Controller 4402 + 802.1x + WPA + ACS

Dear friends,
Somebody could PLEASE give me a step-by-step of how configure this stuff??? The ACS configuration is all complete, but I couldn't simply associate and authenticate my clients against RADIUS server.
I tried to follow the configuration guide, but when I enable 802.1x, the controller does not permit me configure WPA (as I can do in aironet 1100 access points). Why this?
Please, this is very confusing...
Thanks

Hi,
I am just looking on my wcs-interface (4v0).
In menu-item "Layer 2 Security":
choose WPA1+WPA2
Then in menu-item "WPA1+WPA2 Parameters"
choose WPA1 and/or WPA2 "Enabled"
In menu-item "AuthenticationKeyManagement"
choose "8021x"
Maybe you have choosen the 8021x in menu-item "Layer2 Security" what is just wrong.

Similar Messages

1131ag LWAP in WLAN controller 4402

Hi, i have 1131ag but at controller 4402 i see Number of radio interfaces 2, 802.11b/g/n admin status enable, oper status up and regulatory domain supported, but en 802.11a/n admin status enable, oper status down and regulatory domain not supported, why 802.11a is not supported?

hello, AP is the model AIR-LAP1131AG-A-K9 and I configured the controller with the code of mexico MX. Now try the U.S. code, but it is the same result.
Juan Ramon
thanks....

802.1x with ACS 4.2 (RADIUS) problem

HI all!
I am trying to configure AAA authentication and authorization with Cisco 3725 (IOS 12.4(17)) for 802.1x and ACS 4.2 with VLAN assignment to my Windows XP client. (trying to assign VLAN 100 in my scenario).
When user connects to the Router, it passes the authentication process (EAP-MD5). In my debug i see that Router recieves the Radius Attributes BUT does not apply anything!
My running config:
Building configuration...
Current configuration : 1736 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R4
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
memory-size iomem 5
ip cef
no ip domain lookup
ip domain name lab.local
ip device tracking
dot1x system-auth-control
interface FastEthernet0/0
ip address 10.10.0.253 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
interface FastEthernet1/0
dot1x port-control auto
interface FastEthernet1/1
interface FastEthernet1/2
interface FastEthernet1/3
interface FastEthernet1/4
interface FastEthernet1/5
interface Vlan1
ip address 192.168.1.1 255.255.255.0
interface Vlan100
ip address 192.168.100.1 255.255.255.0
ip forward-protocol nd
no ip http server
no ip http secure-server
mac-address-table static 0800.27b1.b332 interface FastEthernet1/0 vlan 1
radius-server host 10.10.0.2 auth-port 1645 acct-port 1646 key cisco
radius-server vsa send accounting
radius-server vsa send authentication
My Radius debug information:
*Mar 1 00:21:31.487: RADIUS: Pick NAS IP for u=0x65BAF324 tableid=0 cfg_addr=0.0.0.0
*Mar 1 00:21:31.491: RADIUS: ustruct sharecount=2
*Mar 1 00:21:31.491: Radius: radius_port_info() success=1 radius_nas_port=1
*Mar 1 00:21:31.491: RADIUS: added cisco VSA 2 len 15 "FastEthernet1/0"
*Mar 1 00:21:31.491: RADIUS: Request contains 9 byte EAP-message
*Mar 1 00:21:31.491: RADIUS: Added 9 bytes of EAP data to request
*Mar 1 00:21:31.495: RADIUS/ENCODE: Best Local IP-Address 10.10.0.253 for Radius-Server 10.10.0.2
*Mar 1 00:21:31.507: RADIUS(00000000): Send Access-Request to 10.10.0.2:1645 id 1645/3, len 127
*Mar 1 00:21:31.511: RADIUS: authenticator 36 68 24 30 F0 CC E8 3C - 69 48 61 E3 DA 28 52 AC
*Mar 1 00:21:31.511: RADIUS: NAS-IP-Address      [4]   6   10.10.0.253
*Mar 1 00:21:31.511: RADIUS: NAS-Port            [5]   6   0
*Mar 1 00:21:31.511: RADIUS: Vendor, Cisco       [26] 23
*Mar 1 00:21:31.515: RADIUS:   cisco-nas-port     [2]   17 "FastEthernet1/0"
*Mar 1 00:21:31.515: RADIUS: NAS-Port-Type       [61] 6   X75                       [9]
*Mar 1 00:21:31.515: RADIUS: User-Name           [1]   6   "user"
*Mar 1 00:21:31.515: RADIUS: Calling-Station-Id [31] 19 "08-00-27-B1-B3-32"
*Mar 1 00:21:31.515: RADIUS: Service-Type        [6]   6   Framed                    [2]
*Mar 1 00:21:31.515: RADIUS: Framed-MTU          [12] 6   1500
*Mar 1 00:21:31.515: RADIUS: EAP-Message         [79] 11
*Mar 1 00:21:31.515: RADIUS:   02 1D 00 09 01 75 73 65 72                       [?????user]
*Mar 1 00:21:31.515: RADIUS: Message-Authenticato[80] 18
*Mar 1 00:21:31.515: RADIUS:   B1 8B 8F 4C F1 6D C9 A6 4E 96 B8 3D 53 E9 41 12 [???L?m??N??=S?A?]
*Mar 1 00:21:31.555: RADIUS: Received from id 1645/3 10.10.0.2:1645, Access-Challenge, len 93
*Mar 1 00:21:31.555: RADIUS: authenticator DF 38 A1 1B ED 3C 1E B2 - 1A 92 6A D5 58 CE B8 4A
*Mar 1 00:21:31.555: RADIUS: EAP-Message         [79] 28
*Mar 1 00:21:31.555: RADIUS:   01 1E 00 1A 04 10 BE BA B4 B0 26 9D 52 0E 43 BC [??????????&?R?C?]
*Mar 1 00:21:31.555: RADIUS:   33 46 8E A8 C6 45 47 4E 53 33                    [3F???EGNS3]
*Mar 1 00:21:31.555: RADIUS: State               [24] 27
*Mar 1 00:21:31.555: RADIUS:   45 41 50 3D 30 2E 31 66 66 2E 39 38 36 2E 31 3B [EAP=0.1ff.986.1;]
*Mar 1 00:21:31.559: RADIUS:   53 56 43 3D 30 2E 31 35 3B                       [SVC=0.15;]
*Mar 1 00:21:31.559: RADIUS: Message-Authenticato[80] 18
*Mar 1 00:21:31.559: RADIUS:   22 C8 D5 BB 44 FC FC 14 D3 2C C9 42 A3 9B A4 9E ["???D????,?B????]
*Mar 1 00:21:31.563: RADIUS: Found 26 bytes of EAP data in reply (ofs 0)
*Mar 1 00:21:31.563: RADIUS: Received 26 byte EAP Message in reply
*Mar 1 00:21:31.587: RADIUS: Pick NAS IP for u=0x65BAF324 tableid=0 cfg_addr=0.0.0.0
*Mar 1 00:21:31.587: RADIUS: ustruct sharecount=1
*Mar 1 00:21:31.587: Radius: radius_port_info() success=1 radius_nas_port=1
*Mar 1 00:21:31.587: RADIUS: added cisco VSA 2 len 15 "FastEthernet1/0"
*Mar 1 00:21:31.591: RADIUS: Request contains 26 byte EAP-message
*Mar 1 00:21:31.591: RADIUS: Added 26 bytes of EAP data to request
*Mar 1 00:21:31.591: RADIUS/ENCODE: Best Local IP-Address 10.10.0.253 for Radius-Server 10.10.0.2
*Mar 1 00:21:31.591: RADIUS(00000000): Send Access-Request to 10.10.0.2:1645 id 1645/4, len 171
*Mar 1 00:21:31.591: RADIUS: authenticator 0A A2 1F 7C 12 A8 AB F7 - 9F 87 C6 51 A4 0D EA A2
*Mar 1 00:21:31.595: RADIUS: NAS-IP-Address      [4]   6   10.10.0.253
*Mar 1 00:21:31.595: RADIUS: NAS-Port            [5]   6   0
*Mar 1 00:21:31.595: RADIUS: Vendor, Cisco       [26] 23
*Mar 1 00:21:31.595: RADIUS:   cisco-nas-port     [2]   17 "FastEthernet1/0"
*Mar 1 00:21:31.595: RADIUS: NAS-Port-Type       [61] 6   X75                       [9]
*Mar 1 00:21:31.595: RADIUS: User-Name           [1]   6   "user"
*Mar 1 00:21:31.595: RADIUS: Calling-Station-Id [31] 19 "08-00-27-B1-B3-32"
*Mar 1 00:21:31.595: RADIUS: Service-Type        [6]   6   Framed                    [2]
*Mar 1 00:21:31.595: RADIUS: Framed-MTU          [12] 6   1500
*Mar 1 00:21:31.595: RADIUS: State               [24] 27
*Mar 1 00:21:31.595: RADIUS:   45 41 50 3D 30 2E 31 66 66 2E 39 38 36 2E 31 3B [EAP=0.1ff.986.1;]
*Mar 1 00:21:31.595: RADIUS:   53 56 43 3D 30 2E 31 35 3B                       [SVC=0.15;]
*Mar 1 00:21:31.595: RADIUS: EAP-Message         [79] 28
*Mar 1 00:21:31.595: RADIUS:   02 1E 00 1A 04 10 AA 09 8E 39 DE 29 E4 CC C6 BC [?????????9?)????]
*Mar 1 00:21:31.595: RADIUS:   7F 01 C8 47 EC 74 75 73 65 72                    [???G?tuser]
*Mar 1 00:21:31.595: RADIUS: Message-Authenticato[80] 18
*Mar 1 00:21:31.595: RADIUS:   33 57 82 E2 5C 24 A2 8C 67 CC 0D 8C 25 12 74 13 [3W??\$??g?????t?]
*Mar 1 00:21:31.731: RADIUS: Received from id 1645/4 10.10.0.2:1645, Access-Accept, len 90
*Mar 1 00:21:31.731: RADIUS: authenticator A0 0E DF D7 87 FD 9E B6 - BB 64 04 4F 56 2A 03 89
*Mar 1 00:21:31.735: RADIUS: Framed-IP-Address   [8]   6   255.255.255.255
*Mar 1 00:21:31.735: RADIUS: EAP-Message         [79] 6
*Mar 1 00:21:31.735: RADIUS:   03 1E 00 04                                      [????]
*Mar 1 00:21:31.735: RADIUS: Tunnel-Type         [64] 6   01:VLAN                   [13]
*Mar 1 00:21:31.739: RADIUS: Tunnel-Medium-Type [65] 6   01:ALL_802                [6]
*Mar 1 00:21:31.739: RADIUS: Tunnel-Private-Group[81] 6   01:"100"
*Mar 1 00:21:31.739: RADIUS: Class               [25] 22
*Mar 1 00:21:31.739: RADIUS:   43 41 43 53 3A 30 2F 35 62 31 2F 61 30 61 30 30 [CACS:0/5b1/a0a00]
*Mar 1 00:21:31.739: RADIUS:   66 64 2F 30                                      [fd/0]
*Mar 1 00:21:31.739: RADIUS: Message-Authenticato[80] 18
*Mar 1 00:21:31.739: RADIUS:   75 BC F2 E0 91 07 6C 12 4D 5C BB 50 A4 FD D3 26 [u?????l?M\?P???&]
*Mar 1 00:21:31.739: RADIUS: Found 4 bytes of EAP data in reply (ofs 0)
*Mar 1 00:21:31.739: RADIUS: Received 4 byte EAP Message in reply
As a result the vlan-switch data based does not change.
Any help will be appreciated!
Thanks a lot,
Chelovekov Alexander

I've tried multiple ways to cope with this problem but nothing was helpfull...
Tunnel-Medium-Type [65] 6   01:ALL_802
I use only ACS Radius attributes and chose ony what ACS allows me to choose (Tunnel-medium-type: 802).
Screenshot n attachment.
The same situation occurs when i try to use some Vendor Specific Attributes (Cisco-AV-Pair) - downloadable ACEs to my user, and again, i see Radius attributes in my debug but nothing is applied to my L3 Switch.
What am i missing?

802.1x with ACS and Windows AD

Hi
Im trying to setup 802.1x with ACS 5.2 but am struggling as its very differnet to ACS 4.2.
I have setup the ACS to be the domain and think i have setup up the External Idnetity Store, however when i try to authenticate a pc using authentication Medthod 'PEAP (EAP-MSCHAPv2), i get a failure reason '22056 Subject not found in the applicable identity store'
Marco

Hi Marco,
i guess you've missed a mapping configuration in the Access Policy Section.
Create a Access Service name it AS-802.1x select User Select Service Type and select Network Access. Select the Policy Structure Identity and Authorization. Select PEAP as allowed Protocol. Click Finish
You'll see the new service click Identity.
Select the identity source you've created then save.
Click on authorization
Select a default authorization rule permit access and save.
Create a Service Access Rule name it 802.1x
Select Protocol Radius as Condition and as Compound Condition select RADIUS-IETF:Service-Type match Framed then select the service you created before.
then you can try again.
regards
alex

WLAN Controller 4402 - Port HA Fails

We have a WLAN Controller 4402, with firmware version 4.0.206.0. The ports are connected to 2 separate switches. 'ap-manager' is on port 1, and 'ap-manager 2' is on port 2. The wireless network is running fine when both ports are connected. However, when I disconnect port 1, the client be disassociated, then re-associated, but unable to grab DHCP IP address. I have also assigned a static IP address on the client, but is unable to ping anywhere, not even the gateway. From what I understand, the ports should be able to backup each other in case of failure, but the HA does not seem to work. What could be wrong?

Let me make sure I understand something about this bug your referring to. In order to see if this might be affecting us I would want to change my controllers ap-manager interface gateway address from that of the hsrp address, to one of the actual ip addresses setup on the router right?
I think this might be the problem with my rollout. Seems like ever so often everyone looses their wireless connection. you can be working one minute perfect signal and everything, then without moving or anything boom your disconnected. Just recently converted every AP to WCS/WLC and then this started happening.
My concern is that I have two VLANs setup for my wireless with HSRP. One VLAN for all my AP's and ap-manager interface and such. One VLAN for wireless clients.
Both VLANs setup on the core 6509's with the standby IP as the default gateway.
Wondering if the problem is only related to the vlan for ap-manager interface? Are maybe I need to do the same for the wireless lan interface for the clients?

Wireless lan Controller 4402 / ping dynamic interface failed

hi,
i've a problem with a Wireless Lan Controller 4402.
When i configure the dynamic interface on the my network , with wired lan
i don't reach (i use the ping command) the ip address of the WLC.
In my case (wired):
On my pc i've a ip 10.1.78.1 255.255.0.0 and dgw 10.1.1.1 (vlan721)
The lan WLC have a ip of management 10.12.2.4 /24 (vlan799) [dgw 10.12.2.1]
dynamic vlan 792 ip add 10.12.78.100 / 22 (vlan792) [dgw 10.12.68.1]
i ping these interfaces (10.12.2.4 and 10.12.78.100) and the ping is ok.
When i create a dynamic interface vlan 721 starting the problem:
dynamic vlan 791 ip address 10.1.1.240 / 16 (vlan721)
After this ......the ping on 10.12.2.4 and 10.12.78.100 don't respond very well
and i lose the 80-90% of the ping packages.
through the wi-fi instead I do not have problems.
the problem exist only via wired (cable).
Can you help me?
Thanks
FCostalunga

Hello,
Pinging the dynamic interface is officially not supported. The reason why is because the controller places a very low priority on ICMP traffic. Typically, you will not have an issue with doing so on your wireless network because this interface is basically a gateway for the client. However, from the wired network - the only interface designed to respond to pings 100% of the time is the management interface. Hope this helps!
-Mark

802.1x with ACS does not correctly work

Hello
I have here a WLan setup with a WDS, some 40 Accesspoints, an ACS 4.1 server and a Windows Domain Controller which has the users configured.
I have a group mapping in ACS configured which points to a small group in the ADS.
The groupmapping in ACS points to a specific group in ACS.
There I've configured the following:
[009\001] cisco-av-pair
- ssid=xx-200 (the name of the SSID the clients connect)
[006] Service-Type
- Login
[007] Framed-Protocol
- PPP
[025] Class
- OU=pers; (this is not the special group where those users are in, but they are also in this one)
[064] Tunnel-Type
- Tag 1 Value Vlan
[065] Tunnel-Medium-Type
- Tag 1 Value 802
[081] Tunnel-Private-Group-ID
- Tag 1 Value 200 (the Vlan in which they should go)
The good thing is, authentication with username password works.
The bad thing is, every user can authenticate and get into this SSID instead of only the users in the special group which points to this groupmapping.
The other ADS groups also point to other ACS groups, but they don't have the above values ([009\001] cisco-av-pair, [064] Tunnel-Type, [065] Tunnel-Medium-Type, [081] Tunnel-Private-Group-ID) configured.
The logfile from the ACS also shows that the wrong users are mapped into the correct group like they should, but they still get access.
Here the WDS configuration:
aaa group server radius RADIUS_GROUP_WDS_RADIOMANAGEMENT
server 10.1.1.30 auth-port 1645 acct-port 1646
server 10.1.2.30 auth-port 1645 acct-port 1646
aaa authentication login METHOD_WDS_RADIOMANAGEMENT group RADIUS_GROUP_WDS_RADIOMANAGEMENT
aaa authentication enable default enable
aaa session-id common
radius-server host 10.1.1.30 auth-port 1645 acct-port 1646 key 7 xxxx
radius-server host 10.1.2.30 auth-port 1645 acct-port 1646 key 7 xxxx
radius-server retransmit 2
radius-server timeout 18
radius-server deadtime 1
radius-server vsa send accounting
wlccp authentication-server infrastructure METHOD_WDS_RADIOMANAGEMENT
wlccp authentication-server client any METHOD_WDS_RADIOMANAGEMENT
ssid xx-200
The accesspoint config:
aaa authentication login METHOD_RAD_WDS_CLIENT group radius
aaa authentication enable default enable
aaa session-id common
dot11 ssid xx-200
vlan 200
authentication open eap METHOD_RAD_WDS_CLIENT
authentication network-eap METHOD_RAD_WDS_CLIENT
authentication key-management wpa
interface Dot11Radio0
encryption vlan 200 mode ciphers aes-ccm
broadcast-key vlan 200 change 60
ssid xx-200
interface Dot11Radio0.200
description
encapsulation dot1Q 200
no ip route-cache
no cdp enable
bridge-group 200
bridge-group 200 subscriber-loop-control
bridge-group 200 block-unknown-source
no bridge-group 200 source-learning
no bridge-group 200 unicast-flooding
bridge-group 200 spanning-disabled
interface FastEthernet0.200
description
encapsulation dot1Q 200
no ip route-cache
bridge-group 200
no bridge-group 200 source-learning
bridge-group 200 spanning-disabled
I hope you can find why any user can authenticate and not just the ones in the groupmapping which has the radius attributes configured.
Thanks,
pato

I have finally found something to look into :/
000619: Jan 18 16:50:11 A: RADIUS: AAA Unsupported Attr: ssid [263] 6
000620: Jan 18 16:50:11 A: RADIUS: 48 53 52 2D [xxx-]
000621: Jan 18 16:50:11 A: RADIUS: AAA Unsupported Attr: interface [156] 4
000622: Jan 18 16:50:11 A: RADIUS: 32 35 [25]
This is with various debugging active on the WDS. And this might be the reason why it doesn't work.

Wireless Controller with 802.1x

Hi.
This may seem like a stupid question, but if i'm using 802.1x on my wireless network and using RADIUS/LDAP/ACS for authentication, do I need to configure any aaa commands on my access switches? It was my understanding that all traffic from the client is tunnelled back to the controller so this is not necessary?
Thanks.

No commands necessary on your switches. Your WLC has radius servers configured and the WLC will communicate with your radius.
Sent from Cisco Technical Support iPhone App

Old famous problem - AP LAP1142N can't join the controller - 4402, please participate, let's make a good guide!

Hello folks,
I really feel sorry for bringing up this discussion again. I wouldn't dare to ask this question if I find someone's clear cut suggestion/solution or an overview giving a detailed step-by-step procedure. People just suggest jumping through so many hoops like resetting the AP or converting it back to standalone mode and then back to LWAPP.
Hence I have so many questions and hope that we can make a good guide covering all possible problems.
1) AP was originally running a standalone image. I booted it into a so-called ROMMON or AP mode (ESC is the right key to make it boot into this mode)
I found a recovery image in its flash - c1140-rcvk9w8-mx. I made the AP boot from it by using "set" command and I see that it start booting using this recovery image. Here goes the question. Do all AP settings matter ? E.g. when I run "set" command from AP I see the following:
ap: set
?=
DEFAULT_ROUTER=10.0.0.1
Default_router=10.9.99.1
ENABLE_BREAK=yes
IP_ADDR=10.0.0.1
IP_AddR=10.9.99.9
MANUAL_BOOT=no
NETMASK=255.255.255.224
NEW_IMAGE=yes
PWR_INJECTOR_DETECT=0016.c7fa.b394
RELOAD_REASON=9
ROM_PERSISTENT_UTC=1014941470
TERMLINES=0
netmask=255.255.255.0
2) How would do something like "write erase" or even recover the enable password while being in AP mode? Do I really need to do it ? What I see next makes me believe there's something with the AP configuration (particularly SSH) that prevents an AP join WLC.
3) The AP is powered on, connected to the switchport on the same L2 VLAN where WLC management interface. Then it boots and gets an IP address from the DHCP server located on the other switch.
*Mar 1 00:00:08.695: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Mar 1 00:00:08.705: %CDP_PD-2-POWER_LOW: All radios disabled - AC_ADAPTOR (0000.0000.0000)
*Mar 1 00:00:09.629: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:17.534: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 192.168.1.122, mask 255.255.255.0, hostname AP2
Here comes the question, why do I see this on the console (pay attention at "transport input ssh" line)? Does it have anything to do with an error for DTLS ?
*Apr 12 12:44:21.034: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Apr 12 12:44:31.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.141 peer_port: 5246
*Apr 12 12:44:55.000: DTLS_CLIENT_ERROR: ../dtls/dtls_connection_db.c:1924 Max retransmission count reached!
*Apr 12 12:44:55.000: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for 192.168.1.141 is reached.
transport input ssh
^
% Invalid input detected at '^' marker.
4) Do I have to connect the controller ap-manager interface to the network or I can rely on the AP find the WLC via its management interface. I have never worked with 4400 series controllers. Just started with 5500 and they don't have the ap-manager interface.
Cisco guide says: "The management interface is also used for layer two communications between the WLC and access points", so I can safely assume that it is enough. Moreover I can ping the AP from the WLC while connected to WLC via SSH and its management interface.
5) And finally, what's wrong with the discovery? This is what I see on the controller while debugging capwap packets:
(Cisco Controller) debug>*spamReceiveTask: Apr 12 12:53:52.253: <<<< Start of CAPWAP Packet >>>>
*spamReceiveTask: Apr 12 12:53:52.253: CAPWAP Control mesg Recd from 192.168.1.122, Port 57046
*spamReceiveTask: Apr 12 12:53:52.253:          HLEN 4,   Radio ID 0,    WBID 1
*spamReceiveTask: Apr 12 12:53:52.253:          Msg Type   :   CAPWAP_DISCOVERY_REQUEST
*spamReceiveTask: Apr 12 12:53:52.253:          Msg Length : 29
*spamReceiveTask: Apr 12 12:53:52.253:          Msg SeqNum : 0
*spamReceiveTask: Apr 12 12:53:52.253:
*spamReceiveTask: Apr 12 12:53:52.253:   Type : CAPWAP_MSGELE_DISCOVERY_TYPE, Length 1
*spamReceiveTask: Apr 12 12:53:52.253:          Discovery Type : CAPWAP_DISCOVERY_TYPE_UNKNOWN
*spamReceiveTask: Apr 12 12:53:52.253:
*spamReceiveTask: Apr 12 12:53:52.253:   Type : CAPWAP_MSGELE_WTP_FRAME_TUNNEL, Length 1
*spamReceiveTask: Apr 12 12:53:52.253:          WTP Frame Tunnel Mode : NATIVE_FRAME_TUNNEL_MODE
*spamReceiveTask: Apr 12 12:53:52.253:
*spamReceiveTask: Apr 12 12:53:52.253:   Type : CAPWAP_MSGELE_WTP_MAC_TYPE, Length 1
*spamReceiveTask: Apr 12 12:53:52.253:          WTP Mac Type : SPLIT_MAC
*spamReceiveTask: Apr 12 12:53:52.253:
*spamReceiveTask: Apr 12 12:53:52.253:   Type : CAPWAP_MSGELE_VENDOR_SPECIFIC_PAYLOAD, Length 10
*spamReceiveTask: Apr 12 12:53:52.253:          Vendor Identifier : 0x00409600
*spamReceiveTask: Apr 12 12:53:52.254:
What discovery mode are we in? L2 or L3 ?

(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.230.0
RTOS Version..................................... 7.0.230.0
Bootloader Version............................... 4.0.219.0
Emergency Image Version.......................... N/A
Build Type....................................... DATA + WPS
System Name...................................... Cisco_8b:83:03
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.14179.1.1.4.3
IP Address....................................... 192.168.1.140
System Up Time................................... 0 days 19 hrs 9 mins 20 secs
System Timezone Location.........................
Configured Country............................... CA - Canada
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +41 C
--More-- or (q)uit
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 1
Number of Active Clients......................... 0
Burned-in MAC Address............................ 00:23:5E:8B:83:00
Crypto Accelerator 1............................. Absent
Crypto Accelerator 2............................. Absent
Power Supply 1................................... Absent
Power Supply 2................................... Present, OK
Maximum number of APs supported.................. 12
"Show inventory" on the AP doesn't give any output. Giving you the "show version" instead omitting some legal stuff
AP2>sh ver
Cisco IOS Software, C1140 Software (C1140-RCVK9W8-M), Version 12.4(18a)JA, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 21-Nov-08 01:28 by prod_rel_team
ROM: Bootstrap program is C1140 boot loader
BOOTLDR: C1140 Boot Loader (C1140-BOOT-M) Version 12.4(18a)JA, RELEASE SOFTWARE (fc4)
AP2 uptime is 1 hour, 42 minutes
System returned to ROM by reload
System image file is "flash:/c1140-rcvk9w8-mx/c1140-rcvk9w8-mx"
Last reload reason:
cisco AIR-LAP1142N-N-K9    (PowerPC405ex) processor (revision A0) with 98294K/32768K bytes of memory.
Processor board ID FTX1329S9NB
PowerPC405ex CPU at 586Mhz, revision number 0x147E
Last reset from reload
LWAPP image version 3.0.51.0
1 Gigabit Ethernet interface
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:22:BD:18:ED:66
Part Number                          : 73-11451-06
PCA Assembly Number                  : 800-30554-03
PCA Revision Number                  : A0
PCB Serial Number                    : FOC13282UKM
Top Assembly Part Number             : 800-31273-01
Top Assembly Serial Number           : FTX1329S9NB
Top Revision Number                  : A0
Product/Model Number                 : AIR-LAP1142N-N-K9
Configuration register is 0xF
And the full boot process on WAP:
IOS Bootloader - Starting system.
Xmodem file system is available.
DDR values used from system serial eeprom.
WRDTR,CLKTR: 0x84000800, 0x40000000
RQDC, RFDC : 0x80000038, 0x0000020a
PCIE0: link is up.
PCIE0: VC0 is active
PCIE1: link is up.
PCIE1: VC0 is active
PCIEx: initialization done
flashfs[0]: 149 files, 8 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 32385024
flashfs[0]: Bytes used: 7901696
flashfs[0]: Bytes available: 24483328
flashfs[0]: flashfs fsck took 16 seconds.
Reading cookie from system serial eeprom...Done
Base Ethernet MAC address: 00:22:bd:18:ed:66
Ethernet speed is 100 Mb - FULL duplex
Loading "flash:/c1140-rcvk9w8-mx/c1140-rcvk9w8-mx"...#############################################################################################################################################################################################################################
File "flash:/c1140-rcvk9w8-mx/c1140-rcvk9w8-mx" uncompressed and installed, entry point: 0x4000
executing...
enet halted
Cisco IOS Software, C1140 Software (C1140-RCVK9W8-M), Version 12.4(18a)JA, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 21-Nov-08 01:28 by prod_rel_team
Image text-base: 0x00004000, data-base: 0x00430000
Proceeding with system init
Proceeding to unmask interrupts
Initializing flashfs...
flashfs[1]: 149 files, 8 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 32385024
flashfs[1]: Bytes used: 7901696
flashfs[1]: Bytes available: 24483328
flashfs[1]: flashfs fsck took 4 seconds.
flashfs[1]: Initialization complete....done Initializing flashfs.
Ethernet speed is 100 Mb - FULL duplex
cisco AIR-LAP1142N-N-K9    (PowerPC405ex) processor (revision A0) with 98294K/32768K bytes of memory.
Processor board ID FTX1329S9NB
PowerPC405ex CPU at 586Mhz, revision number 0x147E
Last reset from power-on
LWAPP image version 3.0.51.0
1 Gigabit Ethernet interface
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:22:BD:18:ED:66
Part Number                          : 73-11451-06
PCA Assembly Number                  : 800-30554-03
PCA Revision Number                  : A0
PCB Serial Number                    : FOC13282UKM
Top Assembly Part Number             : 800-31273-01
Top Assembly Serial Number           : FTX1329S9NB
Top Revision Number                  : A0
Product/Model Number                 : AIR-LAP1142N-N-K9
% Please define a domain-name first.
ip ssh version 2
^
% Invalid input detected at '^' marker.
transport input ssh
^
% Invalid input detected at '^' marker.
aaa new-model
^
% Invalid input detected at '^' marker.
aaa authentication login default local
^
% Invalid input detected at '^' marker.
login authentication default
^
% Invalid input detected at '^' marker.
transport input ssh
^
% Invalid input detected at '^' marker.
RS
Press RETURN to get started!
SI IDB null
RSSI IDB null
*Mar 1 00:00:05.992: *** CRASH_LOG = YES
Base Ethernet MAC address: 00:22:BD:18:ED:66
*Mar 1 00:00:06.203: %LWAPP-3-CLIENTEVENTLOG: Read and initialized AP event log (contains, 1024 messages)
*Mar 1 00:00:08.251: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:08.292: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C1140 Software (C1140-RCVK9W8-M), Version 12.4(18a)JA, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 21-Nov-08 01:28 by prod_rel_team
*Mar 1 00:00:08.318: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Mar 1 00:00:08.327: %CDP_PD-2-POWER_LOW: All radios disabled - AC_ADAPTOR (0000.0000.0000)
*Mar 1 00:00:09.251: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:17.157: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 192.168.1.123, mask 255.255.255.0, hostname AP2
logging origin-id string AP:0022.bd18.ed66
^
% Invalid input detected at '^' marker.
logging 255.255.255.255
^
% Invalid input detected at '^' marker.
logging trap 3
^
% Invalid input detected at '^' marker.
*Mar 1 00:00:27.230: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does not have an Ip !!
*Mar 1 00:00:27.343: Logging LWAPP message to 255.255.255.255.
Translating "CISCO-LWAPP-CONTROLLER"...domain server (192.168.1.40)
*Mar 1 00:00:38.267: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Mar 1 00:00:39.267: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-LWAPP-CONTROLLER
*Apr 12 15:39:49.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.141 peer_port: 5246

802.1x with ACS 3.3 and windowsXP

We are using RADIUS IETF in ACS and EAP MD5.
My switch is 2950 whith this commands:
radius-server host a.b.c.d
radius-server key cisco
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
int fa 0/1
dot1x port-control auto
When we try authenticate appears this error: "CS user unknown" in ACS reports.
Has somethings that we forget?
Where I configure the respective VLAN to user when he authenticate?
Thanks

I`m using 2950 and Cisco ACS. In my Windows XP, I did only this"Ativar authenticaçao IEEE 802.1x para esta rede -->MD5 Challenge". I create one user in ACS database and assign the following IETF RADIUS attributes to this user:
[64] Tunnel-Type = VLAN
[65] Tunnel-Medium-Type = 802
[81] Tunnel-Private-Group-Id = teste
At my network icon apears: Authentication Fail
See some debug message on my switch:
03:09:14: dot1x-ev:Received AuthStart from Authenticator for supp_info=80D607DC
03:09:14: dot1x-ev:Managed Timer in sub-block attached as leaf to master
03:09:14: dot1x-ev:Going to Send Request to AAA Client on RP for id = 0 and length = 25
03:09:14: dot1x-ev:Got a Request from SP to send it to Radius with id 7
03:09:14: dot1x-ev:Couldn't Find a process thats already handling the request for this id 0
03:09:14: dot1x-ev:Inserted the request on to list of pending requests
03:09:14: dot1x-ev:Found a free slot at slot 0
03:09:14: dot1x-ev:Found a free slot at slot 0
03:09:14: dot1x-ev:Request id = 7 and length = 25
03:09:14: dot1x-ev:The Interface on which we got this AAA Request is FastEthernet0/1
03:09:14: dot1x-ev:Username is SMSTESTE\joe
03:09:14: dot1x-ev:MAC Address is 0026.540f.5555
03:09:14: dot1x-ev:MAC Address copied is 0026.540f.4c43
03:09:15: dot1x-ev:dot1x_post_message_to_auth_sm: Skipping tx for req_id for default supplicant
03:09:34: dot1x-err:EAP packet not recvd
03:09:34: dot1x-ev:going to send to backend on SP, length = 4
03:09:34: dot1x-ev:Received VLAN is No Vlan
03:09:34: dot1x-ev:Enqueued the response to BackEnd
03:09:34: dot1x-ev:Received QUEUE EVENT in response to AAA Request
03:09:34: dot1x-ev:Dot1x matching request-response found
03:09:34: dot1x-ev:Length of recv eap packet from radius = 4
03:09:34: dot1x-ev:Received VLAN Id -1
03:09:34: dot1x-ev:dot1x_bend_fail_enter:0026.540f.5555: Current ID=0
Can you help me?
Thanks,

802.1x and ACS

when implementig a 802.1x with a cisco ACS is necesary to work with certificates or it can just work with username and password?

Check here:
<http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml>
Hope this helps,

MAB, 802.1x and ACS 4.2

Hi all,
Currently i'm using an ACS4.2 as radius server, some switch 2960-s ios 12.2.(55)se5, ipphone Alcatel iptouch 4018 and i would like to assign dinamic vlan to some specific users/laptop Daisy-chained to ip phone.
Logic connection is: users laptop---->ipphone---->switch---->radius
What i need is:
if I connect MY laptop to the ipphone port, i receive a specific vlan ( vlan 58 )
if SOMEONE else ( i.e. a consultant ) connect his laptop to the SAME ipphone port (if available) he has to receive a different vlan ( vlan 1).
I've been able to reach the goal using MACRO but it tooks too much time to authenticate ( approx 1 min ) so i give up and tried a different faster way ( 802.1x and MAB ).
i've been able to authenticate the ip-phone using 802.1x auth and to receive the correct vlan when i connect MY laptop (MAB auth) but i was not able to provide the VLAN 1 to the Consultant when he connect his laptop even if the "authentication event fail action authorize vlan 1" is configured.
I used the dot1x auth-fail vlan because i'm not able to use MAB or 802.1x auth on external laptop. I also tried with guest vlan with no luck.
In both case the "consultant" remain in "auth failed"
Here my current configuration
dot1x system-auth-control
dot1x guest-vlan supplicant
identity profile default
interface GigabitEthernet1/0/1
switchport mode access
switchport voice vlan 30
authentication host-mode multi-auth
authentication event fail action authorize vlan 1
authentication order mab dot1x
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 2
dot1x max-reauth-req 1
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
On ACS side i have 2 groups
first Group authenticate the iphone and supply the voice vlan ( vlan 30)
Second Group authenticate using MAB and supply the vlan 58
is there a different way to accomplish this task?
Thank you in advance

hi,
any ideas?
thx

802.1x, catalyst, ACS & active directory external DB!

Hi,
I'm working with 802.1x over catalyst switch, ACS 3.1 as Radius and external DB users authentication on Ms Active Directory with LDAP.
My questions are:
1) Are the only EAP's version supported by catalyst, MD5-EAP and EAP-TLS (not PEAP and LEAP);
2) The only supported method to authenticate users from ACS to AD is EAP-TLS? is EAP-MD5 not supported over LDAP access protocol?
3) Can I import the users from Active Directory to Internal ACS data base? (like a RDBMS...)
thanks,
Graz.

I am in a installation with 802.1x.
I have install a Cisco ACS and cisco 2950 Switch and I am authorizating users via MS-CHAPv2 against the Cisco ACS
ACS is validating users against a Microsoft Active directory.
I have the following problem: When user logs in, it takes between 45 to 90 seg to log the user and change the vlan.
I have install Windows XP Service Pack 2 and patches:
xp-kb817778-x86-esn
xp-kb826942-x86-esn
I have change the switch software to the latest release.
How can I reduce this delay? Any idea?

Cisco Wireless LAN Controller 4402 under Cisco Works RME 4.0?

I am trying to manage a Cisco 4402 using non-default snmp communities from Cisco Works RME 4.0. RME Credential Verification fails with “Device Not Supported” recorded against selected option; however, the controller does respond to snmp queries. The 4402 has snmpv1 through snmpv3 enabled; and the snmp communities are associated with the correct client IP. Is the WLC only responsive to snmp from the WLS and should the box be manageable via it’s management interface. ICMP and telnet to the WLC from RME works OK.
Advice and Guidance would be greatly appreciated.

What firmware version are on the WLC's..... minimum is 5.0.148 per the RME Table.
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_resource_manager_essentials/4.0.5/device_support/table/RME405.html

How to create multiple Vlan in Controller 4402

Please let me know step-by-step procedure to create multiple vlan in conroller 4402, In my topology we have vlan -1 for date and vlan - 11 for voice both are in different network, please light me detail config on controller and switch

Hi Balamurugan,
I don't want to sound rude, but, you have posted your issue three times. Each one, I recommended that you go through the WLC Configuration Guide. I recommended this because you are new to WLC and it's the best way for you to learn.
However, you recent post has led me to believe that you are reluctant to peruse the document and I am puzzled. Is there any reason of your reluctance and hesitance?
Cisco Wireless LAN Controller Configuration Guide, Release 6.0
http://www.cisco.com/en/US/docs/wireless/controller/6.0/configuration/guide/Controller60CG.html

Controller 4402 + 802.1x + WPA + ACS

Similar Messages

Maybe you are looking for