Cisco Wireless :: 2500 Series Machine Authentication With IAS
Jun 2, 2013
I have the problem with machine authentication, our customer using Wireless Controller 2500 Series and need implement machine authentication on IAS server. So, as my understand is our controller may not change anything with configuration but we may configure IAS for support machine authentication, correct? but my question is how to? and is it work ?
I have 2500 series wlc which is crashing again and again. I attach the log of crash as well.Also in License location the base-ap-count license " is not in use ".
i am having wirless controller cisco 2500 series. i want to know how many web authentication users i can create in the 2500 series controller with time out option for each users.
i know it will support the web authentication for internet access for the users but i need to know how many it will accept at a time with hours specification.
Do you know if the new 2500 series controller supports things like mobility groups? Could I use 2 of these and do inter-controller roaming. Also do you know if this would work with a 2106 controller and a 2505 controller or are they 2 completely independent controllers only knowing about their own APs??
I want to download the Cisco 2500 Series Wireless Controllers Release 7.3 Software AIR-CT2500-K9-7-3-112-0.aes.I have CON-SMB for it, when I try to download it I am not to download it. I have mentioned the message given by Cisco" The category for this contract does not include the feature or the benefit for software download that you are requesting at the moment, this means that even if the contract is a support assistant (8X5XNBD) does not support the the mentioned feature for you to update the device you need, please refer to your partner directly to be able to acquired a Cisco Service Contract that supports and include the software download feature to be able to upgrade and update your device as you need."Is there any seprate contract for downloading the Software.
My client wants to test their new product with wireless authentication 802.1x EAP TTLS. They have CISCO WLC 2504. Does CISCO WLC 2500 support EAP TTLS, if yes then how to configure. So far I have added Radius TTLS server into my WLC. Under Radius on WLC added radius server IP and key and created new SSID 802.1x WPA+WPA2 ( WPA policy2 and WPA encryption AES) after that under SSID AAAservers selected drop down same server IP. But user tried and didn’t work also we didn’t see any hit on radius server. Yea policy has added on radius. My client wants to use TTLS instead of TLS because in TLS you have to use client certificate on client side but on TTLS you can use certificate on client side but it is optional. So they want to stick with TTLS. But I am not seeing any documentation on TTLS with cisco WLC
The users belong to Multiple AD domains. If we purchase WLC 2500 controller. Can I have one more WLANs authenticate to multiple radius or ad domains? I thought one WLAN/ ssid authenticate to single radius server.
My client wants to test their new product with wireless authentication 802.1x EAP TTLS. They have CISCO WLC 2504. Will CISCO WLC 2500 support EAP TTLS, if yes then how to configure.
So far I have added Radius TTLS server into my WLC. Under Radius on WLC added radius server IP and key and created new SSID 802.1x WPA+WPA2 ( WPA policy2 and WPA encryption AES) after that under SSID AAAservers selected drop down same server IP.But user tried and didn’t work also we didn’t see any hit on radius server. Yea policy has added on radius.
My client wants to use TTLS instead of TLS because in TLS you have to use client certificate on client side but on TTLS you can use certificate on client side but it is optional. So they want to stick with TTLS. But I am not seeing any documentation on TTLS with cisco WLC?My android phone galaxy II has TTLS option under EAP 802.1x, so android devices support TTLS.
I have a customer whom has six LAP1131AG-K9 but no controller and they are interested in one of the new 2500 series, specifically a AIR-CT2504-5-K9 with a 5 AP add-on license to bring total AP capacity to 10. I can't determine clearly if this controller will work for these older AP's prior to them making the jump to 802.11n via the 3500 or 3600 series, looking to the community to confirm.
I am planning to implement wireless network in my work place. Plan is to have two networks one for guests and one for employee. I am trying to find a guide for 2500 WLC but couldn't find one.I've been reading couple of articles about setting up radius server and CA. I want to know what the best way to approach this.In my environment I got a CA server windows server 2003 and current DC's are windows server 2008 R2.I got 2500 WLC with POE switch and 4 aironet AS 1142.
I am planning to implement wireless network in my work place. Plan is to have two networks one for guests and one for employee. I am trying to find a guide for 2500 WLC but couldn't find one.
I've been reading couple of articles about setting up radius server and CA. I want to know what the best way to approach this.
In my environment I got a CA server windows server 2003 and current DC's are windows server 2008 R2.
I got 2500 WLC with POE switch and 4 aironet AS 1142.
we have acs 4.2 as our radius server, and 2 wlc 4404 with a wism2 for our wireless network. we have 2 SSID network, lets call them SSID A and B. A have a more restricted access to server than B.PEAP machine authentification is authorize on both network, to let our users laptop connect before the user login, this enable us to have our computer gpo deploy before the user logon, or have network access to authenticate a user to our directory if he had not logon previously on the laptop.
Users from group A can't logon to SSID B, they can only logon to SSID A, but we have some clever users from group A who have change they wireless setting to only send machine authentification (this can be done in the advance setting of a wireless network in windows 7) to connect to SSID B
We can't force the wireless config by GPO because we don't have an ad 2008 domain, we are still in 2003 soo we can't change the gpo for windows 7 wireless setting . I can't force user to require machine authentification and user authentification because we have a lot of ipad and iphone, and other mobile device that connect using only their user credentials.Is there a way I could configure this without having to disable machine authentification for SSID B?
which differences exist between 7.0 and 7.2 firmwares? I have to decide/choose which of them to run, before continuing to configure my WLAN infrastructure.
My client wants to test their new product with wireless authentication 802.1x EAP TTLS. They have CISCO WLC 2504. If CISCO WLC 2500 support EAP TTLS, if yes then how to configure.So far I have added Radius TTLS server into my WLC. Under Radius on WLC added radius server IP and key and created new SSID 802.1x WPA+WPA2 ( WPA policy2 and WPA encryption AES) after that under SSID AAAservers selected drop down same server IP.But user tried and didn’t work also we didn’t see any hit on radius server. Yea policy has added on radius.My client wants to use TTLS instead of TLS because in TLS you have to use client certificate on client side but on TTLS you can use certificate on client side but it is optional. So they want to stick with TTLS. But I am not seeing any documentation on TTLS with cisco WLCMy android phone galaxy II has TTLS option under EAP 802.1x, so android devices support TTLS.
We are using WLC 2500 and AP 1041 with web authentication. Due to we do not have the trusted/public certificate and want to get rid of the certificate warning during the user login. Is this possible to change the web authentication method from HTTPS to HTTP.
I have set up an ACS (5.2) to do EAP-TLS Machine and User Authentication.I am getting intermittent results with the machine authentication using the same laptop as a test client.When the machine authentication succeeds the RADIUS name shows as host/xxx-yyy.When the machine authentication fails the RADIUS name shows as xxx-yyy without the host/.
I have 802.1x/peap authentication in my wireless network with ACS 4.2 as the authentication server. I enabled PEAP machine authentication under the Unknown user policy --->database configuration sub-menu. I discovered that I was still able to access the wireless network on my android phone with my domain logon. I later discovered that there is an option in Group policy to force Windows XP clients to perform computer authentication. Now the problem is that windows 7 clients do not have the EAPOL option in the registry, hence the group policy object may not work. How to enforce machine authentication and stop unwanted devices without having to purchase a NAC server.
I am currently authenticating wireless clients using PEAP User Authentication through a Cisco Wireless LAN Controller and Cisco ACS 4.2, which points to a Microsoft Active Directory external database. This does not keep users from configuring thier personal devices with thier Active Directory login information and connecting to the corporate wireless network. I can setup a client to use a certificate, machine authentication and user authentication, but I havent been able to REQUIRE the certificate and or machine authentication to authenticate to my wireless network.
>I now have the Windows External Database Configuration, ACS External Database setup with Enable PEAP Machine Authentication and Enable machine access restrictions. With the client configuration set to use Computer Authentication, it passes the authentication through ACS (and AD), but the client can also be configured for User Authentication and also pass authenticaiton. Is there a way to only require Computer Authentication through a Cisco WLCCisco ACS?
I have configured ACS 5.1 to check AD domain computer accounts then permit access, the next rule authenticates AD domain users and checks machine accounts with WAS MACHINE AUTHENTICATED "TRUE" permit.
My dilemma - Windows XP supplicant work fine and I can see the host/machine (Wireless device) authenticating followed by user credentials, but when I use the Intel Pro/set supplicant version 12.1 the same device fails authentication due to ACS not being able to verify a good previous machine authentication?
Is this problem ACS related or down to the Intel supplicant.
Running ACS5.2, Windows XP Pro, Window Server 2003 and Cisco Anyconnect Client. When the machine name password changes between the PC and the AD server the ACS will error out with "24485 Machine authentication against Active Directory has failed because of wrong password".TAC has been working with us on this and sees the error in the logs but does not have an answer on with to do to solve this. It has the same problem with Wireless Zero. Once the PC is rebooted the error goes away for 30 days. We are in a hospital setting so this is a not just a minor problem
we have a customer with a wifi deployment aruba 3600 controller based. Corporate SSID authentication is EAP-TLS double machine and user authentication through ACS 4.2 against AD and Microsoft AC PKI infraestructure based; it was working ok. After migrating from ACS 4.2 to 5.2, both authentication (machine and user) are reported as succeed by ACS but aruba controller does not recognize machine authentication. It seems that controller sees two authentication users and not an machine followed by and user one. We have revised configuration in detail and it seems correct. We begin thinking it could be a bug .
A PC with a machine cert gets connected to a switch running 802.1x. The switch uses EAP with .1x to query PC, handing this off to ACS, that bit I'm ok with. The ACS needs to query the CA server to authenticate the PC, its this process I'm not sure about.
Reading the documentation I think that I need to configure LDAP between the ACS and the CA, which is running on 64-bit 2008 server. But, ACS SE remote agent is 32 bit only.
Is this correct, if so how do I get ACS SE to communicate with a 64-bit 2008 CA server?
Any good guide for configuring PEAP with Machine Authentication to allow for domain login?This is a clean install on a new 5.2 install.We are moving from 4.X to 5.2 and i want to make sure i dont miss anything.
I am trying to setup up a rule to allow wireless access only to users in my AD when they use computers from my AD.I have Machine authentication working on it's own (computer boots up and connects to wireless - confrimed by ACS logs) I have User authentication working But when I try to creat the floowing rule:it does not work.
Is there a way to authenticate a windows computer in ACS 5.2 for 802.1x only with a certificate.The Computer is from a different active directory than the one that is configured in ACS.I tried importing the cert into "external indentity Stores" > "certificate authorities", then setup the computer to use smart card or certificate, then selected the certificate from the other AD.when i look at the ACS log, here is the message i can see: 22044 Identity policy result is configured for certificate based authentication methods but received password based
I am using ISE 1.1.3.124.My first question:I want to know the relation between the attribute "WasMachineAuthenticated" and the MAR (MAchine access restriction in advanced setting for AD).Is-it the same or not ?Once you time out, you need to do machine auth again. What is the timer ?Using the attribute "WasMachineAuthenticated", is-it the same timer that you configure in MAR ? In a distributed environnement, is the information about machine previously authenticated replicated to all policy node ?Because, if a swicth has 2 radius-server, we are not sure that it will point everytime to the same server.