WiSM - MAC Authentication
The config below is on an Auto AP. How do I configure the WiSM controller for 'authentication open mac-address mac_methods eap eap_methods'?
aaa group server radius rad_eap
server 134.226.16.92 auth-port 1645 acct-port 1813
server 134.226.249.74 auth-port 1645 acct-port 1813
aaa group server radius rad_mac
server 134.226.16.92 auth-port 1645 acct-port 1813
server 134.226.249.74 auth-port 1645 acct-port 1813
dot11 ssid Test1
vlan 6
authentication open mac-address mac_methods eap eap_methods
authentication network-eap eap_methods mac-address mac_methods
authentication key-management wpa optional
accounting acct_methods
Please advise.
Thanks
Please check the PEAP docs that explain how to set up PEAP authentication.
Regards,
~JG
Similar Messages
-
Mac-Authen in 1141 AP not working with WPA!
I want my stand-alone 1141 to do MAC authentication locally and have WPA running so the AP can run in 11n mode, but it is not working. I have tried No Encryption with MAC authentication and it works.
I have read an article that WPA and Mac-Authentication don't work together. Is it right?
Please enlighten me on this.
Hi,
Indeed, the simplest is to have WPA and MAC filters. MAC authentication allows you to authenticate MAC addresses against RADIUS. A MAC filter is an access list with MAC addresses stored on the AP itself.
ap(config)#dot11 association mac-list ?
<700-799> Ethernet address access list
You can then configure an ACL (with number between 700 and 799) to go with that.
Regards,
Nicolas -
Mac address ACS authentication
I have 3 Cisco 350 Aironets here. Right now they all have MAC authentication, with each one having to have the MAC address statically entered. I have a hardware ACS and would like to use that for the authentication so I do not have to enter the MAC address 3 times. I have seen that you are supposed to add the MAC address as the username and then the password, but I get an error stating that the username and password cannot be the same and it will not add the user. What do I do now? I have done it just like the Cisco documentation states but again I get an error. Please help.
There is a feature called "Per User VLAN Assignment" which should provide you with just the protection you're looking for. It uses the ACS Server to assign a user to a VLAN, regardless of what SSID they connect to the access point with. Per User VLAN Assignment requires IOS version 12.2(11)JA1.
No configuration changes are made on the AP to engage per user VLAN assignment. All the configuration changes are made on the ACS. For more details check out the following URL,
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html -
Aironet 1300 - problems with security
Hi,
I have two Aironets setup as below. They both have the radio configured and up. I suspect the issue is with the security. I am unfamiliar with how it works - if anyone can provide me any pointers, it would be much appreciated!
thanks,
Mark
dot11 vlan-name BRIDGE1 vlan 153
dot11 vlan-name BRIDGE2 vlan 254
dot11 vlan-name BRIDGE3 vlan 154
dot11 ssid BRIDGE1
vlan 153
dot11 ssid BRIDGE2
vlan 254
authentication open
authentication key-management wpa
infrastructure-ssid
wpa-psk ascii 7 <key here>
dot11 ssid BRIDGE3
vlan 154
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption key 3 size 128bit 7 <key here> transmit-key
encryption mode ciphers wep128
encryption vlan 254 mode ciphers tkip
ssid BRIDGE1
ssid BRIDGE2
ssid BRIDGE3
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
station-role root bridge
cca 75
concatenation
infrastructure-client
interface Dot11Radio0.153
encapsulation dot1Q 153
no ip route-cache
bridge-group 153
interface Dot11Radio0.154
encapsulation dot1Q 154
no ip route-cache
bridge-group 154
interface Dot11Radio0.254
encapsulation dot1Q 254 native
no ip route-cache
bridge-group 1
interface FastEthernet0
no ip address
no ip route-cache
interface FastEthernet0.153
encapsulation dot1Q 153
no ip route-cache
bridge-group 153
interface FastEthernet0.154
encapsulation dot1Q 154
no ip route-cache
bridge-group 154
interface FastEthernet0.254
encapsulation dot1Q 254 native
no ip route-cache
bridge-group 1
interface BVI1
ip address 10.0.254.203 255.255.255.0
no ip route-cache
Hi Vincent,
Firstly, if you've got a MAC address access list to restrict access, just confirm you've got the right MAC address in there - in my testing it caused exactly the error you've indicated.
The other things to try are:
Remote end is not powered up
Antennas are misaligned
Channels do not match
Radios are switched off
Radio power is set too low
Speed not matched
Authentication failing
Check this link for authentication debugging:
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_tech_note09186a008024aa4f.shtml
These commands may help:
debug dot11 aaa authenticator mac-authen
debug dot11 aaa authenticator all
thanks,
Mark -
AP1200 with EAP - dot11 holdoff timer
Hi all
We are running AP1200 with open EAP. We are experiencing a transient problem with a couple of unknown PCs attempting (and failing) authentication every second. After some time, the memory gets fragmented on the AP, causing the AP to hang.
From the AP
>>>
Aug 4 14:12:17: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication fad
Aug 4 14:12:18: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication fad
Aug 4 14:12:19: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication fad
Aug 4 14:12:21: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication fad
Aug 4 14:12:22: %SYS-2-MALLOCFAIL: Memory allocation of 1500 bytes failed from
Pool: Processor Free: 122180 Cause: Memory fragmentation
Alternate Pool: None Free: 0 Cause: No Alternate pool
-Process= "Logger", ipl= 6, pid= 16
-Traceback= 10DDB0 10FF40 108EF0 117C20 366E0 368A0 442FC 445A8 47CEC 1337F8
Aug 4 14:12:23: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication fad
<<<
We have not been able to find this certain host.
We attempted to mitigate the failures using "dot11 holdoff-timer 120". From the documentation this command looks like it will only take effect when performing MAC authentication, yet the configuration guide does not specify MAC authentication only. We have not had success in the lab.
Can anyone here shed some more light on this command?
TIA,
Alex
If all the PCs in your wireless network are working, then the unknown PCs could be some rogue devices trying to access the network. Since authentication is failing at every attempt, it is clear that it is a rogue device trying to get entry into the network.
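The repeated-failure pattern in the AP log above, as an added example that is not from the thread: a small Python detector that parses %DOT11-7-AUTH_FAILED lines and reports each station whose failures inside a sliding window exceed a threshold, which is the evidence you would want before deciding on a holdoff timer or a MAC filter. The sample lines are constructed after the posted ones (the truncated tail is completed as "failed", which the parser does not rely on) and the year is an assumption, since AP syslog timestamps carry none.

```python
"""Detect wireless stations that fail 802.11/EAP authentication repeatedly.

Parses Cisco autonomous-AP syslog lines such as
  Aug 4 14:12:17: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication failed
and reports stations whose failure count within a sliding window reaches a
threshold.  Unrelated lines (e.g. %SYS-2-MALLOCFAIL) are ignored.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# ASSUMPTION: syslog lines carry no year, so one is supplied for parsing.
ASSUMED_YEAR = 2005

# Constructed sample, modelled on the lines posted in the thread.
SAMPLE_LOG = """\
Aug 4 14:12:17: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication failed
Aug 4 14:12:18: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication failed
Aug 4 14:12:19: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication failed
Aug 4 14:12:21: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication failed
Aug 4 14:12:22: %SYS-2-MALLOCFAIL: Memory allocation of 1500 bytes failed from
Aug 4 14:12:23: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication failed
Aug 4 14:12:30: %DOT11-7-AUTH_FAILED: Station 0011.2233.4455 Authentication failed
"""

AUTH_FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}): "
    r"%DOT11-7-AUTH_FAILED: Station (?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})",
    re.IGNORECASE,
)


def parse_auth_failures(lines):
    """Yield (timestamp, station_mac) for every AUTH_FAILED line; skip the rest."""
    for line in lines:
        m = AUTH_FAILED_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("mac").lower()


def find_hammering_stations(lines, window_seconds=60, threshold=5):
    """Return {mac: peak failures seen inside any window} for stations at/over threshold.

    Per station, keep only failure timestamps no older than window_seconds
    before the newest one, and remember the largest window population seen.
    """
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, mac in parse_auth_failures(lines):
        q = recent[mac]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[mac] = max(peak[mac], len(q))
    return {mac: n for mac, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for mac, n in find_hammering_stations(SAMPLE_LOG.splitlines()).items():
        print(f"station {mac}: {n} auth failures inside one 60 s window")
```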
-
Proxy authentication problems from Macs.... argh
I am seeing this regularly in mixed Windows/Macs environments where all machines proxy over 8080 to the TMG box (integrated authentication).
I can have a firewall rule that allows traffic from Internal to External over HTTP/HTTPS for Domain Users, and both clients, Macs and PCs, will be able to browse the internet fine so long as they have appropriate proxy server settings configured on either their machine or browser.
However, some websites that use Flash or Java for viewing videos result in the Macs NOT working. Looking in the firewall logging I can see that access is being denied because the Mac is not passing user credentials and is attempting to go out using anonymous credentials (which is not allowed). This ONLY happens for the Macs, ONLY on certain websites, and ONLY for stuff like Java/Flash, etc.
Anyone else running into this? It's happening so frequently that I am about to just turn OFF all proxying to TMG and have everyone go out as SecureNAT clients, because every time this happens I have to create a specific rule for THAT website to allow SecureNAT.
Thoughts??
Hi,
Your analysis is correct. TMG (or any other proxy) will ask the user for authentication if the rule is configured to do so. It's up to the client (browser or software entity trying to access the internet) to authenticate to the proxy. If that entity is not designed for such proxy authentication, it will fail to access the resource.
If you see in your logs that the browser/application (Safari/Java) on the Mac is unable to authenticate to the proxy, that's exactly the reason it's failing. If you look above that, you should see 407 messages, where the proxy server is telling the client to negotiate and authenticate for the proxy.
Hope this helps. If you have any further questions, please let me know.
Related post:
http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/78b2a5e8-9a80-42d8-bd38-a3c175161b12
Regards, Amit Saxena. Keep Walking! -
WiSM Status LED 1 & Status LED 2 showing off. Is it normal?
Hi,
The WiSM WLAN Service Module WS-SVC-WISM-1-K9 in a 6509e running VSS IOS s72033-ipservicesk9_wan-mz.122-33.SXI2a.bin is having trouble getting an IP from the service-VLAN DHCP; also, Status LED 1 and Status LED 2 are showing off.
The pertinent config is as follows.
vlan 300
name WiSM_Service_Vlan
interface Vlan300
description *** WiSM Service-Vlan
ip address 192.168.200.1 255.255.255.0
ip dhcp excluded-address 192.168.200.1
ip dhcp pool WiSM_Service-Vlan_300
network 192.168.200.0 255.255.255.0
default-router 192.168.200.1
wism service-vlan 300
vlan 183
name WiSM_Management
interface Vlan183
description *** WiSM Management Vlan ***
ip address 10.39.139.254 255.255.255.0
wism switch 1 module 4 controller 1 allowed-vlan 125,126,183,300
wism switch 1 module 4 controller 2 allowed-vlan 125,126,183,300
wism switch 2 module 4 controller 1 allowed-vlan 125,126,183,300
wism switch 2 module 4 controller 2 allowed-vlan 125,126,183,300
wism switch 1 module 4 controller 1 native-vlan 183
wism switch 1 module 4 controller 2 native-vlan 183
wism switch 2 module 4 controller 1 native-vlan 183
wism switch 2 module 4 controller 2 native-vlan 183
HO2NET0001#sh wism status
Service Vlan : 300, Service IP Subnet : 192.168.200.1/255.255.255.0
WLAN
Slot Controller Service IP Management IP SW Version Status
----+-----------+----------------+----------------+-----------+---------------
20 1 0.0.0.0 0.0.0.0 Service Port Up
20 2 0.0.0.0 0.0.0.0 Service Port Up
HO2NET0001#sh module
Mod Ports Card Type Model Serial No.
1 8 CEF720 8 port 10GE with DFC WS-X6708-10GE SAL13442Q5N
2 8 CEF720 8 port 10GE with DFC WS-X6708-10GE SAL13442GAL
3 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX SAL13410N8P
4 10 WiSM WLAN Service Module WS-SVC-WISM-1-K9 SAD133101UY
5 5 Supervisor Engine 720 10GE (Active) VS-S720-10G SAL13442JE4
Mod MAC addresses Hw Fw Sw Status
1 0025.84f1.55b8 to 0025.84f1.55bf 2.1 12.2(18r)S1 12.2(33)SXI2 Ok
2 0025.84f1.4e58 to 0025.84f1.4e5f 2.1 12.2(18r)S1 12.2(33)SXI2 Ok
3 0027.0da7.c240 to 0027.0da7.c26f 3.2 12.2(18r)S1 12.2(33)SXI2 Ok
4 0023.5e25.7168 to 0023.5e25.7177 2.3 12.2(14r)S5 12.2(33)SXI2 Ok
5 001f.9e2a.2608 to 001f.9e2a.260f 3.1 8.5(3) 12.2(33)SXI2 Ok
Mod Sub-Module Model Serial Hw Status
1 Distributed Forwarding Card WS-F6700-DFC3C SAL13442EG9 1.4 Ok
2 Distributed Forwarding Card WS-F6700-DFC3C SAL13442H9T 1.4 Ok
3 Centralized Forwarding Card WS-F6700-CFC SAL13442HU9 4.1 Ok
4 Centralized Forwarding Card WS-SVC-WISM-1-K9-D SAD133200D6 2.1 Ok
5 Policy Feature Card 3 VS-F6K-PFC3C SAL13442E5S 1.1 Ok
5 MSFC3 Daughterboard VS-F6K-MSFC3 SAL13421AJZ 2.0 Ok
Mod Online Diag Status
1 Pass
2 Pass
3 Pass
4 Pass
5 Pass
HO2NET0001#sh vlan
300 WiSM_Service_Vlan active Gi1/4/9, Gi1/4/10
The service IP is supposed to have been populated with an address from the DHCP pool. I am also unable to access it by console or by doing a session switch 1 slot 4 processor 1. I get the following upon attempting to do so:
Through Console.
It gives the following and then gets stuck.
Bootloader 3.2.202.0 (Nov 13 2007 - 19:35:12)
Motorola PowerPC ProcessorID=00000000 Rev. PVR=80200020
CPU: 999 MHz
CCB: 333 MHz
DDR: 166 MHz
LBC: 41 MHz
L1 D-cache 32KB, L1 I-cache 32KB enabled.
I2C: ready
DTT: 1 is 33 C
DRAM: DDR module detected, total size:512MB.
512 MB
8540 in PCI Host Mode.
8540 not PCI Arbiter.
Memory Test PASS
FLASH:
Flash Bank 0: portsize = 2, size = 8 MB in 142 Sectors
8 MB
L2 cache enabled: 256KB
Card Id: 1537
Card Revision Id: 1
Card CPU Id: 1287
Number of MAC Addresses: 32
Number of Slots Supported: 4
Serial Number: FAM133200D6
Manufacturers ID: 30464
Board Maintenance Level: 00
In: serial
Out: serial
Err: serial
Model SVC-WiSM S/N: FAM133200D6
Net: TSEC ETHERNET
IDE: Bus 0: OK
Device 0: Model: STI Flash 8.0.0 Firm: 01/17/07 Ser#: STI1MMJ109198093647
Type: Removable Hard Disk
Capacity: 488.7 MB = 0.4 GB (1000944 x 512)
Device 1: not available
Booting Primary Image...
Press <ESC> now for additional boot options...
Detecting Hardware . . .
Cryptographic library self-test....passed!
XML config selected
Validating XML configuration
Cisco is a trademark of Cisco Systems, Inc.
Software Copyright Cisco Systems, Inc. All rights reserved.
Cisco AireOS Version 5.2.178.0
Initializing OS Services: ok
Initializing Serial Services: ok
Initializing Internal Interfaces: ok
Initializing Network Services: ok
Initializing Licensing Services: ok
Starting ARP Services: ok
Starting Trap Manager: ok
Starting Network Interface Management Services: ok
Starting System Services: ok
Starting FIPS Features: ok : Not enabled
Starting Fast Path Hardware Acceleration: ok
Starting Switching Services: ok
Starting QoS Services: ok
Starting Policy Manager: ok
Starting Data Transport Link Layer: ok
Starting Access Control List Services: ok
Starting System Interfaces: ok
Starting Client Troubleshooting Service: ok
Starting Management Frame Protection: ok
Starting LWAPP: ok
Starting CAPWAP: ok
Starting Certificate Database: ok
Starting VPN Services: ok
Starting Security Services: ok
Starting Policy Manager: ok
Starting Authentication Engine: ok
Starting Mobility Management: ok
Starting LOCP: ok
Starting Virtual AP Services: ok
Starting AireWave Director: ok
Starting Network Time Services: ok
Starting Cisco Discovery Protocol: ok
Starting Broadcast Services: ok
Starting Logging Services: ok
Starting DHCP Server: ok
Starting IDS Signature Manager: ok
Starting RFID Tag Tracking: ok
Starting WLAN Control Protocol (WCP): ok
Starting Mesh Services: ok
Starting TSM: ok
Starting CIDS Services: ok
Starting Ethernet-over-IP: ok
Starting DTLS server: enabled in CAPWAP
Starting FMC HS: ok
Starting WIPS: ok
Starting SSHPM LSC PROV LIST: ok
Starting Management Services:
Web Server: ok
CLI: ok
Secure Web: Web Authentication Certificate not found (error). If you cannot access management interface via HTTPS please reconfigure Virtual Interface.
(Cisco Controller)
Welcome to the Cisco Wizard Configuration Tool
Use the '-' character to backup
Would you like to terminate autoinstall? [yes]:
AUTO-INSTALL: starting now...
Through Session
HO2NET0001##session switch 1 slot 4 proc 1
The default escape character is Ctrl-^, then x. You can also type 'exit' at the remote prompt to end the session Trying 0.0.0.0 ...
Any assistance or ideas offered will be greatly appreciated.
Thanks,
Hi Tabish,
How many times do you have to open this same topic?
In my opinion, this is your THIRD thread for the same topic. -
Hi,
I have three MacBooks of various ages and a Mac Mini running Mavericks Server, all running Mavericks 10.9.2. All have access to the LAN via my service provider's WiFi N router.
I've had an issue with SMB2 for a while, but with Mavericks pushing it as default it's beginning to bug me that it is not working as it should.
I can see all machines in the sidebar, and I can connect via cmd-k using AFP without any problems. But if I try browsing to the various machines and shares, it's defaulting to SMB2 and seems to be having problems authenticating.
I get around a 45 sec delay, from pointing to a machine to getting an authentication screen where I can log in. I also get this same delay when manually using SMB2 using cmd-k.
There doesn't seem to be an issue with the machines; I've set up an ad-hoc network, and everything works perfectly. As soon as I'm connecting back through the LAN via my router, that's where problems start. Don't really want to get another switch or Airport hub etc. at this stage.
Anyone else seen similar issues? Or have an idea what may be causing the problem on the router? I'd tried disabling IPv6, but it makes no difference.
As mentioned above, there seems to be something interfering with the authentication process and delaying the whole process.
Thanks Hevisko,
I've been following the CIFS workaround; as I understand it, this is really a workaround to connect to older SMB1/SMBX shares now that SMB2 has been rolled out as default. Particularly useful for older NAS boxes that only have SMB1.
My shares are all on OS Mavericks machines, therefore the shares are SMB2.
Also, there seems to be no problem when I take the router out of the equation. Think I might need to invest in a decent switch and bypass the router. Just wondering if anyone else has resolved this or can suggest a good switch that works with SMB2 Mac to Mac.
Failing that my Mac mini is always on, so might look at using that to run DNS/DHCP and see how that goes. -
WISM 7.0.235.0 post-upgrade problem?
I upgraded one of our WISM-1 modules from 7.0.98.0 to 7.0.235.0 last night. For some reason, APs don't join with it unless I tell them specifically to do so. We haven't specified primary & secondary controllers on purpose, allowing the APs to determine from DHCP & the controllers' responses and decide on one based on load. This has always worked great for us.
After upgrading, I couldn't get an AP to join the upgraded wism even after I specified the controller in the AP config. So then I changed my 6506 load balancing to src-dst-mac since that is a known (although seldom seen) issue with APs joining a controller for the first time. We usually keep it set at
src-dst-mixed-ip-port. That worked & the AP joined the upgraded wism. Then I reset the load-balancing algorithm on the 6506, removed the specific controller from the AP's config, rebooted the AP, and all is fine. I thought that solved it. Not.
Any other AP that I reboot tries to join the upgraded WiSM since it has only 1 AP connected, but it fails and the AP joins the other WiSM running 7.0.98.0. Even if I change the load balancing algorithm to src-dst-mac, src-dst-ip, or src-mac, it won't join unless I specify the upgraded controller, which I don't want to do. I can see the WiSM responding to the join requests, but the APs still end up on the other controller. It sounds like the years-old load balancing algorithm issue, but that doesn't seem to be the whole answer this time.
I hope this information makes sense to those that are aware of the issues I bring up. Any ideas why the 7.0.235.0 wism isn't getting APs to join it successfully without my specifying that controller? The config hasn't changed, except for what new or changed defaults exist. I suspect it might have to do with one of those.... Or could it be the two different controller versions returning confusing and different responses to the initial query?
Thanks.
Bill
We're not using the built-in DHCP service on the WISMs.
A wise decision.
I've upgraded our WiSM-1s to this version and we don't have any issues.
However, in the past, we used to host our DHCP server for the WAPs and the clients on a plain Linux box, and we noticed that the Linux box took a painfully long, long time to dish out IP addresses to around 1k WAPs. We later moved our DHCP server to InfoBlox and the problems went away.
Any other AP that I reboot tries to join the upgraded WiSM since it has only 1 AP connected, but it fails and the AP joins the other WiSM running 7.0.98.0. Even if I change the load balancing algorithm to src-dst-mac, src-dst-ip, or src-mac, it won't join unless I specify the upgraded controller, which I don't want to do. I can see the WiSM responding to the join requests, but the APs still end up on the other controller. It sounds like the years-old load balancing algorithm issue, but that doesn't seem to be the whole answer this time.
Never saw this problem at all. -
WLAN Controller learning IP/MAC on wrong virtual interface
Hello
I believe that since I upgraded my WiSM to 7.0.250.0 it is learning a MAC address on the wrong virtual interface.
The setup:
- a Linux server with 2 virtual interfaces, both use the same MAC address, one is the gateway of VLAN 116 and one is the gateway of VLAN 240
- a WiSM with several virtual interfaces, including one in 116 and one in 240
Here is the ARP table with the problem:
MAC Address IP Address Port VLAN Type
00:50:56:BD:32:92 172.16.240.9 29 240 Host
00:1E:4A:FA:87:8B 172.16.102.12 29 0 Permanent
00:1E:4A:FA:50:0B 172.16.102.13 29 0 Permanent
00:1E:4A:FA:81:2B 172.16.102.14 29 0 Permanent
00:50:56:BD:32:92 172.16.116.9 29 240 Host
00:1D:E0:31:55:23 172.16.116.185 29 116 Client
58:94:6B:68:50:E8 172.16.118.201 29 116 Client
1C:B0:94:B7:38:08 172.16.118.234 29 116 Client
And here it is after I pinged the listed IP address from the controller:
MAC Address IP Address Port VLAN Type
00:50:56:BD:32:92 172.16.240.9 29 240 Host
00:1E:4A:FA:87:8B 172.16.102.12 29 0 Permanent
00:1E:4A:FA:50:0B 172.16.102.13 29 0 Permanent
00:1E:4A:FA:81:2B 172.16.102.14 29 0 Permanent
00:50:56:BD:32:92 172.16.116.9 29 116 Host
00:1D:E0:31:55:23 172.16.116.185 29 116 Client
38:E7:D8:D3:7C:FA 172.16.118.92 29 116 Client
58:94:6B:68:50:E8 172.16.118.201 29 116 Client
1C:B0:94:B7:38:08 172.16.118.234 29 116 Client
18:AF:61:12:E9:FB 192.168.1.59 29 117 Client
Does anybody else have the same problem?
The host 172.16.116.9 is also the configured DHCP server on VLAN 116.
Is there a way to statically configure this IP address on that VLAN? Because every few days it causes a service outage on that VLAN (which is bound to an SSID).
Yup, I'd say still valid. Seeing as it is the gateway, if it had different MAC addresses per interface, it might still work.
No, clients in the same subnet can communicate, but it is not recommended to 'bridge' wired and wireless with a WLC. The WLC doesn't like to bridge the communication by default, though there are work arounds.
I might also say that as it uses the same MAC address for both virtual interfaces L2 is going to be messed up as each time there were an ARP the entry would change.
Take a look and see if you can manually change the mac for one of the interfaces and test again.
HTH,
Steve -
802.1x multiple sessions with same LOGIN+MAC on single-host port
We have 802.1x with radius server.
c2960 configured to allow only one device per port with no Mac-Bypass and no critical auth.
From time to time user seems to get multiple authentications on single port with single mac-address.
So we get several sessions on port with the same login, mac (but different session-id).
The command "dot1x re-auth int" doesn't clear those sessions. Neither does "force-unauthorized" or "shut/no shut". The only thing that helps is rebooting the switch.
Happens with different users.
Anybody seen this issue?
IOS 12.2(46)SE
Sure. Tried to make it short.
Config for 802.1x-aaa:
aaa new-model
aaa group server radius default
server X.X.X.X auth-port 12345 acct-port 12346
aaa authentication login default group radius enable
aaa authentication dot1x default group radius
aaa authorization exec default group radius if-authenticated
aaa authorization network default local group radius
aaa authorization reverse-access default group radius
aaa accounting suppress null-username
aaa accounting update periodic 1
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting system default start-stop group radius
aaa session-id common
dot1x system-auth-control
interface FastEthernet0/48
switchport access vlan 1398
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode shutdown
spanning-tree portfast
spanning-tree link-type point-to-point
radius-server attribute 44 include-in-access-req
radius-server attribute 44 extend-with-addr
radius-server attribute 188 format non-standard
radius-server attribute 218 mandatory
radius-server attribute 32 include-in-accounting-req format %i %h %d
radius-server attribute 55 include-in-acct-req
radius-server attribute list att
attribute 30-31,44
radius-server host X.X.X.X auth-port 12345 acct-port 12346 key keykeykey
radius-server vsa send accounting
sh dot1x int fa 0/48 det
Dot1x Info for FastEthernet0/48
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
Violation Mode = SHUTDOWN
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Dot1x Authenticator Client List Empty
Port Status = UNAUTHORIZED
And right now, while port is UNAUTHORIZED we have 2 sessions as follows:
sh aaa user all
Unique id 34974 is currently in use.
Accounting:
log=0x208241
Events recorded :
CALL START
ATTR REPLACE
NET UP
INTERIM START
VPDN NET UP
update method(s) :
PERIODIC
update interval = 60
Outstanding Stop Records : 0
Dynamic attribute list:
0244DC34 0 00000001 connect-progress(44) 4 Auth Open
0244DC48 0 00000001 pre-session-time(272) 4 0(0)
0244DC5C 0 00000001 elapsed_time(339) 4 4828941(49AF0D)
0244DC70 0 00000001 input-giga-words(111) 4 2(2)
0244DC84 0 00000001 output-giga-words(250) 4 8(8)
024A8C10 0 00000001 bytes_in(112) 4 119041621(7186E55)
024A8C24 0 00000001 bytes_out(252) 4 3588031221(D5DD02F5)
024A8C38 0 00000001 pre-bytes-in(268) 4 7373(1CCD)
024A8C4C 0 00000001 pre-bytes-out(269) 4 8204(200C)
024A8C60 0 00000001 paks_in(113) 4 45940138(2BCFDAA)
024A8CB0 0 00000001 paks_out(253) 4 46979788(2CCDACC)
024A8CC4 0 00000001 pre-paks-in(270) 4 68(44)
024A8CD8 0 00000001 pre-paks-out(271) 4 61(3D)
No data for type EXEC
No data for type CONN
NET: Username=(n/a)
Session Id=000088AD Unique Id=0000889E
Start Sent=0 Stop Only=N
stop_has_been_sent=N
Method List=0
Attribute list:
024CAA00 0 00000001 session-id(336) 4 34989(88AD)
024CAA14 0 00000001 start_time(342) 4 Jan 23 2012 16:22:08
No data for type CMD
No data for type SYSTEM
No data for type RM CALL
No data for type RM VPDN
No data for type AUTH PROXY
8: Username=157102
Session Id=000088AD Unique Id=0000889E
Start Sent=1 Stop Only=N
stop_has_been_sent=N
Method List=226B3E4 : Name = default
Attribute list:
0244DB94 0 00000001 session-id(336) 4 34989(88AD)
0244DBA8 0 00000001 start_time(342) 4 Jan 23 2012 16:22:08
0244DBBC 0 00000009 audit-session-id(599) 24 0AC5010200001C45A5C67429
No data for type IPSEC-TUNNEL
No data for type RESOURCE
No data for type 11
No data for type 12
No data for type CALL
No data for type VPDN-TUNNEL
No data for type VPDN-TUNNEL-LINK
Debg: No data available
Radi: 2032FD8
Interface:
TTY Num = -1
Stop Received = 0
Byte/Packet Counts till Call Start:
Start Bytes In = 993512241 Start Bytes Out = 3867828098
Start Paks In = 23586320 Start Paks Out = 28511581
Byte/Packet Counts till Service Up:
Pre Bytes In = 993519614 Pre Bytes Out = 3867836302
Pre Paks In = 23586388 Pre Paks Out = 28511642
Cumulative Byte/Packet Counts :
Bytes In = 1112561235 Bytes Out = 3160900227
Paks In = 69526526 Paks Out = 75491430
StartTime = 16:22:08 GMT+5 Jan 23 2012
AuthenTime = 16:22:08 GMT+5 Jan 23 2012
Component = DOT1X
Authen: service=8021X type=EAP method=RADIUS
Kerb: No data available
Meth: No data available
PreA: No data available
General:
Unique Id = 0000889E
Session Id = 000088AD
Attribute List:
024A8C10 0 00000001 port-type(174) 4 Ethernet
024A8C24 0 00000009 interface(170) 16 FastEthernet0/48
024A8C38 0 00000009 dnis(50) 17 00-18-B9-F5-5B-30
024A8C4C 0 00000009 clid(37) 17 48-5B-39-EA-26-7C
PerU: No data available
Unique id 34976 is currently in use.
Accounting:
log=0x10000208241
Events recorded :
CALL START
ATTR REPLACE
NET UP
INTERIM START
VPDN NET UP
SESSION INFO
update method(s) :
PERIODIC
update interval = 60
Outstanding Stop Records : 0
Dynamic attribute list:
024CAA00 0 00000001 connect-progress(44) 4 Auth Open
024CAA14 0 00000001 pre-session-time(272) 4 2(2)
024CAA28 0 00000001 elapsed_time(339) 4 4828961(49AF21)
024CAA3C 0 00000001 input-giga-words(111) 4 2(2)
024CAA50 0 00000001 output-giga-words(250) 4 8(8)
024CAAA0 0 00000001 bytes_in(112) 4 119021816(71820F8)
024CAAB4 0 00000001 bytes_out(252) 4 3588011179(D5DCB4AB)
024CAAC8 0 00000001 pre-bytes-in(268) 4 6219(184B)
024CAADC 0 00000001 pre-bytes-out(269) 4 7005(1B5D)
024CAAF0 0 00000001 paks_in(113) 4 45939933(2BCFCDD)
0244DB94 0 00000001 paks_out(253) 4 46979618(2CCDA22)
0244DBA8 0 00000001 pre-paks-in(270) 4 59(3B)
0244DBBC 0 00000001 pre-paks-out(271) 4 51(33)
No data for type EXEC
No data for type CONN
NET: Username=(n/a)
Session Id=000088AF Unique Id=000088A0
Start Sent=0 Stop Only=N
stop_has_been_sent=N
Method List=0
Attribute list:
024A8C10 0 00000001 session-id(336) 4 34991(88AF)
024A8C24 0 00000001 start_time(342) 4 Jan 23 2012 16:22:18
No data for type CMD
No data for type SYSTEM
No data for type RM CALL
No data for type RM VPDN
No data for type AUTH PROXY
8: Username=157102
Session Id=000088AF Unique Id=000088A0
Start Sent=1 Stop Only=N
stop_has_been_sent=N
Method List=226B3E4 : Name = default
Attribute list:
024CAA00 0 00000001 session-id(336) 4 34991(88AF)
024CAA14 0 00000001 start_time(342) 4 Jan 23 2012 16:22:18
024CAA28 0 00000009 audit-session-id(599) 24 0AC5010200001C49A5C6990F
No data for type IPSEC-TUNNEL
No data for type RESOURCE
No data for type 11
No data for type 12
No data for type CALL
No data for type VPDN-TUNNEL
No data for type VPDN-TUNNEL-LINK
Debg: No data available
Radi: 2032F58
Interface:
TTY Num = -1
Stop Received = 0
Byte/Packet Counts till Call Start:
Start Bytes In = 993533200 Start Bytes Out = 3867849339
Start Paks In = 23586534 Start Paks Out = 28511761
Byte/Packet Counts till Service Up:
Pre Bytes In = 993539419 Pre Bytes Out = 3867856344
Pre Paks In = 23586593 Pre Paks Out = 28511812
Cumulative Byte/Packet Counts :
Bytes In = 1112561235 Bytes Out = 3160900227
Paks In = 69526526 Paks Out = 75491430
StartTime = 16:22:18 GMT+5 Jan 23 2012
AuthenTime = 16:22:19 GMT+5 Jan 23 2012
Component = DOT1X
Authen: service=8021X type=EAP method=RADIUS
Kerb: No data available
Meth: No data available
PreA: No data available
General:
Unique Id = 000088A0
Session Id = 000088AF
Attribute List:
0244DB94 0 00000001 port-type(174) 4 Ethernet
0244DBA8 0 00000009 interface(170) 16 FastEthernet0/48
0244DBBC 0 00000009 dnis(50) 17 00-18-B9-F5-5B-30
0244DBD0 0 00000009 clid(37) 17 48-5B-39-EA-26-7C
PerU: No data available
PS. Have no command "show authentication" -
Multi-MAC Address to One IP Attack?
I had posted something earlier but have more information.
Earlier I asked if you could have multiple IP addresses mapped to the same MAC-Address in the ARP table.
Based on wire captures I have found that it is no problem for the WGB1310 or for the Cisco 6500 to have this. However, I am hearing that there is a special security feature in the WiSM or WLC that sees this as an attempted ATTACK on the network. I would see a ping come through the 6500, over the wireless network and hit my virtual IP address and I would see the virtual IP address respond. However, the response did not make it back to the sending PC because of this issue.
And so now my application fails.
Does anyone know of this feature or if I can disable it on the WiSM? This is crushing my deployment.
Ok, an update on this.
I have a layer 3 switch on every train.
I am thinking I can just keep the 1310 in WGB mode near my end user and keep the other 1310 in AP mode for the link back to the WiSM, plug the ethernet interface of my WGB into the layer 3 switch then on the other side of the switch I will have a /28 network.
On the WLC/WiSM I would then create a static route for each /28 to the external interface (by which I mean the interface on the same subnet as the WLC) of the layer 3 switch.
I think I would also have to create a static route on the 6500 for these networks as well since it needs to know that they exist on the other side of the WiSM.
Make sense?
Can't wait to test it out.
James -
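The condition the poster describes (several IP addresses answering from one wireless MAC, as happens behind a workgroup bridge or with a virtual IP) is exactly what an IP-to-MAC binding check on a controller or switch treats as address spoofing. The following added example, which is not code from the thread or from Cisco, parses a constructed IOS-style `show ip arp` listing and reports MACs that front more than one IP, with an allow-list for hosts that are expected to do so, so an operator can spot such hosts before the controller drops their traffic:

```python
import re
from collections import defaultdict

# Constructed sample in IOS "show ip arp" format; addresses and MACs are made up.
# 0018.b9f5.5b30 stands in for a WGB that answers for three addresses.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.6.1               -   0019.aa11.2233  ARPA   Vlan6
Internet  10.20.6.17              3   0018.b9f5.5b30  ARPA   Vlan6
Internet  10.20.6.18              3   0018.b9f5.5b30  ARPA   Vlan6
Internet  10.20.6.19              3   0018.b9f5.5b30  ARPA   Vlan6
Internet  10.20.6.40              7   485b.39ea.267c  ARPA   Vlan6
Internet  10.20.6.41              0   Incomplete      ARPA
"""

# One resolved ARP entry; "Incomplete" rows have no MAC and are skipped.
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<intf>\S+)",
    re.IGNORECASE,
)


def parse_arp(text):
    """Return (ip, mac, interface) tuples for every resolved entry."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append((m.group("ip"), m.group("mac").lower(), m.group("intf")))
    return entries


def _ip_key(ip):
    # Sort numerically by octet rather than as strings.
    return tuple(int(o) for o in ip.split("."))


def find_shared_macs(text, allow=frozenset()):
    """Map each MAC that answers for more than one IP to its sorted IP list.

    `allow` holds MACs (lower-case, dotted form) that are known to front several
    addresses, e.g. a workgroup bridge, and are therefore not reported.
    """
    by_mac = defaultdict(set)
    for ip, mac, _ in parse_arp(text):
        by_mac[mac].add(ip)
    return {
        mac: sorted(ips, key=_ip_key)
        for mac, ips in by_mac.items()
        if len(ips) > 1 and mac not in allow
    }


if __name__ == "__main__":
    for mac, ips in find_shared_macs(SAMPLE_ARP).items():
        print(f"{mac} answers for {len(ips)} addresses: {', '.join(ips)}")
```

Run the same function over a real `show ip arp` capture from the default gateway; any MAC it reports is a candidate for the binding check the thread is asking about, and the allow-list is where the known bridge MACs go once they are understood.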
WiSM-A and -B communication problem
I am deploying a 6509-WISM with 120 x 1130 APs running 4.1.181.0. Both controllers (A and B) are configured as LWAPP Layer 3 mode with the same mobility and RF domain. The APs use DHCP to obtain their IP through option 43. All APs register only to WiSM-B and none go to WiSM-A. I even tried configuring the Primary and Secondary Controller with WISM-A only and the APs are still only registering to WiSM-B only. Any advice would be greatly appreciated.
Hi Chris,
Since I restarted both controllers this morning, here are the only messages that show up in the log.... There should be more than that as far as I am concerned.
Aug 24 15:20:39.932 hwutils.c:2159 INIT-0-MSGTAG007: Security Module not found.
Aug 24 15:20:39.161 bootos.c:874 INIT-0-MSGTAG001: Starting code...
We are also looking at the arp table on the default gateway and there is a MAC that is not making sense. On WISM-A ap-manager interface, the MAC shows up as being 001b.243d.a9f6 which is a Quanta Computer MAC..... but should be showing as a Cisco one. Will let you know.
Any thoughts?
Thanks -
WiSM - Mobility Group - Control Path Down
I have 2 WiSMs with 4 WLCs. Each WLC is in the same subnet. I have set up the mobility group using the virtual interface MAC address. I get a Control Path Down message for any WLC on another WiSM e.g
From controller 10.x.x.1 on WiSM 1, 10.x.x.1 and 10.x.x.2 (on WiSM 1) show as UP in mobility groups, but 10.x.x.3 and 10.x.x.4 (on WiSM 2) show Control Path Down.
I have tried setting them up using the management interface MAC address but when I click apply it says there is a problem creating the member with MAC (MAC address of the controller I am on).
Any suggestions?
It SHOULD BE MANAGEMENT INT MAC WHICH ENDS WITH ZERO..
Either
WLC >> Controller >> Interfaces >> Management >> MAC address
OR
WLC >> Controller >> Interfaces >> Management >> Inventory >> MAC Address..
Regards
Surendra -
I'm running a WiSM on a 6504E using supervisor code s72033-ipservices_wan-mz.122-33.SXI2.bin. When I add a statement configuring the allowed VLANs on the WiSMs, I get the following errors:
*Aug 5 16:56:35.202: %EC-SP-5-CANNOT_BUNDLE2: Gi2/6 is not compatible with Po404 and will be suspended (trunk mode of Gi2/6 is dynamic, Po404 is trunk)
*Aug 5 16:56:35.826: %EC-SP-5-CANNOT_BUNDLE2: Gi2/5 is not compatible with Gi2/7 and will be suspended (trunk mode of Gi2/5 is trunk, Gi2/7 is dynamic)
*Aug 5 16:56:36.138: %EC-SP-5-CANNOT_BUNDLE2: Gi2/6 is not compatible with Gi2/8 and will be suspended (trunk mode of Gi2/6 is trunk, Gi2/8 is dynamic)
Keep in mind that I don't have the option to configure these gigabit interfaces as they are auto-provisioned by the version of code being run on the switch.
Here are some show commands that may be of interest:
###-###-mdf#sh etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use N - not in use, no aggregation
f - failed to allocate aggregator
M - not in use, no aggregation due to minimum links not met
m - not in use, port not aggregated due to minimum links not met
u - unsuitable for bundling
d - default port
w - waiting to be aggregated
Number of channel-groups in use: 2
Number of aggregators: 2
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
403 Po403(SU) - Gi2/1(P) Gi2/2(P) Gi2/3(P)
Gi2/4(P)
404 Po404(SU) - Gi2/5(P) Gi2/6(P) Gi2/7(P)
Gi2/8(P)
###-###-mdf#show wism status
Service Vlan : 3015, Service IP Subnet : 10.139.255.1/255.255.255.0
WLAN
Slot Controller Service IP Management IP SW Version Status
----+-----------+----------------+----------------+-----------+---------------
2 1 0.0.0.0 10.137.139.2 5.2.178.0 Service Port Up
2 2 0.0.0.0 10.137.139.4 5.2.178.0 Service Port Up
###-###-mdf#show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
src-dst-ip
mpls label-ip
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
IPv4: Source XOR Destination IP address
IPv6: Source XOR Destination IP address
MPLS: Label or IP
Do you have qos enabled globally? This was an issue with IOS a while back, but should be fine in SXI
how6506A#sh ver
Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(33)SXI1, RELEASE SOFTWARE (fc3)
maybe they broke it again in SXI2
show6506A#sh mls qos
QoS is enabled globally
Policy marking depends on port_trust
QoS ip packet dscp rewrite enabled globally
Input mode for GRE Tunnel is Pipe mode
Input mode for MPLS is Pipe mode
QoS Trust state is CoS on the following interface:
Gi4/1 Gi4/2 Gi4/3 Gi4/4 Gi4/5 Gi4/6 Gi4/7 Gi4/8 Po407 Po408
Vlan or Portchannel(Multi-Earl) policies supported: Yes
Egress policies supported: Yes
ports listed in above command are my wism ports
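The `%EC-SP-5-CANNOT_BUNDLE2` messages quoted above carry the reason in parentheses, and reading them by hand is error-prone when a supervisor emits dozens during WiSM provisioning. This added example, which is not code from the thread or from Cisco, parses those lines (the three from the post plus one unrelated constructed line, to show filtering), lists which member ports were suspended, and flags any interface whose trunk mode is reported differently across messages, as Gi2/6 is here:

```python
import re
from collections import defaultdict

# Sample input: the three CANNOT_BUNDLE2 lines quoted in the thread, plus one
# constructed unrelated syslog line that the parser must ignore.
SAMPLE_SYSLOG = """\
*Aug 5 16:56:35.202: %EC-SP-5-CANNOT_BUNDLE2: Gi2/6 is not compatible with Po404 and will be suspended (trunk mode of Gi2/6 is dynamic, Po404 is trunk)
*Aug 5 16:56:35.826: %EC-SP-5-CANNOT_BUNDLE2: Gi2/5 is not compatible with Gi2/7 and will be suspended (trunk mode of Gi2/5 is trunk, Gi2/7 is dynamic)
*Aug 5 16:56:36.138: %EC-SP-5-CANNOT_BUNDLE2: Gi2/6 is not compatible with Gi2/8 and will be suspended (trunk mode of Gi2/6 is trunk, Gi2/8 is dynamic)
*Aug 5 16:56:40.000: %SYS-5-CONFIG_I: Configured from console by console
"""

# Message layout as seen in the quoted lines (assumed to hold for other ports).
BUNDLE_MSG = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+\s+[\d:.]+):\s+%EC-SP-5-CANNOT_BUNDLE2:\s+"
    r"(?P<port>\S+) is not compatible with (?P<peer>\S+) and will be suspended "
    r"\((?P<reason>[^)]*)\)"
)
# The reason clause names the trunk mode of both interfaces involved.
MODE_CLAUSE = re.compile(r"trunk mode of (\S+) is (\w+), (\S+) is (\w+)")


def parse_bundle_errors(text):
    """Return one dict per CANNOT_BUNDLE2 line: ts, port, peer, reason, modes."""
    events = []
    for line in text.splitlines():
        m = BUNDLE_MSG.match(line)
        if not m:
            continue  # any other syslog message
        ev = m.groupdict()
        ev["modes"] = {}
        c = MODE_CLAUSE.search(ev["reason"])
        if c:
            ev["modes"] = {c.group(1): c.group(2), c.group(3): c.group(4)}
        events.append(ev)
    return events


def suspended_ports(text):
    """Member ports the supervisor reported as suspended, deduplicated."""
    return sorted({ev["port"] for ev in parse_bundle_errors(text)})


def observed_trunk_modes(text):
    """Every trunk mode reported for each interface across all messages."""
    modes = defaultdict(set)
    for ev in parse_bundle_errors(text):
        for intf, mode in ev["modes"].items():
            modes[intf].add(mode)
    return {intf: sorted(ms) for intf, ms in modes.items()}


def unstable_interfaces(text):
    """Interfaces whose reported mode changed between messages, i.e. ports
    still being reprovisioned while the bundle was forming."""
    return sorted(i for i, ms in observed_trunk_modes(text).items() if len(ms) > 1)


if __name__ == "__main__":
    for ev in parse_bundle_errors(SAMPLE_SYSLOG):
        print(ev["ts"], ev["port"], "vs", ev["peer"], ev["modes"])
    print("suspended:", suspended_ports(SAMPLE_SYSLOG))
    print("mode changed during bundling:", unstable_interfaces(SAMPLE_SYSLOG))
```

Feed it the supervisor's log buffer after the VLAN change; a port listed by `unstable_interfaces` was reported in two different modes within the same second, which is what you expect from auto-provisioned WiSM ports mid-reconfiguration rather than from a persistent misconfiguration.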