Warning page on Cisco Wireless Lan Controller for guest access

Similar Messages

• Cisco Wireless LAN Controller Always disconnect

  Dear All,
  Please help to assist my issue.I used Cisco Wireless LAN Controller model: 5508 with version 7.0.98.0 and I got issue with connection always disconnect ping always loss or some time client can't get DHCP from Controller. 
  - I configure as Internal DHCP Server with 1 SSID.
  http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/110865-dhcp-wlc.html
  - DHCP least is not full and I also try to clear-lease all but still not work.

  1. Config dhcp proxy enable
  2. In case of internal Dhcp, try debug for clients
   using,
  debug client <MAC ADDRESS OF CLIENT>

• How to replace the certificate of Cisco 2106 wireless LAN controller for CAPWAP ?

  I have interested in CAPWAP feature and I download the open capwap project to make Access Controller (AC) and Wireless Terminal Point (WTP). I had built the AC which used PC and WTP which used Atheros AP. The CAPWAP feature work well when I enabled the CAPWAP that used my own AC  and WTP. When I got the Cisco 2106 wireless LAN controller (Cisco WLC), I configured the Cisco WLC to instead my own AC but I got the authorize fail in Cisco WLC side. It seem the Cisco WLC could not recognize the CAPWAP message which sent form my own WTP. I think this issue just need to synchronize the certificate between Cisco WLC and WTP.So I need to replace the Cisco WLC's certificate manually. Does anyone know how to replace the certificate manually with Cisco WLC ?
  Best Regards,
  Alan

  Unfortunately this Support Community is for Cisco Small Business & Small Business Pro product offerings.  The WLC2106 is a traditional Cisco product.  You can find this type of support on the Cisco NetPro Forum for all traditional Cisco products.
  Best Regards,
  Glenn

• Unable to Push the Config Frm NCS prime to CIsco WIreless Lan Controller

  Hi Guys,
  We have an issue with NCS prime, in our Network.
  We run NCS prime 1.3  and Around 10 Wireless Lan Controllers (5508 & 4404) Models.
  We are trying to Push a ACL Config Template from NCS to Wireless lan Controllers.
  This ACL is already created before  in WLCs, now we created the templates in  NCS with few rules added and planning to push Configs from NCS template.
  We are receiving errors SNMP operation to device failed. I am pretty sure it is not an SNMP  issue.
  Any inputs on this is much appreciated

  Hi Scott.
  I
  I tried deleting the ACL from Controller totally and tried pushing it. it was  not working neither 
  Raised a case with Cisco. They asked for few trace logs from NCS , told will check and get back to me.
  IS there any more inputs, you can provide, which i can try to test it?
  Regards
  Safwan

• Advantages of using a seperate controller for guest access?

  Can someone give me a good reason to use a seperate controller in a DMZ for guest users versus just trunking a DMZ VLAN to the controller. Certainly it makes sense to have a guest controller when you DMZ is not accessable to the controller locations (or you have a bunch of remote locations, but only one internet connection), but in the event that the controllers are located in a place that it can hit the DMZ is there a good reason to use a guest controller.

  I'm not even sure if that is a good reason. You can alway trunk to another non-routed VLAN and stick a cable modem and firewall to give guest user access. I'm working with someone now that thinks this is the way to go, but I've got to add a 4402-12, a switch (need GB connectivity for the controller) at a minimum. Again, it would make perfect sense if the location of the internet was not in the same building.

• Really bad example in Cisco Wireless LAN Controller FlexConnect Configuration Guide, Release 7.4

  I was just reading up on FlexConnect, and found this seriouly flawed example config. How does something like this manage to get published?
  Really!!!
  http://www.cisco.com/en/US/partner/docs/wireless/controller/7.4/configuration/guides/flexconnect/config_flexconnect_chapter_01.html#ID358
  Same subnet on three different interfaces.
  Both DHCP scopes are the same.
  There is no spanning tree when a switchport is in routed mode.
  Wrong mask on vlan 101.
  You don't need a helper if the switch is the dhcp server.
  There is no dns in the DHCP scope.
  Configuring the Switch at a Remote Site
  Step 1  
  Attach the access point that will be enabled for FlexConnect to a trunk or access port on the switch.   
  Note   
  The sample configuration in this procedure shows the FlexConnect access point connected to a trunk port on the switch.
  Step 2  
  See the sample configuration in this procedure to configure the switch to support the FlexConnect access point.In  this sample configuration, the FlexConnect access point is connected to  trunk interface FastEthernet 1/0/2 with native VLAN 100. The access  point needs IP connectivity on the native VLAN. The remote site has  local servers/resources on VLAN 101. A DHCP pool is created in the local  switch for both VLANs in the switch. The first DHCP pool (NATIVE) is  used by the FlexConnect access point, and the second DHCP pool  (LOCAL-SWITCH) is used by the clients when they associate to a WLAN that  is locally switched. The bolded text in the sample configuration shows  these settings.
  A sample local switch configuration is as follows:ip dhcp pool NATIVE
     network 209.165.200.224 255.255.255.224
     default-router 209.165.200.225
  ip dhcp pool LOCAL-SWITCH
     network 209.165.200.224 255.255.255.224
     default-router 209.165.200.225
  interface FastEthernet1/0/1
  description Uplink port
  no switchport
  ip address 209.165.200.228 255.255.255.224
  spanning-tree portfast
  interface FastEthernet1/0/2
  description the Access Point port
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 100
  switchport trunk allowed vlan 100,101
  switchport mode trunk
  spanning-tree portfast
  interface Vlan100
  ip address 209.165.200.225 255.255.255.224
  ip helper-address 209.165.200.225
  interface Vlan101
  ip address 209.165.200.226 255.255.255.225
  ip helper-address 209.165.200.226
  end

  Hi Gary,
  Is the following config correct?
  ip dhcp pool NATIVE
     network 209.165.200.250 255.255.255.224
     default-router 209.165.200.225
    dns-server 192.168.100.167
  ip dhcp pool LOCAL-SWITCH
     network 209.165.201.20 255.255.255.224
     default-router 209.165.201.1
    dns-server 192.168.100.167
  interface FastEthernet1/0/1
  description Uplink port
  no switchport
  ip address 209.165.201.25 255.255.255.224
  interface FastEthernet1/0/2
  description the Access Point port
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 100
  switchport trunk allowed vlan 101
  switchport mode trunk
  interface Vlan100
  ip address 209.165.200.250 255.255.255.224
  ip helper-address 209.165.202.128
  interface Vlan101
  ip address 209.165.201.20 255.255.255.224
  ip helper-address 209.165.202.128
  end
  >

• Cisco Wireless LAN Controller 4402 under Cisco Works RME 4.0?

  I am trying to manage a Cisco 4402 using non-default snmp communities from Cisco Works RME 4.0.  RME Credential Verification fails with “Device Not Supported” recorded against selected option; however, the controller does respond to snmp queries.  The 4402 has snmpv1 through snmpv3 enabled; and the snmp communities are associated with the correct client IP.  Is the WLC only responsive to snmp from the WLS and should the box be manageable via it’s management interface.  ICMP and telnet to the WLC from RME works OK.
  Advice and Guidance would be greatly appreciated.

  What firmware version are on the WLC's..... minimum is 5.0.148 per the RME Table.
  http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_resource_manager_essentials/4.0.5/device_support/table/RME405.html

• Cisco Wireless Control System need wireless Lan Controller ?

  Cisco Wireless Control System need wireless Lan Controller , for Rogue detection

  Hi Joao,
  The WCS is used in conjuntion with the WLC (Wireless Lan Controller) for Rogue Detection. It is not a must for this function but more of an add-on :)
  The Cisco WCS is an optional network component that works in conjunction with Cisco Aironet Lightweight Access Points, Cisco wireless LAN controllers and the Cisco Wireless Location Appliance.
  From this doc;
  http://www.cisco.com/en/US/products/ps6305/index.html
  Overview of WCS
  The Cisco Wireless Control System (WCS) is a Cisco Unified Wireless Network Solution management tool that adds to the capabilities of the web user interface and command line interface (CLI), moving from individual controllers to a network of controllers. WCS includes the same configuration, performance monitoring, security, fault management, and accounting options used at the controller level and adds a graphical view of multiple controllers and managed access points.
  WCS runs on Windows 2003 and Red Hat Enterprise Linux ES 4.0 and AS 4.0 servers. On both Windows and Linux, WCS can run as a normal application or as a service, which runs continuously and resumes running after a reboot.
  The WCS user interface enables operators to control all permitted Cisco Unified Wireless Network Solution configuration, monitoring, and control functions through Internet Explorer 6.0 or later. Operator permissions are defined by the administrator using the WCS user interface Administration menu, which enables the administrator to manage user accounts and schedule periodic maintenance tasks.
  WCS simplifies controller configuration and monitoring while reducing data entry errors with the Cisco Unified Wireless Network Controller autodiscovery algorithm. WCS uses the industry-standard SNMP protocol to communicate with the controllers.
  From this good doc;
  http://www.cisco.com/en/US/products/ps6305/products_configuration_guide_chapter09186a00806b7270.html#wp1131195
  Detect and Locate Rogue Access Points
  From this WCS doc;
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a00806f070a.shtml#new5
  Rogue Detection under Unified Wireless Networks
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a0080722d8c.shtml
  Hope this helps!
  Rob

• Wireless lan controller

  Hello,
  In our company we have a cisco wireless lan controller. the managemant interface (untagged 192.168.10.240) is able to ping to all te vlan's. When i add a interface (for example vlan 20 voice 192.168.20.240 255.255.255.0 192.168.20.254) i cant ping that network anymore from my controller while the ip and vlan configurations are good. Can someone help me to solve this problem?

  Because you have more than one VLAN, you need to TAG the uplink.  On the switch you need to enable Dot1Q Trunking and allow the required VLAN.

• 2504 with new-architecture enabled breaks MAC auth for guest access

  Hello,
  We have (2) 2504 WLC running version 7.6.120. WLC1 is the local controller and WLC2 is an achor controller for guest-access. We need to incorporate a 3850 for use with the WLC2 anchor. The guest access is currently working with Mac-Auth and Mac-Auth-Fail to Web-Auth.
  When converged access is enabled on the WLC1 and WLC2, the MAc-Auth no longer works. That is, the previously authenticated user is now redirected to the Web-Auth page. The local controller shows the user as authenticated but the Anchor controller shows the state as WEb-Auth-REQD.
  Rolling back using "config mobility new-architecture disable" and rebooting resolves the issue.
  Does anyone what changes from the old to the new that would break this mac-auth/web-auth configuration?

  You should reach TAC for these sort of issues. Not many people deploying this CA setup yet & you may not get direct feedback immediately.
  HTH
  Rasika

• Software Version Upgrade for Cisco 4402 Wireless Lan Controller

  Hi,
  We have Cisco 4402 Wireless Lan Controller with Software Version 3.2.171.6 and we want to upgrade it to latest version.
  So can anyone please let me know the latest version to upgrade the WLC?
  Also since WLC is running on very lower version is it possible to upgrade to the latest version directly or we have to move it step by step to upgrade this to latest version?
  Thanks

  Take a look at the compatibility matrix below:
  http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html
  7.0.235 is the latest that you can go to:
  http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_0_235_0.html
  The release notes outline the upgrade process.
  "Upgrade to 4.0.206.0 or later 4.0 release, then upgrade to 4.2.176.0, before upgrading to 7.0.235.0."

• Best Practice for DHCP when Anchoring to a Guest Wireless LAN Controller

  Hi all,
  I'm interested in the communities opinion in relation to DHCP provisioning when using auto-anchor/guest tunneling.
  As far as I can tell, one cannot use the internal DHCP on the anchor controller when using auto-anchor due to incompatibility between the auto-anchor feature and DHCP Option 82.
  The scenario is as follows:
  Guest controller is the anchor which provides Internet access to guests.
  There is a foreign controller which is configured to anchor to the guest controller.
  The internal DHCP server is configured on the guest anchor controller, therefore DHCP proxy must be enabled for DHCP to work.
  DHCP proxy enables Option 82.
  The guidlines for guest tunneling state that DHCP Option 82 isn't supported. (Ref: Deploying and Troubleshooting Cisco Wireless LAN Controllers - Ch14)
  So, the internal DHCP server requires DHCP proxy to be enabled; this in turn enables Option 82, which stops DHCP leases being made to clients connected to the foreign controller.
  Given that a guest WLC would normally be placed in a DMZ, the internal DHCP server may often be the only DHCP solution available.
  I look forward to hearing your opinions.
  Thanks
  Rhodri Jenkins

  There are a couple of options here if you need to get proxy disabled
  1) pinhole with an ACL that allows dhcp to pass your internal servers
  2) run dhcp on a switch, router, or firewall in the dmz
  3) if you are using a cab,e modem or dsl for the guest users, you can let that do the dhcp
  In general I've seen most of these in play, but I like option 2 myself
  Sent from Cisco Technical Support iPad App

• AIR-CAP3501I access point not joining the Cisco 2100 Wireless Lan controller.

  Hello All,
  I am installing a new LAP (AIR-CAP3501I ) through the wireless lan controller (AIR-WLC2112-K9) with software version 7.0. I have an external ADSL modem which will act as the DHCP server for the wireless clients and the LAP.
  Please find my network setup as below:
  The ISP ADSL modem , WLC and LAP are connected to a unmanaged POE switch. The LAP gets its power through the POE switch. When i connect the LAP and the WLC to the switch along with the ADSL modem, the LAPs are getting the ip address from the ADSL modem, however they are not joining the WLC for further process.
  ADSL Modem ip address: 192.168.1.254
  Management ip address on the LAP: 192.168.1.1 ( Assigned to port 1, untagged Vlan).
  Ap Manager ip address: 192.168.1.1 ( Assigned to the same port i.e port1, Untagged Vlan).
  The LAP is getting an IP address from the ADSL modem in the range of the DHCP scope.
  I will paste the logs very soon.
  Please let me know if i am doing anything wrong oe what will be the issue.
  Thanks in advance,
  Mohammed Ameen

  Hello All,
  Please find the logs for  "debug capwap event" from the WLC below:
  *spamReceiveTask: Sep 26 19:44:59.196: e8:04:62:0a:3f:10 Join Version: = 117465600
  *spamReceiveTask: Sep 26 19:44:59.197: e8:04:62:0a:3f:10 Join resp: CAPWAP Maximum Msg element len = 92
  *spamReceiveTask: Sep 26 19:44:59.197: e8:04:62:0a:3f:10 Join Response sent to 192.168.1.156:45510
  *spamReceiveTask: Sep 26 19:44:59.197: e8:04:62:0a:3f:10 CAPWAP State: Join
  *spamReceiveTask: Sep 26 19:44:59.197: e8:04:62:0a:3f:10 capwap_ac_platform.c:1216 - Operation State 0 ===> 4
  *apfReceiveTask: Sep 26 19:44:59.198: e8:04:62:0a:3f:10 Register LWAPP event for AP e8:04:62:0a:3f:10 slot 0
  *spamReceiveTask: Sep 26 19:44:59.341: e8:04:62:0a:d1:20 DTLS connection not found, creating new connection for 192:168:1:158 (45644) 192:168:1:2 (5246)
  *spamReceiveTask: Sep 26 19:45:00.119: e8:04:62:0a:d1:20 DTLS Session established server (192.168.1.2:5246), client (192.168.1.158:45644)
  *spamReceiveTask: Sep 26 19:45:00.119: e8:04:62:0a:d1:20 Starting wait join timer for AP: 192.168.1.158:45644
  *spamReceiveTask: Sep 26 19:45:00.121: e8:04:62:0a:d1:20 Join Request from 192.168.1.158:45644
  *spamReceiveTask: Sep 26 19:45:00.123: e8:04:62:0a:d1:20 Join Version: = 117465600
  *spamReceiveTask: Sep 26 19:45:00.123: e8:04:62:0a:d1:20 Join resp: CAPWAP Maximum Msg element len = 92
  *spamReceiveTask: Sep 26 19:45:00.124: e8:04:62:0a:d1:20 Join Response sent to 192.168.1.158:45644
  *spamReceiveTask: Sep 26 19:45:00.124: e8:04:62:0a:d1:20 CAPWAP State: Join
  *spamReceiveTask: Sep 26 19:45:00.124: e8:04:62:0a:d1:20 capwap_ac_platform.c:1216 - Operation State 0 ===> 4
  *apfReceiveTask: Sep 26 19:45:00.125: e8:04:62:0a:d1:20 Register LWAPP event for AP e8:04:62:0a:d1:20 slot 0
  *spamReceiveTask: Sep 26 19:45:00.273: e8:04:62:0a:d1:20 Configuration Status from 192.168.1.158:45644
  *spamReceiveTask: Sep 26 19:45:00.273: e8:04:62:0a:d1:20 CAPWAP State: Configure
  *spamReceiveTask: Sep 26 19:45:00.273: Invalid channel 1 spacified for the AP APf866.f2ab.24b6, slotId = 0
  *spamReceiveTask: Sep 26 19:45:00.274: e8:04:62:0a:d1:20 Updating IP info for AP e8:04:62:0a:d1:20 -- static 0, 192.168.1.158/255.255.255.0, gtw 192.168.1.254
  *spamReceiveTask: Sep 26 19:45:00.274: e8:04:62:0a:d1:20 Updating IP 192.168.1.158 ===> 192.168.1.158 for AP e8:04:62:0a:d1:20
  *spamReceiveTask: Sep 26 19:45:00.274: e8:04:62:0a:d1:20 Setting MTU to 1485
  *spamReceiveTask: Sep 26 19:45:00.274: e8:04:62:0a:d1:20 Finding DTLS connection to delete for AP (192:168:1:158/45644)
  *spamReceiveTask: Sep 26 19:45:00.274: e8:04:62:0a:d1:20 Disconnecting DTLS Capwap-Ctrl session 0xa06d6a4 for AP (192:168:1:158/45644)
  *spamReceiveTask: Sep 26 19:45:00.274: e8:04:62:0a:d1:20 CAPWAP State: Dtls tear down
  *spamReceiveTask: Sep 26 19:45:00.277: spamProcessGlobalPathMtuUpdate: Changing Global LRAD MTU to 576
  *spamReceiveTask: Sep 26 19:45:00.277: e8:04:62:0a:d1:20 DTLS connection closed event receivedserver (192:168:1:2/5246) client 192:168:1:158/45644).
  The Acess point joins the Controller for 2-3 seconds and then unjoins again. I am not sure what i am doing wrong here. The access points are getting the IPs from the ADSL modem through the switch, then it talks to the WLC, however it does not join the controller for further process.
  Note:
  The Managemnet interface and the AP manager interface are assigned to the same port 1 with unassigned Vlan as mention above.

• Can cisco CAP2702i connect to Cisco3850 switch with wireless LAN controller license via another switch ?

  If i connect cisco AP - CAP2702i to another switch, and use trunk port between Cisco3850 and the other switch , can the AP able to register with Cisco3850 with wireless LAN controller  ?   or the AP has to directly connect to Cisco3850 in order to register?

  The AP and 3850 wireless management are in same Vlan( vlan202). The AP is new unit and did not join MC before. 
  What i did on 3850 :
  input command - wireless management interface vlan 202
                            - ap cdp
                            - wireless mobility controller
  Is there any config i miss out on 3850 and any config need to be set on AP ?
  From Ap console output show me "could not discover WLC using dhcp ip". Is it due to AP dont have IP address? If AP register with WLC through layer 2 , i believe there is no related with IP.Correct me if i'm wrong.
  Due to the 3850 is not a POE, the AP unable directly connect to 3850  . I guess have to use power adapter to power on the AP.

• Password Recovery for Wireless Lan controller

  Hi, I am new to Wireless Lan Controller.
  I just wanted to reset the password for the Controller. Can anybody help me with this. link/procedure anything will be appreciated.
  Thanks & Regards,
  Jvalin

  I think they mean that they can not type "reset system" since they can't log in in the first place.
  The key point to be made is that you need to restart the controller. So power it off if you can't login. Then console in to the controller and type "Recover-Config" as the username. This will default the configuration and allow you to start over with a new username/password.
  There is no other password "recovery".