Cisco :: 4402 - WCS User Names Sometimes Incorrect With 802.1x FreeRadius

Feb 29, 2012

I'm not sure if this is a recent issue for our setup, but I've only just noticed it. Although most authenticated users are shown by their correct user names (which are required for 802.1x authentication), a few users show up in the WCS reports as "anonymous", and one as "anonymous@myabc.com", which are not valid usernames on our network.
 
I can track these users by MAC via our network registration database, but have not yet figured what makes their systems unique. All three in yesterday's report are Win 7. I don't see anything strange in the RADIUS logs, but have not yet captured "debug" traces of wireless authentication from an anonymous user.
 
We are running WCS 7.0.172.0, with a pair of WLC 4402 controllers running 7.0.116.0. Our WPA2 Enterprise auth uses TTLS/PAP, with the SecureW2 supplicant for Windows.


Access Server With Different User Names Using (net Use Drive: /delete)

Jun 22, 2011

I want to access server with different account names at times. After a Google search, I found that it is something related to "net use drive: /delete", but we usually access different drives, so I wonder how to cancel all the drives and what the exact command is.


Cisco :: 4402 WLAN Controller - User Getting Disconnected?

May 29, 2013

I have a Cisco 4402 Wireless LAN Controller and 4 x AIR-LAP1131AG-A-K9 access points. We run a combination of [WPA +WPA2]Auth(802.1x) as well as [WPA2]Auth(PSK), most people have their own login credentials... The primary client devices are MacBooks and iPhones, with some Windows and other mobile manufacturer being the minority.
 
The Issue: I have one user (using a recent MacBook Air, latest OS, using Auth(802.1X)), that keeps getting disconnected for no apparent reason. The user account has been set up exactly the same as every other user and his laptop doesn't have this issue when connected to other WiFi networks. It's worth noting: I noticed this particular user has a lot of "Decrypt Failed" (currently 213) associated with his MAC address, no other user on our network has a single "Decrypt Failed" associated with their MAC...


Cisco :: 4402 Access Point Configured In User Minimum

Mar 13, 2012

Need an access point configured in the user minimum because I was looking and some had up to 49 LAP connections at the same time. I have a WLC 4402 version 7.0.98.


Configuring Ip Pool In Freeradius?

Nov 27, 2012

How do we setup ip pools in freeradius?


Cisco :: 2106 WLC And Freeradius Session-timeout

Jun 20, 2011

We are trying to configure our 2106 wireless LAN controller to expire wireless users' sessions so the user is not remembered indefinitely. We are using freeradius to validate the users' login information and passing back a "session-timeout" avpair, but the WLC seems to be ignoring this value.
 
How to configure the session expiration time of wireless users on a 2106?


Cisco Wireless :: WET200 FreeRadius EAP-TLS Authentication?

Feb 29, 2012

I have a new WET200 wireless bridge and cannot authenticate to our WPA2 EAP-TLS freeradius server. Here are the steps that I have taken so far:
 
1. Renamed my pkcs12 client certificate to .pfx extension and imported it into the WET200.

2. Used the client certificate import password as the "Private Key Password"

3. Typed in the client "Login Name"
 
The freeradius server recognizes the WET200 with the entered credentials but will not authenticate. The freeradius debug log gives the following error:
 
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x3e833be03884222b... did not finish!
WARNING: !! Please read [URL]
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
Normally, with other wireless devices the CA (certificate authority) certificate needs to be installed to the client as well as the pkcs12 client certificate? Is there a way to place a CA and client certificate into the WET200? What is the proper method to install certificates into the WET200 for FreeRadius EAP-TLS authentication?


Cisco AAA / Identity / Nac :: 1310 Bridges - FreeRadius Authentication Error

Mar 2, 2011

I have two 1310 bridges, one configured as root and the other as non-root. Authentication Settings: Open with EAP and Network EAP with no addition. Setup: when the non-root bridge tries to associate with the root bridge, the root bridge checks with the radius server if it's ok to associate with the non-root bridge.
 
I can see communication with the radius server (I'm using FreeRadius) and the radius server even sends a SUCCESS back to the root bridge. However I'm seeing this error on the non-root bridge: DOT1X_SHIM-3-PLUMB_KEY_ERR: Unable to plumb keys - Eap key struct is NULL and the bridges do not authenticate.


Cisco :: LMS 4.0 IP SLA Availability Report Is Incorrect?

Jun 22, 2011

I'm polling a few thousand locations using IP SLA, I have responder enabled on all destinations, and I'm using 60 byte voice packets with a QoS policy. When I run an IP SLA Summary availability report, I have a bunch of locations showing 9% availability, 8.5% etc. When I go to the actual collector, and pull up a graph of the same time period, that graph shows 100% availability.
 
Same collector, same data, just different views giving completely different results. I have to assume that the IP SLA summary report is wrong, these sites were not down 90% of the time.
 
Just a random thought to go with that: I do have the IP SLA set to only pull information during the locations' operational hours, and I did pull the report from midnight to 11am. The statistics should have been gathered for 4 hours of the 11, which is still higher than 9%, and I would expect all of my locations to report like that, not just a few hundred.
 
All of the devices are similar in hardware and IOS, and I have verified on a handful that IP SLA responder is enabled, and I see the connections, I have also verified the source configuration via command line.


Broadband :: 421 Login Incorrect Ftp?

Apr 30, 2011

I want to access my application via FTP on the internet, so I type my IP address as a URL, but it will not get my IP. It says 421 login incorrect error... How to solve this problem?


FTP Error 421 Login Incorrect?

Jun 10, 2011

I have an older Buffalo NAS that I use as an FTP server. Never had any problems, even after I changed my ISP to Qwest DSL last week. But I had wireless problems with the modem, and they swapped out my modem, and now with the new modem, I get a 421 Login Incorrect error when it tries to connect to the FTP server address. Though this version of WS_FTP Pro is not really compatible with Windows 7, I have been using it successfully up until my modem change. It keeps giving me a "421 Login Incorrect" error. I have reset the password on the NAS, and the modem is configured to accept FTP traffic via the NAS, which is connected via Ethernet to the modem. All settings are the same as on the old modem, but no FTP.


Keep Disconnecting And Incorrect Security Key?

Mar 16, 2011

So I've been getting disconnected from the Internet many times in a day, can't even count it, and it's starting to bug me as I have online quizzes and assessments that I need to complete each week. Whenever I get disconnected I'll have to connect again to the modem (wireless) and each time I am told that I have the wrong security key, but it's correct, I am sure! It's only when I switch off the modem or my computer and restart either both or one of them that I can (by luck I guess?) get the Internet back again. I've been told by a friend that my period/session expired so I can't connect... and that the modem keeps relisting/refreshing (sry, forgot what the exact term was) every hour or smth? What exactly is wrong? [CODE]


Cisco :: ASA 8.3 Object Vs Names

Jan 6, 2012

Just planning my move to 8.4(2) and I'm looking for some input. In the past, I have a text file with name commands for every host on my network that I know about. I would then deploy this list to all ASAs so that I could create ACLs on any firewall using a name, which would correlate to the same IP on any firewall. Now, the names from the name command no longer work as a host entry in ACLs, therefore I'm required to switch all of my active name command entries over to objects. My question is, have any of you found an easy way to change all name commands to objects? Since the name command doesn't specify the mask of the entry, I think this may not be possible without manually updating thousands of records. I know that once I migrate, there will be some objects auto-created, but those will only be host and or networks which have NATs associated with them.


Cisco :: NAM App 2204 Ver 5.0(1) - Incorrect Timestamps In Captures

Apr 1, 2012

I have a NAM appliance that generates captures with incorrect timestamps. It looks like it's adding 3 extra zeros after the period, turning milliseconds into microseconds.
 
Here are the capture settings, and attached a sample capture.


Incorrect Mac Address In Wifi Adapter?

Jun 20, 2011

I have a Wi-Fi adapter with incorrect MAC address FF-FF-FF-FF-FF-FF.

Adapter has a Realtek RTL8188SU chipset.

Is there any program to flash a new MAC in my adapter?


AAA/Identity/Nac :: ACS 4.2 Incorrect Password Attempts?

Nov 7, 2012

Incorrect password attempts in ACS 4.2.
 
1) Can I specify the time in "Incorrect password attempts"? Meaning, if the 3 incorrect password attempts were made within 05 minutes, then only the account will be locked?
 
2) Is it possible to RESET automatically the "Incorrect password attempts counter" (when the account is locked) in ACS?


Cisco AAA/Identity/Nac :: ACS 5.2 User Roles And Restricting User Access To Add Items?

Sep 22, 2011

We are running ACS 5.2 patch 6 and want to restrict access for users to be able to add devices to the system. For example, admin person in site A can only add devices into the site A group and cannot see/access other sites' groups.


Cisco Wireless :: WLC 7.0.230.0 - Incorrect DHCP Addresses Being Allocated?

May 13, 2012

Initially there were 3 SSIDs configured but all of them were assigned a single interface and this interface was configured with the controller management IP address as DHCP server so that the WLC could assign IP addresses to wireless clients, guns and printers etc.
 
Issue: As part of PCI initiative, we decided to segment the traffic in multiple subnets based on type of wireless clients; so now there are 3 interfaces configured and each SSID is assigned a specific dynamic interface and each interface is configured to use the controller management IP address as DHCP server.
 
There are 3 scopes configured for each of the dynamic interfaces/SSIDs and DHCP proxy is enabled, but wireless clients are still being allocated IP addresses from the original DHCP scope that was associated with the dynamic interface originally assigned to all 3 SSIDs.
 
I verified the following:
 
1. Each SSID is assigned a different dynamic interface (Users, Voice and Handhelds)

2. Each dynamic interface is configured to use controllers management IP address as DHCP server

3. DHCP scopes configured with correct network information for each dynamic interface and enabled


Cisco :: 2960S Stack SFP Interface Representation Incorrect

Oct 2, 2012

In the Ciscoview, the uplink SFP interfaces of the 2960S stack are represented incorrectly. The two uplink interfaces should be Ten1/0/1 and Ten4/0/1 but proved to be Ten1/0/1 and Gi4/0/25. There is no 1G SFP module, so the interface gi4/0/25 doesn't exist. [code]


Cisco Firewall :: ASA-5510 - Incorrect Password Attempts?

Sep 15, 2011

How to configure "Incorrect password attempts: disable login for 30 minutes after 3 successive failed attempts" on ASA-5510?


Cisco :: LMS 4.1 DCR Names Reverting To IP Address

Feb 12, 2012

I have an issue with LMS 4.1 where the DCR names of several devices repeatedly revert to the IP address.  I am trying to stage some devices for deployment.  The initial 5 devices were staged and are now off-line.  A subsequent set of 6 devices is on-line and accessible from LMS4.1.  The device names on the off-line devices are stable.  The device names of the on-line devices revert back to an IP address every day.  From device management, I go in and change the display name and the host name from the IP address to an alphabetic host name.  When I go back and look at it the next day, it has reverted to the IP address. 


Cisco Firewall :: 5510 - Display User Message When User Connects Using AnyConnect Client?

Apr 20, 2009

We are using an ASA 5510 and remote access (SSL VPN) using the AnyConnect client.
 
Is it possible to display a user message when a user connects using the AnyConnect client, matching a specific dynamic access policy?  Can the message be displayed when the action is "Continue" rather than "Terminate"?  I can't seem to get this to work and wondered if there was a LUA function to do this.
 
We have a DAP which gives a restricted ACL when the user's anti-virus is out of date, and I wanted to notify the user to update their anti-virus and reconnect.


Cisco Firewall :: Create Local User In ASA 5520 To Allow User To Use ASDM In Read-Only Mode?

Oct 10, 2011

I want to create a local user in my Cisco ASA 5520 to allow the user to use the ASDM in Read-Only mode. I want the user to view the Dashboard only.


Ralink 802.11n Wireless LAN Card - Password Is Incorrect?

Sep 8, 2012

I am running Windows 7 and have a Ralink 802.11n wireless LAN card. I have had no issues with this and a month ago my roommate randomly decided to switch from Verizon to Brighthouse. This switch took 3 weeks but everything is hooked up and working (almost) fine now.

My computer picks up the wireless signal fine but when I type in the password it says the password is incorrect (I've tried 100 times, case sensitive, yada yada). That same password works fine for my roommate's computer to connect and fine for my iPhone to connect. If I connect through an actual cable, the internet works fine on my desktop. It seems to me like an issue with Windows. Windows is updated and all of the appropriate drivers and updates are current as far as I can tell.


Host Names For NAS And Xbox 360

Sep 17, 2011

Is it possible to give my NAS and Xbox 360 host names so that they show up in my DHCP client list? Currently there are 13 devices connected, 11 of which have a host name but these two do not. It also shows the IP and MAC addresses of each connected device. I just want to make sure that all of the devices that are connected are what I would expect.


Host Names And IP Addresses?

Sep 30, 2011

I have been asked to do is locate some computers on the network and run a security scan on them. Well, I pinged the host name and got an IP address. Then the network admin had me look up the switch port that the computer is located on and so on. So I find 3 of the computers I'm looking for, and when I get on the computer and look up the name, it does not match the name given to me. So I do an ipconfig /all and see that the computer has the right IP address and MAC address but not the same name. So my main question is, are these computers one and the same or is something messed up?


Cisco VPN :: 5520 - Incorrect TCP Session Logs For Remote VPN Users On ASA

Oct 29, 2012

I have a problem on a Cisco ASA5520 version 8.2(5). A customer has set up a syslog to keep track of tcp sessions made by vpn users. On the syslog we filter %ASA-6-302013 and %ASA-6-302014 log messages, respectively: Built inbound TCP connection and Teardown TCP connection. When the connection is made by a vpn user, at the end of the log line you see the vpn username, which should be the same in both the messages for the same connection. I have verified that when a user, let's say UserA, disconnects from the vpn, their tcp sessions are not properly closed; if another user, let's say UserB, establishes a VPN immediately after and gets the same IP address previously assigned to UserA, the log sessions are recorded with UserA in the %ASA-6-302013 message and UserB in the %ASA-6-302014 message. I presume this is due to the fact the tcp sessions are not torn down when the first user disconnects and it looks like a bug to me, but I didn't find it referenced anywhere. Is there a way to have all tcp sessions torn down when a user disconnects the VPN connection?


Cisco Routers :: RV180 - Incorrect SNMP Interface Counters

Sep 7, 2012

I am attempting to monitor bandwidth utilization of the WAN port for the RV180 via SNMP and I am getting strange results.  If a 256MB file is transferred from a remote server (without compression), the ifInOctets counter doesn't increment by anything resembling 256MB:
 
$ snmpget -v2c -c  public 192.168.1.1 IF-MIB::ifInOctets.5  IF-MIB::ifOutOctets.5
IF-MIB::ifInOctets.5 = Counter32: 365402138
IF-MIB::ifOutOctets.5 = Counter32: 32610053

[Code].....

I'm reasonably certain that the .5 interface is the WAN port based on the value of ipAdEntIfIndex.X.X.X.X, but even if that were not the case, none of the other interfaces increment by a value close to the amount of data transferred. SNMP monitoring of a WAP121 on the same subnet returns expected results. I can only assume that SNMP on the RV180 is completely broken.
 
The router has the latest firmware available (1.0.1.9).  There is only one network connection and the RV180 is the default gateway for all internal hosts.


Cisco VPN :: ASA 5505 DHCP Request Incorrect Host Name Length

Jun 26, 2011

I have an ASA 5505 with software version 8.2(1). It is making DHCP requests for IPSec clients that connect to the ASA. The DHCP request packets the ASA makes have an extra '00' appended to the hostname field, and the length field is the size of the hostname + 1. The DHCP server is Microsoft Server 2003 and this causes the hostname to be registered with an unknown character which appears as []hostname. Then when Server 2003 tries to update the DNS record, it fails because of the invalid character in the hostname. Is there any way to have the ASA have the correct length for the hostname field in the DHCP packet, or a workaround that will solve this problem?


Cisco VPN :: ASA 5520 / IPhone 3GS IOS V4.3 (8F190) - VPN Shared Secret Incorrect

Sep 19, 2011

how the Cisco VPN works, as I already have a post on here about not being able to connect an Android device to my firewall. I am now struggling to get an iPhone 3GS iOS v4.3 (8F190) connected to the VPN either. I have checked the Network (client) Access settings on the firewall, and confirmed the group names I'm after, including the protocols it supports. L2TP is disabled so it looks like I can only connect via IPsec. So I fill out the required details in the iPhone but keep getting a message back from the phone:
 
"The VPN Shared Secret is incorrect"
 
Now I'm sure I have this right as I use the same details on my laptop, which connects to the VPN perfectly fine. But I am starting to bang my head against the wall; no matter what I try and do I cannot seem to get either device to connect to the firewall. I have a pair of ASA 5520 boxes running Cisco software 8.2.


Cisco Firewall :: 12697 FWSM Shows TCP Check-sum Incorrect

Jun 13, 2012

When we set up a connection between two hosts we receive the message "TCP checksum incorrect". This is between a settop box on the outside and a server inside the firewall. This STB used to communicate with the server on port 443 which is NAT-en to port 12697. With a new settop box image which uses on the inside and outside port 12697 we receive this TCP checksum incorrect on the Firewall with wireshark.
 
Strange is that on the outside of the firewall we see an MSS of 1460 and on the inside it is 1380 (don't know if there is a relation with this and the issue we have)


Cisco :: Hiding Names From Its Corporate Directory Look-up?

May 21, 2012

I have Cisco's CUCM version System version: 7.1.5.10000-12. When I do a corporate lookup (from my 7970 I hit Directories - 5) Corporate Directory) I see all sorts of accounts that have no phone extensions, i.e. our Windows service accounts, our administrator accounts that have no number associated with them. Is there a way for me to hide them?


Cisco Firewall :: ASA 8.4 DNS Names In Object-groups

Jun 8, 2011

Is it possible somehow to define externally administered DNS names in ASA 8.4 within object groups? I know that we can use name XXX, but some idea popped up using this kind of configuration.







