Wireless Autentication + WLC + ACS + AD
Hello Everyone,
I'm trying to configure autentication policy in my wireless network.
I need to autenticate users members of group "Wireless users" in active directory.
My question is: I need use ACS for this autentication in AD Group? Or only the controller is enough?
I do not like to use this digital certificate solution.
My Topology is:
USER -> AP -> Controller -> ACS -> AD
Or
USER -> AP -> Controller -> AD
Help?
Tks a lot.
Well, The kind of requirement you have does ask for digital certs because most of the EAP flavors are dependent on certs.
However, you may go for LEAP ( doesn't need certs)
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml#c4
You may go for WLC and LDAP ( with certs without ACS)
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
Regds,
Jatin
Do rate helpful posts-
Similar Messages
-
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Tabla normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
The ACS version 4.1, can be configured with two differents Active Directorys, to authenticate users ?
Wireless Users ---> WLC --> 802.1X ---> AAA Servers ---> ACS ----> External Data Base ---> Active Directory (server A)
---> Active Directory (server B)Hi,
What ACS is linking to is an AD Domain. It's usual to have several domain controllers in the domain, so ACS will automatically get all the domain controller ip address through DNS resolution.
Regards,
Nicolas -
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
Hi,
I want to do the restriction on the bases of SSID. I have two SSID on Wireless LAN controller and all authentications are happing through Active directory through ACS. ACS is integrated with Active directory.
Objective is to restrict the users, I want that GROUP-A users can only login on SSID-A and GROUP-B user only login on SSID-B.
GROUP-A users could not login to SSID-B and GROUP-B users could not login to SSID-A
Is it possible in ACS to apply the restriction on the basis on SSID or any other workaround?
Regrds,
VashdevVashdev,
Yes, SSID base restriction is possible with Cisco acs, please configured the GROUP-A and GROUP-B with their respective SSID like (*ssid) as mentioned in the below listed configuration example.
Restrict WLAN Access based on SSID with WLC and Cisco Secure ACS Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
Regds,
JK
Do rate helpful posts- -
WLC + ACS (RADIUS) + MS-AD
Hi!
I have been looking around if there is a way to authenticate users against a MS-AD database from a non-controlled wireless client.
My design includes a WLC 4400, an ACS 5.4 and MS-AD 2003.
The goal is to connect a client without any special configuration (in the client); the SSID will be visible so I just want to join the network and after the negotiation, it should prompts me a username and password for the Microsoft Database.
I have read there are limitations setting this up just with WLC and MS-AD, thats why I want to use Radius (ACS) so I can establish a trust communication between both the ACS and MS-AD. But so far, I just found documentation where they modify the native supplicant to validate a CA and force mschapv2.
Thanks in advance for any help.Check out the doc below
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml -
WLAN Clients not browsing on Cisco Wireless Controller WLC NME-AIR-WLC12-K9
HiI have a question and i need a solution and expert help.I have done a deployment which involves Security (ASA5540), Routing/voice gateway/wlc NME-AIR-WLC12-k9) and Switching (Cisco3845-ccme/k9)Below is the list of equipment used:1. Cisco ASA 5540 - which is connected at the edge to the ISP router
2. Core Switch WS-C4948E as core and DHCP Server for all VLANs
3. Access/Distribution Switches WS-C3560G-48PS-S connected as trunk to the core switch
4. Router/Voice Gateway/WLC Cisco3845-CCME/K9 - This is the voice gateway and also the WLC
5. Wireless APs AIR-LAP1242AG-E-K9 (12 qty)Here is the deployment scenario:1. G0/0 of the ASA is connected to a 7200 router from the ISP (Public IP Add)
2. G0/1 of the ASA is connected to gig 1/3 on the Core Switch on VLAN 2 which is the management VLAN (Local IP 10.1.1.2)
3. Port 3 of the Core switch is on vlan 2 connected to ASA - Management IP of Core Switch is 10.1.1.1. Core Switch is the DHCP Server for all VLANS on the network.
4. All the Access/Distribution switches are configured with IP Addresses on VLAN 2
5. Telephony Services is configured on the router and DHCP Pool for Access Points and Wireless Clients is running on the router.
6. Two DHCP pools were created on the router for APs and Wireless Clients.
7. G0/0 of the router is configured on the same network that issues dhcp ip to the AP and is connected to gig 1/1 on the core switch
8 G0/1 of the router is configured as the voice port for the IP Telephony Services and is connected to G 1/2 on the core switch1. Clients receiving DHCP IP on the Core Switch can communicate with all vlans and can browse to the Internet.
2. IP Telephony Services is running well.
3. Client on wireless can get IP from the DHCP on the router but cannot browse.I have pings from the router to the core switch and firewall, but clients connected to the wireless
cannot ping other vlans on the core switch and vice versa.The port connecting the router to the core switch is an Access Port, i have changed to to trunk but still no changes.My biggest problem now is how to make the clients on the wireless communicate with other clients on the network and be able to browse to the Internet.Below is the configs on the router and core switch.Router ConfigNimc_Voice_Router#sh run
Building configuration...
Current configuration : 10513 bytes
! Last configuration change at 13:03:55 Nigeria Mon Nov 29 2010 by admin
! NVRAM config last updated at 13:03:56 Nigeria Mon Nov 29 2010 by admin
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Nimc_Voice_Router
boot-start-marker
boot-end-marker
! card type command needed for slot/vwic-slot 0/2
logging message-counter syslog
enable secret
aaa new-model
! aaa authentication login default local
aaa session-id common
clock timezone Nigeria 1
dot11 syslog
ip source-route
ip dhcp excluded-address 10.1.12.1 10.1.12.10
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp pool LWAAP-AP
network 10.1.12.0 255.255.255.0
default-router 10.1.12.1
option 43 hex f104.c0a8.0002
dns-server 83.229.88.30 4.2.2.2 193.238.28.249
option 60 ascii "Cisco AP c1240"
ip dhcp pool Wireless
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 83.229.88.30 193.238.28.249 4.2.2.2
ip cef
no ip domain lookup
ip domain name nimc.gov.ng
ip name-server 83.229.88.30
ip name-server 193.238.28.249
ip name-server 4.2.2.2
no ipv6 cef
multilink bundle-name authenticated
voice-card 0
archive
log config
hidekeys
interface GigabitEthernet0/0
description Connection to AP
ip address 10.1.12.1 255.255.255.0
ip helper-address 192.168.0.2
load-interval 30
duplex auto
speed auto
media-type rj45
interface Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/1
ip address 10.1.2.2 255.255.255.0
duplex auto
speed auto
media-type rj45
interface FastEthernet0/0/0
no ip address
shutdown
duplex auto
speed auto
interface Serial0/1/0
no ip address
shutdown
no fair-queue
clock rate 2000000
interface Serial0/1/1
no ip address
shutdown
clock rate 2000000
interface Integrated-Service-Engine1/0
ip address 192.168.0.1 255.255.255.0
no keepalive
interface Integrated-Service-Engine1/0.15
encapsulation dot1Q 15
ip address 192.168.1.1 255.255.255.0
interface Integrated-Service-Engine1/0.100
encapsulation dot1Q 100
ip forward-protocol nd
ip forward-protocol udp 12223
ip route 10.1.0.0 255.255.255.0 10.1.1.1
ip route 10.1.1.0 255.255.255.0 10.1.1.1
ip route 10.1.2.0 255.255.255.0 10.1.1.1
ip route 10.1.3.0 255.255.255.0 10.1.1.1
ip route 10.1.4.0 255.255.255.0 10.1.1.1
ip route 10.1.5.0 255.255.255.0 10.1.1.1
ip route 10.1.6.0 255.255.255.0 10.1.1.1
ip route 10.1.7.0 255.255.255.0 10.1.1.1
ip route 10.1.8.0 255.255.255.0 10.1.1.1
ip route 10.1.9.0 255.255.255.0 10.1.1.1
ip route 10.1.10.0 255.255.255.0 10.1.1.1
ip route 10.1.11.0 255.255.255.0 10.1.1.1
ip route 10.1.12.0 255.255.255.0 10.1.1.1
ip route 192.168.0.0 255.255.255.0 10.1.1.1
ip route 192.168.1.0 255.255.255.0 10.1.1.1
no ip http server
ip http secure-server
!Core Switch Configsh run
Building configuration...Current configuration : 10622 bytes
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
hostname Nimc_Core
boot-start-marker
boot-end-marker!
aaa new-model
aaa authentication login default local
aaa session-id common
storm-control broadcast include multicast
ip subnet-zero
no ip domain-lookup
ip domain-name nimc.gov.ng
ip dhcp excluded-address 10.1.2.1 10.1.2.10
ip dhcp excluded-address 10.1.4.1 10.1.4.10
ip dhcp excluded-address 10.1.5.1 10.1.5.10
ip dhcp excluded-address 10.1.6.1 10.1.6.10
ip dhcp excluded-address 10.1.7.1 10.1.7.10
ip dhcp excluded-address 10.1.8.1 10.1.8.10
ip dhcp excluded-address 10.1.9.1 10.1.9.10
ip dhcp excluded-address 10.1.10.1 10.1.10.10
ip dhcp excluded-address 10.1.3.1 10.1.3.10
ip dhcp pool Voice
network 10.1.2.0 255.255.255.0
next-server 10.1.2.1
option 150 ip 10.1.2.2
default-router 10.1.2.1
dns-server 83.229.88.30 193.238.28.249 4.2.2.2
ip dhcp pool SF_DGs_Office
network 10.1.3.0 255.255.255.0
domain-name nimc.gov.ng
default-router 10.1.3.1
dns-server 81.199.3.7
lease 10
ip dhcp pool Admin_Process_Fac_Mgt
network 10.1.4.0 255.255.255.0
domain-name nimc.gov.ng
default-router 10.1.4.1
dns-server 83.229.88.30 193.238.28.249 4.2.2.2
lease 10
ip dhcp pool SF_IDD
network 10.1.5.0 255.255.255.0
domain-name nimc.gov.ng
default-router 10.1.5.1
dns-server 83.229.88.30 193.238.28.249 4.2.2.2
lease 10
ip dhcp pool Finance_Fin_Inv
network 10.1.6.0 255.255.255.0
domain-name nimc.gov.ng
default-router 10.1.6.1
dns-server 83.229.88.30 193.238.28.249 4.2.2.2
lease 10
ip dhcp pool Finance_CS
network 10.1.7.0 255.255.255.0
domain-name nimc.gov.ng
default-router 10.1.7.1
dns-server 83.229.88.30 193.238.28.249 4.2.2.2
lease 10
ip dhcp pool FF_Human_Capital_Mgt
network 10.1.8.0 255.255.255.0
domain-name nimc.gov.ng
default-router 10.1.8.1
dns-server 83.229.88.30 193.238.28.249 4.2.2.2
lease 10
ip dhcp pool FF_Legal_Services
network 10.1.9.0 255.255.255.0
domain-name nimc.gov.ng
default-router 10.1.9.1
dns-server 83.229.88.30 193.238.28.249 4.2.2.2
lease 10
ip dhcp pool SF_Procurement_Serv
network 10.1.10.0 255.255.255.0
domain-name nimc.gov.ng
default-router 10.1.10.1
dns-server 83.229.88.30 193.238.28.249 4.2.2.2
lease 10
ip vrf mgmtVrf
errdisable recovery cause bpduguard
errdisable recovery interval 180
power redundancy-mode redundant
spanning-tree mode mst
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree mst configuration
name xxxx
revision 1
instance 1 vlan 1-20
spanning-tree mst 1 priority 0
spanning-tree vlan 1-20 priority 0
vlan internal allocation policy ascending
interface FastEthernet1
ip vrf forwarding mgmtVrf
no ip address
speed auto
duplex auto
interface GigabitEthernet1/1
switchport trunk encapsulation dot1q
switchport mode trunk
interface GigabitEthernet1/2
switchport access vlan 4
switchport mode access
spanning-tree portfast
interface GigabitEthernet1/3
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/4
switchport mode access
spanning-tree portfast
interface GigabitEthernet1/5
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/6
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/7
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/8
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast!
interface GigabitEthernet1/9
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/10
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/11
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/12
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/13
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/14
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/15
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/16
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/17
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/18
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/19
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/20
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/21
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/22
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/23
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/24
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/25
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/26
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/27
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/28
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/29
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/30
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/31
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfastinterface GigabitEthernet1/32
switchport access vlan 2
switchport voice vlan 4
interface GigabitEthernet1/33
switchport mode access
interface GigabitEthernet1/34
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/35
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/36
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/37
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/38
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/39
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/40
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/41
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/42
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/43
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/44
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/45
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/46
switchport access vlan 2
switchport mode access
switchport voice vlan 4
spanning-tree portfast
interface GigabitEthernet1/47
switchport trunk encapsulation dot1q
switchport mode trunk
interface GigabitEthernet1/48
switchport trunk encapsulation dot1q
switchport mode trunk
interface Vlan1
no ip address
shutdown
interface Vlan2
description Management
ip address 10.1.1.1 255.255.255.0
interface Vlan3
description Enterprise
ip address 10.1.0.1 255.255.255.0
interface Vlan4
description Voice
ip address 10.1.2.1 255.255.255.0
interface Vlan5
description SS_DGs_Office
ip address 10.1.3.1 255.255.255.0
interface Vlan6
description Admin_Process_Fac_Management
ip address 10.1.4.1 255.255.255.0
interface Vlan7
description SF_National_Identity_Database
ip address 10.1.5.1 255.255.255.0
interface Vlan8
description Fin_Finance_Investment
ip address 10.1.6.1 255.255.255.0
interface Vlan9
description Fin_Corporate_Services
ip address 10.1.7.1 255.255.255.0
interface Vlan10
description FF_Human_Capital_Management
ip address 10.1.8.1 255.255.255.0
interface Vlan11
description FF_Legal_services
ip address 10.1.9.1 255.255.255.0
interface Vlan12
description SF_Procurement_Services
ip address 10.1.10.1 255.255.255.0
ip default-gateway 10.1.1.2
ip route 0.0.0.0 0.0.0.0 10.1.1.2
ip route 10.1.1.0 255.255.255.0 10.1.1.2
ip route 10.1.2.0 255.255.255.0 10.1.1.2
ip route 10.1.3.0 255.255.255.0 10.1.1.2
ip route 10.1.4.0 255.255.255.0 10.1.1.2
ip route 10.1.5.0 255.255.255.0 10.1.1.2
ip route 10.1.6.0 255.255.255.0 10.1.1.2
ip route 10.1.7.0 255.255.255.0 10.1.1.2
ip route 10.1.8.0 255.255.255.0 10.1.1.2
ip route 10.1.9.0 255.255.255.0 10.1.1.2
ip route 10.1.10.0 255.255.255.0 10.1.1.2
ip route 10.1.11.0 255.255.255.0 10.1.1.2
ip http server
--More--
control-plane
line con 0
stopbits 1
line vty 0 4
end
Please i need somebody to help meI wouldn't configure an ip address on the service engine subinterface.
Try setting up a vlan interface on the router with that ip address and the subinterface will be linked to the vlan interface through the encapsulation command. A vlan interface will better work as a gateway for the wireless clients
Nicolas -
I need to autheticate my clients connecting via wireless.
clients have user certificate installed on them, i need help configuring the ACS to do the authentication.
can some one please help me with the steps.
ThanksTwo primary steps
- define the trust certificates needed to verify the clients user certificates
Users and Identity Stores > Certificate Authorities
- change result of identity policy to select a certificate authorization profile. If have the defautl config
Access Policies > Access Services > Default Network Access > Identity
by default can select the "CN Username" as a result -
ISE Profiling for Wireless Devices (WLC 5508) like Laptops and Mobile Devices
Hi,
We have integrated WLC 5508 to cisco ise 3315 with ios 1.1.1 and using Guest Sponsor portal for wireless guest users.
Where we have created open ssid in wlc and redirect web login portal in wlc for guest users. We have enable all respective node in policy service for profiling and also configure snmp in wlc as well as in ise.
When guest user is connected to open ssid its get redirected to web login page of ise portal and when it gets login we are only able to see the username which guest user login but not the end device in monitoring log.
Wireless End devices are not able to get profiled can any one tell me what configuration I need to do on ise or wlc side to profiled end guest wireless device like android,iphone and laptops
Thanks
PranavHi Tarikh,
I only want to identify the end devices for wilress guest user. I have configured MAB Authentication and configure autorization policy where in mention identity group any condition as wlc web authentication and athorization profile only guest mentioning plain access for the same.
Can you help me how I can achived profiling for wirless guest devices. I have configured all profiling probes . Enable snmp on wlc as well as in network devices.
What else I need to configured to achived just identiting device nothing but profiling and which should reflect in authnetication logs.
Thanks
Pranav -
Best Wireless Auth. methods ACS 3.2(3) and AD
I am new with ACS and wirless authentication. Have just deployed my ACS 3.2 for Windows, and am trying to select the best methods of authentication for my invironment. I have determined my risk level to be low to medium. I would consider MAC based Auth. to be sufficient for users that don't support LEAP or similar Proto. I have a mixed OS base from Win98, 2000 and XP and MacOS 9.2 to MacOSX, I have AD setup for the external database, and it is working with ACS to allow Radius Auth. on my AP1100G Access Points. My questions are these.
1- What is the best practice for setting up the MAC address auth.? Do I creat a text list, ACS records, SQL database, or can it be done in AD in some way?
2- Is Leap the best Auth. Protocol considering my needs? Is there one that would be less difficult to set up but offer low to medium security I need.
3- I am a little confussed by the config that needs to exhist on the Aironet 1100 series AP. What would be a good document/s for the configuration of these devices?
Eric Bodily
Idaho Falls School District 91
Network AdministratorI have no issues running Cisco ACS version 3.2 on Windows
Server 2003 with SP2:
1) create user test1 in MS Active Directory and put test1
in users group with dial-in access granted,
3) Create a group called "LDAP". Actually I renamed
group name "group 1" to "LDAP".
3) in ACS external user database configuration, I specified
domain "CCIE" as for this. unknow user policy is to use
Windows Database configuration,
4) Configure the database configuration in ACS to point
to "CCIE" windows domain,
5) setup the ACS to authenticate one of your Cisco devices
and log in using the MS windows account,
By the way, mgurwara, you are wrong. I run Cisco
ACS 3.2 on windows 2003 Enterprise Edition with Service
Pack 2. I am running it on a Dell Optiplex Gx240
(1.7 GHz with 512MB of RAM) and it is running fine.
I use it to manage about 20 cisco devices and
about 200 Wireless LEAP user(s). Furthermore, I am also
running ACS 4.1 on another identical hardware. It has
nothing to do with the hardware. I don't know where
you get that information from. -
Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510
I need to add guest (internet only) wireless to our existing internal wireless and am looking for advice as to the best practice configuration. Existing infrastructure as follows:
WLC 2504
1142 LAPs
4510R+E
ASA 5510
Existing configuration as follows:
WLC management interface and APs addressed on the 192.168.126.0 /25 network
Internal WLAN mapped to the management interface
Management interface VLAN ID 0 (untagged) and dynamic AP management enabled
WLC port 1 (only) connected to 4510 via trunk with native VLAN set to 7 and allowed VLAN set to 7
4510 connected to ASA inside interface (security level 100)
Switchport on 4510 connected to ASA configured as switchport access VLAN 99 (our internet VLAN)
ASA inside interface NOT configured for subinterfaces and is addressed on the 192.168.121.0 /25 network
What is the best way to add guest wireless to our existing configuration?
Note: I need the guest wireless to be filtered by Websense as our internal wireless is
Any advice would be greatly appreciated!Thank for the reply Scott. The configuration recommendations from Yahya did not work. I set up as he recommended and also added a dhcp scope on the wlc. Client gets dhcp but cannot even ping the wlc much less anything else. Yahya stated above to configure port 2 on the wlc to an access port on my 4510. Aren't all connections from the wlc supposed to be trunk links to the switch? Shouldn't I just leave the management interface on the wlc untagged and add a dynamic interface for each wlan and tag it with the approriate vlan id? And then leave the (one) physical connection on the wlc (port 1) connected to a trunk link on the 4510 that allows the required vlans?
Any input would be greatly appreciated...
JW -
Cisco WLC + ACS + AD for Machine AND User auth...
So I am trying to implement an SSID that requires a machine to be a domain member, AND require the user to provide username/password credentials before being allowed on that SSID.
I am reading that it is possible, but can't find a clear config on how it is supposed to be setup... read about Machine Access Restrictions as being part of the config.
Any help here?
WLC 7.6 and ACS 5.5
-gWe are testing ISE with EAP chaining. It allows you to validate the company device (laptop) is joined to the domain and then the user credentials. However this requires EAP-FAST and the Cisco Anyconnect client. There is a group set up to look at EAP-TEAP. This will allow for standardize "chaining"
http://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-01#page-5 -
WLC - ACS TACACS+ mismatch shared secred
Hello,
I confgured TACACS+ Authentication on WLC 5.0.235.3 for management login.
On ACS 5.1.0.44 I get the message
"13011 invalid tacacs+ request packet - possibly mismatched shared secrets"
after login.
I compared the shared secrets (blanks) or created new secrets, the message still appears.
Some ideas?
Regard SvenHello David,
WLC Version is 7.0.235.3, sorry.
Authentication on WLC and ACS use TACACS not Radius.
On ACS:
Authentication Result
Type=Drop
Authen-Reply-Status=Error
Steps
Received TACACS Authentication START Request
Invalid TACACS request packet - possibly mismatched shared secrets
Output from WLC:
(Cisco Controller) >debug aaa tacacs enable
(Cisco Controller) >*tplusTransportThread: Feb 06 11:37:46.720: Exhausted all available servers for Auth/Author packet
*tplusTransportThread: Feb 06 11:53:34.728: Forwarding request to 10.54.159.11 port=49
*tplusTransportThread: Feb 06 11:53:34.732: AUTH Socket closed underneath
*tplusTransportThread: Feb 06 11:53:39.948: No auth response from: 10.54.159.11, retrying with next server
*tplusTransportThread: Feb 06 11:53:39.948: Preparing message for retransmit. Decrypting first
*tplusTransportThread: Feb 06 11:53:39.948: Forwarding request to 10.54.159.12 port=49
*tplusTransportThread: Feb 06 11:53:39.951: AUTH Socket closed underneath
*tplusTransportThread: Feb 06 11:53:45.164: No auth response from: 10.54.159.12, retrying with next server
*tplusTransportThread: Feb 06 11:53:45.164: Preparing message for retransmit. Decrypting first
*tplusTransportThread: Feb 06 11:53:45.164: Forwarding request to 10.54.159.11 port=49
*tplusTransportThread: Feb 06 11:53:45.166: AUTH Socket closed underneath
*tplusTransportThread: Feb 06 11:53:50.380: Exhausted all available servers for Auth/Author packet
(Cisco Controller) >*tplusTransportThread: Feb 06 11:55:55.564: Forwarding request to 10.54.159.11 port=49
*tplusTransportThread: Feb 06 11:55:55.566: AUTH Socket closed underneath
*tplusTransportThread: Feb 06 11:56:00.780: No auth response from: 10.54.159.11, retrying with next server
*tplusTransportThread: Feb 06 11:56:00.780: Preparing message for retransmit. Decrypting first
*tplusTransportThread: Feb 06 11:56:00.780: Forwarding request to 10.54.159.12 port=49
*tplusTransportThread: Feb 06 11:56:00.783: AUTH Socket closed underneath
*tplusTransportThread: Feb 06 11:56:05.996: No auth response from: 10.54.159.12, retrying with next server
*tplusTransportThread: Feb 06 11:56:05.996: Preparing message for retransmit. Decrypting first
*tplusTransportThread: Feb 06 11:56:05.996: Forwarding request to 10.54.159.11 port=49
*tplusTransportThread: Feb 06 11:56:05.998: AUTH Socket closed underneath
(Cisco Controller) >show tacacs ?
acct TACACS+ accounting server.
athr TACACS+ authorization server.
auth TACACS+ authentication server.
summary Displays TACACS+ summary.
(Cisco Controller) >show tacacs summary
Authentication Servers
Idx Server Address Port State Tout
1 10.54.159.11 49 Enabled 5
2 10.54.159.12 49 Enabled 5
Authorization Servers
Idx Server Address Port State Tout
Accounting Servers
Idx Server Address Port State Tout
(Cisco Controller) >show tacacs auth ?
statistics Displays TACACS+ authentication server statistics.
(Cisco Controller) >show tacacs auth stat
Authentication Servers:
Server Index..................................... 1
Server Address................................... 10.54.159.11
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 24
Retry Requests................................... 0
Accept Responses................................. 0
Reject Responses................................. 0
Error Responses.................................. 0
Restart Responses................................ 0
Follow Responses................................. 0
GetData Responses................................ 0
Encrypt no secret Responses...................... 0
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Timeout Requests................................. 24
Unknowntype Msgs................................. 0
Other Drops...................................... 0
Server Index..................................... 2
--More-- or (q)uit
Server Address................................... 10.54.159.12
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 0
Retry Requests................................... 0
Accept Responses................................. 0
Reject Responses................................. 0
Error Responses.................................. 0
Restart Responses................................ 0
Follow Responses................................. 0
GetData Responses................................ 0
Encrypt no secret Responses...................... 0
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Timeout Requests................................. 24
Unknowntype Msgs................................. 0
Other Drops...................................... 0 -
Restricting Wireless Access using ACS 3.3
We are currently running ACS 3.3 and I am trying to figure out how to restrict Wireless access to specific user groups. Our current setting is using PEAP and ACS as the Radius. Our user database is mapped to Windows 2003 AD. I've got the PEAP working and the radius authentication is also working but I cannot seem to figure out how to restrict the wireless access to specific Windows/ACS groups.
ErikHi,
On ACS 3.3.x You can certinly achive this, al you have to do is configure NAR( Network Access Restriction) Here is the link which should provide you further informatio on it.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
-Parm -
Wireless 5508 WLC's in a Mobility Group
All,
Scenario: Would like redundancy on 2 x 5508's but unable to utilise HA (SSO) due to internal WLC DHCP requirements.
Mobility groups - Can 2 controllers in the same mobility group share a DHCP scope? I.E overlapping addresses or would the scope need to be split across controllers?
If scopes are slit hat happens to DHCP requests once the primary DHCP server has allocated all leases? Also what happens if a clients joined controller A receives valid IP address then controller A goes off line? AP's re-establish with controller B but client has invalid scope IP?
Cheers,
JayHi,
Actually in the Mobility Group you enable the user to move form one WLC APs coverage to other WLC APs coverage with same client IP configuration.. so if we make groups then obviously we should make different DHCP scope to avoid network address range exhausted.
As far as controller A is up, IP configuration on wireless client would be remain same, but if your controller A goes off then the client will acquire the new IP from different DHCP scope which is assigned to controller B. -
Wireless Design - WLC Configuration
Soon to be working on a design for a Wireless installation across one of our buildings. The wireless survery has been completed, and we'll be installing 175 APs, across the 3 floors of the
building.
With regards to the back-end WLC setup, I have a few queries around the WLC configuration. We're looking at implementing the 4400 series of devices, and due to us having nearly 200 APs, we'll need at least 2 x 4404 or 4 x 4402 - I'm assuming its simpler to have fewer devices to make management simpler.
Also, looking at the Cisco reference material, they recommend that a 4404 can support up to 100 APs, with regards configuring the ports on the box, would I need to configure LAG across the WLC
ports in order for it to accomodate all of the Access Points. If we were to go with a scenario of using 2 x 4404 devices, would we be in a position whereby if we lost a Controller, we'd lose
all of the Access Points associated with that Controller? In order for us to have full resiliency, we'd need an additional 4404 controller for the APs to failover on too?
From a licensing perspective, we'll be purchasing a licence to cover 200 APs.
TIADo you think that the phone carrier change the Android OS kernel and removed the proxy setting option before they sell it to consumers? If it's so why would they do such thing?
As far as I'm aware, no. Phone carriers don't care about wi-fi proxy. They won't make any money if they do and they equally won't make money if they don't. This "proxy" issue came straight from the developers of the Android OS themselves. It's been highlighted since day one of the Android release. This is why some browsers have incorporated proxy settings to their application because the Android OS developers are not interested to fix this shortfall.
RE: iPhone and iPad users if you use Windows proxy server and intergrated Windows authentication is enabled the credential should not be prompted for user if it's already entered in their devices.
Unfortunately, I don't have the details with me right now but I'll try to see if I still have this information when I go back to work. -
WLC / ACS / AD - Domain and non-Domain Laptops (802.1X / PEAP)
Hi All,
I'm implementing a solution based around 4404 WLC, 1113 ACS and Microsoft AD. What I want to achieve is have two WLAN (SSID), one that can only be used by domain users on domain laptops, the other can be used by domain users on personal laptops. The domain laptops will have full connectivity but the personal laptops will be restricted.
I've created the two SSID using 802.1X via ACS / Remote Agent and can authenticate and logon OK.
I thought that I should have user auth and machine auth for the domain laptops but just user auth for personal laptops.
I can have non authenticated machines go to a specific ACS group or blocked but I need to allow them if they're on the restricted SSID. I can't quite figure out how to have two SSIDs authenticating to the same ACS / AD - allow one and block the other.
Am I on the right path?
Anyone done this before or have any bright ideas?
Cheers,
JohnWith the use of SSID-based WLAN access, the users can be authenticated based on the SSID they use in order to connect to the WLAN. The Cisco Secure ACS server is used to authenticate the users. Authentication happens in two stages on the Cisco Secure ACS:
1. EAP authentication
2. SSID authentication based on Network Access Restrictions (NARs) on Cisco Secure ACS
For the further description and configuraiton following URL may help you :
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
Maybe you are looking for
-
Good pdf viewer with different functionalitites
Hello folks, I am looking for a good pdf viewer (would be nice if it could support pdf editiing) to view same pdf document at the same time. Document viewer is good enough but when I want to view the same pdf file which is already open with Document
-
How can I get my new iphone to be recognized in devices in itunes
I just got the new iphone 4S and when I plug it into my mac to sync, its not being recognized in "Devices" in itunes, for me to sync. How can I get itunes to find the iphone thats connected?
-
My itunes opened up in german today. how do i get it back to engllish?
-
Operating with multiple versions of Photoshop
I have Photoshop CS4, CS 5.1 and have recently upgraded to Photoshop CS6. I also own Elements 12. I would like to uninstall previous versions of Photoshop (they are all currently still installed) but I am uncertain if the uninstall might remove a m
-
Build yields a folder with file, not a .aip file
Hi Everyone, I'm using Xcode 3.1.2 and trying to complete the HelloWorld example from the "Getting Started With Adobe Illustrator CS4 Development" guide. I was able to get the program to compile (after figuring out some errors with 32bit long unsign