.
   4. Follow the onscreen instructions.
Note: If you have already forgotten your security questions, then you cannot set up a rescue email address in order to reset them. You must set up the rescue email address beforehand.
Your Apple ID: Manage My Apple ID.
Apple ID- All about Apple ID security questions. -
Revision: 1433
Author: [email protected]
Date: 2008-04-28 13:13:12 -0700 (Mon, 28 Apr 2008)
Log Message:
adding 'console' security constraint to MBeanServerGateway remote object for MBean tests and ds-console, used when running on Websphere with administrative security enabled. Should call setCredentials("bob","bob1") to use this RO.
Modified Paths:
blazeds/branches/3.0.x/qa/apps/qa-regress/WEB-INF/flex/remoting-config.mods.xml
blazeds/branches/3.0.x/qa/apps/qa-regress/WEB-INF/flex/services-config.mods.xml
Hi,
It seems that you were using Hyper-V Remote Management Configuration Utility from the link
http://code.msdn.microsoft.com/HVRemote, if so, you can refer to the following link.
Configure Hyper-V Remote Management in seconds
http://blogs.technet.com/jhoward/archive/2008/11/14/configure-hyper-v-remote-management-in-seconds.aspx
By the way, if you want to perform further research about Hyper-V Remote Management Configuration Utility, it is recommended that you get further support in the corresponding community so that you can get the most qualified pool of respondents. Thanks for your understanding.
For your convenience, I have listed the related link as follows.
Discussions for Hyper-V Remote Management Configuration Utility
http://code.msdn.microsoft.com/HVRemote/Thread/List.aspx
Best Regards,
Vincent Hu -
Can't get secure wlan to work with new guest wlan
Dear Support,
I'm having a nightmare! where I can seem to get either one wlan to work or the other but not both together.
I posted previously and reconfigured as per the suggestion, however the problem I get is that the secure wlan client associates, then de-associates after roughly 30 seconds with both a guest (no security) and secure (eap using ms ias as radius server)
my previous post is;
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Security%20and%20Network%20Management&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddcfe12
and the log shows the following, obviously the client is set to connect automatically.
*Mar 1 00:04:35.105: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:04:51.391: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 000e.35f8.5d13 Associated KEY_MGMT[NONE]
*Mar 1 00:04:51.506: %DOT11-4-MAXRETRIES: Packet to client 000e.35f8.5d13 reached max retries, removing the client
*Mar 1 00:04:51.506: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 000e.35f8.5d13 Reason: Previous authentication no longer valid
*Mar 1 00:05:15.176: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:05:32.703: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.cefd.48ca Reason: Sending station has left the BSS
*Mar 1 00:05:58.780: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:06:16.141: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.cefd.48ca Reason: Sending station has left the BSS
*Mar 1 00:06:40.759: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:06:58.145: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.cefd.48ca Reason: Sending station has left the BSS
*Mar 1 00:07:00.560: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:07:18.020: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.cefd.48ca Reason: Sending station has left the BSS
*Mar 1 00:07:43.902: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:08:01.254: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.cefd.48ca Reason: Sending station has left the BSS
*Mar 1 00:08:16.172: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:08:16.737: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.cefd.48ca Reason: Sending station has left the BSS
*Mar 1 00:08:37.397: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 0013.cefd.48ca Associated KEY_MGMT[NONE]
*Mar 1 00:08:54.732: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.cefd.48ca Reason: Sending station has left the BSS
*Mar 1 00:08:57.193: %DOT11-4-MAXRETRIES: Packet to client 0013.cefd.48ca reached max retries, removing the client
Thanks in advance for your assistance.
Any prompt reply will be gratefully received. I also rate responses.
Thanks again, regards, Adrian
Hi Ben,
Please find attached AP config, I can access the switch at the moment, but the config is fairly basic, trunk port with two vlans and vlan 1 as the native.
here's the ap config.
AP-CDC#2#sh startup-config
Using 2989 out of 32768 bytes
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname AP-CDC#2
enable secret 5 $1$LQ1O$NKYZoYAeiahKw0805kLHg0
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
ip subnet-zero
ip domain name wlan.internal
aaa new-model
aaa group server radius rad_eap
 server 10.10.10.2 auth-port 1645 acct-port 1646
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 vlan-name dmz vlan 2
dot11 ssid Secure
 vlan 1
 authentication open eap eap_methods
 authentication network-eap eap_methods
dot11 ssid Guest
 vlan 2
 authentication open
 guest-mode
username Cisco password 7 062506324F41
bridge irb
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption vlan 1 mode wep mandatory
 ssid Secure
 ssid Guest
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 no preamble-short
 channel 2412
 station-role root
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 hold-queue 160 in
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
interface BVI1
 ip address 10.10.10.49 255.255.255.0
 no ip route-cache
ip default-gateway 10.10.10.253
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.10.10.2 auth-port 1645 acct-port 1646 key 7 xyz
radius-server vsa send accounting
control-plane
bridge 1 route ip
line con 0
line vty 0 4
end
AP-CDC#2#
Thanks again, regards, Adrian -
How do i copy text added to a protected pdf and save in word.
how do I copy text added to a protected pdf and save in word?
More details would be helpful. What security restrictions are there, exactly? Do you know the password? Do you want to copy all of the text in a document, or just some?
-
Security attributes, qfp and un-authenticated users
Hi,
I have some observations regarding security attributes, query filter plugins and un-authenticated users that I would like your comments on.
I am developing a custom crawler, and will be using OID for authentication. Not all users will be authenticated (hence they should only have access to content considered public). Authorization is done by the document source (using the option "ACLs controlled by the source").
I am quite sure that I have read somewhere that not adding a security attribute for a certain document leads to the document being treated as public.
Observations:
A) Query filter plugins will only be called for authenticated users
B) At crawl-time, not adding a defined security attribute leads to the document not being indexed
Observation B means that my security attribute has to be added for every document (for the public documents populated with a value representing public access). Observation A means that the query filter will not be invoked for un-authenticated users (hence, they won't see any of the indexed documents, since all have security attributes).
Question:
How should I ensure that the documents considered public are available for unauthenticated users?
Regards,
Rune
Hi all,
I seem to have had inaccurate logging, so my assumption A is false.
Then I have a simple workaround (add a special security attribute value for public documents), and you can forget about my question.
regards,
Rune -
I just received my new iPad, and I've been buying songs and apps with no problems until iTunes asked me my security questions... I totally forgot the answers! I've already reset my password, and that didn't help. I also tried adding a new email address and that didn't help either. Can anyone help?
If you have a rescue email address (which is not the same thing as an alternate email address) set up on your account then you can try going to https://appleid.apple.com/ and click 'Manage your Apple ID' on the right-hand side of that page and log into your account. Then click on 'Password and Security' on the left-hand side of that page and on the right-hand side you might see an option to send security question reset info to your rescue email address.
If you don't have a rescue email address then see if the instructions on this user tip helps : https://discussions.apple.com/docs/DOC-4551