AP1220B and WLC 4400

Will Aironet AP1220B (AIR-AP1220B-A-K9) be compatible with WLC4400 with an IOS upgrade? I looked through the notes and docs but couldn't figure out whether that particular model is supported to run under the Wireless LAN Controller. Or do I just have to upgrade to another model?
Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00804fc3dc.html
Lightweight Access Point FAQ
http://www.cisco.com/en/US/products/ps6306/products_qanda_item09186a00806a4da3.shtml

Hi Zwe,
You are going to need to upgrade to a different model :( Have a look;
For all Cisco IOS Software-based Aironet 1200 Series modular AP (1200/1220 Cisco IOS Software upgrade, 1210, and 1230 AP) platforms, the ability to convert the AP depends on the radio.
If the radio is IEEE 802.11g, MP21G and MP31G are supported.
If the radio is IEEE 802.11a, RM21A and RM22A are supported.
You can upgrade the 1200 Series APs with any combination of supported radios:
G only
A only
Both G and A
From this doc;
http://www.cisco.com/en/US/products/ps6306/products_qanda_item09186a00806a4da3.shtml
EOS/EOL for Cisco Aironet 802.11B-Based and First Gen. 802.11A-Based Prods
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_eol_notice0900aecd802ad911.html
Hope this helps!
Rob

Similar Messages

  • Wism's and WLC 4400 Controllers on V4.2.61.0

    Hi, I have multiple WiSMs in 6504 chassis and several 4400 WLC controllers, all on version 4.2.61.0 and all in the same mobility group, ten in total. Recently we have had to create multiple mobility groups. I've applied access point templates to specify which controller to connect to as a primary. For some unknown reason, after I created the separate mobility groups some devices go back to the original hosting controller even though it is now in a different mobility group and the wireless LAN ID for the AP is no longer on the blade/controller; the devices attached to the AP just probe.
    Can you please advise if there is anything I can do about this? I've tried pushing another template to the AP with its new controller, which reboots the AP, but it still goes back to the original host in the other mobility group.
    Kind Regards,
    Carl

    Hi Carl,
    Your LAPs join the wrong WLC even when you've configured the primary/secondary controllers' name OR IP address and you are using v4.2.61.0.  Is this correct?
    If so, then it's a well-known bug of the v4.x.  Unfortunately, the workaround is CLI.  It's unfortunate because you have to type the command on the WLC and specify the LAP.
    The command is:  config ap controller primary
    This bug has been fixed on the 5.X and 6.X firmware.
    Hope this helps.

  • WLC 4400 and multiple authentication servers e.g. RADIUS, ACS

    Can the WLC 4400 be set up to use multiple RADIUS servers? The user accounts for accessing wireless would use a RADIUS server. The administrative accounts for the WLC would reside on an ACS server.

    Yes, that is correct. You can set acs to use both radius and tacacs.
    For this you need to add WLC twice in acs-->network configuration. But you need to keep host name different.
    eg 1) Host name WLC --->IP x.x.x.x -->Auth using -->radius
    2) Host name WLC1--->IP x.x.x.x --->Auth using -->Tacacs.
    You need to set up tacacs commands on WLC along with radius commands.
    Regards,
    ~JG
    Please rate helpful posts

  • WLC 4400 and IDS attacks

    Hi,
    I have a WLC 4400 and a WCS 5.2. I'm receiving alarms about flood attacks and deauthentication attacks from a client. These alarms are detected by the IDS system. I'd like to know if there is any way to block this client.
    Thanks a lot.

    Thanks Sschmidt,
    I saw this solution. The problem is that I must create an entry for each client. If a client captures the WPA key and afterwards changes his MAC, I couldn't block them. Is that correct? I don't know how easy it is to capture authentication packets with a WLC.
    Thanks

  • WLC 4400 and WLC 5500

    We have a site with a WLC 4400 and we would like to set up a controller failover. The WLC 4400 is EOS/EOL and the replacement available is the WLC 5508. Can someone advise me on how to configure these units in Primary/Secondary mode so that if any of the controllers fails, the other one can take over?
    Thanks,

    Hi Akil,
    You are most welcome
    Yes, you can configure 4400's and 5500's in a redundant configuration, but both should be running the same code version. I believe the latest version that is compatible for both is 7.0.220.0. This is the last version that supports the 4400 series.
    Here's a note that reflects the support;
    Note
    Controllers  do not have to be of the same model to be a member of a mobility group.  Mobility groups can be comprised of any combination of controller  platforms.
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mobil.html
    Cheers!
    Rob
    "Show a little faith, there's magic in the night" - Springsteen

  • WLC 4400 Not authenticating between GUEST and Private networks

    Hello,
    I have a problem. I have a WLC 4400 and the problem I'm encountering is that when a user authenticates to the private network and then tries to authenticate to the Guest network, it just stays there; it doesn't do anything. The same the other way around: if you authenticate to the Guest network and change to the private network, it just sits there. I'm thinking that the problem is with authentication, but I'm not sure if I'm correct.
    Can anyone help me? What information will I need to retrieve from the WLC to see where the problem lies?
    I will get the debug mac addr <client-MAC-address           xx:xx:xx:xx:xx:xx> and repeat the issue in order to see if i get anything from the client.
    Thanks for the help
    Tony

    Thanks for the help.
    Actually the problem was that the WLC had the wrong time, and we also had a 24-hour lease on our DHCP, so we were running low on IPs.
    Changed the lease to 8 hours and set the time correctly, and the issue got solved.
    Thanks.

  • WLC 4400 4.2.176.0 Ver and Windows Vista

    We recently upgraded our WLC 4400s to 4.2.176.0. This was requested by Cisco. When the students returned from Christmas break, any student running Vista is able to authenticate to the AP, get an appropriate IP address and DNS configuration, but cannot get to any network resources, including Internet. If we hard code the DNS information in the wireless card TCP/IP Properties, the user can get to some Internet sites, but no HTTPS pages.
    All XP and MAC machines appear to be working fine.
    Any thoughts?

    The problem is that it's not deauthenticating the user, it's just dropping completely and disabling the Windows Zero Configuration in the services.  I do not know how or what in the WLC would do this?  I really don't think this is anything that I can control.  I am guessing that there is an internal conflict on the PC.  I have been told that the image used to image the machine has had the manufacturer's wireless client utility removed.  I did find a DW Utility in the services list.  I think that is my problem.  I did however go ahead and upgrade them to 5.2.193.  All I can do is have the customer monitor and see what happens.  Will post an update when I get one.

  • WLC 4400 and IDS/IPS

    One of my clients is keen to know the IDS/IPS capabilities with WLC 4400. Any hints? Also can anyone explain IDS sensor to me? Thank you.

    There are a number of IDS capabilities that are highlighted regarding the WLC. Unfortunately, you will find that the product continues to suffer from ongoing false positives and a severe lack of documentation (and support) for the IDS.
    For example, if you utilize containment against a rogue AP (which is used to prevent users from attaching to the rogue), the system detects its own containment messages as a denial of service attack. The system is not intelligent enough to know that it is the source of these messages and ignore them.
    Initially, Cisco flagged these false positives as "cosmetic" and claimed that to fix them required a "feature request that must be run through the Cisco sales team", which we did in the spring of 07. Cisco has been VERY slow in coming around on getting these fixed (it has been well over a year since these have been documented and they are still not resolved in the current version of 4.2).
    The Wireless IDS system is also famous for other false alarms which Cisco TAC has linked to alarming on normal behavior when a client goes out of range and a string of deauthentication messages is sent to make sure that the conversation has ended. The WLC 4.2 continues to flag these as false-positive denial-of-service attacks even though the IDS parameters could be adjusted (from the factory) to account for the known 64 repeated deauths that are sent.
    The IDS file is capable of "tuning" but the parameters are very lightly documented. In fact, the IDS parameter file itself had the least sparse version of documentation and it is a text file only 200-lines long.
    In terms of determining if a rogue AP is on-wire, this functionality does not work reliably (not just if there is no path on the wired network to the controller, which is understandable) but even if the rogue AP is on the same subnet as the controller. It just plain does not work.
    If you are attempting to determine if there are clients on the rogue AP, this mechanism works with limited success since the AP has to catch the client attaching during its brief scan interval. This results in misleading information.
    There are other false alarms that appear to be related to a specific chipset (using the OUI / first octet of the MAC address). However, there has been very little movement on Cisco's part in getting resolution to getting these anomalies addressed. The basic attitude has been "if we didn't see it in our lab in San Jose when we wrote the code, there's nothing we can do". Since the IDS lacks any ability to "phone home" (sending the alarms it is seeing to the development team) they end up having to develop in a relatively limited environment.
    For more information, please reference the following:
    Wireless LAN Controller IDS Signature Parameters
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008063e5d0.shtml
    I would send you the link to some of the bugs, such as CSCsj06015, CSCsh35010, CSCsk60655, etc. but the Cisco bug tool ( http://tools.cisco.com/Support/BugToolKit/ ) is currently not working (no doubt the system is getting overworked). Maybe the site will be up when you read this.
    In the interest of fairness, there have been efforts over the past year by Cisco to address these false alarms and a number of them appear to finally be resolved.
    Bottom line: In my opinion, the wireless IDS is still not ready for prime time. To quote my customer, "I just can't trust it". Unless you set your customer's expectations fairly low, you will both end up disappointed.
    That said, the product itself still has many compelling reasons to implement it including ease of installation and management. If you are willing to wade through the various bugs in the IDS and WCS it still is the best game in town.
    - John
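The two false-positive sources described in the post above (the system's own rogue-containment frames, and the string of deauthentications sent when a client goes out of range) can be filtered out before a deauthentication-flood alarm is raised. This is an added example, not Cisco's IDS logic and not code from the thread; the event layout, the `contained_bssids` input, the 10-second window and the sample MAC addresses are assumptions, and the only figure taken from the post is the 64 repeated deauths.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

NORMAL_DEAUTH_BURST = 64  # figure quoted in the post for a client going out of range
WINDOW_SECONDS = 10.0     # assumed sliding-window length


@dataclass(frozen=True)
class Deauth:
    ts: float   # capture time in seconds
    src: str    # transmitter address as seen on air
    dst: str    # receiver address


def classify_deauths(events, contained_bssids,
                     window=WINDOW_SECONDS, burst=NORMAL_DEAUTH_BURST):
    """Return {src: (verdict, peak)} for every transmitter seen.

    peak is the largest number of deauths one transmitter sent to one
    receiver inside any sliding window.
    contained_bssids is an assumed input: the rogue BSSIDs the operator has
    placed under containment. Containment frames are sent in the rogue's
    name, so they show up with the rogue BSSID as transmitter.
    """
    contained = {mac.lower() for mac in contained_bssids}
    recent = defaultdict(deque)  # (src, dst) -> timestamps still in the window
    peak = defaultdict(int)      # src -> highest per-receiver count observed

    for ev in sorted(events, key=lambda e: e.ts):
        src, dst = ev.src.lower(), ev.dst.lower()
        stamps = recent[(src, dst)]
        stamps.append(ev.ts)
        # Drop frames that have aged out of the window.
        while stamps and ev.ts - stamps[0] > window:
            stamps.popleft()
        peak[src] = max(peak[src], len(stamps))

    verdicts = {}
    for src, count in peak.items():
        if src in contained:
            # The system's own containment traffic: report, do not alarm.
            verdicts[src] = ("own-containment", count)
        elif count > burst:
            # More than one normal disconnect burst to one receiver.
            verdicts[src] = ("flood", count)
        else:
            verdicts[src] = ("normal-disconnect", count)
    return verdicts


def _burst(src, dst, count, start, spacing):
    """Build `count` constructed deauth events, `spacing` seconds apart."""
    return [Deauth(start + i * spacing, src, dst) for i in range(count)]


# Constructed sample data (documentation-range MAC addresses, not from the thread).
AP = "00:00:5E:00:53:01"
UNKNOWN = "00:00:5E:00:53:66"
ROGUE = "00:00:5E:00:53:99"
CLIENT_A = "00:00:5E:00:53:A1"
CLIENT_B = "00:00:5E:00:53:B2"
CLIENT_C = "00:00:5E:00:53:C3"

CONTAINED = {ROGUE}
SAMPLE_EVENTS = (
    _burst(AP, CLIENT_A, 64, 0.0, 0.01)         # client leaves: one 64-frame burst
    + _burst(AP, CLIENT_A, 64, 60.0, 0.01)      # same client leaves again a minute later
    + _burst(UNKNOWN, CLIENT_B, 300, 5.0, 0.02)  # sustained stream at one client
    + _burst(ROGUE, CLIENT_C, 500, 20.0, 0.01)   # containment of a listed rogue
)

if __name__ == "__main__":
    for mac, (verdict, count) in classify_deauths(SAMPLE_EVENTS, CONTAINED).items():
        print(f"{mac}  {verdict:18s} peak={count}")
```

Anything classified as `own-containment` is still worth logging, since the allowlist hides any other transmitter using the same BSSID.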

  • WLC 4400 (SW ver: 7.0.235.3) and 1242 AP connectivity issue

    Hi ALL..,
    I have a problem with the WLC and APs: the APs cannot get an IP and can't connect to the WLC. It shows the following error:
    *Oct 24 14:45:27.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.2.11 peer_port: 5246
    *Oct 24 14:45:28.000: %CAPWAP-5-CHANGED: CAPWAP changed state to 
    *Oct 24 14:45:29.419: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.2.11 peer_port: 5246
    *Oct 24 14:45:29.420: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.2.11
    *Oct 24 14:45:29.420: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Oct 24 14:45:29.595: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *Oct 24 14:45:29.602: %DTLS-5-ALERT: Received WARNING : Close notify alert from 192.168.2.11
    *Oct 24 14:45:29.602: %DTLS-5-PEER_DISCONNECT: Peer 192.168.2.11 has closed connection.
    *Oct 24 14:45:29.602: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.2.11:5246
    *Oct 24 14:45:29.661: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Oct 24 14:45:29.661: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Oct 24 14:45:29.756:  status of voice_diag_test from WLC is false
    My Management Int IP : 192.168.2.50
    AP Management interface : 192.168.2.11
    DHCP server Pri : 192.168.2.12 Sec 192.168.2.13
    There is reachability between the SW and the WLC. Do you have any idea about my issue?
    Thanks and Regards
    CSCO11872447

    It seems your LAP is not getting an IP from the management subnet and the LAP is in a different subnet than your management IP.
    Please try setting a static IP on the LAP and joining it to the controller first, and later on move it back to DHCP.
    When the AP is plugged into a switch, the switch port needs to be an access port with the right VLAN allowed.

  • Troubleshoot Cisco Airlap 1242 with WLC 4400 Series LWAPP_CLIENT_ERROR_DEBUG: spamHandleCfgReqTimer: Did not recieve the Config response

    I have a Problem with my new AIRLAP 1242 to connect with WLC 4400
    after debug in my airlap it shows :
    Reset done!
    ethernet link up, 100 mbps, full-duplex
    Ethernet port 0 initialized: link is up
    Loading "flash:/c1240-k9w8-mx.123-7.JX8/c1240-k9w8-mx.123-7.JX8"...######################################################################################################################################################################################################################################
    File "flash:/c1240-k9w8-mx.123-7.JX8/c1240-k9w8-mx.123-7.JX8" uncompressed and installed, entry point: 0x3000
    executing...
                  Restricted Rights Legend
    Use, duplication, or disclosure by the Government is
    subject to restrictions as set forth in subparagraph
    (c) of the Commercial Computer Software - Restricted
    Rights clause at FAR sec. 52.227-19 and subparagraph
    (c) (1) (ii) of the Rights in Technical Data and Computer
    Software clause at DFARS sec. 252.227-7013.
               cisco Systems, Inc.
               170 West Tasman Drive
               San Jose, California 95134-1706
    Cisco IOS Software, C1240 Software (C1240-K9W8-M), Version 12.3(7)JX8, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2007 by Cisco Systems, Inc.
    Compiled Mon 19-Mar-07 01:42 by hqluong
    Image text-base: 0x00003000, data-base: 0x004051E0
    Initializing flashfs...
    flashfs[1]: 9 files, 3 directories
    flashfs[1]: 0 orphaned files, 0 orphaned directories
    flashfs[1]: Total bytes: 15998976
    flashfs[1]: Bytes used: 5062144
    flashfs[1]: Bytes available: 10936832
    flashfs[1]: flashfs fsck took 4 seconds.
    flashfs[1]: Initialization complete....done Initializing flashfs.
    cisco AIR-LAP1242AG-E-K9   (PowerPCElvis) processor (revision A0) with 24566K/8192K bytes of memory.
    Processor board ID FCW1411U0FZ
    PowerPCElvis CPU at 266Mhz, revision number 0x0950
    Last reset from power-on
    1 FastEthernet interface
    2 802.11 Radio(s)
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 68:EF:BD:5F:9A:18
    Part Number                          : 73-10256-07
    PCA Assembly Number                  : 800-26918-06
    PCA Revision Number                  : A0
    PCB Serial Number                    : FOC14093XU3
    Top Assembly Part Number             : 800-29152-03
    Top Assembly Serial Number           : FCW1411U0FZ
    Top Revision Number                  : A0
    Product/Model Number                 : AIR-LAP1242AG-E-K9
    Press RETURN to get started!
    *Mar  1 00:00:05.608: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
    *Mar  1 00:00:06.858: %DOT11-2-VERSION_INVALID: Interface Dot11Radio0, unable to find required radio version 581.18
    *Mar  1 00:00:06.858: Interface Dot11Radio0, Accepting as a test version of radio firmware
    *Mar  1 00:00:06.878: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
    *Mar  1 00:00:07.234: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Mar  1 00:00:08.212: %DOT11-2-VERSION_INVALID: Interface Dot11Radio1, unable to find required radio version 581.18
    *Mar  1 00:00:08.212: Interface Dot11Radio1, Accepting as a test version of radio firmware
    *Mar  1 00:00:08.232: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1
    *Mar  1 00:00:09.278: %SYS-6-LOGGERSTART: Logger process started
    *Mar  1 00:00:09.326: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, C1240 Software (C1240-K9W8-M), Version 12.3(7)JX8, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2007 by Cisco Systems, Inc.
    Compiled Mon 19-Mar-07 01:42 by hqluong
    *Mar  1 00:00:09.332: %CDP_PD-4-POWER_OK: Full power - AC_ADAPTOR inline power source
    *Mar  1 00:00:09.388: %DOT11-6-FREQ_SCAN: Interface Dot11Radio0, Scanning frequencies for 32 seconds
    *Mar  1 00:00:10.271: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
    *Mar  1 00:00:10.332: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *Mar  1 00:00:10.332: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Mar  1 00:00:11.271: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
    *Mar  1 00:00:28.331: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY
    *Mar  1 00:00:28.361: %DOT11-6-FREQ_USED: Interface Dot11Radio0, frequency 2462 selected
    *Mar  1 00:00:28.362: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
    *Mar  1 00:00:28.363: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Mar  1 00:00:28.369: %DOT11-6-FREQ_USED: Interface Dot11Radio1, frequency 5260 selected
    *Mar  1 00:00:28.372: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Mar  1 00:00:28.398: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar  1 00:00:28.399: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Mar  1 00:00:28.465: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Mar  1 00:00:29.398: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Mar  1 00:00:29.465: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    Translating "CISCO-LWAPP-CONTROLLER.ekahospital.com"...domain server (202.134.0.155)
    *Mar  1 00:00:38.351: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned DHCP address 172.31.xxx.xxx, mask 255.255.255.0, hostname AP68ef.bd5f.9a18
    *Mar  1 00:00:38.820: %DOT11-6-FREQ_USED: Interface Dot11Radio0, frequency 2417 selected
    *Mar  1 00:00:38.827: %DOT11-6-FREQ_USED: Interface Dot11Radio1, frequency 5200 selected (203.130.196.5)
    *Mar  1 00:00:49.835: %DOT11-6-FREQ_USED: Interface Dot11Radio0, frequency 2422 selected
    *Mar  1 00:00:49.842: %DOT11-6-FREQ_USED: Interface Dot11Radio1, frequency 5220 selected
    *Mar  1 00:00:49.851: %LWAPP-5-CHANGED: LWAPP changed state to JOIN
    *Mar  1 00:00:49.852: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Mar  1 00:00:49.852: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
    *Mar  1 00:00:50.852: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Mar  1 00:00:50.852: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *Sep 18 07:02:25.504: %LWAPP-5-CHANGED: LWAPP changed state to CFG
    *Sep 18 07:02:29.288: LWAPP_CLIENT_ERROR: lwapp_name_lookup - Could Not resolve CISCO-LWAPP-CONTROLLER.MYDOMAIN.com
    *Sep 18 07:02:30.504: LWAPP_CLIENT_ERROR_DEBUG: spamHandleCfgReqTimer: Did not recieve the Config response
    *Sep 18 07:02:30.551: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: DID NOT GET CONFIG RESPONSE.
    *Sep 18 07:02:30.551: %LWAPP-5-CHANGED: LWAPP changed state to DOWN
    Xmodem file system is available.
    flashfs[0]: 9 files, 3 directories
    flashfs[0]: 0 orphaned files, 0 orphaned directories
    flashfs[0]: Total bytes: 15998976
    flashfs[0]: Bytes used: 5062144
    flashfs[0]: Bytes available: 10936832
    flashfs[0]: flashfs fsck took 26 seconds.
    Base ethernet MAC Address: 68:ef:bd:5f:9a:18
    Initializing ethernet port 0...
    Reset ethernet port 0...
    Reset done!
    and after that i check in my WLC that shows
    AP with Base Radio MAC xx:xx:xx:xx:xx:xx (APxxxx.xxxx.xxxx) is unable to associate.
    The reulatory domain configured on it '-e' does not match the controller's country
    code: USA
    I found that the problem is about the region.
    Questions:
    1. Is it possible to change the region in the AIRLAP 1242 or in the WLC?
    2. If possible, how do I change it?
    INFO :
    my first AIRLAP Product/Model Number : AIR-LAP1242AG-A-K9 and my new AIRLAP Product/Model Number : AIR-LAP1242AG-E-K9

    WLC GUI >> Wireless >> Country >> Select the country.
    Regards
    Surendra

  • Wired guest access on WLC 4400 with SW 7.0.240.0

    Hello,
    After we upgraded our WLAN controller 4400 from software 7.0.116.0 to 7.0.240.0,
    wired guest access doesn't work anymore.
    All other things work fine, incl. WLAN guest access!
    When we try wired guest access, we get the web-authentication page and can log in.
    On the controller we can see that the Policy Manager State changes from WEBAUTH_REQD
    to RUN.
    But then there is no access to the internet.
    We tried also SW 7.0.250.0, same problem!
    Log Analysis on the WCS:
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :The WLAN to which client is connecting does not require 802 1x authentication.
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client does not have an IP address yet.
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client L3 authentication is required
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client Moved to DHCP Required State.
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Mobility role update request. from Unassociated to Local Peer = 0.0.0.0, Old Anchor = 0.0.0.0, New Anchor = 10.101.200.11
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Mobility role changed. State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :DHCP successful.
    Time :03/12/2014 14:21:26 MEZ Severity :ERROR Controller IP :10.101.200.11 Message :Client got an IP address successfully and the WLAN requires Web Auth or Web Auth pass through.
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client IP address is assigned.
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Webauth user logged in to the network. manni
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :AAA response message sent.
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client has completed Web Auth successfully.
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client has completed Web Auth successfully.
    Trying http://www.google.de .... doesnt work. No Log Entries. Next entries while logging out.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Web auth is being triggered again.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client L2 authentication has been completed successfully.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client Moved to DHCP Required State.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :WebAuth user Logged out from network.
    Does anyone have an idea how to solve this problem?
    Regards
    Manfred

    Hi
    Yes, got it resolved. It turns out that the connection from the wired guest access port to the WLC must be L2. That is, the switch that the wired guest access port and the WLC are connected to must be L2 only. We were using a single switch to do the testing and it was also doing the routing for the test LAN. Even though there was no L3 VLAN interface configured for the VLAN that the guest access port was on, for some reason this breaks it. Absolu Didn't have a chance to work out the exact limitations of this, as we simply made the switch L2 only, configured an 802.1Q trunk to the Internet router and made subinterfaces on the router for the wired and wireless egress ports, and it worked then. No config change was needed on the WLC at all.
    The only thing I can think of is that it's something about the way the WLC joins the wired guest access ingress VLAN and egress VLAN. The WLC isn't a real router; it says so in the documentation. I think the packet coming from the wired access port is being bridged to the egress VLAN, not routed, and this is what screws it up (remember, with a router the source and destination MAC addresses would be changed; with a bridge they aren't). Got to be something along those lines. If you have a bigger network with a guest anchor WLC handling this function you don't run into this, as the traffic is coming over an EoIP tunnel from the remote WLC, so the switch with the guest anchor WLC doesn't see the MAC address of the wired guest PC.

  • ISE WLC 4400 configuration

    Up until now, my experience has been with 5500 controllers and ISE.
    My customer is using 4400 controller, on 7.0.240 code.
    I cannot locate any documents referencing 4400 controller configuration for webauth, named ACLs, posturing, etc...
    Does anyone know of any documents, or have experience that can assist with this configuration?

    Michael,
    Depending on the version of ISE software you are running, you may be in luck.  The information below is for 1.1.x.  If you are using v 1.2, you may have to tweak a bit.
    In this first document, you can see the WLC 4400 is supported and Local Web Auth is supported, with the following caveat:  “Wireless (An ISE Inline Posture node is required if the WLC does not support CoA as discussed in Footnote #4. WLCs with the code specified in this table do support CoA without an ISE Inline Posture node)”
    http://www.cisco.com/en/US/docs/security/ise/1.1/compatibility/ise_sdt.html#wp55038
    Of course, with an IPN, your posturing  (and CoA) is handled here.
    DACLs are also supported on the WLC 4400.
    Per User ACLs are covered in the following document:
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808b041e.shtml
    I think you will find that if you substitute the ACS pages with the corresponding ISE interface pages, this can be done.
    Please feel free to ask any additional or follow-up questions.
    Also, please let me know if this fixes your issue.  If it does, please rate this answer and mark your question as Answered.
    Charles Moreton

  • WLC 4400 : some of the clients are stuck in 802.1x REQD ( Auth - no but status is Associated ) in PEM process

    Hi ,
    I have wlc 4400 with 1010 AP's wireless set-up.
    Everything is working fine but unfortunately , I am coming across with one issue that, clients are not getting authenticated.
    If I see the status of respective client  in WLC :
    status : Associated
    Auth : No
    Policy manager : 802.1X REQD
    I read about PEM ( Policy enforcement Module ) , as it is going through same procedure but policy manager should in " RUN " condition , Unfortunately it is not.
    how do i resolve this issue ?

    Hi Vinod,
    The 802.1X_REQD state would suggest that the client cannot complete L2 authentication.
    If possible, it would be helpful to collect the following debugs from the WLC while trying to connect the client:
    debug client
    debug aaa event enable
    Also, please attach the full text output of the command "show run-config" and let us know the WLAN through which the client should be connecting.
    Regards,
    Fede
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Move AP from WLC 4400 to 2500

    I have wlc 4400 running on 6.0.196.0, get new wlc 2500 with 7.0.220.0, on 4400, 12 AP only one will register onto 2500.
    Both 4400 and 2500 on the same subnet. how to let AP register on 2500 rather than 4400
    AP model:
    on 4400 now:  AIR-AP1242AG-A-K9, AIR-LAP1242AG-A-K9, AIR-LAP1142N-A-K9
    on 2500 is AIR-LAP1242AG-A-K9

    on 4400
    (Cisco Controller) >show interface summary
    Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
    ap-manager                       1    untagged 10.10.1.23      Static  Yes    No  
    management                       1    untagged 10.10.1.22      Static  No     No  
    service-port                     N/A  N/A      10.1.1.10       Static  No     No  
    virtual                          N/A  N/A      1.1.1.1         Static  No     No  
    on 2500
    (Cisco Controller) >show interface summary
    Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
    m2                               2    10       10.10.1.92      Dynamic Yes    No  
    m3                               3    10       10.10.1.93      Dynamic Yes    No  
    m4                               4    10       10.10.1.94      Dynamic Yes    No  
    management                       1    10       10.10.1.90      Static  Yes    No  
    virtual                          N/A  N/A      1.1.1.1         Static  No     No 

  • How to disable Password Recovery in WLC 4400

    Hi All,
    I need your help to disable password recovery for the WLC 4400, in case the hardware is stolen or hacked by an internal hacker.
    Thanks in advance for your help,
    Ahmed

    Gee whiz.  This is the second post you've made in regards to disabling the password-recovery mechanism.  For the WLC, I agree with Nic, it's not possible.   And, for the record, there are ways to bypass a disable-password-recovery mechanism.  This is mainly to prevent unauthorized use of this mechanism by, for example, a disgruntled network administrator shutting down a network.
