Aironet 350 AP's with Funk's Steel Belted Radius Server

I have heard that the Aironet AP's don't play nice with Funk's Steel Belted Radius Server. Has anyone had any experience with these products? Anything you have heard about this problem would be good to know. I have a customer that already has Funk's Software and doesn't want to change if he doesn't have to. Thanks, David Beaver

I have used FUNK's beta code with LEAP support with no problems. The only issue we had and still do, is that we can't use the RADIUS server to authenticate against an LDAP server. I believe that they are working on that also.

Similar Messages

  • Nexus 5K and 7K RADIUS Authorization with Steel Belted RADIUS

    I am attempting to provide very basic authorization via Steel Belted RADIUS for a Nexus deployment.
    Here is the code from the Nexus:
    radius-server host [server]  key [key]
    radius-server host [server]  key [key]
    ip radius source-interface mgmt0
    aaa group server radius GEN_AAA
        server [server]
        server [server]
        use-vrf management
        source-interface mgmt0
    aaa authentication login default group GEN_AAA
    aaa authentication login console group GEN_AAA
    aaa accounting default group GEN_AAA
    aaa authentication login error-enable
    On the Steel Belted RADIUS server the client is setup as a basic IOS 11.1 or later (Nexus is not an option).  The group setup for the relevant user group has a return code of:
    shell:roles*"network-admin"
    shell:priv-lvl=15
    When I authenticate from a Catalyst 6509 with IOS 12.2 the authorization based on the shell:priv-lvl works fine.  Only those users in the 'special' group have admin (lvl 15) access.
    With the Nexus gear I authenticate fine but the RADIUS user is always put in the network-operator role (default) regardless of the 'special' group shell:roles*"network-admin" return code defined.
    In other words it seems to work fine for IOS devices (Catalyst 6500 and 3750E so far) but not at all for Nexus gear.  Unfortunately I am not in a position to suggest and implement ACS or another AAA server that supports TACACS.
    Is there any way to pull this off with SBR?
    Any help is much appreciated.

    Hello Nusrat,
    I appreciate the pointer.  If I was using TACACS for AAA, authorization sets would be a consideration.  However, authorization is not permitted when using RADIUS for AAA on the Nexus platform.
    In any case I was able to resolve the issue with the assistance of the customer and their support contact at Juniper.  For the VSA feature to begin working a change to the INI file and a restart of the SBR services was required.  Placing the desired group of users in the network-admin group is functioning as desired.
    NOTE:
    In addition to the configuration in the original post the following should be added to stop any 'standard' users defined on the SBR server from logging in with network-operator privileges:
    no aaa user default-role
    If no role is provided from the RADIUS server via the Cisco-AVPAIR VSA (ex. Cisco-AVPAIR = shell:roles*network-admin) by default a Nexus box places the user in the network-operator role.  This role has complete read access on the system allowing, among other things, a read view of the configuration.  The above command stops any role mapping resulting in non-configured users / groups on the RADIUS box not being able to log in period.
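
When a Nexus keeps dropping users into network-operator, the first thing to confirm is what the Access-Accept really carries. The added example below (not from the original posts, Cisco or Juniper) decodes Cisco-AVPair VSAs from a constructed packet and models the role fallback described in the reply above; the function names and the sample packet are assumptions.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type for vendor-specific data (RFC 2865)
CISCO_VENDOR_ID = 9    # Cisco's IANA enterprise number
CISCO_AVPAIR = 1       # Cisco vendor sub-type that carries the AV-pair strings
ACCESS_ACCEPT = 2


def cisco_avpair(text):
    """Encode one Cisco-AVPair string as a Vendor-Specific attribute."""
    data = text.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def access_accept(avpairs, identifier=1):
    """Build a constructed Access-Accept; the 16-byte authenticator is a dummy."""
    attrs = b"".join(cisco_avpair(p) for p in avpairs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    return header + bytes(16) + attrs


def parse_cisco_avpairs(packet):
    """Return every Cisco-AVPair string found in a RADIUS packet.

    Only attributes are decoded; the response authenticator is not verified.
    """
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pairs, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        (vendor,) = struct.unpack("!I", value[:4])
        sub = value[4:]
        # Walk the sub-attributes of Cisco VSAs only.
        while vendor == CISCO_VENDOR_ID and len(sub) >= 2:
            stype, slen = sub[0], sub[1]
            if slen < 2 or slen > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            if stype == CISCO_AVPAIR:
                pairs.append(sub[2:slen].decode("ascii", "replace"))
            sub = sub[slen:]
    return pairs


def assigned_roles(avpairs, default_role=True):
    """Model of the behaviour described in the post, not NX-OS code.

    Roles come from shell:roles ('=' or '*' separator). With none present the
    user gets network-operator, unless 'no aaa user default-role' is set
    (default_role=False), in which case the login is refused (None).
    """
    roles = []
    for pair in avpairs:
        for sep in ("=", "*"):
            prefix = "shell:roles" + sep
            if pair.startswith(prefix):
                roles += pair[len(prefix):].strip('"').split()
    if roles:
        return roles
    return ["network-operator"] if default_role else None


if __name__ == "__main__":
    # Constructed reply mirroring the return list configured in the post.
    reply = access_accept(['shell:roles*"network-admin"', "shell:priv-lvl=15"])
    print(assigned_roles(parse_cisco_avpairs(reply)))
    # An IOS-style reply with only priv-lvl falls through to the default role.
    print(assigned_roles(["shell:priv-lvl=15"]))
    print(assigned_roles(["shell:priv-lvl=15"], default_role=False))
```

Feeding it the attribute bytes from a packet capture of the real Access-Accept shows whether the server is sending the VSA at all, which was the actual fault in this thread.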

  • Import Steel Belted Radius users to ACS

    Is there a method to import SBR (local) users into ACS?  Perhaps via some intermediate tool?  The SBR exports will contain one-way-hashed passwords, so the question is really whether there is any method to import ACS users with these?

    Hi Tarik
    That's very helpful, but one problem is that the authenticating devices are specialised hardware on which the users cannot change their passwords - it has to be done by local administration staff who have the necessary tools.  So the question is whether there is any mechanism to use an exported file from Steel Belted Radius, including hashed passwords, which can be imported into ACS?
    The passwords are stored directly in the SBR server.  I've just had a look at what it's capable of exporting, and it seems I can get the data out in XML format, which I can then manipulate, of course.  However, the issue is that the passwords are not exported in plain text.  If the password is stored as a hash on the SBR server, you get an MD5 hash in the XML file.  If it is stored in "plain text" in the SBR server then the XML export shows the password in encrypted form. 

  • Cisco ISE with both internal and External RADIUS Server

    Hi
    I have ISE 1.2. I configured it as management, monitor and PSN, and it works fine.
    I would like to know if I can integrate an external RADIUS server and work with both the internal and external RADIUS servers simultaneously.
    So some computers (groupe_A in Active Directory) will continue to do RADIUS authentication on the ISE internal RADIUS and other computers (groupe_B in Active Directory) will do RADIUS authentication on an external RADIUS server.
    I would like to know if it is possible to configure this and how I can do it.
    Thanks in advance for your help
    Regards
    Blaise

    Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. Cisco ISE accepts the results of the requests and returns them to the NAS.
    Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. The External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description, or both. In both simple and rule-based authentication policies, you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
    The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.

  • Cisco wlc and steel belted radius

    We have a Cisco WLC controller that has two SSIDs, one for users and one for guests.
    We need the users in SSID 1 to take their user name and password from a user group in Active Directory through Steel Belted Radius.
    Please send me any integration guide between Cisco WLC and Steel Belted Radius.
    Regards

    Hi Mohammad,
    I am unaware of a specific Steel Belted RADIUS integration guide for the WLCs, however the configuration process on the controller will be the same:
    Cisco WLC Configuration Guide 7.0 - Configuring RADIUS:
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70sol.html#wp1388328
    You may wish to contact your RADIUS vendor for additional configuration steps on the server.
    Best,
    Drew

  • Problems with re authentications in a wireless with WLC working with web authentication and a radius server

    Hi everyone, I'm having problems in a wireless network. The SSID has layer 2 security WPA, layer 3 web authentication (internal default page), and external RADIUS.
    When a client roams from one AP to another or when it has been idle for a time, it needs to re-authenticate in the web login page. Does anybody know a solution to avoid this behavior? Or does somebody have a troubleshooting method to determine why the clients have these problems?

    A few things I can share that might help. Your actual feet on the ground will be important to see this issue for yourself.
    I know when a client or the AP sends a DEAUTH frame the client will need to reestablish its connection and it will 100% of the time require a new web auth. If a client loses connection while roaming and a DEAUTH is sent on either side you will get the page. If your client isn't roaming cleanly this can be a problem.
    Another problem is you're using EAP. Are you using CCK or a device that supports OKC? What does your RADIUS server say when a client roams?
    You could also simplify your config and then reapply your security and see where it breaks. By this I mean: for testing, create an SSID, turn off security and leave layer 3 web auth on. Roam and see what happens. If it works, then start to apply the security and see where it breaks.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Aironet 350 Access Point needs security

    I have been asked to help a fledgling school lock down their wireless network.  The network is currently set up as 3 Aironet 350 Access Points operating on the same subnet, distributed around the school.
    These have NOT been updated or touched since the day they were installed, by all accounts.  I think they are running VxWorks.  My issue is that most support links that might prove helpful seem to be broken.
    A few simple questions:
    Can the Aironet 350 be secured and then used with a simple shared key?  This link seems to say no, that you must have Cisco software on the user computer as well.  That certainly can't be right, can it?
    I'm clearly out of my comfort zone with these, but they just don't have anyone to do this for them.  It looks like they need to be flashed to IOS and are then able to use WPA but not WPA2?  I'm having trouble finding a firmware link for the 350 as well because it's EOL.
    Basically, any help or information is welcome!  I'm ready to just pull the plug on them and call them secure!

    350 APs (not bridges) can be converted to IOS.  Then they can do WPA-PSK TKIP.  Downside is they only have 802.11b radios.  The latest IOS they can run is old but could probably be setup with WDS using an internal RADIUS server on one.
    The upgrade tool and image are still available for download.  I'm attaching a .pdf of instructions.
    You need these files:
    Aironet-AP-Cisco-IOS-Conversion-Tool-v2.1.exe
    AP350-Cisco-IOS-Upgrade-Image-v2.img

  • Server 2008 R2 RADIUS Server with a Cisco Aironet 1040 Wireless AP

    I am trying to get Server 2008 R2 RADIUS Server to work with a Cisco Aironet 1040 Wireless AP. I have installed the RADIUS server by MS standards and performed some searches on Google to configure the Cisco Aironet. I see others using a Wireless LAN Controller, which I do not have. I found this post below:
    https://supportforums.cisco.com/discussion/11546056/wlc-2504-radius-2008-r2-server
    But I have yet to locate a good step-by-step document on how to set it up. I have found so many different ways that others have set it up, but none have yet worked. I am having authentication issues that I know of, I do not see any errors in the Windows Event Viewer, and I do not know where the Access Point stores its logs for any sort of error. Keep in mind this is the first time I am doing this. I do not have a Wireless LAN Controller, and all my network / domain services are on individually built servers and not on one single server. Most of the documentation I have seen says the same thing: put the Certificate Services, Domain Services (AD / ADS, etc.), and NPS on one server. I do not want that configuration, and my setup should not be any different, but something is not right. I know from reading that this is not rocket science, but for someone who has never done it before this is difficult, as I keep reading on and so many people do it different ways, including what Cisco says to configure in the environment. Does anyone know where I can find good step-by-step documentation, along with where I can look for logs on either device? I find that all the documentation I see on Cisco's website and from searching is old, outdated and has not been updated in a long time, so it is hard to determine what works and what does not. I am stumped here and have been doing this for several weeks now with no luck. Thank you in advance.

    I did configure the Server 2008 R2 RADIUS Server using this video below: 
    https://www.youtube.com/watch?v=g-0MM_tK-Tk
    I also referenced Technet to make sure it was configured correctly as well. I am still not sure if I am 100% setup correctly on the Windows Server side, but I for sure want to make sure I have the AP side setup correctly. Do you know of a better article for the Windows Server 2008 R2 setup? Does it matter that I do not have all the services installed on the same server? Instead I have them installed on multiple servers.
    I have image number c1140-k9w7-tar.124.25d.JA1 on the AP. The part that confused me in that article, which I have seen before, was the part about "Setting up access point must be configured in the authentication server as an AAA client." What is the AAA Client? I also am not aware of having Cisco Secure ACS anywhere built into the AP, as that part threw me off completely. Do I need to skip these steps? Thank you for help on this.

  • WRT54G with RADIUS Server

    Anyone tried WRT54G connected to RADIUS server for wireless authentication? Can anyone tell me how to go through this? I'm currently using Funk Steel Belted Radius.

    Access the router ui by http://192.168.1.1 .. logon by entering the password .. go to the "wireless" tab and click on "wireless security" tab....for the security mode , select RADIUS...Enter the ip address of the radius server , the port and the shared key used by the radius server....then set the wep settings...nothing else....

  • Aironet 350 with pismo antenna?

    Hi people. I recently bought a Cisco Aironet 350 PC Card wireless adapter for my pbg3 500. It works; I use OS X 10.3.5. The problem is it doesn't reach very far. Last week a friend of mine came with his MacBook and he had full signal at places where I could not even connect.
    Doing some research I found that, after removing the fat sticker placed on the part of the card that remains outside the PowerBook, there are 2 antennas and a jack for an external one. So I thought I could use the one built into the display that is meant for AirPort cards. The problem is they cannot be connected directly (the cable doesn't reach and the connectors are different anyway). To make things worse, the PowerBook cable doesn't even have the connector, just the wire. I tried making a bridge between this cable and the Cisco jack (using a 15 cm cable) but it doesn't improve the signal, so I think I'm doing something wrong, or the Pismo antenna is no better than what's built into the Cisco card. Maybe someone here has some experience using a non-AirPort card with the AirPort antenna.
    Thanks in advance for your help.
    Pepo

    Thanks Brent. I have a spare iBook display that I can use for testing the antenna. The problem is I don't want to burn the PC Card amplifier. I don't know how the antenna works, or if there is already an amplifier in the display, so if I connect the output of the card to the AirPort antenna, I may burn the card. If I touch the antenna lead it has power, as well as the PC Card, so I don't think they can be connected together.
    Another doubt I have is how the antenna actually works. If I check the jack with a tester, I can see that the shield and the conductor of the wire aren't isolated from each other, so how do you wire them to the card when they are bridged already?
    Sorry, I hope I explained myself a bit at least; my English is not good enough, I think, for this kind of thing.
    Thanks again.
    Pepo

  • Aironet 350 Wireless Bridge Problem

    I have inherited a wireless link between two buildings that used a pair of Aironet 350 wireless bridges.  I say used because one took a lightning strike and is fried.  I need to see the configuration on the remaining bridge to set up the new bridge but no one knows the user name or password to access the remaining functioning 350.  How do I reset this old buzzard?  I have tried all the instructions I have found on this site and others.  There is no reset button.  I found this out by disassembling another Aironet 350 we had which has also taken a strike.  I cannot set up the new 1300 without knowing the config of what it will be talking to.  I have been able to connect to the 350 with a serial cable and I can see some of the information.  But the only thing I get is the IP address for fe0.  I have attached the file I captured to this post.  Any help will be appreciated.  Thanks.

    If you know the IP of the 350, put a laptop on the same subnet and use a crossover cable to web to its GUI.  VxWorks CLI sucks!
    If you can get hold of a pair of 1231 APs, they can be configured to run in bridge mode and use the same antennas as the 350s.  Benefits are IOS and G radios. 

  • Aironet 350~~ Help Factory Settings must be RESTORED

    Hello,
    I am the proud and happy new owner of the Cisco Aironet 350 wireless access point. Now the issue: it was acquired by the company's buyout of another one, so needless to say when I got it there were no usernames/passwords included. Just the cable/power supply and the wireless access point itself. Has anyone here ever worked with this unit before and, if you have, do you know how to reset it to the factory defaults?

    Hi Joshua,
    Here is the method to do a factory reset;
    Reset the AP 350 That Runs Cisco IOS Software
    Complete the steps in this section in order to reset an AP 350 that runs Cisco IOS Software.
    Note: Cisco IOS Software-based APs have a default configuration that includes a username and password combination. Both the username and password are "Cisco", which is case-sensitive. After you reset to factory defaults, be prepared to give "Cisco" as both the username and password when you are prompted by either the GUI or the CLI.
    The AP350 does not have a MODE button to reset the AP to factory defaults. So, if neither the GUI or CLI is available with sufficient privileges in the AP350, complete these steps to delete the current configuration and return all access point settings to the factory defaults using the CLI.
    Reboot the access point by removing power and reapplying power. Let the access point boot until the command prompt appears and the access point begins to inflate the image. When you see these lines on the CLI, press ESC:
    Loading "flash:/" ...###########################################################################
    ################################################################################
    ################################################################################
    ####################
    Once you press ESC, this information is displayed on the CLI screen:
    Xmodem file system is available.
    flashfs[0]: filesystem check interrupted!
    The system has been interrupted, or encountered an error
    during initialization of the flash filesystem. The following
    commands will initialize the flash filesystem, and finish
    loading the operating system software:
    flash_init
    ether_init
    tftp_init
    boot
    ap:
    At the ap: prompt, issue the flash_init command.
    ap: flash_init
    Initializing Flash...
    flashfs[0]: 142 files, 6 directories
    flashfs[0]: 0 orphaned files, 0 orphaned directories
    flashfs[0]: Total bytes: 7612416
    flashfs[0]: Bytes used: 3407360
    flashfs[0]: Bytes available: 4205056
    flashfs[0]: flashfs fsck took 0 seconds.
    ...done initializing Flash.
    Issue the dir flash: command in order to view the contents of Flash, and find the config.txt configuration file.
    ap: dir flash:
    Directory of flash:/
    3 -rwx 223 env_vars
    4 -rwx 2190 config.txt
    5 -rwx 27 private-config
    150 drwx 320 c350-k9w7-mx.122-13.JA
    4207616 bytes available (3404800 bytes used)
    Rename the config.txt file to config.old.
    ap: rename flash:config.txt flash:config.old
    Issue the reset command in order to reboot the 350.
    ap: reset
    Are you sure you want to reset the system (y/n)?y
    System resetting..Xmodem file system is available.
    flashfs[0]: 142 files, 6 directories
    flashfs[0]: 0 orphaned files, 0 orphaned directories
    flashfs[0]: Total bytes: 7612416
    flashfs[0]: Bytes used: 3407360
    flashfs[0]: Bytes available: 4205056
    flashfs[0]: flashfs fsck took 0 seconds.
    Reading cookie from flash parameter block...done.
    Base ethernet MAC Address: 00:40:96:41:e4:df
    Loading "flash:/c350-k9w7-mx.122-13.JA/c350-k9w7-mx.122-13.JA"...########
    Note: The AP is configured with the factory default values that include:
    The IP address, which is set to receive an IP address with DHCP
    The default username and password, "Cisco"
    After the full Cisco IOS Software is loaded and connectivity is reestablished, delete the config.old file from Flash.
    Issue the del flash:config.old Cisco IOS Software command at an enabled prompt from the CLI.
    ap#del flash:config.old
    Delete filename [config.old]
    Delete flash:config.old [confirm]
    ap#
    From this doc;
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_password_recovery09186a00800949d0.shtml#res350ios
    Hope this helps!
    Rob

  • Aironet 350 WAP + IP Scheme Change

    Hello,
    I have an Aironet 350 Wireless Access Point running VxWorks 11.07.  We had it working fine on our 172.23.0.X IP address schema where the Ethernet and AP Radio shared the same IP address.
    We have recently moved to a 10.121.40.X IP address schema and so I made very simple changes to the network configuration of the WAP (IP address, Subnet Mask, Default Gateway and DNS).  However, now I can't get any devices to connect to the WAP even though I know they did before with the old IP address schema.  I've even tried the WAP on DHCP and the result is the same.
    What can I do to get this WAP working again?  Is it something to do with the 10.121.40.X range?
    Thanks.

    The clients are trying to connect but in Windows don't get to the 'Acquiring network address' stage.
    After a failed connection attempt the VxWorks 'Associations' page lists the client device but the 'State' is 'UnAuth'.
    The WAP Event Log shows a lot of the following type of entries but nothing else:
    00:07:57 (Info): Deauthentication from [10.121.41.19]0012f0dc17ca, reason "Unspecified Error"
    00:07:57 (Info): Station [10.121.41.19]0012f0dc17ca Authenticated
    00:07:56 (Info): Deauthentication from [10.121.41.19]0012f0dc17ca, reason "Unspecified Error"
    00:07:56 (Info): Station [10.121.41.19]0012f0dc17ca Authenticated
    00:07:55 (Info): Deauthentication from [10.121.41.19]0012f0dc17ca, reason "Unspecified Error"
    00:07:54 (Info): Station [10.121.41.19]0012f0dc17ca Authenticated

  • Aironet 350 Bridge associations

    Hi,
    I have 2 Aironet 350 bridges that keep disassociating and then reassociating constantly. Is there any way to stop this from happening?

    Parent is "Root Bridge", end station is "Non-root bridge w/out clients." Thanks for pointing me to the Express setup page--that's the one I had in mind, but I haven't been there since day one. Now I need to figure out why, with those settings, it's allowing client connections...
    The only MAC address filtering I see is (per documentation) "allow or disallow the forwarding of unicast or multicast packets either sent from or addressed to specific MAC addresses." When I look at the actual Address Filters page, it only allows me to specify "Dest Address." Not much help if I don't want to allow other connections *to* the bridge...
    When I'm not in Express Setup, and go to the Setup page, I have the option at the bottom of the page (Network Ports | Bridge Radio or Network Ports | Root Radio) to go to an Advanced page. While there, I see a field called "Radio Cell role." The Root Radio Advanced page shows the Radio Cell role as "Access Point / Root." The other options would be "Client/Non-root" and "Repeater/non-root." The Bridge Radio Advanced page shows the role as "client/non-root." I am *assuming* that the Root radio here, although called an "access point" is not an access point for clients (i.e., its role is that of the access point for the far end(s) of the bridge).
    I can't find anyplace to stop broadcasting the SSID...
    Thanks for the help!
    t

  • Cisco Aironet 350 series/panel indicator

    Cisco Aironet 350
    I have the following indicator signals:
    Ethernet activity = Steady RED
    Association Status = Steady GREEN
    Radio Activity = Steady AMBER
    I can't use the access point's serial port for system management.

    Here is a link to the led indicators although your colors aren't shown in the list.
    http://www.cisco.com/public/scc/compass/ap/information_files/led_table_wbg.html
    Based on the age of the unit, no access to the console, all LEDs are on. I would agree with Scott. It's likely bad ..
