ISE, WLC: web auth, blocking user account

Hello!
We are implementing a BYOD concept with ISE (1.1.4) and WLC 5508 (7.4.100).
On the WLC there is an SSID (WLAN) with MAC filtering and no L2 security. For authentication the user is redirected to the ISE Guest Portal.
Credentials are created in the ISE sponsor portal.
We create a user account in the ISE sponsor portal with a one hour lease.
After 10 minutes we delete (or block) the user credentials.
In spite of this, the user is still able to work. Even if we manually disconnect the client and reconnect it again, the client opens the browser and there is no redirection to the ISE web auth page.
This happens because the WLC thinks that the client is still associated.
There are session and idle timeout timers in the WLC WLAN, but they can't solve the problem of automatic client session removal.
From my point of view, ISE must send some kind of reauth request for the user after account deletion, to make user authentication impossible.
In practice, ISE doesn't tell the WLC or the user that the client session is blocked.
How can the user account blocking process be automated without manually deleting the client session from the WLC client database?

It seems that there is a bug about CoA when deleting guest accounts:
CSCuc82135
Guests need to be removed from the network on Suspend/Delete/Expiration
When a guest user is deleted from the system, the RADIUS sessions associated with that guest user still exist.
Workaround: Reissue the Change of Authorization using the session information from Monitoring reports for the sessions associated with that guest user.
http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp411891
In the Bug Toolkit the "Fixed-in" field shows Release-Pending.
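The workaround above (reissuing the CoA for each session of the deleted guest) is a RADIUS Disconnect-Request as defined in RFC 5176; the following is an added example, not code from this thread or from Cisco, that builds such a request identifying the session by Calling-Station-Id and verifies the NAS's Disconnect-ACK/NAK. The shared secret, identifier and MAC address are constructed sample values, and the optional Message-Authenticator attribute is omitted.

```python
"""RFC 5176 Disconnect-Request builder and response verifier (added example)."""
import hashlib
import hmac
import struct

# Packet codes from RFC 5176 (Dynamic Authorization Extensions)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42

# Attribute types (RFC 2865 / RFC 2866) used to identify the session to drop
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44


def _avp(attr_type, value):
    """Encode one Type-Length-Value attribute; Length covers the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _authenticator(code, identifier, attrs, auth_field, secret):
    """MD5(Code + ID + Length + auth_field + Attributes + Secret), RFC 5176 s.3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + auth_field + attrs + secret).digest()


def build_disconnect_request(secret, identifier, calling_station_id,
                             user_name=None, acct_session_id=None):
    """Build a Disconnect-Request naming the session by MAC (plus optional keys)."""
    attrs = _avp(ATTR_CALLING_STATION_ID, calling_station_id.encode())
    if user_name:
        attrs += _avp(ATTR_USER_NAME, user_name.encode())
    if acct_session_id:
        attrs += _avp(ATTR_ACCT_SESSION_ID, acct_session_id.encode())
    # Request Authenticator is computed with the 16-byte authenticator field zeroed.
    auth = _authenticator(DISCONNECT_REQUEST, identifier, attrs, bytes(16), secret)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    return header + auth + attrs


def parse_packet(data):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value)])."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, data[4:20], attrs


def build_response(secret, request, code, attrs=b""):
    """NAS side: answer a Disconnect-Request with an ACK or NAK (RFC 5176 s.3)."""
    _, identifier, req_auth, _ = parse_packet(request)
    auth = _authenticator(code, identifier, attrs, req_auth, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs


def verify_response(secret, request, response):
    """Client side: check the Response Authenticator against the request we sent."""
    _, req_id, req_auth, _ = parse_packet(request)
    code, identifier, resp_auth, _ = parse_packet(response)
    if identifier != req_id or code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        return False
    expected = _authenticator(code, identifier, response[20:], req_auth, secret)
    return hmac.compare_digest(expected, resp_auth)
```

The request is sent over UDP to the NAS's CoA port (3799 in RFC 5176; Cisco devices commonly use 1700), and the Calling-Station-Id comes from the ISE session list mentioned in the workaround.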

Similar Messages

  • WLC Web Auth Redirect URL point to an ISE Policy NODE only?

    Hi all,
    I was wondering if the Web Auth Redirect URL configured in the WLC can only point to an ISE Policy Persona Node so the Web Portal feature (see below) in the ISE is only active when the ISE device has that Policy Persona activated.

    Thanks Peter for your clarification regarding the semantic I used and the question I made.
    Curiously, I tested it (configure the WLC Web Auth URL Redirect pointing to an ADM Node) and it did not work until I added the Policy Services persona into that ADM Node. I just wanted to verify that my test was correct because we want to make some changes in our deployment. Let me see if I can open a TAC Case in order to confirm this and add it to this post.

  • Framed-IP-Address in RADIUS Access Request for WLC web-auth users

    We have a web-auth WLAN (with 7.6.130.0 software on a 2504 WLC) configured to authenticate users through RADIUS. The Framed-IP-Address attribute, representing the client device's IP address, is sent in the Accounting Request, as expected. However, this information should be available at the WLC before sending the RADIUS Access Request, since the device already has an IP address.
    So is there a way to configure the WLC to send the Framed-IP-Address attribute in the RADIUS Access Request as well?

    Hi ,
    Try using:
    aaa accounting delay-start
    Regards,
    ~JG
    Do rate helpful posts

  • WLC Web-auth fail with external RADIUS server

    I followed step by step the link below to configure web-auth with an external RADIUS server, but I receive an error in the console debug of the WLC: "Returning AAA Error No Server (-7) for mobile"
    My RADIUS server is fine, because I can authenticate on the WLC web page with a RADIUS user.
    WLC 4402 version 4.1.171.0
    http://www.cisco.com/en/US/products/ps6366/prod_technical_reference09186a0080706f5f.html

    Hi,
    I am having some issues when I try to authenticate an AD account against a NAP RADIUS server on Windows 2008.
    In fact, I own a WLC 2106 and I configured it to authenticate users against a RADIUS server with Active Directory. I set the Web RADIUS Authentication to CHAP on the controller tab of the WLC 2106 and I am getting the error below:
    Authentication failed for gcasanova. When I set the controller's Web RADIUS Authentication to PAP, everything is working fine. I am able to connect through the controller using an AD account. But my purpose is not to use PAP, which is an insecure protocol since passwords are sent as plaintext on the network.
    Can someone tell me what's wrong?
    *radiusTransportThread: Oct 26 11:02:13.975:    proxyState...................................00:24:D7:40:E5:00-00:00
    *radiusTransportThread: Oct 26 11:02:13.975:    Packet contains 0 AVPs:
    *emWeb: Oct 26 11:02:13.977: Authentication failed for gcasanova
    *aaaQueueReader: Oct 26 11:02:29.985: AuthenticationRequest: 0xb6564634
    *aaaQueueReader: Oct 26 11:02:29.985:   Callback.....................................0x8576720
    *aaaQueueReader: Oct 26 11:02:29.985:   protocolType.................................0x00000001
    *aaaQueueReader: Oct 26 11:02:29.985:   proxyState...................................00:24:D7:40:E5:00-00:00
    *aaaQueueReader: Oct 26 11:02:29.986:   Packet contains 11 AVPs (not shown)
    *aaaQueueReader: Oct 26 11:02:29.986: apfVapRadiusInfoGet: WLAN(4) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *aaaQueueReader: Oct 26 11:02:29.986: 00:24:d7:40:e5:00 Successful transmission of Authentication Packet (id 86) to 10.2.0.15:1812, proxy state 00:24:d7:40:e5:00-00:00
    *aaaQueueReader: Oct 26 11:02:29.987: 00000000: 01 56 00 9a 8e 48 e7 20  1d ef be 29 e6 3a 61 6d  .V...H.....).:am
    *aaaQueueReader: Oct 26 11:02:29.987: 00000010: 2b de 07 24 01 0b 67 63  61 73 61 6e 6f 76 61 3c  +..$..gcasanova<
    *aaaQueueReader: Oct 26 11:02:29.987: 00000020: 12 3c ce a0 87 ac df 7a  a5 35 af 7c ef 83 c7 58  .<.....z.5.|...X
    *aaaQueueReader: Oct 26 11:02:29.987: 00000030: ed 03 13 28 a7 5a 0d 26  6d ab 49 ea da 7c 5a 8e  ...(.Z.&m.I..|Z.
    *aaaQueueReader: Oct 26 11:02:29.987: 00000040: 1d 94 70 69 06 06 00 00  00 01 04 06 0a 02 00 06  ..pi............
    *aaaQueueReader: Oct 26 11:02:29.987: 00000050: 05 06 00 00 00 01 20 0a  50 41 52 2d 57 4c 43 31  ........PAR-WLC1
    *aaaQueueReader: Oct 26 11:02:29.987: 00000060: 3d 06 00 00 00 13 1a 0c  00 00 37 63 01 06 00 00  =.........7c....
    *aaaQueueReader: Oct 26 11:02:29.988: 00000070: 00 04 1f 0c 31 30 2e 32  2e 30 2e 31 35 36 1e 0a  ....10.2.0.156..
    *aaaQueueReader: Oct 26 11:02:29.988: 00000080: 31 30 2e 32 2e 30 2e 36  50 12 7f 86 5a c5 61 ad  10.2.0.6P...Z.a.
    *aaaQueueReader: Oct 26 11:02:29.988: 00000090: af 54 fa fa 42 e7 f6 16  9e 10                    .T..B.....
    *radiusTransportThread: Oct 26 11:02:29.988: 00000000: 03 56 00 14 a9 10 07 84  83 00 87 83 b9 10 64 e1  .V............d.
    *radiusTransportThread: Oct 26 11:02:29.988: 00000010: 66 b3 c5 5e                                       f..^
    *radiusTransportThread: Oct 26 11:02:29.988: ****Enter processIncomingMessages: response code=3
    *radiusTransportThread: Oct 26 11:02:29.988: ****Enter processRadiusResponse: response code=3
    *radiusTransportThread: Oct 26 11:02:29.988: 00:24:d7:40:e5:00 Access-Reject received from RADIUS server 10.2.0.15 for mobile 00:24:d7:40:e5:00 receiveId = 0
    *radiusTransportThread: Oct 26 11:02:29.989: 00:24:d7:40:e5:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:24:d7:40:e5:00
    *radiusTransportThread: Oct 26 11:02:29.989: AuthorizationResponse: 0xb97fe774
    *radiusTransportThread: Oct 26 11:02:29.989:    structureSize................................32
    *radiusTransportThread: Oct 26 11:02:29.989:    resultCode...................................-4
    *radiusTransportThread: Oct 26 11:02:29.989:    protocolUsed.................................0xffffffff
    *radiusTransportThread: Oct 26 11:02:29.989:    proxyState...................................00:24:D7:40:E5:00-00:00
    *radiusTransportThread: Oct 26 11:02:29.989:    Packet contains 0 AVPs:

  • Anchor WLC web-auth secure web issue

    Hi all,
    I am running into an issue with disabling the web-auth secure web on a 5508 anchor WLC running 7.2.110. After the WLC rebooted, the guest authentication portal didn't show up... I could see the IE tab showed Web Auth Redirect though... Changing the web-auth secure web back to enable and rebooting the WLC fixed the issue... Has anyone run into this before, and any idea how to fix it?
    Thanks in advance for your input!
    Robin

    The custom page might be from the Cisco web auth page sample, by the look of the webpage. I don't know how to verify whether or not it was hard coded for HTTPS...
    Do I also need to disable the web-auth secure web on the main controller?
    This anchor is running in production and has to be rebooted after hours; I will do the test and let you know how it goes.
    Thanks!
    Robin

  • Integration between WLC WEb auth and NGS

    I'm trying to integrate WLC and NGS and am getting this error message:
    Preauthentication ACL needs to be configured/selected for external webauth to work.
    Where do I need to configure ACL?
    Thanks

    Hi Surendra,
    Thanks for the links.
    Even though I'm using the 5500 WLC I still need to add the ACL!
    Looking at the attachment, if I permit ANY source and dest, then I can connect to the internet, but it didn't go through the login page and ask for the username and password; I could access the Internet without any authentication. If I set the rules as shown in the attachment, it gets me to the logon page (which is good) but I could not log on. Here's the RADIUS log:
    rad_recv: Status-Server packet from host 127.0.0.1 port 43507, id=90, length=38
            Message-Authenticator = 0xf7233fc3f00a133f273b87e9c2359199
    Sending Access-Accept of id 90 to 127.0.0.1 port 43507
    Finished request 111.
    Cleaning up request 111 ID 90 with timestamp +5120
    Going to the next request
    Ready to process requests.
    rad_recv: Access-Request packet from host x.x.x.164 port 32770, id=65, length=169
            User-Name = ""
            CHAP-Challenge =
            CHAP-Password =
            Service-Type = Login-User
            NAS-IP-Address = x.x.x.164
            NAS-Port = 1
            NAS-Identifier = ""
            NAS-Port-Type = Wireless-802.11
            Airespace-Wlan-Id = 10
            Calling-Station-Id = "x.x.x.x"
            Called-Station-Id = "x.x.x.164"
            Message-Authenticator =
    +- entering group authorize {...}
    [radius-user-auth]      expand: %{User-Name} ->
    [radius-user-auth]      expand: %{User-Password} ->
    [radius-user-auth]      expand: %{NAS-IP-Address} -> x.x.x.164
    [radius-user-auth]      expand: %{Calling-Station-Id} ->
    Exec-Program output:
    Exec-Program: returned: 1
    ++[radius-user-auth] returns reject
    Delaying reject of request 112 for 1 seconds
    Going to the next request
    Waking up in 0.7 seconds.
    Sending delayed reject for request 112
    Sending Access-Reject of id 65 to x.x.x.164 port 32770
    Waking up in 4.9 seconds.
    Cleaning up request 112 ID 65 with timestamp +5144
    Ready to process requests.
    What does this message mean: "++[radius-user-auth] returns reject"?
    Thanks for your time.

  • Certificate for WLC web auth - HELP

    Hi all
    I need to buy a cert for my WLC web authentication
    I have read the document below
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
    However, I want to fill in the details and generate the CSR via the provider I'm buying the cert from, Thawte.
    Am I OK doing all this via the provider, or do I need to use OpenSSL to generate the CSR?
    Can anyone post the steps in here I need to take when purchasing and installing a chained certificate on my WLC.
    The WLC has the latest version of code.
    cheers
    Carl

    Here are the instructions for a chained certificate.
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
    It's simple enough: copy and paste the chain below the certificate when you generate the final.pem.
    Main thing to remember when compiling the final.pem: use a version of OpenSSL < 1.0, as otherwise it won't install.
    If your provider will generate the CSR for you it should be fine, but you will need the private key to recompile the certificate.
    As you'll be using OpenSSL to recompile the certificate you may as well use it to generate the CSR, there's not much to it.
    Thanks
    Chris

  • Blocked user account in Skype Manager

    I have a user in my company that is showing a "Blocked Account" when I sign into our Skype Manager. When I click on his username to take me to more information, I get an error message stating: "Service Unavailable. We're having technical problems. We're sorry for the inconvenience. Please try again after a few minutes."
    This has been happening for over a week now, and when I submitted an email support request to Skype, their support (Rodeline C.) sent me here instead of answering my question. Any thoughts on how I can get this user working? Thanks!
    Title text amended for clarity.

    cyradm is not part of 10.3.x
    To use it you would have to install it first. See here:
    http://www.afp548.com/article.php?story=20040814204411280&query=cyradm
    And then follow the instructions given beforehand.
    Having said that, your issue can be resolved differently. You deleted all mail manually in the file system (not a good idea, but what is done is done). So the mail is actually gone. What you are seeing is Cyrus' index. Since you deleted manually, the index didn't get updated. To get rid of the problem either reconstruct that user's mailbox through Server Admin -> Mail or alternatively run:
    sudo -u cyrus reconstruct -r user/gordon (assuming that's the user's name)
    Alex

  • Tablets and Cisco WLC Web Authentication

    Hi my name is Ivan
    I have a question:
    I would like to know which tablets support Web Authentication on Cisco WLC.
    Android, Samsung, others?
    And which are the requirements of the tablet to use this way of authentication?
    Regards
    Ivan

    Any device that has a browser which can generate HTTP(S) traffic can use WLC Web Auth. If your question is regarding being presented "automatically" with the captive portal, I have seen this can be dependent on OS. From my reading about Droids (not hands-on experience) the Android devices don't provide a captive portal query that would "automatically" bring up the WebAuth page when connected to an open network using L3 WebAuth security, but you then open your browser and try to hit any web page and you're fine. Apple iOS can handle this automatically (in most cases).
    As long as the device can connect to the WLAN in question, open a browser, then try to navigate to some URL, it should work fine.

  • Cisco WLC 5508 simultaneous Web Auth Users logins?

    Hi there,
    We have 2 WLC5508 (7.2.111.3) with several SSID's.
    One of them is configured as Passthrough with an external splash server. Works fine.
    Now we want to use the "On MAC Filter failure".
    If the client MAC address is configured under MAC Filtering on the WLC, the authentication is done without WebAuth.
    If the MAC address is not known, the client will be redirected to the external WebAuth server for authentication.
    To keep the Passthrough functionality for the user, we hardcoded a username & password in the splash page.
    So every WebAuth client uses the same username & password for authentication against the WLC.
    User Login Policies is set to unlimited.
    So far so good, it seems to work, but I have read that Cisco 5500 controllers support only 150 simultaneous Web Auth user logins.
    The two WLCs have about 100-170 clients connected.
    Question:
    - Will this be an issue with the 150 simultaneous logins, despite using only one user for all Wi-Fi clients?
    - Can the user WebAuth be done with a Cisco ISE like Passthrough, so no username & password has to be entered by the user?
      If yes, some guide information would be great.
    - When successfully authenticated, a logout screen shows on the Windows client. Can this be hidden some how?
    Thanks for the answers ;-)
    Kind regards,
    Norbert

    Question:
    - Will this be an issue with the 150 simultaneous logins, despite using only one user for all Wi-Fi clients?
    > I believe this means at the same time... I have clients doing the same thing with hundreds or more of guest users
    - Can the user WebAuth be done with a Cisco ISE like Passthrough, so no username & password has to be entered by the user?
      If yes, some guide information would be great.
    > ISE is really used to login with a username and password and to be able to profile. You would need to ask that on the Security forum to get their input on whether this is something they would do or just leave it on the WLC
    - When successfully authenticated, a logout screen shows on the Windows client. Can this be hidden somehow?
    > Not really... some machines with a popup blocker do block this and you don't see the logout, but you can't remove this.
    Thanks,
    Scott
    *****Help out others by using the rating system and marking answered questions as "Answered"*****

  • WLC 7.5 Sleeping clients with ISE and Central WEB Auth(CWA)

    Hi there,
    Is it possible to use sleeping clients when using ISE and CWA?
    I was thinking of enabling layer3 auth with web auth on mac auth failure, but will that work with CWA?
    Or is the only solution to use LWA?

    Controller -> General -> User Idle Timeout (seconds) = 50 000 sec.
    And your users will stay connected all this time even if they go into sleep mode.
    Be careful with CPU load.

  • Web auth with internal web page of WLC and ISE as RADIUS server

    Hi All,
    We have created an SSID as web auth with the internal web page for login. In the advanced tab we configured the AAA server. AD is integrated with ISE.
    When the user tries to connect, he is getting the redirect URL. But during the authentication, we are getting an error in ISE:
    "ise has problems communicating with active directory using its machine credentials" and authentication is failing.
    When we have an L2 security mechanism enabled with PEAP, ISE is able to read the AD and provides authentication.
    Only for L3 web auth it is not happening.
    Any clue on this?
    Thanks,
    Regards,
    Vijay.

    Machine credentials require a lookup on the computer OU and that has to be defined on the client side.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Show web auth users on WLC

    Hello all!
    I have a Cisco WLC 2500 running software version 7.0.220.0 and one of its WLANs is configured for Web Auth with LDAP (Microsoft AD) and it's working fine.
    Now I need to figure out how to list all the authenticated users, their IP address, AP name and some other information located in the Clients > Detail page.
    Is there any CLI command that will show the information I need? Or even another way to retrieve that information?
    Thanks in advance.
    Valdecir
    São Paulo, Brazil.

    The only way you can see this detail is from the CLI of the WLC:
    show client summary
    Find the mac address of the user
    show client detail <mac address>

  • Question about ISE guest user account self registration

    Dear Sir,
    We are planning a guest solution for my wireless network (we have WLC5508 and 1142 access points); our requirements are:
    1. Guest user accesses a wireless guest SSID, opens the browser, and is redirected to the web-auth page.
    2. The web-auth page has a URL, and if the user clicks the URL, the guest user is taken to another web page where the guest user can input some information (for example: username, email, cell phone, ...) to create a guest user account themselves. The expiration of the user account is fixed to one day.
    3. The username and random password created for the guest user are then sent by SMS or email to the guest user.
    4. The guest user can use the username and password he received to log in to the web-auth page and use the guest wireless network.
    5. User activity information (user creation, login/logout, expiry time, user IP address, ...) should be logged.
    Please help to verify that ISE with the base license can meet our requirements (especially items 2 & 3).
    Best Regards,

    Hi,
    Guest registration is covered with base licenses.
    Here is some material that will bring you up to speed:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html
    Base:
    Capabilities: Basic network access and guest access
    Network deployment support: Wired, wireless, and VPN
    License prerequisite: None
    Perpetual license
    Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
    Tarik Admani
    *Please rate helpful posts*

  • ISE web auth for non-cisco switch(D-link 3528)

    Is it possible to use ISE (inline posture node) to redirect wired users to the ISE guest portal?
    And the wired users will get full network access after they pass the web auth.

    You can use the ISE in-line posture node with third-party switches.
    The RADIUS access device must supply the following RADIUS attributes:
        Calling-Station-Id (for MAC_ADDRESS)
        User-Name
        NAS-Port-Type
        The RADIUS accounting message must have the Framed-IP-Address attribute
    VLAN and DACL features can be used, but again it depends on the switch model; let us know the specific switch models. Certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality.
