Cisco :: WLC 2500 And AP 1041 - To Use HTTP For Web Authentication
Jun 4, 2013
We are using a WLC 2500 and AP 1041 with web authentication. Because we do not have a trusted/public certificate, we want to get rid of the certificate warning during user login. Is it possible to change the web authentication method from HTTPS to HTTP?
Mar 14, 2013
My client wants to test their new product with wireless authentication 802.1x EAP TTLS. They have a CISCO WLC 2504. Does the CISCO WLC 2500 support EAP TTLS, and if yes, how do I configure it? So far I have added the Radius TTLS server into my WLC. Under Radius on the WLC I added the radius server IP and key and created a new SSID 802.1x WPA+WPA2 (WPA policy2 and WPA encryption AES); after that, under SSID AAA servers, I selected the same server IP from the drop-down. But the user tried and it didn’t work; also we didn’t see any hit on the radius server. Yes, the policy has been added on radius. My client wants to use TTLS instead of TLS because in TLS you have to use a client certificate on the client side, but on TTLS you can use a certificate on the client side but it is optional. So they want to stick with TTLS. But I am not seeing any documentation on TTLS with cisco WLC. My android phone galaxy II has a TTLS option under EAP 802.1x, so android devices support TTLS.
Dec 7, 2012
I have a Cisco 2500 series wireless controller. I want to know how many web authentication users I can create in the 2500 series controller with a timeout option for each user.
I know it will support web authentication for internet access for the users, but I need to know how many it will accept at a time with an hours specification.
Jun 2, 2013
I have a problem with machine authentication. Our customer is using a Wireless Controller 2500 Series and needs to implement machine authentication on an IAS server. So, as I understand, our controller may not change anything in its configuration, but we may configure IAS to support machine authentication, correct? But my question is how to, and does it work?
Mar 14, 2013
My client wants to test their new product with wireless authentication 802.1x EAP TTLS. They have a CISCO WLC 2504. Does the CISCO WLC 2500 support EAP TTLS, and if yes, how do I configure it? So far I have added the Radius TTLS server into my WLC. Under Radius on the WLC I added the radius server IP and key and created a new SSID 802.1x WPA+WPA2 (WPA policy2 and WPA encryption AES); after that, under SSID AAA servers, I selected the same server IP from the drop-down. But the user tried and it didn’t work; also we didn’t see any hit on the radius server. Yes, the policy has been added on radius. My client wants to use TTLS instead of TLS because in TLS you have to use a client certificate on the client side, but on TTLS you can use a certificate on the client side but it is optional. So they want to stick with TTLS. But I am not seeing any documentation on TTLS with cisco WLC.
Mar 13, 2012
The users belong to Multiple AD domains. If we purchase WLC 2500 controller. Can I have one more WLANs authenticate to multiple radius or ad domains? I thought one WLAN/ ssid authenticate to single radius server.
Mar 14, 2013
My client wants to test their new product with wireless authentication 802.1x EAP TTLS. They have a CISCO WLC 2504. Will the CISCO WLC 2500 support EAP TTLS, and if yes, how do I configure it?
So far I have added the Radius TTLS server into my WLC. Under Radius on the WLC I added the radius server IP and key and created a new SSID 802.1x WPA+WPA2 (WPA policy2 and WPA encryption AES); after that, under SSID AAA servers, I selected the same server IP from the drop-down. But the user tried and it didn’t work; also we didn’t see any hit on the radius server. Yes, the policy has been added on radius.
My client wants to use TTLS instead of TLS because in TLS you have to use a client certificate on the client side, but on TTLS you can use a certificate on the client side but it is optional. So they want to stick with TTLS. But I am not seeing any documentation on TTLS with cisco WLC. My android phone galaxy II has a TTLS option under EAP 802.1x, so android devices support TTLS.
Mar 26, 2011
I have followed the URL below to disable the https over web authentication:
[URL]
What I want to achieve is to disable https over web authentication due to a certificate issue, but it seems that even though we have disabled the http over web management as the above URL describes, it still uses https while doing web authentication. Or is it possible to configure a port other than 80, like 8080, for web authentication? (Need to reboot the WLC?) Is there any bug related to this, CSCsy32145?
WLC Software Version 6.0.196.0
Jul 2, 2012
We have an ASA 5520 as SSL VPN concentrator so users can access the internal web from outside. Our internal web also has several internet URLs. What we want is that when a user clicks an internet URL in our internal web, the ASA forwards those requests to the internal proxy server. I already configured the proxy using port 8080 and username "companyuser" and password, but always get authentication failed on the SSL VPN browser. We use Forefront TMG as proxy. The username and password have the right to access the Internet.
Dec 29, 2011
I have a customer who used to own a 3750 with an older version of IOS. The switch he had used a three-year-old version of IOS which allowed him to browse to the switch IP and manage it via HTTP without entering a password at all. Now he has a replacement switch with a new version of IOS (since the previous switch died). We slapped the config on from the old switch, but no matter what we do (understanding that new http aaa authentication commands were added) we can't get this thing to let him in without prompting him for a password. I understand this was an insecure config to begin with so I shouldn't be advocating using it in the first place, but this is what the customer wants. Basically what I'm trying to figure out is: are we banging our heads into the wall for nothing, as the "ip http server" will not allow an authentication method of "none" anyway? None of the official documentation I have read for the http aaa authentication commands shows this as an example, nor have I found any blog posts on how to do it either. Perhaps Cisco removed this by design.
Here is the config:
aaa new model
aaa authentication login default local
aaa authentication enable default none
aaa authentication login none none
ip http server
ip http authentication aaa login-authentication none
[code]....
Mar 19, 2012
I am trying to get AAA authentication for HTTP to use radius, and seem to be having problems with setting the privilege level. It works fine with SSH login, but doesn't work with web management. The model is a WS-CBS3130X-S-F running 12.2(58)SE1 with http version 1.001.002...
Config is as follows:
aaa new-model
aaa authentication login VTYSandHTTP group radius local
aaa authorization exec VTYSandHTTP group radius local
ip http server
ip http authentication aaa login-authentication VTYSandHTTP
[code]...
This is what I get when I try to log on to HTTP
HTTP AAA Login-Authentication List name: VTYSandHTTP
HTTP AAA Login-Authentication List name: VTYSandHTTP
HTTP: Authentication failed for level 15
May 13, 2013
I have a strange problem in my ASA 5510 firewall. I turned on an HTTP inspect policy to block certain URLs, but that destroyed svn communication. Interestingly, if I use a simple web browser to access the svn server, it works, but any svn-client requests fail with an error "Could not read status line: An existing connection was forcibly closed by the remote host". I did some packet sniffing, and discovered that with HTTP inspect off the WebDAV request is answered, but with HTTP inspect on it is rejected with an error unauthorized. Here are examples of success and failed conversation packets:
Success:
1. <Client-IP> <Server-IP> WEBDAV WEBDAV:Request, PROPFIND /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
2. <Client-IP> <Server-IP> WEBDAV WEBDAV:HTTP Payload, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
3. <Server-IP> <Client-IP> TCP TCP:Flags=...A...., SrcPort=HTTP(80), DstPort=58882, PayloadLen=0, Seq=4139355337, Ack=3464798063, Win=258 (scale factor 0x8) = 66048 {TCP:2, IPv4:1}
4. <Server-IP> <Client-IP> WEBDAV WEBDAV:Response, HTTP/1.1, Status: UNHANDLED HTTP Status Code, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
Failure:
1. <Client-IP> <Server-IP> WEBDAV WEBDAV:Request, PROPFIND /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
2. <Client-IP> <Server-IP> WEBDAV WEBDAV:HTTP Payload, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
3. <Server-IP> <Client-IP> TCP TCP:Flags=...A.R.., SrcPort=HTTP(80), DstPort=1137, PayloadLen=0, Seq=1075661931, Ack=4049054406, Win=64240 (scale factor 0x0) = 64240 {TCP:2, IPv4:1}
4. <Client-IP> <Server-IP> TCP TCP:Flags=......S., SrcPort=1138, DstPort=HTTP(80), PayloadLen=0, Seq=1032908784, Ack=0, Win=64240 ( ) = 64240 {TCP:4, IPv4:1}
5. <Server-IP> <Client-IP> TCP TCP:Flags=...A..S., SrcPort=HTTP(80), DstPort=1138, PayloadLen=0, Seq=4184445498, Ack=1032908785, Win=8192 ( Scale factor not supported ) = 8192 {TCP:4, IPv4:1}
6. <Client-IP> <Server-IP> TCP TCP:Flags=...A...., SrcPort=1138, DstPort=HTTP(80), PayloadLen=0, Seq=1032908785, Ack=4184445499, Win=64240 (scale factor 0x0) = 64240 {TCP:4, IPv4:1}
Packet #4 is the actual differentiator.
I found one mention of that error with this assessment: "Older firewall/proxies do not understand the WebDAV related HTTP requests for accessing Subversion using HTTP" { URL} in that post, but not any useful tips.
Aug 18, 2011
Find here the extract of the configuration and the debug sysout. The radius servers work fine with all the other accesses like ssh, telnet...
Just the http access fails. This configuration worked fine with the version 12.2.55 installed before.
Aaa new-model
aaa authentication login default group radius local
aaa authentication login physique local
[Code].....
Aug 26, 2010
My switches are able to successfully authenticate user access against ACS 5.1 via SSH with TACACS+, but I am not able to authenticate via HTTPS with TACACS+. I don't even get a log in ACS when attempting to authenticate via HTTPS.
Here is my AAA config, followed by a debug:
aaa new-model
aaa authentication login ACCESS group tacacs+ local
aaa authorization console
aaa authorization config-commands
aaa authorization exec ACCESS group tacacs+
aaa authorization commands 1 Priv1 group tacacs+ none
[Code]......
Oct 13, 2011
I am trying to configure tacacs authentication for http in a Cisco 2960 with IOS 15.0.1.SE. [code] But the device is not authenticating. It asks for the credentials (user and pass) but does not authenticate.
May 9, 2012
I am testing out some inspection options on an ASA 5505, and I am running into a situation in which applying a http inspection is dropping all outbound http traffic. I get a "protocol violation" error in the logs.
Here is the setup: I'm not sure why the web traffic is getting dropped.
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
[Code].....
Nov 16, 2012
I have a Cisco Aironet 1041. What is a good repeater/wireless extender that works with it to cover an area of 50 square meters?
May 21, 2013
I have two access points that I recently purchased from ebay. I updated them both to c1140-k9w7-mx.152-2.JB and I have been unsuccessful at getting either of them to connect at faster than 39MBps. After scouring google for answers I found several with the issue of not using the correct WPA2/AES configuration and that was me. However after changing the configuration, I am still unable to connect to either of the APs at faster than the 39Mbps. [code]
Oct 30, 2012
I have 2 SSIDs mapped to 2 VLANs (other VLANs are configured, but not used) Security is set to WPA2
What do I need to change to get higher connection speed? What is the highest for this model? Why won't it let me select 40Mhz channel width? Telnet says on 20Mhz available (GUI says it is in "Least congested" mode even though it is not)
Sep 11, 2012
I am trying to set up a Cisco Aironet 1041 on my network for WiFi authentication and access. I do not have a Radius server and was wondering if it is possible to configure the 1041 to authenticate with just WPA or WPA2 and a PSK without any of the other configurations? This setup is only going to be temporary until I can get the appropriate infrastructure in place to facilitate the Radius server setup I really want in 12 to 18 months from now.
Dec 27, 2011
configure WPA2 on a 1041 access point? I am trying to get it configured through the GUI and part way through I keep getting locked out of the AP due to WPA2 being partially configured..
Sep 18, 2012
There is a WLAN with Nortel APs with a captive portal. We are migrating to a Cisco solution and we have AP 1041 / 1042.
How can I configure a captive portal in the 1041/1042 APs?
Dec 6, 2012
I set up one AP-1041 that runs standalone IOS. No controller. I have three more that I want to copy the setup configuration over to. I have the right document, but which commands will get my set configuration from AP one FTP'd to my computer and how to copy that configuration back to another AP of the same model. This way I will only need to tweak a couple settings on the additional AP's instead of starting from scratch.
Apr 3, 2012
I have a wireless network using the cisco ap 1041 converted into the anonymous. However, it seems like every morning or evening I have to attach it back to the SSID all over again. It will not give me an IP address. I also have to put the encryption key in again. I am using WEP 40 bit.
Apr 20, 2012
Is it possible to convert a 1041 in Autonomous AP mode to Lightweight? On the CCO page there is no upgrade tool under the 1040 series AP, and also I didn't find any document with the procedure.
Oct 5, 2011
I have done a wireless site survey at a library and one AP541N will cover everything pretty well. They do have one spot where the radio strength is not quite as strong, but you would never buy a second access point for just that one area. I did the site survey using a 541N access point.
Here is my question. I see that the Aironet 1041 is very similar in price and according to the documentation has a stronger power rating and higher antenna gain. Why would I not buy an Aironet 1041?
We are just mounting to a wall and are planning on using the pwrin4 to provide POE for whichever we buy.
May 3, 2012
We are experiencing problems with Apple iPads on a large scale network that we install and maintain. The iPads seem to join the network with no problems (a bit slower than laptops etc.) but will then disconnect for no apparent reason at random intervals. We have run laptops on the same APs and in the same area and no similar problems occurred. We are using IOS Cisco 1041s and 1042s. We have seen one of the iPads sitting quite happily on a 1042 2.4 GHz radio and then it disconnected and went to the 5 GHz radio. We are getting similar disconnects on the single radio 1041.
Mar 4, 2012
We have recently converted 1 Cisco Lightweight AP 1041 to Autonomous mode for site-survey purposes. We now want to convert it back to lightweight mode.
Feb 16, 2012
I'm having a little trouble with a router I have got my hands on to practice for my CCNA. I'm connected via a serial>USB adapter and via XP HT on Win7. The router boots and I then break the boot sequence with ctrl-break. But then it does not go into ROMMON mode. It simply says this:
-System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE
-Copyright (c) 1986-1995 by cisco Systems
-2500 processor with 2048 Kbytes of main memory
How do I get it into ROMMON to reset the password on it?
Nov 20, 2011
I am having trouble adding a new controller (2500) to the WCS.
-My WCS version 6.0.196.0
-My WLC version 7.0.116.0
If I upgrade my WCS, may I add the new controller? Even if in the Cisco data sheet there isn't any mention regarding this WLC (basically it says that the WCS does not support this WLC)
Monitoring and migration of selected Cisco Aironet standalone (autonomous) access points. Monitoring of the standalone access points of Cisco 800, 1800, 2800, and 3800 Series Integrated Services Routers.
Jan 3, 2012
I have a scenario where we have
Cisco 1300 Outdoor APs
Cisco 3600 Indoor APs
WLC 2500
Now I need to integrate the WLC with Windows 2008 AD for authentication. The idea is to let the users authenticate via AD for accessing the wireless network.
Will the integration work with NPS?
Feb 15, 2012
I'm configuring a 2500 series WLC to test some wireless configuration changes we'd like to make on our 5500's that are currently in production.
The 2500 and the 5800's interfaces are configured as a LAG.
One of the primary goals of these configuration changes is to move the LAPs from their current VLAN (the same subnet as our primary WLAN) to two separate VLANs. We're choosing to move the LAPs to 2 APs based on the WLC best practices document's suggestion to limit the number of LAPs per VLAN to 60-100. We've had several issues in the past with LAPs failing to join with their static IPs, releasing them and then joining with DHCP addresses.
LAP's will be on separate vlans using subnets 10.10.10.0/25 and 10.10.10.128/25. WLC management interface is in the 10.10.1.0/25 subnet.
Should we continue using static IPs for the LAPs or DHCP?
What subnet should the AP management interface be on?
Is it possible to have multiple AP management interfaces with LAG?
Feb 4, 2013
I’m going through a dot1x implementation using Cisco WLC 2500 series and ACS 4.2 but I have problems with joining the SSID. I revised the configuration many times as attached but don’t know what is wrong.
log 2013.02.05 17:34:02=
(Cisco Controller) >
(Cisco Controller) >debug dot1x all enable
(Cisco Controller) >*apfMsConnTask_2: Feb 05 07:27:19.865: 00:26:c7:3b:dc:d8 apfMsAssoStateInc
*dot1xMsgTask: Feb 05 07:27:19.867: 00:26:c7:3b:dc:d8 Station 00:26:c7:3b:dc:d8 setting dot1x reauth timeout = 0
*dot1xMsgTask: Feb 05 07:27:19.867: 00:26:c7:3b:dc:d8 Stopping reauth timeout for 00:26:c7:3b:dc:d8
[code]...