LEAP authentication on WCS ap's

I have old handheld devices that are using LEAP authentication to a local radius server. They are currently connected to IOS based access points. I am trying to convert the site to controllers /lwapp, but I cannot get LEAP to work through the controller. (All other clients/devices are working fine).
Here are the settings for my ssid/radio that the clients use for LEAP on the IOS based ap's:
ssid xxxxxx
authentication open eap eap_methods
authentication network-eap eap_methods
int ...radio0
encryption mode ciphers tkip wep128
broadcast-key change 900
I've tried every option under the controller - wlans -> security -> layer 2, but the handhelds still don't get an IP address or connect correctly. Any ideas? Or is LEAP just not compatible with WCS?

Have you configured the WLC(s) as NAS on the radius server?
What kind of RADIUS server are you using?
Anything in the logs on it when it fails?
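
An added example, not part of the original thread: a minimal RADIUS (RFC 2865) PAP probe for the questions above, meant to be run from a host that is configured as an AAA client on the server. It tells apart no reply, a shared-secret mismatch and a real Access-Reject on ports 1812 and 1645; the server address, secret and account are constructed placeholders, and it tests reachability and NAS registration only, not the LEAP exchange.

```python
import hashlib
import os
import socket
import struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: XOR each 16-byte block with
    MD5(secret + previous ciphertext block); the first block uses the authenticator."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def _attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(user, password, secret, nas_ip, ident=1, authenticator=None):
    """Access-Request with User-Name (1), User-Password (2), NAS-IP-Address (4)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(1, user.encode())
             + _attr(2, hide_password(password.encode(), secret, authenticator))
             + _attr(4, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))
    return header + authenticator + attrs

def classify_reply(request: bytes, reply, secret: bytes) -> str:
    """Interpret what came back, including nothing at all."""
    if reply is None:
        return "no reply: wrong port, filtered, or sender is not a configured AAA client"
    if len(reply) < 20 or reply[1] != request[1]:
        return "malformed or mismatched reply"
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if expected != reply[4:20]:
        return "reply received, but shared secret mismatch"
    return CODES.get(reply[0], f"unexpected code {reply[0]}")

def probe(server: str, port: int, request: bytes, timeout: float = 3.0):
    """Send one request over UDP; return the raw reply or None on timeout/error."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(request, (server, port))
            return sock.recvfrom(4096)[0]
        except OSError:
            return None

if __name__ == "__main__":
    # Constructed placeholders: replace with the lab server, secret and test account.
    SERVER, SECRET = "192.0.2.10", b"constructed-secret"
    req = build_access_request("probe-user", "probe-pass", SECRET, "192.0.2.20")
    for port in (1812, 1645):
        print(port, classify_reply(req, probe(SERVER, port, req), SECRET))
```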

Similar Messages

  • LEAP Authentication for 7929 phones on WLC

    We are trying to use LEAP authentication to get 7920 phone authenticated against the WLC, but it's not working. Has anyone seen any caveats with this kind of a setup?

    Are you using key-management (WPA, CCKM)?
    If so, put the phone into AKM mode.
    CCKM is only supported using WPA on the WLC.
    7920 only supports TKIP encryption.
    Ensure 3.02 firmware for the 7920 is used.
    If that is configured correctly, then would look at the RADIUS failed authentication log to troubleshoot further.

  • MAC and Leap authentication

    I am using MAC address and LEAP authentication via ACS, MAC address is configured as user in ACS database and LEAP using external windows user database.
    If this is a case, can someone use the MAC address as username and p/w to login to the network ?
    If I use both the ACS secure DB and ext Windows user DB, which one will be checked first for an username from client ?

    If I key in the MAC address in the username and password logon, will the MAC address pass through both the MAC and LEAP authentication ?
    First the MAC address is verified by the ACS local user database. Secondly, when it comes to LEAP authentication, since I key in MAC address as username and password, this entry is also found in the ACS local database as a valid user, will it be allowed ?

  • MacBookPro and Cisco's LEAP authentication method

    I am getting ready to get laptop in next couple of weeks.
    The Law School's wireless network standard is 802.11g. The network uses Cisco's LEAP authentication method. Only LEAP-enabled notebook computers may connect to all access points of the Law School wireless network.
    I googled this and at least last year in 2006, MacBook Pros weren't working with the LEAP system because they wouldn't assign an IP address. Do you know if this has been resolved?
    MacG5 Mac OS X (10.4.10)

    I found this: Finder>Help>Mac Help>Search: LEAP>
    "AirPort: How to configure Mac OS X 10.4 "Tiger" clients for LEAP authentication
    If you select LEAP authentication on a Mac OS X 10.4.2 or later computer on which the AirPort 4.2 or later update has been installed, your authentication settings may be lost after restart, sleep, or location change. As a workaround, you should use the steps shown here, which will have the effect of configuring LEAP, even though you will choose WEP from the menu.
    Go to the Network pane of the System Preferences, show AirPort, and click the AirPort tab.
    Be sure the "By default, join" menu is set to "Preferred networks."
    Note: If you don't have "Preferred networks" as a choice, this means that your 10.4 system was upgraded from 10.3, and that you're still using a Location imported from 10.3 (Panther). In this situation, you experience Panther behavior instead of new Tiger features. You will need to create a new location to utilize Tiger features and complete these steps.
    Click the "+" button.
    Enter the desired network name in the window that appears.
    From the Wireless Security pop-up menu, choose WEP Password.
    Replacing username and password with actual name and password, enter them exactly as shown here, including both brackets and slash:
    <username/password>
    Note: Though there will not be any visible indication, this entry format sets the client to use LEAP rather than WEP.
    Click OK. Note: The network entry will appear in the table as "WEP," but LEAP will be used.
    Click Apply Now."
    Looks like it works when you know what to do (or where to search).

  • How do i connect my I-pad mini to cisco leap authentication

    I have a new I pad mini and I want to connect it to my organization wireless network, the organization is using cisco leap for authentication. 

    It has a built-in Thunderbolt cable, see here: http://www.apple.com/displays/specs.html
    So assuming your mini has a thunderbolt port (you said it's new so I assume it does), you'd just plug the display's thunderbolt cable into the mini's Thunderbolt port.

  • User admin authentication to WCS and WLC

    Hi Experts,
    Do you know if it is possible to configure WLC and WCS management user access to authenticate to TACACs like IOS routers do?
    If it's possible, do you know where I can find a doco as a guide? Tried to find one but to no avail.
    WLC
    Model No. AIR-WLC2106-K9
    Software Version 5.2.178.0
    WCS
    version 6.0.181.0
    ACS
    Cisco ACS 4.2
    Thanks
    Rgds
    Kumar Ramalingam

    I think you are looking for this for WCS
    http://www.cisco.com/en/US/docs/wireless/wcs/5.2/configuration/guide/5_2admin.html#wp1059589
    and the WLC guide is here.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml#topic6

  • *Strange* Issue with WPA2-LEAP Authentication

    I suppose I should preface this with the fact that my poor little laptop uses one of the dreaded Broadcom cards (Dell Studio 1555 & BCM4312).
    A while back, I decided I would experiment with Gentoo on my laptop. No wireless. Couldn't get it to work for weeks. Ditched Gentoo and went back to Arch. No wireless. Tried that for another couple of weeks. No wireless, tried Ubuntu, Ubuntu Studio, OpenSUSE, Puppy, Debian, and Arch, again. On the last try, it finally worked. By accident. I discovered that my computer now reads the ethernet port as eth1 and the wireless as eth0 for whatever reason (I've seen eth1 as wireless before, this is the first time that I've seen it as eth0).
    Now, here is my issue. I live on a university campus which requires a username and password to log on to the campus wireless. I am currently connected to a contraband router in a student lounge because I can't connect to the standard dorm wireless.
    My computer seems to have no problem with connecting to regular WPA2 networks, but it fails connecting every time that it tries to authenticate the university network.
    Just wanted to hear your two cents. I'm moving off-campus soon, so it doesn't matter, I just wanted to hear y'all's opinion on this and how to possibly fix it in the few days that I am still here.
    EDIT: I am using wicd.
    Last edited by janvaletin (2012-05-07 11:22:18)

    Found the cause of this issue. For authentication against LDAP with APEX you have to make sure that your APEX_XXXXXX has the correct network ACL privileges.

  • Leap authentication and windows Logon

    Folks,
    Is it possible to log in only once into Windows and not log in to the LEAP client, assuming that you are using ACS which is pointing LEAP credentials to the Windows domain controller, so same password and username? Users in my company do not want to log on twice (Windows and LEAP client) with the same credentials.
    Thanks

    If you mean you want to still use LEAP but only want the users to have to log into Windows to do so then the answer is yes. You just need to configure this on the ACU application. Under the profile go to Edit, Network Security. Make sure that you have LEAP selected. Click the configure button. Select Use Windows Logon User Name and Password. That should do it. Take a look at the screen shot. Please be aware that the authentication will appear to be hung on the finding a Domain Controller section. Just give it about a minute or so to complete. Cisco is working on fixing this. Usually if you hit cancel once it gets to that point it still authenticates you and takes you onto your desktop.
    Please remember to rate all replies.

  • I am trying to establish a 1310 bridge link with LEAP authentication

    First of all I have the radios in a lab with the power set to 5mw.
    The root state is Association processing
    The root event log says RADIUS 172.20.2.105:1645,1646 is not responding. and RADIUS server 172.20.2.105:1645,1646 has returned.
    The non root state is EAP-Associated but the radio int status is Software Status Disabled Hardware Status Down
    I have included the root and non root configs in an attachment

    Thank you for taking the time to review the configs. I will be able to make the change Friday.

  • Can't get LEAP to work on new LWAPP WCS

    I have the WCS and LWAPP talking. If I do WEP or no encryption I can connect to the AP, once I turn on LEAP I get nothing.
    1) On WCS in Security I have my ACS server defined.
    2) On WLAN's under the SSID I have 802.1x checked in layer 2.
    3) I am using 104 bit encryption.
    4) On my ACS server I have a entry for the same IP address as VLAN2 (the vlan I am trying to connect to).
    5) The AAA client is a "Cisco Radius Aironet".
    When I look at my ACS server I don't get any logs for failed or passed attempts, it's like the request is never getting to the ACS server
    I am using Cisco ADU for the client, it never passes the 1st step- "starting leap authentication"
    WCS version - 3.2.116.21
    AP LWAPP version - 12.3(7)JX3
    ACS on Windows 2K version - 3.3(3) Build 11
    ADU version - 2.6.0.1
    Windows XP SP2
    WHAT THE HECK AM I MISSING?????

    Try setting your layer 2 security to WPA or WPA2 rather than 802.1x. If you're using a client that supports LEAP, it should support WPA as well (latest version of Centrino drivers support more than you could ever want!)
    Personally, now WPA and WPA2 are out and well supported, I don't really see any need to be trying to get WEP working, even in its dynamic form.
    Also, even if you select RADIUS (Cisco Aironet) on the ACS Server, it seems to prefer ports 1812 rather than 1645 - I've got LEAP, EAP-FAST, PEAP and EAP-TLS all working between a WLC and an ACS using WPA/WPA2 encryption and the WLC/ACS talking on port 1812...

  • Is roaming transparent to users when authenticating with LEAP or EAP-TLS?

    We are planning the installation of a number of Access Points with LEAP authentication to ACS. We want to know upfront whether the users have to reauthenticate every time they roam from one Access Point to another. Is it the same with EAP-TLS or EAP-TTLS?

    Your users will have to re-authenticate to each AP but it happens automatically through the client. If all of your APs are on the same segment/subnet you shouldn't have a problem.

  • WCS Lobby Ambassador with AAA Authentication

    We are using WCS 7.0.164.0. I configured a user as local lobby ambassador with special defaults and also with a special guest login logo. If I use this user to create guest accounts everything is alright. Now I want to change the authentication to radius, so I export the cisco lobby ambassador attributes to the radius server and extend these network policies. Now I can login as user, authenticated from the radius server and I create guest accounts in the same way as before with local login, BUT !!! Our special guest login logo isn't shown and there is no way to upload or configure this special logo. Is there a way to configure these options for users authenticated with AAA ? Thanks for any Help  Bernhard

    Hi Bernhard,
    I used following doc-link: http://www.cisco.com/en/US/customer/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml
    The trick I used is to configure same username on tacacs+ and local, but different passwords.
    local-user: configure your special attributes like logo
    tacacs+: configure the authentication and group
    local-user password is not the same like tacacs+ password.
    I configured Authentication in WCS section: Administration > AAA > AAA Mode Settings
    Enable fallback to local == on auth failure or no server response
    Maybe if you deselect Enable fallback to local you can only authenticate to tacacs+. But now I can authenticate with local user/password and tacacs+ user/password.
    Attributes for tacacs+ or radius server can be exported in WCS section: Administration > AAA > All Groups; Export Task List
    Attributes for tacacs+ server:
    virtual-domain0=root
    role0=LobbyAmbassador
    task0=Configure Guest Users
    task1=Lobby Ambassador User Preferences
    Attributes for Radius (I never tried radius):
    Wireless-WCS:role0=LobbyAmbassador
    Wireless-WCS:task0=Configure Guest Users
    Wireless-WCS:task1=Lobby Ambassador User Preferences
    ==> I think also virtual-domain can be set.

  • Authenticating Unix users with LEAP

    Scenario : WLAN (AP350 V11.21) with LEAP authentication against an ACS V3.0 server (on W2K). Pre-existing Unix users with traditional Unix-crypted passwords. Usernames with their associated encrypted passwords are successfully imported on ACS database with the csutil utility.
    Authorization fails because LEAP uses a derivative of CHAP/MS-CHAP and it needs the plain password on the ACS side.
    WLANs are increasingly used on places like educational campuses where Unix is widely deployed. Has anyone found a solution to authenticate Unix users with LEAP?
    Thanks in advance

    I know it's not supported yet. When PEAP is added to Aironet and ACS, this problem will go away. I believe that is happening in ACS 3.1 and some future version of the Aironet software.
    An ugly workaround would be to setup User Changeable Passwords. You'd inform people with UNIX accounts that they have an ACS account created, but that wireless will not work for them until they use a LAN-based system to log in and change their ACS password. You could give them the option of using the same password, of course.

  • N96 LEAP 802.1x Authentication????

    Hi all,
    Firstly, a great step forward by Nokia to include 802.1x on the wireless software.
    However, it seems that LEAP has been missed out? Does anyone know if it's possible to get LEAP authentication running?
    Thanks
    Craig

    New? I was using 802.1x (EAP-TLS) on both N80IE & N95 8Gb...
    No sign of leap though. I doubt there will be as it's proprietary (cisco) and losing favour.
    I was however not able to connect to an 802.1x / WPA-EAP/TLS network at work where the N95 had no issues. fw bug I suspect.

  • LEAP wireless clients work, then fail, Using WISM blades HELP

    I am at a complete loss. Calls to Cisco, working with different vendors, nothing has worked to solve the problem. This is what we see, and we see this at every single one of our hospital sites.
    All hospitals used to run just IOS code on their AP's. Some hospitals used the older 1200 series AP's, which have been upgraded from B only radios to A/B/G. Some hospitals were rolled out with newer 1240 series AP's. Every single hospital was just fine when using IOS code on the AP's. Users never disconnected or disassociated. They were fine. Clients run a mixture of the old Cisco 350 series cards, or Ubiquiti A/B/G cards.
    Now, fast forward and we started installing WISM blades in all the 6509 distribution switches at each hospital. AP's were then upgraded to lightweight code and at first everything seemed great. Then the calls started.
    All clients at all hospitals will just disassociate. It is completely random. Some machines can see it once, others 50 times a day, then tomorrow, totally different. I have witnessed the same thing with my laptop. We have 3 WLAN's in the hospitals. One that uses LEAP authentication, one that uses Certificates, and one that is our Patient WiFi. Both LEAP and Certs have the issue. I have never been kicked off of the Patient WiFi system. Not once.
    LEAP clients use the same exact ACS servers they have always used. Nothing changed in the configs. Same goes for the clients using certificates.
    I have upgraded code on the WISM blades 3 times now. Currently we are using the 5.187 code. I have tried forcing all AP's to use only B/G radios, tried using only A, doesn't matter. Same problem happens.
    What is even worse, when this event happens, 50% of the time you have to actually reboot the workstation to get it to log back onto the wireless network. It fails the attempt and it just stops. This is not everyone at the same time either. There seems to be no event that I can find where all clients have the problem at the exact same time. I can have two devices side by side, same exact NIC, same software, everything. One will disassociate, the other is just fine.
    I am out of ideas. Everyone I talk to at Cisco says never heard of this before. I just can't believe we are the only ones that have ever seen this problem.
    I can take the same workstation that is breaking left and right on our wireless networks using the WISM blades, go to a site with AP's still in IOS mode, it will never disassociate and disconnect.
    Has anyone heard of this, have any ideas of something I could try. Would you like to see any other information about this? I can post whatever you like to help. I am looking for any assistance on this.
    I have been trying to do some searches on this forum, but for whatever reason it seems to be very slow so thought I might post my issue as I search around, maybe if it has already come up and there is a fix, someone could direct me right to it.
    Thank you in advance.

    I tried that in the beginning. Put all ap power and channel as hard set. It did not change anything. I am not sure if we have tried the 4.2.207 code. I know we went through several 4.x.x codes in testing. Cisco recommended the latest one that we are on now.
    What really gets me is how everything worked just fine until the WISM upgrade. No AP placement changed, no additional AP installs, we just installed the WISM blades, migrated code to lightweight and everything started flaking out.
    What other NIC's do people use? Maybe the brand we use is not any good? I have been up and down with the vendor, tried different drivers, nothing seemed to change anything.
    It looks to me like the WISM sends out some kind of response that the workstation NIC's do not understand, so they just sit there. On wireless sniffer traces, you can see where the request goes out to the workstation, but the workstation just never responds, hence the lockup so to speak. It will just sit there until a reboot of the PC.
