WLSM and wireless user authentication.

I'm attempting to put together a solution to wireless security which does NOT include any kind of client configuration or installed supplicant. I want the Wi-Fi network to be wide open, no WEP. When users attempt to get on the network they are directed to an SSL-encrypted web interface to enter credentials checked against a RADIUS server. I've been told the new WLSM for the 6500 along with 12.2.15+ code on the WAPs might have this feature. Can anyone confirm this? I've heard about this in the past, as something that Cisco is working on, but didn't think anything had come to fruition yet.
Thanks,
-Kyle

Responding to my own post.
The solution I was fishing for is a combination of IP Mobility enabled WAPs with the SLSM in a central location, then routing them to a SESM enabled gateway.

Similar Messages

  • Wireless user authentication detail at syslog server

    Hi Dear. I configured a wireless network. I want to see my wireless user authentication details (IP address, username and, if possible, MAC address) at my syslog server. I did some configuration and the wireless controller sends something to my syslog server, but I need exactly the user authentication details.
    How do I do that? Please help me. Thank you very much.

    Hi dears. please help me

  • NAC differentiate wired and wireless users

    We have NAC installed and are using it to control both wired and wireless ports.  We also have the Guest Server that we are in the process of implementing.  We would like for only users that are created via the Guest Server to use both wired and wireless access, which we are able to do @ this point.  Our issue is that we have a Guest account that we would like to restrict to only wired users; this account is posted in conference rooms for internet access only.  We don't want this account to be able to be used on the wireless network. Is this possible?
    Thanks,
    Joe

    Where are those conference room guests authenticating currently? Through NAC? Through webauth on a switch linked with NGS?
    Nicolas

  • Wireless users Authentication of external repository? help?

    Hi people,
    My version is 9ias 1.0.2.2
    I have read that it is possible to use an external repository in order to authenticate
    wireless users.
    I would like to do this using an external repository that contains, for example, the list of telephone numbers of my users.
    Any help ?

    I believe these two links should help:
    http://otn.oracle.com/docs/products/ias/doc_library/1021doc_otn/portal.102/a86700/devrun.htm#1023745
    http://otn.oracle.com/docs/products/ias/doc_library/1021doc_otn/portal.102/a86700/devxml.htm#1012041

  • Problem with Afaria and LDAP user authentication in Android device

    Hi all,
    I have a server with Afaria 7 (SP4, hotfix3) installed. In this Afaria there is a tenant (system) without LDAP/AD integration working correctly. I need to have another tenant with LDAP integration in which the users must be authenticated.
    I know that for iOS devices it is necessary to reinstall the iphoneserver selecting "Afaria Server managed authentication", but first I want to get the Android devices running. For this reason I haven't done this yet.
    I followed these steps:
    1-Create a new tenant
    2-Configure LDAP integration
    3-Create an inventory policy with authentication required
    4-Create a static group associated to the inventory policy
    5-Create an enrolment policy associated to the static group.
    When I launch the Afaria agent on the device, the user/password parameters are required. After filling in the user/password parameters, the device connects to the server and then the message "user or password incorrects" is shown.
    I have seen the log and it seems the problem is that Afaria can't authenticate this user.
    I validated that Afaria can "see" the LDAP users by creating a user group that contains this user (JimenM99).
    The problem is authentication, because if I remove "authentication required" from the inventory policy, the device enrols correctly.
    Could you please help to solve this problem?
    Thanks in advance.  

  • INTERNAL and EXTERNAL users authentication via OAM

    Hi ,
    We have a scenario wherein a resource is protected by OAM and we want the internal users in the system to access the resource w/o any authentication. However, at the same time we want the external users to be challenged by OAM for credentials.
    How to implement such a scenario?
    Any ideas would be helpful ..
    Thanks
    Sid

    More details (architecture etc.) would be needed to suggest any kind of solution.
    Also, is the content served static or dynamic? If content is dynamic then the backend component (app) would expect identity to be propagated to it. This could be a potential issue if the internal user won't authenticate.
    If it is static content then you can make use of rewrite rules / rewrite conditions to filter IP addresses (internal users should have some IP address range). Although you may have to do multiple URL rewrites at the Apache level to bypass authentication.
    Another solution is to implement a zero sign-on experience via WNA for internal users. WNA would take advantage of the user's login to the desktop. Hope this helps.

  • AAA and local user authentication

    Hi,
    I already have AAA authentication setup on my switch. And I can use local users to login when the AAA server is unreachable.
    But I want to know if it is possible to use local users even when the AAA server is reachable. Something like first it checks the local users database and if the user does not exist then falls back to AAA, or vice versa.
    Thanks.

    Ismail, the authentication method you define acts as a service. So only when the service is not available does the method fall back to the next method you define.
    So in your case if the user account is not present in the local database it will not fall back to the AAA server.
    aaa authentication login default local group radius
    The same holds true if the user account is not there in the AAA server
    aaa authentication login default group radius local
    Only when the AAA server is not responding (service down or not reachable) will it fall back to the local database.
    Hope this helps!

  • Clean access server and wireless users

    Hi,
    The AP has several VLANs (employee, guest). There is a trunk up to the switch and all L3 VLAN interfaces are created on the switch.
    I would like to add a clean access server.
    1) Besides the configuration of the clean access server, do I just need to move the L3 VLAN interface from the switch to the clean access server untrusted interface?
    2) Is the IP address of the trusted interface on the clean access server a trunk too?
    Thank you,
    Best regards,
    Pascal

    I think yes. The IP address of the trusted interface on the clean access server needs to be configured as a trunk too. This is to the best of my knowledge.

  • Cisco ISE User Authentication Certificates for Wired and Wirless Users (BYOD)

    Can anyone tell me where we can purchase User Authentication Certificates for Wired and Wireless Users (BYOD) for Cisco ISE? Also confirm what certificates we require for the purpose.
    Please suggest the website from where we can purchase them and import them in the Cisco ISE certificate section.
    Thanks.

    Dear Mohana,
    Thanks for your reply. Can you please confirm, in regards to the EAP-TLS certificate, which authorities you recommend if I go to GoDaddy or VeriSign to buy it and then import it in ISE?
    Looking forward to your reply.
    Regards,
    Muhammad Imran Shaikh
    Resident Engineer, IT Network Section - PPL
    Mobile : 0092-312-288-1010
    LinkedIn : pk.linkedin.com/pub/muhammad-imran-shaikh/10/471/b47/

  • Radius for 802.1x; Remote Access and Wireless authentication

    Looking to use a single RADIUS platform for authenticating remote, wired and wireless users and machines. Anyone with some experience with that use to share some lessons learned...

    Hello Richard,
    There is a previous post from a user who wants to add authentication to his Cisco ACS RADIUS server for wireless clients. It might be worth contacting that user to see how he resolved this. Here is the link to the thread:
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=Getting%20Started%20with%20LANs&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd9504e
    Also, have a look at the document below, which talks about the issue:
    Selecting an EAP Method: the RADIUS Authentication Server Component
    http://www.interlinknetworks.com/news/newsletters/20031104/tech.htm
    HTH,
    GP

  • EAP-TLS on ACS v4 for wireless users

    Hi,
    I'm trying to deploy the EAP-TLS authentication method on ACS v4.0 for my local wireless users; I'm really stuck with the certificate issue and need your assistance to understand the required procedures to accomplish the task.
    As mentioned in the ACS configuration guide I have to have a CA server to generate certificates for both ACS and wireless users, but I found an option on the ACS under the System Configuration tab, then ACS Certificate Setup, called Generate Self-Signed Certificate. I generated a certificate and uploaded a copy to my PC, installed it and followed the recommended steps to configure the Microsoft XP client, but still I got the error "Windows was unable to find a certificate to log you on to the network SSID". Honestly I don't know if this is possible but I gave it a try and failed.
    Kindly advise what is the appropriate and easiest way to accomplish the task. If you could provide me with helpful documents I'll appreciate it.
    Regards,
    Belal

    I am currently using EAP-TLS authentication for my wireless users using ACS 3.2. I have had that problem before. This is what I did...
    Set up a Microsoft Certificate server as my CA. You can use the same machine for your ACS and CA.
    Then, generate a certificate signing request from ACS, request a server certificate from the CA, then copy and install the certificate to ACS. On the ACS, go to global authentication setup and check the EAP-TLS certificate. If it fails to respond, it means that the server certificate is not properly set up.
    On the Windows XP clients, connect your machine using wired LAN, then request a certificate from the CA (the same CA that you used for your ACS) using IE (ex. http://CAip/certsrv), but this time request a client certificate. The name you should put when requesting the cert must be your local Windows user; use 1024, choose Microsoft Base Cryptographic Provider 1.0, then install the certificate on the client. Verify that your client certificate was installed properly.
    At that point you should be able to connect your wireless client using EAP-TLS.

  • Cisco ip phone and wired user authenticate form ISE

    Hi dears,
    I configured wired users from Cisco ISE. The authentication protocol is EAP-FAST, the external device is DC. The wired users authenticate from ISE normally. I used the labminutes web site for configuration videos.
    Now the customer also wants the Cisco phone to authenticate from ISE. The physical connection is this: one cable connects the switch to the phone, and one cable connects the phone to the PC (standard physical connection).
    I created a new authentication policy using MAB, and a new authorization policy.
    The problem is: the phone authenticates normally, but when the wired user tries to authenticate, it cannot.
    Can someone provide me a best practice configuration on ISE and the switch for phone and wired user authentication, or please tell me the source of the problem.
    Thanks.

    interface GigabitEthernet1/0/48
     switchport access vlan 10
     switchport mode access
     switchport voice vlan 14
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action authorize vlan 20
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    do you need ISE configuration??

  • Basic User Authentication

    I'm a Dreamweaver beginner, and am trying to create a user account creation page.  I've created the basic form and applied "User Authentication->Check New Username" (checking for username field in my database).  The problem I'm having is that while I was able to successfully create one account, all subsequent account creation attempts are unsuccessful and take me back to my "If already exists..." page.  This seems like a simple thing, and in fact, there aren't too many options that I can try to get this working.  Yet I'm still stumped.
    Any ideas?

    Sorry for not including this initially.  Here's the full code module for my Sign Up page.
    <?php require_once('Connections/iband_db.php'); ?>
    <?php
    if (!function_exists("GetSQLValueString")) {
    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
    {
      if (PHP_VERSION < 6) {
        $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
      }
      $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
      switch ($theType) {
        case "text":
          $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
          break;
        case "long":
        case "int":
          $theValue = ($theValue != "") ? intval($theValue) : "NULL";
          break;
        case "double":
          $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
          break;
        case "date":
          $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
          break;
        case "defined":
          $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
          break;
      }
      return $theValue;
    }
    }
    // *** Redirect if username exists
    $MM_flag="MM_insert";
    if (isset($_POST[$MM_flag])) {
      $MM_dupKeyRedirect="taken.php";
      $loginUsername = $_POST['username'];
      $LoginRS__query = sprintf("SELECT id FROM user_profile WHERE id=%s", GetSQLValueString($loginUsername, "int"));
      mysql_select_db($database_iband_db, $iband_db);
      $LoginRS=mysql_query($LoginRS__query, $iband_db) or die(mysql_error());
      $loginFoundUser = mysql_num_rows($LoginRS);
      //if there is a row in the database, the username was found - can not add the requested username
      if($loginFoundUser){
        $MM_qsChar = "?";
        //append the username to the redirect page
        if (substr_count($MM_dupKeyRedirect,"?") >=1) $MM_qsChar = "&";
        $MM_dupKeyRedirect = $MM_dupKeyRedirect . $MM_qsChar ."requsername=".$loginUsername;
        header ("Location: $MM_dupKeyRedirect");
        exit;
      }
    }
    $editFormAction = $_SERVER['PHP_SELF'];
    if (isset($_SERVER['QUERY_STRING'])) {
      $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
    }
    if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
      $insertSQL = sprintf("INSERT INTO user_profile (id, first_name, last_name, username, password, email_address) VALUES (%s, %s, %s, %s, %s, %s)",
                           GetSQLValueString($_POST['username'], "int"),
                           GetSQLValueString($_POST['first_name'], "text"),
                           GetSQLValueString($_POST['last_name'], "text"),
                           GetSQLValueString($_POST['username'], "text"),
                           GetSQLValueString($_POST['password'], "text"),
                           GetSQLValueString($_POST['email_address'], "text"));
      mysql_select_db($database_iband_db, $iband_db);
      $Result1 = mysql_query($insertSQL, $iband_db) or die(mysql_error());
      $insertGoTo = "index.php";
      if (isset($_SERVER['QUERY_STRING'])) {
        $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
        $insertGoTo .= $_SERVER['QUERY_STRING'];
      }
      header(sprintf("Location: %s", $insertGoTo));
    }
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Sign Up Page</title>
    </head>
    <body>
    <h1>Sign Up!</h1>
    <form id="form1" name="form1" method="POST" action="<?php echo $editFormAction; ?>">
      <p>
        <label>First Name:
          <input type="text" name="first_name" id="first_name" />
        </label>
    </p>
      <p>
        <label>Last Name:
          <input type="text" name="last_name" id="last_name" />
        </label>
      </p>
      <p>
        <label>Username:
          <input type="text" name="username" id="username" />
        </label>
      </p>
      <p>
        <label>Password:
          <input type="password" name="password" id="password" />
        </label>
      </p>
      <p>
        <label>Email:
          <input type="text" name="email_address" id="email_address" />
        </label>
      </p>
      <p>
        <label>
          <input type="submit" name="button" id="button" value="Sign Up" />
        </label>
      </p>
      <input type="hidden" name="MM_insert" value="form1" />
    </form>
    <p> </p>
    </body>
    </html>
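
The duplicate check in the sign-up code above looks up id with the username cast to an integer, and PHP's intval() of a non-numeric name is 0, so once one such row exists every later non-numeric name matches it. An added example (not the poster's code or Dreamweaver output) of the same check keyed on the username column with bound parameters, a UNIQUE constraint and a hashed password; it assumes PHP 7+ with pdo_sqlite, and the in-memory table, function names and sample names are constructed for illustration.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7+ with the pdo_sqlite
// extension; the in-memory table stands in for the poster's user_profile table.
declare(strict_types=1);

function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // The database assigns id; UNIQUE on username keeps the rule true even
    // when two sign-ups race past the SELECT in username_taken().
    $pdo->exec('CREATE TABLE user_profile (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        first_name TEXT, last_name TEXT,
        username TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL,
        email_address TEXT)');
    return $pdo;
}

function username_taken(PDO $pdo, string $username): bool
{
    // Compare against the username column, as a bound string parameter.
    $stmt = $pdo->prepare('SELECT 1 FROM user_profile WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetchColumn() !== false;
}

function sign_up(PDO $pdo, array $form): string
{
    $username = trim((string)($form['username'] ?? ''));
    $password = (string)($form['password'] ?? '');
    if ($username === '' || $password === '') {
        return 'invalid';
    }
    if (username_taken($pdo, $username)) {
        return 'taken';
    }
    $stmt = $pdo->prepare('INSERT INTO user_profile
        (first_name, last_name, username, password, email_address)
        VALUES (?, ?, ?, ?, ?)');
    try {
        $stmt->execute([
            $form['first_name'] ?? null,
            $form['last_name'] ?? null,
            $username,
            password_hash($password, PASSWORD_DEFAULT), // store a hash, never the password
            $form['email_address'] ?? null,
        ]);
    } catch (PDOException $e) {
        // SQLSTATE 23000: integrity constraint violation (lost the race).
        if ((string)$e->getCode() === '23000') {
            return 'taken';
        }
        throw $e;
    }
    return 'created';
}

// Redirect target for the "taken" case; the name is URL-encoded before it
// is placed in the Location header.
function taken_redirect(string $username): string
{
    return 'taken.php?requsername=' . rawurlencode($username);
}

// Constructed sample sign-ups: two distinct names, then a repeat.
$pdo = open_demo_db();
foreach (['alice', 'bob', 'alice'] as $name) {
    $result = sign_up($pdo, ['username' => $name, 'password' => 'constructed-sample-pw']);
    echo $name, ': ', $result, $result === 'taken' ? ' -> ' . taken_redirect($name) : '', PHP_EOL;
}
```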

  • One server 4 wire and wireless

    Hi
    Can we use one NAC server for wired users and wireless users? One more thing: can the wired users license be used for wireless users or not?
    Regards,
    Vashdev

    Vashdev,
    Yes, using one server for both is possible.
    No differentiation is made between licenses.
    HTH,
    Faisal

  • NAC Guest server for wired and wireless

    Hi
    My customer wants to install the NGS for both wired and wireless users. For wireless users we can integrate it with the WLC, but I don't know how it will work for wired users at the same time. Pls suggest.
    Thanks

    Hi Vishal,
    Please note that if you want to return ACLs (and usually in wired web auth you need to), you will have to integrate with ACS as NGS itself cannot return ACLs in the reply radius attributes.
    Basically the process is as follows:
    1 - Client plugs cable on switch.
    2 - Web auth is triggered on the port.
    3 - Default ACL permitting only DNS and DHCP is applied so that the client PC can obtain an IP address and open a browser.
    4 - Client will be redirected to the NGS hotspot login page.
    5 - Client will enter credentials.
    6 - Client browser will send an HTTP POST packet containing the credentials.
    7 - The switch will intercept the POST packets and retrieve the credentials entered.
    8 - The switch will send Radius Access-Request to the ACS.
    9 - The ACS will use the NGS as External Identity source to authenticate the client.
    10 - The NGS will reply with Radius Access-Accept to the ACS and the ACS will reply to the switch including the ACL in the Access-Accept.
    11 - The switch authorizes the client on the port and applies the ACL it received from the ACS.
    Please follow the document Nicolas posted as it is a good one.
    HTH,
    Thanks
