Callback using CLI & RADIUS

Hi
I'm trying to configure a 3745 router with PRI ISDN to call back 1721 routers with BRI ISDN. Currently, the 1721 routers dial in and are authenticated by a RADIUS server. I'd like to extend this so that the 1721s are still authenticated by the RADIUS server but then request callback to the number supplied by the CLI, with the 3745 confirming that the 1721 is allowed to be called back by the setting of the relevant RADIUS attribute for "Dialup client specifies callback number".
I know that I need the command "PPP callback request" in the 1721 router and "PPP callback accept" & "dialer aaa" to get the dialback number from the RADIUS server.
If the RADIUS server is set to "Dialup client specifies callback number", will this automatically use the CLI number for dialback?

Instead of using ppp callback accept on the hub router, you would use ppp callback request. As long as there is an entry for each remote site on the RADIUS server everything should be fine.

Similar Messages

  • Using CLI to enter Mac local list on 1200 Series

    I have a number of 1200 series APs that are set up for MAC authentication based on a local list only. From the GUI these addresses are entered from the Advanced Security screen.
    I want to find a method for entering them from the CLI but am running into a problem with the level 7 passwords that seem to be automatically applied when the MAC addresses are added from the GUI.
    If I enter MAC 0011.22aa.33ff from the GUI and then look at the config from the CLI it looks like this:
    username xxx password xxxx
    username xxxx autocommand exit
    How do I do this from the CLI?

    Hi,
    I think if you need to enter lots of MAC Addresses into AP, the fastest way is to use CLI.
    Refer to the following doc on how to configure MAC from CLI. Look under "Local Authenticator Access Point - Step 11"
    http://www.cisco.com/en/US/partner/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080341e72.html#wp1039558
    If authentication is purely done via MAC, then you can do like the following example:
    AP#config t
    AP(config-radsrv)# user xxx password xxx group clerks mac-auth-only
    Probably you need to use notepad to list all MAC (as username & password), then copy &paste to your AP's CLI.
    Hope this helps.
    Rgds,
    AK
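As an added example (not from AK's reply or from Cisco's documentation), the script below turns a plain notepad list of MAC addresses into the "user ... mac-auth-only" lines shown above, so the list can be pasted into the AP in one go. It normalizes the different MAC notations people type, drops duplicates and reports bad entries instead of aborting the batch. The radius-server local context, the group name clerks and the sample addresses are assumptions.

```python
"""Turn a plain list of MAC addresses into Cisco AP local-authenticator
'user' lines. Added example, not code from the thread above; the
radius-server local context, group name and sample MACs are assumptions."""
import re

# A MAC is 12 hex digits; the AP wants Cisco dotted form xxxx.xxxx.xxxx.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Accept 00:11:22:AA:33:FF, 00-11-22-aa-33-ff, 0011.22aa.33ff or
    001122aa33ff and return the dotted lower-case form; otherwise raise."""
    digits = re.sub(r"[:\-.\s]", "", raw.strip()).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def mac_auth_lines(macs, group: str = "clerks"):
    """Build one 'user' line per MAC. Returns (lines, rejected_entries).

    Duplicates (after normalization) are dropped so the AP never gets the
    same username twice; unparseable entries are collected, not fatal."""
    lines, bad, seen = [], [], set()
    for raw in macs:
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment in the list
        try:
            mac = normalize_mac(raw)
        except ValueError:
            bad.append(raw)
            continue
        if mac in seen:
            continue
        seen.add(mac)
        # MAC-only authentication uses the MAC as both username and password.
        lines.append(f"user {mac} password {mac} group {group} mac-auth-only")
    return lines, bad


def render_config(macs, group: str = "clerks") -> str:
    """Wrap the user lines in the config-mode commands needed to paste them
    (assumed context: 'radius-server local' on the local authenticator AP)."""
    lines, _ = mac_auth_lines(macs, group)
    body = "\n".join(" " + line for line in lines)
    return "configure terminal\nradius-server local\n" + body + "\nend\n"


# Constructed sample list, as it might be copied out of notepad.
SAMPLE_LIST = [
    "0011.22aa.33ff",
    "00:11:22:AA:33:FF",   # same MAC in another notation: deduplicated
    "00-11-22-bb-44-00",
    "# printer in lobby",
    "not-a-mac",
]

if __name__ == "__main__":
    lines, bad = mac_auth_lines(SAMPLE_LIST)
    print(render_config(SAMPLE_LIST))
    print("rejected:", bad)
```

Run it against the real list and review the rejected entries before pasting; a typo in a MAC silently becomes a username that will never match.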

  • 10.6.4 Server L2TP VPN using external RADIUS - Authorization Failed

    I'm using 10.6.4 with VPN L2TP configured successfully using the local user database for authentication. Now I want to configure the VPN to use a Steel Belted Radius server (that is hooked up to another LDAP server) for authentication.
    I've configured the VPN service to use the radius server, authentication to radius is occurring but I'm getting errors that the user is not authorized to use the VPN service.
    Is there a way to configure 10.6's VPN service to authorize any user that successfully authenticates against Radius?
    NOTE: I've played around with Server Admin's access for VPN, with it set to all users, everyone etc., this did not make any difference to the error I'm getting from the vpn service.
    Here's the log output when the connection fails.
    2010-08-27 12:52:34 PDT Loading plugin /System/Library/Extensions/L2TP.ppp
    2010-08-27 12:52:34 PDT Listening for connections...
    2010-08-27 12:52:39 PDT Incoming call... Address given to client = 192.168.105.1
    Fri Aug 27 12:52:39 2010 : Directory Services Authorization plugin initialized
    Fri Aug 27 12:52:39 2010 : L2TP incoming call in progress from '[ip address redacted]'…
    Fri Aug 27 12:52:39 2010 : L2TP received SCCRQ
    Fri Aug 27 12:52:39 2010 : L2TP sent SCCRP
    Fri Aug 27 12:52:39 2010 : L2TP received SCCCN
    Fri Aug 27 12:52:39 2010 : L2TP received ICRQ
    Fri Aug 27 12:52:39 2010 : L2TP sent ICRP
    Fri Aug 27 12:52:39 2010 : L2TP received ICCN
    Fri Aug 27 12:52:39 2010 : L2TP connection established.
    Fri Aug 27 12:52:39 2010 : using link 0
    Fri Aug 27 12:52:39 2010 : Using interface ppp0
    Fri Aug 27 12:52:39 2010 : Connect: ppp0 <--> socket[34:18]
    Fri Aug 27 12:52:39 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x55fc9b88> <pcomp> <accomp>]
    Fri Aug 27 12:52:39 2010 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x7e9db3cb> <pcomp> <accomp>]
    Fri Aug 27 12:52:39 2010 : lcp_reqci: returning CONFACK.
    Fri Aug 27 12:52:39 2010 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x7e9db3cb> <pcomp> <accomp>]
    Fri Aug 27 12:52:39 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x55fc9b88> <pcomp> <accomp>]
    Fri Aug 27 12:52:39 2010 : sent [LCP EchoReq id=0x0 magic=0x55fc9b88]
    Fri Aug 27 12:52:39 2010 : sent [CHAP Challenge id=0xc8 <086a03234947113037497f4326585a1f>, name = "OSX SERVER"]
    Fri Aug 27 12:52:39 2010 : rcvd [LCP EchoReq id=0x0 magic=0x7e9db3cb]
    Fri Aug 27 12:52:39 2010 : sent [LCP EchoRep id=0x0 magic=0x55fc9b88]
    Fri Aug 27 12:52:39 2010 : rcvd [LCP EchoRep id=0x0 magic=0x7e9db3cb]
    Fri Aug 27 12:52:39 2010 : rcvd [CHAP Response id=0xc8 <5ad3c0cb063694e473f51c9252e007f400000000000000003701b4fa8e7b844e072cddeceefa73 173d7415c85cae976700>, name = "USERNAME"]
    Fri Aug 27 12:52:40 2010 : sent [CHAP Success id=0xc8 "S=934D6E79F45791A61C378789A4D719BC6F249574"]
    *Fri Aug 27 12:52:40 2010 : CHAP peer authentication succeeded for USERNAME*
    *Fri Aug 27 12:52:40 2010 : DSAccessControl plugin: User 'USERNAME' not authorized for access*
    *Fri Aug 27 12:52:40 2010 : sent [LCP TermReq id=0x2 "Authorization failed"]*
    Fri Aug 27 12:52:40 2010 : Connection terminated.
    Fri Aug 27 12:52:40 2010 : L2TP disconnecting...
    Fri Aug 27 12:52:40 2010 : L2TP sent CDN
    Fri Aug 27 12:52:40 2010 : L2TP sent StopCCN
    Fri Aug 27 12:52:40 2010 : L2TP disconnected
    2010-08-27 12:52:40 PDT --> Client with address = 192.168.105.1 has hungup
    Message was edited by: sarah mays
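Added example, not part of sarah mays' post: a small triage function over vpnd/pppd log lines like the ones above. It records how far a session got (L2TP tunnel, LCP, CHAP, authentication, authorization) and separates a RADIUS authentication failure from the case shown in this log, where CHAP succeeded and the local DSAccessControl authorization plugin rejected the user. The stage names and patterns are assumptions matched against the posted lines; the sample lines are copied from the log above.

```python
"""Classify a failed Mac OS X Server L2TP/PPP session from its log lines.
Added example, not from the original post; stage names and regexes are
assumptions derived from the log pasted in the thread."""
import re

# Patterns in the order a session progresses. The furthest one matched
# tells you at which step the session died.
STAGES = [
    ("l2tp_tunnel",  re.compile(r"L2TP connection established")),
    ("lcp_up",       re.compile(r"rcvd \[LCP ConfAck")),
    ("chap_sent",    re.compile(r"sent \[CHAP Challenge")),
    ("auth_ok",      re.compile(r"CHAP peer authentication succeeded for (\S+)")),
    ("authz_denied", re.compile(r"DSAccessControl plugin: User '([^']+)' not authorized")),
    ("terminated",   re.compile(r'sent \[LCP TermReq .*"([^"]*)"')),
]


def triage_session(lines):
    """Return {'user', 'stages', 'verdict'} for one session's log lines."""
    reached = {}
    for line in lines:
        line = line.strip("* ")          # the poster marked key lines with *
        for name, pat in STAGES:
            m = pat.search(line)
            if m:
                reached[name] = m.group(1) if m.groups() else True

    user = reached.get("auth_ok") or reached.get("authz_denied")
    if "authz_denied" in reached:
        # Credentials were accepted (by RADIUS here); the VPN service's own
        # access control said no. The fix is the service ACL, not RADIUS.
        verdict = "authenticated but not authorized: check VPN service access list"
    elif "auth_ok" in reached:
        verdict = ("authenticated and authorized" if "terminated" not in reached
                   else f"authorized, then terminated: {reached['terminated']}")
    elif "chap_sent" in reached:
        verdict = "authentication failed or timed out: check RADIUS secret/user"
    elif "lcp_up" in reached:
        verdict = "LCP up, CHAP never started"
    elif "l2tp_tunnel" in reached:
        verdict = "L2TP tunnel up, PPP never negotiated"
    else:
        verdict = "no L2TP tunnel established"
    return {"user": user, "stages": sorted(reached), "verdict": verdict}


# Lines copied from the log posted above (sample input for this example).
SAMPLE_LOG = [
    "Fri Aug 27 12:52:39 2010 : L2TP connection established.",
    "Fri Aug 27 12:52:39 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x55fc9b88> <pcomp> <accomp>]",
    'Fri Aug 27 12:52:39 2010 : sent [CHAP Challenge id=0xc8 <086a03234947113037497f4326585a1f>, name = "OSX SERVER"]',
    "*Fri Aug 27 12:52:40 2010 : CHAP peer authentication succeeded for USERNAME*",
    "*Fri Aug 27 12:52:40 2010 : DSAccessControl plugin: User 'USERNAME' not authorized for access*",
    '*Fri Aug 27 12:52:40 2010 : sent [LCP TermReq id=0x2 "Authorization failed"]*',
    "Fri Aug 27 12:52:40 2010 : Connection terminated.",
]

if __name__ == "__main__":
    print(triage_session(SAMPLE_LOG))
```

The point of the split is that "CHAP peer authentication succeeded" followed by "not authorized for access" means the RADIUS side is already working; only the service-level authorization (the Server Admin access setting for VPN) needs attention.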

  • Can the Policy Management System be enabled by using CLI/Script?

    Hi,
    I know you can enable the Policy Management System in OER Console by selecting True for Enable Asset Policies in the Functional Settings. But I need to automate an OER configuration, so I am wondering if this can be done using CLI.
    Thanks in advance,
    Iris

  • Configure Open Directory using CLI

    We have a Leopard Server in Advanced Mode.
    If you have a fresh install of Leopard Server with nothing configured, is there a way to configure Open Directory to be an Open Directory Master completely using CLI utilities?
    Wasn't able to find anything in Apple's PDFs

    I agree with Dal78 that Apple using a base DN of servername.example.com rather than just example.com is illogical. In fact originally they did seem to use just example.com as the format but in recent years now use server.example.com as the format. When I first encountered this change it was still possible to override the use of servername.example.com and force it to use just example.com as the format. In more recent times I have decided to leave things the way Apple do it.
    I don't know if there is an official answer as to why, but a possible guess is that you can now have multiple Open Directory servers for a single domain. This is the 'Locales' option in Server.app. It maybe that including the servername makes it possible/easier to implement this.
    I also agree Strontium90 do not use a .local root domain for Open Directory. In theory there are hacks to (sort of) get this to work, but Apple engineers will typically run screaming for the woods when they encounter this.
    PS. Briefly Apple also did the same illogical thing with DNS zones, whereby the zone name for a domain was servername.example.com instead of example.com this at least they have stopped doing.

  • Cisco 4402 WLC IOS Upgradation using CLI and Web Interface

    Hi,
    I would like to know how to upgrade IOS of Cisco 4402 WireLess LAN Controller using CLI and Web interface ?
    Can anyone help me regarding the same?
    Please answer as soon as possible.
    Thanks in advance.

    Here are the instructions for upgrading the controllers via GUI:
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn52.html#wp472449
    Instructions via cli:
    Cisco recommends that a direct CLI console port connection is used to update the controller software.
    1. Make sure a TFTP server is available for the Operating System (OS) software download. Also, keep these guidelines in mind when the TFTP server is set up:
    If a download is performed through the service port, the TFTP server must be on the same subnet as the service port because the service port is not routable.
    If a download is performed through the Distribution System (DS) network port, the TFTP server can be on the same or a different subnet because the DS port is routable.
    The TFTP server cannot run on the same computer as the Cisco Wireless Control System (WCS) because WCS and the TFTP server use the same communication port.
    2. Download the desired OS software update file from the Cisco website to the default directory on the TFTP server.
    3. Log into the WLC CLI.
    4. Issue the ping server-ip-address command to verify that the WLC can contact the TFTP server.
    5. Issue the transfer download start command and answer n when prompted to view the current download settings.
    This example shows the command output:
    transfer download start
    Mode........................................... TFTP
    Data Type...................................... Code
    TFTP Server IP................................. xxx.xxx.xxx.xxx
    TFTP Path......................................
    TFTP Filename.................................. AS_2000_3_0_x_x.aes --OR-- AS_4100_3_0_x_x.aes --OR-- AS_4400_3_0_x_x.aes
    Are you sure you want to start? (y/n) n
    Transfer Canceled
    6. Issue these commands to change the download settings:
    * transfer download mode tftp
    * transfer download datatype code
    * transfer download serverip tftp-server-ip-address
    * transfer download filename filename
    * transfer download path absolute-tftp-server-path-to-file
    Note: All TFTP servers require the full pathname. For example, in Windows, the path is C:\TFTP-Root. (In UNIX forward slashes (/) are required.)
    7. Issue the transfer download start command to view the updated settings, and answer y when prompted to confirm the current download settings and start the OS code download.
    This example shows the download command output:
    transfer download start
    Mode........................................... TFTP
    Data Type...................................... Code
    TFTP Server IP................................. xxx.xxx.xxx.xxx
    TFTP Path...................................... path>
    TFTP Filename.................................. AS_2000_3_0_x_x.aes --OR-- AS_4100_3_0_x_x.aes --OR-- AS_4400_3_0_x_x.aes
    Are you sure you want to start? (y/n) y
    TFTP Code transfer starting.
    TFTP receive complete... extracting components.
    Writing new bootloader to flash.
    Making backup copy of RTOS.
    Writing new RTOS to flash.
    Making backup copy of Code.
    Writing new Code to flash.
    TFTP File transfer operation completed successfully. Please
    restart the switch (reset system) for update to complete.
    8. The WLC now has the code update in active volatile RAM, but the reset system command must be issued to save the code update to non-volatile RAM (NVRAM) and reboot the WLC.
    This is a sample output:
    The system has unsaved changes.
    Would you like to save them now? (y/n) y
    The controller completes the bootup proce

  • Creating san-port-channel on 6248 using CLI

    I can create the SAN port channel using UCS Manager. But I would like to know the syntax using the CLI. So far I was able to figure out the following. One thing missing was moving the port channel from the default VSAN (1) to a different VSAN, i.e. VSAN 10 in my case. I have looked at the CLI guide, but have not found the command syntax. Appreciate it if anyone can post the syntax.
    ### Create Port Channel ###
    scope fc-uplink
    scope fabric a
    create port-channel 1
    enable
    set name port-channel-1
    set adminspeed auto
    commit-buffer
    end
    ### Add interfaces to Port Channel ###
    scope fc-uplink
    scope fabric a
    scope port-channel 1
    create member-port 1 29
    exit
    create member-port 1 30
    commit-buffer
    end

    Thanx Wdey. That's exactly what I was looking for. Here is the syntax which works for me.
    scope fc-uplink
        scope fabric a
            create port-channel 1
            enable
            set name port-channel-1
            set adminspeed auto
        commit-buffer
    end
    scope fc-uplink
        scope fabric a
            enter port-channel 1
                enable
                enter member-port 1 29
                enable
                exit
                enter member-port 1 30
                enable
                exit
                set adminspeed auto
            exit
            enter vsan VSAN10 10 10
                set fc-zoning disabled
                set fcoe-vlan 10
                set id 10
                enter member-port-channel a 1
                exit
                localize
             exit
         end
    commit-buffer

  • Using external radius with ise for guest authentication

    Hi Everyone,
    I am trying to migrate from NAC Guest Server to Cisco ISE Guest CWA on wireless, and can't figure out whether what I am trying is just unsupported or I just can't find out how to do this.
    I am attempting to authenticate my existing guest users using a RADIUS lookup towards my existing NAC Guest Server, which has many hundred guest users with long account duration, which I really don't want to recreate on ISE and send new passwords to all those users. The problem is I can't export the user list from NAC Guest Server with the passwords intact, and ISE can't import guest users with a set password.
    Any ideas ?

    Setting up ISE as a RADIUS proxy server will work, because NAC Guest Server does not support exporting user information with passwords.
    Step 1 Choose Administration > Network Resources > External RADIUS Servers.
    The External RADIUS Servers page appears.
    Step 2 Click Filter > Advanced Filter to perform your search. The Filter page appears.
    Step 3 You must define whether the search should match any or all of the rules that you define on this page.
    Step 4 Enter your search criteria based on the name or description of the RADIUS server, choose an operator, and enter the value.
    Step 5 You can do the following:
    •To add a filter condition, click the plus sign (+).
    •To remove a filter condition, click the minus sign (-).
    •To clear all filter conditions, click Clear Filter.
    Step 6 Click Go to perform your search.
    You can also save the filter criteria so that it can be used again. Click the Save icon to save the filter condition.

  • Get DNS configuration using CLI

    How do I get the DNS configuration on CNR using the CLI for the following:
    -List of Domains
    -Name Servers
    -Hosts
    -ZoneTransfer
    -DHCP
    -SubZone
    -Resources Record
    Many thanks

    Yes, there are some API calls available - it depends on what info you want to acquire. For example, you can call "DAQmxGetSysDevNames()" to get a list of the devices in your system. Then you could walk the list and call "DAQmxGetDevProductType()" for additional info.

  • I'm new to the LabView. How do I pass data from VI configured using Serial (CMTS using CLI commands to set Parameters ) to VI configured using GPIB(vector signal analyzer ) to measure such as RF frequency or power on the instrument? Thanks

    I'm new to the LabView. How do I pass data from VI configured using Serial (CMTS using CLI commands to set Parameters ) to VI configured using GPIB(vector signal analyzer ) to measure such as RF frequency or power on the instrument?
    I just want to set something on the front panel that will execute the Serial parameters first and then pass these settings to vector signal analyzer
    Thanks
    Phong

    You transfer data with wires.
    Frankly, I'm a little confused by your question. I can't think of any reason why you would want to pass serial parameters (i.e. baud rate, parity) to a GPIB instrument. Please explain with further detail and attach the code.

  • Sjsws7 log rotation policy using CLI

    Is it possible to set the log rotation policy using the CLI?
    We want to script the process of log rotation using CLI instead of configuring it from the console.

    Thanks for you interest in Web Server 7.
    Yes, Web Server 7 has a rich CLI and
    Log rotation like most administration tasks is configurable using the CLI.
    To schedule log rotation you need to create an "event". The event, as can be seen from the usage, could be restart/reconfig/rotate-log/rotate-access-log etc.
    wadm> create-event
    Usage: create-event [--echo] [--no-prompt] [--verbose] [--no-enabled] config=name command=restart|reconfig|rotate-log|rotate-access-log|update-crl|commandline ( (--time=hh:mm [--month=1-12] [--day-of-week=sun/mon/tue/wed/thu/fri/sat] [--day-of-month=1-31]) | --interval=60-86400(seconds) )
    CLI014 config is a required option.
    I will walk thru the steps in the CLI starting from scratch..
    1. Create a config.
    2. Create an event
    3. Create an instance of the config
    4. Start the instance
    5. Deploy the config (This is a workaround. You should not have to do this in the upcoming Technology Preview Release 3).
    That's it.. The log should be rotated as per the parameters specified when you create the event.
    I am pasting below the actual result of following the above steps.
    In the example below the event scheduled is a rotate-log event. rotate-log rotates the error log. If you need to rotate the access logs use rotate-access-log instead.
    bash-3.00# ./wadm user admin port 18911
    Please enter admin-user-password>
    Sun Java System Web Server 7.0-Technology-Preview-2 B06/19/2006 17:16
    wadm> date
    Sat Sep 16 09:52:27 IST 2006
    wadm> create-config -- server-name servername http-port 18923 test
    CLI201 Command 'create-config' ran successfully
    wadm> create-event config=test command=rotate-log --time=09:55
    CLI201 Command 'create-event' ran successfully
    wadm> list-events config=test verbose --all
    command time interval
    rotate-log {09:55}
    wadm> create-instance --config=test wspqes032
    CLI201 Command 'create-instance' ran successfully
    wadm> start-instance --config=test
    CLI204 Successfully started the server instance.
    wadm> deploy-config test
    CLI201 Command 'deploy-config' ran successfully
    wadm> date
    Sat Sep 16 09:53:22 IST 2006
    wadm> pwd
    /space/hari/ws7/tpv2/bin
    wadm> cd ../https-test/logs
    wadm> date
    Sat Sep 16 09:53:37 IST 2006
    wadm> ls -al
    total 8
    drwxr-xr-x 2 root root 512 Sep 16 09:53 .
    drwxr-xr-x 10 root root 512 Sep 16 09:53 ..
    -rw-r--r-- 1 root root 143 Sep 16 09:53 access
    -rw-r--r-- 1 root root 683 Sep 16 09:53 errors
    wadm> date
    Sat Sep 16 09:55:18 IST 2006
    wadm> ls -al
    total 8
    drwxr-xr-x 2 root root 512 Sep 16 09:55 .
    drwxr-xr-x 10 root root 512 Sep 16 09:53 ..
    -rw-r--r-- 1 root root 143 Sep 16 09:53 access
    -rw-r--r-- 1 root root 0 Sep 16 09:55 errors
    -rw-r--r-- 1 root root 869 Sep 16 09:55 errors.200609160955
    wadm>
    In this example we have configured the log to be rotated at 09:55 am and, as can be seen, this has been done.
    We appreciate your valuable feedback. Please do mail us at [email protected]
    Hope that helps,
    Hari.
    Message was edited by:
    hari19

  • Ise Authentication to two different forests second using External Radius, Not LDAP

    Hi Guys,
    I am hoping someone can help me. We currently have two AD forests, one for staff and one for students. These forests do not have a two-way trust between them, nor do we want to. We currently have ISE 1.2 integration with our student forest using AD working just fine. The iPads and other devices are playing nicely and cooperating well. We want to get our staff to be able to use ISE as well. Currently there is no way to use two AD forests, so I was directed to use LDAP instead for the second domain. Unfortunately, after playing around with it, LDAP doesn't support MSCHAPv2, which our mobile devices like iPads do play nicely with. This causes an issue only because we would have to utilize certificates to get everything to work correctly. This is not the route we want to go. So I was speaking to TAC and they recommended using an external RADIUS server, then modifying my auth profiles to look for the domain name in the authentication string. If it starts with, for example, student\ then I can have ISE forward the auth request to the AD-integrated PSNs for auth. If the auth string starts with staff\, for example, I should be able to forward this request to my external RADIUS server.
    This sounds all good in theory but I have not found any documentation to support this to help me configure it. Has anyone tried this approach? Or have any leads on where I can find some good documentation as to what RADIUS servers are supported? I am hoping Windows Server 2008 R2 with a RADIUS role installed, but I am just not sure.
    If anyone can help i would greatly appreciate it.
    Thank you
    Joey

    That is correct! Cisco ISE supports integration with a single Active Directory identity source. Cisco ISE uses this Active Directory identity source to join itself to an Active Directory domain. If this Active Directory source has a multidomain forest, trust relationships must exist between its domain and the other domains in order for Cisco ISE to retrieve information from all domains within the forest.
    However, you may create multiple instances for LDAP. Cisco ISE can communicate via LDAP to Active Directory servers in an untrusted domain. The only limitation you would see with LDAP being a database is that it doesn't support PEAP MSCHAPv2 (native Microsoft supplicant). However it does support EAP-TLS.
    For more information you may go through the below listed link
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_45_multiple_active_directories.pdf

  • Using RSA RADIUS Server and WLC 7.4 to dynamically asssign users to VLAN

    Hello,
    What we are trying to do:
    John logs on to wifi using an RSA fob for the password. RSA sends back the auth response with attributes to WLC 7.4, which magically knows how to interpret the attributes and puts John on VLAN 10. Mary logs on with her fob and gets put on VLAN 20.
    We don't have ISE. We don't have ACS. We have RSA Authentication Manager 7.0.
    We have looked high and low for documentation for this kind of setup and we find stuff that is close to a match but not quite.
    Here is what we are seeing
    1. dynamic vlan assignment is not working -- radius server is set with the attributes
    2. RSA authentication works
    3. John and Mary are always put into the VLAN where the MGMT interface is
    4. I can see that attributes are making it back to the WLC by sniffing
    We are stuck at this point. Any help would be much appreciated,
    P.

    Here is a little more background:
    We have created a dynamic interface in VLAN 157
    Wireless LAN has been assigned to MGMT interface which is on VLAN 35
    This is a VWLC ver 7.4.100
    AP is attached to VWLC (only FlexConnect mode is supported)
    RADIUS Server has been configured
    Users are getting assigned to VLAN 35
    Also I have attached some screenshots and two packet captures so you can see what the RSA is sending back with your own eyes
    I don't see any attributes in the capture when RSA sends to the VWLC.
    I see attributes in the capture when RSA sends to my local RADIUS client (my PC).
    And to answer your question, we are sending a VLAN ID (157).

  • Using Multiple RADIUS servers w/ LEAP & WPA concurrently

    Our current wireless network was set up by someone on the outside and it uses LEAP w/ CKIP. When we have random employees come in, CKIP is a pain since CKIP usually isn't supported by any of the laptop OEM wireless drivers. We've had to resort to using the manufacturer's drivers to get it to work. So because of this we started looking at moving to using WPA w/ TKIP or AES. I started out with a small test setup using MS IAS, PEAP and an IOS-based Aironet 1231. The test environment seems to be working fine: I can associate with it and gain network access, so I don't think there are any problems with IAS or PEAP.
    My intention is to set up additional SSIDs on new VLANs so I can run the test WPA network in parallel with the in-use LEAP networks. The problem I seem to have run into is that when I mix the two configs, WPA no longer works. I've enabled quite a few different debugs to get an idea of what might be the problem, and the only thing I can come up with at this time is the possibility of WLCCP being the problem. When the machine is trying to connect to the WPA SSID I see a lot of WLCCP messages, which, if I understand how this is supposed to work, shouldn't come into play. For the WPA data clients I don't really care about fast roaming, which is what I understand WLCCP to be for. People aren't walking around with their laptops while doing something network dependent. They sit down in one location and so seamless roaming is a non-issue.
    I've attached sanitized versions of the two configs. I'll continue to hack on this but I'm hoping I'm just overlooking something that a second set of eyes might catch. Or maybe it's not even possible. I'd also be interested in what others are using as their network EAP methods: EAP-FAST, PEAP, EAP-TLS. I initially chose PEAP since it seems like a happy medium between strength and ease of use from the client end, since 98% of all clients will be Windows laptops. Any comments on using WPA-PSK vs LEAP with 7920 phones?
    Thanks in advance,
    jeff

    Jeff
    1. It is recommended that the AP you use as the primary WDS has the radio disabled.
    2. It is also standard that your bridge groups be numbered the same as your VLANs.
    3. Your native VLAN should not have an SSID associated with it. This is not mandatory but again SOP for multiple VLAN configs.
    4. Here is an excellent link for configuring WDS. Of course it shows using an ACS server as your RADIUS server, but any RADIUS server will work.
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
    5. As Irene points out, PEAP is a better choice for EAP as it is more secure than LEAP and more widely supported.
    6. Any version of WPA is preferred over the older security protocols due to the better encryption methods used.
    regards
    Bill

  • Lobby ambassador user authentication using a RADIUS server

    I have a WiSM installed in a unified wireless network; an MS IAS server is sitting in between the enterprise AD and the WiSM. Wireless clients are getting authenticated via IAS against the enterprise AD without any issue.
    Now I want to authenticate the admin users in the WLC (for example lobby admin users) also with AD using the same method.
    I tried adding a RADIUS server in the WLC on "Administration > AAA servers". But the external authentication doesn't seem to be happening. Does someone have an example of this type of configuration?

    You can use RADIUS to authenticate management users, but I'm afraid you can't use it to authenticate lobby admin users.
    To authenticate management users, you need:
    1. In the WLC, when creating the RADIUS server, enable "management".
    2. In RADIUS, set Service-Type [006] to Administrative in the user's IETF (RADIUS) attributes.
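Added example, not from any of the posts above or from Cisco: a decoder for the RADIUS authorization attributes these threads keep coming back to. It covers the callback pair from the first question (Service-Type Callback-Framed plus Callback-Number), the dynamic-VLAN triplet from the RSA/WLC thread (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, with their RFC 2868 tags) and the Service-Type Administrative value from the reply just above. It verifies the Response Authenticator first, so an Access-Accept pulled from a capture can be confirmed as coming from the server that knows the shared secret before its attributes are trusted. Attribute numbers and values are from RFC 2865/2868; the shared secret, request authenticator and the sample Access-Accept packets are constructed for this example.

```python
"""Decode the authorization attributes in a RADIUS Access-Accept.
Added example; attribute numbers and values from RFC 2865/2868. The shared
secret, request authenticator and sample packets are constructed."""
import hashlib
import struct

ACCESS_ACCEPT = 2
SERVICE_TYPE, CALLBACK_NUMBER = 6, 19
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PRIVATE_GROUP = 64, 65, 81
SVC_CALLBACK_FRAMED, SVC_ADMINISTRATIVE = 4, 6
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def parse_attributes(data):
    """Walk the Type/Length/Value list, yielding (type, value); a bad
    length raises instead of reading past the buffer."""
    pos = 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute length")
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def tagged(value):
    """Split an RFC 2868 tagged value into (tag, body). A first byte above
    0x1F is data, not a tag; an unused tag is 0."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def decode_accept(packet, secret, request_auth):
    """Check the Response Authenticator, then report what the server granted."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    resp_auth, attrs = packet[4:20], packet[20:]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    if hashlib.md5(packet[:4] + request_auth + attrs + secret).digest() != resp_auth:
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")

    result = {"service_type": None, "callback_allowed": False,
              "callback_number": None, "admin": False, "vlan": None}
    tunnels = {}  # tag -> {"type": .., "medium": .., "group": ..}
    for atype, val in parse_attributes(attrs):
        if atype == SERVICE_TYPE and len(val) == 4:
            svc = struct.unpack("!I", val)[0]
            result["service_type"] = svc
            result["callback_allowed"] = svc == SVC_CALLBACK_FRAMED
            result["admin"] = svc == SVC_ADMINISTRATIVE
        elif atype == CALLBACK_NUMBER:
            result["callback_number"] = val.decode("ascii", "replace")
        elif atype in (TUNNEL_TYPE, TUNNEL_MEDIUM):
            tag, body = tagged(val)
            key = "type" if atype == TUNNEL_TYPE else "medium"
            tunnels.setdefault(tag, {})[key] = int.from_bytes(body, "big")
        elif atype == TUNNEL_PRIVATE_GROUP:
            tag, body = tagged(val)
            tunnels.setdefault(tag, {})["group"] = body.decode("ascii", "replace")
    # Only a complete triplet with matching tags is a VLAN assignment; a lone
    # Tunnel-Private-Group-ID (a common misconfiguration) assigns nothing.
    for t in tunnels.values():
        if (t.get("type") == TUNNEL_TYPE_VLAN
                and t.get("medium") == TUNNEL_MEDIUM_IEEE802 and "group" in t):
            result["vlan"] = t["group"]
            break
    return result


# --- constructed sample packets, shaped as a RADIUS server would send them ---
def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


def build_accept(ident, attrs, secret, request_auth):
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


SECRET = b"example-shared-secret"   # constructed
REQ_AUTH = bytes(range(16))          # constructed Request Authenticator
VLAN_ACCEPT = build_accept(1,
    attr(TUNNEL_TYPE, b"\x01" + (13).to_bytes(3, "big"))
    + attr(TUNNEL_MEDIUM, b"\x01" + (6).to_bytes(3, "big"))
    + attr(TUNNEL_PRIVATE_GROUP, b"\x01" + b"157"), SECRET, REQ_AUTH)
CALLBACK_ACCEPT = build_accept(2,
    attr(SERVICE_TYPE, struct.pack("!I", SVC_CALLBACK_FRAMED))
    + attr(CALLBACK_NUMBER, b"5551234"), SECRET, REQ_AUTH)
ADMIN_ACCEPT = build_accept(3, attr(SERVICE_TYPE, struct.pack("!I", SVC_ADMINISTRATIVE)),
                            SECRET, REQ_AUTH)

if __name__ == "__main__":
    for pkt in (VLAN_ACCEPT, CALLBACK_ACCEPT, ADMIN_ACCEPT):
        print(decode_accept(pkt, SECRET, REQ_AUTH))
```

Feed it the Access-Accept bytes from a capture together with the request's authenticator: a result with vlan None while the server is "sending VLAN 157" means the triplet is incomplete or the tags disagree, which leaves a WLC on its management-interface VLAN exactly as described in the RSA thread; an authenticator mismatch means the reply was not produced with the secret the controller is configured with.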
