IP address Assignment for 802.1x Client
Working on a wireless deployment using 802.1x and a question has come up regarding address assignment.
The design requires wireless VLAN assignment based on username and Active Directory group assignment.
The simplest way to provide dynamic addressing would obviously be multiple DHCP scopes on a server and use the ip helper functionality to provide relay servers.
Another option (I think) would be to create IP address pools in the ACS server based on ACS group and have ACS pass it back as part of the authentication process. I'm wondering if this is even a valid option with 802.1x authentication. It seems to me that it would cut down on a lot of the traffic associated with a DHCP discovery/request/offer conversation as the number of wireless clients starts to grow.
Err, no. There is no provision in EAP-TLS, PEAP (CHAP), or even basic EAP to provide network information (e.g. IP address/mask/gateway/DNS/etc).
There is also no provision in Windows 2k or XP interface management software to accept IP details for interface configuration via any wireless authentication protocol.
peter
Similar Messages
-
ISE Endpoint Identity Group assignment for 802.1x clients
Hello
I'm using ISE 1.3 to 802.1x authenticate AD PCs (machine and user with AnyConnect NAM) and to profile/MAB IP phones, printers, APs etc.
Phones are profiled (EndPointSource of SNMPQuery Probe) and are placed automatically in the correct Identity Group.
AD PCs aren't profiled and are listed under Endpoints with the Endpoint Profile of "unknown".
To place AD PCs into a particular Identity Group, I created a RADIUS Profiling Policy to match on the Framed-IP-Address. This works well, with the AD PC appearing in the correct Identity Group (with EndPointSource of RADIUS Probe).
My questions are:
A phone (profiled with EndPointSource of SNMPQuery Probe) consumes a Plus licence but an AD PC ("profiled" with EndPointSource of RADIUS Probe) does not - is this correct?
Authenticated 802.1x AD PCs have other attributes (like AD-Host-Resolved-DNs) that I'd like to use to assign PCs to an Identity Group. I can't use these attributes with any of the ISE profilers - is there a way to assign an 802.1x authenticated client to an Identity Group at the authorisation stage rather than use the profiler?
Thanks
Andy
-
How to manage IP address assignment for laptops?
Dear All,
I'm looking for an efficient way to manage IP address assignment for laptops.
I have a DHCP server with reservation for all my devices.
Laptops usually have 2 NICs: LAN and WiFi card.
So, how can I manage the IP assignment for these devices?
If I make a DHCP reservation with two different IP addresses, I can have problems with DNS round-robin.
Should I enable DNS secure dynamic update for domain members and then reserve two different IP addresses on DHCP?
I don't want users to have to manually change their NIC configuration.
What do you suggest?
Thanks
The best way to manage it would be to "not" manage it. DHCP by definition is supposed to be "dynamic". DHCP Reservations are great for a few devices that live under "special circumstances" but you never want to set Reservations for everything,...if you do that then just don't have DHCP to start with and statically assign everything.
The combination of DHCP with dynamically updated DNS in AD means you never have to know or ever care what the IP# is. Everything is referred to by its hostname.
Some things to keep in mind:
Every interface has a different MAC,...meaning the laptops have two MACs. Therefore it is impossible to reserve the same IP# for both. So they end up with a different IP# depending on which NIC they use. Running two laptop NICs on the same LAN at the same time is always bad. Either always use the wireless,...or always turn off the wireless NIC when laptops are local within your facility and can use the physical NIC. In other words pick one,...or the other,...never allow both to work at the same time. This is a responsibility and education issue of the user,...you can't do this for them.
Users cannot change their own network IP specs unless they are Local Administrators on their machines,...and they should never be allowed to be Local Administrators. -
Hi all
Problem:
Client gets excluded caused by "Identity Theft" (when looking in the controller) and "Attempted to use IP Address assigned to another device" (when looking in the WCS).
Setup:
Centrally placed WLAN Controller - the SSID and AP are in H-REAP mode, and the DHCP server locally is an ASA5505.
Client:
Samsung Galaxy Tap 10.1
Other clients on the same site do not appear to have this problem.
The problem is periodic.
Other info:
We have recently upgraded to 7.0.230 because the same type of client would get excluded with reason "unknown" and not be removed from the exclusion list - this appears to have been a bug in the WLC software.
Now we have the reason, and the client will get removed from the exclusion list after the default 60 seconds, but then get excluded again.
When doing a troubleshoot client from the WCS the following shows up:
04/16/2012 12:10:32 CEST INFO 10.1.33.13 DHCP offer received,dhcp server set.
04/16/2012 12:10:32 CEST ERROR 10.1.33.13 Received DHCP ACK, could not update client state.
04/16/2012 12:10:32 CEST INFO 10.1.33.13 Received DHCP request, error processing packet.
04/16/2012 12:10:42 CEST ERROR 10.1.33.13 De-authentication sent to client. slot 0 (claller apf_ms.c:5113)
The question right now is:
The "could not update client state" - is this the WLC not being able to update the client or is it the DHCP server?
As I tried to explain before, we have local switching at the remote site, not centralized for this SSID.
And the DHCP server is on the same local VLAN.
It works fine, but all of a sudden a client will get "stuck" in this error.
If anyone wants to look, I have this debug output from the WLC.
The debug starts from right after I have removed the client from the exclusion list.
I can see in the ASA that the client's lease time in the DHCP server will get renewed during this process to the default 3600 seconds.
The client's MAC is: 8c:77:12:ac:8c:3b
The ASA inside interface is: 192.168.2.1/24
Any suggestions will be greatly appreciated.
(WiSM-slot2-1) >*emWeb: Apr 17 10:09:31.613: 8c:77:12:ac:8c:3b apfMsDeleteByMscb Scheduling mobile for deletion with deleteReason 6, reasonCode 1
*emWeb: Apr 17 10:09:31.613: 8c:77:12:ac:8c:3b Scheduling deletion of Mobile Station: (callerId: 30) in 1 seconds
*osapiBsnTimer: Apr 17 10:09:32.612: 8c:77:12:ac:8c:3b apfMsExpireCallback (apf_ms.c:609) Expiring Mobile!
*apfReceiveTask: Apr 17 10:09:32.622: 8c:77:12:ac:8c:3b apfMsAssoStateDec
*apfReceiveTask: Apr 17 10:09:32.622: 8c:77:12:ac:8c:3b apfMs1xStateDec
*apfReceiveTask: Apr 17 10:09:32.622: 8c:77:12:ac:8c:3b Deleting mobile on AP 00:1d:a2:87:02:30(0)
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b Adding mobile on LWAPP AP 00:1d:a2:87:02:30(0)
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b Association received from mobile on AP 00:1d:a2:87:02:30
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b Applying site-specific IPv6 override for station 8c:77:12:ac:8c:3b - vapId 3, site 'PDA-GST-KNS-MED-ITV', interface 'dummy-itv-105'
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b Applying IPv6 Interface Policy for station 8c:77:12:ac:8c:3b - vlan 199, interface id 13, interface 'dummy-itv-105'
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b Applying site-specific override for station 8c:77:12:ac:8c:3b - vapId 3, site 'PDA-GST-KNS-MED-ITV', interface 'dummy-itv-105'
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b STA - rates (8): 130 132 139 150 36 48 72 108 0 0 0 0 0 0 0 0
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b STA - rates (12): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b Processing RSN IE type 48, length 20 for mobile 8c:77:12:ac:8c:3b
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 00:1d:a2:87:02:30 vapId 3 apVapId 3for this client
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Apr 17 10:09:36.656: 8c:77:12:ac:8c:3b 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:1d:a2:87:02:30 vapId 3 apVapId 3
*apfMsConnTask_0: Apr 17 10:09:36.656: 8c:77:12:ac:8c:3b apfMsAssoStateInc
*apfMsConnTask_0: Apr 17 10:09:36.656: 8c:77:12:ac:8c:3b apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 8c:77:12:ac:8c:3b on AP 00:1d:a2:87:02:30 from Idle to Associated
*apfMsConnTask_0: Apr 17 10:09:36.656: 8c:77:12:ac:8c:3b Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_0: Apr 17 10:09:36.656: 8c:77:12:ac:8c:3b Sending Assoc Response to station on BSSID 00:1d:a2:87:02:30 (status 0) ApVapId 3 Slot 0
*apfMsConnTask_0: Apr 17 10:09:36.656: 8c:77:12:ac:8c:3b apfProcessAssocReq (apf_80211.c:5272) Changing state for mobile 8c:77:12:ac:8c:3b on AP 00:1d:a2:87:02:30 from Associated to Associated
*apfMsConnTask_0: Apr 17 10:09:36.658: 8c:77:12:ac:8c:3b Updating AID for REAP AP Client 00:1d:a2:87:02:30 - AID ===> 2
*dot1xMsgTask: Apr 17 10:09:36.660: 8c:77:12:ac:8c:3b Creating a PKC PMKID Cache entry for station 8c:77:12:ac:8c:3b (RSN 2)
*dot1xMsgTask: Apr 17 10:09:36.660: 8c:77:12:ac:8c:3b Adding BSSID 00:1d:a2:87:02:32 to PMKID cache for station 8c:77:12:ac:8c:3b
*dot1xMsgTask: Apr 17 10:09:36.661: New PMKID: (16)
*dot1xMsgTask: Apr 17 10:09:36.661: [0000] 1b 92 b6 05 89 09 d5 c7 45 82 72 72 6a f2 b6 7e
*dot1xMsgTask: Apr 17 10:09:36.661: 8c:77:12:ac:8c:3b Initiating RSN PSK to mobile 8c:77:12:ac:8c:3b
*dot1xMsgTask: Apr 17 10:09:36.661: 8c:77:12:ac:8c:3b dot1x - moving mobile 8c:77:12:ac:8c:3b into Force Auth state
*dot1xMsgTask: Apr 17 10:09:36.661: 8c:77:12:ac:8c:3b Skipping EAP-Success to mobile 8c:77:12:ac:8c:3b
*dot1xMsgTask: Apr 17 10:09:36.661: Including PMKID in M1 (16)
*dot1xMsgTask: Apr 17 10:09:36.661: [0000] 1b 92 b6 05 89 09 d5 c7 45 82 72 72 6a f2 b6 7e
*dot1xMsgTask: Apr 17 10:09:36.661: 8c:77:12:ac:8c:3b Starting key exchange to mobile 8c:77:12:ac:8c:3b, data packets will be dropped
*dot1xMsgTask: Apr 17 10:09:36.661: 8c:77:12:ac:8c:3b Sending EAPOL-Key Message to mobile 8c:77:12:ac:8c:3b
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.674: 8c:77:12:ac:8c:3b Received EAPOL-Key from mobile 8c:77:12:ac:8c:3b
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.674: 8c:77:12:ac:8c:3b Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 8c:77:12:ac:8c:3b
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.674: 8c:77:12:ac:8c:3b Received EAPOL-key in PTK_START state (message 2) from mobile 8c:77:12:ac:8c:3b
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.674: 8c:77:12:ac:8c:3b Stopping retransmission timer for mobile 8c:77:12:ac:8c:3b
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.675: 8c:77:12:ac:8c:3b Sending EAPOL-Key Message to mobile 8c:77:12:ac:8c:3b
state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.681: 8c:77:12:ac:8c:3b Received EAPOL-Key from mobile 8c:77:12:ac:8c:3b
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.681: 8c:77:12:ac:8c:3b Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 8c:77:12:ac:8c:3b
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.681: 8c:77:12:ac:8c:3b Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 8c:77:12:ac:8c:3b
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.681: 8c:77:12:ac:8c:3b apfMs1xStateInc
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.681: 8c:77:12:ac:8c:3b 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.682: 8c:77:12:ac:8c:3b 0.0.0.0 L2AUTHCOMPLETE (4) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.682: 8c:77:12:ac:8c:3b 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 00:1d:a2:87:02:30 vapId 3 apVapId 3for this client
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.682: 8c:77:12:ac:8c:3b Not Using WMM Compliance code qosCap 00
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.683: 8c:77:12:ac:8c:3b 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:1d:a2:87:02:30 vapId 3 apVapId 3
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.683: 8c:77:12:ac:8c:3b 0.0.0.0 L2AUTHCOMPLETE (4) pemAdvanceState2 4817, Adding TMP rule
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.683: 8c:77:12:ac:8c:3b 0.0.0.0 L2AUTHCOMPLETE (4) Adding Fast Path rule
type = Airespace AP - Learn IP address
on AP 00:1d:a2:87:02:30, slot 0, interface = 29, QOS = 0
ACL Id = 255, Ju
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.683: 8c:77:12:ac:8c:3b 0.0.0.0 L2AUTHCOMPLETE (4) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 5006 IPv6 Vlan = 199, IPv6 intf id = 13
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.683: 8c:77:12:ac:8c:3b 0.0.0.0 L2AUTHCOMPLETE (4) Successfully plumbed mobile rule (ACL ID 255)
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.683: 8c:77:12:ac:8c:3b 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.683: 8c:77:12:ac:8c:3b 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4833, Adding TMP rule
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.028: 8c:77:12:ac:8c:3b 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
type = Airespace AP - Learn IP address
on AP 00:1d:a2:87:02:30, slot 0, interface = 29, QOS = 0
ACL Id = 255, Jumb
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.684: 8c:77:12:ac:8c:3b 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 5006 IPv6 Vlan = 199, IPv6 intf id = 13
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.684: 8c:77:12:ac:8c:3b 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.684: 8c:77:12:ac:8c:3b Stopping retransmission timer for mobile 8c:77:12:ac:8c:3b
*pemReceiveTask: Apr 17 10:09:36.689: 8c:77:12:ac:8c:3b 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*pemReceiveTask: Apr 17 10:09:36.695: 8c:77:12:ac:8c:3b 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*DHCP Proxy DTL Recv Task: Apr 17 10:09:36.831: 8c:77:12:ac:8c:3b DHCP received op BOOTREPLY (2) (len 325,vlan 0, port 29, encap 0xec03)
*DHCP Proxy DTL Recv Task: Apr 17 10:09:36.831: 8c:77:12:ac:8c:3b DHCP setting server from ACK (server 192.168.2.1, yiaddr 192.168.2.13)
*DHCP Proxy DTL Recv Task: Apr 17 10:09:36.853: 8c:77:12:ac:8c:3b apfBlacklistMobileStationEntry2 (apf_ms.c:4296) Changing state for mobile 8c:77:12:ac:8c:3b on AP 00:1d:a2:87:02:30 from Associated to Exclusion-list (1)
*DHCP Proxy DTL Recv Task: Apr 17 10:09:36.853: 8c:77:12:ac:8c:3b Scheduling deletion of Mobile Station: (callerId: 44) in 10 seconds
*DHCP Proxy DTL Recv Task: Apr 17 10:09:36.854: 8c:77:12:ac:8c:3b DHCP failed to register IP 192.168.2.13 - dropping ACK -
Can we assign IPv4 IP address pool to IPv6 VPN Client
We are planning to enable IPv6 SSL VPN clients, Let me explain the current setup
We have Cisco ASA firewall used for SSL VPN and Cisco ACS for user authentication and RSA for two factor authentication.
LAN Server are in IPv4 only..
Requirement :
Client (IPv6) --- Cloud (IPv6) ---- Outside (IPv6) - Cisco ASA - Inside (IPv4) ----- ACS (IPv4) & RSA (IPv4)
A client with IPv6 internet connectivity connects to the SSL VPN over IPv6; the Cisco ASA outside interface with an IPv6 address will receive the request.
Questions:
1. Will Cisco ASA check two-factor authentication with ACS and RSA, which are both on IPv4 addresses, for an IPv6 client?
2. Once authenticated, Cisco ASA can assign an IPv4/IPv6 address pool to the client. If I prefer only an IPv4 address pool and the client gets an IPv4 address as its tunnel interface IP address, will it work? Meaning IPv4 over an IPv6 SSL VPN tunnel.
Thanks
Sankar
AFAIR, with SSL we support IPv4 and IPv6 assigned IP addresses; with IPsec IKEv2 we only support IPv4 addressing.
Queries to AAA servers are a separate process from the user <-> headend authentication flow, unless we're talking about IKEv2 with standard EAP methods. -
Unable to set the ip address for hosted network client after creating WIFI hotspot
Original Title: INTERNET CONNECTIVITY PROBLEM WITH MY LAPTOP WIFI HOTSPOT
Hi all
I am able to use the internet connection from my laptop hotspot when the internet source is a public or private wifi.
So I know the cmd window commands for the hotspot and the settings of the client (sharing to the hosted network client, assigning an IP address etc.),
but the problem I am facing is slightly different.
I am using my CDMA wireless broadband datacard as my source internet connection (Reliance Netconnect+).
When I try to create a hotspot for this, as usual I am able to create the hotspot and able to share the internet to the hosted network client,
but I am unable to set the IP address for the hosted network client. If I try to set IP 192.169.137.1 and 255.255.255.0,
as soon as I close the window the IP address also disappears.
When I connect my Android phone to that hotspot, it is able to connect but there is no internet connectivity.
When I check the hosted network client for packet transmission, both sent and received packets are happening, I mean transmitting.
So what causes the failure in internet connectivity but success in hotspot connectivity?
Check the screen shots...
Can you help me..
It's a little complicated
Hi,
Please make sure the ad hoc connection IP address is in the same range as your local connection. In addition, how about recreating the ad hoc connection for a test? Please have a try.
If problem persists, please use Network troubleshooter in Action Center to fix this problem for test.
Roger Lu
TechNet Community Support -
Address book and ical not working for snow leopard clients
We have upgraded our server to mountain lion from snow leopard.
At first glance all appears to have gone well, however, the ical and address book services don't appear to be working for snow leopard clients. These services DO appear to be working for lion clients.
Any ideas?
Thanks.
I am at work right now and don't have access to my Mac. But I need to ask if your Dad is on a Windows Active Directory network? I also found these directions for Princeton's 2010 Exchange that might help. Did he check that Address Book contacts & iCal calendars were enabled when setting up the account in Mail?
-
Hi everybody,
I get the following error in an Opportunity:
Item 100: Address changes for partner function Projektorganigramm (assignment BUYING-CENTER) not possible
Can anyone tell me what is wrong and how I can fix this please?
Thank you!
Regards, Bjoern
Hello Bjoern,
Go to SPRO --> CRM --> Basic Functions --> Partner Functions --> Partner Determination Procedure.
Select the procedure set for opportunities. Now select the checkbox for "Changeable address", which means one will be able to change the address if the partner function has many addresses.
See the attached snapshot.
Please reward the answer and like it if my answer is helpful.
Regards
sai -
Error:wwnn address assignment failed for a vhba
Hello,
We are trying to create a service profile but get this message for the vHBA:
wwnn address assignment failed for a vhba
Currently the storage is not connected yet to the 6200.
Can someone please help?
Regards,
Full error is:
wwnn address assignment failed for a VHBA, possibilty illegal WWNN address or no available WWN in the pool
Yes, this is happening when I try to assign from the WWNN pool. -
How to get MAC Address for maintaning unique client id at server side?
Hi All,
Can somebody tell me how I can get the MAC id for maintaining a unique client id at the server?
Or is there any alternative way to do this?
Thanks in advance..
CK
Usually people just use cookies for that.
-
Message on WCS/NCS: Attempted to use IP Address assigned to another device
Hi
I have two WLCs AIR-CT5508-K9, monitored by WCS (in retiring stage) and NCS.
All APs are grouped in HREAP groups based on their locations. The wireless users are getting IPs from a DHCP pool running on routers located at each site. All DHCP commands on every router are identical. E.g. rtr1, located on site 1, has an IP pool for wifi users of 192.168.8.0/24. Rtr2 on site 2 has an IP pool for wifi users in the range 192.168.8.0/24. Occasionally I am getting the below message when some wifi users are unable to connect. After creating a HREAP group and associating APs to the correct group, this message stops showing for a while, but now I am getting them again.
The temporary solution to get it all running is to clear the ip dhcp pool on the router located at the affected site.
Any suggestions for a better solution?
Thanks
====================
NCS has detected one or more alarms of category Security and severity Minor in Virtual Domain ROOT-DOMAIN
for the following items:
1. Message: Client '14:5a:05:6c:75:37 (0.0.0.0)' which was associated with interface '802.11b/g/n' of AP 'STV-AP-7198' is excluded. The reason code is '3(Attempted to use IP Address assigned to another device)'. - Controller Name: GEORGE-WLC
===================
endpoint,
You are locally switching your networks, yes, but even without HREAP and WLCs, they are still connected networks in your overall topology, correct? I would never have site A with a given network that overlaps with a network in site B. With few exceptions, they should be completely separate, unique, non-overlapping network spaces. HREAP doesn’t even come into it.
The problem you’re likely having is that the WLC is seeing clients coming in from two different sites and because you are duplicating your configurations from site to site, the WLC sees duplicate IP assignment.
That said, you can try to turn off client IP address learning on the WLAN Advanced tab to see if that helps.
Justin -
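An added example, not from these threads or from Cisco: a small Python analyzer for the two artefacts the IP-theft posts above rely on, the WLC "debug client" trace quoted in the Galaxy Tab thread and the NCS exclusion alarm quoted in this one. It walks the trace for one client MAC, records the policy-state path, the DHCP ACK the controller refused to bind and the exclusion event, and separately splits the NCS alarm into its fields; the sample lines are constructed from the quoted output and the function names are mine.

```python
import re

# Constructed sample: a subset of the WLC "debug client" trace quoted in the
# IP-theft thread above, trimmed to the lines the analyzer keys on.
WLC_DEBUG = """\
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b Association received from mobile on AP 00:1d:a2:87:02:30
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
*dot1xMsgTask: Apr 17 10:09:36.661: New PMKID: (16)
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.681: 8c:77:12:ac:8c:3b 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.683: 8c:77:12:ac:8c:3b 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*DHCP Proxy DTL Recv Task: Apr 17 10:09:36.831: 8c:77:12:ac:8c:3b DHCP received op BOOTREPLY (2) (len 325,vlan 0, port 29, encap 0xec03)
*DHCP Proxy DTL Recv Task: Apr 17 10:09:36.831: 8c:77:12:ac:8c:3b DHCP setting server from ACK (server 192.168.2.1, yiaddr 192.168.2.13)
*DHCP Proxy DTL Recv Task: Apr 17 10:09:36.853: 8c:77:12:ac:8c:3b apfBlacklistMobileStationEntry2 (apf_ms.c:4296) Changing state for mobile 8c:77:12:ac:8c:3b on AP 00:1d:a2:87:02:30 from Associated to Exclusion-list (1)
*DHCP Proxy DTL Recv Task: Apr 17 10:09:36.854: 8c:77:12:ac:8c:3b DHCP failed to register IP 192.168.2.13 - dropping ACK
"""

# Constructed sample: the NCS alarm text quoted in the HREAP thread above.
NCS_ALARM = ("Client '14:5a:05:6c:75:37 (0.0.0.0)' which was associated with interface "
             "'802.11b/g/n' of AP 'STV-AP-7198' is excluded. The reason code is "
             "'3(Attempted to use IP Address assigned to another device)'. "
             "- Controller Name: GEORGE-WLC")

# Trace line layout: "*<task>: <Mon> <day> <hh:mm:ss.mmm>: <client mac> <message>".
# Lines with no client MAC after the timestamp (PMKID dumps etc.) do not match.
LINE_RE = re.compile(
    r"\*(?P<task>[^:]+): (?P<ts>\w{3} +\d+ [\d:.]+): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$")
STATE_RE = re.compile(r"Change state to (?P<state>\w+) \((?P<num>\d+)\)")
ACK_RE = re.compile(r"DHCP setting server from ACK \(server (?P<server>[\d.]+), "
                    r"yiaddr (?P<yiaddr>[\d.]+)\)")
EXCL_RE = re.compile(r"Changing state for mobile \S+ on AP (?P<ap>\S+) "
                     r"from (?P<old>\S+) to Exclusion-list")
DROP_RE = re.compile(r"DHCP failed to register IP (?P<ip>[\d.]+) - dropping ACK")
NCS_RE = re.compile(
    r"Client '(?P<mac>[0-9a-f:]+) \((?P<ip>[\d.]+)\)' which was associated with "
    r"interface '(?P<intf>[^']+)' of AP '(?P<ap>[^']+)' is excluded\. "
    r"The reason code is '(?P<code>\d+)\((?P<reason>[^)]+)\)'")


def analyze_client(debug_text, mac):
    """Walk the trace for one client MAC and summarise the policy-state path,
    the DHCP ACK the controller saw, and the exclusion event, if any."""
    s = {"states": [], "dhcp_ack": None, "dropped_ack_ip": None,
         "excluded_on_ap": None, "excluded_from": None, "verdict": None}
    for line in debug_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("mac") != mac.lower():
            continue
        msg = m.group("msg")
        if st := STATE_RE.search(msg):
            s["states"].append(st.group("state"))
        elif ack := ACK_RE.search(msg):
            s["dhcp_ack"] = (ack.group("server"), ack.group("yiaddr"))
        elif ex := EXCL_RE.search(msg):
            s["excluded_on_ap"], s["excluded_from"] = ex.group("ap"), ex.group("old")
        elif dr := DROP_RE.search(msg):
            s["dropped_ack_ip"] = dr.group("ip")
    s["verdict"] = _verdict(s)
    return s


def _verdict(s):
    last = s["states"][-1] if s["states"] else "unknown"
    if s["excluded_on_ap"] and s["dropped_ack_ip"]:
        # Exclusion right after a DHCP ACK the WLC refused to register is the
        # IP-theft case from the thread: the auth exchange itself completed.
        return ("ip-theft: client reached %s, DHCP server offered %s, but the WLC "
                "would not bind that address to this client and dropped the ACK"
                % (last, s["dropped_ack_ip"]))
    if s["excluded_on_ap"]:
        return "excluded on AP %s for a reason other than IP theft" % s["excluded_on_ap"]
    return "no exclusion seen for this client"


def parse_ncs_alarm(text):
    """Split an NCS/WCS client-exclusion alarm into its fields."""
    m = NCS_RE.search(text)
    if not m:
        return None
    fields = m.groupdict()
    fields["code"] = int(fields["code"])
    return fields


if __name__ == "__main__":
    for k, v in analyze_client(WLC_DEBUG, "8c:77:12:ac:8c:3b").items():
        print("%-16s %s" % (k, v))
    print(parse_ncs_alarm(NCS_ALARM))
```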
WLC Duplicate IP address detected for AP-Manager Interface
I am getting an error log in the WLC saying its IP address is duplicated by another machine with MAC address A.B.C.D.
But this MAC address A.B.C.D is the MAC address of the AP-Manager interface in the same controller.
Model No. AIR-WLC2106-K9
Software Version 7.0.116.0
%LWAPP-3-DUP_IP: spam_lrad.c:27626 Adding client 58:b0:35:83:72:86 to exclusion list due to IP Address conflict with AP 'AP_DUXO_3'
%LWAPP-3-DUP_AP_IP: spam_lrad.c:27612 Duplicate IP address detected for AP AP_DUXO_3, IP address of AP 10.184.1.224, this is a duplicate of IP on another machine (MAC address 58:b0:35:83:72:86)
Cisco AP Identifier.............................. 1
Cisco AP Name.................................... AP_DUXO_3
Country code..................................... US - United States
Regulatory Domain allowed by Country............. 802.11bg:-A 802.11a:-A
AP Country code.................................. US - United States
AP Regulatory Domain............................. 802.11bg:-A 802.11a:-N
Switch Port Number .............................. 1
MAC Address...................................... cc:ef:48:1a:e4:af
IP Address Configuration......................... Static IP assigned
IP Address....................................... 10.184.1.224
IP NetMask....................................... 255.255.0.0
Gateway IP Addr.................................. 10.184.20.2
Domain...........................................
Name Server......................................
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Enabled
Ssh State........................................ Disabled
Cisco AP Location................................ DUXO_BOX
Cisco AP Group Name.............................. default-group
Does anyone have an issue like this?
Are you sure this MAC address 58:b0:35:83:72:86 isn't some type of Apple device? Its OUI is registered to Apple. How do clients get IP addresses, DHCP? It appears that the IP 10.184.1.224 is statically assigned to your ap-manager and that this client 58:b0:35:83:72:86 is either getting that same IP from DHCP or the client is statically assigning it themselves.
-
I have the new Apple AirPort Time Capsule as my router, being fed from a Comcast cable modem. As you know, the Apple TC is dual band capable and can provide 802.11ac wireless connectivity. I also have an Apple AirPort Express located upstairs that does a good job of extending my network, providing excellent wireless n coverage throughout the second story of the house.
I purchased a TrendNet AC1200 Dual Band Wireless Media Bridge that is 802.11ac capable. To the Media Bridge I have wired Ethernet connections for my DirecTV HD DVR, my AppleTV and my Roku box. When the TrendNet Media Bridge is wirelessly connected to the TC, all is well in that I get the speeds I would expect (500-800 Mb/s) from having an 802.11ac client wirelessly connected to an 802.11ac router.
My problem is that the TrendNet Wireless Media Bridge will often connect on its own to the AirPort Express upstairs, which is 802.11n, and only give me throughput speeds of ~270 Mb/s. I want the TrendNet to always stay wirelessly attached to the Time Capsule, obviously, in order to give me ac-to-ac connectivity.
What I thought was the solution was to assign the TrendNet a static IP address (10.0.1.21) and make the default gateway setting on it the IP address of the Time Capsule (10.0.1.1). However, even with this setting, the TrendNet will regularly connect to the AirPort Express upstairs. I should also say that the Time Capsule and AirPort Express are about the same distance from the TrendNet.
So, how can I force the TrendNet Media Bridge to stay connected only to the AirPort Time Capsule? I assume Apple will eventually ship an 802.11ac AirPort Express, which would solve the problem. But until then?
Any help would be appreciated.
Thanks,
Mark
So, how can I force the TrendNet Media Bridge to stay connected only to the AirPort Time Capsule?
It would seem that this is really a question for TrendNet support.
There is nothing on the Apple devices that would tell the TrendNet device what to do.
I suggest that you ask TrendNet if it is possible to force the Media Bridge to pick up a signal from a specific device.
I imagine that the TrendNet, like the Apple, is simply looking for the strongest signal....not the fastest signal... and I doubt that you can change that....but if it is possible, the "how to" is a question for TrendNet support.
I assume Apple will eventually ship an 802.11ac AirPort Express, which would solve the problem.
An 802.11ac AirPort Extreme would likely solve the problem right now. -
Why Unable to identify a user for 802.1X authentication (0x50001)?
Hello,
We are trying to set up wifi single sign-on. When logging on to a laptop we get the message
"Connecting to Pivot_Users" and after some time "Unable to connect to Pivot_Users", and after that we are logged in to the laptop and successfully connected to the Pivot_Users wifi network.
Server: Windows Server 2003 (with all updates)
Laptop: Windows 7 Professional SP1 (with all updates)
When looking in the event log I found this error:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2012-10-10 10:38:01
Event ID: 5632
Task Category: Other Logon/Logoff Events
Level: Information
Keywords: Audit Failure
User: N/A
Computer: sba01-nb
Description:
A request was made to authenticate to a wireless network.
Subject:
Security ID:
Account Name: -
Account Domain: -
Logon ID: 0x0
Network Information:
Name (SSID): Pivot_Users
Interface GUID: {64773f24-bf8b-4e91-bbd7-eb199e3c2c5e}
Local MAC Address: C4:85:08:12:77:44
Peer MAC Address: 00:24:97:83:8E:61
Additional Information:
Reason Code: Unable to identify a user for 802.1X authentication (0x50001)
Error Code: 0x525
EAP Reason Code: 0x0
EAP Root Cause String:
EAP Error Code: 0x0
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5632</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12551</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2012-10-10T07:38:01.093305500Z" />
<EventRecordID>37791</EventRecordID>
<Correlation />
<Execution ProcessID="760" ThreadID="2224" />
<Channel>Security</Channel>
<Computer>sba01-nb</Computer>
<Security />
</System>
<EventData>
<Data Name="SSID">Pivot_Users</Data>
<Data Name="Identity">
</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="PeerMac">00:24:97:83:8E:61</Data>
<Data Name="LocalMac">C4:85:08:12:77:44</Data>
<Data Name="IntfGuid">{64773F24-BF8B-4E91-BBD7-EB199E3C2C5E}</Data>
<Data Name="ReasonCode">0x50001</Data>
<Data Name="ReasonText">Unable to identify a user for 802.1X authentication</Data>
<Data Name="ErrorCode">0x525</Data>
<Data Name="EAPReasonCode">0x0</Data>
<Data Name="EapRootCauseString">
</Data>
<Data Name="EAPErrorCode">0x0</Data>
</EventData>
</Event>
Thank you for answer and help.
Regards,
Tadas
Hi,
Thanks for your post.
Have you configured the client to only use user authentication for 802.1X? If so, I would like to inform you that this is expected when you configure 802.1X for user-only authentication.
Here is the process that is followed.
1. As soon as the client is connected to the network, the Authenticator (switch) periodically sends an EAP request packet/frame to the client/supplicant.
2. The client has to respond back with an identity, and if it's configured only for user authentication then it will send a blank identity.
3. The Authenticator cannot validate it and the authentication will fail.
4. The Windows client is configured for a block time of 20 min. So, once the authentication fails the NIC will go into block time for 20 min until there is a change in credentials. So, even if the authenticator (switch) is periodically sending EAP requests, it will just ignore them.
5. You will see event 15506 after event 15514.
Here's the TechNet article we can refer to for the reason code 0x50001 that we see in event 15514:
http://technet.microsoft.com/en-us/library/cc727747(WS.10).aspx
0x50001 = Dec 327681
Reason code: 327681 Event log message: The 802.1X module was unable to identify a set of credentials to be used. [An example is when the authentication mode is set to "User" but no user is logged on.] # def name: ONEX_UNABLE_TO_IDENTIFY_USER
Best Regards,
Aiden
Aiden Cao
TechNet Community Support -
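An added example, not from the thread or from Microsoft: a Python parser for the event 5632 XML shown above that pulls out the ReasonCode and Identity fields and applies Aiden's interpretation, that 0x50001 (327681, ONEX_UNABLE_TO_IDENTIFY_USER) with a blank identity is the user-only profile being asked to authenticate before anyone is logged on. The sample event is constructed from the quoted XML with the standard Windows event namespace on the root; the function names are mine, and the mapping of ErrorCode 0x525 to the Win32 error ERROR_NO_SUCH_USER (1317) is my addition, not something the thread states.

```python
import xml.etree.ElementTree as ET

# Namespace carried on the <Event> root of exported Windows events.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Keywords bit that marks a Security-log event as an Audit Failure.
AUDIT_FAILURE_BIT = 0x0010000000000000
# 802.1X (OneX) reason codes, from the TechNet page linked in the thread.
ONEX_REASONS = {0x50001: "ONEX_UNABLE_TO_IDENTIFY_USER"}
# Win32 error codes seen in the ErrorCode field (my addition, not from the thread).
WIN32_ERRORS = {0x525: "ERROR_NO_SUCH_USER"}

# Constructed sample: the 5632 event quoted in the thread, wrapped in its root element.
EVENT_5632 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5632</EventID>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2012-10-10T07:38:01.093305500Z" />
<Computer>sba01-nb</Computer>
</System>
<EventData>
<Data Name="SSID">Pivot_Users</Data>
<Data Name="Identity">
</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="PeerMac">00:24:97:83:8E:61</Data>
<Data Name="LocalMac">C4:85:08:12:77:44</Data>
<Data Name="ReasonCode">0x50001</Data>
<Data Name="ReasonText">Unable to identify a user for 802.1X authentication</Data>
<Data Name="ErrorCode">0x525</Data>
<Data Name="EAPReasonCode">0x0</Data>
</EventData>
</Event>"""


def parse_event_5632(xml_text):
    """Return the fields of a 5632 (wireless 802.1X authentication request) event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    # EventData is a flat list of <Data Name="..."> elements; blank ones become "".
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    keywords = int(system.find("e:Keywords", NS).text, 16)
    reason = int(data.get("ReasonCode", "0x0"), 16)
    error = int(data.get("ErrorCode", "0x0"), 16)
    return {
        "event_id": int(system.find("e:EventID", NS).text),
        "computer": system.find("e:Computer", NS).text,
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "audit_failure": bool(keywords & AUDIT_FAILURE_BIT),
        "ssid": data.get("SSID", ""),
        "identity": data.get("Identity", ""),
        "subject_user": data.get("SubjectUserName", ""),
        "local_mac": data.get("LocalMac", ""),
        "peer_mac": data.get("PeerMac", ""),
        "reason_code": reason,
        "reason_name": ONEX_REASONS.get(reason, "unknown"),
        "reason_text": data.get("ReasonText", ""),
        "error_code": error,
        "error_name": WIN32_ERRORS.get(error, "unknown"),
        "eap_reason_code": int(data.get("EAPReasonCode", "0x0"), 16),
    }


def classify_5632(ev):
    """Apply the interpretation given in the thread: 0x50001 with a blank identity
    and no logged-on subject is the user-only profile firing before logon."""
    if ev["event_id"] != 5632 or not ev["audit_failure"]:
        return "not a 5632 audit failure"
    if ev["reason_code"] == 0x50001 and not ev["identity"] and ev["subject_user"] in ("", "-"):
        return ("expected: profile set to user-only authentication, no user logged on, "
                "supplicant sent a blank identity for SSID %s" % ev["ssid"])
    if ev["reason_code"] == 0x50001:
        return "0x50001 with an identity present: check the profile's credential source"
    return "other 802.1X failure: reason 0x%x (%s)" % (ev["reason_code"], ev["reason_text"])


if __name__ == "__main__":
    ev = parse_event_5632(EVENT_5632)
    for k, v in ev.items():
        print("%-16s %s" % (k, v))
    print(classify_5632(ev))
```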
Windows 7 / 2008 duplicate static address when using 802.1x / MAB - ISE
Hi all!
ISE 1.1.3
Cisco 3750 switches
Windows XP / 7 / 2008 clients
I'm having some weird issues where, if a client connects to a switchport and happens to be using a static IP address, the client warns of a duplicate address problem. Also the client will then only show the default gateway within ipconfig even though the IP address/mask is still in the GUI network properties of the adaptor. This is happening with Windows 7 and Windows 2008 devices.
Windows XP clients don't get the issue.
Some clients will use 802.1x native supplicant and some will be authenticated based on MAB. Not noticed the problem with 802.1x clients but it always occurs on MAB.
I came across a similar issue here:
http://networkingblog.vvlabs.com/2012/07/cisco-ise-duplicate-ip-address-windows-7.html
Going off that blog I tried using the "ip device tracking probe delay" command but the switches don't recognise the "delay" keyword.
The switches are 3750 switches running version 12.2(58)SE2.
All I have is "count, interval, use-svi" as extra options.
Catalyst 4500 switch guide has "delay" option but no "count, interval or use-svi".
The only way I have managed to avoid the problem is using the second solution which is a registry hack on each client. This is fine for the odd server but not realistic when there will be hundreds of other clients.
Any ideas?
Hi
We are doing 802.1x for clients using the Windows supplicant. For clients not using supplicants we are using MAB. So the print servers and printers use MAB.
Extract of config...
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
aaa server radius dynamic-author
 client x server-key 7 x
 client x server-key 7 x
aaa session-id common
clock summer-time BST recurring last Sun Mar 23:00 last Sun Oct 23:00
system mtu routing 1500
vtp mode transparent
authentication mac-move permit
ip routing
no ip domain-lookup
ip device tracking
dot1x system-auth-control
dot1x critical eapol
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface FastEthernet1/0/1
 description ### Dot1x with MAB fallback ###
 switchport mode access
 switchport voice vlan 2
 ip access-group ACL-DEFAULT in
 srr-queue bandwidth share 10 10 60 20
 priority-queue out
 authentication event fail action next-method
 authentication event server dead action authorize vlan 1
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer restart 0
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast
 service-policy input AutoQoS-Police-CiscoPhone
ip http server
ip http secure-server
ip access-list extended ACL-DEFAULT
 remark Deny access to new network
 deny ip any 172.x.x.x 0.0.0.255 log
 remark Allow everything else to other networks
 permit ip any any
ip radius source-interface Vlan2
logging esm config
logging host x transport udp port 20514
logging host x transport udp port 20514
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
radius server ISE-1
 address ipv4 x auth-port 1645 acct-port 1646
 key 7 x
radius server ISE-2
 address ipv4 x auth-port 1645 acct-port 1646
 key 7 x
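The thread above lists three remedies without saying why any of them works: the `ip device tracking probe delay` command from the blog, the `use-svi` option the 3750 does offer, and the per-client registry change. The script below is an added example for this thread, not code from the post, from Cisco or from Microsoft. It models two documented behaviours: `ip device tracking` on the switch sends an ARP request for the host's address sourced from 0.0.0.0 as soon as the link comes up, and Windows Vista and later apply the RFC 5227 conflict rule while probing a newly configured address, so a Probe for their own address arriving from another MAC is treated as a duplicate (Windows XP does not implement that rule, which matches the poster's observation). The ARP frame layout is the real one; the MAC addresses, the length of the Windows probe window and the probe timings are constructed assumptions, and `probe delay` is included only to show where it acts even though the poster's IOS release lacks it.

```python
"""Why an IP device tracking ARP probe makes Windows 7/2008 report a duplicate IP.

Added example for this thread, not code from the post, Cisco or Microsoft. Frame layout is
real ARP over Ethernet (RFC 826); MAC addresses, the DAD window length and the probe timing
are illustrative assumptions.
"""
import struct
import ipaddress
from dataclasses import dataclass
from typing import Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
SWITCH_MAC = bytes.fromhex("0011223344aa")   # constructed
HOST_MAC = bytes.fromhex("00aabbccddee")     # constructed


def build_arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Broadcast Ethernet frame carrying an ARP request."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += sender_mac + ipaddress.IPv4Address(sender_ip).packed
    arp += b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


@dataclass
class ArpRequest:
    sender_mac: bytes
    sender_ip: str
    target_ip: str

    @property
    def is_probe(self) -> bool:
        # RFC 5227 s2.1.1: an ARP Probe is a request whose sender protocol address is all zeros.
        return self.sender_ip == "0.0.0.0"


def parse_arp_request(frame: bytes) -> ArpRequest:
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    arp = frame[14:]
    if struct.unpack("!HHBBH", arp[:8]) != (1, 0x0800, 6, 4, ARP_REQUEST):
        raise ValueError("not an Ethernet/IPv4 ARP request")
    return ArpRequest(arp[8:14],
                      str(ipaddress.IPv4Address(arp[14:18])),
                      str(ipaddress.IPv4Address(arp[24:28])))


@dataclass
class WindowsHost:
    mac: bytes
    ip: str                     # static address, as in the thread
    arp_retry_count: int = 3    # Tcpip\Parameters\ArpRetryCount; the registry fix sets it to 0
    dad_window_s: float = 3.0   # assumed length of the host's own probe phase after link-up

    def probing(self, t: float) -> bool:
        return self.arp_retry_count > 0 and t < self.dad_window_s

    def conflict(self, frame: bytes, t: float) -> bool:
        """RFC 5227 conflict rules as seen by the host, t seconds after link-up."""
        a = parse_arp_request(frame)
        if a.sender_mac == self.mac:
            return False
        if a.sender_ip == self.ip:          # s2.4: another station claims our address
            return True
        # s2.1.1: while we are still probing, another station's Probe for our address
        return self.probing(t) and a.is_probe and a.target_ip == self.ip


@dataclass
class DeviceTracking:
    """The switch side of 'ip device tracking' for one access port."""
    mac: bytes
    svi_ip: str
    use_svi: bool = False       # ip device tracking probe use-svi
    probe_delay_s: float = 0.0  # ip device tracking probe delay <sec> (not on 12.2(58)SE2)

    def probe_for(self, host_ip: str) -> Tuple[float, bytes]:
        sender = self.svi_ip if self.use_svi else "0.0.0.0"
        return self.probe_delay_s, build_arp_request(self.mac, sender, host_ip)


def duplicate_reported(host: WindowsHost, switch: DeviceTracking) -> bool:
    """Does the switch's first tracking probe trigger the host's duplicate-IP warning?"""
    t, frame = switch.probe_for(host.ip)
    return host.conflict(frame, t)


def scenarios() -> dict:
    host = WindowsHost(HOST_MAC, "10.1.1.50")
    sw = lambda **kw: DeviceTracking(SWITCH_MAC, "10.1.1.1", **kw)
    return {
        "default": duplicate_reported(host, sw()),
        "use_svi": duplicate_reported(host, sw(use_svi=True)),
        "probe_delay_10": duplicate_reported(host, sw(probe_delay_s=10)),
        "arp_retry_count_0": duplicate_reported(WindowsHost(HOST_MAC, "10.1.1.50", arp_retry_count=0), sw()),
    }


if __name__ == "__main__":
    for name, dup in scenarios().items():
        print(f"{name:18s} duplicate IP warning: {dup}")
```

Only the default combination flags a conflict: `use-svi` turns the frame into an ordinary request (sender is the SVI address, so it is no longer a Probe), `probe delay` moves it outside the host's probe window, and `ArpRetryCount=0` removes that window on the client. Of the three, `use-svi` is the one the poster's 3750 already supports and that does not need touching every client.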