SG300: MAC authentication with Radius VLAN assignment problems
Hi,
I just can't get the dynamic vlans working. I've tried everything, switch in L3 mode, switch in L2, several port configs, several tunnel configs in Radius server (freeradius 2.1.1)
Here's the final switch config:
config-file-header
switchf460dc
v1.3.7.18 / R750_NIK_1_35_647_358
CLI v1.0
set system mode switch
file SSD indicator encrypted
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
no spanning-tree
vlan database
vlan 12,100,110,666
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
dot1x system-auth-control
no bonjour enable
hostname switchf460dc
line ssh
exec-timeout 0
exit
encrypted radius-server host 192.168.99.93 key xXx priority 1 usage dot1.x
logging host 1.2.3.4 severity debugging
passwords aging 0
ip ssh server
snmp-server server
snmp-server community public ro 192.168.99.93 view Default
clock timezone " " +1
clock summer-time web recurring eu
clock source sntp
sntp unicast client enable
sntp server 172.16.1.1
interface vlan 12
ip address 192.168.99.170 255.255.255.0
no ip address dhcp
interface gigabitethernet5
dot1x host-mode multi-sessions
dot1x reauthentication
dot1x authentication mac
dot1x radius-attributes vlan static
dot1x port-control auto
switchport mode general
switchport general allowed vlan add 100,110,666 untagged
no macro auto smartport
interface gigabitethernet6
switchport mode access
switchport access vlan 110
interface gigabitethernet9
switchport mode access
switchport access vlan 12
interface gigabitethernet10
switchport trunk allowed vlan add 12,100,110
exit
ip default-gateway 192.168.99.1
On the switch side I would expect VLAN 666 to be set but it's not there:
switchf460dc#show dot1x users
MAC Auth Auth Session VLAN
Port Username Address Method Server Time
gi5 0090dca15880 00:90:dc:a1:58:80 MAC Remote 01:09:25
This is the radius users file. It's a simple file for test.
DEFAULT Auth-Type := Accept
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 666
I am attaching a screenshot of the Radius reply sent by the server.
I also tried setting "copy_request_to_tunnel = yes" and "use_tunneled_reply = yes" as found in another post, no success.
It may be that the tag is missing in the Radius reply? If yes, how do I add it?
Any ideas?
Thanks.
Update Dec 11: I tried with FW 1.4.0, and using the same config the switch doesn't perform any Radius requests at all anymore.
I was wrong when I said that 1.4.0 wouldn't work at all. I simply had a device connected which didn't produce much traffic. My bad.
So 1.4.0 works as far as the auth is concerned, but no improvement as far as dynamic VLAN is concerned. So there is no improvement over 1.3.7, or there is a config issue.
I have opened SR 633001533 although the last appointment for WebEx went by without anyone getting back to me. I'll try again on Monday.
Feel free to get back to me if you need anything to make experiments. I'll keep this thread updated too.
Similar Messages
-
802.1x authetication with dynamic Vlan assignment by a radius server
Hi
At school I want to start using 802.1x authentication with dynamic Vlan assignment by a Windows Server 2012R2 Radius server.
When a student logs in, I want it to be placed in the "Students" Vlan, when a Administrative employee logs in, I want it to be placed in the "Administative" vlan and when the client is unknown I want to place it in the "Guest" Vlan.
I have several SG200 switches and I configured everything as mentioned in the administrative guide but I cannot get it to work as desired.
What does work:
- If the client is permitted, the switch changes to "authorized" state. (before anyone logs on to the domain with that client)
- When a User logs on that is part of the Administrative employees, the switch changes to "authorized" and when a student logs on, it changes to "unauthorized".
So far so good.
But what doesn't work:
- it does not put the administrative employee in the Vlan "Administrative", it just enables the port on the switch but leaves it in the default vlan 1.
- I can not find the Guest VLAN.
Any help would be appriciated.Hi Wouter,
Can you see in the packet capture Radius accept message VLAN attribute? Also please ensure you have the latest firmware and boot code:
http://www.cisco.com/c/en/us/support/switches/sg200-26-26-port-gigabit-smart-switch/model.html#~rdtab1
I would recommend you to open ticket with Small Business team so they can go with you through packet capture and configuration steps:
http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
Regards,
Aleksandra -
My Mac mini with my samsung screen, Problem is it not windscreen ?
My Mac mini with my samsung screen, Problem is it not windscreen ? Help me
How is it being connected?
What is resolution of display?
What OSX version?
Have you tried different resolution settings in System Preferences>Displays>Scaled -
Mac adress authentication with Radius
Hello all
we have an WiFi architecture based on two Radius servers (ACS 3.2)
We make a Mac adress authentication with WEP on these Radius servers. Ours Wirelless cards are Proxim Orinoco. When we used the user and the passord identified by the mac adress manualy that works.
But, the authentication by Mac adress with the wireless card don't work. The log on the radius servers are "CS PASSWORD INVALID".
Ideas ?
RegardsFirst ensure the password on the access point and the authentication server is the same. I have had this trouble getting authenitcated with ACS for admin authentication. Installing it on another machine made it work. So try uninstalling ACS completely using the recovery CD and reinstall it to check if this works.
-
Aironet 2702i Autonomous - Web-Authentication with Radius Window 2008
Hi Guys,
I have a problems with case, i have diagrams sample like then : AD(Win2008) - Radius(Win2008) - Aironet 2702i => Use methods Web-Auth for EndUser
This is my Configure file on Aironet 2702i
Aironet2702i#show run
Building configuration...
Current configuration : 8547 bytes
! Last configuration change at 05:08:25 +0700 Fri Oct 31 2014 by admin
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Aironet2702i
logging rate-limit console 9
aaa new-model
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login default local
aaa authentication login DTSGROUP group radius
aaa authentication login webauth group radius
aaa authentication login weblist group radius
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa session-id common
clock timezone +0700 7 0
no ip source-route
no ip cef
ip admission name webauth proxy http
ip admission name webauth method-list authentication weblist
no ip domain lookup
ip domain name dts.com.vn
dot11 syslog
dot11 activity-timeout unknown default 1000
dot11 activity-timeout client default 1000
dot11 activity-timeout repeater default 1000
dot11 activity-timeout workgroup-bridge default 1000
dot11 activity-timeout bridge default 1000
dot11 vlan-name DTSGroup vlan 46
dot11 vlan-name L6-Webauthen-test vlan 45
dot11 vlan-name NetworkL7 vlan 43
dot11 vlan-name SGCTT vlan 44
dot11 ssid DTS-Group
vlan 46
authentication open eap DTSGROUP
authentication key-management wpa version 2
mbssid guest-mode
dot11 ssid DTS-Group-Floor7
vlan 43
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 013D03104C0414040D4D5B5E392559
dot11 ssid L6-Webauthen-test
vlan 45
web-auth
authentication open
dot1x eap profile DTSGROUP
mbssid guest-mode
dot11 ssid SaigonCTT-Public
vlan 44
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 04480A0F082E424D1D0D4B141D06421224
dot11 arp-cache optional
dot11 adjacent-ap age-timeout 3
eap profile DTSGROUP
description testwebauth-radius
method peap
method mschapv2
method leap
username TRIHM privilege 15 secret 5 $1$y1J9$3CeHRHUzbO.b6EPBmNlFZ/
username ADMIN privilege 15 secret 5 $1$IvtF$EP6/9zsYgqthWqTyr.1FB0
ip ssh version 2
bridge irb
interface Dot11Radio0
no ip address
encryption vlan 44 mode ciphers aes-ccm
encryption vlan 46 mode ciphers aes-ccm
encryption mode ciphers aes-ccm
encryption vlan 43 mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
ssid DTS-Group
ssid DTS-Group-Floor7
ssid L6-Webauthen-test
ssid SaigonCTT-Public
countermeasure tkip hold-time 0
antenna gain 0
stbc
mbssid
packet retries 128 drop-packet
channel 2412
station-role root
rts threshold 2340
rts retries 128
ip admission webauth
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 subscriber-loop-control
bridge-group 43 spanning-disabled
bridge-group 43 block-unknown-source
no bridge-group 43 source-learning
no bridge-group 43 unicast-flooding
interface Dot11Radio0.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 subscriber-loop-control
bridge-group 44 spanning-disabled
bridge-group 44 block-unknown-source
no bridge-group 44 source-learning
no bridge-group 44 unicast-flooding
ip admission webauth
interface Dot11Radio0.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 subscriber-loop-control
bridge-group 45 spanning-disabled
bridge-group 45 block-unknown-source
no bridge-group 45 source-learning
no bridge-group 45 unicast-flooding
ip admission webauth
interface Dot11Radio0.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 subscriber-loop-control
bridge-group 46 spanning-disabled
bridge-group 46 block-unknown-source
no bridge-group 46 source-learning
no bridge-group 46 unicast-flooding
interface Dot11Radio1
no ip address
shutdown
encryption vlan 46 mode ciphers aes-ccm
encryption vlan 44 mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 43 mode ciphers aes-ccm
encryption vlan 45 mode ciphers ckip-cmic
ssid DTS-Group
ssid DTS-Group-Floor7
ssid SaigonCTT-Public
countermeasure tkip hold-time 0
antenna gain 0
peakdetect
dfs band 3 block
stbc
mbssid
packet retries 128 drop-packet
channel 5745
station-role root
rts threshold 2340
rts retries 128
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 subscriber-loop-control
bridge-group 43 spanning-disabled
bridge-group 43 block-unknown-source
no bridge-group 43 source-learning
no bridge-group 43 unicast-flooding
interface Dot11Radio1.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 subscriber-loop-control
bridge-group 44 spanning-disabled
bridge-group 44 block-unknown-source
no bridge-group 44 source-learning
no bridge-group 44 unicast-flooding
ip admission webauth
interface Dot11Radio1.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 subscriber-loop-control
bridge-group 45 spanning-disabled
bridge-group 45 block-unknown-source
no bridge-group 45 source-learning
no bridge-group 45 unicast-flooding
ip admission webauth
interface Dot11Radio1.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 subscriber-loop-control
bridge-group 46 spanning-disabled
bridge-group 46 block-unknown-source
no bridge-group 46 source-learning
no bridge-group 46 unicast-flooding
interface GigabitEthernet0
no ip address
duplex auto
speed auto
dot1x pae authenticator
dot1x authenticator eap profile DTSGROUP
dot1x supplicant eap profile DTSGROUP
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet0.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 spanning-disabled
no bridge-group 43 source-learning
interface GigabitEthernet0.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 spanning-disabled
no bridge-group 44 source-learning
interface GigabitEthernet0.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 spanning-disabled
no bridge-group 45 source-learning
interface GigabitEthernet0.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 spanning-disabled
no bridge-group 46 source-learning
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
interface GigabitEthernet1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet1.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 spanning-disabled
no bridge-group 43 source-learning
interface GigabitEthernet1.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 spanning-disabled
no bridge-group 44 source-learning
interface GigabitEthernet1.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 spanning-disabled
no bridge-group 45 source-learning
interface GigabitEthernet1.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 spanning-disabled
no bridge-group 46 source-learning
interface BVI1
mac-address 58f3.9ce0.8038
ip address 172.16.1.62 255.255.255.0
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius server 172.16.50.99
address ipv4 172.16.50.99 auth-port 1645 acct-port 1646
key 7 104A1D0A4B141D06421224
bridge 1 route ip
line con 0
logging synchronous
line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
transport input ssh
line vty 5 15
exec-timeout 0 0
privilege level 15
logging synchronous
transport input ssh
end
This is My Logfile on Radius Win 2008 :
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: S-1-5-21-858235673-3059293199-2272579369-1162
Account Name: xxxxxxxxxxxxxxxx
Account Domain: xxxxxxxxxxx
Fully Qualified Account Name: xxxxxxxxxxxxxxxxxxx
Client Machine:
Security ID: S-1-0-0
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: -
NAS:
NAS IPv4 Address: 172.16.1.62
NAS IPv6 Address: -
NAS Identifier: Aironet2702i
NAS Port-Type: Async
NAS Port: -
RADIUS Client:
Client Friendly Name: Aironet2702i
Client IP Address: 172.16.1.62
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: DTSWIRELESS
Authentication Provider: Windows
Authentication Server: xxxxxxxxxxxxxx
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
So i will explain problems what i have seen:
SSID: DTS-Group using authentication EAP with RADIUS and it working great (Authentication Type from Aironet to RADIUS is PEAP)
SSID:L6-Webauthen-test using web-auth and i had try to compare with RADIUS but ROOT CAUSE is AUTHENTICATION TYPE from Aironet to RADIUS default is PAP. (Reason Code : 66)
=> I had trying to find how to change Authentication Type of Web-Auth on Cisco Aironet from PAP to PEAP or sometime like that for combine with RADIUS.
Any idea or recommend for me ?
Thanks for see my caseHi Dhiresh Yadav,
Many thanks for your reply me,
I will explain again for clear my problems.
At this case, i had setup complete SSID DTS-Group use authentication with security as PEAP combine Radius Server running on Window 2008.
I had login SSID by Account create in AD => It's work okay with me. Done
Problems occurs when i try to use Web-authentication on Vlan45 With SSID :
dot11 ssid L6-Webauthen-test
vlan 45
web-auth
authentication open
dot1x eap profile DTSGROUP
mbssid guest-mode
After configured on Aironet and Window Radius , i had try to login with Account create in AD by WebBrowser but it Fail ( i have see mini popup said: Authentication Fail" . So i go to Radius Server and search log on EventViewer.
This is My Logfile on Radius Win 2008 :
Network Policy Server denied access to a user.
NAS:
NAS IPv4 Address: 172.16.1.62
NAS IPv6 Address: -
NAS Identifier: Aironet2702i
NAS Port-Type: Async
NAS Port: -
RADIUS Client:
Client Friendly Name: Aironet2702i
Client IP Address: 172.16.1.62
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: DTSWIRELESS
Authentication Provider: Windows
Authentication Server: xxxxxxxxxxxxxx
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
Im think ROOT CAUSE is :
PAP is the default authentication type for web-auth users on Aironet 2702i, so it can't combine with Radius Window 2008 because they just support PEAP (CHAPv1,CHAPv2....) => Please give me a tip how to change Authentication Type from PAP to PEAP for Web Authentication on Aironet -
Limti PO with Multiple account assignment Problem
Hi,
Can we create limit PO with Multiple account assignment.
If yes, i have issue with commitment distribution for all the account assignment. when i post service entry sheet the value is posting for only first one cost centre/Order but not all.
So in the purchase order for the remaining account assignment commitment remain left.
Reagrds,
JMHi Summer,
We have implemented SAP Note 1165524 for multiple account assignment as suggested, and it is working fine for New POs.
But we have old Purchase order which still have wrong commitment, and GR and IR are already posted for this PO, we have to reduce the commitment to Zero.
there is one solution for this is set 'No further Invoice expected' check box selected in this PO, but in our case PO went into error in process after doing this.
Please help me to reduce commitment to zero for this old PO
Thanks in advance
Vikas -
ACS Server MAC Authentication with Windows Database
Has anyone setup an ACS Server 3.2 for MAC authentication using Windows as the authentication. The documentation I found shows how to set it up using the CiscoSecure database. Any help would be appreciated.
Here is the link for setting up MAC authentication using CisoSecure database. There may not be a solution for my setup, but maybe I'll keep hacking away at it and find a resolution.
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b3d27.shtml -
Web authentication with Radius server problem
Hello,
I'm having problem to web authenticate users via radius server for one WLC. Here is the outpu from WLC:
*emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created for mobile, length = 7
*emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created in mscb for mobile, length = 7
*aaaQueueReader: Mar 26 14:17:31.537: Unable to find requested user entry for aaaaaa
*aaaQueueReader: Mar 26 14:17:31.537: ReProcessAuthentication previous proto 8, next proto 1
*aaaQueueReader: Mar 26 14:17:31.537: AuthenticationRequest: 0x1e08eb94
*aaaQueueReader: Mar 26 14:17:31.538: Callback.....................................0x10908d90
*aaaQueueReader: Mar 26 14:17:31.538: protocolType.................................0x00000001
*aaaQueueReader: Mar 26 14:17:31.538: proxyState...................................20:7D:xx:xx:D8:F0-00:00
*aaaQueueReader: Mar 26 14:17:31.538: Packet contains 11 AVPs (not shown)
*aaaQueueReader: Mar 26 14:17:31.538: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*aaaQueueReader: Mar 26 14:17:31.538: 20:7d:xx:xx:d8:f0 Successful transmission of Authentication Packet (id 67) to 10.xx.33.249:1645, proxy state 20:7d:xx:xx:d8:f0-00:01
*aaaQueueReader: Mar 26 14:17:31.538: 00000000: 01 43 00 8c 48 7c a7 ff df 06 53 30 c0 be e1 8e .C..H|....S0....
*aaaQueueReader: Mar 26 14:17:31.538: 00000010: d7 fd 8b d3 01 09 73 65 66 72 73 76 65 02 12 7b ......aaaaaa..{
*aaaQueueReader: Mar 26 14:17:31.538: 00000020: ae 2e f5 eb fa cf f5 cc 3b 08 65 d7 04 0e ba 06 ........;.e.....
*aaaQueueReader: Mar 26 14:17:31.538: 00000030: 06 00 00 00 01 04 06 0a 2e 09 14 05 06 00 00 00 ................
*aaaQueueReader: Mar 26 14:17:31.538: 00000040: 0d 20 0d 73 65 76 73 74 2d 6c 77 63 31 30 3d 06 ...xxxxx-lwc10=.
*aaaQueueReader: Mar 26 14:17:31.538: 00000050: 00 00 00 13 1a 0c 00 00 37 63 01 06 00 00 00 01 ........7c......
*aaaQueueReader: Mar 26 14:17:31.538: 00000060: 1f 0e 31 39 32 2e 31 36 38 2e 31 2e 36 31 1e 0c ..192.168.1.61..
*aaaQueueReader: Mar 26 14:17:31.538: 00000070: 31 30 2e 34 36 2e 39 2e 32 30 50 12 95 11 7c d9 10.xx.9.20P...|.
*aaaQueueReader: Mar 26 14:17:31.538: 00000080: 75 8e 01 6e bf 62 38 f8 38 ab 68 4a u..n.b8.8.hJ
*radiusTransportThread: Mar 26 14:17:31.603: 00000000: 03 43 00 14 e5 8c e7 75 52 04 af e0 07 b7 fb 96 .C.....uR.......
*radiusTransportThread: Mar 26 14:17:31.603: 00000010: c1 4a fb 40 .J.@
*radiusTransportThread: Mar 26 14:17:31.603: ****Enter processIncomingMessages: response code=3
*radiusTransportThread: Mar 26 14:17:31.603: ****Enter processRadiusResponse: response code=3
*radiusTransportThread: Mar 26 14:17:31.603: 20:7d:xx:xx:d8:f0 Access-Reject received from RADIUS server 10.xx.33.249 for mobile 20:7d:xx:xx:d8:f0 receiveId = 0
*radiusTransportThread: Mar 26 14:17:31.603: ReProcessAuthentication previous proto 1, next proto 2
*radiusTransportThread: Mar 26 14:17:31.603: AuthenticationRequest: 0x1da9fa4c
*radiusTransportThread: Mar 26 14:17:31.603: Callback.....................................0x10908d90
*radiusTransportThread: Mar 26 14:17:31.603: protocolType.................................0x00000002
*radiusTransportThread: Mar 26 14:17:31.603: proxyState...................................20:7D:xx:xx:D8:F0-00:00
*radiusTransportThread: Mar 26 14:17:31.603: Packet contains 11 AVPs (not shown)
*radiusTransportThread: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Returning AAA Error 'No Server' (-7) for mobile 20:7d:xx:xx:d8:f0
*radiusTransportThread: Mar 26 14:17:31.605: AuthorizationResponse: 0x2dd03648
*radiusTransportThread: Mar 26 14:17:31.605: structureSize................................32
*radiusTransportThread: Mar 26 14:17:31.605: resultCode...................................-7
*radiusTransportThread: Mar 26 14:17:31.605: protocolUsed.................................0x00000002
*radiusTransportThread: Mar 26 14:17:31.605: proxyState...................................20:7D:xx:xx:D8:F0-00:00
*radiusTransportThread: Mar 26 14:17:31.605: Packet contains 0 AVPs:
*emWeb: Mar 26 14:17:31.605: Authentication failed for aaaaaa
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Username entry deleted for mobile
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Plumbing web-auth redirect rule due to user logout
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Deleting mobile policy rule 42461
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Adding Web RuleID 42464 for mobile 20:7d:xx:xx:d8:f0
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Web Authentication failure for station
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Reached ERROR: from line 5069
That was pretty clear for me that Radius is refusing to give user access.
Fully-Qualified-User-Name = NMEA\aaaaaa
NAS-IP-Address = 10.xx.9.20
NAS-Identifier = xxxxx-lwc10
Called-Station-Identifier = 10.xx.9.20
Calling-Station-Identifier = 192.168.1.61
Client-Friendly-Name = YYY10.xx
Client-IP-Address = 10.xx.9.20
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 13
Proxy-Policy-Name = Use Windows authentication forall users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = YYYYY Wireless Users
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy
That output is from WLC 5508 version 7.0.235
What is strange, that user was able to authenticate from other before refresh WLC 4402 ver 4.2.207. I cannot change WLC because of AP which cannot run old version.
this is output from working client connection from old WLC
NAS-IP-Address = 10.xx.9.13
NAS-Identifier = xxxxx-lwc03
Client-Friendly-Name = YYY10.46
Client-IP-Address = 10.xx.9.13
Calling-Station-Identifier = 192.168.19.246
NAS-Port-Type = <not present>
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = YYYYY Wireless Guest Access
Authentication-Type = PAP
EAP-Type = <undetermined>
I know there is different Policy Name used, but my question is why it is not using the same as on old WLC when configuration is same.
Is there any way I can force users to use different policy from WLC or AP configuration or is this solely configuration of Radius?
Is it maybe problem of version 7.0.235?
Any toughts would be much appriciated.Scott,
You are probably right. The condition that is checked for the first policy name (we have 2) is to match
NAS-Port-Type = Wireless - IEEE 802.11, and this is basically used to differentiate guests from other company users.
as you can see from the logs the one that is working correctly is not sending NAS-Port-Type. The question is why.
As I said before.
WLC 5508 ver. 7.0.235 is sending NAS-Port-Type
WLC 4402 ver. 4.2.207 is not.
The same user was working OK on 4402 WLC and after refresh and associating APs to 5508 it all broke, so client did not changed anything on adapter. -
Acs and Dynamic vlan assignment problem
Hi all,
I'm unable to dinamically pass the Radius attribute , about assigned vlan, to 802.1x clients.
I'm sure that everything is well configured but the only way to do it is configuring these attributes directly on user or group properties.
When i try to pass these attributes by appliction of a Shared RAC (acs 4.2) or NAP (ACS 5.0) the only message that i can find on the switch, where the vlan has to be configured, is:
dot1x-ev:Received VLAN is No Vlan
dot1x-ev:Received VLAN Id -1
The user is still authenticated successfully ( and all the profiles correctly assigned) but remain in the vlan statically configured on the interface.
The logic is working, but transmission do not.
Is this a bug ?test the authentication again.If is still fails, set the logging to full on the ACS server using:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a00800afec1.shtml#setting_acs
Also Check if you are running another RADIUS product on the same server as the ACS services and the same decryption was being used.Reset shared key on switch and radius server. -
Issue with authentication with RADIUS when using VPN
Our customer has a problem with auhtentication against Radius vhen he is using VPN or SSL VPN. Authentication on SSH or TELNET via RADIUS is working fine . When I configure on VPN (and SSL VPN) authentication against the local database, everything is working fine and tunnel is established.
In attachement is running-config of customer's gateway and capture file of communication between RADIUS server and gateway (radius access request starting at 85th line).
I found in this file at AVP attributes that the gateway is sending ipsec profile name (in this case "VPN") instead of username.SSLVPN is configured to use the local database of usernames only in this config. It is not configured to use RADIUS.
-
IEEE 802.1x Authentication with RADIUS failed
Hello guys,
I've a little strange Situation.
If user start his Computer (Windows 7 enterprise) and computer is connected via LAN it works fine.
If user start his Computer (Windows 7 enterprise) and computer is connected via WLAN it works also fine.
But if user start his Computer (Windows 7 enterprise) that is connected via LAN it is not more possible to connect to WLAN (parallel). I've implemented an IEEE 802.1 RADIUS authenticiation.
It does not work with this special user account. I've tested it already successful with couple other accounts.
Does someone has experience with such Situation?
Regards
RodikIt does not work with this special user account. I've tested it already successful with couple other accounts.
Hi,
Did you mean that this problem just occures to the single User Account but others works fine at same computer, isn't it?
When it connect Wlan failed, is there any error message? Have you tried to reinstall the WLan device driver for test?
it would be better to provide more details about the Wlan connect failed.
Roger Lu
TechNet Community Support -
IEEE 802.1x Port based Authentication with Restricted VLAN
Hi all,
I have the following configuration:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization exec default local
dot1x system-auth-control
radius-server host 10.10.10.10 key cisco
interface FastEthernet0/1
switchport mode access
authentication event fail retry 1 action authorize vlan 2
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
But it takes quite a while for the user who is not authorized to be switch to vlan 2.
I would like to know what is best practice when using this kind of configuration and if it is possible to optimize on how long it takes to switch the unauthorized user to the restricted VLAN?
Regards,
LaurentLaurent,
Based on your configuration it looks as if it will take one retry attempt before the client is placed in vlan2. Try to remove the 'retry 1' from command and see if that speeds up the time. Also take the output of the 'show authentication sessions interface '. Please post the output of the 'debug radius authentication' as that will help to see how long it is taking the radius server to respond.
thanks,
Tarik Admani -
Toplink Proxy Authentication with 10.1.3 problem
Hi,
I'm are using Toplink Proxy Authentication in a JSF application with SessionFacade pattern and have implemented a preLogin() method of oracle.itech.pil.utils.PILSessionEventManager (which implements SessionEventListener) as described in
http://www.oracle.com/technology/products/ias/toplink/doc/1013/main/_html/dblgcfg008.htm. Due to Class Loader problem while loading of SessionEventManager, I'm explicitly loading the Class by doing this:
try {
Thread.currentThread().getContextClassLoader().loadClass("oracle.itech.pil.utils.PILSessionEventManager");
catch(Exception exp) {
System.out.println("Exception while loading class oracle.itech.pil.utils.PILSessionEventManager "+exp.toString());
The SessionEventManager is loaded by doing this:
session.getEventManager().addListener(new PILSessionEventManager());
(Encountered while using <event-listener-class>oracle.itech.pil.events.PILSessionEventManager</event-listener-class> in sessions.xml file, so removed and added the same using session.getEventManager().addListener(new PILSessionEventManager()) )
But now, I'm encountering ClassCastException during the login to my application
The below pasted exception (oracle.oc4j.rmi.OracleRemoteException: java.lang.ClassCastException: oracle.itech.pil.utils.PILSessionEventManager) is coming when invoking line (Login)session.readObject(oracle.itech.pil.model.Login.class, expression);
Code :
XMLSessionConfigLoader xmlLoader =
new XMLSessionConfigLoader("META-INF/sessions.xml");
SessionManager sessionMgr = SessionManager.getManager();
DatabaseSession session =
(DatabaseSession)sessionMgr.getSession(xmlLoader, "serverSession",
SessionFacadeEJBBean.class.getClassLoader());
// Set Listener through Java code
//session.getEventManager().addListener(new PILSessionEventManager());
new PILSessionEventManager();
System.out.println("I am at getLoginDetails after the listner...>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>");
Login login = null;
LoggedInBB loggedIn = null;
ExpressionBuilder builder = new ExpressionBuilder();
Expression expression = null;
// If username is not null
System.out.println("The _uname is "+_uname);
if (_uname != null) {
expression = builder.get("uname").equalsIgnoreCase(_uname).and(builder.get("empno").equalsIgnoreCase(_empNo));
if (expression != null) {
System.out.println("expression != null >>>>>>>>>>>>>>");
//login = (Login)session.readObject(oracle.itech.pil.model.Login.class, expression);
login =(oracle.itech.pil.model.Login) (session.readAllObjects(oracle.itech.pil.model.Login.class, expression)).get(0);
System.out.println("Login Object is "+login);
Exception:
[TopLink Info]: 2006.05.02 05:04:18.703--ServerSession(21707422)--TopLink, version: Oracle TopLink - 10g Release 3 (10.1.3.0.0) (Build 060118)
[TopLink Info]: 2006.05.02 05:04:22.619--ServerSession(21707422)--serverSession login successful
06/05/02 17:04:22 I am at getLoginDetails after the listner............>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
06/05/02 17:04:22 The _uname is admin
06/05/02 17:04:22 expression != null >>>>>>>>>>>>>>
[TopLink Warning]: 2006.05.02 05:04:22.639--ServerSession(21707422)--java.lang.ClassCastException: oracle.itech.pil.utils.PILSessionEventManager
oracle.oc4j.rmi.OracleRemoteException: java.lang.ClassCastException: oracle.itech.pil.utils.PILSessionEventManager
at com.evermind.server.ejb.EJBUtils.getUserException(EJBUtils.java:333)
at com.evermind.server.ejb.interceptor.system.AbstractTxInterceptor.convertAndHandleMethodException(AbstractTxInterceptor.java:69)
at com.evermind.server.ejb.interceptor.system.TxSupportsInterceptor.invoke(TxSupportsInterceptor.java:39)
at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:69)
at com.evermind.server.ejb.interceptor.system.DMSInterceptor.invoke(DMSInterceptor.java:52)
at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:69)
at com.evermind.server.ejb.StatelessSessionEJBObject.OC4J_invokeMethod(StatelessSessionEJBObject.java:86)
at SessionFacadeEJB_StatelessSessionBeanWrapper2.getLoginDetails(SessionFacadeEJB_StatelessSessionBeanWrapper2.java:172)
at oracle.itech.pil.backing.LoginBB.LoginButton_action(LoginBB.java:182)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.sun.faces.el.MethodBindingImpl.invoke(MethodBindingImpl.java:126)
at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:72)
at oracle.adf.view.faces.component.UIXCommand.broadcast(UIXCommand.java:211)
at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:267)
at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:381)
at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:75)
at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:200)
at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:90)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:197)
at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:64)
at oracle.adfinternal.view.faces.webapp.AdfFacesFilterImpl._invokeDoFilter(AdfFacesFilterImpl.java:367)
at oracle.adfinternal.view.faces.webapp.AdfFacesFilterImpl._doFilterImpl(AdfFacesFilterImpl.java:336)
at oracle.adfinternal.view.faces.webapp.AdfFacesFilterImpl.doFilter(AdfFacesFilterImpl.java:196)
at oracle.adf.view.faces.webapp.AdfFacesFilter.doFilter(AdfFacesFilter.java:87)
at com.evermind.server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:15)
at oracle.itech.pil.utils.PILFilter.doFilter(PILFilter.java:124)
at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:627)
at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:376)
at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:870)
at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:451)
at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:299)
at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:187)
at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
at java.lang.Thread.run(Thread.java:595)
Nested exception is:
java.lang.ClassCastException: oracle.itech.pil.utils.PILSessionEventManager
at oracle.toplink.sessions.SessionEventManager.preExecuteQuery(SessionEventManager.java:508)
at oracle.toplink.publicinterface.Session.executeQuery(Session.java:976)
at oracle.toplink.publicinterface.Session.executeQuery(Session.java:938)
at oracle.toplink.publicinterface.Session.readAllObjects(Session.java:2458)
at oracle.itech.pil.ejb.SessionFacadeEJBBean.getLoginDetails(SessionFacadeEJBBean.java:399)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.evermind.server.ejb.interceptor.joinpoint.EJBJoinPointImpl.invoke(EJBJoinPointImpl.java:35)
at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:69)
at com.evermind.server.ejb.interceptor.system.DMSInterceptor.invoke(DMSInterceptor.java:52)
at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:69)
at com.evermind.server.ejb.interceptor.system.TxSupportsInterceptor.invoke(TxSupportsInterceptor.java:37)
at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:69)
at com.evermind.server.ejb.interceptor.system.DMSInterceptor.invoke(DMSInterceptor.java:52)
at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:69)
at com.evermind.server.ejb.StatelessSessionEJBObject.OC4J_invokeMethod(StatelessSessionEJBObject.java:86)
at SessionFacadeEJB_StatelessSessionBeanWrapper2.getLoginDetails(SessionFacadeEJB_StatelessSessionBeanWrapper2.java:172)
at oracle.itech.pil.backing.LoginBB.LoginButton_action(LoginBB.java:182)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.sun.faces.el.MethodBindingImpl.invoke(MethodBindingImpl.java:126)
at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:72)
at oracle.adf.view.faces.component.UIXCommand.broadcast(UIXCommand.java:211)
at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:267)
at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:381)
at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:75)
at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:200)
at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:90)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:197)
at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:64)
at oracle.adfinternal.view.faces.webapp.AdfFacesFilterImpl._invokeDoFilter(AdfFacesFilterImpl.java:367)
at oracle.adfinternal.view.faces.webapp.AdfFacesFilterImpl._doFilterImpl(AdfFacesFilterImpl.java:336)
at oracle.adfinternal.view.faces.webapp.AdfFacesFilterImpl.doFilter(AdfFacesFilterImpl.java:196)
at oracle.adf.view.faces.webapp.AdfFacesFilter.doFilter(AdfFacesFilter.java:87)
at com.evermind.server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:15)
at oracle.itech.pil.utils.PILFilter.doFilter(PILFilter.java:124)
at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:627)
at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:376)
at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:870)
at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:451)
at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:299)
at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:187)
at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
at java.lang.Thread.run(Thread.java:595)
Any clue why this error, which i am facing since 10 days to complete my task
Thanks In Advance
PrashantJames, what Venkat and Prashant are trying to do is something like this...
1. If I connect to the DB using scott/tiger then in the preLogin method of the Toplink Session Listener class, the proxy user will connect using something like admin/welcome1 and in the database audit view, the name that shows up SHOULD BE that of admin and NOT of scott. This is called proxy authentication if it works fine.
We developed the above scenario but in the audit logs, we still see scott instead of admin as the user who connected.
2. This feature is available in the DB but our objective is to use it through TopLink
Also see Toplink Proxy Authentication Not Working
I hope I was able to explain the scenario clearly.
Any help will be appreciated
Regards,
Amit -
AAA authentication with RADIUS
Hi,
aaa authentication login user-list group radius local
radius-server host 10.1.1.3 auth-port 1645 acct-port 1646 key xxxx
radius-server deadtime 10
If i add more radius-server host such as
radius-server host 10.1.1.4 auth-port 1645 acct-port 1646 key xxxx
1. Server 10.1.1.4 will be backup for server 10.1.1.3?
2. Can i configure to be radius group?
ThanksHi,
you can try the following:
Router(config)# aaa group server radius
Router(config-sg radius)# server 10.1.1.3
Router(config-sg radius)# server 10.1.1.4
when you configure the aaa group like this 10.1.1.3 will be primary and 10.1.1.4 is secondary
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts. -
Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points
Hi Guys,
I would like to go for "Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points 1300". I want the AP to broadcast only 1 SSID. The client find the SSID ->put in his user credential->Raudius athentication->assign him to an specific vlan based on his groupship.
The problem here is that I don't have a AP controller but only configurable Aironet Access Points 1300. I can connect to the radius server, but I am not sure how to confirgure the AP's port, radio port, vlan and SSID.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
I go through some references:
3.5 RADIUS-Based VLAN Access Control
As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back end (such as RADIUS)-based VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This may not be preferred if the WLAN user is confined to a particular VLAN.
There are two different ways to implement RADIUS-based VLAN access control features:
1. RADIUS-based SSID access control: Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge.
2. RADIUS-based VLAN assignment: Upon successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.
extract from: Wireless Virtual LAN Deployment Guide
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
==============================================================
Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
==============================================================
Controller: Wireless Domain Services Configuration
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
Any help on this issue is appreicated.
Thanks.I'm not sure if the Autonomous APs have the option for AAA Override. On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a Radius server to send back the VLAN.
I did a little research and it looks like the 1300 may give this option but instead is defined as "VLAN Override". I've found the release notes for 12.3(7)JA5 (not sure what version you're running) that give mention and a link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
Hope this helps
Maybe you are looking for
-
Can I open a file in photoshop
I have ripped a file at my Barco station. I produced a .ct file that I want to convert to black and white in phtoshop. Can I open this file (31226A_PS08_397678_R2_S1_pdf_001_001.ct) in photoshop or do I need some sort of plugin for phtoshop before I
-
Cannot Import in Aperture 2.1 - not a camera or connection problem
Ive tried 2 cameras, 3 different USB leads and every time Aperture 2.1 does not show the import path or the images on camera to import, Aperture shows an image of the camera top left & produces a blank grey box that appears every time the mouse is mo
-
How can I get a filename without the file extension?
I using a JFileChooser to select and read a file. Now I want to get the filename without the file extension JFileChooser j = new JFileChooser; String file = j.getSelectedFile.getName(); At the moment I get this result "file.dat". I need only the file
-
Custom Login works in IE Explorer, but not mozilla 1.2. Why?
Portal Rel. 2, all patches applied. Our custom login portlet works just fine when IE Explorer is the browser. When mozilla 1.2 is the browser, everything processes without errors, but the user is never logged in. The portlet is calling the procedure
-
RWCGI - Recieves Request only in GET???
Hi, We have a problem, where our URL with Query parameters is beyond 2048 chars. The browser trims beyond 2048 chars and submits(This is IE limitation) and Reports server fails in serving the request. We wanted to send the request to CGI as POST, but