Bandwidth Management for Wireless Clients

Similar Messages

• Initial configuration of ACS 5.1 for EAP authentication for Wireless clients

  Hi,
  I have set-up with below devices :
  Wireless LAN controller 5508
  LAP 3302i
  and ACS 5.1
  since i am new in ACS 5.1 configuration , I need so information to go ahead to configure ACS 5.1.
  which EAP method to use for wireless client authentication ? what is the best practice ?
  I have gone through some cisco documents and it shows that best practice is to configure PEAP but for the same , I need to install certificate in ACS server as well in client PC. is that so ?
  I have no clear picture for this certificate ?
  from where i can get this certificate or do i need to purchase this certificate separately from cisco. how to install it in ACS server ?
  I will be obliged to get atleast initial configuration for ACS 5.1 to enable the EAP method,
  I need GUI based initial configuration for ACS 5.1
  This mentioned ACS 5.1 is installed on ACS 1121 hardware appliance.

  Hi,
  which EAP method to use for wireless client authentication ? what is the best practice ?
  -> I would advise the most widely spread EAP method, which has the best ratio security/easy to deploy: PEAP with MSCHAPv2, which is available by default by all windows machines.
  I  have gone through some cisco documents and it shows that best practice  is to configure PEAP but for the same , I need to install certificate in  ACS server as well in client PC. is that so ?
  -> You will always need to install a server certificate, however, there is no need for client certificate because the authentication is based on the MSCHAP credentials exchange, not certificate based. The only requirement on the client regarding certificates is the following.
  If you want to validate the server certificate, you have to install the server certificate under the trusted CAs of the clients.
  If you do not require to trust the server certificate, you can simply disable the option of server certificate validation.
  I have no clear picture for this certificate ?
  from  where i can get this certificate or do i need to purchase this  certificate separately from cisco. how to install it in ACS server ?
  -> The server certificate can be a simple self signed certificate that you generate and install on the ACS GUI.
  Please feel free to follow this step-by-step guide on
  PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server:
  http://www.cisco.com/en/US/partner/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml or in pdf
  http://www.cisco.com/image/gif/paws/112175/acs51-peap-deployment-00.pdf.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• Network printers drop for wireless clients

  I am having a serious problem with my Airport N. My Epson CF11NF (a laser all-in-one which is connected via ethernet to the Airport) is continuously disappearing for wireless clients. All the wired machines can see and print fine, but the printer becomes invisible for wireless clients. The problem is resolved by unplugging and plugging back in the Airport, but I am having to do this more than once a day, which is not acceptable.
  Has anyone experienced this problem? Any advice on what is going on? Should I return the Airport? The wireless clients are all running OSX 10.5.1. The wired clients are all running OSX 10.4. Could this be the issue?

  Others are having similar issues and symptoms, however, I've seen no solutions yet. My Airport Extreme disappears also but access to the internet is unaffected. I can also still access my iMac from my MacBook (iMac still shows up in Finder as a shared volume), however, once the AEBS drops from view I can no longer access printers on the network. (One connected to a networked PC and the other connected to the AEBS.) Both Macs are running Leopard.
  Anyway here's a link that others are using to discuss these issues. Good Luck. http://discussions.apple.com/thread.jspa?threadID=1197872

• Wireless 3850 and Web-Auth for Wireless clients

  Hi
  I can't get the web-auth feature to work properly on the Catalyst 3850 for wireless clients.
  Internet is all tested and there is full IP connectivity.
  Issue is when I enable the webauth feature on the SSID. Incidentally when I enable the SSID to use consent it works.
  I am using local authentication for the guest users.
  When user logs onto the wireless, they get to the landing page, and are able to enter the credentials then there is a 30 second pause. The client detail says WEBAUTH_PEND and then a pop up window comes back as seen below
  Config below
  interface Vlan302
  description **** Wireless Guest ****
  ip address 10.145.224.161 255.255.255.224
  ip helper-address 10.144.214.134
  ip helper-address 172.17.2.56
  ip http server
  ip http secure server
  ip dhcp snooping
  wlan XXXXX 2 XXXXXX
  aaa-override
  accounting-list default
  client vlan 302
  ip flow monitor wireless-avc-basic input
  ip flow monitor wireless-avc-basic output
  no security wpa
  no security wpa akm dot1x
  no security wpa wpa2
  no security wpa wpa2 ciphers aes
  security dot1x authentication-list WEB_AUTH
  security ft
  security web-auth
  security web-auth authentication-list WEB_AUTH
  security web-auth parameter-map vit_web
  no shutdown
  parameter-map type webauth vit_web
  type webauth
  security web-auth parameter-map vit_web
  user-name Guest1
  creation-time 1390837878
  privilege 15
  password 7 022D0156060F1B351D
  type network-user description Temp-Guest-User guest-user lifetime year 0 month 1 day 0 hour 0 minute 0 second 0
  user-name Guest2
  creation-time 1390838016
  privilege 15
  password 7 0724244143000D1145
  type network-user description Temp-Guest-User guest-user lifetime year 0 month 1 day 0 hour 0 minute 0 second 0
  aaa new-model
  aaa authentication login WEB_AUTH local
  aaa authorization network WEB_AUTH local

  Hey Greg,
  Did you also define the global webauth parameter? I think I had to do this to get my 5760 "working" or as working as these new controllers can be.
  parameter-map type webauth global
  type webauth
  virtual-ip ipv4 x.x.x.x wlc.whatever.org
  max-http-conns 50
  Also I had to enable http server in addition to secure server
  ip http server
  ip http secure-server
  Are you using a self signed cert?
  I saw windows clients take a long time to load the page when using a self signed cert.
  MAC clients dont seem to work if you use the IOS or OSX based logon. You'll need to disable the auto logon and launch a browser for the redirect. There was a bug ID around this MAC problem which was supposedly resolved in 3.3.1SE  but I still have the problem.
  -Kyle

• 4404 wireless lan controller managment via wireless clients

  I am having an issue managing a 4404 wireless lan controller via wireless clients.
  I have checked the box "enable controller management to be accessible from wireless clients" under management. For some reason that does not seem to fix the problem (page cannot be displayed). I cannot ping the controller by IP but other devices on the same subnet respond. Everything else works fine.
  I CAN manage the controller when plugged in a wired connection.
  When I do a route print it is identical wireless or wired. The route simple points to my interface. If I modify the route on my computer to actually point to our gateway instead of the interface then everything works. But why should I have to do this only for my wireless connection and not my wired to manage this box?

  Thanks for the info. I narrowed the problem down to an ARP issue.
  In order for me to connect to the controller, I run a batch file that creates a static ARP entry on my laptop. I don't have to do this for any other device except the controller. Not sure what the underlying cause is, but that works as a workaround right now.

• Bridge does not work for wireless clients - connecting to existing network.

  Hi - I really hope somebody can help out here, after hours of trial & error, I have finally given up
  I need to connect my Airport Extreme Base Station to my existing network. I have a linksys router (192.168.15.1) connected to my modem and this linksys router acts as DHCP server too.
  I suppose I have to use "bridge mode" for that to work. But should the linksys be connected to the AEBS using the AEBS's WAN or LAN port?
  If I use "bridge mode", then wired computers to the AEBS works fine - getting an IP from the linksys etc. BUT, the wireless clients will have a self-assigned IP and not get through to the internet. It's like the AEBS will not allow wireless clients to "get through" unless AEBS itself is handing out IP addresses.
  Page 36 of this manual ( http://manuals.info.apple.com/en/DesigningAirPort_Networks10.5-Windows.pdf ) shows the setup I want. But in the picture, it says "Ethernet WAN port" but the text says: "The Apple wireless device (in this example, a Time Capsule) uses your Ethernet network to communicate with the Internet through the Ethernet LAN port ( <--> )." I don't know which one to use, WAN or LAN - they show WAN but say LAN?
  When I set it up as "share an IP address", the AEBS status tells me "double nat" and to change from "shared IP" to "bridge mode". I do that, and everything seems fine - for the wired clients. Now the wireless clients cannot connect, Airport on the MacBook Pro just say "Connection failed" and the MacBook says "Invalid password" (translated from danish), even though I set the Airport Utlity to save the password in keyring, so it should be correct... If I disable wireless encryption, the wireless clients will connect but get a self-assigned IP, and therefor not work (cannot get online)...
  It seems the only way I can get wireless to work, is if I set AEBS up as DHCP, but then it won't be on the "same network" as the linksys (192.168.15.1), but rather on 10.0.x.x as I select. If I select 192.168.x.x within AEBS, I'm also getting some error messages, conflict/subnet thing.
  Anyway - I really hope somebody knows how to get wireless clients to get an IP address from existing ethernet when connected to the AEBS.
  Thanks!!

  I've given up and had to go back to running "Double NAT" which also reports as a "problem" within the AEBS, but I just "ignore" it so the light will always be green.
  It still ***** though, as "Double NAT" is also a reason for "Back to my Mac" not working properly, but how the ** am I supposed to avoid Double NAT when the wireless will not work in bridged mode?!

• Bandwidth Management for Software

  Is there a utility out there that would allow you to allocate specific amounts of bandwidth any software could use? In many download managers (such as Speed Download, Limewire, Azul, etc.) you can easily set the total amount of bandwidth and even per file download parameters. I have always been surprised that browsers such as Safari and even iTunes does not allow you to control the amount of bandwidth it is to use when downloading.
  I often find myself in situations where I need to download a large file, and yet be able to continue to surf for example, or else I would like to keep the setting in my iTunes to download podcasts automatically when I launch it. Both Safari and iTunes, will take as much bandwidth as you can throw at them which means that it can grind every other on line activity to a halt (specially when you do not have a blazing fat connection).
  Anyone know of any such software?
  Thanks.

  Shahin wrote:
  Thanks, but I don't understand what this has to do with bandwidth management? Perhaps I do not understand the capabilities of nice, but isn't nice just a way to prioritize applications and services? How would you use it to allocate bandwidth?
  By giving various jobs different priorities, the effective bandwidth is limited. If you use 100% of the bandwidth for 1% of the time and 0% of the bandwidth for 99% of the time, you are effectively giving the "niced" app only 1% of your bandwidth. And since a computer is digital, there is really no such thing as "instantaneous" bandwidth, as there is in other areas of communication.
  If you have 10 processes running and each consumes 10% of your total bandwidth, it does not matter whether the processes are time-shared or bandwidth-limited, when considered over any reasonable period of time.

• Can router dhcp different addresses to different vlans for wireless clients

  is it possible for the router to hand out different ip's to wireless clients on different vlans?

  Yes, the router needs to have a dhcp pool on each subnet and have an "interface Vlan x" for each vlan. It will then assign ips to clients in different vlans.
  One vlan per SSID.

• WRT54GX2 Wireless Security Enabled DHCP blocked for wireless clients

  Hey gang,
  My subject says it all.  Yesterday  I updated my WRT54GX2 version 1's firmware to the latest and greatest.I first reset the box, and rebooted. I updated the firmware. On the first attempt I picked the wrong image file. The machine halted and told me bad image. I then found and installed the correct image. I then added an Admin password, and entered a new SSID. I left the DHCP settings at the default. I then set wireless security at WPA Personl/WPA2 with TKIP&AES.
  I found the wired client could obtain an IP address and to connect to the internet. The wireless clients could connect, but could not obtain an IP address.
  I left the wireless security settings off.
  Any suggestions?

  The wireless security settings are correct. The wireless clients "CONNECT" to the WRT54GX2. The clients stall on obtaining an IP address via DHCP. Fixing the clients with static IP addresses also does not work.
  I repeat: The wireless clients successfully connect to the WRT54GX2. The WPA/WPA2 & TKIP/AES settings are correct. The clients cannot receive a dynamic IP address.
  On Friday I will reset the box for 30+ seconds. I doubt this will have any effect. I reset it on Tuesday twice on Tuesday, and still have the problem.
  Any help appreciated.
  -WJ

• What are steps configure Certificate based authentication for Wireless clients with ACS 5.3?

  I need to autheticate my clients connecting via wireless.
  clients have user certificate installed on them, i need help configuring the ACS to do the authentication.
  can some one please help me with the steps.
  Thanks

  Two primary steps
  - define the trust certificates needed to verify the clients user certificates
  Users and Identity Stores > Certificate Authorities
  - change result of identity policy to select a certificate authorization profile. If have the defautl config
  Access Policies > Access Services > Default Network Access > Identity
  by default can select the "CN Username" as a result

• SNMP OID for wireless client

  Dear Netpro Community,
  I would like to know whether the following OID talks about the number wireless clients joining the AP at which OSI layer.
  Rgrds,
  Beno

  Sry, the oid information is here:
  Object cDot11ActiveWirelessClients
  OID 1.3.6.1.4.1.9.9.273.1.1.2.1.1
  Type Gauge32
  Permission read-only
  Status current
  Units Device
  Range 0 - 2007

• Bandwidth management for Airport Express

  is it possible to manage how much a client can download through an Airport Express without any server or bandwidth controller?
  this is related to this Thread:
  Airport Express
  Message was edited by: scooter

  Hi Scott,
  Thank you for your response.
  It would be better for users to not have to log on against a web interface. As this is a hotel they would not want to have the admin effort of creating/enabling/disabling users especially since this will be free.
  Instead what would suit their needs is a sort of a protection mechanism against "crazy big" downloads . Ideally without the need of a 3rd party that would require them to buy a server as well .
  Thanks
  Michalis

• Cisco ISE - Computer and User Authenticiation on AD for Wireless Clients.

  Hello all,
  I am trying to configure Cisco ISE to authenticate/authorize Wireless access with PEAP MsChapv2.
  The AD user authorization works fine, but I cannot see on the logs a challenge for the computer verification (it must be a domain member).
  I have found an attribute I would use for this action, but I cannot use it, because I don't see the challenge for the computer challenge.
  Can you explain me if this fact is involved by the ISE configuration or by the client configuration ?
  Thanks a lot for your help.
  The followings screenshots show the logs appearing in the ISE :  
  Kind regards, Emeric.

  This is a great question and I wanted to add my input and I have a question as well. My understanding in order to do both Machine and User EAP-Chaining is required, which used EAP-FAST. 
  In my testing, when a domain box is configured for computer/user authentication. When the laptop started up it will authenticate with a host/ and sid in the log.
  When the user logs in you then see the user ID.
  For my benefit when rule are you talking about ?
  Thank you 

• QoS for wireless clients

  hi
  We would like to give more priority for laptops vs mobile phones/tablets in our corporate SSID. Today all of them connect to same SSID.
  What would be the recommended way to carry this out?
  1. We mark packets coming from laptops using a COS value
  2. This COS /DSCP value need to be trusted on our switches
  3. Controller assigns dedicated bandwidth to the laptops
  4. All other devices get lesser bandwidth                  
  the general idea is to make a distinction in terms of bandwidth available to clients .. Currently we plan to install 2600 AP's in our environment to cater to about 2000 equipment .. we have a tight budget in terms of number of antennas we can buy. So we plan to install around 32 antennas for supporting 2000 equipment and hence the need for prioritisation

  Well you can mark the packets on the laptops to a higher COS level, that would work since the WLC will not mark a packet higher than what the 802.1p tag.  The thing is what your trying to accomplish is a way to just give laptops more bandwidth that any other device, using one ssid.  The issue I see is that all devices have to be able to use the encryption and authentication method for that one ssid.  Also you can still oversubscribe an access point and even traffic for the laptops could affect each other.  As long as the non-laptops don't also mark their traffic up, I think you would be able to set the traffic in the appropriate queues.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Does LAN leave more signal for wireless clients?

  This may seem like a silly question, but...
  My main computer is next to the extreme base station. If I run an LAN to it, will it essentially leave more signal for the 2 iMacs upstairs to access wirelessly?

  Actually the question is far from silly...
  And you are right, while the Extreme can handle a large number of computers simultaneously, there IS a limit on bandwidth. So if the two upstairs iMacs were busy copying some files between each other, and you started downloading something from the internet on your main computer, it is possible that would cause the copying between the iMacs to slow down. But if the main computer was connected via the LAN port, the iMacs would be unaffected (assuming the Extreme can handle all the data on its internal circuitry at those rates).
  I think the real question is how likely is the above scenario? If a computer is not actively using the wireless (actually sending or receiving data) then the bandwidth is preserved. It might just boil down to which is most convenient...
  MacBook Pro   Mac OS X (10.4.8)