Called-Station-ID attribute and Cisco WLC code 7.4
Hello
I have 2 WLCs configured with 2 SSIDs (one is [WPA2][Auth(802.1X)] and the other is Web-Auth). One of the WLCs is remote and its WLANs are configured with mobility anchors pointing to the other WLC. Both WLCs are configured with Called-Station-ID set to AP Mac Address:SSID. I use this attribute on ACS to authenticate/authorize users based on what SSID they connect to.
This worked fine on WLC code 7.0 but on upgrading to 7.4 I started having some issues:
clients on the remote WLC can still authenticate on the [WPA2][Auth(802.1X)] SSID as the Called-Station-ID attribute is still AP Mac Address:SSID
clients on the remote WLC cannot authenticate on the Web-Auth SSID as the Called-Station-ID attribute now appears to be the Mac Address of the WLC anchor controller
WLC models are 5508 and current code is 7.4.110.0 (APs are AIR-LAP1142N-E-K9). Can anyone tell me why I'm seeing this behaviour on the Web-Auth SSID on the remote WLC?
Thanks
Andy
Since you have two AAA devices that are sending info, you can have your policy for the guest specifying the guest WLC. The SSID policy for the foreign WLC is only really needed if you have multiple 802.1x authentications from the foreign WLC, and that's when you can use the regex to define the SSID per AD Group.
Look at a successful authentication from one of the guest users. Look at the detailed log and then in that log, you will see all the attributes being sent that the radius can send back to the WLC. You can use any of those attributes in your policies.
Called-Station-ID might not be sent like what you're used to, because the foreign WLC has the access point the guest user associates to and tunnels it back to the anchor WLC. So this attribute might not be available. Things do change with code versions, so you might just have to adjust your policies. I haven't played around with 7.0.x code with guest anchor and RADIUS in a while, but I have in the past upgraded RADIUS or the WLC and had to tweak my RADIUS policies.
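The policy adjustment discussed in this thread, sketched as an added example (not code from the posters and not ACS configuration): it parses the `AP Mac Address:SSID` form of Called-Station-Id, and accepts a bare MAC only when it is the anchor WLC's MAC arriving from the anchor WLC itself. The SSID names, policy names, MAC and IP addresses are constructed, and it assumes the web-auth request reaches the RADIUS server from the anchor controller.

```python
import re

# MAC (hyphen- or colon-separated), optionally followed by ":SSID".
_CSID = re.compile(
    r"^(?P<mac>[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})(?::(?P<ssid>.+))?$"
)

# Constructed sample policy data (hypothetical names and addresses).
SSID_POLICIES = {"Corp-Dot1x": "employee-access", "Guest-WebAuth": "guest-access"}
ANCHORS = {"192.0.2.10": {"mac": "02-00-00-00-00-10", "policy": "guest-access"}}


def parse_called_station_id(value):
    """Return (mac, ssid_or_None), or None when absent or malformed."""
    if not value:
        return None
    m = _CSID.match(value.strip())
    if m is None:
        return None
    mac = m.group("mac").replace(":", "-").upper()
    return mac, m.group("ssid")


def select_policy(called_station_id, nas_ip, ssid_policies, anchors):
    """Return (policy, reason); every unrecognised case fails closed."""
    parsed = parse_called_station_id(called_station_id)
    if parsed is None:
        return "deny", "Called-Station-Id absent or malformed"
    mac, ssid = parsed
    if ssid is not None:
        # Normal case: the WLC sent "AP MAC:SSID", so match on the SSID.
        policy = ssid_policies.get(ssid)
        if policy is None:
            return "deny", "SSID %r has no policy" % ssid
        return policy, "matched SSID %r" % ssid
    # Anchored web-auth case: only a MAC arrives. Accept it only when it is
    # the known anchor WLC's MAC and the request comes from that WLC.
    anchor = anchors.get(nas_ip)
    if anchor is not None and anchor["mac"] == mac:
        return anchor["policy"], "bare MAC of anchor WLC %s" % nas_ip
    return "deny", "bare MAC %s not tied to a known anchor WLC" % mac


if __name__ == "__main__":
    samples = [  # constructed (Called-Station-Id, NAS-IP) pairs
        ("02-00-00-00-00-01:Corp-Dot1x", "192.0.2.20"),
        ("02-00-00-00-00-10", "192.0.2.10"),
        ("02-00-00-00-00-10", "192.0.2.20"),
        (None, "192.0.2.20"),
    ]
    for csid, nas in samples:
        print(csid, nas, select_policy(csid, nas, SSID_POLICIES, ANCHORS))
```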
Similar Messages
-
Bonjour Discovery browser and cisco WLC mDNS
Hello
I'm using a Bonjour Discovery browser on an iPad to see if I can check what Bonjour services are available on a cisco 2504 running code 7.5.102.0. WLC is configured as per cisco documentation for mdns:
Multicast disabled on WLC
wired vlan (with bonjour services) is trunked to WLC
mdns profile configured and bonjour services are visible on WLC
mdns profile applied to WLAN
when i connect an ipad to the wlan and start the browser, no services appear (2 are visible on the WLC). Debug on the WLC shows the following (where XX:XX:XX:XX:XX:XX is the iPad mac)
*Bonjour_Msg_Task: Nov 04 10:51:06.674: XX:XX:XX:XX:XX:XX Failed to updated data to Service Provider DB
*Bonjour_Msg_Task: Nov 04 10:51:12.798: processBonjourPacket : 935 Queried service-string : _dns-sd._udp.local. is not configured in MSAL-DB
Is it possible to get Bonjour Discovery browser working with cisco WLC?
thanks
andy
I have used Avahi when I have had deployments that were FlexConnect and the site had multiple subnets for Apple TVs and/or the devices that would be using the Apple TV, printers, etc. Avahi is free and my customers would spin this up on an available PC or laptop and connect it to the network.
mDNS AP
1. This feature enhancement allow controllers to have the visibility of wired service providers which are on VLANs that are not visible to the controller.
2. User configuration is required to configure APs as mDNS AP. This configuration allows AP to forward mDNS packets to WLC.
3. VLAN's visibility at WLC is achieved by APs forwarding the mDNS advertisements to controllers. The mDNS packet between AP and controller are forwarded in CAPWAP data tunnel similar to mDNS packets from wireless client.
4. APs can either be in access or trunk mode to learn the mDNS packets from wired side and forward it to the controller.
5. This configuration also allows the user to specify the VLANs from which the AP should snoop the mDNS advertisements from wired side. The maximum number of VLANs that AP can snoop is 10.
6. If the AP is in access mode, the user should NOT configure any VLANs for AP to snoop.
AP will send untagged packets when a query is to be sent. When an mDNS advertisement is received by mDNS AP, VLAN information is not passed to the controller. Hence the service provider's VLAN, learnt via mDNS AP's access VLAN will be maintained as 0 in the controller.
7. If the AP is in trunk mode, then the user has to configure the VLAN on the controller on which AP would snoop & forward the mDNS packets. The native VLAN snooping is enabled by default when mDNS AP is enabled. AP will send VLAN information as 0 for packets snooped on native VLAN.
8. This feature is supported on local and monitor mode AP, and not on Flexconnect mode APs.
9. If a mDNS AP joins/resets (or) joins the same/another controller, the behavior is as follows:
a. If global snooping is disabled on the controller, then a payload will be sent to AP to disable mDNS snooping.
b. If global snooping is enabled on the controller, then configuration of the AP previous to reset/join procedure will be retained.
Thanks,
Scott
*****Help out other by using the rating system and marking answered questions as "Answered"***** -
Cisco Call Manager 5.1 and Cisco VoIP Gateways
Hi,
I have Cisco Call Manager 5.1 with Cisco 2800 series routers as a ISDN gateways and Cisco VG224/ATA 186 as POTS gateways. While Cisco Call Manager collects call statistics from 7900 series SCCP handsets managed by the Call Manager (number of VoIP packets, dropped frames etc.), it shows only one side of the call as it does not collect statistics from the Cisco routers (configured as H.323 gateways), the Cisco VG224 (with ports configured as H.323 gateways and as a SCCP devices) and Cisco ATA 186 (configured for SCCP).
Is the collection of these statistics possible? What needs to be done?
Thanks,
Paul
Update: Logging of QoS/Call Management Records (CMR) to Call Manager CDR database is not possible with H.323 gateways; only MGCP gateways:
http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_qanda_item09186a008020650a.shtml#qa4
Anyone know how to get the Cisco router gateway to log these statistics anyway using standard router logging mechanisms (e.g. syslog)?
Anyone know about calls to SCCP ports on Cisco VG224 or ATA 186?
Thanks,
Paul -
Tablets and Cisco WLC Web Authentication
Hi my name is Ivan
I have a question:
I would like to know which tablets support Web Authentication on Cisco WLC.
Android, Samsung, others?
And which are the requirements of the tablet to use this way of authentication?
Regards
Ivan
Any device that has a browser which can generate HTTP(s) traffic utilizing a browser can use WLC Web Auth. If your question is regarding being presented "automatically" with the captive portal, I have seen this can be dependent on OS. From my reading about Droids (not hands-on experience) the Android devices don't provide a captive portal query that would "automatically" bring up the WebAuth page when connected to an open network using L3 WebAuth security, but you then open your browser and try to hit any web page and you're fine. Apple iOS can handle this automatically (in most cases).
As long as the device can connect to the WLAN in question, open a browser, then try to navigate to some URL, it should work fine. -
BILLING SETUP WITH NOMADIX AND CISCO WLC
Hi, I need to implement a Cisco wireless controller along with a Nomadix box for bandwidth control and billing in a hotel. Has anybody implemented the same?
What is the topology in this case? Necessary config on WLC?
Refer to the posts: https://supportforums.cisco.com/discussion/11431756/wlc-and-nomadix
https://supportforums.cisco.com/discussion/11601111/guest-ssid-redirect-nomadix-box -
RADIUS packet-id not incrementing, called-station-id missing
I am running v1.3.5.58 on an SG300-20. I am attempting to use a Network Access Control (NAC) solution, which involves a RADIUS proxy. It is getting confused by two odd behaviors of the SG300 when attempting EAP-PEAP-MSCHAPv2 authentication.
1. The SG300 does not properly increment the "Packet Identifier" bits as it progresses through the RADIUS negotiation. The packet identifier is always 0x00.
2. The SG300 does not properly set the "Called-Station-ID" Attribute-Value-Pair (AVP). Instead, it is left blank.
Although freeradius is able to find a way around these problems, the NAC RADIUS proxy cannot. Have I done something in the config to cause this to happen (see below)? Is this a known bug? Does it have a workaround? Will our hero defeat the villain and save the day? ;-)
config-file-header
ausoff-sw-test1
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode switch
file SSD indicator encrypted
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
spanning-tree priority 40960
port jumbo-frame
vlan database
vlan 2-3,12,14,16,99,600,1000,1010
exit
voice vlan id 1010
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
dot1x system-auth-control
dot1x traps authentication failure 802.1x
dot1x traps authentication success 802.1x
hostname ausoff-sw-test1
line console
exec-timeout 30
exit
line ssh
exec-timeout 30
exit
line telnet
exec-timeout 30
exit
encrypted radius-server key C1TbrSasKDSDdUoOG2XrohFMsM5tVmu+3QyTwkiVKMI=
encrypted radius-server host 172.18.14.114 key C1TbrSasKDSDdUoOG2XrohFMsM5tVmu+3QyTwkiVKMI= priority 1 usage dot1.x
radius-server host 172.18.58.58 usage dot1.x
radius-server timeout 10
logging host 172.18.58.50
aaa accounting dot1x start-stop group radius
enable password level 15 encrypted
username nac password encrypted *** privilege 15
username admin password encrypted *** privilege 15
username cisco password encrypted *** privilege 15
username readonly password encrypted ***
ip ssh server
ip ssh password-auth
snmp-server server
snmp-server engineID local 800000090308cc68423f4d
snmp-server location "***"
snmp-server contact "***"
snmp-server community *** rw 172.18.58.58 view DefaultSuper
snmp-server community *** rw 172.18.14.105 view DefaultSuper
snmp-server host 172.18.58.58 traps version 2c nac
snmp-server host 172.18.58.58 version 3 auth nac
snmp-server group nac v3 auth notify DefaultSuper read DefaultSuper write DefaultSuper
snmp-server group SNMPSuperuser v3 auth notify DefaultSuper read DefaultSuper write DefaultSuper
encrypted snmp-server user nac nac v3 auth sha ***
encrypted snmp-server user ManageEngines SNMPSuperuser v3 auth sha ***
ip http timeout-policy 1800
clock timezone " " -6
sntp anycast client enable ipv4
sntp broadcast client enable ipv4
clock source sntp
sntp unicast client enable
sntp unicast client poll
sntp server 0.pool.ntp.org poll
sntp server 1.pool.ntp.org poll
ip domain name blah.net
ip name-server 172.18.19.232
ip domain timeout 2
ip domain retry 1
ip telnet server
interface vlan 2
name NACRegistration
interface vlan 3
name NACIsolation
interface vlan 12
name Users
interface vlan 14
name Dev
interface vlan 16
name LAN
interface vlan 99
name Mgmt
ip address 172.18.58.61 255.255.255.128
interface vlan 600
name "Core Test"
dot1x guest-vlan
interface vlan 1000
name Guest
interface vlan 1010
name Voice
interface gigabitethernet1
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
interface gigabitethernet2
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
interface gigabitethernet3
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
interface gigabitethernet4
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
interface gigabitethernet5
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
interface gigabitethernet6
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
interface gigabitethernet7
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
interface gigabitethernet8
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
interface gigabitethernet9
dot1x host-mode single-host
dot1x violation-mode protect trap 10
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
interface gigabitethernet10
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
interface gigabitethernet11
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
interface gigabitethernet12
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
interface gigabitethernet13
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
interface gigabitethernet14
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
interface gigabitethernet15
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
interface gigabitethernet16
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
interface gigabitethernet17
dot1x host-mode multi-sessions
no snmp trap link-status
port monitor GigabitEthernet 20
spanning-tree disable
spanning-tree bpduguard enable
switchport mode general
switchport general acceptable-frame-type untagged-only
switchport forbidden default-vlan
interface gigabitethernet18
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
interface gigabitethernet19
switchport trunk native vlan 600
interface gigabitethernet20
spanning-tree link-type point-to-point
switchport trunk allowed vlan add 2-3,12,14,16,99,600,1000,1010
macro description switch
!next command is internal.
macro auto smartport dynamic_type switch
exit
ip default-gateway 172.18.58.1
Thank you for your response, Tom. I have performed packet captures associated with this issue, and they show that the Called-Station-ID AVP is not sent with the RADIUS packets from the SG300. There is not an issue with capitalization; the value is simply not provided at all. Here is an example of a tcpdump decode of such a packet. Please note the missing attribute:
15:48:01.843296 IP (tos 0x0, ttl 64, id 59875, offset 0, flags [none], proto UDP (17), length 142)
172.18.58.61.49205 > 172.18.58.58.1812: [udp sum ok] RADIUS, length: 114
Access Request (1), id: 0x00, Authenticator: 390000003f2000009e3f0000eb670000
NAS IP Address Attribute (4), length: 6, Value: 172.18.58.61
0x0000: ac12 3a3d
NAS Port Type Attribute (61), length: 6, Value: Ethernet
0x0000: 0000 000f
NAS Port Attribute (5), length: 6, Value: 57
0x0000: 0000 0039
Username Attribute (1), length: 12, Value: SSO\dalewl
0x0000: 5353 4f5c 6461 6c65 776c
Accounting Session ID Attribute (44), length: 10, Value: 050000DF
0x0000: 3035 3030 3030 4446
Calling Station Attribute (31), length: 19, Value: E0-DB-55-B3-1D-5C
0x0000: 4530 2d44 422d 3535 2d42 332d 3144 2d35
0x0010: 43
EAP Message Attribute (79), length: 17, Value: ..
0x0000: 0201 000f 0153 534f 5c64 616c 6577 6c
Message Authentication Attribute (80), length: 18, Value: ......R..1...EU.
0x0000: bed3 b19e c70f 52e0 ec31 afcb d545 55ad -
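The two symptoms reported in this thread can be checked mechanically from a capture. The following added example (not part of the original posts, and not the NAC vendor's code) rebuilds the Access-Request from the hex in the tcpdump decode above, walks its attribute-value pairs in the RFC 2865 layout, and flags a missing Called-Station-Id (type 30) and an Identifier that never changes. The follow-up and contrast packets are constructed, and `audit_requests` and `build_request` are hypothetical helper names.

```python
import struct

# Attribute numbers (RFC 2865/2866/2869) that appear in the capture, plus 30.
ATTR_NAMES = {
    1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port",
    30: "Called-Station-Id", 31: "Calling-Station-Id",
    44: "Acct-Session-Id", 61: "NAS-Port-Type",
    79: "EAP-Message", 80: "Message-Authenticator",
}
CALLED_STATION_ID = 30

# Access-Request rebuilt byte for byte from the tcpdump decode quoted above:
# code, identifier, length (114), authenticator, then the eight AVPs.
SG300_REQUEST = bytes.fromhex(
    "01" "00" "0072"
    "390000003f2000009e3f0000eb670000"
    "0406" "ac123a3d"
    "3d06" "0000000f"
    "0506" "00000039"
    "010c" "53534f5c64616c65776c"
    "2c0a" "3035303030304446"
    "1f13" "45302d44422d35352d42332d31442d3543"
    "4f11" "0201000f0153534f5c64616c65776c"
    "5012" "bed3b19ec70f52e0ec31afcbd54555ad"
)


def parse_radius(packet):
    """Split a RADIUS datagram into header fields and (type, value) pairs."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "id": ident,
            "authenticator": packet[4:20], "attrs": attrs}


def attribute_names(packet):
    """Names of the AVPs in wire order, for eyeballing against a decode."""
    return [ATTR_NAMES.get(t, "type-%d" % t)
            for t, _ in parse_radius(packet)["attrs"]]


def build_request(ident, attrs):
    """Build a constructed Access-Request (zeroed authenticator) for tests."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body


def audit_requests(packets):
    """Return (index, finding) tuples for Access-Requests from one NAS."""
    findings, seen_ids = [], []
    for n, raw in enumerate(packets):
        pkt = parse_radius(raw)
        if CALLED_STATION_ID not in [t for t, _ in pkt["attrs"]]:
            findings.append((n, "Called-Station-Id (30) absent"))
        seen_ids.append(pkt["id"])
    # RFC 2865 matches replies and detects duplicates by source IP, source
    # port and Identifier, so a constant value across distinct requests
    # makes each new round look like a retransmission.
    if len(seen_ids) > 1 and len(set(seen_ids)) == 1:
        findings.append((None, "Identifier never changes: 0x%02x" % seen_ids[0]))
    return findings


if __name__ == "__main__":
    follow_up = build_request(0, [(1, b"SSO\\dalewl")])  # constructed
    print(attribute_names(SG300_REQUEST))
    for finding in audit_requests([SG300_REQUEST, follow_up]):
        print(finding)
```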
Radius NMAS 2 Calling station Id
Hello,
can the Novell RADIUS server be set up to provide authentication based on
MAC address and/or Calling - Station -ID ?
Currently running system 6.5sp2 servers and NMAS with radius.
Thanks
Michael
The called-station-id and calling-station-id attributes are generally
referred to as "request attributes" because the NAS provides them in the
access-request packet. Unfortunately, the current version of RADIUS does not
support request attributes. When you configure attributes for Novell RADIUS,
you may only configure attributes for the access-accept packet.
-
Cisco WLC with Bonjour services - MSE 3310 compatibility
Hi All,
We have a Cisco WLC 5508 currently running on code 7.2. We have Cisco MSE 3310 appliance (which is EoS & EoS) and it is running on code 7.2 as well.
Now, we want to implement Bonjour Gateway services to support Apple Services such as Apple TV, Apple Printer etc.
My understanding is that in order to deploy Bonjour gateway the controller needs to be at least on version 7.4.
I can upgrade the Controller Code, but I need to know the compatibility between Cisco WLC code 7.4 (7.4.100.0) with Cisco MSE 3310 code (7.3.101.0, as it is the highest code available). MSE 3310 appliance compatibility with WLC Code 7.4?
I checked the Cisco Software Compatibility Matrix, and it's not clear at all.
http://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html#pgfId-148309
Thanks and Regards,
CJ
If you really want to keep everything compatible, you might want to look at another route, like using Avahi as an mDNS gateway. Take a look at this document... there are other mDNS gateways out there which can work, but this doc is strictly for the Avahi:
http://www.cisco.com/c/en/us/support/docs/wireless/aironet-1100-series-access-point/113443-cuwn-apple-bonjour-dg-00.html
http://www.timabbott.com/computers/multi-vlan-airplay-with-avahi/
Thanks,
Scott
*****Help out other by using the rating system and marking answered questions as "Answered"***** -
Cisco APs get disconnected from cisco WLC after 30 min when connected on Juniper SRX
Hi,
I am connecting all my Cisco 1131AG APs via Juniper SRX 240 box and Cisco WLC is placed in the LAN.
We are running LWAPP in layer 3 mode. The APs get disassociated from the WLC after 30 min.
The Setup is like :-
AP->AccessSwitch-->JuniperSRX(reth2.0)-->JuniperSRX(reth1.0)-->CoreSwitch-->CiscoWLC
Could anyone please help me to resolve this issue?
Firmware for WLC is AIR-WLC4400-K9-4-2-99-0
Firmware for AP is 12.4(10b)JA1
The logs from WLC during disconnection :-
Mon Sep 6 20:05:52 2010 AP Disassociated. Base Radio MAC:00:1f:ca:2d:4e:a0
1 Mon Sep 6 20:05:52 2010 AP's Interface:0(802.11b) Operation State Down: Base Radio MAC:00:1f:ca:2d:4e:a0 Cause=Heartbeat Timeout
2 Mon Sep 6 20:05:51 2010 AP Disassociated. Base Radio MAC:00:1f:9e:c1:0d:30
3 Mon Sep 6 20:05:51 2010 AP's Interface:0(802.11b) Operation State Down: Base Radio MAC:00:1f:9e:c1:0d:30 Cause=Heartbeat Timeout -
Interface, Attribute and visibility
Dear all,
How can I make my attributes protected or private in an interface? The class setting up the interface then has the getter and setter methods for the attributes (even the interface has the methods too).
Kind regards
Roman
Hi Roman,
An interface should not be pictured as a template, but more as a communication channel for different objects with common characteristics. If you want a template to create other classes, with private/protected attributes, and methods, I recommend that you use an abstract class. An abstract class will allow you to declare attributes and methods without code. Of course, you cannot instantiate an abstract class; you have to create another class that inherits from it.
Cheers,
Luc -
Why Calling-Station-Id [31] attribute is "async"??
AS5350, IOS tried 12.4(4T) and 12.4(3b).
Cisco configured as dial-up server. When subscriber connects to some SPE via usual modem using radius authentication, his callback number may not be determined. Then I see in radius debug, that:
RADIUS: Calling-Station-Id [31] 7 "async"
When I used IOS 12.3(3a), in that case I saw a blank field instead of "async".
When callback number is determined i see, i.e.:
RADIUS: Calling-Station-Id [31] 12 "3272779467"
What does "async" mean? Why exactly this? How to cut this async off?
Okay. Let it be so. But in IOS 12.3(3a) there was a blank field. No "async" words.
Have you got any link to a document where it is said that "async" is a normal value of the 31st attribute of the RADIUS protocol? -
Cisco 3640, PPPoE, MAC in Calling-Station-Id
Hi ALL!
Almighty ALL, please tell me which IOS on 3640 can send the MAC address in Calling-Station-Id when a user is connecting via PPPoE? I tried the command "radius-server attribute 31 mac format unformatted" with no luck :(
Thanks!
You can try using the code 12.3(9.9) on a 3640. You could use the radius-server attribute nas-port format command to configure the NAS-Port field for the PPP extended format. And the called-station-id should be the mac of the AP.
-
Call/video not working between Cisco jabber for Windows and VCS control C40s
Hello,
I've been struggling with no luck how to make a call using Cisco Jabber for Windows 9.6.0 registered to CM 8.6.2 with intercluster ICT to another CM 8.6.2 where we have a VCS Control 7.0.2 via GK H225, and all C40s are registered as H.323.
The VCS has interworking between H323 and SIP, however not sure if there is any problem with that. Assuming it is ok, not sure either if I'm facing any interoperability issue because in my remote site I have C40 (H323 registered at VCS and SIP listening mode) and cisco jabber for windows which is SIP based.
If is not possible, would I be able to change my C40 from H323 to SIP at VCS, or have both H323/SIP registered at VCS? If so, will I need to change as well instead of GK I'll have to establish a SIP Trunk between the CM and VCS?
Another thing I do not believe either I would be able to have one VCS connected with two clusters, right?
I'm just trying to find a solution in case my current topology is not compatible, but feel free if you have any better idea to make it work.
Anyway here is what is happening:
When I make a call from my Cisco Jabber for Windows to the C40 using the alias number, the call is redirected just fine to the C40 and it rings; however, when someone or the auto answer picks it up, the call drops right away.
However, if I enabled the MTP in my CSF device, the call gets longer before dropping. I was even able to see my jabber " start video" turns green, before was grayed out all the time and the call dropped faster. I hear a fast busy tone.
I'm able to provide SDI traces, logs, diagnostic sip/h323 calls from VCS in order to know for sure if this is an incompatible issue or something I can workaround.
Let me know if any of you are interested in reading these logs or could point me in the right direction.
Thanks!
Ok,
I have looked at both logs. I have to mention, though, that you didn't provide the log that shows the h323 setup between cucm and the VCS. This is most likely because the call originated from a different cucm than the ones you provided the logs from.
The call would have originated from the first cucm in the cucm group of this trunk: Name=RL_TRUNK_VIDEO
The cucm ip will be: 10.252.53.10.
This is the VCS log that confirms where the h323 request originated
from:
Apr 10 22:50:29 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:29,187"
Module="network.h323" Level="DEBUG": Src-ip="10.252.53.10" Src-
port="54000"
Received RAS PDU:
Having said that, here is my analysis of the logs that you sent.
Jabber sent an INVITE to CUCM and advertised all the codecs (audio and video) it can support.
Observe that Jabber says it doesn't support G729 Annex B.
21:55:16.576 |//SIP/SIPTcp/wait_SdlReadRsp: Incoming SIP TCP message
from 10.223.20.73 on port 54677 index 90661 with 2220 bytes:
[862370,NET]
INVITE sip:[email protected];user=phone SIP/2.0
Via: SIP/2.0/TCP 10.223.20.73:54677;branch=z9hG4bK000029d3
From: "4122107" <sip:[email protected]>;tag=00059a3c78000011000070b0
-00000e65
To: <sip:[email protected]>
Call-ID: [email protected]
Max-Forwards: 70
Date: Fri, 11 Apr 2014 01:55:16 GMT
CSeq: 101 INVITE
User-Agent: Cisco-CSF/9.4.1
m=audio 19252 RTP/AVP 0 8 18 105 104 101
c=IN IP4 10.223.20.73
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:105 G7221/16000
a=fmtp:105 bitrate=24000
a=rtpmap:104 G7221/16000
a=fmtp:104 bitrate=32000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=sendrecv
m=video 28878 RTP/AVP 97
c=IN IP4 10.223.20.73
++++Now let's observe the capabilities exchange during h245 negotiation between cucm and VCS++++
Here CUCM advertises its caps to VCS (after receiving caps from VCS).
Note that G729A, G729AB, G729 are all advertised.
Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,017"
Module="network.h323" Level="DEBUG": Src-ip="10.252.53.10" Src-
port="45660"
Received H.245 PDU:
value MultimediaSystemControlMessage
::= request : terminalCapabilitySet
capabilityTableEntryNumber 2,
capability receiveAudioCapability :
g729wAnnexB : 6
capabilityTableEntryNumber 3,
capability receiveAudioCapability : g729AnnexAwAnnexB : 6
capabilityTableEntryNumber 4,
capability
receiveAudioCapability : g729 : 6
capabilityTableEntryNumber 5,
capability receiveAudioCapability :
g729AnnexA : 6
++++++
After doing MSD (master slave determination), we move to the OLC phase.
Here we see that the far end (C40) wants to use G729AB for media++++
Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,783"
Module="network.h323" Level="DEBUG": Src-ip="10.224.114.11" Src-
port="11163"
Received H.245 PDU:
value MultimediaSystemControlMessage
::= request : openLogicalChannel :
forwardLogicalChannelNumber 1,
forwardLogicalChannelParameters
dataType audioData :
g729AnnexAwAnnexB : 20,
multiplexParameters
h2250LogicalChannelParameters :
+++Next VCS sends G729AB as the codec to use to CUCM+++
Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,784"
Module="network.h323" Level="DEBUG": Dst-ip="10.252.53.10" Dst-
port="45660"
Sending H.245 PDU:
value MultimediaSystemControlMessage
::= request : openLogicalChannel :
forwardLogicalChannelNumber 1,
forwardLogicalChannelParameters
dataType audioData :
g729AnnexAwAnnexB : 20,
multiplexParameters
h2250LogicalChannelParameters :
++++The next thing we get is an OLC reject from CUCM, and this is where the call drops++
Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,790"
Module="network.h323" Level="DEBUG": Src-ip="10.252.53.10" Src-
port="45660"
Received H.245 PDU:
value MultimediaSystemControlMessage
::= response : openLogicalChannelReject :
forwardLogicalChannelNumber 1,
cause dataTypeNotSupported : NULL
Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,790"
Module="network.h323" Level="INFO": Dst-ip="10.224.114.11" Dst-
port="11163"
Detail="Sending H.245 OpenLogicalChannelRejResponse
+++We then receive a call release from cucm with cause code of 47:
resource unavailable++++
Apr 10 22:50:32 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:32,365"
Module="network.h323" Level="DEBUG": Src-ip="10.252.53.10" Src-
port="50913"
Received H.225 PDU:
Q931
Message Type: Release
Complete
Call reference flag: Message sent from originating side
Call reference value: 0x7b
Info Element : Cause
Location: Usr
Cause Value: Resource unavailable
Info Element : User User
Length = 22
Suggestions:
Change the region setting between the ICT trunk to VCS and Jabber to use
G711 and test again. -
What attributes are shared between a Radius Server and a WLC?
I have a customer who is trying to setup a Radius server to authenticate Management users for the controller,
she is using a Microsoft NPS R2 server. All good at this point.
She needs to know what attributes are shared between the server and the WLC to complete the authentication
because she is being successfully authenticated, but still unable to access the WLC.
Does anyone know what those attributes are?
The only information at the moment that I found, was on a document that said that different management
users can receive different Vendor-specific Attributes. That means that the returned attributes to the WLC
will depend on what RADIUS server model or platform you are using.
Robin,
For using Microsoft radius to authenticate management users, you can reference this document, which shows you the steps involved.
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/91392-airespace-vsa-msias-config.html
Thanks,
Scott
*****Help out other by using the rating system and marking answered questions as "Answered"***** -
Cisco WLC 2504 and ways to authenticate users
Hi All,
What are the ways to make users authenticate to a WLC 2504, what is the best and simplest way, and what are the differences between each method (I mean, for example, does a RADIUS server or something else need to exist)?
Can anyone give me a case study for this issue?
The system consists of a Cisco 2504 and Cisco LAP 1140.
Thanks
To implement RADIUS-based authentication is the best practice for small and enterprise environments.
Information About RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol that provides centralized security for users attempting to gain management access to a network. It serves as a backend database similar to local and TACACS+ and provides authentication and accounting services:
•Authentication—The process of verifying users when they attempt to log into the controller.
Users must enter a valid username and password in order for the controller to authenticate users to the RADIUS server. If multiple databases are configured, you can specify the sequence in which the backend database must be tried.
•Accounting—The process of recording user actions and changes.
Whenever a user successfully executes an action, the RADIUS accounting server logs the changed attributes, the user ID of the person who made the change, the remote host where the user is logged in, the date and time when the command was executed, the authorization level of the user, and a description of the action performed and the values provided. If the RADIUS accounting server becomes unreachable, users are able to continue their sessions uninterrupted.
RADIUS uses User Datagram Protocol (UDP) for its transport. It maintains a database and listens on UDP port 1812 for incoming authentication requests and UDP port 1813 for incoming accounting requests. The controller, which requires access control, acts as the client and requests AAA services from the server. The traffic between the controller and the server is encrypted by an algorithm defined in the protocol and a shared secret key configured on both devices.
You can configure multiple RADIUS accounting and authentication servers. For example, you may want to have one central RADIUS authentication server but several RADIUS accounting servers in different regions. If you configure multiple servers of the same type and the first one fails or becomes unreachable, the controller automatically tries the second one, then the third one if necessary, and so on.
For more Information : http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_security_sol.html#wp2149947