Cisco :: WLC5500 - Disable Dynamic Channel Assignment (DCA) For Group
Jan 6, 2013Is it possible to disable DCA for a couple of APs and manually force the channels assignment ?
View 3 Replies
ADVERTISEMENT
Cisco :: WLC5500 Mobility Group Fail-over
Mar 22, 2012I have a Question i am testing mobility group with Failover for redundend connection between 2 Cisco 5500 Wlc.On both the controllers i got the mobility working And both the controllers have the same version.And configuration. But when i unplug the main controller the access-Points don't convers to the second one .The just keep on creaming can't find the main controllerAlso with this thus the second wlc need to have the same.Interface ip address like management.
View 8 Replies View RelatedCisco VPN :: ASA 8.2 - ACS 5.2 With Dynamic VPN IP Pool Assignment?
Aug 7, 2011I have Remote Access VPN users (IPsec) who are terminated on Cisco ASA 5520 (v8.2). For those users, AAA is done on the ACS. Group-policies and tunnel groups are defined on ASA. Initialy I had all VPN users defined on ASA and group policies were associated with each user. Each group policy had it’s own IP pool for users. Now, I moved users to ACS. How can I associate group policy, defined on ASA, with users group defined on ACS? Is it possible that ACS send to ASA information about IP pool for different group policy? Users will use ONE vpn profile BUT based on the Active Directory group they belong to they obtain a different IP address for each group.Can it be done ? ACS version is 5.2.
View 1 Replies View RelatedCisco :: WLC 4.0 - Dynamic VLAN Assignment And DHCP
Jan 16, 2011I have just upgraded our WLC from 4.0 to 7.0 (via 4.2). Before the upgrade we had our ACS returning a VLAN based on user group. This seemed to be working without an issue. Now that the WLC is on version 7 this is no longer working correctly. The ACS is returning a VLAN and passing the user but the client can not get an IP from the DHCP server configured.
Example configuration:
SSID-----VLAN
PN-CSC-----CSCVlan: Works
PN-Others------OthersVlan: Works
PN-Others-----CSCVlan: No DHCP
When users are trying to be allocated to a vlan that is different from the native one the DHCP fails however both WLANs are configured to point to the management interface so dont have any real connection to the vlan other than by name.
Have there been any changes I haven't seen in the way the dynamic vlan allocation works in version 7?
Cisco :: Dynamic Vlan Assignment With 1242AG And IAS Not Working
Dec 13, 2012I'm having trouble getting the dynamic vlan assignment to work on my 1242AG Cisco Aironet APs. I've seen multiple cases with a similar setup and configuration where it works just fine. I've tried everything I can think of. IAS and AD is running on Windows Server 2003.Everything works fine except the vlan assignment. Wireless clients successfully authenticate through IAS and Active Directory, but instead of being switched to the appropriate vlan the client stays in whichever vlan/ssid it originally connected to.PEAP is the authentication method, using MS-CHAP v2. Naturally I have the attributes in the policy set appropriately,[code] I've attached the config for the AP, which shows that I have two vlans/SSIDs set to cipher, aes, network eap, wpa, etc. I noticed that if the Tunnel-Pvt-Group-ID attribute is set to a vlan id that doesn't exist on the AP then the AP makes an event log saying so.
View 16 Replies View RelatedCisco Wireless :: WAP4410N 802.1x Dynamic VLAN Assignment?
Nov 27, 2012Does the WAP4410N support Dynamic VLAN assignment by means of 802.1x authentication?
The reason why I ask this; I am able to configure a SSID on a WAP4410N with WPA2-Enterprise, in combination with 802.1x PEAP network authentication. I can succesfully connect Windows, Windows RT, Windows Phone, iOS and Android devices. But.. I am unable to designate them to another VLAN based on access/connection policies. For example; I want mobile devices such as iPhone and Windows Phone to be assigned to a specific VLAN. The Wireless Access Point (authenticator) must be able to support that.
This is my setup:
Spplicants: Windows 8 / iPad / ...
Authenticator: WAP4410N
Authentication Server: Microsoft NPS (Network Policy Server)
I used 802.1x PEAP (Protected EAP) with password (domain user) authentication. In fact, the suplicants communicate with 802.1x to the authenticator. The authenticator communicates with RADIUS to the authentication server. NAP is not in between. It's just plain 802.1x authentication.
wether dynamic VLAN assignment is supported?
Cisco AAA/Identity/Nac :: ACS4.1 - Radius Dynamic VLAN Assignment Not Working?
Jan 28, 2013When the users connect their laptop they are getting a authentication prompt but the switch is not changing the VLANs on the port after successful authentication.Below are the logs on the switch
Jan 28 2013 17:21:32.417 CST: RADIUS: Framed-MTU [12] 6 1500
Jan 28 2013 17:21:32.417 CST: RADIUS: Called-Station-Id [30] 19 "E4-D3-F1-0B-C6-0A"
Jan 28 2013 17:21:32.417 CST: RADIUS: Calling-Station-Id [31] 19 "84-8F-69-A8-BD-1D"
Jan 28 2013 17:21:32.417 CST: RADIUS: EAP-Message [79] 45
[code]....
Cisco Switches :: Dynamic VLAN Assignment And Layer 3 Switching On 300 Series?
Jul 11, 2012I have a SG300-28P switch. I just read in the Administration Guide that, when in Layer 3 mode, the switch doesn't support MAC-based VLAN or Dynamic VLAN Assignment.
So, in order to assign a client to a VLAN based on their MAC or based on the response of a RADIUS server, we have to disable layer 3 features. Without layer 3 switching, the switch is unable to act as a default gateway and forward packets between VLANs. As a result, the VLANs can't communicate in any way, or access the internet, unless a separate router is connected to every VLAN. Right? Doesn't this limitation significantly reduce the usefulness of the DVA feature?
Cisco AAA/Identity/Nac :: 3750x / Dynamic VLAN Assignment For Wired Campus Network
Nov 23, 2012I`m working on Dynamic Vlan Assigmenton the basis of end user authenticatedwhoc are part of specific AD Group in c ampus enviorment.Objective: Need to assign the vlan on switch port on the basis of authenticated users OU Group in Active Directory. Eg: There are 2 OU groups in AD, Sales and Administration. Authenticated user in Sales group should get Vlan 10 and user in Admininstration Group shoudl get Vlan 20.
Components:
Cisco 3750x/Cisco 4500
ACS Version 5.2
Microsoft AD
Cisco AAA/Identity/Nac :: Use 802.1x To Authenticate Clients On Network With Dynamic VLAN Assignment From RADIUS?
Apr 11, 2013I'm trying to use 802.1x to authenticate clients on my network with dynamic VLAN assignment from RADIUS. We have IP-Phones(powered by PoE) that only supports EAP-MD5, and we would rather use MAB(it also uses LLDP-MED for some settings) to authenticate the phones using the MAC-range from the phones vendor. The following scenario works perfect:Connect the phone and let it boot up(takes a while) and authenticate with MAB.Connect a computer in the phones data-port and let it authenticate with 802.1x(or fail and reach guest-vlan) However, the following scenario doesn't work:The computer is already connected to the phoneThe phone is then connected to the switch What happends now is that the computer is authenticated using 802.1x before the phone boots up and get's authenticated with MAB. When the phone is ready, it's authenticated with MAB and everything works. However, after a short period(let's say a minute), using `debug authentication all`, we see a "NEW LL MAC: phones mac" message(which is weird since the mac has already been MAB-authenticated), and then we are unable to contact the phone using ping. When I check `show mac address-table` it has now moved the mac from `Port Gi 0/12` to `Port Drop`. However, if I check `show mab interface Gi 0/12` or `show authentication sessions` it lists the phones-mac as `mab auth sucess `.why the first scenario works, and not the second?
The switch is a 3560E PoE 24p with IOS 12.2.58SE2. Sample of the switch-config: network-policy profile 1voice vlan 90!interface GigabitEthernet0/12switchport mode accessnetwork-policy 1authentication control-direction inauthentication event fail retry 1 action authorize vlan 60authentication event server dead action authorize vlan 60authentication event no-response action authorize vlan 60authentication event server alive action reinitializeauthentication host-mode multi-domainauthentication order mab dot1xauthentication priority mab dot1xauthentication port-control autoauthentication periodicauthentication violation replacemabdot1x pae authenticatordot1x timeout tx-period 5dot1x max-reauth-req 1spanning-tree portfast!Btw, when we tried authenticating the phones using 802.1x too (EAP-MD5), there are NO problems in any of the scenarios. However, we want to use MAB instead of 802.1x to avoid the requirement of configuring the phones with a username and password. The RADIUS response was the same when using 802.1x as it is with MAB for the phones (including device-traffic-class=voice AV-pair).
Cisco WAN :: 2800 - Limit Of T1s In Channel Group
Jun 22, 2011I can't find the theoretical limit of T1s in a channel group on a 2800. I know that you can have 2 channel groups per V Wic 2, but it doesn't say how many T1s I can have bonded. I think it's 8, but I can't find it in writing anywhere.
View 3 Replies View RelatedHow To Disable Usb Using Group Policy
Feb 1, 2011how to disable usb using group policy
View 1 Replies View RelatedCisco WAN :: How Maximum Channel-group Supported By VWIC2 1MFT G.703
Jun 14, 2012How maximum channel-group supported by VWIC2 1MFT G.703? And the CISCO1941/K9 ?
View 0 Replies View RelatedGroup Policy Disable Default Favorites?
Oct 5, 2012Is it possible via Group Policy to prevent the domain computers from automatically creating default favorites when the users log in? Currently on the Favorites Bar it creates "Web Slice Gallery" and "Suggested Sites", as well as a "Websites for United Kingdom" folder. The domain controller is running Windows Server 2008 R2, and the clients are running Windows 7.
View 4 Replies View RelatedCisco Switching/Routing :: 3750 - Procedure To Modify Channel Group Settings?
Nov 16, 2011We need to change the Channel-group settings in 3750 switch from Mode ON to Mode Active. We have tried once by removing the physical interfaces from the port-channel group but we lost the connectivity to the secondary switch. Any step by step procedure without losing the connectivity between switches.
View 2 Replies View RelatedDisable Domain Printer Password In Work Group?
Mar 22, 2011Disable domain printer password in workgroup?????
View 1 Replies View RelatedCisco Switching/Routing :: 2560 Create Dynamic VLAN For Specific Group Of Users
Feb 6, 2012We have Cisco Cat4503 series L3 Switch and Cisco L2 2560 Series Switches, some of the users want to have a dynamic VLAN membership, and connecting with the network as mobile users,
can it possible and create dynamic VLAN for specific group of users.
Cisco Wireless :: WLC5500 Tcp Port 80 Access Only?
Apr 4, 2012One of the SSIDs in WLC 5500 (SV:7.2.103.0) is configured in web authentication mode. After authentication (local database) users can access http sites and can't access, for example, https sites.
View 2 Replies View RelatedCisco :: WLC5500 - Add Third DHCP Server To WLAN Interface?
Aug 2, 2012I'm running a system that requires a third (and potentially fourth) DHCP server to be setup on each network in my network. The first two devices are Windows DHCP servers serving IPs from different address ranges for failover. The third DHCP is just a listener to receive OS information and device names to be logged in a database.
Currently this works like a charm for my wired clients as I can add in the third and fourth ip helper-address on each vlan and the information is received by the listeners. However, I cannot find anywhere in my WLC5500 to setup these extra two DHCP helper addresses.
The wireless vlan on my layer 3 switch has all the ip helper-addresses, but this doesn't seem to work, and the devices just use the DHCP servers set on the interface in the WLC.
Cisco Wireless :: Maximum Number Of Active SSIDs On WLC5500 With 3500i
May 20, 2012I have a question regarding to the maximmum number of active SSID's on a WLC 5500 with 3500i, it's my understanding that the 3500i can support 16 active SSID's is it the same when connected to the WLC? Also, if possible would the WLC shutdown un-used Radios or maybe after hours?
View 1 Replies View RelatedCisco Wireless :: WLC5500 And 1140 APs Not Associating - DTLS Error Messages
Dec 25, 2012I have a WLC 5508 and several 1142 access points. The APs are not showing up in the WLC. When i console into the APs, im getting the following errors,
*Dec 26 23:04:28.035: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 65.125.15.212:5246
*Dec 26 23:04:28.074: %CAPWAP-5-CHANGED: CAPWAP changed state to
[Code]....
Ive tried resetting the WLC, reloading the APs. I even factory defaulted one of the APs and still getting the same message.Ive verified that the WLC is set to accept MICs and SSCs.
Cisco VPN :: ASA 8.4 LDAP Group To ASA Group Policy Mapping?
Jul 31, 2012I try to map LDAP Group to ASA Group policy following documentation:
[URL]
This is a config for ASA 8.0. I would have expected it to work on 8.4 as well but I do run into problems. The mapping as shown in LDAP Debug and ASA Log will actually happen but it is overwritten by the "GPnoAccess" Group Policy configured locally in the Tunnel Group. From earlier works with RADIUS I would have expected the user specific Attribute to be "stronger"?
ASA Log:
AAA retrieved user specific group policy (correct Policy) for user = XXX
AAA retrieved default group policy (GPnoAccess) for user = XXX
WNDR3700 IP Assignment?
Apr 1, 2012In the settings, there is a spot in which you can set the range of IPs to assign to connected computers and other devices. This particular option is available under the "LAN" options. What I am seeing is that the only IP that is assigned within the range is the one and only device hardwired to the router. Everything else is being assigned IP addresses outside of the range. Am I missing something? I was under the assumption that any IP addresses assigned dynamically would be within the range whether they were wired or wireless
View 10 Replies View RelatedCisco AAA/Identity/Nac :: ISE - WLC 7.2 VLAN Assignment?
Sep 10, 2012The Wireless_Employees authorization profile,assign vlan 666 for wireless employees.ISE is passing VLAN 666 to the WLC - see attachement Radius Auth-VLAN666.jpg then I look on the WLC at a wireless employee who has successuflly connected to the network, WLC is still placing him in the pre-configured VLAN 7.
1. can VLAN be pushed from ISE to the WLC (code 7.2.103) for specific user session?
Cisco :: ASA Dhcpd Server Assignment Based On Mac
Sep 24, 2011is it possible to use the asa dhcp server function to assign based on mac address (yet)? I have read numerous places that it was not possible (as of 8.2) at least, but I am workin in 8.4. I should have mentioned that I've already tried commands (asa 5510 btw)
View 4 Replies View RelatedCisco :: Fictional Network Design Assignment
Mar 5, 2013I have gotten the assignment of constructing a fictional network for my school.. and i cannot quite agree with myself upon which equipment i should choose.. its supposed to be all cisco. i need to supply 5000 users all in all, but only 300 on this site. i need to know which connections would be the most reasonable to use and of course which routers "if any" and switches i need.. (+ additional modules if needed) i have tried to make a visio representation, but i just think something is way off.
View 6 Replies View RelatedCisco Wireless :: VLAN Assignment Without ACS On 5508
Apr 8, 2013I was wondering if it is possible to do dynamic VLAN assignment on the Cisco Wireless Controller 5508 without using Cisco ACS but use Microsoft NPS server instead?
View 3 Replies View RelatedCisco WAN :: ACL NAT 3845 Static Assignment Has No Wan Connectivity
Mar 29, 2011I'm having a strange issue with a Cisco 3845 ISR router. I am setting up basic ACL and NAT but 2 issues occur. When using pat (overload) and a static nat assignment on the same subnet, the host with the static assignment has no wan connectivity except for icmp. The host is not reachable via the wan and the static public ip. Running show ip nat translations show the correct inside local and inside global addresses. The other issue is when applying an extended ACL to the outside or WAN interface coming in. No host on the inside has connectivity (icmp, tcp etc.) even to the gateway. I've cleared out all the ACL's as well as the ipsec tunnel settings and created only the nat overload and a single static assignment with the same results.I'm posting the running config below.
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
[Code]...
D-Link DIR-655 :: External IP Address Assignment?
Mar 3, 2011I have a home desktop, home laptop, and work laptop that I use. I have Ultra VNC setup on my work laptop that allows me to remote into that machine when I am traveling for work. I have always been able to use the external IP address (not private) to login into the machine with no problem. This week, for some reason, I can no longer do that. When I started doing some discovery, I noticed that when I have all 3 machines booted up at home that the exact same external IP address is assigned to all 3 machines. The internal IP addresses are all different as they should be.Shouldn't each machine have a seperate external IP address assigned as well? Or is this working the way it should? I didn't change any setting on my router or DSL model. But I think the conflict that VNC is having on my work laptop is that it has the exact same IP as the destination computer and it fails. I can remote in if I use the private IP address (192.168.x.x) just fine.
View 1 Replies View RelatedCisco AAA/Identity/Nac :: Secure ACS 5 For IP Address Assignment Via RADIUS?
Jan 13, 2013I want to use RADIUS (of Secure ACS 5.3) to authenticate users within an ISP environment. Users log connect to a network using a point to point connection (L2) and then they are sending a RADIUS request to get IP adresses. Secure ACS is not quite easy to look through in that case.
View 3 Replies View RelatedCisco AAA/Identity/Nac :: ACS 5.1 Device Admin Privilege Assignment?
Dec 1, 2011my admin user is still being assigned privilege level 1, as shown in AAA Protocol > TACACS+ Authentication Details report.The report seems to show that the user is getting the right shell profile (Selected Shell Profile: Net-Admin -- is the one I setup for this user's group with both Default Privilege and Maximum Privilege set to Static 15). But still not the right privilege (Privilege Level: 1).Also, I found this document via Google: [URL] The router configuration examples all show this "aaa authorization exec tacacs+|radius local" command, which my device does not have.So I am wondering if I am not reading the ACS report right, or the device actually was assigned the correct privilge but that does not work without the "aaa authorization exec" command in the configuration?
View 1 Replies View RelatedCisco AAA/Identity/Nac :: ACS 5.2 Static IP Assignment For Local User
Jun 7, 2011how I can assign a static IP to a user in ACS 5.2. I am able to do it in ACS 4.2, but I don't see the same options under 5.2. General idea is that users authenticate from our VPN appliance via RADIUS, and upon authentication, their static IP is passed back to the VPN device. I can attach an arbitrary field to my local users by going to System Administration -> Configuration -> Dictionaries -> Identity -> Internal Users, but how do I get that IP address passed back when the user is authenticated via Radius?
View 1 Replies View RelatedCisco :: AIR-LAP-1242G APs Not Obeying Static IP Address Assignment
Feb 8, 2011I've got a network of several AIR-LAP-1242G LWAPP access points controlled by a 2112 WLC. I assign static IP addresses to each LWAPP, but every few weeks, a couple of them (at random) revert back to grabbing a DHCP-assigned dynamic address for themselves, despite the fact that they're supposedly solidy configured to have static IPs. What's going on here? Is this a bug in their firmware or the WLC's firmware? If I reboot the APs, then they come up with their static IPs, but after running some random number of days/weeks, will spontaneously change their own management IP addresses and grab a DHCP address for themselves.
The 1242G APs version numbers reported by the WLC's web GUI are:
"Software version" 5.2.193.0
"Boot version" 12.4.13.0
"IOS version" 12.4(18a)JA2
"Mini IOS version" 3.0.51.0
The 2112 WLC is running software version 5.2.193.0
