Authentication Radius ACS with WLC 5508 and AD 2012 5.5 failure

Similar Questions

• ACS RADIUS timeout with WLC 7.0 5.0

  Hi guys,.

  I'm setting up a device Cisco Secure ACS 1120 running 5.0.0.21 ACS to manage the RADIUS of a Cisco WLC 5508 device query running the 7.0.116.0 version.

  • These devices have open communication on all ports - no firewall or ACL
  • they have successful ping communication

  The following statements illustrate some but not all debugging I did to make sure that each device works properly in isolation.

  • Using the simple windows (radserv2.exe) instead of the Cisco ACS RADIUS server
    • This works and the WLC gets answer my fortune Server RADIUS
  • Using a simple windows EAP client to query the ACS using the RADIUS protocol
    • This works and the FAC processes the RADIUS request and sends a response
  • Placed a customer wireshark on the network to inspect the time-out.
    • Wireshark saves the package to the WLC for GBA using port 1812 but does not see responses to GBA package

  At the moment I have the

  1. WLC accepting wireless client association and
  2. sending the query RADIUS (EAP - TLS, PEAP and EAP-FAST) for GBA,
  3. the WLC receives no answer and generates a timeout message and separates the client.
     1. Note this is not a rejection or a similar message, the simple ACS does not even the package. i.e. There is absolutely nothing in the logs of ACS to suggest that he had even received a package of radius of the WLC.

  In summary the WLC and GBA properly operate independently, but they do not communicate via radius.

  Any help appreciated thanks

  It seems that you use ACS 5.0 without tasks.

  For your information, the version of the product is now up to 5.2 and 5.3 ACS should soon be released

  I recall there was a problem with ACS 5.0 with WLC operations that has been resolved in patch for 5.0

  I'm not sure of the specific CDETS but can be:

  CSCsy17858 Any manipulation of Tunnel-Type & Tunnel-Client-Endpoint uploading incorrect

  ACS 5.0 has a rollup with all the patches being accumulated approach

  My recommendation would be to download the patch 8 for ACS 5.0: 5.0.0.21.8

  Patch can be downloaded from CEC

  To install a patch set a repository on ACS (cumulative patches are larger than 32 MB, you can not use TFTP to it), copy the patch file in the repository, click ACS CLI:

  # acs patch installs repository

• ISE 1.4 compatible with WLC 5508 version 7.6.130.0 and 8.0.115.0

  Hi Expert,

  We check in on Cisco ISE 1.4 online document below we found this case WLC 5508 version 7.6.130 support
  http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-4/compatibility/ISE _...

  But as control with Cisco WLC5508 version 7.6.130.0 version found takes in charge only ISE 1.2
  http://www.Cisco.com/c/en/us/TD/docs/wireless/controller/release/notes/c...

  And for WLC 8.0.115.0 show support ISE1.3
  http://www.Cisco.com/c/en/us/TD/docs/wireless/controller/release/notes/c...

  But on the compatibility matrix Wireless show that the version ISE1.3
  http://www.Cisco.com/c/en/us/TD/docs/wireless/compatibility/matrix/Compa...

  We want to know what the WLC version 7.6.130.0 and 8.0.115.0 can support ISE 1.4 or not?

  See you soon,.

  FN

  Yes, they both work with ISE 1.2, 1.3 and 1.4, it's probably just the case of this version specific WLC has been tested with the ISE version that was going out at the time.

• Authentication Radius Cisco with Windows NAP with encrypted authentication

  I need authentication radius configuration for Cisco IOS devices for device management. My radius server is on Windows 2008 R2.

  Can I implement this with encrypted authentication? In the attached diagram, can what protocol I use for encrypted authentication?

  According to some sites, we need activate authentication in clear text. All those put in place secure as MSCHAP authentication?

  Hello

  You activate the text authentication (PAP) clear. Don't forget Ray sends the username in clear but encrypts the password. You can confirm this take a wireshark capture. You will also get the RADIUS encryption using a key to Ray long and complex.

  If you want to encrypt the user name and password, then you would use GANYMEDE

  Thank you

  John

• Authentication of ACS with PEAP / MSCHAPv2 - customer rejecting Server

  Hello

  Have a network setup wireless with Cisco 1131AG towers, c6500 WISN module test (4404-WLC) is authenticating with a Cisco ACS appliance (1113) using PEAP and MSCHAPv2 authentication.

  The laptops have the Cisco SSC customer (in collaboration with Mgmt SSC utility).

  A self-signed certificate created on the fate of ACS and root exported and installed on the laptop computer of TCL.

  IF CSSC box 'validation Server' is not selected, the authentication process works and I am able to connect to the network.

  IF CSSC "Validation of server" is checked, the authentication will fail.

  The problem, it appears that the customer refuses the server certificate:

  "Server certificate chain is not valid.

  The GBA, in the 'fail' authentication logs, message the following is stated:

  "Authentication failed during SSL negotiation" (which obvioously refers to the strand of string not valid)

  Any ideas?

  When you create a self-signed certificate, is there a specific directory, when the server certificate must be located? as c:\cert\certificate.cer

  Also, the certificate name must match host name of GBA?

  i.e." CN ="

  Any advice or pointers would be appreciated.

  Thank you

  Questions, it's that when you check the validation of server Box, you must make sure you have the certification authority in the root Certification Authority trusted. For example, in windows, there is a list of servers CA where you check the server certificate validation and also one of the root certification authority is on the list. If the root CA is not listed, then you must add to the list and check it out.

  You are right on the client rejecting the sever cert... Authentication failed during SSL negotiation

  This doc will give you an overview:

  http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml

• Setting up authentication Radius ACS 4.0.2

  Dear Experts,

  I have GBA 4.0.2 to my network, I want to use for 802. 1 x Radius for customers on the methodology of PEAP-MSCHAPv2 authentication.

  According to the documentation "" EAP authentication with RADIUS server ", Doc ID: 44844 "

  I have configured Network Configuration and populated by AAA client IP address range and the key secret.

  Question 1:

  Under option to authenticate using, there are various flavors available for the selection RANGE. For a Non AAA Cisco client, choose IETF RADIUS?

  

  Question 2:

  In the snapshot above, it has an option called Global authentication configuration, where we can configure EAP configuration. Under subsection PEAP, there is an option to 'allow EAP-MSCHAPv2' checkbox.

  After checking that a restart is required on the ACS server? It would cause disruptions to existing services on GBA?

  Kindly help that she is not mentioned in the documentation available with me.

  Kind regards

  Knockaert

  Hello

  Question 1:

  3 rd-Party devices should generally conform to the RADIUS standards. In this case select RADIUS (IETF) should be fine. If specific attributes of 3rd-party (for example the VLAN ID) are required and then contact support for 3rd - Party device to confirm if a RADIUS dictionary must be added to the RADIUS server in order to send vendor specific attributes.

  NOTE: We can add dictionaries of RADIUS for GBA in the case described above, but you will need to file the appropriate dictionary usually provided by 3rd - Party device support.

  Question 2:

  To enable PEAP or EAP 4.x GBA any other method, we need to use the option send + apply. ACS services will be restarted (RADIUS and Auth services). It should take less than a minute on a common scenario for the candidate countries to apply the changes. It is not a reboot of the server, but a restart of the services instead.

  I hope this helps.

  Kind regards.

• Port of WLC 5508 and 4510 - channels

  LACP and PAgP are not based on the controller and it seems that the 4500 series will use no LAG.

  Interface Port-channel10
  Description Port-Channel WLC
  switchport
  switchport mode trunk
  service-policy input AutoQos - 4.0 - entry-policy
  service-policy output OUTPUT-PRIORITY-POLICE-ETHERCHANNEL

  interface GigabitEthernet3/1

  Cisco 5508 wireless controller description
  switchport mode trunk
  active in mode channel-group 10
  point to point spanning tree-type of link
  !
  interface GigabitEthernet3/2
  Cisco 5508 wireless controller description
  switchport mode trunk
  active in mode channel-group 10
  point to point spanning tree-type of link

  I get the error message "lacp not enabled on the remote port..". I removed the 2nd fiber cable and removed the channel group so I can get the WLC online. Any help would be greatly appreciated.

  In order to get the channel of ether to work with the WLC, you must change your configuration of:

  !

  interface GigabitEthernet3/1
  active in mode channel-group 10
  !
  interface GigabitEthernet3/2
  active in mode channel-group 10
  !

  Mode it

  !

  interface GigabitEthernet3/1
  channel-group 10 mode on
  !
  interface GigabitEthernet3/2
  channel-group 10 mode on
  !

  Mode IT is said the switch to Link Aggregation Protocol try and negotiate by using one of two LACP or PAgP control protocols.

  using ONE fits in the configuration guide when you enable the option Cisco WLC LAG.

• problem with the connectivity of customers after mixing several models with WLC 5508 Setup WLAN ap

  Hello

  I have 2 5508 wlc and AP 1130 and 1200 in my test harness.

  Currently, WLAN set is in place and works very well but the customer become a frequent problem with the power of the weak signal same AP is installed very near the place of the customer.

  I have my doubts, if I have a question because I use several models of AP in my set-up?

  How to rectify the same question?

  Some time customer gets limited connectivity, means that they usually get IP also.

  What are all the parameters to check in WLC?

  (1) very difficult for a person on a forum to respond. Check if your AAA server was indeed seen as inactive at the same time for other devices.

  If this is not the case, check the network connectivity between the 2. Maybe packets are lost between wlc and aaa server...

  (2) as I mentioned, it may have nothing to do with clent near or far from the AP. What happens if your DHCP server is not responding to the client? What happens if the dhcp request never reaches the level of the DHCP server for some reason any?

  You must investigate all along path to find out why the customer is not getting an ip address.

  Troubleshooting involves trace of sniffer, debug, client, etc...

• authenticate the cisco WLC 5508 with cisco ACS 1120 (version 5.0) using GANYMEDE +.

  My installation has cisco WLC 5508 and ACS 1120 ver 5.0. How to authenticate users who access to the WLC via the ACS 1120 users GANYMEDE +. I am able to authenticate users for routers and cisco switches, but when I try the same for the CMT, it fails.

  Can someone explain please the config/basic steps that must be configured on both services ACS & WLC.

  You use plain vanilla 5.0 or have installed patches?

  the ACS 5.1 has new GANYMEDE related functionaity, including support for custom services and attributes. If they are necessary for the WLC yo need support it would improve.

  He could also relevant corrective patch from calendar 5.0 but I can't find any relevant specific at this stage CDETS

• WLC 5508

  Hi all

  who knows how many users can manage with WLC 5508?

  Can the finally user change his or her password at the first loging or later?

  Thank you

  Hello

  change of password is a feature that you need to search on the authentication server (radius). The radius server that resides on the WLC is all the features that ACS can have for example.

  The 5508 supports up to 500 access points. The customer table is limited, I think, about 7,000 customers (it's 4000 for the 4404).

  Nicolas

• Interface WLC 5508 AP-Manager

  Hi, I own a WLC 5508 and (probably), I do not understand the AP Manager interfaces. I have a laboratory with 2 x 1242AG and 1 x 1252AG connected to c2960. APs in vlan 10 (192.168.10.0/24, configured via DHCP), APs are connected to interface 'switchport access mode. C2960 is connected via a trunk to c4506 and WLC is plugged into article gi1/3 and article gi1/4 (both through twingig). The two ports are configured as 'switchport mode trunk ". WLC management interface is IDE oucederomsurlesecondport WLC 8 (linked to article gi1/4), and AP-Manager is on port 1 (connected to article gi1/3) WLC. WLC management interface has 'Management dynamic AP' set to off, and AP-Manager defined activated. The two are interfaces to management and AP-Manager tag, vlan id 12 and 13 (subnets 192.168.12.0/24, 192.168.13.0/24) respectively. APs receive their IP through DHCP configuration (server located in vlan 20, 192.168.20.0, in use ip helper-address) and try to discover DNS resolution WLC (CISCO-CAPWAP - CONTROLLER.some.domain resolves to AP-Manager IP correctly). But AP has the status "not connected" in monitor/statistics/AP join APs do not join to the controller, said WLC "Discovery request Ignoring received on the management interface".

  But if I put management interface as "Dynamic AP activated" and change the DNS to resolve CISCO-CAPWAP... it's IP everything works well - AP is associated with the time. Please help, how to reach the KNEES a AP-Manager interface? Sign up for the Manager of WLC is simple, but my design requires at least 2 interfaces AP Manager.

  If you have a 5508, why you have the AP Manager?

• Backup the IOS on a WLC 5508

  Hello

  Hope someone can help me, I have a Cisco 5508 WLC and wanted to backup the IOS.

  Is there an easy way to do it? or a Cisco restrict this function with the new IOS licensing model?

  Second question, with WLC 5508 IOS version 7.0.98 I see that there is no field recovery Image, is that correct?

  See you soon,.

  Ron

  I guess that you Q #1 has been addressed above.

  For your Q n ° 2 'the second question, with WLC 5508 IOS version 7.0.98 I see that there is no field recovery Image, is this correct?"

  Yes that is correct

  -->

  (w-5508-1) > show sysinfo

  Name of the manufacturer... Cisco Systems Inc..
  Product name... Cisco controller
  Version of the product... 7.0.98.0
  Bootloader Version... 1.0.1
  Retrieving Image Version field... N/A

  And it's a CSCth43373 bug

  5508 7.0 running shows the version of field recovery images by n/a

  Symptom:
  
  5508 shows Field Recovery Image version as N/A.
  
  Conditions:
  Upgrade 5508 to version 7.0.98.0
  Workaround:
  None
  
  

  --

  You will have to wait for the new 7.0 code to appear on Cisco.com

  Be sure to mark the thread as solved if you feel that your issue has been addressed.

  Thank you

  Serge

• High availability with two 5508 WLAN controllers?

  Hi all

  We are considerung to implement a new wireless solution based on Cisco WLC 5508 and 1262N Access Points. We intend to buy about 30 access points and have two options: either buy a WLC 5508-50 or, for redundancy to, two controllers 5508-25.

  Is it possible to configure two WLC 5508 as a high availability solution, so that all access points are distributed on the two WLCs and during breaks WLC one another case manages all the APs?

  If we have 30 access points, and one of the two WLC 5508-25 breaks of course that not all access to 30 but only 25 points can be managed by one remaining. Is there some sort of control to choose the access points must be managed and which do not?

  How does such a configuration looks like in general, is the implementation of an installation of two controller quite complex or simple?

  Thank you!

  Michael

  Hi Michael,

  Do not forget that the 5508 works with a system of licensing. The hardware can support up to 500 APs, but it depends on the license that you put in.

  I think 2 5508 with 25 APs license will be more expensive than a 5508 with 50 APs license.

  If you have 2 WLCs, the best is NOT to spread access between the WLCs points. In doing so, you increase the complexity of homelessness (WLCs have to discount customers to each other all the time). If your point was to gain speed, it really doesn't matter as the 5508 can have up to 8 Gbit/s of uplink speed and has the ability of UC to treat 50 APs with no problems at all. So I find it best to have all the access points on 1 WLC, then if something goes wrong, all the APs migrate anyway for the other WLC.

  If you want 50 APs at a 25-degree WLC failover, you can select who will join Yes. The APs have a priority system, so you assign priorities. If the WLC sees it's full capacity but higher priority APs are trying to join, it will kick down-prio APs for the high prio allow to connect.

  WLCs is not exactly "HA." It's just that if you have 2 WLCs work together (as if you had 700 APs and needed to put 2 WLCs) and delivered to customers. Or all APs sat on a WLC and when it breaks down, they join the other available controller.

  The only thing to do is to put each WLC in the same group of mobility so that they know.

• failure of restoration of 7201tx dv7 help im ready to hit it with a hammer and fix it forever

  My DV7 7201tx fails to restore it all goes the way to restart and loading of software etc. and even in windows 8, but only once and then it tells me that the restoration failed and locks the admin VAC and from there it just request the recovery media every time the computer starts, and it's like it goes , it will not go in the bios setings it will not choose a different boot device, it won't do anything except ask the media to restore which I give, but it does nothing. After the call to support the guy on the ph HP tells me that my restore media is defective. If I order and get the complete set of recovery DVD and try again with the same result. I forgot to mention to recover all over again, I have to remove the hard drive and put it in my Acer and then boot from a live cd of ubuntu and use Gparted to format the drive, so I can go through the whole process again... with the same results. I tried so many times now with the same result. Strange thing is I can load on my copy of win7 and it works fine, I can load on linux and it works fine, but try and load the media that come with the laptop and it's a total failure... This lappy is only 2 months old and im ready to cut my losses and smash with a hammer... This is my last resort to operate properly with the system, it came with... not that there will be a new vid on youtube to destroy me this laptop... Thank you and please someone HELP

  you are a man of legend... He worked freekin, the restoration went as it should have, and I have my computer back to factory settings... You saved my lappy to get a severe beating... awesome

• Cisco ISE 2.0 and WLC 5508 with 7.6.130.0

  I have looked on the release notes and compatibility n for ISE 2.0 and have not seen the answer to that. For the WLC 5508, the minimum AirOS is 7.0.116.0 but he limited the AAA authentication and support for comments. The recommended version of AirOS is 8.0.121.0.

  http://www.Cisco.com/c/en/us/TD/docs/security/ISE/2-0/compatibility/ISE _...

  What airos 7.6.130.0? I know that AirOS release works with 1.3 and 1.4, even if they show the same support for version 2.0. I'm just afraid that something may have changed with 2.0. I am concerned only about the AAA authentication and guest access. No BYOD, posture or MDM is necessary.

  No change. Works well.