Cisco WLC and Steel Belted RADIUS

We have a Cisco WLC controller that has two SSIDs, one for users and one for guests.
We need the users on SSID 1 to take their username and password from a user group in Active Directory through Steel Belted RADIUS.
Please send me any integration guide between Cisco WLC and Steel Belted RADIUS.
Regards

Hi Mohammad,
I am unaware of a specific Steel Belted RADIUS integration guide for the WLCs; however, the configuration process on the controller will be the same:
Cisco WLC Configuration Guide 7.0 - Configuring RADIUS:
http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70sol.html#wp1388328
You may wish to contact your RADIUS vendor for additional configuration steps on the server.
Best,
Drew

Similar Messages

  • Nexus 5K and 7K RADIUS Authorization with Steel Belted RADIUS

    I am attempting to provide very basic authorization via Steel Belted RADIUS for a Nexus deployment.
    Here is the code from the Nexus:
    radius-server host [server]  key [key]
    radius-server host [server]  key [key]
    ip radius source-interface mgmt0
    aaa group server radius GEN_AAA
        server [server]
        server [server]
        use-vrf management
        source-interface mgmt0
    aaa authentication login default group GEN_AAA
    aaa authentication login console group GEN_AAA
    aaa accounting default group GEN_AAA
    aaa authentication login error-enable
    On the Steel Belted RADIUS server the client is set up as a basic IOS 11.1 or later (Nexus is not an option).  The group setup for the relevant user group has a return code of:
    shell:roles*"network-admin"
    shell:priv-lvl=15
    When I authenticate from a Catalyst 6509 with IOS 12.2 the authorization based on the shell:priv-lvl works fine.  Only those users in the 'special' group have admin (lvl 15) access.
    With the Nexus gear I authenticate fine but the RADIUS user is always put in the network-operator role (default) regardless of the 'special' group shell:roles*"network-admin" return code defined.
    In other words it seems to work fine for IOS devices (Catalyst 6500 and 3750E so far) but not at all for Nexus gear.  Unfortunately I am not in a position to suggest and implement ACS or another AAA server that supports TACACS.
    Is there any way to pull this off with SBR?
    Any help is much appreciated.

    Hello Nusrat,
    I appreciate the pointer.  If I was using TACACS for AAA, authorization sets would be a consideration.  However, authorization is not permitted when using RADIUS for AAA on the Nexus platform.
    In any case I was able to resolve the issue with the assistance of the customer and their support contact at Juniper.  For the VSA feature to begin working a change to the INI file and a restart of the SBR services was required.  Placing the desired group of users in the network-admin group is functioning as desired.
    NOTE:
    In addition to the configuration in the original post the following should be added to stop any 'standard' users defined on the SBR server from logging in with network-operator privileges:
    no aaa user default-role
    If no role is provided from the RADIUS server via the Cisco-AVPAIR VSA (ex. Cisco-AVPAIR = shell:roles*network-admin) by default a Nexus box places the user in the network-operator role.  This role has complete read access on the system allowing, among other things, a read view of the configuration.  The above command stops any role mapping resulting in non-configured users / groups on the RADIUS box not being able to log in period.
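    An added example, not code from the thread, modelling how a Nexus switch acts on the Cisco-AVPair values returned by SBR and what "no aaa user default-role" changes. Role names and the default-role behaviour are taken from the post; the "=" (mandatory) versus "*" (optional) separator rule is standard Cisco AV-pair syntax, and treating several roles as space separated is an assumption.

```python
# Added example (not code from the thread): a model of how a Nexus switch
# interprets the Cisco-AVPair values returned by SBR, and what the
# "no aaa user default-role" setting changes. Role names and the default
# role behaviour are taken from the thread; the parsing rules for Cisco
# AV-pairs ("=" mandatory, "*" optional) are standard Cisco syntax.
import re
from typing import List, Optional, Tuple

DEFAULT_ROLE = "network-operator"  # role NX-OS assigns when RADIUS returns none

# attribute=value (mandatory) or attribute*value (optional)
AVPAIR_RE = re.compile(r"^(?P<attr>[A-Za-z0-9_:-]+)(?P<sep>[=*])(?P<value>.*)$")


def parse_avpair(avpair: str) -> Tuple[str, bool, str]:
    """Split one Cisco-AVPair string into (attribute, mandatory, value)."""
    m = AVPAIR_RE.match(avpair.strip())
    if not m:
        raise ValueError(f"malformed Cisco-AVPair: {avpair!r}")
    # SBR users often quote the role list, as in the thread: shell:roles*"network-admin"
    value = m.group("value").strip().strip('"')
    return m.group("attr"), m.group("sep") == "=", value


def resolve_roles(avpairs: List[str], default_role_enabled: bool = True) -> Optional[List[str]]:
    """Roles a user would get from an Access-Accept carrying these AV-pairs.

    Returns the role list, or None when the login would be refused: no
    shell:roles was returned and "no aaa user default-role" is configured.
    Only shell:roles is considered; the thread shows shell:priv-lvl alone
    did not grant admin on Nexus, so it is not mapped here.
    """
    roles: List[str] = []
    for avpair in avpairs:
        attr, _mandatory, value = parse_avpair(avpair)
        if attr == "shell:roles":
            roles.extend(value.split())  # several roles space separated (assumption)
    if roles:
        return roles
    return [DEFAULT_ROLE] if default_role_enabled else None


if __name__ == "__main__":
    sbr_reply = ['shell:roles*"network-admin"', "shell:priv-lvl=15"]
    print(resolve_roles(sbr_reply))                                          # ['network-admin']
    print(resolve_roles(["shell:priv-lvl=15"]))                              # ['network-operator']
    print(resolve_roles(["shell:priv-lvl=15"], default_role_enabled=False))  # None
```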

  • Aironet 350 AP's with Funk's Steel Belted Radius Server

    I have heard that the Aironet APs don't play nice with Funk's Steel Belted Radius Server. Has anyone had any experience with these products? Anything you have heard about this problem would be good to know. I have a customer that already has Funk's software and doesn't want to change if he doesn't have to. Thanks, David Beaver

    I have used FUNK's beta code with LEAP support with no problems. The only issue we had and still do, is that we can't use the RADIUS server to authenticate against an LDAP server. I believe that they are working on that also.

  • Import Steel Belted Radius users to ACS

    Is there a method to import SBR (local) users into ACS?  Perhaps via some intermediate tool?  The SBR exports will contain one-way-hashed passwords, so the question is really whether there is any method to import ACS users with these?

    Hi Tarik
    That's very helpful, but one problem is that the authenticating devices are specialised hardware on which the users cannot change their passwords - it has to be done by local administration staff who have the necessary tools.  So the question is whether there is any mechanism to use an exported file from Steel Belted Radius, including hashed passwords, which can be imported into ACS?
    The passwords are stored directly in the SBR server.  I've just had a look at what it's capable of exporting, and it seems I can get the data out in XML format, which I can then manipulate, of course.  However, the issue is that the passwords are not exported in plain text.  If the password is stored as a hash on the SBR server, you get an MD5 hash in the XML file.  If it is stored in "plain text" in the SBR server then the XML export shows the password in encrypted form. 

  • Mobility between Cisco WLC and Meraki(other vendor)

    Is it possible for users to roam between Cisco WLC and other vendors' wireless gear? Meraki keeps saying it is possible.
    They keep saying it is an IEEE feature and everyone should support it, but I do not understand how?

    While theoretically possible with the adoption of CAPWAP, it would require all the manufacturers to follow the specs exactly the same. Kind of like herding cats: not impossible, but highly unlikely. That's just my opinion.
    Sent from Cisco Technical Support iPad App

  • Certificate based authentication with Cisco WLC and Juniper IC

    Hi
    I have a Cisco WLC 4400 and a Juniper IC which works as the external RADIUS server.
    I want the wireless clients to be authenticated using certificates. I know the Juniper IC can understand certificates.
    My question is: can the Cisco WLC understand that the information being presented to it by the client is not a username/password but a user certificate?
    I have also looked at this article:
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100590-ldap-eapfast-config.html
    What I don't understand here is the need for the WLC to authenticate the user with his credentials via LDAP when it has already authenticated the user cert.
    All your help is appreciated.

    Hi,
    Since you use an external RADIUS server you don't have to worry about this.
    The only config that you need to do on the WLC is to define the RADIUS server under Security-AAA-Radius-Authentication and on your WLAN-Security-AAA.
    The doc you refer to is only for Local RADIUS on the WLC.
    Hope this helps
    Regards,
    Christos

  • Cisco WLC and Microsoft NAP

    Hi, I want to integrate my Cisco WLC directly into Microsoft NAP. Is this possible?
    Thanks

    Follow the table in the link http://www.cisco.com/en/US/docs/security/nac-nap/1.0/release/notes/NACNAPRN.html#wp1134942 for the integration of WLC and Microsoft NAP.

  • Cisco WLC and Airtight SS-300AT-C-60

    Hello guys, I have some AirTight APs (SS-300AT-C-60) which are working standalone as a WIPS. Those devices can work as APs too, but
    I was wondering if a Cisco WLC can support them. I mean, is there any way to manage these AirTight devices via CAPWAP using a Cisco controller?

    Why not?  Because AirTight ain't owned by Cisco.  And if they are, Cisco's customer base and AirTight's customer base are two different and distinct group.

  • Web auth with internal web page of WLC and ISE as RADIUS server

    Hi all,
    We have created an SSID as web auth with the internal web page for login. In the advanced tab we configured the AAA server. AD is integrated with ISE.
    When the user tries to get connected, he gets the redirect URL. But during the authentication we are getting an error in ISE:
    "ise has problems communicating with active directory using its machine credentials" and the authentication fails.
    When we have the L2 security mechanism enabled with PEAP, ISE is able to read the AD and provide authentication.
    Only for L3 web auth it is not happening.
    Any clue on this?
    Thanks,
    Regards,
    Vijay.

    Machine credentials require a lookup on the computer OU, and that has to be defined on the client side.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Cisco WLC and Unsecured WLAN with redirect

    Hi Folks,
    Can someone point me in the right direction here.
    I have a WLC box. I want to create a WLAN which will
      1.) allow anyone to connect without authentication;
      2.) once connected, redirect them to a web server for further instructions.
    Any suggestions greatly appreciated.
    Cheers

    Hi George,
    I have downloaded those files and will have a look now.
    I have a couple of other questions in relation to this.
    When users connect to this SSID and fire up their browser, they are redirected to an https page: https://1.1.1.1/login.html?redirect
    Obviously the end users will receive a warning as they will not trust the certificate. The SAN on the certificate is URL=https://1.1.1.1, IP Address=1.1.1.1
    This 1.1.1.1 address maps to a virtual interface on both controllers that we have.
    Why does it go to this page?
    Also, how do I go about getting a public cert so end users don't get a cert warning? There are obviously DNS issues.
    Cheers

  • Cisco WLC 2500 - 802.1x with Vasco Radius SMS OTP

    Hello folks,
    I have what seems to be a complex implementation with many things that need to be done on a customers network and I wanted to be pointed in the right direction.
    The current scenario is this: the customer has a Cisco WLC 2500 device that has 3 access points (these are in the same AP group) connected to it. There is one SSID that I will call PRODUCTION here that some domain users use to connect to the local network. The customer has requested to have a GUEST SSID added to the WLC where guest users will connect and receive an SMS OTP for authentication.
    Correct me if I am wrong, but I will obviously need to segment the SSIDs to have them running on different subnets to ensure that guest users do not have access to the production network once they authenticate. In order to do this I will need to configure dynamic VLAN assignment for the Cisco WLC and connect it to an 802.1x port on the switch.
    Now what is not clear is that I am not interested in authenticating the users that connect via the "Production SSID" and want to bypass authentication for those users and have them assigned to the default VLAN (or perhaps have them authenticate via LDAP on the AD); however, I want to force the "GUEST" SSID users to authenticate so that they may receive an SMS OTP (the reason for this is to force guests to register their phone numbers to use the internet so that illegal activity may be tracked).
    1) So would it be possible to bypass authentication (or authenticate them via LDAP) for the PRODUCTION SSID, as only domain users would know the SSID password to log on, and have them by default assigned to the production subnet (default VLAN), but force the GUEST SSID users to another VLAN via 802.1x SMS OTP?
    2) *Important* Another issue that is not clear is whether I will be able to directly configure AAA RADIUS settings on the Cisco WLC to authenticate directly with the VASCO RADIUS OTP and receive a challenge-response (required for OTP) during authentication. As I have seen from Cisco's dynamic VLAN assignment documentation (http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml), additional IETF RADIUS parameters such as Tunnel-Private-Group-ID etc. are used, which I can't seem to configure on the Vasco.
    I do believe this is a great project in helping me understand the INs and OUTs of Cisco WLC as well as wireless NAC. If anyone could enlighten me and point me in the right direction I would be forever in debt. Much appreciated.
    Best Regards
    Sinan Barghouthi - JNCIA-FWV , JNCIA-IDP , CCA-NS , TCSM-8.0

    On your WLAN you can enable AES and TKIP. Just know that some clients may have issues when they see both TKIP and AES. I've had pretty good success with this in the past. Don't forget, you also need to enable WMM allowed to get N rates.
    But you will need to configure AES on the client as well to support N rates.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Configure cisco wlc for rsa authentication

    Hi,
    I wanted to find out if it is possible to authenticate wireless networks using RSA. Currently we have a Cisco WLC 2504 and RSA Authentication Manager 7.1.
    Do we require a Cisco ACS device to make this work? Please advise.
    Thanks

    Yes, it is possible. Below is the list of items which you require to configure RSA authentication on the WLC:
    1. RSA Authentication Manager 6.1
    2. RSA Authentication Agent 6.1 for Microsoft Windows
    3. Cisco Secure ACS 4.0(1) Build 27
       Note: The RADIUS server that is included can be used in place of the Cisco ACS. See the RADIUS documentation that was included with the RSA Authentication Manager on how to configure the server.
    4. Cisco WLCs and Lightweight Access Points for Release 4.0 (version 4.0.155.0)
    For more information you can go through this link:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008090399a.shtml

  • CISCO WLC How to Block a Client

    Hi,
    We are using a Cisco WLC and broadcasting a number of SSIDs.
    What we want to do is to block some specific users from specific SSIDs while letting them connect to another SSID.
    Does anyone have any idea?

    You can use RADIUS 802.1x authentication, or you can set up MAC filtering on the WLC and specify which WLANs they can connect to. They will only be able to connect to one SSID though.
    This setup you have is not normal, as you want to have a device only connect to one SSID for simplicity and for user experience. Having them be able to connect to multiple
    SSIDs can lead to connectivity issues on the client side, since the device might switch back and forth between the different SSIDs. Also, the more SSIDs you have, the more noise in the environment. Typically 3-4 SSIDs max is suggested.
    Sent from Cisco Technical Support iPhone App

  • WLC and LWAP Registration Log Question

    We have a Cisco 4404 WLC and about 70 Cisco 1131 APs.  I am very new to the Cisco WLC and I need to know how to view its AP registration and unregistration logs.  We have an AP that has unregistered and we can't seem to find what switchport it was attached to.  It would be helpful to know the IP address and ideally any CDP information it had.  Unfortunately you can only view this information in the WLC if the AP is registered, but at this point it is not.  Any help would be appreciated.

    You will not be able to find that info unless you still see the information on the log about the AP. You would have to either review the switch cdp info as long as the AP is still functioning or else you will just need to physically track it down. If you have WCS or NCS, you should be able to review the past history and the maps would show you where that AP was located if the ap were positioned correctly.
    Thanks,
    Scott Fella
    Sent from my iPhone

  • Cisco WLC AP count over SNMP

    Hi,
    Is it possible to monitor the number of APs on a Cisco WLC and the number of wireless clients?
    I only found a list of AP names over SNMP...
    Thanks in advance

    Hi Ralf,
    if it's not too late:
    I use this script directly in the monitoring system.
    # Walk the AP table on the WLC and count the returned rows (one per registered AP)
    main () {
        VALUE=`snmpwalk -v 2c -c xxxCommunityxxx X.X.X.X 1.3.6.1.4.1.9.9.513.1.1.1.1.2 | wc -l`
        echo "Message: Warning! Number of registered APs decreased."
        echo "Data:Count"
        # printf expands the tab portably; echo "\t" only works in some shells
        printf "Count\t%s\n" "$VALUE"
        exit 0
    }
    main "$@"
    This is shell, but you can also use just this one simple line
    `snmpwalk -v 2c -c xxxCommunityxxx X.X.X.X 1.3.6.1.4.1.9.9.513.1.1.1.1.2 | wc -l`
    (from Linux)
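    An added example, not code from the thread, that counts APs from the output of the same snmpwalk instead of piping it to wc -l: wc -l also counts diagnostic lines such as "Timeout: No Response from ..." and so reports a dead controller as one AP. The walk output embedded below is constructed, not captured from a real WLC, and the host and community names are placeholders.

```python
# Added example (not code from the thread): count registered APs from the
# output of the snmpwalk the thread uses, rather than piping it to wc -l.
# wc -l also counts diagnostic lines such as "Timeout: No Response from ..."
# and reports them as APs. The sample walk output below is constructed.
import re
import subprocess
from typing import Tuple

AP_OID = "1.3.6.1.4.1.9.9.513.1.1.1.1.2"  # OID walked in the thread (CISCO-LWAPP-AP-MIB)

# One table row per line: "<oid>.<instance> = <TYPE>: <value>"; anything else is noise.
VALUE_LINE = re.compile(r"^(?P<oid>\S+) = [\w-]+: ")


def count_registered_aps(walk_output: str) -> int:
    """Number of distinct instance rows in snmpwalk output, ignoring error lines."""
    instances = set()
    for line in walk_output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            instances.add(m.group("oid"))
    return len(instances)


def check_ap_count(current: int, expected: int) -> Tuple[str, str]:
    """Status and message for the monitoring system, compared to a known baseline."""
    if current < expected:
        return "WARNING", f"Number of registered APs decreased: {current} of {expected}"
    return "OK", f"{current} registered APs"


def walk_controller(host: str, community: str, timeout: int = 30) -> str:
    """Run the same snmpwalk as in the thread and return its output (needs net-snmp)."""
    result = subprocess.run(
        ["snmpwalk", "-v", "2c", "-c", community, host, AP_OID],
        capture_output=True, text=True, timeout=timeout, check=False,
    )
    return result.stdout + result.stderr  # keep diagnostics visible to the caller


# Constructed sample output: three AP rows, then a failed walk.
SAMPLE_WALK = """\
SNMPv2-SMI::enterprises.9.9.513.1.1.1.1.2.0.11.133.1.2.3 = STRING: "AP-Lobby"
SNMPv2-SMI::enterprises.9.9.513.1.1.1.1.2.0.11.133.4.5.6 = STRING: "AP-Lab"
SNMPv2-SMI::enterprises.9.9.513.1.1.1.1.2.0.11.133.7.8.9 = STRING: "AP-Floor2"
"""
TIMEOUT_WALK = "Timeout: No Response from 192.0.2.10\n"

if __name__ == "__main__":
    print(count_registered_aps(SAMPLE_WALK), "vs wc -l:", len(SAMPLE_WALK.splitlines()))    # 3 vs wc -l: 3
    print(count_registered_aps(TIMEOUT_WALK), "vs wc -l:", len(TIMEOUT_WALK.splitlines()))  # 0 vs wc -l: 1
    print(check_ap_count(count_registered_aps(TIMEOUT_WALK), 3))
```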
