Cisco Wireless :: WLC 2106 Only One User Authentication
Mar 4, 2010
I have a WLC 2106 and a 1242AG. It's a hotspot configuration. So in the WLC, under the Controller tab, I have set my AP-manager IP, my management IP, my virtual IP (1.1.1.1) and my hotspot network range IP. I also set a DHCP range for the hotspot network.
In the WLANs tab, I set up my hotspot WLAN with no layer 2 security; for layer 3 I set the security to none and use web policy authentication. I use local authentication, and under the Security menu, AAA tab, I created 3 local net users.
From PC number 1, I get an IP from DHCP, I get the authentication web page, authentication is OK and I can surf the web. From PC number 2, while user 1 on PC 1 is connected, I get an IP from DHCP but I do not get the authentication web page and I have no DNS resolution. When I try https://1.1.1.1/login.html, I get no answer.
And when user 1 is de-authenticated, user 2 can surf the web. So only one user can surf at the same time, which is not good for a hotspot.
In the WLC there are two groups (say A and B). How would I take group B and point it to a RADIUS server for authentication? The server is ping-reachable. I have searched but did not see any definitive answer.
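An added example, not from the post above, of what pointing one WLAN at a RADIUS server looks like on the WLC CLI. The server address 10.1.1.5, the shared secret MySecret and "group B" being WLAN ID 2 are all placeholders, and the commands are the WLC 4.x/5.x/7.x syntax; check them against your controller's release notes:

```cisco
! Define RADIUS authentication server index 1 (placeholder address and secret)
config radius auth add 1 10.1.1.5 1812 ascii MySecret
config radius auth enable 1
! Optional: accounting to the same server on the standard accounting port
config radius acct add 1 10.1.1.5 1813 ascii MySecret
config radius acct enable 1
! Bind server index 1 to WLAN 2 only; WLAN 1 keeps its current settings.
! A WLAN has to be disabled before its security settings can be changed.
config wlan disable 2
config wlan radius_server auth add 2 1
config wlan radius_server acct add 2 1
config wlan enable 2
! Checks: server list and state, then the per-WLAN binding
show radius summary
show wlan 2
! Watch the exchange while a test client logs in
debug aaa all enable
```

Two things that are easy to miss: the RADIUS server must also have the controller's management IP registered as a client with the same secret (otherwise the requests are silently dropped and the debug shows retries with no reply), and the binding is per WLAN, so with nothing bound a WLAN falls back to the controller's global RADIUS server list rather than to local users.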
I would like to be able to have a few "guest" users on the wireless network for visitors. Is there any method to have a prompt for username / password? I would like the user accounts to have different expiry periods if this is possible. My current config is attached. The SSID "test" appears on the network. The SSID "test111" does not appear.
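An added example for the two web-authentication posts above (the WLC 2106 hotspot with local net users, and the guest accounts with different expiry periods); it is not part of either post. WLAN ID 1, the profile and SSID name "Hotspot", the usernames, passwords and lifetimes are placeholders:

```cisco
! Placeholder WLAN 1: profile "Hotspot", SSID "Hotspot"
config wlan create 1 Hotspot Hotspot
config wlan disable 1
! Open at layer 2, web authentication at layer 3; the login page is
! served on the virtual interface address (1.1.1.1 in the first post)
config wlan security wpa disable 1
config wlan security web-auth enable 1
config wlan enable 1
! Local net users bound to WLAN 1: one permanent account and two guest
! accounts whose lifetime is given in seconds (1 day and 7 days here)
config netuser add user1 S3cretPass1 wlan 1 userType permanent description "staff"
config netuser add guest1 Gu3stPass1 wlan 1 userType guest lifetime 86400 description "1 day"
config netuser add guest2 Gu3stPass2 wlan 1 userType guest lifetime 604800 description "7 days"
! Checks: the account list, every client with its state, then one client in detail
show netuser summary
show client summary
show client detail 00:11:22:33:44:55
! Full client trace while the second PC tries to log in (placeholder MAC)
debug client 00:11:22:33:44:55
```

The per-client "Policy Manager State" in the detail output is the useful check: a client that associated but has not logged in sits in WEBAUTH_REQD, and in that state the controller still passes its DHCP and DNS traffic, so a second client that gets an address but no DNS answers and no redirect is worth tracing with debug client rather than by looking at the accounts. The SSID itself is only broadcast when the WLAN is enabled and its radio policy allows the band the client is scanning.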
How do I set a WLC 5508 to allow a single web authentication user account to be connected only once at a time? I found that I can use the same username and password combo to log in on 2 machines at the same time.
The E2000 has the guest account feature. Not sure if all guests share the same login credentials. I would like to have guest accounts use separate logins. Is this feature available? Another thing: I read the manual and it indicates that only up to 10 guest accounts are allowed. I am looking for more than 10, kind of like hotspot software.
I've been looking everywhere. I've seen hotspot systems, DD-WRT, ChilliSpot, etc. But it's complicated as firmware needs to be flashed.
We are changing our old PIX 515E this weekend for a brand new ASA 5510. With this new installation, I would like to implement RADIUS authentication for remote VPN users. Changing the firewall of the company has many impacts, and for the first phase the users will keep authenticating locally, but I need that in phase 2 they will be authenticated via a RADIUS server. Is there a way to configure both authentication methods for remote VPN users?
All users will be authenticated locally except the members of the IT department, who will be authenticated by the RADIUS server for testing. I have remote VPN users around the world, so I do not want these users to be blocked by the testing of the RADIUS authentication. What I want is that users in group1 will be authenticated locally on the ASA and users in group2 will be authenticated by RADIUS. When testing is done, all users will be transferred to RADIUS authentication gradually.
On our guest wireless, at times when a user shuts down their laptop and powers back up they are not asked to re-authenticate. The only security is a login and password, then the user is tunneled to our 440 in our DMZ and then out the Internet pipe. My question is: if the user shuts the laptop off then starts it back up, shouldn't they be prompted for the user login and password?
I would like to configure RADIUS authentication and authorization in ASA 8.2 (ASDM 6.2) by configuring a Cisco AnyConnect VPN client connection profile. So the end result would be: the user enters his username, password and a token in the AnyConnect client, then the RADIUS server validates this information and sends the user attributes to the ASA upon successful authentication. I would be grateful if I can get the step-by-step procedure to achieve this. The below is what I am trying to do:
1) Create an AAA server group.
2) Add the AAA server to this group (here it is RADIUS).
3) Create an LDAP to Cisco ASA group mapping (for authorization).
4) Add a group policy and create an IP pool. (We can add two types of group policies, internal and external. Not sure which one to select here.)
5) Create an AnyConnect VPN client connection profile. Here we specify the created server group name, IP pool and group policy. (While creating a connection profile, it asks us to select an interface. As of now I have only one interface, which is "inside". Not sure what the interface "outside" means.)
I want to have a local user in ACS that is permitted to log in to routers. I have TACACS with AD already working but cannot get a local user to work. I used to do this in ACS 4.x. I created a user in the internal identity store. I tried configuring a policy to allow this user's TACACS authentication multiple ways, to no avail. I cannot find a config example doc and cannot figure it out from the user guide, as the documentation is sorely lacking.
I am trying to set up a rule to allow wireless access only to users in my AD when they use computers from my AD. I have machine authentication working on its own (the computer boots up and connects to wireless, confirmed by ACS logs). I have user authentication working. But when I try to create the following rule, it does not work.
I am using ISE 1.1.3.124. My first question: I want to know the relation between the attribute "WasMachineAuthenticated" and MAR (Machine Access Restriction, in the advanced settings for AD). Is it the same or not? Once you time out, you need to do machine auth again. What is the timer? Using the attribute "WasMachineAuthenticated", is it the same timer that you configure in MAR? In a distributed environment, is the information about a machine previously authenticated replicated to all policy nodes? Because if a switch has 2 RADIUS servers, we are not sure that it will point every time to the same server.
For our wireless, we enabled machine authentication, but we want to bind machine authentication and user authentication together, which means they need to meet both requirements to access the wireless. How can we do this? Right now it looks like as soon as the machine is authenticated, it can access the network, with no user authentication needed.
How do I configure user authentication via TACACS on UCS 1.4 with ACS 5.2? My TACACS connection works, and my user authentication is successful, but I can only get read-only rights. I have tried several versions of "cisco-av-pair= role=admin", both as a mandatory attribute named role and as cisco-av-pair=role with "admin" as the value, and I still get read-only.
When I attempt to find any documentation, it only describes ACS 4.2, which is another problem I have with most documentation for new Cisco products (I have this exact issue with my NAMs: nothing I do to change the attributes results in successfully logging into the NAM, and all config guides are written in 4.2 speak).
Is there any possibility Cisco is going to release some documentation on how to convert 4.2 speak to 5.2 speak?
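An added note, not from the poster: as far as I know (verify against the UCS Manager configuration guide for your release), the value UCS Manager looks for in the cisco-av-pair is shell:roles with the role names quoted inside the value, which is a different string from role=admin. Written as an ACS 5.x shell profile it looks like this; the profile name is a placeholder:

```cisco
! ACS 5.x > Policy Elements > Authorization and Permissions
!   > Device Administration > Shell Profiles > "UCS-Admin" > Custom Attributes
! (placeholder profile name; the attribute name and value format are what
!  UCS Manager parses, as I understand its AAA integration)
Attribute:   cisco-av-pair
Requirement: Mandatory
Value:       shell:roles="admin"
!
! Several roles go inside the one quoted value, space separated:
!   shell:roles="admin aaa"
! A read-only operator profile would carry:
!   shell:roles="read-only"
```

The same shell profile then has to be selected by an authorization rule in the device-administration access service that matches the UCS devices (by device group) and the user's identity group; a user who authenticates but matches no rule falls through to the default authorization, which is the read-only outcome the post describes.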
I am migrating from ACS 4.2 to 5.2. In 4.2 you could assign one user to auth via the internal database and another user to auth via a RADIUS token server. I cannot find how to do this with 5.2. There is a note in the doc that states "Identity-related attributes are not available as conditions in a service selection policy". Does this mean that you can only choose one auth method for all users? If it is possible to have multiple methods, how am I able to accomplish this?
While configuring LDAP, I got stuck in "Step 3 - Directory Organization". How do I make this work? My aim is to have users authenticated with their Windows domain usernames and passwords when they log in to AAA clients.
We have configured ACS 5.1 for authenticating wireless users with Active Directory, which is working fine now. But we would like to implement that a single user should be authenticated only once through ACS. If any user tries to access the WLAN from multiple systems, they will be notified with a multiple-login access restriction. Can we implement this policy in ACS, and if possible, what are the exact configuration changes we have to implement?
We have a cross-domain trust relationship established and I have added the user group in our ACS 5.1. We are using Active Directory as an external identity store. Also I have created a rule in the Access Policies to allow the user group. From the cross domain, I use abc@xxx.xyz as a user ID, but I get this error message: 13036 Selected Shell Profile is DenyAccess.
I have a remote access VPN profile configured on an ASA 5540. This profile is almost identical to the same profiles configured on other ASA 5540s. The profile is linked to Active Directory for authentication. For some reason, users are not being prompted for the domain name field when connecting to the firewall; on the other firewalls they get prompted for all three (user/pass/domain).
All the firewalls are running 8.0(4) 32. The following is the configuration of the firewall that I am experiencing issues with:
ip local pool TESTVPN 10.244.124.1-10.244.127.254 mask 255.255.252.0
group-policy TESTCERT internal
group-policy TESTCERT attributes
 banner value **** WARNING ****
 banner value You are Now Successfully Connected
I have set up ACS 5.2 in my lab and have it completely functional with downloadable ACLs, dynamic VLANs and the identity store on the backend is Active Directory. I need it to lock a user account in AD if there are too many auth attempts. I have gone into AD and set a max login attempts of 3, but if I continue to fail authentication (on purpose) using RADIUS auth, it never locks out my AD account. I am using AnyConnect 3.0 with NAM as the supplicant installed on my workstation. I have also configured the switchport that I am connected to with the following commands. I tried the dot1x max-reauth-req 3 command and that didn't really do anything for me either. What am I missing here?
End user client (Cisco AnyConnect/VPN client) -> ASA 5500 (AAA client) -> ACS server -> External RADIUS database.
Here the ACS server would send the authentication requests to the external RADIUS server. So I have added the external user database (RADIUS token server) in ACS under External Databases. I have added the AAA client in Network Configuration (selected "authenticate using RADIUS (VPN 3000/ASA/PIX 7.0)" from the drop-down).
Here, how do I make the ASA recognize that it has to send the request to the ACS server? Normally when you use ACS as the RADIUS server you can add an AAA server in the ASA and test it. But here we are using an external RADIUS server which has been configured in ACS, so how do I make the ASA send the requests to the ACS server?
I'll get straight to the point. I have at work a domain of computers. On one of the computers (I have admin rights) I want to share a folder that can be accessed by other computers that are not in the domain. By default, accessing that share requires a user/pass. My question is: can I configure something on the computer (running Windows Server 2008) for the shared folder so that other computers that are not from the domain will gain access without a user/pass requirement (like a normal share)?
How can I find out what version of SSH a Cisco 2106 wireless LAN controller is using? Is there a CLI command I can type to figure that out, or do they only support one version?
We recently purchased a bundle of 3 1042N APs with a 2106 WLC. I am able to get the controller on the network and am able to manage it through the HTTPS web GUI. I am now trying to add one of the APs to the controller and am getting an infinite loop on the AP upon bootup. I tried looking up the solution but could not find a good article that pertained to the problem I was having. One thing I did notice is the time on the AP is way offset, but when I do a clock set to change it to the actual date it doesn't stick on the next reload.
Here is the output:
using ÿÿÿÿ ddr static values from serial eeprom ddr init done
I got my final assignment from school, and my teacher asked me to configure 2 access points (1200 series) directly on a wireless controller (Cisco 2106). I can't ask my teacher any questions, because he doesn't know how to configure it either; THAT's why he's asking me to do it. I've learned a lot of things about the default static interfaces (the "management" and "ap_manager" interfaces), but I can't seem to fully understand how to configure them. I want to use the internal DHCP server of the WLC. How can I get those 2 access points working on the WLC? I only seem to get DHCP issues.
This is what I've done:
- Left the configuration of the "management" and "ap_manager" interfaces at default (172.16.1.30 and 172.16.1.30), bound to port 1.
- Made a new interface "AP1" with IP address 10.0.0.10 (/24), default gateway 10.0.0.1, primary DHCP server 172.167.1.30.
- Made a new interface "AP2" with IP address 192.168.1.10 (/24), default gateway 192.168.1.1, primary DHCP server 172.167.1.30.
- Made 2 DHCP scopes within the 192.168.1.0 and 10.0.0.0 networks.
For some reason, when I boot up both APs, they won't get any DHCP address.
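An added example, not from the post above, of a WLC internal DHCP scope as it is built on the CLI. The management address 172.16.1.30, the scope name, the 10.0.0.0/24 range and the lease time are placeholders; the command set is the one I know from 5.x/7.x controllers, so check it against your release:

```cisco
! The internal server only answers requests that arrive on an interface
! whose DHCP server address is the controller's own management address
config interface dhcp management primary 172.16.1.30
!
! Placeholder scope "APs": network, pool, gateway, DNS, lease (seconds), enable
config dhcp create-scope APs
config dhcp network APs 10.0.0.0 255.255.255.0
config dhcp address-pool APs 10.0.0.100 10.0.0.200
config dhcp default-router APs 10.0.0.1
config dhcp dns-servers APs 10.0.0.1
config dhcp lease APs 86400
config dhcp enable APs
!
! Checks: scope state and ranges, leases actually handed out,
! and whether the APs got as far as a join attempt
show dhcp summary
show dhcp detailed APs
show dhcp leases
show ap join stats summary all
```

The scope has to cover the subnet the requesting port is actually in: an AP plugged straight into a controller port sends its DHCPDISCOVER on the untagged VLAN of that port, so the scope that matches the management subnet is the one that can answer it, regardless of how many other scopes exist. The lease list is the quickest way to see whether a request ever reached the server.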
We have a 2106 that was configured by a former employee. No one left in the company is qualified to configure it. The wireless guest access used to work fine: we'd configure a guest user account, they would connect to the guest wireless, open a web browser and log in. For some reason now there is no prompt for login. People can connect to it and get an IP address, but that's it; no login prompt or anything else from there. User Login Policies was set to 0 and I put it to 8. That didn't do anything. Under Web Auth > Web Login Page it's set to Internal (Default).
I set up a mini wireless LAN lab with a not-for-resale 2106 wireless LAN controller and a demo AIR-LAP1242AG access point. I do not have DHCP or DNS in my lab environment. I have configured the WLC with the basic configuration using the CLI wizard; I also configured the WLC as a DHCP server for clients that will be connecting to the APs associated to the controller.
I powered up the AP and connected the Ethernet port directly to the controller. The controller issued an IP address to the AP, and the AP downloaded a new operating system from the controller but failed to join the controller.
I checked both the debug messages on the controller console and the trap messages on the controller's GUI, and they say the AP could not download a configuration from the controller because of an invalid license. Below is the trap message:
Configuration Phase Statistics
- Requests Received
- Responses Sent
- Unsuccessful Requests Processed
- Reason For Last Unsuccessful Attempt
- Last Successful Attempt Time
- Last Unsuccessful Attempt Time
Last Error Summary
- Last AP Message Decryption Failure
- Last AP Connection Failure
- Last Error Occurred
- Last Error Occurred Reason
- Last Join Error Timestamp
Also, I tried to log into the GUI of the AP using both the username and password "Cisco", but I cannot get into the device. I can only get in through the CLI. In the CLI, almost all the commands I enter give an error that it is disabled. I don't know what to do any more; I want to know if the access point is faulty or I am not doing the right thing.
I am trying to get one AP to join the 2106 controller. It did join once, then never again! Now all I get is: *Jan 22 11:16:22.088: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down