I am trying to setup EAP-TLS authentication for my wireless access points, but I can't sign my ACS certificate with my enterprise CA certificate.If I generate a self-signed certificate on the ACS server, and try to sign it on my CA, I get an ASN tag error. It looks like that is because the ACS server is not in the certificate path of the CA server.If I generate a certificate on the CA and try to import it into ACS, I get a "unable to parse certificate" error. Is there a way to edit the Certificate Trust List in 5.2? It looks like that was possible with 4.2, but not with the latest version.
If laptop/desktop goes on sleep mode or keep connected with interface configured for 802.1X for more than 12 hours it does not work or not connect to Exchange server, Cisco ISE console, office communicator..for re authentication i need to restart PC/ Laptop or unplug and replug lan cable from it!but before restarting i am able to ping all DNS, DHCP, OCS, everything..[code]
My boss just asked me if there was a way for him to move from point A to Point B with his wireless laptop and NOT have to reauthenticate at point B if I install another access point there. Right now I have us setup on a Cisco WAP4410N Access Point that works well when he's within range of the antenna. The point B location is upstairs and while it's only about 50-70 feet away from the Point A access point the signal he's getting there is very weak so he wants me to install another AP there.
IOW he wants to authenticate once at point A and when he walks up to point B he wants the laptop to pickup the newer hotter signal when I put another AP point in.
Installed a new 5508 WLC last week, and finished bringing 68 new 3602i access points online in our College Dorms. We are seeing a lot of "Client De-authenticated" errors "Reason: Unspecified Reason: Code 1. Years ago I asked about error code 1. The reply from Cisco was: "The programers put the code in. It basically means we don't know what the problem is."Got a call from one of the dorms stating that students were getting knocked off the network while going to sites. If a student is wired, network is solid.Walked the dorm in question and was getting full bars of signals at all times, and was able to stream a movie from my Ultraviolet account without any break or slowdown as I moved from access point to access point. So.. my device, an iPad, was fully mobile and did not experience any disconnects.Did observe one student using a MacBook Pro. This student was constantly loosing connection to the access point. Checked the controller for the MAC of the student's computer. I did find deauthentication errors. BUT... this student's error was the computer was receiving an IP address from the DHCP that was already in use. At the computer the error message was a timeout issue.I am just learning the ropes on the 5508. Have used 3 4404s for the past six years.
I have an existing setup of older 1242AG-E-K9 access points with Air-ANT-ANT5160 antennas connected to them. Goal is to replace old AP's with new AIR-LAP1262N-E-K9 model. Question is that can I use only one antenna per radio? Does it work? I know that N-standard requirement is 3 antennas per radio (3 x 2.4G and 3 x 5G) but we need only B/G to work. Plan is to re-use existing AIR-ANT-ANT5160's and order new AIR-ANT2506 antennas. Setup per AP would be 1 x 2.4G and 1 x 5G.
I need to configure WPA or WPA2 authentication on cisco 1042N access points. But I believe that for this requirement I need to have either an internal or external RADIUS server, but my customer want to just a normal WPA/WPA2 authentication like what we configure on cisco WAP200 or WAP4410 accesspoints, is there any work arounds to configure WPA/WPA2 authentication in a simpler manner rather than configuring RADIUS server option?
I am having some difficulties on finding information on how to setup two Cisco 1252 autonomous access points, via the command line. I am not having any luck finding steps on how to go about doing this and was curious if any one would be willing to give some insight. I am working on taking two of them setting one up as the root bridge and the other as non-root.
I recently bought 6 airo net 1041N standalone access points for a customer of mine. It's an academy of barely 200 students. I'll be installing an access point in every room, to ensure better signal, since they use video for there classes. The reason why i decided to install an access point in every room is because the walls are armed concrete and they had a terrible experience with a past company in which they spend a lot of money for a antenna system that didn't work.These access points will be connected to a switch, which I have to buy also.Every student is going to bring there own laptops in order to connect to the network.
The reason why I'm writing is because I have a few questions to clarify.
1) What is the best position for better signal, top side wall or corner ceiling?
2) How many client mac address filtering can i do per access point?
3)I plan on doing ESSID but can I mac filter clients to a particular access point or should I mac address filter all permitted devices in all access points. The problem is that students come with iPods and phones and as you know on windows they will be able to see the wpa2 key and enter it on the particular UN-authorized device.
4) Any graphic user interface for configuring these access points or do i have to use Cisco IOS(kind of familiar with it)? (I'm used to GUI)
5)How can I configure these access points, through Ethernet browser or do I have to use console port cable?
6)Do I have to use POE injector or can I connect the access points directly to the switch with PoE and QoS?
7)I was planning on buying a small business switch sg100 d-8 but they recommended me that I should use the catalyst 2960 series, which would be best for handling video data? don't have to be much features, just QoS.
8) Can CCp software be used in these access points?
I'm planning to create a network of wifi access points all in different locations. Those locations all have different wifi routers and networks. I'm looking for a easy solution that let easily setup those networks to ask authentication credentials (in a browser page, once a user is inside the wifi and wants access the internet) by an external server possibly without overloading too much that server.
I am having ACS 4.0.2 in my network, which I want to use for 802.1x Radius Authentication for Clients on PEAP-MSCHAPv2 methodology.As per the documentation " EAP Authentication with RADIUS Server", Doc ID: 44844.I have configured Network Configuration and populated AAA client IP range and Secret Key.
Question1: Under Authenticate Using option, there are various RADIUS flavors available for selection. For a Non Cisco AAA client, should I select RADIUS IETF?
Question 2: In the above snap shot, It has an option called Global Authentication Setup, where we can setup EAP configuration. Under PEAP subsection there is an option to "Allow EAP-MSCHAPv2" check box.After checking that, is a restart required to the ACS Server? Would it cause any disruptions to the existing services on the ACS?
I want to setup the ACS 5.1 for dot1x-Port authentication. I want to make a machine authentication against an AD-Domain and I got the following error Message:24435 Machine Groups retrieval from Active Directory succeeded
Is it possible to setup a Cisco 1200 AP with 802.1x to drop users into the corprate network if they have a certificate or if not to put them on the guest network?
We are setting up a new office and I am trying to get RADIUS setup for authentication to my switches and routers. Currently I am working on a 3750 running IOS 15 and getting hung on what I think on something small. I have attached my Microsoft NPS Network Policy. Below is my IOS config:
aaa group server radius corp-radius server 10.15.10.20 auth-port 1812 acct-port 1813 ! aaa authentication login default group corp-radius local aaa authentication login radius-localfallback group corp-radius enable aaa authorization exec default group radius
I would like to disable NAC policy control from my ACS 4.0.I would like only 802.1x AAA on my switch ports.Also I'd like to assign a different VLAN to different MAB devices by RADIUS user attribute, in order to differentiate vlan for printers, clocks and so on. Any document for ACS 4.0?
I am new to v5.3, and I am not good at VPN.I just have my consultant to configure this correctly just today. Currently, there is only one rule for the access policy (Single Result Selection). That rule is to use Active Directory as the source for the authentication. And by default will deny any other access which is not found in the rule.Now... I just got an order that I need to setup a new user who will need to access to our network by using Cisco IPSec VPN (the software one). But that user is not setup in our Active Directory, and we do not want him to access our domain anyway. He only needs to access non-domain resourse...such as airconditioning controller by IP. So I am thinking to setup his account by using "internal identtity". If I do this way, what do I need to do to setup another access policy? May you give me some steps with little more details? OR... if it is not the way I should do...what else can I do to achieve this goal? Also, he said he could provide his static IP trying to access from. I have a ASA 5520.
I am attempting to configure Radius authentication accross a site-to-site VPN for my ASA 5510-01 for remote access.
ASA5510-1 currently has a live site to site to ASA5510-2.
ASA 5510-1 - 10.192.0.253
ASA 5510-2 - 172.16.102.1
DC - 172.16.102.10
ASA5510-01 can ping the DC and vica versa but is unable to authticate when i perform a test. ASA5510-01 can authenticate to a DC on it;s own LAN but not on the remote LAN that DC sits on.
I have double checked the 'Server Secret Key' and ports as well as various users which all work locallly. ASA5510-02 authenticates to DC with no problems.
I am in the process of migrating from ACS 4.1.1.23 to ACS 5.4.I have migrated our users and Network Device Groups and configured external Identity stores like AD and RSA.I want to authenticate our Wireless users with AD and VPN users through RSA.I am unable to create policies to get this UP and working.
We have a Cisco ASA5505 here that provides DHCP and routing to all our devices in our network. We also have a few other switches and wireless access points connected directly to the back of the ASA5505.For the past year all the wireless network signals has been working fine however starting last month, none of the wireless access points (we have three WRT54G) would allow proper connection (dropping connection, slow internet).I thought this maybe all THREE wireless access points are toast/bricked. So i went out and bought brand new Netgear WN604 and even with the new WAP i'm having same connectivity issues (really slow internet).When hardwired directly to the switches we get BLAZING fast internet & connectivity, no issues.
I called CISCO TAC and they automatically said "our ASA5505 is fine, it has to be your wireless access points" not working properly. I explained to them that i also purchased two brand new access points and they are doing the samething now, how can that be?
I've had some long standing issues that I've tried various things to fix. I have two WAP4410N access points set up at a smaller sister company. Wireless clients (laptops) are not receiving DHCP assigned IP addresses. If I type in an IP manually, it works fine.The sister company has a point to point T-1 connection to our main building. Our main building has the DHCP server. The router on the sister company end is configured as the DHCP relay.
I've upgraded the firmware three different times in the past to hopefully resolve the issue, but no luck. Just today, on one of the WAP4410N's, I upgraded to the 2.0.6.1 firmware (backing up config, reset to factory default, upgraded firmware, reset factory default again, restored config). After the first reset to factory defaults, the Access Point itself picked up a DHCP address from the server, and I verified this in the DHCP console on the server, so I know that the DHCP relay is working. However, my laptop would not get a DHCP address when connecting wirelessly through that access point. It is a Windows 7 Enterprise laptop. I also could not get a DHCP IP with my iPhone connecting to wireless, to rule out specific issues with just a laptop.I have the DHCP lease times for the subnet that these WAP4410Ns are on set to 2 hours.
To put a cherry on top, there is one laptop that stays in a lab area at all times, connecting wirelessly, and it DOES get a DHCP IP address (I can see in the DHCP console that the lease for this laptop continually renews as needed). I do remember on initial config when I couldn't get it to work, that I did a manual set up, gained connection, then switched it to DHCP...but that doesn't work for any other laptop.Why would the access points get DHCP address, but not anything connecting to the Access Points?
Using WISM with 7.0.220 and 1240 and 3502 APs. Just found that some of our 3502 AP didn't enbale their clean air and CDP when installed. This only happened on a few new APs. But the area these APs where we seem to have had a few problems with PCs. The only PCs effected where Computer On Wheels (COWs), Dell 780 Desktop with a Cisco Wireless Card.
Using an interl wireless card and others in thes areas worked.Once I enabled the CDP and Clean Air, the COWs worked.My question is with the APs not having CDP enabled, could this affect the cisco wirelss card in the COWs?
At my school we have a lot of access points, but sometimes the computer use the wrong access point. How can I solve that? Is there a program for switching access point?
BTW the halls are next to each other.The house and the 3 halls are in the vicinity however not attached together(i.e. wall to wall). The distance between the house and the first hall is approx 1 road width distance.ISP is Virgin and the internet was installed this year hence has the latest Virgin Home Hub.I am aware that i probably require 3 wireless access points (1 for each hall).The first wireless access point will need to be connected with a RJ-45 cable running from Home Hub. Can i connect the Wireless access points up together or do they all need to come from the ADSL hub?I am not sure what Wireless access points would be best and how to go about connecting this all up
I have New Pace 4111n Wireless Router that I got from AT&T and is setup on 1st floor, but its wireless range does not get me to 2nd floor. I also have the 2Wire wireless router from AT&T. In Addition, I have ethernet connection from level 1 to level 2 as well.
I was wondering if it is possible to have the Pace Wireless N router to work as modem and wireless access point, at the time use the 2Wire router to broadcast wireless and act as access point for 2nd floor.
IF its doable, how should the two be configured and connected.
I am trying to deploy several AIR-CAP3502E-E-K9 access points from a cisco 5508 wire lan contoller running ver 7 code. However iam having difficulty registering the access points with the WLC. The wlc is connect to a 3650 switch, and each access point is connected to a 2960 switch. A bad update was not allowing the access points to get their correct firmware.
I am having an issue here. I have 2x 5508 that each have 100 AP license and a little under 200 access points. Basically all of the access points are using DNS to connect to the primary controller that has the DNS entry. Basically half of my access points need to be on the second controller and in order to do this I have been using the high availability mode of each access point to push them to the second controller IP address.It was working perfectly until now. I have pushed 28 access points to the second controller and the last two I need to push at this location just keep resetting on the primary controller. Neither controller is configured as master controller.
I need an Wireless Access Point.Two SSID simultaneously in different IP Rangeit is with a simple browser GUI to manage? (not console and controller)a distance of about 50 (we can place multiple APs)N speedDual BandWhich series meets the above requirements?It can also Wireless-N Gigabit Router as 4400N, but it does not support Dual Band.
I have access points deployed across several buildings that each have a different IP scheme and their own T1 line. Is it possible to configure the 5508 controller to allow these access points to use the IP scheme assigned for that particular building or will dhcp always assign an IP address to the connecting client based on the IP scheme of the building that the controller resides in?
I need an official document from Cisco saying the APs models supported by the WLC 5508. Specially, I need to know if the AIR-AP1242AG-T-K9, converted from standalone, will be supported by the 5508.
We have a couple of Access Points which are not registering with WLC 2500. I followed-up on the two LAPs in the dorm. They were cycling through red, amber, green, indicating they were trying to join the controller but could not.
Recently, we have changed our IP Schema for the Wireless Devices and I believe there is an IP Conflict between APs and WLC. Earlier APs were cofigured with Static IP Address assignment, thus they can't change their IP Address.
how to reset the Access Point? I know we can hard reset them by pressing the Mode button manually.
Is there another way via which this can be done witout removing the Access Points from their enclosures?
I have multiple cisco 1130ag access point at one of my clients villa. The issue I am facing is when moving throughout the buildingthe laptop and smartphones will not switch between AP’s unless it loses its connection with its existing AP then it will see the other AP that is closer and connect to it.
For example, I start at one end of the building where it connects to AP#1 , if I then slowly go to another section of the villa, it it will not switch over to AP#2 until the signal is lost from AP1
I have following settings
AP's are Cisco 1130AG Single SSID with WEP Security
Situation: I have a store where there is already installed an AP1042N. In the back of the building there is no wireless signal. I want to install a second access point to extend my range;
how to setup ACS 5.3 to authenticate wireless users over radius? I currently have the SSID pointing to a Microsoft IAS server and would like to move the authentication to be done via ACS.
