QoS for wireless clients
hi
We would like to give more priority for laptops vs mobile phones/tablets in our corporate SSID. Today all of them connect to same SSID.
What would be the recommended way to carry this out?
1. We mark packets coming from laptops using a COS value
2. This COS /DSCP value need to be trusted on our switches
3. Controller assigns dedicated bandwidth to the laptops
4. All other devices get lesser bandwidth
the general idea is to make a distinction in terms of bandwidth available to clients .. Currently we plan to install 2600 AP's in our environment to cater to about 2000 equipment .. we have a tight budget in terms of number of antennas we can buy. So we plan to install around 32 antennas for supporting 2000 equipment and hence the need for prioritisation
Well you can mark the packets on the laptops to a higher COS level, that would work since the WLC will not mark a packet higher than what the 802.1p tag. The thing is what your trying to accomplish is a way to just give laptops more bandwidth that any other device, using one ssid. The issue I see is that all devices have to be able to use the encryption and authentication method for that one ssid. Also you can still oversubscribe an access point and even traffic for the laptops could affect each other. As long as the non-laptops don't also mark their traffic up, I think you would be able to set the traffic in the appropriate queues.
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered"
Similar Messages
-
Initial configuration of ACS 5.1 for EAP authentication for Wireless clients
Hi,
I have set-up with below devices :
Wireless LAN controller 5508
LAP 3302i
and ACS 5.1
since i am new in ACS 5.1 configuration , I need so information to go ahead to configure ACS 5.1.
which EAP method to use for wireless client authentication ? what is the best practice ?
I have gone through some cisco documents and it shows that best practice is to configure PEAP but for the same , I need to install certificate in ACS server as well in client PC. is that so ?
I have no clear picture for this certificate ?
from where i can get this certificate or do i need to purchase this certificate separately from cisco. how to install it in ACS server ?
I will be obliged to get atleast initial configuration for ACS 5.1 to enable the EAP method,
I need GUI based initial configuration for ACS 5.1
This mentioned ACS 5.1 is installed on ACS 1121 hardware appliance.Hi,
which EAP method to use for wireless client authentication ? what is the best practice ?
-> I would advise the most widely spread EAP method, which has the best ratio security/easy to deploy: PEAP with MSCHAPv2, which is available by default by all windows machines.
I have gone through some cisco documents and it shows that best practice is to configure PEAP but for the same , I need to install certificate in ACS server as well in client PC. is that so ?
-> You will always need to install a server certificate, however, there is no need for client certificate because the authentication is based on the MSCHAP credentials exchange, not certificate based. The only requirement on the client regarding certificates is the following.
If you want to validate the server certificate, you have to install the server certificate under the trusted CAs of the clients.
If you do not require to trust the server certificate, you can simply disable the option of server certificate validation.
I have no clear picture for this certificate ?
from where i can get this certificate or do i need to purchase this certificate separately from cisco. how to install it in ACS server ?
-> The server certificate can be a simple self signed certificate that you generate and install on the ACS GUI.
Please feel free to follow this step-by-step guide on
PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server:
http://www.cisco.com/en/US/partner/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml or in pdf
http://www.cisco.com/image/gif/paws/112175/acs51-peap-deployment-00.pdf.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
Network printers drop for wireless clients
I am having a serious problem with my Airport N. My Epson CF11NF (a laser all-in-one which is connected via ethernet to the Airport) is continuously disappearing for wireless clients. All the wired machines can see and print fine, but the printer becomes invisible for wireless clients. The problem is resolved by unplugging and plugging back in the Airport, but I am having to do this more than once a day, which is not acceptable.
Has anyone experienced this problem? Any advice on what is going on? Should I return the Airport? The wireless clients are all running OSX 10.5.1. The wired clients are all running OSX 10.4. Could this be the issue?Others are having similar issues and symptoms, however, I've seen no solutions yet. My Airport Extreme disappears also but access to the internet is unaffected. I can also still access my iMac from my MacBook (iMac still shows up in Finder as a shared volume), however, once the AEBS drops from view I can no longer access printers on the network. (One connected to a networked PC and the other connected to the AEBS.) Both Macs are running Leopard.
Anyway here's a link that others are using to discuss these issues. Good Luck. http://discussions.apple.com/thread.jspa?threadID=1197872 -
Wireless 3850 and Web-Auth for Wireless clients
Hi
I can't get the web-auth feature to work properly on the Catalyst 3850 for wireless clients.
Internet is all tested and there is full IP connectivity.
Issue is when I enable the webauth feature on the SSID. Incidentally when I enable the SSID to use consent it works.
I am using local authentication for the guest users.
When user logs onto the wireless, they get to the landing page, and are able to enter the credentials then there is a 30 second pause. The client detail says WEBAUTH_PEND and then a pop up window comes back as seen below
Config below
interface Vlan302
description **** Wireless Guest ****
ip address 10.145.224.161 255.255.255.224
ip helper-address 10.144.214.134
ip helper-address 172.17.2.56
ip http server
ip http secure server
ip dhcp snooping
wlan XXXXX 2 XXXXXX
aaa-override
accounting-list default
client vlan 302
ip flow monitor wireless-avc-basic input
ip flow monitor wireless-avc-basic output
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
security dot1x authentication-list WEB_AUTH
security ft
security web-auth
security web-auth authentication-list WEB_AUTH
security web-auth parameter-map vit_web
no shutdown
parameter-map type webauth vit_web
type webauth
security web-auth parameter-map vit_web
user-name Guest1
creation-time 1390837878
privilege 15
password 7 022D0156060F1B351D
type network-user description Temp-Guest-User guest-user lifetime year 0 month 1 day 0 hour 0 minute 0 second 0
user-name Guest2
creation-time 1390838016
privilege 15
password 7 0724244143000D1145
type network-user description Temp-Guest-User guest-user lifetime year 0 month 1 day 0 hour 0 minute 0 second 0
aaa new-model
aaa authentication login WEB_AUTH local
aaa authorization network WEB_AUTH localHey Greg,
Did you also define the global webauth parameter? I think I had to do this to get my 5760 "working" or as working as these new controllers can be.
parameter-map type webauth global
type webauth
virtual-ip ipv4 x.x.x.x wlc.whatever.org
max-http-conns 50
Also I had to enable http server in addition to secure server
ip http server
ip http secure-server
Are you using a self signed cert?
I saw windows clients take a long time to load the page when using a self signed cert.
MAC clients dont seem to work if you use the IOS or OSX based logon. You'll need to disable the auto logon and launch a browser for the redirect. There was a bug ID around this MAC problem which was supposedly resolved in 3.3.1SE but I still have the problem.
-Kyle -
Bridge does not work for wireless clients - connecting to existing network.
Hi - I really hope somebody can help out here, after hours of trial & error, I have finally given up
I need to connect my Airport Extreme Base Station to my existing network. I have a linksys router (192.168.15.1) connected to my modem and this linksys router acts as DHCP server too.
I suppose I have to use "bridge mode" for that to work. But should the linksys be connected to the AEBS using the AEBS's WAN or LAN port?
If I use "bridge mode", then wired computers to the AEBS works fine - getting an IP from the linksys etc. BUT, the wireless clients will have a self-assigned IP and not get through to the internet. It's like the AEBS will not allow wireless clients to "get through" unless AEBS itself is handing out IP addresses.
Page 36 of this manual ( http://manuals.info.apple.com/en/DesigningAirPort_Networks10.5-Windows.pdf ) shows the setup I want. But in the picture, it says "Ethernet WAN port" but the text says: "The Apple wireless device (in this example, a Time Capsule) uses your Ethernet network to communicate with the Internet through the Ethernet LAN port ( <--> )." I don't know which one to use, WAN or LAN - they show WAN but say LAN?
When I set it up as "share an IP address", the AEBS status tells me "double nat" and to change from "shared IP" to "bridge mode". I do that, and everything seems fine - for the wired clients. Now the wireless clients cannot connect, Airport on the MacBook Pro just say "Connection failed" and the MacBook says "Invalid password" (translated from danish), even though I set the Airport Utlity to save the password in keyring, so it should be correct... If I disable wireless encryption, the wireless clients will connect but get a self-assigned IP, and therefor not work (cannot get online)...
It seems the only way I can get wireless to work, is if I set AEBS up as DHCP, but then it won't be on the "same network" as the linksys (192.168.15.1), but rather on 10.0.x.x as I select. If I select 192.168.x.x within AEBS, I'm also getting some error messages, conflict/subnet thing.
Anyway - I really hope somebody knows how to get wireless clients to get an IP address from existing ethernet when connected to the AEBS.
Thanks!!I've given up and had to go back to running "Double NAT" which also reports as a "problem" within the AEBS, but I just "ignore" it so the light will always be green.
It still ***** though, as "Double NAT" is also a reason for "Back to my Mac" not working properly, but how the ** am I supposed to avoid Double NAT when the wireless will not work in bridged mode?! -
Can router dhcp different addresses to different vlans for wireless clients
is it possible for the router to hand out different ip's to wireless clients on different vlans?
Yes, the router needs to have a dhcp pool on each subnet and have an "interface Vlan x" for each vlan. It will then assign ips to clients in different vlans.
One vlan per SSID. -
WRT54GX2 Wireless Security Enabled DHCP blocked for wireless clients
Hey gang,
My subject says it all. Yesterday I updated my WRT54GX2 version 1's firmware to the latest and greatest.I first reset the box, and rebooted. I updated the firmware. On the first attempt I picked the wrong image file. The machine halted and told me bad image. I then found and installed the correct image. I then added an Admin password, and entered a new SSID. I left the DHCP settings at the default. I then set wireless security at WPA Personl/WPA2 with TKIP&AES.
I found the wired client could obtain an IP address and to connect to the internet. The wireless clients could connect, but could not obtain an IP address.
I left the wireless security settings off.
Any suggestions?The wireless security settings are correct. The wireless clients "CONNECT" to the WRT54GX2. The clients stall on obtaining an IP address via DHCP. Fixing the clients with static IP addresses also does not work.
I repeat: The wireless clients successfully connect to the WRT54GX2. The WPA/WPA2 & TKIP/AES settings are correct. The clients cannot receive a dynamic IP address.
On Friday I will reset the box for 30+ seconds. I doubt this will have any effect. I reset it on Tuesday twice on Tuesday, and still have the problem.
Any help appreciated.
-WJ -
I need to autheticate my clients connecting via wireless.
clients have user certificate installed on them, i need help configuring the ACS to do the authentication.
can some one please help me with the steps.
ThanksTwo primary steps
- define the trust certificates needed to verify the clients user certificates
Users and Identity Stores > Certificate Authorities
- change result of identity policy to select a certificate authorization profile. If have the defautl config
Access Policies > Access Services > Default Network Access > Identity
by default can select the "CN Username" as a result -
Dear Netpro Community,
I would like to know whether the following OID talks about the number wireless clients joining the AP at which OSI layer.
Rgrds,
BenoSry, the oid information is here:
Object cDot11ActiveWirelessClients
OID 1.3.6.1.4.1.9.9.273.1.1.2.1.1
Type Gauge32
Permission read-only
Status current
Units Device
Range 0 - 2007 -
Cisco ISE - Computer and User Authenticiation on AD for Wireless Clients.
Hello all,
I am trying to configure Cisco ISE to authenticate/authorize Wireless access with PEAP MsChapv2.
The AD user authorization works fine, but I cannot see on the logs a challenge for the computer verification (it must be a domain member).
I have found an attribute I would use for this action, but I cannot use it, because I don't see the challenge for the computer challenge.
Can you explain me if this fact is involved by the ISE configuration or by the client configuration ?
Thanks a lot for your help.
The followings screenshots show the logs appearing in the ISE :
Kind regards, Emeric.This is a great question and I wanted to add my input and I have a question as well. My understanding in order to do both Machine and User EAP-Chaining is required, which used EAP-FAST.
In my testing, when a domain box is configured for computer/user authentication. When the laptop started up it will authenticate with a host/ and sid in the log.
When the user logs in you then see the user ID.
For my benefit when rule are you talking about ?
Thank you -
DHCP only works for wireless clients on Time Capsule. How to fix?
Hi All,
I have a question concerning the DHCP server on my Time Capsule. I'm posting here because I think you network pros lurking in this forum probably have way more insightful advice than the n00bs in the Time Capsule forum
My DHCP server on the Time Capsule only works for clients connected wirelessly to that specific access point; clients plugged directly into the network via ethernet and through other APs do not receive a DHCP assignment from the Time Capsule.
How can I get the Time Capsule to serve DHCP addresses to EVERYONE on the network, not just clients connected via the Time Capsule?
Thanks,
ChrisI don't know that TC provides that. Switch the TC over to its bridged mode (also known as an Access Point or AP), and run a DHCP Server on Mac OS X Server (fodder for this forum) or a DHCP server on another available device. Less desirable though feasible (so long as the IP address pools are coordinated and non-overlapping with other pools or static addresses), run multiple DHCP servers.
-
Cisco ISE 1.3 using 802.1x Authentication for wireless clients
Hi,
I have stumbled into a strange issue trying to authenticate a user over wireless. I am using PEAP as the authentication protocol. I have configured my authentication and authorization policy but when I come to authenticate the authorization policy selected is the default which denies access.
I have used the 802.1x compound conditions for matching the machine authentication and then the user authentication
MACHINE AUTHENTICATION
match
framed
Wireless
AD group (machine)
USER AUTHENTICATION
match
framed
Wireless
AD group (USER)
was authenticated = true
Below are steps taken to authenticate any ideas would be great.
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15006 Matched Default Rule
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041 Evaluating Identity Policy
15006 Matched Default Rule
22072 Selected identity source sequence
15013 Selected Identity Source - AD1
24430 Authenticating user against Active Directory
24325 Resolving identity
24313 Search for matching accounts at join point
24315 Single matching account found in domain
24323 Identity resolution detected single matching account
24343 RPC Logon request succeeded
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
11824 EAP-MSCHAP authentication attempt passed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
24423 ISE has not been able to confirm previous successful machine authentication
15036 Evaluating Authorization Policy
15048 Queried PIP
15048 Queried PIP
24432 Looking up user in Active Directory - xxx\zzz Support
24355 LDAP fetch succeeded
24416 User's Groups retrieval from Active Directory succeeded
15048 Queried PIP
15048 Queried PIP
15004 Matched rule - Default
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
11003 Returned RADIUS Access-Reject
5434 Endpoint conducted several failed authentications of the same scenario24423 ISE has not been able to confirm previous successful machine authentication
Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
first thing to check is whether MAR has been enabled on the identity source. second thing to check is whether your machine is set to send a certificate for authentication. there are other things you can look at but I'd do those two first.
log off and on or reboot and then see if you at least get a failed machine auth on the operations>authentication page and we can go from there. -
Bandwidth Management for Wireless Clients
We are looking at putting in a solution at a hotel for Free Guest WiFI
The solution would cover 4 floors and about 120 rooms and some open areas .
In short the hardware would look as follows
2500 controller
1142LAP
2960 PoE switch
878 Adsl router for internet connectivity (20Mbps/1Mbps internet ADSL feed)
One of the concerns raised by the client is that they would like to make sure that no single user could eat up too much bandwidth creating problems for the rest of the users .
Can the above KIT or something similar achieve this objective? As far as I can think of we would require a Proxy server .
Thank youHi Scott,
Thank you for your response.
It would be better for users to not have to log on against a web interface. As this is a hotel they would not want to have the admin effort of creating/enabling/disabling users especially since this will be free.
Instead what would suit their needs is a sort of a protection mechanism against "crazy big" downloads . Ideally without the need of a 3rd party that would require them to buy a server as well .
Thanks
Michalis -
Does LAN leave more signal for wireless clients?
This may seem like a silly question, but...
My main computer is next to the extreme base station. If I run an LAN to it, will it essentially leave more signal for the 2 iMacs upstairs to access wirelessly?Actually the question is far from silly...
And you are right, while the Extreme can handle a large number of computers simultaneously, there IS a limit on bandwidth. So if the two upstairs iMacs were busy copying some files between each other, and you started downloading something from the internet on your main computer, it is possible that would cause the copying between the iMacs to slow down. But if the main computer was connected via the LAN port, the iMacs would be unaffected (assuming the Extreme can handle all the data on its internal circuitry at those rates).
I think the real question is how likely is the above scenario? If a computer is not actively using the wireless (actually sending or receiving data) then the bandwidth is preserved. It might just boil down to which is most convenient...
MacBook Pro Mac OS X (10.4.8) -
AX Setup tips for wireless clients?
This is driving me buggy. I have successfully use AX with my iBook and now my Macbook with no problems. But, whenever any other client wants to use my internet connection via AX, it indicates "connected to internet..." but will not load web pages.
I have checked "distribute IP addresses" in AdminUt, but there has to be some other setting I'm missing. Anyone??This is driving me buggy. I have successfully use AX with my iBook and now my Macbook with no problems. But, whenever any other client wants to use my internet connection via AX, it indicates "connected to internet..." but will not load web pages.
I have checked "distribute IP addresses" in AdminUt, but there has to be some other setting I'm missing. Anyone??
Maybe you are looking for
-
Hi All, Short dump is occuring while trying to activate the data in the ods. The ods consists of 5 million records. I have gone through the short dump analysis. The error is showing that the file system is full. Database error text........: "SQL0968C
-
File System Task - using a wildcard in variable
Hi,When using the "delete file" operation in the file system task I get an error stating that I have an incorrect path when using the wildcard symbol. Is there a way around this or do I have to spell out the whole name for each file in the directior
-
Iphone 4 will not sync with itunes on Windows 7 64 bit
My iphone 4 will not sync with itunes on Windows 7 64 bit. My computer recognizes the iphone but Itunes does not. Any suggestions?
-
Hi, I wold like to know if there is any way that I can invoke #{bindings.myVO.collectionModel.makeCurrent} from the backing bean. Thanks. Regards, K.Hein
-
How to copy a PLD in one database to another.
Hi, How can we copy a PLD in one database to the other without using Copy Express. I tried openin up the PLD in the Test DB and copying it over to the Live DB, using Edit copy and Paste, but it doesn't work.... Is there any other way it can be done?