Cisco :: 5508 / 1142 - Machine Certificate Will Not Be Recognized

Dec 10, 2010

I have a setup as follows:
 
- 5508/1142
- heterogeneous client with WZC, XP, SP3, SSO
- ACS 5.2, MS AD
 
Target is Single Sign On with machine certificates against AD. For testing purposes we tested with EAP-PEAP/MS-CHAPv2 and machine auth, which works fine. Now we installed a machine cert in the machine cert store (no user cert) and reconfigured the WZC for using certs and machine auth. What we see is an error message in the system tray that there is no certificate available. We checked it again; the MMC shows us a machine cert in the store.


AAA/Identity/Nac :: ACS 5.2 Machine Certificate Authentication

May 23, 2011

Is there a way to authenticate a Windows computer in ACS 5.2 for 802.1x only with a certificate? The computer is from a different Active Directory than the one that is configured in ACS. I tried importing the cert into "External Identity Stores" > "Certificate Authorities", then set up the computer to use smart card or certificate, then selected the certificate from the other AD. When I look at the ACS log, here is the message I can see: 22044 Identity policy result is configured for certificate based authentication methods but received password based


Cisco AAA/Identity/Nac :: ACS 5.1 802.1x EAP-TLS Machine Certificate Authentication

Jul 11, 2011

Looking for the steps to configure wired clients using certificate authentication only, i.e., once a certificate is presented to the ACS that is issued by a trusted CA, the connection is permitted.
 
No need to tell me about switch configuration.


Cisco AAA/Identity/Nac :: ACS5.1 - Machine Certificate And AD-Account-Verification

Aug 2, 2011

We plan to use machine certificates on our notebooks with Windows Vista. Our authenticating server is Cisco ACS 5.1. To access the wireless network we want to use the machine certificate of the notebook and a verification of the corresponding computer account in the Active Directory. What authentication method is the best to check the machine certificate and whether the corresponding enabled computer account exists in the Active Directory? How do we configure the ACS and the notebook to use it as described?


Cisco Wireless :: WLC 5508 / SW 6.0.199.4 / 1142 AP / Clients Getting Dropped?

Apr 14, 2013

We have deployed a WLC 5508 w/ SW version 6.0.199.4, 1142 APs & open authentication w/ MAC filtering. Clients are randomly getting dropped with "Limited Access" shown in Win 7. In this state, the client machine is unable to ping the gateway and sometimes loses its DHCP assigned IP as well. A manual disconnect/re-connect to the SSID is required every time. I ran a debug on one of the clients stuck in the "Limited Access" state (debug client xx:xx:xx:xx):
 
*Apr 15 16:59:23.205: e0:91:53:60:1f:e4 Adding mobile on LWAPP AP 3c:ce:73:c5:1e:b0(0)
*Apr 15 16:59:23.205: e0:91:53:60:1f:e4 Scheduling deletion of Mobile Station:  (callerId: 23) in 5 seconds
*Apr 15 16:59:23.205: e0:91:53:60:1f:e4 apfProcessProbeReq (apf_80211.c:4722) Changing state for mobile e0:91:53:60:1f:e4 on AP 3c:ce:73:c5:1e:b0 from Idle to Probe

[code]....


Cisco :: 5508 / 1142 / APs Won't Rejoin After Controller Outage

Sep 22, 2012

We recently had a power outage where most of our APs were down as well as our controller. When everything came back up most of the APs didn't rejoin the controller without me resetting all of them. It seems as if the APs might have booted up before the controller was up, but shouldn't they just try to rejoin at a later time? They didn't rejoin for 48+ hours on their own so I'm assuming that they were not ever going to re-join. All I had to do to fix it was power them off and back on and everything worked.
 
DHCP is on the local switch where the AP's are powered from so that's not a problem, and they had connectivity to the controller the whole time.
 
5508, and 1142s. Software version 7.2.103.0 on the controller.


Cisco Wireless :: WLC 5508 / 1142 - Range Coverage

Jul 26, 2012

We did wireless coverage testing using some 1142 units in autonomous mode, and got a satisfactory result, but upon converting these test units to Lightweight and adding them to our WLC5508 controller, the coverage has decreased noticeably. 

Any tips or tricks to getting lightweight 1142 APs to have a range as far as the same hardware with autonomous firmware?


Cisco Wireless :: WLC 5508 AP 1142 - SSIDs Segregation

Dec 26, 2012

Doing segregation of SSIDs based on AP, I have the following scenario:

Head Office:
2 SSIDs (HO_WiFi, Guest), Access Points which are working in connected mode and grouped on the default AP group.

Remote site:
2 SSIDs (Branch_Wifi, Guest), Access Points working in flex connected mode and locally switching the traffic.

As shown above, I will be having Head Office and another 20 Remote Sites with Access Points working in Flex connected mode. What is the best way to group APs and segregate SSIDs based on location? The above scenario is built based on WLC 5508 and AP 1142.


Cisco Wireless :: 5508 / 1142 / Access Points Resetting?

Sep 2, 2010

Access points 1142, controller 5508 running code 6.0.196.0. When you set the access point port speed with "config ap duplex full speed 1000 all" the access points leave the controller and do not rejoin. I have had to reset the access points manually with a power down and hold the reset button.


Cisco Wireless :: WLC 5508 / AP 1142 Rapidly Cycling Through Blue / Green And Red

Feb 19, 2013

After the upgrade of the WLC 5508 to version 7.4 the 1142 access points' LEDs are blinking, rapidly cycling through blue, green, and red. I found the following information on this behavior: "Access point location command invoked"
 
The configuration didn't change. How can I switch this function?


Cisco Wireless :: 1142 / 5508 - User Switching Every Few Minutes Between 2.4ghz And 5ghz?

Aug 20, 2012

This first started when a user said they were getting disconnected and reconnected a few times a day to our wireless network. He is in a remote office with a 1142 which is set to H-Reap talking back to our 5508. Our WLC is running 7.0.166. The laptop has an Intel Ultimate 6300agn wireless card with the latest 15.x drivers.

We are using an SSID with WPA2 and 802.1x auth back to our ACS server using PEAP with our Windows credentials. Attached is what I am seeing on the WCS troubleshooting page. When I do a debug client on the WLC I see many reauthentications coming from the client on the different radio.
 
*apfMsConnTask_2: Aug 22 12:59:36.762: 00:24:d7:d1:16:6c Reassociation received from mobile on AP 0c:85:25:f3:7d:40
*apfMsConnTask_2:  Aug 22 12:59:36.762: 00:24:d7:d1:16:6c 10.24.8.108 RUN (20) Changing  ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller  apf_policy.c:1621)
*apfMsConnTask_2: Aug 22 12:59:36.762:  00:24:d7:d1:16:6c Applying site-specific IPv6 override for station  00:24:d7:d1:16:6c - vapId 512, site 'VH-GasWorks', interface  'management'
*apfMsConnTask_2: Aug 22 12:59:36.762:  00:24:d7:d1:16:6c Applying IPv6 Interface Policy for station  00:24:d7:d1:16:6c - vlan 2, interface id 0, interface 'management'
*apfMsConnTask_2:  Aug 22 12:59:36.762: 00:24:d7:d1:16:6c Applying site-specific override  for station 00:24:d7:d1:16:6c - vapId 512, site 'VH-GasWorks', interface  'management'
*apfMsConnTask_2: Aug 22 12:59:36.762:  00:24:d7:d1:16:6c 10.24.8.108 RUN (20) Changing ACL 'none' (ACL ID 255)  ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
*apfMsConnTask_2: Aug 22 12:59:36.762: 00:24:d7:d1:16:6c STA - rates (8): 140 18 24 36 48 72 96 108 48 72 96 108 0 0 0 0
*apfMsConnTask_2: Aug 22 12:59:36.762: 00:24:d7:d1:16:6c Processing RSN IE type 48, length 38 for mobile 00:24:d7:d1:16:6c

[code]....
 
Now this may not be the issue that's causing our dropouts a couple of times a day, as this is happening every 5 mins.


Cisco :: WLC 5508 - Possible To Support 1 Certificate For Each WLAN

Mar 27, 2013

We are moving forward with a mobility project which requires our network to authenticate/authorize based on certificates. 
 
WLAN_1 has 802.1x enabled passing the cert through to the MS CA which authorizes the cred, which in turn passes the AD creds of the user to the MS RADIUS server for authenticate/authorization.

Hardware: WLC 5508 running 7.2.110.0 3600 APs ACS 5.2 not used for AAA
 
1. As we turn up additional SSIDs, we need Mobile SSID to accept ONLY the Mobile Cert, our Internet SSID to only accept the Internal Cert and our GUEST SSID to deny ANY Cert issued by our CA. I know ISE makes this much easier, but I don't have it and need this to work as best we can until next fiscal cycle.


Cisco Wireless :: WLC 5508 And Certificate For Ipad Users?

Jan 5, 2013

Have WLC 5508 running 7.4 code; have WLAN set up to allow access to internal network. Users on iPads should be able to connect to this WLAN and be authenticated via certificate instead of PSK. We have set up laptops that are part of the domain to use internal CA for authentication to WLAN. iPads are not part of the domain so we are not able to use the same model, or can we use the same model for authentication? How to set up WLC to authenticate iPad users via certificate instead of PSK while connecting to the WLAN?


Cisco Wireless :: 5508 WLC Apply Certificate Without Reboot

Apr 10, 2013

Get an installed certificate to work on a 5508 WLC controller without rebooting. Is there a way? Is it possible to just reload a process to get the certificate to work?


Cisco Wireless :: Putting A Certificate On 5508 WLC For Webauth?

Feb 12, 2013

I am using webauth and need to install an SSL cert to prevent the "There is a problem with this website's security certificate" message. I have a wildcard cert that was issued by Network Solutions that I use on a couple of web servers I run, and want to know if I can use that for the WLC? It's a pks cert and I think the WLC needs to use a pem cert, so I converted the wildcard to pem. Or do I need to purchase a cert that is not a wildcard and is in pem format?


Cisco :: 5508 Unable To Upload Signed Certificate

Jul 1, 2012

I have two Cisco WLC 5508 controllers that I'm trying to set up for our new corporate WLAN. I've gone through most of the configuration fine but have run into an issue uploading a signed certificate to one of my controllers. I should point out that I have managed to upload the certificate successfully to one of the controllers, I just can't seem to upload it to the second. The issue is as follows:
 
- I've logged into the controller, gone to Security -> Web Auth -> Certificate -> Download Certificate
- I've specified my tftp server details and selected apply
- the process begins and I can see through my tftp client that the controller is attempting to copy and install the certificate
- The controller tries to install the certificate but fails, reporting the same


Cisco Wireless :: 5508 - Virtual WLC - Certificate Errors

Sep 13, 2012

I have just set up a vWLC for lab purposes and it's up and running. I have a few used 1131 LAP:s that try to join the AP but I just get DTLS certificate errors like these:
 
*Sep 14 13:25:27.229: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Sep 14 13:25:27.258: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Sep 14 13:25:36.198: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Sep 14 13:26:41.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.105 (code)
 
These AP:s (I have tried 2 so far) have earlier been in use connected to a cluster of 5508:s.


Cisco Wireless :: 5508 Can Migrate Web Authentication Certificate Used For Guests

Sep 3, 2012

I am planning to migrate from an old 4400 to a new 5508. I am happy with migrating the access points but I need to know if I can migrate the web authentication certificate used for guests. The new WLC will have the same virtual interface and DNS name to match the CN on the current certificate. Will this work or will I need a new certificate?


Cisco :: 5508 - Wildcard Certificate Accepted By Wireless Lan Controller?

Feb 13, 2011

I have 3 WLC 5508 and a NAC guest server. We want to download a wildcard certificate. A few seconds into the download of this certificate I got the failure message "download failed".

Does the WLC accept wildcard certificates, or must I generate a SAN (Subject Alternative Name) certificate?


Cisco AAA/Identity/Nac :: 5508 / ISE / BYOD / Windows Clients Reject ISE Local-certificate

Mar 26, 2013

We are deploying BYOD with Cisco ISE 1.1.2 and WLC (5508) using 802.1x authentication. Windows clients cannot connect to 802.1x SSID with the following error on ISE: Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate

The client doesn't have a preconfigured wifi profile or root certificate installed. The concept of BYOD supposes that you can connect your device without any installed certificates and preconfigured wifi-profiles.

The problem is that the Windows 7 supplicant does not send TLS alert in pop up window, when connecting to 802.1x SSID. If this alert is seen, then you can accept it and proceed with the connection. After that you will be asked to install ROOT-cert, get your own cert, etc. So, the question is: how to make the Windows supplicant show the pop-up window with TLS alert?

p.s. the attached file shows the example of pop up TLS-alert window


Cisco Wireless :: 5508 - Bypass / Remove Certificate Page For Guest User WLAN

Jul 24, 2012

When a guest user first tries to access the "guest" WLAN, they are presented with a "certificate page" before the web authentication page / login is presented. The WLC forces an internal redirect to https://1.1.1.1 causing the certificate page to appear. Can this be bypassed? I am running 5508 with 7.0.220.0.


Severe % Dropped Packets On XP Machine When Windows 7 Machine On Network Not Switch

Aug 2, 2011

I have a strange error on my home network that I cannot find a solution to. I have a Huawei SmartAX MT882 from TalkTalk acting as a modem connected to a D-Link DSL-G624T acting as a router/switch. Connected to the D-Link I have a Windows 7 Pro machine (64-bit, SP1) and an XP (Home I think) machine (SP 2 I think). The SmartAX modem is set up to perform DHCP and DNS relaying and the D-Link has DHCP turned off and DNS relay turned off. The Win7 machine can access the network, get an IP address and access the internet without problems, regardless of the status of the XP machine. The XP machine can access the network, get an IP address and access the internet with no problems ONLY if the Win7 is powered up. When the Win7 machine is off, the XP machine seems to drop about 25% of the ping packets between it and the D-Link router and has no internet access (because of this I assume). [code]


Installed Network Printer On Windows 7 Machine / Now XP Machine Won't Print To It

Jul 20, 2011

New Win-7 machine set up. I used the printer set-up wizard to install a networked printer in the new machine with absolutely no problem. Proved it would print from that machine. Now, I get a call informing me that her old XP machine, which had been printing to the network printer with no problems, will no longer print. Documents go into the print queue, but they don't get printed. No error messages show up. I did some messing around via remote access, and finally removed the printer with the intention of reinstalling it. Scanning for network printers turned up several redundant instances of the same printer with different names. Some are identified as "invalid", some as "access denied". Bottom line: I can't get any of the selections to install. On the Win-7 machine I did find a window that indicated that the printer is designated as being shared, but I didn't explicitly set it for sharing when I installed it. Also, I somehow got to a window that told me that for printers that were to be shared with other versions of Windows I could optionally install drivers to support such machines. Didn't have the driver disk handy and took the window down. Now I can't even find it again. I need sorting this all out. Part of the problem is that out there in "network land" there are redundant remnants of previous installations that are being remembered inappropriately.


Cisco AAA/Identity/Nac :: %ASA-3-717009 / Certificate Validation Failed / Certificate Date Is Out-of-range

Jan 30, 2012

There is an ASA with remote access VPN and users are authenticated using third party signed certificates (CA is not local in ASA). When a user certificate expires I can see it in syslog messages. For example:
 
     %ASA-3-717009: Certificate validation failed. Certificate date is out-of-range, serial number: (...)
 
I would like to know if there is an opportunity to view user's certificate expiry date beforehand, say, 3 days before?


Cisco AAA/Identity/Nac :: ISE 1.1.1 Don't Have Certificate Authority Certificate Anymore?

Oct 19, 2012

I am working on ISE 1.1.1; surprisingly, I couldn't find the certificate authority certificate at certificate operation anymore.

Would it be the change on GUI? So now where can I import the CA certificate to ISE?


Windows 7 Machine Does Not Detect Win Xp Machine

Apr 29, 2012

I have a network problem. My Windows 7 machine is not detecting the Win XP machine whereas the Win XP machine is detecting the Win 7 machine. They are in the same workgroup named Home. And the networking system is set to work. I have left the homegroup I was previously in. I enabled file sharing for devices that use 40 bit and 50 bit encryption. On XP I have enabled NetBios over TCP/IP. File sharing is enabled on both computers. I think it's something obvious as both installations on different computers are really fresh and both Windows haven't been tampered with.


NIC Recognized But No LAN Active

Feb 17, 2013

The onboard NIC on my Asrock Extreme6 Z77 has stopped working. I had recently moved my system in to a newer and better home, and after moving it in to the new case the NIC stopped working. I had originally thought that I may have zapped it, but looking at the device manager I saw that it was enabled and recognized by Windows. So I tried some trouble shooting.

- Uninstall and re-install drivers.

- Different cables (5 in total, 3 of which work on other machines)

- Disable and re-enable.

- Went out and bought a wireless USB, allowed me to connect to the internet this way. Then yesterday it started to work again after not using the computer for most of the day. Could play some Battlefield 3, and about 2 hours in to gameplay it stopped working. Ran trouble shoot on Windows, something quickly popped up saying something about ip wasn't reconfigured/updated/some BS like that. Finished for the night happy it was working again and then came back on tonight and now it's not working again.

- Updated BIOS.
- Deleted McAfee
- Verified it was turned on in UEFI (doesn't show connected in system browser in UEFI)

Windows IP Configuration

Host Name . . . . . . . . . . . . : Crosby-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

[code]...


Remote PC Not Recognized On LAN?

Oct 26, 2011

I just installed a fresh copy of Windows XP Pro SP3 on one computer. Now my other PC has Windows 7. I connected the two with a LAN cable, and in 'Network' the Windows 7 PC picks up the shared folder of the XP PC automatically, but the XP PC does not show the Windows 7 Shared (Public) folder. Can it be the antivirus? XP PC has MS Security Essentials and Windows 7 PC has ESET.


Cisco :: LMS 3.2 Device Type Not Recognized

Jul 4, 2011

I'm running on LMS 3.2 and RME 4.3.0 and one type of device was not recognized. This is NME-X-23ES-1G (IOS : 12.2(35)SE5) in a 3825 url... this module is supported with the OID 1.3.6.1.4.1.9.1.703, but in the device center I've found something which seems to be the right equipment:
 
- Cisco Interfaces and modules
- Cisco Network Modules
- Cisco 2800, 3800 series 23-port EtherSwitch Service module with OID 1.3.6.1.4.1.9.1.664


Cisco :: ASR903 Prime 4.1 Not Being Recognized

Jun 10, 2013

I have Prime 4.1 on Windows with the latest update; it is up and running except for a few devices (ASR903 routers) that are not being recognized in the Fault (DFM). These devices are supported in this release. The fault is showing that the devices are stuck at 10% learning state. The strange issue is that when I click on the routers that are in the learning state, some show the device type as N/A and others are showing "routers". Anyway, I followed the steps mentioned in "How can I troubleshoot device discovery stuck at 10%"


Cisco WAN :: 2921 - VWIC2 Not Being Recognized?

Apr 3, 2012

I have a 2921 router, with UCK9 services on it.  I've installed a VWIC2-2MFT but the system is not seeing it.  I've been told there is a command required to enable the card, is this true?  I've always done most of my UC work on the 2800 range and never had to run an enable command, it just saw the card.


Cisco :: ASR1001 - Hardware Is Not Recognized

Jan 24, 2012

I noticed in RME inventory, my ASR1001 hardware is not recognized. I checked my Ciscoworks and it only knows ASR1002, 1004, and 1006 routers.
 
I checked the supported device table for LMS 3.2 and did not find ASR1001. Is there a separate device package I can download. This is not a deal breaker, but it's unnerving to see the question mark icon next to the name of my router in the Cisco works GUI.


Cisco AAA/Identity/Nac :: AVG 2012 And NAC 4.8.2.3 - Cannot Be Recognized

Jan 4, 2012

We have CAM/CAS 4.8.2, NAC agent 4.8.2.3 and compliance module 3.4.27.1. AVG 2012 cannot be recognized by NAC agent. From the link below, it should work: [URL].








Copyrights 2005-15 www.BigResource.com, All rights reserved