Radius server web authentication using ISE

Similar Messages

• Guest Anchor with web auth using ISE guest portal

  Hello All,
  Before launching into my exact issues, could anyone confirm if they have completed a wireless Guest anchor setup using 2504 controllers on 7.4 as the anchor (5508 is the foreign) with webauth external redirection at ISE 1.1.3 using ISE Guest Services?
  I am attempting this for an internal POC and have hit a couple of issues. Firstly I am looking for correct configuration confirmation prior to going in depth with a couple of the issues. I've been using the TrustSec 2.1 how to guides to build the parts I am not strong on so if anyone has actual completed this setup, I'd love to go through it with you.
  massive thanks to anyone that can assist.
  JS.

  Thanks for the reply RikJonAtk.
  so to start with, based on the trust sec documents, of the guest WLAN on the anchor I need to configure mac filtering at the layer 2 security menu as well as enable RADIUS NAC under the Advanced tab. But when I do this, I get an error message that states that mac filitering and RADIUS NAC cannot be enable at the same time.
  Additionally, if I just enable the RADIUS NAC setting under the Advanced tab in the WLAN, I get another error message that states that the priority order for Web-Auth can only be set for radius, so I go to the AAA server tab and send local and LDAP to the not use column and hit apply. If I move to another menu then check the priority order again under the AAA servers tab, the local and LDAP have been moved back to the menu field to be used again.  So I initially though it might be a bug, but I was hoping to find someone here that has done this already and can look at my issues and maybe walk me through their configs, which I'll mirror and see how it goes.
  Thanks in Advanced,
  JS

• New client cant get ip from dhcp server (web authentication)

  We have WLC 5508 with two SSID staff (vlan 58, PSK auth) and customer (vlan 48, web auth)
  Recently, new client can connect to SSID staff without problem but It cant get IP when it connect to Customer SSID.
  many other client ( smart phone, laptop) which connect for few week still connect to Customer normally.
  DHCP server still have a lot of IP for wireless client. 
  We want to use firewall to make policy for Customer so we put gateway of vlan 48 on the firewall.
  Please check the dubug client file.
  Thanks.

  The debug just shows a single DHCP Discover attempt when attaching to WLAN with VLAN 48 interface.  It appears the client is simply not pulling an IP (not the WLCs responsibility), although you are using DHCP-Proxy.
  Can you put a wired client in VLAN 48 on the same switch as the WLC and have a client pull an IP?

• Web authentication using custom priovider in wl8 sp3

  I have built the custom Provider( and tested using the console) and its default provider. However I try invoking my loginmodule (j_security_check action in JSP, servlet filter ..) it does not get called. Is there any way I can get further debug info ,I can't see what else needs doing?

  I have built the custom Provider( and tested using the console) and its default provider. However I try invoking my loginmodule (j_security_check action in JSP, servlet filter ..) it does not get called. Is there any way I can get further debug info ,I can't see what else needs doing?

• Guest Portal Using ISE with Flexconnect Mode

  Folks,
  I have configured my guest web authentication using ISE with flexconnect mode like this:
  http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bcb905.shtml
  After done, I connect the SSID but cannot log in. I cannot get IP address and in the ISE I can see that my device has already hit my authorization profile and the status is pending. Can anyone help me with this?

  As Richard says, check to see if you have an IP address.  If not check the AP settings for FlexConnect.  Is the mode on the AP set right?  Please confirm that you are using FC local switching and not centralised switching? 
  Is the VLAN tagging enabled on the AP, and/or the VLANs on the AP switchport set right?

• Local Web Authentication Started after Central Web Authentication

  Hi everyone,
  We have a DMZ based anchor WLC for a guest WLAN. I have this WLAN configured for central web authentication using ISE 1.2, this works correctly and can login using the guest portal.
  However, after logging when browsing to a website everything is redirected to the local web authentication page and the policy manager state for the client goes in to a WEBAUTH_REQD state. I currently don't have any layer 3 security configured for this WLAN, so from my understanding it should just be using the central authentication provided by ISE.
  Thanks for your help.
  Mark

  Hi Mark,
  Thanks - that looks very similar to ours, though I'm doing the 3850 via the CLI as the web UI keeps dying when I click into things.
  I've realsed that I unticked the Authentication servers box instead of the Accounting as I miss-read the WLC page, however while the LWA no-longer kicks in, I'm unable to pass anything except DNS traffic.  The Anchor says that the client is in "Webauth" state so it looks like it's expecting something, but ISE says it's all ok and I can see the 3850 traffic going through the process flow.
  If I attach an AP to the WLC directly and have the accounting box ticked, then it all works exactly as I'd expect - this is just, well, odd....
  Warmest
  Kev

• How to create a Web Authentication Meathod using Server 2008 r2 ?

  HI, i am a NewBee in Server Managment. am using windows server 2008 R2 Enterprise Edition, with 2 NiC One is Connected to modem other one connected to Lan , using ICS for internet . i have 80 client computers , all clients have access to unlimited internet,
  i want to control them without 3rd part application, or  Create a Web authentication username and Password for users , is there any possible way to create a web authentication server in server 2008 r2 ? plz give me a proper guideline.....

  Hi,
  According to your description, my understanding is that you want to configure web authentication that allow the client to connect to Internet by password and user name.
  I am afraid that no function within Windows Server 2008 R2 may fulfill your requirement. 
  For better control of your clients, I would recommend you to configure the Windows Server 2008 R2 as an RRAS (dial-up) router(use NAT to assign private IP address for the internal network), and connect to the clients with intermediate device, such as hub,
  switch. Cooperate with NPS to provide authentication for network connection.
  3rd party software/device should be needed for configuring web authentication. Here is a deployment scenario just for your reference:
  Web Authentication Using LDAP on Wireless LAN Controllers (WLCs) Configuration Example
  http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/108008-ldap-web-auth-wlc.html
  Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
  Best Regards,           
  Eve Wang                                                                                            

• ISE 1.2 web authentication problem with wired clients

  Hello,
  i am having problems with centralized web authentication using a Catalyst 3650X with IOS 15.0.2 SE01 and ISE 1.2.
  Redirecting the client works fine, but as soon the client opens a web browser and ISE websites open to authenticate the client, the switch port resets, the authentication process restarts and the session ID changes. After the client enters the credentials a session expired messages appears on the client and i get an 86017 Session Missing message in ISE.
  here the output form the debug aaa coa log.
  Any ideas
  thanks in advanced
  Alex
  ! CLIENT CONNECT TO SWITCHPORT
  ISE-TEST-SWITCH#show authentication sessions interface gi0/3
              Interface:  GigabitEthernet0/3
            MAC Address:  001f.297b.bd82
             IP Address:  10.2.12.45
              User-Name:  00-1F-29-7B-BD-82
                 Status:  Authz Success
                 Domain:  DATA
        Security Policy:  Should Secure
        Security Status:  Unsecure
         Oper host mode:  multi-auth
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  N/A
                ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
       URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
           URL Redirect:  https://nos-ch-wbn-ise1.nosergroup.lan:8443/guestportal/gateway?sessionId=AC1484640000026B28C02CDC&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC1484640000026B28C02CDC
        Acct Session ID:  0x0000029C
                 Handle:  0x8C00026C
  Runnable methods list:
         Method   State
         dot1x    Failed over
         mab      Authc Success
  ! CLIENT OPENS INTERNETEXPLORER -> REDIRECTS TO ISE 
  ! SWITCHPORT GOES IN ADMINISTRATIVE DOWN STARTS AUTHENTICATION AGAIN
  ISE-TEST-SWITCH#
  191526: .Jun 24 10:42:24.340 UTC: COA: 10.0.128.38 request queued
  191527: .Jun 24 10:42:24.340 UTC: RADIUS:  authenticator 7F A9 85 AB F6 4A D0 F3 - B4 E6 F2 56 74 C6 2D 33
  191528: .Jun 24 10:42:24.340 UTC: RADIUS:  NAS-IP-Address      [4]   6   172.20.132.100
  191529: .Jun 24 10:42:24.340 UTC: RADIUS:  Calling-Station-Id  [31]  19  "00:1F:29:7B:BD:82"
  191530: .Jun 24 10:42:24.340 UTC: RADIUS:  Acct-Terminate-Cause[49]  6   admin-reset               [6]
  191531: .Jun 24 10:42:24.340 UTC: RADIUS:  Event-Timestamp     [55]  6   1403606529
  191532: .Jun 24 10:42:24.340 UTC: RADIUS:  Message-Authenticato[80]  18
  191533: .Jun 24 10:42:24.340 UTC: RADIUS:   E0 3C B2 8C 89 47 67 A8 69 F5 3D 08 61 FF 53 6E          [ <Ggi=aSn]
  191534: .Jun 24 10:42:24.340 UTC: RADIUS:  Vendor, Cisco       [26]  43
  191535: .Jun 24 10:42:24.340 UTC: RADIUS:   Cisco AVpair       [1]   37  "subscriber:command=bounce-host-port"
  191536: .Jun 24 10:42:24.340 UTC: COA: Message Authenticator decode passed
  191537: .Jun 24 10:42:24.340 UTC:  ++++++ CoA Attribute List ++++++
  191538: .Jun 24 10:42:24.340 UTC: 06D96C58 0 00000001 nas-ip-address(600) 4 172.20.132.100
  191539: .Jun 24 10:42:24.349 UTC: 06D9AC18 0 00000081 formatted-clid(37) 17 00:1F:29:7B:BD:82
  191540: .Jun 24 10:42:24.349 UTC: 06D9AC4C 0 00000001 disc-cause(434) 4 admin-reset
  191541: .Jun 24 10:42:24.349 UTC: 06D9AC80 0 00000001 Event-Timestamp(445) 4 1403606529(53A95601)
  191542: .Jun 24 10:42:24.349 UTC: 06D9ACB4 0 00000081 ssg-command-code(490) 1 33
  191543: .Jun 24 10:42:24.349 UTC:
  191544: .Jun 24 2014 10:42:24.365 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-RELEASE
  191545: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-WAIT
  191546: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT REMOVE
  191547: .Jun 24 2014 10:42:24.390 UTC: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL-OPEN| EVENT DETACH-SUCCESS
  191548: .Jun 24 2014 10:42:26.353 UTC: %LINK-5-CHANGED: Interface GigabitEthernet0/3, changed state to administratively down
  191549: .Jun 24 2014 10:42:27.359 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to down
  ISE-TEST-SWITCH#
  191550: .Jun 24 2014 10:42:36.366 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
  191551: .Jun 24 10:42:40.592 UTC: AAA/BIND(000002A7): Bind i/f
  191552: .Jun 24 2014 10:42:41.129 UTC: %AUTHMGR-5-START: Starting 'dot1x' for client (001f.297b.bd82) on Interface Gi0/3 AuditSessionID AC1484640000026C28C2FA05
  191553: .Jun 24 2014 10:42:42.580 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
  191554: .Jun 24 2014 10:42:43.586 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to up
  ! SESSION ID CHANGES, USER ENTERS CREDENTIALS 
  ! ERROR MESSAGE AT CLIENT "YOUR SESSION HAS EXPIRED"
  ! ERROR MESSAGE IN ISE "86017 SESSION MISSING"
  ISE-TEST-SWITCH#show authentication sessions interface gi0/3
              Interface:  GigabitEthernet0/3
            MAC Address:  001f.297b.bd82
             IP Address:  10.2.12.45
                 Status:  Running
                 Domain:  UNKNOWN
        Security Policy:  Should Secure
        Security Status:  Unsecure
         Oper host mode:  multi-auth
       Oper control dir:  both
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC1484640000026C28C2FA05
        Acct Session ID:  0x0000029D
                 Handle:  0x2C00026D
  Runnable methods list:
         Method   State
         dot1x    Running
         mab      Not run

  Guest authentication failed: 86017: Session cache entry missing
  try adjusting the UTC timezone during the guest creation in the sponsor portal.
  86017
  Guest
  Session Missing
  Session ID missing. Please contact your System Administrator.
  Info

• Cisco ISE: External RADIUS Server

  Hi,
  I would like to forward RADIUS from PSN to another PSN. I already defined "External RADIUS Servers".
  So, how can I use this external RADIUS server to process my request ?
  Looking at the user guide but didn't find any information about this setting (For rule based not simple rule)
  If anyone use this, please suggest this to me.
  Thanks,
  Pongsatorn

  Defining an External RADIUS Server
  The Cisco Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, the Cisco Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. The Cisco Cisco ISE accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS servers in the Cisco Cisco ISE to enable it to forward requests to the external RADIUS servers. You can define the timeout period and the number of connection attempts.
  The Cisco Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. This External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description or both.
  To create an external RADIUS server, complete the following steps:
  Step 1 Choose Administration > Network Resources > External RADIUS Servers.
  The RADIUS Servers page appears with a list of external RADIUS servers that are defined in Cisco ISE.
  Step 2 Click Add to add an external RADIUS server.
  Step 3 Enter the values as described:
  •Name—(Required) Enter the name of the external RADIUS server.
  •Description—Enter a description of the external RADIUS server.
  •Host IP—(Required) Enter the IP address of the external RADIUS server.
  •Shared Secret—(Required) Enter the shared secret between Cisco Cisco ISE and the external RADIUS server that is used for authenticating the external RADIUS server. A shared secret is an expected string of text that a user must provide to enable the network device to authenticate a username and password. The connection is rejected until the user supplies the shared secret. The shared secret can be up to 128 characters in length.
  •Enable KeyWrap—This option increases RADIUS protocol security via an AES KeyWrap algorithm, to help enable FIPS 140-2 compliance in Cisco ISE.
  •Key Encryption Key—This key is used for session encryption (secrecy).
  •Message Authenticator Code Key—This key is used for keyed HMAC calculation over RADIUS messages.
  •Key Input Format—Specify the format you want to use to enter the Cisco ISE FIPS encryption key, so that it matches the configuration that is available on the WLAN controller. (The value you specify must be the correct [full] length for the key as defined below—shorter values are not permitted.)
  –ASCII—The Key Encryption Key must be 16 characters (bytes) long, and the Message Authenticator Code Key must be 20 characters (bytes) long.
  –Hexadecimal—The Key Encryption Key must be 32 bytes long, and the Message Authenticator Code Key must be 40 bytes long.
  •Authentication Port—(Required) Enter the RADIUS authentication port number. The valid range is from 1 to 65535. The default is 1812.
  •Accounting Port—(Required) Enter the RADIUS accounting port number. The valid range is from 1 to 65535. The default is 1813.
  •Server Timeout—(Required) Enter the number of seconds that the Cisco Cisco ISE waits for a response from the external RADIUS server. The default is 5 seconds. Valid values are from 5 to 120.
  •Connection Attempts—(Required) Enter the number of times that the Cisco Cisco ISE attempts to connect to the external RADIUS server. The default is 3 attempts. Valid values are from 1 to 9.
  Step 4 Click Submit to save the external RADIUS server configuration.

• 10.6.4 Server L2TP VPN using external RADIUS - Authorization Failed

  I'm using 10.6.4 with VPN L2TP configured successfully using local user database for authentication. Now i want to configure the VPN to use Steel Belted Radius server for authentication (that hooked up to another LDAP server) for authentication.
  I've configured the VPN service to use the radius server, authentication to radius is occurring but i'm getting errors that the user is not authorized to use the VPN service.
  Is there a way to configure 10.6's VPN service to authorize any user that successfully authenticates against Radius?
  NOTE: I've played around with Server Admin's access for VPN, with it set to all users, everyone ect, this did not make any difference to the error i'm getting from the vpn service.
  Here's the log out put when the connection fails.
  2010-08-27 12:52:34 PDT Loading plugin /System/Library/Extensions/L2TP.ppp
  2010-08-27 12:52:34 PDT Listening for connections...
  2010-08-27 12:52:39 PDT Incoming call... Address given to client = 192.168.105.1
  Fri Aug 27 12:52:39 2010 : Directory Services Authorization plugin initialized
  Fri Aug 27 12:52:39 2010 : L2TP incoming call in progress from '[ip address redacted]'…
  Fri Aug 27 12:52:39 2010 : L2TP received SCCRQ
  Fri Aug 27 12:52:39 2010 : L2TP sent SCCRP
  Fri Aug 27 12:52:39 2010 : L2TP received SCCCN
  Fri Aug 27 12:52:39 2010 : L2TP received ICRQ
  Fri Aug 27 12:52:39 2010 : L2TP sent ICRP
  Fri Aug 27 12:52:39 2010 : L2TP received ICCN
  Fri Aug 27 12:52:39 2010 : L2TP connection established.
  Fri Aug 27 12:52:39 2010 : using link 0
  Fri Aug 27 12:52:39 2010 : Using interface ppp0
  Fri Aug 27 12:52:39 2010 : Connect: ppp0 <--> socket[34:18]
  Fri Aug 27 12:52:39 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x55fc9b88> <pcomp> <accomp>]
  Fri Aug 27 12:52:39 2010 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x7e9db3cb> <pcomp> <accomp>]
  Fri Aug 27 12:52:39 2010 : lcp_reqci: returning CONFACK.
  Fri Aug 27 12:52:39 2010 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x7e9db3cb> <pcomp> <accomp>]
  Fri Aug 27 12:52:39 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x55fc9b88> <pcomp> <accomp>]
  Fri Aug 27 12:52:39 2010 : sent [LCP EchoReq id=0x0 magic=0x55fc9b88]
  Fri Aug 27 12:52:39 2010 : sent [CHAP Challenge id=0xc8 <086a03234947113037497f4326585a1f>, name = "OSX SERVER"]
  Fri Aug 27 12:52:39 2010 : rcvd [LCP EchoReq id=0x0 magic=0x7e9db3cb]
  Fri Aug 27 12:52:39 2010 : sent [LCP EchoRep id=0x0 magic=0x55fc9b88]
  Fri Aug 27 12:52:39 2010 : rcvd [LCP EchoRep id=0x0 magic=0x7e9db3cb]
  Fri Aug 27 12:52:39 2010 : rcvd [CHAP Response id=0xc8 <5ad3c0cb063694e473f51c9252e007f400000000000000003701b4fa8e7b844e072cddeceefa73 173d7415c85cae976700>, name = "USERNAME"]
  Fri Aug 27 12:52:40 2010 : sent [CHAP Success id=0xc8 "S=934D6E79F45791A61C378789A4D719BC6F249574"]
  *Fri Aug 27 12:52:40 2010 : CHAP peer authentication succeeded for USERNAME*
  *Fri Aug 27 12:52:40 2010 : DSAccessControl plugin: User 'USERNAME' not authorized for access*
  *Fri Aug 27 12:52:40 2010 : sent [LCP TermReq id=0x2 "Authorization failed"]*
  Fri Aug 27 12:52:40 2010 : Connection terminated.
  Fri Aug 27 12:52:40 2010 : L2TP disconnecting...
  Fri Aug 27 12:52:40 2010 : L2TP sent CDN
  Fri Aug 27 12:52:40 2010 : L2TP sent StopCCN
  Fri Aug 27 12:52:40 2010 : L2TP disconnected
  2010-08-27 12:52:40 PDT --> Client with address = 192.168.105.1 has hungup
  Message was edited by: sarah mays

  I'm using 10.6.4 with VPN L2TP configured successfully using local user database for authentication. Now i want to configure the VPN to use Steel Belted Radius server for authentication (that hooked up to another LDAP server) for authentication.
  I've configured the VPN service to use the radius server, authentication to radius is occurring but i'm getting errors that the user is not authorized to use the VPN service.
  Is there a way to configure 10.6's VPN service to authorize any user that successfully authenticates against Radius?
  NOTE: I've played around with Server Admin's access for VPN, with it set to all users, everyone ect, this did not make any difference to the error i'm getting from the vpn service.
  Here's the log out put when the connection fails.
  2010-08-27 12:52:34 PDT Loading plugin /System/Library/Extensions/L2TP.ppp
  2010-08-27 12:52:34 PDT Listening for connections...
  2010-08-27 12:52:39 PDT Incoming call... Address given to client = 192.168.105.1
  Fri Aug 27 12:52:39 2010 : Directory Services Authorization plugin initialized
  Fri Aug 27 12:52:39 2010 : L2TP incoming call in progress from '[ip address redacted]'…
  Fri Aug 27 12:52:39 2010 : L2TP received SCCRQ
  Fri Aug 27 12:52:39 2010 : L2TP sent SCCRP
  Fri Aug 27 12:52:39 2010 : L2TP received SCCCN
  Fri Aug 27 12:52:39 2010 : L2TP received ICRQ
  Fri Aug 27 12:52:39 2010 : L2TP sent ICRP
  Fri Aug 27 12:52:39 2010 : L2TP received ICCN
  Fri Aug 27 12:52:39 2010 : L2TP connection established.
  Fri Aug 27 12:52:39 2010 : using link 0
  Fri Aug 27 12:52:39 2010 : Using interface ppp0
  Fri Aug 27 12:52:39 2010 : Connect: ppp0 <--> socket[34:18]
  Fri Aug 27 12:52:39 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x55fc9b88> <pcomp> <accomp>]
  Fri Aug 27 12:52:39 2010 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x7e9db3cb> <pcomp> <accomp>]
  Fri Aug 27 12:52:39 2010 : lcp_reqci: returning CONFACK.
  Fri Aug 27 12:52:39 2010 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x7e9db3cb> <pcomp> <accomp>]
  Fri Aug 27 12:52:39 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x55fc9b88> <pcomp> <accomp>]
  Fri Aug 27 12:52:39 2010 : sent [LCP EchoReq id=0x0 magic=0x55fc9b88]
  Fri Aug 27 12:52:39 2010 : sent [CHAP Challenge id=0xc8 <086a03234947113037497f4326585a1f>, name = "OSX SERVER"]
  Fri Aug 27 12:52:39 2010 : rcvd [LCP EchoReq id=0x0 magic=0x7e9db3cb]
  Fri Aug 27 12:52:39 2010 : sent [LCP EchoRep id=0x0 magic=0x55fc9b88]
  Fri Aug 27 12:52:39 2010 : rcvd [LCP EchoRep id=0x0 magic=0x7e9db3cb]
  Fri Aug 27 12:52:39 2010 : rcvd [CHAP Response id=0xc8 <5ad3c0cb063694e473f51c9252e007f400000000000000003701b4fa8e7b844e072cddeceefa73 173d7415c85cae976700>, name = "USERNAME"]
  Fri Aug 27 12:52:40 2010 : sent [CHAP Success id=0xc8 "S=934D6E79F45791A61C378789A4D719BC6F249574"]
  *Fri Aug 27 12:52:40 2010 : CHAP peer authentication succeeded for USERNAME*
  *Fri Aug 27 12:52:40 2010 : DSAccessControl plugin: User 'USERNAME' not authorized for access*
  *Fri Aug 27 12:52:40 2010 : sent [LCP TermReq id=0x2 "Authorization failed"]*
  Fri Aug 27 12:52:40 2010 : Connection terminated.
  Fri Aug 27 12:52:40 2010 : L2TP disconnecting...
  Fri Aug 27 12:52:40 2010 : L2TP sent CDN
  Fri Aug 27 12:52:40 2010 : L2TP sent StopCCN
  Fri Aug 27 12:52:40 2010 : L2TP disconnected
  2010-08-27 12:52:40 PDT --> Client with address = 192.168.105.1 has hungup
  Message was edited by: sarah mays

• Radius 802.1x authentication with computer AND users.

  Hi !
  I don't know if what I trying to do is possible so please excuse me if this sounds silly :)
  I have a Cisco Wireless lan manager where I've configure 2 differents SSID's : COMPANY and COMPANY_mobiles.
  What I want is to create a policy to restrict the access to the COMPANY SSID to only my company laptops with authenticaded users (both groups exists in the AD).
  Therefore I created a new policy with the following conditons :
  - NAS Port Type : Wireless
  - Client IPv4 Address : <my cisco ip>
  - Called Station ID : ^AA:BB:CC:DD:EE:FF:COMPANY$
  - Users Groups : EUROPE\MY_USER_GROUP
  - Machine Groups : EUROPE\Domain Computers
  When trying to connect a notebook on windows 7 to that COMPANY ssid, I'm beeing rejected with the following error :
  User:
      Security ID:            EUROPE\HOSTNAME$
      Account Name:            host/HOSTNAME.my.server.com
      Account Domain:            EUROPE
      Fully Qualified Account Name:    EUROPE\HOSTNAME$
  Authentication Details:
      Connection Request Policy Name:    Secure Wireless Connections
      Network Policy Name:        Connections to other access servers
      Authentication Provider:        Windows
      Authentication Server:       My.radius.server.com
      Authentication Type:        EAP
      EAP Type:            -
      Account Session Identifier:        -
      Logging Results:            Accounting information was written to the local log file.
      Reason Code:            65
      Reason:                The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network
  Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
  It therefore seems that it doesn't match my network policy and falls bacj to the default one.
  If I remove the user rule, and let the computer rule : Connection OK
  If I remove the computer rule, and let the user rule : Connection OK
  but if I put both, i can't connect :s
  Can someone help me with this issue ?
  Thanks a lot !
  Geoffrey

  Hi Geoffrey,
  I would like to know if
  EAP-TLS wireless authentication has been used since it uses user and computer certificates to authenticate wireless access clients.
  Please try to use NPS wizard to configure 802.1x wireless connection,
  and
  you will find that it
  creates new connection request policy and network policy. Network policy NAS Port type will be "Wireless -Other OR Wireless -IEEE 802.11".If
  you
  need filter by user and computer account, the log should show both authenticate user and machine account name.
  EAP-TLS-based Authenticated Wireless Access Design
  http://technet.microsoft.com/en-us/library/dd348478(WS.10).aspx
  Regards, Rick Tan

• WPA2-Enterprise + EAP (PEAP) and 802.1x to authenticate to RADIUS server NPS

  I need to connect my iPhone and my iPad to the corporate wireless network using WPA2-Enterprise and 802.1x to authenticate against a RADIUS server with my corporate user. What is the procedure to configure the clients? Certificates is not necessary on the client. Radius server is a NPS of Microsoft and the WLC is a 5508 of Cisco.
  thanks !!!

  WPA and WPA2 are all actually interim protocols that are used until the standardization of IEEE 802.11i standard. Wi-fi appliance decided that ratification and standardization of 802.11i standards will take more time. So, they came up with WPA.
  Now, WPA2 is advanced version of WPA. WPA2 uses AES as encryption algorithm. Whereas, WPA use TKIP as encryption mode which in turn uses RC4 encryption algorithm.
  WPA and WPA2 are actually are of 2 types respectively.
  WPA/WPA2-PSK - This is mainly for small offices. This uses Pre-Shared Key for authentication.
  WPA/WPA2 -Enterprise - This uses a RADIUS Server for authentication. This is an extension to 802.1x authentication. But this uses stronger encryption scheme(WPA uses RC4 and WPA2 uses AES).
  Any authentication mechanism that involves a separation authentication server for authentication like ACS server is called 802.1x authentication.
  EAP stands for Extensible Authentication Protocol. It refers to the type or method of 802.1x Authentication by the RADIUS/Tacacs server. A RADIUS server can authenticate a wireless client with various EAP methods.
  LEAP is one type of EAP. It uses username and password for authenticating wireless clients. LEAP is cisco proprietory.
  There are also EAP types which uses other user credentials like Certificates, SIM etc for authentcation.
  The following document might clarify your doubts.
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00805e8297.shtml

• Question about RADIUS server configuration with a MacBook Pro

  Hello,
  I own a modem router which is capable of WPA2 Enterprise and I want to use it with a RADIUS server for authentication and security purposes.
  However, I have a few doubts about this.
  MY CONFIGURATION:
  The modem router would be connected to a fixed PC with Windows and to a MacBook Pro (both with Ethernet)
  The RADIUS server would be running on the MacBook Pro (freeRADIUS)
  The bold is the issue, that comes when I disconnect the MBP (it's a notebook, so I use it disconnected from the router sometimes).
  Supposing the router would have recognized it (correct configuration), it would disconnect from it.
  My questions:
  Would Wi-Fi be lost in this manner? Or would the modem router automatically switch to another Wi-Fi authentication?
  If I reconnected the MBP to the modem router and re-run the RADIUS server, would I need to access the control panel and re-configure the WPA2 Enterprise in order for Wi-Fi to work again?
  Thanks in advance,
  Tyrexionibus

  "Full HD 3DD camcorder..." Marketing at it's best.
  This is HDV, right? HDV has the same data rate as DV...13.6GB/hour. But because of the MPEG-2 Long GOP format the HDV format employs, it can be a bit tough to edit, but mainly when rendering effects. IT will be slower than DV, and you can't monitor thru the camera like you can with DV, but a simple FW400 drive and Intel Mac will be fine. Better if you can convert to ProRes upon ingest, but then that eats up a LOT more space and requires at least FW800...
  http://library.creativecow.net/articles/poisson_chris/hdv-prores.php
  Shane

• Guest Parameter for Web Authentication

  Hi Forum,
  Just to find out a little more detail in regards to the guest account created for web authentication using Ambassador account.
  1) If the authenticated guest did not perform a proper logout, what action will the WLC take?
  2) As such, is there any timeout involved?
  Where can i tune the timeout?
  Rdgs,
  Kelvin

  Hi I just wanted to add what I have found regarding WCS and the guest feature.
  -There are two ways to configure a "local net user". The first is a static guest ID that has the "guest" flag off. This means that the client's session will not timeout. The second is to specify the "guest" user checkbox and give it a timeout value in seconds.
  This should let you control how long a user is logged in.
  From the WLC login, go to SECURITY --> LOCAL NET USERS --> then click on NEW. From there you can specify a user ID and also set that optional guest user box. If you click on the Guest User box then you will see a timeout field.
  With my guest account set to not be a guest user (no timeout value), I have noticed the following.
  1. If a guest gets disconnected, usually they will reassociate and still be able to log in.
  2. If a guest has problems, I usually tell them to disable their wireless card, close all browser windows, and then reassociate to the network.
  The steps above have worked well for my setup...

• 1240AG as WDS & Local Radius Server

  Have 5 1240AG's and want to use one as WDS and Local Radius Server.
  Am using the following as a guide:
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml#hw
  The above example uses a Cisco Secure ACS and designates both an AP and a WSLM as the WDS. I just want to use the AP as the WDS.
  Isn't it possible to do the whole thing just using a 1240AG as both the WDS and Local Radius Server and not use a Cisco Secure ACS or WSLM?
  Is there an online guide for such a thing? (looked, didn't find it)
  Appreciate the guidance
  Cheers

  Thanks, that's what I thought.
  I had found the WDS setup link but wasn't sure if I was missing something.
  The link you provided for the Local Radius Server setup is for "partners" only I believe? Can't access it.
  But I think I should be able to find some guides/examples somewhere else in the archives. I'm starting w/ these 2 links;
  https://www.cisco.com/en/US/products/ps6521/prod_configuration_examples_list.html
  and
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml
  Appreciated the heads up about port 1812.