Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About BJCiscoUser
Stats
Member since
10-24-2012
6
Posts
0
Helpful
0
Solutions
Created by
BJCiscoUser
in Wireless Security and Network Management
in Wireless Security and Network Management
10-25-2012
09:08 AM
10-25-2012
09:08 AM
Hi Steve, As an update to my own post, I remember having read somewhere that if we implement CCKM, having the AAA server handing out the vlan id is not allowed/supported, so I disabled that option. That seems to have made things better... Anyway, we are not completely satisfied with our testing. Is there a command we can run to see if CCKM is working? I remember having read about a command showing the CCKM id assigned to the client?? But I do not remember the exact syntax. Thanks once again for your time.
... View more
Created by
BJCiscoUser
in Wireless Security and Network Management
in Wireless Security and Network Management
10-25-2012
07:12 AM
10-25-2012
07:12 AM
Hi, The fast roaming is not working on the VOIP WLAN. We are not testing with a phone, but with a Lenovo laptop (softphone), running CCXv4 and configured with (Intel PROSet) WPA - Enterprise, TKIP, TSL with User certificate. If we run the cmd: show wlccp wds ap, all AP shows up as registered . If we run the cmd: whow wlccp wds mn detail, the client (associated to another AP) shows up with the following details: BSS: c8f9.f9a6.f270, SSID: VOIP Vlan Assigned by AAA: 3 Ntwrk-ID: - Key Mgmt: CCKM, Authentication: EAP Posture Token: Up-time: 00:33:36, Lifetime: 127 We have this in the WDS master config, is this ok? radius-server local no authentication eapfast no authentication leap no authentication mac radius-server local no authentication eapfast no authentication leap no authentication mac radius-server local no authentication eapfast no authentication leap no authentication mac radius-server local no authentication eapfast no authentication leap no authentication mac Thanks for your help.
... View more
Created by
BJCiscoUser
in Wireless Security and Network Management
in Wireless Security and Network Management
10-25-2012
01:59 AM
10-25-2012
01:59 AM
Hi again Steve, Yesterday we tried the new configuration per your suggestions. But the fast roaming (CCKM) is not working. We are not exactly sure of what we have wrong in our configuration. I drop in here two configuration examples, one for our WDS master, and one for a client AP - all test configurations. We would appreciate if you would have an idea of what we have wrong here. Thanks in advance! ## AP-WDS MASTER CONFIG ## ! version 12.4 no service pad service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname AP2 ! logging rate-limit console 9 enable secret MyEnableSecret ! ! aaa new-model ! ! aaa group server radius rad_eap server 10.12.12.12 auth-port 1645 acct-port 1646 ! aaa group server radius rad_mac server 10.12.12.12 auth-port 1645 acct-port 1646 ! aaa group server radius rad_acct server 10.12.12.12 auth-port 1645 acct-port 1646 ! aaa group server radius rad_admin server 10.12.12.12 auth-port 1645 acct-port 1646 ! aaa group server tacacs+ tac_admin ! aaa group server radius rad_pmip ! aaa group server radius dummy ! aaa group server radius infra_devices server 10.12.1.109 auth-port 1812 acct-port 1813 ! aaa group server radius client_devices server 10.12.12.12 auth-port 1645 acct-port 1646 ! aaa authentication login eap_methods group rad_eap aaa authentication login mac_methods local aaa authentication login method_infra_devices group infra_devices aaa authentication login method_client_devices group client_devices aaa authorization exec default local aaa accounting network acct_methods start-stop group rad_acct ! aaa session-id common ! ! dot11 syslog dot11 vlan-name Network1 vlan 7 dot11 vlan-name Network2 vlan 6 dot11 vlan-name Network3 vlan 5 dot11 vlan-name Network4 vlan 4 dot11 vlan-name VoIP vlan 3 ! dot11 ssid Network1 vlan 7 authentication open authentication key-management wpa version 2 guest-mode wpa-psk ascii MyWPAGuestKey ! dot11 ssid Network2 vlan 6 authentication open eap eap_methods authentication network-eap eap_methods authentication key-management wpa cckm ! dot11 ssid VOIP vlan 3 authentication open eap eap_methods authentication network-eap eap_methods authentication key-management wpa cckm ! dot11 ssid Network4 vlan 4 authentication open eap eap_methods authentication network-eap eap_methods authentication key-management wpa version 2 ! eap profile TLS method tls ! eap profile FAST method fast ! ! ! username Me privilege 15 password 0 MySpecialPassword ! ! ! policy-map VoIPTraffic class class-default set cos 6 ! bridge irb ! ! interface Dot11Radio0 no ip address no ip route-cache ! encryption vlan 7 mode ciphers aes-ccm ! encryption vlan 6 mode ciphers tkip ! encryption vlan 5 mode ciphers aes-ccm ! encryption vlan 3 mode ciphers tkip ! encryption vlan 4 mode ciphers aes-ccm ! ssid Network5 ! ssid Network4 ! ssid VOIP ! ssid Network6 ! antenna gain 0 station-role root bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding bridge-group 1 spanning-disabled ! interface Dot11Radio0.7 encapsulation dot1Q 7 no ip route-cache bridge-group 7 bridge-group 7 subscriber-loop-control bridge-group 7 block-unknown-source no bridge-group 7 source-learning no bridge-group 7 unicast-flooding bridge-group 7 spanning-disabled ! interface Dot11Radio0.4 encapsulation dot1Q 4 no ip route-cache bridge-group 4 bridge-group 4 subscriber-loop-control bridge-group 4 block-unknown-source no bridge-group 4 source-learning no bridge-group 4 unicast-flooding bridge-group 4 spanning-disabled ! interface Dot11Radio0.6 encapsulation dot1Q 6 no ip route-cache bridge-group 6 bridge-group 6 subscriber-loop-control bridge-group 6 block-unknown-source no bridge-group 6 source-learning no bridge-group 6 unicast-flooding bridge-group 6 spanning-disabled ! interface Dot11Radio0.3 encapsulation dot1Q 3 no ip route-cache bridge-group 3 bridge-group 3 subscriber-loop-control bridge-group 3 block-unknown-source no bridge-group 3 source-learning no bridge-group 3 unicast-flooding bridge-group 3 spanning-disabled service-policy input VoIPTraffic service-policy output VoIPTraffic ! interface Dot11Radio0.7 encapsulation dot1Q 7 no ip route-cache bridge-group 7 bridge-group 7 subscriber-loop-control bridge-group 7 block-unknown-source no bridge-group 7 source-learning no bridge-group 7 unicast-flooding bridge-group 7 spanning-disabled ! interface Dot11Radio1 no ip address no ip route-cache shutdown antenna gain 0 no dfs band block channel dfs station-role root bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding bridge-group 1 spanning-disabled ! interface GigabitEthernet0 no ip address no ip route-cache duplex auto speed auto no keepalive bridge-group 1 no bridge-group 1 source-learning bridge-group 1 spanning-disabled ! interface GigabitEthernet0.7 encapsulation dot1Q 7 no ip route-cache bridge-group 7 no bridge-group 7 source-learning bridge-group 7 spanning-disabled ! interface GigabitEthernet0.4 encapsulation dot1Q 4 no ip route-cache bridge-group 4 no bridge-group 4 source-learning bridge-group 4 spanning-disabled ! interface GigabitEthernet0.6 encapsulation dot1Q 6 no ip route-cache bridge-group 6 no bridge-group 6 source-learning bridge-group 6 spanning-disabled ! interface GigabitEthernet0.3 encapsulation dot1Q 3 no ip route-cache bridge-group 3 no bridge-group 3 source-learning bridge-group 3 spanning-disabled service-policy input VoIPTraffic service-policy output VoIPTraffic ! interface GigabitEthernet0.5 encapsulation dot1Q 5 no ip route-cache bridge-group 5 no bridge-group 5 source-learning bridge-group 5 spanning-disabled ! interface BVI1 ip address 10.12.1.109 255.255.255.0 no ip route-cache ! ip default-gateway 10.12.1.1 ip http server no ip http secure-server ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag ip radius source-interface BVI1 radius-server attribute 32 include-in-access-req format %h radius-server host 10.12.12.12 auth-port 1645 acct-port 1646 key NPSKey109 radius-server vsa send accounting bridge 1 route ip ! radius-server local no authentication eapfast no authentication mac nas 10.12.1.101 key 0 WDSKey101 nas 10.12.1.102 key 0 WDSKey102 nas 10.12.1.103 key 0 WDSKey103 nas 10.12.1.104 key 0 WDSKey104 nas 10.12.1.105 key 0 WDSKey105 nas 10.12.1.106 key 0 WDSKey106 nas 10.12.1.107 key 0 WDSKey107 nas 10.12.1.108 key 0 WDSKey108 nas 10.12.1.109 key 0 WDSKey109 user wdsuser password wdspassword radius-server host 10.12.1.109 auth-port 1812 acct-port 1813 key 0 WDSKey109 radius-server attribute 32 include-in-access-req format %h ! ! wlccp wds priority 254 interface BVI1 wlccp ap username wdsclientap password wdspassword wlccp authentication-server infrastructure method_infra_devices wlccp authentication-server client eap method_client_devices wlccp authentication-server client leap method_client_devices ! ! ! line con 0 line vty 0 4 ! end ## AP CLIENT CONFIG EXAMPLE ## ! version 12.4 no service pad service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname AP1 ! logging rate-limit console 9 enable secret MyEnableSecret ! ! aaa new-model ! ! aaa group server radius rad_eap server 10.12.12.12 auth-port 1645 acct-port 1646 ! aaa group server radius rad_mac server 10.12.12.12 auth-port 1645 acct-port 1646 ! aaa group server radius rad_acct server 10.12.12.12 auth-port 1645 acct-port 1646 ! aaa group server radius rad_admin server 10.12.12.12 auth-port 1645 acct-port 1646 ! aaa group server tacacs+ tac_admin ! aaa group server radius rad_pmip ! aaa group server radius dummy ! aaa group server radius infra_devices server 10.12.1.109 auth-port 1812 acct-port 1813 ! aaa group server radius client_devices server 10.12.12.12 auth-port 1645 acct-port 1646 ! aaa authentication login eap_methods group rad_eap aaa authentication login mac_methods local aaa authentication login method_infra_devices group infra_devices aaa authentication login method_client_devices group client_devices aaa authorization exec default local aaa accounting network acct_methods start-stop group rad_acct ! aaa session-id common ! ! dot11 syslog dot11 vlan-name Network1 vlan 7 dot11 vlan-name Network2 vlan 6 dot11 vlan-name Network3 vlan 5 dot11 vlan-name Network4 vlan 4 dot11 vlan-name VoIP vlan 3 ! dot11 ssid Network1 vlan 7 authentication open authentication key-management wpa version 2 guest-mode wpa-psk ascii MyWPAGuestKey ! dot11 ssid Network2 vlan 6 authentication open eap eap_methods authentication network-eap eap_methods authentication key-management wpa cckm ! dot11 ssid VOIP vlan 3 authentication open eap eap_methods authentication network-eap eap_methods authentication key-management wpa cckm ! dot11 ssid Network4 vlan 4 authentication open eap eap_methods authentication network-eap eap_methods authentication key-management wpa version 2 ! eap profile TLS method tls ! eap profile FAST method fast ! ! ! username Me privilege 15 password 0 MySpecialPassword ! ! ! policy-map VoIPTraffic class class-default set cos 6 ! bridge irb ! ! interface Dot11Radio0 no ip address no ip route-cache ! encryption vlan 7 mode ciphers aes-ccm ! encryption vlan 6 mode ciphers tkip ! encryption vlan 5 mode ciphers aes-ccm ! encryption vlan 3 mode ciphers tkip ! encryption vlan 4 mode ciphers aes-ccm ! ssid Network5 ! ssid Network4 ! ssid VOIP ! ssid Network6 ! antenna gain 0 station-role root bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding bridge-group 1 spanning-disabled ! interface Dot11Radio0.7 encapsulation dot1Q 7 no ip route-cache bridge-group 7 bridge-group 7 subscriber-loop-control bridge-group 7 block-unknown-source no bridge-group 7 source-learning no bridge-group 7 unicast-flooding bridge-group 7 spanning-disabled ! interface Dot11Radio0.4 encapsulation dot1Q 4 no ip route-cache bridge-group 4 bridge-group 4 subscriber-loop-control bridge-group 4 block-unknown-source no bridge-group 4 source-learning no bridge-group 4 unicast-flooding bridge-group 4 spanning-disabled ! interface Dot11Radio0.6 encapsulation dot1Q 6 no ip route-cache bridge-group 6 bridge-group 6 subscriber-loop-control bridge-group 6 block-unknown-source no bridge-group 6 source-learning no bridge-group 6 unicast-flooding bridge-group 6 spanning-disabled ! interface Dot11Radio0.3 encapsulation dot1Q 3 no ip route-cache bridge-group 3 bridge-group 3 subscriber-loop-control bridge-group 3 block-unknown-source no bridge-group 3 source-learning no bridge-group 3 unicast-flooding bridge-group 3 spanning-disabled service-policy input VoIPTraffic service-policy output VoIPTraffic ! interface Dot11Radio0.7 encapsulation dot1Q 7 no ip route-cache bridge-group 7 bridge-group 7 subscriber-loop-control bridge-group 7 block-unknown-source no bridge-group 7 source-learning no bridge-group 7 unicast-flooding bridge-group 7 spanning-disabled ! interface Dot11Radio1 no ip address no ip route-cache shutdown antenna gain 0 no dfs band block channel dfs station-role root bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding bridge-group 1 spanning-disabled ! interface GigabitEthernet0 no ip address no ip route-cache duplex auto speed auto no keepalive bridge-group 1 no bridge-group 1 source-learning bridge-group 1 spanning-disabled ! interface GigabitEthernet0.7 encapsulation dot1Q 7 no ip route-cache bridge-group 7 no bridge-group 7 source-learning bridge-group 7 spanning-disabled ! interface GigabitEthernet0.4 encapsulation dot1Q 4 no ip route-cache bridge-group 4 no bridge-group 4 source-learning bridge-group 4 spanning-disabled ! interface GigabitEthernet0.6 encapsulation dot1Q 6 no ip route-cache bridge-group 6 no bridge-group 6 source-learning bridge-group 6 spanning-disabled ! interface GigabitEthernet0.3 encapsulation dot1Q 3 no ip route-cache bridge-group 3 no bridge-group 3 source-learning bridge-group 3 spanning-disabled service-policy input VoIPTraffic service-policy output VoIPTraffic ! interface GigabitEthernet0.5 encapsulation dot1Q 5 no ip route-cache bridge-group 5 no bridge-group 5 source-learning bridge-group 5 spanning-disabled ! interface BVI1 ip address 10.12.1.108 255.255.255.0 no ip route-cache ! ip default-gateway 10.12.1.1 ip http server no ip http secure-server ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag ip radius source-interface BVI1 radius-server attribute 32 include-in-access-req format %h radius-server host 10.12.12.12 auth-port 1645 acct-port 1646 key NPSKey108 radius-server vsa send accounting bridge 1 route ip ! radius-server host 10.12.1.109 auth-port 1812 acct-port 1813 key 0 WDSKey108 radius-server attribute 32 include-in-access-req format %h ! ! wlccp ap username wdsuser password wdspassword ! ! ! line con 0 line vty 0 4 ! end
... View more
Created by
BJCiscoUser
in Wireless Security and Network Management
in Wireless Security and Network Management
10-24-2012
07:33 AM
10-24-2012
07:33 AM
Thank you very much, this solved our issues. Very nice support! Erik-Benjamin Povlsen
... View more
Created by
BJCiscoUser
in Wireless Security and Network Management
in Wireless Security and Network Management
10-24-2012
07:16 AM
10-24-2012
07:16 AM
Hi Stephen, Thank you for taking time to answer our questions! So just to be sure of our setup then, using CCXv4, something like this will be ok?..: dot11 ssid VOIP vlan 5 authentication open eap eap_methods authentication network-eap eap_methods authentication key-management wpa cckm dot1x eap profile TLS mobility network-id 5 interface Dot11Radio0 no ip address no ip route-cache encryption vlan 5 mode ciphers tkip And then for the client setup just simple EAP-TSL - with certificates... Thanks again for helping us out! Erik-Benjamin Povlsen
... View more
Created by
BJCiscoUser
in Wireless Security and Network Management
in Wireless Security and Network Management
10-24-2012
01:10 AM
10-24-2012
01:10 AM
Hi, We are rolling out 20+ APs (1042N-E-K9) and one of the VLANs is used for VoIP. We would like to enable CCKM, but are a little unsure of how to go about it after reading through many of all the documentation. We have successfully enabled one AP to serve as a WDS master, and APs shows up as registered. Below are some of our questions 1. On the AP, what should be the settings for the SSID on which we want to enable CCKM? a. What Encryption Modes are allowed - can we use TKIP or AES-CCMP, or are we obliged to use CKIP-CMIC? b. For the SSID, can we enable both CCKM and WPA? And is CCKM with WPA2 supported (chipper AES-CCMP) c. For AP Authentication, what Method should we chose? TSL, FAST, or is any of them allowed? 2. On the client machines (we are testing with a Lenovo laptop, ccx c4, and Intel pro-tools): a. We understand that we can choose EAP-TSL for the clients and that should be ok, is that correct? b. Do we need to use EAP-FAST or LEAP? And if that is the case, then it seems that MS NPS server as RADIUS is not supported… We would very much appreciate any help with the above questions, as mentioned we read through the various documentation, but we are still unclear on the above mentioned points. Greetings! Erik-Benjamin Povlsen
... View more
10-25-2012
Hi Steve,As an update to my own post, I remember having read somewhere
that if we implement CCKM, ha...
10-25-2012
Hi,The fast roaming is not working on the VOIP WLAN. We are not testing
with a phone, but with a Len...
10-25-2012
Hi again Steve,Yesterday we tried the new configuration per your
suggestions. But the fast roaming (...
10-24-2012
Hi Stephen,Thank you for taking time to answer our questions!So just to
be sure of our setup then, u...
Public Statistics
| Date Registered | 10-24-2012 12:53 AM |
| Date Last Visited | 08-18-2017 03:53 AM |
| Total Messages Posted | 6 |
