WLC + ACS (RADIUS) + MS-AD

Hi!
I have been looking around if there is a way to authenticate users against a MS-AD database from a non-controlled wireless client.
My design includes a WLC 4400, an ACS 5.4 and MS-AD 2003.
The goal is to connect a client without any special configuration (in the client); the SSID will be visible, so I just want to join the network and, after the negotiation, it should prompt me for a username and password for the Microsoft database.
I have read there are limitations setting this up just with WLC and MS-AD; that's why I want to use RADIUS (ACS), so I can establish a trusted communication between the ACS and MS-AD. But so far, I have only found documentation where they modify the native supplicant to validate a CA and force MSCHAPv2.
Thanks in advance for any help.

Check out the doc below
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml

Similar Messages

  • Migrate WPA2 to ACS RADIUS

    Hello Guys Again me I hope you can help me as well
    I'm working with five SSIDs; they're using WPA2 with PSK. I want to migrate to 802.1x authentication, so I'm going to set up an ACS RADIUS.
    I have some remote offices and they're working with WPA2 and PSK.
    My question is: what happens if I migrate these SSIDs to 802.1x? Will my remote users be able to join the SSID? And what happens if my RADIUS goes down? Right now, if my WLC goes down my remote APs still work and accept new clients. But if I change this authentication method, will they keep working as they do now?
    And what happens with my local users if my RADIUS goes down?
    Thank you everyone

    Dear Scott, as well I really appreciate your help, and Abhishek.
    One more question. I'm really concerned about this migration. Right now I have a WLC 4402 with 1131AG APs; these APs have IOS version 12.4(3g)JA and are working as LWAPP. I found this matrix on the Cisco page.
    http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html
    My new 5508 has version 7.2.103; that matrix says I need as a minimum 12.4(25e)JA, so I'm not sure if I need to upgrade the IOS version on my APs.
    I was reading the 7.2 configuration text for the 5508, and in one part the text says this:
    The WGB can be any autonomous access point that supports the workgroup bridge mode and is running Cisco IOS Release 12.4(3g)JA or later releases (on 32-MB access points) or Cisco IOS Release 12.3(8)JEB or later releases (on 16-MB access points). These access points include the AP1120, AP1121, AP1130, AP1231, AP1240, and AP1310. Cisco IOS releases prior to 12.4(3g)JA and 12.3(8)JEB are not supported.
    I know it is talking about WGB, but can I read between the lines that AP IOS version 12.4(3g)JA should have no problem joining the new controller?
    This part of the document makes me guess I don't have to do anything.
    Thanks!!

  • FWSM user and administrator multi-contexts authentication under ACS radius

    Hi,
    I’m preparing the setup of an ACS radius server for FWSM-related authentication operations.
    FWSMs will be in release 2.2, inserted in Catalyst 6500 (MSFC – IOS), in routed mode, in multi-switch active / standby setup, with multiple contexts configured.
    User and administrator access management will be performed thanks to a radius ACS server.
    I intend to install ACS onto an armored windows 2000 server SP4 , using a local database.
    PDM 4.0 is needed in order to manage multiple-contexts on FWSMs.
    Are there any points I should be aware about such a configuration, especially regarding the user and administrator authentication access management setup ?
    The fact is that administrators will have to be defined and restricted to their own context, without privileges onto other contexts. Do you have feedback about such a setup or relevant information to point to me ?
    Many thanks in advance for your attention.
    Best regards,
    Arnaud

    Each of the contexts will behave like an individual firewall for your purposes here. So, they each get an AAA config, and you could put them into their own groups for access control. Protect the Admin context especially well; it controls system resources for the others. Depending on how many FWSMs you have, you may want to look into the PIX MC, which is similar to PDM but works for multiple FWSMs. It is a part of CiscoWorks VMS.
    -Paul

  • WLC and RADIUS authentication

    We have deployed Cisco Airspace AP with Wireless LAN Controllers (4400).
    Currently we have the WLC authenticating using radius to ACS version 4.01 servers.
    Unfortunately, when the primary ACS gets rebooted all the authentication requests go to the secondary server, which in effect is fine, but when the primary comes back up the authentications continue to go to the secondary server.
    Is there no round-robin feature to enable on the WLC so that it detects that the primary is back up and continue to authenticate to that server ?

    I have not seen a way yet except by using a CSS to front-end the ACS servers (mainly done for load-balancing purposes actually). I am also curious if there is an option, as I have been through most web pages many times. Maybe it's buried in the command line.
    -Eric
    Please remember to rate all helpful posts.

  • WLC and Radius that only speaks PAP.

    Hi, I have a customer with a WLC 2500 controller and a guest solution with a RADIUS server that only supports PAP authentication to the RADIUS client (WLC). How can I make the WLC talk PAP to the RADIUS server? It looks like the controller uses MS-CHAPv2 by default.
    Regards 
    Tom C.

  • WLC - ACS TACACS+ mismatched shared secret

    Hello,
    I configured TACACS+ authentication on WLC 5.0.235.3 for management login.
    On ACS 5.1.0.44 I get the message
    "13011 invalid tacacs+ request packet - possibly mismatched shared secrets"
    after login.
    I compared the shared secrets (blanks) or created new secrets, the message still appears.
    Some ideas?
    Regards, Sven

    Hello David,
    WLC Version is 7.0.235.3, sorry.
    Authentication on WLC and ACS use TACACS not Radius.
    On ACS:
    Authentication Result
    Type=Drop
    Authen-Reply-Status=Error
    Steps
    Received TACACS Authentication START Request
    Invalid TACACS request packet - possibly mismatched shared secrets
    Output from WLC:
    (Cisco Controller) >debug aaa tacacs enable
    (Cisco Controller) >*tplusTransportThread: Feb 06 11:37:46.720: Exhausted all available servers for Auth/Author packet
    *tplusTransportThread: Feb 06 11:53:34.728: Forwarding request to 10.54.159.11 port=49
    *tplusTransportThread: Feb 06 11:53:34.732: AUTH Socket closed underneath
    *tplusTransportThread: Feb 06 11:53:39.948: No auth response from: 10.54.159.11, retrying with next server
    *tplusTransportThread: Feb 06 11:53:39.948: Preparing message for retransmit. Decrypting first
    *tplusTransportThread: Feb 06 11:53:39.948: Forwarding request to 10.54.159.12 port=49
    *tplusTransportThread: Feb 06 11:53:39.951: AUTH Socket closed underneath
    *tplusTransportThread: Feb 06 11:53:45.164: No auth response from: 10.54.159.12, retrying with next server
    *tplusTransportThread: Feb 06 11:53:45.164: Preparing message for retransmit. Decrypting first
    *tplusTransportThread: Feb 06 11:53:45.164: Forwarding request to 10.54.159.11 port=49
    *tplusTransportThread: Feb 06 11:53:45.166: AUTH Socket closed underneath
    *tplusTransportThread: Feb 06 11:53:50.380: Exhausted all available servers for Auth/Author packet
    (Cisco Controller) >*tplusTransportThread: Feb 06 11:55:55.564: Forwarding request to 10.54.159.11 port=49
    *tplusTransportThread: Feb 06 11:55:55.566: AUTH Socket closed underneath
    *tplusTransportThread: Feb 06 11:56:00.780: No auth response from: 10.54.159.11, retrying with next server
    *tplusTransportThread: Feb 06 11:56:00.780: Preparing message for retransmit. Decrypting first
    *tplusTransportThread: Feb 06 11:56:00.780: Forwarding request to 10.54.159.12 port=49
    *tplusTransportThread: Feb 06 11:56:00.783: AUTH Socket closed underneath
    *tplusTransportThread: Feb 06 11:56:05.996: No auth response from: 10.54.159.12, retrying with next server
    *tplusTransportThread: Feb 06 11:56:05.996: Preparing message for retransmit. Decrypting first
    *tplusTransportThread: Feb 06 11:56:05.996: Forwarding request to 10.54.159.11 port=49
    *tplusTransportThread: Feb 06 11:56:05.998: AUTH Socket closed underneath
    (Cisco Controller) >show tacacs ?
    acct           TACACS+ accounting server.
    athr           TACACS+ authorization server.
    auth           TACACS+ authentication server.
    summary        Displays TACACS+ summary.
    (Cisco Controller) >show tacacs summary
    Authentication Servers
    Idx  Server Address    Port    State     Tout
    1    10.54.159.11      49      Enabled   5
    2    10.54.159.12      49      Enabled   5
    Authorization Servers
    Idx  Server Address    Port    State     Tout
    Accounting Servers
    Idx  Server Address    Port    State     Tout
    (Cisco Controller) >show tacacs auth ?
    statistics     Displays TACACS+ authentication server statistics.
    (Cisco Controller) >show tacacs auth stat
    Authentication Servers:
    Server Index..................................... 1
    Server Address................................... 10.54.159.11
    Msg Round Trip Time.............................. 0 (msec)
    First Requests................................... 24
    Retry Requests................................... 0
    Accept Responses................................. 0
    Reject Responses................................. 0
    Error Responses.................................. 0
    Restart Responses................................ 0
    Follow Responses................................. 0
    GetData Responses................................ 0
    Encrypt no secret Responses...................... 0
    Challenge Responses.............................. 0
    Malformed Msgs................................... 0
    Bad Authenticator Msgs........................... 0
    Timeout Requests................................. 24
    Unknowntype Msgs................................. 0
    Other Drops...................................... 0
    Server Index..................................... 2
    --More-- or (q)uit
    Server Address................................... 10.54.159.12
    Msg Round Trip Time.............................. 0 (msec)
    First Requests................................... 0
    Retry Requests................................... 0
    Accept Responses................................. 0
    Reject Responses................................. 0
    Error Responses.................................. 0
    Restart Responses................................ 0
    Follow Responses................................. 0
    GetData Responses................................ 0
    Encrypt no secret Responses...................... 0
    Challenge Responses.............................. 0
    Malformed Msgs................................... 0
    Bad Authenticator Msgs........................... 0
    Timeout Requests................................. 24
    Unknowntype Msgs................................. 0
    Other Drops...................................... 0

  • WLC log RADIUS server failed to respond to request

    I keep getting the same couple of MACs failing. I was hoping somebody has more insight about this? The RADIUS server is pingable from the WLC. People are authenticating. Please let me know what log I should provide. Thank you in advance.
    Thu Feb 20 16:22:06 2014
    RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 78) for client 3c:a9:f4:42:11:a0 / user 'unknown'
    3
    Thu Feb 20 16:22:06 2014
    RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 77) for client 24:77:03:20:78:d0 / user 'unknown'
    4
    Thu Feb 20 16:22:06 2014
    RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 76) for client 24:77:03:d0:bd:b4 / user 'unknown'
    5
    Thu Feb 20 16:22:00 2014
    RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 75) for client 24:77:03:26:86:7c / user 'unknown'
    6
    Thu Feb 20 16:21:59 2014
    RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 74) for client 24:77:03:20:78:d0 / user 'unknown'
    7
    Thu Feb 20 16:21:59 2014
    RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 73) for client 3c:a9:f4:42:11:a0 / user 'unknown'
    8
    Thu Feb 20 16:21:59 2014
    RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 72) for client a0:82:1f:d8:24:02 / user 'unknown'

    You should look at the ACS logs as that will give you a better idea of the failure.
    Sent from Cisco Technical Support iPhone App
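As an added example, not part of this thread, here is a small Python parser for WLC "failed to respond" messages like the ones above. It reads constructed lines in the same format (the server address and MACs are made up), counts failures per server and per client MAC, and reports whether the failures are concentrated on a few clients or spread across many, which is worth knowing before going to the ACS logs as suggested. Function names are the example's own.

```python
"""Parse WLC 'RADIUS server ... failed to respond' log lines and summarize
which servers and which client MACs are affected (added example, not the
thread's or Cisco's code)."""
import re
from collections import Counter

LOG_RE = re.compile(
    r"RADIUS server (?P<server>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) failed to respond "
    r"to request\s+\(ID (?P<rid>\d+)\) for client "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) / user '(?P<user>[^']*)'",
    re.IGNORECASE,
)

# Constructed sample lines in the WLC message format (addresses and MACs are made up)
SAMPLE_LOG = """\
Thu Feb 20 16:22:06 2014 RADIUS server 10.0.0.5:1812 failed to respond to request  (ID 78) for client 02:00:00:00:00:01 / user 'unknown'
Thu Feb 20 16:22:06 2014 RADIUS server 10.0.0.5:1812 failed to respond to request  (ID 77) for client 02:00:00:00:00:02 / user 'unknown'
Thu Feb 20 16:22:00 2014 RADIUS server 10.0.0.5:1812 failed to respond to request  (ID 75) for client 02:00:00:00:00:01 / user 'unknown'
Thu Feb 20 16:21:59 2014 RADIUS server 10.0.0.5:1812 failed to respond to request  (ID 74) for client 02:00:00:00:00:02 / user 'unknown'
Thu Feb 20 16:21:59 2014 RADIUS server 10.0.0.5:1812 failed to respond to request  (ID 73) for client 02:00:00:00:00:01 / user 'unknown'
Thu Feb 20 16:21:59 2014 RADIUS server 10.0.0.5:1812 failed to respond to request  (ID 72) for client 02:00:00:00:00:03 / user 'unknown'
this line is not a RADIUS timeout message and is ignored
"""


def parse_failures(text):
    """Return one dict per matching line; lines in any other format are skipped."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        out.append({
            "server": m.group("server"),
            "port": int(m.group("port")),
            "rid": int(m.group("rid")),        # RADIUS packet identifier from the log
            "mac": m.group("mac").lower(),     # normalize case so counts merge
            "user": m.group("user"),
        })
    return out


def summarize(failures, repeat_threshold=2):
    """Per-server and per-MAC counts, the MACs failing repeatedly, and whether
    the failures are 'concentrated' on repeat offenders or 'spread' out."""
    per_mac = Counter(f["mac"] for f in failures)
    per_server = Counter(f"{f['server']}:{f['port']}" for f in failures)
    repeaters = {mac: n for mac, n in per_mac.items() if n >= repeat_threshold}
    total = sum(per_mac.values())
    repeated = sum(repeaters.values())
    if total == 0:
        pattern = "no-data"
    elif 2 * repeated >= total:   # at least half of the failures come from repeat offenders
        pattern = "concentrated"
    else:
        pattern = "spread"
    return {"per_server": dict(per_server), "per_mac": dict(per_mac),
            "repeat_offenders": repeaters, "pattern": pattern}


if __name__ == "__main__":
    for key, value in summarize(parse_failures(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

A "concentrated" result points at the listed clients (or the APs they sit on); a "spread" result over many MACs against one server address is more consistent with the server or the path to it, and the ACS side logs then show whether the requests ever arrived.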

  • Dot1x - WLC - ACS - Windows profiling

    Hello,
    Does anyone have any experience with the following setup:
    We want users to authenticate through dot1x with their Windows credentials. The RADIUS server for dot1x will be ACS, which uses a Windows DC for authentication. Then we would like the ACS to grab a role based on DC OU, group, etc. and send that back to the WLC for profiling?
    Sounds crazy I know but I think it can be done with an ISE server but we don't want to buy that if we don't have to. Can this be possible with just ACS?
    Thanks!

    OK, we can do something with that, easily enough.
    On your ACS you need to build a group for IT; in its AAA attributes you want to return 64/65/81 VLAN/802/<vlan ID>.
    Rinse and repeat for the other groups.
    On the WLC, you need to create the VLAN interfaces and set the WLAN to have AAA override enabled.
    Now when a user gets authenticated, the ACS will pass back the attributes to assign the user to the appropriate VLAN.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#Rserver1
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered
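As an added example, not from this thread or from Cisco, the Python below builds the three RADIUS tunnel attributes Steve lists (64 Tunnel-Type = VLAN, 65 Tunnel-Medium-Type = IEEE 802, 81 Tunnel-Private-Group-ID = VLAN ID, encoded as RFC 2868 and RFC 3580 describe) and decodes them back the way a NAS would, accepting the VLAN only when all three attributes agree. It is useful for checking what an Access-Accept actually carries in a capture before suspecting the WLC side. Function and constant names are the example's own.

```python
"""Encode and decode the RADIUS tunnel attributes 64/65/81 used for dynamic
VLAN assignment (added example; attribute numbers and values per RFC 2868
and RFC 3580, not the thread's own code)."""
import struct

TUNNEL_TYPE = 64              # Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65       # Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81  # Tunnel-Private-Group-ID
TUNNEL_TYPE_VLAN = 13         # RFC 3580: Tunnel-Type value meaning "VLAN"
MEDIUM_IEEE_802 = 6           # RFC 2868: Tunnel-Medium-Type value for IEEE 802


def _avp(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1) Value; Length includes the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", attr_type, len(value) + 2) + value


def _tagged_int(tag, number):
    """Tagged-integer form used by 64 and 65: one tag byte plus a 3-byte integer."""
    return bytes([tag]) + number.to_bytes(3, "big")


def encode_vlan_attributes(vlan_id, tag=1):
    """Return the three attributes an Access-Accept carries to assign `vlan_id`."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    return (
        _avp(TUNNEL_TYPE, _tagged_int(tag, TUNNEL_TYPE_VLAN))
        + _avp(TUNNEL_MEDIUM_TYPE, _tagged_int(tag, MEDIUM_IEEE_802))
        + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    )


def parse_avps(data):
    """Walk a run of attributes; reject truncated or self-inconsistent lengths."""
    out, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[offset], data[offset + 1]
        if length < 2 or offset + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[offset + 2:offset + length]))
        offset += length
    return out


def extract_vlan(data):
    """VLAN ID the NAS would apply, or None if the attribute set is inconsistent.

    Only a tag group whose Tunnel-Type is VLAN and Tunnel-Medium-Type is IEEE 802,
    with a numeric Tunnel-Private-Group-ID in 1..4094, is accepted.
    """
    groups = {}
    for attr_type, value in parse_avps(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tunnel integer attribute must be 4 bytes")
            tag, number = value[0], int.from_bytes(value[1:], "big")
            groups.setdefault(tag, {})[attr_type] = number
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte <= 0x1F is a tag; anything larger is string data
            if value and value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            groups.setdefault(tag, {})[attr_type] = text.decode("ascii", "replace")
    untagged_gid = groups.get(0, {}).get(TUNNEL_PRIVATE_GROUP_ID)
    for tag, attrs in groups.items():
        gid = attrs.get(TUNNEL_PRIVATE_GROUP_ID, untagged_gid)
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == MEDIUM_IEEE_802
                and gid is not None and gid.isdigit() and 1 <= int(gid) <= 4094):
            return int(gid)
    return None


if __name__ == "__main__":
    pkt = encode_vlan_attributes(100)
    print(pkt.hex(), "->", extract_vlan(pkt))
```

Even with these attributes correct, the WLC applies them only when the WLAN has AAA override enabled and an interface for that VLAN exists, as the reply above notes; the decoder tells you which side to look at.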

  • WLC AAA RADIUS to ISE - Multiple Domains in Single Forest

    I am currently having a problem configuring AAA for management access to our wireless controllers.
    Our active directory structure is as below: (note all domains are part of the same forest and full trusts between the domains)
    Root Domain
    Americas domain                UK Domain              EU Domain            APAC Domain
    Because of the multiple domains that exist, when admins log in they need to use their full UPN ([email protected]), since just using the username will only authenticate against the Root Domain and there may be duplicate usernames between the domains.
    I can't even see the RADIUS request hitting ISE, and I found out that this is due to a 24-character limit on the username field on the WLCs.
    I don't have this issue with other IOS-based devices.
    I could just create some admin accounts in the root domain, but the problem is that lobby admin staff also need to authenticate and they will run into the same issue.
    Don't know if someone has any suggestions for a possible workaround?

    http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_45_multiple_active_directories.pdf

  • WLC 5508 Radius accounting issue

    I have a WLAN configured with 802.1x PEAP pointing to an external RADIUS server.  It works fine for the most part, but I'm having problem closing accounting sessions in RADIUS.  I've found this is related to the client table in the WLC.  The user session does not end in RADIUS unless the WLC officially removes the client from the db, which takes 5-6 minutes from what I can see (probably due to the default idle timeout of 300 seconds). 
    For example:
    1.  I connect my tablet to the test WLAN.  It associates and authenticates successfully and the WLC sends the accounting info to my RADIUS server, opening up a user session.  If I turn off the wifi in the tablet, the client entry stays in the WLC client table until it times out.  The WLC removes my tablet from the client table after 5-6 minutes, and then the session closes in the accounting table.  I can force the session to close much earlier by manually removing the client from the WLC.
    2.  Same as #1, but this time instead of turning off the wifi in the tablet, I choose to connect to a different WLAN in the WLC.  The user session in the accounting DB never closes.  If I reconnect back to the original test WLAN with 802.1x, it opens up yet another user session in RADIUS accounting.  Now I have a "dead" user session in accounting that is going to be open forever unless I delete it from SQL.
    Is this an issue with the end user client not sending the disassociation frame properly, or a config problem with the WLC?  How can I make it so that every time a client drops from an AP or moves to a different WLAN, the WLC would immediately send accounting updates to my RADIUS server and close the user session properly?
    Thanks,
    Wil

    Well like you said, the WLC will keep the client in the DB until the idle timer expires. This is normal and I don't think you will be able to change this unless you set the idle timer to a lower value.
    Sent from Cisco Technical Support iPhone App
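As an added example, not part of this thread, the Python below reconciles a constructed set of RADIUS accounting rows (simplified columns, not any vendor's table layout) and lists sessions that have a Start but no Stop, either because a newer Start for the same station superseded them (Wil's case 2) or because no record has arrived within the idle timeout (case 1). The row layout, session IDs and function names are assumptions of the example.

```python
"""Find RADIUS accounting sessions left open without a Stop (added example;
the rows below are constructed, not real accounting data)."""
from datetime import datetime, timedelta

# Constructed sample rows:
# (timestamp, Acct-Status-Type, Acct-Session-Id, User-Name, Calling-Station-Id)
SAMPLE_ROWS = [
    ("2014-02-20 16:00:00", "Start",          "s-0001", "alice", "00:11:22:33:44:55"),
    ("2014-02-20 16:03:10", "Interim-Update", "s-0001", "alice", "00:11:22:33:44:55"),
    ("2014-02-20 16:05:00", "Stop",           "s-0001", "alice", "00:11:22:33:44:55"),
    ("2014-02-20 16:01:00", "Start",          "s-0002", "bob",   "66:77:88:99:aa:bb"),
    # bob moved to another WLAN and came back: a new Start, the old session never got a Stop
    ("2014-02-20 16:09:00", "Start",          "s-0003", "bob",   "66:77:88:99:aa:bb"),
    # carol just connected; too recent to be called stale
    ("2014-02-20 16:20:00", "Start",          "s-0004", "carol", "cc:dd:ee:ff:00:11"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_stale_sessions(rows, now, idle_timeout_s=300):
    """Sessions with a Start and no Stop that are either superseded by a newer
    Start for the same station, or have had no record for longer than the idle
    timeout (300 s, the WLC default mentioned in the thread, is assumed).
    `now` is a timestamp string in the same format as the rows.
    Returns sorted (session_id, user, reason) tuples."""
    now_t = _parse(now)
    idle = timedelta(seconds=idle_timeout_s)
    sessions, newest_start = {}, {}
    for ts, status, sid, user, station in rows:
        t = _parse(ts)
        s = sessions.setdefault(
            sid, {"user": user, "station": station, "start": None, "stop": None, "last": t})
        s["last"] = max(s["last"], t)          # most recent record of any type
        if status == "Start":
            s["start"] = t
            if station not in newest_start or t > newest_start[station][0]:
                newest_start[station] = (t, sid)
        elif status == "Stop":
            s["stop"] = t
    stale = []
    for sid, s in sessions.items():
        if s["start"] is None or s["stop"] is not None:
            continue                            # never started, or closed properly
        superseded = newest_start[s["station"]][1] != sid
        aged_out = now_t - s["last"] > idle
        if superseded:
            stale.append((sid, s["user"], "superseded"))
        elif aged_out:
            stale.append((sid, s["user"], "idle"))
    return sorted(stale)


if __name__ == "__main__":
    for sid, user, reason in find_stale_sessions(SAMPLE_ROWS, "2014-02-20 16:22:00"):
        print(f"{sid} ({user}): {reason}")
```

Running this periodically against the accounting table, with the idle timeout set to whatever the WLC actually uses, gives a list of sessions that can be closed administratively instead of waiting for them to pile up.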

  • ASA to ACS Radius - restrict by group

    Hi Everyone, this may not be the correct forum for this, but since it relates to the ASA...
    So we currently use RADIUS to authenticate users accessing our AnyConnect access... the thing is, with everything working, we want to restrict the access to only members of a specified AD group, "VPN Users". 
    So, I'm trying to figure out whether that restriction goes into the RADIUS on ACS or whether there is a setting in the ASA to restrict it...
    Can someone point me in the right direction?  (And no, I don't want to change to LDAP authentication).
    Ken

    I guess this should be possible with a feature called NAP (network access profiles). Here you can define which database to use for any specific request. We can filter requests on the basis of attributes sent in the authentication request.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NAPs.html
    Regards,
    ~JG

  • Cisco WLC + ACS + AD for Machine AND User auth...

    So I am trying to implement an SSID that requires a machine to be a domain member, AND require the user to provide username/password credentials before being allowed on that SSID.
    I am reading that it is possible, but can't find a clear config on how it is supposed to be setup... read about Machine Access Restrictions as being part of the config.
    Any help here?
    WLC 7.6 and ACS 5.5
    -g

    We are testing ISE with EAP chaining. It allows you to validate that the company device (laptop) is joined to the domain and then the user credentials. However, this requires EAP-FAST and the Cisco AnyConnect client. There is a group set up to look at EAP-TEAP. This will allow for standardized "chaining".
    http://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-01#page-5

  • ACS Radius + Peap + MSChapV2

    I am using a wireless setup
    Aironet 1100, ACS 4.0, 3rd party Client adapter
    I am able to connect to my wireless network by keying in username&pass created on the ACS user setup. Also by using a self signed certificate from the ACS.
    Doubts: In ACS logs - Radius accounting is empty.
    Failed attempts.csv shows "Authen failed, EAP-TLS or PEAP authentication failed during SSL handshake"
    But i am able to authenticate my users successfully into the wireless network. What went wrong?

    Hi
    Try enabling the Passed Authentications report and see what's in there. It could be that the failure is perhaps purely transient and rectified by a subsequent attempt.
    For example a re-key authentication requires SSL state on the ACS, it could be that the supplicant and ACS have to revert to performing a full authentication.
    I'm guessing, but it is entirely possible to have entries in the failed attempts and still get access.
    Darran

  • WLC with Radius

    Does somebody know the steps to configure the WLC 2100 with a Microsoft RADIUS server for authentication?

    TechRepublic has a white paper for setting up 802.1x with IAS.
    The following would be a good starting point. The actual setup of RADIUS is fairly straightforward.
    Add the AAA server.
    Specify 802.1x in the WLAN and point to the RADIUS server.
    http://whitepapers.techrepublic.com.com/webcast.aspx?&docid=128588&promo=100511

  • Local Webauth WLC using radius database

    Hi all,
    I was implementing local webauth on the WLC, not using local auth; I use a RADIUS database.
    At least I tried to add on my WLAN:
    layer 3 web auth  authentication
    layer 2 security is WPA/WPA2 PSK
    adding aaa radius server
    aaa radius "network user" check list  enabled
    web auth priority order
    radius
    LDAP
    After I test the WLAN, I can't log in using the RADIUS database.
    But if I implement the security method WPA/WPA2 dot1x, I can log in using the RADIUS database.
    Is there anything missing in my config for implementing the webauth method?
    Thanks
    ridho

    Are you trying to use LDAP or RADIUS to authenticate the webauth users? Since you have 802.1x working, I don't see why you would use LDAP. What RADIUS server are you using also? Typically if you're using Microsoft IAS or NPS, you have to change the device type to Login to get webauth with RADIUS to work. Here is an example of 3 ways to authenticate webauth users. You should be able to find others out there also.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml
    Sent from Cisco Technical Support iPhone App
