Cisco :: Aironet 600 Can Remote LAN Interface Be Configured To Skip Authentication For IP

Feb 3, 2013

On an Aironet 600 AP (OfficeExtend) with the remote LAN interface configured to use 802.1x authentication: if a Cisco IP Phone is connected, 802.1x authentication challenges for credentials. The AP does not seem to have a way to detect that this is an IP Phone and to skip the challenge (as Cisco switches/routers would do). Is there any way around this? Can the remote LAN interface be configured to skip authentication for IP Phones and only authenticate PCs etc.?


Cisco VPN :: 851 - AAA Authentication - Not Configured

Jan 18, 2012

I have a Cisco 851, using CCP to configure Easy VPN.

I click on TEST VPN SERVER, then click Start; the status shows successful.

When I tried to connect a client I get mm_no_state.
 
When I reviewed the report from the test I found
 
AAA authentication : Not configured
 
My AAA
 
aaa new-model
!
!
aaa authentication login tgcsusers local
aaa authorization network tgcsvpn local(code)

Cisco AAA/Identity/Nac :: ACS 5.3 Configured Machine Authentication For A Windows 7

Aug 5, 2012

I am using ACS 5.3. I have successfully configured Machine Authentication for a Windows 7 laptop using EAP-TLS. The ACS is configured with an Active Directory external identity store where the Windows 7 laptop is configured as part of the domain. I'm pretty sure that the ACS was using the AD to authenticate the laptop's name because at first the authentications were failing because I had the Certificate Authentication Profile configured to look at an attribute in the client certificate that was empty. When I fixed that, the authentication succeeded.

I started doing some failure testing so I disconnected the Domain Controller from the network. Sure enough, the ACS shows the Active Directory external store is in the Disconnected State. I then went to my Windows 7 laptop and disconnected the wireless connection and connected it again, expecting it to fail because the AD is down. But it succeeded! My Win 7 laptop is accessing the network wirelessly through a Lightweight AP and 5508 WLC. The WLAN Session Timeout was set for 30 minutes. So even with the AD disconnected, every 30 minutes, the ACS log showed a successful EAP-TLS authentication. I then changed the WLAN Session Timeout to 2 hours 10 minutes. Same thing, every 2 hours 10 minutes, a successful EAP-TLS authentication. I really don't know how the authentications are succeeding when the AD is not even connected. Is there a cache in the ACS?

Cisco :: 2504 Configured One WLan With External Web-authentication

Jul 4, 2012

I have a Cisco WLC 2504. I configured one WLAN with external web authentication. The external web server is Apache on FreeBSD. When a user connects to the WLAN and opens a web browser, the WLC redirects the client to the external web page, where the client must input his credentials. When the client clicks the "submit" button on the external web auth page, the WLC initiates a RADIUS request to the RADIUS server. The RADIUS server (FreeRADIUS) is on the same server where Apache is running.

Sometimes, when the client enters credentials on the external page and clicks the "submit" button, the WLC suddenly redirects the client to the internal default auth page.

Cisco VPN :: ASA5510 Configured Remote Access To Allow Users Log In Via SSL VPN

Apr 12, 2011

We have a high availability pair of ASA 5510s in the Data Centre where we have configured remote access to allow users to log in via SSL VPN. Now we want to add further security to our environment, so we are adding endpoint assessment licenses. The question I have: would I need two sets of the license ASA-ADV-END-SEC?

I learned the hard way before with ASA SSL VPN licenses breaking another failover pair, as it needed identical licenses on both units! Will I need 2 separate license sets to keep my firewalls in a HA pair?

Cisco VPN :: Configured Remote-access VPN On ASA 5510 - Cannot Reach Network

Mar 14, 2011

I configured a remote-access vpn on an ASA 5510 version 8.3. This is the configuration [code]The vpn goes up and I get an ip address, but it's impossible to reach the internal network. [code]

Cisco :: Authentication With Aironet 1140

Aug 2, 2011

I've set up a Cisco Aironet 1301 AP to be used for a guest network. I've got several other of the Aironet 1140-series around the business but none of them are in reach of this one at the moment.
 
The problem I have is that clients that try to connect to the AP are either not able to connect at all or lose their connection after some seconds. The config is more or less copied from the other APs with the same guest VLAN.

Cisco :: Aironet 1260 Authentication Server

Sep 13, 2012

I have 3 Aironet 1260s with the same SSID, set with Open Authentication with MAC Authentication. Can I designate one of the 1260s as the MAC Authentication Server? I have all 3 now working with MAC Address Authenticated by Local List Only and have to put the new MAC address in all 3.

Cisco WAN :: 2811 HWIC Switch Cannot Be Configured As A Network Interface

Apr 14, 2012

I currently have a Cisco 2621 powering a network at our co-location facility. It's a simple setup and is working well. The colo provides a redundant HSRP uplink, so I have their two uplinks going into a Dell switch. From that Dell switch I have an uplink into FastEthernet0/0 on the 2621, configured with my routing network, and then FastEthernet0/1 gets an address from my block of routable IP. FastEthernet0/1 then plugs into another Dell switch where I have all my servers connected. The servers get public routable IP addresses and use the address on FastEthernet0/1 as their default gateway.

It's time to upgrade off the 2621, so I acquired a Cisco 2811 which has two FE interfaces, as well as a modular HWIC-4ESW switch. My question is, can I get rid of the Dell Switch A in the setup above and just use the internal switch on the 2811 to accomplish the same thing? And if I did this, would my two uplinks from the colo plug into ports 1 and 2 of that HWIC, and then port 3 would physically connect into FE 0/0? Or can I logically do that via configuration in the Cisco? I'm not sure how all this works and haven't received the new router yet, so I thought I'd get a head start and reach out to the experts.
 
My second question is unrelated, but each port on the HWIC switch cannot be configured as a network interface right? I'm pretty sure they can't as they aren't considered network interfaces but just thought I'd ask.

Cisco Wireless :: Radius Authentication With Aironet 1140?

Mar 28, 2012

I am trying to set up a 1141 Aironet AP to authenticate my users through our MS RADIUS server (Win 2008 R2). Everything is fine with the Small Business AP WAP4410N with the following configuration: But I can't successfully set up the Aironet 1141 with the same settings and get it to work. Here is my configuration for the Aironet 1141. VLAN 1 is the SSID I want to get working with RADIUS.

Cisco :: WAP Personal Authentication Of Aironet 1140 Not Work

Jun 3, 2012

I have a Cisco Aironet 1140 with SSID broadcasting enabled; encryption is WPA2 (personal). Ubuntu 12.04 and Windows 7 are authenticated, but MacBooks are never authenticated. Is there any specific configuration for MacBooks?

Cisco :: Wireless Authentication Without Encryption Aironet 1200

Aug 14, 2011

Is there a way to configure client/user to AP authentication without using encryption for joining a wireless network? What we need to do here is protect network access at our hotspots by enforcing a password to get connected. The other part is making it compatible with every possible device, so we need to have encryption off. We have a mixed environment at this time until everything is upgraded: Aironet 1200 series and some new Aironet 1142 models. No controller, all standalone APs.

Cisco Wireless :: How To Set Up User Authentication On Aironet 1200

Jan 22, 2013

I would like to be able to have a few "guest" users on the Wireless network for visitors. Is there any method to have a prompt for "Username / password"? I would like the user accounts to have different expiry periods if this is possible. My current config is attached. The SSID "test" appears on the network. The SSID "test111" does not appear.

Cisco Wireless :: Aironet 1142 With EAP Authentication But Why WEP For Encryption

Sep 14, 2012

I'm using the Express Security Set-up tab to configure an Aironet 1142 (stand-alone) access point with EAP.
 
Objective is to make it a RADIUS client and have laptops authenticate through this access point to a Windows 2008 NPS (Network Policy Server) using computer (machine) certificates - EAP-TLS.
 
When I select "EAP Authentication" under the "SSID Configuration" I was literally floored to see mention of WEP encryption (a security joke) and no possibility to prefer some variant of WPA (well, apparently not with EAP).
 
WPA2-Enterprise is what I've selected for "Authentication" and "AES" for encryption in Group Policy (so the laptop clients automatically connect to the access point).

WEP? I bought an Aironet 1142 access point for WEP encryption? How can I configure this securely?
 
These are currently configured settings as displayed under the "SSID Table" heading:
 
SSID - "MYSSID"
VLAN - none
Encryption - WEP Mandatory !!!

[Code].....

Cisco WAN :: Configured Policies To Shape Traffic On Interface Of 7206 Router?

May 1, 2012

I have configured policies to shape the traffic on the interface of a Cisco 7206 router. Now my management wants these policies to be time based, i.e. a policy should be applicable during a specified time period only. Is it possible? If yes, how do I configure it?

Cisco WAN :: 6500 Series Switch / Configured Port Channel On Both Switches With 2 Gig Interface

Jan 9, 2012

We have Cisco 6500 series switches and configured a port channel on both switches with 2 gig interfaces on both switches.

When we set the port channel mode to desirable on the interfaces on both sides and apply the port channel to the physical interfaces, the switch goes down, and if we remove it on either side the switch comes up. We have globally enabled the following commands. [code]

Cisco Wireless :: Aironet 2600 / WLC With Authentication Against Two Separate Active Directories?

Feb 22, 2013

I am evaluating a Cisco wireless solution for our building. The building is occupied by two separate but related companies, which share some basic network infrastructure (some switches, an Internet connection, a DMZ environment), but which have two completely separate "Windows networks" with separate Active Directories. Each of these two networks are placed behind separate Microsoft TMG firewalls, each of whose external NIC are connected to the same DMZ network.
 
a) Acquire a set of Aironet 2600 APs and a controller, b) establish a BYOD SSID to be shared between the two companies and guests, connected to the shared DMZ network, c) establish two additional separate SSIDs - one for each company's staff, each authenticating against the appropriate AD environment (incidentally, one is a straight Windows Server 2008 R2 environment with a TMG 2010 firewall and the other uses Windows Essential Business Server, so based on Windows Server 2008).

Is that even possible with a single WLC? We are on 3 floors and about 60 people total. I am thinking that we can make do with 5 or 6 APs. Without having looked into it much, the 2500 controller looks good. Agree?

Cisco Wireless :: Aironet 1240AG Error - Previous Authentication No Longer Valid

May 8, 2007

I am an IT professional that is installing my first extended range wireless AP in my company's warehouse. I am very excited!

Now I have set up many a Linksys and repeater wireless network, so when I was looking into the Aironet 1240AG I thought "No Problem!"
 
And at first, it is not!
 
I have the AP and antenna set up here in my office before I take it out and mount it in the warehouse. And I can get connected to it, no security for now, no filters, I just want to connect and make it work.
 
I stay connected for maybe 3 minutes, I can get to the internet, I can ping all my servers. Full connectivity. But then for no reason the connection fails and I cannot reconnect.
 
The error I get in the log is
 
Interface Dot11Radio0, Deauthenticating Station 0006.2510.bbe3 Reason: Previous authentication no longer valid
 
So strange! So I have reset the AP to factory defaults and then set the SSID, and I can connect, again for a second, then nothing.
 
I have tried with multiple wireless cards, even laptops. Thinking maybe the problem was on the computer side.

Cisco :: Aironet 600 Use One Port As Corporate Remote LAN

Aug 17, 2011

I need information about the Aironet 600 access point. I have a customer who wants to deploy a guest WLAN in branch offices with authentication through a centralized captive portal. I would like to use the OfficeExtend functionality with the Aironet 600 access point and a WLC 5508 or 2504 to centralize the traffic from all access points on the controller.

In those branch offices, there are a few "free access desktops" that need a copper link. I want those devices to also be authenticated by the captive portal, so I want to connect them to the four 10/100 ports of the access point. But it seems that we can only use one port as "corporate remote LAN"; the three others are just for "home LAN". Is that correct? Is there any solution to configure the four ports as remote LAN interfaces?

Cisco Wireless :: Can't Configure Aironet 1142N With Web Interface

Jan 17, 2013

I have a Cisco 1142N configured in autonomous mode. I'm running on: Cisco IOS Software, C1140 Software (C1140-K9W7-M), Version 15.2(2)JA, RELEASE SOFTWARE (fc1)

I can log on to the web interface but it won't show me the expected status information.

Cisco :: 5508 AP Configured As Rogue Detector And Configured Switch Port

Jul 21, 2011

I am testing rogue on wire using a 5508 WLC. I have a dedicated AP configured as rogue detector and configured the switch port where the rogue detector is connected as a trunk. I have plugged in an autonomous AP with open authentication to the same switch so that it can act as a rogue. On the WLC, I can see that autonomous AP as rogue on wire. But along with that I am seeing another AP as rogue on wire, even though I have plugged in only one autonomous AP to the switch.

Cisco Wireless :: Aironet AP1142 Dot11Radio0 Interface Reset

Jul 24, 2012

We have 4x AP1142 standalone APs in WDS mode with roaming and RADIUS from Windows AD for auth. Everything works as expected apart from two APs that frequently reset the Dot11Radio0 interface. The other two are fine.

The config on all APs is identical, and the version of IOS is the same across all APs (12.4(23c)JA3). The only way to get the reset interface back up is to "reload". [code]

Cisco :: Aironet 1130 AG Remote Office Connected To Data Centre Over MPLS

Sep 27, 2011

We have an Aironet 1130AG in a remote office connected to the data centre over MPLS. The RADIUS server is based on Server 2003. We have hundreds of these points set up exactly the same but this is the only one giving me issues. I even stripped the config and rebuilt it and then swapped it with a new access point.

The issue is that clients can't authenticate when connecting to the access point, but it provides nothing in event viewer. Checking the RADIUS server provides nothing either. The access point error logs just state station: authentication failed

On looking deeper into the problem I enabled RADIUS debugging on the access point and got some interesting results, in particular the line:
no sg in radius-timers: ctx 0x12EF0A4 sg 0x0000.
I can't find out what no SG in Radius-timers actually means, but after that line appears I just see more retransmits and no sg fails.

I inspected the packets on the RADIUS server and found lots of access requests coming from my access point and lots of access-challenges returning back from my RADIUS server - I'm not sure how often that's supposed to happen or if it's a one time occurrence. I did however see directly after the first access-request that the RADIUS server returns with UDP and is fragmented, length is 1514...... could this be the problem? If so, why can't it handle fragmented packets?

Cisco Wireless :: How To Enter Into Interface Configuration Mode On Aironet 1130AG

Mar 17, 2012

How can I enter into "interface configuration" on Aironet 1130AG, AIR-LAP1042N? When I put in the following commands: "enable", "conf t", "interface Dot11Radio1", it fails and I cannot enter into "interface configuration". How can I do this? The reason why I enter "conf t", "interface Dot11Radio1" is because I want to disable CDP via CLI (serial console).

Cisco Wireless :: Aironet 1140 - Unable To Connect Web Interface / Check Logs?

Feb 13, 2012

Our office has 4 Cisco Aironet 1140 access points mounted on the ceiling. They are all powered via PoE. Every few days 3 of the 4 access points hang and have to be rebooted. When they hang I am not able to connect to their web interface to check the logs. The fourth, for some reason, always seems to stay alive.
 
I checked the configuration for all APs and "Hot Standby" is disabled. They are all using static IP addresses. I've tried 2 different banks of static IP addresses and 3 of 4 still hang, so I don't think this is an IP conflict. I have saved the configurations and compared them and they are all identical, where possible.
 
They all have software version: 12.4(21a)JA1

They all have bootloader version: 12.4(23c)JA1
 
I have tried to download the latest software/firmware, but unfortunately I do not have a valid service contract in place with Cisco and therefore can't download the latest version. All of our CISCO hardware was purchased from Amazon resellers but no luck. I have also tried to contact Cisco and they can't seem to assist either. How I can get a valid service contract that information would also be very useful!!!
 
why 3 of our 4 access points would hang? When they hang, I can't login to the web interface and the logs seem to reset when I reset each access point. I have also set up an rsyslog server and I don't see a log entry that would indicate a problem.

Cisco Firewall :: 5540 - Remote VPN Authentication Fail?

Mar 15, 2011

What would be the change on the configuration of remote access VPN on ASA 5540?
  
4|Mar 16 2011|15:26:01|713903|||Group = tesTGroup, Username = GSDc2gsIdc, IP = 5.1.9.9, Error: Unable to remove PeerTblEntry
3|Mar 16 2011|15:26:01|713902|||Group = tesTGroup, Username = GSDc2gsIdc, IP = 5.1.9.9,

[Code].....

Cisco Firewall :: Web Authentication On Layer 3 Interface With Cat 3750

Sep 12, 2012

Cisco 3750 with IP Service Image 12.2.55, Trying to enable Web Authentication on Layer 3 interface:
 
!
ip auth-proxy name bp_auth_proxy http inactivity-time 60
!
interface GigabitEthernet1/0/5
no switchport
ip address 192.168.1.27 255.255.255.0
ip access-group 101 in

Cisco Switching/Routing :: 4506 - Show Authentication Session On Interface

May 17, 2012

I'm dealing with a 4506 switch where, when I try to apply "sh auth sess int xx", I get "Invalid Input Detected" ... Is there any way that I can get the authenticated session over a port even if I can't apply "sh auth sess int"?

AAA/Identity/Nac :: Cat4500e ISE Support On Third Party Switch Doing 802.1x Authentication On Interface

Jun 8, 2013

How does ISE support a third party LAN switch, if the requirement is doing 802.1X based FlexAuth? Refer to the diagram I attached; 01 topology.png

Concern 1: if the 3com switch has the 802.1X feature, but still without the full feature set to support FlexAuth, policy enforcement, DACL etc. In this kind of situation, will the user still be able to authenticate (using method PEAP-MSCHAP v2), but authorization just grants permit any any?

Concern 2: Can I assume I authenticated the 3com switch using MAB? But this will cause endpoints with no 802.1X, am I right?

Concern 3: Cisco switch C4507-E, loaded with IOS version Cat4500e-UNIVERSALK9-M, version 03.04 and Supervisor Engine: WS-X45-SUP7-E. Is this platform supported in Cisco TrustSec?

Cisco :: Remote Vpn Client To Router With Cellular Interface?

Apr 28, 2011

I'm having extreme issues in getting my VPN client to connect to a Cisco router with a hwic-3g-hspa cellular interface.

I have tested the config remotely by traversing the tunnel I have set up with a Cisco VPN client and the client does connect, however when out on the road it doesn't respond. I'm literally hitting my head against a brick here; everything just seems right and I can't explain it.

I have done debugs and there is no sign of life. It's as though when the VPN client connects to the router it's not responding. Anyway, here is my config, for the VPN client's part that is.

aaa new-model
!
!
aaa group server radius vpn-client-server-group-1

[Code].....

Cisco VPN :: ASA 5505 - Changing Outside Interface IP Breaks Remote VPN

Aug 17, 2011

I have an ASA 5505 running 8.2
 
I used the ASDM wizard (6.3) to set up a remote VPN. After slightly adjusting the wizard's configuration the VPN is working well.

Now I need to change the Outside interface's IP address. When I do that the VPN no longer works. If I change it back to the original value the VPN works again.

What configuration changes do I have to make regarding the remote VPN after changing the outside interface's IP address?

Cisco Firewall :: 5510 Remote Access VPN / Change The Outside Interface IP

Dec 19, 2012

I have a Cisco 5510 which has remote access VPN configured. Now I have a new block of IP addresses. Is there a way I can just change the outside interface IP so that people can remote in without doing anything else? Or could I be taught to create a new one? Or what is the best way to approach this issue? For example: it was 67.64.x.x, now I need to change to 64.44.x.x.

Cisco VPN :: Configure ASA 5510 Remote Access For 2nd Public Interface?

Jun 4, 2013

Our ASA 5510 was configured with a public interface, a DMZ interface, and a private interface. I have a remote access VPN using AnyConnect client and LDAP authentication for Active Directory. We are changing ISP (groan!), which means all new public IP addresses. The new circuit is installed, so I have a second public interface (same security level as the first public interface, wholly different IP address range) enabled on the ASA. I hope to transition whatever I can, which means get the VPN access through either public interface. Can I just enable client access on the second public interface at the Anyconnect Connection Profiles tab in ASDM? That seems too simple. Can they share the one address pool?

Copyrights 2005-15 www.BigResource.com, All rights reserved