Access Point Switchport configuration for OOB NAC

Hello.
We have to implement Out of Band with WLC and NAC here; I have already checked this guide:
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml
But I have a little doubt. The document shown above does not specify which VLAN should be configured on the switch's access port facing the access points. Should I configure this with the trusted or the untrusted VLAN? I know all traffic from wireless clients goes to the WLC through a CAPWAP tunnel, but I am not really sure which access VLAN the access points should be in for the Out of Band deployment.
Greetings.

Just to add again to another one of Steve's posts :)  You don't want to put the AP traffic through NAC, but only the traffic for the wireless clients, which egresses out of the WLC.  So if your wireless clients are being placed in VLAN30 (just an example), you can have an untrusted layer 2 VLAN, VLAN29, which hits the NAC untrusted side and, if remediation is good, is then placed in VLAN30.  Makes sense?
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered".
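Scott's rule in the form of a check, added here as an example and not part of the original thread or of any Cisco tool: parse a switch running config, make sure every AP-facing access port stays out of the NAC untrusted VLAN (the AP's CAPWAP traffic has to reach the WLC without passing through NAC), and make sure the WLC trunk carries both the untrusted VLAN (29) and the trusted client VLAN (30). The sample config, the AP management VLAN 10, and the convention of recognising AP and WLC ports by the words "AP" and "WLC" in their descriptions are all assumptions.

```python
"""Check NAC out-of-band VLAN placement in an IOS switch config (added example).

Rule from the thread: only wireless-client traffic leaving the WLC goes through
NAC (untrusted VLAN 29, then trusted VLAN 30 after posture); AP-facing ports
must not sit in the untrusted VLAN. Sample config and VLAN numbers are assumed.
"""


def parse_interfaces(text):
    """Return {interface name: [sub-command lines]} from an IOS config dump."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif line.startswith(" ") and cur is not None:
            ifaces[cur].append(line.strip())
        else:
            cur = None  # back at global configuration level
    return ifaces


def vlan_set(spec):
    """Expand an allowed-vlan spec such as '10,29-31' into {10, 29, 30, 31}."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def check_nac_placement(config_text, untrusted=29, trusted=30):
    """Return a list of findings; an empty list means the VLAN plan is consistent."""
    findings = []
    for name, lines in parse_interfaces(config_text).items():
        desc = next((l for l in lines if l.startswith("description ")), "")
        words = desc.upper().split()  # assumption: AP / WLC appear in the description
        access = next((int(l.split()[-1]) for l in lines
                       if l.startswith("switchport access vlan ")), None)
        if "AP" in words and access == untrusted:
            findings.append(f"{name}: AP port sits in NAC untrusted VLAN {untrusted}; "
                            "AP/CAPWAP traffic must bypass NAC")
        if "WLC" in words:
            allowed_line = next((l for l in lines
                                 if l.startswith("switchport trunk allowed vlan ")), None)
            # No allowed-vlan line means the IOS default: every VLAN is carried.
            if allowed_line is not None:
                missing = {untrusted, trusted} - vlan_set(allowed_line.split()[-1])
                if missing:
                    findings.append(f"{name}: WLC trunk does not carry VLAN(s) {sorted(missing)}")
    return findings


# Constructed sample: one AP port wrongly in VLAN 29, one correct in VLAN 10,
# and a WLC trunk that forgot the trusted VLAN 30.
SAMPLE_SWITCH_CFG = """\
interface GigabitEthernet1/0/1
 description AP lightweight CAPWAP
 switchport mode access
 switchport access vlan 29
interface GigabitEthernet1/0/2
 description AP lightweight CAPWAP
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet1/0/24
 description WLC trunk
 switchport mode trunk
 switchport trunk allowed vlan 10,29
"""

if __name__ == "__main__":
    for finding in check_nac_placement(SAMPLE_SWITCH_CFG):
        print("FINDING:", finding)
```

Run against the sample it reports two findings (Gi1/0/1 in the untrusted VLAN, the WLC trunk missing VLAN 30); moving the AP port to VLAN 10 and adding 30 to the trunk clears both. The parser only understands the single-line `switchport trunk allowed vlan` form, not the `add`/`remove` variants.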

Similar Messages

  • Cisco 1242AG Access Point proper configuration

    Hello everyone,
    Here is the situation:
Recently we decided to create a small WLAN in our business. We chose the Cisco AIR-AP1242AG-E-K9 with 2x 2.4GHz 2.2dBi Swivel Dipole Antennas.
For better manageability a new routable VLAN (ID: 20) was added to our router with IP 192.168.55.1 and subnet mask 255.255.255.0.
Next, I made the following configurations in the autonomous AP through the web console:
    Static IP:192.20.10.35, SNET:255.255.254.0, GWY:192.20.10.200
    VLAN1 (Native) and VLAN20 (Radio0-802.11g) added into Services.
    I set the Encryption Mode to None for VLAN1 and Cipher AES CCMP for VLAN20
In Server Manager I defined a new RADIUS server 192.20.10.35 (the AP IP) and a shared secret and left the default ports for Authentication and Accounting (1645 and 1646). Also, in the Default Server Priorities section I set the Access Point IP (RADIUS server) 192.20.10.35 as Priority 1 for both EAP and MAC authentication.
In Local RADIUS Server General Set-Up, I added as the current network access server (AAA client) the same IP and shared secret that I used during the RADIUS server configuration above. In Enable Authentication Protocols I left only LEAP and MAC checked. Also, in the Individual Users section 2 new users were created with text passwords.
In SSID Manager a new hidden SSID was created for interface Radio0-802.11g, associated with VLAN20, and in the Client Authentication Settings section I left as the accepted method Open Authentication with MAC authentication and EAP. Also, I left the Use Defaults option for both EAP and MAC Authentication Servers in the Server Priorities section, and finally in the Client Authenticated Key Management section I chose Mandatory for Key Management and checked the Enable WPA option.
    I can ping both the AP and VLAN20 IPs from any PC which is a member of the native VLAN
As wireless clients I use 2 Motorola MC5574 with Windows Mobile 6.1 Professional. Both of them have a Jedi WLAN adapter configured with the following:
    IPs:192.168.55.10 and 192.168.55.11
    SNET:255.255.255.0
    GWY:192.168.55.1
    Also, a unique profile has been created on each one of them to be used for AP association-authentication. Each profile has been configured for WPA2 Enterprise with AES and LEAP and the predefined user credentials (those defined into AP for Individual Users)
    The problem:
Client association with the AP is always successful, but authentication fails and from the clients I can't ping the AP IP, the VLAN20 IP, nor each other.
What am I missing here? I'm sure that it is something quite simple, but although I tried several different setups (i.e. WPA2-PSK, WPA-PSK, even with TKIP) I always end up without a proper solution for the ping inability.
    Thank you in advance for any help

    Hello Madhuri,
    below is the latest run config output from the access point
Building configuration...
    Current configuration : 3743 bytes
    ! Last configuration change at 03:56:04 +0200 Sun Nov 28 2010 by Cisco
    ! NVRAM config last updated at 03:58:07 +0200 Sun Nov 28 2010 by Cisco
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname RCT_THP_AP1
    enable secret 5 $1$26u0$emaUzNvvihCCZeKeooQ8M0
    aaa new-model
    aaa group server radius rad_eap
     server 192.20.10.35 auth-port 1645 acct-port 1646
    aaa group server radius rad_mac
     server 192.20.10.35 auth-port 1645 acct-port 1646
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    clock timezone +0200 2
    ip name-server 192.20.11.2
    dot11 ssid RCTHP
       vlan 20
       authentication open mac-address mac_methods eap eap_methods
       authentication key-management wpa
    power inline negotiation prestandard source
    username Cisco password 7 00271A150754
    username 00236867a192 password 7 101E594B56414A5D5B057B7276
    username 00236867a192 autocommand exit
    username 00236867a19b password 7 091C1E5B4A534F445C0D557329
    username 00236867a19b autocommand exit
    bridge irb
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption vlan 20 mode ciphers aes-ccm
     ssid RCTHP
     channel 2462
     station-role root
     bridge-group 1
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    interface Dot11Radio0.20
     encapsulation dot1Q 20
     no ip route-cache
     bridge-group 20
     bridge-group 20 subscriber-loop-control
     bridge-group 20 block-unknown-source
     no bridge-group 20 source-learning
     no bridge-group 20 unicast-flooding
     bridge-group 20 spanning-disabled
    interface Dot11Radio1
     no ip address
     no ip route-cache
     shutdown
     no dfs band block
     channel dfs
     station-role root
    interface Dot11Radio1.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
    interface FastEthernet0.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    interface FastEthernet0.20
     encapsulation dot1Q 20
     no ip route-cache
     bridge-group 20
     no bridge-group 20 source-learning
     bridge-group 20 spanning-disabled
    interface BVI1
     ip address 192.20.10.35 255.255.254.0
     no ip route-cache
    ip default-gateway 192.20.10.200
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    snmp-server view dot11view ieee802dot11 included
    snmp-server community public view dot11view RO
    snmp-server contact IS
    radius-server local
      no authentication eapfast
      nas 192.20.10.35 key 7 03130807055F2C1F
      user motomob1 nthash 7 15315B29557B0D767E111074455E332022000F0D0A725C223B300C7A0E760A0371
      user motomob2 nthash 7 075E716D6C2F49514636532A5C0B0A067C1567003224335553047F0C710058263E
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.20.10.35 auth-port 1645 acct-port 1646 key 7 120E561B115B0157
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
    sntp server 192.20.10.2
    sntp broadcast client
    end
    Regards
    Vasilis
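A security-side check on an autonomous AP config like the one pasted above, added here as an example (it is not the poster's code and not a Cisco tool). `service password-encryption` applies only the reversible type 7 encoding, so every `password 7` / `key 7` string in a running config is recoverable by anyone who can read the config; the same config also exposes web management over plain HTTP (`ip http server` with `no ip http secure-server`) and the default SNMP community `public`. The script below decodes type 7 strings and flags those settings. Its sample lines are constructed (the well-known test vector `0822455D0A16`, which is `cisco`, plus a RADIUS key and SNMP line modelled on the post); it deliberately does not touch the strings the poster pasted.

```python
"""Audit an autonomous IOS AP config for reversible type 7 secrets and weak
management-plane settings (added example; sample lines are constructed).
"""
import re

# Fixed key used by the IOS type 7 obfuscation; it has been public for decades.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(enc):
    """'password 7' format: two-digit decimal seed, then hex bytes XORed with XLAT."""
    seed, data = int(enc[:2]), bytes.fromhex(enc[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data)).decode()


def encode_type7(plain, seed=8):
    """Forward direction, so the sample below can be built and checked offline."""
    data = bytes(ord(c) ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(plain))
    return "%02d%s" % (seed, data.hex().upper())


TYPE7_RE = re.compile(r"\b(?:password|key) 7 ([0-9A-Fa-f]{4,})\b")
WEAK_SNMP_RE = re.compile(r"^snmp-server community (?:public|private)\b")


def audit_ap_config(text):
    """Return findings as (severity, message) tuples; an empty list means nothing flagged."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.startswith("!")]
    findings = []
    if "ip http server" in lines and "no ip http secure-server" in lines:
        findings.append(("high", "web management over plain HTTP only; "
                                 "enable 'ip http secure-server' and disable 'ip http server'"))
    for line in lines:
        m = TYPE7_RE.search(line)
        if m:
            findings.append(("high", f"reversible type 7 secret in '{line.split()[0]} ...' "
                                     f"decodes to {decode_type7(m.group(1))!r}"))
        if WEAK_SNMP_RE.match(line):
            findings.append(("medium", f"default SNMP community string: {line}"))
        if line == "service password-encryption":
            findings.append(("info", "service password-encryption only hides secrets from "
                                     "shoulder-surfing; it is not encryption"))
    return findings


# Constructed sample modelled on the thread's config; 0822455D0A16 is the classic vector for 'cisco'.
_RADIUS_KEY = encode_type7("sh4red-s3cret", seed=12)
SAMPLE_AP_CFG = f"""\
service password-encryption
username admin password 7 0822455D0A16
ip http server
no ip http secure-server
snmp-server community public view dot11view RO
radius-server local
  nas 192.0.2.35 key 7 {_RADIUS_KEY}
radius-server host 192.0.2.35 auth-port 1645 acct-port 1646 key 7 {_RADIUS_KEY}
"""

if __name__ == "__main__":
    for severity, message in audit_ap_config(SAMPLE_AP_CFG):
        print(f"[{severity}] {message}")
```

The practical consequence for the config above: anyone who can read the running config (a TFTP backup, a forum post, a shared screen) holds the RADIUS shared secret and the local passwords, so those values should be rotated after being exposed, and `enable secret` (type 5) or the newer type 8/9 hashes used wherever the platform allows.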

  • Access Point Bridge Configuration

I have two 1262N access points with 5GHz antennas, and I have configured one of them as a root bridge and the other as a non-root bridge, both using the same SSID.  I have enabled both dot11Radio interfaces on each access point.  The problem I am having is that they do not associate.  I have not configured them for any encryption or security; I just want to make sure they connect before I add any other configuration.  Is there anything else that I need to configure to make them associate?

    Wrong forum, post in "wireless". You can move your post using the actions panel on the right.

  • AP541 Access Point Best config for multiple VAPS Advice

    Hi
I have several AP541s (on different site locations) which I have currently configured for WPA Enterprise using Windows 2008 as the RADIUS server. This works fine for staff members who use the wireless when roaming around the offices.
I would also like to set up another VAP for guests to allow them to access our internet but nothing else on the network. I was wondering what approach would be the best one to adopt to achieve this. Would I be best to set up a WPA Personal VAP and allow guests to access the wireless this way? Or is there a better approach? If we did adopt this approach I presume this would mean that we have to log onto each AP in turn and then change the WPA key on each one every time we decide to change the key? Or is there some clever software I could use to change them all in one go?
    Any help would be appreciated
    Thanks
    Colin

    Hello Simon,
I would keep them all in Access Point mode if you are planning on having them all hardwired into your network. That is the best setup.
As for Wireless WDS Repeater or Wireless Client/Repeater, you would use these features if you are trying to extend your wireless signal to a certain location in your building but you are not able to run an Ethernet cable to that location. So all you would do is power up the WAP4410n and it will help increase the wireless signal in that location if set in repeater mode. The drawback to this is it will cut your throughput by half.
Wireless WDS Bridge: you would use this feature if you want to extend your network to a location where you are not able to run an Ethernet cable. Once you set up the bridge you would place it in the location where you want to extend your hardwired network. If you plug a PC into the Ethernet port on the bridged WAP then you should be able to pull an IP address from the main network. When set in this mode it will not broadcast a wireless signal, so you will not be able to connect wirelessly to the device once it is in Wireless Bridge mode.
Wireless Monitor: not sure about this feature, never used it.
Also keep in mind that these devices will usually only bridge or repeat with themselves and not with other devices.
If you want to start adding VLANs in the future you will need to stick to Access Point mode, since that mode will allow you to set up more than one VLAN the WAP can look out for. If you use the repeater or bridge mode feature you will only be able to use 1 VLAN.
    I hope that helps you out!
    Thanks,
    Clayton Sill

  • What is the recommended access port QoS configuration for 8900/9900 video enabled phones

    Hi all,
We are currently starting to roll out some video enabled 9900 and 8900 phones in our network. In the past we did not use video and configured the access ports on our Catalyst 2960 switches with "auto qos voip cisco-phone". This however creates a policy which does not include a class-map to correctly handle the AF41 video traffic coming from those phones. I have thought about extending the auto QoS policy with an AF41 class-map but am not sure if this is the right way to do it.
    That's what I have in mind:
class-map match-all AUTOQOS_VIDEO_DATA_CLASS
      match ip dscp af41
    class-map match-all AUTOQOS_VOIP_DATA_CLASS
      match ip dscp ef
    class-map match-all AUTOQOS_DEFAULT_CLASS
      match access-group name AUTOQOS-ACL-DEFAULT
    class-map match-all AUTOQOS_VOIP_SIGNAL_CLASS
      match ip dscp cs3
    policy-map AUTOQOS-SRND4-CISCOPHONE-POLICY
     class AUTOQOS_VOIP_DATA_CLASS
      set dscp ef
      police 128000 8000 exceed-action policed-dscp-transmit
     class AUTOQOS_VIDEO_DATA_CLASS
      set dscp af41
      police 1500000 8000 exceed-action policed-dscp-transmit
     class AUTOQOS_VOIP_SIGNAL_CLASS
      set dscp cs3
      police 32000 8000 exceed-action policed-dscp-transmit
     class AUTOQOS_DEFAULT_CLASS
      set dscp default
      police 10000000 8000 exceed-action policed-dscp-transmit
    How do you guys do it ? Is there some documentation for this ? 
    Thank you for your kind help
    best regards
    Andreas

    Hi
You have to keep this table in mind. Your configuration is fine if it is for SD video, but for HD video it is not OK; you have to raise the video bandwidth to at least 5M.
    Traffic Type             Layer 2 CoS   Layer 3 IP Precedence   Layer 3 DSCP
    Voice RTP1               5             5                       EF
    Voice control            3             3                       AF31
    Video conference         4             4                       AF41
    Streaming video (IP/TV)  1             1                       AF13
    Data                     0-2           0-2                     0-AF23
    *Interactive Video "AF41" - Sensitive but can tolerate packet loss of about 1% and latency almost the same as voice.
    *Streaming Video "AF13" - Less sensitive - can tolerate about 4-5% packet loss and latency of about 4-5 seconds.
    *HD video conference will require between 5M and 16M, but SD video conference will use 384K to 1M.
    Note: For video QoS, if you assume that your video conference will use around 384K, you have to add 20% because video conference includes voice, so the total bandwidth is 460K.
    Kindly check the below link
    http://www.sdcug.com/wp-content/uploads/2011/04/Campus-QoS-for-Voice-and-Video.pdf
    Thanks
    please rate all useful information

  • Which access point is better for hospital environments?

    Folks,
I have a customer in a hospital who requires wireless deployed everywhere. The fact is, the customer is budget conscious, so I designed it in such a way as to place the APs in corridors, so that wireless coverage could get inside the rooms, but the doors are fire-proof, which blocks RF.
What are the best practices in deploying APs in a hospital? For example, is it safe to install APs next to a Medical Imaging Room or other devices which may cause interference?
    Which model is suitable for this sort of installation?
    Thanks,
    SID

    Hi SID,
Please consider in your budget a Wireless LAN Site Survey. A WLAN site survey will allow you to better understand WHERE to deploy your APs and HOW MANY APs to deploy. When deploying APs, also bear in mind AP failures. You can address this either by keeping "spare" stock or by putting additional APs per floor, so that when an AP fails the WLC will recalculate and increase the transmission power to cover the loss of an AP.
    In regards to what models to buy, I'd recommend looking at the 1140 or the 1250. These AP's are geared up for Draft N (2.0 Ratified).
    For AP's that are geared up for 802.11N (Draft 2.0):
    Data Sheet Cisco Aironet 1140 Series Access Point
    http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps10092/datasheet_c78-502793.html
    Data Sheet Cisco Aironet 1250 Series Access Point Data Sheet
    http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps6973/ps8382/product_data_sheet0900aecd806b7c5c.html
If you are going to choose the 1250, note that the antennas are optional. Here's some information regarding them.
    Antenna Product Portfolio for Cisco Aironet 1250 Series Access Points
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/at_a_glance_c45-513837.pdf
    The AP1250, when operating with 2 radio modules on Autonomous IOS, requires a minimum of 18.5 watts (ePoE). So you'll need either a Power Injector or PoE switch that will support enhanced PoE such as the 3560-E or 3750-E.
    Cisco Nurse Connect Solution
    http://www.cisco.com/web/strategy/docs/healthcare/nurse_connect_aag.pdf
    Hope this helps.

  • E71 Access Point Choice Mail for Exchange

    I am used to using the iPhone where whenever you go somewhere, the phone detects available networks and you choose the one you want to connect to. I don't understand why in Mail for Exchange you must define an access point. Is there a way to have the access point selected whenever you enter a new area? And when there is no wireless network available, should it automatically use the GPRS network?
    Thank you.

I would have to agree with you on that; it's my one and only complaint about the current S60 software. Just about all other platforms offer this function, and Nokia used to with connection groups.

  • Access Point 1240 Support for BBSM5.3

    Hello,
I have 3 AP 1240s to install with BBSM 5.3, but when I add the access point to the BBSM, the BBSM does not recognise it as a valid access point.
Does anyone know in which version of BBSM the AP1240 is supported?
    Thanks

    Hello there,
    I have a customer who has a BBSM 5.3A which is running the latest patch (5332) and it cannot discover 1242 series AP's as valid network elements. They get the following:
    2009/01/07 12:01:53 Pinging X.X.X.X...
    2009/01/07 12:01:53 X.X.X.X is ACTIVE
    2009/01/07 12:02:18 X.X.X.X: not a Network Element or SNMP password is not ******
    2009/01/07 12:02:18
    2009/01/07 12:02:18 Pinging X.X.X.X...
    2009/01/07 12:02:23 X.X.X.X: no response
    2009/01/07 12:02:23
    2009/01/07 12:02:23 Pinging X.X.X.X...
    2009/01/07 12:02:23 X.X.X.X is ACTIVE
    2009/01/07 12:02:47 X.X.X.X: not a Network Element or SNMP password is not ******
    2009/01/07 12:02:47
    2009/01/07 12:02:47 Pinging X.X.X.X...
    2009/01/07 12:02:47 X.X.X.X is ACTIVE
    2009/01/07 12:03:12 X.X.X.X: not a Network Element or SNMP password is not ******
    2009/01/07 12:03:12
    2009/01/07 12:03:12 Pinging X.X.X.X...
    2009/01/07 12:03:12 X.X.X.X is ACTIVE
    2009/01/07 12:03:37 X.X.X.X: not a Network Element or SNMP password is not ******
They have assured me that the SNMP info is correct, as they have checked it several times, but the BBSM still doesn't recognise the 1242s. I know that the document link above specifies that 1200s are supported, but doesn't Cisco class the old 1200s, 1230s and 1242s as different? Also, the BBSM didn't recognise some of their 2960-24 switches as valid network elements either, but they selected the object type themselves from the list.
    Thanks in advance.
    Leigh

  • HWIC-AP-AG-A, Access Point HWIC Configuration

    Hi All,
    I have a Hwic-AP-AG-A  in my 2811 Router. However I don't know how to configure this particular Model.
    Can anyone assist ?
    Cheers
    WIC Slot 1:
            Dual Band 802.11 A+B/G Radio Access Point HWIC
            PCB Serial Number        : FOC09363ZMA
            Hardware Revision        : 1.0
            Part Number              : 73-9388-03
            Board Revision           : A0
            Top Assy. Part Number    : 800-25210-01
            Deviation Number         : 0
            Fab Version              : 03
            CLEI Code                : IPUIANDRAA
            RMA Test History         : 00
            RMA Number               : 0-0-0-0
            RMA History              : 00
            Product (FRU) Number     : HWIC-AP-AG-A

    Go to:  https://supportforums.cisco.com/thread/2028286

  • Cisco 1242AG Access Point backup configuration

    Hi everyone,
Is there any way to export the running or startup configuration of the access point in a way that I'll be able to reload it in case something goes badly wrong?
    Thx
    VP

If you want to manually send a copy of your startup or running config to your TFTP server you can use the command (based on IOS version):
    sh start | redirect tftp:///filename.extension
Note:  The first time you download the file to your TFTP server, do not use Notepad to open it (because Notepad can't understand UNIX carriage returns).  Open the file using WordPad and save it.  The next time you can use Notepad.

  • Access Point Specific Configurations

    Hi All,
just a rule-of-thumb question...
    If I had a two-controller scenario with some AP-specific configurations, for example AP group VLANs, and one controller fails, the APs move to the other controller. What about the specific config? Assume that the controller config (dynamic interfaces, let's say) is correct.
    Any Hint Welcome
    BR, Michael

If you keep the specific configurations the same on both controllers (in this example, if the backup controller has the same AP groups, SSID configuration and the same dynamic interface names as the primary controller), then when the AP joins the backup controller it will be put into the same AP group and everything stays the same for the AP. You don't have to configure APs on different controllers. You only need to specify the primary controller, backup controller and AP group for the AP from WCS.

  • 871 Switchport Configuration for Phone and Data

I am having a problem connecting my 7960 to a switchport of my 871 (12.3(14) Advanced IP Services). When configured as shown, the phone is correctly placed into VLAN 3, but a PC plugged into the phone does not end up in VLAN 800, but rather VLAN 1.
    interface FastEthernet1
     switchport access vlan 800
     switchport mode trunk
     switchport voice vlan 3
     switchport priority extend trust
    If I remove "switchport mode trunk", the phone ends up in VLAN 800.
    What is the proper configuration on this 871 to have the phone in VLAN 3 and the PC plugged into the phone in VLAN 800?
    Thanks.

    Hi,
    The only thing you need to change is to add the command "switchport trunk native vlan 800"
The reason the PC is showing up in VLAN 1 is that VLAN 1 is the default native VLAN for the trunk, and thus the only VLAN that is untagged. Since the PC doesn't understand dot1q tagging, its DHCP requests will wind up being received in VLAN 1 on the switch. Once you change the native VLAN to 800, the PC should correctly connect in VLAN 800.
    HTH,
    Bobby

  • Switchport Configuration for NEC Phones

Having an issue setting up a switch for NEC IP phones.  If I use something like this:
    int gi 0/23
     description Phone and PC, no hubs
     switchport mode access
     switchport access vlan 10
     switchport voice vlan 5
     spanning-tree portfast
     lldp transmit
     lldp receive
    The phones boot up fine, but get IPs from the DHCP pool for VLAN 10.  My PC behind that also gets an IP in VLAN 10.  I went to a test phone and enabled CDP, and when I went back to my switch I saw the phone in CDP neighbors, but the phone still grabbed the IP from the other VLAN.  If I manually key in the VLAN on the phone it gets the correct IP and the PC behind it gets the correct IP as well.  Just wondering if there is a better way to go about this as they are deploying 150 phones.

    Have a look at table-10 and make sure you have configured all the options (150, etc.) correctly.
    http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/5_0_4/ccmcfg/b02dhsrv.html#wp1050520
    HTH

  • 802.1x access points using ISE for trigger

We are deploying APs with 802.1x ports. We do not want to have static AP ports. When plugged into a switch port with 802.1x configured, the AP does not kick up the smart port trigger. How do I link the trigger from ISE to send the response for the trigger on the switch to reconfigure the switchport for an AP?
    thanks,

    Hello,
    Please check this link for "802.1x using Cisco ISE", it may help you in this.
    https://supportforums.cisco.com/docs/DOC-29409

  • How can i access web sites configured for internet explorer?

I try to access web sites that work with Internet Explorer from my Mac and cannot load the home page.  How can I access these pages?

    Not sure if you're using a different browser than Safari. If not try Firefox or Chrome.
