Wireless Users In L2 Inband Virtual Mode

Hello
At present the access points are just plugged into switch ports on access VLAN 10 and configured with a VLAN 10 SSID for wireless users. Users are accessing the network fine with no issues. I have set up a NAC in L2 in-band virtual mode, and it is working fine when I tested it for WIRED users.
To enforce posture assessment on wireless users, I just have to change the switch port access VLAN to the authentication VLAN on the port where the access point is connected at present, and change the SSID VLAN 10 to the authentication VLAN. As I am using only one VLAN, I don't have to create a trunk port on the switch where the access point is connected?? Nothing else I have to do?? Correct me if I am wrong.
Answers?

Thank you for all the details.
As some further details, the CAS should be configured with the following:
1. Under the managed subnets, you should add an IP address (not used anywhere else) in the trusted vlan 10 subnet and link it to the untrusted vlan 20.
2. Under the vlan mappings, it's OK to have the untrusted vlan 20 mapped to the trusted vlan 10. So the vlan mapping should be:
20 (untrusted) ---> 10 (trusted)
Wireless users should be connecting on vlan 20 and they should get an IP in trusted vlan 10's subnet.
All the traffic should then flow through the CAS, which will take care of mapping vlan 20 to vlan 10 once the user is authenticated and certified.
AD SSO for wireless users should also be possible.
The AD SSO authentication through NAC regards only the authentication process through the NAC agent.
As long as the rest of the configuration is correct, this should also be possible for wireless users.
Regards,
Fede
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Similar Messages

  • NAC in Inband L2 Virtual mode

    Dear Experts,
    I am planning to implement NAC in-band virtual mode. I have HP and Cisco switches in my network. I have read the installation guide and the Cisco Press book for NAC; now I want confirmation from you experts of the step-by-step procedure to set up NAC.
    I thought to post because many of you have implemented NAC several times, so here are the general steps to start. I am going to do antivirus update and Windows update checks for the host posture assessment.
    NAC in Inband L2 Virtual mode
    My thinking for the implementation is:
    Create the authentication VLAN on the access switches (no SVI for the authentication VLAN).
    Do the authentication VLAN and actual user VLAN mapping in NAC.
    Create a rule such as Windows update and antivirus update; the requirement is then to access the antivirus server and Windows update server.
    Allow an access list for all the user VLANs to reach these antivirus and Windows update servers, BUT these IPs will be in the actual VLAN IP subnet because we will not have any authentication subnet in DHCP??? Correct me if I am wrong.
    Shift the users from the actual VLAN to the authentication VLAN.
    Configure a managed subnet for the reply to the DHCP request.
    Enable L3 and set up static routes.
    Manually go to each and every PC and open a browser so that it is redirected to install the NAC agent. IS THERE any other way TO INSTALL THE NAC AGENT ON 1000 WINDOWS MACHINES? MY SYSTEM ADMINISTRATORS ARE NOT VERY SMART, SO PLEASE, ANY SOLUTION WITHOUT ANY HELP FROM THE SYSTEM ADMINISTRATOR?????? IT WILL BE HIGHLY APPRECIATED.
    The points above I have written are what I think NAC is; if there are any other points I am missing, please, please, please advise me or give proper guidance.

    Hi,
    1. This is correct. Auth VLANs shouldn't have SVIs anywhere on the network
    2. Okay
    3. Okay. For posture assessment, look at chalktalk 5 from this link: http://bit.ly/chalktalks
    4. For a L2 VGW setup (assuming In-Band), you will only have one set of IP addresses to work with, and those would be the Access VLAN IP addresses. You don't get a different IP address in your Auth VLAN. You can limit the resources you want your clients to have access to by tweaking the Traffic Policies
    5. You would map the users, and you do that by defining the VLAN mappings
    6. For L2 deployments, you will need managed subnets for all the IP subnets that you work with.
    7. You don't need static routes for L2 deployments
    8. If your clients are using any managed software system, like GPOs using AD, or SMS, or Altiris, you can push out the agent to them using those mechanisms.
    HTH,
    Faisal
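The constraints stated in the answers above (the main thread's mapping of untrusted VLAN 20 to trusted VLAN 10 with a managed-subnet address taken from the trusted subnet, and Faisal's points that auth VLANs carry no SVI, that every subnet in use needs a managed-subnet entry, and that an L2 deployment needs no static routes) can be checked before a change window. The following Python script is an added example, not code from the thread or from Cisco; the `CasDesign` structure, the VLAN numbers and the 10.1.10.0/24 subnet are constructed for illustration.

```python
"""Pre-change checks for a Cisco NAC (CAS) L2 in-band virtual-gateway design.

Added example, not code from the thread or from Cisco. It encodes the rules
given in the answers: each untrusted (auth) VLAN maps to one trusted VLAN,
auth VLANs must not have an SVI anywhere, every trusted subnet needs a
managed-subnet entry whose address lies in that subnet and is not used by
any other host, and an L2 deployment needs no static routes.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CasDesign:
    vlan_mappings: dict           # untrusted VLAN -> trusted VLAN
    trusted_subnets: dict         # trusted VLAN -> IPv4 network, e.g. "10.1.10.0/24"
    managed_subnets: dict         # trusted VLAN -> managed-subnet address on the CAS
    svi_vlans: set                # VLANs that have an SVI somewhere in the network
    used_addresses: set           # addresses already assigned (gateways, servers, ...)
    static_routes: list = field(default_factory=list)


def check_design(d: CasDesign) -> list:
    """Return the problems found; an empty list means the design passes."""
    problems = []
    untrusted = set(d.vlan_mappings)
    trusted = set(d.vlan_mappings.values())

    # An SVI on an auth VLAN gives clients a path around the CAS.
    for v in sorted(untrusted & d.svi_vlans):
        problems.append(f"auth VLAN {v} has an SVI; remove it so the CAS is the only path")

    # A VLAN cannot be both the untrusted and the trusted side of a mapping.
    for v in sorted(untrusted & trusted):
        problems.append(f"VLAN {v} appears on both sides of the VLAN mapping")

    for u, t in sorted(d.vlan_mappings.items()):
        if t not in d.trusted_subnets:
            problems.append(f"trusted VLAN {t} (mapped from {u}) has no subnet defined")
            continue
        net = ipaddress.ip_network(d.trusted_subnets[t])
        addr = d.managed_subnets.get(t)
        if addr is None:
            problems.append(f"trusted VLAN {t} has no managed subnet; clients on VLAN {u} "
                            "will not receive DHCP replies through the CAS")
            continue
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append(f"managed-subnet address {addr} is outside {net} (VLAN {t})")
        elif addr in d.used_addresses or ip in (net.network_address, net.broadcast_address):
            problems.append(f"managed-subnet address {addr} is already in use or not a host address")

    # In L2 mode the CAS bridges between the VLAN pair; routing belongs elsewhere.
    if d.static_routes:
        problems.append("static routes are configured; an L2 deployment needs none")
    return problems


# Constructed designs: GOOD follows the thread (VLAN 20 untrusted -> VLAN 10 trusted).
GOOD = CasDesign(
    vlan_mappings={20: 10},
    trusted_subnets={10: "10.1.10.0/24"},
    managed_subnets={10: "10.1.10.250"},
    svi_vlans={10},
    used_addresses={"10.1.10.1"},
)
BAD = CasDesign(
    vlan_mappings={20: 10},
    trusted_subnets={10: "10.1.10.0/24"},
    managed_subnets={10: "10.1.10.1"},           # collides with the gateway address
    svi_vlans={10, 20},                          # SVI left on the auth VLAN
    used_addresses={"10.1.10.1"},
    static_routes=["0.0.0.0/0 via 10.1.10.1"],  # leftover from an L3 design
)

if __name__ == "__main__":
    for name, design in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_design(design) or "ok")
```

Describe the intended design in a `CasDesign` and make sure `check_design` returns an empty list before touching the switch ports; `BAD` shows the three mistakes the answers warn about (an SVI on the auth VLAN, a managed-subnet address that collides with the gateway, and static routes left over from an L3 design).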

  • EA6400: Problems for wireless users

    There are two EA6400 routers (firmware version: 1.1.40.160989). The routers are configured in bridge mode and are used for wireless devices/users. Wireless users have many problems with the quality of the connection and very high ping. Wired users don't have any problems with connection quality or ping.
    What's the problem?
    Ping from user
    user@pc:~$ ping yandex.ru
    PING yandex.ru (93.158.134.11) 56(84) bytes of data.
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=1 ttl=56 time=6.66 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=2 ttl=56 time=1110 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=3 ttl=56 time=112 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=4 ttl=56 time=338 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=5 ttl=56 time=463 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=10 ttl=56 time=449 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=12 ttl=56 time=390 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=13 ttl=56 time=515 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=14 ttl=56 time=744 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=17 ttl=56 time=17.5 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=19 ttl=56 time=139 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=21 ttl=56 time=388 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=22 ttl=56 time=1440 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=23 ttl=56 time=433 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=24 ttl=56 time=1580 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=25 ttl=56 time=574 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=31 ttl=56 time=783 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=35 ttl=56 time=954 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=36 ttl=56 time=5.31 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=37 ttl=56 time=1110 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=38 ttl=56 time=103 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=39 ttl=56 time=225 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=40 ttl=56 time=761 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=41 ttl=56 time=157 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=43 ttl=56 time=10.0 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=44 ttl=56 time=1241 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=45 ttl=56 time=241 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=47 ttl=56 time=1020 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=48 ttl=56 time=946 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=49 ttl=56 time=5.29 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=51 ttl=56 time=1122 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=52 ttl=56 time=122 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=54 ttl=56 time=275 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=55 ttl=56 time=500 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=56 ttl=56 time=427 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=57 ttl=56 time=554 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=60 ttl=56 time=730 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=61 ttl=56 time=1062 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=62 ttl=56 time=66.3 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=63 ttl=56 time=390 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=64 ttl=56 time=526 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=73 ttl=56 time=944 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=77 ttl=56 time=123 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=81 ttl=56 time=325 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=89 ttl=56 time=626 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=92 ttl=56 time=701 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=94 ttl=56 time=852 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=102 ttl=56 time=1043 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=103 ttl=56 time=43.3 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=104 ttl=56 time=150 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=110 ttl=56 time=828 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=114 ttl=56 time=9.44 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=115 ttl=56 time=1154 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=116 ttl=56 time=155 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=119 ttl=56 time=435 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=127 ttl=56 time=734 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=134 ttl=56 time=81.6 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=135 ttl=56 time=100 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=137 ttl=56 time=559 ms
    ^C
    --- yandex.ru ping statistics ---
    141 packets transmitted, 59 received, 58% packet loss, time 140168ms
    rtt min/avg/max/mdev = 5.290/524.123/1580.880/407.470 ms, pipe 2
    user@pc:~$
    Traceroute from user

    geekychix wrote:
    What is the wireless channel set for your router? Flash the firmware of your router, reset and reconfigure it. Try playing around with channels 1,3,6 or 9. Security mode should be set to WPA2 Personal. Let me know how it goes.
    Forgot to say that I only use the 2 GHz wireless network. A fifth channel to another 12th channel. Channels I specifically chose not to overlap with neighboring networks. I've already tried to reset the settings to the default and reconfigure the router again. I only use WPA2 PSK-CCMP. Have any ideas?
    Lun wrote:
    EA6400 works really good for me with the current firmware.  On 2.4ghz, channel 9 is solid and at 5.0ghz, channel 157 is strong too.  Try that.
    Forgot to say that I only use 2GHz wireless network. A fifth channel to another 12th channel. Channels I specifically chose not to overlap with neighboring networks.
    Saffronfs7 wrote:
    Your WiFi network is possibly prone to wireless interference which causes high latency and slow/intermittent connection. Adjust the wireless settings on your EA6400 routers. Use Non-overlapping Channels like 1 or 6 or 11. Use a WiFi scanner to check which Channels are crowded and which ones are not. Although 5GHz network uses non-overlapping Channels I recommend using Channel 161.
    I advance it all already made. Have any ideas?
    Lun wrote:
    Everyone in my area are using channel 1, 6, and 11 on 2.4ghz.  Channel 9 work best for me.
    Channels I specifically chose not to overlap with neighboring networks. Have any ideas?

  • Problem authenticating Wireless users with peap

    Good afternoon,
    I am currently trying to authenticate wireless users using PEAP and an external RADIUS server. The problem is when I try to authenticate I get this error :
    AAA/AUTHEN/PPP : Pick method list 'Permanent Local'
    DOT11-7-AUTH_FAILED : Station ... Authentication failed
    It shouldn't use local authentication, but the aaa server I configured.
    I looked on the internet but didn't find a working solution.
    Does anyone know why it is not working ?
    Here is my running configuration :
    Current configuration : 4276 bytes
    ! Last configuration change at 00:45:40 UTC Mon Mar 1 1993
    ! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
    ! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    logging rate-limit console 9
    enable secret 5 $1$QVC3$dIVAarlXOo52rN3ceZm1k0
    aaa new-model
    aaa group server radius rad_eap
     server 192.168.2.2 auth-port 1812 acct-port 1813
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    no ip routing
    no ip cef
    dot11 syslog
    dot11 ssid test
       authentication open eap eap_list
       authentication key-management wpa version 2
       guest-mode
    eap profile peap
     method peap
    crypto pki token default removal timeout 0
    bridge irb
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption mode ciphers aes-ccm
     ssid test
     antenna gain 0
     stbc
     beamform ofdm
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio1
     no ip address
     no ip route-cache
     shutdown
     antenna gain 0
     no dfs band block
     channel dfs
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface GigabitEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     dot1x pae authenticator
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    interface BVI1
     ip address 192.168.3.10 255.255.255.0
     no ip route-cache
    ip default-gateway IP
    ip forward-protocol nd
    ip http server
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.168.2.2 auth-port 1812 acct-port 1813 key 7 140441081E501F0B7D
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
     transport input all
    end
    Thank you

    I haven't set up autonomous APs before, but I think I might see the problem. You are defining an authentication list called "eap_methods" but you never call for it in your SSID settings. Instead, there you call a list named "eap_list". In addition, I think you might be missing one more command. So perhaps try this:
    dot11 ssid test
    authentication open eap eap_methods
    authentication network-eap eap_methods
    authentication key-management wpa version 2
    guest-mode
    Hope this helps!
    Thank you for rating helpful posts!
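To catch the mismatch the reply above identifies (the SSID references `eap_list` while the only RADIUS-backed list defined is `eap_methods`) before a configuration reaches an access point, the following Python script parses the relevant subset of the posted configuration and cross-checks every EAP list an SSID references against the `aaa authentication login` lists and their server groups. It is an added example, not code from the thread or from Cisco; `POSTED` and `FIXED` are constructed from the configuration and the suggested correction above, and the parser understands only the commands they contain.

```python
"""Cross-check SSID EAP lists against AAA method lists on an autonomous AP.

Added example, not code from the thread or from Cisco. It parses only the
subset of autonomous-AP IOS syntax used in the posted configuration.
"""
import re

LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
GROUP_RE = re.compile(r"^aaa group server radius (\S+)$")
SSID_RE = re.compile(r"^dot11 ssid (\S+)$")
EAP_REF_RE = re.compile(r"^authentication (?:open eap|network-eap) (\S+)$")


def parse_config(text):
    """Return (login_lists, radius_groups, ssid_eap_refs) from IOS-style text.

    Top-level commands start at column 0; their sub-commands are indented.
    """
    login_lists, groups, ssids = {}, {}, {}
    current_group = current_ssid = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):                 # new top-level command
            current_group = current_ssid = None
            if m := LOGIN_RE.match(line):
                login_lists[m.group(1)] = m.group(2).split()
            elif m := GROUP_RE.match(line):
                current_group = m.group(1)
                groups[current_group] = []
            elif m := SSID_RE.match(line):
                current_ssid = m.group(1)
                ssids[current_ssid] = []
            continue
        if current_group is not None and line.startswith("server "):
            groups[current_group].append(line.split()[1])
        elif current_ssid is not None and (m := EAP_REF_RE.match(line)):
            ssids[current_ssid].append(m.group(1))
    return login_lists, groups, ssids


def check_eap_lists(text):
    """Return a list of problems; empty means every SSID reference resolves to a
    defined list whose RADIUS server group has at least one server."""
    login_lists, groups, ssids = parse_config(text)
    problems = []
    for ssid, refs in ssids.items():
        if not refs:
            problems.append(f"ssid {ssid}: no EAP method list referenced")
        for ref in refs:
            if ref not in login_lists:
                defined = ", ".join(sorted(login_lists)) or "none"
                problems.append(f"ssid {ssid}: EAP list '{ref}' is not defined (defined: {defined})")
                continue
            methods = login_lists[ref]
            for i, tok in enumerate(methods):
                if tok == "group" and i + 1 < len(methods):
                    grp = methods[i + 1]
                    if grp not in groups:
                        problems.append(f"list {ref}: server group '{grp}' is not defined")
                    elif not groups[grp]:
                        problems.append(f"list {ref}: server group '{grp}' has no servers")
            if "group" not in methods:
                problems.append(f"ssid {ssid}: list '{ref}' names no server group, so RADIUS is never tried")
    return problems


# Constructed from the posted configuration: the SSID calls 'eap_list', which is never defined.
POSTED = """\
aaa new-model
aaa group server radius rad_eap
 server 192.168.2.2 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
dot11 ssid test
   authentication open eap eap_list
   authentication key-management wpa version 2
   guest-mode
"""

# Constructed from the correction suggested in the reply above.
FIXED = """\
aaa new-model
aaa group server radius rad_eap
 server 192.168.2.2 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
dot11 ssid test
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2
   guest-mode
"""

if __name__ == "__main__":
    print("posted:", check_eap_lists(POSTED) or "ok")
    print("fixed: ", check_eap_lists(FIXED) or "ok")
```

Feed it the output of `show running-config` (with the leading indentation intact, since that is how it tells sub-commands from top-level commands); a dangling list name or an empty server group is reported before any client ever sees an authentication failure.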

  • PEAP authentication failed for wireless users

    Dears
    Hello
    I'm receiving this error when I'm trying to authenticate wireless users using PEAP MSCHAPv2. Can anyone please support me?
    thanks 

    Dear Neno
    the customer has sent me this in aruba
    aaa authentication dot1x "dot1xProfile"
       termination eap-type eap-peap
       termination inner-eap-type eap-mschapv2
    aaa authentication-server radius "SERVER"
       host x.x.x.x
       key xxxx
       nas-ip x.x.x.x
    aaa server-group "RADIUS-GROUP"
      auth-server "SERVER"
    aaa profile "KSAU-JED-AAA-Profile"
       authentication-dot1x "dot1xProfile"
       dot1x-server-group "RADIUS-GROUP"
    wlan virtual-ap "SSID-NAME"
       aaa-profile "KSAU-JED-AAA-Profile"
       ssid-profile "SSID-NAME"
       vlan <VLAN ID>

  • NAC IB with wireless users

    I have a problem here guys. I will deploy Cisco NAC with wireless users.
    My scenario is IB-VG; the access points are autonomous, there is no WLC.
    The AP is connected to the switch on a trunk port and I have configured the AP
    with different SSIDs, each one with a different VLAN. On the NAC I have
    configured the VLAN mapping and the managed subnets, but it doesn't work.
    I want to know where the problem is, or is there any configuration example to configure an
    autonomous AP in In-Band virtual gateway mode?

    Hi,
    Can you please be more specific about what does not work?
    What were you expecting to see and what are you seeing?
    Do the wireless users get IP address?
    If, yes, are they getting the IP you would expect?
    After getting an IP address, if you open a web browser, do you get redirected to the NAC login page?
    If yes, do you enter the credentials and fail authentication?
    Please note that you will need to make sure that the VLAN on the clients is allowed on the untrusted interface of the CAS, and that the VLAN mapping maps this VLAN to a VLAN where a DHCP server can be reached.
    Also, please make sure that the only path for traffic on the VLAN configured on the SSID is the path going through the CAS.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • 3850 command to show wireless user dACL

    Hi,
    I am using 3850 and 5760 with converged access mode.
    There is also ISE to provide dACL for wireless user.
    In 3850, I can issue "show access-list" to see the dACL from ISE.
    But I can't be sure which ACL apply to which user when there are more than one dACL.
    I have tried command like "show wireless client mac-address MAC detail" but didn't see anything related.
    I can only achieve that by checking logs on ISE.
    Is there any command I can do for this purpose?
    3850 and 5760 version : 3.3.0
    ISE version : 1.2
    Thanks!!!

    Hi Mason,
    I know that for switch IOS the command "show authentication session interface INTERFACE" shows the dACL that is applied to this port. I think the new command for the IOSXE devices is "show access-session mac H.H.H detail" is the corresponding one which should show the dACL that was applied to that MAC-address.
    Please see if that works for you.
    Best regards,
    Patrick Meyer

  • Can't use HP Laserjet 4000 with Windows 7 or even in XP virtual mode

    I've tried everything I can think of; read everything I can find; downloaded drivers, updates, and patches; uninstalled the printer, reinstalled the printer, rebooted, ad nauseam.  And I still can't get it to work -- this week, that is.  Last week it printed.  All the check tests say it should work.  In XP Virtual Mode the status menu shows the document printed -- but it must be a virtual copy, because I can't find it.  When I try to print in Windows 7, the status menu shows "error"  but troubleshooting can't find anything wrong.  Any suggestions?  Any assistance will be greatly appreciated.
    Thanks for your time.
    Rene 

    Been using a LaserJet 4000 under XP for years. Installed Win 7, downloaded the driver from this site http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareIndex.jsp?lang=en&cc=us&prodNameId=14952&pr... but it did not work (Driver not installed).
    Connected to a laptop with Vista and it worked fine. Any help is appreciated.

  • Open Users Setup form in Find mode

    Hello,
    When I open the users form
    Administration
    ---Setup
    General
    Users
    this form is in Add mode. Is there a way to have it in find mode directly ?
    Thank you
    Sébastien

    Hi,
    It is not possible to have the User - setup in the Find mode default.
    The form opens in the Add Mode and you have to go to the Memo and click on Find or do a Ctrl + F.
    Regards,
    Jitin
    SAP Business One Forum Team

  • Reauthentication of Wireless User does not get prompt

    Hi Sir,
    I set up a RADIUS server (Cisco ACS) to authenticate wireless users via 802.1X. The EAP protocol deployed is Microsoft PEAP, as most of the clients' OS is XP. The users might be sharing the same laptops. When a user selects the wireless network to connect to, he is prompted with a window to enter the Username, Password and Domain fields. After successful authentication, he is able to access the network resources.
    However, the user is not prompted for the Username, Password and Domain after he has done so the first time. I understand that XP caches the user credentials in the registry. But my customer would like the window prompt to appear to reauthenticate when the following scenarios happen:
    a) Session timeout (I noticed options in the Group profile in ACS, but they didn't seem to work). What is this session timeout in ACS?
    b) Idle timeout to reauthenticate the current wireless user, as the user might leave his workspace for a short period of time and someone might use his credentials to access the network illegitimately.
    c) When he shuts down the PC and the laptop is passed to another user, the previous user's credentials are used rather than the second user's credentials.
    How can I disable the automatically cached user credentials? Is there a way to prompt the user after a period of time to enter the Username, Password and Domain fields again? Is the option available in the XP client? I searched through the AP configuration options but found none.
    Please advise. Thank you
    Delon

    Try this link
    http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a0080094671.shtml#cswin

  • Wireless users are losing the internet connection....

    Dear All, My wireless users are losing the internet (HTTP and HTTPS) connection many times per day. I just checked the port configuration in the switch, but the problem persists. The device is a Cisco Aironet 1130 AG. Does anyone have some idea???
    Sent from Cisco Technical Support iPhone App

    Dear All, My wireless users are losing the internet (HTTP and HTTPS) connection many times per day. I just checked the port configuration in the switch, but the problem persists. The device is a Cisco Aironet 1130 AG.
    You are barking up the wrong tree.
    Can you please elaborate further?
    I need to determine whether the clients are losing the WIRELESS connection or losing the WAN connection.  Two different things, two different directions to choose from.
    The easiest way to determine this is:
    Presume you have 10 clients and half the clients are associated to one WAP and the other half to the other WAP.  Your description states that all 10 clients would lose internet connectivity.  Is this correct?  If this is so, then we start with your switch and your WAPs.  How are the WAPs powered?  PoE or power injector?  Can you console into the WAPs?  Can you post the output to the commands "sh version" and "sh logs"?  How about the switch?  Can you console into the switch?  Can you post the output to the commands "sh version" and "sh logs"?

  • Wireless users not visible in PRSM with CDA integration

    I have an ASA 5515-X v9.1 with a CX module v9.1.3 and CDA integrated into the AD domain. I can see the user-to-IP mappings for domain Windows users, like desktops and laptops. I cannot see the user-to-IP mappings for the wireless users. I see their IP addresses but the usernames don't come in.  I have the PRSM configured to use CDA. Do I need to also add the WLC somehow to the CDA setup?

    Hi, Try one of the following:
    1. Provision the native users with viewer role for BI+, if not done already
    2. For the folder, containing the reports, have these users being provisioned? Are you able to view the users with provisioning access to the folder?
    3. Do not put any filter for users and "begins with" combination to display all possible users
    Let me know if that works!

  • Wireless users Authentication of external repository? help?

    Hi people,
    My version is 9ias 1.0.2.2.
    I have read that it is possible to use an external repository in order to authenticate wireless users.
    I would like to do this using an external repository that contains, for example, the list of telephone numbers of my users.
    Any help?

    I believe these two links should help:
    http://otn.oracle.com/docs/products/ias/doc_library/1021doc_otn/portal.102/a86700/devrun.htm#1023745
    http://otn.oracle.com/docs/products/ias/doc_library/1021doc_otn/portal.102/a86700/devxml.htm#1012041

  • Getting Wireless Users onto LAN

    Hello All,
    We recently purchased 2 APs and a 2106 WLC and I am having some trouble getting the wireless users to communicate with the network on the other side of the WLC. Here is a very simple diagram of how this is all connected.
    3750X L3 Switch --> 2106 WLC --> AP
    LAN Network - 10.10.0.0/16           Wireless Users Network - 10.100.21.0/24
    So with a laptop, I can get a DHCP reservation from the WLC on the 10.100.21.0/24 network. From there, though, I cannot ping anything in the 10.10.0.0/16 network. I know that I am talking across two different networks, so by default they shouldn't be able to communicate, but I feel like I am missing a setting on the WLC that will allow the two networks to communicate.
    Management Interface:
    IP Address: 10.10.20.100
    Netmask: 255.255.0.0
    Gateway: 10.10.0.1
    DHCP Info: 10.10.20.100
    Here is the config for my test interface (which may be the problem):
    IP Address: 10.100.21.2
    Netmask: 255.255.255.0
    Gateway: 10.100.21.1
    DHCP Info: 10.10.20.100
    Thanks in advance for taking a look.

    Hello George,
    Thanks for the reply. I believe I have routes that allow both these networks to talk; currently we are redesigning our network, so bear with me as the setup is a little goofy.
    The way our devices are connected in terms of the wireless configuration:
    Internet <-> ASA <-> 3750 switch <-> WLC <-> AP <-> Laptop
                                          |
                                      My PC    
    So, currently our default gateway for our LAN (10.10.0.1) is the inside interface of the ASA (like I said, working on changing this). On the ASA I also have a static route configured so any traffic destined for 10.100.21.0/24 is sent to 10.10.20.2, which is our 3750 switch.
    On the 3750 switch I set a default gateway for our wireless network of 10.100.21.1. I also configured the trunk from the post above, so there is a trunk between the 3750 and the WLC allowing the LAN VLAN and the wireless VLAN to send data across it.
    On our WLC I have this configured:
    Management Interface:
    IP Address: 10.10.20.100
    Netmask: 255.255.0.0
    Gateway: 10.10.0.1
    DHCP Info: 10.10.20.100
    Here is the config for my test interface (which may be the problem):
    IP Address: 10.100.21.2
    Netmask: 255.255.255.0
    Gateway: 10.100.21.1
    DHCP Info: 10.10.20.100
    From my LAN I can ping 10.100.21.1.
    Our host on the wireless can get an IP, but when it attempts to ping anything (even its gateway) I get no replies.
    Going back to your question of whether we have routes for both networks to talk, I believe we do, unless I am missing something.
    Thanks again for your reply and taking the time to look at this.

  • WLC 4404 Wireless users getting disabled

    Hi,
    I have a WLC 4404 with version 7.0.116.0. I was getting the following messages for particular APs:
    *Dec 20 14:11:13.875: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 20 14:11:13.908: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec 20 14:11:29.383: %LWAPP-5-RLDP: RLDP stopped on slot 0.
    *Dec 20 14:11:29.674: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
    *Dec 20 14:11:29.678: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 20 14:11:29.700: %LWAPP-5-RLDP: RLDP started on slot 0.
    *Dec 20 14:11:29.707: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec 20 14:11:29.752: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
    *Dec 20 14:11:29.757: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 20 14:11:29.790: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec 20 14:11:45.396: %LWAPP-5-RLDP: RLDP stopped on slot 0.
    *Dec 20 14:11:13.875: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    After reading one of the Cisco forum threads, I disabled RLDP for those particular APs,
    so the above messages are rectified.
    But right now we are not able to identify the rogue IP, and it is not contained.
    So please give any suggestion so that I can rectify the above messages as well as identify the rogue IP.
    Thanks & Regards
    Gaurav Pandya

    Hi Scott,
    You are right, I am not able to detect rogue APs because I disabled RLDP. But when I enable RLDP for that particular AP, I got the following messages, with the interface going up and down:
    *Dec 20 14:11:13.875: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 20 14:11:13.908: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec 20 14:11:29.383: %LWAPP-5-RLDP: RLDP stopped on slot 0.
    *Dec 20 14:11:29.674: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
    *Dec 20 14:11:29.678: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 20 14:11:29.700: %LWAPP-5-RLDP: RLDP started on slot 0.
    So please suggest a middle way so that I can enable RLDP (to detect the rogue APs) without the interface going up and down frequently.
    Regards
    Gaurav
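A defender-side way to confirm what Gaurav describes from the logs themselves, written as an added example (not code from this thread or from Cisco): it parses AP syslog lines in the format quoted above and, for each RLDP start/stop, counts how many down/reset transitions that slot's radio makes within the next second, so the correlation can be checked across many APs before rogue detection is turned off wholesale. The slot-N-to-Dot11RadioN mapping, the one-second window and the year (not present in the timestamps) are assumptions; the sample log is constructed in the quoted format.

```python
import re
from datetime import datetime

# Constructed sample in the AP syslog format quoted in the thread (not the poster's full log).
SAMPLE_LOG = """\
*Dec 20 14:11:13.875: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 20 14:11:13.908: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 20 14:11:29.383: %LWAPP-5-RLDP: RLDP stopped on slot 0.
*Dec 20 14:11:29.674: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 20 14:11:29.678: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 20 14:11:29.700: %LWAPP-5-RLDP: RLDP started on slot 0.
*Dec 20 14:11:29.707: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 20 14:11:29.752: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 20 14:11:29.757: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 20 14:11:29.790: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 20 14:11:45.396: %LWAPP-5-RLDP: RLDP stopped on slot 0.
"""

LINE_RE = re.compile(r"^\*(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}): "
                     r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$")
LINK_RE = re.compile(r"Interface (?P<ifname>\S+), changed state to (?P<state>\w+)")
RLDP_RE = re.compile(r"RLDP (?P<action>started|stopped) on slot (?P<slot>\d+)")

def parse_line(line, year=2000):
    """Split one '*Mon DD hh:mm:ss.mmm: %FAC-SEV-MNEMONIC: msg' line; the year is not logged, so it is supplied."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not a syslog line we understand; skip it
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
    return {"ts": ts, "facility": m["facility"], "severity": int(m["sev"]),
            "mnemonic": m["mnemonic"], "msg": m["msg"]}

def rldp_flaps(lines, window_s=1.0):
    """One finding per RLDP start/stop: how many down/reset transitions the slot's radio made
    within window_s seconds afterwards. Assumes slot N is Dot11RadioN (true for slot 0 above)."""
    events = [e for e in map(parse_line, lines) if e]
    links = [(e, LINK_RE.search(e["msg"])) for e in events if e["facility"] == "LINK"]
    findings = []
    for e in events:
        m = RLDP_RE.search(e["msg"]) if e["mnemonic"] == "RLDP" else None
        if not m:
            continue
        ifname = f"Dot11Radio{m['slot']}"
        flaps = [le for le, lm in links
                 if lm and lm["ifname"] == ifname and lm["state"] in ("down", "reset")
                 and 0 <= (le["ts"] - e["ts"]).total_seconds() <= window_s]
        findings.append({"ts": e["ts"], "action": m["action"],
                         "slot": int(m["slot"]), "flaps": len(flaps)})
    return findings
```

Running `rldp_flaps(SAMPLE_LOG.splitlines())` on the constructed sample attributes 4 and 2 radio down/reset transitions to the RLDP stop and start at 14:11:29, and none to the stop at 14:11:45; an RLDP event with no flaps after it on many APs would argue against RLDP as the cause.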
