Thanks Tracy, appreciate the feedback.
On 3/17/14 10:02 AM, "[email protected]" <[email protected]> wrote:

> Send CCIE_Wireless mailing list submissions to
>     [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
>     http://onlinestudylist.com/cgi-bin/mailman/listinfo/ccie_wireless
> or, via email, send a message with subject or body 'help' to
>     [email protected]
>
> You can reach the person managing the list at
>     [email protected]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of CCIE_Wireless digest..."
>
> Today's Topics:
>
>    1. Re: CCIE_Wireless Digest, Vol 59, Issue 15 HREAP and AAA
>       Override (Tracy Sutton)
>    2. Re: HREAP - AAA Override (Jay Killion (jakillio))
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 17 Mar 2014 07:37:33 -0700
> From: Tracy Sutton <[email protected]>
> To: "[email protected]" <[email protected]>
> Subject: Re: [OSL | CCIE_Wireless] CCIE_Wireless Digest, Vol 59, Issue 15 HREAP and AAA Override
> Message-ID: <f706b26167167c42a024d5631fe5fe47333dc74...@sv-exchange1.corp.fc.LOCAL>
> Content-Type: text/plain; charset="us-ascii"
>
> Not sure if this answers your concerns or not, but "AAA override is not
> supported with H-REAP". This is a direct quote from the WLC config guide
> version 7.0.116.0, which is the level used in the lab exam. I also
> confirmed this is true when I was preparing for my exam a few years ago.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
> Sent: Monday, March 17, 2014 10:22 AM
> To: [email protected]
> Subject: CCIE_Wireless Digest, Vol 59, Issue 15
>
>> Today's Topics:
>>
>>    1. HREAP - AAA Override (Jay Killion (jakillio))
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Mon, 17 Mar 2014 14:18:46 +0000
>> From: "Jay Killion (jakillio)" <[email protected]>
>> To: "[email protected]" <[email protected]>
>> Subject: [OSL | CCIE_Wireless] HREAP - AAA Override
>> Message-ID: <cf4c6e73.165b3%[email protected]>
>> Content-Type: text/plain; charset="windows-1252"
>>
>> I'm having some strange issues with HREAP and AAA Overrides, hoping
>> someone can shed some light?
>>
>> I've created a Network Access Policy to match on HREAP called-station-ID
>> and provide different VLANs based on EAP method, see below -
>>
>> [cid:1B9A67FF-41D1-442A-A803-7310A267BF5E]
>>
>> When using AnyConnect to connect to the SSID using EAP-FAST, auth
>> succeeds and the client sees things as all good.
>>
>> [cid:3D070F00-58A6-4C8D-8B81-6504AD2919E9]
>>
>> When using PEAP, ACS says auth succeeds and it shows the expected
>> authorization profile.
>>
>> [cid:4821EA8A-7810-4D11-A836-F3358EC0192F]
>>
>> However, AnyConnect says "authentication failed" even with ACS saying it
>> succeeds - but only when using PEAP (FAST works fine). Any thoughts?
>> I've stopped / started ACS, but no luck.
>>
>> Thanks -
>>
>> Jay Killion, CCIE #17873 R/S
>>
>> ------------------------------
>>
>> _______________________________________________
>> Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
>>
>> iPexpert on YouTube: www.youtube.com/ipexpertinc
>>
>> End of CCIE_Wireless Digest, Vol 59, Issue 15
>> *********************************************
>
> ------------------------------
>
> Message: 2
> Date: Mon, 17 Mar 2014 14:51:17 +0000
> From: "Jay Killion (jakillio)" <[email protected]>
> To: Jeff Rensink <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: Re: [OSL | CCIE_Wireless] HREAP - AAA Override
> Message-ID: <cf4c7501.165bb%[email protected]>
> Content-Type: text/plain; charset="windows-1252"
>
> Thanks for the reply, Jeff. I wouldn't think it's a PAC issue since FAST
> is working, just PEAP that's failing. But I did console to the HREAP AP
> and see the following logs.
> It certainly tells me that HREAP sees this
> as a failure, but I'm not sure why? Guess my next step is to debug
> RADIUS from the AP. Interesting that ACS shows success and the AP shows
> failure - maybe it is bug related?
>
> *Mar 17 14:24:02.233: %DOT11-4-NO_VLAN_ID: Vlan id 17 from Radius server is not configured for station 2477.033d.da08
> *Mar 17 14:24:03.268: %DOT11-7-AUTH_FAILED: Station 2477.033d.da08 Authentication failed
>
> From: Jeff Rensink <[email protected]>
> Date: Monday, March 17, 2014 8:29 AM
> To: Jay Killion <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: Re: [OSL | CCIE_Wireless] HREAP - AAA Override
>
>> It could be one of 2 issues from what I can see.
>>
>> First, AnyConnect doesn't support anonymous PAC provisioning by default.
>> You have to use the NAM profile editor and enable that option. So you
>> could be getting a success on the authentication during Phase 0, but the
>> PAC never provisions (resulting in the failure on AnyConnect).
>>
>> Another issue could be stemming from trying to do an AAA override on a
>> locally switched WLAN. I have run into issues where the AAA override
>> actually causes a failure. Assuming you are running lab code
>> (7.0.116.0), AAA overrides do not work on locally switched WLANs on HREAP
>> APs. And in my experience, anything beyond just a plain Permit result
>> can result in no connectivity. It's been a while since I last tried
>> though, and I cannot remember 100% if this result happened with central
>> or local authentication.
>>
>> Regards,
>>
>> Jeff Rensink : Sr Instructor : iPexpert <http://www.ipexpert.com/>
>> CCIE # 24834 :: Wireless / R&S
>> :: World-Class Cisco Certification Training
>> Direct: +1.810.326.1444
>> :: Free Videos <http://www.youtube.com/ipexpertinc>
>> :: Free Training / Product Offerings <http://www.facebook.com/ipexpert>
>> :: CCIE Blog <http://blog.ipexpert.com/>
>> :: Twitter <http://www.twitter.com/ipexpert>
>
> ------------------------------
>
> End of CCIE_Wireless Digest, Vol 59, Issue 17
> *********************************************
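To make the AP-side symptom Jeff describes checkable from a console capture, here is an added example (not from the thread and not a Cisco tool): a small Python correlator that parses Cisco IOS AP syslog lines, pairs each %DOT11-4-NO_VLAN_ID with the following %DOT11-7-AUTH_FAILED for the same station, and reports the RADIUS-assigned VLAN the AP could not apply. The sample log is Jay's two lines plus constructed extras for a second station, and `ap_vlans` is an assumed set of VLAN ids configured on the H-REAP AP.

```python
import re
from datetime import datetime, timedelta

# One Cisco IOS AP syslog line: optional "*" (clock not authoritative), timestamp,
# %FACILITY-SEVERITY-MNEMONIC, then the message text.
LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?):\s+"
    r"%(?P<msg>[A-Z0-9_]+-\d-[A-Z0-9_]+):\s+(?P<text>.*)$"
)
MAC_RE = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b", re.I)
VLAN_RE = re.compile(r"Vlan id (\d+)", re.I)

# Constructed sample: the two lines from the AP console in the thread, plus two
# made-up lines for a second station that associates and later fails for some
# unrelated reason (no NO_VLAN_ID before it, so it must not be flagged).
SAMPLE_LOG = """\
*Mar 17 14:24:02.233: %DOT11-4-NO_VLAN_ID: Vlan id 17 from Radius server is not configured for station 2477.033d.da08
*Mar 17 14:24:03.268: %DOT11-7-AUTH_FAILED: Station 2477.033d.da08 Authentication failed
*Mar 17 14:25:10.001: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0011.2233.4455 Associated
*Mar 17 14:26:00.500: %DOT11-7-AUTH_FAILED: Station 0011.2233.4455 Authentication failed
""".splitlines()


def parse_line(line):
    """Return a dict (ts, msg, station, vlan, text) for a recognised line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fmt = "%b %d %H:%M:%S" + (".%f" if "." in m["ts"] else "")  # fractional secs optional
    mac, vlan = MAC_RE.search(m["text"]), VLAN_RE.search(m["text"])
    return {"ts": datetime.strptime(m["ts"], fmt), "msg": m["msg"], "text": m["text"],
            "station": mac.group(1).lower() if mac else None,
            "vlan": int(vlan.group(1)) if vlan else None}


def diagnose(lines, ap_vlans, window_s=5):
    """Pair each NO_VLAN_ID with the next AUTH_FAILED (within window_s) for that station.

    ap_vlans (assumed input) is the set of VLAN ids the H-REAP AP actually has; a
    RADIUS-assigned VLAN outside it is the override the AP cannot honour.
    """
    pending, findings = {}, []
    for ev in filter(None, map(parse_line, lines)):
        if ev["msg"] == "DOT11-4-NO_VLAN_ID" and ev["station"]:
            pending[ev["station"]] = (ev["ts"], ev["vlan"])
        elif ev["msg"] == "DOT11-7-AUTH_FAILED" and ev["station"] in pending:
            t0, vlan = pending.pop(ev["station"])
            if ev["ts"] - t0 <= timedelta(seconds=window_s):
                findings.append({"station": ev["station"], "radius_vlan": vlan,
                                 "vlan_on_ap": vlan in ap_vlans,
                                 "cause": "RADIUS assigned VLAN %s but the AP has no such VLAN; "
                                          "auth fails at the AP although ACS reports success" % vlan})
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG, ap_vlans={10, 20}):
        print(f)
```

Run it against a longer console capture to see whether every PEAP failure is preceded by a NO_VLAN_ID for the same station; if it is, the override VLAN, not the EAP exchange, is what the AP is rejecting.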
