WLC 4402 Web Authentication, Mac Filtering and Layer 2 Security

Hi All,
I have configured web authentication and MAC filtering on a WLC 4402 for my wireless network and it's working fine. I want to configure layer 2 security for the same wireless network without a pre-shared key. Could you please advise how to configure layer 2 security with web authentication without a pre-shared key?
Is there any security issue with web authentication and MAC filtering only? My concern is that my wireless network shows as open.
Thanks,
Kashif

Hi,
If you have an ACS, then you can do a Web auth splash page!!! Please refer to the doc below!!
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080956185.shtml
Lemme know if this answered your question!!
Regards
Surendra

Similar Messages

  • WLC 4400/Web Authentication and proxy autodiscovery

    We have a guest SSID where people authenticate via the built-in web authentication and RADIUS.
    We use proxy autodiscovery (WPAD, DHCP option 252) in our network and this works on the guest SSID, but only after the authenticated user closes and opens Internet Explorer. It seems that restarting Internet Explorer triggers the WPAD discovery process.
    My question is whether there is a smarter way to push proxy settings to guest users without user intervention. How did you solve this?
    Regards,
    Rutger

    The reason you need to restart IE is because the WLC will be blocking the initial discovery messages from IE to the proxy because the user won't have authenticated yet. When the user authenticates, closing / opening IE triggers the discovery messages through, which are now allowed to pass to the proxy.
    The most fool-proof way I've come across is to use Transparent URL Redirection. This is something you can set up on a PIX / ASA, but it requires a compatible WebProxy / WebFilter - I've used WebSense, but I believe other products should work too.
    Lots of documentation about how to achieve this via CCO.
    Regards,
    Richard

  • Aironet 600 with Mac Filtering and a switch..

    How does the Aironet 600 handle MAC filtering if I were to connect a switch to port 4 on the back ("Secured" network port)? Does it authenticate each MAC or does it do something similar to how 802.1x with multi-host works, where the first MAC authenticates and then the port's wide open? My use case here is a printer at a remote home office. The printer doesn't have a supplicant in it so I need to use MAC filtering. Thanks.

    MAC authentication is all I use for my OutStationed workers.  No wifi, just the rlan.  Since the rlan is configured for DHCP only, no IP gets passed until MAC auth occurs.
    When Cisco packaged this up, they said 4 is enough..  IF you use an un-managed (non-cisco) switch. 
    I had a need for 2 workstations and 2 digiports..  SOP says a managed switch..  oops.  The switch consumed 2 MACs right off the top.. 1 for itself and 1 for each vlan.
    After enabling 2 rlans, and configuring a pair on different networks, we discovered that they were bridged in the 602 (or somewhere).
    We ended up switching out the 602 for an ASA5505

  • Controller 4402 web authentication http instead of https?

    Hello,
    Does somebody know if it's possible to redirect to an http page instead of https when using web authentication, with WLC 4400 and AP 1000?
    Or how not to have the certificate message?
    thanks Gael

    Yes, I tried it. It does work, although there is a noticeable time lag until the cert warning pops up. Also, the controllers, as of ver 3.2.78.x, had only 30k space for text & images, thus limiting what can be displayed on the webauth page. It does allow for URL redirects though, but I am not sure whether it can parse HTML or not.

  • WLC 4402 RADIUS Authentication with IAS

    Hello
    I configured a WLAN with PEAP (CHAP v2) and RADIUS authentication to a Win 2003 IAS RADIUS server.
    On the controller 4402 the layer 2 security is set to WPA1+WPA2 with 802.1x authentication.
    The IAS server doesn't use the configured policy when an authentication request arrives.
    Is there an issue with special RADIUS attributes or configuration items on the IAS server?
    The following event appears in the Windows logs:
    User STANS\kaesmr was denied access.
    Fully-Qualified-User-Name = STANS\kaesmr
    NAS-IP-Address = 172.17.25.6
    NAS-Identifier = keynet-01
    Called-Station-Identifier = 00-18-74-FB-CA-20:keynet
    Calling-Station-Identifier = 00-16-CE-52-C8-EB
    Client-Friendly-Name = Wireless-Controller
    Client-IP-Address = 172.17.25.6
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 1
    Proxy-Policy-Name = Windows-Authentifizierung für alle Benutzer verwenden
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = <undetermined>
    Authentication-Type = Extension
    EAP-Type = <undetermined>
    Reason-Code = 21
    Reason = The request was rejected by a third-party extension DLL file.

    What I understand from your post is that the authentication is not handled by your IAS server. If I am correct, the problem might be with the "Allow AAA override" option disabled in your WLAN. If it is enabled, then the AAA server or your IAS server will override the security parameters set locally on the controller.
    So, first ensure whether "Allow AAA override" is enabled under Controller--->WLAN field.
    Also, check out the logs of the IAS server for obtaining more info on this.

  • WLC 4402 web auth Internal login page

    Hi,
    We recently upgraded our code on our wlc and now our internal web auth page has a nice teal colored L shaped bar in the right upper part of the screen.
    Is there a way to edit the internal web auth page other than just uploading a new bundle to the box?
    When I view the source of the preview page I can see the exact coding that is causing the issue.
    Thanks for any ideas.
    Code 4.1.185.0
    Craig

    The only way is to customize the code and then upload it to the WLC as a tar file. Of course, you will have to set the WLC to custom webauth and not internal webauth.

  • E1200 - Ports not working and mac filtering problem

    If there was a way to give negative stars to this router, I would. As it is, the minimum rating I can give this product is one star, and that's one star too many.
    I was upgrading from the WRT54G, which is an ugly thing to look at, but a reliable workhorse nonetheless. I turned that into a downstream switch in my comms hub.
    On the E1200, I flashed the latest firmware, used different Cat5 cables, and different laptops before committing to hating this product.
    The first time I reached out to Amazon, the Amazon rep gave me a Cisco number to call. Turns out, that's some shady mortgage refinance hotline. Try it for yourself! 1-800-666-1771.
    Now, the rant -
    1. Two out of four wired LAN ports don't work: What can be the fix for this?! The activity lights on ports 3 and 4 blink and suggest data transfer is taking place, but the wired laptop simply can't acquire an IP address and access the internet. Same result when I connect my Panasonic Blu-Ray player to ports 3 and 4. None of the Viera Cast features load.
    2. MAC filtering unreliable: The wireless routing works somewhat reliably, if and only if, one settles for the most basic security. If I only choose a password and WPA2 protocol, things work fine. If I add another layer of security (in my case, enabling MAC filtering and only PERMITTING gateway to listed MAC IDs), things break down. As soon as I disable MAC filtering, wireless access to authenticated clients is restored.
    3. Cisco customer service: The censored world we live in, compels me to criticize politely. TERRIBLE. Cisco website is unintuitive, and frustrating. There's no easy way to register your purchased product. The Cisco "registration" is intentionally misleading and deceptive. For all intents and purposes, it's just an information gathering tool for Cisco. Don't bother registering there, unless you love the idea of storing your personal information on their servers. Their phone-based customer service is apathetic and uninterested. My rep was so distrusting of my intelligence and motor control, that he simply wouldn't believe that I had selected "PERMIT" and not "PREVENT" as the option under MAC filtering. After he asked me the same question for the fourth time, I raised my voice, and he gave up the idea of checking for the fifth time.
    However, this review is a tale of two companies. I reached out to Amazon again. This time, I got a rockstar in the shape of Leanne C! She was incredibly helpful, and understanding. What's more, she set up my return without any hassle and this Cisco dud is on its way back. I'm a big fan of Leanne's and my confidence in Amazon is restored.
    I'm sure that I received a lemon. I've never had problems with Linksys products. Maybe others' experience is different from mine.

    In your case, as port numbers 1 and 2 do not work, what you could have done is a loopback test. To perform a loopback test you need to take an ethernet cable, connect one end of that cable to the internet port and the other end to the non-working port on the router. If you get the LED to glow on both the internet and the respective ethernet port, that indicates that the port is working fine.
    It could also be a synchronization issue between the above mentioned LAN ports and the LAN card of your computer. As a part of troubleshooting you can try to reduce the speed of your LAN card. Following are the steps to reduce the speed of your LAN card.
    START--> right-click My Network Places and click Properties
    right-click on the device manager and click properties
    Click on the CONFIGURE button
    Select the ADVANCED tab and in the box under the header property select "speed and duplex" and change the value on the right to 10 mbps half duplex. A restart would be recommended after performing these steps.
    In the second half you said that after enabling the MAC filter option the internet breaks down. Here, do you mean to say that the computer gets disconnected from the wireless network, or that it stays connected with a valid IP address but without an internet connection?
    Well, it is an unusual issue; however, you could have reset and reconfigured the router as you got the latest firmware upgraded on it.
    Steps to reset the router:
    Push the reset button on router for 30 seconds, turn off the router wait for 30 seconds and then power it on. Power light should blink when you perform the reset process.

  • Web Auth with Mac Filtering

    I am trying to set up a scenario where a user logs in via Web Auth and with a successful connection the MAC address is remembered for 7 days. That way, if the user connects again during the course of 7 days they aren't required to authenticate via web auth again; they just get access. After 7 days they will need to log in again through the web auth. Similar scenario to what you see at a hotel wireless network. Anyone know how I would go about setting up the dynamic MAC filtering and set the timer for 7 days? With that said, I want it to be for a single SSID.

    Well, it's not possible with just the WLC.
    You can do it, but you need to have a way to pull the MAC address from the webauth page, and insert that into an LDAP db, in which you control the age-out process.
    Then on subsequent visits they get mac-authed instead of having to re-accept the page.
    In the webauth config you would check the On MAC filter failure box.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered
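
The remember-then-age-out logic described in the answer above, as an added Python example (not from the original post and not WLC code). An in-memory dictionary stands in for the LDAP database, and the names `MacCache`, `remember`, `mac_auth` and `purge` are hypothetical; the MAC addresses used with it are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

REMEMBER_FOR = timedelta(days=7)  # age-out window asked for in the question


def normalize_mac(raw: str) -> str:
    """Return a MAC as lowercase colon-separated hex, or raise ValueError."""
    digits = re.sub(r"[-:.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacCache:
    """Hypothetical stand-in for the external store (LDAP in the answer)."""

    def __init__(self, ttl: timedelta = REMEMBER_FOR):
        self.ttl = ttl
        self._expiry = {}  # (ssid, mac) -> time at which the entry ages out

    def remember(self, ssid: str, mac: str, now: datetime) -> None:
        """Record a client after a successful web-auth login."""
        # Fixed window from the login time; later visits do not extend it.
        self._expiry[(ssid, normalize_mac(mac))] = now + self.ttl

    def mac_auth(self, ssid: str, mac: str, now: datetime) -> bool:
        """True: MAC filter passes and the portal is skipped.
        False: MAC filter fails, so the client falls back to web auth."""
        try:
            key = (ssid, normalize_mac(mac))
        except ValueError:
            return False
        expiry = self._expiry.get(key)
        if expiry is None:
            return False
        if now >= expiry:
            del self._expiry[key]  # aged out: force a fresh web-auth login
            return False
        return True

    def purge(self, now: datetime) -> int:
        """Age-out job: drop expired entries and return how many were removed."""
        stale = [k for k, exp in self._expiry.items() if now >= exp]
        for k in stale:
            del self._expiry[k]
        return len(stale)


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed login time
    cache = MacCache()
    cache.remember("guest", "02-00-00-AA-BB-01", t0)  # constructed MAC
    print(cache.mac_auth("guest", "0200.00aa.bb01", t0 + timedelta(days=6)))
    print(cache.mac_auth("guest", "0200.00aa.bb01", t0 + timedelta(days=7)))
```

Because a client can present any MAC address, a remembered entry only skips the portal for that address; it adds no protection beyond what the open SSID already has.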

  • Cisco 3850 WLC mac-filtering

    Hi:
    Cisco 3850 in WLC how to config mac-filtering
    thanks

    When you create a MAC address filter on WLCs, users are granted or denied access to the WLAN network based on the MAC address of the client they use.
    There are two types of MAC authentication that are supported on WLCs:
    - Local MAC authentication
    - MAC authentication using a RADIUS server
    With local MAC authentication, user MAC addresses are stored in a database on the WLC. When a user tries to access the WLAN that is configured for MAC filtering, the client MAC address is validated against the local database on the WLC, and the client is granted access to the WLAN if the authentication is successful.
    By default, the WLC local database supports up to 512 user entries.
    The local user database is limited to a maximum of 2048 entries. The local database stores entries for these items:
    - Local management users, which includes lobby ambassadors
    - Local network users, which includes guest users
    - MAC filter entries
    - Exclusion list entries
    - Access point authorization list entries
    Together, all of these types of users cannot exceed the configured database size.
    To know how to configure MAC filtering, please go to the link below.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008084f13b.shtml

  • WiSM and GUEST web authentication

    I have a WiSM and we use Cisco open web authentication with a user email address.
    When performing this command via CLI:
    >config network secureweb disable
    >save config
    > reset system
    Will this make the web authentication come up HTTP instead of HTTPS ?

    That command is in order that you manage the unit.
    However, there used to be a workaround: when you disable HTTPS and SSH and you reboot the WLC, the web authentication will be shown as http and not https.
    Let me know if it works for you

  • Delayed Web Authentication on 5500 WLC

    Hi
    I have set up a Guest WLAN on a 5508 WLC with web authentication. I noticed during tests that it takes about 2 to 3 minutes to complete the authentication process and provide access to the client machine. My WLC is running version 7.3.101.0.
    Has anyone come across a similar situation or can suggest a solution to this issue?
    Feel free to ask if you need more details.
    Thanks
    Sunil

    Well what I would do for testing is the following:
    - Remove WebAuth to see if there is an issue with connectivity on that subnet
    - Map the Guest WLAN to a working subnet or create a new SSID and map that to a known working subnet
    - If you're using a custom WebAuth, try using the default internal WebAuth page to see if there is any difference
    - If you're authenticating Guest using RADIUS, check the RADIUS logs for errors
    - Is it all devices or is it an issue with a few or a certain model?
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Backplane and throughput in WLC 4402

    Hi,
    1. What is the backplane and throughput of the WLC 4402? Is there any backplane and throughput for the 1131 series wireless device?
    2. What is the difference between data rate and bandwidth? I mean, does 54 Mbps signify the wireless data rate or the bandwidth per AP 1131?

    Hi,
    The throughput of the 4402 is up to 2Gbps if its ports are bundled in an EtherChannel.
    For access points, data rate is the speed at which the data frame is transmitted. To evaluate throughput you must add the fact that the medium is half-duplex, that there is signaling overhead and that there are moments of silence.
    Overall, the throughput for 11g access points (1130, 1240) is 19Mbps. This is what you test in real life with iperf.
    Regards,
    Nicolas

  • IPod Touch can't be Mac Filtered....

    Airport Extreme Mac Address Filtering works for all our computers except the iPod touch.  No matter what I set the timing for, it can surf the web.  How do I get filtering to work for it?
    I've tried everything.  I substituted the MAC Address into one of the others I set up successfully and the iPod just punched right through.  I rebooted the Airport Extreme.  Nothing works.  The iPod Touch can still surf the web.
    Any ideas?
    johnnygeneric
    PS.  I have a total of 12 internet appliances set up for MAC filtering.

    OK.  I can NOT believe no one else has had this problem.  There have been 116 views of this, and no one has a solution?
    In fact, I bought a Fifth Generation Airport Extreme and the problem STILL persists.
    I used the Mac based Airport Utility to verify the MAC address.  The restriction is set up so that the iPod will only be able to hook up to the WiFi on Mondays.  Today is Saturday and it had no problem surfing the web.
    We also have an iPad Mini set up with MAC filtering and it shuts down at 9:30pm like it's supposed to. So someone tell me:  WHY IS THIS HAPPENING?

  • Airport Extreme MAC filtering with iBook G4

    Hi,
    I recently set up an AirPort Extreme Base Station with my PowerBook G4 and an iBook G4. I like using MAC filtering and setting up a list of specific MAC addresses that can have access to the network. This works fine with my PowerBook and old iMac [through ethernet]. It works initially with the iBook, but when the iBook is restarted, or when it has to reconnect to the AEBS for any reason, it only partially connects. It gets full signal, but is not able to connect to the internet. Yellow light in network prefs saying it has a self-assigned IP address but cannot access the internet. Is there some way to get it to always access without having to constantly reassign its MAC address on the AEBS and then reboot the AEBS? It seems to work fine when not using any MAC filtering security. But I want it. Any ideas? Many thanks.

    sorry wrong forum.

  • WAP321 MAC Filtering Not Working

    Hello,
    We have 6 x WAP321's setup via "Single Point Setup". We have enabled MAC Filtering and set to "Block all stations in list".
    We have added one device into this list and confirmed this replicates around all the APs. However, it doesn't prevent the device from joining the wireless.
    We have tried rebooting the APs and upgrading their firmware (1.0.5.3 ).
    No difference.
    Anyone else seen this or have any ideas?
    Regards
    Charlie 

    Hey blecp1,
    Can you try a full default of the modem and see if it still happens?
    Brodie
