WPA2-PSK with open MAC authentication
Can anyone help me with the configuration of Autonomous ap with WPA2-PSK with mac authentication..?
I tried configuring and created 700 ACL. But its not working
once i enable mac authentication "wpa-psk ascii 7 06020C234D1F5B4A511416" dissappears. :(
Model: AIR-SAP1602E-N-K9
IOS: ap1g2-k9w7-mx.152-2.JB2/ap1g2-k9w7-mx.152-2.JB2
Getting Error: WPA-PSK not supported with MAC address authentication configured
Similar Messages
-
WPA2+PSK with local webauth?
Hi all, I'm trying to configure a guest wlan with WPA2+PSK and local webauth. This will authenticate against ISE and once authentication is complete dropped into a authz profile.
This is supposed to be possible per cisco's docs, however when I try to set this up on the WLAN I get the message:
Only PSK can be enabled for WPA with web-auth and Radius Nac.
Well, I've got only WPA with PSK configured. Is there any 'trick' to this config that I'm missing? I've got L2 security set to WPA+WPA2, WPA2 Policy and AES with only PSK configured. Under advanced I've got AAA override and NAC state sent to radius NAC. What else, that should be it right? I've tried it on multiple controllers with the same results every time.That error is a little confusing and I don't think is a proper description of what the WLC is trying to tell you; there are actually a couple errors you may see depending on the combination of RADIUS NAC with L3 security. Essentially, you shouldn't be able to enable RADIUS NAC if you're configured for a PSK. What exactly are you trying to accomplish? It sounds like you want ISE to perform CWA for your wireless guests, but you mention local webauth. In order to do the CWA, you will use the mac-filtering option for L2 security and set security type to None. This will allow you to specify the RADIUS NAC option correctly.
When you say that "ISE will authenticate the users", how are you planning on doing this with a PSK WLAN, or are you intending that the local webauth will use RADIUS for authentication to ISE? What is the end-user flow or experience you are expecting? ie. user connects to guest, redirects, logs in, gets appropriate access.
Please also post what version of ISE and WLC you are running so we can determine what features will and will not work. -
Trouble with opening Mac system operator. Strange pulsing noise.
When I open the laptop it takes a while to reboot and the circular rainbow disc shows up for a really long time so i can't even authenticate the system. I closed and reopened the laptop many times to no avail and it started to make this loud pulsing noise. So I took the battery out. and although without the battery it made the pulsing noise I managed to authenticate it with my password and open the system.
What could be the problem? My mac is not even a year old. i use a regular adaptor since I am in Europe and it has an American plug. Could this be a factor? What should I do?First thing you should do, if you haven't... Get the 3 year extended AppleCare.
Tough to say about the noise from here, but I'd try this first...
Get Applejack...
http://www.versiontracker.com/dyn/moreinfo/macosx/19596
After installing, reboot holding down CMD+s, then when the prompt shows, type in...
applejack AUTO
Then let it do all 5 of it's things.
At least it'll eliminate some questions if it doesn't fix it.
The 5 things it does are...
Correct any Disk problems.
Repair Permissions.
Clear out Cache Files.
Repair/check several plist files.
Dump the VM files for a fresh start. -
Help with inconsistant MAC authentication on AP1200's
I am troubleshooting an issue with a wireless LAN that consists of 9 identical 1200 series AP's. All 9 AP's are configured the same except for IP and Hostname. There are 74 Wireless users at this site, they are required to authenticate to the AP's using a WEP key + MAC. All 74 MAC addresses have been entered into the access points manually from the command line.
The problem we are having is that as the number of MAC address has grown, an increasing number of the clients can no longer authenticate. They associate OK but are unable to authenticate and pick up an IP address. It also seems that the further down the list of MAC addresses in the list the client is, the more likely the problem is to happen.
Example: New Acer laptop MAC address is entered into the local database and appears at the end of the list. This laptop will not authenticate. when this MAC is entered in a fashion that places it at the top of the list, it will authenticate without any problems. This may or may not cause one of the previously entered MAC's which was authenticating to loose its ability to authenticate as it has now been bumped further down the list of MAC addresses in the local database.
I have read that MAC addresses should be entered using the CLI due to an issue that only allows the first 43 MACS to be entered from the GUI. We have been entering all MACS from the CLI as follows:
username 00aa11bb22cc password 00aa11bb22cc
username 00aa11bb22cc autocommand exit
All units are running IOS 12.3(2) JA2Based on experienced, if more wifi clients exists in the network, it's recommended to use external authentication database like Cisco Secure ACS.
Like you mentioned, web-brower only allows you to enter the first 43 MACs. If you have more than that, you need to use CLI which support max of 2,048 MACs. But to have hundreds of MACs in every APs is a huge task, and less practical.
With Cisco Secure ACS, it allows you to eliminate AP's authentication-related issues, managed the user database and helps network admin to manage the wifi services efficiently.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a13.shtml
HTH
AK -
Problems with opening Mac App Store
Ok, here is my problem. I installed Snow Leopard on my iMac and updated my OS software which is now version 10.6.8 so that I could have the Mac App Store with a view to upgrading to OS Lion. However when I went to hit on the Mac App Store icon, it tells me that "you can't use this version of the application App Store with this version of Mac OS X." It goes onto say... "You have Mac OS X 10.6.8. The application requires Mac OS X 10.7 or later."
Does anyone have any solutions to this problem, I want to upgrade to Lion (I have it on my MacBook Pro) but can't do it without the App Store (unless I pay for the key fob version which I don't want to do.Install the Mac OS X 10.6.8 Update Combo
Then restart your Mac.
It's ok to install the combo even though you are already running v10.6.8.
Make sure your Mac meets Lion's Apple - OS X Lion - Requirements
Informative articles to read before upgrading to Lion:
Lion upgrade questions and answers: Apple Support Communities
What applications are not compatible with Mac OS X 10.7 "Lion"? What upgrade or substitute options are available for common incompatible applications? @ EveryMac.com -
CSCuh08009 - WPA2-PSK mac-filter assign interface wrong after client roaming back
Hi All,
Does anyone here experienced the same problem in WLC 5500 controllers?
FW: 7.4.110
WPA2-PSK with MAC-Filter, ACS has the database of allowed host MAC addresses
Regards,
Mikhail VeranThanks Scott, The code version is 7.6.130.0 which supports Sleeping Client feature. However, as per the docu "http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76/b_cg76_chapter_010111.html#reference_7008E6F7D7094BA7AD39491D7361622D"
The authentication of sleeping clients feature is not supported with Layer 2 security and web authentication enabled.
and as you mentioned as well
...Sleeping client like George mentioned is a better way than adjusting the idle timer but strictly for layer 3 only...
Sleeping Client wasn't an option in my case. That is why I was hoping that Idle Timeout may do the trick here. This is an actual case where a client with an existing wireless network just wanted to enable sleeping client feature so that their guests don't need to re-auth if their device sleeps or they go out (break) and come back after some time. Layer-3 Web Auth alone should be enough I think. Keeping L2-PSK is probably their security team's decision, as they also use the same SSID for BYOD devices and don't want nearby people/buildings to see that there is an Open Wifi available and on joining would see the Web Auth portal and company disclaimer.
George, I agree with Dot1X method. It can be used for the BYOD devices (separate SSID) while we can keep the Guest WLAN as L3-WebAuth only on controller (or do CWA through ISE if available).
Thanks for all your help.
Rick. -
Greetings -
I currently have a Cisco AIR-AP1231G-A-K9 that is running IOS version 12.3(8)JEA1. I am trying to setup WPA2 "Personal" (WPA2-PSK) with a client running Windows XP SP2. The WLAN Nic is a Cisco a/b/g PCMCIA, driver version 2.5.0.22. I have configured the PSK on both the AP and the client and verified that I did not make a typing mistake. I have installed the Microsoft WPA2 hotfix to see if that was causing the problem but it is not. The actual problem is that the client says it's "Authenticated" but will not allow any traffic to pass through. Whenever I created an SSID NOT using WPA2-PSK, the client can ge an IP address and things function normally. Here is the current AP configuration:
sh run
Building configuration...
Current configuration : 4170 bytes
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname AP1
enable secret ****
ip subnet-zero
no aaa new-model
dot11 vlan-name Joes-VLANofFUN vlan 237
dot11 vlan-name Joes-VLANofFUN-PartII vlan 238
dot11 ssid -=b0Gg$=-
vlan 237
authentication open
--More-- authentication key-management wpa
wpa-psk ascii ****
username Cisco password ****
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 237 mode ciphers aes-ccm
ssid -=b0Gg$=-
--More-- speed basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
no power client local
power client 50
power local cck 50
power local ofdm 30
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.237
encapsulation dot1Q 237
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no cdp enable
bridge-group 237
bridge-group 237 subscriber-loop-control
bridge-group 237 block-unknown-source
--More-- no bridge-group 237 source-learning
no bridge-group 237 unicast-flooding
bridge-group 237 spanning-disabled
interface FastEthernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
speed 100
full-duplex
hold-queue 160 in
interface FastEthernet0.237
encapsulation dot1Q 237
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no cdp enable
bridge-group 237
--More-- bridge-group 237 subscriber-loop-control
bridge-group 237 block-unknown-source
no bridge-group 237 source-learning
no bridge-group 237 unicast-flooding
bridge-group 237 spanning-disabled
interface FastEthernet0.238
encapsulation dot1Q 238 native
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 10.238.1.100 255.255.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
--More-- ip default-gateway 10.238.1.10
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
control-plane
bridge 1 route ip
line con 0
privilege level 15
logging synchronous
line vty 0 4
login local
end
I have tried upgrading the WLAN NIC drivers to the latest version (3.5 I believe) but it does not help. If I run the troubleshooting task of the Aironet Desktop Utility is sasys that the Authentication tests failed, even though the status shows me as "Authenticated". Perhaps there is something in the above config that I am missing.
Any help would be greatly appreciated.
JoeCheck the hardware version of your AP radio(S).
Earlier versions (ending in "20") do not support AES (used for WPA2 / 802.11i).
You should have at least a "Radio AIR-MP31G " for your 802.11G and "Radio AIR-RM21A" for your 802.11a radio.
THe (probably) easiest way to check this is the Web GUI ... go to INterfaces, select each band, then the "Detailed Status" tab.
If your radios are older than this, the CLI and GUI will accept your configuration for WPA2/802.11i, but will not operate in that mode (and usually fail).
Either radio is independently upgradeable for ~US$100.00 through someplace like www.cdw.com.
Good Luck
Scott -
WPA PSK doesn't work with MAC Authentication. AP1231G
Hi, yesterday I've installed an Aironet Access Point 1200 series AP1231G for the first time.
I'd like to use MAC Authentication with an WPA Pre-Shared Key. But it doesn't work. If I choose "Open Authentication with MAC Authentication", I can't type an WPA Pre-Shared Key. The system doesn't keep it.
It only works with "Open Authentication" without MAC-Filter.
Settings:
Encryption Manager: TKIP
SSID Manager
1. Client Authentication: Open Authentication with MAC Authentication
2. Key Managemnet: Mandatory WPA + WPA Pre-Shared-Key
If I type in a Pre-Shared-Key and click on "Apply", the Pre-Shared-Key get loss.Tina,
In Cisco IOS releases 12.3(4)JA and later, you cannot enable both MAC-address authentication and WPA-PSK.
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a00804e7d09.html#wp1034916 -
Cisco aironet 1040: create wireless with wpa2 and mac authentication
Hi,
I created a wireless network setting "Open Authentication" and setting a wpa2 key: everything works.
I would also add the filter mac address and then next to Open Authentication I selected "with mac authentication" but I can not connect. The list of mac is specified in the "Advanced Security".
Can anyone help me? thanks
Hi,
I created a wireless network setting "Open Authentication" and setting a wpa2 key: everything works.
I would also add the filter mac address and then next to Open Authentication I selected "with mac authentication" but I can not connect. The list of mac is specified in the "Advanced Security".
Can anyone help me? thanksap#show configuration
Using 2085 out of 32768 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ap
logging rate-limit console 9
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 syslog
dot11 ssid Svez
authentication open mac-address mac_methods
authentication key-management wpa version 2
username 00907a0f2a55 password 7 1249554E425C0D542C79257D66
username 00907a0f2a55 autocommand exit
username administrator privilege 15 password 7 033449040A0620425A0D15564F42
username 0025d3db778b password 7 055B565D74481D0D1B52404A09
username 0025d3db778b autocommand exit
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers tkip
ssid Svez
antenna gain 0
station-role root
world-mode legacy
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address dhcp client-id GigabitEthernet0
no ip route-cache
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 0 4
end
ap# -
WLAN User Idle Timeout and WPA2-PSK authentication
Hi,
There is a WLAN for Guest users with Session Timeout of 65535 sec and User Idle Timeout of 28800 sec. The WLAN uses PSK as Layer-2 authentication and Web Auth as Layer-3 authentication. Authentication source is locally created users on the controllers (LocalEAP) - can be RADIUS through ISE as well.
(Cisco Controller) show>sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.6.130.0
RTOS Version..................................... 7.6.130.0
Bootloader Version............................... 7.6.130.0
Emergency Image Version.......................... 7.6.130.0
Build Type....................................... DATA + WPS
System Name...................................... vwlc-1
System Location.................................. Matrix
System Contact................................... IT HelpDesk Matrix
System ObjectID.................................. 1.3.6.1.4.1.9.1.1631
IP Address....................................... 10.10.10.50
System Up Time................................... 6 days 17 hrs 30 mins 26 secs
System Timezone Location......................... (GMT+10:00) Sydney, Melbourne, Canberra
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180
Configured Country............................... AU - Australia
--More-- or (q)uit
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 2
Number of Active Clients......................... 0
Burned-in MAC Address............................ 00:0C:29:74:15:2F
Maximum number of APs supported.................. 200
(Cisco Controller) show> wlan 2
WLAN Identifier.................................. 2
Profile Name..................................... Matrix-LocalEAP
Network Name (SSID).............................. Matrix-LocalEAP
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 65535 seconds
User Idle Timeout................................ 28800 seconds
Sleep Client..................................... disable
Sleep Client Timeout............................. 12 hours
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... vwlc-1
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Enabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... 802.1P (Tag=2)
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ 10.10.10.70 1812
Accounting.................................... 10.10.10.70 1813
Interim Update............................. Disabled
Framed IPv6 Acct AVP ...................... Prefix
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Enabled (Profile 'local-eap-matrix')
Security
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Enabled
CCKM.................................... Disabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Disabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
WAPI.......................................... Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Enabled
IPv4 ACL........................................ Unconfigured
IPv6 ACL........................................ Unconfigured
Web-Auth Flex ACL............................... Unconfigured
Web Authentication server precedence:
1............................................... local
2............................................... radius
3............................................... ldap
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Enabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
flexconnect PPPoE pass-through................ Disabled
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Disabled
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Split Tunnel (Printers).......................... Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Mobility Anchor List
WLAN ID IP Address Status
802.11u........................................ Disabled
MSAP Services.................................. Disabled
Local Policy
Priority Policy Name
The wireless user on joining the WLAN enters the PSK and than gets redirected to WLC Web Auth portal for authentication. On successful login, the user is granted access. The issue is that despite Idle Timeout being 28800 sec (8 hours), the WLC removes the client entry before 8 hours if the device goes to sleep - mostly within the first hour. Tested this on Windows 7 notebook multiple times. When the PC is put to sleep, the WLC loses its record after some time. When PC wakes up, it has to undergo Web Auth again. Debugging the client MAC generates these logs - from initial association to final clearing.
(Cisco Controller) >*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 Association received from mobile on BSSID 00:26:cb:4c:89:d1
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 Global 200 Clients are allowed to AP radio
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 Max Client Trap Threshold: 0 cur: 1
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 Rf profile 600 Clients are allowed to AP wlan
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 override for default ap group, marking intgrp NULL
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 Applying Interface policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 10
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 Re-applying interface policy for client
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 10.10.1.130 WEBAUTH_REQD (8) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2219)
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 10.10.1.130 WEBAUTH_REQD (8) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2240)
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 In processSsidIE:4850 setting Central switched to FALSE
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 Applying site-specific Local Bridging override for station 3c:a9:f4:0b:91:70 - vapId 2, site 'default-group', interface 'management'
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 Applying Local Bridging Interface Policy for station 3c:a9:f4:0b:91:70 - vlan 10, interface id 0, interface 'management'
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 STA - rates (6): 152 36 176 72 96 108 0 0 0 0 0 0 0 0 0 0
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 Processing RSN IE type 48, length 22 for mobile 3c:a9:f4:0b:91:70
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 AID 1 in Assoc Req from flex AP 00:26:cb:4c:89:d0 is same as in mscb 3c:a9:f4:0b:91:70
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 apfMs1xStateDec
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 10.10.1.130 WEBAUTH_REQD (8) Change state to START (0) last state WEBAUTH_REQD (8)
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 10.10.1.130 START (0) Initializing policy
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 10.10.1.130 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 10.10.1.130 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 Encryption policy is set to 0x80000001
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 Central switch is FALSE
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 Sending Local Switch flag = 1
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 10.10.1.130 8021X_REQD (3) DHCP Not required on AP 00:26:cb:4c:89:d0 vapId 2 apVapId 2for this client
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 10.10.1.130 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:26:cb:4c:89:d0 vapId 2 apVapId 2 flex-acl-name:
*apfMsConnTask_0: Feb 04 07:48:10.562: 3c:a9:f4:0b:91:70 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 3c:a9:f4:0b:91:70 on AP 00:26:cb:4c:89:d0 from Associated to Associated
*apfMsConnTask_0: Feb 04 07:48:10.563: 3c:a9:f4:0b:91:70 apfPemAddUser2:session timeout forstation 3c:a9:f4:0b:91:70 - Session Tout 65535, apfMsTimeOut '65535' and sessionTimerRunning flag is 0
*apfMsConnTask_0: Feb 04 07:48:10.563: 3c:a9:f4:0b:91:70 Scheduling deletion of Mobile Station: (callerId: 49) in 65535 seconds
*apfMsConnTask_0: Feb 04 07:48:10.563: 3c:a9:f4:0b:91:70 Func: apfPemAddUser2, Ms Timeout = 65535, Session Timeout = 65535
*apfMsConnTask_0: Feb 04 07:48:10.563: 3c:a9:f4:0b:91:70 Sending Assoc Response to station on BSSID 00:26:cb:4c:89:d1 (status 0) ApVapId 2 Slot 0
*apfMsConnTask_0: Feb 04 07:48:10.563: 3c:a9:f4:0b:91:70 apfProcessAssocReq (apf_80211.c:8294) Changing state for mobile 3c:a9:f4:0b:91:70 on AP 00:26:cb:4c:89:d0 from Associated to Associated
*pemReceiveTask: Feb 04 07:48:10.563: 3c:a9:f4:0b:91:70 10.10.1.130 Removed NPU entry.
*spamApTask7: Feb 04 07:48:10.566: 3c:a9:f4:0b:91:70 Sent 1x initiate message to multi thread task for mobile 3c:a9:f4:0b:91:70
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.566: 3c:a9:f4:0b:91:70 Creating a PKC PMKID Cache entry for station 3c:a9:f4:0b:91:70 (RSN 2)
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.566: 3c:a9:f4:0b:91:70 Resetting MSCB PMK Cache Entry 0 for station 3c:a9:f4:0b:91:70
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.566: 3c:a9:f4:0b:91:70 Removing BSSID 00:26:cb:4c:89:d1 from PMKID cache of station 3c:a9:f4:0b:91:70
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.566: 3c:a9:f4:0b:91:70 Setting active key cache index 0 ---> 8
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.566: 3c:a9:f4:0b:91:70 Setting active key cache index 8 ---> 0
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.566: 3c:a9:f4:0b:91:70 Adding BSSID 00:26:cb:4c:89:d1 to PMKID cache at index 0 for station 3c:a9:f4:0b:91:70
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.566: New PMKID: (16)
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.566: [0000] 67 67 8f 7d 2a 8d 78 f9 6d 29 c7 74 d2 fd 6a 25
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.566: 3c:a9:f4:0b:91:70 Initiating RSN PSK to mobile 3c:a9:f4:0b:91:70
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.566: 3c:a9:f4:0b:91:70 EAP-PARAM Debug - eap-params for Wlan-Id :2 is disabled - applying Global eap timers and retries
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.566: 3c:a9:f4:0b:91:70 dot1x - moving mobile 3c:a9:f4:0b:91:70 into Force Auth state
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.566: 3c:a9:f4:0b:91:70 Skipping EAP-Success to mobile 3c:a9:f4:0b:91:70
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.566: 3c:a9:f4:0b:91:70 EAPOL Header:
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.566: 00000000: 02 03 5f 00 .._.
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.566: 3c:a9:f4:0b:91:70 Found an cache entry for BSSID 00:26:cb:4c:89:d1 in PMKID cache at index 0 of station 3c:a9:f4:0b:91:70
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.566: 3c:a9:f4:0b:91:70 Found an cache entry for BSSID 00:26:cb:4c:89:d1 in PMKID cache at index 0 of station 3c:a9:f4:0b:91:70
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.566: Including PMKID in M1 (16)
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.566: [0000] 67 67 8f 7d 2a 8d 78 f9 6d 29 c7 74 d2 fd 6a 25
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.566: 3c:a9:f4:0b:91:70 Starting key exchange to mobile 3c:a9:f4:0b:91:70, data packets will be dropped
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.566: 3c:a9:f4:0b:91:70 Sending EAPOL-Key Message to mobile 3c:a9:f4:0b:91:70
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.566: 3c:a9:f4:0b:91:70 Sending EAPOL-Key Message to mobile 3c:a9:f4:0b:91:70
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.566: 3c:a9:f4:0b:91:70 Allocating EAP Pkt for retransmission to mobile 3c:a9:f4:0b:91:70
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.566: 3c:a9:f4:0b:91:70 mscb->apfMsLwappLradNhMac = 00:0c:29:e4:e9:6a mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.566: 3c:a9:f4:0b:91:70 mscb->apfMsBssid = 00:26:cb:4c:89:d0 mscb->apfMsAddress = 3c:a9:f4:0b:91:70 mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.566: 3c:a9:f4:0b:91:70 dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 10 mscb->apfMsLwappMwarInet.ipv4.addr = 168430130
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.566: 3c:a9:f4:0b:91:70 mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 168427904 mscb->apfMsLwappLradPort = 41879
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.567: 3c:a9:f4:0b:91:70 Received EAPOL-Key from mobile 3c:a9:f4:0b:91:70
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.568: 3c:a9:f4:0b:91:70 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 3c:a9:f4:0b:91:70
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.568: 3c:a9:f4:0b:91:70 Received EAPOL-key in PTK_START state (message 2) from mobile 3c:a9:f4:0b:91:70
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.568: 3c:a9:f4:0b:91:70 Stopping retransmission timer for mobile 3c:a9:f4:0b:91:70
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.568: 3c:a9:f4:0b:91:70 EAPOL Header:
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.568: 00000000: 02 03 5f 00 .._.
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.568: 3c:a9:f4:0b:91:70 Sending EAPOL-Key Message to mobile 3c:a9:f4:0b:91:70
state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.568: 3c:a9:f4:0b:91:70 Sending EAPOL-Key Message to mobile 3c:a9:f4:0b:91:70
state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.568: 3c:a9:f4:0b:91:70 Reusing allocated memory for EAP Pkt for retransmission to mobile 3c:a9:f4:0b:91:70
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.568: 3c:a9:f4:0b:91:70 mscb->apfMsLwappLradNhMac = 00:0c:29:e4:e9:6a mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.568: 3c:a9:f4:0b:91:70 mscb->apfMsBssid = 00:26:cb:4c:89:d0 mscb->apfMsAddress = 3c:a9:f4:0b:91:70 mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.568: 3c:a9:f4:0b:91:70 dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 10 mscb->apfMsLwappMwarInet.ipv4.addr = 168430130
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.568: 3c:a9:f4:0b:91:70 mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 168427904 mscb->apfMsLwappLradPort = 41879
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.569: 3c:a9:f4:0b:91:70 Received EAPOL-Key from mobile 3c:a9:f4:0b:91:70
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.569: 3c:a9:f4:0b:91:70 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 3c:a9:f4:0b:91:70
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.569: 3c:a9:f4:0b:91:70 Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 3c:a9:f4:0b:91:70
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.569: 3c:a9:f4:0b:91:70 Stopping retransmission timer for mobile 3c:a9:f4:0b:91:70
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.569: 3c:a9:f4:0b:91:70 Freeing EAP Retransmit Bufer for mobile 3c:a9:f4:0b:91:70
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.569: 3c:a9:f4:0b:91:70 apfMs1xStateInc
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.569: 3c:a9:f4:0b:91:70 10.10.1.130 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state 8021X_REQD (3)
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.569: 3c:a9:f4:0b:91:70 Central switch is FALSE
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.569: 3c:a9:f4:0b:91:70 Sending the Central Auth Info
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.569: 3c:a9:f4:0b:91:70 Central Auth Info Allocated PMKLen = 32
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.569: EapolReplayCounter: 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.569: EapolReplayCounter: 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.569: 3c:a9:f4:0b:91:70 PMK: pmkActiveIndex = 0
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.569: 3c:a9:f4:0b:91:70 EapolReplayCounter: 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.569: 3c:a9:f4:0b:91:70 msAssocTypeFlagsMsb = 0 msAssocTypeFlagsLsb = 2
apfMsEntryType = 0 apfMsEapType = 0
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.569: 3c:a9:f4:0b:91:70 Sending Local Switch flag = 1
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.569: 3c:a9:f4:0b:91:70 10.10.1.130 L2AUTHCOMPLETE (4) DHCP Not required on AP 00:26:cb:4c:89:d0 vapId 2 apVapId 2for this client
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.569: 3c:a9:f4:0b:91:70 Not Using WMM Compliance code qosCap 00
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.569: 3c:a9:f4:0b:91:70 10.10.1.130 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:26:cb:4c:89:d0 vapId 2 apVapId 2 flex-acl-name:
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.569: 3c:a9:f4:0b:91:70 10.10.1.130 L2AUTHCOMPLETE (4) Change state to WEBAUTH_REQD (8) last state L2AUTHCOMPLETE (4)
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.569: 3c:a9:f4:0b:91:70 10.10.1.130 WEBAUTH_REQD (8) pemAdvanceState2 6236, Adding TMP rule
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.569: 3c:a9:f4:0b:91:70 10.10.1.130 WEBAUTH_REQD (8) Adding Fast Path rule
type = Airespace AP Client - ACL passthru
on AP 00:26:cb:4c:89:d0, slot 0, interface = 1, QOS = 0
IPv4 ACL ID
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.569: 3c:a9:f4:0b:91:70 10.10.1.130 WEBAUTH_REQD (8) Fast Path rule (contd...) 802.1P = 2, DSCP = 0, TokenID = 64206 Local Bridging Vlan = 10, Local Bridging intf id = 0
*Dot1x_NW_MsgTask_0: Feb 04 07:48:10.569: 3c:a9:f4:0b:91:70 10.10.1.130 WEBAUTH_REQD (8) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
*spamApTask7: Feb 04 07:48:10.569: 3c:a9:f4:0b:91:70 spamEncodeCentralAuthInoMsPayload: msAssocTypeFlagsMsb = 0 msAssocTypeFlagsLsb = 2
apfMsEntryType = 0 pmkLen = 32
*pemReceiveTask: Feb 04 07:48:10.570: 3c:a9:f4:0b:91:70 10.10.1.130 Added NPU entry of type 2, dtlFlags 0x0
*pemReceiveTask: Feb 04 07:48:10.570: 3c:a9:f4:0b:91:70 Pushing IPv6: fe80:0000:0000:0000:c915:4a8e:6d1a:e20d , and MAC: 3C:A9:F4:0B:91:70 , Binding to Data Plane. SUCCESS !!
*DHCP Socket Task: Feb 04 07:48:10.589: 3c:a9:f4:0b:91:70 DHCP received op BOOTREPLY (2) (len 308,vlan 10, port 1, encap 0xec03)
*DHCP Socket Task: Feb 04 07:48:10.589: 3c:a9:f4:0b:91:70 DHCP processing DHCP ACK (5)
*DHCP Socket Task: Feb 04 07:48:10.589: 3c:a9:f4:0b:91:70 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Feb 04 07:48:10.589: 3c:a9:f4:0b:91:70 DHCP xid: 0xcce207f6 (3437365238), secs: 0, flags: 0
*DHCP Socket Task: Feb 04 07:48:10.589: 3c:a9:f4:0b:91:70 DHCP chaddr: 3c:a9:f4:0b:91:70
*DHCP Socket Task: Feb 04 07:48:10.589: 3c:a9:f4:0b:91:70 DHCP ciaddr: 0.0.0.0, yiaddr: 10.10.1.130
*DHCP Socket Task: Feb 04 07:48:10.589: 3c:a9:f4:0b:91:70 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Feb 04 07:48:10.589: 3c:a9:f4:0b:91:70 DHCP server id: 10.10.1.20 rcvd server id: 10.10.1.20
*SNMPTask: Feb 04 07:48:16.594: 3c:a9:f4:0b:91:70 Central Switch = FALSE
*SNMPTask: Feb 04 07:48:16.594: 3c:a9:f4:0b:91:70 Central Switch = FALSE
*SNMPTask: Feb 04 07:48:16.595: 3c:a9:f4:0b:91:70 Central Switch = FALSE
*SNMPTask: Feb 04 07:48:16.595: 3c:a9:f4:0b:91:70 Central Switch = FALSE
*ewmwebWebauth1: Feb 04 07:48:31.129: 3c:a9:f4:0b:91:70 Username entry (local1) created for mobile, length = 6
*ewmwebWebauth1: Feb 04 07:48:31.130: 3c:a9:f4:0b:91:70 Username entry (local1) created in mscb for mobile, length = 6
*ewmwebWebauth1: Feb 04 07:48:31.130: 3c:a9:f4:0b:91:70 10.10.1.130 WEBAUTH_REQD (8) Change state to WEBAUTH_NOL3SEC (14) last state WEBAUTH_REQD (8)
*ewmwebWebauth1: Feb 04 07:48:31.130: 3c:a9:f4:0b:91:70 apfMsRunStateInc
*ewmwebWebauth1: Feb 04 07:48:31.130: 3c:a9:f4:0b:91:70 10.10.1.130 WEBAUTH_NOL3SEC (14) Change state to RUN (20) last state WEBAUTH_NOL3SEC (14)
*ewmwebWebauth1: Feb 04 07:48:31.130: 3c:a9:f4:0b:91:70 Session Timeout is 65535 - starting session timer for the mobile
*ewmwebWebauth1: Feb 04 07:48:31.130: 3c:a9:f4:0b:91:70 10.10.1.130 RUN (20) Reached PLUMBFASTPATH: from line 6571
*ewmwebWebauth1: Feb 04 07:48:31.131: 3c:a9:f4:0b:91:70 10.10.1.130 RUN (20) Replacing Fast Path rule
type = Airespace AP Client
on AP 00:26:cb:4c:89:d0, slot 0, interface = 1, QOS = 0
IPv4 ACL ID = 255, IPv6 ACL ID =
*ewmwebWebauth1: Feb 04 07:48:31.131: 3c:a9:f4:0b:91:70 10.10.1.130 RUN (20) Fast Path rule (contd...) 802.1P = 2, DSCP = 0, TokenID = 64206 Local Bridging Vlan = 10, Local Bridging intf id = 0
*ewmwebWebauth1: Feb 04 07:48:31.131: 3c:a9:f4:0b:91:70 10.10.1.130 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
*pemReceiveTask: Feb 04 07:48:31.132: 3c:a9:f4:0b:91:70 10.10.1.130 Added NPU entry of type 1, dtlFlags 0x0
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >*pemReceiveTask: Feb 04 07:48:31.132: 3c:a9:f4:0b:91:70 Pushing IPv6: fe80:0000:0000:0000:c915:4a8e:6d1a:e20d , and MAC: 3C:A9:F4:0B:91:70 , Binding to Data Plane. SUCCESS !!
*emWeb: Feb 04 07:49:14.120: 3c:a9:f4:0b:91:70 Central Switch = FALSE
*emWeb: Feb 04 07:49:14.120: 3c:a9:f4:0b:91:70 Central Switch = FALSE
*emWeb: Feb 04 07:49:14.120: 3c:a9:f4:0b:91:70 Central Switch = FALSE
*SNMPTask: Feb 04 07:51:19.646: 3c:a9:f4:0b:91:70 Central Switch = FALSE
*SNMPTask: Feb 04 07:51:19.646: 3c:a9:f4:0b:91:70 Central Switch = FALSE
*SNMPTask: Feb 04 07:51:19.662: 3c:a9:f4:0b:91:70 Central Switch = FALSE
*SNMPTask: Feb 04 07:51:19.662: 3c:a9:f4:0b:91:70 Central Switch = FALSE
*SNMPTask: Feb 04 07:51:19.663: 3c:a9:f4:0b:91:70 Central Switch = FALSE
*SNMPTask: Feb 04 07:51:19.663: 3c:a9:f4:0b:91:70 Central Switch = FALSE
*IPv6_Msg_Task: Feb 04 07:53:35.661: 3c:a9:f4:0b:91:70 Link Local address fe80::c915:4a8e:6d1a:e20d updated to mscb. Not Advancing pem state.Current state: mscb in apfMsMmInitial mobility state and client state APF_MS_STATE_A
*dot1xMsgTask: Feb 04 07:54:26.664: GTK Rotation Kicked in for AP: 00:26:cb:4c:89:d0 SlotId = 1 - (0x47440ef0)
*dot1xMsgTask: Feb 04 07:54:26.665: Generated a new group key for AP 00:26:cb:4c:89:d0(1) - vap 1
*dot1xMsgTask: Feb 04 07:54:26.665: Sending of M5 for 00:26:cb:4c:89:d0 is Skipped, rc = 1
*dot1xMsgTask: Feb 04 07:54:26.665: Generated a new group key for AP 00:26:cb:4c:89:d0(1) - vap 2
*dot1xMsgTask: Feb 04 07:54:26.665: Sending of M5 for 00:26:cb:4c:89:d0 is Skipped, rc = 1
*SNMPTask: Feb 04 07:56:19.689: 3c:a9:f4:0b:91:70 Central Switch = FALSE
*SNMPTask: Feb 04 07:56:19.689: 3c:a9:f4:0b:91:70 Central Switch = FALSE
*SNMPTask: Feb 04 08:01:19.730: 3c:a9:f4:0b:91:70 Central Switch = FALSE
*SNMPTask: Feb 04 08:01:19.730: 3c:a9:f4:0b:91:70 Central Switch = FALSE
*dot1xMsgTask: Feb 04 08:01:23.904: GTK Rotation Kicked in for AP: 00:26:cb:4c:89:d0 SlotId = 0 - (0x47440ef0)
*dot1xMsgTask: Feb 04 08:01:23.904: Generated a new group key for AP 00:26:cb:4c:89:d0(0) - vap 1
*dot1xMsgTask: Feb 04 08:01:23.905: Sending of M5 for 00:26:cb:4c:89:d0 is Skipped, rc = 1
*dot1xMsgTask: Feb 04 08:01:23.905: Generated a new group key for AP 00:26:cb:4c:89:d0(0) - vap 2
*dot1xMsgTask: Feb 04 08:01:23.905: GTK rotation for 3c:a9:f4:0b:91:70
*dot1xMsgTask: Feb 04 08:01:23.905: 3c:a9:f4:0b:91:70 EAPOL Header:
*dot1xMsgTask: Feb 04 08:01:23.905: 00000000: 02 03 5f 00 .._.
*dot1xMsgTask: Feb 04 08:01:23.905: 3c:a9:f4:0b:91:70 Key exchange done, data packets from mobile 3c:a9:f4:0b:91:70 should be forwarded shortly
*dot1xMsgTask: Feb 04 08:01:23.905: 3c:a9:f4:0b:91:70 Key exchange done, data packets from mobile 3c:a9:f4:0b:91:70 should be forwarded shortly
*dot1xMsgTask: Feb 04 08:01:23.906: Confirmation Key: (16)
*dot1xMsgTask: Feb 04 08:01:23.906: [0000] fa a3 68 28 46 1f 49 18 a0 60 7a 92 c4 f5 64 3d
*dot1xMsgTask: Feb 04 08:01:23.906: 3c:a9:f4:0b:91:70 Sending EAPOL-Key Message to mobile 3c:a9:f4:0b:91:70
state PTKINITDONE (message 5 - group), replay counter 00.00.00.00.00.00.00.02
*dot1xMsgTask: Feb 04 08:01:23.906: 3c:a9:f4:0b:91:70 Sending EAPOL-Key Message to mobile 3c:a9:f4:0b:91:70
state PTKINITDONE (message 5 - group), replay counter 00.00.00.00.00.00.00.02
*dot1xMsgTask: Feb 04 08:01:23.906: 3c:a9:f4:0b:91:70 Allocating EAP Pkt for retransmission to mobile 3c:a9:f4:0b:91:70
*dot1xMsgTask: Feb 04 08:01:23.906: 3c:a9:f4:0b:91:70 mscb->apfMsLwappLradNhMac = 00:0c:29:e4:e9:6a mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*dot1xMsgTask: Feb 04 08:01:23.906: 3c:a9:f4:0b:91:70 mscb->apfMsBssid = 00:26:cb:4c:89:d0 mscb->apfMsAddress = 3c:a9:f4:0b:91:70 mscb->apfMsApVapId = 2
*dot1xMsgTask: Feb 04 08:01:23.907: 3c:a9:f4:0b:91:70 dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 1 mscb->apfMsLwappLradVlanId = 10 mscb->apfMsLwappMwarInet.ipv4.addr = 168430130
*dot1xMsgTask: Feb 04 08:01:23.907: 3c:a9:f4:0b:91:70 mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 168427904 mscb->apfMsLwappLradPort = 41879
*dot1xMsgTask: Feb 04 08:01:23.907: 3c:a9:f4:0b:91:70 Updated broadcast key sent to mobile 3C:A9:F4:0B:91:70
*dot1xMsgTask: Feb 04 08:01:23.907: 3c:a9:f4:0b:91:70 Updated broadcast key sent to mobile 3C:A9:F4:0B:91:70
*dot1xMsgTask: Feb 04 08:01:23.907: Sending of M5 for 00:26:cb:4c:89:d0 is Skipped, rc = 1
*osapiBsnTimer: Feb 04 08:01:25.104: 3c:a9:f4:0b:91:70 802.1x 'timeoutEvt' Timer expired for station 3c:a9:f4:0b:91:70 and for message = M5
*dot1xMsgTask: Feb 04 08:01:25.104: 3c:a9:f4:0b:91:70 Retransmit 1 of EAPOL-Key M5 (length 131) for mobile 3c:a9:f4:0b:91:70
*dot1xMsgTask: Feb 04 08:01:25.104: 3c:a9:f4:0b:91:70 mscb->apfMsLwappLradNhMac = 00:0c:29:e4:e9:6a mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*dot1xMsgTask: Feb 04 08:01:25.104: 3c:a9:f4:0b:91:70 mscb->apfMsBssid = 00:26:cb:4c:89:d0 mscb->apfMsAddress = 3c:a9:f4:0b:91:70 mscb->apfMsApVapId = 2
*dot1xMsgTask: Feb 04 08:01:25.104: 3c:a9:f4:0b:91:70 dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 1 mscb->apfMsLwappLradVlanId = 10 mscb->apfMsLwappMwarInet.ipv4.addr = 168430130
*dot1xMsgTask: Feb 04 08:01:25.104: 3c:a9:f4:0b:91:70 mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 168427904 mscb->apfMsLwappLradPort = 41879
*osapiBsnTimer: Feb 04 08:01:26.104: 3c:a9:f4:0b:91:70 802.1x 'timeoutEvt' Timer expired for station 3c:a9:f4:0b:91:70 and for message = M5
*dot1xMsgTask: Feb 04 08:01:26.104: 3c:a9:f4:0b:91:70 Retransmit 2 of EAPOL-Key M5 (length 131) for mobile 3c:a9:f4:0b:91:70
*dot1xMsgTask: Feb 04 08:01:26.104: 3c:a9:f4:0b:91:70 mscb->apfMsLwappLradNhMac = 00:0c:29:e4:e9:6a mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*dot1xMsgTask: Feb 04 08:01:26.104: 3c:a9:f4:0b:91:70 mscb->apfMsBssid = 00:26:cb:4c:89:d0 mscb->apfMsAddress = 3c:a9:f4:0b:91:70 mscb->apfMsApVapId = 2
*dot1xMsgTask: Feb 04 08:01:26.104: 3c:a9:f4:0b:91:70 dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 1 mscb->apfMsLwappLradVlanId = 10 mscb->apfMsLwappMwarInet.ipv4.addr = 168430130
*dot1xMsgTask: Feb 04 08:01:26.104: 3c:a9:f4:0b:91:70 mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 168427904 mscb->apfMsLwappLradPort = 41879
*osapiBsnTimer: Feb 04 08:01:27.104: 3c:a9:f4:0b:91:70 802.1x 'timeoutEvt' Timer expired for station 3c:a9:f4:0b:91:70 and for message = M5
*dot1xMsgTask: Feb 04 08:01:27.104: 3c:a9:f4:0b:91:70 Retransmit failure for EAPOL-Key M5 to mobile 3c:a9:f4:0b:91:70, retransmit count 3, mscb deauth count 0
*dot1xMsgTask: Feb 04 08:01:27.104: 3c:a9:f4:0b:91:70 Resetting MSCB PMK Cache Entry 0 for station 3c:a9:f4:0b:91:70
*dot1xMsgTask: Feb 04 08:01:27.105: 3c:a9:f4:0b:91:70 Removing BSSID 00:26:cb:4c:89:d1 from PMKID cache of station 3c:a9:f4:0b:91:70
*dot1xMsgTask: Feb 04 08:01:27.105: 3c:a9:f4:0b:91:70 Setting active key cache index 0 ---> 8
*dot1xMsgTask: Feb 04 08:01:27.105: 3c:a9:f4:0b:91:70 Sent Deauthenticate to mobile on BSSID 00:26:cb:4c:89:d0 slot 0(caller 1x_ptsm.c:598)
*dot1xMsgTask: Feb 04 08:01:27.105: 3c:a9:f4:0b:91:70 Setting active key cache index 8 ---> 8
*dot1xMsgTask: Feb 04 08:01:27.105: 3c:a9:f4:0b:91:70 Deleting the PMK cache when de-authenticating the client.
*dot1xMsgTask: Feb 04 08:01:27.105: 3c:a9:f4:0b:91:70 Global PMK Cache deletion failed.
*dot1xMsgTask: Feb 04 08:01:27.106: 3c:a9:f4:0b:91:70 Scheduling deletion of Mobile Station: (callerId: 57) in 10 seconds
*dot1xMsgTask: Feb 04 08:01:27.106: 3c:a9:f4:0b:91:70 Freeing EAP Retransmit Bufer for mobile 3c:a9:f4:0b:91:70
*osapiBsnTimer: Feb 04 08:01:37.105: 3c:a9:f4:0b:91:70 apfMsExpireCallback (apf_ms.c:626) Expiring Mobile!
*apfReceiveTask: Feb 04 08:01:37.105: 3c:a9:f4:0b:91:70 apfMsExpireMobileStation (apf_ms.c:6655) Changing state for mobile 3c:a9:f4:0b:91:70 on AP 00:26:cb:4c:89:d0 from Associated to Disassociated
*apfReceiveTask: Feb 04 08:01:37.105: 3c:a9:f4:0b:91:70 Scheduling deletion of Mobile Station: (callerId: 45) in 10 seconds
*osapiBsnTimer: Feb 04 08:01:47.105: 3c:a9:f4:0b:91:70 apfMsExpireCallback (apf_ms.c:626) Expiring Mobile!
*apfReceiveTask: Feb 04 08:01:47.106: 3c:a9:f4:0b:91:70 Sent Deauthenticate to mobile on BSSID 00:26:cb:4c:89:d0 slot 0(caller apf_ms.c:6749)
*apfReceiveTask: Feb 04 08:01:47.106: 3c:a9:f4:0b:91:70 Setting active key cache index 8 ---> 8
*apfReceiveTask: Feb 04 08:01:47.106: 3c:a9:f4:0b:91:70 Deleting the PMK cache when de-authenticating the client.
*apfReceiveTask: Feb 04 08:01:47.106: 3c:a9:f4:0b:91:70 Global PMK Cache deletion failed.
*apfReceiveTask: Feb 04 08:01:47.106: 3c:a9:f4:0b:91:70 apfMsAssoStateDec
*apfReceiveTask: Feb 04 08:01:47.106: 3c:a9:f4:0b:91:70 apfMsExpireMobileStation (apf_ms.c:6787) Changing state for mobile 3c:a9:f4:0b:91:70 on AP 00:26:cb:4c:89:d0 from Disassociated to Idle
*apfReceiveTask: Feb 04 08:01:47.106: 3c:a9:f4:0b:91:70 Scheduling deletion of Mobile Station: (callerId: 47) in 10 seconds
*osapiBsnTimer: Feb 04 08:01:57.106: 3c:a9:f4:0b:91:70 apfMsExpireCallback (apf_ms.c:626) Expiring Mobile!
*apfReceiveTask: Feb 04 08:01:57.106: 3c:a9:f4:0b:91:70 pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfReceiveTask: Feb 04 08:01:57.106: 3c:a9:f4:0b:91:70 10.10.1.130 START (0) Deleted mobile LWAPP rule on AP [00:26:cb:4c:89:d0]
*apfReceiveTask: Feb 04 08:01:57.106: 3c:a9:f4:0b:91:70 Username entry deleted for mobile
*apfReceiveTask: Feb 04 08:01:57.106: 3c:a9:f4:0b:91:70 Deleting mobile on AP 00:26:cb:4c:89:d0(0)
If Layer-2 Auth (PSK) is set to "none" and only Layer-3 Web Auth is kept, then there are no issues. PC can wake up before 8 hours and not prompted for Web Auth again. As a test, I setup the WLAN with Layer-2 PSK auth only with Layer-3 auth set to none. The WLC removed the client entry after 25 minutes. Not an issue for PSK based auth only as PC on wake up seamlessly gets associated to WLAN.
Is User Idle Timeout setting not valid when WPA2-PSK is used as the auth method ?
Thanks,
Rick.Thanks Scott, The code version is 7.6.130.0 which supports Sleeping Client feature. However, as per the docu "http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76/b_cg76_chapter_010111.html#reference_7008E6F7D7094BA7AD39491D7361622D"
The authentication of sleeping clients feature is not supported with Layer 2 security and web authentication enabled.
and as you mentioned as well
...Sleeping client like George mentioned is a better way than adjusting the idle timer but strictly for layer 3 only...
Sleeping Client wasn't an option in my case. That is why I was hoping that Idle Timeout may do the trick here. This is an actual case where a client with an existing wireless network just wanted to enable sleeping client feature so that their guests don't need to re-auth if their device sleeps or they go out (break) and come back after some time. Layer-3 Web Auth alone should be enough I think. Keeping L2-PSK is probably their security team's decision, as they also use the same SSID for BYOD devices and don't want nearby people/buildings to see that there is an Open Wifi available and on joining would see the Web Auth portal and company disclaimer.
George, I agree with Dot1X method. It can be used for the BYOD devices (separate SSID) while we can keep the Guest WLAN as L3-WebAuth only on controller (or do CWA through ISE if available).
Thanks for all your help.
Rick. -
Configuring Aironet 1040 with WPA2-PSK
I am attempting to configure two Aironet 1040 series wireless access points for the first time and am having some difficulty. This office does not have a RADIUS server so I would like to set them up to use WPA2 with a pre-shared key. However just how this is accomplished is not immediately apparent. I have attempted using both the command line interface and the web interface, but I get errors in both places. It doesn't seem like it is all that difficult, we're just talking about a few lines in the configuration file.
This is what I have so far:
Current configuration : 1684 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ap1
logging rate-limit console 9
enable secret 5 $1$q9i9$V8Z042Zif0H7t4qN5awMM.
no aaa new-model
ip domain name Office
dot11 syslog
dot11 ssid WLAN
vlan 30
authentication open
username Cisco password 7 05280F1C2243
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers tkip
ssid WLAN
antenna gain 0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
ssid WLAN
antenna gain 0
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 192.168.2.2 255.255.255.0
no ip route-cache
ip default-gateway 192.168.2.1
ip http server
no ip http secure-server
ip http help-path
http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
access-list 111 permit tcp any any neq telnet
bridge 1 route ip
line con 0
access-class 111 in
line vty 0 4
access-class 111 in
login local
endOK, I figured out some of what was going on. The admin account was set to read only instead of read/write, and both radios had not been added to my VLAN. Now I have successfully (?) configured WPA2-PSK on both wireless access points, and they are broadcasting their SSIDs, but I am unable to connect to them for an unknown reason. I am prompted for the pre shared key and then the connection fails. Hmm...
-
Unable to connect to Wi-Fi connection using WPA2 PSK authentication and encryption type TKIP
I was referred to here from this thread at the Windows Insider Program: http://answers.microsoft.com/en-us/insider/forum/insider_wintp-insider_web/unable-to-connect-to-wi-fi-connection-using-wpa2/07bae1ed-c7fb-4f85-9d26-5549cc23e57a?msgId=2eb70420-fe35-494b-a13d-dcacd4d55eb9&rtAction=1426697691002
My issue is copy/pasted below:
Original Title: TKIP selection in WiFi network settings
I have a workplace WiFi connection using WPA2 PSK authentication and encryption type TKIP.
On the machine I used to test Windows 10, I had a previous installation of Windows 7 professional which connected to my workplace WiFi using the above settings. After installing Windows 10, my workplace wifi settings were imported and worked fine.
Windows 10 had a system crash, and since I had deleted my previous windows installation, I performed a complete reinstall of Windows 7. However, when I went to install Windows 10 again, I had not taken the time to set up my workplace Wifi on Windows
7 before installing Windows 10. As a result, I had to set up my workplace wifi as a new connection in Windows 10.
When going to set up the wifi connection, the encryption type was grayed out, but appeared to default to AES. Searching the internet suggested that Windows 8.1 did not need a encryption type selected, because Windows could automatically determine
if it was TKIP or AES, hence why the option to select encryption type was grayed out. However, after completing the setup of my workplace wifi, Windows 10 could not connect to my workplace wifi. After restoring Windows 7 with a factory reset, and setting up
the workplace wifi (the encryption type selection was not grayed out and I manually selected TKIP encryption), my workplace wifi was working again.I was referred to here from this thread at the Windows Insider Program: http://answers.microsoft.com/en-us/insider/forum/insider_wintp-insider_web/unable-to-connect-to-wi-fi-connection-using-wpa2/07bae1ed-c7fb-4f85-9d26-5549cc23e57a?msgId=2eb70420-fe35-494b-a13d-dcacd4d55eb9&rtAction=1426697691002
My issue is copy/pasted below:
Original Title: TKIP selection in WiFi network settings
I have a workplace WiFi connection using WPA2 PSK authentication and encryption type TKIP.
On the machine I used to test Windows 10, I had a previous installation of Windows 7 professional which connected to my workplace WiFi using the above settings. After installing Windows 10, my workplace wifi settings were imported and worked fine.
Windows 10 had a system crash, and since I had deleted my previous windows installation, I performed a complete reinstall of Windows 7. However, when I went to install Windows 10 again, I had not taken the time to set up my workplace Wifi on Windows
7 before installing Windows 10. As a result, I had to set up my workplace wifi as a new connection in Windows 10.
When going to set up the wifi connection, the encryption type was grayed out, but appeared to default to AES. Searching the internet suggested that Windows 8.1 did not need a encryption type selected, because Windows could automatically determine
if it was TKIP or AES, hence why the option to select encryption type was grayed out. However, after completing the setup of my workplace wifi, Windows 10 could not connect to my workplace wifi. After restoring Windows 7 with a factory reset, and setting up
the workplace wifi (the encryption type selection was not grayed out and I manually selected TKIP encryption), my workplace wifi was working again. -
I am currently using WPA2-spk. I want to add another layer of security. I know I could do EAP. I am also looking at mac authentication. But I want to host the mac list on an ACS server. Setting the the mac addresses on the ACS server is pretty cut and dry, but how can I configure the ap to look to the ACS server for its mac list? And, how can I get WPA-spk and mac authentication to work together?
Hi Jared,
you can do this by setup the following:
Webinterface:
1. Securtiy -> Server Manager
Setup the ACS IP in the list "MAC Authentication" in the section "Default Server Priorities".
2. Securtiy -> Advanced Securtiy
In the section "MAC Address Authentication" use the radio button "Authentication Server Only" or "Local List if no response from Authentication Server" for a fallback configuration!
IOS Interface from config mode:
aaa group server radius rad_mac
server 10.20.40.37 auth-port 1645 acct-port 1646
and
aaa authentication login mac_methods group rad_mac
or
aaa authentication login mac_methods group rad_mac local (for local fallback)
I have not tested this, cause the MAC of the supplicants is to easy to sniff and any medium skilled person may used a sniffed MAC to enter the first authentication stage!
Better use a setup with EAP-FAST or PEAP!
I hope that helps.
Best regards,
Frank
I hope that helps. -
Quick question on EAP with MAC auth....
Documentation shows that if you enable EAP with MAC, clients that do not support EAP authentication, will then be able to use MAC. Is it possible to enforce that clients use both EAP and MAC? I don't want to create a security hole by allowing clients to skip the EAP and only use MAC.
Here is the text from http://www.cisco.com that supports above. Is this true, or am I just being paranoid?
You can set up the access point to authenticate client devices using a combination of MAC-based and EAP authentication. When you enable this feature, client devices that associate to the access point using 802.11 open authentication first attempt MAC authentication; if MAC authentication succeeds, the client device joins the network. If MAC authentication fails, the access point waits for the client device to attempt EAP authenticationI have this exact same question on a 1242 AP running c1240-k9w7-mx.123-8.JA2
I was told that it is possible on this version of IOS to select the with EAP or MAC Authentication, but I have had no success in doing so.
On a windows XP SP2 clients with the WPS-IE update installed, I disabled encryption and have open authentication selected. Nonetheless, the client continues to ask for credentials to connect to the network (I also deleted the registry Keys that store these 802.1x credentials.
Does anyone have an answer that we can use? -
1130 WPA-PSK Radius Mac Authentication
I am trying to get our Cisco 1130 AP's to use Radius MAC Authentication using a freeradius server. We have been successful with other AP's (Proxim, Netgear) but haven't been able to get the Cisco 1130 to work.
I have attached 2 files. One is the running config, and the other is a debug of radius.
This is what the freeradius log says.
Thu Nov 6 02:48:46 2008 : Auth: Login OK: [004096a3e012/004096a3e012] (from client 10.80.0.17 port 291 cli 00-40-96-A3-E0-12)
I would appreciate any help that anyone is willing to give.Use the wpa-psk SSID interface configuration command to configure a pre-shared key for use in WPA authenticated key management. To support WPA on a wireless LAN where 802.1x-based authentication is not available, you must configure a pre-shared key for the SSID.
wpa-psk { hex | ascii } [ 0 | 7 ] encryption-key
but make sure that This command is not supported on bridges.
Maybe you are looking for
-
Adobe illustrator Visual C++ Runtime library error
hi, all! i'd thankfull if somebody can help me. windows show me this message when i try to run adobe illustrator CS2 microsoft visual c++ runtime library runtime error! program: ...rator CS2\support files\contents\windows\illustrator.exe this applica
-
Cannot get Telnet to work between two servers on same subnet
I need to test if communication is open on port 8444 between two servers. I installed telnet client on a Server 2008 R2 server and telnet server on a Server 2008 SP2 server. I also manually started the Telnet service that was set to disabled on the
-
Setting privileges in Cisco Secure ACS Version 5.1.0.44
I am setting privileges in Cisco Secure ACS Version 5.1.0.44. In the command sets from the ACS server, I denied few commands as can be seen in the attached screenshot and selected 'Permit any command that is not in the table below'. I am unable to se
-
can i link to a folder with a button in captivate? a link to let show the content of a folder (and open the files there..) thx PS please answer me also a pair of topic under this one. :(((
-
I'm using the mini-dvi to hdmi, hdmi to hdmi adapter and im wondering if there was any way to have the audio come out of the lcd monitor instead of from my computer?