802.1x anchor mobility

Hi,
We are using the anchor mobility feature to authenticate 802.1x/WPA2 clients. We see that DHCP/data traffic traverses the Eth/IP tunnel, but we do not see the authentication/RADIUS packets. We see the authentication sourcing from the local controller. Is this how anchor mobility works, or are we missing something?
Thanx....

The below link is a good explanation of the Anchor-Mobility function within Mobility Groups.
http://www.cisco.com/en/US/docs/wireless/controller/4.0/configuration/guide/c40mobil.html#wp1002608
HTH.

Similar Messages

  • Anchor mobility configuration getting lost in wlc 5508 ios code 7.4.100.0

    It is observed that in WLC 5508, IOS 7.4.100.0, the mobility anchor configuration on the WLAN is getting lost. We configure the anchor IP address on guest WLAN > Mobility Anchor > Switch IP Address (Anchor).
    We have configured the template on NCS 2.0 to push the anchor mobility IP address to all WLCs.
    Has anyone observed this behaviour? We have more than 100 WLCs, and every week the mobility anchor configuration is lost on some WLC running code 7.4.100.0.

    I am having this exact same problem. I am running 7.3 on 5508 WLC. My remote site LAPs are using Flex (HREAP). The initial access point that my laptop associates to connects with no problem; as soon as I wander out of range of the initial LAP and into the area of another access point, I lose data connectivity. This was validated like the original post: I start a constant ping on the LAN and watch as the ping latency increases and then ping replies stop. The only way to correct the problem is resetting the wireless adapter on the laptop. Side note: my DroidX has no problem wandering from AP to AP.
    Laptop: Windows 7 32bit
    I then returned to my home site and tested where I have a secondary controller and the LAPs are configured for local mode; no problems roaming from access point to access point. Validated with a constant ping test. The pings drop for a second and then resume as the laptop reconnects.
    **Edit: I am going to try the removing the DHCP Addr. Assignment required option, and report that back to the TAC engineer.
    Message was edited by: Michael Dunki-Jacobs
    **Edit Solved:***
    The problem is indeed solved by turning off "DHCP Address Required", but why?

  • Anchor mobility between WLC 5508 and Aruba/Clearpass

    Hello. I have a question regarding the ability to configure anchor mobility between a 5508 WLC and an Aruba controller. To date, my understanding is it has never been possible and I have never found any documentation that says it can be done.
    Scenario: My organization and a partner organization co-own a hospital. We coexist on a large campus, with each org having a number of buildings that the owning org maintains the network presence in. We also maintain back-to-back firewalls between us and do not hand off any direct layer 2 interfaces to each other. However, the two orgs do partner to provide each other's business SSIDs in each other's WiFi networks using anchor mobility. Our current solution utilizes an A/M tunnel between my org's 5508 controllers and the partner org's 2504 controller, and we explicitly permit the tunnel traffic between partner controllers for A/M to work. Last year, the partner org retired some old WiSMs and changed their wireless solution to Aruba and recently implemented Clearpass. In order to maintain A/M with us they left a 4404 operational, but due to the newer code we were running they were forced to purchase a 2504. So now they are only maintaining a limited footprint in their network with a few Cisco APs and the rest of their coverage areas use Aruba APs, and they have indicated that they want to completely retire their Cisco WLCs. Because we host some of their SSIDs on our controllers and can tunnel them to their 2504, they get all of their WiFi traffic coming from our network; however, my org can only connect to our SSIDs on their campus in certain areas.
    The solution I have been asked to provide is to find a way to continue providing some sort of anchor mobility services between our WLCs and their Aruba controllers. My org maintains that we do not want to simply hand them a layer 2 interface for security reasons, but they want our SSIDs to be available in all areas of the partner org's campus and vice versa. So far I have stalled the partner org's plans to retire their WLCs by telling them that retiring their WLCs will completely break WiFi between orgs, but they are adamant that some sort of A/M solution must be found.
    Is there any way to do some sort of A/M between a WLC and Aruba controller and if so, is there any documentation showing configuration examples etc?
    Thanks,
    John

    Hi John,
    I do not think it will work. Even if it gets working somehow, it will be an operational nightmare to troubleshoot and fix an issue, since both vendors will say it is NOT a supported solution.
    What about asking them to advertise your SSID (assuming it is dot1x) on their APs as another SSID on their network, but pointing it to your RADIUS and DHCP for IP connectivity? You do not have a layer 2 requirement for this and can do it as long as you have L3 communication between each other.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Layer 2 security with WLAN auto-anchor mobility

    Hello,
    I was wondering if Layer 2 security can be used with auto-anchored WLANs.
    I need to deploy two new isolated WLANs which will terminate in two DMZ environments.
    I was hoping to use the existing WCS-managed infrastructure with 4404 and 4402 WLCs and just throw on a couple more WLANs.
    However, I've built a little test environment, and while I can get the new VLAN traffic tunneled and originating from the correct anchor controller with no layer 2 security, as soon as I turn on WEP or WPA security options it stops working. I can't find anything in documents or this forum to show auto-anchor mobility with anything other than unsecured guest WLANs.
    Am I trying to do something unsupported, or is it just an error on my part?

    Hi Greg,
    no, the users are internal so I only want to use L2 security. I can't see that L3 should be a problem to add on though. I'm using 3.2.x of the WLC code - so there is no "Guest LAN" mode - I was playing with the new versions and it looks like L2 security is disabled in that mode?
    If you want to see how I got my bit working I would be happy to share my doco when I'm done.
    regards,
    Aaron

  • !! Warning !! Guest anchor mobility fails in 5.0.48, Single Foreign

    Finally some 5.0 chat showing up, so I'll add this nugget. All controllers migrated from 4.2 to 5.0.48. All site (foreign) controllers = MOBGRP-CORP, anchor controller in central DMZ = MOBGRP-DMZ.
    Found that my first site where I implemented Guest via anchor mobility worked ok. Tried to bring up 2 new sites with their own foreign controller against the same (working) anchor. NO GO. All debugs and shows indicate mobgroup, mobgroup anchor, etc. all good. Debugs reveal mobility anchoring messages never being initiated by foreign to anchor.
    Reviewed with TAC for 3 hours last night. Finally found a bugID that related against 5.0.48.
    Bottom line is that our site that was working had 2 foreign controllers. Site that wouldn't come up only had 1 foreign. Weird bug that if site has only 1 mobility member (beside anchor definition) then mob anchor plumbing messages won't exchange from foreign to anchor. Instead, debugs show foreign as anchor. Workaround = move anchor controller into same mobility group as the internal (foreign) controllers. All good now.
    Hope this helps someone avoid 3 hrs w/ TAC. (And I felt I had a GOOD tac guy).
    Now if I could just figure out how to have multiple profile/wlan definitions on anchor controller but have the same ssid on them all so that our guest ssid @ sites can be uniform. Currently won't let me define multiple wlans on anchor with same ssid, even if profile name is unique. Guess despite it not running APs it's still checking wlans for uniqueness. Not very 'enterprise' as we want to have each site a) Have standard guest ssid and b) Have their own IP address space for firewall log purposes, etc. A & B seemingly mutually exclusive in current situation, assuming central anchor controllers of course.

    Well I guess now I need to follow up on my own post. After moving the DMZ anchor controller into the "internal" mobility group, we ran into some weird issues.
    1) New APs at the site we were bringing on were somehow getting joined up to another site's controller. Only thing in common between sites was mobgrp name and the fact that they both anchored guest to the same central anchor controller.
    2) At the new site, guest seemed to work OK now but we were experiencing problems with hosts on one of the controllers internal wlans. They were not getting IPs. Debugs revealed that foreign (site) controller was bringing up guest tunnel to itself for this local, non-anchored wlan.
    Opened another tac case. This tac engineer advises that while bug CSCsm71840 exists, the other engineer should not have told us the workaround was to put dmz anchor controller into internal mobility group. Rather, he advised, we should go into any controller (on dmz anchor end or internal foreign end) where there was only 1 controller in the mobility group and add a 'dummy' entry into the mobility group.
    We changed the dmz anchor back to his own mobility group and then made the dummy entries and the mobility anchor worked correctly & so far appears that previously problematic internal wlan also works correctly.
    This whole thing should make for some 'interesting' conversation with the BU shortly.

  • Anchor Mobility

    Hi
    I have created SSIDs that remote users can log onto that point to their own RADIUS servers. Someone suggested that I need to use Anchor Mobility. Can you please tell me what this is in WLC and where I can find this?
    Thank you

    You only use anchor if you have another WLC and its part of the design. Here is a document that will explain auto anchor.
    http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_mobility.html
    Sent from Cisco Technical Support iPhone App

  • WLC 4404 Anchor mobility

    Hi,
    I have 2 WLAN controllers 4404.
    1 WLC is in the DMZ area. On this controller I have configured the SSID named TEST (for the internet), which is connected to the Cisco switch (VLAN id 120).
    If I try to connect, it works very well.
    I must use this SSID over the DMZ, in the other WLC in the other LAN segment.
    I configured the anchor mobility.
    I followed the explanation that I found on Cisco. I don't understand if I must create the VLAN also in the other LAN segment.
    I had configured this:
    I created on the remote WLC the SSID TEST (= to the WLC in the DMZ).
    I created VLAN 120 on the remote switch, and I also created this VLAN in the remote WLC. In the WLAN SSID TEST I set the interface TEST (vlan120).
    After this step, I created the anchor mobility (which is up) in the DMZ site and in the remote site.
    If I connect my PC to the SSID TEST on the remote WLC, the connection doesn't work.
    Is my configuration ok, or do I not understand how to configure the anchor feature?
    thanks for your help
    fcostalunga

    Take a look at this doc. You have to have the guest ssid configured the same for the foreign (inside) and anchor controller. The only difference is that you have to map the ssid to the management interface on both controllers. This is where the tunnel is created from. Ports have to be opened up on the dmz for the foreign and anchor controller to communicate:
    http://www.cisco.com/en/US/docs/wireless/technology/guest_access/technical/reference/4.1/GAccess_41.html

  • Basic Intel iMac with 802.11n - no mobile devices or broadband. What do I need in Australia. mrcos

    Saturday 7 January 2012
    I am writing to ask for some advice regarding the best course of action to take with regard to my current computer situated in Sydney Australia.
    I have been a Netspace customer for many years with an old iMac until I purchased a new iMac in the latter part of 2011. All this time I have been a dial-up participant with no broadband, gaming or little or no downloading. This account will expire late next month.
    My main usage has been in the areas of email together with internet access mainly to my financial interests. I am still using dial-up after purchasing an exterior V92 modem which can only operate in 32 bit mode rather than the 64 bit mode for which the new iMac normally operates.
    The advice I need now is with regard to the best method I should now adopt in order to take advantage of the facilities I now have available and whether or not I need more hardware and/or software, to utilise such things as wireless using 802.11n.
    Should I stay with Netspace or switch to another server such as Telstra who already have my home telephone and Foxtel accounts.
    I intend to make similar enquiries to Telstra, Netspace and other suppliers.
    Unfortunately, I am an old dinosaur and am enquiring because I have not been bothering to keep track of what is available until my latest computer purchase posed a number of questions as well as my own ability to take it all in.
    I have no mobile devices and do not require any nor am I particularly looking for broadband.
    Yours faithfully,
    malfromsydney

    Hi Peter Ducklow-
    Charles offers good advice-you need a router.
    This document may be helpful: Creating a small Ethernet network
    Luck-
    -DaddyPaycheck

  • Guest anchor mobility group

    I have 2 anchor controllers in a DMZ to provide redundancy for guest access. They are configured with the same default mobility group name, which is different from the local controllers' mobility group names. My local controllers include both anchor controllers in their mobility group configuration. The anchor controllers provide DHCP for guest access, but with different IP subpool addresses.
    Do I have to include both DMZ anchor controllers as well as the local controllers in the mobility groups which are configured on the DMZ controllers?
    Would the DMZ controllers communicate with each other? If so, what information would be exchanged, e.g. client status?
    Does symmetric tunnelling have to be configured?
    Thanks

    I would add both DMZ controllers to each other's mobility group list. This way, if a client roams from a controller that is anchored to WLC-A to a controller anchored to WLC-B, the client's session could be handed off.

  • Auto anchor mobility WLAN interface

    Hello, I'm in doubt whether I can associate the mgmt interface to my GUEST WLAN on the anchor controller as well. I know that I must do it on the foreign controller. Since my mgmt interface on the ANCHOR CONTROLLER is configured in my DMZ, if I really need to configure the GUEST WLAN with a dynamic interface, I will need to create another VLAN, and this makes no sense.

    Hi a.azambuja,
    Yes - you can associate your guest WLAN to your management interface - however I would not recommend this.
    You would be much better off creating a new VLAN that will carry the guest user traffic so that it is segmented away from any management traffic.
    Cheers,

  • Cisco 3850 Mobility Agent unable to connect clients

    Hi
    We are trying to use Cisco 3850 as Mobility agents with 5760. We can't seem to get the clients to authenticate to the radius server. We don't even see them appear in the radius logs.
    We have defined the radius server and the profile
    wlan Wireless 2 WAP
     aaa-override
     accounting-list Radius
     client vlan wireless
     security dot1x authentication-list Radius
     session-timeout 1800
     no shutdown
    radius server Primary
     address ipv4 x.x.x.x auth-port 1812 acct-port 1813
     timeout 5
     retransmit 2
     key 7 ........
    radius server Primary
     address ipv4 x.x.x.x port 1812 acct-port 1813
     timeout 5
     retransmit 2
     key 7 .........
    The client appears to connect to the AP but can't authenticate, so it gets kicked off.
    If we do a test aaa group username password, then it says that it's successful.
    In the debug we get "802.1X required", but then it never seems to get any further.

    Alright, so I finally figured out the issue with this. I had a Mobility Anchor set on the guest WLAN and once I removed that all started working again.
    What is Mobility Anchor?
    A. Mobility Anchor, also referred to as Guest tunneling or Auto Anchor Mobility, is a feature where all the client traffic that belongs to a WLAN (Specially Guest WLAN) is tunneled to a predefined WLC or set of controllers that are configured as Anchor for that specific WLAN. This feature helps to restrict clients to a specific subnet and have more control over the user traffic. Refer to the Configuring Auto-Anchor Mobility section of Cisco Wireless LAN Controller Configuration Guide, Release 7.0 for more information on this feature.

  • 5760 Mobility

    Hi All
    I'm using a Cisco 5760 with 3.3 code with a Cisco 2504 acting as an anchor. The 2504 is running 7.5 code and has 'New Mobility' (Converged Access) enabled.
    I can't find any reference to what ports are now used between the controllers. I'm assuming it's still UDP 5246/5247. I know EoIP isn't used with the new mobility.
    Can anyone confirm the port requirements for new mobility please?
    Regards
    Roger

    Hi Steve,
    I think there is a bit of confusion here. Yes, I agree everything is CAPWAP, but the UDP port number is different depending on what type of communication it is.
    As per my understanding, UDP 5246 and 5247 are used for WLC-to-AP communication, not for WLC-to-WLC mobility communication. So I still believe UDP 16666/16667 is used for control plane and data plane traffic between controllers.
    Here is one of my 3850 mobility summary output confirming it is using 16666 as UDP port.
    3850-1#show wireless mobility summary
    Mobility Controller Summary:
    Mobility Role                                   : Mobility Controller
    Mobility Protocol Port                          : 16666
    Mobility Group Name                             : LTU-CA
    Mobility Oracle IP Address                      : 0.0.0.0
    DTLS Mode                                       : Enabled
    Mobility Domain ID for 802.11r                  : 0x34c9
    Mobility Keepalive Interval                     : 10
    Mobility Keepalive Count                        : 3
    Mobility Control Message DSCP Value             : 48
    Mobility Domain Member Count                    : 1
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Cisco Flex 7500 and anchor

    Hello, I couldn't find this on the Cisco Flex 7500 specs
    http://www.cisco.com/en/US/partner/prod/collateral/wireless/ps6302/ps8322/ps11635/data_sheet_c78-650053.html
    Does anybody know if I can set up an anchor mobility group between the Flex 7500 and the WLC 5508?
    Kind regards

    Yes, the 5508 can be used as the anchor controller for static anchoring, with the 7500 as the foreign controller using central switching.
    For Mobility:
    Fault Tolerance
    It is recommended to use Flex 7500 as both the primary and backup controllers.
    Flex 7500 primary and backup controllers must be in the same mobility domain.
    Ref:
    http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml

  • Mobility agent, benefits? or am i doing it wrong.

    Hello,
    I am just at the point of labbing a wireless setup. I have configured a 3850 as a wireless controller. I have another stack of 3850s that will be going in the same building that I was thinking of making a Mobility Agent that points at the controller. What is the actual benefit of a mobility agent? It doesn't seem to get any of the configs I made on the controller; it seems like I have to configure all WLANs and AP groups on both anyway, so why would I even bother with a mobility agent? It seems like it would be easier to just make both stacks controllers. Am I doing it wrong, or should they replicate configs? One thing I am not sure about is the DHCP pool on the agent; I set it as the controller for that pool, but that may be wrong. I attached configs as well.
    Thank you
    Mobility Controller Summary:
    Mobility Role                                   : Mobility Controller
    Mobility Protocol Port                          : 16666
    Mobility Group Name                             : **********
    Mobility Oracle IP Address                      : 0.0.0.0
    DTLS Mode                                       : Enabled
    Mobility Domain ID for 802.11r                  : 0x89f
    Mobility Keepalive Interval                     : 10
    Mobility Keepalive Count                        : 3
    Mobility Control Message DSCP Value             : 48
    Mobility Domain Member Count                    : 1
    Link Status is Control Link Status : Data Link Status
    Controllers configured in the Mobility Domain:
    IP               Public IP        Group Name       Multicast IP     Link Status
    192.168.100.1    -                **********    0.0.0.0          UP   : UP
    Switch Peer Group Name            : **********
    Switch Peer Group Member Count    : 1
    Bridge Domain ID                  : 100
    Multicast IP Address              : 0.0.0.0
    IP               Public IP             Link Status
    192.168.100.129  192.168.100.129       UP   : UP
    Mobility Agent Summary:
    Mobility Role                                   : Mobility Agent
    Mobility Protocol Port                          : 16666
    Mobility Switch Peer Group Name                 : **********
    Multicast IP Address                            : 0.0.0.0
    DTLS Mode                                       : Enabled
    Mobility Domain ID for 802.11r                  : 0x89f
    Mobility Keepalive Interval                     : 10
    Mobility Keepalive Count                        : 3
    Mobility Control Message DSCP Value             : 48
    Switch Peer Group Members Configured            : 1
    Link Status is Control Link Status : Data Link Status
    The status of Mobility Controller:
    IP              Public IP            Link Status
    192.168.100.1   192.168.100.1        UP   : UP
    Switch Peer Group members:
    IP              Public IP            Data Link Status
    192.168.100.129 192.168.100.129      UP
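    As an added example (not code from this thread, from Cisco, or from any poster), here is a small parser and health check for the "show wireless mobility summary" listings quoted in this post and in the 5760 reply above. It checks the three things those two posts turn on: the mobility control port (16666, as stated in the reply), DTLS on the control path, and that every peer shows UP for both control and data link. The sample output below is constructed with placeholder addresses and group name; the parser handles the Mobility Controller table layout shown above, not the shorter Switch Peer Group member rows.

```python
import re

# Constructed sample, modeled on the "show wireless mobility summary" listings
# quoted in the thread. Addresses (RFC 5737 range) and group name are placeholders.
SAMPLE_SUMMARY = """\
Mobility Controller Summary:
Mobility Role                                   : Mobility Controller
Mobility Protocol Port                          : 16666
Mobility Group Name                             : LAB-GRP
Mobility Oracle IP Address                      : 0.0.0.0
DTLS Mode                                       : Enabled
Mobility Domain ID for 802.11r                  : 0x89f
Mobility Keepalive Interval                     : 10
Mobility Keepalive Count                        : 3
Mobility Control Message DSCP Value             : 48
Mobility Domain Member Count                    : 2
Link Status is Control Link Status : Data Link Status
Controllers configured in the Mobility Domain:
IP               Public IP        Group Name       Multicast IP     Link Status
192.0.2.1        -                LAB-GRP          0.0.0.0          UP   : UP
192.0.2.2        192.0.2.2        LAB-GRP          0.0.0.0          DOWN : DOWN
"""

# "Key : value" lines of the summary header.
KEY_VALUE = re.compile(r"^(?P<key>[A-Za-z0-9 ./]+?)\s*:\s*(?P<value>.*)$")
# Peer rows of the Mobility Domain table: IP, public IP, group, mcast, ctrl : data.
PEER_ROW = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<public>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<mcast>\S+)\s+(?P<ctrl>\S+)\s*:\s*(?P<data>\S+)$"
)

EXPECTED_PORT = "16666"  # control-plane port named in the 5760 reply above


def parse_mobility_summary(text):
    """Split the CLI output into header fields and a list of peer rows."""
    fields, peers = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = PEER_ROW.match(line)      # try peer rows first: they also contain ':'
        if m:
            peers.append(m.groupdict())
            continue
        m = KEY_VALUE.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return {"fields": fields, "peers": peers}


def check_mobility(summary):
    """Return a list of findings; an empty list means the summary looks healthy."""
    findings = []
    f = summary["fields"]
    if f.get("Mobility Protocol Port") != EXPECTED_PORT:
        findings.append(f"unexpected mobility port {f.get('Mobility Protocol Port')}")
    if f.get("DTLS Mode") != "Enabled":
        findings.append("DTLS not enabled on mobility control path")
    for p in summary["peers"]:
        if p["ctrl"] != "UP" or p["data"] != "UP":
            findings.append(f"peer {p['ip']} link control={p['ctrl']} data={p['data']}")
    return findings


if __name__ == "__main__":
    for finding in check_mobility(parse_mobility_summary(SAMPLE_SUMMARY)):
        print("WARN:", finding)
```

    Paste a real listing in place of SAMPLE_SUMMARY to run it against your own controller; a peer showing anything other than UP : UP, or the port differing from what your firewall rules allow between controllers, is the first thing to look at when a tunnel is down.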

    If you configure those two as MCs, then roaming between them won't be optimal. The best way is to configure a given building's switches as MAs in a single SPG (obviously in your case one stack has to be the MC if there is no centralized MC).
    If these switch stacks are separated at L3 (unlikely if they are in a single building) and you put them as MCs, then those two should be in different mobility groups (as there is 1 MC per mobility sub-domain).
    This gives some idea of how this CA setup works. In that case the 5760 acts as MC, but you can think of it as a 3850 stack in your case.
    http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Anchor controller configuration in 8.0.110 code

    Hi Experts ,
    We have upgraded our controllers to 8.0.110 code, after which our guest network is down. All the tunnels between our Foreign and Anchor controllers show down. The eping command is not supported, and we are unable to do an mping.
    Any suggestion on this.

    You can use auto-anchor mobility (also called guest tunneling) to improve load balancing and security for roaming clients on your wireless LANs. Under normal roaming conditions, client devices join a wireless LAN and are anchored to the first controller that they contact. If a client roams to a different subnet, the controller to which the client roamed sets up a foreign session for the client with the anchor controller. However, when you use the auto-anchor mobility feature, you can specify a controller or set of controllers as the anchor points for clients on a wireless LAN.
    In auto-anchor mobility mode, a subset of a mobility group is specified as the anchor controllers for a WLAN. You can use this feature to restrict a WLAN to a single subnet, regardless of a client's entry point into the network. Clients can then access a guest WLAN throughout an enterprise but still be restricted to a specific subnet. Auto-anchor mobility can also provide geographic load balancing because the WLANs can represent a particular section of a building (such as a lobby, a restaurant, and so on), effectively creating a set of home controllers for a WLAN. Instead of being anchored to the first controller that they happen to contact, mobile clients can be anchored to controllers that control access points in a particular vicinity.
    When a client first associates to a controller of a mobility group that has been preconfigured as a mobility anchor for a WLAN, the client associates to the controller locally, and a local session is created for the client. Clients can be anchored only to preconfigured anchor controllers of the WLAN. For a given WLAN, you should configure the same set of anchor controllers on all controllers in the mobility group.
    When a client first associates to a controller of a mobility group that has not been configured as a mobility anchor for a WLAN, the client associates to the controller locally, a local session is created for the client, and the client is announced to the other controllers in the mobility list. If the announcement is not answered, the controller contacts one of the anchor controllers configured for the WLAN and creates a foreign session for the client on the local switch. Packets from the client are encapsulated through a mobility tunnel using EtherIP and sent to the anchor controller, where they are decapsulated and delivered to the wired network. Packets to the client are received by the anchor controller and forwarded to the foreign controller through a mobility tunnel using EtherIP. The foreign controller decapsulates the packets and forwards them to the client.
    In controller software releases prior to 4.1, there is no automatic way of determining if a particular controller in a mobility group is unreachable. As a result, the foreign controller may continually send all new client requests to a failed anchor controller, and the clients remain connected to this failed controller until a session timeout occurs. In controller software release 4.1 or later releases, mobility list members can send ping requests to one another to check the data and control paths among them to find failed members and reroute clients. You can configure the number and interval of ping requests that are sent to each anchor controller. This functionality provides guest N+1 redundancy for guest tunneling and mobility failover for regular mobility.
    If multiple Controllers are added as mobility anchors for a particular WLAN on a foreign Controller, the foreign Controller internally sorts the Controllers by their IP address. The Controller with the lowest IP address is the first anchor. For example, a typical ordered list would be 172.16.7.25, 172.16.7.28, 192.168.5.15. If the first client associates to the foreign controller's anchored WLAN, the client database entry is sent to the first anchor Controller in the list, the second client is sent to the second Controller in the list, and so on, until the end of the anchor list is reached. The process is repeated starting with the first anchor Controller. If any of the anchor Controllers is detected to be down, all the clients anchored to the Controller are deauthenticated, and the clients then go through the authentication/anchoring process again in a round-robin manner with the remaining Controllers in the anchor list. This functionality is also extended to regular mobility clients through mobility failover. This feature enables mobility group members to detect failed members and reroute clients.
