IP address Assignment for 802.1x Client

Working on a Wireless deployment using 802.1x and a question has come up regarding Address Assignment.
The design requires wireless vlan assignment based on username and Active Directory group assignment.
The simplest way to provide dynamic addressing would obviously be multiple DHCP scopes on a server and use ip helper functionality to provide relay servers.
Another option (I think) would be to create IP address pools in the ACS server based on ACS group and have ACS pass it back as part of the authentication process. I'm wondering if this is even a valid option with 802.1x authentication. It seems to me that it would cut down on a lot of the traffic associated with a DHCP discovery/request/offer conversation as the number of wireless clients starts to grow.

Err, no. There is no provision in EAP-TLS, PEAP (CHAP), or even basic EAP to provide network information (eg IP address/mask/gateway/DNS/etc).
There is also no provision in Windows 2k or XP interface management software to accept IP details for interface configuration via any wireless authentication protocol.
peter

Similar Messages

  • ISE Endpoint Identity Group assignment for 802.1x clients

    Hello
    I'm using ISE 1.3 to 802.1x authenticate AD PC's (machine and user with Anyconnect NAM) and to profile/mab IP Phones, printers, APs etc.
    Phones are profiled (EndPointSource of SNMPQuery Probe) and are placed automatically in the correct Identity Group.
    AD PC's aren't profiled and are listed under Endpoints with the Endpoint Profile of "unknown"
    To place AD PC's into a particular Identity Group, I created a Radius Profiling Policy to match on the Framed-IP-Address. This works well with the AD PC appearing in the correct Identity Group (with EndPointSource of RADIUS Probe).
    My questions are:
    A phone (profiled with EndPointSource of SNMPQuery Probe) consumes a Plus licence but an AD PC ("profiled" with EndPointSource of RADIUS Probe) does not - is this correct?
    Authenticated 802.1x AD PC's have other attributes (like AD-Host-Resolved-DNs) that I'd like to use to assign PC's to an Identity Group. I can't use these attributes with any of the ISE profilers - is there a way to assign an 802.1x authenticated client to an Identity Group at the authorisation stage rather than use the profiler?
    Thanks
    Andy

  • How to manage IP address assignment for laptops?

    Dear All,
    I'm looking for an efficient way to manage IP address assignment for laptops.
    I have a DHCP server with reservation for all my devices.
    Laptops usually have 2 NICs: LAN and WiFi card.
    So, how can I manage the IP assignment for these devices?
    If I make a DHCP reservation with two different IP addresses, I can have problems with DNS round-robin.
    Should I enable the DNS secure dynamic update for domain members and then reserve two different IP addresses on DHCP?
    I don't want users to need to manually change their NIC configuration.
    What do you suggest?
    Thanks

    The best way to manage it would be to "not" manage it.  DHCP by definition is supposed to be "dynamic".  DHCP Reservations are great for a few devices that live under "special circumstances" but you never want to set Reservations for everything,...if you do that then just don't have DHCP to start with and statically assign everything.
    The combination of DHCP with dynamically updated DNS in AD means you never have to know or ever care what the IP# is.  Everything is referred to by its hostname.
    Some things to keep in mind:
    Every interface has a different MAC,...meaning the Laptops have two MACs. Therefore it is impossible to reserve the same IP# for both. So they end up with a different IP# depending on which Nic they use.  Running two laptop nics on the same LAN at the same time is always bad.  Either always use the wireless,...or always turn off the wireless nic when laptops are local within your facility and can use the physical nic.   In other words pick one,...or the other,...never allow both to work at the same time.  This is a responsibility and education issue of the user,...you can't do this for them.
    Users cannot change their own network IP Specs unless they are Local Administrators on their machines,...and they should never be allowed to be Local Administrators.

  • Excluded client problem - "Attempted to use IP Address assigned to another device" / "Identity Theft"

    Hi all
    Problem:
    Client gets excluded caused by "Identity Theft" (when looking in the controller) and "Attempted to use IP Address assigned to another device" (when looking in the WCS).
    Setup:
    Centrally placed WLAN Controller - The SSID and AP is in H-REAP mode, and the DHCP server locally is an ASA5505.
    Client:
    Samsung Galaxy Tap 10.1
    Other clients on the same site do not appear to have this problem.
    The problem is periodic.
    Other info:
    We have recently upgraded to 7.0.230 because the same type of client would get excluded with reason "unknown", and not be removed from the exclusion list - this appears to have been a bug in the WLC software.
    Now we have the reason, and the client will get removed from the exclusion list after the default 60 seconds, but then get excluded again.
    When doing a troubleshoot client from the WCS the following shows up:
    04/16/2012 12:10:32 CEST INFO 10.1.33.13 DHCP offer received,dhcp server set. 
    04/16/2012 12:10:32 CEST ERROR 10.1.33.13 Received DHCP ACK, could not update client state. 
    04/16/2012 12:10:32 CEST INFO 10.1.33.13 Received DHCP request, error processing packet.
    04/16/2012 12:10:42 CEST ERROR 10.1.33.13 De-authentication sent to client. slot 0 (claller apf_ms.c:5113)
    The question right now is:
    The "could not update client state" - is this the WLC not being able to update the client or is it the DHCP server ?

    As I tried to explain before, we have local switching at the remote site, not centralized for this SSID.
    And the DHCP server is on the same local VLAN.
    It works fine, but all of a sudden a client will get "stuck" in this error.
    If anyone wants to look, I have this debug output from the WLC.
    The debug starts from right after I have removed the client from the exclusion list.
    I can see in the ASA that the client's lease time in the DHCP server will get renewed during this process to the default 3600 seconds.
    The client's MAC is: 8c:77:12:ac:8c:3b
    The ASA inside interface is: 192.168.2.1 /24
    Any suggestions will be greatly appreciated.
    (WiSM-slot2-1) >*emWeb: Apr 17 10:09:31.613: 8c:77:12:ac:8c:3b apfMsDeleteByMscb Scheduling mobile for deletion with deleteReason 6, reasonCode 1
    *emWeb: Apr 17 10:09:31.613: 8c:77:12:ac:8c:3b Scheduling deletion of Mobile Station:  (callerId: 30) in 1 seconds
    *osapiBsnTimer: Apr 17 10:09:32.612: 8c:77:12:ac:8c:3b apfMsExpireCallback (apf_ms.c:609) Expiring Mobile!
    *apfReceiveTask: Apr 17 10:09:32.622: 8c:77:12:ac:8c:3b apfMsAssoStateDec
    *apfReceiveTask: Apr 17 10:09:32.622: 8c:77:12:ac:8c:3b apfMs1xStateDec
    *apfReceiveTask: Apr 17 10:09:32.622: 8c:77:12:ac:8c:3b Deleting mobile on AP 00:1d:a2:87:02:30(0)
    *apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b Adding mobile on LWAPP AP 00:1d:a2:87:02:30(0)
    *apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b Association received from mobile on AP 00:1d:a2:87:02:30
    *apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
    *apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b Applying site-specific IPv6 override for station 8c:77:12:ac:8c:3b - vapId 3, site 'PDA-GST-KNS-MED-ITV', interface 'dummy-itv-105'
    *apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b Applying IPv6 Interface Policy for station 8c:77:12:ac:8c:3b - vlan 199, interface id 13, interface 'dummy-itv-105'
    *apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b Applying site-specific override for station 8c:77:12:ac:8c:3b - vapId 3, site 'PDA-GST-KNS-MED-ITV', interface 'dummy-itv-105'
    *apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
    *apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b STA - rates (8): 130 132 139 150 36 48 72 108 0 0 0 0 0 0 0 0
    *apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b STA - rates (12): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0
    *apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b Processing RSN IE type 48, length 20 for mobile 8c:77:12:ac:8c:3b
    *apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b 0.0.0.0 START (0) Initializing policy
    *apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
    *apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
    *apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 00:1d:a2:87:02:30 vapId 3 apVapId 3for this client
    *apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_0: Apr 17 10:09:36.656: 8c:77:12:ac:8c:3b 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:1d:a2:87:02:30 vapId 3 apVapId 3
    *apfMsConnTask_0: Apr 17 10:09:36.656: 8c:77:12:ac:8c:3b apfMsAssoStateInc
    *apfMsConnTask_0: Apr 17 10:09:36.656: 8c:77:12:ac:8c:3b apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 8c:77:12:ac:8c:3b on AP 00:1d:a2:87:02:30 from Idle to Associated
    *apfMsConnTask_0: Apr 17 10:09:36.656: 8c:77:12:ac:8c:3b Stopping deletion of Mobile Station: (callerId: 48)
    *apfMsConnTask_0: Apr 17 10:09:36.656: 8c:77:12:ac:8c:3b Sending Assoc Response to station on BSSID 00:1d:a2:87:02:30 (status 0) ApVapId 3 Slot 0
    *apfMsConnTask_0: Apr 17 10:09:36.656: 8c:77:12:ac:8c:3b apfProcessAssocReq (apf_80211.c:5272) Changing state for mobile 8c:77:12:ac:8c:3b on AP 00:1d:a2:87:02:30 from Associated to Associated
    *apfMsConnTask_0: Apr 17 10:09:36.658: 8c:77:12:ac:8c:3b Updating AID for REAP AP Client 00:1d:a2:87:02:30 - AID ===> 2
    *dot1xMsgTask: Apr 17 10:09:36.660: 8c:77:12:ac:8c:3b Creating a PKC PMKID Cache entry for station 8c:77:12:ac:8c:3b (RSN 2)
    *dot1xMsgTask: Apr 17 10:09:36.660: 8c:77:12:ac:8c:3b Adding BSSID 00:1d:a2:87:02:32 to PMKID cache for station 8c:77:12:ac:8c:3b
    *dot1xMsgTask: Apr 17 10:09:36.661: New PMKID: (16)
    *dot1xMsgTask: Apr 17 10:09:36.661:      [0000] 1b 92 b6 05 89 09 d5 c7 45 82 72 72 6a f2 b6 7e
    *dot1xMsgTask: Apr 17 10:09:36.661: 8c:77:12:ac:8c:3b Initiating RSN PSK to mobile 8c:77:12:ac:8c:3b
    *dot1xMsgTask: Apr 17 10:09:36.661: 8c:77:12:ac:8c:3b dot1x - moving mobile 8c:77:12:ac:8c:3b into Force Auth state
    *dot1xMsgTask: Apr 17 10:09:36.661: 8c:77:12:ac:8c:3b Skipping EAP-Success to mobile 8c:77:12:ac:8c:3b
    *dot1xMsgTask: Apr 17 10:09:36.661: Including PMKID in M1  (16)
    *dot1xMsgTask: Apr 17 10:09:36.661:      [0000] 1b 92 b6 05 89 09 d5 c7 45 82 72 72 6a f2 b6 7e
    *dot1xMsgTask: Apr 17 10:09:36.661: 8c:77:12:ac:8c:3b Starting key exchange to mobile 8c:77:12:ac:8c:3b, data packets will be dropped
    *dot1xMsgTask: Apr 17 10:09:36.661: 8c:77:12:ac:8c:3b Sending EAPOL-Key Message to mobile 8c:77:12:ac:8c:3b
      state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Dot1x_NW_MsgTask_0: Apr 17 10:09:36.674: 8c:77:12:ac:8c:3b Received EAPOL-Key from mobile 8c:77:12:ac:8c:3b
    *Dot1x_NW_MsgTask_0: Apr 17 10:09:36.674: 8c:77:12:ac:8c:3b Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 8c:77:12:ac:8c:3b
    *Dot1x_NW_MsgTask_0: Apr 17 10:09:36.674: 8c:77:12:ac:8c:3b Received EAPOL-key in PTK_START state (message 2) from mobile 8c:77:12:ac:8c:3b
    *Dot1x_NW_MsgTask_0: Apr 17 10:09:36.674: 8c:77:12:ac:8c:3b Stopping retransmission timer for mobile 8c:77:12:ac:8c:3b
    *Dot1x_NW_MsgTask_0: Apr 17 10:09:36.675: 8c:77:12:ac:8c:3b Sending EAPOL-Key Message to mobile 8c:77:12:ac:8c:3b
      state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
    *Dot1x_NW_MsgTask_0: Apr 17 10:09:36.681: 8c:77:12:ac:8c:3b Received EAPOL-Key from mobile 8c:77:12:ac:8c:3b
    *Dot1x_NW_MsgTask_0: Apr 17 10:09:36.681: 8c:77:12:ac:8c:3b Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 8c:77:12:ac:8c:3b
    *Dot1x_NW_MsgTask_0: Apr 17 10:09:36.681: 8c:77:12:ac:8c:3b Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 8c:77:12:ac:8c:3b
    *Dot1x_NW_MsgTask_0: Apr 17 10:09:36.681: 8c:77:12:ac:8c:3b apfMs1xStateInc
    *Dot1x_NW_MsgTask_0: Apr 17 10:09:36.681: 8c:77:12:ac:8c:3b 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
    *Dot1x_NW_MsgTask_0: Apr 17 10:09:36.682: 8c:77:12:ac:8c:3b 0.0.0.0 L2AUTHCOMPLETE (4) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    *Dot1x_NW_MsgTask_0: Apr 17 10:09:36.682: 8c:77:12:ac:8c:3b 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 00:1d:a2:87:02:30 vapId 3 apVapId 3for this client
    *Dot1x_NW_MsgTask_0: Apr 17 10:09:36.682: 8c:77:12:ac:8c:3b Not Using WMM Compliance code qosCap 00
    *Dot1x_NW_MsgTask_0: Apr 17 10:09:36.683: 8c:77:12:ac:8c:3b 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:1d:a2:87:02:30 vapId 3 apVapId 3
    *Dot1x_NW_MsgTask_0: Apr 17 10:09:36.683: 8c:77:12:ac:8c:3b 0.0.0.0 L2AUTHCOMPLETE (4) pemAdvanceState2 4817, Adding TMP rule
    *Dot1x_NW_MsgTask_0: Apr 17 10:09:36.683: 8c:77:12:ac:8c:3b 0.0.0.0 L2AUTHCOMPLETE (4) Adding Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 00:1d:a2:87:02:30, slot 0, interface = 29, QOS = 0
      ACL Id = 255, Ju
    *Dot1x_NW_MsgTask_0: Apr 17 10:09:36.683: 8c:77:12:ac:8c:3b 0.0.0.0 L2AUTHCOMPLETE (4) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 5006  IPv6 Vlan = 199, IPv6 intf id = 13
    *Dot1x_NW_MsgTask_0: Apr 17 10:09:36.683: 8c:77:12:ac:8c:3b 0.0.0.0 L2AUTHCOMPLETE (4) Successfully plumbed mobile rule (ACL ID 255)
    *Dot1x_NW_MsgTask_0: Apr 17 10:09:36.683: 8c:77:12:ac:8c:3b 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
    *Dot1x_NW_MsgTask_0: Apr 17 10:09:36.683: 8c:77:12:ac:8c:3b 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4833, Adding TMP rule
    *Dot1x_NW_MsgTask_0: Apr 17 10:09:36.028: 8c:77:12:ac:8c:3b 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 00:1d:a2:87:02:30, slot 0, interface = 29, QOS = 0
      ACL Id = 255, Jumb
    *Dot1x_NW_MsgTask_0: Apr 17 10:09:36.684: 8c:77:12:ac:8c:3b 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 5006  IPv6 Vlan = 199, IPv6 intf id = 13
    *Dot1x_NW_MsgTask_0: Apr 17 10:09:36.684: 8c:77:12:ac:8c:3b 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
    *Dot1x_NW_MsgTask_0: Apr 17 10:09:36.684: 8c:77:12:ac:8c:3b Stopping retransmission timer for mobile 8c:77:12:ac:8c:3b
    *pemReceiveTask: Apr 17 10:09:36.689: 8c:77:12:ac:8c:3b 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *pemReceiveTask: Apr 17 10:09:36.695: 8c:77:12:ac:8c:3b 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *DHCP Proxy DTL Recv Task: Apr 17 10:09:36.831: 8c:77:12:ac:8c:3b DHCP received op BOOTREPLY (2) (len 325,vlan 0, port 29, encap 0xec03)
    *DHCP Proxy DTL Recv Task: Apr 17 10:09:36.831: 8c:77:12:ac:8c:3b DHCP setting server from ACK (server 192.168.2.1, yiaddr 192.168.2.13)
    *DHCP Proxy DTL Recv Task: Apr 17 10:09:36.853: 8c:77:12:ac:8c:3b apfBlacklistMobileStationEntry2 (apf_ms.c:4296) Changing state for mobile 8c:77:12:ac:8c:3b on AP 00:1d:a2:87:02:30 from Associated to Exclusion-list (1)
    *DHCP Proxy DTL Recv Task: Apr 17 10:09:36.853: 8c:77:12:ac:8c:3b Scheduling deletion of Mobile Station:  (callerId: 44) in 10 seconds
    *DHCP Proxy DTL Recv Task: Apr 17 10:09:36.854: 8c:77:12:ac:8c:3b DHCP failed to register IP 192.168.2.13 - dropping ACK
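The last lines of the debug output above separate what the DHCP server answered from what the controller then did with that answer. As an added example (not part of the original post and not Cisco code), this Python script groups such WLC client-debug lines per MAC and flags a client that was excluded right after a DHCP ACK; the regexes are inferred from the lines shown in this thread, and the second client in the sample is constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# "*<task>: <Mon DD HH:MM:SS.mmm>: <client MAC> <message>". A CLI prompt may
# precede the asterisk, so the pattern is searched rather than anchored.
LINE = re.compile(
    r"\*(?P<task>[^:*]+): (?P<ts>[A-Z][a-z]{2} +\d+ [\d:.]+): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$"
)
STATE = re.compile(r"Change state to (\w+) \((\d+)\)")
ACK = re.compile(r"DHCP setting server from ACK \(server ([\d.]+), yiaddr ([\d.]+)\)")
EXCLUDED = re.compile(r"from (\w+) to Exclusion-list")
DROPPED = re.compile(r"DHCP failed to register IP ([\d.]+) - dropping ACK")

# First five lines are copied from the debug output in the post; the last two
# (MAC 02:00:00:00:00:01, 192.0.2.x addresses) are constructed for contrast.
SAMPLE = """\
(WiSM-slot2-1) >*emWeb: Apr 17 10:09:31.613: 8c:77:12:ac:8c:3b apfMsDeleteByMscb Scheduling mobile for deletion with deleteReason 6, reasonCode 1
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.683: 8c:77:12:ac:8c:3b 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*DHCP Proxy DTL Recv Task: Apr 17 10:09:36.831: 8c:77:12:ac:8c:3b DHCP setting server from ACK (server 192.168.2.1, yiaddr 192.168.2.13)
*DHCP Proxy DTL Recv Task: Apr 17 10:09:36.853: 8c:77:12:ac:8c:3b apfBlacklistMobileStationEntry2 (apf_ms.c:4296) Changing state for mobile 8c:77:12:ac:8c:3b on AP 00:1d:a2:87:02:30 from Associated to Exclusion-list (1)
*DHCP Proxy DTL Recv Task: Apr 17 10:09:36.854: 8c:77:12:ac:8c:3b DHCP failed to register IP 192.168.2.13 - dropping ACK
*Dot1x_NW_MsgTask_0: Apr 17 10:10:01.100: 02:00:00:00:00:01 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*DHCP Proxy DTL Recv Task: Apr 17 10:10:01.250: 02:00:00:00:00:01 DHCP setting server from ACK (server 192.0.2.1, yiaddr 192.0.2.50)
""".splitlines()


@dataclass
class ClientTrace:
    mac: str
    state: str = ""                 # last policy-manager state seen
    dhcp_server: str = ""           # server named in the ACK
    offered_ip: str = ""            # yiaddr from the ACK
    ack_at: Optional[datetime] = None
    excluded_from: str = ""         # state the client held when excluded
    excluded_at: Optional[datetime] = None
    dropped_ack_ip: str = ""        # address the controller refused to register

    def verdict(self):
        if self.excluded_from and self.dropped_ack_ip:
            return "excluded-on-dhcp-ack"
        if self.excluded_from:
            return "excluded"
        return "no-exclusion"

    def ack_to_exclusion_ms(self):
        if self.ack_at is None or self.excluded_at is None:
            return None
        return round((self.excluded_at - self.ack_at).total_seconds() * 1000)


def triage(lines):
    """Return {mac: ClientTrace} built from WLC client-debug lines."""
    traces = {}
    for raw in lines:
        m = LINE.search(raw.strip())
        if not m:
            continue  # continuation lines and lines without a client MAC
        trace = traces.setdefault(m["mac"], ClientTrace(m["mac"]))
        # The debug output carries no year; a fixed one is enough for deltas.
        when = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
        msg = m["msg"]
        if s := STATE.search(msg):
            trace.state = s.group(1)
        if a := ACK.search(msg):
            trace.dhcp_server, trace.offered_ip = a.group(1), a.group(2)
            trace.ack_at = when
        if e := EXCLUDED.search(msg):
            trace.excluded_from, trace.excluded_at = e.group(1), when
        if d := DROPPED.search(msg):
            trace.dropped_ack_ip = d.group(1)
    return traces


if __name__ == "__main__":
    for mac, t in triage(SAMPLE).items():
        print(mac, t.verdict(), t.state, t.dhcp_server, t.offered_ip,
              t.ack_to_exclusion_ms())
```

For the client in the post, the DHCP server did answer with an ACK; the exclusion and the dropped ACK are both logged by the controller a few milliseconds later.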

  • Can we assign IPv4 IP address pool to IPv6 VPN Client

    We are planning to enable IPv6 SSL VPN clients. Let me explain the current setup.
    We have a Cisco ASA firewall used for SSL VPN, Cisco ACS for user authentication and RSA for two-factor authentication.
    LAN servers are IPv4 only.
    Requirement:
    Client (IPv6) --- Cloud (IPv6) ---- Outside (IPv6) - Cisco ASA - Inside (IPv4) ----- ACS (IPv4) & RSA (IPv4)
    A client with IPv6 internet connectivity connects to the SSL VPN over IPv6; the Cisco ASA outside interface, with an IPv6 address, will receive the request.
    Questions:
    1. Will the Cisco ASA check two-factor authentication with ACS and RSA, both of which have IPv4 addresses, for an IPv6 client?
    2. Once authenticated, the Cisco ASA can assign an IPv4/IPv6 address pool to the client. If I prefer only the IPv4 address pool, the client will get an IPv4 address as the tunnel interface IP address. Will it work? That means IPv4 over an IPv6 SSL VPN tunnel.
    Thanks
    Sankar

    AFAIR, with SSL we support IPv4 and IPv6 assigned IP addresses; with IPsec IKEv2 we only support IPv4 addressing.
    Queries to AAA servers are a separate process from the user <-> headend authentication flow, unless we're talking about IKEv2 with standard EAP methods.

  • Unable to set the ip address for hosted network client after creating WIFI hotspot

    Original Title: INTERNET CONNECTIVITY PROBLEM WITH MY LAPTOP WIFI HOTSPOT
    Hi all,
    I am able to use an internet connection from my laptop hotspot when the internet source is public or private WiFi.
    So I know the cmd window commands for the hotspot and the client settings (sharing to the hosted network client, assigning an IP address, etc.),
    but the problem I am facing is slightly different.
    I am using my CDMA wireless broadband datacard as my source internet connection (Reliance netconnect +).
    When I try to create a hotspot for this, as usual I am able to create the hotspot and share the internet to the hosted network client,
    but I am unable to set the IP address for the hosted network client. If I try to set IP 192.169.137.1 and 255.255.255.0,
    as soon as I close the window the IP address also disappears.
    When I connect my Android phone to that hotspot, it is able to connect but there is no internet connectivity.
    When I check the hosted network client for packet transmission, packets are being both sent and received, I mean transmitting.
    So what causes the failure in internet connectivity but success in hotspot connectivity?
    Check the screenshots...
    Can you help me?
    It's a little complicated.

    Hi,
    Please make sure the ad hoc connection IP address is in the same range as your local connection. In addition, how about recreating the ad hoc connection as a test? Please have a try.
    If the problem persists, please use the Network troubleshooter in Action Center to fix this problem as a test.
    Roger Lu
    TechNet Community Support

  • Address book and ical not working for snow leopard clients

    We have upgraded our server to mountain lion from snow leopard.
    At first glance all appears to have gone well, however, the ical and address book services don't appear to be working for snow leopard clients. These services DO appear to be working for lion clients.
    Any ideas?
    Thanks.

    I am at work right now and don't have access to my Mac. But I need to ask if your Dad is on a Windows Active Directory network? I also found these directions for Princeton's 2010 Exchange that might help. Did he make sure the Address contacts & iCal Calendars were enabled when setting up the account in Mail?

  • Address changes for partner function Projektorganigramm (assignment BUYING-CENTER) not possible

    Hi everybody,
    I get the following error in an Opportunity:
    Item 100: Address changes for partner function Projektorganigramm (assignment BUYING-CENTER) not possible
    Can anyone tell me what is wrong and how I can fix this please?
    Thank You!
    Regards Bjoern

    Hello Bjoern,
    Go to the spro-->crm-->basic functions-->Partner functions-->partner determination procedure.
    Select the procedure set for opportunities. Now select the check box for Changeable address, which means one will be able to change the address if the partner function has many addresses.
    See the attachment snapshot.
    Please reward the answer and like it if my answer is helpful.
    Regards
    sai

  • Error:wwnn address assignment failed for a vhba

    Hello,
    We are trying to create a service profile but get this message for the vhba:
    wwnn address assignment failed for a vhba
    Currently the Storage is not connected yet to the 6200.
    Can someone please help?
    Regards,

    Full error is:
    wwnn address assignment failed for a VHBA, possibilty illegal WWNN address or no available WWN in the pool
    Yes, this is happening when I try to assign from the WWNN pool.

  • How to get MAC Address for maintaning unique client id at server side?

    Hi All,
    Can somebody tell me how I can get the MAC ID for maintaining a unique client ID at the server?
    Or is there any alternative way to do this?
    Thanks in advance.
    CK

    Usually people just use cookies for that.

  • Message on WCS/NCS: Attempted to use IP Address assigned to another device

    Hi
    I have two WLCs AIR-CT5508-K9, monitored by WCS (in retiring stage) and NCS.
    All APs are grouped in HREAP groups based on their locations. The wireless users are getting IP addresses from a DHCP pool running on routers located at each site. All DHCP commands on every router are identical. E.g. rtr1, located on site 1, has an IP pool for wifi users of 192.168.8.0/24. Rtr2 on site 2 has an IP pool for wifi users in range 192.168.8.0/24. Occasionally I am getting the below message when some wifi users are unable to connect. After creating a HREAP group and associating APs to the correct group, this message stops showing for a while, but now I am getting them again.
    The temp solution to get it all running is to clear the ip dhcp pool on the router located at the affected site.
    Any suggestions for a better solution?
    Thanks
    ====================
    NCS has detected one or more alarms of category Security and severity Minor in Virtual Domain ROOT-DOMAIN
    for the following items:
    1. Message: Client '14:5a:05:6c:75:37 (0.0.0.0)' which was associated with interface '802.11b/g/n' of AP 'STV-AP-7198' is excluded. The reason code is '3(Attempted to use IP Address assigned to another device)'. - Controller Name: GEORGE-WLC
    ===================

    endpoint,
    You are locally switching your networks, yes, but even without HREAP and WLCs, they are still connected networks in your overall topology, correct? I would never have site A with a given network that overlaps with a network in site B. With few exceptions, they should be completely separate, unique, non-overlapping network spaces. HREAP doesn’t even come into it.
    The problem you’re likely having is that the WLC is seeing clients coming in from two different sites and because you are duplicating your configurations from site to site, the WLC sees duplicate IP assignment.
    That said, you can try to turn off client IP address learning on the WLAN Advanced tab to see if that helps.
    Justin

  • WLC Duplicate IP address detected for AP-Manager Interface

    I am getting an error log in the WLC saying its IP address is duplicated by another machine with MAC address A.B.C.D
    But this MAC address A.B.C.D is the MAC address of the AP-Manager Interface in the same controller.
    Model No.                   AIR-WLC2106-K9
    Software Version                 7.0.116.0
    %LWAPP-3-DUP_IP: spam_lrad.c:27626 Adding client 58:b0:35:83:72:86 to  exclusion list due to IP Address conflict with AP 'AP_DUXO_3'
    %LWAPP-3-DUP_AP_IP: spam_lrad.c:27612 Duplicate IP address  detected for AP AP_DUXO_3, IP address of AP  10.184.1.224, this is a  duplicate of IP on another machine (MAC address 58:b0:35:83:72:86)
    Cisco AP Identifier.............................. 1
    Cisco AP Name.................................... AP_DUXO_3
    Country code..................................... US  - United States
    Regulatory Domain allowed by Country............. 802.11bg:-A     802.11a:-A
    AP Country code.................................. US  - United States
    AP Regulatory Domain............................. 802.11bg:-A    802.11a:-N
    Switch Port Number .............................. 1
    MAC Address...................................... cc:ef:48:1a:e4:af
    IP Address Configuration......................... Static IP assigned
    IP Address....................................... 10.184.1.224
    IP NetMask....................................... 255.255.0.0
    Gateway IP Addr.................................. 10.184.20.2
    Domain...........................................
    Name Server......................................
    NAT External IP Address.......................... None
    CAPWAP Path MTU.................................. 1485
    Telnet State..................................... Enabled
    Ssh State........................................ Disabled
    Cisco AP Location................................ DUXO_BOX
    Cisco AP Group Name.............................. default-group
    Does anyone have an issue like this?

    Are you sure this MAC address 58:b0:35:83:72:86 isn't some type of Apple device?  Its OUI is registered to Apple.  How do clients get IP addresses, DHCP?  It appears that the IP 10.184.1.224 is statically assigned to your ap-manager and that this client 58:b0:35:83:72:86 is either getting that same IP from DHCP or the client is statically assigning it themselves.

  • 802.1ac Client Issue

    I have the new Apple Airport Time Capsule as my router, being fed from a Comcast cable modem. As you know, the Apple TC is dual band capable and can provide 802.1ac wireless connectivity. I also have an Apple Airport Express located upstairs that does a good job of extending my network, providing excellent wireless n coverage throughout the second story of the house.
    I purchased a TrendNet AC1200 Dual Band Wireless Media Bridge that is 802.1ac capable. To the Media Bridge I have wired Ethernet connections to my DirecTV HD DVR, my AppleTV and my Roku box. When the TrendNet Media Bridge is wirelessly connected to the TC, all is well in that I get the speeds I would expect (500-800 Mb/s) from having an 802.1ac client wirelessly connected to a 802.1ac router.
    My problem is that the TrendNet Wireless Media Bridge will often connect on its own to the Airport Express upstairs which is 802.1n, and only give me throughput speeds of ~270 Mb/s. I want the TrendNet to always stay wirelessly attached to the Time Capsule obviously, in order to give me ac-to-ac connectivity.
    What I thought was the solution was to assign the TrendNet a static IP address (10.0.1.21) and make the default gateway setting on it the IP address of the Time Capsule (10.0.1.1). However, even with this setting, the TrendNet will regularly connect to the Airport Express upstairs. I should also say that the Time Capsule and Airport Express are about the same distance from the TrendNet.
    So, how can I force the TrendNet Media Bridge to stay connected only to the Airport Time Capsule? I assume Apple will eventually ship a 802.1ac Airport Express, which would solve the problem. But until then?
    Any help would be appreciated.
    Thanks,
    Mark

    So, how can I force the TrendNet Media Bridge to stay connected only to the Airport Time Capsule?
    It would seem that this is really a question for TrendNet support. 
    There is nothing on the Apple devices that would tell the TrendNet device what to do.
    I suggest that you ask TrendNet if it is possible to force the Media Bridge to pick up a signal from a specific device.
    I imagine that the TrendNet, like the Apple, is simply looking for the strongest signal....not the fastest signal... and I doubt that you can change that....but if it is possible, the "how to" is a question for TrendNet support.
    I assume Apple will eventually ship a 802.1ac Airport Express, which would solve the problem.
    An 802.11ac AirPort Extreme would likely solve the problem right now.

  • Why Unable to identify a user for 802.1X authentication (0x50001)?

    Hello, 
      We are trying to set up wifi single-sign-on. When logging in to a laptop we get the message
    "Connecting to Pivot_Users" and after some time "Unable to connect to Pivot_Users" and after that we are logged in to a laptop and successfully connected to Pivot_Users wifi network.
    Server: Windows Server 2003 (with all updates)
    Laptop: Windows 7 Professional SP1 (with all updates)
    When looking at the event log I found this error:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          2012-10-10 10:38:01
    Event ID:      5632
    Task Category: Other Logon/Logoff Events
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      sba01-nb
    Description:
    A request was made to authenticate to a wireless network.
    Subject:
    Security ID:                
    Account Name:                -
    Account Domain:                -
    Logon ID:                0x0
    Network Information:
    Name (SSID):                Pivot_Users
    Interface GUID:                {64773f24-bf8b-4e91-bbd7-eb199e3c2c5e}
    Local MAC Address:        C4:85:08:12:77:44
    Peer MAC Address:        00:24:97:83:8E:61
    Additional Information:
    Reason Code:                Unable to identify a user for 802.1X authentication (0x50001)
    Error Code:                0x525
    EAP Reason Code:        0x0
    EAP Root Cause String:        
    EAP Error Code:                0x0
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>5632</EventID>
        <Version>1</Version>
        <Level>0</Level>
        <Task>12551</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2012-10-10T07:38:01.093305500Z" />
        <EventRecordID>37791</EventRecordID>
        <Correlation />
        <Execution ProcessID="760" ThreadID="2224" />
        <Channel>Security</Channel>
        <Computer>sba01-nb</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SSID">Pivot_Users</Data>
        <Data Name="Identity">
        </Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="SubjectLogonId">0x0</Data>
        <Data Name="PeerMac">00:24:97:83:8E:61</Data>
        <Data Name="LocalMac">C4:85:08:12:77:44</Data>
        <Data Name="IntfGuid">{64773F24-BF8B-4E91-BBD7-EB199E3C2C5E}</Data>
        <Data Name="ReasonCode">0x50001</Data>
        <Data Name="ReasonText">Unable to identify a user for 802.1X authentication</Data>
        <Data Name="ErrorCode">0x525</Data>
        <Data Name="EAPReasonCode">0x0</Data>
        <Data Name="EapRootCauseString">
        </Data>
        <Data Name="EAPErrorCode">0x0</Data>
      </EventData>
    </Event>
    Thank you for your answer and help.
    Regards, 
      Tadas

    Hi,
    Thanks for your post.
    Have you configured the client to only use user authentication for 802.1X? If so, I would like to inform you that this is expected when you configure 802.1X for user-only authentication.
    Here is the process that is followed.
    1. As soon as the client is connected to the network, the Authenticator (switch) periodically sends an EAP request packet/frame to the client/supplicant.
    2. The client has to respond with an identity, and if it's configured only for User authentication then it will send a blank identity.
    3. The Authenticator cannot validate and the authentication would fail.
    4. The Windows client is configured for a block time of 20 min. So, once the authentication fails, the NIC will go into block time for 20 min until there is a change in credentials. So, even if the authenticator (switch) is periodically sending EAP requests, it will just ignore them.
    5. You will see event 15506 after the event 15514.
    Here's the TechNet article that we can refer to for the reason code 0x50001 that we see in the event 15514:
    http://technet.microsoft.com/en-us/library/cc727747(WS.10).aspx
    0x50001 = Dec 327681
    Reason code: 327681
    Event log message: The 802.1X module was unable to identify a set of credentials to be used. [An example is when the authentication mode is set to “User” but no user is logged on.]
    # def name: ONEX_UNABLE_TO_IDENTIFY_USER
    Best Regards,
    Aiden
    Aiden Cao
    TechNet Community Support
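
The triage described in the reply above can be scripted. This is an added example, not part of the original posts: it parses the event XML, converts the hex reason code to the decimal form used in the TechNet table, and flags the blank-identity case. The `<Event>` wrapper, the function name and the verdict strings are assumptions; the field values are taken from the posted event.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Only the reason code discussed in the thread is mapped; anything else is
# reported in decimal so it can be looked up in the TechNet table.
KNOWN_REASONS = {0x50001: "ONEX_UNABLE_TO_IDENTIFY_USER"}

# Constructed sample: fields copied from the posted event 5632, wrapped in a
# standard <Event> element (the wrapper is an assumption).
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>5632</EventID>
    <Computer>sba01-nb</Computer>
  </System>
  <EventData>
    <Data Name="SSID">Pivot_Users</Data>
    <Data Name="Identity">
    </Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="ReasonCode">0x50001</Data>
    <Data Name="EAPReasonCode">0x0</Data>
  </EventData>
</Event>"""


def triage_dot1x_event(xml_text):
    """Summarise one 802.1X failure event and flag the user-only/no-user case."""
    root = ET.fromstring(xml_text)
    # Whitespace-only elements (such as the empty Identity) collapse to "".
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    reason = int(data.get("ReasonCode") or "0", 16)
    no_user = data.get("SubjectUserName", "") in ("", "-")
    blank_identity = data.get("Identity", "") == ""
    summary = {
        "event_id": int(root.findtext("e:System/e:EventID", "0", NS)),
        "computer": root.findtext("e:System/e:Computer", "", NS),
        "ssid": data.get("SSID", ""),
        "reason_dec": reason,
        "reason_name": KNOWN_REASONS.get(reason, "unmapped"),
        "blank_identity": blank_identity,
        "eap_error_reported": int(data.get("EAPReasonCode") or "0", 16) != 0,
    }
    # Interpretation from the reply: 0x50001 with no identity and no logged-on
    # user means the supplicant had no credentials to offer.
    if reason == 0x50001 and blank_identity and no_user:
        summary["verdict"] = "user-only 802.1X mode with no user logged on"
    else:
        summary["verdict"] = "needs manual review"
    return summary


if __name__ == "__main__":
    print(triage_dot1x_event(SAMPLE_EVENT))
```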

  • Windows 7 / 2008 duplicate static address when using 802.1x / MAB - ISE

    Hi all!
    ISE 1.1.3
    Cisco 3750 switches
    Windows XP / 7 / 2008 clients
    I'm having some weird issues where if a client connects to a switchport and happens to be using a static IP address then the client warns of a duplicate address problem.  Also the client will then only show the default gateway within ipconfig even though the IP address / mask is still in the GUI network properties of the adaptor.  This is happening with Windows 7 and Windows 2008 devices.
    Windows XP clients don't get the issue.
    Some clients will use 802.1x native supplicant and some will be authenticated based on MAB.  Not noticed the problem with 802.1x clients but it always occurs on MAB.
    I came across a similar issue here:
    http://networkingblog.vvlabs.com/2012/07/cisco-ise-duplicate-ip-address-windows-7.html
    Going off that blog I tried using the "ip device tracking delay probe delay" command but the switches don't recognise the "delay" keyword.
    The switches are 3750  switches running version 12.2(58)SE2.
    All I have is  "count, interval, use-svi" as extra options.
    Catalyst 4500 switch guide has  "delay" option but no "count, interval or use-svi".
    The only way I have managed to avoid the problem is using the second solution which is a registry hack on each client.  This is fine for the odd server but not realistic when there will be hundreds of other clients.
    Any ideas?

    Hi
    We are doing 802.1x for clients using the Windows supplicant.  For clients not using supplicants we are using MAB.  So the print servers and printers use MAB.
    Extract of config...
    aaa new-model
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting dot1x default start-stop group radius
    aaa accounting system default start-stop group radius
    aaa server radius dynamic-author
     client x server-key 7 x
     client x server-key 7 x
    aaa session-id common
    clock summer-time BST recurring last Sun Mar 23:00 last Sun Oct 23:00
    system mtu routing 1500
    vtp mode transparent
    authentication mac-move permit
    ip routing
    no ip domain-lookup
    ip device tracking
    dot1x system-auth-control
    dot1x critical eapol
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    interface FastEthernet1/0/1
     description ### Dot1x with MAB fallback ###
     switchport mode access
     switchport voice vlan 2
     ip access-group ACL-DEFAULT in
     srr-queue bandwidth share 10 10 60 20
     priority-queue out
     authentication event fail action next-method
     authentication event server dead action authorize vlan 1
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer restart 0
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     dot1x pae authenticator
     dot1x timeout tx-period 5
     spanning-tree portfast
     service-policy input AutoQoS-Police-CiscoPhone
    ip http server
    ip http secure-server
    ip access-list extended ACL-DEFAULT
     remark Deny access to new network
     deny   ip any 172.x.x.x 0.0.0.255 log
     remark Allow everything else to other networks
     permit ip any any
    ip radius source-interface Vlan2
    logging esm config
    logging host x transport udp port 20514
    logging host x transport udp port 20514
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 30 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    radius server ISE-1
     address ipv4 x auth-port 1645 acct-port 1646
     key 7 x
    radius server ISE-2
     address ipv4 x auth-port 1645 acct-port 1646
     key 7 x
