Cisco :: WLC 4402 Not Implementing PEAP?
Jul 24, 2011
I was able to successfully implement MS-PEAP authentication with 5508 WLAN controllers and Cisco ACS v4.2. However, when I integrated 4402 WLC with version code 7.0.116, it did not pass across any authentication requests. Did a debug aaa events enable and there was no output. Configured another SSSID with PSK to test that my controller was OK and aaa debug was working, and there were CLI messages when I associated an AP.
why the 4402 is not working as I have compared configs with the 5508 and there is no difference. The shared secret is configured on both ACS and Controller and CA is downloaded on the ACS.
View 5 Replies
ADVERTISEMENT
Jun 5, 2012
The desktop team has asked me to set up multicast in our network with building PC's as they will be deploying a few hundred of them starting in two weeks. We currently do not have multicast set up, and the only experience I have with it was during my certification studies, so I have a lot to catch up on quick. They will be sending the build traffic from a single server. The network environment is simple: a 3750 stack as the router/distribution layer and mainly 3550's as access. The PC's that they will be imaging will be on one VLAN that is already designated for PXE builds. This VLAN is across multiple switches. Is it possible to just enable the multicast features on a single VLAN? I have been reading around but not finding much other that very in-depth Cisco papers.
View 5 Replies
View Related
Apr 12, 2012
I see many errors in the ACS 5.1(or 5.3) :5411 EAP session timed out..Becasue I checked the "remember my username and password everytime login" in the wireless network properties, and I can succeed to login finally. but in the ACS will see many errors like ”5411 EAP session timed out“
(Cisco Controller) >debug client 58:1f:aa:8f:ea:44
Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Sending EAP-Request/Identity to mobile 58:1f:aa:8f:ea:44 (EAP Id 1)
Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Received EAPOL EAPPKT from mobile 58:1f:aa:8f:ea:44
Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Received Identity Response (count=1) from mobile 58:1f:aa:8f:ea:44
Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 EAP State update from Connecting to Authenticating for mobile 58:1f:aa:8f:ea:44
Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 dot1x - moving mobile 58:1f:aa:8f:ea:44 into Authenticating state
[code]....
View 2 Replies
View Related
Mar 15, 2012
We have backup and other traffic over our vpn which is affecting our ip phone service between two sites. Our consultant suggested implementing QOS over the VPN to give the phone traffic priority. Is this possible with the rvs4000. Is there any good source saying how to do it. Is the setup of the QOS on this router similar to another router where this has been discussed.
View 1 Replies
View Related
May 22, 2012
I have a problem implementing a NAR for a specific device group. I am running Cisco ACS 4.2 and it works fine for all the other stuff I do but this issue is perplexing me a bit.
I have a device group with Juniper devices in it and I authenticate using RADIUS (Juniper) as the radius setting. I have a Administration user group set up.
I placed a NAR into the group "Per Group Defined Network Access Restrictions" specific to the device group with * for port and address
I placed this group into both the Define IP-Based as well as the Define CLI/DNIS-based section.
No matter what I do I keep getting authenticated.
When I go to the passed authentications page I see my login and the group-name is identified correctly and the network device group is identified correctly too. The filter says "no filters activated". So how can I get this NAR to kick in? I would like to restrict one device group from a ACS user group.
View 12 Replies
View Related
Nov 12, 2012
I was pondering on getting a certificate fro ma public CA to maintain easier configuration for end users. There will be a multitude of devices on this wireless network configured with 802.1x PEAP. (iPhones, iPADs, Droids, and PC's of course).
If you were to get a certificate from a public CA, I'm assuming this would be just a regular server certificate from GoDaddy, or Verisgn?
View 2 Replies
View Related
Jan 23, 2012
I have 802.1x/peap authentication in my wireless network with ACS 4.2 as the authentication server. I enabled PEAP machine authentication under the Unknown user policy --->database configuration sub-menu. I discovered that I was still able to access the wireless network on my android phone with my domain logon. I later discovered that there is an option in Group policy to force Windows XP clients to perform computer authentication. Now the problem is that windows 7 clients do not have the EAPOL option in the registry, hence the group policy object may not work. How to enforce machine authentication and stop unwanted devices without having to purchase a NAC server.
View 10 Replies
View Related
Jun 29, 2011
ACS 5.1 EAP-PEAP Machine Authentication,
I have configured ACS 5.1 to check AD domain computer accounts then permit access, the next rule authenticates AD domain users and checks machine accounts with WAS MACHINE AUTHENTICATED "TRUE" permit.
My dilemma - Windows XP supplicant work fine and I can see the host/machine (Wireless device) authenticating followed by user credentials, but when I use the Intel Pro/set supplicant version 12.1 the same device fails authentication due to ACS not being able to verify a good previous machine authentication?
Is this problem ACS related or down to the Intel supplicant.
View 3 Replies
View Related
Mar 25, 2012
I have to propose/design a network system. It has 350 computer terminals/workstations out of which 300 of them are divided into two separate networks while the other 50 are to be on another network. So I assume I'd need 3 networks (or LANs) I guess (all connected ofcourse)So far I've inferred it needs a mail server, a file server, a print server, a DHCP server to assign IP addresses (C class and private ones ofcourse) and a web proxy server. Also I thought a fast Ethernet LAN network might be ideal here but I'm not quite sure on that (nor have I ascertained what sort of topology or hardware to use).
View 5 Replies
View Related
Aug 12, 2012
Existing nework New Network
I have attached some diagram here, 2911 Router configured as a zone based firewall and it works fine. I need to put ASA 5510 as an internal Firewall in to the existing network. So I need to hand-over the NATing configuration from IOS FW to ASA 5510 , are there any special configs here? I have done this but it's not working, If i bypass IOS ZB FW and ASA directly connect to internet Its works fine, If NAT configurations keep in IOS ZB FW then it works fine.
I have attached IOS ZB FW current config file below.
View 2 Replies
View Related
Feb 15, 2012
I'm attempting to configure Classification and Marking on our access switches using the MQC model. The Switches are 3750's running IPBase Version 12.2(35)SE. For some reason when I activate the policy-map on an interface, no traffic is being tagged, i've used the 3750 QoS configuration examples (url) for reference.
View 5 Replies
View Related
Apr 23, 2013
how the certificates work when using PEAP on ACS 5.2.Currently we have clients which are Cisco wireless IP phones that are using the ACS server(s) for authentication to the wireless network. The phones are configured to use PEAP with server validation enabled. The phones have a Godaddy root certificate, and Godaddy intermediate certificates installed on them, (in addition they have all the certs that are on the phone by default). On the ACS server there is a certificate that is signed by Godaddy. This was creating doing the CSR process etc...
So from what I understand, because all the phones are set up to validate the server certificate, they require the public root certs and the intermediate certs that are installed on them, in order to validate the private cert that is on the ACS server. The private certificate (the one signed and issued by Godaddy), expires the middle of next year (2014) (a little ways off I know, but it is never too early be concerned about stuff). When we go to get a new private certificate for the ACS servers (or get a renewal) and when we install this new signed certificate onto the ACS servers…will all the clients still trust this new certificate, and everything will continue to work smoothly? Or will the clients all need to have new root certs installed, and new intermediate certificates installed? From what I can gather I think the first scenario should be the case, because the root certs and intermediate certs are there to trust certs that are signed by Godaddy, so as long as the new private certificate is signed by Godaddy everything should be okay.
View 8 Replies
View Related
Apr 2, 2013
A customer has RADIUS running on a Win Server 2008 R2 machine, has Autonomous 1140 APs and a mix of Windows 7 and XP Pro clients. Using PEAP as the authentication method the Win 7 clients can access the WLAN, but the Win XP clients cannot. The Win XP clients are at least SP2. I am doing some research before going to site on Friday and wanted to poll the community. I found an older post speaking to a MS Hotfix under KB#885453, but it referes to "third-party RADIUS servers," not MS servers URL.
View 14 Replies
View Related
Oct 12, 2012
I want to implement VoIP on my client network, currently the data network is using SG300-28P small business switches for user access. According to my design the IP Phones (Cisco 9971 and 7942G IP Phones) are to connect to the small business access switches while the user PCs connects to the IP Phones.
My concern is I really don't understand how the small busness switches will advertise the voice VLAN to the IP Phones. I understand that the switches are suppouse to use LLDP/CDP for this but it seems the model I have can only do LLDP. The IP Phones and the PCs connected to them will be recieving IP addresses from an uplink L3 managed switch.
how LLDP works (particularly regarding this scenario)? Does it matter if the small business switch is in L2 or L3 mode for the VoIP implementation?
View 4 Replies
View Related
Apr 30, 2013
Need to configure Cisco 1142 N access Point togetherwith the Cisco Switch . I have a POE Switch 4510 and Cisco 1142 N Cisco AP . I have one management vlan 5 & User VLAN for WIFI VLAN 10 . The problem is when i make the POE port which is connected to the AP as trunk port means : [code]I am not able to ping the management IP allotted from VLAN 5 . However when i make it as access i am able to ping the managament IP . But for both the VLANs to work it should be in trunk mode & in cisco i can either assign the port as access or trunk .Post this i would configure the 1142 N with Cisco SG300-10P POE Switch . I guess if issue with my 4510 gets resolved the same way i can configure SG300-10P as well .
View 6 Replies
View Related
Jan 3, 2013
We have two 2100 WLC's that support 12 access points. One has been sitting in a box for some time, but we're at the point where we need to add additional access points that will put us in excess of the 12 limitation. What is the best way to go for installing the second WLC?
View 2 Replies
View Related
Apr 25, 2012
I have roughly 50 users that are remote, and use VPN to access the resources in my network such as file servers, application servers etc. We currently use Microsoft VPN to authenticate those users. It works, but I am not a fan on Microsoft VPN.
I have purchased an ASA5520 to replace my crappy layer 3 HP core backbone switch, and plan on replacing my Microsoft VPN with Cisco VPN. I want to configure my ASA so my remote users can continue to VPN into my network securely?Is this possible?
View 8 Replies
View Related
Jun 11, 2012
configure PEAP for wireless with Windows 2008. The doc we have only mentions Windows 2003. When we follw that document we get a faulure when we try to bind the certificate to we have generated to ACS 5.0 .
View 1 Replies
View Related
Apr 14, 2013
I am facing problem in implementing NAT on Cisco 8.4 . the scenario is
Inside interface network 10.10.10.0/24 and 10.118.0.0/16 is also routed towards inside network
Other network 192.168.10.0/24 is routed via outside interface.
My requirement is to NAT the 192.168.10.2(real IP) to 10.10.10.2(mapped ip) so that when users from inside network (10.118.0.0/16) will come they will access the 10.10.10.2 instead of the real Ip(192.168.10.2)
So I used nat (inside,Extra net) source static obj-10.118.0.0 obj-10.118.0.0 destination static obj-10.10.10.2 obj-192.168.10.2 but the connection is not working but with show nat I am getting hits on the NAT statement.
cap test Ethernet-type arp interface inside real-time
1: 23:29:05.684199 arp who-has 10.10.10.2 tell 10.10.10.1
2: 23:29:09.687998 arp who-has 10.10.10.2 tell 10.10.10.1
I have also enabled the proxy arp on the inside interface but still the connection was not working.
Packet tracer output
[Code] .........
View 11 Replies
View Related
Feb 28, 2013
I have a 5520 acting as a VPN server... and 5505's acting as clients.The 5505's connect fine when using "client mode" but things go sideways when I try and use NEM.Namely, they never complete a connection.
debug vpnclient shows this repeating rather fast (this device is connected a Fios connection behind a gateway/router (it's my test environment and it does work when I have the device setup in "vpnclient mode client-mode".
Some of my remote sites are configured directly with a public IP (issued via DHCP) others are behind a 3rd party firewall/device that I have no control over... but again, these sites currently work as "vpnclient mode client-mode". [code]
View 1 Replies
View Related
Apr 3, 2012
I have been trying to figure out for days now how to get Windows XP/Windows 7 and Apple iPads to connect to a broadcasted SSID and authenticate with PEAP without getting prompted to verify a certificate that exists on ACS.
In Windows 7, I get a window that says the connection attempt could not be completed and get a warning that the certificate could not be validated. If I manually configure a wireless connection and specify PEAP to accept my trusted root certificate authority (in the default list), it doesn't prompt but having users do this is not acceptable and more work than to just verify when prompted. I have no control over the devices connecting so I can't push anything down using GPOs.
For the iPad, I get a similar message that the certificate authority can't be verified and you have to accept.
For the certs, I have tried GoDaddy and Starfield. How to get this working without getting prompted to verify/validate a certificate authority? If so, what cert are you using? I have the intermediate certs installed in ACS and Windows and iPads see them because as soon as I delete, the screen that pops up changes to my actual cert.
View 5 Replies
View Related
Sep 11, 2011
Any good guide for configuring PEAP with Machine Authentication to allow for domain login?This is a clean install on a new 5.2 install.We are moving from 4.X to 5.2 and i want to make sure i dont miss anything.
View 3 Replies
View Related
May 15, 2011
With IPv6 Coming i've been tasked with implementing M-BGP on our 7200VXR running 12.4.
View 5 Replies
View Related
Aug 9, 2012
Is it possible to strip suffix on wireless client running PEAP (MS-CHAPv2). ACS version 5.3 (patch 5) - 5-3-0-40-5
Look like ACS 5.1 does not support this - see below link [URL]
View 12 Replies
View Related
Jul 31, 2012
I have a Cisco Small bussiness RV120w and I setup the radius server , WPA2 Enterprise with a windows 2008 NPS radius server . The big problem is that the authentication fails .This is the error that I see in event viewer / server roles / Network policy and access services: reason-code 49 "The connection attempt did not match any connection request policy".The radius key is matching between the server and the client . The radius server is reachable and I don't find any routing issues .Does anybody tested this router with this type of wireless security?
View 3 Replies
View Related
Feb 9, 2013
I'm in the process of setting up PEAP with ACS 5. From understanding the certificate that I generate is a server side certificate used between ACS and CA authority. However, according to the Cisco document that I'm using it sounds like I still have to install a certificate on the wireless clients that validate the server certificate. Is there a process to push this cert out via AD or do I need to manually install it and if I wanted can I get away with out checking the validate the server certificate on the wireless client?
View 4 Replies
View Related
Mar 29, 2006
We currently are using a self-signed cert (for PEAP machine authentication) that was created on an ACS 3.3 appliance. That cert was manually installed on our laptops when they were configured for wireless conenctivity.My problem is, that self-signed cert will soon be expiring and I am not sure what needs to be done to issue a new cert AND deploy it to my Windows XP Pro clients without a service interruption. If possible, I'd like to leverage our exsiting AD infrastructure for this, but I need some direction, and time is of the essence!!
View 2 Replies
View Related
Sep 30, 2012
After implementing TACACS, one of our routers takes about 8 seconds to response to any CLI command. We have no problems with other devices in the same location with the same AAA configuration. The router is talking to the ACS server (ACS 5.3) and the logs on the ACS server look normal for the router as well.
View 5 Replies
View Related
Dec 16, 2012
implement VOIP on my router 3825 I have Ip phone 7905G and 7960.
View 2 Replies
View Related
Oct 29, 2012
I have a ASA 5510 and planning to implement multiple context in a 2 tier security level and vrf-lite. meaning I have 2xASA facing the internet and below that a 2x3560 switch for our extranet and below that is another 2xASA for intranet. See diagram below. In this kind of network I want to know how it would impact the total throughput and resources of the ASA using multiple context?
INTERNET
| |
| |
2811A 2811B
| |
| | (OUTSIDE)
ASA_A-------ASA_B
| | (INSIDE)
| |
3560A---------3560B
| |
| | (INSIDE)
ASA_C--------ASA_D
| |
| | (OUTSIDE)
3560C----------3560B
| |
INTERNAL NETWORK
View 3 Replies
View Related
Sep 26, 2012
we have acs 4.2 as our radius server, and 2 wlc 4404 with a wism2 for our wireless network. we have 2 SSID network, lets call them SSID A and B. A have a more restricted access to server than B.PEAP machine authentification is authorize on both network, to let our users laptop connect before the user login, this enable us to have our computer gpo deploy before the user logon, or have network access to authenticate a user to our directory if he had not logon previously on the laptop.
Users from group A can't logon to SSID B, they can only logon to SSID A, but we have some clever users from group A who have change they wireless setting to only send machine authentification (this can be done in the advance setting of a wireless network in windows 7) to connect to SSID B
We can't force the wireless config by GPO because we don't have an ad 2008 domain, we are still in 2003 soo we can't change the gpo for windows 7 wireless setting . I can't force user to require machine authentification and user authentification because we have a lot of ipad and iphone, and other mobile device that connect using only their user credentials.Is there a way I could configure this without having to disable machine authentification for SSID B?
View 7 Replies
View Related
May 2, 2011
i have the following scenario that i'm requesting you guys verify if it will work.I have a 3550 catalyst switch running EMI and an auotomous 1131AG aironet ap, i have two dhcp pools already setup on the switch one for the LAN and the other for the wireless clients.There are two vlans on both the switch and ap for LAN and wireless clients.I have already setup multiple SSID's to be broadcasted from the AP, is there a way i can bind one SSID to the lan dhcp pool and the other to the wireless clients dhcp pool?
View 1 Replies
View Related
Oct 9, 2012
I'm running version 7.2.111.3 on my WLC 5508 and I try to figure out how I can set PEAP towards my configurerd Radius servers. On my Local EAP profile I can specify PEAP, but how is it default configurerd when you just specify the radius servers on the "WLANs > Edit Test > security > AAA servers tab ?
The MS radius logs tell me that it is EAP and not PEAP, so the questions is does the WLC support Microsoft: Protected EAP ???
Dot1x_NW_MsgTask_0: Oct 10 11:02:27.279: 24:77:03:07:75:28 AAA EAP Packet created request = 0x1bd4647c.. !!!! -> should be AAA PEAP ?
*Dot1x_NW_MsgTask_0: Oct 10 11:02:27.279: 24:77:03:07:75:28 Sending EAP Attribute (code=2, length=35, id=2) for mobile 24:77:03:07:75:28*Dot1x_NW_MsgTask_0: Oct 10 11:02:27.280: 24:77:03:07:75:28 [BE-req] Radius EAP/Local WLAN 3.
View 6 Replies
View Related
