WiSM and ACS frequent reauthentications

We have a WiSM deployed. The WLANs use WPA2 and the session timeout is set to default (1800). The ACS is set to authenticate the LEAP clients against a windows AD server.
Clients can associate to the WLAN without any trouble. But they need to reauthenticate every minute although the signal is stable. The clients do not notice this. The only trouble we have is that there are tons of entries (150 clients reauthenticating every minute :D ) in the ACS and the Controller log says twice a day that the ACS stopped responding for a short period of time.
I think this could be a setting in the ACS or the trouble might come from the backend DB. What do you think? What could I do to get this down to an acceptable level?

Check the user group properties in the ACS that your wireless users are authenticating against... there is a property near the bottom called "ieee session timeout" or something to that effect (in seconds)
If you don't see this property then you will have to add it via the ACS services menu
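To see how bad the reauthentication storm described in this thread actually is before touching the ACS group settings, it helps to measure the gap between successful authentications per client and compare it with the configured session timeout (1800 s here). The script below is an added example, not part of the original thread and not ACS's own log format: it parses a constructed CSV of passed-authentication records (timestamp, user, client MAC, NAS address) and flags clients whose median gap is far below the timeout.

```python
"""Flag wireless clients re-authenticating far more often than the session timeout.

Added example: the record format is constructed for this script, not the
ACS log format, and the thresholds are assumptions.
"""
import csv
import io
import statistics
from datetime import datetime

# Constructed sample of passed-authentication records (not real log output):
# 'alice' re-authenticates every 60 s, 'bob' only when the 1800 s timeout expires.
SAMPLE_LOG = """\
2010-03-01 08:00:00,alice,00-11-22-33-44-55,10.0.0.5
2010-03-01 08:01:00,alice,00-11-22-33-44-55,10.0.0.5
2010-03-01 08:02:00,alice,00-11-22-33-44-55,10.0.0.5
2010-03-01 08:03:00,alice,00-11-22-33-44-55,10.0.0.5
2010-03-01 08:00:00,bob,66-77-88-99-aa-bb,10.0.0.5
2010-03-01 08:30:00,bob,66-77-88-99-aa-bb,10.0.0.5
2010-03-01 09:00:00,bob,66-77-88-99-aa-bb,10.0.0.5
"""


def parse_records(text):
    """Yield (timestamp, user, client MAC) from the constructed CSV text."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 3:
            continue  # skip blank or truncated lines
        yield datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S"), row[1], row[2]


def reauth_report(text, session_timeout=1800, ratio=0.5):
    """Return {(user, mac): (auth_count, median_gap_seconds, flagged)}.

    A client is flagged when its median gap between successful authentications
    is below ratio * session_timeout, i.e. it re-authenticates long before the
    timeout could have forced it to (the symptom in the thread).
    """
    by_client = {}
    for ts, user, mac in parse_records(text):
        by_client.setdefault((user, mac), []).append(ts)

    report = {}
    for key, stamps in by_client.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps) if gaps else None
        flagged = median_gap is not None and median_gap < ratio * session_timeout
        report[key] = (len(stamps), median_gap, flagged)
    return report


if __name__ == "__main__":
    for (user, mac), (count, gap, flagged) in reauth_report(SAMPLE_LOG).items():
        state = "REAUTH-STORM" if flagged else "ok"
        print(f"{user:8} {mac}  auths={count} median_gap={gap}s  {state}")
```

Run against an export of the real passed-authentication log (after adapting `parse_records` to its columns) to get the list of clients worth investigating, and re-run after changing the group's session timeout attribute to confirm the interval actually moved.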

Similar Messages

  • Single SSID and ACS

    Hi,
    I would like your help in the following scenario. We currently have a setup of CAS, CAM, LDAP, WISM and ACS.
    The main point I'm focusing on is the ACS and WISM.
    Users are to obtain wireless access using a single SSID, and upon validation of credentials, they should gain access to one of 3 vlans, guest, data and voice, the use of separate SSID per vlan was highly discouraged by customer.
    Would appreciate your advice on the best feasible way to implement this.
    Regards,

    Hi,
    You can have single SSID in your setup. You need to set up feature called Dynamic VLAN Assignment.
    Check out this link,
    http://www.cisco.com/en/US/partner/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    Regards,
    ~JG
    Please rate if that helps !

  • How to create guest access in wireless by WISM and WCS and ACS?

    dear sir
    I need to know the steps for how we can make guest access to our network, like hotels do, by using our WISM v 7.0.220, Wireless Control System and ACS?

    You need to define your requirements a little bit. The WLC can do WebAuth and an employee can access either the WLC or WCS to put in the username and password credentials, but you would need to figure out what's best for you.
    Here is a support doc that you can reference.
    https://supportforums.cisco.com/docs/DOC-13954

  • Adding a secure WLAN - WISM and WCS

    I have a setup including a WISM and WCS which currently only runs a guest service using webauth to get online. The service (by request) is not secured over the air. I would like to implement a second SSID with security but before going the whole way with 802.1x I wanted to implement a half way house. Service will still only be a guest service but I want the air traffic secured.
    So I guess my options are WEP (forget it) or WPA/WPA2.
    My question is do I have to run this service with a shared secret that I then need to inform all users of in order for them to be able to connect to the service or is there a way to implement a WPA service that uses some kind of credential check against the already configured RADIUS (ACS) servers?
    And if this is possible I assume there is no longer need for a webauth as this just seems to duplicate the login process.
    Thanks for any pointers in advance
    Paul

    The best thing you can do is start with the Configuration Guides. If you don't have a test environment and have SMARTNET on the WiSMs/WCS, utilize TAC to help you get up and going. I would also suggest utilizing a Cisco Partner to help with the initial implementation as well.
    I would recommend upgrading your WiSMs and WCS to the latest versions and making sure configurations are the same across modules. I upgraded our WiSMs from 4.x to 7.0.98.0 and WCS to 7.x. Ran into a bug here and there but that is expected. Just make sure the wireless devices support those versions. If you are unsure, you can always work towards the AssureWave tested code. WCS 7.x should be backwards compatible (check the release notes just to verify). The Design Zone and Release Notes are your friend too.
    -Rick

  • Dynamic VLAN assignment with WLC and ACS for

    Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
    dot11 vlan-name STUDENT vlan 2903
    dot11 vlan-name FACSTAF vlan 2905
    As we are working on our WiSM deployment, we see that the document below shows how to do the dynamic VLAN assignment on our WLAN controllers:
    http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
    However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
    With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
    Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?

    We only have the one WiSM for all of campus, so it's handling everything. The Cisco docs do indicate how to put different users in different VLANs, but we don't currently see a way to also put them in different subnets per building.
    This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than Class C, or is there a more elegant way of handling this?

  • WISM using ACS Failover

    I have a WiSM and two ACS servers for failover. From time to time, I can see some authentication and accounting records on the 2nd ACS server. My primary ACS server is always up. Then why do those auth requests go to the 2nd ACS server? Is this because the 1st ACS server is busy? I did not find anything useful in the primary ACS server auth logs. Has anyone seen a similar issue? How can I find out why the authentication fails over to the 2nd ACS server? Thanks.

    This is a known issue, and fixes are coming. The problem is the WLC is a bit too aggressive in its "dead" times. If it fails to auth one client, the WLC calls it dead and generally does not fail back unless the secondary does the same. If you reboot the controller it will start to use the primary again, and I have heard that on ACS if you stop and start the service it will also trigger the controller to start using it again as well.
    If you are on 3.2.171.5/6 you could try the command: config radius aggressive-failover disable. This is supposed to change how aggressive the controller is so that it needs to fail to auth three consecutive clients before we call it dead.
    For those of you with 4.0, it is supposed to be in the next MR. due out later this year.
    For those interested, the bug id is CSCse29193

  • After adding 2nd WiSM and failing over AP's some apps don't work

    We have a dual core made up of two 6513s. In 6513#1 we have WiSM#1, which we have had for some time now. We have added a second WiSM in 6513#2 for redundancy purposes; we are also going to be re-configuring the WiSM in 6513#1 to more closely match that of the new WiSM in 6513#2. We have installed the new WiSM and failed over the APs from 6513#1 so we can re-configure its WiSM. The failover went great with no issues, with the exception that a web application or two didn't function from wireless clients and users were having issues getting to some mapped drives. The only difference between the new WiSM config and the old WiSM is that on the old WiSM the APs were in the same VLAN as the controller management interfaces. With the new WiSM, the controllers' AP management interface IP addresses are in a different VLAN from the APs; we are doing this based on Cisco best practices. If we revert the APs back to the original WiSM/controllers, where the PCs are on the same VLAN/subnet, the applications and shares that were having issues the other way work. We have placed a call with Cisco TAC and they say our configs look good; we even sent them some packet captures and they said everything looks normal. The wireless clients can ping and resolve the server hosting the application database just fine.
    Thanks

    We did create the mobility groups, and we are using DHCP option 43. The APs find WiSM#2 just fine, associate to the controllers and all the WLANs work just fine. The only issue is that after the APs are on the new WiSM and controllers there is an application or two that is having trouble locating its database server, and some shares are not working. Again, the only difference in this new setup is that now the APs are on a different subnet/VLAN from the controller management addresses, whereas before they were in the same subnet/VLAN and the application and shares worked fine. It's almost like it is a bit of a routing issue?
    Thanks

  • Wireless Virtual LAN - SSID and ACS User Mapping

    Hi Everybody
    We have the following scenario:
    - WLC 4402 and ACS 3.3
    - 2 SSIDs, one for employees, one for guests
    - All users (guests and employees) are authenticated against the ACS server.
    We would like to only permit Guest users to use the Guest SSID.
    I've been reading the Wireless Virtual LAN Deployment Guide :
    http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wvlan_an.pdf
    and have tried to use method 1.
    - RADIUS-based SSID access control:
    "Upon successful 802.1X or MAC address authentication, the RADIUS server
    passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge."
    "This is configured by enabling the [026/009/001] cisco-av-pair option. On the ACS Server
    - Enable and configure Cisco IOS/PIX RADIUS Attribute,
    009\001 cisco-av-pair
    - Example: ssid=LEAP_WEP"
    I've tried this, but regardless of which SSID the user (group) has configured, it still can access all SSIDs?
    Does anyone have any idea of what I'm doing wrong?
    Does this setting only apply to access points, or is it also valid for the WLC 44xx series?
    Greetings
    Jarle

    Hi I'm sorry but this still does not help.
    We have now upgraded ACS to version 4.0 and I'm still having the same problems.
    This is what I have configured:
    WLC:
    - WLAN
    - SSID : Public
    - WLAN id = 3
    - L2 Security : 802.1x
    - Interface Name : GuestVLAN
    - Controller - Interface
    - management - Untagged
    - GuestVLAN - VLAN 112
    - Security
    - RADIUS Servers
    When authenticating a Guest (belonging to the proper group in ACS), the right VLAN is used, IP addresses from DHCP are received, and the Guest can access the internet.
    Switch:
    - Port connected to WLC uses Trunking.
    - Guests are connected to VLAN 112 and "native VLAN" is used to connect the Private Users.
    ACS:
    - AAA Client is the WLC, Authenticating using Cisco Airespace
    - Guest Users are member of Group 11
    - Private Users are member of Group 1
    Group 11
    - Use Per Group NAR to only allow WLAN Access
    - Cisco Airespace RADIUS Attributes
    x 14179\001 - Aire-WLAN-ID = 3
    - Cisco IOS / PIX RADIUS Attributes
    x 009\001 Cisco-av-pair = "ssid=Public"
    - IETF Radius Attributes
    x 006 Service Type = Login
    x 007 Framed-Prot = ppp
    x 064 Tunnel-Type = VLAN
    x 065 Tunnel-Medium-Type = 802.1x
    x 081 Tunnel-Private-Group-ID = 112
    Group (default Group)
    - Cisco Airespace RADIUS
    x 14179\001 Aire-WLAN-ID = 1
    - Cisco IOS/PIX Radius Attrib
    x 009\001 Cisco-av-pair = "ssid=Private"
    - IETF RADIUS
    x 008 Service-type = Login
    x 064 Tunnel-Type = VLAN
    x 065 Tunnel-Medium-Type = 802.1x
    x 081 Tunnel-Private-Group-ID = 1
    Do you have any idea of what I should change?
    Greetings
    Jarle

  • 802.1x between Switch 3750 and ACS 4.2 Authentication failed -- need help

    I configured the Switch 3750 and ACS for 802.1x authentication.
    When I used Windows as the 802.1x client, it prompted "click here to enter user name and password for the network" as normal.
    The problem is that after I entered the username and password (I am sure I entered the identical username and password as in ACS) the authentication failed.
    What is the most likely problem?
    Thx in advance!!!
    The configuration of the Sw3750 is:
    aaa new-model
    aaa authentication login default local
    aaa authentication enable default line
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    dot1x system-auth-control
    interface GigabitEthernet1/0/18
    description Link to test 802.1x
    switchport access vlan 119
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    spanning-tree portfast
    radius-server host 10.1.1.333 auth-port 1645 acct-port 1646
    radius-server source-ports 1645-1646
    radius-server key keepopen0
    In the ACS:
    Network Configuration -->aaa client ip address: 10.1.119.1(the vlan 119's ip address), shared secret: keepopen0
    user setup -->real name:test1, password: test1.
    Attached is the debug information

    What do you see in acs failed attempts?

  • Incompatibility issue - WLC 5508 and ACS 5.4

    Hi,
    This is my scenario:
    Cisco WLC 5508 firmware 7.4.110.20 and ACS 5.4, two WLANs with EAP-TLS; many clients can't connect to the WLAN and on ACS I receive the following error:
    Authentication failed : 11051 RADIUS packet contains invalid state attribute
    workaround:
    1 -Check the network device or AAA Client for hardware problems.
    2-known RADIUS compatibility issues.
    3-Check the network that connects the device to ACS for hardware problems
    Are there any incompatibility issues between WLC and ACS? The compatibility matrix document for wireless imposes the 7.5 firmware for the WLC.
    What do you think is possible?

    Are there any other errors shown in the details of the failed authentication?
    We may need to look at service logs in debug mode, opening a TAC case would be the best way to go about this.
    Javier Henderson
    Cisco Systems

  • Using Active Directory and ACS for Concentrator 3000 VPN

    Has anyone gone down the path of using Cisco ACS for network access control AND authenticating it with their W2K Active Directory for VPN 3000 concentrators? I did some research on Google, Cisco web, and this group, I did not find a definite answer on the best practice for the architecture and design, can anyone share your experience how you approached this?
    Below is my understanding; I appreciate any help to piece some or all of the below together.
    (1) The end state is once a VPN user is successfully authenticated, it is assigned to certain network access privilege based on its group's policy. How to accomplish this?
    (2) AD stores a central user database for user authentication. Each user may belong to one or more groups on the AD; ACS is responsible for network access control for the specific groups and enforces these controls on the users via the concentrators.
    (3) Concentrator is the NAS, and ACS is the RADIUS server
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949b4.shtml
    (4) Concentrator can link to the AD as an external database: http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_1/gs/gs3mgr.htm
    (5) A single "Tunnel Group" is created on the concentrator
    (6) Multiple groups, per corporate infosec policies, are created on the AD
    (7) Multiple groups, per corporate infosec policies, are also created on ACS; they need to match what is in the AD
    TIA.

    In order to restrict access for a specific AD group to specific SSID this is what you need to perform.
    When the WLC sends an authentication request to the ACS, it will include the SSID that the user is connecting to in the attribute Calling-Station-Id(31). We can use this information to create multiple rules in ACS 5.x in order to take actions based on the information contained in the attribute.
    Under Users and Identity Stores > click on Directory Groups > select > check the group name you want to add and hit OK. Save the changes.
    We just need to create a DNIS rule that includes the name of the SSID and use it as a condition in any rule that we create for authentication. The * is required because the attribute not only contains the SSID but also a MAC address, so the * is used as a regular expression.
    Now go to Access Policies > Default Network Access > Identity should be AD1.
    Go to Authorization > click on Customize > move the AD1:ExternalGroups and End Station Filter attributes to the right side and hit OK.
    After that select the appropriate AD group for teachers and the End Station Filter.
    Save changes.
    Jatin Katyal
    - Do rate helpful posts -
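Three of the threads above turn on the same two RADIUS mechanisms: the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes that carry a dynamic VLAN assignment back to the controller (the "Dynamic VLAN assignment" and "Wireless Virtual LAN" threads), and a station-id attribute that contains both a MAC address and the SSID, which Jatin's answer matches with a wildcard DNIS rule to restrict an AD group to one SSID. The block below is an added example written for this page, not ACS or WLC code: the policy table and the "MAC:SSID" station-id format are constructed for the example (the post only says the attribute contains both values), while the attribute numbers and enumerations (64/65/81, Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802) come from RFC 2868. It encodes the tagged attributes byte-for-byte and decodes them again, including the RFC's rule that a leading byte above 0x1F in Tunnel-Private-Group-ID is data rather than a tag.

```python
"""Policy check plus RFC 2868 tunnel-attribute encoding for dynamic VLAN assignment.

Added example, not ACS/WLC code. Policy rows and the 'MAC:SSID' station-id
layout are constructed; attribute numbers and enumerations are from RFC 2868.
"""
import re
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # RFC 2868 section 3.1
TUNNEL_MEDIUM_IEEE_802 = 6     # RFC 2868 section 3.2 (not "802.1x")

# Constructed policy: (directory group, SSID the group may use, VLAN to assign).
POLICY = [
    ("Guests", "Public", 112),
    ("Staff", "Private", 1),
    ("Students", "Campus", 2903),
]

# Constructed layout of the station-id attribute: MAC, colon, SSID. The '.+'
# after the MAC plays the role of the '*' in the DNIS rule from the thread.
STATION_ID_RE = re.compile(r"(?:[0-9a-f]{2}-){5}[0-9a-f]{2}:(.+)", re.IGNORECASE)


def ssid_from_station_id(value):
    """Return the SSID part of a 'MAC:SSID' station id, or None if malformed."""
    match = STATION_ID_RE.fullmatch(value)
    return match.group(1) if match else None


def tagged_int(attr, value, tag=1):
    """Tagged integer attribute: type, length 6, tag byte, 3-byte big-endian value."""
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr, value, tag=1):
    """Tagged string attribute: type, length, tag byte, then the string bytes."""
    data = bytes([tag]) + value.encode()
    return struct.pack("!BB", attr, 2 + len(data)) + data


def vlan_attributes(vlan):
    """The three attributes a RADIUS server returns to place a client in a VLAN."""
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan)))


def decode_attributes(blob):
    """Parse attribute TLVs into {type: (tag, value)}; raise on malformed input."""
    out, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr, length = blob[i], blob[i + 1]
        if length < 3 or i + length > len(blob):
            raise ValueError("bad attribute length")
        payload = blob[i + 2:i + length]
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[attr] = (payload[0], int.from_bytes(payload[1:], "big"))
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 section 3.6: a first byte above 0x1F is not a tag.
            if payload[0] <= 0x1F:
                out[attr] = (payload[0], payload[1:].decode())
            else:
                out[attr] = (None, payload.decode())
        else:
            out[attr] = (None, payload)
        i += length
    return out


def authorize(groups, station_id):
    """Return ('Access-Accept', attribute bytes) or ('Access-Reject', None).

    A user is accepted only when one of their groups is allowed on the SSID
    named in the station id; the matching row decides the VLAN.
    """
    ssid = ssid_from_station_id(station_id)
    for group, allowed_ssid, vlan in POLICY:
        if group in groups and ssid == allowed_ssid:
            return "Access-Accept", vlan_attributes(vlan)
    return "Access-Reject", None


if __name__ == "__main__":
    for groups, sid in [({"Guests"}, "00-11-22-33-44-55:Public"),
                        ({"Guests"}, "00-11-22-33-44-55:Private")]:
        code, attrs = authorize(groups, sid)
        print(groups, sid, "->", code, decode_attributes(attrs) if attrs else "")
```

The decoder doubles as a sanity check when comparing an ACS group's attribute settings against what the controller actually receives: the Tunnel-Medium-Type value must decode to 6 (IEEE 802) for the controller to treat the Tunnel-Private-Group-ID as a VLAN.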

  • Configuration details of WS-C6504-E-WISM and WS-C6509-E-WISM bundle

    Hi,
    I can't find anywhere the list of products included in the 6500 wireless bundles WS-C6504-E-WISM and WS-C6509-E-WISM. Does someone know?
    Thanks in advance.

    Hi Gael,
    I'm not sure if this is what you are looking for;
    Cisco Catalyst 6500 Series Wireless Services Module
    From this doc;
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_qanda_item0900aecd8036434e.shtml
    Configuring a Cisco Wireless Services Module and Wireless Control System
    From this doc;
    http://www.cisco.com/en/US/products/ps6305/prod_technical_reference09186a00806053bf.html
    Catalyst 6500 Series Switch Wireless Services Module Installation and Configuration Note
    From this doc;
    http://www.cisco.com/en/US/products/hw/modules/ps2797/prod_installation_guide09186a0080514536.html
    Hope this helps!
    Rob
    Please remember to rate helpful posts.

  • 802.11 n support in Wism and WCS

    Is the new wireless standard 802.11n supported in current shipments of the Cisco WLC 44XX and WiSM (6500 wireless controller card)?
    Also I need to know whether it is supported in WCS 4.1?

    Hi Nalaka,
    Yes, 802.11n is supported on the WISM and WCS starting with the following releases in the 4.2 train;
    Release Notes for Cisco Wireless LAN Controllers and Lightweight Access Points for Release 4.2.61.0
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn4200.html#wp302677
    The following new features are available in WCS 4.2.62.0
    802.11n support-The introduction of the Cisco Aironet 1250 series access point, a business-class access point based on the IEEE 802.11n draft 2.0 standard. The access point offers combined data rates of up to 600 Mbps to meet bandwidth requirements. Cisco WCS display screens include a listing for configuring, managing, and monitoring 802.11n access points and their associated wireless LAN controllers.
    The newest WLC and WCS 5.0 trains are now released as well :)
    Hope this helps!
    Rob

  • WiSM and GUEST web authentication

    I have a WiSM and we use Cisco open web authentication with a user email address.
    When performing  this command via CLI:
    >config network secureweb disable
    >save config
    > reset system
    Will this make the web authentication come up HTTP instead of HTTPS ?

    That command is for managing the unit.
    However, there used to be a workaround: when you disable HTTPS and SSH and you reboot the WLC, the web authentication will be shown as HTTP and not HTTPS.
    Let me know if it works for you

  • 1100 AP and ACS 3.1 with LEAP

    Anyone been able to get this to work? I saw the link on how to configure LEAP with the 352 AP and ACS but don't see anything for the 1100. Been following the documentation for the 1100 and ACS and still no joy.
    1120 AP latest Firmware
    ACS 3.1 win2k
    Client ACU latest software

    To configure LEAP on AP1100, you need to enable WEP & enable EAP and Open authentication. Here is the link which explains what you need to configure on AP and on Client based on security feature.
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1100/accsspts/ap11icg/ivicgaut.htm#xtocid4
    On top of that link, it explains what to configure on AP1100 too.
    For other config on AP1100, visit
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1100/accsspts/ap11icg/index.htm
