Cisco :: 5508 - Configure ACS To Allow 802.11 Phones To Authenticate?
May 19, 2011
I am trying to configure my ACS to allow 802.11 phones to authenticate. I have searched high and low for documentation on doing this with no luck. We are using unified wireless with a mix of 5508 and WiSM controllers. I am able to authenticate Windows devices against Active Directory via the ACS but can't seem to get anything working with the phones.
Aug 20, 2012
We deployed an L3 in-band scenario for wireless 2 years ago and the solution was working without any problem. We have upgraded the wireless controller to 5508; since then, when users log in to the first page and are certified, and they want to browse to the internet, NAC redirects the web page and asks for authentication again, despite the users' devices being shown as certified devices in the list.
Sep 8, 2011
I am transitioning from RADIUS auth to local auth and I don't want to hassle everyone to change in one hit. If I can get auth requests to look in the WLC local net DB first and, if not found, try RADIUS, then this is what I am after! You can easily do it with web auth but it doesn't seem so easy via the WPA2 method.
Sep 25, 2011
Having an issue with Cisco ACS v5.1.0.44 and the Cisco WLC 5508. Cannot get users to authenticate and keep getting error messages referring to EAP session timeouts from WLC filling our logs. Seems to be with this model WLC because we have Cisco 4400 WLCs pointing to the same ACS with no issues. Is there a bug or special configuration that is necessary to marry the 5508 with ACS v5.1.0.44?
Sep 23, 2012
I have an issue with two WLC 5508s in the same mobility group. We use TACACS to authenticate admins, with maximum privileges.
When I want to configure CleanAir, or some security functions (such as ACLs or password policies), I get an error message saying that my privileges are not enough. When I use a local account, it works well.
At the beginning, I thought it was a TACACS issue, but I have the same problem with WCS and SNMP. CleanAir doesn't appear in the config menu, and I get an error message for the security functions.
Dec 18, 2011
I have a question regarding the SFE2010P switch. I have 2 VLANs (data and voice) and we want to configure SPA502G IP phones. The question is how I can support 2 VLANs on the same switch port, like the Catalyst IOS switchport access vlan x and switchport voice vlan x. If I set up the switch with the voice VLAN as tagged, it doesn't work, but if I set up the voice VLAN as an untagged VLAN it works but the PC attached to the data port on the SPA502G doesn't work?
Sep 13, 2011
I am currently running Cisco (ACS 5.2.0.26.3) and attempting to get my Cisco 5508 WLCs (7.0.98.0) loaded into ACS for TACACS+ authentication for management users.
However I keep getting the following error:
*emWeb: Sep 14 14:44:45.931: %EMWEB-1-LOGIN_FAILED: ews_auth.c:2104 Login failed for the user:test_tac. Service-Type is not present or it doesn't allow READ/WRITE permission.
Now I've attempted the step-by-step using the following URL but to no avail (there are some slight differences in ACS 5.2).
[URL]
The latest WLC configuration guide I could find (Software Release 7.0 June 2010) isn't very useful either.
Apr 16, 2013
I have ACS 4 integrated with RSA 6.1, where users of ACS can authenticate their passwords with the RSA server. I am migrating users to ACS 5, and I want to integrate with RSA.
I am configuring RSA as “rsa secureID token servers”. But how should I configure the users on ACS to authenticate the password with RSA?
Previously on ACS 4, on the user page, in the password field, I select authenticate with external DB. Also, is there any guide for the config on the RSA 6.1 side (with ACS 5)?
Feb 15, 2012
I am having a problem setting up SGE2000P switches to work with my default data VLAN and an additional voice VLAN. I am configuring it to pick IP addresses for phones from the voice VLAN, which is working fine, but when I connect a PC on the phone port it is also picking up an IP from the voice VLAN while the default VLAN is data with a different scope of IPs.
I pack these switches and purchase ESW 500 series. I have ESW 500 at another client and they are working fine out of the box but this guy is giving me a hard time.
Jul 12, 2012
Our ISP has set up a Cisco 2431-16fxs IAD (dual WAN) in one of our locations. It is used to connect the devices (PCs and SIP phones) on our LAN to the internet (via 1st WAN port) and the ISP's MPLS-based VoIP network (via 2nd WAN port).
We have 2 LAN subnets - the first subnet (PCs) requires internet access only, so it goes out via the 1st WAN port. The 2nd subnet (SIP phones) is connected to the MPLS network (via 2nd WAN port).
We would like to have the SIP phones (that connect to the MPLS-based network 192.168.1.x) be able to access the internet. Is it possible to configure the IAD so that the phones are routed based on destination network; i.e. anything to 192.168.1.x via 2nd WAN port, anything else to the internet via the 1st WAN port?
Jan 4, 2012
I have a CUCM BE environment with a number of remote users with 8961 phones connecting to an ASA 5501 via AnyConnect. The phones register fine and can make inbound/outbound calls as well as four digit dialing to other users at the corporate site.
The problem is when a remote user tries to four digit dial another remote phone. The called phone will ring but there is dead air once answered and then the line goes dead.
This sounds like a routing issue to me. How do I get AnyConnect clients to be able to reach each other?
Sep 12, 2012
I am getting a little confused about the configuration of my second WLC. I have a project going on with a main office and 10 sites. I have placed my primary WLC 5508 with software 6.0, and in all the branches I deployed APs. I put all the APs in H-REAP mode and did VLAN mapping. I created groups based on location and put the APs inside those groups. All the sites seem to be working perfectly. Now I have to place my second WLC in another branch. I did all the initial configuration of my 2nd WLC.
But I am worried about how, if my primary WLC fails, the APs can be taken over by the second WLC. And if I put the primary IP and secondary IP under Wireless --> High Availability, do I again need to configure those WLANs, AP groups and everything in this WLC separately, or is there any option? If I need to create the groups, do I need to select the APs which are already added to the primary WLC groups?
Jun 9, 2012
Can we configure the 5508 wireless controller to authenticate the clients using both MAC address filtering (layer 2 security) and web authentication (layer 3 security)? And what is the difference between (Web policy --> authentication) and (Web policy --> on MAC filter failure)?
Jun 11, 2013
How are certain settings/config transferred across to the APs from the WLC, e.g. usernames and passwords, SNMP strings etc.? I assume this is when the AP joins the WLC. More to the topic of the original question I had in mind, is it possible, and if so how, to configure SNMP read and write strings from the WLC and push this config out to the APs? I can't believe someone will have to sit down (me) and SSH to 150+ APs per WLC to configure SNMP.
One of the buildings lost connectivity to the WLCs briefly a couple of days ago and all seemed to have lost their SNMP settings. Connectivity was restored, but I couldn't poll the APs. When I SSH'd on to a couple of APs and manually configured the snmp-server community xxxx ro, SNMP started working again. Since there are many, there must be an easier way of doing it. I've tried resetting the AP from the WLC and also powering down APs and bringing them back up.
Using WLC 5508 on 7.4.100
Using AP's 2602 on IOS 15.2(2)JB$
Dec 14, 2011
How to, for the most part, set up 802.1x via wireless. I'm using two 5508 WLCs, and Cisco ACS. I will set up the user account/password information via Cisco ACS and User Identity and Hosts. I know from the WLC 5508 web admin tool that I can choose 802.1x in the security parameters. I only have a few questions. We have two wireless networks, one is wide open and provides internet access, the other will provide internal access for select users. I am setting up 802.1x on the internal wireless LAN. Do I need to configure any 802.1 configuration commands on the switch in order for this to work, and if so, where would be the locations to do this? Also, is there a MAC isolation configuration option I can configure to not allow other hosts on this specific wireless network to communicate with each other?
Dec 13, 2011
I have been unable to get IPSec working between my WLC 5508 and a Server 2008 NPS RADIUS server. Any luck configuring this? I have opened tickets with both Microsoft and Cisco, but so far have not been able to configure it properly.
Jan 29, 2013
I'm trying to do configuration archiving in Prime Infrastructure 1.2 with a 5508 WLC (7.4). The job always fails (Admin -> Background Jobs) with the following error (see attachment): "SNMP: Failed to establish SNMP connection xxxx - Cause: Device is Unreachable. Check the ReadOnly community string." I double checked the SNMP credentials, they do match. For testing I also added a Public community just for the PI. Same result. Am I missing something? Is this not intended for Wireless Controllers?
Jul 19, 2011
I have 2 Cisco 5508 Wireless LAN Controllers. They are NOT connected to a WCS. Is there a way to configure the 5508s to send email notifications when an AP drops offline? If not, is this functionality available with either a WCS or the new NCS?
Apr 7, 2013
Is there any way to configure a wired guest network with a combination of 5508 and 2504 wireless controllers? I am aware that the 2504 does not have wired guest functionality; however, is it possible to set up a wired guest on the 5508 and, using mobility anchors, transmit the L2 information through EoIP to communicate with the remote VLAN? Home-built NAC solution, using 802.1x authentication on switchports for public areas. If the user is an employee, it communicates with the supplicant on their machine and places them on an internal VLAN. If the user is a guest, the user fails the 802.1x check and is placed on a "guest" VLAN with an ACL and external DNS. If placed on the guest VLAN, the user has to accept a terms of use form. This is working currently with our 5508s without any issue; however, we have some remote offices we'd like to roll this out to that are using 2504 controllers. I'm hoping there's a way that I can use the 5508 as an anchor or vice versa to make this work.
Mar 17, 2011
We replaced a WLC2106 with a WLC2112 and the 2112 can't authenticate anything. Both WLCs have the exact same configuration on them. We are using a RADIUS server to do MAC authentication. Both WLCs have been set to use no delimiter in the MAC filtering.
When the 2106 is in place, we have no issues and all allowed devices can authenticate without issue. However, when the 2106 is removed and the 2112 is powered up, every single device fails authentication and is put on the exclusion list. When we check RADIUS, it tells us the devices fail because they are locked. We unlock the device's account, and 5 minutes later the 2112 has screwed something up and they are locked again.
Jun 20, 2011
I'm trying to access my Gmail account from my IP Phone (Cisco IP Communicator, I don't have an actual device at the moment). The services work great (I tested berbee services and they work fine). I came across the Gmailcheck service. [URL] I downloaded all the files and added the "statusMsg.php" in my services list. Now when selecting Gmailcheck on the IP Communicator, it just shows the PHP code script: no interface, no Gmail...
So I'd like to know: how do I make this PHP script work? Or is there a better way to access my Gmail accounts?
Jun 14, 2011
I have a new install with 3 SF300 switches, set up as VLAN 2. The switch connected directly to the 2901 router has no problems: plug in a phone and it gets an IP. But phones connected to either of the two switches behind the first switch do not get an IP. I am seeing the DHCP request hitting the router, and the router sending the IP to the phone, but it never gets the IP.
*Jun 15 10:40:20.040: DHCPD: client's VPN is .
*Jun 15 10:40:20.040: DHCPD: Sending notification of DISCOVER:
*Jun 15 10:40:20.040: DHCPD: htype 1 chaddr 40f4.ecef.bded
[Code]....
All ports are setup as trunk on vlan 2 including the ports that connect the switches together. Not sure what the problem is, but they are going live tomorrow and only have 48 out of 120 phones.
Jun 22, 2012
why our PBX system would freeze up the phones. There is no real reason why this happens. We have the PBX on its own circuit board, so it's not sharing any power, and we only have about 200 phones on the system, so that is not the issue. It's properly cooled. It just seems to happen that our phones freeze, and when they start freezing it seems to happen in pairs.
Aug 30, 2012
Having an issue with Macbook authentication. All Macbooks at this one site, on same switch, going to same RADIUS server, work except for one. Looking at logs it appears server and client never exchange certificates. Attached is log for failed Macbook authentication.
Jan 30, 2013
I have been trying to set this up for like 4 hours. What a waste of time. This should be as easy as punching in the IP and password for the RADIUS server. It isn't. I have a brand new SG-300-10. LATEST firmware, I just updated it about 5 minutes ago. 1.2.7.6 I think. This is what I have done so far in the GUI: (I have CLI access too if necessary)
Security > RADIUS and entered my radius IP/secret there.
Security > Access Management Profiles > Create new template called ALL that permits access to all applications. Set it as active also.
Security > Management Access Authentication > For HTTP and SSH
I put RADIUS first then Local second. My RADIUS server works. As I type this message I am logging in via RADIUS with OpenBSD/CentOS, even Fedora. (If OpenBSD can do it, these switches can do it.) But whenever I try to log in with RADIUS credentials to my switch, I get no logs or any connectivity reports on my RADIUS server. Is the switch even attempting to contact the server? The logs don't show anything regarding RADIUS. I am trying a reboot now, but I don't think that should be necessary. Is there a step I missed? When first looking at this I expected it to be done in 5 minutes. I have been on this for like 4 hours. I simply want to log in to the administration console (web GUI) using RADIUS credentials.
May 24, 2011
I think I've got everything set up to authenticate against AD for TACACS+ device logins. When I check the logs, I see: "24408 User authentication against Active Directory failed since user has entered the wrong password". This leads me to believe that it is checking AD correctly; however, if I enter the password correctly for the same AD user, there is no log at all... no pass, no fail.
If I look at the TACACS debugs on the switch, I see the following:
May 25 10:55:07.927 CDT: TAC+: ver=192 id=874699084 received AUTHEN status = ERROR
May 25 10:55:09.932 CDT: TAC+: send abort reason=Unknown
Obviously the switch is communicating to ACS, and ACS is passing info back to the switch. ACS also appears to be communicating effectively with AD since it knows when I put in an incorrect password for the specific user.
Feb 14, 2012
I am trying to connect using OfficeExtend but couldn't. I have managed to connect the OfficeExtend AP to the DMZ WLC; however, I can't get the users to authenticate to the ACS (although there is a rule to access the access on ports 1813 and 1812). Should the DMZ WLC need the ACS servers (I thought they wouldn't be required as they are anchored back to the Internal WLC that the ACS server address
On a side note, I haven't created DHCP for the OfficeExtend users - will this cause an issue? (Just deciding whether to do it on the WLC or a Windows server.) In fact I can't even see myself authenticating on the ACS server.
Nov 17, 2011
If you have some clusters with +8000 phones, how would you plan a strategy to upgrade the firmware of all the phones?
If the 8000 phones are reset, the network BW could become a real mess. Besides, the CM could hang with so many TFTP downloads.
The approach is resetting phones in little sets, like ten phones at a time.
Mar 31, 2013
I have a problem with my Cisco 7961 phones not registering on my CUCM 8.6 install on ESXi 5. Weird, because I have Cisco IP Communicator phones that register with no problem. Do you guys know what I could be missing? I have restarted the CUCM and services multiple times. The phone log on my phones says it can't find DHCP and DNS unknown host, but my CUCM is configured by IP address. I also attached some screenshots.
May 13, 2012
I am working in a private IT company. The facility has 4000 users and it is a high-resiliency site with two core switches and nearly 40 access switches. All core and access switches are 4506E switches; odd VLANs take Core-1 and even VLANs take Core-2. We have Cisco IP phones 6921 connected in a daisy chain (the phone is connected to the access switch and the desktop is connected to the IP phone). The IP phones register to the Cisco Call Manager server. One leg of the Call Manager is connected to one core switch and the other to Core-2, the same as my DHCP server.
For all VLANs the default gateway is my firewall. The voice needs to hit the Call Manager, hence we have implemented source routing to the Call Manager for the voice VLANs. The problem is that once we bring down Core-1, some of the IP phones do not register, no matter whether they are on an odd or even VLAN. The same issue occurs for Core-2. We suspect that there might be some issue in the DHCP server for voice VLAN routing, but the server team is saying that there is no issue with the DHCP server. Now the network is vulnerable in that if any core switch is down my voice IP phones will be down.
Jun 5, 2009
I have some Catalyst 3560 PoE switches running the latest 12.2(50)SE1 image. I have a working configuration for STP, QoS, Voice & Access VLANs, Port-Security & IGMP snooping - I stress this is working PERFECTLY. Now I have been playing with wired 802.1x port authentication for a while which again I have successfully deployed on ports without IP Phones. I did some more testing with 802.1x clients behind some Cisco IP Phones and after understanding the issues and workarounds I thought I had a working environment. The environment is XP SP3 with the new separate wired 802.1x supplicant, workstations are all in a 2003 AD Domain and the wired 802.1x settings are configured through group policy. I had issues with Windows Server 2003 SP2 not working behind IP Phones but this I put down to the supplicant being different from the new one in XP SP3. MS don't have any plans for Server 2003 SP3 (or XP x64 SP3?) nor can I find any hotfixes to resolve this so it's a 'caveat'. Anyway I have tested this many times and with XP SP3 and the new supplicant it all seems to work well (only the access VLAN is using 802.1x Authentication, I am not authenticating the IP Phones via 802.1x).
Now today it stopped working and 802.1x clients behind the 7970 IP Phones no longer authenticate. I have spent an hour or so looking at this and the IOS is the same, as is the configuration on the IAS (Radius) server, as are the XP clients. I was scratching my head a bit and then looked at the IP Phone - the software on the phone has been upgraded to 8.5(2) - previously it was 8.4(4). I managed to downgrade the software via CUCM to 8.4(4) and it now works. I have retested it several times so this is obviously an issue (either a new feature or a bug?) with the latest code for the 7970. I have checked and it's the same codebase for all the latest IP Phones - 7906, 7911, 7931, 7941, 7942, 7945, 7961, 7962, 7965, 7970, 7971 & 7975 which was released on 1st June. I have looked through the release notes and EAP-FAST has been added but this is an update to the EAP supplicant on the phone and not a feature of the 802.1x pass-thru from the attached device. I can find no other 802.1x or EAP references.
May 29, 2011
PoE works fine with C 1131/1141 Access Points and the C-7975 IP phone, but PoE does not seem to work on 7960 Phones nor on the C-1121 Access Points.
All devices work properly with the Cisco power injectors or on a Cisco Cat-29XX switch.
Is there a trick to make PoE work for older devices?
Jul 14, 2011
I want to connect a 6911 IP Phone to an SG 300 switch. This is my scenario: VLAN 3 data, VLAN 9 voice, VLAN 10 admin. I have a trunk on port 10 of the SG 300 (VLAN 1 untagged, VLANs 3, 9, 10 tagged) and it is connected to a 3560 switch. This switch has all the L3 configuration of the VLANs and the SG 300 switch has an IP on the admin VLAN (10). Also I added the OUI of my IP phones and created an LLDP policy. Right now I have a 7941 IP Phone working but the 6911 is not working. I am using the new version 1.1.0.73 that supports CDP.
Also I noticed that even when my PC and IP phone receive IP addresses they cannot ping each other nor the SG 300. They can only ping the default gateway or IP addresses in different VLANs connected to the 3560 switch.