WLC 4400 and user authentication

I would like to know if it's possible to configure/use WLC4400 to authenticate user from LDAP database. Currently I have LDAP server with VPN 3020 box to control user access for WLAN. Is there any way that I could set up 4400 box with my existing LDAP server without using VPN 3020?
Thanks in advance.

You'll need a radius middle man. ACS will do it natively.

Similar Messages

  • WLC 4400 and multiple authentication servers e.g. RADIUS, ACS

    WLC 4400 and multiple authentication servers e.g. RADIUS, ACS
    Can the WCL 4400 be set up to use multiple RADIUS servers? The user accounts for accessing wireless would use a RADIUS server. The administrative accounts for the WLC would reside on an ACS server.

    Yes, that is correct. You can set acs to use both radius and tacacs.
    For this you need to add WLC twice in acs-->network configuration. But you need to keep host name different.
    eg 1) Host name WLC --->IP x.x.x.x -->Auth using -->radius
    2) Host name WLC1--->IP x.x.x.x --->Auth using -->Tacacs.
    You need to set up tacacs commands on WLC along with radius commands.
    Regards,
    ~JG
    Please rate helpful posts

  • Machine Authentication and User Authentication with ACS v5.1... how?

    Hi!
    I'm having trouble setting up Machine Authentication and User Authentication on ACS v5.1 using WinXP SP3 (or SP2) as supplicant.
    This is the goal:
    On wireless (preferably on wired too) networks, get the WinXP to machine authenticate against AD using certificates so the machine is possible to reach via for example ping, and it can also get GPO Updates.
    Then, when the user actually logs in, I need User Authentication, so we can run startup scripts, map the Home Directory and so on.
    I have set up a Windows Sertificate server, and the client (WinXP) are recieving both machine and user certificates just fine.
    I have also managed to set up so Machine Authenticaton works, by setting up a policy rule that checks on certificate only:
    "Certificate Dictionary:Common Name contains .admin.testdomain.lan"
    But to achieve that, I had to set EAP Type in WinXP to Smart Card or other Certificate, and then no PEAP authentication occurs, which I assume I need for User Authentication? Or is that possible by using Certificates too?
    I just don't know how to do this, so is there a detailed guide out there for this? I would assume that this is something that all administrators using wireless and WinXP would like to achieve.
    Thank you.

    Hello again.
    I found out how to do this now..
    What I needed to do was to add a new Certificate Authentication Profile that checks against Subject Alternative Name, because that was the only thing I could find that was the same in both user certificate and machine certificate.
    After adding that profile to the Identity Store Sequences, and making tthe appropriate rule in the policy, it works.
    You must also remember to change the AuthMode option in Windows XP Registry to "1".
    What I really wanted to do was to use the "Was Machine Authenticated" condition in the policies, but I have never gotten that conditon to work, unfortunately.
    That would have plugged a few security holes for me.

  • WLC 4400 and IDS attacks

    Hi,
    I have a WLC 4400 and a WCS 5.2. I'm receiving alarm about flood atacks and desauthentication attacks from a client. These alarms are detected by the IDS system. I'd like to know if there are any way to block this client.
    Thanks a lot.

    Thanks Sschmidt,
    I saw this solution. The problem it's that i must create an entry by any client. If there are any client that capture the wpa key and after chage his mac i couldn't block them. Is that correct? I don't know how easily it's capture authenticantion packets with a WLC.
    Thanks

  • WLC 4400 and WLC 5500

    We have a site with a WLC 4400 and we would like to setup a Controller failover. The WLC 4400 is EOS/EOL and the replacement available is WLC 5508. Can someone advice me on how to configure these units in Primary /Secondary mode so that if any of the Controllers fail, the other one can take over?
    Thanks,

    Hi Akil,
    You are most welcome
    Yes, you can configure 4400's and 5500's in a redundant configuration, but both should be runningthe
    same code version. I believe the latest version that is compatible for both is 7.0.220.0. 
    this is the last version that supports the 4400 series.
    Here's a note that reflects the support;
    Note
    Controllers  do not have to be of the same model to be a member of a mobility group.  Mobility groups can be comprised of any combination of controller  platforms.
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mobil.html
    Cheers!
    Rob
    "Show a little faith, there's magic in the night" - Springsteen

  • Is it possible to do machine and user authentication in same Authorization profile?

    Hi,
    I want to know is it possible to do machine authenticaiton and user authentication happen at the same time? Some thing like this...
    Condition
    IF ( wired_802.1x and AD:externalgroup EQUAL dommain computer AND    AD:exteranalgroup EQUAL Some_domain_user_group )
    Permissions
    then Vlan x
    Basically i am trying to check a machine is part of domain and user is valid only then he should be able to have full access.
    Any help will be of great value.

    Hi,
    IF ( wired_802.1x and AD:externalgroup EQUAL dommain computer AND    AD:exteranalgroup EQUAL Some_domain_user_group )
    - Not possible
    As user and machine authentication occur at different contexts.
    ACS cannot verify the both at the same time.
    Using MAR, you can, though club the both together and achieve:
    "machine is part of domain and user is valid only then he should be able to have full access"
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1235978
    Tips for configuring MAR:
    1) Set the client to perform user or computer authentication.
    2) Create two rules in authorization, one for user and and one for machine (identity them by using group membership on AD).
    3) Enable MAR under the AD configuration page on ACS and set the aging time.
    4) In the user rule, customize and use the condition "Was machine authenticated" and set it to true.
    Rate if useful

  • WLC 4400 and IDS/IPS

    One of my clients is keen to know the IDS/IPS capabilities with WLC 4400. Any hints? Also can anyone explain IDS sensor to me? Thank you.

    There are a number of IDS capabilities that are highlighted regarding the WLC. Unfortunately, you will find that the product continues to suffer from ongoing false positives and a severe lack of documentation (and support) for the IDS.
    For example, if you utilize containment against a rogue AP (which is used to prevent users from attaching to the rogue), the system detects its own containment messages as a denial of service attack. The system is not intelligent enough to know that it is the source of these messages and ignore them.
    Initially, Cisco flagged these false positive as "cosmetic" and claimed that to fix them required a "feature request that must be run through the Cisco sales team" which we did in the spring of 07. Cisco has be VERY slow in coming around on getting these fixed (it has been well over a year since these have been documented and they are still not resolved in the current version of 4.2).
    The Wireless IDS system is also famous for other false alarms which Cisco TAC has linked to alarming on normal behavior when a client goes out of range and a string of deauthentication messages is sent to make sure that the conversation has ended. The WLC 4.2 continues to flag these as false-positive denial-of-service attacks even though the IDS parameters could be adjusted (from the factory) to account for the known 64 repeated deauths that are sent.
    The IDS file is capable of "tuning" but the parameters are very lightly documented. In fact, the IDS parameter file itself had the least sparse version of documentation and it is a text file only 200-lines long.
    In terms of determining if a rogue AP is on-wire. This functionality does not work reliably (not just if there is no path on the wired network to the controller which is understandable) but even if the rogue AP is on the same subnet as the controller. It just plain does not work.
    If you are attempting to determine if there are clients on the rogue AP, this mechanism works with limited success since the AP has to catch the client attaching during its brief scan interval. This results in misleading information.
    There are other false alarms that appear to be related to a specific chipset (using the OUI / first octet of the MAC address). However, there has been very little movement on Cisco's part in getting resolution to getting these anomalies addressed. The basic attitude has been "if we didn't see it in our lab in San Jose when we wrote the code, there's nothing we can do". Since the IDS lacks any ability to "phone home" (sending the alarms it is seeing to the development team) they end up having to develop in a relatively limited environment.
    For more information, please reference the following:
    Wireless LAN Controller IDS Signature Parameters
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008063e5d0.shtml
    I would send you the link to some of the bugs, such as CSCsj06015, CSCsh35010, CSCsk60655, etc. but the Cisco bug tool ( http://tools.cisco.com/Support/BugToolKit/ )is currently not working (no doubt the system is getting overworked). Maybe the site will be up when you read this.
    In the interest of fairness, there have been efforts over the past year by Cisco to address these false alarms and a number of them appear to finally be resolved.
    Bottom line: In my opinion, the wireless IDS is still not ready for prime time. To quote my customer, "I just can't trust it". Unless you set your customer's expectations fairly low, you will both end up disappointed.
    That said, the product itself still has many compelling reasons to implement it including ease of installation and management. If you are willing to wade through the various bugs in the IDS and WCS it still is the best game in town.
    - John

  • Machine and User authentication with ISE 1.2.1

    Hi ,
    Can any one tell me in machine authentication what access need to be enable DACL for machine logon?
    Can we enable the access on port level ? direct to tcp/udp or ip level what is the best practice.
    Thanks 
    Pranav

    is this what you are looking for EAP Chaining which uses a machine certificate or a machine username / password locked to the device through the Microsoft domain enrollment process. When the device boots, it is authenticated to the network using 802.1X. When the user logs onto the device, the session information from the machine authentication and the user credentials are sent up to the network as part of the same user authentication. The combination of the two indicates that the device belongs to the corporation and the user is an employee.
    http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

  • Problems with 802.1x MS PEAP machine and user authentication

    Using Microsoft PEAP 802.1x client on Windows XP SP2, if we enable machine authentication against a Windows Domain, the machine authentication is successful and the machine gets access to the network. However, when user logon occurs to the domain, contrary to the flow given in ACS and Windows documentation, no user authentication takes place.
    We need to differentiate user access based on their identities. We need machine authentication only to allow users access to the domain controller and also GP implementation.
    Any idea why user does not get prompted when they logon. 802.1x is configured in users profile and I have tried with both integrated and non-integrated with Domain logon (i.e. "use my windows logon name and password and domain (if any) option"
    There is no record of any identity request/response in ACS after the initial machine authentication (which appears in successful authentication log)
    We are using MS-CHAPv2.

    Update...The problem of cached credentials in MS PEAP does not occur if "enable logon using Windows username and password (and domain if any) is checked. Using this option, MS PEAP always uses logged on users most current credentials.
    However, using this option sends the username as "DOMAIN\USERNAME". Since we are using ACS internal database for user authentication (even though the ACS and Windows passwords are same - using an identity management system) ACS does not recognize the user.
    I have tried proxy distribution with prefix stripping but it does not seem to work when it is pointing to the same ACS server on which proxy distribution is configured and which receives the request.
    Any idea how the domain\ can be ignored by ACS?

  • Navigation handlers and user authentication

    I've implemented a system to force user logins based on the code demonstrated here: http://www.jsftutorials.net/jsfNavigation/jsf-login-navigation-redirect.html but I've come across a problem.
    It seems the navigation handler is called only when JSF needs to resolve the outcome of an action and this means that in certain cases a user can view a secure page without having to log in. For example, using the example app from the above link, if a user goes to the start page of the project and clicks on the command buttons to access the protected pages, they are re-directed to the login page as expected. However, if they go to the url of the protected page directly (eg http://localhost:8080/jsf-loginRedirect/secure/editUserProfile.jsf ) it still displays the page.
    Currently I've got a filter in place that re-directs the user to the login page of the web app if there isn't a valid user logged in, but as this runs outside a Faces context I can't track the user's requests.
    Is there some way I can force JSF to call the navigation handler for normal get requests?

    Chops,
    There are 2 things related to this issue,
    1. When the user goes out of the application, you must invalidate the session. So that the userid will not be present in the session.
    2. You can have a phase listener that checks for User Id in session, if the user id is empty, you can re-direct the user to login page. If user id is present automatically the control will go to the navigation rule page.
    Phase Listener will enforce the user authentication.
    Hope this logic helps you to solve the issue.
    Thanks
    Prakash

  • WLC 4400 and 5500 Fail-over

    Can we do the same thing with WCL 4400 and 5500 series for failover? We have 1 existing 4400 WLC and we wanted to purchase another 1 for fail-over as well as backup. But right now, 4400 is EOL already. The only option is to have the 5500 WLC.
    So if you do have previous set-up like this, so I would need your inputs.. Otherwise, same as usual, will gonna test to work this out.

    You can have both in a primary and backup, but make sure they are on the same code version. I'm assuming that you also have the configuration correct for the two wlc to communicate.
    I would put them both on the 7.0.220.0.
    Sent from Cisco Technical Support iPhone App

  • Preventive maintenance WLC 4400 and 5500?

    Hi good morning,
    i asking for help in order to make a preventive maintenance for WLC 4000 and 5500.
    the main problem is: can i open the WLC´s and clean all the circuits they have inside? or must i only cleaning out the WLC?
    And i would like to know if there are documentation about this topic.
    thanks.

    thanks
    I thought of opening the WLC, and use compressed air to remove dust only.
    but like you mention would be better not open it.
    Greetings

  • Cisco WLC Local Net user Authentication

    Hi,
    I have a Controller configured with local net users. Web policy with authentication has been configured for Layer 3 security. When the user tries to access the Wireless, they will be redirected to a web authentication screen, where they need to enter the pre-configured credentials to gain access.
    Now, the requirement is: users shall have to provide login credentials only upon initial access (one time) and shall not have to accept an Acceptable Use Agreement when their systems connect to the wireless network. The next time user tries, they should be provided access automatically.
    We have configured the following setting on Windows 7 client:
    1. Connect automatically when the network is in range is selected
    2. Please refer the attached screenshots for further configuration for Windows 7 Clients.
    On WLC: SSID --> Advanced Options --> We have disabled the “Enable Session Timeout” setting, but we still have "Client Exclusion" Enabled.
    When a computer is shutdown and brought back up within a few minutes the wireless credentials seem to stick, however, when the computer is shutdown for a period of overnight, the credentials are no longer cached and we have to re-authenticate to the wireless.
    Is this issue because of  "Client Exclusion" Enabled on the SSID/WLAN ?
    If not, can someone share the complete procedure to make sure that users local net user credentials will be cache.
    Thanks,
    Jagan

    Well you only can keep it connected for an x number of minutes. You will not be able to set it longer than a day. This means, I can't configure the WLC/Client to cache the credentials permanently? And everyday, they have to enter the credentials to access SSID?You can extend it up to 30 days, but you have to run v7.5.  After that, they will have to login again.Change the idle timer to about 2-4 hours and that should keep the client on the WLC DB. This will allow the client to go away for the number set and come back without having to login again. As you said, if I configure the WLC Idle Time for 2-4 hours, do the client have to provide credentials the next day when they access Wireless?Yes.  See my previous answerIs there any other way via which this can be achieved? (The limitation is : client should be authenticated only with the WLC.)If you are looking for clients to login once and then never again, the answer is no.  You have two choices, you can use the new v7.5 and use the sleeping client feature which gives you max of 720 hours (30 days), or you use th eidle timer and after the idle timer expires, the user will have to login.Thanks,Jagan
    Thanks,
    Scott
    Help out other by using the rating system and marking answered questions as "Answered"

  • J2EE and user authentication not working

    Hi,
    has anyone gotten the basic/form based authentication to
    work in the latest version of the 9iAS?
    Oracle9iAS (9.0.2.0.0)
    I've read all the posts and articles from orionsupport.com
    BUT it still does not work.
    Support Folks from ORacle: Where is the latest documentation
    for the Server ???? Everything seems outdated??
    cheers,
    Vijay

    Hi,
    You can change User and password through SU01 through UME. and also read SNote:  Note 891614 - Login problems / Expired password
    Regards
    Thomas

  • WLC 4400 and RADIUS accounting

    Have trawled what docs there are and cant find out if the RADIUS accounting messages from the 4400 include the name of the lightweight AP handling the user session.
    I'm guessing there might be a new Cisco VSA for it.
    Anyone know?
    Thanks

    The error message could be because of any unused protocol.

Maybe you are looking for

  • None of the cross tabs are being exported to Excel

    Hi All, I am experiencing a strange problem of export failing when any of the cross tab is exported. It comes out with a message, "An error occurred while trying to export the Worksheet. (Export failed.) " This is occuring in Plus and Viewer. But All

  • Mac Mail doesn't (always) find BCC of Sent messages

    The MacMail search/Find feature does always display messages when searching for the bcc email address of sent messages. It finds some, not others. I've spent some time on this but don't see any simple explanation. I wondered if it was related the for

  • Connect Iphone to car radio system

    I try to find a way to connect my Iphone to my car radio. I wan to listen my mp3 and use my phone with the car radio system. annuaire et actualité

  • ORACLE_HOME of 11g on Linux/Unix

    Hi, is default ORACLE_HOME of 11g on Linux/Unix as follows : /softwares/app/Administrator/product/11.1.0/db_1 Thanks and regards.

  • Best-practice on naming dimensions to match Oracle data source

    Hi all, I have a DW that will consist of a number of Oracle datamarts and multiple Essbase hypercubes. Can anyone advise on the naming of dimension fields that I will want to federate with the Oracle datamarts in OBIEE I.e. Should they be the same na