Acs 5.3 and wlc 2504 config with restricted network access

Hello,
I submit to you the following issue that I'm currently facing:
I must configure a secured wireless network with access restriction based on SSID. The equipment is: Cisco WLC 2504 (software 7.3) and Cisco Secure ACS appliance 1121 (software 5.4).
The users that will connect to the network are grouped into identity groups, each identity group having its own SSID. Clearly, each group of users must access only one SSID.
I followed the procedure below to configure it:
- creating user identity groups;
- creating users and assigning them to the groups;
- creating authorization profiles for each SSID under Policy Elements / Authorization and Permissions / Network Access / Authorization Profiles and putting the Airespace-Wlan-Id (the SSID number) in the RADIUS tab;
- assigning the authorization profiles to the identity groups under Access Policies.
After all this configuration the users can access the network using their configured userid/password. But the problem is that every user can access every SSID; it seems like the restriction is not very well configured.
I found some documentation on this kind of config, but the version of ACS used seems older than the one I use, so the menus are very different.
Please, can someone provide the right steps to follow to achieve this kind of config?
Thanks in advance

Yes.. you only have to add the end filter like what I posted... as far as the calling station id in the WLC security tab, it doesn't matter because that is not used when using 802.1x.  I would also try to not enable everything that you have, just to start from the basics and make sure it works first.  The WAP Authentication Method might or might not work for you.  Uncheck that for now and when you have a successful authentication, look at the monitor log and see what RADIUS attributes are being sent, because those attributes are what you can use to build your policies.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
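To make Scott's point concrete (build the policy condition on the attributes the WLC actually sends, rather than only returning Airespace-Wlan-Id from the authorization profile), here is an added Python illustration that is not from this thread and not Cisco ACS code: it decodes the Airespace-Wlan-Id VSA (vendor 14179, attribute 1) from a constructed Access-Request and contrasts a return-only profile with a rule that matches the request's WLAN id against the user's identity group, default deny. The user names and the group-to-WLAN mapping are constructed for the example.

```python
import struct

# RADIUS packet codes and attribute numbers (RFC 2865), plus the Airespace
# vendor-specific attribute the WLC includes: vendor id 14179, Wlan-Id = 1.
CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_VENDOR_SPECIFIC = 1, 26
AIRESPACE_VENDOR_ID, AIRESPACE_WLAN_ID = 14179, 1

# Constructed identity store and policy for the example (not real users):
# each identity group is allowed exactly one WLAN id (the SSID number).
IDENTITY_GROUPS = {"alice": "Finance", "bob": "Engineering", "carol": "Guests"}
GROUP_WLAN = {"Finance": 1, "Engineering": 2, "Guests": 3}


def build_access_request(user, wlan_id, ident=1):
    """Build a minimal Access-Request like the one a WLC sends: User-Name plus
    the Airespace-Wlan-Id VSA. The Request Authenticator is zeroed because this
    is a constructed sample, never a packet to put on the wire."""
    user_b = user.encode()
    attrs = bytes([ATTR_USER_NAME, 2 + len(user_b)]) + user_b
    vsa = struct.pack("!IBBI", AIRESPACE_VENDOR_ID, AIRESPACE_WLAN_ID, 6, wlan_id)
    attrs += bytes([ATTR_VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + bytes(16) + attrs


def parse_attributes(packet):
    """Decode the attributes an authorization rule can match on. Malformed
    lengths raise instead of being skipped over."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs = {"Code": code}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_USER_NAME:
            attrs["User-Name"] = value.decode("utf-8", "replace")
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if (vendor == AIRESPACE_VENDOR_ID and vtype == AIRESPACE_WLAN_ID
                    and vlen == 6 and len(value) == 10):
                attrs["Airespace-Wlan-Id"] = struct.unpack("!I", value[6:10])[0]
        pos += alen
    return attrs


def authorize_return_only(attrs):
    """What the original configuration amounts to: any known user is accepted
    and the profile merely returns the group's Airespace-Wlan-Id. Nothing
    compares it with the WLAN the client is actually associating to."""
    group = IDENTITY_GROUPS.get(attrs.get("User-Name"))
    if group is None:
        return CODE_ACCESS_REJECT, "unknown user"
    return CODE_ACCESS_ACCEPT, "returns Airespace-Wlan-Id=%d" % GROUP_WLAN[group]


def authorize_with_condition(attrs):
    """Rule that conditions on the request: permit only when the WLAN id the
    WLC reported equals the one the user's identity group is allowed; default
    deny for everything else (missing attribute, unknown user, wrong SSID)."""
    if attrs.get("Code") != CODE_ACCESS_REQUEST:
        return CODE_ACCESS_REJECT, "not an Access-Request"
    user, wlan = attrs.get("User-Name"), attrs.get("Airespace-Wlan-Id")
    if user is None or wlan is None:
        return CODE_ACCESS_REJECT, "User-Name or Airespace-Wlan-Id missing"
    group = IDENTITY_GROUPS.get(user)
    if group is None:
        return CODE_ACCESS_REJECT, "unknown user"
    if GROUP_WLAN[group] != wlan:
        return CODE_ACCESS_REJECT, "%s (%s) not permitted on WLAN %d" % (user, group, wlan)
    return CODE_ACCESS_ACCEPT, "%s (%s) permitted on WLAN %d" % (user, group, wlan)


if __name__ == "__main__":
    # alice (Finance, WLAN 1) associating to WLAN 2: the return-only profile
    # accepts her, the conditioned rule rejects her.
    req = parse_attributes(build_access_request("alice", 2))
    print("return-only:", authorize_return_only(req))
    print("conditioned:", authorize_with_condition(req))
```

The same decoded attributes are what the ACS monitor log shows for a real request, which is where Scott suggests checking that Airespace-Wlan-Id is actually present before writing the rule.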

Similar Messages

  • Set up a mixed platform wifi sub-network with restricted network access

    Hi,
    We're considering a Time Capsule for our office, but we've never used one and have a few questions about whether the TC can accomplish what we want to do.
    Our office is in a private suite that shares a wifi network with other private suites on the same floor. In our suite we have two immediate needs - a shared private (sub)network backup hard drive and shared network printer(s). We have a mix of OSX and Windows computers that will be on our suite's network.
    *Here's what we'd like to try:*
    1) Connect the Time Capsule to the wired LAN on our office floor's network.
    2) Connect our computers to the office floor's network, wirelessly through the Time Capsule.
    3) Connect our printer(s) to the Time Capsule for wireless printing.
    *Additionally we want to:*
    1) Block other office floor network users from accessing/seeing our office suite's Time Capsule Hard Drive.
    2) Block other office floor network users from using/seeing our Time Capsule networked printer.
    I know that we could easily connect everything with the Time Capsule and set it up as a separate network. But then we have to move from our suite's wifi to the Time Capsule network every time we want to print or access the TC backup - not ideal.
    Any ideas are greatly appreciated!

    Never mind. Picked up a TC and got everything worked out and running perfectly.

  • WCS and WLC WLAN Config not fully in sync

    Hi,
    We're facing the issue WCS and WLC WLAN Config is not fully in sync. WLC  showing server 1 is IP:10.160.22.151, Port:1812 but WCS server showing none even  after click on “Audit” button. Any idea how to resolve this issue? Is this causing any wireless problem? Attached is screen captured. Thanks for your help.

    You mentioned "audit". Have you done a WCS audit so the WLC and WCS are in SYNC?
    If you make a change on the WLC you will not see it in WCS UNLESS they are SYNC. You will see the term "mismatch".
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • C3850 WLC enabled and WLC 2504, which one should be Primary controller.

    I have 2 designs to make a better solution, please advise me.
    I have C3850 and WLC 2504.
    1. I will use C3850 as mobility controller (MC) and mobility agent (MA) for WLC 2504. Does it work? or
    2. I will use WLC 2504 as MC and MA for C3850.
    Can I do both of design?
    Which one is better?
    Please recommend me a solution.
    Thank you in advance.

    Hi
    2504 (or any legacy WLC) itself has MC/MA & we cannot separate that role on it. You can separate MC & MA functionality in Converged Access product platforms (3850/3650) only.
    Therefore here are the answers to your queries:
    1. You can have a 3850 with MC/MA functionality. But your 2504 will be a separate controller in your mobility domain. You can allow roaming between these two systems by configuring them as mobility peers. You cannot register 3850-connected APs to any other controller than the 3850 WLC itself. So you cannot use these two different systems as high availability for APs.
    You need to have min 7.6.x  on your 2504 in order to configure mobility between 2504 & Converged Access system.
    Here is a reference post how you configure roaming between 5508 & Converged Access MC (5760/3850/3650)
    http://mrncciew.com/2014/05/06/configuring-new-mobility/
    2. None of the documents listed the 2504 could act as MC for 3850/3650(MA). So my understanding is you should have 5760/5508/WiSM2/8500 as MC. But you can test it & see whether 2504 could act as MC which I doubted.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • WLC 2504 problems with one IP address range

    I am having an interesting issue configuring a new 2504.
    How it is setup:
    Port 1 management with vlan tagging on vlan 111
    Port 2 trunking with ap-manager2 on vlan 3, 102 on vlan 102 (Not ap-manager), and 1001 on vlan 1001.
    All of the vlans have distinctive and unique IP ranges. Vlan 111 is running 172.16.128 /20, 102 is 172.19.252 /23 and vlan 1001 should be running 172.17 /16.
    Here is my problem. I can set up all of the dynamic interfaces on the appropriate IP ranges, but for some reason when I configure the 1001 vlan dynamic interface with the /16 address space, I lose connectivity to the GUI management interface. I have to go in through the CLI and remove the interface or change the IP range. I have tried other /16 address spaces on that vlan and do not have a problem with them. The 172.17 space appears to be the only one that will not work.
    I have attached the config from the controller (minus some site-specific stuff like the SNMP community and WPA stuff). The config is using a 172.20 /16 right now on the 1001 interface so that I could get into the controller and download the config. It should be 172.17 /16. The actual IP info should be 172.17.4.253 255.255.0.0 172.17.0.254
    My computer is on the 1001 vlan and I have verified the IP is not in use and am using the same subnet, gateway etc as I am trying to configure the wlc with.
    Switch config:
    Port 1 is plugged into g0/2 with the following config
    interface GigabitEthernet0/2
    switchport trunk allowed vlan 1,3,102,111,1001
    switchport mode trunk
    spanning-tree portfast
    Port 2 is plugged into fa0/47 and just has switchport mode trunk.
    How can I get the interface to work with the proper IP range for vlan 1001?

    I finally had a chance to fiddle around with this issue again and have some more information on the problem. It appears to not be an issue with the IP address, but rather with the VLAN. The 172.17.0.0/16 subnet is on VLAN 1001 which it appears the WLC does not care for. This problem is repeatable on the following versions of code that I have tried:
    7.0.220.0
    7.1.91.0
    7.4.110.0 (Not in use for production until we upgrade from WCS to Prime.)
    Any thoughts? Moving the 1001 VLAN to another number would be a HUGE undertaking so if there is not an answer within the firmware on the WLC, I will have to bridge two VLANs with bpdufilter enabled... Not my first choice for sure...

  • Savant and WLC 2504

    The customer have 1x WLC 2504 and 7x AP 3502i.
    He is installing an automation system called Savant; this system uses the Bonjour protocol to discover the services on the network.
    I've configured the multicast group on the controller and switch (SG300) with IP 239.xxx.xxx.xxx, but Savant (on the iPad) doesn't find the service.
    Has somebody gone through a similar scenario?
    I've used this document: http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_tech_note09186a0080bb1d7c.shtml
    PS: The customer doesn't have VLANs
    Best regards.

    #Disable mdns/bonjour on wlc. place the WLC Management and AP vlan on same subnet. keep the savant server and iphone on same wlan and try.
    #WLC 2500 supports only Multicast to Multicast for AP mode, be sure that wired side Multicast is configured properly and working.
    #Try with any standard app to verify bonjour and AP mode multicast works.
    #it is possible there may be any specific string that require to be added onto bonjour profile for savant to work. do debug mdns all enable and see what is missing.
    it is suggested to open TAC case for troubleshooting.

  • WLC 2112 and WLC 2504

    This might be a really stupid question but I need to ask just so that I get a definitive answer. I have a customer that is using a WLC 2112 and has maxed out the licenses for the WLC. I have suggested for him to purchase a 2504 with 30 or 40 licenses to replace the existing 2112. He doesn't want to purchase 30 to 40 licenses and doesn't want to remove the 2112 from the network environment. He would rather purchase a WLC 2504 with 15 licenses and just add that into the network.
    My question is, will there be a problem running a 2504 and a 2112 on the same network? Or can I just make one a primary and one a secondary?

    That should be fine. Just make sure the WLCs are running the same code version and everything should work fine. This is required for APs failover from one WLC to another. You don't want the APs upgrading or downgrading code versions every time the ap moves from the primary to the secondary WLC.
    Sent from Cisco Technical Support iPhone App

  • Can unlocked iphone 5s be purchased in the U.S. and used in China with local networks?

    I was told that China is working with different network standards regarding mobile phones, so I was wondering if I could buy an unlocked iphone here and use it with a Chinese simcard (which are also different sizes...?)
    How would it work?
    Thanks!

    Hello Katze30,
    Thanks for using Apple Support Communities.
    To unlock your iPhone from your current carrier please follow the steps in the article below.
    iPhone: About unlocking
    http://support.apple.com/kb/HT5014
    Take care,
    Alex H.

  • ACS 5.3 - 11033 Selected Service type is not Network Access

    I have some older devices on the network that only support RADIUS (not TACACS) for authentication and would like to have them use SecureACS 5.3 
    I understand that by default, ACS only supports TACACS for device administration.  So I'll get this error when trying RADIUS:
    11033 Selected Service type is not Network Access
    Description:
    RADIUS requests can only be processed by Access Services that are of type Network Access
    Resolution Text:
    Verify that the Service Selection Policy rules are correct
    However, even after adjusting the Service Selection rules and seeing hits, I still see the same message in the logs, as if it has no effect.  Any ideas?

    If you use the protocol as radius you can not use a device admin service. You can only use network access. That will allow you for authentication to the devices.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Request help with restricting site access

    I have posted before, and received a mix of condescension and
    such, but I am okay with that. I know very little about web design,
    but I am willing to learn.
    I built a website for my lab (home.uchicago.edu/~beilock) and
    the professor for whom I work would like a password protected
    portion of the site. Previous advice led me to try PHP/MySQL (for a
    newbie like me, these terms were foreign), and I downloaded and
    followed all of Dreamweaver's help section and to no avail (it says
    cannot connect to FTP host)...and I have tried many things to fix
    that, but could not.
    Anyway, so this post is for multiple purposes. 1.
    Opinions/Advice on the website; 2. Solutions to my connection
    problem; 3. simpler alternatives to making a site restricted (I
    know nothing of ColdFusion, but if it is easier, please let me
    know)
    I don't mind being condescended to or berated if you help me
    out successfully, in fact, let that be your motivation.
    Any help appreciated,
    Jamie

    Use ColdFusion, it is the best out there / quick and easy to
    learn. Check out easycfm.com (they have a great tutorial about
    security and restricting access) and post any questions there or on
    the Adobe ColdFusion forum.
    If you don't know anything then the quickest language to
    learn is ColdFusion. You then have to decide if you are going to
    use an Access database or MySQL. If it is a huge site use MySQL, if not
    use Access. Access is like Excel and is easy to use; with MySQL you will
    need to use a program like Navicat (google it) to connect to the db
    and be able to display it like Access. They both come with nearly
    all hosts. Whoever does your hosting, ask them how to connect via FTP.
    You will need a username, password and hostname as a minimum. I
    imagine you aren't trying to connect to RDS at this stage; most hosts
    don't allow this (remote development).
    Well, good luck!!

  • Prime Infrastructure and WLC 2504 N+1 config synchronization

    I've set up 2 Cisco 2504 WLCs in an N+1 configuration, before we purchased Prime Infrastructure.  Now I'm trying to synchronize the configurations between the two devices in PI.  I've set up a configuration group, and it seems using templates will keep the configuration synchronized between the two devices.  Is it possible for PI to automatically create the templates based on the current configuration of the device?  Plus, with PI 2.1 it seems like I have to create a template for every section of the configuration; shouldn't there be just one large template that has all the configurations?

    Yes, you should be able to discover templates from the WLC
    HTH,
    Steve

  • WLC 2504 - Issue with using Microsoft NPS for Radius Management Login

    Hello,
    In our environment we like to have our network admins and engineers use their Active Directory credentials when logging into devices so we can log who logged into which devices and if any changes were made. To do this we use a Server 2008 R2 NPS server with all our routers, switches and ASA's. We recently purchased a WLC to begin adding wireless to our environment. (See WLC_Radius_Config.png and NPS_Radius_Config.png)
    On the WLC, I am able to authenticate in using my AD credentials but when I go to apply any config changes I get a message saying "Authorization Failed. No sufficient privileges." (See error.png) I have a feeling I am missing something small but this is very important to us.
    I checked the Radius server and there are no login errors or NPS errors pointing to the WLC logins. Has anyone else run into this issue or know what I can do to solve it? 
    Thanks,

    Hi Kyujin,
    I wish I had finished my guide.  Didn't realize it would take this long.
    But what I meant is that when adding the attributes to my NPS (Microsoft's Network Policy Server) I only had to add the role and virtual domain if using Prime Infrastructure.
    If you use NCS, you have to add the role, all the tasks, and the virtual domain.
    See the screenshots and see if that helps explain it.  Not sure how TACACS will work as I'm not familiar with it.
    Microsoft NPS - Attributes for NCS
    Microsoft NPS - Attributes for PI

  • Cisco Trustsec using only ACS 5.2 and a 65k SXI with 802.1X

    Hi
    I hope that this is the correct place for this Q.
    I have set up an ACS 5.2 server and enabled 802.1X authentication on a 65k running SXI5, as per the following section: Assigning SGT Using IEEE 802.1X User Authentication
    The link can be found below;
    http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/guide_c07-608226.html
    I can successfully get a PC to authenticate using dot1x and, according to the monitoring on the ACS box, the SGT is passed to the 65k; however when I do a "sho cts role-based sgt-map all", I can't see the SGT passed to the 65k. Is this because I don't have a Nexus to create the SXP link to?
    Sorry if this is a noddy Q, but I'm trying to do my best to get to grips with trustsec, but not having a 7k means I'm really struggling.
    many thanks

    Hi Nicolas
    Thanks for taking the time to respond. Although Nexus is needed, if a device authenticates using 802.1x and this is configured for SGT, should the SGT configuration not update on the 65k? This is something that I would presume would happen without the need for the Nexus.
    Once again, sorry if this is vague and a very newbie Q.
    Many thanks

  • Adding (dynamic) interfaces to WLC 2504 causes loss of network

    I'm trying to add a new dynamic interface that I will tie a specific WLAN to, so that clients on that WLAN are in the correct vlan. After adding it I lose connectivity both to the main management address (10.99.0.60) and to the IP address of the dynamic interface (10.99.12.4). In fact, the dynamic interface address responds and prompts me to log in, but after doing so all I get is a blank page. Here are the two interfaces pulled from the CLI - what am I doing wrong?
    And oh, not adding an IP to the dynamic interface makes it impossible to use within a WLAN.
    Interface Name................................... management
    MAC Address...................................... c0:8c:60:c7:99:00
    IP Address....................................... 10.99.0.60
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 10.99.0.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 31        
    Quarantine-vlan.................................. 0
    Active Physical Port............................. 1         
    Primary Physical Port............................ 1         
    Backup Physical Port............................. Unconfigured
    DHCP Proxy Mode.................................. Global
    Primary DHCP Server.............................. 10.99.0.1
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    IPv4 ACL......................................... Unconfigured
    mDNS Profile Name................................ Unconfigured
    AP Manager....................................... Yes
    Guest Interface.................................. No
    L2 Multicast..................................... Enabled
    Interface Name................................... lan
    MAC Address...................................... c0:8c:60:c7:99:04
    IP Address....................................... 10.99.12.4
    IP Netmask....................................... 255.255.252.0
    IP Gateway....................................... 10.99.12.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 33        
    Quarantine-vlan.................................. 0
    NAS-Identifier................................... mob-wlc
    Active Physical Port............................. 1         
    Primary Physical Port............................ 1         
    Backup Physical Port............................. Unconfigured
    DHCP Proxy Mode.................................. Global
    Primary DHCP Server.............................. Unconfigured
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    IPv4 ACL......................................... Unconfigured
    mDNS Profile Name................................ Unconfigured
    AP Manager....................................... No
    Guest Interface.................................. No

    So take a look at this. I have the dynamic interface used in wlan 2 (mytestssid as shown above). Now the management address, 10.99.0.60, can't be reached:
    Nmap scan report for 10.99.0.60
    Host is up.
    PORT    STATE    SERVICE
    22/tcp  filtered ssh
    443/tcp filtered https
    After removing wlan 2 and the dynamic interface, mgmt access starts to work again:
    config wlan disable 2
    config wlan delete wlan 2
    config interface delete lan
    Nmap scan report for 10.99.0.60
    Host is up (0.0037s latency).
    PORT    STATE SERVICE
    22/tcp  open  ssh
    443/tcp open  https
    So... here's me adding the dynamic interface in cli AGAIN:
    WLAN ID  WLAN Profile Name / SSID               Status    Interface Name
    1        someotherssid / someotherssid              Enabled   management  
    (Cisco Controller) config> interface create lan 33
    (Cisco Controller) config> interface address dynamic-interface lan 10.99.12.4 255.255.252.0 10.99.12.1
    (Cisco Controller) >config wlan disable 1
    (Cisco Controller) >config wlan interface 1 lan
    (Cisco Controller) >config wlan enable 1
    Voila, management access lost again:
    Nmap scan report for 10.99.0.60
    Host is up.
    PORT    STATE    SERVICE
    22/tcp  filtered ssh
    443/tcp filtered https
    This time, there's no physical port assigned to the dynamic interface 'lan':
    Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
    lan                              -    33       10.99.12.4      Dynamic No     No   
    management                       1    31       10.99.0.60      Static  Yes    No   
    virtual                          N/A  N/A      1.1.1.1         Static  No     No   
    Adding that:
    (Cisco Controller) config interface port lan 1
    Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
    lan                              1    33       10.99.12.4      Dynamic No     No   
    Still no management access..:
    Nmap scan report for 10.99.0.60
    Host is up.
    PORT    STATE    SERVICE
    22/tcp  filtered ssh
    443/tcp filtered https
    For reference, the detailed interface config (which clearly shows that 'management' should be ap mgmt.. and dynamic interface 'lan' shouldn't (and thus shouldn't affect it - RIGHT?)):
    Interface Name................................... lan
    MAC Address...................................... c0:8c:60:c7:99:04
    IP Address....................................... 10.99.12.4
    IP Netmask....................................... 255.255.252.0
    IP Gateway....................................... 10.99.12.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 33        
    Quarantine-vlan.................................. 0
    NAS-Identifier................................... mob-wlc
    Active Physical Port............................. 1         
    Primary Physical Port............................ 1         
    Backup Physical Port............................. Unconfigured
    DHCP Proxy Mode.................................. Global
    Primary DHCP Server.............................. Unconfigured
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    IPv4 ACL......................................... Unconfigured
    mDNS Profile Name................................ Unconfigured
    AP Manager....................................... No
    Guest Interface.................................. No
    Interface Name................................... management
    MAC Address...................................... c0:8c:60:c7:99:00
    IP Address....................................... 10.99.0.60
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 10.99.0.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 31        
    Quarantine-vlan.................................. 0
    Active Physical Port............................. 1         
    Primary Physical Port............................ 1         
    Backup Physical Port............................. Unconfigured
    DHCP Proxy Mode.................................. Global
    Primary DHCP Server.............................. 10.99.0.1
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    IPv4 ACL......................................... Unconfigured
    mDNS Profile Name................................ Unconfigured
    AP Manager....................................... Yes
    Guest Interface.................................. No
    L2 Multicast..................................... Enabled
    By the way, the switchport of my switch (C3560G) doesn't specifically allow some VLANs - meaning it allows all vlans:
    interface GigabitEthernet0/28
     description cisco_wlc
     switchport trunk encapsulation dot1q
     switchport mode trunk
    And the vlans in question are present:
    31   enet  100031     1500  -      -      -        -    -        0      0   
    32   enet  100032     1500  -      -      -        -    -        0      0   
    33   enet  100033     1500  -      -      -        -    -        0      0   
    34   enet  100034     1500  -      -      -        -    -        0      0   

  • Cisco Asa 5505 and Layer 3 Switch With Remote VPN Access

    I got a new Cisco Layer 3 switch today, so here is my scenario:
    Cisco Asa 5505
    I
    Outside  == 155.155.155.x
    Inside  =      192.168.7.1
    VPN POOL Address =   10.10.10.1   -   10.10.10.20
    Layer 3 Switch Config
    Vlan 2
    interface ip address =  192.168.1.1
    Vlan 2
    interface ip address =  192.168.2.1
    Vlan 2
    interface ip address =  192.168.3.1
    Vlan 2
    interface ip address =  192.168.4.1
    Vlan 2
    interface ip address =  192.168.5.1
    ip Routing
    So I want my Remote Access VPN clients to access all these networks. So please can you give me a helpful trick or link to configure the rest of my routing?
    Thank you all

    When My Remote VPN is Connected , it reaches 192.168.7.2 of the Layer 3 VLan that's Connected to The ASA 5505 ,
    But i can't reach the rest of the VLAN - example
    192.168.1.1
    192.168.1.2
    192.168.1.3
    192.168.1.4
    192.168.1.5
    But I can reach the connected interface VLAN to my ASA.
    So here I think I have a misconfiguration in my route.
    Any help please, this is urgent
