Secure Wireless access?

Hi, I'm sure this has probably been covered before, but I couldn't find anything that did the trick by searching - if it's there please feel free to show me a link.
Anyway, I have a week 27 MBP and a Netgear router, DG834G. The problem is, I can connect to it via Airport but only if there is no security selected. As soon as I try to set any security there is always an error trying to connect.
Without security it connects fine and I don't have any other issues.... :?
Is this a hardware/firmware issue? Is there a simple way to get it to work (perhaps I am not setting it up correctly?)
Any help appreciated, thanks
arum

Well, I reset PRAM and the router and I can now get it working with MAC filtering, but still can't enable any encryption.
Can anyone here with the Netgear router walk me through the steps on both the Mac and the router that I need to take to set up WPA?
Thanks.
Oh, and it seems to connect to the network with WEP now but still no internet connection.

Similar Messages

  • Secure wireless authentication

    I have just been reading all the posts about secure wireless access and I am
    not happy with the direction Novell has chosen to take.
    I have been extremely pleased with Netware, GroupWise & ZenWorks but Novell
    is starting to lose its appeal.
    Let me summarize what I have learned and see if I have made any mistakes
    with my understanding.
    1. Novell has stopped development on their Radius server and have no plans
    to resume development.
    2. Novell contributed code to the open source FreeRadius project.
    http://www.novell.com/news/press/arc...2/pr05008.html
    3. There isn't any Radius server with 802.1x authentication that runs on
    Netware (Netware kernel).
    a. Novell's Radius server (BMAS or the newer NMAS server) doesn't do
    802.1x authentication.
    b. I have contacted Funk and this is their reply. Steel-Belted Radius
    Server will run on Windows and Solaris (Linux is coming).
    http://www.funk.com/News&Events/sbr_linux_pn.asp
    c. MTG House hasn't gotten back to me about a solution for Netware. (I
    am doubtful, I didn't find anything on their website.)
    4. You need to run a Radius server that does 802.1x authentication and will
    work/integrate with eDir.
    a. FreeRadius (Linux) will integrate with Edir.
    http://www.novell.com/documentation/...ius/index.html
    http://www.novell.com/coolsolutions/feature/15383.html
    b. Funk's Steel-Belted Radius server (Windows, Solaris & Linux is in
    beta).
    http://www.funk.com/radius/default.asp
    c. Aegis Server
    http://www.mtghouse.com/products/aeg...er/index.shtml
    5. You need a 802.1x Client to authenticate to a Radius server for wireless
    authentication.
    a. Microsoft has 802.1x support in their client. (read this from other
    posts in this forum)
    b. Novell isn't planning on putting 802.1x support in the NW Client.
    (read this from other posts in this forum)
    c. There are 2 Radius clients that integrate with the NW Client for
    Radius Edir authentication.
    1. Funk's Odyssey Client ($45 - $50 per workstation depending on
    quantity) + added annual maintenance costs.
    $2281.25 for 50 Client licenses & annual maintenance.
    http://www.funk.com/radius/wlan/wlan_c_radius.asp
    2. Aegis' Client ($32 - $39.99 per workstation depending on
    quantity) + added annual maintenance costs.
    $2240.00 for 50 Client licenses & annual maintenance.
    http://www.mtghouse.com/products/aeg...nt/index.shtml
    http://www.mtghouse.com/novell_app_note_122204.pdf
    3. When FreeRadius is integrated with Edir is this separate client
    still needed?
    I didn't see anything about a separate client being needed while
    reading the Integrating FreeRadius with Edir documentation.
    6. FreeRadius support is going to be built-in to the next version of Edir.
    http://www.novell.com/news/press/arc...2/pr05008.html
    Why didn't Novell contribute code to port FreeRadius to Netware?
    At this point in time they are still giving us a choice between the Netware
    kernel and the Linux kernel. To me that says they are willing to make
    things work with both systems until they drop support for the Netware
    kernel. Ok, so give me support for 802.1x authentication in the Netware
    kernel. I don't have stray single purpose servers floating around my
    network and I don't want to have to begin that practice just to get Radius
    802.1x authentication working.
    I also won't put my district at a disadvantage by upgrading to the Linux
    kernel until I know Linux well enough to administer it properly. I am the
    IT department at this district so I don't have a great deal of extra time to
    run about learning the new things I would LOVE to learn. I'm sure I'm not
    the only person in this situation so Novell should take these things into
    consideration before they just drop support for a product they say they are
    still supporting. Obviously all of the real support is going toward the
    Linux side at Novell.
    Daniel Blake
    Milford Central School

    Ok, I'll give them the benefit of the doubt and say fine the Netware kernel
    might as well be considered dead. So they are giving me support via
    FreeRadius if I just migrate to OES (Linux). Ok, I might/can live with that
    as a Novell decision.
    But that still doesn't explain why they don't give us some client to log in
    via 802.1x. Giving us the server but not the client is like giving us a
    locked door without a key. That's just plain stupid. I would rather stay a
    Netware - OES shop, but if Novell can't think something this simple through
    then I'm a little nervous about staying with them. What could they think up
    next?
    I guess Novell has decided to port all its software to Windows cause it
    sucks so bad at business decisions. GroupWise & ZenWorks run completely on
    Windows now, so why do I need OES at all? Except for complexity &
    integration issues of course. I mean why would I need to purchase Edir for
    Windows if I didn't stay with OES? Or Nsure Identity Manager for that
    matter. So if we start looking deeper into this we see Marketing all over
    this thing. Novell Marketing has always done such a good job for Novell.
    Novell has given me a real choice that will work though. If I migrate
    completely to a Windows network it just works without any added costs. Heck
    it even makes my installs easier without having to install the NW Client on
    every new workstation. I can still run ZenWorks & GroupWise too.
    Now, how is Novell Marketing going to screw up and make me hate GroupWise &
    Zenworks so I migrate completely away from Novell products? Way to go
    Novell!
    Daniel Blake
    Milford Central School
    "Jim Michael" <[email protected]> wrote in message
    news:[email protected]...
    > mcsdtech wrote:
    >
    >> 1. Novell has stopped development on their Radius server and have no
    >> plans to resume development.
    >
    > Correct, so far as we know.
    >
    >> 2. Novell contributed code to the open source FreeRadius project.
    >> http://www.novell.com/news/press/arc...2/pr05008.html
    >
    > Yes. Code to allow easier integration with eDirectory.
    >
    >> 3. There isn't any Radius server with 802.1x authentication that runs on
    >> Netware (Netware kernel).
    >
    > Correct.
    >
    >> a. Novell's Radius server (BMAS or the newer NMAS server) doesn't do
    >> 802.1x authentication.
    >
    > Correct. It was developed quite a while before 802.1x even existed.
    >
    >> b. I have contacted Funk and this is their reply. Steel-Belted
    >> Radius Server will run on Windows and Solaris (Linux is coming).
    >> http://www.funk.com/News&Events/sbr_linux_pn.asp
    >
    > Correct, but Steel-Belted Radius is probably the last solution I would
    > look at. Radiator is a commercial product that runs on Linux or Windows
    > (it is Perl-based) and you will get far better support from them on
    > eDirectory issues and general Radius problems. freeRADIUS is what I would
    > run on Linux if you don't want to spend a dime on the software.
    >
    >> c. MTG House hasn't gotten back to me about a solution for Netware.
    >> (I am doubtful, I didn't find anything on their website.)
    >
    > Not familiar with them.
    >
    >> 4. You need to run a Radius server that does 802.1x authentication and
    >> will work/integrate with eDir.
    >> a. FreeRadius (Linux) will integrate with Edir.
    >> b. Funk's Steel-Belted Radius server (Windows, Solaris & Linux is
    >> in beta).
    >
    >> c. Aegis Server
    >
    > And Radiator (what I run) http://www.open.com.au This is the solution we
    > run.
    >
    >> 5. You need a 802.1x Client to authenticate to a Radius server for
    >> wireless authentication.
    >
    > Correct.
    >
    >> a. Microsoft has 802.1x support in their client. (read this from
    >> other posts in this forum)
    >
    > Correct. Technically, the "support" is in Windows, not the MS client.
    >
    >> b. Novell isn't planning on putting 802.1x support in the NW Client.
    >> (read this from other posts in this forum)
    >
    > Correct.
    >
    >> c. There are 2 Radius clients that integrate with the NW Client for
    >> Radius Edir authentication.
    >> 1. Funk's Odyssey Client 2. Aegis' Client ($32 - $39.99 per
    >> workstation depending on
    >
    > Correct.
    >
    >> 3. When FreeRadius is integrated with Edir is this separate
    >> client still needed?
    >
    > Yes. You ALWAYS need a 802.1x supplicant (client) on the workstation.
    > Windows has one built-in, which works FINE against eDirectory. HOWEVER,
    > because of the way it works you must log into eDirectory *after* fully
    > logging into windows. That is unacceptable to most organizations (you
    > would have to manually log in and map drives to NW, etc). This is why
    > there are third-party clients that integrate specifically with the NetWare
    > client.. they allow the 802.1x authentication to "insert" itself
    > in-between the Windows and eDirectory login, thus preserving all of the
    > normal features like dynamic local user, zen policies, etc.
    >
    >> I didn't see anything about a separate client being needed
    >> while reading the Integrating FreeRadius with Edir documentation.
    >
    > A client is always assumed.
    >
    >> Why didn't Novell contribute code to port FreeRadius to Netware?
    >
    > Because Novell's future direction is Linux, and there isn't much demand
    > for a NetWare Radius server.
    >
    >> At this point in time they are still giving us a choice between the
    >> Netware kernel and the Linux kernel. To me that says they are willing to
    >> make things work with both systems until they drop support for the
    >> Netware kernel. Ok, so give me support for 802.1x authentication in the
    >> Netware kernel. I don't have stray single purpose servers floating
    >> around my network and I don't want to have to begin that practice just to
    >> get Radius 802.1x authentication working.
    >
    > You can always make your wishes known at
    > http://support.novell.com/enhancement
    >
    >> I also won't put my district at a disadvantage by upgrading to the Linux
    >> kernel until I know Linux well enough to administer it properly. I am
    >> the IT department at this district so I don't have a great deal of extra
    >> time to run about learning the new things I would LOVE to learn. I'm
    >> sure I'm not the only person in this situation so Novell should take
    >> these things into consideration before they just drop support for a
    >> product they say they are still supporting. Obviously all of the real
    >> support is going toward the Linux side at Novell.
    >
    > I understand the frustration, but I doubt things will change. There is a
    > big difference between "supporting" existing products and adding major
    > enhancements to products to support new standards. I just don't think
    > Novell believes it is worth dedicating development resources to enhancing
    > Radius on NetWare, for those few that can't/won't run a Linux or Windows
    > box where the software already exists.
    >
    >
    > --
    > Jim
    > NSC SYsop

  • Apple TV 2G (Airplay and Homesharing) can only stream from devices on the same wireless access point range??

    connection:
    40 Mbps Fiber Broadband connection using:
    Devices:
    1. Main Modem/router (AP1): Huawei HG8245 (provided by ISP) - Wireless enabled.
    2. Remote Access point (AP2): Linksys/Cisco E3200 Wireless gigabyte router flashed with DD-WRT v24-sp2 (06/14/11) mini (Cascaded -wired- LAN to LAN from main modem).
    3. Wireless Repeater to cover a dead spot  (AP3): Linksys/Cisco E1000 wireless repeater.
    4. Apple Tv (AT2G) with home sharing/airplay enabled.
    5. (iPad) with home sharing on iTunes enabled.
    6. Win7 (PC) using iTunes with Home sharing enabled.
    All devices are updated to their latest firmware.
    In order to cover a large 3-story house with Wifi, (AP1) is located on the first floor, while (AP2) is located in the basement floor, directly wired LAN to LAN with (AP1). (AP3) is located on the ground floor away from the living room to repeat the wireless network into the back yard, while (AT2G) is located in the living room on the ground floor right in the middle of both (AP1) + (AP2) and connected via Wifi.
    Network SSID, security, passphrase and wireless settings of (AP2) are identical to (AP1) to create a single big LAN/WLAN roaming network where all devices connected to both wireless access points can find/share the others. As understood, it's referred to as bridging.
    I have noticed that my iPhone/iPad does not show the AirPlay button anywhere within the wireless network. It seems that the Apple TV randomly chooses to connect to the AP with the stronger signal, or switches to the other in case of a reboot of one of them.
    To elaborate further, if I was sitting in the living room (ground floor), trying to AirPlay some YouTube content via Wifi to my Apple TV, I may not find the AirPlay button available all the time. I found out the reason is that while I'm wirelessly connected to AP1, the Apple TV was connected to AP2 and both devices cannot detect each other to enable my purpose. The same goes for Home Sharing: only if my iPad/PC and Apple TV are on the same wireless AP would they detect each other immediately.
    Although, the second AP (AP2) is supposed to extend my wireless network of the same subnet in which any connected device can be found.
    After all sorts of trial and error tweaking my router/access point, I thought the problem would be due to the Linksys 3200's capability of bridging WLAN and lacking a few protocols that enable my purpose. I have flashed the firmware to DD-WRT, but again, the problem was not solved.
    I have not tried having my Apple TV wired to either router/AP, but I assume it may work well if I do so. I still need to solve this wireless connection issue though.
    Am I the only one with this problem? Would there be something wrong with my setup?
    Your feedback is highly appreciated.

    You may or may not already have your network set up correctly, it's just that I can't tell from what you have said.
    I have a main router provided by my ISP, I have several other Airport Extremes and Airport expresses connected by Ethernet, all set up to bridge the network created by the main router.
    Each maker has their own settings, but bridging should be reasonably obvious. In simple terms my main router distributes IP addresses to all devices, the Airports bridge that network by passing these addresses to the devices from the main router. A base station that isn't in bridging mode will distribute its own addresses to the devices connected to it.
    I don't really follow your next point.
    Instructions for configuration vary from manufacturer to manufacturer; the best course of action here is to refer to the manual. If everything is set up properly, the addresses of everything on your network will have identical sets of numbers for the first 3 of 4 groups of numbers that make up an address; the last set must always be different. I think the part you are referring to with your DD-WRT is the option to have Ethernet and wifi bridged or not.
    Some routers may be easier to configure than others, but generally speaking they should all work with the Apple TV. 5 GHz is less likely to suffer interference but it is much more likely to be blocked by solid objects; it may or may not be an advantage.

  • How to set-up Guest Client Wireless Access "PIN" with Restricted Access ???

    This is my first time, and, I am not familiar with the rules.
    Is it possible for someone to answer a slightly different question...
    I just bought a TC and hooked it up to my cable modem. I have 3 computers that I want to configure, with the following requirements: WPA/WPA2 security all around, only the 3 computers I have to be allowed use of the TC, and, no listing of the network should appear on remote computers (i.e., a "closed network"). With these basic needs, the three computers I want to be in this network are listed below --- subject to the following ACCESS limitations:
    1. A G4 iMAC (10.5.5), wired to the TC via an Ethernet cable: FULL ACCESS; i.e., shared file access, TM back-ups, HP printer access, internet access;
    2. A MacBook (10.5.5), airport wireless access to the TC: FULL ACCESS, as the iMAC.
    3. A (new generation) PC laptop: VERY LIMITED access --- access only to the internet, so that the TC looks only like a "wireless router." Internet access available at any time of the day or week. It would be good if this client did not have to use any of my passwords, just a "PIN." Also, I do NOT want this PC client to see my printer, and, also, to NOT see my TC base station and NOT have access to my TC/TM disks. To set this up, I entered the PC laptop name and the "MAC" address using the Airport Utility. Then, I selected the "PIN" choice for access, so that this client need not have to ever use or know of any of my passwords. After I selected the "PIN" option, the utility asked me to enter the PC client's PIN. How do I obtain the PC's PIN? This is very confusing to me, so, I apologize to you all (I'm very new at this).
    Hopefully, this TC-only network concern is within the guidelines to be answered.
    Thanks,
    David.

    Dear Smokerz,
    Well, this is where I'm confused. I did use the Airport Utility. I went to the place where it asks for the PIN number. So, I made up an 8-digit number and entered it. I assumed that after I entered the number, it would prompt me to do something with the PC. But, the "Continue" button did not become highlighted. Hence, my confusion. Can you please be more specific as to exactly what I should do using the Airport Utility? The detailed instructions are vague to me, unfortunately.
    Also, with respect to the PC Laptop: I only want it to have access to the internet via the TC (so that the TC acts as a wireless router). And, I want to set up restrictions for limited use of the PC: NO ACCESS to the HP printer, and NO ACCESS to the TM/TC (other than as a wireless router). As before, can you please be more specific as to exactly what I should do using the Airport Utility?
    I must be missing a trivial menu item, so, again, I apologize.
    Thank you,
    David.

  • Is it possible to remove the iphone history of wireless access points to which you've connected?

    So.... I work in a place where there is a lot of security and snooping.  There are folks specifically assigned to track down phones in unauthorized places.  Their enthusiasm is sometimes annoying.
    I leave my phone in a locker outside of the restricted area.  However, I recently overheard some of the "snoops" discussing a phone that they had found.  They were discussing a specific wireless access point that was in that phone's history, that caused some discussion.  Although the phone was located in the locker area, they had apparently discovered it and examined it.
    It was my phone.
    One obvious course of action is to make sure the phone is always turned off (which I will do), but they have now identified my phone by the APs to which I connect, and I'd like to erase that history.
    Is it possible?
    Thank you.

    Settings > General > Reset > Reset Network Settings.

  • IOS 6.0.1 - Problems with certificate based authentication on wireless access point

    Hi all
    We have been using iPad 2s as order terminals in our shops for about 5 months. Some of the iPads (the first to enter the field) have started to cause problems now. These iPads are no longer able to keep a long-term connection to the wireless access point in our stores. After selecting the SSID, a successful authentication using the stored EAP-TLS certificate is performed (this can be seen in the log files of our wireless controller and by the IP address that is given by DHCP). But within seconds the affected iPads open a captive portal page (empty, without contents) and disconnect from the SSID again after a short time.
    Affected are currently only iPad 2s with iOS 6.0.1, which were staged about 5 months ago. The newer devices with iOS 6.1+ connect without problems and open no captive portal page. The first cases occurred last Wednesday. Before that everything worked without difficulty. No modifications were made to the security structure. The number of affected devices increased until all iOS 6.0.1 devices were affected.
    Access to other SSIDs (without use of certificates, by entering a key) is still possible for the devices (the devices do not open a captive portal page). The DHCP scope is not used up, so there are enough IP addresses available.
    "Newer iPads" with iOS 6.1+ are showing no problems on the same wireless access point where the older devices are rejected. New and old devices use the same certificates and authentication mechanisms.
    In the analysis of the issue, it turned out that the problem can be solved by an update to iOS 6.1.3. Subsequently, the iPads are able to rebuild a connection with the access point, without a captive portal page.
    Since the bandwidth in our stores is very narrowly dimensioned, the communication of the iPads was severely restricted. Thus, the iPads, for example, are accessible for the APNS but cannot find iOS updates or check for their availability.
    A comprehensive update to iOS 6.1.3 is currently excluded.
    Does anyone know this issue? What else can be done (apart from updating)?

    I will answer my own question in case it helps anyone else.
    It would "seem" the ios 6 devices try the proxy and if that is not working they resort to the def gateway.
    To Fix I did the following:
    Brocade WIFI network has IPS and Advanced Firewall rules that seemed to be thwarting some traffic; the iPhones would then try the default gateway and be blocked at the FW.
    I disabled the IPS and the Advanced Firewall Settings on the wifi as they are redundant to our main IPS and firewall that all traffic flows through anyway.  I will tune it later, but when the CEO is demanding a fix "**** the security, full speed ahead"
    Created some rules on the firewall to allow...
    - IMAP-SSL (port993) outbound
    - SMTPS (port 465) to yahoo servers outbound
    - tcp port 587 to yahoo servers outbound
    - https to akamai servers
    Most http and https goes through the proxy as it should, BUT...
    It seems that the akamai traffic always ignores the wifi proxy settings and just heads straight for the default gateway.  I suspect there is a bug in the icloud app?
    Hope this helps someone else.
    -Bo

  • HP Deskjet 3050 - Unable to connect to WPA secured wireless network

    Hello,
    My first post here so please excuse any faux pas on my part.  I bought this HP Deskjet 3050 a week ago and have been waging war with it ever since.  I'd be really grateful if someone could possibly advise on how I can resolve this.
    I am unable to connect the printer to my secured wireless network, even though other computers, cell phones, etc. are connected without issue.  I have tried WPA, WPA2 and WPA2-Mixed security modes with the same failure. Specifically, the connection wizard reaches 66% and then displays the error that the wizard is unable to find network/printer.  If I disable the security, the printer connects fine.
    I'm using a Linksys WRVS4400N router with firewall and associated firewall settings disabled.  The router is broadcasting on 802.11G/N mixed mode.
    I'm installing the software supplied on the setup CD on a Windows XP SP3 system.  I have confirmed that the network the PC and printer are connected to are the same.
    A question as well, if I may:  I haven't tried these drivers yet but I see there are updated drivers for the printer dated 14/12/2010.  The release notes indicate improved networking, but don't elaborate beyond this.  Does anyone know if there was a known problem with connecting to secured networks that has now been fixed?
    Finally, just a note that I'm partially sighted and am using a screen reader on all systems.  I'll try my best to be as helpful as I can but please do excuse me if I occasionally can't find settings, etc. on screen and need a bit more detailed help.
    Thanks in advance for your help, which I really will appreciate.
    Have a pleasant day,
    All the best for now and take care,
    Hussein.
    It's not the fact it can't be done, it's the fact it hasn't been done, yet.

    Hi,
    Firstly, apologies for the delay getting back to you.  Poor health has meant I've had little time nor inclination to do much on the computer side of things.
    Anyway, I'm pleased to say the problem with the HP 3050 failing to connect to my network is now solved.  It seems to be a bug with the setup software, and that seems to include the latest version posted Dec 2010.
    To resolve the problem, I did the following:
    1. Disable all security options for the network, so it's just an open network.
    2. Connect the HP 3050 to the network using the setup wizard. This time it connected OK for me.
    3. Locate the printer's IP address.  I used the client list table accessed through my router's interface. You may be able to get this through the printer's on-screen menu, but as I'm partially sighted, this wasn't an option for me.
    4. Log into the printer's control panel at http://ip.address.of.printer e.g. http://192.168.2.108
    5. Under the advanced options, configure the settings for the network, including security protocol and passphrase.  Remember to enter the SSID of the network exactly as configured on the router.
    6. Apply the settings and log out of the printer's control panel.
    7. Log back into the router's control panel and re-apply the security options.  Be sure that they match those entered for the printer.
    Hopefully this will be of use to others in the same position.
    Thanks again for your time.
    Best,
    H.
    It's not the fact it can't be done, it's the fact it hasn't been done, yet.

  • Setting up webauth for guest wireless access

    Hi there,
    I'm trying to set up guest wireless access.  Having no experience with this at all, I'm beginning to struggle.
    Equipment:
    2x 3850 stacked and acting as one switch running 03.06.00E
    4x 1602E AP's registered to the WLC running on the 3850
    The infrastructure is sound and corporate wireless access works ok.
    I need a config that allows a guest user to connect to the guest SSID, DHCP an address, then when they open a browser, they are automatically redirected to a splash screen for them to log on. Once they log on with the supplied username and password they are then forwarded to whatever site it is they wish to go to;  So far my config looks like this (removed unnecessary parts for brevity);
    Building configuration...
    user-name test
     creation-time 1414684496
     privilege 0
     password 7 051F031C35
     type network-user description test guest-user lifetime year 0 month 0 day 0 hour 23 minute 59 second 4
    aaa new-model
    aaa authentication login aaa_guest_webauth local
    aaa authentication login local_login local
    aaa authorization exec local_authorise local
    aaa authorization network guest_authorisation local
    aaa authorization credential-download default local
    aaa session-id common
    switch 1 provision ws-c3850-24t
    switch 2 provision ws-c3850-24t
    service-template webauth-global-inactive
     inactivity-timer 3600
    service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
    service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
    service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
     voice vlan
    spanning-tree mode pvst
    spanning-tree extend system-id
    hw-switch switch 1 logging onboard message level 3
    hw-switch switch 2 logging onboard message level 3
    parameter-map type webauth global
     virtual-ip ipv4 1.2.3.4
    parameter-map type webauth guest-webauth
     type webauth
     redirect on-success http://www.google.com
     banner text ^CC test text test ^C
     custom-page login device flash-1:login.html
     custom-page failure device flash-1:failed.html
    class-map match-any non-client-nrt-class
    policy-map port_child_policy
     class non-client-nrt-class
      bandwidth remaining ratio 10
    interface VlanXXX
     description "Guest-Access-VLAN"
     ip address 10.x.x.126 255.255.255.128
     ip helper-address x.x.x.x
     ip helper-address x.x.x.x
    line vty 0 4
     exec-timeout 7 0
     authorization exec local_authorise
     login authentication local_login
     transport input ssh
    line vty 5 15
     exec-timeout 7 0
     authorization exec local_authorise
     login authentication local_login
     transport input ssh
    wsma agent exec
     profile httplistener
     profile httpslistener
    wsma agent config
     profile httplistener
     profile httpslistener
    wsma agent filesys
     profile httplistener
     profile httpslistener
    wsma agent notify
     profile httplistener
     profile httpslistener
    wsma profile listener httplistener
     transport http
    wsma profile listener httpslistener
     transport https
    wireless mobility controller
    wlan Wireless-Guest-Access 24 wireless-guest
     client vlan Guest-Access-VLAN
     ip access-group GUEST-ACCESS
     no security wpa
     no security wpa akm dot1x
     no security wpa wpa2
     no security wpa wpa2 ciphers aes
     security web-auth
     security web-auth authentication-list aaa_guest_webauth
     security web-auth parameter-map guest-webauth
     session-timeout 1800
     no shutdown
    ap country GB
    ap group default-group
    ap group BUS-AP-Group
     wlan Wireless-Corporate-Access
      vlan BUS-CORP-DATA-VLAN
     wlan Wireless-Guest-Access
      vlan Guest-Access-VLAN
    end
    I carried out a Wireshark trace and can see the DHCP is OK, then see DNS queries to the DNS name server and the replies, followed by a TCP SYN to the resolved IP of the website requested - but that's it, there is no SYN ACK reply or redirect to the login page which I have placed on the flash and specified under 'custom-page login'.
    I am under the impression that the way this should work is as follows;
    1. Client connects to SSID and carries out DHCP DORA and is assigned an IP address
    2. open browser on client and carry out name resolution 
    3. once name is resolved, carry TCP three way handshake with requested site (e.g. google)
    4. once three way handshake is completed client carries out an HTTP GET request
    5. WLC holds the response and redirects to the login page
    6. on successful login, original requested page is forwarded to client.
    I can't seem to get a response - even if I remove the ACL.
    Am i heading in the right direction or am I trying to achieve something which is not possible with my setup?
    Cheers

    Also, forgot to say, make sure your files are preceded with webauth for your html and js and web_auth for image files
    38725  -rw-        4265   Nov 4 2014 12:21:28 +00:00  webauth_login.html
    38726  -rw-        6937   Nov 4 2014 12:11:03 +00:00  webauth_aup.html
    38727  -rw-        1356   Nov 4 2014 12:11:30 +00:00  webauth_logout.html
    38728  -rw-         662   Nov 4 2014 12:11:43 +00:00  webauth_failed.html
    38729  -rw-         318   Nov 4 2014 12:11:58 +00:00  webauth_loginscript.js
    38731  -rw-       82940   Nov 4 2014 12:12:28 +00:00  web_auth_image.jpg
    CORE-SW01#sho run | s param
    parameter-map type webauth global
     type webauth
     virtual-ip ipv4 1.1.1.1
     custom-page login device flash:webauth_login.html
     custom-page failure device flash:webauth_failed.html
    parameter-map type webauth guest-webauth
     type webauth
     custom-page login device flash:webauth_login.html
     custom-page failure device flash:webauth_failed.html
     security web-auth parameter-map guest-webauth
    CORE-SW01#
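
The checks the reply above describes can be run offline against saved device output. This is an added example, not part of the original posts or Cisco tooling: the sample listing and config are constructed, and the function names and the file-prefix rule (taken from the reply as stated) are assumptions.

```python
import re

# Constructed inputs, modelled on the 'dir flash:' and 'show run' output in the thread.
FLASH_LISTING = """\
38725  -rw-        4265   Nov 4 2014 12:21:28 +00:00  webauth_login.html
38728  -rw-         662   Nov 4 2014 12:11:43 +00:00  webauth_failed.html
38729  -rw-         318   Nov 4 2014 12:11:58 +00:00  webauth_loginscript.js
38731  -rw-       82940   Nov 4 2014 12:12:28 +00:00  logo.jpg
"""
RUNNING_CONFIG = """\
parameter-map type webauth guest-webauth
 type webauth
 custom-page login device flash:webauth_login.html
 custom-page failure device flash:webauth_fail.html
wlan Wireless-Guest-Access 24 wireless-guest
 security web-auth
 security web-auth parameter-map guest-portal
"""
PAGE_EXT = (".html", ".htm", ".js")
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")

def flash_files(listing):
    """File names (last column) of a 'dir flash:' style listing."""
    return {line.split()[-1] for line in listing.splitlines() if line.strip()}

def sections(config):
    """Yield (header, child lines) for an indented IOS-style configuration."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace():
            body.append(raw.strip())
            continue
        if header is not None:
            yield header, body
        header, body = raw.strip(), []
    if header is not None:
        yield header, body

def audit(listing, config):
    """Return findings that would stop the custom web-auth pages being served."""
    files, maps, wlans, findings = flash_files(listing), {}, {}, []
    for header, body in sections(config):
        m = re.match(r"parameter-map type webauth (\S+)", header)
        w = re.match(r"wlan (\S+)", header)
        for line in body:
            page = re.match(r"custom-page \S+ device flash:(\S+)", line)
            ref = re.match(r"security web-auth parameter-map (\S+)", line)
            if m and page:
                maps.setdefault(m.group(1), []).append(page.group(1))
            if w and ref:
                wlans[w.group(1)] = ref.group(1)
        if m:
            maps.setdefault(m.group(1), [])
    for name, pages in maps.items():
        for page in pages:
            if page not in files:
                findings.append(f"map {name}: {page} not on flash")
    for f in sorted(files):
        low = f.lower()
        if low.endswith(PAGE_EXT) and not low.startswith("webauth"):
            findings.append(f"{f}: page/script lacks 'webauth' prefix")
        if low.endswith(IMAGE_EXT) and not low.startswith("web_auth"):
            findings.append(f"{f}: image lacks 'web_auth' prefix")
    for wlan, ref in wlans.items():
        if ref not in maps:
            findings.append(f"wlan {wlan}: parameter-map {ref} is not defined")
    return findings

if __name__ == "__main__":
    for finding in audit(FLASH_LISTING, RUNNING_CONFIG):
        print(finding)
```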

  • Using WRT54GR as a Wireless Access Point only

    I have a WRT610N as my main router. I want to use an existing WRT54GR purely as a wireless access point and ethernet switch. Any suggestions on how best to do that so I can still access the WRT54GR to make configuration changes? Right now I have the network functionality working by simply not using the Internet port on the WRT54G but by going to 192.168.1.1 I can only get to the WRT610N.

    (Restarting this thread).
    I made the change you suggested and statically assigned 192.168.1.200 to the WRT54GR. I can reliably access it through this IP address. I connected it to the rest of my network by using one of the 4 switch ports (not the Internet port). I disabled DHCP on it and configured the Wireless settings to be the same (same SSID and Security Settings) as my other wireless router.
    What I'm finding is that devices in my house won't associate with it. I tried changing the SSID to a different value; devices were able to see the new SSID but when I entered the password they told me that no DHCP server could be detected. A wired device that I plugged into another of the 4 switch ports on the WRT54GR was able to pick up an IP address from the main router just fine so I know that basic connectivity is OK.
    To achieve what I want (i.e. the WRT54GR just acts as a wireless base station to extend wireless coverage in the house), do I need to connect the WRT54GR to the rest of the network using the Internet port rather than a switch port? If so, what configuration settings do I need to set up so that all the devices can get their IP address from the main router?

  • Unable to connect to a secure wireless network - Event ID: 8002 Task Category: AcmConnection..., Event ID: 11006, Event ID: 11006

    Hi, 
    I have a Dell Latitude E6440 running Win 7 Enterprise 64 on a domain. It will connect to any unsecured network, and it can see the secured network in the list when I click the wireless connection icon on the system tray. When I go to manage wireless networks, the secured network does not show up (and thus, I cannot delete the network to try to re-add it). Normally, we would add the secure network here. I click Add, give the name in the correct syntax, add the needed information (WPA/2-Enterprise, EAS or TKIP), and hit Next, it immediately returns with "An unexpected error occurred". A similar thing happens when I hit Connect from the list of available networks that pops up when I open the system tray icon: it says it was unable to connect, when I hit troubleshoot, it says that it could not identify the problem. The event log shows the error below. I haven't been able to find any resolutions here or elsewhere that address the fact that I can connect to unsecured wireless networks, but not secured wireless networks.
    Other notable troubleshooting steps:
    Uninstalled/Reinstalled wireless adapter with the latest driver
    Other laptops are able to access the same secure wireless network
    The first WLAN-AutoConfig error in the event log was Event ID: 12013, attempting an 802.1x authentication. Then Event ID: 11006, stating "Explicit Eap failure received". After a few days of alternating all 3 errors, they started to only error on Event ID 8002.
    Log Name:      Microsoft-Windows-WLAN-AutoConfig/Operational
    Source:        Microsoft-Windows-WLAN-AutoConfig
    Date:          6/4/2014 11:53:55 AM
    Event ID:      8002
    Task Category: AcmConnection
    Level:         Error
    Keywords:      (512)
    User:          SYSTEM
    Computer:      [COMPUTERNAME.DOMAIN]
    Description:
    WLAN AutoConfig service failed to connect to a wireless network.
    Network Adapter: Intel(R) Centrino(R) Advanced-N 6235 Interface GUID: {f27af762-dff8-4927-84e0-7f4ade30dcc9}
    Connection Mode: Connection to a secure network without a profile Profile Name: [SECURE NETWORK NAME]
    SSID: [SECURE NETWORK SSID]
    BSS Type: Infrastructure
    Failure Reason:The specific network is not available.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-WLAN-AutoConfig" Guid="{9580D7DD-0379-4658-9870-D5BE7D52D6DE}" />
        <EventID>8002</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>24010</Task>
        <Opcode>191</Opcode>
        <Keywords>0x8000000000000200</Keywords>
        <TimeCreated SystemTime="2014-06-04T16:53:55.956762800Z" />
        <EventRecordID>1475</EventRecordID>
        <Correlation />
        <Execution ProcessID="432" ThreadID="5348" />
        <Channel>Microsoft-Windows-WLAN-AutoConfig/Operational</Channel>
        <Computer>[COMPUTERNAME.DOMAIN]</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="InterfaceGuid">{F27AF762-DFF8-4927-84E0-7F4ADE30DCC9}</Data>
        <Data Name="InterfaceDescription">Intel(R) Centrino(R) Advanced-N 6235</Data>
        <Data Name="ConnectionMode">Connection to a secure network without a profile</Data>
        <Data Name="ProfileName">[SECURE NETWORK NAME]</Data>
        <Data Name="SSID">[SECURE NETWORK NAME]</Data>
        <Data Name="BSSType">Infrastructure</Data>
        <Data Name="FailureReason">The specific network is not available.</Data>
        <Data Name="ReasonCode">163851</Data>
        <Data Name="ConnectionId">0x6</Data>
      </EventData>
    </Event>

    Check this article: http://technet.microsoft.com/en-us/library/cc735927(v=ws.10).aspx
    You could also contact your domain administrator to ask for help.
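
To see the order of WLAN-AutoConfig events per SSID, exported event XML can be parsed as below. This is an added example, not part of the original posts: the records are constructed, the 8002 record follows the layout quoted in the question, and the `SSID` field on the 12013 and 11006 records and the SSID names are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}  # every element in the export lives in this namespace

def make_event(event_id, when, data):
    """Build one constructed <Event> record in the layout quoted in the post."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVENT_NS}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}" /></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample: deliberately out of order, two SSIDs.
SAMPLE_EVENTS = [
    make_event(8002, "2014-06-04T16:53:55.956762800Z",
               {"SSID": "CorpSecure", "ReasonCode": "163851",
                "FailureReason": "The specific network is not available."}),
    make_event(12013, "2014-06-01T09:00:01.000000000Z", {"SSID": "CorpSecure"}),
    make_event(11006, "2014-06-01T09:00:03.000000000Z", {"SSID": "CorpSecure"}),
    make_event(8002, "2014-06-02T10:00:00.000000000Z",
               {"SSID": "LabSecure", "ReasonCode": "163851",
                "FailureReason": "The specific network is not available."}),
]

def parse_event(xml_text):
    """Flatten one event into a dict of its Data fields plus EventID and Time."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    rec = {d.get("Name"): (d.text or "")
           for d in root.findall("e:EventData/e:Data", NS)}
    rec["EventID"] = int(system.find("e:EventID", NS).text)
    rec["Time"] = system.find("e:TimeCreated", NS).get("SystemTime")
    return rec

def triage(events):
    """Per SSID: event IDs in time order, whether an explicit EAP failure
    (11006) was logged, and the reason attached to the most recent event."""
    by_ssid = defaultdict(list)
    for rec in map(parse_event, events):
        by_ssid[rec.get("SSID", "?")].append(rec)
    report = {}
    for ssid, recs in by_ssid.items():
        recs.sort(key=lambda r: r["Time"])  # same-format UTC strings sort correctly
        last = recs[-1]
        code = last.get("ReasonCode")
        report[ssid] = {
            "sequence": [r["EventID"] for r in recs],
            "eap_failure_seen": any(r["EventID"] == 11006 for r in recs),
            "last_reason": last.get("FailureReason"),
            "reason_code_hex": hex(int(code)) if code else None,
        }
    return report

if __name__ == "__main__":
    for ssid, summary in triage(SAMPLE_EVENTS).items():
        print(ssid, summary)
```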

  • Domain user authentication for 3650 Wireless Access point

    Dear All,
    I have got a new proposal in order to configure the wireless access points by managing them with the 3650 wireless controller.
    We wanted to block the Wi-Fi access to mobile users.
    Only domain users need to be authenticated to the corporate wireless access.
    We have a 3650 switch as a wireless controller and ISE in place. Kindly guide me to achieve the same. Attached is the setup diagram.
    If possible, share a sample configuration; it would be helpful.

    Please refer
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115734-ise-policies-ssid-00.html

  • Using Mac as Wireless Access point

    If I set up the Mac to be a wireless access point, via the Sharing option in System Preferences, it works fine if I am trying to connect a PC, another Mac or an iPhone to the internet, but devices such as a Nintendo DS or Kindle fail to connect (these devices work OK on other wireless networks). They recognise the wireless network OK but fail to connect, and I have tried the basic configuration with no security and it still fails.
    What am I doing wrong, please?
    Thx
    John

    I managed to resolve this issue with help from the following:-
    http://hints.macworld.com/article.php?story=20051119155606277
    Thanks

  • RE: How to secure an access point signal.

    Hi everyone,
    I have difficulty making my access point's wireless signal secure. My network setup is simple: modem to router to Homeplug on the 1st floor (secure wireless signal) and 2nd floor (secure signal). The problem comes on the 3rd floor: the signal is too weak, so I place a Homeplug to an access point (wireless works well but is not secured).
    I tried calling D-Link support but was told that I need to fix a static IP address before things can work. What the **** is that? I was told about many technical issues, the subnet being different, etc. Lastly, the setup disc doesn't work with a Mac. (HaHa).
    Thank you all in advance for the solution.

    How are you going to connect them?  cat5 or coax?
    cat5 instructions:
    Can I use my wireless or an extra router along with the Verizon provided router?
    coax instructions:
    Can I get an ethernet connection in a room with only coax?

  • 1242AG Wireless Access Point - Cannot Get DHCP IP for BVI1 interface - Multiple SSIDs...

    Hello,
    I am attempting to set up three Cisco 1242AG Wireless Access Points with multiple SSID's. I used the web interface and directions online to set up the two networks I want and at least one of the networks work wirelessly.
    However, I have two problems:
    The first, which is the most important, is that the "management" interface, BVI1, doesn't get an IP address from our DHCP server. I set VLAN 60 (which you'll see in the documentation below) to be the native VLAN on the device as well as on the switch that the device is connected to, as well as other settings in the configuration file below. Because of this, I can only manage the device via the console port, which would be a huge pain once all of the devices are mounted.
    The second problem is that I am not sure how to get both wireless networks broadcasting their SSIDs. I have to manually type in the SSID for the second wireless network I have, which I would prefer not to have to do. Any way I can enable broadcasting on all of the SSIDs?
    Thank you for your time.
    Regards,
    Christopher Koeber
    Using 7916 out of 32768 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname AP-18.wesleysem.edu
    enable secret {Number Here} {Encrypted Password Here}
    enable password {Number Here} {Encrypted Password Here}
    aaa new-model
    aaa session-id common
    dot11 syslog
    dot11 vlan-name Kresge vlan 20
    dot11 vlan-name Library vlan 30
    dot11 vlan-name Public vlan 60
    dot11 vlan-name Secure_Public vlan 70
    dot11 vlan-name Secure_Seminary vlan 80
    dot11 vlan-name Server_Room vlan 1
    dot11 vlan-name Straughn vlan 40
    dot11 vlan-name Trott vlan 10
    dot11 vlan-name Web_Room vlan 50
    dot11 ssid (Secure) Wesley Campus
    vlan 80
    authentication open
    authentication key-management wpa version 2
    wpa-psk ascii {Number Here} {WPA Key Here}
    dot11 ssid Public
    vlan 60
    authentication open
    mobility network-id 60
    username Cisco password {Number Here} {Encrypted Password Here}
    username admin privilege 15 secret {Number Here} {Encrypted Password Here}!
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 80 mode ciphers aes-ccm
    ssid (Secure) Campus
    ssid Public
    mbssid
    station-role root
    interface Dot11Radio0.1
    encapsulation dot1Q 1
    no ip route-cache
    bridge-group 254
    bridge-group 254 block-unknown-source
    no bridge-group 254 source-learning
    no bridge-group 254 unicast-flooding
    bridge-group 254 spanning-disabled
    interface Dot11Radio0.10
    encapsulation dot1Q 10
    no ip route-cache
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    bridge-group 10 spanning-disabled
    interface Dot11Radio0.20
    encapsulation dot1Q 20
    no ip route-cache
    bridge-group 20
    bridge-group 20 subscriber-loop-control
    bridge-group 20 block-unknown-source
    no bridge-group 20 source-learning
    no bridge-group 20 unicast-flooding
    bridge-group 20 spanning-disabled
    interface Dot11Radio0.30
    encapsulation dot1Q 30
    no ip route-cache
    bridge-group 30
    bridge-group 30 subscriber-loop-control
    bridge-group 30 block-unknown-source
    no bridge-group 30 source-learning
    no bridge-group 30 unicast-flooding
    bridge-group 30 spanning-disabled
    interface Dot11Radio0.40
    encapsulation dot1Q 40
    no ip route-cache
    bridge-group 40
    bridge-group 40 subscriber-loop-control
    bridge-group 40 block-unknown-source
    no bridge-group 40 source-learning
    no bridge-group 40 unicast-flooding
    bridge-group 40 spanning-disabled
    interface Dot11Radio0.50
    encapsulation dot1Q 50
    no ip route-cache
    bridge-group 50
    bridge-group 50 subscriber-loop-control
    bridge-group 50 block-unknown-source
    no bridge-group 50 source-learning
    no bridge-group 50 unicast-flooding
    bridge-group 50 spanning-disabled
    interface Dot11Radio0.60
    encapsulation dot1Q 60 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.70
    encapsulation dot1Q 70
    no ip route-cache
    bridge-group 70
    bridge-group 70 subscriber-loop-control
    bridge-group 70 block-unknown-source
    no bridge-group 70 source-learning
    no bridge-group 70 unicast-flooding
    bridge-group 70 spanning-disabled
    interface Dot11Radio0.80
    encapsulation dot1Q 80
    no ip route-cache
    bridge-group 80
    bridge-group 80 subscriber-loop-control
    bridge-group 80 block-unknown-source
    no bridge-group 80 source-learning
    no bridge-group 80 unicast-flooding
    bridge-group 80 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    shutdown
    encryption vlan 80 mode ciphers aes-ccm
    dfs band 3 block
    channel dfs
    station-role root
    interface Dot11Radio1.1
    encapsulation dot1Q 1
    no ip route-cache
    bridge-group 254
    bridge-group 254 block-unknown-source
    no bridge-group 254 source-learning
    no bridge-group 254 unicast-flooding
    bridge-group 254 spanning-disabled
    interface Dot11Radio1.10
    encapsulation dot1Q 10
    no ip route-cache
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    bridge-group 10 spanning-disabled
    interface Dot11Radio1.20
    encapsulation dot1Q 20
    no ip route-cache
    bridge-group 20
    bridge-group 20 subscriber-loop-control
    bridge-group 20 block-unknown-source
    no bridge-group 20 source-learning
    no bridge-group 20 unicast-flooding
    bridge-group 20 spanning-disabled
    interface Dot11Radio1.30
    encapsulation dot1Q 30
    no ip route-cache
    bridge-group 30
    bridge-group 30 subscriber-loop-control
    bridge-group 30 block-unknown-source
    no bridge-group 30 source-learning
    no bridge-group 30 unicast-flooding
    bridge-group 30 spanning-disabled
    interface Dot11Radio1.40
    encapsulation dot1Q 40
    no ip route-cache
    bridge-group 40
    bridge-group 40 subscriber-loop-control
    bridge-group 40 block-unknown-source
    no bridge-group 40 source-learning
    no bridge-group 40 unicast-flooding
    bridge-group 40 spanning-disabled
    interface Dot11Radio1.50
    encapsulation dot1Q 50
    no ip route-cache
    bridge-group 50
    bridge-group 50 subscriber-loop-control
    bridge-group 50 block-unknown-source
    no bridge-group 50 source-learning
    no bridge-group 50 unicast-flooding
    bridge-group 50 spanning-disabled
    interface Dot11Radio1.60
    encapsulation dot1Q 60 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio1.70
    encapsulation dot1Q 70
    no ip route-cache
    bridge-group 70
    bridge-group 70 subscriber-loop-control
    bridge-group 70 block-unknown-source
    no bridge-group 70 source-learning
    no bridge-group 70 unicast-flooding
    bridge-group 70 spanning-disabled
    interface Dot11Radio1.80
    encapsulation dot1Q 80
    no ip route-cache
    bridge-group 80
    bridge-group 80 subscriber-loop-control
    bridge-group 80 block-unknown-source
    no bridge-group 80 source-learning
    no bridge-group 80 unicast-flooding
    bridge-group 80 spanning-disabled
    interface FastEthernet0
    ip dhcp client update dns
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    interface FastEthernet0.1
    encapsulation dot1Q 1
    no ip route-cache
    bridge-group 254
    no bridge-group 254 source-learning
    bridge-group 254 spanning-disabled
    interface FastEthernet0.10
    encapsulation dot1Q 10
    no ip route-cache
    bridge-group 10
    no bridge-group 10 source-learning
    bridge-group 10 spanning-disabled
    interface FastEthernet0.20
    encapsulation dot1Q 20
    no ip route-cache
    bridge-group 20
    no bridge-group 20 source-learning
    bridge-group 20 spanning-disabled
    interface FastEthernet0.30
    encapsulation dot1Q 30
    no ip route-cache
    bridge-group 30
    no bridge-group 30 source-learning
    bridge-group 30 spanning-disabled
    interface FastEthernet0.40
    encapsulation dot1Q 40
    no ip route-cache
    bridge-group 40
    no bridge-group 40 source-learning
    bridge-group 40 spanning-disabled
    interface FastEthernet0.50
    encapsulation dot1Q 50
    no ip route-cache
    bridge-group 50
    no bridge-group 50 source-learning
    bridge-group 50 spanning-disabled
    interface FastEthernet0.60
    encapsulation dot1Q 60 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface FastEthernet0.70
    encapsulation dot1Q 70
    no ip route-cache
    bridge-group 70
    no bridge-group 70 source-learning
    bridge-group 70 spanning-disabled
    interface FastEthernet0.80
    encapsulation dot1Q 80
    no ip route-cache
    bridge-group 80
    no bridge-group 80 source-learning
    bridge-group 80 spanning-disabled
    interface BVI1
    ip address dhcp client-id FastEthernet0
    no ip route-cache
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    line con 0
    line vty 0 4
    end

    I am using a third party DHCP server which is our Windows Domain Controller. I have the ip helper-address set for the native vlan of the Access Point through a layer 3 distribution switch (a Catalyst 4506) that the current switch connects to.
    I didn't see any event on the logs for the AP.
    Let me know if I need to do something else.
    Thanks.

  • Help me find the required Wireless Access point

    Dear Friends,
    I am in search of an access point with the specification below, so please let me know which model has these functionalities.
    Wireless Access Point:
    * No of port should be 10Base-T/100Base-TX Ethernet
    * Standard should be IEEE 802.11g, IEEE802.11b, IEEE 802.3, IEEE 802.3u, IEEE 802.3af(PoE), 802.1q(VLAN) , 802.1X(Security authentication), 802.11i ready (Security WPA2), 802.11e ready (wireless QoS), 802.11F(Wireless roaming)
    * LEDs should be power, PoE, Wireless, Ethernet
    * Web Management should be built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
    * SNMP Support should be SNMP version 1, 2c, 3
    * Operation modes should be access point mode, point to point bridge mode, point to point multipoint bridge mode, repeater mode
    * External antennas should be 2 (omni directional) SMA detachable
    * Security should be WEP 64-bit/128-bit, WPA-PSK, WPA2-PSK, WPA-ENT, WPA2-ENT
    * Access Control should be wireless connection control: MAC-based
    * Wireless Security monitor should be Intrusion alarms(e.g. rogue client detected, spoofed MAC address) Denial-of-service alarms (e.g. duration attack, association table full) vulnerability alarms (e.g. access point is not using encryption, access point is broadcasting SSID)
    * Power should be 12V 1A DC input, and IEEE 802.3af compliant PoE. Maximum power draw should be 3.36W

    Hello Shekib,
    All you did was describe the WAP200.
    It fully fits in your description.
    Please check it and see with your eyes.
    http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps10047/ps10048/data_sheet_c78-501966.html
    I hope I helped you.
    Regards.
    Andrey Cassemiro.
