NAC IB with wireless users

I have a problem here guys. I will deploy Cisco NAC with wireless users.
My scenario is IB-VG; the access points are autonomous, there is no WLC.
The AP is connected to the switch on a trunk port and I have configured the AP
with different SSIDs, each one with a different VLAN. On the NAC I have
configured the VLAN mapping and the managed subnets, but it doesn't work.
I want to know where the problem is, or is there any configuration example to configure
an autonomous AP in In-Band virtual gateway mode?

Hi,
Can you please be more specific about what does not work?
What were you expecting to see and what are you seeing?
Do the wireless users get IP address?
If, yes, are they getting the IP you would expect?
After getting an IP address, if you open a web browser do you get redirected to the NAC login page?
If yes, do you enter the credentials and fail authentication?
Please note that you will need to make sure that the VLAN on the clients is allowed on the untrusted interface of the CAS, and that the VLAN mapping maps this VLAN to a VLAN where a DHCP server is reachable.
Also, please make sure that the only path for traffic on the VLAN configured on the SSID is the path going through the CAS.
HTH,
Tiago
If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

Similar Messages

  • Cisco NAC: Issue for the Wireless Users being assigned "Un-Authenticated Role" to stop accessing the Network !!!

    Hi,
    I am looking for a solution to deal with the wireless NAC users being authenticated (Web Login Only) from a particular AD group. The mapped users get into a particular role and access VLAN, but un-mapped users get the default role, which is "Un-Authentication Role", but also get the same Access VLAN. So the unwanted users also get the same access, which is undesired.
    I tried one solution, which is: I put those users into a role named "Deny_Role" and enabled a timer of 1 minute (least time) on it, which seems to work, but I can see that the user is disconnected (session timeout) after 3 or 5 minutes. I want to limit this but again, I do not find this an appropriate solution.
    We could deal with wired users easily: bounce the port and get them again in "Unauthenticated Role", and the VLAN will be "Un-Auth VLAN" with no network access, or redirect them into a particular role with a specific VLAN. But this is not valid in the case of "Wireless Users".
    So, I am looking for a solution to deal with the wireless users in this situation...
    Please advise or give an idea.
    BR,
    Mubasher Sultan

    Hi,
    Any idea or suggestion...
    BR,
    Mubasher Sultan

  • Wireless users not visible in PRSM with CDA integration

    I have an ASA 5515x v 9.1 with CX module v 9.1.3 and CDA integrated into the AD domain. I can see the user-to-IP mappings for domain Windows users, like desktops and laptops. I cannot see the user-to-IP mappings for the wireless users. I see their IP addresses but the usernames don't come in. I have the PRSM configured to use CDA. Do I need to also add the WLC somehow to the CDA setup?

    Hi, Try one of the following:
    1. Provision the native users with viewer role for BI+, if not done already
    2. For the folder containing the reports, have these users been provisioned? Are you able to view the users with provisioning access to the folder?
    3. Do not put any filter for users and begins with combination to display all possible users
    Let me know if that works!

  • Problem authenticating Wireless users with peap

    Good afternoon,
    I am currently trying to authenticate wireless users using PEAP and an external RADIUS server. The problem is when I try to authenticate I get this error :
    AAA/AUTHEN/PPP : Pick method list 'Permanent Local'
    DOT11-7-AUTH_FAILED : Station ... Authentication failed
    It shouldn't use local authentication, but the aaa server I configured.
    I looked on the internet but didn't find a working solution.
    Does anyone know why it is not working ?
    Here is my running configuration :
    Current configuration : 4276 bytes
    ! Last configuration change at 00:45:40 UTC Mon Mar 1 1993
    ! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    logging rate-limit console 9
    enable secret 5 $1$QVC3$dIVAarlXOo52rN3ceZm1k0
    aaa new-model
    aaa group server radius rad_eap
     server 192.168.2.2 auth-port 1812 acct-port 1813
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    no ip routing
    no ip cef
    dot11 syslog
    dot11 ssid test
       authentication open eap eap_list
       authentication key-management wpa version 2
       guest-mode
    eap profile peap
     method peap
    crypto pki token default removal timeout 0
    bridge irb
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption mode ciphers aes-ccm
     ssid test
     antenna gain 0
     stbc
     beamform ofdm
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio1
     no ip address
     no ip route-cache
     shutdown
     antenna gain 0
     no dfs band block
     channel dfs
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface GigabitEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     dot1x pae authenticator
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    interface BVI1
     ip address 192.168.3.10 255.255.255.0
     no ip route-cache
    ip default-gateway IP
    ip forward-protocol nd
    ip http server
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.168.2.2 auth-port 1812 acct-port 1813 key 7 140441081E501F0B7D
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
     transport input all
    end
    Thank you

    I haven't set up autonomous APs before but I think I might see the problem. You are defining an authentication list called "eap_methods" but you never call for it in your SSID settings. Instead, there you call a list named "eap_list". In addition, I think you might be missing one more command. So perhaps try this:
    dot11 ssid test
    authentication open eap eap_methods
    authentication network-eap eap_methods
    authentication key-management wpa version 2
    guest-mode
    Hope this helps!
    Thank you for rating helpful posts!
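
The mismatch this answer points out (the SSID calls `eap_list` while AAA defines `eap_methods`) can be caught mechanically before a config is deployed. The Python script below is an added example, not part of the original thread: the sample config is constructed, and the finding names (`undefined-list`, `unused-list`, `empty-group`) are this example's own labels.

```python
import re
import textwrap

# Constructed sample: a trimmed autonomous-AP config with the same mismatch
# as the posted one (the SSID references eap_list, AAA defines eap_methods).
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa group server radius rad_acct
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa accounting network acct_methods start-stop group rad_acct
dot11 ssid test
   authentication open eap eap_list
   authentication key-management wpa version 2
   guest-mode
interface Dot11Radio0
 ssid test
"""

GROUP_RE = re.compile(r"^aaa group server (?:radius|tacacs\+) (\S+)")
LIST_RE = re.compile(r"^aaa (authentication login|accounting network) (\S+) (.+)")
SSID_RE = re.compile(r"^dot11 ssid (\S+)")
# SSID sub-commands that name an AAA method list (first list name only).
SSID_AUTH_RE = re.compile(
    r"^authentication (?:open (?:eap|mac-address)|network-eap) (\S+)")
LINE_LOGIN_RE = re.compile(r"^login authentication (\S+)")


def parse(config_text):
    """Return (server groups, method lists, method-list references)."""
    groups = {}   # server group name -> number of "server" lines under it
    lists = {}    # method list name -> (kind, [server groups it uses])
    refs = []     # (SSID name or "line", referenced method list name)
    block = None  # ("group" | "ssid", name) of the enclosing top-level command
    # dedent() copes with a config pasted with a uniform left margin.
    for raw in textwrap.dedent(config_text).splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():          # a top-level command closes any block
            block = None
            if m := GROUP_RE.match(line):
                groups[m.group(1)] = 0
                block = ("group", m.group(1))
            elif m := LIST_RE.match(line):
                words = m.group(3).split()
                used = [words[i + 1] for i, w in enumerate(words[:-1])
                        if w == "group"]
                lists[m.group(2)] = (m.group(1), used)
            elif m := SSID_RE.match(line):
                block = ("ssid", m.group(1))
        elif block and block[0] == "group" and line.startswith("server "):
            groups[block[1]] += 1
        elif block and block[0] == "ssid" and (m := SSID_AUTH_RE.match(line)):
            refs.append((block[1], m.group(1)))
        elif m := LINE_LOGIN_RE.match(line):
            refs.append(("line", m.group(1)))
    return groups, lists, refs


def audit(config_text):
    """Return a list of (finding, subject, detail) tuples."""
    groups, lists, refs = parse(config_text)
    auth_lists = {name for name, (kind, _) in lists.items()
                  if kind == "authentication login"}
    findings = []
    # 1. An SSID (or line) names a method list that AAA never defines.
    for where, name in refs:
        if name not in auth_lists:
            findings.append(("undefined-list", where, name))
    # 2. A login method list is defined but nothing refers to it.
    referenced = {name for _, name in refs}
    for name in sorted(auth_lists - referenced - {"default"}):
        findings.append(("unused-list", name, None))
    # 3. A method list points at a named server group with no servers in it.
    for name, (_, used) in sorted(lists.items()):
        for group in used:
            if groups.get(group) == 0:
                findings.append(("empty-group", name, group))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

An `undefined-list` finding next to an `unused-list` finding with a similar name is the signature of the typo discussed in this thread.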

  • Determining active wireless users with ACS

    Is there a way to determine how many active wireless users are on the network by checking ACS? Currently our users need to re-authenticate periodically (about every 15 minutes), however, ACS shows no logged in users. There should at least be one -- ME!

    We should be looking for something like this on the AP:
    aaa group server radius rad_acct
    server auth-port XXXX acct-port XXXX
    aaa accounting network acct_methods start-stop group rad_acct

  • Wireless Users In L2 Inband Virtual Mode

    Hello
    At present the access points are just plugged into a switch port on access VLAN 10 and configured with a VLAN 10 SSID on the access point for wireless users. Users are accessing the network fine with no issues. I have set up a NAC in L2 in-band virtual mode; it is working fine when I tested for WIRED users.
    To enforce posture assessment on wireless users, I just have to change the switch port access VLAN to the authentication VLAN where the access point is connected at present, and change the SSID VLAN 10 to the authentication VLAN. As I am using only 1 VLAN, I don't have to create a trunk port on the switch where the access point is connected?? Nothing else I have to do?? Correct me if I am wrong.
    Answers ???????

    Thank you for all the details.
    As some further details, the CAS should be configured with the following:
    1. Under the managed subnets, you should add an IP address (not used anywhere else) in the trusted vlan 10 subnet and link it to the untrusted vlan 20.
    2. Under the vlan mappings, it's OK to have the untrusted vlan 20 mapped to the trusted vlan 10. So the vlan mapping should be:
    20 (untrusted) ---> 10 (trusted)
    Wireless users should be connecting on vlan 20 and they should get an IP in trusted vlan 10's subnet.
    All the traffic should then flow through the CAS, which will take care of mapping vlan 20 to vlan 10 once the user is authenticated and certified.
    AD SSO for wireless users should also be possible.
    The AD SSO authentication through NAC regards only the authentication process through the NAC agent.
    As long as the rest of the configuration is correct, this should also be possible for wireless users.
    Regards,
    Fede
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Ethernet Problem with Multiple users on same Mac

    Hi, sorry in advance for my English. I am writing from Italy.
    I have an iMac with 2 user profiles on it. One profile is administrator, and the other a standard user.
    I also have a Time Capsule configured to connect to my network with the Ethernet cable. The cable is plugged into the WAN port, the configuration is "bridged" and I use a Linksys WiFi router as a router.
    Well, supposing that I am logging in with one of my users and access the Time Capsule wirelessly, it shows me the disk content.
    I then switch to the other user without logging off the first one and then access the Time Capsule, where I see the same folder and I can access it. So everything works fine.
    In the case where I connect my Mac with Ethernet (disabling AirPort) to my Linksys router, if user 1 mounts the Time Capsule, user 2 can't access it if user 1 does not unmount.
    Why so?
    I need to switch from user 1 to user 2 without logging off, and I don't understand why it works wirelessly and not with Ethernet.
    Thank you
    Paolo

    In fact, all my page beans are in REQUEST scope...
    The only bean in Application scope is the standard applicationBean created by Creator itself.
    We use one Bean in session scope which contains another class.
    I will try to explain our common process:
    - when logging into the app, the session Bean stores user data (rights for using app,...);
    - when navigating in the app, the user can search data, modify them and create one (if he has the right to do it);
    - to define the screen, we use a lot the beforeRenderResponse();
    - when viewing a data, the user can choose to modify it, so depending on the action, the page is in "CONSULT" mode or "MODIFY" mode. In the second one, he can display new gridPanel (as a subform) to populate datatable.
    The problem is obvious while using this grid: my grid can disappear if someone else has validated his form before me and if my page goes through the beforeRender of my page.
    It is not really clear. If needed, I can give access to our application to show the problem (and MSN address too to talk about it).
    Thank you

  • New problem with wireless connection since 27th No...

    Main desktop computer (windows xp) is connected directly to the internet via ethernet cable to BTHub3. No problem exists with this  connection.
    We have previously had no problem connecting Tablet, laptop, and internet radio via wireless connection to our Hub. Problems now exist with wireless connection to all of these devices:-
    - When attempting to use any of the devices wirelessly, we are unable to obtain a connection to our Network (shown on the list of those available) - indicates -  "out of range" or "obtaining IP address" or "authenticating" or "network disabled - poor connection"
    - On occasions, the devices DO show that they are connected wirelessly but are unable to access the internet or use any programmes requiring an internet connection. Messages indicate - "no internet connection" or "connection timed out - retry" or "cannot access this webpage", even when we are in the same room as, and only a few feet away from the Hub.
    - One anomaly has occurred in that the internet radio did connect and function normally on 2 occasions recently, for a duration of a couple of hours, before losing the connection. However, during this time, the other devices still refused to connect.
    Measures we have undertaken to try to resolve the problem are :-
    - We have visited the "Wireless troubleshooting" part of the BT Helpdesk on several occasions, but had already tried the measures suggested here, including changing channels and hub reset.
    - We have spoken at length to the BT tech. helpline who have been unable to resolve the problem.
    - We have emailed BT Help and received a reply from India suggesting all the things that we have already tried (ie. a "stock answer").
    - We are not confident enough to access the Hub Manager as we feel this is beyond our capability.
    We would be most grateful if someone could help us.

    Wingman2, the first thing I would do is uninstall BTDesktop Help if you have it installed. It can cause more problems than it solves.
    I would also suggest that the first thing to try is a factory reset of the homehub by pressing a pin into the recess button on the rear for about 20 seconds.
    After you have done a reset if you still have problems, download, install and run inSSider. It will show you the wireless channels and which one your Homehub is on. You want to find the channel with the least congestion, ie. least number of users. Once you have that you need to change your homehub onto that channel.
    See link for insider. Use the free version.
    http://www.metageek.net/products/inssider/
    See link how to change channel on homehub
    http://bt.custhelp.com/app/answers/detail/a_id/14094
    After that if you are still having problems you could try setting the home hub to b/g only instead of b/g/n. If one of your devices is not "n" capable it could help.
    http://bt.custhelp.com/app/answers/detail/a_id/13768/session/L2F2LzEvdGltZS8xMzg4NzgxNjIyL3NpZC9Vd3p...

  • Wireless users are losing the internet connection....

    Dear All, My wireless users are losing the internet (http and https) connection many times per day. I just checked the ports configuration in the switch, but the problem persists. The device is a Cisco Aironet 1130 AG. Does someone have some idea???

    Dear All, My wireless users are losing the internet (http and https) connection many times per day. I just checked the ports configuration in the switch, but the problem persists. The device is a Cisco Aironet 1130 AG.
    You are barking up the wrong tree.
    Can you please elaborate further?
    I need to determine whether the clients are losing WIRELESS connection or losing WAN connection. Two different things, two different directions to choose from.
    The easiest way to determine is this:
    Presume you have 10 clients and half the clients are associated to one WAP and the other to the other WAP. Your description states that all 10 clients would lose internet connectivity. Is this correct? If this is so, then we start with your switch and your WAPs. How are the WAPs powered? PoE or power injector? Can you console into the WAPs? Can you post the output to the commands "sh version" and "sh logs"? How about the switch? Can you console into the switch? Can you post the output to the commands "sh version" and "sh logs"?

  • Qemu - Bridged networking with wireless adapter

    How can I use bridged networking with wireless on a Qemu virtual machine? With VirtualBox it can be easily done. I don't know why in Qemu it is so complicated; maybe VirtualBox has a completely different mechanism for this. I've read the wiki, and it looks like it is impossible to use wireless for bridged networking. If it is really impossible, why can VirtualBox do it?
    And, in the Arch wiki's Qemu manual, I didn't see how to use NetworkManager there to do bridged networking. Since I use NetworkManager and disable the others (like netctl and dhcpcd), it makes it even more complicated. But maybe it's because I don't understand. Maybe someone experienced here can give me a way around this?

    bagol wrote: How can I use bridged networking
    It's up to you to set up the bridged network - or use TAP, e.g.:
    ip tuntap add dev <devname> mode tap user <youruser>
    ip link set <devname> up
    ip route ...
    ... and proxy_arp
    ... and iptables forwarding & masquerade
    It's a good learning experience, to set up the network yourself, rather than have VirtualBox do similar things by *magic*

  • EA6400: Problems for wireless users

    There are two router EA6400 (firmware version: 1.1.40.160989). Routers are configured in bridge mode. Routers are used for wireless devices/users. Wireless users have many problems with the quality of the connection and very high ping. Wired users don't have any problems with the quality of the connection and ping.
    What's the problem?
    Ping from user
    user@pc:~$ ping yandex.ru
    PING yandex.ru (93.158.134.11) 56(84) bytes of data.
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=1 ttl=56 time=6.66 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=2 ttl=56 time=1110 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=3 ttl=56 time=112 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=4 ttl=56 time=338 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=5 ttl=56 time=463 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=10 ttl=56 time=449 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=12 ttl=56 time=390 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=13 ttl=56 time=515 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=14 ttl=56 time=744 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=17 ttl=56 time=17.5 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=19 ttl=56 time=139 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=21 ttl=56 time=388 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=22 ttl=56 time=1440 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=23 ttl=56 time=433 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=24 ttl=56 time=1580 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=25 ttl=56 time=574 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=31 ttl=56 time=783 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=35 ttl=56 time=954 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=36 ttl=56 time=5.31 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=37 ttl=56 time=1110 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=38 ttl=56 time=103 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=39 ttl=56 time=225 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=40 ttl=56 time=761 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=41 ttl=56 time=157 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=43 ttl=56 time=10.0 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=44 ttl=56 time=1241 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=45 ttl=56 time=241 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=47 ttl=56 time=1020 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=48 ttl=56 time=946 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=49 ttl=56 time=5.29 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=51 ttl=56 time=1122 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=52 ttl=56 time=122 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=54 ttl=56 time=275 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=55 ttl=56 time=500 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=56 ttl=56 time=427 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=57 ttl=56 time=554 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=60 ttl=56 time=730 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=61 ttl=56 time=1062 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=62 ttl=56 time=66.3 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=63 ttl=56 time=390 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=64 ttl=56 time=526 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=73 ttl=56 time=944 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=77 ttl=56 time=123 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=81 ttl=56 time=325 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=89 ttl=56 time=626 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=92 ttl=56 time=701 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=94 ttl=56 time=852 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=102 ttl=56 time=1043 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=103 ttl=56 time=43.3 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=104 ttl=56 time=150 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=110 ttl=56 time=828 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=114 ttl=56 time=9.44 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=115 ttl=56 time=1154 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=116 ttl=56 time=155 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=119 ttl=56 time=435 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=127 ttl=56 time=734 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=134 ttl=56 time=81.6 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=135 ttl=56 time=100 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=137 ttl=56 time=559 ms
    ^C
    --- yandex.ru ping statistics ---
    141 packets transmitted, 59 received, 58% packet loss, time 140168ms
    rtt min/avg/max/mdev = 5.290/524.123/1580.880/407.470 ms, pipe 2
    user@pc:~$
    Traceroute from user

    geekychix wrote:
    What is the wireless channel set for your router? Flash the firmware of your router, reset and reconfigure it. Try playing around with channels 1,3,6 or 9. Security mode should be set to WPA2 Personal. Let me know how it goes.
    Forgot to say that I only use 2GHz wireless network. A fifth channel to another 12th channel. Channels I specifically chose not to overlap with neighboring networks. I've already tried to reset the settings to the default and reconfigure the router again. I only use WPA2 PSK-CCMP. Have any ideas?
    Lun wrote:
    EA6400 works really good for me with the current firmware.  On 2.4ghz, channel 9 is solid and at 5.0ghz, channel 157 is strong too.  Try that.
    Forgot to say that I only use 2GHz wireless network. A fifth channel to another 12th channel. Channels I specifically chose not to overlap with neighboring networks.
    Saffronfs7 wrote:
    Your WiFi network is possibly prone to wireless interference which causes high latency and slow/intermittent connection. Adjust the wireless settings on your EA6400 routers. Use Non-overlapping Channels like 1 or 6 or 11. Use a WiFi scanner to check which Channels are crowded and which ones are not. Although 5GHz network uses non-overlapping Channels I recommend using Channel 161.
    I already did all of that in advance. Have any ideas?
    Lun wrote:
    Everyone in my area are using channel 1, 6, and 11 on 2.4ghz.  Channel 9 work best for me.
    Channels I specifically chose not to overlap with neighboring networks. Have any ideas?

  • Getting Wireless Users onto LAN

    Hello All,
    We currently purchased 2 AP's and a 2106 WLC and I am having some trouble getting the wireless users to communicate to the network on the other side of the WLC. Here is a very simple diagram on how this is all connected.
    3750X L3 Switch --> 2106 WLC --> AP
    LAN Network - 10.10.0.0/16           Wireless Users Network - 10.100.21.0/24
    So with a laptop, I can get a DHCP reservation from the WLC to the 10.100.21.0/24 network. From there though, I cannot ping anything in the 10.10.0.0/16 network. I know that I am talking across two different networks so by default they shouldn't be able to communicate, but I feel like I am missing a setting on the WLC that will allow the two networks to communicate.
    Management Interface:
    IP Address: 10.10.20.100
    Netmask: 255.255.0.0
    Gateway: 10.10.0.1
    DHCP Info: 10.10.20.100
    Here is the config for my test interface (which may be the problem):
    IP Address: 10.100.21.2
    Netmask: 255.255.255.0
    Gateway: 10.100.21.1
    DHCP Info: 10.10.20.100
    Thanks in advance for taking a look.

    Hello George,
    Thanks for the reply. I believe I have routes that allow both these networks to talk, currently we are redesigning our network so bear with me as the setup is a little goofy.
    The way our devices are connected in terms of the wireless configuration:
    Internet <-> ASA <-> 3750 switch <-> WLC <-> AP <-> Laptop
                                          |
                                      My PC    
    So, currently our default gateway for our LAN (10.10.0.1) is the inside interface of the ASA (like I said, working on changing this). On the ASA I also have a static route configured so any traffic destined for 10.100.21.0/24 is sent to 10.10.20.2, which is our 3750 switch.
    On the 3750 switch I set a default gateway for our wireless network of 10.100.21.1. I also configured the trunk from the post above so there is a trunk between the 3750 and the WLC allowing the LAN VLAN and Wireless VLAN to send data across it.
    On our WLC I have this configured:
    Management Interface:
    IP Address: 10.10.20.100
    Netmask: 255.255.0.0
    Gateway: 10.10.0.1
    DHCP Info: 10.10.20.100
    Here is the config for my test interface (which may be the problem):
    IP Address: 10.100.21.2
    Netmask: 255.255.255.0
    Gateway: 10.100.21.1
    DHCP Info: 10.10.20.100
    From my LAN I can ping 10.100.21.1
    Our host on the wireless can get an IP, but when it attempts to ping anything (even its gateway) I get no replies.
    Going back to your question of if we have routes for both networks to talk, I believe we do, unless I am missing something.
    Thanks again for your reply and taking the time to look at this.

  • WLC 4404 Wireless users getting disabled

    Hi,
    I have a WLC 4404 with version 7.0.116.0. I was getting the following messages for particular APs:
    *Dec 20 14:11:13.875: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 20 14:11:13.908: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec 20 14:11:29.383: %LWAPP-5-RLDP: RLDP stopped on slot 0.
    *Dec 20 14:11:29.674: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
    *Dec 20 14:11:29.678: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 20 14:11:29.700: %LWAPP-5-RLDP: RLDP started on slot 0.
    *Dec 20 14:11:29.707: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec 20 14:11:29.752: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
    *Dec 20 14:11:29.757: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 20 14:11:29.790: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec 20 14:11:45.396: %LWAPP-5-RLDP: RLDP stopped on slot 0.
    *Dec 20 14:11:13.875: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    After seeing one of the Cisco forum threads, I disabled RLDP for those particular APs,
    so the above messages are rectified.
    But right now we are not able to identify the rogue IP and it is not contained.
    So please give any suggestion so that I can rectify the above messages as well as identify the rogue IP.
    Thanks & Regards
    Gaurav Pandya

    Hi Scott,
    You are right, I am not able to detect rogue APs because I disabled RLDP. But when I enable RLDP for that particular AP, I get the following messages, with the interface going up and down:
    *Dec 20 14:11:13.875: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 20 14:11:13.908: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec 20 14:11:29.383: %LWAPP-5-RLDP: RLDP stopped on slot 0.
    *Dec 20 14:11:29.674: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
    *Dec 20 14:11:29.678: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 20 14:11:29.700: %LWAPP-5-RLDP: RLDP started on slot 0.
    So please suggest a middle way so that I can enable RLDP (detect the rogue APs) without the interface going up and down frequently.
    Regards
    Gaurav
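One way to check how closely the radio resets track the RLDP messages in the posted console output, as an added example that is not part of the original posts. The function names, the one-second window and the fixed year used for parsing are assumptions.

```python
import re
from datetime import datetime, timedelta

# AP console lines as posted in the thread above.
LOG = """*Dec 20 14:11:13.875: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 20 14:11:13.908: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 20 14:11:29.383: %LWAPP-5-RLDP: RLDP stopped on slot 0.
*Dec 20 14:11:29.674: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 20 14:11:29.678: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 20 14:11:29.700: %LWAPP-5-RLDP: RLDP started on slot 0.
*Dec 20 14:11:29.707: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 20 14:11:29.752: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 20 14:11:29.757: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 20 14:11:29.790: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 20 14:11:45.396: %LWAPP-5-RLDP: RLDP stopped on slot 0."""

PAT = re.compile(r"^\*(\w{3} +\d+ [\d:.]+): %\w+-\d-(\w+): (.*)$")

def parse(text):
    """Return (timestamp, mnemonic, message); the log has no year, so 2000 is assumed."""
    out = []
    for line in text.splitlines():
        m = PAT.match(line.strip())
        if m:
            ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S.%f")
            out.append((ts, m.group(2), m.group(3)))
    return out

def radio_outages(events):
    """Intervals from the first 'down'/'reset' message to the next 'up' on the radio."""
    outages, start = [], None
    for ts, mnem, msg in events:
        if mnem not in ("CHANGED", "UPDOWN"):
            continue
        if msg.endswith(("to down", "to reset")):
            start = start or ts
        elif msg.endswith("to up") and start:
            outages.append((start, ts))
            start = None
    return outages

def outages_near_rldp(events, window=timedelta(seconds=1)):
    """Outages that begin within `window` of an RLDP started/stopped message."""
    rldp = [ts for ts, mnem, _ in events if mnem == "RLDP"]
    return [o for o in radio_outages(events)
            if any(abs(o[0] - r) <= window for r in rldp)]
```

On the posted excerpt this finds three short radio outages, two of which begin within a second of an RLDP start or stop message; the first has no RLDP message near it in the excerpt.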

  • EAP-TLS on ACS v4 for wireless users

    Hi,
    I'm trying to deploy the EAP-TLS authentication method on ACS v4.0 for my local wireless users; I am really stuck on the certificate issue and need your assistance to understand the required procedures to accomplish the task.
    As mentioned in the ACS configuration guide, I have to have a CA server to generate certificates for both ACS and wireless users, but I found an option on the ACS, under the System Configuration tab and then ACS Certificate Setup, called Generate Self-Signed Certificate. I generated a certificate and uploaded a copy to my PC, installed it and followed the recommended steps to configure the Microsoft XP client, but I still got the error "Windows was unable to find a certificate to log you on to the network SSID". Honestly I don't know if this is possible, but I gave it a try and failed.
    Kindly advise what the appropriate and easiest way to accomplish the task is; if you could provide me with helpful documents I'll appreciate it.
    Regards,
    Belal

    I am currently using EAP-TLS authentication for my wireless users with ACS 3.2. I have had that problem before. This is what I did...
    Set up a Microsoft Certificate server as my CA. You can use the same machine for your ACS and CA.
    Then, generate a certificate signing request from ACS, request a server certificate from the CA, then copy and install the certificate on ACS. On the ACS, go to global authentication setup and check the EAP-TLS certificate. If it fails to respond, it means that the server certificate is not properly set up.
    On the Windows XP clients, connect your machine using wired LAN, then request a certificate from the CA (the same CA that you used for your ACS) using IE (e.g. http://CAip/certsrv), but this time request a client certificate. The name you put when requesting the cert must be your local Windows user; use 1024, choose Microsoft Base Cryptographic Provider 1.0, then install the certificate on the client. Verify that your client certificate was installed properly.
    At that point you should be able to connect your wireless client using EAP-TLS.

  • Integrate NAC Appliance with Active Directory

    We are trying to implement, for our customer, a NAC appliance integrated with Active Directory single sign-on.
    The NAC is configured with L2 OOB. The user first connects to the switch and gets the authentication VLAN, then the user is authenticated using their domain account login; if that succeeds, the user is mapped to the VLAN assigned to them.
    The SSO agent installed on Active Directory is running well, and on the CAS the SSO service is also started.
    Let's say I have this situation:
    1. User A has been assigned to VLAN 15 Employee
    2. User A plugs into the switch, gets a dummy VLAN and authenticates using the domain account on AD. If that succeeds, the port is bounced; the user is running a Cisco agent in the background
    3. Now user A has their own VLAN ID 15
    I've created the authentication server on the CAM for Active Directory, but I find it very difficult to configure mapping rules between user roles and Active Directory. The guidance PDF on how to implement NAC that I downloaded from Cisco does not mention how to map user roles to Active Directory...
    Has anyone configured mapping rules from user roles to Active Directory?

    So you would create a mapping rule against your lookup server like so.
    Say the AD group membership is "Finance".
    For ADSSO you would apply the mapping rule to your LOOKUP server,
    where the expression is
    memberOf contains CN=Finance
    and apply it to the role employee. If VLAN 15 is your employee VLAN, then you would designate VLAN 15 in your Employee role under user role configuration.
    Now, you can't test this with ADSSO with the test auth function, so what I like to do is create an AD authentication server and test against that. As long as you have some form of mapping configured, the auth results will return all memberships for the username you log in with, so you can get the syntax exactly right.
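The mapping rule from this reply, modelled as an added example (not CAM's own code and not from the original posts) to show why the exact operand syntax matters. It assumes `contains` is a case-insensitive substring test and that the first matching rule wins; the users, group DNs and the `example.local` domain are constructed.

```python
import re

# Constructed sample: memberOf values as an AD lookup could return them.
BASE = "OU=Groups,DC=example,DC=local"
USERS = {
    "alice": [f"CN=Finance,{BASE}", f"CN=Staff,{BASE}"],
    "bob":   [f"CN=Finance-Contractors,{BASE}"],
    "carol": [f"CN=Staff,{BASE}"],
}
ROLE_VLAN = {"Employee": 15, "Unauthenticated": None}  # VLAN 15 is from the thread

def contains(values, operand):
    """Assumed semantics of 'contains': case-insensitive substring of any value."""
    return any(operand.lower() in v.lower() for v in values)

def first_rdn_equals(values, operand):
    """Stricter test: the leading RDN of a DN must equal the operand exactly."""
    for v in values:
        # Split on the first comma that is not backslash-escaped inside the CN.
        rdn = re.split(r"(?<!\\),", v, maxsplit=1)[0].strip()
        if rdn.lower() == operand.lower():
            return True
    return False

def map_role(member_of, rules, default="Unauthenticated"):
    """Return the role of the first rule that matches (ordering is an assumption)."""
    for test, operand, role in rules:
        if test(member_of, operand):
            return role
    return default

LOOSE = [(contains, "CN=Finance", "Employee")]               # rule as written in the reply
ANCHORED = [(contains, "CN=Finance,OU=Groups", "Employee")]  # operand includes the next RDN
EXACT = [(first_rdn_equals, "CN=Finance", "Employee")]

def evaluate(rules):
    """Map every sample user to (role, access VLAN)."""
    result = {}
    for user, groups in USERS.items():
        role = map_role(groups, rules)
        result[user] = (role, ROLE_VLAN[role])
    return result
```

With the loose operand, `bob` (a member only of the constructed `Finance-Contractors` group) is mapped to Employee and VLAN 15; extending the operand to include the following RDN keeps him in the default role.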
