Anchor-Foreign Configuration

Dear All,
I have a doubt on SSID Security configuration in Anchor-Foreign solution.
Is it required to configure the web authentication server details and redirection details in the foreign controller WLAN also..? Or is configuring only the Anchor for web authentication enough..?
Foreign will tunnel all the traffic from client to anchor. It does not need to have the same security config on WLAN ..?

Thank you Scott,
I hope so; for L3 security features the authentication happens at the Anchor controller and L2 security authentication happens at the Foreign itself.. We configured web auth for guest users only on the Anchor and it works ...
KVS

Similar Messages

  • Anchor controller configuration in 8.0.110 code

    Hi Experts ,
    We have upgraded our controllers to 8.0.110 code. Post which our guest network is down. All the tunnels between our Foreign and Anchor controller show down. The eping command is not supported. mping we are unable to do.
    Any suggestion on this.

    You can use auto-anchor mobility (also called guest tunneling) to improve load balancing and security for roaming clients on your wireless LANs. Under normal roaming conditions, client devices join a wireless LAN and are anchored to the first controller that they contact. If a client roams to a different subnet, the controller to which the client roamed sets up a foreign session for the client with the anchor controller. However, when you use the auto-anchor mobility feature, you can specify a controller or set of controllers as the anchor points for clients on a wireless LAN.
    In auto-anchor mobility mode, a subset of a mobility group is specified as the anchor controllers for a WLAN. You can use this feature to restrict a WLAN to a single subnet, regardless of a client's entry point into the network. Clients can then access a guest WLAN throughout an enterprise but still be restricted to a specific subnet. Auto-anchor mobility can also provide geographic load balancing because the WLANs can represent a particular section of a building (such as a lobby, a restaurant, and so on), effectively creating a set of home controllers for a WLAN. Instead of being anchored to the first controller that they happen to contact, mobile clients can be anchored to controllers that control access points in a particular vicinity.
    When a client first associates to a controller of a mobility group that has been preconfigured as a mobility anchor for a WLAN, the client associates to the controller locally, and a local session is created for the client. Clients can be anchored only to preconfigured anchor controllers of the WLAN. For a given WLAN, you should configure the same set of anchor controllers on all controllers in the mobility group.
    When a client first associates to a controller of a mobility group that has not been configured as a mobility anchor for a WLAN, the client associates to the controller locally, a local session is created for the client, and the client is announced to the other controllers in the mobility list. If the announcement is not answered, the controller contacts one of the anchor controllers configured for the WLAN and creates a foreign session for the client on the local switch. Packets from the client are encapsulated through a mobility tunnel using EtherIP and sent to the anchor controller, where they are decapsulated and delivered to the wired network. Packets to the client are received by the anchor controller and forwarded to the foreign controller through a mobility tunnel using EtherIP. The foreign controller decapsulates the packets and forwards them to the client.
    In controller software releases prior to 4.1, there is no automatic way of determining if a particular controller in a mobility group is unreachable. As a result, the foreign controller may continually send all new client requests to a failed anchor controller, and the clients remain connected to this failed controller until a session timeout occurs. In controller software release 4.1 or later releases, mobility list members can send ping requests to one another to check the data and control paths among them to find failed members and reroute clients. You can configure the number and interval of ping requests that are sent to each anchor controller. This functionality provides guest N+1 redundancy for guest tunneling and mobility failover for regular mobility.
    If multiple Controllers are added as mobility anchors for a particular WLAN on a foreign Controller, the foreign Controller internally sorts the Controllers by their IP address. The Controller with the lowest IP address is the first anchor. For example, a typical ordered list would be 172.16.7.25, 172.16.7.28, 192.168.5.15. If the first client associates to the foreign controller's anchored WLAN, the client database entry is sent to the first anchor Controller in the list, the second client is sent to the second Controller in the list, and so on, until the end of the anchor list is reached. The process is repeated starting with the first anchor Controller. If any of the anchor Controllers is detected to be down, all the clients anchored to the Controller are deauthenticated, and the clients then go through the authentication/anchoring process again in a round-robin manner with the remaining Controllers in the anchor list. This functionality is also extended to regular mobility clients through mobility failover. This feature enables mobility group members to detect failed members and reroute clients.

  • Custom webauth settings in between Anchor & Foreign

    Hi techies,
    We have implemented a new wireless mobility guest SSID in between the anchor and multiple foreign controllers.
    We are using a custom webauth page, written by the customer, which was working great.
    Since we've upgraded to 7.2.115.2, we receive a couple of complaints from users saying that they receive the default Cisco web auth login page instead of the custom one. But after they have successfully logged on, they see the success page of the custom webauth package, which seems quite strange. It seems like the webauth pages from the default Cisco one and our custom one are getting mixed during the authentication process.
    I have read in the mobility design guide about which settings should be absolutely identical in between the anchor & foreign controller(s).
    So I've checked them and I see a difference in the web auth settings, under the security tab in the WLC, which tells the controller if it must use the default internal page or a custom one. We've uploaded the custom web-auth package only to the anchor controller. The foreign controllers have this option set to "Internal (default)".
    Do we need to upload the same custom webauth .tar package to all of the foreign controllers to mitigate this?
    It seems I can't find it in any of the Cisco docs available..
    Thanks!
    Dion Dohmen

    I think there was an issue with what you are seeing with versions of 7.2. The webauth should be in the anchor WLC no matter what. You can search the forums as others have run into that issue also.
    Sent from Cisco Technical Support iPhone App

  • Foreign configuration found on adapter

    Getting "foreign configuration found on adapter" error on Dell Poweredge R410. Perc6i, 4 300GB SAS drives, RAID 0. In PERC 6i Adapter BIOS Configuration Utility under Physical Disk Management it says Foreign under State for Drive ID 03 (fourth one).
    F2 brings up a menu: Rebuild, Replace, LED Blinking, Force Online, Force Offline, Make Global HS, Remove Hot Spare.
    I don't have an extra controller on hand, but I do have another Dell Server that I *might* be able to scavenge a controller from - not sure yet.
    There are two VERY IMPORTANT VMs on this server. I don't want to lose data. Which choice do I pick?
    Cathy Burnham, MCSA

    The message means that RAID configuration data was found on the disk. If you're replacing the disk controller, then you can choose to import this "foreign" configuration. If you're just reusing a disk that was part of a RAID before, then you can clear the foreign configuration and configure a new virtual disk.
    Gleb.

  • Mobility Anchor/Foreign WLC code versions

    I am trying to setup a mobility anchor (5500 version: 7.2.111.3). I need this version as to support the Bonjour gateway.
    The foreign WLC is a WiSM-1 (version: 7.0.220.0).
    I have control/data path up. I am able to ping through it. I am, however, getting invalid mobility packets to the foreign WLC from the Anchor.
    Do the code versions have to be identical for a mobility anchor? I do not plan on performing any AP roaming to the anchor.
    Thanks.

    Output below. Anchor first.
    (Cisco Controller) >show wlan 1
    WLAN Identifier.................................. 1
    Profile Name..................................... pn
    Network Name (SSID).............................. pn_test
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Disabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
      Client Profiling Status ....................... Disabled
      Radius-NAC State............................... Disabled
      SNMP-NAC State................................. Disabled
      Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 0
    Maximum number of Clients per AP Radio........... 200
    Number of Active Clients......................... 0
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 1800 seconds
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ guest-dmz
    --More-- or (q)uit
    Multicast Interface.............................. guest-dmz
    WLAN IPv4 ACL.................................... unconfigured
    WLAN IPv6 ACL.................................... unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Enabled
    Static IP client tunneling....................... Disabled
    Quality of Service............................... Silver
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... All
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
    --More-- or (q)uit
       Authentication................................ Disabled
       Accounting.................................... Disabled
       Dynamic Interface............................. Disabled
    LDAP Servers
       Server 1...................................... 10.4.21.177 389
       Server 2...................................... 10.4.21.178 389
    Local EAP Authentication......................... Disabled
    Security
       802.11 Authentication:........................ Open System
       FT Support.................................... Disabled
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Disabled
       Wi-Fi Direct policy configured................ Disabled
       EAP-Passthrough............................... Disabled
       CKIP ......................................... Disabled
       Web Based Authentication...................... Enabled
    IPv4 ACL........................................ Unconfigured
    IPv6 ACL........................................ Unconfigured
    Web-Auth Flex ACL............................... Unconfigured
    Web Authentication server precedence:
    1............................................... local
    --More-- or (q)uit
    2............................................... ldap
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
       Auto Anchor................................... Enabled
       FlexConnect Local Switching................... Disabled
       FlexConnect Local Authentication.............. Disabled
       FlexConnect Learn IP Address.................. Enabled
       Client MFP.................................... Optional but inactive (WPA2 not configured)
       Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    KTS based CAC Policy............................. Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    Multicast Buffer................................. Disabled
    Mobility Anchor List
    WLAN ID     IP Address            Status
    1           10.241.15.5           Up                             
    --More-- or (q)uit
    802.11u........................................ Disabled
      Access Network type............................ Not configured
      Network Authentication type.................... Not configured
      Internet service............................... Disabled
      HESSID......................................... 00:00:00:00:00:00
    Hotspot 2.0.................................... Disabled
      WAN Metrics configuration
        Link status.................................. 0
        Link symmetry................................ 0
        Downlink speed............................... 0
        Uplink speed................................. 0
    Mobility Services Advertisement Protocol....... Disabled
    (Cisco Controller) >show interface detailed virtual
    Interface Name................................... virtual
    MAC Address...................................... 68:ef:bd:93:bd:00
    IP Address....................................... 1.1.1.1
    DHCP Option 82................................... Disabled
    Virtual DNS Host Name............................ Disabled
    AP Manager....................................... No
    Guest Interface.................................. No
    (WiSM-slot4-1) >show wlan 11
    WLAN Identifier.................................. 11
    Profile Name..................................... pn
    Network Name (SSID).............................. pn_test
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Disabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
      Radius-NAC State............................... Disabled
      SNMP-NAC State................................. Disabled
      Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 0
    Number of Active Clients......................... 0
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 1800 seconds
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ management
    Multicast Interface.............................. Not Configured
    --More-- or (q)uit
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Enabled
    Static IP client tunneling....................... Disabled
    Quality of Service............................... Silver (best effort)
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... All
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
       Authentication................................ Disabled
       Accounting.................................... Disabled
    --More-- or (q)uit
       Dynamic Interface............................. Disabled
    LDAP Servers
       Server 1...................................... 10.4.21.177 389
       Server 2...................................... 10.4.21.178 389
    Local EAP Authentication......................... Disabled
    Security
       802.11 Authentication:........................ Open System
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Disabled
       CKIP ......................................... Disabled
       IP Security................................... Disabled
       IP Security Passthru.......................... Disabled
       Web Based Authentication...................... Enabled
    ACL............................................. Unconfigured
    Web Authentication server precedence:
    1............................................... local
    2............................................... radius
    3............................................... ldap
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
    --More-- or (q)uit
       Auto Anchor................................... Enabled
       H-REAP Local Switching........................ Disabled
       H-REAP Local Authentication................... Disabled
       H-REAP Learn IP Address....................... Enabled
       Client MFP.................................... Optional but inactive (WPA2 not configured)
       Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    Mobility Anchor List
    WLAN ID     IP Address            Status
    11          10.241.15.5           Up                             
    (WiSM-slot4-1) >show interface detailed virtual
    Interface Name................................... virtual
    MAC Address...................................... 00:1a:6c:20:51:60
    IP Address....................................... 1.1.1.1
    DHCP Option 82................................... Disabled
    Virtual DNS Host Name............................ Disabled
    AP Manager....................................... No
    Guest Interface.................................. No
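    To line up the two dumps above side by side, here is an added Python example (not code from the post or from Cisco) that parses the dotted key/value format of `show wlan` and reports where the anchor and the foreign differ on a chosen set of fields. The embedded excerpts are trimmed copies of the outputs pasted above; the list of fields to compare is my own assumption, not the mobility design guide's list, and whether a given mismatch matters (the Interface, for instance, differs because the anchor is where guest traffic egresses) is a question for that guide.

```python
import re
from typing import Dict, List, Tuple, Union

# Constructed excerpts of the two "show wlan" dumps pasted above (anchor first,
# then the WiSM foreign). Only lines needed for the comparison are kept; the
# values are the ones the poster pasted.
ANCHOR_SHOW_WLAN = """\
(Cisco Controller) >show wlan 1
WLAN Identifier.................................. 1
Profile Name..................................... pn
Network Name (SSID).............................. pn_test
Interface........................................ guest-dmz
--More-- or (q)uit
Security
   802.11 Authentication:........................ Open System
   FT Support.................................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Disabled
   Web Based Authentication...................... Enabled
Web Authentication server precedence:
1............................................... local
2............................................... ldap
   Auto Anchor................................... Enabled
"""

FOREIGN_SHOW_WLAN = """\
(WiSM-slot4-1) >show wlan 11
WLAN Identifier.................................. 11
Profile Name..................................... pn
Network Name (SSID).............................. pn_test
Interface........................................ management
Security
   802.11 Authentication:........................ Open System
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Disabled
   Web Based Authentication...................... Enabled
Web Authentication server precedence:
1............................................... local
2............................................... radius
3............................................... ldap
   Auto Anchor................................... Enabled
"""

# Fields worth lining up between the two sides. Which of them must match is a
# question for the mobility design guide; this list is an assumption.
KEYS_TO_COMPARE = [
    "Network Name (SSID)",
    "802.1X",
    "Wi-Fi Protected Access (WPA/WPA2)",
    "Web Based Authentication",
    "Web Authentication server precedence",
    "Auto Anchor",
    "Interface",
]

# "Key..........Value": the lazy group stops at the first run of 3+ dots, so
# keys such as "802.11 Authentication" or "Hotspot 2.0" survive intact.
DOTTED = re.compile(r"^(.*?)\.{3,}\s*(.*)$")
PRECEDENCE = "Web Authentication server precedence"

Value = Union[str, List[str]]


def parse_show_wlan(text: str) -> Dict[str, Value]:
    """Flatten a WLC 'show wlan' dump into a dict. Lines without dot leaders are
    section headers; the numbered entries under the web-auth precedence header
    are collected as an ordered list instead of separate "1"/"2" keys."""
    fields: Dict[str, Value] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("--More--") or ">show " in line:
            continue  # pager prompt or the echoed command
        m = DOTTED.match(line)
        if not m:
            section = line.rstrip(":")
            continue
        key, value = m.group(1).strip().rstrip(":"), m.group(2).strip()
        if key.isdigit() and section == PRECEDENCE:
            fields.setdefault(PRECEDENCE, []).append(value)  # type: ignore[union-attr]
        else:
            fields[key] = value
    return fields


def compare_wlans(anchor: Dict[str, Value], foreign: Dict[str, Value],
                  keys: List[str]) -> Dict[str, Tuple[Value, Value]]:
    """Return {field: (anchor_value, foreign_value)} for every requested field
    whose value differs or is present on only one side."""
    diffs: Dict[str, Tuple[Value, Value]] = {}
    for key in keys:
        a, f = anchor.get(key), foreign.get(key)
        if a != f:
            diffs[key] = (a, f)  # type: ignore[assignment]
    return diffs


if __name__ == "__main__":
    report = compare_wlans(parse_show_wlan(ANCHOR_SHOW_WLAN),
                           parse_show_wlan(FOREIGN_SHOW_WLAN), KEYS_TO_COMPARE)
    for key, (a, f) in report.items():
        print(f"{key}: anchor={a!r} foreign={f!r}")
```

    Run against the excerpts, the report shows the SSID, 802.1X, WPA, web authentication and Auto Anchor settings agreeing, and flags only the web-auth server precedence (local, ldap on the anchor versus local, radius, ldap on the foreign) and the interface. Feed it the full dumps from two real controllers and extend the key list to whatever the design guide says must match.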

  • Anchor mobility configuration getting lost in wlc 5508 ios code 7.4.100.0

    It is observed that in WLC 5508, ios 7.4.100.0, the mobility anchor configuration on the WLAN is getting lost. We configure the anchor IP address on guest WLAN > Mobility Anchor > Switch IP Address (Anchor).
    We have configured the template on NCS 2.0 to push the anchor mobility IP address to all WLCs.
    Has anyone observed this behaviour? We have more than 100 WLCs, and every week the mobility anchor configuration is lost on some WLC having code 7.4.100.0.

    I am having this exact same problem. I am running 7.3 on a 5508 WLC. My remote site LAPs are using Flex (HREAP). The initial access point that my laptop associates to connects with no problem; as soon as I wander out of range of the initial LAP and into the area of another access point, I lose data connectivity. This was validated like the original post: I start a constant ping on the LAN and watch as the ping latency increases and then ping replies stop. The only way to correct the problem is resetting the wireless adapter on the laptop. Side note: my DroidX has no problem wandering from AP to AP.
    Laptop: Windows 7 32bit
    I then returned to my home site and tested where I have a secondary controller and the LAPs are configured for local mode; no problems roaming from access point to access point. Validated with a constant ping test. The pings drop for a second and then continue as the laptop reconnects.
    **Edit: I am going to try the removing the DHCP Addr. Assignment required option, and report that back to the TAC engineer.
    Message was edited by: Michael Dunki-Jacobs
    **Edit Solved:***
    The problem is indeed solved by turning off "DHCP Address Required", but why?

  • Load-Balancing between Foreign and two Anchors

    Hi, we have two foreign controllers (one active, one standby) and two anchor controllers. All APs are connected to the active foreign controller. The layer 3 networks for the wlan clients on both anchors are different for the same SSID. SSID: Internet, anchor 1: Subnet A, anchor 2: Subnet B. So when a client is getting anchored to Anchor 1, the clients will get an ip from subnet A and when the client is getting anchored to anchor 2, the client will get an ip from subnet B.
    This is so far not a big problem because we only have a few accesspoints in some rooms. But what will happen, when we have a full covered wlan and the client roams from one AP to the other AP? Is there a possibility, that the client will anchored to a different anchor while roaming? I think this will result in a lack of connectivity because without a real disconnect the client will not ask for a new IP address.
    Other question: Is it possible to disable this load-balancing between anchor controllers? Or can i make a client sticky to only one anchor as long as an access-session is established?
    All controllers are 5760 with 3.3.3 software.

    Hi acontes, 
    It's an interesting question. 
    In this case, if all AP's are on WLC-A and there is no possibility that an L3 inter-subnet roam will occur between WLC-A and WLC-B, I would just forward WLC-A to Anchor A and WLC-B (in the event of fail over) to Anchor B (if Anchors reside on different subnets). If you must specify Anchor A and Anchor B on each WLC for redundancy purposes, it's important to understand the guidelines and limitations with regard to Foreign / Anchor Design.  
    As Scott mentioned, the limitation with Anchoring design is that there is no primary / secondary configuration for an Anchor on the Foreign WLC.
    If WLC-A has two entries, (1) for Anchor-A and (2) for Anchor-B, the EoIP tunnels are established and load-balancing occurs in a round-robin fashion.
    Keep in mind the following with regard to guest N+1 redundancy:
    • A given foreign controller load balances wireless client connections across the list of anchor controllers configured for the guest WLAN. There is currently no method to designate one anchor as primary with one or more secondary anchors.
    • Wireless clients that are associated with an anchor WLC that becomes unreachable are re-associated with another anchor defined for the WLAN. When this happens, assuming web authentication is being used, the client is redirected to the web portal authentication page and required to re-submit their credentials.
    Since traffic is transported at Layer 2 via EoIP, the first point at which DHCP services can be implemented is either locally on the anchor controller or the controller can relay client DHCP requests to an external server. Since the IP address directly correlates to the DMZ subnet or the interface where the traffic egresses, it is possible for some clients to get IP's from both Subnet A or Subnet B in the event that WLC-A is building EoIP to both anchors.
    1) What happens if my clients roam?
    Nothing... since all AP's are on WLC-A, it's Intra-Controller Roaming
    Each controller supports same-controller client roaming across access points managed by the same controller. This roaming is transparent to the client as the session is sustained, and the client continues using the same DHCP-assigned or client-assigned IP address. The controller provides DHCP functionality with a relay function. Same-controller roaming is supported in single-controller deployments and in multiple-controller deployments.
    Would it be better to choose the same DHCP Pool on both anchors?
    It's probably better to have redundant anchors on the same subnet, but it's not required. 
    3) How would you design this :-)
    WLC-A <--EoIP--> Anchor A (DHCP Pool A)
    WLC-A <--EoIP--> Anchor B (DHCP Pool A)
    It's important to remember what Scott mentioned about the lack of a primary / secondary relationship. If multiple controllers are added as mobility anchors for a particular WLAN on a foreign controller, the foreign controller internally sorts the controllers by their IP address. The controller with the lowest IP address is the first anchor. For example, a typical ordered list would be 172.16.7.25, and 172.16.7.28. If the first client associates to the foreign controller's anchored WLAN, the client database entry is sent to the first anchor controller in the list, the second client is sent to the second controller in the list, and so on, until the end of the anchor list is reached. The process is repeated starting with the first anchor controller.
    If any of the anchor controllers is detected to be down, all the clients anchored to that controller are deauthenticated, and the clients then go through the authentication/anchoring process again in a round-robin manner with the remaining controllers in the anchor list. This functionality is also extended to regular mobility clients through mobility failover. This feature enables mobility group members to detect failed members and reroute clients.
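    As an added illustration (not code from the post or from Cisco), this Python model simulates the anchor-selection behaviour described in this answer and in the 8.0.110 thread above: anchors sorted by IP address, clients dealt out round-robin, and the clients of a failed anchor deauthenticated and dealt out again over the survivors. It makes visible why one SSID can hand out addresses from two subnets and which clients would be sent back to the web portal after a failover. The anchor IPs are the ones quoted in the text; the pool labels, client names, the numeric IP sort and the cursor restart after a failure are constructed assumptions.

```python
from ipaddress import ip_address
from typing import Dict, List, Set


class ForeignAnchorTable:
    """Simulation of a foreign WLC's anchor list for one WLAN, following the
    behaviour the thread quotes. This is not controller code."""

    def __init__(self, anchors: Dict[str, str]) -> None:
        # anchors maps anchor IP -> label of the DHCP pool behind it (constructed)
        self.pools = dict(anchors)
        # sorted numerically by address (assumption); matches the quoted order
        self.anchors: List[str] = sorted(anchors, key=ip_address)
        self.clients: Dict[str, str] = {}   # client id -> anchor IP
        self._next = 0                       # round-robin cursor

    def anchor_order(self) -> List[str]:
        """The order in which anchors are handed out, lowest IP first."""
        return list(self.anchors)

    def associate(self, client: str) -> str:
        """Hand a newly associated client to the next anchor in the list,
        wrapping around when the end of the list is reached."""
        if not self.anchors:
            raise RuntimeError("no reachable anchor left for this WLAN")
        anchor = self.anchors[self._next % len(self.anchors)]
        self._next = (self._next + 1) % len(self.anchors)
        self.clients[client] = anchor
        return anchor

    def subnet_of(self, client: str) -> str:
        """Which address pool the client ended up in (the source of the
        'Subnet A or Subnet B' effect described above)."""
        return self.pools[self.clients[client]]

    def subnets_in_use(self) -> Set[str]:
        return {self.pools[a] for a in self.clients.values()}

    def anchor_down(self, ip: str) -> Dict[str, str]:
        """Remove a failed anchor. Its clients are deauthenticated and dealt out
        again round-robin over the remaining anchors. The returned map lists
        who moved where; with web authentication these are the users who will
        be asked for credentials again. Restarting the cursor at the first
        surviving anchor is an assumption, the text does not say."""
        if ip not in self.anchors:
            raise KeyError(f"{ip} is not a configured anchor")
        self.anchors.remove(ip)
        affected = [c for c, a in self.clients.items() if a == ip]
        self._next = 0
        moved: Dict[str, str] = {}
        for client in affected:
            del self.clients[client]
            moved[client] = self.associate(client)
        return moved


if __name__ == "__main__":
    # anchor IPs from the quoted example; pool labels are constructed
    table = ForeignAnchorTable({"192.168.5.15": "Subnet B",
                                "172.16.7.28": "Subnet A",
                                "172.16.7.25": "Subnet A"})
    print("anchor order:", table.anchor_order())
    for c in ("c1", "c2", "c3", "c4"):
        print(c, "->", table.associate(c), table.subnet_of(c))
    print("subnets in use:", table.subnets_in_use())
    print("172.16.7.25 down, re-anchored:", table.anchor_down("172.16.7.25"))
```

    With two anchors on different subnets, `subnets_in_use()` returns both after only two clients have joined, which is the situation the question describes; giving both anchors the same pool (the design suggested above) makes that set collapse to one entry without changing the round-robin.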

  • Mobility Anchor connection drops during authentication

    Hi,
    I have a strange situation, hopefully someone can help. I have a WLAN setup with foreign - anchor controllers and MAC address authentication using a central RADIUS server. In some cases for some clients the foreign export cannot be built up because during the 802.11 process the foreign disconnects the client due to a session timer expiring. Some clients can connect, others experience this issue. Sometimes a client can get an IP address via the anchor DHCP proxy but then the foreign disconnects it with an expiring message. (foreign sw version 6.0.202, anchor sw version 6.0.188, but we have the same situation with another foreign which has version 7.4.110)
    Debug shows the following (suspicious part is in red):
    *Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 Reassociation received from mobile on AP e8:04:62:f6:bf:00
    *Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 Applying site-specific IPv6 override for station 60:c5:47:99:b0:a6 - vapId 3, site 'default-group', interface 'management'
    *Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 Applying IPv6 Interface Policy for station 60:c5:47:99:b0:a6 - vlan 850, interface id 0, interface 'management'
    *Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 STA - rates (6): 24 164 48 72 96 108 0 0 0 0 0 0 0 0 0 0
    *Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [e8:04:62:f6:cd:d0]
    *Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 Updated location for station old AP e8:04:62:f6:cd:d0-0, new AP e8:04:62:f6:bf:00-0
    *Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 apfProcessAssocReq (apf_80211.c:4270) Changing state for mobile 60:c5:47:99:b0:a6 on AP e8:04:62:f6:bf:00 from Probe to AAA Pending
    *Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
    *Jan 15 12:07:01.326: 60:c5:47:99:b0:a6 Inserting AAA Override struct for mobile MAC: 60:c5:47:99:b0:a6, source 2
    *Jan 15 12:07:01.326: 60:c5:47:99:b0:a6 Setting session timeout 7201 on mobile 60:c5:47:99:b0:a6
    *Jan 15 12:07:01.326: 60:c5:47:99:b0:a6 Session Timeout is 7201 - starting session timer for the mobile
    *Jan 15 12:07:01.326: 60:c5:47:99:b0:a6 0.0.0.0 START (0) Initializing policy
    *Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
    *Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
    *Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP e8:04:62:f6:bf:00 vapId 3 apVapId 3
    *Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
    *Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 apfPemAddUser2 (apf_policy.c:213) Changing state for mobile 60:c5:47:99:b0:a6 on AP e8:04:62:f6:bf:00 from AAA Pending to Associated
    *Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 Scheduling deletion of Mobile Station:  (callerId: 49) in 7200 seconds
    *Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 Sending Assoc Response to station on BSSID e8:04:62:f6:bf:00 (status 0) Vap Id 3 Slot 0
    *Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 apfProcessRadiusAssocResp (apf_80211.c:1956) Changing state for mobile 60:c5:47:99:b0:a6 on AP e8:04:62:f6:bf:00 from Associated to Associated
    *Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Applying post-handoff policy for station 60:c5:47:99:b0:a6 - valid mask 0xb00
    *Jan 15 12:07:01.328: 60:c5:47:99:b0:a6     QOS Level: -1, DSCP: -1, dot1p: -1, Data Avg: -1, realtime Avg: -1, Data Burst -1, Realtime Burst -1
    *Jan 15 12:07:01.328: 60:c5:47:99:b0:a6     Session: 7200, User session: 7201, User elapsed 104  Interface: (null) ACL: N/A
    *Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Inserting AAA Override struct for mobile MAC: 60:c5:47:99:b0:a6, source 16
    *Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Setting session timeout 7201 on mobile 60:c5:47:99:b0:a6
    *Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Session Timeout is 7201 - starting session timer for the mobile
    *Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Scheduling deletion of Mobile Station:  (callerId: 55) in 7200 seconds
    *Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
    *Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
    *Jan 15 12:07:01.329: 60:c5:47:99:b0:a6 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 4245
    *Jan 15 12:07:01.329: 60:c5:47:99:b0:a6 0.0.0.0 RUN (20) Adding Fast Path rule  type = Airespace AP Client on AP e8:04:62:f6:bf:00, slot 0, interface = 29, QOS = 0  ACL Id = 255, Jumbo Frames = NO, 802.1
    *Jan 15 12:07:01.329: 60:c5:47:99:b0:a6 0.0.0.0 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
    *Jan 15 12:07:01.332: 60:c5:47:99:b0:a6 Set bi-dir guest tunnel for 60:c5:47:99:b0:a6 as in Export Foreign role
    *Jan 15 12:07:01.335: 60:c5:47:99:b0:a6 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
    *Jan 15 12:07:11.890: 60:c5:47:99:b0:a6 0.0.0.0 RUN (20) State Update from Mobility-Complete to Mobility-Incomplete
    *Jan 15 12:07:11.890: 60:c5:47:99:b0:a6 apfMmProcessDeleteMobile (apf_mm.c:531) Expiring Mobile!
    *Jan 15 12:07:11.890: 60:c5:47:99:b0:a6 apfMsExpireMobileStation (apf_ms.c:4427) Changing state for mobile 60:c5:47:99:b0:a6 on AP e8:04:62:f6:bf:00 from Associated to Disassociated
    *Jan 15 12:07:11.891: 60:c5:47:99:b0:a6 apfMsExpireMobileStation (apf_ms.c:4548) Changing state for mobile 60:c5:47:99:b0:a6 on AP e8:04:62:f6:bf:00 from Disassociated to Idle
    *Jan 15 12:07:11.891: 60:c5:47:99:b0:a6 0.0.0.0 RUN (20) Deleted mobile LWAPP rule on AP [e8:04:62:f6:bf:00]
    *Jan 15 12:07:11.891: 60:c5:47:99:b0:a6 Deleting mobile on AP e8:04:62:f6:bf:00(0)
    *Jan 15 12:07:11.894: 60:c5:47:99:b0:a6 0.0.0.0 Removed NPU entry.
    *Jan 15 12:07:12.053: 60:c5:47:99:b0:a6 Adding mobile on LWAPP AP 68:bd:ab:48:80:f0(0)
    *Jan 15 12:07:12.053: 60:c5:47:99:b0:a6 Scheduling deletion of Mobile Station:  (callerId: 23) in 5 seconds
    *Jan 15 12:07:12.053: 60:c5:47:99:b0:a6 apfProcessProbeReq (apf_80211.c:4761) Changing state for mobile 60:c5:47:99:b0:a6 on AP 68:bd:ab:48:80:f0 from Idle to Probe
    Question: Why is that 10 sec timer still ticking at that phase when the client has already reached RUN state?
    On a foreign WLC running 7.4.110 with an anchor running 6.0.188 the situation is even worse: all clients have this issue and cannot connect.
    Thanks
    Hege

    Hi,
    Yes, that was the first thing to check. We don't use the DHCP required option (unchecked on both sides). The only difference between anchor and foreign configuration is that on the foreign L2 MAC filtering is enabled and RADIUS servers are specified, while on the anchor it is not enabled and no servers are specified. I have tried enabling MAC filtering on the anchor (without RADIUS servers specified there) but I get the same behaviour. AAA override is also enabled on both sides.
    I have also increased the authentication timeout in the advanced timers options from 10 to 40 seconds, but no luck; the debug still shows the same 10 seconds.
    I am thinking of two options. The first is that the anchor software is too old (6.0.188) and needs to be upgraded to 7.0.240 (the anchor is a 4400 WLC). The second is that there might be too much delay between anchor and foreign.
    On the same setup, if we use guest access with web authentication on the anchor side (no MAC authentication), then everything is fine.
    Thanks
    Hege
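
The question above is which armed timer actually fired, since the excerpt shows only 7200-second deletion timers yet the client is expired about ten seconds after reaching RUN. The script below is an added example, not code from the post or from Cisco: it parses `debug client` records in the format quoted above, records every "Scheduling deletion" timer and the RUN and "Expiring Mobile!" events, and reports which armed timer (if any in the capture) was due at the moment of expiry. The sample input is a trimmed copy of the lines from the post; regex details and the one-second tolerance are my own choices.

```python
"""Relate a WLC client's expiry to the deletion timers armed for it, from
'debug client <mac>' output.  Added example, not code from the post or from
Cisco; the record formats follow the debug excerpt above."""
import re
from datetime import datetime

# Constructed sample: a subset of the debug lines quoted in the post above.
SAMPLE = """\
*Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 Scheduling deletion of Mobile Station:  (callerId: 49) in 7200 seconds
*Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Scheduling deletion of Mobile Station:  (callerId: 55) in 7200 seconds
*Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
*Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
*Jan 15 12:07:11.890: 60:c5:47:99:b0:a6 0.0.0.0 RUN (20) State Update from Mobility-Complete to Mobility-Incomplete
*Jan 15 12:07:11.890: 60:c5:47:99:b0:a6 apfMmProcessDeleteMobile (apf_mm.c:531) Expiring Mobile!
*Jan 15 12:07:12.053: 60:c5:47:99:b0:a6 Scheduling deletion of Mobile Station:  (callerId: 23) in 5 seconds
"""

LINE_RE = re.compile(
    r"^\*(?P<ts>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d\.\d{3}):\s"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s(?P<msg>.*)$"
)
SCHED_RE = re.compile(r"Scheduling deletion of Mobile Station:\s+\(callerId: (\d+)\) in (\d+) seconds")
STATE_RE = re.compile(r"Change state to (\w+) \(\d+\)")
MOB_RE = re.compile(r"State Update from (Mobility-\w+) to (Mobility-\w+)")

TOLERANCE_S = 1.0  # how close a timer's due time must be to the expiry to count as its cause


def parse_line(line):
    """Return (timestamp, mac, message), or None for lines that are not debug records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # The WLC does not log the year; only deltas matter here, so the default 1900 is fine.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f")
    return ts, m.group("mac"), m.group("msg")


def analyze(text):
    """Per client MAC: when RUN was reached, when it expired, the timers armed in
    between, and which of those timers (if any) was due at the moment of expiry."""
    clients = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, mac, msg = rec
        c = clients.setdefault(mac, {"run_at": None, "expired_at": None,
                                     "scheduled": [], "mobility": [],
                                     "run_to_expire_s": None, "matching_timers": []})
        if (m := SCHED_RE.search(msg)):
            c["scheduled"].append((int(m.group(1)), int(m.group(2)), ts))
        elif (m := STATE_RE.search(msg)) and m.group(1) == "RUN" and c["run_at"] is None:
            c["run_at"] = ts
        elif (m := MOB_RE.search(msg)):
            c["mobility"].append((ts, m.group(2)))
        elif "Expiring Mobile!" in msg and c["expired_at"] is None:
            c["expired_at"] = ts
    for c in clients.values():
        if c["run_at"] and c["expired_at"]:
            c["run_to_expire_s"] = round((c["expired_at"] - c["run_at"]).total_seconds(), 3)
            # A timer armed at t for n seconds is due at t+n.  If none is due at the
            # expiry, the timer that fired was armed before the capture started.
            c["matching_timers"] = [
                caller for caller, secs, armed in c["scheduled"]
                if abs((c["expired_at"] - armed).total_seconds() - secs) <= TOLERANCE_S
            ]
    return clients


if __name__ == "__main__":
    for mac, c in analyze(SAMPLE).items():
        print(mac, "RUN->expiry %ss" % c["run_to_expire_s"],
              "timers armed:", [(k, s) for k, s, _ in c["scheduled"]],
              "due at expiry:", c["matching_timers"] or "none in capture")
```

On the sample the client is expired 10.562 s after RUN and none of the three visible timers is due then, so the 10-second timer was armed earlier than the excerpt begins; the practical move is to capture the whole association from the first probe and feed it to `analyze`, which will then name the callerId of the timer that lines up with the expiry.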

  • 3850 as MC and 5508 as Anchor Guest

    Can I use a 5508 WLC with release 7.4.121.0 as the guest anchor for a 3850 configured as a Mobility Controller?
    Converged access (new mobility) is supported only in 7.3.112 or 7.5 and later releases, but I don't need to configure the 3850 as a Mobility Agent.
    I need to configure the 3850 to connect to my guest anchor controller, a 5508 in the DMZ.

    Hi
    You need to run 7.6.110.0 on your 5508 and enable the "New Mobility" feature on it if you want to have an Anchor-Foreign setup between a 3850 and a 5508.
     NB: the 7.3.x and 7.5.x code trains differ, and 7.4.x code does not support "new mobility".
    HTH
    Rasika
    **** Pls rate all useful responses *****

  • Anchor wireless setup

    Hello,
    We have been handed over a setup that involves a WLC running 7.0.230 and another WLC connected to it.
    The second WLC has a different SSID from the first one.
    I was told this is known as an anchor controller setup. I tried reading the documentation, but due to my limited understanding I couldn't follow it.
    What exactly does "anchor controller" mean, and which controller acts as the anchor (the original controller or the second one)?
    Secondly, following errors come up often and connections get disconnected,
    Controller ' 192.168.51.18'. All anchors of WLAN 'intuser' are down
    Message: Controller '192.168.51.18'. An anchor of WLAN 'intuser' is up.
    Please help with inputs on these. thank you all.

    Guidelines for Using Auto-Anchor Mobility
    Follow these guidelines when you configure auto-anchor mobility:
    •You must add controllers to the mobility group member list before you can designate them as mobility anchors for a WLAN.
    •You can configure multiple controllers as mobility anchors for a WLAN.
    •You must disable the WLAN before configuring mobility anchors for it.
    •Auto-anchor mobility supports web authorization but does not support other Layer 3 security types.
    •You must configure the WLANs on both the foreign controller and the anchor controller with mobility anchors. On the anchor controller, configure the anchor controller itself as a mobility anchor. On the foreign controller, configure the anchor as a mobility anchor.
    •Auto-anchor mobility is not supported for use with DHCP option 82.
    •When using the guest N+1 redundancy and mobility failover features with a firewall, make sure that the following ports are open:
    –UDP 16666 for tunnel control traffic
    –IP Protocol 97 for user data traffic
    –UDP 161 and 162 for SNMP
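
The port list above is where DMZ deployments most often go wrong: protocol 97 is an IP protocol number (EtherIP), not a TCP or UDP port, and a rule written as "udp 97" silently leaves the data tunnel blocked while control traffic on UDP 16666 works, which presents exactly as "tunnel up, clients get no DHCP". The checker below is an added example, not code from the post or from Cisco: it evaluates a simplified, hypothetical rule-set representation against the flows listed in the guidelines, in both directions between a foreign and an anchor, and flags the port/protocol confusion. The addresses are the foreign from the thread above and an invented anchor address; the "new_mobility" profile (UDP 16666 control, UDP 16667 data) is included from Cisco's New Mobility documentation as I recall it and should be verified against the release notes for your code train.

```python
"""Check a firewall rule set for the flows an anchor/foreign mobility tunnel needs.
Added example; not from the post or from Cisco.  The rule dict shape and the
anchor address are hypothetical, chosen for the example."""

# Per the guidelines above: control, data, and SNMP for N+1 redundancy.
# "ipproto" means an IP protocol number, not a TCP/UDP port.
PROFILES = {
    "classic": [
        ("udp", 16666, "mobility control"),
        ("ipproto", 97, "EtherIP user data tunnel"),
        ("udp", 161, "SNMP"),
        ("udp", 162, "SNMP traps"),
    ],
    # New Mobility (converged access) carries data over UDP 16667 instead of
    # EtherIP (assumption from memory; verify against your release notes).
    "new_mobility": [
        ("udp", 16666, "mobility control"),
        ("udp", 16667, "mobility data"),
    ],
}

FOREIGN = "192.168.156.2"   # the foreign controller in the thread above
ANCHOR = "10.0.0.5"         # hypothetical DMZ anchor address

# Constructed rule set with a common mistake: protocol 97 written as a UDP port.
RULES = [
    {"proto": "udp", "port": 16666, "src": FOREIGN, "dst": ANCHOR},
    {"proto": "udp", "port": 16666, "src": ANCHOR, "dst": FOREIGN},
    {"proto": "udp", "port": 97, "src": FOREIGN, "dst": ANCHOR},
    {"proto": "udp", "port": 97, "src": ANCHOR, "dst": FOREIGN},
    {"proto": "udp", "port": 161, "src": FOREIGN, "dst": ANCHOR},
    {"proto": "udp", "port": 161, "src": ANCHOR, "dst": FOREIGN},
    {"proto": "udp", "port": 162, "src": FOREIGN, "dst": ANCHOR},
    {"proto": "udp", "port": 162, "src": ANCHOR, "dst": FOREIGN},
]


def permits(rule, kind, value, src, dst):
    """Does a single permit rule cover the flow src->dst for (kind, value)?"""
    if rule["src"] != src or rule["dst"] != dst:
        return False
    if rule["proto"] == "ip" and rule.get("ipproto") is None:
        return True                      # 'permit ip' covers every protocol
    if kind == "ipproto":
        return rule["proto"] == "ip" and rule.get("ipproto") == value
    return rule["proto"] == kind and rule.get("port") == value


def check_mobility_rules(rules, foreign, anchor, profile="classic"):
    """Return (missing, warnings): required flows the rules do not permit, checked
    in both directions, and rules that look like the port/protocol confusion."""
    missing, warnings = [], []
    for kind, value, why in PROFILES[profile]:
        for src, dst in ((foreign, anchor), (anchor, foreign)):
            if not any(permits(r, kind, value, src, dst) for r in rules):
                missing.append((f"{src}->{dst}", f"{kind} {value}", why))
    for r in rules:
        if r["proto"] in ("tcp", "udp") and r.get("port") == 97:
            warnings.append(f"{r['proto']}/97 {r['src']}->{r['dst']}: 97 is an IP protocol "
                            "(EtherIP), not a port; permit IP protocol 97 instead")
    return missing, warnings


if __name__ == "__main__":
    missing, warnings = check_mobility_rules(RULES, FOREIGN, ANCHOR)
    for flow, what, why in missing:
        print("MISSING", flow, what, "-", why)
    for w in warnings:
        print("WARNING", w)
```

Run against the constructed rule set it reports the EtherIP flow missing in both directions and warns on both "udp 97" rules; adding two `{"proto": "ip", "ipproto": 97, ...}` rules clears the report. Feed it your real rule export translated into the same dict shape rather than trusting a tunnel that shows "up", since the control channel alone is enough for that status.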

  • Can sleeping clients just be on anchor controller 7.6

    Can sleeping clients just be on the anchor controller in 7.6? Can the foreign controller not have sleeping clients configured and it still work as long as the anchor is configured for sleeping clients? The other question is: do all users use sleeping clients, or only users who have actually web-authed? We have a lot of people in the WEBAUTH_REQD state and I'm not sure if they count against the sleeping client count.

    A sleeping client does not require reauthentication in the following scenarios:
    Suppose there are two controllers in a mobility group. A client that is associated with one controller goes to sleep and then wakes up and gets associated with the other controller.
    Suppose there are three controllers in a mobility group. A client that is associated with the second controller that is anchored to the first controller goes to sleep, wakes up, and gets associated with the third controller.
    A client sleeps, wakes up and gets associated with the same or different export foreign controller that is anchored to the export anchor.
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-5/config_guide/b_cg75/b_cg75_chapter_010111.html#concept_F70A46E44FFB41CA9C2A4FC60A81B0A2

  • WLC2x06 auto-anchor to 4400 appears to fail

    Hi, has anyone seen this problem, or is this a bug:
    Auto-anchor is configured for guest mobility and has been working fine on a number of 4400 controllers in a mobility group. Guests get auto-anchored to a 4400 with access to the guest DMZ.
    We have now introduced both 2006 and 2106 controllers into the mobility group; however, clients are not getting DHCP when coming through these controllers.
    Debugs show an apparent disinterest on the part of the 4400 in responding to mobility anchor requests from the 2x06, and mobility statistics report an increase in 'ignored' requests.
    mobility debug on 4400 for unsuccessful request from 2106:
    Wed May 23 15:31:34 2007: Mobility packet received from:
    Wed May 23 15:31:34 2007: 192.168.156.2, port 16666, Switch IP: 192.168.156.2
    Wed May 23 15:31:34 2007: type: 3(MobileAnnounce) subtype: 0 version: 1 xid: 200 seq: 200 len 120
    Wed May 23 15:31:34 2007: group id: dedbb34b 687b56c2 633f1d4d 73ed6709
    Wed May 23 15:31:34 2007: mobile MAC: 00:19:d2:d5:eb:39, IP: 0.0.0.0, instance: 0
    Wed May 23 15:31:34 2007: VLAN IP: 192.168.156.2, netmask: 255.255.255.0
    Wed May 23 15:31:35 2007: Mobility packet received from:
    Wed May 23 15:31:35 2007: 192.168.156.2, port 16666, Switch IP: 192.168.156.2
    Wed May 23 15:31:35 2007: type: 3(MobileAnnounce) subtype: 0 version: 1 xid: 200 seq: 200 len 120
    Wed May 23 15:31:35 2007: group id: dedbb34b 687b56c2 633f1d4d 73ed6709
    Wed May 23 15:31:35 2007: mobile MAC: 00:19:d2:d5:eb:39, IP: 0.0.0.0, instance: 0
    Wed May 23 15:31:35 2007: VLAN IP: 192.168.156.2, netmask: 255.255.255.0
    Wed May 23 15:31:36 2007: Mobility packet received from:
    Wed May 23 15:31:36 2007: 192.168.156.2, port 16666, Switch IP: 192.168.156.2
    Wed May 23 15:31:36 2007: type: 16(MobileAnchorExport) subtype: 0 version: 1 xid: 201 seq: 201 len 244
    Wed May 23 15:31:36 2007: group id: dedbb34b 687b56c2 633f1d4d 73ed6709
    Wed May 23 15:31:36 2007: mobile MAC: 00:19:d2:d5:eb:39, IP: 0.0.0.0, instance: 0
    Wed May 23 15:31:36 2007: VLAN IP: 192.168.156.2, netmask: 255.255.255.0
    Wed May 23 15:31:36 2007: Received Anchor Export request: 00:19:d2:d5:eb:39
    from Switch IP: 192.168.156.2
    Mobility debug on 4400 with successful request/response from another controller:
    Wed May 23 15:31:41 2007: Mobility packet received from:
    Wed May 23 15:31:41 2007: 192.168.160.13, port 16666, Switch IP: 192.168.160.13
    Wed May 23 15:31:41 2007: type: 16(MobileAnchorExport) subtype: 0 version: 1 xid: 243028 seq: 29509 len 244
    Wed May 23 15:31:41 2007: group id: dedbb34b 687b56c2 633f1d4d 73ed6709
    Wed May 23 15:31:41 2007: mobile MAC: 00:12:f0:82:57:00, IP: 0.0.0.0, instance: 0
    Wed May 23 15:31:41 2007: VLAN IP: 192.168.160.13, netmask: 255.255.255.0
    Wed May 23 15:31:41 2007: Received Anchor Export request: 00:12:f0:82:57:00
    from Switch IP: 192.168.160.13
    Wed May 23 15:31:41 2007: Received Anchor Export policy update, valid mask 0x0:
    Qos Level: 3, DSCP: 0, dot1p: 0 Interface Name: , ACL Name:
    Wed May 23 15:31:41 2007: Mobility packet sent to:
    Wed May 23 15:31:41 2007: 192.168.160.13, port 16666, Switch IP: 192.168.160.12
    Wed May 23 15:31:41 2007: type: 17(MobileAnchorExportAck) subtype: 0 version: 1 xid: 243028 seq: 40918 len 272
    Wed May 23 15:31:41 2007: group id: dedbb34b 687b56c2 633f1d4d 73ed6709
    Wed May 23 15:31:41 2007: mobile MAC: 00:12:f0:82:57:00, IP: 192.168.191.16, instance: 1
    Wed May 23 15:31:41 2007: VLAN IP: 192.168.191.2, netmask: 255.255.255.192
    Wed May 23 15:31:41 2007: 00:12:f0:82:57:00 192.168.191.16 WEBAUTH_REQD (8) Plumbing duplex mobility tunnel to 192.168.160.13
    as Export Anchor (VLAN 191)
    all help appreciated!
    Graeme

    Hello
    I don't think the 20x6 controllers support that.
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn40216.html#wp44028
    These software features are not supported on 2000 and 2100 series controllers:
    • Termination of guest controller tunnels (origination of guest controller tunnels is supported)

  • Prime Infrastructure 2.0 no 'Add a WLAN' option

    Hello,
    I've started to play with PI 2.0 and I've noticed that there is no option to add a new WLAN.
    I am following manual:
    Step 1 Choose Configure > Controllers.
    Step 2 Click the IP address of the appropriate controller.
    Step 3 From the left sidebar menu, choose WLANs > WLAN Configuration.
    Step 4 From the Select a command drop-down list, choose Add a WLAN.
    but there is no 'Add a WLAN' option. The only ones I've got there are:
    Delete WLAN(s)
    Schedule status
    Mobility Anchors
    Foreign Controller Mappings
    Does anyone know how to get that option there?
    Thanks
    Tomasz

    Hi,
    you're right that this can only be done with the template but to create one I needed to go to:
    Design --> Feature Design
    and then under Templates:
    Features and Technologies --> Controller --> WLANs --> WLAN Configuration
    There I've created new template for WLAN and then deployed it to controllers.
    Maybe that's better way to do it, when you have many controllers.
    Thanks
    Tomasz

  • VMclients unable to get the IP address

    We have an anchor/foreign WLAN setup. The SSID is using L3 web auth security and is anchored to the anchor controller. The setup is working fine: clients get the web page from the anchor controller and an IP as expected. The issue is that VM clients in the network are not able to get an IP address.
    Documentation states that this is a Cisco limitation and that in order to overcome it we need to enable the Passive Client option on the SSID.
    Since we are using L3 security I am not able to enable the Passive Client option.
    Hence I need to configure an SSID with an L2 profile in the anchor/foreign setup (the IP range needs to come from the anchor's dynamic interface) so that the VMs get an IP. Please help me get this done.
    thanks in Advance
    Nishad

    Hi Nishad,
    See this post:
    https://supportforums.cisco.com/thread/329343
    https://supportforums.cisco.com/thread/2065405
    https://supportforums.cisco.com/thread/2087163
    Starting in 7.0.116.0, Cisco added support for non-Cisco WGBs with the passive client feature on a WLAN. This feature also applies to VMware and other virtual clients. It is available on the 2100, 2500 and 5500 WLCs, although it is not available on the 4400 series (WiSM/3750) due to architecture limitations.
    You can try enabling the passive client feature on your WLAN to see if this helps resolve the issue.
    Regards

  • CWA with guest controller?

    The existing environment has a dedicated guest controller. The principal would like to retain the guest controller in the DMZ and open ports for CWA to ISE inside the firewall. The question is on configuration of the wireless LAN. Should the foreign controller be configured for MAC auth? Obviously the anchor would need to be, but I'm not sure about the foreign.

    When you have anchor/foreign, the web auth traffic always goes to the anchor, so with CWA the traffic from the anchor to ISE will need to be permitted. Go through the following link; it may be of help.
    https://supportforums.cisco.com/docs/DOC-26442
