WLC 4402 unable to authenticate correctly with ACS 5.2

For some reason, I can't get the WLC to authenticate correctly with ACS 5.2. It's very strange: when I check the log, ACS authenticates and authorizes the WLC 4402, but I can't log on to the WLC. The login screen appears, and if I type the username it jumps back to

Controller >

User:

Password:

No matter what I type (internal or external users), nothing seems to work.

Adding to my frustration, I have no problem with authentication on routers and switches, only on the WLC 4402.

Hello

Please remove the privilege level settings on the ACS:

Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles > Common Tasks

Default Privilege - Not in Use

Maximum Privilege - Not in Use

I hope this helps.

Kind regards

Anisha

P.S.: Please mark this thread as answered if you feel that your query is resolved. Rate helpful posts.

Tags: Cisco Security

Similar Questions

  • Unable to describe correctly with DG4MSQL

    I installed Oracle Gateway for Microsoft SQL Server version 11.2.0.2.0 (on AIX 6.1L 64-bit), as I understand it should be faster and provide more features than DG4ODBC. I am accessing Microsoft SQL Server 2008.
    However, when using the gateway, I cannot properly "describe" tables in MSSQL. What I get is:

    --------
    SQL> desc s4user@imosprod;
    ERROR:
    ORA-12663: Services required by client not available on the server
    ORA-02063: preceding line from IMOSPROD
    --------

    Apparently, as a result, I can't use the COUNT() SQL function either, because it returns binary data.
    -------
    SQL> select count(*) from s4user@imosprod;

    COUN
    ====
    B
    SQL> select dump(count(*)) from s4user@imosprod;

    DUMP(COUNT(*))
    =================
    Typ=2 Len=2: 193,67
    --------

    After doing a "select" on the MSSQL table, I can describe it, but then all columns are shown as type VARCHAR2.

    -------
    SQL> desc s4user@imosprod;
    Name                                      Null?    Type
    ----------------------------------------- -------- ----------------------------
    _sqlid                                    NOT NULL VARCHAR2(21)
    userNo                                             VARCHAR2(4)
    username                                           VARCHAR2(128)
    Citation                                           VARCHAR2(5)
    userPassword                                       VARCHAR2(100)
    userType                                           VARCHAR2(10)
    userFullName                                       VARCHAR2(100)
    userEmail                                          VARCHAR2(128)
    userFlags                                          VARCHAR2(4)
    userDomain                                         VARCHAR2(100)
    ldapUserName                                       VARCHAR2(128)
    ldapGuid                                           VARCHAR2(36)
    imosGuid                                           VARCHAR2(36)
    -------

    It seems to me like a data type translation problem. There is an error in the trace file, which occurs whenever I do a query or a describe on MSSQL tables:
    ----------
    DBMS Name: Microsoft SQL Server DBMS Version: 10.00.4000
    .....
    hgopoer, line 231: got native error 1007 and sqlstate 22003; message follows...
    [Oracle][ODBC SQL Server Driver][SQL Server]The number '042100421004210042110421104211042190421904219' is out of the range for numeric representation (maximum precision 38). {22003,NativeErr = 1007}[Oracle][ODBC SQL Server Driver][SQL Server]Incorrect syntax near '042100421004210042110421104211042190421904219'. {10103,NativeErr = 102}
    Exiting hgopoer, rc=0 at 2013/06/05-09:22:19
    hgoulcp, line 1957: calling SQLGetTypeInfo got sqlstate 22003
    Exiting hgoulcp, rc=28500 at 2013/06/05-09:22:19 with error ptr FILE:hgoulcp.c LINE:1957 ID:SQLGetTypeInfo: LONGVARCHAR
    Entered hgouldt at 2013/06/05-09:22:19
    NO instance DD translations have been uploaded
    Exiting hgouldt, rc=0 at 2013/06/05-09:22:19
    ------------

    However, later in the trace file, I can see a correct description of the columns:
    ----------
    hgodscr, line 457: printing hoada @ 1107a8e88
    MAX:13, ACTUAL:13, BRC:100, WHT=5 (SELECT_LIST)
    hoadaMOD bit-values found (0x200:TREAT_AS_CHAR)
    DTY         NULL-OK  LEN  MAXBUFLEN   PR/SC  CSE IND MOD NAME
     3 DECIMAL  N         21         21   19/  0   0   0   0 _sqlid
     4 INTEGER  Y          4          4    0/  0   0   0   0 userNo
    12 VARCHAR  Y        128        128    0/  0   0   0 200 userName
    12 VARCHAR  Y          5          5    0/  0   0   0 200 citation
    12 VARCHAR  Y        100        100    0/  0   0   0 200 userPassword
    12 VARCHAR  Y         10         10    0/  0   0   0 200 userType
    12 VARCHAR  Y        100        100    0/  0   0   0 200 userFullName
    12 VARCHAR  Y        128        128    0/  0   0   0 200 userEmail
     4 INTEGER  Y          4          4    0/  0   0   0   0 userFlags
    12 VARCHAR  Y        100        100    0/  0   0   0 200 userDomain
    12 VARCHAR  Y        128        128    0/  0   0   0 200 ldapUserName
     1 CHAR     Y         36         36    0/  0   0   0   0 ldapGuid
     1 CHAR     Y         36         36    0/  0   0   0   0 imosGuid
    Exiting hgodscr, rc=0 at 2013/06/05-09:22:19
    ----------

    Anyone got a clue on how to proceed with the troubleshooting?

    Works for me using the 11.2.0.3 and 11.2.0.2 gateway release:
    SQL> desc "s4user"@DG4MSQL_EMGTW_1122_DB
    Name                                      Null?    Type
    ----------------------------------------- -------- ----------------------------
    _sqlid                                    NOT NULL NUMBER(20)
    userNo                                             NUMBER(10)
    username                                           VARCHAR2(128)
    Citation                                           VARCHAR2(5)
    userPassword                                       VARCHAR2(100)
    userType                                           VARCHAR2(10)
    userFullName                                       VARCHAR2(100)
    userEmail                                          VARCHAR2(128)
    userFlags                                          NUMBER(10)
    userDomain                                         VARCHAR2(100)
    ldapUserName                                       VARCHAR2(128)
    ldapGuid                                           CHAR(36)
    imosGuid                                           CHAR(36)

    It would be wise to clean up the HS catalog first.

    Connect to your Oracle database as sysdba, then run these scripts located in $ORACLE_HOME/rdbms/admin:
    1. to delete the HS catalog, run catnohs
    2. run a commit
    3. now recreate the catalog using caths
    4. once again, perform a commit.

    Then exit all sessions, open a new SQL*Plus and test the database link using the gateway (the gateway will now detect that there is no gateway class in the HS catalog and upload the capabilities into the HS catalog again).

    If it still doesn't work, please post your gateway init file.
    -Klaus

  • Unable to authenticate user to ACS 5.1 with LDAP as external identity store

    Hi, I have an ACS server and Open-LDAP running on my corporate network.
    Now I'm setting up a new Linksys WAP54G and selecting WPA2-Enterprise with ACS as RADIUS server.
    First things first, I created a new internal user on ACS and tried to join the wireless network from my computer. I did it...

    Then I moved on to an external identity (LDAP server). I set up the identity sequence configuration and the LDAP identity, and also selected the access service. But when I tried to authenticate from my computer, an error occurred. I received:
    the following error: 22056 Subject not found in the applicable identity store(s)

    Ask me 'bout this thing: I set up a Cisco 1841 router as an AAA client, and surprise... it works!
    So is there a problem authenticating the Windows platform against ACS (pointing to LDAP)?
    Any suggestion?
    Thank you

    Hello

    It looks like you don't have MSCHAP authentication enabled on the LDAP server. You can use EAP-GTC instead, but you need to:

    1. enable EAP-GTC under allowed protocols on your ACS access policy

    2. install an EAP-GTC "supplicant" on the Windows box - if you have an Intel wireless network card, the Intel PROSet client supports EAP-GTC

    This could mean a fair bit of work depending on the number/type of wireless clients you have - it could be worth looking at enabling MSCHAP authentication on the LDAP server.

    HTH

    Andy

  • Problem with the guest account on WLC 4402

    I created a single guest account on a WLC 4402 version 4.2 and distribute it to every visitor who comes to our company. However, when we receive a lot of visitors, the WLC stops authenticating. Does anyone know if there is a limit when using a single guest account?

    Does it properly refuse authentication? Or does the login page stop appearing, or something?

    There was a bug with webauth dying under heavy load, regardless of the number of accounts used or whether it was the same one.

    A good way for you to check, when the problem occurs, would be to create a second backup guest user and see if that starts working. If not, the account is not the problem.

    I'm not aware of any maximum on use of the same account.

    Which 4.2 exactly are you running?

  • HOWTO: set up WPA2 + AES + PSK with MAC filter (RADIUS) on WLC 4402

    Hello

    I'm trying to set up WPA2 + AES + PSK with MAC filter (RADIUS) on a WLC 4402 (6.0.182), with LAP-1142:

    Security: set L2 security to WPA+WPA2 and check MAC filtering
    Uncheck WPA
    Check WPA2, AES; uncheck TKIP
    Auth Key Mgmt: PSK
    PSK: ASCII
    L3: none
    Uncheck web policy
    AAA servers: select the RADIUS server, enable accounting server

    It works fine when I use WEP with MAC filter (RADIUS),

    but when I select WPA2 it fails, and there is no log on either the WLC or the RADIUS server.

    Is this a limitation or a bug...

    Thanks in advance for your help

    This sounds like it should work. Maybe your client doesn't like WPA2/AES, or the PSK doesn't match. I would try to associate with this same configuration but without MAC filtering enabled, to try to isolate the problem.

    -John

  • Cisco AIR-LAP1041N-E-K9 does not work with WLC 4402 version 7.0.116.0

    Hi all

    I'd appreciate your support with a problem I started dealing with today. I have a Cisco WLC 4402 running version 7.0.116.0 and it works great with 25 Cisco 1252 access points. We received 20 new Cisco 1041N APs today and I installed one in our site, but it does not work. It booted fine, loaded the flash image, obtained the WLC IP address through the DHCP option, and then began to show the error below:

    *Mar 1 00:00:10.021: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
    *Mar 1 00:00:10.033: *CRASH_LOG=YES
    *Mar 1 00:00:10.333: Port 1 is not present
    Base Ethernet MAC address: C8:9C:1D:53:57:5E
    *Mar 1 00:00:11.373: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
    *Mar 1 00:00:11.465: %LWAPP-3-CLIENTEVENTLOG: Read and initialized AP event log (contains, 1088 messages)
    *Mar 1 00:00:11.494: Status of voice_diag_test from WLC is false
    *Mar 1 00:00:12.526: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to
    *Mar 1 00:00:13.594: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to
    *Mar 1 00:00:13.647: %SYS-5-RESTART: System restarted.
    Cisco IOS Software, C1040 Software (C1140-K9W8-M), Version 12.4(23c)JA2, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Thu 13-Apr-11 12:50 by prod_rel_team
    *Mar 1 00:00:13.647: %SNMP-5-COLDSTART: SNMP agent on host APc89c.1d53.575e is undergoing a cold start
    *Mar 1 00:08:59.062: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Mar 1 00:08:59.062: bsnInitRcbSlot: slot 1 has NO radio
    *Mar 1 00:08:59.138: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Mar 1 00:08:59.837: %SSH-5-ENABLED: SSH 2.0 has been enabled
    *Mar 1 00:09:00.145: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Mar 1 00:09:09.136: %ADDRESS_ASSIGN-6-DHCP: Interface GigabitEthernet0 assigned DHCP address 172.16.26.81, mask 255.255.255.0, hostname APc89c.1d53.575e
    *Mar 1 00:09:17.912: %PARSER-4-BADCFG: Unexpected end of configuration file.
    *Mar 1 00:09:17.912: Status of voice_diag_test from WLC is false
    *Mar 1 00:09:17.984: Logging LWAPP message to 255.255.255.255.
    *Mar 1 00:09:19.865: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
    *Mar 1 00:09:19.886: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to
    *Mar 1 00:09:20.873: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to
    *Mar 1 00:09:20.874: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated
    Translating "CISCO-CAPWAP-CONTROLLER.atheertele.com"...domain server (172.16.40.240)
    *Mar 1 00:09:29.029: %CAPWAP-5-DHCP_OPTION_43: Controller address 172.16.100.102 obtained through DHCP
    *May 25 08:27:02.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:02.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:03.175: %CAPWAP-5-DTLSREQSUCC: DTLS connection created successfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:03.177: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:03.177: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:03.329: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:03.333: %DTLS-5-ALERT: Received WARNING : close notify alert from 172.16.100.101
    *May 25 08:27:03.333: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:03.333: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:03.378: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:03.378: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:03.378: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:03.448: Status of voice_diag_test from WLC is false
    *May 25 08:27:14.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:14.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:15.185: %CAPWAP-5-DTLSREQSUCC: DTLS connection created successfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:15.186: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:15.186: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:15.330: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:15.333: %DTLS-5-ALERT: Received WARNING : close notify alert from 172.16.100.101
    *May 25 08:27:15.334: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:15.334: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:15.379: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:15.379: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:15.379: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:15.450: Status of voice_diag_test from WLC is false
    *May 25 08:27:26.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:26.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:27.182: %CAPWAP-5-DTLSREQSUCC: DTLS connection created successfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:27.183: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:27.184: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:27.329: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:27.333: %DTLS-5-ALERT: Received WARNING : close notify alert from 172.16.100.101
    *May 25 08:27:27.333: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:27.333: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:27.377: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:27.377: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:27.377: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:27.433: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *May 25 08:27:27.446: %PARSER-4-BADCFG: Unexpected end of configuration file.
    *May 25 08:27:27.447: Status of voice_diag_test from WLC is false
    *May 25 08:27:27.448: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to
    *May 25 08:27:27.456: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset


    I searched for a difference in regulatory domains between AIR-LAP1041N-E-K9 and AIR-LAP1041N-A-K9 and found no difference that could affect the operation of this access point.
    To quote our WLC configuration, the regulatory domains are:
    Country codes set: AR

    Regulatory domain 802.11a: -A
    802.11bg: -A
    My question is: should I just add my country (IQ) on the WLC to add the regulatory domain (-E) to solve this problem? Or will changing the country affect the operation of all working APs?
    Appreciate your kind support,
    Patrick Q.

    Try adding a European country to your regulatory domain.
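A small triage helper for an AP console log like the one quoted in this post, added here as an example (not Cisco code): it follows the CAPWAP state messages and reports every attempt in which the AP brought up DTLS, reached CFG, and was then cut off by the controller's close-notify, which is the join loop the log shows. SAMPLE_LOG is a constructed excerpt in the same message format as the post's log; the verdict wording and the loop threshold are assumptions.

```python
import re

# One syslog-style AP line: "*May 25 08:27:03.333: %DTLS-5-ALERT: text"
LOG_LINE = re.compile(
    r"^\*(?P<ts>\w{3}\s+\d+\s+[\d:.]+): %(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*)$"
)
STATE_CHANGE = re.compile(r"changed state to (\w+)")

# Constructed sample in the post's format: two join attempts, both rejected after CFG.
SAMPLE_LOG = """\
*May 25 08:27:02.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
*May 25 08:27:03.175: %CAPWAP-5-DTLSREQSUCC: DTLS connection created successfully peer_ip: 172.16.100.101 peer_port: 5246
*May 25 08:27:03.177: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
*May 25 08:27:03.177: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*May 25 08:27:03.329: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*May 25 08:27:03.333: %DTLS-5-ALERT: Received WARNING : close notify alert from 172.16.100.101
*May 25 08:27:03.333: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
*May 25 08:27:03.378: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*May 25 08:27:14.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
*May 25 08:27:15.185: %CAPWAP-5-DTLSREQSUCC: DTLS connection created successfully peer_ip: 172.16.100.101 peer_port: 5246
*May 25 08:27:15.186: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
*May 25 08:27:15.186: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*May 25 08:27:15.330: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*May 25 08:27:15.333: %DTLS-5-ALERT: Received WARNING : close notify alert from 172.16.100.101
*May 25 08:27:15.379: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
"""


def parse_join_attempts(log_text):
    """Return one dict per DTLS session: peer, CAPWAP states reached, and whether
    the controller (not the AP) ended it with a close-notify alert."""
    attempts, current = [], None
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # boot banner, blank lines, non-syslog text
        mnemonic, text = m.group("mnemonic"), m.group("text")
        if mnemonic == "CAPWAP-5-DTLSREQSUCC":
            peer = re.search(r"peer_ip: (\S+)", text)
            current = {"peer": peer.group(1) if peer else "?", "started": m.group("ts"),
                       "states": [], "closed_by_peer": False}
            attempts.append(current)
        elif current is None:
            continue  # nothing in flight (still in DISCOVERY)
        elif mnemonic == "CAPWAP-5-CHANGED":
            s = STATE_CHANGE.search(text)
            if s and s.group(1) == "DISCOVERY":
                current = None  # session over, AP is back to discovery
            elif s:
                current["states"].append(s.group(1))
        elif mnemonic == "DTLS-5-ALERT" and "close notify" in text:
            current["closed_by_peer"] = True
    return attempts


def diagnose(attempts, loop_threshold=2):
    """Return (verdict, number of attempts the controller dropped right after CFG)."""
    rejected = [a for a in attempts
                if a["closed_by_peer"] and a["states"] and a["states"][-1] == "CFG"]
    if len(rejected) >= loop_threshold and len(rejected) == len(attempts):
        return ("controller closes DTLS right after CFG on every attempt: the AP is "
                "rejected during configuration (the reply above points at the "
                "regulatory domain / country code)", len(rejected))
    if attempts and all(not a["states"] for a in attempts):
        return "DTLS sessions come up but no join state is reached", 0
    return "no consistent join-loop pattern", len(rejected)


if __name__ == "__main__":
    found = parse_join_attempts(SAMPLE_LOG)
    for a in found:
        print(a["started"], a["peer"], "->".join(a["states"]), "closed by peer" if a["closed_by_peer"] else "")
    print(diagnose(found))
```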

  • Problem with AP1522 and WLC 4402

    Hello

    I have a problem installing a 1522 AP on the WLC 4402: it is not recognized. What can it be? I checked all connections and all is well.

    Thanks for your help

    For a MESH AP, you need to add the MAC address to the MAC filter on the Security tab. For a RAP you can use the Ethernet MAC; for a MAP you must use the MAC of the 5 GHz radio.

  • About WLC 4402 LDAP client authentication

    Hello

    I'm installing a WLC 4402; the client wants to authenticate users with LDAP and expects to use the current users in AD. However,

    I just read some documents as reference: "Local EAP Authentication on the Wireless LAN Controller with EAP-FAST and LDAP Server
    Configuration Example" and "Web Authentication Using LDAP on Wireless LAN Controllers (WLCs) Configuration Example".

    Both of them require defining a new OU, defining a new user and selecting the anonymous bind feature.

    My question is: should I add all current AD users to the new OU in order for them to be authenticated as wireless clients?

    I hope someone can clear my doubt.

    Kind regards

    Note that LDAP with AD requires non-MSCHAPv2 EAP methods, i.e. you can't do PEAP-MSCHAPv2 with AD as LDAP backend. EAP-FAST (GTC) works, but not EAP-FAST (MSCHAPv2). It is a limitation due to the way AD works in LDAP mode.

    The anonymous bind is not required at all; it just happens to be like this in the example. Usually, anonymous bind is not allowed by default on current versions of Windows Server.

    You are not forced to push all the users into one OU. Simply give the WLC a search base DN from which the WLC can reach all clients in AD. If your users' OUs are at the root of your domain, you will need to give "DC=domain,DC=com" as base DN, and that means each search will hit your entire AD, which isn't super efficient. That's all.

    Nicolas

  • WLC 4402 is rejecting requests from a converted LWAPP 1131AG AP

    The WLC does not show the AP.

    The WLC 4402 is configured using LWAPP L3 mode. The management interface is in VLAN 20 and the ap-manager interface is in VLAN 100. The AP is in VLAN 50. The AP is getting a DHCP IP; options 43 and 60 have been configured.

    Debugging shows:

    debug lwapp events enable on the WLC

    (Cisco Controller) >Fri Jul 25 20:51:57 2008: Received LWAPP DISCOVERY REQUEST from AP 00:19:55:5f:cb:52 to c 00:1f:9e:9 b: 8:03 on port '1'

    Fri Jul 25 20:51:57 2008: Discarding L3 Mode LWAPP DISCOVERY REQUEST on intf '1', vlan='100', management vlan='20'.

    Debugging on the access point:

    debug lwapp client events

    1 00:58:16.716: LWAPP_CLIENT_EVENT: spamHandleDiscoveryTimer: could not find any MWAR

    1 00:58:16.716: LWAPP_CLIENT_EVENT: spamResolveStaticGateway - gateway found

    debug ip udp

    1 00:58:16.716: UDP: sent src=172.16.50.151(64693), dst=172.16.100.100(12223), length=69

    Can someone please guide me on where I'm going wrong?

    Try putting the AP Manager interface in the same VLAN as the management interface. Also check the date and time on the controller to ensure that the certificates validate correctly on the APs.

  • Integration of ASA with ACS

    Hi all

    I'm trying to integrate some ASAs (8.6) with ACS (5.7); here is the configuration of the ASA.

    sh run | in aaa
    aaa-server RADIUS protocol radius
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (management) host 10.243.14.24
    aaa authentication http console TACACS+ LOCAL
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ LOCAL
    aaa accounting ssh console TACACS+
    aaa accounting command privilege 15 TACACS+
    aaa accounting telnet console TACACS+
    aaa authorization exec authentication-server
    aaa authorization command TACACS+ LOCAL

    The problem is that I can log in to the ASA, but I can't type all commands in the CLI; I get the error message "command authorization failed".

    I have the same command sets and shell profiles created for switches and it works perfectly.

    This is the behaviour in the ACS logs:

    1. Once I am authenticated, I can see the logs in ACS with my username.
    2. But when I type any command, my authorization is denied and I see in the ACS authorization logs that the username is "enable_15".

    Can someone help me identify what the problem is?

    Thank you
    Reverchon

    This happens when we have command authorization enabled on the ASA and try to run any level 15 command on the ASA. To correct this you must enable authentication of the enable password against ACS/TACACS+.

    aaa authentication enable console TACACS+ LOCAL

    After adding the above command, the ASA will start checking the enable password against ACS/TACACS+, and you use the TACACS+ enable password that we can set per user.

    ~ Jousset

  • Windows XP Home Edition on WLC 4402

    Hello

    I have a WLC 4402 Wireless LAN Controller with several 1231 APs on LWAPP. The WLAN security setting is WPA+WPA2 with a PSK shared key. All computers in the domain are fine; wireless connections are stable. I have a group of students using netbooks under Windows XP Home SP3 who get connect-and-drop situations. On XP the event log has continuous events 4201 and 4202, and in the WLC log I also continuously see entries of the form

    *Apr 19 10:35:44.046: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:407 Max EAPOL-Key M1 retransmissions exceeded for client 00:26:5e:eb:fd:0a

    I understand that XP Home has no domain certificate environment, so I didn't install any AAA server service. How can this problem be solved? I keep trying combinations of security settings, but no luck. Help, please. Thank you.

    Attached is the WLC configuration file without encryption.

    Bill,

    Is it by chance an ASUS EeePC 1005HA netbook?

    If so, check the drivers.

  • How to add additional capacity to a WLC-4402-12-K9-V02

    Hello

    The end user has a WLC-4402-12-K9-V02 with 8 APs currently working; in a short time they will need to add more APs, which will be more than 12.

    How can we increase capacity to support 25 APs?

    Regards

    Hello

    The WLC you currently have supports a maximum of 12 APs; if you want to support more, you need to buy a WLC that supports more APs...

    http://www.Cisco.com/en/us/prod/collateral/wireless/ps6302/ps8322/ps6307/product_data_sheet0900aecd802570b0_ps6366_Products_Data_Sheet.html

    Let me know if this answers your question!

    Regards

    Surendra

  • My HP Presario says 'BOOTMGR is missing' and only loads Windows 7; can I fix it with the recovery disk?

    Hello

    This is the Vista forums.

    Try reposting in the Windows 7 forum at the link below

    http://answers.Microsoft.com/en-us/Windows/default.aspx#tab=2

  • AAA authorization with ACS shell command sets

    Hi all

    I'm using a Cisco 871 router running version 12.4(11)T Advanced IP Services.

    I'm having difficulty getting AAA authorization to work properly with ACS.

    I am able to configure users on ACS fine and assign them shell and privilege level 7.

    I then set up a Shell Command Authorization Set and enter the commands, including configure.

    When I log in as a user, I get an exec with priv level 7 no problem, but I never seem to be able

    to access global configuration mode by typing conf (or configure) terminal or t.

    If I type con? the only command is connect; configure is never an option...

    The only way I can get this to work is by entering the command:

    privilege exec level 7 configure terminal

    I thought the whole purpose of the ACS Shell Set was to provide this information to the router?

    It's frustrating.

    The ACS server is set up with the Shell Command Authorization Set named Level_7.

    It is assigned to the relevant groups and I have the 'Unmatched Commands' option set to 'Permit'.

    'Permit Unmatched Args' is also selected.

    See an extract of my IOS config below:

    aaa new-model
    !
    !
    aaa group server tacacs+ ACS
     server 10.90.0.11
    !
    aaa authentication login default group ACS local
    aaa authorization exec default group ACS
    aaa authorization commands 7 default group ACS local
    !
    tacacs-server host 10.90.0.11 key cisco
    !
    !
    privilege exec level 7 configure terminal
    privilege exec level 7 configure
    privilege exec level 7 show running-config
    privilege exec level 7 show
    !

    Hope you can help me with this one...

    PS I tried with the privilege commands on the router and with them removed from the router, and I just keep getting the same results!

    Hello

    So now,

    you're actually using two different options and trying to couple them together. What I would say is: either use the shell command authorization function or play with privilege levels. Do not mix both together.

    The above scenario might work if you move the commands to level 6 and give the user privilege level 7. I can't be sure. Try it and share the results.

    What I suggest is to bring the commands back to the normal level.

    Provided below are the steps to set up shell command authorization:

    -------------------------------------------

    Follow these steps on the router:

    -------------------------------------------

    ! --- <username> is the desired username
    ! --- <password> is the password
    ! --- Create a local username and password
    ! --- in case we are not able to get authenticated via
    ! --- our TACACS+ server, to provide a backdoor.
    username <username> privilege 15 password <password>
    ! --- To apply the aaa model on the router
    aaa new-model
    ! --- The following command specifies our ACS
    ! --- server location, where <acs-ip> is the
    ! --- IP address of the ACS server and
    ! --- <key> is the key, which must be the same on the ACS and the router.
    tacacs-server host <acs-ip> key <key>
    ! --- To get users authenticated through ACS when they try to log in.
    ! --- If our router is unable to reach the ACS, we will use
    ! --- the local username & password that we created above. This
    ! --- prevents us from being locked out.
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    ! --- The following commands are for accounting of the user's activity
    ! --- when the user connects to the device.
    aaa accounting exec default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+

    --------------------

    ACS configuration

    --------------------

    [1] Go to 'Shared Profile Components' -> 'Shell Command Authorization Sets' -> 'Add'.

    Provide any name.

    Provide a description (if necessary).

    (a) For a full administrative access set:

    In Unmatched Commands, select 'Permit'.

    (b) For limited access:

    In Unmatched Commands, select 'Deny'.

    And in the field above the 'Add Command' button type the command, in the box below it type the arguments to permit, and check 'Permit Unmatched Args'.

    For example: if we want the user to only have access to the following commands:

    login

    logout

    exit

    enable

    disable

    show

    Then, the configuration should be:

    -----------------------------------------------
    Permit Unmatched Args
    -----------------------------------------------
    permit login
    permit logout
    permit exit
    permit enable
    permit disable
    permit configure terminal
    permit interface ethernet 0
    permit show running-config
    ------------------------------------------------

    In the example above, the user will be allowed to run only these commands. If the user tries to run 'interface ethernet 1', the user will get "Command authorization failed".

    [2] Press 'Submit'.

    [3] Go to the Group on which we want to apply this command authorization set. Select 'Edit Settings'.

    (more...)
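To make the decision rule in the reply above concrete, here is a simplified model of TACACS+ shell command authorization, added as an example (not ACS or IOS code): IOS asks the server about each command (aaa authorization commands ... group tacacs+ local) and the server answers from a shell command authorization set. The model is an assumption that simplifies real ACS matching: a typed line is permitted only if its first word is a listed command and its arguments match one of that command's permit lines, an unlisted command is decided by the set's Unmatched Commands setting, and the command set contents are the ones from the reply's limited-access example.

```python
import re


class ShellCommandSet:
    """One ACS-style shell command authorization set (assumed, simplified semantics)."""

    def __init__(self, entries, unmatched_commands="deny"):
        # entries: (command, argument pattern) pairs as typed in the 'Add Command'
        # box; "" means the command takes no arguments. Patterns are regexes that
        # must match the whole argument string.
        self.rules = {}
        for command, args in entries:
            self.rules.setdefault(command, []).append(args)
        self.unmatched_commands = unmatched_commands  # "permit" or "deny"

    def authorize(self, typed):
        """Return (permitted, reason) for one command line as the user typed it."""
        words = typed.split()
        if not words:
            return False, "empty command"
        command, args = words[0], " ".join(words[1:])
        patterns = self.rules.get(command)
        if patterns is None:
            permitted = self.unmatched_commands == "permit"
            return permitted, f"'{command}' not in set; unmatched commands: {self.unmatched_commands}"
        for pattern in patterns:
            if re.fullmatch(pattern, args):
                return True, f"matched permit line for '{command}'"
        return False, f"arguments '{args}' not permitted for '{command}'"


# The limited-access set from the reply: Unmatched Commands = Deny, with the
# listed permit lines (including the 'interface ethernet 0' example).
LIMITED_ACCESS = ShellCommandSet([
    ("login", ""), ("logout", ""), ("exit", ""), ("enable", ""), ("disable", ""),
    ("configure", "terminal"), ("interface", "ethernet 0"), ("show", "running-config"),
], unmatched_commands="deny")

# The full administrative access set: no per-command lines, Unmatched Commands = Permit.
FULL_ADMIN = ShellCommandSet([], unmatched_commands="permit")


def run_session(command_set, typed_lines):
    """Authorize each line in turn, as IOS would per command, and return what the
    user would see: (line, outcome, reason)."""
    results = []
    for line in typed_lines:
        permitted, reason = command_set.authorize(line)
        outcome = "ok" if permitted else "Command authorization failed"
        results.append((line, outcome, reason))
    return results


if __name__ == "__main__":
    for entry in run_session(LIMITED_ACCESS, ["enable", "configure terminal",
                                              "interface ethernet 0", "interface ethernet 1",
                                              "show running-config", "reload"]):
        print(entry)
```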

  • WLC 4402

    I have a WLC 4402 and, reading about it, it says it can handle 12, 25 or 50 APs. How do I know how many my unit will actually control?

    On the Monitor page in the web UI, at the top right above the picture of the controller, you will see the number of supported access points (at least in 4.2.207.0 anyway). Or you can do a 'show sysinfo' from the CLI.

    -John
