WiSM - MAC Authentication

The config below is on an Auto AP. How do I configure the WiSM controller for 'authentication open mac-address mac_methods eap eap_methods'?
aaa group server radius rad_eap
server 134.226.16.92 auth-port 1645 acct-port 1813
server 134.226.249.74 auth-port 1645 acct-port 1813
aaa group server radius rad_mac
server 134.226.16.92 auth-port 1645 acct-port 1813
server 134.226.249.74 auth-port 1645 acct-port 1813
dot11 ssid Test1
   vlan 6
   authentication open mac-address mac_methods eap eap_methods
   authentication network-eap eap_methods mac-address mac_methods
   authentication key-management wpa optional
   accounting acct_methods
Please advise.
Thanks

Please check the PEAP docs, which explain how to set up PEAP authentication.
Regards,
~JG
Do rate helpful posts

Similar Messages

  • Mac-Authen in 1141 AP not working with WPA!

    I want my stand-alone 1141 to do Mac-Authentication locally and have WPA running to let the AP run in 11n mode, but it is not working. I have tried No Encr with Mac-Authentication and it works.
    I have read an article that WPA and Mac-Authentication don't work together. Is it right?
    Please enlighten me on this.

    Hi,
    Indeed, the simplest is to have WPA and MAC filters. MAC authentication allows you to authenticate MAC addresses against RADIUS. A MAC filter is an access list with MAC addresses stored on the AP itself.
    ap(config)#dot11 association mac-list ?
      <700-799>  Ethernet address access list
    You can then configure an ACL (with number between 700 and 799) to go with that.
    Regards,
    Nicolas

  • Mac address ACS authentication

    I have 3 Cisco 350 Aironets here. Right now they all have MAC authentication, with each one having to have the MAC address statically entered. I have a hardware ACS and would like to use that for the authentication so I do not have to enter the MAC address 3 times. I have seen that you are supposed to add the MAC address as the username and then the password, but I get an error stating that the username and password cannot be the same and it will not add the user. What do I do now? I have done it just like the Cisco documentation states but again I get an error. Please help.......

    There is a feature called "Per User VLAN Assignment" which should provide you with just the protection you're looking for. It uses the ACS Server to assign a user to a VLAN, regardless of what SSID they connect to the access point with. Per User VLAN Assignment requires IOS version 12.2(11)JA1.
    No configuration changes are made on the AP to engage per user VLAN assignment. All the configuration changes are made on the ACS. For more details check out the following URL,
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html

  • Aironet 1300 - problems with security

    Hi,
    I have two Aironets setup as below. They both have the radio configured and up. I suspect the issue is with the security. I am unfamiliar with how it works - if anyone can provide me any pointers, it would be much appreciated!
    thanks,
    Mark
    dot11 vlan-name BRIDGE1 vlan 153
    dot11 vlan-name BRIDGE2 vlan 254
    dot11 vlan-name BRIDGE3 vlan 154
    dot11 ssid BRIDGE1
    vlan 153
    dot11 ssid BRIDGE2
    vlan 254
    authentication open
    authentication key-management wpa
    infrastructure-ssid
    wpa-psk ascii 7 <key here>
    dot11 ssid BRIDGE3
    vlan 154
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption key 3 size 128bit 7 <key here> transmit-key
    encryption mode ciphers wep128
    encryption vlan 254 mode ciphers tkip
    ssid BRIDGE1
    ssid BRIDGE2
    ssid BRIDGE3
    speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
    station-role root bridge
    cca 75
    concatenation
    infrastructure-client
    interface Dot11Radio0.153
    encapsulation dot1Q 153
    no ip route-cache
    bridge-group 153
    interface Dot11Radio0.154
    encapsulation dot1Q 154
    no ip route-cache
    bridge-group 154
    interface Dot11Radio0.254
    encapsulation dot1Q 254 native
    no ip route-cache
    bridge-group 1
    interface FastEthernet0
    no ip address
    no ip route-cache
    interface FastEthernet0.153
    encapsulation dot1Q 153
    no ip route-cache
    bridge-group 153
    interface FastEthernet0.154
    encapsulation dot1Q 154
    no ip route-cache
    bridge-group 154
    interface FastEthernet0.254
    encapsulation dot1Q 254 native
    no ip route-cache
    bridge-group 1
    interface BVI1
    ip address 10.0.254.203 255.255.255.0
    no ip route-cache

    Hi Vincent,
    Firstly, if you've got a MAC address access list to restrict access, just confirm you've got the right MAC address in there - in my testing it caused exactly the error you've indicated.
    The other things to try are:
    Remote end is not powered up
    Antennas are misaligned
    Channels do not match
    Radios are switched off
    Radio power is set too low
    Speed not matched
    Authentication failing
    Check this link for authentication debugging:
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_tech_note09186a008024aa4f.shtml
    These commands may help:
    debug dot11 aaa authenticator mac-authen
    debug dot11 aaa authenticator all
    thanks,
    Mark

  • AP1200 with EAP - dot11 holdoff timer

    Hi all
    We are running AP1200 with open EAP. We are experiencing a transient problem with a couple of unknown PCs attempting (and failing) authentication every second. After some time, the memory gets fragmented on the AP, causing the AP to hang.
    From the AP
    >>>
    Aug 4 14:12:17: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication fad
    Aug 4 14:12:18: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication fad
    Aug 4 14:12:19: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication fad
    Aug 4 14:12:21: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication fad
    Aug 4 14:12:22: %SYS-2-MALLOCFAIL: Memory allocation of 1500 bytes failed from
    Pool: Processor Free: 122180 Cause: Memory fragmentation
    Alternate Pool: None Free: 0 Cause: No Alternate pool
    -Process= "Logger", ipl= 6, pid= 16
    -Traceback= 10DDB0 10FF40 108EF0 117C20 366E0 368A0 442FC 445A8 47CEC 1337F8
    Aug 4 14:12:23: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication fad
    <<<
    We have not been able to find this certain host.
    We attempted to mitigate the failures using "dot11 holdoff-timer 120". From the documentation this command looks like it will only take effect when performing MAC authentication, yet the configuration guide does not specify MAC authen only. We have not had success in the lab.
    Can anyone here shed some more light on this command?
    TIA,
    Alex

    If all the PCs in your wireless network are working , then the unknown PCs could be some rogue devices trying to access the network. Since authentication is failing at every attempt it is clear that it is a rogue device trying to get entry in to the network.
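The AUTH_FAILED / MALLOCFAIL sequence in the post above is the kind of thing worth alerting on before the AP hangs. This is an added example, not code from the thread: it parses IOS syslog lines of that shape, flags any station whose authentication failures reach a threshold inside a sliding window (a client hammering the AP several times a second, as opposed to a user mistyping a password a few times), and separately lists MALLOCFAIL events. The sample log is constructed to mirror the post's format (the second station MAC and the line tails are made up).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample, modelled on the AP1200 syslog excerpt in the post
# (first station MAC and times follow the post; the second station and
# the wording after "Authentication" are made up for the example).
SAMPLE_LOG = """\
Aug 4 14:12:17: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication failed
Aug 4 14:12:18: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication failed
Aug 4 14:12:19: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication failed
Aug 4 14:12:21: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication failed
Aug 4 14:12:22: %SYS-2-MALLOCFAIL: Memory allocation of 1500 bytes failed from 0x10DDB0
Pool: Processor Free: 122180 Cause: Memory fragmentation
Aug 4 14:12:23: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication failed
Aug 4 14:20:05: %DOT11-7-AUTH_FAILED: Station 0011.2233.4455 Authentication failed
Aug 4 14:25:05: %DOT11-7-AUTH_FAILED: Station 0011.2233.4455 Authentication failed
"""

# "Mon  d HH:MM:SS: %FACILITY-SEV-MNEMONIC: text" (IOS omits the year).
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d):\s+"
    r"%(?P<msg>[A-Z0-9_]+-\d-[A-Z0-9_]+):\s+(?P<text>.*)$"
)
STATION_RE = re.compile(
    r"Station\s+(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})", re.I)


def parse_syslog(text):
    """Yield (timestamp, mnemonic, text) for each well-formed syslog line.

    Continuation lines without a header (e.g. the 'Pool:' detail that
    follows MALLOCFAIL) are skipped. The year is left at strptime's default
    because only differences between timestamps are used here.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(
            f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
        yield ts, m["msg"], m["text"]


def find_auth_floods(text, threshold=4, window_seconds=10):
    """Return {station_mac: (time_of_alert, failures_in_window)}.

    A station is reported the first time its DOT11-7-AUTH_FAILED count
    reaches `threshold` within a sliding window of `window_seconds`.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, msg, body in parse_syslog(text):
        if msg != "DOT11-7-AUTH_FAILED":
            continue
        sm = STATION_RE.search(body)
        if not sm:
            continue
        mac = sm["mac"].lower()
        q = recent[mac]
        q.append(ts)
        # Drop failures that have aged out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and mac not in alerts:
            alerts[mac] = (ts, len(q))
    return alerts


def find_memory_pressure(text):
    """Return timestamps of SYS-2-MALLOCFAIL events, the symptom the post
    ties to the flood (the AP hangs once its heap fragments)."""
    return [ts for ts, msg, _ in parse_syslog(text)
            if msg == "SYS-2-MALLOCFAIL"]


if __name__ == "__main__":
    for mac, (when, n) in find_auth_floods(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S} station {mac}: {n} auth failures in 10s")
    for when in find_memory_pressure(SAMPLE_LOG):
        print(f"{when:%b %d %H:%M:%S} MALLOCFAIL, check for heap fragmentation")
```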

  • Proxy authentication problems from Macs.... argh

    I am seeing this regularly in mixed Windows/Mac environments where all machines proxy over 8080 to the TMG box (integrated authentication).
    I can have a firewall rule that allows traffic from Internal to External over HTTP/HTTPS for Domain Users, and both clients, Macs and PCs, will be able to browse the internet fine so long as they have appropriate proxy server settings configured on either their machine or browser.
    However, some websites that use Flash or Java for viewing videos result in the Macs NOT working.  Looking in the firewall logging I can see that access is being denied because the Mac is not passing user credentials and is attempting to go out using anonymous credentials (which is not allowed).  This ONLY happens for the Macs, and ONLY happens on certain websites, and ONLY for stuff like Java/Flash, etc.
    Anyone else running into this?  It's happening so frequently that I am about to just turn OFF all proxying to TMG and have everyone go out as SecureNAT clients, because every time this happens I have to create a specific rule for THAT website to allow SecureNAT.
    Thoughts??

    Hi,
    Your analysis is correct. TMG (or any other proxy) will ask the user for authentication if the rule is configured to do so. It's up to the client (browser or software entity trying to access the internet) to authenticate to the proxy. If that entity is not designed for such proxy authentication, it will fail to access the resource.
    If you see in your logs that the browser/application (Safari/Java) on the Mac is unable to authenticate to the proxy, that's exactly the reason it's failing. If you look above that, you should see 407 messages, where the proxy server is telling the client to negotiate and authenticate for the proxy.
    Hope this helps. If you have any further questions, please let me know.
    Related post:
    http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/78b2a5e8-9a80-42d8-bd38-a3c175161b12
    Regards, Amit Saxena. Keep Walking! Please remember to use "Mark as Answer" or "vote as helpful" on the posts that help you.

  • WiSM Status LED 1 & Status LED 2 showing off. Is it normal?

    Hi,
    A WiSM WLAN Service Module WS-SVC-WISM-1-K9 in a 6509e running VSS IOS s72033-ipservicesk9_wan-mz.122-33.SXI2a.bin is having trouble getting an IP from the service-vlan DHCP, and status LED 1 & status LED 2 are showing off.
    The pertinent config is as follows.
    vlan 300
    name WiSM_Service_Vlan
    interface Vlan300
    description *** WiSM Service-Vlan
    ip address 192.168.200.1 255.255.255.0
    ip dhcp excluded-address 192.168.200.1
    ip dhcp pool WiSM_Service-Vlan_300
       network 192.168.200.0 255.255.255.0
       default-router 192.168.200.1
    wism service-vlan 300
    vlan 183
    name WiSM_Management
    interface Vlan183
    description *** WiSM Management Vlan ***
    ip address 10.39.139.254 255.255.255.0
    wism switch 1 module 4 controller 1 allowed-vlan 125,126,183,300
    wism switch 1 module 4 controller 2 allowed-vlan 125,126,183,300
    wism switch 2 module 4 controller 1 allowed-vlan 125,126,183,300
    wism switch 2 module 4 controller 2 allowed-vlan 125,126,183,300
    wism switch 1 module 4 controller 1 native-vlan 183
    wism switch 1 module 4 controller 2 native-vlan 183
    wism switch 2 module 4 controller 1 native-vlan 183
    wism switch 2 module 4 controller 2 native-vlan 183
    HO2NET0001#sh wism status
    Service Vlan : 300, Service IP Subnet : 192.168.200.1/255.255.255.0
          WLAN
    Slot  Controller  Service IP       Management IP    SW Version  Status
    ----+-----------+----------------+----------------+-----------+---------------
    20    1           0.0.0.0          0.0.0.0                      Service Port Up
    20    2           0.0.0.0          0.0.0.0                      Service Port Up
    HO2NET0001#sh module
    Mod Ports Card Type                              Model              Serial No.
      1    8  CEF720 8 port 10GE with DFC            WS-X6708-10GE      SAL13442Q5N
      2    8  CEF720 8 port 10GE with DFC            WS-X6708-10GE      SAL13442GAL
      3   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL13410N8P
      4   10  WiSM WLAN Service Module               WS-SVC-WISM-1-K9   SAD133101UY
      5    5  Supervisor Engine 720 10GE (Active)    VS-S720-10G        SAL13442JE4
    Mod MAC addresses                       Hw    Fw           Sw           Status
      1  0025.84f1.55b8 to 0025.84f1.55bf   2.1   12.2(18r)S1  12.2(33)SXI2 Ok
      2  0025.84f1.4e58 to 0025.84f1.4e5f   2.1   12.2(18r)S1  12.2(33)SXI2 Ok
      3  0027.0da7.c240 to 0027.0da7.c26f   3.2   12.2(18r)S1  12.2(33)SXI2 Ok
      4  0023.5e25.7168 to 0023.5e25.7177   2.3   12.2(14r)S5  12.2(33)SXI2 Ok
      5  001f.9e2a.2608 to 001f.9e2a.260f   3.1   8.5(3)       12.2(33)SXI2 Ok
    Mod  Sub-Module                  Model              Serial       Hw     Status
      1  Distributed Forwarding Card WS-F6700-DFC3C     SAL13442EG9  1.4    Ok
      2  Distributed Forwarding Card WS-F6700-DFC3C     SAL13442H9T  1.4    Ok
      3  Centralized Forwarding Card WS-F6700-CFC       SAL13442HU9  4.1    Ok
      4  Centralized Forwarding Card WS-SVC-WISM-1-K9-D SAD133200D6  2.1    Ok
      5  Policy Feature Card 3       VS-F6K-PFC3C       SAL13442E5S  1.1    Ok
      5  MSFC3 Daughterboard         VS-F6K-MSFC3       SAL13421AJZ  2.0    Ok
    Mod  Online Diag Status
      1  Pass
      2  Pass
      3  Pass
      4  Pass
      5  Pass
    HO2NET0001#sh vlan
    300  WiSM_Service_Vlan                active    Gi1/4/9, Gi1/4/10
    The service IP is supposed to have been populated with an address from the DHCP pool. I am also unable to access it by console, or by doing a session switch 1 slot 4 processor 1. I get the following upon attempting to do so:
    Through Console.
    It gives the following and then gets stuck.
    Bootloader 3.2.202.0 (Nov 13 2007 - 19:35:12)
    Motorola PowerPC ProcessorID=00000000 Rev. PVR=80200020
            CPU: 999 MHz
            CCB: 333 MHz
            DDR: 166 MHz
            LBC: 41 MHz
    L1 D-cache 32KB, L1 I-cache 32KB enabled.
    I2C:   ready
    DTT:   1 is 33 C
    DRAM:  DDR module detected, total size:512MB.
    512 MB
    8540 in PCI Host Mode.
    8540 not PCI Arbiter.
    Memory Test PASS
    FLASH:
      Flash Bank 0: portsize = 2, size = 8 MB in 142 Sectors
    8 MB
    L2 cache enabled: 256KB
    Card Id: 1537
    Card Revision Id: 1
    Card CPU Id: 1287
    Number of MAC Addresses: 32
    Number of Slots Supported: 4
    Serial Number: FAM133200D6
    Manufacturers ID: 30464
    Board Maintenance Level: 00
    In:    serial
    Out:   serial
    Err:   serial
                          .o88b. d888888b .d8888.  .o88b.  .d88b.
                         d8P  Y8   `88'   88'  YP d8P  Y8 .8P  Y8.
                         8P         88    `8bo.   8P      88    88
                         8b         88      `Y8b. 8b      88    88
                         Y8b  d8   .88.   db   8D Y8b  d8 `8b  d8'
                          `Y88P' Y888888P `8888Y'  `Y88P'  `Y88P'
                        Model SVC-WiSM   S/N: FAM133200D6
    Net:   TSEC ETHERNET
    IDE:   Bus 0: OK
      Device 0: Model: STI Flash 8.0.0 Firm: 01/17/07 Ser#: STI1MMJ109198093647
                Type: Removable Hard Disk
                Capacity: 488.7 MB = 0.4 GB (1000944 x 512)
      Device 1: not available
    Booting Primary Image...
    Press <ESC> now for additional boot options...
    Detecting Hardware . . .
    Cryptographic library self-test....passed!
    XML config selected
    Validating XML configuration
    Cisco is a trademark of Cisco Systems, Inc.
    Software Copyright Cisco Systems, Inc. All rights reserved.
    Cisco AireOS Version 5.2.178.0
    Initializing OS Services: ok
    Initializing Serial Services: ok
    Initializing Internal Interfaces: ok
    Initializing Network Services: ok
    Initializing Licensing Services: ok
    Starting ARP Services: ok
    Starting Trap Manager: ok
    Starting Network Interface Management Services: ok
    Starting System Services: ok
    Starting FIPS Features: ok : Not enabled
    Starting Fast Path Hardware Acceleration: ok
    Starting Switching Services: ok
    Starting QoS Services: ok
    Starting Policy Manager: ok
    Starting Data Transport Link Layer: ok
    Starting Access Control List Services: ok
    Starting System Interfaces: ok
    Starting Client Troubleshooting Service: ok
    Starting Management Frame Protection: ok
    Starting LWAPP: ok
    Starting CAPWAP: ok
    Starting Certificate Database: ok
    Starting VPN Services: ok
    Starting Security Services: ok
    Starting Policy Manager: ok
    Starting Authentication Engine: ok
    Starting Mobility Management: ok
    Starting LOCP: ok
    Starting Virtual AP Services: ok
    Starting AireWave Director: ok
    Starting Network Time Services: ok
    Starting Cisco Discovery Protocol: ok
    Starting Broadcast Services: ok
    Starting Logging Services: ok
    Starting DHCP Server: ok
    Starting IDS Signature Manager: ok
    Starting RFID Tag Tracking: ok
    Starting WLAN Control Protocol (WCP): ok
    Starting Mesh Services:  ok
    Starting TSM: ok
    Starting CIDS Services: ok
    Starting Ethernet-over-IP: ok
    Starting DTLS server:  enabled in CAPWAP
    Starting FMC HS: ok
    Starting WIPS: ok
    Starting SSHPM LSC PROV LIST: ok
    Starting Management Services:
       Web Server: ok
       CLI: ok
       Secure Web: Web Authentication Certificate not found (error). If you cannot access management interface via HTTPS please reconfigure Virtual Interface.
    (Cisco Controller)
    Welcome to the Cisco Wizard Configuration Tool
    Use the '-' character to backup
    Would you like to terminate autoinstall? [yes]:
    AUTO-INSTALL: starting now...
    Through Session
    HO2NET0001##session switch 1 slot 4 proc 1
    The default escape character is Ctrl-^, then x. You can also type 'exit' at the remote prompt to end the session Trying 0.0.0.0 ...
    Any assistance or ideas offered will be greatly appreciated.
    Thanks,

    Hi Tabish,
    How many times do you have to open this same topic?
    In my opinion, this is your THIRD thread for the same topic.

  • SMB2 Mac to Mac over LAN

    Hi,
    I have three MacBooks of various ages and a Mac Mini running Mavericks Server, all running Mavericks 10.9.2. All have access to the LAN via my service provider's WiFi N router.
    I've had an issue with SMB2 for a while, but with Mavericks pushing it as default it's beginning to bug me that it is not working as it should.
    I can see all machines in the sidebar, and I can connect via cmd-k using AFP without any problems. But if I try browsing to the various machines and shares, it's defaulting to SMB2 and seems to be having problems authenticating.
    I get around a 45 sec delay, from pointing to a machine to getting an authentication screen where I can log in. I also get this same delay when manually using SMB2 using cmd-k.
    There doesn't seem to be an issue with the machines; I've set up an ad-hoc network, and everything works perfectly. As soon as I'm connecting back through the LAN via my router, that's where the problems start. Don't really want to get another switch or Airport hub etc. at this stage.
    Anyone else seen similar issues? Or have an idea what may be causing the problem on the router? I've tried disabling IPv6, but it makes no difference.
    As mentioned above, there seems to be something interfering with the authentication process and delaying the whole process.

    Thanks Hevisko,
    I've been following the CIFS workaround. As I understand it, this is really a workaround to connect to older SMB1/SMBX shares now that SMB2 has been rolled out as default. Particularly useful for older NAS boxes that only have SMB1.
    My shares are all on OS X Mavericks machines, therefore the shares are SMB2.
    Also, there seems to be no problem when I take the router out of the equation. Think I might need to invest in a decent switch and bypass the router. Just wondering if anyone else has resolved this or can suggest a good switch that works with SMB2 Mac to Mac.
    Failing that, my Mac mini is always on, so I might look at using that to run DNS/DHCP and see how that goes.

  • WISM 7.0.235.0 post-upgrade problem?

    I upgraded one of our WISM-1 modules from 7.0.98.0 to 7.0.235.0 last night.  For some reason, APs don't join it unless I tell them specifically to do so.  We haven't specified primary & secondary controllers on purpose, allowing the APs to determine from DHCP & the controllers' responses and decide on one based on load.  This has always worked great for us.
    After upgrading, I couldn't get an AP to join the upgraded WiSM even after I specified the controller in the AP config.  So then I changed my 6506 load balancing to src-dst-mac, since that is a known (although seldom seen) issue with APs joining a controller for the first time.  We usually keep it set at src-dst-mixed-ip-port.  That worked & the AP joined the upgraded WiSM.  Then I reset the load-balancing algorithm on the 6506, removed the specific controller from the AP's config, rebooted the AP, and all was fine.  I thought that solved it.  Not.
    Any other AP that I reboot tries to join the upgraded WiSM since it has only 1 AP connected, but it fails and the AP joins the other WiSM running 7.0.98.0.  Even if I change the load balancing algorithm to src-dst-mac, src-dst-ip, or src-mac, it won't join unless I specify the upgraded controller, which I don't want to do.  I can see the WiSM responding to the join requests, but the APs still end up on the other controller.  It sounds like the years-old load balancing algorithm issue, but that doesn't seem to be the whole answer this time.
    I hope this information makes sense to those that are aware of the issues I bring up.  Any ideas why the 7.0.235.0 WiSM isn't getting APs to join it successfully without my specifying that controller?  The config hasn't changed, except for whatever new or changed defaults exist.  I suspect it might have to do with one of those....  Or could it be the two different controller versions returning confusing and different responses to the initial query?
    Thanks.
    Bill

    We're not using the built-in DHCP service on the WISMs.
    A wise decision.
    I've upgraded our WiSM-1s to this version and we don't have any issues.
    However, in the past we used to host our DHCP server for the WAPs and the clients on a plain Linux box, and we noticed that the Linux box took a painfully long, long time to dish out IP addresses to around 1k WAPs.  We later moved our DHCP server to Infoblox and the problems went away.
    Any other AP that I reboot tries to join the upgraded wism since it has only 1 AP connected, but it fails and the AP joins the other wism running 7.0.98.0. Even if I change the load balancing algorithm to src-dst-mac, src-dst-ip, or src-mac, it won't join unless I specify the upgraded controller, which I don't want to do. I can see the wism responding to the join requests, but the APs still end up on the other controller. It sounds like the years-old load balancing algorithm issue, but that doesn't seem to be the whole answer this time.
    Never saw this problem at all.

  • WLAN Controller learning IP/MAC on wrong virtual interface

    Hello
    I believe that since I upgraded my WiSM to 7.0.250.0 it is learning a MAC address on the wrong virtual interface.
    The setup:
    - a Linux server with 2 virtual interfaces, both use the same MAC address, one is the gateway of VLAN 116 and one is the gateway of VLAN 240
    - a WiSM with several virtual interfaces, including one in 116 and one in 240
    Here the arp table with the problem:
        MAC Address        IP Address     Port   VLAN   Type
    00:50:56:BD:32:92   172.16.240.9     29     240    Host
    00:1E:4A:FA:87:8B   172.16.102.12    29     0      Permanent
    00:1E:4A:FA:50:0B   172.16.102.13    29     0      Permanent
    00:1E:4A:FA:81:2B   172.16.102.14    29     0      Permanent
    00:50:56:BD:32:92   172.16.116.9     29     240    Host
    00:1D:E0:31:55:23   172.16.116.185   29     116    Client
    58:94:6B:68:50:E8   172.16.118.201   29     116    Client
    1C:B0:94:B7:38:08   172.16.118.234   29     116    Client
    And here after I made a PING from the controller to the listed ip address:
        MAC Address        IP Address     Port   VLAN   Type
    00:50:56:BD:32:92   172.16.240.9     29     240    Host
    00:1E:4A:FA:87:8B   172.16.102.12    29     0      Permanent
    00:1E:4A:FA:50:0B   172.16.102.13    29     0      Permanent
    00:1E:4A:FA:81:2B   172.16.102.14    29     0      Permanent
    00:50:56:BD:32:92   172.16.116.9     29     116    Host
    00:1D:E0:31:55:23   172.16.116.185   29     116    Client
    38:E7:D8:D3:7C:FA   172.16.118.92    29     116    Client
    58:94:6B:68:50:E8   172.16.118.201   29     116    Client
    1C:B0:94:B7:38:08   172.16.118.234   29     116    Client
    18:AF:61:12:E9:FB   192.168.1.59     29     117    Client
    Does anybody else have the same problem?
    The host 172.16.116.9 is also the configured DHCP server on VLAN 116.
    Is there a way to statically configure this IP address on that VLAN? Because every few days it causes a service outage on that VLAN (which is bound to an SSID).

    Yup, I'd say still valid. Seeing as it is the gateway, if it had different mac addresses per interface, it might still work.
    No, clients in the same subnet can communicate, but it is not recommended to 'bridge' wired and wireless with a WLC. The WLC doesn't like to bridge the communication by default, though there are work arounds.
    I might also say that as it uses the same MAC address for both virtual interfaces, L2 is going to be messed up, as each time there was an ARP the entry would change.
    Take a look and see if you can manually change the mac for one of the interfaces and test again.
    HTH,
    Steve
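The two ARP listings in the post above show the failure mode directly: one MAC backs two gateway IPs, and the VLAN recorded for 172.16.116.9 flips between snapshots. This added example (not code from the thread or from Cisco) parses WLC 'show arp'-style output, reports MACs shared across IPs, diffs two snapshots for VLAN flips, and checks known gateways against the VLAN they should live on, which is a quick way to confirm the relearning problem before an outage rather than after. The sample tables are constructed from the post's rows, trimmed to the relevant entries.

```python
import re
from collections import defaultdict

# Constructed samples, cut down from the two ARP listings in the post:
# the same MAC serves 172.16.240.9 and 172.16.116.9, and the VLAN recorded
# for 172.16.116.9 differs between the two snapshots.
ARP_BEFORE = """\
    MAC Address        IP Address     Port   VLAN   Type
00:50:56:BD:32:92   172.16.240.9     29     240    Host
00:1E:4A:FA:87:8B   172.16.102.12    29     0      Permanent
00:50:56:BD:32:92   172.16.116.9     29     240    Host
00:1D:E0:31:55:23   172.16.116.185   29     116    Client
"""
ARP_AFTER = """\
    MAC Address        IP Address     Port   VLAN   Type
00:50:56:BD:32:92   172.16.240.9     29     240    Host
00:1E:4A:FA:87:8B   172.16.102.12    29     0      Permanent
00:50:56:BD:32:92   172.16.116.9     29     116    Host
00:1D:E0:31:55:23   172.16.116.185   29     116    Client
"""

# One data row: colon-separated MAC, dotted IP, port, VLAN, entry type.
ROW_RE = re.compile(
    r"^(?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<port>\d+)\s+(?P<vlan>\d+)\s+(?P<type>\w+)\s*$", re.I)


def parse_arp(text):
    """Return {ip: (mac, vlan, type)}; header and blank lines are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows[m["ip"]] = (m["mac"].upper(), int(m["vlan"]), m["type"])
    return rows


def shared_mac_hosts(rows):
    """MACs that back more than one IP, as {mac: [(ip, vlan), ...]}.

    A multi-homed gateway with one MAC on two VLANs is exactly the setup
    the controller cannot keep straight, so these are the entries to watch.
    """
    by_mac = defaultdict(set)
    for ip, (mac, vlan, _) in rows.items():
        by_mac[mac].add((ip, vlan))
    return {mac: sorted(v) for mac, v in by_mac.items() if len(v) > 1}


def vlan_flips(before, after):
    """IPs whose recorded VLAN changed between two snapshots, as
    {ip: (old_vlan, new_vlan)}: the controller relearning the shared MAC
    on whichever VLAN it last heard it from."""
    return {ip: (before[ip][1], after[ip][1])
            for ip in before.keys() & after.keys()
            if before[ip][1] != after[ip][1]}


def mismatched_gateway_vlan(rows, gateways):
    """Given {gateway_ip: expected_vlan}, return {ip: (seen, expected)} for
    gateways the controller has filed under the wrong VLAN. While 172.16.116.9
    sits in VLAN 240, clients (and DHCP, which that host also serves) on the
    VLAN 116 SSID lose their way out."""
    return {ip: (rows[ip][1], want) for ip, want in gateways.items()
            if ip in rows and rows[ip][1] != want}


if __name__ == "__main__":
    before, after = parse_arp(ARP_BEFORE), parse_arp(ARP_AFTER)
    expected = {"172.16.116.9": 116, "172.16.240.9": 240}  # assumed gateway map
    print("shared MACs:", shared_mac_hosts(before))
    print("VLAN flips:", vlan_flips(before, after))
    print("wrong VLAN before ping:", mismatched_gateway_vlan(before, expected))
    print("wrong VLAN after ping: ", mismatched_gateway_vlan(after, expected))
```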

  • 802.1x multiple sessions with same LOGIN+MAC on single-host port

    We have 802.1x with radius server.
    c2960 configured to allow only one device per port with no Mac-Bypass and no critical auth.
    From time to time user seems to get multiple authentications on single port with single mac-address.
    So we get several sessions on port with the same login, mac (but different session-id).
    Command "dot1x re-auth int" doesn't clear those sessions. Neither does "force-unauthorized" or "shut/noshut". The only thing that helps is rebooting the switch.
    Happens with different users.
    Anybody seen this issue?
    IOS 12.2(46)SE

    Sure. Tried to make it short.
    Config for 802.1x-aaa:
    aaa new-model
    aaa group server radius default
      server X.X.X.X auth-port 12345 acct-port 12346
    aaa authentication login default group radius enable
    aaa authentication dot1x default group radius
    aaa authorization exec default group radius if-authenticated
    aaa authorization network default local group radius
    aaa authorization reverse-access default group radius
    aaa accounting suppress null-username
    aaa accounting update periodic 1
    aaa accounting dot1x default start-stop group radius
    aaa accounting exec default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa accounting system default start-stop group radius
    aaa session-id common
    dot1x system-auth-control
    interface FastEthernet0/48
    switchport access vlan 1398
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x violation-mode shutdown
    spanning-tree portfast
    spanning-tree link-type point-to-point
    radius-server attribute 44 include-in-access-req
    radius-server attribute 44 extend-with-addr
    radius-server attribute 188 format non-standard
    radius-server attribute 218 mandatory
    radius-server attribute 32 include-in-accounting-req format %i %h %d
    radius-server attribute 55 include-in-acct-req
    radius-server attribute list att
    attribute 30-31,44
    radius-server host X.X.X.X auth-port 12345 acct-port 12346 key keykeykey
    radius-server vsa send accounting
    sh dot1x int fa 0/48 det
    Dot1x Info for FastEthernet0/48
    PAE                       = AUTHENTICATOR
    PortControl               = AUTO
    ControlDirection          = Both
    HostMode                  = SINGLE_HOST
    Violation Mode            = SHUTDOWN
    ReAuthentication          = Disabled
    QuietPeriod               = 60
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthPeriod              = 3600 (Locally configured)
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 30
    RateLimitPeriod           = 0
    Dot1x Authenticator Client List Empty
    Port Status               = UNAUTHORIZED
    And right now, while port is UNAUTHORIZED we have 2 sessions as follows:
    sh aaa user all
    Unique id 34974 is currently in use.
    Accounting:
      log=0x208241
      Events recorded :
        CALL START
        ATTR REPLACE
        NET UP
        INTERIM START
        VPDN NET UP
      update method(s) :
        PERIODIC
      update interval = 60
      Outstanding Stop Records : 0
      Dynamic attribute list:
        0244DC34 0 00000001 connect-progress(44) 4 Auth Open
        0244DC48 0 00000001 pre-session-time(272) 4 0(0)
        0244DC5C 0 00000001 elapsed_time(339) 4 4828941(49AF0D)
        0244DC70 0 00000001 input-giga-words(111) 4 2(2)
        0244DC84 0 00000001 output-giga-words(250) 4 8(8)
        024A8C10 0 00000001 bytes_in(112) 4 119041621(7186E55)
        024A8C24 0 00000001 bytes_out(252) 4 3588031221(D5DD02F5)
        024A8C38 0 00000001 pre-bytes-in(268) 4 7373(1CCD)
        024A8C4C 0 00000001 pre-bytes-out(269) 4 8204(200C)
        024A8C60 0 00000001 paks_in(113) 4 45940138(2BCFDAA)
        024A8CB0 0 00000001 paks_out(253) 4 46979788(2CCDACC)
        024A8CC4 0 00000001 pre-paks-in(270) 4 68(44)
        024A8CD8 0 00000001 pre-paks-out(271) 4 61(3D)
      No data for type EXEC
      No data for type CONN
      NET: Username=(n/a)
        Session Id=000088AD Unique Id=0000889E
        Start Sent=0 Stop Only=N
        stop_has_been_sent=N
        Method List=0
        Attribute list:
          024CAA00 0 00000001 session-id(336) 4 34989(88AD)
          024CAA14 0 00000001 start_time(342) 4 Jan 23 2012 16:22:08
      No data for type CMD
      No data for type SYSTEM
      No data for type RM CALL
      No data for type RM VPDN
      No data for type AUTH PROXY
      8: Username=157102
        Session Id=000088AD Unique Id=0000889E
        Start Sent=1 Stop Only=N
        stop_has_been_sent=N
        Method List=226B3E4 : Name = default
        Attribute list:
          0244DB94 0 00000001 session-id(336) 4 34989(88AD)
          0244DBA8 0 00000001 start_time(342) 4 Jan 23 2012 16:22:08
          0244DBBC 0 00000009 audit-session-id(599) 24 0AC5010200001C45A5C67429
      No data for type IPSEC-TUNNEL
      No data for type RESOURCE
      No data for type 11
      No data for type 12
      No data for type CALL
      No data for type VPDN-TUNNEL
      No data for type VPDN-TUNNEL-LINK
    Debg: No data available
    Radi: 2032FD8
    Interface:
      TTY Num = -1
      Stop Received = 0
      Byte/Packet Counts till Call Start:
        Start Bytes In = 993512241     Start Bytes Out = 3867828098
        Start Paks  In = 23586320      Start Paks  Out = 28511581
      Byte/Packet Counts till Service Up:
        Pre Bytes In = 993519614     Pre Bytes Out = 3867836302
        Pre Paks  In = 23586388      Pre Paks  Out = 28511642
      Cumulative Byte/Packet Counts :
        Bytes In = 1112561235    Bytes Out = 3160900227
        Paks  In = 69526526      Paks  Out = 75491430
      StartTime = 16:22:08 GMT+5 Jan 23 2012
      AuthenTime = 16:22:08 GMT+5 Jan 23 2012
      Component = DOT1X
    Authen: service=8021X type=EAP method=RADIUS
    Kerb: No data available
    Meth: No data available
    PreA: No data available
    General:
      Unique Id = 0000889E
      Session Id = 000088AD
      Attribute List:
        024A8C10 0 00000001 port-type(174) 4 Ethernet
        024A8C24 0 00000009 interface(170) 16 FastEthernet0/48
        024A8C38 0 00000009 dnis(50) 17 00-18-B9-F5-5B-30
        024A8C4C 0 00000009 clid(37) 17 48-5B-39-EA-26-7C
    PerU: No data available
    Unique id 34976 is currently in use.
    Accounting:
      log=0x10000208241
      Events recorded :
        CALL START
        ATTR REPLACE
        NET UP
        INTERIM START
        VPDN NET UP
        SESSION INFO
      update method(s) :
        PERIODIC
      update interval = 60
      Outstanding Stop Records : 0
      Dynamic attribute list:
        024CAA00 0 00000001 connect-progress(44) 4 Auth Open
        024CAA14 0 00000001 pre-session-time(272) 4 2(2)
        024CAA28 0 00000001 elapsed_time(339) 4 4828961(49AF21)
        024CAA3C 0 00000001 input-giga-words(111) 4 2(2)
        024CAA50 0 00000001 output-giga-words(250) 4 8(8)
        024CAAA0 0 00000001 bytes_in(112) 4 119021816(71820F8)
        024CAAB4 0 00000001 bytes_out(252) 4 3588011179(D5DCB4AB)
        024CAAC8 0 00000001 pre-bytes-in(268) 4 6219(184B)
        024CAADC 0 00000001 pre-bytes-out(269) 4 7005(1B5D)
        024CAAF0 0 00000001 paks_in(113) 4 45939933(2BCFCDD)
        0244DB94 0 00000001 paks_out(253) 4 46979618(2CCDA22)
        0244DBA8 0 00000001 pre-paks-in(270) 4 59(3B)
        0244DBBC 0 00000001 pre-paks-out(271) 4 51(33)
      No data for type EXEC
      No data for type CONN
      NET: Username=(n/a)
        Session Id=000088AF Unique Id=000088A0
        Start Sent=0 Stop Only=N
        stop_has_been_sent=N
        Method List=0
        Attribute list:
          024A8C10 0 00000001 session-id(336) 4 34991(88AF)
          024A8C24 0 00000001 start_time(342) 4 Jan 23 2012 16:22:18
      No data for type CMD
      No data for type SYSTEM
      No data for type RM CALL
      No data for type RM VPDN
      No data for type AUTH PROXY
      8: Username=157102
        Session Id=000088AF Unique Id=000088A0
        Start Sent=1 Stop Only=N
        stop_has_been_sent=N
        Method List=226B3E4 : Name = default
        Attribute list:
          024CAA00 0 00000001 session-id(336) 4 34991(88AF)
          024CAA14 0 00000001 start_time(342) 4 Jan 23 2012 16:22:18
          024CAA28 0 00000009 audit-session-id(599) 24 0AC5010200001C49A5C6990F
      No data for type IPSEC-TUNNEL
      No data for type RESOURCE
      No data for type 11
      No data for type 12
      No data for type CALL
      No data for type VPDN-TUNNEL
      No data for type VPDN-TUNNEL-LINK
    Debg: No data available
    Radi: 2032F58
    Interface:
      TTY Num = -1
      Stop Received = 0
      Byte/Packet Counts till Call Start:
        Start Bytes In = 993533200     Start Bytes Out = 3867849339
        Start Paks  In = 23586534      Start Paks  Out = 28511761
      Byte/Packet Counts till Service Up:
        Pre Bytes In = 993539419     Pre Bytes Out = 3867856344
        Pre Paks  In = 23586593      Pre Paks  Out = 28511812
      Cumulative Byte/Packet Counts :
        Bytes In = 1112561235    Bytes Out = 3160900227
        Paks  In = 69526526      Paks  Out = 75491430
      StartTime = 16:22:18 GMT+5 Jan 23 2012
      AuthenTime = 16:22:19 GMT+5 Jan 23 2012
      Component = DOT1X
    Authen: service=8021X type=EAP method=RADIUS
    Kerb: No data available
    Meth: No data available
    PreA: No data available
    General:
      Unique Id = 000088A0
      Session Id = 000088AF
      Attribute List:
        0244DB94 0 00000001 port-type(174) 4 Ethernet
        0244DBA8 0 00000009 interface(170) 16 FastEthernet0/48
        0244DBBC 0 00000009 dnis(50) 17 00-18-B9-F5-5B-30
        0244DBD0 0 00000009 clid(37) 17 48-5B-39-EA-26-7C
    PerU: No data available
    PS: I have no "show authentication" command.

  • Multi-MAC Address to One IP Attack?

    I had posted something earlier but have more information.
    Earlier I asked if you could have multiple IP addresses mapped to the same MAC-Address in the ARP table.
    Based on wire captures I have found that it is no problem for the WGB1310 or for the Cisco 6500 to have this. However, I am hearing that there is a special security feature in the WiSM or WLC that sees this as an attempted ATTACK on the network.  I would see a ping come through the 6500, over the wireless network and hit my virtual IP address and I would see the virtual IP address respond.  However, the response did not make it back to the sending PC because of this issue.
    And so now my application fails.
    Does anyone know of this feature or if I can disable it on the WiSM?  This is crushing my deployment.

    Ok, an update on this.
    I have a layer 3 switch on every train.
    I am thinking I can just keep the 1310 in WGB mode near my end user and keep the other 1310 in AP mode for the link back to the WiSM, plug the Ethernet interface of my WGB into the layer 3 switch, and then on the other side of the switch I will have a /28 network.
    On the WLC/WiSM I would then create a static route for each /28 to the external interface (by which I mean the interface on the same subnet as the WLC) of the layer 3 switch.
    I think I would also have to create a static route on the 6500 for these networks as well since it needs to know that they exist on the other side of the WiSM.
    Make sense?
    Can't wait to test it out.
    James
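The condition the poster describes, several IP addresses behind one hardware address in the upstream ARP table, is worth confirming from a `show ip arp` dump before touching anything on the controller. The following Python script is an added example, not code from the thread: it parses a constructed sample in IOS `show ip arp` format and lists every MAC that answers for more than one IP, which is exactly what a workgroup bridge or a host running virtual IPs looks like from the 6500. For reference, the controller-side check the poster is asking about is the AireOS IP-MAC address binding feature (toggled with `config network ip-mac-binding`); that command is taken from Cisco's documentation, not from this thread, and since disabling it gives up a protection against wireless clients spoofing each other's addresses, the routed design the poster settles on is the better fix.

```python
import re
from collections import defaultdict

# Constructed sample in IOS "show ip arp" format (not taken from the thread).
# Three addresses share one hardware address; one entry is unresolved.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.6.1               -   0000.0c07.ac06  ARPA   Vlan6
Internet  10.10.6.20              3   0000.0c11.2233  ARPA   Vlan6
Internet  10.10.6.21              3   0000.0c11.2233  ARPA   Vlan6
Internet  10.10.6.22              5   0000.0c11.2233  ARPA   Vlan6
Internet  10.10.6.40             12   0000.0c44.5566  ARPA   Vlan6
Internet  10.10.7.9               0   Incomplete      ARPA
"""

# One resolved or unresolved row; the interface column is absent on Incomplete rows.
ARP_ROW = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}|Incomplete)\s+"
    r"(?P<type>\S+)(?:\s+(?P<iface>\S+))?\s*$",
    re.IGNORECASE,
)


def parse_arp(text):
    """Return (ip, mac, iface) tuples for resolved entries; header and Incomplete rows are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if not m or m.group("mac").lower() == "incomplete":
            continue
        entries.append((m.group("ip"), m.group("mac").lower(), m.group("iface") or ""))
    return entries


def ips_per_mac(entries):
    """Map each MAC to the list of IPs bound to it, sorted numerically by octet."""
    table = defaultdict(set)
    for ip, mac, _ in entries:
        table[mac].add(ip)
    return {
        mac: sorted(ips, key=lambda s: tuple(int(o) for o in s.split(".")))
        for mac, ips in table.items()
    }


def shared_macs(entries, min_ips=2):
    """MACs answering for at least min_ips addresses: the pattern a one-IP-per-MAC check rejects."""
    return {mac: ips for mac, ips in ips_per_mac(entries).items() if len(ips) >= min_ips}


if __name__ == "__main__":
    for mac, ips in shared_macs(parse_arp(SAMPLE_ARP)).items():
        print(f"{mac} answers for {len(ips)} addresses: {', '.join(ips)}")
```

Paste real `show ip arp` output in place of the sample; any MAC the script reports is one the controller's binding check will see as a single client claiming several IPs.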

  • WiSM-A and -B communication problem

    I am deploying a 6509-WiSM with 120 x 1130 APs running 4.1.181.0. Both controllers (A and B) are configured in LWAPP Layer 3 mode with the same mobility and RF domain. The APs use DHCP to obtain their IP through option 43. All APs register only to WiSM-B and none go to WiSM-A. I even tried configuring the Primary and Secondary Controller with WiSM-A only and the APs are still registering to WiSM-B only. Any advice would be greatly appreciated.

    Hi Chris,
    Since I restarted both controllers this morning, here are the only messages that show up in the log. There should be more than that as far as I am concerned.
    Aug 24 15:20:39.932 hwutils.c:2159 INIT-0-MSGTAG007: Security Module not found.
    Aug 24 15:20:39.161 bootos.c:874 INIT-0-MSGTAG001: Starting code...
    We are also looking at the ARP table on the default gateway and there is a MAC that is not making sense. On the WiSM-A ap-manager interface, the MAC shows up as 001b.243d.a9f6, which is a Quanta Computer MAC, but it should be showing as a Cisco one. Will let you know.
    Any thoughts?
    Thanks

  • WiSM - Mobility Group - Control Path Down

    I have 2 WiSMs with 4 WLCs. Each WLC is in the same subnet. I have set up the mobility group using the virtual interface MAC address. I get a Control Path Down message for any WLC on another WiSM, e.g.:
    From controller 10.x.x.1 on WiSM 1, 10.x.x.1 and 10.x.x.2 (on WiSM 1) show as UP in mobility groups, but 10.x.x.3 and 10.x.x.4 (on WiSM 2) show Control Path Down.
    I have tried setting them up using the management interface MAC address but when I click apply it says there is a problem creating the member with MAC (MAC address of the controller I am on).
    Any suggestions?

    It should be the management interface MAC, which ends with zero.
    Either:
    WLC >> Controller >> Interfaces >> Management >> MAC address
    or:
    WLC >> Controller >> Interfaces >> Management >> Inventory >> MAC Address
    Regards
    Surendra

  • WiSM PortChannel Issue?

    I'm running a WiSM on a 6504E using supervisor code s72033-ipservices_wan-mz.122-33.SXI2.bin. When I add a statement configuring the allowed VLANs on the WiSMs, I get the following errors:
    *Aug 5 16:56:35.202: %EC-SP-5-CANNOT_BUNDLE2: Gi2/6 is not compatible with Po404 and will be suspended (trunk mode of Gi2/6 is dynamic, Po404 is trunk)
    *Aug 5 16:56:35.826: %EC-SP-5-CANNOT_BUNDLE2: Gi2/5 is not compatible with Gi2/7 and will be suspended (trunk mode of Gi2/5 is trunk, Gi2/7 is dynamic)
    *Aug 5 16:56:36.138: %EC-SP-5-CANNOT_BUNDLE2: Gi2/6 is not compatible with Gi2/8 and will be suspended (trunk mode of Gi2/6 is trunk, Gi2/8 is dynamic)
    Keep in mind that I don't have the option to configure these gigabit interfaces as they are auto-provisioned by the version of code being run on the switch.
    Here are some show commands that may be of interest:
    ###-###-mdf#sh etherchannel summary
    Flags:  D - down        P - bundled in port-channel
            I - stand-alone s - suspended
            H - Hot-standby (LACP only)
            R - Layer3      S - Layer2
            U - in use      N - not in use, no aggregation
            f - failed to allocate aggregator
            M - not in use, no aggregation due to minimum links not met
            m - not in use, port not aggregated due to minimum links not met
            u - unsuitable for bundling
            d - default port
            w - waiting to be aggregated
    Number of channel-groups in use: 2
    Number of aggregators:           2
    Group  Port-channel  Protocol    Ports
    ------+-------------+-----------+-----------------------------------------------
    403    Po403(SU)        -        Gi2/1(P)    Gi2/2(P)    Gi2/3(P)
                                     Gi2/4(P)
    404    Po404(SU)        -        Gi2/5(P)    Gi2/6(P)    Gi2/7(P)
                                     Gi2/8(P)
    ###-###-mdf#show wism status
    Service Vlan : 3015, Service IP Subnet : 10.139.255.1/255.255.255.0
     WLAN
    Slot  Controller  Service IP       Management IP    SW Version   Status
    ----+-----------+----------------+----------------+-----------+---------------
     2    1           0.0.0.0          10.137.139.2     5.2.178.0    Service Port Up
     2    2           0.0.0.0          10.137.139.4     5.2.178.0    Service Port Up
    ###-###-mdf#show etherchannel load-balance
    EtherChannel Load-Balancing Configuration:
    src-dst-ip
    mpls label-ip
    EtherChannel Load-Balancing Addresses Used Per-Protocol:
    Non-IP: Source XOR Destination MAC address
    IPv4: Source XOR Destination IP address
    IPv6: Source XOR Destination IP address
    MPLS: Label or IP

    Do you have QoS enabled globally? This was an issue with IOS a while back, but it should be fine in SXI.
    how6506A#sh ver
    Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(33)SXI1, RELEASE SOFTWARE (fc3)
    Maybe they broke it again in SXI2.
    show6506A#sh mls qos
    QoS is enabled globally
    Policy marking depends on port_trust
    QoS ip packet dscp rewrite enabled globally
    Input mode for GRE Tunnel is Pipe mode
    Input mode for MPLS is Pipe mode
    QoS Trust state is CoS on the following interface:
    Gi4/1 Gi4/2 Gi4/3 Gi4/4 Gi4/5 Gi4/6 Gi4/7 Gi4/8 Po407 Po408
    Vlan or Portchannel(Multi-Earl) policies supported: Yes
    Egress policies supported: Yes
    The ports listed in the above command are my WiSM ports.
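The three %EC-SP-5-CANNOT_BUNDLE2 lines quoted above carry everything needed to see which member ports were suspended and which attribute disagreed. The Python below is an added example, not code from the thread: it parses a constructed copy of those syslog lines (plus one unrelated message to show that it is ignored), pulls out the suspended member, its peer and the mismatched attribute, and flags any port that is reported with more than one value for the same attribute. Run over the poster's lines it shows that Gi2/6 is reported as "dynamic" at 16:56:35.202 and as "trunk" at 16:56:36.138, i.e. the port's trunk mode was still changing while the supervisor evaluated the bundle, which is consistent with the auto-provisioning the poster mentions.

```python
import re
from collections import defaultdict

# Constructed copy of the syslog lines quoted in the thread, plus one
# unrelated line so the parser's filtering is visible.
SAMPLE_LOG = """\
*Aug 5 16:56:35.202: %EC-SP-5-CANNOT_BUNDLE2: Gi2/6 is not compatible with Po404 and will be suspended (trunk mode of Gi2/6 is dynamic, Po404 is trunk)
*Aug 5 16:56:35.826: %EC-SP-5-CANNOT_BUNDLE2: Gi2/5 is not compatible with Gi2/7 and will be suspended (trunk mode of Gi2/5 is trunk, Gi2/7 is dynamic)
*Aug 5 16:56:36.138: %EC-SP-5-CANNOT_BUNDLE2: Gi2/6 is not compatible with Gi2/8 and will be suspended (trunk mode of Gi2/6 is trunk, Gi2/8 is dynamic)
*Aug 5 16:56:40.001: %LINK-3-UPDOWN: Interface GigabitEthernet2/6, changed state to down
"""

# "<member> is not compatible with <peer> ... (<attr> of <a> is <aval>, <b> is <bval>)"
BUNDLE_MSG = re.compile(
    r"%EC-(?:SP-)?5-CANNOT_BUNDLE2: (?P<member>\S+) is not compatible with (?P<peer>\S+) "
    r"and will be suspended \((?P<attr>.+?) of (?P<a>\S+) is (?P<aval>[^,]+), "
    r"(?P<b>\S+) is (?P<bval>.+)\)"
)


def parse_bundle_failures(text):
    """One dict per CANNOT_BUNDLE2 line: suspended member, peer, attribute and both values."""
    events = []
    for line in text.splitlines():
        m = BUNDLE_MSG.search(line)
        if not m:
            continue
        d = m.groupdict()
        # The message may list member and peer in either order; key the values by port.
        values = {d["a"]: d["aval"].strip(), d["b"]: d["bval"].strip()}
        events.append({
            "member": d["member"],
            "peer": d["peer"],
            "attribute": d["attr"],
            "member_value": values.get(d["member"]),
            "peer_value": values.get(d["peer"]),
        })
    return events


def suspended_members(events):
    """Set of member ports the switch removed from their bundle."""
    return {e["member"] for e in events}


def observed_values(events):
    """attribute -> {port: sorted list of values reported for that port}."""
    seen = defaultdict(lambda: defaultdict(set))
    for e in events:
        seen[e["attribute"]][e["member"]].add(e["member_value"])
        seen[e["attribute"]][e["peer"]].add(e["peer_value"])
    return {attr: {port: sorted(v) for port, v in ports.items()} for attr, ports in seen.items()}


def flapping_ports(events):
    """Ports reported with more than one value for the same attribute within the log window."""
    return {
        port
        for ports in observed_values(events).values()
        for port, vals in ports.items()
        if len(vals) > 1
    }


if __name__ == "__main__":
    evs = parse_bundle_failures(SAMPLE_LOG)
    print("suspended:", sorted(suspended_members(evs)))
    for attr, ports in observed_values(evs).items():
        print(attr + ":", dict(ports))
    print("changing during evaluation:", sorted(flapping_ports(evs)))
```

Feed it the output of `show logging` after reapplying the allowed-VLAN statement; a port that appears in the flapping set is one whose mode the supervisor was still rewriting, so the mismatch is transient rather than a fixed configuration difference between members.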
