Is local EAP + Web Authentication possible in Auto Anchor Configuration

Hi,
I have a wireless network setup in an auto-anchor configuration with the foreign and anchor controllers. Due to the foreign controller being owned and managed by another company, I have an interesting authentication scenerio I would like to acheive. We can't implement full EAP-TLS as we would have to allow authentications from the foreign controller which is owned and managed by another company.
Currently Web Authentication is working correctly for the Wireless Network. As another layer of security, I want to know if its possible for the wireless clients to trust a certificate installed on the foreign controller? If so, are you able to point me in the direction of a user guide to implement.
I found the following document which describes local EAP configuration . Would this work with Web Authentication?
Thanks

so, kinda but no. EAP is a layer 2 authentication that uses encryption as well.
WebAuth is a layer3 authentication only.
Now the kinda....you can create guest/network users on the WLC local database, and if someone logins to the webauth portal with those credentials they will be able to get on.
I'm not really sure what you are looking to do based on your post.
Personally, if I had users that were going to roam to this controller, I'd work with that companies IT and get it linked to my AAA server and keep the EAP-TLS that I had working already going. Just because that WLC would be able to communicate to your AAA doesn't mean their users would be able to get on, as they wouldn't have the machine or client certificate nor the Root CA cert on their machines.
HTH,
Steve

Similar Messages

WLC Local EAP-TLS auth, certificate ACL feature?

Hi All,
I implemented local EAP-TLS authentication according to http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080851b42.shtml. All is working fine, clients - Wi-Fi bar code scanners, WLC -2x4402, SV - 7.0.116.0 Certificates generated by Enterprise CA.
Afterwards, I discovered that certificates cannot be filtered by cname, or user name on WLC. It means that ANY certificate issued by CA will be authenticated against my WLAN. CA issues a whole lot of certificates (RRAS VPNs, WEB clients, etc. ) I want to filter access for my wireless clients using local EAP solution (WLC are at remote location). Can I accomplish it without external RADIUS server? Something like IOS certificate ACL?
Thanks in advance.

Thanks Nicolas, sad but true, I failed to find any possibilites at WLC.
It seems I need to configure external RADIUS and use local EAP only in case of WAN failure.

ISE Web Authentication with Profile

   Hi,
   I'm using Web Authentication with Cisco ISE 1.2.1 without problems.
   The Cisco ISE didn't find the endpoint in my internal endpoint store and continue with Web Authentication
   But when I enable the PSN with the Profile Server, the Cisco ISE populate dynamically the internal endpoint store and I cannot use
   the Web Authentication cause the endpoint is already in the internal endpoint store.
   What's the better way to solve this problem ?
   Thanks in Advanced
   Andre Gustavo Lomonaco

    Hi Neno, let me clarify my question
    I'm already using my internal endpoints to permit authenticate via MAB my IP Phones, Access Points and Printers. I'm using Profile to be able to populate this ISE internet database.
    Now imagine that I wanna use the Web Authentication to permit authenticate guest workstations without 802.1x.If the profile put the guest workstation mac in the endpoints database, those workstation always will be authenticate using the MAC authentication and not the Web Authentication. Remember that for the Web authentication works we need to configure the continue options if the mac are not found in the endpoints database. But when the profile is on, the news (guest workstations) macs are inserted in endpoints database before I have chance to use the Web Authentication.

Internal Web Authentication + Local Net User

Hi all,
I'm trying to setup the WLC with internal web authentication + local net user account. I've setup a WLAN for this local net user configure the user profile map to this WLAN.
When the laptop get associated with the designated WLAN, and user tried to browse to the internet, the internal web authentication page doesn't appear on the browser.
I'm just curious is there any DNS server require in order to direct the user entered URL request to the virtual interface?
regards.

Well if you are using webauth for guest users, you really want to have an open ssid and wither have a username and password on the wlc or use a passthrough webauth where the guest users just have to click submit or accept. If you are using this for internal users, then you really shouldn't use webauth since this will not be single sign on. Again, you can if you want your internal users to sign on again. There is wpa/wpa2 PSK and then there is wpa/wpa2 8021.x in which this will require either using local EAP or a Radius Server. Ther radius server will either have the local user accounts or you can point this to AD. Depending on if you use EAP-PEAP (certificate on the radius server only) or EAP-TLS (certificate on both the radius and clinet) you will need a certificate.
For webauth only, you do not need a certificate on the user or radius server, a certificate will be required on the wlc if you don't want users to be promted with a certifcate error message. 5.1 supports unchained certificates, but I always use RapiddSSL for a root ca cert just to make deployment mush simpler for the client. So webauth and EAP will require certifcates with webauth being optional.

Authentication eap-tls on ACS or local EAP WLC over Lwapp and 7921

Hi All,
I install WLC to provide Wlan architecture and the project was extended for VoWLAN. we have 7921 and E51 running over the wide WLAN architecture.
Computer using Data over wirless are working over PEAP done by ACS and CA signed certificate + user secret on PC is link to the domain account and secret stay the login and password. Our problem is that user and password is link via ACS to Active Directory. The policy of password is to change frequently.
For the Phone we are actually running authentication over Leap but I'm working to define the best security solution for us.
I confront PEAP and Eap-TLS for now:
1) PEAP check the authentication of ACS via certificate trust and authenticate via MS-Chapv2 and the secret password known by user. My problem here is the phone can only be static what is potentially not acceptable
2) Eap-tls which is the best secured security due to the double side certificate authentication + (login / password) on the phone
so I need to manage here Certificate Management ? I mean I can use either the MIC CA certificate on the phone or User CA defined one which I can put on ACS or Local EAP WLC and the put the ACS CA trust on the Phone.
If I understood well I have to put User.cer and ACS_CA.cer on each phone and pout the User_CA on the ACS ?
I have already Certificate on the ACS signed by CA (like veri-signed) so I must create CSR for any phones to be able to use the same CA ?
I'm thinking to use also the local Eap certificate of Controller to manage all of that to avoid every potential money to pay to the trust CA of ACS
can you help me to know if I understood everything good ? I would be please to exchange experience on that
thanks ;)
bye

I am currently using EAP-TLS authentication on my wireless users using ACS 3.2. I have had that problem before. This is what I did...
Setup a Microsoft Certificate server as my
CA. You can use same machine wih your ACS and CA.
Then, generate certificate signing request from ACS then request a server certificate from CA then copy and install a certificate to ACS. On the ACS, go to global authentication setup check the EAP-TLS cetificate. If it failed to respond means that the server certificate is not properly setup.
On the windows xp clients, connect your machine using wired LAN, then request a certificate from CA(the same CA that you have use to your ACS) using IE (ex. http://CAip/certsrv), but this time request a client certificate. The name you should put when requesting the cert must be you local windows user, use 1024, choose microsoft base cryptographic provider 1.0. then installl the certificate on the client. Verify you client certificate it i was installed properly.
At that poit you should be able to connect you r wireless client using EAP-TLS.

Cisco Auto Anchor Web Authentication - NAS IP Address

Hi,
I've setup auto anchor web authentication for my guest network. I want my Web Authentication requests to be authenticated by ISE however need the authenticating device to be the Anchor Controller.
I setup the WLAN to authenticate against ACS4.2 and it works correctly, the NAS IP address is the Anchor controller. When changing the WLAN to auth again my ISE 1.2 server, authentications are sourced from the foreign controller.
Has anyone come across this or know why ISE is seeing the NAS IP Address as the foreign wireless controller?
Thanks,

Hi,
I've setup auto anchor web authentication for my guest network. I want my Web Authentication requests to be authenticated by ISE however need the authenticating device to be the Anchor Controller.
I setup the WLAN to authenticate against ACS4.2 and it works correctly, the NAS IP address is the Anchor controller. When changing the WLAN to auth again my ISE 1.2 server, authentications are sourced from the foreign controller.
Has anyone come across this or know why ISE is seeing the NAS IP Address as the foreign wireless controller?
Thanks,

Does this support EAP? LEAP? PEAP? Web Authentication?

I am trying to access my college network at Baruch, and its not letting me get pass the authentication. Safari just freezes. Is the iPAD EAP compliant? The iPhone works fine. If its not, is Apple working on a fix?
Honestly for a an app to promote keynotes, logging into a clients network before a presentation, I see huge problems with this. What if the client uses web authentication to have to access Wifi. Is there a fix around this?
Thanks

i assume eap types are supported just like on an iphone. if you manually configure to connect to a wireless network are wpa/2 enterprise choices listed? if so that implies eap support.
i believe i saw other complaints about web auth not working. i assume that's an issue with ipad safari not being able to interpret the web auth page coming from the wireless access point/controller.
i'm unclear on what your trying to connect to. a wlan using web auth or leap/peap/etc? they are usually not used together.

Local Web Authentication Started after Central Web Authentication

Hi everyone,
We have a DMZ based anchor WLC for a guest WLAN. I have this WLAN configured for central web authentication using ISE 1.2, this works correctly and can login using the guest portal.
However, after logging when browsing to a website everything is redirected to the local web authentication page and the policy manager state for the client goes in to a WEBAUTH_REQD state. I currently don't have any layer 3 security configured for this WLAN, so from my understanding it should just be using the central authentication provided by ISE.
Thanks for your help.
Mark

Hi Mark,
Thanks - that looks very similar to ours, though I'm doing the 3850 via the CLI as the web UI keeps dying when I click into things.
I've realsed that I unticked the Authentication servers box instead of the Accounting as I miss-read the WLC page, however while the LWA no-longer kicks in, I'm unable to pass anything except DNS traffic. The Anchor says that the client is in "Webauth" state so it looks like it's expecting something, but ISE says it's all ok and I can see the 3850 traffic going through the process flow.
If I attach an AP to the WLC directly and have the accounting box ticked, then it all works exactly as I'd expect - this is just, well, odd....
Warmest
Kev

Possible to use http for web authentication?

Hi All,
We are using WLC 2500 and AP 1041 with web authentication. Due to we do not have the trusted/public certificate and want to get rid of the certificate warning during the user login. I would like to ask if this is possible to change the web authentication method from HTTPS to HTTP. Thanks.
Rgds,
Jacky

Hi Jacky,
Yes u can... But there is a catch..
1) If ur running WLC code below 7.2.X then the only option is to disable HTTPS globally (Meaning HTTPS management access disabled only HTTP).
2) If you are running 7.2.X and above, then you can use HTTP for client webauth and then HTTPS for Management access.
The command for disabling https for web authetication would be:-
config network web-auth secureweb disable
Hope that helps
Regards
Najaf
Please rate when applicable or helpful !!!

Locally switched Guest WLAN with Web Authentication

I have a remote location that has its own internet pipe. I have set up a new guest SSID and set to switch locally and changed the AP mode to Flex connect. When I connect to the new SSID, I get an IP address from the local LAN, but the Web redirection page will not load. Is this because the local LAN does not have a route to the WLC virtual interace of 1.1.1.1? Is there a way to tunnel just the web authentication portion of traffic and locally switch everything else?

You are close in your understanding.
If you want to use the web portal services on the WLC then you need to bring that traffic back to the WLC.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

Wlc flexconnect wlan local authentication and central web authentication maximum rtt

Hi
From the below link below it mentioned that "Round-trip latency must not exceed 300 milliseconds (ms) between the AP and the controller. If the 300 milliseconds round-trip latency cannot be achieved, configure the AP to perform local authentication."
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch7_HREA.html#wp1094148.
Is this limitation refer to web authentication also?
Thanks
Anyone???

Central Web Auth (CWA) works different on controllers/APs running in FlexConnect mode. Please check this guide and confirm that you have similar setup.
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
If so, please post screen shots with your configs (Redirect ACLs, policies in ISE and the WLC SSD settings).
Also, the version of code that you are running in ISE and your controller.
Thank you for rating helpful posts!

Aironet 2702i Autonomous - Web-Authentication with Radius Window 2008

Hi Guys,
I have a problems with case, i have diagrams sample like then : AD(Win2008) - Radius(Win2008) - Aironet 2702i => Use methods Web-Auth for EndUser
This is my Configure file on Aironet 2702i
Aironet2702i#show run
Building configuration...
Current configuration : 8547 bytes
! Last configuration change at 05:08:25 +0700 Fri Oct 31 2014 by admin
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Aironet2702i
logging rate-limit console 9
aaa new-model
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login default local
aaa authentication login DTSGROUP group radius
aaa authentication login webauth group radius
aaa authentication login weblist group radius
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa session-id common
clock timezone +0700 7 0
no ip source-route
no ip cef
ip admission name webauth proxy http
ip admission name webauth method-list authentication weblist
no ip domain lookup
ip domain name dts.com.vn
dot11 syslog
dot11 activity-timeout unknown default 1000
dot11 activity-timeout client default 1000
dot11 activity-timeout repeater default 1000
dot11 activity-timeout workgroup-bridge default 1000
dot11 activity-timeout bridge default 1000
dot11 vlan-name DTSGroup vlan 46
dot11 vlan-name L6-Webauthen-test vlan 45
dot11 vlan-name NetworkL7 vlan 43
dot11 vlan-name SGCTT vlan 44
dot11 ssid DTS-Group
vlan 46
authentication open eap DTSGROUP
authentication key-management wpa version 2
mbssid guest-mode
dot11 ssid DTS-Group-Floor7
vlan 43
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 013D03104C0414040D4D5B5E392559
dot11 ssid L6-Webauthen-test
vlan 45
web-auth
authentication open
dot1x eap profile DTSGROUP
mbssid guest-mode
dot11 ssid SaigonCTT-Public
vlan 44
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 04480A0F082E424D1D0D4B141D06421224
dot11 arp-cache optional
dot11 adjacent-ap age-timeout 3
eap profile DTSGROUP
description testwebauth-radius
method peap
method mschapv2
method leap
username TRIHM privilege 15 secret 5 $1$y1J9$3CeHRHUzbO.b6EPBmNlFZ/
username ADMIN privilege 15 secret 5 $1$IvtF$EP6/9zsYgqthWqTyr.1FB0
ip ssh version 2
bridge irb
interface Dot11Radio0
no ip address
encryption vlan 44 mode ciphers aes-ccm
encryption vlan 46 mode ciphers aes-ccm
encryption mode ciphers aes-ccm
encryption vlan 43 mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
ssid DTS-Group
ssid DTS-Group-Floor7
ssid L6-Webauthen-test
ssid SaigonCTT-Public
countermeasure tkip hold-time 0
antenna gain 0
stbc
mbssid
packet retries 128 drop-packet
channel 2412
station-role root
rts threshold 2340
rts retries 128
ip admission webauth
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 subscriber-loop-control
bridge-group 43 spanning-disabled
bridge-group 43 block-unknown-source
no bridge-group 43 source-learning
no bridge-group 43 unicast-flooding
interface Dot11Radio0.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 subscriber-loop-control
bridge-group 44 spanning-disabled
bridge-group 44 block-unknown-source
no bridge-group 44 source-learning
no bridge-group 44 unicast-flooding
ip admission webauth
interface Dot11Radio0.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 subscriber-loop-control
bridge-group 45 spanning-disabled
bridge-group 45 block-unknown-source
no bridge-group 45 source-learning
no bridge-group 45 unicast-flooding
ip admission webauth
interface Dot11Radio0.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 subscriber-loop-control
bridge-group 46 spanning-disabled
bridge-group 46 block-unknown-source
no bridge-group 46 source-learning
no bridge-group 46 unicast-flooding
interface Dot11Radio1
no ip address
shutdown
encryption vlan 46 mode ciphers aes-ccm
encryption vlan 44 mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 43 mode ciphers aes-ccm
encryption vlan 45 mode ciphers ckip-cmic
ssid DTS-Group
ssid DTS-Group-Floor7
ssid SaigonCTT-Public
countermeasure tkip hold-time 0
antenna gain 0
peakdetect
dfs band 3 block
stbc
mbssid
packet retries 128 drop-packet
channel 5745
station-role root
rts threshold 2340
rts retries 128
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 subscriber-loop-control
bridge-group 43 spanning-disabled
bridge-group 43 block-unknown-source
no bridge-group 43 source-learning
no bridge-group 43 unicast-flooding
interface Dot11Radio1.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 subscriber-loop-control
bridge-group 44 spanning-disabled
bridge-group 44 block-unknown-source
no bridge-group 44 source-learning
no bridge-group 44 unicast-flooding
ip admission webauth
interface Dot11Radio1.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 subscriber-loop-control
bridge-group 45 spanning-disabled
bridge-group 45 block-unknown-source
no bridge-group 45 source-learning
no bridge-group 45 unicast-flooding
ip admission webauth
interface Dot11Radio1.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 subscriber-loop-control
bridge-group 46 spanning-disabled
bridge-group 46 block-unknown-source
no bridge-group 46 source-learning
no bridge-group 46 unicast-flooding
interface GigabitEthernet0
no ip address
duplex auto
speed auto
dot1x pae authenticator
dot1x authenticator eap profile DTSGROUP
dot1x supplicant eap profile DTSGROUP
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet0.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 spanning-disabled
no bridge-group 43 source-learning
interface GigabitEthernet0.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 spanning-disabled
no bridge-group 44 source-learning
interface GigabitEthernet0.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 spanning-disabled
no bridge-group 45 source-learning
interface GigabitEthernet0.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 spanning-disabled
no bridge-group 46 source-learning
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
interface GigabitEthernet1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet1.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 spanning-disabled
no bridge-group 43 source-learning
interface GigabitEthernet1.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 spanning-disabled
no bridge-group 44 source-learning
interface GigabitEthernet1.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 spanning-disabled
no bridge-group 45 source-learning
interface GigabitEthernet1.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 spanning-disabled
no bridge-group 46 source-learning
interface BVI1
mac-address 58f3.9ce0.8038
ip address 172.16.1.62 255.255.255.0
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius server 172.16.50.99
address ipv4 172.16.50.99 auth-port 1645 acct-port 1646
key 7 104A1D0A4B141D06421224
bridge 1 route ip
line con 0
logging synchronous
line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
transport input ssh
line vty 5 15
exec-timeout 0 0
privilege level 15
logging synchronous
transport input ssh
end
This is My Logfile on Radius Win 2008 :
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: S-1-5-21-858235673-3059293199-2272579369-1162
Account Name: xxxxxxxxxxxxxxxx
Account Domain: xxxxxxxxxxx
Fully Qualified Account Name: xxxxxxxxxxxxxxxxxxx
Client Machine:
Security ID: S-1-0-0
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: -
NAS:
NAS IPv4 Address: 172.16.1.62
NAS IPv6 Address: -
NAS Identifier: Aironet2702i
NAS Port-Type: Async
NAS Port: -
RADIUS Client:
Client Friendly Name: Aironet2702i
Client IP Address: 172.16.1.62
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: DTSWIRELESS
Authentication Provider: Windows
Authentication Server: xxxxxxxxxxxxxx
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
So i will explain problems what i have seen:
SSID: DTS-Group using authentication EAP with RADIUS and it working great (Authentication Type from Aironet to RADIUS is PEAP)
SSID:L6-Webauthen-test using web-auth and i had try to compare with RADIUS but ROOT CAUSE is AUTHENTICATION TYPE from Aironet to RADIUS default is PAP. (Reason Code : 66)
=> I had trying to find how to change Authentication Type of Web-Auth on Cisco Aironet from PAP to PEAP or sometime like that for combine with RADIUS.
Any idea or recommend for me ?
Thanks for see my case

Hi Dhiresh Yadav,
Many thanks for your reply me,
I will explain again for clear my problems.
At this case, i had setup complete SSID DTS-Group use authentication with security as PEAP combine Radius Server running on Window 2008.
I had login SSID by Account create in AD =>  It's work okay with me. Done
Problems occurs when i try to use Web-authentication on Vlan45 With SSID :
dot11 ssid L6-Webauthen-test
vlan 45
web-auth
authentication open
dot1x eap profile DTSGROUP
mbssid guest-mode
After configured on Aironet and Window Radius , i had try to login with Account create in AD by WebBrowser but it Fail ( i have see mini popup said: Authentication Fail" . So i go to Radius Server and search log on EventViewer.
This is My Logfile on Radius Win 2008 :
Network Policy Server denied access to a user.
NAS:
NAS IPv4 Address: 172.16.1.62
NAS IPv6 Address: -
NAS Identifier: Aironet2702i
NAS Port-Type: Async
NAS Port: -
RADIUS Client:
Client Friendly Name: Aironet2702i
Client IP Address: 172.16.1.62
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: DTSWIRELESS
Authentication Provider: Windows
Authentication Server: xxxxxxxxxxxxxx
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
Im think ROOT CAUSE is :
PAP is the default authentication type for web-auth users on Aironet 2702i, so it can't combine with Radius Window 2008 because they just support PEAP (CHAPv1,CHAPv2....) => Please give me a tip how to change Authentication Type from PAP to PEAP for Web Authentication on Aironet

Cisco Wireless AP 2602 - Web Authentication/Pass NOT working?

Product/Model                                       Number:
AIR-CAP2602E-A-K9
Top                                       Assembly Serial Number:
System                                       Software Filename:
ap3g2-k9w7-xx.152-4.JB3a
System                                       Software Version:
15.2(4)JB3a
Bootloader                                       Version:
BOOTLDR: C2600 Boot Loader (AP3G2-BOOT-M) LoaderVersion 12.4(25e)JA1, RELEASE SOFTWARE (fc1)
When "Web Authentication/Pass" option checked, it is totally unaccessible to internal or external network, any clue/advice?
Thanks in advance.

Thanks, seems I missed the RADIUS part; after I done that it's still no luck, here are some tech support info, are you able to help?
------------------ show version ------------------
Cisco IOS Software, C2600 Software (AP3G2-K9W7-M), Version 15.2(4)JB3a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 23-Dec-13 08:11 by prod_rel_team
ROM: Bootstrap program is C2600 boot loader
BOOTLDR: C2600 Boot Loader (AP3G2-BOOT-M) LoaderVersion 12.4(25e)JA1, RELEASE SOFTWARE (fc1)
WuGa-CiscoAP uptime is 3 days, 19 minutes
System returned to ROM by power-on
System restarted at 23:18:39 +0800 Mon Feb 10 2014
System image file is "flash:/ap3g2-k9w7-mx.152-4.JB3a/ap3g2-k9w7-xx.152-4.JB3a"
Last reload reason:
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
cisco AIR-SAP2602E-A-K9 (PowerPC) processor (revision A0) with 204790K/57344K bytes of memory.
Processor board ID FGL1650Z5X3
PowerPC CPU at 800Mhz, revision number 0x2151
Last reset from power-on
1 Gigabit Ethernet interface
2 802.11 Radios
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: E0:2F:6D:A3:4D:0B
Part Number                          : 73-14511-02
PCA Assembly Number                  : 800-37898-01
PCA Revision Number                  : A0
PCB Serial Number                    : FOC164889AN
Top Assembly Part Number             : 800-38357-01
Top Assembly Serial Number           : FGL1650Z5X3
Top Revision Number                  : A0
Product/Model Number                 : AIR-CAP2602E-A-K9
Configuration register is 0xF
------------------ show running-config ------------------
Building configuration...
Current configuration : 5276 bytes
! Last configuration change at 23:36:14 +0800 Thu Feb 13 2014
! NVRAM config last updated at 23:36:14 +0800 Thu Feb 13 2014
! NVRAM config last updated at 23:36:14 +0800 Thu Feb 13 2014
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname WuGa-CiscoAP
logging rate-limit console 9
enable secret 5
aaa new-model
aaa group server tacacs+ tac_admin
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login webauth group radius
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login web_list group radius
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
clock timezone +0800 8 0
no ip cef
ip admission name webpass consent
ip admission name webauth proxy http
ip admission name webauth method-list authentication web_list
ip admission name web_auth proxy http
ip admission name web_auth method-list authentication web_list
ip admission name web-auth proxy http
ip admission name web-auth method-list authentication web_list
ip name-server 8.8.8.8
dot11 syslog
dot11 vlan-name GuestVLAN vlan 2
dot11 vlan-name InternalVLAN vlan 1
dot11 ssid Guest
   vlan 2
   web-auth
   authentication open
   mbssid guest-mode
dot11 ssid WuGa-6
   vlan 1
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 0211115C0A555C721F1D5A4A5644
dot11 ssid WuGa-60
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 03084C070900721F1D5A4A56444158
dot11 guest
username wuga lifetime 360 password 7 030D5704100A36594908
username Cisco privilege 15 password 7
bridge irb
interface Dot11Radio0
no ip address
encryption mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
ssid Guest
ssid WuGa-6
antenna gain 2
stbc
mbssid
speed basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23.
channel 2452
station-role root
dot11 dot11r pre-authentication over-air
dot11 dot11r reassociation-time value 500
ip admission web-auth
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
ip admission webauth
interface Dot11Radio1
no ip address
encryption mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
ssid WuGa-60
antenna gain 4
peakdetect
no dfs band block
stbc
speed basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23.
power local 5
channel width 40-above
channel dfs
station-role root
dot11 dot11r pre-authentication over-air
dot11 dot11r reassociation-time value 500
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface GigabitEthernet0
no ip address
duplex auto
speed 1000
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet0.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 spanning-disabled
no bridge-group 2 source-learning
interface BVI1
ip address 192.168.133.213 255.255.255.0
ip default-gateway 192.168.133.200
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip route 0.0.0.0 0.0.0.0 192.168.133.200
ip radius source-interface BVI1
ip access-list extended ALL
permit ip any host 0.0.0.0
permit ip any any
permit ip 0.0.0.0 255.255.255.0 any
ip access-list extended All
permit tcp any any established
permit tcp any any eq www
permit ip any any
radius-server local
nas 192.168.133.213 key 7 070C285F4D06
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
radius server 192.168.10.2
address ipv4 192.168.10.2 auth-port 1812 acct-port 1646
radius server local
address ipv4 192.168.133.213 auth-port 1812 acct-port 1813
key 7
bridge 1 route ip
line con 0
terminal-type teletype
line vty 0 4
terminal-type teletype
transport input all
sntp server 128.138.141.172
sntp broadcast client
end

Central web authentication

I have downloaded the new Cisco ISE, I've managed to configure 802.1x and MAB succesfully but I want to configure wired centralized web authentication, but I cannot find any documentation how to configure ISE and Cisco Catalyst (IOS) switches to use this feature (I only find (limited) documentation about local web auth on the switch).
I want to achieve the following authentication order on a switchport:
802.1x
MAB
central web authentication
So if a guest user comes with his laptop, 802.1x is not configured on his laptop and he's not in the Mac Bypass DB, he should "failover" to web auth and get the ISE guest portal webpage with his web browser. There he enters a guest username and password (which is of course already in the ISE DB) and he should get web access.
I've configured the switchport with the following commands
switchport access vlan 99
switchport mode access
switchport voice vlan 50
authentication event no-response action authorize vlan 32
authentication host-mode multi-domain
authentication order dot1x mab webauth
authentication port-control auto
authentication violation protect
authentication fallback webprofile
mab
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 2
spanning-tree portfast
spanning-tree bpduguard enable
the web-profile with access-list to permit DHCP traffic between the attached device and any DHCP server in the vlan 99, and communications with ISE (also in vlan 99) at the moment "fallback webprofile" is triggered (I don't know if this should be configured with central webauth?)
SW01T#sh fallback profile webprofile
Profile Name: webprofile
Description : webauth profile
IP Admission Rule : NONE
IP Access-Group IN: 133
FYI, the access list:
Extended IP access list 133
10 permit ip any host 10.175.0.29
30 permit udp any any eq bootps
40 permit udp any eq bootpc any
In the ISE, I configured DOT1x and MAB. In the MAB profile, I configured "continue" if user is unknown, and then an authorization profile for the web authentication:
(attributes of the profile):
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect-acl=webauth
cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&portal=https://10.175.0.29:8443/guestportal/gateway?sessionId=SessionIdValue&portal=http&action=cwa&action=cwa
But it doesn't work. If I attach a device, it tries 802.1x, it tries MAB, then it fails over to "web authentication" but immediately fails with "no-response" message:
001420: Jul 1 12:09:19: %AUTHMGR-5-START: Starting 'webauth' for client (0011.2
5d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
5d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
from 'webauth' for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0
AAF003E000000582E866B69
001422: Jul 1 12:09:19: %AUTHMGR-7-FAILOVER: Failing over from 'webauth' for cl
ient (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B
69
001423: Jul 1 12:09:19: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication
methods for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003 001420:
Is there some configuration guide or steps available in order to make this work please?
kind regards

Hi Tarik,
thank you for the fast reply.
I've configuried the extra settings you told me (although I thought the ip admission configuration was only for local web authentication (where the switch acts as a http server).
But it still doesn't work. The pc is getting the ip address from the dhcp server but if I open a browser session, I do not get redirected to the ISE portal in order to log me in with a Guest account.
If I look at the authentication session of the port, it looks like the ISE has correctly sent the redirect acl and redirect url to the switchport:
Switch# show auth sessions int fa 1/0/3
           Interface: FastEthernet1/0/3
         MAC Address: 0011.25d7.6c6c
          IP Address: 10.175.0.229
           User-Name: 001125d76c6c
              Status: Authz Success
              Domain: DATA
     Security Policy: Should Secure
     Security Status: Unsecure
      Oper host mode: multi-domain
    Oper control dir: both
       Authorized By: Authentication Server
          Vlan Group: N/A
    URL Redirect ACL: webauth
        URL Redirect: https://ISE.onemrva.priv:8443/guestportal/gateway?session
Id=0AAF003E0000175A43004FE3&action=cwa
     Session timeout: N/A
        Idle timeout: N/A
   Common Session ID: 0AAF003E0000175A43004FE3
     Acct Session ID: 0x000018CF
              Handle: 0xEF00075B
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
       webauth Not run
As you can see, the "web authentication" is the result of a "succesful MAB". This is because I had to configure ISE to continue on MAB if the user was not found (I found that somewhere in documentation). Then I have configured a default authorization profile where the "web authentication" is triggered. This is where I've configured the redirect-url and so on and this is of course sent to the switch as a succesfull MAB:
authorization profile "webauthentication" with the "centralized web authentication" settings configured (see attributes output):
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect-acl=webauth
cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
Actually, I really have no idea if I have correctly configured ISE to handle central web authentication...
If I check the "show ip admission cache", nothing is seen in there.

Web Authentication with MS IAS Server

I'm trying to configure my 2106 WLC to authenticate with an MS IAS Radius Server. I had this working, but my boss did not want to do any configuration on the client side and now wants to do all authentication through Web authentication with the Radius server. The wireless client connects and is redirected to the login page like they're supposed to, but when I enter my credentials the login fails. However, if I enter the login of a local user to the controller the authentication works.
I see in the logs the following error: AAA Authentication Failure for UserName:chevym User Type: WLAN USER. The authentication is reaching the server too, but the logs don't tell you much.
Here is what is in the server logs: 192.168.0.77,chevym,07/29/2008,05:58:16,IAS,TESTLAB1,25,311 1 192.168.0.221 07/28/2008 17:27:10 48,4127,2,4130,TESTLAB\chevym,4129,TESTLAB\chevym,4154,Use Windows authentication for all users,4155,1,4128,Wireless LAN Controller,4116,9,4108,192.168.0.77,4136,3,4142,19
I don't really understand any of that and I'm not really sure if I have the server itself configured correctly for what I want to do. Does anyone have instructions on how to do this?

I had another thread going on this, but since it appears to be an IAS problem, I've been posting on the MS forum instead of here.
I'm trying to set up wireless laptop-WLC-IAS authentication using PEAP.
The machine authenticates on boot, but any login by any user results in this message in the Windows Event log on the IAS server:
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 9/3/2008
Time: 11:00:55 PM
User: N/A
Computer: DC1
Description:
User SCOTRNCPQ003.scdl.local was denied access.
Fully-Qualified-User-Name = SCDL\SCOTRNCPQ003.scdl.local
NAS-IP-Address = 10.10.10.10
NAS-Identifier = scohc0ciswlc
Called-Station-Identifier = 00-21-55-C0-7D-70:Domain Staff
Calling-Station-Identifier = 00-90-4B-4C-92-B7
Client-Friendly-Name = WLAN Controller
Client-IP-Address = 10.10.10.10
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 29
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name =
Authentication-Type = EAP
EAP-Type =
Reason-Code = 8
Reason = The specified user account does not exist.
The policy is the default connection policy created when installing IAS.
In ADUC, I've tried setting both the machine and users Dial-In properties to Allow Access or Control through policy, with the same result.
I've gone through the policy and there isn't anything there, other than the Day-Time rule which is set to allow access for all hours of the whole day, every day.
In the last few days, I've read about the Ignore User Dial In properties, but can't find where/how you set this.
It sounded to me as if this had been resolved in this thread, so I wanted to know how this had been accomplished.

Is local EAP + Web Authentication possible in Auto Anchor Configuration

Similar Messages

Maybe you are looking for