MAB, 802.1x and ACS 4.2

Hi all,
Currently I'm using an ACS 4.2 as RADIUS server, some 2960-s switches (IOS 12.2.(55)se5) and Alcatel iptouch 4018 IP phones, and I would like to assign a dynamic VLAN to some specific users/laptops daisy-chained to the IP phone.
Logical connection is:   user's laptop---->ipphone---->switch---->radius
What I need is:
if I connect MY laptop to the ipphone port, I receive a specific VLAN ( vlan 58 )
if SOMEONE else ( i.e. a consultant ) connects his laptop to the SAME ipphone port (if available) he has to receive a different VLAN ( vlan 1).
I've been able to reach the goal using a MACRO but it took too much time to authenticate ( approx 1 min ), so I gave up and tried a different, faster way ( 802.1x and MAB ).
I've been able to authenticate the IP phone using 802.1x auth and to receive the correct VLAN when I connect MY laptop (MAB auth), but I was not able to provide VLAN 1 to the consultant when he connects his laptop, even if the "authentication event fail action authorize vlan 1" is configured.
I used the dot1x auth-fail VLAN because I'm not able to use MAB or 802.1x auth on an external laptop. I also tried with guest VLAN with no luck.
In both cases the "consultant" remains in "auth failed".
Here is my current configuration:
dot1x system-auth-control
dot1x guest-vlan supplicant
identity profile default
interface GigabitEthernet1/0/1
 switchport mode access
 switchport voice vlan 30
 authentication host-mode multi-auth
 authentication event fail action authorize vlan 1
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 2
 dot1x max-reauth-req 1
 storm-control broadcast level 2.00
 storm-control multicast level 2.00
 spanning-tree portfast
On the ACS side I have 2 groups:
The first group authenticates the IP phone and supplies the voice VLAN ( vlan 30)
The second group authenticates using MAB and supplies VLAN 58
Is there a different way to accomplish this task?
Thank you in advance

hi,
any ideas?
thx

Similar Messages

  • MAB/802.1x and Alcatel IP Phones

    Hi All
    We have a distributed deployment where Alcatel IP Touch phones are authenticated via MAB. Alcatel IP Touch phones have 802.1x enabled by default, and the phone tries EAPOL first and then the switch authenticates it via MAB, which is fine. Once authenticated it works as expected. The issue is that the phone keeps periodically retrying 802.1x after x minutes, which triggers the phone to reboot and go through the whole process again. This interrupts the voice. We could disable 802.1x, but it's on a per-phone basis. Has anyone come across this issue and found a way to disable it globally via the call manager etc., or any workaround from the ISE/switch side?
    Thanks
    G

    Hi Tarik,
    Thanks for the reply, please find below the switch port config lines. It's a 370x switch, IPbase and universalon 15.2-1.E1 image.
    Note - Since 802.1x is enabled by default, the phone initially tries 802.1x and, after failing, the switch goes to the next auth method, which is MAB, which is successful. The issue is that the phone again initiates an 802.1x packet after some time and the whole process starts again, and because 802.1x has failed the phone reboots again. I think this is the way this type of phone works and we cannot do much unless we disable 802.1x or install the Alcatel CA certs in the ISE cert store?
    Interface gi x/y
     switchport access vlan xx
     switchport mode access
     switchport voice vlan yy
     ip access-group ACL_ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan xx
     authentication event server dead action authorize voice
     authentication host-mode multi-auth
     authentication open
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast

  • 802.1x and ACS

    When implementing 802.1x with a Cisco ACS, is it necessary to work with certificates, or can it just work with username and password?

    Check here:
    <http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml>
    Hope this helps,

  • 802.1x with ACS 4.2 (RADIUS) problem

    Hi all!
    I am trying to configure AAA authentication and authorization with Cisco 3725 (IOS 12.4(17)) for 802.1x and ACS 4.2 with VLAN assignment to my Windows XP client (trying to assign VLAN 100 in my scenario).
    When the user connects to the router, it passes the authentication process (EAP-MD5). In my debug I see that the router receives the RADIUS attributes BUT does not apply anything!
    My running config:
    Building configuration...
    Current configuration : 1736 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R4
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa session-id common
    memory-size iomem 5
    ip cef
    no ip domain lookup
    ip domain name lab.local
    ip device tracking
    dot1x system-auth-control
    interface FastEthernet0/0
    ip address 10.10.0.253 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    interface FastEthernet1/0
    dot1x port-control auto
    interface FastEthernet1/1
    interface FastEthernet1/2
    interface FastEthernet1/3
    interface FastEthernet1/4
    interface FastEthernet1/5
    interface Vlan1
    ip address 192.168.1.1 255.255.255.0
    interface Vlan100
    ip address 192.168.100.1 255.255.255.0
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    mac-address-table static 0800.27b1.b332 interface FastEthernet1/0 vlan 1
    radius-server host 10.10.0.2 auth-port 1645 acct-port 1646 key cisco
    radius-server vsa send accounting
    radius-server vsa send authentication
    My Radius debug information:
    *Mar  1 00:21:31.487: RADIUS: Pick NAS IP for u=0x65BAF324 tableid=0 cfg_addr=0.0.0.0
    *Mar  1 00:21:31.491: RADIUS: ustruct sharecount=2
    *Mar  1 00:21:31.491: Radius: radius_port_info() success=1 radius_nas_port=1
    *Mar  1 00:21:31.491: RADIUS: added cisco VSA 2 len 15 "FastEthernet1/0"
    *Mar  1 00:21:31.491: RADIUS: Request contains 9 byte EAP-message
    *Mar  1 00:21:31.491: RADIUS: Added 9 bytes of EAP data to request
    *Mar  1 00:21:31.495: RADIUS/ENCODE: Best Local IP-Address 10.10.0.253 for Radius-Server 10.10.0.2
    *Mar  1 00:21:31.507: RADIUS(00000000): Send Access-Request to 10.10.0.2:1645 id 1645/3, len 127
    *Mar  1 00:21:31.511: RADIUS:  authenticator 36 68 24 30 F0 CC E8 3C - 69 48 61 E3 DA 28 52 AC
    *Mar  1 00:21:31.511: RADIUS:  NAS-IP-Address      [4]   6   10.10.0.253
    *Mar  1 00:21:31.511: RADIUS:  NAS-Port            [5]   6   0
    *Mar  1 00:21:31.511: RADIUS:  Vendor, Cisco       [26]  23
    *Mar  1 00:21:31.515: RADIUS:   cisco-nas-port     [2]   17  "FastEthernet1/0"
    *Mar  1 00:21:31.515: RADIUS:  NAS-Port-Type       [61]  6   X75                       [9]
    *Mar  1 00:21:31.515: RADIUS:  User-Name           [1]   6   "user"
    *Mar  1 00:21:31.515: RADIUS:  Calling-Station-Id  [31]  19  "08-00-27-B1-B3-32"
    *Mar  1 00:21:31.515: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    *Mar  1 00:21:31.515: RADIUS:  Framed-MTU          [12]  6   1500
    *Mar  1 00:21:31.515: RADIUS:  EAP-Message         [79]  11
    *Mar  1 00:21:31.515: RADIUS:   02 1D 00 09 01 75 73 65 72                       [?????user]
    *Mar  1 00:21:31.515: RADIUS:  Message-Authenticato[80]  18
    *Mar  1 00:21:31.515: RADIUS:   B1 8B 8F 4C F1 6D C9 A6 4E 96 B8 3D 53 E9 41 12  [???L?m??N??=S?A?]
    *Mar  1 00:21:31.555: RADIUS: Received from id 1645/3 10.10.0.2:1645, Access-Challenge, len 93
    *Mar  1 00:21:31.555: RADIUS:  authenticator DF 38 A1 1B ED 3C 1E B2 - 1A 92 6A D5 58 CE B8 4A
    *Mar  1 00:21:31.555: RADIUS:  EAP-Message         [79]  28
    *Mar  1 00:21:31.555: RADIUS:   01 1E 00 1A 04 10 BE BA B4 B0 26 9D 52 0E 43 BC  [??????????&?R?C?]
    *Mar  1 00:21:31.555: RADIUS:   33 46 8E A8 C6 45 47 4E 53 33                    [3F???EGNS3]
    *Mar  1 00:21:31.555: RADIUS:  State               [24]  27
    *Mar  1 00:21:31.555: RADIUS:   45 41 50 3D 30 2E 31 66 66 2E 39 38 36 2E 31 3B  [EAP=0.1ff.986.1;]
    *Mar  1 00:21:31.559: RADIUS:   53 56 43 3D 30 2E 31 35 3B                       [SVC=0.15;]
    *Mar  1 00:21:31.559: RADIUS:  Message-Authenticato[80]  18
    *Mar  1 00:21:31.559: RADIUS:   22 C8 D5 BB 44 FC FC 14 D3 2C C9 42 A3 9B A4 9E  ["???D????,?B????]
    *Mar  1 00:21:31.563: RADIUS: Found 26 bytes of EAP data in reply (ofs 0)
    *Mar  1 00:21:31.563: RADIUS: Received 26 byte EAP Message in reply
    *Mar  1 00:21:31.587: RADIUS: Pick NAS IP for u=0x65BAF324 tableid=0 cfg_addr=0.0.0.0
    *Mar  1 00:21:31.587: RADIUS: ustruct sharecount=1
    *Mar  1 00:21:31.587: Radius: radius_port_info() success=1 radius_nas_port=1
    *Mar  1 00:21:31.587: RADIUS: added cisco VSA 2 len 15 "FastEthernet1/0"
    *Mar  1 00:21:31.591: RADIUS: Request contains 26 byte EAP-message
    *Mar  1 00:21:31.591: RADIUS: Added 26 bytes of EAP data to request
    *Mar  1 00:21:31.591: RADIUS/ENCODE: Best Local IP-Address 10.10.0.253 for Radius-Server 10.10.0.2
    *Mar  1 00:21:31.591: RADIUS(00000000): Send Access-Request to 10.10.0.2:1645 id 1645/4, len 171
    *Mar  1 00:21:31.591: RADIUS:  authenticator 0A A2 1F 7C 12 A8 AB F7 - 9F 87 C6 51 A4 0D EA A2
    *Mar  1 00:21:31.595: RADIUS:  NAS-IP-Address      [4]   6   10.10.0.253
    *Mar  1 00:21:31.595: RADIUS:  NAS-Port            [5]   6   0
    *Mar  1 00:21:31.595: RADIUS:  Vendor, Cisco       [26]  23
    *Mar  1 00:21:31.595: RADIUS:   cisco-nas-port     [2]   17  "FastEthernet1/0"
    *Mar  1 00:21:31.595: RADIUS:  NAS-Port-Type       [61]  6   X75                       [9]
    *Mar  1 00:21:31.595: RADIUS:  User-Name           [1]   6   "user"
    *Mar  1 00:21:31.595: RADIUS:  Calling-Station-Id  [31]  19  "08-00-27-B1-B3-32"
    *Mar  1 00:21:31.595: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    *Mar  1 00:21:31.595: RADIUS:  Framed-MTU          [12]  6   1500
    *Mar  1 00:21:31.595: RADIUS:  State               [24]  27
    *Mar  1 00:21:31.595: RADIUS:   45 41 50 3D 30 2E 31 66 66 2E 39 38 36 2E 31 3B  [EAP=0.1ff.986.1;]
    *Mar  1 00:21:31.595: RADIUS:   53 56 43 3D 30 2E 31 35 3B                       [SVC=0.15;]
    *Mar  1 00:21:31.595: RADIUS:  EAP-Message         [79]  28
    *Mar  1 00:21:31.595: RADIUS:   02 1E 00 1A 04 10 AA 09 8E 39 DE 29 E4 CC C6 BC  [?????????9?)????]
    *Mar  1 00:21:31.595: RADIUS:   7F 01 C8 47 EC 74 75 73 65 72                    [???G?tuser]
    *Mar  1 00:21:31.595: RADIUS:  Message-Authenticato[80]  18
    *Mar  1 00:21:31.595: RADIUS:   33 57 82 E2 5C 24 A2 8C 67 CC 0D 8C 25 12 74 13  [3W??\$??g?????t?]
    *Mar  1 00:21:31.731: RADIUS: Received from id 1645/4 10.10.0.2:1645, Access-Accept, len 90
    *Mar  1 00:21:31.731: RADIUS:  authenticator A0 0E DF D7 87 FD 9E B6 - BB 64 04 4F 56 2A 03 89
    *Mar  1 00:21:31.735: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
    *Mar  1 00:21:31.735: RADIUS:  EAP-Message         [79]  6
    *Mar  1 00:21:31.735: RADIUS:   03 1E 00 04                                      [????]
    *Mar  1 00:21:31.735: RADIUS:  Tunnel-Type         [64]  6   01:VLAN                   [13]
    *Mar  1 00:21:31.739: RADIUS:  Tunnel-Medium-Type  [65]  6   01:ALL_802                [6]
    *Mar  1 00:21:31.739: RADIUS:  Tunnel-Private-Group[81]  6   01:"100"
    *Mar  1 00:21:31.739: RADIUS:  Class               [25]  22
    *Mar  1 00:21:31.739: RADIUS:   43 41 43 53 3A 30 2F 35 62 31 2F 61 30 61 30 30  [CACS:0/5b1/a0a00]
    *Mar  1 00:21:31.739: RADIUS:   66 64 2F 30                                      [fd/0]
    *Mar  1 00:21:31.739: RADIUS:  Message-Authenticato[80]  18
    *Mar  1 00:21:31.739: RADIUS:   75 BC F2 E0 91 07 6C 12 4D 5C BB 50 A4 FD D3 26  [u?????l?M\?P???&]
    *Mar  1 00:21:31.739: RADIUS: Found 4 bytes of EAP data in reply (ofs 0)
    *Mar  1 00:21:31.739: RADIUS: Received 4 byte EAP Message in reply
    As a result the vlan-switch database does not change.
    Any help will be appreciated!
    Thanks a lot,
    Chelovekov Alexander

    I've tried multiple ways to cope with this problem but nothing was helpful...
    Tunnel-Medium-Type  [65]  6   01:ALL_802
    I use only ACS RADIUS attributes and chose only what ACS allows me to choose (Tunnel-medium-type: 802).
    Screenshot in attachment.
    The same situation occurs when I try to use some Vendor Specific Attributes (Cisco-AV-Pair) - downloadable ACEs for my user, and again, I see RADIUS attributes in my debug but nothing is applied to my L3 switch.
    What am I missing?
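Added example (not part of the original thread, and not Cisco code): a Python check for the kind of `debug radius` output posted above, verifying that an Access-Accept carries the three tagged tunnel attributes that RFC 3580 VLAN assignment relies on (Tunnel-Type 13, Tunnel-Medium-Type 6, Tunnel-Private-Group-ID). The function names and the second sample are constructed for illustration; the first sample is copied from the debug lines in the post.

```python
import re

# One attribute line of IOS "debug radius": name, [type], length, value.
# IOS truncates long names ("Tunnel-Private-Group[81]"), so key on the type number.
ATTR_RE = re.compile(r"RADIUS:\s+.+?\s*\[(?P<type>\d+)\]\s+(?P<len>\d+)\s*(?P<value>.*)$")
CODE_RE = re.compile(r"\b(Access-(?:Request|Challenge|Accept|Reject))\b")
# Tagged tunnel value as printed in the post: 01:VLAN [13]  or  01:"100"
TAGGED_RE = re.compile(r'^(?P<tag>\d{2}):(?P<body>.*?)(?:\s+\[(?P<num>\d+)\])?$')

TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 64, 65, 81      # RFC 2868 attribute types
EXPECTED = {
    TUNNEL_TYPE: ("Tunnel-Type", "13"),                   # 13 = VLAN
    TUNNEL_MEDIUM: ("Tunnel-Medium-Type", "6"),           # 6 = IEEE-802
    TUNNEL_PGID: ("Tunnel-Private-Group-ID", None),       # VLAN id or name
}

# Copied from the debug output in the post (hex dump lines mostly omitted).
PAGE_EXCERPT = """\
*Mar  1 00:21:31.591: RADIUS(00000000): Send Access-Request to 10.10.0.2:1645 id 1645/4, len 171
*Mar  1 00:21:31.595: RADIUS:  User-Name           [1]   6   "user"
*Mar  1 00:21:31.731: RADIUS: Received from id 1645/4 10.10.0.2:1645, Access-Accept, len 90
*Mar  1 00:21:31.735: RADIUS:  EAP-Message         [79]  6
*Mar  1 00:21:31.735: RADIUS:   03 1E 00 04                                      [????]
*Mar  1 00:21:31.735: RADIUS:  Tunnel-Type         [64]  6   01:VLAN                   [13]
*Mar  1 00:21:31.739: RADIUS:  Tunnel-Medium-Type  [65]  6   01:ALL_802                [6]
*Mar  1 00:21:31.739: RADIUS:  Tunnel-Private-Group[81]  6   01:"100"
"""

# Constructed sample: Tunnel-Medium-Type is absent and the tags disagree.
CONSTRUCTED_BAD = """\
RADIUS: Received from id 1645/9 192.0.2.10:1645, Access-Accept, len 70
RADIUS:  Tunnel-Type         [64]  6   01:VLAN                   [13]
RADIUS:  Tunnel-Private-Group[81]  6   02:"58"
"""


def parse_packets(debug_text):
    """Split debug output into packets: [{'code': ..., 'attrs': {type: value}}]."""
    packets = []
    for line in debug_text.splitlines():
        code = CODE_RE.search(line)
        if code:
            packets.append({"code": code.group(1), "attrs": {}})
            continue
        attr = ATTR_RE.search(line)
        if attr and packets:
            # VSA sub-attributes land under their own number as well; only
            # types 64, 65 and 81 are read back, so that collision is harmless.
            packets[-1]["attrs"][int(attr.group("type"))] = attr.group("value").strip()
    return packets


def check_vlan_assignment(packet):
    """Return (vlan, problems); vlan is None unless the triplet is usable."""
    problems, tags, vlan = [], set(), None
    for attr_type, (label, want) in EXPECTED.items():
        raw = packet["attrs"].get(attr_type)
        m = TAGGED_RE.match(raw) if raw is not None else None
        if m is None:
            problems.append(f"{label} [{attr_type}] missing or not in tagged form")
            continue
        tags.add(m.group("tag"))
        if want is None:
            vlan = m.group("body").strip('"')
            if not vlan:
                problems.append(f"{label} is empty")
        elif m.group("num") != want:
            problems.append(f"{label} is {m.group('body')!r}, expected enum {want}")
    if len(tags) > 1:
        # RFC 2868 groups tunnel attributes by tag; mixed tags describe different tunnels.
        problems.append(f"tunnel attributes use different tags: {sorted(tags)}")
    return (vlan if not problems else None), problems


def audit(debug_text):
    """Check every Access-Accept found in the debug text."""
    return [check_vlan_assignment(p) for p in parse_packets(debug_text)
            if p["code"] == "Access-Accept"]


if __name__ == "__main__":
    for name, text in (("post", PAGE_EXCERPT), ("constructed", CONSTRUCTED_BAD)):
        for vlan, problems in audit(text):
            print(name, "VLAN:", vlan, "problems:", problems or "none")
```

A clean result only says the RADIUS server sent a complete, consistently tagged triplet; whether the device applies it is a separate question on the NAS side.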

  • 802.1x with ACS and Windows AD

    Hi
    I'm trying to set up 802.1x with ACS 5.2 but am struggling as it's very different to ACS 4.2.
    I have set up the ACS to be the domain and think I have set up the External Identity Store; however, when I try to authenticate a PC using authentication method 'PEAP (EAP-MSCHAPv2)', I get a failure reason '22056 Subject not found in the applicable identity store'
    Marco

    Hi Marco,
    I guess you've missed a mapping configuration in the Access Policy section.
    Create an Access Service, name it AS-802.1x, select User Select Service Type and select Network Access. Select the Policy Structure Identity and Authorization. Select PEAP as allowed protocol. Click Finish.
    You'll see the new service; click Identity.
    Select the identity source you've created, then save.
    Click on Authorization.
    Select a default authorization rule permit access and save.
    Create a Service Access Rule, name it 802.1x.
    Select Protocol Radius as Condition and as Compound Condition select RADIUS-IETF:Service-Type match Framed, then select the service you created before.
    Then you can try again.
    regards
    alex

  • Enabling 802.1x and MAC Authentication Bypass on ACS 4.2

    Hi experts,
    I have a few questions regarding 802.1x & MAC Authentication Bypass configured on ACS 4.2.
    i. Is it possible to configure MAC authentication + 802.1x on ACS 4.2 at the same time? Here is the scenario:
    Our company would like to enforce 'double authentication' on each staff machine (including personal laptops/notebooks). Each time staff plug into the company's network, they will need to supply username & password in order to get access. After that, the ACS server will also check whether the user's MAC address is valid by checking against its own database. This MAC address is tied to the staff's user profile in ACS. If the login information supplied by the staff is valid but the MAC address of their machine does not match in the ACS database, then the staff will not be able to gain access unless after notifying the administrator about it.
    ii. If it is possible, is there any reference that I can check on how to configure this?
    The reason why I need MAC authentication + 802.1x to be configured at ACS is that most of our switches are not Cisco based and are only capable of supporting 802.1x.
    Hope anyone here could help me on this.
    Thanks very much,
    Daniel

    With ACS, you can setup NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC Addresses).
    Specific info is here:
    <http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
    Hope this helps,

  • 802.1x between Switch 3750 and ACS 4.2 Authentication failed --need help

    I configured the Switch 3750 and ACS for 802.1x authentication.
    When I used Windows as the 802.1x client, it prompted "click here to enter user name and password for the network" as normal.
    The problem is that after I entered the username and password (I am sure I entered the identical username and password as in ACS) the authentication failed.
    What is the most likely problem?
    Thx in advance!!!
    The configuration of the Sw3750 is:
    aaa new-model
    aaa authentication login default local
    aaa authentication enable default line
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    dot1x system-auth-control
    interface GigabitEthernet1/0/18
    description Link to test 802.1x
    switchport access vlan 119
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    spanning-tree portfast
    radius-server host 10.1.1.333 auth-port 1645 acct-port 1646
    radius-server source-ports 1645-1646
    radius-server key keepopen0
    In the ACS:
    Network Configuration -->aaa client ip address: 10.1.119.1(the vlan 119's ip address), shared secret: keepopen0
    user setup -->real name:test1, password: test1.
    Attached is the debug information

    What do you see in acs failed attempts?

  • 802.1x, 350AP, 3550 Switch, and ACS 3.0

    Yikes!
    Whatta mess I got myself into! I'm trying to implement a couple of security features (at the same time) due to higher corporate directives. I am trying to implement RADIUS, 802.1x port authentication on a Cat 3550 switch, and MAC address authentication for wireless clients. The idea was:
    1. The 3550 has port based authentication on it and should authenticate access points as well as any workstations that will/may connect to it.
    2. The wireless clients will be MAC authenticated via the access point passing requests to the radius server.
    Confused? I am too, help!
    Thanks

    Nilesh, Thanks for the reply.
    But I do have a few further questions if you are willing:
    1. Getting the AP to use 802.1x and talk with the RADIUS server seems to be the big problem. I have not been able to find clear enough instructions on how to set the AP to do 802.1x through the switch. I do realize that LEAP is just Cisco's implementation of 802.1x but we are trying to use non-proprietary protocols.
    2. We already have the clients' MAC addresses in the APs but want to get away from this (network mgt issues) by using the ACS server.
    I guess what makes this confusing for me is the chain of events and whether they are possible to do. Here are the steps as I see them; please advise if this is not possible to do.
    1. Access point is plugged into the 3550 and uses 802.1x authentication with RADIUS through the switch. Once the switchport is authorized, the wireless clients can try to associate with the AP. To do this the MAC address of the client is sent to ACS for authorization and, when authorized, allowed to communicate. Then the wireless client retrieves an IP address through DHCP.
    Whew.

  • Compatibility 802.1X and mac-filter from ACS

    If the clients' identities and MAC addresses are stored in the same ACS server,
    in the WLC, could a WLAN be configured for layer 2 security with both 802.1x and MAC filtering?
    This is really a critical problem for me!
    Thanks~

    Hi,
    I am assuming you are asking: if you configure a MAC x of a WLAN client in the MAC filter and the same as user name in the 802.1x ACS database, could you configure it? What is the effect?
    If my understanding of your question is correct, the answer is:
    Any WLAN client will not be allowed to associate to the network unless a match is seen in the MAC filter in the WLC.
    But once that is done it will not be able to access network resources unless 802.1x authentication is completed by ACS against the WLAN client's user name, which is again the MAC address of the client.
    I don't see a value in doing this, except that you will block unnecessary authentication requests getting to ACS by filtering them in the first instance.
    Another scenario is if you are using MAC filtering also on ACS: it should be preceded by MAC filtering and then ACS authentication, as above, as far as sequence goes; hence the same logic applies here.
    Thanks

  • Machine authentication with MAR and ACS - revisited

    I'm wondering if anyone else has overcome the issue I'm about to describe.
    The scenario:
    We are happily using ACS 4.1 to authenticate wireless PEAP clients to an external Windows AD database.
    We do have machine authentication via PEAP enabled, but at this time we are not using Machine Access Restrictions as part of the external database authentication configuration.
    The clients (we care about) are using the native XP ZWC supplicant and are configured to "authenticate as machine when available".
    The passed authentications log does successfully show the machines authenticating.
    The challenge:
    We only want to permit users on our PEAP protected WLAN if the machine they are using has an account in the domain (and they are a Windows XP box - the current standard corporate image).
    In a testing lab, we enable Machine Access Restrictions, with the access mapped to "No Access" if there is no machine auth, or if machine auth fails.  If a machine is shut down and boots fresh, or if the logged on user chooses to log off while on that WLAN - we see the Windows box send its machine authentication.  As I understand it - a Windows XP box will only attempt to authenticate as a machine when a user logs off, or upon initial boot.
    In our environment (and I'm sure many others) - if a user comes into the office and docks their laptop and is attached to the wired LAN and boots or logs on - the machine may be authenticating - but it is authenticating directly to the AD as our wired LAN is not using 802.1x or ACS RADIUS.
    So the user may be logged on and working on the network - and then choose to undock, which activates the wireless.
    The problem then - the machine does NOT attempt to authenticate as a machine and only processes the user credentials - which get passed on to ACS via the WLC - and when MAR is enabled with the No Access mapping for no machine auth - the user auth obviously fails.
    Has anyone seen / overcome this?
    Our goal is to enforce that only standard XP imaged machines get on the wireless PEAP network (where the configuration is maintained by GPO).

    Here's the only thing I could find on extending the schema (I'm not a schema expert):
    http://msdn.microsoft.com/en-us/library/ms676900%28VS.85%29.aspx
    If all of your clients are Windows machines, it's easier to stick with PEAP for machine auth, user auth, or both.  However, your RADIUS (ACS) server should have a certificate that the clients trust.  You can configure the clients to ignore the RADIUS server cert, but then your clients will trust any network that looks/works like yours.  Get a cert/certs for your RADIUS server(s).
    You can have PEAP and EAP-TLS configured on your ACS server without causing problems for your PEAP clients (be aware that most of my experience is with 4.1/4.2.  Earlier versions may not work the same way).  Your comment about what you're testing is confusing me.  Let's say you have (only) PEAP configured for machine auth on both the client and the ACS server (no user auth is configured on the client, or in ACS).  Your client will offer its machine account AD credentials to the ACS server in order to authenticate to the network.  Those credentials will be validated against AD by your ACS server, and then the machine will get an IP address and connect to your network.  Once your machine is on the network, and a user tries to log on, then the user's AD credentials will be validated against AD (without any involvement of ACS).  You should not need PEAP and EAP-TLS together.  Both are used for the same purpose: 802.1X authentication for network access.  PEAP only uses AD to validate machine credentials (or user credentials), because you configured your ACS server to use AD as a user database for validating 802.1X credentials.  You could just as easily have used PEAP on the client side, but told ACS to use an LDAP connection to a Linux box with a user/machine database. Validating credentials for network access (802.1X) is not the same thing as authenticating to AD for server/printer/email/whatever access.  I wish I could explain this better...

  • Wireless Virtual LAN - SSID and ACS User Mapping

    Hi Everybody
    We have the following scenario:
    - WLC 4402 and ACS 3.3
    - 2 SSIDs, one for employees - one for guests
    - All users (guests and employees) are authenticated against the ACS server.
    We would like to only permit guest users to use the Guest SSID.
    I've been reading the Wireless Virtual LAN Deployment Guide:
    http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wvlan_an.pdf
    and have tried to use method 1.
    - RADIUS-based SSID access control:
    "Upon successful 802.1X or MAC address authentication, the RADIUS server
    passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge."
    "This is configured by enabling the '[026/009/001] cisco-av-pair' option. On the ACS Server
    - Enable and configure Cisco IOS/PIX RADIUS Attribute,
    009\001 cisco-av-pair
    - Example: ssid=LEAP_WEP"
    I've tried this, but regardless of which SSID the user(-group) has configured, it still can access all SSIDs?
    Does anyone have any idea of what I'm doing wrong?
    Does this setting only apply to access points, or is it also valid for the WLC 44xx series?
    Greetings
    Jarle

    Hi, I'm sorry but this still does not help.
    We have now upgraded ACS to version 4.0 and I'm still having the same problems.
    This is what I have configured:
    WLC:
    - WLAN
    - SSID : Public
    - WLAN id = 3
    - L2 Security : 802.1x
    - Interface Name : GuestVLAN
    - Controller - Interface
    - management - Untagged
    - GuestVLAN - VLAN 112
    - Security
    - RADIUS Servers
    When authenticating a guest (belonging to the proper group in ACS) - the right VLAN is used, IP addresses from DHCP are received, and the guest can access the internet.
    Switch:
    - Port connected to WLC uses Trunking.
    - Guests are connected to VLAN 112 and "native VLAN" is used to connect the Private Users.
    ACS:
    - AAA Client is the WLC, Authenticating using Cisco Airespace
    - Guest Users are member of Group 11
    - Private Users are member of Group 1
    Group 11
    - Use Per Group NAR to only allow WLAN Access
    - Cisco Airespace RADIUS Attributes
    x 14179\001 - Aire-WLAN-ID = 3
    - Cisco IOS / PIX RADIUS Attributes
    x 009\001 Cisco-av-pair = "ssid=Public"
    - IETF Radius Attributes
    x 006 Service Type = Login
    x 007 Framed-Prot = ppp
    x 064 Tunnel-Type = VLAN
    x 065 Tunnel-Medium-Type = 802.1x
    x 081 Tunnel-Private-Group-ID = 112
    Group (default Group)
    - Cisco Airespace RADIUS
    x 14179\001 Aire-WLAN-ID = 1
    - Cisco IOS/PIX Radius Attrib
    x 009\001 Cisco-av-pair = "ssid=Private"
    - IETF RADIUS
    x 008 Service-type = Login
    x 064 Tunnel-Type = VLAN
    x 065 Tunnel-Medium-Type = 802.1x
    x 081 Tunnel-Private-Group-ID = 1
    Do you have any idea of what I should change?
    Greetings
    Jarle

  • 802.1x and WOL issues

    OK here is the deal. We use 802.1x with ACS as the Radius server. We also use WOL to wake computers for patching and remote use. We cannot get rid of WOL or 802.1x. We also cannot have ports assigned to our Data VLAN since that would, in the eyes of the auditors, allow unauthorized devices on the VLAN. We use a "Sleep" VLAN and then use ACS policies to assign the authenticated device to the proper VLAN. We also have VOIP with the computers connected to them. Here is the actual issue we are having. It seems that on some switches even with sleeping computers the "Sleep" VLAN is down/down or up/down. If there is at least one computer that is asleep and not behind a phone everything works fine. It looks like an issue with the phone and enhanced CDP. We are looking for a way to have the "Sleep" VLAN always up/up even without devices connected. We have been tossing around ideas like having a loop so that STP runs for that VLAN, connecting a layer 3 interface to a layer 2 interface on the same switch, even connecting a phone on every access switch and placing it in the "Sleep" VLAN. We are looking for better ideas.
    Thanks.

    Hello,
    I suspect your problem is the fact that you're using self-signed certificates, but you haven't installed and trusted the root cert that issued them. The reason the phone can't validate the certificate is because it doesn't trust the issuer (or you don't have all of the certificates in the chain if you have intermediate CAs). That's also the problem with your Mac client forcing you to hit 'Accept' each time you authenticate - it doesn't trust the root CA. You should be able to talk to your IT folks to get a copy of it to import and trust (the certificate itself isn't secret).
    1. Once you have the certificate, import it into your Mac's keychain and set the appropriate trust settings.
    2. You should use the iPhone Configuration utility to create a profile to install the certificates onto the phone. On the Credentials tab hit '+' and browse to the location of the root certificate you got from IT. Once it's part of the profile you can then setup the Wi-Fi settings as needed.
    This can get tricky, depending on the configuration your IT staff has in place. They should be amenable to providing you the same information they'd provide a Windows client (hopefully). Do you know what kind of EAP type you're using on your network? From the log the client is negotiating PEAP, which I assume is correct.
    You'll need to get the certs ironed out before this will work reliably.

  • Cisco Systems vs "CSIRO" 802.11a and 802.11g infringed upon the '069 patent

    Hi,
    any news about Cisco Systems and the "CSIRO" 802.11a and 802.11g infringed upon the '069 patent ?
    http://www.buffalotech.com/products/wireless/
    Dear Customer
    As you may be aware, Commonwealth Scientific and Industrial Research Organisation ("CSIRO") sued Buffalo, Inc. and Buffalo Technology (USA), Inc. ("Buffalo"), for alleged infringement of United States Patent No. 5,487,069 ("the '069 patent"). Subsequently, CSIRO also asserted its patent against the entire wireless LAN industry, including, Microsoft, Intel, Accton, SMC and Netgear.
    In its lawsuit against Buffalo, CSIRO claimed certain Buffalo wireless networking products compliant with IEEE standards 802.11a and 802.11g infringed upon the '069 patent. Buffalo believed at that time and continues to believe that there are no grounds for CSIRO's allegations of infringement. The United States district court, however, found Buffalo to infringe the '069 patent and enjoined the importation and sale of Buffalo's IEEE 802.11a and 802.11g compliant products.
    CSIRO's lawsuits are against the entire wireless LAN industry and could affect the supply of wireless LAN products by any manufacturer, not just Buffalo. The entire industry is resisting CSIRO's attempts to enjoin the sale of wireless LAN products. Recently, Microsoft, 3COM Corporation, SMC Networks, Accton Technology Corporation, Intel, Atheros Communications, Belkin International, Dell, Hewlett-Packard, Nortel Networks, Nvidia Corporation, Oracle Corporation, SAP AG, Yahoo, Nokia, and the Consumer Electronics Association filed briefs in support of Buffalo's position that injunctive relief is inappropriate in this case.
    During the period of time that the injunction is in effect (10/1/2007), Buffalo cannot offer for sale, sell, import, or use its IEEE 802.11a and 802.11g compliant products in the United States. A list of the products covered by the injunction is attached here. The injunction does not prohibit sales of pre-existing inventories of products by Buffalo's customers. In addition, Buffalo has secured CSIRO's agreement to permit the replacement of defective products under warranty. None of Buffalo's other products are currently affected by this injunction.
    While Buffalo believes that it will be successful in reversing the district court's decision and will obtain a stay of the injunction pending a decision on the merits, the Court of Appeals has not yet issued a decision. Should the Court of Appeals issue a decision staying the injunction, you will be promptly notified. After the stay is issued or a favorable decision on the merits is obtained, Buffalo will be able to resume the supply of IEEE 802.11a and 802.11g products.
    Please rest assured that Buffalo continues to stand behind their products and will continue to support all of our loyal customers as it relates to product warranties, technical support and the like without interruption.

    I suspect after reading the patent and the litigation that you mentioned above, that the US District Court decision will be reversed as the patent appears to be very vague in its construction and verbiage. Furthermore, the intent to hold the IEEE hostage on the ratification of 802.11n will not bode well in the court's eyes. If in fact the case is reversed, I believe that the members of CSIRO will be in danger of lost profits litigation from Buffalo. Stay tuned to this bat channel.

  • Dynamic VLAN assignment with WLC and ACS for

    Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
    dot11 vlan-name STUDENT vlan 2903
    dot11 vlan-name FACSTAF vlan 2905
    As we are working on our WiSM deployment, we see that the document below shows how to do the dynamic VLAN assignment on our WLAN controllers:
    http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
    However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
    With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
    Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?

    We only have the one WiSM for all of campus, so it's handling everything. The Cisco docs do indicate how to put different users in different VLANs, but we don't currently see a way to also put them in different subnets per building.
    This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than Class C, or is there a more elegant way of handling this?

  • Potential Security Hole with 802.1x and Voice VLANs?

    I have been looking at 802.1x and Voice VLANs and I can see what I think is a bit of a security hole.
    If a user has no authentication details to gain access via 802.1x - i.e. they have not been given a User ID or the PC doesn't have a certificate etc. If they attach a PC to a switchport that is configured with a Voice VLAN (or disconnect an IP Phone and plug the PC direct into the switchport) they can easily see via packet sniffing the CDP packets that will contain the Voice VLAN ID. They can then easily create a Tagged Virtual NIC (via the NIC utilities or driver etc) with the Voice VLAN 802.1q Tag. Assuming DHCP is enabled for the Voice VLAN they will get assigned an IP address and have access to the IP network. I appreciate the VLAN can be locked down at the Layer-3 level with ACLs so any 'non-voice related' traffic is blocked but in this scenario the user has successfully bypassed 802.1x authentication and gained access to the network?
    Has anyone done any research into this potential security hole?
    Thanks
    Andy

    Thanks for the reply. To be honest we would normally deploy some or all of the measures you list but these don't get around the issue of being able to easily bypass having to authenticate via 802.1x.
    As I said I think this is a hole but don't see any solutions at the moment except 802.1x on the IP Phone, although at the moment you can't do this with Voice VLANs?
    Andy
