Disabling wireless clients by username
We currently have Prime Infrastructure 1.3 and we are having problems with one user. I would like to block her by username instead of MAC, but I haven't found a place to do this. Is there any way to do this? We don't have ISE or anything else that would help with this yet. Thank you for your help.
Ok, they are PED (personal devices). We'll have to be creative.
Firstly, there's a setting in MS AD that allows only a limited number of authentication instances, meaning a per-account setting where the user can only log in to ONE device. So you enable this for this user alone.
Next, disable the wireless (temporarily). Get the teacher to log in (wired network) and once she's logged in to the wired network then you enable the wireless again.
The students using the wrong login credentials will not be able to log in so they'll be forced to use their own (I hope).
Similar Messages
-
We have clients associating to a WLAN using CWA with ISE on a 5508 wlc on 7.4.121. I have noticed that under the monitor clients menu, I see clients that are authenticated, but the username field for the client is not displaying for some of these clients. It just lists the MAC. Some show the username for the client, but others do not. Any ideas?
These devices are all apple i-devices. Under the client detail, CCX version says not supported. However, there are i-devices showing the username that also says not supported for CCX version.
-
1131AG: Wireless clients randomly unreachable
Hi,
I have a weird issue with my 1131AG-E-K9. I set up a lab at home to get back into the topic after a few years' break. My 1131AG is connected to one of the PoE ports of an ASA5505. Clients are 2 Soundbridge internet radios, my Android phone and my laptop. The wireless clients get their IP via DHCP from a central server in the wired LAN.
Now the problem:
The wireless clients become randomly unreachable. The DHCP leases are valid for 1 hour and once a day, usually in the afternoon, the radios don't get a new IP anymore. When I monitor the LAN, I see the DHCPREQUEST, DHCPDISCOVER and DHCPOFFER packets, but they don't seem to arrive in the WLAN. When I manually disassociate one arbitrary client, or when a completely different client, say my laptop, joins the network and gets an IP via DHCP, suddenly all clients receive the DHCPOFFER and go back to active.
So it looks like the access point would somehow start throwing away packets from the server to the radios after some time.
I'm pretty much clueless and have googled for hours to find a solution...
The server and the radios are talking constantly to each other, however, mostly through broadcasts (Bonjour and DLNA).
I do not have the problem when I use a cheap crap consumer AP instead of the 1131AG, so at first glance I would exclude the ASA as the source of the problems. The network is also flat, i.e. the WLAN is in the same subnet as the LAN and there's no routing, no firewall rules and no different VLANs involved.
Ideas, anyone?
-S
Hi Sebastian, thank you for your reply! The access point is an autonomous access point AIR-AP1131-AG-E-K9, so there is no WLC involved.
This is the config:
! Last configuration change at 15:16:16 UTC Mon Nov 24 2014 by sgofferj
! NVRAM config last updated at 15:16:21 UTC Mon Nov 24 2014 by sgofferj
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname echo
no logging buffered
no logging rate-limit
no logging console
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
server [RFC1918] auth-port 1812 acct-port 1813
aaa group server radius rad_admin
server [RFC1918] auth-port 1812 acct-port 1813
cache expiry 1
cache authorization profile admin_cache
cache authentication profile admin_cache
aaa group server tacacs+ tac_admin
cache expiry 1
cache authorization profile admin_cache
cache authentication profile admin_cache
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting exec default start-stop group rad_acct
aaa accounting network acct_methods start-stop group rad_acct
aaa cache profile admin_cache
all
aaa session-id common
no ip igmp snooping
dot11 syslog
dot11 vlan-name LAN vlan 1
dot11 ssid Stefan_Gofferje
vlan 1
authentication open
authentication key-management wpa version 2
guest-mode
mbssid guest-mode
wpa-psk ascii 7 [CODE]
no ids mfp client
power inline negotiation injector 001d.450b.fb08
crypto pki trustpoint TP-self-signed-2716624410
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2716624410
revocation-check none
rsakeypair TP-self-signed-2716624410
crypto pki certificate chain TP-self-signed-2716624410
certificate self-signed 01
quit
username sgofferj privilege 15 password 7 [CODE]
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
broadcast-key change 10
ssid Stefan_Gofferje
no short-slot-time
speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2437
station-role root
no dot11 extension aironet
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
broadcast-key change 10
ssid Stefan_Gofferje
no dfs band block
speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
channel dfs
station-role root
no dot11 extension aironet
interface Dot11Radio1.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
interface FastEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address dhcp client-id FastEthernet0
no ip route-cache
no ip http server
ip http authentication aaa
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
logging trap debugging
logging [RFC1918]
access-list 111 permit tcp any any neq telnet
snmp-server view dot11view ieee802dot11 included
snmp-server community public RO
tacacs-server host [RFC1918] key 7 [CODE]
radius-server attribute 32 include-in-access-req format %h
radius-server host [RFC1918] auth-port 1812 acct-port 1813 key 7 [CODE]
radius-server vsa send accounting
bridge 1 route ip
line con 0
access-class 111 in
line vty 0 4
access-class 111 in
sntp server [RFC1918]
sntp broadcast client
end
-
Wireless Clients cannot communicate to eachother.
I have a 871W router that I am having trouble getting wireless clients to communicate.
I can ping and use applications from any wired client to any wireless device. However, I am unable to ping or use any other protocol from one wireless device to another.
I have confirmed that there are no firewalls on the endpoints blocking communication.
I have removed the ACLs on the BVI1 interface, but that had no effect.
Any assistance would be greatly appreciated.
Current configuration : 7670 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname cc-fw-router
boot-start-marker
boot-end-marker
logging buffered 51200 debugging
enable secret 5 $1$crkU$2cWtWnMRjMvfo4ADb4pfi0
aaa new-model
aaa authentication login default local none
aaa session-id common
resource policy
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.20.1
ip dhcp pool sdm-pool1
import all
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1
dns-server 192.168.2.244 8.8.8.8
ip dhcp pool xbox
host 10.10.20.20 255.255.255.0
hardware-address 0100.1dd8.5b52.73 ieee802
dns-server 192.168.2.251 4.2.2.2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 4.2.2.2
ip ssh time-out 60
ip ssh authentication-retries 2
crypto pki trustpoint TP-self-signed-1816499983
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1816499983
revocation-check none
rsakeypair TP-self-signed-1816499983
crypto pki certificate chain TP-self-signed-1816499983
certificate self-signed 01
quit
username user privilege 15 secret 5 $1$wVlg$THSMUBnF3f3A3o2Oh18xS/
username ccadmin password 7 09774C051612111B180439
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 01234567890123456789 address 96.252.99.66 no-xauth
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel
set peer OFFICEVPN IP
set transform-set ESP-3DES-SHA1
match address 103
bridge irb
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description $FW_OUTSIDE$$ES_WAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface Dot11Radio0
no ip address
encryption mode ciphers tkip
ssid my_home
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 133E1413181F0138273D15
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
no dot11 extension aironet
bridge-group 1
bridge-group 1 spanning-disabled
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
ip virtual-reassembly
bridge-group 1
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname verizonfios
ppp chap password 7 01050316521109012745411A
ppp pap sent-username verizonfios password 7 120F00051B11030A2C222B3B
crypto map SDM_CMAP_1
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 10.10.20.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1200
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static udp 10.10.20.20 88 interface Dialer0 88
ip nat inside source static tcp 10.10.20.20 3074 interface Dialer0 3074
ip nat inside source static udp 10.10.20.20 3074 interface Dialer0 3074
logging 10.10.20.27
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.10.20.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 10.10.20.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 deny ip 10.10.20.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 deny ip 10.10.20.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 10.10.20.0 0.0.0.255 any
access-list 120 remark Xbox
access-list 120 permit tcp any eq 88 host 10.10.20.20 eq 88
access-list 120 permit tcp any eq 3074 host 10.10.20.20 eq 3074
access-list 120 permit udp any eq 3074 host 10.10.20.20 eq 3074
dialer-list 1 protocol ip permit
snmp-server community public RO
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 110
control-plane
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input telnet ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
see the option "client Isolation" in the AP
Posted by WebUser Anshul Rohilla -
Bridge does not work for wireless clients - connecting to existing network.
Hi - I really hope somebody can help out here, after hours of trial & error, I have finally given up
I need to connect my Airport Extreme Base Station to my existing network. I have a linksys router (192.168.15.1) connected to my modem and this linksys router acts as DHCP server too.
I suppose I have to use "bridge mode" for that to work. But should the linksys be connected to the AEBS using the AEBS's WAN or LAN port?
If I use "bridge mode", then wired computers to the AEBS works fine - getting an IP from the linksys etc. BUT, the wireless clients will have a self-assigned IP and not get through to the internet. It's like the AEBS will not allow wireless clients to "get through" unless AEBS itself is handing out IP addresses.
Page 36 of this manual ( http://manuals.info.apple.com/en/DesigningAirPort_Networks10.5-Windows.pdf ) shows the setup I want. But in the picture, it says "Ethernet WAN port" but the text says: "The Apple wireless device (in this example, a Time Capsule) uses your Ethernet network to communicate with the Internet through the Ethernet LAN port ( <--> )." I don't know which one to use, WAN or LAN - they show WAN but say LAN?
When I set it up as "share an IP address", the AEBS status tells me "double NAT" and to change from "shared IP" to "bridge mode". I do that, and everything seems fine for the wired clients. Now the wireless clients cannot connect; Airport on the MacBook Pro just says "Connection failed" and the MacBook says "Invalid password" (translated from Danish), even though I set the Airport Utility to save the password in the keyring, so it should be correct... If I disable wireless encryption, the wireless clients will connect but get a self-assigned IP, and therefore not work (cannot get online)...
It seems the only way I can get wireless to work, is if I set AEBS up as DHCP, but then it won't be on the "same network" as the linksys (192.168.15.1), but rather on 10.0.x.x as I select. If I select 192.168.x.x within AEBS, I'm also getting some error messages, conflict/subnet thing.
Anyway - I really hope somebody knows how to get wireless clients to get an IP address from existing ethernet when connected to the AEBS.
Thanks!!
I've given up and had to go back to running "Double NAT", which also reports as a "problem" within the AEBS, but I just "ignore" it so the light will always be green.
It still ***** though, as "Double NAT" is also a reason for "Back to my Mac" not working properly, but how the ** am I supposed to avoid Double NAT when the wireless will not work in bridged mode?! -
I need to authenticate my clients connecting via wireless.
The clients have user certificates installed on them; I need help configuring the ACS to do the authentication.
Can someone please help me with the steps.
Thanks
Two primary steps:
- define the trust certificates needed to verify the clients' user certificates
Users and Identity Stores > Certificate Authorities
- change the result of the identity policy to select a certificate authorization profile. If you have the default config:
Access Policies > Access Services > Default Network Access > Identity
by default you can select "CN Username" as the result -
How to set up Wireless Clients MAC+Active Directory based access
Dear Gents,
I want to set up Wireless Clients MAC+Active Directory based access on the AP 1242 standalone wireless series.
Steps I have configured:
1) SSID manager under Open authentication: selected with EAP.
2) under advanced Radius:
MAC Address Authentication
MAC Addresses Authenticated by:
Authentication Server Only
3) Server Manager: Current server list
added the radius ip address 10.1.200.x
EAP Authentication, MAC Authentication and Accounting each have Priority 1, 2 and 3 server drop-downs; each drop-down offers < NONE >, 10.113.253.10, 10.1.200.234, 10.8.200.15 and 10.15.200.15.
From ACS - Radius we have chosen a Group x (named as Mac-address group).
All the wireless client (laptop) MAC addresses are added via the add username option: enter the MAC address as the username and enter the MAC address as the password in the second option of the password tab.
Hi Akber,
I think you didn't understand what I was trying to say here :-( No problem, I will explain my theory again. Your requirement is to authenticate users from the ACS internal database (you have already added the MAC address as the username in your ACS internal database) as well as from the ACS external database (in your case this is AD).
What I was saying is that when an authentication request comes to the RADIUS server, it checks its internal database and if it finds a valid username and password (here it will be the MAC address and password which you have entered into the ACS database), the ACS will not query the external database (in your case the AD) for authentication.
You cannot have ACS look into both the MAC and AD databases at the same time.
Hope this clears your doubt.
Regards
Najaf -
WLC 5760 - MAC Filtering wireless clients
Hi,
Has anyone ever deployed mac-filtering authentication for wireless clients on the WLC 5760?
I've configured a WLAN for Mac-filtering authentication only (named it as "macauth"):
wlan RNVDOS 4 RNVDOS
aaa-override
no broadcast-ssid
client vlan RNVDOS
mac-filtering macauth
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
session-timeout 1800
no shutdown
Then, below Configuration->Security->MAC Filtering I've added several MAC addresses i.e. :
MAC Address: 88532e9ef70a Attribute List: macauth
Which turned out to be displayed in the CLI as:
username 88532e9ef70a mac aaa attribute list macauth
The problem is that whenever I try to associate the wireless client 88532e9ef70a, the client ends up on the exclusion list:
Sep 16 10:54:55.603: 8853.2E9E.F70A Adding mobile on LWAPP AP 0C68.03EA.4070 (1) 1 wcm: E9E.F70A (.t^GwtSessionID: 0afe01fbtQ^GwH^Cnz^Gw00dd) was added to ^G$h\225v^K
Sep 16 10:54:55.603: 8853.2E9E.F70A Creating WL station entry for client - rc 0 1 wcm:
Sep 16 10:54:55.603: 8853.2E9E.F70A Association received from mobile on AP 0C68.03EA.4070 1 wcm: (.t^GwtSessionID: 0afe01fbtQ^GwH^Cnz^Gw00dd) was added to ^G$h\225v^K
Sep 16 10:54:55.603: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: ssionID: 0afe01fbtQ^GwH^Cnz^Gw00dd) was added to ^G$h\225v^K
Sep 16 10:54:55.603: 8853.2E9E.F70A apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: H^Cnz^Gw00dd) was added to ^G$h\225v^K
Sep 16 10:54:55.603: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm: ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
Sep 16 10:54:55.603: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm: 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
Sep 16 10:54:55.603: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
Sep 16 10:54:55.603: 8853.2E9E.F70A Applying site-specific IPv6 override for station 8853.2E9E.F70A - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: ^G$h\225v^K
Sep 16 10:54:55.603: 8853.2E9E.F70A Applying local bridging Interface Policy for station 8853.2E9E.F70A - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
Sep 16 10:54:55.603: 8853.2E9E.F70A Applying site-specific override for station 8853.2E9E.F70A - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
Sep 16 10:54:55.603: 8853.2E9E.F70A STA - rates (8): 1 wcm: 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
Sep 16 10:54:55.603: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: - vapId 4, site 'renova', interface 'RNVDOS'
Sep 16 10:54:55.603: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from Idle to AAA Pending
Sep 16 10:54:55.603: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm: (callerId: 20) in 10 seconds
Sep 16 10:54:55.604: 8853.2E9E.F70A
client incoming attribute size are 0 1 wcm: (callerId: 20) in 10 seconds
Sep 16 10:54:55.604: 8853.2E9E.F70A Sending Assoc Response to station on BSSID 0C68.03EA.4070 (status 256) ApVapId 2 Slot 1 1 wcm: 68.03EA.4070 from Idle to AAA Pending
Sep 16 10:54:55.604: 8853.2E9E.F70A apfProcessRadiusAssocResp (apf_80211.c: 1 wcm: 2149) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from AAA Pending to Authenticated
Sep 16 10:54:55.604: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm: (callerId: 18) in 10 seconds
Sep 16 10:54:55.813: 8853.2E9E.F70A Association received from mobile on AP 0C68.03EA.4070 1 wcm: n.t^Gwseconds
Sep 16 10:54:55.813: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: onds
Sep 16 10:54:55.813: 8853.2E9E.F70A apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: H^Cnz^Gw 0C68.03EA.4070 f^G$h\225v^K
Sep 16 10:54:55.813: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm: ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
Sep 16 10:54:55.813: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm: 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
Sep 16 10:54:55.813: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
Sep 16 10:54:55.813: 8853.2E9E.F70A Applying site-specific IPv6 override for station 8853.2E9E.F70A - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: f^G$h\225v^K
Sep 16 10:54:55.813: 8853.2E9E.F70A Applying local bridging Interface Policy for station 8853.2E9E.F70A - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
Sep 16 10:54:55.813: 8853.2E9E.F70A Applying site-specific override for station 8853.2E9E.F70A - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
Sep 16 10:54:55.813: 8853.2E9E.F70A STA - rates (8): 1 wcm: 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
Sep 16 10:54:55.813: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: - vapId 4, site 'renova', interface 'RNVDOS'
Sep 16 10:54:55.813: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from Authenticated to AAA Pending
Sep 16 10:54:55.813: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm: (callerId: 20) in 10 seconds
Sep 16 10:54:55.814: 8853.2E9E.F70A
client incoming attribute size are 0 1 wcm: (callerId: 20) in 10 seconds
Sep 16 10:54:55.814: 8853.2E9E.F70A Sending Assoc Response to station on BSSID 0C68.03EA.4070 (status 256) ApVapId 2 Slot 1 1 wcm: 68.03EA.4070 from Authenticated to AAA Pending
Sep 16 10:54:55.814: 8853.2E9E.F70A apfProcessRadiusAssocResp (apf_80211.c: 1 wcm: 2149) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from AAA Pending to Authenticated
Sep 16 10:54:55.814: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm: (callerId: 18) in 10 seconds
Sep 16 10:54:56.520: 8853.2E9E.F70A Association received from mobile on AP 0C68.03EA.4070 1 wcm: n.t^Gwseconds
Sep 16 10:54:56.520: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: onds
Sep 16 10:54:56.520: 8853.2E9E.F70A apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: H^Cnz^Gw 0C68.03EA.4070 f^G$h\225v^K
Sep 16 10:54:56.520: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm: ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
Sep 16 10:54:56.520: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm: 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
Sep 16 10:54:56.520: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
Sep 16 10:54:56.520: 8853.2E9E.F70A Applying site-specific IPv6 override for station 8853.2E9E.F70A - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: f^G$h\225v^K
Sep 16 10:54:56.520: 8853.2E9E.F70A Applying local bridging Interface Policy for station 8853.2E9E.F70A - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
Sep 16 10:54:56.520: 8853.2E9E.F70A Applying site-specific override for station 8853.2E9E.F70A - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
Sep 16 10:54:56.520: 8853.2E9E.F70A STA - rates (8): 1 wcm: 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
Sep 16 10:54:56.520: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: - vapId 4, site 'renova', interface 'RNVDOS'
Sep 16 10:54:56.520: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from Authenticated to AAA Pending
Sep 16 10:54:56.520: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm: (callerId: 20) in 10 seconds
Sep 16 10:54:56.521: 8853.2E9E.F70A
client incoming attribute size are 0 1 wcm: (callerId: 20) in 10 seconds
Sep 16 10:54:56.521: 8853.2E9E.F70A Sending Assoc Response to station on BSSID 0C68.03EA.4070 (status 256) ApVapId 2 Slot 1 1 wcm: 68.03EA.4070 from Authenticated to AAA Pending
Sep 16 10:54:56.521: 8853.2E9E.F70A apfProcessRadiusAssocResp (apf_80211.c: 1 wcm: 2149) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from AAA Pending to Authenticated
Sep 16 10:54:56.521: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm: (callerId: 18) in 10 seconds
Sep 16 10:54:56.729: 8853.2E9E.F70A Association received from mobile on AP 0C68.03EA.4070 1 wcm: n 10 seconds
Sep 16 10:54:56.729: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: onds
Sep 16 10:54:56.729: 8853.2E9E.F70A apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: A on AP 0C68.03EA.4070 from AAA Pending to Authenticated
Sep 16 10:54:56.729: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm: ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
Sep 16 10:54:56.729: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm: 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
Sep 16 10:54:56.729: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
Sep 16 10:54:56.729: 8853.2E9E.F70A Applying site-specific IPv6 override for station 8853.2E9E.F70A - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: from AAA Pending to Authenticated
Sep 16 10:54:56.729: 8853.2E9E.F70A Applying local bridging Interface Policy for station 8853.2E9E.F70A - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
Sep 16 10:54:56.729: 8853.2E9E.F70A Applying site-specific override for station 8853.2E9E.F70A - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
Sep 16 10:54:56.729: 8853.2E9E.F70A STA - rates (8): 1 wcm: 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
Sep 16 10:54:56.729: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: - vapId 4, site 'renova', interface 'RNVDOS'
Sep 16 10:54:56.729: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from Authenticated to AAA Pending
Sep 16 10:54:56.729: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm: (callerId: 20) in 10 seconds
Sep 16 10:54:56.730: 8853.2E9E.F70A
client incoming attribute size are 0 1 wcm: (callerId: 20) in 10 seconds
Sep 16 10:54:56.730: 8853.2E9E.F70A Sending Assoc Response to station on BSSID 0C68.03EA.4070 (status 256) ApVapId 2 Slot 1 1 wcm: 68.03EA.4070 from Authenticated to AAA Pending
Sep 16 10:54:56.730: 8853.2E9E.F70A apfProcessRadiusAssocResp (apf_80211.c: 1 wcm: 2149) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from AAA Pending to Authenticated
Sep 16 10:54:56.730: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm: (callerId: 18) in 10 seconds
Sep 16 10:54:56.937: 8853.2E9E.F70A Association received from mobile on AP 0C68.03EA.4070 1 wcm: n.t^Gwseconds
Sep 16 10:54:56.937: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: onds
Sep 16 10:54:56.937: 8853.2E9E.F70A apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: H^Cnz^Gw 0C68.03EA.4070 f^G$h\225v^K
Sep 16 10:54:56.937: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm: ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
Sep 16 10:54:56.937: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm: 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
Sep 16 10:54:56.937: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
Sep 16 10:54:56.937: 8853.2E9E.F70A Applying site-specific IPv6 override for station 8853.2E9E.F70A - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: f^G$h\225v^K
Sep 16 10:54:56.937: 8853.2E9E.F70A Applying local bridging Interface Policy for station 8853.2E9E.F70A - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
Sep 16 10:54:56.937: 8853.2E9E.F70A Applying site-specific override for station 8853.2E9E.F70A - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
Sep 16 10:54:56.937: 8853.2E9E.F70A STA - rates (8): 1 wcm: 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
Sep 16 10:54:56.937: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: - vapId 4, site 'renova', interface 'RNVDOS'
Sep 16 10:54:56.937: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from Authenticated to AAA Pending
Sep 16 10:54:56.937: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm: (callerId: 20) in 10 seconds
Sep 16 10:54:56.937: 8853.2E9E.F70A
client incoming attribute size are 0 1 wcm: (callerId: 20) in 10 seconds
Sep 16 10:54:56.937: 8853.2E9E.F70A Sending Assoc Response to station on BSSID 0C68.03EA.4070 (status 256) ApVapId 2 Slot 1 1 wcm: 68.03EA.4070 from Authenticated to AAA Pending
Sep 16 10:54:56.937: 8853.2E9E.F70A apfProcessRadiusAssocResp (apf_80211.c: 1 wcm: 2149) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from AAA Pending to Authenticated
Sep 16 10:54:56.937: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm: (callerId: 18) in 10 seconds
Sep 16 10:54:57.143: 8853.2E9E.F70A Association received from mobile on AP 0C68.03EA.4070 1 wcm: n.t^Gwseconds
Sep 16 10:54:57.143: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: onds
Sep 16 10:54:57.143: 8853.2E9E.F70A apChanged 1 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: H^Cnz^Gw 0C68.03EA.4070 f^G$h\225v^K
Sep 16 10:54:57.143: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm: ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
Sep 16 10:54:57.143: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm: 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
Sep 16 10:54:57.143: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
Sep 16 10:54:57.143: 8853.2E9E.F70A Applying site-specific IPv6 override for station 8853.2E9E.F70A - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: f^G$h\225v^K
Sep 16 10:54:57.143: 8853.2E9E.F70A Applying local bridging Interface Policy for station 8853.2E9E.F70A - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
Sep 16 10:54:57.143: 8853.2E9E.F70A Applying site-specific override for station 8853.2E9E.F70A - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
Sep 16 10:54:57.143: 8853.2E9E.F70A STA - rates (8): 1 wcm: 130 132 139 150 12 18 24 36 0 0 0 0 0 0 0 0
Sep 16 10:54:57.143: 8853.2E9E.F70A STA - rates (12): 1 wcm: 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
Sep 16 10:54:57.144: 8853.2E9E.F70A 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [ 0C68.03EA.4070 ] 1 wcm: site 'renova', interface 'RNVDOS'
Sep 16 10:54:57.144: 8853.2E9E.F70A Updated location for station old AP 0C68.03EA.4070 -1, new AP 0C68.03EA.4070 -0 1 wcm: va', interface 'RNVDOS'
Sep 16 10:54:57.144: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: P 0C68.03EA.4070 -0
Sep 16 10:54:57.144: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from Authenticated to AAA Pending
Sep 16 10:54:57.144: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm: (callerId: 20) in 10 seconds
Sep 16 10:54:57.144: 8853.2E9E.F70A
client incoming attribute size are 0 1 wcm: (callerId: 20) in 10 seconds
Sep 16 10:54:57.145: 8853.2E9E.F70A Sending Assoc Response to station on BSSID 0C68.03EA.4070 (status 256) ApVapId 2 Slot 0 1 wcm: 68.03EA.4070 from Authenticated to AAA Pending
Sep 16 10:54:57.145: 8853.2E9E.F70A apfBlacklistMobileStationEntry2 (apf_ms.c: 1 wcm: 6129) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from AAA Pending to Exclusion-list (1)
Sep 16 10:54:57.145: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm: (callerId: 44) in 10 seconds
Sep 16 10:54:57.145: 8853.2E9E.F70A client is added to the exclusion list, reason 1 1 wcm: d: 44) in 10 seconds
Sep 16 10:54:57.145: *apfReceiveTask: 1 wcm: %APF-4-ADD_TO_BLACKLIST_REASON: Client 8853.2E9E.F70A (AuditSessionID: 0afe01fb5236e37f000000de) was added to exclusion list. Reason: 802.11 association failure
Sep 16 10:54:57.836: 8853.2E9E.F70A Ignoring assoc request due to mobile in exclusion list or marked for deletion 1 wcm: fbtQ^GwH^Cnz^Gw00de) was added to ^G$h\225v^K
Sep 16 10:54:58.533: 8853.2E9E.F70A Ignoring assoc request due to mobile in exclusion list or marked for deletion 1 wcm: fbtQ^GwH^Cnz^Gw00de) was added to ^G$h\225v^K
Sep 16 10:54:59.231: 8853.2E9E.F70A Ignoring assoc request due to mobile in exclusion list or marked for deletion 1 wcm: fbtQ^GwH^Cnz^Gw00de) was added to ^G$h\225v^K
Sep 16 10:54:59.922: 8853.2E9E.F70A Ignoring assoc request due to mobile in exclusion list or marked for deletion 1 wcm: fbtQ^GwH^Cnz^Gw00de) was added to ^G$h\225v^K
Sep 16 10:55:06.972: 8853.2E9E.F70A apfMsExpireCallback (apf_ms.c: 1 wcm: 664) Expiring Mobile!
Sep 16 10:55:06.972: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm: (callerId: 46) in 60 seconds
Sep 16 10:55:06.972: 8853.2E9E.F70A apfMsExpireMobileStation (apf_ms.c: 1 wcm: 7067) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from Exclusion-list (1) to Exclusion-list (2)
Sep 16 10:55:06.972: 8853.2E9E.F70A 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [ 0C68.03EA.4070 ] 1 wcm: 3.2E9E.F70A on AP 0C68.03EA.4070 from Exclusion-list (1) to Exclusion-list (2)
Sep 16 10:55:06.972: 8853.2E9E.F70A 0.0.0.0 START (0) FastSSID for the client [ 0C68.03EA.4070 ] NOTENABLED 1 wcm: E9E.F70A on AP 0C68.03EA.4070 from Exclusion-list (1) to Exclusion-list (2)
Sep 16 10:55:06.972: 8853.2E9E.F70A Incrementing the Reassociation Count 1 for client (of interface RNVDOS) 1 wcm: D
Sep 16 10:55:06.972: 8853.2E9E.F70A Clearing Dhcp state for station --- 1 wcm: for client (of interface RNVDOS)
WLC1#
WLC1#
Kind Regards,
Vasco
Hi Patrick,
Thank you for sharing your solution. It didn't entirely solve the problem, but you pointed me in the right direction!
They are caused because the system searches for an AAA authorization list which is not configured.
To resolve this, configure the following:
aaa authorization network mac-filter local
where mac-filter is the name you defined in the SSID.
I've used your suggestion to create an AAA local authorization list, but instead of naming it after the SSID, I've used the name of the attribute list (macauth) and it solved the problem:
aaa authorization network macauth local
username 88532e9ef70a mac aaa attribute list macauth
wlan RNVDOS 4 RNVDOS
 client vlan RNVDOS
 mac-filtering macauth
WLC1#sh wireless client summ
Number of Local Clients : 1
MAC Address AP Name WLAN State Protocol
8853.2e9e.f70a APf872.ead7.31da 4 UP 11n(5)
Cheers,
Vasco -
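The debug capture Vasco posted is long and every line carries the " 1 wcm:" residue, which makes the sequence (two associations, AAA Pending, then Exclusion-list with the %APF-4-ADD_TO_BLACKLIST_REASON event) hard to see. The following is an added example, not code from the thread and not a Cisco tool: a small Python triage script that parses lines of that shape into a per-client summary of association attempts, APF state changes, Assoc Response status codes and the exclusion reason. The sample input is a constructed subset of the lines posted above, copied verbatim; the regexes, the ClientSummary structure and the verdict wording are my own assumptions about what is worth pulling out.

```python
"""Triage helper for Cisco IOS-XE (NGWC) WLC 'debug client' output.

Added example: folds debug lines like the ones posted in this thread into a
per-client picture (association attempts, APF state changes, Assoc Response
status codes, exclusion-list reason) so a flapping or excluded client can be
spotted without reading the capture line by line.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Leading "Mon dd hh:mm:ss.mmm: " timestamp; the remainder is the event text.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}): (?P<rest>.*)$")
# Most APF lines start with the client MAC in dotted-hex form.
MAC_RE = re.compile(r"^(?P<mac>[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}) (?P<msg>.*)$")
# These are searched rather than anchored: the " 1 wcm:" marker splits a line
# and the meaningful text may sit on either side of it.
STATE_RE = re.compile(r"Changing state for mobile (\S+) on AP (\S+) from (.+?) to (.+?)\s*$")
ASSOC_RE = re.compile(r"Association received from mobile on AP (\S+)")
RESP_RE = re.compile(r"Sending Assoc Response to station on BSSID (\S+) \(status (\d+)\)")
EXCL_RE = re.compile(r"Client (\S+) .*?was added to exclusion list\. Reason: (.+?)\s*$")
IGNORE_RE = re.compile(r"Ignoring assoc request due to mobile in exclusion list")


@dataclass
class ClientSummary:
    first_seen: Optional[str] = None
    last_seen: Optional[str] = None
    assoc_attempts: int = 0
    assoc_status: List[int] = field(default_factory=list)
    # (timestamp, AP, old state, new state)
    transitions: List[Tuple[str, str, str, str]] = field(default_factory=list)
    exclusion_reason: Optional[str] = None
    ignored_while_excluded: int = 0


def summarize(lines: Iterable[str]) -> Dict[str, ClientSummary]:
    """Fold a debug capture into one ClientSummary per client MAC."""
    clients: Dict[str, ClientSummary] = {}

    def touch(mac: str, ts: str) -> ClientSummary:
        c = clients.setdefault(mac.upper(), ClientSummary())
        c.first_seen = c.first_seen or ts
        c.last_seen = ts
        return c

    for raw in lines:
        m = TS_RE.match(raw.rstrip("\r\n"))
        if not m:
            continue  # prompts, blank lines, wrapped fragments
        ts, rest = m.group("ts"), m.group("rest")
        # The %APF-4 syslog event carries the MAC inside the message, not in front.
        e = EXCL_RE.search(rest)
        if e:
            touch(e.group(1), ts).exclusion_reason = e.group(2)
            continue
        mm = MAC_RE.match(rest)
        if not mm:
            continue
        c, msg = touch(mm.group("mac"), ts), mm.group("msg")
        if ASSOC_RE.search(msg):
            c.assoc_attempts += 1
        s = STATE_RE.search(msg)
        if s:
            c.transitions.append((ts, s.group(2), s.group(3), s.group(4)))
        r = RESP_RE.search(msg)
        if r:
            c.assoc_status.append(int(r.group(2)))
        if IGNORE_RE.search(msg):
            c.ignored_while_excluded += 1
    return clients


def verdict(c: ClientSummary) -> str:
    """One-line triage statement for a client."""
    if c.exclusion_reason:
        return (f"excluded after {c.assoc_attempts} association attempt(s): "
                f"{c.exclusion_reason}; {c.ignored_while_excluded} later request(s) ignored")
    if c.transitions:
        return f"last state {c.transitions[-1][3]} after {c.assoc_attempts} association attempt(s)"
    return "no APF state changes seen"


# Constructed sample: a subset of the lines posted in this thread, kept
# verbatim (including the " 1 wcm:" residue) so the parser sees the real shape.
SAMPLE_LOG = [
    r"Sep 16 10:54:56.937: 8853.2E9E.F70A Association received from mobile on AP 0C68.03EA.4070 1 wcm: n.t^Gwseconds",
    r"Sep 16 10:54:56.937: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from Authenticated to AAA Pending",
    r"Sep 16 10:54:56.937: 8853.2E9E.F70A Sending Assoc Response to station on BSSID 0C68.03EA.4070 (status 256) ApVapId 2 Slot 1 1 wcm: 68.03EA.4070 from Authenticated to AAA Pending",
    r"Sep 16 10:54:56.937: 8853.2E9E.F70A apfProcessRadiusAssocResp (apf_80211.c: 1 wcm: 2149) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from AAA Pending to Authenticated",
    r"Sep 16 10:54:57.143: 8853.2E9E.F70A Association received from mobile on AP 0C68.03EA.4070 1 wcm: n.t^Gwseconds",
    r"Sep 16 10:54:57.144: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from Authenticated to AAA Pending",
    r"Sep 16 10:54:57.145: 8853.2E9E.F70A Sending Assoc Response to station on BSSID 0C68.03EA.4070 (status 256) ApVapId 2 Slot 0 1 wcm: 68.03EA.4070 from Authenticated to AAA Pending",
    r"Sep 16 10:54:57.145: 8853.2E9E.F70A apfBlacklistMobileStationEntry2 (apf_ms.c: 1 wcm: 6129) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from AAA Pending to Exclusion-list (1)",
    r"Sep 16 10:54:57.145: *apfReceiveTask: 1 wcm: %APF-4-ADD_TO_BLACKLIST_REASON: Client 8853.2E9E.F70A (AuditSessionID: 0afe01fb5236e37f000000de) was added to exclusion list. Reason: 802.11 association failure",
    r"Sep 16 10:54:57.836: 8853.2E9E.F70A Ignoring assoc request due to mobile in exclusion list or marked for deletion 1 wcm: fbtQ^GwH^Cnz^Gw00de) was added to ^G$h\225v^K",
    "WLC1#",
]

if __name__ == "__main__":
    for mac, c in summarize(SAMPLE_LOG).items():
        print(f"{mac}: {verdict(c)}")
        for ts, ap, old, new in c.transitions:
            print(f"  {ts}  AP {ap}  {old} -> {new}")
```

Feed it the whole capture (`summarize(open("debug.txt"))`) and the verdict line tells you at once that the client was excluded for "802.11 association failure" after two association attempts, which is the symptom the missing AAA authorization list produced here; the transition list then shows the AAA Pending to Exclusion-list step to look at in detail.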
Certificates to 802.1x LEAP ethernet and wireless clients
Hello guys, I have just configured a RADIUS server, Active Directory domain controller and certificate server on one Windows 2003 PC. I have generated a self-signed digital certificate and used the certificate server to generate a root certificate from it. I have exported it as 'public key only' and saved it on the desktop of the RADIUS server.
1) I configure the RADIUS server policy to accept connections from wireless and Ethernet connections using 'PEAP'.
2) And the user must supply a user name and password from Active Directory before entering the network.
3) I am planning on using 802.1x port security (config-if# dot1x port-security auto) on the switch connecting to the PC.
4) I am planning on pointing the switch to the server and the server to the switch. I will also configure the client network cards for PEAP.
What I don't know is how the client PC will get this certificate that is on my RADIUS server. Do they need to have a copy on their own machines to be able to communicate with the server? This is where I am lost.
Thanks
Certificates are a matter of trust - if an entity trusts the root (your CA) of a user certificate, and the certificate itself has no other problems, then it automatically trusts the certificate. If your RADIUS server and user/machine certificates all came from the same root (your self-signed CA), and you put the root certificate (public key version) in the trusted list, then you are good to go.
If you are using the Microsoft PKI services on your server (that is also your domain controller), then I'm pretty sure that your windows computers will automatically trust your root once the windows computers have been joined to your domain.
Also - for PEAP on Windows computers, you can completely disable the client's verification of the (RADIUS) server certificate. It's great for testing, but I recommend deploying with server certificate validation enabled.
Lastly - if you're building a lab, you may also want to investigate user and computer certificates and EAP-TLS. Windows CA with windows clients makes it very simple to deploy. Macintoshes are a pain, no matter what kind of CA you use. -
Initial configuration of ACS 5.1 for EAP authentication for Wireless clients
Hi,
I have set-up with below devices :
Wireless LAN controller 5508
LAP 3302i
and ACS 5.1
Since I am new to ACS 5.1 configuration, I need some information to go ahead and configure ACS 5.1.
Which EAP method should I use for wireless client authentication? What is the best practice?
I have gone through some Cisco documents and they show that the best practice is to configure PEAP, but for that I need to install a certificate on the ACS server as well as on the client PC. Is that so?
I have no clear picture of this certificate.
From where can I get this certificate, or do I need to purchase this certificate separately from Cisco? How do I install it on the ACS server?
I would be obliged to get at least an initial configuration for ACS 5.1 to enable the EAP method.
I need a GUI-based initial configuration for ACS 5.1.
This ACS 5.1 is installed on an ACS 1121 hardware appliance.
Hi,
Which EAP method should I use for wireless client authentication? What is the best practice?
-> I would advise the most widely used EAP method, which has the best security/ease-of-deployment ratio: PEAP with MSCHAPv2, which is available by default on all Windows machines.
I have gone through some Cisco documents and they show that the best practice is to configure PEAP, but for that I need to install a certificate on the ACS server as well as on the client PC. Is that so?
-> You will always need to install a server certificate; however, there is no need for a client certificate because the authentication is based on the MSCHAP credential exchange, not on certificates. The only requirement on the client regarding certificates is the following.
If you want to validate the server certificate, you have to install the server certificate under the trusted CAs of the clients.
If you do not require trusting the server certificate, you can simply disable the option of server certificate validation.
I have no clear picture of this certificate.
From where can I get this certificate, or do I need to purchase this certificate separately from Cisco? How do I install it on the ACS server?
-> The server certificate can be a simple self-signed certificate that you generate and install through the ACS GUI.
Please feel free to follow this step-by-step guide on
PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server:
http://www.cisco.com/en/US/partner/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml or in pdf
http://www.cisco.com/image/gif/paws/112175/acs51-peap-deployment-00.pdf.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
WRT610N disconnects when transfering from wireless client to wired client
Based on reviews, I purchased a WRT610N.
I have it set up with wireless N to work with my two laptops, and also have a desktop connected to one of the gig ports.
Whenever I try to transfer any files (or access the desktop) from any of the wireless clients, the wireless radio part of the router seems to reboot itself every 5 to 10 seconds.
If I go from a wireless client to another wireless client, it works fine. If I plug one of the laptops into one of the gig ports and transfer files to the desktop through the wired connection, it works fine. But as soon as either laptop tries to access the desktop through the wireless connection, the radio goes into a reboot cycle until I stop trying to access the desktop.
The router has the latest firmware. The two laptops have an Intel 5300 and an Intel 4965AGN card, both running Windows 7; the desktop is also running Windows 7.
I used to be able to do this with a WRT150N without any issues; I upgraded to the WRT610N for the gig port speed, but now I have this issue.
Appreciate any assistance.
OK, I disabled IPv6 and now it will go about a minute of transferring files before the wireless dies.
AP Isolation is disabled.
Even tried from within the same room, direct line of sight from the laptop to the Router, about 5 to 7 feet away. Computer shows wireless signal at full strength.
I don't think it's the wireless cards in the laptops because I used the exact same setup with a WRT150N and WRT54GR and both work fine (although slower).
Just as a sanity check, I put the WRT150N back in last night and tested it, it would let me transfer files all night long without disconnecting. -
E1200 Wireless Client List will not display and causes web UI to temporarily stop responding
I picked up an E1200 and set it up successfully. I am using wireless MAC filtering, and decided to pull up the list of connected wireless clients (Wireless >> Wireless MAC Filter >> push "Wireless Client List" button).
When I do so, it immediately throws this back:
Immediately after this the Web UI of the E1200 becomes inaccessible. It still routes traffic, and the router remains pingable, but it will not allow access to the Web UI for several minutes. The error that appears upon attempt to access the Web UI during this time window is similar to the above, but reads "Error 102 (net::ERR_CONNECTION_REFUSED): The server refused the connection."
I have tried this in Google Chrome, Firefox 4, and MSIE on two separate computers. Each browser displays the error a bit differently (MSIE, for example, just says it can't display the page and gives no further detail) but the net results are always the same. I have tried resetting the device to factory defaults in addition to re-downloading the firmware from the Cisco/Linksys website and installing it. No improvement.
I have also noted that the Log (Administration >> Log; and yes, I have it enabled) doesn't appear to be picking up anything at all. In fact, the Security log, which supposedly (according to the Help) "displays the login information for the Router’s browser-based utility," is also blank.
Is this a bug, or should I head back to the retailer and swap this device?
OK - I nailed this down, I think, and it looks like a firmware bug.
Short version is that a factory reset cleared the issue, but during stepwise reconfiguration the problem came back. Through a bunch of iteration I figured out that if I have the E1200's DHCP server disabled *and* have wireless clients connected to it, the problem I described appears.
Turn the DHCP server back on and the problem goes away. Turn it off and the problem comes back. Turn it back on and it goes away. You get the idea.
If I had to pose a theory here, it's that the initial display of the Wireless Client List, which uses "IP Address" as the default sort, somehow implodes if the E1200 isn't actually assigning those IP addresses to the clients.
When this happens it appears to crash the Web UI wholesale. Just for grins, while the Web UI was unresponsive, I pinged the router as before - still pingable - then ran nmap against it - no open ports found on the router. When the Web UI is functional, though, nmap detects port 80 quite easily. I have not timed how long it takes for the Web UI to come back up, but it is longer than 5 minutes, and I presume some sort of watchdog process has to detect that it has gone kaput and start it up again.
Final test was to restore my saved configuration from before the factory reset (note that the saved config was done under the same firmware version, and in this config, the DHCP server is disabled). Boom, problem. Wait for the Web UI to come back, turn on the DHCP server. Problem goes away. Turn the DHCP server off. Boom, problem comes back.
So, there you go.
Would be interesting if someone could verify this via a test against another E1200. It may be worth noting that in my baseline test I was also using Manual wireless setup (vs. Wi-Fi Protected Setup), and WPA2. Didn't make any other setting changes from the factory defaults. I did not actually have to turn the Wireless MAC Filter on to do the test. All one needs to do is click Enable on the Wireless MAC Filter tab, and then do *not* click Save Settings - just clicking Enable will light up the Wireless Client List button, which you can then push to get the list. That is how I handled testing to ensure that neither specific entries, nor the Prevent/Permit setting, nor having the filter enabled in saved configuration were involved in the problem.
Separately, no explanation for the lack of entries in the security log, but that pretty much looks like a firmware bug to me as well. -
Who is 10.0.1.3 wireless client in my time capsule
I use my time capsule as a router and there is this wireless client 10.0.1.3 along with all others (which are known to me), except this one.
How can I find out who is this, or what is it?
I have AirPort Express connected to TC too, but it shows separately in the AirPort Utility.
OK Bob/John,
Sorry for this long post - and thank you so much for your thoughts and time.
It still shows that 10.0.1.3 wireless client. But now I think it could be my MacBook as the 10.0.1.3 wireless client on the TC has the same hardware address (xx:xx:xx...) as the one that shows in my System Information panel in the Network/Locations folder under the Wi-Fi Hardware (MAC) Address - see screen shots.
Bottom line - 10.0.1.3 could be my MacBook, but is it really - I am not that tech savvy?
If it is - where can I go and rename it so it shows my MacBook name?
Anyway, I am going to tell you what I did if this is relevant for anything you were wondering about. Otherwise you don't have to read the statements below.
Bob said:
Power off the entire network....all devices....in any order that you wish when you go to bed tonight.
In the morning, power up the modem first and let it run a minute by itself
Power up the next device connected to the modem the same way
Power up the next, etc.
Keep powering up devices one at a time until the network is back up
------->
I did that this morning.
John said:
The TC will retain the client's IP address until its DHCP lease expires, or you cycle its power.
If you had a visitor with an iPhone or iPad or iPod Touch the TC will remember its IP address long after he's gone. Don't forget the guest network - if you enabled it, it's open.
"Ping" that address using Terminal - if the client is no longer present you will get 100% packet loss so that was likely the source of this mystery. On the other hand if you get returns the times shown may be useful.
-------->
I have AU 6.1 and it shows on the TC in the Internet Tab option for "Renew DHCP Lease", but I haven't touched it yet, as I don't know what exactly to do. However, I did cycle power the modem.
And yes, I had visitor a while back (approx. 4 weeks ago) - he has an iPad and and an iPhone too. Both were not on my WiFi though. They were on my Wi-Fi before that - around 8 weeks ago. But at that time I had a different ISP. I don't know if that's important to be mentioned.
Guest Network is disabled.
John, I don't know how to "ping" any address in Terminal. Which address are you referring to?
Bob is right - iPhones and iPads come and go as wireless clients depending on sleep/power off or when they are not on any Wi-Fi but on their cellular network.
John, Yes, all screen shots are from my MacBook 13" AL, late 2008 (yes, I know it is old) running on Mac Lion v.10.7.5. -
WRT54GC will not give wireless clients IP addresses
Hi, I'm here on behalf of a friend. I'm working on a WRT54GC wireless router. The issue is that any wireless client wishing to connect to the router (after seeing the SSID) always fails at "Waiting for network" on the connection screen. However, wired clients are able to connect without any problems. I have updated the firmware to the latest one. No security features (WEP/WPA) are enabled. I have tried changing the channel and mode to no avail. MAC address filtering is disabled. Wireless card drivers are up to date. I'd like to know what can be done to resolve this issue. Thanks in advance. -Keres
On the non-working computer, temporarily turn off the software firewall, including Windows Firewall, and see if this helps.
Also, give your network a unique SSID. Do not use "linksys". If you are using "linksys" you may be trying to connect to your neighbor's router. Also set "SSID Broadcast" to "enabled". This will help your computer find and lock on to your router's signal.
If you still have trouble, in the computer, go to the wireless adapter software, and go to "Preferred Networks" (sometimes called "Profiles" ), and delete all the networks you find. Reboot computer. Then return to "Preferred Networks" and re-enter your unique network SSID, and set it to "automatic login". Reboot computer. You should connect automatically.
If the above does not fix your problem, download and install the latest driver for your wireless card. -
Use TC as a wireless client and as ethernet switch hub at the same time?
Hi!
I have a wireless DSL-modem downstairs and my office upstairs. Since I use the TC-USB Port for my printer (to share it to my family as well) my TC is located in the office, close to the printer. Thus TC has to be configured as a wireless client and everything works fine so far,........but: When I add music (stored on TC) to my iTunes library, everything is soooo sloooow! Copying files using the route iMAC ---> DSL-modem/router ----> TC .... so sloooooow!
Is there any way to use the ethernet ports while TC is a wireless client?
Whenever I connect my iMac via ethernet using my current setup, it doesn't get an IP address from TC (obviously because there is no DHCP service active???). When I disable my Airport on the iMac, all connections are off-line.
Pls. help or advise!
Thx. Hannes
Thanks for the response.
Everything works fine if I use your suggested setup but I need the TC in the office, and the DSL modem downstairs. An ethernet connection is not possible this way, and the printer in the living room isn't really a nice piece of furniture
I think, there is no possibility to use the wireless as uplink and the TC as a router/DHCP-server...
Probably I need a server computer to handle the connection between the wireless LAN created by the DSL modem and an ethernet network managed by the TC.
Hopefully someone has an idea/solution that fixes my problem.
meanwhile I keep looking......