I am using web authentication with my Wlc 5508 and I would like to check all users currently connected (ip, login used, MAC address, ...) with SNMP.
I am using an external web server and my client are authenticated with ldap.
I know I can receive these information with traps, but I would like to create a short program which will check all users when I click on a button.
I have 2 ASA 5520 (v. 8.21) in a active/standby fail over configuration.
VPN users are autenticated against the MS-AD through LDAP. For the most part this works well. Occasionally I'm having problems with new users in the AD. If I run a test I keep getting "User was not found". This can happen days after the account was created still. In some cases it never seems to work. The accounts I create exists on the same OU level as all the other accounts that are working.
Is it possible to configure WLC so that only one user can connect to wireless network at a time with one login? We have WLC5508 (7.2.103.0) web authentication with LDAP (Active Directory).
View 2 Replies View RelatedI have an ASA 5510 with IOS 8.4. I want that only authenticated active directory users can pass the firewall.
View 3 Replies View RelatedI work on a college campus that has thousands of students a day accessing our wireless network. We have broadcast SSID that the students use to connect to the internet. The students usually have more than one WiFi enable device on them and their laptops and phones both take an IP address, but they are only using the laptop to authenticate while the phone is associted, but not authenticated. In the meantime, I have several thousand IPs being used by their phones/iPods etc. Is there a way to revoke the DHCP lease if the client does not authenticate within a specified time frame (i.e. 10 minutes)?
View 3 Replies View Related how snmp monitoring works when we have WLC in the networking.Before the WLC 5508 instalation, we had the Nagios monitoring each Access Point in the networking. Today, the Nagios still monitoring the networking, but the Nagios cannot get the same information of the APs (CPU, status interface, memory, etc).Now, the WLC controls each AP, the IP address, netmask, community (of all AP) are the same before the WLC instalation. I have tried to configure the SNMP information in Management>>SNMP>>Communities, but these configuration are from WLC and not from each AP.
How can I configure the SNMP setting in my AP to still use the Nagios to monitoring the networking?
How are certain settings/config transfered across to the AP's from the WLC, e.g. username and passwords, snmp strings etc.... I assume this is when the AP joins the WLC.More to the topic of the original question I had in mind, is it possible and if so, how? - to configure snmp read and write string from the WLC and push this config out to AP's. I can't believe someone will have to sit down (me) and SSH to 150+ AP's per WLC to configure SNMP.
One of the buildings lost connectivity to the WLC's breifly a couple of days ago and all seemed to have lost their SNMP settings. Connectivity was restored, but couldnt poll the APs. When I SSH'd on to a couple of AP's, and manually configured the snmp-server community xxxx ro - SNMP started working again. Since there are many, there must be an easier way of doing it.I've tried resetting the AP from the WLC and also powering down AP's and bringing them back up.
Using WLC 5508 on 7.4.100
Using AP's 2602 on IOS 15.2(2)JB$
We had a system outage due to power problems a few days ago, and now our WLC is showing short term packet loss when monitoring it using SNMP. We also monitor it using ICMP, but that shows no packet loss. I looked at the interface statistics on the WLC and all of the switches in between and there are no errors to be seen. is there any way to troubleshoot this problem on the WLC? I am more familiar with IOS than the WLC CLI.
View 10 Replies View RelatedWe faced one recent issue with WLC configuration behavior and explaining our observation and workaround we did.Requirement is to manage the WLC (5508 with 7.4 code) using two SNMP managers in different locations. Also these two Servers should use the same community string to manage WLC.
We were able to configure the SNMP community string for one server IP (to allow access) through GUIWhile trying to add another Server – IP with same community string – it didn’t allow As per the configuration guide, Controller can use only one IP address range to manage SNMP community. So we cannot configure the same community string to allow only two different server IP addresses [code] We currently configured the major subnet ( 10.x / 8 - two match both server addresses) and it works fineAlso when we tried 0.0.0.0 / 0.0.0.0 , it didn’t work (SNMP was failing)But this creates a security issue wherein anybody can poll the WLC.
I am working on a wlc 5508 in a lab environment doing snmp reporting & i was wondering if there is anyway to after the timing on how quick the snmp traps appear on the trap log page? I have looked through the gui but cant seem to find anything, so not too sure if there is a cli command, the traps come in very quickly on the nms way before they appear on the trap log page.
View 1 Replies View RelatedHaving an issue with Cisco ACS v5.1.0.44 and the Cisco WLC 5508. Cannot get users to authenticate and keep getting error messages referring to EAP session timeouts from WLC filling our logs. Seems to be with this model WLC because we have Cisco 4400 WLCs pointing to the same ACS with no issues. Is there a bug or special configuration that is necessary to marry the 5508 with ACS v5.1.0.44?
View 9 Replies View RelatedI have WLC 5508 and 18 1242 APs are connected to WLC. I am getting following error messages in all APs.
*Jul 3 02:53:18.263: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Jul 3 02:53:18.320: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
*Jul 3 02:53:18.326: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to
[Code]......
Have WLC 5508 running 7.4 code; have wlan setup to allow access to internal network. Users on ipads should be able to connect to this wlan and authenticated via certificate instead of PSK. We have setup laptops that are part of domain to use internal CA for authentication to WLAN. Ipads are not part of domain so we are not able to use the same model, or can we use the same model for authentication?How to setup WLC to authenticate ipad users via certificate instead of PSK while connecting to the WLAN?
View 1 Replies View RelatedWe are required to change passwords every so often at my job. I am trying to change the password for one of the local user accounts on a 5508 WLC running 7.0.98.218 - How can I accomplish this task? The option I get is to remove the users.
View 1 Replies View RelatedIs it possible to limit what users are able to do and view in the webconsole of a WLC 5508 via ACS. I have ACS setup to restrict what commands can be run depending on user on the CLI however when they log into the webconsole they can access everything?
View 2 Replies View RelatedWe are implementing a WLC infrastructure in our company following the below scenario:
- WLC 5508, OS 7.2
- APs AIR-LAP1142N-T-K9
- 3 Wlans (1Open w/ Web Auth, 1 WPA2 and 1 802.1x)
Issues:Everything seems to be fine, but some users loses connectivity (when connected to 802.1x network) at least 3 times by day.
- I cannot see anything at WLC logs concerning the association/deassociation of any of these users.
- Only strange line in the logs is "RADIUS server 172.21.44.50:1646 deactivated in global list" (authorization server config)
- Also I see some "Coverage hole pre alarm for client" but that doesn't look like a problem...
Have a WLC 5508 running 6.x code with LAP's providing wireless for our internal laptops (WPA2 and EAP-TLS). I want to provide guest wireless which goes out a different port on the WLC to a guest firewall/cable modem. However, we want to prevent our internal laptops from being able to use the guest wireless. I have RADIUS (IAS) and LDAP for my AD available. We would prefer not to have use Lobby Ambassador and just have the guests use a simple password or web passthru. Guests may be laptops or smartphones. What options are available? I have tried a test setup using dynamic vlan assignments from RADIUS using the IETF flags, but can't seem to get it to work. Is there a way to identify the SSID is being used at the RADIUS server?
View 13 Replies View RelatedI have a wireless 5508 with license base to 50 aps, i use a deployment flex connect. I already registered all my access points, I use web authentication to authenticate users guest, and the service dhcp is in the central site.
My issue is the users in each remote site, can not get an ip address by dhcp from the central site, they can authenticate in the guest ssid, but any users can not get an ip. The request is passing by the wan in this way
Central Site DHCP - Router WAN - Remote Site - Users with notebooks. I use flex connect central deployment (all the traffic consulting to the wlc) .
perhaps i should use local deploy? The wireless is in the central site.
I work at a campus and use the WCS to control access to my network for staff and only internet access for students. The Staff are assigned Username/password thru active directory and the student uses another SSID with only WPA --a password for all. I was tasked with adding more securing for students -- by adding a user/password. I do not want them connecting to my Active Directory for two reason--security risk and I have too many to input (over 1000). So, I wanted to use our internal database to validate users. I create a webpage with "WebAuth" that opens my logon page from my site and validates the login fields against the database. It works and this allows the user to navigate thru my website but not outside the site. If they try an outside url it redirect them to my logon script. I now understand why, so I'm looking for code I can add to my logon page that would allow me to redirect me to the controller's (once users are authenticated by my database) to call the WCS controller so I can enter a preset username/password so the policy management file would allow them access. I presently use "External" and don't know if "Custom" would work. Finding a way in using a database instead of adding one person at a time?
View 3 Replies View RelatedRecently i have setup a WLAN with inside and anchor 5508 controllers. Standard setup. However, one issue I have is I wish to extend the length of time between password changes for users connected in on the guest wlan. At the moment, 30 is max. I dont have an option on the controller to creat accounts for any longer than that. How to I extend it to 90 days or 120 days?
View 1 Replies View RelatedI have a Cisco 5508 running version 7.0.116.0. This controller hosts an open public wifi that requires users to accept a terms agreement via a Web-Passthrough setup that redirects them to the terms splash page. For most people this works without any issue. However, if a user has their homepage for their default browser set to a https site, such as [url]..., then they are never redirected to the terms splash page. The page will just spin and spin until finally they get a timeout error.
View 7 Replies View RelatedI´m currently looking for a document that specify how many MAC addresses can be stored and authenticated via an ACS (1120)? I prefer to use the internal identity store over AD or LDAP for MAB authentication for 802.1X project. I would like to know what is the impact on the ACS? CPU/MEM? What is the impact on the user authentication? delay, timeout, etc.
View 7 Replies View RelatedAt one of our locations we are experiencing some problems getting connected to our wireless networks.
It is possible to sit right next to an AP (AIR-LAP1131AG) and only have limited access to the network.
I have attached a snapshot from inSSID from the wireless networks in the area. All of them are broadcasted by our controller and I can´t figure out how it is possible to see SSIDs in other channels than the ones in the 2.4GHz band (11-14)?
I have a cisco ACS 4.0 build 27 on windows 2003 server . My site was working fine when i was having a AD on 2003 server . Recently i have migrated my AD servers is 2008 .
After the migration the ACS is not authenticating the users . Now i have made a server with 2003 and made the site working . I need a solution to make it work using 2008 server is there any compatiblity issue between ACS 4.0 and 2008 server .
We've just replaced our Fortinet Firewalls with 5525's but are struggling to get a feature working that worked great on the Fortinet firewall.All our users use a proxy for internet access that's configured in IE but from time to time some users need to remove this proxy and go directly out to the internet, with the Fortinet devices we created a rule right at the bottom of the inside access out rule that had it authenticate users via TACACS which worked a treat and could be used from PC or laptop. We want to do a similar thing on the 5525 and I thought the Authenticated user would give me this access but I don't seem to be able to get it to work. I've got the AD side of it working fine the ASA can pull user and groups from AD but I'm struggling to get this working for a user.
View 3 Replies View RelatedWe have a customer which is using ISE with 802.1X in order to authenticate computers. All the computers have their own certificate and most of them can be authenticated fine! The issue is that some computers cannot be authenticated.The port configuration the authenticator (Cisco WS-C4510R+E IOS 151-1) are configured exactly the same: [code]
But for some reason some PC cannot be authenticated. A wireshark capture on the computer not working shows that the computer receives a EAP Request Identity and also send a Response Identity to the switch but then nothing happens more: So the process is stucked in the EAP-Response/identity. I attach a debug capture on the switch for one of the computer which cannot be authenticated.
Running 7.0.220. There are several 'unknown' users every day reported in WCS. Investigating the connections on the WLC I find the clients are in a run state and passing traffic but there is no username listed on the client detail. (hence the unknown on WCS)
(mcm-189jsoc-wlc1) >show client detail 60:c5:47:07:b6:5a
Client MAC Address............................... 60:c5:47:07:b6:5a
Client Username ................................. N/A
AP MAC Address................................... 00:1e:13:42:16:a0
AP Name.......................................... mcm-208dorm-wap1
[code].....
Clients in this state are usually Apple products. From initial investigation it looks like the do authenticate with the ACS. r debugs to run, or fixes on the WLC? Perhaps there's a bug on this behavior?
On my wireless network, I am running guest access that I want to have as authenticated. If I enable WLAN, security, layer 3 web policy, when an iPAD / iPhone connects, they get directed to the Web Auth splash page, on where they must enter username & password. My users do not want to be directed to this page everytime they login - just select the SSID and connect - is there a way of authenticating guests via a WLC4400 without going through the splash page everytime?
View 6 Replies View RelatedAt this moment I'm trying to connect 2 router rv042 and i received the following error message
(g2gips0) #23: ERROR: asynchronous network error report on eth1 for message to 190.199.164.144 port 500, complainant 190.199.164.144: Connection refused [errno 146, origin ICMP type 3 code 3 (not authenticated)]
in the other router i don't see any error . what would be the problem.
I've just installed NCS. When trying to configure NCS for ACS Tacacs+ authentication, I receive the message below when trying to login to NCS. ACS records my login in the 'passed authentications' log. I am using ACS 4.2."No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server". I used the following link to configure ACS for NCS, url...
View 3 Replies View RelatedActually I have a lab with ACS 5.3 running with 802.1x, but when when the user is successfully authenticated, it's assigned and IP address from the DHCP server, is there a way to assign a static IP address depending of login username??
View 13 Replies View RelatedI'm trying to configure an ASA5510 with release 9.1(1) in order to authenticate VPN AnyConnect users through LDAP. In a first step the logs shiw me this kind of error:
[-2147483632] Session Start
[-2147483632] New request Session, context 0xadf415d4, reqType = Authentication
[-2147483632] Fiber started
[Code]......
802.1x is working properly, 802.1x port is up,but;when I do a remote desktop to machine that is 802.1x authenticated by an user(Wired), first, login to pc successfuly then(3 minutes) is switch port down..
Debug radius authentication
Debug aaa authentication
Does not appear in the log only message port is down
Equipment;
Cisco 2960, Cisco ACS 4.2 ,MS Active Directory Authentication
Client:windows xp, windows 7
Cisco 2960 Port Config
switchport mode access
dot1x pae authenticator
dot1x port-control auto
spanning-tree portfast
spanning-tree guard loop