WLC 5508 Local Authentication- need guidance
Hi forumers,
I have the combo of WLC 5508 (ver 7.0) and AP1041n; I just want to ask how I can do local authentication.
The environment doesn't have ACS, and no directory services (AD or LDAP).
Requirement:
Say I have one WLAN named "admin". Wherever a user wants to connect to this SSID, they need to be prompted for username/password,
and the user's entry is stored at the WLC.
I create the user at local net user, and map it to the appropriate WLAN.
At the WLAN, I enable local EAP and select the profile that I created.
PROBLEM STATEMENT:
The moment I test, it always prompts to input EAP-TTLS domain\username, password (token).
Question
a. Has anything gone wrong with my settings? How does local authentication really work with no ACS and directory services running at the back?
b. Can you please post any useful document URL or any supportive info? It will be very helpful.
Thanks
Noel
Surendra's document may refer to local authentication with ldap database but you could follow it without doing the LDAP part and the users will be stored in the local net users of the WLC.
You could also follow the WLC config guide in the "Local eap" chapter.
The concerning part in your description is that your laptop prompts for EAP-TTLS. That means that you configured your laptop for that method. The WLC only works with PEAP/EAP-FAST.
Similar Messages
-
WLC 5508 WPA Authentication Problems
Hello,
We have a WLC 5508 with 7.4.100.0 Firmware.
We are using 1141 and 1142 APs and we are having authentication problems with clients that are connecting to our WLAN with WPA+AES authentication. The clients receive a password error on their laptop, and we receive the following log in the WLC:
Client Excluded: MACAddress:f8:f1:eb:dd:ff:cd Base Radio MAC :08:ad:dd:76:4d:30 Slot: 0 User Name: unknown Ip Address: unknown Reason:802.1x Authentication failed 3 times. ReasonCode: 4
The strange thing is that the problem is solved restarting the Access-points.
Anyone had this problem previously?
Thanks in advance.
I made the configuration using the Cisco Recommended settings; the strange thing is that the users connect normally, until they start having authentication problems. I restart the access points and the problem is solved.
Cisco Recommended and not recommended Authentication Settings
Security encryption settings need to be identical for WPA and WPA2 for TKIP and AES as shown in this image:
These images provide examples of incompatible settings for TKIP and AES:
Note: Be aware that security settings permit unsupported features.
These images provide examples of compatible settings: -
WLC 5508 AD authentication for management
Hi,
I was wondering if it is possible to set up a 5508 to authenticate to AD for management. Currently, all of our Cisco devices authenticate to AD through NPS running on a Windows 2008 server and if the server is unavailable, they fail over to local authentication. I'd like to do this on our new controller but I can't seem to find the correct info on how to do this, if it can be done. All my searches result in instructions on how to authenticate wireless users.
Thanks
Yes, you can, via NPS (RADIUS) which then ties into AD. Here is a Cisco example document:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml
I hope this helps... -
Wlc 5508 radius authentication fail
I am trying to set up a wireless LAN for the first time using a 5508; all is working to a point, until I try to set up client authentication using the following.
So the settings are:
Layer Wlan settings:
Layer 2 security:WPA+WPA2
AES
Auth Key mgmt:802.1x
We have the authentication server enabled:
IP and port are correct
AAA override not enabled
Order for authentication: RADIUS only
Advanced: default settings
Radius authentication servers:
Call Station ID Type: IP address
MAC Delimiter: Colon
*radiusTransportThread: Dec 21 12:07:46.488: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 115) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
*radiusTransportThread: Dec 21 12:07:46.012: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 114) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
*Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:19:d2:b9:d5:e1
*Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:b9:d5:e1
*radiusTransportThread: Dec 21 12:07:16.412: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 113) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
*Dot1x_NW_MsgTask_1: Dec 21 12:06:59.741: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:19:d2:b9:d5:e1
Radius server occasionally sees attempts from user "XXZZYY"
Osvaldo,
Your observation is correct, and this should be documented on the WLC help tab if you search for the keyword "network user" under RADIUS auth.
Quote:
Network User—Network user authentication check box. If this option is enabled, this entry is considered as the network user RADIUS authenticating server entry. If you did not set the RADIUS server entry on the WLAN configuration (WLANs > Edit > Security > AAA Servers), you must enable this option for network users.
Management—Management authentication check box. If this option is enabled, this entry is considered as the management RADIUS authenticating server entry. If you enable this option, authentication requests go to the RADIUS server
AAA server defined on WLAN takes precedence over global. -
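As an added example (not from any post in this thread), the following Python script parses WLC syslog lines of the kind quoted above, counts RADIUS timeouts per server and EAP retry failures per client, and turns them into the checks an operator would run first. The sample lines are constructed from the messages quoted in this thread, with the server address left as X.X.X.X as in the original.

```python
import re
from collections import Counter

# Constructed sample: the WLC log lines quoted in this thread, server address left as X.X.X.X.
SAMPLE_LOG = """\
*radiusTransportThread: Dec 21 12:07:46.488: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 115) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
*radiusTransportThread: Dec 21 12:07:46.012: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 114) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
*Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:19:d2:b9:d5:e1
*Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:b9:d5:e1
*radiusTransportThread: Dec 21 12:07:16.412: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 113) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
*Dot1x_NW_MsgTask_1: Dec 21 12:06:59.741: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:19:d2:b9:d5:e1
Client Excluded: MACAddress:f8:f1:eb:dd:ff:cd Base Radio MAC :08:ad:dd:76:4d:30 Slot: 0 User Name: unknown Ip Address: unknown Reason:802.1x Authentication failed 3 times. ReasonCode: 4
"""

# *task: Mon DD HH:MM:SS.mmm: %FACILITY-SEVERITY-MNEMONIC: source.c:line message
LINE_RE = re.compile(
    r"^\*(?P<task>\S+): (?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d+): "
    r"%(?P<facility>[A-Z0-9]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<src>\S+) (?P<msg>.*)$"
)
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)
SERVER_RE = re.compile(r"RADIUS server (\S+):(\d+) failed to respond")
# The client-exclusion message has no syslog prefix, so it is matched on its own.
EXCLUDED_RE = re.compile(
    r"Client Excluded: MACAddress:(?P<mac>\S+).*?Reason:(?P<reason>.*?)\. ReasonCode: (?P<code>\d+)"
)


def parse_line(line):
    """Split one prefixed WLC syslog line into fields; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    mac = MAC_RE.search(rec["msg"])
    rec["mac"] = mac.group(0).lower() if mac else None
    return rec


def summarize(text):
    """Aggregate the events that matter for an 802.1x/RADIUS failure."""
    out = {
        "radius_unresponsive": Counter(),  # server:port -> requests with no reply
        "eap_retry_exceeded": Counter(),   # client MAC -> MAX_EAP_RETRIES count
        "aborted": Counter(),              # client MAC -> ABORT_AUTH count
        "excluded": [],                    # (client MAC, reason code, reason text)
    }
    for line in text.splitlines():
        ex = EXCLUDED_RE.search(line)
        if ex:
            out["excluded"].append((ex["mac"].lower(), int(ex["code"]), ex["reason"]))
            continue
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["mnemonic"] == "RADIUS_RESPONSE_FAILED":
            srv = SERVER_RE.search(rec["msg"])
            if srv:
                out["radius_unresponsive"][f"{srv.group(1)}:{srv.group(2)}"] += 1
        elif rec["mnemonic"] == "MAX_EAP_RETRIES":
            out["eap_retry_exceeded"][rec["mac"]] += 1
        elif rec["mnemonic"] == "ABORT_AUTH":
            out["aborted"][rec["mac"]] += 1
    return out


def triage(summary):
    """Turn the counts into the checks an operator would run first."""
    notes = []
    for server, n in summary["radius_unresponsive"].items():
        notes.append(
            f"{server}: {n} requests got no reply; check reachability and the UDP port, that the "
            "shared secret matches, and that the server is ticked as 'Network User' or bound on "
            "the WLAN's AAA Servers tab")
    for mac, n in summary["eap_retry_exceeded"].items():
        notes.append(
            f"{mac}: identity request retries exceeded {n} time(s); the supplicant did not answer, "
            "so confirm its EAP method matches what the WLAN offers")
    for mac, code, reason in summary["excluded"]:
        notes.append(
            f"{mac}: excluded (ReasonCode {code}: {reason}); correlate with the RADIUS timeouts "
            "above before suspecting the AP")
    return notes


if __name__ == "__main__":
    for note in triage(summarize(SAMPLE_LOG)):
        print(note)
```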
2 Cisco WLC 5508 controllers and software upgrade 7.6.130 + FUS 1.9
Hi
I have two WLC 5508 controllers that need 7.6.130 and FUS 1.9 installed. (Current version 7.3 and FUS 1.7)
Configuration: One controller is at Site A and the other controller is at Site B (two different states..)
They're configured so that if Site A goes down, Site A AP's will failover to Site B and vice versa ..
- What would be the recommended approach for upgrading the software to 7.6.130.0 (from 7.3) and also upgrading FUS 1.9 (from 1.7)?
My plan was to download 7.6.130.0 to both controllers and pre-download the software to all AP's (about 100 total between both sites) and then reboot the controllers at night at the same time? Or one before the other?
Step 2. Install FUS 1.9 to each controller.
I'm concerned over what might happen during the upgrade and AP failover etc..
Thanks
This is what I would do:
Upload v7.6.130.0 to all WLCs and then use the pre-image download to push the image to all access points.
Don't reboot the WLC.
Image swap in the access points so that v7.6.130.0 is primary.
Move all access point to one of the WLCs (A)
Enable ap AAA authentication on the WLC that has no access points and the one you will work on first. This prevents access points from joining
Reboot the WLC (A)
Upload the FUS 1.9.0.0
Reboot WLC (A) this takes up to 45 minutes
When the WLC (A) comes back online, uncheck ap AAA authentication
Move access points from WLC (B) to WLC (A)
Enable ap AAA authentication on WLC (B)
Perform all the other tasks you did earlier on WLC (A)
That's it.
-Scott -
Hi All
I want to migrate from WLC 4400 to WLC 5508. Currently on the WLC 4400 we have 10 APs connected, with 5 SSIDs having different authentication methods. On the WLC 5508, if I create the same SSIDs with the same keys, will I need to reconfigure anything on end user PCs and smart devices?
Is there any tool to migrate the WLC 4400 config to the WLC 5508?
cheers
Vishal
Thanks Scott, some more inquiries:
How do I reboot the AP from the controller? (I see 'Reset AP'; is this the option to reboot, or something else?)
How do I disconnect all users connected to a specific SSID from the controller?
Can AP model 3702 work with the WLC 5508? Do we need a specific software version?
cheers
Vishal -
Repeated wlc 5508 client web authentication
I'm trying to troubleshoot a situation where many of our guest wireless users are repeatedly being prompted to reauthenticate via the web interface. The session timeout is set to 4 hours; however, many times a client is presented with a web authentication screen right in the middle of browsing, at random times.
I do have several system log entries, but cannot find the specific entries in the Error code reference for the WLC. For example, I don't find anything on %AAA-3-VALIDATE_GUEST_SESSION_FAILED: file_db.c:4022 Guest user session validation failed for guest1. Index provided is out of range..
I'm running a WLC 5508 with 7.0.98.0 and have read through all of the release notes, error code references, etc., and don't see anything regarding this issue.
The WCS screenshot shows a good example of how often this occurs! Is the client actually re-associating with the AP (which in turn would require a web reauth)? Not sure if I'm barking up the wrong tree - focusing on web auth when I may actually need to be focusing on AP association...
I do have a TAC case opened up, but was wondering if anyone has experienced this before?
Sorry for the rambling...
Rene,
I did several things and at least one of them seemed to resolve the issue:
These notes are directly from my TAC case and I will try to provide a little more information [in brackets].
1. Upgrade WLC to 7.0.98.218 [self explanatory]
2. Upgrade WCS to 7.0.172.0 [current version, as of this note]
3. Increase DHCP scope time on ASA from default (30 minutes) to 4 days [DHCP running external from the WLC]
4. Remove TKIP from the WLAN - only allow AES [had both configured but tech advised to only use AES]
5. Increased session timeout from 14400 seconds to 64800 seconds (4 hours to 18 hours) [don't think this helped resolve the issue, but it certainly was more convenient for our longer-term guests]
I think that the TKIP and/or DHCP setting was integral as part of the resolution. I upgraded the WLC because the version that I was running didn't have the web-auth debug option, so I'm not sure that that actually contributed to the resolution.
Good Luck,
Rob. -
SNMP web authenticated users wlc 5508
Hello everyone,
I am using web authentication with my WLC 5508 and I would like to check all users currently connected (IP, login used, MAC address, ...) with SNMP.
I am using an external web server and my clients are authenticated with LDAP.
I know I can receive this information with traps, but I would like to create a short program which will check all users when I click on a button.
Can anyone help me?
Thanks a lot for your answers.
Hello Julien,
Thank you for the info. +5 for solving your own problem.
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you" -
Wlc flexconnect wlan local authentication and central web authentication maximum rtt
Hi
From the link below it is mentioned that "Round-trip latency must not exceed 300 milliseconds (ms) between the AP and the controller. If the 300 milliseconds round-trip latency cannot be achieved, configure the AP to perform local authentication."
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch7_HREA.html#wp1094148
Does this limitation refer to web authentication also?
Thanks
Anyone???
Central Web Auth (CWA) works differently on controllers/APs running in FlexConnect mode. Please check this guide and confirm that you have a similar setup.
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
If so, please post screenshots with your configs (Redirect ACLs, policies in ISE and the WLC SSID settings).
Also, the version of code that you are running in ISE and your controller.
Thank you for rating helpful posts! -
Need Information of cisco WLC 5508 LAG Interface
HI
We have a Cisco WLC 5508 in our network and right now this WLC is connected to two ports of each core switch. Both CORP and GUEST SSIDs are configured on this WLC.
Now we want to segregate the GUEST traffic on the core switches from the WLC. So my question is, how can we achieve this without using a guest anchor controller?
Can I use one interface of the Cisco WLC 5508 and connect it to the firewall or any other device?
Thanks
Puneet
Hi
Thanks... I am using the WLC as a DHCP server for Guest.
So I want to know, is there any requirement that the GUEST subnet should be pingable from the WLC management IP address?
My topology is here...
Corp network and management network are reachable; however the management network is not pingable from the guest network. -
WLC 5508: 802.1x AAA override; Authentication success, no dynamic VLAN assignment
WLC 5508: software version 7.0.98.0
Windows 7 Client
Radius Server: Fedora Core 13 / Freeradius with LDAP storage backend
I have followed the guide at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml with respect to building the LDAP and FreeRADIUS server. 802.1x authorization and authentication work correctly. The session keys are returned from the RADIUS server and the WLC sends the appropriate information for the client to generate the WEP key.
However, the WLC does not override the VLAN assignment, even though I was led to believe I set everything up correctly. From the packet capture, you can see that the verification that the client is authorized to use the WLAN returns the needed attributes:
AVP: l=4 t=Tunnel-Private-Group-Id(81): 10
AVP: l=6 t=Tunnel-Medium-Type(65): IEEE-802(6)
AVP: l=6 t=Tunnel-Type(64): VLAN(13)
I attached a packet capture and WLC config; any guidance toward the attributes that may be missing or not set correctly in the config would be most appreciated.
Yes, good catch, so I had one setting left off in FreeRADIUS that allows the inner reply attributes back to the outer tunneled Accept. I wrote up a medium/high level config for any future viewers of this thread:
The following was tested and verified on a Fedora 13 installation. This is a minimal setup, not meant for a "live" network (security issues with cleartext passwords, LDAP not indexed properly for performance).
Install Packages
1. Install needed packages.
yum install openldap*
yum install freeradius*
2. Set the services to automatically start of system startup
chkconfig --level 2345 slapd on
chkconfig --level 2345 radiusd on
Configure and start LDAP
1. Copy the needed LDAP schema for RADIUS. Your path may vary a bit.
cp /usr/share/doc/freeradius*/examples/openldap.schema /etc/openldap/schema/radius.schema
2. Create an admin password for slapd. Record this password for later use when configuring the slapd.conf file.
slappasswd
3. Add the ldap user and group, if they don't exist. Depending on the installed RPM, they may have been created already.
useradd ldap
groupadd ldap
4. Create the directory and assign permissions for the database files
mkdir /var/lib/ldap
chmod 700 /var/lib/ldap
chown ldap:ldap /var/lib/ldap
5. Edit the slapd.conf file.
cd /etc/openldap
vi slapd.conf
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#Default needed schemas
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
#Radius include
include /etc/openldap/schema/radius.schema
#Samba include
#include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# ldbm and/or bdb database definitions
#Use the berkely database
database bdb
#dn suffix, domain components read in order
suffix "dc=cisco,dc=com"
checkpoint 1024 15
#root container node defined
rootdn "cn=Manager,dc=cisco,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
rootpw {SSHA}cVV/4zKquR4IraFEU7NTG/PIESw8l4JI
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools. (chown ldap:ldap)
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index uid,memberUid eq,pres,sub
# enable monitoring
database monitor
# allow only rootdn to read the monitor
access to *
by dn.exact="cn=Manager,dc=cisco,dc=com" read
by * none
6. Remove the slapd.d directory
cd /etc/openldap
rm -rf slapd.d
7. Hopefully, if everything is correct, you should be able to start up slapd with no problem.
service slapd start
8. Create the initial database in a text file called /tmp/initial.ldif
dn: dc=cisco,dc=com
objectClass: dcObject
objectClass: organization
o: cisco
dc: cisco

dn: ou=people,dc=cisco,dc=com
objectClass: organizationalUnit
ou: people
description: people

dn: uid=jonatstr,ou=people,dc=cisco,dc=com
objectClass: top
objectClass: radiusprofile
objectClass: inetOrgPerson
cn: jonatstr
sn: jonatstr
uid: jonatstr
description: user Jonathan Strickland
radiusTunnelType: VLAN
radiusTunnelMediumType: 802
radiusTunnelPrivateGroupId: 10
userPassword: ggsg
9. Add the file to the database
ldapadd -x -h localhost -W -D "cn=Manager,dc=cisco,dc=com" -f /tmp/initial.ldif
10. Issue a basic query to the LDAP DB to make sure that we can send a request and receive results back (-x selects a simple bind with the rootdn rather than SASL)
ldapsearch -x -h localhost -W -D "cn=Manager,dc=cisco,dc=com" -b dc=cisco,dc=com -s sub "objectClass=*"
Configure and Start FreeRadius
1. Configure ldap.attrmap, if needed. This step is only needed if we need to map and pass attributes back to the authenticator (dynamic VLAN assignment as an example). Below is an example for dynamic VLAN assignment.
cd /etc/raddb
vi ldap.attrmap
For dynamic VLAN assignment, verify the following lines exist:
replyItem Tunnel-Type radiusTunnelType
replyItem Tunnel-Medium-Type radiusTunnelMediumType
replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
Since we are planning to use the userPassword attribute, we will let the mschap module perform the NT translations for us. Add the following line to check the LDAP object for userPassword and store it as Cleartext-Password:
checkItem Cleartext-Password userPassword
2. Configure eap.conf. The following section attributes should be verified. You may change other attributes as needed; they are just not covered in this document.
eap {
    default_eap_type = peap
    .....
    tls {
        # I will not go into details here, as this is beyond the scope of setting up freeradius.
        # The defaults will work, as freeradius comes with generated self-signed certificates.
    }
    peap {
        default_eap_type = mschapv2
        # You will have to set this to allow the inner TLS tunnel attributes into the final Accept message.
        use_tunneled_reply = yes
    }
}
3. Change the authentication and authorization modules and order.
cd /etc/raddb/sites-enabled
vi default
For the authorize section, uncomment the ldap module.
For the authenticate section, uncomment the ldap module.
vi inner-tunnel
Very important: for the authorize section, ensure the ldap module is first, before mschap. Thus authorize will look like:
authorize {
    ldap
    mschap
    ......
}
4. Configure ldap module
cd /etc/raddb/modules
ldap {
    server = "localhost"
    identity = "cn=Manager,dc=cisco,dc=com"
    password = admin
    basedn = "dc=cisco,dc=com"
    base_filter = "(objectclass=radiusprofile)"
    access_attr = "uid"
    ............
}
5. Start up radius in debug mode on another console
radiusd -X
6. radtest jonatstr ggsg localhost 12 testing123
(arguments: user, password, RADIUS server, NAS port, shared secret; the user and password are the ones added in initial.ldif)
You should get an Access-Accept back.
7. Now to perform an EAP-PEAP test. This will require a wpa_supplicant test utility called eapol_test.
First install openssl support libraries, required to compile
yum install openssl*
yum install gcc
wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.10.tar.gz
tar xvf wpa_supplicant-0.6.10.tar.gz
cd wpa_supplicant-0.6.10/wpa_supplicant
vi defconfig
Uncomment CONFIG_EAPOL_TEST = y and save/exit
cp defconfig .config
make eapol_test
cp eapol_test /usr/local/bin
chmod 755 /usr/local/bin/eapol_test
8. Create a test config file named eapol_test.conf.peap
network={
    eap=PEAP
    eapol_flags=0
    key_mgmt=IEEE8021X
    identity="jonatstr"
    password="ggsg"
    # If you want to verify the server certificate, the line below would be needed
    #ca_cert="/root/ca.pem"
    phase2="auth=MSCHAPV2"
}
9. Run the test
eapol_test -c ~/eapol_test.conf.peap -a 127.0.0.1 -p 1812 -s testing123 -
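As an added example (not part of the original post), this Python script builds the RADIUS Access-Accept the WLC would receive for the user above, verifies its Response Authenticator against the shared secret, and checks that the three tunnel attributes from the capture (Tunnel-Type VLAN(13), Tunnel-Medium-Type IEEE-802(6), Tunnel-Private-Group-Id "10") are present, well-formed and consistently tagged per RFC 2868. The request authenticator and shared secret in the demo are constructed test values.

```python
import hashlib
import struct

# RADIUS attribute numbers and values used for dynamic VLAN assignment (RFC 2868)
ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def encode_avp(attr_type, value):
    """Type(1) Length(1) Value; Length covers the two header bytes (l=4 for "10", l=6 for a tagged int)."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(value, tag=0):
    """Tunnel-Type / Tunnel-Medium-Type: one tag byte followed by a 3-byte integer."""
    return bytes([tag]) + value.to_bytes(3, "big")


def tagged_str(value, tag=None):
    """Tunnel-Private-Group-Id: optional tag byte (0x00-0x1F) followed by the string."""
    return (bytes([tag]) if tag is not None else b"") + value.encode()


def decode_avps(data):
    """Walk the attribute list, rejecting truncated or zero-length attributes."""
    avps, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        avps.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return avps


def build_access_accept(ident, request_auth, secret, avps):
    """Code(1) Identifier(1) Length(2) ResponseAuthenticator(16) attributes."""
    body = b"".join(encode_avp(t, v) for t, v in avps)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body


def verify_response_authenticator(packet, request_auth, secret):
    """The NAS recomputes MD5(Code+ID+Length+RequestAuth+Attributes+Secret);
    a mismatched shared secret makes the reply fail this check and be dropped."""
    head, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(head + request_auth + body + secret).digest() == resp_auth


def vlan_from_accept(packet):
    """Return (vlan_id, problems); vlan_id is None unless all three attributes agree."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    problems = []
    if code != ACCESS_ACCEPT:
        problems.append(f"code {code} is not Access-Accept")
    if length != len(packet):
        problems.append("length field does not match packet size")
    found = {}
    for attr_type, value in decode_avps(packet[20:]):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                problems.append(f"attribute {attr_type} has length {len(value)}, expected 4")
                continue
            found[attr_type] = (value[0], int.from_bytes(value[1:], "big"))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:  # leading tag byte present
                found[attr_type] = (value[0], value[1:].decode(errors="replace"))
            else:
                found[attr_type] = (0, value.decode(errors="replace"))
    expected = {TUNNEL_TYPE: ("Tunnel-Type", TUNNEL_TYPE_VLAN),
                TUNNEL_MEDIUM_TYPE: ("Tunnel-Medium-Type", TUNNEL_MEDIUM_IEEE_802)}
    for attr_type, (name, want) in expected.items():
        if attr_type not in found:
            problems.append(f"{name} missing")
        elif found[attr_type][1] != want:
            problems.append(f"{name} is {found[attr_type][1]}, expected {want}")
    if TUNNEL_PRIVATE_GROUP_ID not in found:
        problems.append("Tunnel-Private-Group-Id missing")
    elif not found[TUNNEL_PRIVATE_GROUP_ID][1].isdigit():
        # the capture on this page carries a numeric VLAN id; a VLAN name would need mapping on the NAS
        problems.append("Tunnel-Private-Group-Id is not a numeric VLAN id")
    if len({tag for tag, _ in found.values()}) > 1:
        problems.append("tunnel attributes carry different tags")
    if problems:
        return None, problems
    return int(found[TUNNEL_PRIVATE_GROUP_ID][1]), []


if __name__ == "__main__":
    # Constructed test values; the request authenticator and secret are not from any real exchange.
    req_auth, secret = bytes(range(16)), b"testing123"
    avps = [(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN)),
            (TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802)),
            (TUNNEL_PRIVATE_GROUP_ID, tagged_str("10"))]
    pkt = build_access_accept(7, req_auth, secret, avps)
    print(verify_response_authenticator(pkt, req_auth, secret), vlan_from_accept(pkt))
```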
Cisco WLC 5508 with 3702APs - mobile hotspot for 2000 Guest users
I've been given a fantastic "opportunity" by my boss to use our existing wireless infrastructure to provide internet access to potentially up to 2000 VIP guests arriving with BYOD devices, in a very densely populated area for a 3 day event. We are talking an area of approx 200m x 15m. Think of it as an awards ceremony/concert. The solution will also be mobile so we will be using internet breakout from different telcos as it will move to approx 20 countries. The area is also incredibly densely populated with other wifi APs. I did a brief site survey and AirMagnet could detect over 2500 other 'rogue' APs from where I was stood! I hope CleanAir works!
We need a simple authentication method for them to connect with zero admin from our side. We don't want to just offer up a rolling daily PSK as that's a bit amateur and we don't really want the VIP guests sharing the PSK with others during their stay. Ideally they could self-provision by providing an email address.
I know the WLC can handle webauth for local users but I don't think it scales very well. ie I don't think I can offer the account to several hundred people.
Cisco ISE looks a very expansive (and expensive) product but I don't think we need all its capabilities (do I?). It would be nice to just ask a potential user for their email address and grant them access and email them next year. I've seen Cisco NAC but that looks over the top too for just guest users who will only be accessing a shared internet connection.
I've seen 3rd party supposed software solutions from Kiosk Antamedia etc do they work with Cisco Enterprise WLC solutions?
We'd like to limit users to a certain (low) bandwidth and block (say) torrent traffic to keep the general user experience worthwhile.
Does anybody have any case study documents or experience of such a project? As well as the authentication it's how well the APs will handle the dense potential number of clients trying to connect in such a confined space.
Any suggestions would be gratefully appreciated from the knowledgeable community.
Cheers,
Mike
Hi Rasika,
We have the WLC 5508 model with software version 7.4.121.0 running. AP models are AIR-CAP2602I.
Normally our WAN links are good even while the issue persists. We are connected to remote offices over IPsec site-to-site VPN for WAN. The link latency in the WLC between the AP and the controller shows <1ms.
Currently the Guest network is using WPA2-PSK auth given in the controller. We are trying to find an option to make the Guest wireless auth local to the office, and see if this solves the problem.
any suggestions,
Thank you,
Arjun -
IPad & 3502i WAP wlc 5508 H-REAP
I have a weird situation occurring at a new remote location.
Here is my scheme.
At my physical location = WHQ
wlc 5508 (7.0.98.0)
vlan 800
ssid KWD-Guest
open authentication
wep 48bit key
(ACL restricted to internet only access)
Remote physical location = 80NY
2821 router (12.4ios) - routes and dhcp for the locations networks.
3560-48 switch - user connections and WAP connections.
3502i WAP - H-REAP back to WHQ for management and configuration.
Remote physical location = 1441NY
3825 router (12.4ios) - routes and dhcp for the locations networks.
3560-48 switch - user connections and WAP connections.
1131AG WAP - H-REAP back to WHQ for management and configuration.
Here is the issue we are running into.
At 80NY the users want to connect to the guest vlan 800 ssid KWD-Guest with iPads and smart phones (model unknown).
They can see the SSID broadcasting. They try to connect to the SSID, input the WEP key, wait, wait and time out on DHCP, giving themselves a 168.x.x.x address.
From the router side, I can see the dhcp request on the correct vlan hitting the correct dhcp pool.
The router hands out a valid ip address and associates it to the correct wireless devices Mac-Address
But as I said the client times out waiting for the dhcp address.
Now the kicker here is that the very same iPad and smart phone CAN connect to the guest ssid at 1441NY which is also hosted off the same 5508 at WHQ.
The only difference I see is the WAP model and the network addresses I hand out at each location.
To the best of my ability I have double checked my router/switch and controller/WAP configurations against each site to make sure there is a mirror in place.
Any ideas?
SR 617433573
dmantill,
Good morning and thank you for linking in the pdf.
I read it and hit several of the hyperlinks included in the pdf.
While I found the information useful and informative overall I did not really see anything that explained or covered the issue I am encountering.
I have a SR open now and the TAC engineer wants me to capture some debugs on the client mac. Once I can get the local tech onsite again we will perform the connection attempt with the debugging enabled.
FYI this is what the engineer wants to see.
Here is the information that I need to see when the problem occurs:
Disable/Disconnect the wireless client from the network – wait 1-2 mins
Open Telnet/SSH session to the WLC CLI - (Use Putty/SecureCRT with logging enabled)
type: Debug client
Turn the wireless device back on and let it authenticate/associate to the wireless network. Once the client experiences the problem, disable the debug process using the command:
debug disable-all
Filename: DebugClient.TXT -
Hello!
I am having problem in configuring wlc 5508, in a security option i applied mac-filtering and it works fine.
Now I need to configure IP-MAC address binding; I tried both the GUI and CLI method but it is not working. While configuring MAC filtering on the GUI there is an option to define an IP address; after defining IP address xx.xx.xx.xx for device xx, it is not picking that particular IP from the pool.
mac-filtering is still working with out issue.
Also tried with cli.....
Looking through the configuration guide i tried every possible ways but couldn't get any resolution.
mac-binding, mac-filtering is enable,
What will be the possible causes of this?
does it support mac-ip binding in its local database?
I would be thankful in your any suggestions and advises!
Nikhil
Thanks for the reply David,
Currently users are authenticated by MAC address and we want IP-MAC based authentication on the Cisco 5508 controller.
We are facing the problem that instead of the IP-MAC pair, only the MAC address is authenticated.
Can you guide me on how I can authenticate an IP-MAC pair on the Cisco 5508 controller?
Or is this possible on the Cisco 5508 controller, as it is showing an IP address field in the GUI option?
I am waiting for your reply. -
WLC, ISE certificate authentication issue
Hi Folks,
This is the setup:
Redundant pair of WLC 5508 (version 7.5.102.0)
Redundant Pair of ISE (Version 1.2.0.899)
The ISE servers are connected to the corporate Active Directory (the AD servers are configured as external identity sources)
There is a rule based authentication profile which queries the AD identity source when it receives wireless 802.1x authentication requests.
A corporate WLAN is configured on the WLC:
L2 security WPA+WPA2 (AES Encryption), ISE server 1 and 2 configured as the AAA Authentication servers.
This is all working correctly - I associate to the Corp WLAN (Authentication WPA2 enterprise, encryption AES CCMP, 802.1x auth MS-CHAPv2 using AD credentials) ... I can see the authentication request being processed correctly by the ISE, and I get access to the network.
The client I am working for wants to restrict access to the WLAN to users who have been allocated a certificate from the corporate CA, and this is where I am having issues.
I took a test laptop, and requested a new certificate (mmc, add snapin, certificates, current user, personal, request new cert).
The cert that was issued was signed only by a Corporate AD server with CA services (there is nothing in the certification path above the cert I was issued, apart from the issuing server itself). I changed the security settings of my connection to the corp wlan (using TLS instead of mschapv2, and pointing to the certificate I requested)
Initially authentication failed because the ISE did not trust the CA that provided my certificate (the ISE RADIUS authentication troubleshooting tool had this entry: '12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain').
I exported the issuing CA's root certificate (followed this process http://support.microsoft.com/kb/555252), and imported the cert into ISE (administration, system, certificates, certificate store, import) - status of the cert is enabled, and it is trusted for client auth.
After I did this, I could no longer associate to the Corp WLAN.
My laptop's wireless management software logs were filled with messages saying that the authentication server did not respond.
The ISE troubleshooting tool reported no new failed or successful authentication attempts.
Strangely though, the WLC log had a lot of entries like this: 'AAA Authentication Failure for UserName:host/laptop_asset_tag.corp.com User Type: WLAN USER'.
It looks like the WLC is trying to locally authenticate my session when I use TLS, rather than hand off the authentication request to the ISE. Other users who authenticate using their AD credentials only (as I described above) can still authenticate ok.
Anyone able to shed some light on where I have gone wrong or what additional troubleshooting I can do?
Thanks in advance,
Darragh
Hi,
I had the same issue with microsoft CA and running ISE 1.1.4. The CA file was "corrupted", but you didn't see it at first glance. You can verify if the client CA matches the root CA via openssl.
Try to export the root CA and the issuing CA in a different format (Base64), import both root and issuing into ise and check if that works. Also check if "Trust for client authentication or Secure Syslog services" in the Certificate Store -> CA -> Edit, is set.
If this does not work, try to import the CA into another system and export it, then import into ISE.
Regards,