Cisco :: 5508 - 802.1x Authentication On PSK Key Management?
Aug 20, 2009
I'm setting up a new 5508 WLC (the first wlc I have ever setup) and I have my WLAN setup with our existing WPA/TKIP ssid for transitioning our clients from our existing autonomous system to the wlc. I have selected PSK as the key mgmt and I can get the client's to connect for a few minutes but I keep seeing these errors:
Fri Aug 21 08:50:05 2009 Client Excluded: MACAddress:00:21:00:f9:dd:50 Base Radio MAC :00:23:eb:27:e3:b0 Slot: 1 User Name: unknown Ip Address: unknown Reason:802.1x Authentication failed 3 times. ReasonCode: 4
I don't have nor do I want 802.1x enabled. Is there something I need to disable either on the client or the controller?
I want to configure managment-access authentication to the WCS via tacacs+. The AAA Server is Cisco ACS 5.2.I made it and it works, but only with PAP Authentication Type. Chap doesn't work 4 me.The Access Service is configured with allowed protocols PAP and CHAP.The ACS Monitor just display an error with these steps:Received TACACS+ Authentication START Request
I have a 5508 deployed, what I'm trying to do is configure it so that it can be accessed with AD credentials, I'm not talking about accessing the wifi network, I'm talking about logging onto the controller itself for management purposes. We havea few people our team, and it would be alot easier if each of us could log into the controller with our own AD logins. Is there a link that can assist me in accomplishing this, I haven't been able to find one.
I setup a WLC5508 with 2 SSIDs, one for guest traffic and another for internal users. They are in separate subnets and are routed out to the internet via 2 different isps, with the guest network going over a bonded t1 and the internal users going out the primary internet connection for the company. While this works as desired and we've verified that while on the guest network we're going out the right isp, we've encountered an issue with saturation of the bonded t1 pipe by guests. We'd like to find a way to limit a guest to a capped down/up stream if possible, with downstream being the most important. The infrastructure includes 3560 switches and AIR-CAP3502I-A-K9 access points.
I'm having an issue with the 5508 management port .. I can't seem to ping it from the switch connected to it .. ( the Show cdp command shows that the two can see each other .. but no ping is possible ! [code]
We faced one recent issue with WLC configuration behavior and explaining our observation and workaround we did.Requirement is to manage the WLC (5508 with 7.4 code) using two SNMP managers in different locations. Also these two Servers should use the same community string to manage WLC.
We were able to configure the SNMP community string for one server IP (to allow access) through GUIWhile trying to add another Server – IP with same community string – it didn’t allow As per the configuration guide, Controller can use only one IP address range to manage SNMP community. So we cannot configure the same community string to allow only two different server IP addresses [code] We currently configured the major subnet ( 10.x / 8 - two match both server addresses) and it works fineAlso when we tried 0.0.0.0 / 0.0.0.0 , it didn’t work (SNMP was failing)But this creates a security issue wherein anybody can poll the WLC.
I'm setting up a new 5508. I've used the config from a 4402, have successfully connected to the Service port to manage the device, but for some reason cannot connect to the Management interface. In this case, port 1.
The service port is connected to a Catalyst switch and grabbed an ip address (10.2.x.x subnet) no problem. I can access the 5508 via https using the SP. However, port 1 is connected to the same Catalyst switch, but on a different vlan (subnet 10.20.x.x). Both ends show that the interfaces are up, I can ping the interface from any other host on the network, but when I try to manage the device via https I cannot connect. We are using WCS and I cannot add the device from the WCS. About all I can do is ping that interface.
I didn't design the job, but is pretty straight forward, except the following, the design has a single wlc 5508 with 2 physical connection between two non cisco switches. There are 2 initial WLANs to be created. I am ok with most of the wlc config execpt the following:
Now from my understanding of everything I have read recently, you can't use LAG on the 2 physical connections if they connect to 2 seperate switches, unless, although not offically supported, the 2 connections are on either 2 3750s in the same stack or a pair of 6500s running VSS. So I believe that in my case 2 seperate connections from the wlc to 2 non cisco switches will not work with LAG. Is my understanding of this correct?
Is there a way to maintain the 2 physical connections from the wlc to the 2 non cisco switches to maintain redundancy?The wlc will have a management interface obviously, but from what I have read, the 2 WLANs that are going to be created have to have their own interface on the WLC. Which I understand as the managment int and each of the 2 WLANs are on different subnets.
If I don't use a single uplink to one of the non cisco switches (either 1 or 2 physical connections) using LAG, it appears to me that each of the interfaces ( management, wlan1 and wlan2) need to have a physical connection from the WLC to the switch, with each interface mapped to a physical port on the WLC, so correct me please if I am wrong, but this would mean I need 3 physical connections between the wlc and the swtich?
After I've upgraded software to the v7.3 and applied AP-SSO it made imposible to access the controller's gui via Service-port. So we tried to access it by management-port, but there is some problem too. It is not working from another subnets. But default gateway on management vlan is set correctly and I even tried to turn of all acl's on switch. WLC is only accessible from the same network. But at the same time wlc is replying on ping fine.All other protocols cannot connect to the controller.
I'm trying to verify some behaviors I'm seeing with my 5508 controller setup, I've zero experience with this hardware and clueless on the best practices. With that said... out of the box I ran through the AutoInstall process.
I gave my service port an IP address on my subnet, 10.10.8.0/24 vlan 100 and gave the management interface the ip address 10.10.30.5/24 vlan 130
From my host I can ping the management interace 10.10.30.5 and the interface gateway 10.10.30.1 I cannot connect to the controller via 10.10.30.5 either through the web GUI or telnet I can connect to the controller via 10.10.8.200 both through the web interface and telnet while connected to the service port, I can ping the management port IP but I cannot ping the 10.10.30.1 gateway.
We have attached two test 3502I AP's and they found the controller and pulled correct ip addresses, clients can authenticate and access network resources as well as the Internet so for the most part, things are working but it concerns me that the management interface can't ping its own gateway.
I configure IP address on the management interface port 1 of 5508 controller when i connect it direct to my laptop i can't ping or access controller from my laptop even i connect through layer 2 switch still i can't not.
IP Address of management interface : 10.21.0.50 Laptop IP Address : 10.21.0,51
I have 2 x 5508 Wireless Controllers, 1 mgmt port on each as standard. I noticied something different between these controllers running the same code.I can bound a physical port to the mgmt interface on one controller but not the other (both interfaces are untagged)see below, this config appears on one controller but not the other? Is this something to do with the initial setup? How can I add Phyiscal information to the other controller mgmt interface, I cannot delete the mgmt interface. Physical InformationPort Number Backup Port Active Port Enable Dynamic AP Management?
Local DHCP (via the 5508) is for the guest network while the management and voice use the Windows DHCP server.
My problem, Voice and guest work fine. I have two SSID's (one 802.1X and the other PSK) that use the management interface that will not get an IP. I have enabled dhcp proxy from the cli on the controller. I tried with the management VLAN tagged and untagged.
I've got a new 5508 wireless lan controller and can ping the ip address of the management interface, but can't access the GUI at the management interface's ip address. I can access the GUI on the service-port interface. No static routes in the controller; trunk appears to be set up correctly.
My 5508 WLC which runs version 7.4 is configured as a DHCP server for the AP management and here's my problem: My AP can get to the address, and can ping the address of the WLC management，But my AP prompts the following log： [code]
In the switch dhcp we can use to do the WLC option43 specified address, but in this case how the address specified WLC, the AP can be registered up?
I have a 5508 wlc trunked to a 6500 switch. Also trunked to the switch on both eth0 and eth1 is the CAS. The CAM is connected with an access port.
The CAS and CAM are on seperate VLANs and the CAS was added to the CAM without issue. I followed the example document for OOB WLAN (VLANs and mapping etc) but I don't get any authentication going on. The client associates and the WLAN interface is the quarantine VLAN However it seems the client can connect to the network without issue (can web browse to a server internaly to the campus)
The client is shown in the wireless clients on the device page of the CAM, If i close down either of the CAS interfaces the client connectivity is broken.
Just once, randomly the Clean Access Login Page appeared on the client (battery had died and waited about an hour) but when I rebooted the CAS to check it was consistent it never came back.
I have follow below URL to disable the https over web authentication:
What i want to achieve is disable https over web authentication due to certificate issue, but it seems like even we have disable the http over web management as above URL describe, still https while doing web authentication. Or it is possible to configure use port other than 80, like 8080 for web authentication? (need to reboot the wlc?)Is there any bug that related to this CSCsy32145?
We have a 5508 WLC with a few WAP's (1131's and 1242's). Our wireless clients use certificate base authentication against our AD (i.e. both computer cert and user cert are required). However, from time to time I see clients being associated but not authenticated as reported by the WLC. Could it be possible, as some literatures indicate that a client can only be "associated" after it's successfully authenticated? Perhaps I'm not quite clear about the concept.
I have a 5508 controller running 7.4.100 and have a WLAN where I have radius configured. On my controller the client machine I'm using appears but the radius authentication doesn't appear to be working. Is there anything on the controller I can do to verify that the request is even being sent to my Microsoft IAS server? The log on the server doesn't show any requests from the controller so my early days guess is the controller isn't actually sending it.
We've recently boughten new equipment to upgrade/replace some of our aging wireless hardware. We're moving to a pair of 5508 controllers and changing over to ACS 5.4. Currently we're just doing MAC filtering with ACS 4.2 and local users. I'd like to move most of our SSIDs to some type of AD authentication. Are there any all encompassing guides that layout the design behind that? So far I haven't had much luck finding one!
Also, would it be possible to maintain some of the local ACS users/MAC filtering? We have some mechanical equipment that connects to our network (separate SSID) but cannot join a domain.
I having some troubles with Web Authentication in a WLC 5508 version 7.2 to make authentication with the corporative phones, ANDROID GingerBread 2.3.6 model SAMSUNG GT-S7500L. When I try to connect to the VisitorsWirelessLAN in order to authenticate with web authentication the page never comes, in fact the phone never gets the IP. I have an iPhone and I have not problems, I have a Samsung Galaxy S2 with ICS 4.0.1 and works perfect, is only with gingerbread
I've set up several local network users (Security > Local Net Users) on the WLC (5508 running 184.108.40.206). Whenever I try to connect with one of these user accounts (I'm testing this out for now), the attempt is unsuccessful and I see an "AAA Authentication Failure for UserName: xxxxxxx User Type: WLAN USER" in the Trap Log. I thought that after trying to authenticate through a RADIUS server, the local user database would be polled and then a user account in that database would be able to authenticate.
I'm a trainee in Network and Telecommunication, and I have to do a "model" with a controller, an AP, and a RADIUS server. Communication and configuration of the lightweight AP has been done.
I use an autonomous access point 1220 as the RADIUS server (no considering it as an AP), and I'm a beginner in RADIUS configuration. I get a "Processing AAA Error 'No Server' (-7) for mobile 00:24:d6:8f:2c:7e" when I launch a debug targetting my PC, connecting to the LAP.
Precursory : 10.137.125.71 is the IP address of the ap1220, working as the RADIUS server 10.137.125.15 is the IP address of the controller. 00:24:d6:8f:2c:7e is the MAC address of my PC, connecting to the Wi-Fi. ping works to the RADIUS, to the controller. Each devices are connected by a layer 3 Switch, and ping each others. The Wi-Fi works when I don't use 802.1X (or when I don't use RADIUS authentication at all)
What I did on the RADIUS server (ap1220 autonomous) :
aaa new-model radius-server local nas 10.137.125.15 key password
I have two WLC5508 controllers configured with multiple SSIDs and a VLAN associated to each of them. Now I am deploying a pilot for Web-Authentication and everything seems to be fine except for the LDAP authentication part. I have done all the steps for enabling anonymous bind on Active Directory (AD) and the configuration on the controller is properly in place. I know the configuration is working fine because I have isolated the problem to some sort of routing or communication problem:
AD is on Vlan 2 (Student Interface range)Each interface has its own IP in a different IP range.
If there is an IP address configured on the Vlan2 interface, LDAP wont work. If there isnt an IP address on the Vlan 2 Interface LDAP works!So you may think I just should not configure an IP for that particular Vlan, but if do this, the controller wont allow to associate any WLAN to that particular Vlan interface and unfortunately I am using it.
I think the Controller uses the Management interface to send traffic to the LDAP server and it gets confused of getting a reply from a device which belongs to the Vlan 2 Interface IP range (AD is on Vlan 2).
I know the controller is a Layer 2 device, so I am not sure why it should need an IP address to be configured for each interface, I read it is used just for roaming purposes but it seems to be somehow related to LDAP communication process as well.
The strange thing is that I can access the management interface IP from the Vlan 2 range and there is not problem at all.
Can we configure the wireless controller 5508 to authenticate the clients using both of MAC address Filtering (layer 2 security) and Web authentication (layer 3 security). and what is the difference between (Web policy --> authentication) and (Web policy --> on MAC filter failure)
Currently in the process of migrating from psk to 802.1x radius environment using a mix of 4400 and 5508 controllers with WCS using Microsoft ias. The problem I have is there is a lot of shared iPads and tablets in the environment. Is there a way to force these user to relogin to radius after a certain time period so they are not sharing unames and passwords?
Having issue with WLC 5508 using ACS 5.2 tacacs+ protocol to do device management.The problem statement is after key in the username and password on the WLC login page, it is endlessly prompt for authentication on WLC. Whilst on ACS monitoring and reporting i able to see it is successfully authenticated, shown at AAA protocol > TACACS+ Authentication.On ACS, the shell profile for this is setting role1 , value = ALL.
We just got a new 5508 wireless controller and the question we have is : can we get wireless users to authenticate to an Active Directory server to get access to the network? I know we can get the authentication done with an RSA server, but what about plain AD?