Cisco :: Wireless User Session Authorization With WLC 5508
Oct 8, 2012
I have a user authentication issue with our WLAN deployment. My issue relates to the guest access WLAN. First a brief description of our setup. We have a local WLC in the branch office (5508) with two SSIDs configured, CorpNet for the internal network and GuestNet for external guest access. We also have a WLC (5508) in the DMZ to provide the guest access. We are using a Cisco ISE server to authenticate guest users via a web portal.
The authentication process works as it should. An external client gets an IP in the DMZ and is redirected to the web portal to authenticate their account. When they do, they are able to access and browse the internet. No problems. My issue is that if we disable their account (i.e. suspend or delete it) in ISE it does not seem to terminate the user's session and they can continue to have internet access. What I would like to happen is that when the account is disabled in ISE, the associated device's access to the internet is removed.
May 31, 2012
I am running a guest wireless network on a Cisco 5508 WLC with 6.0.202.0 code. My syslog is filling up with the following error message:
WLC: *May 15 12:32:59.244: %AAA-3-VALIDATE_GUEST_SESSION_FAILED: file_db.c:3968 Guest user session validation failed for guest_user10. Index provided is out of range..
The user that is assigned to the guest_user10 account works fine and has no idea this error is occurring.
This error message is occurring exactly every 15 minutes, 24x7.
I believe I have a rogue user who has set up a device to try and log in to the guest network automatically, every 15 minutes, with the guest_user10 credentials. I need to track this device down. I need a way to find either the MAC or IP address of the device that is causing this error message. I have tried turning on AAA debugging on the controller but I don't get anything more than the above error. I have also tried using WCS to look at the client history but it only shows the normal activity.
Jul 13, 2012
I would like to authorize a friend in my house to access my wifi. I was told to go to http://192.1.1 and enter the MAC address of my friend. However, on the site I was unable to enter the information into the box. How can I authorize my friend to use my wifi?
Apr 18, 2013
I've just installed NCS. When trying to configure NCS for ACS TACACS+ authentication, I receive the message below when trying to log in to NCS. ACS records my login in the 'passed authentications' log. I am using ACS 4.2. "No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server". I used the following link to configure ACS for NCS, url...
Nov 17, 2011
I have two WLC-5508 for 50 APs deployed. One is the primary controller and the other is secondary. Recently I noticed an unknown "authorization failed, no sufficient privileges for user" message popping up while making configuration changes in the WLC, specifically when trying to create a new SSID. WLC authentication is local. This message popped up earlier once or twice but it didn't prevent me from making changes at that time.
Jan 17, 2012
I would like to configure RADIUS authentication and authorization in ASA 8.2 (ASDM 6.2) by configuring a Cisco AnyConnect VPN client connection profile. So the end result would be: the user enters his username, password and a token in the AnyConnect client, then the RADIUS server validates this information and sends the user attributes to the ASA upon successful authentication. I would be grateful if I can get the step by step procedure to achieve this. The below is what I am trying to do:
1) Create an AAA server group.
2) Add the AAA server to this group (here it's RADIUS).
3) Create an LDAP to Cisco ASA group mapping (for authorization).
4) Add a group policy and create an IP pool. (We can add two types of group policies, internal and external. Not sure which one to select here.)
5) Create an AnyConnect VPN client connection profile. Here we specify the created server group name, IP pool and group policy. (While creating a connection profile, it asks us to select an interface. As of now I have only one interface, which is "inside". Not sure what the interface "outside" means.)
Aug 23, 2012
A short background. Our corporate SSID is being migrated from using PEAPv0 to EAP-TLS. This restricts access only to company notebooks. Additionally we have barcode scanners which are used to inventory assets. Those devices are not able to use EAP-TLS, as they cannot be integrated into the domain and are unable to do certificate based authentication.
As a workaround we planned to use another SSID with access to the same network but using PEAPv0 as the authentication method, basically the same SSID but with a different name. As this naturally allows anyone to access the corporate network with a valid username/password, I now wanted to add another step into the authentication process: the MAC of the device. I know I can do the filtering at the WLAN controller, but as it has a limited database, and as it is cumbersome to maintain the MAC list on all the controllers, I thought I could do it over our ACS system.
I am now trying to accomplish the following: the user gets authenticated via the internal user store, which is successful. Now I want to authorize the user via the MAC address, which is stored in the internal host store of the ACS, to decide whether access is granted or not.
For this I created the following policy:
Service Selection Policy -- (Rule based result selection)
-- (NDG:Device Type in All Device Types:Wireless And RADIUS-IETF:Called-Station-ID contains <SSID>) | Result: PEAP access
-- Default | Result: DenyAccess
Service PEAP access
Identity: Internal Users -- (Single result selection)
Authorization -- (Rule based result selection)
-- Internal Hosts:HostIdentityGroup in All Groups:Valid_MACs
When I then try to access the wireless network I won't get authenticated. The error I get, when I look into the logs, is: 15039 Selected Authorization Profile is DenyAccess
Is it not possible to use one identity store as "attribute database" for the other identity store?
Jan 30, 2013
I am quite new to the wireless side and had a small question regarding watching debug output while I am SSH'd into the WLC. I tried the other day and did not see any messages; now this could be because nothing triggered, or perhaps it needs something like terminal monitor? I couldn't find any such command. My WLC is a 5508 running version 7.3.
Jan 8, 2013
I am getting "Authorisation requests failed" log entries for a user; however, there aren't any successful authentication logs.
The user would never be able to authenticate as it no longer exists in ACS (it was the user for someone who left the company 3-4 months ago).
The other weird thing is that the caller-id is 0.0.0.0. BTW the NAS is a Cisco ASA firewall running 8.0(3).
Apr 10, 2012
I have installed the ACS 5.1 and linked to my WLC, and when I enter my Logeo I agree Signature: User and password whenever you want from different devices, I want to do is only allow a user to one session at a time.
Apr 9, 2013
I have a strange issue with clients connected to a WiFi network. I have configured the AP in FlexConnect mode and 2 SSIDs. After a reboot of the AP the network is stable for almost 45 mins. Then each client will go up and down, mostly with a delay of 5 mins.
What could be the source of this? The clients are Windows CE handhelds with fixed IP addresses. I already configured persistent client and have played around with ARP timers as well. A Windows desktop or an iPad has fewer connectivity issues, but even they experience packet loss once every several minutes.
Session timer is turned off.
The iPad for example can play music, but every 5 mins you hear a little hiccup and 2 sub-second pings are lost.
Controller version is 7.3
May 30, 2013
I am using ISE 1.1.1.268 and WLC 7.2.111.3 and NAC agent version 4.9.1.6 on Windows 7 Client machines.
About once a day I get the error "ISE Alarm (WARNING): Dynamic Authorization Failed for Device".
The device it is referring to is my NAD, a WLC 5508 running 7.2.111.3.
I have looked at the logs and I cannot see anything in the logs which corresponds to this message so that I can troubleshoot further. Maybe I can if I enable the correct logging level on the correct ISE component.
What are the components and the logging level that I should set to get some more detail about this error?
At the moment, I have only set debug logging on Active Directory. I have TRACE logging set on Posture, Run time AAA & prrt-JNI.
I do not want to enable too many debug logs, so what is the specific element that I should be debugging?
I thought debugging the posture element would be enough, but when I look at the logs there is nothing there that relates to this message.
Jul 7, 2012
I have users connected to the office using the Cisco VPN client; a Cisco ASA 5520 acts as the VPN gateway. Frequently the users get disconnected from the server while the VPN is still established and not disconnected!
What is the cause of the issue, and where is the fault located? How do I start troubleshooting to figure out the issue?
Mar 22, 2011
I am configuring remote access VPN on a Cisco 3845 router. It works fine.
I was looking at configuring session and idle time settings for groups and eventually users.
I am using the following Cisco VPN remote access configuration:
crypto isakmp client configuration group mygroup
 key xxx
 pool mypool
 acl 101
 max-logins 3
 banner ^CHelloo ^C
Is there any command in Cisco IOS similar to the Cisco ASA "vpn group 1 session-timeout"?
Aug 27, 2012
For guest clients, we have configured a guest VLAN and applied external web authentication on the WLC 5508; the session timeout value is 2700 seconds. When a client opens a browser to an internet page, the WLC redirects to the URL and the client gets the login page. After completing the login, he can go to the internet page.
We find that iPhone and iPad clients get the login page again after ~5 mins, which does not match the session timeout value of 2700 sec (45 mins).
Feb 23, 2012
In my wireless network, I have two WLC 5508 appliances running version 7.0.116.0. I have a WCS running version 7.0.172.0, deployed on a Windows 2003 server. I've imported the two WLCs into my WCS in order to centralize the monitoring and configuration tasks. Now I'm facing an issue when I want to create a guest user from the WCS, rather than creating this user access on each WLC. The creation of the user account works fine and the replication is done on both WLCs, but on one of my WLCs the guest user account is deleted after one hour (around). On the second WLC, the same user account remains during all its lifetime. Attached is a screenshot of the advanced parameters of the guest user. You can see that the user was created on both WLCs but is only active on one... and unfortunately the wrong one, because the AP is associated with the other WLC.
Dec 19, 2012
I've got a WLC5508 (7.0.116.0) that is managed by WCS (7.0.172.0). I set up another WLC5508 with the same code and managed by the same WCS. Now I'd like to export all the 800 guest user accounts with the passwords from the old WLC and import them into the new WLC.
Jul 24, 2012
I just got hands-on with my new WLC 5508.
1) I'm using a single subnet, e.g. 192.168.1.0/24, for my wireless clients and I'm assigning them via the DHCP server on the WLC. As the clients are made up of laptops and scanners, I would like to assign the range 50-150 to the laptops and 151-250 to the scanners for easier identification. But it seems that from the WLC DHCP menu I'm not able to do this unless I segment them into a different network with different gateways.
2) Is there any way to change the WLC user account passwords too? I don't seem to be able to find the option unless I delete the account and re-create it with the new password.
Aug 12, 2011
How do I set the WLC 5508 to allow a single web authentication user account to be connected only once at the same time? I found that I can use the same username and password combo to log in on 2 machines at the same time.
Jan 18, 2013
I work at a campus and use the WCS to control access to my network for staff and internet-only access for students. The staff are assigned a username/password through Active Directory and the students use another SSID with only WPA, one password for all. I was tasked with adding more security for students by adding a user/password. I do not want them connecting to my Active Directory for two reasons: security risk, and I have too many to input (over 1000). So, I wanted to use our internal database to validate users. I created a webpage with "WebAuth" that opens my logon page from my site and validates the login fields against the database. It works, and this allows the user to navigate through my website but not outside the site. If they try an outside URL it redirects them to my logon script. I now understand why, so I'm looking for code I can add to my logon page that would allow me to redirect (once users are authenticated by my database) to the WCS controller, so I can enter a preset username/password and the policy management file would allow them access. I presently use "External" and don't know if "Custom" would work. Is there a way to use a database instead of adding one person at a time?
Aug 20, 2012
This first started when a user said they were getting disconnected and reconnected a few times a day to our wireless network. He is in a remote office with an 1142 which is set to H-REAP talking back to our 5508. Our WLC is running 7.0.166. The laptop has an Intel Ultimate 6300agn wireless card with the latest 15.x drivers.
We are using an SSID with WPA2 and 802.1x auth back to our ACS server using PEAP with our Windows credentials. Attached is what I am seeing on the WCS troubleshooting page. When I do a debug client on the WLC I see many reauthentications coming from the client on the different radio.
*apfMsConnTask_2: Aug 22 12:59:36.762: 00:24:d7:d1:16:6c Reassociation received from mobile on AP 0c:85:25:f3:7d:40
*apfMsConnTask_2: Aug 22 12:59:36.762: 00:24:d7:d1:16:6c 10.24.8.108 RUN (20) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
*apfMsConnTask_2: Aug 22 12:59:36.762: 00:24:d7:d1:16:6c Applying site-specific IPv6 override for station 00:24:d7:d1:16:6c - vapId 512, site 'VH-GasWorks', interface 'management'
*apfMsConnTask_2: Aug 22 12:59:36.762: 00:24:d7:d1:16:6c Applying IPv6 Interface Policy for station 00:24:d7:d1:16:6c - vlan 2, interface id 0, interface 'management'
*apfMsConnTask_2: Aug 22 12:59:36.762: 00:24:d7:d1:16:6c Applying site-specific override for station 00:24:d7:d1:16:6c - vapId 512, site 'VH-GasWorks', interface 'management'
*apfMsConnTask_2: Aug 22 12:59:36.762: 00:24:d7:d1:16:6c 10.24.8.108 RUN (20) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
*apfMsConnTask_2: Aug 22 12:59:36.762: 00:24:d7:d1:16:6c STA - rates (8): 140 18 24 36 48 72 96 108 48 72 96 108 0 0 0 0
*apfMsConnTask_2: Aug 22 12:59:36.762: 00:24:d7:d1:16:6c Processing RSN IE type 48, length 38 for mobile 00:24:d7:d1:16:6c
...
Now this may not be the issue that's causing our dropouts a couple of times a day, as this is happening every 5 mins.
May 25, 2013
I have a 5508 controller in my lab. I am working on a project to set up public internet access but with some conditions.
- The user should be able to connect to the SSID without any authentication.
- Once the user connects to the SSID it should redirect to an external URL which shows the terms and conditions and an email address field.
- The user should enter his/her email address in the email address field and click the I accept button.
- Once that is done then he/she is allowed to access the internet.
We are not sure how we can achieve this, as I do not know what the return value to the WLC should be to allow that user to go through, or what the settings on the WLC should be to redirect to the page.
I have seen a setting in web authentication for an external URL, but I guess it is only for username/password or RADIUS authentication. In this case I do not want to use any authentication, just an Accept button or Decline button and all good to go.
Jul 24, 2012
When a guest user first tries to access the "guest" WLAN, they are presented with a "certificate page" before the web authentication page / login is presented. The WLC forces an internal redirect to https://1.1.1.1, causing the certificate page to appear. Can this be bypassed? I am running a 5508 with 7.0.220.0.
Aug 26, 2012
I had users on Cisco WLC 440x controllers. Some service accounts were logged in several times with the same AD account. Since I migrated them to the new controller (5508), it seems that we cannot have the same AD user logged in several times.
I changed the RADIUS server to the one we were using on the old 440x but the situation seems to be the same. I checked the error messages when trying to start a second similar connection; they look like:
*Dot1x_NW_MsgTask_4: Aug 24 14:04:51.558: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3062 Max EAP identity request retries (3) exceeded for client xxxxxxxxxxx
*Dot1x_NW_MsgTask_4: Aug 24 14:04:51.558: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client xxxxxxxxxxx
If I move back to the other 440x similar logins are allowed without any problems.
Dec 2, 2012
I have a 5508 WLC running 7.0.116. I need to be able to pull all configured users off the WLC and import them into Excel; I have 900-odd users configured. When I run a show net user summary it only displays a third of the users. I'm hitting space to tab through each page, then eventually I just get dumped back to the command prompt.
Apr 18, 2012
I'm on a WLC 5508. It doesn't matter if the passive client feature is turned on or off; when you try to increase "User Idle Timeout" you can see this message:
In our network, a lot of clients get deauthenticated. I thought it would be useful to enable the "Passive-client" feature, or increase the "user idle timeout", but how do these work with each other?
Nov 21, 2012
Is it configurable to allow wifi user-to-user traffic on the WLC 5508?
Jul 21, 2012
I have a Cisco WLC 2125 and external web authentication was configured on it. When a user disables JavaScript in the browser, the Cisco WLC does not redirect to my external page; instead the WLC shows the page http://1.1.1.1/login.html with the Cisco logo. How can I resolve this problem? How do I configure the WLC to redirect to the external web auth site with JavaScript disabled in the user's browser?
Sep 22, 2011
We are running ACS 5.2 patch 6 and want to restrict which users are able to add devices to the system. For example, an admin person in site A can only add devices into the site A group and cannot see/access other sites' groups.
Apr 20, 2009
We are using an ASA 5510 and remote access (SSL VPN) using the AnyConnect client.
Is it possible to display a user message when a user connects using the AnyConnect client and matches a specific dynamic access policy? Can the message be displayed when the action is "Continue" rather than "Terminate"? I can't seem to get this to work and wondered if there was a Lua function to do this.
We have a DAP which gives a restricted ACL when the user's anti-virus is out of date, and I wanted to notify the user to update their anti-virus and reconnect.
Oct 10, 2011
I want to create a local user in my Cisco ASA 5520 to allow the user to use the ASDM in Read-Only mode. I want the user to view the Dashboard only.
Mar 27, 2013
I'm working on an 892W router. To close the session between the wireless device and the router's console, the command Control-Shift-6 x is required. The issue is that this command is not working for me. I'm using the SuperPuTTY connection tool.
Feb 5, 2013
We have a Cisco WLC 7.0 with private and public access. Is it possible to limit the guest session time? For example, any visitor's connection will be disconnected after 1 hour.