FreeRADIUS & AP1142n

I have set up an LDAP-backed FreeRADIUS server for use with a couple of AP1142n APs.

I set a shared secret and configured the AP to authenticate against FreeRADIUS.

The setup should use user names and passwords, with no client certificate.

An Ubuntu client I set up as a test authenticates fine.

However, when I try to authenticate to the AP I get the following in the RADIUS logs:

17:08:50 --> verify error:num=20:unable to get local issuer certificate
17:08:50 TLS Alert write:fatal:unknown CA
17:08:50 TLS_accept: error in SSLv3 read client certificate B
17:08:50 rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
17:08:50 SSL: SSL_read failed inside of TLS (-1), TLS session fails.
17:08:50 Login incorrect (unable to get local issuer certificate): [noel.bourke] (from client AP4 port 521 cli 00-26-BB-03-C5-09)

I tried adding the self-signed CA cert to the AP, but it made no difference.

Can someone give some guidance on this?

Which EAP method have you set?

This isn't an AP problem; it is a problem with the FreeRADIUS client config.

FreeRADIUS offers a list of possible authentication methods and the client tries the one it is configured for. So if your Ubuntu client goes for EAP-TLS (which uses certificates), there is nothing anyone can do about it.

PEAP-MSCHAPv2 is your best bet. Check whether that is what both the client and FreeRADIUS are set to.

Nicolas
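As an added example (not code from the thread or from FreeRADIUS), here is a small Python triage of the kind of FreeRADIUS 2.x debug lines quoted above. The sample lines are constructed to match that format, and the reading is the one the reply relies on: a "TLS Alert write:" line is an alert the server sent, so the server rejected the supplicant's client certificate (EAP-TLS in use), while "TLS Alert read:" means the supplicant rejected the server's certificate.

```python
"""Triage FreeRADIUS 2.x EAP-TLS failure lines: which side rejected which cert.

Added example, not code from the original thread or from FreeRADIUS.
"""
import re

# Constructed sample, shaped after the log lines quoted in the question.
SAMPLE_LOG = """\
17:08:50 --> verify error:num=20:unable to get local issuer certificate
17:08:50 TLS Alert write:fatal:unknown CA
17:08:50 TLS_accept: error in SSLv3 read client certificate B
17:08:50 rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
17:08:50 SSL: SSL_read failed inside of TLS (-1), TLS session fails.
17:08:50 Login incorrect (unable to get local issuer certificate): [noel.bourke] (from client AP4 port 521 cli 00-26-BB-03-C5-09)
"""

VERIFY_RE = re.compile(r"verify error:num=(\d+):(.+)$")
ALERT_RE = re.compile(r"TLS Alert (read|write):(\w+):(.+)$")
SSLFUNC_RE = re.compile(r"SSL routines:([A-Z0-9_]+):")
LOGIN_RE = re.compile(r"Login incorrect \((.+?)\): \[(.+?)\] \(from client (\S+) ")


def triage(log_text):
    """Return a dict describing the failure and which side rejected a certificate.

    'write' alerts are sent BY the RADIUS server (it rejected the client's
    certificate); 'read' alerts were received FROM the supplicant (it rejected
    the server's certificate).  Verify error 20 is OpenSSL's
    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: the presented chain does not
    reach a CA in the verifier's trust store.
    """
    result = {"verify_num": None, "verify_text": None, "alert_direction": None,
              "alert_reason": None, "ssl_func": None, "user": None, "nas": None}
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            result["verify_num"] = int(m.group(1))
            result["verify_text"] = m.group(2).strip()
        m = ALERT_RE.search(line)
        if m:
            result["alert_direction"] = m.group(1)
            result["alert_reason"] = m.group(3).strip()
        m = SSLFUNC_RE.search(line)
        if m:
            result["ssl_func"] = m.group(1)
        m = LOGIN_RE.search(line)
        if m:
            result["user"], result["nas"] = m.group(2), m.group(3)

    # Decide which side failed verification.
    server_rejected_client = (result["alert_direction"] == "write"
                              or "CLIENT_CERTIFICATE" in (result["ssl_func"] or ""))
    if server_rejected_client:
        result["diagnosis"] = ("server could not verify the supplicant's client certificate: "
                               "the supplicant is doing EAP-TLS, so either add its CA to the "
                               "server's ca_file or switch the supplicant to PEAP-MSCHAPv2")
    elif result["alert_direction"] == "read":
        result["diagnosis"] = ("supplicant rejected the server certificate: "
                               "install the server's CA on the client")
    else:
        result["diagnosis"] = "no TLS alert found"
    return result
```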

Tags: Cisco Wireless

Similar Questions

  • Cisco AIR-AP1142N-A-K9 wireless access point WPA2 configuration problem

    Hi people,

    I am brand new to Cisco Wireless. I just bought a new Cisco AIR-AP1142N-A-K9 wireless access point and tried to configure WPA2 for security reasons, but it is impossible to configure any security mode. So my AP is currently in no security / no encryption mode.

    Could someone help and advise me? I would appreciate getting all the documents, so the security problem can be solved.

    Regards

    Sanjeev

    OK great

    ----------------------------------------------------------------------------------------------------------------------

    Be sure to rate the correct answer and mark the thread as answered

  • SG300: Can't assign VLAN via 802.1X + FreeRADIUS

    We recently got an SG300-10 and are trying to get dynamic VLAN assignment working via 802.1X and FreeRADIUS. We got it so that the client connected to the SG300 authenticates correctly, i.e. I see this in "show dot1x users":

                              MAC               Auth   Auth   Session        VLAN
    Port     Username         Address           Method Server Time
    -------- ---------------- ----------------- ------ ------ -------------- ----
    gi7      testuser         58:55:ca:24:19:d4 802.1X Remote 00:04:39

    However, the client does not seem to be on the correct VLAN, or on any VLAN at all. If I change the port from "dot1x radius-attributes vlan static" to "dot1x radius-attributes vlan" then the client can't auth at all (which is expected, because it cannot retrieve the VLAN information).

    The freeradius users file looks like this:

    testuser  Cleartext-Password := "testpassword"
            ##Tunnel-Tag = 0,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Type = VLAN,
            Tunnel-Private-Group-Id = "104"

    There is also this line in the eap.conf file:

    copy_request_to_tunnel = yes

    Running config:

    net055#show running-config
    config-file-header
    net055
    v1.3.5.58 / R750_NIK_1_35_647_358
    CLI v1.0
    set system mode switch
    file SSD indicator encrypted
    @
    ssd-control-start
    ssd config
    ssd file passphrase control unrestricted
    no ssd file integrity control
    ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
    !
    vlan database
    default-vlan vlan 3333
    exit
    vlan database
    vlan 1,100,104,111
    exit
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    dot1x system-auth-control
    hostname net055
    line console
     exec-timeout 30
    exit
    line ssh
     exec-timeout 0
    exit
    encrypted radius-server host 172.16.200.57 key #REMOVED priority 10 usage dot1.x
    radius-server host source-interface vlan 100
    management access-list mlist2
     permit ip-source 172.16.202.0 mask 255.255.255.0
     permit ip-source 172.16.200.0 mask 255.255.255.0
    exit
    management access-class mlist2
    logging buffered debugging
    aaa authentication enable default enable none
    aaa accounting dot1x start-stop group radius
    enable password level 15 encrypted #REMOVED
    no service password-recovery
    no passwords complexity enable
    passwords aging 0
    username #REMOVED password encrypted #REMOVED privilege 15
    username #REMOVED password encrypted #REMOVED privilege 15
    ip ssh server
    ip ssh password-auth
    ip http timeout-policy 1800 https-only
    no ip http server
    tacacs-server timeout 10
    clock timezone " " 0 minutes 0
    clock source sntp
    !
    interface vlan 100
     ip address 172.16.200.21 255.255.255.0
     no ip address dhcp
    !
    interface vlan 104
     name gen-0-Gnv-204.0
    !
    interface vlan 111
     name guest-0-Gnv-10-66-61.0
     dot1x guest-vlan
    !
    interface gigabitethernet1
     switchport trunk allowed vlan add 100,104,111
    !
    interface gigabitethernet7
     dot1x guest-vlan enable
     dot1x reauthentication
     dot1x radius-attributes vlan static
     dot1x port-control auto
     switchport mode general
     switchport general allowed vlan add 104 untagged
     no macro auto smartport
    !
    exit
    ip default-gateway 172.16.200.1

    Looks like there was a similar question here, but it seems never to have been resolved:

    https://supportforums.Cisco.com/message/3336810#3336810

    Hi all

    I'm working with Colin and it turned out to be a RADIUS problem, in the eap.conf file, in the peap section (auth phase 1).

    We need to enable copy_request_to_tunnel AND use_tunneled_reply:

    peap {
            # The tunneled EAP session needs a default
            # EAP type which is separate from the one for
            # the non-tunneled EAP module.  Inside of the
            # PEAP tunnel, we recommend using MS-CHAPv2,
            # as that is the default type supported by
            # Windows clients.
            default_eap_type = mschapv2

            # the PEAP module also has these configuration
            # items, which are the same as for TTLS.
            copy_request_to_tunnel = yes
            use_tunneled_reply = yes
    }

    After that, we could see the user's VLAN id in the test responses, returned once per reply.

    See you soon!
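    As an added example (not code from the thread, FreeRADIUS or the SG300), here is how the three reply attributes from the users-file entry above travel on the wire per RFC 2868, in Python: Tunnel-Type (64) and Tunnel-Medium-Type (65) are tagged integers that always carry a tag byte (0 when the Tunnel-Tag line is left commented out), while Tunnel-Private-Group-Id (81) only carries a tag byte when the tag is non-zero, and a switch should apply the VLAN only when all three attributes are present with matching tags.

```python
"""Encode/decode the RFC 2868 tunnel attributes used for dynamic VLAN assignment.

Added example, not FreeRADIUS or switch code.  Attribute numbers and enum values
are the standard RADIUS ones (Tunnel-Type VLAN = 13, Tunnel-Medium-Type IEEE-802 = 6).
"""

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE-802


def _avp(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1) Value, Length covers the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def encode_vlan_reply(vlan_id, tag=0):
    """Build the Access-Accept attributes for a VLAN assignment.

    Tagged integers are tag(1) + 3-byte big-endian value.  For the string
    attribute the tag byte is omitted when tag == 0 (untagged).
    """
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    vlan = str(vlan_id).encode()
    pkt = _avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    pkt += _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
    pkt += _avp(TUNNEL_PRIVATE_GROUP_ID, (bytes([tag]) if tag else b"") + vlan)
    return pkt


def decode_attrs(data):
    """Yield (type, raw_value) from a RADIUS attribute list, validating lengths."""
    off = 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[off], data[off + 1]
        if length < 2 or off + length > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[off + 2:off + length]
        off += length


def vlan_from_reply(data):
    """Return the VLAN id a switch would apply, or None if the triple is incomplete.

    Per RFC 2868 a first byte > 0x1F on a string attribute is data, not a tag.
    """
    found = {}
    for attr_type, raw in decode_attrs(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(raw) != 4:
                raise ValueError("tagged integer must be 4 bytes")
            found[attr_type] = (raw[0], int.from_bytes(raw[1:], "big"))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, s = (raw[0], raw[1:]) if raw and raw[0] <= 0x1F else (0, raw)
            found[attr_type] = (tag, s.decode("ascii", "replace"))
    if len(found) != 3:
        return None
    if len({v[0] for v in found.values()}) != 1:   # all three must share one tag
        return None
    if (found[TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN
            or found[TUNNEL_MEDIUM_TYPE][1] != TUNNEL_MEDIUM_IEEE_802):
        return None
    return found[TUNNEL_PRIVATE_GROUP_ID][1]
```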

  • AIR-AP1142N-T-K9

    Hi all

    I'm brand new to wireless and I would like to find out if the AIR-AP1142N-T-K9 is standalone or lightweight. I read some documents and they say that the 1140 series is autonomous, but nothing specific to the 1142N-T-K9. If it is standalone, can it become lightweight, and which WLC series support the converted AP?

    Thank you.

    I am brand new to wireless and I would like to find out whether the AIR-AP1142N-T-K9 is standalone or lightweight

    Your product code says it is autonomous (aka standalone), but the best way to check is to console into the AP and look at the IOS. If your IOS is "C1140-K9W8-M", then it is controller-based IOS. If your IOS is "C1140-K9W7-M", then it is autonomous.

    Conversion from autonomous IOS (aIOS) is quite easy. All you need to do is copy the "RRS" TAR file to the AP and boot from it.

  • AP1142N "AP not supported" error converting to LWAPP

    Trying to upgrade a standalone AIR-AP1142N-E-K9 (C1140-K9W7-M software, version 12.4(21a)JA1) with the upgrade tool, but I get the error message "unsupported AP". The tool version is: CiscoAironet-AP-to-LWAPP-Upgrade-Tool-v205.exe

    What LWAPP conversion is supported for the AP1142N, and how can I convert?

    Thanks for any help.

    Alexander

    Here's another method:

    Copy the LWAPP IOS (with the "RRs" prefix in the file name) to the AP and make that the AP's boot image. Your AP can now join a WLC.

  • SSID is not seen on the PC (AP1142N, 802.11n).

    AP is AIR-AP1142N.

    SSID & radio 1 configuration is as follows...

    Enable the SSID on radio 0 -> I see the SSID (but 72 Mbps..)

    but shut down radio 0 and activate radio 1 -> I do not see the SSID

    The 802.11n configuration is open authentication, or WPA2 with AES encryption, on radio 1 (5 GHz)

    Help, please

    CONFIGURATION

    !
    dot11 ssid TestN2
       authentication open
       guest-mode
    !

    interface Dot11Radio0
     no ip address
     no ip route-cache
     shutdown
     !
     !
     ssid TestN2
     !
     antenna gain 0
     guard-interval long
     channel 2412
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    end

    !

    interface Dot11Radio1
     no ip address
     no ip route-cache
     !
     !
     ssid TestN2
     !
     no dfs band block
     channel width 40-above
     channel 5745
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     bridge-group 1 unicast-flooding
    !

    AP#show ip interface brief
    Interface              IP-Address      OK? Method Status                Protocol
    BVI1                   192.168.1.108   YES DHCP   up                    up
    Dot11Radio0            unassigned      YES NVRAM  administratively down down
    Dot11Radio1            unassigned      YES TFTP   up                    up
    GigabitEthernet0       unassigned      YES NVRAM  up                    up

    Sounds stupid, but are you sure the client's PC is capable of 5 GHz?

    Nicolas

  • FreeRadius user-password encoding

    Hello

    I'm trying to configure a RADIUS server to authenticate my users on a couple of routers.

    Now, I did my initial configuration on an 1811 router and everything works correctly; moving to a production 2801 router is where I get into trouble. Trying our second production 2801, it works fine again. I'm breaking my head over what could be wrong, but can't find anything!

    What I see in my FreeRADIUS output log:

    rad_recv: Access-Request packet from host 10.1.1.25:1645, id=172, length=96
            User-Name = "sander"
            Reply-Message = "Password: "
            User-Password = "\204p\034\272\345\346K^\250s\346\200gN\035\250"
            NAS-Port = 194
            NAS-Port-Id = "tty194"
            NAS-Port-Type = Virtual
            Calling-Station-Id = "10.2.1.112"
            NAS-IP-Address = 10.1.1.25
    rlm_sql (sql): Reserving sql socket id: 3

    So the User-Password I get is encrypted somehow by Cisco. The password is 'test' for now. If I connect to my two other Cisco routers, I see the password in plaintext in the FreeRADIUS log (as I expect).

    Is there a reason why this 2801 router is acting weird and putting a different User-Password encoding in the mix?

    The two 2801s are running the same version of IOS.

    Help, please!

    Hello

    Only the password is encrypted in RADIUS. I would say the key.

    Kind regards

    Vivek
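    The reply above points at the shared secret. As an added example (not code from the thread, FreeRADIUS or Cisco), here is the RFC 2865 User-Password hiding scheme in Python: the NAS pads the password to 16-byte blocks and XORs each block with MD5(secret + previous block), starting from the Request Authenticator, so a server that has a different secret configured for that client decodes 16 bytes of garbage exactly like the blob in the log instead of 'test'. The secret and authenticator below are constructed values.

```python
"""RFC 2865 User-Password hiding and the effect of a shared-secret mismatch.

Added example; not FreeRADIUS or Cisco code.  SECRET and AUTHENTICATOR are
constructed for the demonstration and are not the poster's values.
"""
import hashlib


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """NAS side: pad with NULs to a multiple of 16, then chain-XOR with MD5 blocks."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    pw = password.encode()
    if not pw or len(pw) > 128:
        raise ValueError("password must be 1..128 bytes")
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        block = hashlib.md5(secret + prev).digest()   # b(n) = MD5(S + c(n-1))
        cipher = _xor(pw[i:i + 16], block)
        out += cipher
        prev = cipher
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side: same chain; each XOR uses the *received* previous block."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        cipher = hidden[i:i + 16]
        out += _xor(cipher, hashlib.md5(secret + prev).digest())
        prev = cipher
    return out.rstrip(b"\x00")


def looks_like_secret_mismatch(revealed):
    """Heuristic for reading a debug log: a real login password is printable ASCII."""
    return not all(0x20 <= x < 0x7F for x in revealed)


# Constructed values for the demonstration (NOT the poster's secret).
SECRET = b"example-shared-secret"
AUTHENTICATOR = bytes(range(16))
HIDDEN = hide_password("test", SECRET, AUTHENTICATOR)


def demo():
    """Decode the same Access-Request with the right and with a wrong secret."""
    right = reveal_password(HIDDEN, SECRET, AUTHENTICATOR)
    wrong = reveal_password(HIDDEN, b"different-secret", AUTHENTICATOR)
    return right, wrong
```

With the matching secret the server sees "test"; with a mismatched clients.conf secret it sees 16 opaque bytes, which is the symptom shown in the log.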

  • How to mount an AP1142n above a ceiling suspended?

    Hello

    I want to know what:

    (1) LWAPP adapter

    (2) mounting hardware / bracket

    have been used for deployments of LWAPP 1142n above a suspended ceiling. Our installation will not work with the included T-rail mounting hardware and we are looking for alternate options for mounting above a suspended ceiling. The Cisco hardware guide mentions an adapter for use with an Erico Caddy 512 T-shaped adapter. Has anyone had experience with this option?

    Thank you

    James

    I used the Erico 512 bracket in a brand new building that we built. For aesthetics, they didn't want the APs visible. Anyway, they are not as smooth as the T-shaped hangers that are included with the APs, but they do the job. Make sure you get the 512 which has a height of 8" that you can adjust so the AP does not hit the top of the ceiling tile.

    Oberon Wireless also makes very nice enclosures for different models of AP if you want something a bit nicer and easier to access, with a lock and key.

    http://www.oberonwireless.com/index.php

  • The AIR-AP1142N-E-K9 deployment options

    Hello

    I intend to buy two or three 1142N Aironets and would like to know if they support root bridge & access point and non-root bridge & access point modes simultaneously, with different SSIDs.

    So the plan is to create a wireless bridge between two 1142N Aironets plus an additional SSID on each for wireless clients.

    Is this possible?

    Yes.

  • RADIUS server with no Airport devices

    Is there a way I can set up a RADIUS server by using the OS X application, but without an Airport or the Terminal, on El Capitan? Thank you

    See if that helps.

    OS X Server Mavericks - setting up FreeRADIUS

  • WPA-EAP enterprise Wifi stick for OSX 10.11?

    I have been looking for months for a Wifi stick that supports WPA-EAP Enterprise on OSX 10.11. I have ordered about 10 already, but most of them only support OSX 10.9 or lower. But I need 10.11. Those that work with OSX 10.11 only support WPA-PSK so far.

    Any ideas? Any help?

    (I know that my Mac supports WPA-EAP, but I need a stick so I can place it as close as possible to the access point of a public network, which I can't change; I can't use repeaters etc.)

    I may be wrong, since I have to confess I have only used WPA2-Enterprise once, but I think EAP is part of the 802.1X security suite. EAP stands for Extensible Authentication Protocol.

    OS X has supported WPA2-Enterprise and 802.1X for a long time, and it doesn't always work. I believe that as long as the WiFi adapter supports WPA2 then it will also support WPA2-Enterprise and therefore 802.1X and EAP.

    Note: WPA2-Enterprise and 802.1X also mean using a RADIUS authentication server. In theory it could run on a Mac server, and in fact Apple's Server.app includes a copy of FreeRADIUS, even if you need to configure it manually.

    I found the following, https://eshop.macsales.com/item/Edimax/EW7711MAC/, which is listed as a Mac, El Capitan, WPA2 and 802.1X compatible product.

    This adapter on the OWC web site is listed as including El Capitan drivers, although the product page on the Edimax website lists only up to Yosemite.

    (Update - I have now found an Edimax driver download page which lists El Capitan - see http://www.edimax.co.uk/edimax/download/download/data/edimax/global/download/for _home/wireless_adapters/wireless_adapter... )

    This is why I feel this adapter qualifies as a Mac-compatible, El Capitan-compatible and WPA-EAP-compatible product.

  • RADIUS admin tool

    Hello

    I would like to configure FreeRADIUS on my OS X El Capitan server. Someone gave me a couple of links on how to do this using the Terminal.

    But I saw this on the App Store

    http://servicemax.com.au/tips/admin-tool-RADIUS/

    It seems simple enough. I tried it and I'm not able to make it work.

    My question is: does anyone have this working? If yes, what are the step-by-step instructions on how to configure it?

    I solved it by adding the wireless router as a 'network access server', and using a purchased SSL certificate.

  • PEAP EAP/TLS, PORTEGE with WinXP sp2 Tablet Edition problem

    We have: a Rev Cisco Aironet 350 with WPA-EAP, FreeRADIUS configured with EAP/TLS and PEAP, and a Portege tablet PC with WinXP SP2.

    This problem is described in http://wiki.freeradius.org/index.php/FAQ#PEAP_Doesn.27t_Work
    Perhaps to solve this problem we need a fix (http://support.microsoft.com/kb/885453/en-us), but Microsoft support said to contact the laptop manufacturer.
    Can someone help me with this problem?

    Hmmm, I'm not an expert in this area, but it seems that the MS OS update is necessary. (I hope)
    The preinstalled Windows operating system is a simple OEM version and generally all updates should be possible. However, if the MS guys told you to contact the laptop manufacturer, you can contact the authorized Toshiba service partner in your country for details.

    But I studied a bit on the net and found this site useful:
    http://SearchNetworking.TechTarget.com/originalContent/0, 289142, sid7_gci945257, 00.html

    1. 802.1X is based on communication between your router and a RADIUS authentication server. If you use WEP, WPA or WPA2 with dynamic keys, the following 802.1X debugging tips may be useful:
    a. re-enter the same RADIUS secret in your wireless router and the RADIUS server.
    b. configure your RADIUS server to accept RADIUS requests from your router's IP address.
    c. use ping to check router-to-server reachability.
    d. watch the LAN packet counters to verify that RADIUS requests and answers are flowing.
    e. use an analyzer like Ethereal on the Ethernet to watch RADIUS success/failure messages.
    f. for XP SP2, turn on Wzctrace.log by typing the command "netsh ras set tracing * enabled".

    2. If RADIUS is flowing but access requests are rejected, you may have an 802.1X Extensible Authentication Protocol (EAP) mismatch or a credential problem. This setting depends on the EAP type. For example, if your RADIUS server requires EAP-TLS, then select 'Smart Card or other Certificate' in your wireless network adapter's properties / authentication panel. If your RADIUS server requires PEAP, then select "Protected EAP" for the adapter. If your RADIUS server requires EAP-TTLS, then you will need a third-party wireless client like AEGIS or Odyssey.
    Make sure that the EAP-specific properties match for your adapter and the server, including the trusted root CA certificate for the server, the server domain name (optional, but it must match when specified) and the client authentication method (EAP-MSCHAPv2, EAP-GTC). When you use PEAP, use the 'Configure' panel for CHAP to prevent Windows from automatically re-using your logon.

  • PowerConnect 5448, Windows Server 2008 R2

    Hello from France,

    One of my projects for a client is to set up secure authentication via 802.1X. I chose to use FreeRADIUS.

    But the customer would not integrate a Linux solution.

    So I went to Microsoft Windows Server 2008 R2 and NPS. I've implemented two solutions.

    First of all, NAP. The solution works without any problem.

    But the second setup, Dell PowerConnect device authentication via Active Directory, does not. I have found and tried many HOWTOs on the web, but none are compatible with my device.

    Has someone deployed this solution with Microsoft NAP? Is there a Dell CEP that would solve it?

    Thanks for your help

    Theo

    I'm looking for information here too, and I don't see anything that would change the switch configuration. Everything works fine until we add the Windows RADIUS into the mix. With Wireshark you can even see the request going to the server, but then the server never sends a packet back to authenticate the user, the switch times out the authentication and it is logged as rejected.

  • Cisco Catalyst 2960-S switch configured for 802.1X: RADIUS Access-Request to the RADIUS server

    Setup

    Cisco Catalyst 2960-S running 15.0.2-SE8

    FreeRADIUS RADIUS server on CentOS 6.4

    Client (supplicant) running Windows 7

    When the Windows client is connected to the port (port 12 in my setup) with 802.1X authentication active on the switch, Wireshark shows that the Catalyst sends an EAP Request and the client responds with an EAP Response. But it does not send the request to the RADIUS server. The RADIUS test utility 'test aaa group radius testuser password new-code' works.
    Here is my running config. Any advice would be greatly appreciated.
    mySwitch#show running-config
    Building configuration...

    Current configuration : 2094 bytes
    !
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname myswitch
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$Z1z6$kqvVYRQdVRZ0h8aDTV5DR0
    enable password password
    !
    !
    aaa new-model
    !
    !
    aaa authentication dot1x group group radius
    aaa accounting dot1x default start-stop group radius
    !
    !
    !
    aaa session-id common
    switch 1 provision ws-c2960s-24ts-l
    !
    !
    !
    !
    !
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    !
    !
    !
    vlan internal allocation policy ascending
    !
    interface FastEthernet0
     no ip address
     shutdown
    !
    interface GigabitEthernet1/0/1
    !
    interface GigabitEthernet1/0/2
    !
    interface GigabitEthernet1/0/3
    !
    interface GigabitEthernet1/0/4
    !
    interface GigabitEthernet1/0/5
    !
    interface GigabitEthernet1/0/6
    !
    interface GigabitEthernet1/0/7
    !
    interface GigabitEthernet1/0/8
    !
    interface GigabitEthernet1/0/9
    !
    interface GigabitEthernet1/0/10
    !
    interface GigabitEthernet1/0/11
    !
    interface GigabitEthernet1/0/12
     switchport mode access
     authentication port-control auto
     dot1x pae authenticator
    !
    interface GigabitEthernet1/0/13
    !
    interface GigabitEthernet1/0/14
    !
    interface GigabitEthernet1/0/15
    !
    interface GigabitEthernet1/0/16
    !
    interface GigabitEthernet1/0/17
    !
    interface GigabitEthernet1/0/18
    !
    interface GigabitEthernet1/0/19
    !
    interface GigabitEthernet1/0/20
    !
    interface GigabitEthernet1/0/21
    !
    interface GigabitEthernet1/0/22
    !
    interface GigabitEthernet1/0/23
    !
    interface GigabitEthernet1/0/24
    !
    interface GigabitEthernet1/0/25
    !
    interface GigabitEthernet1/0/26
    !
    interface GigabitEthernet1/0/27
    !
    interface GigabitEthernet1/0/28
    !
    interface Vlan1
     ip address 10.1.2.12 255.255.255.0
    !
    ip http server
    ip http secure-server
    ip sla enable reaction-alerts
    logging trap debugging
    logging host 10.1.2.1 transport tcp port 514
    radius-server host 10.1.2.1 auth-port 1812 acct-port 1646 timeout 3 retransmit 3 key testing123
    line con 0
    line vty 0 4
     password password
    line vty 5 15
     password password
    !
    end


    Have you run Wireshark on the server, since the request comes from the switch? If so, did you make sure there is a response from the server? For Windows Network Policy Server (I've never tried CentOS), you must ensure the request matches a policy, which then authenticates or denies access. Usually it is a matter of attributes such as the vendor.

    Regarding the configuration, the AAA looks a bit off. Try removing the line:

    "aaa authentication dot1x group group radius" and using this instead:

    "aaa authentication dot1x default group radius". After the dot1x word you are supposed to provide an authentication list name, or the default word if you do not want to use a named list.
