AP to WLC connectivity

Similar Messages

• WLC connect LDAP for Authentication, but could not connect to server

  Hi Everyone, I got a problem when I use WLC 5508 connect to LDAP for authentication, but no luck there, it's a simple config, but not easy to work on my job, I got the following messgae:
  Service Port - Not connected
  Distrubution port include:
       Management Interface - in AP Management VLAN - 30
       Student AP interface - in Student VLAN - 20
       Staff AP interface - in Staff VLAN - 10
  AD is in Staff VLAN - 10
  WLC LDAP Server setting
  Base DN:OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk
  User Attribute: sAMAccountName
  User Object Type: Person
  Debug aaa all enable message
  *LDAP DB Task 1: Jul 09 01:40:58.969: ldapInitAndBind [1] called lcapi_init (rc = 0 - Success)
  *LDAP DB Task 1: Jul 09 01:41:00.969: ldapInitAndBind [1] configured Method Anonymous lcapi_bind (rc = 1005 - LDAP bind failed)
  *LDAP DB Task 1: Jul 09 01:41:00.969: ldapClose [1] called lcapi_close (rc = 0 - Success)
  *LDAP DB Task 1: Jul 09 01:41:00.969: LDAP server 1 changed state to IDLE
  *LDAP DB Task 1: Jul 09 01:41:00.969: LDAP server 1 changed state to RETRY
  *LDAP DB Task 1: Jul 09 01:41:00.969: LDAP_OPT_REFERRALS = -1
  WLC GUI Log:
  *LDAP DB Task 1: Jul 09 02:56:13.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
  *LDAP DB Task 1: Jul 09 02:56:11.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
  *LDAP DB Task 1: Jul 09 02:56:09.045: %AAA-3-LDAP_CONNECT_SERVER_FAILED: ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
  LDP Message of LDAP BaseDN:
  Expanding base 'CN=Frankie F. Yeung,OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk'...
  Result <0>: (null)
  Matched DNs:
  Getting 1 entries:
  >> Dn: CN=Frankie F. Yeung,OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk
  4> objectClass: top; person; organizationalPerson; user;
  1> cn: Frankie F. Yeung;
  1> sn: Yeung;
  1> givenName: Frankie;
  1> initials: F;
  1> distinguishedName: CN=Frankie F. Yeung,OU=OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk;
  1> instanceType: 0x4 = ( IT_WRITE );
  1> whenCreated: 8/10/2011 10:28:14 China Standard Time China Standard Time;
  1> whenChanged: 8/10/2011 10:31:26 China Standard Time China Standard Time;
  1> displayName: Frankie F. Yeung;
  1> uSNCreated: 3850555;
  1> uSNChanged: 3850571;
  1> name: Frankie F. Yeung;
  1> objectGUID: 6ebfc7e9-6989-4f11-bae7-62c23af67edc;
  1> userAccountControl: 0x10200 = ( UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD );
  1> badPwdCount: 0;
  1> codePage: 0;
  1> countryCode: 0;
  1> badPasswordTime: 0;
  1> lastLogoff: 0;
  1> lastLogon: 0;
  1> pwdLastSet: <ldp error <0x0>: cannot format time field;
  1> primaryGroupID: 513;
  1> objectSid: S-1-5-21-3867848445-1581729766-1247451615-2172;
  1> accountExpires: <ldp error <0x0>: cannot format time field;
  1> logonCount: 0;
  1> sAMAccountName: fckyeung;
  1> sAMAccountType: 805306368;
  1> userPrincipalName: [email protected];
  1> objectCategory: CN=Person,CN=Schema,CN=Configuration,OU=wws_ou,DC=ww,DC=yc,DC=com,DC=hk;
  Hope I can resolve this problem ASAP, thanks!

  Your AD is in the Staff Vlan so maybe the WLC uses the Staff interface instead of management to contact the AD. I don't know how you sniffed exactly.
  The comment about eap methods you saw is when you use LDAP with dot1x security. It is the same as saying "You cannot do peap-mschapv2 or eap-fast-mschpv2 with LDAP".
  But you can do LDAP for web authentication, that has no eap methods.
  Your original problem was a binding problem from the WLC, so we can expect that the WLC really is sending traffic towards AD.

• CISCO WLC , connecting SSID with local net user

  Dears,
  Created Local Net User
  created SSID and Broadcasted, users can connect to SSID with PSK
  But not able to connect using Local net user created in WLC
  Edwin

  Hi,
  What kind of Layer 2 Security are you using on your SSID?
  You can't have both PSK and Local user database authentication on the same SSID.
  Best regards,
  Sebastian

• Cisco3750G WLC connection issue

  wireless connection drops quit frequently on random APs. We have reloaded the WLC and the router but it is still happening.
  Any ideas to why this is.

  How many APs do you have? Are they in the same subnet as the controller Management interface? There is a Cisco doc saying that you should not have more than 16 APs in this subnet... are your APs still connected to the controller? Which code do you use? What do you see in the controller logs?

• UTP to Fibber Media converters for WLC connection to a Catalyst fiber blade

  Hi Netpros,
  Just wondering whether any of you have used a media converter to connect the WLC to a catalyst fibber port ..? If so which model have you used ? I am looking at something like this
  http://www.omnitron-systems.com/downloads/datasheets/4370DS-C.pdf
  Your response is much appreciated

  Hi Fernando,
  This would work. Why don't you purchase a GLC-TX instead?

• WLC connection to Switches

  Hi,
  I have two installation with WLC 4402 to Cisco Switches 3750. The Connection is Fibre with GLC-SX and channeld. The Problem I have is, tha 10% of the Packets are underruns. Has anybody encounterred the same issue?
  I also have two other installaions with 4402 and 4404 and the connected switches are 6509 and there it is working with G-Bics and SFPs.
  Thanks for your help

  Hi Ankur,
  Here is the config snippet of te Port config.
  SH1-2OG-SWI01#sh run int Po 1
  Building configuration...
  Current configuration : 201 bytes
  interface Port-channel1
  description *** sh1-2og-wlc01 ***
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 4
  switchport trunk allowed vlan 4,20,29,31
  switchport mode trunk
  end
  SH1-2OG-SWI01#sh run int g1/0/1
  Building configuration...
  Current configuration : 233 bytes
  interface GigabitEthernet1/0/1
  description *** sh1-2og-wlc01 ***
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 4
  switchport trunk allowed vlan 4,20,29,31
  switchport mode trunk
  channel-group 1 mode on
  end
  SH1-2OG-SWI01#sh run int g1/0/2
  Building configuration...
  Current configuration : 233 bytes
  interface GigabitEthernet1/0/2
  description *** sh1-2og-wlc01 ***
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 4
  switchport trunk allowed vlan 4,20,29,31
  switchport mode trunk
  channel-group 1 mode on
  end
  SH1-2OG-SWI01#
  Thanks your reply
  regards
  ray

• How to change operational status of a WLC-connected AP?

  Hello everybody.
  I'm noticing two of my 30+ APs having the 802.11a radio with "Operational Status = DOWN". The Admin Status is ENABLED, but I don't know where to act to put the op. stat. UP!
  WLC is running 7.5.102.0, as well as the APs. The affected ones are 3502 models.
  Any help will be much appreciated.
  Thanks and regards,
  Flavio.

  Hello Sandeep.
  (Cisco Controller) >show sysinfo
  Manufacturer's Name.............................. Cisco Systems Inc.
  Product Name..................................... Cisco Controller
  Product Version.................................. 7.5.102.0
  Bootloader Version............................... 1.0.16
  Field Recovery Image Version..................... 7.0.112.21
  Firmware Version................................. FPGA 1.7, Env 1.8, USB console                                               2.2
  Build Type....................................... DATA + WPS
  System Name...................................... VXWLC1
  System Location.................................. Ibach, Serverraum 2
  System Contact...................................
  System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
  Redundancy Mode.................................. Disabled
  IP Address....................................... 172.30.0.100
  Last Reset....................................... Software reset
  System Up Time................................... 36 days 21 hrs 46 mins 1 secs
  System Timezone Location......................... (GMT +1:00) Amsterdam, Berlin,                                               Rome, Vienna
  System Stats Realtime Interval................... 5
  System Stats Normal Interval..................... 180
  Configured Country............................... Multiple Countries:CH,US
  Operating Environment............................ Commercial (0 to 40 C)
  --More-- or (q)uit
  Internal Temp Alarm Limits....................... 0 to 65 C
  Internal Temperature............................. +44 C
  External Temperature............................. +24 C
  Fan Status....................................... OK
  State of 802.11b Network......................... Enabled
  State of 802.11a Network......................... Enabled
  Number of WLANs.................................. 9
  Number of Active Clients......................... 144
  Burned-in MAC Address............................ 50:3D:E5:AE:92:A0
  Power Supply 1................................... Present, OK
  Power Supply 2................................... Present, OK
  Maximum number of APs supported.................. 37
  ap52#sh inv
  NAME: "AP3500", DESCR: "Cisco Aironet 3500 Series (IEEE 802.11n) Access Point"
  PID: AIR-CAP3502I-E-K9 , VID: V01, SN: FCZ1553W027

• Connectivity to WLC failed

  We have a WLC connected to a 6500 Switch, when tried to enable LAG the connectivity goes down, the switch can't ping the controller nor the controller to the switch, we check tha cables, the minigybics, we changed them for new ones,the status of the interfaces is UP UP, we tried revert the config, using LAG disabled and no success, i can't reach the management interface. with the service port i can connect to the controller.
  Thanks, Regards

  Make sure you have the management and ap-manager interface set to "0" untagged and also make sure the trunk ports are set to native vlan . Also make sure that the trunk port is set to channel-group X mode on.

• Connect an AP to a Guest Anchor WLC?

  We have two WLC 5508 and one foreign guest anchor WLC at the primary data center, also a 5508 box. I would like to connect an AP directly to the guest anchor WLC through its guest VLAN interface, so that the same configuration is applied to it as other APs connected to frontend WLCs connecting users.
  Would this work or should I create a separate interface on the guest anchor WLC to connect the local AP?
  Thanks
  Sankung

  Not a best practice but as long as your AP is just for guest traffic it would be fine. If your also want to have it like your other APs and have other SSID's, then I wouldn't do that since you have to pole holes in your firewall to allow traffic inside unless you do a reverse anchor to the foreign WLC. You might be better to just use FlexConnect and AP Groups and have the AP terminate to the foreign WLC, but I don't know your setup.
  Sent from Cisco Technical Support iPhone App

• Cann't connect to WLC 2504

  Good day.
  I have new installation of AIR-CT2504. I try to connect by console, but no response on terminal. (Use notebook+ USB -COM + console cable). When connect ethernet cable to 1st port of WLC and switch port(SF200) i see controller by CDP. At first, when I  see IP-address of WLC, connect notebook to it's port, and configure controller with Web-interface (maybe somthing incorrect). I change IP-address of management interface. WLC reboot, and now i cann't connect  to it anymore.
  By CDP I see new IP and native VLAN 0, but cann't ping it.
  How can I configure WLC now? Or what trouble with console?
  P.S. Sory for my bad english.

  Well the wireless equipment is different. If you console into the AP, does it work? If not, then double check your settings.
  Make sure of this. This can be different from the switches and routers.
  No hardware flow control
  Sent from Cisco Technical Support iPhone App

• Connecting WLC to 6509 Core ... Connectivity Issues

  Hi,
  I have all four ports of a 4404 WLC connected to a 6509 via fiber cables. However, I am not able to ping the WLC or see it.
  I have a couple questions about this ... First, if I want to do LAG it is necessary that all ports are active and plugged in, correct?
  Second, in the switch config, to my knowledge all ports should be trunk ports, however the customer has configured them as "switchport trunk encapsulation isl" instead of "switchport trunk encapsulation dot1q" ... does this matter? I have never used the isl command so I am really wondering if this is supported in the WLC?
  Any help would be greatly appreciated!
  Thanks!

  You can do it either way. I do not use Lag currently on my 4402 controllers, instead, I use two ap-managment interfaces.
  Yes, etherchannel reference = portchannel

• WLC Physical COnnection and security

  Currently our wireless environment inclued 1200ap and a wds. we have maxed our and want to upgrade to a more conrolled environment. I am suggesting and putting togather a diag. for 4404 wlc and the ap will work with the version 12.3.7 version. My question is about the physical design. Will all 4 ethernet port on the WLC connect to the switch? all on the same vlan as the AP's? also we are using eap-tls Want to migrate to eap-Fast does this require a foot print on the client laptop?

  The ports on the 4404 will trunk with the switch. You can put them in LAG mode which is the equivilent of ehterchannel. You will have to put the switch ports in trunk mode either way.
  You don't have to connect all 4 ports, but it is recommended for failover & maximum possible AP support. You will need assign the management interface on the 4404 (ap-management interface if operating Layer-3 mode) to a vlan/subnet that
  the APs will reside in. All other dynamic interfaces that you create on the controller to bind with wlans will reside in other vlans that get pushed thru the trunk links between the 4404 & the switch(s). be sure to prune out any vlans that you don't need or want to cross the trunk to the 4404. for lwapp APs assign the switch-ports that the APs connect to the same vlan as the management ports on 4404. Not sure about your 1200s. It will work if you trunk the interfaces to the APs as well, but that is more of a shotgun approach for lwapps APs. the last time I had to work with an autonomous AP, it was a stand alone unit and not combined with a WLC. That scenario required a trunk link.
  have you confirmed that you can convert your 1200s to lwapp mode?
  Correct me if I am wrong, but I believe you will need to place a cert on the client laptops for eap-tls. I did this a while back using XP & freeradius and got it to work, but it has been a while.

• Web authentication on WLC fails to redirect when we enter URL i browser

  I have a problem with a customer of mine. We have deployed two new WLC5508 running r7.0.116.0 and AP1142s, also WCS with r7.0.172. When we setup a "Guest Access" we ran into trouble .....
  The problem is that we can associate to the SSID/AP and get an ip-adress. When we open the web-browser we do not get redirected to the virtual interface but instead the _hostname_ of the WLC. Like this:
  https://cisco6a19c4/login.html?redirect=nyttintranet.sem10.se/
  I we manually replace "cisco6a19c4" with 1.1.1.1 it works as it should, the login page appears, we login and can access the internet.We have tested and disabled web-auth on the ssid an everything works, we can directly go out on the internet, DNS works without any problems.
  A little more info:
  2x WLC5508 runnnig r7.0.116.0 and APs are 1142
  WLCs connected to Cat4503 via LAG
  Guest network (VLAN) is transfered from WLC via the trunk to the Cat4503 and then connected on a access-port to a separate broadband-router, then to the inetrnet.
  DHCP to guest-users from separate broadband-router which is def gwy and "DNS".
  On the virtual interfaces no hostname is configured.
  ANY ideas??!?!?!???
  Best Regards
  Göran Blomqvist

  Ooop....  waddyaknow....  As it turned out, one of the WLC _did have_ a name configured under the virtual interface, of course it was NOT the one that "our" AP was associated with....
  That has now been corrected and the guest access is working as intended......
  (Oh, yes we tried  with 3 PCs and 2 smartphones when we discovered the 'malfunction'....)
  Thanx for the mental push Stefan!!
  Regards
  Göran

• Using ISE for guest access together with anchor controller WLC in DMZ

  Hi there,
  I setup a guest WLAN in our LAB environment. I have one internal WLC connection to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal which works fine.
  To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
  As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
  Does anyone know of a better solution for this ? Where to place the ISE for this scenario, etc ?
  Thx
  Frank

  So i ran into a similar scenario on a recent deployment:
  We had the following:
  WLC-A on private network (Inside)
  ISE Servers ISE01 and ISE02 (Inside)
  WLC-B Anchor in DMZ for Guest traffic (DMZ)
  ISE Server 3 (DMZ)
  ISE01 and ISE02 are used for 802.1X for the private network WLAN.
  Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
  The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth.  Since we want to do CWA, we use Mac Filtering with ISE as the radius server.  If you send this traffic RADIUS authentication for Mac Filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to.  Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails.  (This was a limitation of ISE 1.1.  Not sure if this persists in 1.2 or not.
  So what now?  In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentiction from the Foreign controller so that the client will use a DNS of https://ise03.mydomain.com/... to redirect the client to.  Once the session is authenticated, ISE03 will send a CoA back to the foreign which will remove the redirect for the session.  Note, you do have to allow ISE03 to send a CoA.
  In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node.

• WLC 2106 problem

  Hello,
  I have problem with new one WLC 2106 controller. I make this basic configuration (after reset):
  (Cisco Controller) >show interface summary
  Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
  ap-manager                       1    10       10.10.10.21     Static  Yes    No
  management                       1    10       10.10.10.20     Static  No     No
  virtual                          N/A  N/A      1.1.1.1         Static  No     No
  At this point, everything works OK. Controller is accesible via HTTPS, AP (one 1130) is connected too. But next I need create new WLAN and another interface VLAN - named ak-lan
  config interface create ak-lan
  config interface port ak-lan 1
  HTTPS acces is still working, but when I configure IP adress:
  config interface address dynamic-interface ak-lan 10.10.11.10 255.255.255.0 10.10.11.1
  HTTPS acces stops. In fact, it seem like HTTPS starts on new interface - it's accesible via 10.10.11.10, but (after certificate warning) shows only empty page (Page is not accesible..)
  I dont have an idea why. I tray downgrade software (originaly comes with 7.0.98.0) to 6.0.196.0, whitch I use on another same controller, but the behavior is the same. Now I use software 6.0.199.4. Again the same behavior.
  "show interface summary" says:
  (Cisco Controller) >show interface summary
  Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
  ak-lan                           1    11       10.10.11.10     Dynamic No     No
  ap-manager                       1    10       10.10.10.21     Static  Yes    No
  management                       1    10       10.10.10.20     Static  No     No
  virtual                          N/A  N/A      1.1.1.1         Static  No     No
  (Cisco Controller) >
  All interfaces (excluding virtual) matched to ping. All ïnterfaces have netmask 255.255.255.0.
  There was another strange thing - "show sysinfo" says that I use sw 6.0.199.4 and emergency is 7.0.98.0, but "show boot" says:
  (Cisco Controller) >show boot
  Primary Boot Image............................... 6.0.199.4 (active)
  Backup Boot Image................................ 6.0.196.0
  (Cisco Controller) >
  (Cisco Controller) >show sysinfo
  Manufacturer's Name.............................. Cisco Systems Inc.
  Product Name..................................... Cisco Controller
  Product Version.................................. 6.0.199.4
  RTOS Version..................................... 6.0.199.4
  Bootloader Version............................... 4.0.191.0
  Emergency Image Version.......................... 7.0.98.0
  Build Type....................................... DATA + WPS
  System Name...................................... ak-wlc
  System Location..................................
  System Contact...................................
  System ObjectID.................................. 1.3.6.1.4.1.9.1.828
  IP Address....................................... 10.10.10.20
  System Up Time................................... 0 days 0 hrs 46 mins 35 secs
  System Timezone Location.........................
  Configured Country............................... DE  - Germany
  Operating Environment............................ Commercial (0 to 40 C)
  Internal Temp Alarm Limits....................... 0 to 65 C
  Internal Temperature............................. +55 C
  State of 802.11b Network......................... Enabled
  State of 802.11a Network......................... Enabled
  Number of WLANs.................................. 0
  3rd Party Access Point Support................... Disabled
  Number of Active Clients......................... 0
  Burned-in MAC Address............................ E0:5F:B9:63:7B:00

  Switch is C2960, port Gi0/2:
  Gi0/2     T wlc              connected    trunk      a-full  a-100 10/100/1000BaseTX
  interface GigabitEthernet0/2
  description T wlc
  switchport trunk allowed vlan 10,11,100
  switchport mode trunk
  end
  VLANs are set properly. Router is ASA 5510, and routing is fine. Morever, interfaces on WLC is accesible via ping (I dot't try telnet or ssh).