Cisco Wireless :: AP 541n Clustered With Different RADIUS Servers
Oct 2, 2012
I have 4 Cisco AP541N access points in a cluster, and everything has been working great. We have been directed by our parent company to change our wireless to utilize RADIUS authentication with our wireless. I have been able to take an AP541N as a standalone (not clustered) and configure it to their standards, configure the 2 RADIUS servers they use with the RADIUS keys I was given for this access point, and everything works great with it. I was able to get them to set up their RADIUS server (which I have no access to) to allow authentication from the 3 other access points now, but they all have different RADIUS keys. I'm finding that when they are clustered they all seem to share the same RADIUS key, but I need them to have different ones.
So the question is, can I cluster 4 AP541N access points together, but allow each one to have its own unique RADIUS key?
If not, then I think I'll either need to get the RADIUS admins to make them all the same key (which is not likely), or I'll have to uncluster them.
Jul 20, 2010
I have several controllers, including a 4402 running 6.0.188.0 software and I need to modify the Radius servers that it uses. Currently I have three servers listed;
1 - 10.246.194.16
2 - 10.200.31.78
3 - 10.247.50.56
I would like to delete server 1 which is being retired and replace it with a new server 1. I suspect, once I get server 1 deleted, the server 1 option would become available when I create a new server. I went into the controller and disabled server one, but every time I try and delete it, I get the "Server in use either on a specific WLAN or Mesh Radius Server Configuration" error. I can't find anywhere this server is still in service and being used, either by a WLAN or a Mesh. I've tried several different variances to modify this. What I hope to avoid is the need to reset the controller. I have a total of seven controllers that I need to make this modification to, and it will be ugly if I have to reboot these units. Hospital mission critical stuff.
Jan 21, 2013
I have RADIUS servers configured to authenticate administrative users and authorize them at a low level. This is working well. I also have a local level-15 user in case all of my RADIUS servers time out and someone needs to change something. This also works well. The issue I'm having is that a low-level user can log on using the RADIUS servers, then issue the "login" command and enter the local level-15 user's credentials and then operate at level 15.
I do not want the local account to work at all, except in the case that all RADIUS servers are unavailable. What I've described above works around this. How to disable the "login" command or force it to try RADIUS servers first? This is for ASA 8.2.
Mar 29, 2012
What is the maximum number of supported RADIUS servers on the Flex 7500 Cloud Controller?
Feb 5, 2013
I have a customer that wants to restrict SSIDs that groups get based on their AD credentials. Currently, he is using Windows 2008 Radius Server and AD with Cisco 5508 WLCs. I found examples that show this is possible but my question is if I have 2 user groups (teachers and students) in AD and apply a policy for the Radius to send SSID x to teachers and SSID y to students. Upon successful authentication, would this deny teachers access to SSID y and students access to SSID x?
Oct 6, 2010
I just set up a new 541n WAP and am having trouble getting it to connect to my network. I set it up with a static IP and have triple checked the settings.
Sep 2, 2012
We have got 3 Cisco APs 541N with firmware version 9.2.2 and want to set up the cluster function for those APs. Here is the problem: Before enabling the cluster you can ping all three APs located in the same local network with a delay of 1ms or below. If the cluster is enabled the pings for one AP rise above 200 ms in a random way (see attached file). Moreover users connected to that AP are more likely to lose the connection or experience delay. Do the APs communicate through LAN or WLAN?
Feb 16, 2011
How many APs can I have in a 541N Cluster? I have heard 6 or 10.
Jan 22, 2012
Will the AP 541N work without cluster if I purchase one AP? Does it support the bridge mode?
Nov 29, 2010
I recently purchased a couple of these WAPs and also purchased some PoE injectors to connect them. The PoE injectors supply them with power, but not networking. I've tried multiple injectors and verified they are not defective. Is there any type of setting that needs to be adjusted to make this work? If I power them using traditional methods they work fine. Here's a link to the PoE injectors that I'm using: URL
Aug 2, 2011
if the Cisco Power Injector (AIR-PWRINJ3=) is compatible with the 541n AP? I find info about compatibility with other AP models but didn't find any related with this SMB model.
Jan 28, 2011
I have both working in a cluster and traffic is flowing but now I desire to separate my intranet from internet guest traffic only. Having an issue with understanding how to accomplish this task. I have one 2003 server in the intranet that supports DHCP and using a private network address.
Feb 14, 2012
I have one AP541N and need to extend the wireless network with a second wireless AP. Which models of AP can I use with the AP541N to achieve a 'cluster', please? Is it just with a second AP541N or can I use other Cisco APs to achieve the cluster?
Am I correct in thinking that doing this will allow wireless clients to 'roam' seamlessly between the two APs?
Jun 11, 2013
We are planning to split the Private servers from the DMZ Servers and configure an additional Interface and segment for this purpose.
Private Servers Segment: 192.168.4.0/24 (there is no DHCP all servers' IPs are statically configured)
DMZ Segment: 192.168.3.0/24 (This is a future deployment)
LAN Segment: 172.17.0.0/16
Both Private Servers and DMZ Servers are in a collocation as well as the ASA5520. There are multiple Branch offices that use subnets within the 172.17.0.0/16 Network and they are connected to the ASA5520 via Metro-E.
I do not know if this is possible but what I want to do is this:
In order to avoid the change of internal DNS records I want to mask the DMZ servers with a Private Server IP when a Private server or LAN host wants to access it like this:
The FTP server in the DMZ has the IP address: 192.168.3.100. But when a PC from the LAN wants to reach the FTP server it should point to its old IP: 192.168.4.100. This way the PC sends a packet to the ftp.corporate.net (192.168.4.100), the ASA receives the packet and translates it to the (192.168.3.100) and sends it out through the DMZ Interface.
Also if the Private Servers want to reach the same FTP the ASA will act like a proxy-ARP and send the packet to the DMZ by means of the translation of the IP.
Mar 20, 2012
I have extended VLAN 120, 121 from DC-1 to DC-2. The DC-1 and DC-2 are connected using an L2 trunk over fiber terminated on Cisco 6513 on both sites, the distance around 40 km. On the DC-2 I just assigned server-1 to VLAN 120 while server-2 is in VLAN 121, but these servers are unable to communicate either with DC-1 servers or between them locally on DC-2. Please note that the servers at DC-2 rely on DC-1 for routing.
Apr 16, 2011
I'm trying to connect 5 servers together to create a private network. Each server has a network of its own and I'm trying to make all 5 servers communicate with each other to share and search data simultaneously.
Feb 1, 2012
I have configured 35 APs 3502i in 5508 WLC, now I want to get access to AP via RADIUS. Currently I can connect to them via SSH with both user and password set in wireless > access point > global configuration. Well, how do I configure the management AP user through RADIUS?
Jul 4, 2012
How to set up ACS 5.3 to authenticate wireless users over RADIUS? I currently have the SSID pointing to a Microsoft IAS server and would like to move the authentication to be done via ACS.
Feb 9, 2011
I have 3 Cisco 1242 WAPs that I have deployed at a site that has NO RADIUS/AAA devices. I have given all of them a different channel (1,6,11), but the same SSID and crypto (WPA2-PSK). The issue is when a machine boots up it associates with the closest/strongest AP, but as the device "roams" it does not switch to a different AP. It stays associated with the original AP until that signal is gone. Then it quickly associates with the closest AP with no problem.
How do I get the device to associate with the strongest WAP? I have researched "fast roaming and WDS" but it seems like you need EAP/LEAP and they do NOT have that at all.
Jun 5, 2013
I have a WLAN configured with 802.1x PEAP pointing to an external RADIUS server. It works fine for the most part, but I'm having a problem closing accounting sessions in RADIUS. I've found this is related to the client table in the WLC. The user session does not end in RADIUS unless the WLC officially removes the client from the db, which takes 5-6 minutes from what I can see (probably due to the default idle timeout of 300 seconds).
For example:
1. I connect my tablet to the test WLAN. It associates and authenticates successfully and the WLC sends the accounting info to my RADIUS server, opening up a user session. If I turn off the wifi in the tablet, the client entry stays in the WLC client table until it times out. The WLC removes my tablet from the client table after 5-6 minutes, and then the session closes in the accounting table. I can force the session to close much earlier by manually removing the client from the WLC.
2. Same as #1, but this time instead of turning off the wifi in the tablet, I choose to connect to a different WLAN in the WLC. The user session in the accounting DB never closes. If I reconnect back to the original test WLAN with 802.1x, it opens up yet another user session in RADIUS accounting. Now I have a "dead" user session in accounting that is going to be open forever unless I delete it from SQL.
Is this an issue with the end user client not sending the disassociation frame properly, or a config problem with the WLC? How can I make it so that every time a client drops from an AP or moves to a different WLAN, the WLC would immediately send accounting updates to my RADIUS server and close the user session properly?
Mar 28, 2012
I try to set up a 1141 Aironet AP to authenticate my user through our MS Radius Server (Win 2008 R2). Everything is fine with small Business AP WAP4410N with the following configuration: But I can't set up successfully the Aironet 1141 with the same settings and get it to work. Here is my configuration for the Aironet 1141. Vlan 1 is the SSID I want to get to work with Radius.
Apr 19, 2012
End user has APs config with Radius server, working fine
-server 10.42.1.21 auth-port 1645 acct-port 1646
-server 10.36.1.46 auth-port 1645 acct-port 1646
In some weeks all APs will be migrated to WLC. My doubt is regarding the config in the RADIUS Authentication Server port number field. There is only one option for adding. Which port number should I use? When a new server is added it always shows 1812 port number; documentation states that is for authentication and 1813 for accounting.
Jan 30, 2013
I am building a wireless network with 5508 WLC and trying to use ISE as radius server and also to redirect the web-login to it. I was trying to understand that to achieve the external web-login, do I need to use the radius-nac option under advanced on the guest wireless where I am trying this out, and if not, where do I actually use it? So far what I have understood is that I do need to have preauth ACL on the Layer 3 security, but the issue is there is no hit reaching the ISE.
Jul 12, 2012
I want to know if it's necessary to install Certificate authority on your radius server. If we have a CA server already in the domain can we use that for this purpose or do we have to install certificate authority on our DC?
Jun 7, 2012
I have a WLAN with 5 1200 Series AP (A/G) configured for Fast Roaming using the Cisco supplied documentation. Can I use one user name for all of my devices to connect to the Internal Radius Server? This would be similar to having a passphrase for WPA.
Sep 3, 2011
I have a Cisco C1140 AP. I have configured the device. Initially for testing I used WPA and authenticated locally. I have now set up a radius server and added my AP in as a client etc. I have changed my SSIDs to authenticate with the radius server and I am having issues authenticating. I can connect via a PC and an iPhone. They say that I am connected but I get no IP address and the debugs.
Mar 18, 2013
I'm working on a project where a wi-fi client is tracked and located using RADIUS authentication requests. The problem I'm running into is that the WLC (5508) sends a RADIUS authentication request to my freeradiusd, which is ok so far, but if the client roams to another access point (3602AG, 1131AG, 1252AG), the WLC does not send a further RADIUS auth. request - and the client is allowed to connect to the next AP. Is there an option like RADIUS-cache which I can disable, so that the WLC sends an authentication request every time a client tries to connect to an AP or roams from one AP to another one?
Dec 18, 2012
Can I use WLC 5508 with OpenLDAP directly (without radius)?
Jun 20, 2012
I configured the 2504 with 2 SSIDs for staffs and guests. I also configured the Lobby admin with web auth. But if a guest wants to connect to our wireless he/she has to enter the PSK key and then only they are able to connect with the user id and password given by Lobby admin. Can we avoid this key and let the guests connect straightaway with the web auth? I'm planning to configure 802.1x & Radius dual authentication for staffs SSID.
Feb 16, 2012
I am setting up a WIFI network with a Cisco 5508 controller. I want to configure a first WIFI network (WIFI1) that will authenticate my business laptop based on the AD computer accounts and will access my corporate network. I want to set up a second WIFI network (WIFI2) that will authenticate my phones and tablets devices with AD user accounts and will be on a separate vlan with only access to the Internet. I created 2 policies on the Radius server: one that authenticates computers coming from wireless and a second one authenticating users coming from wireless.
If a user manually creates the WIFI1 network on his phone and enters his AD username, he is going to have access to the corporate network. I would like to be able to say that when a request is coming from WIFI1, only the policy for authenticating wireless devices with computer accounts will apply and the second policy authenticating user wouldn't apply.
Oct 9, 2012
I'm running version 7.2.111.3 on my WLC 5508 and I try to figure out how I can set PEAP towards my configured Radius servers. On my Local EAP profile I can specify PEAP, but how is it default configured when you just specify the radius servers on the "WLANs > Edit Test > security > AAA servers" tab?
The MS radius logs tell me that it is EAP and not PEAP, so the question is does the WLC support Microsoft: Protected EAP ???
Dot1x_NW_MsgTask_0: Oct 10 11:02:27.279: 24:77:03:07:75:28 AAA EAP Packet created request = 0x1bd4647c.. !!!! -> should be AAA PEAP ?
*Dot1x_NW_MsgTask_0: Oct 10 11:02:27.279: 24:77:03:07:75:28 Sending EAP Attribute (code=2, length=35, id=2) for mobile 24:77:03:07:75:28
*Dot1x_NW_MsgTask_0: Oct 10 11:02:27.280: 24:77:03:07:75:28 [BE-req] Radius EAP/Local WLAN 3.
Apr 30, 2012
Below is the output from debug radius authentication from my AP.
I can see the request is forwarding from AP to radius but Radius is not sending any response. Not sure why it's not responding.
I also did not understand a few of the outputs:
no sg in radius-timers and
RADIUS/DECODE: parse response no app start; FAIL
What does it mean?
I restarted the radius server, changed the secret key but no luck.
019639: May 1 16:15:08.727: RADIUS: User-Name [1] 32 "host/3KYGRH1.idcap.intdata.com"
019640: May 1 16:15:08.727: RADIUS: Framed-MTU [12] 6 1400
019641: May 1 16:15:08.727: RADIUS: Called-Station-Id [30] 16 "0012.01d6.f691"
[Code]...
Jan 9, 2013
I am trying to connect clients to my AP1231 which is running C1200 Software (C1200-K9W7-M), Version 12.3(8)JED. Client authentication is against RADIUS server. [code]