Per SSID EAP-type Authentication
Is there a way to configure ACS 4.2 to only allow certain EAP-type of authentication per SSID? For example: SSIDA - only allows EAP-TLS and SSIDB - only allows EAP-PEAP on the same ACS server?
Any help is greatly appreciated.
You should configure a NAP (Network Access Policy). The selection factor should be "per SSID" and then for each policy you can allow different EAP types.
For the "per SSID" part, the WLC has a command to change the called-station-id to append the SSID name to the AP MAC address.
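The selection logic this answer describes, as an added Python sketch (not from the thread, and not ACS or WLC code): the SSID is read from the Called-Station-Id suffix and the EAP method is checked against a per-SSID allow-list, rejecting when the SSID is missing. `SSID_POLICY`, `parse_called_station_id` and `evaluate` are hypothetical names; the `AP-MAC:SSID` layout is assumed from the Called Station Identifier value shown in the NPS event on this page.

```python
import re

# EAP method numbers as assigned in the IANA EAP registry.
EAP_TLS = 13
EAP_PEAP = 25

# Hypothetical policy mirroring the question: one allowed EAP method per SSID.
SSID_POLICY = {
    "SSIDA": {EAP_TLS},
    "SSIDB": {EAP_PEAP},
}

# AP MAC (dash or colon separated), optionally followed by ":<SSID>".
_CALLED_STATION = re.compile(
    r"^(?P<mac>[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})(?::(?P<ssid>.+))?$"
)


def parse_called_station_id(value):
    """Return (ap_mac, ssid); ssid is None when the WLC did not append it."""
    m = _CALLED_STATION.match(value)
    if not m:
        raise ValueError("unrecognised Called-Station-Id: %r" % value)
    mac = m.group("mac").replace(":", "-").upper()
    return mac, m.group("ssid")


def evaluate(called_station_id, eap_type, policy=SSID_POLICY):
    """Decide accept/reject for one request. Every unknown case is a reject,
    so a controller that stops appending the SSID cannot bypass the policy."""
    try:
        _mac, ssid = parse_called_station_id(called_station_id)
    except ValueError:
        return ("reject", "malformed Called-Station-Id")
    if ssid is None:
        return ("reject", "no SSID in Called-Station-Id")
    allowed = policy.get(ssid)  # SSIDs are case-sensitive, so no folding
    if allowed is None:
        return ("reject", "no policy for SSID %r" % ssid)
    if eap_type not in allowed:
        return ("reject", "EAP type %d not allowed on %r" % (eap_type, ssid))
    return ("accept", "EAP type %d allowed on %r" % (eap_type, ssid))


if __name__ == "__main__":
    # Constructed sample requests: (Called-Station-Id, EAP type).
    samples = [
        ("00-0F-7D-C4-45-20:SSIDA", EAP_TLS),
        ("00-0F-7D-C4-45-20:SSIDA", EAP_PEAP),
        ("00:0f:7d:c4:45:20:SSIDB", EAP_PEAP),
        ("00-0F-7D-C4-45-20", EAP_TLS),
    ]
    for csid, eap in samples:
        print(csid, eap, evaluate(csid, eap))
```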
Similar Messages
-
wireless authentication not working
I found the following in the radius
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 1/15/2014 2:07:57 AM
Event ID: 6273
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: NAP01.test.local
Description:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: doamin \user.a
Account Name: user.a
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 00-0F-7D-C4-45-20:staff
Calling Station Identifier: 0C-74-C2-EF-Dd-0B
NAS:
NAS IPv4 Address: 192.168.9.10
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 497
RADIUS Client:
Client Friendly Name: wcont1
Client IP Address: 192.168.9.10
Authentication Details:
Connection Request Policy Name: Wireless
Network Policy Name: wism
Authentication Provider: Windows
Authentication Server: NAP01.test.local
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
Please help
Hi,
Any updates?
In addition, this issue may also be because your client didn't have the CA certificate of your domain. Please make sure that your client has the CA certificate.
Besides, the error "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server" may be due to the fact that the default maximum transmission unit that NPS uses for EAP payloads is 1500 bytes. You can lower the maximum size that NPS uses for EAP payloads by adjusting the Framed-MTU attribute in a network policy to a value no greater than 1344:
Configure the EAP Payload Size
Best regards,
Susie -
Hi
We are just putting in a new Controller - 5500 type
We are using a WCS.
Someone has raised the issue of whether we can have multiple vlans
per SSID - as otherwise we may have very large broadcast domains
due to the overall design being to have Maybe 3 SSIDs
Guest
Staff
Engineering
I think in SWAN we could get away with dynamic vlans.
We would like to have multiple vlans in each SSID to avoid the above.
Can we do this in the new setup?
Kind Regards
Steve
Hi Steve,
yes it works just the same.
Enable AAA override on the controller and have interfaces configured for each vlan. Then the ACS can simply push the vlan depending on the user authentication. Users are then split in separate vlans.
Another way of doing is to group APs. You can have a group of APs serving SSID Guest in vlan 1, Employee in vlan 2 and another group of APs serving the same SSIDs but in vlan 3 and 4. It's "per-user" vlan load balancing or "geographic" vlan load balancing.
However, broadcast domains should not be a major concern in wireless as broadcasts are blocked by default. The WLC will proxy for ARP and DHCP.
Regards,
Nicolas -
802.1X EAP-PEAP Authentication issue
Hi Experts,
I am experiencing an issue where the authentication process for two of my Wireless networks prompts the user to enter their credentials at least two times before letting them onto the network.
The networks in question are set up identically, here is an overview:
Layer 2 security is WPA & WPA2
WPA - TKIP
WPA2 - AES
Auth Key Management is 802.1X
Radius Servers are Microsoft Windows 2008 Network Policy Service (Used to be IAS) - All users are in Active Directory and IAS policy allows access based on AD group.
This has all worked fine previously and still works fine if you enter the username/password combo at least twice on the initial profile setup. (For info, once the wireless profile is set up, you do not get prompted for credentials again, so this issue is only during initial setup)
We have recently added another WLAN that uses web auth, pointing to a RADIUS server too. In order to get this going, we changed the "Web Radius Authentication" setting to "CHAP" from "PAP" under the Controller . General config.
This is the only change I can think of that could possibly be relevant.
Would anyone be able to shed any light on why I would be prompted to authenticate twice? Affected clients are Windows 7 and Mac OSX at the mo.
Debugs as follows:
*Oct 11 16:12:10.237: 00:23:12:08:25:28 Adding mobile on LWAPP AP 00:13:5f:fb:0f:40(0)
*Oct 11 16:12:10.237: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 23) in 5 seconds
*Oct 11 16:12:10.237: 00:23:12:08:25:28 apfProcessProbeReq (apf_80211.c:4598) Changing state for mobile 00:23:12:08:25:28 on AP 00:13:5f:fb:0f:40 from Idle to Probe
*Oct 11 16:12:10.237: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:10.238: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:10.247: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:10.247: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:10.247: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:10.388: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:11.076: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:11.076: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:11.076: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:11.077: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:11.086: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:11.086: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:11.228: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:11.229: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:11.239: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.296: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.305: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.306: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.306: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.317: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.448: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.449: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.458: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.459: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.600: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.610: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:16.715: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:16.715: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:16.715: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:16.725: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:16.725: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:16.725: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:16.868: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:16.878: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:17.031: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:19.927: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:19.934: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:19.938: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:19.938: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:20.080: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:20.080: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:20.090: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:20.233: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:20.243: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:24.941: 00:23:12:08:25:28 apfMsExpireCallback (apf_ms.c:417) Expiring Mobile!
*Oct 11 16:12:24.941: 00:23:12:08:25:28 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [00:13:5f:fb:0f:40]
*Oct 11 16:12:24.941: 00:23:12:08:25:28 Deleting mobile on AP 00:13:5f:fb:0f:40(0)
*Oct 11 16:12:25.219: 00:23:12:08:25:28 Adding mobile on LWAPP AP 00:11:5c:14:6d:d0(0)
*Oct 11 16:12:25.219: 00:23:12:08:25:28 Reassociation received from mobile on AP 00:11:5c:14:6d:d0
*Oct 11 16:12:25.219: 00:23:12:08:25:28 STA - rates (8): 139 150 24 36 48 72 96 108 0 0 0 0 0 0 0 0
*Oct 11 16:12:25.219: 00:23:12:08:25:28 STA - rates (10): 139 150 24 36 48 72 96 108 12 18 0 0 0 0 0 0
*Oct 11 16:12:25.219: 00:23:12:08:25:28 Processing RSN IE type 48, length 20 for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.219: 00:23:12:08:25:28 Received RSN IE with 0 PMKIDs from mobile 00:23:12:08:25:28
*Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 START (0) Initializing policy
*Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
*Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:11:5c:14:6d:d0 vapId 4 apVapId 4
*Oct 11 16:12:25.220: 00:23:12:08:25:28 apfPemAddUser2 (apf_policy.c:208) Changing state for mobile 00:23:12:08:25:28 on AP 00:11:5c:14:6d:d0 from Idle to Associated
*Oct 11 16:12:25.220: 00:23:12:08:25:28 Stopping deletion of Mobile Station: (callerId: 48)
*Oct 11 16:12:25.220: 00:23:12:08:25:28 Sending Assoc Response to station on BSSID 00:11:5c:14:6d:d0 (status 0)
*Oct 11 16:12:25.220: 00:23:12:08:25:28 apfProcessAssocReq (apf_80211.c:4310) Changing state for mobile 00:23:12:08:25:28 on AP 00:11:5c:14:6d:d0 from Associated to Associated
*Oct 11 16:12:25.223: 00:23:12:08:25:28 Disable re-auth, use PMK lifetime.
*Oct 11 16:12:25.223: 00:23:12:08:25:28 Station 00:23:12:08:25:28 setting dot1x reauth timeout = 7200
*Oct 11 16:12:25.223: 00:23:12:08:25:28 dot1x - moving mobile 00:23:12:08:25:28 into Connecting state
*Oct 11 16:12:25.223: 00:23:12:08:25:28 Sending EAP-Request/Identity to mobile 00:23:12:08:25:28 (EAP Id 1)
*Oct 11 16:12:25.243: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:12:25.243: 00:23:12:08:25:28 Received Identity Response (count=1) from mobile 00:23:12:08:25:28
*Oct 11 16:12:25.243: 00:23:12:08:25:28 EAP State update from Connecting to Authenticating for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.243: 00:23:12:08:25:28 dot1x - moving mobile 00:23:12:08:25:28 into Authenticating state
*Oct 11 16:12:25.243: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.250: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.250: 00:23:12:08:25:28 Entering Backend Auth Req state (id=2) for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.251: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 2)
*Oct 11 16:12:25.260: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:12:25.262: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 2, EAP Type 25)
*Oct 11 16:12:25.262: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.265: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.265: 00:23:12:08:25:28 Entering Backend Auth Req state (id=3) for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.265: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 3)
*Oct 11 16:12:25.269: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:12:25.269: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 3, EAP Type 25)
*Oct 11 16:12:25.269: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.270: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.271: 00:23:12:08:25:28 Entering Backend Auth Req state (id=4) for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.271: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 4)
*Oct 11 16:12:25.274: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:12:25.274: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 4, EAP Type 25)
*Oct 11 16:12:25.274: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.275: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.275: 00:23:12:08:25:28 Entering Backend Auth Req state (id=5) for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.275: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 5)
*Oct 11 16:12:25.285: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:12:25.286: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 5, EAP Type 25)
*Oct 11 16:12:25.286: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.292: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.292: 00:23:12:08:25:28 Entering Backend Auth Req state (id=6) for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.292: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 6)
*Oct 11 16:12:25.318: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:12:25.318: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 6, EAP Type 25)
*Oct 11 16:12:25.318: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.320: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.320: 00:23:12:08:25:28 Entering Backend Auth Req state (id=7) for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.320: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 7)
*Oct 11 16:12:25.321: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:12:25.323: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 7, EAP Type 25)
*Oct 11 16:12:25.323: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.326: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.326: 00:23:12:08:25:28 Entering Backend Auth Req state (id=8) for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.326: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 8)
At this point, the username and password dialog pops up again.
If credentials are not entered, the following timeout message pops up....
*Oct 11 16:12:53.973: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
If the credentials are re-entered then it continues:
*Oct 11 16:12:53.975: 00:23:12:08:25:28 Retransmit 1 of EAP-Request (length 79) for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 8, EAP Type 25)
*Oct 11 16:13:01.094: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.098: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.098: 00:23:12:08:25:28 Entering Backend Auth Req state (id=9) for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.098: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 9)
*Oct 11 16:13:01.102: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:13:01.102: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 9, EAP Type 25)
*Oct 11 16:13:01.102: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.106: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.106: 00:23:12:08:25:28 Entering Backend Auth Req state (id=10) for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.106: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 10)
*Oct 11 16:13:01.108: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:13:01.108: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 10, EAP Type 25)
*Oct 11 16:13:01.108: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.113: 00:23:12:08:25:28 Processing Access-Accept for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.113: 00:23:12:08:25:28 Setting re-auth timeout to 7200 seconds, got from WLAN config.
*Oct 11 16:13:01.113: 00:23:12:08:25:28 Station 00:23:12:08:25:28 setting dot1x reauth timeout = 7200
*Oct 11 16:13:01.113: 00:23:12:08:25:28 Creating a PKC PMKID Cache entry for station 00:23:12:08:25:28 (RSN 2)
*Oct 11 16:13:01.113: 00:23:12:08:25:28 Adding BSSID 00:11:5c:14:6d:d3 to PMKID cache for station 00:23:12:08:25:28
*Oct 11 16:13:01.113: New PMKID: (16)
*Oct 11 16:13:01.113: [0000] 15 9e 3d 61 e3 94 bb 82 2b 6f 7e 05 74 49 81 52
*Oct 11 16:13:01.113: 00:23:12:08:25:28 Disabling re-auth since PMK lifetime can take care of same.
*Oct 11 16:13:01.116: 00:23:12:08:25:28 PMK sent to mobility group
*Oct 11 16:13:01.116: 00:23:12:08:25:28 Sending EAP-Success to mobile 00:23:12:08:25:28 (EAP Id 10)
*Oct 11 16:13:01.116: Including PMKID in M1 (16)
*Oct 11 16:13:01.116: [0000] 15 9e 3d 61 e3 94 bb 82 2b 6f 7e 05 74 49 81 52
*Oct 11 16:13:01.116: 00:23:12:08:25:28 Starting key exchange to mobile 00:23:12:08:25:28, data packets will be dropped
*Oct 11 16:13:01.116: 00:23:12:08:25:28 Sending EAPOL-Key Message to mobile 00:23:12:08:25:28
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Oct 11 16:13:01.116: 00:23:12:08:25:28 Entering Backend Auth Success state (id=10) for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.116: 00:23:12:08:25:28 Received Auth Success while in Authenticating state for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.116: 00:23:12:08:25:28 dot1x - moving mobile 00:23:12:08:25:28 into Authenticated state
*Oct 11 16:13:01.996: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
*Oct 11 16:13:01.997: 00:23:12:08:25:28 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.999: 00:23:12:08:25:28 Received EAPOL-Key from mobile 00:23:12:08:25:28
*Oct 11 16:13:01.999: 00:23:12:08:25:28 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:23:12:08:25:28
*Oct 11 16:13:01.999: 00:23:12:08:25:28 Received EAPOL-key in PTK_START state (message 2) from mobile 00:23:12:08:25:28
*Oct 11 16:13:01.999: 00:23:12:08:25:28 Stopping retransmission timer for mobile 00:23:12:08:25:28
*Oct 11 16:13:02.000: 00:23:12:08:25:28 Sending EAPOL-Key Message to mobile 00:23:12:08:25:28
state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.02
*Oct 11 16:13:02.002: 00:23:12:08:25:28 Received EAPOL-Key from mobile 00:23:12:08:25:28
*Oct 11 16:13:02.002: 00:23:12:08:25:28 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:23:12:08:25:28
*Oct 11 16:13:02.002: 00:23:12:08:25:28 Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 00:23:12:08:25:28
*Oct 11 16:13:02.002: 00:23:12:08:25:28 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*Oct 11 16:13:02.004: 00:23:12:08:25:28 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:11:5c:14:6d:d0 vapId 4 apVapId 4
*Oct 11 16:13:02.004: 00:23:12:08:25:28 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*Oct 11 16:13:02.006: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4391, Adding TMP rule
*Oct 11 16:13:02.007: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
type = Airespace AP - Learn IP address
on AP 00:11:5c:14:6d:d0, slot 0, interface = 29, QOS = 0
ACL Id = 255, Jumbo F
*Oct 11 16:13:02.007: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
*Oct 11 16:13:02.007: 00:23:12:08:25:28 Stopping retransmission timer for mobile 00:23:12:08:25:28
*Oct 11 16:13:02.010: 00:23:12:08:25:28 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*Oct 11 16:13:02.010: 00:23:12:08:25:28 Sent an XID frame
*Oct 11 16:13:02.283: 00:23:12:08:25:28 DHCP received op BOOTREQUEST (1) (len 308, port 29, encap 0xec03)
*Oct 11 16:13:02.283: 00:23:12:08:25:28 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmQueryRequested'
*Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4072, Adding TMP rule
*Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
type = Airespace AP - Learn IP address
on AP 00:11:5c:14:6d:d0, slot 0, interface = 29, QOS = 0
ACL Id = 255, Jumb
*Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
*Oct 11 16:13:03.909: 00:23:12:08:25:28 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*Oct 11 16:13:03.909: 00:23:12:08:25:28 Sent an XID frame
*Oct 11 16:13:04.879: 00:23:12:08:25:28 DHCP received op BOOTREQUEST (1) (len 308, port 29, encap 0xec03)
*Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP selecting relay 1 - control block settings:
dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
dhcpGateway: 0.0.0.0, dhcpRelay: 0.0.0.0 VLAN: 0
*Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP selected relay 1 - 172.19.0.50 (local address 172.23.24.2, gateway 172.23.24.1, VLAN 110, port 29)
*Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP transmitting DHCP REQUEST (3)
*Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
*Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP xid: 0x53839a5f (1401133663), secs: 4, flags: 0
*Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP chaddr: 00:23:12:08:25:28
*Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP siaddr: 0.0.0.0, giaddr: 172.23.24.2
*Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP requested ip: 172.23.26.53
*Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP sending REQUEST to 172.23.24.1 (len 350, port 29, vlan 110)
*Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP selecting relay 2 - control block settings:
dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
dhcpGateway: 0.0.0.0, dhcpRelay: 172.23.24.2 VLAN: 110
*Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP selected relay 2 - 172.19.0.51 (local address 172.23.24.2, gateway 172.23.24.1, VLAN 110, port 29)
*Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP transmitting DHCP REQUEST (3)
*Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 2
*Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP xid: 0x53839a5f (1401133663), secs: 4, flags: 0
*Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP chaddr: 00:23:12:08:25:28
*Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP siaddr: 0.0.0.0, giaddr: 172.23.24.2
*Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP requested ip: 172.23.26.53
*Oct 11 16:13:04.885: 00:23:12:08:25:28 DHCP sending REQUEST to 172.23.24.1 (len 350, port 29, vlan 110)
*Oct 11 16:13:04.890: 00:23:12:08:25:28 DHCP received op BOOTREPLY (2) (len 327, port 29, encap 0xec00)
*Oct 11 16:13:04.890: 00:23:12:08:25:28 DHCP setting server from ACK (server 172.19.0.50, yiaddr 172.23.26.53)
*Oct 11 16:13:04.890: 00:23:12:08:25:28 172.23.26.53 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
*Oct 11 16:13:04.890: 00:23:12:08:25:28 172.23.26.53 RUN (20) Reached PLUMBFASTPATH: from line 4856
*Oct 11 16:13:04.891: 00:23:12:08:25:28 172.23.26.53 RUN (20) Replacing Fast Path rule
type = Airespace AP Client
on AP 00:11:5c:14:6d:d0, slot 0, interface = 29, QOS = 0
ACL Id = 255, Jumbo Frames = N
*Oct 11 16:13:04.891: 00:23:12:08:25:28 172.23.26.53 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
*Oct 11 16:13:04.891: 00:23:12:08:25:28 Assigning Address 172.23.26.53 to mobile
*Oct 11 16:13:04.891: 00:23:12:08:25:28 DHCP sending REPLY to STA (len 430, port 29, vlan 0)
*Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP transmitting DHCP ACK (5)
*Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP xid: 0x53839a5f (1401133663), secs: 0, flags: 0
*Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP chaddr: 00:23:12:08:25:28
*Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP ciaddr: 0.0.0.0, yiaddr: 172.23.26.53
*Oct 11 16:13:04.894: 00:23:12:08:25:28 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*Oct 11 16:13:04.894: 00:23:12:08:25:28 DHCP server id: 1.1.1.1 rcvd server id: 172.19.0.50
*Oct 11 16:13:04.898: 00:23:12:08:25:28 172.23.26.53 Added NPU entry of type 1, dtlFlags 0x0
*Oct 11 16:13:04.900: 00:23:12:08:25:28 Sending a gratuitous ARP for 172.23.26.53, VLAN Id 110
*Oct 11 16:13:04.907: 00:23:12:08:25:28 DHCP received op BOOTREPLY (2) (len 327, port 29, encap 0xec00)
*Oct 11 16:13:04.907: 00:23:12:08:25:28 DHCP dropping ACK from 172.19.0.51 (yiaddr: 172.23.26.53)
At this point, the client is connected and everything is working.
Hi,
It looks like some issue on the client side...
The logs presented here are not related to the Web Auth WLAN and it has no impact on the behavior you are seeing.
Looking at the logs:
*Oct 11 16:12:25.326: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 8)
At this point, the username and password dialog pops up again.
If credentials are not entered, the following timeout message pops up....
*Oct 11 16:12:53.973: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
If the credentials are re-entered then it continues:
*Oct 11 16:12:53.975: 00:23:12:08:25:28 Retransmit 1 of EAP-Request (length 79) for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
===================
These logs show exactly what you describe...
The AAA sends an EAP request asking for the credentials.
The login pops up and the EAP timeout starts decrementing.
If the user does not enter credentials, it will expire and another EAP Request is sent.
If you let the EAP timeout it is expected that you enter credentials twice, if by the time you press enter, the timeout has already expired.
As you say, if you have a profile configured, this should not happen and the authentication should be smooth.
HTH,
Tiago -
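The reading of the debug given in this reply can be checked mechanically. The following Python is an added example (not from the thread and not a Cisco tool) that pairs each "Sending EAP Request from AAA" line with its response and flags exchanges where the 802.1x timer expired while the client was still waiting on the user. The sample is an excerpt of the debug posted above; function and field names are hypothetical.

```python
import re
from datetime import datetime

# Excerpt of the WLC client debug posted in the thread (EAP Ids 7 to 9).
SAMPLE = """\
*Oct 11 16:12:25.320: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 7)
*Oct 11 16:12:25.323: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 7, EAP Type 25)
*Oct 11 16:12:25.326: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 8)
*Oct 11 16:12:53.973: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
*Oct 11 16:12:53.975: 00:23:12:08:25:28 Retransmit 1 of EAP-Request (length 79) for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 8, EAP Type 25)
*Oct 11 16:13:01.098: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 9)
*Oct 11 16:13:01.102: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 9, EAP Type 25)
"""

# "*<Mon> <day> <hh:mm:ss.mmm>: <client MAC> <message>"
LINE = re.compile(
    r"^\*(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$"
)
REQ = re.compile(r"Sending EAP Request from AAA to mobile \S+ \(EAP Id (\d+)\)")
RESP = re.compile(
    r"Received EAP Response from mobile \S+ \(EAP Id (\d+), EAP Type (\d+)\)"
)
TIMEOUT = "'timeoutEvt' Timer expired"
# Only EAP-Request retransmits; EAPOL-Key retransmits belong to the 4-way handshake.
RETX = re.compile(r"Retransmit \d+ of EAP-Request ")


def parse_exchanges(text):
    """Return one dict per completed EAP request/response pair, per client."""
    pending = {}  # client MAC -> exchange still waiting for its response
    done = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines and lines without a client MAC
        # The debug carries no year; only time differences are used.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f")
        mac, msg = m.group("mac"), m.group("msg")
        req = REQ.search(msg)
        if req:
            pending[mac] = {"client": mac, "eap_id": int(req.group(1)),
                            "sent": ts, "timeouts": 0, "retransmits": 0,
                            "first_timeout_s": None}
            continue
        cur = pending.get(mac)
        if cur is None:
            continue  # timer events outside a pending EAP request are ignored
        elapsed = round((ts - cur["sent"]).total_seconds(), 3)
        if TIMEOUT in msg:
            cur["timeouts"] += 1
            if cur["first_timeout_s"] is None:
                cur["first_timeout_s"] = elapsed
        elif RETX.search(msg):
            cur["retransmits"] += 1
        else:
            resp = RESP.search(msg)
            if resp and int(resp.group(1)) == cur["eap_id"]:
                cur["eap_type"] = int(resp.group(2))
                cur["wait_s"] = elapsed
                del cur["sent"]
                done.append(pending.pop(mac))
    return done


def stalled(exchanges):
    """Exchanges where the controller's timer fired before the client answered."""
    return [e for e in exchanges if e["timeouts"] > 0]


if __name__ == "__main__":
    for e in stalled(parse_exchanges(SAMPLE)):
        print(e)
```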
EAP SIM Authentication Failure
Hi all,
Is there a way to debug EAP SIM authentication on iPhone / iPad? I see Challenge: AT_MAC_NOT_VALID failures in syslog every time I try to connect to an EAPSIM server (freeradius). Please refer to the following pcap
http://www.cloudshark.org/captures/b9610f2b4a25
I am using following values for simtriplets on freeradius server:
1320727710000010,9fddc72092c6ad036b6e464789315b78,d113e49b,7fc85b9918d92ea8
1320727710000010,81e92b6c0ee0e12ebceba8d92a99dfa5,cca822be,231f55c24633a406
1320727710000010,b120f1c1a0102a2f507dd543de68281f,0ff5b99f,4421fce1f3427e22
The iPad is loaded with a test SIM which is programmed with following values of Ki and Op and above SRES and Kc were generated using following values:
key=0C0A34601D4F07677303652C0462535B
op=63bfa50ee6523365ff14c1f45f88737d
I have verified GSM milenage algorithm with test keys in 3GPP TS 55.205 v9.0.0 and the algorithm seems to work fine. All results match with the test inputs/results provided in 3GPP TS 55.205 v9.0.0. So I doubt there is some issue with SRES/Kc for above Ki/Op values.
Hi,
We spent many hours trying to solve this problem.
Our setup:
Cisco wireless setup, using windows NPS for 802.1x authentication.
Certificate base auth, with an internal PKI sending out client machine certs, and also the server cert.
Auth was failing with "reason code 22, The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."
It turned out to be a GPO setting on the server, that was enforcing key protection.
There is this note on the below technet article:
Requiring the use of strong private key protection and user prompting on all new and imported keys will disable some applications, such as Encrypting File System (EFS) and wireless (802.1X) authentication that cannot display UI. For more information, see article 320828 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=115037).
http://technet.microsoft.com/en-us/library/cc725621(v=WS.10).aspx
Hopefully this helps someone out, if you have the same annoying error. -
EAP-TLS authentication failure
We've been struggling with this problem for weeks without a solution yet. Maybe someone can help us.
Note: some information below has been redacted and the IP addresses are not the original ones. They have been changed to fictional IP addresses but they have been adjusted to reflect an equivalent situation.
This situation is as follows:
WLAN infrastructure with:
1 x
AIR-WLC2112-K9 (IP address = 10.10.10.10)
8 x AIR-LAP1142N-E-K9
Data for the WLC:
Product Version.................................. 6.0.199.4
RTOS Version..................................... 6.0.199.4
Bootloader Version.............................. 4.0.191.0
Emergency Image Version................... 6.0.199.4
The WLC is connected to a switch, Cisco Catalyst model WS-C3750X-24, sw version 12.2(53)SE2.
The idea is to have the clients/supplicants (Windows XP), who have a valid certificate, authenticate against a RADIUS server. The authentication is configured as 802.1x over EAP-TLS.
The RADIUS server is a Windows 2003 Server with IAS (IP address = 15.15.15.15). This server is accessed via a WAN link. We don't manage this server.
The problem: no wireless client (Windows XP) is able to go past the initial authentication.
I should add that the WLC and the APs were working perfectly and clients were connecting correctly to them. However this setup was moved to a new building and, since then, nothing has worked. I must add that the configuration on the WLC and APs has not changed, since the network configuration (IP subnets, etc) was migrated from the previous building to this new one. But something has changed: the WAN router (connected to the Internet and with a VPN established to the corporate network) and the LAN equipment (switches), which are all brand new.
On the RADIUS side we find these error messages:
Fully-Qualified-User-Name = XXXXXXXXXXXX/XXXX/XXXXX/XXXX/XXXXX (it shows the correct information)
NAS-IP-Address = 10.10.10.10
NAS-Identifier = XX-002_WLAN
Called-Station-Identifier = f0-25-72-70-65-xx:WLAN-XX
Calling-Station-Identifier = 00-1c-bf-7b-08-xx
Client-Friendly-Name = xxxxxxx_10.10.10.10
Client-IP-Address = 10.10.10.10
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 2
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless LAN Access
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 22
Reason = The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
On the WLC side, the error messages are:
TRAP log:
RADIUS server 15.15.15.15:1812 failed to respond to request (ID 42) for client 00:27:10:a3:1b:xx / user 'unknown'
SYSLOG:
Jan 06 10:16:35 10.10.10.10 XX-002_WLAN: *Jan 06 10:16:32.709: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
Jan 06 10:17:05 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:02.960: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:02:76:xx
Jan 06 10:17:05 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:02.961: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
Jan 06 10:17:36 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:34.110: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:02:76:xx
Jan 06 10:17:36 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:34.110: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
WLC Debug:
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Station 58:94:6b:15:f5:d0 setting dot1x reauth timeout = 1800
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Connecting state
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Sending EAP-Request/Identity to mobile 58:94:6b:15:f5:d0 (EAP Id 1)
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Received EAPOL START from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.709: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Connecting state
*Jan 07 19:31:42.709: 58:94:6b:15:f5:d0 Sending EAP-Request/Identity to mobile 58:94:6b:15:f5:d0 (EAP Id 2)
*Jan 07 19:31:42.710: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.710: 58:94:6b:15:f5:d0 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Received Identity Response (count=2) from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 EAP State update from Connecting to Authenticating for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Authenticating state
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Entering Backend Auth Response state for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: AuthenticationRequest: 0xd1bc104
*Jan 07 19:31:42.711: Callback.....................................0x87e1870
*Jan 07 19:31:42.712: protocolType.................................0x00140001
*Jan 07 19:31:42.712: proxyState...................................58:94:6B:15:F5:D0-9B:00
*Jan 07 19:31:42.712: Packet contains 12 AVPs (not shown)
*Jan 07 19:31:42.712: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*Jan 07 19:31:42.712: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 231) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Access-Challenge received from RADIUS server 15.15.15.15 for mobile 58:94:6b:15:f5:d0 receiveId = 155
*Jan 07 19:31:42.788: AuthorizationResponse: 0xa345700
*Jan 07 19:31:42.788: structureSize................................145
*Jan 07 19:31:42.788: resultCode...................................255
*Jan 07 19:31:42.788: protocolUsed.................................0x00000001
*Jan 07 19:31:42.788: proxyState...................................58:94:6B:15:F5:D0-9B:00
*Jan 07 19:31:42.788: Packet contains 4 AVPs (not shown)
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Processing Access-Challenge for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Entering Backend Auth Req state (id=3) for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Sending EAP Request from AAA to mobile 58:94:6b:15:f5:d0 (EAP Id 3)
*Jan 07 19:31:42.805: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.805: 58:94:6b:15:f5:d0 Received EAP Response from mobile 58:94:6b:15:f5:d0 (EAP Id 3, EAP Type 13)
*Jan 07 19:31:42.806: 58:94:6b:15:f5:d0 Entering Backend Auth Response state for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.806: AuthenticationRequest: 0xd1bc104
*Jan 07 19:31:42.806: Callback.....................................0x87e1870
*Jan 07 19:31:42.806: protocolType.................................0x00140001
*Jan 07 19:31:42.807: proxyState...................................58:94:6B:15:F5:D0-9B:01
*Jan 07 19:31:42.807: Packet contains 13 AVPs (not shown)
*Jan 07 19:31:42.807: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*Jan 07 19:31:42.807: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:31:52.531: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 228) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00 ..
*Jan 07 19:31:52.808: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:32:02.531: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 228) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:32:02.808: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:32:12.532: 58:94:6b:15:f5:d0 Max retransmission of Access-Request (id 228) to 15.15.15.15 reached for mobile 58:94:6b:15:f5:d0
*Jan 07 19:32:12.532: 58:94:6b:15:f5:d0 [Error] Client requested no retries for mobile 58:94:6B:15:F5:D0
*Jan 07 19:32:12.533: 58:94:6b:15:f5:d0 Returning AAA Error 'Timeout' (-5) for mobile 58:94:6b:15:f5:d0
*Jan 07 19:32:12.533: AuthorizationResponse: 0xb99ff864
Finally, we've also done some packet sniffing, using Wireshark and Commview. These appear to suggest that something is wrong with one of the packets and this leads the authentication process to fail and restart again and again:
******************** WIRESHARK CAPTURE ********************
No. Time Source Destination Protocol Info
1 0.000000 10.10.10.10 15.15.15.15 RADIUS Access-Request(1) (id=125, l=280)
Frame 1: 322 bytes on wire (2576 bits), 322 bytes captured (2576 bits)
Ethernet II, Src: Cisco_62:63:00 (f8:66:f2:62:63:00), Dst: Cisco_55:20:41 (1c:df:0f:55:20:41)
Internet Protocol, Src: 10.10.10.10 (10.10.10.10), Dst: 15.15.15.15 (15.15.15.15)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 308
Identification: 0x501f (20511)
Flags: 0x02 (Don't Fragment)
Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0x4aee [correct]
Source: 10.10.10.10 (10.10.10.10)
Destination: 15.15.15.15 (15.15.15.15)
User Datagram Protocol, Src Port: filenet-rpc (32769), Dst Port: radius (1812)
Source port: filenet-rpc (32769)
Destination port: radius (1812)
Length: 288
Checksum: 0xe8e0 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Radius Protocol
Code: Access-Request (1)
Packet identifier: 0x7d (125)
Length: 280
Authenticator: 79b2f31c7e67d6fdaa7e15f362ecb025
Attribute Value Pairs
AVP: l=27 t=User-Name(1): XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (username is correct!!!)
AVP: l=19 t=Calling-Station-Id(31): 00-21-6a-29-80-xx
AVP: l=27 t=Called-Station-Id(30): f0-25-72-70-65-c0:WLAN-XX
AVP: l=6 t=NAS-Port(5): 2
AVP: l=6 t=NAS-IP-Address(4): 10.10.10.10
AVP: l=13 t=NAS-Identifier(32): XX-002_WLAN
AVP: l=12 t=Vendor-Specific(26) v=Airespace(14179)
AVP: l=6 t=Service-Type(6): Framed(2)
AVP: l=6 t=Framed-MTU(12): 1300
AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19)
AVP: l=89 t=EAP-Message(79) Last Segment[1]
EAP fragment
Extensible Authentication Protocol
Code: Response (2)
Id: 3
Length: 87
Type: EAP-TLS [RFC5216] [Aboba] (13)
Flags(0x80): Length
Length: 77
Secure Socket Layer
AVP: l=25 t=State(24): 1d68036a000001370001828b38990000000318a3088c00
AVP: l=18 t=Message-Authenticator(80): 9fe1bfac02df3293ae2f8efc95de2d5d
No. Time Source Destination Protocol Info
2 0.060373 15.15.15.15 10.10.10.10 IP Fragmented IP protocol (proto=UDP 0x11, off=0, ID=2935) [Reassembled in #3]
Frame 2: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
Ethernet II, Src: Cisco_55:20:41 (1c:df:0f:55:20:41), Dst: Cisco_62:63:00 (f8:66:f2:62:63:00)
Internet Protocol, Src: 15.15.15.15 (15.15.15.15), Dst: 10.10.10.10 (10.10.10.10)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 44
Identification: 0x2935 (10549)
Flags: 0x01 (More Fragments)
Fragment offset: 0
Time to live: 122
Protocol: UDP (17)
Header checksum: 0x58e0 [correct]
Source: 15.15.15.15 (15.15.15.15)
Destination: 10.10.10.10 (10.10.10.10)
Reassembled IP in frame: 3
Data (24 bytes)
0000 07 14 80 01 05 69 e8 f5 0b 7d 05 61 6c 83 00 ae .....i...}.al...
0010 d0 75 05 c3 56 29 a7 b1 .u..V)..
No. Time Source Destination Protocol Info
3 0.060671 15.15.15.15 10.10.10.10 RADIUS Access-challenge(11) (id=125, l=1377)
Frame 3: 1395 bytes on wire (11160 bits), 1395 bytes captured (11160 bits)
Ethernet II, Src: Cisco_55:20:41 (1c:df:0f:55:20:41), Dst: Cisco_62:63:00 (f8:66:f2:62:63:00)
Internet Protocol, Src: 15.15.15.15 (15.15.15.15), Dst: 10.10.10.10 (10.10.10.10)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 1381
Identification: 0x2935 (10549)
Flags: 0x00
Fragment offset: 24
Time to live: 122
Protocol: UDP (17)
Header checksum: 0x73a4 [correct]
Source: 15.15.15.15 (15.15.15.15)
Destination: 10.10.10.10 (10.10.10.10)
[IP Fragments (1385 bytes): #2(24), #3(1361)]
User Datagram Protocol, Src Port: radius (1812), Dst Port: filenet-rpc (32769)
Source port: radius (1812)
Destination port: filenet-rpc (32769)
Length: 1385
Checksum: 0xe8f5 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Radius Protocol
Code: Access-challenge (11)
Packet identifier: 0x7d (125)
Length: 1377
Authenticator: 6c8300aed07505c35629a7b14de483be
Attribute Value Pairs
AVP: l=6 t=Session-Timeout(27): 30
Session-Timeout: 30
AVP: l=255 t=EAP-Message(79) Segment[1]
EAP fragment
AVP: l=255 t=EAP-Message(79) Segment[2]
EAP fragment
AVP: l=255 t=EAP-Message(79) Segment[3]
EAP fragment
AVP: l=255 t=EAP-Message(79) Segment[4]
EAP fragment
AVP: l=255 t=EAP-Message(79) Segment[5]
EAP fragment
AVP: l=33 t=EAP-Message(79) Last Segment[6]
EAP fragment
Extensible Authentication Protocol
Code: Request (1)
Id: 4
Length: 1296
Type: EAP-TLS [RFC5216] [Aboba] (13)
Flags(0xC0): Length More
Length: 8184
Secure Socket Layer
[Malformed Packet: SSL]
[Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
[Message: Malformed Packet (Exception occurred)]
[Severity level: Error]
[Group: Malformed]
******************** COMMVIEW CAPTURE ******************
Packet #6, Direction: Pass-through, Time:11:27:35,251292, Size: 323
Ethernet II
Destination MAC: 1C:DF:0F:55:20:xx
Source MAC: F8:66:F2:62:63:xx
Ethertype: 0x0800 (2048) - IP
IP
IP version: 0x04 (4)
Header length: 0x05 (5) - 20 bytes
Differentiated Services Field: 0x00 (0)
Differentiated Services Code Point: 000000 - Default
ECN-ECT: 0
ECN-CE: 0
Total length: 0x0135 (309)
ID: 0x2B26 (11046)
Flags
Don't fragment bit: 1 - Don't fragment
More fragments bit: 0 - Last fragment
Fragment offset: 0x0000 (0)
Time to live: 0x40 (64)
Protocol: 0x11 (17) - UDP
Checksum: 0x6FE6 (28646) - correct
Source IP: 161.86.66.49
Destination IP: 15.15.15.15
IP Options: None
UDP
Source port: 32769
Destination port: 1812
Length: 0x0121 (289)
Checksum: 0x5824 (22564) - correct
Radius
Code: 0x01 (1) - Access-Request
Identifier: 0x8D (141)
Packet Length: 0x0119 (281)
Authenticator: 60 4E A6 58 A8 88 A2 33 4E 56 D0 E9 3B E0 62 18
Attributes
Attribute
Type: 0x01 (1) - User-Name
Length: 0x1A (26)
Username: XXXXXXXXXXXXXXXXXXXXXXX (username is correct!!!)
Attribute
Type: 0x1F (31) - Calling-Station-Id
Length: 0x11 (17)
Calling id: 58-94-6b-15-5f-xx
Attribute
Type: 0x1E (30) - Called-Station-Id
Length: 0x19 (25)
Called id: f0-25-72-70-65-c0:WLAN-XX
Attribute
Type: 0x05 (5) - NAS-Port
Length: 0x04 (4)
Port: 0x00000002 (2)
Attribute
Type: 0x04 (4) - NAS-IP-Address
Length: 0x04 (4)
Address: 10.10.10.10
Attribute
Type: 0x20 (32) - NAS-Identifier
Length: 0x0B (11)
NAS identifier: XX-002_WLAN
Attribute
Type: 0x1A (26) - Vendor-Specific
Length: 0x0A (10)
Vendor id: 0x00003763 (14179)
Vendor specific:
Attribute
Type: 0x06 (6) - Service-Type
Length: 0x04 (4)
Service type: 0x00000002 (2) - Framed
Attribute
Type: 0x0C (12) - Framed-MTU
Length: 0x04 (4)
Framed MTU: 0x00000514 (1300)
Attribute
Type: 0x3D (61) - NAS-Port-Type
Length: 0x04 (4)
NAS port type: 0x00000013 (19) - Wireless - IEEE 802.11
Attribute
Type: 0x4F (79) - EAP-Message
Length: 0x57 (87)
EAP-Message
Attribute
Type: 0x18 (24) - State
Length: 0x17 (23)
State: 1F 38 04 12 00 00 01 37 00 01 82 8B 38 99 00 00 00 03 18 A6 82 B7 00
Attribute
Type: 0x50 (80) - Message-Authenticator
Length: 0x10 (16)
Message-Authenticator: 4F 13 92 9C 10 29 C5 3A B9 AE 92 CA 74 11 6C B5
Packet #28, Direction: Pass-through, Time:11:27:36,523743, Size: 62
Ethernet II
Destination MAC: F8:66:F2:62:63:xx
Source MAC: 1C:DF:0F:55:20:xx
Ethertype: 0x0800 (2048) - IP
IP
IP version: 0x04 (4)
Header length: 0x05 (5) - 20 bytes
Differentiated Services Field: 0x00 (0)
Differentiated Services Code Point: 000000 - Default
ECN-ECT: 0
ECN-CE: 0
Total length: 0x002C (44)
ID: 0x4896 (18582)
Flags
Don't fragment bit: 0 - May fragment
More fragments bit: 1 - More fragments
Fragment offset: 0x0000 (0)
Time to live: 0x7A (122)
Protocol: 0x11 (17) - UDP
Checksum: 0x397F (14719) - correct
Source IP: 15.15.15.15
Destination IP: 10.10.10.10
IP Options: None
UDP
Source port: 1812
Destination port: 32769
Length: 0x0569 (1385)
Checksum: 0x2FE4 (12260) - incorrect
Hi,
We spent many hours trying to solve this problem.
Our setup:
Cisco wireless setup, using Windows NPS for 802.1x authentication.
Certificate-based auth, with an internal PKI sending out client machine certs, and also the server cert.
Auth was failing with "reason code 22, The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."
It turned out to be a GPO setting on the server, that was enforcing key protection.
There is this note on the below technet article:
Requiring the use of strong private key protection and user prompting on all new and imported keys will disable some applications, such as Encrypting File System (EFS) and wireless (802.1X) authentication that cannot display UI. For more information, see article 320828 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=115037).
http://technet.microsoft.com/en-us/library/cc725621(v=WS.10).aspx
Hopefully this helps someone out, if you have the same annoying error. -
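The Access-Challenge in frame 3 of the Wireshark capture above can be checked with a short decoder that reassembles the EAP-Message AVPs, reads the EAP-TLS flags and works out how many IP fragments the reply needs at a given MTU. This is an added example, not part of the original thread: the function names are hypothetical, the packet is constructed to match the sizes in the capture with filler payload bytes, and the State and Message-Authenticator AVPs are assumed (they are not listed in the pasted dissection) so that the total reaches the 1377 bytes shown.

```python
import struct

EAP_MESSAGE = 79          # RADIUS attribute carrying EAP (RFC 3579)
EAP_TYPE_TLS = 13
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def parse_radius(packet: bytes) -> dict:
    """Parse a RADIUS packet (RFC 2865) into header fields and (type, value) AVPs."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field does not match the datagram")
    avps, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated AVP header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad AVP length {a_len} at offset {pos}")
        avps.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "id": ident, "length": length, "avps": avps}


def reassemble_eap(avps) -> bytes:
    """Concatenate the EAP-Message AVPs in the order they appear."""
    return b"".join(value for a_type, value in avps if a_type == EAP_MESSAGE)


def decode_eap(eap: bytes) -> dict:
    """Decode the EAP header and, for EAP-TLS, the flags byte (RFC 5216)."""
    if len(eap) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident,
            "length": length, "complete": length == len(eap)}
    if code in (1, 2) and len(eap) >= 5:
        info["type"] = eap[4]
        if eap[4] == EAP_TYPE_TLS and len(eap) >= 6:
            flags = eap[5]
            info["length_included"] = bool(flags & 0x80)  # L bit
            info["more_fragments"] = bool(flags & 0x40)   # M bit
            info["tls_start"] = bool(flags & 0x20)        # S bit
            if flags & 0x80 and len(eap) >= 10:
                info["tls_message_length"] = struct.unpack("!I", eap[6:10])[0]
    return info


def ip_fragments_needed(radius_len: int, mtu: int) -> int:
    """IPv4 fragments needed for the UDP datagram (20-byte IP header, no options)."""
    if mtu < 28:
        raise ValueError("MTU too small for IPv4")
    udp_len = radius_len + 8
    if 20 + udp_len <= mtu:
        return 1
    per_fragment = (mtu - 20) // 8 * 8   # non-final fragments carry multiples of 8
    return -(-udp_len // per_fragment)   # ceiling division


def build_sample_challenge() -> bytes:
    """Constructed packet shaped like frame 3 of the capture; payload is filler."""
    eap = struct.pack("!BBHBBI", 1, 4, 1296, EAP_TYPE_TLS, 0xC0, 8184)
    eap += b"\x16" * (1296 - len(eap))
    avps = struct.pack("!BBI", 27, 6, 30)              # Session-Timeout = 30
    for i in range(0, len(eap), 253):                  # 253 value bytes per AVP
        chunk = eap[i:i + 253]
        avps += bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk
    avps += bytes([24, 25]) + bytes(23)                # State (assumed, zeroed)
    avps += bytes([80, 18]) + bytes(16)                # Message-Authenticator (assumed)
    header = struct.pack("!BBH", 11, 125, 20 + len(avps)) + bytes(16)
    return header + avps


def analyse(packet: bytes, mtu: int = 1500) -> dict:
    """Summarise one RADIUS packet: EAP content and IP fragmentation at this MTU."""
    radius = parse_radius(packet)
    eap_avps = [a for a in radius["avps"] if a[0] == EAP_MESSAGE]
    return {"radius_length": radius["length"],
            "eap_avps": len(eap_avps),
            "eap": decode_eap(reassemble_eap(radius["avps"])),
            "ip_fragments": ip_fragments_needed(radius["length"], mtu)}


if __name__ == "__main__":
    sample = build_sample_challenge()
    for mtu in (1500, 1381):
        print(mtu, analyse(sample, mtu))
```

The 1296-byte EAP packet stays under the Framed-MTU of 1300 sent in the Access-Request, but the RADIUS datagram around it is 1405 bytes on the wire with IP and UDP headers, so any hop with a smaller MTU splits it as seen in frames 2 and 3.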
802.1x EAP type not configured
Hi, a simple 802.1x test with XP client sp2, 3560 with IOS 12.2(35)SE5 and ACS 4.1(1) build 23.
EAP MD5 selected on the client and enabled on the ACS but I receive in ACS an authentication failure message, with Authen-Failure-Code "EAP type not configured".
Any idea?
Thank you in advance
Greetings
You have to install a self-generated certificate on the ACS, and enabled PEAP with "Allow EAP-MSCHAPv2". Then changed the setting on our PC, and managed to make it work.
Could you do the following,
1.) Enable full detail logging on the ACS: System Configuration -> Service Control -> Logging detail level = "FULL". Then restart the ACS services.
2.) Enable "debug radius" together with the debugs that you already have on the switch
3.) If there is a sniffer (Norton SnifferPro, or the freeware Wireshark or Ethereal) on the client laptop, please start it and enable sniffing on the client interface.
4.) Make another authentication attempt.
5.) Generate a "package.cab" on the ACS, by running Bin\CSSupport.exe underneath the ACS installation directory
6.) Please send me the following information,
a) The package.cab file,
b) the debug output from the switch,
c) the sniffer trace (if available). -
Which EAP Type to choose for 802.1x Wireless Policy?
Hi everyone,
I have a question about the recommendation for EAP Type in a wireless policy:
Which configuration is more secure/recommended?
a)
Authentication Type: PEAP
EAP Type: EAP-MSCHAP v2
b)
Authentication Type: EAP
EAP Type: Certificate
We have a working configuration with a) and could change to b).
Thanks,
Andy
Hi,
Option a, which uses PEAP together with EAP (EAP-MSCHAP v2), is more secure/recommended.
PEAP is a new member of the family of EAP protocols. To enhance both the EAP protocols and network security, PEAP provides:
1. Protection for the EAP method negotiation that occurs between client and server through a TLS channel. This helps prevent an attacker from injecting packets between the client and the network access server (NAS) to cause the negotiation of a less secure EAP method. The encrypted TLS channel also helps prevent denial of service attacks against the IAS server.
2. Support for the fragmentation and reassembly of messages, allowing the use of EAP types that do not provide this.
3. Wireless clients with the ability to authenticate the IAS or RADIUS server. Because the server also authenticates the client, mutual authentication occurs.
4. Protection against the deployment of an unauthorized wireless access point (WAP) when the EAP client authenticates the certificate provided by the IAS server. In addition, the TLS master secret created by the PEAP authenticator and client is not shared with the access point. Because of this, the access point cannot decrypt the messages protected by PEAP.
5. PEAP fast reconnect, which reduces the delay in time between an authentication request by a client and the response by the IAS or RADIUS server, and allows wireless clients to move between access points without repeated requests for authentication. This reduces resource requirements for both client and server.
You can choose between two EAP types for use with PEAP: EAP-MS-CHAPv2 or EAP-TLS. EAP-MS-CHAPv2 uses credentials (user name and password) for user authentication. EAP-TLS uses either certificates installed in the client computer certificate store or a smart card for user and client computer authentication. Comparatively, the second one is more secure because public key certificates provide a much stronger authentication method than those that use password-based credentials.
Best Regards,
Eve Wang -
One SSID with multiple authentication methods
Have received a request from a customer to run both TKIP and AES encryption on the same SSID.
From reading I believe this is not possible, but can anyone confirm this please?
Currently the config looks thus:
dot11 ssid HELP
vlan 20
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
authentication key-management wpa version 2 <<<<<<<<<<<<<<<<<<
<<<<< Trying to add wpa version 2 overwrites authentication key-management wpa so presume this confirms it can't be done >>>>>
Interface Dot11Radio0
encryption mode ciphers tkip
encryption vlan 20 mode ciphers aes-ccm tkip
Many Thanks
Hello
Cisco wireless products have the option to offer to the wireless clients both encryption methods, TKIP and AES and even WEP on the same SSID. This can be configured on the GUI and CLI but what you have to be aware and be careful is that this is not the standard. Even though Cisco can offer this, some clients won't understand that, they will get confused and disconnect or just not be able to connect at all.
We are talking about encryption here not authentication so to answer your question: yes, you can configure several encryption methods on the same vlan but it is not a best practice and regarding authentication, it is not possible to configure different authentication methods on the same SSID.
Regards,
Sent from Cisco Technical Support Android App -
Hi,
I have an ACS 1113 ....
I have installed and configured the certificate... and trusted the CA certificate... I also configured the global authentication (enabled PEAP, EAP-TLS).
Now when I try to authenticate (by the wireless) I get failed to authenticate.
When checking the ACS failed attempts I find the failure code
- EAP type not configured -
I don't know why it's happening....
But everything is configured...
Please make sure on ACS > Network Access Profiles >
Make sure we have "Grant access using global configuration, when no profile matches" option selected.
Also make sure on ACS > ACS Certificate Setup > Install ACS Certificate >
Make sure a certificate is installed, if it is installed then click cancel.
Also go to ACS > System Configuration > Global Authentication Setup > Make sure under "PEAP" we have checked "Allow EAP-MSCHAPv2" and/or "Allow EAP-GTC" as applicable.
Regards,
~JG -
QoS Override Per-SSID Bandwith question
Hi all,
on a WLAN there is the possibility to override the QoS Bandwidth settings.
I try to get some more information about these settings, I want to understand this. As well a customer wants to limit user data.
My question is: This override Per-SSID, are these settings on an AP basis or on the global controller basis?
The next question resulting out this will then be what if the AP is set to flex-connect with local VLAN traffic, what then?
Is there a good documentation on this?
Thanks.
This section describes BDRL of the 7.3 release. In releases 7.2 and earlier, there is only the ability to limit the downstream throughput across an SSID and per user on the Global interface. With this new feature in the 7.3 release, rate limits can be defined on both upstream and downstream traffic, as well as on a per WLAN basis. These rate limits are individually configured. The rate limits can be configured on WLAN directly instead of QoS profiles, which will override profile values.
This new feature adds the ability to define throughput limits for users on their wireless networks with a higher granularity. This ability allows setting a priority service to a particular set of clients. A potential use case for this is in hotspot situations (coffee shops, airports, etc) where a company can offer a free low-throughput service to everyone, and charge users for a high-throughput service.
Note: The enforcement of the rate limits is done on both the controller and AP.
Rate limiting is supported for APs in Local and FlexConnect mode (both Central and Local switching).
When the controller is connected and central switching is used the controller will handle the downstream enforcement of per-client rate limit only.
The AP will always handle the enforcement of the upstream traffic and per-SSID rate limit for downstream traffic.
For the locally switched environment, both upstream and downstream rate limits will be enforced on the AP. The enforcement on the AP will take place in the dot11 driver. This is where the current classification exists.
In both directions, per-client rate limit is applied/checked first and per-SSID rate limit is applied/checked second.
The WLAN rate limiting will always supersede the Global QoS setting for WLAN and user.
Rate limiting only works for TCP and UDP traffic. Other types of traffic (IPSec, GRE, ICMP, CAPWAP, etc) cannot be limited.
Only policing is implemented in the 7.3 releases.
http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113682-bdr-limit-guide-00.html -
Overall Bandwidth Cap per SSID
Hi,
I have a 2504 controller running 8.0.100.0 code. The customer has a guest SSID and wants to cap the bandwidth being used.
I was able to create a local user account that has a bandwidth associated with it and guests are able to login and are being capped to that rate.
Now, we want to cap the overall rate. I looked at perhaps using policy on the WLAN as there is a section for bandwidth rates. However, the policy wants information such as "match string", "match EAP type" and then to pick a "device type" before the action to be taken (in this case bandwidth) can be applied.
I'd like this policy to apply to any user on any device on the WLAN. Is this possible?
Thanks for any help in advance.
-Jim
Hi Leo,
Thanks for the reply.
Just to be sure we are discussing the same thing we are not looking to cap the amount of data that may be downloaded but cap the overall SSID to a specific bandwidth. I have looked at Cisco's BYOD guide but I do not see the same QOS options to limit SSID bandwidth in the GUI that they show. -
Transaction for characteristics per plant / order type
Transaction for characteristics per plant / order type
We need a new transaction for customizing feature
Characteristics per plant and order type
ZVP_PRNTCHARCON
example one screen - one dimension characteristics, other 15 operations
Thanks
Hi Tarun,
Standard SAP does not support char specific to plant & order type. You need to develop some custom transaction. If you are looking for more details, request you to share the business requirement, details etc.
Thanks...Sanjay -
Download and upload speed per ssid in air-sap2602.
Dear team,
How to limit the download and upload speed per ssid in air-sap2602 ?
SSID =5MB download + 1upload
SSID= 30MB download + 5upload
Regards
If you need help with traffic shaping, you should post your question on the LAN, Switching and Routing forum:
https://supportforums.cisco.com/community/netpro/network-infrastructure/switching
You can also look for examples by searching Configure 1941 traffic shaping:
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfgts.html
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfcbshp.html
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered" -
EAP-SIM Authentication on Lenovo K900
Hello All,
I want to use EAP-SIM authentication on Lenovo k900 to connect to wifi. Does anyone know how to? because there is no option EAP-SIM on authentication option.
Or there are other option how to use EAP-SIM?
Thanks
To Lenovo Android Developer,
Please add this EAP-SIM Wifi authentication feature on the next firmware update.
Because in Indonesia almost all GSM operators using EAP-SIM for their WiFi service.
Thank you.