Cisco :: 2106 WLC And Freeradius Session-timeout
Jun 20, 2011
We are trying to configure our 2106 wireless LAN controller to expire wireless users' sessions so the user is not remembered indefinitely. We are using freeradius to validate the users' login information and passing back a "session-timeout" avpair, but the WLC seems to be ignoring this value.
How to configure the session expiration time of wireless users on a 2106?
Jun 4, 2012
I have inherited the support of an ASA5520 running 8.0(3)12 code and I believe I have a pretty simple question here that I haven't been able to figure out on my own. I have a few users that connect to the box via IPSEC VPN client connections. They want to be able to leave up an RDP-based connection, for monitoring purposes, for most of the day, but their RDP connection keeps getting disconnected after a few hours. The VPN connection never gets disconnected, just the RDP session running through it. I have another box running 8.0(4) code and they can leave up the RDP sessions as long as they like without getting disconnected from the server(s). I have compared the configs of both boxes and don't see any glaring differences in regards to the configuration that would cause the RDP sessions to either stay up or be disconnected after an inactivity type scenario.
What to look for in regards to identifying the timer that is disconnecting the RDP session after a period of time.
Jan 19, 2012
We're having trouble trying to deploy 802.1x authentication on a brand new site.
Our primary and secondary ACS are located in Paris and the new site is located in Toulouse, France. Both sites are connected through the WAN. Every time a computer/user connects to this new site in Toulouse, ACS 5.2 sends a "5411 EAP session timeout" error message.
Mar 1, 2013
I have a DIR-825 with 2.60VT firmware (rented from Videotron).
Even though the manual says the stateful firewall should have a timeout on connections of 240 seconds or 7800 seconds, all of my connections start at a mere 120 seconds. I'm having trouble with IMAP IDLE pushing e-mails because the connections time out so quickly (before any stay-alive can be sent). A connection to the e-mail server gets opened on 143 (Videotron) or 993 (encrypted - google, e.g.), and I see the connection on the Internet Sessions page; the timeout starts at 120. When it hits 0, the connection is no longer displayed (it is not renewed), and the IMAP IDLE ****s out because the server can't find the client (i.e. the connection has been closed). But it's not just on those ports or servers. ALL of my TCP sessions begin at a mere 120 seconds! Even for a home router, isn't this way too low?
Can anyone confirm that their DIR-825, on the Internet Sessions page, shows initial timeout values of greater than 120 for a TCP connection? I would love to see a picture of that screen showing higher values. Does it start at 240? Do you ever see a connection start at a timeout of 7800?
I see no way of changing the timeout value. Is it possible to force connections on certain ports to begin at a higher timeout value?
Sep 1, 2011
Per PCI and company policy, all VPN users have a 12 hour session limit. They will be disconnected after 12 hours regardless of use. Is there any way to send a message prior to the 12 hour limit to warn the users that they will be disconnected in x minutes? I'm running SSL VPN on an ASA 5520 ver 8.4(1).
Oct 11, 2011
Is there any way to change a setting which causes a user logged in to the web browser interface (or connected via ssh) to have to re-authenticate? I'm getting annoyed by being disconnected from the AP and having to re-authenticate.
Nov 3, 2011
What is the command to prevent a telnet session to the 4400 controller from timing out?
Aug 27, 2012
For guest clients, we have configured a guest VLAN and applied external web authentication on a WLC 5508; the session timeout value is 2700 seconds. When a client opens a browser to an internet page, the WLC redirects to the URL and gets the login page. After completing the login, he can go to the internet page.
We find that iPhone and iPad clients get the login page again after ~5 mins, which does not match the session timeout value of 2700 sec (45 mins).
Aug 15, 2011
Our company has installed ACS Version: 5.1.0.44.6 Internal Build ID: B.2347 with patches: 5-1-0-44-5, 5-1-0-44-6. The security policy of our company includes a password change every 3 months. Our programmers had written a script that allows us to do it. Testing revealed that the script does not work. This is due to the fact that it is not possible to enter the mode "acs-config". In determining the reasons, it was found that to enter this mode there is a limit on sessions (6 sessions). When the number of connections becomes larger than 6, the script does not work. The documentation says that the timeout for inactive sessions is set with terminal session-timeout. In this case, terminal session-timeout is 30. But after 30 minutes the session remains active. It interferes with our script.
May 6, 2013
What would be causing my management HTTPS session to an SF200-24 to suddenly time out? I receive "The session has been timed out. You may log in again" a few mins after logging into the switch. Sometimes it happens within 45 seconds, other times after 3 mins; timeouts are not consistent. And I was not idle when it timed out. My HTTPS idle timeout is set for 10 mins.
I had a continuous PING going to the management IP, and it did not drop any pings when the session timed out. Interface stats are also clean. I tried IE, Firefox, Chrome and all are timing out.
I've changed the HTTP default idle-timeout from 1 to 10 and my HTTPS stopped timing out. Management Access Authentication is clearly set for HTTPS, and the idle-timeout for HTTPS was set for 10 mins since install. Yet adjusting the HTTP idle-timeout cleared the issue.
Jan 25, 2012
I have an SG300-20 here for testing (firmware: 1.1.2.0, boot version: 1.0.0.4, language version: 1.1.1.6 English). Everything seems to work on it, except that if I choose Radius authentication by mac address only, then the switch does not honor the Idle-Timeout and Session-Timeout attributes from the Radius server (freeradius).
The setup is the following: I have a no-name access point plugged in to switch port gi1. The port gi1 is set up for Radius authentication by mac address only. The access point itself is authenticated, no problem with that. If I connect through the access point by (say) a mobile phone, it is authenticated, no problem. The radius server does send the Idle-Timeout and Session-Timeout attributes; I checked it by running "freeradius -X", and both are set to 30 seconds. Then I turn off the wireless card in my mobile phone and check the dot1x users by "show dot1x users". My mobile phone's mac address remains there for 5-10 minutes, so the Idle-Timeout and Session-Timeout do not work.
Another way I could resolve this problem is by explicitly asking the switch to reauthenticate the user. Unfortunately there is no CLI command to do just that; I can however do a reauthentication on a port using "dot1x re-authenticate gi1" (for example). But it does not work as expected: the switch uses the stored mac-address to reauthenticate the user, so nothing changes on the port (unless something changes in the radius server). I think it should work like the following: remove the authenticated user from the port, and whenever that mac address makes some network traffic, reauthenticate as if it were a completely new connection. BTW: it would work for me also if I could just remove an authenticated user from a port, but I did not find a command to do that.
As a last resort I can simply shut down the port and bring it up again ("shutdown" and "no shutdown" in the interface config); then all users are removed from the port and they all must reauthenticate. But it causes a network outage for a couple of seconds for all users on that port; on a busy access point it is quite disturbing, and it is not an elegant way to do this.
So my actual question is: is there a way to remove an authenticated user either automatically (Idle-Timeout and Session-Timeout) or manually from this switch?
I enclose the relevant part of the running config.
interface range gi1-2
dot1x host-mode multi-sessions
exit
vlan database
vlan 2-4
exit
[code]....
Oct 19, 2012
Just recently we replaced our HQ Cisco PIX with a Cisco ASA 5510, where we have many branches connecting to our HQ through site-to-site VPN. Since putting this new ASA 5510 at HQ, while we have a Remote Desktop session into our branch clients, whenever even a single TIMEOUT occurs on the VPN link the Remote Desktop session gets completely lost; then we have to reconnect the session. This issue happens, as I said above, when a single timeout occurs on the VPN link. What is the issue with the ASA 5510? Because with the PIX we didn't have this issue; remote desktops were never getting lost / reset with a single timeout.
Jul 30, 2012
When a client connects to a specific AP (example AP01), after every 1800 sec uptime it will reconnect and join another AP (example AP02). Both APs are physically installed around 6 meters from each other. I conducted the testing sitting in the middle between these two APs.
01. If I disable this session timeout feature, or set the seconds to a higher value, what's the performance and security impact? Is it recommended to change the default 1800 seconds session timeout?
02. Is there any way I can tweak the WLC controller to prevent the client, after session timeout, from associating with another AP? This will lead to a major performance impact, as the client would possibly connect to the weak-signal AP and affect performance.
These are the details for reference:
Client detail:
- Dell DW1520 wireless-N WLAN card, with firmware version 5.100.235.12
- CCX version 4 supported
- Layer 2 security is WPA2 personal with PSK.
- wireless radio an
Controller detail:
model is AIR-CT5508-K9
software version is 7.2.110.0
Nov 26, 2012
ASA 8.2(5), uauth absolute timeout is disabled and inactivity timeout is set to 48 hours:
timeout xlate 48:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:00:00 absolute uauth 48:00:00 inactivity
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
Users still get kicked out every 8 hours and they have to reauth. This is a logging message:
%ASA-5-109012: Authen Session End: user 'john', sid 839, elapsed 28801 seconds
Nov 27, 2012
How do we set up IP pools in freeradius?
Feb 29, 2012
I have a new WET200 wireless bridge and cannot authenticate to our WPA2 EAP-TLS freeradius server. Here are the steps that I have taken so far:
1. Renamed my pkcs12 client certificate to .pfx extension and imported it into the WET200.
2. Used the client certificate import password as the "Private Key Password"
3. Typed in the client "Login Name"
The freeradius server recognizes the WET200 with the entered credentials but will not authenticate. The freeradius debug log gives the following error:
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x3e833be03884222b... did not finish!
WARNING: !! Please read [URL]
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Normally, with other wireless devices, the CA (certificate authority) certificate needs to be installed on the client as well as the pkcs12 client certificate? Is there a way to place a CA and client certificate into the WET200? What is the proper method to install certificates into the WET200 for FreeRadius EAP-TLS authentication?
Feb 29, 2012
I'm not sure if this is a recent issue for our setup, but I've only just noticed it. Although most authenticated users are shown by their correct user names (which are required for 802.1x authentication), a few users show up in the WCS reports as "anonymous", and one as "anonymous@myabc.com", which are not valid usernames on our network.
I can track these users by MAC via our network registration database, but have not yet figured out what makes their systems unique. All three in yesterday's report are Win 7. I don't see anything strange in the RADIUS logs, but have not yet captured "debug" traces of wireless authentication from an anonymous user.
We are running WCS 7.0.172.0, with a pair of WLC 4402 controllers running 7.0.116.0. Our WPA2 Enterprise auth uses TTLS/PAP, with the SecureW2 supplicant for Windows.
Mar 2, 2011
I have two 1310 bridges, one configured as root and the other as non-root. Authentication Settings: Open with EAP and Network EAP with no addition. Set up: when the non-root bridge tries to associate with the root bridge, the root bridge checks with the radius server whether it's OK to associate with the non-root bridge.
I can see communication with the radius server (I'm using FreeRadius) and the radius server even sends a SUCCESS back to the root bridge. However I'm seeing this error on the non-root bridge: DOT1X_SHIM-3-PLUMB_KEY_ERR: Unable to plumb keys - Eap key struct is NULL and the bridges do not authenticate.
Oct 20, 2011
I was handed a Cisco 2106 WLC and 6 AIR-LAP1131AG-A-K9 access points a few days ago and was told to get it working. My problem is I have never worked with Cisco products, so I have been stumbling setting this up. Here is what I did get working: the web interface into the 2106 WLC. I flashed the 2106 from version 4.x to 7.0.116.0. I get green connected lights on the ports where APs are plugged in. I configured the ap-manager area to settings of:
Port Number=6
Vlan Identifier=0
IP Address=10.0.0.254
Netmask=255.255.248.0
Gateway=10.0.0.1
Primary DHCP Server=10.0.0.18
[code]....
I have logged into the console port on both the WLC and AP, but I do not understand how to see reports or enable reports on either device to see what is wrong. I read that the AP can be set to lightweight or anon mode, but I do not know how to check to see what mode they are currently in.
Jul 11, 2012
I have a problem with pinging APs that are connected to a WLC 2106. We have a TRUNK with VLAN50, VLAN51 and VLAN71 (all tagged) connected to our WLC 2106. VLAN50 is our management network. We have configured both the management and AP-management interfaces on the WLC with IP addresses from our management network and we have set both to VLAN 50. We have also configured static IP addresses on every AP connected to the WLC.
The problem is we cannot ping the APs. This means that the APs can't connect to any other device on the management network, and we would like to use RADIUS for WiFi client authentication.
How can we solve this problem? I guess if we configure VLAN50 as the native untagged VLAN in our TRUNK, this would work? Is there any way to configure this without using a native VLAN?
We also have a problem with IPv6 connectivity. We have configured DHCP and we are using the 1.1.1.1 DHCP proxy and it works great for IPv4, but how can we configure the DHCP proxy for IPv6 addresses? Our WiFi clients also need to get IPv6 addresses. I have enabled the "IPv6 enabled" option on the WLC.
May 25, 2011
I've just installed a 2106 Controller at a remote site. The Controller is seen by the WCS at the main site, so connectivity is good and I'm able to log in from the main site. I've configured the DHCP server, which is at the main site, on the AP manager interface and the Manager interface and on the WLAN of the new controller, but APs are not getting addresses.
Apr 20, 2010
I have been trying to upgrade my WLC 2106, but it is stuck at rommon/grub mode. The steps are as follows:
rommon #5> tftpdnld
ROMMON Variable Settings:
ADDRESS=192.168.100.1
SERVER=192.168.100.10
GATEWAY=192.168.100.10
PORT=Ethernet0/0
VLAN=untagged
IMAGE=AIR-WLC2100-K9-6-0-196-0.aes
CONFIG=
[Code].....
Apr 24, 2012
I bought a brand new 2106 WLC and a 1142 AP. After going through the standard setup, the 1142 LAP was blinking red, yellow and green. I checked the logs and found the following message: [code]
I requested the latest IOS and boot image for the controller from the supplier, but he has provided only AIR-WLC2100-K9-7-0-220-0.aes, no equivalent boot image, and has insisted that it is enough to upgrade the controller.
Is the AIR-WLC2100-K9-7-0-220-0.aes compatible with the 1142 LAP? And would I be able to upgrade the controller with only the AIR-WLC2100-K9-7-0-220-0.aes IOS and no equivalent boot image?
Mar 22, 2011
How can I find out what version of SSH a Cisco 2106 wireless LAN controller is using? Is there a CLI command I can type to figure that out, or do they only support one version?
Apr 10, 2012
We recently purchased a bundle of 3 1042N APs with a 2106 WLC. I am able to get the controller on the network and am able to manage it through the https web GUI. I am now trying to add one of the APs to the controller and am getting an infinite loop on the AP upon bootup. I tried looking up the solution but could not find a good article that pertained to the problem I was having. One thing I did notice is the time on the AP is way offset, but when I do a clock set to change it to the actual date it doesn't stick on the next reload.
Here is the output:
using ÿÿÿÿ ddr static values from serial eeprom ddr init done
Running Normal Memtest...
Passed.
IOS Bootloader - Starting system.
FLASH CHIP: Numonyx P33
[Code].....
Jun 19, 2011
I have installed a WLC 2106 with 4 1252 APs. Some laptops have dual-radio wireless cards, but others have just a 2.4 GHz card.
I have one SSID with WPA2/AES and 802.1X authentication.
With the dual-radio laptops the speed is 300 Mbps, but with a single 2.4 radio the max speed is 70 Mbps.
If I use a 1252 AP with autonomous IOS, SSID with WPA2-PSK/AES, these single-2.4 laptops work at 144 Mbps.
Is there a known issue with 802.1X in 2.4 GHz, or do I need to make a different configuration to be able to work in 2.4 with a speed of 144 Mbps?
Jun 9, 2012
I got my final assignment from school, and my teacher asked me to configure 2 Access Points (1200 series) directly on a Wireless Controller (Cisco 2106). I can't ask my teacher any questions, because he doesn't know how to configure it either; THAT's why he's asking me to do it. I've learned a lot of things about the default static interfaces (the "management" and "ap_manager" interface), but I can't seem to fully understand how to configure it. I want to use the internal DHCP server of the WLC. How can I get those 2 Access Points working on the WLC? I only seem to get DHCP issues.
This is what I've done:
- Leave the configuration of the "management" and the "ap_manager" default (172.16.1.30 and 172.16.1.30). Bound to port 1
- Made a new interface "AP1" with IP-Address 10.0.0.10 (/24), default gateway 10.0.0.1. Primary DHCP server: 172.167.1.30
- Made a new interface "AP2" with IP-Address 192.168.1.10 (/24), default gateway 192.168.1.1. Primary DHCP server: 172.167.1.30
- Made 2 DHCP scopes within the 192.168.1.0 and 10.0.0.0 networks.
For some reason, when I boot up both APs, they won't get any DHCP address.
Mar 18, 2013
I had a 2106 running 4.x software. It was upgraded to 7.x but will not read the config. How to downgrade the software?
Dec 2, 2012
We have a 2106 that was configured by a former employee. No one left in the company is qualified to configure it. The wireless guest access used to work fine. We'd configure a guest user account. They would connect to the guest wireless, open a web browser and log in. For some reason now there is no prompt for login. People can connect to it and get an IP address, but that's it. No login prompt or anything else from there. User Login Policies was set to 0 and I put it to 8. That didn't do anything. Under Web Auth > Web Login Page it's set to Internal (Default).
Jul 7, 2011
I set up a mini wireless LAN network lab with a not-for-resale 2106 wireless LAN controller and a sales AIR-LAP1242AG access point. I do not have DHCP or DNS in my lab environment. I have configured the WLC with the basic configuration using the CLI wizard; I also configured the WLC as a DHCP server for clients that will be connecting to the APs associated to the controller.
I powered up the AP and connected the ethernet port directly to the controller; the controller issued an IP address to the AP, and the AP downloaded a new operating system from the controller but failed to join the controller.
I checked both the debug messages on the controller console and the trap messages on the controller's GUI, and they say the AP could not download a configuration from the controller because of an invalid license. Below is the trap message:
Configuration Phase Statistics
Requests Received
Responses Sent
Unsuccessful Request Processed
Reason For Last Unsuccessful Attempt
Last Successful Attempt Time
Last Unsuccessful Attempt Time
Last Error Summary
Last AP Message Decryption Failure
Last AP Connection Failure
Last Error Occurred
Last Error Occurred Reason
Last Join Error Timestamp
Also, I tried to log into the GUI of the AP using both the username and password 'Cisco' but I cannot get into the device. I can only get in through the CLI. In the CLI, almost all the commands I enter give an error that it is disabled. I don't know what to do any more; I want to know if the access point is faulty or I am not doing the right thing.
Mar 4, 2010
I have a WLC 2106 and a 1242AG. It's a hotspot configuration. So in the WLC, under the controller tab, I have set my ap-manager IP, my management IP, my virtual IP (1.1.1.1) and my hotspot network range IP. I also set a DHCP range for the hotspot network.
In the WLANs tab, I set my hotspot WLAN with no layer 2 security, and for layer 3 I set none for layer 3 security and I use web policy authentication. I use local authentication and I created, under the security menu, under the AAA tab, 3 local net users.
From PC number 1, I get an IP from DHCP, and I get the authentication web page; authentication is OK and I can surf the web. From PC number 2, when user 1 from PC 1 is connected, I get an IP from DHCP but I do not get the authentication web page; I have no DNS resolution. When I try https://1.1.1.1/login.html, I get no answer.
And when user 1 is de-authenticated, user 2 can surf the web. So only one user can surf at the same time. Not good for a hotspot.
Dec 13, 2009
We operate a number of 2106 WLCs, some of which are in training centres. We have been requested by one customer that the SSID used for the users in the training rooms is only enabled between the hours of 9am - 6pm Monday to Friday.
As such I'm trying to find an automated method of disabling said WLAN automatically outside of these hours, including weekends.
I'm aware that the commands:
config wlan disable "WLAN ID"
config wlan enable "WLAN ID"
can be used to perform the required function, but getting them to trigger at the appropriate time is proving more of a challenge.
Jan 21, 2012
I am trying to get one AP to join the 2106 controller; it did join once, then never again! Now all I get is:
*Jan 22 11:16:22.088: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
[Code]....