WLC and RADIUS authentication
We have deployed Cisco Airespace APs with Wireless LAN Controllers (4400).
Currently we have the WLC authenticating using RADIUS to ACS version 4.01 servers.
Unfortunately, when the primary ACS gets rebooted all the authentication requests go to the secondary server, which in effect is fine, but when the primary comes back up the authentications continue to go to the secondary server.
Is there no round-robin feature to enable on the WLC so that it detects that the primary is back up and continues to authenticate to that server?
I have not seen a way yet except by using a CSS to front-end the ACS servers (mainly done for load-balancing purposes, actually). I am also curious if there is an option, as I have been through most web pages many times. Maybe it's buried in the command line.
-Eric
Please remember to rate all helpful posts.
Similar Messages
-
WLC and RADIUS that only speaks PAP.
Hi, I have a customer with a WLC 2500 controller and a guest solution with a RADIUS server that only supports PAP authentication from the RADIUS client (WLC). How can I make the WLC talk PAP to the RADIUS server? It looks like the controller uses MS-CHAPv2 by default.
Regards
Tom C. -
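The two threads above ask about the same client-side mechanics: how a NAS decides a RADIUS server is dead, when it goes back to the primary, and what a PAP Access-Request actually carries. The following is an added example written for this page, not code from the original posts or from Cisco: a minimal RFC 2865 PAP client with primary/secondary failover and an active fallback probe. A server that times out is sidelined for dead_time seconds; the primary is used again as soon as a probe to it gets any valid reply (an Access-Reject for the probe user is enough). The transport is injected, so the constructed FakeRadiusServer stands in for ACS and the whole thing runs offline; the secret, usernames and addresses are made up.

```python
"""RFC 2865 PAP Access-Request client with primary/secondary failover and active fallback.
Added example, not code from the original threads. A server that times out is sidelined for
dead_time seconds; the primary is used again once a probe gets any valid reply. The transport
is injected, so the constructed FakeRadiusServer stands in for ACS and this runs offline."""
import hashlib, hmac, os, struct, time

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def password_xor(data, secret, authenticator, hiding):
    """RFC 2865 5.2: 16-byte blocks XORed with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out

def attr(kind, value):
    return bytes([kind, len(value) + 2]) + value

def parse_attrs(packet):
    attrs, pos, length = {}, 20, struct.unpack("!H", packet[2:4])[0]
    while pos < length:
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs

def build_access_request(ident, secret, username, password, nas_ip, authenticator):
    """Only User-Password is hidden; User-Name and NAS-IP-Address travel in the clear."""
    padded = password + b"\x00" * (-len(password) % 16)          # pad to a 16-byte multiple
    body = (attr(USER_NAME, username)
            + attr(USER_PASSWORD, password_xor(padded, secret, authenticator, True))
            + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def verify_response(resp, request_authenticator, secret):
    """Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    length = struct.unpack("!H", resp[2:4])[0]
    expected = hashlib.md5(resp[:4] + request_authenticator + resp[20:length] + secret).digest()
    return hmac.compare_digest(resp[4:20], expected)

class FakeRadiusServer:
    """Constructed stand-in for a RADIUS server; up=False models a timeout (no reply at all)."""
    def __init__(self, secret, users, up=True):
        self.secret, self.users, self.up = secret, users, up

    def __call__(self, packet):
        if not self.up:
            return None
        ident, request_auth, attrs = packet[1], packet[4:20], parse_attrs(packet)
        given = password_xor(attrs[USER_PASSWORD], self.secret, request_auth, False).rstrip(b"\x00")
        code = ACCESS_ACCEPT if self.users.get(attrs[USER_NAME]) == given else ACCESS_REJECT
        head = struct.pack("!BBH", code, ident, 20)
        return head + hashlib.md5(head + request_auth + self.secret).digest()

class FailoverClient:
    def __init__(self, servers, secret, transport, dead_time=60.0, clock=time.monotonic):
        self.servers, self.secret, self.transport = list(servers), secret, transport
        self.dead_time, self.clock, self.ident = dead_time, clock, 0
        self.dead_until = {s: 0.0 for s in servers}

    def _send(self, server, username, password):
        """Returns (alive, accepted); a timeout, wrong ID or bad authenticator is 'not alive'."""
        self.ident = (self.ident + 1) & 0xFF
        ra = os.urandom(16)
        req = build_access_request(self.ident, self.secret, username, password, "10.0.0.1", ra)
        resp = self.transport(server, req)
        if resp is None or resp[1] != self.ident or not verify_response(resp, ra, self.secret):
            return False, False
        return True, resp[0] == ACCESS_ACCEPT

    def authenticate(self, username, password):
        now = self.clock()
        for server in self.servers:                      # configured order: primary first
            if self.dead_until[server] > now:
                continue                                 # skipped until its dead window expires
            alive, accepted = self._send(server, username, password)
            if alive:
                return server, accepted
            self.dead_until[server] = now + self.dead_time
        raise RuntimeError("no RADIUS server answered")

    def probe_dead_servers(self, probe_user, probe_password):
        """Active fallback: an Access-Reject for the probe user still proves the server is back."""
        revived = []
        for server in self.servers:
            if self.dead_until[server] > self.clock() and self._send(server, probe_user, probe_password)[0]:
                self.dead_until[server] = 0.0
                revived.append(server)
        return revived

def demo():
    """Primary dies, traffic moves to the secondary and stays there until a probe revives it."""
    secret, users = b"s3cret", {b"alice": b"Wlc-pass"}
    pool = {"primary": FakeRadiusServer(secret, users), "secondary": FakeRadiusServer(secret, users)}
    client = FailoverClient(["primary", "secondary"], secret, lambda srv, pkt: pool[srv](pkt),
                            dead_time=60.0, clock=lambda: 1000.0)
    trace = [client.authenticate(b"alice", b"Wlc-pass")]
    pool["primary"].up = False
    trace.append(client.authenticate(b"alice", b"Wlc-pass"))
    pool["primary"].up = True
    trace.append(client.authenticate(b"alice", b"Wlc-pass"))      # still parked on the secondary
    trace += [client.probe_dead_servers(b"radius-health", b"probe"),
              client.authenticate(b"alice", b"Wlc-pass"), client.authenticate(b"alice", b"wrong")]
    return trace
```

The third authenticate call in demo() is the behaviour the first thread complains about: without a probe the client only returns to the primary when the dead window expires and a real user request happens to be tried against it. Note also what build_access_request leaves readable on the wire (User-Name, NAS-IP-Address, the whole reply); only the 16-byte MD5 keystream over User-Password depends on the shared secret, which is why PAP over RADIUS should not leave a trusted segment without IPsec or RadSec.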
We keep getting the following error, and every time we get it the clients are forced to re-authenticate.
Any idea?
Thanks,
RADIUS server 10.108.32.33:1812 activated on WLAN 1
RADIUS server 10.140.4.9:1812 deactivated on WLAN 1
Go to Clients. Look up the client by MAC address and look at the PEM state. It will tell you why the client is failing:
DHCP_REQ is meaning there is a DHCP issue
8021x_REQ means it failed auth
You could also turn off client exclusion as a test; perhaps these clients are a little slow to authenticate.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection." -
Cisco WLC and Steel-Belted RADIUS
We have a Cisco WLC controller that has two SSIDs, one for users and one for guests.
We need the users on SSID 1 to take their user name and password from a user group in Active Directory through Steel-Belted RADIUS.
Please send me any integration guide between Cisco WLC and Steel-Belted RADIUS.
Regards
Hi Mohammad,
I am unaware of a specific Steel-Belted RADIUS integration guide for the WLCs; however, the configuration process on the controller will be the same:
Cisco WLC Configuration Guide 7.0 - Configuring RADIUS:
http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70sol.html#wp1388328
You may wish to contact your RADIUS vendor for additional configuration steps on the server.
Best,
Drew -
ISE 1.2 With WLC and AD
Hi everyone,
What are the steps and procedure to implement wired and wireless authentication with ISE, WLC and AD in a lab environment? Currently the following are done:
The wireless network is configured with 2 SSIDs (Staff and Guest).
Active Directory, DNS, DHCP, and NTP are configured and synced.
ISE and AD are running on C220 VMs, and the WLC is a 5760 appliance.
Please provide your thoughts and assistance.
Regards
You have to implement dot1x and RADIUS between your NAD and the ISE device.
Using a 3850 switch, these are the steps:
username RADIUS-HEALTH password radiusKey1 privilege 15
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
!this password will be used to communicate with ISE and to verify reachability
!between ISE and Switch
aaa server radius dynamic-author
client 172.16.1.18 server-key 7 radiuskey
client 172.16.1.20 server-key 7 radiuskey
ip domain-name lab.local
ip name-server 172.16.1.1
dot1x system-auth-control
interface GigabitEthernet1/0/3
switchport mode access
switchport voice vlan 50
switchport access vlan 10
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
ip access-list extended ACL-ALLOW
permit ip any any
!the comm between radius and ise will occur on these Port
ip radius source-interface Vlan100
logging origin-id ip
logging source-interface Vlan100
logging host 172.16.1.20 transport udp port 20514
logging host 172.16.1.18 transport udp port 20514
snmp-server community ciscoro RO
snmp-server community public RO
snmp-server trap-source Vlan100
snmp-server source-interface informs Vlan100
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
!defining ISE servers
radius server ISE-RADIUS-1
address ipv4 172.16.1.20 auth-port 1812 acct-port 1813
automate-tester username RADIUS-HEALTH idle-time 15
key radiusKey
Please be sure that NTP servers and time are synchronized.
Enable dot1x on the Windows machine, or use Cisco NAM.
You can enable debugging on AAA authentication to see the events.
You have to create this user on ISE (RADIUS-HEALTH).
3850#test aaa group radius username password new-code
and observe the result. You are supposed to have the user authenticated successfully.
You must also define these devices in ISE on the RADIUS side.
ip radius source-interface ..... use this interface's IP address to define the IP address of the NAD device in ISE.
Administration --> Network Resources --> Network Devices --> Add
Input the name.
Input the IP address for RADIUS communication.
Select the authentication settings and fill in the corresponding RADIUS shared secret.
Select SNMP settings and select version 2c.
SNMP community: ciscoro
You can customize the polling interval if you want, and that's all.
You are supposed to see communication messages between your NAD and ISE.
After that you can do the procedure for the WLC device.
I will fill it in after you have passed the first steps (3850 authentication). -
WLC + ACS (RADIUS) + MS-AD
Hi!
I have been looking around for a way to authenticate users against an MS-AD database from a non-managed wireless client.
My design includes a WLC 4400, an ACS 5.4 and MS-AD 2003.
The goal is to connect a client without any special configuration (on the client); the SSID will be visible, so I just want to join the network and, after the negotiation, it should prompt me for a username and password from the Microsoft database.
I have read there are limitations setting this up with just the WLC and MS-AD; that's why I want to use RADIUS (ACS), so I can establish a trust relationship between the ACS and MS-AD. But so far I have only found documentation where they modify the native supplicant to validate a CA and force MSCHAPv2.
Thanks in advance for any help.
Check out the doc below:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml -
I configured my Aironet 1262N autonomous AP to authenticate and account my users against a FreeRADIUS server. In the RADIUS server database, I saw some records like:
select username, acctauthentic, acctterminatecause, acctstarttime, acctstoptime from radacct where username='xxxxxx';
| username | acctauthentic | acctterminatecause | acctstarttime | acctstoptime |
| xxxxxx | RADIUS | Lost-Carrier | 2014-02-22 09:15:32 | 2014-02-22 11:15:58 |
| xxxxxx | RADIUS | Lost-Carrier | 2014-02-22 09:15:58 | 2014-02-22 12:16:36 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 09:16:37 | 2014-02-22 09:22:13 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 09:22:14 | 2014-02-22 09:27:34 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 09:27:35 | 2014-02-22 09:33:12 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 09:33:14 | 2014-02-22 09:38:34 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 09:38:35 | 2014-02-22 09:43:55 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 09:43:57 | 2014-02-22 09:49:17 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 09:49:18 | 2014-02-22 09:54:52 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 09:54:54 | 2014-02-22 10:00:14 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 10:00:14 | 2014-02-22 10:00:26 |
| xxxxxx | RADIUS | Lost-Carrier | 2014-02-22 10:00:26 | 2014-02-22 10:06:17 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 10:06:19 | 2014-02-22 10:11:39 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 10:11:41 | 2014-02-22 10:17:52 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 14:50:41 | 2014-02-22 14:50:42 |
| xxxxxx | RADIUS | Lost-Carrier | 2014-02-22 14:50:42 | 2014-02-22 15:01:25 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 15:01:26 | 2014-02-22 15:06:46 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 15:06:48 | 2014-02-22 15:12:08 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 15:12:09 | 2014-02-22 15:20:24 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 15:20:25 | 2014-02-22 15:28:33 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 15:28:35 | 2014-02-22 15:33:54 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 15:33:55 | 2014-02-22 15:39:15 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 15:39:17 | 2014-02-22 15:44:37 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 15:44:38 | 2014-02-22 15:49:59 |
| xxxxxx | Local | | 2014-02-22 15:49:59 | NULL |
As you can see, the Acct-Authentic field contains two possible values: Local and RADIUS. I didn't create any user named 'xxxxxx' on the AP, and I configured authentication against the RADIUS server. Why are there so many rows with Acct-Authentic = 'Local'?
Also, this user always loses his connection and then reconnects quickly. This user logs in with his account on multiple devices, including smartphones and computers. All of them experience the same issue. Is there any way to debug it? Any potential reasons?
Regards,
Lingfeng Xiong
Hi,
I have exactly the same problem with my FreeRADIUS and switches when the switches are on IOS 15.x.
You can see the accounting log:
| 5971 | 0000007E | bde8f71b768f2785 | | | | 10.254.1.253 | 50001 | Ethernet | 2014-04-03 23:23:04 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5972 | 0000007F | 27c15b7db52213d9 | | | | 10.254.1.253 | 50001 | Ethernet | 2014-04-03 23:23:04 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5973 | 00000080 | 8fb0d5fe41e82d65 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-03 23:23:18 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5974 | 00000081 | fa753225306a1a30 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-03 23:23:35 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5975 | 00000082 | 39b6dfcf6aa90e30 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-03 23:25:57 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5976 | 00000083 | d7766e99f09aee2f | | | | 10.254.1.253 | 50024 | Ethernet | 2014-04-03 23:26:33 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5977 | 00000084 | 7094f61110fe4eef | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-03 23:29:22 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5978 | 00000085 | 66ded1d410f07c51 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-03 23:30:00 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5979 | 00000086 | 326144c4321e0286 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-03 23:30:32 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5980 | 00000087 | 01d1379a4f9c3365 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-03 23:32:57 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5981 | 00000088 | 91164743f562dfdb | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-03 23:34:59 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5982 | 00000089 | abf1519e403f8305 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-03 23:36:21 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5984 | 0000008B | 2e199e473e646ba4 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-04 00:21:01 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5986 | 0000008C | cb4c2e11189d484c | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-04 00:28:10 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5987 | 0000008D | 1e928dc7eabc1e6d | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-04 00:28:11 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5988 | 0000008E | f1e3754a954e6863 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-04 00:28:15 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5989 | 0000008F | e46d377efc8a47f8 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-04 01:00:02 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5990 | 00000090 | e098f1dc19bdeee2 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-04 01:01:02 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5991 | 00000091 | 6ae3acb7d57c9c5a | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-04 01:56:25 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5992 | 00000092 | abc974156cf20e23 | | | | 10.254.1.253 | 50021 | Ethernet | 2014-04-04 03:10:56 | NULL | 1943 | Local | | | 0 | 204825 | | | | Framed-User | | | 0 | 0 | |
| 5993 | 00000093 | be822673509843a6 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-04 03:51:41 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5994 | 00000094 | 0a4366a6cd9eb0c5 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-04 07:53:42 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5996 | 00000095 | 5d289b8db37d0c8d | | | | 10.254.1.253 | 50024 | Ethernet | 2014-04-04 08:58:22 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 5997 | 00000096 | c4ea1e813085a6d7 | | | | 10.254.1.253 | 50024 | Ethernet | 2014-04-04 08:58:22 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 6002 | 0000009A | a82ac41b1ff5f16b | | | | 10.254.1.253 | 50024 | Ethernet | 2014-04-04 09:03:12 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 6004 | 0000009B | 0719718c780250c2 | | | | 10.254.1.253 | 50024 | Ethernet | 2014-04-04 09:53:30 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 6005 | 0000009C | c58f9c5e30b60fb7 | | | | 10.254.1.253 | 50016 | Ethernet | 2014-04-04 09:56:54 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 6007 | 0000009D | f78cc71528fd7898 | | | | 10.254.1.253 | 50024 | Ethernet | 2014-04-04 09:56:54 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
| 6008 | 0000009E | 200a1608264cc03c | | | | 10.254.1.253 | 50019 | Ethernet | 2014-04-04 10:01:14 | 2014-04-04 10:30:24 | 1750 | Local | | | 114654 | 93145 | | | Lost-Carrier | Framed-User | | | 0 | 0 | |
| 6009 | 0000009F | c5ec021f0ef399c1 | | | | 10.254.1.253 | 50019 | Ethernet | 2014-04-04 10:01:44 | 2014-04-04 10:30:24 | 1720 | Local | | | 109122 | 86295 | | | Lost-Carrier | Framed-User | | | 0 | 0 | |
| 6013 | 000000A4 | 042773e07781caba | | | | 10.254.1.253 | 50019 | Ethernet | 2014-04-04 10:30:26 | 2014-04-04 10:39:51 | 565 | Local | | | 36891 | 39077 | | | Lost-Carrier | Framed-User | | | 0 | 0 | |
| 6015 | 000000A5 | f6b305e3f0d6aa5a | | | | 10.254.1.253 | 50019 | Ethernet | 2014-04-04 10:30:56 | 2014-04-04 10:39:51 | 535 | Local | | | 31698 | 32171 | | | Lost-Carrier | Framed-User | | | 0 | 0 | |
| 6017 | 000000A6 | ef6cad3df24ccd61 | | | | 10.254.1.253 | 50002 | Ethernet | 2014-04-04 10:42:20 | NULL | 0 | Local | | | 0 | 0 | | | | Framed-User | | | 0 | 0 | |
Does anyone have an idea?
Thanks,
Best regards, -
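The radacct output in the question already contains the evidence: most "Local" sessions last just over five minutes and the next session starts one or two seconds after the previous stop, while the two "RADIUS" rows at 09:15 overlap each other (two devices on one account). Below is an added example, not from the thread, that turns rows in that exact shape into a triage summary: counts by Acct-Authentic, reconnects that follow the previous stop within a few seconds, overlapping sessions, open sessions, and mean session length per authentication source. The sample rows are copied from the question's output; the five-second window is an assumed threshold.

```python
"""Triage of FreeRADIUS radacct rows for flapping sessions (added example, not from the thread).
Parses rows shaped like the SELECT output above (username, acctauthentic, acctterminatecause,
acctstarttime, acctstoptime) and summarises reconnect behaviour per Acct-Authentic value."""
from collections import Counter, defaultdict
from datetime import datetime
from typing import NamedTuple, Optional

# Rows copied from the question's output; the full result has many more of the same pattern.
SAMPLE = """\
| xxxxxx | RADIUS | Lost-Carrier | 2014-02-22 09:15:32 | 2014-02-22 11:15:58 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 09:16:37 | 2014-02-22 09:22:13 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 09:22:14 | 2014-02-22 09:27:34 |
| xxxxxx | Local | Lost-Carrier | 2014-02-22 09:27:35 | 2014-02-22 09:33:12 |
| xxxxxx | RADIUS | Lost-Carrier | 2014-02-22 10:00:26 | 2014-02-22 10:06:17 |
| xxxxxx | Local | | 2014-02-22 15:49:59 | NULL |
"""


class Session(NamedTuple):
    user: str
    authentic: str
    cause: str
    start: datetime
    stop: Optional[datetime]

    @property
    def seconds(self):
        return None if self.stop is None else (self.stop - self.start).total_seconds()


def parse_time(text):
    return None if text in ("", "NULL") else datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_rows(text):
    """Accepts MySQL-style pipe rows; header, separator and junk lines are skipped."""
    sessions = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or cells[3] in ("", "acctstarttime"):
            continue
        user, authentic, cause, start, stop = cells
        sessions.append(Session(user, authentic, cause, parse_time(start), parse_time(stop)))
    return sorted(sessions, key=lambda s: s.start)


def summarize(sessions, reconnect_window=5):
    """reconnect_window: a start within this many seconds of the previous stop counts as flapping."""
    summary = {"by_authentic": Counter(s.authentic for s in sessions),
               "quick_reconnects": 0, "overlapping": 0,
               "open_sessions": sum(1 for s in sessions if s.stop is None)}
    for prev, cur in zip(sessions, sessions[1:]):
        if prev.stop is None:
            continue
        gap = (cur.start - prev.stop).total_seconds()
        if gap < 0:
            summary["overlapping"] += 1        # a second device active on the same account
        elif gap <= reconnect_window:
            summary["quick_reconnects"] += 1   # dropped and re-associated almost at once
    durations = defaultdict(list)
    for s in sessions:
        if s.seconds is not None:
            durations[s.authentic].append(s.seconds)
    summary["mean_duration_s"] = {k: round(sum(v) / len(v), 1) for k, v in durations.items()}
    return summary


def main():
    return summarize(parse_rows(SAMPLE))
```

Run main() against a larger export (for example `mysql -B -e "select ..."` piped through `sed 's/\t/ | /g'`, or the rows pasted as above) and look at mean_duration_s first: a source whose sessions all end after the same interval points at a timer (reauthentication or session timeout) rather than at radio conditions, and the gap analysis separates that from genuine multi-device overlap.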
Problem sharing folders with WLC and a MacBook Pro
I am doing a migration of my wireless network. On the old network, the MacBook Pro can see shared files on the network, but when I connect to the SSID configured on the WLC I cannot see shared files on the network. I have no ACL configured on the SSID.
Bonjour is a non-routable, multicast-based service. A trick I use sometimes is to configure the WLAN in H-REAP mode if the AP is located locally to the target Bonjour device. If you're running in local mode, make sure they are on the same VLAN and global multicast is enabled.
Sent from Cisco Technical Support iPad App -
Cisco ISE with TACACS+ and RADIUS both?
Hello,
I am initiating wired authentication on an existing network using Cisco ISE. I have been studying the requirements for this. I know I have to turn on RADIUS on the Cisco switches on the network. The switches on the network are already programmed for TACACS+. Does anybody know if they can both operate on the same network at the same time?
Bob
Hello Robert,
I believe no, they won't work together, as TACACS+ and RADIUS are different technologies.
It's just because TACACS+ encrypts the whole message and RADIUS just the password, so I believe it won't work.
For your reference, I am sharing the link for the difference between TACACS and Radius.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
Moreover, Please review the information as well.
Compare TACACS+ and RADIUS
These sections compare several features of TACACS+ and RADIUS.
UDP and TCP
RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers:
TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.
Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.
TCP is more scalable and adapts to growing, as well as congested, networks.
Packet Encryption
RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
Authentication and Authorization
RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
Multiprotocol Support
RADIUS does not support these protocols:
AppleTalk Remote Access (ARA) protocol
NetBIOS Frame Protocol Control protocol
Novell Asynchronous Services Interface (NASI)
X.25 PAD connection
TACACS+ offers multiprotocol support.
Router Management
RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.
Interoperability
Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.
Traffic
Due to the previously cited differences between TACACS+ and RADIUS, the amount of traffic generated between the client and server differs. These examples illustrate the traffic between the client and server for TACACS+ and RADIUS when used for router management with authentication, exec authorization, command authorization (which RADIUS cannot do), exec accounting, and command accounting (which RADIUS cannot do). -
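The "Packet Encryption" section above is the part of the comparison that is easiest to misread, so here is an added example (written for this page, not taken from the Cisco document or the thread) that implements exactly what it describes for TACACS+: a 12-byte header that is always cleartext, and a body XORed with the chained-MD5 pseudo-pad that RFC 8907 derives from the session id, shared key, version and sequence number. RFC 8907 itself calls this obfuscation rather than encryption, and it gives no integrity protection; the key, username, password and session id below are made-up values.

```python
"""TACACS+ (RFC 8907) packet obfuscation: cleartext 12-byte header, body XORed with a
chained-MD5 pseudo-pad. Added example, not code from the thread; the key, user,
password and session id below are made-up values."""
import hashlib
import struct

TAC_PLUS_AUTHEN, TAC_PLUS_UNENCRYPTED_FLAG, VERSION = 0x01, 0x01, 0xC0  # major 0xC, minor 0
LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_PAP, AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x02, 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(same, MD5_n-1); truncated."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))


def authen_start_body(user, password, port=b"tty0", rem_addr=b"10.0.0.5"):
    """Authentication START with PAP; the password is carried in the data field."""
    head = bytes([LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_PAP, AUTHEN_SVC_LOGIN,
                  len(user), len(port), len(rem_addr), len(password)])
    return head + user + port + rem_addr + password


def build_packet(ptype, seq_no, session_id, body, key):
    """With a key the whole body is obfuscated; with none, a header flag says so and it goes clear."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    if key:
        body = xor(body, pseudo_pad(session_id, key, VERSION, seq_no, len(body)))
    return struct.pack("!BBBBII", VERSION, ptype, seq_no, flags, session_id, len(body)) + body


def parse_packet(packet, key):
    """Header fields are always readable; the body only comes back intact with the right key."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor(body, pseudo_pad(session_id, key, version, seq_no, length))
    header = dict(version=version, type=ptype, seq_no=seq_no, flags=flags,
                  session_id=session_id, length=length)
    return header, body


def demo(key=b"tacacs-key", session_id=0x1A2B3C4D):
    """Compare what an on-path observer sees with and without the shared key."""
    body = authen_start_body(b"admin", b"hunter2")
    keyed = build_packet(TAC_PLUS_AUTHEN, 1, session_id, body, key)
    clear = build_packet(TAC_PLUS_AUTHEN, 1, session_id, body, key=b"")
    return {
        "header_readable_without_key": parse_packet(keyed, b"")[0]["session_id"] == session_id,
        "user_visible_with_key": b"admin" in keyed,
        "user_visible_without_key": b"admin" in clear,
        "body_recovered_with_key": parse_packet(keyed, key)[1] == body,
        "body_recovered_with_wrong_key": parse_packet(keyed, b"guess")[1] == body,
    }
```

Two practical consequences follow from the code. First, because the pad depends only on session id, key, version and sequence number, a captured packet with a known or guessed plaintext leaks the pad for that position, so a weak shared key is recoverable by dictionary attack; the RFC's own advice is to run TACACS+ only over a trusted management network or inside IPsec/TLS. Second, the unencrypted flag is set by the sender, so a device that accepts it in production lets anyone downgrade the exchange; compare that with RADIUS, where there is no flag at all because only User-Password was ever hidden.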
WLC 4402 RADIUS Authentication with IAS
Hello
I configured a WLAN with PEAP (CHAP v2) and RADIUS authentication to a Windows 2003 IAS RADIUS server.
On the 4402 controller the layer 2 security is set to WPA1+WPA2 with 802.1X authentication.
The IAS server doesn't use the configured policy when an authentication request arrives.
Is there an issue with special RADIUS attributes or configuration items on the IAS server?
The following event appears in the Windows logs:
User STANS\kaesmr was denied access.
Fully-Qualified-User-Name = STANS\kaesmr
NAS-IP-Address = 172.17.25.6
NAS-Identifier = keynet-01
Called-Station-Identifier = 00-18-74-FB-CA-20:keynet
Calling-Station-Identifier = 00-16-CE-52-C8-EB
Client-Friendly-Name = Wireless-Controller
Client-IP-Address = 172.17.25.6
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Windows-Authentifizierung für alle Benutzer verwenden (German: use Windows authentication for all users)
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = Extension
EAP-Type = <undetermined>
Reason-Code = 21
Reason = The request was rejected by a third-party extension DLL file.
What I understand from your post is that the authentication is not handled by your IAS server. If I am correct, the problem might be the "Allow AAA override" option being disabled in your WLAN. If it is enabled, then the AAA server (your IAS server) will override the security parameters set locally on the controller.
So, first ensure that "Allow AAA override" is enabled under Controller ---> WLAN.
Also, check the logs of the IAS server for more info on this. -
Cisco 8510 WLC and RTU licence
Hi Guys,
I have a similar issue where it shows the status as active, not-in-use.
What does this mean, and how do I get this to be in use?
This is a Controller with HA-SKU license.
The licenses has been inherited from the Primary Controller.
Any license on HA-SKU controller is disregarded.
Feature name: ap_count (adder)
License type: Permanent
License state: Active, Not-In-Use
License Nodelocked: No
RTU License Count: 50
Hope to hear from you soon.
Regards,
Clifton.
Hi,
Since this is an HA-SKU WLC and the license is inherited from the active one, there is no need to have a permanent license on it.
Is the HA working fine?
Please review the following link for the HA licensing requirements:
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bd3504.shtml#licensing -
Hi, I am currently using 21 x WLCs with N+1 redundancy and 1 x WCS with 1000+ LAP1020s. It has been observed that the antenna type and TX power have been changed for no reason. Are there any settings that may affect AP-customized TX power and antenna settings, other than using the WCS template to push the configuration to the APs instead of the WLC?
Sorry for jumping in on the question with another question but it seemed the right place.
I have an AIR-CT5508-25-K9 WLC and a +25 AP license: L-LIC-CT5508-25A.
As far as I understand it, the WLC should already have a 25-AP license installed, and with the adder license I should have a count of 50 APs.
However, after installing the adder license the count is still 25.
Could you please let me know if it's just something wrong in my reasoning, or whether a case should be opened?
Thank you,
Barbara -
Please help me draw curves in Flash Pro CC, considering center and radius as parameters...
function drawArcF(sp:Sprite,centerX:int,centerY:int,radius:int,startA:int,endA:int,color:uint):void{
if(startA>endA){
var tempA:int=startA;
startA=endA;
endA=tempA;
}
var degToRad:Number = Math.PI/180;
with(sp.graphics){
lineStyle(0,color);
moveTo(centerX+radius*Math.cos(degToRad*startA),centerY+radius*Math.sin(degToRad*startA));
for(var i:int=startA+1;i<=endA;i++){
lineTo(centerX+radius*Math.cos(degToRad*i),centerY+radius*Math.sin(degToRad*i));
}
}
} -
Guest-Anchor-WLC and NAC integration guide
I was trying to find some design reference for the Guest-WLC and NAC integration. Can anyone share some experience, Cisco docs or links?
User traffic is locally bridged on a 1030 in REAP mode, so packets forwarded to the default gateway would follow the NAT rules on the firewall, but the real challenge is the LWAPP control channel. In the past, using 1:1 NAT, I was successful with a CP firewall, but I had to play tricks with the mobility group and use the FW logs to track and define the right ports.
-
WPA2 and Radius server configuration
On the page: http://cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml
it is described how to set up WPA2 and a RADIUS server.
If I follow this, the RADIUS server does not work. In the document they describe that I need to use 10.0.0.1 as the IP, but my AP has a 192.168.1.251 address. Even if I enter that address, or 10.0.0.1, it does not work.
Normal WPA2 Personal, without RADIUS, does work.
I use an 1100 series AP (AIR-AP1120B-E-K9) with an AIR-MP21G, and the firmware of the radio module is 5.90.11.
The IOS version is 12.3(8)JA2.
Does anyone know what to do?
Haik
Hello,
I understand that. I have given the AP a fixed address, 192.168.1.251. This is outside the DHCP pool of the router.
Even if I use this address in the RADIUS configuration, it still does not work. My client (a laptop with an Intel PRO/Wireless 2200 card) detects that there is a RADIUS server and asks for a username / password.
But even if I fill it in correctly (copy / paste) it does not work.
So what can be wrong with this configuration?
Haik