WAP200 and .1x/radius authentication with multiple SSIDs

Similar Messages

• Authentication with Multiple SSIDs AP521G, using Autonomous

  I have an AP521G access point that I am trying to setup authentication for multiple SSIDs. One SSID is for domain users with WPA/TKIP authentication to a radius server and the other SSID is for guest to have access to Internet with no authentication. Is there a way to setup both SSIDs on the AP for this configuration?

  Security option for an SSID can be unique and can be configured when you configure a SSID or under VLAN . Note that each vlan is uniquely mapped to induvidual SSID.

• Can bookmarks be protable for multiple computers? Is it an option to log on and use my bookmarks with multiple computers and locations? Thanks

  Can bookmarks be protable for multiple computers? Is it an option to log on and use my bookmarks with multiple computers and locations? Thanks

  Profile is a folder which store all your personal data in a safe place
  * https://support.mozilla.com/en-US/kb/Profiles
  You can use this button to go to the current Firefox profile folder:
  * Help > Troubleshooting Information > Profile Directory: Open Containing Folder
  here explain how to backup profile
  * https://support.mozilla.com/en-US/kb/Backing%20up%20your%20information
  Here explain how to restore it
  *https://support.mozilla.com/en-US/kb/Recovering%20important%20data%20from%20an%20old%20profile

• How do icloud and itunes match work with multiple libraries?

  How do icloud and itunes match work with multiple libraries?

  This forum is for troubleshooting compatibility issues between Macs and Windows, not iTunes. You'll probably want to repost your question in the iTunes discussions:
  http://discussions.apple.com/category.jspa?categoryID=150

• ACS 5.3 Radius authentication with ASA and DACL

  Hi,
  I am trying to do Radius authentication on the ACS 5.3 for VPN access (cisco client) using a downloadable ACL with AD identity
  Clients are connecting to an ASA 5510 with image asa843-K8.bin
  I followed the configuration example on the Cisco site, but I am having some problems
  First : AD identity is not triggered, I put a profile  :
  Status
  Name
  Conditions
  Results
  Hit Count
  NDG:Location
  Time And   Date
  AD1:memberOf
  Authorization   Profiles
  1
  TestVPNDACL
  -ANY-
  -ANY-
  equals Network Admin
  TEST DACL
  0
  But if I am getting no hits on it, Default Access is being used (Permit Access)
  So I tried putting the DACL in the default profile, but when connecting I am immediately disconnected.
  I can see the DACL/ASA being authenticated in the ACS log but no success
  I am using my user which is member of the Network Admin Group.
  Am I missing something?
  Any help greatly appreciated!
  Wim

  Hello Stephen,
  As per the IP Pools feature, the ACS 5.x does not include such functionality. It is not on the ACS 5.x roadmap either as the recommended scenario would be to use a dedicated DHCP server.
  ACS 4.x included that functionality, however, it was not the best solution as the ACS returned the IP Address value as a RADIUS Attribute instead of acting as a real DCHP server.
  As per the IMEI and MISDN I am assuming you are referring to International Mobile Equipment Identity and Mobile Subscriber ISDN. Correct me if I am wrong.
  In that case it seems that the ACS 5.x should be able to Allow or Deny access based on Radius Attribute 30 (Called-Station-Id) and 31 (Calling-Station-Id).
  In that case you might want to use the End-Station Filters feature and use it as the condition for the Rule. The End-Station Filter feature uses CLI/DNIS where CLI is Radius Attribute 31 and DNIS is Attribute 30.
  I am assuming a Generic Username will be embedded on the devices request. In that case you will define which end-user devices will be granted access based on the above attributes.
  Here is a snapshot of the section:

• Single access point with multiple ssids and single channel possible?

  Hi everybody.
  I have this silly question.
  Let say we have three vlans, vlan1,2,3  and they are mapped to wlans as follows:
  Vlan 1  ssid1
  Vlan 2 ssid2
  Vlan3 ssid 3
                    AP --------trunk------Switchted network.
  Our Ap  has mobile devices in three wlans, i.e ssid1ssid2 and ssid3
  Since AP uses half duplex mode,  mobile devices need positive ack from ap  before they can send data,  therefore once channel let say channel 3( assuming 802.11b is used) can be shared by all mobile devices in three wlans.  
  Is  my understanding correct?
  Thanks and have a great weekend.

  Hii ,
  Yes ,that is pretty much possible as suggested by other experts on board. Depending on your access point you will have 1 (2.4 GHz) or  both 2.4 & 5GHz radios.
  You can configure multiple SSIDs (up to 16 ) known as MBSSID mode in autonomous environment. In Controller based architecture you can configure up to 512 WLAN (SSID) and transmit any 16 of them per AP (using AP group feature). However , it is recommended to keep multiple SSID count below 8 as for each SSID separate beacon will be sent on air which consumes more air time.
  Hope this helps
  Thanks
  Vinay

• Radius authentication with ISE - wrong IP address

  Hello,
  We are using ISE for radius authentication.  I have setup a new Cisco switch stack at one of our locations and setup the network device in ISE.  Unfortunately, when trying to authenticate, the ISE logs show a failure of "Could not locate Network Device or AAA Client" The reason for this failure is the log shows it's coming from the wrong IP address.  The IP address of the switch is 10.xxx.aaa.241, but the logs show it is 10.xxx.aaa.243.  I have removed and re-added the radius configs on both ISE and the switch, but it still comes in as .243.  There is another switch stack at that location (same model, IOS etc), that works properly.
  The radius config on the switch:
  aaa new-model
  aaa authentication login default local
  aaa authentication login Comm group radius local
  aaa authentication enable default enable
  aaa authorization exec default group radius if-authenticated
  ip radius source-interface Vlanyy
  radius server 10.xxx.yyy.zzz
   address ipv4 10.xxx.yyy.zzz auth-port 1812 acct-port 1813
   key 7 abcdefg
  The log from ISE:
  Overview
  Event  5405 RADIUS Request dropped 
  Username  
  Endpoint Id  
  Endpoint Profile  
  Authorization Profile  
  Authentication Details
  Source Timestamp  2014-07-30 08:48:51.923 
  Received Timestamp  2014-07-30 08:48:51.923 
  Policy Server  ise
  Event  5405 RADIUS Request dropped 
  Failure Reason  11007 Could not locate Network Device or AAA Client 
  Resolution  Verify whether the Network Device or AAA client is configured in: Administration > Network Resources > Network Devices 
  Root cause  Could not find the network device or the AAA Client while accessing NAS by IP during authentication. 
  Username  
  User Type  
  Endpoint Id  
  Endpoint Profile  
  IP Address  
  Identity Store  
  Identity Group  
  Audit Session Id  
  Authentication Method  
  Authentication Protocol  
  Service Type  
  Network Device  
  Device Type  
  Location  
  NAS IP Address  10.xxx.aaa.243 
  NAS Port Id  tty2 
  NAS Port Type  Virtual 
  Authorization Profile  
  Posture Status  
  Security Group  
  Response Time  
  Other Attributes
  ConfigVersionId  107 
  Device Port  1645 
  DestinationPort  1812 
  Protocol  Radius 
  NAS-Port  2 
  AcsSessionID  ise1/186896437/1172639 
  Device IP Address  10.xxx.aaa.243 
  CiscoAVPair  
     Steps
    11001  Received RADIUS Access-Request 
    11017  RADIUS created a new session 
    11007  Could not locate Network Device or AAA Client 
    5405  
  As a test, I setup a device using the .243 address.  While ISE claims it authenticates, it really doesn't.  I have to use my local account to access the device.
  Any advice on how to resolve this issue would be appreciated.  Please let me know if more information is needed.

  Well from the debug I would say there may be an issue with the addressing of the radius server on the switch.
  radius-server host 10.xxx.xxx.xxx key******** <--- Make sure this address and Key matches what you have in ISE PSN and that switch. Watch for spaces in your key at the begining or end of the string.
  What interface should your switch be sending the radius request?
  ip radius source-interface VlanXXX vrf default
  Here is what my debug looks like when it is working correctly.
  Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265): ask "Password: "
  Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265):Orig. component type = EXEC
  Aug  4 15:58:47 EST: RADIUS(00000265): Config NAS IP: 10.xxx.xxx.251
  Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265): acct_session_id: 613
  Aug  4 15:58:47 EST: RADIUS(00000265): sending
  Aug  4 15:58:47 EST: RADIUS(00000265): Send Access-Request to 10.xxx.xxx.35:1645 id 1645/110, len 104
  Aug  4 15:58:47 EST: RADIUS:  authenticator 97 FB CF 13 2E 6F 62 5D - 5B 10 1B BD BA EB C9 E3
  Aug  4 15:58:47 EST: RADIUS:  User-Name           [1]   9   "admin"
  Aug  4 15:58:47 EST: RADIUS:  Reply-Message       [18]  12 
  Aug  4 15:58:47 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
  Aug  4 15:58:47 EST: RADIUS:  User-Password       [2]   18  *
  Aug  4 15:58:47 EST: RADIUS:  NAS-Port            [5]   6   3                        
  Aug  4 15:58:47 EST: RADIUS:  NAS-Port-Id         [87]  6   "tty3"
  Aug  4 15:58:47 EST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
  Aug  4 15:58:47 EST: RADIUS:  Calling-Station-Id  [31]  15  "10.xxx.xxx.100"
  Aug  4 15:58:47 EST: RADIUS:  Service-Type        [6]   6   Login                     [1]
  Aug  4 15:58:47 EST: RADIUS:  NAS-IP-Address      [4]   6   10.xxx.xxx.251           
  Aug  4 15:58:47 EST: RADIUS(00000265): Started 5 sec timeout
  Aug  4 15:58:47 EST: RADIUS: Received from id 1645/110 10.xxx.xxx.35:1645, Access-Accept, len 127
  Aug  4 15:58:47 EST: RADIUS:  authenticator 1B 98 AB 4F B1 F4 81 41 - 3D E1 E9 DB 33 52 54 C1
  Aug  4 15:58:47 EST: RADIUS:  User-Name           [1]   9   "admin"
  Aug  4 15:58:47 EST: RADIUS:  State               [24]  40 
  Aug  4 15:58:47 EST: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61  [ReauthSession:0a]
  Aug  4 15:58:47 EST: RADIUS:   30 63 66 65 32 33 30 30 30 31 46 37 30 37 35 33  [0cfe230001F70753]
  Aug  4 15:58:47 EST: RADIUS:   44 46 45 35 46 37            [ DFE5F7]
  Aug  4 15:58:47 EST: RADIUS:  Class               [25]  58 
  Aug  4 15:58:47 EST: RADIUS:   43 41 43 53 3A 30 61 30 63 66 65 32 33 30 30 30  [CACS:0a0cfe23000]
  Aug  4 15:58:47 EST: RADIUS:   31 46 37 30 37 35 33 44 46 45 35 46 37 3A 50 52  [1F70753DFE5F7:PR]
  Aug  4 15:58:47 EST: RADIUS:   59 49 53 45 30 30 32 2F 31 39 33 37 39 34 36 39  [YISE002/19379469]
  Aug  4 15:58:47 EST: RADIUS:   38 2F 32 30 36 33 31 36          [ 8/206316]
  Aug  4 15:58:47 EST: RADIUS(00000265): Received from id 1645/110
  ---------------------------------------------------------------------------------------------------------------This is after I added the incorrect Radius server address.
  Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268): ask "Password: "
  Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268):Orig. component type = EXEC
  Aug  4 16:05:19 EST: RADIUS(00000268): Config NAS IP: 10.xxx.xxx.251
  Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268): acct_session_id: 616
  Aug  4 16:05:19 EST: RADIUS(00000268): sending
  Aug  4 16:05:19 EST: RADIUS(00000268): Send Access-Request to 10.xxx.xxx.55:1645 id 1645/112, len 104
  Aug  4 16:05:19 EST: RADIUS:  authenticator FC 94 BA 5D 75 1F 84 08 - E0 56 05 3A 7F BC FB BB
  Aug  4 16:05:19 EST: RADIUS:  User-Name           [1]   9   "admin"
  Aug  4 16:05:19 EST: RADIUS:  Reply-Message       [18]  12 
  Aug  4 16:05:19 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
  Aug  4 16:05:19 EST: RADIUS:  User-Password       [2]   18  *
  Aug  4 16:05:19 EST: RADIUS:  NAS-Port            [5]   6   7                        
  Aug  4 16:05:19 EST: RADIUS:  NAS-Port-Id         [87]  6   "tty7"
  Aug  4 16:05:19 EST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
  Aug  4 16:05:19 EST: RADIUS:  Calling-Station-Id  [31]  15  "10.xxx.xxx.100"
  Aug  4 16:05:19 EST: RADIUS:  Service-Type        [6]   6   Login                     [1]
  Aug  4 16:05:19 EST: RADIUS:  NAS-IP-Address      [4]   6   10.xxx.xxx.251           
  Aug  4 16:05:19 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:23 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:23 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:23 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:29 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:29 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:29 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:33 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:33 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
  Aug  4 16:05:33 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
  Aug  4 16:05:33 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:33 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:38 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:38 EST: RADIUS: Fail-over to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:38 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:43 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:43 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:43 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:48 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:48 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:48 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:53 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:53 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
  Aug  4 16:05:53 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
  Aug  4 16:05:53 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:53 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:57 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:57 EST: RADIUS: No response from (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:57 EST: RADIUS/DECODE: parse response no app start; FAIL
  Aug  4 16:05:57 EST: RADIUS/DECODE: parse response; FAIL
  This is a default template I use for all my devices routers or switches hope it helps. I have two PSN's that is why we have two radius-server host commands..
  aaa authentication login vty group radius local enable
  aaa authentication login con group radius local enable
  aaa authentication dot1x default group radius
  aaa authorization network default group radius 
  aaa accounting system default start-stop group radius
  ip radius source-interface VlanXXX vrf default
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 6 support-multiple
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 30 tries 3
  radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
  radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
  radius-server vsa send accounting
  radius-server vsa send authentication
  You can use this in the switch to test radius
  test aaa group radius server 10.xxx.xxx.xxx <username> <password>

• Wireless Network Management with Multiple SSIDs in one Wireless Profile

  Could anybody explain me about how Multiple SSIDs in one Wireless Network Name (Network Profile) ? Configuration will be pushed to Windows 7 Pro from Wins Server 2008 R2.
  Objective: Multiple office locations will have different SSIDs and when the laptop user travels one location to another, he/she could connect to wireless networks at any offices without any configuration change but utilizing "Automatically use my Windows
  logon name and password (and domain if any.)" setting in EAP MSCHAPv2 properties. 
  Network Name: Enterprise
  SSIDS: SFO-WIFI, LAX-WIFI,CHI-WIFI,NYC-WIFI,
  Network Type:Access Point
  Security Type: WPA2-Enterprise
  Encryption Type: AES
  Network Authentication Method: Microsoft:Protect EAP(PEAP)
  My question is: (1) Will Windows try all the SSIDs in order to get connected to the Wireless Network at the office? (Let's say, user is in NYC, but will Windows try to find SFO-WIFI SSID first, wait until time out, retry?, and moves on to LAS-WIFI SSID,
  wait until time out, retry?, and moves on to CHI-WIFI and finally tries NYC-WIFI SSID and found the SSID in the beacon from Access Point and authenticates through RADIUS?
  (2) If the answer is YES, what is the waiting time/timeout setting for one SSID before moves on to another?
  (3) If the answer is NO, what is the process to get user connected to NYC-WIFI SSID when he/she is in NYC office within the range of that SSID?

  Hello Ninjago_2224,
  About the multiple office location have different SSIDs, does the location A has the signal used in
  location D?
  Please go to Control Panel\Network and Internet\Network and Sharing Center
  , and then click Manage wireless networks.
  The windows will try to connect to these networks in the order listed.
  Please check if the four SSID pushed by Windows Server 2008 is listed as mentioned above.
  If the location A have the location D SSID and the location D SSID has higher priority, the Windows will connect to
  location D SSID.
  So about the question 1, the Windows will try the SSID in order.
  About the question 2, I can’t find the accurate time that test one SSID and move to another. But based on my test, it is very fast.
  For more information, please take a look at the following article.
  http://www.howtogeek.com/howto/27067/change-wireless-network-priority-to-make-windows-7-choose-the-right-network-first/
  Please note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
  Best regards,
  Fangzhou CHEN
  Fangzhou CHEN
  TechNet Community Support

• Wirelss AP1140 Radius authentication with Microsoft IAS

  Hi,
  I have a Cisco C1140 Ap. I have cnfigured the device. Initially for testing i used WPA and authenticated locally. I have now setup a radius server and added my AP in as a client etc. I have changed my SSID's to authenticate with the radius server and i am having issues authenticating.
  I can connect via a PC and an iphone. They say that i am connected but i get no ip address and the debugs state that the authentication fails:
  000466: Sep 5 14:33:07.074 AEST: %DOT11-7-AUTH_FAILED: Station 40a6.d967.8b13 Authentication failed
  000467: Sep 5 14:33:28.368 AEST: %DOT11-7-AUTH_FAILED: Station bc77.3771.b15f Authentication failed
  000468: Sep 5 14:33:39.837 AEST: %DOT11-7-AUTH_FAILED: Station 40a6.d967.8b13 Authentication failed
  I can see the Radius server as connected
  imc-syd-ap1#show aaa servers
  RADIUS: id 4, priority 1, host 10.10.0.2, auth-port 1645, acct-port 1646
  State: current UP, duration 4337s, previous duration 0s
  Dead: total time 0s, count 0
  Authen: request 0, timeouts 0
  Response: unexpected 0, server error 0, incorrect 0, time 0ms
  Transaction: success 0, failure 0
  Author: request 0, timeouts 0
  Response: unexpected 0, server error 0, incorrect 0, time 0ms
  Transaction: success 0, failure 0
  Account: request 0, timeouts 0
  Response: unexpected 0, server error 0, incorrect 0, time 0ms
  Transaction: success 0, failure 0
  Elapsed time since counters last cleared: 1h12m
  The debugs show:
  000474: Sep 5 14:36:00.969 AEST: %DOT11-7-AUTH_FAILED: Station bc77.3771.b15f Authentication failed
  000475: Sep 5 14:36:01.485 AEST: AAA/BIND(00000109
  show dot11 associations:
  imc-syd-ap1#show dot11 associations
  802.11 Client Stations on Dot11Radio0:
  SSID [IMC-Wireless-Data] :
  MAC Address IP address Device Name Parent State
  bc77.3771.b15f 0.0.0.0 ccx-client DAVID self AAA_Auth
  Any ideas or recomendations would be greatly appreciated
  Thanks
  Below is a copy of my wireless config:
  version 12.4
  no service pad
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  service sequence-numbers
  hostname xxxxxxxxxxxxxx
  logging buffered 40960 debugging
  enable secret 5 xxxxxxxxxxxxx
  aaa new-model
  aaa group server tacacs+ IMC
  server 172.16.100.3
  aaa group server radius AUTHVPN
  server 10.10.0.2 auth-port 1645 acct-port 1646
  server 10.11.0.24 auth-port 1645 acct-port 1646
  aaa authentication login default group IMC local enable
  aaa authorization exec default group IMC local if-authenticated
  aaa session-id common
  clock timezone AEST 10
  clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
  no ip domain lookup
  ip domain name imc.net.au
  dot11 syslog
  dot11 ssid IMC-Wireless-Data
  vlan 10
  authentication open eap AUTHVPN
  authentication network-eap AUTHVPN
  guest-mode
  mbssid guest-mode
  infrastructure-ssid optional
  information-element ssidl
  dot11 ssid IMC-Wireless-Voice
  vlan 14
  authentication open eap AUTHVPN
  authentication network-eap AUTHVPN
  mbssid guest-mode
  information-element ssidl
  dot11 aaa authentication attributes service login-only
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption mode wep mandatory
  ssid IMC-Wireless-Data
  ssid IMC-Wireless-Voice
  antenna gain 0
  mbssid
  station-role root
  interface Dot11Radio0.10
  encapsulation dot1Q 10 native
  no ip route-cache
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface Dot11Radio0.14
  encapsulation dot1Q 14
  no ip route-cache
  bridge-group 14
  bridge-group 14 subscriber-loop-control
  bridge-group 14 block-unknown-source
  no bridge-group 14 source-learning
  no bridge-group 14 unicast-flooding
  bridge-group 14 spanning-disabled
  interface Dot11Radio1
  no ip address
  no ip route-cache
  encryption mode wep mandatory
  ssid IMC-Wireless-Data
  ssid IMC-Wireless-Voice
  antenna gain 0
  no dfs band block
  mbssid
  channel dfs
  station-role root
  interface Dot11Radio1.10
  encapsulation dot1Q 10 native
  no ip route-cache
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface Dot11Radio1.14
  encapsulation dot1Q 14
  no ip route-cache
  bridge-group 14
  bridge-group 14 subscriber-loop-control
  bridge-group 14 block-unknown-source
  no bridge-group 14 source-learning
  no bridge-group 14 unicast-flooding
  bridge-group 14 spanning-disabled
  interface GigabitEthernet0
  description IMC-Wireless-Data
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  no keepalive
  interface GigabitEthernet0.10
  description IMC-Wireless-Data
  encapsulation dot1Q 10 native
  no ip route-cache
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface GigabitEthernet0.14
  description IMC-Wireless-Voice
  encapsulation dot1Q 14
  no ip route-cache
  bridge-group 14
  no bridge-group 14 source-learning
  bridge-group 14 spanning-disabled
  interface BVI1
  description IMC-Wireless-Data
  ip address 10.10.0.245 255.255.255.0
  no ip route-cache
  ip default-gateway 10.10.0.254
  ip http server
  ip http authentication local
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip radius source-interface BVI1
  access-list 111 permit tcp any any eq telnet
  access-list 111 permit tcp any any eq www
  access-list 111 permit tcp any any eq 22
  snmp-server community public RO
  snmp-server enable traps tty
  tacacs-server host 172.16.100.3 key 7 xxxxxxxxxxxxxxxxxxx
  tacacs-server directed-request
  radius-server host 10.10.0.2 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxx
  bridge 1 route ip
  wlccp wds aaa authentication attributes service login-only
  line con 0
  line vty 0 4
  access-class 111 in
  exec-timeout 5 0
  line vty 5 15
  access-class 111 in
  exec-timeout 5 0
  sntp server 10.10.0.254
  end

  Inside the ssid, when you put "authentication open" it's an eap_method that follows. You put your AUTHVPN aaa server group name. that's wrong.
  aaa authentication login  group AUTHVPN
  and adjust your "authentication open eap " to match with that method name.
  Also your group authvpn contains a 2nd server that is undefined in yoru global config ...
  Nicolas

• Cisco ISE IPEP and Non Radius Authenticator

  Is it possible for a Juniper FW or Aruba Wireless or anything else that does native AD authentication can use an IPEP for policy enforcement without converting the authenticator (juniper / aruba etc…) to a Radius request to a PDP for the IPEP to build the session from?
  Does the IPEP simply "sniff" the packets and build a session from that or does it require RADIUS authentication to pass through for the IPEP to function?
  I believe RADIUS is required but the client said he was told it is not and the authenticator can pass the traffic through the IPEP even if it authenticates clients by Native AD.
  Anyone have any exmaples or traffic flows if this is possible?
  Thanks,
  Michael Wynston

  Got my answer and it is as I thought. The iPEP only works if it sees RADIUS requests to a PDP that then provides the iPEP with the policy to enforce.
  Have a client migrating from CCA which will natively check AD inline based on seen authentication requests. They were told (not by me) ISE can do that too.
  Guess not
  Sent from Cisco Technical Support iPhone App

• WLC 4402 RADIUS Authentication with IAS

  Hello
  I configured a WLAN with PEAP (CHAP v2)and Radius authentication to a Win 2003 IAS Radius Server.
  On the controller 4402 the layer 2 security is set to WPA1+WPA2 with 802.1x authentication.
  The IAS server don't use the configured policy when a authentication reguest arrive.
  I there an issue with special RADIUS attributes or configuration items on the IAS Server?
  The following event appear in the windows logs:
  User STANS\kaesmr was denied access.
  Fully-Qualified-User-Name = STANS\kaesmr
  NAS-IP-Address = 172.17.25.6
  NAS-Identifier = keynet-01
  Called-Station-Identifier = 00-18-74-FB-CA-20:keynet
  Calling-Station-Identifier = 00-16-CE-52-C8-EB
  Client-Friendly-Name = Wireless-Controller
  Client-IP-Address = 172.17.25.6
  NAS-Port-Type = Wireless - IEEE 802.11
  NAS-Port = 1
  Proxy-Policy-Name = Windows-Authentifizierung f?r alle Benutzer verwenden
  Authentication-Provider = Windows
  Authentication-Server = <undetermined>
  Policy-Name = <undetermined>
  Authentication-Type = Extension
  EAP-Type = <undetermined>
  Reason-Code = 21
  Reason = The request was rejected by a third-party extension DLL file.

  What I understand from your post is that the authentication is not handled by your IAS server. IF I am correct, the problem might be with the "Allow AA override" option disabled in your WLAN. If it is enabled, then the AAA server or your IAS server will override the security parameters set locally on the controller.
  So, first ensure whether "Allow AAA override" is enabled under Controller--->WLAN field.
  Also, chek out the logs of the IAS server for obtaining more info on this.

• Integrating RADIUS authentication with JAAS ???

  Hi,
  I have username/password JAAS authentication in my application.
  Now I have to support RADIUS authentication on top of the existing username/password authenticaiton.
  I am in the process of defining a login module for RADIUS.
  Is there any opensource login module existing for RADIUS ??
  After defining the RADIUS login module where to configure the multiple authentication policies ??
  Thanks,
  Dyanesh.

  This sample configuration shows how to set up a remote access VPN connection between a Cisco VPN Client (4.x for Windows) and the PIX 500 Series Security Appliance 7.x using a Cisco Secure Access Control Server (ACS version 3.2) for extended authentication (Xauth).
  http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008080f2d1.shtml

• Network Locations not working with Multiple SSIDs

  I've had a MacBookPro 15 for three years.  Started with 10.5 and upgraded to 10.6.  I just received a new MacBookPro 15 with Lion 10.7.
  The Issue:
  On 10.5 and 10.6 I use multiple network locaitons.  One for work, one for Home and one for Roaming.  I have a "Work" SSID at work and at Home.  I also have a "Home" SSID at home.
  So basically, when I'm home I can select "work" to be on my hardware VPN router and connect directly to the office.  Then, when I'm not working, I can switch to the "home" location and automatically connect to my home network and not have big brother watching me surf the web.
  In 10.7 this no longer works.  All of the WIFI settings are them same in both locations.  When I'm on "home" I add the SSID for home and it connects.  I then turn off the wifi and switch locations (same as I do in 10.6).  Then I turn WIFI back on, and it connects to my home SSID.  I go to the wireless settings, and add the work SSID and delete the home SSID.  I shut off wireless, change back to home and turn it back on.  I go to wireless settings, and the only SSID is the one I added under the work location.
  Has anyone else seen this change in behavior?
  Dan

  I prefer to continue the way I've been using it for 3 years rather than switch now.  The work location has the WIFI adapter as primary so that the default gateway is the wifi network even if I have a network cable plugged in.  This allows me to use my "work" network, but I can still share content with my local home network and also print to my local printer (not on my work network).
  So, this solution really doesn't work for me.  And yes, I know you can only connect to one at a time, but  again, those are not the only settings that I change when switching locations.  Those are the only settings that are broken.
  Dan

• APC (UPS) RADIUS authentication with ACS 5.X

  I am trying to do RADIUS authentication for APC (UPS) using ACS 5.2 Appliance. It is working fine with ACS 4.2, but unfortunately not with ACS 5.2. I tried creating RADIUS VSA (Vendor Specific Attributes) for APC in ACS 5.2.
  According to the APC dictionary file
  VENDOR APC 318
  # Attributes
  ATTRIBUTE APC-Service-Type 1 integer APC
  ATTRIBUTE APC-Outlets 2 string APC
  VALUE APC-Service-Type Admin 1
  VALUE APC-Service-Type Device 2
  VALUE APC-Service-Type ReadOnly 3
  # For devices with outlet users only
  VALUE APC-Service-Type Outlet 4
  I have added the attributes in blue(attached), how do I add the VALUE's (shown red) in ACS 5.2? What else should I do to get this working?
  The hit count on the ACS shows that it is getting authentication request from the APC appliance.
  Thanks in advance.

  Hi,
  I am working on the same issue and i manage to login (using Ldap A/D backend authentication). When using the standard Radius attribute Service-Type (1 for read-only and 6 for admin) i manage to get this working. I am however trying to use the APC VSAs (as above) without any success. The objective is to have outlet management for specific users, admin or read-only others. Did u manage to get this working and how?
  ./G

• WWSAPI - Cannot connect to web service via SSL and HTTP proxy authentication with NTLM, errorCode 0x803d0016, HTTP status 407

  Hi,
  I built a web service client using WWSAPI. The connection works via SSL (without HTTP proxy) and it works with SSL and proxy with basic authentication as well. When I try to connect using a proxy with NTLM authentication, then I get the errorCode
  0x803d0016, HTTP status "407 (0x197)", "Proxy Authentication Required".
  In WireShark I see only one HTTP request to connect to the proxy with NTLM Message Type: NTLMSSP_NEGOTIATE. The HTTP Response returns Status 407 and the connection ist closed. Comparing this to Internet Explorer - the Connection is not closed and
  a second request with NTLMSSP_AUTH is sent.
  Why doesn't it make the complete NTLM handshake? Why wasn't sent the NTLMSSP_AUTH directly?
  I oriented in the HttpCalculatorWithKerberosOverSslClientExample.
  Using WS_HTTP_HEADER_AUTH_SECURITY_BINDING,
  WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_SCHEME was set to WS_HTTP_HEADER_AUTH_SCHEME_NTLM, WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_TARGET to WS_HTTP_HEADER_AUTH_TARGET_PROXY. I tried WS_DEFAULT_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE but also WS_STRING_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE.
  Any idea?
  Thanks

  Hi,
  I built a web service client using WWSAPI. The connection works via SSL (without HTTP proxy) and it works with SSL and proxy with basic authentication as well. When I try to connect using a proxy with NTLM authentication, then I get the errorCode
  0x803d0016, HTTP status "407 (0x197)", "Proxy Authentication Required".
  In WireShark I see only one HTTP request to connect to the proxy with NTLM Message Type: NTLMSSP_NEGOTIATE. The HTTP Response returns Status 407 and the connection ist closed. Comparing this to Internet Explorer - the Connection is not closed and
  a second request with NTLMSSP_AUTH is sent.
  Why doesn't it make the complete NTLM handshake? Why wasn't sent the NTLMSSP_AUTH directly?
  I oriented in the HttpCalculatorWithKerberosOverSslClientExample.
  Using WS_HTTP_HEADER_AUTH_SECURITY_BINDING,
  WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_SCHEME was set to WS_HTTP_HEADER_AUTH_SCHEME_NTLM, WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_TARGET to WS_HTTP_HEADER_AUTH_TARGET_PROXY. I tried WS_DEFAULT_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE but also WS_STRING_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE.
  Any idea?
  Thanks