CWA with WLC Firmware 7.0.228 and ISE 1.1.1
Hello
Does Cisco ISE Central Web Authentication support WLC version 7.0.228?
My client has many access points that are supported only by the 7.0.228 firmware.
Cisco ISE version 1.1.1
WLC 5500 Series, but the existing access points cannot support 7.3
Thank you
Mathias Maneesud
After checking both the ISE and the WLC release notes, it seems that support for CWA with RADIUS NAC was introduced in 7.2.110.
WLC-
http://www.Cisco.com/en/us/docs/wireless/controller/release/notes/crn7_2_110_0.html#wp784178
ISE-
http://www.Cisco.com/en/us/docs/security/ISE/1.1.1/compatibility/ise_sdt.html#wp55038
Hope that helps.
Tarik Admani
* Please rate helpful posts *
Similar Questions
-
WLC 5508 (ver > 7.2) and ISE 1.1.2
Hello,
I found this interesting article:
Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
And I wonder if the same configuration will work with ISE 1.1.2.
My needs are:
-one SSID
-authentication (for guests: user\pwd in the ISE database; otherwise certificate or user\pwd in MS AD), placed in one VLAN or another
Bye and thanks!
Luciano
Philip,
My bad, I apologize for the confusion; they put so many numbers on the back.
Here, this might help.
http://www.Cisco.com/en/us/products/ps10315/products_tech_note09186a0080bcb905.shtml
-
iXpand Flash Drive with firmware 4.4.7 and iPhone/iPad with iOS 9.2.
I have 5 (!) iXpand Flash Drives (all updated with the latest firmware 4.4.7) and have tried them on an iPhone and an iPad with iOS 9.2. None of them are able to find the photos or videos in folders on my iPhone/iPad, just the cards where the photo and video files are.
Also, when you try to synchronize manually or automatically, a "red band" appears and disappears quickly at the top of the window, telling me something is not working.
Someone else with the same problems?
Very well. Thanks again.
For me, as a novice using this system, I find it quite confusing to find a "Red Cross" in the MUSIC folder, when this "Red Cross" just leads you to a folder that contains pictures and videos not related to any music at all. In other words, I don't want it 'plug and play'; rather, how to save/back up photos, videos and music, and perhaps a more detailed description of what the terms backup/backup, images, videos and music mean, could save other novices like me some time discovering it.
However, thanks to your help, at least I am convinced now and look forward to start using the system. Thanks a lot again!
-
Hello
We run 3 WLC controllers with 800 APs, using ISE 1.2 for wireless 802.1X authentication. I was looking in the ISE config and noticed that, of 400 edge switches, only two 2960Ss are configured with 802.1X (ISE RADIUS config) and SNMP, and on that switch only 2 of the ports have APs attached; the remaining switch ports and the 3 WLCs are in network devices.
I do not understand how an access point is supposed to do this work (802.1X) because it is located at a different site and people are connecting at various different locations. ISE runs about 11,876 profiled endpoints.
version 12.2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$fokm$lesIWAaceFFs.SpNdJi7t.
!
username test-radius password 7 07233544471A1C5445415F
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
!
!
!
!
aaa server radius dynamic-author
 client 10.178.5.152 server-key 7 151E1F040D392E
 client 10.178.5.153 server-key 7 060A1B29455D0C
!
aaa session-id common
switch 1 provision ws-c2960s-48 i/s-l
authentication critical recovery delay 1000
!
!
ip dhcp snooping vlan 29,320,401
no ip dhcp snooping information option
ip dhcp snooping
no ip domain-lookup
ip device tracking
!
epm logging
!
crypto pki trustpoint TP-self-signed-364377856
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-364377856
 revocation-check none
 rsakeypair TP-self-signed-364377856
!
!
crypto pki certificate chain TP-self-signed-364377856
 certificate self-signed 01
  30820247 308201B 0 A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
  2 060355 04031325 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 30312E30
  69666963 33363433 37373835 36301E17 393330 33303130 30303331 0D 6174652D
  305A170D 2E302C06 1325494F 03550403 32303031 30313030 30303030 5A 303031
  532D 5365 6C662D53 69676E65 642D 4365 72746966 69636174 652 3336 34333737
  06092A 86 4886F70D 01010105 38353630 819F300D 00308189 02818100 0003818D
  B09F8205 9DD44616 858B1F49 A27F94E4 9E9C3504 F56E18EB 6D1A1309 15C20A3D
  31FCE168 5A8C610B 7F77E7FC D9AD3856 E4BABDD1 DFB28F54 6C24229D 97756ED4
  975E2222 939CF878 48D7F894 618279CF 2F9C4AD5 4008AFBB 19733DDB 92BDF73E
  B43E0071 C7DC51C6 B9A43C6A FF035C63 B53E26E2 C0522D40 3F850F0B 734DADED
  02030100 01A 37130 03551 D 13 6F300F06 0101FF04 05300301 01FF301C 0603551D
  11041530 13821150 5F494D2B 545F5374 61636B5F 322D312E 301F0603 551D 2304
  18301680 1456F3D9 23759254 57BA0966 7C6C3A71 FFF07CE0 A2301D06 03551D0E
  04160414 56F3D923 75925457 BA09667C 6C3A71FF F07CE0A2 2A 864886 300 D 0609
  F70D0101 5B1CA52E B38AC231 E45F3AF6 12764661 04050003 81810062 819657B 5
  F08D258E EAA2762F F90FBB7F F6E3AA8C 3EE98DB0 842E82E2 F88E60E0 80C1CF27
  DE9D9AC7 04649AEA 51C49BD7 7BCE9C5A 67093FB5 09495971 926542 4 5A7C7022
  8D9A8C2B 794D99B2 3B92B936 526216E0 79 D 80425 12B 33847 30F9A3F6 9CAC4D3C
  7C96AA15 CC4CC1C0 5FAD3B
  quit
dot1x system-auth-control
dot1x critical eapol
!
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 294-312,314-319,321-335,337-345,400,480,484-493,499,950
!
!
!
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig (STP)
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause psecure-violation
errdisable recovery cause port-mode-failure
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause pppoe-ia-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
errdisable recovery cause small-frame
errdisable recovery cause psp
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet1/0/10
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/16
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/24
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/33
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/34
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/44
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/46
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/48
 switchport access vlan 320
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/49
 description link GH
 switchport trunk allowed vlan 1,2,320,350,351,401
 switchport mode trunk
 mls qos trust dscp
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/52
 description link CORE1
 switchport trunk allowed vlan 1,2,29,277,278,314,320,401
 switchport mode trunk
 mls qos trust dscp
 ip dhcp snooping trust
!
!
interface Vlan320
 ip address 10.178.61.5 255.255.255.128
 no ip route-cache cef
 no ip route-cache
!
ip default-gateway 10.178.61.1
ip http server
ip http secure-server
ip http secure-active-session-modules none
ip http active-session-modules none
!
!
ip access-list extended ACL-AGENT-REDIRECT
 deny   udp any any eq domain bootps
 permit tcp any any eq www
 permit tcp any any eq 443
ip access-list extended ACL-ALLOW
 permit ip any any
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 permit tcp any host 10.178.5.152 eq 8443
 permit tcp any host 10.178.5.152 eq 8905
 permit udp any host 10.178.5.152 eq 8905
 permit tcp any host 10.178.5.152 eq 8906
 permit udp any host 10.178.5.152 eq 8906
 permit tcp any host 10.178.5.152 eq 8909
 permit udp any host 10.178.5.152 eq 8909
 permit tcp any host 10.178.5.153 eq 8443
 permit tcp any host 10.178.5.153 eq 8905
 permit udp any host 10.178.5.153 eq 8905
 permit tcp any host 10.178.5.153 eq 8906
 permit udp any host 10.178.5.153 eq 8906
 permit tcp any host 10.178.5.153 eq 8909
 permit udp any host 10.178.5.153 eq 8909
 deny   ip any any
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny   ip any host 10.178.5.152
 deny   ip any host 10.178.5.153
 permit tcp any any eq www
 permit tcp any any eq 443
ip radius source-interface Vlan320
logging esm config
logging trap alerts
logging origin-id ip
logging source-interface Vlan320
logging 192.168.6.31
logging host 10.178.5.150 transport udp port 20514
logging host 10.178.5.151 transport udp port 20514
access-list 10 permit 10.178.5.117
access-list 10 permit 10.178.61.100
snmp-server engineID local 800000090300000A8AF5F181
snmp-server community W143L355 RO
snmp-server community w143l355 RW
snmp-server community lthpublic RO
snmp-server community lthise RO
snmp-server trap-source Vlan320
snmp-server source-interface informs Vlan320
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server enable traps cluster
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps ipsla
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host 10.178.5.152 version 2c lthise mac-notification
snmp-server host 10.178.5.153 version 2c lthise mac-notification
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 10.178.5.152 auth-port 1812 acct-port 1813 test username test-radius key 7 03084F030F1C24
radius-server host 10.178.5.153 auth-port 1812 acct-port 1813 test username test-radius key 7 141B060305172F
radius-server vsa send accounting
radius-server vsa send authentication
Any help would be really appreciated.
I'm not sure I completely understand the question, but if ISE is only for wireless policy, then none of the wired switches need any ISE configuration.
Access points tunnel all wireless traffic to the WLC over CAPWAP (unless you use FlexConnect). It is the 802.1X configuration on the WLC that implements the policies defined in ISE.
Wired switches never need to act as a network access device (NAD) and so do not need to be defined in ISE unless or until you want to apply ISE policies to wired devices...
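The config posted above defines a url-redirect ACL (ACL-WEBAUTH-REDIRECT) next to the port ACLs, and the two are evaluated differently: on an IOS switch, a permit in the redirect ACL means "intercept this packet and answer with an HTTP redirect to the ISE portal", a deny means "do not redirect", and only traffic that is not redirected is then subject to the port ACL. The following Python is an added example written for this thread (not code from the poster or from Cisco) that models that evaluation with a small first-match ACE evaluator over a copy of ACL-WEBAUTH-REDIRECT and an abridged copy of ACL-DEFAULT from the config. It assumes ACL-DEFAULT is the ACL in force on the port during the redirect phase (the post applies ACL-ALLOW to the ports and defines ACL-DEFAULT without showing where it is used); the guest address 10.178.61.50 and the sample flows are constructed.

```python
import ipaddress

# Copy of the redirect ACL and an abridged copy of ACL-DEFAULT from the posted
# switch config (the ISE addresses 10.178.5.152/.153 are the ones in the post).
# Only the 'any' and 'host A.B.C.D' address forms occur in these ACLs.
ACL_WEBAUTH_REDIRECT = """
deny   ip  any host 10.178.5.152
deny   ip  any host 10.178.5.153
permit tcp any any eq www
permit tcp any any eq 443
"""

ACL_DEFAULT = """
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit tcp any host 10.178.5.152 eq 8443
permit tcp any host 10.178.5.152 eq 8905
permit udp any host 10.178.5.152 eq 8905
permit tcp any host 10.178.5.153 eq 8443
permit tcp any host 10.178.5.153 eq 8905
permit udp any host 10.178.5.153 eq 8905
deny   ip  any any
"""

WELL_KNOWN_PORTS = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}


def _port(token):
    return WELL_KNOWN_PORTS.get(token) or int(token)


def _address(tokens, i):
    """Parse 'any' (None = matches everything) or 'host X' at position i."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_address(tokens[i + 1]), i + 2
    raise ValueError(f"unsupported address form: {' '.join(tokens[i:])}")


def _optional_port(tokens, i):
    """Parse an optional 'eq PORT' qualifier; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Turn ACE lines into (action, proto, src, sport, dst, dport) tuples."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[0], t[1]
        src, i = _address(t, 2)
        sport, i = _optional_port(t, i)
        dst, i = _address(t, i)
        dport, i = _optional_port(t, i)
        aces.append((action, proto, src, sport, dst, dport))
    return aces


def ace_matches(ace, flow):
    """flow = (proto, src_ip, src_port, dst_ip, dst_port); 'ip' matches any protocol."""
    action, proto, src, sport, dst, dport = ace
    fproto, fsrc, fsport, fdst, fdport = flow
    if proto != "ip" and proto != fproto:
        return False
    if src is not None and src != ipaddress.ip_address(fsrc):
        return False
    if dst is not None and dst != ipaddress.ip_address(fdst):
        return False
    if sport is not None and sport != fsport:
        return False
    if dport is not None and dport != fdport:
        return False
    return True


def evaluate(aces, flow):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for ace in aces:
        if ace_matches(ace, flow):
            return ace[0]
    return "deny"


def classify(flow, redirect_acl, port_acl):
    """What the switch does with one packet of a session that carries
    url-redirect / url-redirect-acl: a packet the redirect ACL permits is
    intercepted and answered with a redirect to the portal; anything else is
    forwarded or dropped by the port ACL (model of the IOS behaviour)."""
    if evaluate(redirect_acl, flow) == "permit":
        return "redirect"
    return "forward" if evaluate(port_acl, flow) == "permit" else "drop"


def demo():
    """Constructed flows from a guest at 10.178.61.50 during the redirect phase."""
    redirect_acl = parse_acl(ACL_WEBAUTH_REDIRECT)
    port_acl = parse_acl(ACL_DEFAULT)
    flows = {
        "dns":        ("udp", "10.178.61.50", 5353, "10.178.61.1", 53),
        "ping":       ("icmp", "10.178.61.50", None, "10.178.61.1", None),
        "ise-portal": ("tcp", "10.178.61.50", 40000, "10.178.5.152", 8443),
        "web":        ("tcp", "10.178.61.50", 40001, "93.184.216.34", 80),
        "https":      ("tcp", "10.178.61.50", 40002, "93.184.216.34", 443),
        "ssh":        ("tcp", "10.178.61.50", 40003, "10.0.0.1", 22),
    }
    return {name: classify(flow, redirect_acl, port_acl) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:11s} -> {verdict}")
```

The two deny lines at the top of ACL-WEBAUTH-REDIRECT are what keep the guest's own HTTPS session to the ISE portal from being intercepted a second time, and the implicit deny at its end is why DNS and DHCP are never redirected: the redirect ACL selects traffic, it does not permit it, so those flows still have to be allowed by the port ACL.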
-
LOCAL WebAuth with Wireless LAN Controller and ISE
Greetings,
We intend to set up a centralized guest wireless network with sponsored webauth. I didn't know that this would not work with our current WLC code (6.0.199.4), as version 7.2 or later is required.
We have a project to upgrade the WLCs, but it won't be ready before the deadline for completing the guest wireless.
I am using local WebAuth temporarily until the WLCs are ready. My questions are:
1. Am I correct that I can still authenticate against ISE?
2. Since local webauth does not support CoA, does that mean I can't apply a pre- or post-auth ACL?
3. Can someone point me to a good guide for configuring local webauth?
Thank you!
Hi Leroy,
In CWA you can push the desired AVPs in the final result because of the nature of the flow:
-The guest connects to the SSID.
-The WLC sends a wireless MAB request (1st authentication). In response, ISE returns an Accept with url-redirect-acl and the redirect URL.
-The WLC updates the client session and, once http(s) traffic is generated, the WLC redirects the client to ISE according to the AVPs received in the 1st auth (MAB request).
-The client enters the credentials in the portal. ISE validates the creds and sends the WLC a CoA of type re-authenticate.
-The WLC re-authenticates the client session (2nd authentication), and at this point ISE can push custom AVPs such as VLAN names, interfaces or Airespace dynamic ACLs.
-The WLC overrides the client session with the new attributes.
Local Web Auth, as you mentioned, has 2 steps, but the WLC "considers" this a single flow.
For LWA, the flow is as follows:
-The client connects to the SSID. Since there is no L2 auth involved, the client goes through DHCP, gets an IP and arrives at WebAuth_Required. The redirect URL is configured statically on the WLC and the pre-auth ACL allows the client access to ISE during the auth phase.
-The client opens the browser and the WLC redirects the client to ISE, but within the redirection there is a 'return to WLC' action which tells ISE to send the client to the WLC virtual IP carrying the credentials the client used for auth in the guest portal.
-In this way the WLC now "knows" the creds handed to ISE, and so there is a formal RADIUS request the WLC sends to ISE with these creds. ISE returns an Accept, and this is how the WLC now "knows" that the auth is correct and it should move the client to RUN.
For LWA the simplest way would be to define a guest interface and statically apply a restrictive ACL at the interface level rather than wait for the AVP from the AAA server.
LWA is supported in this version at a very basic level, but if you want a complex flow involving pushing dynamic attributes you will need something higher than 7.2.110.0.
The recommended version would be 7.6.130.0 as of now.
Kind regards
Antonio
-
ISE 1.2 CWA with several PSNs - SessionID replication / Session expired
Hi all.
I have two Policy Service Nodes (PSNs) in an ISE 1.2 patch 1 deployment. We use Wireless MAB and CWA on 5760 Wireless LAN Controllers running v3.3.3.
We hit a problem in which a client first does MAB and then is redirected to a custom CWA portal. The client then receives a "Session has expired" message. This seems to be related to the fact that CWA is technically a 2-stage authentication (MAB by the WLC and then CWA by the client). Specifically, it seems to happen when the WLC makes its RADIUS MAB access request to PSN-1 and then the client comes to PSN-2 to finish the CWA. This problem does not occur when one PSN is being used and all authentication traffic (RADIUS MAB and CWA) goes to a single PSN.
Clients resolve the FQDN in the redirect URL using public DNS and a public DNS zone file (let's call it cwa-portal.example.com). cwa-portal.example.com has two records, one for each PSN. DNS responds to queries using round-robin DNS.
I have the PSNs configured in a node group for replication of session information between PSNs, but this does not seem to make a difference in the behavior.
So I ask:
What is the recommended architecture for CWA when you use more than one PSN? It seems that you must keep the two authentication flows pinned together so that they both hit the same PSN even when you use more than one PSN in a deployment. A load balancer balancing on the SessionID string comes to mind (the RADIUS MAB request and the CWA URL both contain this per-client unique SessionID), but that seems awfully oversized for a seemingly simple problem. On the other hand, it also seems that using a node group configuration should easily be able to replicate the client SessionID to all nodes in the deployment, so that this is not a problem. That is, if the WLC authenticates MAB on PSN-1, then PSN-1 should talk to the node group such that when the client does CWA on PSN-2, PSN-2 responds with a Session expired message.
Is there any Cisco documentation which talks about this?
Maybe related:
https://supportforums.Cisco.com/discussion/12131531/ISE-12-guest-access-...
Justin
Hi Justin,
Node groups are mainly used for redundancy of sessions that are waiting for status. Thus, because the controller is configured to use PSN-1 as the first RADIUS server, PSN-1 will have the session information on the client. This information is not shared with PSN-2, which is why you see "session expired". In short, the node that processes the MAB requests must be the node that serves the custom portal.
Round-robin DNS is preferable for use with the sponsor portal and the My Devices portal, with FQDNs like sponsor.example.com and mydevices.example.com. For CWA, a load balancer is the best option if you want to use multiple PSNs. Aaron Woland wrote an article covering ISE and load balancing. F5 also has some useful information on how to configure their load balancers with Cisco ISE.
Kind regards
Tim
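Antonio's CWA walk-through in the earlier thread (MAB, redirect URL, portal login, CoA, second authentication) and the two-PSN "Session expired" symptom that Justin and Tim discuss here can be put together in one model. The Python below is an added example written for this page, not code from Cisco or from anyone in the discussion; the PSN names, the portal FQDN cwa-portal.example.com, the session-id format, the returned attributes and the guest account are all constructed. It runs one guest through CWA three times: with round-robin DNS choosing the portal node (Justin's setup), with a session-pinning load balancer in front of the PSNs (Tim's recommendation), and with a single PSN.

```python
import itertools
from urllib.parse import parse_qs, urlparse

# Constructed deployment: two PSNs published under one portal name.
PORTAL_FQDN = "cwa-portal.example.com"


def session_id_from_url(url):
    return parse_qs(urlparse(url).query)["sessionId"][0]


class PSN:
    """One Policy Service Node. It only knows the sessions it created itself;
    as Tim notes, the node group does not replicate this state to its peer."""

    def __init__(self, name):
        self.name = name
        self.sessions = {}
        self._seq = itertools.count(1)

    def mab_request(self, mac):
        """CWA phase 1: the WLC's MAB Access-Request. ISE creates a session and
        answers Access-Accept with the redirect ACL name and a redirect URL
        that carries the session id (constructed id format)."""
        sid = f"{mac.replace(':', '')}{next(self._seq):08x}"
        self.sessions[sid] = {"mac": mac, "state": "REDIRECTED"}
        return {
            "result": "Access-Accept",
            "url-redirect-acl": "ACL-WEBAUTH-REDIRECT",
            "url-redirect": f"https://{PORTAL_FQDN}:8443/guestportal/gateway?sessionId={sid}",
        }

    def portal_login(self, sid, username, password):
        """The guest submits credentials to whichever PSN the URL resolved to."""
        if sid not in self.sessions:
            return "Session expired"          # the symptom in Justin's report
        if (username, password) != ("guest", "guest-pass"):   # constructed account
            return "Login failed"
        self.sessions[sid]["state"] = "AUTHENTICATED"
        return "CoA-Reauth"                   # PSN sends a CoA to the WLC for this session

    def reauth_request(self, sid):
        """CWA phase 2: after the CoA the WLC re-authenticates and ISE returns
        the real authorization (VLAN, Airespace ACL, ...)."""
        s = self.sessions.get(sid)
        if s is None or s["state"] != "AUTHENTICATED":
            return {"result": "Access-Reject"}
        return {"result": "Access-Accept", "Tunnel-Private-Group-ID": "320",
                "Airespace-ACL-Name": "GUEST-ACL"}


def round_robin_dns(psns):
    """A zone with one A record per PSN answering round-robin: the portal
    host is picked with no knowledge of which PSN holds the session."""
    cycle = itertools.cycle(psns)
    return lambda url: next(cycle)


class SessionPinningBalancer:
    """A load balancer that sees both the RADIUS exchange and the portal HTTPS
    request and pins the latter to the PSN that minted the sessionId in the URL."""

    def __init__(self, psns):
        self._rr = itertools.cycle(psns)
        self._owner = {}

    def mab(self, mac):
        psn = next(self._rr)
        reply = psn.mab_request(mac)
        self._owner[session_id_from_url(reply["url-redirect"])] = psn
        return psn, reply

    def resolve(self, url):
        return self._owner[session_id_from_url(url)]


def run_cwa(mab, resolve, mac, creds):
    """Drive one guest through CWA. 'mab' returns (psn, reply) for the WLC's MAB
    request; 'resolve' maps the redirect URL to the PSN that serves the portal."""
    mab_psn, reply = mab(mac)
    url = reply["url-redirect"]
    sid = session_id_from_url(url)
    outcome = resolve(url).portal_login(sid, *creds)
    if outcome != "CoA-Reauth":
        return outcome
    final = mab_psn.reauth_request(sid)      # WLC re-authenticates against its RADIUS server
    return "RUN" if final["result"] == "Access-Accept" else final["result"]


MAC, CREDS = "00:11:22:33:44:55", ("guest", "guest-pass")


def scenario_round_robin_dns():
    """WLC's first RADIUS server is psn1; DNS happens to hand the guest psn2."""
    psn1, psn2 = PSN("psn1"), PSN("psn2")
    return run_cwa(lambda mac: (psn1, psn1.mab_request(mac)), round_robin_dns([psn2, psn1]), MAC, CREDS)


def scenario_session_pinned():
    """Same two PSNs, with the balancer keeping MAB and portal on one node."""
    lb = SessionPinningBalancer([PSN("psn1"), PSN("psn2")])
    return run_cwa(lb.mab, lb.resolve, MAC, CREDS)


def scenario_single_psn():
    psn1 = PSN("psn1")
    return run_cwa(lambda mac: (psn1, psn1.mab_request(mac)), lambda url: psn1, MAC, CREDS)


if __name__ == "__main__":
    print("round-robin DNS :", scenario_round_robin_dns())
    print("session pinning :", scenario_session_pinned())
    print("single PSN      :", scenario_single_psn())
```

The model deliberately keeps each PSN's session table private, because that is the property Tim describes; making the portal request land on the same node is therefore a routing problem (the balancer's sessionId table), not a replication problem, which is why the node group alone does not change the outcome.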
-
WRT110 router with firmware .05
OK, here's my problem and I searched the forum and I see that others have the same problem with the firmware.05. before we begin, I want everyone to know that I don't know how to set up my network and I am a professional network.
My problem is on my xbox 360 with the Wireless N adapter. I use to have the firmware.02 installed on my router and sometimes while on my xbox, I'd get a message telling me that the xbox live connection has been lost. I would then have to resign in xbox live and it would start working again, so I thought that the router might need a firmware flash, after searching the site of linksys, I could find the firmware.05. I installed it and the installation went well, after that I installed it I reset my router by pressing the button on the back of it. I then reset all my IP addresses and port forwarding and the WPA key. Then, I put the router in mixed mode because I still G wireless devices to connect to my network like my android phones and my laptop, so that all the devices are now connected very well. I then go to my xbox and put everything up, static IP address, manual settings for DNS. and guess what it does not allow me to connect to xbox live. I then start to do some research and find out that I'm not the only one with this problem. so I find a few posts on here say to change the MTU to manual and put in a number, I don't remember the number but I did exactly that. then I tried to connect again and guess what xbox live still does not connect. so I do some research to see if I have the correct ports passed to my xbox and guess what I got all the correct ports forwarded. so I do some research more and found a post by someone who said that they changed the router Wireless N mode only and they said it worked for them, so I try and guess what it works very well. I even put the MTU back to automotive and it still works, I also tested with the xbox set to auto automatic DNS and IP address and it still works. but then as soon as I switch the router in mixed mode, it will not connect. 
It's definitely a problem with firmware .05, so please, if someone has found a fix for this issue that allows the router to run in mixed mode and still have the xbox connect, please let me know what it is. And please don't try to tell me to change my DNS in the xbox to 4.2.2.2 and 192.168.1.1, and please don't try to tell me to set the IP address of my xbox to 192.168.1.20, because I put my IP on 192.168.2.1. I need a fix that works, or tell me how to go back to firmware .02.
To anyone who is having these problems with this WRT110 router with firmware .05: I flashed my router back to firmware .02 and everything works again; I can run in mixed mode and my xbox connects, and all my computers and phones connect. If someone wants firmware .02 you can d/l it here. This will probably get removed by the mods here, but here goes
-
Cisco 2600 AP registration with WLC
Hello
We bought new Cisco WLC 2500 and 2600 AP devices.
We used the Cisco APs in standalone mode and I was pretty familiar with those APs, but I do not know how to set up an AP in LWAP mode and attach it to my WLC; I'm totally new to it. I installed a DHCP server in my network and my 2600 AP can take an IP from the DHCP server, but it does not join my WLC, I don't know why, and I couldn't find a good instruction on the internet.
Can anyone send me a step-by-step guide on how to join a Cisco AP to a WLC, please? I have a lot of experience on the networking side but not in the wireless world; please help.
Another thing: my country code is not included in the Cisco WLC, what should I do? My country is Afghanistan, but its code does not exist in WLC version 7.0.
The AP we are installing is in Afghanistan, but Afghanistan is not included in the list of regulatory domains, which is why I chose US during the setup process.
And where is the WLC going to be installed? If it's in the same country, then change the country to the same regulatory domain as your access point, or the AP will never join the controller.
-
Cannot open the CWA URL with ISE
Hi people,
I have a problem when performing CWA with ISE so that I can give guests access to the network.
Everything is fine except the CWA URL: when guests open Explorer and enter a domain name after connecting to the SSID, they are redirected to a URL like 'https://hostname.demo.com:8443/guestportal/...', which begins with the hostname and domain name of the ISE, but we have no AD or LAN DNS for our network, so we cannot resolve hostname.demo.com to the IP address of the ISE. So can I just change the URL to the IP type, like "https://10.10.10.70:8443/guestportal"?
Screenshot attached (sorry).
Basically it's in the authorization policy; it allows you to use a static DNS name or IP address.
-
ACS 5.0 RADIUS timeout with WLC 7.0
Hi guys,
I'm setting up a Cisco Secure ACS 1120 device running ACS 5.0.0.21 to handle RADIUS queries from a Cisco WLC 5508 running version 7.0.116.0.
- These devices have open communication on all ports - no firewall or ACL
- They have successful ping communication
The following statements illustrate some, but not all, of the debugging I did to make sure that each device works properly in isolation.
- Using a simple Windows RADIUS server (radserv2.exe) instead of the Cisco ACS
- This works and the WLC gets a reply from my makeshift RADIUS server
- Using a simple Windows EAP client to query the ACS using the RADIUS protocol
- This works and the ACS processes the RADIUS request and sends a response
- Placed a Wireshark client on the network to inspect the timeout.
- Wireshark sees the packet from the WLC to the ACS on port 1812 but does not see any response packet from the ACS
At the moment I have the
- WLC accepting the wireless client association and
- sending the RADIUS query (EAP-TLS, PEAP and EAP-FAST) to the ACS,
- the WLC receives no answer, generates a timeout message and disconnects the client.
- Note this is not a reject or similar message; the ACS simply does not see the packet, i.e. there is absolutely nothing in the ACS logs to suggest that it even received a RADIUS packet from the WLC.
In summary, the WLC and ACS operate properly independently, but they do not communicate via RADIUS.
Any help appreciated, thanks
It seems that you use ACS 5.0 without patches.
For your information, the product version is now up to 5.2, and ACS 5.3 should soon be released.
I recall there was a problem with ACS 5.0 in WLC operations that was resolved in a patch for 5.0.
I'm not sure of the specific CDETS but it could be:
CSCsy17858 Any manipulation of Tunnel-Type & Tunnel-Client-Endpoint uploading incorrect
ACS 5.0 has a rollup approach, with all the patches being accumulated.
My recommendation would be to download patch 8 for ACS 5.0: 5.0.0.21.8
The patch can be downloaded from CEC.
To install a patch, set up a repository on ACS (cumulative patches are larger than 32 MB, so you cannot use TFTP for it), copy the patch file into the repository, and from the ACS CLI:
# acs patch install <patch-file> repository <repository-name>
-
Hi all
I have a Cisco WLC (AIR-WLC4402-12-K9) with two LAPs (AIR-LAP1131AG-A-K9) connected; one of the APs is able to register with the WLC, while the other, an autonomous AP which was converted to LAP, fails to register with the WLC. I see that the AP is able to get an IP address and even join the WLC, but it fails to register. Please help us solve this problem. I have attached all logs relevant to this case. Waiting for your answer.
FYI I referred to the URL below, but could not figure out the reason.
http://www.Cisco.com/en/us/products/ps6366/products_tech_note09186a00808f8599.shtml
I don't understand. You have TWO (2) 1131AGs. One joined in the last two days and another recently joined. You're saying the other keeps "bouncing"?
Have you checked if the WAP is declining because of the power?
-
Access points do not join the WLC
Hi all
I have a WLC 5508 in LAG mode with 14 1231 WAPs already connected to it. However, I still have to move 9 more WAPs from my old 4404 controller to the new 5508 controller. I can't get the remaining 9 WAPs to register with the new WLC. I found the WLC debug messages below. My WLC license is valid for 50 APs. Have any of you seen this? What am I doing wrong here? Any advice is much appreciated.
I have LAG set up with 2 of the 8 ports. I do not understand why it gives an error about not having sufficient capacity.
All comments are much appreciated. Thanks in advance.
*spamApTask4: May 21 18:58:29.468: 00:23:04:c9:72:00 Echo Timer Expiry: no heartbeat response received from AP 00:23:04:c9:72:00 (10:4:12:26 / 36602)
*spamApTask0: May 21 18:58:50.588: 00:13:60:7e:28:30 Join Priority Processing status = 0, Incoming AP priority 0, MaxLrads = 50, joined APs = 14
*spamApTask0: May 21 18:58:50.588: 00:13:60:7e:28:30 Discovery Request refused for AP 00:13:60:7e:28:30 - no AP Manager with available capacity
*spamApTask0: May 21 18:58:50.588: 00:13:60:7e:28:30 Join Priority Processing status = 0, Incoming AP priority 0, MaxLrads = 50, joined APs = 14
*spamApTask0: May 21 18:58:50.588: 00:13:60:7e:28:30 Discovery Request refused for AP 00:13:60:7e:28:30 - no AP Manager with available capacity
*spamApTask0: May 21 18:59:00.589: BoardDataPayload is not found
*spamApTask0: May 21 18:59:00.636:
*spamApTask0: May 21 18:59:05.593: BoardDataPayload is not found
*spamApTask0: May 21 18:59:05.639:
*spamApTask0: May 21 18:59:53.564: 00:13:60:7e:28:30 Join Priority Processing status = 0, Incoming AP priority 0, MaxLrads = 50, joined APs = 14
*spamApTask0: May 21 18:59:53.565: 00:13:60:7e:28:30 Discovery Request refused for AP 00:13:60:7e:28:30 - no AP Manager with available capacity
*spamApTask0: May 21 18:59:53.565: 00:13:60:7e:28:30 Join Priority Processing status = 0, Incoming AP priority 0, MaxLrads = 50, joined APs = 14
*spamApTask0: May 21 18:59:53.565: 00:13:60:7e:28:30 Discovery Request refused for AP 00:13:60:7e:28:30 - no AP Manager with available capacity
Suppose that the SSC has been corrupted...
Run the command "debug pm pki enable" on the WLC, copy the SSC and paste it on the WLC and see if that helps... Here is the link to do the same thing!
http://www.Cisco.com/en/us/products/ps6366/products_configuration_example09186a00806a426c.shtml
Let me know if that answers your question, and please do not forget to rate helpful posts!
Regards
Surendra
-
Is Mac OS 10.12 (Sierra) compatible with Logic Pro 10.2.4 and the iMac (21.5-inch, mid 2011)? I am contemplating moving to Sierra, but not if it conflicts with Logic Pro. Can someone advise?
Thank you!
Matt
There have been a number of reports of not being able to save or create new projects under Sierra.
I would wait some time if I were you, especially if everything is working well at the moment.
-
CCleaner shows a plugin in Firefox without the name of the program or the publisher and with a version number of '0', and it can be disabled or deleted. Is it a default Firefox plugin, and if so, what do I do? It does not appear in my list of Firefox add-ons in Firefox and a malware scan does not detect it.
It is possible that the profile has become corrupted; you can try starting a new profile.
-
My Yahoo slider went from an arrowhead to a diamond with a cross in the middle, and nothing in the pickable (?) groups. How can I change it back? Windows 8.1 (latest) and Firefox (latest).
Are you not referring to autoscroll?
- Tools > Options > Advanced > General: Browsing: "Use autoscrolling".