Cisco Wireless :: Can Use WLC 5508 With OpenLDAP Directly (without Radius)
Dec 18, 2012
Can I use WLC 5508 with OpenLDAP directly (without RADIUS)?
I have configured 35 3502i APs on a 5508 WLC, and now I want to get access to the APs via RADIUS. Currently I can connect to them via SSH with the username and password set in Wireless > Access Points > Global Configuration. How do I configure the AP management user through RADIUS?
I have a WLAN configured with 802.1x PEAP pointing to an external RADIUS server. It works fine for the most part, but I'm having problem closing accounting sessions in RADIUS. I've found this is related to the client table in the WLC. The user session does not end in RADIUS unless the WLC officially removes the client from the db, which takes 5-6 minutes from what I can see (probably due to the default idle timeout of 300 seconds).
For example:
1. I connect my tablet to the test WLAN. It associates and authenticates successfully and the WLC sends the accounting info to my RADIUS server, opening up a user session. If I turn off the wifi in the tablet, the client entry stays in the WLC client table until it times out. The WLC removes my tablet from the client table after 5-6 minutes, and then the session closes in the accounting table. I can force the session to close much earlier by manually removing the client from the WLC.
2. Same as #1, but this time instead of turning off the wifi in the tablet, I choose to connect to a different WLAN in the WLC. The user session in the accounting DB never closes. If I reconnect back to the original test WLAN with 802.1x, it opens up yet another user session in RADIUS accounting. Now I have a "dead" user session in accounting that is going to be open forever unless I delete it from SQL.
Is this an issue with the end user client not sending the disassociation frame properly, or a config problem with the WLC? How can I make it so that every time a client drops from an AP or moves to a different WLAN, the WLC would immediately send accounting updates to my RADIUS server and close the user session properly?
I am building a wireless network with a 5508 WLC and trying to use ISE as the RADIUS server and also to redirect the web-login to it. I was trying to understand whether, to achieve the external web-login, I need to use the radius-nac option under Advanced on the guest WLAN where I am trying this out, and if not, where do I actually use it? So far what I have understood is that I do need to have a preauth ACL on the Layer 3 security, but the issue is there is no hit reaching the ISE.
I'm working on a project where a wi-fi client is tracked and located using RADIUS authentication requests. The problem I'm running into is that the WLC (5508) sends a RADIUS authentication request to my freeradiusd, which is ok so far, but if the client roams to another access point (3602AG, 1131AG, 1252AG), the WLC does not send a further RADIUS auth. request, and the client is allowed to connect to the next AP. Is there an option like a RADIUS cache which I can disable, so that the WLC sends an authentication request every time a client tries to connect to an AP or roams from one AP to another?
I am setting up a WIFI network with a Cisco 5508 controller. I want to configure a first WIFI network (WIFI1) that will authenticate my business laptops based on the AD computer accounts and will access my corporate network. I want to set up a second WIFI network (WIFI2) that will authenticate my phones and tablet devices with AD user accounts and will be on a separate VLAN with only access to the Internet. I created 2 policies on the RADIUS server: one that authenticates computers coming from wireless and a second one authenticating users coming from wireless.
If a user manually creates the WIFI1 network on his phone and enters his AD username, he is going to have access to the corporate network. I would like to be able to say that when a request is coming from WIFI1, only the policy for authenticating wireless devices with computer accounts will apply and the second policy authenticating users wouldn't apply.
I'm running version 7.2.111.3 on my WLC 5508 and I am trying to figure out how I can set PEAP towards my configured RADIUS servers. On my Local EAP profile I can specify PEAP, but how is it configured by default when you just specify the RADIUS servers on the "WLANs > Edit Test > Security > AAA Servers" tab?
The MS RADIUS logs tell me that it is EAP and not PEAP, so the question is: does the WLC support Microsoft: Protected EAP?
Dot1x_NW_MsgTask_0: Oct 10 11:02:27.279: 24:77:03:07:75:28 AAA EAP Packet created request = 0x1bd4647c.. !!!! -> should be AAA PEAP ?
*Dot1x_NW_MsgTask_0: Oct 10 11:02:27.279: 24:77:03:07:75:28 Sending EAP Attribute (code=2, length=35, id=2) for mobile 24:77:03:07:75:28
*Dot1x_NW_MsgTask_0: Oct 10 11:02:27.280: 24:77:03:07:75:28 [BE-req] Radius EAP/Local WLAN 3.
I am trying to follow the FIPS guide for the WLC 5508 and it wants to encrypt the connection to the RADIUS server, either with PSK key wrap or IPsec. I have the option for IPsec only, as Windows NPS does not support key wrap, from what a previous user confirmed for me here on the board. But then I found another post that states that the 5508 does not support IPsec?
I would like to know if a Microsoft Server 2008 RADIUS server could be used for authentication on a Cisco 5508 instead of Cisco ACS.
Since I moved our WLC controller (5508) from version 7.0 to version 7.2.111.3 I get the above failure messages. Until now I changed the RADIUS timeout from 2 to 10 seconds and also disabled the aggressive failover, without success. What else could it be?
Cisco WLC 5508
Software Version: 7.4.100.0
Windows Server 2008R2
I've got everything set up on the Windows Server 2008 side of things (certificates, RADIUS clients, etc.). I added the RADIUS server on the WLC, and configured a new WLAN to use it. Both are on the same subnet. When trying to connect to the WLAN it kept failing. I installed Wireshark on the server to monitor the RADIUS traffic, and to my surprise there was no RADIUS traffic showing up on the server. The RADIUS statistics on the WLC are at 0 as well, so it's like the WLC isn't even attempting RADIUS.
I re-verified that the server was enabled on both the Security tab and the WLAN itself on the WLC. Rebooted the controller and the server, all to no avail. I used a RADIUS test client, and can successfully send RADIUS commands to the server using that utility. Frustrated, I just kept trying to reconnect on my wireless device, and after about the 15th try, finally I saw RADIUS activity in Wireshark. It rejected my access, but at least I saw activity. It also registered RADIUS statistics on the WLC as well.
So now if I keep trying to connect repeatedly, about every dozen or so times the WLC actually sends a RADIUS request to the server.
We are trying to integrate Cisco WLC 5508 and Microsoft NPS 2008 to allow users to use their AD username and password to authenticate to the wireless network. I basically followed the following document (Appendix B) but with no luck: URL. I've gone through some threads in this forum but also with no luck. Basically, we are receiving the following error in the NPS event viewer: A RADIUS message was received from RADIUS client a.a.a.a with an invalid authenticator. This is typically caused by mismatched shared secrets. Verify the configuration of the shared secret for the RADIUS client in the Network Policy Server snap-in and the configuration of the network access server.
I've configured RA VPN on an ASA 5520 with OpenLDAP server authentication. It works fine for all the users existing in the LDAP database, but my requirement is that I want one particular group to be able to access the VPN and not all the users. I have checked most of the Cisco documents but all are leading to Microsoft's AD and LDAP attribute map creation. Is there any way to achieve the same thing with an OpenLDAP server and not with AD?
I am transitioning from RADIUS auth to local auth and I don't want to hassle everyone to change in one hit. If I can get auth requests to look in the WLC local net DB first and, if not found, try RADIUS, then this is what I am after! You can easily do it with web auth but it doesn't seem so easy via the WPA2 method.
I have a 5508 controller running 7.4.100 and have a WLAN where I have RADIUS configured. On my controller the client machine I'm using appears, but the RADIUS authentication doesn't appear to be working. Is there anything on the controller I can do to verify that the request is even being sent to my Microsoft IAS server? The log on the server doesn't show any requests from the controller, so my early days guess is the controller isn't actually sending it.
Getting a Cisco WLC to work with an MS NPS server? We've done it before, albeit with different code versions.
I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication. I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place between the wireless client and the WLC, as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated "RADIUS server x.x.x.x:1812 deactivated in global list" and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user" along with the pertinent auth request info that I would expect the NPS server to receive from the WLC. Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond, which in turn causes the WLC to switch to the other NPS server, which produces the same issue.
I'm a trainee in Network and Telecommunication, and I have to do a "model" with a controller, an AP, and a RADIUS server. Communication and configuration of the lightweight AP has been done.
I use an autonomous access point 1220 as the RADIUS server (not considering it as an AP), and I'm a beginner in RADIUS configuration. I get a "Processing AAA Error 'No Server' (-7) for mobile 00:24:d6:8f:2c:7e" when I launch a debug targeting my PC, connecting to the LAP.
Precursory:
- 10.137.125.71 is the IP address of the AP 1220, working as the RADIUS server.
- 10.137.125.15 is the IP address of the controller.
- 00:24:d6:8f:2c:7e is the MAC address of my PC, connecting to the Wi-Fi.
- Ping works to the RADIUS server and to the controller. Each device is connected by a layer 3 switch, and they ping each other.
- The Wi-Fi works when I don't use 802.1X (or when I don't use RADIUS authentication at all).
What I did on the RADIUS server (AP 1220 autonomous):
aaa new-model
radius-server local
nas 10.137.125.15 key password
[Code]......
I'm trying to set up my Cisco ASA 5505 to authenticate against an OpenLDAP server. Authenticating with a user's LDAP username and password is working fine.
I've hit Google pretty hard but can't seem to find a simple answer. It seems like RADIUS might be easier for this kind of thing, but I haven't gotten that set up yet and my familiarity with RADIUS is pretty minimal right now.
We are experiencing a lot of these "RADIUS failed to respond" messages on our WLCs, leading to a lot of RADIUS server hopping within the WLC. We are using Cisco 5508s, 1142 APs and a Microsoft NPS RADIUS backend. The SSID is WPA2+802.1x. The first workaround to this problem was to disable aggressive failover on the WLC. But this is only a temporary fix, because in the end there will be more than 3 consecutive clients failing to authenticate to the WLAN network. As a result, the WLC will swap to the 2nd RADIUS server configured. When we dived into this a little bit more we saw the following messages being logged on the RADIUS backend at the time we saw the RADIUS messages on the WLC: Event ID 6274: Network Policy Server discarded the request for a user.
I have a customer that wants to restrict the SSIDs that groups get based on their AD credentials. Currently, he is using Windows 2008 RADIUS Server and AD with Cisco 5508 WLCs. I found examples that show this is possible, but my question is: if I have 2 user groups (teachers and students) in AD and apply a policy for the RADIUS server to send SSID x to teachers and SSID y to students, upon successful authentication, would this deny teachers access to SSID y and students access to SSID x?
I got my final assignment from school, and my teacher asked me to configure 2 Access Points (1200 series) directly on a Wireless Controller (Cisco 2106). I can't ask my teacher any questions, because he doesn't know how to configure it either; THAT's why he's asking me to do it. I've learned a lot of things about the default static interfaces (the "management" and "ap_manager" interface), but I can't seem to fully understand how to configure it. I want to use the internal DHCP server of the WLC. How can I get those 2 Access Points working on the WLC? I only seem to get DHCP issues.
This is what I've done:
- Leave the configuration of the "management" and the "ap_manager" default (172.16.1.30 and 172.16.1.30). Bound to port 1
- Made a new interface "AP1" with IP-Address 10.0.0.10 (/24), default gateway 10.0.0.1. Primary DHCP server: 172.167.1.30
- Made a new interface "AP2" with IP-Address 192.168.1.10 (/24), default gateway 192.168.1.1. Primary DHCP server: 172.167.1.30
- Made 2 DHCP scopes within the 192.168.1.0 and 10.0.0.0 networks.
For some reason, when I boot up both APs, they won't get any DHCP address.
I have a wireless AT&T DSL modem with U-verse and wireless laptop connectivity. The wireless somehow stopped, but I can connect directly and reach the internet. I have ping tested the NIC card and it seems fine. I have rebooted the modem and the computer, to no avail??
I'm using WLC AIR-CT5508-K9 software version 7.3.101.0, ISE, Cisco Prime Infrastructure 1.2 (1.2.1.012), and the Odyssey Access Client manager, all running well, but here is the problem: when a user is connected to our SSID, in the connection status information, especially for the access point, there appears "Access point : WLC2-ISC-JKT-GCC". That is the WLC, not the access point. Is there any misconfiguration on my side?
Somehow connecting my PC to my home network as if it was wired. Having a wired connection just won't work because my PC is far away from my modem and router. The reason I want to connect it wired is because I am getting terrible speeds, and the slowest. [URL]
Does Cisco have an official number of how many AP541s are supported directly by a UC560? These are standalones and I know they are configured in a max of 10 to a cluster, but how many clusters can you have? We are looking at a hospital installation with one UC560 and 25 AP541s.
My question is how can I use this existing wi-fi as input to a router to make a sub wi-fi for four computers and a wireless printer. Some of my computers may need to be wired into the router.
I want to buy a wireless router to which I can connect my USB internet device directly, so I don't have to turn on my PC all the time if I just want to use my mobile phone or iPod, or if other family members want to connect to the internet.
Access points are directly connected to a 2016 WLC. Event log from the WLC:
AP event log download completed.
======================= AP Event log Contents =====================
*Mar 1 00:00:30.157: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 1 00:00:30.161: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Mar 1 00:00:30.190: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar 1 00:00:30.191: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
[code]....
But still the access points are not functional?
I've been using a D-Link DIR-600 wireless router for two months with my ISP, SmartBro. A week ago my internet went down due to heavy rain, and technical support had a home visit yesterday to re-activate my internet connection. My net connection came back smoothly using a direct connection from modem to laptop. When I tried to connect the modem to my wifi router, the internet was not detected. Even if I reset the router settings, no internet connection was detected. Initially, I thought there was a problem with my wifi router, so I connected the modem to our Edimax wired router, but still it could not detect internet access. Every time I open a browser while connected to a router, this message is shown (see attached screenshot).
I tried using another ISP, Wi-Tribe, with both wired and wifi routers and everything worked well. So now I assume the problem lies with my SmartBro ISP. I called the ISP hotline but they told me that they do not provide support for router connection problems; only with a single, direct connection to a PC. I asked a neighbor IT technician to look into my problem but he too could not solve the problem.
I have a Netgear WNDR3700v2 that I was very happy with until I got a Nest thermostat. Apparently it is an unsupported router and I had to change it. I bought an E2700 since it was supported, but I'm having a huge dilemma...
If I connect the Linksys directly to the modem, I'm not getting an internet connection. I've released and renewed IPs to no avail..
But if I hardwire the Linksys to the Netgear, I do get a good solid internet connection. The problem is, I have no need for 2 routers set up on top of each other.
Basically, I don't understand why the Linksys is not able to connect directly to the modem, yet it gets a solid connection hardwired through another router.
I'm using Comcast and in south FL. It's a Motorola SURFboard modem.
I recently purchased the router and got the CCC firmware on. It works fine for a while but then I can't connect to the router using my PC unless I log using the remote credentials. Generally if this were the case I wouldn't care but when I do it that way I can't run the speed test. After I reboot the router it works fine again, for a while.
For some reason, it doesn't detect my PC as being connected directly although my PC is connected by wire, directly to the router.
I recently acquired an E4200 Linksys router. Is it possible to connect to it using telnet (from the LAN)? For example, I would like to start a ping command directly from the router. I tried to telnet using the command line shell from Windows and it failed to connect on port 23.
I have an external hard drive connected to an E3000. It is formatted as NTFS and working fine. However, if I disconnect it from the router and connect it to a PC USB port directly, I get a message that the hard drive needs to be formatted.