WLC Prioritizing authentication messages!

Hi all,
Q: In regards to a WLC, wireless clients and QoS, when using WPA2-AES encryption:
Does anyone know how the authentication messages are prioritized? Are authentication messages (e.g. EAPOL) between WLC and wireless client seen as control traffic (CS3), voice traffic (EF), or maybe not prioritized at all? :-(
THX
Goen

Way up (from client to WLC) may vary, way back (from WLC to client) is a fixed tag value. Namely, 802.1X data from the client is classified according to the WLAN QoS settings, but packets containing 802.1X frames from the WLC are marked CS4.
Hope it helps
Jerome

Similar Messages

  • Delay the first dot1x authentication message after a port comes up

    Cisco ISE: 1.2
    Switch IOS: 15.0.2.EX4
    Hello,
    I have configured the APs to authenticate with 802.1X via the switch.
    When I shut the port on which the AP is connected and then no shut it, the port comes up a few seconds later and the switch sends a dot1x authentication.
    I feel that the AP has not finished booting and that's why it fails: the AP doesn't answer that authentication request.
    I was wondering if it's possible to delay the first authentication message the switch sends just after a port comes up?
    When I use debug commands I see:
    %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
    %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
    %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
    %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
    %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
    NB: you'll see exhausted all authentication methods because I only configured dot1x on the port (no mab or anything else)
    Thank you for all answers

    Hello,
    Thank you for your reply. That document is very interesting.
    I've just read the chapter regarding the profiling with APs so far and got them working properly the way they showed it.
    However I'm not a big fan of MAB and profiling, because ISE retrieves CDP information collected through SNMP.
    - You need CDP (or LLDP) enabled and you might not want that for different reasons (Security, Interoperability...)
    - A machine could lie about its identity and pretend through CDP that it's a controller, an AP, a printer and so on.
    That's why the best option, in my opinion, would be that the AP sends its credentials and ISE accepts or rejects it.
    It's possible to do this with the Cisco APs:
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/99791-eapfast-wlc-rad-config.html
    I'm wondering why Cisco chooses a different EAP method for each of their devices (EAP-MD5 -> Cisco Phones, EAP-FAST -> AP)
    So in my humble opinion, the mab/profiling solution is good but not optimal.

  • Prioritizing of messages in PI 7.0 SP6

    Hi all
    When we are receiving messages from the server it is sending the messages to the other end correctly. But the problem we are facing is, the messages are not sent in the order they are received (FIFO), but they are randomly processed. Please let us know what needs to be done to process the messages by XI in the order we receive them.
    Do we need to do any configuration in SXMB_ADM?
    Thanks,
    Sita Ram

    Hi Sitaram,
    To prioritize messages, call transaction SE11 and add the following fixed values to the value range of domain SXMS_LOCATION:
    Fixed value: 1, Short description: Integration Engine - Sender
    Fixed value: 4, Short description: Integration Engine - Recipient
    Activate the changes.
    Call transaction SE11 and change the description of the domain fixed values SXMS_Q_PREFIX as follows:
    XPTA high-priority EO queue on the IS outbound processing/recipient
    XBTZ low-priority EO queue on the IS outbound processing/recipient
    XBT1 high-priority EO queue on the IS inbound processing/recipient
    XBT9 low-priority EO queue on the IS inbound processing/recipient
    Activate the changes.
    Call transaction SMQR, and register the following queue prefixes on the sender and recipient systems:
    XBTA*, MAXTIME 120
    XBTZ*, MAXTIME 30
    XBT1*, MAXTIME 120
    XBT9*, MAXTIME 30
    Refer to notes 1000330, 726080.
    Cheers,
    Shyam

  • I'm getting a User Cannot be Authenticated message when trying to order photo cards, books, etc - which I have done successfully many times

    In your account in the Apple store (store.apple.com) re-enter all of your information and be sure one-click ordering is on.
    Before ordering your book, preview it using this method - http://support.apple.com/kb/HT1040 - and save the resulting PDF for reference - the delivered book will match it.
    And try again.
    LN

  • Message signature for NTLMv2 Authentication message

    Hi,
    I'm implementing NTLMv2 support for SMBv2 and I have encountered some problems calculating the correct checksum for the authentication message. 
    Authentication packet:
    4E 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00 AE 00 00 00 42 01 42 01 C6 00 00 00 1E 00 1E 00 58 00 00 00 1A 00 1A 00 76 00 00 00 1E 00 1E 00 90 00 00 00 10 00 10 00 08 02 00 00 15 82 88 E2 06 01 B1 1D 00 00 00 0F 57 7C 17 17 5E DF 25 D8 8C 06 8D E6 75 5F
    62 65 57 00 49 00 4E 00 2D 00 34 00 37 00 50 00 30 00 39 00 4E 00 51 00 42 00 4B 00 49 00 38 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 57 00 49 00 4E 00 2D 00 51 00 32 00 33 00 49 00 36 00 4F 00 34 00 55 00 55 00 44 00
    53 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 67 E7 1D 8A 39 CC A0 52 A7 01 51 02 E9 5A DF 7B 01 01 00 00 00 00 00 00 7F D2 02 FD 80 6C D0 01 2A 01 01 16 D7 E9 11 F7 00 00 00 00 02 00 1E 00 57 00 49 00 4E 00 2D 00 34 00 37 00
    50 00 30 00 39 00 4E 00 51 00 42 00 4B 00 49 00 38 00 01 00 1E 00 57 00 49 00 4E 00 2D 00 34 00 37 00 50 00 30 00 39 00 4E 00 51 00 42 00 4B 00 49 00 38 00 04 00 1E 00 57 00 49 00 4E 00 2D 00 34 00 37 00 50 00 30 00 39 00 4E 00 51 00 42 00 4B 00 49 00 38 00
    03 00 1E 00 57 00 49 00 4E 00 2D 00 34 00 37 00 50 00 30 00 39 00 4E 00 51 00 42 00 4B 00 49 00 38 00 07 00 08 00 7F D2 02 FD 80 6C D0 01 06 00 04 00 02 00 00 00 08 00 30 00 30 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 20 28 45 5A F8 71 0C F9 CC 5A EB A1
    F5 FB C3 17 49 CE 76 FF 1B 32 31 4D 52 E7 0E D8 B0 BA C5 F9 0A 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 00 22 00 63 00 69 00 66 00 73 00 2F 00 31 00 39 00 32 00 2E 00 31 00 36 00 38 00 2E 00 31 00 2E 00 31 00 31 00 00 00 00 00 00 00 00 00
    00 00 00 00 03 AC 9B EA 78 DD DF 49 BB D8 2D 66 0C 4F 22 61 
    By offline testing of packets I was able to get 
    ExportedSessionKey: 945d257f88b6be1a4b201748e3f134c5
    and from there calculate the correct MIC (based on the negotiation, challenge and authentication messages).
    But now when I am trying to calculate the checksum for the message signature I can't get this right.
    The SignKey equals md5(concat(ExportedSessionKey,"session key to client-to-server signing key magic constant")):
    2643d035ac56345368b321df5059f9b0
    The SealKey equals md5(concat(ExportedSessionKey,"session key to client-to-server sealing key magic constant")):
    dbb66166a80c4be9b876a6f4ec1dd3a5
    and the sequence number is: 0
    I'm using this function to calculate the checksum:
    rc4(sealKey,hmac_md5(SignKey,concat(Sequence Number,message) ) ) [0 .. 7] = 0790d273a21186ce
    That's an incorrect checksum, the real checksum should have been: 524102bf5e86c109 (captured from the packet).
    These are the negotiation flags of this session that are set:
    NegotiateUnicode,RequestTarget,NegotiateSign,NegotiateNTLM,NegotiateAlwaysSign,NegotiateNTLM2,
    NegotiateTargetInfo,NegotiateVersion,Negotiate128,NegotiateKeyExch,Negotiate56
    The only thing I wasn't sure about is if I need to calculate the checksum from the message with Z(16) instead of the MIC or with the real calculated MIC. Nevertheless I don't get the checksum either way.
    I've also added the packets from the relevant session.
    https://www.dropbox.com/s/eepcpmim3rj2zkd/ntlm.cap?dl=0
    Thanks in advance!

    Hi Guy:
    The details for how to calculate a MechListMIC are described in RFC 4178 (http://www.rfc-editor.org/rfc/rfc4178.txt) section 5(a).
    Any details specific to Windows are described in MS-SPNG (https://msdn.microsoft.com/en-us/library/cc247021.aspx) documents.
    I will give you an example here of how the client calculates MechListMIC in the case of NTLM.
    For this example, I used an actual SMB2 session set up exchange. If you need the network trace that I used, please send an email to dochelp at microsoft dot com to my attention referencing this thread.
    server challenge: 0x91, 0xA7, 0xB5, 0xA0, 0x93, 0xD1, 0x28, 0x73
    Password: Password01!
    client's MechTypes from first session set up message : 30 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A
    Security blob from the session set up command that contains the authenticate message:
    A1 82 01 CD 30 82 01 C9 A0 03 0A 01 01 A2 82 01
    AC 04 82 01 A8 4E 54 4C 4D 53 53 50 00 03 00 00
    00 18 00 18 00 86 00 00 00 FA 00 FA 00 9E 00 00
    00 0C 00 0C 00 58 00 00 00 06 00 06 00 64 00 00
    00 1C 00 1C 00 6A 00 00 00 10 00 10 00 98 01 00
    00 15 82 88 E2 06 03 80 25 00 00 00 0F 82 C4 C5
    F7 7B 08 49 FD A2 87 0E A3 05 EC 77 AB 66 00 6F
    00 72 00 4D 00 44 00 4D 00 61 00 62 00 63 00 4D
    00 49 00 4E 00 49 00 4E 00 54 00 2D 00 36 00 37
    00 31 00 30 00 38 00 46 00 4B 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 30 0B A0 EF 0B 39 38 45 54 E6 ED 4F B4
    FD 6D B6 01 01 00 00 00 00 00 00 72 23 6C 58 68
    6D D0 01 B5 FF F2 9D 10 1B 35 60 00 00 00 00 02
    00 0C 00 46 00 4F 00 52 00 4D 00 44 00 4D 00 01
    00 0C 00 46 00 4F 00 52 00 4D 00 44 00 4D 00 04
    00 0C 00 66 00 6F 00 72 00 4D 00 44 00 4D 00 03
    00 0C 00 66 00 6F 00 72 00 4D 00 44 00 4D 00 07
    00 08 00 72 23 6C 58 68 6D D0 01 06 00 04 00 02
    00 00 00 08 00 30 00 30 00 00 00 00 00 00 00 01
    00 00 00 00 20 00 00 15 7C 95 BD E7 02 DE 3B C9
    8D F1 46 91 04 AC 4D 16 61 03 F1 BF 42 77 85 B2
    82 B7 83 2E CB 1E 3F 0A 00 10 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 09 00 22 00 63
    00 69 00 66 00 73 00 2F 00 31 00 39 00 32 00 2E
    00 31 00 36 00 38 00 2E 00 31 00 2E 00 34 00 30
    00 00 00 00 00 00 00 00 00 00 00 00 00 8E 07 9F
    C9 F1 50 97 65 F3 BD A8 C1 32 8A 52 56 A3 12 04
    10 01 00 00 00 3B 1F D5 E0 2D 97 5F 97 00 00 00
    00
    My calculations are from the server's perspective. Everything the server needs to verify the client's MechListMIC
    is in the security blob, and what is not in the blob is already with the server (password, server challenge and the client's MechTypes sent in an earlier message).
    The KeyExchangeKey is the NTLMv2 session base key, whose calculation is described in MS-NLMP (https://msdn.microsoft.com/en-us/library/cc236621.aspx) section "3.3.2 NTLM v2 Authentication".
    KeyExchangeKey (NTLMv2 session base key)=ad6e6c75872afd2178533d2ebb8ad9ad
    Using the KeyExchangeKey to RC4-decrypt the Encrypted Random Session Key, we get
    Random Session Key: c7 9a 31 b6 8d b6 4e 3f 84 66 be a3 b2 22 3b c1
    Using the random session key above and the description in MS-NLMP, we calculate the signing and sealing keys.
    Server Signing Key: 69 cb 53 69 d5 18 75 04 dc 7e 61 03 33 10 53 e9
    Server Seal Key: 35 4e c9 d1 86 2d 4f a5 98 25 87 c4 b5 35 f2 33
    Client Signing Key: a2 b2 1a ed a9 ec d3 f1 3d ff c3 3d e0 1b 59 30
    Client Seal Key: 1e bb c6 f3 65 5b dc 13 b3 5b e4 e2 24 eb 71 e2
    Now using the client signing and sealing keys, we proceed to calculate the NTLM signature of client's MechTypes as described in MS-NLMP section "3.4.4.2 With Extended Session Security":
    Message number is 00 00 00 00
    MechList with 0000 concatenated:
    00 00 00 00 30 0c 06 0a 2b 06 01 04 01 82 37 02 02 0a
    HMAC_MD5 of the above using client signing key (first 8 bytes): 28 d5 e1 57 a4 d4 58 24
    checksum (RC4 encrypting the above using Client Sealing key): 3b 1f d5 e0 2d 97 5f 97
    MechListMIC by appending version and sequence: 01 00 00 00 3b 1f d5 e0 2d 97 5f 97 00 00 00 00
    As you can see this matches what the client sent.
    Please let me know if it does not answer your question.
    Regards, Obaid Farooqi
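    A Python version of the server-side check Obaid walks through, added here as an example (it is not code from the thread or from Microsoft): it recovers the random session key with the KeyExchangeKey, derives the four signing and sealing keys per MS-NLMP, and recomputes the client's MechListMIC over its MechTypes at sequence number 0 so the server can compare it with what the client sent. All constants are the values quoted in his post; the EncryptedRandomSessionKey is the final 16 bytes of the NTLM AUTHENTICATE message inside the blob he shows.

```python
import hashlib
import hmac
import struct

# Values quoted from the worked example in the post above (not constructed here).
KEY_EXCHANGE_KEY = bytes.fromhex("ad6e6c75872afd2178533d2ebb8ad9ad")
# EncryptedRandomSessionKey field: the last 16 bytes of the NTLM AUTHENTICATE message in the blob.
ENCRYPTED_RANDOM_SESSION_KEY = bytes.fromhex("8e079fc9f1509765f3bda8c1328a5256")
CLIENT_MECH_TYPES = bytes.fromhex("300c060a2b06010401823702020a")
MECHLIST_MIC_FROM_CLIENT = bytes.fromhex("010000003b1fd5e02d975f9700000000")

# MS-NLMP SIGNKEY/SEALKEY magic strings; the terminating NUL byte is part of the hashed input.
MAGIC = {
    ("client", "sign"): b"session key to client-to-server signing key magic constant\x00",
    ("client", "seal"): b"session key to client-to-server sealing key magic constant\x00",
    ("server", "sign"): b"session key to server-to-client signing key magic constant\x00",
    ("server", "seal"): b"session key to server-to-client sealing key magic constant\x00",
}


class RC4:
    """Minimal RC4. NTLM keeps one 'seal handle' per direction for the whole session,
    so the object keeps its state between calls; a fresh handle is what sequence
    number 0 (the first signed message) is encrypted with."""

    def __init__(self, key: bytes) -> None:
        s = list(range(256))
        j = 0
        for i in range(256):
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.i, self.j = s, 0, 0

    def crypt(self, data: bytes) -> bytes:
        s, out = self.s, bytearray()
        for byte in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + s[self.i]) & 0xFF
            s[self.i], s[self.j] = s[self.j], s[self.i]
            out.append(byte ^ s[(s[self.i] + s[self.j]) & 0xFF])
        return bytes(out)


def random_session_key(kek: bytes, encrypted: bytes) -> bytes:
    # With NTLMSSP_NEGOTIATE_KEY_EXCH the client sent RC4(KeyExchangeKey, RandomSessionKey).
    return RC4(kek).crypt(encrypted)


def signing_key(session_key: bytes, side: str) -> bytes:
    # SIGNKEY with extended session security: MD5(RandomSessionKey || magic).
    return hashlib.md5(session_key + MAGIC[(side, "sign")]).digest()


def sealing_key(session_key: bytes, side: str,
                negotiate_128: bool = True, negotiate_56: bool = True) -> bytes:
    # SEALKEY with extended session security: the key material is truncated according to
    # the NEGOTIATE_128 / NEGOTIATE_56 flags before hashing; this session has both set.
    if negotiate_128:
        material = session_key
    elif negotiate_56:
        material = session_key[:7]
    else:
        material = session_key[:5]
    return hashlib.md5(material + MAGIC[(side, "seal")]).digest()


def ntlm_signature(sign_key: bytes, seal_handle: RC4, seq_num: int, message: bytes) -> bytes:
    """MS-NLMP 3.4.4.2 MAC (extended session security + key exchange):
    Version(1) || RC4(HMAC_MD5(SignKey, SeqNum || Message)[0:8]) || SeqNum."""
    seq = struct.pack("<I", seq_num)
    checksum = hmac.new(sign_key, seq + message, hashlib.md5).digest()[:8]
    return struct.pack("<I", 1) + seal_handle.crypt(checksum) + seq


def verify_client_mechlist_mic(kek: bytes, encrypted_rsk: bytes,
                               mech_types: bytes, received_mic: bytes) -> bool:
    """Server side: recover the session key, derive the client's keys, recompute the MIC
    over the client's MechTypes at sequence number 0 and compare in constant time."""
    rsk = random_session_key(kek, encrypted_rsk)
    expected = ntlm_signature(signing_key(rsk, "client"),
                              RC4(sealing_key(rsk, "client")), 0, mech_types)
    return hmac.compare_digest(expected, received_mic)


if __name__ == "__main__":
    rsk = random_session_key(KEY_EXCHANGE_KEY, ENCRYPTED_RANDOM_SESSION_KEY)
    print("RandomSessionKey  :", rsk.hex())
    print("Client signing key:", signing_key(rsk, "client").hex())
    print("Client seal key   :", sealing_key(rsk, "client").hex())
    print("MechListMIC valid :", verify_client_mechlist_mic(
        KEY_EXCHANGE_KEY, ENCRYPTED_RANDOM_SESSION_KEY, CLIENT_MECH_TYPES, MECHLIST_MIC_FROM_CLIENT))
```

    Because the seal handle is stateful, a verifier that signs or checks several messages must keep one RC4 object per direction and feed it the messages in sequence-number order rather than re-creating it per message.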

  • Authentication Messages - Locked User, Expired Password etc...

    In standard Servlet Security, when using the container authentication mechanism (using j_security_check), the only responses one can send to the end user are the unauthorized page and the not-authenticated message.
    There is so much advancement in every other area, but none in this particular area to have a mechanism to send authentication failure error messages for specific cases like the ones shown in the title.
    Is there any standard pattern that will use Container Managed security to display such error messages?
    Any pointers will be great.
    Vijay

    We can use other login mechanisms, but the problem is that the so called J2EE Pluggable Authentication Realms (or Providers or Domains or Registries) only use the j_security_check mechanism to authenticate users.
    So the end result is a very primitive mechanism.
    So I was looking for some pointers on a JSR which is dealing with this or somebody who has a pattern to circumvent this problem.
    Thanks for the info.
    Any other pointers, anyone?
    Vijay

  • Cisco WLC Web Authentication with Internet Explorer 10

    Hi my name is Ivan
    I have a question:
    Cisco WLC Web Authentication works fine with Internet Explorer 10. I have worked with Chrome, Mozilla, IE 7 and I don't have any trouble.
    When I put the IP address https://1.1.1.1/login, the web page shows me.
    Thanks for your answers
    Regards

    Hmm, I'm a Mac guy, hard for me to test. I also did a search and don't see anything about bugs. Did you make any changes to IE10 settings? Is proxy enabled?
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • WLC 4404 error message

    Dears,
    We have a wireless LAN controller 4404 with LDAP authentication ...
    first, we are getting this error message on the WLC:
    apfMsConnTask_0: Jul 02 13:27:34.180: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:291 Could not check supported rates. Missing Supported Rate. Length :0. Mobile MAC: 78:e4:00:07:dd:10.
    second, our issue is when you open a browser, and after you enter the credentials for the username and password, it keeps redirecting to the virtual IP server "1.1.1.1" and never responds with the requested page or the "authentication succeeded" popup. however, when you open a new tab on the same browser, it connects you to the internet...
    please advise any recommended procedures or solutions that can be done to solve this issue.
    thanks in advance ...
    regards,
    Majed

    hi Scott,
    thanks for the reply...
    That means it's OK that the client keeps redirecting to the VIP set on the WLC, if that's the function of the VIP as you have said?
    And regarding the error message, it is the same client that is connecting to the webauth!!
    Please provide me with any ideas to solve this issue if anything comes to your mind.
    May updating the browser or using another one solve this, and will upgrading the WLC to a newer version lead us to not seeing this message and get rid of this issue?
    regards,
    majed

  • WLC sending a message of AP under attack

    Hi to all,
    I've been getting this message from my WLC and I'm not able to find what it really means and if there is something that could be done in order to solve it.
    "Warning : Our AP with Base Radio MAC 00:14:a8:53:0b:20 is under attack (contained) by another AP on radio type 802.11b/g"
    "Warning Cleared: Our AP with Base Radio MAC 00:14:a8:53:0b:20 is no longer under attack (contained) by another AP on radio type 802.11b/g"
    Can this cause me problems in the performance of my wireless network?
    Thanks in advance for your help.

    Hi,
    The firmware is 4.2.112.0
    Thanks in advance for your help.

  • ISE continue to receiving authentication message after removed the radius host test configuration on a IOS router

    I have two related issues and need help:
    Does anyone know how to disable or stop a RADIUS host test message sent every second from an IOS router after the test statement was removed and all RADIUS server information was removed from the configuration? I had this odd test for the new ISE server. The purpose of the test was not load balancing, but to find out if IOS supports a different protocol with RADIUS other than PAP if PPP is not used. After the test, I cannot stop it. I have a case opened with Cisco; the answer is there is no way to stop it other than rebooting the router. I tried to remove aaa new-model and add it back, no help. I have put an access-list on the LAN interface denying IP from any to the RADIUS host and port; no match found.
    On the ISE (version 1.1.1), because the IOS router test cannot be stopped, the live authentication page fills up with all the authentication failure messages. Does anyone know how to block the host from the ISE live authentication log (the router has been removed from the device page)?
    Below is part of the messages from the IOS router (version 15.0.1M6) debug, where 10.2.2.144 is the ISE IP, totally removed from the config. There is no RADIUS or ISE IP in the config anymore.
    Aug 28 10:21:15.384: AAA/SG/TEST(Req#: 1): Sending test AAA Access-Request.
    Aug 28 10:21:15.384: AAA/SG/TEST(Req#: 1): Sending test AAA Accounting-Request.
    Aug 28 10:21:15.384: AAA/SG/TEST: Verifying if further testing required to determine server state.
    Aug 28 10:21:15.384: AAA/SG/TEST: DEAD state verification already in progress for server (10.2.2.144:1645,1646).
    Aug 28 10:21:15.384: AAA/SG/TEST: Server (10.2.2.144:1645,1646) assumed DEAD. Dead time updated to 60 secs(s).
    Aug 28 10:21:33.752: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
    Aug 28 10:21:33.976: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
    Aug 28 10:21:33.976: AAA/SG/TEST: Necessary responses NOT received from server (10.2.2.144:1645,1646).
    Aug 28 10:21:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) marked DEAD. Dead time set for 60 sec(s).
    Aug 28 10:21:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) removed from quarantine.
    Aug 28 10:22:33.976: AAA/SG/TEST: Verifying if further testing required to determine server state.
    Aug 28 10:22:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) quarantined.
    Aug 28 10:22:33.976: AAA/SG/TEST: Sending 1 Access-Requests, 1 Accounting-Requests in current batch.
    Aug 28 10:22:33.976: AAA/SG/TEST(Req#: 1): Sending test AAA Access-Request.
    Aug 28 10:22:33.976: AAA/SG/TEST(Req#: 1): Sending test AAA Accounting-Request.
    Aug 28 10:22:33.976: AAA/SG/TEST: Verifying if further testing required to determine server state.
    Aug 28 10:22:33.976: AAA/SG/TEST: DEAD state verification already in progress for server (10.2.2.144:1645,1646).
    Aug 28 10:22:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) assumed DEAD. Dead time updated to 60 secs(s).
    Aug 28 10:22:52.760: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
    Aug 28 10:22:53.176: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
    Aug 28 10:22:53.176: AAA/SG/TEST: Necessary responses NOT received from server (10.2.2.144:1645,1646).
    Aug 28 10:22:53.176: AAA/SG/TEST: Server (10.2.2.144:1645,1646) marked DEAD. Dead time set for 60 sec(s).
    Aug 28 10:22:53.176: AAA/SG/TEST: Server (10.2.2.144:1645,1646) removed from quarantine.
    Thanks in advance,

    It seems reload is the only way to fix it. I don't think there is any way to stop or ignore messages for a specific host in the live authentication page of ISE. From a security point of view it is required to log all the authentication hits.
    Regards,
    ~JG
    Do rate helpful posts!

  • WLC web authentication ACL to allow internet surfing only

    Hi forumers'
    I would like to restrict web authentication users from accessing my other network devices. Web authentication users can only go to the Internet, that's all.
    According to my attachment, am I writing the right ACL syntax, and should I apply this at the web authentication interface?
    I also tried this ACL at my core switch but it seems not successful.
    ip access-list extended ACL-VLAN-20
    permit tcp 172.16.20.0 0.0.0.255 host 1.1.1.1
    permit tcp 172.16.20.0 0.0.0.255 host 2.1.1.1
    permit tcp 172.16.20.0 0.0.0.255 any eq 80
    permit tcp 172.16.20.0 0.0.0.255 any eq 443
    deny tcp 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31
    deny tcp 172.16.20.0 0.0.0.255 host 172.16.1.100
    int vlan 20
    ip access-group ACL-VLAN-20 in
    Any problem with it?
    Well, as long as it can restrict web authentication users to only going to the Internet, then it serves my purpose.
    thanks
    Noel

    This should work:
    deny ip 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31    (deny all IP traffic from guest to internal)
    permit udp 172.16.20.0 0.0.0.255 any eq 53           (or list the specific servers you want them to use)
    permit tcp 172.16.20.0 0.0.0.255 any eq 80           (allows HTTP but only outside as the deny stops internal)
    permit tcp 172.16.20.0 0.0.0.255 any eq 443          (allows HTTPS but only outside as the deny stops internal)
    But you need to add a permit for UDP 53, so that the client can talk to DNS as well, as added above. I also put the deny for access to the internal resources higher in the list, otherwise they are allowed to access your internal HTTP/HTTPS servers. If you want to allow that, it's better to permit the explicit servers.
    You don't necessarily need to allow 1.1.1.1 and 2.1.1.1, assuming one of these is your virtual interface address.
    When you do the ACL on the WLC, you need to do the inverse ACL as well. So you need to allow the 172.16.20.0 and the any to 172.16.20.0.
    But I'd recommend that you put the ACL on the L3, that way it's easily visible to all the network engineers in case there are issues.
    HTH,
    Steve
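    A first-match evaluator for the two ACLs in this thread, added as an example (not code from either post): it parses the Cisco-style permit/deny lines and runs a few constructed guest flows through Noel's original list and Steve's reordered one, which makes the ordering problem visible. It also shows one thing to check after the rewrite: the wildcard 0.0.0.31 covers only 172.16.1.0 to .31, so the separate host 172.16.1.100 from the original list still needs its own deny.

```python
import ipaddress

# The two ACLs as posted in the thread (quoted, not constructed). Lines that are not
# permit/deny entries (such as the 'ip access-list' header) are ignored by the parser.
ORIGINAL_ACL = """
ip access-list extended ACL-VLAN-20
permit tcp 172.16.20.0 0.0.0.255 host 1.1.1.1
permit tcp 172.16.20.0 0.0.0.255 host 2.1.1.1
permit tcp 172.16.20.0 0.0.0.255 any eq 80
permit tcp 172.16.20.0 0.0.0.255 any eq 443
deny tcp 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31
deny tcp 172.16.20.0 0.0.0.255 host 172.16.1.100
"""

REORDERED_ACL = """
deny ip 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31
permit udp 172.16.20.0 0.0.0.255 any eq 53
permit tcp 172.16.20.0 0.0.0.255 any eq 80
permit tcp 172.16.20.0 0.0.0.255 any eq 443
"""


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco 'address wildcard' -> network. The wildcard marks the bits that may vary,
    so 0.0.0.31 covers 32 hosts (.0 to .31), not the whole 172.16.1.x range."""
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    prefix = 32 - bin(bits).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def _parse_address(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return _wildcard_to_network(tok, tokens[i + 1]), i + 2


def parse_acl(text: str):
    """Turn 'permit|deny <proto> <src> <dst> [eq <port>]' lines into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_address(tokens, 2)
        dst, i = _parse_address(tokens, i)
        port = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        rules.append((action, proto, src, dst, port))
    return rules


def evaluate(rules, proto: str, src: str, dst: str, dport=None) -> str:
    """First matching entry wins; an unmatched packet hits the implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"


# Constructed sample flows from a guest client at 172.16.20.5 (198.51.100.53 and
# 203.0.113.10 are documentation addresses standing in for external servers).
SAMPLE_FLOWS = {
    "dns":              ("udp", "172.16.20.5", "198.51.100.53", 53),
    "web_external":     ("tcp", "172.16.20.5", "203.0.113.10", 443),
    "web_internal_27":  ("tcp", "172.16.20.5", "172.16.1.10", 80),
    "web_internal_100": ("tcp", "172.16.20.5", "172.16.1.100", 80),
    "ssh_internal":     ("tcp", "172.16.20.5", "172.16.1.10", 22),
}


def audit(acl_text: str) -> dict:
    """Map each sample flow name to the action the ACL would take on it."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, *flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("reordered", REORDERED_ACL)):
        print(label, audit(acl))
```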

  • Wlc 5500 authentication timeout

    I have a WLC 5500 controller. I have two WLANs (OBSD-Internal and OBSD-BYOD). I have authentication set up on the WLC for the BYOD WLAN using LDAP (users connect with an AD user account). They are required to re-authenticate every few minutes. This only happens on the BYOD WLAN (not Internal).

    Scott-
    Here are the results of the show wlan command:
    (Cisco Controller) >show wlan 3
    WLAN Identifier.................................. 3
    Profile Name..................................... OBSD BYOD
    Network Name (SSID).............................. OBSD-BYOD
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
      Radius-NAC State............................... Disabled
      SNMP-NAC State................................. Disabled
      Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 0
    Number of Active Clients......................... 25
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. Infinity
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ g9c-guest
    Multicast Interface.............................. Not Configured
    WLAN ACL......................................... Guest WiFi Internet Only
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Disabled
    Static IP client tunneling....................... Disabled
    Quality of Service............................... Silver (best effort)
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... All
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
       Authentication................................ Global Servers
       Accounting.................................... Global Servers
       Dynamic Interface............................. Disabled
    Local EAP Authentication......................... Disabled
    Security
       802.11 Authentication:........................ Open System
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Disabled
       CKIP ......................................... Disabled
       Web Based Authentication...................... Enabled
    ACL............................................. Web Auth
    Web Authentication server precedence:
    1............................................... local
    2............................................... radius
    3............................................... ldap
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
       Auto Anchor................................... Disabled
       H-REAP Local Switching........................ Disabled
       H-REAP Local Authentication................... Disabled
       H-REAP Learn IP Address....................... Enabled
       Client MFP.................................... Optional but inactive (WPA2 not configured)
       Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    Mobility Anchor List
    WLAN ID     IP Address            Status

  • WLC Syslog error message

    Hi all,
    I get a lot of the following syslog error messages from 3 of my 4 WLCs (two WiSMs).
    Error message:
    ethoip.c:342 ETHOIP-3-PKT_RECV_ERROR
    I searched at cisco.com and I found the information to use the bug toolkit or open a tac case, but I didn't find a bug or any further information related to that problem.
    I cannot even recognize any differences in the WLC configs; for centralized configuration I use a WCS.
    WiSM Software version: 5.0.148.0
    WCS Software version: 5.0.56.0
    Has anyone of you had the same problem?
    Thank you for all information!
    Best regards
    Peter

    Hi dennischolmes,
    After your post I checked the mobility group configuration on all four controllers, and indeed, there was an inconsistency in the configuration. The WCS couldn't see the mismatch, because the settings between the WCS and the controllers were the same. As I looked at the controllers' web pages I saw that different mobility group members with various mobility group names were configured on every single controller, maybe caused by applying a new controller template where I changed the mobility group name.
    I started from scratch configuring the mobility groups and the syslog error messages stopped.
    Thank you very much!

  • WLC WLAN Authentication from External RADIUS Server

    Dears,
    How do I make the WLC receive PoD (Packet of Disconnect) from the RADIUS server to terminate the session and disconnect authenticating clients?
    Thanks,

    Hi Ahmed,
    It's not documented well, but here it is:
    CSCso52532 No Documentation for sending RADIUS Disconnect-Request (RFC 3576)
    . If a user has to be logged out, the following attributes are expected:
      - SSH_RADIUS_AVP_SERVICE_TYPE(6) attribute with the following value:
        SSH_RADIUS_SERVICE_TYPE_LOGIN(1)
      - SSH_RADIUS_AVP_CALLING_STATION_ID(31) - this is needed if we want to delete a particular user session via a particular device (like PDA, Phone or PC)
      - SSH_RADIUS_AVP_USER_NAME(1)
    . If a management user has to be logged out, the following attributes are expected:
      - SSH_RADIUS_AVP_SERVICE_TYPE(6) attribute with the following value:
        SSH_RADIUS_SERVICE_TYPE_ADMINISTRATIVE OR SSH_RADIUS_SERVICE_TYPE_NAS_PROMPT
      - SSH_RADIUS_AVP_USER_NAME(1)
      - SSH_RADIUS_AVP_FRAMED_IP_ADDRESS(8)
    E.g.:
    *Dec 17 12:59:08.926:   Packet contains 14 AVPs:
    *Dec 17 12:59:08.926:       AVP[01] User-Name................................user@domain (17 bytes)
    *Dec 17 12:59:08.926:       AVP[02] Nas-Port.................................0x0000000d (13) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[03] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[04] Framed-IP-Address........................0x0a003f1b (167788315) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[05] NAS-Identifier...........................wlcRM_1 (7 bytes)
    *Dec 17 12:59:08.926:       AVP[06] Airespace / WLAN-Identifier..............0x00000004 (4) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[07] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)
    *Dec 17 12:59:08.926:       AVP[08] Acct-Authentic...........................0x00000001 (1) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[09] Tunnel-Type..............................0x0000000d (13) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[10] Tunnel-Medium-Type.......................0x00000006 (6) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[11] Tunnel-Group-Id..........................0x3633 (13875) (2 bytes)
    *Dec 17 12:59:08.926:       AVP[12] Acct-Status-Type.........................0x00000001 (1) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[13] Calling-Station-Id.......................10.0.63.27 (10 bytes)
    *Dec 17 12:59:08.926:       AVP[14] Called-Station-Id........................10.0.71.251 (11 bytes)
    *Dec 17 12:59:10.943: 00:1c:26:cb:27:71 Accounting-Response received from RADIUS server 10.0.71.249 for mobile 00:1c:26:cb:27:71 receiveId = 0
    *Dec 17 12:59:34.044: Received a 'RFC-3576 Disconnect-Request' from 10.0.71.249
    *Dec 17 12:59:34.044:   Packet contains 6 AVPs:
    *Dec 17 12:59:34.044:       AVP[01] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)
    *Dec 17 12:59:34.044:       AVP[02] User-Name................................user@domain (17 bytes)
    *Dec 17 12:59:34.044:       AVP[03] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)
    *Dec 17 12:59:34.044:       AVP[04] Calling-Station-Id.......................10.0.63.27 (10 bytes)
    *Dec 17 12:59:34.044:       AVP[05] Called-Station-Id........................10.0.71.251 (11 bytes)
    *Dec 17 12:59:34.044:       AVP[06] Service-Type.............................0x00000001 (1) (4 bytes)
    *Dec 17 12:59:34.044: Error cause 503 generated for 'RFC-3576 Disconnect-Request' from 10.0.71.249 (Session Identification attributes not valid)
    *Dec 17 12:59:34.045: Sent a 'RFC-3576 Disconnect-Nak' to 10.0.71.249:3799
    *Dec 17 12:59:36.561: ****Enter processIncomingMessages: response code=5
    **Share your knowledge. It’s a way to achieve immortality.
    --Dalai Lama**
    Please Rate if helpful.
    Regards
    Ed
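    As an added illustration (not from Ed's post or from Cisco), here is a Python sketch of a Disconnect-Request carrying the user-session attributes the bug text lists, with the Request Authenticator computed and checked per RFC 5176 (which obsoletes RFC 3576). The shared secret, identifier and username are constructed values; the MAC is the client from the debug above.

```python
import hashlib
import hmac
import struct

# RFC 2865 attribute types and the RFC 5176 Disconnect-Request code
DISCONNECT_REQUEST = 40
ATTR_USER_NAME = 1
ATTR_SERVICE_TYPE = 6
ATTR_CALLING_STATION_ID = 31
SERVICE_TYPE_LOGIN = 1

def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS TLVs: type, length, value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, 2 + len(v)) + v
    return out

def build_disconnect_request(secret, ident, username, calling_station_id):
    """Disconnect-Request carrying the user-session attributes listed above.
    Request Authenticator per RFC 5176 2.3: MD5(Code+ID+Length+16 zero
    octets+Attributes+Secret)."""
    attrs = encode_attrs([
        (ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)),
        (ATTR_USER_NAME, username.encode()),
        (ATTR_CALLING_STATION_ID, calling_station_id.encode()),
    ])
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def parse_attrs(packet):
    """Decode the attribute TLVs of a RADIUS packet into {type: value}."""
    attrs, pos = {}, 20
    while pos < len(packet):
        t, l = struct.unpack("!BB", packet[pos:pos + 2])
        if l < 2 or pos + l > len(packet):
            raise ValueError("malformed attribute")
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return attrs

def verify_request_authenticator(packet, secret):
    """Recompute the authenticator as the NAS (the WLC) does before acting."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)
```

    A request whose identification attributes do not match a live session is answered with a Disconnect-NAK, as the Error-Cause 503 line in the debug above shows.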

  • WLC PEAP authentication

    Hi
    I've created a local EAP profile for PEAP authentication and configured user accounts in the WLCs. When I tried to connect to the SSID via my iPhone, a certificate (local WiSM) popped up and I accepted it; then it failed with incorrect username/password. The same username/password works fine with a Windows Vista laptop. Any help?
    Thanks

    Maybe just post show local-auth config, show wlan x, show local-auth statistics?
    I am assuming you have only PEAP checked (and nothing else enabled, like server cert etc.). Is the iPhone running the latest code?
    Thanks..Salil
