The users belong to Multiple AD domains. If we purchase WLC 2500 controller. Can I have one more WLANs authenticate to multiple radius or ad domains? I thought one WLAN/ ssid authenticate to single radius server.
View 4 RepliesCurrently on ACS 5.2 and our MS Active Directory is migrating to a completely new domain. There will be a two way trust between them for the 24 month migration period. How best to configure ACS connect to both domains?
View 2 Replies View Relatedi am having wirless controller cisco 2500 series. i want to know how many web authentication users i can create in the 2500 series controller with time out option for each users.
i know it will support the web authentication for internet access for the users but i need to know how many it will accept at a time with hours specification.
I do have a quick question about Cisco ACS 5.3 and multi domain authentication. How is it exactly handled?
Can I join more than one domain with the ACS server? Or do I still need to configure that bidirectional trust relationship between those AD forests (even with the ACS 5.3)?
Does the LDAP authentication work across W2K3 Active Directory domains and multiple ASA5510 firewalls? Or do I need to setup another type of authentication? If I use another type of authentication can I get specific portals with special bookmarks based on login account?
View 4 Replies View RelatedI have the problem with machine authentication, our customer using Wireless Controller 2500 Series and need implement machine authentication on IAS server. So, as my understand is our controller may not change anything with configuration but we may configure IAS for support machine authentication, correct? but my question is how to? and is it work ?
View 24 Replies View RelatedMy client wants to test their new product with wireless authentication 802.1x EAP TTLS. They have CISCO WLC 2504. Does CISCO WLC 2500 support EAP TTLS, if yes then how to configure. So far I have added Radius TTLS server into my WLC. Under Radius on WLC added radius server IP and key and created new SSID 802.1x WPA+WPA2 ( WPA policy2 and WPA encryption AES) after that under SSID AAAservers selected drop down same server IP. But user tried and didn’t work also we didn’t see any hit on radius server. Yea policy has added on radius. My client wants to use TTLS instead of TLS because in TLS you have to use client certificate on client side but on TTLS you can use certificate on client side but it is optional. So they want to stick with TTLS. But I am not seeing any documentation on TTLS with cisco WLC
View 8 Replies View RelatedMy client wants to test their new product with wireless authentication 802.1x EAP TTLS. They have CISCO WLC 2504. Will CISCO WLC 2500 support EAP TTLS, if yes then how to configure.
So far I have added Radius TTLS server into my WLC. Under Radius on WLC added radius server IP and key and created new SSID 802.1x WPA+WPA2 ( WPA policy2 and WPA encryption AES) after that under SSID AAAservers selected drop down same server IP.But user tried and didn’t work also we didn’t see any hit on radius server. Yea policy has added on radius.
My client wants to use TTLS instead of TLS because in TLS you have to use client certificate on client side but on TTLS you can use certificate on client side but it is optional. So they want to stick with TTLS. But I am not seeing any documentation on TTLS with cisco WLC?My android phone galaxy II has TTLS option under EAP 802.1x, so android devices support TTLS.
Is it possible for Windows 7 to host multiple domains? I have seen that it is available for plenty of other OSs and I am sure that it is. I just wanted to make sure.
View 2 Replies View Relatedjoin multiple domains in windows xp?
View 2 Replies View RelatedI'm looking to implement ACS 5.2 using 802.1X, we have two seperate AD domains.A single switch will need to support both ADs, so if a machine in AD1 is connected, it will be authenticated to the ACS using AD1 and applied to VLAN1, while a machine that is in AD2 will be authenticated to AD2 and applied to VLAN 2.
I'm looking at machine authentication, not user authentication, so I assume that I will need to import two certs from each AD.
I have a customer with three rooms where teh access layer aggregation switches are run back to.
Access Switch Stack A -> room 1 + room 2
Access Switch Stack B -> room 2 + room 3
Is it possible to have three Nexus 7000s ie one in each room (1,2 and 3) and have them setup like this:
Nexus 7000#1 vPC domain 1
Nexus 7000#2 vPC domain 1 + vPC domain 2
Nexus 7000#3 vPC domain 2
Thus gving all access switch stacks redundant links to the core withouit spanning tree.
I know its not ideal but its a campus site and thats how the existing fibre runs go.
My client wants to test their new product with wireless authentication 802.1x EAP TTLS. They have CISCO WLC 2504. If CISCO WLC 2500 support EAP TTLS, if yes then how to configure.So far I have added Radius TTLS server into my WLC. Under Radius on WLC added radius server IP and key and created new SSID 802.1x WPA+WPA2 ( WPA policy2 and WPA encryption AES) after that under SSID AAAservers selected drop down same server IP.But user tried and didn’t work also we didn’t see any hit on radius server. Yea policy has added on radius.My client wants to use TTLS instead of TLS because in TLS you have to use client certificate on client side but on TTLS you can use certificate on client side but it is optional. So they want to stick with TTLS. But I am not seeing any documentation on TTLS with cisco WLCMy android phone galaxy II has TTLS option under EAP 802.1x, so android devices support TTLS.
View 2 Replies View RelatedWe are using WLC 2500 and AP 1041 with web authentication. Due to we do not have the trusted/public certificate and want to get rid of the certificate warning during the user login. Is this possible to change the web authentication method from HTTPS to HTTP.
View 1 Replies View RelatedI have looked through the forum and think that I have found the answer to my question but I just need confirmation of my thoughts. We are using a 5508 W LAN controller running software ver 7.2.110.0 and LAP 1142n AP's.
What I would like to do is to configure multiple guest W LAN for each of our regional offices. Each of these W LAN needs to be configured with a Web Authentication page relevant to the office location. My question is this, can I have a Web Authentication page for each location or just 2, the default internal page and 1 customized page?
My boss just asked me if there was a way for him to move from point A to Point B with his wireless laptop and NOT have to reauthenticate at point B if I install another access point there. Right now I have us setup on a Cisco WAP4410N Access Point that works well when he's within range of the antenna. The point B location is upstairs and while it's only about 50-70 feet away from the Point A access point the signal he's getting there is very weak so he wants me to install another AP there.
IOW he wants to authenticate once at point A and when he walks up to point B he wants the laptop to pickup the newer hotter signal when I put another AP point in.
I have acs 4.2 for windows installed on a windows server 2003 box, because of a merger I need to now authenticate against 2 different domains, there is a bidirectional trust between the two domains and the dial-in permission has been set in ADUC but whenever I try to authenticate a user it says dial-in permissions needed in the acs failed authentication log.
View 5 Replies View RelatedWe currently use ACS 4.2 for authentication of corporate users who are accessing the network in 2 different ways:
1) VPN client (via ASA5510)
2) Wireless (EAP-PEAP)
For all users who currently access the network via either of the above 2 methods, the Password Authentication under User Account settings in ACS is set to query an RSA SecurID Token Server.
We would like to try achieve the following in ACS:
IF an access request comes from the ASA (VPN clients), THEN we would like the user's password authentication to be handled by the RSA SecurID Token Server as it currently is. IF an access request comes from the Wireless LAN controllers THEN we would like to use EAP-TLS authentication. (We are aware that we would obviously need to configure the WLC, clients, PKI infrastructure etc accordingly for eap-tls).
can i have on asa 5510 multiple pools and multiple group authentication for various departments along with restricted access if any
View 3 Replies View RelatedThe original network had a Zylex router, Netgear Switch. There was 2 pc's, one XP and Win 7. There is also 3 tills connected too. There is VPN network connected too. This emits a wireless signal to connect to a scanning gun and is also used to administrate the entire network. I was told by the Administrator of that network that it shouldn't interfere with the wifi network.
The job I was requested to do was to install 3 new wall plates as the Win 7 pc was using a Belkin wireless adapter. There was 2 put inside the office where the XP and Win7 pc's are located. The 3rd was just outside the office.
Now all the ethernet connections work 100%. The wifi is another story though. It will show up in the connect too, when you try connect it will disappear/no response from AP/connect then disappear, these are random too. No order to when each is error is displayed. Even when I put in another router the exact same issues happen.
I have tried to connect to both routers wifi when it wasn't plugged into the switch. Just the router's turned on with no cables plugged in separately of course, no joy same issue with both.
I have a WPA2/AES network with PEAP MsChapv2 authentication. I have 2 ACS servers for authentication. The problem I have is dropped clients. Both ACS servers are setup identical. The database replcation has been preformed.A series of 10 clients connects wirelessly and they are all successful. ACS server 1 is the primary and ACS server 2 is the backup. We verified that the 10 users authenticated to the primary ACS. My time out to reauth is 30 minutes on the WiSM. 10 minutes into the test we took down the Primary server. This should have had no impact on the clients. 5 minutes later the clients lost thier authentication and were dropped from the network. They were able to reconnect by shutting down thier wireless client and reconnecting. The authentications were seen on the Backup ACS server.on a test of falling back to the primary the same thing happened again to the clients.
View 2 Replies View RelatedWe have multiple RA VPN groups on a 3845 router.RADIUS authentication is currently happening between the 3845 and a single Windows 2008 server. We have a specific windows group that AD users are members of, and they are allowed to connect via VPN.
I'm creating a new RA VPN Group, which should only allow different AD users. Is it possible to create another RADIUS association to the same server, or do I need to authenticate against a different Windows server?
The original network had a Zylex router, Netgear Switch. There was 2 pc's, one XP and Win 7. There is also 3 tills connected too.There is VPN network connected too. This emits a wireless signal to connect to a scanning gun and is also used to administrate the entire network. I was told by the Administrator of that network that it shouldn't interfere with the wifi network.The job I was requested to do was to install 3 new wall plates as the Win 7 pc was using a Belkin wireless adapter. There was 2 put inside the office where the XP and Win7 pc's are located. The 3rd was just outside the office.Now all the ethernet connections work 100%. The wifi is another story though. It will show up in the connect too, when you try connect it will disappear/no response from AP/connect then disappear, these are random too. No order to when each is error is displayed. Even when I put in another router the exact same issues happen.I have tried to connect to both routers wifi when it wasn't plugged into the switch. Just the router's turned on with no cables plugged in separately of course, no joy same issue with both.
View 2 Replies View Related I've set up my E3000 (and the WRT54g it replaced) to use dynamic DNS (using dyndns.org) to forward a domain to a particular IP address on the network. Works awesomely.
I now have a situation where I am setting up a local network (no internet access) where I want a few other local users (an iPad and a laptop) to be able to access a couple websites (let's say x.me and y.me) on a machine also connected to the router.
As an aside, It seems (just from casual testing) that if I am on a machine on my local network and I try to access my dynamic domain (that I route through dyndns.org) and it seems to resolve right away without going out to the internet. Is this correct? Does it automatically route anything on lan directly?
I've been having a weird issue lately with my WRT310Nv2. Sometimes when we, and by we, I mean two different computers (one Mac, one XP PC), try to go to a website, it will point us to an entire diffrently website. For example, earlier today I attempted to go to Twitter and twitter.com appeared as some random Blogger website. I've had issues where Amazon.com kepting point to UPS.com, or Facebook.com pointing to MySpace.com, etc.
I haven't been able to pinpoint a regular pattern, except the fact that it is most likely the wireless network, since the Windows PC (Server 2003) plugged directly into the router has never had this issue.
So i see tons of threads here and on google talking about dns issues with their linksys router but I never see a solution other than to locally change the dns servers on the client machine to prevent it from using the linksys router dns. My router is the WRT310Nv2 running the latest firmware but I see others are affected as well. url...My issue is this router continues to fail dns resolutions and I have to either reset it or tell my client machine not to use my router as a point of dns resolution.
1. Why is my router failing to resolve domains correctly?
2. Is there anyway to fix this from the router?
We are trying to set up ACS 5.2 in our multi-forest AD environment. As part of our evaluation we set up an Active Directory External Identity Store to a domain (a.b.edu). It connects properly and I can see the directory groups in the that tab when we Select. This domain (a.b.edu) has a two way trust with another domain in another forest (x.y.b.edu). However, I do not see the groups in that domain and I cannot seem to manually add those groups using the Add on the free text Group Name.
The documentation is not clear on this point: Page 8-41 and 8-42 of the "User Guide for the Cisco Secure Access Control System 5.2) says: "The External User Groups dialog box appears displaying a list of AD groups in the domain, as well as other trusted domains in the same forest." This implies to me that it cannot cross forests even though a trust is set up. This seems to be what is happening.
My company bought another company and moved them into our building. the company moved in but are on an entirely different network all together. wired separately, different domains.what i would like to do is be able to have them communicate with each other. have users on company A be able to use printers on company B's side of the network.
View 15 Replies View RelatedI am having trouble adding a new controller(2500) to the WCS.
-My WCS version 6.0.196.0
-My WLC version 7.0.116.0
If i upgrade my WCS i may add the new contoller? Even if in cisco DATA-SHEET there isnt any mention regarding this WLC(basicly it says that the WCS does not support this WLC)
Monitoring and migration of selected Cisco Aironet standalone (autonomous) access points. Monitoring of the standalone access points of Cisco 800, 1800, 2800, and 3800 Series Integrated Services Routers.
I have a scenario where we have
Cisco 1300 Outdoor APs
Cisco 3600 Indoor APs
WLC 2500
Now i need to integrate the WLC with Windows 2008 AD for authentication.The idea is to let the users authenticate via AD for accesing the wireless network.
Will the integration work with NPS?
I'm configuring a 2500 series WLC to test some wireless configuration changes we'd like to make on our 5500's that are currently in prodcution.
The 2500 and the 5800's interfaces are configured as a LAG.
One of the primary goals of these configuration changes is to move the LAPs from their current VLAN (the same subnet as our primary WLAN) to two separate VLANs. Were choosing to move the LAPs to 2 APs based on the WLC best practices document's suggestion to limit the number of LAPs per vlan to 60-100. We've had several issues in the past with LAPs failing to join with their static IPs, releasing them and then joining with DHCP addresses.
LAP's will be on separate vlans using subnets 10.10.10.0/25 and 10.10.10.128/25. WLC management interface is in the 10.10.1.0/25 subnet.
Should we continue using static IPs for the LAPs or DHCP?
What subnet should the AP management interface be on?
Is it possible to have mutiple AP management interfaces with LAG?
how i can configure a second ssid for guest access in our environment. this is our network setup prior to this request: Internet----Firewall (not ASA)---ce520---C1131AG and CME router is also connecting to the ce520 switch. we only have two vlans: one for voice and two for data.
Presently, there is no vlan configured on the AP because it on broadcasting ont ssid and wireless users gets IP from a windows DHCP server on the LAN. the configuration on the ce520 switch port for the AP and other switches say access vlan is the DATA vlan which automatically becomes the native vlan for all trunk port connecting the AP and other Stiches to the network.
Now with this new requirement, i have made my research and i have configured the AP to broadcast both the production and the guest Vlans. The two vlans are 20-DATA and 60-Guest. I made the DATA vlan on the AP the native vlan since the poe switch is using the DATA vlan as native on the trunk ports. I configured the firewall to serve as DHCP server for the guest ssid and i have added the ip helper-address on the guest vlan interface on all switches while the windows server remains the dhcp server for the production DATA Vlan. I have confirmed that the AP, switches can ping the default gateway of the guest dhcp server which is another interface on the firewall. I can now see and connect to all broadcasted ssids but the problem is I am not getting IP addresses from both the production dhcp server and guest dhcp server when i connected to the ssid one at a time. My AP config is attached below.
Do i need to redesign the whole network to have a native vlan other nthan the data vlan? Does the access point need to be aware of the voice vlan? Do the native Vlan on the AP need to be in Bridge-group 1 or can i leave it in bridge-group 20?
My question is if I can configure 3 ssid, for 3 different VLAN and add the DHCP address from a WAP4410N AP, when you upgrade to the latest version of IOS I can have this functionality?
View 2 Replies View Related