Web Authentication with MS IAS Server
I'm trying to configure my 2106 WLC to authenticate with an MS IAS Radius Server. I had this working, but my boss did not want to do any configuration on the client side and now wants to do all authentication through Web authentication with the Radius server. The wireless client connects and is redirected to the login page like they're supposed to, but when I enter my credentials the login fails. However, if I enter the login of a local user to the controller the authentication works.
I see in the logs the following error: AAA Authentication Failure for UserName:chevym User Type: WLAN USER. The authentication is reaching the server too, but the logs don't tell you much.
Here is what is in the server logs: 192.168.0.77,chevym,07/29/2008,05:58:16,IAS,TESTLAB1,25,311 1 192.168.0.221 07/28/2008 17:27:10 48,4127,2,4130,TESTLAB\chevym,4129,TESTLAB\chevym,4154,Use Windows authentication for all users,4155,1,4128,Wireless LAN Controller,4116,9,4108,192.168.0.77,4136,3,4142,19
I don't really understand any of that and I'm not really sure if I have the server itself configured correctly for what I want to do. Does anyone have instructions on how to do this?
I had another thread going on this, but since it appears to be an IAS problem, I've been posting on the MS forum instead of here.
I'm trying to set up wireless laptop-WLC-IAS authentication using PEAP.
The machine authenticates on boot, but any login by any user results in this message in the Windows Event log on the IAS server:
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 9/3/2008
Time: 11:00:55 PM
User: N/A
Computer: DC1
Description:
User SCOTRNCPQ003.scdl.local was denied access.
Fully-Qualified-User-Name = SCDL\SCOTRNCPQ003.scdl.local
NAS-IP-Address = 10.10.10.10
NAS-Identifier = scohc0ciswlc
Called-Station-Identifier = 00-21-55-C0-7D-70:Domain Staff
Calling-Station-Identifier = 00-90-4B-4C-92-B7
Client-Friendly-Name = WLAN Controller
Client-IP-Address = 10.10.10.10
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 29
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name =
Authentication-Type = EAP
EAP-Type =
Reason-Code = 8
Reason = The specified user account does not exist.
The policy is the default connection policy created when installing IAS.
In ADUC, I've tried setting both the machine and users Dial-In properties to Allow Access or Control through policy, with the same result.
I've gone through the policy and there isn't anything there, other than the Day-Time rule which is set to allow access for all hours of the whole day, every day.
In the last few days, I've read about the Ignore User Dial In properties, but can't find where/how you set this.
It sounded to me as if this had been resolved in this thread, so I wanted to know how this had been accomplished.
Similar Messages
-
Not Working-central web-authentication with a switch and Identity Service Engine
on the followup the document "Configuration example : central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working, i'm asking for your help...
I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
The interface configuration looks like this:
interface FastEthernet0/24
switchport access vlan 6
switchport mode access
switchport voice vlan 20
ip access-group webauth in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
spanning-tree portfast
end
The ACL's
Extended IP access list webauth
10 permit ip any any
Extended IP access list redirect
10 deny ip any host 172.22.2.38
20 permit tcp any any eq www
30 permit tcp any any eq 443
The ISE side configuration I follow it step by step...
When I conect the XP client, e see the following Autenthication session...
swlx0x0x#show authentication sessions interface fastEthernet 0/24
Interface: FastEthernet0/24
MAC Address: 0015.c549.5c99
IP Address: 172.22.3.184
User-Name: 00-15-C5-49-5C-99
Status: Authz Success
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC16011F000000490AC1A9E2
Acct Session ID: 0x00000077
Handle: 0xB7000049
Runnable methods list:
Method State
mab Authc Success
But there is no redirection, and I get the the following message on switch console:
756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
I have to mention I'm using an http proxy on port 8080...
Any Ideas on what is going wrong?
Regards
NunoOK, so I upgraded the IOS to version
SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
I tweak with ACL's to the following:
Extended IP access list redirect
10 permit ip any any (13 matches)
and created a DACL that is downloaded along with the authentication
Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
10 permit ip any any
I can see the epm session
swlx0x0x#show epm session ip 172.22.3.74
Admission feature: DOT1X
ACS ACL: xACSACLx-IP-redirect-4f743d58
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
And authentication
swlx0x0x#show authentication sessions interface fastEthernet 0/24
Interface: FastEthernet0/24
MAC Address: 0015.c549.5c99
IP Address: 172.22.3.74
User-Name: 00-15-C5-49-5C-99
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
ACS ACL: xACSACLx-IP-redirect-4f743d58
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC16011F000000160042BD98
Acct Session ID: 0x0000001B
Handle: 0x90000016
Runnable methods list:
Method State
mab Authc Success
on the logging, I get the following messages...
017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
What I'm I missing? -
ISE Web Authentication with Profile
Hi,
I'm using Web Authentication with Cisco ISE 1.2.1 without problems.
The Cisco ISE didn't find the endpoint in my internal endpoint store and continue with Web Authentication
But when I enable the PSN with the Profile Server, the Cisco ISE populate dynamically the internal endpoint store and I cannot use
the Web Authentication cause the endpoint is already in the internal endpoint store.
What's the better way to solve this problem ?
Thanks in Advanced
Andre Gustavo LomonacoHi Neno, let me clarify my question
I'm already using my internal endpoints to permit authenticate via MAB my IP Phones, Access Points and Printers. I'm using Profile to be able to populate this ISE internet database.
Now imagine that I wanna use the Web Authentication to permit authenticate guest workstations without 802.1x.If the profile put the guest workstation mac in the endpoints database, those workstation always will be authenticate using the MAC authentication and not the Web Authentication. Remember that for the Web authentication works we need to configure the continue options if the mac are not found in the endpoints database. But when the profile is on, the news (guest workstations) macs are inserted in endpoints database before I have chance to use the Web Authentication. -
Hi everyone, im having problems in a wireless network, the SSID has security layer 2 WPA, layer 3 web authentication (internal default page), and external RADIUS.
When a client makes a roaming from one AP to another one or when he has a idle time, he needs to re authenticate in the web login page. Somebody knows a solution to avoid this behavior?. Or somebody has a troubleshooting way to determine why the clients have this problems??A few things I can share that might help .. Your actually feet on the ground will be importnat to see this issue for yourself.
I know when a client or if the AP sends a DEAUTH frame the client will need to reestablish its connection and it will 100% of the time require a new web auth. If a client loses connection while roaming and a DEAUTH is sent on either side you will get the page. If youre client isnt romaing cleanly this can be a problem.
Another problem is your using EAP. Are you using CCK or a device that supports OKC. What does your radius server say when a client roams ?
You could also simply your config and then reapply your security and see where it breaks. By this I mean. For testing, create a SSID turn off security and leave layer 3 web auth on. Roam and see what happens. If it works, then start to apply the security and see where it breaks.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection." -
Web authentication with Radius server problem
Hello,
I'm having problem to web authenticate users via radius server for one WLC. Here is the outpu from WLC:
*emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created for mobile, length = 7
*emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created in mscb for mobile, length = 7
*aaaQueueReader: Mar 26 14:17:31.537: Unable to find requested user entry for aaaaaa
*aaaQueueReader: Mar 26 14:17:31.537: ReProcessAuthentication previous proto 8, next proto 1
*aaaQueueReader: Mar 26 14:17:31.537: AuthenticationRequest: 0x1e08eb94
*aaaQueueReader: Mar 26 14:17:31.538: Callback.....................................0x10908d90
*aaaQueueReader: Mar 26 14:17:31.538: protocolType.................................0x00000001
*aaaQueueReader: Mar 26 14:17:31.538: proxyState...................................20:7D:xx:xx:D8:F0-00:00
*aaaQueueReader: Mar 26 14:17:31.538: Packet contains 11 AVPs (not shown)
*aaaQueueReader: Mar 26 14:17:31.538: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*aaaQueueReader: Mar 26 14:17:31.538: 20:7d:xx:xx:d8:f0 Successful transmission of Authentication Packet (id 67) to 10.xx.33.249:1645, proxy state 20:7d:xx:xx:d8:f0-00:01
*aaaQueueReader: Mar 26 14:17:31.538: 00000000: 01 43 00 8c 48 7c a7 ff df 06 53 30 c0 be e1 8e .C..H|....S0....
*aaaQueueReader: Mar 26 14:17:31.538: 00000010: d7 fd 8b d3 01 09 73 65 66 72 73 76 65 02 12 7b ......aaaaaa..{
*aaaQueueReader: Mar 26 14:17:31.538: 00000020: ae 2e f5 eb fa cf f5 cc 3b 08 65 d7 04 0e ba 06 ........;.e.....
*aaaQueueReader: Mar 26 14:17:31.538: 00000030: 06 00 00 00 01 04 06 0a 2e 09 14 05 06 00 00 00 ................
*aaaQueueReader: Mar 26 14:17:31.538: 00000040: 0d 20 0d 73 65 76 73 74 2d 6c 77 63 31 30 3d 06 ...xxxxx-lwc10=.
*aaaQueueReader: Mar 26 14:17:31.538: 00000050: 00 00 00 13 1a 0c 00 00 37 63 01 06 00 00 00 01 ........7c......
*aaaQueueReader: Mar 26 14:17:31.538: 00000060: 1f 0e 31 39 32 2e 31 36 38 2e 31 2e 36 31 1e 0c ..192.168.1.61..
*aaaQueueReader: Mar 26 14:17:31.538: 00000070: 31 30 2e 34 36 2e 39 2e 32 30 50 12 95 11 7c d9 10.xx.9.20P...|.
*aaaQueueReader: Mar 26 14:17:31.538: 00000080: 75 8e 01 6e bf 62 38 f8 38 ab 68 4a u..n.b8.8.hJ
*radiusTransportThread: Mar 26 14:17:31.603: 00000000: 03 43 00 14 e5 8c e7 75 52 04 af e0 07 b7 fb 96 .C.....uR.......
*radiusTransportThread: Mar 26 14:17:31.603: 00000010: c1 4a fb 40 .J.@
*radiusTransportThread: Mar 26 14:17:31.603: ****Enter processIncomingMessages: response code=3
*radiusTransportThread: Mar 26 14:17:31.603: ****Enter processRadiusResponse: response code=3
*radiusTransportThread: Mar 26 14:17:31.603: 20:7d:xx:xx:d8:f0 Access-Reject received from RADIUS server 10.xx.33.249 for mobile 20:7d:xx:xx:d8:f0 receiveId = 0
*radiusTransportThread: Mar 26 14:17:31.603: ReProcessAuthentication previous proto 1, next proto 2
*radiusTransportThread: Mar 26 14:17:31.603: AuthenticationRequest: 0x1da9fa4c
*radiusTransportThread: Mar 26 14:17:31.603: Callback.....................................0x10908d90
*radiusTransportThread: Mar 26 14:17:31.603: protocolType.................................0x00000002
*radiusTransportThread: Mar 26 14:17:31.603: proxyState...................................20:7D:xx:xx:D8:F0-00:00
*radiusTransportThread: Mar 26 14:17:31.603: Packet contains 11 AVPs (not shown)
*radiusTransportThread: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Returning AAA Error 'No Server' (-7) for mobile 20:7d:xx:xx:d8:f0
*radiusTransportThread: Mar 26 14:17:31.605: AuthorizationResponse: 0x2dd03648
*radiusTransportThread: Mar 26 14:17:31.605: structureSize................................32
*radiusTransportThread: Mar 26 14:17:31.605: resultCode...................................-7
*radiusTransportThread: Mar 26 14:17:31.605: protocolUsed.................................0x00000002
*radiusTransportThread: Mar 26 14:17:31.605: proxyState...................................20:7D:xx:xx:D8:F0-00:00
*radiusTransportThread: Mar 26 14:17:31.605: Packet contains 0 AVPs:
*emWeb: Mar 26 14:17:31.605: Authentication failed for aaaaaa
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Username entry deleted for mobile
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Plumbing web-auth redirect rule due to user logout
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Deleting mobile policy rule 42461
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Adding Web RuleID 42464 for mobile 20:7d:xx:xx:d8:f0
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Web Authentication failure for station
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Reached ERROR: from line 5069
That was pretty clear for me that Radius is refusing to give user access.
Fully-Qualified-User-Name = NMEA\aaaaaa
NAS-IP-Address = 10.xx.9.20
NAS-Identifier = xxxxx-lwc10
Called-Station-Identifier = 10.xx.9.20
Calling-Station-Identifier = 192.168.1.61
Client-Friendly-Name = YYY10.xx
Client-IP-Address = 10.xx.9.20
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 13
Proxy-Policy-Name = Use Windows authentication forall users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = YYYYY Wireless Users
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy
That output is from WLC 5508 version 7.0.235
What is strange, that user was able to authenticate from other before refresh WLC 4402 ver 4.2.207. I cannot change WLC because of AP which cannot run old version.
this is output from working client connection from old WLC
NAS-IP-Address = 10.xx.9.13
NAS-Identifier = xxxxx-lwc03
Client-Friendly-Name = YYY10.46
Client-IP-Address = 10.xx.9.13
Calling-Station-Identifier = 192.168.19.246
NAS-Port-Type = <not present>
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = YYYYY Wireless Guest Access
Authentication-Type = PAP
EAP-Type = <undetermined>
I know there is different Policy Name used, but my question is why it is not using the same as on old WLC when configuration is same.
Is there any way I can force users to use different policy from WLC or AP configuration or is this solely configuration of Radius?
Is it maybe problem of version 7.0.235?
Any toughts would be much appriciated.Scott,
You are probably right. The condition that is checked for the first policy name (we have 2) is to match
NAS-Port-Type = Wireless - IEEE 802.11, and this is basically used to differentiate guests from other company users.
as you can see from the logs the one that is working correctly is not sending NAS-Port-Type. The question is why.
As I said before.
WLC 5508 ver. 7.0.235 is sending NAS-Port-Type
WLC 4402 ver. 4.2.207 is not.
The same user was working OK on 4402 WLC and after refresh and associating APs to 5508 it all broke, so client did not changed anything on adapter. -
Aironet 2702i Autonomous - Web-Authentication with Radius Window 2008
Hi Guys,
I have a problems with case, i have diagrams sample like then : AD(Win2008) - Radius(Win2008) - Aironet 2702i => Use methods Web-Auth for EndUser
This is my Configure file on Aironet 2702i
Aironet2702i#show run
Building configuration...
Current configuration : 8547 bytes
! Last configuration change at 05:08:25 +0700 Fri Oct 31 2014 by admin
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Aironet2702i
logging rate-limit console 9
aaa new-model
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login default local
aaa authentication login DTSGROUP group radius
aaa authentication login webauth group radius
aaa authentication login weblist group radius
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa session-id common
clock timezone +0700 7 0
no ip source-route
no ip cef
ip admission name webauth proxy http
ip admission name webauth method-list authentication weblist
no ip domain lookup
ip domain name dts.com.vn
dot11 syslog
dot11 activity-timeout unknown default 1000
dot11 activity-timeout client default 1000
dot11 activity-timeout repeater default 1000
dot11 activity-timeout workgroup-bridge default 1000
dot11 activity-timeout bridge default 1000
dot11 vlan-name DTSGroup vlan 46
dot11 vlan-name L6-Webauthen-test vlan 45
dot11 vlan-name NetworkL7 vlan 43
dot11 vlan-name SGCTT vlan 44
dot11 ssid DTS-Group
vlan 46
authentication open eap DTSGROUP
authentication key-management wpa version 2
mbssid guest-mode
dot11 ssid DTS-Group-Floor7
vlan 43
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 013D03104C0414040D4D5B5E392559
dot11 ssid L6-Webauthen-test
vlan 45
web-auth
authentication open
dot1x eap profile DTSGROUP
mbssid guest-mode
dot11 ssid SaigonCTT-Public
vlan 44
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 04480A0F082E424D1D0D4B141D06421224
dot11 arp-cache optional
dot11 adjacent-ap age-timeout 3
eap profile DTSGROUP
description testwebauth-radius
method peap
method mschapv2
method leap
username TRIHM privilege 15 secret 5 $1$y1J9$3CeHRHUzbO.b6EPBmNlFZ/
username ADMIN privilege 15 secret 5 $1$IvtF$EP6/9zsYgqthWqTyr.1FB0
ip ssh version 2
bridge irb
interface Dot11Radio0
no ip address
encryption vlan 44 mode ciphers aes-ccm
encryption vlan 46 mode ciphers aes-ccm
encryption mode ciphers aes-ccm
encryption vlan 43 mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
ssid DTS-Group
ssid DTS-Group-Floor7
ssid L6-Webauthen-test
ssid SaigonCTT-Public
countermeasure tkip hold-time 0
antenna gain 0
stbc
mbssid
packet retries 128 drop-packet
channel 2412
station-role root
rts threshold 2340
rts retries 128
ip admission webauth
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 subscriber-loop-control
bridge-group 43 spanning-disabled
bridge-group 43 block-unknown-source
no bridge-group 43 source-learning
no bridge-group 43 unicast-flooding
interface Dot11Radio0.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 subscriber-loop-control
bridge-group 44 spanning-disabled
bridge-group 44 block-unknown-source
no bridge-group 44 source-learning
no bridge-group 44 unicast-flooding
ip admission webauth
interface Dot11Radio0.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 subscriber-loop-control
bridge-group 45 spanning-disabled
bridge-group 45 block-unknown-source
no bridge-group 45 source-learning
no bridge-group 45 unicast-flooding
ip admission webauth
interface Dot11Radio0.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 subscriber-loop-control
bridge-group 46 spanning-disabled
bridge-group 46 block-unknown-source
no bridge-group 46 source-learning
no bridge-group 46 unicast-flooding
interface Dot11Radio1
no ip address
shutdown
encryption vlan 46 mode ciphers aes-ccm
encryption vlan 44 mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 43 mode ciphers aes-ccm
encryption vlan 45 mode ciphers ckip-cmic
ssid DTS-Group
ssid DTS-Group-Floor7
ssid SaigonCTT-Public
countermeasure tkip hold-time 0
antenna gain 0
peakdetect
dfs band 3 block
stbc
mbssid
packet retries 128 drop-packet
channel 5745
station-role root
rts threshold 2340
rts retries 128
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 subscriber-loop-control
bridge-group 43 spanning-disabled
bridge-group 43 block-unknown-source
no bridge-group 43 source-learning
no bridge-group 43 unicast-flooding
interface Dot11Radio1.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 subscriber-loop-control
bridge-group 44 spanning-disabled
bridge-group 44 block-unknown-source
no bridge-group 44 source-learning
no bridge-group 44 unicast-flooding
ip admission webauth
interface Dot11Radio1.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 subscriber-loop-control
bridge-group 45 spanning-disabled
bridge-group 45 block-unknown-source
no bridge-group 45 source-learning
no bridge-group 45 unicast-flooding
ip admission webauth
interface Dot11Radio1.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 subscriber-loop-control
bridge-group 46 spanning-disabled
bridge-group 46 block-unknown-source
no bridge-group 46 source-learning
no bridge-group 46 unicast-flooding
interface GigabitEthernet0
no ip address
duplex auto
speed auto
dot1x pae authenticator
dot1x authenticator eap profile DTSGROUP
dot1x supplicant eap profile DTSGROUP
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet0.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 spanning-disabled
no bridge-group 43 source-learning
interface GigabitEthernet0.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 spanning-disabled
no bridge-group 44 source-learning
interface GigabitEthernet0.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 spanning-disabled
no bridge-group 45 source-learning
interface GigabitEthernet0.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 spanning-disabled
no bridge-group 46 source-learning
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
interface GigabitEthernet1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet1.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 spanning-disabled
no bridge-group 43 source-learning
interface GigabitEthernet1.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 spanning-disabled
no bridge-group 44 source-learning
interface GigabitEthernet1.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 spanning-disabled
no bridge-group 45 source-learning
interface GigabitEthernet1.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 spanning-disabled
no bridge-group 46 source-learning
interface BVI1
mac-address 58f3.9ce0.8038
ip address 172.16.1.62 255.255.255.0
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius server 172.16.50.99
address ipv4 172.16.50.99 auth-port 1645 acct-port 1646
key 7 104A1D0A4B141D06421224
bridge 1 route ip
line con 0
logging synchronous
line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
transport input ssh
line vty 5 15
exec-timeout 0 0
privilege level 15
logging synchronous
transport input ssh
end
This is My Logfile on Radius Win 2008 :
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: S-1-5-21-858235673-3059293199-2272579369-1162
Account Name: xxxxxxxxxxxxxxxx
Account Domain: xxxxxxxxxxx
Fully Qualified Account Name: xxxxxxxxxxxxxxxxxxx
Client Machine:
Security ID: S-1-0-0
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: -
NAS:
NAS IPv4 Address: 172.16.1.62
NAS IPv6 Address: -
NAS Identifier: Aironet2702i
NAS Port-Type: Async
NAS Port: -
RADIUS Client:
Client Friendly Name: Aironet2702i
Client IP Address: 172.16.1.62
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: DTSWIRELESS
Authentication Provider: Windows
Authentication Server: xxxxxxxxxxxxxx
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
So i will explain problems what i have seen:
SSID: DTS-Group using authentication EAP with RADIUS and it working great (Authentication Type from Aironet to RADIUS is PEAP)
SSID:L6-Webauthen-test using web-auth and i had try to compare with RADIUS but ROOT CAUSE is AUTHENTICATION TYPE from Aironet to RADIUS default is PAP. (Reason Code : 66)
=> I had trying to find how to change Authentication Type of Web-Auth on Cisco Aironet from PAP to PEAP or sometime like that for combine with RADIUS.
Any idea or recommend for me ?
Thanks for see my caseHi Dhiresh Yadav,
Many thanks for your reply me,
I will explain again for clear my problems.
At this case, i had setup complete SSID DTS-Group use authentication with security as PEAP combine Radius Server running on Window 2008.
I had login SSID by Account create in AD => It's work okay with me. Done
Problems occurs when i try to use Web-authentication on Vlan45 With SSID :
dot11 ssid L6-Webauthen-test
vlan 45
web-auth
authentication open
dot1x eap profile DTSGROUP
mbssid guest-mode
After configured on Aironet and Window Radius , i had try to login with Account create in AD by WebBrowser but it Fail ( i have see mini popup said: Authentication Fail" . So i go to Radius Server and search log on EventViewer.
This is My Logfile on Radius Win 2008 :
Network Policy Server denied access to a user.
NAS:
NAS IPv4 Address: 172.16.1.62
NAS IPv6 Address: -
NAS Identifier: Aironet2702i
NAS Port-Type: Async
NAS Port: -
RADIUS Client:
Client Friendly Name: Aironet2702i
Client IP Address: 172.16.1.62
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: DTSWIRELESS
Authentication Provider: Windows
Authentication Server: xxxxxxxxxxxxxx
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
Im think ROOT CAUSE is :
PAP is the default authentication type for web-auth users on Aironet 2702i, so it can't combine with Radius Window 2008 because they just support PEAP (CHAPv1,CHAPv2....) => Please give me a tip how to change Authentication Type from PAP to PEAP for Web Authentication on Aironet -
Authentication with MS-IAS / AD
I'm trying to control the access of my LAN by authenticate user with EAP / MSIAS + AD.
The IAS denied the access with error 112: The remote RADIUS server did not process the authentication request.
I setup the IAS policy to answer with vendor specific 64:"VLAN", 65:802, 81:10
Is somebody already acheive to use MS-IAS Radius authentication with a Cisco switch 2960
Mon Jun 28 12:22:49 2010: <191>4105: Jun 28 12:22:49.122 UTC+1: RADIUS(00000098): Send Access-Request to 10.221.136.14:1645 id 1645/56, len 211
Mon Jun 28 12:22:49 2010: <191>4106: Jun 28 12:22:49.122 UTC+1: RADIUS: authenticator 91 EC 87 87 89 0E AF 79 - 76 CE 5A 61 ED 1A D7 AC
Mon Jun 28 12:22:49 2010: <191>4107: Jun 28 12:22:49.122 UTC+1: RADIUS: User-Name [1] 17 "EUROPE\ParisAdm"
Mon Jun 28 12:22:49 2010: <191>4108: Jun 28 12:22:49.122 UTC+1: RADIUS: Service-Type [6] 6 Framed [2]
Mon Jun 28 12:22:49 2010: <191>4109: Jun 28 12:22:49.122 UTC+1: RADIUS: Framed-MTU [12] 6 1500
Mon Jun 28 12:22:49 2010: <191>4110: Jun 28 12:22:49.122 UTC+1: RADIUS: Called-Station-Id [30] 19 "00-24-51-55-47-84"
Mon Jun 28 12:22:49 2010: <191>4111: Jun 28 12:22:49.122 UTC+1: RADIUS: Calling-Station-Id [31] 19 "00-14-22-BF-46-40"
Mon Jun 28 12:22:49 2010: <191>4112: Jun 28 12:22:49.122 UTC+1: RADIUS: EAP-Message [79] 22
Mon Jun 28 12:22:49 2010: <191>4113: Jun 28 12:22:49.122 UTC+1: RADIUS: 02 02 00 14 01 45 55 52 4F 50 45 5C 50 61 72 69 73 41 64 6D [ EUROPE\ParisAdm]
Mon Jun 28 12:22:49 2010: <191>4114: Jun 28 12:22:49.122 UTC+1: RADIUS: Message-Authenticato[80] 18
Mon Jun 28 12:22:49 2010: <191>4115: Jun 28 12:22:49.122 UTC+1: RADIUS: 27 E9 35 4C C3 69 99 B0 1B D9 3A 08 84 C0 71 E4 [ '5Li:q]
Mon Jun 28 12:22:49 2010: <191>4116: Jun 28 12:22:49.122 UTC+1: RADIUS: Vendor, Cisco [26] 49
Mon Jun 28 12:22:49 2010: <191>4117: Jun 28 12:22:49.122 UTC+1: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A8FE030000006B13A4833C"
Mon Jun 28 12:22:49 2010: <191>4118: Jun 28 12:22:49.122 UTC+1: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Mon Jun 28 12:22:49 2010: <191>4119: Jun 28 12:22:49.122 UTC+1: RADIUS: NAS-Port [5] 6 50004
Mon Jun 28 12:22:49 2010: <191>4120: Jun 28 12:22:49.122 UTC+1: RADIUS: NAS-Port-Id [87] 17 "FastEthernet0/4"
Mon Jun 28 12:22:49 2010: <191>4121: Jun 28 12:22:49.122 UTC+1: RADIUS: NAS-IP-Address [4] 6 192.168.254.3
Mon Jun 28 12:22:50 2010: <191>4122: Jun 28 12:22:49.206 UTC+1: RADIUS: Received from id 1645/56 10.221.136.14:1645, Access-Reject, len 20
Mon Jun 28 12:22:50 2010: <191>4123: Jun 28 12:22:49.206 UTC+1: RADIUS: authenticator CC 28 1A 22 28 32 F2 27 - 79 1F 2B 01 32 C5 AD BC
Mon Jun 28 12:22:50 2010: <191>4124: Jun 28 12:22:49.206 UTC+1: RADIUS(00000098): Received from id 1645/56
Mon Jun 28 12:22:52 2010: <187>4125: Jun 28 12:22:50.842 UTC+1: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
Thx for your help
PascalYou need to have 3 policies create in IAS. Each will define the ssid and the AD group the user belongs to. So on the wlc, do you have 3 ssids and each has it own vlan?
Sent from Cisco Technical Support iPad App -
WISM Web Authentication against MS IAS
Does anybody know if Radius Web auth is supported with MS IAS radius server or is it working with cisco ACS only ?
ThanksI've just readed in a previous post that the service-type must be login instead of framed in the remote access policies.
That was my issue with IAS
Thanks -
Cisco AAA authentication with windows radius server
Cisco - Windows Radius problems
I need to created a limited access group through radius that I can have new network analysts log into
and not be able to commit changes or get into global config.
Here are my current radius settings
aaa new-model
aaa group server radius IAS
server name something.corp
aaa authentication login USERS local group IAS
aaa authorization exec USERS local group IAS
radius server something.corp
address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
key mypassword
line vty 0 4
access-class 1 in
exec-timeout 0 0
authorization exec USERS
logging synchronous
login authentication USERS
transport input ssh
When I log in to the switch, the radius server is passing the corrrect attriubute
***Jan 21 13:59:51.897: RADIUS: Cisco AVpair [1] 18 "shell:priv-lvl=7"
The switch is accepting it and putting you in the correct priv level.
***Radius-Test#sh priv
Current privilege level is 7
I am not sure why it logs you in with the prompt for privileged EXEC mode when
you are in priv level 7. This shows that even though it looks like your in priv exec
mode, you are not.
***Radius-Test#sh run
^
% Invalid input detected at '^' marker.
Radius-Test#
Now this is where I am very lost.
I am in priv level 7, but as soon as I use the enable command It moves me up to 15, and that gives me access to
global config mode.
***Radius-Test#enable
Radius-Test#
Debug log -
Jan 21 14:06:28.689: AAA/MEMORY: free_user (0x2B46E268) user='reynni10'
ruser='NULL' port='tty390' rem_addr='10.100.158.83' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
Now it doesnt matter that I was given priv level 7 by radius because 'enable' put me into priv 15
***Radius-Test#sh priv
Current privilege level is 15
Radius-Test#
I have tried to set
***privilege exec level 15 enable
It works and I am no longer able to use 'enable' when I am at prv level 7, but I also cannot get the commands they will need to work.
Even if I try to do
***privilege exec level 7 show running-config (or other variations)
It will allow you to type sh run without errors, but it doest actually run the command.
What am I doing wrong?
I also want to get PKI working with radius.I can run a test on my radius system, will report back accordingly, as it's a different server than where I am currently located.
Troubleshooting, have you deleted the certificate/network profile on the devices and started from scratch? -
Issue of deploying a fusion Web Application with integrated Weblogic server
Hi,
i'm using Jdev 11.1.1.3.0 to develop a fusion web application, with a model and ViewController Projects.
When i try to deploy this application with the integrated server, i have any issues.
The origin seems to be that it builds an application with 3 profiles. The model application is recognized and deployed as a webapp and not an ADF library as it should be..
[11:00:45 PM] Retrieving existing application information
[11:00:45 PM] Running dependency analysis...
[11:00:45 PM] Deploying 3 profiles...
[11:00:46 PM] Wrote Web Application Module to /home/david/.jdeveloper/system11.1.1.3.37.56.60/o.j2ee/drs/easygestionV2.0/ViewControllerWebApp.war
*[11:00:48 PM] Wrote Web Application Module to /home/david/.jdeveloper/system11.1.1.3.37.56.60/o.j2ee/drs/easygestionV2.0/ModelWebApp.war*
[11:00:48 PM] Wrote Enterprise Application Module to /home/david/.jdeveloper/system11.1.1.3.37.56.60/o.j2ee/drs/easygestionV2.0
[11:00:48 PM] Deploying Application...
<27 déc. 2010 23 h 00 CET> <Warning> <J2EE> <BEA-160195> <The application version lifecycle event listener oracle.security.jps.wls.listeners.JpsAppVersionLifecycleListener is ignored because the application easygestionV2.0 is not versioned.>
<JpsDstCredential><setCredential> Impossible de migrer le dossier/la clé d'informations d'identification et de connexion ADF/anonymous#easygesprod. Raison : oracle.security.jps.service.credstore.CredentialAlreadyExistsException: JPS-01007: Les informations d'identification et de connexion avec la correspondance ADF et la clé anonymous#easygesprod existent déjà..
<TrinidadFilter><init>
java.lang.IllegalStateException: Application was not properly initialized at startup, could not find Factory: javax.faces.application.ApplicationFactory
at javax.faces.FactoryFinder$FactoryManager.getFactory(FactoryFinder.java:725)
at javax.faces.FactoryFinder.getFactory(FactoryFinder.java:239)
at oracle.adfinternal.view.faces.util.rich.ConverterValidatorRegistrationUtils.register(ConverterValidatorRegistrationUtils.java:36)
at oracle.adfinternal.view.faces.config.rich.RegistrationConfigurator.init(RegistrationConfigurator.java:79)
at org.apache.myfaces.trinidadinternal.config.GlobalConfiguratorImpl.init(GlobalConfiguratorImpl.java:400)
at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.init(RegistrationFilter.java:53)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.init(TrinidadFilterImpl.java:103)
at org.apache.myfaces.trinidad.webapp.TrinidadFilter.init(TrinidadFilter.java:54)
at weblogic.servlet.internal.FilterManager$FilterInitAction.run(FilterManager.java:332)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.servlet.internal.FilterManager.loadFilter(FilterManager.java:98)
at weblogic.servlet.internal.FilterManager.preloadFilters(FilterManager.java:59)
at weblogic.servlet.internal.WebAppServletContext.preloadResources(WebAppServletContext.java:1867)
at weblogic.servlet.internal.WebAppServletContext.start(WebAppServletContext.java:3126)
at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1512)
at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:486)
at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
at weblogic.application.internal.flow.ScopedModuleDriver.start(ScopedModuleDriver.java:200)
at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:247)
at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:27)
at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:1267)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:409)
at weblogic.application.internal.EarDeployment.activate(EarDeployment.java:58)
at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:161)
at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
at weblogic.deploy.internal.targetserver.operations.AbstractOperation.activate(AbstractOperation.java:569)
at weblogic.deploy.internal.targetserver.operations.ActivateOperation.activateDeployment(ActivateOperation.java:150)
at weblogic.deploy.internal.targetserver.operations.ActivateOperation.doCommit(ActivateOperation.java:116)
at weblogic.deploy.internal.targetserver.operations.AbstractOperation.commit(AbstractOperation.java:323)
at weblogic.deploy.internal.targetserver.DeploymentManager.handleDeploymentCommit(DeploymentManager.java:844)
at weblogic.deploy.internal.targetserver.DeploymentManager.activateDeploymentList(DeploymentManager.java:1253)
at weblogic.deploy.internal.targetserver.DeploymentManager.handleCommit(DeploymentManager.java:440)
at weblogic.deploy.internal.targetserver.DeploymentServiceDispatcher.commit(DeploymentServiceDispatcher.java:163)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doCommitCallback(DeploymentReceiverCallbackDeliverer.java:195)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.access$100(DeploymentReceiverCallbackDeliverer.java:13)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer$2.run(DeploymentReceiverCallbackDeliverer.java:68)
at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
How can i fix the model project to be deployed as an ADf library and not a webapp with the integrated weblogic server ? Because with me it doesn't do it by itself.
Thanks a lot for helpduplicate to Issue of deploying a fusion Web Application with integrated Weblogic server
-
Wirelss AP1140 Radius authentication with Microsoft IAS
Hi,
I have a Cisco C1140 Ap. I have cnfigured the device. Initially for testing i used WPA and authenticated locally. I have now setup a radius server and added my AP in as a client etc. I have changed my SSID's to authenticate with the radius server and i am having issues authenticating.
I can connect via a PC and an iphone. They say that i am connected but i get no ip address and the debugs state that the authentication fails:
000466: Sep 5 14:33:07.074 AEST: %DOT11-7-AUTH_FAILED: Station 40a6.d967.8b13 Authentication failed
000467: Sep 5 14:33:28.368 AEST: %DOT11-7-AUTH_FAILED: Station bc77.3771.b15f Authentication failed
000468: Sep 5 14:33:39.837 AEST: %DOT11-7-AUTH_FAILED: Station 40a6.d967.8b13 Authentication failed
I can see the Radius server as connected
imc-syd-ap1#show aaa servers
RADIUS: id 4, priority 1, host 10.10.0.2, auth-port 1645, acct-port 1646
State: current UP, duration 4337s, previous duration 0s
Dead: total time 0s, count 0
Authen: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Author: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Account: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Elapsed time since counters last cleared: 1h12m
The debugs show:
000474: Sep 5 14:36:00.969 AEST: %DOT11-7-AUTH_FAILED: Station bc77.3771.b15f Authentication failed
000475: Sep 5 14:36:01.485 AEST: AAA/BIND(00000109
show dot11 associations:
imc-syd-ap1#show dot11 associations
802.11 Client Stations on Dot11Radio0:
SSID [IMC-Wireless-Data] :
MAC Address IP address Device Name Parent State
bc77.3771.b15f 0.0.0.0 ccx-client DAVID self AAA_Auth
Any ideas or recomendations would be greatly appreciated
Thanks
Below is a copy of my wireless config:
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname xxxxxxxxxxxxxx
logging buffered 40960 debugging
enable secret 5 xxxxxxxxxxxxx
aaa new-model
aaa group server tacacs+ IMC
server 172.16.100.3
aaa group server radius AUTHVPN
server 10.10.0.2 auth-port 1645 acct-port 1646
server 10.11.0.24 auth-port 1645 acct-port 1646
aaa authentication login default group IMC local enable
aaa authorization exec default group IMC local if-authenticated
aaa session-id common
clock timezone AEST 10
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
no ip domain lookup
ip domain name imc.net.au
dot11 syslog
dot11 ssid IMC-Wireless-Data
vlan 10
authentication open eap AUTHVPN
authentication network-eap AUTHVPN
guest-mode
mbssid guest-mode
infrastructure-ssid optional
information-element ssidl
dot11 ssid IMC-Wireless-Voice
vlan 14
authentication open eap AUTHVPN
authentication network-eap AUTHVPN
mbssid guest-mode
information-element ssidl
dot11 aaa authentication attributes service login-only
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode wep mandatory
ssid IMC-Wireless-Data
ssid IMC-Wireless-Voice
antenna gain 0
mbssid
station-role root
interface Dot11Radio0.10
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.14
encapsulation dot1Q 14
no ip route-cache
bridge-group 14
bridge-group 14 subscriber-loop-control
bridge-group 14 block-unknown-source
no bridge-group 14 source-learning
no bridge-group 14 unicast-flooding
bridge-group 14 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
encryption mode wep mandatory
ssid IMC-Wireless-Data
ssid IMC-Wireless-Voice
antenna gain 0
no dfs band block
mbssid
channel dfs
station-role root
interface Dot11Radio1.10
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1.14
encapsulation dot1Q 14
no ip route-cache
bridge-group 14
bridge-group 14 subscriber-loop-control
bridge-group 14 block-unknown-source
no bridge-group 14 source-learning
no bridge-group 14 unicast-flooding
bridge-group 14 spanning-disabled
interface GigabitEthernet0
description IMC-Wireless-Data
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
interface GigabitEthernet0.10
description IMC-Wireless-Data
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface GigabitEthernet0.14
description IMC-Wireless-Voice
encapsulation dot1Q 14
no ip route-cache
bridge-group 14
no bridge-group 14 source-learning
bridge-group 14 spanning-disabled
interface BVI1
description IMC-Wireless-Data
ip address 10.10.0.245 255.255.255.0
no ip route-cache
ip default-gateway 10.10.0.254
ip http server
ip http authentication local
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 111 permit tcp any any eq telnet
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 22
snmp-server community public RO
snmp-server enable traps tty
tacacs-server host 172.16.100.3 key 7 xxxxxxxxxxxxxxxxxxx
tacacs-server directed-request
radius-server host 10.10.0.2 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxx
bridge 1 route ip
wlccp wds aaa authentication attributes service login-only
line con 0
line vty 0 4
access-class 111 in
exec-timeout 5 0
line vty 5 15
access-class 111 in
exec-timeout 5 0
sntp server 10.10.0.254
endInside the ssid, when you put "authentication open" it's an eap_method that follows. You put your AUTHVPN aaa server group name. that's wrong.
aaa authentication login group AUTHVPN
and adjust your "authentication open eap " to match with that method name.
Also your group authvpn contains a 2nd server that is undefined in yoru global config ...
Nicolas -
Ciosco WLC Web Authentication with Internet Explorer 10
Hi my name is Ivan
I have a question:
Cisco WLC Web Authentication woks fine with Internet Explorer 10. I have worked with Chrome, Mozilla, IE 7 and I don't have any trouble.
When i put the ip address https://1.1.1.1/login, the web page show me.
Thanks for your answers
RegardsHUmm Im a mac guy hard for me to test. I also did a search and dont see anything about bugs. Did you make any chnages to IE10 settings ? Is proxy enabled ?
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection." -
Web Authentication with RSA SecureID on a Cisco Switch
Hi,
I've recently been looking into linking in our Cisco 2960S Gb Switch with RSA SecureID via Radius
I've already managed to link it in for ssh access
but I've not managed to get it working for http / web access to the switch
I think this is because we're using "single use" tokens for maximum security with RSA SecureID
and the web interface attempts to authenticate multiple times against the Radius part of the RSA SecureID server
(okay on the first authentication, but each time after it's going to want a different token code)
I was wondering if anyone knew a way around this? (if there's a way to get the switch to just authenticate once instead of multiple times against the radius server)
For info the switch is a WS-C2960S-24TS-L with IOS 15.0(1)SE2Hello Chris,
Can you test the following configuration?
aaa group server radius webtac_grp
server
cache expiry 1
cache authorization profile httpauth
cache authentication profile httpauth
aaa authentication login httpauth cache webtac_grp group webtac_grp
aaa authorization exec httpauth cache webtac_grp group webtac_grp
aaa authorization network httpauth cache webtac_grp group webtac_grp
aaa cache profile httpauth
all
ip http server
ip http authentication aaa login-authentication httpauth
ip http authentication aaa exec-authorization httpauth
radius-server host key ******
I know for sure the above configuration works when using TACACS+ instead of RADIUS in order to avoid the multiple prompts due to the JAVA Applets authentication when accessing the IOS GUI. I have not tested it against RSA acting as backend Authentication server.
NOTE: As "aaa authorization exec" is configured the RSA should be sending Attribute Service-Type with value Administrative for it to work as expected.
If this was helpful please rate.
Regards. -
Authentication with Windows 2003 server
Hi there,
I am looking for achieve this task. I would like to know How I could authenticate users accesing by my wireless network? I mean in windows 2003 server. They must type their username and password. I want to restricted users which are not on the list to access by my wireless network. I know that in windows 2000 I could use radius server. Could I use it here?.
Also, I guess that I have to allow these "new users" in AD.
I am looking forward to read helpfull information here and of course I will give it a rate (points)
Any ideas are welcome.
Thanks
WladimirSame thing for 2003, it is called IAS (Internet Authentication Service).
http://www.microsoft.com/technet/network/ias/default.mspx
Basically you will set up IAS with a RADIUS Client which would be your wireless access point(s). Then you will set up a remote access policy which will define how connections are authorized or rejected (windows groups, protocols etc.). Don't forget to register IAS with active directory. -
Web Services with Sun App Server
We are load testing a simple web service running in SJSAS 8.0 Standard. With 1 or 2 users concurrent it seems OK, but once we move up to 5 concurrent users calling the WS, the domain in SJSAS crashes.
Does anyone have experience or information regarding the app server and load with web services? Are there some config options that we can tweak? Are there any numbers out there about how many simultaneous connections the server can handle?
A final note, things seem fine if we are just serving a simple web page from the server, its only when we try to call a WS that we run into these performance issues.
Thanks.Are you connecting to any external resource using JNDI by any chance? If you're using Unix, check the number of file descriptors being opened on the Sun App server. "new dirContext(env)" creates OS file descriptors each time it's invoked (calling the web service for example).
use
$ps -ax
get the process number of sjas and try issuing a:
lsof -p <sjas_process_number> |wc -l
and keep invoking the web service. If this number keeps increasing then you've an "fd" leak (perhaps not closing the dirContext). Linux for example has a default max file limit of 1024 under "root" user and when depleted, sjas will hang.
Could this be the problem?
Cheers
Steve
Maybe you are looking for
-
I was running firefox on a desktop. The hard drive became unusable as the primary drive, either due to a software installation that left the operating system unstable or malware or both. The hard drive has been cleaned of malware, but was replaced by
-
System session variable ':GROUP'
Dear Friends, I am having an issue with retrieving a value for the reserved system session variable :GROUP IN OBIEE 11.1.1.5 From what I've read in the other posts I should be able to use :GROUP variable after where clause, and if there is more than
-
Connecting Airport to AT&t 2wire residential gateway
Has anyone found an easy solution to this problem?
-
Compaq Presario 2132RS: Conexant AC-Link Audio - no sound
I am desperate about this: the sound disappeared first with flash applications, then it disappeared at all. I tried to re-install drivers for the Conexant AC-Link Audio, all is fine - with no conflicts, but in the Sound and Audio Devices window it sa
-
Costing for material for which no accounting document generated
Dear Gurus, I want to have the cost of raw water used in manufacturing product X to flow in the cost of product X. But the raw water should not be posted to FI. The cost of raw water should come in the standard cost estimate as also in the process or