Wireless Users In L2 Inband Virtual Mode
Hello
At present the access points are just plugged into a switch port on access VLAN 10 and configured with a VLAN 10 SSID on the access point for wireless users. Users are accessing the network fine with no issues. I have set up a NAC in L2 in-band virtual mode; it is working fine when I tested it for WIRED users.
To enforce posture assessment on wireless users, I just have to change the switch port access VLAN to the authentication VLAN where the access point is connected at present, and change the SSID VLAN 10 to the authentication VLAN. As I am using only 1 VLAN, I don't have to create a trunk port on the switch where the access point is connected? Nothing else I have to do? Correct me if I am wrong.
Thank you for all the details.
As some further details, the CAS should be configured with the following:
1. Under the managed subnets, you should add an IP address (not used anywhere else) in the trusted VLAN 10 subnet and link it to the untrusted VLAN 20.
2. Under the VLAN mappings, it's OK to have the untrusted VLAN 20 mapped to the trusted VLAN 10. So the VLAN mapping should be:
20 (untrusted) ---> 10 (trusted)
Wireless users should be connecting on VLAN 20 and they should get an IP in trusted VLAN 10's subnet.
All the traffic should then flow through the CAS, which will take care of mapping VLAN 20 to VLAN 10 once the user is authenticated and certified.
AD SSO for wireless users should also be possible.
The AD SSO authentication through NAC concerns only the authentication process through the NAC agent.
As long as the rest of the configuration is correct, this should also be possible for wireless users.
Regards,
Fede
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
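The VLAN mapping in the answer above, as an added example that is not part of the answer and not Cisco code: a small Python model of what the CAS does in L2 in-band virtual gateway mode. Frames tagged with untrusted VLAN 20 are re-tagged to trusted VLAN 10 on the way in and back to 20 on the way out, so the client keeps its VLAN 10 address while every frame still crosses the CAS; frames on an unmapped VLAN or without a tag are dropped. The plan_check helper encodes the two rules this thread relies on (the auth VLAN must have no SVI anywhere, and each untrusted VLAN needs a managed subnet). The MAC addresses, the managed-subnet address and the helper itself are assumptions for illustration.

```python
"""Toy model of the CAS in L2 in-band virtual-gateway mode: frames arriving on
the untrusted trunk are re-tagged from the auth VLAN to the mapped trusted VLAN,
and back again in the other direction. Added example, not Cisco code; the VLAN
numbers, MAC addresses and managed-subnet address are assumed."""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# CAS "VLAN mapping" table: untrusted (auth) VID -> trusted VID
VLAN_MAPPING = {20: 10}
TRUSTED_TO_UNTRUSTED = {t: u for u, t in VLAN_MAPPING.items()}


def build_frame(dst, src, vid, payload, ethertype=ETHERTYPE_IPV4):
    """Build an 802.1Q-tagged Ethernet frame (PCP 0, DEI 0)."""
    tci = vid & 0x0FFF
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid_or_None, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return dst, src, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner, frame[18:]


def cas_forward(frame, ingress):
    """Forward one frame through the CAS. ingress is 'untrusted' or 'trusted'.
    Returns (egress_frame, reason); egress_frame is None when the frame is dropped."""
    dst, src, vid, ethertype, payload = parse_frame(frame)
    if vid is None:
        return None, "drop: untagged frame on the trunk"
    table = VLAN_MAPPING if ingress == "untrusted" else TRUSTED_TO_UNTRUSTED
    if vid not in table:
        return None, f"drop: VLAN {vid} has no mapping on the {ingress} side"
    new_vid = table[vid]
    return build_frame(dst, src, new_vid, payload, ethertype), f"VLAN {vid} -> {new_vid}"


def plan_check(mapping, vlans_with_svi, managed_subnets):
    """Sanity-check a VLAN plan: mapping {untrusted: trusted}, the set of VLANs that
    have an SVI anywhere, and managed_subnets {untrusted_vid: 'cas-ip/prefix'}."""
    problems = []
    for u, t in mapping.items():
        if u in vlans_with_svi:
            problems.append(f"VLAN {u}: auth VLAN has an SVI, hosts could bypass the CAS")
        if t not in vlans_with_svi:
            problems.append(f"VLAN {t}: trusted VLAN has no SVI, clients have no gateway")
        if u not in managed_subnets:
            problems.append(f"VLAN {u}: no managed subnet, CAS cannot answer ARP for this VLAN")
    return problems


if __name__ == "__main__":
    client = bytes.fromhex("001122334455")      # assumed client MAC
    gateway = bytes.fromhex("00aabbccddee")     # assumed gateway MAC
    ip_payload = b"\x45" + b"\x00" * 19         # stand-in IPv4 header
    out, why = cas_forward(build_frame(gateway, client, 20, ip_payload), "untrusted")
    print(why, "-> egress VID", parse_frame(out)[2])
    print(cas_forward(build_frame(gateway, client, 30, ip_payload), "untrusted")[1])
    print(plan_check(VLAN_MAPPING, {10}, {20: "10.1.10.2/24"}))
```

The second plan_check argument is the set of VLANs that have an SVI on any switch; giving the auth VLAN one is exactly the bypass path the thread warns about, because a host could then reach a gateway without its frames ever crossing the CAS.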
Similar Messages
-
Dear Experts,
I am planning to implement NAC in-band virtual mode. I have HP and Cisco switches in my network. I have read the installation guide and the Cisco Press book for NAC; now I want confirmation from you experts of the step-by-step procedure to set up NAC.
I thought to post because many of you have implemented NAC several times, so the general steps to start. I am going to do antivirus update and Windows update for the host posture assessment.
NAC in in-band L2 virtual mode
My thinking for the implementation is:
1. Create the authentication VLAN on the access switches (no SVI for the authentication VLAN).
2. Do the authentication VLAN and actual user VLAN mapping in NAC.
3. Create a rule such as Windows update and antivirus update; the requirement is then to access the antivirus server and the Windows update server.
4. Allow an access list for all the user VLANs to go to these antivirus and Windows update servers, BUT these IPs will be the actual VLAN IP subnet because we will not have any authentication subnet in DHCP? Correct me if I am wrong.
5. Shift the users from the actual VLAN to the authentication VLAN.
6. Configure the managed subnet for the reply to DHCP requests.
7. Enable L3 and set up static routes.
8. Manually go to each and every PC and open a browser so that it will be redirected to install the NAC agent. Is there any other way to install the NAC agent on 1000 Windows machines? My system administrators are not very smart, so please, any solution without any help from the system administrator? It will be highly appreciated.
The points above are what I think NAC is; if I am missing any other points, please advise me or give proper guidance.
Hi,
1. This is correct. Auth VLANs shouldn't have SVIs anywhere on the network
2. Okay
3. Okay. For posture assessment, look at chalktalk 5 from this link: http://bit.ly/chalktalks
4. For a L2 VGW setup (assuming In-Band), you will only have one set of IP addresses to work with, and those would be the Access VLAN IP addresses. You don't get a different IP address in your Auth VLAN. You can limit the resources you want your clients to have access to by tweaking the Traffic Policies
5. You would map the users, and you do that by defining the VLAN mappings
6. For L2 deployments, you will need managed subnets for all the IP subnets that you work with.
7. You don't need static routes for L2 deployments
8. If your clients are using any managed software system, like GPOs using AD, or SMS, or Altiris, you can push out the agent to them using those mechanisms.
HTH,
Faisal -
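Point 4 in the answer above (one set of IP addresses, access for not-yet-certified hosts limited by traffic policy rather than by addressing) as an added example, not Cisco's implementation: a Python model of role-based traffic policy evaluation with the posture-driven role transitions. The CAS, antivirus and Windows update server addresses, the role names and the transition events are assumed for illustration.

```python
"""Role-based traffic policy for NAC in L2 in-band mode (added example, not
Cisco code). A host on the auth VLAN keeps its production IP, so what it can
reach before posture passes is decided purely by the policy for its role.
Server addresses, role names and transition events are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

CAS_IP = "10.1.10.2"        # assumed managed-subnet address of the CAS
AV_SERVER = "10.1.50.10"    # assumed antivirus update server
WSUS_SERVER = "10.1.50.11"  # assumed Windows update server


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    dst: str                       # destination CIDR
    proto: str = "any"
    dport: Optional[int] = None    # None matches any port

    def matches(self, flow: Flow) -> bool:
        if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != flow.proto:
            return False
        return self.dport is None or self.dport == flow.dport


ANY = "0.0.0.0/0"
BOOTSTRAP = [                                  # needed before any login can happen
    Rule("permit", ANY, "udp", 67),            # DHCP
    Rule("permit", ANY, "udp", 68),
    Rule("permit", ANY, "udp", 53),            # DNS
    Rule("permit", f"{CAS_IP}/32", "tcp", 80),   # web login / redirect to the CAS
    Rule("permit", f"{CAS_IP}/32", "tcp", 443),
]
REMEDIATION = [                                # reachable only while remediating
    Rule("permit", f"{AV_SERVER}/32"),
    Rule("permit", f"{WSUS_SERVER}/32"),
]
POLICIES = {
    "unauthenticated": BOOTSTRAP + [Rule("deny", ANY)],
    "temporary": BOOTSTRAP + REMEDIATION + [Rule("deny", ANY)],
    "employee": [Rule("permit", ANY)],
}

# Role transitions driven by CAS events (assumed, simplified state machine)
TRANSITIONS = {
    ("unauthenticated", "login_ok"): "temporary",
    ("temporary", "posture_pass"): "employee",
    ("temporary", "posture_fail"): "temporary",
    ("temporary", "session_timeout"): "unauthenticated",
    ("employee", "session_timeout"): "unauthenticated",
}


def evaluate(role: str, flow: Flow) -> str:
    """First-match evaluation of the role's rule list; unknown roles deny everything."""
    for rule in POLICIES.get(role, []):
        if rule.matches(flow):
            return rule.action
    return "deny"


def next_role(role: str, event: str) -> str:
    """Return the role after an event; unknown events leave the role unchanged."""
    return TRANSITIONS.get((role, event), role)


if __name__ == "__main__":
    host = "10.1.10.50"                        # assumed client on the VLAN 10 subnet
    role = "unauthenticated"
    for event in ("login_ok", "posture_fail", "posture_pass"):
        role = next_role(role, event)
        verdict = evaluate(role, Flow(host, "203.0.113.10", "tcp", 443))
        print(f"{event:13} -> role {role:15} outbound https: {verdict}")
```

The point of keeping the remediation servers out of the unauthenticated role is that an unknown device should reach nothing but the CAS until someone has logged in; the antivirus and update servers open up only for the temporary role, and everything else only after posture passes.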
EA6400: Problems for wireless users
There are two router EA6400 (firmware version: 1.1.40.160989). Routers are configured in bridge mode. Routers are used for wireless devices/users. Wireless users have many problems with the quality of the connection and very high ping. Wired users don't have any problems with the quality of the connection and ping.
What's the problem?
Ping from user
user@pc:~$ ping yandex.ru
PING yandex.ru (93.158.134.11) 56(84) bytes of data.
64 bytes from yandex.ru (93.158.134.11): icmp_seq=1 ttl=56 time=6.66 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=2 ttl=56 time=1110 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=3 ttl=56 time=112 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=4 ttl=56 time=338 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=5 ttl=56 time=463 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=10 ttl=56 time=449 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=12 ttl=56 time=390 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=13 ttl=56 time=515 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=14 ttl=56 time=744 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=17 ttl=56 time=17.5 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=19 ttl=56 time=139 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=21 ttl=56 time=388 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=22 ttl=56 time=1440 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=23 ttl=56 time=433 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=24 ttl=56 time=1580 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=25 ttl=56 time=574 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=31 ttl=56 time=783 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=35 ttl=56 time=954 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=36 ttl=56 time=5.31 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=37 ttl=56 time=1110 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=38 ttl=56 time=103 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=39 ttl=56 time=225 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=40 ttl=56 time=761 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=41 ttl=56 time=157 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=43 ttl=56 time=10.0 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=44 ttl=56 time=1241 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=45 ttl=56 time=241 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=47 ttl=56 time=1020 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=48 ttl=56 time=946 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=49 ttl=56 time=5.29 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=51 ttl=56 time=1122 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=52 ttl=56 time=122 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=54 ttl=56 time=275 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=55 ttl=56 time=500 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=56 ttl=56 time=427 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=57 ttl=56 time=554 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=60 ttl=56 time=730 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=61 ttl=56 time=1062 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=62 ttl=56 time=66.3 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=63 ttl=56 time=390 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=64 ttl=56 time=526 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=73 ttl=56 time=944 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=77 ttl=56 time=123 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=81 ttl=56 time=325 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=89 ttl=56 time=626 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=92 ttl=56 time=701 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=94 ttl=56 time=852 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=102 ttl=56 time=1043 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=103 ttl=56 time=43.3 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=104 ttl=56 time=150 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=110 ttl=56 time=828 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=114 ttl=56 time=9.44 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=115 ttl=56 time=1154 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=116 ttl=56 time=155 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=119 ttl=56 time=435 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=127 ttl=56 time=734 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=134 ttl=56 time=81.6 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=135 ttl=56 time=100 ms
64 bytes from yandex.ru (93.158.134.11): icmp_seq=137 ttl=56 time=559 ms
^C
--- yandex.ru ping statistics ---
141 packets transmitted, 59 received, 58% packet loss, time 140168ms
rtt min/avg/max/mdev = 5.290/524.123/1580.880/407.470 ms, pipe 2
user@pc:~$
Traceroute from user
geekychix wrote:
What is the wireless channel set for your router? Flash the firmware of your router, reset and reconfigure it. Try playing around with channels 1,3,6 or 9. Security mode should be set to WPA2 Personal. Let me know how it goes.
Forgot to say that I only use the 2 GHz wireless network, from the fifth channel to the twelfth channel. I specifically chose channels that do not overlap with neighboring networks. I've already tried resetting the settings to the defaults and reconfiguring the router again. I only use WPA2 PSK-CCMP. Have any ideas?
Lun wrote:
EA6400 works really well for me with the current firmware. On 2.4 GHz, channel 9 is solid, and at 5.0 GHz, channel 157 is strong too. Try that.
Forgot to say that I only use the 2 GHz wireless network, from the fifth channel to the twelfth channel. I specifically chose channels that do not overlap with neighboring networks.
Saffronfs7 wrote:
Your WiFi network is possibly prone to wireless interference which causes high latency and slow/intermittent connection. Adjust the wireless settings on your EA6400 routers. Use Non-overlapping Channels like 1 or 6 or 11. Use a WiFi scanner to check which Channels are crowded and which ones are not. Although 5GHz network uses non-overlapping Channels I recommend using Channel 161.
I have already done all of that. Have any ideas?
Lun wrote:
Everyone in my area are using channel 1, 6, and 11 on 2.4ghz. Channel 9 work best for me.
Channels I specifically chose not to overlap with neighboring networks. Have any ideas? -
Problem authenticating Wireless users with peap
Good afternoon,
I am currently trying to authenticate wireless users using PEAP and an external RADIUS server. The problem is when I try to authenticate I get this error :
AAA/AUTHEN/PPP : Pick method list 'Permanent Local'
DOT11-7-AUTH_FAILED : Station ... Authentication failed
It shouldn't use local authentication, but the aaa server I configured.
I looked on the internet but didn't find a working solution.
Does anyone know why it is not working ?
Here is my running configuration :
Current configuration : 4276 bytes
! Last configuration change at 00:45:40 UTC Mon Mar 1 1993
! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ap
logging rate-limit console 9
enable secret 5 $1$QVC3$dIVAarlXOo52rN3ceZm1k0
aaa new-model
aaa group server radius rad_eap
server 192.168.2.2 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
no ip routing
no ip cef
dot11 syslog
dot11 ssid test
authentication open eap eap_list
authentication key-management wpa version 2
guest-mode
eap profile peap
method peap
crypto pki token default removal timeout 0
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
ssid test
antenna gain 0
stbc
beamform ofdm
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
antenna gain 0
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
dot1x pae authenticator
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface BVI1
ip address 192.168.3.10 255.255.255.0
no ip route-cache
ip default-gateway IP
ip forward-protocol nd
ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.2.2 auth-port 1812 acct-port 1813 key 7 140441081E501F0B7D
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 0 4
transport input all
end
Thank you
I haven't set up autonomous APs before, but I think I might see the problem. You are defining an authentication list called "eap_methods" but you never call for it in your SSID settings. Instead, there you call a list named "eap_list". In addition, I think you might be missing one more command. So perhaps try this:
dot11 ssid test
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa version 2
guest-mode
Hope this helps!
Thank you for rating helpful posts! -
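The mismatch the reply spots (eap_methods defined, eap_list referenced, so the AP falls back to the local method list) is easy to check mechanically. The following added example is not Cisco tooling and not from the post: it parses a flattened autonomous-AP configuration and reports SSIDs that reference an undefined AAA method list, and method lists whose server group has no servers. The sample configuration is cut down from the post with the secrets removed.

```python
"""Static check of an autonomous-AP IOS configuration for dangling AAA
references. Added example, not Cisco tooling; the sample configuration is a
constructed subset of the one posted above, secrets removed."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius rad_eap
server 192.168.2.2 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
dot11 ssid test
authentication open eap eap_list
authentication key-management wpa version 2
guest-mode
eap profile peap
method peap
interface Dot11Radio0
encryption mode ciphers aes-ccm
ssid test
"""

# Keywords that start a new top-level stanza in a flattened (unindented) config
TOP_LEVEL = ("aaa ", "dot11 ", "interface ", "ip ", "radius-server", "bridge ",
             "line ", "eap ", "crypto ", "hostname ", "version ", "no ", "end")
SSID_AUTH_RE = re.compile(r"authentication (open eap|network-eap|open mac-address) (\S+)")


def parse_config(text):
    groups = {}                 # server-group name -> list of 'server' lines
    lists = {}                  # (kind, list name) -> method tokens
    ssids = defaultdict(dict)   # ssid -> {auth type: method list name}
    ctx = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"aaa group server (?:radius|tacacs\+) (\S+)$", line)
        if m:
            groups[m.group(1)] = []
            ctx = ("group", m.group(1))
            continue
        m = re.match(r"aaa (authentication|accounting) \S+ (\S+) (.+)$", line)
        if m:
            lists[(m.group(1), m.group(2))] = m.group(3).split()
            ctx = None
            continue
        m = re.match(r"dot11 ssid (\S+)$", line)
        if m:
            ctx = ("ssid", m.group(1))
            continue
        if line.startswith(TOP_LEVEL):
            ctx = None
            continue
        if ctx and ctx[0] == "group" and line.startswith("server "):
            groups[ctx[1]].append(line)
        elif ctx and ctx[0] == "ssid":
            m = SSID_AUTH_RE.match(line)
            if m:
                ssids[ctx[1]][m.group(1)] = m.group(2)
    return groups, lists, ssids


def check_config(text):
    """Return a list of findings; an empty list means no dangling references."""
    groups, lists, ssids = parse_config(text)
    findings = []
    defined = {name for kind, name in lists if kind == "authentication"}
    for ssid, refs in ssids.items():
        for how, name in refs.items():
            if name not in defined:
                findings.append(f"ssid {ssid}: '{how}' references method list '{name}' "
                                f"which is not defined (defined: {sorted(defined)})")
    for (kind, name), methods in lists.items():
        for i, tok in enumerate(methods):
            if tok != "group" or i + 1 >= len(methods):
                continue
            g = methods[i + 1]
            if g not in groups:
                findings.append(f"{kind} list {name}: server group '{g}' is not defined")
            elif not groups[g]:
                findings.append(f"{kind} list {name}: server group '{g}' has no servers")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

On the sample it reports the undefined eap_list, and also that acct_methods points at the empty group rad_acct, which is harmless here but is the same class of mistake.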
PEAP authentication failed for wireless users
Dears
Hello
I'm receiving this error when I'm trying to authenticate wireless users using PEAP MSCHAPv2. Can anyone please support me?
Thanks
Dear Neno
the customer has sent me this in aruba
aaa authentication dot1x "dot1xProfile"
termination eap-type eap-peap
termination inner-eap-type eap-mschapv2
aaa authentication-server radius "SERVER"
host x.x.x.x
key xxxx
nas-ip x.x.x.x
aaa server-group "RADIUS-GROUP"
auth-server "SERVER"
aaa profile "KSAU-JED-AAA-Profile"
authentication-dot1x "dot1xProfile"
dot1x-server-group "RADIUS-GROUP"
wlan virtual-ap "SSID-NAME"
aaa-profile "KSAU-JED-AAA-Profile"
ssid-profile "SSID-NAME"
vlan <VLAN ID> -
I have a problem here, guys. I will deploy Cisco NAC with wireless users.
My scenario is IB-VG; the access points are autonomous, there is no WLC.
The AP is connected to the switch on a trunk port and I have configured the AP
with different SSIDs, each one with a different VLAN. On the NAC I have
configured the VLAN mapping and the managed subnets, but it doesn't work.
I want to know where the problem is, or is there any configuration example to configure an
autonomous AP in in-band virtual gateway mode?
Hi,
Can you please be more specific about what does not work?
What were you expecting to see and what are you seeing?
Do the wireless users get IP address?
If, yes, are they getting the IP you would expect?
After getting an IP address, if you open a web browser, do you get redirected to the NAC login page?
If yes, do you enter the credentials and fail authentication?
Please note that you will need to make sure that the VLAN on the clients is allowed on the untrusted interface of the CAS, and that the VLAN mapping maps this VLAN to a VLAN where a DHCP server can be reachable.
Also, please make sure that the traffic on the VLAN configured on the SSID has the only path as the path going through the CAS.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
3850 command to show wireless user dACL
Hi,
I am using 3850 and 5760 with converged access mode.
There is also ISE to provide dACL for wireless user.
In 3850, I can issue "show access-list" to see the dACL from ISE.
But I can't be sure which ACL apply to which user when there are more than one dACL.
I have tried command like "show wireless client mac-address MAC detail" but didn't see anything related.
I can only achieve that by checking logs on ISE.
Is there any command I can do for this purpose?
3850 and 5760 version : 3.3.0
ISE version : 1.2
Thanks!!!
Hi Mason,
I know that for switch IOS the command "show authentication session interface INTERFACE" shows the dACL that is applied to this port. I think the new command for the IOSXE devices is "show access-session mac H.H.H detail" is the corresponding one which should show the dACL that was applied to that MAC-address.
Please see if that works for you.
Best regards,
Patrick Meyer -
Can't use HP Laserjet 4000 with Windows 7 or even in XP virtual mode
I've tried everything I can think of; read everything I can find; downloaded drivers, updates, and patches; uninstalled the printer, reinstalled the printer, rebooted, ad nauseam. And I still can't get it to work -- this week, that is. Last week it printed. All the check tests say it should work. In XP Virtual Mode the status menu shows the document printed -- but it must be a virtual copy, because I can't find it. When I try to print in Windows 7, the status menu shows "error" but troubleshooting can't find anything wrong. Any suggestions? Any assistance will be greatly appreciated.
Thanks for your time.
Rene
Been using the LaserJet 4000 under XP for years. Installed Win 7, downloaded the driver from this site http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareIndex.jsp?lang=en&cc=us&prodNameId=14952&pr... but it did not work (driver not installed).
Connected to a laptop with Vista and it worked fine. Any help is appreciated. -
Open Users Setup form in Find mode
Hello,
When I open the users form
Administration
---Setup
General
Users
this form is in Add mode. Is there a way to have it in find mode directly ?
Thank you
Sébastien
Hi,
It is not possible to have the User - setup in the Find mode default.
The form opens in the Add Mode and you have to go to the Memo and click on Find or do a Ctrl + F.
Regards,
Jitin
SAP Business One Forum Team -
Reauthencation of Wireless User does not get prompt
Hi Sir,
I set up a RADIUS server (Cisco ACS) to authenticate wireless users via 802.1X. The EAP protocol deployed is Microsoft PEAP, as most of the clients' OS is XP. The users might be sharing the same laptops. When a user selects the wireless network to connect to, he is prompted with a window to enter the Username, Password and Domain fields. After successful authentication, he is able to access the network resources.
However, the user is not prompted for the Username, Password and Domain after he has done so the first time. I understand that XP caches the user credentials in the registry. But my customer would like the window prompt to appear to reauthenticate when the following scenarios happen:
a) Session timeout (I noticed options in the Group profile in ACS, but they didn't seem to work). What is this session timeout in ACS?
b) Idle timeout to reauthenticate the current wireless user, as the user might leave his workspace for a short period of time and someone might use his credentials to access the network illegitimately.
c) When he shuts down the PC and the laptop is passed to another user, the previous user's credentials are used rather than the second user's credentials.
How can I disable the automatically cached user credentials? Is there a way to prompt the user after a period of time to enter the Username, Password and Domain fields again? Is the option available in the XP client? I searched through the AP configuration options but found none.
Please advise. Thank you
Delon
Try this link
http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a0080094671.shtml#cswin -
Wireless users are loosing the internet connection....
Dear All, my wireless users are losing the internet (http and https) connection many times per day. I just checked the port configuration in the switch, but the problem persists. The device is a Cisco Aironet 1130 AG. Does someone have some idea???
Sent from Cisco Technical Support iPhone App
Dear All, my wireless users are losing the internet (http and https) connection many times per day. I just checked the port configuration in the switch, but the problem persists. The device is a Cisco Aironet 1130 AG.
You are barking up the wrong tree.
Can you please elaborate further?
I need to determine whether the clients are losing the WIRELESS connection or losing the WAN connection. Two different things, two different directions to choose from.
The easiest way to determine this is:
Presume you have 10 clients and half the clients are associated to one WAP and the other half to the other WAP. Your description states that all 10 clients would lose internet connectivity. Is this correct? If so, then we start with your switch and your WAPs. How are the WAPs powered? PoE or power injector? Can you console into the WAPs? Can you post the output of the commands "sh version" and "sh logs"? How about the switch? Can you console into the switch? Can you post the output of the commands "sh version" and "sh logs"? -
Wireless users not visible in PRSM with CDA integration
I have an ASA 5515-X v9.1 with CX module v9.1.3 and CDA integrated into the AD domain. I can see the user-to-IP mappings for domain Windows users, like desktops and laptops. I cannot see the user-to-IP mappings for the wireless users. I see their IP addresses but the usernames don't come in. I have PRSM configured to use CDA. Do I need to also add the WLC somehow to the CDA setup?
Hi, Try one of the following:
1. Provision the native users with viewer role for BI+, if not done already
2. For the folder, containing the reports, have these users being provisioned? Are you able to view the users with provisioning access to the folder?
3. Do not put any filter for users and "begins with" combination, to display all possible users
Let me know if that works! -
Wireless users Authentication of external repository? help?
Hi people,
My version is 9iAS 1.0.2.2.
I have read that is possible to use external repository in order to authenticate
wireless users.
I would like to do this using an external repository that contains, for example, the list of telephone numbers of my users.
Any help?
I believe these two links should help:
http://otn.oracle.com/docs/products/ias/doc_library/1021doc_otn/portal.102/a86700/devrun.htm#1023745
http://otn.oracle.com/docs/products/ias/doc_library/1021doc_otn/portal.102/a86700/devxml.htm#1012041 -
Getting Wireless Users onto LAN
Hello All,
We recently purchased 2 APs and a 2106 WLC, and I am having some trouble getting the wireless users to communicate with the network on the other side of the WLC. Here is a very simple diagram of how this is all connected.
3750X L3 Switch --> 2106 WLC --> AP
LAN Network - 10.10.0.0/16 Wireless Users Network - 10.100.21.0/24
So with a laptop, I can get a DHCP reservation from the WLC on the 10.100.21.0/24 network. From there though, I cannot ping anything in the 10.10.0.0/16 network. I know that I am talking across two different networks, so by default they shouldn't be able to communicate, but I feel like I am missing a setting on the WLC that will allow the two networks to communicate.
Management Interface:
IP Address: 10.10.20.100
Netmask: 255.255.0.0
Gateway: 10.10.0.1
DHCP Info: 10.10.20.100
Here is the config for my test interface (which may be the problem):
IP Address: 10.100.21.2
Netmask: 255.255.255.0
Gateway: 10.100.21.1
DHCP Info: 10.10.20.100
Thanks in advance for taking a look.
Hello George,
Thanks for the reply. I believe I have routes that allow both these networks to talk; currently we are redesigning our network, so bear with me as the setup is a little goofy.
The way our devices are connected in terms of the wireless configuration:
Internet <-> ASA <-> 3750 switch <-> WLC <-> AP <-> Laptop
|
My PC
So, currently our default gateway for our LAN (10.10.0.1) is the inside interface of the ASA (like I said, working on changing this). On the ASA I also have a static route configured so any traffic destined for 10.100.21.0/24 is sent to 10.10.20.2, which is our 3750 switch.
On the 3750 switch I set a default gateway for our wireless network of 10.100.21.1. I also configured the trunk from the post above so there is a trunk between the 3750 and the WLC allowing the LAN VLAN and Wireless VLAN to send data across it.
On our WLC I have this configured:
Management Interface:
IP Address: 10.10.20.100
Netmask: 255.255.0.0
Gateway: 10.10.0.1
DHCP Info: 10.10.20.100
Here is the config for my test interface (which may be the problem):
IP Address: 10.100.21.2
Netmask: 255.255.255.0
Gateway: 10.100.21.1
DHCP Info: 10.10.20.100
From my LAN I can ping 10.100.21.1.
Our host on the wireless can get an IP, but when it attempts to ping anything (even its gateway) I get no replies.
Going back to your question of whether we have routes for both networks to talk, I believe we do, unless I am missing something.
Thanks again for your reply and taking the time to look at this. -
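The two interface definitions quoted in this thread can be checked mechanically before anyone starts chasing routes. The script below is an added example, not Cisco's tooling and not anything the poster ran: it encodes the management and test interface values exactly as given above and applies the addressing rules a controller interface has to satisfy (gateway inside the interface subnet, no network/broadcast address used as the interface IP, no overlap between interface subnets) and classifies where the configured DHCP server sits relative to the controller. The interface names and the `WlcInterface` helper are mine.

```python
"""Consistency checks for the WLC interface addressing quoted in the thread.

Added example, not Cisco's tooling: it encodes the management and test
interface values from the post and applies the addressing rules a controller
interface must satisfy. Passing these checks rules out addressing mistakes;
it says nothing about the trunk/VLAN and routing path behind the controller.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from itertools import combinations
from typing import List


@dataclass(frozen=True)
class WlcInterface:
    name: str
    ip: str
    netmask: str
    gateway: str
    dhcp_server: str

    @property
    def iface(self) -> IPv4Interface:
        # ipaddress accepts a dotted netmask after the slash
        return IPv4Interface(f"{self.ip}/{self.netmask}")


# Values exactly as given in the post above (interface names are mine).
WLC_INTERFACES = [
    WlcInterface("management", "10.10.20.100", "255.255.0.0", "10.10.0.1", "10.10.20.100"),
    WlcInterface("test", "10.100.21.2", "255.255.255.0", "10.100.21.1", "10.10.20.100"),
]


def check_interface(i: WlcInterface) -> List[str]:
    """Problems with a single interface; an empty list means it is self-consistent."""
    problems: List[str] = []
    net = i.iface.network
    gw = IPv4Address(i.gateway)
    if gw not in net:
        problems.append(f"{i.name}: gateway {gw} is outside {net}")
    elif gw == i.iface.ip:
        problems.append(f"{i.name}: gateway equals the interface address {gw}")
    if i.iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{i.name}: {i.iface.ip} is the network or broadcast address of {net}")
    return problems


def check_overlap(ifaces: List[WlcInterface]) -> List[str]:
    """Two controller interfaces must not share or nest address space."""
    return [
        f"{a.name} ({a.iface.network}) overlaps {b.name} ({b.iface.network})"
        for a, b in combinations(ifaces, 2)
        if a.iface.network.overlaps(b.iface.network)
    ]


def classify_dhcp(i: WlcInterface, ifaces: List[WlcInterface]) -> str:
    """Where the DHCP server configured on an interface lives, relative to the controller."""
    server = IPv4Address(i.dhcp_server)
    if any(server == o.iface.ip for o in ifaces):
        return "internal"   # the controller's own address: an internal DHCP scope
    if any(server in o.iface.network for o in ifaces):
        return "on-link"    # a host on one of the controller's own subnets
    return "remote"         # reached through the interface gateway


def audit(ifaces: List[WlcInterface]) -> List[str]:
    """All addressing problems across the given interfaces (empty = consistent)."""
    problems: List[str] = []
    for i in ifaces:
        problems.extend(check_interface(i))
    problems.extend(check_overlap(ifaces))
    return problems


if __name__ == "__main__":
    for p in audit(WLC_INTERFACES) or ["no addressing problems found"]:
        print(p)
    for i in WLC_INTERFACES:
        print(f"{i.name}: DHCP server {i.dhcp_server} is {classify_dhcp(i, WLC_INTERFACES)}")
```

Both interfaces in the post pass, and the DHCP server is the controller's own management address. That points the troubleshooting away from addressing and toward the path these checks cannot see: whether the test interface is tagged with the wireless VLAN carried on the 3750-to-WLC trunk, and how the 3750 and the ASA route 10.100.21.0/24.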
WLC 4404 Wireless users getting disabled
Hi,
I have a WLC 4404 running version 7.0.116.0. I was getting the following messages for particular APs:
*Dec 20 14:11:13.875: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 20 14:11:13.908: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 20 14:11:29.383: %LWAPP-5-RLDP: RLDP stopped on slot 0.
*Dec 20 14:11:29.674: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 20 14:11:29.678: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 20 14:11:29.700: %LWAPP-5-RLDP: RLDP started on slot 0.
*Dec 20 14:11:29.707: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 20 14:11:29.752: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 20 14:11:29.757: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 20 14:11:29.790: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 20 14:11:45.396: %LWAPP-5-RLDP: RLDP stopped on slot 0.
After seeing a Cisco forum post, I disabled RLDP for those particular APs,
so the above messages are rectified.
But right now we are not able to identify the rogue IP and it is not contained.
So please give any suggestion so that I can rectify the above messages as well as identify the rogue IP.
Thanks & Regards
Gaurav Pandya
Hi Scott,
You are right, I am not able to detect rogue APs because I disabled RLDP. But when I enable RLDP for that particular AP, I get the following messages, with the interface going up and down:
*Dec 20 14:11:13.875: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 20 14:11:13.908: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 20 14:11:29.383: %LWAPP-5-RLDP: RLDP stopped on slot 0.
*Dec 20 14:11:29.674: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 20 14:11:29.678: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 20 14:11:29.700: %LWAPP-5-RLDP: RLDP started on slot 0.
So please suggest a middle way so that I can enable RLDP (to detect the rogue APs) without the interface going up and down frequently.
Regards
Gaurav
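The log lines quoted in this thread are the kind of thing a monitoring job should flag on its own rather than waiting for a user complaint. The script below is an added example, not Cisco's tooling and not from the thread: it parses the AP syslog lines quoted above (embedded verbatim as the sample, with the duplicated final entry dropped), counts Dot11Radio0 "down" transitions in a sliding window, and reports which of those transitions immediately followed an RLDP start or stop, so that RLDP-induced resets can be told apart from a genuinely unstable radio. The 60-second window, the two-downs threshold and the 1-second correlation gap are assumptions chosen for illustration; these timestamps carry no year, so they are used for ordering only.

```python
"""Detect Dot11Radio0 link flapping in AP syslog and attribute it to RLDP events.

Added example, not Cisco's tooling. SAMPLE_LOG is the set of lines quoted in the
thread above; the thresholds are illustrative assumptions.
"""
import re
from collections import deque
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Tuple

# Sample taken from the lines quoted in the thread (duplicate trailing entry removed).
SAMPLE_LOG = """\
*Dec 20 14:11:13.875: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 20 14:11:13.908: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 20 14:11:29.383: %LWAPP-5-RLDP: RLDP stopped on slot 0.
*Dec 20 14:11:29.674: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 20 14:11:29.678: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 20 14:11:29.700: %LWAPP-5-RLDP: RLDP started on slot 0.
*Dec 20 14:11:29.707: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 20 14:11:29.752: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 20 14:11:29.757: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 20 14:11:29.790: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 20 14:11:45.396: %LWAPP-5-RLDP: RLDP stopped on slot 0.
"""

# IOS syslog shape: "*Mon DD HH:MM:SS.mmm: %FACILITY-SEV-MNEMONIC: message"
LINE_RE = re.compile(
    r"^\*(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$"
)
IFACE_RE = re.compile(r"Interface (?P<iface>\S+), changed state to (?P<state>\w+)")
RLDP_RE = re.compile(r"RLDP (?P<action>started|stopped) on slot (?P<slot>\d+)")


class Event(NamedTuple):
    ts: datetime
    kind: str     # "link" or "rldp"
    detail: str   # up / down / reset, or started / stopped
    target: str   # interface name, or "slotN" for RLDP


def parse_log(text: str) -> List[Event]:
    """Turn the syslog text into structured link and RLDP events; other lines are ignored."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # No year in the timestamp: strptime fills in 1900, which is fine for ordering.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")
        if m["facility"] == "LINK":
            im = IFACE_RE.search(m["msg"])
            if im:
                events.append(Event(ts, "link", im["state"], im["iface"]))
        elif m["facility"] == "LWAPP" and m["mnemonic"] == "RLDP":
            rm = RLDP_RE.search(m["msg"])
            if rm:
                events.append(Event(ts, "rldp", rm["action"], "slot" + rm["slot"]))
    return events


def max_downs_in_window(events: List[Event], iface: str = "Dot11Radio0",
                        window_s: int = 60) -> int:
    """Largest number of 'down' transitions for iface inside any window_s-second window."""
    window = timedelta(seconds=window_s)
    recent: deque = deque()
    worst = 0
    for e in events:
        if e.kind == "link" and e.target == iface and e.detail == "down":
            recent.append(e.ts)
            while recent and e.ts - recent[0] > window:
                recent.popleft()
            worst = max(worst, len(recent))
    return worst


def attribute_to_rldp(events: List[Event], iface: str = "Dot11Radio0",
                      max_gap_s: float = 1.0) -> List[Tuple[datetime, Optional[str]]]:
    """For each 'down' on iface, the most recent RLDP started/stopped within max_gap_s, or None."""
    rldp = [e for e in events if e.kind == "rldp"]
    out: List[Tuple[datetime, Optional[str]]] = []
    for e in events:
        if e.kind == "link" and e.target == iface and e.detail == "down":
            prior = [r for r in rldp if r.ts <= e.ts and (e.ts - r.ts).total_seconds() <= max_gap_s]
            out.append((e.ts, prior[-1].detail if prior else None))
    return out


def summarize(text: str, iface: str = "Dot11Radio0", threshold: int = 2) -> Dict[str, object]:
    """Verdict for one interface: is it flapping, and how many downs trace back to RLDP."""
    events = parse_log(text)
    downs = attribute_to_rldp(events, iface)
    rldp_related = sum(1 for _, cause in downs if cause is not None)
    return {
        "events": len(events),
        "max_downs_in_window": max_downs_in_window(events, iface),
        "flapping": max_downs_in_window(events, iface) >= threshold,
        "downs": len(downs),
        "downs_following_rldp": rldp_related,
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

On the quoted sample every "down" lands within a second of an RLDP stop or start, which is the pattern to look for when deciding whether a radio reset is RLDP doing its job (it briefly drops the radio to act as a client of the suspected rogue) or a hardware or RF problem that needs a different fix. The same parser can be pointed at a controller syslog export; only `SAMPLE_LOG` is constructed.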