Wireless users

I have an AP 1242.
Is there a command to see what users are using this access point?
regards and thanks

Hi Hernan,
If you are trying to find out how many users are associated to an AP, this example shows how to display all client devices associated with the access point:
AP# show dot11 associations client
http://www.cisco.com/en/US/docs/wireless/access_point/12.3_4_JA/command/reference/cr34main.html#wpxref81339
Hope this helps! Happy Holidays!
Rob

Similar Messages

  • Reauthentication of Wireless User does not get prompt

    Hi Sir,
    I set up a RADIUS server (Cisco ACS) to authenticate wireless users via 802.1x. The EAP protocol deployed is Microsoft PEAP as most of the clients' OS is XP. The users might be sharing the same laptops. When a user selects the wireless network to connect to, he is prompted with a window to enter the Username, Password and Domain fields. After successful authentication, he is able to access the network resources.
    However, the user is not prompted for the Username, Password and Domain after he has done so the first time. I understand that XP caches the user credentials in the registry. But my customer would like the window prompt to appear to reauthenticate when the following scenarios happen:
    a) Session timeout (I noticed options in the Group profile in ACS but they didn't seem to work). What is this session timeout in ACS?
    b) Idle timeout, to reauthenticate the current wireless user, as the user might leave his workspace for a short period of time and someone might use his credentials to access the network illegitimately
    c) When he shuts down the PC and the laptop is passed to another user, but the previous user's credentials are used rather than the second user's credentials.
    How can I disable the automatic cached user credentials? Is there a way to prompt the user after a period of time to enter the Username, Password and Domain fields again? Is the option available in the XP client? I searched through the AP configuration options but found none.
    Please advise. Thank you
    Delon

    Try this link
    http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a0080094671.shtml#cswin

  • Wireless users are losing the internet connection....

    Dear All, My wireless users are losing the internet (http and https) connection many times per day. I just checked the ports configuration in the switch, but the problem persists. The device is a Cisco Aironet 1130 AG. Does someone have some idea???
    Sent from Cisco Technical Support iPhone App

    Dear All, My wireless users are losing the internet (http and https) connection many times per day. I just checked the ports configuration in the switch, but the problem persists. The device is a Cisco Aironet 1130 AG.
    You are barking up the wrong tree.
    Can you please elaborate further?
    I need to determine whether the clients are losing WIRELESS connection or losing WAN connection. Two different things, two different directions to choose from.
    The easiest way to determine is this:
    Presume you have 10 clients and half the clients are associated to one WAP and the other half to the other WAP. Your description states that all 10 clients would lose internet connectivity. Is this correct? If this is so, then we start with your switch and your WAPs. How are the WAPs powered? PoE or power injector? Can you console into the WAPs? Can you post the output to the commands "sh version" and "sh logs"? How about the switch? Can you console into the switch? Can you post the output to the commands "sh version" and "sh logs"?

  • EA6400: Problems for wireless users

    There are two router EA6400 (firmware version: 1.1.40.160989). Routers are configured in bridge mode. Routers are used for wireless devices/users. Wireless users have many problems with the quality of the connection and very high ping. Wired users don't have any problems with the quality of the connection and ping.
    What's the problem?
    Ping from user
    user@pc:~$ ping yandex.ru
    PING yandex.ru (93.158.134.11) 56(84) bytes of data.
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=1 ttl=56 time=6.66 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=2 ttl=56 time=1110 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=3 ttl=56 time=112 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=4 ttl=56 time=338 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=5 ttl=56 time=463 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=10 ttl=56 time=449 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=12 ttl=56 time=390 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=13 ttl=56 time=515 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=14 ttl=56 time=744 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=17 ttl=56 time=17.5 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=19 ttl=56 time=139 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=21 ttl=56 time=388 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=22 ttl=56 time=1440 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=23 ttl=56 time=433 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=24 ttl=56 time=1580 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=25 ttl=56 time=574 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=31 ttl=56 time=783 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=35 ttl=56 time=954 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=36 ttl=56 time=5.31 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=37 ttl=56 time=1110 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=38 ttl=56 time=103 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=39 ttl=56 time=225 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=40 ttl=56 time=761 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=41 ttl=56 time=157 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=43 ttl=56 time=10.0 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=44 ttl=56 time=1241 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=45 ttl=56 time=241 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=47 ttl=56 time=1020 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=48 ttl=56 time=946 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=49 ttl=56 time=5.29 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=51 ttl=56 time=1122 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=52 ttl=56 time=122 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=54 ttl=56 time=275 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=55 ttl=56 time=500 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=56 ttl=56 time=427 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=57 ttl=56 time=554 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=60 ttl=56 time=730 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=61 ttl=56 time=1062 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=62 ttl=56 time=66.3 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=63 ttl=56 time=390 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=64 ttl=56 time=526 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=73 ttl=56 time=944 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=77 ttl=56 time=123 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=81 ttl=56 time=325 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=89 ttl=56 time=626 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=92 ttl=56 time=701 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=94 ttl=56 time=852 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=102 ttl=56 time=1043 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=103 ttl=56 time=43.3 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=104 ttl=56 time=150 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=110 ttl=56 time=828 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=114 ttl=56 time=9.44 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=115 ttl=56 time=1154 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=116 ttl=56 time=155 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=119 ttl=56 time=435 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=127 ttl=56 time=734 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=134 ttl=56 time=81.6 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=135 ttl=56 time=100 ms
    64 bytes from yandex.ru (93.158.134.11): icmp_seq=137 ttl=56 time=559 ms
    ^C
    --- yandex.ru ping statistics ---
    141 packets transmitted, 59 received, 58% packet loss, time 140168ms
    rtt min/avg/max/mdev = 5.290/524.123/1580.880/407.470 ms, pipe 2
    user@pc:~$
    Traceroute from user

    geekychix wrote:
    What is the wireless channel set for your router? Flash the firmware of your router, reset and reconfigure it. Try playing around with channels 1,3,6 or 9. Security mode should be set to WPA2 Personal. Let me know how it goes.
    Forgot to say that I only use 2GHz wireless network. A fifth channel to another 12th channel. Channels I specifically chose not to overlap with neighboring networks. I've already tried to reset the settings to the default and reconfigure the router again. I only use WPA2 PSK-CCMP. Have any ideas?
    Lun wrote:
    EA6400 works really good for me with the current firmware.  On 2.4ghz, channel 9 is solid and at 5.0ghz, channel 157 is strong too.  Try that.
    Forgot to say that I only use 2GHz wireless network. A fifth channel to another 12th channel. Channels I specifically chose not to overlap with neighboring networks.
    Saffronfs7 wrote:
    Your WiFi network is possibly prone to wireless interference which causes high latency and slow/intermittent connection. Adjust the wireless settings on your EA6400 routers. Use Non-overlapping Channels like 1 or 6 or 11. Use a WiFi scanner to check which Channels are crowded and which ones are not. Although 5GHz network uses non-overlapping Channels I recommend using Channel 161.
    I advance it all already made. Have any ideas?
    Lun wrote:
    Everyone in my area are using channel 1, 6, and 11 on 2.4ghz.  Channel 9 work best for me.
    Channels I specifically chose not to overlap with neighboring networks. Have any ideas?

  • Wireless users not visible in PRSM with CDA integration

    I have ASA 5515x v 9.1 with CX module v 9.1.3 and CDA integrated into the AD domain. I can see the user-to-IP mappings for domain Windows users, like desktops and laptops. I cannot see the user-to-IP mappings for the wireless users. I see their IP addresses but the usernames don't come in. I have the PRSM configured to use CDA. Do I need to also add the WLC somehow to the CDA setup?

    Hi, Try one of the following:
    1. Provision the native users with viewer role for BI+, if not done already
    2. For the folder containing the reports, have these users been provisioned? Are you able to view the users with provisioning access to the folder?
    3. Do not put any filter for users and the "begins with" combination, to display all possible users
    Let me know if that works!

  • Wireless users Authentication of external repository? help?

    Hi people,
    My version is 9ias 1.0.2.2
    I have read that it is possible to use an external repository in order to authenticate wireless users.
    I would like to do this using an external repository that contains, for example, the list of telephone numbers of my users.
    Any help ?

    I believe these two links should help:
    http://otn.oracle.com/docs/products/ias/doc_library/1021doc_otn/portal.102/a86700/devrun.htm#1023745
    http://otn.oracle.com/docs/products/ias/doc_library/1021doc_otn/portal.102/a86700/devxml.htm#1012041

  • Getting Wireless Users onto LAN

    Hello All,
    We currently purchased 2 AP's and a 2106 WLC and I am having some trouble getting the wireless users to communicate to the network on the other side of the WLC. Here is a very simple diagram on how this is all connected.
    3750X L3 Switch --> 2106 WLC --> AP
    LAN Network - 10.10.0.0/16           Wireless Users Network - 10.100.21.0/24
    So with a laptop, I can get a DHCP reservation from the WLC to the 10.100.21.0/24 network. From there though, I cannot ping anything in the 10.10.0.0/16 network. I know that I am talking across two different networks so by default they shouldn't be able to communicate, but I feel like I am missing a setting on the WLC that will allow the two networks to communicate.
    Management Interface:
    IP Address: 10.10.20.100
    Netmask: 255.255.0.0
    Gateway: 10.10.0.1
    DHCP Info: 10.10.20.100
    Here is the config for my test interface (which may be the problem):
    IP Address: 10.100.21.2
    Netmask: 255.255.255.0
    Gateway: 10.100.21.1
    DHCP Info: 10.10.20.100
    Thanks in advance for taking a look.

    Hello George,
    Thanks for the reply. I believe I have routes that allow both these networks to talk, currently we are redesigning our network so bear with me as the setup is a little goofy.
    The way our devices are connected in terms of the wireless configuration:
    Internet <-> ASA <-> 3750 switch <-> WLC <-> AP <-> Laptop
                                          |
                                      My PC    
    So, currently our default gateway for our LAN (10.10.0.1) is the inside interface of the ASA (like I said, working on changing this). On the ASA I also have a static route configured so any traffic destined for 10.100.21.0/24 is sent to 10.10.20.2, which is our 3750 Switch.
    On the 3750 switch I set a default gateway for our wireless network of 10.100.21.1. I also configured the trunk from the post above so there is a trunk between the 3750 and the WLC allowing the LAN VLAN and Wireless VLAN to send data across it.
    On our WLC I have this configured:
    Management Interface:
    IP Address: 10.10.20.100
    Netmask: 255.255.0.0
    Gateway: 10.10.0.1
    DHCP Info: 10.10.20.100
    Here is the config for my test interface (which may be the problem):
    IP Address: 10.100.21.2
    Netmask: 255.255.255.0
    Gateway: 10.100.21.1
    DHCP Info: 10.10.20.100
    From my LAN I can ping 10.100.21.1
    Our host on the wireless can get an IP, but when it attempts to ping anything (even its gateway) I get no replies.
    Going back to your question of if we have routes for both networks to talk, I believe we do, unless I am missing something.
    Thanks again for your reply and taking the time to look at this.

  • WLC 4404 Wireless users getting disabled

    Hi,
    I have a WLC 4404 with version 7.0.116.0. I was getting the following messages for particular APs:
    *Dec 20 14:11:13.875: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 20 14:11:13.908: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec 20 14:11:29.383: %LWAPP-5-RLDP: RLDP stopped on slot 0.
    *Dec 20 14:11:29.674: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
    *Dec 20 14:11:29.678: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 20 14:11:29.700: %LWAPP-5-RLDP: RLDP started on slot 0.
    *Dec 20 14:11:29.707: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec 20 14:11:29.752: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
    *Dec 20 14:11:29.757: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 20 14:11:29.790: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec 20 14:11:45.396: %LWAPP-5-RLDP: RLDP stopped on slot 0.
    *Dec 20 14:11:13.875: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    After seeing one of the Cisco forum posts, I have disabled RLDP for those particular APs, so the above messages are rectified.
    But right now we are not able to identify the Rogue IP and it is not contained.
    So please give any suggestion so that I can rectify the above messages as well as identify the rogue IP.
    Thanks & Regards
    Gaurav Pandya

    Hi Scott,
    You are right, I am not able to detect rogue APs because I disabled RLDP. But when I enable RLDP for that particular AP, I get the following messages with the interface going up and down:
    *Dec 20 14:11:13.875: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 20 14:11:13.908: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec 20 14:11:29.383: %LWAPP-5-RLDP: RLDP stopped on slot 0.
    *Dec 20 14:11:29.674: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
    *Dec 20 14:11:29.678: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 20 14:11:29.700: %LWAPP-5-RLDP: RLDP started on slot 0.
    So please suggest a middle way so that I can enable RLDP (detect the rogue APs) without the interface going up and down frequently.
    Regards
    Gaurav

  • Problem authenticating Wireless users with peap

    Good afternoon,
    I am currently trying to authenticate wireless users using PEAP and an external RADIUS server. The problem is when I try to authenticate I get this error :
    AAA/AUTHEN/PPP : Pick method list 'Permanent Local'
    DOT11-7-AUTH_FAILED : Station ... Authentication failed
    It shouldn't use local authentication, but the aaa server I configured.
    I looked on the internet but didn't find a working solution.
    Does anyone know why it is not working ?
    Here is my running configuration :
    Current configuration : 4276 bytes
    ! Last configuration change at 00:45:40 UTC Mon Mar 1 1993
    ! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
    ! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    logging rate-limit console 9
    enable secret 5 $1$QVC3$dIVAarlXOo52rN3ceZm1k0
    aaa new-model
    aaa group server radius rad_eap
     server 192.168.2.2 auth-port 1812 acct-port 1813
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    no ip routing
    no ip cef
    dot11 syslog
    dot11 ssid test
       authentication open eap eap_list
       authentication key-management wpa version 2
       guest-mode
    eap profile peap
     method peap
    crypto pki token default removal timeout 0
    bridge irb
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption mode ciphers aes-ccm
     ssid test
     antenna gain 0
     stbc
     beamform ofdm
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio1
     no ip address
     no ip route-cache
     shutdown
     antenna gain 0
     no dfs band block
     channel dfs
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface GigabitEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     dot1x pae authenticator
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    interface BVI1
     ip address 192.168.3.10 255.255.255.0
     no ip route-cache
    ip default-gateway IP
    ip forward-protocol nd
    ip http server
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.168.2.2 auth-port 1812 acct-port 1813 key 7 140441081E501F0B7D
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
     transport input all
    end
    Thank you

    I haven't set up autonomous APs before but I think I might see the problem. You are defining an authentication list called "eap_methods" but you never call for it in your SSID settings. Instead, there you call a list named "eap_list". In addition, I think you might be missing one more command. So perhaps try this:
    dot11 ssid test
    authentication open eap eap_methods
    authentication network-eap eap_methods
    authentication key-management wpa version 2
    guest-mode
    Hope this helps!
    Thank you for rating helpful posts!
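
The mismatch pointed out in the reply above (a method list defined as `eap_methods` while the SSID references `eap_list`) can be checked mechanically before a configuration is deployed. The following is an added example, not code from the thread or from Cisco: the function names are hypothetical, the sample text is a constructed excerpt of the posted configuration, and the parser assumes sub-mode lines are indented.

```python
import re

# Constructed excerpt of the configuration posted in the thread, with
# sub-mode lines indented by one space (an assumption the parser relies on).
POSTED = """\
aaa new-model
aaa group server radius rad_eap
 server 192.168.2.2 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
dot11 ssid test
 authentication open eap eap_list
 authentication key-management wpa version 2
 guest-mode
"""

# The SSID block as suggested in the reply.
SUGGESTED = POSTED.replace(
    " authentication open eap eap_list\n",
    " authentication open eap eap_methods\n"
    " authentication network-eap eap_methods\n",
)

LIST_RE = re.compile(r"aaa authentication login (\S+) (.+)")
GROUP_RE = re.compile(r"aaa group server (?:radius|tacacs\+) (\S+)")
SSID_RE = re.compile(r"dot11 ssid (\S+)")
# Keywords in an SSID "authentication ..." line that are followed by a list name.
REF_KEYWORDS = {"eap", "network-eap", "mac-address"}
# "group radius" / "group tacacs+" mean "all configured servers", not a named group.
BUILTIN_GROUPS = {"radius", "tacacs+"}


def parse_config(text):
    """Collect AAA login method lists, server groups and SSID list references."""
    method_lists, groups, ssids = {}, {}, {}
    current = None  # ("group", name) or ("ssid", name) while inside a sub-mode
    for raw in text.splitlines():
        body = raw.strip()
        if not body or body.startswith("!"):
            continue
        if not raw[0].isspace():  # top-level command ends any sub-mode
            current = None
            if m := LIST_RE.fullmatch(body):
                method_lists[m.group(1)] = m.group(2).split()
            elif m := GROUP_RE.fullmatch(body):
                current = ("group", m.group(1))
                groups[m.group(1)] = []
            elif m := SSID_RE.fullmatch(body):
                current = ("ssid", m.group(1))
                ssids[m.group(1)] = []
        elif current:
            kind, name = current
            tokens = body.split()
            if kind == "group" and tokens[0] == "server" and len(tokens) > 1:
                groups[name].append(tokens[1])
            elif kind == "ssid" and tokens[0] == "authentication":
                for i, tok in enumerate(tokens[:-1]):
                    if tok in REF_KEYWORDS:
                        ssids[name].append((tok, tokens[i + 1]))
    return method_lists, groups, ssids


def lint(text):
    """Return (kind, where, name) findings for inconsistent AAA references."""
    method_lists, groups, ssids = parse_config(text)
    findings, used = [], set()
    for ssid, refs in ssids.items():
        for _keyword, name in refs:
            used.add(name)
            if name not in method_lists:
                # The SSID points at a list that "aaa authentication login" never defines.
                findings.append(("undefined-list", ssid, name))
    for name, methods in method_lists.items():
        if name not in used:
            findings.append(("unused-list", "aaa", name))
        for i, tok in enumerate(methods[:-1]):
            group = methods[i + 1]
            if tok == "group" and group not in BUILTIN_GROUPS and not groups.get(group):
                # The list relies on a server group with no servers (or none defined).
                findings.append(("empty-group", name, group))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(label)
        for finding in lint(cfg):
            print("  ", finding)
```
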

  • EAP-TLS on ACS v4 for wireless users

    Hi,
    I'm trying to deploy the EAP-TLS authentication method on ACS v4.0 for my local wireless users; really I am stuck with the certificate issue and need your assistance to understand the required procedures to accomplish the task.
    As mentioned in the ACS configuration guide, I have to have a CA server to generate certificates for both ACS and wireless users, but I found an option on the ACS under the System Configuration tab, then ACS Certificate Setup: Generate Self-Signed Certificate. I generated a certificate and uploaded a copy to my PC, installed it and followed the recommended steps to configure the Microsoft XP client, but I still got the error "Windows was unable to find a certificate to log you on to the network SSID". Honestly I don't know if this is possible, but I gave it a try and failed.
    Kindly advise what is the appropriate and easiest way to accomplish the task; if you could provide me with helpful documents I'll appreciate it.
    Regards,
    Belal

    I am currently using EAP-TLS authentication on my wireless users using ACS 3.2. I have had that problem before. This is what I did...
    Set up a Microsoft Certificate server as my CA. You can use the same machine for your ACS and CA.
    Then, generate a certificate signing request from ACS, then request a server certificate from the CA, then copy and install the certificate on ACS. On the ACS, go to global authentication setup and check the EAP-TLS certificate. If it fails to respond, it means that the server certificate is not properly set up.
    On the Windows XP clients, connect your machine using wired LAN, then request a certificate from the CA (the same CA that you used for your ACS) using IE (ex. http://CAip/certsrv), but this time request a client certificate. The name you put when requesting the cert must be your local Windows user; use 1024, and choose Microsoft Base Cryptographic Provider 1.0. Then install the certificate on the client. Verify your client certificate was installed properly.
    At that point you should be able to connect your wireless client using EAP-TLS.

  • Wireless Users In L2 Inband Virtual Mode

    Hello
    At present the access points are just plugged into a switch port on access VLAN 10 and configured with a VLAN 10 SSID on the access point for wireless users. Users are accessing the network fine with no issues. I have set up a NAC in L2 inband virtual mode and it is working fine when I tested it for WIRED users.
    To enforce posture assessment on wireless users I just have to change the switch port access VLAN to the authentication VLAN where the access point is connected at present, and change the SSID VLAN 10 to the authentication VLAN. As I am using only 1 VLAN, I don't have to create a trunk port on the switch where the access point is connected?? Nothing else I have to do?? Correct me if I am wrong.
    Answers ???????

    Thank you for all the details.
    As some further details, the CAS should be configured with the following:
    1. Under the managed subnets, you should add an IP address (not used anywhere else) in the trusted vlan 10 subnet and link it to the untrusted vlan 20.
    2. Under the vlan mappings, it's OK to have the untrusted vlan 20 mapped to the trusted vlan 10. So the vlan mapping should be:
    20 (untrusted) ---> 10 (trusted)
    Wireless users should be connecting on vlan 20 and they should get an IP in trusted vlan 10's subnet.
    All the traffic should then flow through the CAS, which will take care of mapping vlan 20 to vlan 10 once the user is authenticated and certified.
    AD SSO for wireless users should also be possible.
    The AD SSO authentication through NAC regards only the authentication process through the NAC agent.
    As long as the rest of the configuration is correct, this should also be possible for wireless users.
    Regards,
    Fede
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • PEAP authentication failed for wireless users

    Dears
    Hello
    I'm receiving this error when I'm trying to authenticate wireless users using PEAP MSCHAPv2. Can anyone please support me?
    Thanks

    Dear Neno
    The customer has sent me this in Aruba:
    aaa authentication dot1x "dot1xProfile"
       termination eap-type eap-peap
       termination inner-eap-type eap-mschapv2
    aaa authentication-server radius "SERVER"
       host x.x.x.x
       key xxxx
       nas-ip x.x.x.x
    aaa server-group "RADIUS-GROUP"
       auth-server "SERVER"
    aaa profile "KSAU-JED-AAA-Profile"
       authentication-dot1x "dot1xProfile"
       dot1x-server-group "RADIUS-GROUP"
    wlan virtual-ap "SSID-NAME"
       aaa-profile "KSAU-JED-AAA-Profile"
       ssid-profile "SSID-NAME"
       vlan <VLAN ID>

  • NAC IB with wireless users

    I have a problem here guys, I will deploy Cisco NAC with wireless users.
    My scenario is IB-VG; the access points are autonomous, there is no WLC.
    The AP is connected to the switch on a trunk port and I have configured the AP
    with different SSIDs, each one with different vlan(s). On the NAC I have
    configured the vlan mapping and the managed subnets, but it doesn't work.
    I want to know where the problem is, or is there any configuration example to configure
    an autonomous AP in In-Band virtual gateway mode?

    Hi,
    Can you please be more specific about what does not work?
    What were you expecting to see and what are you seeing?
    Do the wireless users get IP address?
    If, yes, are they getting the IP you would expect?
    After getting an IP address, if you open a web browser do you get redirected to the NAC login page?
    If yes, do you enter the credentials and fail authentication?
    Please note that you will need to make sure that the VLAN on the clients is allowed on the untrusted interface of the CAS, and that the VLAN mapping maps this VLAN to a VLAN where a DHCP server is reachable.
    Also, please make sure that the only path for traffic on the VLAN configured on the SSID is the path going through the CAS.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Wireless User Tracking

    LMS 3.2 (W2003).
    No idea about WLSE, WLC or AP's, sorry :-(
    We have done a discovery, ignoring APs. They say that MACs from wireless clients are seen from switches as a hub or a non-Cisco switch, and they want to see it as a UT, with their IP and MAC address from the AP. Is that right???
    I don't know if the resolution is possible because of no idea about AP...

    If you have standalone APs, then you can enable wireless user tracking directly from the APs under Campus Manager > Admin > User Tracking > Acquisition. This is enabled by default. If you have a WLSE, you can disable direct acquisition from APs, then make sure your WLSEs are in DCR with correct HTTP credentials, and Campus will automatically synchronize those users.
    If, however, you are using WLC/WCS with LWAPPs, then LMS management will not be possible. Those wireless users will show up, but they will show up as being connected to the wired switch to which the LWAPPs connect (unless trunking is used, then they may not show up at all).

  • 3850 command to show wireless user dACL

    Hi,
    I am using 3850 and 5760 with converged access mode.
    There is also ISE to provide dACL for wireless user.
    In 3850, I can issue "show access-list" to see the dACL from ISE.
    But I can't be sure which ACL applies to which user when there is more than one dACL.
    I have tried command like "show wireless client mac-address MAC detail" but didn't see anything related.
    I can only achieve that by checking logs on ISE.
    Is there any command I can do for this purpose?
    3850 and 5760 version : 3.3.0
    ISE version : 1.2
    Thanks!!!

    Hi Mason,
    I know that for switch IOS the command "show authentication session interface INTERFACE" shows the dACL that is applied to this port. I think the corresponding new command for the IOS XE devices is "show access-session mac H.H.H detail", which should show the dACL that was applied to that MAC address.
    Please see if that works for you.
    Best regards,
    Patrick Meyer

  • Determining active wireless users with ACS

    Is there a way to determine how many active wireless users are on the network by checking ACS? Currently our users need to re-authenticate periodically (about every 15 minutes), however, ACS shows no logged in users. There should at least be one -- ME!

    We should be looking for something like this on the AP:
    aaa group server radius rad_acct
    server auth-port XXXX acct-port XXXX
    aaa accounting network acct_methods start-stop group rad_acct
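
    Why the accounting lines matter, as an added example (not from the original reply and not ACS code): a view of active users can only be built from the RADIUS accounting packets the AP sends, so with no accounting configured it stays empty. The record layout, sample values and the 30-minute staleness cutoff below are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the page), one per accounting packet:
# (timestamp, Acct-Status-Type, NAS-IP-Address, Acct-Session-Id, User-Name)
SAMPLE = [
    ("2024-01-10 09:00:00", "Start", "10.0.0.5", "a1", "alice"),
    ("2024-01-10 09:02:00", "Start", "10.0.0.5", "a2", "bob"),
    ("2024-01-10 09:10:00", "Stop", "10.0.0.5", "a2", "bob"),
    ("2024-01-10 09:12:00", "Start", "10.0.0.6", "b1", "carol"),
    ("2024-01-10 09:15:00", "Interim-Update", "10.0.0.5", "a1", "alice"),
    ("2024-01-10 09:16:00", "Stop", "10.0.0.6", "zz", "dave"),     # Stop without Start
    ("2024-01-10 09:20:00", "Start", "10.0.0.6", "b2", "erin"),
    ("2024-01-10 09:25:00", "Accounting-On", "10.0.0.6", "", ""),  # AP restarted
    ("2024-01-10 09:26:00", "Start", "10.0.0.6", "b3", "carol"),
]
FMT = "%Y-%m-%d %H:%M:%S"

def active_sessions(records, now, stale_after=timedelta(minutes=30)):
    """Return {(nas, session_id): user} for sessions believed open at `now`."""
    open_sessions = {}  # (nas, session_id) -> (user, last time the AP reported it)
    for ts, status, nas, sid, user in sorted(records):
        seen = datetime.strptime(ts, FMT)
        if seen > now:
            break
        if status in ("Start", "Interim-Update"):
            open_sessions[(nas, sid)] = (user, seen)
        elif status == "Stop":
            # A Stop with no matching Start is harmless; just ignore it.
            open_sessions.pop((nas, sid), None)
        elif status in ("Accounting-On", "Accounting-Off"):
            # The AP rebooted or shut down: none of its earlier sessions survive.
            for key in [k for k in open_sessions if k[0] == nas]:
                del open_sessions[key]
    # Sessions whose Stop was lost would linger forever; age them out instead.
    return {key: user for key, (user, seen) in open_sessions.items()
            if now - seen <= stale_after}

def active_users(records, now, **kwargs):
    """Distinct user names with at least one open session at `now`."""
    return sorted(set(active_sessions(records, now, **kwargs).values()))

if __name__ == "__main__":
    now = datetime.strptime("2024-01-10 09:30:00", FMT)
    print(active_users(SAMPLE, now))
```

    An empty record list yields an empty result, which matches the symptom in the question: periodic re-authentication alone produces no accounting records to count.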
