Cisco :: Configure ACS 4.2 To Only Allow Certain EAP-type Of Authentication Per SSID?
Mar 13, 2012
Is there away to configure ACS 4.2 to only allow certain EAP-type of authentication per SSID? For example: SSIDA - only allows EAP-TLS and SSIDB - only allows EAP-PEAP on the same ACS server?
I have setup the WLC to authenticate to a MS Server2008 NPS for a WPA2/AES SSID. The connection is successful, but client authentication fails for wrong EAP-type. I believe this indicates a Windows7 client issue. What is the required client setup to satisfy the MS NPS?
I just purchased a Linksys WRT120N and have a couple of issues, one of them may force me to return it to the point of purchase.Once WPA2 is enabled, on the Wireless-Advanced Wireless Settings screen,, the Authentication Type (which was greyed out by default) changed from Auto to Open and remained greyed out. I want to change this back to Auto.The other issue is that on the Status screen, the IP addresses of the domain name servers (DNS) are incorrect. This screen displays the DNS server addresses sent by the ISP and are not displaying the DNS addresses that are hard coded on the main Setup screen - although if I run nslookup, the DNS server address displayed in the console window, is the one that is displayed on the Setup screen.
The more important of the two is the Authentication Type being Open and greyed out. If this is something that cannot be changed, then I will be forced to return this for credit as it was the last unit on the shelf. I had reset the router back to the factory defaults and reconfigured it again, but this did not resolve either issue. I'm tempted to think that both issues may be the result of defective firmware, which shows version 1.0.06.
I'm trying to configure a VPN remote access type on a SA520-k9 but i don't know why doesn't work.
My Internal network is 192.168.131.0/24 and my Wan Ip is 87.216.xxx.xxx.
on Remote WAN's IP Address / FQDN i put the WAN IP 87.216.xxx.xxx on Local WAN's IP Address / FQDN I put the cisco SA520 Ip. I think this is the problem.
I create a IPsec user. I create a firewall rule from WAN interface to SA520 Ip with IPSEC-UDP-ENCAP service.
I'm using an ASA5510 with AP1130 and attempting to set up a public and a corporate WiFi-network. The corporate one should allow users to authenticate with Radius running on MS ISA for access.
VLAN70 security level 1 (IP-range 10.10.70.0/24) for open guest WiFi. VLAN71 security level 100 (IP-range 10.10.71.0/24) for corporate users WiFi. VLAN100 security level 100 (IP-range 10.10.100.0/24) server network (only wired servers).
ASA is gateway at 10.10.70.1, 10.10.71.1 and 10.10.100.1. It is also DHCP-server for VLAN70 and 71.
Radius server is at 10.10.100.5, listening on port 1645 and 1646 for EAP/PEAP and MS-CHAP v2.
I get both WiFi-networks with VLAN 70 and 71 working without encryption, ie. open networks. Traffic flows fine and get network access without problems.
The problem I run into is that it seems the Radius server must be on the same network as the WiFi-clients for them to be able to authenticate with it. That is, I tried to use VLAN100 as the corporate WiFi network and then I am able to connect, authenticate and get network access if I also enable DHCP for that range. However with VLAN70 as WiFi I am unable to authenticate with Radius on VLAN100. It seems the AP can reach the Radius server but clients never get connected and eventually fail with an error.
I can ping the Radius server from the AP. All traffic should be allowed from VLAN71 to VLAN100 in the ASA. Packet tracing shows no errors there.
The switch is a 2960G with the following interface config:
I am deploying ISE with WLC 7.4. I have two SSID(s) running in my network 1. Corporate & 2. Services. I have a domain setup lets say "AD.com" with 4 groups 1. Corporate, 2. Services, 3. Employees, 4. Contractors.Here is an example of the scenario that I want:
AD.com Group : Corporate's User : 1. C_USER1 2. C_USER2 3. C_USER3 4. C_USER4 5. C_USER5
[code]....
Now what I want to do is have 802.1x authentication on my Corporate SSID that will check in AD.com, ONLY AND in ONLY corporate group for authentication. That is only C_USER1 to C_USER5 are allowed to connect to it. Users from any other AD group shouldnt be authenticated on this SSID.The same for the services group & SSID.
I can't configure the SSID more than one in the web UI of the WAP4410N. Except I can type the first SSID1, the rest SSID2 - 4 are grey which not allow me to type in anything. ( See attached the screen shot ) My current version is 2.02.1 and I was using IE8 under windows 7.
Any configuration example where i have a Cisco 1140 connected with a trunk to one router and with the Cisco 1140 i broadcast one SSID per vlan, one with WPA2 and other "open".?I ask because i see that when i turn on cipher, i cant configure an SSID without encryption.
I have around 60 , 1142 N APs . As of now i have only management VLAN ( for IP ) & one user vlan 350 configured on the access point . All the users connect to VLAN 350 and they get IP as required.However in our new set up there are couple of requirements have come up were in SSID will be the same however we have created many VLANs for different kind of user group and all these VLANs should be mapped to this single SSID and pick the IPs from their respective VLANs .
We have done configuration on the RADIUS server side were in we have mapped the users in their respective VLANs and they are getting authenticated via AD . Now how do i map my these 4-5 VLANs in a single SSID in Access Point.
I just bought a Linksys E2500, and I'm trying to configure multiple SSID's on it. The "guest mode" won't work for me because I want one SSID to use WPA and the other to use WEP, but the option to set different encryption based on the GHz frequency of the connection won't work for me because I only want the WEP one to be used by my Nintendo DS (which doesn't support WPA); I don't want to force ALL devices that don't support 5GHz to use the WEP one!
I have two WRT54GS routers. I want to extend my WiFi from the router connected to my upstream in the office to a second router in the living room. I want devices configured for the SSID and passphrase of my current WiFi (which is find in the office) to work seamlessly in the living room. I understand I can do this by running a cable and configuring router 2 as a client of router 1 with router 2 exposing the same SSID and passthrase on a different channel.
But I really don't want to run a cable.There is a point where a client can see router 1 where an AP would cover the living room.
Can I put router 2 at that point, have it connect wirelessly as a client to router 1, and have it expose as an AP using the same SSID and passphrase? Can this be done without wiring the router?
My client wants to test their new product with wireless authentication 802.1x EAP TTLS. They have CISCO WLC 2504. If CISCO WLC 2500 support EAP TTLS, if yes then how to configure.So far I have added Radius TTLS server into my WLC. Under Radius on WLC added radius server IP and key and created new SSID 802.1x WPA+WPA2 ( WPA policy2 and WPA encryption AES) after that under SSID AAAservers selected drop down same server IP.But user tried and didn’t work also we didn’t see any hit on radius server. Yea policy has added on radius.My client wants to use TTLS instead of TLS because in TLS you have to use client certificate on client side but on TTLS you can use certificate on client side but it is optional. So they want to stick with TTLS. But I am not seeing any documentation on TTLS with cisco WLCMy android phone galaxy II has TTLS option under EAP 802.1x, so android devices support TTLS.
Can we configure the wireless controller 5508 to authenticate the clients using both of MAC address Filtering (layer 2 security) and Web authentication (layer 3 security). and what is the difference between (Web policy --> authentication) and (Web policy --> on MAC filter failure)
My client wants to test their new product with wireless authentication 802.1x EAP TTLS. They have CISCO WLC 2504. Does CISCO WLC 2500 support EAP TTLS, if yes then how to configure. So far I have added Radius TTLS server into my WLC. Under Radius on WLC added radius server IP and key and created new SSID 802.1x WPA+WPA2 ( WPA policy2 and WPA encryption AES) after that under SSID AAAservers selected drop down same server IP. But user tried and didn’t work also we didn’t see any hit on radius server. Yea policy has added on radius. My client wants to use TTLS instead of TLS because in TLS you have to use client certificate on client side but on TTLS you can use certificate on client side but it is optional. So they want to stick with TTLS. But I am not seeing any documentation on TTLS with cisco WLC
how do i configure user authentication via TACACS on UCS 1.4 with ACS 5.2? My TACACs connection works, and my user authentication is successful, but i can only get read-only rights. I have tried several versions of "cisco-av-pair= role=admin" both as mandatory attributes named role and as cisco-av-pair=role , with "admin" as the value, and i still get read-only.
When i attempt to find any documentation, it only describes ACS 4.2, which is another problem i have with most documentation for new cisco products (i have this exact issue with my NAMs, nothing i do to change the attributes results in successfully logging into the NAM, and all config guides are written in 4.2 speak).
is there any possiblity cisco is going to release some documentation on how to convert 4.2 speak to 5.2 speak?
My client wants to test their new product with wireless authentication 802.1x EAP TTLS. They have CISCO WLC 2504. Will CISCO WLC 2500 support EAP TTLS, if yes then how to configure.
So far I have added Radius TTLS server into my WLC. Under Radius on WLC added radius server IP and key and created new SSID 802.1x WPA+WPA2 ( WPA policy2 and WPA encryption AES) after that under SSID AAAservers selected drop down same server IP.But user tried and didn’t work also we didn’t see any hit on radius server. Yea policy has added on radius.
My client wants to use TTLS instead of TLS because in TLS you have to use client certificate on client side but on TTLS you can use certificate on client side but it is optional. So they want to stick with TTLS. But I am not seeing any documentation on TTLS with cisco WLC?My android phone galaxy II has TTLS option under EAP 802.1x, so android devices support TTLS.
I want to configure managment-access authentication to the WCS via tacacs+. The AAA Server is Cisco ACS 5.2.I made it and it works, but only with PAP Authentication Type. Chap doesn't work 4 me.The Access Service is configured with allowed protocols PAP and CHAP.The ACS Monitor just display an error with these steps:Received TACACS+ Authentication START Request
I have cisco 2504 WLAN controller with 7.4 IOS. My query is can I configure the MAC authentication with certificate based. And without using any external servers like Radius, ACS and LDAP.
I'm trying to configure WLAN authentication on my WCS to prompt users about their credentials.I'm using a Windows 2008 NPS as Radius server but I can also use a Cisco ACS 3.3 if needed.With each setup I tried, the credentials are sent automatically to the Radius server using the Windows user session credentials.How can I force the WCS to ask for a username and password before sending them to the Radius Server ?
I need to configure WPA or WPA2 authentication on cisco 1042N access points. But I believe that for this requirement I need to have either an internal or external RADIUS server, but my customer want to just a normal WPA/WPA2 authentication like what we configure on cisco WAP200 or WAP4410 accesspoints, is there any work arounds to configure WPA/WPA2 authentication in a simpler manner rather than configuring RADIUS server option?
I am trying configure tacacs authentication for http in Cisco 2960 with IOS 15.0.1.SE. [code] But the device is not authenticating. It ask the credentials (user and pass) but not authenticates.
Is there a way to configure an email notification for a specific authentication failure? Specifically, I'd like to see if I can have an email notifcation sent to me when failure reason is "13017 Received TACACS+ packet from unknown Network Device or AAA Client".
My question is if I can configure 3 ssid, for 3 different VLAN and add the DHCP address from a WAP4410N AP, when you upgrade to the latest version of IOS I can have this functionality?
I want to configure IEEE 802.1x port-based authentication on cisco switches, preferable 2960 series. Which models support this feature?. I have try with some older switches but it doesn't works properly on everyone. I have upgraded them whitout better results, there is namely an issue with TLS handshaking on some switches which produces authentication to fail.