Cisco Wireless :: WLC 5508 No Further RADIUS Authentication Requests?
Mar 18, 2013
I'm working on a project where a wi-fi client is tracked and located using RADIUS authentication requests. The problem I'm running into is that the WLC (5508) sends an RADIUS authentication request to my freeradiusd, which is ok so far, but if the client roams to another accesspoint (3602AG, 1131AG, 1252AG), the WLC does not send a further RADIUS auth. request - and the client is allowed to connect to the next ap.Is there an option like RADIUS-cache which I can disable, so that the WLC sends everytime an authentication request when a client tries to connect to an ap or roams from one ap to another one?
View 4 Replies
ADVERTISEMENT
Feb 16, 2012
I am setting up a WIFI network with a Cisco 5508 controller. I want to configure a first WIFI network (WIFI1) that will authenticate my business laptop based on the AD computer accounts and will access my corporate network.I want to setup a second WIFI network (WIFI2) that will authenticate my phones and tablets devices with AD user accounts and will be on a separate vlan with only access to the Internet.I created 2 policies on the Radius server : one that authenticate computers coming from wireless and a second one authenticating users coming from wireless.
if a user manually creates the WIFI1 network on his phone and enter his AD username, he is going to have access to the corporate network. I would like to be able to say that when a request is coming from WIFI1, only the policy for authenticating wireless devices with computer accounts will apply and the second policy authenticating user wouldn't apply.
View 1 Replies
View Related
Apr 8, 2013
I have a 5508 controller running 7.4.100 and have a WLAN where I have radius configured. On my controller the client machine I'm using appears but the radius authentication doesn't appear to be working. Is there anything on the controller I can do to verify that the request is even being sent to my Microsoft IAS server? The log on the server doesn't show any requests from the controller so my early days guess is the controller isn't actually sending it.
View 3 Replies
View Related
May 6, 2013
I'm a trainee in Network and Telecommunication, and I have to do a "model" with a controller, an AP, and a RADIUS server. Communication and configuration of the lightweight AP has been done.
I use an autonomous access point 1220 as the RADIUS server (no considering it as an AP), and I'm a beginner in RADIUS configuration. I get a "Processing AAA Error 'No Server' (-7) for mobile 00:24:d6:8f:2c:7e" when I launch a debug targetting my PC, connecting to the LAP.
Precursory : 10.137.125.71 is the IP address of the ap1220, working as the RADIUS server 10.137.125.15 is the IP address of the controller. 00:24:d6:8f:2c:7e is the MAC address of my PC, connecting to the Wi-Fi. ping works to the RADIUS, to the controller. Each devices are connected by a layer 3 Switch, and ping each others. The Wi-Fi works when I don't use 802.1X (or when I don't use RADIUS authentication at all)
What I did on the RADIUS server (ap1220 autonomous) :
aaa new-model
radius-server local
nas 10.137.125.15 key password
[Code]......
View 5 Replies
View Related
Oct 30, 2011
I'm using Cisco VPN client 5.0.7 and Cisco ASA 5510 (7.4 and 8.4.2) VPN RAS solution. Clients are authenticated using certificates and AAA RADIUS (ACS 3.3) and AD.Each time, when client connects, ASA issues 2 RADIUS requests, first - correct one which is successfully authenticated by ACS and immediately - second which always fails. I couldn't find any information related to this strange behaivor. "Double authentication" feature (most likeable to its name) is accessible only to Anyconnect clients which we don't use. When I'm authenicated using group password, there is only one RADIUS request.What is the source of such behavior?The negative impact is that my logs are filled with spurious failed auth attempts, and users are incrementig failed attemps counter in AD.
Debug from ASA:
----First request----
RDS 10/24/2011 16:16:01 D 0232 14884 Request from host 172.16.8.1:1645 code=1, id=22, length=145 on port 1025
RDS 10/24/2011 16:16:01 I 2519 14884 [001] User-Name value: user1
RDS 10/24/2011 16:16:01 I 2519 14884 [002] User-Password value: B2 A9 D0 2D 15 5F B8 BB DB 1E 3A 38 F5 24 72 B5
RDS 10/24/2011 16:16:01 I 2538 14884 [005] NAS-Port value: -1072693248
RDS 10/24/2011 16:16:01 I 2538 14884 [006] Service-Type value: 2
[code]....
View 2 Replies
View Related
Feb 15, 2013
I have a school with 550 iPads. We are using two 5508 WLCs sharing the number of APs. The DHCP server and the default gateway for the network are on the firewall. The clients are able to get a DCHP. After some time, maybe about longer than a month, the clients are no longer able to get DCHP addresses. A reboot of both controllers takes care of this. Presently we are runing 7.2.110 OS. I am going to upgrade to the latest 7.4.100, and reload tonight.
View 1 Replies
View Related
Mar 17, 2011
I am using ACS5.1 connected to WLC (v7.x) and frequently see host auth requests in the ACS logs. I am not interested in seeing host auth requests at all. Is there anyway just to ignore these.The issue is that these will always fail. If I enable the lock out facility within WLC and a host continually tries to auth the WLC will lock-out that mac address meaning that when the user is ready to connect with their own credentials they are unable to as the WLC is blocking that mac address from connecting to the wireless network.I tried disabling the 'process host lookup' option, but this apparently only changes the type of request to appear like a standard PAP auth request which again fails, filling up my RADIUS logs and stopping me from enabling the WLC lookout feature.So, as I say, I want to simply ignore host requests. I have no control over the end points so am unable to go and update config etc of these devices.
View 4 Replies
View Related
Jun 5, 2013
Please find attached a simple BYOD/ISE document I uploaded to kick start my new Wireless setup. Its all configured on my ISE sever and Controller as per doc.My setup:
-3600 AP's
-Internal 5508 Controller
-DMZ 5508 Controller (acts as a DHCP server for wireless clients)
Controllers have established connectivity (mobility acnhors), as a client I can connect fine to my new SSID get a DHCP IP address back from DMZ WLC and at the moment can connect out to the Internet fine (using no WLAN Security as a test). So this part is working.I have now followed the document configured ISE, enabled AAA on the Internal WLC only and used the AAA override setting on WLAN as in the attached document.I connect to SSID expecting to be redirected to my ISE Guest Portal, nothing happens other than connecting to Internet WebPages.My question is, if I have followed this document correctly why is the Internal WLC not redirecting client requests to ISE, is this because my mobility anchors need to be re-configured, perhaps the AAA/ISE config needs to be applied to my DMZ WLC not internal WLC?
I would prefer the Internal WLC to redirect the login to ISE, doesn't make sense to traverse through the DMZ Firewall onto DMZ WLC back into the Internal Network again to the ISE to authenticate.Or am I missing something additionally to this document to make sure clients are directed to the ISE Guest portal login.
View 3 Replies
View Related
Jul 4, 2012
how to setup ACS 5.3 to authenticate wireless users over radius? I currently have the SSID pointing to a Microsoft IAS server and would like to move the authentication to be done via ACS.
View 1 Replies
View Related
Mar 28, 2012
I try to setup a 1141 aironet AP to authenticate my user through our Ms Radius Server ( Win 2008 R2).Everything is fine with small Bussiness AP WAP4410N with the following configuration:But I can't setup successfully the aironet 1141 with the same settings and getting it works.Here is my configuration for the Aironet 1141 Vlan 1 is the ssid I want to get it work with Radius.
View 1 Replies
View Related
Sep 3, 2011
I have a Cisco C1140 Ap. I have cnfigured the device. Initially for testing i used WPA and authenticated locally. I have now setup a radius server and added my AP in as a client etc. I have changed my SSID's to authenticate with the radius server and i am having issues authenticating.I can connect via a PC and an iphone. They say that i am connected but i get no ip address and the debugs.
View 1 Replies
View Related
Jun 20, 2012
I configured the 2504 with 2 SSIDs for staffs and guests.I also configured the Lobby admin with web auth. But if a guest wants to connect our wireless he/she has to enter the PSK key and then only they are able to connect with the user id and password given by Lobby admin. Can we avoid this key and let the guests connect straightaway with the web auth?I’m planning to configure 802.1x & Radius dual authentication for staffs SSID..
View 5 Replies
View Related
Apr 30, 2012
Below is he output from debug radius authentication from my AP.
I can see request is forwarding from AP to radius but Radius is not sending any response.Not sure why its not responding.
I also did not under stand few out outputs also
no sg in radius-timers and
RADIUS/DECODE: parse response no app start; FAIL
what does it mean.
I restarted radius server , changed secret key but no luck.
019639: May 1 16:15:08.727: RADIUS: User-Name [1] 32 "host/3KYGRH1.idcap.intdata.com"
019640: May 1 16:15:08.727: RADIUS: Framed-MTU [12] 6 1400
019641: May 1 16:15:08.727: RADIUS: Called-Station-Id [30] 16 "0012.01d6.f691"
[Code]...
View 4 Replies
View Related
Jan 9, 2013
i am trying to connect clients to my AP1231 which is running C1200 Software (C1200-K9W7-M), Version 12.3(8)JED. Client authentication is against RADIUS server. [code]
View 3 Replies
View Related
Nov 1, 2012
Would like to check out some client side setting on Wireless 802.1x authenticaiton.
Network setup is using
- Cisco WLC 7.2 and AP3500,
- ACS 5.3
- Microsoft Windows server 2008 hosting AD and CA services (same machine)
- Client OS is Microsoft Window 7.
Authentication mehtod would use PEAP-MSChap V2 Combo.
My question :
01. In AD environment, should ACS 5.3 be part of the domain computer?
02. To have secure connectivity, IF the security policy force client to check "Validate server certificate", which certificate it is look for? Is it ACS's identity certifate, that require CA server to sign on the CSR?
03. Back to client side, should the client also need to import this certificate in trusted root certification authorities?
Or the client will trust ACS identity certificate against the root CA certificate store at client's trusted root certification authorities, where they have the identical issuer?
04. Extra question: If no CA environment, would it be sufficient simply export ACS self-signed certificate and import to client computer, and it's trusted?
View 3 Replies
View Related
Aug 1, 2012
I'm fighting for a few days now to setup the captive portal of 2 wireless access point WAP321. I was able to make it work with local user authentication but now, I want to manage my guest users on active directory. So I setup the captive portal to authentication user with NPS on Windows 2011 SBS.
The problem is that my guest SSID in not encrypted, so the NPS server do not let me login. I try to setup the NPS server like that :
Uncrypted authentification (PAP, SPAP)
Service-Type : Login
View 2 Replies
View Related
Sep 11, 2012
Can we enable ssh on 3500 /3600 APs along with use radius for login authentication? idea here is to that ssh will provide another method to access the AP for troubleshooting purposes.I know with autonomous mode APs this should not be an issue but not sure with lightweight APs.
View 2 Replies
View Related
Feb 1, 2012
i have configured 35 APs 3502i in 5508 WLC, now i want to get access to ap via radius. Currently i can connect to them via SSH with both user and password set in wireless> access point > global configuration, well, how do i configure the management AP user through RADIUS?
View 2 Replies
View Related
Jun 5, 2013
I have a WLAN configured with 802.1x PEAP pointing to an external RADIUS server. It works fine for the most part, but I'm having problem closing accounting sessions in RADIUS. I've found this is related to the client table in the WLC. The user session does not end in RADIUS unless the WLC officially removes the client from the db, which takes 5-6 minutes from what I can see (probably due to the default idle timeout of 300 seconds).
For example:
1. I connect my tablet to the test WLAN. It associates and authenticates successfully and the WLC sends the accounting info to my RADIUS server, opening up a user session. If I turn off the wifi in the tablet, the client entry stays in the WLC client table until it times out. The WLC removes my tablet from the client table after 5-6 minutes, and then the session closes in the accounting table. I can force the session to close much earlier by manually removing the client from the WLC.
2. Same as #1, but this time instead of turning of the wifi in the tablet, I choose to connect to a different WLAN in the WLC. The user session in the accounting DB never closes. If I reconnect back to the original test WLAN with 802.1x, it opens up yet another user session in RADIUS accounting. Now I have a "dead" user session in accounting that is going to be open forever unless I delete it from SQL.
Is this an issue with the end user client not sending the disassociation frame properly, or a config problem with the WLC? How can I make it so that every time a client drops from an AP or moves to a different WLAN, the WLC would immediately send accounting updates to my RADIUS server and close the user session properly?
View 1 Replies
View Related
Jan 30, 2013
I am biulding a wireless network with 5508 WLC and trying to use ISE as radius server and also to redirect the web-login to it.I was trying to understand that to achieve the external web-login, do i need to use the raduius-nac option under advanced on the guest wireless where i am trying this out. and if not, where do i actually use it?So far what i have understood that i do need to have preauth ACL on the Layer 3 security, but the issue is there is no hit reaching the ISE.
View 9 Replies
View Related
Dec 18, 2012
Can I use WLC 5508 with OpenLDAP directly (without radius) ?
View 1 Replies
View Related
Oct 9, 2012
I'm running version 7.2.111.3 on my WLC 5508 and I try to figure out how I can set PEAP towards my configurerd Radius servers. On my Local EAP profile I can specify PEAP, but how is it default configurerd when you just specify the radius servers on the "WLANs > Edit Test > security > AAA servers tab ?
The MS radius logs tell me that it is EAP and not PEAP, so the questions is does the WLC support Microsoft: Protected EAP ???
Dot1x_NW_MsgTask_0: Oct 10 11:02:27.279: 24:77:03:07:75:28 AAA EAP Packet created request = 0x1bd4647c.. !!!! -> should be AAA PEAP ?
*Dot1x_NW_MsgTask_0: Oct 10 11:02:27.279: 24:77:03:07:75:28 Sending EAP Attribute (code=2, length=35, id=2) for mobile 24:77:03:07:75:28*Dot1x_NW_MsgTask_0: Oct 10 11:02:27.280: 24:77:03:07:75:28 [BE-req] Radius EAP/Local WLAN 3.
View 6 Replies
View Related
Jan 23, 2013
I am trying to follow the Fips guide for the WLC5508 and it wants to encrypt the connection to the Radius, either with PSK key wrap or IPsec. I have the options for Ipsec only as the Windoes NPS does not support Key wrap from what a previous user confirmed for me here on the board.. But then found another post that states that the 5508 does not support IPsec?
View 5 Replies
View Related
Apr 28, 2013
I would like to know if microsoft 2008 server RADIUS server could be use for authentication on Cosco 5508 instead of Cisco ACS.
View 4 Replies
View Related
Sep 18, 2011
Since I moved our WLC Controller ( 5508 ) from Version 7.0 to Version 7.2.111.3 I got above failure messages. Until now I changed the radius timeout from 2 to 10 seconds and also I disabled the aggressive failover without success. What else it could be ?
View 3 Replies
View Related
Apr 25, 2011
I am running ASA version 8.4(1), and anyconnect version 3.0.1047. My SSL VPN works fine, but i run into an issue with one user . his account did not work , and everytime users logged in it got this message "VPN Server could not parse request".
I found the problem after getting a user information meaning his username and password. His password had "&" as one of the special characters. when we change it to something that does not have that , it works just fine.
We are using microsoft NPS server as radius. but when i run a test within CLI it works just fine, only when anyconnect asks to authenticate it fails.
View 5 Replies
View Related
Aug 6, 2012
Any software to measure Authentication time between client and Radius serverr.
View 8 Replies
View Related
Nov 22, 2011
I have been trying to get our IPS (ASA-SSM-10 and 4260) to authenticate with Cisco Radius ACS 5.2 and they are not working. However, I was able to get them working with Microsoft Radius. Below is the logs from the IPS:
evStatus: eventId=1321566464942057375 vendor=Cisco originator: hostId: NACAIRVIDLAB1 appName: authentication appInstanceId: 350 time: 2011/11/23 17:50:38 2011/11/23 09:50:38 GMT-08:00 controlTransaction:
[Code].....
View 0 Replies
View Related
Nov 14, 2011
I'm running WCS 7.0.220.0.I would like to authenticate users that are able to logon the WCS, through MS Network Policy Service (RADIUS).I would like all my domain users to be member of the local group on the WCS "Lobby Ambassador", so all domain users has access to generate guest access accounts, for the web auth... I can see under the WCS Administration under AAA that it should be able to use RADIUS - but i'm not sure how to setup the NPS policy?
View 1 Replies
View Related
Mar 10, 2011
I have a questión about radius authenticaction with AD, when I log in into the network with user in AD and I make a mistake in password my radius authenticaction event in ACS 5.2 dont show me this logg. only show the authentication succeeded but dont show me the authentication failed. Maybe i must to enable same service to show the authentiaction failed. The Voice authetication works fine..
This is the confg in the port of the switch:
interface FastEthernet0/12 switchport mode access switchport access vlan 2 switchport voice vlan 10 authentication port-control auto authentication host-mode multi-domain authentication violation protect authentication event fail action authorize vlan 11 authentication event fail retry 2 action authorize vlan 11 authentication event no-response action authorize vlan 11 authentication periodic authentication timer reauthenticate 60 mab dot1x pae authenticator dot1x timeout tx-period 10 dot1x max-reauth-req 3 spanning-tree portfast end
Vlan 2: DATA
Vlan 10: VOICE
Vlan 11: GUEST
View 1 Replies
View Related
Jan 3, 2013
I am configuring an old WLC4400 with V4.2.130.0. I added a new sub-interface for VLAN 50 with proper IP for the subnet and then add the Radius server(Windows server 2008 with NPS) onto WLC4400. I then created new WLAN with WPA+WPA2 Encryption and 802.1x key management and selected the Radius server under AAA for authentication.
Configured the test XP with WPA-Enterprise and PEAP as EAP method. I purposely configured computer to prompt for username and password.
When I try to connect, I did get prompt for username and password. However after that nothing happens. It seems like laptop just keep trying to authenticate.
I checked windows event log and do not see anything under NPS. I know this windows server NPS setup works as it is also the authentication server for our remotevpn.
is there any special option I need to turn on for WLC in order for Radius authentication work? Or is there any known bug with V4.2.130.
View 13 Replies
View Related
Aug 11, 2011
I'm in the process of moving some of our remote access vpn to an asa5520 and anyconnect.
The problem I've come across is that when using radius as authentication, I choose any one of my connection profiles in anyconnect and log in with any username regardless of the group on radius.
How do I map the connection profile to a group on radius so that i can separate the users?
View 1 Replies
View Related
May 17, 2011
I have a 5510 authenticating successfully with a RADIUS server. I'm using it for VPN authentication and it works great. I would also like to do this for administrator access to the ASA. When I turn it on though, any authentication for VPN access is also granted administrative access to the ASA. Obviously, I need to limit that to a select few users.
View 1 Replies
View Related
