Cisco Wireless :: 3502 - AP Authentication Via ACS
Apr 2, 2012
Just a basic question regarding MAC based authentication of AP with ACS. The scenario is - If I have an ACS installed and I want all my Cisco 3502 APs to be authenticated on MAC basis via ACS. I know that the AP MAC is used as a username and password at ACS so that whenever we plug in the new AP in the network, it gets authenticated via ACS first and if the AP is authorized to be used in network then only it gets the IP address from DHCP.
My question is - What will happen if the AP is connected in local mode on a remote location and the WLC, ACS & DHCP are in the Data center? The traffic coming from the remote location will pass through the Remote-site router and during that pass, it will remove the source MAC address of the AP and put the router interface MAC address as source, so how will the ACS authenticate the AP in that case?
When working in a LAN I know it's possible, but how will it work over the WAN?
Nov 14, 2012
I have a Cisco Wireless LAN Controller AIR-CT5508-K9 running Software Version 7.0.98.218. This WLC has registered ten AP model 1240. Now I have configured five CAP3502 with static capwap commands. When I connect the CAP-3502 in the network, in the WLC I see the status "downloading", then the CAP restarts, and the console shows the message *Mar 1 00:15:39.033: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER, and the CAP3502 is never registered in the WLC. [code]
Feb 8, 2013
I have a 2504 controller with 7.0.116.0 software and some 3502 APs. I am also using 5 APs now, and a few days ago I bought some additional 3502 APs and I can't get them connected to the controller. My company admins decided to use DNS controller discovery instead of using DHCP option 43. I'm connecting APs to access ports of Linksys switches and the APs are not in the same subnet as the ap-manager interface of the controller. The AP successfully gets IP and DNS from DHCP and could ping cisco-capwap-controller. However, I have such messages.
*Mar 1 00:12:32.014: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.Not in Bound state.
*Mar 1 00:12:40.533: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination.
I can successfully ping the controller from the AP:
AP30f7.0d2e.9a58#ping cisco-capwap-controller
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.23.16.30, timeout is 2 seconds:
May 12, 2012
There are a total of 25 Cisco 3502 APs installed. 24 APs were discovered except for 1 AP. I ran SH CDP NE on the switch and the AP was discovered by the switch but it does not have an IP address. On the output of the SH CDP NE DE, I noticed that on the AP that is not joining, the Platform is "cisco AIR-SAP3502E-E-K9" while on the APs that joined the WLC, the Platform is "cisco AIR-CAP3502E-E-K9". The software versions are also different but this could be because the WLC already upgraded the IOS when the APs joined. Why is the Platform "SAP3502E" for the AP that did not join?
Mar 15, 2012
Using WISM with 7.0.220 and 1240 and 3502 APs. Just found that some of our 3502 APs didn't enable their Clean Air and CDP when installed. This only happened on a few new APs. But the area these APs where we seem to have had a few problems with PCs. The only PCs affected were Computer On Wheels (COWs), Dell 780 Desktop with a Cisco Wireless Card.
Using an Intel wireless card and others in these areas worked. Once I enabled the CDP and Clean Air, the COWs worked. My question is: with the APs not having CDP enabled, could this affect the Cisco wireless card in the COWs?
Oct 7, 2010
I have a Cisco WLC5508 controller which I recently upgraded to software 7.0.98.0 because I tried to add an Aironet 3502 and it gave me an invalid software. After the upgrade this is the error I get from the AP when I try to add. [code]
Jan 27, 2013
Our newly installed WAP's are constantly downloading code and seem to lose contact with our wism 1 version 7.0.235.3, causing them to restart the downloading process, over and over.
Jan 31, 2012
We have a secure ssid and a guest ssid. Is there a way to prompt for a single username and password and if that name is guest it will automatically connect to the guest ssid? If active directory user and password it will automatically use the secure ssid? We are using Microsoft NPS/Radius, 3502 APs, and 5508 controller.
Aug 9, 2012
I found the 3502 WAPs are plenum rated, I found the cables on the antennas are plenum rated, but are the antennas plenum rated?
AIR-ANT5160NP-R?
AIR-ANT2451NV-R?
AIR-ANT2460NP-R?
Jul 5, 2012
I have one 5500 and about 15 Cisco 3502 APs.
The problem is that one of the clients loses the connection to the network from time to time. The error in the WLC log is
*Dot1x_NW_MsgTask_0: Jul 06 17:42:38.934: %DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:843 Received EAPOL-key M2 msg has invalid information when mobile is in START state - invalid secure bit; KeyLen 24, Key type 1, client 00:21:6a:af:be:70
Oct 19, 2011
I have got a 3502 set up and functioning in Office Extend mode. I have found one issue though. I have to set the checkbox on my Management Interface to Enable NAT Address and put the external address in the box. Once this occurs no internal APs can join the controller.
Need setting this up with a single controller behind a router and not having to set the NAT Address for the Management interface? Should I setup a second interface on the controller to be for external management?
Mar 5, 2013
I have a 3502 AP that I am attempting to set back to factory default including clearing the username and password. It is going to work off of 4400 controllers. I have read numerous documents on how to clear the config and password but so far nothing has worked. I can get it into ap: mode but not sure what to enter here. When I do a dir there doesn't seem to be any files. It will pull an IP address via the local router but cannot communicate with WLC.
Feb 7, 2013
I am trying to configure a 1242 or 3502 WGB with PEAP. There is no ACS server involved as Windows RADIUS is used. I can get the WGB to work with OPEN Authentication but when I attempt to add in the authentication/security piece I get "no association." Below is my current config. The WLAN is set to use WPA/WPA2 802.1x + CCKM.
Current configuration : 1812 bytes
!
! Last configuration change at 00:56:39 CST Tue Mar 2 1993
version 15.2
[Code].....
Sep 25, 2012
We have installed a number of Cisco Wireless 3502-07 in China and I cannot get the Clean Air Oper status to change to UP. At the moment I have ERROR. I have tried to disable and enable the Clean Admin Status from the Access Point 802.11b/g/n and then select the AP and change configuration.
Oct 24, 2010
I am trying to locate the radiation pattern for a 3502 with an internal antenna. We have some high ceilings so the elevation pattern could impact our placement strategy.
Mar 2, 2012
I bought a used Aironet 3502 (air-cap3502i-a-k9) on craigslist last week and the seller said it was set up for autonomous mode. It has ap3g1-k9w7-tar.124-25d.JA, which does allow it to run without a controller. I know it's not the latest version, but without a service contract I'm unable to access the latest firmware. When I go into the web management console, it only shows wireless N, without letting me enable A/G. The product sheet shows it should do A/G/N - is this just a byproduct of putting the autonomous ios on a 3502, or am I missing a setting somewhere to enable it?
May 20, 2012
I recently upgraded our controllers to the latest version 7 software, as I read this was one of the requirements to get them to connect. But I am not having any luck getting into a controller. Normally I plug them in to the network, they pop into the controller listed as something like AP5057.a844.xxxx and then I can finish configuring them, put a static IP on them, etc. This is the first of this model AP I have tried to deploy, so I am wondering what is different with these, or what I might be missing in the default config in the WLAN controllers. Neither of which are set to "Master" either.
Jul 30, 2012
We have been deploying 3502 APs remotely to locations with full T1s that backhaul to where I sit at HQ. Both the foreign and anchor controller are here at my location.
I am seeking to rate limit per user the bandwidth each client will get on the guest internet ssid. As you know this traffic is encapsulated in capwap between the AP and the controller so I can't use a standard ACL on the switch or router.
We are trying to keep the guest internet access usage in check on the T1 at any given site so the other ssid's & local lan traffic is not overly competing for the bandwidth.
I found the place to edit the default profiles in the controller but the documentation really isn't clear on best practices.
So I put it to you my fellow wireless engineers to suggest how you are implementing bandwidth management on your wireless guest internet.
Oh and here is my hardware & software levels.
5508wlc - foreign
4402wlc - anchor
Software Version 7.0.230.0
Feb 21, 2012
I try to replace WLC because the old wlc (7.0) is capacity full, but the AP (3502) do not "registered" to new WLC (7.3). If you have an idea, without make a reset factory to AP.
Mar 11, 2013
I try to replace WLC because the old wlc (7.0) is capacity full, but the AP (3502) do not "registered" to new WLC (7.3). Don't want to make a reset factory to AP.
Oct 8, 2012
I have 2 SSIDs being broadcasted out in my campus, one for computers, Macs etc. and the other for just cell phones. Is there a way we can restrict the cellphones from not connecting to the SSID used by computers? I do not have an identity management system like ISE. My controllers are WISM2 and I use 3502 APs.
Following is the detail from one of my controllers
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.2.110.0
Bootloader Version............................... 1.0.16
Field Recovery Image Version..................... 7.0.43.32
Firmware Version................................. FPGA 1.6, Env 0.0, USB console 2.2
Build Type....................................... DATA + WPS
Feb 25, 2013
I am in the process of migrating from ACS 4.1.1.23 to ACS 5.4. I have migrated our users and Network Device Groups and configured external Identity stores like AD and RSA. I want to authenticate our Wireless users with AD and VPN users through RSA. I am unable to create policies to get this up and working.
Feb 9, 2013
There is a feature in WLC 7.3.0 like Configuring a Fallback Policy with MAC Filtering and Web Authentication. We have an option to configure MAC filtering and we can create a policy that if MAC filtering fails redirect it to web authentication.
Here I am using MAC filtering only for my MAC caching process. But when I tried this it's not working.
My MAC address is not there in the WLC, so it should prompt me the web authentication page. But it's not happening. As long as my MAC is not there in the table, I am not able to connect to the SSID.
So what is this feature (Configuring a Fallback Policy with MAC Filtering and Web Authentication) meant for?
Jun 13, 2012
Error: AAA Authentication Failure for UserName:radiususername User Type: WLAN USER
I am using a Windows RADIUS server. I have added my WLC 4402 as a RADIUS client on my RADIUS server.
I followed the instructions on the MS link : [URL]
I want to use my Windows RADIUS authentication for WLC management login and Web-Auth for guest WLAN user login.
Sep 23, 2012
I have a small wireless network, which consists of three AP1121G with c1100-k9w7-mx.123-8.JEB1 ios and one 871w with c870-advipservicesk9-mz.124-24.T1. I've configured two different ssid's with individual authorisation types - ssid_1 with eap, ssid_2 with wpa. All three APs work as they should, but the 871w authorises only eap connections, and all other types are rejected.
Apr 4, 2013
I want to disable the MAC authentication that is configured in my Aironet 1200 Cisco Access Point, now set to "Local list only". I want that any wireless device can connect if the user knows the wep password.
I cannot find the option to disable the MAC authentication.
Dec 18, 2011
We are attempting to use LDAP for web authentication on a WLC 4402.
[URL]
You are able to connect to the SSID and it redirects you to the login page as it should. When you enter your username and password you get a message that "the username and password combination you have entered is invalid." Based on the following log it looks like the LDAP bind is the issue.
*LDAP DB Task 1: Dec 19 11:19:26.584: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
We are able to test the following configuration with ldp.exe successfully,
Server: ***.***.***.***
Port Number: 389
Bind Username: CiscoBYOT
[Code].....
Feb 27, 2013
We're not getting the authentication webpage from the WLC. Normally the webpage would appear with a 1.1.1.1 url and you are presented with the username and password boxes. It authenticates those, which are Active Directory credentials, and lets you in. Now we're not getting that page at all, just the browser message about unable to display. I've physically checked the WLC card in our 6500 and lights are green, no alarms, and I'm able to log on to the WLC as well. I was told someone had rebooted the controller to try to resolve the problem but it's still the same. Is it the case that the web page has just stopped and needs to be restarted somehow?
Jul 24, 2012
I am designing wireless controller solution for one of our customer network with Cisco 5500 series controller, wireless client authentication part.
1. There are 25 departments around the campus, each will be given one or two access points.
2. One Cisco AIR-CT5508-50-K9 Controller shall be used.
3. Single SSID/ VLAN shall be used for entire campus.
4. Wireless Authentication credentials used by one department shouldn’t work for other department
Sep 9, 2012
How do we configure our controllers/radius-servers to use MAC-addresses instead of authenticate against a certain group in the AD? We would, if possible, like to combine these two ways of authentication in one SSID. We're running 7.0.116.0 on our controllers (5500-series) and our radius-servers are one W2k8 and one W2k3.
Feb 29, 2012
I have a new WET200 wireless bridge and cannot authenticate to our WPA2 EAP-TLS freeradius server. Here are the steps that I have taken so far:
1. Renamed my pkcs12 client certificate to .pfx extension and imported it into the WET200.
2. Used the client certificate import password as the "Private Key Password"
3. Typed in the client "Login Name"
The freeradius server recognizes the WET200 with the entered credentials but will not authenticate. The freeradius debug log gives the following error:
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x3e833be03884222b... did not finish!
WARNING: !! Please read [URL]
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Normally, with other wireless devices the CA (certificate authority) certificate needs to be installed to the client as well as the pkcs12 client certificate? Is there a way to place a CA and client certificate into the WET200? What is the proper method to install certificates into the WET200 for FreeRadius EAP-TLS authentication?
Apr 4, 2013
We have a WLC 2504, since a few months, it was working fine, we have a guest Wlan configured with web authentication and the DHCP scope for this in the WLC. The problem today is that it's not redirecting the web browser to 1.1.1.1, we tried it with 3 laptops and they receive a correct IP from the DHCP but still cannot get redirected to the web authentication portal. Have the default configuration Internal (Default).
In the laptops we checked the firewall, don't have a proxy activated and have google DNS: 4.2.2.2 8.8.8.8. In fact these laptops connected to this ssid before.
Sep 8, 2011
How can I remove webauth files from WLC? I have a few versions of login.tar file used for web-authentication. After uploading a new login.tar file, the WLC still shows old webauth bundle files. I tried to remove customized webauth login from wireless LAN, issue clear webauth-bundle and show>custom-web webauth-bundle WebAuth Bundle does not contain any files but when I upload a new login.tar that does not include files from the previous login.tar, I still get the old webauth. Is it possible to delete extracted webauth files from the controller using CLI?
WLC is running 7.0.116.0 code.