Cisco :: SSID To Radius Without WLC (Aironet 1240)
Mar 4, 2013
I am working on setting up a new WLAN infrastructure. I have set up different SSIDs connected to different VLANs, in the AP. I also want to use Windows NPS for authenticating users on the different SSIDs, with different authentication methods based on which SSID the user/device is connecting to. To do that, NPS needs to get the SSID, but the Aironet 1240 only sends its MAC address in the Called-Station-Id. I have read a bit about this, and found out that if I have a WLC, it will add the SSID to to the Called-Station-Id. But since we do not have a WLC, I am trying to get this to work anyway. Is it possible to modify the Called-Station-Id to include the SSID on an Aironet 1240? If not, is it possible to send the SSID as a separate attribute that can be read by the NPS?
We successfully use this oid on our Aironet 1240 series AP's to list the dot11 associations to the AP:1.3.6.1.4.1.9.9.273.1.2.1.1.18 (cDot11ClientSubIfIndex).However, that oid does not work on our Aironet 1140 series AP's. Any equivalent oid?
We are using WLC4402 for our Aironet 1240AG access points. The clients are connecting to the access points and are authenticating to the RADIUS server. I am seeing the logs in Server 2008 but they are being rejected due to Network Policy on the NPS server.
Where do I see the Authentication Type on the WLC4400 or the 1240's? In order for the clients (authenticated via Active Directory user) I have to set the Authentication in the NPS Connection Request Policy to "Allow clients to connect without negotiating an authentication method".
I do not have a certificate on the server and my method options are MS-CHAP-v2, MS-CHAP, CHAP, PAP, SPAP, and allow without negotiating. This RADIUS server was moved from Server 2003 IAS to Server 2008 NPS and there were no issues in Server 2003 IAS. I have all authentication methods allowed and it still gives me the error below. Only when I check "Allow clients to connect without negotiating an authentication method" it allows the authentication to proceed.
Client Machine: Security ID: NULL SID Account Name: Fully Qualified Account Name: OS-Version: Called Station Identifier: 00-17-a2-87-54-00: SSID NAME Calling Station Identifier: 00-41-96-b6-e3-27
NAS: NAS IPv4 Address: 192.168.90.24 NAS IPv6 Address: - [code]...
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
I have CISCO ACS 5.1 radius for VPN on ASA and tried to configure an NDG on it for AIRONET 1260 too and worked fine with IEEE 802.1x CISCO EAP-FAST authentication As I had some trouble to let users to authenticate only on VPN if are VPN users and only on CISCO AIRONET if need only WIFI AIRONET I tried exception policies rules but something not working. VPN was ok but not WIFI access denied for rule policy access I decided to install CISCO ACS 4.x on Windows 2003 that is on ACS 5 DVD I created NDG as done on ACS 5 put a shared secret , put on AIRONET too as done for ACS 5 but I receive an error against ACS 4.x To troubleshout it I tried [URL] but not work ! I think to have done all fine owever on ACS 5 it worked in 5 minutes I searched log inside ACS 4 and found "Invalid message authenticator in EAP request" and I found this: [URL]Changed shared secret more times but ever not workign with ACS 4 I need to have user and password prompt on client trying to authentincate on AIRONET WIFI and I need ACS INTERNAL USER no active directory, no LDAP , no external user database?
I'm using an ASA5510 with AP1130 and attempting to set up a public and a corporate WiFi-network. The corporate one should allow users to authenticate with Radius running on MS ISA for access.
VLAN70 security level 1 (IP-range 10.10.70.0/24) for open guest WiFi. VLAN71 security level 100 (IP-range 10.10.71.0/24) for corporate users WiFi. VLAN100 security level 100 (IP-range 10.10.100.0/24) server network (only wired servers).
ASA is gateway at 10.10.70.1, 10.10.71.1 and 10.10.100.1. It is also DHCP-server for VLAN70 and 71.
Radius server is at 10.10.100.5, listening on port 1645 and 1646 for EAP/PEAP and MS-CHAP v2.
I get both WiFi-networks with VLAN 70 and 71 working without encryption, ie. open networks. Traffic flows fine and get network access without problems.
The problem I run into is that it seems the Radius server must be on the same network as the WiFi-clients for them to be able to authenticate with it. That is, I tried to use VLAN100 as the corporate WiFi network and then I am able to connect, authenticate and get network access if I also enable DHCP for that range. However with VLAN70 as WiFi I am unable to authenticate with Radius on VLAN100. It seems the AP can reach the Radius server but clients never get connected and eventually fail with an error.
I can ping the Radius server from the AP. All traffic should be allowed from VLAN71 to VLAN100 in the ASA. Packet tracing shows no errors there.
The switch is a 2960G with the following interface config:
I try to setup a 1141 aironet AP to authenticate my user through our Ms Radius Server ( Win 2008 R2).Everything is fine with small Bussiness AP WAP4410N with the following configuration:But I can't setup successfully the aironet 1141 with the same settings and getting it works.Here is my configuration for the Aironet 1141 Vlan 1 is the ssid I want to get it work with Radius.
I have setup a Cisco Aironet 1040 to connect to our Radius server which I have also configured.
I can successfully connect up any Iphone or Ipad but I cannot get any laptop to connect.
I have attached the logs showing the Iphone Successfully logging in and the Laptop Failing. Every single failure in the Event log for NPS comes up with
Network Policy Server denied access to a user. Contact the Network Policy Server administrator for more information.
I have a "standart" settings of Cisco Aironet 1240AG with ENABLED broadcasting SSID, encryption is WPA2 (AES). I can see the wifi network (ssid) with windows system but with MAC OS 10.5 and MAC OS 10.7 also with iPhone the wifi is acting like hidden. But If I manually enter the wifi ssid and set the proper encryption the connection work normally. Also I have a separete windows partition on one MACbook and this windows 7 have no problem to see the SSID of my network. But If i Boot to the MAC OS the WIFI is "hidden" until the manually connection. (same problem on iphone, manuall connect with manually entered SSID is working well).
I have some aironet 1200 AP's. I want to use this with a windows 2008 radius server. I followed the guide on [URL]. Unfortunately I can not get this working. In the securtiy log of the event viewer there is always the message "authenication was not succesful because an unknown username or incorrect password".
- Is it possible to get this working?
- If yes, is there a manual how to configure the AP's and the radius server, or are there any hints?
- Is this the best way to setup a wireless network or is there a better way?
I saw there is also a local radius server inside the 1200. Can all the 1200's work together? I suppose that if I use the built-in radius server than I can't make a connection to my AD database, correct?
I wonder if there is a way to rename an existing SSID on aironet 1142 without destroying/recreating. I tried downloading configuration/ changing name/ re-uploading however that didn't have desired effect. There doesn't seem to be a way via web-GUI.
We have three Access Points, two Cisco Aironet 1260 and one 1240AG. Originally, the SSID was hidden on all three AP's and users had to go to Other Networks and type in the SSID and password to access the WAN. About a few months ago, the network started broadcasting to the public. I am trying to make the SSID hidden again. I have tried going to the Security tab, choosing the SSID Manager and setting single guest mode to none but it has not worked.
I am using a Aironet 1100 series access point (AIR-AP1142N-N-K9) with IOS version c1140-k9w7-tar.124-21a.JA1. I want to create two seperate SSID's on the access point with WEP encryption. There is no VLAN configured and i want it to be like it. Also I need to broadcast both the SSID's at the same time, so the some of my users need to login with the first SSID and the others to login through the other.
I have configure my AP with to SSID (11 & 12), but I cannot connect to 12. It authenticates, and while trying to acquire IP address from 12, it fails and connects me to 11 (if I have already saved the SSID connection).
The following is my AP status:Product/Model Number:AIR-AP1231G-A-K9 System Software Filename:c1200-k9w7-tar.123-8.JEE System Software Version:12.3(8)JEE Bootloader Version:12.3(2)JA4
The SSID 12 already have 4 clients connected, And I am tring to connect a 5th one (smart phone), but cannot connect to 12, instead coneected to 11. Also tried with a laptop, but cant get the IP address, and give Limited Connectivity error.
I configured the device manually, not even using Express Setup or Express Security setup so... it is possible I missed something.Anyway, here's the problem. Although the SSID is configured as "AP1", this SSID does not appear among available networks on the client laptop.
The connection, configured in Group Policy for the client, should actually happen automatically, based on the SSID, but since the SSID is not being broadcast, that connection is failing as well.
The Aironet does appear among the available networks as "Other Network" and if I click on "connect" I am prompted to enter the SSID -> AP1
Although, unexplicably, an error message displays (Windows cannot connect to the network, or something to that effect), the laptop *does* connect once I close that window. Network access is complete and functional - I can ping other hosts, etc..
I'd post screenshots but not knowing what setting is missing or incorrect, I'd have to print dozens. So here's the sh run output of the AP obtained via telnet (just below). This is a test network so all information is "real" (nothing changed for privacy):
Note: I even changed the hostname to "AP1" (it's still LAB1 below) but that did not resolve the problem (did not think it would).
I bought 2 Cisco 1140 series Access Points a couple of months ago. We would like to use PEAP to autheticate with Microsoft IAS Radius Server & Active directory. I cannot find a document which describes how to setup this type of configuration. The only document which is close is how to setup LEAP & with ACS: [URL] I initially followed the 'TechReplublic's Ultimate Guide to Enterprise Wireless LAN Security' which has all the steps to setup Radius server, client side configuration, Certificates and finally a handy excel script to generate a config for the AP. This did not work. [URL] I am now trying to configure the AP using the Web GUI. I can see the network on the client machine but when I try to connect it timesout.
We have multiple Cisco Aironet 1131AG devices, all wired on one Cisco L2 switch(2560) who is connected to L3 switch (3550). We assigned one VLAN for access point in L3 switch who acts as vtp server (L2 switch is vtp client). All ap's will have static ip address and all will have same SSID and no security and they will be using multiple channels (ex. 1,6,11). They will operate in 3 floor building for roaming wireless client. We won't using any wireless controller.
How to configure APs-all the same with different ip's, can we use L3 switch to create dhcp server for access points VLAN (pool for clients, and the rest for static ip for ap's)?
i've been looking for a way to isolate clients on a Cisco Aironet 1121 on a certain SSID, and i cant find anything, tried pretty much everything i coudl remember, but since im no expert on Cisco wireless.
Quote:
Cisco IOS Software, C1100 Software (C1100-K9W7-M), Version 12.3(7)JA1, RELEASE SOFTWARE (fc1) Technical Support: [URL] Copyright (c) 1986-2005 by Cisco Systems, Inc.
how i can configure a second ssid for guest access in our environment. this is our network setup prior to this request: Internet----Firewall (not ASA)---ce520---C1131AG and CME router is also connecting to the ce520 switch. we only have two vlans: one for voice and two for data.
Presently, there is no vlan configured on the AP because it on broadcasting ont ssid and wireless users gets IP from a windows DHCP server on the LAN. the configuration on the ce520 switch port for the AP and other switches say access vlan is the DATA vlan which automatically becomes the native vlan for all trunk port connecting the AP and other Stiches to the network.
Now with this new requirement, i have made my research and i have configured the AP to broadcast both the production and the guest Vlans. The two vlans are 20-DATA and 60-Guest. I made the DATA vlan on the AP the native vlan since the poe switch is using the DATA vlan as native on the trunk ports. I configured the firewall to serve as DHCP server for the guest ssid and i have added the ip helper-address on the guest vlan interface on all switches while the windows server remains the dhcp server for the production DATA Vlan. I have confirmed that the AP, switches can ping the default gateway of the guest dhcp server which is another interface on the firewall. I can now see and connect to all broadcasted ssids but the problem is I am not getting IP addresses from both the production dhcp server and guest dhcp server when i connected to the ssid one at a time. My AP config is attached below.
Do i need to redesign the whole network to have a native vlan other nthan the data vlan? Does the access point need to be aware of the voice vlan? Do the native Vlan on the AP need to be in Bridge-group 1 or can i leave it in bridge-group 20?
how to change our wireless setup. Currently, we have 2 Cisco AiroNet 1130 WAP's in the office that go directly into the 2 POE ports on our Cisco ASA 5500. These WAP's have 1 SSID and are using WEP for security. After demonstrating the flaws of WEP to my boss, he has agreed that we should use something more secure and I've suggested WPA. We want visitors to our office to be able to hop on our wireless but on a separate guest SSID with WEP.
I'd like the internal SSID to route to the ASA and take the default route to the internet (it will be our new fiber connection once it's installed in a couple weeks). The default route is whichever connection is working since our ASA 5500 will fail over when it detects an outage.
I'd like the guest SSID to route to the ASA and then go over our existing cable connection. This connection will be our backup once the fiber connection is installed. Since we won't be using it very often, but will be paying for it, I advised that we send all guest wireless traffic over this connection since 50/5 is plenty for guests.
The current SSID (which will be the internal SSID) has no VLAN. We do currently have a few VLANS on our network, one for voice (.42) and one for data (.100) and the default (.0). What device to I create the VLAN on (Cisco 5500?) and how to I setup the WAP? I need very basic instructions to start and I'm also trying to do this without causing downtime if possible.
I've attached a diagram of what it should look like. Red indicates our internal network and Blue indicates the guest network. I can send screenshots as well.
I have several autonomous 1240ag AP's that I need to enable a second ssid(Guest and VLAN2) for guest access and while I have configured the AP's according to the driections, I am not able to connect to the second ssid(Guest), but it is broadcasting. When I check the logs, I do not even see my laptop or any other device for that matter, trying to authenticate, what am I missing? I can see, connect and get an IP from the first ssid(Production and VLAN1), which is on the native VLAN and my 3COM 3C17203 switch port(14) is tagged for both VLAN's. Although I am sure that this would work better with a Catalyst switch, but it is not in my budget to replace all 4 of these, but I need this to work.
AP not booting and am not able to boot. Xmodem file system is available.flashfs[0]: unable to allocate available block.
The system has been interrupted, or encountered an errorduring initializion of the flash filesystem. The followingcommands will initialize the flash filesystem, and
Is there anyway to monitor client who is downloading , using the most bandwidth in Cisco wireless environment ? i have 1240 ap and 4400 controller environment.
I am looking into upgrading a customers wireless network and they are looking at using a few 1240 access points for both internal and external connections. Their question is can one access point support both channels simultaneously? They would like to connect an antenna on the inside of the building on the 5ghz channel and another externally on the 2.4ghz channel.
We have four VLANs that need to be accessible to wireless devices. The VLANs serve the following groups: staff, student, guest, phone
We are currently using a WEP/MAC authentication for staff and phone wireless networks.
I am looking for what your recommendation would be to provide reasonable level of wireless security, particularly with the staff network, but at the same time not require a high level of management, ex. managing active and inactive MAC addresses for MAC authentication. We have the following components available - 1240 APS, Windows AD, a 4402 WLC, and 6 campuses, and outdated Cisco ACS.We need to provide connectivity to Cisco wireless phones, laptops, iPads, cell phones.
Wireless client receives a DHCP address from central DHCP server fine. Unable to route outside of own subnet . Continuous ARP WHO HAS (Default Gateway addr) TELL (client IP) messages being received. WLC running OS 4.2.99.0.
I'm trying to find a document in Design Zone about configuring a Wireless AP and I wasn't able to find it. I have a good experience configuring switches, routers and firewalls in CLI and this is the first that I have my hands on APs (1240 AG).
I just started a project to make a guest wireless network available at every site in my enterprise. Guest wireless networks are currently available at some sites. Two key goals of this project is to enable WPA/WPA2 encryption and to develop a web based registration/autentication solution. All of the sites have a mixture of 1230, 1240, and 1250 autonomous access points. What do I need to do/get in order to make this happen?
Is it possible to assign a single ssid to multiple interface groups by assigning the ssid to multiple AP groups?
I have buildings geographically dispersed that are configured with multiple vlans in interface groups so that I can maintain an addressing scheme of dhcp assigned addresses per building. Each building is also further grouped as AP groups. I'd like to know if by assigning the same wlan ssid to each of the AP groups, will I maintain addressing integrity for each building? I'm thinking it will work.
Do the buildings have to be outside AP range of each other to avoid problems?
I am currently useing ACS 5.2 and have no problem using Tacacs+ with AD access.
But with Radius it seems I can only get the Local identity store to work, need to do something special to get Radius to work with active directory with Cisco ACS?
