Wireless Rate Limiting via Radius

We have a setup with 1 SSID in the air, authentication via LDAP.
One user logs in as aaa to VLAN 51,
another user logs in as bbb to VLAN 52.
I want to set up different rate limiters for those users. As I know, there are 2 methods of rate limiting available in the WLC:
a) per user in the same SSID
b) per SSID for any user
In this case there is only one WLAN, so we can't use b, as I don't want all users to get the same bandwidth contract. Rate limiting method a isn't useful for us, because I want to separate employee / guest / admin bandwidth limits.
How can I overcome this case?

For the first question:
What do you mean by "maybe depends on your equipment"?
For the second question:
Sorry, it has to be "VLAN" assignment, and I have found the solution.
As I read:
IETF 64 (Tunnel Type)—Set this to VLAN.
IETF 65 (Tunnel Medium Type)—Set this to 802
IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID.
Three types of attributes have to be returned from the LDAP server. Do all three of these have to be returned, or is just the Private Group ID enough?
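The three IETF attributes listed above are defined in RFC 2868, and RFC 3580 describes VLAN assignment as all three together: Tunnel-Type = VLAN (13), Tunnel-Medium-Type = 802 (6) and Tunnel-Private-Group-ID carrying the VLAN ID as a string. The Python below is an added example, not code from this thread or from any vendor: it encodes that triple with the RFC 2868 tag byte, encodes an RFC 2865 Vendor-Specific attribute for the vendor code 14179 that a later post in this thread quotes for the WLC (the sub-attribute numbers for per-user policy come from the vendor's RADIUS dictionary and are not on this page, so the function takes the number as a parameter), and on the receiving side accepts a VLAN only when the whole triple is present under one tag, which is the check a NAS should make before trusting a lone Tunnel-Private-Group-ID. The attribute numbers and values are the IANA assignments; the function names are my own.

```python
"""Encode and validate the RFC 2868 tunnel attributes used for dynamic VLAN
assignment, plus the RFC 2865 Vendor-Specific wrapper a WLC-specific policy
attribute rides in.  Added example, not code from the thread or any vendor."""
import struct

# IETF attribute numbers (RFC 2868) and the values RFC 3580 fixes for VLANs
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = 802
VENDOR_SPECIFIC = 26
VENDOR_AIRESPACE = 14179       # vendor code quoted in the thread for the WLC


def _check_tag(tag):
    if not 0 <= tag <= 0x1F:     # RFC 2868: 0 = untagged, 1..31 = tunnel group
        raise ValueError("tag must be 0..31")


def tagged_integer(attr_type, value, tag=1):
    """type | length=6 | tag | 3-byte value (the tag takes one byte of the int)."""
    _check_tag(tag)
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("value must fit in 24 bits")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type, text, tag=1):
    """type | length | tag | string (Tunnel-Private-Group-ID carries the VLAN ID)."""
    _check_tag(tag)
    data = text.encode("ascii")
    if 3 + len(data) > 255:
        raise ValueError("attribute too long")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def vendor_specific(vendor_id, vendor_type, value):
    """RFC 2865 Vendor-Specific: 26 | length | vendor-id | sub-type | sub-len | value.
    vendor_type is whatever number the vendor's dictionary assigns (not on the page)."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(inner), vendor_id) + inner


def vlan_assignment(vlan_id, tag=1):
    """The complete triple, sharing one tag so the NAS treats it as one tunnel."""
    return (tagged_integer(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tagged_integer(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))


def parse_attributes(data):
    """Split a RADIUS attribute list into (type, value_bytes) pairs."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def _split_tag(value):
    """Separate the optional tag byte; a first byte > 0x1F belongs to the value."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def extract_vlan(data):
    """VLAN ID the server assigns, or None when the triple is incomplete or
    inconsistent (e.g. only Tunnel-Private-Group-ID, or mismatched tags)."""
    by_tag = {}
    for attr_type, value in parse_attributes(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                return None
            tag, raw = _split_tag(value)
            by_tag.setdefault(tag, {})[attr_type] = int.from_bytes(raw, "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, raw = _split_tag(value)
            by_tag.setdefault(tag, {})[attr_type] = raw.decode("ascii", "replace")
    for group in by_tag.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return group[TUNNEL_PRIVATE_GROUP_ID]
    return None
```

Grouping by tag matters when a server returns more than one tunnel candidate in the same Access-Accept: RFC 2868 allows several tagged sets, and a receiver that matched attributes by position alone could pair a Tunnel-Type from one set with the group ID of another.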

Similar Messages

  • Authentication via RADIUS : MSCHAPv2 Error 691

    Hello All,
    I am working on setting up authentication into an Acme Packet Net-Net 3820 (SBC) via RADIUS. The accounting side of things is working just fine with no issues. The authentication side of things is another matter. I can see from a packet capture that the access-request
    messages are in fact getting to the RADIUS server at which point the RADIUS server starts communicating with the domain controllers. I then see the chain of communication going back to the RADIUS and then finally back to the SBC. The problem is the response
    I get back is always an access-reject message with a reason code of 16 (Authentication failed due to a user credentials mismatch. Either the user name provided does not match an existing user account or the password was incorrect). This is confirmed by looking
    at the security event logs where I can see events 4625 and 6273. See the events below (Note: The names and IPs have been changed to protect the innocent):
    Event ID: 6273
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
    Security ID:
    NULL SID
    Account Name:
    real_username
    Account Domain:
    real_domain
    Fully Qualified Account Name:
    real_domain\real_username
    Client Machine:
    Security ID:
    NULL SID
    Account Name:
    Fully Qualified Account Name:
    OS-Version:
    Called Station Identifier:
    Calling Station Identifier:
    NAS:
    NAS IPv4 Address:
    10.0.0.10
    NAS IPv6 Address:
    NAS Identifier:
    radius1.real_domain
    NAS Port-Type:
    NAS Port:
    101451540
    RADIUS Client:
    Client Friendly Name:
    sbc1mgmt
    Client IP Address:
    10.0.0.10
    Authentication Details:
    Connection Request Policy Name:
    SBC Authentication
    Network Policy Name:
    Authentication Provider:
    Windows
    Authentication Server:
    RADIUS1.real_domain
    Authentication Type:
    MS-CHAPv2
    EAP Type:
    Account Session Identifier:
    Logging Results:
    Accounting information was written to the SQL data store and the local log file.
    Reason Code:
    16
    Reason:
    Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
    Event ID: 4625
    An account failed to log on.
    Subject:
    Security ID:
    SYSTEM
    Account Name:
    RADIUS1$
    Account Domain:
    REAL_DOMAIN
    Logon ID:
    0x3E7
    Logon Type: 3
    Account For Which Logon Failed:
    Security ID:
    NULL SID
    Account Name:
    real_username
    Account Domain:
    REAL_DOMAIN
    Failure Information:
    Failure Reason:
    Unknown user name or bad password.
    Status:
    0xC000006D
    Sub Status:
    0xC000006A
    Process Information:
    Caller Process ID:
    0x2cc
    Caller Process Name:
    C:\Windows\System32\svchost.exe
    Network Information:
    Workstation Name:
    Source Network Address:
    Source Port:
    Detailed Authentication Information:
    Logon Process:
    IAS
    Authentication Package:
    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Transited Services:
    Package Name (NTLM only):
    Key Length:
    0
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on the system requested the logon.
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    So at first glance it would seem that the issue is merely a case of an invalid username or mismatched password. This is further confirmed in the packet capture where I can see the MSCHAPv2 response has an error code of 691 (Access denied because username or
    password, or both, are not valid on the domain). The thing is I know I am using a valid username and I have tried many usernames including new ones I created just for troubleshooting. I don't know how many times I have reset the password in an attempt to ensure
    it is not a mismatch password. I have even made sure to use passwords that are fairly short and contain only letters to ensure there was no terminal encoding issues (we connect to the SBC via SSH clients). I have also done this same thing with the shared secret
    used during communication between the SBC and the RADIUS server. I have tried prefixing the username with the domain name at login (though I don't think that should be necessary). I have also tried using the full UPN of the user to login. I have tried several
    RADIUS testing clients (NTRadPing, RadiusTest, etc.), but they either don't support MSCHAPv2 or only support EAP-MSCHAPv2. I have even created my own client using PHP's PECL RADIUS module. Still it always seems to fail with the MSCHAPv2 authentication with
    an error code of 691. Does anyone have any ideas as to why I always get an invalid username or bad password response when I have done everything possible to ensure that is not the case?
    Here are the specs for our RADIUS configuration:
    Windows Server 2012 R2
    SQL Server 2012 Back End Database for accounting.
    The server has been authorized on the domain and is a member of the "RAS and IAS Servers" group. For which that group does have access to the accounts we are testing with.
    The accounts we are testing with do have the "Control access through NPS Network Policy" option checked under their "Dial-in" property tab.
    RADIUS clients configured to simply match on the IP address which you can see from the events above that it is applying the client friendly name.
    Connection Request Policy: The "SBC Authentication" policy is being applied as seen above. The only condition is a regex expression that does successfully match the friendly name.
    Network Policy: As seen in events above, none are getting applied. For troubleshooting purposes I have created a Network Policy that is set to "1" for the processing order and its only condition is a Day and Time Restriction currently set to any
    time, any day.
    The authentication method is set to only MSCHAPv2 or MSCHAPv2 (User can change password after it has expired). I have tried adding this to just the Network Policy and I have also tried adding this to the Connection Request Policy and setting it to override
    the authentication method of the Network Policy.
    We do have other RADIUS servers in our domain that use PEAP to authenticate wireless clients and they all work fine. However, we need this to work with MSCHAPv2 only (No EAP).
    All other configurations are set to the defaults.
    The only other things of note to consider are the fact that in the events above you can see that the Security ID is "NULL SID". Now I know this is common especially among failed logons but given that this issue is stating an invalid username or
    bad password, perhaps it matters in this case. Also, this server has been rebuilt using the same computer account in Active Directory. I do not know if it would have worked before the rebuild. Essentially we built this server and only got as far as authorizing
    the server to the domain and adding SQL when we decided to separate out the SQL role onto another server. Rather than uninstalling SQL we just rebuilt the machine. However, before reinstalling Windows I did do a reset on the computer account. I don't think
    this should matter but thought I would point it out if there is some weird quirk where reusing the same SID of a previously authorized NPS server would cause an issue.
    All in all it is a fairly basic setup and hopefully I have provided enough information for someone to get an idea of what might be going on. I hope this was the right forum to post this to, I figured there would be a higher number of RADIUS experts here than
    any of the other categories. Apologies if my understanding of this seems a bit basic, after all, when it comes to RADIUS servers I guess you could say I'm the new guy here.

    Update 1:
    In an attempt to further troubleshoot this issue I have tried bringing up additional servers for testing. Here are the additional tests I have performed.
    Multiple Domains
    I have now tried this in 3 different isolated domains. Both our test and production domains as well as my private home domain which has very little in the way of customizations aside from the modifications made for Exchange and ConfigMgr. All have the same
    results described above.
    VPN Service
    Using Windows Server 2012 R2 we brought up a separate server to run a standard VPN setup. The intent was to see if we could use RADIUS authentication with the VPN and if that worked we would know the issue is with the SBCs. However, before we could even
    configure it to use RADIUS we just attempted to make sure it worked with standard Windows Authentication on the local VPN server. Interestingly, it too fails with the same events getting logged as the RADIUS servers. The client machine being a Windows 8.1
    workstation. Again I point out that we have working RADIUS servers used specifically for our wireless environment. The only difference between those RADIUS servers and the ones I am having problems with is that the working wireless servers are using PEAP instead
    of MSCHAPv2.
    FreeRADIUS
    Now I'm no Linux guru but I believe I have it up and running. I am able to use ntlm_auth to authenticate users when logged on to the console. However, when the radiusd service tries to use ntlm_auth to do essentially the same thing it fails and returns the
    same message I've been getting with the Windows server (E=691). I have the radiusd service running in debug mode so I can see more of what is going on. I can post the debug info I am getting if requested. The lines I am seeing of particular interest however
    are as follows:
    (1) ERROR: mschap : Program returned code (1) and output 'Logon failure (0xc000006d)'
    (1) mschap : External script failed.
    (1) ERROR: mschap : External script says: Logon Failure (0xc000006d)
    (1) ERROR: mschap : MS-CHAP2-Response is incorrect
    The thing to note here is that while we are essentially still getting a "wrong password" message, the actual status code (0xc000006d) is slightly different than what I was getting on the Windows Servers which was (0xc000006a). From this document
    you can see what these codes mean:
    NTSTATUS values . The good thing about this FreeRADIUS server is that I can see all of the challenge responses when it is in debug mode. So if I can wrap my head around how a MSCHAPv2 response is computed I can compare it to see if this is simply a miscomputed
    challenge response. Update: Was just noticing that the 6a code is just the sub-status code for the 6d code. So nothing different from the Windows Servers, I still wonder if there is a computation error with the challenge responses though.
    Currently, I am working on bringing up a Windows Server 2008 R2 instance of a RADIUS server to see if that helps at all. However, I would be surprised if something with the service broke between W2K8 R2 and W2K12 R2 without anyone noticing until now. If this
    doesn't work I may have to open a case with Microsoft. Update: Same results with W2K8 R2.
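The two events quoted in the post are easy to read once and tedious across hundreds of rejects. The Python below is an added example, not code from the post or from Microsoft: it parses the copy-as-text layout Event Viewer produces (the "Label:" / value-on-the-next-line layout shown above, where a label directly followed by another label is an empty field) and reduces each event to the fields that explain a RADIUS reject: the account, the NAS address, the NPS reason code from event 6273, and the NTSTATUS status/sub-status from event 4625 (0xC000006D STATUS_LOGON_FAILURE with sub-status 0xC000006A STATUS_WRONG_PASSWORD is the pair the post observed). The two sample events are constructed with placeholder names and documentation addresses; the label regex and function names are my own.

```python
"""Reduce Windows Security events 6273 (NPS reject) and 4625 (logon failure),
pasted as text, to the fields a RADIUS troubleshooter needs, and decode the
NTSTATUS codes.  Added example; the sample events are constructed."""
import re

# Well-known NTSTATUS logon-failure codes from ntstatus.h
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# A field label is "Words:" with an optional inline value; at least two
# characters before the colon, so "C:\Windows\..." is not mistaken for a label.
LABEL_RE = re.compile(r"^([A-Za-z][\w \-()/]+):\s*(.*)$")


def parse_event(text):
    """Return (label, value) pairs.  Event Viewer puts most values on the line
    after the label; a label directly followed by another label is empty."""
    lines = [ln.strip() for ln in text.splitlines()]
    pairs, i = [], 0
    while i < len(lines):
        m = LABEL_RE.match(lines[i])
        if m:
            label, value = m.group(1).strip(), m.group(2).strip()
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            if not value and nxt and not LABEL_RE.match(nxt):
                value, i = nxt, i + 1       # value sits on the following line
            pairs.append((label, value))
        i += 1                              # unlabeled lines are description text
    return pairs


def first(pairs, label, after=None):
    """First non-empty value under `label`, optionally only after the section
    header `after` (labels such as Account Name repeat in every section)."""
    start = 0
    if after is not None:
        start = next((i + 1 for i, (l, _) in enumerate(pairs) if l == after), 0)
    return next((v for l, v in pairs[start:] if l == label and v), None)


def summarize(text):
    """Pick out the fields that explain a reject; None means the field was empty."""
    pairs = parse_event(text)
    event_id = int(first(pairs, "Event ID"))
    out = {"event_id": event_id}
    if event_id == 6273:
        out["account"] = first(pairs, "Account Name", after="User")
        out["nas_ip"] = first(pairs, "NAS IPv4 Address")
        out["auth_type"] = first(pairs, "Authentication Type")
        out["network_policy"] = first(pairs, "Network Policy Name")   # None: none matched
        out["reason_code"] = int(first(pairs, "Reason Code"))
    elif event_id == 4625:
        out["account"] = first(pairs, "Account Name", after="Account For Which Logon Failed")
        out["logon_process"] = first(pairs, "Logon Process")
        for key in ("Status", "Sub Status"):
            code = int(first(pairs, key), 16)
            out[key.lower().replace(" ", "_")] = (code, NTSTATUS.get(code, "unknown"))
    return out


# Constructed samples in the layout of the two events quoted in the post
EVENT_6273 = """\
Event ID: 6273
Network Policy Server denied access to a user.
User:
Security ID:
NULL SID
Account Name:
jdoe
Client Machine:
Account Name:
NAS:
NAS IPv4 Address:
192.0.2.10
Authentication Type:
MS-CHAPv2
Network Policy Name:
Reason Code:
16
"""

EVENT_4625 = """\
Event ID: 4625
An account failed to log on.
Subject:
Account Name:
RADIUS1$
Logon Type: 3
Account For Which Logon Failed:
Security ID:
NULL SID
Account Name:
jdoe
Status:
0xC000006D
Sub Status:
0xC000006A
Caller Process Name:
C:\\Windows\\System32\\svchost.exe
Logon Process:
IAS
"""
```

The empty "Network Policy Name" in the 6273 summary is itself a finding: NPS evaluated the request but no network policy matched, which is what the post reports.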

  • WLC Management Admin via RADIUS

    I am trying to have a management user authenticate via radius and have full admin privileges.
    For a WCS I can simply set the radius attribute of "Cisco-AVPair.attr|Wireless-WCS:role0=Admin" and that user will get full admin rights. I found this doc to grant a user lobby admin:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080871921.shtml
    but it is specific to using the Cisco ACS as a radius server. What attributes do I need to set for a user to get full admin rights to a WLC when authenticating via radius?  Thanks.

    My problem: I have a local management user profile defined on my WLC and it works fine when the Priority Order is set to LOCAL.  When I change the Priority Order to make RADIUS first and LOCAL second, I can't get logged into the WLC using CLI, GUI, or the console.  The last time this happened I had to reset the WLC and start over.  I don't want to do that again, so I need some way to get into the WLC.
    Once I can get back into the WLC I would prefer using Active Directory to authenticate the management user, but that doesn't seem to work.  My RADIUS acts as a front end for the Active Directory database and works well for many of our Cisco LAN switches and routers. Now I'm trying to set up the WLC to authenticate the management user with RADIUS.  I have set the RADIUS (MS IAS) to return two attributes:
    1. Vendor-Specific -Vendor Code 14179, Value=management
    2. Service-Type - Value=Login
    When I try to login using my AD account, the RADIUS server log shows an Access Request record, then an Access-Accept record that makes it appear RADIUS has successfully authenticated the user.  But the login prompt for the GUI comes back as if it has failed.  Same with the CLI login.  Now I can't get logged into the WLC.  How can I get into the box to manage it again?
    Thanks

  • Current outbound rate limiting capabilities

    Hello All,
    I have recently reviewed this thread from back in January-March: https://supportforums.cisco.com/thread/2002325?tstart=60 .  I have been facing the same predicament described by people in this thread.  That being end user machines get compromised and then send out large volumes of spam via legitimate accounts on our servers.  In our cases, the outbound from addresses have all been the actual user address.  The end user environment is ActiveDirectory & Exchange.
    If I cannot rate limit based on a sender address, then I am wondering if the 370D model would allow me to somehow define virtual gateways which would correspond to users found within a specific portion of my Active Directory environment.  For example, if all sales dept. staff were within a single AD OU, could I create a virtual gateway that corresponds to just these people and have that gateway set with different rate limits than another gateway which corresponds to a different group of users?
    Lastly, is it possible with any of the appliance models to define specific outbound rate limits for recipient domains?  For example, messages destined for hotmail.com would have a different rate limit than messages destined for gmail.com.  Would this functionality work with mixed recipient domains in the To: field?
    Thanks,

    Yes, you can define an outgoing mail policy or outgoing content filter based on the sender's LDAP group (e.g. CN=West,OU=Sales,....) and then use the filter action "Deliver from IP interface" to choose to deliver the emails from the selected IP interface.
    You can define a delivery rate limit based on destination domain under 'Mail Policies'-'Destination Controls'.
    I recommend enabling antispam scanning for outgoing emails. You can add a custom header if the message is positively-identified spam. Then you can use an outgoing content filter action to redirect spam to be delivered from another IP interface or another mail host if the outgoing message contains the custom header. This can allow good and bad emails to be delivered from different IP interfaces.

  • Wireless rate limit

    Hi,
    My network infrastructure as simple as following:
    LAN(edge switches 3560).......>Aggregator switch(3750)........>Firewall(ASA 5510)........>Router.......>Internet
    I define 3 wireless VLANs with 3 SSIDs on the Aggregator switch(3750):
    1. one SSID for company employees.
    2. one SSID for wireless IP phones.
    3. one SSID for company guest which access only internet.
    And the wireless APs connected to the LAN(edge switches) direct with trunks.
    My question is how to apply a rate limit for SSID for company guest to access internet with B.W. of 128kbps only.
    I tried policy map to be applied on the aggregator switch(3750) on the VLAN interface, but, it is not working.
    So, any suggested help, please.

    Hi Ahmed:
    With autonomous APs, rate limiting isn't possible.  All the autonomous APs support is QoS and that's pretty iffy.  At the core of the issue, you're dealing with radio waves and which ones arrive at the radio first, and who was prevented from talking because someone else was talking.  Dealing with these QoS and traffic shaping/policing issues is really tough with wireless because the transmission medium itself is unreliable.
    The "Configuring QoS" chapter of the autonomous AP configuration guide
      http://tools.cisco.com/squish/5aCf1
    will show you how you can map priority tagging to an SSID so that in that path from radio receiver to outbound on the fastethernet interface toward the rest of the network, you can control which SSID's packets get up into the network first, but the reverse path is a different story.  Because the wireless medium is half-duplex acknowledged, you can have a high priority packet out there on the radio interface trying to be beamed out to the client, and if the client isn't sending their ACK or what have you, it's going to sit and retry until its 63 retries are done before it gets out of the way to let the next high priority packet have a turn at getting transmitted out.
    Once the traffic gets past the edge switch, the fact that it was at one time wireless is irrelevant.  You should look at it as a general "rate limiting one VLAN's traffic over another" and check with the routing protocols or traffic shaping folks.
    Sincerely,
    Rollin Kibbe
    Network Management Systems Team

  • WLC - Rate-limiting with QoS Roles

    We have a large number of locations where we would like to deploy the 2100 series wireless controllers. Among other things, we would like to provide generic rate-limiting to all users (per-user bandwidth limits). This is a hospitality guest access environment and content filtering is really not a concern. We would, however, like to prevent one or a few users from saturating the circuit at the expense of other users. It looks like the WLCs can handle this with a QoS Profile assigned to the guest wlan and bandwidth-limiting QoS Roles applied to each user. The issue we may run into is that web-authentication needs to be disabled. There is another device at these locations that will be providing those services.
    Is it possible to apply a QoS Role by default to all users who associate to a controller without authentication? Also, if anyone has attempted this design model I would greatly appreciate some input on any unexpected or undesirable results you may have noticed.
    I appreciate everyone's help.

    Thanks so much for such a quick response. I may be misunderstanding some of the documentation and would really appreciate some clarity. I am understanding a QoS Profile to be applied to one or more WLANs and all user traffic from clients of those WLANs will fall under the qos policy as a group(bandwidth limitations would be applied to all of the user traffic combined). For example, a profile capping downstream bandwidth at 1544kbps would limit all user traffic from all of the clients associated to that ssid at 1544kbps. If we were to assume some degree of fair bandwidth distribution and there are 10 users receiving traffic at a given time, then each user would receive no more than 154.4kbps. Or, are QoS Profiles actual templates that are applied to each user that associates to that ssid? For instance, if we consider a profile capping 1544kbps downstream applied to a WLAN with 10 users associated. Each user would be able to download up to 1544kbps and the full bandwidth usage for that WLAN would be 15440kbps.
    Thanks again for your help.

  • Virtual WLC 7.5 - AP Enforced Rate Limiting

    In the vWLC 7.5 deployment guide, in the enhancements section, there is a feature called "AP Enforced Rate Limiting".
    But I cannot find any information beyond that.
    Here is the guide:
    http://www.cisco.com/en/US/docs/wireless/controller/technotes/7.5/Cisco_VirtualWirelessController75.html#wp43370
    Looking at how this might be implemented.
    In particular to rate limit traffic by WLAN.
    My understanding is that the Bandwidth Contracts under the WLAN QOS settings do not apply.
    Thanks

    Rate  limiting is enforced at the AP level. It is not possible to enforce  rate limiting at the virtual controller level because per client  downstream rate limiting is not supported for central switching WLANs  when traffic is terminated at the virtual controller.
    Per  client downstream rate limiting is supported if the virtual controller  is a foreign controller tunneling traffic to another controller  platform, for example, a Cisco 5500 Series Wireless LAN Controller.
    Table 3 Rate Limiting with Cisco Virtual Wireless LAN Controller
    Traffic                  FlexConnect Central Switching   FlexConnect Local Switching   FlexConnect Standalone
    Per client Downstream    Not Supported                   Supported                     Supported
    Per SSID Downstream      Supported                       Supported                     Supported
    Per client Upstream      Supported                       Supported                     Supported
    Per SSID Upstream        Supported                       Supported                     Supported
    Please check the below guide which may be helpful for you
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn75.html

  • Rate Limiting - Will Content Engine 590 solve my problem?

    We have a Cache Engine 550 deployed in our network which is great for reducing traffic on the Link to the Internet, however I have now run into a little problem with the device as we are now trying to implement Bandwidth Shaping using the existing Cisco infrastructure and thus the Cisco IOS.
    One of the IOS features concerned is Committed Access Rate (CAR).
    We would like to do some traffic shaping according to certain IP Protocols such as FTP, HTTP as well as rate limiting certain of our customers (IP Blocks) so that they don’t saturate the Serial link to our ISP.
    The problem we have is that the Cache Engine 550 replaces the original requestors IP with its own as it (the CE) now takes over as the requestor to the Internet – thus we have all HTTP traffic via our ISP having the source as that of the Cache Engine.
    Due to this we cannot “Rate-Limit” a particular customer (IP range).
    Question-------
    Does the Content Engine 590 (ACNS, ICDN) enable me to complete my task and control the Serial connection the way I would like to?
    Can I do a sort of “IP Spoofing” so that the original IP is still in place, but the Content Engine still does its job of Caching?
    I have already looked at the Packeteer – unfortunately it only has Ethernet ports.
    The WiseWan 401 with HSSI port looked promising, but I feel that even though it will do great shaping and graphs it will still not solve the problem of a saturated link upstream to the ISP (from the boxes point of view), I will still sit with packets being dropped and thus bandwidth wasted.
    Anyone out there with any other solution?
    Thanks in advance.
    Lutz.

    Hi,
    We have just implemented IP spoofing in version 4.2 of the ACNS (Caching) code, which will only run on a 590/560/507/7320 cache.
    Version 4.2 should be available at the end of July or early August. This will solve your problem with identifying traffic to rate limit.
    Cheers
    Phil

  • Hardware rate-limiter OID

    Hello,
    Are the values supplied by show hardware rate-limiter available via SNMP for the Nexus 7010?
    Thanks!

    Unfortunately, No.
    There is no such OID available.

  • AirPort Extreme Multicast Rate limitation

    I am currently using an iMac G5 which has an AirPort Extreme card with firmware 405.1. I have an AirPort Extreme (802.11n) base station that is running firmware version 7.1.1. My Radio Mode is "802.11n (802.11b/g compatible)." My wireless security is WPA/WPA2 personal.
    When I go into my Wireless Options, my Country is United States, my Transmit power is 100% and my WPA Group Key Timeout is one day. It is not a closed network and I do not use interference robustness.
    When I open the options for "Multicast Rate," the highest available rate is 11 Mbps. From what I understand, wireless G is capable of 56 Mbps (and that is how Apple advertised the Airport Extreme card when I bought it). Why is my multicast rate limited to 11 Mbps and how can I raise it to 56 Mbps?

    I've always been a little foggy on multicast. The apple support article seems to imply that it only matters when "certain audio and video streaming servers or other applications with multicast capability" are on your network. (http://docs.info.apple.com/article.html?path=Airport/5.0/en/ap2087.html)
    What if you don't have one of these multicast servers or applications on your network? Does the multicast rate have any effect on your network performance?
    My understanding is that the answer is YES - regardless of whether you have one of these multicast servers or not, setting your multicast rate to X means that only airport clients that can achieve a speed of X or greater will be able to connect to the base station. If you set it to 1, then you will extend the range of your network. But sometimes, in a WDS, where multiple base stations on the same channel overlap, I find that my clients have trouble deciding which base station to connect to. So actually, it works better to set the rate a little higher. But I am never quite sure if this is true, or if it's just my imagination.
    At any rate (no pun intended) , I'm still foggy on multicast and would really appreciate if someone out there could clear things up or direct me to a link that explains what i need to know (starting with an actual definition of multicast).
    Thanks

  • 702W Access Point and Bi-Directional Rate Limiting

    Has anyone checked whether BDRL (Bi-Directional Rate Limiting) is supported on the relatively new 702W APs?
    I need it to work in FlexConnect mode.
    Thanks,
    Nick

    It is not supported,
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113682-bdr-limit-guide-00.html

  • Trying to connect my wired PC to the wireless airport express via the wireless router.

    Trying to connect my wired PC to the wireless airport express via the wireless router.  TP-link wired/wireless router.  Ultimate goal is to send music from iTunes on PC to wireless router, then to airport, then to receiver.  The amber light is blinking.  Thanks in advance for the help!

    If I'm understanding your need right and your computer has wired access to your network/router, all you have to do is give your AX wireless or wired access to your network too.
    Wired should be easier.  Just use a network cable to connect to the router.  Power up the AX and look for it on AirPort Utility, do so without changing any of your computer settings.  If it's visible, then on iTunes your AX should be visible on the AirPlay icon at the bottom-right corner.
    If you want to connect your AX to your router wirelessly I would suggest to reset your AX settings by pressing and holding for a few secs the reset button next to all the ports.  Once it is reset, using your computer try to look for the wireless network it'll be creating, it should be something like Apple Network 4341eb.  Join that network and, using the AirPort Utility, configure your AX as a network client.  Go to Wireless > Wireless Mode: Join a wireless network.
    Select your router wireless network from the drop-down menu, select the appropriate security and type in your password.  Click update.
    It'll restart and automatically join your network.  Have your computer join back your router network and, again, in iTunes bottom right you should be able to see the AX speakers.
    Let me know if this worked.
    Jorge...

  • Using ISE guest store via RADIUS

    I have a question concerning the guest store on the ISE.
    I would like to establish a guest portal on a WLC (currently running version 7.0.220.0). The guest network shouldn’t have any connection to the company network. So I can’t redirect to the ISE guest portal and have to use the local portal on the WLC and pass the login data to the ISE via RADIUS. Nevertheless I want to use the guest store on the ISE.
    On the ISE I can only select the internal user store as identity source. But this seems not to include the guest user store.
    Has anyone already implemented a similar solution or any idea how to access the guest store?
    Thanks
    Thomas

    I just created a simple setup and tested the login.
    It doesn't work with a user created as a guest account.
    If I create the user in the normal internal identity store it works fine.
    Might there be a difference between ISE Versions?
    We are currently using Version 1.1.0.665 on a VM for testing purpose.
    This is what the details show:
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - Internal Users
    24210  Looking up User in Internal Users IDStore - tuser001
    24206  User disabled
    22057  The advanced option that is configured for a failed authentication request is used
    22061  The 'Reject' advanced option is configured in case of a failed authentication request
    11003  Returned RADIUS Access-Reject
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - Internal Users
    24210  Looking up User in Internal Users IDStore - tuser001
    24212  Found User in Internal Users IDStore
    22037  Authentication Passed
    Evaluating Authorization Policy
    15004  Matched rule
    15016  Selected Authorization Profile - Guest
    11022  Added the dACL specified in the Authorization Profile
    11002  Returned RADIUS Access-Accept
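    As an added example (not part of Thomas's post and not ISE code), here is a small Python parser for an ISE authentication step log like the two sessions pasted above. It splits the log into sessions on the 11001 "Received RADIUS Access-Request" step, records the identity store, the user being looked up, the authorization profile and the final Access-Accept or Access-Reject, and for a reject keeps the step that immediately precedes 22057 (the "failed authentication request" handling step) as the reason, which for the first session is "User disabled". The sample input is the text of the post; the assumption that the step before 22057 carries the failure reason is taken from that log, not from ISE documentation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the two step logs from the post above (constructed from that text).
SAMPLE_LOG = """\
11001  Received RADIUS Access-Request
11017  RADIUS created a new session
Evaluating Service Selection Policy
15048  Queried PIP
15048  Queried PIP
15004  Matched rule
Evaluating Identity Policy
15006  Matched Default Rule
15013  Selected Identity Store - Internal Users
24210  Looking up User in Internal Users IDStore - tuser001
24206  User disabled
22057  The advanced option that is configured for a failed authentication request is used
22061  The 'Reject' advanced option is configured in case of a failed authentication request
11003  Returned RADIUS Access-Reject
11001  Received RADIUS Access-Request
11017  RADIUS created a new session
Evaluating Service Selection Policy
15048  Queried PIP
15048  Queried PIP
15004  Matched rule
Evaluating Identity Policy
15006  Matched Default Rule
15013  Selected Identity Store - Internal Users
24210  Looking up User in Internal Users IDStore - tuser001
24212  Found User in Internal Users IDStore
22037  Authentication Passed
Evaluating Authorization Policy
15004  Matched rule
15016  Selected Authorization Profile - Guest
11022  Added the dACL specified in the Authorization Profile
11002  Returned RADIUS Access-Accept
"""

# A step line is a five-digit step code, whitespace, then the message.
# Phase headings such as "Evaluating Identity Policy" carry no code and are skipped.
STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*?)\s*$")


@dataclass
class Session:
    user: Optional[str] = None
    identity_store: Optional[str] = None
    authz_profile: Optional[str] = None
    outcome: Optional[str] = None          # "accept" or "reject"
    failure_reason: Optional[str] = None   # message of the step preceding 22057 (assumption)


def parse_sessions(text: str) -> List[Session]:
    sessions: List[Session] = []
    current: Optional[Session] = None
    previous_msg: Optional[str] = None
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if not m:
            continue
        code, msg = m.group(1), m.group(2)
        if code == "11001":                 # every session starts with this step
            current = Session()
            sessions.append(current)
            previous_msg = None
        if current is None:
            continue                        # stray lines before the first 11001
        if code == "15013":
            current.identity_store = msg.split(" - ", 1)[1]
        elif code == "24210":
            current.user = msg.rsplit(" - ", 1)[1]
        elif code == "15016":
            current.authz_profile = msg.split(" - ", 1)[1]
        elif code == "22057" and previous_msg is not None:
            current.failure_reason = previous_msg
        elif code == "11002":
            current.outcome = "accept"
        elif code == "11003":
            current.outcome = "reject"
        previous_msg = msg
    return sessions


def summarize(sessions: List[Session]) -> List[str]:
    """One line per session, in log order, with the reject reason or the granted profile."""
    out = []
    for n, s in enumerate(sessions, 1):
        line = f"session {n}: user={s.user} store={s.identity_store} outcome={s.outcome}"
        if s.outcome == "reject":
            line += f" reason={s.failure_reason!r}"
        elif s.authz_profile:
            line += f" profile={s.authz_profile}"
        out.append(line)
    return out


if __name__ == "__main__":
    for line in summarize(parse_sessions(SAMPLE_LOG)):
        print(line)
```

    Run against a longer export, the summary makes it easy to see whether every reject for a given account carries the same reason step, which is the first thing to compare between the guest-created and the internal-created user.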

  • Cisco 1602i + Authenticating users via RADIUS?

    Hello,
    Our company recently purchased a Cisco 1602i standalone WAP to replace the WAP4410Ns that we were having issues with.  I am now attempting to configure the RADIUS authentication, as we have a User network and a Guest connection.  The Guest connection works fine, using WPA PSK.  However, I can't seem to get the RADIUS authentication to work.  Reading the documentation has got me a little confused, and I have tried turning on debugging (debug radius authentication, debug aaa) but those show nothing.  Also, in the RADIUS server itself (Windows 2008 R2 NPS), I see nothing in the logs when I try to connect using a device or the "test aaa" command.  Can someone guide me on what I'm doing wrong?  I followed someone's advice on another forum and removed "authentication network-eap" from the SSID (phoenix_2), and now when I attempt to connect with a device it just asks me for a password, it doesn't prompt for a username anymore.  I am very stumped.  Here's the relevant config:
    aaa new-model
    aaa group server radius rad_eap
    server 10.200.5.24
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    clock timezone EST -5 0
    ip cef
    ip domain name gst
    dot11 syslog
    dot11 vlan-name guest vlan 255
    dot11 vlan-name user vlan 140
    dot11 ssid phoenix_2
       vlan 140
       band-select
       authentication open eap eap_methods
       mbssid guest-mode
    dot11 ssid walker_2
       vlan 255
       band-select
       authentication open
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 0353035E535879191B
    interface BVI1
    ip address 10.200.5.70 255.255.255.0
    ip default-gateway 10.200.5.1
    ip forward-protocol nd
    no ip http server
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip route 0.0.0.0 0.0.0.0 10.200.140.1
    ip route 0.0.0.0 0.0.0.0 10.200.5.1
    ip radius source-interface BVI1
    access-list 111 permit tcp any any neq telnet
    snmp-server community G!0bal RO
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 10.200.5.24 key 7 01445E510E1C07032A495C0D0B0C011718190D3E2E767863
    radius-server vsa send accounting
    The NPS worked just fine with the WAP4410Ns, not sure why we're having so much trouble with the 1602i. 

    Thanks Rasika, your link worked.  I had the authentication key before, but I removed it while I was trying different things.  My main issue was not applying the list name to the SSID; the documentation did not make it clear that when the RADIUS server is specified using the "radius-server ...." command, the RADIUS group refers to that command when you configure the group.  Once that clicked, it made sense that the method list name was specified by the RADIUS group, and that the authentication methods then referred to the RADIUS group.  It was a big question mark in my head how the RADIUS server was applied to the SSID prior to reading your post.
    I haven't tried the "erase startup-config" command yet, I will try that next. 
    Quick question, why are both authentication open and authentication network-eap needed?  I would assume authentication network-eap would suffice, unless the authentication open command refers to the allowed devices and not just authentication via RADIUS?
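    An added example, not from this thread and not Cisco or Microsoft code, for checking the RADIUS path on its own when the server shows nothing in its logs: a minimal Python RADIUS client that builds a PAP Access-Request per RFC 2865 (with the User-Password hiding), adds a Message-Authenticator per RFC 2869, and verifies the Response Authenticator of whatever comes back. PAP rather than EAP is deliberate: it exercises the shared secret and the RADIUS client registration, not the 802.1X method. A server that stays silent has discarded the request (RFC 2865 says to discard, without reply, requests from unknown clients or with a bad shared secret); an Access-Reject at least proves the request was received and evaluated, and an Access-Accept needs a network policy that allows PAP. The server address 10.200.5.24 and the NAS address 10.200.5.70 come from the posted config; the shared secret, username and password are placeholders, and NPS identifies a RADIUS client by the datagram's source address, so the probing host must be registered as a client (or the probe run from the registered host).

```python
import hashlib
import hmac
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR block i with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: what the server does before checking the credential."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ d for c, d in zip(hidden[i:i + 16], digest))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """PAP Access-Request; Message-Authenticator (RFC 2869 5.14) is HMAC-MD5 over the whole packet."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(MESSAGE_AUTHENTICATOR, b"\x00" * 16))   # zeroed while the HMAC is computed
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac, authenticator     # Message-Authenticator is the last attribute


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check, assuming Message-Authenticator is the last attribute (as built above)."""
    if len(packet) < 38 or packet[-18] != MESSAGE_AUTHENTICATOR or packet[-17] != 18:
        return False
    expected = hmac.new(secret, packet[:-16] + b"\x00" * 16, hashlib.md5).digest()
    return hmac.compare_digest(packet[-16:], expected)


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client side: the reply must come from a server that holds the shared secret."""
    if len(response) < 20:
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def probe(server, secret, username, password, nas_ip, timeout=3.0):
    """Send one request to UDP/1812; returns the reply code, or None if the server stayed silent."""
    packet, authenticator = build_access_request(1, secret, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 1812))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    if data[1] != packet[1] or not verify_response(data, authenticator, secret):
        raise ValueError("reply failed the Response Authenticator check (wrong secret or forged reply)")
    return data[0]


if __name__ == "__main__":
    # Offline demo with placeholder values; "python radius_probe.py 10.200.5.24 <secret>" sends a real probe.
    secret = sys.argv[2].encode() if len(sys.argv) == 3 else b"changeme"
    packet, auth = build_access_request(1, secret, "testuser", "testpass", "10.200.5.70")
    print("Access-Request:", packet.hex())
    print("Message-Authenticator verifies:", verify_message_authenticator(packet, secret))
    if len(sys.argv) == 3:
        code = probe(sys.argv[1], secret, "testuser", "testpass", "10.200.5.70")
        print({None: "no reply (discarded?)", ACCESS_ACCEPT: "Access-Accept",
               ACCESS_REJECT: "Access-Reject"}.get(code, f"code {code}"))
```

    The Message-Authenticator matters for the real AP too: an EAP Access-Request must carry it, and a server that finds it invalid for the configured secret discards the request silently, which looks exactly like "nothing in the NPS logs".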

  • Rate limiting on Catalyst 2950T switches

    Hi,
    I would like to allow some users full access to internal servers, but only provide them with 2 Mbps access to the Internet. As far as I understand, I cannot use the deny statement when defining the access-list for the class-map, and therefore I am asking for your help. (The config below works well for rate-limiting all traffic, but I would need full access for traffic matching access-list 111):
    access-list 111 remark [ Traffic not to be rate limited ]
    access-list 111 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
    access-list 112 remark [ Traffic to be rate limited ]
    access-list 112 permit ip 10.0.0.0 0.255.255.255 any
    class-map match-all Internet-Class
    match access-group 112
    policy-map Internet
    description [ Rate limit Internet access ]
    class Internet-Class
    police 2000000 65536 exceed-action drop
    interface FastEthernet0/1
    service-policy input Internet
    interface FastEthernet0/24
    service-policy input Internet
    Any help would be much appreciated!
    Regards,
    Harald

    Thanks again for the reply!
    My "working" configuration is as follows:
    access-list 111 remark [ Traffic not to be rate limited ]
    access-list 111 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
    access-list 112 remark [ Traffic to be rate limited ]
    access-list 112 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
    class-map match-all Local-Class
    match access-group 111
    class-map match-all Internet-Class
    match access-group 112
    policy-map Internet-Policy
    description [ Rate limit Internet access ]
    class Internet-Class
    police 2000000 65536 exceed-action drop
    class Local-Class
    police 98000000 65536
    interface FastEthernet0/1
    description [ Local LAN facing interface ]
    service-policy input Internet-Policy
    interface FastEthernet0/24
    description [ Internet facing interface ]
    service-policy input Internet-Policy
    However, I would like to change "172.16.0.0 0.0.255.255" in access-list 112 to "any" since it should apply to all Internet traffic. If I try to do that I get the mask error I previously mentioned.
    Regards,
    Harald
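    An added example (not from Harald's posts and not Cisco IOS code) that models what the policy-map above does: a small Python simulation with Cisco wildcard-mask ACL matching, first-match class selection in the order the classes are listed in the policy-map (as MQC evaluates them), and a single-rate token-bucket policer standing in for `police 2000000 65536 exceed-action drop`. The offered load is constructed: 1500-byte frames every millisecond to one internal host and one Internet host for one second. It shows two things worth checking before changing access-list 112 to `any`: with the posted 172.16.0.0/16 destination, traffic to an address outside both ACLs falls into class-default and is not policed at all, and once 112 matches `any`, Internet-Class also matches the internal traffic, so Local-Class must be listed first in the policy-map for the exemption to work. Whether the 2950 accepts `any` in that ACL is a platform question the simulation does not answer.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


@dataclass
class Ace:
    """One 'permit ip' entry as (base, wildcard) pairs; a set wildcard bit means 'don't care'."""
    src: Tuple[int, int]
    dst: Tuple[int, int]

    def matches(self, src: int, dst: int) -> bool:
        return all((addr & ~wc) == (base & ~wc)
                   for addr, (base, wc) in ((src, self.src), (dst, self.dst)))


def _spec(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (ip_int(tokens[i + 1]), 0), i + 2
    return (ip_int(tokens[i]), ip_int(tokens[i + 1])), i + 2


def parse_acl(lines: List[str]) -> List[Ace]:
    """Accepts 'permit ip ...' entries with or without the 'access-list N' prefix; skips remarks."""
    aces = []
    for line in lines:
        t = line.split()
        if t[:1] == ["access-list"]:
            t = t[2:]
        if not t or t[0] == "remark":
            continue
        if t[0] != "permit" or t[1] != "ip":
            raise ValueError(f"only 'permit ip' entries are modelled: {line}")
        src, i = _spec(t, 2)
        dst, _ = _spec(t, i)
        aces.append(Ace(src, dst))
    return aces


class Policer:
    """Single-rate, single-bucket policer: 'police <bps> <burst-bytes>' with exceed-action drop."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate, self.burst = rate_bps, burst_bytes
        self.tokens, self.last_us = float(burst_bytes), 0

    def conform(self, length: int, now_us: int) -> bool:
        self.tokens = min(self.burst, self.tokens + (now_us - self.last_us) * self.rate / 8_000_000)
        self.last_us = now_us
        if self.tokens >= length:
            self.tokens -= length
            return True
        return False


Packet = Tuple[int, str, str, int]                   # (time_us, src, dst, length)
PolicyClass = Tuple[str, List[Ace], Optional[Policer]]


def run_policy(classes: List[PolicyClass], packets: List[Packet]) -> Dict[str, int]:
    """Forwarded frames per destination; a packet takes the first class it matches, else class-default."""
    forwarded: Dict[str, int] = {}
    for now_us, src, dst, length in packets:
        s, d = ip_int(src), ip_int(dst)
        policer = None                               # class-default: no policer
        for _, aces, pol in classes:
            if any(a.matches(s, d) for a in aces):
                policer = pol
                break
        if policer is None or policer.conform(length, now_us):
            forwarded[dst] = forwarded.get(dst, 0) + 1
    return forwarded


ACL_111 = ["permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255"]
ACL_112_POSTED = ["permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255"]
ACL_112_ANY = ["permit ip 10.0.0.0 0.255.255.255 any"]
INTERNAL, INTERNET = "192.168.1.10", "203.0.113.10"   # constructed destinations


def offered_load(dsts, frames=1000, interval_us=1000, length=1500) -> List[Packet]:
    """Constructed: 12 Mbit/s of 1500-byte frames per destination for one second."""
    return [(i * interval_us, "10.0.0.5", d, length) for i in range(frames) for d in dsts]


def scenario(acl_112: List[str], local_first: bool) -> Dict[str, int]:
    internet = ("Internet-Class", parse_acl(acl_112), Policer(2_000_000, 65536))
    local = ("Local-Class", parse_acl(ACL_111), Policer(98_000_000, 65536))
    classes = [local, internet] if local_first else [internet, local]
    return run_policy(classes, offered_load([INTERNAL, INTERNET]))


if __name__ == "__main__":
    print("posted ACL 112, Internet-Class first:", scenario(ACL_112_POSTED, False))
    print("ACL 112 'any', Internet-Class first: ", scenario(ACL_112_ANY, False))
    print("ACL 112 'any', Local-Class first:    ", scenario(ACL_112_ANY, True))
```

    With a 65536-byte burst and 2 Mbit/s, the policer lets roughly 210 of the 1000 frames through in the policed cases: the first 52 ride the initial burst and the rest trickle at one frame per six milliseconds, which is what the 250 bytes refilled per millisecond allows.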
