OK thanks Jason for clearing that one.

I remembered this slightly incorrectly. My TAC question back in 2009 was about
a co-existing local user database in the WLC and then RADIUS authentication
for others. It was a case for 7921s using the local database and PC data PEAP
access for an external RADIUS. And this is what TAC gave me at the time: the reason is
that we wanted the 7921s to use EAP-FAST and the external RADIUS was "just"
Microsoft IAS.


"It is actually not a supported configuration.

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml

Note: If any RADIUS servers are configured on the controller, the controller
tries to authenticate the wireless clients using the RADIUS servers first.
Local EAP is attempted only if no RADIUS servers are found, either because the
RADIUS servers timed out or no RADIUS servers were configured. If four RADIUS
servers are configured, the controller attempts to authenticate the client with
the first RADIUS server, then the second RADIUS server, and then local EAP. If
the client attempts to then reauthenticate manually, the controller tries the
third RADIUS server, then the fourth RADIUS server, and then local EAP."

So this is a slightly different scenario, as I want local and remote to work at
the same time. If any RADIUS server has "network user" selected, the local database won't
work. But in this case I didn't select "network user" on any of the RADIUS servers and
that works for this scenario. Sorry about that, it was not the same issue, but
I give it to you for the record as this is interesting to know.

However, today I am told by Cisco people that PEAP-MSCHAPv2 and fast secure
roaming work for the 7921s. And that was a surprise, as
I have learned that ACS is (was) the only solution that made
fast secure roaming work. Actually I have configured a couple of cases with
7921s and PEAP and it seems to go smoothly...

regards. Kristjan

From: Jason Boyers [mailto:[email protected]]
Sent: 26. apríl 2011 14:32
To: Kristján Ólafur Eðvarðsson
Cc: [email protected]
Subject: Re: [OSL | CCIE_Wireless] CCIE_Wireless Digest, Vol 25, Issue 15

A few things to respond to :)

The "eap request-timeout" is for the response from the RADIUS server, whereas 
"eap identity-request-timeout" is for the response from the supplicant.  And, 
while the RADIUS server itself may respond quickly, that doesn't mean that the 
EAP response will be as quick.  For instance, when the RADIUS server is 
provisioning a PAC for an EAP-FAST client, that takes some time to do.  So, the 
"eap request-timeout" needs to be increased from the default 1 second.  I agree 
with you that it should normally be set to 20 seconds as best practice.

As for the RADIUS Authentication, it will indeed use the server(s) selected 
under the WLAN and then go to any other RADIUS authentication servers that have 
"network user" checked.  It seems strange that TAC would not support this, 
given that it is the way the product was designed to work.


Jason Boyers - CCIE #26024 (Wireless)
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
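To make the server-selection order discussed in this thread concrete, here is a small model of it in Python. It is an added example, not code from the list, from Cisco or from IPexpert, and it assumes a fixed representation: servers selected under the WLAN's AAA Servers tab are consulted first, then every global server with "Network User" checked, and the controller's local database/local EAP (represented by the constructed label "local") is placed last for 802.1X WLANs, as in the TAC note quoted above, and first for web-auth WLANs, as Leigh describes it in the digest below. The server name "ACS1" and the WLAN names are constructed for the lab scenario.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class RadiusServer:
    """One RADIUS authentication server defined globally on the WLC."""
    name: str
    network_user: bool  # state of the global "Network User" checkbox


@dataclass
class Wlan:
    """One WLAN/SSID. selected_servers are the servers picked under the
    WLAN's Security > AAA Servers tab (empty means nothing selected)."""
    ssid: str
    auth_type: str  # "dot1x" (WPA/EAP) or "web-auth" (constructed labels)
    selected_servers: List[RadiusServer] = field(default_factory=list)


LOCAL = "local"  # constructed label for the controller's local database / local EAP


def authentication_order(wlan: Wlan, global_servers: List[RadiusServer]) -> List[str]:
    """Ordered list of the sources the controller consults for this WLAN.

    Per-WLAN selected servers come first, then global servers with "Network
    User" checked (a server is not listed twice). For 802.1X the local
    fallback is last (TAC note: local EAP only once the RADIUS list is
    exhausted); for web-auth the local database is checked first, as Leigh
    describes. Placing LOCAL is an assumption of this model, not WLC output.
    """
    radius = [s.name for s in wlan.selected_servers]
    for s in global_servers:
        if s.network_user and s.name not in radius:
            radius.append(s.name)
    if wlan.auth_type == "web-auth":
        return [LOCAL] + radius
    return radius + [LOCAL]


def uses_radius(order: List[str]) -> bool:
    """True if any RADIUS server appears anywhere in the chain."""
    return any(src != LOCAL for src in order)


def lab_scenario(network_user_checked: bool) -> Dict[str, List[str]]:
    """Lab 4.5-4.7 from the digest: IPX1 (web-auth) must not use RADIUS,
    IPX4 (WPA/EAP-TLS) must use the ACS server. Returns {ssid: order}."""
    acs = RadiusServer("ACS1", network_user=network_user_checked)  # constructed name
    wlans = [
        Wlan("IPX1", "web-auth"),                        # nothing selected on the WLAN
        Wlan("IPX4", "dot1x", selected_servers=[acs]),   # ACS selected on the WLAN
    ]
    return {w.ssid: authentication_order(w, [acs]) for w in wlans}


if __name__ == "__main__":
    for checked in (True, False):
        result = lab_scenario(checked)
        print(f'"Network User" checked={checked}:')
        for ssid, order in result.items():
            flag = "uses RADIUS" if uses_radius(order) else "local only"
            print(f"  {ssid}: {' -> '.join(order)}  ({flag})")
```

With the box checked, ACS1 is still reachable from IPX1 even though the WLAN never selected it; with it unchecked and ACS1 selected only on IPX4, IPX1 stays local-only while IPX4 keeps its server, which is the solution guide's approach and Gabriel's answer in the digest.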

2011/4/26 Kristján Ólafur Eðvarðsson <[email protected]>:
Regarding the 'config advanced eap request-timeout 6' parameter.
Most documentation and recommendations require this parameter to be
20 sec instead of the 6 sec that seems to be enough to answer just this
question below. I usually take it to 20 sec like the Cisco documentation says.
But I suppose that I wouldn't get it wrong in this case, and also 20 sec
is less likely to fail than just 6 sec.

The issue behind this solution is
often the phone, which has a slower CPU and might respond too late when doing
PAC phases with the ACS and WLC.

Regarding webauth with RADIUS: I knew about the "network user" checkbox,
that it globally enables that RADIUS server. But if you select one particular
server at the WLAN configuration (AAA servers), it should first check that one (under
WLAN/AAA servers) before going to the global list
of "network checked" RADIUS servers. Can anyone confirm that this is true?

Else, to be sure, security-wise it is probably best to uncheck the "network user"
box on the RADIUS server and
select it specifically in the WLAN config. A while ago I asked TAC about this
scenario; they responded that
this was possible to do (uncheck the network user) but it was sort of not
supported. I wonder if that has changed;
this was when code 5.x was available, if I remember correctly.

regards. Kristjan

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: 26. apríl 2011 09:17
To: [email protected]
Subject: CCIE_Wireless Digest, Vol 25, Issue 15



Today's Topics:

  1. Workbook1: Lab 4.5, 4.6, 4.7 (Leigh Jewell)
  2. Re: Workbook1: Lab 4.5, 4.6, 4.7 (Gabriel)
  3. Re: Workbook1: Lab 4.5, 4.6, 4.7 (Leigh Jewell)
  4. Workbook1: Lab 4.6 WLAN Security (Leigh Jewell)
  5. Re: Workbook1: Lab 4.6 WLAN Security (Victor Platov (viplatov))
  6. Workbook1: Lab 4.10 Multicast - IGMP Query interval (Leigh Jewell)


----------------------------------------------------------------------

Message: 1
Date: Tue, 26 Apr 2011 10:14:28 +1000
From: Leigh Jewell <[email protected]>
To: [email protected]
Subject: [OSL | CCIE_Wireless] Workbook1: Lab 4.5, 4.6, 4.7
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"

This lab is all about configuring a number of SSIDs on the group of
controllers. Looking at WLC1 you are asked to create three SSIDs:

IPX1: web-auth (must not use RADIUS)
IPX2: WEP key
IPX4: WPA with EAP-TLS on an ACS server

The problem is the requirement not to use RADIUS for the web-auth SSID
(IPX1). My understanding is that with web-auth the local database is checked
first and then it will check any RADIUS servers configured. The solution
guide for this lab works around this by unchecking the 'Network' box
against the defined RADIUS server and just leaving management selected.

The problem I can see with that is that RADIUS authentication is still needed for
IPX4, and unchecking this box effectively stops this SSID from working.

Comments and thoughts welcome.

Cheers,
Leigh

--
CCIE Blog - http://leigh-cciewireless.blogspot.com/

------------------------------

Message: 2
Date: Mon, 25 Apr 2011 22:02:30 -0400
From: Gabriel <[email protected]>
To: Leigh Jewell <[email protected]>
Cc: [email protected]
Subject: Re: [OSL | CCIE_Wireless] Workbook1: Lab 4.5, 4.6, 4.7
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"

Configure the per-WLAN RADIUS servers in the config options for the IPX4
SSID. It'll use specifically selected RADIUS servers even if the network box
is not checked.


------------------------------

Message: 3
Date: Tue, 26 Apr 2011 12:57:50 +1000
From: Leigh Jewell <[email protected]>
To: Gabriel <[email protected]>
Cc: [email protected]
Subject: Re: [OSL | CCIE_Wireless] Workbook1: Lab 4.5, 4.6, 4.7
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"

Now that does make sense. Did you find this in the configuration guide or
by trial and error?

Thanks for the quick response.

Regards,
Leigh



--
CCIE Blog - http://leigh-cciewireless.blogspot.com/

------------------------------

Message: 4
Date: Tue, 26 Apr 2011 14:21:49 +1000
From: Leigh Jewell <[email protected]>
To: [email protected]
Subject: [OSL | CCIE_Wireless] Workbook1: Lab 4.6 WLAN Security
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"

The question states: "The ACS Server is slow in responding, with replies up
to 5 seconds after a request"

The answer talks about extending the eap request timeout

 'config advanced eap request-timeout 6'

I am not sure about the answer. Is this request timeout between the WLC and
the client, or between the WLC and the RADIUS server?

Also, wouldn't the default RADIUS timeout of 2 secs kick in and time out the
RADIUS request?

Cheers,
Leigh

--
CCIE Blog - http://leigh-cciewireless.blogspot.com/

------------------------------

Message: 5
Date: Tue, 26 Apr 2011 08:23:12 +0200
From: "Victor Platov (viplatov)" <[email protected]>
To: "Leigh Jewell" <[email protected]>, <[email protected]>
Subject: Re: [OSL | CCIE_Wireless] Workbook1: Lab 4.6 WLAN Security
Message-ID: <[email protected]>
Content-Type: text/plain; charset="us-ascii"

As far as I understand the timer between WLC and a client is called "eap
request identity timeout". So the answer seems to be correct.


------------------------------

Message: 6
Date: Tue, 26 Apr 2011 19:16:49 +1000
From: Leigh Jewell <[email protected]>
To: [email protected]
Subject: [OSL | CCIE_Wireless] Workbook1: Lab 4.10 Multicast - IGMP Query interval
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"

The question asks:

"IGMP queries should be sent at 40 seconds intervals"

The answer sets the IGMP timeout to 40 seconds.

Checking the command reference
<http://www.cisco.com/en/US/partner/docs/wireless/controller/4.2/command/reference/cli42c1.html#wp4915845>:

"The controller sends three queries in one timeout value at an interval of
timeout/3 to see if any clients exist for a particular multicast group"
So to get the queries to be sent out at 40 secs you would need to set the
timeout on the WLC to 3 x 40 = 120 secs.

Thoughts ?

Cheers,
Leigh.

--
CCIE Blog - http://leigh-cciewireless.blogspot.com/

------------------------------

_______________________________________________
CCIE_Wireless mailing list
[email protected]
http://onlinestudylist.com/cgi-bin/mailman/listinfo/ccie_wireless


End of CCIE_Wireless Digest, Vol 25, Issue 15
*********************************************
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
