Migrating AP's from WLC 4400 v.4.0.179.11 to WLC 5508 v.7.2.110.0

Hi,
I am replacing an old 4400 series WLC running version 4.0.179.11 with a new 5508 WLC running version 7.2.110.0.
We currently have 70 x 1131 Access points on the 4400 WLC.
With this upgrade, do I need to upgrade the old 4400 to version 6.0 so the APs get an up-to-date IOS, or can I directly migrate all APs over to the new 5508 without any version incompatibilities on the APs?
I am a bit worried that the APs are running too old an IOS on the 4400 v.4.0.179.11 to go straight to the new 5508 v.7.2.110.0.
Thanks

Hi,
Check out this release note
http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_2_110_0.html#wp976667
You'll need to get up to a supported version of 6.0 first as per the release notes.
You'll need to check out the 6.0 release notes too to make sure there are no other intermediate upgrade steps required too.
Nigel

Similar Messages

  • Trouble with WLC 4400 to 5508 Migration

    We recently received a 5508 WLC and are in the process of migrating APs from a 4402. The IOS version on the 5508 is 7.6.100.0 and on the 4402 it is 7.0.240.0. On our new WLC, the 5508, we decided that we wanted to create new SSIDs and new VLANs for better management. Is there an easier way to migrate APs from the 4402 to the 5508? When we move one at a time it's tedious and sometimes we run into certificate issues. I've been doing as much research as possible, as I'm helping someone with this move, but many findings come down to placing the new 5508 in the same mobility group as the 4402 and then moving the APs from the 4402 to the new 5508. The new 5508 is in a mobility group of its own, separate from our 4402s. We have several but are only moving APs from one 4402 at a time. Is it logical to place the 5508 in the same mobility group and move the APs to it? If so, how do I move the APs from the 4402 to the 5508? Any suggestions, comments, or help would be more than appreciated, thanks!

    The fastest way to move APs from one controller to another (without using WCS/NCS/PI) is via CLI.  
    The command is very simple:  config ap primary-base [5508 name] [AP name] [5508 Management IP address]
    All you need is to put this in a spreadsheet and concatenate the AP name and you're set.  Cut-and-paste to the 5508 and wait for the APs to start swinging across.
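
The spreadsheet step described above, done as a script that also refuses names that would break the paste (an added example, not part of the original post). The name rule, the controller name `WLC5508-A`, the address `192.0.2.10` and the sample AP names are assumptions made up for illustration.

```python
import ipaddress
import re

# Assumption for this example: names are limited to letters, digits, dot,
# underscore and hyphen, 1-32 characters. This is a deliberately strict rule
# for the batch file, not a statement of what the WLC itself accepts.
_SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,32}")


def build_move_batch(ap_names, controller_name, controller_ip):
    """Build one `config ap primary-base` line per AP.

    Returns (commands, rejected). Anything that could split into extra CLI
    tokens or lines when pasted (spaces, newlines, control characters) is
    rejected instead of being emitted.
    """
    ip = ipaddress.IPv4Address(controller_ip)  # ValueError on a malformed address
    if not _SAFE_NAME.fullmatch(controller_name):
        raise ValueError(f"unsafe controller name: {controller_name!r}")

    commands, rejected, seen = [], [], set()
    for cell in ap_names:
        name = cell.strip()           # spreadsheet cells often carry padding
        if not name or name in seen:  # skip blank cells and duplicate rows
            continue
        seen.add(name)
        if _SAFE_NAME.fullmatch(name):
            commands.append(f"config ap primary-base {controller_name} {name} {ip}")
        else:
            rejected.append(name)
    return commands, rejected


# Constructed sample column, as it might come out of a spreadsheet export.
SAMPLE_AP_NAMES = [
    "AP-Floor1-01",
    "AP-Floor1-02 ",          # trailing space from the cell
    "AP-Floor1-01",           # duplicate row
    "",                       # empty cell
    "AP 3rd floor",           # space would shift the command's arguments
    "AP-X\nshow sysinfo",     # embedded newline would paste as a second command
]

if __name__ == "__main__":
    cmds, bad = build_move_batch(SAMPLE_AP_NAMES, "WLC5508-A", "192.0.2.10")
    print("\n".join(cmds))
    for name in bad:
        print(f"# rejected, fix by hand: {name!r}")
```

Review the rejected list by hand before pasting anything into a controller session.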

  • IDS feature on WLC 4400 series

    Hi Everyone,
    I'd like to ask about the IDS feature on WLC 4400 series.
    What will the WLC do if it detects an attack specified in the Standard IDS signature? Will the WLC shut down the client or just report it?
    Thank you

    The intrusion-detection-system (IDS) signature engine on controllers and on the Cisco WCS automatically eliminates duplicate alerts for rogue access points, rogue clients, and IDS signatures that previously occurred when two or more access points detected the same attacker. Now instead of one IDS alert from each detecting access point, a single alert is generated for the attack.
    Intrusion detection, location, and containment preserve the integrity of wireless networks and sensitive corporate information. When an associated client sends malicious traffic, a Cisco wired IDS device detects the attack and sends shun requests to Cisco Wireless LAN Controllers, which then disassociate the client device.

  • Config migration from WLC 4400 to WLC 4400

    Hi all
    My customer has made a trade-in from a WLC 4400 to a WLC 5500. How do I migrate the existing config from the old to the new platform? Can I use the backed-up config of the WLC 4400 (I guess not due to the hardware-parameters which are different)? Or is there a conversion tool?
    The WLC 4400 already runs a 6.x release.
    Thanks
    Toni

    Thanks for your replies, guys. Just to let you know, my local Cisco channel systems engineer confirmed that there's no tool available and that you could try to copy and paste some parameters of the text config, yet there's no guarantee of success with that.
    So the only recommended thing to do by now is to build the entire config on the WLC 5500 from scratch.

  • Migrate WLC 4400 to WLC 5500

    Hi experts,
    I want to migrate WLC 4400 with WLC 5500, but I don't know how to do this.
    Should I create a new configuration or use my WLC 4400 config?
    I want to know about IOS for the WLC 5500: should I upgrade my Access Points to connect with the new WLC?
    I need a good method to migrate this WLC, so my WLC 5500 can run properly.
    Thank you for your help.

    I have no idea how Ravi's answer is considered "correct" when he didn't address the most important aspect of your thread.  
    As far as I'm aware, you need to ensure both controllers are running the same firmware or 7.0.250.X. 
    Take a copy or export the config of the 4400 configuration to your TFTP server.  Edit the file and change the necessary settings.  Go to the 5500 and download this configuration file.  Upgrade the firmware and the bootstrap if necessary.

  • Move AP from WLC 4400 to 2500

    I have a WLC 4400 running on 6.0.196.0 and got a new WLC 2500 with 7.0.220.0. On the 4400 there are 12 APs; only one will register onto the 2500.
    Both the 4400 and the 2500 are on the same subnet. How do I let the APs register on the 2500 rather than the 4400?
    AP model:
    on 4400 now:  AIR-AP1242AG-A-K9, AIR-LAP1242AG-A-K9, AIR-LAP1142N-A-K9
    on 2500 is AIR-LAP1242AG-A-K9

    on 4400
    (Cisco Controller) >show interface summary
    Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
    ap-manager                       1    untagged 10.10.1.23      Static  Yes    No  
    management                       1    untagged 10.10.1.22      Static  No     No
    service-port                     N/A  N/A      10.1.1.10       Static  No     No
    virtual                          N/A  N/A      1.1.1.1         Static  No     No
    on 2500
    (Cisco Controller) >show interface summary
    Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
    m2                               2    10       10.10.1.92      Dynamic Yes    No  
    m3                               3    10       10.10.1.93      Dynamic Yes    No  
    m4                               4    10       10.10.1.94      Dynamic Yes    No  
    management                       1    10       10.10.1.90      Static  Yes    No
    virtual                          N/A  N/A      1.1.1.1         Static  No     No

  • WLC 4400 to WLC 5508

    Hi All
    I want to migrate from WLC 4400 to WLC 5508. Currently on the WLC 4400 we have 10 APs connected, with 5 SSIDs having different authentication methods. On the WLC 5508, if I create the same SSIDs with the same keys, will I need to reconfigure anything on end-user PCs and smart devices?
    Is there any tool to migrate the WLC 4400 config to the WLC 5508?
    cheers
    Vishal 

    Thanks Scott, some more questions:
    How do I reboot the AP from the controller? (I see 'Reset AP' - is this the option to reboot, or something else?)
    How do I disconnect all users connected to a specific SSID from the controller?
    Can AP model 3702 work with the WLC 5508? Do we need a specific software version?
    cheers
    Vishal

  • Troubleshoot Cisco Airlap 1242 with WLC 4400 Series LWAPP_CLIENT_ERROR_DEBUG: spamHandleCfgReqTimer: Did not recieve the Config response

    I have a problem getting my new AIRLAP 1242 to connect with the WLC 4400.
    After running debug on my AIRLAP it shows:
    Reset done!
    ethernet link up, 100 mbps, full-duplex
    Ethernet port 0 initialized: link is up
    Loading "flash:/c1240-k9w8-mx.123-7.JX8/c1240-k9w8-mx.123-7.JX8"...######################################################################################################################################################################################################################################
    File "flash:/c1240-k9w8-mx.123-7.JX8/c1240-k9w8-mx.123-7.JX8" uncompressed and installed, entry point: 0x3000
    executing...
                  Restricted Rights Legend
    Use, duplication, or disclosure by the Government is
    subject to restrictions as set forth in subparagraph
    (c) of the Commercial Computer Software - Restricted
    Rights clause at FAR sec. 52.227-19 and subparagraph
    (c) (1) (ii) of the Rights in Technical Data and Computer
    Software clause at DFARS sec. 252.227-7013.
               cisco Systems, Inc.
               170 West Tasman Drive
               San Jose, California 95134-1706
    Cisco IOS Software, C1240 Software (C1240-K9W8-M), Version 12.3(7)JX8, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2007 by Cisco Systems, Inc.
    Compiled Mon 19-Mar-07 01:42 by hqluong
    Image text-base: 0x00003000, data-base: 0x004051E0
    Initializing flashfs...
    flashfs[1]: 9 files, 3 directories
    flashfs[1]: 0 orphaned files, 0 orphaned directories
    flashfs[1]: Total bytes: 15998976
    flashfs[1]: Bytes used: 5062144
    flashfs[1]: Bytes available: 10936832
    flashfs[1]: flashfs fsck took 4 seconds.
    flashfs[1]: Initialization complete....done Initializing flashfs.
    cisco AIR-LAP1242AG-E-K9   (PowerPCElvis) processor (revision A0) with 24566K/8192K bytes of memory.
    Processor board ID FCW1411U0FZ
    PowerPCElvis CPU at 266Mhz, revision number 0x0950
    Last reset from power-on
    1 FastEthernet interface
    2 802.11 Radio(s)
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 68:EF:BD:5F:9A:18
    Part Number                          : 73-10256-07
    PCA Assembly Number                  : 800-26918-06
    PCA Revision Number                  : A0
    PCB Serial Number                    : FOC14093XU3
    Top Assembly Part Number             : 800-29152-03
    Top Assembly Serial Number           : FCW1411U0FZ
    Top Revision Number                  : A0
    Product/Model Number                 : AIR-LAP1242AG-E-K9
    Press RETURN to get started!
    *Mar  1 00:00:05.608: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
    *Mar  1 00:00:06.858: %DOT11-2-VERSION_INVALID: Interface Dot11Radio0, unable to find required radio version 581.18
    *Mar  1 00:00:06.858: Interface Dot11Radio0, Accepting as a test version of radio firmware
    *Mar  1 00:00:06.878: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
    *Mar  1 00:00:07.234: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Mar  1 00:00:08.212: %DOT11-2-VERSION_INVALID: Interface Dot11Radio1, unable to find required radio version 581.18
    *Mar  1 00:00:08.212: Interface Dot11Radio1, Accepting as a test version of radio firmware
    *Mar  1 00:00:08.232: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1
    *Mar  1 00:00:09.278: %SYS-6-LOGGERSTART: Logger process started
    *Mar  1 00:00:09.326: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, C1240 Software (C1240-K9W8-M), Version 12.3(7)JX8, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2007 by Cisco Systems, Inc.
    Compiled Mon 19-Mar-07 01:42 by hqluong
    *Mar  1 00:00:09.332: %CDP_PD-4-POWER_OK: Full power - AC_ADAPTOR inline power source
    *Mar  1 00:00:09.388: %DOT11-6-FREQ_SCAN: Interface Dot11Radio0, Scanning frequencies for 32 seconds
    *Mar  1 00:00:10.271: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
    *Mar  1 00:00:10.332: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *Mar  1 00:00:10.332: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Mar  1 00:00:11.271: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
    *Mar  1 00:00:28.331: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY
    *Mar  1 00:00:28.361: %DOT11-6-FREQ_USED: Interface Dot11Radio0, frequency 2462 selected
    *Mar  1 00:00:28.362: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
    *Mar  1 00:00:28.363: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Mar  1 00:00:28.369: %DOT11-6-FREQ_USED: Interface Dot11Radio1, frequency 5260 selected
    *Mar  1 00:00:28.372: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Mar  1 00:00:28.398: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar  1 00:00:28.399: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Mar  1 00:00:28.465: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Mar  1 00:00:29.398: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Mar  1 00:00:29.465: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    Translating "CISCO-LWAPP-CONTROLLER.ekahospital.com"...domain server (202.134.0.155)
    *Mar  1 00:00:38.351: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned DHCP address 172.31.xxx.xxx, mask 255.255.255.0, hostname AP68ef.bd5f.9a18
    *Mar  1 00:00:38.820: %DOT11-6-FREQ_USED: Interface Dot11Radio0, frequency 2417 selected
    *Mar  1 00:00:38.827: %DOT11-6-FREQ_USED: Interface Dot11Radio1, frequency 5200 selected (203.130.196.5)
    *Mar  1 00:00:49.835: %DOT11-6-FREQ_USED: Interface Dot11Radio0, frequency 2422 selected
    *Mar  1 00:00:49.842: %DOT11-6-FREQ_USED: Interface Dot11Radio1, frequency 5220 selected
    *Mar  1 00:00:49.851: %LWAPP-5-CHANGED: LWAPP changed state to JOIN
    *Mar  1 00:00:49.852: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Mar  1 00:00:49.852: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
    *Mar  1 00:00:50.852: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Mar  1 00:00:50.852: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *Sep 18 07:02:25.504: %LWAPP-5-CHANGED: LWAPP changed state to CFG
    *Sep 18 07:02:29.288: LWAPP_CLIENT_ERROR: lwapp_name_lookup - Could Not resolve CISCO-LWAPP-CONTROLLER.MYDOMAIN.com
    *Sep 18 07:02:30.504: LWAPP_CLIENT_ERROR_DEBUG: spamHandleCfgReqTimer: Did not recieve the Config response
    *Sep 18 07:02:30.551: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: DID NOT GET CONFIG RESPONSE.
    *Sep 18 07:02:30.551: %LWAPP-5-CHANGED: LWAPP changed state to DOWN
    Xmodem file system is available.
    flashfs[0]: 9 files, 3 directories
    flashfs[0]: 0 orphaned files, 0 orphaned directories
    flashfs[0]: Total bytes: 15998976
    flashfs[0]: Bytes used: 5062144
    flashfs[0]: Bytes available: 10936832
    flashfs[0]: flashfs fsck took 26 seconds.
    Base ethernet MAC Address: 68:ef:bd:5f:9a:18
    Initializing ethernet port 0...
    Reset ethernet port 0...
    Reset done!
    After that I checked my WLC, which shows:
    AP with Base Radio MAC xx:xx:xx:xx:xx:xx (APxxxx.xxxx.xxxx) is unable to associate.
    The reulatory domain configured on it '-e' does not match the controller's country
    code: USA
    I found that the problem is about the region.
    Questions:
    1. Is it possible to change the region on the AIRLAP 1242 or on the WLC?
    2. If possible, how do I change it?
    INFO:
    My first AIRLAP Product/Model Number: AIR-LAP1242AG-A-K9, and my new AIRLAP Product/Model Number: AIR-LAP1242AG-E-K9

    WLC GUI >> Wireless >> Country >> Select the country.
    Regards
    Surendra

  • Wired guest access on WLC 4400 with SW 7.0.240.0

    Hello,
    After we upgraded our WLAN controller 4400 from software 7.0.116.0 to 7.0.240.0,
    wired guest access doesn't work anymore.
    Everything else works fine, incl. WLAN guest access!
    When we try wired guest access, we get the web-authentication page and can log in.
    On the controller we can see that the Policy Manager State changes from WEBAUTH_REQD
    to RUN.
    But then there is no access to the internet.
    We also tried SW 7.0.250.0, same problem!
    Log Analysis on the WCS:
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :The WLAN to which client is connecting does not require 802 1x authentication.
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client does not have an IP address yet.
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client L3 authentication is required
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client Moved to DHCP Required State.
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Mobility role update request. from Unassociated to Local Peer = 0.0.0.0, Old Anchor = 0.0.0.0, New Anchor = 10.101.200.11
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Mobility role changed. State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :DHCP successful.
    Time :03/12/2014 14:21:26 MEZ Severity :ERROR Controller IP :10.101.200.11 Message :Client got an IP address successfully and the WLAN requires Web Auth or Web Auth pass through.
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client IP address is assigned.
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Webauth user logged in to the network. manni
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :AAA response message sent.
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client has completed Web Auth successfully.
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client has completed Web Auth successfully.
    Trying http://www.google.de .... doesn't work. No log entries. The next entries appear while logging out.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Web auth is being triggered again.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client L2 authentication has been completed successfully.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client Moved to DHCP Required State.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :WebAuth user Logged out from network.
    Does anyone have an idea how to solve this problem?
    Regards
    Manfred

    Hi
    Yes, got it resolved. It turns out that the connection from the wired guest access port to the WLC must be L2. That is, the switch that the wired guest access port and the WLC are connected to must be L2 only. We were using a single switch to do the testing and it was also doing the routing for the test LAN. Even though there was no L3 VLAN interface configured for the VLAN that the guest access port was on, for some reason this breaks it. Absolu Didn't have a chance to work out the exact limitations of this, as we simply made the switch L2 only, configured an 802.1Q trunk to the Internet router, and made subinterfaces on the router for the wired and wireless egress ports, and it worked then. No config change was needed on the WLC at all.
    The only thing I can think of is that it's something about the way the WLC joins the wired guest access ingress VLAN and egress VLAN. The WLC isn't a real router; it says so in the documentation. I think the packet coming from the wired access port is being bridged to the egress VLAN, not routed, and this is what screws it up (remember, with a router the source and destination MAC addresses would be changed; with a bridge they aren't). Got to be something along those lines. If you have a bigger network with a guest anchor WLC handling this function you don't run into this, as the traffic is coming over an EoIP tunnel from the remote WLC, so the switch with the guest anchor WLC doesn't see the MAC address of the wired guest PC.

  • WLC 4400 and IDS attacks

    Hi,
    I have a WLC 4400 and a WCS 5.2. I'm receiving alarms about flood attacks and deauthentication attacks from a client. These alarms are detected by the IDS system. I'd like to know if there is any way to block this client.
    Thanks a lot.

    Thanks Sschmidt,
    I saw this solution. The problem is that I must create an entry for each client. If a client captures the WPA key and afterwards changes his MAC, I couldn't block him. Is that correct? I don't know how easy it is to capture authentication packets with a WLC.
    Thanks

  • WLC 4400 : some of the clients are stuck in 802.1x REQD ( Auth - no but status is Associated ) in PEM process

    Hi,
    I have a WLC 4400 with a 1010 APs wireless set-up.
    Everything is working fine but, unfortunately, I am coming across one issue: clients are not getting authenticated.
    If I look at the status of the respective client in the WLC:
    status : Associated
    Auth : No
    Policy manager : 802.1X REQD
    I read about the PEM (Policy Enforcement Module); it is going through the same procedure, but the policy manager should be in the "RUN" state. Unfortunately it is not.
    How do I resolve this issue?

    Hi Vinod,
    The 802.1X_REQD state would suggest that the client cannot complete L2 authentication.
    If possible, it would be helpful to collect the following debugs from the WLC while trying to connect the client:
    debug client
    debug aaa event enable
    Also, please attach the full text output of the command "show run-config" and let us know the WLAN through which the client should be connecting.
    Regards,
    Fede
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • How to disable Password Recovery in WLC 4400

    Hi All,
    I need your help to disable password recovery on the WLC 4400, in case the hardware is stolen or hacked by an internal hacker.
    Thanks in advance for your help,
    Ahmed

    Gee whiz. This is the second post you've made in regard to disabling the password-recovery mechanism. For the WLC, I agree with Nic, it's not possible. And, for the record, there are ways to bypass a disable-password-recovery mechanism. This is mainly to prevent unauthorized use of this mechanism, for example to stop a disgruntled network administrator from shutting down a network.

  • WLC 4400 - Different minor versions same mobility group?

    Hi all,
    I have 2 WLC 4400s integrated in 3750Gs.
    One has 6.0.202 and the other 6.0.188.
    They are in different places but now I want to put them in the same mobility group.
    Will this difference be a problem?
    BR
    Anthony

    Yes, it will be an issue. You have to remember that the AP gets its firmware from the WLC image. So if an AP has to move from one to the other, it will either upgrade or downgrade each time. Best practice is to keep the firmware the same.

  • WLC 4400 question

    Hi
    The scenario is as follows:
    We deployed a WLAN with a WLC 4400 and several LWAPs. The main configuration includes 2 SSIDs, one for guest access (internet and limited access to internal resources) and one with complete access to the internal resources. For the "guest" SSID the access control is done through an ACL placed on the core Cat 6500 switch. This ACL blocks access from "guests" to several subnets, including the subnet where the WLC resides.
    No "guest" WLAN user can ping or access any host located in the subnet where the WLC is configured, but they can ping and access the WLC via https!!!
    The goal is to block "guest" users' access to the WLC, and let the WLAN users with complete access manage the WLC wirelessly.
    Can this be done?
    I know that wireless administration can be enabled or disabled, but it applies to all the WLAN users, not just the "guest" users.
    Any idea or suggestion is quite welcome.
    Roger

    Hi Roger,
    You can configure a CPU ACL if you are running the 4.0 release on your controller. In the CPU ACL you can deny telnet as well as HTTP access from the client subnet to the management IP address of the controller, which will block guest users from accessing the controller via web or CLI, and you can also block ICMP traffic from the guest user subnet to the controller IP address.
    You can configure the ACL from the CLI or the web, but to apply that ACL to the CPU you can do it via CLI only.
    HTH
    Ankur
    *Pls rate all helpfull post
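
A way to check a rule list like the one described in the reply above against the stated goal before applying it (an added example, not from the thread and not WLC code). It is a first-match model in Python; the subnets, the management address and the rule contents are constructed, and the behaviour when no rule matches is left as a parameter.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source network, CIDR
    dst: str                     # destination network, CIDR
    proto: str = "any"           # "tcp", "icmp" or "any"
    dport: Optional[int] = None  # None matches any port


def evaluate(rules, src_ip, dst_ip, proto, dport=None, default="deny"):
    """Return (action, rule_number); the first matching rule wins.

    `default` is what happens when no rule matches. It is a parameter because
    this model makes no claim about the controller's own behaviour there.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for number, rule in enumerate(rules, start=1):
        if src not in ipaddress.ip_network(rule.src):
            continue
        if dst not in ipaddress.ip_network(rule.dst):
            continue
        if rule.proto not in ("any", proto):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, number
    return default, None


# Constructed addressing (documentation ranges), not taken from the thread.
GUEST, STAFF, WLC_MGMT = "198.51.100.0/24", "203.0.113.0/24", "192.0.2.10/32"
ANY = "0.0.0.0/0"

GUEST_BLOCKS = [
    Rule("deny", GUEST, WLC_MGMT, "tcp", 23),    # telnet
    Rule("deny", GUEST, WLC_MGMT, "tcp", 80),    # HTTP
    Rule("deny", GUEST, WLC_MGMT, "tcp", 443),   # HTTPS
    Rule("deny", GUEST, WLC_MGMT, "icmp"),       # ping
]
# Explicit final rule, so staff access never depends on the default.
PERMIT_REST = Rule("permit", ANY, ANY)

GOOD_ORDER = GUEST_BLOCKS + [PERMIT_REST]
BAD_ORDER = [PERMIT_REST] + GUEST_BLOCKS         # broad permit shadows every deny


def policy_violations(rules):
    """Goal from the thread: guests blocked from the WLC, staff still able to manage it."""
    expected = [
        ("198.51.100.25", "tcp", 23, "deny"),
        ("198.51.100.25", "tcp", 80, "deny"),
        ("198.51.100.25", "tcp", 443, "deny"),
        ("198.51.100.25", "icmp", None, "deny"),
        ("203.0.113.40", "tcp", 443, "permit"),
    ]
    failures = []
    for src, proto, dport, want in expected:
        got, number = evaluate(rules, src, "192.0.2.10", proto, dport)
        if got != want:
            failures.append((src, proto, dport, want, got, number))
    return failures
```

`policy_violations(GOOD_ORDER)` is empty, while `BAD_ORDER` fails all four guest checks because rule 1 permits the traffic before any deny is reached.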

  • WLC 4400 Not authenticating between GUEST and Private networks

    Hello,
    I have a problem. I have a WLC 4400 and the problem I'm encountering is that when a user authenticates to the private network and then tries to authenticate to the Guest network, it just stays there; it doesn't do anything. Same the other way around: if you authenticate to the Guest network and change to the private network, it just sits there. I think the problem is with authentication, but I'm not sure if I'm correct.
    Can anyone help me? What information will I need to retrieve from the WLC to see where the problem lies?
    I will get the debug mac addr <client-MAC-address xx:xx:xx:xx:xx:xx> and repeat the issue in order to see if I get anything from the client.
    Thanks for the help
    Tony

    Thanks for the help.
    Actually the problem was that the WLC had the wrong time, and we also had a 24-hour lease on our DHCP, so we were running low on IPs.
    Changed the lease to 8 hours and set the time correctly, and the issue got solved.
    Thanks.
