2504 Wireless Controller and Server 2008 NPS

I want to configure a simple NPS/RADIUS server for wireless authentication. I've read well over the EAP setup, and because it makes use of certificates it isn't going to work for non-domain computers. I'm looking for a way to copy what I have to VPNs, where when a user tries to login it asks for their username and password.
Ergo, when a computer, iPad, iPhone, Android, or Mac connects to the wireless I want them to be asked for their domain username and password. If possible I'd like to keep it so they do not need to specify domain\username but rather just their username.
Is what I'm looking to do possible? I've configured it with EAP but again in this deployment I cannot make use of certificates or a domain CA. I am also not able to touch every machine that comes in to connect to the wireless. I am also looking to use LDAP/RADIUS in place of a PSK or WEP key so that user passwords can be changed per the domain policy every so often. We also have a wireless users group so not just anyone can connect. For every other non-company employee we already have a restricted SSID for guests with a PSK.
Thanks in advance for any and all suggestions!

Joe:
Having NPS, you have the options to configure PEAP-MSCHAPv2 or EAP-TLS.
EAP-TLS: mandates a certificate on the server as well as a certificate on every single machine for authentication purposes.
PEAP-MSCHAPv2: mandates a certificate on the server only. Users connecting to the wireless network must trust the certificate (or, user devices can be configured to escape this trust and connect even if the server cert is not trusted).
For PEAP-MSCHAPv2, your options are:
- Buy a certificate for the server from a trusted party (Verisign for example [which was bought later by Symantec]). This way all devices will - by default - trust the server's cert.
- Install a local CA. Install a cert on the server and then push the root CA cert for your CA to all client devices so they trust this issuer.
- If both options above are not valid for you, what you can do is to configure every single client to ignore the untrusted cert and proceed with the connection. (This is a security concern, though; not recommended unless really needed.)
You must get a cert on the server and all clients must trust that certificate's issuer. Otherwise you'll not be able to use PEAP.
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"

Similar Messages

  • EAP-TLS problems with Cisco AP541N and Server 2008 NPS

    Hi,
    I want to use EAP-TLS with my shiny new certificates issued by my new Windows CA, and what happens? Nothing works.
    I don't have a clue what I should do. I try to establish a EAP-TLS connection using my Windows CE mobile device, but my cisco AP541N logs this:
    Oct 18 15:42:58
    info
    hostapd
    wlan0: STA 00:17:23:xx:xx:xx IEEE 802.1X: Supplicant used different EAP type: 3 (Nak)
    Oct 18 15:42:58
    warn
    hostapd
    wlan0: STA 00:17:23:xx:xx:xx IEEE 802.1X: authentication failed - identity 'XXXXXX' EAP type: 13 (TLS)
    Oct 18 15:42:58
    info
    hostapd
    The wireless client with MAC address 00:17:23:xx:xx:xx had an authentication failure.
    NPS logs this:
    Name der Verbindungsanforderungsrichtlinie: Sichere Drahtlosverbindungen 2
    Netzwerkrichtlinienname: XXXXXX
    Authentifizierungsanbieter: Windows
    Authentifizierungsserver: XXXXX
    Authentifizierungstyp: EAP
    EAP-Typ: -
    Kontositzungs-ID: -
    Protokollierungsergebnisse: Die Kontoinformationen wurden in die lokale Protokolldatei geschrieben.
    Ursachencode: 22
    Ursache: Der Client konnte nicht authentifiziert werden, da der angegebene EAP (Extensible Authentication-Protokoll)-Typ vom Server nicht verarbeitet werden kann.
    I'm sorry it's german, but the gist is: The server can't process the authentication with the specified EAP type, which should be EAP-TLS.
    I think the NAK answer in my cisco AP logs is the problem. Well, not the problem, since it is the standard procedure in the EAP request / challenge, I think, but somebody messes up with it.
    Did anybody encounter something like this before? Or just knows what to do?
    Thanks in advance
    Lenni
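    Added example for this thread and for the PEAP-MSCHAPv2 vs EAP-TLS answer at the top of the page; it is not code from the posts, Cisco or Microsoft. It is a small RFC 3748 EAP decoder that walks a constructed (not captured) exchange in which the server proposes one method, the supplicant answers with a Nak (type 3) asking for EAP-TLS (13) and the server sends EAP-Failure, which is the pattern the AP log above shows and NPS reports as reason code 22.

```python
"""Decode EAP packets (RFC 3748) and explain a failed method negotiation.

Constructed example for this thread, not code from the posts, Cisco or
Microsoft. The byte strings below are made up to mirror the AP log: the
server proposes one EAP method, the supplicant answers with a Nak (type 3)
naming another, and the server gives up with an EAP-Failure.
"""
import struct

CODE_REQUEST, CODE_RESPONSE, CODE_SUCCESS, CODE_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK = 1, 3
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS",
             25: "PEAP", 26: "MSCHAPv2"}


def name(t):
    return EAP_TYPES.get(t, f"type {t}")


def parse_eap(pkt):
    """Return the header fields and type data of one EAP packet."""
    if len(pkt) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError(f"bad EAP length {length}")
    p = {"code": code, "id": ident, "type": None, "data": b""}
    if code in (CODE_REQUEST, CODE_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response needs a Type byte")
        p["type"] = pkt[4]
        p["data"] = pkt[5:length]
    return p


def nak_wanted_types(p):
    """Methods a supplicant lists in a Nak; empty means 'none of yours'."""
    if p["code"] != CODE_RESPONSE or p["type"] != TYPE_NAK:
        raise ValueError("not an EAP Nak")
    return [t for t in p["data"] if t != 0]      # type 0 = nothing acceptable


def diagnose(exchange):
    """Walk an EAP conversation and say why it ended the way it did."""
    offered, wanted, outcome = [], [], "incomplete"
    for pkt in exchange:
        p = parse_eap(pkt)
        if p["code"] == CODE_REQUEST and p["type"] != TYPE_IDENTITY:
            offered.append(p["type"])             # server proposing a method
        elif p["code"] == CODE_RESPONSE and p["type"] == TYPE_NAK:
            wanted.extend(nak_wanted_types(p))    # supplicant refusing it
        elif p["code"] in (CODE_SUCCESS, CODE_FAILURE):
            outcome = "success" if p["code"] == CODE_SUCCESS else "failure"
            break
    if outcome == "failure" and wanted and not set(wanted) & set(offered):
        verdict = (f"method mismatch: server offered {[name(t) for t in offered]}, "
                   f"supplicant Nak'd and asked for {[name(t) for t in wanted]}; "
                   "enable that method in the NPS network policy or change the client")
    elif outcome == "failure":
        verdict = "failed after the method was agreed (credential or certificate problem)"
    elif outcome == "success":
        verdict = f"authenticated with {name(offered[-1]) if offered else 'no method'}"
    else:
        verdict = "conversation incomplete"
    return {"offered": offered, "wanted": wanted, "outcome": outcome, "verdict": verdict}


# Constructed exchange: Identity round trip, server proposes PEAP (type 25,
# Start flag 0x20), client Naks asking for TLS (13), server sends Failure.
MISMATCH = [
    b"\x01\x01\x00\x05\x01",        # Request/Identity
    b"\x02\x01\x00\x09\x01user",    # Response/Identity "user"
    b"\x01\x02\x00\x06\x19\x20",    # Request type 25 (PEAP), Start
    b"\x02\x02\x00\x06\x03\x0d",    # Response Nak, wants 13 (TLS)
    b"\x04\x03\x00\x04",            # Failure
]

if __name__ == "__main__":
    print(diagnose(MISMATCH)["verdict"])
```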

  • How do I configure the 2504 Wireless controller with AP?

    I recently purchased the 2504 wireless controller and the 1602i AP. I was able to do the basic setup of the controller and can now access the web interface, but the AP is not being detected and I am unable to add it.

    First of all: the 1602 AP needs a minimum software version on the WLC: 7.4.100.0
    Paste this info:
    sh sysinfo from WLC
    sh version from AP.
    Did you create a DHCP pool for APs to get an IP?
    Try to keep the AP and WLC on the same subnet.
    regards

  • Manually add Access Point to 2504 Wireless Controller

    We have a 2504 Wireless Controller and it works great!
    We currently have 6 Access Points (Aironet 1252) connected.
    We just added the sixth one a few weeks ago and with a properly configured and fully functioning Wireless Controller, it was super easy.
    Now, I have been assigned to add another Access Point, but at a remote site.
    The plan is to have up to three or more APs at this remote location and we want them to talk back to the Wireless Controller.
    We have plenty of licences on our current Wireless Controller.
    We do not want to spend the funds for another Wireless Controller and more licenses.
    1. How does one manually add an Aironet 1252 to the 2504 Wireless Controller?
    2. If the AP is on a different subnet than the Wireless Controller, how does one get it registered?
    3. The best for last: Can an Aironet 1252 talk to a 2504 Wireless Controller over a WAN link?
    If so, how?
    Thank you!
    Bryan Smith

    Here are some links
    AP join
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a00806c9e51.shtml
    FlexConnect
    http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_flexconnect.html
    Sent from Cisco Technical Support iPhone App

  • WAP321 & Aironet 2602e & 2504 Wireless Controller?

    Hello,
    I am new to Cisco networking. I am currently in an environment with no Wireless Controller and the wifi uses two Cisco WAP321's.  The company wants to expand the wireless and has bought a Cisco 2504 Wireless Controller and a Cisco Aironet 2602e Controller-based WAP.  My question is once we start using the controller can it control the formerly controller-less WAP321's or will that have to be replaced with another Cisco Aironet 2602e?  Thank you.

    My question is once we start using the controller can it control the formerly controller-less WAP321's
    WLC 2504 will not support AP321s.  Talk to your authorized Cisco reseller and see if they will accept if you trade-in the AP321 for the AP 2602.
    Make sure your AP 2602 have the correct regulatory domain.  If you are unsure DO NOT open the boxes.
    For more information, go here: 
    http://www.cisco.com/en/US/prod/collateral/wireless/ps5679/ps5861/product_data_sheet0900aecd80537b6a_ps10981_Products_Data_Sheet.html
    Another thing, for AP 2600, your 2504 should have the minimum firmware of 7.2.110.X.  If you don't have it, then talk to the authorized Cisco reseller who sold you the controller and kindly ask them (nicely) if they could download the correct firmware for you.

  • Newbie 2504 Wireless Controller Software Connection

    Hi Everyone,
    I've just placed an order for a 2504 Wireless controller and access point. My supplier has asked what software load I require? Can someone explain to me what the options are? Is he just talking about licensing or is it something else?
    Thanks for your help.

    Is he asking what software Version?
    Most people who have an existing Cisco Wireless infrastructure have a specific version of code running (not necessarily the latest) so when ordering additional controllers they might be given the option of what code to run (6.0 vs 7.0 for example).
    If they are asking you what software version, I'd just have them put the latest 7.0 on it (7.0.220.0).
    Or are you buying the AP 3600? If you are buying the AP 3600, you must go with the 7.1 code.

  • Wireless Controller and Microsoft Windows 2008 NPS

    Hello Community,
    Got a nightmare project to convert our Wireless over to Windows 2008 NPS for AP, Controller and User Authentication.  Anyone have a link to a good Deployment Guide/How To on what is needed for the NPS Server (esp. the attributes for AP, Controller and Users)?
    Thank You
    Michael

    So you are looking to use RADIUS to authenticate the management users and the actual wireless clients?
    RADIUS Management
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml
    This goes over what attributes you need to return from the RADIUS server.
    For the users:
    http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080bfb19a.shtml
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • 3702e AP and 2504 wireless controller

    Hey,
    If I want to deploy a number of 3702e AP which support 802.11ac am I ok to use the 2504 wireless controller?
    Thanks,
    Jonathan

    I agree with Rasika's post about the minimum software you'll need, however, you say you want to deploy 3702e.  What is the antenna you're going to be using and how will the antennas be deployed?
    Remember that you'll find some distinct limitations when you want to employ 802.11ac nowadays.  Your first quest is to find clients which can FULLY support 802.11ac.  Don't look at the ads.  I mean there are some smartphones and tablets that claim to support 802.11ac but if you look closely at the product specifications there is only ONE wireless antenna.
    Your next hurdle will be your network.  Understand what bandwidth a single 802.11ac client can push through the ethernet cable.  Next multiply that by, say, three (three wireless clients associated to three different APs and all three running 802.11ac).  Now let's say all three APs are connected to ONE switch.

  • Question about 2504 Wireless Controller

    Hello,
    I am tasked with configuring a 2504 wireless controller.  Is it possible to assign an SSID to an interface that has dynamic ap management enabled?
    Scenario:
    Location 1:
    1) 10.0.0.0/24
    2) 192.168.0.0/24 DMZ
    Location 2:
    1) 10.0.5.0
    Both locations are routable using network 1 at each location.  However, I need to configure several access points and send them to location 2.  These access points will communicate with the controller at location 1 on network 1.  Two SSIDs will need to be on network 1 at location 1.  The other SSID will be on Network 2 at location 1.  This network is not routable. 
    Thank You for your help.

    So this is how you want this to be setup:
    Scenario:
    Location 1:
    1) 10.0.0.0/24
    2) 192.168.0.0/24 DMZ
    Location 2:
    1) 10.0.5.0
    Both locations are routable using network 1 at each location. However, I need to configure several access points and send them to location 2. These access points will communicate with the controller at location 1 on network 1. Two SSIDs will need to be on network 1 at location 1. The other SSID will be on Network 2 at location 1. This network is not routable.
    Since location 1 is a flat network with only one subnet (internal) and one in the DMZ, you will configure WLC management/ap-manager port 1 on the 10.0.0.0/24 subnet.  You can then map your SSID#1 to the management interface.  Create a new dynamic interface on the WLC and assign it an IP in the 192.168.0.0/24 subnet and place that on port 2.  Connect port 2 to the DMZ.  Now since you want everything to tunnel back to the WLC from location 2, you would leave the APs in local mode.  Devices in location 2 associating on SSID #1 will obtain an IP address in location 1 and tunnel back to the WLC and traffic will egress out of port 1.  Devices that associate in location 1 or location 2 to SSID#2 (Guest) will tunnel back to the WLC in location 1 and traffic will egress out of port 2.
    Since you want to tunnel traffic back to the WLC from location 2, you need to make sure your link has enough bandwidth or else the ap's will be bouncing.
    If you setup the AP's in location 2 in h-reap mode, then you can place devices that associate to SSID #1 on the 10.0.50.0 subnet.  Devices that associate to SSID #2 at location 2 will tunnel back to the WLC and egress out of port 2.

  • 2504 wireless controller

    They gave us a configured 2504 wireless controller to reconfigure.  I was able to login via the console and issue "show run-config" and I got the IP address for the management.  I connected an ethernet cable to laptop and gave it an IP in the same subnet but unable to ping it or access the controller via http or https.  I have also attempted via ssh and no luck.  Any idea how I can access the controller to be able to tftp a file from it.

    Well you are able to access the wlc from the console which is a good thing. The issue might be the vlan assigned to that management interface. It might be tagged or it might be configured as a vlan id of '0' which is untagged. You need your switchport setup correctly in order to manage the wlc.
    Sent from Cisco Technical Support iPhone App

  • Intel 82801BB/GR (ICH7 Family LPC Interface Controller 27B8 - Server 2008 will not load this driver

    I have downloaded the latest driver from Intel, Ver. 9.1.1.1016 for the Intel 82801BB/GR (ICH7 Family LPC Interface Controller 27B8) and Server 2008 Standard will not recognize the controller or hardware (Code 0028). I have checked every possible thread discussing this event and no one has seemed to resolve this issue. The mainboard being used is an Asus P564WS WS Professional LGA775.
    NOTE: All of the latest MS Server updates are downloaded and installed.

    Hi,
    It seems there is no Windows Server 2008 compatible driver for the Asus P5W64 motherboard.
    For your information, you can check if hardware is compatible with Windows Server from the following website:
    Windows Server catalog
    http://www.windowsservercatalog.com/default.aspx
    Thanks.
    This posting is provided "AS IS" with no warranties, and confers no rights.

  • AiroNet 1140 Authentication Issues Windows Server 2008 NPS

    Hello,
    We have an AiroNet 1140 AP that we are trying to configure RADIUS authentication. Our RADIUS server is a Microsoft Windows Server 2008 NPS server. Unfortunately, our Wi-Fi clients are unable to authenticate. We appear to have everything configured on the AP and RADIUS server correctly, but we receive the following errors from the debug on the AP. Doug
    *Mar 14 05:46:58.413: RADIUS/DECODE: No response from radius-server; parse response; FAIL
    *Mar 14 05:46:58.413: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
    *Mar 14 05:46:58.413: RADIUS/DECODE: No response from radius-server; parse response; FAIL
    *Mar 14 05:46:58.413: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL

    Hi Steve, Here is the config for the AP.  Some screenshots of the NPS config are below, too.  Please let me know if you need more information from our NPS server.  Thanks, Doug
    ap#sh run
    Building configuration...
    Current configuration : 2971 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    logging rate-limit console 9
    enable secret 5 $1$1IPZ$WkdzqdeeGvEPvQLCHfGXU.
    aaa new-model
    aaa group server radius rad_eap
    server 10.20.2.96 auth-port 1645 acct-port 1646
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    server 10.20.2.96 auth-port 1645 acct-port 1646
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 syslog
    dot11 ssid wifi
       authentication open eap eap_methods
       authentication network-eap eap_methods
       authentication key-management wpa
    username pg_ap privilege 15 secret 5 $1$rg0/$hTYIn.lysNUfxhzxqXonl/
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption mode ciphers aes-ccm
    ssid wifi
    antenna gain 0
    speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    encryption mode ciphers aes-ccm
    ssid wifi
    antenna gain 0
    dfs band 3 block
    speed  basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
    channel dfs
    station-role root access-point
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface GigabitEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    no keepalive
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 10.40.0.200 255.255.0.0
    no ip route-cache
    ip default-gateway 10.40.0.1
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server local
      no authentication mac
      nas 10.20.2.96 key 7 003555402B5F012F3D007B16062C46430759550B3A232F7E0A1636472C01402573
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 10.20.2.96 auth-port 1645 acct-port 1646 key 7 08100A08261D0F3E202A3B5C251E677C26677B1C171E08576F7A4C077F19403C337F0C7C7D035B172550305F756934172E327A1B13250C154D4C3F1319305C3514
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
    end
    ap#

  • Anybody know a reseller that would download/sell firmware for a 2504 wireless controller, or what service to buy to be able to get it?

    Anybody know a reseller that would download/sell firmware for a 2504 wireless controller, or what service to buy to be able to get it?

    Be aware that you do not need to purchase SmartNET for your APs.
    Thanks for the ratings, Marek.
    Be aware that nearly all 802.11n APs (some exclusion to AP1250) are covered under the new Cisco Limited Lifetime Warranty.  Read through the link provided.  This is why I posted that you do not need a maintenance contract for the APs.  The main thing to understand is that if you need to RMA your AP, it'll take 10 business days for the replacement part to be sent.
    I have spoken to some Cisco Authorized Reseller and some Cisco TAC engineers who insist that the Cisco LLW don't exist or doesn't apply to BLAH model.  Don't be fooled.

  • 2504 Wireless Controller Map Support

    Does the 2504 Wireless Controller support cad or jpg drawings? I have not been able to find in any of the menus.

    No... WCS/NCS/PI does that feature.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Enterprise Hotfix Rollup for Win7 and Server 2008 R2 via WSUS

    I stumbled across the fact that Microsoft released a hotfix rollup for Win7 and Server 2008 R2 that contains 90 hotfixes
    http://support.microsoft.com/kb/2775511/en-us
    The article I linked above talks about after installing 2775511 (the big hotfix rollup containing 90 hotfixes) it is also necessary to install three more hotfixes:
    After this update is installed, you must install update 2732673 to fix a regression issue in the Rdbss.sys file
    After this update is installed, you must install update 2728738 to fix a regression issue in the Profsvc.dll file
    After this update is installed, you must install update 2878378 re-released on November 11, 2013 to fix a regression issue in the Advapi32.dll file
    I have imported all four of these hotfixes into my WSUS server. Do I need to install 277551 first and then install the other three or can all four be approved and go out at once? I guess I am hung up on the language of "After this update is installed .... ". I want to put all 4 of these on our Win7 machines as well as my 40+ WinServer 2008 R2 machines

    I read somewhere that over half of the updates included in Win7 SP1 and WinServer 2008 R2 SP1 were originally released as hotfixes. This means Microsoft made the decision that a large number of hotfixes would benefit every user of these two OSs
    I think your conclusion is flawed. The only thing that you can draw from the presented statistic is that Microsoft determined that a significant percentage of updates originally released as hotfixes warranted the additional investment in regression testing to subsequently release those hotfixes as updates.
    The fact that they bundled these 90 hotfixes together leads me to the same conclusion.
    In fact, exactly the opposite conclusion applies: What you have in this package is all the rest of the stuff that didn't make that cut. What you have in this package are still NOT-regression tested hotfixes, they've just been bundled up for easy deployment (and note that three of them got further broken in the process of bundling), causing yet three more hotfixes to have to be released.
    In fact I read the MS Team Blog about this big hotfix release and they say the same thing, all users of these OSs would benefit from the installation of this hotfix rollup, not just a subset of users.
    I suspect there are a notable number of patch administrators and systems administrators who would disagree with that self-serving promotion. If, in fact, it's true that "all users" would benefit, then the product team should have invested the effort in properly regression testing those hotfixes, and releasing them as REAL updates. They did not; ergo the *actual* value is less than claimed.
    Of course the bugaboo here is the fact that three other individual hotfixes need to be installed after the big hotfix rollup is installed.
    Exactly! (And those are just the attempted fixes that broke something. Who knows how many other "fixes" may still result in newly discovered "broken stuff" that was never broken in the first place.)
    The second part of this question should revolve around an itemized review of the hotfixes contained in this rollup with one simple question asked for each:
    Have we actually *experienced* the issue addressed by this hotfix?
    Where hotfixes are concerned one very simple but important rule applies:
    If it ain't broken, don't try to fix it!
    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.