Web Authentication with RSA SecurID on a Cisco Switch
Hi,
I've recently been looking into linking our Cisco 2960S Gb switch to RSA SecurID via RADIUS.
I've already managed to get it working for SSH access,
but I've not managed to get it working for HTTP / web access to the switch.
I think this is because we're using "single use" tokens for maximum security with RSA SecurID,
and the web interface attempts to authenticate multiple times against the RADIUS part of the RSA SecurID server
(okay on the first authentication, but each time after that it's going to want a different token code).
I was wondering if anyone knew a way around this? (Is there a way to get the switch to authenticate just once instead of multiple times against the RADIUS server?)
For info, the switch is a WS-C2960S-24TS-L with IOS 15.0(1)SE2.
Hello Chris,
Can you test the following configuration?
aaa group server radius webtac_grp
server
cache expiry 1
cache authorization profile httpauth
cache authentication profile httpauth
aaa authentication login httpauth cache webtac_grp group webtac_grp
aaa authorization exec httpauth cache webtac_grp group webtac_grp
aaa authorization network httpauth cache webtac_grp group webtac_grp
aaa cache profile httpauth
all
ip http server
ip http authentication aaa login-authentication httpauth
ip http authentication aaa exec-authorization httpauth
radius-server host key ******
I know for sure the above configuration works when using TACACS+ instead of RADIUS to avoid the multiple prompts caused by the Java applet authentication when accessing the IOS GUI. I have not tested it against RSA acting as the backend authentication server.
NOTE: As "aaa authorization exec" is configured, the RSA server should be sending the attribute Service-Type with value Administrative for it to work as expected.
If this was helpful please rate.
Regards.
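The configuration above works by consulting a local authentication cache before the RADIUS group, so the several requests the Java applet makes reuse one result instead of each consuming a fresh token. The Python simulation below is an added example, not code from the thread or from Cisco IOS: a constructed one-time-token backend that accepts each passcode exactly once, and a cache layer modelled on `cache expiry` plus `aaa authentication login ... cache <grp> group <grp>`. Whether IOS compares the cached credential with the one presented is an assumption made here (the simulation does), and the expiry is in seconds only for the sake of the simulation.

```python
import time
from typing import Callable, Dict, Set, Tuple


class FakeClock:
    """Deterministic clock so the expiry behaviour can be demonstrated offline."""
    def __init__(self) -> None:
        self.now = 1000.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class OneTimeTokenBackend:
    """Constructed stand-in for the RADIUS/SecurID server: every passcode is valid exactly once."""
    def __init__(self, passcodes: Dict[str, Set[str]]) -> None:
        self._unused = {user: set(codes) for user, codes in passcodes.items()}
        self.requests = 0  # how many times the NAS actually asked the server

    def authenticate(self, user: str, passcode: str) -> bool:
        self.requests += 1
        unused = self._unused.get(user, set())
        if passcode in unused:
            unused.discard(passcode)  # single use: a replay of the same code is rejected
            return True
        return False


class CachedAuthenticator:
    """Models the 'cache <grp> group <grp>' method order: serve from cache, else ask the server."""
    def __init__(self, backend: OneTimeTokenBackend, expiry_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._backend = backend
        self._expiry = expiry_seconds
        self._clock = clock
        self._entries: Dict[str, Tuple[str, float]] = {}  # user -> (credential, expires_at)

    def authenticate(self, user: str, passcode: str) -> bool:
        now = self._clock()
        cached = self._entries.get(user)
        if cached is not None:
            cached_code, expires_at = cached
            if now < expires_at and cached_code == passcode:
                return True  # cache hit: the token server is not contacted again
            if now >= expires_at:
                del self._entries[user]  # stale entry, fall through to the server
        ok = self._backend.authenticate(user, passcode)
        if ok:
            self._entries[user] = (passcode, now + self._expiry)
        return ok


def simulate(use_cache: bool, requests: int = 3, expiry_seconds: float = 60.0) -> Tuple[int, int]:
    """Replays the web interface authenticating `requests` times with one token.
    Returns (successful logins, requests that reached the token server)."""
    clock = FakeClock()
    backend = OneTimeTokenBackend({"chris": {"123456"}})  # constructed user and passcode
    auth = CachedAuthenticator(backend, expiry_seconds, clock) if use_cache else backend
    successes = sum(auth.authenticate("chris", "123456") for _ in range(requests))
    return successes, backend.requests


def expiry_behaviour(expiry_seconds: float = 60.0) -> Dict[str, object]:
    """After the cache entry expires the old code is dead; only a fresh token gets the user in."""
    clock = FakeClock()
    backend = OneTimeTokenBackend({"chris": {"123456", "654321"}})
    auth = CachedAuthenticator(backend, expiry_seconds, clock)
    first = auth.authenticate("chris", "123456")   # server consulted, token consumed, result cached
    clock.advance(expiry_seconds + 1)
    reused = auth.authenticate("chris", "123456")  # entry expired; server rejects the used code
    fresh = auth.authenticate("chris", "654321")   # next code from the token is accepted
    return {"first": first, "reused_after_expiry": reused,
            "fresh_token": fresh, "backend_requests": backend.requests}


if __name__ == "__main__":
    print("without cache:", simulate(False))  # (1, 3): only the first applet request succeeds
    print("with cache:   ", simulate(True))   # (3, 1): one server round trip serves all three
    print(expiry_behaviour())
```

The caveat the simulation makes visible: once the cache entry has expired, the code that was cached is already spent on the token server, so the next login needs the next passcode from the token; the expiry therefore has to be long enough to cover a GUI session but no longer than the risk of a reused credential is acceptable.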
Similar Messages
-
ISE Web Authentication with Profile
Hi,
I'm using Web Authentication with Cisco ISE 1.2.1 without problems.
Cisco ISE doesn't find the endpoint in my internal endpoint store and continues with Web Authentication.
But when I enable the Profile Server on the PSN, Cisco ISE populates the internal endpoint store dynamically and I cannot use
Web Authentication because the endpoint is already in the internal endpoint store.
What's the best way to solve this problem?
Thanks in advance
Andre Gustavo Lomonaco
Hi Neno, let me clarify my question.
I'm already using my internal endpoints to allow my IP Phones, Access Points and Printers to authenticate via MAB. I'm using the Profile service to populate this ISE internal database.
Now imagine that I want to use Web Authentication to allow guest workstations without 802.1X to authenticate. If the profiler puts the guest workstation MAC in the endpoints database, those workstations will always be authenticated using MAC authentication and not Web Authentication. Remember that for Web Authentication to work we need to configure the continue option if the MAC is not found in the endpoints database. But when the profiler is on, the new (guest workstation) MACs are inserted in the endpoints database before I have a chance to use Web Authentication. -
Not working - central web-authentication with a switch and Identity Service Engine
Following up on the document "Configuration example: central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis: since the redirection on the switch is not working, I'm asking for your help...
I'm using ISE version 1.0.4.573 and a WS-C2960-24PC-L with software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
The interface configuration looks like this:
interface FastEthernet0/24
switchport access vlan 6
switchport mode access
switchport voice vlan 20
ip access-group webauth in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
spanning-tree portfast
end
The ACLs:
Extended IP access list webauth
10 permit ip any any
Extended IP access list redirect
10 deny ip any host 172.22.2.38
20 permit tcp any any eq www
30 permit tcp any any eq 443
The ISE side configuration I followed step by step...
When I connect the XP client, I see the following authentication session...
swlx0x0x#show authentication sessions interface fastEthernet 0/24
Interface: FastEthernet0/24
MAC Address: 0015.c549.5c99
IP Address: 172.22.3.184
User-Name: 00-15-C5-49-5C-99
Status: Authz Success
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC16011F000000490AC1A9E2
Acct Session ID: 0x00000077
Handle: 0xB7000049
Runnable methods list:
Method State
mab Authc Success
But there is no redirection, and I get the following message on the switch console:
756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
I have to mention I'm using an HTTP proxy on port 8080...
Any ideas on what is going wrong?
Regards
Nuno
OK, so I upgraded the IOS to version
SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
I tweaked the ACLs to the following:
Extended IP access list redirect
10 permit ip any any (13 matches)
and created a DACL that is downloaded along with the authentication:
Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
10 permit ip any any
I can see the EPM session:
swlx0x0x#show epm session ip 172.22.3.74
Admission feature: DOT1X
ACS ACL: xACSACLx-IP-redirect-4f743d58
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
And the authentication:
swlx0x0x#show authentication sessions interface fastEthernet 0/24
Interface: FastEthernet0/24
MAC Address: 0015.c549.5c99
IP Address: 172.22.3.74
User-Name: 00-15-C5-49-5C-99
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
ACS ACL: xACSACLx-IP-redirect-4f743d58
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC16011F000000160042BD98
Acct Session ID: 0x0000001B
Handle: 0x90000016
Runnable methods list:
Method State
mab Authc Success
In the logging, I get the following messages...
017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
What am I missing? -
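The `redirect` ACL decides which flows the switch hands to the URL-redirect logic: `permit` entries select traffic for redirection, `deny` entries exclude it (here, traffic to the ISE node itself, so the portal stays reachable), and anything unmatched falls off the end and is not redirected. The Python evaluator below is an added example, not code from the thread or from Cisco IOS: it parses the two `show` outputs quoted above and classifies constructed packets from the client 172.22.3.184 against them, using the ISE address from the page and a constructed proxy address of 192.0.2.10. The debug line `Not an HTTP(s) packet` records a separate check by the redirect code that the ACL match does not control, so the evaluator only reports what the ACL itself selects.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "https": 443}  # IOS keywords as they appear in the ACL output above

# Copied from the thread's 'show ip access-lists' output (first attempt).
REDIRECT_ACL = """
Extended IP access list redirect
10 deny ip any host 172.22.2.38
20 permit tcp any any eq www
30 permit tcp any any eq 443
"""

# The loosened version from the follow-up post (hit counter included as printed).
PERMIT_ALL_ACL = """
Extended IP access list redirect
10 permit ip any any (13 matches)
"""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", ...
    dport: Optional[int]  # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str           # "permit" selects for redirect, "deny" excludes
    proto: str            # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_target(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consumes 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' and returns the remaining tokens."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wildcard = int(ipaddress.ip_address(tokens[1]))
    netmask = str(ipaddress.ip_address((~wildcard) & 0xFFFFFFFF))
    return ipaddress.ip_network((tokens[0], netmask), strict=False), tokens[2:]


def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue  # skip the 'Extended IP access list ...' header
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        src, rest = _parse_target(tokens[3:])
        dst, rest = _parse_target(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.append(Rule(seq, action, proto, src, dst, dport))  # trailing '(n matches)' ignored
    return rules


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[bool, Optional[int]]:
    """First match wins. Returns (selected_for_redirect, sequence number of the deciding entry);
    a packet matching nothing is (False, None), the implicit deny at the end of the ACL."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action == "permit", rule.seq
    return False, None


CLIENT, ISE, PROXY = "172.22.3.184", "172.22.2.38", "192.0.2.10"  # PROXY is constructed
SAMPLE_PACKETS = {
    "web via proxy:8080": Packet(CLIENT, PROXY, "tcp", 8080),
    "direct http":        Packet(CLIENT, "198.51.100.7", "tcp", 80),
    "direct https":       Packet(CLIENT, "198.51.100.7", "tcp", 443),
    "portal on ISE:8443": Packet(CLIENT, ISE, "tcp", 8443),
    "dns":                Packet(CLIENT, "172.22.2.1", "udp", 53),
}


def classify(acl_text: str) -> dict:
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("original redirect ACL", REDIRECT_ACL), ("permit-any ACL", PERMIT_ALL_ACL)):
        print(label)
        for name, (redirect, seq) in classify(acl).items():
            print(f"  {name:20s} redirect={redirect!s:5s} entry={seq}")
```

With the original ACL, a browser that sends everything to a proxy on 8080 never matches entries 20 or 30, so the ACL alone would not select that flow; with `permit ip any any` every flow, including the one to the ISE portal, is selected, which is why a deny for the ISE host is normally kept in front of the permits.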
Web Authentication with MS IAS Server
I'm trying to configure my 2106 WLC to authenticate with an MS IAS Radius Server. I had this working, but my boss did not want to do any configuration on the client side and now wants to do all authentication through Web authentication with the Radius server. The wireless client connects and is redirected to the login page like they're supposed to, but when I enter my credentials the login fails. However, if I enter the login of a local user to the controller the authentication works.
I see in the logs the following error: AAA Authentication Failure for UserName:chevym User Type: WLAN USER. The authentication is reaching the server too, but the logs don't tell you much.
Here is what is in the server logs: 192.168.0.77,chevym,07/29/2008,05:58:16,IAS,TESTLAB1,25,311 1 192.168.0.221 07/28/2008 17:27:10 48,4127,2,4130,TESTLAB\chevym,4129,TESTLAB\chevym,4154,Use Windows authentication for all users,4155,1,4128,Wireless LAN Controller,4116,9,4108,192.168.0.77,4136,3,4142,19
I don't really understand any of that and I'm not really sure if I have the server itself configured correctly for what I want to do. Does anyone have instructions on how to do this?
I had another thread going on this, but since it appears to be an IAS problem, I've been posting on the MS forum instead of here.
I'm trying to set up wireless laptop-WLC-IAS authentication using PEAP.
The machine authenticates on boot, but any login by any user results in this message in the Windows Event log on the IAS server:
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 9/3/2008
Time: 11:00:55 PM
User: N/A
Computer: DC1
Description:
User SCOTRNCPQ003.scdl.local was denied access.
Fully-Qualified-User-Name = SCDL\SCOTRNCPQ003.scdl.local
NAS-IP-Address = 10.10.10.10
NAS-Identifier = scohc0ciswlc
Called-Station-Identifier = 00-21-55-C0-7D-70:Domain Staff
Calling-Station-Identifier = 00-90-4B-4C-92-B7
Client-Friendly-Name = WLAN Controller
Client-IP-Address = 10.10.10.10
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 29
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name =
Authentication-Type = EAP
EAP-Type =
Reason-Code = 8
Reason = The specified user account does not exist.
The policy is the default connection policy created when installing IAS.
In ADUC, I've tried setting both the machine and users Dial-In properties to Allow Access or Control through policy, with the same result.
I've gone through the policy and there isn't anything there, other than the Day-Time rule which is set to allow access for all hours of the whole day, every day.
In the last few days, I've read about the Ignore User Dial In properties, but can't find where/how you set this.
It sounded to me as if this had been resolved in this thread, so I wanted to know how this had been accomplished. -
TACACS+ access issue with ASA firewall after integrating with RSA SecurID
Hi,
In my earlier post I raised the same question, but let me rephrase it. I have configured TACACS+ on a Cisco ASA firewall and am able to access it. But when I integrated it with RSA SecurID, I am not able to enter enable mode. It is not accepting the enable password nor the RSA passcode. I have created enable_15 in the ASA, ACS and RSA server but no luck.
Did anyone face a similar issue with ASA access?
Rgds
Siddhesh
Hi Siddesh,
In order to help you here, I need to know a few things:
1.] Show run | in aaa
2.] When you enter the enable password on the ASA CLI, what error do you see under ACS > Monitoring and Reports > AAA Protocols > TACACS Authentication? (Look for the error message.)
3.] Turn on the debugs on the ASA ("debug tacacs" and "debug aaa authentication") before you reproduce the problem.
~BR
Jatin Katyal
**Do rate helpful posts** -
Aironet 2702i Autonomous - Web-Authentication with RADIUS on Windows 2008
Hi Guys,
I have a problem with this case. My sample diagram looks like this: AD (Win2008) - RADIUS (Win2008) - Aironet 2702i => using Web-Auth for end users.
This is my configuration file on the Aironet 2702i:
Aironet2702i#show run
Building configuration...
Current configuration : 8547 bytes
! Last configuration change at 05:08:25 +0700 Fri Oct 31 2014 by admin
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Aironet2702i
logging rate-limit console 9
aaa new-model
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login default local
aaa authentication login DTSGROUP group radius
aaa authentication login webauth group radius
aaa authentication login weblist group radius
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa session-id common
clock timezone +0700 7 0
no ip source-route
no ip cef
ip admission name webauth proxy http
ip admission name webauth method-list authentication weblist
no ip domain lookup
ip domain name dts.com.vn
dot11 syslog
dot11 activity-timeout unknown default 1000
dot11 activity-timeout client default 1000
dot11 activity-timeout repeater default 1000
dot11 activity-timeout workgroup-bridge default 1000
dot11 activity-timeout bridge default 1000
dot11 vlan-name DTSGroup vlan 46
dot11 vlan-name L6-Webauthen-test vlan 45
dot11 vlan-name NetworkL7 vlan 43
dot11 vlan-name SGCTT vlan 44
dot11 ssid DTS-Group
vlan 46
authentication open eap DTSGROUP
authentication key-management wpa version 2
mbssid guest-mode
dot11 ssid DTS-Group-Floor7
vlan 43
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 013D03104C0414040D4D5B5E392559
dot11 ssid L6-Webauthen-test
vlan 45
web-auth
authentication open
dot1x eap profile DTSGROUP
mbssid guest-mode
dot11 ssid SaigonCTT-Public
vlan 44
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 04480A0F082E424D1D0D4B141D06421224
dot11 arp-cache optional
dot11 adjacent-ap age-timeout 3
eap profile DTSGROUP
description testwebauth-radius
method peap
method mschapv2
method leap
username TRIHM privilege 15 secret 5 $1$y1J9$3CeHRHUzbO.b6EPBmNlFZ/
username ADMIN privilege 15 secret 5 $1$IvtF$EP6/9zsYgqthWqTyr.1FB0
ip ssh version 2
bridge irb
interface Dot11Radio0
no ip address
encryption vlan 44 mode ciphers aes-ccm
encryption vlan 46 mode ciphers aes-ccm
encryption mode ciphers aes-ccm
encryption vlan 43 mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
ssid DTS-Group
ssid DTS-Group-Floor7
ssid L6-Webauthen-test
ssid SaigonCTT-Public
countermeasure tkip hold-time 0
antenna gain 0
stbc
mbssid
packet retries 128 drop-packet
channel 2412
station-role root
rts threshold 2340
rts retries 128
ip admission webauth
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 subscriber-loop-control
bridge-group 43 spanning-disabled
bridge-group 43 block-unknown-source
no bridge-group 43 source-learning
no bridge-group 43 unicast-flooding
interface Dot11Radio0.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 subscriber-loop-control
bridge-group 44 spanning-disabled
bridge-group 44 block-unknown-source
no bridge-group 44 source-learning
no bridge-group 44 unicast-flooding
ip admission webauth
interface Dot11Radio0.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 subscriber-loop-control
bridge-group 45 spanning-disabled
bridge-group 45 block-unknown-source
no bridge-group 45 source-learning
no bridge-group 45 unicast-flooding
ip admission webauth
interface Dot11Radio0.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 subscriber-loop-control
bridge-group 46 spanning-disabled
bridge-group 46 block-unknown-source
no bridge-group 46 source-learning
no bridge-group 46 unicast-flooding
interface Dot11Radio1
no ip address
shutdown
encryption vlan 46 mode ciphers aes-ccm
encryption vlan 44 mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 43 mode ciphers aes-ccm
encryption vlan 45 mode ciphers ckip-cmic
ssid DTS-Group
ssid DTS-Group-Floor7
ssid SaigonCTT-Public
countermeasure tkip hold-time 0
antenna gain 0
peakdetect
dfs band 3 block
stbc
mbssid
packet retries 128 drop-packet
channel 5745
station-role root
rts threshold 2340
rts retries 128
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 subscriber-loop-control
bridge-group 43 spanning-disabled
bridge-group 43 block-unknown-source
no bridge-group 43 source-learning
no bridge-group 43 unicast-flooding
interface Dot11Radio1.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 subscriber-loop-control
bridge-group 44 spanning-disabled
bridge-group 44 block-unknown-source
no bridge-group 44 source-learning
no bridge-group 44 unicast-flooding
ip admission webauth
interface Dot11Radio1.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 subscriber-loop-control
bridge-group 45 spanning-disabled
bridge-group 45 block-unknown-source
no bridge-group 45 source-learning
no bridge-group 45 unicast-flooding
ip admission webauth
interface Dot11Radio1.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 subscriber-loop-control
bridge-group 46 spanning-disabled
bridge-group 46 block-unknown-source
no bridge-group 46 source-learning
no bridge-group 46 unicast-flooding
interface GigabitEthernet0
no ip address
duplex auto
speed auto
dot1x pae authenticator
dot1x authenticator eap profile DTSGROUP
dot1x supplicant eap profile DTSGROUP
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet0.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 spanning-disabled
no bridge-group 43 source-learning
interface GigabitEthernet0.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 spanning-disabled
no bridge-group 44 source-learning
interface GigabitEthernet0.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 spanning-disabled
no bridge-group 45 source-learning
interface GigabitEthernet0.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 spanning-disabled
no bridge-group 46 source-learning
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
interface GigabitEthernet1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet1.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 spanning-disabled
no bridge-group 43 source-learning
interface GigabitEthernet1.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 spanning-disabled
no bridge-group 44 source-learning
interface GigabitEthernet1.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 spanning-disabled
no bridge-group 45 source-learning
interface GigabitEthernet1.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 spanning-disabled
no bridge-group 46 source-learning
interface BVI1
mac-address 58f3.9ce0.8038
ip address 172.16.1.62 255.255.255.0
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius server 172.16.50.99
address ipv4 172.16.50.99 auth-port 1645 acct-port 1646
key 7 104A1D0A4B141D06421224
bridge 1 route ip
line con 0
logging synchronous
line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
transport input ssh
line vty 5 15
exec-timeout 0 0
privilege level 15
logging synchronous
transport input ssh
end
This is my log file on the Windows 2008 RADIUS server:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: S-1-5-21-858235673-3059293199-2272579369-1162
Account Name: xxxxxxxxxxxxxxxx
Account Domain: xxxxxxxxxxx
Fully Qualified Account Name: xxxxxxxxxxxxxxxxxxx
Client Machine:
Security ID: S-1-0-0
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: -
NAS:
NAS IPv4 Address: 172.16.1.62
NAS IPv6 Address: -
NAS Identifier: Aironet2702i
NAS Port-Type: Async
NAS Port: -
RADIUS Client:
Client Friendly Name: Aironet2702i
Client IP Address: 172.16.1.62
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: DTSWIRELESS
Authentication Provider: Windows
Authentication Server: xxxxxxxxxxxxxx
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
So I will explain the problems I have seen:
SSID DTS-Group uses EAP authentication with RADIUS and it is working great (the authentication type from the Aironet to RADIUS is PEAP).
SSID L6-Webauthen-test uses web-auth, and when I compared it with RADIUS the ROOT CAUSE is that the AUTHENTICATION TYPE from the Aironet to RADIUS defaults to PAP (Reason Code: 66).
=> I have been trying to find how to change the authentication type of Web-Auth on the Cisco Aironet from PAP to PEAP, or something like that, to combine it with RADIUS.
Any ideas or recommendations for me?
Thanks for looking at my case.
Hi Dhiresh Yadav,
Many thanks for your reply.
I will explain again to clarify my problem.
In this case, I had completely set up SSID DTS-Group using PEAP authentication combined with a RADIUS server running on Windows 2008.
I logged in to the SSID with an account created in AD => it works okay for me. Done.
The problem occurs when I try to use Web Authentication on VLAN 45 with this SSID:
dot11 ssid L6-Webauthen-test
vlan 45
web-auth
authentication open
dot1x eap profile DTSGROUP
mbssid guest-mode
After configuring the Aironet and the Windows RADIUS server, I tried to log in through the web browser with an account created in AD, but it fails (I see a mini popup saying "Authentication Fail"). So I went to the RADIUS server and searched the log in Event Viewer.
This is my log file on the Windows 2008 RADIUS server:
Network Policy Server denied access to a user.
NAS:
NAS IPv4 Address: 172.16.1.62
NAS IPv6 Address: -
NAS Identifier: Aironet2702i
NAS Port-Type: Async
NAS Port: -
RADIUS Client:
Client Friendly Name: Aironet2702i
Client IP Address: 172.16.1.62
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: DTSWIRELESS
Authentication Provider: Windows
Authentication Server: xxxxxxxxxxxxxx
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
I think the ROOT CAUSE is:
PAP is the default authentication type for web-auth users on the Aironet 2702i, so it can't combine with RADIUS on Windows 2008 because they only support PEAP (CHAPv1, CHAPv2, ...) => Please give me a tip on how to change the authentication type from PAP to PEAP for Web Authentication on the Aironet. -
Cisco WLC Web Authentication with Internet Explorer 10
Hi my name is Ivan
I have a question:
Cisco WLC Web Authentication works fine with Internet Explorer 10. I have worked with Chrome, Mozilla, IE 7 and I don't have any trouble.
When I put in the IP address https://1.1.1.1/login, the web page shows.
Thanks for your answers
Regards
Hmm, I'm a Mac guy, hard for me to test. I also did a search and don't see anything about bugs. Did you make any changes to IE10 settings? Is proxy enabled?
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection." -
Hi there,
How can I make ESA work with RSA tokens? I mean, when I enter the login, the authentication asks me for the RSA token. Is it possible???
Regards,
Hello Miguel,
RSA tokens are currently not supported for login, neither to the GUI/CLI nor for access to the spam quarantine. There is currently a feature request "Support SecurID via RADIUS" for the WSA; if you want, you can open a ticket and either have your company added to that request, or have it extended to the ESA as well.
Hope that helps,
Andreas -
Web authentication with Radius server problem
Hello,
I'm having a problem web-authenticating users via a RADIUS server for one WLC. Here is the output from the WLC:
*emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created for mobile, length = 7
*emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created in mscb for mobile, length = 7
*aaaQueueReader: Mar 26 14:17:31.537: Unable to find requested user entry for aaaaaa
*aaaQueueReader: Mar 26 14:17:31.537: ReProcessAuthentication previous proto 8, next proto 1
*aaaQueueReader: Mar 26 14:17:31.537: AuthenticationRequest: 0x1e08eb94
*aaaQueueReader: Mar 26 14:17:31.538: Callback.....................................0x10908d90
*aaaQueueReader: Mar 26 14:17:31.538: protocolType.................................0x00000001
*aaaQueueReader: Mar 26 14:17:31.538: proxyState...................................20:7D:xx:xx:D8:F0-00:00
*aaaQueueReader: Mar 26 14:17:31.538: Packet contains 11 AVPs (not shown)
*aaaQueueReader: Mar 26 14:17:31.538: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*aaaQueueReader: Mar 26 14:17:31.538: 20:7d:xx:xx:d8:f0 Successful transmission of Authentication Packet (id 67) to 10.xx.33.249:1645, proxy state 20:7d:xx:xx:d8:f0-00:01
*aaaQueueReader: Mar 26 14:17:31.538: 00000000: 01 43 00 8c 48 7c a7 ff df 06 53 30 c0 be e1 8e .C..H|....S0....
*aaaQueueReader: Mar 26 14:17:31.538: 00000010: d7 fd 8b d3 01 09 73 65 66 72 73 76 65 02 12 7b ......aaaaaa..{
*aaaQueueReader: Mar 26 14:17:31.538: 00000020: ae 2e f5 eb fa cf f5 cc 3b 08 65 d7 04 0e ba 06 ........;.e.....
*aaaQueueReader: Mar 26 14:17:31.538: 00000030: 06 00 00 00 01 04 06 0a 2e 09 14 05 06 00 00 00 ................
*aaaQueueReader: Mar 26 14:17:31.538: 00000040: 0d 20 0d 73 65 76 73 74 2d 6c 77 63 31 30 3d 06 ...xxxxx-lwc10=.
*aaaQueueReader: Mar 26 14:17:31.538: 00000050: 00 00 00 13 1a 0c 00 00 37 63 01 06 00 00 00 01 ........7c......
*aaaQueueReader: Mar 26 14:17:31.538: 00000060: 1f 0e 31 39 32 2e 31 36 38 2e 31 2e 36 31 1e 0c ..192.168.1.61..
*aaaQueueReader: Mar 26 14:17:31.538: 00000070: 31 30 2e 34 36 2e 39 2e 32 30 50 12 95 11 7c d9 10.xx.9.20P...|.
*aaaQueueReader: Mar 26 14:17:31.538: 00000080: 75 8e 01 6e bf 62 38 f8 38 ab 68 4a u..n.b8.8.hJ
*radiusTransportThread: Mar 26 14:17:31.603: 00000000: 03 43 00 14 e5 8c e7 75 52 04 af e0 07 b7 fb 96 .C.....uR.......
*radiusTransportThread: Mar 26 14:17:31.603: 00000010: c1 4a fb 40 .J.@
*radiusTransportThread: Mar 26 14:17:31.603: ****Enter processIncomingMessages: response code=3
*radiusTransportThread: Mar 26 14:17:31.603: ****Enter processRadiusResponse: response code=3
*radiusTransportThread: Mar 26 14:17:31.603: 20:7d:xx:xx:d8:f0 Access-Reject received from RADIUS server 10.xx.33.249 for mobile 20:7d:xx:xx:d8:f0 receiveId = 0
*radiusTransportThread: Mar 26 14:17:31.603: ReProcessAuthentication previous proto 1, next proto 2
*radiusTransportThread: Mar 26 14:17:31.603: AuthenticationRequest: 0x1da9fa4c
*radiusTransportThread: Mar 26 14:17:31.603: Callback.....................................0x10908d90
*radiusTransportThread: Mar 26 14:17:31.603: protocolType.................................0x00000002
*radiusTransportThread: Mar 26 14:17:31.603: proxyState...................................20:7D:xx:xx:D8:F0-00:00
*radiusTransportThread: Mar 26 14:17:31.603: Packet contains 11 AVPs (not shown)
*radiusTransportThread: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Returning AAA Error 'No Server' (-7) for mobile 20:7d:xx:xx:d8:f0
*radiusTransportThread: Mar 26 14:17:31.605: AuthorizationResponse: 0x2dd03648
*radiusTransportThread: Mar 26 14:17:31.605: structureSize................................32
*radiusTransportThread: Mar 26 14:17:31.605: resultCode...................................-7
*radiusTransportThread: Mar 26 14:17:31.605: protocolUsed.................................0x00000002
*radiusTransportThread: Mar 26 14:17:31.605: proxyState...................................20:7D:xx:xx:D8:F0-00:00
*radiusTransportThread: Mar 26 14:17:31.605: Packet contains 0 AVPs:
*emWeb: Mar 26 14:17:31.605: Authentication failed for aaaaaa
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Username entry deleted for mobile
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Plumbing web-auth redirect rule due to user logout
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Deleting mobile policy rule 42461
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Adding Web RuleID 42464 for mobile 20:7d:xx:xx:d8:f0
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Web Authentication failure for station
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Reached ERROR: from line 5069
That was pretty clear to me: RADIUS is refusing to give the user access.
Fully-Qualified-User-Name = NMEA\aaaaaa
NAS-IP-Address = 10.xx.9.20
NAS-Identifier = xxxxx-lwc10
Called-Station-Identifier = 10.xx.9.20
Calling-Station-Identifier = 192.168.1.61
Client-Friendly-Name = YYY10.xx
Client-IP-Address = 10.xx.9.20
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 13
Proxy-Policy-Name = Use Windows authentication forall users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = YYYYY Wireless Users
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy
That output is from a WLC 5508 version 7.0.235.
What is strange is that the user was able to authenticate before the refresh from the WLC 4402 ver 4.2.207. I cannot change the WLC because of APs which cannot run the old version.
This is the output from a working client connection on the old WLC:
NAS-IP-Address = 10.xx.9.13
NAS-Identifier = xxxxx-lwc03
Client-Friendly-Name = YYY10.46
Client-IP-Address = 10.xx.9.13
Calling-Station-Identifier = 192.168.19.246
NAS-Port-Type = <not present>
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = YYYYY Wireless Guest Access
Authentication-Type = PAP
EAP-Type = <undetermined>
I know there is a different Policy Name used, but my question is why it is not using the same one as on the old WLC when the configuration is the same.
Is there any way I can force users to use a different policy from the WLC or AP configuration, or is this solely the configuration of RADIUS?
Is it maybe a problem of version 7.0.235?
Any thoughts would be much appreciated.
Scott,
You are probably right. The condition that is checked for the first policy name (we have 2) is to match
NAS-Port-Type = Wireless - IEEE 802.11, and this is basically used to differentiate guests from other company users.
As you can see from the logs, the one that is working correctly is not sending NAS-Port-Type. The question is why.
As I said before:
WLC 5508 ver. 7.0.235 is sending NAS-Port-Type;
WLC 4402 ver. 4.2.207 is not.
The same user was working OK on the 4402 WLC and after the refresh and associating the APs to the 5508 it all broke, so the client did not change anything on the adapter. -
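Three posts on this page debug the same way: read the IAS/NPS denial event, take the Reason-Code, and compare the attributes of a failing request with a working one (here the NAS-Port-Type that the 5508 sends and the 4402 does not). The Python below is an added example, not code from the thread or from Microsoft: a parser for both event layouts quoted on this page (the `Attribute = Value` IAS form and the `Attribute: Value` NPS form), a triage step covering the two reason codes that appear in these threads (8 and 66, with the descriptions exactly as the events state them), and a field diff between two events. The sample events are constructed to mirror the page's layout with placeholder values.

```python
import re
from typing import Dict, Optional, Tuple

# Reason descriptions exactly as the events quoted in these threads give them.
REASON_CODES = {
    8: "The specified user account does not exist.",
    66: "The user attempted to use an authentication method that is not enabled "
        "on the matching network policy.",
}

# 'Attribute = Value' (IAS event text) and 'Attribute: Value' (NPS event text) both match.
_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 \-]*?)\s*[=:]\s*(.*?)\s*$")
_EMPTY = {"", "-", "<undetermined>", "<not present>"}


def parse_event(text: str) -> Dict[str, Optional[str]]:
    """Normalises keys ('NAS-Port-Type' and 'NAS Port-Type' -> 'nas-port-type') and maps
    the placeholders IAS/NPS print for absent attributes to None."""
    fields: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # free-text lines such as 'Network Policy Server denied access to a user.'
        key = m.group(1).strip().lower().replace(" ", "-")
        value = m.group(2).strip()
        fields[key] = None if value in _EMPTY else value
    return fields


def triage(fields: Dict[str, Optional[str]]) -> Dict[str, object]:
    """Explains the reason code and points at the attributes worth checking next."""
    raw = fields.get("reason-code")
    code = int(raw) if raw and raw.isdigit() else None
    notes = []
    if code == 66:
        policy = fields.get("policy-name") or fields.get("network-policy-name")
        notes.append(f"NAS offered {fields.get('authentication-type')}; "
                     f"check the authentication methods enabled on policy {policy!r}")
    elif code == 8:
        user = fields.get("fully-qualified-user-name") or fields.get("fully-qualified-account-name")
        notes.append(f"account {user!r} was not found by the authentication provider")
    return {"reason_code": code,
            "reason": REASON_CODES.get(code, "reason code not covered here"),
            "notes": notes}


def diff_events(a: Dict[str, Optional[str]], b: Dict[str, Optional[str]]) -> Dict[str, Tuple]:
    """Attributes whose values differ between two events (e.g. failing vs working request)."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


# Constructed samples in the layouts shown in these threads (placeholder values).
IAS_FAILING = """\
Fully-Qualified-User-Name = EXAMPLE\\guest1
NAS-IP-Address = 10.0.0.20
NAS-Identifier = example-wlc10
Calling-Station-Identifier = 192.168.1.61
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 13
Proxy-Policy-Name = Use Windows authentication for all users
Policy-Name = Example Wireless Users
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching network policy.
"""

IAS_WORKING = """\
Fully-Qualified-User-Name = EXAMPLE\\guest1
NAS-IP-Address = 10.0.0.13
NAS-Identifier = example-wlc03
Calling-Station-Identifier = 192.168.19.246
NAS-Port-Type = <not present>
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Policy-Name = Example Wireless Guest Access
Authentication-Type = PAP
EAP-Type = <undetermined>
"""

NPS_FAILING = """\
Network Policy Server denied access to a user.
NAS:
NAS IPv4 Address: 172.16.1.62
NAS Identifier: Aironet2702i
NAS Port-Type: Async
Authentication Details:
Network Policy Name: EXAMPLEWIRELESS
Authentication Type: PAP
EAP Type: -
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
"""

if __name__ == "__main__":
    failing, working = parse_event(IAS_FAILING), parse_event(IAS_WORKING)
    print(triage(failing))
    print(diff_events(failing, working))  # nas-port-type and policy-name are among the differences
    print(triage(parse_event(NPS_FAILING)))
```

The diff is the useful part when two controllers behave differently against the same RADIUS policy set: it lists exactly the attributes (here NAS-Port-Type, NAS-Port and the policy that matched) on which the policy conditions can be keyed, which narrows the question to the NAS-side attribute set rather than the user's credentials.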
Authentication with RSA SecurID
Hi,
Can we use RSA SecurID for OBIEE authentication? If yes, can you recommend a blog or document?
Thanks,
Gustavo.
Yes, you can. But you will have to develop a Custom Authenticator.
http://obiee101.blogspot.com/2009/03/obiee-custom-authenticators.html -
Firefox 10 and IE 9 are not displaying Cisco ASA Web Authentication
Hi All,
We are having an issue with the AAA authentication page display for our ASA.
1. There are 2 issues reported here.
2. First, the customer cannot access the website using IE 9. But this is because there is a security patch on the customer PC.
3. After the customer uninstalls KB2585542, the website loads fine.
4. The second issue is that this morning there was an auto update on Firefox which automatically upgraded users' Firefox to Firefox 10.
5. After this upgrade, users cannot load the website anymore.
6. The error message is: Server Does Not Support RFC 5746 / CVE-2009-3555
7. The customer uses Firefox as the default Internet browser.
8. As a workaround, the customer has downgraded their Firefox to version 3.6.22 and it's working fine.
9. Java Version 6 update 23.
10. A Cisco case has been raised to check the compatibility of Cisco Web Authentication with FF10.
11. SR 620756799.
Firewall Version: ASA 5520 7.2(5)
Is anyone else experiencing the same issue? Any idea whether this is a Cisco bug or an AAA issue?
Hi,
Please share the URL of the web site.
Regards,
Abhishek Maurya -
WiSM and GUEST web authentication
I have a WiSM and we use Cisco open web authentication with a user email address.
When performing these commands via CLI:
>config network secureweb disable
>save config
> reset system
Will this make the web authentication come up as HTTP instead of HTTPS?
That command is for managing the unit.
However, there used to be a workaround: when you disable HTTPS and SSH and reboot the WLC, the web authentication will be shown as http and not https.
Let me know if it works for you. -
TMG with RSA for OWA on the same URL as EAS
Hi
We have a requirement to use RSA authentication for external OWA users on Exchange 2010. Exchange ActiveSync users will not be affected and will authenticate normally. We currently have OWA, EAS and Autodiscover on the same URL, mail.company.com.
I have installed TMG on a server with 1 NIC in our DMZ. I have set up 3 listeners: one for OWA with RSA, one for EAS and one for Autodiscover. The problem is that the OWA/RSA listener can't share the same IP as the others (I get an 'overlap' error
message), so I have had to add a 2nd IP address to the server NIC to solve that. All looks OK on TMG, except now I have the problem that all the traffic is coming into our firewall on one URL and has to be NATted to only one of the 2 IP addresses.
Do I need to have separate external URLs for OWA and EAS/Autodiscover so that they can be NATted to different IP addresses and hence different listeners? Is there an easier way to split the traffic?
Thanks
Hi,
The following part in the thread below might help.
Quote:
We have a firewall in front of the TMG that we are using static NATs. So I would have to create another static NAT for the IP i just added to my external NIC for ActiveSync.
Create two external DNS entries. One for owa.domain.com and one for activesync.domain.com and point them to their respective IPs.
For more information:
http://social.technet.microsoft.com/Forums/en-US/119c0a10-b475-449f-b2ea-15fe260e89ce/publishing-exchange-2010-owa-with-rsa-secureid-authentication-and-active-sync?forum=Forefrontedgegeneral
Best Regards,
Joyce
How many web authentication users does the 2125 support?
When the 2125 uses the local database for web authentication, how many web authentication users does the 2125 support?
Thank you very much!!
(signature: "Who amounts to anything living as if drunk and dreaming; with steed and long spear one settles the realm")
Reply by pcroak in Getting Started with Wireless, Cisco Support Community, Fri, 19 Aug 2011:
Hello Yuliang,
The maximum number of local database accounts that can be created is 2048. You can configure the size of the local database with the command:
config database size <512-2048>
NOTE: This local database count is shared between the following entries:
MAC filters (clients)
AP MIC/SSC (AP authorization list)
Dynamic Interfaces
Management users
Local net users
Excluded Clients
If you are asking about the number of simultaneous wireless clients, I believe the 2125 supports 350 active wireless clients.
-Patrick Croak
Wireless TAC
ISE mab authentication with Avaya/Nortel switches
Currently using Cisco ISE 1.1 to authenticate both dot1x and MAB from Cisco switches. Both features are authenticating properly.
When we use a Nortel/Avaya switch as the authenticator, we are unable to authenticate using MAC bypass (non-EAP, or NEAP, in Avaya terms). The correct authentication policy is found in ISE, but the MAC address is not found in the database. We know it is there because the same MAC is authenticating with the Cisco switch. Dot1x authenticates properly from both the Cisco and Avaya authenticators.
Could this be an issue with the username/password format in the RADIUS packet from the Cisco?
Thanks in advance for any assistance.
-Kurt
As requested...
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuc22732
MAB works from a Cisco switch because the Cisco switch places the MAC address in the Calling-Station-Id attribute and the User-Name attribute. The Cisco ISE platform is looking at the Calling-Station-Id attribute to find the user name. This is the problem.
The RADIUS RFC says the user name must be in the User-Name attribute. The Calling-Station-Id attribute is not a required field and is used for the phone number of a VoIP phone. Basically, the ISE platform is looking at the wrong field for the MAC address.
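Both the WLC/NPS thread above (a first-match policy keyed on NAS-Port-Type, which the 4402 does not send) and the ISE/Avaya thread (a MAB lookup keyed on Calling-Station-Id instead of User-Name) come down to which RADIUS attribute the server reads and what happens when it is absent. The Python below is an added example, not code from any of the posters, Cisco or Microsoft: it builds constructed Access-Request packets, parses the attribute TLVs per RFC 2865, and shows how the presence or absence of one attribute flips the outcome. The policy names, the MAC 00-11-22-33-44-55, the user name, and the assumption that the Avaya switch carries the MAC only in User-Name are illustrative assumptions, not captures from the threads.

```python
import struct

# RADIUS attribute type codes (RFC 2865) and the NAS-Port-Type values used here:
# 19 = Wireless-IEEE 802.11, 15 = Ethernet.
USER_NAME = 1
CALLING_STATION_ID = 31
NAS_PORT_TYPE = 61
NPT_WIRELESS_80211 = 19
NPT_ETHERNET = 15


def build_access_request(attrs, ident=1):
    """Serialize a RADIUS Access-Request (Code 1) from (type, value-bytes) pairs.
    The 16-byte Request Authenticator is zeroed: these packets are parsed locally,
    never sent, so no shared secret is involved."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + b"\x00" * 16 + body


def parse_attributes(packet):
    """Return {type: [value, ...]} for the attribute TLVs of a RADIUS packet,
    rejecting truncated or overlapping attributes instead of reading past them."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return attrs


def select_policy(attrs):
    """First-match evaluation in the shape of the NPS ordering described in the
    WLC thread: the first policy requires NAS-Port-Type = Wireless-IEEE 802.11.
    Policy names are assumed for illustration, not the poster's."""
    npt = attrs.get(NAS_PORT_TYPE)
    if npt and struct.unpack("!I", npt[0])[0] == NPT_WIRELESS_80211:
        return "Corporate Wireless"   # matched only when the attribute is present
    return "Wireless Guest Access"    # fallthrough when it is absent or different


def normalize_mac(value):
    """Reduce '00-11-22-33-44-55', '0011.2233.4455' or '001122334455' to 12 hex digits."""
    digits = "".join(c for c in value.lower() if c in "0123456789abcdef")
    return digits if len(digits) == 12 else None


def mab_mac(attrs, attribute):
    """The MAC a server would look up if it reads it from the given attribute;
    None when that attribute is missing, which is the failure mode in the bug above."""
    values = attrs.get(attribute)
    return normalize_mac(values[0].decode("ascii", "replace")) if values else None


# Constructed sample requests (assumed shapes, not captures from the threads).
WLC_5508_GUEST = build_access_request([
    (USER_NAME, b"guest1"),
    (CALLING_STATION_ID, b"00-11-22-33-44-55"),
    (NAS_PORT_TYPE, struct.pack("!I", NPT_WIRELESS_80211)),
])
WLC_4402_GUEST = build_access_request([   # same user, no NAS-Port-Type at all
    (USER_NAME, b"guest1"),
    (CALLING_STATION_ID, b"00-11-22-33-44-55"),
])
CISCO_MAB = build_access_request([        # MAC carried in both attributes
    (USER_NAME, b"001122334455"),
    (CALLING_STATION_ID, b"00-11-22-33-44-55"),
    (NAS_PORT_TYPE, struct.pack("!I", NPT_ETHERNET)),
])
AVAYA_NEAP = build_access_request([       # assumption: MAC only in User-Name
    (USER_NAME, b"001122334455"),
    (NAS_PORT_TYPE, struct.pack("!I", NPT_ETHERNET)),
])


if __name__ == "__main__":
    for name, pkt in [("WLC 5508", WLC_5508_GUEST), ("WLC 4402", WLC_4402_GUEST)]:
        print(f"{name}: policy = {select_policy(parse_attributes(pkt))}")
    for name, pkt in [("Cisco MAB", CISCO_MAB), ("Avaya NEAP", AVAYA_NEAP)]:
        a = parse_attributes(pkt)
        print(f"{name}: via Calling-Station-Id = {mab_mac(a, CALLING_STATION_ID)}, "
              f"via User-Name = {mab_mac(a, USER_NAME)}")
```

Running it shows the same guest user landing on a different policy purely because one controller includes NAS-Port-Type and the other omits it, and a MAB request that carries the MAC only in User-Name yielding no MAC at all when the server insists on Calling-Station-Id. The parser also refuses a packet whose Length field disagrees with its size, which a RADIUS consumer should do before trusting any attribute.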