we are using Cisco Aironet 1130 AG and a Cisco 4402 WLC in our network. The certificate service is installed on a Windows 2008 R2 server. We use a standalone Root CA with a Enterprise Sub CA hierarchy. Issueing certificates to clients works fine. The vendor and ca certificates are installed on the WLC and the user have his user certificate. During implementation we used following document: url... Instead of Anonymous Bind, we use a service user to read in AD (works fine, too).
We use the Intel/PRO wireless utility on our Testclient and configured it for EAP-FAST and TLS. We can select the installed certificate in the utility, but when we try to connect, the utility throw the message: "Authentication failed due to an invalid certificate".We´ve logged the WLC and thats a part of the logfile (i´ve greyed out all enterprise data): [code]
I am enabling our wireless controllers to use 802.1x authentication for our wireless clients. Both computer and user are provided with certificate from CA server.I have 9 APs and 2 controllers installed in my infrastucture, one of the controllers is working fine with setting specified above but the other one is not.Both has same configuration and both seems identical with same model and IOS.
I'm trying to install a webauth certificate -- it works fine when unchained, however once I add the additional information the installation fails. I am using the same root and intermediate certificate information as last year, and it worked fine then. I can recreate last year's pem file with the chained information and it installs fine, so it's only when I include the new device certificate information that it fails. The certificate installs fine when it's not chained, I'm not receiving any openssl errors, and I'm not using openssl 1.0.
We have 2 WLCs, 4402 (main) and 5508 (backup). While we turn on both devices, 4402 have 10 APs, and 5508 have 10 APs as well. Total connected clients will be 120+, but when we turn off either 1 wlc, let's say only 4402 is power on, total 20 APs joined, but the total client will be 90+, never reach over 100 clients. The same happened on 5508, is there any maximum associated connection on WLC?
When on the management interface the clients can't get dhcp but the AP's can on the same vlan. I've tried enabling and disabling dhcp proxy, and using a remote dhcp server as well as the internal server. This same config works on the 4402 we're replacing with version 5.2.193 on it.
Recently (within the past 2 months) I've been having some issues with my 4402 wLAN controller.
The issue is thus:
1) New wireless clients (those without exsisting DHCP leases) are unable to properly connect to our wireless network.
2) Those same systems (and other systems) have no issue getting online via a wired connection (where available).
3) Devices like iPad, tablets, laptops partially connect but do not get a valid IP address.
Our config:
1) DHCP is handled by a seperate server (NOT the 4402 - it's DHCP setting is disabled)
2) Our wLan is not on a seperate network than our wired LAN
3) Wireless devices attempting to connect include iPads and laptops mostly.
4) We're a school with about 300 systems (primarily Windows XP machines).
5) 25 access points controlled by the 4402 (our only wLAN controller)
Important Notes:
1) No configuration changes have been made to DHCP or the 4402 device in a couple years.
2) 4402 Software Version = 4.0.217.0
The problem first showed up a bit over a month ago. I first thought the issue was DHCP server related , so I started there and didn't find any obvious issues. I did restart the DHCP server (which at that point had an uptime of somewhere over 700 days).
I then also checked the web interface of the 4402 to see what it was reporting. I noticed a somthing:A) As shown in the "WLAN_Issue_EDIT.png" the client count on the controller is showing 628 current clients. We don't have many devices in our entire campus.
I rebooted the controller after hours and that seemed to allievete the issue. Since then, the current client count hasn't ever gone above 60.
Now today I'm having the same issue regarding new clients getting IP addresses. The client count isn't real high on the WLAN controller and I don't see any other obvious issues. I'm torn between this being a DHCP issue or the controller issue (or a combination of the two).
The reason I don't think it's directly DHCP related is that all wired clients seem to be getting address fine.Plus, I've set my tablet device to a static address and it still cannot connect via wifi.
**Update** I've now rebooted the controller and the problem persists (at least on the nearby iPad - Will confirm other devices shortly).
I have a 4402 which is connected to a 4506 Switch int Gig 3/1 via a trunk port. The Managment and AP-manger interfaces are on vlan 6 [code] I have a 1142N AP also connected to the switch and it pulls a DHCP IP Address and configs etc and registers to the WLC. It too is on Vlan 6 and it is connected to the 4506 on int gig 4/33 which is an access port. [code] I am doing local authentication, so i have added users to the WLC.. My problem is that the first client that connected was able to get an IP address and connect to anything internal and external.I then connected another client on another laptop and that client could connect but not get an IP address, it just self assigned.When i look at the clients i can see the MAC address of both Clients on the WLC, but doing a show mac address-table dynamic i only see the MAC of the client that works properly. The client that doesnt get an IP has no entry in the 4506 switch.I am stumped, from what I understand, is that the 2nd clients traffic is being trunked to the WLC , hence it has the MAC address. But I dont know why its not getting a DHCP assigned IP address.
I have 2 4402 WLC's and a central office and was trying to configure an H-Reap Ap but now the entire wireless network is down. Clients arent getting IP's. I cant see anything that is wrong but things are not working like they should.
I have a 4402 (version 7.0.235) working with 10 units of 1121 APs connected to it. The WLC is not configured to work in LAG mode. Physical portt #1 is connected to the Main Switch (trunk). I have 3 WLAN mapped to 3 Different VLAN and Everything (security and internal, external DHCP) is working swell...Now- I have connected Physical port #2 directly to an ADSL Router (giga port), Configured Port 2 as untaggedwith the proper IP details.I have configured this interface to receive DHCP from the ADSL Router and for some reason, Clients are not getting addresses.When I assign a Static address to my laptop I get internet access and all is nice. I tried configuring The WLC internal DHCP server (instead of the ADSL router) and that didn't work. It seems like a DHCP problem but I dont understand the source of the problem of think of the solution.When turning off the proxy settings I noticed that it worked. Is there anything to do with that? The problem was that after a while the other WLANs starting causing DHCP issues as well.
cisco 2811 IOS CA as server cisco vpn client + etoken (aladdin) as client
certificate enrollment from cisco vpn client and vpn connection with it works at present, but I don't know how to use etoken with it, how to write the client's cert. to a token.i used this doc:Configuring IPSec Between Cisco IOS Routers and Cisco VPN Client Using Entrust Certificates[URL]in chapter "Certificate Enrollment for the Cisco VPN Client", in section 3 there is a screenshot with an example of a certificate enrollment, where the specified name (CN) as vpnclient, but in section 5 "view the certificate ", common name specified as Joe Smith, etc.where this client's data is obtained? it's not clear to me... how to generate and write a client's certificate on etoken, who uses cisco vpn client with it for connect to server?
I have installed a new SSL certificate on our ASA 5500. I removed the old one, installed the new one. And associated the trust points with the interface we use for Web Connect and Any Connect connections.
They are still seeing the old expired certificates. Users can still log in and authenticate but I would rather them see the correct certificate.
I'm changing SSL VPN from aaa authentication to both aaa and certs, Server 08 CA, 8.2 ASA 5510, ssl client 2.5.1025 and Windows 7 users. My question is what should be the template of the id cert that I receive from CA. ,
I am doing a proof of concept with anyconnect and certificate authentication. with 3.0 i was able to do this with a certificate from my CA and a client cert in a smartcard. I have upgraded to 3.1 and now it doesnt work anymore ( i need 3.1 and Asa 9.0 because of IPv6 Split-tunneling).Reading the forum i got some info that the ASA cert must have a EKU value of 'Server Authentication' and the client cert must have a similar EKU (client Auth)
We have a controlled setup comprising of a 4402 WLC in our Data Centre and 1242AG LWAPs in our branches.The Wireless works well with a mixture of locally switched (h-reap) and centrally switched WLANs.I have a problem where Android devices don't seem to function as they should.I have been using an Android phone (HTC Desire, currently running 2.3.4 OS, but has been a persistant issue since 2.1) and it connects to my home wireless (and others) fine, but when connecting to the Wireless LAN at the office, it connects fine and gets assigned an IP address, but NO data flows. None, like there is no connection at all. I have just been using it on 3G. I figured it might have just been an issue with the hardware, so didn't bother too much.I have just purchase a new tablet (ASUS Transformer, Currently running 3.1 OS) and this does the same thing.I have tried publishing a new WLAN and have tried all types of encryption and authentication al the way down to open and still, no data flow. I have tried statically setting the IP details and still nothing.Interestingly, When I attended the last Cisco Live conference in Melbourne this year, I had my phone and it displayed the same behaviour on the Cisco supplied wireless, BUT, there was a second IPv6 enabled, when connected to that everything worked fine.
We are attempting to use LDAP for web authentication on a WLC 4402.
[URL]
You are able to connect to the SSID and it reidrects you to the login page as it should. When you enter your username and password you get a message that "the username and password combination you have entered is invalid." Based on the following log it looks like the LDAP bind is the issue.
*LDAP DB Task 1: Dec 19 11:19:26.584: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
We are able to test the following configuration with ldp.exe successfully,
Server: ***.***.***.*** Port Number: 389 Bind Username: CiscoBYOT
I have a guest network and lately I have been experiencing troubles with some users.The symptom, as I create a username and password and type'em in a laptop the authentication fields in the web authentication page don't keep the data as if I didn't type anything
I need this SSL certficate installation on my acs appliance 1120 for PEAP clients.I have exported SSL server certficate from my old acs 3.3 server which is under acscertstore folder issued by CA vendor . I need to reuse this same SSL certificate on my acs appliance .ACS appliance certficate setup requires following two certificate to be installed for PEAP clients authentication
1) Server Certificate
2) CA certificate
Server Certificate : For server certifcate , I have my old certificate which is exported from my old acs 3.3 server , when i tried to download my server certficate via ftp server on my acs appliance , its looking for private key & private key file .Private key & file is generated intially on CSR request when this server certificate is requested to CA vendor for my old acs 3.3 . I dont know the private key password . If i need private key & file , then i need to generate new CSR from my acs appliance and i need to submit this CSR output to my CA vendor to generate new SSL server certificate .which is something like new server certificate request .CA certficate : For CA certficate , when i open my existing SSL certificate under detials tab in CRL distribution point , i could see below URL . whn i open this URL it giving certificate revocation list . [1]CRL Distribution Point.
The IPAD VPN works great over token, radius and local authentication. But now we need to authenticate vpn client via digital certificate (only vpn authentication between client and gateway)? I'm not sure which certificate we should buy to authenticate vpn client.The plan is to install digital certifiacte on VPN Gateway (CISCO ASA 8.0.4) and IPAD Cisco IPSec client to eliminate user/pass authentication.
I have configured SSLVPN on a asa5520 with aaa and certificate authentication.Both authentication works fine,but I find the client users can use any others' certificate to authentication,I want to binding the aaa account to user's certificate.everyone must use their own certificate.
I am using a cisco asa5520 and i have set up remote access vpn with an AnyConnect connection profile.In the connection profile i have set up that users should authenticate using both certificate and AAA.Due to a high security requirement, the user certificate is issued from a 3rd party. This is working fine and the user now need a valid certificate and a username/password to authenticate successfully.I added the CA certificate as a associated trustpoint on the ASA box to get the certificate verification working.Problem:If Jane and Joe both have a valid certificate AND a valid username/password, Jane could authenticate using a combo of Joes certificate, and Janes username/password. Both are valid (isolated), but i only want jane to be able to authenticate with her username/password and her personal certificate.
Our ACS (5.3) has self signed certificate, we have exported it and declared it in Certificate Authorities.We have exported it to have a Trusted Certificate for client machine.
This certificat has been installed on a laptop.The wlc is successfully setup for eap (peap & eap-fast has been tested > ok)I have this error in the log:
12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain.I think the Access Policies (identity & authorization) are misconfigured: [code]
Is there a way to authenticate a windows computer in ACS 5.2 for 802.1x only with a certificate.The Computer is from a different active directory than the one that is configured in ACS.I tried importing the cert into "external indentity Stores" > "certificate authorities", then setup the computer to use smart card or certificate, then selected the certificate from the other AD.when i look at the ACS log, here is the message i can see: 22044 Identity policy result is configured for certificate based authentication methods but received password based
We added AAA client in the Cisco ACS 5.0 for WLC 4402 (TACACS+ Authentication) and configured WLC 4402 to use TACACS+ authentication for the management access. We can't get this work for some reasons.
Other Cisco routers and switches all worked fine with TACACS+ authentication. This is a TACACS debug output from the WLC;
Sun Aug 23 16:19:06 2009: tplus response: type=1 seq_no=2 session_id=f59bbf0b length=15 encrypted=0 Sun Aug 23 16:19:06 2009: TPLUS_AUTHEN_STATUS_GETPASS
We are deploying BYOD with Cisco ISE 1.1.2 and WLC (5508) using 802.1x authentication.Windows clients cannot connect to 802.1x SSID with the following error on ISE:Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
The client doesn't have preconfigured wifi profile or root certificate installed.The concept of BYOD suppose that you can connect your device without any installed certificates and preconfigured wifi-profiles.
The problem is that Windows 7 supplicant does not send TLS alert in pop up window, when connecting to 802.1x SSID.If this alert is seen, than you can accept it and proceed the connection. After that you will be asked to install ROOT-cert, get your own cert and etc.So, the question is: how to make the windows supplicant to show the pop-up window with TLS alert?
p.s. the attached file shows the example of pop up TLS-alert window
We use a combination of Cisco ACS and Cisco catalyst 3560 switches for network authentication and authorization. Clients (Windows XP) have a certificate installed which will grand access to the network and put them in the correct VLAN. So far, so good. Some users are testing with Windows 7 in the same set-up as above and run into strange behaviour. The problem is that after a random timer the machine gets de-authenticated and nothing besides a reboot works to get the computer authenticated again (from a Windows point of view). It looks like this only happens to users who are using a certificate to authenticate, Windows 7 MAC bypass users have no such problems. If it occurs, the following logging appears in ACS: [code] We are using ACS 4.2(0) Build 124 and 3560-48PS switches with IOS 12.2(55).
The problem is that with any EAP method of authentication that utilizes authentication with a certificate or smart card the switch will somehow impede authentication with the radius server. The EAP Methods I have tried on a SG-300-28P and ESW-540-24p switch are:EAP-TLS, EAP-FAST, PEAP Smart Card, I know that the radius server works because when I switch to a different switch the client works just fine, or if I keep the client on this switch and use any password method (PEAP (MSCHAPv2), MSCHAPv2, EAP-MD5) it also works. In both cases the radius server logged a EAP Timeout. Again this only happens when any EAP method or version of authentication used deals with certificate authentication.Only with the 3 Cisco small business switches we have, have I ran into this problem. The Cisco Aironet and Other Switches (by other manufacturers) work just fine.
I want to connect with AnyConnect Secure Mobility Client 3.0.2052 to ASA 5540 Version 8.4 and SSL Premium License.The clients using Maschine Certificate to authenticate to ASA. This works fine.Now I want to setup a DAP to verifiy the client against the Microsoft AD using LDAP. I configured LDAP server in ASA see:aaa-server LDAP protocol ldap aaa-server LDAP (inside) host ldap.com ldap-base-dn DC=x,DC=x,DC=x,DC=com ldap-scope subtree ldap-login-password ***** ldap-login-dn ***** server-type microsoft ,I can see that it works if I test the server via the testbotton in ASDM and I see it in CLI "debug ldap 255" also. But if I configure in DAP: AAA Attribute ID:memberOf = DomainMember I can not see any request to the LDAP server during I try to connect with the Client und the DAP doesn't match.
Currently the ACS 5 is authenticate the iPhone/iPad by using the MAC address (which is entered manually) and AD user/password, i need to do that with certificate, so it will be scalable.