Sample config for wireless
Hi
Does anyone have a sample config for standalone Cisco AP1252 (Cisco IOS) for AD Authentication for wireless ?
Appreciated your kind reply.
The short version:
In config terminal mode:
-radius-server host auth-port 1812 acct-port 1813 key 0
-aaa authentication dot1x eap_methods group radius
Then you need to configure your ssid for dot1x:
-dot11 ssid
-authentication open eap eap_methods
-authentication network-eap eap_methods
This is only the part needed for radius interaction. This assumes that you already configured your SSID with according WPA settings.
That's about it I think.
If you want info about more commands or so, just check out this link:
http://www.cisco.com/en/US/docs/wireless/access_point/12.4_10b_JA/configuration/guide/scg12410b-chap11-authtypes.html#wp1002608
Similar Messages
-
Sample config for TACACS+ on ASA 8.22
I am looking for a sample configuration for doing TACACS+ on ACS 5.2 with an ASA 8.2.2.
Any help would be appreciated.
I think the following should just about do it. However, it is MUCH simpler to do this in the GUI.
aaa-server TACACS protocol tacacs+
aaa-server TACACS (management) host x.x.x.x key ****
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication serial console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa accounting ssh console TACACS
aaa accounting telnet console TACACS
aaa accounting serial console TACACS
aaa accounting enable console TACACS
aaa accounting command TACACS
Remember you need to create the network device in ACS with the same shared key.
Paul
-
Sample config for local switching of QLLC to Ethernet?
is it possible to switch a serial attached controller (PU2.0/2.1) over X.25 QLLC to a local attached Mainframe by ethernet?
We used Frame Relay across the WAN instead of X.25 and there were no problems with the implementation. Guess it would work with X.25 too. The following doc gives you the configuration.
http://www.cisco.com/warp/customer/488/48.html
-
I'm looking for a sample config for a IPS IDSM-2. I've been reviewing the configuration manual and love the excruciating detail, but would like to work from a sample config. Maybe just the basics to get started and then I can add stuff in later.
Any samples would be most appreciated.
Thanks,
Mike
You need to decide the mode you want to run your IPS in: Promiscuous or Inline (VLAN/Interface pair)?
Here are two examples from CCO:
https://www.cisco.com/en/US/products/sw/secursw/ps2113/products_configuration_example09186a0080876d9f.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a00809c37cb.shtml
Regards
Farrukh
-
Help setting up a Laserjet P1102w for wireless printing on a Mac
I'm trying to setup a Laserjet P1102w on my Mac for wireless printing, but it's not working. It will print fine using USB, but all the documentation for wireless setup is for Windows, not Mac. if I connect the printer via USB to my Mac, how will it get an IP address from my wireless network? Any help appreciated.
Hi Staxofjoy,
Based on the information you provided, and comparing to another post regarding this issue (link below) - It sounds like you are running 10.7 (Lion).
http://h30434.www3.hp.com/t5/Mac-Printing-and-Scanning/HP-Laserjet-P1102w-driver-for-Macbook-OS-X-Li...
Please go to the linked thread above, and look for the post by mikel1004 - he outlined the steps for connecting Adhoc to the printer very clearly.
Summary of what you will need to do:
1. Reset Printer to Defaults
2. Connect to printer via Adhoc from your Mac (This will disconnect you from your home wireless network)
3. Access HTML Config, and configure the printer's wireless settings manually from there.
4. Reconnect the Mac to the Home Network
5. Add the printer to the print queue.
Hope this helps
I am an HP Employee
Click the KUDOS Star to say "Thanks"
Please mark the post that solves your problem as "Accepted Solution"
-
DMZ Anchor WLC setup for Wireless Guest Access
I have the following setup.
A DMZ WLC 4402 connected to firewall DMZ interface in 10.10.73.0/24 network.
An Inside WLC 2106 connected to firewall Inside interface in 10.10.71.0/24 network.
Both WLCs are running the same 4.2.176 code.
DMZ WLC is anchor to itself and Inside WLC select the DMZ WLC as the anchor point.
I have setup EoIP between DMZ and Inside WLCs successfully with both the control and data path both show as UP status. >> "show mobility anchor"
The main issue: Clients cannot obtain IP addresses after connected to Guest SSID.
1. Inside WLC, the guest WLAN ingress is 802.11b/g radio and egress port is set to management interface (EoIP) of type WLAN.
What is the DMZ WLC setting? Is the ingress set to "802.11b/g" which does not make sense because the ingress is EoIP from Inside WLC?
Or I still set as 802.11b/g? Same config as Inside WLC? I read from other threads suggested by Terry that the config must be the same for both WLCs.
In the Inside WLC, I saw a lot of pdu encapsulation errors for broadcast packets which is ffff.ffff.ffff xxxx which I think is the DHCP request from the connected Wireless clients not making it through the EoIP tunnel. I have set static ip for the Wireless client but the packets cannot route through the EoIP tunnel to the far end.
2. DHCP server is provided by DMZ WLC with the scope 10.10.76.0/24. In the Inside WLC, which DHCP server IP address to set to? DMZ WLC mgmt ip address? DMZ WLC, the DHCP server is also set to DMZ WLC mgmt ip?
3. Layer 2 authentication. I read that DMZ WLC is supposed to be the DHCP server, Layer 2 or 3 authentication for Wireless Clients. However, it seems like Inside WLC is required to configure the Layer 2 authentication parameters and the DMZ WLC is set to providing the DHCP service?
4. Lastly, anyone has done DMZ WLC sending the Wireless clients traffic to Bluecoat proxy server before hitting the Internet?
Thanks.
One of the biggest things is to make sure the wlan is configured exactly the same. The DMZ WLC ingress is the management and also is the egress port. You can create a dynamic interface on the DMZ WLC, but this way makes things easier. The DMZ WLC should provide the dhcp, so the dhcp scope of course will be on the same subnet as the management of the DMZ WLC. The DHCP Server will be the ip address of the management interface of the DMZ WLC. The authentication also has to be configured exactly the same on the inside wlc and the DMZ wlc. Since you are pushing clients through the tunnel to the DMZ WLC, that is where clients will need to get their ip address, since that DMZ WLC has a network interface to the guest network. I haven't had luck when a proxy is involved, but I know there was a post a while ago on how to setup the proxy to allow the wlc to bypass the users initial dns resolution.
-
I suppose Cisco ISE sends a URL redirect to the switch and the switch presents it to the client in case of guest Access getting a URL redirect with User Acceptance Page (Wired Guests and not wireless).
My question here is, Do we need to configure http and https server on the switches (both supplicant and authenticator)?
I am sure it will need but just wanted a confirmation..
I have checked the configuration for supplicant and Authenticator switches for ISE and it has no where mentioned that part of the config.
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html (a problem of URL redirection and possible cause is mentioned) ------- makes me sure that the config is needed.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_010000.html
(config of supplicant and authenticator switch)---- nowhere mentioned of the http/https config for both switches.
Yes, it's needed. The http/s server within the switch is used to grab the http user traffic and redirect the traffic to the CWA portal, or a device registration portal, or even to the Mobile Device Management (MDM) onboarding portal.
ip http server
ip http secure-server
The info below I grabbed from Cisco ISE for BYOD and secure unified access book.
"Many organizations want to ensure that this redirection process using the switch's internal HTTP server is decoupled from the management of the switch itself, in order to limit the chances of an end user interacting with the management interface and control plane of a switch. This may be accomplished by running the following two commands from global configuration mode:
ip http active-session-modules none
ip http secure-active-session-modules none"
-
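A check for the two points made in the ISE URL-redirect answer above, as an added example (not from the original post, the quoted book, or Cisco): it reads a running-config and reports whether the HTTP/HTTPS servers needed for redirection are on and whether the `none` lines that keep them away from switch management are present. The function names, finding labels and sample configs are constructed for illustration.

```python
import re

# Global IOS commands named in the answer. The "server" lines enable the
# listener used for URL redirection; the "modules" lines restrict which HTTP
# applications that listener will serve.
_PATTERNS = {
    "http_server": re.compile(r"^(no\s+)?ip http server$"),
    "https_server": re.compile(r"^(no\s+)?ip http secure-server$"),
    "http_modules": re.compile(
        r"^(no\s+)?ip http active-session-modules(?:\s+(\S+))?$"),
    "https_modules": re.compile(
        r"^(no\s+)?ip http secure-active-session-modules(?:\s+(\S+))?$"),
}


def parse_http_state(config_text):
    """Return the last-wins state of the four commands in a running-config."""
    state = {"http_server": False, "https_server": False,
             "http_modules": None, "https_modules": None}
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # tolerate indentation and extra spaces
        if not line or line.startswith("!"):
            continue
        for key, pattern in _PATTERNS.items():
            match = pattern.match(line)
            if not match:
                continue
            negated = match.group(1) is not None
            if key.endswith("_server"):
                state[key] = not negated
            else:
                # A "no ..." form removes the restriction again.
                state[key] = None if negated else match.group(2)
    return state


def audit_redirect_http(config_text):
    """List findings: listener off (no redirect) or on without 'none' modules."""
    state = parse_http_state(config_text)
    findings = []
    for server, modules, label in (
        ("http_server", "http_modules", "HTTP"),
        ("https_server", "https_modules", "HTTPS"),
    ):
        if not state[server]:
            findings.append(label + "_SERVER_OFF")
        elif state[modules] != "none":
            findings.append(label + "_MGMT_MODULES_ACTIVE")
    return findings


# Constructed sample configs (not taken from any real device).
REDIRECT_ONLY = """
ip http server
ip http secure-server
"""
HARDENED = REDIRECT_ONLY + """
ip http active-session-modules none
ip http secure-active-session-modules none
"""
PARTIAL = """
no ip http server
ip http secure-server
ip http secure-active-session-modules none
"""

if __name__ == "__main__":
    for name, cfg in (("redirect only", REDIRECT_ONLY),
                      ("hardened", HARDENED), ("partial", PARTIAL)):
        print(name, audit_redirect_http(cfg) or "OK")
```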
Hi,
Anyone implemented nac for wireless layer 3 oob? This is using nac appliance not ise.
What I did is to configure wlc as per layer 2 oob setup. Configure svi 669 (authentication/quarantine vlan) on switches that’s with the wism. Pbr all vlan 669 traffic to test cas untrusted interface.
Problem now I’m not able to get an ip from dhcp after associating. DHCP works when tested on wired. Is there any additional config to be done on WLC or am i doing it right??
The test cas/cam are upgraded to ver 4.8.2.
Regards
Joachim
Everyone can make a mistake and it seems I made a big one :-)
L3 wireless OOB was not supported until the last version:
* Wireless L3 OOB RIP has been introduced in 4.8.2.
* In order to support wireless in L3 OOB RIP deployment, DHCP release and renew values were propagated from CAS to the client so that client can perform IP refresh.
* The configuration of WLC and AP's needs to be done like in Wireless L2 OOB VGW deployments.
* There are no ports in WLC hence Port profile is not required
* WLC allows only two VLAN's namely Quarantine (Auth) and Access VLAN's. Hence the support for User role Vlans is not there in Wireless deployments.
* iPhone/iPad support is also not present. Reason being IP address cannot be refreshed in iPhone/iPad due to lack of support for Java Applet/ActiveX.
* The authentication trap control needs to be checked in order for the WLC to send 599.0.4 trap.
-
Hello all,
I have a campus network with several remote sites, at the campus I have a 6509 at the core and 3560 and 3750 switches at the access layer. I do have QoS enable on the 6509 and I am using auto QoS on the 3560 and 3750 switches and all seems to be working fine with my existing VOIP environment. But now as I am in the middle of rolling out a video conferencing solution with the existing QoS config I am experiencing a noticeable delay between audio and video. Example like during a video call I can tell that the voice and the lips of the person speaking are not in synch.
Has anyone run into this issue ? can someone provide me a sample QoS config for the 6509 and 3560/3750 switches ?
P.S. I am using a Tandberg/Codian solution for video conferencing with Tandberg/Codian MCU, IP Gateway, ISDN Gateway and Tandberg endpoints. And both the endpoints and the back-end infrastructure devices and are set for IP Precedence 5.
Thank you very much in advance !!!
Danny
The main concern with configuring your back-end infrastructure devices with IP Precedence value 5 is that the 3560/3750 auto-qos will map this value to Q1 which is ordinarily the strict priority Q.
In most cases auto-qos will also configure or map Video to Q3, you can see this as a majority SRR bandwidth is assigned to the Q.
In order to use the strict priority queue, it has to be enabled on the interface 'priority-queue out', without it Q1 will not be emptied before the others. It will be serviced according to the weight.
With auto-qos Q1 will not have enough bandwidth as it will be assigned to Q3. Therefore you could initially enable priority-queue if not already enabled so that Q1 is emptied first, or you increase the weight.
The next question is whether you are using egress scheduling within the Core? and this conforms to your edge classification for Video?
HTH.
Allan
-
So I have been trying to setup trunking (got that done and tested) on a pair of CSS 11503's and now i would like to setup ASR, vr and vip redundancy to failover between them. Does anyone have any samples of how to do this with all public ips, all the cisco docs are for nat'd configuration which we do not run, everything would be public.
right now management of the css is done over vlan100 but the servers are in vlan150, different subnets obviously however what is messing me up is the docs are all saying to use outside public ips and inside for the servers. I only have public ips and don't have time to change anything to a nat...any help would be great
actually let me append my previous comment with a question..
since I am trunking up (to my 6509s) and down (to various switches)...what should my default route be on the CSS's
i have 2 vlan's right now
vlan 10
ip address 192.168.10.10 255.255.255.240
vlan 20
ip address 192.168.11.11 255.255.255.224
in my global however I am using
ip route 0.0.0.0 0.0.0.0 192.168.10.1 1
10.1 btw is a virtual (HSRP address) on my 6509's
11.1 would be the virtual (HSRP address) on my 6509's for vlan20 etc..
so yes my previous statement about the gateways for my web servers pointing to the CSS is true (redundant int), however if I have other servers on my switches that are not in the lb's groups and I point it those servers to my HSRP virtual for vlan20's 11.1 i cannot ping it... so what are my options cause I would rather not change gateways on some of the other machines that won't be load balancing.
I noticed in the trunking sample config the global had no route, but when i removed it, i couldn't get to anything (of course).
thanks again
-
Hi,
Can some one help me with a sample configuration for ACE20?
Rgds....Partha Acharya
here is a copy of my lab config.
switch/User1# sho run
Generating configuration....
logging enable
logging buffered 7
access-list PERMIT_ANY line 10 extended permit ip any any
access-list app line 10 extended permit ip host 192.168.20.41 any
probe http ACECFG-http
interval 5
faildetect 2
passdetect interval 10
request method get url /index.html
expect status 200 299
probe ftp ftp_probe
interval 10
passdetect interval 10
expect status 0 999
open 5
parameter-map type connection REPL
parameter-map type connection TCP
rserver host 20.20.20.20
ip address 20.20.20.20
inservice
rserver host REFLECTOR-10
ip address 192.168.60.10
inservice
rserver host REFLECTOR-11
ip address 192.168.60.11
inservice
rserver host REFLECTOR-12
ip address 192.168.60.12
inservice
rserver host REFLECTOR-13
ip address 192.168.60.13
inservice
rserver host REFLECTOR-14
ip address 192.168.60.14
inservice
rserver host REFLECTOR-15
ip address 192.168.60.15
inservice
rserver host linux1-48
ip address 192.168.30.48
rserver host linux2
ip address 192.168.20.41
inservice
serverfarm host 20.20.20.20
rserver 20.20.20.20
inservice
serverfarm host REFLECTOR
predictor leastconns
rserver REFLECTOR-10
weight 1
inservice
rserver REFLECTOR-11
weight 1
inservice
rserver REFLECTOR-12
weight 1
inservice
rserver REFLECTOR-13
weight 1
inservice
rserver REFLECTOR-14
weight 1
inservice
rserver REFLECTOR-15
weight 1
inservice
rserver linux1-48
inservice
serverfarm host linux2
failaction purge
probe ACECFG-http
rserver linux2
inservice
serverfarm host linux2-ftp
probe ftp_probe
rserver linux2 21
inservice
sticky ip-netmask 255.255.255.255 address source STICKY-REFLECTOR
replicate sticky
serverfarm REFLECTOR
class-map match-all NAT
2 match access-list app
class-map type http loadbalance match-all URL
2 match http url .*
class-map match-all VIP-250-80
2 match virtual-address 192.168.100.250 tcp eq www
class-map match-all VIP-250-ftp
2 match virtual-address 192.168.100.250 tcp eq ftp
class-map match-any VIP-REFLECTOR-254
2 match virtual-address 192.168.100.254 tcp eq www
policy-map type management first-match ALLOW
class class-default
permit
policy-map type loadbalance first-match 20.20.20.20
class class-default
serverfarm 20.20.20.20
policy-map type loadbalance first-match LB_linux2
class class-default
serverfarm linux2
policy-map type loadbalance first-match REFLECTOR
class class-default
sticky-serverfarm STICKY-REFLECTOR
policy-map type loadbalance first-match ftp-linux2
class class-default
serverfarm linux2-ftp
policy-map multi-match NAT1
class NAT
nat dynamic 1 vlan 100
policy-map multi-match SLB-REFLECTOR
class VIP-REFLECTOR-254
loadbalance vip inservice
loadbalance policy REFLECTOR
loadbalance vip icmp-reply
policy-map multi-match SLB1
class VIP-250-80
loadbalance vip inservice
loadbalance policy 20.20.20.20
loadbalance vip icmp-reply
class VIP-250-ftp
loadbalance vip inservice
loadbalance policy ftp-linux2
loadbalance vip icmp-reply
inspect ftp
service-policy input ALLOW
interface vlan 20
ip address 192.168.20.253 255.255.255.0
mac-sticky enable
access-group input PERMIT_ANY
service-policy input SLB1
no shutdown
interface vlan 100
ip address 192.168.100.2 255.255.255.0
alias 192.168.100.1 255.255.255.0
peer ip address 192.168.100.3 255.255.255.0
access-group input PERMIT_ANY
nat-pool 1 192.168.100.240 192.168.100.245 netmask 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.100.9
ip route 192.168.100.4 255.255.255.255 192.168.100.9
ip route 171.69.146.79 255.255.255.255 192.168.20.41
ip route 192.168.30.0 255.255.255.0 192.168.20.37
ip route 20.20.20.20 255.255.255.255 192.168.20.41
-
Basic internet config for t1 incoming wan
what would be a basic internet config on a t1 wic w/ a public ip and two fast ethernet ports? 1841 router. i'm trying to write up a checklist of everything the config should accommodate so i don't leave anything out.
hello johnny,
sample config of a T1 is as below:
Interface serial 0/0
service-module t1 clock source internal
service-module t1 timeslots 1-24 speed 64
service-module t1 framing esf
service-module t1 linecode b8zs
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
fair-que
no shut
make sure the framing and linecode are configured right. check this with the ISP... if your LAN is on a private range, you also might need to do a NAT/PAT over the T1 interface.. for NAT examples refer to the CCO. you also need a default route to the outside towards the t1 interface...
Hope this helps.. all the best. rate replies if found useful..
Raj
-
Wireless 3850 and Web-Auth for Wireless clients
Hi
I can't get the web-auth feature to work properly on the Catalyst 3850 for wireless clients.
Internet is all tested and there is full IP connectivity.
Issue is when I enable the webauth feature on the SSID. Incidentally when I enable the SSID to use consent it works.
I am using local authentication for the guest users.
When user logs onto the wireless, they get to the landing page, and are able to enter the credentials then there is a 30 second pause. The client detail says WEBAUTH_PEND and then a pop up window comes back as seen below
Config below
interface Vlan302
description **** Wireless Guest ****
ip address 10.145.224.161 255.255.255.224
ip helper-address 10.144.214.134
ip helper-address 172.17.2.56
ip http server
ip http secure server
ip dhcp snooping
wlan XXXXX 2 XXXXXX
aaa-override
accounting-list default
client vlan 302
ip flow monitor wireless-avc-basic input
ip flow monitor wireless-avc-basic output
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
security dot1x authentication-list WEB_AUTH
security ft
security web-auth
security web-auth authentication-list WEB_AUTH
security web-auth parameter-map vit_web
no shutdown
parameter-map type webauth vit_web
type webauth
security web-auth parameter-map vit_web
user-name Guest1
creation-time 1390837878
privilege 15
password 7 022D0156060F1B351D
type network-user description Temp-Guest-User guest-user lifetime year 0 month 1 day 0 hour 0 minute 0 second 0
user-name Guest2
creation-time 1390838016
privilege 15
password 7 0724244143000D1145
type network-user description Temp-Guest-User guest-user lifetime year 0 month 1 day 0 hour 0 minute 0 second 0
aaa new-model
aaa authentication login WEB_AUTH local
aaa authorization network WEB_AUTH local
Hey Greg,
Did you also define the global webauth parameter? I think I had to do this to get my 5760 "working" or as working as these new controllers can be.
parameter-map type webauth global
type webauth
virtual-ip ipv4 x.x.x.x wlc.whatever.org
max-http-conns 50
Also I had to enable http server in addition to secure server
ip http server
ip http secure-server
Are you using a self signed cert?
I saw windows clients take a long time to load the page when using a self signed cert.
MAC clients don't seem to work if you use the IOS or OSX based logon. You'll need to disable the auto logon and launch a browser for the redirect. There was a bug ID around this MAC problem which was supposedly resolved in 3.3.1SE but I still have the problem.
-Kyle
-
Can not connect All in one 209b to new router for wireless printing....
Have an HP laptop and All in one printer 209b. All was working fine, wired and wireless printing. Then we had to upgrade our ATT Uverse router. Everything works...even wireless laptop and printer when connected to laptop. However, can't get printer to printer wireless since it has the old router info. I used the disk but when it asks to you to pick the printer, I choose the printer but it says printer now found ??? what ???? and this is with the cable connected. I do not have the wizard on the touch screen but I did reset to factory settings hoping it would load new router info but it does not. How do you manually enter router into for wireless printing. Is it best to delete the printer and reinstall as new...wired and then wireless ???
I am about to call an outside company and pay the outrageous charge as the help on HP is not working. Thanks
Try this utility:
http://h10025.www1.hp.com/ewfrf/wc/document?docname=c02114394&cc=us&dlc=en&jumpid=reg_r1002_usen&lc=...
007OHMSS
I was a support engineer for HP.
If the advice resolved the situation, please mark it as a solution. Thank you.
-
Routine sample code for reading 2 fields from existing DSO
Hi Gurus,
I am a monkey when it comes to writing ABAP code. I have one DSO-A where we store accounting info of purchasing (from DS 2lis_02_acc) and one DSO-B getting data from 2lis_02_scl data source.
We need to write a routine to read DSO-A for G/L account and populate DSO-B G/L account field.
Please provide me the sample code for this.
Warm Regards,
Anil
Hi anil,
Create a local table that is the type of your source,
Data : LV_table TYPE XXXX
Use the select statement to read the table of the DSO. You have to use the active table for the DSO that you want to read data from.
Select xxxfieldxxx FROM /BIC/A..........50
into lv_table where
field name of schedule line, probably order no and item no.
<source-fields>-IOBELN = IOBELN
and <source-fields>-IOBELP = IOBELP.
Check the technical name, I am not sure about it. It will be something like that.
Cheers mate