Local RADIUS in AP1242 with non-cisco WinXP wireless clients

I'd like to configure local RADIUS on an AP1242 and connect non-Cisco WinXP wireless clients (for example, a notebook with an integrated radio) to it. I did the configuration (config1.txt) as in the instructions: http://cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml
But I can't connect a non-Cisco WinXP wireless client to the AP1242 anyway. At the same time, a Cisco wireless client with Aironet Desktop Utility connects to it without any problem. I've tried another configuration (config2.txt), but with the same result. Second configuration is rather then first.
How can I connect non-cisco WinXP wireless clients with AP1242 with local RADIUS?

Hi Stephen,
Thanks for the quick reply. Below is the switchport config. I am able to ping the AP from the switch and connect to its web page from any workstations.
interface GigabitEthernet0/5
switchport trunk encapsulation dot1q
switchport trunk native vlan 151
switchport mode trunk
end

Similar Messages

  • NAC with NON-cisco wireless

    Hi there,
    I know that with WLC 5.1 and NAC 4.5 Cisco started to support OOB, NAC implementation. Now here is my question:
    A customer has CISCO environment except for the wireless which is another vendor. What are the options to bring wireless traffic into NAC server? Is OOB deployment possible?
    Thanks,
    rdianat

    So what is the solution for this scenario?
    The remote site has a non-Cisco autonomous wireless AP. NAC is centralized. I cannot use OOB since there is no support for non-Cisco APs in OOB mode. As a result I use InBand mode. This means that local wireless traffic in the remote site must travel to the central site, go through the NAC Server and go back to the remote site. Is this correct?

  • Can cisco MSE(mobility service engine) configured to work with non-cisco access points?

    I understand that access points can be configured to forward all the probe requests to the Cisco WiFi controller. Cisco MSE (Mobility Services Engine) gets the probes from the WiFi controller to find the location of the mobile devices.
    My question: can Cisco MSE (Mobility Services Engine) be configured to work with non-Cisco access points?

    No and the reason why is the NMSP communication from the MSE to the WLC. Other vendors don't support this so there is no communication happening.
    -Scott

  • Auto Smartports with non-Cisco devices

    I have used auto smartports in the past and have been successful creating macros that use MAC addresses.
    My question is: can I create a macro that works with non-Cisco devices that are CDP capable?
    We have Motorola access points that use CDP and I would like to use auto smartports to put them on their own VLANs.
    Can it be done using CDP?  What version of the IOS would I need to be on?  Currently the 3750-Xs are on 12.2.(55).
    Are there any guides or configuration examples?  I've searched but have been unsuccessful in finding anything so far.
    I have seen some articles that reference device sensors and device profiles, but have no idea where to begin.
    Thanks in advance for your support.

    You may need to create a Cisco TAC case for this.
    If not, then move this thread to the EEM section.  If the Moto AP supports CDP then you can get someone (like Joe Clark) to build a small EEM script.
    EEM is supported up to the 3560/3750.

  • Can WAE be integrated with non-cisco devices?

    So far, all documentation that I read, WAE is used in conjunction with Cisco devices.  Can WAE be integrated with non-cisco devices? 
    I guess, In-line mode should work ok, but how about off-path mode?  An example or link will be appreciated.
    Thanks!
    Joe

    Hi Joe,
    It should be possible to use WAAS with non-cisco routers, as long as they support WCCP.
    There are no documents on this because, the configuration from WAAS point of view would be the same, and the router configuration would depend on the vendor.
    Regards
    Daniel

  • 802.1x problem with non-Cisco IP Phone, VVID enabled.

    I am testing with a 3750 PoE switch running 12.2(25)SEE1 and trying to configure 802.1x to work with Mitel IP phones.
    I have voice and data vlans configured on each port. Turning on 802.1x causes the phone to hang and timeout in DHCP Discovery. The port status from the switch is "Unauthorized".
    interface FastEthernet1/0/2
    switchport access vlan 1
    switchport mode access
    switchport voice vlan 2
    dot1x pae authenticator
    dot1x port-control auto
    no mdix auto
    spanning-tree portfast
    end
    Should anything be configured besides the Voice VLAN to let phones onto the network? There is no computer behind the phone right now. The only information I can find says I need a VVID, and any clients behind it will cross the PVID.
    Thanks.

    Yes it does.
    Apparently the Mitel phones (testing a 5215 dual-mode) we have support EAP-MD5, but we have a primarily PEAP/EAP-TTLS environment. Apparently the phones need to use a username/password entered on each phone before they will send that to a Radius server doing EAP-MD5. Our PEAP clients authenticate to a Microsoft Radius server, and our EAP-TTLS to a Funk box. Hopefully the Microsoft can support both EAP-MD5 phones and PEAP on the laptops, I'll have to find out.
    I was hoping this was a quick and easy Cisco configuration error... oh well.

  • Interconnecting cisco switches with non-cisco switches

    I need help concerning interconnecting two Cisco switches (3550’s) using a non-Cisco switch or hub on the LAN. I have noticed that the two Cisco switches connected using a non-Cisco switch are able to communicate well, however a PC connected to the non-Cisco switch/hub can not ping any device on the LAN. The non-Cisco device is a working one. When the two Cisco switches are connected using a Cisco switch, PCs connected to the interconnecting switch are able to ping. What’s the explanation? Please help.

    Building configuration...
    Current configuration : 3342 bytes
    ! No configuration change since last restart
    version 12.1
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    clock timezone GMT -2
    ip subnet-zero
    ip rcmd rcp-enable
    ip rcmd remote-username cwuser
    spanning-tree mode pvst
    spanning-tree extend system-id
    interface FastEthernet0/1
    switchport mode dynamic desirable
    interface FastEthernet0/2
    switchport mode dynamic desirable
    interface FastEthernet0/3
    switchport mode dynamic desirable
    interface FastEthernet0/4
    switchport mode dynamic desirable
    interface FastEthernet0/5
    switchport mode dynamic desirable
    interface FastEthernet0/6
    switchport mode dynamic desirable
    interface FastEthernet0/7
    switchport mode dynamic desirable
    interface FastEthernet0/8
    switchport mode dynamic desirable
    interface FastEthernet0/9
    switchport mode dynamic desirable
    interface FastEthernet0/10
    switchport mode dynamic desirable
    interface FastEthernet0/11
    switchport mode dynamic desirable
    interface FastEthernet0/12
    switchport mode dynamic desirable
    interface FastEthernet0/13
    switchport mode dynamic desirable
    interface FastEthernet0/14
    switchport mode dynamic desirable
    interface FastEthernet0/15
    switchport mode dynamic desirable
    interface FastEthernet0/16
    switchport mode dynamic desirable
    interface FastEthernet0/17
    switchport mode dynamic desirable
    interface FastEthernet0/18
    switchport mode dynamic desirable
    interface FastEthernet0/19
    switchport mode dynamic desirable
    interface FastEthernet0/20
    switchport mode dynamic desirable
    interface FastEthernet0/21
    switchport mode dynamic desirable
    interface FastEthernet0/22
    switchport mode dynamic desirable
    interface FastEthernet0/23
    switchport mode dynamic desirable
    interface FastEthernet0/24
    switchport mode dynamic desirable
    interface GigabitEthernet0/1
    switchport mode dynamic desirable
    interface GigabitEthernet0/2
    switchport mode dynamic desirable
    interface Vlan1
    ip address
    ip default-gateway
    ip classless
    ip http server
    snmp-server community
    snmp-server community
    snmp-server location
    snmp-server system-shutdown
    snmp-server enable traps snmp authentication warmstart linkdown linkup coldstart
    snmp-server enable traps config
    snmp-server enable traps entity
    snmp-server enable traps flash insertion removal
    snmp-server enable traps bridge
    snmp-server enable traps stpx
    snmp-server enable traps rtr
    snmp-server enable traps port-security
    snmp-server enable traps vtp
    snmp-server enable traps vlancreate
    snmp-server enable traps vlandelete
    snmp-server enable traps envmon fan shutdown supply temperature status
    snmp-server enable traps MAC-Notification
    snmp-server enable traps hsrp
    snmp-server enable traps cluster
    snmp-server enable traps copy-config
    snmp-server enable traps syslog
    snmp-server enable traps vlan-membership
    line con 0
    line vty 0 4
    login
    line vty 5 15
    login
    ntp clock-period 17180064
    end

  • Using SVTI with non Cisco peers

    Hello Community,
    I have a particular setup in mind, but can't get it to work in a GNS3 environment to have it tested before trying it in our production setup.
    We have a setup using two VPN routers (3845) with HSRP, BGP and VRF (with rri), using a classical setup with crypto maps, connecting other parties to our DC. We do not manage the peer hardware in these cases.
    I have been looking into the possibilities to move from this setup to a setup using SVTI with IPSEC. This change must be transparent to our peers; no config changes should be needed on their component(s).
    So I've built our setup in GNS3 (apart from the BGP and VRF) to test this. I have the current IPSEC VPN with crypto maps working in GNS3, with both sides using the same (Cisco) setup in terms of ISAKMP and IPSEC with an ACL.
    I've made the changes on "our" HSRP VPN setup according to the "IPsec Virtual Tunnel Interface" guide from the Cisco site in GNS3 (can't seem to find the link to the online doc).
    It looks like the tunnel is being built, but phase two is not completing, because of, I think, the mismatch between both peers on the encryption domain. The VTI side uses routing through the Tunnel interface, sending "IP any any" to the peer, whereas the peer uses an ACL expecting a specific source and destination.
    Here's a debug snippet (ignore the date/time) seen from the peer (using an ACL):
    *Mar  1 02:02:45.199: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address xx.xx.xx.xx
    *Mar  1 02:02:45.199: ISAKMP:(0:9:SW:1): IPSec policy invalidated proposal
    *Mar  1 02:02:45.199: ISAKMP:(0:9:SW:1): phase 2 SA policy not acceptable! (local xx.xx.xx.xx remote yy.yy.yy.yy)
    *Mar  1 02:02:45.199: ISAKMP:(0:9:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    In this post, https://supportforums.cisco.com/message/3052235#3052235, it is suggested that when using a setup with VTI's, both sides/peers should use the same kind of setup i.e. VTI. I can imagine this to be realistic when you manage both peers.
    All Cisco docs assume both peers use (S|D)VTI.
    My questions:
    1. Is it possible to have a setup where PeerA (Cisco hardware) uses SVTI with IPSEC and PeerB is unknown (can be any vendor) or uses some kind of ACL, given that all other encryption settings match?
    2. Does anyone have experience with such a setup? If so, can you provide me with an example configuration?
    3. Is there another similar solution using a virtual interface or a loopback interface?
    Thank you kindly for your input.
    Avinash
    I hope you can help me

    Hi there,
    Here is the related info for BE3000;
    Q. Does Cisco Business Edition 3000 support third-party SIP phones and shared-port-adapter (SPA) phones?
    A. No.
    From;
    http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/vcallcon/ps11370/qa_c67-697016.html
    Cheers!
    Rob
    "Talk about a dream
    Try to make it real" 
    - Springsteen

  • Cisco Aironet FW 15.2 Does not work with Non-Cisco Media Bridges

    I have a Cisco Aironet 1142i that was just updated from 12.4(23c)JY to 15.2(4)JA1 (don't think the model matters, as the issue seems to be the firmware) and now I cannot get my media bridges (3 different ones) to either connect to the 1142 AP or obtain and pass the DHCP addresses to other devices connected to the built-in switch. If I reload the 1142 AP firmware to 12.4, then this works fine. I have not seen anything in the release notes that changed how this works, or if there is, I could not find it.
    Does anyone know why this changed and if there are any settings that I need to enable / disable?
    Any help on this would be greatly appreciated

    More info to add to this.
    AIR-AP1142N-A-K9 Hardware Version of v06 works with firmware 15.2.
    AIR-AP1142N-A-K9 Hardware Version v05 does not work with firmware 15.2, but will when downgraded to firmware 12.4.
    I'm also having this issue with Cisco Aironet 3602 Fw 15.2(2)JB and 3502 Fw 15.2(2)JB$ that's on a Cisco 2500 WLAN Controller Sw Ver. 7.4.100.0.
    Any help on this would be greatly appreciated

  • Catalyst Express 500 802.1q with non-Cisco Phones

    This weekend we spent hours trying to get 802.1q tagging to work on a VLAN with ShoreTel phones. The user interface on this switch seems to only allow "Cisco-Voice" VLAN, without any specifics. This didn't work. The specs on this switch say that the .1q is supported, but we couldn't figure it out. The more expensive switches were easier to configure for Voip QoS.
    Can anyone advise me on the tricks to getting this to work with the lower end Catalyst Express 500? Or does this switch only support 802.1q with Cisco phones?

    A Cisco IP phone uses CDP to let the IP phone know what VLAN it's supposed to be in (via voice-vlan). ShoreTel would definitely not use CDP since CDP is Cisco proprietary, so its voice VLAN must be defined on it; I remember Avaya being the same way. So, having said that, just make sure that the ShoreTel IP phones are in the right VLAN. What does not work anyway? The ShoreTel IP phone will not come up? Will not get its configuration from its software PBX? Use the smartport configuration on the CE500.
    Please rate all posts.

  • What Non-Cisco Cards or Built-in Cards work with LEAP?

    I have just installed ACS and LEAP and have several laptops in my office that have built-in wireless NICs. I have read many posts that say this one or that one works with the right drivers, but none that list all the ones that will work with LEAP. Thanks for any assistance you can give.
    David Beaver

    http://www.cisco.com/en/US/partners/pr46/pr147/partners_pgm_partners_0900aecd800a7907.html
    Cisco Compatible wireless clients will feature the Cisco Wireless Security Suite, which includes the Cisco EAP (LEAP) 802.1X authentication type. Customers can implement the award-winning Cisco security solution across Cisco clients and those of other suppliers. The program provides complete support for Cisco VLANs, providing benefits such as flexible security schemes in a mixed client environment and optimized performance in Cisco VLAN deployments. And because Cisco Compatible wireless clients are IEEE 802.11 compliant and Wi-Fi certified, they are fully compatible with other Wi-Fi certified products.

  • ISE web auth for non-cisco switch(D-link 3528)

    Is it possible to use ISE(inline posture node) to redirect the wired users to ISE guest portal ?
    And the wired users will get full network access after they pass the web auth.

    You can use the ISE in-line posture node with 3rd-party switches.
    The RADIUS access device must supply the following RADIUS attributes:
        Calling-Station-Id (for MAC_ADDRESS)
        User-Name
        NAS-Port-Type
        RADIUS accounting message must have the Framed-IP-Address attribute
    VLAN and DACL features can be used, but again it depends on the switch models; let us know the specific switch models. Certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality.

  • Yet another PEAP question...non-Cisco cards...

    So, we are about to embark on building a wireless network infrastructure using 1220 AP's. So far all wireless clients use Cisco cards and Win2k.
    People are interested in all sorts of wireless devices now, some including built in wireless nics or no pci or pcmcia card slots.
    We have ACS 3.1.1. Can we use PEAP in our situation with a client using say a Compaq tablet PC with an integrated NIC? Or, how about a desktop PC running Win2k using something other than a Cisco card? If so, what are the required pieces? PEAP supplicants? etc?
    Thanks!

    Hi ,
    In short, the answer is:
    a) If ACS supports eap-chap (which Microsoft supports), you can use a non-Cisco card with the Microsoft supplicant and it will work fine. I believe ACS 3.2 will support it; I am not sure about ACS 3.1.1.
    b) You can buy a 3rd-party supplicant like Meeting House etc. and use a non-Cisco card.
    http://www.cisco.com/warp/public/779/smbiz/wireless/wlan_security.shtml
    http://www.cisco.com/en/US/partner/products/hw/wireless/ps458/prod_bulletin09186a0080100194.html
    http://www.cisco.com/en/US/partner/products/hw/wireless/ps430/products_qanda_item09186a008010018c.shtml
    PEAP is a hybrid process (a combination of LEAP and EAP-TLS).
    To download the server-side certificate on ACS you can use the EAP-TLS doc.
    Depending on the AP, use either of the following docs:
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/accsspts/ap350scg/ap350ch8.htm
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1100/accsspts/i1224ja/i1224icg/ivicgaut.htm
    You have to be careful while selecting the client supplicant; you can choose the Cisco PEAP supplicant or the Microsoft PEAP supplicant.
    You can have the Microsoft PEAP supplicant or the Cisco PEAP supplicant.
    If you have the Windows 2000 OS, then if you load Service Pack 3, the Microsoft PEAP supplicant is installed. On top of this, if you install ACU 5.05, the Microsoft supplicant will be overwritten by the Cisco supplicant.
    In the case of XP, if you install Service Pack 1, it will install the Microsoft PEAP supplicant; if you install ACU 5.05, it will be overwritten by the Cisco PEAP supplicant.
    The Microsoft PEAP supplicant sends EAP-CHAP in the EAP tunnel and Cisco supports EAP-GTC in the EAP tunnel.
    With a non-Cisco card it depends on which RADIUS server and database you are running.
    At present ACS 3.1 supports EAP-GTC, so it will not interoperate with the Microsoft supplicant. In a later release ACS will have support for EAP-CHAP so that you can use a 3rd-party card with the Microsoft supplicant and ACS 3.2.
    http://www.cisco.com/warp/public/779/smbiz/wireless/wlan_security.shtml
    http://www.cisco.com/en/US/products/hw/wireless
    Nilesh

  • Non-Cisco devices support in LMS 4.1

    Hi! How i could import third party MIB file for my devices? Is there any guide/manual for working with non-cisco devices?

    Specifically which module are you talking about?
    The most flexible module is HUM, which has support for third-party devices.
    Most modules do not support non-Cisco devices; the complete list is here:
    http://www.cisco.com/en/US/products/ps11200/products_device_support_tables_list.html
    Regards
    Farrukh

  • Inline Posture deployment for non Cisco Wireless Controller

    Hi all of you
    I have to deploy an Inline Posture node to manage a non-Cisco wireless controller (Ruckus ZoneDirector 1000). It seems easy, but I don't know where to start. All the documentation I have read is about Inline Posture for VPN. I just want to use this Inline Posture node to manage wireless users through the ZoneDirector wireless controller. Thank you.
    Regards
    Kouassi

