EAP-TLS on ACS v4 for wireless users

Hi,
I'm trying to deploy the EAP-TLS authentication method on ACS v4.0 for my local wireless users; really I am stuck with the certificate issue and need your assistance to understand the required procedures to accomplish the task.
As mentioned in the ACS configuration guide I have to have a CA server to generate certificates for both ACS and wireless users, but I found an option on the ACS under the System Configuration tab, then ACS Certificate Setup, "Generate Self-Signed Certificate". I generated a certificate and uploaded a copy to my PC, installed it and followed the recommended steps to configure the Microsoft XP client, but still I got the error "Windows was unable to find a certificate to log you on to the network SSID". Honestly I don't know if this is possible, but I gave it a try and failed.
Kindly advise what is the appropriate and easiest way to accomplish the task; if you could provide me with helpful documents I'll appreciate it.
Regards,
Belal

I am currently using EAP-TLS authentication for my wireless users with ACS 3.2. I have had that problem before. This is what I did...
Set up a Microsoft Certificate server as my CA. You can use the same machine for your ACS and CA.
Then generate a certificate signing request from ACS, request a server certificate from the CA, then copy and install the certificate on ACS. On the ACS, go to Global Authentication Setup and check the EAP-TLS certificate. If it fails to respond, that means the server certificate is not properly set up.
On the Windows XP clients, connect your machine using wired LAN, then request a certificate from the CA (the same CA that you used for your ACS) using IE (e.g. http://CAip/certsrv), but this time request a client certificate. The name you put when requesting the cert must be your local Windows user; use 1024, choose Microsoft Base Cryptographic Provider 1.0, then install the certificate on the client. Verify your client certificate was installed properly.
At that point you should be able to connect your wireless client using EAP-TLS.

Similar Messages

  • 'Could not find user' with EAP-TLS in ACS

    Hi all,
    we are running ACS 4.2(1) Build 15 on a Win2003 member server and use the ACS for EAP-TLS with certificates (Microsoft-PKI) for WLAN authentication (WLC 4402, 6.0 and 4.2). We are using both machine and user authentication.
    Sometimes machine authentications fail with following message in AUTH.log:
    AUTH 11/01/2010 09:11:28 E 1395 1904 0x31cb External DB [NTAuthenDLL.dll]: Could not find user host/<xxxxxxxx>.com (0x5012)
    But some minutes/hours later the same machine can authenticate successful. Other machines never have this problem, no problems at all with user authentications.
    Does anyone have an idea where I can proceed with troubleshooting? I haven't found any related messages in the server event logs. Are there any other logs where I can find reasons for these problems that are occurring only sometimes?
    Thanks
    Kai

    AUTH.log and RDS.log are the two log files you need to look into on the ACS side. Make sure the log level is set to "Full".
    You might need to check the log on the AD side to see why it could not find this host.
    Comparing the logs between the working and non-working cases might be helpful.
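The reply above suggests comparing AUTH.log between the working and non-working cases. The following is an added example, not from the thread and not Cisco tooling: it parses lines in the shape of the entry Kai posted, groups them per identity, and separates machine accounts (host/...) that fail persistently from those that recover some time later. Only the failure-line shape comes from the post; the success-line wording, the hostnames and the whole log excerpt are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line shape of the ACS 4.x AUTH.log entry quoted in the question:
# AUTH 11/01/2010 09:11:28 E 1395 1904 0x31cb External DB [NTAuthenDLL.dll]: Could not find user host/<x>.com (0x5012)
LINE_RE = re.compile(
    r"^AUTH (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<level>[A-Z]) \d+ \d+ 0x[0-9a-fA-F]+ (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"Could not find user (?P<ident>\S+) \((?P<code>0x[0-9a-fA-F]+)\)")
# Assumed wording for a successful external-DB lookup; not taken from the thread or ACS docs.
OK_RE = re.compile(r"Authentication successful for user (?P<ident>\S+)")

# Constructed sample log: pc01 fails then recovers, pc02 only fails, pc03 and alice only succeed.
SAMPLE_LOG = """\
AUTH 11/01/2010 09:11:28 E 1395 1904 0x31cb External DB [NTAuthenDLL.dll]: Could not find user host/pc01.example.com (0x5012)
AUTH 11/01/2010 09:12:02 I 1395 1904 0x31cc External DB [NTAuthenDLL.dll]: Authentication successful for user alice
AUTH 11/01/2010 09:40:15 I 1395 1904 0x31d0 External DB [NTAuthenDLL.dll]: Authentication successful for user host/pc01.example.com
AUTH 11/01/2010 10:02:44 E 1395 1904 0x31d4 External DB [NTAuthenDLL.dll]: Could not find user host/pc02.example.com (0x5012)
AUTH 11/01/2010 13:30:01 E 1395 1904 0x31e0 External DB [NTAuthenDLL.dll]: Could not find user host/pc02.example.com (0x5012)
AUTH 11/01/2010 13:31:09 I 1395 1904 0x31e1 External DB [NTAuthenDLL.dll]: Authentication successful for user host/pc03.example.com
"""


def parse_auth_log(text):
    """Return a list of (timestamp, identity, ok, code) for every recognised External DB line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other AUTH.log chatter is ignored
        ts = datetime.strptime(m["date"] + " " + m["time"], "%m/%d/%Y %H:%M:%S")
        fail = FAIL_RE.search(m["msg"])
        if fail:
            events.append((ts, fail["ident"], False, fail["code"]))
            continue
        ok = OK_RE.search(m["msg"])
        if ok:
            events.append((ts, ok["ident"], True, None))
    return events


def classify(events):
    """Per identity: 'ok' (never failed), 'persistent' (never succeeded) or 'intermittent' (both)."""
    counts = defaultdict(lambda: {"ok": 0, "fail": 0})
    for _, ident, ok, _ in events:
        counts[ident]["ok" if ok else "fail"] += 1
    result = {}
    for ident, c in counts.items():
        if c["fail"] == 0:
            result[ident] = "ok"
        elif c["ok"] == 0:
            result[ident] = "persistent"
        else:
            result[ident] = "intermittent"
    return result


def machine_accounts(events):
    """Machine authentications carry the host/ prefix; user authentications do not."""
    return sorted({ident for _, ident, _, _ in events if ident.startswith("host/")})


def recovery_seconds(events, ident):
    """Seconds from the first failure of ident to the first later success, or None if it never recovered."""
    fails = sorted(ts for ts, i, ok, _ in events if i == ident and not ok)
    oks = sorted(ts for ts, i, ok, _ in events if i == ident and ok)
    for f in fails:
        later = [o for o in oks if o > f]
        if later:
            return (later[0] - f).total_seconds()
    return None


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_LOG)
    for ident, state in sorted(classify(ev).items()):
        extra = ""
        if state == "intermittent":
            extra = "  (recovered after %.0f s)" % recovery_seconds(ev, ident)
        print("%-28s %s%s" % (ident, state, extra))
```

Feed it the real AUTH.log (at log level Full) and diff the "intermittent" hosts against AD: an account that is found a few minutes later usually points at replication or at which domain controller ACS happened to query, which is something the failure line alone does not show.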

  • Authentication eap-tls on ACS or local EAP WLC over Lwapp and 7921

    Hi All,
    I installed a WLC to provide the WLAN architecture and the project was extended for VoWLAN. We have 7921 and E51 phones running over the wide WLAN architecture.
    Computers using data over wireless are working with PEAP done by ACS and a CA-signed certificate; the user secret on the PC is linked to the domain account and the secret stays the login and password. Our problem is that the user and password are linked via ACS to Active Directory, and the policy is that passwords change frequently.
    For the phones we are actually running authentication over LEAP, but I'm working to define the best security solution for us.
    I'm comparing PEAP and EAP-TLS for now:
    1) PEAP checks the authentication of ACS via certificate trust and authenticates via MS-CHAPv2 and the secret password known by the user. My problem here is that on the phone the password can only be static, which is potentially not acceptable.
    2) EAP-TLS, which is the most secure due to the double-sided certificate authentication + (login / password) on the phone.
    So I need to manage Certificate Management here? I mean I can use either the MIC CA certificate on the phone or a user-defined CA, which I can put on ACS or on local EAP on the WLC, and then put the ACS CA trust on the phone.
    If I understood well, I have to put User.cer and ACS_CA.cer on each phone and put the User_CA on the ACS?
    I already have a certificate on the ACS signed by a CA (like VeriSign), so I must create a CSR for each phone to be able to use the same CA?
    I'm thinking of also using the local EAP certificate of the controller to manage all of that, to avoid any potential money to pay to the trusted CA of the ACS.
    Can you help me to know if I understood everything correctly? I would be pleased to exchange experience on that.
    thanks ;)
    bye


  • EAP-TLS and ACS 5.1 with AD

    Hello,
    I want to set up ACS 5.1 for dot1x port authentication. I want to do machine authentication against an AD domain and I got the following error message:
    24435  Machine Groups retrieval from Active Directory succeeded
    24100  Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes.
    24483  Failed to retrieve the machine certificate from Active Directory.
    22049  Binary comparison of certificates failed
    22057  The advanced option that is configured for a failed authentication request is used.
    22061  The 'Reject' advanced option is configured in case of a failed authentication request.
    12507  EAP-TLS authentication failed
    11504  Prepared EAP-Failure
    11003  Returned RADIUS Access-Reject
    What is the problem? I can't find documents on how to configure this in detail.
    Can someone help me?
    Kind regards
    Torsten

    Hi Torsten,
    The option you are looking for is under system configuration:
    Configuring Local Server Certificates
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/admin_config.html#wp1052640
    Under acs-->Users and Identity Stores-->Local certificate-->Edit. You can only import/configure CA certificate:
    Configuring CA Certificates
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1158666
    HTH
    Regards,
    JK
    Plz rate helpful posts-

  • EAP-TLS wi-fi net for PC and iPhone

    Hi, everyone! I'm rather confused and hoped that someone could help me to make the situation clear.
    We want to establish a Wi-Fi network with WPA2-Enterprise and EAP-TLS for computers and mobile devices (iPhones, Nokia Symbian, Android devices).
    The connection is organised in this way: client---AP 1240---ACS 4.2---AD (Server 2003)
    I have 2 test computers with Wi-Fi adapters: one is joined to the domain (has a wired connection), another has a local account, and an iPhone. I customized the settings on these computers, the iPhone, the AP and the ACS.
    We have our own CA, a 2-tier PKI infrastructure. I have installed the ACS and client certificates on all the devices (by the way, they are 2048 bits in size).
    I manage to connect from a computer in the domain, but the second PC and the iPhone refuse to connect, respectively:
    "EAP-TLS or PEAP authentication failed during SSL handshake".
    "EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake"
    Also I saw in the logs that "Machine authentication is not permitted", so the domain PC authenticates through the user account and is mapped to a special group.
    So I think the reason is that only domain devices are allowed to join the network. How can I change this?
    Another possibility is that I issue the certificates first to wired domain computers and then export them to devices not joined to the domain, so they have inappropriate credentials.
    Please, if you have any thoughts about the reason for the problem, share them. I would appreciate any help.

    The ATV is strictly a wifi client, it doesn't function as a router or access point. You can connect it to your router either by wifi or Ethernet cable. Your pc doesn't need a wifi card to work with an ATV as long as they're both on the same network.

  • IPhone and EAP-TLS with ACS & 5508

    I have a large customer that is moving into a new building and adding some new wireless.
    They are using a 5508 with 1142's and an ACS server.
    They will have the following SSIDs:
    SSID01 -> WPA-EAP-TLS
    SSID02 -> WPA2-EAP-TLS (future use)
    SSID03 -> Guest Access (internet access only)
    They currently use this design across the enterprise, which has worked well.
    The problem is getting certificates pushed down to the client for EAP-TLS: they always connect the machine once by wire and log on to the domain so a GPO pushes the cert to the machine.
    This creates a problem that I don't know how to solve, as they want to use iPhones on the new deployment.
    Does anyone have any ideas on how to get a cert down to the iPhones for use with the SSIDs?
    Thanks in advance for any assistance.

    I don't think we can push certs from Windows Server to iPhones. Probably set up a webpage, accessible from a different SSID, from which clients can download and install the cert?
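Building on the suggestion above: the artefact such a web page would hand out is an Apple configuration profile (.mobileconfig), a plist that carries the CA trust anchor, the user's PKCS#12 identity and the Wi-Fi settings pinned to EAP-TLS in one file. The code below is an added example, not from the thread, Cisco or Apple. The PKCS#12 and CA blobs are constructed placeholders, and the SSID, organisation identifier and RADIUS server name are assumed values.

```python
import plistlib
import uuid

# Constructed placeholders: a real deployment reads the user's .p12 (exported from
# the CA with its private key) and the CA certificate in DER form from disk.
FAKE_P12 = b"PLACEHOLDER-PKCS12-BYTES"
FAKE_CA_DER = b"PLACEHOLDER-CA-DER-BYTES"


def _payload(ptype, identifier, display_name, **extra):
    """Common keys every payload inside a configuration profile carries."""
    base = {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }
    base.update(extra)
    return base


def build_eap_tls_profile(ssid, p12_bytes, p12_password, ca_der, server_names, org="example.com"):
    """Return a .mobileconfig (XML plist) with CA trust, the user identity and the Wi-Fi payload."""
    ca = _payload("com.apple.security.root", org + ".ca", "Corporate CA",
                  PayloadContent=ca_der)
    identity = _payload("com.apple.security.pkcs12", org + ".identity", "EAP-TLS identity",
                        PayloadContent=p12_bytes, Password=p12_password)
    wifi = _payload("com.apple.wifi.managed", org + ".wifi." + ssid, "Wi-Fi " + ssid,
                    SSID_STR=ssid,
                    HIDDEN_NETWORK=False,
                    AutoJoin=True,
                    EncryptionType="WPA2",
                    # The identity the device presents as its EAP-TLS client certificate
                    PayloadCertificateUUID=identity["PayloadUUID"],
                    EAPClientConfiguration={
                        "AcceptEAPTypes": [13],                               # 13 = EAP-TLS
                        "PayloadCertificateAnchorUUID": [ca["PayloadUUID"]],  # trust only our CA
                        "TLSTrustedServerNames": list(server_names),          # pin the RADIUS cert name
                        "TLSAllowTrustExceptions": False,                     # no "trust anyway" prompt
                    })
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org + ".eap-tls-wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "EAP-TLS Wi-Fi (" + ssid + ")",
        "PayloadOrganization": org,
        "PayloadRemovalDisallowed": False,
        "PayloadContent": [ca, identity, wifi],
    }
    return plistlib.dumps(profile)


def check_profile(profile_bytes):
    """Re-parse a profile and report whether the Wi-Fi payload is wired to the identity and the CA."""
    p = plistlib.loads(profile_bytes)
    by_type = {x["PayloadType"]: x for x in p["PayloadContent"]}
    wifi = by_type["com.apple.wifi.managed"]
    eap = wifi["EAPClientConfiguration"]
    return {
        "eap_types": eap["AcceptEAPTypes"],
        "identity_linked": wifi["PayloadCertificateUUID"] == by_type["com.apple.security.pkcs12"]["PayloadUUID"],
        "anchor_linked": eap["PayloadCertificateAnchorUUID"] == [by_type["com.apple.security.root"]["PayloadUUID"]],
        "trust_exceptions": eap["TLSAllowTrustExceptions"],
        "server_names": eap["TLSTrustedServerNames"],
        "identity_bytes": by_type["com.apple.security.pkcs12"]["PayloadContent"],
    }


if __name__ == "__main__":
    blob = build_eap_tls_profile("SSID01", FAKE_P12, "changeit", FAKE_CA_DER, ["acs.example.com"])
    print(check_profile(blob))
```

The profile embeds the PKCS#12 password, so the file is the credential: generate one per user, serve it over HTTPS from the onboarding SSID, and sign the profile so the phone shows it as verified. Pinning TLSTrustedServerNames and disabling trust exceptions is what stops a rogue AP with any certificate from that CA from harvesting the handshake.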

  • ISE 1.2 / WLC 5508 EAP-TLS expired certificate error, but wireless still working

    Hi, I have a customer where we've deployed ISE 1.2 and WLC 5508s. The customer is using EAP-TLS and everything appears to be set up properly. Users are able to log in to the network and authenticate; however, I frequently get the following error in the ISE authentication logs:
    12516 EAP-TLS failed SSL/TLS handshake because of an expired certificate in the client certificates chain
    OpenSSL messages are:
    SSL alert: code=0x22D=557 ; source=local ; type=fatal ; message="X509 certificate expired"
    4727850450.3616:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720
    I'm not sure if this is cosmetic or something I should be tracking down. The system isn't in full production yet, but every client seems to be working and there is no expired cert in the chain. Any ideas what to check?

    Hello Dino,
    thanks very much for your reply.
    The client uses a machine certificate; the PKI is not a Microsoft one but a third-party PKI. The certificate is fresh and valid, the root cert is installed and the login is checked to validate against it.
    The clock is correct too. The same setup works flawlessly on Windows 7 and XP.
    EKU is set on the certificate (1.3.6.1.5.5.7.3.2)
    I suspect the cert setup itself, but don't get a clue where this might be stuck...
    Björn

  • EA6400: Problems for wireless users

    There are two EA6400 routers (firmware version 1.1.40.160989). The routers are configured in bridge mode and are used for wireless devices/users. Wireless users have many problems with connection quality and very high ping. Wired users don't have any problems with connection quality or ping.
    What's the problem?
    Ping from user
    user@pc:~$ ping yandex.ru
    PING yandex.ru (93.158.134.11) 56(84) bytes of data.
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=1 ttl=56 time=6.66 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=2 ttl=56 time=1110 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=3 ttl=56 time=112 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=4 ttl=56 time=338 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=5 ttl=56 time=463 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=10 ttl=56 time=449 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=12 ttl=56 time=390 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=13 ttl=56 time=515 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=14 ttl=56 time=744 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=17 ttl=56 time=17.5 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=19 ttl=56 time=139 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=21 ttl=56 time=388 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=22 ttl=56 time=1440 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=23 ttl=56 time=433 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=24 ttl=56 time=1580 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=25 ttl=56 time=574 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=31 ttl=56 time=783 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=35 ttl=56 time=954 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=36 ttl=56 time=5.31 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=37 ttl=56 time=1110 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=38 ttl=56 time=103 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=39 ttl=56 time=225 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=40 ttl=56 time=761 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=41 ttl=56 time=157 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=43 ttl=56 time=10.0 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=44 ttl=56 time=1241 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=45 ttl=56 time=241 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=47 ttl=56 time=1020 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=48 ttl=56 time=946 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=49 ttl=56 time=5.29 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=51 ttl=56 time=1122 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=52 ttl=56 time=122 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=54 ttl=56 time=275 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=55 ttl=56 time=500 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=56 ttl=56 time=427 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=57 ttl=56 time=554 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=60 ttl=56 time=730 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=61 ttl=56 time=1062 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=62 ttl=56 time=66.3 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=63 ttl=56 time=390 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=64 ttl=56 time=526 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=73 ttl=56 time=944 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=77 ttl=56 time=123 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=81 ttl=56 time=325 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=89 ttl=56 time=626 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=92 ttl=56 time=701 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=94 ttl=56 time=852 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=102 ttl=56 time=1043 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=103 ttl=56 time=43.3 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=104 ttl=56 time=150 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=110 ttl=56 time=828 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=114 ttl=56 time=9.44 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=115 ttl=56 time=1154 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=116 ttl=56 time=155 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=119 ttl=56 time=435 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=127 ttl=56 time=734 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=134 ttl=56 time=81.6 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=135 ttl=56 time=100 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=137 ttl=56 time=559 ms
    ^C
    --- yandex.ru ping statistics ---
    141 packets transmitted, 59 received, 58% packet loss, time 140168ms
    rtt min/avg/max/mdev = 5.290/524.123/1580.880/407.470 ms, pipe 2
    user@pc:~$
    Traceroute from user

    geekychix wrote:
    What is the wireless channel set for your router? Flash the firmware of your router, reset and reconfigure it. Try playing around with channels 1,3,6 or 9. Security mode should be set to WPA2 Personal. Let me know how it goes.
    Forgot to say that I only use the 2 GHz wireless network, from channel 5 to channel 12. I specifically chose channels that do not overlap with neighboring networks. I've already tried resetting the settings to default and reconfiguring the router again. I only use WPA2-PSK CCMP. Any ideas?
    Lun wrote:
    EA6400 works really good for me with the current firmware.  On 2.4ghz, channel 9 is solid and at 5.0ghz, channel 157 is strong too.  Try that.
    Forgot to say that I only use the 2 GHz wireless network, from channel 5 to channel 12. I specifically chose channels that do not overlap with neighboring networks.
    Saffronfs7 wrote:
    Your WiFi network is possibly prone to wireless interference which causes high latency and slow/intermittent connection. Adjust the wireless settings on your EA6400 routers. Use Non-overlapping Channels like 1 or 6 or 11. Use a WiFi scanner to check which Channels are crowded and which ones are not. Although 5GHz network uses non-overlapping Channels I recommend using Channel 161.
    I have already done all of that. Any ideas?
    Lun wrote:
    Everyone in my area are using channel 1, 6, and 11 on 2.4ghz.  Channel 9 work best for me.
    I specifically chose channels that do not overlap with neighboring networks. Any ideas?

  • PEAP authentication failed for wireless users

    Dears,
    Hello
    I'm receiving this error when I'm trying to authenticate wireless users using PEAP MSCHAPv2. Can anyone please support me?
    Thanks

    Dear Neno,
    the customer has sent me this from the Aruba:
    aaa authentication dot1x "dot1xProfile"
       termination eap-type eap-peap
       termination inner-eap-type eap-mschapv2
    aaa authentication-server radius "SERVER"
       host x.x.x.x
       key xxxx
       nas-ip x.x.x.x
    aaa server-group "RADIUS-GROUP"
       auth-server "SERVER"
    aaa profile "KSAU-JED-AAA-Profile"
       authentication-dot1x "dot1xProfile"
       dot1x-server-group "RADIUS-GROUP"
    wlan virtual-ap "SSID-NAME"
       aaa-profile "KSAU-JED-AAA-Profile"
       ssid-profile "SSID-NAME"
       vlan <VLAN ID>

  • Criticial VLAN for Wireless Users

    Hi
    I have a setup where all users (LAN & wireless) are being authenticated using dot1x with ACS.
    In case of ACS failure (without a secondary one), I know I can configure the switch port on the LAN to have a critical VLAN, so if ACS is detected as dead, a new user being authenticated is assigned to the critical VLAN.
    Is there any similar solution for users connecting through the wireless connection? Can we do a critical VLAN in case of ACS failure, or anything similar to it? Note that there is a WLC in the setup with lightweight access points.
    Thanks
    Best regards,

    Hello,
    Since in a wireless network the RADIUS server has an active part in the encryption key derivation, the WLC can't just grant network access to the end client when the RADIUS server is down, as the client wouldn't have the necessary keying material (nor would the WLC).
    The best option would be either to have multiple RADIUS servers, or to make the WLC act as a RADIUS server and use it as a backup method, so that if your RADIUS server is down, your WLC will handle the RADIUS request and generate the keying material. The issue is that you will need to have a consistent user database on the WLC.
    The easiest way would be to have a separate SSID with legacy WPA/WPA2 pre-configured on the client computers, and allow network access to this SSID only when the primary SSID with dot1x is down. This can be done manually, or on the layer 3 gateway using PBR/EEM...
    For example with PBR, you can set the output interface to null0 for traffic originating from the WPA SSID only if the RADIUS server is reachable; otherwise let the traffic flow.
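To make the key-derivation point above concrete, here is an added example that is not part of the thread: it derives the PMK either from the MSK a RADIUS server returns after EAP (the 802.1X SSID) or locally from a passphrase (the fallback WPA2-PSK SSID), expands it to the PTK with the 802.11 PRF, and checks whether the WLC could validate the supplicant's EAPOL-Key MIC in message 2 of the 4-way handshake. The MAC addresses, nonces and EAPOL frame bytes are constructed; the PSK test vector (passphrase "password", SSID "IEEE") is the one from the 802.11 standard's annex.

```python
import hashlib
import hmac


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i), truncated to nbytes."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def pmk_from_msk(msk):
    """802.1X/EAP: the PMK is the first 256 bits of the MSK the RADIUS server sends to the WLC."""
    return msk[:32]


def pmk_from_passphrase(passphrase, ssid):
    """WPA2-Personal: both sides derive the PMK locally, so no RADIUS server is involved."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK for CCMP = KCK(16) | KEK(16) | TK(16); identical on both sides given the same PMK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck, frame):
    """EAPOL-Key MIC, HMAC-SHA1-128 variant (AKM 00-0F-AC:1, WPA2 with 802.1X)."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def authenticator_can_verify(pmk_at_wlc, pmk_at_client, aa, spa, anonce, snonce,
                             frame=b"constructed EAPOL-Key message 2 body"):
    """Message 2 of the 4-way handshake: the WLC validates the client's MIC only with the same PMK.
    pmk_at_wlc is None when the RADIUS server is dead and no MSK was ever delivered."""
    if pmk_at_wlc is None:
        return False
    kck_client = derive_ptk(pmk_at_client, aa, spa, anonce, snonce)[:16]
    kck_wlc = derive_ptk(pmk_at_wlc, aa, spa, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck_client, frame), eapol_mic(kck_wlc, frame))


if __name__ == "__main__":
    # Constructed addresses and nonces for the demonstration
    aa, spa = bytes.fromhex("a0a1a2a3a4a5"), bytes.fromhex("b0b1b2b3b4b5")
    anonce, snonce = b"\x01" * 32, b"\x02" * 32
    msk = bytes(range(64))  # stands in for the MSK exported by EAP-TLS on the RADIUS server
    print("802.1X, RADIUS up:  ", authenticator_can_verify(pmk_from_msk(msk), pmk_from_msk(msk), aa, spa, anonce, snonce))
    print("802.1X, RADIUS down:", authenticator_can_verify(None, pmk_from_msk(msk), aa, spa, anonce, snonce))
    psk = pmk_from_passphrase("password", "IEEE")
    print("WPA2-PSK, no RADIUS:", authenticator_can_verify(psk, psk, aa, spa, anonce, snonce))
```

The third case is why the fallback SSID in the reply works without any AAA server: with a passphrase the WLC and the client reach the same PMK independently, whereas with 802.1X the PMK only exists on the WLC once the RADIUS server has sent the MSK inside the Access-Accept. A "critical VLAN" for wireless would therefore have to be a different SSID, not a policy on the same one.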

  • Intermittent High Response for Wireless Users

    Dear all
    I am facing one strange issue while using the WLC and AP below.
    WLC 5508, OS = 7.4.100.0
    AP 3602i
    Sometimes the ping response becomes very high, around 500-1000 ms even to the next hop, for some laptops. During that time everything slows down. Please note that the signal-to-noise ratio remains around 60 dB and there are at most 2-5 users per AP. I am doing more troubleshooting; I noticed that once I disconnect from the SSID and reconnect, everything returns to normal. Kindly advise in which direction I should troubleshoot. Has anyone faced a similar issue with the above-mentioned hardware and software?
    Regards

    Thanks all, many thanks for your time. Some commands I am unable to post here as they include confidential info; pasting below whatever I can, and also see attached.
    I have checked all SSIDs at that time and found issues with all. RSSI was -53 and SNR was 43. The issue starts when I start browsing, but not all the time. Many times there is no issue even with browsing.
    !switch to wlc. ==================
    interface GigabitEthernet
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan x,xxx
    switchport mode trunk
    spanning-tree portfast edge trunk
    channel-group x mode on
    end
    ==========
    show client output
    QoS Level........................................ Silver
    802.1P Priority Tag.............................. disabled
    CTS Security Group Tag........................... Not Applicable
    KTS CAC Capability............................... No
    WMM Support...................................... Enabled
      APSD ACs.......................................  BK  BE  VI  VO
    Power Save....................................... OFF
    Current Rate..................................... m0
    Supported Rates.................................. 11.0,12.0,18.0,24.0,36.0,
        ............................................. 48.0,54.0
    Mobility State................................... Local
    Mobility Move Count.............................. 0
    Security Policy Completed........................ Yes
    Policy Manager State............................. RUN
    Policy Manager Rule Created...................... Yes
    Audit Session ID................................. 0afa0f1500001f845309d223
    IPv4 ACL Name.................................... none
    IPv4 ACL Applied Status.......................... Unavailable
    IPv6 ACL Name.................................... none
    IPv6 ACL Applied Status.......................... Unavailable
    Client Type...................................... SimpleIP
    PMIPv6 State..................................... Unavailable
    mDNS Status...................................... Enabled
    mDNS Profile Name................................ default-mdns-profile
    No. of mDNS Services Advertised.................. 0
    Policy Type...................................... WPA2
    Authentication Key Management.................... 802.1x
    Encryption Cipher................................ CCMP (AES)
    Protected Management Frame ...................... No
    Management Frame Protection...................... No
    EAP Type......................................... PEAP
    Interface........................................
    VLAN.............................................
    Quarantine VLAN.................................. 0
    Access VLAN......................................
    Client Capabilities:
          CF Pollable................................ Not implemented
          CF Poll Request............................ Not implemented
          Short Preamble............................. Implemented
          PBCC....................................... Not implemented
          Channel Agility............................ Not implemented
          Listen Interval............................ 90
          Fast BSS Transition........................ Not implemented
    Client Wifi Direct Capabilities:
          WFD capable................................ No
          Manged WFD capable......................... No
          Cross Connection Capable................... No
          Support Concurrent Operation............... No
    Fast BSS Transition Details:
    Client Statistics:
          Number of Bytes Received................... 1123649
          Number of Bytes Sent....................... 11737780
          Number of Packets Received................. 7213
          Number of Packets Sent..................... 10310
          Number of Interim-Update Sent.............. 0
          Number of EAP Id Request Msg Timeouts...... 0
          Number of EAP Id Request Msg Failures...... 0
          Number of EAP Request Msg Timeouts......... 0
          Number of EAP Request Msg Failures......... 0
          Number of EAP Key Msg Timeouts............. 0
          Number of EAP Key Msg Failures............. 0
          Number of Data Retries..................... 4878
          Number of RTS Retries...................... 0
          Number of Duplicate Received Packets....... 69418
          Number of Decrypt Failed Packets........... 0
          Number of Mic Failured Packets............. 0
          Number of Mic Missing Packets.............. 0
          Number of RA Packets Dropped............... 0
          Number of Policy Errors.................... 0
          Radio Signal Strength Indicator............ -52 dBm
          Signal to Noise Ratio...................... 41 dB
    Client Rate Limiting Statistics:
          Number of Data Packets Recieved............ 0
          Number of Data Rx Packets Dropped.......... 0
          Number of Data Bytes Recieved.............. 0
          Number of Data Rx Bytes Dropped............ 0
          Number of Realtime Packets Recieved........ 0
          Number of Realtime Rx Packets Dropped...... 0
          Number of Realtime Bytes Recieved.......... 0
          Number of Realtime Rx Bytes Dropped........ 0
          Number of Data Packets Sent................ 0
          Number of Data Tx Packets Dropped.......... 0
          Number of Data Bytes Sent.................. 0
          Number of Data Tx Bytes Dropped............ 0
          Number of Realtime Packets Sent............ 0
          Number of Realtime Tx Packets Dropped...... 0
          Number of Realtime Bytes Sent.............. 0
          Number of Realtime Tx Bytes Dropped........ 0
    =========

  • LDAP access levels for wireless users

    How is it possible if I want my Directory Server 5.2 to authenticate only a small number of users for wireless and dial-up access? LDAP should not permit the other users when they try to log in by wireless or dial-up. But everyone should be authenticated when they try to log in through a direct Ethernet connection. Currently all my users are under ou=people.
    Joshua

    Hi,
    Directly-connected APs are supported in 7.4 code; if you are not on that code then
    The PoE ports are not for the APs.
    Ports 3 and 4 are PoE-only ports; do not connect access point devices to these ports. The ports can be used for infra-switch connection using multiple AP-Manager or data interfaces.
    Connect port 1 to a trunk port on the switch.
    Configure the native VLAN ON THE TRUNK PORT only, e.g. VLAN 10.
    Let's assume your wireless is on VLAN 10 and your WLC2504 is 10.10.10.20 /24, gateway 10.10.10.1.
    Enable and configure a DHCP scope for VLAN 10.
    The APs are then connected to a VLAN 10 access port on the switch.
    Configure the SSID.
    DHCP server tips:
    - Enable bridging mode if using the controller as the DHCP server, otherwise disable it.
    - If using another DHCP server and the DHCP server is in the same VLAN as the controller, nothing further is needed.
    - If the DHCP server is on another VLAN, you will need to configure option 43 (vendor-specific info).
    Check with this configuration; it will hopefully fix your issue.
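    The option 43 step in the reply above is usually where people get the hex wrong, so here is an added example (not part of the original reply) that builds the value the way Cisco lightweight APs expect it: one TLV with type 0xf1 (241), length 4 times the number of controllers, and the controller management IPv4 addresses back to back, written in the dotted two-byte groups IOS uses. The controller address 10.10.10.20 and the VLAN 10 network are the ones assumed in the reply; the pool name and a second controller address used in the usage lines are made up.

```shell
#!/bin/sh
# Added example: encode Cisco DHCP option 43 for WLC discovery.
# Format (Cisco): type 0xf1, length = 4 * N, value = N IPv4 addresses.
# IOS syntax:     option 43 hex f104.0a0a.0a14   (for one controller 10.10.10.20)

# wlc_option43_hex IP [IP ...]  -> prints the dotted hex string, returns 1 on bad input
wlc_option43_hex() {
    [ $# -ge 1 ] || { echo "usage: wlc_option43_hex IP [IP ...]" >&2; return 1; }
    hex=$(printf 'f1%02x' $(( $# * 4 )))            # type 0xf1, length 4 bytes per controller
    for ip in "$@"; do
        oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs   # split the dotted quad into $1..$4
        [ $# -eq 4 ] || { echo "bad IPv4 address: $ip" >&2; return 1; }
        for o in "$1" "$2" "$3" "$4"; do
            case $o in *[!0-9]*|'') echo "bad octet in $ip" >&2; return 1;; esac
            [ "$o" -le 255 ] || { echo "octet out of range in $ip" >&2; return 1; }
        done
        hex="$hex$(printf '%02x%02x%02x%02x' "$1" "$2" "$3" "$4")"
    done
    # Regroup as IOS expects: xxxx.xxxx.xxxx (total length is always a multiple of 4 hex digits)
    printf '%s\n' "$hex" | sed 's/\(....\)/\1./g; s/\.$//'
}

# ios_ap_pool POOL NETWORK MASK GATEWAY WLC_IP [WLC_IP ...]
# Prints an IOS DHCP pool for the AP VLAN carrying the computed option 43.
ios_ap_pool() {
    pool=$1; net=$2; mask=$3; gw=$4; shift 4
    opt43=$(wlc_option43_hex "$@") || return 1
    printf 'ip dhcp pool %s\n network %s %s\n default-router %s\n option 43 hex %s\n' \
        "$pool" "$net" "$mask" "$gw" "$opt43"
}

# Usage: the single-controller case from the reply, then a two-controller pool.
wlc_option43_hex 10.10.10.20
ios_ap_pool AP-VLAN10 10.10.10.0 255.255.255.0 10.10.10.1 10.10.10.20 10.10.10.21
```

The length byte is what most hand-typed values get wrong: it counts the value bytes only (4 per controller), not the type and length bytes themselves, so two controllers give `f108...`, not `f10a...`. Verify on the AP side with `show ip dhcp binding` on the switch and the AP's console log of the controller it discovered.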

  • Cisco NAC Guest Server for Wireless Users integration with IP telephony

    Hi Team
    I have a client who has the following requirement. The client requires a guest server in order to serve wireless needs for guests at their office. They want the guest to get their authentication codes via SMS. The client will have a lobby IP Phone where the guest will press the Services button configured on the IP Phone. It will then prompt the guest to enter his mobile number. Once the guest enters his mobile number, the guest will receive a text via an SMS gateway with login credentials. They want to offload this from the receptionist, and it is for this reason that they require this functionality.
    Has anyone done this sort of deployment? We have already proposed NAC Guest Server and a Wireless controller, but we do not know whether the XML application for subscribing to the service on the IP Phone is available directly from Cisco or whether it needs to be developed.
    Kindly advise on the same.
    Regards
    Azeem

    Hi Vishal,
    Please note that if you want to return ACLs (and usually in wired web auth you need to), you will have to integrate with ACS, as NGS itself cannot return ACLs in the reply RADIUS attributes.
    Basically the process is as follows:
    1 - Client plugs the cable into the switch.
    2 - Web auth is triggered on the port.
    3 - A default ACL permitting only DNS and DHCP is applied so that the client PC can obtain an IP address and open a browser.
    4 - Client will be redirected to the NGS hotspot login page.
    5 - Client will enter credentials.
    6 - Client browser will send an HTTP POST packet containing the credentials.
    7 - The switch will intercept the POST packets and retrieve the credentials entered.
    8 - The switch will send a RADIUS Access-Request to the ACS.
    9 - The ACS will use the NGS as an external identity source to authenticate the client.
    10 - The NGS will reply with a RADIUS Access-Accept to the ACS, and the ACS will reply to the switch including the ACL in the Access-Accept.
    11 - The switch authorizes the client on the port and applies the ACL it received from the ACS.
    Please follow the document Nicolas posted as it is a good one.
    HTH,
    Thanks

  • Added a BASE Station now Drop box's don't work for wireless users

    We have a small business run out of a large home. Since Tiger came out we were using the drop box networking technology flawlessly. But recently we installed an AirPort Base Station replacing our Linksys router, and now all the laptop users who connect wirelessly cannot be accessed remotely; we can use the drop box only with the people hardwired. Does anyone have any suggestions?

    You might try making a Recovery set with the software included on your machine-though it may not work now either. Creating Recovery Media >> Windows 8

  • 802.1x EAP-TLS for wired users with ACS 5.5

    Hi All,
    We are configuring a new setup for wired user authentication with 802.1x (EAP-TLS). We are using ACS 5.5 as the authentication server.
    We have added the root CA (internal) certificate and the certificate for ACS signed by the CA. Now we want to check whether the authentication is working or not. I assume both the root CA and identity certificate also need to be installed on the laptops, but I am not sure how to download the certificates for the client machine manually from the CA.
    Kindly suggest how to get certificates for clients, both manually as well as automatically.
    Thanks,
    Vijay

    Hi Vijay,
       for wired 802.1x (EAP-TLS) you need to have the following certificates:
    On ACS: Root CA, Intermediate CA, Server Certificate
    On Client: Root CA, Intermediate CA, User certificate (in case of user authentication) OR Machine certificate (in case of machine authentication)
    I am not sure which third-party certificate you are using. If it's an in-house Microsoft or any other certificate server, then you need to download the client certificate from the server itself.
    In the case of Microsoft, there will be a template for user certificates. You can select it and create a user certificate.
    This one is an old document, but it has steps to configure a machine certificate for the user; you can see the steps to download a user certificate if it's a Microsoft server:
    http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-server-windows/43722-acs-eap.html#wc-2
    In case you are using a third-party certificate server, then you need to check with them on how to download the user certificate.
    Cheers
    Minakshi (rate the helpful post)
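    To make the certificate list in the reply above concrete, here is an added example (not from the original thread and not an ACS or Microsoft CA procedure) that builds the same shape of PKI with openssl, root CA, intermediate CA, an ACS server certificate and a user certificate, and then checks each certificate the way the two EAP-TLS peers will: the supplicant must chain the ACS certificate to its trusted root for the serverAuth purpose, and ACS must chain the user certificate to the same root for the clientAuth purpose. It also reproduces the two classic failures, a missing intermediate and a certificate issued for the wrong purpose. All names (Lab Root CA, Lab Issuing CA, acs.lab.example, vijay) are made up for the lab.

```shell
#!/bin/sh
# Added example: lab PKI of the shape root -> intermediate -> {ACS server cert, user cert},
# plus the chain/purpose checks each EAP-TLS peer performs. Requires the openssl CLI.
set -u

write_openssl_cnf() {
    # Minimal config so the example does not depend on the system openssl.cnf.
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ client_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# issue DIR NAME SUBJECT EXT_SECTION ISSUER  -> DIR/NAME.key and DIR/NAME.crt signed by ISSUER
issue() {
    d=$1; name=$2; subj=$3; ext=$4; issuer=$5
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$name.key" -out "$d/$name.csr" \
        -subj "$subj" -config "$d/openssl.cnf" >/dev/null 2>&1
    openssl x509 -req -in "$d/$name.csr" -CA "$d/$issuer.crt" -CAkey "$d/$issuer.key" \
        -CAcreateserial -days 365 -out "$d/$name.crt" \
        -extfile "$d/openssl.cnf" -extensions "$ext" >/dev/null 2>&1
}

# build_lab_pki DIR -> root.crt, int.crt, acs.crt (serverAuth), user.crt (clientAuth)
build_lab_pki() {
    dir=$1
    write_openssl_cnf "$dir"
    # Self-signed root: this is what gets installed as "Root CA" on ACS and on every client.
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" -out "$dir/root.crt" \
        -days 3650 -subj "/CN=Lab Root CA" -config "$dir/openssl.cnf" -extensions ca_ext >/dev/null 2>&1
    issue "$dir" int  "/CN=Lab Issuing CA"  ca_ext     root   # intermediate CA
    issue "$dir" acs  "/CN=acs.lab.example" server_ext int    # ACS server certificate
    issue "$dir" user "/CN=vijay"           client_ext int    # user (or machine) certificate
}

# check_cert DIR CERT PURPOSE [yes|no]
# Prints "ok" when CERT chains to DIR/root.crt for PURPOSE (sslserver = what the supplicant
# checks on the ACS cert, sslclient = what ACS checks on the user cert), else "fail".
# Pass "no" as the 4th argument to leave the intermediate out, i.e. the "intermediate CA
# not installed" mistake.
check_cert() {
    dir=$1; cert=$2; purpose=$3; with_int=${4:-yes}
    if [ "$with_int" = yes ]; then untrusted="-untrusted $dir/int.crt"; else untrusted=""; fi
    # shellcheck disable=SC2086
    if openssl verify -CAfile "$dir/root.crt" $untrusted -purpose "$purpose" "$cert" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Usage: build the lab and show the four outcomes a troubleshooter wants to recognise.
demo=$(mktemp -d)
build_lab_pki "$demo"
echo "ACS cert, serverAuth, root + intermediate:  $(check_cert "$demo" "$demo/acs.crt" sslserver)"
echo "user cert, clientAuth, root + intermediate: $(check_cert "$demo" "$demo/user.crt" sslclient)"
echo "ACS cert, intermediate missing:             $(check_cert "$demo" "$demo/acs.crt" sslserver no)"
echo "ACS cert presented as a client cert:        $(check_cert "$demo" "$demo/acs.crt" sslclient)"
rm -rf "$demo"
```

The third and fourth lines are the ones to remember when an EAP-TLS client is rejected: `openssl verify` without `-untrusted int.crt` fails with "unable to get local issuer certificate", which is exactly what a supplicant or ACS that only has the root installed will hit, and a certificate whose extendedKeyUsage does not cover the role it is used in fails the purpose check even though the chain itself is fine. Run the same two commands against the real certificates exported from the CA before touching the 802.1x configuration.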
