Cisco Wireless :: 1242 Or 3502 WGB With PEAP And Windows RADIUS
Feb 7, 2013
I am trying to configure a 1242 or 3502 WGB with PEAP. There is not ACS server involved as Windows RADIUS is used. I can get the WGB to work with OPEN Authentication but when I attempt to add in the authentication/security piece I get "no association." Below is my current config. The WLAN is set to use WPA/WPA2 802.1x + CCKM.
Current configuration : 1812 bytes
!
! Last configuration change at 00:56:39 CST Tue Mar 2 1993
version 15.2
I'm running version 7.2.111.3 on my WLC 5508 and I try to figure out how I can set PEAP towards my configurerd Radius servers. On my Local EAP profile I can specify PEAP, but how is it default configurerd when you just specify the radius servers on the "WLANs > Edit Test > security > AAA servers tab ?
The MS radius logs tell me that it is EAP and not PEAP, so the questions is does the WLC support Microsoft: Protected EAP ???
Dot1x_NW_MsgTask_0: Oct 10 11:02:27.279: 24:77:03:07:75:28 AAA EAP Packet created request = 0x1bd4647c.. !!!! -> should be AAA PEAP ? *Dot1x_NW_MsgTask_0: Oct 10 11:02:27.279: 24:77:03:07:75:28 Sending EAP Attribute (code=2, length=35, id=2) for mobile 24:77:03:07:75:28*Dot1x_NW_MsgTask_0: Oct 10 11:02:27.280: 24:77:03:07:75:28 [BE-req] Radius EAP/Local WLAN 3.
I have 3 Cisco 1242 WAPs that I have deployed at a site that has NO RADIUS/AAA devices. I have given all of them a different channel (1,6,11), but the same SSID and crypto (WPA2-PSK). The issue is when a machine boots up it associates with the closest/strongest AP, but as the device "roams" it does not which to a different AP. It stays associated with the original AP until that signal is gone. Then it quickly associates with the closest AP with no problem.
How do I get the device to associate with the strongest WAP? I have research "fast roaming and WDS" but it seems like you need EAP/LEAP and they do NOT have that at all.
I bought 2 Cisco 1140 series Access Points a couple of months ago. We would like to use PEAP to autheticate with Microsoft IAS Radius Server & Active directory. I cannot find a document which describes how to setup this type of configuration. The only document which is close is how to setup LEAP & with ACS: [URL] I initially followed the 'TechReplublic's Ultimate Guide to Enterprise Wireless LAN Security' which has all the steps to setup Radius server, client side configuration, Certificates and finally a handy excel script to generate a config for the AP. This did not work. [URL] I am now trying to configure the AP using the Web GUI. I can see the network on the client machine but when I try to connect it timesout.
I can't seem to get the SSID RadiusTest to work properly.
Windows PC's show "Windows was unable to find a certificate to log you into the network". Macs don't authenticate either. Radius server isn't seeing any requests at all. Radius server is working because we are authenticating other things to it.
On my test 1231, IOS is 12.3(8) JEB1.
version 12.3 no service pad service timestamps debug datetime msec
configure PEAP for wireless with Windows 2008. The doc we have only mentions Windows 2003. When we follw that document we get a faulure when we try to bind the certificate to we have generated to ACS 5.0 .
We are deploying ACS 5.2 to replace our ACS 4.2 in production. I have two wireless networks setup as WPA2-Enterprise. One points at the ACS 4.2 and the other at the ACS 5.2. Both use the same SSL certificate with the same CN. Both authenticate Windows 7 clients. However, Windows 8 CP will only authenticate to the ACS 4.2 and not to ACS 5.2. The error it gives is:
11051 Radius packet contains invalid state attribute
It also shows no authentication method (most of the time).
Occasionally, I get a request that actually shows an authentication method of PEAP (EAP-MSCHAPv2) which is what it should be. On those requests, I get error:
24444 Active Directory operation has failed because of an unspecified error in the ACS.
Both ACs 4.2 and ACS 5.2 are pointed at the same Windows AD source.
I have two Windows 7 computers and neither one will successfully upgrade a 1242 AP to LWAP. However, I go to a coworker's XP machine and run the tool without issues. On Windows 7 I keep receiving the error message of ACL or Firewall is blocking. I have added rules and then even tried disabling the firewalls completely on both computers and still no success.
I have some aironet 1200 AP's. I want to use this with a windows 2008 radius server. I followed the guide on [URL]. Unfortunately I can not get this working. In the securtiy log of the event viewer there is always the message "authenication was not succesful because an unknown username or incorrect password".
- Is it possible to get this working?
- If yes, is there a manual how to configure the AP's and the radius server, or are there any hints?
- Is this the best way to setup a wireless network or is there a better way?
I saw there is also a local radius server inside the 1200. Can all the 1200's work together? I suppose that if I use the built-in radius server than I can't make a connection to my AD database, correct?
I am trying to connect an AP541N to a radius server for Domain authentication but cannot figure out how to Configure the widows 2008 Radius server to authenticate users but cannot seem to get the AP541N to do this, how to configure both the 2008 radius server and also the AP541N?
I have a Cisco Wireless LAN Controller AIR-CT5508-K9 running Software Version 7.0.98.218. This WLC has registered ten AP model 1240.Now I have configured fiive CAP3502 with static capwapp commands, when I connect the CAP-3502 in the network, in the WLC I see the status "downloading" then the CAP restart, and the console show the message *Mar 1 00:15:39.033: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER, and never the CAP3502 is registered in the WLC. [code]
i have 2504 controller with 7.0.116.0 software and some 3502 APs. I also using 5 APs now and few days ago I bought some additional 3502 APs and I can't get them connected to the controller. My company admins decided to using DNS controller discovery instead of using DHCP option 43. I'm connecting APs to access ports of Linksys switches and APs not in the same subnet as ap-manager interface of controller. AP succesfully get IP and DNS from DHCP and could ping cisco-capwap-controller. However, I have such messages.
*Mar 1 00:12:32.014: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.Not in Bound state. *Mar 1 00:12:40.533: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination.
I can succesfully ping controller from AP AP30f7.0d2e.9a58#ping cisco-capwap-controller Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.23.16.30, timeout is 2 seconds:
There are a total of 25 Cisco 3502 APs installed. 24 APs were discovered except for 1 AP. I run SH CDP NE on the switch and the AP was discovered by the switch but it does not have an IP address. On the output of the SH CDP NE DE, I noticed that on the AP that is not joining, the Platform is "cisco AIR-SAP3502E-E-K9" while the APs that joined the WLC, the Platform is "cisco AIR-CAP3502E-E-K9". The software versions are also different but this could be because the WLC already upgraded the IOS when the APs joined.Why is the Platform "SAP3502E" for the AP that did not join.
Just a basic question regarding MAC based authentication of AP with ACS. The scenario is - If I have a ACS installed and I want all my Cisco 3502 APs to be authenticated on MAC basis via ACS. I know that AP mac is used as a username and password at ACS so that whenever we plugin the new AP in the network, it gets authenticated via ACS first and if the AP is authorized to be used in network then only it gets the IP address from DHCP.
My question is - What will happen, if the AP is connected in local mode on a remote location and the WLC, ACS & DHCP are in Data center. The traffic coming from remote location will pass through the Remote-site router and during that pass, it will remove the source mac address of AP and put the router interface MAC address as source, so how will the ACS authenticate the AP in that case.
When working in a LAN I know its possible, but how will it work over the WAN.
Using WISM with 7.0.220 and 1240 and 3502 APs. Just found that some of our 3502 AP didn't enbale their clean air and CDP when installed. This only happened on a few new APs. But the area these APs where we seem to have had a few problems with PCs. The only PCs effected where Computer On Wheels (COWs), Dell 780 Desktop with a Cisco Wireless Card.
Using an interl wireless card and others in thes areas worked.Once I enabled the CDP and Clean Air, the COWs worked.My question is with the APs not having CDP enabled, could this affect the cisco wirelss card in the COWs?
I have a Cisco WLC5508 controller which I recently upgraded to software 7.0.98.0 because I tried to add a Aironet 3502 and it gave me an invalid software. After the upgrade this is the error I get from the AP when I try to add. [code]
Our newly installed WAP's are constantly downloading code and seem to lose contact with our wism 1 version 7.0.235.3, causing them to restart the downloading process, over and over.
We have a secure ssid and a guest ssid. Is the a way to prompt for a single username and password and if that name is guest it will automatically connect to the guest ssid? If active directory user and password it will automatically use the secure ssid? we are using Microsoft NPS/Radius, 3502 ap's, and 5508 controller.
The problem is that one of the clients loses the connection to the network time to time ,The error in the WLC logg is
*Dot1x_NW_MsgTask_0: Jul 06 17:42:38.934: %DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:843 Received EAPOL-key M2 msg has invalid information when mobile is in START state - invalid secure bit; KeyLen 24, Key type 1, client 00:21:6a:af:be:70
I have got a 3502 setup and functioning in Office Extend mode. I have found one issue though. I have to set the checkbox on the my Management Interface to Enable NAT Address and put the external address in the box. Once this occurs no internal APs can join the controller.
Need setting this up with a single controller behind a router and not having to set the NAT Address for the Management interface? Should I setup a second interface on the controller to be for external management?
I see many errors in the ACS 5.1(or 5.3) :5411 EAP session timed out..Becasue I checked the "remember my username and password everytime login" in the wireless network properties, and I can succeed to login finally. but in the ACS will see many errors like ”5411 EAP session timed out“
(Cisco Controller) >debug client 58:1f:aa:8f:ea:44 Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Sending EAP-Request/Identity to mobile 58:1f:aa:8f:ea:44 (EAP Id 1) Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Received EAPOL EAPPKT from mobile 58:1f:aa:8f:ea:44 Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Received Identity Response (count=1) from mobile 58:1f:aa:8f:ea:44 Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 EAP State update from Connecting to Authenticating for mobile 58:1f:aa:8f:ea:44 Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 dot1x - moving mobile 58:1f:aa:8f:ea:44 into Authenticating state
I have a 3502 AP that I am attempting to set back to factory default including clearing the username and password. It is going to work off of 4400 controllers. I have read numerous documents no how to clear the config and password but so far nothing has worked. I can get it into ap: mode but not sure what to enter here. When I do a dir there doesnt seem to be any files. It will pull an IP address via the local router but cannot communicate with WLC.
We have installed a number of Cisco Wireless 3502-07 in China and i can not get the Clean Air Oper status to change to UP. At the meoment i have ERROR. I have have tried to disable and enable the the Clean Admin Status from the Access Point 802.11b/g/n and then select the AP and change configuration.
I have been trying to figure out for days now how to get Windows XP/Windows 7 and Apple iPads to connect to a broadcasted SSID and authenticate with PEAP without getting prompted to verify a certificate that exists on ACS.
In Windows 7, I get a window that says the connection attempt could not be completed and get a warning that the certificate could not be validated. If I manually configure a wireless connection and specify PEAP to accept my trusted root certificate authority (in the default list), it doesn't prompt but having users do this is not acceptable and more work than to just verify when prompted. I have no control over the devices connecting so I can't push anything down using GPOs.
For the iPad, I get a similar message that the certificate authority can't be verified and you have to accept.
For the certs, I have tried GoDaddy and Starfield. How to get this working without getting prompted to verify/validate a certificate authority? If so, what cert are you using? I have the intermediate certs installed in ACS and Windows and iPads see them because as soon as I delete, the screen that pops up changes to my actual cert.
I have this scenario, AS5510 ver 8.4(3), VPN Client 5.0.07, RADIUS authentication with IAS on Windows 2003 Server.The issue is that, establishing the connection with the VPN Client, if the user credentials are correct every things works fine, but if we introduce a wrong password I don't receive an error message or a again the authentication form.Nothing happens the VPN Client keep trying to "contact security gateway", after about 5 minutes it stops without any message.Debugging the authentication process in the ASA I see that if the password is incorrect the radius authentication response is "reject". I have also tried with a different version of VPN Client but nothing change.Using AnyConnect client every things works fine.
I am trying to locate the radiation pattern for a 3502 with an internal antenna. We have some high ceilings so the elevation pattern could impact our placement strategy.
we have acs 4.2 as our radius server, and 2 wlc 4404 with a wism2 for our wireless network. we have 2 SSID network, lets call them SSID A and B. A have a more restricted access to server than B.PEAP machine authentification is authorize on both network, to let our users laptop connect before the user login, this enable us to have our computer gpo deploy before the user logon, or have network access to authenticate a user to our directory if he had not logon previously on the laptop.
Users from group A can't logon to SSID B, they can only logon to SSID A, but we have some clever users from group A who have change they wireless setting to only send machine authentification (this can be done in the advance setting of a wireless network in windows 7) to connect to SSID B
We can't force the wireless config by GPO because we don't have an ad 2008 domain, we are still in 2003 soo we can't change the gpo for windows 7 wireless setting . I can't force user to require machine authentification and user authentification because we have a lot of ipad and iphone, and other mobile device that connect using only their user credentials.Is there a way I could configure this without having to disable machine authentification for SSID B?
I bought a used Aironet 3502 (air-cap3502i-a-k9) on craigslist last week and the seller said it was set up for autonomous mode. It has ap3g1-k9w7- tar. 124-25d.JA, which does allow it to run without a controller. I know it's not the latest version, but without a service contract I'm unable to access the latest firmware. When I go into the web management console, it only shows wireless N, without letting me enable A/G. The product sheet shows it should do A/G/N - is this just a byproduct of putting the autonomous ios on a 3502, or am I missing a setting somewhere to enable it?
I recently upgraded our controllers to the latest version 7 software, as I read this was one of the requirements to get them to connect. But I am not having any luck getting into a controller. Normally I plug them in to the network, they pop into the controller listed as something like AP5057.a844.xxxx and then I can finish configuring them, but a static IP on them, etc. This is the first of this model AP I have tried to deploy, so I am wondering what is different with these. or what I might be missing in the default config in the WLAN controllers. Niether of which are set to "Master" either.
We have been deploying 3502 APs remotely to locations with full T1s that backhaul to where I sit at HQ. Both the foreign and anchor controller are here at my location.
I am seeking to rate limit per user the bandwidth each client will get on the guest internet ssid. As you know this traffic is encapsulated in capwap between the AP and the controller so I cant use a standard ACL on the switch or router.
We are trying to keep the guest internet access usage in check on the T1 at any given site so the other ssid's & local lan traffic is not overly competing for the bandwidth.
I found the place to edit the default profiles in the controller but the documentation really isnt clear on best practices.
So I put it to you my fellow wireless engineers to suggest how you are implementing bandwidth management on your wireless guest internet.
How to be able to successfully get a Zebra printer QL420 Plus connected to Cisco LWAPP/CAPWAP APs ?We are using WPA2 - PEAP with Verisign Signed Server Certificate.
We have multiple RA VPN groups on a 3845 router.RADIUS authentication is currently happening between the 3845 and a single Windows 2008 server. We have a specific windows group that AD users are members of, and they are allowed to connect via VPN.
I'm creating a new RA VPN Group, which should only allow different AD users. Is it possible to create another RADIUS association to the same server, or do I need to authenticate against a different Windows server?
