Built-in RADIUS - 2504?

Hi. I'm still having issues setting up authentication with our external RADIUS server, so I'm wondering whether the 2504 has an inbuilt feature which I can configure as a RADIUS server. If so, is there any guide for configuring it?
Thanks

You can use the local EAP feature. It is somewhat limited, though, in the EAP types supported. You can have credentials saved locally or externally (in an LDAP directory).
Check this:
www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080851b42.shtml
HTH
Amjad
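The "issues with our external RADIUS server" in the question can be checked below the GUI, at the packet level. The following is an added example and is not code from the original thread or from Cisco: it builds a RADIUS Access-Request with a PAP User-Password as RFC 2865 specifies, answers it with a small stand-in for the external server, and performs the client-side Response Authenticator check. The shared secrets, the user account, the password and the NAS address are constructed values. Two things it shows that a GUI does not: the password is only hidden (XOR with an MD5 keystream), not encrypted, so RADIUS over an untrusted network needs IPsec or RadSec; and with a mismatched shared secret the server cannot recover the password and the client must discard the reply as unauthenticated, which shows up on a controller as a timeout or "server not responding" rather than a clean reject. Note that a WPA2-Enterprise client does not send PAP; it uses EAP inside RADIUS, so this exchange corresponds to web-auth or a management login, not to an 802.1X association.

```python
"""
Added example, not from the original thread: a RADIUS Access-Request with a
PAP User-Password (RFC 2865), a stand-in for the external server that answers
it, and the client-side Response Authenticator check. Secret, user, password
and NAS address are constructed values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT_TYPE = 1, 2, 4, 61
NAS_PORT_TYPE_WIRELESS_80211 = 19


def _attr(atype, value):
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def hide_password(secret, req_auth, password):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block); the 'previous block' for the first one is
    the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(secret, req_auth, hidden):
    """Inverse of hide_password, as the server does it."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def parse_attrs(payload):
    """TLV attributes -> {type: value}; stops on a malformed length."""
    attrs, i = {}, 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            break
        attrs[atype] = payload[i + 2:i + alen]
        i += alen
    return attrs


def build_access_request(secret, ident, username, password, nas_ip):
    """Client (NAS) side: Access-Request with a fresh random Request Authenticator."""
    req_auth = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(secret, req_auth, password.encode()))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def server_respond(secret, request, users):
    """Stand-in for the external server: check the PAP credential, then sign the
    reply with MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(secret, req_auth, attrs.get(ATTR_USER_PASSWORD, b""))
    expected = users.get(user)
    ok = expected is not None and hmac.compare_digest(expected.encode(), password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()  # no reply attributes here


def verify_response(secret, request, response):
    """Client side: accept a reply only if its ID matches and the Response
    Authenticator checks out. Returns the reply code, or None if unauthenticated."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code


def authenticate(client_secret, server_secret, username, password, users):
    """One round trip; the two secrets are separate so a mismatch can be shown."""
    request = build_access_request(client_secret, 7, username, password, "10.10.10.253")
    response = server_respond(server_secret, request, users)
    return verify_response(client_secret, request, response)


if __name__ == "__main__":
    users = {"jeff": "Wifi-Pass1"}  # constructed test account
    print(authenticate(b"s3cret", b"s3cret", "jeff", "Wifi-Pass1", users))  # 2 = Access-Accept
    print(authenticate(b"s3cret", b"s3cret", "jeff", "wrong", users))       # 3 = Access-Reject
    print(authenticate(b"s3cret", b"other", "jeff", "Wifi-Pass1", users))   # None: bad secret
```

The third call is the case to remember when a controller reports the server as unreachable even though it answers ping: a reply signed with the wrong secret is indistinguishable from no reply at all to a correct client.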

Similar Messages

  • 1141n multiple AP's one SSID with Radius

    I have two 1141n APs.
    I have the first one configured as a root AP using the built-in RADIUS feature (LEAP).
    I also have this thing configured using AES CCM.
    My clients are connecting to it with WPA2-Enterprise, getting 144Mbps. Perfect.
    The question is this second AP.
    How do I set it up so my users can wander seamlessly between the two APs?
    Do I need to configure it with the RADIUS feature as well? That would be a pain.
    Any help would be great!
    Jeff

    Hi,
    All you need to do is configure the second AP to point to the first one's IP address as its RADIUS server, but bear in mind that if you do so and the primary AP fails, the second cannot authenticate users because the RADIUS server will be unavailable!
    Configuring the two APs to back each other up will of course be tedious, but it is a more resilient approach.

  • Getting started with aironet 1200 and radius

    Hi,
    Does anyone have a manual on how to configure some Aironet 1200 APs with a RADIUS server?
    The best would be a manual from start (reset to factory defaults) to a working solution.
    The built-in RADIUS server or a Windows 2008 R2 RADIUS server are both possible for me.
    I have tried both, but did not succeed. (unknown EAP type and unknown username in the RADIUS log)
    Kind regards,
    Ernst

    I talked with a rep and heard the new good news... there is no C# interface for Berkeley DB on handheld devices yet; it will be released later.
    Imagine one having problems executing a simple select statement due to the first release bugs...
    Disappointing...
    Good article rekounas once again, your blog was very helpful, especially on my first steps in the olite universe, please keep it up.
    Edited by: vasileios on 03-Sep-2010 05:24

  • Local eap-tls drawbacks

    Planning on implementing EAP-TLS for wireless security and trying to wrap my brain around what will be lost if I use local EAP-TLS vs. an external RADIUS server for authentication of the certificates. I thought I saw in some older posts (3+ years) that there is no CRL available when using the controller as built-in RADIUS. I am running on a 3650 as the integrated WLC. If I can tidy up the wireless solution so I don't have to utilize an external RADIUS server (this would be the first necessity to have an external RADIUS server for this org) then it would be nice to keep it simple. I am planning on doing "computer only" auth for some clients, and the ability to invalidate their cert would likely push me to the external RADIUS server - I just don't know if there are any other trade-offs by using the built-in RADIUS.
    I also saw that you can't specify a RADIUS server for anything else on the switch or the local built-in RADIUS won't work, but then saw conflicting info: "You can disable RADIUS authentication for a given WLAN by using the 'config wlan radius_server auth disable wlan_id' CLI command." at this great page http://mrncciew.com/2013/04/21/configuring-local-eap-on-wlc/
    but I don't know if this is true or not either. I would like to know if I am locking myself into never having an external RADIUS server if I go down the local EAP-TLS path.
    Thanks,
    Brian

    Thanks Nicolas, sad but true, I failed to find any possibilities on the WLC.
    It seems I need to configure an external RADIUS server and use local EAP only in case of WAN failure.

  • CacheGetDNForName: NWDSReadObjectInfo returned -601

    Hi,
    I installed 2 RADIUS servers.
    One server is good,
    and the other server is so bad.
    What's '-601'...???? Help me...!!!
    [2004-12-04 00:33:56 AM] CopyCache:
    [2004-12-04 00:33:59 AM] CopyCache:
    [2004-12-04 00:34:02 AM] 5) [(ip) 123.456.789.000:16384], Received 169 Bytes
    (Accounting-Request (4))
    [2004-12-04 00:34:02 AM] [(total=5) (p=4) (d=0) (r=0) (acc=0) (rej=0)]
    [2004-12-04 00:34:02 AM] <5> Done GetNextMessage [(ip)
    123.456.789.000:16384]: time:4683767
    [2004-12-04 00:34:02 AM] -------- START : (Accounting-Request (4)) [(ip)
    123.456.789.000:16384]: time:5915609---
    [2004-12-04 00:34:02 AM] AcctRequestHandler(), userName = user.abc
    [2004-12-04 00:34:02 AM] CACHE:
    CacheReadSecretForNASAddress(nw6-radius.radius.pb), using cache
    [2004-12-04 00:34:02 AM] CacheGetDNForName entered
    [2004-12-04 00:34:02 AM] CACHE:
    CacheGetEnableCNLogin(nw6-radius.radius.pb), using cache
    [2004-12-04 00:34:02 AM] CacheGetDNForName: NWDSReadObjectInfo returned -601
    [2004-12-04 00:34:02 AM] CacheGetDNForName(user.abc), Using cache
    [2004-12-04 00:34:02 AM]
    (->)CacheGetDNForName:NWDSReadObjectInfo(user.abc) , succeeded, time:23
    [2004-12-04 00:34:02 AM] CacheFindContext - GetParentDN(userDN)
    (abc.dial.pb)
    [2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
    contextName(dial.pb)
    [2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
    contextName(dial.pb)
    [2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
    contextName(hd.dial.pb)
    [2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
    contextName(at.dial.pb)
    [2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
    contextName(kma.dial.pb)
    [2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
    contextName(at.dial.pb)
    [2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
    contextName(mt.dial.pb)
    [2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
    contextName(dial.pb)
    [2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
    contextName(ts.dial.pb)
    [2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
    contextName(ts.dial.pb)
    [2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
    contextName(kb.dial.pb)
    [2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
    contextName(kb.dial.pb)
    [2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
    contextName(cm.dial.pb)
    [2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
    contextName(cm.dial.pb)
    [2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
    contextName(cr.dial.pb)
    [2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
    contextName(cr.dial.pb)
    [2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
    contextName(ht.dial.pb)
    [2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
    contextName(abc.dial.pb)
    [2004-12-04 00:34:02 AM] Handling local accounting request.
    [2004-12-04 00:34:02 AM] HandleLocalAcctRequest(), oldName=user.abc,
    userName=user.abc, userDN=user.abc.dial.pb, reportName=user.abc
    [2004-12-04 00:34:02 AM] CacheGetDNForName entered
    [2004-12-04 00:34:02 AM] CACHE:
    CacheGetEnableCNLogin(nw6-radius.radius.pb), using cache
    [2004-12-04 00:34:02 AM] CacheGetDNForName: NWDSReadObjectInfo returned -601
    [2004-12-04 00:34:02 AM] CacheGetDNForName(user.abc), Using cache
    [2004-12-04 00:34:02 AM]
    (->)CacheGetDNForName:NWDSReadObjectInfo(user.abc) , succeeded, time:14
    [2004-12-04 00:34:02 AM] Built attr RADIUS:Active Connections for user
    user.abc.dial.pb, succeeded
    [2004-12-04 00:34:02 AM] Built attr RADIUS:Connection History for user
    user.abc.dial.pb, succeeded
    [2004-12-04 00:34:02 AM] Start reconciliation algorithm.
    [2004-12-04 00:34:02 AM] Stop reconciliation algorithm.
    [2004-12-04 00:34:02 AM] Start Interim Timeout Cleanup.
    [2004-12-04 00:34:02 AM] CACHE:
    CacheGetInterimTimeout(nw6-radius.radius.pb), using cache
    [2004-12-04 00:34:02 AM] Stop Interim Timeout Cleanup.
    [2004-12-04 00:34:02 AM] Stop Packet in History List of user
    user.abc.dial.pb
    [2004-12-04 00:34:02 AM] CACHE:
    CacheGetIntervalForAging(nw6-radius.radius.pb), using cache
    [2004-12-04 00:34:02 AM] Start Aging Cleanup.
    [2004-12-04 00:34:02 AM] Stop Aging Cleanup.
    [2004-12-04 00:34:02 AM] User:user.abc.dial.pb, Attribute:RADIUS:Connection
    History
    [2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
    VR(123.456.789.000):11]
    [2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
    VR(123.456.789.000):13]
    [2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
    VR(123.456.789.000):27]
    [2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
    VR(123.456.789.000):3]
    [2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
    VR(123.456.789.000):5]
    [2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
    VR(123.456.789.000):14]
    [2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
    VR(123.456.789.000):2]
    [2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
    VR(123.456.789.000):6]
    [2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
    VR(123.456.789.000):8]
    [2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
    VR(123.456.789.000):24]
    [2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
    VR(123.456.789.000):7]
    [2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
    VR(123.456.789.000):1]
    [2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
    VR(123.456.789.000):10]
    [2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
    VR(123.456.789.000):17]
    [2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
    VR(123.456.789.000):4]
    [2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
    VR(123.456.789.000):9]
    [2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
    VR(123.456.789.000):12]
    [2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
    VR(123.456.789.000):20]
    [2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
    VR(123.456.789.000):16]
    [2004-12-04 00:34:02 AM] ->Sending Accounting-Response (5) [(ip)
    123.456.789.000(16384)] count=20
    [2004-12-04 00:34:02 AM] -------- END : (Accounting-Request (4)) [(ip)
    123.456.789.000:16384]: time:5915760---
    [2004-12-04 00:34:02 AM] CopyCache:
    [2004-12-04 00:34:05 AM] CopyCache:

    Benjamin,
    It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
    - Check all of the other support tools and options available at http://support.novell.com in both the "free product support" and "paid product support" drop down boxes.
    - You could also try posting your message again. Make sure it is posted in the correct newsgroup. (http://support.novell.com/forums)
    If this is a reply to a duplicate posting, please ignore and accept our apologies and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • 1300's in Secure point to point deployment

    I'm looking to recommend deploying pairs of Aironet 1300s as point-to-point bridges in multiple sites, but need some assistance on the limits of the security functionality. I need an absolutely uncrackable, secure way for the 1300s to authenticate/encrypt to each other and disallow all other radio connections. All the examples I found so far don't address the point-to-point model in the necessary depth security-wise. Any pointers here??
    thanks
    Martyn Beck

    A couple of options: you can use WPA with TKIP or AES, which is pretty secure and doesn't rely on any external auth servers. Another alternative is to use the built-in RADIUS server on the bridges. Top-line security would use an external RADIUS server (assuming you can do so). As to it being absolutely uncrackable, there isn't any such thing! : ) By the way, forget MAC security; it isn't worth the bother and doesn't add much to the security of the setup.

  • Cisco WLC 2504 webportal for Server 2008 R2 DC LDAP or RADIUS

    Hi, friends.
    I want to get my mobile or notebook clients connecting to wireless using my domain users, with the Cisco WLC 2504 authenticating via LDAP or RADIUS against our Windows Server 2008 domain controllers.
    Questions:
    One: I can use one Organizational Unit of my domain, such as cn=use01,ou=test,dc=lzh,dc=com. Now only user01 can log on via the web, but how do I make all my domain users able to log in via the web?
    Should I use RADIUS authentication or LDAP authentication to do web authentication? Which is better?
    When I specify a child OU, the users in the OUs above it cannot log in.

    Hi, Scott Fella,
    Thank you, I am very happy to receive your reply. I finally got domain user authentication via LDAP working successfully. But you mentioned the combination with NPS; I did not get RADIUS authentication working, and I do not know where the problem is.
    The error:
    <Event><Timestamp data_type="4">07/27/2014 18:33:36.845</Timestamp><Computer-Name data_type="1">PDC-CQ</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">11</User-Name><Service-Type data_type="0">1</Service-Type><NAS-IP-Address data_type="3">10.10.10.253</NAS-IP-Address><NAS-Port data_type="0">1</NAS-Port><NAS-Identifier data_type="1">WLC-CNNEWCITY</NAS-Identifier><NAS-Port-Type data_type="0">19</NAS-Port-Type><Vendor-Specific data_type="2">00003763010600000001</Vendor-Specific><Calling-Station-Id data_type="1">10.12.0.11</Calling-Station-Id><Called-Station-Id data_type="1">10.10.10.253</Called-Station-Id><Client-IP-Address data_type="3">10.10.10.253</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">WLC</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">CNNEWCITY\11</SAM-Account-Name><Class data_type="1">311 1 10.10.10.1 07/27/2014 09:41:28 5</Class><Authentication-Type data_type="0">1</Authentication-Type><NP-Policy-Name data_type="1">Connections to other access servers</NP-Policy-Name><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><Fully-Qualifed-User-Name data_type="1">cnnewcity.com/user/test/11</Fully-Qualifed-User-Name><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
    <Event><Timestamp data_type="4">07/27/2014 18:33:36.845</Timestamp><Computer-Name data_type="1">PDC-CQ</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 10.10.10.1 07/27/2014 09:41:28 5</Class><Fully-Qualifed-User-Name data_type="1">cnnewcity.com/user/test/11</Fully-Qualifed-User-Name><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><Client-IP-Address data_type="3">10.10.10.253</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">WLC</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">CNNEWCITY\11</SAM-Account-Name><NP-Policy-Name data_type="1">Connections to other access servers</NP-Policy-Name><Authentication-Type data_type="0">1</Authentication-Type><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">66</Reason-Code></Event>
    Then, the two figures you gave, is that what you mean? What does Service-Type = Login mean?
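The two IAS events pasted above already contain the answer if the numeric codes are decoded: the Access-Request (Packet-Type 1) carries Authentication-Type 1, which is PAP, and the Access-Reject (Packet-Type 3) carries Reason-Code 66, NPS's code for "the authentication method is not enabled on the matching network policy"; the Vendor-Specific value 00003763010600000001 is Cisco/Airespace vendor 14179, attribute 1 (Airespace-WLAN-Id) = 1, the same attribute the ACS thread further down keys its per-SSID authorization on. The following is an added example, not code from the thread or from Microsoft or Cisco: a small decoder for NPS/IAS XML-format log lines that names those codes and unpacks the VSA. The two sample lines are trimmed, constructed copies of the events in the post (same values, fewer fields); the code tables hold the standard RADIUS values, and only reason code 66 is spelled out because it is the one the post shows.

```python
"""
Added example, not part of the original thread: decode NPS/IAS XML-format
log events. Each line of an IAS log is one <Event>; the two sample events
below are trimmed, constructed copies of the ones in the post.
"""
import struct
import xml.etree.ElementTree as ET

# Standard RADIUS code values (RFC 2865) plus the NPS reason code seen in the post.
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
AUTH_TYPES = {1: "PAP", 2: "CHAP", 3: "MS-CHAPv1", 4: "MS-CHAPv2", 5: "EAP"}
NAS_PORT_TYPES = {15: "Ethernet", 19: "Wireless-IEEE 802.11"}
REASON_CODES = {0: "none", 66: "authentication type not enabled on the matching network policy"}
AIRESPACE_VENDOR_ID = 14179            # Cisco WLC (Airespace) enterprise number
AIRESPACE_ATTRS = {1: "Airespace-WLAN-Id"}

SAMPLE_LOG = """\
<Event><Computer-Name data_type="1">PDC-CQ</Computer-Name><User-Name data_type="1">11</User-Name><NAS-IP-Address data_type="3">10.10.10.253</NAS-IP-Address><NAS-Port-Type data_type="0">19</NAS-Port-Type><Vendor-Specific data_type="2">00003763010600000001</Vendor-Specific><NP-Policy-Name data_type="1">Connections to other access servers</NP-Policy-Name><Authentication-Type data_type="0">1</Authentication-Type><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Computer-Name data_type="1">PDC-CQ</Computer-Name><SAM-Account-Name data_type="1">CNNEWCITY\\11</SAM-Account-Name><NP-Policy-Name data_type="1">Connections to other access servers</NP-Policy-Name><Authentication-Type data_type="0">1</Authentication-Type><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">66</Reason-Code></Event>
"""


def parse_event(line):
    """One IAS log line -> {attribute name: text value}."""
    return {child.tag: (child.text or "") for child in ET.fromstring(line.strip())}


def decode_vsa(hex_value):
    """Vendor-Specific attribute logged as hex: 4-byte vendor ID, then
    (type, length, value) triples. Returns (vendor_id, [(name, value), ...])."""
    raw = bytes.fromhex(hex_value)
    vendor_id = struct.unpack("!I", raw[:4])[0]
    decoded, i = [], 4
    while i + 2 <= len(raw):
        vtype, vlen = raw[i], raw[i + 1]
        if vlen < 2 or i + vlen > len(raw):
            break  # malformed VSA: stop rather than loop forever
        value = raw[i + 2:i + vlen]
        if vendor_id == AIRESPACE_VENDOR_ID:
            name = AIRESPACE_ATTRS.get(vtype, f"Airespace-attr-{vtype}")
        else:
            name = f"vendor-{vendor_id}-attr-{vtype}"
        decoded.append((name, int.from_bytes(value, "big") if len(value) == 4 else value.hex()))
        i += vlen
    return vendor_id, decoded


def summarize(lines):
    """Turn each event into a triage record with the numeric codes named."""
    records = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        rec = {
            "packet": PACKET_TYPES.get(int(ev.get("Packet-Type", 0)), "unknown"),
            "user": ev.get("User-Name") or ev.get("SAM-Account-Name"),
            "auth": AUTH_TYPES.get(int(ev.get("Authentication-Type", 0)), "unknown"),
            "nas_port_type": NAS_PORT_TYPES.get(int(ev.get("NAS-Port-Type", 0)), "unknown"),
            "policy": ev.get("NP-Policy-Name"),
            "reason_code": int(ev.get("Reason-Code", 0)),
        }
        rec["reason"] = REASON_CODES.get(rec["reason_code"], f"reason code {rec['reason_code']}")
        if "Vendor-Specific" in ev:
            rec["vsa"] = decode_vsa(ev["Vendor-Specific"])[1]
        records.append(rec)
    return records


def rejects(lines):
    """Only the Access-Reject records: the first thing to read when a login fails."""
    return [r for r in summarize(lines) if r["packet"] == "Access-Reject"]


if __name__ == "__main__":
    for record in summarize(SAMPLE_LOG.splitlines()):
        print(record)
```

Run against a real IAS log directory the same way, one file's lines at a time; the pairing of request and reject is by the Class attribute and timestamp in the full records. The decoded Airespace-WLAN-Id is also the value to match on in an NPS or ACS policy condition when one SSID must map to one user group.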

  • 2504 WebAuth and IPv6 RADIUS Accounting (IPv6-Framed-Address)

    Hi Board,
    I'm playing around with RADIUS Accounting in combination with local web authentication on the wireless LAN controller.
    So far so good - everything works well, but I'm missing the "IPv6-Framed-Address" in the RADIUS accounting messages.
    The only thing I can see is the v4 framed IP address and the "Framed-IPv6-Prefix". According to the configuration guide
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_0101001.html#ID807
    the "IPv6-Framed-Address" should be sent by the WLC. I took a capture on a span port of the WLC to verify this. Anybody else experiencing this behavior or is it a simple misconfiguration on my side? In the client details I can see the global IPv6 addresses and the link-local.
    I tested it on a WLC 2504 with 8.0.100.0 code.
    Cheers
    Johannes

    Hi Board,
    I'm playing around with RADIUS Accounting in combination with local web authentication on the wireless LAN controller.
    So far so good - everything works well, but I'm missing the "IPv6-Framed-Address" in the RADIUS accounting messages.
    The only thing I can see is the v4 framed IP address and the "Framed-IPv6-Prefix". According to the configuration guide
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_0101001.html#ID807
    the "IPv6-Framed-Address" should be sent by the WLC. I took a capture on a span port of the WLC to verify this. Anybody else experiencing this behavior or is it a simple misconfiguration on my side? In the client details I can see the global IPv6 addresses and the link-local.
    I tested it on a WLC 2504 with 8.0.100.0 code.
    Cheers
    Johannes

  • Cisco 2504 local RADIUS configuration: is there any way of backing up the user DB, in case the WLC dies?

    Cisco 2504 local RADIUS configuration: is there any way of backing up the user DB, in case the WLC dies?

    Please find the guide to keep the backup:-
    http://www.cisco.com/en/US/partner/docs/wireless/controller/7.0/configuration/guide/c70mfw.html#wp1063850

  • 2504 controller and RADIUS security problem

    I am trying to configure a RADIUS server and the 2504 controller, but have a problem with the types of security. On the controller I have the choice of WPA+WPA2, but on the RADIUS server I have WPA-Enterprise (PEAP) or smart card. How do I get the same security on both of them? I am very frustrated with this!
    TIA,
    Eric

    In all the reading and videos and help from you here in this forum I have concluded that:
    1. There are 3 places I need to have authentication configured.
       a. WLC
       b. NPS
       c. Group Policy
    Here is how I have it setup ( still not working )
    What am I missing or doing wrong here? I am so @#&*^&*)()*> frustrated.
    TIA,
    Eric

  • Cannot ping IAS RADIUS from WLC 2504

    I'm having some weird issues where I cannot ping from the WLC to the IAS RADIUS server. All of my clients cannot connect, but from the switch, router, RADIUS server, and hard-wired clients, I can ping to the WLC and RADIUS server. The only thing that cannot ping the RADIUS server is the WLC itself. Nothing in the FW is blocking connectivity. Any ideas?
    (Cisco Controller) >show radius summ
    Vendor Id Backward Compatibility................. Disabled
    Call Station Id Case............................. lower
    Call Station Id Type............................. IP Address
    Aggressive Failover.............................. Disabled
    Keywrap.......................................... Disabled
    Fallback Test:
        Test Mode.................................... Off
        Probe User Name.............................. cisco-probe
        Interval (in seconds)........................ 300
    MAC Delimiter for Authentication Messages........ none
    MAC Delimiter for Accounting Messages............ hyphen
    Authentication Servers
    Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
    1    NM    10.10.50.63       1645    Enabled   5     Enabled   Disabled - none/unknown/group-0/0 none/none
    2    NM    10.10.50.130      1645    Enabled   5     Enabled   Disabled - none/unknown/group-0/0 none/none
    Accounting Servers
    Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
    1    N     10.10.50.63       1646    Enabled   5     N/A       Disabled - none/unknown/group-0/0 none/none
    2    N     10.10.50.130      1646    Enabled   5     N/A       Disabled - none/unknown/group-0/0 none/none

    It's in the ARP cache through the default router.
    (Cisco Controller) >show interface detailed management
    Interface Name................................... management
    MAC Address...................................... d0:c2:82:df:5b:c0
    IP Address....................................... 10.30.72.250
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 10.30.72.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. untagged
    Quarantine-vlan.................................. 0
    Active Physical Port............................. 1
    Primary Physical Port............................ 1
    Backup Physical Port............................. Unconfigured
    Primary DHCP Server.............................. 10.10.10.65
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    ACL.............................................. Unconfigured
    AP Manager....................................... Yes
    Guest Interface.................................. No
    L2 Multicast..................................... Disabled
    (Cisco Controller) >show arp switch
    Number of arp entries................................ 19
        MAC Address        IP Address     Port   VLAN   Type
    50:57:A8:D6:DE:C0   10.10.19.1       1      5      Host
    50:57:A8:D6:DE:C0   10.10.20.138     1      5      Host
    50:57:A8:D6:DE:C0   10.10.50.63      1      5      Host
    64:00:F1:08:A0:D0   10.30.72.1       1      0      Host
    50:57:A8:9E:B5:CD   10.30.72.40      1      0      Host
    50:57:A8:A1:7B:C5   10.30.72.44      1      0      Host
    50:57:A8:9E:99:78   10.30.72.48      1      0      Host
    50:57:A8:3B:66:E3   10.30.72.49      1      0      Host
    00:07:7D:43:23:DA   10.30.72.58      1      0      Host
    50:57:A8:9E:B6:1D   10.30.72.59      1      0      Host
    50:57:A8:9E:95:C5   10.30.72.60      1      0      Host
    50:57:A8:A1:7C:0D   10.30.72.61      1      0      Host
    00:07:7D:65:36:DD   10.30.72.62      1      0      Host
    50:57:A8:44:57:0C   10.30.72.63      1      0      Host
    50:57:A8:CA:CC:01   10.30.72.64      1      0      Host

  • WLC 2504 - Issue with using Microsoft NPS for Radius Management Login

    Hello,
    In our environment we like to have our network admins and engineers use their Active Directory credentials when logging into devices so we can log who logged into which devices and whether any changes were made. To do this we use a Server 2008 R2 NPS server with all our routers, switches and ASAs. We recently purchased a WLC to begin adding wireless to our environment. (See WLC_Radius_Config.png and NPS_Radius_Config.png)
    On the WLC, I am able to authenticate in using my AD credentials but when I go to apply any config changes I get a message saying "Authorization Failed. No sufficient privileges." (See error.png) I have a feeling I am missing something small but this is very important to us.
    I checked the Radius server and there are no login errors or NPS errors pointing to the WLC logins. Has anyone else run into this issue or know what I can do to solve it? 
    Thanks,

    Hi Kyujin,
    I wish I had finished my guide.  Didn't realize it would take this long.
    But what I meant is that when adding the attributes to my NPS (Microsoft's Network Policy Server) I only had to add the role and virtual domain if using Prime Infrastructure.
    If you use NCS, you have to add the role, all the tasks, and the virtual domain.
    See the screenshots and see if that helps explain it.  Not sure how TACACS will work as I'm not familiar with it.
    Microsoft NPS - Attributes for NCS
    Microsoft NPS - Attributes for PI

  • Server 2008 R2 RADIUS Server with a Cisco Aironet 1040 Wireless AP

    I am trying to get Server 2008 R2 RADIUS Server to work with a Cisco Aironet 1040 Wireless AP. I have installed the RADIUS server by MS standards and performed some searches on Google to configure the Cisco Aironet. I see others using a Wireless LAN Controller, which I do not have. I found this post below:
    https://supportforums.cisco.com/discussion/11546056/wlc-2504-radius-2008-r2-server
    But I have yet to locate a good step-by-step document on how to set it up, and I have found so many different ways that others have set it up, but none have worked yet. I am having authentication issues, as far as I know; I do not see any errors in the Windows Event Viewer, and I do not know where the Access Point stores its logs for any sort of error. Keep in mind this is the first time I am doing this.
    I do not have a Wireless LAN Controller, and all my network / domain services are on individually built servers, not on one single server as I have seen with most of the documentation, which all says the same thing by putting Certificate Services, Domain Services (AD / ADS, etc.) and NPS together. I do not want that configuration, and my setup should not be any different, but something is not right.
    I know from reading that this is not rocket science, but for someone who has never done it before this is difficult, as I keep reading on and so many people do it different ways, including what I have been reading according to what Cisco says to configure in the environment. Does anyone know where I can find good step-by-step documentation, along with where I can look for logs on either device? I find that all the documentation I see on Cisco's website and from searching is old and outdated and has not been updated in a long time, so it is hard to determine what works and what does not work. I am stumped here and have been doing this for several weeks now with no luck. Thank you in advance.

    I did configure the Server 2008 R2 RADIUS Server using this video below: 
    https://www.youtube.com/watch?v=g-0MM_tK-Tk
    I also referenced TechNet to make sure it was configured correctly as well. I am still not sure if I am 100% set up correctly on the Windows Server side, but I want to be sure I have the AP side set up correctly. Do you know of a better article for the Windows Server 2008 R2 setup? Does it matter that I do not have all the services installed on the same server? Instead I have them installed on multiple servers.
    I have image number c1140-k9w7-tar.124.25d.JA1 on the AP. The part that confused me in that article, which I have seen before, was the part about "Setting up access point must be configured in the authentication server as an AAA client." What is the AAA client? I also am not aware of having Cisco Secure ACS anywhere built into the AP, as that part threw me off completely. Do I need to skip these steps? Thank you for your help on this.

  • Acs 5.3 and wlc 2504 config with restricted network access

    Hello,
    I submit to you the following issue that I'm currently facing:
    I must configure a secured wireless network with access restriction based on SSID. The equipment is: Cisco WLC 2504 (software 7.3) and Cisco Secure ACS appliance 1121 (software 5.4).
    The users that will connect to the network are grouped by identity groups, each identity group having its own SSID. Clearly, each group of users must access only one SSID.
    I followed the procedure below to configure it:
    -- creating user identity groups;
    -- creating users and assigning them to the groups;
    -- creating authorization profiles for each SSID under Policy Elements / Authorization and Permissions / Network Access / Authorization Profiles and putting the Airespace-Wlan-Id (the SSID number) in the RADIUS tab;
    -- assigning the authorization profiles to the identity groups under Access Policies.
    After all this config the users can access the network using their user ID/password as configured. But the problem is that every user can access every SSID; it seems the restriction is not very well configured.
    I found some documentation on this kind of config, but the version of ACS used seems older than the one that I use, so the menus are very different.
    Can someone please provide the right steps to follow to achieve this kind of config?
    Thanks in advance

    Yes.. you only have to add the end filter like what I posted... as far as the calling station ID in the WLC security tab, it doesn't matter because that is not used when using 802.1X. I would also try not to enable everything that you have; start from the basics and make sure it works first. The WAP Authentication Method might or might not work for you. Uncheck that for now and when you have a successful authentication, look at the monitor log and see what RADIUS attributes are being sent, because those attributes are what you can use to build your policies.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • SX20 and SX10 best practices for small conference rooms using built in Display Speakers

    Hi,
    I'm planning to deploy some small meeting rooms using SX10 and SX20 codecs. I was wondering if someone could give me some key points to consider:
    1. Display recommendation: nice built-in speakers, low delay (good performance with the codec echo canceller). I wish to use a 60 - 70 inch LED TV (not yet defined which brand and model). I would like to receive some feedback about good-performance displays with nice audio and echo cancellation performance based on your experience.
    2. What would be the drawbacks of using SX10 and SX20 in larger meeting rooms, maybe 10 or 12 people?
    3. When to use an external microphone? Or when is it recommended to use only the internal microphone?
    Thanks in advance for your help.
    Best regards, have a nice day!

    Pretty well any modern display should work well. Different people are going to have different ideas about whether the speakers are any good or not, so you'll have to listen to a few yourself and make up your mind about what you think is "better". The echo cancellation can be tweaked manually on the codec to suit the display if required (rather than leaving it on the "auto" setting which, in our installations, has caused more trouble than it's worth).
    The main drawback of using the SX10, or the cheaper of the range of SX20s, is the camera and the amount of zoom. In a larger room, you're not going to get a good close-up view with a 2.5x camera. I'd suggest that for a bigger room you look at the 12x cameras.
    As a general rule, use additional microphone(s) when you can't get someone within a 3m radius of one of the other microphones. So in a larger room, you may need many.
    Wayne
    Please remember to rate responses and to mark your question as answered if appropriate.
