we updated our NAC appliances from 4.8.1 to 4.9 and have noticed that web authentication is no longer woking on Apple IOS devices. We had setup a user page for the MAC_ALL OS and iphones etc. were able to authenticate using thier browser ok. Now (after the upgrade) after they authenticate they receive the below warning.
There doens't seem to be any other config changes we can make for the IOS device.
Cisco Air 1131 AP. Having problems with Apple products. Even tried no security.
View 2 Replies View RelatedI have a small home network currently using a cisco 841 which is working great. Host a web site and Exchange plus all 10 computers access the net using Verizon FIOS all works. I can even VPN in to my newtwork remotely.I can only VPN using the Cisco client. I would like to use the Native Windows Client and Ipads and Iphones. I believe they use PPTP and the Cisco client is using IPSEC.Which Cisco router can I get that would support all the above?
View 14 Replies View RelatedI'm trying to test such 802.1x wired environment:windows xp sp3 as supplicant windows NPS as radius server 2960 as authenticator latest anyconnect (3.1.01065) + nam and standalone profile editor.I have a question: What is the difference between protected identity pattern and unprotected identity pattern (set in nam profile editor)? As I understand documentation PEAP-MSCHAPv2 is a tunneled method and it uses un- protected identity pattern to protect user's identity during phase 0. But if I use any fake identity here (anonymous, anonymous@[domain], etc) access is rejected (Access-Reject in switch debugs). I have to use exacly the same pattern in unprotected identity pattern as in protected identity pattern ([username] or [username]@[domain]) to gain access, regardless of authenticaton mode (same in machine only, user only authentication).
View 1 Replies View RelatedAll, I am the wireless administrator for a rather large school district in Oregon, and we are seeing numerous issues with iPad's connecting and staying connected to our lightweight AP's in an HREAP configuration. Our iPad carts have about 20 iPads a piece and an AIR-LAP1142 supporting them. We have no issues with getting non-Apple products to connect and stay connected, but for some reason the iPads are creating a major issue. We currently run 8 4400 WISM blades via two 6509's, running code 7.0.116.0.Our AP's are running 7.0.116.0 as their primary software and their IOS is 12.4(23c)JA2.
View 12 Replies View RelatedWe installed a DIR-615 Vers. E1 FV. 5.00NA and since then i-Pods and i-Pads keep dropping wi-fi connections. All wireless PC's and printers are working fine. We have configured the wireless as:Mixed 802.11 n,g and b. Auto channel csan enabled, using channel 6. Wireless security is WPA-Personnal. WPA is configured as Auto, TKIP and AES with a pre-shared key.
View 5 Replies View RelatedWe are using cisco 3502i AP's and 5508 controler. We have two SSID's. "SA Wireless" and "Guest Wireless". SA Wireless is WPA2 enterprise security and the "Guest Wireless" is open. The iPads will disconnect from "SA Wireless" and join "Guest Wireless" at random. Is there a way to force them to stay on "SA Wireless" and only change if you actually tell the iPad to change?
View 1 Replies View RelatedHere at work i am using 2 Cisco 1100 series Aironet (811G) (intalled in august 2005)
Product informations :
AIR-AP1121G-E-K9 Top Assembly Serial Number:FCZ0921V07A System Software Filename:c1100-k9w7-tar.123-4.JA System Software Version:12.3(4)JA Bootloader Version:12.3(2)JA3
All I-phones 4S OS6 are kind of loosing connection, if i am using google i will be able to use it once but never twices, the second time google will always time out, but the users are still able to receive and send their emails so the connection is still up.
On the manager i can see every Iphone, and everything seems to be ok, the "secutrity" is a simple 128bits wep key and i have a macadress filter activated and finally the SSID is not broadcasted.
The iphones are working smoothly with any modern wifi.So my questions are, is it a firmware problem? a configuration problem? or it is time to upgrade the hardware?
Ever since I started using iPads at the house I have had to reboot the router about once a week because the download speeds drops by approximately 90%. As soon as the reboot completes all is right with the world for about another week. During the course of the week, but not all at once, we will have 4 iPads, 3 iPhones, 2 laptops and one desktop(wired), a Verizon signal booster and house guests. I have updated the firmware.
View 1 Replies View RelatedAll the firmware is updated. This router will drop the connection with the devices every 30min to 1hr. The devices do not have any issues with other routers.
View 1 Replies View RelatedI have a small home LAN of four hard-wired PCs and two iPads and two notebooks which are connected by wireless. At the heart of it all is a Linksys X3000 wireless router. Any of the four PCs that are hard wired to the X3000 have no problems talking to each other but none of the wireless-attached iPads or notebooks are able to see any other machine on the network. All machines are able to access the Internet.
View 9 Replies View RelatedI have it set up as Capri (2.4 GHz) and CapriHD (5 GHz). CapriHD was intended only for HD video traffic. My wife's iphone 4S can only use 2.4 GHz, and it suddenly quit connecting after 1-2 months of use. My iphone 5 can use either band and it can only connect on 5 GHz. This problem MIGHT correspond to the recent firmware upgrade? I was traveling a lot around that time so can't be sure that is a culprit.Really thought the problem was the hardware, so I replaced it with a new EA6500 and getting the same result.
View 2 Replies View RelatedI work at a small private school that is going to implement about 20 ipads for classes. Students bring their ipods and iphones and are connecting to the existing unsecured wireless access points and are taking up the remaining IP addresses in the DHCP scope. I am running out of IP addresses and was wondering if I could set up a VLAN using the Cisco WRVS4400N for all of these wireless devices the students will be using. I plan to pull out all unsecured wireless AP's and replace with what ever solution we come up with. I will need about 6 access points/routers to cover the entire school. There is not a lot of money for technology and the ipods were donated. I have never set up a VLAN before. Is there an inexpensive way to allow the students with their personal ipads/ipods and the 20 ipads owned by the school to connect to a VLAN to keep from using up our DHCP IP addresses from the server.
View 1 Replies View RelatediPhones and iPad don't want to connect.
View 1 Replies View RelatedAll of us connect effortlessly to wifi via the EA3500. All of us, however, also have iPhones, and yet none of us can get on wifi with our iPhones. Apple insists the problem is on the Cisco side, not the Apple side, and I have to agree with them because all of the iPhones connect effortlessly to wifi everywhere else it is available. I tried contacting Cisco support, but they wound up telling me that if I paid them they might be able to assist, since the router is outside the warranty period. (I tried explaining to them that I didn't know about the extent of the problem until 10 days ago My wife simply uses her mac; none of my daughters lives here and only one of them had an iPhone until ten days ago when I purchased the other ones. But that was to no avail.) Why no one can get on wifi with iPhones when they can, simply and effortlessly, with the PC, the iPad, and their macs?
View 5 Replies View RelatedHave issue with iPhones and other smart phones being considered as excluded clients for the reason of Identity Theft? I am looking at one of my controllers and there are almost 680 excluded clients and most of them are smart phones and they are all being excluded for the same reason. It seems to be mostly iPhones but not all of the iPhones are experiencing the same behavior.
There is a mix of AP types (AP1010s, 1131s and 3502s) and also a mix of controller types (44XX and 3508). I have not been able to find any information to explain this behavior on the phone side and/or the wireless side.
We have a new RV100W Router. I would like to use it for iPhones,PC's, and MAC's to connect via IPSec (QuickVPN) or PTTP. Everytime I go to setup VPN, it tells me I must change to a 10.x.x.1 network. How can I use VPN without doing so?
View 6 Replies View RelatedI am having problems connecting to my wireless internet. We were getting a poor signal so we moved our router to our living room where we always are, but now we can't connect. We tried resetting everything, turned on and off several times. Went to the linksys wireless set up page, changed SSID and password. Still can't connect with the computer or our iphones. It shows our SSID is there but won't connect. My internet when plug directly to the computer works fine (I am using it now). My computer can connect to the router Linksys WRT54G, we just can't get it to connect to the wireless.
View 1 Replies View RelatedA customer of ours has the following access points and wireless lan controllers on site. They want to use the Apple Bonjour service with Apple TV's and iPads. I have enabled multicast feature of the 5508 globally and one the SSID.The Apple TV has an ethernet connection and the iPads connect over the wifi. The Apple tv is on the same subnet as the iPad's - the Bonjour features do work for approx 5/10 minutes then it stops working for some reason. The Access Points plug into a Cisco 2960 Layer 2 switch, the 5508 controllers plug are in LAG mode and plug into a Nortel Layer 3 stack which I have enabled IGMP snooping.I've read that the Apple Bonjour service isnt designed to work on a multi subnet network - but both the Apple TV and iPad are connected on the same subnet. Sounds like some kind of timeout but not too sure.
View 5 Replies View RelatedI got a question about ACS 5.3 and WLC We have now the ACS 5.3 running for MAB (good working) and TACAS for device AAA.But now our WLC’s will not work.I have created already a special “custom attribute” => role1 / mandatory / ALL Already changed to the combinations Role1=ALL / Role1=All / Role1=all / role1=ALL / role1=All / role1=all But still not working. I get a wrong response.
I followed the guideline in attach, PDF file.
Debug dump from WLC
ACS 5.2 / ACS 5.3
-------------------
*tplusTransportThread: Sep 28 15:07:59.222: auth_cont get_pass reply: pkt_length=24
*tplusTransportThread: Sep 28 15:07:59.222: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Sep 28 15:07:59.388: tplus response: type=1 seq_no=4 session_id=b1fddbfc length=6 encrypted=0
[code]....
I have Cisco ACS 4.2 since few days users can not change their password, what could be the issue? Even after resetting the password I got error.
View 3 Replies View RelatedI have a dot1x client with client certificate working well with my ACS 5.2 and EAP-TLS. Now I would like to configure the Re-Auth periode on the ACS 5.2, I did the following:
1. Configure a Access Profile with Reauthentication Timer = static and 30 seconds (see attachment ACS1.png and ACS2.png)
2. Enabled authentication periodic and authentication timer reauthenticate server on switchport
interface GigabitEthernet1/0/x
description to dot1x clients
switchport access vlan 5
switchport mode access
authentication event fail action authorize vlan 998
[code]....
I've got an issue with my ACS 5.1 implementation not updating any of the RADIUS or TACACS authz, authc, or acct records. Nothing is showing up, even though i've logged in via TACACS to several devices, and there are numerous wireless devices authenticated and online via RADIUS right now.
View 3 Replies View RelatedI have to created command set under "Policy Elements>Authorization and Permissions>Device Administration" for limited access user in ACS 5.3. Like i triyed to give them permission to only few show commands. I have set user priviledge 1, 7, 10 however either of the priviledge level user was able to run those commands. I works like the shell priviledge level.
View 1 Replies View RelatedWe have a Cisco Access Control Server (TACACS+ version 5.1) with an additional 2 port NIC card. This produces 4 ports on the ACS server(G0 through G3).After initial setup of the ACS server with an IP address on G0, I connected a Windows 7server with IE8 to G0. The ACS web interface appears (after accepting certificate) and Ientered some user accounts and NDGs.I then connected the ACS server to a configured port with port-security on our 6500switch. The port becomes err-disabled since the MAC address does not match up. It appearsthat the onboard NIC on the ACS server is bonded thus producing the MAC address issue.To fix this connection issue, on the ACS server, I cleared out G0 and setup G2 (additiional NIC card) with the IP address. After connecting to the 6500 switch, the ACS server port works fine. I removed the connection to the 6500 and connected the Windows server to the ACS.I can ping the ACS server but the web interface is now unavailable unlike before. I do not get a certificate warning on IE, it just states that internet not available. On ACS, the 'show' status of acs shows all the processes are running and initialized. It has got me stumped as all I did was change NIC configurationon the ACS server.
View 8 Replies View RelatedI configured multidomain on a Cisco 3650 port (12.2(53)SE1), and connected a 7941 Phone and laptop behind it. The phone gets successfully authenticated but the PC does not get fully connected. The PC adapter´s icon shows a "authentication error" message. The same PC, connected to another port (same commands except "authentication host-mode multi-domain") works perfect, including new VLAN and ACL assigned from ACS.
This is the configuration on the switch port where the PC chained to the phone fails:
interface FastEthernet0/6 switchport access vlan 701 switchport mode access switchport voice vlan 123 authentication event fail action next-method authentication event server dead action authorize vlan 704 authentication event no-response action authorize vlan 701 authentication host-mode multi-domain authentication open authentication port-control auto authentication periodic dot1x pae authenticator dot1x timeout tx-period 60 spanning-tree portfast
This is the configuration on the switch port where the PC without a phone works OK (exactly the same config, except for multidomain):
interface FastEthernet0/7 switchport access vlan 701 switchport mode access switchport voice vlan 123 authentication event fail action next-method authentication event server dead action authorize vlan 704 authentication event no-response action authorize vlan 701 authentication open authentication port-control auto authentication periodic dot1x pae authenticator dot1x timeout tx-period 60 spanning-tree portfast When the PC fails to get connected, I see the following messages on the switch:
Sep 17 18:36:18: %DOT1X-5-SUCCESS: Authentication successful for client (0023.aeb8.ce44) on Interface Fa0/6 AuditSessionID 0A01460A000000310080FDFCSep 17 18:36:18: %AUTHMGR-7-RESULT: Authentication
[Code].....
I have not managed to get the Monitoring to work on the ACS 5.1. This is an eval version. Advanced monitoring and reporting is installed on the ACS. This is my configuration on the Cisco Router
aaa accounting exec default start-stop group tacacs+aaa accounting commands 0 default start-stop group tacacs+aaa accounting commands 1 default start-stop group tacacs+aaa accounting commands 15 default start-stop group tacacs+aaa accounting connection default start-stop group tacacs+
logging origin-id iplogging facility sysloglogging source-interface GigabitEthernet1/1logging host 1.1.1.1 transport udp port 20514
logging monitor informational
epm logging
On the ACS, when I open the dashboard --> ACS health -> I get Status not available.Global Instance under Logging Categories been configured for local logging?
we are facing a strange problem with a Cisco Small Business SG 200-08 Switch (firmware release 1.0.1.0). When configuring the switch to act as a RADIUS Client with 802.1x port security enabled, it sends the “Account Name” attribute to the radius server with max. 32 characters. The string comes in this format: host/dns Host Name and will be cut after 32 characters which will cause the NPS to say: “The specified domain does not exist.” and NPS is right. When I reduce the hostname so that host/dnsHostName <= 32 characters, authentication is working fine. And by the way, we also have a SG 200-26 in production and it can handle more than 32 characters which lead me to think of a bug in the firmware of the SG 200-08.
View 1 Replies View RelatedI'm trying to configure a timeout for network connection, but when it suppose to disconnect client, it's not working. Is it possible to do this??
Only works when the client is connecting and is denied if the time is not valid. But how could I do this if the client is already connected, enable re-authentication?
I configure my Cisco ACS5.2 using Command set policy and providing Shell access 15.I allow user only “show * ” command.It works fine with Telnet. User Group cannot execute any command apart from “Show * ”But when I connect the device using Console user group has full permission on the devices.I believe Command set policy is not working on Console. Is it normal behavior or do I need to update some changes in ACS or Network devices ?
My network device configuration is as below :
tacacs-server host 10.x.x.x key test123
tacacs-server host 10.y.y.y key test123
tacacs-server timeout 1
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
[code].....
I have configured under Administration password policies about password lenght, items to be putted as number, letters and so on.on the second tab is the password expire for users and I configured to expire after 90 days.
I even tried creating a new user and changing a password from an existing user using Apache TOMCAT WAR,I have checked CLOCK of ACS appliance and setted up NTP on our internal NTP servers
even I create a new user or I change the password via Admin GUI or I change the user password via Apache TOMCAT WAR, I have the user being disabled in a few of minutes, half an hour.,As last, with CISCO AnyConnect is possible to warn the user about the password being expireing and if so, the change could be driven via AnyConnect or is absolutely needed a User Hand Task on the Apache TOMCAT portal I setted up with the ACS WAR application?
I have a cisco 3845 running 12.4(15)T10.
I can send a POD and disconnect my session. But when I try to send a COA, I always get back the same error. Here is the debug log:
*Sep 14 17:25:16.017: COA: 172.16.XX.XX request queued
*Sep 14 17:25:16.017: ++++++ CoA Attribute List ++++++
*Sep 14 17:25:16.017: 66F2DBEC 0 00000009 string-session-id(337) 8 0000007F
*Sep 14 17:25:16.017: 670B3394 0 00000009 sub-qos-policy-out(346) 11 POLICE-TEST
[code]....
C4948-10G switch running IOS 15.0(2)SG ?ACS 4.2 cannot authenticate on the vrf interface. The issue on vrf aaa authentication.
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication enable default group tacacs+ enable
[code]....
