LEAP Authentication for 7929 phones on WLC

We are trying to use LEAP authentication to get a 7920 phone authenticated against the WLC, but it's not working. Has anyone seen any caveats with this kind of setup?

Are you using key-management (WPA, CCKM)?
If so, put the phone into AKM mode.
CCKM is only supported using WPA on the WLC.
7920 only supports TKIP encryption.
Ensure 3.02 firmware for the 7920 is used.
If that is configured correctly, then I would look at the RADIUS failed authentication log to troubleshoot further.

Similar Messages

  • Generate one time authentication for Guest on Cisco WLC

    Hi All
    Sorry for my question, because I just started to work with Cisco WLC.
    I have created some WLAN for local users with authentication by 802.1x + Radius by certificate.
    For Guest I used PSK with MAC-filtering.
    But I see that is not comfortable for Guests, each time they come and want to access our wireless, we have to come and get their MAC.
    I checked on Internet and find that the wireless solution for Hotel, Resorts are very easy.
    I also googled and saw that Cisco WLC supports Lobby Ambassador to generate a Guest username/password. But as I checked, this username/password might only be used with Web-Auth; this method is not comfortable for Guests who don't know they have to go to Web-Auth to do authentication (e.g. when they only get POP3 email, or VPN, ... and do not use browsers).
    Could I use this method (or another method) for creating a one-time Guest wireless username/password or Guest PSK that can be used for authentication when Guests click on the wireless SSID name only (no need to open a web browser to do Web-Auth)?
    Regards
    Hai

    Hi Choudhary
    Thank you much for your information
    Could I reconfirm about my concern.
    With Cisco WLC, I can use WebAuth with Guest user only
    If I want to use a Guest user for authentication when guests connect to the SSID (not by WebAuth, I mean using Layer 2 security only, not Layer 3), I will have to use an additional RADIUS server.
    And if I understand right, could you please recommend me software based Radius Server with support generate one time username/password for Guest, because I checked IAS/NPS on windows server may not have this function (ISE is not appropriate for us at this time, due to high expense)
    Regards
    Hai

  • Disable EAP Authentication for Web-Auth on WLC

    Hello Everyone
    We use a special RADIUS server which is implemented according to RFC 2865. But now we get errors that the RADIUS server can't handle attribute type 80.
    I know this attribute has to do with EAP authentication, which is a newer addition according to RFC 2869.
    How can I configure the WLC to disable EAP authentication?
    Thank you in advance
    Chris Kaiser

    EAP authentication is defined on the SSID... So if you're using RADIUS to authenticate WebAuth users, then you need to make sure that you use open authentication with WebAuth. Don't specify any layer 2 encryption methods and the WLC will not send EAP requests to the RADIUS server.

  • 802.1X authentication not happening in Voice Domain for IP Phone

    I am trying to lab as many scenarios as I can for 802.1x. I seem to have hit a problem with IP Phones running EAP-MD5 authentication. The phones are always being authenticated in the Data Domain. This is regardless of whether or not the port configuration is in host-mode multi-auth or host-mode multi-domain. After a while of both ports appearing to authenticate in the data VLAN, neither the PC nor the Phone will work.
    I have checked that my ACS5.1 server is sending the appropriate AV pair of "device-traffic-class=voice" as I can see it in a wireshark trace.
    What other aspects might I need to check to get the phone to authenticate itself properly?
    The problem shows itself as:
    C3750G#sh authentication sessions int gi 1/0/16
                Interface:  GigabitEthernet1/0/16
              MAC Address:  001d.452d.53e0
               IP Address:  Unknown
                User-Name:  CP-7942G-SEP001D452D53E0
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  C0A8FE2500000014000F6B8F
          Acct Session ID:  0x00000036
                   Handle:  0xC8000014
    Runnable methods list:
           Method   State
           dot1x    Authc Success
                Interface:  GigabitEthernet1/0/16
              MAC Address:  0014.c209.896f
               IP Address:  192.168.10.2
                User-Name:  TEST\TestAdmin
                   Status:  Running
                   Domain:  UNKNOWN
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-domain
         Oper control dir:  both
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  C0A8FE2500000013000F5A42
          Acct Session ID:  0x00000034
                   Handle:  0x27000013
    Runnable methods list:
           Method   State
           dot1x    Running
    My port config is:
    interface GigabitEthernet1/0/16
    description * 802.1x Multi Domain (1Phone + 1PC) *
    switchport access vlan 10
    switchport mode access
    switchport voice vlan 11
    priority-queue out
    authentication host-mode multi-domain
    authentication port-control auto
    udld port aggressive
    mls qos trust dscp
    dot1x pae authenticator
    spanning-tree portfast
    end

    For information, the debugs you request are:
    Jan 29 10:58:46.317: %ILPOWER-7-DETECT: Interface Gi1/0/16: Power Device detected: IEEE PD
    Jan 29 10:58:46.770: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/16: Power granted
    Jan 29 10:58:50.377: AAA/BIND(0000001D): Bind i/f
    Jan 29 10:58:52.373: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/16, changed state to up
    Jan 29 10:58:53.380: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/16, changed state to up
    Jan 29 10:58:54.789: %AUTHMGR-5-START: Starting 'dot1x' for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID C0A8FE2500000018002FB1D0
    Jan 29 10:58:56.920: AAA/AUTHEN/8021X (0000001D): Pick method list 'default'
    Jan 29 10:58:56.920: RADIUS/ENCODE(0000001D):Orig. component type = DOT1X
    Jan 29 10:58:56.920: RADIUS(0000001D): Config NAS IP: 192.168.254.37
    Jan 29 10:58:56.920: RADIUS/ENCODE(0000001D): acct_session_id: 54
    Jan 29 10:58:56.920: RADIUS(0000001D): sending
    Jan 29 10:58:56.920: RADIUS(0000001D): Send Access-Request to 192.168.254.51:1645 id 1645/52, len 237
    Jan 29 10:58:56.920: RADIUS:  authenticator 89 81 92 2C AA 6B E6 E6 - CA 2C 3A 0D E1 C5 28 ED
    Jan 29 10:58:56.928: RADIUS:  User-Name           [1]   26  "CP-7942G-SEP001D452D53E0"
    Jan 29 10:58:56.928: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Jan 29 10:58:56.928: RADIUS:  Framed-MTU          [12]  6   1500
    Jan 29 10:58:56.928: RADIUS:  Called-Station-Id   [30]  19  "30-37-A6-AB-8E-90"
    Jan 29 10:58:56.928: RADIUS:  Calling-Station-Id  [31]  19  "00-1D-45-2D-53-E0"
    Jan 29 10:58:56.928: RADIUS:  EAP-Message         [79]  31
    Jan 29 10:58:56.928: RADIUS:   02 01 00 1D 01 43 50 2D 37 39 34 32 47 2D 53 45 50 30 30 31 44  [CP-7942G-SEP001D]
    Jan 29 10:58:56.928: RADIUS:   34 35 32 44 35 33 45 30          [ 452D53E0]
    Jan 29 10:58:56.928: RADIUS:  Message-Authenticato[80]  18
    Jan 29 10:58:56.928: RADIUS:   83 AF F8 DB 44 0D 0A 46 70 2F 1E 8D 67 CE BC DD             [ DFp/g]
    Jan 29 10:58:56.928: RADIUS:  EAP-Key-Name        [102] 2   *
    Jan 29 10:58:56.928: RADIUS:  Vendor, Cisco       [26]  49
    Jan 29 10:58:56.928: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8FE2500000018002FB1D0"
    Jan 29 10:58:56.928: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Jan 29 10:58:56.928: RADIUS:  NAS-Port            [5]   6   50116
    Jan 29 10:58:56.928: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/16"
    Jan 29 10:58:56.928: RADIUS:  NAS-IP-Address      [4]   6   192.168.254.37
    Jan 29 10:58:56.928: RADIUS(0000001D): Started 4 sec timeout
    Jan 29 10:58:56.928: RADIUS: Received from id 1645/52 192.168.254.51:1645, Access-Challenge, len 76
    Jan 29 10:58:56.928: RADIUS:  authenticator DA 45 B9 F8 80 48 A0 4B - F7 99 9B 1F DE 4F B2 9E
    Jan 29 10:58:56.928: RADIUS:  State               [24]  30
    Jan 29 10:58:56.937: RADIUS:   32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F  [25SessionID=ACS/]
    Jan 29 10:58:56.937: RADIUS:   38 35 36 37 30 35 31 38 2F 33 33 3B      [ 85670518/33;]
    Jan 29 10:58:56.937: RADIUS:  EAP-Message         [79]  8
    Jan 29 10:58:56.937: RADIUS:   01 51 00 06 0D 20                [ Q ]
    Jan 29 10:58:56.937: RADIUS:  Message-Authenticato[80]  18
    Jan 29 10:58:56.937: RADIUS:   3C F4 D9 93 82 EA FB 25 A7 9D C4 8F 14 3F 33 4F             [ <??3O]
    Jan 29 10:58:56.937: RADIUS(0000001D): Received from id 1645/52
    Jan 29 10:58:56.937: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
    Jan 29 10:58:57.046: AAA/AUTHEN/8021X (0000001D): Pick method list 'default'
    Jan 29 10:58:57.046: RADIUS/ENCODE(0000001D):Orig. component type = DOT1X
    Jan 29 10:58:57.046: RADIUS(0000001D): Config NAS IP: 192.168.254.37
    Jan 29 10:58:57.046: RADIUS/ENCODE(0000001D): acct_session_id: 54
    Jan 29 10:58:57.046: RADIUS(0000001D): sending
    Jan 29 10:58:57.046: RADIUS(0000001D): Send Access-Request to 192.168.254.51:1645 id 1645/53, len 244
    Jan 29 10:58:57.046: RADIUS:  authenticator BE 9B 32 59 45 BF 15 45 - E4 43 02 B5 B5 D7 ED 83
    Jan 29 10:58:57.046: RADIUS:  User-Name           [1]   26  "CP-7942G-SEP001D452D53E0"
    Jan 29 10:58:57.046: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Jan 29 10:58:57.046: RADIUS:  Framed-MTU          [12]  6   1500
    Jan 29 10:58:57.054: RADIUS:  Called-Station-Id   [30]  19  "30-37-A6-AB-8E-90"
    Jan 29 10:58:57.054: RADIUS:  Calling-Station-Id  [31]  19  "00-1D-45-2D-53-E0"
    Jan 29 10:58:57.054: RADIUS:  EAP-Message         [79]  8
    Jan 29 10:58:57.054: RADIUS:   02 51 00 06 03 04                 [ Q]
    Jan 29 10:58:57.054: RADIUS:  Message-Authenticato[80]  18
    Jan 29 10:58:57.054: RADIUS:   E0 B5 99 82 7E 9E 35 0F 78 D9 BD 4B 96 97 34 47            [ ~5xK4G]
    Jan 29 10:58:57.054: RADIUS:  EAP-Key-Name        [102] 2   *
    Jan 29 10:58:57.054: RADIUS:  Vendor, Cisco       [26]  49
    Jan 29 10:58:57.054: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8FE2500000018002FB1D0"
    Jan 29 10:58:57.054: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Jan 29 10:58:57.054: RADIUS:  NAS-Port            [5]   6   50116
    Jan 29 10:58:57.054: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/16"
    Jan 29 10:58:57.054: RADIUS:  State               [24]  30
    Jan 29 10:58:57.054: RADIUS:   32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F  [25SessionID=ACS/]
    Jan 29 10:58:57.054: RADIUS:   38 35 36 37 30 35 31 38 2F 33 33 3B      [ 85670518/33;]
    Jan 29 10:58:57.054: RADIUS:  NAS-IP-Address      [4]   6   192.168.254.37
    Jan 29 10:58:57.054: RADIUS(0000001D): Started 4 sec timeout
    Jan 29 10:58:57.054: RADIUS: Received from id 1645/53 192.168.254.51:1645, Access-Challenge, len 95
    Jan 29 10:58:57.054: RADIUS:  authenticator D9 62 B7 27 8F 55 E9 88 - 41 01 D0 83 52 DF 36 29
    Jan 29 10:58:57.054: RADIUS:  State               [24]  30
    Jan 29 10:58:57.054: RADIUS:   32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F  [25SessionID=ACS/]
    Jan 29 10:58:57.063: RADIUS:   38 35 36 37 30 35 31 38 2F 33 33 3B      [ 85670518/33;]
    Jan 29 10:58:57.063: RADIUS:  EAP-Message         [79]  27
    Jan 29 10:58:57.063: RADIUS:   01 52 00 19 04 10 AA 6A A2 BC 63 1A C0 93 B8 58 67 F7 1A A5 FD 45 41 43 53         [ RjcXgEACS]
    Jan 29 10:58:57.063: RADIUS:  Message-Authenticato[80]  18
    Jan 29 10:58:57.063: RADIUS:   29 D2 66 87 4A 2F B3 9E B5 EC F9 4E 9F 62 82 5E           [ )fJ/Nb^]
    Jan 29 10:58:57.063: RADIUS(0000001D): Received from id 1645/53
    Jan 29 10:58:57.063: RADIUS/DECODE: EAP-Message fragments, 25, total 25 bytes
    Jan 29 10:58:57.079: AAA/AUTHEN/8021X (0000001D): Pick method list 'default'
    Jan 29 10:58:57.079: RADIUS/ENCODE(0000001D):Orig. component type = DOT1X
    Jan 29 10:58:57.079: RADIUS(0000001D): Config NAS IP: 192.168.254.37
    Jan 29 10:58:57.079: RADIUS/ENCODE(0000001D): acct_session_id: 54
    Jan 29 10:58:57.079: RADIUS(0000001D): sending
    Jan 29 10:58:57.079: RADIUS(0000001D): Send Access-Request to 192.168.254.51:1645 id 1645/54, len 284
    Jan 29 10:58:57.079: RADIUS:  authenticator 91 F4 7C C1 4E 79 27 AB - 2F 36 20 A8 9C 3F A9 76
    Jan 29 10:58:57.079: RADIUS:  User-Name           [1]   26  "CP-7942G-SEP001D452D53E0"
    Jan 29 10:58:57.088: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Jan 29 10:58:57.088: RADIUS:  Framed-MTU          [12]  6   1500
    Jan 29 10:58:57.088: RADIUS:  Called-Station-Id   [30]  19  "30-37-A6-AB-8E-90"
    Jan 29 10:58:57.088: RADIUS:  Calling-Station-Id  [31]  19  "00-1D-45-2D-53-E0"
    Jan 29 10:58:57.088: RADIUS:  EAP-Message         [79]  48
    Jan 29 10:58:57.088: RADIUS:   02 52 00 2E 04 10 45 2F B1 FC 60 CF 09 08 7B C4 F9 56 74 AF 44 E9 43 50 2D 37 39 34 32  [R.E/`{VtDCP-7942]
    Jan 29 10:58:57.088: RADIUS:   47 2D 53 45 50 30 30 31 44 34 35 32 44 35 33 45  [G-SEP001D452D53E]
    Jan 29 10:58:57.088: RADIUS:   30                 [ 0]
    Jan 29 10:58:57.088: RADIUS:  Message-Authenticato[80]  18
    Jan 29 10:58:57.088: RADIUS:   45 42 58 9F 75 14 09 A1 FC DD CD 26 B4 88 42 CF            [ EBXu&B]
    Jan 29 10:58:57.088: RADIUS:  EAP-Key-Name        [102] 2   *
    Jan 29 10:58:57.088: RADIUS:  Vendor, Cisco       [26]  49
    Jan 29 10:58:57.088: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8FE2500000018002FB1D0"
    Jan 29 10:58:57.088: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Jan 29 10:58:57.088: RADIUS:  NAS-Port            [5]   6   50116
    Jan 29 10:58:57.088: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/16"
    Jan 29 10:58:57.088: RADIUS:  State               [24]  30
    Jan 29 10:58:57.088: RADIUS:   32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F  [25SessionID=ACS/]
    Jan 29 10:58:57.088: RADIUS:   38 35 36 37 30 35 31 38 2F 33 33 3B      [ 85670518/33;]
    Jan 29 10:58:57.088: RADIUS:  NAS-IP-Address      [4]   6   192.168.254.37
    Jan 29 10:58:57.088: RADIUS(0000001D): Started 4 sec timeout
    Jan 29 10:58:57.222: RADIUS: Received from id 1645/54 192.168.254.51:1645, Access-Accept, len 126
    Jan 29 10:58:57.222: RADIUS:  authenticator 7B A5 E0 B2 D6 15 90 26 - 8F 8F 64 B0 E6 94 D8 C7
    Jan 29 10:58:57.222: RADIUS:  User-Name           [1]   26  "CP-7942G-SEP001D452D53E0"
    Jan 29 10:58:57.222: RADIUS:  Class               [25]  22
    Jan 29 10:58:57.222: RADIUS:   43 41 43 53 3A 41 43 53 2F 38 35 36 37 30 35 31  [CACS:ACS/8567051]
    Jan 29 10:58:57.222: RADIUS:   38 2F 33 33              [ 8/33]
    Jan 29 10:58:57.222: RADIUS:  EAP-Message         [79]  6
    Jan 29 10:58:57.222: RADIUS:   03 52 00 04                 [ R]
    Jan 29 10:58:57.222: RADIUS:  Message-Authenticato[80]  18
    Jan 29 10:58:57.222: RADIUS:   E8 2E 9B FD C2 A8 D7 5E 86 DD 3C 67 FF 37 75 02            [ .^
    Jan 29 10:58:57.222: RADIUS:  Vendor, Cisco       [26]  34
    Jan 29 10:58:57.222: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
    Jan 29 10:58:57.222: RADIUS(0000001D): Received from id 1645/54
    Jan 29 10:58:57.222: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
    Jan 29 10:58:57.222: AAA/AUTHOR (0000001D): Method list id=0 not configured. Skip author
    Jan 29 10:58:57.222: %DOT1X-5-SUCCESS: Authentication successful for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID
    Jan 29 10:58:57.222: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID C0A8FE2500000018002FB1D0
    Jan 29 10:58:57.239: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
    Jan 29 10:58:58.262: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID C0A8FE2500000018002FB1D0
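
As an added example (not part of the original thread), this Python sketch decodes the EAP-Message bytes from the debug output above to show which EAP method was negotiated and whether the Access-Accept carried the voice VSA. The function names and result keys are illustrative assumptions.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             17: "LEAP", 25: "PEAP", 43: "EAP-FAST"}

# Lines taken from the debug output in the post above; timestamps and the
# attributes not needed for this check have been removed.
DEBUG_LOG = """\
RADIUS(0000001D): Send Access-Request to 192.168.254.51:1645 id 1645/52, len 237
RADIUS:  EAP-Message         [79]  31
RADIUS:   02 01 00 1D 01 43 50 2D 37 39 34 32 47 2D 53 45 50 30 30 31 44  [CP-7942G-SEP001D]
RADIUS:   34 35 32 44 35 33 45 30          [ 452D53E0]
RADIUS:  Message-Authenticato[80]  18
RADIUS:   83 AF F8 DB 44 0D 0A 46 70 2F 1E 8D 67 CE BC DD             [ DFp/g]
RADIUS: Received from id 1645/52 192.168.254.51:1645, Access-Challenge, len 76
RADIUS:  EAP-Message         [79]  8
RADIUS:   01 51 00 06 0D 20                [ Q ]
RADIUS(0000001D): Send Access-Request to 192.168.254.51:1645 id 1645/53, len 244
RADIUS:  EAP-Message         [79]  8
RADIUS:   02 51 00 06 03 04                 [ Q]
RADIUS: Received from id 1645/53 192.168.254.51:1645, Access-Challenge, len 95
RADIUS:  EAP-Message         [79]  27
RADIUS:   01 52 00 19 04 10 AA 6A A2 BC 63 1A C0 93 B8 58 67 F7 1A A5 FD 45 41 43 53
RADIUS(0000001D): Send Access-Request to 192.168.254.51:1645 id 1645/54, len 284
RADIUS:  EAP-Message         [79]  48
RADIUS:   02 52 00 2E 04 10 45 2F B1 FC 60 CF 09 08 7B C4 F9 56 74 AF 44 E9 43 50 2D 37 39 34 32
RADIUS:   47 2D 53 45 50 30 30 31 44 34 35 32 44 35 33 45  [G-SEP001D452D53E]
RADIUS:   30                 [ 0]
RADIUS: Received from id 1645/54 192.168.254.51:1645, Access-Accept, len 126
RADIUS:  EAP-Message         [79]  6
RADIUS:   03 52 00 04                 [ R]
RADIUS:  Message-Authenticato[80]  18
RADIUS:   E8 2E 9B FD C2 A8 D7 5E 86 DD 3C 67 FF 37 75 02
RADIUS:  Vendor, Cisco       [26]  34
RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
AAA/AUTHOR (0000001D): Method list id=0 not configured. Skip author
"""

PKT_RE = re.compile(r"(?:Send|Received from id \S+ \S+,) (Access-[A-Za-z]+)")
HEX_RE = re.compile(r"RADIUS:\s+((?:[0-9A-F]{2}(?: |$))+)")
ATTR_RE = re.compile(r'RADIUS:\s+(.+?)\s*\[(\d+)\]\s+(\d+)(?:\s+"(.*)")?')


def parse_debug(log):
    """Group attribute lines under the RADIUS packet they belong to."""
    packets, attr = [], None
    for line in log.splitlines():
        m = PKT_RE.search(line)
        if m:
            packets.append({"radius": m.group(1), "eap": bytearray(), "avpairs": []})
            attr = None
            continue
        if not packets:
            continue
        m = HEX_RE.search(line)
        if m:
            # Hex dump lines belong to the last attribute header seen; keep
            # only EAP-Message (79) and skip e.g. Message-Authenticator (80).
            if attr == 79:
                packets[-1]["eap"] += bytes.fromhex(m.group(1))
            continue
        m = ATTR_RE.search(line)
        if m:
            attr = int(m.group(2))
            if m.group(4) and "AVpair" in m.group(1):
                packets[-1]["avpairs"].append(m.group(4))
    return packets


def decode_eap(data):
    """Describe one EAP packet: code, identifier and, if present, type."""
    if len(data) < 4:
        return "no EAP payload"
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    name = EAP_CODES.get(code, f"code {code}")
    if length != len(data):
        return f"{name} id={ident} (length field {length}, got {len(data)} bytes)"
    if code in (1, 2) and length >= 5:
        etype = data[4]
        if etype == 1 and code == 2:
            return f"{name}/Identity id={ident} '{data[5:].decode('ascii', 'replace')}'"
        if etype == 3:  # Nak: the peer lists the EAP types it will accept
            wanted = ", ".join(EAP_TYPES.get(t, f"type {t}") for t in data[5:])
            return f"{name}/Nak id={ident} wants {wanted}"
        return f"{name}/{EAP_TYPES.get(etype, f'type {etype}')} id={ident}"
    return f"{name} id={ident}"


def summarise(log):
    packets = parse_debug(log)
    final = packets[-1] if packets else None
    return {
        "steps": [(p["radius"], decode_eap(bytes(p["eap"]))) for p in packets],
        "accepted": bool(final) and final["radius"] == "Access-Accept",
        "voice_vsa": bool(final) and "device-traffic-class=voice" in final["avpairs"],
        "authz_skipped": "Skip author" in log,
    }


if __name__ == "__main__":
    result = summarise(DEBUG_LOG)
    for radius, eap in result["steps"]:
        print(f"{radius:17} {eap}")
    print({k: v for k, v in result.items() if k != "steps"})
```

Run against the excerpt, the steps show the server offering EAP-TLS, the phone answering with a Nak for MD5-Challenge, and the Access-Accept carrying `device-traffic-class=voice`. The `authz_skipped` flag marks the "Skip author" line, which is worth checking when an attribute returned in the Access-Accept is not reflected in the session.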

  • LEAP authentication on WCS ap's

    I have old handheld devices that are using LEAP authentication to a local radius server. They are currently connected to IOS based access points. I am trying to convert the site to controllers /lwapp, but I cannot
    get LEAP to work through the controller. (All other clients/devices are working fine).
    Here are the settings for my ssid/radio that the clients use for LEAP on the IOS based ap's:
    ssid xxxxxx
    authentication open eap eap_methods
    authentication network-eap eap_methods
    int ...radio0
    encryption mode ciphers tkip wep128
    broadcast-key change 900
    I've tried every option under the controller - wlans -> security -> layer 2, but the handhelds still don't get an IP address or connect correctly. Any ideas? Or is LEAP just not compatible with WCS?

    Have you configured the WLC(s) as NAS on the radius server?
    What kind of RADIUS server are you using?
    Anything in the logs on it when it fails?

  • SOA Managed Server "Authentication for user denied" exception

    Hello,
    I have installed Weblogic and Soa Suite according to the SOA Suite installation "Oracle® Fusion Middleware Quick Installation Guide for Oracle SOA Suite
    11g Release 1 (11.1.1)" document.
    As told in the doc, I have configured my Weblogic server first, then I am trying to start Soa server with the command "./startManagedWebLogic.sh soa_server1"
    But I am getting this error; mucho obrigado!
    <Nov 3, 2010 5:35:20 PM EET> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
    <Nov 3, 2010 5:35:20 PM EET> <Critical> <Security> <BEA-090403> <Authentication for user denied>
    <Nov 3, 2010 5:35:20 PM EET> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication for user denied
    weblogic.security.SecurityInitializationException: Authentication for user denied
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:965)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1050)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
    at weblogic.security.SecurityService.start(SecurityService.java:141)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    Truncated. see log file for complete stacktrace
    Caused By: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User javax.security.auth.login.LoginException: [Security:090301]Password Not Supplied
    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:250)
    at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
    at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    Truncated. see log file for complete stacktrace
    >
    <Nov 3, 2010 5:35:20 PM EET> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
    <Nov 3, 2010 5:35:20 PM EET> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
    <Nov 3, 2010 5:35:20 PM EET> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>

    Hi Donmay,
    We were trying to nohup (I mean: changing the output from console to a text file), but startManagedWebLogic asks for admin's user and server (which you specify when creating your domain), so since it couldn't get this info from the user, the soa_server didn't start. There are 4 solutions that I know of:
    1) Don't nohup, just enter ~$ ./startManagedWebLogic.sh soa_server1
    2) Specify the user and passwd in startManagedWebLogic. The two variables are WLS_USER and WLS_PW
    3) Create a boot.password file in .../domain/bin and in the startManagedWebLogic add this -Dweblogic.system.BootIdentityFile="fileGoesHere" JAVA_OPTIONS (http://blogs.oracle.com/middleware/2010/05/weblogic_not_reading_bootproperties_1111x.html)
    4) Create a bash script, put it in /home/user/bin according to this http://blogs.oracle.com/reynolds/2010/03/cold_start.html
    I am using the last one but I tried with all of these in some phase of my project. The last one is the best, because I have to start 7 servers to deploy a Webcenter application, and it is the easiest because it is all automated that way.
    Sorry for the late reply, I have posted from my phone.

  • RADIUS Authentication for Guest users

    Hi,
    I currently use a 4402 WLC located in our DMZ to authenticate Guest users - local authentication is in place.  I would not like to setup RADIUS authentication via a Cisco NAC server.  In order not to affect current guest users, I created a new WLAN and configured with RADIUS server details under WLANs->Edit->Security.  I can associate to new WLAN and obtain a DHCP address no problem, but when I browse to an external website, I do not get prompted for authentication from the RADIUS server.  I don't see any auth requests hitting our firewall, so am assuming the problem is with the WLC config.
    Can anyone provide any details of what config is required?
    Security Policy - Web-Auth
    Security-> L2 - None
    Security-> L3 - Authentication
    Security-> AAA Servers - Auth and Acc server set
    Many thanks
    Liam

    Your setup sounds pretty okay. Have you got local user accounts set up on the WLC for the test WLAN? If you do, check to see that the priority order for web authentication for the test WLAN prefers the AAA account. You will have to do it directly on your controller as I do not think you have that option in WCS.
    Hope that helps.

  • ISE : Authentication for IKEv2

    Just to check if anyone might be able to assist me regarding an issue that I am trying to work out a solution for.
    My requirements are: multitenant deployment using ASR1K with IKEv2 VPN authenticated with ISE or ACS, and user databases in most cases will be in Active Directory. And authentication has to be with user and password.
    EAP-MD5: does not work with LDAP integration with Active Directory; it does however work in RADIUS proxy mode, but the security level of password storage in AD has to be degraded a lot by allowing AD to store reversible passwords.
    EAP-GTC: As far as I understand from everything I read, this might be the holy grail for U/P authentication for IKEv2. But in ISE and ACS EAP-GTC is only supported as an inner method in PEAP and EAP-FAST will this change in the near future ?
    And is there possibly something else that I am missing which might be a solution to this design criteria ?

    The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning. The flow includes these steps:
    Please follow below guide for step by step configuration:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

  • ISE Licensing for IP Phones nodes

    Hi Guys,
    I'm currently working on an ISE design for a network where they have IP Phones for each end user device:
     Switch <--> IP Phone <--> End User Device.
    My concern is the licensing part; I'm not really interested in authenticating or profiling IP Phone nodes. Rather, I need only to provide full ISE services for end user devices behind IP Phones (Authentication, Authorization, Posturing, etc.). So I need to order a base and an advanced license that cover ONLY the number of end user devices without accounting for IP Phone units.
    Considering the above requirements, what is the best deployment scenario to consider when configuring the switch interface that connects to each IP Phone with single host port authentication (CDP bypass)? Would the IP phone consume from the license count?
    What if we considered doing MAB for IP Phone nodes and Dot1x for end users and considering MDA? Would it consume 2 units from the total license number of nodes in this case?
    What is the best practice for deploying and licensing ISE if i Cisco or a Third Party IP Telephony solution and I don't want to authenticate/authorize/profile IP phones?
    Thanks,
    Muayad Jallad,

    If you are using Cisco IP phones you can get away with single-host mode on the port which in effect ignores the phone. If the phone is a third party device you will most likely need to use multi-domain authentication and actually use ISE to allow the phone on the network.
    In summary - Cisco phone means potentially no license; if Avaya or other third party, you will need to auth and use a license.

  • MAC and Leap authentication

    I am using MAC address and LEAP authentication via ACS. The MAC address is configured as a user in the ACS database, and LEAP is using the external Windows user database.
    If this is a case, can someone use the MAC address as username and p/w to login to the network ?
    If I use both the ACS secure DB and ext Windows user DB, which one will be checked first for an username from client ?

    If I key in the MAC address in the username and password logon, will the MAC address pass through both the MAC and LEAP authentication?
    First the MAC address is verified by the ACS local user database. Secondly, when it comes to LEAP authentication, since I key in the MAC address as username and password, this entry is also found in the ACS local database as a valid user; will it be allowed?

  • Two factor authentication for iCloud?

    Hello,
    I have two factor authentication (aka two step verification) setup for my AppleID - when I login to appleid.apple.com it sends a code to my phone.  So that part works great.  However, when I login to www.icloud.com it doesn't send a code to my phone.  Securing iCloud.com with two factor is very important as iCloud contains a lot of your data (email, contacts, etc.).
    I'm wondering if it's not working for me because two factor for iCloud.com hasn't been fully rolled out yet - or maybe it is still in beta?
    This article indicates that Apple was testing two factor for iCloud.com as recently as June, 2014:
    http://appleinsider.com/articles/14/06/30/apple-testing-two-step-verification-for-icloudcom
    So my question is, does anyone know when two-factor authentication will be fully rolled out and working for iCloud.com?
    Thanks!

    After reading a few articles on this subject, Apple is still working on enabling two-factor authentication for iCloud.  At best, they are currently "rolling it out", a process that can take several months due to the millions of users, I guess.  At worst, it's still in beta and they are still testing and working on it... which means it could be next year before it's fully deployed.  I haven't found any articles or news with a firm date.  I'm just glad they are working on it as it's very important.  In the meantime, they have implemented email notifications when you login to your iCloud account.  I tested this and only received one notification (for multiple logins over several days from several different computers) so I'm not sure how well the notifications are really working - but I think the notifications are just a workaround until they get two-factor fully deployed for iCloud.
    Does anyone else have more info on this?

  • Certificate authentication for Cisco VPN client

    I am trying to configure the Cisco VPN client for certificate authentication on my ASA 5512-X. I have it set up currently for group authentication with a shared pass. This works fine. But in order for you to pass PCI compliance you cannot allow aggressive mode for IKEv1. The only way to disable aggressive mode (and use main mode) is to use certificate authentication for the VPN client. I know that someone out there must be doing this already. I am going round and round with this. I am missing something.
    I have tried as I might and all I can get are some cryptic error messages from the client and nothing on the firewall, i.e. failed to generate signature, invalid remote signature id. I have tried using different signatures (one built on the ASA and bought from GoDaddy, one built from a Windows CA, and one self-signed).
    Can someone provide the instructions on setting this up (ASDM or CLI)? Can this even be done? I would love to just use the AnyConnect client but I believe you need licensing for that since our system states only 2 allowed. Thank you for your help.

    Dear Doug,
    What ASA code are you running on the ASA hardware? For Cisco AnyConnect you need to have code 8.0 on your hardware with the Cisco AnyConnect Essentials license enabled. Paste me your show version and I will help you determine whether you need to procure a license for your hardware. By default your hardware will be shipped with the AnyConnect Essentials license when you have ordered your hardware with ASA code above 8.0.
    With AnyConnect Essentials you are allowed to use up to the total VPN peers allowed based on your hardware.
    1)  What is the AnyConnect Essentials License?
    The AnyConnect Essentials is a license that allows you to connect up to your 'Total VPN Peers' platform limit with AnyConnect.  Without an AnyConnect Essentials license, you are limited to the 'SSLVPN Peers' limit on your device.  With the AnyConnect Essentials License, you can only use AnyConnect for SSL - other features such as CSD (Cisco Secure Desktop) and using the SSLVPN portal page for anything other than launching AnyConnect are restricted.
    You can see your limits for the various licensing by issuing the 'show version' command on your ASA.
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 150      
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled  
    VPN-3DES-AES                   : Enabled  
    Security Contexts              : 2        
    GTP/GPRS                       : Disabled 
    SSL VPN Peers                  : 2        
    Total VPN Peers                : 750      
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled 
    AnyConnect for Cisco VPN Phone : Disabled 
    AnyConnect Essentials          : Disabled 
    Advanced Endpoint Assessment   : Disabled 
    UC Phone Proxy Sessions        : 2        
    Total UC Proxy Sessions        : 2        
    Botnet Traffic Filter          : Disabled
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 150      
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled  
    VPN-3DES-AES                   : Enabled  
    Security Contexts              : 2        
    GTP/GPRS                       : Disabled 
    SSL VPN Peers                  : 2        
    Total VPN Peers                : 750      
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled 
    AnyConnect for Cisco VPN Phone : Disabled 
    AnyConnect Essentials          :  Enabled
    Advanced Endpoint Assessment   : Disabled 
    UC Phone Proxy Sessions        : 2        
    Total UC Proxy Sessions        : 2        
    Botnet Traffic Filter          : Disabled
    AnyConnect VPN configuration:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml
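
The licensing rule described in the reply above, as an added example that is not part of the original thread or Cisco's tooling: it parses the "Licensed features" block of `show version` and reports which limit applies to AnyConnect sessions. The function names and the trimmed sample text are assumptions made for illustration.

```python
import re

# Constructed sample: a trimmed copy of the license block quoted in the thread.
SAMPLE = """\
Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Failover                       : Active/Active
SSL VPN Peers                  : 2
Total VPN Peers                : 750
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
"""

HEADER = "licensed features for this platform"
FEATURE = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<value>\S.*?)\s*$")


def parse_license_block(text):
    """Return {feature name: value} from the 'Licensed features' block."""
    features, in_block = {}, False
    for line in text.splitlines():
        if line.strip().lower().startswith(HEADER):
            in_block = True
            continue
        if not in_block:
            continue
        match = FEATURE.match(line)
        if not match:
            if features:      # first non "name : value" line ends the block
                break
            continue
        # Keep only the first token, so a trailing word after the value
        # (some outputs append one) does not break the comparison.
        features[match["name"]] = match["value"].split()[0]
    return features


def anyconnect_session_limit(features):
    """Apply the rule from the thread: with AnyConnect Essentials the cap is
    'Total VPN Peers'; without it, AnyConnect is capped at 'SSL VPN Peers'."""
    essentials = features.get("AnyConnect Essentials", "Disabled").lower() == "enabled"
    key = "Total VPN Peers" if essentials else "SSL VPN Peers"
    return essentials, int(features[key])


if __name__ == "__main__":
    enabled, limit = anyconnect_session_limit(parse_license_block(SAMPLE))
    print(f"AnyConnect Essentials enabled: {enabled}; AnyConnect session limit: {limit}")
```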

  • MacBookPro and Cisco's LEAP authentication method

    I am getting ready to get a laptop in the next couple of weeks.
    The Law School's wireless network standard is 802.11g. The network uses Cisco's LEAP authentication method. Only LEAP-enabled notebook computers may connect to all access points of the Law School wireless network.
    I googled this and, at least last year in 2006, MacBook Pros weren't working with the LEAP system because they wouldn't assign an IP address. Do you know whether this has been resolved?
    MacG5 Mac OS X (10.4.10)

    I found this: Finder>Help>Mac Help>Search: LEAP>
    "AirPort: How to configure Mac OS X 10.4 "Tiger" clients for LEAP authentication
    If you select LEAP authentication on a Mac OS X 10.4.2 or later computer on which the AirPort 4.2 or later update has been installed, your authentication settings may be lost after restart, sleep, or location change. As a workaround, you should use the steps shown here, which will have the effect of configuring LEAP, even though you will choose WEP from the menu.
    Go to the Network pane of the System Preferences, show AirPort, and click the AirPort tab.
    Be sure the "By default, join" menu is set to "Preferred networks."
    Note: If you don't have "Preferred networks" as a choice, this means that your 10.4 system was upgraded from 10.3, and that you're still using a Location imported from 10.3 (Panther). In this situation, you experience Panther behavior instead of new Tiger features. You will need to create a new location to utilize Tiger features and complete these steps.
    Click the "+" button.
    Enter the desired network name in the window that appears.
    From the Wireless Security pop-up menu, choose WEP Password.
    Replacing username and password with actual name and password, enter them exactly as shown here, including both brackets and slash:
    <username/password>
    Note: Though there will not be any visible indication, this entry format sets the client to use LEAP rather than WEP.
    Click OK. Note: The network entry will appear in the table as "WEP," but LEAP will be used.
    Click Apply Now."
    Looks like it works when you know what to do (or where to search).

  • HT1620 Is this worth doing for a phone I don't use for purchases or online banking?

    I don't do online banking or anything financial on my 4S.  Do I need this security?

    I suspect you do have financial data and valuable data stored on your phone.  You probably have a contract with it, and probably pay for calls made to certain telephone numbers, for instance.  What happens when your phone starts calling pay-per-call, international, or more SMS or data traffic than you're contracted for?  You then either get to pay for that activity, or you spend time and hassles untangling the bills.
    Do you have email addresses, or telephone numbers, or calendar data, or do you have email accounts?   Do you tweet or post to Facebook?  Those activities can be valuable to you, to your contacts, and variously to the authors of malware.
    Can your phone be used to delete some or all of your email?   That's going to be annoying, if nothing else.
    Is your phone number part of two-factor authentication for a password reset for some other online service, or for authenticating credit card purchases?  That could get expensive.
    Please keep your computers current, and your iOS current.  If not for yourself, then for those your phones or your computers can be used to contact.
    Thanks!

  • I updated my iPhone, however, it didn't put the fingerprint authentication on my phone. Help?

    I updated my iPhone, however, it didn't put the fingerprint authentication on my phone. Help?

    Unless you purchased an iPhone 5s within the past very few days (since last Friday in fact) then you have an iPhone 5.
    The 5s and 5c were just released, and would have arrived with iOS 7 already on them (although an update to 7.0.1 has been released just for them).
