I've set up several local network users (Security > Local Net Users) on the WLC (5508 running 7.0.98.0). Whenever I try to connect with one of these user accounts (I'm testing this out for now), the attempt is unsuccessful and I see an "AAA Authentication Failure for UserName: xxxxxxx User Type: WLAN USER" in the Trap Log. I thought that after trying to authenticate through a RADIUS server, the local user database would be polled and then a user account in that database would be able to authenticate.
I have been noticing in my trap logs that there are an excessive amount of Client Association/Authentication Failures. I cannot figure out why. I have a Cisco 5508 WLC with 81 AP's (1131ag, 1142abgn, 1262N) models. The wireless devices are on a Windows Domain and use 802.1x EAP authentication, authenticating the user and computer info with a RADIUS Server. I look at the logs and all it can tell me is Reason:Unspecified ReasonCode:1. I read that the Reason Code is due to "Client associated but no longer authorized" but to be honest I am not sure what that means.
Just installed 2 E4200v2's for a customer today. Was very optimistic because they worked great in my lab, both for my Win7 laptop a MacBook. And after installing 1 on-site and testing w/ my laptop, it worked fine.BUT problems arose when I installed both at the same time (I don't think I ever did this in the lab) and then I tested some computers. Every computer that I tested (except mine of course), cannot authenticate correctly using the WPA2 password.
For the Mac's they get the error "The wi-fi network... requires a WPA2 password" then after entering the *correct* pswd, it says "Invalid password". They're a Mac shop, but I did try one other Win laptop and that also had a problem, and the error was something like "security mismatch" although I was rushed and didn't write it down.
I am having issues registering Cisco 3502 APs with a WLC 5508. They initially register and then disassociate with the controller and fail to re-register. Is it possible to telnet to AP and factory rest the AP. I get connection refused when I try
I have implemented a Guest WLAN solution as per the recommended design from Cisco. We have two internal WiSM2 controllers providing services for Internal secure SSIDs. Both these controllers are members of a Mobility and RF management group.
Two 5508 controllers have been installed in our DMZ for resilience and have been placed into a separate Mobility group. All controllers (internal and external) have been linked together as mobility neighbours in a full mesh and a new SSID for Web Guest traffic has been anchored to the controllers in the DMZ.
Web page authentication works perfectly fine, but I cannot for the life of me get the MAC filtering override to work, i.e. if a MAC address is present, do not redirect to the splash page for web auth. I know I can get around this by just creating two separate SSIDs. But the business is used to just having the one SSID for all guest traffic. Is this a known limitation when anchoring SSIDs to controllers in the DMZ ?
I have implemented a Guest WLAN solution as per the recommended design from Cisco. We have two internal WiSM2 controllers providing services for Internal secure SSIDs. Both these controllers are members of a Mobility and RF management group.
Two 5508 controllers have been installed in our DMZ for resilience and have been placed into a separate Mobility group. All controllers (internal and external) have been linked together as mobility neighbours in a full mesh and a new SSID for Web Guest traffic has been anchored to the controllers in the DMZ.
Web page authentication works perfectly fine, but I cannot for the life of me get the MAC filtering override to work, i.e. if a MAC address is present, do not redirect to the splash page for web auth.
I'm using the Cisco ANM 5.2 version and I'm trying to import the configurations from ACE modules of Cisco switches. The first step is to import the configuration from Cisco switch and the second one is to import the ACE module in the ANM software. I'm getting an authentication problem to import the configuration from Cisco switch and of course I cannot import the ACE as well. The switches and the ACE are using AAA authentication and I have created a specific username to authenticate and import the configurations in the ANM. If I remove the AAA configurations from the switches and ACE modules it works fine.
Is there some problem with the AAA configurations in the switches or ACE module?
I am trying to get CiscoWorks LMS 4.0 to connect to my routers in order to back up configurations, but I am getting SSH authentication failures reported in the router logs (and archiving fails).
The credentials LMS is using is a username and password with priviledge 15: the account is established in TACACS+. I can log into the devices directly with this user account.However, I cannot TFTP from the routers to the LMS either (I get a permission denied message in the router).
LMS did manage to fetch some configs, but 90% of my devices are having this issue.
I have configured an Asa 5510 as SSL vpn gataway ver 8.2(4) Anyconnect Essential. The clients are authenticated via Radius and OTP password.All work well since yesterday. When I have did same configuration changes. My objective was has that the clients accept the self signed certificate issued by the Asa whitout give the warning about the private cert.
So I have try to generaste a new certificate with FQDN equal to myasa.mydomain.com and also a CN=myasa
Then I have change the profile XML file of my anyconnect in this way: [code]
I've my ACS linked with AD to give administration access to few network devices and I've created an access policy to link my AD groups with those network devices and command sets.
Unfortunately I found I can use any user from my AD to login to my devices. Only LOGIN, the authorization definition is restricting the command set for those users.
How can I restrict the LOGIN to an specific AD group?
I have a Cisco Small bussiness RV120w and I setup the radius server , WPA2 Enterprise with a windows 2008 NPS radius server . The big problem is that the authentication fails .This is the error that I see in event viewer / server roles / Network policy and access services: reason-code 49 "The connection attempt did not match any connection request policy".The radius key is matching between the server and the client . The radius server is reachable and I don't find any routing issues .Does anybody tested this router with this type of wireless security?
we have ACS 4.2 and 2851 router with IOS 15.0(1)M4. There is authentication failure with error no 254. Is there any compatibilty issue with 15.0(1)M4 IOS
We've recently boughten new equipment to upgrade/replace some of our aging wireless hardware. We're moving to a pair of 5508 controllers and changing over to ACS 5.4. Currently we're just doing MAC filtering with ACS 4.2 and local users. I'd like to move most of our SSIDs to some type of AD authentication. Are there any all encompassing guides that layout the design behind that? So far I haven't had much luck finding one!
Also, would it be possible to maintain some of the local ACS users/MAC filtering? We have some mechanical equipment that connects to our network (separate SSID) but cannot join a domain.
I having some troubles with Web Authentication in a WLC 5508 version 7.2 to make authentication with the corporative phones, ANDROID GingerBread 2.3.6 model SAMSUNG GT-S7500L. When I try to connect to the VisitorsWirelessLAN in order to authenticate with web authentication the page never comes, in fact the phone never gets the IP. I have an iPhone and I have not problems, I have a Samsung Galaxy S2 with ICS 4.0.1 and works perfect, is only with gingerbread
Can we configure the wireless controller 5508 to authenticate the clients using both of MAC address Filtering (layer 2 security) and Web authentication (layer 3 security). and what is the difference between (Web policy --> authentication) and (Web policy --> on MAC filter failure)
I have a question about ACS RADIUS authentication with Alteon 3408 L4 Switch.
I configured a ACS 4.2.1(build 15 patch 4) software for windows on Windows Server 2008 Server STD.TACACS authentication with CISCO product was successfully passed.but RADIUS (IETF) authentication with NORTEL 3408 Switch was failed. ACS Authentication Failure Code was a " ACS password invalid "
I read the post that RADIUS VSA is needed in my environment.but i can not search any sample Nortel VSA dictionary configuration. Need Notel specific VSA configuration.
We just got a new 5508 wireless controller and the question we have is : can we get wireless users to authenticate to an Active Directory server to get access to the network? I know we can get the authentication done with an RSA server, but what about plain AD?
We are using WLC-5508 in our corporate. For authenication we have implemented ACS with LDAP configured as external user database. We can able to get authenicated for Web based authenication. When it is configured for EAP-FAST, authenitication is not happening.
I'm working on a project where a wi-fi client is tracked and located using RADIUS authentication requests. The problem I'm running into is that the WLC (5508) sends an RADIUS authentication request to my freeradiusd, which is ok so far, but if the client roams to another accesspoint (3602AG, 1131AG, 1252AG), the WLC does not send a further RADIUS auth. request - and the client is allowed to connect to the next ap.Is there an option like RADIUS-cache which I can disable, so that the WLC sends everytime an authentication request when a client tries to connect to an ap or roams from one ap to another one?
I am setting up a WIFI network with a Cisco 5508 controller. I want to configure a first WIFI network (WIFI1) that will authenticate my business laptop based on the AD computer accounts and will access my corporate network.I want to setup a second WIFI network (WIFI2) that will authenticate my phones and tablets devices with AD user accounts and will be on a separate vlan with only access to the Internet.I created 2 policies on the Radius server : one that authenticate computers coming from wireless and a second one authenticating users coming from wireless.
if a user manually creates the WIFI1 network on his phone and enter his AD username, he is going to have access to the corporate network. I would like to be able to say that when a request is coming from WIFI1, only the policy for authenticating wireless devices with computer accounts will apply and the second policy authenticating user wouldn't apply.
I have two 5508, no anchor, only one SSID with internal web authentication using radius server.Under "Configuring Mobility Groups", Cisco guide says: "If a client roams in web authentication state, the client is considered as a new client on another controller instead of considering it as a mobile client".
I understand that if a client that has already autheticated via web roams between two LAPs that are associated with different WLCs, it has to reathenticate.
I have to WLC's a 4402 and 5508 in a mobilty group. they are both running 7.0.116.0. They are configured to use Web Authentication. We are having complaints that Users are having to re-authenticate when moving around the office. My theory is they are moving from one WLC to the other and then requiring to re-authenticate.
I have looked through the forum and think that I have found the answer to my question but I just need confirmation of my thoughts. We are using a 5508 W LAN controller running software ver 7.2.110.0 and LAP 1142n AP's.
What I would like to do is to configure multiple guest W LAN for each of our regional offices. Each of these W LAN needs to be configured with a Web Authentication page relevant to the office location. My question is this, can I have a Web Authentication page for each location or just 2, the default internal page and 1 customized page?
Is there a way to configure an email notification for a specific authentication failure? Specifically, I'd like to see if I can have an email notifcation sent to me when failure reason is "13017 Received TACACS+ packet from unknown Network Device or AAA Client".
I am running WLC 5508 and WCS version 7.0.98. We are noticing with some of our handheld devices that have Sychip Wireless cards that they constantly have issues communicating. The error I see on the WCS side is shown below:
Client '00:0b:6c:2f:d0:32 (0.0.0.0)' failed to associate with interface '802.11b/g' of AP 'HO-BRSales'. The reason code is '0(null)'.
I have a problem with a customer of mine. We have deployed two new WLC5508 running r7.0.116.0 and AP1142s, also WCS with r7.0.172. When we setup a "Guest Access" we ran into trouble.The problem is that we can associate to the SSID/AP and get an ip-adress. When we open the web- browser we do not get redirected to the virtual interface but instead the _hostname_ of the WLC. Like this: url...
I we manually replace "cisco6a19c4" with 1.1.1.1 it works as it should, the login page appears, we login and can access the internet.We have tested and disabled web-auth on the ssid an everything works, we can directly go out on the internet, DNS works without any problems. [code]Guest network (VLAN) is transfered from WLC via the trunk to the Cat4503 and then connected on a access-port to a separate broadband-router, then to the inetrnet.DHCP to guest-users from separate broadband-router which is def gwy and "DNS".On the virtual interfaces no hostname is configured.
I am planning to migrate from an old 4400 to a new 5508. I am happy with migrating the access points but I need to know if I can migrate the web authentication certificate used for guests.The new WLC will have the same virtual interface and DNS name to match the CN on the current certificate. Will this work or will I need a new certificate?
Should I trunk the port to the AP or not. I have a WLC 5508 in the head office and have AP in the remote office. I do not want traffic in the remote office to traverse the wan back to the WLC. I want the users at the remote office to use the local sub net at the remote site.
Should I then trunk the AP port on the switch to the AP as I have multiple ssid's with different sub nets?
I have studied many guides but I can't find out if there is a down-side to setting the timeout this high.Could it result in slow roaming or re-authentication if there is a connection error? The customer have large areas with high client density and some outdoor areas with low client density.
