Authentication Keys
Hi expert,
Does somebody know how I can put authentication keys in the receiver SOAP adapter?
thanks for all.
Hi,
- in Configuration Repository goto the Communication Channel, tab Parameters, tab Advanced.
- check Use Adapter-specific message attributes and variable transport binding
- check View authorization keys and enter key value pairs, where key means username
- you can set this authorization data as Adapter-Specific Message Attributes in the Message Header via a UDF in message mapping
// UDF body for the message mapping: publish the authorization key as an
// adapter-specific message attribute in the SOAP adapter namespace. The UDF needs the
// imports com.sap.aii.mapping.api.DynamicConfiguration, DynamicConfigurationKey and
// StreamTransformationConstants. "YOURKEY" must match a key name entered under
// "View authorization keys" in the communication channel.
String tAuthKey = "YOURKEY";
DynamicConfiguration conf = (DynamicConfiguration) container.getTransformationParameters().get(StreamTransformationConstants.DYNAMIC_CONFIGURATION);
DynamicConfigurationKey confKey1 = DynamicConfigurationKey.create("http://sap.com/xi/XI/System/SOAP", "TAuthKey");
conf.put(confKey1, tAuthKey);
return "";
In our scenario we need to change the auth keys according to a dynamically changing TServerLocation. There is a possibility to enter about 10 auth keys which can be used, but we need more than 10.
Thanks, regards, Martin
Similar Messages
More than 10 Authentication Keys in receiver SOAP adapter
Hi
My requirement is that I need more than 10 authorization/authentication keys in the receiver SOAP adapter. Is this possible?
Advanced tab -> Use adapter-specific message attributes -> variable transport binding -> view authorization keys.
Only 10 entries are provided here. Can I extend this somehow?
Thanks!
regards Ole
Yes..
These links will help you in it
Certificate Authentication with SOAP Receiver
HTTP authentication key for hand shake at receiver side for HTTP POST
Hi All,
The HTTP POST receiver system is expecting an authentication key to be sent by the PI HTTP_AAE adapter while posting the XML message to them.
The receiver system has a utility program in JAVA to validate this key. Has anyone done this kind of scenario in PI 7.31/7.4
How does this simple authentication mechanism work? If this doesn't work, we have to rely on just uname/pwd but that is not really recommended for our landscape because of security concerns. So the key is the only better option as of now. Please help!!
thx
mike
Attached are some import packages used in the Java util program in the receiver system for validating the authentication key sent by PI
import java.security.MessageDigest;
import java.util.Calendar;
import java.security.NoSuchAlgorithmException;
import java.io.UnsupportedEncodingException;
import java.io.IOException;
import sun.misc.BASE64Encoder;
import sun.misc.BASE64Decoder;
I am not pasting the java program utility here due to proprietary reasons. thx for understanding
Hi Michael
You can construct the target URL to include the query parameter/value using Dynamic Configuration in Message Mapping.
This previously worked on the ABAP HTTP adapter, but from the thread below it seems it is not supported on the HTTP_AAE. Not sure what version you are on, and if SAP has provided support for this in the latest SPs.
HTTP_AAE Adapater - using of dynamic url parame... | SCN
If HTTP_AAE approach can't work for you, you can use the SOAP adapter - check ASMA and "Do not use SOAP envelope"
Here is a snippet of the code you can use in a UDF for your message mapping.
//write your code here
// UDF body: appid, street, city and zip are the UDF's input arguments. The built URL is
// written into the adapter-specific attribute TServerLocation, which the receiver SOAP
// channel (ASMA + variable transport binding enabled) uses as its target URL.
DynamicConfiguration conf = (DynamicConfiguration)container
.getTransformationParameters()
.get(StreamTransformationConstants.DYNAMIC_CONFIGURATION);
DynamicConfigurationKey key = DynamicConfigurationKey.create("http://sap.com/xi/XI/System/SOAP", "TServerLocation");
String url = "http://local.yahooapis.com/MapsService/V1/mapImage?appid=" + appid + "--&street=" + street + "&city=" + city + "&zip=" + zip;
conf.put(key, url);
return appid;
Rgds
Eng Swee
T61 wireless can't connect with authentication key enabled
Hello all,
I have a new Thinkpad T61 that will properly connect to my wireless network when the router is configured as unsecured but CANNOT connect when I set up a network key. In my router config I have tried using both the WPA-PSK and WPA2-PSK authentications. I enter a 9 character network key made up of ordinary numbers that is accepted by the router, and save settings. The other settings on the screen are:
WPA Group Rekey Interval = 0
WPA Encryption = AES
WEP Encryption = Disabled
In the Windows wireless interface I select the network, type in the key, and get to the “acquiring network address” stage but no further. The connection window shows that packets are being sent and received. As soon as I go back to my router config and set it as unsecured, the wireless connects no problem. I have tested another laptop on the network with a passkey and it connected without any problems.
Occasionally when I am tinkering with the wireless settings (especially after clicking on the wireless tray icon) the system locks and I have to reboot. Before the reboot I get a program “not responding” dialog box where it asks me to end explorer.exe and a program called CiceroUIWndFrame.exe
The system came pre-loaded with Linux but I’ve changed to XP Pro. I have done all Windows updates, through SP3 and re-installed the driver for the network adapter 7kwc50ww.exe (I hope correctly??). I am using Windows to configure wireless, but thinkvantage ver. 4.52 is also running. I tried disabling Windows networking and configuring through thinkvantage, but this fails also.
I have called tech support on my DSL company but they are out of ideas and think it is my router but I am doubtful because it was working fine before I got the new machine, and it worked on the other laptop. I think something must have gone wrong in the XP install.
Any ideas??
Cheers,
Will
A quick and dirty test would be to completely uninstall Access Connections and try using just the Windows Wireless Zero Configuration. In my personal opinion, unless you are using multiple wireless configs at multiple locations the ThinkVantage software is overkill. Also, if you search the board, you will find multiple instances of SP3 wrecking wireless. Let us know if this helps.
T520 4239-CTO
T61/p 6459-CTO (Gone but not forgotten)
A31/p XP Pro 1 gig memory
A30/p XP Pro 1 gig memory
TP600 Win 2K 288 mb memory
701C Win 98 Don't ask
Authentication Key Management - 802.1X grayed out
Hi, trying to set up machine authentication on a WLC (code 7.x) using 802.1X but my option for this under wlan settings/Layer2 is grayed out. Only PSK and FT PSK are available. We are running Microsoft AD and the computers I'd like to authenticate are part of a domain.
Wondering do i need to have AD CA certificate installed on WLC to get this option available?
Appreciate your assistance.
Thanks
Sometimes it happens. For configuration help you can see the below link
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807f42e9.shtml#auth-8201
Open Authentication for Wireless Access
Hello,
The standalone implementation of an existing wireless network is configured as Open Authentication with a TKIP Cipher. The client key management is set to WPA PSK.
What exactly is the authentication for? I see that MAC and EAP are available options. Would these options be used to block or authorize the actual wireless devices that connect to the AP?
The next thing I see is Client Authenticated Key management and I am using WPA PSK. What exactly happens once I enter this PSK from the client? Is it only used to encrypt the data?
Thanks,
Kevin
Hi Kevin,
Using WPA we can configure either Enterprise or pre-shared key.. Enterprise comprises EAP and pre-shared key is just the PSK..
If we are using EAP then auth will be done by the RADIUS and the encryption will still be TKIP.. Now coming back to PSK, this is a shared key which will authenticate the users locally...
EAP is more secure auth compared to PSK..
Now regarding the "auth open" line.. see, there are 2 kinds of auth in 802.11.. here while using wireless we need to auth twice, dot11 authentication followed by the PSK or EAP auth.. the auth open statement will force us to get the dot11 auth successful and then we move towards the needed auth like PSK or EAP.. and the other is Shared auth, which is very similar to WEP using open auth!!
In a nutshell we have 3 kinds of auth..
1> open - Dot11 auth
2> Shared - Nothing but WEP
3> 802.1X suite - EAP
again, the below link may give you some insights as well!!
http://www.cisco.com/en/US/docs/wireless/access_point/12.2_13_JA/configuration/guide/s13auth.html#wp1035025
Lemme know if this answered your question and please don't forget to rate the useful posts!!
Regards
Surendra
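As an added illustration of Kevin's question about what the PSK is actually used for (this code is not from the thread or from Cisco): both the AP and the client turn passphrase + SSID into the PMK, expand it with the handshake nonces into the PTK, and the MIC on 4-way handshake message 2 is what authenticates the client without the PSK ever being sent; the TK slice of the same PTK is what then encrypts data frames. MAC addresses, nonces and the EAPOL-Key stand-in are constructed.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).
    With a pre-shared key this PSK is used directly as the Pairwise Master Key (PMK)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               nbytes: int = 64) -> dict:
    """Expand the PMK into the Pairwise Transient Key. nbytes is 64 for TKIP (PRF-512,
    the cipher in the question) and 48 for CCMP (PRF-384); either way the first three
    128-bit slices are KCK (handshake integrity), KEK (key wrapping), TK (data encryption)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, nbytes)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_key_mic(kck: bytes, frame: bytes, version: int) -> bytes:
    """MIC over an EAPOL-Key frame whose MIC field is zeroed.
    Key descriptor version 1 (WPA/TKIP): HMAC-MD5; version 2 (WPA2/AES): HMAC-SHA1-128."""
    if version == 1:
        return hmac.new(kck, frame, hashlib.md5).digest()
    if version == 2:
        return hmac.new(kck, frame, hashlib.sha1).digest()[:16]
    raise ValueError("unsupported key descriptor version")


def simulate_handshake(ssid: str, ap_passphrase: str, sta_passphrase: str,
                       version: int = 1) -> tuple:
    """Model message 2 of the 4-way handshake. Returns (accepted, same_tk):
    accepted - the AP's recomputed MIC matches the station's, i.e. the station proved
               knowledge of the PSK without sending it;
    same_tk  - both sides ended up with the same temporal key for data frames."""
    # Constructed addresses and nonces; in a real association the nonces are random
    # and ANonce / SNonce travel in handshake messages 1 and 2.
    aa = bytes.fromhex("020000000001")     # AP (authenticator) MAC, constructed
    spa = bytes.fromhex("020000000002")    # station (supplicant) MAC, constructed
    anonce = hashlib.sha256(b"constructed ANonce").digest()
    snonce = hashlib.sha256(b"constructed SNonce").digest()

    # Each side derives its own PTK from its own copy of the passphrase.
    ap_ptk = derive_ptk(pmk_from_passphrase(ap_passphrase, ssid), aa, spa, anonce, snonce)
    sta_ptk = derive_ptk(pmk_from_passphrase(sta_passphrase, ssid), aa, spa, anonce, snonce)

    # Stand-in for the EAPOL-Key message 2 body: key info, SNonce, zeroed MIC field.
    msg2 = b"\x01\x0a" + snonce + bytes(16)
    sta_mic = eapol_key_mic(sta_ptk["kck"], msg2, version)
    ap_mic = eapol_key_mic(ap_ptk["kck"], msg2, version)
    accepted = hmac.compare_digest(sta_mic, ap_mic)
    return accepted, ap_ptk["tk"] == sta_ptk["tk"]
```

A wrong passphrase fails at the MIC check before any data frame is exchanged, which is why PSK strength matters for authentication as much as for confidentiality.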
PHP external authentication issue
Trying to login to AFCS connection using external authentication.
The PHP file generates a key correctly and everything seems to be fine up until I get to using the key inside Flex.
at the login stage i get the following error in the console trace from the library login call
As far as i can tell everything is right... how can i tell what is wrong with the authentication key?
AFCS Beta Build # : 1.1
requestInfo https://connectnow.acrobat.com/{roomname}?exx=eDp7dXRmOF9lbmNvZGUoZGFyaXVzKX06OmRtOmFnZW50ZG06aHR0cHM6Ly9jb25uZWN0bm93LmF jcm9iYXQuY29tL2hpaW50ZXJmYWNlL2RtOjEwMDo4N2NmNWUwMjIzZTVhMmFkYzI2MmY4MDVlNWJmMWVlM2Y4OTJlY 2Qx&mode=xml&x=0.2519759591668844
#THROWING ERROR# bad authentication key
There are a few mistakes in the key. There is some PHP 'code' in it (wrong string expansion?) and you are using a full URL instead of the room name.
If you want more details send me a private message, but you should check the way you call the get authentication token method.
Machine authentication in Aironet
I'm trying to authenticate laptops to Active Directory before joining the wireless AP (Aironet 1240A).
I'm using EAP in the AP
and PEAP with certificates in NPS.
I'm forcing laptops to use "computer authentication" through a GPO.
Certificates are already deployed to all machines.
The policy is configured in NPS with a "machine group" condition.
The problem I'm facing is that some laptops are authenticated successfully while the others are not.
All machines are using Windows 7 and are located in the same Active Directory OU (same GPO applied).
Here is what I saw in the AP after enabling debug radius authentication
the working machines
*Mar 4 20:25:34.125: RADIUS/ENCODE(00000009):Orig. component type = DOT11
*Mar 4 20:25:34.125: RADIUS: AAA Unsupported Attr: ssid [265] 9
*Mar 4 20:25:34.126: RADIUS: 63 6F 72 70 6F 72 61 [corpora]
*Mar 4 20:25:34.126: RADIUS: AAA Unsupported Attr: interface [157] 3
*Mar 4 20:25:34.126: RADIUS: 32 [2]
*Mar 4 20:25:34.126: RADIUS(00000009): Config NAS IP: X.Y.64.229
*Mar 4 20:25:34.126: RADIUS/ENCODE(00000009): acct_session_id: 8
*Mar 4 20:25:34.126: RADIUS(00000009): Config NAS IP: X.Y.64.229
*Mar 4 20:25:34.126: RADIUS(00000009): sending
*Mar 4 20:25:34.127: RADIUS(00000009): Send Access-Request to X.Y.64.30:1812 id 1645/8, len 160
*Mar 4 20:25:34.127: RADIUS: authenticator AC E6 88 FF CD B5 F3 CE - EA 56 67 37 2F 72 B5 C5
*Mar 4 20:25:34.127: RADIUS: User-Name [1] 23 "host/FADI-LT.domain.com"
*Mar 4 20:25:34.127: RADIUS: Framed-MTU [12] 6 1400
*Mar 4 20:25:34.128: RADIUS: Called-Station-Id [30] 16 "0027.0c68.1dc0"
*Mar 4 20:25:34.128: RADIUS: Calling-Station-Id [31] 16 "0811.9699.ba30"
*Mar 4 20:25:34.128: RADIUS: Service-Type [6] 6 Login [1]
*Mar 4 20:25:34.128: RADIUS: Message-Authenticato[80] 18
*Mar 4 20:25:34.128: RADIUS: 1C 45 ED 5A 5D 1E DA 88 73 E5 D3 16 9F A2 62 A9 [?E?Z]???s?????b?]
*Mar 4 20:25:34.128: RADIUS: EAP-Message [79] 28
*Mar 4 20:25:34.128: RADIUS: 02 02 00 1A 01 68 6F 73 74 2F 46 41 44 49 2D 4C [?????host/FADI-L]
*Mar 4 20:25:34.129: RADIUS: 54 2E 61 64 61 73 69 2E 61 65 [T.domain.com]
*Mar 4 20:25:34.129: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Mar 4 20:25:34.129: RADIUS: NAS-Port [5] 6 263
*Mar 4 20:25:34.129: RADIUS: NAS-Port-Id [87] 5 "263"
*Mar 4 20:25:34.129: RADIUS: NAS-IP-Address [4] 6 10.10.64.229
*Mar 4 20:25:34.129: RADIUS: Nas-Identifier [32] 4 "AP"
*Mar 4 20:25:34.166: RADIUS: Received from id 1645/8 10.10.64.30:1812, Access-Challenge, len 90
*Mar 4 20:25:34.167: RADIUS: authenticator 36 94 18 74 91 6F AA 0E - D4 D7 DC 48 A8 53 43 68
*Mar 4 20:25:34.167: RADIUS: Session-Timeout [27] 6 30
*Mar 4 20:25:34.167: RADIUS: EAP-Message [79] 8
*Mar 4 20:25:34.167: RADIUS: 01 03 00 06 0D 20 [????? ]
*Mar 4 20:25:34.167: RADIUS: State [24] 38
the non working machines
*Mar 4 20:26:18.949: RADIUS/ENCODE(0000000A):Orig. component type = DOT11
*Mar 4 20:26:18.949: RADIUS: AAA Unsupported Attr: ssid [265] 9
*Mar 4 20:26:18.949: RADIUS: 63 6F 72 70 6F 72 61 [corpora]
*Mar 4 20:26:18.949: RADIUS: AAA Unsupported Attr: interface [157] 3
*Mar 4 20:26:18.949: RADIUS: 32 [2]
*Mar 4 20:26:18.949: RADIUS(0000000A): Config NAS IP: X.Y.64.229
*Mar 4 20:26:18.950: RADIUS/ENCODE(0000000A): acct_session_id: 9
*Mar 4 20:26:18.950: RADIUS(0000000A): Config NAS IP: X.Y.64.229
*Mar 4 20:26:18.950: RADIUS(0000000A): sending
*Mar 4 20:26:18.950: RADIUS(0000000A): Send Access-Request to X.Y.64.30:1812 id 1645/11, len 150
*Mar 4 20:26:18.951: RADIUS: authenticator 17 64 A0 78 8E 49 12 7C - 79 8A 55 17 79 1F D5 A1
*Mar 4 20:26:18.951: RADIUS: User-Name [1] 18 "domain\username"
*Mar 4 20:26:18.951: RADIUS: Framed-MTU [12] 6 1400
*Mar 4 20:26:18.951: RADIUS: Called-Station-Id [30] 16 "0027.0c68.1dc0"
*Mar 4 20:26:18.951: RADIUS: Calling-Station-Id [31] 16 "0022.faf1.9258"
*Mar 4 20:26:18.951: RADIUS: Service-Type [6] 6 Login [1]
*Mar 4 20:26:18.951: RADIUS: Message-Authenticato[80] 18
*Mar 4 20:26:18.951: RADIUS: 06 FC 55 89 6D 45 AA E5 8A 73 73 2C 82 87 28 BA [??U?mE???ss,??(?]
*Mar 4 20:26:18.952: RADIUS: EAP-Message [79] 23
*Mar 4 20:26:18.952: RADIUS: 02 02 00 15 01 41 44 41 53 49 5C 66 61 64 69 2E [?????domain\user]
*Mar 4 20:26:18.952: RADIUS: 61 64 6D 69 6E [name]
*Mar 4 20:26:18.952: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Mar 4 20:26:18.952: RADIUS: NAS-Port [5] 6 264
*Mar 4 20:26:18.952: RADIUS: NAS-Port-Id [87] 5 "264"
*Mar 4 20:26:18.952: RADIUS: NAS-IP-Address [4] 6 X.Y.64.229
*Mar 4 20:26:18.953: RADIUS: Nas-Identifier [32] 4 "AP"
*Mar 4 20:26:18.980: RADIUS: Received from id 1645/11 X.Y.64.30:1812, Access-Challenge, len 90
*Mar 4 20:26:18.980: RADIUS: authenticator 54 84 DD 91 72 03 E9 08 - EA 61 C0 B3 B5 D6 9A 42
*Mar 4 20:26:18.981: RADIUS: Session-Timeout [27] 6 30
*Mar 4 20:26:18.981: RADIUS: EAP-Message [79] 8
*Mar 4 20:26:18.981: RADIUS: 01 03 00 06 0D 20 [????? ]
*Mar 4 20:26:18.981: RADIUS: State [24] 38
*Mar 4 20:26:18.981: RADIUS: 15 D3 02 D9 00 00 01 37 00 01 02 00 0A 0A 40 1E [???????7??????@?]
*Mar 4 20:26:18.982: RADIUS: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 [????????????????]
*Mar 4 20:26:18.982: RADIUS: 55 9E B9 77 [U??w]
*Mar 4 20:26:18.982: RADIUS: Message-Authenticato[80] 18
*Mar 4 20:26:18.982: RADIUS: 1A EC 06 E6 E0 46 C4 06 15 87 E9 26 30 49 63 47 [?????F?????&0IcG]
*Mar 4 20:26:18.983: RADIUS(0000000A): Received from id 1645/11
*Mar 4 20:26:18.983: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
*Mar 4 20:26:18.986: RADIUS/ENCODE(0000000A):Orig. component type = DOT11
*Mar 4 20:26:18.986: RADIUS: AAA Unsupported Attr: ssid [265] 9
*Mar 4 20:26:18.986: RADIUS: 63 6F 72 70 6F 72 61 [corpora]
*Mar 4 20:26:18.987: RADIUS: AAA Unsupported Attr: interface [157] 3
*Mar 4 20:26:18.987: RADIUS: 32 [2]
*Mar 4 20:26:18.987: RADIUS(0000000A): Config NAS IP: X.Y..64.229
*Mar 4 20:26:18.987: RADIUS/ENCODE(0000000A): acct_session_id: 9
*Mar 4 20:26:18.987: RADIUS(0000000A): Config NAS IP: X.Y..64.229
*Mar 4 20:26:18.987: RADIUS(0000000A): sending
*Mar 4 20:26:18.988: RADIUS(0000000A): Send Access-Request to 10.10.64.30:1812 id 1645/12, len 173
*Mar 4 20:26:18.988: RADIUS: authenticator 37 26 0B EC 12 5D 6A E5 - 22 1A 27 4A B0 5B E2 AA
*Mar 4 20:26:18.988: RADIUS: User-Name [1] 18 "domain\username"
*Mar 4 20:26:18.988: RADIUS: Framed-MTU [12] 6 1400
*Mar 4 20:26:18.988: RADIUS: Called-Station-Id [30] 16 "0027.0c68.1dc0"
*Mar 4 20:26:18.988: RADIUS: Calling-Station-Id [31] 16 "0022.faf1.9258"
*Mar 4 20:26:18.988: RADIUS: Service-Type [6] 6 Login [1]
*Mar 4 20:26:18.988: RADIUS: Message-Authenticato[80] 18
*Mar 4 20:26:18.989: RADIUS: 3D 11 05 D8 6E DF 92 2B 51 EC BA BA FB C4 10 5F [=???n??+Q??????_]
*Mar 4 20:26:18.989: RADIUS: EAP-Message [79] 8
*Mar 4 20:26:18.989: RADIUS: 02 03 00 06 03 19 [??????]
*Mar 4 20:26:18.989: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Mar 4 20:26:18.989: RADIUS: NAS-Port [5] 6 264
*Mar 4 20:26:18.989: RADIUS: NAS-Port-Id [87] 5 "264"
*Mar 4 20:26:18.989: RADIUS: State [24] 38
*Mar 4 20:26:18.990: RADIUS: 15 D3 02 D9 00 00 01 37 00 01 02 00 0A 0A 40 1E [???????7??????@?]
*Mar 4 20:26:18.990: RADIUS: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 [????????????????]
*Mar 4 20:26:18.990: RADIUS: 55 9E B9 77 [U??w]
*Mar 4 20:26:18.990: RADIUS: NAS-IP-Address [4] 6 X.Y.64.229
*Mar 4 20:26:18.990: RADIUS: Nas-Identifier [32] 4 "AP"
*Mar 4 20:26:18.992: RADIUS: Received from id 1645/12 10.10.64.30:1812, Access-Reject, len 44
*Mar 4 20:26:18.992: RADIUS: authenticator 76 30 DF F4 7A 36 AC E7 - 20 AA 83 C1 05 8B 62 EC
*Mar 4 20:26:18.992: RADIUS: EAP-Message [79] 6
*Mar 4 20:26:18.993: RADIUS: 04 03 00 04 [????]
*Mar 4 20:26:18.993: RADIUS: Message-Authenticato[80] 18
*Mar 4 20:26:18.993: RADIUS: FD 21 74 AF A8 7F A1 A5 9E CE 3A 35 45 DA EA C9 [?!t???????:5E???]
*Mar 4 20:26:18.993: RADIUS(0000000A): Received from id 1645/12
*Mar 4 20:26:18.994: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
*Mar 4 20:26:18.994: %DOT11-7-AUTH_FAILED: Station 0022.faf1.9258 Authentication failed
Obviously the machines that send the machine name (host\machinename) are authenticated successfully
and the machines that send a username (domain\username) are not authenticated successfully.
Now
I tested those unsuccessful machines on a wired dot1x switch using the same NPS policy; they were sending their machine names instead of usernames and they were authenticated successfully.
I suspected that this is maybe because of the AP config
here it is
Current configuration : 2662 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname AP
enable secret 5 $1$gtul$Uhe4qVAC8GN0drownggAb0
aaa new-model
aaa group server radius rad_eap
server X.Y.64.30 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
ip domain name domain
dot11 ssid corporate
vlan 64
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa version 2
mbssid guest-mode
dot11 network-map
power inline negotiation prestandard source
username Cisco password 7 13261E010803
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
encryption vlan 64 mode ciphers aes-ccm
ssid corporate
mbssid
station-role root
interface Dot11Radio0.64
encapsulation dot1Q 64 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
interface FastEthernet0.64
encapsulation dot1Q 64 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address X.Y.64.229 255.255.255.0
no ip route-cache
ip default-gateway X.Y.64.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
snmp-server community cable RO
snmp-server enable traps tty
radius-server attribute 32 include-in-access-req format %h
radius-server host X.Y.64.30 auth-port 1812 acct-port 1813 key 7 104F0D18161E2D1E0D071538212B213036
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 5 15
end
Hi,
You will need to be more specific so we can help you.
What exactly is happening/not working?
Please keep in mind that with MAR, the PC needs to do machine authentication prior to user login, as the ACS will only allow users to login from previously authenticated machines.
Is your PC doing machine authentication?
HTH,
Tiag
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
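As an added example (not code from the thread), a small parser that turns the debug radius authentication output posted above into one row per RADIUS session: it records the presented identity, classifies it as a machine account (host/...) or a user logon (DOMAIN\user), and tracks the last response code and the DOT11 failure line per station. The embedded sample is a constructed, trimmed excerpt of the lines above, and the regexes assume the Cisco IOS AP debug format shown there.

```python
import re
from dataclasses import dataclass

# Constructed excerpt, trimmed from the debug output in the thread above
# (two sessions: one presenting a machine identity, one a user identity).
SAMPLE_DEBUG = """\
*Mar 4 20:25:34.127: RADIUS(00000009): Send Access-Request to X.Y.64.30:1812 id 1645/8, len 160
*Mar 4 20:25:34.127: RADIUS: User-Name [1] 23 "host/FADI-LT.domain.com"
*Mar 4 20:25:34.128: RADIUS: Calling-Station-Id [31] 16 "0811.9699.ba30"
*Mar 4 20:25:34.166: RADIUS: Received from id 1645/8 X.Y.64.30:1812, Access-Challenge, len 90
*Mar 4 20:26:18.950: RADIUS(0000000A): Send Access-Request to X.Y.64.30:1812 id 1645/11, len 150
*Mar 4 20:26:18.951: RADIUS: User-Name [1] 18 "domain\\username"
*Mar 4 20:26:18.951: RADIUS: Calling-Station-Id [31] 16 "0022.faf1.9258"
*Mar 4 20:26:18.980: RADIUS: Received from id 1645/11 X.Y.64.30:1812, Access-Challenge, len 90
*Mar 4 20:26:18.988: RADIUS(0000000A): Send Access-Request to X.Y.64.30:1812 id 1645/12, len 173
*Mar 4 20:26:18.988: RADIUS: User-Name [1] 18 "domain\\username"
*Mar 4 20:26:18.992: RADIUS: Received from id 1645/12 X.Y.64.30:1812, Access-Reject, len 44
*Mar 4 20:26:18.994: %DOT11-7-AUTH_FAILED: Station 0022.faf1.9258 Authentication failed
"""

SEND = re.compile(r"RADIUS\((?P<sess>[0-9A-Fa-f]+)\): Send Access-Request to \S+ id (?P<rid>\d+/\d+)")
ATTR = re.compile(r'RADIUS:\s+(?P<name>[A-Za-z-]+)\s*\[\d+\]\s+\d+\s+"(?P<val>[^"]*)"')
RECV = re.compile(r"RADIUS: Received from id (?P<rid>\d+/\d+) \S+, (?P<code>Access-[A-Za-z]+)")
FAIL = re.compile(r"%DOT11-7-AUTH_FAILED: Station (?P<mac>[0-9a-fA-F.]+)")


@dataclass
class Session:
    session_id: str
    user_name: str = ""
    station: str = ""
    last_code: str = ""          # last RADIUS response code seen for this session
    dot11_failed: bool = False   # a DOT11 AUTH_FAILED line named this station


def parse_radius_debug(text: str) -> dict:
    """Group the per-line debug output into sessions keyed by the AP's session id.
    Attribute lines carry no id, so they attach to the most recent Send Access-Request;
    responses are matched to a session through the request id 'nnnn/n'."""
    sessions, by_request, current = {}, {}, None
    for line in text.splitlines():
        if m := SEND.search(line):
            current = sessions.setdefault(m["sess"], Session(m["sess"]))
            by_request[m["rid"]] = current
        elif (m := ATTR.search(line)) and current is not None:
            if m["name"] == "User-Name":
                current.user_name = m["val"]
            elif m["name"] == "Calling-Station-Id":
                current.station = m["val"]
        elif (m := RECV.search(line)) and m["rid"] in by_request:
            by_request[m["rid"]].last_code = m["code"]
        elif m := FAIL.search(line):
            for s in sessions.values():
                if s.station == m["mac"]:
                    s.dot11_failed = True
    return sessions


def identity_kind(user_name: str) -> str:
    """Machine authentication presents 'host/<computer>'; a user logon presents
    'DOMAIN\\user' or 'user@realm'."""
    if user_name.lower().startswith("host/"):
        return "machine"
    if "\\" in user_name or "@" in user_name:
        return "user"
    return "unknown"


def summarize(text: str) -> list:
    """One dict per session, in the order the AP opened them."""
    return [{"session": s.session_id, "station": s.station, "identity": s.user_name,
             "kind": identity_kind(s.user_name), "last_code": s.last_code,
             "dot11_failed": s.dot11_failed}
            for s in parse_radius_debug(text).values()]


def stations_without_machine_auth(text: str) -> list:
    """Stations whose EAP identity was not a machine account: the condition the
    thread associates with the clients that end in Access-Reject."""
    return [r["station"] for r in summarize(text) if r["kind"] != "machine"]
```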
Hi All,
Would you be able to help me in understanding if OSB/WebLogic (11.1.1.7) can support multiple private keys in the domain to enable 2-way SSL W/S calls?
Solution walk-through :
A 3rd Party Web Service is only accessible via 2-way SSL http channel. To achieve this, OSB is required to use the private key which is issued by 3rd party. This private key and 3rd party root certificate (CA) need to be installed into OSB’s keystore which is based on Java Keystore format.
The private key (issued by 3rd Party) will be used by OSB for identity signature. This private key is bound to IP address of the OSB machine calling the 3rd Party web service. Also, 3rd Party root certificate (CA) will be used by OSB to verify the identity of 3rd Party web service.
Given the private key is used as the identity of the system and should be guarded closely by the target system, we believe this approach needs to be reviewed and assessed accordingly.
Limitations and drawbacks with the current solution :
1. The private key of OSB system is issued and controlled by an external application vendor.
2. OSB is enforced to use this private key and its signature algorithm for other external parties’ interactions. The current client certificate issued by 3rd Party is X509v3 certificate which uses RSA, with a 2048-bit key size, signed with a SHA-512 hash.
3. The SSL is self-signed, not signed by a publicly trusted cert provider (i.e. VeriSign)
4. Extra dependency on external vendor systems as the key provider. Currently, the keys are bound to server IP address; any changes to the production environment, (i.e. adding new nodes) will require a new key to be generated by 3rd Party system. In case 3rd Party is no more used in the future, the keys can no longer be generated.
Conclusion : OSB does not support multiple PKIs (Public Key Infrastructure), which is a mapping mechanism that OSB uses to provide its certificate for SSL connections to the server. Multiple private keys require multiple PKIs, which OSB does not handle.
So, do you agree that OSB/WebLogic (11.1.1.7) could not support multiple private keys issued by more than one 3rd party vendor?
Thanks,
Kunal Singh
Hi Kunal,
Although it is recommended to have 1 key pair for 1 identity store, as it represents the unique identity of your domain, you can:
import multiple key-pairs in your identity store
Configure PKI credential mapper to use reference of identity store consisting of multiple keys
When in your OSB project you create a Service Key Provider (SKP), it loads all the private keys present in the identity store referred to by the PKI mapper. It will browse both the keys.
Depending on your requirement, you can choose a different key pair for different SKPs for the "Client Authentication key" section (for SSL) and "Signature key" for DigiSign.
Please let me know if I understood your query correctly and the above helps.
Regards,
Ankit
Cisco Wireless AP 2602 - Web Authentication/Pass NOT working?
Product/Model Number:
AIR-CAP2602E-A-K9
Top Assembly Serial Number:
System Software Filename:
ap3g2-k9w7-xx.152-4.JB3a
System Software Version:
15.2(4)JB3a
Bootloader Version:
BOOTLDR: C2600 Boot Loader (AP3G2-BOOT-M) LoaderVersion 12.4(25e)JA1, RELEASE SOFTWARE (fc1)
When the "Web Authentication/Pass" option is checked, it is totally inaccessible to the internal or external network, any clue/advice?
Thanks in advance.
Thanks, seems I missed the RADIUS part; after I did that it's still no luck, here is some tech support info, are you able to help?
------------------ show version ------------------
Cisco IOS Software, C2600 Software (AP3G2-K9W7-M), Version 15.2(4)JB3a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 23-Dec-13 08:11 by prod_rel_team
ROM: Bootstrap program is C2600 boot loader
BOOTLDR: C2600 Boot Loader (AP3G2-BOOT-M) LoaderVersion 12.4(25e)JA1, RELEASE SOFTWARE (fc1)
WuGa-CiscoAP uptime is 3 days, 19 minutes
System returned to ROM by power-on
System restarted at 23:18:39 +0800 Mon Feb 10 2014
System image file is "flash:/ap3g2-k9w7-mx.152-4.JB3a/ap3g2-k9w7-xx.152-4.JB3a"
Last reload reason:
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
cisco AIR-SAP2602E-A-K9 (PowerPC) processor (revision A0) with 204790K/57344K bytes of memory.
Processor board ID FGL1650Z5X3
PowerPC CPU at 800Mhz, revision number 0x2151
Last reset from power-on
1 Gigabit Ethernet interface
2 802.11 Radios
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: E0:2F:6D:A3:4D:0B
Part Number : 73-14511-02
PCA Assembly Number : 800-37898-01
PCA Revision Number : A0
PCB Serial Number : FOC164889AN
Top Assembly Part Number : 800-38357-01
Top Assembly Serial Number : FGL1650Z5X3
Top Revision Number : A0
Product/Model Number : AIR-CAP2602E-A-K9
Configuration register is 0xF
------------------ show running-config ------------------
Building configuration...
Current configuration : 5276 bytes
! Last configuration change at 23:36:14 +0800 Thu Feb 13 2014
! NVRAM config last updated at 23:36:14 +0800 Thu Feb 13 2014
! NVRAM config last updated at 23:36:14 +0800 Thu Feb 13 2014
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname WuGa-CiscoAP
logging rate-limit console 9
enable secret 5
aaa new-model
aaa group server tacacs+ tac_admin
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login webauth group radius
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login web_list group radius
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
clock timezone +0800 8 0
no ip cef
ip admission name webpass consent
ip admission name webauth proxy http
ip admission name webauth method-list authentication web_list
ip admission name web_auth proxy http
ip admission name web_auth method-list authentication web_list
ip admission name web-auth proxy http
ip admission name web-auth method-list authentication web_list
ip name-server 8.8.8.8
dot11 syslog
dot11 vlan-name GuestVLAN vlan 2
dot11 vlan-name InternalVLAN vlan 1
dot11 ssid Guest
vlan 2
web-auth
authentication open
mbssid guest-mode
dot11 ssid WuGa-6
vlan 1
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 0211115C0A555C721F1D5A4A5644
dot11 ssid WuGa-60
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 03084C070900721F1D5A4A56444158
dot11 guest
username wuga lifetime 360 password 7 030D5704100A36594908
username Cisco privilege 15 password 7
bridge irb
interface Dot11Radio0
no ip address
encryption mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
ssid Guest
ssid WuGa-6
antenna gain 2
stbc
mbssid
speed basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23.
channel 2452
station-role root
dot11 dot11r pre-authentication over-air
dot11 dot11r reassociation-time value 500
ip admission web-auth
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
ip admission webauth
interface Dot11Radio1
no ip address
encryption mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
ssid WuGa-60
antenna gain 4
peakdetect
no dfs band block
stbc
speed basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23.
power local 5
channel width 40-above
channel dfs
station-role root
dot11 dot11r pre-authentication over-air
dot11 dot11r reassociation-time value 500
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface GigabitEthernet0
no ip address
duplex auto
speed 1000
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet0.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 spanning-disabled
no bridge-group 2 source-learning
interface BVI1
ip address 192.168.133.213 255.255.255.0
ip default-gateway 192.168.133.200
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip route 0.0.0.0 0.0.0.0 192.168.133.200
ip radius source-interface BVI1
ip access-list extended ALL
permit ip any host 0.0.0.0
permit ip any any
permit ip 0.0.0.0 255.255.255.0 any
ip access-list extended All
permit tcp any any established
permit tcp any any eq www
permit ip any any
radius-server local
nas 192.168.133.213 key 7 070C285F4D06
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
radius server 192.168.10.2
address ipv4 192.168.10.2 auth-port 1812 acct-port 1646
radius server local
address ipv4 192.168.133.213 auth-port 1812 acct-port 1813
key 7
bridge 1 route ip
line con 0
terminal-type teletype
line vty 0 4
terminal-type teletype
transport input all
sntp server 128.138.141.172
sntp broadcast client
end
Problem authenticating Wireless users with peap
Good afternoon,
I am currently trying to authenticate wireless users using PEAP and an external RADIUS server. The problem is that when I try to authenticate I get this error:
AAA/AUTHEN/PPP : Pick method list 'Permanent Local'
DOT11-7-AUTH_FAILED : Station ... Authentication failed
It shouldn't use local authentication, but the aaa server I configured.
I looked on the internet but didn't find a working solution.
Does anyone know why it is not working ?
Here is my running configuration:
Current configuration : 4276 bytes
! Last configuration change at 00:45:40 UTC Mon Mar 1 1993
! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ap
logging rate-limit console 9
enable secret 5 $1$QVC3$dIVAarlXOo52rN3ceZm1k0
aaa new-model
aaa group server radius rad_eap
server 192.168.2.2 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
no ip routing
no ip cef
dot11 syslog
dot11 ssid test
authentication open eap eap_list
authentication key-management wpa version 2
guest-mode
eap profile peap
method peap
crypto pki token default removal timeout 0
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
ssid test
antenna gain 0
stbc
beamform ofdm
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
antenna gain 0
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
dot1x pae authenticator
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface BVI1
ip address 192.168.3.10 255.255.255.0
no ip route-cache
ip default-gateway IP
ip forward-protocol nd
ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.2.2 auth-port 1812 acct-port 1813 key 7 140441081E501F0B7D
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 0 4
transport input all
end
Thank you
I haven't set up autonomous APs before, but I think I might see the problem. You are defining an authentication list called "eap_methods" but you never call for it in your SSID settings. Instead, there you call a list named "eap_list". In addition, I think you might be missing one more command. So perhaps try this:
dot11 ssid test
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa version 2
guest-mode
Hope this helps!
Thank you for rating helpful posts! -
Apple & Windows 7 Authentication Methods Cisco 1242AP EAP
Hi CSC Members,
I'm pretty new to wireless (so go easy on me): My situation is I need to be able to provide secure wireless internet access to guests with BYODs, namely Apple iPads, iPhones, Windows PCs and Apple Macs, without them being under my administrative control, namely I cannot add them to a domain, nor indeed do I want to have to interact with the user and install certificates on their machines.
I'm looking for the 'best method' to achieve this, WPA2/AES with a PSK and MAC filtering was a suggestion but I don't really want to have to audit their MAC addresses. I'm just looking for a 'quick and dirty' secure username/password combination I'm guessing. I'm not using a WLC, just one or possibly a couple of 1242 Autonomous APs. I don't want to have to personally enter a PSK on their machines either as they can easily find this out and give the password to someone else, so I need to be able to change/add user accounts and user passwords centrally NOT on their devices.
I have an example configuration below, using the Cisco 1242AP as a Local Radius WHICH WORKS for me on Apple iPads and iPhones, however I cannot for the life of me get it to work with a Windows 7 Laptop. I'm not even totally sure exactly what type of authentication I've configured (Help!!), but entering the username and password on an iDevice just works! Is it EAP-FAST? My Windows 7 client doesn't seem to support EAP-FAST, only Microsoft PEAP, which I "believe" requires a certificate or some kind of machine authentication. So I'm not sure how to access this wifi network I've created using a Windows machine. I'd prefer to use a Windows 2008 NPS Radius Server if at all possible but couldn't get it working with the 1242AP, hence I went for Local Radius as a starting point.
1) Does anyone have a sensible suggestion as to what the best solution for my needs is? (I have access to a new Windows 2008 R2 Server)
2) How do I configure a Windows 7 as well as an Apple machine to authenticate to the suggested 'best' method.
3) I'd be really grateful if someone could clarify exactly what my configuration is using for Authentication.
Thanking you in advance for your guidance and recommendations,
Mike
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Media_AP
enable secret 5 $1$k3.3$QU/yBNYeOJM7BDxzRTq1g/
aaa new-model
aaa group server radius rad_local
server 192.168.1.2 auth-port 1812 acct-port 1813
aaa authentication login eap_local group rad_local
aaa session-id common
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp pool Media_DHCP_Pool
network 192.168.1.0 255.255.255.0
default-router 192.168.1.2
dot11 syslog
dot11 ssid MediaCafe
authentication open eap eap_local
authentication network-eap eap_local
authentication key-management wpa version 2
guest-mode
infrastructure-ssid
username Cisco password 7 13261E010803
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
ssid MediaCafe
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 192.168.1.2 255.255.255.0
no ip route-cache
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
radius-server local
no authentication mac
nas 192.168.1.2 key 7 0505071C32444F1B1C010417081E013E
user sky nthash 7 013150277A52525774146B5F492646375B2F277C7300716062734455335224000A
radius-server host 192.168.1.2 auth-port 1812 acct-port 1813 key 7 11071816041A0A1E012E38212B213036
bridge 1 route ip
line con 0
line vty 0 4
end
The best scenario for guests is to have an open SSID. With autonomous APs you're sort of out of luck. With the WLC you can incorporate a splash page. That being said, you might want to look at some free hotspot software unless you want to pay for one. Here are some free ones, but you can just search around.
http://www.hotspotsystem.com/en/hotspot/free_hotspot_software.html
http://www.antamedia.com/free-hotspot/
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered" -
Cisco 1602i + Authenticating users via RADIUS?
Hello,
Our company recently purchased a Cisco 1602i standalone WAP to replace the WAP4410Ns that we were having issues with. I am now attempting to configure the RADIUS authentication, as we have a User network and a Guest connection. The Guest connection works fine, using WPA PSK. However, I can't seem to get the RADIUS authentication to work. Reading the documentation has got me a little confused, and I have tried turning on debugging (debug radius authentication, debug aaa) but those show nothing. Also, in the RADIUS server itself (Windows 2008 R2 NPS), I see nothing in the logs when I try to connect using a device or the "test aaa" command. Can someone guide me on what I'm doing wrong? I followed someone's advice on another forum and removed "authentication network-eap" from the SSID (phoenix_2), and now when I attempt to connect with a device it just asks me for a password, it doesn't prompt for a username anymore. I am very stumped. Here's the relevant config:
aaa new-model
aaa group server radius rad_eap
server 10.200.5.24
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
clock timezone EST -5 0
ip cef
ip domain name gst
dot11 syslog
dot11 vlan-name guest vlan 255
dot11 vlan-name user vlan 140
dot11 ssid phoenix_2
vlan 140
band-select
authentication open eap eap_methods
mbssid guest-mode
dot11 ssid walker_2
vlan 255
band-select
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 0353035E535879191B
interface BVI1
ip address 10.200.5.70 255.255.255.0
ip default-gateway 10.200.5.1
ip forward-protocol nd
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip route 0.0.0.0 0.0.0.0 10.200.140.1
ip route 0.0.0.0 0.0.0.0 10.200.5.1
ip radius source-interface BVI1
access-list 111 permit tcp any any neq telnet
snmp-server community G!0bal RO
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.200.5.24 key 7 01445E510E1C07032A495C0D0B0C011718190D3E2E767863
radius-server vsa send accounting
The NPS worked just fine with the WAP4410Ns, not sure why we're having so much trouble with the 1602i.
Thanks Rasika, your link worked. I had the authentication key before, but I removed it while I was trying different things. My main issue was not applying the list name to the SSID; the documentation did not make it clear that when the RADIUS server is specified using the "radius-server ...." command, the RADIUS group refers to that command when you configure the group. Once that clicked, it made sense that the method list name was specified by the RADIUS group, and that the authentication methods then referred to the RADIUS group. It was a big question mark in my head how the RADIUS server was applied to the SSID prior to reading your post.
I haven't tried the "erase startup-config" command yet, I will try that next.
Quick question, why are both authentication open and authentication network-eap needed? I would assume authentication network-eap would suffice, unless the authentication open command refers to the allowed devices and not just authentication via RADIUS? -
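The two threads above (the PEAP one and the 1602i one) fail in the same place: the chain SSID -> method list -> server group -> RADIUS server -> radio binding has a broken link (a list name the SSID uses but `aaa authentication login` never defines, or a group whose server has no `radius-server host` entry carrying the shared key). As an added example, not Cisco tooling and not either poster's code, here is a Python checker for that chain; the parser is hypothetical, covers only the commands that appear on this page, and ignores indentation because the pasted configs lost theirs. The sample configuration is constructed after the first thread's config with the shared key replaced by a placeholder.

```python
"""Check the authentication chain in a Cisco autonomous AP (Aironet IOS) config:
SSID -> method list -> server group -> RADIUS server -> radio binding.
Added example, not Cisco tooling; it covers only the commands seen on this
page and ignores indentation (the pasted configs lost theirs)."""
import re

# sub-commands that can follow 'dot11 ssid <name>' (subset used on this page)
SSID_SUBCMDS = ("vlan ", "authentication ", "guest-mode", "mbssid", "wpa-psk",
                "web-auth", "dot1x ", "infrastructure-ssid", "band-select")


def parse_ap_config(text):
    """Collect SSIDs, method lists, server groups, RADIUS hosts and radio bindings."""
    cfg = {"ssids": {}, "lists": {}, "groups": {}, "hosts": set(), "bound": set()}
    ctx = None  # ("ssid", name) | ("group", name) | ("rserver", None)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"dot11 ssid (\S+)$", line)
        if m:
            ctx = ("ssid", m.group(1))
            cfg["ssids"][m.group(1)] = {"methods": [], "psk": False, "webauth": False}
            continue
        m = re.match(r"aaa group server radius (\S+)$", line)
        if m:
            ctx = ("group", m.group(1))
            cfg["groups"].setdefault(m.group(1), [])
            continue
        if re.match(r"radius server \S+$", line):  # IOS 15.x style server block
            ctx = ("rserver", None)
            continue
        if ctx and ctx[0] == "ssid" and line.startswith(SSID_SUBCMDS):
            ssid = cfg["ssids"][ctx[1]]
            m = re.match(r"authentication (open eap|network-eap) (\S+)$", line)
            if m:
                ssid["methods"].append((m.group(1), m.group(2)))
            elif line.startswith("wpa-psk"):
                ssid["psk"] = True
            elif line == "web-auth":
                ssid["webauth"] = True
            continue
        if ctx and ctx[0] == "group" and line.startswith("server "):
            cfg["groups"][ctx[1]].append(line.split()[1])
            continue
        if ctx and ctx[0] == "rserver" and line.startswith(("address ", "key ")):
            if line.startswith("address ipv4 "):
                cfg["hosts"].add(line.split()[2])
            continue
        ctx = None  # any other command closes the open block
        m = re.match(r"aaa authentication login (\S+) (?:group (\S+)|(local))", line)
        if m:
            cfg["lists"][m.group(1)] = m.group(2) or m.group(3)
        elif line.startswith("radius-server host "):
            cfg["hosts"].add(line.split()[2])
        elif re.match(r"ssid \S+$", line):  # 'ssid X' under interface Dot11RadioN
            cfg["bound"].add(line.split()[1])
    return cfg


def audit(cfg):
    """Return human-readable findings; an empty list means the chain is consistent."""
    out = []
    for name, s in cfg["ssids"].items():
        if name not in cfg["bound"]:
            out.append(f"SSID {name}: defined but not applied under any radio interface")
        if not (s["methods"] or s["psk"] or s["webauth"]):
            out.append(f"SSID {name}: open authentication with no EAP list, PSK or web-auth")
        for mode, lst in s["methods"]:
            grp = cfg["lists"].get(lst)
            if grp is None:
                out.append(f"SSID {name}: '{mode}' names method list '{lst}' but there is "
                           f"no 'aaa authentication login {lst}'")
            elif grp != "local":
                # 'group radius' is the implicit group of every radius-server host
                servers = sorted(cfg["hosts"]) if grp == "radius" else cfg["groups"].get(grp)
                if servers is None:
                    out.append(f"list {lst}: server group '{grp}' is not defined")
                elif not servers:
                    out.append(f"list {lst}: server group '{grp}' has no 'server' entry")
                for srv in servers or ():
                    if srv not in cfg["hosts"]:
                        out.append(f"group {grp}: server {srv} has no 'radius-server host' "
                                   f"or 'radius server' definition, so no shared key")
    return out


# constructed sample after the PEAP thread above; the shared key is a placeholder
BROKEN_CONFIG = """\
aaa group server radius rad_eap
 server 192.168.2.2 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
dot11 ssid test
 authentication open eap eap_list
 authentication key-management wpa version 2
 guest-mode
dot11 ssid guest
 authentication open
interface Dot11Radio0
 ssid test
radius-server host 192.168.2.2 auth-port 1812 acct-port 1813 key 0 PLACEHOLDER-KEY
"""
# the same config with the list name corrected as the reply suggests
FIXED_CONFIG = BROKEN_CONFIG.replace(
    " authentication open eap eap_list",
    " authentication open eap eap_methods\n authentication network-eap eap_methods")

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"--- {label} ---")
        for finding in audit(parse_ap_config(text)) or ["no findings"]:
            print(" ", finding)
```

On the broken sample the checker reports the `eap_list` mismatch for SSID `test`, and flags the constructed `guest` SSID both as unbound and as an open network; on the fixed sample only the `guest` findings remain. The `authentication network-eap` line is added because the reply above adds it, not because the checker requires it: Windows-style supplicants authenticate through `authentication open eap`, while `network-eap` is for clients that use Cisco's network-EAP association.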
Aironet 2702i Autonomous - Web-Authentication with Radius Window 2008
Hi Guys,
I have a problem with this case; my sample diagram looks like this: AD(Win2008) - Radius(Win2008) - Aironet 2702i => using Web-Auth for end users.
This is my configuration file on the Aironet 2702i:
Aironet2702i#show run
Building configuration...
Current configuration : 8547 bytes
! Last configuration change at 05:08:25 +0700 Fri Oct 31 2014 by admin
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Aironet2702i
logging rate-limit console 9
aaa new-model
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login default local
aaa authentication login DTSGROUP group radius
aaa authentication login webauth group radius
aaa authentication login weblist group radius
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa session-id common
clock timezone +0700 7 0
no ip source-route
no ip cef
ip admission name webauth proxy http
ip admission name webauth method-list authentication weblist
no ip domain lookup
ip domain name dts.com.vn
dot11 syslog
dot11 activity-timeout unknown default 1000
dot11 activity-timeout client default 1000
dot11 activity-timeout repeater default 1000
dot11 activity-timeout workgroup-bridge default 1000
dot11 activity-timeout bridge default 1000
dot11 vlan-name DTSGroup vlan 46
dot11 vlan-name L6-Webauthen-test vlan 45
dot11 vlan-name NetworkL7 vlan 43
dot11 vlan-name SGCTT vlan 44
dot11 ssid DTS-Group
vlan 46
authentication open eap DTSGROUP
authentication key-management wpa version 2
mbssid guest-mode
dot11 ssid DTS-Group-Floor7
vlan 43
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 013D03104C0414040D4D5B5E392559
dot11 ssid L6-Webauthen-test
vlan 45
web-auth
authentication open
dot1x eap profile DTSGROUP
mbssid guest-mode
dot11 ssid SaigonCTT-Public
vlan 44
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 04480A0F082E424D1D0D4B141D06421224
dot11 arp-cache optional
dot11 adjacent-ap age-timeout 3
eap profile DTSGROUP
description testwebauth-radius
method peap
method mschapv2
method leap
username TRIHM privilege 15 secret 5 $1$y1J9$3CeHRHUzbO.b6EPBmNlFZ/
username ADMIN privilege 15 secret 5 $1$IvtF$EP6/9zsYgqthWqTyr.1FB0
ip ssh version 2
bridge irb
interface Dot11Radio0
no ip address
encryption vlan 44 mode ciphers aes-ccm
encryption vlan 46 mode ciphers aes-ccm
encryption mode ciphers aes-ccm
encryption vlan 43 mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
ssid DTS-Group
ssid DTS-Group-Floor7
ssid L6-Webauthen-test
ssid SaigonCTT-Public
countermeasure tkip hold-time 0
antenna gain 0
stbc
mbssid
packet retries 128 drop-packet
channel 2412
station-role root
rts threshold 2340
rts retries 128
ip admission webauth
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 subscriber-loop-control
bridge-group 43 spanning-disabled
bridge-group 43 block-unknown-source
no bridge-group 43 source-learning
no bridge-group 43 unicast-flooding
interface Dot11Radio0.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 subscriber-loop-control
bridge-group 44 spanning-disabled
bridge-group 44 block-unknown-source
no bridge-group 44 source-learning
no bridge-group 44 unicast-flooding
ip admission webauth
interface Dot11Radio0.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 subscriber-loop-control
bridge-group 45 spanning-disabled
bridge-group 45 block-unknown-source
no bridge-group 45 source-learning
no bridge-group 45 unicast-flooding
ip admission webauth
interface Dot11Radio0.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 subscriber-loop-control
bridge-group 46 spanning-disabled
bridge-group 46 block-unknown-source
no bridge-group 46 source-learning
no bridge-group 46 unicast-flooding
interface Dot11Radio1
no ip address
shutdown
encryption vlan 46 mode ciphers aes-ccm
encryption vlan 44 mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 43 mode ciphers aes-ccm
encryption vlan 45 mode ciphers ckip-cmic
ssid DTS-Group
ssid DTS-Group-Floor7
ssid SaigonCTT-Public
countermeasure tkip hold-time 0
antenna gain 0
peakdetect
dfs band 3 block
stbc
mbssid
packet retries 128 drop-packet
channel 5745
station-role root
rts threshold 2340
rts retries 128
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 subscriber-loop-control
bridge-group 43 spanning-disabled
bridge-group 43 block-unknown-source
no bridge-group 43 source-learning
no bridge-group 43 unicast-flooding
interface Dot11Radio1.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 subscriber-loop-control
bridge-group 44 spanning-disabled
bridge-group 44 block-unknown-source
no bridge-group 44 source-learning
no bridge-group 44 unicast-flooding
ip admission webauth
interface Dot11Radio1.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 subscriber-loop-control
bridge-group 45 spanning-disabled
bridge-group 45 block-unknown-source
no bridge-group 45 source-learning
no bridge-group 45 unicast-flooding
ip admission webauth
interface Dot11Radio1.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 subscriber-loop-control
bridge-group 46 spanning-disabled
bridge-group 46 block-unknown-source
no bridge-group 46 source-learning
no bridge-group 46 unicast-flooding
interface GigabitEthernet0
no ip address
duplex auto
speed auto
dot1x pae authenticator
dot1x authenticator eap profile DTSGROUP
dot1x supplicant eap profile DTSGROUP
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet0.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 spanning-disabled
no bridge-group 43 source-learning
interface GigabitEthernet0.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 spanning-disabled
no bridge-group 44 source-learning
interface GigabitEthernet0.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 spanning-disabled
no bridge-group 45 source-learning
interface GigabitEthernet0.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 spanning-disabled
no bridge-group 46 source-learning
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
interface GigabitEthernet1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet1.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 spanning-disabled
no bridge-group 43 source-learning
interface GigabitEthernet1.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 spanning-disabled
no bridge-group 44 source-learning
interface GigabitEthernet1.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 spanning-disabled
no bridge-group 45 source-learning
interface GigabitEthernet1.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 spanning-disabled
no bridge-group 46 source-learning
interface BVI1
mac-address 58f3.9ce0.8038
ip address 172.16.1.62 255.255.255.0
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius server 172.16.50.99
address ipv4 172.16.50.99 auth-port 1645 acct-port 1646
key 7 104A1D0A4B141D06421224
bridge 1 route ip
line con 0
logging synchronous
line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
transport input ssh
line vty 5 15
exec-timeout 0 0
privilege level 15
logging synchronous
transport input ssh
end
This is my log file on the Win 2008 RADIUS server:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: S-1-5-21-858235673-3059293199-2272579369-1162
Account Name: xxxxxxxxxxxxxxxx
Account Domain: xxxxxxxxxxx
Fully Qualified Account Name: xxxxxxxxxxxxxxxxxxx
Client Machine:
Security ID: S-1-0-0
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: -
NAS:
NAS IPv4 Address: 172.16.1.62
NAS IPv6 Address: -
NAS Identifier: Aironet2702i
NAS Port-Type: Async
NAS Port: -
RADIUS Client:
Client Friendly Name: Aironet2702i
Client IP Address: 172.16.1.62
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: DTSWIRELESS
Authentication Provider: Windows
Authentication Server: xxxxxxxxxxxxxx
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
So I will explain the problems I have seen:
SSID DTS-Group: using EAP authentication with RADIUS, and it is working great (Authentication Type from the Aironet to RADIUS is PEAP).
SSID L6-Webauthen-test: using web-auth, and I tried to combine it with RADIUS, but the ROOT CAUSE is that the AUTHENTICATION TYPE from the Aironet to RADIUS defaults to PAP (Reason Code: 66).
=> I have been trying to find how to change the Authentication Type of Web-Auth on the Cisco Aironet from PAP to PEAP or something like that to combine it with RADIUS.
Any idea or recommendation for me?
Thanks for looking at my case
Hi Dhiresh Yadav,
Many thanks for your reply,
I will explain again to clarify my problem.
In this case, I had completed setting up SSID DTS-Group using PEAP authentication combined with a RADIUS server running on Windows 2008.
I logged in to the SSID with an account created in AD => it works okay for me. Done.
The problem occurs when I try to use web authentication on VLAN 45 with this SSID:
dot11 ssid L6-Webauthen-test
vlan 45
web-auth
authentication open
dot1x eap profile DTSGROUP
mbssid guest-mode
After configuring the Aironet and the Windows RADIUS server, I tried to log in with an account created in AD via a web browser, but it fails (I see a mini popup saying "Authentication Fail"). So I went to the RADIUS server and searched the log in Event Viewer.
This is my log file on the Win 2008 RADIUS server:
Network Policy Server denied access to a user.
NAS:
NAS IPv4 Address: 172.16.1.62
NAS IPv6 Address: -
NAS Identifier: Aironet2702i
NAS Port-Type: Async
NAS Port: -
RADIUS Client:
Client Friendly Name: Aironet2702i
Client IP Address: 172.16.1.62
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: DTSWIRELESS
Authentication Provider: Windows
Authentication Server: xxxxxxxxxxxxxx
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
I think the ROOT CAUSE is:
PAP is the default authentication type for web-auth users on the Aironet 2702i, so it can't be combined with RADIUS on Windows 2008 because it only supports PEAP (CHAPv1, CHAPv2....) => Please give me a tip on how to change the Authentication Type from PAP to PEAP for Web Authentication on the Aironet -
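The NPS event the poster pasted twice above carries the two fields a RADIUS administrator triages on: the Authentication Type the NAS actually sent and the Reason Code NPS returned (66 means the method is not enabled on the matching network policy, so the request never got as far as the credentials). As an added example, not Microsoft's, Cisco's or the poster's code, here is a small Python parser and triage for that event text. The sample events are constructed after the pasted log with placeholder account fields; the second event (PEAP, reason code 16, a credential mismatch) is invented to show a different failure from the same client.

```python
"""Parse the text of Windows NPS 'denied access' events and triage them by
RADIUS client, policy, authentication type and reason code.  Added example,
not Microsoft's or the poster's code; the sample is constructed after the
log pasted above with placeholder account fields, plus one invented event."""
import re
from collections import Counter

EVENT_HEADER = "Network Policy Server denied access to a user."
# 'Field: value'; the non-greedy key stops at the first colon so values may contain colons
FIELD_RE = re.compile(r"([A-Za-z0-9 \-]+?):\s*(.*)$")

# constructed sample: event 1 mirrors the poster's (PAP, reason 66), event 2 is
# invented (PEAP, reason 16 = credential mismatch) from the same NAS
SAMPLE_LOG = """\
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: S-1-5-21-0-0-0-1162
Account Name: user1
Account Domain: EXAMPLE
NAS:
NAS IPv4 Address: 172.16.1.62
NAS Identifier: Aironet2702i
NAS Port-Type: Async
Authentication Details:
Network Policy Name: DTSWIRELESS
Authentication Type: PAP
EAP Type: -
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
Network Policy Server denied access to a user.
User:
Account Name: user2
Account Domain: EXAMPLE
NAS:
NAS IPv4 Address: 172.16.1.62
NAS Identifier: Aironet2702i
NAS Port-Type: Wireless - IEEE 802.11
Authentication Details:
Network Policy Name: DTSWIRELESS
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch.
"""


def parse_nps_events(text):
    """Split the text into events; fields are keyed 'Section/Field'."""
    events, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == EVENT_HEADER:
            cur, section = {}, None
            events.append(cur)
            continue
        m = FIELD_RE.match(line) if cur is not None else None
        if not m:
            continue  # prose lines such as 'Contact the ... administrator'
        key, value = m.group(1), m.group(2)
        if value == "":  # 'User:', 'NAS:', ... open a section
            section = key
        else:
            cur[f"{section}/{key}" if section else key] = value
    return events


def triage(events):
    """Count denials per (NAS IP, policy, auth type, reason code)."""
    counts = Counter()
    for ev in events:
        counts[(ev.get("NAS/NAS IPv4 Address", "?"),
                ev.get("Authentication Details/Network Policy Name", "?"),
                ev.get("Authentication Details/Authentication Type", "?"),
                ev.get("Authentication Details/Reason Code", "?"))] += 1
    return counts


def explain(nas, policy, auth_type, reason_code):
    """Turn one triage key into the action a RADIUS admin would take."""
    if reason_code == "66":
        return (f"policy '{policy}' does not allow {auth_type}, which NAS {nas} is sending; "
                "fix on the NPS side (allow that method for this client, ideally in a policy "
                "scoped to it) or make the NAS send a method the policy already allows")
    return f"reason {reason_code} is not a method/policy mismatch; read the Reason text"


if __name__ == "__main__":
    for key, n in triage(parse_nps_events(SAMPLE_LOG)).items():
        print(n, key, "->", explain(*key))
```

Keying the counts on the NAS address and the policy name separates "this client keeps sending a method the policy forbids" (a configuration mismatch on one side or the other) from a scatter of per-user credential failures, which is what the poster had to work out by reading the event by hand.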
Configuring a 1230 AP as a "Local Radius Authenticator"
CCO-URL: Configuring an Access Point as a Local Authenticator
http://www.cisco.com/en/US/partner/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080184a9b.html
This is the minimal config, I think:
AP# configure terminal
AP(config)# radius-server local
AP(config-radsrv)# nas 1.1.1.1 key 111
AP(config-radsrv)# group clerks
AP(config-radsrv-group)# vlan 2
AP(config-radsrv-group)# ssid batman
AP(config-radsrv-group)# reauthentication time 1800
AP(config-radsrv-group)# lockout count 2 time 600
AP(config-radsrv-group)# exit
AP(config-radsrv)# user jsmith password twain74 group clerks
AP(config-radsrv)# end
whereas 1.1.1.1 is the IP of the AP itself?
Is it a must to have additional config commands like this:
radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key 111
aaa group server radius rad_eap
server 1.1.1.1 auth-port 1812 acct-port 1813
aaa group server radius rad_admin
server 1.1.1.1 auth-port 1812 acct-port 1813
All attempts didn't work:
"station <MAC> authentication failed"
Is there anything else necessary???
You seem to be missing the following commands;
authentication network-eap eap_methods
authentication key-management cckm optional
The following commands are useful for diagnosis;
show radius local statistics
show interface dot11Radio 0 aaa client
debug dot11 aaa dot1x state
debug dot11 mgmt interface
Local authentication is designed as a fall-back service for when the primary RADIUS server fails. We do not encourage the use of Local authentication as a replacement for a RADIUS server.
* With an ACS you get Authentication, Authorization and Accounting. With Local authentication you only get Authentication.
* ACS scales, supports external user-databases, supports multiple authentication types, supports database backup and replication, etc, etc... Local authentication supports a maximum of 50 users, internal static configuration only, and LEAP only.
Following is an IOS configuration that I have tested and works on an AP1200 (should work on an 1100 too, I just haven't tested it);
· This configuration enables a single AP to do local authentication. No WDS is included for fast roaming.
· This configuration can be cut-and-pasted into an AP that has been write-erased (blank config), and it will configure all the parameters to allow a client to LEAP authenticate to it (even if no Ethernet cable is connected to it)
· Replace usernames/passwords with your own usernames/passwords
· Replace ip-addresses with the AP's IP address
· I added DHCP configuration so you can connect to a stand-alone AP with your DHCP-enabled laptop (with a profile that matches the test AP's SSID and LEAP settings).
conf t
host loc-auth-ap-name
enable secret cisco
no ip domain-lookup
line vty 0 4
password cisco
exec-timeout 0 0
login
int bvi 1
ip address 10.11.12.13 255.255.255.0
Interface dot11 0
no ssid tsunami
encryption mode ciphers ckip-cmic
ssid test-loc-auth
authentication network-eap eap_methods
authentication key-management cckm optional
ip dhcp excluded-address 10.11.12.13
ip dhcp pool temp
network 10.11.12.0 255.255.255.0
interface BVI1
ip address 10.11.12.13 255.255.255.0
no ip route-cache
aaa new-model
aaa group server radius rad_eap
! add a real AAA server (with auth-port 1645) before
! the following statement if you are configuring a
! fallback authentication service instead of a
! standalone service
server 10.11.12.13 auth-port 1812 acct-port 1646
aaa authentication login eap_methods group rad_eap
! add a real AAA server (with auth-port 1645) before
! the following statement if you are configuring a
! fallback authentication service instead of a
! standalone service
radius-server host 10.11.12.13 auth-port 1812 acct-port 1646 key 0 l0cal-key-secret
radius-server deadtime 10
dot11 holdoff-time 1
ip radius source-interface BVI1
radius-server local
nas 10.11.12.13 key 0 l0cal-key-secret
user testuser password 0 testuser-key-secret
exit
exit
wri