AP or RADIUS Server disconnects Wireless Users constantly

Hi,
We are working with an Authentication Server with a Wireless Network. The APs are located on different LANs, but the problem is that some users get disconnected constantly, while other users are working without problems, on the same AP or a different one; you can be working without problems, but sometimes this problem can be on your PC.
Do you know what I need to check? Do you have any idea about it?
Thank you, regards.

I would strongly advise you to try to find a constant in your troubleshooting, be it a specific wlan client radio, a specific vlan, or perhaps a group policy on the radius server. Your approach can aid you greatly in eliminating possible culprits if your approach is effective, else you find yourself covering the same ground and making no headway toward resolve. This could be something as simple as an "idle-timeout" setting in radius (seems like it would impact all clients, but not all clients are logging in at the same time or staying on continuously)...there is a variable that you've yet to discover that could be a one-stop solution to your problem. Based on the limited info in your post, it would be a mile-long checklist to troubleshoot, but you can do so if you look, as mentioned before, for a constant. Wish I could help more!

Similar Messages

  • OS X server disconnect inactive user

    I have an OS X Server 10.6 and one with 10.7.
    I'm thinking of getting an OS X Server Mavericks.
    Now my question:
    On the old Server there was an option to disconnect inactive users after a certain amount of time.
    I can't find this option on the 10.7 server and heard that this option is lost on 10.9 too.
    Is this right, and why should Apple reduce the options to configure a server?
    Best regards from Germany, Frank Kueper.

    Hi Linc,
    thx, this solves my problem, but why aren't these options in the GUI any more?
    To make settings in the commandline is so oldschool and not userfriendly.
    Why?

  • Cisco NAC Guest Server for Wireless Users integration with IP telephony

    Hi Team
    I have a client who has the following requirement. The client requires a Guest server in order to serve wireless needs for guests at their office. They want the guest to get their authentication codes via SMS. The client will have a lobby IP Phone where the guest will press the services button configured on the IP Phone. It will then prompt the guest to enter his mobile number. Once the guest enters his mobile number, the guest will receive a text via sms gateway with login credentials. They want to offload this from the receptionist and it is for this reason that they require this functionality.
    Has anyone done this sort of deployment? We have already proposed NAC guest server and Wireless controller but we do not know whether the XML application for subscribing the service on the IP Phone is available directly with Cisco or does it need to be developed.
    Kindly advise on the same.
    Regards
    Azeem

    Hi Vishal,
    Please note that if you want to return ACLs (and usually in wired web auth you need to), you will have to integrate with ACS as NGS itself cannot return ACLs in the reply radius attributes.
    Basically the process is as follows:
    1 - Client plugs cable on switch.
    2 - Web auth is triggered on the port.
    3 - Default ACL permitting only DNS and DHCP is applied so that the client PC can obtain IP address and open a browser.
    4 - Client will be redirected to the NGS hotspot login page.
    5 - Client will enter credentials.
    6 - Client browser will send an HTTP POST packet containing the credentials.
    7 - The switch will intercept the POST packets and retrieve the credentials entered.
    8 - The switch will send Radius Access-Request to the ACS.
    9 - The ACS will use the NGS as External Identity source to authenticate the client.
    10 - The NGS will reply with Radius Access-Accept to the ACS and the ACS will reply to the switch including the ACL in the Access-Accept.
    11 - The switch authorizes the client on the port and applies the ACL it received from the ACS.
    Please follow the document Nicolas posted as it is a good one.
    HTH,
    Thanks

  • Using a BM 3.8 RADIUS Server to Assign Users to VLANs

    I'm trying to use Bordermanager 3.8 RADIUS to assign VLANs to users. The
    users are accessing the network via Cisco 1100 Aironet Wireless Access
    Points. We have defined two VLANs on the network. One goes directly to
    the internet for GUEST, VLAN1, and the other goes to our private network
    MEMBERS, VLAN2. The problem I'm having is getting the RADIUS to assign
    attributes to the user accounts. I need attribute: IETF 64 (Tunnel Type)
    set to VLAN, IETF 54 (Tunnel Medium Type) set to 802, and IETF (Tunnel
    Private Group ID) set the VLAN-ID which is 1 or 2. These attributes are
    not available in the RADIUS.ATR file. Is there some way of editing the
    ATR file to add these attributes? Is there another solution to assign
    VLANs with Bordermanager?

    > I need attributes: IETF 64 (Tunnel Type) set to VLAN, IETF 65 (Tunnel
    Medium Type) set to 802, and IETF 81 (Tunnel Private Group ID) set the
    VLAN-ID which is 1 or 2. These attributes are not available in the
    RADIUS.ATR file. Is there some way of editing the ATR file to add these
    attributes? Is there another solution to assign VLANs with Bordermanager?

  • Clean access server and wireless users

    Hi,
    The AP has several vlans (employee, guest). There is a trunk up to the switch and all l3 vlan interfaces are created on the switch.
    I would like to add a clean access server.
    1) Besides the configuration of the clean access server, do I just need to move the l3 vlan interface from the switch to the clean access server untrusted interface?
    2) Is the ip address of the trusted interface on the clean access server a trunk too?
    Thank you,
    Best regards,
    Pascal

    I think yes. The ip address of the trusted interface on the clean access server needs to be configured as a trunk too. This is up to my knowledge.

  • Disconnect wireless users when they leave the building

    Hi!
    I wanted to know, is there any functionality or solution that drops wi-fi users automatically when they leave the permitted area, for example when they go out of the shop? This is for restriction of unwanted connections from outside the building to guest wi-fi.
    Best wishes, Zhomart

    You would have to really survey the area to see where the access points can be placed and then what power they should be. The issue you will face is that the 5ghz attenuates faster than the 2.4ghz so this might be tricky. Your coverage toward the exterior walls will be poor for your users and that's not a good thing. All you really can do is buy window film that blocks rf and/or paint that blocks rf. This will also affect your cellular, etc.
    Sent from Cisco Technical Support iPhone App

  • When WLC authenticate users with secondary RADIUS server?

    Hi Sir,
    I'm configuring a WLC4404-100. One of the WLANs points to two RADIUS Servers for Authentication and Accounting (please see attached).
    I'd like to know, under what circumstances will the WLC authenticate users against the secondary RADIUS Server (in my case, the ACS with IP address 10.200.67.84)?
    Please advise.
    Thank you.
    B.Rgds,
    Lim TS

    Hi,
    I navigated to the following on the WLC:
    MANAGEMENT -> SNMP -> Trap Logs
    I noticed the following SNMP trap:
    Fri Dec 8 11:23:21 2006 No Radius Servers Are Responding
    I checked the 2nd ACS server, and true, at around the same time 11:23, the 2nd ACS server was authenticating users.
    I checked the 1st ACS server; at around the same time 11:23, there wasn't any service suspension or database replication going on. What's the cause of this WLC authenticating with the 2nd ACS server? The network is robust and I don't expect any latency issue. The two RADIUS servers are serving only wireless users, the number is about 120.
    On the WLC, I used the default of 2 seconds Retransmit Timeout for both the RADIUS Authentication Servers. Should I fine-tune it to higher value?
    Retransmit Timeout - Specify the time in seconds after which the RADIUS authentication request will timeout and a retransmission will be taken up by the controller. You can specify a value between 2 to 30 seconds.
    There are Passed Authentications logged on the 1st ACS server during & after 11:23. So, I suspect the WLC is doing a kind of load-balancing across the two RADIUS servers.
    Please advise.
    Thank you.
    B.Rgds,
    Lim TS

  • Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points

    Hi Guys,
    I would like to go for "Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points 1300". I want the AP to broadcast only 1 SSID. The client finds the SSID -> puts in his user credential -> RADIUS authentication -> assign him to a specific vlan based on his groupship.
    The problem here is that I don't have an AP controller but only configurable Aironet Access Points 1300. I can connect to the radius server, but I am not sure how to configure the AP's port, radio port, vlan and SSID.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
    I go through some references:
    3.5  RADIUS-Based VLAN Access Control
    As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back end (such as RADIUS)-based VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This may not be preferred if the WLAN user is confined to a particular VLAN.
    There are two different ways to implement RADIUS-based VLAN access control features:
    1. RADIUS-based SSID access control: Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge.
    2. RADIUS-based VLAN assignment: Upon successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.
    extract from: Wireless Virtual LAN Deployment Guide
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
    ==============================================================
    Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
    ==============================================================
    Controller: Wireless Domain Services Configuration
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
    Any help on this issue is appreciated.
    Thanks.

    I'm not sure if the Autonomous APs have the option for AAA Override.  On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a Radius server to send back the VLAN.
    I did a little research and it looks like the 1300 may give this option but instead is defined as "VLAN Override".  I've found the release notes for 12.3(7)JA5 (not sure what version you're running) that give mention and a link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
    Hope this helps

  • WRT54G with RADIUS Server

    Anyone tried WRT54G connected to RADIUS server for wireless authentication? Can anyone tell me how to go through this? I'm currently using Funk Steel Belted Radius.

    Access the router ui by http://192.168.1.1 .. logon by entering the password .. go to the "wireless" tab and click on "wireless security" tab....for the security mode , select RADIUS...Enter the ip address of the radius server , the port and the shared key used by the radius server....then set the wep settings...nothing else....

  • Wlse internal radius server

    it is possible to use wlse internal radius server to authenticate users with LEAP.

    When you say it should use LEAP is this what you have configured on the phone? The WLSE Express can configure and use more than one of the authentication services at the same time. If more than one service is configured, the WLSE negotiates which one to use. Where are you seeing it is using Cisco-PEAP instead of LEAP? Can you attach these?

  • Using RSA RADIUS Server and WLC 7.4 to dynamically assign users to VLAN

    Hello,
    What we are trying to do:
    John logs on to wifi using RSA fob for password. RSA sends back auth request with attributes to WLC 7.4 that magically knows how to interpret the attributes and puts John on vlan 10. Mary logs on with her fob and gets put on VLAN 20.
    We don't have ISE. We don't have ACS. We have RSA Authentication Manager 7.0.
    We have looked high and low for documentation for this kind of setup and we find stuff that is close to a match but not quite.
    Here is what we are seeing
    1. dynamic vlan assignment is not working -- radius server is set with the attributes
    2. RSA authentication works
    3. John and Mary are always put into the VLAN where the MGMT interface is
    4. I can see that attributes are making it back to the WLC by sniffing
    We are stuck at this point. Any help would be much appreciated,
    P.

    Here is a little more background:
    We have created a dynamic interface in VLAN 157
    Wireless LAN has been assigned to MGMT interface which is on VLAN 35
    This is a VWLC ver 7.4.100
    AP is attached to VWLC (only FlexConnect mode is supported)
    RADIUS Server has been configured
    Users are getting assigned to VLAN 35
    Also I have attached some screenshots and two packet captures so you can see what the RSA is sending back with your own eyes
    I don't see any attributes in the capture when RSA sends to the VWLC
    I see attributes in the capture when RSA sends to my local RADIUS Client (My PC)
    And to answer your question, we are sending a VLAN ID (157)
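The check this thread is doing by eye on the captures (does the Access-Accept carry the three VLAN attributes at all?), as an added example that is not part of the original posts. It assumes the attribute numbers and values of RFC 2868/RFC 3580 (64 = VLAN/13, 65 = IEEE-802/6, 81 = VLAN ID); the function names are hypothetical, the sample packets are constructed with a zeroed authenticator, and the Response Authenticator is not verified because that needs the shared secret.

```python
import struct

ACCESS_ACCEPT = 2                      # RADIUS code, RFC 2865
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TT_VLAN, TMT_IEEE_802 = 13, 6          # values used for VLAN assignment

def parse_attributes(packet: bytes):
    """Return (code, [(attr_type, value_bytes), ...]) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not match the captured bytes")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length runs past the packet")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def tagged_int(value: bytes):
    """Decode a tag octet followed by a 3-octet integer (attributes 64, 65)."""
    return int.from_bytes(value[1:], "big") if len(value) == 4 else None

def vlan_assignment(packet: bytes):
    """Return (vlan_id, problems); vlan_id is None unless all three fit."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None, [f"not an Access-Accept (code {code})"]
    first = {}
    for a_type, value in attrs:
        first.setdefault(a_type, value)   # keep the first instance of each type
    problems = []
    if tagged_int(first.get(TUNNEL_TYPE, b"")) != TT_VLAN:
        problems.append("Tunnel-Type (64) missing or not VLAN (13)")
    if tagged_int(first.get(TUNNEL_MEDIUM_TYPE, b"")) != TMT_IEEE_802:
        problems.append("Tunnel-Medium-Type (65) missing or not IEEE-802 (6)")
    group = first.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and group[0] <= 0x1F:
        group = group[1:]                 # leading octet <= 0x1F is a tag, not text
    if not group:
        problems.append("Tunnel-Private-Group-ID (81) missing or empty")
    if problems:
        return None, problems
    return group.decode("ascii", "replace"), []

def build(code, attrs):
    """Build a constructed sample packet with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples, not taken from the captures mentioned in the thread.
WITH_VLAN = build(2, [(64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06"),
                      (81, b"157")])
WITHOUT_VLAN = build(2, [(6, b"\x00\x00\x00\x02")])   # Service-Type only
```

Feed it the UDP payload of the Access-Accept exported from each capture; a reply like `WITHOUT_VLAN` gives the controller nothing to override the WLAN's default interface with.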

  • Connecting AE to a RADIUS server wirelessly

    I have found several posts on this subject, but none that have the same circumstances. I am running a Snow Leopard Server with RADIUS enabled to authenticate users connecting to my AEBS/s. I need to join an AE to the network wirelessly to connect a printer which is in an area where I can't run cabling.
    I have tried numerous times and spent a lot of time on the internet looking for a solution. In most cases the perpetrators are trying to connect to a University network or some such. In my case I control both sides of the equation.
    Does anyone have an idea how I may be able to connect the AE to the AEBS wirelessly using the RADIUS server (802.1X, TTLS)?

    I too have the same issue. I have an Airport Extreme connected to a RADIUS server and I want to extend that with an Airport Express so I can use AirPlay on my stereo in the living room. Somebody help please.

  • Radius local server and wireless access points

    Hello to all,
    I would like to ask a question related to radius server. I have an Allied Telesis core switch and I configured the radius server locally; I also configured port1.0.7 for dot1x and I am using dynamic vlan. If I connect my laptop to port 1.0.7 I can get the correct ip from the dhcp server. If I connect an access point to the same port, how should I configure the dot1x? For multiple hosts? I know I am using Allied Telesis but the config is very similar to Cisco's; take a look:
    (Radius and nas config)
    radius-server host 127.0.0.1 key awplus-local-radius-server
    aaa authentication dot1x default group radius
    aaa authentication auth-web default group radius
    crypto pki trustpoint local
    crypto pki enroll local
    radius-server local
    server enable
    nas 127.0.0.1 key awplus-local-radius-server
    group Andrew
      attribute NAS-Identifier andrew
      attribute Tunnel-Medium-Type IEEE-802
      attribute Tunnel-Private-Group-Id 10
      attribute Tunnel-Type VLAN
    user andrew encrypted password wh8q0J2oYSn0y4cynksNCqfbaUtRGv/E6JaJrW+s3Zs= group Andrew
    (port config)
    interface port1.0.7
    switchport
    switchport mode access
    auth-web enable
    dot1x port-control auto
    auth host-mode multi-supplicant
    auth dynamic-vlan-creation
    I tried with auth-web and without but no luck. If someone has a sample config showing how to configure the dot1x to be able to use an access point, please paste it.
    Thanks
    Andrew


  • Lobby ambassador user authentication using a RADIUS server

    I have Wism installed in a unified wireless network; an MS IAS server is sitting in between enterprise AD and Wism. Wireless clients are getting authenticated via ISA against enterprise AD without any issue.
    Now I want to authenticate the admin users in WLC (for example Lobby admin users) also with AD using the same method.
    I tried adding a RADIUS server in WLC on "administration>AAA servers". But the external authentication doesn't seem to be happening. Does someone have any example of this type of configuration?

    You can use Radius to authenticate a management user, but I'm afraid you can't use it to authenticate a Lobby admin user.
    To authen a management user, you need:
    1. In WLC, when creating the Radius server, you need to enable "management"
    2. In Radius, you need to enable service type[006] to be administrative in the user's IETF(Radius) attribute

  • Authenticate Users against external RADIUS-Server

    Hi,
    I have some users in the local LDAP database of a 10.5 Server.
    Is there a way to store their passwords on an external RADIUS-Server?
    Thank you very much,
    macservo

    CryptoCard does this.
    We use it at one customer for L2TP VPN authentication.
    This way the VPN user gets a yes or no to use the VPN server and then has to give his credentials: name and VPN shared secret or certificate (support for CryptoCard is in the OS X VPN client) to get on the network. The password is in 2 halves, one half is static and the rest is added to it from the Token.
    You then have to authenticate to any service you want to use (Kerberos?).
    We only had to alter a PPP config file on the OS X server and add a small file to both server (and client) to make it contact their Radius server instead of it using Apples regular internal VPN authentication (not the Radius one). And we had to add a shared secret corresponding to what was setup for the customer at CryptoCard (in the server only) for the OS X Server (Radius client) to CryptoCard server (Radius server) communication. You can't use Server Admin to alter VPN settings afterwards without messing up the PPP settings file.
    Maybe possible to use it for Ethernet/Wireless 802.1X authentication too?
    For just AFP server auth I don't know.
