Using a BM 3.8 RADIUS Server to Assign Users to VLANs
I'm trying to use Bordermanager 3.8 RADIUS to assign VLANs to users. The
users are accessing the network via Cisco 1100 Aironet Wireless Access
Points. We have defined two VLANs on the network. One goes directly to
the internet for GUEST, VLAN1, and the other goes to our private network
MEMBERS, VLAN2. The problem I'm having is getting the RADIUS to assign
attributes to the user accounts. I need attribute: IETF 64 (Tunnel Type)
set to VLAN, IETF 54 (Tunnel Medium Type) set to 802, and IETF (Tunnel
Private Group ID) set the VLAN-ID which is 1 or 2. These attribute are
not available in the RADIUS.ATR file. Is there some way of editing the
ATR file to add these attributes? Is there another solution to assign
VLANs with Bordermanager?
> I need attributes: IETF 64 (Tunnel Type) set to VLAN, IETF 65 (Tunnel
Medium Type) set to 802, and IETF 81 (Tunnel Private Group ID) set the
VLAN-ID which is 1 or 2. These attribute are not available in the
RADIUS.ATR file. Is there some way of editing the ATR file to add these
attributes? Is there another solution to assign VLANs with Bordermanager?
Similar Messages
-
Trying to implement EAP/TLS using java (as part of RADIUS server)
Hi
This is a cross port since I didn't know which forum to post in!
I'm trying to implement a RADIUS server (EAP/TLS) as part of my master thesis. I'm not used to Java SSL libraries and can't get it to work. The server will respond to an accesspoint that uses 802.1x. I have created certificates using openssl and imported the "cert-clt.pl2"and "root.pem" to a laptop trying to connect to the accesspoint. On the server side i imported the "cacert.pem" and "cert-srv.der" using keytool to a keystore. In my code I read the keystore and create the SSLEngine with following code:
KeyStore ksKeys = KeyStore.getInstance("JKS");
ksKeys.load(new FileInputStream("certs/FeebeeCommunity.keystore"), passphrase);
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ksKeys, passphrase);
KeyStore ksTrust = KeyStore.getInstance("JKS");
ksTrust.load(new FileInputStream("FeebeeCommunity.keystore"), passphrase);
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(ksKeys);
sslContext = SSLContext.getInstance("TLS");
sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
sslEngine = sslContext.createSSLEngine();
sslEngine.setUseClientMode(false);
sslEngine.setNeedClientAuth(true);
sslEngine.setWantClientAuth(true);
sslEngine.setEnableSessionCreation(true);
appBuffer = ByteBuffer.allocate(sslEngine.getSession().getApplicationBufferSize());
appBuffer.clear();
netBuffer = ByteBuffer.allocate(sslEngine.getSession().getPacketBufferSize());
netBuffer.clear();All I want to do with TLS is a handshake.
I'm not talking ssl using sockets instead I receive and send all TLS data encapsulated in EAP packet that are incapsulated in RADIUS packets. I start off with sending TLS-Start upon I recive TLS data. I handle it with the following code:
SSLEngineResult result = null;
SSLEngineResult.HandshakeStatus hsStatus = null;
if( internalState != EAPTLSState.Handshaking ) {
if( internalState == EAPTLSState.None ) {
TLSPacket tlsPacket = new TLSPacket( packet.getData() );
peerIdentity = tlsPacket.getData();
internalState = EAPTLSState.Starting;
try {
sslEngine.beginHandshake();
} catch (SSLException e) {
e.printStackTrace();
return;
else if(internalState == EAPTLSState.Starting ) {
internalState = EAPTLSState.Handshaking;
try {
sslEngine.beginHandshake();
} catch (SSLException e) {
e.printStackTrace();
TLSPacket tlsPacket = new TLSPacket( packet.getData() );
netBuffer.put( tlsPacket.getData() );
netBuffer.flip();
while(true) {
hsStatus = sslEngine.getHandshakeStatus();
if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
Runnable task;
while((task=sslEngine.getDelegatedTask()) != null) {
new Thread(task).start();
else if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_UNWRAP) {
try {
result = sslEngine.unwrap( netBuffer, appBuffer );
} catch (SSLException e) {
e.printStackTrace();
else {
return;
}When I try to send data I use the following code:
SSLEngineResult.HandshakeStatus hsStatus = null;
SSLEngineResult result = null;
// netBuffer = ByteBuffer.allocate(EAPTLSMethod.BUFFER_SIZE);
netBuffer.clear();
while(true) {
hsStatus = sslEngine.getHandshakeStatus();
if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
Runnable task;
while((task=sslEngine.getDelegatedTask()) != null) {
new Thread(task).start();
else if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_WRAP) {
try {
result = sslEngine.wrap( dummyBuffer, netBuffer );
} catch (SSLException e) {
e.printStackTrace();
else {
if( result != null && result.getStatus() == SSLEngineResult.Status.OK ) {
int size = Math.min(result.bytesProduced(),this.MTU);
byte [] tlsData = new byte[size];
netBuffer.flip();
netBuffer.get(tlsData,0,size);
TLSPacket tlsPacket = new TLSPacket((byte)0,tlsData);
if( size < result.bytesProduced() ) {
tlsPacket.setFlag(TLSFlag.MoreFragments);
return new EAPTLSRequestPacket( ID,
(short)(tlsPacket.getData().length + 6),
stateMachine.getCurrentMethod(), tlsPacket );
else {
return null;
}After I sent TLS-Start I receive data and manage to process it but when then trying to produce TLS data I get the following error:
javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:992)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:459)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1054)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1026)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.java:125)
at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStateMachine.java:358)
at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.java:262)
at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:930)
Any help wold be most greatfull, if any questions or anything unclear plz let me know.
add some additional information here is a debug output
Before this I have sent a TLS-star package and this is when I receive new information and then try to create the answer
[Raw read]: length = 5
0000: 16 03 01 00 41 ....A
[Raw read]: length = 65
0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
0040: 00 .
Thread-2, READ: TLSv1 Handshake, length = 65
*** ClientHello, TLSv1
RandomCookie: GMT: 1084488726 bytes = { 168, 20, 137, 240, 89, 129, 200, 201, 4
1, 194, 9, 209, 10, 112, 24, 88, 220, 46, 176, 200, 20, 144, 212, 253, 164, 198,
50, 201 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH
_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA,
SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EX
PORT_WITH_RC2_CBC_40_MD5, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DE
S_CBC_SHA, SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]
Compression Methods: { 0 }
[read] MD5 and SHA1 hashes: len = 65
0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
0040: 00 .
Thread-5, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
Thread-5, SEND TLSv1 ALERT: fatal, description = handshake_failure
Thread-5, WRITE: TLSv1 Alert, length = 2
Thread-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeEx
ception: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:9
92)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineI
mpl.java:459)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineIm
pl.java:1054)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:10
26)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.ja
va:153)
at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStat
eMachine.java:358)
at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.j
ava:262)
at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1
352)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(Serve
rHandshaker.java:638)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHands
haker.java:450)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHa
ndshaker.java:178)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:4
95)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.
java:930)
... 1 moreI am developing a simple client/server SSL app using sdk 1.4 (no SSLEngine) and am faced with the same problem. Could anybody track down the problem further?
-
AP or RADIuS Server disconnects Wireless Users constantly
Hi,
We are working with an Autenthication Server with Wireless Network, the AP´s are located on diferent LAN´s, but the problem is that some users get disconnection constantly, while anothers users are working without problems, same AP or diferent, you can be working without problems, but sometimes this problem can be in your PC.
Do you know, what i need to check ? do you have any idea about it?
Thank you, regards.I would strongly advise you to try to find a constant in your troubleshooting, be it a specific wlan client radio, a specific vlan, our perhaps a group policy on the radius server. Your approach can aid you greatly in eliminating possible culprits if your approach is effective, else you find yourself covering the same ground and making no headway toward resolve. This could be something as simple as an "idle-timeout" setting in radius (seems like it would impact all clients, but not all clients are logging in at the same time or staying on continuously)...there is a variable that you've yet to discover that could be a one-stop solution to your problem. Based on the limited info in your post, it would be mile-long checklist to troubleshoot, but you can do so if you look, as mentioned before, for a constant. Wish I could help more!
-
[ ISSUE ] NCS / PI authentication using Microsoft NPS as a RADIUS server
So here is my goal:
Authenticate employees who use NCS or PI with their ActiveDirectory credentials against Microsoft NPS.
Background:
I have successfully configured our switches to use the NPS server and our AD credentials to log into and receive plvl=15 access.
I've also used NPS to authenticate wireless clients in a lab setting.
Problem:
I cannot figure out what is going on with NCS/PI authentication against NPS.
Here are a couple/few steps I've taken:
- I've added the RADIUS client to the list.
- I've created a network policy to grant access to a specific group of users (AD group). It accepts either CHAP or PAP authentication
- I've also taken out the default radius attributes and inserted these:
- - Vendor Specific, Cisco-AV-Pair
- - - - I've used both the ASCII format of the task list and/or variations of the HEX value
- - Vendor-Specific, RAIDUS Standard
- - - - I've used both the ASCII format of the task list and/or variations of the HEX value
On the NPS server I can see the request coming in on the NPS logs. Access has been granted and it matches the Network Policy I created.
The usual message I receive is this:
No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server
Attached is a picture from a packet capture. The RAIDUS "Access-Accept" message has something under the Attribute Value Pairs section:
- "[Not enough room in packet for AVP] "
This capture was taken when I was only using the RAIDUS role value and not all the RAIDUS Tasks.
Has anyone gotten this to work using Cisco NCS/PI and Microsoft NPS?
Here are some of guides I used:
http://mihai.radoveanu.ro/2010/11/configuring-the-radius-authentication-with-cisco-wireless-control-system-6-0-196-0/
https://supportforums.cisco.com/thread/339057
http://www.cisco.com/en/US/products/ps6305/products_tech_note09186a00809038e6.shtmlHi Kyujin,
I wish I had finished my guide. Didn't realize it would take this long.
But what I meant is that when adding the attributes to my NPS (Microsoft's Network Policy Server) I only had to add the role and virtual domain if using Prime Infrastructure.
If you use NCS, you have to add the role, all the tasks, and the virtual domain.
See the screenshots and see if that helps explain it. Not sure how TACACS will work as I'm not familiar with it.
Microsoft NPS - Attributes for NCS
Microsoft NPS - Attributes for PI -
Cisco ISE: External RADIUS Server
Hi,
I would like to forward RADIUS from PSN to another PSN. I already defined "External RADIUS Servers".
So, how can I use this external RADIUS server to process my request ?
Looking at the user guide but didn't find any information about this setting (For rule based not simple rule)
If anyone use this, please suggest this to me.
Thanks,
PongsatornDefining an External RADIUS Server
The Cisco Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, the Cisco Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. The Cisco Cisco ISE accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS servers in the Cisco Cisco ISE to enable it to forward requests to the external RADIUS servers. You can define the timeout period and the number of connection attempts.
The Cisco Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. This External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description or both.
To create an external RADIUS server, complete the following steps:
Step 1 Choose Administration > Network Resources > External RADIUS Servers.
The RADIUS Servers page appears with a list of external RADIUS servers that are defined in Cisco ISE.
Step 2 Click Add to add an external RADIUS server.
Step 3 Enter the values as described:
•Name—(Required) Enter the name of the external RADIUS server.
•Description—Enter a description of the external RADIUS server.
•Host IP—(Required) Enter the IP address of the external RADIUS server.
•Shared Secret—(Required) Enter the shared secret between Cisco Cisco ISE and the external RADIUS server that is used for authenticating the external RADIUS server. A shared secret is an expected string of text that a user must provide to enable the network device to authenticate a username and password. The connection is rejected until the user supplies the shared secret. The shared secret can be up to 128 characters in length.
•Enable KeyWrap—This option increases RADIUS protocol security via an AES KeyWrap algorithm, to help enable FIPS 140-2 compliance in Cisco ISE.
•Key Encryption Key—This key is used for session encryption (secrecy).
•Message Authenticator Code Key—This key is used for keyed HMAC calculation over RADIUS messages.
•Key Input Format—Specify the format you want to use to enter the Cisco ISE FIPS encryption key, so that it matches the configuration that is available on the WLAN controller. (The value you specify must be the correct [full] length for the key as defined below—shorter values are not permitted.)
–ASCII—The Key Encryption Key must be 16 characters (bytes) long, and the Message Authenticator Code Key must be 20 characters (bytes) long.
–Hexadecimal—The Key Encryption Key must be 32 bytes long, and the Message Authenticator Code Key must be 40 bytes long.
•Authentication Port—(Required) Enter the RADIUS authentication port number. The valid range is from 1 to 65535. The default is 1812.
•Accounting Port—(Required) Enter the RADIUS accounting port number. The valid range is from 1 to 65535. The default is 1813.
•Server Timeout—(Required) Enter the number of seconds that the Cisco Cisco ISE waits for a response from the external RADIUS server. The default is 5 seconds. Valid values are from 5 to 120.
•Connection Attempts—(Required) Enter the number of times that the Cisco Cisco ISE attempts to connect to the external RADIUS server. The default is 3 attempts. Valid values are from 1 to 9.
Step 4 Click Submit to save the external RADIUS server configuration. -
Dynamic WEP with Win2k3 Radius server
Can someone provide information as how to configure AP350 and AP1200 to use dynamic WEP with Win2k3 Radius server.
What security feature should be configured
If possible provide information for configuration of Win2k3 Radius server.PEAP CHAPS,128-BIT or WPA
-
Dynamic IP allocation by Radius server
Hi community,
Can Cisco Radius server allocation different IP pools for requests from difference source IP addresses but having the same username/ password information? We have multiple GGSNs using dynamic IP allocation by Radius server. In Radius server, we configure username is subscriber's MSISDN. So we face a situation that a subscriber can go through any GGSN but for different GGSN, Radius server return different IP pools, even for the same subscriber. Is it possible?
Thanks and regards,
HieuI'm not sure if the Autonomous APs have the option for AAA Override. On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a Radius server to send back the VLAN.
I did a little research and it looks like the 1300 may give this option but instead is defined as "VLAN Override". I've found the release notes for 12.3(7)JA5 (not sure what version you're running) that give mention and a link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
Hope this helps -
it is possible to use wlse internal radius server to authenticate users with LEAP.
When you say it should use LEAP is this what you have configured on the phone? The WLSE Express can configure and use more than one of the authentication services at the same time. If more than one service is configured, the WLSE negotiates which one to use. Where are you seeing it is using Cisco-PEAP instead of LEAP? Can you attach these?
-
Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points
Hi Guys,
I would like to go for "Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points 1300". I want the AP to broadcast only 1 SSID. The client find the SSID ->put in his user credential->Raudius athentication->assign him to an specific vlan based on his groupship.
The problem here is that I don't have a AP controller but only configurable Aironet Access Points 1300. I can connect to the radius server, but I am not sure how to confirgure the AP's port, radio port, vlan and SSID.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
I go through some references:
3.5 RADIUS-Based VLAN Access Control
As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back end (such as RADIUS)-based VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This may not be preferred if the WLAN user is confined to a particular VLAN.
There are two different ways to implement RADIUS-based VLAN access control features:
1. RADIUS-based SSID access control: Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge.
2. RADIUS-based VLAN assignment: Upon successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.
extract from: Wireless Virtual LAN Deployment Guide
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
==============================================================
Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
==============================================================
Controller: Wireless Domain Services Configuration
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
Any help on this issue is appreicated.
Thanks.I'm not sure if the Autonomous APs have the option for AAA Override. On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a Radius server to send back the VLAN.
I did a little research and it looks like the 1300 may give this option but instead is defined as "VLAN Override". I've found the release notes for 12.3(7)JA5 (not sure what version you're running) that give mention and a link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
Hope this helps -
SGE2010 - Autentication Mac with radius(rada) and assign in VLAN.
Hi all
I need to create two VLANs with authentication radius.
and through its radius assign VLANs to the client.
What is the model SGE2010 can do this thing, because the manual none understandableI'm not sure if the Autonomous APs have the option for AAA Override. On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a Radius server to send back the VLAN.
I did a little research and it looks like the 1300 may give this option but instead is defined as "VLAN Override". I've found the release notes for 12.3(7)JA5 (not sure what version you're running) that give mention and a link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
Hope this helps -
Using RSA RADIUS Server and WLC 7.4 to dynamically asssign users to VLAN
Hello,
What we are trying to do:
John logs on to wifi using RSA fob for password. RSA sends back auth request with attibutes to WLC 7.4 that magically knows how to interpret the attributes and puts John on vlan 10. Mary logs on with her fob and gets put on VLAN 20.
We dont have ISE. We dont have ACS. We have RSA Authentication Manager 7.0
We have looked high and low for documentation for this kind of setup and we find stuff that is close to a match but not quite.
Here is what we are seeing
1. dynamic vlan assignment is not working -- radius server is set with the attributes
2. RSA authentication works
3. John and Mary are always put into the VLAN where the MGMT interface is
4. I can see that attributes are making it back to the WLC by sniffing
We are stuck at this point. Any help would be much appreciated,
P.Here is a little more background:
We have created a dynamic interface in VLAN 157
Wireless LAN has been assigned to MGMT interface which is on VLAN 35
This is a VWLC ver 7.4.100
AP is attached to VWLC (only FlexConnect mode is supported)
RADIUS Server has been configured
Users are getting assigned to VLAN 35
Also I have attached some screenshots and two packet captures so you can see what the RSA is sending back with your own eyes
I dont see any atttributes in the capture when RSA sends to the VWLC
I see attributes in the capture when RSA send to my local RADIUS Client (My PC)
And to answer your question we have sending a VLAN ID (157) -
Lobby ambsssador user authenticatio using a RADIUS server
I have Wism installed in unified wireless network, MS IAS server is sittign in between enterprise AD and Wism. Wireless clients are getting authentincated via ISA againt enterprise AD without any issue.
Now I want to authenticate the admin users in WLC ( for example Lobby admin users) also with AD using the same method.
I tried adding a RADIUS server in WLC on "administraiton>AAA servers" . But the external authentication doesn't seems to be happaning. Does someone has any exmaple on this type of configuraiton ?you can use Radius to authenticate management user, but I'm afraid can't use it to authenticate Lobby admin user.
To authen management user, you need:
1. in WLC, when creating Radius server, need to enable "management"
2. In Radius, you need to enable service type[006] to be administrative in user's IETF(Radius) attribute -
Radius server web authentication using ISE
Hi,
Can anyone point me in the direction of a guide to implement radius server web authentication using ISE?
I need this to be layer 3 Web Auth with all authentication requests coming from the wireless anchor controller, therefore don't think I can implement central web auth on ISE as detailed in the user guide as its layer 2 and auth requests come from the foreign controller.
The following link explains "Radius Server Web Authentication" using ACS. I need to find something similar for ISE - http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html
Thanks,Hi,
Please check these:
Central Web Authentication on the WLC and ISE Configuration Example
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
Regards
Dont forget to rate helpful posts -
OTP of ASDM using external radius server ( Not RSA )
Hello,
Just seeing if the ASDM will support OTP using an external radius server, and not RSA. I see there was a feature added to 8.2 that states its possible with RSA, but nothing of any other support. Just checking to see if someone know for sure.
Thanks,
JasonI did see in the Release notes for ASDM 6.2, that SDI is support with RSA. Can anyone confirm or not if it works with Radius too ( OTP ).
http://www.cisco.com/en/US/docs/security/asdm/6_2/release/notes/asdmrn62.html -
Multiple stand alone servers using one radius server?
Hello, I have a question.
I'm working for a company and our problem is we need a username and password for every server.
We would like to set up a Radius server using an extension so it can use a SQL database for the users.
Is it possible to put 1 username and 1 password for each user in this database so we don't need more then one for each server?
Also can we set up policy's for those users so they can't access every stand-alone server.
Kind Regards,
MichaelHi,
Based on my research, when a RADIUS client (access server) sends connection requests and accounting messages to a RADIUS server, the RADIUS server will sends back an Access-Accept message or sends back an Access-Reject message to authenticate and authorize
the connection requests based on a set of rules and the information in the user account database. The Access-Accept message can contain connection restrictions that are implemented by the access server for the duration of the connection.
In addition, according to your description, it seems that you used the SQL database as the User account database. Did you use NPS as a RADIUS server? If yes, maybe you can configure related network policy to restrict access. I would appreciate it if you can
introduce more detailed information about your environment. The link below may be helpful:
Configuring Microsoft NPS (Network Policy Server) / (Internet Authentication Service)IAS as Wireless LAN Controller (WLC) RADIUS Server
Best regards,
Susie
Maybe you are looking for
-
How do I move a photo from iPhoto to a CraigsList posting?
How do I move a photo from iPhoto to a CraigsList posting ?
-
Spam email about iTunes billing?
I received an email about an iTunes billing problem implying a 3rd party may be using my account. It seems a bit sketchy to me, is it spam? Has anyone else received anything similar?
-
Use Lion Server to set up security in Web Sharing
Can I use Lion Server to set up security in Web Sharing? I want a password prompt to appear when someone comes to look at my Web Sharing files. I have tried to do this manually in Snow Leopard and Lion, and am considering buying Lion Server just for
-
9ias 1.0.2.2 on Linux other than Suse 7.1
Hi friends, Is there anynone else in the world trying using/trying to use 9ias 1.0.2.2 on any other Linux than Suse 7.1 (as recommended here in the technet)? I'm having so many troubles trying to install it on a Mandrake 8 (where I can install an Ora
-
Unknown Devices appearing in Application Sharing
I have noticed a number of unknown devices are listed in the application sharing section of Hub Manager. Does this pose a security threat and is there any way I can prevent external access of this kind? There doesn't seem to be any way of removing th