AP1242, WLSE & ACS

I'm trying to configure a WLAN composed of AP1242's managed by a WLSE and authenticating via an ACS Appliance. At present I'm still testing so the ACS box is using its internal user database and I've generated a self signed and installed cert on it. I've exported the cert and installed on the clients but my problem is that I'm not getting authenticated and I think the weak link is the AP's.
When I try and authenticate a client I get an authentication failed error on the AP and that's it, nothing on the ACS server at all. Using Ethereal I can't see any 1645 or 1812 UDP traffic between the AP and the ACS box (or any traffic at all for that matter) so it looks like the AP isn't even trying the ACS box. I've tried running debug aaa and radius commands on the AP but the only thing I see are AAA/BIND messages appearing every minute or so. I've even tried stopping the ACS services and trying again with the services stopped to try and raise an error.
Any ideas would be very welcome!

Which authentication / authorization scheme are you using?
Are you using the Microsoft Zero Wireless Config system, or the client software (in addition to the client drivers)?
Do you have a software firewall on the PC/Laptops? Try disabling it for diagnostics (make sure you shut down the service as well as the "front end" code).
Have you verified that the client has associated?
With the PC/Laptop on, try disabling and re-enabling the NIC (versus re-booting) and see if you get the auth traffic (on your Ethereal capture).
Check it out & let us know.
Scott
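
As an added illustration (not part of the original thread), the capture check discussed above can be scripted: given UDP datagrams exported from a capture, this sketch decodes the RADIUS header on ports 1645/1812 and reports whether the AP ever sent an Access-Request and how far the exchange got. The function names, verdict strings, tuple layout and the sample addresses and packets are all constructed for the example.

```python
import struct

RADIUS_AUTH_PORTS = {1645, 1812}          # legacy and IANA-assigned auth ports
CODES = {1: "Access-Request", 2: "Access-Accept",
         3: "Access-Reject", 11: "Access-Challenge"}

def parse_radius(payload):
    """Return the RADIUS code name, or None if the header is malformed."""
    if len(payload) < 20:                  # 20-byte fixed header (RFC 2865)
        return None
    code, _ident, length = struct.unpack("!BBH", payload[:4])
    if code not in CODES or not 20 <= length <= len(payload):
        return None
    return CODES[code]

def diagnose(datagrams, ap_ip, server_ip):
    """Classify AP<->server RADIUS traffic from (src, dst, sport, dport, payload) tuples."""
    seen = set()
    for src, dst, sport, dport, payload in datagrams:
        to_server = (src, dst) == (ap_ip, server_ip) and dport in RADIUS_AUTH_PORTS
        from_server = (src, dst) == (server_ip, ap_ip) and sport in RADIUS_AUTH_PORTS
        name = parse_radius(payload) if (to_server or from_server) else None
        if name is None:
            continue
        # Requests only count from the AP; replies only count from the server.
        if (name == "Access-Request") == to_server:
            seen.add(name)
    if "Access-Request" not in seen:
        return "no-request"                # AP never contacted the server
    if "Access-Accept" in seen:
        return "accepted"
    if "Access-Reject" in seen:
        return "rejected"
    if "Access-Challenge" in seen:
        return "challenge-without-accept"  # exchange stalls before a final answer
    return "no-response"                   # requests sent, server silent

def pkt(code, ident=1):
    """Constructed sample: header-only RADIUS packet with a zero authenticator."""
    return struct.pack("!BBH", code, ident, 20) + bytes(16)

AP, ACS = "192.0.2.10", "192.0.2.20"      # documentation addresses, constructed
STALLED = [(AP, ACS, 21645, 1812, pkt(1)), (ACS, AP, 1812, 21645, pkt(11)),
           (AP, ACS, 21645, 1812, pkt(1, 2)), (ACS, AP, 1812, 21645, pkt(11, 2))]
```

A "no-request" verdict points at the AP side of the configuration, while "no-response" or "challenge-without-accept" points at the server or the path to it.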

Similar Messages

  • Creating Dual SSID's

    We are running phat architecture (WLSE, ACS, 1230 AP's) and PEAProtocol. I want to create additional SSID's on every AP (WPA-PSK) for vendors.
    My question is this: "Are there any good documents that discuss the creation of dual SSID's, VLAN/AP configuration, and/or best practice approaches?"

    Hi Darin,
    jep there are some documents.
    Using VLANs with Cisco Aironet Wireless Equipment
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml
    For usage of a WLSE, PEAP and ACS have a look here
    Protected EAP (PEAP) Application Note
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_technical_reference_chapter09186a008025d6ee.html
    Additional Information about WDS can be found here
    Wireless Domain Services Configuration
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
    These documents will give you the right hints for your task.
    Best regards,
    Frank

  • WLSE Radius(IAS or ACS)

    Hi,
    Does anyone know if WLSE will work with Microsoft IAS? The Cisco doco indicates "IEEE 802.1X authentication server, such as Cisco Secure ACS"
    We have an IAS setup using PEAP.

    These caveats are resolved in Cisco IOS Release 12.2(15)JA:
    CSCed69756—By default, the access point sends reauthentication requests to the authentication server with the service-type attribute set to authenticate-only. However, some Microsoft IAS servers do not support the authenticate-only service-type attribute. Changing the service-type attribute to login-only ensures that Microsoft IAS servers recognize reauthentication requests from the access point. Use the dot11 aaa authentication attributes service-type login-only global configuration command to set the service-type attribute in reauthentication requests to login-only.
    This came from
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_release_note09186a00802146cf.html
    I have read several forum articles dealing with IAS, FreeRadius, etc.

  • WAP is not authenticated to WLSE?

    Hello,
    I'm trying to set up WDS with 2 Cisco 1130 WAP, 1 ACS (V3.3) and Cisco WLSE.
    I got everything working except for connecting WDS access point to WLSE.
    I put WLSE's ip address in WNM global configuration but I see this access point constantly generating error messages saying 'Not authenticated'.
    WLSE had this device under 'Managed Devices' but does it need additional configuration to talk to WDS access point?
    Thanks for your help in advance.

    I believe you are seeing this bug:
    http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsb47726&Submit=Search
    There is not a very good workaround. You can downgrade ACS to 3.3.2 or run local authentication on the AP for WDS.
    What you will see if you debug radius on the WDS primary are access-request and access-challenge but never an access-accept.

  • ACS Authentication Errors

    Friday I upgraded my CiscoSecure ACS from version 3.3 to 4.1. Upgrade seemed to go fine. Today I come in to find out that no one is getting authenticated. I have APs in WLSE configed with WDS that are not authenticating. I also have AP's not in WLSE that are not authenticating. All these worked before the upgrade.
    Any ideas??
    Thanks,
    Becky

    Yes. I was getting Radius Server not responding. BUT, I just got it fixed!!! During the upgrade ACS wiped out the IP address of the AAA server. Once I re-entered it, things started coming back up.
    Thanks to everyone who thought about this!!
    Becky

  • WLSE Radio Scan Problems

    I have recently set up WDS at a remote campus. I scheduled a radio scan for 4:00am so as not to interfere with active users. The scan completed but not successfully. I got an error message regarding the WDS and I can not determine the reason. I have attached the Job Log from the WLSE.
    All the AP's are registered with the WDS AP. The WDS AP is dedicated with the radio turned off. The WDS is in an authenticated state with the WNM. I'm not sure what the problem could be.

    This has been successfully resolved with the help of TAC. The issue is actually a bug in the ACS v3.3.3. The bug ID is CSCsb47726. Once I applied the patch (replacement of a specific dll) the WDS and ACS and WLSE completely authenticated to one another.

  • Are there any benefits to enabling WDS without WLSE?

    My clients will be using WPA with PEAP and 2 ACS 3.3 servers for authentication. Other than having an AP to be the focal point for authentication for a Wireless segment. Are there any benefits to using WDS without having WLSE?

    Yes, there are benefits from WDS:
    - list of client associations
    - list of access points in domain
    - fast secure roaming for LEAP (and EAP-FAST?)
    - local authentication (radius backup) for LEAP and EAP-FAST
    - radio management aggregation
    Only radio management needs WLSE to be useful.
    Local authentication is possible without WDS.
    WDS can be configured on an access point and also on an IOS router (like the 2811) from IOS 12.3(11)T with security feature sets.
    As a network administrator I would not do it without WDS. It does not cost extra or performance but it gives centralized information on the WDS device.
    Jens Neelsen

  • WLC/WCS vs WLSE

    ok..
    I'm looking at these solutions and I'm very puzzled why I would purchase a WLC/WCS/AP vs a WLSE/AP solution.
    First with WLC, i have to deploy multiple WLC's to get global redundancy. Don't need that with AP/WLSE combo. WLSE isn't a global failure point that takes down all my AP's.
    Second, While deploying a WLC is easier as WLSE takes an ACS server and ability to read and deploy WDS services, I can buy a WLSE and ACS server/hardware for less than the cost of one 4400 controller.
    Third - WLSE handles 2500 access points, does heat maps, something I would have to spend extra money and buy WCS for with the WLC. WLSE does the auto-reconfiguration and site survey.
    Seems to me WLC is similar to cars where they took the gauges out and just give you warning lights way of deploying wireless. Don't worry about what it does, just put it in and only pay attention if a red light appears while WLSE takes more knowledge of ACS and WDS, shows you more details, gives you greater control, autonomy and failure redundancy.
    Did I miss something??? It seems like WLC is 3 times as expensive yet doesn't provide anything other than easier deployment.

    Hi,
    Thank you Rpaquin, I also need an answer: which is better and which one is more suitable for a small WLAN?
    Regards
    Saher

  • CWWLSE-1030-K9 Cisco WLSE Wireless LAN Solution EE 2.13 with AP 1242

    Dear all, my customer has CWWLSE-1030-K9 Cisco WLSE Wireless LAN Solution EE 2.13 with 12 AP1242 (a/b/g) Radio 802.11g in place. Now he will buy additional AP what type of AP can i use because AP 12xx is EOS.

    Hello Dirk,
    AP 1200 is EOS, and customers were encouraged to migrate to 1240 Series (which is also EOS now)
    http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1200-series/eol_c51-506611.html
    Therefore it is recommended to migrate to Cisco Aironet 1600 or Cisco Aironet 2600 Series.
    http://www.cisco.com/c/en/us/products/collateral/collaboration-endpoints/unified-ip-phone-7900-series/end_of_life_notice_c51-726425.html

  • Does AP1242 used as WGB support PEAP?

    We are currently testing AP1242 (used as Workgroup bridge) to replace our current client bridge device that uses PEAPv0 as authentication protocol. The assumption was that AP1242 (as WGB) supports PEAP (v0 or v1). But the ACS server failure log is telling us differently ("EAP Type not configured"). Does AP1242 (as WGB) support PEAP? What authentication protocol does AP1242 (as WGB) use? Is it EAP-FAST? Any info you can share is much appreciated.

    I don't think there is any restriction that WGB does not support PEAP. WGB will support any EAP authentication. If it's not working, we need to look at the configuration to see if we have missed something. Can you post the configuration?

  • ACS 5.3 Default Backup Password

    When doing a backup on any of the ACS 5.x appliances by default the backup is encrypted with PGP. What password is used for that? Is it configurable?

    It is not configurable and that information wasn't made public. However, when you restore it should be able to decrypt it just fine.
    You can try opening a TAC case but when I was in TAC I wasn't able to find that key either.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • The difference between WLSE and WLSM

    Dear All,
    In my understandings
    WLSM can support layer 3 roaming
    1. For rogue AP detection, is WLSE or WLSM be the choice?
    2. Between AP and WLSM, it is FSRT, is it encrypted? by Cisco proprietary?
    Thanks a lot in advance.
    Regards,
    mak

    WLSE is a Management/Monitoring application that uses the radio information from WLSM to show Radio data including Rogue AP Detection. WLSE itself/alone cannot do Rogue AP Detection

  • How to migrate multiple ACS database into one ACS database ?

    Hey All,
    we just purchased several companies and as IT/network department, we need to consolidate all the ACS from the HQ and the purchased company into one ACS. I read the Cisco docs, which mentioned I can export the migration file from the old ACS and upload it into the new ACS server.
    but my concern is we have multiple ACS servers, will the multiple ACS migration files overwrite each other during the upload into the new server.
    thanks

    Raghavender -
    I am not an expert on MySQL migration, but you would look to migrate the database to a local Oracle Database and then move that to your Database Cloud Service.  However, keep in mind that at this time you can only access the Database Cloud Service from outside the Cloud via RESTful Web Services, so you might have to modify the application that accesses the database.  Hope this helps.
    - Rick Greenwald

  • ACS any Version with Domain Controller on Windows Server 2008 R2 64bit

    Hi All
    Is there currently any ACS version working with Windows Server 2008 R2 domain controllers?
    Our server stuff has recently upgraded the Domain Controllers to 2008r2 and turned off the 2003 servers. This didn't make our ACS 4.1.4 really happy.
    I've read now several posts regarding issues with ACS and Server 2008r2 and hope to find a solution (besides switching to LDAP, yukk).
    Thanks
    pato

    Hi Pato,
    Just check out the below link hope that help.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html
    As per the link it says The support for Windows Server 2008 is applicable for ACS 4.2 Patch 4 onwards.
    Hope to Help !!
    Remember to rate the helpful post
    Ganesh.H

  • Issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

    issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login
