WLC 5508 Local Authentication- need guidance

Hi formers'
i have the combo of WLC 5508 (ver 7.0) and AP1041n, just want to ask how i can do local authentication.
The environment don't have ACS, no directory services ( AD or LDAP).
Requirement:
say, i have one WLAN name "admin". Where-ever if user want to connect to this SSID, they need to prompt username/password,
user's entry is store at WLC.
i create the user at local net user, and map it to appropirate WLAN.
at the WLAN, i enable local EAP and select the profile that i create.
PROBLEM STATEMENT:
The moment i test, it always prompt to input  EAP-TTLS domain\usename. password (token)
Question
a. any goes wrong with my setting? how really local authentication work with no ACS and directory services running at the back?
b. can please post any useful document URL or any supportive info, it will be very helpful
Thanks
Noel

Surendra's document may refer to local authentication with ldap database but you could follow it without doing the LDAP part and the users will be stored in the local net users of the WLC.
You could also follow the WLC config guide in the "Local eap" chapter.
The concerning part in your description is that your laptop prompts for EAP-TTLS. That means that you configured your laptop for that method. The WLC is only with peap/eap-fast

Similar Messages

  • WLC 5508 WPA Authentication Problems

    Hello,
    We have a WLC 5508 with 7.4.100.0 Firmware.
    We are using 1141 and 1142 APs and we are having authentication problems with clients that are connecting to our WLAN with WPA+AES autentication. The clients receive in her laptop a password error, and we receive the following log in wlc:
    Client Excluded: MACAddress:f8:f1:eb:dd:ff:cd Base Radio MAC :08:ad:dd:76:4d:30 Slot: 0 User Name: unknown Ip Address: unknown Reason:802.1x Authentication failed 3 times. ReasonCode: 4
    The strange thing is that the problem is solved restarting the Access-points.
    Anyone had this problem previusly?
    Thanks in advance.

    I made the configuration using the Cisco Recommended settings, the strange thing its that the users connect normally, until they starts with authentication problems. I restart the access points and the problem its solved.
    Cisco Recommended  and not recommended Authentication Settings
    Security encryption settings need to be identical for WPA and WPA2 for TKIP and AES as shown in this image:
    These images provide examples of incompatible settings for TKIP and AES:
    Note: Be aware that security settings permit unsupported features.
    These images provide examples of compatible settings:

  • WLC 5508 AD authentication for management

    Hi,
    I was wondering if it is possible to set up a 5508 to authenticate to AD for management.  Currently, all of our Cisco devices authenticate to AD through NPS running on a windows 2008 server and if the server is unavailable, they failover to local authentication.  I'd like to do this on our new controller but I can't seem to find the correct info on how to do this, if it can.  All my searches result in instructions on how to authenticate wireless users.
    Thanks

    Yes, you can via NPS (Radius) which then ties into AD. Here is a Cisco exmaple document:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml
    I hope this helps...

  • Wlc 5508 radius authentication fail

    I am trying to setup a wireless lan for the first time using 5508, all is working to a point, until i try to setup client authentication using the following
    so settings are:
    Layer Wlan settings:
    Layer 2 security:WPA+WPA2
    AES
    Auth Key mgmt:802.1x
    We have the authentication server enabled:
    Ip an port are correct
    AAA overide not enabled
    Order for authentication, radius only
    Advanced: dafault settings
    Radius authentication servers:
    Call Station ID Type: IP address
    MAC Delimiter: Colon
    Network User
    Management
    Server Index
    Server Address
    Port
    IPSec
    Admin Status
    Server Index
    Server Address
    Shared Secret Format
                     ASCII                 Hex              
    Shared Secret
    Confirm Shared Secret
    Key Wrap
      (Designed for FIPS customers and requires a key wrap compliant RADIUS server)
    Port Number
    Server Status
                     Enabled                  Disabled              
    Support for RFC 3576
                     Enabled                  Disabled              
    Server Timeout
      seconds
    Network User
    Enable
    Management
    Enable
    IPSec
    Enable
    *radiusTransportThread: Dec 21 12:07:46.488: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 115) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
    *radiusTransportThread: Dec 21 12:07:46.012: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 114) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
    *Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:19:d2:b9:d5:e1
    *Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:b9:d5:e1
    *radiusTransportThread: Dec 21 12:07:16.412: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 113) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
    *Dot1x_NW_MsgTask_1: Dec 21 12:06:59.741: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:19:d2:b9:d5:e1
    Radius server occasionally sees attempts from user "XXZZYY"

    Osvaldo,
    Your observation is correct and this should be documented on the WLC help tab if you search for keyword network user under radius auth.
    Quote:
    Network User—Network user authentication check box. If this option is enabled, this entry is considered as the network user RADIUS authenticating server entry. If you did not set the RADIUS server entry on the WLAN configuration (WLANs > Edit > Security > AAA Servers), you must enable this option for networkusers.
    Management—Management authentication check box. If this option is enabled, this entry is considered as the management RADIUS authenticating server entry. If you enable this option, authentication requests go to the RADIUS server
    AAA server defined on WLAN takes precedence over global.

  • 2 Cisco WLC 5508 controllers and software upgrade 7.6.130 + FUS 1.9

    Hi
    I have two WLC 5508 controllers that need 7.6.130 and FUS 1.9 installed. (Current version 7.3 and FUS 1.7)
    Configuration: One controller is at Site A and the other controller is at Site B (two different states..)
    They're configured so that if Site A goes down, Site A AP's will failover to Site B and vice versa ..
    - What would be the recommended approach for upgrading the software to 7.6.130.0 (from 7.3) and also upgrading FUS 1.9 (from 1.7)?
    My plan was to download 7.6.130.0 to both controllers and pre-download the software to all AP's (about 100 total between both sites) and then reboot the controllers at night at the same time? Or one before the other? 
    Step 2. Install FUS 1.9 to each controller.
    I'm concerned over what might happen during the upgrade and AP failover etc..
    Thanks

    This is what I would do:
    Upload v7.6.130.0 to all WLCs and then use the pre image download to push the image to all access points. 
    Dont reboot the wlc
    Image swap in the access points so that v7.6.130.0 is primary
    Move all access point to one of the WLCs (A)
    Enable ap AAA authentication on the WLC that has no access points and the one you will work on first.  This prevents access points from joining  
    Reboot the WLC (A)
    Upload the FUS 1.9.0.0
    Reboot WLC (A) this takes up to 45 minutes
    When the WLC (A) comes back online, uncheck ap AAA authentication
    Move access points from WLC (B) to WLC (A)
    Enable ap  AAA authentication on  WLC (B)
    Perform all the other task you did earlier on WLC (A)
    That's it.
    -Scott

  • WLC 4400 to WLC 5508

    Hi All
    I want to migrate from WLC 4400 to WLC 5508. currently on WLC 4400 we got 10 AP are connected with 5 SSID having different authentication method. On WLC 5508 If I create the same SSID with same key, will I need to reconfigure anything on end user PC and smart devices
    any tool to migrate wlc 4400 config to wlc 5508
    cheers
    Vishal 

    Thanks Scott, some more inquiry
    how to reboot the AP from the controller. ( I see 'Reset AP' -  this option to reboot or something else)
    how to disconnect all users connected to specific SSID from controller
    Can AP model 3702 work with WLC  5508, do we need specific software version
    cheers
    Vishal

  • Repeated wlc 5508 client web authentication

    I'm trying to troubleshoot a situation where many of our guest wireless users are repeatedly being prompted to reauthenticate via the web interface.  the session timeout is set to 4 hours, however, many times a client is presented with a web authentication screen right in the middle of browsing at random times.
    I do have several system log entries, but cannot find the specific entries in the Error code reference for the WLC.  For example, I don't find anything on %AAA-3-VALIDATE_GUEST_SESSION_FAILED: file_db.c:4022 Guest user session validation failed for guest1. Index provided is out of range..
    I'm running a WLC 5508 with 7.0.98.0 and have read through all of the release notes, error code references, etc., and don't see anything regarding this issue.
    The WCS screenshot shows a good example of how often this occurs!  Is the client actually re-associating with the AP (which in turn would require a web reauth)?  Not sure if I'm barking up the wrong tree - focusing on web auth when I may actually need to be focusing on AP association...
    I do have a TAC case opened up, but was wondering if anyone has experienced this before?
    Sorry for the rambling...

    Rene,
    I did several things and at least one of them seemed to resolve the issue:
    These notes are directly from my TAC case and I will try to provide a little more information [in brackets].
    1.       Upgrade WLC to 7.0.98.218 [self explanatory]
    2.       Upgrade WCS to 7.0.172.0 [current version, as of this note]
    3.       Increase DHCP scope time on ASA from default (30 minutes) to 4
    days [DHCP running external from the WLC]
    4.       Remove TKIP from the WLAN - only allow AES [had both configured but tech advised to only use AES]
    5.       Increased session timeout from 14400 seconds to 64800 seconds
    (4 hours to 18 hours) [don't think this helped resolve the issue, but it certainly was more convenient for our longer-term guests]
    I think that the TKIP and/or DHCP setting was integral as part of the resolution.  I upgraded the WLC because the version that I was running didn't have the web-auth debug option, so I'm not sure that that actually contributed to the resolution.
    Good Luck,
    Rob.

  • SNMP web authenticated users wlc 5508

    Hello everyone,
    I am using web authentication with my Wlc 5508 and I would like to check all users currently connected (ip, login used, MAC address, ...) with SNMP.
    I am using an external web server and my client are authenticated with ldap.
    I know I can receive these information with traps, but I would like to create a short program which will check all users when I click on a button.
    Can anyone help me ?
    Thanks a lot for your answers.

    Hello Julien,
    Thank you for the info. +5 for solving your own problem.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Wlc flexconnect wlan local authentication and central web authentication maximum rtt

    Hi
    From the below link below it mentioned that "Round-trip latency must not exceed 300 milliseconds (ms) between the AP and the controller. If the 300 milliseconds round-trip latency cannot be achieved, configure the AP to perform local authentication."
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch7_HREA.html#wp1094148.
    Is this limitation refer to web authentication also?
    Thanks
    Anyone???

    Central Web Auth (CWA) works different on controllers/APs running in FlexConnect mode. Please check this guide and confirm that you have similar setup. 
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
    If so, please post screen shots with your configs (Redirect ACLs, policies in ISE and the WLC SSD settings). 
    Also, the version of code that you are running in ISE and your controller. 
    Thank you for rating helpful posts!

  • Need Information of cisco WLC 5508 LAG Interface

    HI
    We have cisco WLC 5508 in our network and right now ,this WLC is connected to two ports of each core switches.Both CORP and GUEST SSID are configured on this WLC.
    Now we want to segregate the trafffic og GUEST to on core switches from WLC. SO my question is ,how can we achieve this without using guest anchor controller ?
    Can i use one interfcae cisco WLC 5508 and connect it to the firewall or any device ?
    Thanks
    Puneet

    Hi
    Thanks ...I am using WLC as a DHCP server for Guest.
    So  i want to know ,is there any requirement that GUEST subnet should be pingable from WLC management IP address.
    my topology is here...
    Corp network and management network are reachable however management metwork is not pinagble from guest netowrk.

  • WLC 5508: 802.1 AAA override; Authenication success no dynamic vlan assignment

    WLC 5508: software version 7.0.98.0
    Windows 7 Client
    Radius Server:  Fedora Core 13 / Freeradius with LDAP storage backend
    I have followed the guide at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml with respective to building the LDAP and free radius server.  802.1x authorization and authenication correctly work.  The session keys are returned from the radius server and the wlc send the appropriate information for the client to generate the WEP key.
    However, the WLC does not override the VLAN assignment, even though I was to believe I set everything up correctly.  From the packet capture, you can see that verfication of client is authorized to use the WLAN returns the needed attributes:
    AVP: l=4  t=Tunnel-Private-Group-Id(81): 10
    AVP: l=6  t=Tunnel-Medium-Type(65): IEEE-802(6)
    AVP: l=6  t=Tunnel-Type(64): VLAN(13)
    I attached a packet capture and wlc config, any guidance toward the attributes that may be missing or not set correctly in the config would be most appreciated.

    Yes good catch, so I had one setting left off in freeradius that allowed the inner reply attributes back to the outer tunneled accept.  I wrote up a medium high level config for any future viewers of this thread:
    The following was tested and verified on a fedora 13 installation.   This is a minimal setup; not meant for a "live" network (security issues  with cleartext passwords, ldap not indexed properly for performance)
    Install Packages
    1.  Install needed packages.
    yum install openldap*
    yum install freeradius*
    2.  Set the services to automatically start of system startup
    chkconfig --level 2345 slapd on
    chkconfig --level 2345 radiusd on
    Configure and start LDAP
    1.  Copy the needed ladp schemas for radius.  Your path may vary a bit
    cp /usr/share/doc/freeradius*/examples/openldap.schema /etc/openldap/schema/radius.schema
    2.  Create a admin password for slapd.  Record this password for later use when configuring the slapd.conf file
    slappasswd
    3.  Add the ldap user and group; if it doesn't exisit.  Depending on the install rpm, it may have been created
    useradd ldap
    groupadd ldap
    4.  Create the directory and assign permissions for the database files
    mkdir /var/lib/ldap
    chmod 700 /var/lib/ldap
    chown ldap:ldap /var/lib/ldap
    5.  Edit the slapd.conf file.
    cd /etc/openldap
    vi slapd.conf
    # See slapd.conf(5) for details on configuration options.
    # This file should NOT be world readable.
    #Default needed schemas
    include        /etc/openldap/schema/corba.schema
    include        /etc/openldap/schema/core.schema
    include        /etc/openldap/schema/cosine.schema
    include        /etc/openldap/schema/duaconf.schema
    include        /etc/openldap/schema/dyngroup.schema
    include        /etc/openldap/schema/inetorgperson.schema
    include        /etc/openldap/schema/java.schema
    include        /etc/openldap/schema/misc.schema
    include        /etc/openldap/schema/nis.schema
    include        /etc/openldap/schema/openldap.schema
    include        /etc/openldap/schema/ppolicy.schema
    include        /etc/openldap/schema/collective.schema
    #Radius include
    include        /etc/openldap/schema/radius.schema
    #Samba include
    #include        /etc/openldap/schema/samba.schema
    # Allow LDAPv2 client connections.  This is NOT the default.
    allow bind_v2
    # Do not enable referrals until AFTER you have a working directory
    # service AND an understanding of referrals.
    #referral    ldap://root.openldap.org
    pidfile        /var/run/openldap/slapd.pid
    argsfile    /var/run/openldap/slapd.args
    # ldbm and/or bdb database definitions
    #Use the berkely database
    database    bdb
    #dn suffix, domain components read in order
    suffix        "dc=cisco,dc=com"
    checkpoint    1024 15
    #root container node defined
    rootdn        "cn=Manager,dc=cisco,dc=com"
    # Cleartext passwords, especially for the rootdn, should
    # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
    # Use of strong authentication encouraged.
    # rootpw        secret
    rootpw      
    {SSHA}
    cVV/4zKquR4IraFEU7NTG/PIESw8l4JI  
    # The database directory MUST exist prior to running slapd AND
    # should only be accessible by the slapd and slap tools. (chown ldap:ldap)
    # Mode 700 recommended.
    directory    /var/lib/ldap
    # Indices to maintain for this database
    index objectClass                       eq,pres
    index uid,memberUid                     eq,pres,sub
    # enable monitoring
    database monitor
    # allow onlu rootdn to read the monitor
    access to *
             by dn.exact="cn=Manager,dc=cisco,dc=com" read
             by * none
    6.  Remove the slapd.d directory
    cd /etc/openldap
    rm -rf slapd.d
    7.  Hopefully if everything is correct, should be able to start up slapd with no problem
    service slapd start
    8.  Create the initial database in a text file called /tmp/initial.ldif
    dn: dc=cisco,dc=com
    objectClass: dcobject
    objectClass: organization
    o: cisco
    dc: cisco
    dn: ou=people,dc=cisco,dc=com
    objectClass: organizationalunit
    ou: people
    description: people
    dn: uid=jonatstr,ou=people,dc=cisco,dc=com
    objectClass: top
    objectClass: radiusprofile
    objectClass: inetOrgPerson
    cn: jonatstr
    sn: jonatstr
    uid: jonatstr
    description: user Jonathan Strickland
    radiusTunnelType: VLAN
    radiusTunnelMediumType: 802
    radiusTunnelPrivateGroupId: 10
    userPassword: ggsg
    9.  Add the file to the database
    ldapadd -h localhost -W -D "cn=Manager, dc=cisco,dc=com" -f /tmp/initial.ldif
    10.  Issue a basic query to the ldap db, makes sure that we can request and receive results back
    ldapsearch -h localhost -W -D cn=Manager,dc=cisco,dc=com -b dc=cisco,dc=com -s sub "objectClass=*"
    Configure and Start FreeRadius
    1. Configure ldap.attrmap, if needed.  This step is only needed if we  need to map and pass attributes back to the authenicator (dynamic vlan  assignments as an example).  Below is an example for dynamic vlan  addresses
    cd /etc/raddb
    vi ldap.attrmap
    For dynamic vlan assignments, verify the follow lines exist:
    replyItem    Tunnel-Type                                   radiusTunnelType
    replyItem    Tunnel-Medium-Type                   radiusTunnelMediumType
    replyItem    Tunnel-Private-Group-Id              radiusTunnelPrivateGroupId
    Since we are planning to use the userpassword, we will let the mschap  module perform the NT translations for us.  Add the follow line to  check ldap object for userpassword and store as Cleartext-Password:
    checkItem    Cleartext-Password    userPassword
    2.  Configure eap.conf.  The following sections attributes below  should be verified.  You may change other attributes as needed, they are  just not covered in this document.
    eap
    {      default_eap_type = peap      .....  }
    tls {
        #I will not go into details here as this is beyond scope of  setting up freeradisu.  The defaults will work, as freeradius comes with  generated self signed certificates.
    peap {
        default_eap_type = mschapv2
        #you will have to set this to allowed the inner tls tunnel  attributes into the final accept message
        use_tunneled_reply = yes
    3.  Change the authenication and authorization modules and order.
    cd /etc/raddb/sites-enabled
    vi default
    For the authorize section, uncomment the ldap module.
    For the authenicate section, uncomment the ldap module
    vi inner-tunnel
    Very importants, for the authorize section, ensure the ldap module is first, before mschap.  Thus authorize will look like:
    authorize
    {      ldap      mschap      ......  }
    4.  Configure ldap module
    cd /etc/raddb/modules
    ldap
    {        server=localhost       identify = "cn=Manager,dc=cisco,dc=com"        password=admin       basedn="dc=cisco,dc=com"       base_filter =  "(objectclass=radiusprofile)"       access_attr="uid"       ............   }
    5.  Start up radius in debug mode on another console
    radiusd -X
    6.  radtest localhost 12 testing123
    You should get a Access-Accept back
    7.  Now to perform an EAP-PEAP test.  This will require a wpa_supplicant test libarary called eapol_test
    First install openssl support libraries, required to compile
    yum install openssl*
    yum install gcc
    wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.10.tar.gz 
    tar xvf wpa_supplicant-0.6.10.tar.gz
    cd wpa_supplicant-0.6.10/wpa_supplicant
    vi defconfig
    Uncomment CONFIG_EAPOL_TEST = y and save/exit
    cp defconfig .config
    make eapol_test
    cp eapol_test /usr/local/bin
    chmod 755 /usr/local/bin/eapol_test
    8.  Create a test config file named eapol_test.conf.peap
    network=
    {   eap=PEAP  eapol_flags=0  key_mgmt=IEEE8021X  identity="jonatstr"   password="ggsg"  \#If you want to verify the Server certificate the  below would be needed   \#ca_cert="/root/ca.pem"  phase2="auth=MSCAHPV2"   }
    9.  Run the test
    eapol_test -c ~/eapol_test.conf.peap -a 127.0.0.1 -p 1812 -s testing123

  • Cisco WLC 5508 with 3702APs - mobile hotspot for 2000 Guest users

    Cisco WLC 5508 with 3702APs - mobile hotspot for 2000 Guest users
    I've been given a fantastic "opportunity" by my boss to use our existing wireless infrastructure to provide internet access to potentially upto 2000 VIP guests arriving with BYOD devices, in a very densely populated area for a 3 day event. We are talking an area of approx 200m x 15m. Think of it as an awards ceremony/concert. The solution will also be mobile so we will be using internet breakout from different telcos as it will move to approx 20 countries. The area is also incredibly densely populated with other wifi APs. I did a brief site survey and AirMagnet could detect over 2500 other 'rogue' APs from where I was stood! I hope CleanAir works!
    We need a simple authentication method for them to connect with zero admin from our side. We don't want to just offer up a rolling daily PSK as that's a bit amateur and we don't really want the VIP guests sharing the PSK with others during their stay. Ideally they could self-provision by providing an email address.
    I know the WLC can handle webauth for local users but I don't think it scales very well. ie I don't think I can offer the account to several hundred people.
    Cisco ISE looks a very expansive (and expensive) product but I don't think we need all it's capabilities (do I?). It would be nice to just ask a potential user for their email address and grant them access and email them next year. I've seen Cisco NAC but that looks over the top too for just guest users who will only be accessing a shared internet connection.
    I've seen 3rd party supposed software solutions from Kiosk Antamedia etc do they work with Cisco Enterprise WLC solutions?
    We'd like to limit users to a certain (low) bandwidth and block (say) torrent traffic to keep the general user experience worthwhile.
    Does anybody have any case study documents or experience of such a project? As well as the authentication it's how well the APs will handle the dense potential number of clients trying to connect in such a confined space. 
    Any suggestions would be gratefully appreciated from the knowledgeable community.
    Cheers,
    Mike

    Hi Rasika,
    We are having WLC 5508 model with software version running 7.4.121.0. AP Models are AIR-CAP2602I.
    Normally our WAN links are good even while the issue pertains. We are connected to remote offices over ipsec site to site vpn for WAN. The link latency in WLC between the AP and the controller shows  <1ms.
    currently the Guest network is using WPA2-PSK auth given in the controller. we are trying to find a option to make the Guest wireless auth local to the office, and see if this solves the problem. 
    any suggestions,
    Thank you,
    Arjun

  • IPad & 3502i WAP wlc 5508 H-REAP

    I have a wierd situation occouring at a new remote location.
    Here is my scheme.
    At my phyiscal location =WHQ
    wlc 5508 (7.0.98.0)
    vlan 800
    ssid KWD-Guest
    open authentication
    wep 48bit key
    (ACL restricted to internet only access)
    Remote physical location = 80NY 
    2821 router (12.4ios) - routes and dhcp for the locations networks.
    3560-48 switch     - user connections and WAP connections.
    3502i WAP - H-REAP back to WHQ for management and configuration.
    Remote physical location = 1441NY
    3825 router (12.4ios) - routes and dhcp for the locations networks.
    3560-48 switch     - user connections and WAP connections.
    1131AG WAP - H-REAP back to WHQ for management and configuration.
    Here is the issue we are running into.
    At 80NY the users want to connect to the guest vlan 800 ssid KWD-Guest with iPads and smart phones (model unknown).
    They can see the ssid broadcasting. Try to connect to the ssid, input the wep key. wait, wait and time out on dhcp, giving themselves a 168.x.x.x addy
    From the router side, I can see the dhcp request on the correct vlan hitting the correct dhcp pool.
    The router hands out a valid ip address and associates it to the correct wireless devices Mac-Address
    But as I said the client times out waiting for the dhcp address.
    Now the kicker here is that the very same iPad and smart phone CAN connect to the guest ssid at 1441NY which is also hosted off the same 5508 at WHQ.
    The only difference I see is the WAP model and the network addresses I hand out at each location.
    To the best of my ability I have double checked my router/switch and controller/WAP configurations against each site to make sure there is a mirror in place.
    Any ideas?
    SR 617433573

    dmantill,
    Good morning and thank you for linking in the pdf.
    I read it and hit several of the hyperlinks included in the pdf.
    While I found the information useful and informative overall I did not really see anything that explained or covered the issue I am encountering.
    I have a SR open now and the TAC engineer wants me to capture some debugs on the client mac. Once I can get the local tech onsite again we will perform the connection attempt with the debugging enabled.
    FYI this is what the engineer wants to see.
    Here is the information that I need to see when the problem occurs:
    Disable/Disconnect the wireless client from the network – wait 1-2 mins
    Open Telnet/SSH session to the WLC CLI - (Use Putty/SecureCRT with logging enabled)
    type: Debug client
    Turn the wireless device back on and let it authenticate/associate to the wireless network.  Once the client experiences the problem, disable the debug process using the command: 
    debug disable-all
    Filename: DebugClient.TXT

  • IP-MAC Binding for WLC-5508

    Hello!
    I am having problem in configuring wlc 5508, in a security option i applied mac-filtering and it works fine.
    Now I need to configure ip-mac address binding, i tried both with gui and cli method but it is not working. While configuring mac-filtering on gui there is a option to define ip address, after defining xx.xx.xx.xx ip address for device xx it is not peaking particular ip from the pool.  
    mac-filtering is still working with out issue.
    Also tried with cli.....
    Looking through the configuration guide i tried every possible ways but couldn't get any resolution.
    mac-binding, mac-filtering is enable,
    What will be the possible causes of this?
    does it support mac-ip binding in its local database?
    I would be thankful in your any suggestions and advises!  
    Nikhil

    Thanks for reply David,
    Currently user are authenticate from mac address and we want IP-MAC base authentication in cisco 5508 controller.
    we are facing some problem that in stead of ip-mac pair only mac address is authenticate.
    can u guide me that how can i authenticate IP-MAC pair in cisco 5508 controller?
    or Is this possible on Cisco 5508 controller as it is showing ip address field in GUI option?
    i am waiting your reply.

  • WLC, ISE certificate authentication issue

    Hi Folks,
    This is the setup:
    Redundant pair of WLC 5508 (version 7.5.102.0)
    Redundant Pair of ISE (Version 1.2.0.899)
         The ISE servers are connected to the corporate Active Directory (the AD servers are configured as external identity sources)
         There is a rule based authentication profile which queries the AD identity source when it receives wireless 802.1x authentication requests.
    A corporate WLAN is configured on the WLC:
    L2 security WPA+WPA2 (AES Encryption), ISE server 1 and 2 configured as the AAA Authentication servers.
    This is all working correctly - I associate to the Corp WLAN (Authentication WPA2 enterprise, encryption AES CCMP, 802.1x auth MS-CHAPv2 using AD credentials) ... I can see the authentication request being processed correctly by the ISE, and I get access to the network.
    The client I am working for wants to restrict access to the WLAN to users who have been allocated a certificate from the corporate CA, and this is where I am having issues.
    I took a test laptop, and requested a new certificate (mmc, add snapin, certificates, current user, personal, request new cert).   
    The cert that was issued was signed only by a Corporate AD server with CA services (there is nothing in the certification path above the cert I was issued, apart from the issuing server itself).   I changed the security settings of my connection to the corp wlan (using TLS instead of mschapv2, and pointing to the certificate I requested)
    Initally authentication failed because the ISE did not trust the CA that provided my certificate (the ISE radius authentication troubleshooting tool had this entry: '12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain').
    I exported the issuing CA's root certificate (followed this process http://support.microsoft.com/kb/555252), and imported the cert into ISE (administration, system, certificates, certificate store, import) - status of the cert is enabled, and it is trusted for client auth.
    After I did this, I could no longer associate to the Corp WLAN.  
    My laptop's wireless management software logs were filled with messages saying that the authentication server did not respond.   
    The ISE troubleshooting tool reported no new failed or successful authentication attempts.   
    Strangely though, the WLC log had a lot of entries like this: 'AAA Authentication Failure for UserName:host/laptop_asset_tag.corp.com User Type: WLAN USER'.
    It looks like the WLC is trying to locally authenticate my session when I use TLS, rather than hand off the authentication request to the ISE.    Other users who authenticate using their AD credentials only (as I described above) can still authenticate ok.
    Anyone able to shed some light on where I have gone wrong or what additional troubleshooting I can do?
    Thanks in advance,
    Darragh

    Hi,
    I had the same issue with microsoft CA and running ISE 1.1.4. The CA file was "corrupted", but you didn't see it at first glance. You can verify if the client CA matches the root CA via openssl.
    Try to export the root CA and the issuing CA in a different format (Base64), import both root and issuing into ise and check if that works. Also check if "Trust for client authentication or Secure Syslog services" in the Certificate Store -> CA -> Edit, is set.
    If this does not work, try to import the CA into another system and export it, then import into ISE.
    Regards,

Maybe you are looking for