WLC OID (snmp) for authenticated clients

I know the OID for associated users 1.3.6.1.4.1.14179.2.1.1.1.38.
But is there one for Authenticated clients? I am looking for the numbers similar to the one I can get from the report tools in WCS.
I think the number of authenticated clients is a better number than using the associated client count when talking about guest WLANs.
Best regards,
Steffen Lindemann

Hi,
Yes, there is. I have created a table with SolarWinds for this, but they represent or provide information in a different way.
The table consists of:
>WLAN Profile
1.3.6.1.4.1.9.9.599.1.3.1.1.3
This object specifies the WLAN Profile name this 802.11 wireless client is connected to.
>Client Status
1.3.6.1.4.1.9.9.599.1.3.1.1.2
The object that represents the current status of the client.
>MobileStationUserName
1.3.6.1.4.1.14179.2.1.4.1.3
User Name, if any, of the Mobile Station. This would be non-empty in case of Web Authentication and IPSec.
>Client Protocol
1.3.6.1.4.1.9.9.599.1.3.1.1.6
The 802.11 protocol type of the client. 'dot11a' - The client is using 802.11a standard to connect to the access point (AP)
>MobileStationIpAddress
1.3.6.1.4.1.14179.2.1.4.1.2
IP address
Well, the client status would be represented as a numeric value:
Client status:
4 = associated
6 = Probing
8 = Disconnected
Protocol:
1 = 802.11a
2 = 802.11b
3 = 802.11g
Hope this helps
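
Added example, not part of the original posts: one way to turn the columns listed in the reply into a per-WLAN count of web-authenticated clients from saved `snmpwalk -On` output. It treats a non-empty user name as the sign that web authentication has completed, which is how the reply describes that column; the sample walk is constructed, and it is an assumption that both tables are indexed by the client MAC as six decimal octets.

```python
import re
from collections import Counter

# Column OIDs quoted in the reply above.
OID_WLAN_PROFILE = "1.3.6.1.4.1.9.9.599.1.3.1.1.3"
OID_CLIENT_STATUS = "1.3.6.1.4.1.9.9.599.1.3.1.1.2"
OID_USER_NAME = "1.3.6.1.4.1.14179.2.1.4.1.3"
COLUMNS = (OID_WLAN_PROFILE, OID_CLIENT_STATUS, OID_USER_NAME)

# Numeric status values exactly as listed in the reply; confirm them against
# the MIB for your controller release before relying on the labels.
STATUS_NAMES = {4: "associated", 6: "probing", 8: "disconnected"}

# Constructed sample in `snmpwalk -On` output format (not from a real WLC).
# Assumption: every row is indexed by the client MAC as six decimal octets.
SAMPLE_WALK = """\
.1.3.6.1.4.1.9.9.599.1.3.1.1.3.0.17.34.51.68.1 = STRING: "Guest"
.1.3.6.1.4.1.9.9.599.1.3.1.1.3.0.17.34.51.68.2 = STRING: "Guest"
.1.3.6.1.4.1.9.9.599.1.3.1.1.3.0.17.34.51.68.3 = STRING: "Guest"
.1.3.6.1.4.1.9.9.599.1.3.1.1.3.0.17.34.51.68.4 = STRING: "Conference"
.1.3.6.1.4.1.9.9.599.1.3.1.1.2.0.17.34.51.68.1 = INTEGER: 4
.1.3.6.1.4.1.9.9.599.1.3.1.1.2.0.17.34.51.68.2 = INTEGER: 4
.1.3.6.1.4.1.9.9.599.1.3.1.1.2.0.17.34.51.68.3 = INTEGER: 6
.1.3.6.1.4.1.9.9.599.1.3.1.1.2.0.17.34.51.68.4 = INTEGER: 4
.1.3.6.1.4.1.14179.2.1.4.1.3.0.17.34.51.68.1 = STRING: "guest01"
.1.3.6.1.4.1.14179.2.1.4.1.3.0.17.34.51.68.2 = ""
.1.3.6.1.4.1.14179.2.1.4.1.3.0.17.34.51.68.4 = STRING: "visitor7"
"""

LINE_RE = re.compile(r"^\.?(\d+(?:\.\d+)+)\s*=\s*(.*)$")


def decode_value(raw):
    """Strip the net-snmp type prefix and surrounding quotes from a value.

    net-snmp prints an empty string as a bare "" with no type prefix.
    """
    value = re.match(r"^(?:[A-Za-z][A-Za-z0-9-]*:\s*)?(.*)$", raw.strip()).group(1)
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value


def status_code(value):
    """Accept both '4' and the MIB-resolved form 'name(4)'."""
    match = re.search(r"(\d+)\)?$", value)
    return int(match.group(1)) if match else None


def index_to_mac(index):
    """Convert a '0.17.34.51.68.1' index suffix to '00:11:22:33:44:01'."""
    return ":".join(f"{int(octet):02x}" for octet in index.split("."))


def parse_walk(text):
    """Return {column_oid: {index_suffix: value}} for the three columns."""
    table = {oid: {} for oid in COLUMNS}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank lines and "No Such Object" style messages
        oid, raw = match.groups()
        for base in COLUMNS:
            # The trailing dot stops ...1.1.3 from matching ...1.1.38 and so on.
            if oid.startswith(base + "."):
                table[base][oid[len(base) + 1:]] = decode_value(raw)
                break
    return table


def summarize(text):
    """Join the columns on the client index and count clients per WLAN."""
    table = parse_walk(text)
    summary = {}
    for index, wlan in table[OID_WLAN_PROFILE].items():
        entry = summary.setdefault(
            wlan,
            {"clients": 0, "with_username": 0, "by_status": Counter(), "no_username": []},
        )
        entry["clients"] += 1
        code = status_code(table[OID_CLIENT_STATUS].get(index, ""))
        label = "unknown" if code is None else STATUS_NAMES.get(code, f"code {code}")
        entry["by_status"][label] += 1
        # A missing row and an empty string both mean no user name is recorded.
        if table[OID_USER_NAME].get(index, ""):
            entry["with_username"] += 1
        else:
            entry["no_username"].append(index_to_mac(index))
    for entry in summary.values():
        entry["by_status"] = dict(entry["by_status"])
        entry["no_username"].sort()
    return summary


if __name__ == "__main__":
    for wlan, entry in sorted(summarize(SAMPLE_WALK).items()):
        print(f"{wlan}: {entry['with_username']} of {entry['clients']} clients "
              f"have a user name; statuses {entry['by_status']}")
        for mac in entry["no_username"]:
            print(f"  no user name recorded: {mac}")
```

To use it on a live controller, save the three column walks to one file and pass its contents to `summarize()`.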

Similar Messages

  • WLC connect LDAP for Authentication, but could not connect to server

    Hi Everyone, I got a problem when I use WLC 5508 connect to LDAP for authentication, but no luck there, it's a simple config, but not easy to work on my job, I got the following message:
    Service Port - Not connected
    Distribution port include:
         Management Interface - in AP Management VLAN - 30
         Student AP interface - in Student VLAN - 20
         Staff AP interface - in Staff VLAN - 10
    AD is in Staff VLAN - 10
    WLC LDAP Server setting
    Base DN:OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk
    User Attribute: sAMAccountName
    User Object Type: Person
    Debug aaa all enable message
    *LDAP DB Task 1: Jul 09 01:40:58.969: ldapInitAndBind [1] called lcapi_init (rc = 0 - Success)
    *LDAP DB Task 1: Jul 09 01:41:00.969: ldapInitAndBind [1] configured Method Anonymous lcapi_bind (rc = 1005 - LDAP bind failed)
    *LDAP DB Task 1: Jul 09 01:41:00.969: ldapClose [1] called lcapi_close (rc = 0 - Success)
    *LDAP DB Task 1: Jul 09 01:41:00.969: LDAP server 1 changed state to IDLE
    *LDAP DB Task 1: Jul 09 01:41:00.969: LDAP server 1 changed state to RETRY
    *LDAP DB Task 1: Jul 09 01:41:00.969: LDAP_OPT_REFERRALS = -1
    WLC GUI Log:
    *LDAP DB Task 1: Jul 09 02:56:13.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
    *LDAP DB Task 1: Jul 09 02:56:11.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
    *LDAP DB Task 1: Jul 09 02:56:09.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
    LDP Message of LDAP BaseDN:
    Hope I can resolve this problem ASAP, thanks!

    Your AD is in the Staff Vlan so maybe the WLC uses the Staff interface instead of management to contact the AD. I don't know how you sniffed exactly.
    The comment about eap methods you saw is when you use LDAP with dot1x security. It is the same as saying "You cannot do peap-mschapv2 or eap-fast-mschapv2 with LDAP".
    But you can do LDAP for web authentication, that has no eap methods.
    Your original problem was a binding problem from the WLC, so we can expect that the WLC really is sending traffic towards AD.

  • AP541N SNMP for Active Clients

    I'm hoping to query our AP541N's for the number of active wireless clients.
    I've walked the device and searched the MIBs but can't find what I need.
    Aironets seem to use "CISCO-DOT11-ASSOCIATION-MIB|cdot11active devices" (1.3.6.1.4.1.9.9.273.1.1.2), but our AP541N's don't respond to this OID.
    Do the AP541N's have something similar?
    Software image is AP541N-K9-2.0(4).
       Thanks in advance - JD

    Hi
    I'm looking for the exact same thing.. And cannot find it either.
    I'd appreciate if someone could find a solution for this.
    We have over 15 other APs (1230's, 1252's) and all of them have their clients graphed nicely.. only that ap541n is missing from the graph.
    Thank you

  • Problem configuring SOA suite to use OID for authentication

    We are in the process of rebuilding our environment to use the full SOA suite with our OID server for authentication (was previously just BPEL using AD directly), and have encountered several problems (below). We have rebuilt the OID server, and reinstalled the SOA suite into a clean ORACLE_HOME to no avail.
    We first rebuilt the OID server using the following steps (derived from Oracle® Internet Directory Administrator's Guide):
    1)     Create the Import and Export profiles for AD synchronization. We did this using the Directory Integration and Provisioning Server Administration tool under “Active Directory Configuration”
    2)     Modify the map file to specify the correct OU mappings between AD and OID.
    3)     Update the profile with the new map file using “dipassistant.bat mp”
    4)     Bootstrap the import profile using “dipassistant.bat bootstrap”
    5)     Start a new instance of the Integration server (odisrv) running on config set 1 (the config set containing the Active Directory import/export profiles) using “oidctl”
    6)     Set the Import profile to Enable. The OID server does not export changes to AD in our current configuration, so the Export profile is left on disable (and not bootstrapped)
    At this point it appears that the AD synchronizes correctly into our new OID server.
    Next we installed the SOA suite:
    1)     We ran “irca.bat” on our database server to create the ORABPEL, ORAESB, and ORAWSM schemas and associated integration repository structure.
    2)     After launching the SOA suite installer, we selected Advanced Install.
    3)     On the next screen, we selected J2EE Server, Web Server, and SOA Suite.
    4)     We then provided the credentials for our Oracle database, and the passwords for ORABPEL, ORAESB, and ORAWSM.
    5)     We configured our new AS instance as an administration instance, but did not opt to use from a separate HTTP server, and did not make this instance part of an OAS cluster topology.
    And finally, we configured our new SOA suite instance to use OID for authentication (using the instructions in Oracle® BPEL Process Manager Administrator's Guide section 2.1.3):
    1)     Used the configure_oid.bat command to seed OID with required users only.
    2)     Logged into the OracleAS Control Console
    3)     Chose the oc4j_soa instance, then Administration->Security->Identity Management
    4)     Configured the OID server using a non-ssl connection and the cn=orcladmin account.
    5)     When prompted, chose to reconfigure all applications in the oc4j_soa instance to OID, but not to use SSO for any of them.
    6)     Copied the contents of ORACLE_HOME\j2ee\home\config\jazn.xml to ORACLE_HOME\j2ee\oc4j_soa\config\jazn.xml
    7)     Restarted the application server.
    After this procedure, we encountered the following issues:
    1)     The BPEL console appears to authenticate users correctly out of OID, but no users have access to the default domain, including bpeladmin and oc4jadmin. All users receive a similar access denied message when attempting to log into the BPEL Admin Console.
    2)     We cannot upload a BPEL process to our new server via JDeveloper’s standard BPEL deployment mechanisms. The connection appears to be working properly and passes all tests, but on uploading a process we get a Java AccessDeniedException. ESB appears to be functioning properly, and accepts uploaded projects without issue.

    Bassman,
    We recently configured our SOA Suite to use OID and SSO. We had the same issues you are having, and we found the resolutions in a blog from Jaas Poot (http://blog.jpoot.com/category/oracle-appserver/oid-ldap/). For the BPEL domain access, this involved going to the data-sources.xml file and changing the database passwords from using ->pwForOrabpel for the orabpel schema and ->pwForOraesb for the oraesb schema to the real passwords; the blog explains more about this.
    The blog also covers the JDeveloper deployment issue, and another issue we encountered, where we couldn't access the BPEL Admin console. All of these were resolved following the steps in the blog.
    Hope this helps
    Candace

  • AP1252 : Support for LEAP and PEAP for authentication

    Hi,
    We are deploying Cisco AP1252 in unified (lightweight) mode and would like to know whether it will support both LEAP as well as PEAP for authenticating clients at the same time (mixed mode). If yes, kindly let me know the configuration for the same.

    Local EAP authentication on Wireless LAN Controllers was introduced with Wireless LAN Controller version 4.1.171.0.
    Local EAP is an authentication method that allows users and wireless clients to be authenticated locally on the controller. It is designed for use in remote offices that want to maintain connectivity to wireless clients when the backend system becomes disrupted or the external authentication server goes down. When you enable local EAP, the controller serves as the authentication server and the local user database, so it removes dependence on an external authentication server. Local EAP retrieves user credentials from the local user database or the LDAP backend database to authenticate users. Local EAP supports LEAP, EAP-FAST, EAP-TLS, PEAPv0/MSCHAPv2, and PEAPv1/GTC authentication between the controller and wireless clients.
    Local EAP can use an LDAP server as its backend database to retrieve user credentials.
    An LDAP backend database allows the controller to query an LDAP server for the credentials (username and password) of a particular user. These credentials are then used to authenticate the user.
    Local EAP Authentication on the Wireless LAN Controller with EAP-FAST and LDAP Server Configuration Example
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml

  • 4400 WLC Layer 3 Authentication Status for WLAN Clients

    We have 3 4400 series WLC's(wireless LAN controllers). Two 4404 WLC's are on the "inside" of our network and all AP's (access points) on our network use these two WLC's as the primary or secondary controller.  The 4402 WLC Anchor controller resides in our DMZ and is used for WLANs that are more oriented for guest usage.  These guest WLANs are configured on the inside controllers also, but are "anchored" to the 4402.  On the anchor controller we are using layer 3 Web Authentication for the WLAN "Guest".  This WLAN uses the internal web-auth page within the anchor controller and a username/password combo that is locally defined on the anchor controller.
    Functionally there is no issue.  Users connecting to the WLAN are presented with the web-auth page upon connecting to the WLAN and opening a web browser.  The issue is how the layer 3 authentication information is presented on the Monitor Clients page of the "inside" WLC's management screen as compared to the "anchor" WLC.
    For example, if we log in to the anchor controller and then click Monitor, then Client, then Change Filter and choose any WLAN requiring layer 3 authentication on the Anchor controller, there will be a list of all clients currently associated.  In the Column with the "Auth" heading it shows the Layer 3 Authentication status of the clients.  For example, if there are 15 clients associated to WLAN SSID "Guest", but only 5 of them have opened their web browsers and correctly logged in, then this will be correctly displayed.  The 5 who have logged in will show "Yes" and the other 10 will show "No" in the Auth column.
    Now...the problem...on the inside controllers...if we do the same thing (monitor, clients, filter for WLAN SSID "Guest"), all 15 will show "Yes" under the Auth column. In most cases the 15 clients will be distributed across both controllers (maybe 6 on one, and 9 on the other WLC), but both inside controllers will display all clients as having a layer 3 authentication status of "Yes".  We have proven over and over that this is not accurate.  This is very inconvenient because the "Client Count" reports we run on the WCS server reflect the same information as the "inside" controllers.  The WCS reports will show all 15 as Authenticated and they are not.  We have proven many times that the anchor WLC is the only controller accurately conveying this info.
    Also, the engineers who helped with our network install have reproduced the same behavior in a lab with an anchor and inside controller directly connected.  They suggested it may be a code bug with the 4400 series WLC.  We are running controller Software Version 6.0.188.0 on all 3 controllers.
    Please let me know what you think may be causing this issue.  Any help or advice is greatly appreciated!

    Hi,
    We run version 7.0 on the WCS and WLCs but I thought I'd try the report and see what I got. The result is a line graph with the number of associated and authenticated clients superimposed. I'm not sure how useful a report of this nature is.
    It doesn't inspire confidence: when I specify the guest wireless SSID I get zero clients! I know there have been guest clients authenticated during the report period I spec'd.
    Scott

  • Using Lion Server Radius for authenticating "other" clients

    Hi, I've been trying to get the Radius service in Lion Server to authenticate users of my SQUID web proxy. I have followed the squid wiki's instructions to configure the squid server as a radius client and pass authentication requests to the Lion Server Radius (I hope). However I'm trying to configure and test the Lion Server Radius. As Lion Server's Admin GUI for radius only lets you add Airport Basestations, I've been trying to dig around for what underlying config files to edit.  I have tried 2 methods of adding the client details to radius:
    1. By editing the /etc/raddb/client.conf, and adding/changing (for example):
    client localhost {
         secret     = mysecretpassphrase
    }
    client 192.168.0.0/24 {
         secret              = mysecretpassphrase
         shortname       = local-lan-clients
    }
    and restarting squid. Nothing seems to get mentioned in the radius log file! So I'm not completely convinced that the Lion Radius took any notice of this!
    2. Instead of above, added the same client info using radiusconfig:
    $ sudo radiusconfig -addclient 192.168.0.0/24 local-lan-clients other <return>
    - then it prompts for the secret. With this command I notice the entry/event is recognised in the radius log file, and also looks like some SQL activity. If I don't specify "other" for the nas-type, it defaults to "Airport Base Station" or similar.
    OK, so forgetting about SQUID for a minute, I can't even get that far as I'm just trying to test the config using the "radclient" utility from the Lion Server and the squid server:
    $ sudo radclient localhost auth mysecretpassphrase <return>
    and... no response, just hangs, nothing in radius log either.
    The Lion Firewall allows TCP and UDP requests into the Radius authentication port.
    Any ideas what else I need to do? Scratching my head, I'm wondering if it is anything to do with SSL? e.g. do I need to make the authentication using the self-signed certificate that Open Directory has? I presume any Airport Base Stations added to radius will use this certificate to establish a secure connection for authentication.

    The RADIUS server in OS X Server is a standard FreeRADIUS implementation with Apple's own custom GUI frontend for configuring it and which only allows adding AirPort base-stations. In Mountain Lion Server it is even limited to a specific configuration for the AirPort base-station.
    However if you follow the normal command-line instructions and steps for configuring FreeRADIUS then it will be possible to add any type of RADIUS client.
    While as far as I can see by manually configuring the FreeRADIUS server in OS X Server should enable you to do what you want, most people chose to configure Squid to use either a PAM or the LDAP modules for Squid to in this case authenticate directly to Open Directory (which is of course based on LDAP).
    I myself have used a PAM in the past with Squid to successfully configure Squid to authenticate users via Open Directory. I was even able to specify an Open Directory group and only allow members of that group access via the Squid Proxy Server. I then went a bit OTT and set up another open-source tool (which was discontinued and I had to fix to get working) to process the Squid logs and store them in MySQL, and then set up FileMaker Pro to connect to the MySQL database via ODBC to allow producing reports.
    Unfortunately the AFP548 website had a major redesign a while ago and many previous technical articles on it are now hard to find. I had used two articles on that site to guide me through setting up Squid and the PAM on a Mac server. I believe the two articles I used are the ones listed below.
    http://afp548.com/2004/09/08/using-os-x-open-directory-to-authenticate-squid-proxy-server/
    http://afp548.com/2004/12/13/squid-server-using-ldap-authentication/

  • Sharepoint authentication Client object model for direct links

    We have a Sharepoint 2010 site and another website [ASP.Net Web API 2] which uses Client object model to get data from Sharepoint, this is an intranet environment.
    The Client object model part of it is working fine, if any user logs in, it works with that user credentials. But when a user tries to access a direct SP link, ex: a link to a document from a document library, it pops up a credentials window.
    How to get rid of this pop up window, or how to set the authentication for the entire server when the user logs in to our web api.

    Hi,
    The prompt for credentials can be seen as behavior by design for the sake of safety, and there are no solutions to avoid it at this moment to my knowledge.
    Here is a similar thread that will provide more information:
    http://social.msdn.microsoft.com/Forums/sharepoint/en-US/85b5d22a-88ed-4975-8de9-1d65df293aeb/avoiding-prompting-for-authentication-when-accessing-the-aspx-page-in-layouts-folder-from-my?forum=sharepointdevelopmentprevious
    Thanks
    Patrick Liang
    Forum Support

  • Which clients are using my Sun One server for authentication?

    We use Sun One ver. 5.2 .
    Our LDAP clients use it for authentication.
    How can I list which clients recently used the Sun One server to authenticate?
    The reason I need that is because I want to upgrade the Sun One server and I want to notify the clients that I'm about to do it.
    Thanks.

    https://www.redhat.com/archives/fedora-directory-users/2005-September/msg00010.html
    Useful script to extract LDAP based user posixGroup memberships information
    ===
    Assuming you are using posixGroup objectclass and memberUid attribute to
    store your membership information, you may find my shell script useful
    and handy.
    It works on Solaris LDAP Client with "ldapaddent" and "ldaplist"
    commands, and works against FDS, SUN DS or OpenLDAP.
    ===
    Gary

  • Unable to create SASL client connection for authentication mechanism [PLAIN

    I have a problem using dscc to admin my ds/dps servers, since the dscc can't contact the dscc agent. Though the agent is running on the default port number with network-bind-port of 0.0.0.0, there is nothing I can do to fix it.
    I debug the problem, and found following errors in server.log under dscc (deployed on SUN AS 8.2):
    Message: Unable to create SASL client connection for authentication mechanism [PLAIN]|#]
    Please help if you could figure out what's going on. Thanks!

    Bug ID: 6551672
    Synopsis: SunAS claims "Unable to create SASL client conn for auth mechanism" and do not talk to Cacao
    Work Around:
    Change the JVM used by App Server.
    Edit the file:
         /usr/appserver/config/asenv.conf
    and replace
         AS_JAVA="/usr/j2se"
    by
         AS_JAVA="/usr/java"
    Then restart your AS domain.

  • Initial configuration of ACS 5.1 for EAP authentication for Wireless clients

    Hi,
    I have set-up with below devices :
    Wireless LAN controller 5508
    LAP 3302i
    and ACS 5.1
    Since I am new to ACS 5.1 configuration, I need some information to go ahead and configure ACS 5.1.
    which EAP method to use for wireless client authentication ? what is the best practice ?
    I have gone through some cisco documents and it shows that best practice is to configure PEAP but for the same , I need to install certificate in ACS server as well in client PC. is that so ?
    I have no clear picture for this certificate ?
    from where i can get this certificate or do i need to purchase this certificate separately from cisco. how to install it in ACS server ?
    I will be obliged to get at least initial configuration for ACS 5.1 to enable the EAP method,
    I need GUI based initial configuration for ACS 5.1
    This mentioned ACS 5.1 is installed on ACS 1121 hardware appliance.

    Hi,
    which EAP method to use for wireless client authentication ? what is the best practice ?
    -> I would advise the most widely spread EAP method, which has the best ratio security/easy to deploy: PEAP with MSCHAPv2, which is available by default by all windows machines.
    I have gone through some cisco documents and it shows that best practice is to configure PEAP but for the same , I need to install certificate in ACS server as well in client PC. is that so ?
    -> You will always need to install a server certificate, however, there is no need for client certificate because the authentication is based on the MSCHAP credentials exchange, not certificate based. The only requirement on the client regarding certificates is the following.
    If you want to validate the server certificate, you have to install the server certificate under the trusted CAs of the clients.
    If you do not require to trust the server certificate, you can simply disable the option of server certificate validation.
    I have no clear picture for this certificate ?
    from where i can get this certificate or do i need to purchase this certificate separately from cisco. how to install it in ACS server ?
    -> The server certificate can be a simple self signed certificate that you generate and install on the ACS GUI.
    Please feel free to follow this step-by-step guide on
    PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server:
    http://www.cisco.com/en/US/partner/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml or in pdf
    http://www.cisco.com/image/gif/paws/112175/acs51-peap-deployment-00.pdf.
    HTH,
    Tiago

  • Https errors for when client authentication

    Hi all,
    I encountered the error when I configured the web server to require client authentication. Can anyone advise?
    [01/Jun/2006:15:41:08] failure (17048): HTTP3068: Error receiving request from 10.60.20.126 (SSL_ERROR_NO_TRUSTED_LIBSSL_CLIENT_CA: the CA that signed the client certificate is not trusted locally)
    Regards
    Ken

    The message "the CA that signed the client certificate is not trusted locally" means that the CA that signed the client certificate (i.e. the cert that 10.60.20.126 sent to the server, here) is not trusted locally (i.e. by the web server).
    For SSL client auth the clients must have certs signed by some CA which is trusted by the web server. If the client has a cert issued by a known CA (like Verisign and others), those are trusted by default. I suspect here the client has a cert issued by some local CA. You need to import that CA's cert into the web server and mark it trusted.

  • Can WLC's built-in DHCP provide IP addresses for wired client?

    Hi,
    We've got a WLC running on 7.0.98.0. It's providing IP addresses for the Guest Wireless users. Now we'd like to put a couple of wired workstations for those customers who don't bring laptops. I'm wondering if I put these workstations on the same guest wireless vlan, they can still get IPs from the WLC. If not, I have set static IPs on these workstations.
    Thanks in advance.
    Robert

    Rob:
    The answer is simply "No". WLC can not provide wired clients on same wireless VLAN with IP addresses if the DHCP is configured on WLC.
    The case mentioned by fbarboza above is a "very" special configuration on WLANs where the WLC is configured to take care of some wired clients and it needs you to have two WLCs (the feature is called wired guest). This special case does not apply to your situation.
    With your situation my answer above applies.
    Note: An internal DHCP server pool will only serve the wireless clients of that controller, not clients of other controllers. Also, the internal DHCP server can only serve wireless clients and not wired clients.
    Reference: http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70wlan.html
    HTH
    Amjad

  • Caching for Web Portal Authenticated clients

    Reading CUWN documentation, Sticky Key Caching works only on WPA2-enabled WLANs.   Is it possible to enable a caching to help Web Portal Authenticated clients perform intra-controller roaming faster?

    Ok, so here's how it works:
    When the client gets on the network, the controller contacts the DHCP server and hands the client back its IP (as with any helper address).
    In order for web auth to work, you need to open a browser on the client.
    When you go to a page (say www.google.com) your browser does a DNS query for the IP address of the site (www.google.com), the controller intercepts the query.
    Since you have not been authenticated yet, the controller does not allow the query directly, but it proxies the query to the DNS server you were trying to resolve against. It sources this query from its interface that is on the VLAN the SSID your client is on maps to.
    That reply is proxied back to your computer, and then your browser does its normal request to Google's IP.
    The controller then intercepts that request, and sends a reply back redirecting the browser to the controller login page (usually https://1.1.1.1).
    Once you log into the web page, you will be redirected back to your original page (www.google.com).
    I hope I explained it well. If I wasn't clear, please let me know.
    -Eric

  • Cisco ISE 1.3 using 802.1x Authentication for wireless clients

    Hi,
    I have stumbled into a strange issue trying to authenticate a user over wireless. I am using PEAP as the authentication protocol. I have configured my authentication and authorization policy but when I come to authenticate the authorization policy selected is the default which denies access.
    I have used the 802.1x compound conditions for matching the machine authentication and then the user authentication
    MACHINE AUTHENTICATION
    match
    framed
    Wireless
    AD group (machine)
    USER AUTHENTICATION
    match
    framed
    Wireless
    AD group (USER)
    was authenticated = true
    Below are steps taken to authenticate any ideas would be great.
    11001  Received RADIUS Access-Request  
      11017  RADIUS created a new session  
      15049  Evaluating Policy Group  
      15008  Evaluating Service Selection Policy  
      15048  Queried PIP  
      15048  Queried PIP  
      15048  Queried PIP  
      15006  Matched Default Rule  
      11507  Extracted EAP-Response/Identity  
      12300  Prepared EAP-Request proposing PEAP with challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated  
      12318  Successfully negotiated PEAP version 0  
      12800  Extracted first TLS record; TLS handshake started  
      12805  Extracted TLS ClientHello message  
      12806  Prepared TLS ServerHello message  
      12807  Prepared TLS Certificate message  
      12810  Prepared TLS ServerDone message  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      12318  Successfully negotiated PEAP version 0  
      12812  Extracted TLS ClientKeyExchange message  
      12804  Extracted TLS Finished message  
      12801  Prepared TLS ChangeCipherSpec message  
      12802  Prepared TLS Finished message  
      12816  TLS handshake succeeded  
      12310  PEAP full handshake finished successfully  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      12313  PEAP inner method started  
      11521  Prepared EAP-Request/Identity for inner EAP method  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      11522  Extracted EAP-Response/Identity for inner EAP method  
      11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated  
      15041  Evaluating Identity Policy  
      15006  Matched Default Rule  
      22072  Selected identity source sequence  
      15013  Selected Identity Source - AD1  
      24430  Authenticating user against Active Directory  
      24325  Resolving identity  
      24313  Search for matching accounts at join point  
      24315  Single matching account found in domain  
      24323  Identity resolution detected single matching account  
      24343  RPC Logon request succeeded  
      24402  User authentication against Active Directory succeeded  
      22037  Authentication Passed  
      11824  EAP-MSCHAP authentication attempt passed  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response  
      11814  Inner EAP-MSCHAP authentication succeeded  
      11519  Prepared EAP-Success for inner EAP method  
      12314  PEAP inner method finished successfully  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      24423  ISE has not been able to confirm previous successful machine authentication  
      15036  Evaluating Authorization Policy  
      15048  Queried PIP  
      15048  Queried PIP  
      24432  Looking up user in Active Directory - xxx\zzz Support  
      24355  LDAP fetch succeeded  
      24416  User's Groups retrieval from Active Directory succeeded  
      15048  Queried PIP  
      15048  Queried PIP  
      15004  Matched rule - Default  
      15016  Selected Authorization Profile - DenyAccess  
      15039  Rejected per authorization profile  
      12306  PEAP authentication succeeded  
      11503  Prepared EAP-Success  
      11003  Returned RADIUS Access-Reject  
      5434  Endpoint conducted several failed authentications of the same scenario  

     24423  ISE has not been able to confirm previous successful machine authentication  
    Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
    First thing to check is whether MAR has been enabled on the identity source. Second thing to check is whether your machine is set to send a certificate for authentication. There are other things you can look at but I'd do those two first.
    Log off and on or reboot and then see if you at least get a failed machine auth on the operations>authentication page and we can go from there.
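The reading of the step list given in the reply above can be done mechanically. The following is an added example, not part of the original posts and not Cisco tooling: it parses an excerpt of the steps posted in the question and separates the authentication result from the authorization result. The function names and the dictionary keys are assumptions made for this example.

```python
import re

# Excerpt of the step list posted in the question (codes and text as posted).
STEPS = """\
11001  Received RADIUS Access-Request
  12816  TLS handshake succeeded
  24402  User authentication against Active Directory succeeded
  22037  Authentication Passed
  11814  Inner EAP-MSCHAP authentication succeeded
  24423  ISE has not been able to confirm previous successful machine authentication
  15036  Evaluating Authorization Policy
  15004  Matched rule - Default
  15016  Selected Authorization Profile - DenyAccess
  15039  Rejected per authorization profile
  11003  Returned RADIUS Access-Reject
  5434  Endpoint conducted several failed authentications of the same scenario
"""

STEP_RE = re.compile(r"^\s*(\d{4,5})\s+(.*\S)\s*$")
FINAL_RE = re.compile(r"Returned RADIUS Access-(Accept|Reject)$")


def parse_steps(text):
    """Return (code, message) tuples; lines that are not steps are skipped."""
    return [(int(m.group(1)), m.group(2))
            for m in map(STEP_RE.match, text.splitlines()) if m]


def summarize(steps):
    """Split the outcome into authentication and authorization results."""
    codes = [code for code, _ in steps]
    # Everything from step 15036 onward belongs to authorization.
    split = codes.index(15036) if 15036 in codes else len(steps)
    out = {"authentication_passed": 22037 in codes[:split],
           "machine_auth_unconfirmed": 24423 in codes,
           "authz_rule": None, "authz_profile": None, "radius_result": None}
    for code, msg in steps:
        final = FINAL_RE.search(msg)
        if code == 15004:
            out["authz_rule"] = msg.partition(" - ")[2]
        elif code == 15016:
            out["authz_profile"] = msg.partition(" - ")[2]
        elif final:
            out["radius_result"] = final.group(1)
    # The pattern in this thread: credentials accepted, then denied by the
    # Default rule while the machine authentication could not be confirmed.
    out["rejected_at_authorization"] = (
        out["authentication_passed"] and out["radius_result"] == "Reject")
    return out


if __name__ == "__main__":
    for key, value in summarize(parse_steps(STEPS)).items():
        print(f"{key}: {value}")
```

A result with `authentication_passed` true, `authz_rule` equal to `Default` and `machine_auth_unconfirmed` true points at the authorization conditions rather than at the PEAP exchange or the credentials.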
