Regarding the 'config advanced eap request-timeout 6' parameter: most documentation and recommendations require this parameter to be 20 sec instead of the 6 sec that seems to be enough to answer just this question below. I usually take it to 20 sec like the Cisco documentation says. But I suppose that I wouldn't get it wrong in this case, and also 20 sec is less likely to fail than just 6 sec.

The issue behind this solution is often the phone, which has a slower CPU and might respond too late when doing PAC phases with the ACS and WLC.

Regarding webauth with Radius: I knew about the network user checkbox, that it globally enables that Radius server. But if you select one particular server at the WLAN configuration (AAA servers), it should first check that one (under WLAN/AAA servers) before going to the global list of "network checked" Radius servers. Can anyone confirm that this is true? Else, to be sure, security-wise it is probably best to uncheck the network user box on the Radius server and select it specifically in the WLAN config.

A while ago I asked TAC about this scenario; they responded that this was possible to do (uncheck the network user) but it was sort of not supported. I wonder if that has changed; this was when code 5.x was available, if I remember correctly.

Regards,
Kristjan

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: 26 April 2011 09:17
To: [email protected]
Subject: CCIE_Wireless Digest, Vol 25, Issue 15

Today's Topics:

1. Workbook1: Lab 4.5, 4.6, 4.7 (Leigh Jewell)
2. Re: Workbook1: Lab 4.5, 4.6, 4.7 (Gabriel)
3. Re: Workbook1: Lab 4.5, 4.6, 4.7 (Leigh Jewell)
4. Workbook1: Lab 4.6 WLAN Security (Leigh Jewell)
5. Re: Workbook1: Lab 4.6 WLAN Security (Victor Platov (viplatov))
6. Workbook1: Lab 4.10 Multicast - IGMP Query interval (Leigh Jewell)

----------------------------------------------------------------------

Message: 1
Date: Tue, 26 Apr 2011 10:14:28 +1000
From: Leigh Jewell <[email protected]>
To: [email protected]
Subject: [OSL | CCIE_Wireless] Workbook1: Lab 4.5, 4.6, 4.7

This lab is all about configuring a number of SSIDs on the group of controllers. Looking at WLC1 you are asked to create three SSIDs:

IPX1: web-auth (must not use Radius)
IPX2: WEP key
IPX4: WPA with EAP-TLS on an ACS server

The problem is the requirement not to use Radius for the web-auth SSID (IPX1). My understanding is that with web-auth the local database is checked first and then it will check any Radius servers configured. The solution guide for this lab works around this by unchecking the 'Network' box against the defined Radius server and just leaving Management selected.

The problem I can see with that is that Radius authentication is still needed for IPX4, and unchecking this box effectively stops this SSID from working.

Comments and thoughts welcome.

Cheers,
Leigh

--
CCIE Blog - http://leigh-cciewireless.blogspot.com/

------------------------------

Message: 2
Date: Mon, 25 Apr 2011 22:02:30 -0400
From: Gabriel <[email protected]>
To: Leigh Jewell <[email protected]>
Cc: [email protected]
Subject: Re: [OSL | CCIE_Wireless] Workbook1: Lab 4.5, 4.6, 4.7

Configure the per-WLAN Radius servers in the config options for the IPX4 SSID. It'll use specifically selected Radius servers even if the Network box is not checked.

On Mon, Apr 25, 2011 at 8:14 PM, Leigh Jewell <[email protected]> wrote:
> This lab is all about configuring a number of SSIDs on the group of
> controllers. Looking at WLC1 you are asked to create three SSIDs:
>
> IPX1: web-auth (must not use Radius)
> IPX2: WEP key
> IPX4: WPA with EAP-TLS on an ACS server
>
> The problem is the requirement not to use Radius for the web-auth SSID
> (IPX1). My understanding is that with web-auth the local database is checked
> first and then it will check any Radius servers configured. The solution
> guide for this lab works around this by unchecking the 'Network' box
> against the defined Radius server and just leaving Management selected.
>
> The problem I can see with that is that Radius authentication is still needed for
> IPX4, and unchecking this box effectively stops this SSID from working.
>
> Comments and thoughts welcome.
>
> Cheers,
> Leigh
>
> --
> CCIE Blog - http://leigh-cciewireless.blogspot.com/
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com

------------------------------

Message: 3
Date: Tue, 26 Apr 2011 12:57:50 +1000
From: Leigh Jewell <[email protected]>
To: Gabriel <[email protected]>
Cc: [email protected]
Subject: Re: [OSL | CCIE_Wireless] Workbook1: Lab 4.5, 4.6, 4.7

Now that does make sense. Did you find this in the configuration guide or by trial and error? Thanks for the quick response.

Regards,
Leigh

On 26 April 2011 12:02, Gabriel <[email protected]> wrote:
> Configure the per-WLAN Radius servers in the config options for the IPX4
> SSID. It'll use specifically selected Radius servers even if the Network box
> is not checked.

--
CCIE Blog - http://leigh-cciewireless.blogspot.com/

------------------------------

Message: 4
Date: Tue, 26 Apr 2011 14:21:49 +1000
From: Leigh Jewell <[email protected]>
To: [email protected]
Subject: [OSL | CCIE_Wireless] Workbook1: Lab 4.6 WLAN Security

The question states: "The ACS Server is slow in responding, with replies up to 5 seconds after a request"

The answer talks about extending the EAP request timeout: 'config advanced eap request-timeout 6'

I am not sure about the answer. Is this request timeout between the WLC and the client, or the WLC and the Radius server? Also, wouldn't the default Radius timeout of 2 secs kick in and time out the Radius request?

Cheers,
Leigh

--
CCIE Blog - http://leigh-cciewireless.blogspot.com/

------------------------------

Message: 5
Date: Tue, 26 Apr 2011 08:23:12 +0200
From: "Victor Platov (viplatov)" <[email protected]>
To: "Leigh Jewell" <[email protected]>, <[email protected]>
Subject: Re: [OSL | CCIE_Wireless] Workbook1: Lab 4.6 WLAN Security

As far as I understand, the timer between the WLC and a client is called "eap request identity timeout". So the answer seems to be correct.

------------------------------

Message: 6
Date: Tue, 26 Apr 2011 19:16:49 +1000
From: Leigh Jewell <[email protected]>
To: [email protected]
Subject: [OSL | CCIE_Wireless] Workbook1: Lab 4.10 Multicast - IGMP Query interval

The question asks: "IGMP queries should be sent at 40 second intervals"

The answer sets the IGMP timeout to 40 seconds. Checking the command reference <http://www.cisco.com/en/US/partner/docs/wireless/controller/4.2/command/reference/cli42c1.html#wp4915845>:

"The controller sends three queries in one timeout value at an interval of timeout/3 to see if any clients exist for a particular multicast group"

So to get the queries sent out at 40 secs you would need to set the timeout on the WLC to 3 x 40 = 120 secs.

Thoughts?

Cheers,
Leigh.

--
CCIE Blog - http://leigh-cciewireless.blogspot.com/

------------------------------

_______________________________________________
CCIE_Wireless mailing list
[email protected]
http://onlinestudylist.com/cgi-bin/mailman/listinfo/ccie_wireless

End of CCIE_Wireless Digest, Vol 25, Issue 15
*********************************************
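To make Gabriel's answer and Kristjan's precedence question concrete, here is an added Python model of the RADIUS server-selection rule for a WLAN (not Cisco code and not from the thread); the server address, server index and WLAN IDs are assumed sample values.

```python
"""Constructed model of how a Cisco WLC chooses RADIUS servers for a WLAN.

Added illustration, not Cisco code. Assumed rule (Gabriel's reply): servers
selected on the WLAN's own AAA Servers tab are used first; only when none are
selected does the controller fall back to every global server whose
"Network User" box is checked. Addresses and IDs below are sample values.
"""
from dataclasses import dataclass, field

@dataclass
class RadiusServer:
    index: int            # position in the global Security > RADIUS list
    address: str
    network_user: bool    # the "Network User" checkbox on that entry

@dataclass
class Wlan:
    wlan_id: int
    ssid: str
    security: str         # "web-auth", "wep" or "wpa-eap"
    radius_servers: list = field(default_factory=list)  # per-WLAN server indexes

def auth_servers_for(wlan, global_list):
    """Ordered RADIUS servers the controller would query for this WLAN's clients."""
    if wlan.radius_servers:                       # explicit per-WLAN selection wins,
        by_index = {s.index: s for s in global_list}   # even if Network User is unchecked
        return [by_index[i] for i in wlan.radius_servers]
    return [s for s in global_list if s.network_user]  # otherwise the global list

def auth_sources(wlan, global_list):
    """Where client credentials get checked, in the order the WLC tries them."""
    radius = [f"radius:{s.address}" for s in auth_servers_for(wlan, global_list)]
    if wlan.security == "web-auth":               # local net-user database first
        return ["local"] + radius
    if wlan.security == "wpa-eap":                # 802.1X: EAP is proxied to RADIUS only
        return radius
    return []                                     # static WEP: no AAA lookup at all

# The lab: one ACS server with "Network User" unchecked, as the solution guide does.
ACS = RadiusServer(index=1, address="192.0.2.10", network_user=False)
IPX1 = Wlan(1, "IPX1", "web-auth")                     # must not use RADIUS
IPX2 = Wlan(2, "IPX2", "wep")
IPX4 = Wlan(4, "IPX4", "wpa-eap", radius_servers=[1])  # ACS selected on the WLAN
IPX4_NO_OVERRIDE = Wlan(4, "IPX4", "wpa-eap")          # Leigh's concern: nothing selected

if __name__ == "__main__":
    for w in (IPX1, IPX2, IPX4, IPX4_NO_OVERRIDE):
        print(w.ssid, auth_sources(w, [ACS]))
```

With the box unchecked, IPX1 stays on the local database while IPX4 still reaches the ACS through its per-WLAN selection; without that selection IPX4 would have no server at all, which is the failure Leigh anticipated.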
