I follow step by step the link bellow to configure web-auth with external RADIUS server but I receive a error on console debug of the WLC "Returning AAA Error No Server (-7) for mobile"My Radius Server is fine, because I can authenticate on WLC Web page with RADIUS user. WLC 4402 version 4.1.171.0 [URL]
View 2 Replies
Find here the extraction of the configuration and the debug sysout. The radius servers works fine with all the other accesss like ssh, telnet...
Just the http access fail. This configuration work fine with the version 12.2.55 installed before.
Aaa new-model
aaa authentication login default group radius local
aaa authentication login physique local
[Code].....
We have a 1231 AP and a Freeradius Server.Now we are using MAc authentication.The thing is that the AP sends two parameters to the RADIUS:
User-Name = "000ff855df2e"
User-Password = "000ff855df2e"
both are the MAC of the wireless client.I want that the AP send:
User-Name = "00-0f-f8-55-df-2e"
User-Password = "mykey"
Note that the MAC is dash separated and the password is forced to the key that I want.
I would like to configure the below setup:
End user client (Cisco Any connect/VPN client) -> ASA 5500 (AAA client) -> ACS server -> External RADIUS database.
Here ACS server would send the authentication requests to External RADIUS server.So, i have added the external user database (RADIUS token server) in ACS under External databases.I have added AAA client in Network configuration (selected authenticate using RADIUS(VPN 3000/ASA/PIX 7.0) from the drop down.
Here how do i make ASA recognize that it has to send the request to ACS server. Normally when you use ACS as RADIUS server you can add an AAA server in ASA and test it.But here we are using an external RADIUS server which has been configured in ACS, so how do i make ASA to send the requests to ACS server?
I have a 4402 (version 7.0.235) working with 10 units of 1121 APs connected to it. The WLC is not configured to work in LAG mode. Physical portt #1 is connected to the Main Switch (trunk). I have 3 WLAN mapped to 3 Different VLAN and Everything (security and internal, external DHCP) is working swell...Now- I have connected Physical port #2 directly to an ADSL Router (giga port), Configured Port 2 as untaggedwith the proper IP details.I have configured this interface to receive DHCP from the ADSL Router and for some reason, Clients are not getting addresses.When I assign a Static address to my laptop I get internet access and all is nice. I tried configuring The WLC internal DHCP server (instead of the ADSL router) and that didn't work. It seems like a DHCP problem but I dont understand the source of the problem of think of the solution.When turning off the proxy settings I noticed that it worked. Is there anything to do with that? The problem was that after a while the other WLANs starting causing DHCP issues as well.
View 7 Replies View RelatedI am biulding a wireless network with 5508 WLC and trying to use ISE as radius server and also to redirect the web-login to it.I was trying to understand that to achieve the external web-login, do i need to use the raduius-nac option under advanced on the guest wireless where i am trying this out. and if not, where do i actually use it?So far what i have understood that i do need to have preauth ACL on the Layer 3 security, but the issue is there is no hit reaching the ISE.
View 9 Replies View Relatedwhich is the best RADIUS server for 802.1x wired authentication?
View 1 Replies View RelatedCan the 2504 WLC be configured to work with one RADIUS Server for Authentication of Management Users and with a second server for 802.1x EAP-TLS certificate authentication for the end users.
Management Users will authenticate on RADIUS Server 1.Wireless End users will request 802.1x EAP-TLS authentication certificate from AAA server 2.
Below is he output from debug radius authentication from my AP.
I can see request is forwarding from AP to radius but Radius is not sending any response.Not sure why its not responding.
I also did not under stand few out outputs also
no sg in radius-timers and
RADIUS/DECODE: parse response no app start; FAIL
what does it mean.
I restarted radius server , changed secret key but no luck.
019639: May 1 16:15:08.727: RADIUS: User-Name [1] 32 "host/3KYGRH1.idcap.intdata.com"
019640: May 1 16:15:08.727: RADIUS: Framed-MTU [12] 6 1400
019641: May 1 16:15:08.727: RADIUS: Called-Station-Id [30] 16 "0012.01d6.f691"
[Code]...
I'm able to setup my 3750e switch to login through a radius server with my company user id and password but would like to be able to set it up that when I log in it drops me on the enable prompt. Right now I have to type >en.Then the enable password.
View 1 Replies View Relatedi am trying to connect clients to my AP1231 which is running C1200 Software (C1200-K9W7-M), Version 12.3(8)JED. Client authentication is against RADIUS server. [code]
View 3 Replies View RelatedIn the WLC there are two groups (say A and B). How would I take group B and point it to a RADIUS server for authentication? The server is ping reachable. I have searched but did not see any definitive answer.
View 3 Replies View RelatedWe have a business case where we have a group of ASA 5505's in 3 locations with anyconnect user licensing on all 3 for redundancy.The problem we are facing is that when we need to authenticate our anyconnect clients we use active directory servers located at site 1 and the other 2 sites need to contact these MS AD Servers over an already connected VPN tunnel to site 1 (IPSec l2l) but cannot.So the layout is as follows:Site 1 (houses AD servers) has l2l tunnels to site 2 and 3Site 2 (any connect essentials enabled) has l2l tunnel to site 1 and 3Site 3 (any connect essentials enabled) has l2l tunnel to site 2 and 3AD servers are ip'd as 10.1.1.11 and 10.1.1.4If I use anyconnect to site 1 it authenticates fine - as expected.Site 2 and site 3 fails to contact AD serverAny thoughts on how we can accomplish this(or is it even possible to do?) without exposing the AD server in a DMZ or via external ip?
View 1 Replies View RelatedWe have multiple RA VPN groups on a 3845 router.RADIUS authentication is currently happening between the 3845 and a single Windows 2008 server. We have a specific windows group that AD users are members of, and they are allowed to connect via VPN.
I'm creating a new RA VPN Group, which should only allow different AD users. Is it possible to create another RADIUS association to the same server, or do I need to authenticate against a different Windows server?
I'm planning to create a network of wifi access points all in different locations. Those locations all have different wifi routers and networks. I'm looking for a easy solution that let easily setup those networks to ask authentication credentials (in a browser page, once a user is inside the wifi and wants access the internet) by an external server possibly without overloading too much that server.
View 1 Replies View RelatedWe have two Cisco 2960 TT-L switches. I'd like to reduce single points of failure and have dual servers for most tasks. For example, two firewall servers and two web servers. Should one server fail the other will act as a failover.I'd like to extend the redundancy to the switches, and am thinking of connecting one web server to one switch, and one to the other. In the event a switch failed a set of servers would still run, and be able to talk to each other.I'd like to run two VLANs, one for the LAN, and one of the WAN, and connect the two VLANs on each of the switches with the associated VLAN on the other switch.
View 3 Replies View RelatedRecently we've been receiving the following log entries on our WLC 4402. Unfortunately Cisco's documentation is less than useful as to what this message means or what could be causing it. [code]
View 9 Replies View RelatedI have several controllers, including a 4402 running 6.0.188.0 software and I need to modify the Radius servers that it uses. Currently I have three servers listed;
1 - 10.246.194.16
2 - 10.200.31.78
3 - 10.247.50.56
I would like to delete server 1 which is being retired and replace it with a new server 1. I suspect, once i get servwe 1 deleted, the server 1 option would become available when I create a new server. I went into the controller and disabled server one, but every time I try and delete it, I get the "Server in use either on a specific WLAN or Mesh Radius Server Configuration" error. I can't find anywhere this server is still in service and being used, either by a WLAN or a Mesh. I've tried several different variances to modify this. What I hope to avoid is the need to reset the controller. I have a total of seven controllers that I need to make this modification to, and It will be ugly if I have to reboot these units. Hospital mission critical stuff.
I have a Cisco 4402-25 WLC with the below information that is having an interesting issue. When you log into the GUI interface with the local account and click on WIRELESS, then choose a accesspoint it brings up a menu where you have three buttons below for the following options (Hardware Reset - Reset AP Now), (Set to Factory Defaults - Clear All Config), and (Set to Factory Defaults - Clear Config Except Static IP). The problem I am having is we access all of our WLC's using Radius and when you enter your AD username and password and go to bounce a access point the GUI interface is missing the buttons, they however appear fine when logged in with the local account.
System Information
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.220.0
RTOS Version..................................... 7.0.220.0
Bootloader Version............................... 4.0.206.0
Emergency Image Version.......................... 5.2.157.0
I migrate 1310 APs from Autonomous to Lightweight. Migration is OK with Cisco Upgrade Tool, and AP are registered on my 2504 WLC.
Previously, a 802.1x network was broadcasted by autonomous APs, supplicants were identified on a freeradius server with MSCHAPv2/PEAP method.
But on the WLC, supplicants can't auth on Radius server.I configured a WLAN with WPA/TKIP/802.1x with my radius server in AAA tab.When clients try to authenticate, I get these messages where xxx is login:
-AAA Authentication Failure for UserName:821 User Type: WLAN USER
-AAA Authentication Failure for UserName:200 User Type: WLAN USER
-AAA Authentication Failure for UserName:209 User Type: WLAN USER
Security info on client page is:
Security Policy CompletedNo ###Policy TypeWPA###Encryption CipherTKIP-MIC###EAP TypePEAPSNMP NAC State Access ###Radius NAC State8021X_REQD .
What is strange, there are some clients which are OK in RUN State, and 50 other % which are not.
we are using Cisco Aironet 1130 AG and a Cisco 4402 WLC in our network. The certificate service is installed on a Windows 2008 R2 server. We use a standalone Root CA with a Enterprise Sub CA hierarchy. Issueing certificates to clients works fine. The vendor and ca certificates are installed on the WLC and the user have his user certificate. During implementation we used following document: url... Instead of Anonymous Bind, we use a service user to read in AD (works fine, too).
We use the Intel/PRO wireless utility on our Testclient and configured it for EAP-FAST and TLS. We can select the installed certificate in the utility, but when we try to connect, the utility throw the message: "Authentication failed due to an invalid certificate".We´ve logged the WLC and thats a part of the logfile (i´ve greyed out all enterprise data): [code]
wht would be change on configuration of remote access VPN on asa 5540.
4|Mar 16 2011|15:26:01|713903|||Group = tesTGroup, Username = GSDc2gsIdc, IP = 5.1.9.9, Error: Unable to remove PeerTblEntry3|Mar 16 2011|15:26:01|713902|||Group = tesTGroup, Username = GSDc2gsIdc, IP = 5.1.9.9,
[Code].....
I am looking to port legacy ACS 4.2 "proxy distribution tables" to ISE 1.1.1 and I am currently a little at a loss where to start. I know I have to add the External RADIUS Server, Configure a RADIUS Server Sequence that will skip local authentications then send to the External RADIUS server. How do I match this authentication and how do I match it to an authorization rule? Is this the Network Access:Use Case equals proxy?
View 5 Replies View RelatedError: AAA Authentication Failure for UserName:radiususername User Type: WLAN USER
I am using a window radius server. I have added my WLC 4402 as a radius client on my radius server.
I followed the instructions on the MS link : [URL]
I want to use my windows raduis authentication for WLC management login and Web-Auth for guest WLAN user login.
We are attempting to use LDAP for web authentication on a WLC 4402.
[URL]
You are able to connect to the SSID and it reidrects you to the login page as it should. When you enter your username and password you get a message that "the username and password combination you have entered is invalid." Based on the following log it looks like the LDAP bind is the issue.
*LDAP DB Task 1: Dec 19 11:19:26.584: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
We are able to test the following configuration with ldp.exe successfully,
Server: ***.***.***.***
Port Number: 389
Bind Username: CiscoBYOT
[Code].....
I have a guest network and lately I have been experiencing troubles with some users.The symptom, as I create a username and password and type'em in a laptop the authentication fields in the web authentication page don't keep the data as if I didn't type anything
WLC 4402-50
Version 7.0.98.210
I am using wireless system with certificate athentication ( CA Server ) and RADIUS server.
I want to know if certificate is not installed and configured in wireless client laptop.
Do client get athenticate in wireless system and get access of wireless network ?
Also want to know any configuration required in WLC CISCO 4402 for authentication with CA server of client laptop.
I've got a pair of Cisco ACS 4.2 servers running on our corporate LAN. Currently they are doing TACACS+ for the network gear, and wireless authentications for internal users.
We have contracted with an external web site for an application - They can run RADIUS from their site to our LAN for the user authentications. How can I best do this?
1. NAT the traffic on my ASA firewalls to the internal servers, send the RADIUS traffic to/from the external site?
2. Is this secure?
3. Should I have a RADIUS server in the DMZ instead?
4. Any issues with doing this on ACS 4.2?
I am enabling our wireless controllers to use 802.1x authentication for our wireless clients. Both computer and user are provided with certificate from CA server.I have 9 APs and 2 controllers installed in my infrastucture, one of the controllers is working fine with setting specified above but the other one is not.Both has same configuration and both seems identical with same model and IOS.
View 3 Replies View RelatedWe added AAA client in the Cisco ACS 5.0 for WLC 4402 (TACACS+ Authentication) and configured WLC 4402 to use TACACS+ authentication for the management access. We can't get this work for some reasons.
Other Cisco routers and switches all worked fine with TACACS+ authentication. This is a TACACS debug output from the WLC;
Sun Aug 23 16:19:06 2009: tplus response: type=1 seq_no=2 session_id=f59bbf0b length=15 encrypted=0
Sun Aug 23 16:19:06 2009: TPLUS_AUTHEN_STATUS_GETPASS
[Code].....
I am running ASA version 8.4(1), and anyconnect version 3.0.1047. My SSL VPN works fine, but i run into an issue with one user . his account did not work , and everytime users logged in it got this message "VPN Server could not parse request".
I found the problem after getting a user information meaning his username and password. His password had "&" as one of the special characters. when we change it to something that does not have that , it works just fine.
We are using microsoft NPS server as radius. but when i run a test within CLI it works just fine, only when anyconnect asks to authenticate it fails.
I have a c2969-48PST-L switch running IOS Version 12.2(55) SE. The switch is configured for 802.1x authentication. The radius server is a Cisco ACS 5.2. We are using PEAP and allowing EAP-TLS and EAP-MS-CHAPv2. Windows 7 PCs (HP Elitebooks) are using the "windows" supplicant and configured to 802.1x authentication is enabled using Microsoft Protected EAP (PEAP), we are not validating any certificates and the authentication method is Secured password (EAP-MSCHAP v2). What is occurring every so often is that the PC will fail authentication (intermittently) and the ACS shows the reason as being 5411 EAP session timeout. This is a pretty generic message according to TAC. The interesting part to me is the Authentication Method showing on the ACS when the authentication fails is simply PEAP. However, when it does not fail the Authenication Method is shown as PEAP (EAP-MSCHAPv2). We have the Cisco TAC looking at the ACS and they are saying the issue is the client not reponding to the request correctly from the switch.if the version of IOS softare on the switch maynot be handling the communication to the ACS correctly. I have wireshark traces of a successful authenication and unsuccessful one. There does seem to be any difference from the client side at all.
View 1 Replies View RelatedI am getting the below error on my new switch though I can’t find out A. why I am getting the error and obviously B. how to resolve said error as I need to ensure I am operating under the letter of the law and compliance. The switch is a WS-C3750X-48T-S running C3750E-IPBASEK9-M, per my research IP base is the correct IOS for a T-S switch, the label on the outside of the switch matches the show ver (WS-C3750X-48T-S) so I know that IPBase is the right IOS for the hardware. Could it be that I don’t have the license file installed? Below is what I get when I do a show license. Lastly is there a place that I can find what IOS ships default with what switches, not version but type like c3750e-ipbasek9-mz.150-1.SE vs c3750e-ipbase-mz.150-1.SE
Error“%ILET-1-AUTHENTICATION_FAIL: This Switch may not have been manufactured by Cisco or with Cisco's authorization. This product may contain software that was copied in violation of Cisco's license terms. If your use of this product is the cause of a support issue, Cisco may deny operation of the product, support under your warranty or under a Cisco technical support program such as Smartnet. Please contact Cisco's Technical Assistance Center for more information.”
[code].....
