Is it possible to setup a Cisco 1200 AP with 802.1x to drop users into the corprate network if they have a certificate or if not to put them on the guest network?
View 3 Replies
I want to disable the MAC authentication that is configured in my Aironet 1200 Cisco Access Point, now set to "Local list only". I want that any wireless device can connect if the user knows the wep password.
I cannot find the option to disable the MAC authentication.
Is there a way to configure client/user to AP authentication without using encryption for joining to an wireless network? What we need to do here is protect network access at our hotspots by enforcing a password to get connected. The other part is making it compatible with every possible device so we need to have encryption off. We have a mixed environment at this time until everything is upgraded. Aironet 1200 series and some new Aironet 1142 models. No controller, all standand alone AP's
View 2 Replies View RelatedI would like to be able to have a few "guest" users on the Wireless network for visitors. Is there any method to have a prompt for "Username / password"? I would like the user accounts to have different expiry periods if this is possible. My current config is attached. The SSID "test" appears on the network. The SSID "test111" does not appear.
View 1 Replies View RelatedI have cisco aironet 1200 series Acess point i want to configure wep with mac authentcation .
If any document with GUI configuration
I am trying to setup EAP-TLS authentication for my wireless access points, but I can't sign my ACS certificate with my enterprise CA certificate.If I generate a self-signed certificate on the ACS server, and try to sign it on my CA, I get an ASN tag error. It looks like that is because the ACS server is not in the certificate path of the CA server.If I generate a certificate on the CA and try to import it into ACS, I get a "unable to parse certificate" error. Is there a way to edit the Certificate Trust List in 5.2? It looks like that was possible with 4.2, but not with the latest version.
View 1 Replies View RelatedI have been looking for a new router that can handle intensive bandwidth for my office which can handle vlans, QoS, bandwidth management, VPN/VPN Passthrough, and perhaps multi-WAN/Load Balance. A friend has recommended the Mikrotik RB 1200 for my application, having looked at the product the feature set seems to be quite extensive and the price point is very attractive. The router is also rack mountable (a big plus!!!), my question is wether the router is relatively easy to configure/manage. I have managed/installed other routers such as the Cisco SMB series but I have no experience with Mikrotik. I am very tech savvy and have a moderate knowledge of network infrastructure. I have heard so may different responses to the simplicity and I would like y'all to weigh in before I purchase the router. (OR WHATEVER RACKMOUNTABLE ROUTERS YOU RECOMMEND FOR SMB)
View 10 Replies View Relatedsetting up two VLANs for my WAP: one for all local network and internet traffic and one for just (guest) internet traffic. I just purchased both devices but I don't know if I have the option for free Cisco phone support.
View 1 Replies View Related I've got an iPad2, which works without issue at home (1130 AP/ASA5505), but at my office, we have a 1200 series AP. It's hit and miss, but other people who bring iPads in have noticed the same issue--our internal SSID is non-broadcast. Even though the SSID is previously configured and works on occassion, there are times where it won't even see the SSID at all to connect.
This happens with iPad and iPad2, iOS4 and iOS5...
LIke i said, works fine on my non-broadcast SSID at my home on an 1130 AP...
I recently purchased a Ciso 1200 Series WAP and I want to bridge this to my existing Cisco Wireless Router So I can extend my coverage. I have done some research but keep coming up short as to where I need to start. Note*(I do not want a physical connection to the WAP, I simply want to be able to bridge the connection from my existing Wireless router to my WAP.
View 1 Replies View RelatedI have a cable broadband installed in my home i just bought cisco 1200 series access point...now how to configure my access point. I believe I have to plugged fastethernet cable coming out of my cable modem to access point after that? What I have to do ....do I have to configure the cable modem as wlel or not???
View 2 Replies View RelatedThe client currently has DAS solution integrates with cisco ap1200 which has been eos. As per my knowledge DAS mobile access 2000 doesn't support. 802.11n, is this correct? We are planning to separate the dad environment with cisco. Basically positioning new 3600 n indoor AP to replace existing eos 1200. What are the pro and cons of separating two brands and solutions? Other cabling.The client having coverage issue and adding an amplifier and cable loss may add more issues to existing environment.
Also, based on experience 80211n AP are required is higher density vs 1200.What are your thoughts or best design option to separate das from WLAN environment?
We recently acquired a 4404 Cisco controller for our network and have been adding our 1200 and 1130 Access points to the controller.This was accomplished by upgrading the APs to LWAPP and then they would automatically be discovered by the controller and then join. Lately, new 1131 APs that have undergone the same process, are not joining the controller. They are discovered but then the close the connection. We are running a flat network so all devices are in the same subnet.Software Version of the controller 6.0.188.0. [code]
View 5 Replies View Relatedwe have 6 access points in production and we want to chnage the IP addresses of them. So what would be the procedure for that.
View 17 Replies View RelatedI has 4 VLANs and I want a MAC address has access to a VLAN, but not to another.
I used ACLs, but this will block the access to the access point, How to get the mac address will have access to a VLAN, eg no other Vlan? I has 4 VLANs and I want a MAC address has access to a VLAN, but not to another.
I used ACLs, but this will block the access to the access point, How to get the mac address will have access to a VLAN, eg no other Vlan?
I work for a school system and we are currently entertaining the idea of BYOD. We have a Cisco 4404 controller and what I would like to do in order to prepare for BYOD is to create a wireless network that can be connected to with AD credentials. So basically, on any device, when users try and connect to this specific WLAN they will be prompted to put in their AD username and password to get access, that’s it, no other passwords. I will be using the Network Policy Server role in Server 2008 R2 as my radius server. how to actually set up the policy within NPS for this type of authentication. Also, on the controller side, am I basically just setting up the WLAN and then setting up the authentication server on the AAA Servers tab for security? Leave Layer 2 and Layer 3 tabs blank if I only want to use AD credentials?
View 3 Replies View RelatedI am having ACS 4.0.2 in my network, which I want to use for 802.1x Radius Authentication for Clients on PEAP-MSCHAPv2 methodology.As per the documentation " EAP Authentication with RADIUS Server", Doc ID: 44844.I have configured Network Configuration and populated AAA client IP range and Secret Key.
Question1: Under Authenticate Using option, there are various RADIUS flavors available for selection. For a Non Cisco AAA client, should I select RADIUS IETF?
Question 2: In the above snap shot, It has an option called Global Authentication Setup, where we can setup EAP configuration. Under PEAP subsection there is an option to "Allow EAP-MSCHAPv2" check box.After checking that, is a restart required to the ACS Server? Would it cause any disruptions to the existing services on the ACS?
I want to setup the ACS 5.1 for dot1x-Port authentication. I want to make a machine authentication against an AD-Domain and I got the following error Message:24435 Machine Groups retrieval from Active Directory succeeded
View 13 Replies View RelatedI am trying to get a NAC demo running and am having some issues with a Layer 2 OOB, Virtual GW configuration. Currently I have 3560G switches and would like to assign ports to a vlan based on user roles.
My Auth VLAN is 110 and maps to VLAN 11
Guest VLAN is 11 (172.16.1.0/24)
Employee VLAN is 1
NAS Mgmt VLAN is 20 - CAS is 10.10.20.5 (this ip is setup on both eth0 and eth1 per documentation for L2 OOB Virtual GW)
NAM Mgmt VLAN is 30 - CAM is 10.10.30.5
Untrusted (Eth1) switchport is setup as a trunk allowing only vlan 110 and has a native vlan 999 to blackhole traffic.
Trusted (Eth0) switchport is setup as a trunk allowing vlan 1, 11, 20 and has a native vlan 998 to blackhole traffic.
I also setup a Managed Subnet on the CAS with IP 172.16.1.254 and VLAN 110.Switchport controlled by NAC is access vlan 110. When a machine connects an snmp trap is sent to CAM and is forced into vlan 110. If I try to put the port in another vlan CAM puts it back to 110 immediately. This all seems to be working well.The machine connected to the port gets a DHCP address from VLAN 11. When I initiate traffic from this machine, everything is blocked. If I open a web browser I do not get an authentication page. I also installed CCA 4.1.10 on the machine but it does not find a discovery host and the Login option is grayed out. The only way to get this machine to send traffic is to add a filter for it and force it to the ALLOW option. I did setup a default web login page but I seem to be missing something to get authentication to work. I am running version 4.1.8 with a demo license. The host running CCA is Windows Vista.
I'm trying to set up a 5505 (running 8.3) so that i can use the client vpn through RADIUS authentication.I have set up a new local RAIDUS windows box and used the ASDM asistant and a few other guides to setup the 5505.
View 3 Replies View RelatedI was attempting to setup our 7204 Cisco router to use RADIUS for authentication via the AAA commands. I must have messed up when configuring it as it comes up via TELNET asking for a username and password but doesn't take my AD credentials. How might I login to this router to fix the config? Do I need to do a password recover process?
One note, I didn't save the running-config to startup-config, so if I restart the router will it load the startup-config, thus overwriting the running-config that wasn't working?
I currently have two AP541N access points. Both are configured for internal access and one unit is configured with a Guest VAP. I want to configure the Guest VAP to redirect to an authentication page so that the user connecting has to log in to get internet access. I'm fairly certain the AP541N doesn't offer this out of the box. I know I can redirect, but what is needed to force a user to authenticate to gain internet access. I want to find out what additional hardware/software I will need in order to create Guest Services of this VAP.
View 1 Replies View RelatedI am trying to set up SSL VPN with two-factor authentication on an ASA5510 with software version 8.0(4). I want to use LDAP for actual authentication and user mapping, but require a valid certificate signed by a particular local CA to connect.I have imported the CA's root certificate, signed an identity cert for the ASA box and imported, and assigned the cert ("trustpoint") to the outside interface.Under the connection profile itself (for DefaultWEBVPNGroup), there is an option to select authentication method as AAA, certificate or both. AAA works as expected, authenticating against LDAP. If I select certificate or both, I get rejected with Certificate Validation Failure regardless of if I have a valid signed cert or not. This is what I see with "debug webvpn 100":
webvpn_portal.c:ewaFormServe_webvpn_login[1904]webvpn_portal.c:http_webvpn_kill_cookie[682]webvpn_portal.c:ewaFormSubmit_webvpn_login[1964]ewaFormSubmit_webvpn_login: tgCookie = 0ewaFormSubmit_webvpn_login: cookie = c98f3940ewaFormSubmit_webvpn_login: tgCookieSet = 0ewaFormSubmit_webvpn_login: tgroup = NULLTunnel Group: DefaultWEBVPNGroup, Client Cert Auth Failed!Embedded CA Server not enabled. Logging out the user.webvpn_portal.c:ewaFormServe_webvpn_login[1904]webvpn_portal.c:http_webvpn_kill_cookie[682]
So, it seems the ASA is only trying to check the cert against a (nonexistent) ASA-based CA. How do I get it to check against an external CA cert?Under "Remote Access VPN -> Network (client) Access -> AnyConnect Connection Profiles", I have ticked "Allow Access" and "Enable DTLS". There is also an option "Require client certificate" which doesn't seem to do anything - whether or not I check it, I can connect and authenticate to the VPN with or without signed certs as long as the previous setting is "AAA".
Some highlights from the config:
crypto ca trustpoint ASDM_pfirewall01.company.tld enrollment terminal fqdn pfirewall01.company.tld subject-name CN=pfirewall01.company.is,O=Company,C=IS,L=Reykjavik keypair company crl configurecrypto ca trustpoint ASDM_TrustPoint0 revocation-check crl none enrollment terminal crl configure no enforcenextupdate no protocol ldap no protocol scepcrypto ca trustpoint ASDM_pfirwall01.company.tld revocation-check crl enrollment terminal no client-types crl configurecrypto ca certificate chain ASDM_pfirewall01.company.tld certificate 02 30820598 30820480 a0030201 02020102 300d0609 2a864886 f70d0101 05050030 <snipped rest of cert> quitcrypto ca certificate chain ASDM_TrustPoint0 certificate ca 00e2a6f08003ded6c9 3082054e 30820436 a0030201 02020900 e2a6f080 03ded6c9 300d0609 2a864886 <snipped rest of cert> quitcrypto ca certificate chain
[code]....
I am in need to setup a VPN tunnel to a vendors hosted network for AD authentication.To prevent RFC1918 Address overlap we are trying to NAT into a VPN Transit Network.I was given 209.235.17.232/19 and need to NAT these addresses:
209.235.17.233 <> 172.20.0.42
209.235.17.234 <> 172.20.0.43
The vendor is using 209.235.17.224/29 and NAT'ing to some 10.122.xx.xx addresses.
The Phase 1 requirements are:
Pre-Shared DH-Group2-AES256-SHA1 86400 seconds
The Phase 2 requirements are:
NOPFS-AES256-SHA1 3600 seconds
I have many l2l VPN tunnels configured using esp-3des esp-sha-hmac This is what I have configured on my ASA:
static (INSIDE,OUTSIDE) 209.235.17.233 172.20.0.42 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 209.235.17.234 172.20.0.43 netmask 255.255.255.255
access-list VPN-TO-JIVE extended permit ip 209.235.17.232 255.255.255.248 209.235.17.224 255.255.255.248
access-list VPN-TO-JIVE extended permit ip 209.235.17.224 255.255.255.248 209.235.17.232 255.255.255.248
[code].....
Currently my side is trying to initiate the tunnel, but we are getting this message:
15 IKE Peer: 65.168.255.157
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
I am configuring the transit network for the tunnel properly or performing the NAT for my 2 devices.I am still trying to determine what device the Vendor has on their end.
We are setting up a new office and I am trying to get RADIUS setup for authentication to my switches and routers. Currently I am working on a 3750 running IOS 15 and getting hung on what I think on something small. I have attached my Microsoft NPS Network Policy. Below is my IOS config:
aaa group server radius corp-radius
server 10.15.10.20 auth-port 1812 acct-port 1813
!
aaa authentication login default group corp-radius local
aaa authentication login radius-localfallback group corp-radius enable
aaa authorization exec default group radius
[code]....
My boss just asked me if there was a way for him to move from point A to Point B with his wireless laptop and NOT have to reauthenticate at point B if I install another access point there. Right now I have us setup on a Cisco WAP4410N Access Point that works well when he's within range of the antenna. The point B location is upstairs and while it's only about 50-70 feet away from the Point A access point the signal he's getting there is very weak so he wants me to install another AP there.
IOW he wants to authenticate once at point A and when he walks up to point B he wants the laptop to pickup the newer hotter signal when I put another AP point in.
We have a 1200 Aironet just go down hard for no reason through out the day, we replaced the Power Injector with a C2960 POE Switch, we also replaced the cabiling. When it goes down hard all three lights are still green as if the AP is still up. We verified the IOS with other stores and everything is the same on the configurations, versions, and IOS.
View 35 Replies View RelatedInstalled a new 5508 WLC last week, and finished bringing 68 new 3602i access points online in our College Dorms. We are seeing a lot of "Client De-authenticated" errors "Reason: Unspecified Reason: Code 1. Years ago I asked about error code 1. The reply from Cisco was: "The programers put the code in. It basically means we don't know what the problem is."Got a call from one of the dorms stating that students were getting knocked off the network while going to sites. If a student is wired, network is solid.Walked the dorm in question and was getting full bars of signals at all times, and was able to stream a movie from my Ultraviolet account without any break or slowdown as I moved from access point to access point. So.. my device, an iPad, was fully mobile and did not experience any disconnects.Did observe one student using a MacBook Pro. This student was constantly loosing connection to the access point. Checked the controller for the MAC of the student's computer. I did find deauthentication errors. BUT... this student's error was the computer was receiving an IP address from the DHCP that was already in use. At the computer the error message was a timeout issue.I am just learning the ropes on the 5508. Have used 3 4404s for the past six years.
View 2 Replies View RelatedI got my final assignment from school, and my teacher asked me to configure 2 Access Points (1200 series) directly on a Wireless Controler (Cisco 2106). I can't ask my teacher for any questions, cause he doesn't know how to configure it also, THAT's why he's asking me to do it.I've learned a lot of things about the default static interfaces (the "management" and "ap_manager" interface), but i can't seem to fully understand how to configure it.I want to use the Internal DHCP server of the WLC. How I can get those 2 Access Points working on the WLC. I only seem to get DHCP issues.
This is what i've done:
- Leave the configuration of the "management" and the "ap_manager" default (172.16.1.30 and 172.16.1.30). Bound to port 1
- Made a new interface "AP1" with IP-Address 10.0.0.10 (/24), default gateway 10.0.0.1. Primary DHCP server: 172.167.1.30
- Made a new interface "AP2" with IP-Address 192.168.1.10 (/24), default gateway 192.168.1.1. Primary DHCP server: 172.167.1.30
- Made 2 DHCP scopes within the 192.168.1.0 and 10.0.0.0 networks.
For some reason, when i boot up both AP's, the won't get any DHCP address.
I have two wireless networks configured in the AP1200, both SSIDs are configured with WPA.
SSID 01: configured whit WPA
SSID 02: configured whit WPA
I have configured the access-list number 700, and I would like to apply to a single network. Achieving the following:
SSID 01 : WPA + Mac Filter, using the ACL number 700.
SSID 02: WPA
How I can apply the list 700 to the first SSID only ??
I am looking at deploying a Cisco Virtual Wireless LAN Controller (vWLC 7.3).Do I need Prime Infrastructure to manage the environment, or can I manage my AP's (1200 series) using the vWLC alone?
View 6 Replies View RelatedI am using 5 Cisco 1200 Series APs with both an A and G radio. Is there a benefit/problem to running both simultaneously? I would have one SSID and is setup for Fast Roaming as well.
View 1 Replies View RelatedFor the past week, I've been looking to implement wireless technology at our educational site. We've conducted some tests with an AP1200 and we were satisfied with the performances of 802.11a standards.
Since one of our requirements is bandwidth, we are looking to implement a 802.11g standard for that need. Unfortunately, Cisco does not offer any client access adapter for that 11g standard as opposed of the competition. What kind of client adapter (PCMCIA) can Cisco recommend to work with AP1200 under the 802.11g ?
