Firewall/RADIUS/LDAP

Hi,
Someone please help me with ip authentication proxy.
In the firewall, there are two ACLs. One is for authentication and one is for access. When you try to access a system behind the firewall, you are required to enter a username and password for authentication if you are permitted in the authentication ACL. The firewall then queries RADIUS servers. The RADIUS server then queries LDAP servers to verify the username and password. My question is: what information is returned to the RADIUS server if the username and password are valid or invalid? What information is returned to the firewall?
Thanks.

Hi Vivek,
If I don't define any downloadable ACL on the Radius server, only authentication attributes, will the source IP, destination IP, and traffic types be checked against my "access-list 105" ACL? Or does it bypass the "access" ACL if I am authenticated and check against the "access" ACL if I am not authenticated? Help me clear up this concept.
Thanks.
Some main configuration:
ip auth-proxy name NAME http list 120
interface FastEthernet0/0
ip address x x
ip access-group 105 in
ip auth-proxy NAME
ip http server
ip http authentication aaa

Similar Messages

  • WPA2 802.1x with MS RADIUS, LDAP, Clean Access

    We are in a multivendor environment using NAC and WCS. We would like to implement WPA2 Enterprise. We currently authenticate with LDAP to place users in proper roles.
    Not 100% sure on this.  As far as I know, it is not possible to implement 802.1x with LDAP.....so how could we use LDAP and a Radius server together in order to implement WPA2 Enterprise?  Is this possible?  Any documentation out there that I have yet to find explaining this?
    Any help would be appreciated.
    Thanks in advance,
    Ben

    Hi,
    Let's clarify all possibilities and you can choose one from there :-)
    1) the Wireless Controller (WLC) can act as radius server. The feature is called "local eap". So the WLC authenticates the client (wpa2 if you like).
    The WLC can use an LDAP database as user database. The only restrictions are that you cannot use "mschapv2" methods. So only peap-gtc,eap-fast-gtc and eap-tls. Of those 3, only eap-tls is present on the client default windows supplicant.
    2) You can have a complete radius server like Cisco ACS. However the limitation coming with LDAP remains. Unless your database is Active Directory in which case ACS can integrate with it and allow for all eap methods.
    3) If you go for WPA enterprise, that means you will authenticate users 2 times. One with dot1x to join the wireless and one with NAC afterwards to get network connectivity. Again if you have active directory, you can go with "single sign on" so that users never have to enter their credentials. Otherwise they will have to enter them twice.
    Apart from that fact, NAC pretty much doesn't care if your wireless is open or dot1x-secured, it comes after the dot1x authentication anyway.
    I hope this clarifies?
    Nicolas
    ===
    please rate answers that you find useful

  • WARNING: No "known good" password found in LDAP

    I'm trying to get a Windows client (EAP-PEAP MSCHAPv2) to authenticate through freeRadius. I have eDirectory as the user store. I've configured universal password and assigned the policy to the respective OUs in eDir. I configured the universal password policy to allow retrieval of the cleartext password by users and the "radmin" account, as per Novell docs. The iManager RADIUS plugin is also installed, the eDir RADIUS schema is extended, and a radius profile is applied to some users for testing (although no radius attributes are specified in that Radius profile, as Novell docs don't mention anything about it).
    However, it looks like eDirectory is still not returning the user's clear-text password in its LDAP reply to the freeRadius server; the following warning appears in the radius debug log: (WARNING: No "known good" password found in LDAP).
    I followed this Novell guide to setup eDir and freeRadius: https://www.netiq.com/documentation/...ata/front.html
    Here is my radius ldap config:
    ldap TEST {
        server = "192.168.1.1"
        port = 636
        identity = "cn=radmin,ou=USERS,o=TEST"
        password = "password"
        basedn = "ou=USERS,o=TEST"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        #base_filter = "(objectclass=radiusprofile)"
        auto_header = yes
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
            # start_tls = yes
            tls_mode = yes
            cacertfile = /etc/raddb/certs/test-tree.b64
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        password_attribute = nspmPassword
        edir_account_policy_check = no
        set_auth_type = no
        # access_attr = dialupAccess
        keepalive {
            idle = 60
            probes = 3
            interval = 3
        }
    }
    #END
    Any suggestions on fixing the problem are welcomed. Thanks in advance.

    The log doesn't seem to display any errors; also I noticed that "nspmPassword" is mentioned twice. As far as I know the "nspmPassword" attribute is the clear-text password. Also, from the log I can see all the attributes that are requested by radius; it would be good to see the actual eDir LDAP reply in the log, including reply attributes. Any suggestions?
    4269549312 LDAP: Work info status: Total:2 Peak:0 Busy:0
    4211123968 LDAP: New TLS connection 0x8d5c00 from 192.168.1.52:54349, monitor = 0xffffffffe5102700, index = 1
    3843041024 LDAP: Monitor 0xffffffffe5102700 initiating TLS handshake on connection 0x8d5c00
    4205860608 LDAP: DoTLSHandshake on connection 0x8d5c00
    4205860608 LDAP: BIO ctrl called with unknown cmd 7
    4205860608 LDAP: Completed TLS handshake on connection 0x8d5c00
    3821344512 LDAP: DoBind on connection 0x8d5c00
    3821344512 LDAP: Bind name:cn=radmin,ou=USERS,o=TEST, version:3, authentication:simple
    3821344512 AUTH: [000080c4] <.radmin.USERS.TEST.TEST-TREE.> LocalLoginRequest. Error success, conn: 8.
    3821344512 LDAP: Sending operation result 0:"":"" to connection 0x8d5c00
    4222703360 LDAP: DoSearch on connection 0x8d5c00
    4222703360 LDAP: Search request:
    base: "ou=USERS,o=TEST"
    scope:2 dereference:0 sizelimit:0 timelimit:3 attrsonly:1
    filter: "(uid=radmin)"
    attribute: "nspmPassword"
    attribute: "radiusNASIpAddress"
    attribute: "radiusExpiration"
    attribute: "acctFlags"
    attribute: "userPassword"
    attribute: "dBCSPwd"
    attribute: "sambaNtPassword"
    attribute: "sambaLmPassword"
    attribute: "ntPassword"
    attribute: "lmPassword"
    attribute: "radiusCallingStationId"
    attribute: "radiusCalledStationId"
    attribute: "radiusSimultaneousUse"
    attribute: "radiusAuthType"
    attribute: "radiusCheckItem"
    attribute: "radiusTunnelPrivateGroupId"
    attribute: "radiusTunnelMediumType"
    attribute: "radiusTunnelType"
    attribute: "radiusReplyMessage"
    attribute: "radiusLoginLATPort"
    attribute: "radiusPortLimit"
    attribute: "radiusFramedAppleTalkZone"
    attribute: "radiusFramedAppleTalkNetwork"
    attribute: "radiusFramedAppleTalkLink"
    attribute: "radiusLoginLATGroup"
    attribute: "radiusLoginLATNode"
    attribute: "radiusLoginLATService"
    attribute: "radiusTerminationAction"
    attribute: "radiusIdleTimeout"
    attribute: "radiusSessionTimeout"
    attribute: "radiusClass"
    attribute: "radiusFramedIPXNetwork"
    attribute: "radiusCallbackId"
    attribute: "radiusCallbackNumber"
    attribute: "radiusLoginTCPPort"
    attribute: "radiusLoginService"
    attribute: "radiusLoginIPHost"
    attribute: "radiusFramedCompression"
    attribute: "radiusFramedMTU"
    attribute: "radiusFilterId"
    attribute: "radiusFramedRouting"
    attribute: "radiusFramedRoute"
    attribute: "radiusFramedIPNetmask"
    attribute: "radiusFramedIPAddress"
    attribute: "radiusFramedProtocol"
    attribute: "radiusServiceType"
    attribute: "radiusReplyItem"
    attribute: "nspmPassword"
    4222703360 AUTH: Starting SEV calculation for conn 8, entry .radmin.USERS.TEST.TEST-TREE..
    4222703360 AUTH: 1 GlobalGetSEV.
    4222703360 AUTH: 4 GlobalGetSEV succeeded.
    4222703360 AUTH: SEV calculation complete for conn 8, (0:0 s:ms).
    4222703360 LDAP: Sending search result entry "cn=radmin,ou=USERS,o=TEST" to connection 0x8d5c00
    4222703360 LDAP: Sending operation result 0:"":"" to connection 0x8d5c00
    4219545344 AUTH: UpdateLoginAttributesThread page 1 processed 1 login in 1 milliseconds
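    A cross-check of the rlm_ldap block above against the eDirectory trace, as an added example that is not from the poster, FreeRADIUS or Novell: it extracts the bind and the search the RADIUS server sent and lists the points to review when the "known good" password warning appears (attributes requested twice, a password_attribute that was never asked for, the attrsonly flag). The config and trace excerpts are constructed from this thread, and treating attrsonly:1 as the LDAP typesOnly flag is an assumption.

```python
"""Cross-check an rlm_ldap block against an eDirectory LDAP trace (added example)."""
import re
from collections import Counter

# Constructed config excerpt in the shape of the poster's rlm_ldap block.
SAMPLE_CONFIG = """\
ldap TEST {
    server = "192.168.1.1"
    port = 636
    identity = "cn=radmin,ou=USERS,o=TEST"
    basedn = "ou=USERS,o=TEST"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    password_attribute = nspmPassword
}
"""

# Constructed trace excerpt, modelled on the eDirectory log in the thread.
SAMPLE_TRACE = """\
3821344512 LDAP: DoBind on connection 0x8d5c00
3821344512 LDAP: Bind name:cn=radmin,ou=USERS,o=TEST, version:3, authentication:simple
3821344512 LDAP: Sending operation result 0:"":"" to connection 0x8d5c00
4222703360 LDAP: DoSearch on connection 0x8d5c00
4222703360 LDAP: Search request:
base: "ou=USERS,o=TEST"
scope:2 dereference:0 sizelimit:0 timelimit:3 attrsonly:1
filter: "(uid=radmin)"
attribute: "nspmPassword"
attribute: "radiusNASIpAddress"
attribute: "userPassword"
attribute: "nspmPassword"
4222703360 LDAP: Sending search result entry "cn=radmin,ou=USERS,o=TEST" to connection 0x8d5c00
4222703360 LDAP: Sending operation result 0:"":"" to connection 0x8d5c00
"""

CONFIG_KV = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)
BIND_RE = re.compile(r'Bind name:(.*?), version:(\d+), authentication:(\w+)')
SEARCH_OPTS = re.compile(r'(\w+):(\d+)')

def parse_config(text):
    """key = value pairs of an rlm_ldap block; sub-block headers and comments are skipped."""
    return dict(CONFIG_KV.findall(text))

def parse_trace(text):
    """Return (binds, searches); a search keeps its attribute list in request order."""
    binds, searches, cur = [], [], None
    for line in text.splitlines():
        line = line.strip()
        m = BIND_RE.search(line)
        if m:
            binds.append({'name': m.group(1), 'auth': m.group(3)})
        elif line.endswith('Search request:'):
            cur = {'base': None, 'filter': None, 'opts': {},
                   'attributes': [], 'entries': [], 'result': None}
            searches.append(cur)
        elif cur is None:
            continue            # bind result and other lines outside a search
        elif line.startswith('base:'):
            cur['base'] = line.split('"')[1]
        elif line.startswith('filter:'):
            cur['filter'] = line.split('"')[1]
        elif line.startswith('scope:'):
            cur['opts'] = {k: int(v) for k, v in SEARCH_OPTS.findall(line)}
        elif line.startswith('attribute:'):
            cur['attributes'].append(line.split('"')[1])
        elif 'Sending search result entry' in line:
            cur['entries'].append(line.split('"')[1])
        elif 'Sending operation result' in line:
            cur['result'] = int(re.search(r'result (\d+):', line).group(1))
            cur = None          # the operation result closes the search
    return binds, searches

def audit(config_text, trace_text):
    """Points to check when rlm_ldap reports no "known good" password."""
    cfg = parse_config(config_text)
    binds, searches = parse_trace(trace_text)
    findings = []
    for b in binds:
        if b['name'] != cfg.get('identity'):
            findings.append(f"bind DN {b['name']} differs from identity in config")
    want = cfg.get('password_attribute')
    for s in searches:
        dupes = [a for a, n in Counter(s['attributes']).items() if n > 1]
        if dupes:
            findings.append(f"attributes requested more than once: {dupes}")
        if want and want not in s['attributes']:
            findings.append(f"password_attribute {want} was never requested")
        # Assumption: attrsonly:1 in the trace is the LDAP typesOnly flag
        # (RFC 4511), under which the server returns attribute names only.
        if s['opts'].get('attrsonly') == 1:
            findings.append("search sent with attrsonly:1; if that is typesOnly, "
                            "no attribute values come back")
        if s['result'] == 0 and not s['entries']:
            findings.append(f"search {s['filter']} matched no entry")
    return findings

if __name__ == '__main__':
    for finding in audit(SAMPLE_CONFIG, SAMPLE_TRACE):
        print('-', finding)
```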

  • Local Webauth WLC using radius database

    Hi all,
    I was implementing local Webauth on the WLC, not using local auth. I use a radius database.
    At least I tried to add on my WLAN:
    layer 3 web auth authentication
    layer 2 security is WPA/WPA2 PSK
    adding aaa radius server
    aaa radius "network user" check list enabled
    web auth priority order
    radius
    LDAP
    After I test the WLAN, I can't log in using the radius database.
    But if I implement the security method WPA/WPA2 dot1x, I can log in using the radius database.
    Is there anything missing in my config for implementing the webauth method?
    Thanks
    ridho

    Are you trying to use LDAP or Radius to authenticate the webauth users? Since you have 802.1x working, I don't see why you would use LDAP. What radius server are you using also? Typically if you're using Microsoft IAS or NPS, you have to change the device type to Login to get webauth with radius to work. Here is an example of 3 ways to authenticate webauth users. You should be able to find others out there also.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml
    Sent from Cisco Technical Support iPhone App

  • Mobile Access Server setup

    So, I'm setting up a 10.6.1 server in the DMZ to be a Mobile Access Server to reverse proxy mail, calendaring, and web. A couple of issues I have:
    1. I want to manage this DMZ server from a different internal 10.6.1 Server inside my network. I have turned on Remote Management on the DMZ server, but cannot connect from Server Admin on the internal server to the DMZ server. I need to be able to manage both servers from one Server Admin console. I also need to be able to screen share the DMZ server for access ONLY from the internal server. How do I accomplish this?
    2. My internal 10.6.1 server is my Open Directory Master already, and working nicely. But to use Mobile Access Server and reverse proxy services back to the internal server, I need the DMZ server to be aware of my existing directory inside. Would I want to make the DMZ server an Open Directory Replica, or should I use the middle option for Open Directory types called "Connect to another directory"? Obviously, I know that it should NOT be another master.
    3. I have purchased and implemented a wildcard cert on my internal 10.6.1 server to use for TLS, HTTPS, etc. I have also told the Open Directory Master to use ssl for the LDAP piece of it (there's a GUI option for that). Figured I might as well secure everything I can a bit more since I purchased the cert. What effect will this have on Question 2 above? Will I need to open a different port for instance on the firewall for LDAP over SSL? Or any issues with creating a Replica or "connect to another OD server" on the OD server in the DMZ to get it to connect to the internal OD Master?
    Thanks for all the help here.

    To your #1: When you use a firewall to place a device in a DMZ, that device is not part of the internal network. It 'technically' sits on the outside of the firewall at nearly the same place as your external connection.
    Some discussions about a firewall use colors to designate the 'data protection' level or 'threat' vector.
    (Below was 'borrowed' from http://riskless.com/firewall_configuration.aspx)
    * RED Network Interface
    This network is the Internet or other untrusted network. IPCop’s primary purpose is to protect the GREEN, BLUE and ORANGE networks and their computers from traffic originating on the RED network. Your current connection method and hardware are used to connect to this network.
    * GREEN Network Interface
    This interface only connects to the computer(s) that IPCop is protecting. It is presumed to be local. Traffic to it is routed through an Ethernet NIC on the IPCop computer firewall.
    * BLUE Network Interface
    This optional network allows you to place wireless devices on a separate network. Computers on this network cannot get to the GREEN network except tightly controlled “pinholes”, or via a VPN. Traffic to this network is routed through an Ethernet NIC.
    * ORANGE Network Interface
    This optional network allows you to place publicly accessible servers on a separate network. Computers on this network cannot get to the GREEN or BLUE networks, except through tightly controlled “DMZ pinholes”. Traffic to this network is routed through an Ethernet NIC.
    * The GREEN and RED networks are required
    * The ORANGE and BLUE networks are optional
    The interface requirements for your RED network will vary depending on your connection to the Internet. The RED network may require an additional Ethernet card and cable.
    you can also read up all this from a more neutral article here: http://www.ocmodshop.com/ocmodshop.aspx?a=1526
    The point of all this is that, depending on 'where' the data is coming from, it either is denied access, or must be 'punched through' to allow access. Here is a diagram of that process (from a Linux firewall called IPCop):
    http://www.ipcop.org/1.4.0/en/admin/images/traffic.png
    So access from inside (your network) to your DMZ device should work without any trouble, but from DMZ to inside should require ports to be opened up. On most firewalls, they call this port access 'pinholes', as the DMZ is itself protected by only allowing the IP address of that network in through the firewall. Possibly your firewall is not doing any kind of Stateful Packet Inspection, so all conversations must have a pinhole to come 'back' out of the DMZ? Tell us your firewall brand and that might help.
    #2: I would use "Connect to another directory". You want to limit the amount of data that can be compromised in the DMZ. As I mentioned, the DMZ is outside your network, technically naked to the world. I believe that any port that does NOT get routed (forwarded) into your green will automatically be forwarded to your DMZ, so it will be hammered with all manner of hack and virus vectors.
    Peter

  • ASA and Multiple AD Domains

    Hello,
    I am having difficulties with configuring my ASA5510 to authenticate against two different Active Directory domains with LDAP for a Remote Access VPN. From what I can see, the authentication process goes as far as checking the first server, seeing that the user doesn't belong to that domain and then it bombs out.
    I read some technote which specified that if the DC was set up as a Global Catalog that this would be a non-issue - sadly, this doesn't appear to be the case.
    Can anyone shed any light on this?
    Thanks
    Keith

    Hi Keith
    First of all, the behavior you describe is correct and expected. If you configure 2 aaa servers (regardless of whether it's radius, ldap, etc.) then the ASA will consider them as having identical user DBs, and so will only use the 2nd when the 1st is unreachable.
    So the solution would indeed consist of having a global catalog server (GCS) that can search both domains, and pointing the ASA to that server (or set of servers). The downside is that the global catalog server may not have information about local groups which may be needed for authorization and/or DAP.
    Having said that, there may be an alternative if you are using (or willing to change to) double authentication (i.e. certificate based authentication + username/password) or if you are ok to use certificate based authentication with LDAP authorization (i.e. only the cert is used to log in, the ldap attributes are only used to override settings in the group-policy).
    In that case you can use tunnel group mapping (i.e. have certificates from one domain land on a certain group, and another domain on another group). Since each group has its own aaa-server config, you can point them to different ldap servers.
    hth
    Herbert

  • Migration from Forefront TMG to Ironport c680

    Hello,
    We're planning to migrate, replacing Microsoft Forefront TMG with Cisco Ironport c680.
    I am here to get ideas for an easy and smooth migration (changeover).
    Need experts' advice to list the tasks before migration / changeover and important things to remember.
    Best Regards,
    Juned

    The standard ones would be:
    Port 25 SMTP -> Inbound and Outbound for mail delivery
    Port 53 (TCP/UDP) DNS
    Port 80 HTTP - GUI access (for internal) and updates/upgrades to download from the internet
    Port 443 HTTPS - (as above)
    Port 22 SSH - CLI access (and possibly for tunnel)
    Port 23 Telnet - CLI access
    A longer list would depend on the required services:
    Port | Protocol | In/Out | Hostname | Description
    20/21 | TCP | In or Out | AsyncOS IPs, FTP Server | FTP for aggregation of log files.
    22 | TCP | In | AsyncOS IPs | SSH access to the CLI, aggregation of log files.
    22 | TCP | Out | SSH Server | SSH aggregation of log files.
    22 | TCP | Out | SCP Server | SCP Push to log server
    23 | Telnet | In | AsyncOS IPs | Telnet access to the CLI, aggregation of log files.
    23 | Telnet | Out | Telnet Server | Telnet upgrades, aggregation of log files (not recommended).
    25 | TCP | Out | Any | SMTP to send email.
    25 | TCP | In | AsyncOS IPs | SMTP to receive bounced email or if injecting email from outside firewall.
    80 | HTTP | In | AsyncOS IPs | HTTP access to the GUI for system monitoring.
    80 | HTTP | Out | downloads.ironport.com | Service updates, except for AsyncOS upgrades and McAfee definitions.
    80 | HTTP | Out | updates.ironport.com | AsyncOS upgrades and McAfee Anti-Virus definitions.
    80 | HTTP | Out | cdn-microupdates.cloudmark.com | Used for updates to third-party spam component in Intelligent MultiScan. Appliance must also connect to CIDR range 208.83.136.0/22 for third-party phone home updates.
    82 | HTTP | In | AsyncOS IPs | Used for viewing the Cisco IronPort Anti-Spam quarantine.
    83 | HTTPS | In | AsyncOS IPs | Used for viewing the Cisco IronPort Anti-Spam quarantine.
    53 | UDP/TCP | In & Out | DNS Servers | DNS if configured to use Internet root servers or other DNS servers outside the firewall. Also for SenderBase queries.
    110 | TCP | Out | POP Server | POP authentication for end users for Cisco IronPort Spam Quarantine
    123 | UDP | In & Out | NTP Server | NTP if time servers are outside firewall.
    143 | TCP | Out | IMAP Server | IMAP authentication for end users for Cisco IronPort Spam Quarantine
    161 | UDP | In | AsyncOS IPs | SNMP Queries
    162 | UDP | Out | Management Station | SNMP Traps
    389 | LDAP | Out | LDAP Servers | LDAP if LDAP directory servers are outside firewall. LDAP authentication for Cisco IronPort Spam Quarantine
    3268 | LDAP | Out | LDAP Servers | LDAP if LDAP directory servers are outside firewall. LDAP authentication for Cisco IronPort Spam Quarantine
    636 | LDAPS | Out | LDAPS | LDAPS ActiveDirectory Global Catalog Server
    3269 | LDAPS | Out | LDAPS | LDAPS ActiveDirectory Global Catalog Server
    443 | TCP | In | AsyncOS IPs | Secure HTTP (https) access to the GUI for system monitoring.
    443 | TCP | Out | res.cisco.com | Cisco Registered Envelope Service
    443 | TCP | Out | updates-static.ironport.com | Verify the latest files for the update server.
    443 | TCP | Out | phonehome.senderbase.org | Receive/Send Outbreak Filters
    514 | UDP/TCP | Out | Syslog Server | Syslog logging
    628 | TCP | In | AsyncOS IPs | QMQP if injecting email from outside firewall.
    2222 | CCS | In & Out | AsyncOS IPs | Cluster Communication Service (for Centralized Management).
    6025 | TCP | Out | AsyncOS IPs | Cisco IronPort Spam Quarantine
    7025 | TCP | Out | AsyncOS IPs | Cisco Policy Virus Outbreak Quarantine.

  • Authentication with EAP-MD5/PEAP/FAST

    Version: ISE 1.2p12
    Hello,
    I have trouble authenticating devices that use different protocols:
    - Cisco IP Phones: EAP-MD5
    - Windows machines: EAP-PEAP
    - Cisco APs: EAP-FAST
    1) I'm able to authenticate the IP Phones individually with an authentication rule:
    IP PHONES If Wired_802.1X allowed protocols EAP-MD5
    For EAP-MD5 I selected only EAP-MD5
    Now if I use a generic rule
    DEVICES If Wired_802.1X allowed protocols EAP-PEAP-FAST-MD5
    with EAP-PEAP-FAST-MD5 having EAP-PEAP, EAP-FAST, EAP-MD5 selected, it doesn't work
    ISE says that there's a protocol mismatch:
    "Failure Reason: 12121 Client didn't provide suitable ciphers for anonymous PAC-provisioning"
    ISE is trying to authenticate my phone with EAP-FAST while the Cisco phone is using EAP-MD5.
    I read in another topic that some of you would consider MAB/Profiling for the APs and probably for the Cisco IP Phones. But I'm wondering if it's possible to have one authentication rule with allowed protocols EAP-PEAP-FAST-MD5
    2) Also, if I place the EAP-MD5 authentication rule higher and then have a rule for EAP-PEAP-FAST below it doesn't work because only the first rule is matched. I have configured the first rule with "If authentication fails = Continue"
    Do any of you have hints?

    I now know the problem. The WLC tries to connect to the LDAP server with an "anonymous bind". It works well with Win2000. With Win2003 it works only if you open up the security. See link: http://support.microsoft.com/kb/320528/en
    You don't have the possibility to configure any username/password for a secure LDAP query. It's something that is an absolute need for many customers.
    For the moment I will suggest the "workaround" with AP->WLC->Radius->LDAP
    Kind regards
    Alex

  • Wireless Controller with 802.1x

    Hi.
    This may seem like a stupid question, but if I'm using 802.1x on my wireless network and using RADIUS/LDAP/ACS for authentication, do I need to configure any aaa commands on my access switches? It was my understanding that all traffic from the client is tunnelled back to the controller, so this is not necessary?
    Thanks.

    No commands necessary on your switches. Your WLC has radius servers configured and the WLC will communicate with your radius.
    Sent from Cisco Technical Support iPhone App

  • User Authentication for Internet access

    Hi,
    Is it possible to configure authentication for internal (LAN) users to authenticate (local/RADIUS/LDAP) for any kind of internet access through the ISA550/570? (Like cut-through authentication proxy in ASA.)
    And can the ISA550/570 act as a web proxy?
    Thanks in advance.

    Hi Sulu,
    You can configure a captive portal for internal LAN users to authenticate (local/Radius/LDAP) for internet access through ISA500. (See attached screenshot.)
    ISA500 cannot act as a web proxy. What is your use case?
    Regards,
    Wei

  • Is ACS required in NAC appliance.

    Hi,
    One of our clients has decided to implement NAC. They need to know what the various options are, especially the NAC appliance (3310 etc). I read that the appliance is a device like a server which has hard disks, CD-ROMs etc. But the documents don't say much about the configuration of the server, whether ACS is required to be installed on the server etc. Can we do port-based 802.1x with the help of this device (like dynamically assigning a host to a particular VLAN if OS/anti-virus is not up to date)?
    Thx in advance.
    Sonu

    NAC appliance will work with many authentication methods. NAC Framework requires ACS. Getting back to the NAC appliance.... You can use ACS/RADIUS/LDAP/etc. to authenticate the users.
    The Appliance will work with Patch Management (after authentication) to ensure that the right applications and patch levels are met. We work with Altiris/BigFix/PatchLink/SMS and more.
    The great thing about NAC Appliance is that it works for all four major use cases:
    1. VPN users
    2. WiFi users
    3. LAN/wired users
    4. Guest/visitors
    We can
    1. Authenticate
    2. Posture assess (scan)
    3. Quarantine
    4. Remediate
    You don't want users to have to learn three different ways to connect to the network.
    802.1x is working for WiFi today and for LAN connections we use one user per port so they get the whole pipe. In the future we will support subdivision of an access switch port for multiple devices and users.
    I hope this helps.

  • Airserver multicast mDNS problem

    I have a WLC 2504 running 7.4.100.0 with a single 1242AG AP,
    a single wireless SSID on the WLC,
    an Apple AirServer and an iPad which should be able to do mirroring to show the iPad screen on the PC.
    They have IPs in the same subnet and have basic connectivity.
    It just won't work! The iPad never sees the AirPlay server option come up.
    BUT
    if I move these 2 systems to a Cisco autonomous AP, or another commodity wireless LAN, and have the 2 systems (PC/iPad) in the same subnet, it works.
    If I have the PC on wired and the iPad (wireless obviously), this works on the autonomous or commodity AP fine.
    So there is something "different" about using the WLC/LWAP, right?
    I have tried with and without the various multicast options enabled etc.
    Please can anyone advise or help?
    Many thanks
    dave

    Thank you both for helping me and for the pointers.
    I have a config (attached).
    I have this update to the case:
    laptop and iPhone on the same wireless LAN (interface 3), wireless LAN called clients34
    With the command
    config mdns snooping DISable
    I can see the AirServer from the iPad and it works WITHIN the wireless WLAN, i.e. both on the same WLAN and IP subnet.
    If I issue
    config mdns snooping ENable
    the AirServer disappears and won't work.
    It comes back as soon as I disable the mDNS snooping.
    This is consistently reproducible.
    Any ideas welcomed.
    It never works between WLANs (so far!)
    dave
    Here is the config:
    config location expiry tags 5
    config interface address management 10.99.98.40 255.255.255.128 10.99.98.1
    config interface dhcp management primary 10.99.98.3
    config interface port management 1
    config interface vlan management 10
    config interface address virtual 1.1.1.1
    config interface address dynamic-interface clients33 10.10.33.6 255.255.255.0 10.10.33.1
    config interface create clients33 33
    config interface dhcp dynamic-interface clients33 primary 10.99.98.3
    config interface port clients33 2
    config interface vlan clients33 33
    config interface address dynamic-interface clients34 10.10.34.6 255.255.255.0 10.10.34.1
    config interface create clients34 34
    config interface dhcp dynamic-interface clients34 primary 10.99.98.3
    config interface port clients34 2
    config interface vlan clients34 34
    config 802.11b 11gsupport enable
    config 802.11b cac voice sip bandwidth 64 sample-interval 20
    config 802.11b cac voice sip codec g711 sample-interval 20
    config 802.11b cleanair alarm device enable 802.11-nonstd
    config 802.11b cleanair alarm device enable jammer
    config 802.11b cleanair alarm device enable 802.11-inv
    config sysname Apple
    config logging traceinfo disable debugging
    config logging syslog level debugging
    config logging syslog level 7
    config logging syslog host 10.99.98.36
    config database size 2048
    config country US
    config advanced probe limit 2 500
    config advanced probe-limit 2 500
    config advanced 802.11a channel add 36
    config advanced 802.11a channel add 40
    config advanced 802.11a channel add 44
    config advanced 802.11a channel add 48
    config advanced 802.11a channel add 52
    config advanced 802.11a channel add 56
    config advanced 802.11a channel add 60
    config advanced 802.11a channel add 64
    config advanced 802.11a channel add 149
    config advanced 802.11a channel add 153
    config advanced 802.11a channel add 157
    config advanced 802.11a channel add 161
    config advanced 802.11b channel add 1
    config advanced 802.11b channel add 6
    config advanced 802.11b channel add 11
    config mdns service query enable AFP
    config mdns service create AFP _afpovertcp._tcp.local. query enable
    config mdns service query enable AirPrint
    config mdns service create AirPrint _ipp._tcp.local. query enable
    config mdns service query enable AirTunes
    config mdns service create AirTunes _raop._tcp.local. query enable
    config mdns service query enable AppleRemoteDesktop
    config mdns service create AppleRemoteDesktop _net-assistant._udp.local. query enable
    config mdns service query enable AppleTV
    config mdns service create AppleTV _airplay._tcp.local. query enable
    config mdns service query enable HP_Photosmart_Printer_1
    config mdns service create HP_Photosmart_Printer_1 _universal._sub._ipp._tcp.local. query enable
    config mdns service query enable HP_Photosmart_Printer_2
    config mdns service create HP_Photosmart_Printer_2 _cups._sub._ipp._tcp.local. query enable
    config mdns service query enable Printer
    config mdns service create Printer _printer._tcp.local. query enable
    config mdns profile service add default-mdns-profile AirPrint
    config mdns profile service add default-mdns-profile AppleTV
    config mdns profile service add default-mdns-profile HP_Photosmart_Printer_1
    config mdns profile service add default-mdns-profile HP_Photosmart_Printer_2
    config mdns profile service add default-mdns-profile Printer
    config mdns profile create default-mdns-profile
    config mdns snooping enable
    config mobility group domain MOBGROUP
    config network rf-network-name RFGROUP
    config network telnet enable
    config network broadcast enable
    config network multicast igmp snooping enable
    config network multicast l2mcast disable service-port
    config network multicast l2mcast disable virtual
    config network multicast mld snooping enable
    config network multicast global enable
    config dhcp address-pool scope33 10.10.33.2 10.10.33.254
    config dhcp default-router scope33 10.10.33.1
    config dhcp create-scope scope33
    config dhcp network scope33 10.10.33.0 255.255.255.0
    config dhcp address-pool "scope 34" 10.10.34.2 10.10.34.254
    config dhcp default-router "scope 34" 10.10.34.1
    config dhcp create-scope "scope 34"
    config dhcp dns-servers "scope 34" 8.8.8.8
    config dhcp network "scope 34" 10.10.34.0 255.255.255.0
    config dhcp lease scope33 86400
    config dhcp enable scope33
    config dhcp lease "scope 34" 86400
    config license boot base
    config license agent max-sessions 9
    config 802.11a cac voice sip bandwidth 64 sample-interval 20
    config 802.11a cac voice sip codec g711 sample-interval 20
    config 802.11a cleanair alarm device enable 802.11-nonstd
    config 802.11a cleanair alarm device enable jammer
    config 802.11a cleanair alarm device enable 802.11-inv
    config nmsp notification interval rssi rfid 2
    config certificate generate webauth
    config wlan mfp client enable 1
    config wlan mfp client enable 3
    config wlan mfp client enable 4
    config wlan dhcp_server 1 10.99.98.3 required
    config wlan security ft over-the-ds disable 1
    config wlan security wpa wpa1 ciphers aes enable 1
    config wlan security wpa wpa1 ciphers tkip enable 1
    config wlan security wpa wpa1 enable 1
    config wlan security wpa wpa2 ciphers aes disable 1
    config wlan security wpa wpa2 disable 1
    config wlan security wpa akm psk set-key hex encrypt 1 a1f6e0bbf14d724dc3f66873d6f810a6 786fcab479dd2b3ab7fe1e79eb569f3bcd8bec22 48 db307698ce2f6146a19f3b40cb7a52b39b8062c5d6f8f0f37d60dc98cde78d6a1e8aea0014292f6192cd1a06a447fccd000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1
    config wlan security wpa akm psk enable 1
    config wlan security wpa akm 802.1x disable 1
    config wlan security wpa enable 1
    config wlan security web-auth server-precedence 1 local radius ldap
    config wlan security wapi akm psk set-key hex encrypt 1 a1f6e0bbf14d724dc3f66873d6f810a6 786fcab479dd2b3ab7fe1e79eb569f3bcd8bec22 48 db307698ce2f6146a19f3b40cb7a52b39b8062c5d6f8f0f37d60dc98cde78d6a1e8aea0014292f6192cd1a06a447fccd000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1
    config wlan dhcp_server 3 10.99.98.3 required
    config wlan security ft over-the-ds disable 3
    config wlan security wpa wpa1 ciphers aes enable 3
    config wlan security wpa wpa1 enable 3
    config wlan security wpa wpa2 ciphers aes disable 3
    config wlan security wpa wpa2 disable 3
    config wlan security wpa akm psk set-key hex encrypt 1 42a623f34bd4ac9f6c4d8415be540e52 aa8f5add9351816443d374a3fa1cd76ee34ec325 48 83269c2ab1bfffb0717cf80763bf2be8e30af9de5d784f132deef8aba1ef463d37eda9fcca7b3edac4f16806799bddb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 3
    config wlan security wpa akm psk enable 3
    config wlan security wpa akm 802.1x disable 3
    config wlan security wpa enable 3
    config wlan security web-auth server-precedence 3 local radius ldap
    config wlan security wapi akm psk set-key hex encrypt 1 42a623f34bd4ac9f6c4d8415be540e52 aa8f5add9351816443d374a3fa1cd76ee34ec325 48 83269c2ab1bfffb0717cf80763bf2be8e30af9de5d784f132deef8aba1ef463d37eda9fcca7b3edac4f16806799bddb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 3
    config wlan dhcp_server 4 10.99.98.3 required
    config wlan security ft over-the-ds disable 4
    config wlan security wpa wpa1 ciphers aes enable 4
    config wlan security wpa wpa1 enable 4
    config wlan security wpa wpa2 ciphers aes disable 4
    config wlan security wpa wpa2 disable 4
    config wlan security wpa akm psk set-key hex encrypt 1 5032332e8e93f8a77f2d0e2f97d411e4 37dee84d8d542d677ead99c9a06b559c3c6c39e7 48 d5576ca89f5c5201557c2a30274ac2034f0881e1502f22d0fb59b2ea05c338c9e09c57844efaa2d20967d8931c7b795c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 4
    config wlan security wpa akm psk enable 4
    config wlan security wpa akm 802.1x disable 4
    config wlan security wpa enable 4
    config wlan security web-auth server-precedence 4 local radius ldap
    config wlan security wapi akm psk set-key hex encrypt 1 5032332e8e93f8a77f2d0e2f97d411e4 37dee84d8d542d677ead99c9a06b559c3c6c39e7 48 d5576ca89f5c5201557c2a30274ac2034f0881e1502f22d0fb59b2ea05c338c9e09c57844efaa2d20967d8931c7b795c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 4
    config wlan nasid Cisco_88:af:84 1
    config wlan broadcast-ssid enable 1
    config wlan interface 1 management
    config wlan nasid Cisco_88:af:84 3
    config wlan broadcast-ssid enable 3
    config wlan interface 3 clients34
    config wlan nasid Cisco_88:af:84 4
    config wlan broadcast-ssid enable 4
    config wlan interface 4 clients33
    config wlan create 1 wall wall
    config wlan session-timeout 1 1800
    config wlan create 3 clients34 clients34
    config wlan session-timeout 3 1800
    config wlan create 4 clients33 clients33
    config wlan session-timeout 4 1800
    config wlan exclusionlist 1 60
    config wlan exclusionlist 3 60
    config wlan exclusionlist 4 60
    config wlan wmm allow 1
    config wlan wmm allow 3
    config wlan mdns disable 3
    config wlan wmm allow 4
    config wlan enable 1
    config wlan enable 3
    config wlan enable 4
    config ap packet-dump truncate 0
    config ap packet-dump buffer-size 2048
    config ap packet-dump capture-time 10
    config mgmtuser add encrypt admin 1 321719832e36efcfeefd2273c587a40e 5b6894ae997a61fda287052deb92ad880db51682 16 87acec2a7c4ebbed6eee748deb8b111c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 read-write
    config mgmtuser add encrypt l8admin 1 f2fbd280a591024db06b5e26e3aea6f0 0a6c6ee6cd7de16f828232164d3edeefdce05f4a 16 ba42eb8ce58babcf06c6e402e96353d60000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 read-write
    config rfid timeout 1200
    config rfid status enable
    config rfid mobility pango disable
    transfer upload path /
    transfer upload datatype config
    transfer upload serverip 172.29.254.1
    transfer upload filename Daves_WLC.txt
    transfer download path /
    transfer download serverip 172.29.254.1
    transfer download filename Daves_WLC.txt

  • Upgrade failure

    Hi experts,
    I am deploying a new WSA, but seem unable to upgrade AsyncOS - when I check for available upgrades, I receive the following error:
    Error
    Failure downloading upgrade list.
    Everything else seems to be OK - I have time via the default NTP servers, checks for new feature keys return a success, policy trace returns what I would expect.
    I have noticed that the feature keys the client purchased are listed as Active with 30 days remaining and an expiration date of Dormant.
    Does the appliance license need to be activated? I can't seem to locate a Claim Certificate to find the PAK...
    Thanks.

    Hi,
    The status Dormant means that the feature is currently not being used by the device, e.g. if the HTTPS Proxy status shows Dormant, this generally means that the device is currently not using this feature.
    Regarding the Upgrade issue, I would request you to make sure the following ports are not being blocked by the firewall:
    Firewall Ports:
    Port         Protocol   In/Out     Hostname use                          Description
    =====================================================================================================================
    20/21        TCP        In or out  AsyncOS IPs                           FTP server; FTP for aggregation of log files.
    22           TCP        In         AsyncOS IPs                           SSH access to the CLI, aggregation of log files.
    22           TCP        Out        SCP server                            SCP push to log server.
    23           Telnet     In         AsyncOS IPs                           Telnet access to the CLI.
    23           Telnet     Out        Telnet server                         Telnet upgrades.
    25           TCP        Out        Any                                   SMTP to send email.
    25           TCP        In         AsyncOS IPs                           SMTP to receive bounced email or if injecting email from outside firewall.
    80           TCP        In or out  AsyncOS IPs, downloads.ironport.com   HTTP access to the GUI for system monitoring. AsyncOS and Sophos upgrades are retrieved via HTTP from port 80.
    82           HTTP       In         AsyncOS IPs                           Used for viewing the IronPort Spam Quarantine.
    83           HTTPS      In         AsyncOS IPs                           Used for viewing the IronPort Spam Quarantine.
    53           UDP/TCP    Out        DNS servers                           DNS if configured to use Internet root servers or other DNS servers outside the firewall. Also for SenderBase.
    110          TCP        Out        POP server                            POP authentication for end users for IronPort Spam Quarantine.
    123          UDP        Out        NTP server                            NTP if time servers are outside firewall.
    143          TCP        Out        IMAP server                           IMAP authentication for end users for IronPort Spam Quarantine.
    161          UDP        In         AsyncOS IPs                           SNMP queries.
    162          UDP        Out        Management station                    SNMP traps.
    389 or 3268  LDAP       Out        LDAP servers                          LDAP if LDAP directory servers are outside firewall. LDAP authentication for IronPort Spam Quarantine.
    636 or 3269  LDAPS      Out        LDAPS                                 LDAPS ActiveDirectory's global catalog server.
    443          TCP        In         AsyncOS IPs                           Secure HTTP (https) access to the GUI for system monitoring.
    443          TCP        Out        update manifests, ironport.com        Verify the latest files for the update server.
    443          TCP        Out        phonehome.senderbase.org              Receive/send Virus Outbreak Filters.
    514          UDP/TCP    Out        Syslog server                         Syslog logging.
    2222         CCS        In/Out     AsyncOS IPs                           Cluster Communication Service (for centralized management).
    6025         TCP        In/Out     AsyncOS IPs                           Send IronPort Spam Quarantine data to the Security Management appliance if the external IronPort Spam Quarantine is enabled.
    If it still fails, please try to use the recommended P1 interface and then try to do the upgrade.
    Regards,
    Kush

  • Force to reauthenticate to webauth after reboot

    2100 wireless lan controller
    1130 AP's in H-Reap mode
    Static WEP and Web Authentication
    The problem is when clients, who are connected and authenticated reboot their machines, it is not necessary for them to login to the webauth page again. This brings up a security concern obviously. Is there a way to force the clients to re-authenticate? I was thinking about a small idle timeout but I don't want users to have to login all day long.
    Thanks.

    What method are you using to validate credentials in the web authentication? Local database, RADIUS, LDAP, etc.? Unfortunately, without clicking "logout" the session remains active. At this point, my only thoughts are to use something like AD (RADIUS/IAS) or the Lobby function where you can specify when a particular account times out.
    Regards,
    Scott

  • Exception Handling : Memory Leak???

    Hi all
    I have a problem in my system. It uses radius-ldap for authentication and inserts accounting into an Oracle DB. In the accounting table, I put a trigger that uses exception handling to update or insert some data into other tables in the Oracle schema and the LDAP schema. When an error occurred, the exception would be handled, but when it completed, the trigger did not release all of the connections between the Oracle DB, RADIUS and LDAP. Many, many TCP connections were established but not destroyed, and my system spent all its memory on these connections. This may be caused by the exception handling.
    Does anybody have the same problem? How can I solve this?
    Sincerely Yours.

    Does anybody know how to solve this problem?
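    The leak pattern described in this thread, and the usual fix, as an added example that is not the poster's trigger code: it assumes the trigger reaches the LDAP directory through Oracle's DBMS_LDAP package, and the host, bind DN, password, entry DN and the radiusOctets attribute are placeholders.

```plsql
-- Added example (not the poster's code). Assumes DBMS_LDAP is how the trigger
-- talks to LDAP; host, DNs, password and attribute name are placeholders.
CREATE OR REPLACE PROCEDURE sync_accounting_to_ldap(p_user IN VARCHAR2, p_octets IN NUMBER) IS
  l_session DBMS_LDAP.session;
  l_rc      PLS_INTEGER;
  l_mods    DBMS_LDAP.mod_array;
  l_vals    DBMS_LDAP.string_collection;
BEGIN
  DBMS_LDAP.use_exception := TRUE;                       -- raise instead of returning codes
  l_session := DBMS_LDAP.init('ldap.example.com', 389);  -- opens one TCP connection
  l_rc := DBMS_LDAP.simple_bind_s(l_session, 'cn=acct,dc=example,dc=com', 'PLACEHOLDER_PW');

  l_mods := DBMS_LDAP.create_mod_array(1);
  l_vals(1) := TO_CHAR(p_octets);
  DBMS_LDAP.populate_mod_array(l_mods, DBMS_LDAP.MOD_REPLACE, 'radiusOctets', l_vals);
  l_rc := DBMS_LDAP.modify_s(l_session,
                             'uid=' || p_user || ',ou=people,dc=example,dc=com', l_mods);
  DBMS_LDAP.free_mod_array(l_mods);

  l_rc := DBMS_LDAP.unbind_s(l_session);                 -- happy path: socket closed here
EXCEPTION
  WHEN OTHERS THEN
    -- The leak: a handler that only logs (or silently returns) jumps over the
    -- unbind_s above, so every failed row leaves a bound TCP session open.
    -- Release the session in the handler as well; ignore errors on a handle
    -- that never got past init() or is already dead.
    BEGIN
      l_rc := DBMS_LDAP.unbind_s(l_session);
    EXCEPTION
      WHEN OTHERS THEN NULL;
    END;
    RAISE;  -- re-raise so the accounting insert is not silently accepted
END sync_accounting_to_ldap;
/

-- The AFTER INSERT trigger on the accounting table just delegates to the
-- procedure, so the release logic lives in one place.
CREATE OR REPLACE TRIGGER acct_ldap_sync
AFTER INSERT ON radius_accounting FOR EACH ROW
BEGIN
  sync_accounting_to_ldap(:NEW.username, :NEW.acct_output_octets);
END;
/
```

    Whether the handler re-raises or swallows the error is a policy choice; what stops the connection build-up is that unbind_s runs on every exit path.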
