NetStumbler 4 and WLC 5.1

Similar Messages

• Ask the Expert: Cisco BYOD Wireless Solution: ISE and WLC Integration

  With Jacob Ideji, Richard Hamby  and Raphael Ohaemenyi   
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about  the new Identity Solutions Engine (ISE) and Wireless LAN Controller (WLC) hardware/software, integration, features, specifications, client details, or just questions about  Cisco's Bring-your-own device (BYOD) solution with cisco Experts Richard Hamby, Jacob Ideji, and Raphael Ohaemenyi. The interest in BYOD (Bring You Own Device) solutions in the enterprise has grown exponentially as guests and company users increasingly desire to use personal devices to access .  Cisco BYOD enhances user experience and productivity while providing security, ease-of-administration, and performance. The heart of the Cisco wireless BYOD solution is Identity Solutions Engine (ISE) utilizing the Cisco Unified Wireless portfolio.  Starting with ISE v1.1.1MR and WLC (Wireless LAN Controller) code v7.2.110.0 and higher, end-to-end wireless BYOD integration is reality. 
  Jacob Ideji is the technical team lead in the Cisco authentication, authorization and accounting (AAA) security team in Richardson, Texas. During his four years of experience at Cisco he has worked with Cisco VPN products, Cisco Network Admission Control (NAC) Appliance, Cisco Secure Access Control Server, and Dot1x technology as well as the current Cisco Identity Services Engine. He has a total of more than 12 years experience in the networking industry. Ideji holds CCNA, CCNP, CCSP, CCDA, CCDP, and CISM certifications from Cisco plus other industry certifications.
  Richard Hamby  works on the Cisco BYOD Plan, Design, Implement (PDI) Help Desk for Borderless Networks, where he is the subject matter expert on wireless, supporting partners in the deployment of Cisco Unified Wireless and Identity Services Engine solutions. Prior to his current position, Hamby was a customer support engineer with the Cisco Technical Assistance Center for 3 years on the authentication, authorization, accounting (AAA) and wireless technology teams. 
  Raphael Ohaemenyi  Raphael Ohaemenyi is a customer support engineer with the authentication, authorization and accounting (AAA) team in the Technical Assistance Center in Richardson, Texas, where he supports Cisco customers in identity management technologies. His areas of expertise include Cisco Access Control Server, Cisco Network Admission Control (NAC) Appliance, Cisco Identity Services Engine, and IEEE 802.1X technologies. He has been at Cisco for more than 2 years and has worked in the networking industry for 8 years. He holds CCNP, CCDP, and CCSP certification.
  Remember to use the rating system to let Jacob, Richard and Raphael know if you have received an adequate response.  
  Jacob, Richard and Raphael might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the wireless mobility sub community forum shortly after the event. This event lasts through Oct 5th, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

  OOPS !!
  I will repost the whole messaqge with the correct external URL's:
  In  general, the Trustsec design and deployment guides address the specific  support for the various features of the 'whole' Cisco TS (and other  security) solution frameworks.  And then a drill-down (usually the  proper links are embedded) to the specifc feature, and then that feature  on a given device.  TS 2.1 defines the use of ISE or ACS5 as the policy  server, and confiugration examples for the platforms will include and  refer to them.
  TrustSec Home Page
  http://www.cisco.com/en/US/netsol/ns1051/index.html
  http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf
  I find this page very helpful as a top-level start to what features and capabilities exist per device:
  http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
  The TS 2.1 Design Guides
  http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
  DesignZone has some updated docs as well
  http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng
  As  the SGT functionality (at this point) is really more of a  router/LAN/client solution, the most detailed information will be in the  IOS TS guides like :
  http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x.html
  http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book.html
  http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html

• Web Redirection Problem on Cisco ISE 1.2 and WLC 7.5

  Hello,
  We are at initial phase of deploying ISE 1.2 in our environment for Wireless Guest Users.
  I have configured ISE and WLC to talk to each other which is working fine. An SSID with MAC-Filtering is also configured on WLC and ACL only allowing ISE and DNS traffice.
  I have configured proper authentication and authorization policies on ISE. Now, when I try to connect my device (laptop and android mobile), I see my device gets associated with the SSID (Demo) and gets the right IP Address from DHCP and right VLAN from WLC. The log process on ISE is as follows.
  11001
  Received RADIUS Access-Request
  11017
  RADIUS created a new session
  11027
  Detected Host Lookup UseCase (Service-Type = Call Check (10))
  15049
  Evaluating Policy Group
  15008
  Evaluating Service Selection Policy
  15048
  Queried PIP
  15048
  Queried PIP
  15004
  Matched rule
  15041
  Evaluating Identity Policy
  15006
  Matched Default Rule
  15013
  Selected Identity Source - Internal Endpoints
  24210
  Looking up User in Internal Users IDStore - B8:B4:2E:A6:7D:75
  24216
  The user is not found in the internal users identity store
  24209
  Looking up Endpoint in Internal Endpoints IDStore - B8:B4:2E:A6:7D:75
  24211
  Found Endpoint in Internal Endpoints IDStore
  22037
  Authentication Passed
  15036
  Evaluating Authorization Policy
  15048
  Queried PIP
  15048
  Queried PIP
  15048
  Queried PIP
  15004
  Matched rule - Guest Redirection
  15016
  Selected Authorization Profile - Test_Profile
  11002
  Returned RADIUS Access-Accept
  I also see a redirect url in the detailed authentication logs. But the problem is that when I open my browser on my device, it doesn't get redirected to the guest portal url. Now since I can't get there, I can't continue with the rest of the process of authentication, COA and final ACL for internet access.
  Can some one please either guide me the correct steps that I need to follow, if I have mis configured something or advise if this is a bug.
  Thanks in advance.
  Jay

  The ACL is definitely used to define what traffic is re-directed to ISE and what traffic is not redirected. Having the permit-all statement at the end will break redirection. If you are using flex-connect then you will need to use flex-connect ACLs and apply those to the flex-connect APs. The links below should give you an idea of what needs to be done:
  http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-000.html
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
  Thank you for rating helpful posts! 

• Rogue AP - Not in sync with WCS and WLC

  WCS - 7.0.164.0 and WLC - 7.0.98.0.
  For some reason, I am seeing rogue ap alert on WLC and am not seeing on WCS.   How do I clean up database and sync with WCS and WLC.
  I am seeing same thing with coverage holes.
  - Allen -

  Allen,
       On the WLC go to Management > SNMP > Trap Controls, make sure that you have the traps checked.
  HTH,
  Steve
  *Please remember to rate helpful posts*

• WCS and WLC AP values not fully in sync.

  I have recently added several new aps on my network,after they connect to the controller, I set a hostname, and change the ip address to a static. However, WCS still sees the aps by the old ip and host name despite going into each one, hitting audit, and then save, any way to fix this? Thanks.

  You may want to also consider the following:
  1) Both the WCS and the WLC need to be at the same major revs (i.e.: The if the WCS is at v4.2, then the WLC should also be at 4.2). Failure to do so results in some significantly bizarre behavior such as errors after an audit - at least that was my experience.
  2) You may have better success if you make the change from the WCS which pushes the change to the WLC and that way the WCS is already aware of the change. (Normally, this should work - I know of one instance where it does not: changing Master Controller Mode from the WCS).
  3) If you feel strongly about making the change in the WLC (and are running a newer version of code in the WCS/WLC - i.e.: 4.x), there is a setting that forces the WLC to send configuration changes to the WCS once APPLY and "Save Configuration" are clicked:
  From the *WCS*, click on Configure->Controllers and click on the controller you wish to change, and check the "Refresh on Save Config Trap" check box and click OK.
  This will cause the controller to push any configuration changes up to the WCS after an APPLY and "Save Configuration" are clicked.
  4) In terms of getting the WCS to actually synch up with the controller (assuming the WCS and WLC are at the same rev. levels), you may need to do what I did (this was subsequent to upgrading to v4.2 in both the WLC and WCS and having chronic "mismatch" status between the WCS and WLC):
  From the WCS:
  Configure->Controllers, check the controllers you wish to synch up. From the dropdown, select "refresh config from controller"
  Next, select the DELETE option (instead of the RETAIN option). I believe that there are bugs in the software that upgrades earlier revisions to 4.2. I know that it might seem undesirable to DELETE information in the WCS, however, if you choose "DELETE", it seems to get rid of the residual information from the previous revisions that did not upgrade properly and the WCS will now be in synch with the controllers. DELETING the other settings makes the audit errors go away.
  Subsequent audits may go better for you after performing the step shown above. However, you may need to repeat this process in item 4 above once or twice more until the database gets cleaned up, but after that my own experience has been that the WCS and WLC will eventually stay in synch.
  It is unfortunate that we are forced to come up with workarounds like these when the software should clearly be able to handle this on its own, but we do what we must to get the job done.
  Hope this helps,
  - John
  (Please rate helpful posts)

• WCS and WLC WLAN Config not fully in sync

  Hi,
  We're facing the issue WCS and WLC WLAN Config is not fully in sync. WLC  showing server 1 is IP:10.160.22.151, Port:1812 but WCS server showing none even  after click on “Audit” button. Any idea how to resolve this issue? Is this causing any wireless problem? Attached is screen captured. Thanks for your help.

  You mentioned "audit". Have you done a WCS audit so the WLC and WCS are in SYNC?
  If you make a change on the WLC you will not see it in WCS UNLESS they are SYNC. You will see the term "mismatch".
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

• ISE and WLC

  Dear friends,
  We are using ISE and WLC integrity in our network, we have Corporate and Guest SSID, we configured it but client cant connect to this ssid and cant be authenticated, please see attached files and tell me if i done something wrong in configuration of WLC
  10.10.17.201 is ISE
  Thank you for attention

  Hi,
  After viewing the Trap logs it seems you have checked on validate machine.
  On the client side, make sure you don't check validate machine and then try.

• ISE and WLC SRE module compatibilty matrix

  Hi all,
  We are running SRE module on router with code of 6.x release .Is there any compatibilty matrix available for ISE and WLC code to support CWA . because as of now , the wireless clients are not redirecting to the ISE login page.
  Kindly suggest.
  Thanks,
  Regards,
  Vijay

  The doc is for wireless guest using CWA. For wired guest, I don't know since you can do wired guest from a WLC that supports it or from a switch.
  Sent from Cisco Technical Support iPhone App

• Wireless controller ha between wlc5508 and wlc 4402

  We have 2 wlc:  a wlc 5508 ( license 100 AP ) and  wlc 4402 ( license 12AP).
  We try to setup when 5508 down, 12 identify AP (important AP -Group A) will join 4402 and all other AP (not improtan AP -Group B)
  wont joint  wlc 4402.
  First, all AP join wlc 5508, 2 WLC have same mobility group.
  After that, we  config 12 APs belongto group A have primary and secondary wlc, group B only has primary wlc.
  When wlc 5508 down, some of APs of GroupA and   some of APs of GroupB join wlc 4402. We test many times and we have differnet result each times.
  is theare any way to resolve our problem?
  Thanks.

  Just to add, make sure that the WLC is running the same code, if not, then make sure the ap is supported on the code that is running on the 5508. The issue with mixed code is the ap will upgrade and downgrade very time they switch to a different WLC.
  http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html
  Sent from Cisco Technical Support iPhone App

• Prime, MSE and WLC NMSP Status

  I have a 5508 WLC and have loaded a demo of Prime 2.1 and MSE 8.0.
  The NMSP status is showing as inactive in Prime and MSE and therefore the clients are not showing on the map I have loaded.
  Any ideas?

  MSE doesn't sync with WLC when added with PI 2.1.1
  CSCup93101
  Description
  Symptom:
  NMSP is not active between MSE and WLC when added using PI 2.1.1.
  Conditions:
  This applies to only MSE added Prime Infrastructure after upgrade to 2.1.1 on Prime Infrastructure.
  If the MSE was already added to Prime Infrastructure in 2.1 or previous releases, and then upgrade to PI 2.1.1 was performed customers will not run into the NMSP problem between MSE and WLC after the PI upgrade to PI 2.1.1.
  Workaround:
  Push a template (Templates > Features and Technologies > Controller > Security > AAA > AP or MSE Authorization) with MSE MAC address and key hash.
  Please contact Cisco TAC for a patch.
  Last Modified:
  Dec 11,2014
  Status:
  Fixed
  Severity:
  2 Severe
  Product:
  Network Level Service
  Known Affected Releases:
  (1)
  2.1(1)

• Using WLS 6.1 and WLCS 3.5

  We are looking to migrate a WLS 5.1 Sp8 and WLCS 3.2 environment to a later
  release.
  We are only using the Personalization components of WLCS. Has anyone used
  the combination of WLS6.1 and WLCS 3.5, yet? What sort of problems are you
  seeing? What sort of personalization problems are you seeing?
  I know that WLCS 3.5 is only certified for WLS 6.0 sp2. My reason for
  pushing WLS 6.1..
  We have built an application that uses a lot of XML including XALAN-j 2.1.0,
  (xalan.jar, xalanj1compat.jar, xerces.jar, xml.jar, xmlservlet.jar and
  xsltc.jar). To get this working on WLS 5.1 SP8 with WLCS 3.2 was quite a lot
  of work. In fact it only works if the WebLogic classpath is in a very
  particular order. My initial read of WLS 6.1 would suggest that it includes
  the XALAN features that we use. My concern with WLS 6.0 is that I may be
  unable to get XALAN 2.1.0 working with it.
  Let me know your experience,
  Thanks
  David Marshall

  We are looking to migrate a WLS 5.1 Sp8 and WLCS 3.2 environment to a later
  release.
  We are only using the Personalization components of WLCS. Has anyone used
  the combination of WLS6.1 and WLCS 3.5, yet? What sort of problems are you
  seeing? What sort of personalization problems are you seeing?
  I know that WLCS 3.5 is only certified for WLS 6.0 sp2. My reason for
  pushing WLS 6.1..
  We have built an application that uses a lot of XML including XALAN-j 2.1.0,
  (xalan.jar, xalanj1compat.jar, xerces.jar, xml.jar, xmlservlet.jar and
  xsltc.jar). To get this working on WLS 5.1 SP8 with WLCS 3.2 was quite a lot
  of work. In fact it only works if the WebLogic classpath is in a very
  particular order. My initial read of WLS 6.1 would suggest that it includes
  the XALAN features that we use. My concern with WLS 6.0 is that I may be
  unable to get XALAN 2.1.0 working with it.
  Let me know your experience,
  Thanks
  David Marshall

• Can we create Mobility group between WISM2 and WLC 5500

  Dears,
  I need your feedback urgent please,
  Can we create Mobility Group between WISM2 and WLC 5500
  Firmware for WISM2 > 7.4.121.0
  Firmware for WLC5500 > 6.0.196.0
  I created Mobility Group with (IP address , MAC Address and Mobility group name) for Foreign Controller. if any configuration required from my side.
  Wait your feedback urgent please
  Regards,

  Hi,
  Controllers do not have to be of the same model to be a member of a mobility group. Mobility groups can be comprised of any combination of controller platforms.
  Thats enough :)
  Regards
  Dont forget to rate helpful posts

• Encrypted L3 Communications Between LAP and WLC?

  Hi All,
  I am working with a client that wants to put LAPs remote to their WLC (a 4402). The rub is that the communications between the LAP and WLC must be secure even across their private WAN! I have a couple of resulting questions if anyone is able to help;
  I can't find out if and what encryption method is (is it AES etc.?) used on the backhaul between LAPs and the WLC and what's involved?
  Terminology may be wrong here, this is not a wireless mesh, just conventional LAP to WLC
  The client's WAN is already encrypted (IPSec VPN over VPLS) in parts - what's the consequence of running AP<-->WLC with end-to-end encryption (if possible) over a WAN with IPSec, i.e. double encryption?
  Strange but true - any pointers will be much appreciated.... Phil.C

  With a 4400 series controller the control traffic between the AP and controller is already AES encrypted.  The user traffic is not encrypted.  If you use a 5508 controller all traffic between the AP and controller is AES encrypted.
  As for running the traffic through a VPN, that should work.  The issue I typically see with this is with the MTU.  The controller will drop any packets with a data payload less than 32bytes.  Depending on the MTU over the VPN I have seen packets get fragmented and this to be an issue.  If you are using one of the CAPWAP versions (5.2 or newer) dynamic MTU discovery is part of the protocol and this MTU issue really doesn't exist.

• Aironet 1200 LWAPP Conversion and WLC Authorization Issues

  Please excuse the length of this.
  I am trying to convert several Aironet 1200 series APs to the LWAPP Recovery image and register them with a WLC. There is no WCS involved.
  All of the 1200s have b/g cards in them, specifically MP21G and MP31G, so per the "Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode" guide, I am good. The 1200s are older and obviously do not have the manufacturer certificate.
  The WLC is running the latest code, AIR-WLC4400-K9-3-2-116-21.aes.
  The APs are running 12.3(7)JA2 or 12.3(7)JA3, all of which per the upgrade document and the Upgrade Tool utility meet the minimum requirements being 12.(7)JA or greater.
  I will first dive into the disaster of the conversion process.
  First, I upgraded a 1200 with a MP21G radio module. As far as the Upgrade Tool, I specified everything mandatory (AP credential file, recovery image, time source) while leaving the WLC and DNS server information absent. It successfully loaded the image and created all the necessary keys. Soon after I upgraded the image, the AP started rebooting continuously. I downgraded the AP to IOS, and found that the AP no longer has visibility of it’s radio module. It is simply gone. I upgraded and downgraded the code on the AP, hoping in the process that it would rediscover the radio module but it never did. I have not taken it apart yet to see if there is anything physically wrong and I will, but it was working fine previously, so even though it is possible that the radio module has checked out, my mind just can’t go there. Scratch one.
  So, AP number two has the same hardware. After attempting to convert it seven times with complete failure, on the eighth it successfully converted. I changed nothing is the upgrade process. Cool. So, with this success, I wanted to add it to WLC.
  Network overview: the AP and WLC (Management and AP-Manager) are in the same broadcast domain.
  Ok, the WLC configuration. The WLC is in Layer 3 mode which per the documentation is the only supported configuration that the converted Aironet APs will support. The Management and AP-Manager interfaces have been defined and are up and pingable by the converted AP. The AP information (AP MAC address, SSC, SHA key hash) has been entered in the WLC AP Authorization list as well. SSC certificates have been allowed.
  As far as DHCP options 43 and 60, none have been defined. Per the documentation, even if the WLC Controller is in Layer 3 mode, as long as the AP is in the same broadcast domain, the AP should do a LWAPP discovery and make a join request to the controller. Again, the AP can ping both the Managment and AP-Manager interfaces.
  So far, the AP has not been able to join the WLC. There is nothing in the logs. I have failed to do a debug on the WLC to see what is going on, but one thing I have seen is on the AP debug, a “AP-Manager not enough interfaces” message.
  All the documentation I have been referring to is the "Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode" guide.
  I will put the AP on a different segment tomorrow and try the DHCP route.
  It is probably something simple.
  Any ideas? :)

  Jason
  From your post I belive you've done everything the right way...excetp: Have you activated Master Controller Mode? If you haven't, no AP is ever gonna be able to register with a controller. You need to activate it temporarily when you want to add new (converted only?) radios. Once the AP is visible on the master controller (in the Wireless tab), define the primary / secondary / tertiary controller for it. If you're finished with registering any new radios, disable it again.
  You can find it under Controller -> Master Controller Mode
  And yes...always keep the AP you want to convert in the same subnet as the management int (so you don't have to use DHCP and fumble around with the option 43 setting to find the controller). To help the Upgrade Tool work troublefree: Enable Telnet mode on the controller. Also, don't forget to enter the mgmt IP / user name / password in the Upgrade Tool. At least with this I was able to complete my upgrading and registering process successfully in my own environment.
  Hope this helps...
  Toni

• How to change IP addresses of APs and WLC to the ones from different VLAN

  I'm trying to figure out what is the best practice to change IP addresses on all my access points connected/managed by the WLC.
  I have one WLC2504 controler and three AIR-LAP1041N access points the idea is to change management IP of the WLC from 192.168.2.100 (vlan1) to 192.168.12.100 (vlan79) and all access points accordingly:
  ap1 192.168.2.101 (vlan1) to 192.168.12.101 (vlan79)
  ap2 192.168.2.102 (vlan1) to 192.168.12.102 (vlan79)
  ap3 192.168.2.103 (vlan1) to 192.168.12.103 (vlan79)
  FYI all my APs obtain IP from DHCP server which sits in the vlan1 and each AP is connected to trunk port on Catalyst switch, trunk port (vlan1, vlan79, vlan80, vlan81, vlan82) carries traffic for different WLANs, so my question is what is the best way to change management IP on each device with the minimal downtime.
  Thank you for your advice,
  Luu Manioro

  Well, you will have downtime anyways, but how I would do this is the following:
  Make sure the WLC trunk port has vlan 79 being allowed
  Change the high availability on each AP to point to the hostname of the WLC and the new ip address, you don't need the old ip address anymore
  Console into the WLC or use the service port and change the management ip address and at the same time if possible, move the AP's to the new vlan 79, since they have already joined the WLC, they will know of the ip address of the WLC
  Reboot the AP by shutting down the PoE port or powering off/on the AP
  The AP will find the WLC since you have defined the high availability and also since the AP and WLC are on the same subnet.
  Scott

• Location Appliance 2700 - is it supported with v7 WCS and WLC?

  The compatibility matrix shows no support for a Location Appliance 2700 for any version 7.0.x.x for WCS and WLC. However, I did see a thread here where a v6.0.x.0 had compatibility. v6.0.202.0 is MD. Is it compatible with v7 WCS and WLC?
  Can any of the experts please comment? Thank you.

  Hi,
  here is the link that will answer ur question!!
  http://www.cisco.com/en/US/docs/wireless/controller/4400/tech_notes/Wireless_Software_Compatibility_Matrix.html#wp78062
  Please dont forget to rate the usefull posts!!
  Regards
  Surendra