WLC 4402 with 1231g

Similar Messages

• WLC 4402 with Ap 1131Ag Urgent

  Hi,
  Im trying this frist time and gone through the documenet during the installtion.
  I have configured the WLC 4402 as below
  (Cisco Controller) >show interface summary
  Interface Name Port Vlan Id IP Address Type
  ap manager 1 2 52.234.57.132 Dynamic
  management 1 untagged 52.234.57.8 Static
  service-port N/A N/A 192.168.1.1 Static
  virtual N/A N/A 1.1.1.1 Static
  (Cisco Controller) >show interface detailed management
  Interface Name................................... management
  MAC Address...................................... 00:21:a0:38:69:80
  IP Address....................................... 52.234.57.8
  IP Netmask....................................... 255.255.255.128
  IP Gateway....................................... 52.234.57.3
  VLAN............................................. untagged
  Active Physical Port............................. 1
  Primary Physical Port............................ 1
  Backup Physical Port............................. Unconfigured
  Primary DHCP Server.............................. 52.225.1.2
  Secondary DHCP Server............................ Unconfigured
  DHCP Option 82................................... Disabled
  ACL.............................................. Unconfigured
  But after onnecting my APs im getting an error...
  *Mar 1 00:18:48.839: LWAPP_CLIENT_ERROR: lwapp_name_lookup - Could Not
  resolve
  CISCO-LWAPP-CONTROLLER.hyderabad2.XXXX.com
  Translating "CISCO-LWAPP-CONTROLLER.hyderabad2.XXXX.com"...domain
  server (52.2
  24.13.1) (52.225.1.2)...
  Can you please help me .. to solve this

  Hi,
  Can you tell me what will be the best way to configure my WLAN setup.
  Our set up is
  1. 2 Cores switch 4506 with HSRP 52.234.57.3/25 (MNGMT VLAN 1)
  2. 52.234.57.128/26 (For WLANusers VLAN 2)
  3. C 3750 PWR in Access 52.234.58.0/24 USER1 (VLAN4)
  4. C 3750 PWR in Access 52.234.59.0/24 USER2 (VLAN5)
  Our DNS and DHCP server sits in HO with IP adrs 52.225.1.2 and 52.234.15.12.
  I have did the basic WLC configuration.
  and when i connected the LAP in my access i found the error of NOT able to resolve with DNS server. i.e CISCO-LWAPP-CONTROLLER.hyderabad2.XXXXX.com.
  I'm getting this error when try both L2 and L3 setup.
  We are using C4402 WLC and 1131 AG LAP
  Please advice how to overcome this.
  Thanks in advance...
  Vj

• WLC-4402 with PEAP-TLS

  Hi,
  I need to set a WLAN with the following requirements
  laptops must be configured  via Active Directory, with the following parameters:
  WPA2-Enterprise
  AES Encryption
  Authentication with EAP type "Protected EAP-TLS (PEAP-TLS)”
  Validating Certificate Authority for the RADIUS server certificate is ACME Corporate Internal Root CA
  Authentication
  Device security and user authentication must take place through Active Directory (AD).
  The AD infrastructure must be configured for auto-enrolment of ACME devices into the integral AD internal Public Key Infrastructure (PKI).
  The local site wireless controller must directly authenticate both the user and the device using a standard Microsoft RADIUS server enabled
  on the local AD controller.
  Connection must be authenticated authorised using both the AD machine objectcertificate, confirming that the device is in AD and is a valid ACME device and the user cached Kerberos (AD) credentials, confirming a valid ACME user is logged in to that device.
  I have already configured WLAN security options ;Layer2  and AAA servers (authentication server, and LDAP server)
  Based on the requirements I do not know how to set the option for certificates.
  Should I load to WLC a CA certificate and Device certificate?
  I don´t manage the RADIUS and AD controller so I don´t know If the administration staff have already set all the things in order to support PEAP-TLS
  Which questions should I ask them in order to be sure all the things necessary are set on their side??
  What additional setting are necesary if the requirements is for EAP- TTLS
  Regards,

  OK so basically what you need to do is doing EAP-TLS with Machince authentication.
  Yes, that can be done. However WHO is it going to be authenticating both? IAS? or ACS?
  Here it is a configuration example on how you can do this using ACS, doing it with IAS would be basically the same.
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml

• SNMP traps with WLC 4402

  Currently using WLC 4402 with about a dozen WAPs. I would like to start logging some messages to troubleshoot some association issues. The syslog does not seem adequate for this the issues I am having. I noticed the default SNMP traps but is only holds 255 traps. I have tried to setup an SNMP server to get the traps but I get no data, only OID values. I was successful in getting the MIBs for the OIDs but still not all the data that I see on the brief traps screen.

  Hi,
  I have tried it with solarwinds and works fine for me. Talking about the traps. But they are too many.
  The OID is : 1.3.6.1.4.1.14179.1.1.2.4.1.22
  snmp info for polling:
  MIB Value Type: Raw Value
  Format: None
  SNMP Get Type: Get Table
  Polling Type: node
  On WLC go to Managemnet (top TAB)
  Right hand select > SNMP > Traps Control.
  In this menu select what traps to need to be logged.
  These traps will be shows on the oid polled.

• 1131 LWAP not join WLC 4402

  I am deploying WLC 4402 with LWAP 1131 but AP fail to join the WLC .The resone that I dont have DNS server.The error message in the AP is :
  AP001d.451f.8582>
  *Mar 1 00:00:38.005: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned D
  HCP address 172.26.5.12, mask 255.255.255.0, hostname AP001d.451f.8582
  Translating "CISCO-LWAPP-CONTROLLER"...domain server (255.255.255.255)
  *Mar 1 00:00:49.371: LWAPP_CLIENT_ERROR: lwapp_name_lookup - Could Not resolve
  I tried to configure the Controller address in LAP but I fail ,The error when I tried to configure AP is below:
  AP001d.451f.8582#lwapp ap controller ip address 172.26.5.10
  ERROR!!! Command is disabled.
  my question is :
  is it possible to make LAP join WLC with out DNS,if yes how ?

  Hi Yhab,
  There are other ways besides DNS to help in the AP and WLC Discovery process. Have a look in this good doc;
  Lightweight AP (LAP) Registration to a Wireless LAN Controller (WLC)
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a00806c9e51.shtml#topic2
  For the Static entry problem;
  If this AP was ever registered you can use this command from the LAP CLI to clear the LWAPP configuration on the LAP:
  clear lwapp private-config
  This allows you to use the AP LWAPP static configuration commands again.
  Here is an example:
  Enable (enter password)
  AP1240#clear lwapp private-config
  AP1240#lwapp ap hostname AP1240
  AP1240#lwapp ap ip address 10.77.244.199 255.255.255.224
  AP1240#lwapp ap ip default-gateway 10.77.244.220
  AP1240#lwapp ap controller ip address 172.16.1.50
  Note: You cannot use the clear lwapp private-config command when the LAP is registered with the controller.
  http://www.cisco.com/en/US/products/hw/wireless/ps430/products_tech_note09186a00808e2d27.shtml#t2
  Hope this helps!
  Rob

• Wlc 4402 and 1010 Aps

  Hi,
  I have 2 vlans (wired-side) in my corporation: the first one for Data (vlan 1, native) and the second one for voice (vlan 2). We've just get a wlc 4402 with 1010 Aps and I would like to know one thing:
  Could I create 2 Ssids(one for voice and another for Data) and map each one to its wired Vlan?.
  Does the 1010 Ap support 802.1q?
  Thanks in advance for your help

  The 1010 aps connect to the switches as hosts
  (switchport mode access; switchport access vlan ...)
  The controller has 2 ports that connect to the network as trunks. You can connect them as port 1 and 2, or put them in a lag group [aka etherchannel)
  All the vlan trunking is done at the controller port to switch port. The AP sends the info down to the controller over the vlan specified for the aps
  In your case, you should create another vlan for the APS.
  The 4402 controller mgmt interface would sit in the same vlan as the APs. You would then create dynamic interfaces on the controller that have a vlan id and ip address for the desired network per your needs. You would then create a wlan on the controller and then bind it to the dynamic interface you just created.
  I am oversimplfying this process quite a bit, but it should get you started. There is now a good bit of info on cisco.com for the wireless products

• WLC 4402 and 802.1x How to...

  We have an WLC 4402 with the latest code on it. We also have LAP1131AG as our AP's. We have an MS IAS as our RADIUS server. Is there a document on how to implement 802.1x for the internal Laptop users to use wireless networking in the office?
  Thanks.

  Hi Kendo,
  See f this link helps you
  http://www.cisco.com/univercd/cc/td/doc/product/wireless/control/c44/ccfig41/c41sol.htm#wp1086421
  http://www.cisco.com/univercd/cc/td/doc/product/wireless/control/c44/ccfig41/c41sol.htm#wp1086421
  HTH
  Ankur
  *Pls rate all helpfull post

• WLC 4402 vlan questions

  I am trying to implement a Cisco Wireless solution. I have some Cisco knowledge, but it is limited. I did successfully configure the WLC 4402 with 1200 series APs. Created two WLANs, each with its own SSID. SSID ?guest? uses WEP, and gets addresses via the internal DHCP server. The DCHP range I chose exists within out current network, something I need to change according to the documentation I have read. This network should not see our network, but can browse the internet. SSID ?secure? uses WPA with MAC authentication. I can connect to either SSID and access all network resources. However this only works with two caveats.
  1) I have to use the management interface
  2) The DHCP range for the guest network needs to fall within our network
  Trying to implement any kind of security for the ?guest? network has not gone so well. I have problems just about at every point. After reading some documents, I decided I needed to add 2 interfaces for the 2 WLANs. My interface info is below.
  Interface Name Mgr Port Vlan Id IP Address Type Ap
  ap-manager LAG untagged 10.1.104.154 Static Yes
  guest LAG 10 192.168.10.10 Dynamic No
  management LAG untagged 10.1.104.153 Static No
  production LAG 20 192.168.20.20 Dynamic No
  service-port N/A N/A 192.168.1.1 Static No
  virtual N/A N/A 1.1.1.1 Static No
  My intention was to apply an access list the guest VLAN so as to limit its traffic. If I apply the guest interface ?VLAN 10 (instead of the management-VLAN 0) it doesn?t work. I found a doc that addresses this so I added trunking to the interface the WLC is attached to on our 6509 (CatOS)switch.
  MySwitch (enable) set trunk 2/6 on dot1q
  Trunking is enabled, but no dice. I thought this might be a routing issue between my switch and my gateway. So I changed the VLAN on the management interface. I thought this would at the very least allow me to ping the switch, but I was wrong. I changed that back and added this entry into our gateway
  interface Vlan10
  ip address 192.168.20.1 255.255.255.0
  I thought that way the wireless controller would be able to see the IP address, on the router, but it didn?t work.
  Also I cannot use the new DHCP range I chose (192.168.10.x), I assume because it is not 10.1.x.x, so it can?t find it.
  I would really appreciate some help from someone who has done this. I am very confused.

  Hi
  Okay number of things here.
  Firstly you are correct about needing a trunk interface between the WLC and your switch. Make sure that all the vlans you have created are allowed on the trunk link.
  On the 6509 run
  "sh int trunk" and confirm that the status is up.
  You will need to create vlan interfaces for each of your WLC vlans on the 6500. You say you have created vlan 10 interface on the 6500.
  What is the default gateway on the WLC set to ?
  For DHCP addressing to work you will need to us eth "ip helper-address "DHCP IP address" under the vlan interface eg
  vlan 10
  ip address 192.168.20.1 255.255.255.0
  ip helper-address "DHCP server address"
  You need to do this for all vlan interfaces you want to pick IP addresses up for clients.
  HTH
  Jon

• Cisco AIR-LAP1041N-E-K9 not working with WLC 4402 version 7.0.116.0

  Hi All,
  appreciate your support for a problem i started facing today. i have a Cisco WLC 4402 running version 7.0.116.0 and it is working great with 25 Cisco 1252 APs. we have recieved a new 20 Cisco 1041N APs today and i installed one in our site but it doesn't work. it worked fine and loaded the image from flash and got the WLC ip address through DHCP option and started showing the below error:
  *Mar  1 00:00:10.021: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
  *Mar  1 00:00:10.033: *** CRASH_LOG = YES
  *Mar  1 00:00:10.333: Port 1 is not presentSecurity Core found.
  Base Ethernet MAC address: C8:9C:1D:53:57:5E
  *Mar  1 00:00:11.373: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
  *Mar  1 00:00:11.465: %LWAPP-3-CLIENTEVENTLOG: Read and initialized AP event log (contains, 1088 messages)
  *Mar  1 00:00:11.494:  status of voice_diag_test from WLC is false
  *Mar  1 00:00:12.526: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to up
  *Mar  1 00:00:13.594: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
  *Mar  1 00:00:13.647: %SYS-5-RESTART: System restarted --
  Cisco IOS Software, C1040 Software (C1140-K9W8-M), Version 12.4(23c)JA2, RELEASE SOFTWARE (fc3)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2011 by Cisco Systems, Inc.
  Compiled Wed 13-Apr-11 12:50 by prod_rel_team
  *Mar  1 00:00:13.647: %SNMP-5-COLDSTART: SNMP agent on host APc89c.1d53.575e is undergoing a cold start
  *Mar  1 00:08:59.062: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
  *Mar  1 00:08:59.062: bsnInitRcbSlot: slot 1 has NO radio
  *Mar  1 00:08:59.138: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
  *Mar  1 00:08:59.837: %SSH-5-ENABLED: SSH 2.0 has been enabled
  *Mar  1 00:09:00.145: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
  *Mar  1 00:09:09.136: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 172.16.26.81, mask 255.255.255.0, hostname APc89c.1d53.575e
  *Mar  1 00:09:17.912: %PARSER-4-BADCFG: Unexpected end of configuration file.
  *Mar  1 00:09:17.912:  status of voice_diag_test from WLC is false
  *Mar  1 00:09:17.984: Logging LWAPP message to 255.255.255.255.
  *Mar  1 00:09:19.865: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
  *Mar  1 00:09:19.886: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
  *Mar  1 00:09:20.873: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
  *Mar  1 00:09:20.874: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated
  Translating "CISCO-CAPWAP-CONTROLLER.atheertele.com"...domain server (172.16.40.240)
  *Mar  1 00:09:29.029: %CAPWAP-5-DHCP_OPTION_43: Controller address 172.16.100.102 obtained through DHCP
  *May 25 08:27:02.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
  *May 25 08:27:02.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
  *May 25 08:27:03.175: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
  *May 25 08:27:03.177: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
  *May 25 08:27:03.177: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
  *May 25 08:27:03.329: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
  *May 25 08:27:03.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
  *May 25 08:27:03.333: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
  *May 25 08:27:03.333: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
  *May 25 08:27:03.378: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
  *May 25 08:27:03.378: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
  *May 25 08:27:03.378: bsnInitRcbSlot: slot 1 has NO radio
  *May 25 08:27:03.448:  status of voice_diag_test from WLC is false
  *May 25 08:27:14.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
  *May 25 08:27:14.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
  *May 25 08:27:15.185: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
  *May 25 08:27:15.186: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
  *May 25 08:27:15.186: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
  *May 25 08:27:15.330: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
  *May 25 08:27:15.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
  *May 25 08:27:15.334: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
  *May 25 08:27:15.334: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
  *May 25 08:27:15.379: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
  *May 25 08:27:15.379: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
  *May 25 08:27:15.379: bsnInitRcbSlot: slot 1 has NO radio
  *May 25 08:27:15.450:  status of voice_diag_test from WLC is false
  *May 25 08:27:26.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
  *May 25 08:27:26.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
  *May 25 08:27:27.182: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
  *May 25 08:27:27.183: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
  *May 25 08:27:27.184: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
  *May 25 08:27:27.329: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
  *May 25 08:27:27.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
  *May 25 08:27:27.333: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
  *May 25 08:27:27.333: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
  *May 25 08:27:27.377: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
  *May 25 08:27:27.377: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
  *May 25 08:27:27.377: bsnInitRcbSlot: slot 1 has NO radio
  *May 25 08:27:27.433: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
  *May 25 08:27:27.446: %PARSER-4-BADCFG: Unexpected end of configuration file.
  *May 25 08:27:27.447:  status of voice_diag_test from WLC is false
  *May 25 08:27:27.448: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
  *May 25 08:27:27.456: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
  *May 25 08:27:38.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
  *May 25 08:27:38.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
  *May 25 08:27:39.183: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
  *May 25 08:27:39.184: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
  *May 25 08:27:39.184: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
  *May 25 08:27:39.326: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
  *May 25 08:27:39.329: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
  *May 25 08:27:39.329: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
  *May 25 08:27:39.330: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
  *May 25 08:27:39.375: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
  *May 25 08:27:39.375: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
  *May 25 08:27:39.375: bsnInitRcbSlot: slot 1 has NO radio
  *May 25 08:27:39.446:  status of voice_diag_test from WLC is false
  *May 25 08:27:49.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
  *May 25 08:27:49.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
  *May 25 08:27:50.179: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
  *May 25 08:27:50.180: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
  *May 25 08:27:50.180: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
  *May 25 08:27:50.323: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
  *May 25 08:27:50.326: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
  *May 25 08:27:50.326: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
  *May 25 08:27:50.326: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
  *May 25 08:27:50.370: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
  *May 25 08:27:50.370: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
  *May 25 08:27:50.370: bsnInitRcbSlot: slot 1 has NO radio
  *May 25 08:27:50.425: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
  *May 25 08:27:50.438: %PARSER-4-BADCFG: Unexpected end of configuration file.
  i searched for the regulatory domains difference between  AIR-LAP1041N-E-K9 and  AIR-LAP1041N-A-K9 and didn't find any difference that may affect the operation of this AP.
  just to mention that our configuration in WLC for regulatory domains is:
  Configured Country Code(s) AR 
  Regulatory Domain  802.11a:  -A
                               802.11bg: -A
  My question is, should i only include my country in the WLC (IQ) to add the requlatry domain (-E) to solve this problem? or changing the country will affect the operation of all working APs??
  Appreciate your kind support,
  Wisam Q.

  Hi Ramon,
  thank you for the reply but as shown in the below link:
  http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7.0.html#wp233793
  the WLC in version 7.0.116.0 supports Cisco 1040 seiries APs.
  Thanks,
  Wisam Q.

• WLC 4402-50 with ACS 3.3

  Hi,
  We want to use ACS to authenticate an ssh or http connection to a WLC 4403-50 4.2.99 using TACACS+. On our ACS 4.2 test server it works fine. Configured identically on an ACS 3.3 appliance we are not able to log in although we do see a successful login in the Passed Authentications report withing ACS.
  Is there an incompatability between the WLC 4402-50 with ACS 3.3?
  thanks
  Bob

  The Cisco Secure Access Control Server (ACS) provides authentication, authorization, and accounting (AAA) services for users of the wireless network.
  It is also possible to employ a WLC controller strategy that uses an N+1 approach. When using N+1 architecture, each WLC is configured with a WLC that is designated as a backup WLC in the event of a failure. This controller is not used until there is a failure event upon which all APs using the failed controller switch to the backup WLC. This cost-effective approach provides a high level of availability in the event of a single WLC failure scenario.

• Hellp on Nokia E61i associating with Cisco WLC 4402

  I met some problem with associate Nokia's dual mode mobile phone E61i with Cisco WLC 4402, hope someone can help me on it:
  I setup a VOICE WLAN in 4402(v5.0.148), Layer2 security is WPA1+WPA2, Key management using 802.1x, WPA1 policy enable both TKIP and AES, Radius server using ACS engine(v4.1.1.23)(enable PEAP-MSCHAPv2);
  I can use my laptop to join this WLAN(my laptop configure with PEAP/MSCHAPv2, WPA-TKIP, not validate server certificate), but can't let E61i join it, each time it will remind me “unable to connect, WPA authenticate failed).
  In E61i, I select WPA/WPA2 as WLAN security mode, enable EAP-PEAP, under EAP-PEAP, I enable EAP-MSCHAPv2; however under Cipher, there's a lot of options such as “RSA,3EDS,SHA”, “RSA,AES,SHA”, but there's no TKIP, I have tried to enable all of them and tried only enable those items which include AES, but I failed each time with the same reminder “unable to connect, WPA authenticate failed”. I checked ACS's failed log, there's no record; In 4402, there also have no record.
  If I change the security to open or static WEP for VOICE WLAN, then the E61i can connect to the WLAN.
  I think the problem maybe relate to encryption or certificate, right now I just do the test in lab, not in customer's real environment, so I use ACS to generate a self signed certificate and installed it in ACS.
  Pls. help to point me what I need to adjust to make it work. Thanks!

  Hello,
  CCKM Key Management mode on Nokia E61i phone can be used
  against Cisco LWAPP AP's with TKIP encryption
  Nokia E61i (and other E-series WLAN enabled phones) are supporting CCKM key management method with both dynamic WEP and TKIP ciphers.
  On the phone configuration, 802.1X security mode needs to be in use in order to enable CCKM support. WPA/WPA2 security mode on the phone is dedicated to standards based WPA and WPA2 methods and it does not allow usage of proprietary CCKM key management method.
  Phone's 802.1X security mode does not mean that phone would only support dynamic WEP encryption method in this mode although in contexts term "802.1X" may be attached to pure dynamic WEP (legacy / pre WPA era)security methods.
   802.1X security mode can be seen on Nokia Eseries phones as sort of an "everything with EAP based authentication is allowed" mode, meaning that following key management and cipher configurations are supported:
  - WPA-Enterprise  = WPA Key Management (EAP based authentication) with TKIP encryption
  - WPA2-Enterprise = WPA2 Key Management (EAP based authentication) with AES encryption
  - Mixed WPA/WPA2-Enterprise = I.e. WPA/WPA2 Mode Migration WPA2 Key Management (EAP based authentication) with AES (for unicast data) and TKIP (for multicast data) ciphers
  - 802.1X dynamic WEP = legacy (pre-WPA era) 802.1X based dynamic WEP (EAP based authentication with dynamic WEP encryption)
  Supported:
  - CCKM with WEP = CCKM Key Management (EAP based authentication) with dynamic WEP encryption
  - CCKM with TKIP = CCKM Key Management (EAP based authentication) with TKIP encryption
  Not supported:
  - CCKM with AES = CCKM Key Management (EAP based authentication) with AES encryption
  Please note that CCKM-AES mode (CCKM Key Management with AES cipher) is not working properly due to some incompatibilities between Cisco and Nokia implementations thus it must not be listed as a supported combination on the current Nokia E-series devices. We are also seeing CCKM-Fast
  Re-authentication failures with Cisco autonomous AP's when AES encryption is used although initial authentication to autonomous AP's is successful. Nokia is currently working with Cisco to get CCKM-AES based authentications and roaming working properly with both LWAPP and autonomous Cisco AP's.
   Also note that Nokia E-Series does not support Cisco proprietary CKIP/CMIC encryption/data integrity methods. CKIP/CMIC is supported at least by Cisco autonomous AP's and it seems to be available also
  at least on LWAPP AP version 4.1.171.0.
   CCKM on E-Series devices has been tested against Cisco LWAPP (ver. 4.1.171.0) and it works when TKIP encryption is in use (WPA Policy + TKIP encryption in Cisco LWAPP configuration terms).
  In practice this means Cisco LWAPP is configured in a following manner: WLAN -> Edit -> Security-> 
  Layer 2 Security = WPA+WPA2
  WPA+WPA2 Parameters:
  -WPA Policy = enabled
  -WPA Encryption = TKIP enabled, AES disabled
  -WPA2 policy = disabled
  -Auth.Key Mgmt = CCKM
  Br,
  -Pasi-

• Create a point to point link with a wlc 4402

  Hi to all,
  i have a wlc 4402 and i need to configure a point to point link with two air-lap1310g-e-k9, i have found on cisco.com this link:
  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808e9c1b.shtml#zero
  but on the wlc configuration page i cannot found some configuration step.
  Someone have configured this type of behaviour or can give me some hints?!
  How can i configure on the wlc the parameter about the bridges configuration?! Or i must configure the bridges overriding the global configuration?!
  Thanks and best regards,
  Carlo Sagratella.

  The correct thing to do would be to downgrade the 1310's to autonomous (or 1242's) and set up a root bridge and non-root bridge.
  Alternately however, if you REALLY wanted one of the points to be LWAPP, in theory you could always make one of the Access Points Autonomous and join it as a workgroup bridge to the LWAPP AP. However, there really is no reason to do that since it would be cleaner to convert both to autonomous.

• WLC 4402 username and password expires automatically

  Hi,
  We are facing issue with Cisco WLC 4402 (Cisco AireOS Version 4.2.205.0) and username and password expired automatically. It happens very often. We are not able to retreive the password, so everytime we need to reset(factory default) the Cisco WLC4402 and doing fresh installation.
  Whether it is the hardware issue or software bug.
  Also is there any possibility of recover the username and [password with resetting the cisco wlc4402.
  Kindly suggest on this issue.
  Regards
  S.Manikandan

  Hmmm.. Strange!! are we using any TACACS to manage?? or just the management username and password??
  I guess after 5.2 WLC code or so we have the option of resetting the password without losing the config!!
  Regards
  Surendra

• WLC-4402+AIR-LAP1142N problem

  Hello all,
  I've got a following problem with bringing up simple wireless configuration. There is a WLC-4402 controller and several remote locations (I am testing one so far). Two WLAN configured (one for employee and the other for guest access - no mobility anchoring used, guest is just mapper to VLAN restricted on the firewall). WLC serves DHCP pools for wireless clients. Problem I am experiencing at the moment is that user with laptop is able to connect to guest WLAN, got an IP but can communicate (ping) only its own IP, the controller IP in guest subnet and default gateway (which is the firewall interface). Traffic to any other destinations never hit gateway (I am running tcpdump on it to confirm). I double checked controller config but no luck so far. Could that be caused by missconfigured tunnel? No ACL or restriction set on WLC - see attached config.
  Thank you in advance,
  Peter

  Is this an open network or have you enabled layer 3 security? Web Auth? I can see you have created a lobby admin account so expect that you use this for guest account creation with web auth..
  When you associate/receieve IP address to the open guest network have you then opened a web browser and authenticated? Until you enter your login details created on the WLC I would imagine that you wouldn't be able to send any data.
  If you have authenticated already, can you check on the WLC that the client is associated/authenticated and is the Corp network ok? Also what is the topology between the WLC/Firewall/Remote sites.
  Cheers
  Mat

• WLC 4402 7.0.220.0 compatability.

  hello friends,
  Could you please let me know if Windows 8 laptops machine are conpatible with the WLC IOS Version 7.0.220.0.
  My client has WLC 4402 Version 7.0.220.0.
  The message that appears is AAA authentication failed.
  Your help will be highly appreciated.
  Warm Regards
  Nelson Mathias

  You need 7.0.235.3 as a minimum. Here is a reference guide.
  https://supportforums.cisco.com/docs/DOC-27213
  Sent from Cisco Technical Support iPhone App