Authenticating 1300 Bridges to WLSE Express

I'm curious how I can authenticate my 1300 bridges as a client to a WLSE Express. The WLSE Express does have a built-in AAA server and I've created the usernames, but I'm not sure where in the 1300 I can assign it to authenticate to the WLSE.
My question, I guess, is: do I need to point these bridges to authenticate to the Root Bridge, and configure a RADIUS association between the Root Bridge and the WLSE Express? Also, whereabouts on the Non-Root bridge (or Workgroup) do I configure this?
Any help would be appreciated.
Thanks,
Jamie

Administratively Standalone - Active defines that this is the active WDS in WDS domain.
Active, backup, or candidate. If the state is backup, the command (show wlccp wds) also displays the current WDS access point's IP address, MAC address, and priority.
You can configure the WLSE 1030 internal AAA server to authenticate infrastructure APs.
http://www.cisco.com/en/US/customer/products/sw/cscowork/ps3915/products_user_guide_chapter09186a008052dbfd.html

Similar Messages

  • Security on Aironet 1300 bridges

    I am a newbie on this forum. I require your suggestions and recommendations. I have Aironet 1300 bridges. I want to connect them in a point-to-multipoint environment.
    I want to have one root bridge and the rest as non-root bridges. But I want to implement authentication of non-root bridges through the root bridge. Please suggest the latest and strongest authentication and security protocols that I can use. Please, I am looking for an early response.

    EAP Authentication type provides the highest level of security for your wireless network. By using the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the root access point/bridge helps another access point/bridge and the RADIUS server to perform mutual authentication and derive a dynamic unicast WEP key. The RADIUS server sends the WEP key to the root access point/bridge, which uses it for all unicast data signals that it sends to or receives from the non-root access point/bridge. The root access point/bridge also encrypts its broadcast WEP key (entered in the access point/bridge's WEP key slot 1) with the non-root access point/bridge's unicast key and sends it to the non-root access point/bridge.

  • AES-CCMP and 1300 bridges

    I'm looking for a document showing the settings and how to use AES-CCMP with the latest firmware on the 1300 bridges.

    I use my Br1300 in bridge-mode with WPA-PSK and aes-ccm. Note the bug mentioned in the config.
    *** root ***
    interface Dot11Radio0
     no ip address
     no ip route-cache
     no concat (CSCef66724)
     cca 61
     station-role root
     encryption mode ciphers aes-ccm
     ssid xxxx
      authentication open
      authentication key-management wpa
      infrastructure-ssid
      wpa-psk ascii 0 1234567890
    *** non-root ***
    interface Dot11Radio0
     no ip address
     no ip route-cache
     no concat (CSCef66724)
     cca 61
     station-role non-root
     encryption mode ciphers aes-ccm
     ssid xxxx
      authentication open
      authentication key-management wpa
      infrastructure-ssid
      wpa-psk ascii 0 1234567890

  • WLSE Express with PEAP

    Hi All,
    We are playing with a WLSE 1030 in combination with PEAP. We think we have a certificate mismatch somewhere. Users are getting a pop-up for their username and password, but do not get authenticated.
    We imported a CA cert, a server cert and a pvk file with the private key, which seems to be correct.
    Does anyone have a procedure to configure the WLSE Express with PEAP?
    Thanks in advance.

    I am having a problem importing the certificate to the WLSE Express. Here is the error that I am getting:
    An error has occurred. Please try again or contact an administrator. The error message is:
    A validation error has occurred /Radius/Services/cisco-peap/ServerRSAKeyFile: The Server RSA private key cannot be loaded from PEM:/cisco-ar/certs/cisco-peap/server-key.pem. Verify that it contains a valid PEM encoded Server RSA key and that the private key password is correct
    Any help would be greatly appreciated.

  • Win XP PEAP - AP - WLSE express - AD

    Hello
    I'm trying to set up the following configuration:
    - Windows XP client connects to 1130 AP using PEAP with EAP-MSCHAP using the computer account
    - AP uses WLSE Express RADIUS server for authentication
    - WLSE Express uses Windows AD to verify computer account
    Is there an example for this configuration?
    thanks in advance
    Thomas

    The procedure for enabling EAP based authentication on the AP is the same for all EAP variants. This document has all the information to enable EAP authentication with a RADIUS server.
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml

  • 1300 Bridge: VLAN and encryption question

    Hi!
    I configured a 1300 bridge with dot1q-VLANs and tkip/wpa encryption:
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption vlan 1 mode ciphers tkip
     encryption vlan 91 mode ciphers tkip
     encryption vlan 150 mode ciphers tkip
     ssid skylink
      vlan 1
      authentication open
      authentication key-management wpa
      infrastructure-ssid
      wpa-psk ascii 7 xxxx
     short-slot-time
     cca 0
     concatenation
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     rts threshold 4000
     channel 2472
     station-role root
     payload-encapsulation dot1h
     antenna receive right
     antenna transmit right
     infrastructure-client
    interface Dot11Radio0.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 spanning-disabled
    interface Dot11Radio0.91
     encapsulation dot1Q 91
     no ip route-cache
     bridge-group 91
     bridge-group 91 spanning-disabled
    interface Dot11Radio0.150
     encapsulation dot1Q 150
     no ip route-cache
     bridge-group 150
     bridge-group 150 spanning-disabled
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     ntp broadcast client
    interface FastEthernet0.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 spanning-disabled
    interface FastEthernet0.91
     encapsulation dot1Q 91
     no ip route-cache
     bridge-group 91
     bridge-group 91 spanning-disabled
    interface FastEthernet0.150
     encapsulation dot1Q 150
     no ip route-cache
     bridge-group 150
     bridge-group 150 spanning-disabled
    Is it necessary to set the
    encryption vlan 91 mode ciphers tkip
    encryption vlan 150 mode ciphers tkip
    so that all VLANs are encrypted?
    How can I examine that all VLANs are encrypted?
    Best regards
    Michael Simon

    No. As there is no SSID assigned to VLAN 91 and 150, I was told by the TME (Technical Marketing Engineer) that the 1300 should use the encryption defined in the native VLAN (VLAN 1 in your case) to transport traffic on VLAN 91 and 150. I have not taken any wireless sniffer trace to verify it though.
    There are a couple of ways to verify it:
    1. a wireless sniffer trace
    2. debug dot dot 0 trace print xmt rcv
    Please be very careful when using option #2. Option #2 turns the wireless bridge into a wireless sniffer. If there is heavy traffic between the two bridges, the wireless bridges will crash. Please use option #2 in a test environment or with limited traffic.
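
A static check for the settings visible in the two radio configs quoted above (a type 0 or type 7 `wpa-psk`, a short numeric passphrase, TKIP-only ciphers), added here as an example and not code from any poster or from Cisco. The sample config is constructed, and the rule names and the 20-character passphrase floor are assumptions of this example.

```python
import re

# (rule id, pattern on a stripped config line, why it matters)
RULES = [
    ("psk-cleartext", re.compile(r"^wpa-psk (ascii|hex) 0 (\S+)"),
     "PSK is readable by anyone who can view or back up the config"),
    ("psk-type7", re.compile(r"^wpa-psk (ascii|hex) 7 (\S+)"),
     "type 7 is reversible obfuscation, not encryption"),
    ("cipher-tkip", re.compile(r"^encryption (vlan \d+ )?mode ciphers (?!.*aes-ccm).*tkip"),
     "TKIP without AES-CCMP on this link"),
    ("cipher-wep", re.compile(r"^encryption (vlan \d+ )?(mode wep|key \d+)"),
     "static WEP"),
    ("psk-weak", None, "passphrase is short or single-class (assumed floor: 20 chars)"),
]

def is_weak(passphrase, floor=20):  # floor is this example's assumption
    return len(passphrase) < floor or passphrase.isdigit() or passphrase.isalpha()

def audit(config):
    """Return (line_no, interface, ssid, rule_id) findings; never echoes key material."""
    findings, iface, ssid = [], None, None
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if line.startswith("interface "):
            iface, ssid = line.split(None, 1)[1], None
        elif line.startswith("ssid "):
            ssid = line.split(None, 1)[1]  # most recent ssid stanza on this interface
        for rule, pattern, _why in RULES:
            m = pattern.match(line) if pattern else None
            if not m:
                continue
            findings.append((n, iface, ssid, rule))
            if rule == "psk-cleartext" and m.group(1) == "ascii" and is_weak(m.group(2)):
                findings.append((n, iface, ssid, "psk-weak"))
    return findings

# Constructed sample modelled on the quoted configs; SSIDs and keys are placeholders.
SAMPLE = """\
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid bridge-a
  authentication open
  authentication key-management wpa
  infrastructure-ssid
  wpa-psk ascii 0 1234567890
interface Dot11Radio1
 encryption vlan 1 mode ciphers tkip
 ssid bridge-b
  vlan 1
  authentication key-management wpa
  wpa-psk ascii 7 xxxx
"""

if __name__ == "__main__":
    why = {rule: text for rule, _p, text in RULES}
    for n, iface, ssid, rule in audit(SAMPLE):
        print(f"line {n}: {iface} ssid={ssid}: {rule}: {why[rule]}")
```
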

  • WLSE Express - OpenSSL certificate translating issue

    Does anyone have suggestions for converting a .PFX file to .PEM? I can't unzip / am getting an error when trying to install the latest version off of www.openssl.com. I need to perform this conversion for WLSE to accept the certificates. (This is needed for WLSE Express to become a AAA Radius server.) Thanks. Russ

    When you install an SSL certificate on a BBSM server, it enables visitors to verify the site's authenticity and communicate with it securely through SSL encryption, which protects confidential information, such as credit card numbers, online forms, and financial data from interception and hacking.
    This protection is accomplished by using "HTTPS" when coding the page sets. SSL comes in two strengths, 40 bit and 128 bit, which refer to the length of the "session key" that every encrypted transaction generates. The longer the key, the more difficult it is to break the encryption code.
    If you are using RADIUS or credit card page sets, you must install an SSL certificate for end users to gain access to the Internet.

  • Can not Authenticate WLSE Express with Active Directory

    Hi, All
    I cannot authenticate WLSE Express using an external database with AD. I have downloaded the agent to the Domain Controller and installed it on AD.
    At WLSE Express I found this log:
    "Error Server 0 RemoteDomainAuth server domain-auth: Agent API encountered error (1)"
    "Error Server 0 Service domain-auth has no active remote servers available"
    "Warning Protocol 0 Request from AP101 (10.224.20.143): User insee-wds rejected (ServiceUnavailable)"
    "Warning Protocol 0 Request from AP101 (10.224.20.143): User insee-wds rejected (InternalError)"
    Maybe something is wrong on AD.
    If anyone has an idea, please help me.
    Thanks.

    I got the problem like you.
    Do you have any solution to solve this issue?
    If you have, please e-mail or post to me and everybody who has this problem.
    Thank you so much.

  • OS-Authentication  for a Oracle 10g Express Edition

    I want to use OS-Authentication for an Oracle 10g Express Edition. What value must be set in sqlnet.ora? Where are the possible authentication modes described? I only found the description KERBEROS5.
    I tried the value all, but with all no connect is possible.
    Thanks for help
    Josef Springer

    > Thanks for your link.
    > A special username with prefix is needed. This user must be created for external authentication. This user must be known by the OS. Am I right?
    Right.
    > As I understand, to login with OS-Authentication I need a new Windows user. This is not usable, because my users have their login and do not want to use another, when working with the database.
    > Is there another way to use OS-Authentication?
    As far as I know, this is not possible, especially with Oracle XE, which does not have all the features of Enterprise Edition.
    > Must the prefix be used in any case?
    You can have an empty prefix: you should use the OS_AUTHENT_PREFIX init. parameter http://download.oracle.com/docs/cd/B19306_01/server.102/b14237/initparams147.htm#REFRN10152

  • Setting the time on 1300 bridges

    stupid question, how do you set the clock on the 1300 bridges, specifically the 1310?

    kieran
    Two issues.
    One, the Cisco APs do not have a clock like your PC; if you set the time manually, when the AP loses power or reboots the time is reset to the default and you need to set it again.
    Two, the better solution is to designate a time server for the AP to synchronize to.
    Either method can be configured by clicking Services on the web interface and then selecting NTP or SNTP depending on your IOS version, then entering the time server IP address in the proper box or typing in the proper date and time in the fields below. If you select the time server method, the date and time will be filled in automatically once the time is synchronized.
    HTH
    Bill

  • 1300 bridges trunking question

    Hi all,
    I have two 1300 bridges connecting two buildings. Both buildings are using native vlan. I only have one SSID and native vlan on the bridges. There is a L3 switch connecting to the root bridge and L2 switch connecting to the non-root bridge.
    Right now, we are upgrading the network to support multiple vlans. Do I need to make trunking on the bridges in order for the bridges to pass multiple vlans traffic? I already made trunking (802.1q) on both switches. But once I assign ports to access different vlan, I could not get dhcp address (except native vlan) if I am on the second building.
    Any suggestion/comment?
    thanks
    Gene

    Hey Gene,
    I had a similar setup and the only thing you need to care about pretty much is that the native vlan in your bridges is the one assigned to the SSID which is linking those 1300s together... All the rest of the vlans at your switch will pass through the wireless link effortlessly... :)
    Just try to be sure you are NOT restricting vlans at the switch port where you have your bridges connected.
    If you need any assistance please do not hesitate to contact me... :)
    Cheers,
    Hery

  • Need help on Aironet 1300 bridges

    Greeting,
    We have just upgraded two Aironet 1300 bridges (from Cisco 350) on two buildings about 100 yards apart. They are only running as bridges. One is set up as root bridge and the other one is set up as non-root bridge. The root bridge is in the main building, directly connected to a Cat 4506. For some reason the root bridge has some intermittent problem connecting to the network. We are running IOS 12.3(8). We changed the cable but the problem still occurred. Every time, we have to reboot the root bridge in order to get it back, but all the interfaces in the root bridge show "up / up" prior to reload. The "show tech" looks fine on the root bridge. Any suggestion? Shall I change the root bridge to a workgroup bridge?
    Really appreciate any help,
    Gene

    Hi Steprodr,
    I just need to clarify that the power injector is on the non-root bridge? I think the power is fine on both bridges when the problem occurred. We used Cisco 350 bridges before the upgrade, so the cable and port still remain the same. The problem is more from the root bridge back to the Cat 4506, because both root and non-root bridges can ping each other when the problem occurred.
    thanks,
    Gene

  • AP 1300 Bridge Design/Change

    I have a client w/ an AP 1300 bridged across two buildings (Building A Building B).  Past history - Building A had Internet, Building B did not.  The link was constantly going down, so it was turned off and both locations now have Internet.  From time to time, Building B's Internet goes down (cheaper service) and would like to resurrect the wireless for failover.  There is zero documentation and we found the Air-PWRINJ-BLR2 unit, but cannot find the actual AP unit without climbing into attics.  Is this the unit we use to configure it?  It has a console port - Also the IPs configured on the unit appear to be on the same LAN segment as Building A (192.168.10.250 & 192.168.10.251).  I'd like to place both ends of the wireless bridge (Building's) into a DMZ port and static route.  How the heck can I accomplish this if the bridge is configured w/ the same LAN segments as Building A?  I have a router w/ multiple ports ready to plug in.
    I just need Building B to be able to access the Internet via Building A if their default Internet goes down.
    Building A Network
    192.168.10.0/24
    Building B Network
    10.20.190.0/24

    Hi
    Yes, the console port on the power injector is the console port for the AP. Probably the best way to recover the bridge is to connect the 1310 to a laptop's Ethernet port and use the console port to learn the IP of the 1310, then manage the 1310 with the GUI. It can be done with the CLI, but if you have not done a wireless bridge before, stick with the GUI. Both 1310s need to be on the same subnet; this is for management, not for bridging. The bridging is at level 2 unless you use VLANs, but with the routers that should not be an issue. Once you have configured the Root router, save the config and use it to configure the non-root router, changing the IP address and the role to Non Root. Plug the network cables into the appropriate router ports and you should be set.
    This is assuming you know the userid/passwords for the APs; the default was Cisco/Cisco.
    If the antennas are aligned your bridge should be reliable.
    Based on the signal level between the APs, I would disable the B data rates, use the G data rates and possibly disable the higher data rates if the radio stats show too many retries, more than 10%.
    Bill

  • 1300 Bridge Speed Issue

    I have two buildings that are only about 200 feet from each other. I have two 1300 bridges joining both buildings. This works great! The only thing that I notice is when I copy files from our file server in one building to my PC in the other building it takes 7 min for a 700M file, and I use a monitor and see that the wireless is only transferring 2.4MPS off of the wireless interface. I have both bridges set to require 48MPS and 54MPS and all others are disabled. Why am I not getting the full 54MPS copying the file? The rest of my network is on gig switches.
    Thanks

    Hi Christopher,
    Don't forget that the 54M numbers are really only theoretical and not a reflection of the true throughput; with the subtraction due to overhead the actual throughput is much lower. Have a look;
    Approximate Throughput Comparison for 802.11a, 802.11b, and 802.11g
    802.11b Data Rate (Mbps)=11 Approximate Throughput (Mbps)=6
    802.11g (no 802.11b clients in cell) Data Rate (Mbps)=54 Approximate Throughput (Mbps)=22
    802.11a Data Rate (Mbps)=54 Approximate Throughput (Mbps)=25
    From this good doc;
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00801d61a3.shtml
    Here is a nice explanation from one of my favourite NetPros Scott;
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=WLAN%20Radio%20Standards&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddcbbd2/3#selected_message
    Hope this helps! I know its a bummer :(
    Rob

  • 1300 Bridge VLAN support

    Dears
    I have two sites required to be connected using wireless 1300 bridges, but there are 30 VLANs and I think that the 1300 series supports 16 VLANs only; is that right? Please advise me: if the 1300 supports more than 16 VLANs, how do I configure it, and if not, which model supports more VLANs?
    Thanks

    Buy a pair of routers, and use the 1300s to provide the link between the routed interfaces; then you only have to pass one VLAN between them.
    Then, if you're still desperate to get those specific VLANs to the other site, I believe you can do some magic with your routers to tunnel them inside your routed link.
