Cisco Wireless :: ACS 5.3 Users Not Authenticate With Wi-Fi SSID
Aug 26, 2012
i have configured acs 5.3. i integrated wth active directory also it got suceeded in test connection.but when am trying to conncet ssid its not getting authenticate, wat r the users i created on acs they can able to login on wifi ssid
I have an issue with an implementation, I had a ACS R5.1 that I'm using to authenticate the wireless users with 802.1x, that's OK and working fine. Now I want to use the same ACS to authenticate wired users using MAB (for IP phones, printers, servers, and other devices) and 802.1x (for corporate users). I already configured the authentication services (MAB and 802.1x) on ACS, but when I'm doing tests I can see that for example the phones are trying to authenticate using the 802.1x rules of wireless connection, not using the MAB rules. [code]
You could also see an screen from the ACS in the attached file. On the picture remark you could see a IP Phone trying to authenticate using the wireless Access Services insted of using MAB.
we are using ACS4.2 to authenticate wireless users for ssid : copr-wireless. the acs authenticate users via windows database (acs is a member of the windows doamin) no local user defined in acs. there is a mapping between all windows users and a local group in acs (wireless_group) in wireless group i defined the vlan as 80 so that corp-wireless clients will be in vlan 80 and they can take an ip address from one DHCP server in the network. vlan 80 is in our core switch. the dhcp also.
now we added a guest anchor WC with ssid: guest-wireless. we need to auth guests also via ACS/Windows. guests are the same users as corp-wireless but corp for lan only and guest for internet only my prob is that ACS will map guests to vlan 80 because they are member of the domain, however guest users should not have any vlan. it is like if they are in DMZ. they will take ip address from the anchor WC.
I have a WLC 4404 with LWAPs, the customer has a microsoft LDAP and all users are joined to the domain and he wants the users to be authenticated against their domain accounts and this should be done automatically so that when users login to windows they are also authenticated and joined the WLAN.so how we can do that with the simplest way, without Radius server using only the LDAP and wwithout envolving any certificates.also i need to know when i add LDAP server to the WLC, how can i know that this LDAP is properly inegrated with the WLC?
Deployed two Cisco ISE 1.1.3. ISE will be used to authenticate wireless users, admin access to WLC and switches. Backend database is Microsoft AD running on Windows Server 2012. Existing Cisco ACS 4.2 still running and authenticating users. There are two Cisco WLCs version 7.2.111.3.Wireless users authenticates to AD through ACS 4.2 works. Admin access to WLC and switches to AD through ISE works. Wireless authentication using PEAP-MSCHAPv2 and admin access wtih PAP/ASCII.
Wireless users cannot authenticate to AD through ISE. The below is the error message "11051 RADIUS packet contains invalid state attribute" & "24444 Active Directory operation has failed because of an unspecified error in the ISE".Conducted a detailed test of AD from ISE. The test was successful and the output seems all right except for the below: [code]
Update:
1) Built another Cisco ISE 1.1.3 sever in another datacentre that uses the same domain but different domain controller. Thais domain controller is running Windows Server 2008. This works and authentication successful.
2) My colleague tested out in a lab environment of Cisco ISE 1.1.2 with Windows Server 2012. He got the same problem as described.
I am trying to connect using officeextend but couldn't . I have managed to connect the officeextend AP to the DMZ WLC however i cant get the users to authenticte to the ACS (although there is a rule to access the access on ports 1813 and 1812). Should the DMZ WLC need the ACS servers (i thought they wouldnt require as they are anchored back to the Internal WLC that the ACS server address
oon a side note, i have'nt created dhcp for hte officeedxtend users - will this cause an issue - (just deciding on to it on WLC or windows server)In-fact i cant even see myself authenticating on the ACS server
We have remote users that dial-in over ISDN to a Cisco 2911. We have configured AAA to pass the authentication off to a RADIUS server. Once successfully authenticated, the router permits the users to access a single web server. However, we need to do some testing in our test environment, but unfortunately we don't have an ISDN line to test with. We have created a little environment in our LAB using a 2911, a switch, a RADIUS server & web server. I was hoping that we could simply create a "user" VLAN off the back of the 2911 to simulate our remote users, and access the web site from the test usr PC's over the LAN. I was hoping that the 2911 would be able to intercept the connection and pass the authentication off to the RADIUS server (as it does with the PPP ISDN traffic). But I cannot find anyway to do this, because I can only configure AAA to offload either PPP traffic or telnet/ssh connections to the router itself.
In summary what I want is for a user to access an internal web site over a LAN interface of a 2911 - but have the 2911 authenticate the user via a remote RADIUS server first. Is there a way to configure a 2911 (or any router!) to do this?Is the answer to configure port-based authentication (802.1X) on the switch?
Having an issue with Cisco ACS v5.1.0.44 and the Cisco WLC 5508. Cannot get users to authenticate and keep getting error messages referring to EAP session timeouts from WLC filling our logs. Seems to be with this model WLC because we have Cisco 4400 WLCs pointing to the same ACS with no issues. Is there a bug or special configuration that is necessary to marry the 5508 with ACS v5.1.0.44?
We have a customer with ACS 4.2 Appliances who currently uses the Layer 3 web-redirect guest function to authenticate users against AD via ACS and LDAP to the AD, its a mixture of un-managed Windows, Mac & linux clients.
They want to move to an 802.1x solution.
Now MS-CHAPv2 is proably the obvoius choice (maybe it isnt considering Linux and MAC clients ... comments???). However the only option to integrate with AD is LDAP i.e remote agents or an upgrade to 5.x is out of the question.
Is it possible for ACS 5.1 to only allow specific AD users to authenticate the switches and routers? Currently What I have configured is only for all AD users. I can't seem to find a way to be selective.
We are running Cisco Secure ACS for Windows version 4.1(1)b23p5 on a Windows 2000 member server. Starting from today, ACS fails to authenticate users. Using the same external user (andrea-meconi) I can verify successfull and failed authentication. This is the AUTH.log for a genericRADIUS request...
AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [NTAuthenDLL.dll]: Starting authentication for user [andrea-meconi] AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [NTAuthenDLL.dll]: Attempting
I am trying to configure a Cisco ASA 5505 so that users can authenticate via Radius or via a Local account using the Cisco AnyConnect client. In the AnyConnect Connection profile, the basic tab, it has Authentication Method. We have this going to an AAA server group with Use Local if Server Group fails option is checked.Each time, I see where the user has failed while attemtping to log in to the domain via the radius servers and thus bypasses the local user database all together.
The ACS can authenticate people using local database , it can also authenticate a single user (using windows database) if you are fast after the service is restarted , however after a few secounds, it fails to authenticate any users , the error we are seeing on the logs appear as authentication failure type : internal error. Also on the log files, the authentication request from the user does not appear in the correct group, it is thrown into the default group.
I have ACS 4 integrated with RSA 6.1, where users of ACS can authenticate their passwords with the rsa server.I am migrating users to ACS 5, and I want to integrate with rsa.
I am configuring rsa as “rsa secureID token servers”.But how should I configure the users on acs to authenticate the password with rsa?
Previously on acs 4, on the user page, in password field, I select authenticate with external DB, Also, any guide for the config on rsa 6.1 side (with acs 5)
I have successfully set up a windows 2008 box as a Radius server and use it to authenticate VPN users against ta AD database.I have also set up a similar policy that permits authentication for management purposes to all my networking devices (routers,switches and the ASA).Both policies work fine.Of course I don't want every VPN user to have administrative access to the ASA and every other device on my network.How can I discriminate between the 2 groups (VPN users and Network administrators)
I'm actually require authentication for users who are coming from the PublicVLAN (the vlan associated with the wireless hotspot) to authenticate themself to the LDAP server via my firewall ASA 5510
I have a cisco nexus 7000 switch and a cisco ACS 5.2. I would like to setup the switch to be able to authenticate users with tacacs+ using RSA secureid tokens when they try to logon to the switch.
I have an AP Aironet 1140 that have two (2) SSID: (ZDE) and (GUEST). Guest is working fine but ZDE is not giving IP addresses to users attached in this AP. I atached the sh tech of the Ap. From the configuration cisco guide of Aironet 1140 i understand that by default, access points are configured to receive IP settings from a DHCP server on your network. But i don´t know if i have to configure the dhcp server ip addres in the Ap, similar to the ip helper address in switches
Configuring the Access Point to Provide DHCP Service. These sections describe how to configure the wireless device to act as a DHCP server:
•Setting up the DHCP Server, page 5-22 •Monitoring and Maintaining the DHCP Server Access Point, page 5-24 •Setting up the DHCP Server
By default, access points are configured to receive IP settings from a DHCP server on your network. You can also configure an access point to act as a DHCP server to assign IP settings to devices on both your wired and wireless LANs.
The 1100 series access point becomes a mini-DHCP server by default when it is configured with factory default settings and it cannot receive IP settings from a DHCP server. As a mini-DHCP server, the 1100 series access point provides up to 20 IP addresses between 10.0.0.11 and 10.0.0.30 to a PC connected to its Ethernet port and to wireless client devices configured to use no SSID, and with all security settings disabled. The mini-DHCP server feature is disabled automatically when you assign a static IP address to the 1100 series access point. Because it has a console port to simplify initial setup, the 1200 series access point does not become a DHCP server automatically.
I have installed ACS 5.4 and we are looking to authenticate our Anyconnect users with ACS via Active Directory. I think I have the correct commands in our ASA ( we had ACS 4 and authenticated our anyconnect users ).
I also have configured ACS to use Active Directory and installed the server side cert in ACS. I'm just uncertain how to program ACS to use the security group that I have setup in Active Directory.
Is it possible to assign a single ssid to multiple interface groups by assigning the ssid to multiple AP groups?
I have buildings geographically dispersed that are configured with multiple vlans in interface groups so that I can maintain an addressing scheme of dhcp assigned addresses per building. Each building is also further grouped as AP groups. I'd like to know if by assigning the same wlan ssid to each of the AP groups, will I maintain addressing integrity for each building? I'm thinking it will work.
Do the buildings have to be outside AP range of each other to avoid problems?
I want to setup my wap321 to not go to the Captive potal login page ,I want everyone to be authenticated automatically. I just want them to be redirected to my home page the first time they try and visit any page.i have the CP setup but I dont see any way to not request a user page and just redirect.I am using the latest firmware.
We use a Flex7500 with local switching and centeral authentication. My question is can i use the Customer's radius server in order to authenticate? or should my WLC have IP conncetivity to any radius server im adding?I guess what i'm really asking is should my WLC know the radius server or does the request can go back to the AP and from there to customer radius on his subnet?
Trying to authenticate a Wireless 1242 AP to a switch port with Dot1x enabled. It seems like the switch can't get the mac or doesn't ever start authentication for the port when I plug in an ap. The ap is configured to pull dhcp on start for fa 0, however never gets an address, even though the port should fail into guest network after auth fails.Any thoughts,, a debug only shows this...
*Mar 1 00:19:27.127: %IF-3-VLAN_NOT_CONFIGURED: Received dot1Q VLAN tagged packet on interface which does not have VLAN configured.
We replaced a WLC2106 with a WLC2112 and the 2112 can't authenticate anything. Both WLCs have the exact same configuration on them. We are using a RADIUS server to do MAC authentication. Both WLCs have been set to use no delimiter in the MAC filtering.
When the 2106 is in place, we have no issues and all allowed devices can authenticate without issue. However, when the 2106 is removed and the 2112 is powered up, every single device fails authentication and is put on the exclusion list. When we check RADIUS, it tells us the devices fail because they are locked. We unlock the device's account, and 5 minutes later the 2112 has screwed something up and they are locked again.
Having an issue with Macbook authentication. All Macbooks at this one site, on same switch, going to same RADIUS server, work except for one. Looking at logs it appears server and client never exchange certificates. Attached is log for failed Macbook authentication.
I have been trying to set this up for like 4 hours. What a waste of time. This should be as easy as punching in the IP and password for the radius server. It isn't.I have a brand new SG-300-10. LATEST firmwawre, I just updated it about 5 minutes ago. 1.2.7.6 I think.This is what I have done so far in the GUI: (I have CLI access too if necessary)
Security > RADIUS and entered my radius IP/secret there. Security > Access Management Profiles > Create new template called ALL that permits access to all applications. Set it as active also. Security > Management Access Authentication > For HTTP and SSH
I put RADIUS first then Local second.My radius server works. As I type this message I am logging in via radius with OpenBSD/Centos even Fedora. (If OpenBSD can do it, these switches can do it.)But whenever I try to login with RADIUS credentials to my switch, I get no logs or any connectivity reports on my radius server? Is the switch even attempting to contact the server? The logs dont show anything regarding RADIUS. I am trying a reboot now, but I don't think that should be necessary.Is there a step I missed? When first looking at this I expected it to be done in 5 minutes. I have been on this for lik 4 hours. Isimply want to login to the administration console (web gui) using RADIUS credentials.
I think i've got everything set up to authenticate against AD for Tacacs+ device logins. When i check the logs, i see:"24408 User authentication against Active Directory failed since user has entered the wrong password". This leads me to believe that it is checking AD correctly, however if i enter the password correctly for the same AD user, there is no log at all...no pass, no fail.
If i look at the Tacacs debugs on the switch, i see the following:May 25 10:55:07.927 CDT: TAC+: ver=192 id=874699084 received AUTHEN status = ERRORMay 25 10:55:09.932 CDT: TAC+: send abort reason=Unknown
Obviously the switch is communicating to ACS, and ACS is passing info back to the switch. ACS also appears to be communicating effectively with AD since it knows when i put in an incorrect password for the specific user.
we have deployed L3 in-band scenario for wireless 2 years ago and the solution was working without any problem. we have upgrade wireless controller to 5508, since then, when users login to the first page and certified, and they want to browse to the internet, NAC redirects the web page and ask for authenticatin again, despite the users' devices are being shown as certified devices in the list.
I have setup Cisco Identity Service Engine (1.1.1) with Wireless LAN Controller (7.2.110)Everything is complete unless the URL redirect. My guest client can join the Guest SSID and also can authenticate to ISE.But after they success to authenticate with ISE, the URL in the browser doesn't change to the pre-configure. It still be something like [URL]. Anyway the content in the browser is changed to the URL that being configured such as url...How can I do with this situation cause everything is working fine but only the browser URL that is not change to the preconfigure one.
I have 1142 with W7 (c1140-k9w7-mx.152-2.JB)I have it configured WPA2+AES on the 2.4GHZ interface (Config below)I have my PC and Mac and phoens connected, all good.However I also have a Wi-Fi radio (url...), when I try to connect the radio to the wireless net, I keep authentication failed.If I configure my old Linksys router as the network, also using WPA2/AES, all works.Just something do to with Cisco pass and this radio.I tried TKIP > same but when I tried Tried WEP > working good!.
I am transitioning from RADIUS auth to local auth and i don't want to hassle everyone to change in one hit.If i can get auth requests to look in the WLC local net db first and if not found try RADIUS then this is what i am after! You can easily do it with web auth but doesnt seem so easy via WPA2 method.
Have set up a pair of ACS 5.3 servers and have set up device administration authentication be passed through to an RSA server via RADIUS. All works great.
What we want to do is go a step further and set the system up so that ACS Administrators also have to authenticate to the ACS system by RSA via RADIUS (the same as the Device Authentication we've set up) for ACS administration tasks.
Looking at the options available in the ACS Administration setup (administrator accounts etc) there doesn't seem to be an option to authenticate via another method apart from a local administrator account on the ACS.