Disable EAP Authentication for Web-Auth on WLC

Hello everyone,
We use a special RADIUS server which is implemented according to RFC 2865. But now we get errors that the RADIUS server can't handle attribute type 80.
As far as I know, this attribute has to do with EAP authentication, which is a newer addition according to RFC 2869.
How can I configure the WLC to disable EAP authentication?
Thank you in advance,
Chris Kaiser

EAP authentication is defined on the SSID... So if you're using RADIUS to authenticate WebAuth users, then you need to make sure that you use open authentication with WebAuth. Don't specify any layer 2 encryption methods and the WLC will not send EAP requests to the RADIUS server.
Sent from Cisco Technical Support iPhone App
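
For checking what the controller actually sends, here is an added example (not part of the thread, and not Cisco or RADIUS-server code). It parses an Access-Request, lists the attributes that RFC 2865 does not define, and verifies attribute 80 (Message-Authenticator, RFC 2869) when present. The sample packet and shared secret are constructed for the example.

```python
import hashlib
import hmac
import struct

RFC2865_TYPES = set(range(1, 40)) | {60, 61, 62, 63}   # attributes RFC 2865 defines
NAMES = {1: "User-Name", 2: "User-Password", 3: "CHAP-Password",
         79: "EAP-Message", 80: "Message-Authenticator"}


def parse_radius(packet):
    """Split a RADIUS packet into (code, id, attrs); attrs = [(type, value_offset, value)]."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("Length field does not match the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of range")
        attrs.append((a_type, pos + 2, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, attrs


def outside_rfc2865(packet):
    """Names (or numbers) of attributes a strict RFC 2865 server will not recognise."""
    _, _, attrs = parse_radius(packet)
    return [NAMES.get(t, str(t)) for t, _, _ in attrs if t not in RFC2865_TYPES]


def check_message_authenticator(packet, secret):
    """True/False if attribute 80 is present and verifies, None if it is absent.

    Valid for Access-Request: HMAC-MD5 over the whole packet, keyed with the shared
    secret, with the 16 value bytes of attribute 80 set to zero while hashing."""
    _, _, attrs = parse_radius(packet)
    for a_type, off, value in attrs:
        if a_type == 80:
            if len(value) != 16:
                return False
            length = struct.unpack("!H", packet[2:4])[0]
            zeroed = packet[:off] + bytes(16) + packet[off + 16:length]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, value)
    return None


def build_sample(secret, with_attr80=True):
    """Constructed Access-Request (code 1, id 7) for user 'guest'; not a real capture."""
    attrs = bytes([1, 7]) + b"guest"
    if with_attr80:
        attrs += bytes([80, 18]) + bytes(16)
    packet = struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(range(16)) + attrs
    if with_attr80:
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet


if __name__ == "__main__":
    pkt = build_sample(b"testing123")
    print(outside_rfc2865(pkt), check_message_authenticator(pkt, b"testing123"))
```

Feed `parse_radius` the UDP payload of a captured Access-Request to see whether types 79 or 80 are still being sent after a WLAN change.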

Similar Messages

  • Client Excluded ReasonCode on WLC for Web Auth

    Hi.
    I wonder if you can point me at a table that defines the Reason Code(s) for Client Exclusion Failure? See the example event log entry below from a Guest Controller for Web Authentication failure (that was resolved - Internet router down) but I was wondering if the Reason Codes would be useful in troubleshooting. Many thanks in advance.
    Tue Aug 28 10:45:31 2007 Client Excluded: MACAddress:00:16:6f:b3:20:0a Base Radio MAC :00:00:00:00:00:00 Slot: 0 Reason:Web Authentication failed 3 times. ReasonCode: 4

    I haven't tried it recently. But I'm afraid of this one :
    CSCsy88149 Chained certificate can not have Wildcard * character in hostname
    Even if bought at verisign or any root CA, your cert has a good chance of being chained since they very often use an intermediate CA. I know wildcard certs are supported but this bug seems to say that it doesn't work for chained.
    Again, I didn't verify it myself.

  • Generate one time authentication for Guest on Cisco WLC

    Hi All
    Sorry for my question, because I just started to work with Cisco WLC.
    I have created some WLAN for local users with authentication by 802.1x + Radius by certificate.
    For Guest I used PSK with MAC-filtering.
    But I see that this is not comfortable for Guests: each time they come and want to access our wireless, we have to come and get their MAC.
    I checked on the Internet and found that the wireless solutions for hotels and resorts are very easy.
    I also googled and saw that Cisco WLC supports Lobby Ambassador to generate a Guest username/password. But as I checked, this username/password might only be used with Web-Auth, and this method is not comfortable for Guests who don't know they have to go to Web-Auth to do authentication (e.g. when they only get POP3 email, or VPN, ... and don't use browsers).
    Could I use this method (or another method) for creating a one-time Guest wireless username/password or Guest PSK that can be used for authentication when Guests click on the wireless SSID name only (no need to open a web browser to do Web-Auth)?
    Regards
    Hai

    Hi Choudhary
    Thank you very much for your information.
    Could I reconfirm my concern?
    With Cisco WLC, I can use WebAuth with the Guest user only.
    If I want to use the Guest user for authentication when guests connect to the SSID (not by WebAuth, I mean using Layer 2 security only, not Layer 3), I will have to use an additional RADIUS server.
    And if I understand right, could you please recommend a software-based RADIUS server that supports generating one-time usernames/passwords for Guests, because I checked and IAS/NPS on Windows Server may not have this function (ISE is not appropriate for us at this time, due to high expense).
    Regards
    Hai

  • 5508 loading cert for web auth

    I have web auth enabled on the WLC, so when clients connect they get a cert error because it is using the self-signed cert. I was reading up on getting a third-party cert and it explains about getting OpenSSL and then generating the cert and sending it to a third-party CA etc.
    Any links you can share would be very helpful explaining best practices and method to load a third party cert on the WLC 5508 for web authentication.
    Why can't I just get a cert from them for our domain and simply load it on the WLC?

    Hi Mohammed,
    Here are the two links which are like a bible for generating certs:
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
    It depends on whether you are using chained or unchained certs. Following the above links will help you in getting the issue resolved!!
    Let me know if this answered your question!!
    Regards
    Surendra

  • Browser Requirements for Web Auth

    My configuration is 2 4404 WLCs, version 4.2.130.0, with WCS version 4.2.97.0. We have a guest WLAN set up to do Web Auth to a TACACS server and the local WCS database. I am trying to find a document for this version of WCS that gives minimum browser versions for IE, firefox, netscape, safari, etc. If anyone can point me to this information I would appreciate it.
    Thanks,
    Deanna

    I found my own answer.
    Internet Explorer 6.0 SP1 or higher is the only browser supported for accessing the controller GUI and for using web authentication.

  • "Auth type not supported by External DB" error for web-auth SSIDs

    Hello
    We're having a problem with web-authentication on our 4404/WisM controllers since we moved to software rev 5.x (currently running 5.1.151.0).
    With software rev 4.x our web-auth SSIDs would send the authentication requests to a Cisco ACS4.0 which would then authenticate the users against MS Active directory.
    Now (with rev 5.x) the same SSIDs cannot authenticate users against AD, the error in the ACS is:
    Auth type not supported by External DB
    Found the following Cisco Doc regarding the problem: Cisco Secure ACS and Windows AD EAP/802.1x port authentication fails with the Auth type not supported by External DB error message - Case Number K24308566. Done a packet capture on ACS to see authentications coming in and the ones that fail with above error are using CHAP - from the Cisco documentation, MS AD doesn't support CHAP.
    Any ideas on how I can get the web-auth working again with software rev 5.x ?
    Thanks
    Andy

    My apologies - there's a setting under Controller - General for Web Radius Authentication. Changed this from CHAP to PAP and it's now working OK.
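
Why the CHAP/PAP setting matters to the back end, as an added example (not part of the thread, and not ACS or WLC code). With PAP (RFC 2865 User-Password) the RADIUS server recovers the cleartext and can test it against any store; with CHAP (RFC 2865 CHAP-Password) it must already hold the cleartext to recompute the response. The SHA-256 "directory" below is a stand-in for any store that keeps only one-way hashes, and all values are constructed.

```python
import hashlib
import hmac


def pap_hide(password, secret, request_auth):
    """RFC 2865 User-Password hiding: XOR 16-byte blocks with an MD5 keystream."""
    padded = (password + bytes(-len(password) % 16)) or bytes(16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_recover(hidden, secret, request_auth):
    """Server side of PAP: undo the hiding and get the cleartext password back."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def pap_backend_ok(hidden, secret, request_auth, stored_hash):
    """A hash-only store can still check PAP: hash the recovered cleartext and compare."""
    clear = pap_recover(hidden, secret, request_auth)
    return hmac.compare_digest(hashlib.sha256(clear).digest(), stored_hash)


def chap_password(chap_id, password, challenge):
    """RFC 2865 CHAP-Password value: id byte + MD5(id || password || challenge)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()


def chap_verify(attr_value, what_server_holds, challenge):
    """Server side of CHAP: recompute the response from whatever the store can supply.

    Succeeds only when what_server_holds is the cleartext password itself."""
    expected = chap_password(attr_value[0], what_server_holds, challenge)
    return hmac.compare_digest(expected, attr_value)


if __name__ == "__main__":
    secret, ra, pw = b"shared-secret", bytes(range(16)), b"guest-password-123"
    stored = hashlib.sha256(pw).digest()           # constructed hash-only directory entry
    print("PAP against hash store :", pap_backend_ok(pap_hide(pw, secret, ra), secret, ra, stored))
    print("CHAP against hash store:", chap_verify(chap_password(5, pw, ra), stored, ra))
```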

  • Setting Basic Authentication for Web Service in WLS 6.1

    Hi,
    I am trying to set up Basic username/password authentication for a Web Service that is hosted in WLS 6.1.
    How do I go about doing that? Also, once I get the username and password, how do I pass that info to the SOAP servlet to do the authentication? Can you give me some pointers on this?
    Thanks
    Madhu

    How do you want to do it? Through use of client.jar for the service or
    directly? Here is how I do it directly:
    import java.io.InputStream;
    import java.io.OutputStream;
    import java.net.HttpURLConnection;
    import java.net.URL;
    import sun.misc.BASE64Encoder; // JDK-internal encoder of that era

    public class PingWebService {
        public static void main(String[] args) throws Exception {
            String auth = "guest", pwd = "guest";
            URL url = new URL("http://localhost:7001");
            URL cmdURL = new URL(url.toString() + "/systemtest/TestWebService");
            HttpURLConnection conn = (HttpURLConnection) cmdURL.openConnection();
            String encAuth =
                new BASE64Encoder().encode((auth + ":" + pwd).getBytes());
            // BASE64Encode distributes long strings on multiple
            // lines; we don't like that, no siree
            int it = 0;
            while ((it = encAuth.indexOf('\n')) != -1
                    || (it = encAuth.indexOf('\r')) != -1) {
                encAuth = encAuth.substring(0, it) +
                    encAuth.substring(it + 1);
            }
            // HTTP Basic: the header value is "Basic " + base64(user:password)
            conn.setRequestProperty("Authorization", "Basic " + encAuth);
            conn.setRequestProperty("Content-Type", "text/xml");
            conn.setRequestProperty("SOAPAction", cmdURL.toString());
            conn.setDoOutput(true);
            conn.setDoInput(true);
            conn.setUseCaches(false);
            // Send the SOAP request body
            OutputStream oStr = conn.getOutputStream();
            String cmd =
                "<?xml version=\"1.0\" ?>\n"
                + "<soap:Envelope xmlns:soap=\"http://schemas.xmls"
                + "oap.org/soap/envelope/\"><soap:Body>"
                + "<ping><arg0>false</arg0></ping>"
                + "</soap:Body></soap:Envelope>";
            oStr.write(cmd.getBytes());
            oStr.close();
            // Print the response as it arrives
            InputStream iStr = conn.getInputStream();
            byte[] buffer = new byte[1024];
            while (true) {
                int size = iStr.read(buffer);
                if (size == -1)
                    break;
                System.out.println(new String(buffer, 0, size));
            }
            iStr.close();
        }
    }
    ThorAAge

  • SUP user authentication for web services

    Hi there.
    Has anyone in the community had any experience with building a Web Service based Mobile Business Object (MBO) in SUP 1.5.2? We have built a mobile application for a BlackBerry device which consumes two ERP web services. The application deploys successfully and runs on the BlackBerry device just fine. However, until now the user credentials needed to authenticate a consumer to a web service have been hard-coded into the mobile business object. This, from an accountability point of view, is not an acceptable model (i.e. all mobile users would be logging in to the ERP backend with 1 common user ID).
    Has anyone had any experience and could suggest an alternative solution to this that would support accountability, i.e. map SUP users to ERP users, trusted connections etc., and is this possible with SUP 1.5.2?
    S

    Actually, SUP 1.5.2 just provides HTTP basic authentication for WS-MBO. It is possible to create 'username' and 'password' on the WS-MBO as two input parameters. Thus, you can design your device app in SUP to prompt a dialog to accept the username and password before you access your WS-MBO. Similarly, if your web service has input arguments for username and password, you can also design a dialog like the above.

  • Server-side authentication for web services

    I was hoping to use Azure's server-side authentication for a HTML/JS web app. Some things are a bit unclear. For example, if a new user authenticates via Facebook, I want to create an associated record on the server-side and associate extra data with the
    user, irrespective of the service used to log in. If they log in again, I want the client to be able to get this extra data (eg preferences) from the server. On the back-end, I also want to be able to update particular fields of this record that the user cannot
    change themselves. I know how to go about this in a plain Node.js backend, but not sure how some of these basic things map to using Azure's services.

    Once the user logs in, you will have their information available to your server scripts. So one option is to use a custom API (or a Mobile Services Table) to insert/read/update the user data. You would protect this endpoint so that only logged-in users can access it, and then access the user object to obtain an ID and associate it in a table row. Lookups could be performed by similarly querying for the ID.
    In terms of some fields being restricted, you could remove these from the update request itself.
    Some pointers that might be helpful:
    http://azure.microsoft.com/en-us/documentation/articles/mobile-services-html-get-started-data/
    http://azure.microsoft.com/en-us/documentation/articles/mobile-services-html-call-custom-api/
    http://azure.microsoft.com/en-us/documentation/articles/mobile-services-html-authorize-users-in-scripts/

  • User Authentication for Web Services

    Hi,
    I am developing a web service that resides on the Intranet. Thus, I would like to implement application-layer user authentication, i.e. to match the input user name and password against a database record through a web service logon() method. If authentication is passed, the client program is allowed to call subsequent web service methods, else an exception needs to be thrown when calling subsequent methods.
    As I understand it, each method call to web services is treated separately. Thus, how can we implement the authentication so that the client program only passes in the user name and password once through the logon() method, instead of performing the authentication for each method?
    Appreciate the advice. Thanks.

    Hi,
    But I need to develop the web services logon method using WSDL, which generated the LogonBindingImpl.java, instead of web services using an EJB bean.
    Besides, the Web Service logon method (LogonBindingImpl.java) needs to accept the input user name and password to check against the user name and password that are stored in a database table through the EJB bean. If the check is successful, the client program is allowed to invoke other web service methods, else a login failed exception needs to be thrown when the client calls other web service methods.
    Appreciate the advice here on how to achieve that. Thanks.

  • How to generate CSR on switches for web auth with NGS

    Hello
    I am doing a dot1x solution with web auth on cisco 3750 switches.
    Once the wired client gets put into web auth state (after dot1x and MAB) and goes to a website, he gets a certificate warning. This is because the certificate of the Cisco switch is self-signed.
    I want to use a verisign certificate to solve this error, but I cannot find a way to generate a CSR on a switch. I only found a guide how to request a certificate from a CA on the local network, but this is also not a solution, because the clients using the web auth, will not know the internal CA.
    Is there any way to solve this?
    Greetings
    Steven

    Hi Steven,
    The below document is actually for IOS SSLVPN, but the certificate portion should be the same:
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_c07-372106_ps6657_Products_White_Paper.html
    Search for "Appendix B" and it goes into creating a trustpoint and then one section is for self-signed and another is for generating a certificate request to send to an external CA.
    Once a trustpoint is created the command to actually generate the CSR is "crypto pki enroll ".
    This document goes into a little more detail on all the individual commands and what they do:
    http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cert_enroll_pki.html
    Also you could use something external to the switch like OpenSSL to generate the CSR/private key and then use that to request a cert from your Verisign CA and then import the cert/keypair into the IOS device.
    Thanks,
    Nate

  • Initial configuration of ACS 5.1 for EAP authentication for Wireless clients

    Hi,
    I have a setup with the devices below:
    Wireless LAN controller 5508
    LAP 3302i
    and ACS 5.1
    Since I am new to ACS 5.1 configuration, I need some information to go ahead and configure ACS 5.1.
    Which EAP method should I use for wireless client authentication? What is the best practice?
    I have gone through some Cisco documents and they show that the best practice is to configure PEAP, but for that I need to install a certificate on the ACS server as well as on the client PC. Is that so?
    I have no clear picture of this certificate.
    Where can I get this certificate from, or do I need to purchase this certificate separately from Cisco? How do I install it on the ACS server?
    I would be obliged to get at least an initial configuration for ACS 5.1 to enable the EAP method.
    I need a GUI-based initial configuration for ACS 5.1.
    This mentioned ACS 5.1 is installed on ACS 1121 hardware appliance.

    Hi,
    which EAP method to use for wireless client authentication ? what is the best practice ?
    -> I would advise the most widely spread EAP method, which has the best ratio security/easy to deploy: PEAP with MSCHAPv2, which is available by default on all Windows machines.
    I have gone through some cisco documents and it shows that best practice is to configure PEAP but for the same , I need to install certificate in ACS server as well in client PC. is that so ?
    -> You will always need to install a server certificate, however, there is no need for client certificate because the authentication is based on the MSCHAP credentials exchange, not certificate based. The only requirement on the client regarding certificates is the following.
    If you want to validate the server certificate, you have to install the server certificate under the trusted CAs of the clients.
    If you do not require to trust the server certificate, you can simply disable the option of server certificate validation.
    I have no clear picture for this certificate ?
    from where i can get this certificate or do i need to purchase this certificate separately from cisco. how to install it in ACS server ?
    -> The server certificate can be a simple self signed certificate that you generate and install on the ACS GUI.
    Please feel free to follow this step-by-step guide on
    PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server:
    http://www.cisco.com/en/US/partner/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml or in pdf
    http://www.cisco.com/image/gif/paws/112175/acs51-peap-deployment-00.pdf.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Basic Authentication for Web Services

    I have built a Web Service according to the WebLogic 6.1 examples, successfully deploying the .ear file etc.
    Now I want to add security to the WebService URI.
    I have added a <web-resource-collection> tag to the web.xml file, but what should I put for the <url-pattern> ?
    Am I obliged to 'manually' add <servlet> tags to the web.xml file in order to add a security constraint to a WebService deployed through a .ear ?
    Taking WebLogic's own statelessSession.Weather example, what is the minimum I need to add to the web.xml file to have basic authentication on the weatheruri ?
    Thanks,
    Adam

    Ok, now I'm confused. Is this a Flex app (runs in the browser) or an AIR app? This makes a difference because in the browser, Flash Player/Flex uses the browser's HTTP mechanism for transport, while AIR implements it directly. The original poster indicated some difference between Firefox and IE, which led me to believe it was a Flex browser app. A difference between these two would make me think something was wrong with the server response, and the two browsers were passing it (the problem) back to Flash Player differently.
    Mark

  • Implementing authentication for web services

    Hi all,
    I'm struggling trying to work out how to implement basic HTTP authentication as well as using certificates in order to apply HTTPS, for some web services we've created, running on the Oracle Application Server 10.1.12. The web services were implemented using JDeveloper 9.0.4. Any help would be very much appreciated.
    Thanks in advance and regards,
    Luis

  • LEAP Authentication for 7929 phones on WLC

    We are trying to use LEAP authentication to get a 7920 phone authenticated against the WLC, but it's not working. Has anyone seen any caveats with this kind of setup?

    Are you using key-management (WPA, CCKM)?
    If so, put the phone into AKM mode.
    CCKM is only supported using WPA on the WLC.
    7920 only supports TKIP encryption.
    Ensure 3.02 firmware for the 7920 is used.
    If that is configured correctly, then would look at the RADIUS failed authentication log to troubleshoot further.
