We have configured an 2801 to aggregate some VPN clients. The problem is that between 20 and 50 minutes it asks for re-authentication even though the connection is not idle. Is there a timer that creates this problem?
Below the applied configuration :
crypto isakmp policy 1
encr 3des
authentication pre-share
[Code].....
We have configured an cisco 2800 for vpn clients. The weird thing is that after some time (not specific time interval and no idle connection) asks for re-authentication. Some times after re-authenticating session disconnects.
View 2 Replies View RelatedSecurity during client authentication is enhanced by applying both 802.1X and Web Authentication for a WLAN."
View 7 Replies View RelatedI am using Cisco ACS 5.1. I would like to authenticate my ip phones with mab (Avaya phones) and the commputers with dot1x.Everything works fine except that the phones which are successfully authenticated with mab tries to authenticate again and again and again ... and this fills up the ACS logs. Every authentication is successfull and the phone does not hang up. But this fills up my logs and makes them unusefull.
switch version: cat4500-ipbasek9-mz.122-53.SG3.bin
port config:
interface FastEthernet2/25 switchport access vlan 107 switchport mode access switchport voice vlan 502 switchport port-security maximum 3 switchport port-security switchport port-security aging time 1 switchport port-security aging type inactivity no logging event link-status load-interval 60 speed 100 duplex full qos vlan-based authentication event fail action authorize vlan 109 authentication event server dead action authorize vlan 101 authentication event server alive action reinitialize authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto authentication violation restrict mab no snmp trap link-status dot1x pae authenticator dot1x timeout quiet-period 30 dot1x timeout server-timeout 25 dot1x timeout tx-period 15 dot1x timeout supp-timeout 25 dot1x max-req 3 tx-queue 3 priority high no cdp enable spanning-tree portfast ip dhcp snooping limit rate 10end
I'm trying to replace a ASA 5505 with a Cisco 2801 w/ security bundle.I have gone through a pretty basic set up of configuring what I could and letting the Cisco Config Prof do the security audit to lock it down. I have everything working just fine except for the bandwidth.
As soon as I plug the router in it seems to give all the bandwidth to one computer and the rest of the campus slows down to a crawl.I turned on "fair-queue" and even tried the QoS wizard in CCP, but it seems like thats if you want to prioritize voice over data - which we aren't running VOIP so I don't need.
I have a strange situation on my guest wireless LAN.The guest WLAN is configured as an SSID "GUEST" on Cisco 1142 lightweight APs, with WiSM controller and WLC software version 7.0.230.0.
For simple Internet access using this SSID, we have a web policy, which causes a web page to be displayed when the user opens his/her browser, and on this web page, the user must click on an "Accept" button in order to accept the terms and conditions of use. Once the user accepts, the browser will then go to the web site which the user wishes to open. When using this mode of access, everything is fine.
However, there is also a pre-authentication ACL, which allows certain types of VPN traffic to reach the Internet without the user being required to accept terms and conditions. The ACL allows ESP, IKE (UDP/500), IKE over UDP (UDP/4500), DNS, HTTPS/SSL (TCP/443), DHCP client and server (UDP/67,68).The pre-auth ACL actually works as intended; and the ACL traffic is NOT allowed when the ACL is removed. This is exactly as it should be.
However, when using, for example, a VPN client such as the Cisco VPN client, or the Cisco AnyConnect client, via this guest SSID without user acceptance, the WLAN regularly and predictably stops passing traffic. This is 100% repeatable and predictable; it happens every 300 seconds, or possibly slightly longer. I have only used my PC clock to time it so the timing isn't all that accurate but I'm sure it's within a few seconds.
Given that the problem happens at the same time interval and is constant, I guessed there must be some configuration item which needs to be altered, but I've looked extensively at the controller GUI (we actually use WCS here) and I can't see anything that looks even remotely related to this.
I am using Cisco AnyConnect VPN Client v2.3.0254 and ever since i upgraded my laptop from the Lenovo T420 to the Lenovo T430 the time it takes to connect via VPN has increased drastically. Connecting via VPN on my Lenovo T420 would take as little as 5 seconds to authenticate and connect while connecting with my T430 is now taking at minimum of 5 minutes, sometimes upwards of 15 minutes only to report back an error!
The screen the AnyConnect VPN Client seems to hang on is "Establishing VPN - Initiating Connection..."
The server is enforcing that McAffee is installed and up to date, however i have already made sure that my McAffee install is valid and up to date.
I have already taken these steps to try to correct the issue: Re installed Cisco AnyConnect VPN ClientRe installed & updated virus definitions for McAffeeRan CheckDisk on my primary OS partitionRan RAM validation utility to verify no bad sectors I have attached a screenshot of the error log from AnyConnect as well as the log html file.
I'm trying to change the DHCP Client Lease Time from 1440 minutes to 480 minutes. When I try to apply the new settings, I'm getting a message that says "Invalid Characters" and it won't stick. I've tried this in three different up-to-date browsers (ie10, Chrome and Firefox). Also, I'm connecting locally through LAN and I have the latest EA6500 Firmware: 2.1.39.145204
View 2 Replies View RelatedThe IPAD VPN works great over token, radius and local authentication. But now we need to authenticate vpn client via digital certificate (only vpn authentication between client and gateway)? I'm not sure which certificate we should buy to authenticate vpn client.The plan is to install digital certifiacte on VPN Gateway (CISCO ASA 8.0.4) and IPAD Cisco IPSec client to eliminate user/pass authentication.
View 9 Replies View RelatedI am using Cisco 1812 as EZVPN server. I want to use Active directory for VPN user authentication. I am trying from couple of days but no success.With ASA, i am able to authenticate against AD, but not with IOS router. Below are my configurationsIf kerberos authentication is not possible, I would like to know the possibility of using AD as ACS external database. I am running both AD and ACS in the same server. If i can integrate AD with ACS, i can use TACACS or RADIUS for the authentication.
View 3 Replies View RelatedI am designing wireless controller solution for one of our customer network with Cisco 5500 series controller, wireless client authentication part.
1. There are 25 departments around the campus, each will be given one or two access points.
2. One Cisco AIR-CT5508-50-K9 Controller shall be used.
3. Single SSID/ VLAN shall be used for entire campus.
4. Wireless Authentication credentials used by one department shouldn’t work for other department
My ISP has just implemented a new network on the cable infrastructure which uses a PPTP authentication method. It works on my Cisco RVS4000 router as there is an option to set PPTP as the WAN type. The only trouble with the RVS4000 is that the performance is very poor, hence I am trying to get it working with a Cisco 1921. I have looked high and low and I cannot find an sample of a Cisco router functioning as PPTP client to a ISP.Enclosed is the screen shot of my Cisco RVS400 with the options etc.
View 2 Replies View RelatedI have this scenario, AS5510 ver 8.4(3), VPN Client 5.0.07, RADIUS authentication with IAS on Windows 2003 Server.The issue is that, establishing the connection with the VPN Client, if the user credentials are correct every things works fine, but if we introduce a wrong password I don't receive an error message or a again the authentication form.Nothing happens the VPN Client keep trying to "contact security gateway", after about 5 minutes it stops without any message.Debugging the authentication process in the ASA I see that if the password is incorrect the radius authentication response is "reject". I have also tried with a different version of VPN Client but nothing change.Using AnyConnect client every things works fine.
View 1 Replies View RelatedI want to connect with AnyConnect Secure Mobility Client 3.0.2052 to ASA 5540 Version 8.4 and SSL Premium License.The clients using Maschine Certificate to authenticate to ASA. This works fine.Now I want to setup a DAP to verifiy the client against the Microsoft AD using LDAP. I configured LDAP server in ASA see:aaa-server LDAP protocol ldap aaa-server LDAP (inside) host ldap.com ldap-base-dn DC=x,DC=x,DC=x,DC=com ldap-scope subtree ldap-login-password ***** ldap-login-dn ***** server-type microsoft ,I can see that it works if I test the server via the testbotton in ASDM and I see it in CLI "debug ldap 255" also. But if I configure in DAP: AAA Attribute ID:memberOf = DomainMember I can not see any request to the LDAP server during I try to connect with the Client und the DAP doesn't match.
View 2 Replies View Relatedwant to connect with AnyConnect Secure Mobility Client 3.0.2052 to ASA 5540 Version 8.4 and SSL Premium License.The clients using Maschine Certificate to authenticate to ASA. This works fine.
Now I want to setup a DAP to verifiy the client against the Microsoft AD using LDAP. I configured LDAP server in ASA see: [code]I can see that it works if I test the server via the testbotton in ASDM and I see it in CLI "debug ldap 255" also. But if I configure in DAP: AAA Attribute ID:memberOf = Domain Member I can not see any request to the LDAP server during I try to connect with the Client und the DAP doesn't match.
i am trying to connect clients to my AP1231 which is running C1200 Software (C1200-K9W7-M), Version 12.3(8)JED. Client authentication is against RADIUS server. [code]
View 3 Replies View RelatedI'm trying to set up a 5505 (running 8.3) so that i can use the client vpn through RADIUS authentication.I have set up a new local RAIDUS windows box and used the ASDM asistant and a few other guides to setup the 5505.
View 3 Replies View RelatedI need some clarification with configuring my ASA 5540 with IOS 8.3x for remote client certificate authentication.
I have my root certificate from the Microsoft CA but not quite sure if the outlined steps in the Cisco websites below are exactly what I need since the firewall seems to be generating the certificate to be used. [URL].
My setup is such that the CA will issue certificates to the remote clients and to the ASA firewall, and the remote clients will authenticate and connect with their certificates which the firewall constantly updates using the CRL update from the CA. The dhcp pool is to be issued by the domain controller on the inside network and not on the firewall. Any examples or best practice steps to achieve this.
I have a 5508 wlc trunked to a 6500 switch. Also trunked to the switch on both eth0 and eth1 is the CAS. The CAM is connected with an access port.
The CAS and CAM are on seperate VLANs and the CAS was added to the CAM without issue. I followed the example document for OOB WLAN (VLANs and mapping etc) but I don't get any authentication going on. The client associates and the WLAN interface is the quarantine VLAN However it seems the client can connect to the network without issue (can web browse to a server internaly to the campus)
The client is shown in the wireless clients on the device page of the CAM, If i close down either of the CAS interfaces the client connectivity is broken.
Just once, randomly the Clean Access Login Page appeared on the client (battery had died and waited about an hour) but when I rebooted the CAS to check it was consistent it never came back.
I have two xp pro machines that im trying to share an accounting system on one machine is the sage accounting and i want to join another machine to it the sage is working on both machines except the one is not allowing reports, comes up with an erro when i map drives i have to put in a user name and password (only once) then it works but im suspecting this is causing a problem for the reports on the previous two machines that worked fine...(we have just upgraded both) it asked for a windows password but you just pressed enter and it logged in.how do you get two xp machines to talk without password prompt i have run the networking wizard on both, and they are both on the same workgroup
View 2 Replies View RelatedI have been noticing in my trap logs that there are an excessive amount of Client Association/Authentication Failures. I cannot figure out why. I have a Cisco 5508 WLC with 81 AP's (1131ag, 1142abgn, 1262N) models. The wireless devices are on a Windows Domain and use 802.1x EAP authentication, authenticating the user and computer info with a RADIUS Server. I look at the logs and all it can tell me is Reason:Unspecified ReasonCode:1. I read that the Reason Code is due to "Client associated but no longer authorized" but to be honest I am not sure what that means.
View 9 Replies View RelatedInstalled a new 5508 WLC last week, and finished bringing 68 new 3602i access points online in our College Dorms. We are seeing a lot of "Client De-authenticated" errors "Reason: Unspecified Reason: Code 1. Years ago I asked about error code 1. The reply from Cisco was: "The programers put the code in. It basically means we don't know what the problem is."Got a call from one of the dorms stating that students were getting knocked off the network while going to sites. If a student is wired, network is solid.Walked the dorm in question and was getting full bars of signals at all times, and was able to stream a movie from my Ultraviolet account without any break or slowdown as I moved from access point to access point. So.. my device, an iPad, was fully mobile and did not experience any disconnects.Did observe one student using a MacBook Pro. This student was constantly loosing connection to the access point. Checked the controller for the MAC of the student's computer. I did find deauthentication errors. BUT... this student's error was the computer was receiving an IP address from the DHCP that was already in use. At the computer the error message was a timeout issue.I am just learning the ropes on the 5508. Have used 3 4404s for the past six years.
View 2 Replies View RelatedI have setup the WLC to authenticate to a MS Server2008 NPS for a WPA2/AES SSID. The connection is successful, but client authentication fails for wrong EAP-type. I believe this indicates a Windows7 client issue. What is the required client setup to satisfy the MS NPS?
View 8 Replies View RelatedWhen trying to connect a laptop to my router it asks for my password. I am sure I am putting in the correct word but every time my connection fails. Is their anyway of checking my password
View 1 Replies View RelatedMy whole college Campus is enabled with WiFi facility.But the officials said that u cannot connect it through mobile.U can only connect it via laptop.i tried connecting it via mobile, but it asked many other things other then id & password, i Have the id & password, but i dont know what to write in other things.
View 1 Replies View RelatedMy dlink wireless has a WEP consisting of 40 numbers (or 4 lines of 10 numbers)When I connected a PC to the dlink it asked for the key and I entered all 40 numbers and it connected without problemI also had to enter all 40 digits for my Wii to connect to it.But when I connected my PS3 I only entered in the first 10 digits and it connectedI have connected various devices to the dLink and some ask for the first 10, some 20 and some require all 40.I have just bought a new phone Samsung Galaxy Ace and trying to connect to the dlink is impossible. I have entered all 40 digits and it wont connect, it just says "authenticating" then "disabled". I have tried the first 10, then 20, then 30 and it still says disabled.The problem then is I don't know whether the phone is faulty or the dlink just wants a particular line of my key.
View 14 Replies View RelatedWell there are 2 PC in my LAN:NBNotebook WiFi connection to my router NETGEAR DGN2200v3 Windows 7 Professional x64 SP1 DSKDesktop Cabled connection to my router NETGEAR DGN2200V3 Windows XP Home Edition 32bit SP3 If from DSK I try to access NB shared folders through network, everything is fine.If from NB I try to access DSK shared folders through network, the following window appears:The strange thing is that this problem seems to occur randomly! Sometimes it occurs, sometimes not (during the same session of usage of NB). This is annoying because usually I need to work with NB on files which are stored in DSK through local network, so if I need to apply a change to a file, sometimes I won't have a chance to do that.
Some minutes ago I configured DSK and NB so that the account for both has the same username and password.When on NB I try to access DSK shared folders, the window I posted above appears, I fill the data but neither this time I have granted access...This is what happens:- I reset NB WiFi connection- Using NB I try to access DSK shared folders --> everything is ok- About 5 minutes passes- Using NB I try to access DSK shared folders --> the authentication window appears, I fill the username and password fields but they won't be recognized
I have a setup with a were I configured monitor mode on a switch with ISE as RADIUS server. This is for testing before a bigger deployment at a customer site.Im using ISE 1.1.3, C2960 and IOS 15.0(2) and a laptop with Windows 7 Enterprise SP1. The correct configuration with EAP-TLS and machin cert is working like it should but it is when I remove this and make the laptop fail that I get wierd results with monitor mode. I cant get DNS to work in dot1x monitor mode if the client fail authentication.
When the client fail dot1x and MAB it gets a IP with DHCP. I can ping but DNS/browsing is not working. If I put the AuthC back and the client authenticates DNS is working, or if I turn of dot1x on the client then DNS work as it should. [code]
Looking to fine tune Cisco IPSec client RA-VPN authentication on our ASA-5510. Currently using NT Domain authentication. It's been working fine for quite a while but is too broad a brush. It authenticates anyone who is in the domain. We need to only authenticate folks who are in a specific AD remote access security group. I'm testing LDAP but am getting the same results. I can get it to authenticate based on overall domain membership but can't seem to figure out how to check group membership.
We've updated to ASA 8.2(1) and ASDM 6.2(1). It seems to have more LDAP functionality but I'm not an LDAP expert. I've posted an image of the LDAP server dialog from the ASDM. I originally tried putting the Group DN in the Base DN field but kept getting a "can't find user" error when testing. I also tried adding the group info in the "LDAP parameters for group search" field at the bottom. But it doesn't seem to be looking there. Note that the current value is the Group Base DN only. I also tried putting "memberOf=" in front of that. Still no luck. The values shown in the image work for simple domain membership.
web authenticate users within a specific Active Directory Security Group. I tried to authenticate over Radius with Cisco Secure ACS and Network Access Restrictions. But NAR only works with Layer 2 authentication. And Web Authentication over LDAP can only be used with User Objects.
View 5 Replies View RelatedI am running Cisco ACS 5.1 802.1x with certificate based authentication for Wired and Wireless connections. The issue that I am having is that when a user comes in from home with their laptop the wireless connection works, they pass the authentication and have network access fine. But when the plug the laptop into a docking station the LAN connection fails and gets put in the Auth Failure Vlan. A reboot of the phone/ shut/no shut fixes this, but I really need to find a resolution.This is an intermittent fault and only effects users with both LAN and WLAN enabled. Running ACS 5.1.0.44, all Cisco 3750s - c3750-ipservicesk9-mz.122-55.SE.Certificates are issues by group policy and only using computer authentication.
View 2 Replies View RelatedI am trying to get a NAC demo running and am having some issues with a Layer 2 OOB, Virtual GW configuration. Currently I have 3560G switches and would like to assign ports to a vlan based on user roles.
My Auth VLAN is 110 and maps to VLAN 11
Guest VLAN is 11 (172.16.1.0/24)
Employee VLAN is 1
NAS Mgmt VLAN is 20 - CAS is 10.10.20.5 (this ip is setup on both eth0 and eth1 per documentation for L2 OOB Virtual GW)
NAM Mgmt VLAN is 30 - CAM is 10.10.30.5
Untrusted (Eth1) switchport is setup as a trunk allowing only vlan 110 and has a native vlan 999 to blackhole traffic.
Trusted (Eth0) switchport is setup as a trunk allowing vlan 1, 11, 20 and has a native vlan 998 to blackhole traffic.
I also setup a Managed Subnet on the CAS with IP 172.16.1.254 and VLAN 110.Switchport controlled by NAC is access vlan 110. When a machine connects an snmp trap is sent to CAM and is forced into vlan 110. If I try to put the port in another vlan CAM puts it back to 110 immediately. This all seems to be working well.The machine connected to the port gets a DHCP address from VLAN 11. When I initiate traffic from this machine, everything is blocked. If I open a web browser I do not get an authentication page. I also installed CCA 4.1.10 on the machine but it does not find a discovery host and the Login option is grayed out. The only way to get this machine to send traffic is to add a filter for it and force it to the ALLOW option. I did setup a default web login page but I seem to be missing something to get authentication to work. I am running version 4.1.8 with a demo license. The host running CCA is Windows Vista.
I was very excited to read about the two factor authentication that Cisco and Verisign offer through the VIP and SA500 series routers. I purchased an SA540 a month and a half ago. I have been on the phone with support of both Cisco and Verisign ever since. It appears no one actually knows how to make the product work. Finally I was told that they have only tested it on an SA520. So I bought an SA520; however, it doesn't work either. How to use the Verisign VIP two factor authentication with either an SA520 or SA540? If so, what is the trick? If not, how is Cisco advertising this product if it doesn't actually work?
View 3 Replies View Related
