Ref : http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008084f13b.shtml

MAC Address Filter (MAC Authentication) on WLCs

When you create a MAC address filter on WLCs, users are granted or denied access to the WLAN network based on the MAC address of the client they use.

There are two types of MAC authentication that are supported on WLCs:

  • Local MAC authentication
  • MAC authentication using a RADIUS server

With local MAC authentication, user MAC addresses are stored in a database on the WLC. When a user tries to access the WLAN that is configured for MAC filtering, the client MAC address is validated against the local database on the WLC, and the client is granted access to the WLAN if the authentication is successful.

By default, the WLC local database supports up to 512 user entries.

The local user database is limited to a maximum of 2048 entries. The local database stores entries for these items:

  • Local management users, which includes lobby ambassadors
  • Local network users, which includes guest users
  • MAC filter entries
  • Exclusion list entries
  • Access point authorization list entries

Together, all of these types of users cannot exceed the configured database size.

In order to increase the local database, use this command from the CLI:

<Cisco Controller>config database size ?
<count>        Enter the maximum number of entries (512-2048)

Alternatively, MAC address authentication can also be performed using a RADIUS server. The only difference is that the user MAC address database is stored on the RADIUS server instead of the WLC. When the user database is stored on a RADIUS server, the WLC forwards the MAC address of the client to the RADIUS server for client validation. The RADIUS server then validates the MAC address against the database it has. If the client authentication is successful, the client is granted access to the WLAN. Any RADIUS server which supports MAC address authentication can be used.

Configure Local MAC Authentication on WLCs

Complete these steps in order to configure local MAC authentication on the WLCs:

  1. Configure a WLAN and Enable MAC Filtering
  2. Configure the Local Database on the WLC with Client MAC Addresses

    Note: Before you configure MAC authentication, you must configure the WLC for basic operation and register the LAPs to the WLC. This document assumes that the WLC is already configured for basic operation and that the LAPs are registered to the WLC. If you are a new user trying to set up the WLC for basic operation with LAPs, refer to Lightweight AP (LAP) Registration to a Wireless LAN Controller (WLC).

    Note: There is no special configuration needed on the wireless client in order to support MAC authentication.

Configure a WLAN and Enable MAC Filtering

Complete these steps in order to configure a WLAN with MAC filtering:

  1. Click WLANs from the controller GUI in order to create a WLAN. The WLANs window appears. This window lists the WLANs configured on the controller.
  2. Click New in order to configure a new WLAN. In this example, the WLAN is named MAC-WLAN and the WLAN ID is 1.
  3. Click Apply.
  4. In the WLAN > Edit window, define the parameters specific to the WLAN.
    1. Under Security Policies > Layer 2 Security, check the MAC Filtering check box. This enables MAC authentication for the WLAN.
    2. Under General Policies > Interface Name, select the interface to which the WLAN is mapped. In this example, the WLAN is mapped to the management interface.
    3. Select the other parameters, which depend on the design requirements of the WLAN.
    4. Click Apply.

The next step is to configure the local database on the WLC with the client MAC addresses.

Refer to VLANs on Wireless LAN Controllers Configuration Example for information on how to configure dynamic interfaces (VLANs) on WLCs.

Configure the Local Database on the WLC with Client MAC Addresses

Complete these steps in order to configure the local database with a client MAC address on the WLC:

  1. Click Security from the controller GUI, and then click MAC Filtering from the left side menu. The MAC Filtering window appears.
  2. Click New in order to create a local database MAC address entry on the WLC.
  3. In the MAC Filters > New window, enter the MAC address, Profile Name, Description and the Interface Name for the client.
  4. Click Apply.
  5. Repeat steps 2-4 in order to add more clients to the local database. Now, when clients connect to this WLAN, the WLC validates the client's MAC address against the local database and, if the validation is successful, the client is granted access to the network.

    Note: In this example, only a MAC address filter without any other Layer 2 Security mechanism was used. Cisco recommends that MAC address authentication should be used along with other Layer 2 or Layer 3 security methods. It is not advisable to use only MAC address authentication to secure your WLAN network because it does not provide a strong security mechanism.

Configure MAC Authentication using a RADIUS Server

Complete these steps in order to configure MAC authentication using a RADIUS server. In this example, the Cisco Secure ACS server is used as the RADIUS server.

  1. Configure a WLAN and Enable MAC Filtering
  2. Configure the RADIUS Server with Client MAC Addresses

Configure a WLAN and Enable MAC Filtering

Complete these steps in order to configure a WLAN with MAC filtering:

  1. Click WLANs from the controller GUI in order to create a WLAN. The WLANs window appears. This window lists the WLANs configured on the controller.
  2. Click New in order to configure a new WLAN. In this example, the WLAN is named MAC-ACS-WLAN and the WLAN ID is 2.
  3. Click Apply.
  4. In the WLAN > Edit window, define the parameters specific to the WLAN.
    1. Under Security Policies > Layer 2 Security, check the MAC Filtering check box. This enables MAC authentication for the WLAN.
    2. Under General Policies > Interface Name, select the interface to which the WLAN is mapped.
    3. Under RADIUS servers, select the RADIUS server that will be used for MAC authentication.

      Note: Before you can select the RADIUS server from the WLAN > Edit window, you should define the RADIUS server in the Security > Radius Authentication window and enable the RADIUS server.
    4. Select the other parameters, which depend on the design requirements of the WLAN.
    5. Click Apply.
  5. Click Security > MAC Filtering.
  6. In the MAC Filtering window, choose the type of RADIUS server under RADIUS Compatibility Mode. This example uses Cisco ACS.
  7. From the MAC Delimiter pull down menu, choose the MAC delimiter. This example uses Colon.
  8. Click Apply.

The next step is to configure the ACS server with the client MAC addresses.

Configure the RADIUS Server with Client MAC Addresses

Complete these steps in order to add a MAC address to the ACS:

  1. Define the WLC as an AAA client on the ACS server. Click Network Configuration from the ACS GUI.
  2. When the Network Configuration window appears, define the name of the WLC, the IP address, the shared secret and the authentication method (RADIUS Cisco Aironet or RADIUS Airespace). Refer to the documentation from the manufacturer for other non-ACS authentication servers.

    Note: The shared secret key that you configure on the WLC and the ACS server must match. The shared secret is case sensitive.

  3. From the ACS main menu, click User Setup.
  4. In the User text box, enter the MAC address in order to add it to the user database.

    Note: The MAC address must be exactly as it is sent by the WLC for both the username and the password. If authentication fails, check the failed attempts log to see how the MAC is reported by the WLC. Do not cut and paste the MAC address, as this can introduce phantom characters.

  5. In the User Setup window, enter the MAC address in the Secure-PAP password text box.

    Note: The MAC address must be exactly as it is sent by the WLC for both the username and the password. If authentication fails, check the failed attempts log to see how the MAC is reported by the AP. Do not cut and paste the MAC address, as this can introduce phantom characters.

  6. Click Submit.
  7. Repeat steps 2-5 in order to add more users to the ACS database. Now, when clients connect to this WLAN, the WLC passes the credentials to the ACS server. The ACS server validates the credentials against the ACS database. If the client MAC address is present in the database, the ACS RADIUS server returns an authentication success to the WLC and the client is granted access to the WLAN.

Use the CLI to Configure the MAC Filter on WLC

This document previously discussed how to use the WLC GUI to configure MAC filters. You can also use the CLI in order to configure MAC filters on the WLC. You can use these commands in order to configure the MAC filter on WLC:

  • Issue the config wlan mac-filtering enable wlan_id command in order to enable MAC filtering. Enter the show wlan command in order to verify that you have MAC filtering enabled for the WLAN.
  • config macfilter add command: The config macfilter add command lets you add a macfilter, interface, description, and so forth.

    Use the config macfilter add command in order to create a MAC filter entry on the Cisco Wireless LAN controller. Use this command in order to add a client locally to a wireless LAN on the Cisco Wireless LAN controller. This filter bypasses the RADIUS authentication process.

    config macfilter add MAC_address wlan_id [interface_name] 
    [description] [IP address]

    Example:

    Enter a static MAC-to-IP address mapping. This can be done to support a passive client, that is, one that does not use DHCP and does not transmit unsolicited IP packets.

    >config macfilter add 00:E0:77:31:A3:55 1 lab02 "labconnect" 10.92.125.51
  • config macfilter ip-address command: The config macfilter ip-address command lets you map an existing MAC filter to an IP address. Use this command in order to configure an IP address into the local MAC filter database:

    config macfilter ip-address MAC_address IP_address

    Example:

    >config macfilter ip-address 00:E0:77:31:A3:55 10.92.125.51

Configure a Timeout for Disabled Clients

You can configure a timeout for disabled clients. Clients who fail to authenticate three times during attempts to associate are automatically disabled from further association attempts. After the timeout period expires, the client is allowed to retry authentication until it associates or fails authentication and is excluded again.

Enter the config wlan exclusionlist wlan_id timeout command in order to configure the timeout for disabled clients. The timeout value can be from 1 to 65535 seconds, or you can enter 0 in order to permanently disable the client.

Verify

Use these commands in order to verify if the MAC filter is configured correctly:

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

  • show macfilter summary—Displays a summary of all MAC filter entries.
  • show macfilter detail <client MAC Address>—Detailed display of a MAC filter entry.

Here is an example of the show macfilter summary command:

(Cisco Controller) >show macfilter summary

MAC Filter RADIUS Compatibility mode............. Cisco ACS
MAC Filter Delimiter............................. None

Local Mac Filter Table

MAC Address               WLAN Id          Description
-----------------------   --------------   --------------------------------
00:40:96:ac:e6:57           1              Guest

Here is an example of the show macfilter detail command:

(Cisco Controller) >show macfilter detail 00:40:96:ac:e6:57

MAC Address...................................... 00:40:96:ac:e6:57
WLAN Identifier.................................. 1
Interface Name................................... mac-client
Description...................................... Guest
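As an added example (not from the Cisco document), this Python parses the show macfilter summary output above and, for a given client and WLAN, shows whether the local table accepts it without RADIUS or the WLC forwards the MAC to RADIUS, spelled according to the MAC Delimiter setting; it also flags ACS usernames that do not match that spelling, which is what the failed-attempts note in the ACS steps is about. The sample table rows, the lowercase spelling, and the per-WLAN-ID scope of an entry are assumptions.

```python
import re

# Constructed "show macfilter summary" output modelled on the page's example.
SHOW_MACFILTER_SUMMARY = """\
MAC Filter RADIUS Compatibility mode............. Cisco ACS
MAC Filter Delimiter............................. Colon

Local Mac Filter Table
MAC Address               WLAN Id          Description
-----------------------   --------------   --------------------------------
00:40:96:ac:e6:57           1              Guest
00:e0:77:31:a3:55           1              labconnect
"""

ENTRY_RE = re.compile(r"^([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s+(\d+)\s+(.*)$")


def canonical_mac(mac):
    """Reduce any common MAC spelling to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def parse_macfilter_summary(text):
    """Return ({'mode', 'delimiter'}, {canonical_mac: (wlan_id, description)})."""
    settings, entries = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("MAC Filter RADIUS Compatibility mode"):
            settings["mode"] = line.rsplit(".", 1)[1].strip()
        elif line.startswith("MAC Filter Delimiter"):
            settings["delimiter"] = line.rsplit(".", 1)[1].strip()
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries[canonical_mac(m.group(1))] = (int(m.group(2)), m.group(3).strip())
    return settings, entries


def radius_identity(mac, delimiter):
    """Spell the MAC as the WLC sends it for RADIUS username and password under
    the MAC Delimiter setting ('None' or 'Colon'); lowercase is an assumption."""
    digits = canonical_mac(mac)
    if delimiter == "None":
        return digits
    if delimiter == "Colon":
        return ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    raise ValueError("unsupported delimiter %r" % delimiter)


def evaluate_client(mac, wlan_id, settings, entries):
    """A local entry for this WLAN is accepted without RADIUS (the local filter
    bypasses RADIUS); anything else is forwarded to RADIUS in delimiter form."""
    key = canonical_mac(mac)
    if key in entries and entries[key][0] == wlan_id:  # assumed: entry is per WLAN ID
        return ("local", entries[key][1])
    return ("radius", radius_identity(key, settings["delimiter"]))


def acs_format_mismatches(acs_usernames, delimiter):
    """ACS usernames that are MACs but not spelled as the WLC would send them."""
    mismatches = []
    for user in acs_usernames:
        try:
            expected = radius_identity(user, delimiter)
        except ValueError:
            continue  # not a MAC-style username
        if user != expected:
            mismatches.append((user, expected))
    return mismatches
```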

Experiencing this issue first thing in the morning while provisioning some VDs in an existing pool. Then I also tried to create a new pool and the issue remained the same. Tried the following KB from VMware but made some mistake at the end while editing the pae_moid attribute. Please note you need to put vm-<MOID> to get it to work. I need to log a call with VMware support for this.

KB location : http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2004269

In View Administrator a View desktop has a status of “Provisioned (Missing)”

Symptoms

  • In View Administrator, a View desktop has a status of Provisioned (Missing).
  • In vCenter, the View desktop is present and is fully functional.
  • You cannot log in into the View desktop.

Cause

A common cause for this issue is if a vSphere/vCenter administrator had previously removed a View VM from inventory and later added it back into inventory. This can cause the View VM to get a different MOID (Managed Object ID) within vCenter. The VM’s MOID now differs between the vCenter database and VMware View’s ADAM database.

Resolution

To resolve this issue, you must make the VM’s MOID in the ADAM database match the vCenter MOID. To make the MOIDs match:

Note: The MOID in vCenter is in the form of a number. In the ADAM database, the number is preceded by vm-.

  1. Determine the VM’s MOID within the vCenter Database:
    1. Connect to the vCenter Database.
    2. Execute this query:

      Select id from vpx_entity where name='<Name of the VM>'

      This returns the VM’s MOID as seen by vCenter.

  2. Determine the VM’s MOID in the ADAM database on the View Connection Server:
    1. Log in to the machine hosting your VMware View Connection Server through the VMware Infrastructure Client or Microsoft RDP.
    2. Open the ADAM Active Directory Service Interfaces Editor:
      • Windows 2003: Go to Start > Programs > ADAM > ADAM ADSI Edit.
      • Windows 2008: Go to Start > All Programs > Administrator Tools > ADSI Edit.
    3. Right-click ADAM ADSI Edit and click Connect to.
    4. Ensure that Select or type a domain or server is selected and that Destination points to localhost.
    5. Select Distinguished Name (DN) or naming context
    6. Type dc=vdi, dc=vmware, dc=int.
    7. Run a query against OU=Servers, DC=vdi, DC=vmware, DC=int with this string:

      (&(objectClass=pae-VM)(pae-displayname=<Virtual Machine name>))

      Note: The <Virtual Machine Name> can use * or ? as a wildcard to match multiple desktops.

    8. Double-click the CN record for the VM you want to edit.
    9. Scroll down until you see the pae-MOID attribute.
    10. Double-click pae-MOID
    11. Change the pae-MOID to match the VM’s MOID as seen in vCenter.
    12. Restart the Connection Server service for the changes to take effect.
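An added example (not part of the VMware KB) that performs the comparison the steps above do by hand, for every desktop at once: it runs the KB's vpx_entity query against a constructed in-memory copy of that table, looks up each pae-VM record's pae-MOID, and reports the ones that no longer match vm-<id>. The table rows and ADAM records are constructed; the ADSI filter's * and ? wildcards are mimicked with fnmatch.

```python
import fnmatch
import sqlite3

# Constructed stand-in for the vCenter vpx_entity table: (id, name).
VPX_ENTITY_ROWS = [
    (1021, "VDI-DESKTOP-01"),
    (1388, "VDI-DESKTOP-02"),  # removed from inventory and re-added: new id
    (1045, "VDI-DESKTOP-03"),
]

# Constructed stand-in for pae-VM records from the View ADAM database.
ADAM_PAE_VM = [
    {"pae-displayname": "VDI-DESKTOP-01", "pae-MOID": "vm-1021"},
    {"pae-displayname": "VDI-DESKTOP-02", "pae-MOID": "vm-1102"},  # stale MOID
    {"pae-displayname": "VDI-DESKTOP-03", "pae-MOID": "vm-1045"},
]


def open_vcenter_db():
    """In-memory SQLite copy of vpx_entity for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vpx_entity (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO vpx_entity VALUES (?, ?)", VPX_ENTITY_ROWS)
    return conn


def vcenter_moid(conn, vm_name):
    """The KB's query, parameterised: the numeric MOID as vCenter sees it, or None."""
    row = conn.execute("SELECT id FROM vpx_entity WHERE name = ?", (vm_name,)).fetchone()
    return row[0] if row else None


def expected_pae_moid(numeric_moid):
    """ADAM stores the vCenter number preceded by 'vm-'."""
    return "vm-%d" % numeric_moid


def find_moid_mismatches(conn, adam_records, name_pattern="*"):
    """Compare pae-MOID with vCenter for every pae-VM whose display name matches
    the pattern. Returns (name, current_pae_moid, expected_pae_moid); expected is
    None when the VM is not present in vCenter at all."""
    mismatches = []
    for rec in adam_records:
        name = rec["pae-displayname"]
        if not fnmatch.fnmatchcase(name, name_pattern):
            continue
        moid = vcenter_moid(conn, name)
        expected = expected_pae_moid(moid) if moid is not None else None
        if rec["pae-MOID"] != expected:
            mismatches.append((name, rec["pae-MOID"], expected))
    return mismatches
```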

1 – Allow the VLAN on the physical interfaces of the Cisco core switch (find out which ports and port channel are used for the uplink from the blade switch, e.g. gi3/45, gi4/45, gi5/45):

– switchport trunk allowed vlan add XXX

– Add it to the port-channel that the interface is in (same command as above).

2 – Create the VLAN on the blade switch (if it does not already exist). Example below to add VLAN 110:

(AUGS-PCHAS02-SW07)#conf

(AUGS-PCHAS02-SW07)(Config)#vlan dat

(AUGS-PCHAS02-SW07)(Vlan)#vlan 110

(AUGS-PCHAS02-SW07)(Vlan)#vlan name 110 User110

(AUGS-PCHAS02-SW07)(Vlan)#exit

3 – Allow the VLAN on the interface range:

(AUGS-PCHAS02-SW07)(Config)#int range 0/1 - 0/48
(AUGS-PCHAS02-SW07)(if-range)#sw allowed vlan add 110
(AUGS-PCHAS02-SW07)(if-range)#sw tagg 110
(AUGS-PCHAS02-SW07)(if-range)#exit

4 – Allow and tag the VLAN on the port channel:

(AUGS-PCHAS02-SW07)(Config)#int 1/1

(AUGS-PCHAS02-SW07)(Interface AUGS-PCHAS02-SW07/1/1)#sw allowed vlan add 110

(AUGS-PCHAS02-SW07)(Interface AUGS-PCHAS02-SW07/1/1)#sw tagg 110

(AUGS-PCHAS02-SW07)(Interface AUGS-PCHAS02-SW07/1/1)#exit

(AUGS-PCHAS02-SW07)(Config)#exit

5 – Copy the config:

(AUGS-PCHAS02-SW07)#copy run start
Configuration Saved!


Each disk drive for a virtual machine consists of a pair of .vmdk files. One is a text file containing descriptive data about the virtual hard disk, and the second is the actual content of that disk. For example, a virtual machine named examplevm has one disk attached to it. This disk is comprised of an examplevm.vmdk descriptor file of under 1 KB, and a 10 GB examplevm-flat.vmdk flat file which contains the virtual machine content.

This article helps you to recreate a lost virtual disk descriptor file.

Detailed steps

To create a virtual machine disk:

  1. Log into the terminal of the ESXi/ESX host:
  2. Navigate to the directory that contains the virtual machine disk with the missing descriptor file using the command:

    # cd /vmfs/volumes/myvmfsvolume/mydir

    Note:

    • If you are using a version of ESXi, you can access and modify files and directories using the vSphere Client Datastore Browser or the vifs utility included with the vSphere CLI. For more information, see the section Performing File System Operations in the vSphere Command-Line Interface Documentation.
    • If you are using VMware Fusion, the default location for the virtual machine files is the home/Documents/Virtual Machines.localized/virtual_machine/ folder, where home is your home folder, and virtual_machine is the name of the virtual machine.
  3. Identify the type of SCSI controller the virtual disk is using. You can do this by examining the virtual machine configuration file (.vmx). The controller is identified by the line scsi#.virtualDev, where # is the controller number. There may be more than one controller and controller type attached to the virtual machine, such as lsisas1068 (which is the LSILogic SAS controller), lsilogic, or buslogic. This example uses lsilogic:

    scsi0.present = "true"
    scsi0.sharedBus = "none"
    scsi1.present = "true"
    scsi1.sharedBus = "virtual"
    scsi1.virtualDev = "lsilogic"
  4. Identify and record the exact size of the -flat file using a command similar to:

    # ls -l vmdisk0-flat.vmdk

    -rw------- 1 root root 4294967296 Oct 11 12:30 vmdisk0-flat.vmdk

  5. Use the vmkfstools command to create a new virtual disk:

    # vmkfstools -c 4294967296 -a lsilogic -d thin temp.vmdk

    The command uses these flags:

    • -c size: This is the size of the virtual disk.
    • -a virtual_controller: Whether the virtual disk was configured to work with BusLogic, LSILogic (for both lsilogic and lsilogic SAS) or IDE.
    • -d thin: This creates the disk in thin-provisioned format.

    Note: To save disk space, we create the disk in thin-provisioned format using the type thin. The resulting flat file then consumes minimal amounts of space (1 MB) instead of immediately assuming the capacity specified with the -c switch. The only consequence, however, is the descriptor file contains an extra line that must be manually removed in a later step.

    The temp.vmdk and temp-flat.vmdk files are created as a result.

  6. Delete temp-flat.vmdk, as it is not needed. Run the command:

    # rm temp-flat.vmdk

  7. Rename temp.vmdk to the name that is required to match the orphaned .flat file (or vmdisk0.vmdk, in this example):

    # mv temp.vmdk vmdisk0.vmdk
  8. Edit the descriptor file with a text editor:
    1. Under the Extent Description section, change the name of the .flat file to match the orphaned .flat file you have.
    2. Find and remove the line ddb.thinProvisioned = "1" if the original .vmdk was not a thin disk. If it was, retain this line.

      # Disk DescriptorFile
      version=1
      CID=fb183c20
      parentCID=ffffffff
      createType="vmfs"

      # Extent description
      RW 8388608 VMFS "vmdisk0-flat.vmdk"

      # The Disk Data Base
      #DDB

      ddb.virtualHWVersion = "4"
      ddb.geometry.cylinders = "522"
      ddb.geometry.heads = "255"
      ddb.geometry.sectors = "63"
      ddb.adapterType = "lsilogic"
      ddb.thinProvisioned = "1"

      The virtual machine is now ready to power on. Verify your changes before starting the virtual machine.

      If powering on the virtual machine is not successful, see Troubleshooting a virtual machine that is unable to power on (2001005).

  9. To check the disk chain for consistency, run this command against the disk descriptor file:

    For ESXi 5.0:
    # vmkfstools -e filename.vmdk

    For a complete chain, you see output similar to:
    Disk chain is consistent

    For a broken chain, you will see a summary of the snapshot chain and then an output similar to:
    Disk chain is not consistent : The parent virtual disk has been modified since the child was created. The content ID of the parent virtual disk does not match the corresponding parent content ID in the child (18)

    For ESXi 3.5/4.x:
    # vmkfstools -q filename.vmdk

    For a complete chain, you see output similar to:
    filename.vmdk is not an rdm

    For a broken chain, you see output similar to:
    Failed to open ‘test-000001.vmdk’ : The parent virtual disk has been modified since the child was created (18)

Ref : http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1002511
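An added example (not from the VMware KB) that builds the descriptor shown in step 8 directly from the -flat file size and adapter type recorded in steps 3 and 4, and checks an existing descriptor's extent line against the flat file, which is the mismatch the manual edit in step 8 is there to avoid. The geometry (255 heads, 63 sectors per track) is taken from the page's 4 GB lsilogic example and is assumed for other sizes and adapters; the content ID is random unless supplied.

```python
import re
import secrets

SECTOR = 512
# Geometry of the page's example descriptor; assumed for all inputs here.
HEADS, SECTORS_PER_TRACK = 255, 63


def make_descriptor(flat_name, flat_size_bytes, adapter="lsilogic",
                    thin=False, cid=None):
    """Build the text of a .vmdk descriptor for an existing -flat file."""
    if flat_size_bytes % SECTOR:
        raise ValueError("flat file size is not a whole number of sectors")
    sectors = flat_size_bytes // SECTOR
    cylinders = sectors // (HEADS * SECTORS_PER_TRACK)
    cid = cid or secrets.token_hex(4)  # random 32-bit content ID
    lines = [
        "# Disk DescriptorFile",
        "version=1",
        "CID=%s" % cid,
        "parentCID=ffffffff",
        'createType="vmfs"',
        "",
        "# Extent description",
        'RW %d VMFS "%s"' % (sectors, flat_name),
        "",
        "# The Disk Data Base",
        "#DDB",
        "",
        'ddb.virtualHWVersion = "4"',
        'ddb.geometry.cylinders = "%d"' % cylinders,
        'ddb.geometry.heads = "%d"' % HEADS,
        'ddb.geometry.sectors = "%d"' % SECTORS_PER_TRACK,
        'ddb.adapterType = "%s"' % adapter,
    ]
    if thin:  # only present for thin-provisioned disks (step 8.2)
        lines.append('ddb.thinProvisioned = "1"')
    return "\n".join(lines) + "\n"


EXTENT_RE = re.compile(r'^RW\s+(\d+)\s+VMFS\s+"([^"]+)"', re.M)


def check_descriptor(descriptor_text, flat_name, flat_size_bytes):
    """Verify the RW extent line names the right -flat file and that its
    sector count matches the file size. Returns a list of problems."""
    m = EXTENT_RE.search(descriptor_text)
    if not m:
        return ["no RW extent line found"]
    sectors, name = int(m.group(1)), m.group(2)
    problems = []
    if name != flat_name:
        problems.append("extent names %s, expected %s" % (name, flat_name))
    if sectors * SECTOR != flat_size_bytes:
        problems.append("extent covers %d bytes, flat file is %d bytes"
                        % (sectors * SECTOR, flat_size_bytes))
    return problems
```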


We were getting the following error in the summary tab on each ESXi host.

  • ESXi host shows the error:

    ESXi Shell for the Host has been enabled

  • ESXi host shows the error:

    SSH for the host has been enabled

Got the solution from this KB. Hope this helps.

Ashraf


Just a quick solution to an error while I was installing vMA 5. The OVF was deployed OK but while trying to power the vMA on, it came up with the following error on the screen.

“Power On virtual machine <VM name> Cannot initialize property ‘vami.DNS0.vSphere_Management_Assistant_(vMA)’, since network ‘<network name>’ has no associated IP pool configuration.”

Solution :

– Edit the vMA virtual machine’s properties.

– Go to Options, vApp Options and select Disable.

– Acknowledge the warning and click OK to close the VM properties.

– Start vMA. It should be OK now.