Cisco AAA/Identity/Nac :: Endless Prompt For Authentication On WLC 5508
Jan 9, 2012
Having issue with WLC 5508 using ACS 5.2 tacacs+ protocol to do device management.The problem statement is after key in the username and password on the WLC login page, it is endlessly prompt for authentication on WLC. Whilst on ACS monitoring and reporting i able to see it is successfully authenticated, shown at AAA protocol > TACACS+ Authentication.On ACS, the shell profile for this is setting role1 , value = ALL.
I installed NGS 2.0.2 for wireless guest user management and authentication. I implement webauth via webauth page on wlc deployed.One Branch with a WLC5508 version 7.0 wireless anchor controller is working on the NGS.But now I integrate next branch with WLC4402 version 6.0.188 and the authentication of users at the new branch gets an error, wrong user/password.
I double checked configuration and user/password but I can't find any configuration error. Also stopping and starting of radius service and reboot of NGS still does not work. I tried to debug the radius via web interface and watched for the loggfile and there is still a reject.I also tried the freeradius command radiusd -X but I got an error when starting the radiusd -X.
1.) How can I figure out, if I will get the correct password from my WLC ? Are there any debug options to see more ? e.g. some cli commands, radiustest utilities or how to get the received password from the chap challenge of the debug ?
2.) I have appended a part from my radius loggfile. How can I find the detailed error in the radius log file? Is it correct that the password in the debug file is empty ? raiuds logg line "[radius-user-auth] expand: %{User-Password} -> "
I'm trying to configure WLAN authentication on my WCS to prompt users about their credentials.I'm using a Windows 2008 NPS as Radius server but I can also use a Cisco ACS 3.3 if needed.With each setup I tried, the credentials are sent automatically to the Radius server using the Windows user session credentials.How can I force the WCS to ask for a username and password before sending them to the Radius Server ?
I am having a ASR 1002 V 12.2(33)XND2t which is running on Tacas?I want when i login it shoudl directly go into the # prompt. I am not interested in typing enable on > prompt.
The configs are:
aa new-model aaa authentication login default group tacacs+ local aaa authentication enable default none !aaa authorization console !aaa authorization config-commands
I configured before ACS v4.2 to authenticate network devices using internal users at first, and if the user is not found use AD list users. But with v5.3 I have some problems doing this, on identity policies I use rule based result selection option, I configured 2 polices for Identity source, one for Internal Users and other policy for AD user, but it only works with the first policy, internal users or AD, but works only for the first policy identity. how to do that, if the user is not found on first policy, continue to the next policy.
I need a specify users to allow access to particular devices and give privilege only for show command or show run. Here is how I tried to configured.
1. Configured two seperate Shell Profile and Command set with privilege level 4-5 and allowing only show run command
2. create seperate service selection rule with adding the require NDG and protocol TACACS and maching service "RestrictAccess"
3. In the RestrictAccess Service I have following configured; Identity: internal users, Group Mapping to a particular group where the user exists, authorization: matching the above created identity group, NDG, shell profile, command sets
All the steps are attached in the .doc file. However when I tried with the particular user he is able to access everything and he is not hitting the correct access rule.
I have a 5508 wlc trunked to a 6500 switch. Also trunked to the switch on both eth0 and eth1 is the CAS. The CAM is connected with an access port.
The CAS and CAM are on seperate VLANs and the CAS was added to the CAM without issue. I followed the example document for OOB WLAN (VLANs and mapping etc) but I don't get any authentication going on. The client associates and the WLAN interface is the quarantine VLAN However it seems the client can connect to the network without issue (can web browse to a server internaly to the campus)
The client is shown in the wireless clients on the device page of the CAM, If i close down either of the CAS interfaces the client connectivity is broken.
Just once, randomly the Clean Access Login Page appeared on the client (battery had died and waited about an hour) but when I rebooted the CAS to check it was consistent it never came back.
I'm setting up a new 5508 WLC (the first wlc I have ever setup) and I have my WLAN setup with our existing WPA/TKIP ssid for transitioning our clients from our existing autonomous system to the wlc. I have selected PSK as the key mgmt and I can get the client's to connect for a few minutes but I keep seeing these errors:
Fri Aug 21 08:50:05 2009 Client Excluded: MACAddress:00:21:00:f9:dd:50 Base Radio MAC :00:23:eb:27:e3:b0 Slot: 1 User Name: unknown Ip Address: unknown Reason:802.1x Authentication failed 3 times. ReasonCode: 4
I don't have nor do I want 802.1x enabled. Is there something I need to disable either on the client or the controller?
I have follow below URL to disable the https over web authentication:
[URL]
What i want to achieve is disable https over web authentication due to certificate issue, but it seems like even we have disable the http over web management as above URL describe, still https while doing web authentication. Or it is possible to configure use port other than 80, like 8080 for web authentication? (need to reboot the wlc?)Is there any bug that related to this CSCsy32145?
We have a 5508 WLC with a few WAP's (1131's and 1242's). Our wireless clients use certificate base authentication against our AD (i.e. both computer cert and user cert are required). However, from time to time I see clients being associated but not authenticated as reported by the WLC. Could it be possible, as some literatures indicate that a client can only be "associated" after it's successfully authenticated? Perhaps I'm not quite clear about the concept.
I have a 5508 controller running 7.4.100 and have a WLAN where I have radius configured. On my controller the client machine I'm using appears but the radius authentication doesn't appear to be working. Is there anything on the controller I can do to verify that the request is even being sent to my Microsoft IAS server? The log on the server doesn't show any requests from the controller so my early days guess is the controller isn't actually sending it.
We've recently boughten new equipment to upgrade/replace some of our aging wireless hardware. We're moving to a pair of 5508 controllers and changing over to ACS 5.4. Currently we're just doing MAC filtering with ACS 4.2 and local users. I'd like to move most of our SSIDs to some type of AD authentication. Are there any all encompassing guides that layout the design behind that? So far I haven't had much luck finding one!
Also, would it be possible to maintain some of the local ACS users/MAC filtering? We have some mechanical equipment that connects to our network (separate SSID) but cannot join a domain.
I having some troubles with Web Authentication in a WLC 5508 version 7.2 to make authentication with the corporative phones, ANDROID GingerBread 2.3.6 model SAMSUNG GT-S7500L. When I try to connect to the VisitorsWirelessLAN in order to authenticate with web authentication the page never comes, in fact the phone never gets the IP. I have an iPhone and I have not problems, I have a Samsung Galaxy S2 with ICS 4.0.1 and works perfect, is only with gingerbread
I've set up several local network users (Security > Local Net Users) on the WLC (5508 running 7.0.98.0). Whenever I try to connect with one of these user accounts (I'm testing this out for now), the attempt is unsuccessful and I see an "AAA Authentication Failure for UserName: xxxxxxx User Type: WLAN USER" in the Trap Log. I thought that after trying to authenticate through a RADIUS server, the local user database would be polled and then a user account in that database would be able to authenticate.
I'm a trainee in Network and Telecommunication, and I have to do a "model" with a controller, an AP, and a RADIUS server. Communication and configuration of the lightweight AP has been done.
I use an autonomous access point 1220 as the RADIUS server (no considering it as an AP), and I'm a beginner in RADIUS configuration. I get a "Processing AAA Error 'No Server' (-7) for mobile 00:24:d6:8f:2c:7e" when I launch a debug targetting my PC, connecting to the LAP.
Precursory : 10.137.125.71 is the IP address of the ap1220, working as the RADIUS server 10.137.125.15 is the IP address of the controller. 00:24:d6:8f:2c:7e is the MAC address of my PC, connecting to the Wi-Fi. ping works to the RADIUS, to the controller. Each devices are connected by a layer 3 Switch, and ping each others. The Wi-Fi works when I don't use 802.1X (or when I don't use RADIUS authentication at all)
What I did on the RADIUS server (ap1220 autonomous) :
aaa new-model radius-server local nas 10.137.125.15 key password
I have two WLC5508 controllers configured with multiple SSIDs and a VLAN associated to each of them. Now I am deploying a pilot for Web-Authentication and everything seems to be fine except for the LDAP authentication part. I have done all the steps for enabling anonymous bind on Active Directory (AD) and the configuration on the controller is properly in place. I know the configuration is working fine because I have isolated the problem to some sort of routing or communication problem:
AD is on Vlan 2 (Student Interface range)Each interface has its own IP in a different IP range.
If there is an IP address configured on the Vlan2 interface, LDAP wont work. If there isnt an IP address on the Vlan 2 Interface LDAP works!So you may think I just should not configure an IP for that particular Vlan, but if do this, the controller wont allow to associate any WLAN to that particular Vlan interface and unfortunately I am using it.
I think the Controller uses the Management interface to send traffic to the LDAP server and it gets confused of getting a reply from a device which belongs to the Vlan 2 Interface IP range (AD is on Vlan 2).
I know the controller is a Layer 2 device, so I am not sure why it should need an IP address to be configured for each interface, I read it is used just for roaming purposes but it seems to be somehow related to LDAP communication process as well.
The strange thing is that I can access the management interface IP from the Vlan 2 range and there is not problem at all.
Can we configure the wireless controller 5508 to authenticate the clients using both of MAC address Filtering (layer 2 security) and Web authentication (layer 3 security). and what is the difference between (Web policy --> authentication) and (Web policy --> on MAC filter failure)
Currently in the process of migrating from psk to 802.1x radius environment using a mix of 4400 and 5508 controllers with WCS using Microsoft ias. The problem I have is there is a lot of shared iPads and tablets in the environment. Is there a way to force these user to relogin to radius after a certain time period so they are not sharing unames and passwords?
We just got a new 5508 wireless controller and the question we have is : can we get wireless users to authenticate to an Active Directory server to get access to the network? I know we can get the authentication done with an RSA server, but what about plain AD?
I am configuring my 5508 WLCs with SW version 7.0.116.0. I configured a guest ssid with web-authentication enabled, but I cannot retrieve the login page on the controller. I configured the virtual interface with the addredd 1.1.1.1 SSID Layer 2 security: None SSID Layer 3 security: Web Policy enabled
I join the ssid with clients, receive the IP address correctly however when I try to open a web page, the login page does not appear. When I check the client status I see that it stuck in WEBAUTH_REQD state.
We are using WLC-5508 in our corporate. For authenication we have implemented ACS with LDAP configured as external user database. We can able to get authenicated for Web based authenication. When it is configured for EAP-FAST, authenitication is not happening.
web authenticate users within a specific Active Directory Security Group. I tried to authenticate over Radius with Cisco Secure ACS and Network Access Restrictions. But NAR only works with Layer 2 authentication. And Web Authentication over LDAP can only be used with User Objects.
I'm working on a project where a wi-fi client is tracked and located using RADIUS authentication requests. The problem I'm running into is that the WLC (5508) sends an RADIUS authentication request to my freeradiusd, which is ok so far, but if the client roams to another accesspoint (3602AG, 1131AG, 1252AG), the WLC does not send a further RADIUS auth. request - and the client is allowed to connect to the next ap.Is there an option like RADIUS-cache which I can disable, so that the WLC sends everytime an authentication request when a client tries to connect to an ap or roams from one ap to another one?
WLC 5508: software version 7.0.98.0 Windows 7 Client Radius Server: Fedora Core 13 / Freeradius with LDAP storage backend
I have followed the guide at URL with respective to building the LDAP and free radius server. 802.1x authorization and authenication correctly work. The session keys are returned from the radius server and the wlc send the appropriate information for the client to generate the WEP key.
However, the WLC does not override the VLAN assignment, even though I was to believe I set everything up correctly. From the packet capture, you can see that verfication of client is authorized to use the WLAN returns the needed attributes:
I am setting up a WIFI network with a Cisco 5508 controller. I want to configure a first WIFI network (WIFI1) that will authenticate my business laptop based on the AD computer accounts and will access my corporate network.I want to setup a second WIFI network (WIFI2) that will authenticate my phones and tablets devices with AD user accounts and will be on a separate vlan with only access to the Internet.I created 2 policies on the Radius server : one that authenticate computers coming from wireless and a second one authenticating users coming from wireless.
if a user manually creates the WIFI1 network on his phone and enter his AD username, he is going to have access to the corporate network. I would like to be able to say that when a request is coming from WIFI1, only the policy for authenticating wireless devices with computer accounts will apply and the second policy authenticating user wouldn't apply.
I have two 5508, no anchor, only one SSID with internal web authentication using radius server.Under "Configuring Mobility Groups", Cisco guide says: "If a client roams in web authentication state, the client is considered as a new client on another controller instead of considering it as a mobile client".
I understand that if a client that has already autheticated via web roams between two LAPs that are associated with different WLCs, it has to reathenticate.
I have to WLC's a 4402 and 5508 in a mobilty group. they are both running 7.0.116.0. They are configured to use Web Authentication. We are having complaints that Users are having to re-authenticate when moving around the office. My theory is they are moving from one WLC to the other and then requiring to re-authenticate.
I need to configure EAP-FAST without certificate and authenticate to the corporate Microsoft AD database, Do I need a Cisco ACS server in the middle to forward the authentication to the AD? Or I can do the authentication to the AD directly? I am using a WLC5508.
I have looked through the forum and think that I have found the answer to my question but I just need confirmation of my thoughts. We are using a 5508 W LAN controller running software ver 7.2.110.0 and LAP 1142n AP's.
What I would like to do is to configure multiple guest W LAN for each of our regional offices. Each of these W LAN needs to be configured with a Web Authentication page relevant to the office location. My question is this, can I have a Web Authentication page for each location or just 2, the default internal page and 1 customized page?
