5760 WLC & ISE 1.2 PEAP Issues

I have the following setup:
WLC 5508 (7.4.100)
WLC 5760 (03.03.02)   (I'm replacing the 5508 with the 5760)
ISE 1.2
I'm currently running 802.1x PEAP with external AD authentication on the 5508 and everything is working 100%.
As soon as I switch the users over to the 5760 I get the following errors on the ISE:
Event
5440 Endpoint abandoned EAP session and started new
Failure Reason
5440 Endpoint abandoned EAP session and started new
Resolution
Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
Root cause
Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.
I took the config of a working 5760, why would this one give the above errors ?
Jaco

Hello!
Turn on debugs on your 5760 to track authentication activities. Most probably you'll spot the issue from them. If not - post them here, so we'll have a look as well.
Thanks, Irina
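Before turning on debugs, it helps to decide whether the 5440 events point at the controller (the new NAD) or at the clients (the supplicants). The shell snippet below is an added example, not part of the thread, and its log lines are a constructed, simplified key=value export rather than the real ISE syslog layout: it counts 5440 failures per NAD and per endpoint MAC and applies the rule "one NAD owning most of the failures across several different endpoints points at the NAD; the same endpoint failing on several NADs points at the supplicant". The 80% share and 3-endpoint thresholds are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): triage ISE "5440 Endpoint abandoned EAP session"
# failures by NAD and by endpoint to decide whether to chase the controller or the supplicant.
# The log format below is a constructed key=value export, not the real ISE syslog layout.
set -eu

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT

# Constructed sample: two NADs (old 5508 at 10.1.1.10, new 5760 at 10.1.1.20),
# four different client MACs, and a mix of passes and 5440 failures.
cat > "$LOG" <<'EOF'
2014-03-10T09:00:01 status=Pass reason=- nad=10.1.1.10 mac=00:11:22:33:44:01 user=alice
2014-03-10T09:00:03 status=Fail reason=5440 nad=10.1.1.20 mac=00:11:22:33:44:01 user=alice
2014-03-10T09:00:04 status=Fail reason=5440 nad=10.1.1.20 mac=00:11:22:33:44:02 user=bob
2014-03-10T09:00:06 status=Pass reason=- nad=10.1.1.10 mac=00:11:22:33:44:03 user=carol
2014-03-10T09:00:07 status=Fail reason=5440 nad=10.1.1.20 mac=00:11:22:33:44:03 user=carol
2014-03-10T09:00:09 status=Fail reason=5440 nad=10.1.1.20 mac=00:11:22:33:44:02 user=bob
2014-03-10T09:00:11 status=Fail reason=5440 nad=10.1.1.10 mac=00:11:22:33:44:04 user=dave
2014-03-10T09:00:12 status=Fail reason=5440 nad=10.1.1.20 mac=00:11:22:33:44:04 user=dave
2014-03-10T09:00:15 status=Fail reason=5440 nad=10.1.1.20 mac=00:11:22:33:44:01 user=alice
EOF

# Print "value count" for one field (nad|mac|user), counting only 5440 failures, busiest first.
count_5440_by() {  # $1 field name, $2 log file
  awk -v f="$1" '
    /reason=5440/ {
      for (i = 1; i <= NF; i++)
        if (index($i, f "=") == 1) c[substr($i, length(f) + 2)]++
    }
    END { for (v in c) print v, c[v] }' "$2" | sort -k2,2nr -k1,1
}

# Number of distinct endpoint MACs that hit 5440 on one NAD.
distinct_macs_on_nad() {  # $1 NAD address, $2 log file
  awk -v n="nad=$1" '
    /reason=5440/ && index($0, n " ") {
      for (i = 1; i <= NF; i++) if (index($i, "mac=") == 1) m[$i] = 1
    }
    END { k = 0; for (x in m) k++; print k }' "$2"
}

# Verdict (illustrative thresholds): one NAD owning >= 80% of 5440 failures
# across >= 3 different endpoints -> suspect the NAD, otherwise the supplicants.
verdict() {  # $1 log file
  total=$(grep -c 'reason=5440' "$1" || true)
  [ "$total" -gt 0 ] || { echo NONE; return; }
  top=$(count_5440_by nad "$1" | head -n 1)
  top_nad=${top% *}
  top_cnt=${top##* }
  macs=$(distinct_macs_on_nad "$top_nad" "$1")
  if [ $((top_cnt * 100 / total)) -ge 80 ] && [ "$macs" -ge 3 ]; then
    echo "NAD $top_nad"
  else
    echo SUPPLICANT
  fi
}

echo "5440 by NAD:"; count_5440_by nad "$LOG"
echo "5440 by MAC:"; count_5440_by mac "$LOG"
echo "verdict: $(verdict "$LOG")"
```

With the constructed data the verdict is the 5760 (6 of 7 failures, 4 different endpoints), which is where the 5760 debugs Irina suggests should then be taken; a SUPPLICANT verdict would instead send you to the client-side EAP/supplicant logs.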

Similar Messages

  • How to Sync clock on WLC ISE and AD

    Hi there,
    I am stuck on NTP. I deployed WLC CWA using ISE that is integrated with AD. I tried using AD as the NTP source but no luck (universal fact that Cisco uses NTP whereas Microsoft uses SNTP).
    The issue is, if time is not synced between WLC, ISE and AD; web redirection stopped working and no authentication takes place.
    I tried installing the Meinberg NTP software to distribute time to my Cisco devices. It does work with Cisco devices, but it acts as master and does not sync its own time with AD.
    I am trying to figure out a way to sync Cisco with Microsoft, is there any way in this world to do so???
    Please help..
    Thanks in advance           

    You mean I should sync AD and all my cisco devices with global NTP server?
    Yes and no.  If you know your network well, doing this is a pain in the proverbial backside because you have to open firewall rules to everyone going out to the global NTP server.
    The smart thing to do is what George has described.  You select a few (between two and four) to go out to the internet to synchronize.  Normally I would nominate our core routers to do this.  Next, all our distribution switches and core switches synchronize to our core routers.  All our servers, PCs, printers, WLCs and switches synchronize to our distro switches.

  • HA clarification in cisco 5760 WLC

    Hi Experts ,
    We want to establish HA between two 5760 WLCs. These controllers will be in separate buildings. So is there any way that we can establish HA without using stacking cables?

    Hi guys! We have 2 WLC 5760 and one of them is a HA SKU and they HAVE to be in different buildings. Can we configure the HA SKU WLC as standalone and use mobility groups for redundancy? Is there a License issue in this scenario?
    Thanks in advance!

  • 5760 WLC Features

    The release notes for the new 5760 WLC mention that "profiling and on boarding" are not yet supported.
    http://www.cisco.com/en/US/docs/wireless/controller/3.2_0_se/release_notes/OL28115_3_2_se_rn.html
    Does this mean that when using ISE with Guest Server features, device profiling or guest self-registration isn't supported?

    Yes, it is true that the 5760 does not support "profiling and on boarding". But when you use ISE for the same, it will support the entire feature set which you are looking for.

  • 5760 WLC and 5760 HA WLC question

    Hi everyone,
    I assume this information must exist... I just cannot locate it. Customer purchasing two 5760 WLCs:
    1     AIR-CT5760-500-K9
    1     AIR-CT5760-HA-K9
    I am looking for info on how to configure these 2 WLCs to work together.  How do you inform the production WLC that a HA WLC is available to sync with? Do WLCs have to be L-2 adjacent, or will HA operate at L-3?  How does this HA setup work? etc.
    Any help would be really appreciated.

    Hi,
    Any news regarding this issue?
    We have the same scenario:
    1     AIR-CT5760-500-K9
    1     AIR-CT5760-HA-K9
    Both running
    IOS XE 03.03.01SE
    I've activated Global AP Failover Priority on both WLCs and, from a total of 47 APs, I've configured 8 with Priority Critical, 7 APs with Priority High and 3 APs with Priority Medium.
    We issued a reload to the primary WLC and it took 7 minutes for the APs to recover from the Secondary to the Primary:
    13:14 - reload issued on the primary WLC
    13:15 - service granted by the secondary WLC (required a shut/no shut of the "Network Status" of the radio interfaces)
    13:22 - service recovered to the primary WLC
    Edit - Forgot to mention that the priority values mentioned above didn't show much improvement in the AP recovery time...

  • Has anyone deployed converged access with 3850 switches and 5760 WLCs?

    Has anyone deployed a converged access network architecture with 3850 switches and 5760 WLCs? I have done lots of projects with the 5508 WLCs in a centralized deployment. Basically with this design, I manage 2 logical networks, as the wireless network is an overlay over the wired network. I can design a firewall to segregate traffic between the wired and wireless, hence I can carry both staff and guest traffic.
    Now Cisco is telling us that there is a new design such that the data plane traffic can be dropped locally through the 3850 switches. I am not sold on this and have not found any recommended best practices on when we should use a converged access architecture.
    Pros
    With converged access, data traffic is terminated at the MA which is on the switches, hence the WLC will not be a bottleneck? This is to prepare adoption for 802.11ac?
    Less hops for voice calls from user A to user B as data control traffic is dropped locally.
    Cons
    Now how do I segregate guest and staff traffic if my security folks say I need a firewall?
    Troubleshooting wireless client mobility will be a nightmare as the 3850 switches are MA.
    Pushing and upgrading code for the Code will mean upgrading the stack of switches in the LAN riser. This will be painful in a huge campus environment like an university.
    Can someone convince me why would a customer choose converged access?

    They choose CA because of the CAPWAP termination at the switch. You can still use a 5508 and tunnel guest to a DMZ segment if you wish. You will need a 5508 though if you want to tunnel traffic to an anchor WLC.

  • 5508 as mobility anchor to 5760 WLC

    I have 4 5508 WLCs in my environment now, installed at various locations. One 5508 is acting as an anchor for guest access.  All other 5508s connect back to the anchor for the same SSID, the guest wireless WLAN.  A new office is opening up with several new APs using a newer 5760 WLC running as an MC.  Currently the 5508's do not have New Mobility enabled.  I'm pretty sure I need to enable this on the anchor at least, but the question is do all 5508 WLCs need to be changed to support New Mobility; and if so, does it require any new configuration so that I don't break the guest wireless SSID?  I am new to New Mobility so I am not sure what to expect.  Other than rebooting a few WLCs to turn on New Mobility.
    All 5508's run 7.6.130.0.  The newer 5760 runs 03.06.02E. 
    Thanks
    Jeff

    OK, so to recap;
    - place the 2nd WLC in the DMZ with only 1 port (set for dynamic AP management)?
    - Then anchor the guest SSID (on its DMZ IP instead of the management IP as it is now)
    And to make that kind of anchoring work, I have to open ports below on the firewall.. right?
    UDP port 16666 for inter-WLC  communication, and IP protocol ID 97 Ethernet in IP for client traffic.
    and:
    •TCP 161 and 162 for SNMP 
    •UDP 69 for TFTP 
    •TCP 80 or 443 for HTTP, or HTTPS for GUI access 
    •TCP 23 or 22 for Telnet, or SSH for CLI access
    Thanks to confirm that

  • Attach WAP4410N as WGB to Cisco 5760 WLC with LWAP 3702

    I have a 5760 WLC with 3702 wireless infrastructure. Can I connect a WAP4410N AP as a WGB, attached to my current wifi network, so I can provide connectivity to some wired devices? Any tips on doing so? And are there any limitations imposed by using this WAP instead of any other AP that is supported by the WLC 5760? If the wired clients are passive, will configuring passive-client on the WLC work normally?

    Thanks Eric for the reply. However, this AP is not expected to be controlled by the WLC as you mentioned, since it is not lightweight and not supported by this WLC for compatibility. In this scenario, I'm talking about operating it in WGB mode, attached to the unified wireless infrastructure. It is just attached as a client that passes the traffic of its clients to the other side.
    I have noticed the below statement in this guide page (539)
    http://hcsdemo.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/37e/consolidated_guide/b_37e_consolidated_3650_cg.pdf
    When non-Cisco WGBs are used, the switch has no information about the IP address of the clients on the wired segment behind the WGB. Without this information, the switch drops the following types of messages:
    • ARP REQ from the distribution system for the WGB client.
    • ARP RPLY from the WGB client.
    • DHCP REQ from the WGB client.
    • DHCP RPLY for the WGB client.
    Accordingly, if the switch drops all this traffic, then no traffic will be passed from the WGB clients to the network! What am I missing here?

  • 5760 WLC Clean Air question

    Hi,
    My customer's Cisco 5760 WLCs are running as an HA pair. CleanAir has been configured on these boxes, but when I do a sh ap dot11 5ghz cleanair summary all the APs show Spectrum Oper State as Down:
    CPIT-5760-WLC-1#sh ap dot11 5ghz cleanair summary
    AP Name               MAC Address         Slot ID  Spectrum Capable  Spectrum Intelligence   Spectrum Oper State
    AP1                   xxxx.xxxx.xxxx            1  Enabled           Enabled                 Down
    AP2                   xxxx.xxxx.xxxx            1  Enabled           Enabled                 Down
    AP3                   xxxx.xxxx.xxxx            1  Enabled           Enabled                 Down
    Anyone got any ideas as to how I overcome this little obstacle?
    Thanks
    Alan

    Thanks for the reply. As far as I can tell all the radios are operational,
    and CleanAir has been configured:
    ap dot11 24ghz cleanair
    ap dot11 5ghz cleanair
    Also the link you sent was for release 7 on the old series controllers whereas this is a HA pair of the 5760s running release 3.03.
    I have been through the configuring Clean Air chapter for this release and it doesn't suggest anything I haven't already tried.
    Alan

  • Cisco 5760 WLC initial config

    Hi,
    I am configuring a Cisco 5760 WLC and wondering if it is required to put in a default route. This document says to put one in, but I don't see why it is needed as it is connected to a switch via a layer 2 trunk.
    Reference:
    https://supportforums.cisco.com/docs/DOC-34430
    Another question: since there are no more Dynamic Interfaces and they are replaced with Layer 2 & 3 interfaces instead, do all Layer 2 interfaces you create also require a Layer 3 interface IP address to be configured? As shown below:
    Thanks

    So by default the 5760 has IP routing enabled so you will need to put in a default route. A default gateway won't work unless you disable IP routing first.

  • 5760 WLC cross-stack port-channels?

    Hi, would anyone know if cross-stack port-channels can be configured on a stack of 5760 WLCs?
    I need to aggregate 4x 20Gb port-channels comprised of 8x 10Gb 10G-LR SFPs.
    Thanks

    Please check the below link
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/5700/software/release/3se/layer2/command_reference/b_lay2_3se_5700_cr/b_lay2_32se_5700_cr_chapter_010.html

  • 5760 WLC compatibility with 887 routers in unified mode

    Hi,
    I was wondering if the Cisco 5760 WLC is compatible with the APs in 887 routers when switched to unified mode. It seems like the WLC is rejecting it; it says unsupported AP.
    Cheers

    Not supported.
    Here is the supported AP list as of IOS-XE 3.6.0 (1700 & 1570 series support added in 3.7.0E)
    http://www.cisco.com/c/en/us/td/docs/wireless/technology/5760_deploy/CT5760_Controller_Deployment_Guide/Supported_Features.html#pgfId-1071753
    HTH
    Rasika

  • WLC, ISE certificate authentication issue

    Hi Folks,
    This is the setup:
    Redundant pair of WLC 5508 (version 7.5.102.0)
    Redundant Pair of ISE (Version 1.2.0.899)
         The ISE servers are connected to the corporate Active Directory (the AD servers are configured as external identity sources)
         There is a rule based authentication profile which queries the AD identity source when it receives wireless 802.1x authentication requests.
    A corporate WLAN is configured on the WLC:
    L2 security WPA+WPA2 (AES Encryption), ISE server 1 and 2 configured as the AAA Authentication servers.
    This is all working correctly - I associate to the Corp WLAN (Authentication WPA2 enterprise, encryption AES CCMP, 802.1x auth MS-CHAPv2 using AD credentials) ... I can see the authentication request being processed correctly by the ISE, and I get access to the network.
    The client I am working for wants to restrict access to the WLAN to users who have been allocated a certificate from the corporate CA, and this is where I am having issues.
    I took a test laptop, and requested a new certificate (mmc, add snapin, certificates, current user, personal, request new cert).   
    The cert that was issued was signed only by a Corporate AD server with CA services (there is nothing in the certification path above the cert I was issued, apart from the issuing server itself).   I changed the security settings of my connection to the corp wlan (using TLS instead of mschapv2, and pointing to the certificate I requested)
    Initially authentication failed because the ISE did not trust the CA that provided my certificate (the ISE RADIUS authentication troubleshooting tool had this entry: '12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain').
    I exported the issuing CA's root certificate (followed this process http://support.microsoft.com/kb/555252), and imported the cert into ISE (administration, system, certificates, certificate store, import) - status of the cert is enabled, and it is trusted for client auth.
    After I did this, I could no longer associate to the Corp WLAN.  
    My laptop's wireless management software logs were filled with messages saying that the authentication server did not respond.   
    The ISE troubleshooting tool reported no new failed or successful authentication attempts.   
    Strangely though, the WLC log had a lot of entries like this: 'AAA Authentication Failure for UserName:host/laptop_asset_tag.corp.com User Type: WLAN USER'.
    It looks like the WLC is trying to locally authenticate my session when I use TLS, rather than hand off the authentication request to the ISE.    Other users who authenticate using their AD credentials only (as I described above) can still authenticate ok.
    Anyone able to shed some light on where I have gone wrong or what additional troubleshooting I can do?
    Thanks in advance,
    Darragh

    Hi,
    I had the same issue with a Microsoft CA, running ISE 1.1.4. The CA file was "corrupted", but you didn't see it at first glance. You can verify whether the client CA matches the root CA via openssl.
    Try to export the root CA and the issuing CA in a different format (Base64), import both root and issuing into ise and check if that works. Also check if "Trust for client authentication or Secure Syslog services" in the Certificate Store -> CA -> Edit, is set.
    If this does not work, try to import the CA into another system and export it, then import into ISE.
    Regards,
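The openssl check suggested in the reply, carried out end to end, as an added example that is not part of the original thread. It builds a constructed throwaway PKI (root CA, issuing CA, client certificate; none of it is the poster's corporate CA material), then shows the three things worth checking before blaming ISE: whether the exported CA file is really PEM, DER or damaged, whether the client certificate's issuer DN matches the CA you imported, and whether the client certificate chains to the trusted root with and without the issuing CA, which is the condition behind the 12514 "unknown CA" failure. The file names and the 200-byte truncation used to simulate a damaged export are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce ISE's EAP-TLS trust check offline with openssl.
# Everything under $WORK is a constructed throwaway PKI (root -> issuing -> client).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

build_test_pki() {  # $1 work dir
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$d/client.ext"
  # Root CA (self-signed, explicit CA extensions so openssl verify accepts it as a trust anchor)
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Root CA' \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
    -days 2 -out "$d/root.pem" 2>/dev/null
  # Issuing CA, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Issuing CA' \
    -keyout "$d/issuing.key" -out "$d/issuing.csr" 2>/dev/null
  openssl x509 -req -in "$d/issuing.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/ca.ext" -days 2 -out "$d/issuing.pem" 2>/dev/null
  # Client (EAP-TLS) certificate, signed by the issuing CA
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=laptop.example.test' \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/issuing.pem" -CAkey "$d/issuing.key" -CAcreateserial \
    -extfile "$d/client.ext" -days 2 -out "$d/client.pem" 2>/dev/null
  # A DER ("binary") export and a simulated damaged export (assumption: truncated to 200 bytes)
  openssl x509 -in "$d/issuing.pem" -outform DER -out "$d/issuing.der" 2>/dev/null
  head -c 200 "$d/issuing.pem" > "$d/issuing.broken"
}

# PEM, DER or BAD: a CA export in the wrong encoding or cut short shows up here.
cert_file_format() {  # $1 file
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null \
     && openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then echo PEM
  elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then echo DER
  else echo BAD; fi
}

# Does the client certificate's issuer DN equal the candidate CA's subject DN?
issuer_matches() {  # $1 CA cert, $2 client cert
  s=$(openssl x509 -in "$1" -noout -subject)
  i=$(openssl x509 -in "$2" -noout -issuer)
  if [ "${s#subject=}" = "${i#issuer=}" ]; then echo MATCH; else echo MISMATCH; fi
}

# The check behind ISE 12514: does the client cert chain to a trusted CA?
# $1 trusted CA file, $2 client cert, remaining args: intermediate CA files offered as untrusted.
verify_client_cert() {
  ca=$1; cert=$2; shift 2
  untrusted=""
  for f in "$@"; do untrusted="$untrusted -untrusted $f"; done
  # shellcheck disable=SC2086
  if openssl verify -CAfile "$ca" $untrusted -purpose sslclient "$cert" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

build_test_pki "$WORK"
echo "issuing.pem: $(cert_file_format "$WORK/issuing.pem")  issuing.der: $(cert_file_format "$WORK/issuing.der")  issuing.broken: $(cert_file_format "$WORK/issuing.broken")"
echo "client issued by issuing CA: $(issuer_matches "$WORK/issuing.pem" "$WORK/client.pem")"
echo "root only:            $(verify_client_cert "$WORK/root.pem" "$WORK/client.pem")"
echo "root + issuing chain: $(verify_client_cert "$WORK/root.pem" "$WORK/client.pem" "$WORK/issuing.pem")"
```

The "root only" case fails exactly as ISE does when only the root is in its trusted store and the client does not send the issuing CA: import the issuing CA as well (the reply's advice), in PEM/Base64, and re-run the verify with it as untrusted chain material before testing over the air.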

  • WPA2 Auth on WLC 5760 using ISE 1.2

    Hello there,
    I am trying to configure WPA2 802.1x authentication on my WLC, which should use ISE as the RADIUS server, which in turn is set to authenticate AD users.
    The issue is that when I try to connect to the SSID, it does not forward the authentication request to ISE. Therefore, I don't see any authentication request on ISE coming from the client.
    I am using the following cli config for the SSID.
    wlan TESTSTAFF 70 TESTSTAFF
     aaa-override
     client vlan Floor_WL
     security dot1x authentication-list WPA-Auth
     session-timeout 1800
     no shutdown
    aaa authentication dot1x WPA-Auth group ISE_Group
    aaa group server radius ISE_Group
     server name ISE
    radius server ISE
     address ipv4 <ise_ip> auth-port 1812 acct-port 1813
     key <key>
    On ISE, I have added the WLC as a network device. CWA authentication is working fine; it is just Layer 2 WPA 802.1x authentication which is not forwarding requests to ISE.
    Can you please suggest?
    Thanks in advance.

    Are your WLC and ISE connected?
    Is your RADIUS shared secret correct and the same on both sides?
    Please check these: http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
    Regards
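For comparison, the global AAA scaffolding that a 5760 WLAN with `security dot1x authentication-list` depends on, as an added example and not the poster's configuration or a Cisco document: on IOS-XE converged access controllers, 802.1X on a WLAN is only processed when `aaa new-model` and `dot1x system-auth-control` are enabled globally, and without them the WLAN never generates a RADIUS request, which is exactly the symptom described above. The list, group, server and VLAN names are taken from the post; `<ise_ip>` and `<key>` remain placeholders; the `dynamic-author` block (for ISE CoA) and the verification commands assume IOS-XE 3.x on the 5760.

```text
! Global prerequisites: without these two lines no 802.1X WLAN on the 5760 sends RADIUS
aaa new-model
dot1x system-auth-control
!
radius server ISE
 address ipv4 <ise_ip> auth-port 1812 acct-port 1813
 key <key>
!
aaa group server radius ISE_Group
 server name ISE
!
aaa authentication dot1x WPA-Auth group ISE_Group
!
! Lets ISE push CoA (session reauth/terminate); assumed, not in the original post
aaa server radius dynamic-author
 client <ise_ip> server-key <key>
 auth-type any
!
wlan TESTSTAFF 70 TESTSTAFF
 aaa-override
 client vlan Floor_WL
 security dot1x authentication-list WPA-Auth
 session-timeout 1800
 no shutdown
!
! Verification from the controller CLI (assumes IOS-XE 3.x):
! test aaa group ISE_Group <testuser> <testpassword> new-code   -> proves reachability and shared secret
! show aaa servers                                             -> per-server request/response counters
! show wlan name TESTSTAFF                                      -> confirms the dot1x list is bound to the WLAN
```

If `test aaa` succeeds but a real client still produces nothing on ISE, the problem is on the WLAN side (the global dot1x switch or the list binding), not the RADIUS path, and that is where the debugs should start.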

  • Cisco WLC ISE integration issue

    Dear all,
    We have a WLC 5508 and ISE integration; our wireless clients can connect to the Guest or Corporate SSID.
    When connecting to the Corporate SSID, they can obtain an IP address and successfully associate. To use internal services (email, corporate services, etc.) the user needs to download the AirWatch agent, but initially he can use ONLY the internet connection. The issue is that clients randomly reassociate; the downtime of the client is less than a second. For example, an Android phone shows that it periodically disconnects and reassociates to the SSID. I don't know if it is a bug or some timers need to be configured. Any ideas?

    There is no problem with the non-802.1x SSID.
    Is the problem in the ISE timers?
