Problem with work group bridge authentication with ACS 5.x

EAP-TLS authentication for a workgroup bridge fails.
Following is the log on ACS:
Authentication failed 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain
12811 Extracted TLS Certificate message containing client certificate.
12814 Prepared TLS Alert message.
12817 TLS handshake failed.
12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain
12507 EAP-TLS authentication failed
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject

I have seen this issue before: the AP presents an old PAC and doesn't update it until after you reboot. You can open a wireless TAC case and they will get you the right image where this was fixed. As a workaround you can extend the lifetime of the PAC in your authentication settings for EAP-FAST.
Thanks,
Sent from Cisco Technical Support iPad App
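The ACS step list above is the evidence that matters: the most specific code (12514, unknown CA in the client certificate chain) sits between generic ones (12817 TLS handshake failed, 12507 EAP-TLS failed, 11003 Access-Reject), and when the steps are pasted from the report several codes end up fused on one line. The following Python is an added example, not code from the post or from Cisco: it splits a pasted step list back into (code, message) pairs even where two steps were run together, then reports the most specific failure code present and the final RADIUS outcome. The sample text is constructed from the log above, and the hint strings are this example's own summaries rather than an ACS message table.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the failed EAP-TLS attempt as copied out of the ACS 5.x report,
# with several step codes run together ("message.12817 TLS", "failed12505 Prepared").
SAMPLE_ACS_STEPS = """\
12811 Extracted TLS Certificate message containing client certificate.
12814 Prepared TLS Alert message.12817 TLS handshake failed.
12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain
12507 EAP-TLS authentication failed12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
11504 Prepared EAP-Failure11003 Returned RADIUS Access-Reject
"""

# ACS step codes are five digits beginning with 11 (RADIUS) or 12 (EAP/TLS). A new step
# starts wherever such a code appears that is not the tail of a longer number.
_STEP_BOUNDARY = re.compile(r"(?=(?<!\d)1[12]\d{3}\s)")
_STEP_CODE = re.compile(r"(1[12]\d{3})\s+")

# Failure codes seen in the log above, ordered from most specific cause to most generic
# symptom. The hint text is this example's own summary, not an ACS message table.
ROOT_CAUSE_HINTS: Dict[str, str] = {
    "12514": "unknown CA in the client certificate chain: the issuing CA (and any intermediate) "
             "is missing from the ACS trust store, or the supplicant sent the wrong chain",
    "12817": "TLS handshake failed (look for a 125xx step giving the reason)",
    "12507": "EAP-TLS authentication failed (generic)",
    "11504": "EAP-Failure sent to the NAS",
}
# RADIUS outcome codes that appear in the log above.
OUTCOME_CODES: Dict[str, str] = {"11003": "Access-Reject", "11006": "Access-Challenge"}


def split_steps(text: str) -> List[Tuple[str, str]]:
    """Split a pasted ACS step list into (code, message) pairs, repairing fused lines."""
    steps: List[Tuple[str, str]] = []
    for chunk in _STEP_BOUNDARY.split(text):
        chunk = chunk.strip()
        m = _STEP_CODE.match(chunk)
        if not m:
            continue  # leading empty chunk, or text that precedes the first code
        steps.append((m.group(1), chunk[m.end():].strip().rstrip(".")))
    return steps


def diagnose(text: str) -> Dict[str, Optional[str]]:
    """Report the most specific failure code present and the last RADIUS outcome."""
    steps = split_steps(text)
    codes = [code for code, _ in steps]
    root = next((c for c in ROOT_CAUSE_HINTS if c in codes), None)
    outcome = next((OUTCOME_CODES[c] for c, _ in reversed(steps) if c in OUTCOME_CODES), None)
    return {
        "root_cause": root,
        "hint": ROOT_CAUSE_HINTS[root] if root else None,
        "outcome": outcome,
    }


if __name__ == "__main__":
    for code, message in split_steps(SAMPLE_ACS_STEPS):
        print(code, message)
    print(diagnose(SAMPLE_ACS_STEPS))
```

For the log above this returns root cause 12514 with outcome Access-Reject, which points the investigation at the ACS certificate trust store (does it hold the CA that issued the WGB's certificate, including any intermediate?) rather than at the generic handshake failure that appears first in the list.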

Similar Messages

  • Work group bridge with cisco 3500

    Hi,
    We have a few Cisco 3500 APs which are to be used as work group bridges. I am not very sure, but I think we need the AP to be in autonomous mode to make it a work group bridge. Currently it is running the LWAPP/CAPWAP image.
    Is this correct? Please help with suggestions.

    sh ip int brie
    Interface                  IP-Address      OK? Method Status                Protocol
    BVI1                       10.82.6.247     YES DHCP   up                    up
    Dot11Radio0                unassigned      NO  unset  up                    up
    Dot11Radio1                unassigned      NO  unset  up                    up
    GigabitEthernet0           192.168.1.2     YES manual up                    up
    AP-OF#sh ver
    Cisco IOS Software, C3500 Software (AP3G1-K9W8-M), Version 12.4(23c)JA7, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Tue 29-Jan-13 05:19 by prod_rel_team
    ROM: Bootstrap program is C3500 boot loader
    BOOTLDR: C3500 Boot Loader (AP3G1-BOOT-M), Version 12.4 [mpleso-ap_jmr3_esc_0514 116]
    AP_OF uptime is 3 minutes
    System returned to ROM by power-on
    System image file is "flash:/ap3g1-k9w8-mx.124-23c.JA7/ap3g1-k9w8-xx.124-23c.JA7
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    cisco AIR-CAP3502E-S-K9    (PowerPC460exr) processor (revision B0) with 81910K/49152K bytes of memory.
    Processor board ID FGL1721S5G0
    PowerPC460exr CPU at 666Mhz, revision number 0x18A8
    Last reset from power-on
    LWAPP image version 7.0.240.0
    1 Gigabit Ethernet interface
    2 802.11 Radio(s)
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: BC:16:65:77:D9:93
    Part Number                          : 73-12175-06
    PCA Assembly Number                  : 800-32268-06
    PCA Revision Number                  : B0
    PCB Serial Number                    : FOC171622Y6
    Top Assembly Part Number             : 800-32904-02
    Top Assembly Serial Number           : FGL1721S5G0
    Top Revision Number                  : A0
    Product/Model Number                 : AIR-CAP3502E-S-K9
    Configuration register is 0xF
    sh run | i def
    aaa authentication login default local
    ip default-gateway 192.168.1.55

  • Cisco AP 700w as a Work Group Bridge with a WLAN Controller

    I am trying to set up an AP 700w as a Work Group Bridge; it would be interesting to have this running because it has the built-in 4-port switch.
    I have WiSM-based WLCs running version 7.0.240.0. I converted a 700w to an autonomous AP and on the AP I installed IOS version 15.3(3)JA1.
    When I use an autonomous-based AP to connect the 700w as a WGB, everything works fine. I can connect clients through the 4-port switch.
    If I try to use a Controller based WLAN environment it does not work. The config is simple:
    ap#sh run
    Building configuration...
    Current configuration : 1805 bytes
    ! Last configuration change at 18:37:11 UTC Thu Mar 5 2015
    version 15.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    logging rate-limit console 9
    enable secret 5 $1$b5Da$QTI6Geq7ARZud34ZqA45.0
    no aaa new-model
    led display off
    no ip source-route
    no ip cef
    dot11 syslog
    dot11 ssid LAGERWPA
       authentication open
       authentication key-management wpa
       wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    username CISCO password 7 14341B180F0B
    bridge irb
    interface Dot11Radio0
     no ip address
     encryption mode ciphers aes-ccm tkip
     ssid LAGERWPA
     antenna gain 0
     packet retries 64 drop-packet
     station-role workgroup-bridge
     bridge-group 1
     bridge-group 1 spanning-disabled
    interface Dot11Radio1
     no ip address
     shutdown
     antenna gain 0
     peakdetect
     no dfs band block
     packet retries 64 drop-packet
     channel dfs
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface GigabitEthernet0
     no ip address
     duplex auto
     speed auto
     bridge-group 1
     bridge-group 1 spanning-disabled
    interface BVI1
     mac-address 18e7.2801.9610
     ip address dhcp client-id GigabitEthernet0
     ipv6 address dhcp
     ipv6 address autoconfig
     ipv6 enable
    ip forward-protocol nd
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    lan-port port-id 1
      no shutdown
    lan-port port-id 2
      shutdown
    lan-port port-id 3
      shutdown
    lan-port port-id 4
      shutdown
    bridge 1 route ip
    line con 0
    line vty 0 4
     login local
     transport input all
    end
    The association is OK, it is seen as a WGB, I can reach resources on our network from the AP, ping works, I can use a telnet from client to access the AP 700w etc.:

    20... Here is an old post for reference.
    https://supportforums.cisco.com/thread/2119996
    Sent from Cisco Technical Support iPhone App

  • Not Working-central web-authentication with a switch and Identity Service Engine

    Following up on the document "Configuration example: central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis: since the redirection on the switch is not working, I'm asking for your help...
    I'm using ISE version 1.0.4.573 and a WS-C2960-24PC-L with software 12.2(55)SE1 and image C2960-LANBASEK9-M for access.
    The interface configuration looks like this:
    interface FastEthernet0/24
    switchport access vlan 6
    switchport mode access
    switchport voice vlan 20
    ip access-group webauth in
    authentication event fail action next-method
    authentication event server dead action authorize
    authentication event server alive action reinitialize
    authentication order mab
    authentication priority mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation restrict
    mab
    spanning-tree portfast
    end
    The ACLs:
    Extended IP access list webauth
        10 permit ip any any
    Extended IP access list redirect
        10 deny ip any host 172.22.2.38
        20 permit tcp any any eq www
        30 permit tcp any any eq 443
    On the ISE side I followed the configuration step by step...
    When I connect the XP client, I see the following authentication session...
    swlx0x0x#show authentication sessions interface fastEthernet 0/24
               Interface:  FastEthernet0/24
              MAC Address:  0015.c549.5c99
               IP Address:  172.22.3.184
                User-Name:  00-15-C5-49-5C-99
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  single-host
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
         URL Redirect ACL:  redirect
             URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC16011F000000490AC1A9E2
          Acct Session ID:  0x00000077
                   Handle:  0xB7000049
    Runnable methods list:
           Method   State
           mab      Authc Success
    But there is no redirection, and I get the following message on the switch console:
    756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
    756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
    I have to mention I'm using an http proxy on port 8080...
    Any Ideas on what is going wrong?
    Regards
    Nuno

    OK, so I upgraded the IOS to version
    SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
    I tweaked the ACLs to the following:
    Extended IP access list redirect
        10 permit ip any any (13 matches)
    and created a DACL that is downloaded along with the authentication
    Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
        10 permit ip any any
    I can see the epm session
    swlx0x0x#show epm session ip 172.22.3.74
         Admission feature:  DOT1X
         ACS ACL:  xACSACLx-IP-redirect-4f743d58
         URL Redirect ACL:  redirect
         URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
    And authentication
    swlx0x0x#show authentication sessions interface fastEthernet 0/24
         Interface:  FastEthernet0/24
         MAC Address:  0015.c549.5c99
         IP Address:  172.22.3.74
         User-Name:  00-15-C5-49-5C-99
         Status:  Authz Success
         Domain:  DATA
         Oper host mode:  multi-auth
         Oper control dir:  both
         Authorized By:  Authentication Server
         Vlan Group:  N/A
         ACS ACL:  xACSACLx-IP-redirect-4f743d58
         URL Redirect ACL:  redirect
         URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
         Session timeout:  N/A
         Idle timeout:  N/A
         Common Session ID:  AC16011F000000160042BD98
         Acct Session ID:  0x0000001B
         Handle:  0x90000016
         Runnable methods list:
         Method   State
         mab      Authc Success
    In the logging, I get the following messages...
    017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
    017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
    017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
    017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
    017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
    017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
    017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
    What am I missing?
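The redirect ACL is the piece of this setup that decides which client flows the switch intercepts, and the switch still only intercepts the HTTP(S) flows among those the ACL permits, which is what the debug line "Not an HTTP(s) packet" records after "matched with [acl=redirect]". The following Python is an added example, not code from the post or from Cisco: it parses the two versions of the redirect ACL shown above from `show ip access-lists` output and evaluates constructed sample packets against them with IOS first-match semantics. The set of destination ports treated as HTTP(S) for interception, the proxy address and the public web server address are this example's assumptions. A browser configured for a proxy on port 8080 sends its page requests to that port, which the original ACL never matched and which the revised `permit ip any any` matches but the switch does not intercept.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Named ports as IOS prints them; only the names this example needs.
PORT_NAMES = {"www": 80, "https": 443, "telnet": 23}

# Assumption of this example: destination ports the switch treats as HTTP(S) when it
# decides whether a flow permitted by the redirect ACL is actually intercepted.
HTTP_PORTS = {80, 443}


@dataclass
class Ace:
    seq: int
    action: str                   # "permit" (redirect candidate) or "deny" (never redirected)
    proto: str                    # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # set when the entry carries "eq <port>"


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a wildcard as a host mask (contiguous wildcards only).
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'show ip access-lists' output for one extended ACL into ordered entries."""
    aces: List[Ace] = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or not tokens[0].isdigit():
            continue  # header line such as "Extended IP access list redirect"
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        src, i = _parse_addr(tokens, 3)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i + 1 < len(tokens) and tokens[i] == "eq":
            port = tokens[i + 1]
            dport = int(port) if port.isdigit() else PORT_NAMES[port]
        # a trailing "(13 matches)" counter is simply ignored
        aces.append(Ace(seq, action, proto, src, dst, dport))
    return aces


def first_match(aces: List[Ace], pkt: Packet) -> Optional[Ace]:
    """First-match evaluation, as IOS walks an ACL; None means no entry matched."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in ace.src:
            continue
        if ipaddress.ip_address(pkt.dst) not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace
    return None


def redirect_decision(aces: List[Ace], pkt: Packet) -> str:
    """'redirect', 'pass' (denied or unmatched: forwarded normally) or 'not-http'
    (permitted by the redirect ACL but not an HTTP(S) flow, so not intercepted)."""
    ace = first_match(aces, pkt)
    if ace is None or ace.action == "deny":
        return "pass"
    if pkt.proto == "tcp" and pkt.dport in HTTP_PORTS:
        return "redirect"
    return "not-http"


# The two ACL versions from the post, as constructed sample input.
ORIGINAL_REDIRECT_ACL = """Extended IP access list redirect
    10 deny ip any host 172.22.2.38
    20 permit tcp any any eq www
    30 permit tcp any any eq 443"""
REVISED_REDIRECT_ACL = """Extended IP access list redirect
    10 permit ip any any (13 matches)"""

# Constructed packets from the client in the post; the web server and proxy addresses are assumed.
CLIENT = "172.22.3.184"
SAMPLE_PACKETS = [
    ("direct HTTP to a web site", Packet("tcp", CLIENT, "93.184.216.34", 80)),
    ("portal traffic to ISE", Packet("tcp", CLIENT, "172.22.2.38", 8443)),
    ("HTTP via proxy on 8080", Packet("tcp", CLIENT, "172.22.5.10", 8080)),
    ("DNS lookup", Packet("udp", CLIENT, "8.8.8.8", 53)),
]


def evaluate(acl_text: str) -> List[Tuple[str, str]]:
    aces = parse_acl(acl_text)
    return [(label, redirect_decision(aces, pkt)) for label, pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_REDIRECT_ACL), ("revised", REVISED_REDIRECT_ACL)):
        print(name)
        for label, decision in evaluate(text):
            print(f"  {label:28s} -> {decision}")
```

Run against both ACLs, the proxied request is "pass" under the original entries (nothing matches port 8080) and "not-http" under `permit ip any any`, which matches the switch's own debug output in the post; the explicit deny toward the ISE address in the original ACL is what keeps the portal connection itself out of the redirect path.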

  • Need Help With Work Group Wiki Page (404)

    I am somewhat of a novice with all this server stuff, so I will try to explain....
    I have done a standard server install of OS X 10.5.6 Server on my Xserve. Everything seemed to work like a charm. The only problem I am having is when I select my home page to be my Workgroup Wiki page (inside the standard server preferences window). When I select this and try to test the page with the link under the drop-down (open home page), it opens Safari and the header looks right, but the page says "Not Found. 404: No group with that name (workgroup) hosted on this server".
    I have a Workgroup and then two other groups: print and interactive. I want people to be able to log on and see the main workgroup wiki page and then be able to select to go to one of the other two groups. I have had this working before but had to reformat my hard drive and reinstall the OS.
    From the page that comes up, I CAN click on the "groups" link in the header bar and that does take me to a working page, but I want to be able to have people go to this workgroup page first.
    Any help would be MUCH appreciated. Thanks in advance.

    Hi,
    If you have the original index.html file installed in the /Library/WebServer/Documents/ folder then your wikid server will use it to display the web service groups.
    If you have changed the index.html file or substituted a different index.html then wikid will not be able to perform its display action.
    HTH,
    Harry

  • Problem to work on ThinkPad T430 with Autodesk Revit 2013 models on external monitor

    Did anybody from the community experience problems working with Revit 2013 on an external monitor hooked up to a Lenovo T430 laptop with a hybrid (Intel/Nvidia) video card? When I double-click on any model element on the external screen, this element jumps in an unpredictable direction and I get the error message "can't keep elements joined". It happens only on the external monitor; when I am using the laptop screen nothing happens.
    Is there any way to fix this issue? Thanks

    Have you spoken to Autodesk about this issue?
    Try to update the Nvidia video driver to the latest version, and see whether that helps.
    Regards,
    Jin Li
    May this year, be the year of 'DO'!
    I am a volunteer, and not a paid staff of Lenovo or Microsoft

  • X3500 wont work in Bridge mode with ASA 5505

    Hi Everyone, I am currently running a Linksys X3500 v1.0.0 and plan to use an ASA 5505 as a PPPoE client. The PPPoE connection works fine when I configure the Linksys for PPPoE, but when I configure the ASA 5505 to act as the PPPoE client I'm unable to get the Internet up and running through the Linksys. I have opened a support ticket with Cisco and per them the X3500 is unable to provide PPPoE details in bridge mode. Cisco Ticket # 62968611 (PPPoE connection not working). The error on the Cisco console is:
    asa5505# PPPoE: send_padiSnd) Dest:ffff.ffff.ffff Src:c8b3.735d.4e13 Type:0x8863=PPPoE-Discovery
    PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
    PPPoE: Type:0101VCNAME-Service Name Len:0
    PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
    PPPoE: 00000002
    PPPoE: padi timer expired
    Can Linksys help? What's the issue? Regards, Sumit

    Hi! I'm not so familiar with the Cisco ASA 5505 device. If you set your X3500 to a Bridge Mode, it will not give any PPPoE mode details and vice versa. Which of the two devices would you like to connect to the ISP's connection, is it the X3500 or the ASA 5505?

  • Cross dissolve problem - only works as fade in with graphics clips

    I inserted three graphics clips with transitions (cross dissolve default) at the beginning of a sequence. The transitions only seem to work as fade-ins. I have plenty of extra frames beyond the edit section of the clips. I tried to adjust the transitions in the transition editor; it shows the transition aligned to start at the edit, but won't allow me to choose to center it on the edit or end on the edit.
    Thanks for any help you can provide

    Thank you - no, there seems to be a handle only on the left side of the edit (to the left of the transition, which sits only to the right of the edit). On the right side (in the zone of the transition) the cursor shows the symbol for the roll tool - r. Excuse my limited understanding of the interface and tools; I am just beginning to learn FCE.
    I will be away from the workstation until tomorrow morning.

  • Printer Sharing Problem in Work group

    Hi all !
    I'm using an HP LaserJet 1300 printer. I connect my printer to my Windows XP computer and share this printer with other computers in my network. I attached an all-in-one computer (wireless) to my network. I used a wireless router also. But I am unable to install the HP LaserJet 1300 printer on my all-in-one computer. It generates the error message "No drivers install", so I downloaded the drivers for Windows 7 Home Premium (64-bit) and installed them, but the problem is not solved. I'm using the Windows 7 Home Premium (64-bit) OS on my all-in-one. I can share folders between my all-in-one PC and other PCs in my workgroup, but I can't share this printer. Please help me.
    Thank you
    Chamath

    Hi Chamath,
    I assume your XP machine is 32bit (most are)? Here are a couple guides that may help:
    http://goo.gl/br6c
    and
    http://goo.gl/4Eun
    Also, here is a Microsoft Article to ensure that you have Windows 7 setup properly for printer sharing (article is for Vista, but works just as well for 7):
    http://goo.gl/WVO6U
    If I have helped in any way, just click the Kudos star on the left. Also, if your issue has been resolved, don't forget to select Accept as Solution

  • Work Group Bridge - Which Mode to Use?

    We have some rolling carts used for telemedicine and are currently using Linksys WET610N wireless bridges.  I haven't been very impressed with them - I have to reboot them at least once a week and figure it's a roaming issue.  Since they are a residential product they probably weren't designed to do a lot of roaming.
    I started playing around with WGB and setup an 1142 AP and got it to work.  Unfortunately, the only place I can put the AP is inside the cart and the metal top seems to be interfering with the wireless signal.
    Which Cisco indoor APs have external antennae mounts and are capable of performing as a WGB?
    Our infrastructure is 4400 controllers and 1142 APs.
    Thanks.

    Look at the 1242's to use as WGB.
    Sent from Cisco Technical Support iPhone App

  • How many clients on ethernet LAN when configured as work-group bridge?

    I am considering configuring a 1242ag as either a WGB or a non-root bridge. I have read that a WGB can have only 8 clients on its ethernet LAN side, and does not associate with wireless clients other than the root bridge/AP. Can someone confirm this for me?

    WGB acts only in Non-Root Bridge w/o clients mode. It is right that a Workgroup bridge can associate to either a Root AP or a Root Bridge.

  • Calendar synch with work computer, Music synch with home?

    I love my new iPod touch. I want to use it as both a music library and as a PDA, but that seems to be the rub.
    My music library doesn't belong on my work computer, it belongs on my home computer. My work calendar belongs only on my work computer. I don't really want to put work email on my work computer, only my calendar.
    Work calendar is in Microsoft Outlook 2003 on a PC.
    Can this be done? Please tell me yes. If yes, please tell me how.

    Yes, it can. In iTunes on your home computer, with the IPT connected, click the Info tab and make sure the calendar sync option is not checked. Install iTunes for Windows on your work PC. Connect your IPT. Do not let it auto-sync (click No at the prompt). The IPT will mount in iTunes, go through the tabs and make sure options to sync music/movies/TV shows are UNchecked. In the Info tab check the box to sync your Outlook calendar.
    Now, when you connect to your work PC your calendar will sync, and when you connect to your home PC your music/videos will sync.
    Note that you can't sync emails regardless - checking the box to sync mail accounts syncs +just the settings+, not the emails themselves.
    Hope this helps...

  • Work Group Bridge

    I have a Cisco AIR-CAP3602E-EK9 and I want to configure it as a WGB. I am trying to run the dot11 ssid command to configure the SSID but it's not working. Can anybody tell me the command reference to configure the AIR-CAP3602E-EK9 as a WGB?

    Do you have the autonomous image on your 3602? If not, you have to convert the Lightweight image to Autonomous using one of the below methods before configuring it as a WGB.
    http://mrncciew.com/2012/10/20/lightweight-to-autonomous-conversion/
    http://mrncciew.com/2013/12/13/ap-conversion-using-mode-button/
    Then you can configure WGB like below.
    http://mrncciew.com/2013/07/02/wgb-config-example/
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Aironet 2702i Autonomous - Web-Authentication with Radius Window 2008

    Hi Guys,
    I have a problem with this case; my sample diagram looks like this: AD (Win2008) - RADIUS (Win2008) - Aironet 2702i => using the Web-Auth method for end users.
    This is my configuration file on the Aironet 2702i:
    Aironet2702i#show run
    Building configuration...
    Current configuration : 8547 bytes
    ! Last configuration change at 05:08:25 +0700 Fri Oct 31 2014 by admin
    version 15.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname Aironet2702i
    logging rate-limit console 9
    aaa new-model
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login default local
    aaa authentication login DTSGROUP group radius
    aaa authentication login webauth group radius
    aaa authentication login weblist group radius
    aaa authentication dot1x default group radius
    aaa authorization exec default local 
    aaa session-id common
    clock timezone +0700 7 0
    no ip source-route
    no ip cef 
    ip admission name webauth proxy http
    ip admission name webauth method-list authentication weblist 
    no ip domain lookup
    ip domain name dts.com.vn
    dot11 syslog
    dot11 activity-timeout unknown default 1000
    dot11 activity-timeout client default 1000
    dot11 activity-timeout repeater default 1000
    dot11 activity-timeout workgroup-bridge default 1000
    dot11 activity-timeout bridge default 1000
    dot11 vlan-name DTSGroup vlan 46
    dot11 vlan-name L6-Webauthen-test vlan 45
    dot11 vlan-name NetworkL7 vlan 43
    dot11 vlan-name SGCTT vlan 44
    dot11 ssid DTS-Group
       vlan 46
       authentication open eap DTSGROUP 
       authentication key-management wpa version 2
       mbssid guest-mode
    dot11 ssid DTS-Group-Floor7
       vlan 43
       authentication open 
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 013D03104C0414040D4D5B5E392559
    dot11 ssid L6-Webauthen-test
       vlan 45
       web-auth
       authentication open 
       dot1x eap profile DTSGROUP
       mbssid guest-mode
    dot11 ssid SaigonCTT-Public
       vlan 44
       authentication open 
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 04480A0F082E424D1D0D4B141D06421224
    dot11 arp-cache optional
    dot11 adjacent-ap age-timeout 3
    eap profile DTSGROUP
     description testwebauth-radius
     method peap
     method mschapv2
     method leap
    username TRIHM privilege 15 secret 5 $1$y1J9$3CeHRHUzbO.b6EPBmNlFZ/
    username ADMIN privilege 15 secret 5 $1$IvtF$EP6/9zsYgqthWqTyr.1FB0
    ip ssh version 2
    bridge irb
    interface Dot11Radio0
     no ip address
     encryption vlan 44 mode ciphers aes-ccm 
     encryption vlan 46 mode ciphers aes-ccm 
     encryption mode ciphers aes-ccm 
     encryption vlan 43 mode ciphers aes-ccm 
     encryption vlan 1 mode ciphers aes-ccm 
     ssid DTS-Group
     ssid DTS-Group-Floor7
     ssid L6-Webauthen-test
     ssid SaigonCTT-Public
     countermeasure tkip hold-time 0
     antenna gain 0
     stbc
     mbssid
     packet retries 128 drop-packet
     channel 2412
     station-role root
     rts threshold 2340
     rts retries 128
     ip admission webauth
    interface Dot11Radio0.1
     encapsulation dot1Q 1 native
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio0.43
     encapsulation dot1Q 43
     bridge-group 43
     bridge-group 43 subscriber-loop-control
     bridge-group 43 spanning-disabled
     bridge-group 43 block-unknown-source
     no bridge-group 43 source-learning
     no bridge-group 43 unicast-flooding
    interface Dot11Radio0.44
     encapsulation dot1Q 44
     bridge-group 44
     bridge-group 44 subscriber-loop-control
     bridge-group 44 spanning-disabled
     bridge-group 44 block-unknown-source
     no bridge-group 44 source-learning
     no bridge-group 44 unicast-flooding
     ip admission webauth
    interface Dot11Radio0.45
     encapsulation dot1Q 45
     bridge-group 45
     bridge-group 45 subscriber-loop-control
     bridge-group 45 spanning-disabled
     bridge-group 45 block-unknown-source
     no bridge-group 45 source-learning
     no bridge-group 45 unicast-flooding
     ip admission webauth
    interface Dot11Radio0.46
     encapsulation dot1Q 46
     bridge-group 46
     bridge-group 46 subscriber-loop-control
     bridge-group 46 spanning-disabled
     bridge-group 46 block-unknown-source
     no bridge-group 46 source-learning
     no bridge-group 46 unicast-flooding
    interface Dot11Radio1
     no ip address
     shutdown
     encryption vlan 46 mode ciphers aes-ccm 
     encryption vlan 44 mode ciphers aes-ccm 
     encryption vlan 1 mode ciphers aes-ccm 
     encryption vlan 43 mode ciphers aes-ccm 
     encryption vlan 45 mode ciphers ckip-cmic 
     ssid DTS-Group
     ssid DTS-Group-Floor7
     ssid SaigonCTT-Public
     countermeasure tkip hold-time 0
     antenna gain 0
     peakdetect
     dfs band 3 block
     stbc
     mbssid
     packet retries 128 drop-packet
     channel 5745
     station-role root
     rts threshold 2340
     rts retries 128
    interface Dot11Radio1.1
     encapsulation dot1Q 1 native
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio1.43
     encapsulation dot1Q 43
     bridge-group 43
     bridge-group 43 subscriber-loop-control
     bridge-group 43 spanning-disabled
     bridge-group 43 block-unknown-source
     no bridge-group 43 source-learning
     no bridge-group 43 unicast-flooding
    interface Dot11Radio1.44
     encapsulation dot1Q 44
     bridge-group 44
     bridge-group 44 subscriber-loop-control
     bridge-group 44 spanning-disabled
     bridge-group 44 block-unknown-source
     no bridge-group 44 source-learning
     no bridge-group 44 unicast-flooding
     ip admission webauth
    interface Dot11Radio1.45
     encapsulation dot1Q 45
     bridge-group 45
     bridge-group 45 subscriber-loop-control
     bridge-group 45 spanning-disabled
     bridge-group 45 block-unknown-source
     no bridge-group 45 source-learning
     no bridge-group 45 unicast-flooding
     ip admission webauth
    interface Dot11Radio1.46
     encapsulation dot1Q 46
     bridge-group 46
     bridge-group 46 subscriber-loop-control
     bridge-group 46 spanning-disabled
     bridge-group 46 block-unknown-source
     no bridge-group 46 source-learning
     no bridge-group 46 unicast-flooding
    interface GigabitEthernet0
     no ip address
     duplex auto
     speed auto
     dot1x pae authenticator
     dot1x authenticator eap profile DTSGROUP
     dot1x supplicant eap profile DTSGROUP
    interface GigabitEthernet0.1
     encapsulation dot1Q 1 native
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    interface GigabitEthernet0.43
     encapsulation dot1Q 43
     bridge-group 43
     bridge-group 43 spanning-disabled
     no bridge-group 43 source-learning
    interface GigabitEthernet0.44
     encapsulation dot1Q 44
     bridge-group 44
     bridge-group 44 spanning-disabled
     no bridge-group 44 source-learning
    interface GigabitEthernet0.45
     encapsulation dot1Q 45
     bridge-group 45
     bridge-group 45 spanning-disabled
     no bridge-group 45 source-learning
    interface GigabitEthernet0.46
     encapsulation dot1Q 46
     bridge-group 46
     bridge-group 46 spanning-disabled
     no bridge-group 46 source-learning
    interface GigabitEthernet1
     no ip address
     shutdown
     duplex auto
     speed auto
    interface GigabitEthernet1.1
     encapsulation dot1Q 1 native
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    interface GigabitEthernet1.43
     encapsulation dot1Q 43
     bridge-group 43
     bridge-group 43 spanning-disabled
     no bridge-group 43 source-learning
    interface GigabitEthernet1.44
     encapsulation dot1Q 44
     bridge-group 44
     bridge-group 44 spanning-disabled
     no bridge-group 44 source-learning
    interface GigabitEthernet1.45
     encapsulation dot1Q 45
     bridge-group 45
     bridge-group 45 spanning-disabled
     no bridge-group 45 source-learning
    interface GigabitEthernet1.46
     encapsulation dot1Q 46
     bridge-group 46
     bridge-group 46 spanning-disabled
     no bridge-group 46 source-learning
    interface BVI1
     mac-address 58f3.9ce0.8038
     ip address 172.16.1.62 255.255.255.0
     ipv6 address dhcp
     ipv6 address autoconfig
     ipv6 enable
    ip forward-protocol nd
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1 
    radius-server attribute 32 include-in-access-req format %h
    radius server 172.16.50.99
     address ipv4 172.16.50.99 auth-port 1645 acct-port 1646
     key 7 104A1D0A4B141D06421224
    bridge 1 route ip
    line con 0
     logging synchronous
    line vty 0 4
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     transport input ssh
    line vty 5 15
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     transport input ssh
    end
    This is my log file on the Windows 2008 RADIUS server:
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
    Security ID: S-1-5-21-858235673-3059293199-2272579369-1162
    Account Name: xxxxxxxxxxxxxxxx
    Account Domain: xxxxxxxxxxx
    Fully Qualified Account Name: xxxxxxxxxxxxxxxxxxx
    Client Machine:
    Security ID: S-1-0-0
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: -
    Calling Station Identifier: -
    NAS:
    NAS IPv4 Address: 172.16.1.62
    NAS IPv6 Address: -
    NAS Identifier: Aironet2702i
    NAS Port-Type: Async
    NAS Port: -
    RADIUS Client:
    Client Friendly Name: Aironet2702i
    Client IP Address: 172.16.1.62
    Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: DTSWIRELESS
    Authentication Provider: Windows
    Authentication Server: xxxxxxxxxxxxxx
    Authentication Type: PAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 66
    Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
    So I will explain the problems I have seen:
    SSID DTS-Group uses EAP authentication with RADIUS and it is working great (the Authentication Type from the Aironet to RADIUS is PEAP).
    SSID L6-Webauthen-test uses web-auth, and I tried to combine it with RADIUS, but the ROOT CAUSE is that the default AUTHENTICATION TYPE from the Aironet to RADIUS is PAP (Reason Code: 66).
    => I have been trying to find out how to change the Authentication Type of Web-Auth on the Cisco Aironet from PAP to PEAP, or something like that, so it can be combined with RADIUS.
    Any idea or recommendation for me?
    Thanks for looking at my case.

    Hi Dhiresh Yadav,
    Many thanks for your reply,
    I will explain again to make my problem clear.
    In this case, I have completely set up SSID DTS-Group using PEAP authentication combined with a RADIUS server running on Windows 2008.
    I logged in to the SSID with an account created in AD => it works okay for me. Done.
    The problem occurs when I try to use web authentication on VLAN 45 with this SSID:
    dot11 ssid L6-Webauthen-test
       vlan 45
       web-auth
       authentication open 
       dot1x eap profile DTSGROUP
       mbssid guest-mode
    After configuring the Aironet and the Windows RADIUS server, I tried to log in with an account created in AD from a web browser, but it failed (I saw a mini popup saying "Authentication Fail"). So I went to the RADIUS server and searched the log in Event Viewer.
    This is my log file on the RADIUS server (Windows 2008):
    Network Policy Server denied access to a user.
    NAS:
    NAS IPv4 Address: 172.16.1.62
    NAS IPv6 Address: -
    NAS Identifier: Aironet2702i
    NAS Port-Type: Async
    NAS Port: -
    RADIUS Client:
    Client Friendly Name: Aironet2702i
    Client IP Address: 172.16.1.62
    Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: DTSWIRELESS
    Authentication Provider: Windows
    Authentication Server: xxxxxxxxxxxxxx
    Authentication Type: PAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 66
    Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
    I think the ROOT CAUSE is:
    PAP is the default authentication type for web-auth users on the Aironet 2702i, so it can't be combined with the Windows 2008 RADIUS server because it only supports PEAP (CHAPv1, CHAPv2, ...) => Please give me a tip on how to change the Authentication Type from PAP to PEAP for Web Authentication on the Aironet.
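    As an added example (not the poster's or Cisco's code, and with diagnosis wording that is mine, not NPS output), here is a small parser for the "Field: value" NPS denial event quoted in this post and in the first one, which pulls out the NAS, Authentication Type and Reason Code and flags the Reason Code 66 plus PAP combination the thread is about. The sample event is constructed in the shape of the quoted log, with values shortened.

```python
import re
# Constructed sample shaped like the NPS event quoted in the thread (not the real log)
SAMPLE_EVENT = """Network Policy Server denied access to a user.
NAS:
NAS IPv4 Address: 172.16.1.62
NAS Identifier: Aironet2702i
RADIUS Client:
Client Friendly Name: Aironet2702i
Authentication Details:
Network Policy Name: DTSWIRELESS
Authentication Type: PAP
EAP Type: -
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
"""

# 'Field: value' line; a bare 'Section:' header has an empty value
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 /\-]+?):\s*(.*)$")

def parse_nps_event(text):
    """Parse the event text into {section: {field: value}}."""
    sections, current = {}, "General"
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue                      # free-text summary lines
        name, value = m.group(1).strip(), m.group(2).strip()
        if value == "":
            current = name                # e.g. 'NAS:' opens the NAS section
            sections.setdefault(current, {})
        else:
            sections.setdefault(current, {})[name] = value
    return sections

def classify_denial(event):
    """Map reason code plus authentication type to a short diagnosis (my wording)."""
    auth = event.get("Authentication Details", {})
    code = auth.get("Reason Code", "?")
    method = auth.get("Authentication Type", "-")
    policy = auth.get("Network Policy Name", "?")
    nas_id = event.get("NAS", {}).get("NAS Identifier", "?")
    if code == "66" and method == "PAP":
        # Web-auth on the Aironet sends PAP, which a PEAP-only policy rejects
        return (f"PAP_NOT_ENABLED: policy '{policy}' rejects PAP from NAS '{nas_id}'; "
                "web-auth users need a policy that permits PAP, scoped to this NAS, "
                "or an EAP-based SSID instead of web-auth")
    if code == "66":
        return f"METHOD_NOT_ENABLED: '{method}' is not allowed by policy '{policy}'"
    return f"OTHER: reason code {code} ({method}) on policy '{policy}'"
```

    Because PAP carries the user password protected only by the RADIUS shared secret, keeping any PAP-permitting policy restricted to the web-auth NAS limits how far that weaker method can be used.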

  • 802.1x wireless authentication with certificates

    Hi.
    I have configured 802.1x authentication with certificates for wired connections, and it is working with no problem.
    When I try to authenticate the same machine with 802.1x and certificates on wireless, the ACS rejects it with:
    "12520  EAP-TLS failed SSL/TLS handshake because the client rejected the ACS local-certificate."
    The ACS is the same, the certificate is the same, and the root CA is the same.
    What's happening?
    Antero Vasconcelos

    What supplicant are we using for wireless authentication? Do we have the complete chain of certificates installed on the client machine? Can you check whether we have the root CA/intermediate correctly installed in the client and the ACS?
    ~BR
    Jatin Katyal
    **Do rate helpful posts**
