ISE Auth timers

Where is this located?

Policy > Policy Elements > Results > Authorization Profiles
Each Authorization profile will have this option.

Similar Messages

  • Cisco ISE auth alternatives

    Hi everyone,
    I'm a beginner with Cisco ISE, and I have a very special case that may occur frequently in my situation ... 
    In the normal case, the client exchanges EAP messages with the switch, and the switch acts as a proxy server towards the ISE server.
    My special case is when the connectivity between ISE and the switch is lost; the easiest alternative is to redirect the client to the auth-fail VLAN, but this alternative is not productive (regarding our needs) ...
    Are there any alternatives for this case? This is very urgent, please.
    Thank you for your support.

    Hello a.benhima,
    You can change the timer or disable re-authentication.
    Here is a link to another posting that discusses the authentication timer.
    https://supportforums.cisco.com/discussion/11971961/ise-authentication-timers-issues
    Hope this helps.

  • ISE Auth policy based on MAC OUI and SSID

    I was blocking certain consumer mobile devices from my production WLAN on ACS using this process -
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
    The MAC OUI is referenced in the CLI field of the NAR, and the SSID is in the DNIS field.
    Anyone know how to do this on ISE?  Two questions -
    1) I can match based on WLAN-ID, but not SSID.  My WLAN-IDs for the same SSID don't match between controllers.  Do I need to change this and make sure all WLAN-IDs map to the same SSID on each controller?  Or, is there a different attribute I can use that refers to the SSID?
    2) What attribute do you use in ISE Authorization conditions to match OUI?  And can I match a list of OUIs?

    1) I have never seen the actual SSID name anywhere in the RADIUS attributes coming from the controller; I always use airespace-wlan-id, and if you want to avoid creating multiple rules, make the IDs the same on all controllers.
    2) Well, OUI is part of the MAC, so you could maybe use RegEx to filter out specific OUIs. Another way, if you have the advanced license, would be to use Profiling; then ISE would do all the hard work of classifying what device is attempting to connect, and you could use that in your authorization policy, e.g. "Profiled:Iphone".

  • ISE Auth Policy with Converged Access

    Hi
    I'm setting up Dot1X authentication using ISE 1.3 and 5760/3850 WLAN controllers. The problem is that I'm not able to match my authentication policy defined on ISE. It jumps directly to the default policy; I'm using Called-Station-ID = SSID but it is not able to match this.
    I have configured this before on WLC AireOS but not with converged access. Is there something that needs to be done on the 3850 WLC to send this info to ISE?

    Yes, I can see that everything is working, with certificates and other stuff. It is only that it is not matching the SSID.
    I have tried different ways to do the SSID filtering: 
    NAS-Port-ID Equals SSID,
    Called-Station-ID Equals SSID
    But none of these works. Does anyone know if I have to do something different when doing this setup through converged access?
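The two wireless threads above (matching a list of MAC OUIs, and matching the SSID via Called-Station-ID) boil down to string conditions on RADIUS attributes. The following is an added example, not code from either thread, that shows what a single ISE regex covering a whole OUI list looks like and evaluates the combined "OUI on this SSID" rule the way the old ACS NAR did. It assumes Calling-Station-ID carries the client MAC as AA-BB-CC-DD-EE-FF and that the WLC sends Called-Station-ID as `<AP-MAC>:<SSID>`; the OUIs, MACs and SSID names are constructed samples.

```python
"""ISE-style authorization matching on MAC OUI and SSID (added example).

Assumptions, also marked below:
  * Radius:Calling-Station-ID carries the client MAC as AA-BB-CC-DD-EE-FF.
  * Radius:Called-Station-ID from a Cisco WLC carries "<AP-MAC>:<SSID>"; when the
    controller sends only the AP MAC, fall back to Airespace-Wlan-Id as the reply suggests.
"""
import re
from typing import Dict, Iterable, Optional

_HEX = "[0-9A-Fa-f]"
# "<AP-MAC>:<SSID>" with the AP MAC in colon, hyphen, dotted or bare form (assumption).
_CALLED_RE = re.compile(rf"^(?P<mac>{_HEX}{{2}}(?:[-:.]?{_HEX}{{2}}){{5}}):(?P<ssid>.+)$")


def normalize_mac(mac: str) -> str:
    """12 upper-case hex digits for any common MAC spelling; ValueError otherwise."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.upper()


def to_ise_form(mac: str) -> str:
    """AA-BB-CC-DD-EE-FF, the spelling assumed for Calling-Station-ID in ISE."""
    d = normalize_mac(mac)
    return "-".join(d[i:i + 2] for i in range(0, 12, 2))


def normalize_oui(oui: str) -> str:
    """First three octets in hyphenated upper-case form, e.g. '00-1A-2B'.

    Accepts either a bare OUI (6 hex digits) or a full MAC (12 hex digits).
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", oui)
    if len(digits) not in (6, 12):
        raise ValueError(f"not an OUI or MAC: {oui!r}")
    return "-".join(digits[i:i + 2].upper() for i in (0, 2, 4))


def build_oui_regex(ouis: Iterable[str]) -> str:
    """One regex for 'Radius:Calling-Station-ID MATCHES ...' that covers a whole OUI list,
    so a list of OUIs needs only one ISE condition rather than one rule per vendor."""
    alts = "|".join(sorted({normalize_oui(o) for o in ouis}))
    return f"^({alts})(-[0-9A-F]{{2}}){{3}}$"


def ssid_of(called_station_id: str) -> Optional[str]:
    """SSID from '<AP-MAC>:<SSID>'; None when the NAD sent only the AP MAC (assumption)."""
    m = _CALLED_RE.match(called_station_id)
    return m.group("ssid") if m else None


def should_block(attrs: Dict[str, str], blocked_ouis: Iterable[str], ssid: str) -> bool:
    """ISE equivalent of the ACS NAR in the thread: OUI (was the CLI field) AND SSID (was DNIS).

    attrs is the RADIUS attribute view ISE evaluates, e.g.
    {"Calling-Station-ID": "00-1A-2B-33-44-55",
     "Called-Station-ID": "00-11-22-33-44-55:CorpWiFi"}
    """
    calling = attrs.get("Calling-Station-ID")
    called = attrs.get("Called-Station-ID", "")
    if not calling:
        return False
    try:
        client = to_ise_form(calling)          # normalize before matching the ISE regex
    except ValueError:
        return False                           # malformed MAC: let other rules decide
    oui_hit = re.fullmatch(build_oui_regex(blocked_ouis), client) is not None
    return oui_hit and ssid_of(called) == ssid


if __name__ == "__main__":
    # Constructed sample request: a device with a listed OUI joining the production SSID.
    blocked = ["00:1a:2b", "3C-D9-2B"]       # constructed OUI list, not real vendor data
    sample = {"Calling-Station-ID": "00-1A-2B-33-44-55",
              "Called-Station-ID": "00-11-22-33-44-55:CorpWiFi"}
    print(build_oui_regex(blocked))          # paste into the ISE MATCHES condition
    print(should_block(sample, blocked, "CorpWiFi"))
```

If the controller sends only the AP MAC in Called-Station-ID, `ssid_of` returns None and the rule never fires; that is the case where the reply above recommends keying on Airespace-Wlan-Id instead.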

  • ISE Authentication timers issues

    Is there a way within ISE so that when a machine uses dot1x to authenticate that it will not occur for an extended period of time?

    You can disable re-authentication or send the values from ISE.
    It's actually best practice to disable reauthentication or if needed, keep it above 2 hours.

  • Cisco ISE auth policy based on Active Directory domain membership

    I am currently testing the Cisco ISE product and I am trying to find a way to assign an authorization policy based on domain membership.  Our company sorts standard users and project team members into different domains, so it seemed like the ideal thing to sort with.  Unfortunately, I am no AD expert and there are a mind-boggling number of conditions/expressions to choose from.  I figured I would be the first person to try this.  What have others done to solve this problem?
    I have tried using the memberOf attribute and matching to .*(domain).*  Basically looking to see if memberOf contains the domain name.  It works for machine authentication, but when I log in the system cannot find my account info for some reason and boots me to the guest VLAN.
    Thank you.

    Are the two sets of users actually residing on two separate and independent domains? If so then that is probably where your problem is as ISE can only integrate with a single domain. If you have multiple domains then there must be a trust relationship between them. Another solution is to use LDAP integrations as there is not a limit with LDAP integrations.
    Thank you for rating!

  • ISE: Reauthentication timer

    Hi,
    I am doing authentication of endpoint devices. The default reauthentication timer on switchports are 3600 seconds. Why is reauthentication needed? Isn't it enough that a device is authenticated when it connects only?
    When the reauthentication timer is set to server (authentication timer reauthenticate server), I guess that the server is ISE. Where in ISE do I configure the timer?
    Regards,
    Philip

    Philip,
    I'll provide you one of many use-cases of reauthentication: imagine that you authenticate with certificates.
    If the certificate became invalid (expired/device stolen), you cannot kick a user off the network if it authenticated prior to you noticing.
    So in essence, if the device was stolen but you have not noticed it before it was plugged in, without reauthentication it potentially could be allowed on the network for quite some time.
    That being said, we recommend not using re-authentication for performance reasons, or setting the timer to at least 2 hours.
    On ISE you can send auth timers from the authorization policy.
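Both timer threads above give the same guidance: disable re-authentication, or keep it at 2 hours or more, with the value sent from the ISE authorization profile when the port uses `authentication timer reauthenticate server`. The following is an added example, not code from the forum, that lints a switchport stanza plus the Session-Timeout an ISE profile would send against that guidance. It assumes IOS IBNS syntax (`authentication periodic`, `authentication timer reauthenticate {seconds|server}`) and that a port set to `server` falls back to the 3600 s default when ISE sends no Session-Timeout; the interface config is a constructed sample.

```python
"""Lint switchport re-authentication against the guidance in the timer threads (added example).

Assumptions (also marked in comments): IOS IBNS syntax 'authentication periodic' and
'authentication timer reauthenticate {seconds|server}'; with 'server' the switch uses the
RADIUS Session-Timeout that ISE sends from the authorization profile, and falls back to
its 3600 s default when none is sent.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

TWO_HOURS = 7200            # floor recommended in the replies
IOS_DEFAULT_REAUTH = 3600   # switchport default quoted in the question


@dataclass
class ReauthSetting:
    enabled: bool            # 'authentication periodic' configured on the port
    source: str              # 'disabled', 'port' (local timer) or 'server' (from ISE)
    interval: Optional[int]  # effective seconds between re-authentications
    defaulted: bool          # True when the value came from the 3600 s default


def effective_reauth(interface_lines: Iterable[str],
                     session_timeout: Optional[int] = None) -> ReauthSetting:
    """Work out what a port will actually do.

    interface_lines  - the 'interface' stanza of the running config
    session_timeout  - Session-Timeout (seconds) in the Access-Accept from the matching
                       ISE authorization profile; None if its re-auth timer is unset
    """
    periodic = False
    timer: Optional[str] = None
    for line in interface_lines:
        s = line.strip()
        if s == "authentication periodic":
            periodic = True
        m = re.fullmatch(r"authentication timer reauthenticate (server|\d+)", s)
        if m:
            timer = m.group(1)
    if not periodic:
        return ReauthSetting(False, "disabled", None, False)   # timer is irrelevant
    if timer == "server":
        if session_timeout is None:             # assumption: switch default applies
            return ReauthSetting(True, "server", IOS_DEFAULT_REAUTH, True)
        return ReauthSetting(True, "server", session_timeout, False)
    if timer is not None:
        return ReauthSetting(True, "port", int(timer), False)
    return ReauthSetting(True, "port", IOS_DEFAULT_REAUTH, True)


def findings(setting: ReauthSetting) -> List[str]:
    """Deviations from the thread's guidance; an empty list means compliant."""
    out: List[str] = []
    if not setting.enabled:
        return out                              # disabling re-auth is acceptable
    if setting.interval < TWO_HOURS:
        out.append(f"re-authentication every {setting.interval}s is below the "
                   f"{TWO_HOURS}s (2 h) floor")
    if setting.defaulted:
        out.append("interval comes from the switch default, not from policy: set the "
                   "Reauthentication timer in the ISE authorization profile or on the port")
    return out


if __name__ == "__main__":
    # Constructed sample port: takes its timer from the server, but the profile sets none.
    port = ["interface GigabitEthernet1/0/5",
            " authentication port-control auto",
            " authentication periodic",
            " authentication timer reauthenticate server",
            " dot1x pae authenticator"]
    for f in findings(effective_reauth(port)):
        print(f)
    print(findings(effective_reauth(port, session_timeout=7200)))   # profile fixed: []
```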

  • How can I get a list of BSSIDs without using netsh?

    I'm looking for an object that would have contents similar to the output of
    netsh wlan show networks mode=bssid
    I don't want to use unreliable parsing of text output, so using netsh is out.  The WMI interface that worked in Windows XP doesn't work now.  There's an API, but there is no .NET interface so it's pretty difficult to work with in PowerShell. 
    I know of a couple of adapters, but I'd like to keep this contained in one script.  I don't think I could find or write a type for the API that I could invoke in PowerShell.
    Is there anything else I'm missing?

    Oh, sorry, you have said that you don't want to use netsh.
    I will involve someone familiar with this to further look at this issue. Hope there is a way for you to do this without the usage of netsh.
    There might be some time delay. Appreciate your patience.
    Thank you for your understanding and support.
    Regards,
    Yan Li
    Cataleya Li
    TechNet Community Support

    Thanks, but I think I got it all figured out.  I used the C# code from the managed wifi api project (http://managedwifi.codeplex.com/) though it needed a little tweaking - had to get everything in one namespace so PowerShell could easily consume it without external files.  Had to do a little manual type conversion with the output because yay unmanaged and untyped API output.  This still needs some tweaking to present it better, but this will do the basics.
    Note that this is two parts.  String all the code from this post and the next into one ps1.
```csharp
$NativeWifiCode = @'
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Net.NetworkInformation;
using System.Threading;
using System.Text;
using System.Diagnostics;

namespace NativeWifi
{
    /// <summary>
    /// Represents a client to the Zeroconf (Native Wifi) service.
    /// </summary>
    /// <remarks>
    /// This class is the entrypoint to Native Wifi management. To manage WiFi settings, create an instance
    /// of this class.
    /// </remarks>
    public static class Wlan
    {
        #region P/Invoke API
        /// <summary>
        /// Defines various opcodes used to set and query parameters for an interface.
        /// </summary>
        /// <remarks>
        /// Corresponds to the native <c>WLAN_INTF_OPCODE</c> type.
        /// </remarks>
        public enum WlanIntfOpcode
        {
            /// <summary>
            /// Opcode used to set or query whether auto config is enabled.
            /// </summary>
            AutoconfEnabled = 1,
            /// <summary>
            /// Opcode used to set or query whether background scan is enabled.
            /// </summary>
            BackgroundScanEnabled,
            /// <summary>
            /// Opcode used to set or query the media streaming mode of the driver.
            /// </summary>
            MediaStreamingMode,
            /// <summary>
            /// Opcode used to set or query the radio state.
            /// </summary>
            RadioState,
            /// <summary>
            /// Opcode used to set or query the BSS type of the interface.
            /// </summary>
            BssType,
            /// <summary>
            /// Opcode used to query the state of the interface.
            /// </summary>
            InterfaceState,
            /// <summary>
            /// Opcode used to query information about the current connection of the interface.
            /// </summary>
            CurrentConnection,
            /// <summary>
            /// Opcode used to query the current channel on which the wireless interface is operating.
            /// </summary>
            ChannelNumber,
            /// <summary>
            /// Opcode used to query the supported auth/cipher pairs for infrastructure mode.
            /// </summary>
            SupportedInfrastructureAuthCipherPairs,
            /// <summary>
            /// Opcode used to query the supported auth/cipher pairs for ad hoc mode.
            /// </summary>
            SupportedAdhocAuthCipherPairs,
            /// <summary>
            /// Opcode used to query the list of supported country or region strings.
            /// </summary>
            SupportedCountryOrRegionStringList,
            /// <summary>
            /// Opcode used to set or query the current operation mode of the wireless interface.
            /// </summary>
            CurrentOperationMode,
            /// <summary>
            /// Opcode used to query driver statistics.
            /// </summary>
            Statistics = 0x10000101,
            /// <summary>
            /// Opcode used to query the received signal strength.
            /// </summary>
            RSSI,
            SecurityStart = 0x20010000,
            SecurityEnd = 0x2fffffff,
            IhvStart = 0x30000000,
            IhvEnd = 0x3fffffff
        }

        /// <summary>
        /// Specifies the origin of automatic configuration (auto config) settings.
        /// </summary>
        /// <remarks>
        /// Corresponds to the native <c>WLAN_OPCODE_VALUE_TYPE</c> type.
        /// </remarks>
        public enum WlanOpcodeValueType
        {
            /// <summary>
            /// The auto config settings were queried, but the origin of the settings was not determined.
            /// </summary>
            QueryOnly = 0,
            /// <summary>
            /// The auto config settings were set by group policy.
            /// </summary>
            SetByGroupPolicy = 1,
            /// <summary>
            /// The auto config settings were set by the user.
            /// </summary>
            SetByUser = 2,
            /// <summary>
            /// The auto config settings are invalid.
            /// </summary>
            Invalid = 3
        }

        public const uint WLAN_CLIENT_VERSION_XP_SP2 = 1;
        public const uint WLAN_CLIENT_VERSION_LONGHORN = 2;

        [DllImport("wlanapi.dll")]
        public static extern int WlanOpenHandle(
            [In] UInt32 clientVersion,
            [In, Out] IntPtr pReserved,
            [Out] out UInt32 negotiatedVersion,
            [Out] out IntPtr clientHandle);

        [DllImport("wlanapi.dll")]
        public static extern int WlanCloseHandle(
            [In] IntPtr clientHandle,
            [In, Out] IntPtr pReserved);

        [DllImport("wlanapi.dll")]
        public static extern int WlanEnumInterfaces(
            [In] IntPtr clientHandle,
            [In, Out] IntPtr pReserved,
            [Out] out IntPtr ppInterfaceList);

        [DllImport("wlanapi.dll")]
        public static extern int WlanQueryInterface(
            [In] IntPtr clientHandle,
            [In, MarshalAs(UnmanagedType.LPStruct)] Guid interfaceGuid,
            [In] WlanIntfOpcode opCode,
            [In, Out] IntPtr pReserved,
            [Out] out int dataSize,
            [Out] out IntPtr ppData,
            [Out] out WlanOpcodeValueType wlanOpcodeValueType);

        [DllImport("wlanapi.dll")]
        public static extern int WlanSetInterface(
            [In] IntPtr clientHandle,
            [In, MarshalAs(UnmanagedType.LPStruct)] Guid interfaceGuid,
            [In] WlanIntfOpcode opCode,
            [In] uint dataSize,
            [In] IntPtr pData,
            [In, Out] IntPtr pReserved);

        /// <param name="pDot11Ssid">Not supported on Windows XP SP2: must be a <c>null</c> reference.</param>
        /// <param name="pIeData">Not supported on Windows XP SP2: must be a <c>null</c> reference.</param>
        [DllImport("wlanapi.dll")]
        public static extern int WlanScan(
            [In] IntPtr clientHandle,
            [In, MarshalAs(UnmanagedType.LPStruct)] Guid interfaceGuid,
            [In] IntPtr pDot11Ssid,
            [In] IntPtr pIeData,
            [In, Out] IntPtr pReserved);

        /// <summary>
        /// Defines flags passed to <see cref="WlanGetAvailableNetworkList"/>.
        /// </summary>
        [Flags]
        public enum WlanGetAvailableNetworkFlags
        {
            /// <summary>
            /// Include all ad-hoc network profiles in the available network list, including profiles that are not visible.
            /// </summary>
            IncludeAllAdhocProfiles = 0x00000001,
            /// <summary>
            /// Include all hidden network profiles in the available network list, including profiles that are not visible.
            /// </summary>
            IncludeAllManualHiddenProfiles = 0x00000002
        }

        /// <summary>
        /// The header of an array of information about available networks.
        /// </summary>
        [StructLayout(LayoutKind.Sequential)]
        internal struct WlanAvailableNetworkListHeader
        {
            /// <summary>
            /// Contains the number of <see cref="WlanAvailableNetwork"/> items following the header.
            /// </summary>
            public uint numberOfItems;
            /// <summary>
            /// The index of the current item. The index of the first item is 0.
            /// </summary>
            public uint index;
        }

        /// <summary>
        /// Defines the flags which specify characteristics of an available network.
        /// </summary>
        [Flags]
        public enum WlanAvailableNetworkFlags
        {
            /// <summary>
            /// This network is currently connected.
            /// </summary>
            Connected = 0x00000001,
            /// <summary>
            /// There is a profile for this network.
            /// </summary>
            HasProfile = 0x00000002
        }

        /// <summary>
        /// Contains information about an available wireless network.
        /// </summary>
        [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
        public struct WlanAvailableNetwork
        {
            /// <summary>
            /// Contains the profile name associated with the network.
            /// If the network doesn't have a profile, this member will be empty.
            /// If multiple profiles are associated with the network, there will be multiple entries with the same SSID in the visible network list. Profile names are case-sensitive.
            /// </summary>
            [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 256)]
            public string profileName;
            /// <summary>
            /// Contains the SSID of the visible wireless network.
            /// </summary>
            public Dot11Ssid dot11Ssid;
            /// <summary>
            /// Specifies whether the network is an infrastructure or an ad-hoc one.
            /// </summary>
            public Dot11BssType dot11BssType;
            /// <summary>
            /// Indicates the number of BSSIDs in the network.
            /// </summary>
            public uint numberOfBssids;
            /// <summary>
            /// Indicates whether the network is connectable.
            /// </summary>
            public bool networkConnectable;
            /// <summary>
            /// Indicates why a network cannot be connected to. This member is only valid when <see cref="networkConnectable"/> is <c>false</c>.
            /// </summary>
            public WlanReasonCode wlanNotConnectableReason;
            /// <summary>
            /// The number of PHY types supported on available networks.
            /// The maximum value of this field is 8. If more than 8 PHY types are supported, <see cref="morePhyTypes"/> must be set to <c>true</c>.
            /// </summary>
            private uint numberOfPhyTypes;
            /// <summary>
            /// Contains an array of <see cref="Dot11PhyType"/> values that represent the PHY types supported by the available networks.
            /// When <see cref="numberOfPhyTypes"/> is greater than 8, this array contains only the first 8 PHY types.
            /// </summary>
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
            private Dot11PhyType[] dot11PhyTypes;
            /// <summary>
            /// Gets the <see cref="Dot11PhyType"/> values that represent the PHY types supported by the available networks.
            /// </summary>
            public Dot11PhyType[] Dot11PhyTypes
            {
                get
                {
                    Dot11PhyType[] ret = new Dot11PhyType[numberOfPhyTypes];
                    Array.Copy(dot11PhyTypes, ret, numberOfPhyTypes);
                    return ret;
                }
            }
            /// <summary>
            /// Specifies if there are more than 8 PHY types supported.
            /// When this member is set to <c>true</c>, an application must call <see cref="WlanClient.WlanInterface.GetNetworkBssList"/> to get the complete list of PHY types.
            /// <see cref="WlanBssEntry.phyId"/> contains the PHY type for an entry.
            /// </summary>
            public bool morePhyTypes;
            /// <summary>
            /// A percentage value that represents the signal quality of the network.
            /// This field contains a value between 0 and 100.
            /// A value of 0 implies an actual RSSI signal strength of -100 dbm.
            /// A value of 100 implies an actual RSSI signal strength of -50 dbm.
            /// You can calculate the RSSI signal strength value for values between 1 and 99 using linear interpolation.
            /// </summary>
            public uint wlanSignalQuality;
            /// <summary>
            /// Indicates whether security is enabled on the network.
            /// </summary>
            public bool securityEnabled;
            /// <summary>
            /// Indicates the default authentication algorithm used to join this network for the first time.
            /// </summary>
            public Dot11AuthAlgorithm dot11DefaultAuthAlgorithm;
            /// <summary>
            /// Indicates the default cipher algorithm to be used when joining this network.
            /// </summary>
            public Dot11CipherAlgorithm dot11DefaultCipherAlgorithm;
            /// <summary>
            /// Contains various flags specifying characteristics of the available network.
            /// </summary>
            public WlanAvailableNetworkFlags flags;
            /// <summary>
            /// Reserved for future use. Must be set to NULL.
            /// </summary>
            uint reserved;
        }

        [DllImport("wlanapi.dll")]
        public static extern int WlanGetAvailableNetworkList(
            [In] IntPtr clientHandle,
            [In, MarshalAs(UnmanagedType.LPStruct)] Guid interfaceGuid,
            [In] WlanGetAvailableNetworkFlags flags,
            [In, Out] IntPtr reservedPtr,
            [Out] out IntPtr availableNetworkListPtr);

        [Flags]
        public enum WlanProfileFlags
        {
            /// <remarks>
            /// The only option available on Windows XP SP2.
            /// </remarks>
            AllUser = 0,
            GroupPolicy = 1,
            User = 2
        }

        [DllImport("wlanapi.dll")]
        public static extern int WlanSetProfile(
            [In] IntPtr clientHandle,
            [In, MarshalAs(UnmanagedType.LPStruct)] Guid interfaceGuid,
            [In] WlanProfileFlags flags,
            [In, MarshalAs(UnmanagedType.LPWStr)] string profileXml,
            [In, Optional, MarshalAs(UnmanagedType.LPWStr)] string allUserProfileSecurity,
            [In] bool overwrite,
            [In] IntPtr pReserved,
            [Out] out WlanReasonCode reasonCode);

        /// <summary>
        /// Defines the access mask of an all-user profile.
        /// </summary>
        [Flags]
        public enum WlanAccess
        {
            /// <summary>
            /// The user can view profile permissions.
            /// </summary>
            ReadAccess = 0x00020000 | 0x0001,
            /// <summary>
            /// The user has read access, and the user can also connect to and disconnect from a network using the profile.
            /// </summary>
            ExecuteAccess = ReadAccess | 0x0020,
            /// <summary>
            /// The user has execute access and the user can also modify and delete permissions associated with a profile.
            /// </summary>
            WriteAccess = ReadAccess | ExecuteAccess | 0x0002 | 0x00010000 | 0x00040000
        }

        /// <param name="flags">Not supported on Windows XP SP2: must be a <c>null</c> reference.</param>
        [DllImport("wlanapi.dll")]
        public static extern int WlanGetProfile(
            [In] IntPtr clientHandle,
            [In, MarshalAs(UnmanagedType.LPStruct)] Guid interfaceGuid,
            [In, MarshalAs(UnmanagedType.LPWStr)] string profileName,
            [In] IntPtr pReserved,
            [Out] out IntPtr profileXml,
            [Out, Optional] out WlanProfileFlags flags,
            [Out, Optional] out WlanAccess grantedAccess);

        [DllImport("wlanapi.dll")]
        public static extern int WlanGetProfileList(
            [In] IntPtr clientHandle,
            [In, MarshalAs(UnmanagedType.LPStruct)] Guid interfaceGuid,
            [In] IntPtr pReserved,
            [Out] out IntPtr profileList);

        [DllImport("wlanapi.dll")]
        public static extern void WlanFreeMemory(IntPtr pMemory);

        [DllImport("wlanapi.dll")]
        public static extern int WlanReasonCodeToString(
            [In] WlanReasonCode reasonCode,
            [In] int bufferSize,
            [In, Out] StringBuilder stringBuffer,
            IntPtr pReserved);

        /// <summary>
        /// Defines the mask which specifies where a notification comes from.
        /// </summary>
        [Flags]
        public enum WlanNotificationSource
        {
            None = 0,
            /// <summary>
            /// All notifications, including those generated by the 802.1X module.
            /// </summary>
            All = 0X0000FFFF,
            /// <summary>
            /// Notifications generated by the auto configuration module.
            /// </summary>
            ACM = 0X00000008,
            /// <summary>
            /// Notifications generated by MSM.
            /// </summary>
            MSM = 0X00000010,
            /// <summary>
            /// Notifications generated by the security module.
            /// </summary>
            Security = 0X00000020,
            /// <summary>
            /// Notifications generated by independent hardware vendors (IHV).
            /// </summary>
            IHV = 0X00000040
        }

        /// <summary>
        /// Defines the types of ACM (<see cref="WlanNotificationSource.ACM"/>) notifications.
        /// </summary>
        /// <remarks>
        /// The enumeration identifiers correspond to the native <c>wlan_notification_acm_</c> identifiers.
        /// On Windows XP SP2, only the <c>ConnectionComplete</c> and <c>Disconnected</c> notifications are available.
        /// </remarks>
        public enum WlanNotificationCodeAcm
        {
            AutoconfEnabled = 1,
            AutoconfDisabled,
            BackgroundScanEnabled,
            BackgroundScanDisabled,
            BssTypeChange,
            PowerSettingChange,
            ScanComplete,
            ScanFail,
            ConnectionStart,
            ConnectionComplete,
            ConnectionAttemptFail,
            FilterListChange,
            InterfaceArrival,
            InterfaceRemoval,
            ProfileChange,
            ProfileNameChange,
            ProfilesExhausted,
            NetworkNotAvailable,
            NetworkAvailable,
            Disconnecting,
            Disconnected,
            AdhocNetworkStateChange
        }

        /// <summary>
        /// Defines the types of an MSM (<see cref="WlanNotificationSource.MSM"/>) notifications.
        /// </summary>
        /// <remarks>
        /// The enumeration identifiers correspond to the native <c>wlan_notification_msm_</c> identifiers.
        /// </remarks>
        public enum WlanNotificationCodeMsm
        {
            Associating = 1,
            Associated,
            Authenticating,
            Connected,
            RoamingStart,
            RoamingEnd,
            RadioStateChange,
            SignalQualityChange,
            Disassociating,
            Disconnected,
            PeerJoin,
            PeerLeave,
            AdapterRemoval,
            AdapterOperationModeChange
        }

        /// <summary>
        /// Contains information provided when registering for WLAN notifications.
        /// </summary>
        /// <remarks>
        /// Corresponds to the native <c>WLAN_NOTIFICATION_DATA</c> type.
        /// </remarks>
        [StructLayout(LayoutKind.Sequential)]
        public struct WlanNotificationData
        {
            /// <summary>
            /// Specifies where the notification comes from.
            /// </summary>
            /// <remarks>
            /// On Windows XP SP2, this field must be set to <see cref="WlanNotificationSource.None"/>, <see cref="WlanNotificationSource.All"/> or <see cref="WlanNotificationSource.ACM"/>.
            /// </remarks>
            public WlanNotificationSource notificationSource;
            /// <summary>
            /// Indicates the type of notification. The value of this field indicates what type of associated data will be present in <see cref="dataPtr"/>.
            /// </summary>
            public int notificationCode;
            /// <summary>
            /// Indicates which interface the notification is for.
            /// </summary>
            public Guid interfaceGuid;
            /// <summary>
            /// Specifies the size of <see cref="dataPtr"/>, in bytes.
            /// </summary>
            public int dataSize;
            /// <summary>
            /// Pointer to additional data needed for the notification, as indicated by <see cref="notificationCode"/>.
            /// </summary>
            public IntPtr dataPtr;

            /// <summary>
            /// Gets the notification code (in the correct enumeration type) according to the notification source.
            /// </summary>
            public object NotificationCode
            {
                get
                {
                    switch (notificationSource)
                    {
                        case WlanNotificationSource.MSM:
                            return (WlanNotificationCodeMsm)notificationCode;
                        case WlanNotificationSource.ACM:
                            return (WlanNotificationCodeAcm)notificationCode;
                        default:
                            return notificationCode;
                    }
                }
            }
        }

        /// <summary>
        /// Defines the callback function which accepts WLAN notifications.
        /// </summary>
        public delegate void WlanNotificationCallbackDelegate(ref WlanNotificationData notificationData, IntPtr context);

        [DllImport("wlanapi.dll")]
        public static extern int WlanRegisterNotification(
            [In] IntPtr clientHandle,
            [In] WlanNotificationSource notifSource,
            [In] bool ignoreDuplicate,
            [In] WlanNotificationCallbackDelegate funcCallback,
            [In] IntPtr callbackContext,
            [In] IntPtr reserved,
            [Out] out WlanNotificationSource prevNotifSource);

        /// <summary>
        /// Defines flags which affect connecting to a WLAN network.
        /// </summary>
        [Flags]
        public enum WlanConnectionFlags
        {
            /// <summary>
            /// Connect to the destination network even if the destination is a hidden network. A hidden network does not broadcast its SSID. Do not use this flag if the destination network is an ad-hoc network.
            /// <para>If the profile specified by <see cref="WlanConnectionParameters.profile"/> is not <c>null</c>, then this flag is ignored and the nonBroadcast profile element determines whether to connect to a hidden network.</para>
            /// </summary>
            HiddenNetwork = 0x00000001,
            /// <summary>
            /// Do not form an ad-hoc network. Only join an ad-hoc network if the network already exists. Do not use this flag if the destination network is an infrastructure network.
            /// </summary>
            AdhocJoinOnly = 0x00000002,
            /// <summary>
            /// Ignore the privacy bit when connecting to the network. Ignoring the privacy bit has the effect of ignoring whether packets are encrypted and ignoring the method of encryption used. Only use this flag when connecting to an infrastructure network using a temporary profile.
            /// </summary>
            IgnorePrivacyBit = 0x00000004,
            /// <summary>
            /// Exempt EAPOL traffic from encryption and decryption. This flag is used when an application must send EAPOL traffic over an infrastructure network that uses Open authentication and WEP encryption. This flag must not be used to connect to networks that require 802.1X authentication. This flag is only valid when <see cref="WlanConnectionParameters.wlanConnectionMode"/> is set to <see cref="WlanConnectionMode.TemporaryProfile"/>. Avoid using this flag whenever possible.
            /// </summary>
            EapolPassthrough = 0x00000008
        }

        /// <summary>
        /// Specifies the parameters used when using the <see cref="WlanConnect"/> function.
        /// </summary>
        /// <remarks>
        /// Corresponds to the native <c>WLAN_CONNECTION_PARAMETERS</c> type.
        /// </remarks>
        [StructLayout(LayoutKind.Sequential)]
        public struct WlanConnectionParameters
        {
            /// <summary>
            /// Specifies the mode of connection.
            /// </summary>
            public WlanConnectionMode wlanConnectionMode;
            /// <summary>
            /// Specifies the profile being used for the connection.
            /// The contents of the field depend on the <see cref="wlanConnectionMode"/>:
            /// <list type="table">
            /// <listheader>
            /// <term>Value of <see cref="wlanConnectionMode"/></term>
            /// <description>Contents of the profile string</description>
            /// </listheader>
            /// <item>
            /// <term><see cref="WlanConnectionMode.Profile"/></term>
            /// <description>The name of the profile used for the connection.</description>
            /// </item>
            /// <item>
            /// <term><see cref="WlanConnectionMode.TemporaryProfile"/></term>
            /// <description>The XML representation of the profile used for the connection.</description>
            /// </item>
            /// <item>
            /// <term><see cref="WlanConnectionMode.DiscoverySecure"/>, <see cref="WlanConnectionMode.DiscoveryUnsecure"/> or <see cref="WlanConnectionMode.Auto"/></term>
            /// <description><c>null</c></description>
            /// </item>
            /// </list>
            /// </summary>
            [MarshalAs(UnmanagedType.LPWStr)]
            public string profile;
            /// <summary>
            /// Pointer to a <see cref="Dot11Ssid"/> structure that specifies the SSID of the network to connect to.
            /// This field is optional. When set to <c>null</c>, all SSIDs in the profile will be tried.
            /// This field must not be <c>null</c> if <see cref="wlanConnectionMode"/> is set to <see cref="WlanConnectionMode.DiscoverySecure"/> or <see cref="WlanConnectionMode.DiscoveryUnsecure"/>.
            /// </summary>
            public IntPtr dot11SsidPtr;
            /// <summary>
            /// Pointer to a <c>Dot11BssidList</c> structure that contains the list of basic service set (BSS) identifiers desired for the connection.
            /// </summary>
            /// <remarks>
            /// On Windows XP SP2, must be set to <c>null</c>.
            /// </remarks>
            public IntPtr desiredBssidListPtr;
            /// <summary>
            /// A <see cref="Dot11BssType"/> value that indicates the BSS type of the network. If a profile is provided, this BSS type must be the same as the one in the profile.
            /// </summary>
            public Dot11BssType dot11BssType;
            /// <summary>
            /// Specifies connection parameters.
            /// </summary>
            /// <remarks>
            /// On Windows XP SP2, must be set to 0.
            /// </remarks>
            public WlanConnectionFlags flags;
        }

        /// <summary>
        /// The connection state of an ad hoc network.
        /// </summary>
        public enum WlanAdhocNetworkState
        {
            /// <summary>
            /// The ad hoc network has been formed, but no client or host is connected to the network.
            /// </summary>
            Formed = 0,
            /// <summary>
            /// A client or host is connected to the ad hoc network.
            /// </summary>
            Connected = 1
        }

        [DllImport("wlanapi.dll")]
        public static extern int WlanConnect(
            [In] IntPtr clientHandle,
            [In, MarshalAs(UnmanagedType.LPStruct)] Guid interfaceGuid,
            [In] ref WlanConnectionParameters connectionParameters,
            IntPtr pReserved);

        [DllImport("wlanapi.dll")]
        public static extern int WlanDeleteProfile(
            [In] IntPtr clientHandle,
            [In, MarshalAs(UnmanagedType.LPStruct)] Guid interfaceGuid,
            [In, MarshalAs(UnmanagedType.LPWStr)] string profileName,
            IntPtr reservedPtr);

        [DllImport("wlanapi.dll")]
        public static extern int WlanGetNetworkBssList(
            [In] IntPtr clientHandle,
            [In, MarshalAs(UnmanagedType.LPStruct)] Guid interfaceGuid,
            [In] IntPtr dot11SsidInt,
            [In] Dot11BssType dot11BssType,
            [In] bool securityEnabled,
            IntPtr reservedPtr,
            [Out] out IntPtr wlanBssList);

        [StructLayout(LayoutKind.Sequential)]
        internal struct WlanBssListHeader
        {
            internal uint totalSize;
            internal uint numberOfItems;
        }

        /// <summary>
        /// Contains information about a basic service set (BSS).
        /// </summary>
        [StructLayout(LayoutKind.Sequential)]
        public struct WlanBssEntry
        {
            /// <summary>
            /// Contains the SSID of the access point (AP) associated with the BSS.
            /// </summary>
            public Dot11Ssid dot11Ssid;
            /// <summary>
            /// The identifier of the PHY on which the AP is operating.
            /// </summary>
            public uint phyId;
            /// <summary>
            /// Contains the BSS identifier.
            /// </summary>
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 6)]
            public byte[] dot11Bssid;
            /// <summary>
            /// Specifies whether the network is infrastructure or ad hoc.
            /// </summary>
            public Dot11BssType dot11BssType;
            public Dot11PhyType dot11BssPhyType;
            /// <summary>
            /// The received signal strength in dBm.
            /// </summary>
            public int rssi;
            /// <summary>
            /// The link quality reported by the driver. Ranges from 0-100.
            /// </summary>
            public uint linkQuality;
            /// <summary>
            /// If 802.11d is not implemented, the network interface card (NIC) must set this field to TRUE. If 802.11d is implemented (but not necessarily enabled), the NIC must set this field to TRUE if the BSS operation complies with the configured regulatory domain.
            /// </summary>
            public bool inRegDomain;
            /// <summary>
            /// Contains the beacon interval value from the beacon packet or probe response.
            /// </summary>
            public ushort beaconPeriod;
            /// <summary>
            /// The timestamp from the beacon packet or probe response.
            /// </summary>
            public ulong timestamp;
            /// <summary>
            /// The host timestamp value when the beacon or probe response is received.
            /// </summary>
            public ulong hostTimestamp;
            /// <summary>
            /// The capability value from the beacon packet or probe response.
            /// </summary>
            public ushort capabilityInformation;
            /// <summary>
            /// The frequency of the center channel, in kHz.
            /// </summary>
            public uint chCenterFrequency;
            /// <summary>
            /// Contains the set of data transfer rates supported by the BSS.
            /// </summary>
            public WlanRateSet wlanRateSet;
            /// <summary>
            /// The offset of the information element (IE) data blob.
            /// </summary>
            public uint ieOffset;
            /// <summary>
            /// The size of the IE data blob, in bytes.
            /// </summary>
```
    public uint ieSize;
    /// <summary>
    /// Contains the set of supported data rates.
    /// </summary>
    [StructLayout(LayoutKind.Sequential)]
    public struct WlanRateSet
    /// <summary>
    /// The length, in bytes, of <see cref="rateSet"/>.
    /// </summary>
    private uint rateSetLength;
    /// <summary>
    /// An array of supported data transfer rates.
    /// </summary>
    [MarshalAs(UnmanagedType.ByValArray, SizeConst = 126)]
    private ushort[] rateSet;
    /// <summary>
    /// Gets an array of supported data transfer rates.
    /// If the rate is a basic rate, the first bit of the rate value is set to 1.
    /// A basic rate is the data transfer rate that all stations in a basic service set (BSS) can use to receive frames from the wireless medium.
    /// </summary>
    public ushort[] Rates
    get
    ushort[] rates = new ushort[rateSetLength / sizeof(ushort)];
    Array.Copy(rateSet, rates, rates.Length);
    return rates;
    /// <summary>
    /// Calculates the data transfer rate in mbit/s for a supported rate.
    /// </summary>
    /// <param name="rateIndex">The WLAN rate index (0-based).</param>
    /// <returns>The data transfer rate in mbit/s.</returns>
    /// <exception cref="ArgumentOutOfRangeException">Thrown if <param name="rateIndex"/> does not specify an existing rate.</exception>
    public double GetRateInMbps(int rateIndex)
    if ((rateIndex < 0) || (rateIndex > rateSet.Length))
    throw new ArgumentOutOfRangeException("rateIndex");
    return (rateSet[rateIndex] & 0x7FFF) * 0.5;
    /// <summary>
    /// Represents an error occuring during WLAN operations which indicate their failure via a <see cref="WlanReasonCode"/>.
    /// </summary>
    public class WlanException : Exception
    private readonly WlanReasonCode reasonCode;
    public WlanException(WlanReasonCode reasonCode)
    this.reasonCode = reasonCode;
    /// <summary>
    /// Gets the WLAN reason code.
    /// </summary>
    /// <value>The WLAN reason code.</value>
    public WlanReasonCode ReasonCode
    get { return reasonCode; }
    /// <summary>
    /// Gets a message that describes the reason code.
    /// </summary>
    /// <value></value>
    /// <returns>The error message that explains the reason for the exception, or an empty string("").</returns>
    public override string Message
    get
    StringBuilder sb = new StringBuilder(1024);
    return
    WlanReasonCodeToString(reasonCode, sb.Capacity, sb, IntPtr.Zero) == 0 ?
    sb.ToString() :
    string.Empty;
    // TODO: .NET-ify the WlanReasonCode enum (naming convention + docs).
    /// <summary>
    /// Defines reasons for a failure of a WLAN operation.
    /// </summary>
    /// <remarks>
    /// Corresponds to the native reason code identifiers (<c>WLAN_REASON_CODE_xxx</c> identifiers).
    /// </remarks>
    public enum WlanReasonCode
    Success = 0,
    // general codes
    UNKNOWN = 0x10000 + 1,
    RANGE_SIZE = 0x10000,
    BASE = 0x10000 + RANGE_SIZE,
    // range for Auto Config
    AC_BASE = 0x10000 + RANGE_SIZE,
    AC_CONNECT_BASE = (AC_BASE + RANGE_SIZE / 2),
    AC_END = (AC_BASE + RANGE_SIZE - 1),
    // range for profile manager
    // it has profile adding failure reason codes, but may not have
    // connection reason codes
    PROFILE_BASE = 0x10000 + (7 * RANGE_SIZE),
    PROFILE_CONNECT_BASE = (PROFILE_BASE + RANGE_SIZE / 2),
    PROFILE_END = (PROFILE_BASE + RANGE_SIZE - 1),
    // range for MSM
    MSM_BASE = 0x10000 + (2 * RANGE_SIZE),
    MSM_CONNECT_BASE = (MSM_BASE + RANGE_SIZE / 2),
    MSM_END = (MSM_BASE + RANGE_SIZE - 1),
    // range for MSMSEC
    MSMSEC_BASE = 0x10000 + (3 * RANGE_SIZE),
    MSMSEC_CONNECT_BASE = (MSMSEC_BASE + RANGE_SIZE / 2),
    MSMSEC_END = (MSMSEC_BASE + RANGE_SIZE - 1),
    // AC network incompatible reason codes
    NETWORK_NOT_COMPATIBLE = (AC_BASE + 1),
    PROFILE_NOT_COMPATIBLE = (AC_BASE + 2),
    // AC connect reason code
    NO_AUTO_CONNECTION = (AC_CONNECT_BASE + 1),
    NOT_VISIBLE = (AC_CONNECT_BASE + 2),
    GP_DENIED = (AC_CONNECT_BASE + 3),
    USER_DENIED = (AC_CONNECT_BASE + 4),
    BSS_TYPE_NOT_ALLOWED = (AC_CONNECT_BASE + 5),
    IN_FAILED_LIST = (AC_CONNECT_BASE + 6),
    IN_BLOCKED_LIST = (AC_CONNECT_BASE + 7),
    SSID_LIST_TOO_LONG = (AC_CONNECT_BASE + 8),
    CONNECT_CALL_FAIL = (AC_CONNECT_BASE + 9),
    SCAN_CALL_FAIL = (AC_CONNECT_BASE + 10),
    NETWORK_NOT_AVAILABLE = (AC_CONNECT_BASE + 11),
    PROFILE_CHANGED_OR_DELETED = (AC_CONNECT_BASE + 12),
    KEY_MISMATCH = (AC_CONNECT_BASE + 13),
    USER_NOT_RESPOND = (AC_CONNECT_BASE + 14),
    // Profile validation errors
    INVALID_PROFILE_SCHEMA = (PROFILE_BASE + 1),
    PROFILE_MISSING = (PROFILE_BASE + 2),
    INVALID_PROFILE_NAME = (PROFILE_BASE + 3),
    INVALID_PROFILE_TYPE = (PROFILE_BASE + 4),
    INVALID_PHY_TYPE = (PROFILE_BASE + 5),
    MSM_SECURITY_MISSING = (PROFILE_BASE + 6),
    IHV_SECURITY_NOT_SUPPORTED = (PROFILE_BASE + 7),
    IHV_OUI_MISMATCH = (PROFILE_BASE + 8),
    // IHV OUI not present but there is IHV settings in profile
    IHV_OUI_MISSING = (PROFILE_BASE + 9),
    // IHV OUI is present but there is no IHV settings in profile
    IHV_SETTINGS_MISSING = (PROFILE_BASE + 10),
    // both/conflict MSMSec and IHV security settings exist in profile
    CONFLICT_SECURITY = (PROFILE_BASE + 11),
    // no IHV or MSMSec security settings in profile
    SECURITY_MISSING = (PROFILE_BASE + 12),
    INVALID_BSS_TYPE = (PROFILE_BASE + 13),
    INVALID_ADHOC_CONNECTION_MODE = (PROFILE_BASE + 14),
    NON_BROADCAST_SET_FOR_ADHOC = (PROFILE_BASE + 15),
    AUTO_SWITCH_SET_FOR_ADHOC = (PROFILE_BASE + 16),
    AUTO_SWITCH_SET_FOR_MANUAL_CONNECTION = (PROFILE_BASE + 17),
    IHV_SECURITY_ONEX_MISSING = (PROFILE_BASE + 18),
    PROFILE_SSID_INVALID = (PROFILE_BASE + 19),
    TOO_MANY_SSID = (PROFILE_BASE + 20),
    // MSM network incompatible reasons
    UNSUPPORTED_SECURITY_SET_BY_OS = (MSM_BASE + 1),
    UNSUPPORTED_SECURITY_SET = (MSM_BASE + 2),
    BSS_TYPE_UNMATCH = (MSM_BASE + 3),
    PHY_TYPE_UNMATCH = (MSM_BASE + 4),
    DATARATE_UNMATCH = (MSM_BASE + 5),
    // MSM connection failure reasons, to be defined
    // failure reason codes
    // user called to disconnect
    USER_CANCELLED = (MSM_CONNECT_BASE + 1),
    // got disconnect while associating
    ASSOCIATION_FAILURE = (MSM_CONNECT_BASE + 2),
    // timeout for association
    ASSOCIATION_TIMEOUT = (MSM_CONNECT_BASE + 3),
    // pre-association security completed with failure
    PRE_SECURITY_FAILURE = (MSM_CONNECT_BASE + 4),
    // fail to start post-association security
    START_SECURITY_FAILURE = (MSM_CONNECT_BASE + 5),
    // post-association security completed with failure
    SECURITY_FAILURE = (MSM_CONNECT_BASE + 6),
    // security watchdog timeout
    SECURITY_TIMEOUT = (MSM_CONNECT_BASE + 7),
    // got disconnect from driver when roaming
    ROAMING_FAILURE = (MSM_CONNECT_BASE + 8),
    // failed to start security for roaming
    ROAMING_SECURITY_FAILURE = (MSM_CONNECT_BASE + 9),
    // failed to start security for adhoc-join
    ADHOC_SECURITY_FAILURE = (MSM_CONNECT_BASE + 10),
    // got disconnection from driver
    DRIVER_DISCONNECTED = (MSM_CONNECT_BASE + 11),
    // driver operation failed
    DRIVER_OPERATION_FAILURE = (MSM_CONNECT_BASE + 12),
    // Ihv service is not available
    IHV_NOT_AVAILABLE = (MSM_CONNECT_BASE + 13),
    // Response from ihv timed out
    IHV_NOT_RESPONDING = (MSM_CONNECT_BASE + 14),
    // Timed out waiting for driver to disconnect
    DISCONNECT_TIMEOUT = (MSM_CONNECT_BASE + 15),
    // An internal error prevented the operation from being completed.
    INTERNAL_FAILURE = (MSM_CONNECT_BASE + 16),
    // UI Request timed out.
    UI_REQUEST_TIMEOUT = (MSM_CONNECT_BASE + 17),
    // Roaming too often, post security is not completed after 5 times.
    TOO_MANY_SECURITY_ATTEMPTS = (MSM_CONNECT_BASE + 18),
    // MSMSEC reason codes
    MSMSEC_MIN = MSMSEC_BASE,
    // Key index specified is not valid
    MSMSEC_PROFILE_INVALID_KEY_INDEX = (MSMSEC_BASE + 1),
    // Key required, PSK present
    MSMSEC_PROFILE_PSK_PRESENT = (MSMSEC_BASE + 2),
    // Invalid key length
    MSMSEC_PROFILE_KEY_LENGTH = (MSMSEC_BASE + 3),
    // Invalid PSK length
    MSMSEC_PROFILE_PSK_LENGTH = (MSMSEC_BASE + 4),
    // No auth/cipher specified
    MSMSEC_PROFILE_NO_AUTH_CIPHER_SPECIFIED = (MSMSEC_BASE + 5),
    // Too many auth/cipher specified
    MSMSEC_PROFILE_TOO_MANY_AUTH_CIPHER_SPECIFIED = (MSMSEC_BASE + 6),
    // Profile contains duplicate auth/cipher
    MSMSEC_PROFILE_DUPLICATE_AUTH_CIPHER = (MSMSEC_BASE + 7),
    // Profile raw data is invalid (1x or key data)
    MSMSEC_PROFILE_RAWDATA_INVALID = (MSMSEC_BASE + 8),
    // Invalid auth/cipher combination
    MSMSEC_PROFILE_INVALID_AUTH_CIPHER = (MSMSEC_BASE + 9),
    // 802.1x disabled when it's required to be enabled
    MSMSEC_PROFILE_ONEX_DISABLED = (MSMSEC_BASE + 10),
    // 802.1x enabled when it's required to be disabled
    MSMSEC_PROFILE_ONEX_ENABLED = (MSMSEC_BASE + 11),
    MSMSEC_PROFILE_INVALID_PMKCACHE_MODE = (MSMSEC_BASE + 12),
    MSMSEC_PROFILE_INVALID_PMKCACHE_SIZE = (MSMSEC_BASE + 13),
    MSMSEC_PROFILE_INVALID_PMKCACHE_TTL = (MSMSEC_BASE + 14),
    MSMSEC_PROFILE_INVALID_PREAUTH_MODE = (MSMSEC_BASE + 15),
    MSMSEC_PROFILE_INVALID_PREAUTH_THROTTLE = (MSMSEC_BASE + 16),
    // PreAuth enabled when PMK cache is disabled
    MSMSEC_PROFILE_PREAUTH_ONLY_ENABLED = (MSMSEC_BASE + 17),
    // Capability matching failed at network
    MSMSEC_CAPABILITY_NETWORK = (MSMSEC_BASE + 18),
    // Capability matching failed at NIC
    MSMSEC_CAPABILITY_NIC = (MSMSEC_BASE + 19),
    // Capability matching failed at profile
    MSMSEC_CAPABILITY_PROFILE = (MSMSEC_BASE + 20),
    // Network does not support specified discovery type
    MSMSEC_CAPABILITY_DISCOVERY = (MSMSEC_BASE + 21),
    // Passphrase contains invalid character
    MSMSEC_PROFILE_PASSPHRASE_CHAR = (MSMSEC_BASE + 22),
    // Key material contains invalid character
    MSMSEC_PROFILE_KEYMATERIAL_CHAR = (MSMSEC_BASE + 23),
    // Wrong key type specified for the auth/cipher pair
    MSMSEC_PROFILE_WRONG_KEYTYPE = (MSMSEC_BASE + 24),
    // "Mixed cell" suspected (AP not beaconing privacy, we have privacy enabled profile)
    MSMSEC_MIXED_CELL = (MSMSEC_BASE + 25),
    // Auth timers or number of timeouts in profile is incorrect
    MSMSEC_PROFILE_AUTH_TIMERS_INVALID = (MSMSEC_BASE + 26),
    // Group key update interval in profile is incorrect
    MSMSEC_PROFILE_INVALID_GKEY_INTV = (MSMSEC_BASE + 27),
    // "Transition network" suspected, trying legacy 802.11 security
    MSMSEC_TRANSITION_NETWORK = (MSMSEC_BASE + 28),
    // Key contains characters which do not map to ASCII
    MSMSEC_PROFILE_KEY_UNMAPPED_CHAR = (MSMSEC_BASE + 29),
    // Capability matching failed at profile (auth not found)
    MSMSEC_CAPABILITY_PROFILE_AUTH = (MSMSEC_BASE + 30),
    // Capability matching failed at profile (cipher not found)
    MSMSEC_CAPABILITY_PROFILE_CIPHER = (MSMSEC_BASE + 31),
    // Failed to queue UI request
    MSMSEC_UI_REQUEST_FAILURE = (MSMSEC_CONNECT_BASE + 1),
    // 802.1x authentication did not start within configured time
    MSMSEC_AUTH_START_TIMEOUT = (MSMSEC_CONNECT_BASE + 2),
    // 802.1x authentication did not complete within configured time
    MSMSEC_AUTH_SUCCESS_TIMEOUT = (MSMSEC_CONNECT_BASE + 3),
    // Dynamic key exchange did not start within configured time
    MSMSEC_KEY_START_TIMEOUT = (MSMSEC_CONNECT_BASE + 4),
    // Dynamic key exchange did not succeed within configured time
    MSMSEC_KEY_SUCCESS_TIMEOUT = (MSMSEC_CONNECT_BASE + 5),
    // Message 3 of 4 way handshake has no key data (RSN/WPA)
    MSMSEC_M3_MISSING_KEY_DATA = (MSMSEC_CONNECT_BASE + 6),
    // Message 3 of 4 way handshake has no IE (RSN/WPA)
    MSMSEC_M3_MISSING_IE = (MSMSEC_CONNECT_BASE + 7),
    // Message 3 of 4 way handshake has no Group Key (RSN)
    MSMSEC_M3_MISSING_GRP_KEY = (MSMSEC_CONNECT_BASE + 8),
    // Matching security capabilities of IE in M3 failed (RSN/WPA)
    MSMSEC_PR_IE_MATCHING = (MSMSEC_CONNECT_BASE + 9),
    // Matching security capabilities of Secondary IE in M3 failed (RSN)
    MSMSEC_SEC_IE_MATCHING = (MSMSEC_CONNECT_BASE + 10),
    // Required a pairwise key but AP configured only group keys
    MSMSEC_NO_PAIRWISE_KEY = (MSMSEC_CONNECT_BASE + 11),
    // Message 1 of group key handshake has no key data (RSN/WPA)
    MSMSEC_G1_MISSING_KEY_DATA = (MSMSEC_CONNECT_BASE + 12),
    // Message 1 of group key handshake has no group key
    MSMSEC_G1_MISSING_GRP_KEY = (MSMSEC_CONNECT_BASE + 13),
    // AP reset secure bit after connection was secured
    MSMSEC_PEER_INDICATED_INSECURE = (MSMSEC_CONNECT_BASE + 14),
    // 802.1x indicated there is no authenticator but profile requires 802.1x
    MSMSEC_NO_AUTHENTICATOR = (MSMSEC_CONNECT_BASE + 15),
    // Plumbing settings to NIC failed
    MSMSEC_NIC_FAILURE = (MSMSEC_CONNECT_BASE + 16),
    // Operation was cancelled by caller
    MSMSEC_CANCELLED = (MSMSEC_CONNECT_BASE + 17),
    // Key was in incorrect format
    MSMSEC_KEY_FORMAT = (MSMSEC_CONNECT_BASE + 18),
    // Security downgrade detected
    MSMSEC_DOWNGRADE_DETECTED = (MSMSEC_CONNECT_BASE + 19),
    // PSK mismatch suspected
    MSMSEC_PSK_MISMATCH_SUSPECTED = (MSMSEC_CONNECT_BASE + 20),
    // Forced failure because connection method was not secure
    MSMSEC_FORCED_FAILURE = (MSMSEC_CONNECT_BASE + 21),
    // ui request couldn't be queued or user pressed cancel
    MSMSEC_SECURITY_UI_FAILURE = (MSMSEC_CONNECT_BASE + 22),
    MSMSEC_MAX = MSMSEC_END
    /// <summary>
    /// Contains information about connection related notifications.
    /// </summary>
    /// <remarks>
    /// Corresponds to the native <c>WLAN_CONNECTION_NOTIFICATION_DATA</c> type.
    /// </remarks>
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct WlanConnectionNotificationData
    /// <remarks>
    /// On Windows XP SP 2, only <see cref="WlanConnectionMode.Profile"/> is supported.
    /// </remarks>
    public WlanConnectionMode wlanConnectionMode;
    /// <summary>
    /// The name of the profile used for the connection. Profile names are case-sensitive.
    /// </summary>
    [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 32)]
    public string profileName;
    /// <summary>
    /// The SSID of the association.
    /// </summary>
    public Dot11Ssid dot11Ssid;
    /// <summary>
    /// The BSS network type.
    /// </summary>
    public Dot11BssType dot11BssType;
    /// <summary>
    /// Indicates whether security is enabled for this connection.
    /// </summary>
    public bool securityEnabled;
    /// <summary>
    /// Indicates the reason for an operation failure.
    /// This field has a value of <see cref="WlanReasonCode.Success"/> for all connection-related notifications except <see cref="WlanNotificationCodeAcm.ConnectionComplete"/>.
    /// If the connection fails, this field indicates the reason for the failure.
    /// </summary>
    public WlanReasonCode wlanReasonCode;
    /// <summary>
    /// This field contains the XML presentation of the profile used for discovery, if the connection succeeds.
    /// </summary>
    [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 1)]
    public string profileXml;
    /// <summary>
    /// Indicates the state of an interface.
    /// </summary>
    /// <remarks>
    /// Corresponds to the native <c>WLAN_INTERFACE_STATE</c> type.
    /// </remarks>
    public enum WlanInterfaceState
    /// <summary>
    /// The interface is not ready to operate.
    /// </summary>
    NotReady = 0,
    /// <summary>
    /// The interface is connected to a network.
    /// </summary>
    Connected = 1,
    /// <summary>
    /// The interface is the first node in an ad hoc network. No peer has connected.
    /// </summary>
    AdHocNetworkFormed = 2,
    /// <summary>
    /// The interface is disconnecting from the current network.
    /// </summary>
    Disconnecting = 3,
    /// <summary>
    /// The interface is not connected to any network.
    /// </summary>
    Disconnected = 4,
    /// <summary>
    /// The interface is attempting to associate with a network.
    /// </summary>
    Associating = 5,
    /// <summary>
    /// Auto configuration is discovering the settings for the network.
    /// </summary>
    Discovering = 6,
    /// <summary>
    /// The interface is in the process of authenticating.
    /// </summary>
    Authenticating = 7
    /// <summary>
    /// Contains the SSID of an interface.
    /// </summary>
    public struct Dot11Ssid
    /// <summary>
    /// The length, in bytes, of the <see cref="SSID"/> array.
    /// </summary>
    public uint SSIDLength;
    /// <summary>
    /// The SSID.
    /// </summary>
    [MarshalAs(UnmanagedType.ByValArray, SizeConst = 32)]
    public byte[] SSID;
    /// <summary>
    /// Defines an 802.11 PHY and media type.
    /// </summary>
    /// <remarks>
    /// Corresponds to the native <c>DOT11_PHY_TYPE</c> type.
    /// </remarks>
    public enum Dot11PhyType : uint
    /// <summary>
    /// Specifies an unknown or uninitialized PHY type.
    /// </summary>
    Unknown = 0,
    /// <summary>
    /// Specifies any PHY type.
    /// </summary>
    Any = Unknown,
    /// <summary>
    /// Specifies a frequency-hopping spread-spectrum (FHSS) PHY. Bluetooth devices can use FHSS or an adaptation of FHSS.
    /// </summary>
    FHSS = 1,
    /// <summary>
    /// Specifies a direct sequence spread spectrum (DSSS) PHY.
    /// </summary>
    DSSS = 2,
    /// <summary>
    /// Specifies an infrared (IR) baseband PHY.
    /// </summary>
    IrBaseband = 3,
    /// <summary>
    /// Specifies an orthogonal frequency division multiplexing (OFDM) PHY. 802.11a devices can use OFDM.
    /// </summary>
    OFDM = 4,
    /// <summary>
    /// Specifies a high-rate DSSS (HRDSSS) PHY.
    /// </summary>
    HRDSSS = 5,
    /// <summary>
    /// Specifies an extended rate PHY (ERP). 802.11g devices can use ERP.
    /// </summary>
    ERP = 6,
    /// <summary>
    /// Specifies the start of the range that is used to define PHY types that are developed by an independent hardware vendor (IHV).
    /// </summary>
    IHV_Start = 0x80000000,
    /// <summary>
    /// Specifies the end of the range that is used to define PHY types that are developed by an independent hardware vendor (IHV).
    /// </summary>
    IHV_End = 0xffffffff
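
    The BSS entry above exposes the raw beacon fields that a client's security matcher works from: capabilityInformation (whose privacy bit is what the MSMSEC_MIXED_CELL reason code refers to) and the IE blob at ieOffset/ieSize. The following is an added example, not code from this post or from the wrapped library, that walks such a blob in Python, decodes the RSN element (element ID 48) and flags the conditions the reason codes above describe: a mixed cell, a privacy-bit network with no RSN element, weak ciphers and missing management-frame protection. The SSIDs, suite selectors and RSN body in SAMPLE_IES and OPEN_IES are constructed for the example, not captured frames.

```python
import struct

# Suite selectors from IEEE 802.11 (OUI 00-0F-AC); only the types used below are listed.
RSN_OUI = b"\x00\x0f\xac"
CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
                 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM_SUITES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
              6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 12: "802.1X-SuiteB-192", 18: "OWE"}
WEAK_CIPHERS = {"WEP-40", "WEP-104", "TKIP"}
CAP_PRIVACY = 0x0010      # bit 4 of the 802.11 capability field: encryption required
RSN_CAP_MFPR = 0x0040     # management frame protection required
RSN_CAP_MFPC = 0x0080     # management frame protection capable
EID_SSID, EID_RSN = 0, 48


def iter_ies(blob):
    """Yield (element_id, payload) for every TLV in an IE blob; reject truncated elements."""
    off = 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("dangling byte at offset %d" % off)
        eid, ln = blob[off], blob[off + 1]
        body = blob[off + 2:off + 2 + ln]
        if len(body) != ln:
            raise ValueError("truncated IE %d at offset %d" % (eid, off))
        yield eid, body
        off += 2 + ln


def suite_name(sel, table):
    """Map a 4-byte suite selector to a name; non-802.11 OUIs are reported as vendor suites."""
    if sel[:3] != RSN_OUI:
        return "vendor:" + sel.hex()
    return table.get(sel[3], "reserved:%d" % sel[3])


def parse_rsn(body):
    """Decode an RSN IE body: version, group cipher, pairwise ciphers, AKMs, capabilities."""
    if len(body) < 8:
        raise ValueError("RSN IE too short")
    version = struct.unpack_from("<H", body, 0)[0]
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    group = suite_name(body[2:6], CIPHER_SUITES)
    off, lists = 6, []
    for table in (CIPHER_SUITES, AKM_SUITES):       # pairwise list, then AKM list
        if off + 2 > len(body):
            raise ValueError("suite count missing")
        count = struct.unpack_from("<H", body, off)[0]
        off += 2
        if off + 4 * count > len(body):
            raise ValueError("suite list overruns RSN IE")
        lists.append([suite_name(body[i:i + 4], table) for i in range(off, off + 4 * count, 4)])
        off += 4 * count
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {"group": group, "pairwise": lists[0], "akm": lists[1],
            "mfp_capable": bool(caps & RSN_CAP_MFPC), "mfp_required": bool(caps & RSN_CAP_MFPR)}


def summarize_bss(capability_information, ie_blob, profile_requires_privacy=True):
    """Classify one BSS from the fields WlanBssEntry exposes, the way a client's matcher would."""
    ssid, rsn = None, None
    for eid, body in iter_ies(ie_blob):
        if eid == EID_SSID:
            ssid = body.decode("utf-8", "replace")
        elif eid == EID_RSN:
            rsn = parse_rsn(body)
    privacy = bool(capability_information & CAP_PRIVACY)
    mixed_cell = profile_requires_privacy and not privacy
    warnings = []
    if mixed_cell:
        warnings.append("mixed cell: profile requires privacy but the AP is not beaconing it")
    if privacy and rsn is None:
        warnings.append("privacy bit set without an RSN IE: WEP or WPA1-only network")
    if rsn:
        for cipher in [rsn["group"]] + rsn["pairwise"]:
            if cipher in WEAK_CIPHERS:
                warnings.append("weak cipher offered: " + cipher)
        if not rsn["mfp_capable"]:
            warnings.append("no management frame protection")
    return {"ssid": ssid, "privacy": privacy, "rsn": rsn,
            "mixed_cell": mixed_cell, "warnings": warnings}


# Constructed IE blobs (not captures). SAMPLE_IES: SSID "corp-wifi" plus an RSN IE with
# version 1, group CCMP, pairwise CCMP, AKM PSK and the MFPC capability bit.
SAMPLE_IES = (bytes([EID_SSID, 9]) + b"corp-wifi"
              + bytes([EID_RSN, 20]) + b"\x01\x00" + RSN_OUI + b"\x04"
              + b"\x01\x00" + RSN_OUI + b"\x04" + b"\x01\x00" + RSN_OUI + b"\x02" + b"\x80\x00")
OPEN_IES = bytes([EID_SSID, 5]) + b"guest"   # open network: SSID only, no RSN IE

if __name__ == "__main__":
    print(summarize_bss(0x0011, SAMPLE_IES))   # ESS + privacy capability bits
    print(summarize_bss(0x0001, OPEN_IES))     # ESS only: a mixed cell for a secured profile
```

    The capability value 0x0011 used in the demo is ESS (bit 0) plus privacy (bit 4); 0x0001 is an open ESS. The parser rejects a truncated element instead of reading past it, which matters because the blob comes straight from driver memory at ieOffset.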

  • ISE, WLC: web auth, blocking user account

    Hello!
    We are implementing BYOD concept with ISE (1.1.4) and WLC 5508 (7.4.100).
    On WLC there is SSID(WLAN) with MAC filtering without L2 security. For authentication user is redirected to the ISE Guest Portal.
    Credentials are created at the ISE sponsor portal.
    We create user account in ISE sponsor portal with one hour lease.
    In 10 minutes we delete (or block)  user credentials.
    In spite of it the user is still able to work. Even if we manually disconnect client and reconnect it again, client opens the browser and there is no redirection to the ISE web auth page.
    This happens because WLC thinks, that client is still associated.
    There are session and idle timeout timers in WLC WLAN, but they can't solve the problem of automatic client session removing.
    From my point of view, ISE must send some kind of reauth request to the user after account deletion, to make user authentication impossible.
    In practice, ISE doesn't tell the WLC or the user that the client session is blocked.
    How the user account blocking process can be automated without manually deleting the client session from WLC client database?

    It seems that there is some bug about CoA when deleting Guest accounts
    CSCuc82135
    Guests need to be removed from the network on Suspend/Delete/Expiration
    When a guest user is deleted from the system, the RADIUS sessions associated with that guest user still exist.
    Workaround: Reissue the Change of Authorization using the session information from Monitoring reports for the sessions associated with that guest user.
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp411891
    from BUG Toolkit there is Release-Pending in "Fixed-in" option.
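
    The workaround in the release note is to reissue the Change of Authorization for the sessions the monitoring reports list. The RFC 5176 packet that does this is small enough to show in full. The Python below is an added example, not ISE or WLC code; the shared secret, NAS address, session id, identifier and calling station are constructed values. It builds a Disconnect-Request keyed on Acct-Session-Id and Calling-Station-Id, computes the Request Authenticator that the NAS must verify before tearing the session down, and verifies the Disconnect-ACK or NAK that comes back.

```python
import hashlib
import hmac
import socket
import struct

# RFC 5176 packet codes.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# RFC 2865/2866 attribute types used as session identification attributes (RFC 5176 section 3).
ATTR = {"User-Name": 1, "NAS-IP-Address": 4, "Calling-Station-Id": 31, "Acct-Session-Id": 44}
ATTR_BY_TYPE = {v: k for k, v in ATTR.items()}


def encode_attrs(attrs):
    """Encode (name, value) pairs as RADIUS TLVs; the length octet covers the 2-byte header too."""
    out = b""
    for name, value in attrs:
        if isinstance(value, str):
            value = value.encode("utf-8")
        if len(value) > 253:
            raise ValueError("attribute %s too long" % name)
        out += struct.pack("!BB", ATTR[name], 2 + len(value)) + value
    return out


def decode_attrs(packet):
    """Walk the attributes after the 20-byte header, refusing lengths that overrun the packet."""
    out, off = [], 20
    while off < len(packet):
        if off + 2 > len(packet):
            raise ValueError("dangling attribute header")
        atype, ln = packet[off], packet[off + 1]
        if ln < 2 or off + ln > len(packet):
            raise ValueError("bad attribute length")
        out.append((ATTR_BY_TYPE.get(atype, atype), packet[off + 2:off + ln]))
        off += ln
    return out


def build_request(code, identifier, secret, attrs):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def build_disconnect_request(secret, identifier, nas_ip, acct_session_id, calling_station_id):
    """Disconnect-Request identifying one session by NAS, accounting session id and client MAC."""
    return build_request(DISCONNECT_REQUEST, identifier, secret, [
        ("NAS-IP-Address", socket.inet_aton(nas_ip)),
        ("Acct-Session-Id", acct_session_id),
        ("Calling-Station-Id", calling_station_id)])


def verify_request(secret, packet):
    """What the NAS must do before acting: recompute the Request Authenticator with its own secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(code, request, secret, attrs=()):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(secret, request, response):
    """Accept an ACK/NAK only if it echoes our identifier and is bound to our Request Authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    # Constructed values: a hypothetical WLC at 10.10.10.1 and a made-up session.
    secret = b"s3cret"
    req = build_disconnect_request(secret, 7, "10.10.10.1", "0a0a0a0a00000001", "00-11-22-33-44-55")
    print(req.hex())
    print(decode_attrs(req))
    print(verify_response(secret, req, build_response(DISCONNECT_ACK, req, secret)))
```

    Send the request over UDP to the NAS's CoA port (3799 is the RFC 5176 default; Cisco WLCs listen on 1700 by default, which is the port ISE's network device entry carries). The example omits the optional Message-Authenticator attribute (80, an HMAC-MD5 over the packet) that RFC 5176 allows on these packets; a production sender should add it, and a NAS that receives it must check it.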

  • ISE 1.2 IOS device re-auth (device drops WiFi)

    My guest users use web-auth for authentication. An issue I've run into is that IOS devices drop WiFi during lock/sleep. This means if they were authenticated, then they will have to reconnect/reauthenticate to the SSID. I would like to find a way for these users to automatically reauthenticate (assuming they are still within their original session's timeout value). Think two hour meeting. Is there a way for me to set this up in ISE policy?
    Something like:
    IF user was authenticated within the session timeout value (6hrs)
    THEN automatically let them back on without having to re-authenticate
    Thanks.

    OK, I'm seeing a lot of "Correct Answer" type replies in another similar posting, but not a complete answer.  I have a similar issue, but only on a 2504 running 7.4.110.  I have two 5508s running 7.4.115, and they don't seem to have this issue, however I could be wrong.  Also, I'm running ISE 1.2, patch 2, soon to be patch 3 with the 5508s.  I do not yet have ISE working with the 2504, but that is coming.  We're not running Flex-Connect.
    My users are a mix of guest users via the ISE Sponsor Portal, and employees, who authenticate via Active Directory.  I am having problems putting the specifications into user-friendly terms.  If I have to add a Registration Portal, I need to be able to explain who would use it and under what situation(s)
    So, I guess what I'm looking for is what is the minimum OS I should be running on each platform to support ISE, WebAuth, and Apple & Android devices.
    I don't seem to have Security --> Local Policy on either of my builds, so I'm guessing that this was added in 7.5.  Given ISE 1.2, is there some minimal WLC build I should be using?  Alternatively, is there ANY reason to NOT upgrade to 7.6?
    Tarik's link seems to include ISE 1.1.1, so I'm not sure how applicable it is to ISE 1.2.  I'm not opposed to using device registration for employee devices, but I do not believe I wish to do this for guest/sponsored devices.  I am not planning on a full BYOD rollout, so I do not wish to complicate things with an advanced license.  My understanding is that with AD integration, I probably don't need a MyDevices portal.
    In short, I'd like guest devices to have to auth at most once per day, and employees should be good until their AD credential expires.  Again, I thought I had this working on a pilot using WLC 5508s and 7.4.115, but this definitely is not working in WLC 2504 with 7.4.110.
    The only other thing I'd want is to be able to put the guest devices on one VLAN/SSID and the employee devices on another, but that's not as important at this time.

  • ISE 1.2 EAP Chaining and Windows 8 - Auth failures

    Hi All,
    I've got a couple sites that appear to have issues with EAP chaining, ISE 1.2 and Anyconnect client on windows 8 enterprise.
    Basically the windows 8 machines authenticate intermittently and randomly but largely fail auth. 
    Often the client will work perfectly for a boot, even after a few reboots etc., and then might stop working.  Other clients won't work at all no matter what settings you configure.
    Outer Method - EAP-FASTv2
    Inner Method - MSChapV2
    ISE 1.2 with Patch 1 (latest)
    Windows 8 Enterprise - with patch http://support.microsoft.com/kb/2743127
    Anyconnect Client  3.1.0466 (latest)
    Machine and User Auth Against AD.
    Cert checks disabled for testing.
    Clients using same configuration.xml file
    Symptom is Anyconnect prompts for username / password instead of using existing credentials.  Typing credentials doesn't work.
    Logs show failed "anonymous" authentications or client EAP timeouts.
    Cheers
    Peter.

    Hi Peter,
    It sounds like the Inner Method is not being negotiated properly, so it's only reading the Outer Method, which by default is set to show "Anonymous" in AnyConnect Profiles.
    Is it possible to upload a PDF version or copy paste the output of the failure from ISE's perspective?
    Kind Regards,
    Vlad

  • ISE 1.2 Auth Avg Response Time

    Hi Guys,
    We have recently moved to ISE 1.2 (distributed deployment on UCS C220 blades) from ACS 5.x. We are seeing an average auth response time of ~150ms on each PSN node (4 in total) and wonder whether this is too slow.
    Is this normal, or should we have a much lower average response time for those RADIUS authentications? What are the typical values you guys observed in those sorts of deployments?
    Any input would be much appreciated
    Rasika       

    Hi,
    Where did you get your information from? Is it from the ISE Authentication Report Summary? If so, which of the Average responses are you concerned about? Authentications By Day, Identity Group, Identity Store, Allowed Protocol etc.
    In my network average response based on protocol PEAP is 121ms. Authentication by day is 74ms. Then again my network may be smaller than yours. Also I have an appliance and not a Virtual Server. In my opinion, I don't think 150ms is that much to make the user notice. If authentication response gets close to 300ms, then you have an issue.
    If you have a very large network like a University Campus, then 150ms is OK.

  • Cisco ISE 1.2 AD Auth and Internal Auth on Same SSID?

    Hello everyone... I'm fairly new to Cisco ISE 1.2 and am looking to try and setup a certain configuration.  I'm trying to figure out how to create what amounts to a BYOD dmz'd wireless network that is PEAP based (or tls) but authenticates known users (employees from AD groups) but for users not found in those AD groups uses the internal user database and/or Web Auth?  Make sense?
    So, I of course can get the Authentication/Authorization policies configured for PEAP/TLS and map to AD based on group and provide a VLAN number.  No problem... I'm having trouble wrapping my head around how to combine the internal users or web auth users in this mix on the same SSID?  I know by reading the ISE statement that if the authentication policy is PEAP/TLS, etc., then a user not found is rejected and does not continue...  Can someone provide an example as to how to accomplish this?  
    As a side note, in 1.2 is there the ability to limit the number of consecutive logins as in ACS, outside of guest access only? What about in 1.3, which makes me nervous to upgrade in reading the instructions and the 'newness' of it.
    Thank you for any help, it's greatly appreciated.

    I'd like to confirm if the required changes in the VM server were
    made, as there are a few changes in the ISE OS. The changes required are
    listed in the release notes, under "VMware Operating System to be
    Changed to RHEL 5 (64-bit)". Here's a direct link to the relevant section:
    http://www.cisco.com/en/US/docs/security/ise/1.2/release_notes/ise12_rn.html#wp384531
    Other causes can be :-
    certificate issue on ISE or not enough disk space.

  • WPA2 Auth on WLC 5760 using ISE 1.2

    Hello there,
    I am trying to configure WPA2 802.1x authentication on my WLC that should use ISE as radius server which is set to authenticate AD users.
    The issue is that when I try to connect the SSID, it does not forward the authentication request to ISE. Therefore, I dont see any authentication request on ISE coming from the client.
    I am using the following cli config for the SSID.
    wlan TESTSTAFF 70 TESTSTAFF
    aaa-override
    client vlan Floor_WL
    security dot1x authentication-list WPA-Auth
    session-timeout 1800
    no shutdown      
    aaa authentication dot1x WPA-Auth group ISE_Group
    aaa group server radius ISE_Group
    server name ISE
    radius server ISE
    address ipv4 <ise_ip> auth-port 1812 acct-port 1813
    key <key>
    On ISE, I have added the WLC as network device. CWA authentication is working fine it is just Layer2 WPA 802.1x authentication which is not forwarding requests to ISE.
    Can you please suggest?
    Thanks in advance.

    Are your WLC and ISE connected?
    Is your RADIUS shared secret correct, i.e. the same on both sides?
    Please check these: http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
    Regards

  • Guest Anchor with web auth using ISE guest portal

    Hello All,
    Before launching into my exact issues, could anyone confirm if they have completed a wireless Guest anchor setup using 2504 controllers on 7.4 as the anchor (5508 is the foreign) with webauth external redirection at ISE 1.1.3 using ISE Guest Services?
    I am attempting this for an internal POC and have hit a couple of issues. Firstly I am looking for correct configuration confirmation prior to going in depth with a couple of the issues. I've been using the TrustSec 2.1 how to guides to build the parts I am not strong on so if anyone has actual completed this setup, I'd love to go through it with you.
    massive thanks to anyone that can assist.
    JS.

    Thanks for the reply RikJonAtk.
    So to start with, based on the TrustSec documents, on the guest WLAN on the anchor I need to configure MAC filtering in the Layer 2 security menu as well as enable RADIUS NAC under the Advanced tab. But when I do this, I get an error message that states that MAC filtering and RADIUS NAC cannot be enabled at the same time.
    Additionally, if I just enable the RADIUS NAC setting under the Advanced tab in the WLAN, I get another error message that states that the priority order for Web-Auth can only be set for RADIUS, so I go to the AAA server tab and send local and LDAP to the not-used column and hit apply. If I move to another menu then check the priority order again under the AAA servers tab, local and LDAP have been moved back to the menu field to be used again.  So I initially thought it might be a bug, but I was hoping to find someone here that has done this already and can look at my issues and maybe walk me through their configs, which I'll mirror and see how it goes.
    Thanks in Advanced,
    JS
