Cisco :: 2100 WLC - Guest Access / Passing AD Credentials

Aug 31, 2011

We have a building with 6 Cisco Aironet 1140 connected to a Cisco 2100 WLC, all tied into a nice Central Certificate server and a Win2008 NPS/Radius server on a Win2008 AD. Our trusted PC wireless access is fine, with domain laptops with certificates authenticating with DHCP all round the building. We use GP to apply settings to an AD integrated Proxy server for internet access.
 
The problem I now have is with guest access...
 
We are an education establishment, so students could turn up with anything from a laptop to an iPad to an Android phone, which immediately rules out using proxy PAC files to configure the proxy.
 
What I really want is a method of using the radius to verify the guest user against their existing AD user account, which I believe is possible. The one snag we have is in order to avoid the user having to configure the Internet proxy we would have to switch it to a transparent mode, which immediately restricts our ability to report on AD username, we would only have an IP address to report on, which is next to useless!
 
We've looked at a Gateway product (Astaro), which integrates the Filtering onto the Gateway, but the downside is that you have to use their APs, so we would be replicating existing work, whilst also managing two filters.


Cisco Wireless :: WCS 7.0.172.0 - Adjusting The Guest Account Credentials Page

Jul 4, 2011

To enable our receptionists to print a guest user ticket on a small A8 ticket printer I'm looking for a way to adjust the layout and formatting of the guest account credentials page.
 
I have searched through the javascript and css files but with no success.
 
We are using WCS 7.0.172.0


Cisco :: 2100 Can Create A Guest User Directly On ISE

Oct 10, 2011

I have an instance of ISE and NCS with a WLC 2100 plus a couple of LWAPs. This is an evaluation POC lab to sell ISE and NCS to our management to make our life easier. The problem I have, amongst many, is I can create a guest user directly on the ISE and the guest can login, the ISE monitor shows the guest authenticates, but the client's webpage passes them back to the login page, not onto the original client URL. The web auth is pointed at the ISE/guestportal/portal.jsp page. If I point the web auth at the internal WLC page using a WLC local user account it works. If I set the guest access to pass through it works without issues getting DHCP and DNS. On the ISE is there a policy needed to say if guests are web authenticated give them access? The need is for AD authenticated users to be able to create guest users. The AD authentication works for sponsorship and guest creation; it's just the guest access redirection I am having issues with.


Cisco :: Guest Tunnel / Auto-anchor From 2100 To 4400 WLC

Jun 2, 2011

We’d like to extend our current Guest LAN from a 4400 WLC in our data center to a 2100 WLC located at a remote facility. However, we cannot get the foreign controller to pass traffic to the anchor controller – or so it seems. The catch is that we’re not actually trying to extend the SSID itself to provide wireless access, but instead flub it so that we can provide local wired access tunneled to the Guest LAN on the anchor WLC. I’m not entirely sure if this is possible, because I’ve read that before the EoIP tunnel will come up a guest client must associate to the foreign WLC.
 
We’ve followed the instructions we could find that go over setting up this type of scenario, but unfortunately they only cover setting up back-to-back 4400 controllers and as such, some functions described (notably being able to create a Guest LAN) are not possible on the 2100. We haven’t been able to find a clear and concise guide on the scenario we want to set up.
 
Here’s some detail:
 
Mobility group is up/up between both WLCs. Both WLCs are running 6.0.x code.
 
Anchor WLC – 3750G-24WS-S25 (a 4400 WLC w/ integrated 3750G-24)
 
Guest LAN WLAN “wired-guest” created; Ingress is “none” and Egress is our existing “dirtnet” – i.e. outside access. The “dirtnet” interface is *not* a Guest LAN interface. Mobility anchor is set as local.
 
Remote WLC – WLC2106
 
WLAN “wired-guest” created; Interface is “wired” w/ an IP address on the same subnet as the anchor “dirtnet” and associated with port 2. Mobility anchor is set to the anchor WLC and is up/up. I have a laptop connected to port 2 with a statically assigned IP address on the same subnet as “dirtnet.” I am able to ping the local port 2 address, but I can’t ping across the tunnel to the anchor WLC. I also cannot ping the anchor WLC "dirtnet" interface from the foreign WLC’s Ping tool.


Cisco Wireless :: 2100 No Internal DHCP Over Another (Guest) SSID / Interface

Feb 24, 2013

I have a Cisco WLAN controller (2100) running software 7.0.235.0. I have the internal private WLAN running off of port 1 and that is working fine with an internal DHCP server. Is it possible to set up another SSID (guest) and have the interface directly linked to a static IP on the WAN and also use the built-in Cisco internal DHCP server?


Cisco Wireless :: 5508WLC Whitelist For Guest Access And Securing Guest-access?

Aug 18, 2011

Is it possible to allow certain websites to bypass the web authentication pages, so that they do not need to authenticate to get to our own website, but do have to if they wish to go anywhere else? Looking at a 5508 model at the moment.


Cisco :: Unable To Access GUI For 2100 Series WLC?

Sep 2, 2012

I have powered ON WLC(2100 Series) and connected LAN port from WLC to my PC. To access WLC GUI what is the factory default IP address?
 
I connected Console Port of WLC to Serial port of my PC. I have configured WLC as per the WLC quick guide.

Management Interface IP address :: 10.40.0.4
Management interface Net Mask: 255.255.255.0

[Code].....
 
The result is the same even when the commands below are used:

Configuration mode
port adminmode all enable
network webmode enable
network secureweb enable


Cisco LAN :: 2100 - Browser Access To Wireless Controller?

Jul 29, 2012

I have a wireless controller 2100. I can't access it via browser, when I am connected to one of its physical ports. I use the same subnet ip address as that of the management interface of the wlc.


DLink WL-2100 - PC To Access Point To Wireless Modem

Apr 2, 2011

I have a D Link WL-2100 AP. I connected my PC to the AP with an ethernet cable, then I tried to connect the AP to my wireless modem but I couldn't. How can I make the AP recognize the wireless modem?


Cisco :: Light Weight Access Point 1242AG K9 Is Not Joining 2100

Sep 4, 2012

I have configured a Cisco LAP 1242AG with a static IP. I have connected the LAP to the WLC. I am able to ping the WLC management interface IP address from the LAP's console. The LAP failed to join the WLC with error "Could not resolve CISCO-SAPWAP-CONTROLLER".


Cisco Switching/Routing :: 4507 Passing A Trunk Through An Access Mode Port

Mar 15, 2012

We have a scenario that consists of a Cisco 4507 series core switch with more than 20 VLANs, which is connected to a C2960G switch (in a nearby building) using a trunk over a fiber connection. Up to this point everything is fine. A VTP domain is configured on the core switch and we have all of the 20 VLANs present correctly on the edge 2960G, which is of course part of this same VTP domain. The fiber connection goes from the core switch to an "in the middle location" where we have a fiber patch panel that is connected in a jumper style to another fiber patch panel going to the destination building where the C2960G sits.
 
Now imagine that the fiber connection from this middle location to the destination C2960 edge switch is down for any possible reason, while the fiber connection from the core switch 4507 to the middle location is still intact. At the same time, in this middle location, we do have a wireless connection which links one Cisco 3750G switch (a different infrastructure and different VTP domain) to another C3560G switch which sits in the same room in the nearby destination building where we have the edge C2960G. An idea came to me: connect one of the fiber ports (core) in the intact fiber patch panel coming from the core switch 4507 to a switchport configured as an access VLAN port on the 3750G switch (this switchport will belong to a VLAN designed only to transmit the VLANs on the trunk coming from the 4507 core switch, say VLAN 10), then connect one VLAN 10 access switchport to the destination C2960 edge switch (the switchport on the C2960G is still a trunk). Will this solution work, and will all of the 20 VLANs of the 4507 core switch arrive at the destination C2960G? Or do we need something that tags the two VLAN 10 switchports, like switchport dot1q tunnel, like QinQ?


Cisco Wireless :: 2960 - Autonomous Access Point / Get Guest To Access Internet?

May 9, 2012

I have two SSIDs on an Autonomous Access Point, that goes to a 2960 switch, that connects to a L3 3560. I have a vlan for admin/private internal access that uses the native vlan (1) and guest vlan (50). I have configured both and I am trying to get both to go out the same Internet connection.

I cannot get the guest access to access the Internet. It looks like my computer will go, but it just comes up saying no Internet access. All interfaces are trunking this VLAN properly. I can communicate from the laptop to the 3560 but I just can't get to the Internet.


Belkin Routers :: N750 - Access Point Support Of Guest Access

Jan 9, 2013

Does the N750 (F9K1103V1) support Guest Access while in Access Point mode? It will not provide an IP address when a guest attempts to connect.


Belkin Routers :: F9K1102 V1 Guest Access While In Access Point Mode

Jan 17, 2013

I have an N600 (F9K1102 v1, firmware 1.00.09). My ISP provides my main router for my network, but I want to use the N600 as an access point. I have activated the "Use as Access Point" feature. Is it possible to still utilize the Guest Access feature in this case?


Linksys Access Point :: Access Guest Account Through WAP54G?

Jun 9, 2011

My network is such that I want to extend the signal of the GUEST account.  I have a WAP54G set up for that purpose and am getting a very strong signal.  I can access the main network, but not the Guest, I cannot even see the GUEST access. Any setting change that needs to be made that will allow me to access the GUEST account from the Access Point?


Guest Internet Access - Multiple Access Points?

Dec 13, 2012

Here is my setup:

Netgear WNDR3700 - Main router, DHCP turned on
4x Netgear WNR2000 - Setup as Access Points (DHCP turned off), connected to main router via LAN ports

I only want the guest network to have internet access. I have the guest network enabled on the router and access points with the option to "Allow Guest network to access main network" disabled. My problem is that since the access points aren't hooked directly to my modem via the WAN port, the guest network broadcasted from the access points does not have internet access. I have read up on setting up a separate subnet for the guest network using DD-WRT but was curious if there was a way to get the desired result with the stock Netgear firmware.


Cisco :: LMS 4.0.1 - Changing Device Credentials

Jun 20, 2011

I need to edit device information for multiple devices  using feature Edit Credentials. I'm not able to overwrite all device credentials using a new set.


Cisco AAA/Identity/Nac :: 802.1x Credentials Failure With ACS 5.2

Jun 20, 2011

I recently tried to deploy an ACS appliance with version 5.2 installed on it for a customer.
 
After setting up the WLC to use the ACS as a RADIUS server, and successfully testing the connection from the ACS to the AD, I get an error message "12321 PEAP failed SSL/TLS handshake because the client rejected the ACS local-certificate" anytime a client tries to connect to the network.
 
This is surprising because I had already generated a certificate for the ACS from a CA and bound the CA signed certificate to the ACS. I also specified the CA in the client machine's wireless properties and checked the "validate certificate" button.
 
When I tried to connect using the internal identity store, the client was successfully authenticated without any certificate issues.


Cisco Firewall :: ASA5510 Credentials Are Invalid

Jan 4, 2012

I am setting up a new ASA.  Actually it's an old 5510, but this is a new temporary install until the one we ordered comes in.  Everything is working except for SSH.  I have SSH open on the inside and outside interfaces and I get a prompt when I try to SSH to it from either the inside or outside.  But after I put in my username and password it tells me that my credentials are invalid.  I am using a local username/password, not AAA and it accepts that username and password for the console.  Console and telnet (password only) both work so I can get in to make changes.  When I debug SSH, the error states that my username and password are incorrect.  But this happens even when I create a new, simple username/password to test.  I've even gone so far as to copy/paste the username and password into the login window just to be safe (making sure I don't copy spaces, etc).  Below is a copy of the SSH Debug output followed by a sanitized copy of the config.  I have AAA configured for remote VPN users, but not for access to the ASA.  Also, this problem existed before I created the AAA settings for the VPN users.  Also, I have zeroized and regenerated the RSA keys a couple of times to no avail.  [code]


Cisco :: LMS 4.0 Device Credentials Verification Report?

Jan 3, 2012

I have a problem when doing this report. If I do a device credentials report on a user defined group (40 devices), 11 of these devices fail to connect via SSH. I can make an SSH connection to all 11 devices from the CiscoWorks server, but 11 devices still fail on the report.
 
     Device Name     Read Community   Read Write Community            SSH
1. 149.212.XXX.164      Ok                          Ok                         Failed to connect. 
2. 149.212.XXX.153      Ok                          Ok                         Failed to connect. 
3. 149.212.XXX.152      Ok                          Ok                         Failed to connect. 
4. 149.212.XXX.151      Ok                          Ok                         Failed to connect. 
5. 149.212.XXX.150      Ok                          Ok                         Failed to connect. 

[code]....


Cisco WAN :: 877 / Setup A PPP Dialer To Present Empty Credentials?

Sep 7, 2011

I am trying to copy a setup from a Nortel IAX100 where the carrier provides two ATM PVC's over ADSL - one for voice (VoIP) and one for data (IP). Relevant lines from the backup of the IAX's configuration include the following for the PPP authentication over the voice circuit:
 
<wan_8_32>
<entry1 vccId="1" conId="1" name="Voice" protocol="PPPOE" encap="LLC" firewall="enable" nat="enable" igmp="disable" vlanId="-1" service="enable" instanceId="1509949441"/>
</wan_8_32>
<pppsrv_8_32>
<ppp_conId1 userName="" password="" serviceName="" idleTimeout="0" ipExt="disable" auth="auto" useStaticIpAddr="0" localIpAddr="255.255.255.255" />
</pppsrv_8_32>
 
The null username and password for the PPP connection have me a bit stumped. Does the PPP connection not use any authentication at all? (Is that possible/likely? How could I debug it?) Or does the IAX100 supply a CHAP/PAP response with null credentials? (If so, how would I duplicate that using an instruction to a dialer interface?) I am configuring an 877 with 12.4T and advanced IP services.


Cisco :: 1141 - Logging Onto Wireless With LDAP Credentials

Dec 18, 2011

I have 2 Cisco 1141 Aironet access points.

I've followed this tutorial: [URL]
 
I have an Ubuntu server running free radius authenticating against an LDAP server. Now I'm able to log into the AP via ssh with my LDAP credentials.
 
What I can't figure out is how do I setup the AP so when people connect to the AP's wireless they are prompted to use their LDAP credentials.


Cisco :: Upgrade From LMS 3.0.1 To 3.1 Or 3.2 - INVREP0102 / User Credentials Are Invalid

Feb 20, 2012

How to upgrade from LMS 3.0 December 2007 update to LMS 3.1 or LMS 3.2. The problem is the large number of C2960S-24TS-L switches that my organization has and cannot manage. I tried to upgrade devices through Software Center but CiscoWorks always informs me with the following message: "Error while downloading package information from [URL] for the selected products. See the log file for details". Also I cannot run the EOL/EOS inventory report. The message is "INVREP0102: Cisco.com user credentials are invalid. Enter correct credentials." I checked my credentials and they are right. The server has access to www through a proxy without any restrictions. In the past I've already updated devices through the Software Center. Also in the past I've run EOS/EOL inventory reports. The LMS 3.0 December 2007 has the following products:

LMS 3.0.1, 16 May 2008

1. CiscoWorks Common Services 3.1.1, 02 Jul 2009, 07:44:58 EEST
2. Campus Manager 5.0.5, 11 Oct 2009, 07:36:10 EEST
3. CiscoView 6.1.7, 02 Jul 2009, 07:45:05 EEST
4. CiscoWorks Assistant 1.0.1, 02 Jul 2009, 07:45:05 EEST
5. Device Fault Manager 3.0.5, 12 Jun 2010, 07:31:48 EEST
6. Internetwork Performance Monitor 4.0.1, 02 Jul 2009, 07:45:11 EEST
7. Integration Utility 1.7.1, 02 Jul 2009, 07:45:14 EEST
8. LMS Portal 1.0.1, 02 Jul 2009, 07:45:16 EEST
9. Resource Manager Essentials 4.1.1, 02 Jul 2009, 07:45:17 EEST


Cisco Wireless :: 4400 WCS Templates - Invalid Credentials

Nov 7, 2012

I'm having some trouble pushing CLI templates to controllers in my lab. I get an invalid credentials error but it is random. Sometimes I can push the template fine but 30 seconds later if I push the same template it will fail with error. Several minutes later try it again and it fails. I have verified the credentials by reconfiguring them consistently across the devices, but if the credentials were actually wrong it should fail every time, not intermittently. There are also 2 controllers I am testing this against and it is also random which controller fails. On the instances where I don't get the credential error my CLI template fully executes without error.

I am using WCS 7.0.230.0 on WIN2K and two 4400 controllers running 7.0.230.0. Both controllers are configured with SNMPv3 and SSH. Telnet and lower versions of SNMP are disabled.


Cisco Firewall :: ASA 5510 - Authentication Based On AD Credentials

Nov 13, 2011

What I want to do is simple: for any member of the Administrators group to be able to authenticate on our ASA5510 based on their AD credentials.
 
What is correct CISCO procedure for that?


Cisco :: ACS 3.3 / Configure WLAN Authentication On WCS To Prompt Users About Credentials

Aug 28, 2012

I'm trying to configure WLAN authentication on my WCS to prompt users about their credentials. I'm using a Windows 2008 NPS as RADIUS server but I can also use a Cisco ACS 3.3 if needed. With each setup I tried, the credentials are sent automatically to the RADIUS server using the Windows user session credentials. How can I force the WCS to ask for a username and password before sending them to the RADIUS server?


Cisco AAA/Identity/Nac :: Wp1430161 Downloadable ACL Dependent On User Credentials?

May 7, 2012

I have been reading article url....wp1430161 and I am trying to get my head around the type of port authentication Methods & Modes I am going to require for a Proof of Concept using a Cisco ISE as the Authentication Server.
 
The switchport will have a single IP Phone in a Voice VLAN and then a Single host in a Data VLAN. Reading this article, I think I should be configuring "802.1x" authentication method using "Single Host" Mode.
 
However, will that support a Downloadable ACL dependent on the user credentials? And will it allow a restricted ACL to be downloaded if authentication of the Machine or the User fails? I don't really want to create and manage Guest and Remediation VLANs with their respective ACLs on every switch in my enterprise, including our remote branch offices.


User Can't Login Into Domain With Right Credentials In Active Directory

Feb 19, 2013

user can't login into domain with right credentials in active directory


How To Set Up A Guest Access

Dec 12, 2012

How can I set up a guest access?


Cisco :: Guest Access On A 5508?

Jan 25, 2012

We currently tunnel guests to a 4402 that sits behind our firewall and it's been working well for a few years but I am aware that the 4402 is now EoL so I am exploring alternatives:
 
We also have several 5508s deployed and I'm wondering if - in any new guest access config - I can allocate one of its free h/w ports to connect to the firewall, even though the 5508 is configured to use LAG.
 
To put it another way, can I configure a new port to a separate VLAN and not be part of the LAG'd ports, or are you tied to having all ports acting as a group if LAG is switched on?


Guest Wireless Access

Feb 11, 2013

I understand you can have a guest wireless setup on the newer Access Points, and trunk (Cisco term) the 2 VLANs and separate them out with Access Control Lists so they don't talk to each other, but I would rather just give the VLAN 480 its own DHCP from the router.
[code]...


Cisco AAA/Identity/Nac :: ACS5 / One User / Two Credentials (external Token Versus Cert)

Nov 30, 2011

I have ACS4 and I am planning to upgrade to ACS5. I would like to have rules such as these: I have user1 and one ASA device which is the VPN concentrator for remote users. The ASA has two different tunnel-groups: one which allows logging in via certificate (with mandatory PKI authorization thru ACS) with Xauth disabled, and a second tunnel-group which allows login thru typical Xauth with authorization thru ACS, which uses an external database (RSA tokens). So I have one user1 which can log in thru VPN using an RSA tokencode or a certificate. For example: on the phone user1 uses a certificate, and on the PC station the same user1 uses a token password. For the tunnel-group with PKI authorization the ASA checks the username in ACS, and in a typical scenario login="CN from certificate" and password="CN from certificate". So we would need "two credentials" for the user: one for PKI authorization, and a second one for the external database (RSA token). Is such a scenario possible under ACS 5, where one user uses different credentials based on tunnel-group usage?


Cisco Wireless :: WLC 5508 Guest Access Via WAN?

Jan 28, 2012

Is it possible to provide wireless guest access over the WAN from another office via the WLC? I have a WLC 5508 in a central office and have other remote offices that have one Access Point in each office that are autonomous; I will be converting these to LWAPP. Is it possible to route guest traffic back to the WLC then forward this traffic out to the internet? How would I route this traffic out as well? Install a secondary WLC in the DMZ and use anchor points. I only have one WLC.








Copyrights 2005-15 www.BigResource.com, All rights reserved