AAA, WLC, and AP Groups, Anchor Controller, Problem

Similar Messages

• WLC 7.x GuestNet Anchor Controller Certificate Warning

  Customer wants to remove the Certificate Warning for GuestNet.
  One the anchor under Controller > Interfaces > Virtual > DNS hostname do I put the FQDN  CLT111DMZWLC01.acme.com or just the hostname CLT111DMZWLC01 then do a Certificate Signing Request via CLI and then send off to Entrust?
  DMZ DNS Server Test/Verification
  C:\Users\jaarons>nslookup
  Default Server:  dc01.acme.com
  Address:  10.32.11.100
  > set type=ptr
  > 1.1.1.1
  Server:  dc01.acme.com
  Address:  10.32.11.100
  1.1.1.1.in-addr.arpa       name = CLT111DMZWLC01.acme.com
  >
  WLC 7.0.116.0
  Clients Redirected to External Web Authentication Server Receive a Certificate Warning
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076f974.shtml#t2

  Jason,
       In my experience there are a couple of steps that need to be considered. Are there any ap's running H-REAP? if so you need a certificate for each wireless controller. Secondly do you want a wildcard certificate or a specific certificate for each controller?
       I have done the guest access both ways as either a dedicated certificate for the controller or using a wildcard (ie: *.didata.com versus guestwlc1.didata.com)
  Once you know what type of certificate you want, configure the DNS name of the virtual interface as you have describe: ie: CLT111DMZWLC01.acme.com
  Assuming the virtual interface is 1.1.1.1 makes sure external DNS has CLT111DMZWLC01.acme.com resolving to 1.1.1.1
  Then you can use OPEN SSL 0.9.8 to create the certificate signing request.
  then request your certificate and then you will need to compile the certificate and/or certificates into a certificate package to upload into the controller.
  George Stefanick did a great Step-by-step of this on his blog
  http://www.my80211.com/home/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html
  also here is the cisco link for the steps.
  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
  Hope this helps!!
  Please rate useful posts.

• WLC and LDAP Groups

  Is there any way on an LDAP server to create an LDAP group that can be tied to the WLC for LDAP authentication.  I have this url that explains local authentication and LDAP...  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml .  That helps with local authentication but one thing I don't see is any guidance on how to create a group in a DC to communicate with anything on WLC.  Any ideas?

  You are right. You need a radius server overall that integrates with AD and do AD-to-radius group mapping. This way authentication is allowed/denied from radius, not WLC itself.
  If the user can get a radius server to achieve this that will be great (especially if the user is using 802.1x/EAP authenticaion). If not, what I described about OU mapping is the only solution to get the users classified as per what I understood from users requirements.
  The user is not only limited to Microsoft RADIUS (IAS or NPS). However, any radius server that supports AD group mapping can be used. with cisco ACS for example this is supported as well. I am not sure if this is also supported with open-source radius (openRadius for example). But if it is then openRadius can also be used.

• Using ISE for guest access together with anchor controller WLC in DMZ

  Hi there,
  I setup a guest WLAN in our LAB environment. I have one internal WLC connection to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal which works fine.
  To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
  As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
  Does anyone know of a better solution for this ? Where to place the ISE for this scenario, etc ?
  Thx
  Frank

  So i ran into a similar scenario on a recent deployment:
  We had the following:
  WLC-A on private network (Inside)
  ISE Servers ISE01 and ISE02 (Inside)
  WLC-B Anchor in DMZ for Guest traffic (DMZ)
  ISE Server 3 (DMZ)
  ISE01 and ISE02 are used for 802.1X for the private network WLAN.
  Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
  The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth.  Since we want to do CWA, we use Mac Filtering with ISE as the radius server.  If you send this traffic RADIUS authentication for Mac Filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to.  Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails.  (This was a limitation of ISE 1.1.  Not sure if this persists in 1.2 or not.
  So what now?  In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentiction from the Foreign controller so that the client will use a DNS of https://ise03.mydomain.com/... to redirect the client to.  Once the session is authenticated, ISE03 will send a CoA back to the foreign which will remove the redirect for the session.  Note, you do have to allow ISE03 to send a CoA.
  In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node.

• Guest vlan dhcp not working from anchor controller

  Hi All
  I have set up my foreign and anchor WLC, however for some reason im not getting any DHCP addresses from my anchor controller even though the scope is setup etc.
  any ideas why not ?
  cheers
  Carl

  Carl
  Keep things simple - as always.
  Set up the foreign controller with the Guest SSID.
  Point this SSID to the management interface.
  Create a mobility group and add the anchor controller to the group.
  On the SSID - set it to point to the anchor controller.
  On the anchor controller set up an interface for the Guest SSID.
  Point the interface to a DHCP server, be it external or the controller itself.
  Set up the Guest SSID and point it at the interface.
  Create the mobility group and add the foreign controller to the group.
  Make sure the data and control paths come up.
  Set your DHCP scope.
  Point the anchor controller guest SSID to be 'local' (On the WLAN page - far right drop down arrow).
  It should work - no need for an interface on the foreign. Everything is tunnelled via the management interface to the anchor. Any problems - email me!

• Guest Anchor Controller DNS issues

  Hi,
  I have an anchor controller (4402) is running version 4.0.219.0 in our DMZ
  The main service we use is a guest service which uses the anchor controller in the DMZ for access to the internet. Authentication is via the WEB re-direct feature. We currently have a subnet assigned to the Guest SSID with a 22 bit mask providing just over 1000 ip addresses to clients.
  Change required (which were attemped).
  1. Move the dhcp server to a dedicated dhcp server and off the anchor controller.
  2. Increase the address space to /21 thereby providing about 2000 addresses for clients. (By changing the ip address mask on the SSID interface).
  Problems
  The provision of dhcp from the new dhcp server worked fine and clients were able to pick up dhcp addresses when they associated to the wireless SSID.
  The problem was that only some clients were being re-directed to the web-redirect page for authentication. Any clients who were re-directed were able to authenticate correctly.
  Diagnosis
  It appears that only some client's dns requests were being passed on from the anchor controller. A capture of packets between the anchor controller and the DMZ firewall did not pick up dns packets from an assiocated and connected client even when running dns queries manually from the wireless client.
  A reboot of the controller did not make any difference.
  Is there any throttling effect on dns queries which may have being implemented on the anchor controller by default once the subnet mask was increased? I noticed authentication successes of about 1 a minute while normally we would see authentication rates of 1 every couple of seconds.
  Are there any bugs or known reason why an interface mask of /21 would be problematic on the controller?
  We had to roll back the changes to the original configuration in order to bring the service back on-line.

  Hello Eoin
  Where is the external dhcp server ? in the same DMZ or on the inside network ? we have a /19 subnet allocated to the guests and I dont foresee any throttling on the dns queries.. The connectivity anyway till the anchor controller is on EoIP, and is just like the client connecting onto a local controller..
  laptops which had issues -> was the problem interim or its just that they are not able to get the web redirect page at all ?
  Check the release notes for any bugs on this software:
  http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn402190.html#wp170104
  Raj

• Guest Traffic Segregation without using Anchor Controller

  Hi
  I need help in calrifiing , is there any other option avaialble to segregate the guest traffic from CORP on internal WLC itself without using anchor controller ?

  Well really can't tell you or else it would be a book. You either have use ACL's on your layer 3 to deny traffic from your guest subnet to your internal. Nothing has to change on the WLC. If you want to connect one port of the WLC to the DMZ, then disable LAG on the WLC and use port one as primary for the internal traffic which includes management and another port in the WLC as primary for the guest.
  Sent from Cisco Technical Support iPhone App

• AP Groups - Guest Access - Anchor Controller

  Need clarification - I think it does work
  Does the AP Group feature work with the anchor controller guest access feature
  SSID guest --- LWAP -- LWAPP -- Foreign WLC --- EoIP --- Anchor Controller --- VLAN 10 or VLAN 11
  ie
  Guests in Building 1
  SSID guest VLAN 10
  Guests in Building 2
  SSID guest VLAN 11
  Mark

  Hi,
  As far as I know, AP Group only works locally in each controller, and the mapping between SSID and VLAN is done in the anchor controller.
  Therefore, all clients will end up in the same VLAN, even if access points are in different AP Groups in the first WLC.
  Kind regards
  Johan

• Central Web Auth with Anchor Controller and ISE

  Hi All
  I have a 5508 WLC on the corporate LAN and another 5508 sat in a DMZ as an anchor controller.
  I also have an ISE sat on the corporate LAN.
  Authenticate is working fine to the ISE and the client tries to re-direct to the ISE Portal but doesn't get there.
  DNS is working fine and the client can resolve the URL of the ISE to the correct IP address.
  I have a redirect ACL configured on the foreign controller which permits DNS, DHCP and traffic to and from the ISE.
  My questions are:
  1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
  2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
  3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL - I don't believe it does.
  4. Is ICMP still blocked by the WLC until the web authentication is complete?
  Thanks.
  Regards
  Roger

  Hi Roger,
  Thanks for your brief explanation here are the answers for your queries.
  1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
  The only catch is that since this web authentication method is Layer 2, you have to be aware that it will be the foreign WLC that does all of the RADIUS work. Only the foreign WLC contacts the ISE, and the redirection ACL must be present also on the foreign WLC.
  2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
  Yes, you have to configure the ISE server address on the anchor WLC.
  3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL
  Yes, you should override AAA under advanced tab of WLAN as ACL will be present on the foreign WLC.
  4. Yes, ICMP will work only after the sucessful web auth is complete.
  Please do go through the link below to understand the Anchor-Foreigh Scenario.
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11
  Regards
  Salma

• WLC and AAA - one SSID and more VLANs

  hi,
  i have an ACS 4.1, AP1242, WLC4404 and Catalyst 3750, and an Win2003 DHCP Server
  Switch Interface Config:
  interface Vlan10
  ip address 10.70.170.1 255.255.255.0
  ip helper-address 192.168.12.10
  interface Vlan20
  ip address 10.70.171.1 255.255.255.0
  ip helper-address 192.168.12.10
  at the WLC i have configured one SSID with
  - Allow AAA Override
  - Layer2 Sec: [WPA1,TKIP+WPA2,AES]
  - ACS 4.1 AAA
  - Key Management: 802.1x
  one SSID mapped to the management interface. and 2 VLANS with different interfaces:
  VLAN-ID1: 10
  Interface-1:
  IP Address 10.70.170.2
  Netmask 255.255.255.0
  Gateway 10.70.170.1
  DHCP: 192.168.12.10
  VLAN-ID2: 20
  Interface-2:
  IP Address 10.70.171.2
  Netmask 255.255.255.0
  Gateway 10.70.171.1
  DHCP: 192.168.12.10
  at the acs i have 2 users and two groups. Group1-User1 and Group2-User2 with the aaa attributes to change the vlan on login.
  [006] Service-Type: Authenticate only
  [064] Tunnel-Type: VLAN
  [065] Tunnel-Medium-Type: 802
  [081] Tunnel-Private-Group-ID: <VLAN-ID-1> or <VLAN-ID-2>
  my problem is, that the user will authenticate successfully, and also the Vlan and Interface assignment is correct,
  but the ip-address that the user will get is always the IP-Range from Interface2 (VLAN20). So when the USER2 authenticates, he get the VLAN2,
  and the right interface and the right IP Adress and the communication is right.
  but the USER1 gets the interface1 and VLAN10, but the IP from Interface2 (VLAN20).
  what can it be?
  thx

  FYI - If you're using ACS v4.1, you can also achieve this using the Airespace Attributes, by specifying the WLC interface name in the appropriate section.

• Guest ssid with anchor controller and Web policy

  We have a WLC4404 and and anchor controller WLC4402 to provide guest access to the wifi net. We configured both in the same mobility group, and the guest ssid to attach to the mobility anchor 4402. All is working fine until we enable the web policy authentication on the 4402. In this case the client join the guest ssid but neither get an ip address from the dhcp server nor go anywhere. Is we disable the web authentication all works fine again. We are runnig 4.0.206.0 on both WLC. Anyone can help us?

  Two things you might check. (1) The 4404's mobility anchor should point to the 4402, and the 4402 should anchor to itself. (2) Make sure you are configuring the same security policy for the SSID on both the 4402 and 4404. So if the SSID is "guest" and you turn on web authentication on the 4402, make sure "guest" is on the 4404 with web authentication. We are using a similar setup for guest access at several sites.

• Do Anchor controller and foreign controller have to run on the same code version?

  Hi All,
  I have a 4402 anchor controller and 8 4402/4404 foreign controllers all running on code 4.2.61.0 for 1 year without any problem. All guest users are connected to the foreign controllers and then tunneled back to the anchor controller. Right now I need to replace a 25-AP license 4402 foreign controller with a 50-AP license 4402 controller. The new controller is running on code 7.0.116.0. I am wondering if the new controller can join the mobility anchor group so that guest users won't lose connectivity after the swap.
  Please advise. Thank in advance.
  Robert

  Hi,
  The below link will answer ur question!! (Inter Release controller Mobility )
  http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_0_116_0.html#wp568458
  Lemme know if this answered ur question and please dont forget to rate the usefull posts!!
  Regards
  Surendra

• Replace WLC Mobility Group Anchor

  We have 2 5508 and 1 4402 WLCs and all belong to the same mobility group. The 4402 does not have any access points and does nothing more than serve as a mobility anchor for our public wireless SSID. We are planning to replace the 4402 with a new 2504 unit which will have the same configuration including IP as the 4402. Is there anything I need to do with the mobility groups when we remove the 4402?
  Thanks for any help.
  Jeff

  you'll need to add the MAC of the 2504 to the mobility group, and remove the entry for the 4402.
  Out of Curiosity...how many concurrent guest users to you have usually?
  Steve

• Trunk with WLC and 1400BR problem

  hi everybody,
  i have the next proble, i hope someone can help me
  Actually I wrok with a 1522 Mesh Network,1130 LWAPP and Bridge 1400 point to point. 1522 and 1130 are asociated with WLC.
  I have a WLC4402 (4.1.192.22M (Mesh)image) this wlc is conected via trunk to Sw3750 ex:
  interface GigabitEthernet1/0/1
  switchport trunk encapsulation dot1q
  switchport mode trunk
  RAP1 is connected to the sameSw3750 ex:
  interface FastEthernet1/0/23
  description RAP1
  switchport access vlan 10
  **(VLAN 10 is Mgmt)**
  AP1(1130) is connected to the same Sw3750 ex:
  interface FastEthernet1/0/1
  description AP1
  switchport access vlan 10
  The 1410BR Root is connected via trunk to same Sw3750 ex:
  interface FastEthernet1/0/19
  description BR-1400R
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 10
  switchport mode trunk
  In the other point is the Non-Root connected to a Sw2960 ex:
  interface GigabitEthernet1/0/1
  switchport trunk native vlan 10
  switchport mode trunk
  AP2(1130) connected to the same Sw2960 ex:
  interface fa0/23
  descriptipon AP2
  switchport access vlan 10
  The network is work fine, Mesh UP (RAP and MAPs), and 1130 too.I connected the 1400 Bridge point after the Mesh is up, and the link between Root and Non Root is UP
  Now, when the Sw3750 goes down or reboot,the RAP and AP1(1130) can't associated to WLC. The ports of RAP and 1130 are down and up many times, so can't associated to a WLC. Only the Bridge point 1400 Root and Non-root are UP, and the AP2(1130) in the other side can associated to the WLC.
  When shutdown the port of the Root Bridge, Now the RAP1 and AP1(1130) can associated to the WLC and the Mesh Net is UP. Then no shutdown the Root Bridge port and the link between Bridges are UP, AP2(1130) up to the controller too.
  But after several minutes the Bridge down, and the event log in the Root is:Interface Dot11Radio0 Radio transmit power out of range.
  So i have this problems
  1) Trunks between WLC and 1400 BR
  2) Bridge conectivity range.
  Regards
  Antonio

  The Outdoor Bridge Range Calculation Utility uses parameters that include regulatory domain, device type, data rate, antenna gain, and a few others as inputs.
  You can avoid connectivity problems with the Outdoor Bridge Calculation Utility, as this tool helps you to predict the distance between devices. In a wireless environment without a tool like this, you cannot predict the distance between the bridges, the height at which you must place the antennas for maximum throughput, and other variables. This utility also helps you decide on the type of antenna that you must use in order to cover the distance between the bridges.

• WLC user rate limit on guest ssid anchor controller

  Hi,
  I have been looking through the forums & some cisco documents but not found a good example similar to what I am seeking to do so now I am turning to the expertise of my peers.
  We have been deploying 3502 APs remotely to locations with full T1s that backhaul to where I sit at HQ.
  Both the foreign and anchor controller are here at my location.
  I am seeking to rate limit per user the bandwidth each client will get on the guest internet ssid.
  As you know this traffic is encapsulated in capwap between the AP and the controller so I cant use a standard ACL on the switch or router.
  We are trying to keep the guest internet access usage in check on the T1 at any given site so the other ssid's & local lan traffic is not overly competing for the bandwidth.
  I found the place to edit the default profiles in the controller but the documentation really isnt clear on best practices.
  So I put it to you my fellow wireless engineers to suggest how you are implementing bandwidth management on your wireless guest internet.
  Thanks guys!           
  Oh and here is my hardware & software levels.
  5508wlc - forgeign
  4402wlc - anchor
  Software Version
  7.0.230.0

  Amjad,
  Thank you for taking the time to respond as well as the document link.
  It was pretty clear on the steps and what it would impact.
  Two things that push me for a different solution (assuming their is one).
  Note The values that you configure for the per-user bandwidth contracts affect only the amount of bandwidth going downstream (from the access point to the wireless client). They do not affect the bandwidth for upstream traffic (from the client to the access point).
  As you can see from the above note taken out of the linked document the roll based rate limit doesnt really rate limit the T1 traffic any guest user consumes it only limits usage from the AP down to the client.
  #1 I am looking for a solution that limits the users up & down streams (if possible) & also before it leaves the AP for the T1.
  The idea is to limit WAN utilization.
  #2 I read in the forums here others asking about the "user role" and saw some comments saying it is not considered "best practice" to use user roles.
  Let me clarify that our guest ssid's are using the http webpage pass through for authentication and it is really only the tic mark to indicate they understand the terms and conditions of using our internet as a guest service. No actual user accounts are used on the guest ssid's.
  ***One last question about this and any other changes***
  Will any change I make be on the "Foreign, Anchor" or both Controllers?