Cisco Security :: ACS 5.1 802.1x Authentication Fails On LAN When WLAN Connected

Aug 23, 2012

I am running Cisco ACS 5.1 802.1x with certificate based authentication for Wired and Wireless connections. The issue that I am having is that when a user comes in from home with their laptop the wireless connection works, they pass the authentication and have network access fine. But when they plug the laptop into a docking station the LAN connection fails and gets put in the Auth Failure Vlan. A reboot of the phone / shut/no shut fixes this, but I really need to find a resolution. This is an intermittent fault and only affects users with both LAN and WLAN enabled. Running ACS 5.1.0.44, all Cisco 3750s - c3750-ipservicesk9-mz.122-55.SE. Certificates are issued by group policy and only using computer authentication.

View 2 Replies



Cisco AAA/Identity/Nac :: ACS 5.2 EAP-TLS Re-authentication Fails

Jan 21, 2013

I configured WiFi connection on Windows XP and Windows 7 with EAP-TLS (using Cisco WLC 7.0.235.3 and Cisco ACS 5.2.0.26.10). It is configured with computer authentication and computer certificates are autoenrolled from Microsoft PKI. It works well!
 
Now I configured Windows 8 with the same configuration. First authentication works but if I manually disconnect and reconnect, I get this error on ACS: 22047 Principal username attribute is missing in client certificate. In EAP packets, we could see that Windows 8 sent a TLS session ticket but the session was not resumed correctly by ACS. On ACS configuration, we checked this option "Enable EAP-TLS Session Resume" with session timeout "7200".

View 2 Replies View Related

Cisco :: ACS 5.2 Machine Authentication Fails Every 30 Days

Jan 9, 2012

Running ACS5.2, Windows XP Pro, Windows Server 2003 and Cisco Anyconnect Client. When the machine name password changes between the PC and the AD server the ACS will error out with "24485 Machine authentication against Active Directory has failed because of wrong password". TAC has been working with us on this and sees the error in the logs but does not have an answer on what to do to solve this. It has the same problem with Wireless Zero. Once the PC is rebooted the error goes away for 30 days. We are in a hospital setting so this is not just a minor problem.

View 16 Replies View Related

Cisco VPN :: ASA 8.2(5) / AnyConnect Fails At First Attempt (certificate Authentication)

Jan 25, 2012

I'm trying to set up vpn with ASA 8.2(5) and Anyconnect 3.0.4235. The goal is to force user to connect from registered machines only (winXP & win7 x32 and x64). To do this, I used machine certificates issued by own CA. Certificate is installed in machine store. I use double authentication (aaa & certificates). Everything works fine, AnyConnect browses cert store, ASA validates machine certificate, then user is prompted for username/password and finally if all is correct - connection is established. My problem is that for a new installation (new host), AnyConnect fails at first connection attempt. If I use aaa authentication only, connection is established, but if I use aaa & certificates - connection fails. The appropriate .xml profile is predeployed at client host as well as machine and root certificates. Important: When first try (aaa auth) succeeded, others are always OK (with aaa, certificate or aaa & certificate authentication). Only the first one fails. The goal is to successfully establish connection with aaa & cert.
 
With DART i get:
******************************************
Type        : Error
Source      : acvpnagent 
Description : Function: CTransportWinHttp::WinHttpCallback
File: .CTransportWinHttp.cpp
Line: 2150

[code]....
 
Certificate is valid for sure, and as I mentioned before, if I first use aaa only, the second try is OK. On the ASA, with debug crypto ca 255, I can't see any certificate from the client.

View 3 Replies View Related

Cisco :: Enable Password Fails In AAA Authentication Method List?

Jul 15, 2011

I've got a weird problem that I can't figure out. I've de-authorized the switch in the RADIUS server to force an ERROR status to test the backup entries in the AAA authentication method list. However, after I do that and try to log in (through ssh), it just prompts me for my username's password and not the enable password. Here's the debug output:

1d02h: RADIUS: Marking server xxx.xxx.xxx.xxx:1812,1813 dead
1d02h: RADIUS: Tried all servers.
1d02h: RADIUS: No valid server found. Trying any viable server
1d02h: RADIUS: Tried all servers.
1d02h: RADIUS: No response for id 10

[code]...

View 14 Replies View Related

Cisco Wireless :: Web Authentication On WLC 5508 Fails To Redirect / When Enter URL

Oct 19, 2011

I have a problem with a customer of mine. We have deployed two new WLC5508 running r7.0.116.0 and AP1142s, also WCS with r7.0.172. When we set up a "Guest Access" we ran into trouble. The problem is that we can associate to the SSID/AP and get an IP address. When we open the web browser we do not get redirected to the virtual interface but instead the _hostname_ of the WLC. Like this: url...
 
If we manually replace "cisco6a19c4" with 1.1.1.1 it works as it should, the login page appears, we login and can access the internet. We have tested and disabled web-auth on the ssid and everything works, we can directly go out on the internet, DNS works without any problems. [code] Guest network (VLAN) is transferred from WLC via the trunk to the Cat4503 and then connected on an access-port to a separate broadband-router, then to the internet. DHCP to guest-users from separate broadband-router which is def gwy and "DNS". On the virtual interfaces no hostname is configured.

View 6 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 - LDAP Authentication Works / Authorization Fails

Oct 24, 2011

I set up LDAP store pointing to a Windows domain and am testing authenticating users via an ASA. In my LDAP config, it's set for "Groups Objects refer to subjects" and I selected usernames in the drop down. I also added a Global Group to the Directory groups tab in the LDAP store that I created.
 
Under my Access Policies, I created a rule that meets two conditions - coming from the ASA, and then I was able to select the group from the drop down box for my ldap domain. As a condition, it shows up as DomainName:External Groups. I set the permission to Permit Access.
 
Originally, I was failing authentication and I was receiving Subject Not Found in Store. I adjusted the Identity Sequence and now I receive the following error:
 
15039:  Selected Authorization Profile is Deny Access. So it must not be associating my account with the group with the Permit Access and using the Default Permissions. So it does match the correct Access Service, and Identity Store.

View 1 Replies View Related

Cisco Wireless :: 5508 - Client Authentication Fails For Wrong EAP-type

Jan 16, 2012

I have setup the WLC to authenticate to a MS Server2008 NPS for a WPA2/AES SSID. The connection is successful, but client authentication fails for wrong EAP-type. I believe this indicates a Windows7 client issue. What is the required client setup to satisfy the MS NPS?

View 8 Replies View Related

Linksys Wireless Router :: DDNS Authentication Fails With E2000

Nov 13, 2010

Just purchased an E2000 (Firmware version 1.0.03) to use with DDNS. Much to my surprise there seems to be a problem with saving the password at the configuration screen. [code] With the above settings entered and the Update button pressed favorable results are obtained; the router reports that DynDNS.org updates okay. However once the "Save Settings" button is pressed an update fails with the error "Authorization failure bad ID or password". Is anyone else experiencing this issue? Is the password field limited to certain characters?

View 9 Replies View Related

Cisco :: 2504 Configured One WLan With External Web-authentication

Jul 4, 2012

I have a Cisco WLC 2504. I configured one wlan with external web-authentication. External web server is apache on freebsd. When a user connects to the wlan and opens a web browser, wlc redirects the client to the external web page, where the client must input his credentials. When the client clicks the "submit" button on the external web auth page, wlc initiates a RADIUS request to the radius server. Radius server (freeradius) is on the same server where apache is running.

Sometimes, when the client enters credentials on the external page and clicks the "submit" button, wlc suddenly redirects the client to the internal default auth page.

View 14 Replies View Related

Cisco Switching/Routing :: 3845 - SSH Connection Fails - Server Refused Authentication Protocol

Nov 16, 2011

I have a 3845 router. Set up SSH Version 2, generated rsa keys (1024), set login local, transport input ssh and telnet is enabled since I can't get ssh connection working. When I connect using SSH, I get the following error: server refused authentication protocol.

View 21 Replies View Related

Cisco :: ACS 3.3 / Configure WLAN Authentication On WCS To Prompt Users About Credentials

Aug 28, 2012

I'm trying to configure WLAN authentication on my WCS to prompt users about their credentials. I'm using a Windows 2008 NPS as Radius server but I can also use a Cisco ACS 3.3 if needed. With each setup I tried, the credentials are sent automatically to the Radius server using the Windows user session credentials. How can I force the WCS to ask for a username and password before sending them to the Radius Server?

View 4 Replies View Related

Cisco :: How To Change Web Authentication Certificate On WLAN 2100 Controller

Feb 8, 2011

How to change the web authentication certificate on WLAN 2100 controller. My users are complaining that they need to accept the security certificate before proceeding to the actual authentication?

View 4 Replies View Related

Cisco Wireless :: 1142 Disconnects Every 5 Minutes On Guest WLAN With Re-authentication

Jul 18, 2012

I have a strange situation on my guest wireless LAN. The guest WLAN is configured as an SSID "GUEST" on Cisco 1142 lightweight APs, with WiSM controller and WLC software version 7.0.230.0.
 
For simple Internet access using this SSID, we have a web policy, which causes a web page to be displayed when the user opens his/her browser, and on this web page, the user must click on an "Accept" button in order to accept the terms and conditions of use. Once the user accepts, the browser will then go to the web site which the user wishes to open. When using this mode of access, everything is fine.
 
However, there is also a pre-authentication ACL, which allows certain types of VPN traffic to reach the Internet without the user being required to accept terms and conditions. The ACL allows ESP, IKE (UDP/500), IKE over UDP (UDP/4500), DNS, HTTPS/SSL (TCP/443), DHCP client and server (UDP/67,68). The pre-auth ACL actually works as intended; and the ACL traffic is NOT allowed when the ACL is removed. This is exactly as it should be.
 
However, when using, for example, a VPN client such as the Cisco VPN client, or the Cisco AnyConnect client, via this guest SSID without user acceptance, the WLAN regularly and predictably stops passing traffic. This is 100% repeatable and predictable; it happens every 300 seconds, or possibly slightly longer. I have only used my PC clock to time it so the timing isn't all that accurate but I'm sure it's within a few seconds.
 
Given that the problem happens at the same time interval and is constant, I guessed there must be some configuration item which needs to be altered, but I've looked extensively at the controller GUI (we actually use WCS here) and I can't see anything that looks even remotely related to this.

View 5 Replies View Related

Cisco Wireless :: 2602 Check Box Under Wlan For FlexConnect Local Authentication

Apr 4, 2013

I have several 2602 AP's that I want to operate in FlexConnect mode. The WLC is at a central HQ and the AP's are remote. There are central radius servers at the HQ for the wlans. At the remote location, there is a local radius server we want to use for the primary radius server for these AP's. This radius server has been added to the WLC. I have set up a FlexConnect Group, designated the primary and secondary servers, and then added the AP's to the group. It does not look like radius requests are being sent to the local controller.
 
For this to work, do we have to check the box under the wlan for FlexConnect Local Auth?  Currently, we only have FlexConnect local switching selected.

View 8 Replies View Related

Cisco Wireless :: WAP121 Connected To Network Printer (fails)

Feb 24, 2013

Bought multiple WAP121s which are physically connected via CAT5 to the Ethernet NIC of a printer. Printer is in a warehouse with no Ethernet cabling -- but there is a wifi signal provided by  a Cisco wireless router -- which is why we got the WAPs -- so PCs could get their jobs sent to the printer via Wifi > WAP > printer NIC.
 
Problem is the printers only stay visible for about 15 min or so -- then disappear. Only way to get them visible again is to do a powercycle on the printer (not the WAP121). Then it stays visible for another 15 minutes or so -- then disappears. If a Workstation sends a continuous (-t) ping to the printer IP -- the printer will stay online and get print jobs.... but if activity is idle for 10-15 minutes... it disappears (power-save is off on the printer).
 
Firmware on WAP121 is current. 
 
What setting on the WAP could be enabled to keep the printers alive? Have been trying to operate in bridge mode... What is the "best practice" here for connecting a printer to a WIFI via these WAP121s?

View 1 Replies View Related

Cisco WAN :: C3560 Circuit Fails But FastEthernet0 / 23 Remains In Connected State

Aug 13, 2012

We have 4 switches C3560 running EIGRP. We have PBR in one of them in this way: [code] We have connected a dedicated circuit in FastEthernet0/23.

The question is: what would happen if the circuit fails but FastEthernet0/23 remains in connected state? 192.168.1.6 will be unavailable. Will PBR keep forwarding traffic to IP 192.168.1.6? This implies that this traffic will fail.

View 4 Replies View Related

Cisco Routers :: RV042G Fails To Work With Public Wan IP When Connected To SG300?

Feb 6, 2013

Am using a RV042G with a Fiber Optic connection terminated on WAN1. It was working fine until we received a new IP pool. When we configure with the ip on wan 1 and connect the SG300 the WAN Status shows connected but no internet connection. The wan ip doesn't work. If I replace the RV042G with a Netgear Firewall router, the connection works fine with the WAN IP.
 
The network connection is very simple. What is it that is not letting RV042G work with SG300?

View 4 Replies View Related

Home Network Fails After Uninstalling Norton Internet Security

Nov 12, 2012

My Vista computer and my XP computer had been happily "talking" to each other, sharing files and printers. I got tired of paying $70 a year for Norton Internet Security, so I uninstalled it (using the Norton removal tool) and selected the Windows Firewall. I also installed Avast! and SuperAntiSpyware. Now neither computer talks to the other. When I run "\FamilyRoomHPOfficeJet" I get "Windows cannot access \FamilyRoomHPOfficeJet". Check spelling, etc. Get error code 0x800704b3 "The network path was either typed incorrectly, does not exist or the network provider is not currently available..." What have I messed up by going from the Norton firewall to the Windows one?

[code]....

View 14 Replies View Related

WLAN Connected But No Internet Access

Apr 14, 2011

My wlan says connected but cannot access the internet. LAN does not work either. I suspect there is a virus somewhere but I cannot update any antivirus software to remove the virus.

View 1 Replies View Related

Cisco :: WLC 5508 Disable WLan Client Still Connected

Jul 2, 2011

I have one wlc 5508 running on latest IOS 7.116. There is one wlan abc for which I have disabled status and disabled broadcast, but randomly I can still see from the wlc dashboard that there is one client connected to this wlan abc. The moment I check on the client details, there is no client connected to that wlan and when I return to the dashboard, no more client is connected to that wlan abc.

View 3 Replies View Related

D-Link DIR-655 :: Security Scan Fails With TFTP Server Open / How To Close

Mar 18, 2013

Recently had an external security scan done on my DIR 655 and scan results are stating I have an accessible TFTP Server running. I've been through all the settings, and even upgraded to the latest firmware. Yet security scans are telling me I've got a TFTP Server running. Why would one be showing on the external interface, and how can I stop it?

View 7 Replies View Related

WLAN Connected But Can't Internet Access Through Phone

Jun 23, 2011

I have a bsnl wireless modem but I can't access internet through my phone. Though I have enabled the wlan and set up all the configurations I can't connect using the wireless.

View 1 Replies View Related

Cisco Security :: ASA 5510 - ASDM Fails To Load On Mac OSX 10.7 Running Java Version 1.6.0_33

Jun 24, 2012

I have an ASA 5510 running ASDM 6.4(9) and Cisco Adaptive Security Appliance Software Version 8.4(4)1. I am trying to configure for the first time and I am accessing the ASA via its Management Interface. I am successfully able to connect to the device and get to the Cisco ASDM 6.4(9) page. When I try to run the startup wizard, a couple of prompts display up to the point where the java applet runs and asks me to enter my IP, username and password. As it is a new system, password and username are blank so I enter and I get a message saying "loading software from cache" which later changes to "software Update completed" and then nothing happens. I am running MacOSX 10.7 Lion, Java version 1.6.0_33. I did try and run this on a Windows system and I was able to load the interface.

View 2 Replies View Related

Cisco Wireless :: LAP1041N Cannot Stay Connected To WLAN Controller

Feb 27, 2011

Just bought two new LAP1041N APs to add to a dead spot on our campus. Well when trying to set them up they will not stay connected to the WLAN Controller (model 4402). The new APs boot fine, and will even appear in the controller for brief moments, but after a few seconds they disappear and start showing the discovery status light pattern (green, red, amber). Just wondering if I am doing something wrong with these APs, or what the issue could possibly be. We have 10 other APs that as soon as we connected to network were detected by controller and we configured from there. Most of those are 1010 or 1020s, we have a few 1131s and 1100s.

View 7 Replies View Related

D-Link DIR-600 :: Access Point Via Laptop Connected To WLAN?

Dec 31, 2011

My network isn't the most optimal at the moment. Starting from the router, it's a Thomson TG789vn my roommate has set up in his room. The service is DSL. I've connected my laptop to said WLAN from which I connect my access point turned DIR-600 to the internet and share it to my PC and Xbox 360. It works pretty well most of the time with 28 ping to a ~150 miles far server, yet sometimes I lose connection overall, or partly. For example, the Battlefield 3 beta stays connected to the internet while 3 different browsers are unable to load a single page. It seems like ongoing connections are unaffected while new ones don't work. The problem is usually fixed in a few seconds when I disconnect and reconnect the WLAN on my laptop.

View 1 Replies View Related

D-Link DIR-600 :: Access Point Via Laptop Connected To WLAN

Oct 5, 2011

As the title might suggest, my network isn't the most optimal at the moment. Starting from the router, it's a Thomson TG789vn my roommate has set up in his room. The service is DSL. I've connected my laptop to said WLAN from which I connect my access point turned DIR-600 to the internet and share it to my PC and Xbox 360.

It works pretty well most of the time with 28 ping to a ~150 miles far server, yet sometimes I lose connection overall, or partly. For example, the Battlefield 3 beta stays connected to the internet while 3 different browsers are unable to load a single page. It seems like ongoing connections are unaffected while new ones don't work. The problem is usually fixed in a few seconds when I disconnect and reconnect the WLAN on my laptop. So yeah, it's not pretty but I have to work with what's available. I'm actually surprised it even works this well. How to optimize the whole thing or how to fix the partial lack of connectivity?

View 5 Replies View Related

Cisco :: 4400 / 3500 - WLAN Environment / Security And Design

Sep 18, 2011

My company has chosen to allow our employees to bring in and use their own personal electronic devices such as iPads, iPhones, tablet PC's, etc... We intend to allow them to access our network with these devices. My question is if an employee decides to enable a WiFi hotspot on an iPhone, iPad or other device and then share out that network connection we have provided to them to allow other devices to tether to it, how do we prevent or mitigate this issue with our WLAN environment?
 
Our current environment consists of 4400 series WLC's and 1131, 1231 and 1242 series AP's using version 7.098.218 code. We plan on migrating to 5500 series WLC's and 3500 series AP's but this will not happen overnight.

View 2 Replies View Related

Cisco Wireless :: WLC2112 And AIR-LAP1041 - WLAN Security Configuration

Sep 8, 2012

I am implementing a wireless lan controller for a customer's site. This site uses Cisco WLC2112 and AIR-LAP1041. I configure via start-up wizard and WLAN security configuration. The client joining via WLAN seems to work fine, able to browse Internet. But when adding a shared printer or sharing files, the machine is unable to find the computer name. When test pinging, it replies when pinging by IP only. This does not happen when using a LAN wire.

View 3 Replies View Related

Cisco :: Ap 1130 Clients Connected To Wlan Controller Don't Obtain Ip From Dhcp

Dec 15, 2011

I am struggling with the following issue. I have 6 1130 Accesspoints in lightweight mode connected to a 2106 wlan controller which runs software version 7.0.98.0. Everything seems to work fine. Clients can connect to the wifi network. However, they don't get an ip address from the dhcp server which is on the same subnet as the wlan controller. See attached screenshots for configuration. I have also tried the internal dhcp server of the wlan controller, but the same problem remains.
 
The log says: Dropping primary discovery request from AP e8:b7:4x:xx:xx:xx - maximum APs joined 6/6. There are 6 APs connected.

View 4 Replies View Related

Cisco Switching/Routing :: 881W - List Connected Wlan Clients?

Mar 4, 2012

Cisco 881W WLAN module running in autonomous mode. How do I list connected wireless clients?

View 1 Replies View Related

Cisco Security :: OOB NAC And 5508 WLC Don't Get Any Authentication

Nov 22, 2010

I have a 5508 wlc trunked to a 6500 switch. Also trunked to the switch on both eth0 and eth1 is the CAS. The CAM is connected with an access port.

The CAS and CAM are on separate VLANs and the CAS was added to the CAM without issue. I followed the example document for OOB WLAN (VLANs and mapping etc) but I don't get any authentication going on. The client associates and the WLAN interface is the quarantine VLAN. However it seems the client can connect to the network without issue (can web browse to a server internally to the campus).
 
The client is shown in the wireless clients on the device page of the CAM. If I close down either of the CAS interfaces the client connectivity is broken.
 
Just once, randomly the Clean Access Login Page appeared on the client (battery had died and waited about an hour) but when I rebooted the CAS to check it was consistent it never came back.

View 6 Replies View Related

Cisco :: WLC 5508 How To Enhance Client Security Authentication

Dec 20, 2012

Security during client authentication is enhanced by applying both 802.1X and Web Authentication for a WLAN." 

View 7 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved