Local Webauth WLC using radius database

Hi all,
I was implementing local Webauth on the WLC, not using local auth; I use a RADIUS database.
At least I tried to add on my WLAN:
layer 3 web auth  authentication
layer 2 security is WPA/WPA2 PSK
adding aaa radius server
aaa radius "network user" check list  enabled
web auth priority order
radius
LDAP
After I test the WLAN, I can't log in using the RADIUS database.
But if I implement the security method WPA/WPA2 dot1x, I can log in using the RADIUS database.
Is there anything missing in my config for implementing the webauth method?
Thanks
ridho

Are you trying to use LDAP or RADIUS to authenticate the webauth users? Since you have 802.1x working, I don't see why you would use LDAP. Also, what RADIUS server are you using? Typically if you're using Microsoft IAS or NPS, you have to change the device type to Login to get webauth with RADIUS to work. Here is an example of 3 ways to authenticate webauth users. You should be able to find others out there also.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml

Similar Messages

  • WPA2+PSK with local webauth?

    Hi all, I'm trying to configure a guest WLAN with WPA2+PSK and local webauth. This will authenticate against ISE and once authentication is complete be dropped into an authz profile.
    This is supposed to be possible per cisco's docs, however when I try to set this up on the WLAN I get the message:
    Only PSK can be enabled for WPA with web-auth and Radius Nac.
    Well, I've got only WPA with PSK configured. Is there any 'trick' to this config that I'm missing? I've got L2 security set to WPA+WPA2, WPA2 Policy and AES with only PSK configured. Under advanced I've got AAA override and NAC state sent to radius NAC. What else, that should be it right? I've tried it on multiple controllers with the same results every time.

    That error is a little confusing and I don't think it is a proper description of what the WLC is trying to tell you; there are actually a couple of errors you may see depending on the combination of RADIUS NAC with L3 security. Essentially, you shouldn't be able to enable RADIUS NAC if you're configured for a PSK. What exactly are you trying to accomplish? It sounds like you want ISE to perform CWA for your wireless guests, but you mention local webauth. In order to do the CWA, you will use the mac-filtering option for L2 security and set security type to None. This will allow you to specify the RADIUS NAC option correctly.
    When you say that "ISE will authenticate the users", how are you planning on doing this with a PSK WLAN, or are you intending that the local webauth will use RADIUS for authentication to ISE? What is the end-user flow or experience you are expecting? i.e. user connects to guest, redirects, logs in, gets appropriate access.
    Please also post what version of ISE and WLC you are running so we can determine what features will and will not work.

  • WLC 5760 local webauth problem in iphone

    I am trying to use local webauth on a Cisco 5760.
    On a notebook, Mac and Android it can authenticate, but when I use an iPhone to test the webauth,
    when I enter the username and password and submit, the iPhone just shows a white screen; it does not show authentication success.
    What is my problem?
    Thanks
    My webauth config
    aaa authentication login local_webauth local
    aaa authorization network default local 
    parameter-map type webauth global
     type authbypass
     virtual-ip ipv4 1.1.1.1
    parameter-map type webauth test
     type authbypass
    wlan Web 1 Web
     client vlan VLAN0100
     no security wpa
     no security wpa akm dot1x
     no security wpa wpa2
     no security wpa wpa2 ciphers aes
     security web-auth
     security web-auth authentication-list local_webauth
     security web-auth parameter-map test
     session-timeout 1800
     no shutdown

    Web-auth redirect failed with iPad/iPhone 8.0/8.1 for pop-up window
    CSCus05550
    Description
    Symptom:
    The customer got a blank page after typing the username and password in the Safari pop-up window.
    Conditions:
    iPad/iPhone 8.* with pop-up window.
    Workaround:
    Use Safari without the pop-up window, or a third-party browser, which works fine.
    Further Problem Description:
    My testing topology:
    Internet---------------Firewall-------------------SW---------------AP-----------------------IPad
    10.140.246.32 192.168.100.1 192.168.100.2 192.168.100.9

  • Lobby User using RADIUS Server in the NCS

    Hello,
    I need to know if I can use RADIUS to classify users such as lobby and specify for these users the SSID for the guest user and the time for connection, like the local database in the NCS.
    Actually I'm using the local database for lobby and I'd like to migrate all this information to the RADIUS database.
    Thanks.

    Hello,
    Yes, you could use RADIUS to authenticate lobby ambassador users. But information like the default WLAN and time period can't be passed as RADIUS attributes.
    As a work-around, you could create a local lobby admin account with the same username, define the lobby admin defaults locally. The user will be authenticated using RADIUS but the defaults would be picked up based on the definitions set locally in NCS.
    Ram.

  • WLC 5508 Radius Server

    what is the authentication list precedence for radius authentication?
    global list       network user checkbox
    per wlan        aaa server add
    global list       network user uncheck
    I have 3 RADIUS servers, 2 of which are used for global authentication (all APs are H-REAP) and a 3rd one used only for 1 site. When the first 2 RADIUS servers fail the WLC uses the 3rd one, but the 3rd only has the database for 1 site's users.
    Do I need to uncheck the network user checkbox on the 3rd RADIUS and create an H-REAP group, then associate the 3rd one? I don't want the 3rd RADIUS to be available for the global list to take as a normal global RADIUS. Any comments?

    Osvaldo,
    Your observation is correct and this should be documented on the WLC help tab if you search for keyword network user under radius auth.
    Quote:
    Network User—Network user authentication check box. If this option is enabled, this entry is considered as the network user RADIUS authenticating server entry. If you did not set the RADIUS server entry on the WLAN configuration (WLANs > Edit > Security > AAA Servers), you must enable this option for network users.
    Management—Management authentication check box. If this option is enabled, this entry is considered as the management RADIUS authenticating server entry. If you enable this option, authentication requests go to the RADIUS server
    AAA server defined on WLAN takes precedence over global.

  • WLC + ACS (RADIUS) + MS-AD

    Hi!
    I have been looking around to see if there is a way to authenticate users against an MS-AD database from a non-controlled wireless client.
    My design includes a WLC 4400, an ACS 5.4 and MS-AD 2003.
    The goal is to connect a client without any special configuration (in the client); the SSID will be visible so I just want to join the network and, after the negotiation, it should prompt me for a username and password for the Microsoft database.
    I have read there are limitations setting this up just with WLC and MS-AD; that's why I want to use RADIUS (ACS) so I can establish trusted communication between the ACS and MS-AD. But so far, I've just found documentation where they modify the native supplicant to validate a CA and force MSCHAPv2.
    Thanks in advance for any help.

    Check out the doc below
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml

  • How to call a remote stored proc from a local stored proc using DB Link

    Hi All,
    I am trying to call a stored procedure residing in another database from the local procedure of my local database using a DB link. I am using the following syntax to call the procedure:
    CREATE OR REPLACE PROCEDURE MYLOCALPROCEDURE(Input1 IN varchar2 ,Input2 IN varchar2) IS
    BEGIN
    RemoteStoredprocedurename(Input1,Input2)@DBLINK;
    END MYLOCALPROCEDURE;
    It's giving a compilation error: @ not expected.
    If I try to execute it this way:
    CREATE OR REPLACE PROCEDURE MYLOCALPROCEDURE(Input1 IN varchar2 ,Input2 IN varchar2) IS
    BEGIN
    RemoteStoredprocedurename(Input1,Input2);
    END MYLOCALPROCEDURE;
    it's giving an error that the stored procedure must be declared.
    A public synonym is created at the remote database to which the DB link is created.
    Can you please let me know the exact syntax to call the procedure residing in the other database through the DB link?
    Thanks in advance,
    Kumar

    Try:
    CREATE OR REPLACE PROCEDURE MYLOCALPROCEDURE(Input1 IN varchar2 ,Input2 IN varchar2) IS
    BEGIN
    RemoteStoredprocedurename@DBLINK(Input1,Input2);
    END MYLOCALPROCEDURE;
    Amiel

  • Wlc and radius authenticationn

    We have deployed Cisco Airespace APs with Wireless LAN Controllers (4400).
    Currently we have the WLC authenticating using RADIUS to ACS version 4.01 servers.
    Unfortunately when the primary ACS gets rebooted all the authentication requests go to the secondary server, which in effect is fine, but when the primary comes back up the authentications continue to go to the secondary server.
    Is there no round-robin feature to enable on the WLC so that it detects that the primary is back up and continues to authenticate to that server?

    I have not seen a way yet except by using a CSS to front-end the ACS servers (mainly done for load-balancing purposes actually). I am also curious if there is an option as I have been through most web pages many times. Maybe it's buried in the command line.
    -Eric

  • Local Web Development Using Spare Mac to View

    Hi
    Hum, hope I can be clear.... my mission: use old laptop (Tiger) to view web sites in the User/Sites folder on my new laptop (Snow Leopard) via web sharing. Why? Well, it's another screen, it's there and importantly, it represents the majority of visitors to sites. Roughly 50% of visitors are using screens of 1024 - 1280 width. My new hi-res mac represents about 5% of visitors. This seems pretty consistent across all the sites.
    Anyhow, I have the hosts and httpd.conf files set up to serve multiple sites using NameVirtualHost *:80 and the <virtualhost> directive. (On my new laptop). So.. I can type into the address bar in Safari et al (new laptop) "http://mySiteWhatever/".
    What I've achieved is: (old laptop) typing in Safari et al "http://newMacID.local/" or "http://newMacIPAddress/" displays the first site in the virtualhosts list.
    What I have no idea about is how to get to view the other sites in the list.
    Some pointers would be really helpful and appreciated - I'm more than happy to put in the time figuring out for myself. As things stand, I've no idea what direction to go in even.
    Thank you for reading.

    Hi everyone.
    Firstly a big thank you all for pitching in with kind suggestions, really appreciated... though BobHarris you naughty salesman. Did it with charm though so forgiven this once
    Anyway... apologies for taking a while to add anything, I have been reading them as they've come through. I've hung back because I'm battling with my own ignorance on this topic and want to be able to add sensible statements here... and try things out.
    Roger... all the sites are dynamic (use a database, php for example) so I'm afraid the 'simple' approach of inputting file://... into the browser doesn't work. I need to 'parse' the sites as though they are on a web server. Thank you all the same, for html only sites it's the way to go.
    Thomas... I had a try of MAMP and while I know lots of people use it, I came to the conclusion personally that I should persevere with setting up the Tiger laptop's Apache to operate as it should, and I'm glad I did; it proved useful experience to have under my belt. Just my own personal viewpoint. Of course with Snow Leopard Apache's all sorted out-of-the-box which is really cool. Thank you for taking the time to offer a suggestion, not a wrong one.
    Hans... thank you for your pointers. Brilliant. Sorted me out. Bloomin marvelous. It was the second paragraph connected with a half formed instinct I had that the second (old) mac was needing extra info somehow somewhere.
    So... for everyone who's shown interest ->
    New mac serving web sites from the built in Apache as proper web sites, dynamic, database driven, whatever. Type in to browser "http://sitenamewhatever.ifyoulike" and you'd think it was 'out there' on the web. (Anyone wanting to sort the same situ should look at the Apache link Hans provided, all a bit technical, but worth persevering with. I use Smultron text editor for editing hidden files rather than terminal).
    The old/second Mac needed the IP address of the new Mac written into its Apache host.conf file. The IP address needs to be the network IP, not the standard Mac IP. Now I can type "http://sitenamewhatever.ifyoulike" in a browser on the old (second) Mac and voila! Awesomely useful.
    What I don't know is what (router, mac itself) is identifying the network ip and therefore when/if it might change... I do know it's not dynamic in so far as it booted up today with the same ip.
    Bit of a long post, but hopefully a helpful one.
    Thank you all again.
    Regards and respect to you, everyone.
    Edit: Just a note - When I said "as proper web sites" I mean the websites are all behind the firewall, 'local' only. Viewable by me and my macs only – a 'private internet'. Of course there are copies out on the internet, on web servers - 'remote' copies viewable by everyone.

  • How can I use the database default time rather than Java supplied time

    I've searched over and over and nobody seems to have this issue so maybe its just me!
    When inserting a record I would like the create_date column to automatically use the database time rather than a supplied time via JPA. That way all times are relative to the database, which makes sense.
    The trouble is I can't figure out how to do this in a sensible manner.
    If I specify a column like:
         @Temporal(TemporalType.TIMESTAMP)
         @Column(name = "CREATE_DATE")
         private Date createDate;
    and DDL
    CREATE_DATE TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_DATE NOT NULL
    If I leave createDate null I get an exception. If I modify the column to allow nullable then the column is set as null.
    If I leave the column out of the entity bean and then create a row, the database current time is inserted. The trouble then is that if I want to read the date I'm going to have to create a copy of the bean but with the CREATE_DATE in it, and this doesn't make sense.

    I should also mention that TopLink has always supported the ability to retrieve the current time from the database for use in optimistic locking. The TimestampLockingPolicy offers the ability to configure the next value being retrieved from the database instead of using the local time from the JVM. Our extended optimistic locking configuration does not currently support setting this option but it could be done using a descriptor customizer which can be configured in your persistence unit properties.
    Using optimistic locking may be a good solution for the last modified date since it will also ensure that you do not corrupt the database if someone else has incremented this value since your last read.
    Doug

  • Authentication eap-tls on ACS or local EAP WLC over Lwapp and 7921

    Hi All,
    I installed a WLC to provide the WLAN architecture and the project was extended to VoWLAN. We have 7921 and E51 phones running over the wide WLAN architecture.
    Computers using data over wireless are working with PEAP done by ACS and a CA-signed certificate; the user secret on the PC is linked to the domain account and the secret stays the login and password. Our problem is that user and password are linked via ACS to Active Directory. The password policy is to change it frequently.
    For the phones we are actually running authentication over LEAP but I'm working to define the best security solution for us.
    I compare PEAP and EAP-TLS for now:
    1) PEAP checks the authentication of ACS via certificate trust and authenticates via MS-CHAPv2 and the secret password known by the user. My problem here is the phone can only be static, which is potentially not acceptable.
    2) EAP-TLS, which is the best secured security due to the double-sided certificate authentication + (login / password) on the phone.
    So I need to manage certificate management here? I mean I can use either the MIC CA certificate on the phone or a user-CA-defined one which I can put on ACS or local EAP on the WLC, and then put the ACS CA trust on the phone.
    If I understood well I have to put User.cer and ACS_CA.cer on each phone and put the User_CA on the ACS?
    I already have a certificate on the ACS signed by a CA (like VeriSign), so I must create a CSR for every phone to be able to use the same CA?
    I'm thinking of also using the local EAP certificate of the controller to manage all of that, to avoid any potential money to pay to the trusted CA of ACS.
    Can you help me to know if I understood everything right? I would be pleased to exchange experience on that.
    thanks ;)
    bye

    I am currently using EAP-TLS authentication for my wireless users using ACS 3.2. I have had that problem before. This is what I did...
    Set up a Microsoft Certificate Server as my CA. You can use the same machine for your ACS and CA.
    Then generate a certificate signing request from ACS, request a server certificate from the CA, then copy and install the certificate to ACS. On the ACS, go to global authentication setup and check the EAP-TLS certificate. If it fails to respond it means that the server certificate is not properly set up.
    On the Windows XP clients, connect your machine using wired LAN, then request a certificate from the CA (the same CA that you used for your ACS) using IE (e.g. http://CAip/certsrv), but this time request a client certificate. The name you should put when requesting the cert must be your local Windows user; use 1024, choose Microsoft Base Cryptographic Provider 1.0, then install the certificate on the client. Verify that your client certificate was installed properly.
    At that point you should be able to connect your wireless client using EAP-TLS.

  • Cisco Nexus to use Radius AAA authentication using Microsoft 2008 NPS

    I have a Nexus 7010 running
    Just wondering if you can help me with something. I'm having an issue with command authorization through our AAA config. We don't have a problem authenticating; it's command authorization that is not working. From what I have seen and read, Nexus NX-OS 6.x does not have any commands for aaa authorization unless you are configuring TACACS+. My basic config is below; if you can help it would be much appreciated.
    ip radius source-interface mgmt 0
    radius-server key XXXXX
    radius-server host X.X.X.X key XXXXX authentication accounting
    radius-server host X.X.X.X key XXXXX authentication accounting
    aaa authentication login default group Radius_Group
    aaa authentication login console local
    aaa group server radius Radius_Group
        server X.X.X.X
        server X.X.X.X
        source-interface mgmt0
    Also, does anyone know how to configure Microsoft 2008 NPS as a RADIUS server to work with Nexus? I have read a few posts that suggest setting
    shell:roles="vdc-admin" in the Attribute Value field on the RADIUS server.
    Does anyone know if this works?
    Thanks

    I have never done this before with ACS but not with NPS. However, you are in the right path. Nexus uses NX-OS which is different in some regards to regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your Radius server:
    Attribute: cisco-av-pair
    Requirement: Mandatory
    Value: shell:roles*"network-admin vdc-admin"
    For more information take a look at this link:
    http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
    Hope this helps

  • AAA using RADIUS

    Good morning all,
    I am trying to configure AAA using RADIUS with ACS 4.1 SE and various Cisco Devices. I have configured the ACS to perform group mapping on personnel who I want to give access privileges. What I would like to do is give that group privilege level 15 and do away with enable passwords. However, I need local level authentication for our console options with enable privileges. Can this be done? Any help would be appreciated.
    Dwane

    For routers and IOS switches:
    aaa new-model
    aaa authentication banner *Unauthorized Access Prohibited*
    aaa authentication login default group radius
    radius-server host 10.10.10.10 (your acs device)
    radius-server key cisco123
    radius-server configure-nas
    username nmg password telnet
    aaa authentication ppp dialins group radius local
    aaa authentication login nmg local
    aaa authorization network default group radius local
    aaa accounting network default start-stop group radius
    aaa processes 16
    line 1 16
    login authentication
    For CatOS switches:
    set radius-server 10.10.10.10
    show radius
    set radius key cisco123
    set authentication login radius enable
    set authentication enable radius enable
    show authentication
    set radius timeout 5
    set radius retransmit 3
    set radius deadtime 3
    For Pix Firewalls:
    aaa authentication ssh console radius LOCAL
    aaa authentication telnet console radius LOCAL
    aaa-server radgroup protocol RADIUS
    max-failed-attempts 2
    reactivation-mode depletion deadtime 5
    exit
    (NOTE: This will depend on the location of the PIX firewall)
    aaa-server radgroup (inside) host 10.10.10.10
    key XXXXXXX
    exit
    aaa-server radgroup(inside) host 10.10.10.10
    key XXXXXX
    exit
    This is pretty much what we used for configurations on our test. It looks like most of your switches are IOS based so that will be nice for you.
    If you are using local authentication, you can create a group and assign the local addresses to that group. What I did in the RADIUS IETF attributes: ensure that [006] Service-Type is checked, scroll down to Administrative and click Submit & Restart.
    Hope this helps some. I had alot of help from Cisco TAC on this.
    Dwane

  • Adding Local User Account Alongside RADIUS

    Greetings!
    Currently every Cisco device authenticates with a RADIUS server we have on campus. I'm trying to add a local user account onto our switches and routers so that if the RADIUS server is unavailable or the switch loses connection we are able to use another login to access what we need. However when I add aaa authorization and authentication commands (no default) I think the switch cannot identify what is a RADIUS login and what is a local login. Depending on how we move commands around, local will work and RADIUS will not, or RADIUS will work and local will not. Any suggestions on how to get both to work at the same time?
    Thanks!
    -Noah

    Perhaps I do not have a correct understanding of what you are asking. But let me explain a little and if that does not address your issue then perhaps you can provide some clarification.
    You can not have Radius and the local account work at the same time - at least not in the sense that you can login and enter either one and expect it to work. What you can do (and what most people do) is to define one as primary (usually Radius) and one as backup (usually local account). Then when you attempt to login the device will attempt to use Radius, and if the Radius server is not available then it will use the local account.
    If that does not clarify your issue then please help us understand better what your issue is.
    HTH
    Rick
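Rick's point is a consequence of how IOS evaluates a method list. The Python below is an added example, not part of the post: it simulates 'aaa authentication login default group radius local' with constructed accounts. A later method is consulted only when the earlier one returns an error (no RADIUS server reachable), never when the RADIUS server answers with a reject. The error-versus-reject rule is the documented IOS behaviour; the account data and the PASS/FAIL/ERROR names are assumptions of the simulation.

```python
"""Simulation of IOS AAA method-list evaluation (added example, not from the post).
Models 'aaa authentication login default group radius local': the next method is
tried only when the previous one returns ERROR, not when it returns FAIL."""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # credentials accepted
    FAIL = "fail"    # method answered and rejected the credentials
    ERROR = "error"  # method could not answer (e.g. RADIUS servers unreachable)


def radius_method(reachable: bool, accounts: dict):
    """'group radius': FAIL on Access-Reject, ERROR when no server answers."""
    def method(user: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if accounts.get(user) == password else Result.FAIL
    return method


def local_method(accounts: dict):
    """'local': checks the 'username ... password' entries on the device."""
    def method(user: str, password: str) -> Result:
        return Result.PASS if accounts.get(user) == password else Result.FAIL
    return method


def authenticate(method_list, user: str, password: str):
    """Walk the list in order; stop at the first method that gives a verdict."""
    for name, method in method_list:
        verdict = method(user, password)
        if verdict is not Result.ERROR:
            return name, verdict
    return None, Result.ERROR   # every method errored: login is denied


def demo():
    # Constructed accounts: 'alice' exists only on RADIUS, 'admin' only locally.
    radius_up = radius_method(True, {"alice": "s3cret"})
    radius_down = radius_method(False, {"alice": "s3cret"})
    local = local_method({"admin": "break-glass"})
    normal = [("radius", radius_up), ("local", local)]
    outage = [("radius", radius_down), ("local", local)]
    return {
        "radius user, servers up": authenticate(normal, "alice", "s3cret"),
        "local user, servers up": authenticate(normal, "admin", "break-glass"),
        "local user, servers down": authenticate(outage, "admin", "break-glass"),
        "radius user, servers down": authenticate(outage, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for case, (method, verdict) in demo().items():
        print(f"{case:28s} -> {method} {verdict.value}")
```

The second case is the one that trips people up: with RADIUS reachable, the local break-glass account is rejected by RADIUS and the local method is never consulted. Keeping a separate method list for the console, as the Nexus and IOS configs elsewhere on this page do with 'login console local' and a named list applied to a line, is how the local account stays usable at all times.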

  • Assigning privilege level using Radius

    I'm trying to assign a privilege level on a Cisco router via RADIUS. I'm using Cisco Secure ACS (Windows 2K).
    I have set the privilege level to 15. But when I telnet to the router, I always get the router> prompt instead of the router# prompt.
    How can I configure the RADIUS/router so that when I get successfully authenticated, the router# prompt is shown?
    I've configured the router as below:
    aaa authentication login vtymethod group radius enable
    aaa authorization exec vtymethod group radius local
    radius-server host 202.x.x.195 auth-port 1645 acct-port 1646 key cisco
    line vty 0 4
    authorization exec vtymethod
    login authentication vtymethod
    On the Radius, I've configured as below:
    In the group settings for IETF Radius attributes, the Service-Type is set to Nas Prompt.
    Also in the group settings, I've checked the Cisco-av-pair with the following configured: shell:priv-lvl=15.
    Is there something I'm missing?
    Appreciate the help.
    Thanks.
    sweeann

    Hi
    I'm curious... what is the perceived benefit of using RADIUS instead of TACACS+?
    Given that ACS supports both and that T+ is a superior protocol for device admin.
    I once heard someone mutter that T+ was proprietary... but all they were doing was sending (effectively) T+ av-pairs via Cisco RADIUS VSAs. Not significantly different, one could argue!
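Several threads on this page come down to which attributes the RADIUS server returns in its Access-Accept: the "Login" setting the first reply recommends for IAS/NPS with WLC web auth (the Service-Type attribute), the cisco-av-pair shell:roles value in the Nexus thread, Service-Type Administrative in the AAA-using-RADIUS thread, and Service-Type NAS-Prompt plus shell:priv-lvl=15 in this one. The Python below is an added example, not code from any of the posts: it encodes those attributes per RFC 2865 (Service-Type is attribute 6; cisco-av-pair travels in Vendor-Specific attribute 26 with Vendor-Id 9, sub-type 1), computes the Response Authenticator a NAS checks before trusting the reply, and parses the packet back. The profile table, shared secret and request authenticator are constructed for illustration.

```python
"""RADIUS Access-Accept encoding for the Cisco AAA cases on this page (added
example, not from the posts). Attribute numbers follow RFC 2865; the PROFILES
table and the sample secret/authenticator are assumptions for illustration."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE, ATTR_VENDOR_SPECIFIC = 6, 26
SERVICE_LOGIN, SERVICE_ADMINISTRATIVE, SERVICE_NAS_PROMPT = 1, 6, 7
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1

# (Service-Type or None, cisco-av-pairs) for each use case discussed above.
# In Cisco AV-pair syntax "=" marks a mandatory pair and "*" an optional one.
PROFILES = {
    "wlc-webauth": (SERVICE_LOGIN, []),                          # IAS/NPS for WLC web auth
    "ios-priv15": (SERVICE_NAS_PROMPT, ["shell:priv-lvl=15"]),   # router# prompt on login
    "ios-admin": (SERVICE_ADMINISTRATIVE, []),                   # Service-Type Administrative
    "nxos-admin": (None, ['shell:roles*"network-admin vdc-admin"']),  # NX-OS role mapping
}


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value must be at most 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_cisco_avpair(pair: str) -> bytes:
    """Vendor-Specific(26) = Vendor-Id(9) + sub-attribute 1 (cisco-av-pair)."""
    raw = pair.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, len(raw) + 2) + raw
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes,
                        service_type, avpairs) -> bytes:
    attrs = b""
    if service_type is not None:
        attrs += encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", service_type))
    for pair in avpairs:
        attrs += encode_cisco_avpair(pair)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def build_profile_accept(profile: str, identifier: int, request_auth: bytes,
                         secret: bytes) -> bytes:
    service_type, avpairs = PROFILES[profile]
    return build_access_accept(identifier, request_auth, secret, service_type, avpairs)


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAS does before trusting an Accept: recompute the authenticator."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attrs(packet: bytes):
    """Return (service_type or None, [cisco-av-pair strings]) from a packet."""
    service_type, avpairs = None, []
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + length]
        if attr_type == ATTR_SERVICE_TYPE and len(value) == 4:
            service_type = struct.unpack("!I", value)[0]
        elif (attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6
              and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID):
            sub = value[4:]
            while len(sub) >= 2:
                sub_type, sub_len = sub[0], sub[1]
                if sub_len < 2 or sub_len > len(sub):
                    raise ValueError("malformed vendor sub-attribute")
                if sub_type == CISCO_AVPAIR:
                    avpairs.append(sub[2:sub_len].decode())
                sub = sub[sub_len:]
        pos += length
    return service_type, avpairs


if __name__ == "__main__":
    secret, req_auth = b"cisco123", bytes(range(16))   # constructed sample values
    for name in PROFILES:
        pkt = build_profile_accept(name, 42, req_auth, secret)
        print(name, verify_response(pkt, req_auth, secret), parse_attrs(pkt))
```

Running it prints, for each profile, whether the authenticator verifies and the decoded Service-Type and av-pairs. The authenticator is the only thing standing between a spoofed reply and a privilege-15 session: it is an MD5 over the reply and the shared secret, so its strength is exactly the strength and secrecy of that secret, which is a reason to prefer long random secrets per NAS and, where the server supports it, TACACS+ over TLS-less RADIUS for device administration.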
