i'm having some trouble pushing CLI templates to controllers in my lab. i get an invalid credentials error but it is random. sometimes i can push the template fine but 30 seconds later if i push the same template it will fail with error. several minutes later try it again and it fails. i have verified the credentials by reconfiguring them consistantly accrosss the devices but if the credentials were actually wrong it should fail every time, not intermittently. there are also 2 controllers i am testing this against and it is also random which controller fails. on the instances where i don't get the credential error my CLI template fully executes without error.
i am using WCS 7.0.230.0 on WIN2K and two 4400 controllers running 7.0.230.0.both controllers are configured with SNMPv3 and SSH. telnet and lower versions of SNMP are disabled.
I am setting up a new ASA. Actually it's an old 5510, but this is a new temporary install until the one we ordered comes in. Everything is working except for SSH. I have SSH open on the inside and outside interfaces and I get a prompt when I try to SSH to it from either the inside or outside. But after I put in my username and password it tells me that my credentials are invalid. I am using a local username/password, not AAA and it accepts that username and password for the console. Console and telnet (password only) both work so I can get in to make changes. When I debug SSH, the error states that my username and password are incorrect. But this happens even when I create a new, simple username/password to test. I've even gone so far as to copy/paste the username and password into the login window just to be safe (making sure I don't copy spaces, etc). Below is a copy of the SSH Debug output followed by a sanitized copy of the config. I have AAA configured for remote VPN users, but not for access to the ASA. Also, this problem existed before I created the AAA settings for the VPN users. Also, I have zeroized and regenerated the RSA keys a couple of times to no avail. [code]
How to upgrade from LMS 3.0 December 2007 update to LMS 3.1 or LMS 3.2. The problem is the large number of C2960S-24TS-L switches that my organization has and cannot managed them.. I tried to upgrade devices through Software Center but always Ciscoworks informs me with the following message."Error while downloading package information from [URL] for the selected products. See the log file for details". Also i can not run EOL/EOS inventory report. The message is " INVREP0102: Cisco.com user credentials are invalid. Enter correct credentials." I check my credentials and is right. The server has access to www through proxy without any restrictions. In the past I've already updated devices through the software center. Also in the past i ve run EOS/EOL inventory reports.The LMS 3.0 December 2007 has the following products LMS3.0.116 May 2008
I tried to deploy configuration templates with Cisco LMS Template Center, due to the 10 Cool LMS Tricks to better manage your network i am able to do it now.Just i don't know why, after deploying these templates the configuration is not save to the startup-config.another problem i have with the snmp-server location configuration. It seems my template does not support spaces in the textbox. Any way to put spaces in the snmp location?
<parameter name="snmp-location"> <description>SNMP Server Location</description>
how to configure netflow on cisco 12410 router in order to get valid FLOWS on a Harvester i installed, i found a documente where mention how to configure but i receive an unknow template from routers, i think that i need to configre something else but dont know what, this is the router configuration i set:
Creating several Inventory-Report Templates via Report Designer I was asking myself how to export/import these templates for use on other systems, performing backup.
To enable our receptionits to print a guest user ticket on a small A8 ticket printer I'm looking for a way to adjust the layout and formatting of the guest account credentials page.
I have searched through the javascript and css files but with no success.
We're using ISE's Sponsor/Guest Portal function.We customized the english default lanuage template.But we do not want to translate/customize all default language templates.How can I disable/remove the unwanted templates? (The delete button is disabled for them)Otherwise our users would be able to select templates that are not customized.
I need to Upgrade my NCS to version 1.1.0.58. Actually my NCS is in the version 1.0.1.4 and i have a lot of templates configured and 1500 Access Points applied.
I have 5 WLCs and will do too the upgrade in the WLCs to version 7.2.130.0.
Will I lose some configuration with these upgrades ? Because the version 1.1.0.58 has more features than version 1.0.1.4 in the NCS and the WLC was adjusted some bugs.
The configurations that i has in the NCS version 1.0.1.4 is H-REAP and in the version 1.1.0.58 will be the FlexConnect, theoretically is the same, but i don't know if the configuration is the same in the two versions.
Can i do a downgrade in the NCS from version 1.1.0.58 to 1.0.1.4 if i have problems ? I was looking for a document who show how can i do this, but i didn't find nothing about.
Does WLC 5508 has capability to create login credentials with specific time of validity? Could it be used in hotel set-up to provide prepaid access account to guest?
I need to edit device information for multiple devices using feature Edit Credentials. I'm not able to overwrite all device credentials using a new set.
I recently tried to deploy an ACS appliance with version 5.2 installed on it for a customer.
After setting up the WLC to use the ACS as a radius server, and successfully testing connection from the ACS to the AD, I get an error message " 12321 PEAP failed SSL/TLS handshake because the client rejected the ACS local-certificate" anytime a client tries to connect to the network.
This is surprising because I had already generated a certficate for the ACS from a CA and binded the CA signed certificate with the ACS, I also specified the CA in the client machine's wireless properties and checked the "validate certificate" button.
When I tried to connect using the internal identity store, the client was successfully authenticated without any certificate issues.
I have a problem when doing this report. If I do a device credentials report on a user defined group (40 devices) 11 of these devices fails to connect via SSH. I can make an SSH connection to all 11 devices from the CiscoWorks server, but 11 devices still fails on the report
Device Name Read Community Read Write Community SSH 1. 149.212.XXX.164 Ok Ok Failed to connect. 2. 149.212.XXX.153 Ok Ok Failed to connect. 3. 149.212.XXX.152 Ok Ok Failed to connect. 4. 149.212.XXX.151 Ok Ok Failed to connect. 5. 149.212.XXX.150 Ok Ok Failed to connect.
We have a Linksys WRT120N wireless router set up at one of our small offices. I noticed recently when trying to log in to the router to make some admin configurations that it will not accept the login credentials when trying to log in from IE10 browser. Works fine from Chrome, IE9, ect. logging in to a linksys router with IE10?
I am trying to copy a setup from a Nortel IAX100 where the carrier provides two ATM PVC's over ADSL - one for voice (VoIP) and one for data (IP). Relevant lines from the backup of the IAX's configuration include the following for the PPP authentication over the voice circuit:
The null username and password for the PPP connection have me a bit stumped. Does the PPP connection not use any authenetication at all? (Is that possible/likely? How could I deubg it?) Or does does the IAX100 supply a chap/pap response with null credentails? (If so, how would I duplicate that using an instruction to a dialer interface?I am configuring an 877 with 12.4T and advanced IP services.
We have a building with 6 Cisco Airnet 1140 connected to a Cisco 2100 WLC, all tied into a nice Central Certificate server and a Win2008 NPS/Radius server on a Win2008 AD. Our trusted PC wireless access is fine, with domain laptops with certificates authenticating with DHCP all round the building. We use GP to apply settings to an AD integrated Proxy server for internet access.
The problem I now have is with guest access...
We are an education establishment, so students could turn up with anything from a laptop to an iPad to an Android phone, which immediately rules out using proxy PAC files to configure the proxy.
What I really want is a method of using the radius to verify the guest user against their existing AD user account, which I believe is possible. The one snag we have is in order to avoid the user having to configure the Internet proxy we would have to switch it to a transparent mode, which immediately restricts our ability to report on AD username, we would only have an IP address to report on, which is next to useless!
We've looked at a Gateway product (Astaro), which integrates the Filtering onto the Gateway, but the downside is that you have to use their APs, so we would be replicating existing work, whilst also managing two filters.
I'm trying to configure WLAN authentication on my WCS to prompt users about their credentials.I'm using a Windows 2008 NPS as Radius server but I can also use a Cisco ACS 3.3 if needed.With each setup I tried, the credentials are sent automatically to the Radius server using the Windows user session credentials.How can I force the WCS to ask for a username and password before sending them to the Radius Server ?
I have been reading article url....wp1430161 and I am trying to get my head around the type of port authentication Methods & Modes I am going to require for a Proof of Concept using a Cisco ISE as the Authentication Server.
The switchport will have a single IP Phone in a Voice VLAN and then a Single host in a Data VLAN. Reading this article, I think I should be configuring "802.1x" authentication method using "Single Host" Mode.
However will that support a Downloadable ACL dependent on the user credentials? And will it allow a restricted ACL to be downloaded if authentication of the Machine or the User fails.? I dont really want to create & manage Guest & Remediation VLANs with thier respective ACLs on every switch in my enterprise, including our remote branch offices.
I have ACS4 and i am planning to upgrade to ACS5.I would like to have such a rules:I have user1, one ASA device which is VPN concentrator for remote users.ASA have two different tunnel-groups: one which allow for logging via certificate (with mandatory pki authorization thru ACS) with disabled Xauth,and second tunnel-group with allow login thru typical Xauth with authorization thru ACS which users external database (RSA Tokens).So i have one user1 which can login thru VPN using RSA tokencode or certificate.For example: on phone user1 uses certificate, and on PC station the same user1 uses token password.For tunnel-group with pki authorization ASA checks username in ACS and in typical scenario login="CN from certificate" and password="CN from certificate". So we would need "two credentials" for the user - one for pki authorization, and second one external database (RSA token).Is such scenatio possible under ACS 5 ? where one user uses different credentials based on tunnel-group usage ?
I have a 4400 WLC for 100APs running the 7.0.98.0software version. Now, only 48 APs are joined, and the WLC dont accept new joins. The log below are from my WLC but appear for all others APs:
%LOG-6-Q_IND: spam_lrad.c:1440 Discarding discovery request in LWAPP from AP 00:3a:98:ae:e3:f0 supporting CAPWAP%LWAPP-6-CAPWAP_SUPP_VER: spam_lrad.c:1440 Discarding discovery request in LWAPP from AP 00:3a:98:ae:e3:f0 supporting CAPWAP%CAPWAP-3-TX_ERR: capwap_ac_sm.c:1966 Failed to transmit discovery response to AP 00:3a:98:ae:e3:f0%CAPWAP-3-ENCODE_ERR: capwap_ac_sm.c:2269 Failed to encode Discovery (code)
i have a existing wireless network setup in my office existing wlc in 4402 and LAPs are 1130 & 1242 all are working fine but we are now planning to use new 5500 series controllers for the same access points,i want to ask that how i can done this job with very minore downtime and users disconnectivity + zero error results??
We have a WLC4400 controller with about 30 LAP. We moving to a new IP scope and was wondering what is the best way to change the IP address of the controller. We have tried doing this via GUI however we have to power cycle the controller to get it back online using the old ip address.
I was wondering if there was a way to import a large number of mac addresses into the MAC filtering of a Cisco WLC 4400. We recently purchased 150 new Mac laptops and I need to add them to the Mac filtering. I have 5 WLC's to do this to.I already have the MAC addresses and names in a spreadsheet.
According to product bulletin no 3209 for the Cisco 4400 series, the Access Point supports 802.11e WMM.
My question goes to DSCP mapping, according to IEEE and your bulletin the DSCP field in the IP header should be set to 46 (10110 00) for mapping to a 802.11 QoS voice priority 6/7.But my Wireshark trace revealed 4400N is mapping toward with 802.11 QoS is set to Priority 5 Video.
If I google DSCP mapping toward 802.11 QoS all IEEE documention I found says EF /Voice should have 46 or 101xxx in the DSCP IP field but running through Cisco and HP docs gives 46 or 48 as value, that is the correct value. [code]
We have 4 x 4xxx WLCs setup in our Core. I just created an AP group in one of WLC and in theory I should see that AP group in the other 3 x WLCs
For some reason, I do not see that AP group appear in other 3 x WLCs. Very much appreciated if someone could point me to the right information or trouble shooting steps.
