Cisco Wireless :: 5508 EAP-TLS With Wireless Before Windows Log On
May 20, 2013
I'll start with a list of equipment:
5508 WLC
3502i APs
Cisco ACS 5.3
Windows 7 clients
The WLAN is configured with WPA2/AES with 802.1X for key management. The client is configured with WPA2/AES; the auth method is Microsoft: Smart Card or other certificate on computer. Auth mode is User or Computer authentication. The client is configured to use a certificate on the computer. It only works if User or Computer authentication is selected. If I use the Computer Authentication option, it says it can't find a certificate to use for EAP. ACS is configured to only allow the EAP-TLS protocol. We have created a standalone CA server and have distributed the CA root and client authentication certificates to all test systems.
This whole process with EAP-TLS works great if you are already logged in to the machine, with cached credentials. Once I log off the Windows 7 client, I lose connection to the WLAN. We would like to stay connected to the WLAN. PEAP w/ MSCHAPv2 works great at staying connected to the WLAN, but we want to use EAP-TLS.
Mar 8, 2013
I recently upgraded to firmware version 7.1.91.0 on my 5508 controllers to allow support for 3600 WAPs and WCS. We have recently run into bug CSCua29504 which prevents Windows 8 devices from joining my wireless network due to a Management Frame Protection issue.
Firmware updates have been released for the 7.0, 7.2, 7.3 and 7.4 trains to resolve the fault; however, there hasn't been a release for 7.1. Is there any update for the 7.1 firmware to address bug ID CSCua29504?
Mar 4, 2012
I'm having a problem with Windows sharing (file/printer sharing) from a wireless LAN client which is connected to an AP3500 and a WLC 5508, then to a Nexus 7010. It's already using the IP path, for example \\192.168.84.65. WLC OS version 7.0.116.0 (using AP groups); Nexus OS version 4.2(6). The weird thing is I can connect using Windows sharing from the wired LAN to a wireless user, however not vice versa.
-Wireless lan to wired LAN using windows sharing - failed
-Wired LAN to Wireless lan using windows sharing - success.
I've been analyzing by making sure that, end to end, there is no firewall on the source PC(s) and destination PC(s), and also checking the ACL inside the Nexus. Been dying here to find a solution for this, as the customer is using it for file and printer sharing.
Dec 5, 2012
We have a 5508 controller that authenticates with WPA2-Enterprise to 3 possible AAA servers. Today I tried migrating our DHCP server from a Windows 2003 machine to Windows 2008 R2. The migration went smoothly and all wired clients could get IPs. Reservations intact, scopes intact, etc., you name it. I thought it was a great success.
Fast forward about an hour when people started coming into work for the day. Calls started coming in about their laptops not able to connect to the network. I double checked with a spare laptop in our IT department and also my iPhone. Same issue. Seems the only thing I changed today was the DHCP server (from 10.1.1.1 to 10.1.1.2).
After racking my brain on it for a while, I re-enabled the "old" DHCP server (10.1.1.1) and disabled it on the new one (10.1.1.2). Instantly wireless clients were able to connect.
Am I missing some configuration step in the 5508 controller when moving DHCP servers? I do plan on running 2 DHCP servers (10.1.1.2 and 10.1.1.10) for redundancy once I get the primary one moved over and working correctly.
I want to decommission the older 2003 server. It's time to raise the domain functional level.
Oct 10, 2011
I'm currently running both wired and wireless GPOs via Win2008 R2. On my wired connections, after Ctrl-Alt-Del logoff my network connection stays open (pingable), but not while connected via wireless (WLC 5508 and WCS). Windows AD 2008 R2; RADIUS server 2003.
All clients authenticate using network authentication (Wireless Network Connection Properties): WPA2, data encryption AES, EAP type PEAP, authentication method EAP-MSCHAP. I have no problems connecting via the SSID etc. My question is how do I keep the TCP connection open after initiating a logoff from Windows (which closes the network connection).
I need to maintain a TCP (pingable) connection in order to access manufacturing clients that are connected via WiFi (WLC). All wireless clients are issued an auto-enrollment cert via IAS.
Jul 14, 2011
I'm having a problem with a WLC 5508 and LDAP on Windows Server 2008. I already configured everything on the WLC, but when a user tries to authenticate I get this debug result:
*aaaQueueReader: Jul 15 19:27:07.384: 00:1b:77:7b:19:aa Returning AAA Error 'No Server' (-7) for mobile 00:1b:77:7b:19:aa
*aaaQueueReader: Jul 15 19:27:07.385: AuthorizationResponse: 0x3c9ceac4
*aaaQueueReader: Jul 15 19:27:07.385: structureSize................................32
*aaaQueueReader: Jul 15 19:27:07.385: resultCode...................................-7
[code]....
Mar 26, 2013
We are deploying BYOD with Cisco ISE 1.1.2 and WLC (5508) using 802.1X authentication. Windows clients cannot connect to the 802.1X SSID, with the following error on ISE: Authentication failed: 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate.
The client doesn't have a preconfigured WiFi profile or root certificate installed. The concept of BYOD supposes that you can connect your device without any installed certificates or preconfigured WiFi profiles.
The problem is that the Windows 7 supplicant does not show the TLS alert in a pop-up window when connecting to the 802.1X SSID. If this alert is seen, then you can accept it and proceed with the connection. After that you will be asked to install the root cert, get your own cert, etc. So, the question is: how to make the Windows supplicant show the pop-up window with the TLS alert?
P.S. The attached file shows an example of the pop-up TLS alert window.
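An added example, not from the original post or from Cisco ISE documentation: the client-side rejection behind ISE error 12321 is the Windows supplicant refusing a server certificate it cannot chain to a root it trusts, which is the correct default, since silently accepting an unknown RADIUS certificate is exactly what a rogue SSID with a look-alike authentication server needs. The PowerShell below reproduces that trust decision on a client for an exported copy of the ISE EAP certificate (the file path is a placeholder) and prints why it fails, or, if it chains, the value to pin in a WLAN profile's TrustedRootCA element.

```powershell
# Added example (not from the original post): evaluate a RADIUS/ISE server
# certificate the way the 802.1X supplicant does and explain a rejection.
# Assumes the server cert was exported to a DER or PEM file (placeholder path).
param([string]$CertPath = 'C:\temp\ise-eap-server.cer')

$cert  = New-Object Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$chain = New-Object Security.Cryptography.X509Certificates.X509Chain
# During EAP the client has no network yet, so it cannot fetch a CRL or reach
# an OCSP responder; build the chain without revocation to match that state.
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($cert)

$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
       ForEach-Object { $_.Format($false) }
$hasServerAuthEku = [bool]($cert.EnhancedKeyUsageList |
       Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })

"Subject            : $($cert.Subject)"
"SubjectAltName     : $san"
"Valid until        : $($cert.NotAfter)"
"Server Auth EKU    : $hasServerAuthEku"   # required, or the supplicant rejects it

if ($built) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Chains to root     : $($root.Subject)"
    # The supplicant runs in the machine context, so the root must sit in
    # LocalMachine\Root; a root imported only into the user's store is not enough.
    $inMachineRoot = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    "Trusted machine-wide: $([bool]$inMachineRoot)"
    # Thumbprint in the space-separated form a WLAN profile's TrustedRootCA uses.
    $pin = (($root.Thumbprint -split '(..)' | Where-Object { $_ }) -join ' ').ToLower()
    "TrustedRootCA value: $pin"
} else {
    'Chain did NOT build; the supplicant will reject this certificate:'
    $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
}
```

Run it on a client that fails to connect; an `UntrustedRoot` or `PartialChain` status means the ISE certificate's issuer has to be distributed to the device (or the device has to be onboarded over a network that does not require it) before 802.1X can succeed without a user accepting an unverified certificate.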
Nov 6, 2012
Output is here:
*Mar 1 01:28:21.018: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Mar 1 01:28:21.022: %LWAPP-3-CLIENTERRORLOG: bsnSetCurrentBHRate : fail to set radio control and data rate
*Mar 1 01:28:21.179: %CDP_PD-2-POWER_LOW: All radios disabled - AC_ADAPTOR (0000.0000.0000)
*Mar 1 01:28:21.984: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar 1 01:28:34.341: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 192.168.10.244, mask 255.255.255.0, hostname AP2c54.2d0d.c3c4
May 1, 2012
I have a WLC 5508, AIR-LAP1142N APs and an SSID for students to connect to who bring their own device. I am still testing this and it has not been rolled out, but I am running into some serious issues with joining the network. I am authenticating them through a RADIUS server (2008 R2). Problem: many of them cannot connect because they are lacking the certificate.
1. What is a good setup for authentication in a BYOD environment?
2. If my setup is good, what can I do to allow kids to use their computers on the wireless either without the certificate (which I know is unlikely), or what do I need to have them do to connect? I am hoping it does not involve hard wiring and getting the certificate from the server.
Oct 24, 2011
I have a Cisco 5508 controller (version 6.0.199.4) that, when I enable global multicast mode, will work for an hour or two and then kill the network. All internet, both wired and wireless, access to servers, everything dead. I then have to connect directly to the service port and disable global multicast mode. The two reasons for enabling it are Docs2Go and LanSchool, which both require multicast to be enabled. I have it enabled on our wired network and it works OK there.
Oct 23, 2012
I just turned on 2 Wireless LAN Controllers 5508 and I am getting this message on both of them:
Loading primary image (Image not found)
** Unable to read "linux.pri.img" from ide 0:2 **
Loading backup image (Image not found)
** Unable to read "linux.bak.img" from ide 0:2 **
And it is taking me to the Boot Menu. I selected option 4 to clear the configuration and the controller seems to restart, but I still get the same error. I checked the LED status: Sys is amber and Alarm is off, which according to the documentation is a system crash.
Apr 7, 2013
Is there any way to configure a wired guest network with a combination of 5508 and 2504 wireless controllers? I am aware that the 2504 does not have wired guest functionality; however, is it possible to set up a wired guest on the 5508 and, using mobility anchors, transmit the L2 information through EoIP to communicate with the remote VLAN? Home-built NAC solution, using 802.1X authentication on switch ports for public areas. If the user is an employee, it communicates with the supplicant on their machine and places them on an internal VLAN. If the user is a guest, the user fails the 802.1X check and is placed on a "guest" VLAN with an ACL and external DNS. If placed on the guest VLAN, the user has to accept a terms-of-use form. This is currently working with our 5508s without any issue; however, we have some remote offices we'd like to roll this out to that are using 2504 controllers. I'm hoping there's a way that I can use the 5508 as an anchor, or vice versa, to make this work.
Apr 15, 2012
The management interface on the WLC 5508 is assigned IP 192.168.255.200. From a PC on a different subnet, I can ping but cannot access HTTPS on the WLC, but from a PC in the same subnet I can ping and use HTTPS.
Aug 1, 2012
I want to install a pair of 5508s to manage the whole wireless solution and I have a few questions regarding deployment; please refer to the topology. The management and AP-manager interfaces are configured with the same IP address range and thus the same VLAN, which is 10.160.254.X/24. Also, all the APs (1, 2, 3) in that building have the same IP address range for management, which will be manually configured. The APs (4 and 5) in the other building have another range of IP addresses for management, and here is the first question. Will APs 4 and 5 join the WLC if I manually configure them to point to it? I know I can group interfaces and use them with the same SSID, BUT the WLAN VLANs on both sides are different and are separated by a router, and hence the next question: can this be done even if they are separated? And if I can, how is this possible? Should I configure a dynamic interface in the WLC with an IP of that network even if it doesn't exist on that side? I'm kind of confused with this.
Jul 30, 2012
I have a Cisco 5508 set up at a host site with 3 other sites connected using HREAP on 1252 APs. When testing network speed I find that the throughput from the wireless to the wired network is about 18 Mbps, yet the same test on the wired side is 85-100 Mbps, and wireless to wireless is 18 Mbps.
Oct 2, 2011
I am running a 5508 controller with version 7.0 and 1142N access points. I am facing a problem with user connectivity.
Wireless users are getting frequent connections and disconnections. These users are not getting connected to the nearby access point although this access point is up and running. I have tried reducing the power level and configured the AP after resetting it.
Apr 24, 2012
We have a working wireless network managed by a 5508 WLC and nearly a hundred APs in different buildings. We want to integrate several Apple TVs in different WLANs. We enabled global multicast mode and IGMP snooping on the WLC. When clients connect to these WLANs, AirPlay functionality operates for 2 or 3 minutes max and then the AirPlay icon disappears on iDevices. If I want AirPlay to work again I need to reboot the Apple TV, but again it can't work for more than 2-3 minutes.
Mar 7, 2012
I am using a guest solution with two WLCs, one inside and one as an anchor in the DMZ. We also have a NAC Guest Server to authenticate the guest users. The inside WLC is a 5508 and was updated to the latest version, 7.2.103.0, last Thursday.
Now we are facing a problem with the guest SSID: after the user authenticates, they are immediately disconnected, and to get access again they have to authenticate again, and so on.
Is there any bug with the new version? The setup was working fine before upgrading.
Aug 8, 2012
I have a WLC 5508 with code 7.0.220, with multicast enabled on it and on the LAN too. I am having a bit of confusion getting Bonjour to work on the wireless side. Looking at some of the Cisco docs, I still have some questions on how to get it working in my specific environment.
I have the WLC connected to the LAN via a port-channel. 2 WLANs (ssid1 and ssid2), each WLAN maps to a specific VLAN (dynamic interface); the management interface (also used for dynamic AP-manager) is on a third VLAN (vlan x).
I need to get Bonjour working between ssid1 and vlan-x, so my wireless clients (in ssid1, using Bonjour on their laptops) can sync between wireless and wired. I know that you can do this within the same WLAN (SSID), but in this case, when a user has a laptop wired into the network he can't communicate with the wireless device. I read about VLAN Select and Multicast Optimization; however, from what I understand I need to set up an interface group and just assign my wlan1 and management interface to it, correct?
What if I need a different segment (vlan y) in my LAN to also "Bonjour" with ssid1? For this I assume I would need to create a dynamic interface on the WLC using the same IP segment and make a new interface group?
Apr 17, 2012
I have a new wireless configuration on a 5508 WLC. The controller is licensed for 12 APs. I have plugged 8 APs into the wireless VLAN and 6 out of 8 come up with an IP address, connect to the controller and broadcast the two configured SSIDs; all seems good with them, but I have two APs that do not get IP addresses. They are in the correct VLAN: I can plug a laptop into the group of ports in the VLAN and get an IP address. So it seems to be just the APs that don't. If I look at the console of the AP it says "Waiting for PHY to auto negotiate", then it says timed out and continues to "boot with errors", then it continues to complain that it has no IP address. I have rebooted a few times and changed ports and patch cables.
Jun 12, 2013
I have 2 x 5508 WLCs in place with around 50 APs split between the 2.
As there is currently a low uptake of wireless devices, all of which we own, I have up until now been using WPA2 and MAC filtering to control access to the network.
This all needs to change as we are about to embark on the B.Y.O.x revolution. This means being able to support a wide range of OSes from Windows to Android. This in itself presents a whole series of issues but right now I'm trying to explore how much of the burden the WLCs can take.
For instance, I was thinking about setting up web auth on the controllers that would authenticate against an external RADIUS server; this seems fairly straightforward.
If this were a bog-standard Windows network I could set up a Microsoft NPS server that could control and define policies for mobile devices, but as this is going to be a mixed environment that's not a solution I can use.
What other features do the controllers provide that would be useful in my situation? Can you, for instance, automatically direct data to a specific VLAN based on authentication information?
May 14, 2012
We have a situation where wireless access points are just going down randomly on our network. The situation is as follows:
We have 2 Cisco 5508 WLCs (licensed for 250 APs each, with more licenses en-route), both running software version 7.2.103.0. Then we have a large-ish number (±300) of Cisco AIR-CAP3502I-E-K9 APs connecting to these two controllers. The APs are either connected to Cisco WS-C2960S switches, or in "older" areas of the network they are connected to WS-C2950 switches. We do not have PoE switches installed yet, so all APs are powered by power injectors (AIR-PWRINJ4=).
Anyhow, all the access points are in FlexConnect (previously HREAP) mode, and they all connect via trunk ports to the switches in order to get the VLAN-per-SSID working. Both controllers are in the same mobility group, and both are in DNS as "cisco-capwap-controller" as they are load balancing. The APs are installed about 25m apart in most areas. There is one installation where two APs are about 10m apart, but this is due to the shape of the building in which they are installed. We have no autonomous APs deployed at all...
The problem is that some access points work for about a day, and then they just disassociate from whichever controller they were associated with, and then they just fall off the network completely. Both WLCs, the NCS, and the network monitoring system (WhatsUp Gold) show the affected APs as physically unreachable. Looking at the trunk port on the switch, it shows that the port is up and the line protocol is up, input rate is 0 bits/sec, and output rate is up to 70,000 bits/sec. There are no input or output errors on the switch port. Here is the output from one such switch port: [code]
Connecting a console cable to an affected AP is fruitless, as the AP appears to be unresponsive while it is "down". Rebooting the AP, then connecting a console cable works, but then you've lost your syslogs. Looking at the Ethernet interface on the AP, it appears as if the interface is picking up a lot of errors, especially CRC errors, which would indicate a physical cable problem.
I got our cabling contractor out to do a cable test again, and it passes every time. We have them test both the Systimax and the Molex cable installations of affected APs, and all is OK. They use a Fluke MicroScanner² cable tester which certifies the Cat 6 cable from patch lead to flylead. No problems there, and I trust that the cable is 100% as tested.
So I swap the power injector of an affected AP (let's call it AP A) with that of an AP that is not affected by this (let's call this one AP B), and AP A goes down again after a day, or sometimes only a couple of hours. AP B remains operational as usual. If I swap AP A out with a new AP (AP C), then AP C starts showing the same symptoms after about a day, and then it also just goes down. When "suspect" AP A is installed somewhere else, it works and stays operational for, well, 58 days now. Changing the switch/switch port also makes no difference.
This happens to one of the APs that is part of the "10m apart deployment", but it also happens to another AP that is completely on its own in a building far away from any other wireless source, so I cannot think that this could be the problem. It happens to an AP that is less than 100m away from its closest WLC, and it happens to an AP that is more than 350km away from its closest controller. All the other APs deployed in our remote campus (350km fibre link) are 100% OK. It happens to APs connected to the older WS-C2950 switches as well as the brand new WS-C2960S switches.
I am at wits end with this one. Where could the problem be? I trust the "Big Green" company that does our cable installations, and I trust the equipment they use. I also trust both Systimax and Molex to be very good products. And I do trust Cisco, as this is the only network equipment we deploy.
Nov 25, 2012
My new Windows 8 computer is not WiFi capable. I bought the adapter but it only works with Windows 7; they have a link to upgrade to Windows 8 but I don't know where to go from there.
[URL]
Apr 4, 2013
I have a WLC 5508 with around 70 APs (LAP1042N) connecting over an MPLS WAN network. The WLC and APs are running 7.4.100.
From time to time I have an AP which disassociates from the WLC with the logging below. Is this a problem with the AP, or is it due to network saturation between the AP and the WLC?
And if so, should I change the default retransmit values ?
Apr 25, 2013
I am planning to upgrade the WLC from 7.2.103.0 to 7.2.110.0 due to a bug, but I wanted to know if it is compatible with WCS 7.0.240.0 and NAC Guest Server version 2.1.0. I did some searching but couldn't reach a proper conclusion.
May 26, 2013
I have a WLC 5508 running version 7.0.116.0 that I need to upgrade to use the CAP2602I AP. I understand that I need to upgrade it to version 7.0.240 before 7.4.100 to avoid losing HREAP VLAN mappings, and I have also read that I need to install the FUS image [URL]. In what order should this be done? Should the FUS image be installed before the new firmware, after the firmware, or after 7.0.240 but before 7.4?
Apr 24, 2013
For a few weeks I have been configuring my APs on the new WLC 5508, and the lights are off on the APs. Is this normal? They seem to work fine, however. What does this light mean? FW version: 7.0.22. Is it important?
Mar 25, 2013
In order to enable HA SSO on our two 5508 WLCs, I plan to upgrade them to 7.3 / 7.4 (currently 7.2). Right now 7.3.112.0 is the latest release. We do not have any 1600 series APs, which require 7.4. Any reason to go for 7.4 directly, or not to go for it?
Jun 4, 2013
I am trying to set up SSO between my primary and secondary 5508 controllers, and it doesn't appear to be working. I lose connection to both devices after the reboot and then have to console in and disable redundancy manually to regain connectivity. Is there something special required for this to work that isn't apparent?
Sep 13, 2011
I've just gotten in two new 5508 controllers that came preinstalled with code version 7.0.116.0. My issue is that when I go to downgrade these to 7.0.98.218 I get an error after the image version check is passed, stating the following: ERROR: Incompatible SW image. ERROR: Please install the Data Payload Encryption licensed image. I've tried multiple times to no avail; I've also gone as far as installing the LDPE image of 7.0.116.0, thinking it needed that before downgrading, but it still didn't work.
Dec 3, 2012
I am planning to upgrade 2 of my 5508 series WLCs from 7.0.116 to version 7.2.111.3. I understand that legacy APs are no longer supported. Is the upgrade straightforward just like other code upgrades?
Feb 9, 2012
We have two WLC 5508s and I want to know if it is possible to get an access point (e.g. 1131) to connect to a controller over the internet without a VPN connection. I have read documents about HREAP but that needs, if I understand it correctly, a VPN tunnel or a dedicated WAN link. I know that Aruba has this function, but I can't find it with Cisco.
Nov 13, 2012
I am very interested in the new 7.3 HA feature. I also read that it is recommended to connect the two WLCs directly. How about using an L2 VLAN between them, in fact to bridge a distance between two data centres?