3850 WLC Admin GUI Authentication with AAA

Hi all. I'm making myself a little nutty this morning. I've had a 3850 with the WLC function enabled in my lab for quite some time. Just bumped it to 03.07.00E and I'm having a devil of a time getting into the Wireless GUI - particularly when I have 'ip http authentication aaa' enabled. I can still access the wired GUI using my AAA setup just fine.
Up until going to 3.07, I could get into the wired or wireless GUI using AAA with no issues.
So I know it's something in my AAA setup that needs to be tweaked - either on the switch side or somewhere inside my ACS setup. Anyone run into this yet? And if so, any pointers?
Thanks!

Hi Viten,
You're right - this isn't related to my problem.  And we've successfully done 'split' authentication where CLI uses AAA and Web uses local.  But it's a little cumbersome to set up, and sort of silly to do when there's a centralized AAA system available.
Prior to 3.07, centralized AAA authentication for CLI and Web (for both the switch GUI and the wireless GUI) worked as expected for us.
3.07 has introduced a 'Prime' style web page, with a 'Domain' choice for wireless or wired.  Choosing Wired as the domain causes the device to ask for a traditional Level 15 account, (as an extra set of prompts outside the 'Prime' style uname/password window) and after entering proper AAA credentials, you get the switch configuration GUI as expected.
However, when you choose Wireless as the Domain, you can only enter a uname/pwd in the 'Prime' style authentication window. Using the same AAA credentials as always, the device generates an authentication failure due to bad username/password. An error in the python wnweb process is also generated in the switch logs.
I've looked at my ACS logs - username/pwd is fine, and authentication is passing as expected in the ACS system.  The switch doesn't seem to be processing the returned TACACS+ authentication info correctly.

Similar Messages

  • Authenticate 2*3850 WLC on an ACS with one IP?

    Hi all!
    I am currently looking at the Cisco 3850 Catalyst+WLC. I saw that they could be stacked, but you can only have 50 APs registered.
    What happens if you link 2 3850s using HSRP? I suppose you'll be able to register up to 100 APs, but when you want to authenticate your 3850s on an ACS, will you be able to register only the "virtual IP" of both devices? I mean, can you authenticate the 2 devices as one device on the ACS? (I hope I was able to explain my problem!)
    Thanks a lot for your help.

    Interesting question :)
    I do not think you can do this.
    Two 3850s act as two WLCs, and you have to register them using each one's wireless management IP on ACS.
    But this setup will add complications when defining wireless user subsets (as one 3850 will be the STP root & HSRP primary, so both cannot handle the same VLAN traffic at a given time).
    So my suggestion is NOT to do HSRP when enabling WLC functionality on it. You can still use 100 APs even with those two switches acting as two different stacks (without HSRP).
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • "apex/apex" URL problem with accessing admin GUI

    Hi,
    I've been searching the forums for answers to why I can't access my XE admin GUI, including a post today on this forum discussing a 404 error, but with no success so far. I've followed all the suggestions but to no avail. THIS WAS WORKING fine up until recently which is very frustrating.
    The symptom is, when I try to load the admin page using the following URL...
    http://127.0.0.1:8080/apex OR http://my_machine_hostname:8080/apex
    ... the URL gets redirected to http://127.0.0.1:8080/apex/apex and the page won't load.
    I've tried an ./oracle-xe force-reload to no avail and when I check for the tns listener all looks fine as follows:
    [root@gwydlvm2 scripts]# lsnrctl status
    LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 25-AUG-2009 02:04:45
    Copyright (c) 1991, 2005, Oracle. All rights reserved.
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC_FOR_XE)))
    STATUS of the LISTENER
    Alias LISTENER
    Version TNSLSNR for Linux: Version 10.2.0.1.0 - Production
    Start Date 25-AUG-2009 01:39:26
    Uptime 0 days 0 hr. 25 min. 18 sec
    Trace Level off
    Security ON: Local OS Authentication
    SNMP OFF
    Default Service XE
    Listener Parameter File /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/network/admin/listener.ora
    Listener Log File /usr/lib/oracle/xe/app/oracle/product/10.2.0/server/network/log/listener.log
    Listening Endpoints Summary...
    (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC_FOR_XE)))
    (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=gwydlvm2.cisco.com)(PORT=1521)))
    (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=gwydlvm2.cisco.com)(PORT=8080))(Presentation=HTTP)(Session=RAW))
    Services Summary...
    Service "PLSExtProc" has 1 instance(s).
    Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
    Service "XE" has 1 instance(s).
    Instance "XE", status READY, has 1 handler(s) for this service...
    Service "XEXDB" has 1 instance(s).
    Instance "XE", status READY, has 1 handler(s) for this service...
    Service "XE_XPT" has 1 instance(s).
    Instance "XE", status READY, has 1 handler(s) for this service...
    The command completed successfully
    The listener.ora file is as follows:
    # listener.ora Network Configuration File:
    SID_LIST_LISTENER =
    (SID_LIST =
    (SID_DESC =
    (SID_NAME = PLSExtProc)
    (ORACLE_HOME = /usr/lib/oracle/xe/app/oracle/product/10.2.0/server)
    (PROGRAM = extproc)
    LISTENER =
    (DESCRIPTION_LIST =
    (DESCRIPTION =
    (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC_FOR_XE))
    (ADDRESS = (PROTOCOL = TCP)(HOST = gwydlvm2.cisco.com)(PORT = 1521))
    DEFAULT_SERVICE_LISTENER = (XE)
    It looks like all the services that I need are up, and the listener too. I can do sqlplus queries from the command line.
    Any suggestions would be very welcome!
    Thanks,
    Liam.

    I ran through the commands as advised in the last post but the behaviour is the same. The listener.log file shows the following:
    I notice that the HOST parameter value is set to fqdn in some cases and just hostname in other cases, but I'd guess that this isn't the issue. I can't see any errors in the logfiles for this restart.
    Started with pid=27987
    Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC_FOR_XE)))
    Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=gwydlvm2.cisco.com)(PORT=1521)))
    Listener completed notification to CRS on start
    TIMESTAMP * CONNECT DATA [* PROTOCOL INFO] * EVENT [* SID] * RETURN CODE
    25-AUG-2009 16:03:09 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=gwydlvm2)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=169869568)) * status * 0
    25-AUG-2009 16:03:21 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=gwydlvm2)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=169869568)) * status * 0
    Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=gwydlvm2.cisco.com)(PORT=8080))(Presentation=HTTP)(Session=RAW))
    25-AUG-2009 16:03:31 * service_register * XE * 0
    25-AUG-2009 16:13:31 * service_update * XE * 0
    25-AUG-2009 16:23:32 * service_update * XE * 0

  • How to use a macro with AAA Authorization set?

    So!
    We have ACS version 4.1, and one goal is to start working on authorization sets for groups. I am able to get basic commands to work, but was curious about making a macro work without having to allow all of the commands that are actually contained within the macro itself.
    I'm looking into this to promote standardization and minimize configuration issues/inconsistencies on ports across switches in our environment.
    The macro I created is used for configuring a port on a switch to change its VLAN. Basically as follows:
    macro name T2
    Description $DESC
    switchport mode access
    no cdp enable
    switchport access vlan $STATIC
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    storm-control broadcast level 25.00
    storm-control action trap
    switchport nonegotiate
    no lldp transmit
    no lldp receive
    #macro keywords $DESC $STATIC
    In ACS I've created a shell command authorization set, and allowed 'macro' with 'permit apply T2' and 'permit trace T2'.  This works fine and allows me to use those macro commands.  The problem I'm having is that every command in the macro is not allowed in the authorization set, so when I run the macro it fails for each command.
    I don't want to allow each individual command in the authorization set as it would then allow jr. admins the ability to make config changes on ports that would be outside of our standard. For example they could get into a port and forget to disable CDP and LLDP, causing inconsistencies across the environment. Is there a way to run these macros without putting all of the commands in the authorization set?

    Hello Eric,
    Please see the below link for configuring Macro and how you can use them with AAA
    http://www.cisco.com/en/US/docs/switches/lan/auto_smartports/12.2_55_se/configuration/guide/configure.html

  • I just updated to 10.8.4 and my mail program is showing a series of boxes with AAAAs inside them instead of the email addresses. Also when on Safari web pages are displaying the same AAAAAs instead of type. Firefox displays fine. Can someone help me?

    Restart your Mac and immediately hold down the Shift key when you hear the startup chime to boot into Safe Mode. Keep holding the Shift key until you see a progress bar towards the bottom of the screen. You can let go of the Shift key at that point.
    OS X asks you to log in (you will get this screen on a Safe Mode boot even if your Mac is set to automatically log in). Let the Mac finish booting to the desktop and then restart normally. This will clear Font Book's database and the cache files of the user account you logged into in Safe Mode.
    Next, close all running applications. From an administrator account, open the Terminal app and enter the following command. You can also copy/paste it from here into the Terminal window:
    sudo atsutil databases -remove
    Terminal will then ask for your admin password. As you type, it will not show anything, so be sure to enter it correctly.
    This removes all font cache files. Both for the system and the current user font cache files. After running the command, close Terminal and immediately restart your Mac.

  • Cisco WLC 2500 - 802.1x with Vasco Radius SMS OTP

    Hello folks,
    I have what seems to be a complex implementation with many things that need to be done on a customers network and I wanted to be pointed in the right direction.
    The current scenario is such: the customer has a Cisco WLC 2500 device that has 3 access points (these are in the same AP group) connected to it. There is one SSID that I will call PRODUCTION here that some domain users use to connect to the local network. The customer has requested to have a GUEST SSID added to the WLC where guest users will connect to and receive an SMS OTP for authentication.
    Correct me if I am wrong, but I will obviously need to segment the SSIDs to have them running on different subnets to ensure that guest users do not have access to the production network once they authenticate. In order to do this I will need to configure Dynamic VLAN assignment for the Cisco WLC and connect it to a 802.1x port on the switch.
    Now what is not clear is I am not interested in authenticating the users that connect via "Production SSID" and want to bypass authentication for those users and have them assigned to the default VLAN (or maybe perhaps have them authenticate via LDAP on the AD); however I want to force the "GUEST" SSID users to authenticate so that they may receive an SMS OTP (reason for this is to force guests to register their phone numbers to use the internet so that illegal activity may be tracked).
    1) So would it be possible to bypass authentication (or authenticate them via LDAP) for the PRODUCTION SSID as only domain users would know the SSID password to log on and have them by default assigned to the production subnet (default VLAN) but force the GUEST SSID users to another VLAN via 802.1x SMS OTP?
    2) *Important* Another issue that is not clear is will I be able to directly configure AAA RADIUS settings on the Cisco WLC to directly authenticate with the VASCO RADIUS OTP and receive a challenge-response (required for OTP) during authentication? As I have seen from Cisco's Dynamic VLAN assignment documentation (http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml) additional IETF RADIUS parameters such as Tunnel-Private-Group-ID etc. are used which I can't seem to configure on the Vasco.
    I do believe this is a great project in helping me understand the INs and OUTs of CISCO WLC as well as Wireless NAC. If anyone could enlighten me and point me in the right direction I would be forever in debt. Much appreciated.
    Best Regards
    Sinan Barghouthi - JNCIA-FWV , JNCIA-IDP , CCA-NS , TCSM-8.0

    On your WLAN you can enable AES and TKIP. Just know that some clients may have issues when they see both TKIP and AES. I've had pretty good success with this in the past. Don't forget, you also need to enable WMM allowed to get N rates.
    But you will need to configure AES on the client as well to support N rates.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Admin GUI in v6.1 slow

    We're testing version 6.1 and are seeing really slow response times on the admin GUI. It appears to be related to using SSL, which we need on, of course. Here's what we're seeing:
    + Some introductory pages -- pages that just display a form, not those that take an action -- take 12 to 19 seconds to display. When we turn off SSL, they snap up in one second.
    + With SSL on on the primary instance of the server, pages fetched via http or https pop up instantly.
    + Our test hardware is a Sun 420R with four CPUs and 4 GB of memory with nothing else running on it; it doesn't seem like the processing demands of SSL should be slowing it down.
    Is there some setting we need to set to make the https pages in the GUI perform a little better?
    Dave

    What's happening on the machine when this poor performance is noted? High CPU use? Memory swapping?
    What kind of SSL are you using (e.g. just straight SSL, or are you doing client-auth, etc.)?

  • WLC Web GUI Certificate type displayed

    Hi,
    We converted some APs from IOS to LWAPP and had them successfully join a WLC.
    We have, to date, never bought, owned, or otherwise possessed an AP which talks LWAPP out of the box.
    However the WLC Web GUI says, under the Wireless heading, that AP Certificate Type is "Manufacture Installed".
    Shouldn't it say "Self-Signed"?
    regards, MH

    Thank you for your reply.
    Looking at Cisco document,
    "Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode"
    I can see where it confirms what you said about MIC,
    "Factory installed certificates are referenced by the term MIC, which is an acronym for Manufacturing
    Installed Certificate. Cisco Aironet access points shipped before July 18, 2005, do not have MIC, so
    these access points create a self-signed certificate when upgraded to operate in lightweight mode."
    Most of this document talks about SSC not MIC and is indiscriminate about the age of the AP.
    So if I'm converting 1131AG APs bought in 2006 from Autonomous to LWAPP am I dealing with MIC not SSC?
    Regards, MH

  • ASA MOTD with AAA

    Hi All
    I am hoping someone is able to help on the following, I would expect the banner to be presented when the user first connects as per the Cisco link below:
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_management.html
    ASA-1(config)# sh run banner
    banner motd ** W A R N I N G **
    banner motd You have logged in to a secure device. If you are not authorized to access
    when I have a Banner MOTD configured with AAA I get the following:
    ASA-1# logout
    Logoff
    Username: cisco
    Password: *****
    ** W A R N I N G **
    You have logged in to a secure device. If you are not authorized to access
    YOUR LOGGING ONTO A ASA
    Type help or '?' for a list of available commands.
    ASA-1>
    The message is given after the user logs in.
    Now when AAA is disabled the following happens:
    ASA-1(config)# no aaa authentication serial console LOCAL
    ASA-1(config)# exit
    ASA-1# logout
    Logoff
    ** W A R N I N G **
    You have logged in to a secure device. If you are not authorized to access
    Type help or '?' for a list of available commands.
    ASA-1>
    Am I reading the documentation incorrectly? I thought this should be given if someone connected to the console, as this is what I am after.
    Regards Craig

    Hi Craig,
    For me it is coming before entering password and which is actually correct functionality.
    login as: admin
    #   Authorized access only
    #   Unauthorized users will be prosecuted
    [email protected]'s password:
    Let me know if you need the configuration..!!
    Regards,
    Siraj

  • 2602i does not Join to 3850 WLC

    Trying to join a 2602i to a 3850 WLC, but after joining the WLC, the access point keeps rebooting.
    AP Console log:
    APc067.afa7.1ee4#
    *Nov 29 23:32:55.027: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Nov 29 23:32:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.129.0.254 peer_port: 5246
    *Nov 29 23:32:55.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.129.0.254 peer_port: 5246
    *Nov 29 23:32:55.223: %CAPWAP-5-SENDJOIN: sending Join Request to 10.129.0.254
    ., 1)29 23:33:13.415: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(UNKNOWN_MESSAGE_TYPE (5)
    *Nov 29 23:33:13.415: %CAPWAP-3-ERRORLOG: GOING BACK TO DISCOVER MODE
    *Nov 29 23:33:19.299: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
    *Nov 29 23:33:19.319: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Nov 29 23:33:19.323: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
    *Nov 29 23:33:19.327: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Nov 29 23:33:19.347: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
    *Nov 29 23:33:20.323: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Nov 29 23:33:20.351: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
    *Nov 29 23:33:20.359: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Nov 29 23:33:21.343: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Nov 29 23:33:21.351: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *Nov 29 23:33:21.379: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
    *Nov 29 23:33:21.387: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Nov 29 23:33:21.395: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Nov 29 23:33:22.379: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    *Nov 29 23:33:22.387: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Nov 29 23:33:22.415: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Nov 29 23:33:23.415: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    Not in Bound state.
    *Nov 29 23:34:14.847: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
    *Nov 29 23:34:19.847: %CAPWAP-3-ERRORLOG: Invalid event 40 & state 2 combination.
    *Nov 29 23:34:19.967: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.129.0.212, mask 255.255.255.128, hostname APc067.afa7.1ee4
    Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
    *Nov 29 23:34:25.847: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
    *Nov 29 23:34:34.847: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
    *Nov 29 23:35:04.847: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Nov 29 23:35:04.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.129.0.254 peer_port: 5246
    *Nov 29 23:35:04.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.129.0.254 peer_port: 5246
    *Nov 29 23:35:04.223: %CAPWAP-5-SENDJOIN: sending Join Request to 10.129.0.254
    ., 1)29 23:35:22.411: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(UNKNOWN_MESSAGE_TYPE (5)
    *Nov 29 23:35:22.411: %CAPWAP-3-ERRORLOG: GOING BACK TO DISCOVER MODE
    *Nov 29 23:35:27.479: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
    *Nov 29 23:35:27.499: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Nov 29 23:35:27.499: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
    *Nov 29 23:35:27.503: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Nov 29 23:35:27.527: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
    *Nov 29 23:35:28.503: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Nov 29 23:35:28.531: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
    *Nov 29 23:35:28.539: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Nov 29 23:35:29.523: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Nov 29 23:35:29.531: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *Nov 29 23:35:29.559: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
    *Nov 29 23:35:29.567: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Nov 29 23:35:29.575: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Nov 29 23:35:30.559: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    *Nov 29 23:35:30.567: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Nov 29 23:35:30.595: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Nov 29 23:35:31.595: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    WLC Log:
    Nov 29 23:40:46.469: *%LWAPP-3-RD_ERR7: 1 wcm:  Invalid country code () for AP c0:25:5c:68:7f:10
    Nov 29 23:40:46.469: *%LWAPP-3-RD_ERR9: 1 wcm:  APs c0:25:5c:68:7f:10 country code changed from () to (GB )
    Nov 29 23:40:46.470: %CAPWAP-3-AP_PORT_CFG: AP connected port Gi1/0/24 is not an access port.
    Nov 29 23:40:46.471: *%LWAPP-3-RD_ERR7: 1 wcm:  Invalid country code () for AP c0:25:5c:68:7f:10
    Nov 29 23:40:46.471: *%LWAPP-3-RD_ERR9: 1 wcm:  APs c0:25:5c:68:7f:10 country code changed from () to (GB )
    Nov 29 23:40:46.471: *%LWAPP-3-VALIDATE_ERR: 1 wcm:  Validation of SPAM Vendor Specific Payload failed - AP  c0:25:5c:68:7f:10
    54C1BR01A01254#
    Nov 29 23:40:46.474: *%LOG-3-Q_IND: 1 wcm:  Validation of SPAM Vendor Specific Payload failed - AP  c0:25:5c:68:7f:10
    Nov 29 23:40:46.474: *%CAPWAP-3-DATA_TUNNEL_CREATE_ERR2: 1 wcm:  Failed to create CAPWAP data tunnel with interface id: 0xd670c00000002a for AP: c025.5c68.7f10 Error Reason: Capwap Data Tunnel create retry exceeded max retry count.
    Nov 29 23:41:09.584: *%CAPWAP-3-INVALID_STATE_EVENT: 1 wcm:  Invalid AP event (CAPWAP Discovery Request) and state (CAPWAP Join Response) combination
    Invalid AP event (CAPWAP Discovery Request) and state (CAPWAP Join Response) combination
    Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR7: 1 wcm:  Invalid country code () for AP c0:25:5c:68:7f:10
    Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR9: 1 wcm:  APs c0:25:5c:68:7f:10 country code changed from () to (GB )
    Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR7: 1 wcm:  Invalid country code () for AP c0:25:5c:68:7f:10
    Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR9: 1 wcm:  APs c0:25:5c:68:7f:10 country code changed from () to (GB )
    Nov 29 23:42:55.496: *%LWAPP-3-VALIDATE_ERR: 1 wcm:  Validation of SPAM Vendor Specific Payload failed - AP  c0:25:5c:68:7f:10
    54C1BR01A01254(config)#
    Nov 29 23:42:55.499: %CAPWAP-3-AP_PORT_CFG: AP connected port Gi1/0/24 is not an access port.
    Nov 29 23:42:55.499: *%LOG-3-Q_IND: 1 wcm:  Validation of SPAM Vendor Specific Payload failed - AP  c0:25:5c:68:7f:10
    Nov 29 23:42:55.500: *%CAPWAP-3-DATA_TUNNEL_CREATE_ERR2: 1 wcm:  Failed to create CAPWAP data tunnel with interface id: 0xcb73c00000002b for AP: c025.5c68.7f10 Error Reason: Capwap Data Tunnel create retry exceeded max retry count.
    GB  - United Kingdom : 802.11a Indoor,Outdoor/ 802.11b / 802.11g
    Invalid AP event (CAPWAP Discovery Request) and state (CAPWAP Join Response) combination
    Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR7: 1 wcm:  Invalid country code () for AP c0:25:5c:68:7f:10
    Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR9: 1 wcm:  APs c0:25:5c:68:7f:10 country code changed from () to (GB )
    Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR7: 1 wcm:  Invalid country code () for AP c0:25:5c:68:7f:10
    Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR9: 1 wcm:  APs c0:25:5c:68:7f:10 country code changed from () to (GB )
    Nov 29 23:42:55.496: *%LWAPP-3-VALIDATE_ERR: 1 wcm:  Validation of SPAM Vendor Specific Payload failed - AP  c0:25:5c:68:7f:10
    Nov 29 23:42:55.499: %CAPWAP-3-AP_PORT_CFG: AP connected port Gi1/0/24 is not an access port.
    Nov 29 23:42:55.499: *%LOG-3-Q_IND: 1 wcm:  Validation of SPAM Vendor Specific Payload failed - AP  c0:25:5c:68:7f:10
    Nov 29 23:42:55.500: *%CAPWAP-3-DATA_TUNNEL_CREATE_ERR2: 1 wcm:  Failed to create CAPWAP data tunnel with interface id: 0xcb73c00000002b for AP: c025.5c68.7f10 Error Reason: Capwap Data Tunnel create retry exceeded max retry count.
    and sometimes:
    Nov 30 21:16:56.781: *%CAPWAP-3-ALREADY_IN_JOIN: 1 wcm:  Dropping join request from AP c025.5c68.7f10 - AP is already in joined state
    Nov 30 21:16:56.785: *%CAPWAP-3-DATA_TUNNEL_DELETE_ERR2: 1 wcm:  Failed to delete CAPWAP data tunnel with interface id: 0x0 from internal database. Reason: AVL database entry not found
    Sh wireless country configured:
    GB  - United Kingdom : 802.11a Indoor,Outdoor/ 802.11b / 802.11g
    Sh version (AP):
    LWAPP image version 10.1.100.0
    1 Gigabit Ethernet interface
    2 802.11 Radios
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: C0:67:AF:A7:1E:E4
    Part Number                          : 73-14588-02
    PCA Assembly Number                  : 800-37899-01
    PCA Revision Number                  : A0
    PCB Serial Number                    : FOC17353HXS
    Top Assembly Part Number             : 800-38356-01
    Top Assembly Serial Number           : FCZ1743P1VC
    Top Revision Number                  : A0
    Product/Model Number                 : AIR-SAP2602I-E-K9
    Configuration register is 0xF
    APc067.afa7.1ee4#
    APc067.afa7.1ee4#^C
    Not in Bound state.
    *Nov 30 20:04:56.019: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
    *Nov 30 20:05:01.019: %CAPWAP-3-ERRORLOG: Invalid event 40 & state 2 combination.c
    *Nov 30 20:05:01.139: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.129.0.211, mask 255.255.255.128, hostname APc067.afa7.1ee4
    Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
    *Nov 30 20:05:07.019: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
    Sh ver (Switch):
    Base Ethernet MAC Address          : d0:c7:89:75:c3:00
    Motherboard Assembly Number        : 73-12238-06
    Motherboard Serial Number          : FOC172896LQ
    Model Revision Number              : B0
    Motherboard Revision Number        : D0
    Model Number                       : WS-C3850-24T
    System Serial Number               : FOC1729V133
    Switch Ports Model              SW Version        SW Image              Mode
    *    1 32    WS-C3850-24T       03.03.00SE        cat3k_caa-universalk9 INSTALL
         2 32    WS-C3850-24T       03.03.00SE        cat3k_caa-universalk9 INSTALL
    Switch 02
    Switch uptime                      : 5 days, 23 hours, 2 minutes
    Base Ethernet MAC Address          : ec:e1:a9:df:93:80
    Motherboard Assembly Number        : 73-12238-06
    Motherboard Serial Number          : FOC17236GD1
    Model Revision Number              : B0
    Motherboard Revision Number        : D0
    Model Number                       : WS-C3850-24T
    System Serial Number               : FOC1725V0FT
    Configuration register is 0x102
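    The two dumps above are long and repetitive, so here is an added example (my own Python, not code from the thread or from Cisco) that parses both formats, folds the AP MAC that IOS prints as c0:25:5c:68:7f:10 and as c025.5c68.7f10 into one key, and counts which error mnemonics hit which AP. The sample lines are constructed from the output posted above; treating a leading "*" before the month as the AP-console marker is an assumption taken from how the two pastes differ.

```python
"""Triage CAPWAP/LWAPP join-failure syslog from a Catalyst 3850 WLC and its AP.

Added example; not code from the thread or from Cisco. It parses the AP-console
and WLC-side formats pasted in the thread and summarises error mnemonics per AP.
"""
import re
from collections import Counter, defaultdict

# Assumption from the thread's two dumps: AP console lines start with "*Nov ...",
# WLC lines start with "Nov ..." and often carry a "*%FAC-SEV-MNEMONIC: 1 wcm:" prefix.
LOG_RE = re.compile(
    r"^(?P<ap>\*)?"                                        # AP console marker
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"\*?%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?:\d+ wcm:\s*)?"                                    # WLC process tag, dropped
    r"(?P<msg>.*)$"
)
# AP MAC in colon form (c0:25:5c:68:7f:10) or Cisco dotted form (c025.5c68.7f10).
MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b|\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b", re.I)
PORT_RE = re.compile(r"\b(?:Gi|Te|Fa)\d+(?:/\d+)+\b")

# What each mnemonic literally reports, restated from the message text itself.
MEANING = {
    "AP_PORT_CFG": "AP-facing switch port is not configured as an access port",
    "RD_ERR7": "AP presented an empty country code",
    "VALIDATE_ERR": "WLC rejected the AP's vendor-specific join payload",
    "DATA_TUNNEL_CREATE_ERR2": "CAPWAP data tunnel creation exceeded its retry count",
    "INVALID_STATE_EVENT": "discovery request arrived while the WLC was in join-response state",
    "ALREADY_IN_JOIN": "join request arrived while the WLC still held the AP as joined",
}

# Constructed sample, modelled on the thread's AP and WLC output (MAC and port as posted).
SAMPLE_LOG = """\
*Nov 29 23:32:55.223: %CAPWAP-5-SENDJOIN: sending Join Request to 10.129.0.254
., 1)29 23:33:13.415: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(UNKNOWN_MESSAGE_TYPE (5)
*Nov 29 23:33:13.415: %CAPWAP-3-ERRORLOG: GOING BACK TO DISCOVER MODE
Nov 29 23:40:46.469: *%LWAPP-3-RD_ERR7: 1 wcm:  Invalid country code () for AP c0:25:5c:68:7f:10
Nov 29 23:40:46.469: *%LWAPP-3-RD_ERR9: 1 wcm:  APs c0:25:5c:68:7f:10 country code changed from () to (GB )
Nov 29 23:40:46.470: %CAPWAP-3-AP_PORT_CFG: AP connected port Gi1/0/24 is not an access port.
Nov 29 23:40:46.471: *%LWAPP-3-VALIDATE_ERR: 1 wcm:  Validation of SPAM Vendor Specific Payload failed - AP  c0:25:5c:68:7f:10
54C1BR01A01254#
Nov 29 23:40:46.474: *%CAPWAP-3-DATA_TUNNEL_CREATE_ERR2: 1 wcm:  Failed to create CAPWAP data tunnel with interface id: 0xd670c00000002a for AP: c025.5c68.7f10 Error Reason: Capwap Data Tunnel create retry exceeded max retry count.
Nov 29 23:41:09.584: *%CAPWAP-3-INVALID_STATE_EVENT: 1 wcm:  Invalid AP event (CAPWAP Discovery Request) and state (CAPWAP Join Response) combination
Nov 30 21:16:56.781: *%CAPWAP-3-ALREADY_IN_JOIN: 1 wcm:  Dropping join request from AP c025.5c68.7f10 - AP is already in joined state
"""


def normalize_mac(raw):
    """Return the MAC in colon form regardless of how IOS printed it."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_line(line):
    """Parse one syslog line; return None for CLI prompts and garbled lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    mac = MAC_RE.search(m["msg"])
    port = PORT_RE.search(m["msg"])
    return {
        "source": "ap" if m["ap"] else "wlc",
        "ts": m["ts"],
        "severity": int(m["sev"]),
        "mnemonic": m["mnemonic"],
        "ap_mac": normalize_mac(mac.group()) if mac else None,
        "port": port.group() if port else None,
        "msg": m["msg"],
    }


def triage(text, max_severity=3):
    """Count error-level lines (severity <= max_severity) per mnemonic and per AP."""
    summary = {"parsed": 0, "skipped": 0, "by_mnemonic": Counter(),
               "by_ap": defaultdict(Counter), "ports": set(), "findings": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            summary["skipped"] += 1
            continue
        summary["parsed"] += 1
        if rec["severity"] > max_severity:
            continue  # informational (5/6) lines stay out of the error counts
        summary["by_mnemonic"][rec["mnemonic"]] += 1
        if rec["ap_mac"]:
            summary["by_ap"][rec["ap_mac"]][rec["mnemonic"]] += 1
        if rec["port"]:
            summary["ports"].add(rec["port"])
    for mnemonic, count in summary["by_mnemonic"].most_common():
        if mnemonic in MEANING:
            summary["findings"].append(f"{mnemonic} x{count}: {MEANING[mnemonic]}")
    return summary


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(f"parsed={s['parsed']} skipped={s['skipped']} ports={sorted(s['ports'])}")
    for mac, counts in s["by_ap"].items():
        print(mac, dict(counts))
    for finding in s["findings"]:
        print(" -", finding)
```

Running it over the real pastes (WLC first, then the AP console) shows at once that every error for the one AP lines up with the port-mode message, which is the first thing to check before chasing the country-code lines.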

    Hi,
    3850 is in MC mode.
    The AP is connected to an access switch which is connected via a trunk port to the 3850. The access port is in the same VLAN as the wireless management VLAN. The AP is not connected directly to the 3850 as this switch is not PoE capable.
    Country code is set to GB as the AP is in the Europe domain.
    NTP has been configured
    1- show license right-to-use summary :
      ipservices   permanent   N/A      Lifetime
      apcount      base        0        Lifetime
      apcount      adder       4        Lifetime
    License Level In Use: ipservices
    License Level on Reboot: ipservices
    Evaluation AP-Count: Disabled
    Total AP Count Licenses: 4
    AP Count Licenses In-use: 1
    AP Count Licenses Remaining: 3
    the one which is in use is my AP which has issue. keeps rebooting:
    2. show wireless mobility summary
    Mobility Controller Summary:
    Mobility Role                                   : Mobility Controller
    Mobility Protocol Port                          : 16666
    Mobility Group Name                             : BSTAR
    Mobility Oracle IP Address                      : 0.0.0.0
    DTLS Mode                                       : Enabled
    Mobility Domain ID for 802.11r                  : 0x276d
    Mobility Keepalive Interval                     : 10
    Mobility Keepalive Count                        : 3
    Mobility Control Message DSCP Value             : 48
    Mobility Domain Member Count                    : 1
    Link Status is Control Link Status : Data Link Status
    Controllers configured in the Mobility Domain:
    IP               Public IP        Group Name       Multicast IP     Link Status
    10.129.0.254     -                BSTAR            0.0.0.0          UP   : UP
    3- Show run | in Wireless
    qos wireless-default-untrust
    wireless mobility controller
    wireless mobility group name BSTAR
    wireless management interface Vlan10
    wireless wps ap-authentication

  • Very slow ADMIN gui (/console) and ADMIN mode problems

    The admin gui is painfully slow for us for some reason. We're currently running three clusters on one admin server. There are 55 applications installed, spread out pretty evenly on all clusters.
    Listing the 10 first deployed applications takes around 50-60s. CPU usage and so forth is fine. This seems to get worse when more applications are added. Some of our other admin servers work fine but they have far fewer applications installed.
    Perhaps not much to go from, but has anyone else experienced this? Possible cause, solution?
    Note:
    version: 10.3
    jdk: 1.6_06 (64 bit)
    os: solaris
    We're also experiencing some serious problems when deploying applications, possibly because of the problems with the admin server, and the deployment sometimes just halts (activate changes times out). Servers can all of a sudden be in ADMIN mode, and applications can be in ADMIN mode. Servers and/or applications in ADMIN mode are not a good thing, since the load balancers can't handle this situation because the server still listens on the HTTP port while in ADMIN mode. Not sure why this happens, but it seems to be connected to when we deploy applications, and that part seems to be a hit-and-miss thing. It works perfectly sometimes; sometimes it just halts. A restart of the admin server and then it might work again. Other times it takes a restart of all the servers and then the admin server before it works again.
    Same as the first question: has anyone else experienced these problems?
    /Laban

    Support has "support patterns" to work through these issues and I definitely recommend opening a case. Various things can contribute such as networking issues causing the clustered communication to not work properly. Thread dumps can also be helpful to see where the time is being spent.

  • APs connecting to a 3850 WLC

    Hi Team,
    I have a customer that has APs that are connected off a switch, and this switch has uplinks to two 3850 WLCs.  So the APs are not directly connected to the 3850s but are connected to a switch and VLAN that does connect back to the 3850 WLC.  The issue they are having is that the APs continuously bounce back and forth between the two 3850 WLCs.  I read somewhere that APs not directly connected to a 3850 WLC are not supported currently. Is this really the case?  Is this why the APs are bouncing every 2 seconds or so between the 3850 WLCs?
    Thanks, Angel

    Hi
    This is what you should forward to your client
    http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3850-series-switches/qa_c67-722110.html 
    Q. Does the Cisco Catalyst 3850 support indirectly connected access points?
    A. No. The Cisco Catalyst 3850 switch will always terminate the CAPWAP tunnel locally. Pass-through mode or indirectly connected access point is not supported at this time. Note that a Cisco Catalyst 3850 12-port or 24-port SFP model can be a good choice to act as mobility controller for a stack of Cisco Catalyst 3850 switches that terminate CAPWAP tunnels locally.
    If you are satisfied with the response, you can mark this thread as "answered". If not, give us a shout.
    HTH
    Rasika 
    *** Pls rate all useful responses ****

  • Server Admin GUI not displaying complete information

    Recently, the Server Admin GUI stopped displaying complete information for one of our servers. It works fine for the other.
    All servers are set up very much the same, other than one is an Xserve and one is a G5 tower. The one giving the grief is the G5 tower.
    Server Admin is version 10.4.7 and was working fine until a few days ago.
    When I click on the computer name (or IP) in the "Computers and Services" list, then look at any of the tabs > "Overview" "Logs" "System" "Graphs" or "Update" no information is retrieved. With the exception of Hard Drive capacity.
    All other services (Web, VPN, Mail) report all info without problems.
    Weird, hey? Any thoughts appreciated.
    Message was edited by: mebs2

    Well, it's pretty easy. I've taken out the code that is unused so you can see what is going on.
    import javax.swing.*;

    public class Shareddilog extends JDialog {
        public static void main(String[] args) {
            // Only the dialog is created and shown; nothing is ever added to it.
            Shareddilog s = new Shareddilog();
            s.show();
        }
    }
    This is the only code that is executed in your program. It creates a JDialog and then shows it. What you want to do, I imagine, is to put all the GUI stuff in your constructor and make sure you call pack() on it before you are done.

  • After "wadm pull-config" the Admin gui still shows deployment pending

    After doing a manual edit of my webserver 7.0u3 instance config files I run wadm with the pull-config subcommand. After the command successfully completes I go into the admin gui and it shows that I have a deployment pending. Why is this? Doesn't this command sync the instance config with the config-store?

    The pull-config command pulls the configuration from the node to the config-store; the user is then supposed to deploy the configuration using the deploy-config command to propagate those changes to the other instances, if any.
    pull-config information from Web Server CLI reference:
    http://docs.sun.com/app/docs/doc/820-4842/pull-config-1?a=view

  • ACS 4.2.1 - after fresh install - admin GUI comes up blank

    Greetings:
    ACS server:     Windows server 2003R2 (VM)
    Browser:          IE 8
    Installed ACS 4.2 (0.124)
    Immediately installed ACS 4.2.1 patch 15 on top
    Restarted server to kick services
    All services started except CSAdmin, which successfully started manually
    Admin GUI opens to a blank page.
    Any ideas?
    Thanks.

    hi,
    Please trust the site in the browser. Also please ensure java is latest on the machine.
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
