Called-Station-ID attribute and Cisco WLC code 7.4

Hello
I have 2 WLCs configured with 2 SSIDs (one is [WPA2][Auth(802.1X)] and the other is Web-Auth). One of the WLCs is remote and its WLANs are configured with mobility anchors pointing to the other WLC. Both WLCs are configured with Called-Station-ID set to AP Mac Address:SSID. I use this attribute on ACS to authenticate/authorize users based on what SSID they connect to.
This worked fine on WLC code 7.0 but on upgrading to 7.4 I started having some issues:
clients on the remote WLC can still authenticate on the [WPA2][Auth(802.1X)] SSID as the Called-Station-ID attribute is still AP Mac Address:SSID
clients on the remote WLC cannot authenticate on the Web-Auth SSID as the Called-Station-ID attribute now appears to be the Mac Address of the WLC anchor controller
WLC models are 5508 and current code is 7.4.110.0 (APs are AIR-LAP1142N-E-K9). Can anyone tell me why I'm seeing this behaviour on the Web-Auth SSID on the remote WLC?
Thanks
Andy

Since you have two AAA devices that are sending info, you can have your policy for the guest specifying the guest WLC. The SSID policy for the foreign WLC is only really needed if you have multiple 802.1x authentications from the foreign WLC, and that's when you can use the regex to define the SSID per AD Group.
Look at a successful authentication from one of the guest users. Look at the detailed log and then in that log, you will see all the attributes being sent that the radius can send back to the WLC. You can use any of those attributes in your policies.
Called-Station-ID might not be sent like what you're used to, because the foreign WLC has the access point the guest user associates to and tunnels it back to the anchor WLC. So this attribute might not be available. Things do change with code versions so you might just have to adjust your policies. I haven't played around with 7.0.x code with guest anchor and radius in a while, but I have in the past upgraded radius or the WLC and had to tweak my radius policies.

Similar Messages

  • Bonjour Discovery browser and cisco WLC mDNS

    Hello
    I'm using a Bonjour Discovery browser on an iPad to see if I can check what Bonjour services are available on a cisco 2504 running code 7.5.102.0. WLC is configured as per cisco documentation for mdns:
    Multicast disabled on WLC
    wired vlan (with bonjour services) is trunked to WLC
    mdns profile configured and bonjour services are visible on WLC
    mdns profile applied to WLAN
    when i connect an ipad to the wlan and start the browser, no services appear (2 are visible on the WLC). Debug on the WLC shows the following (where XX:XX:XX:XX:XX:XX is the iPad mac)
    *Bonjour_Msg_Task: Nov 04 10:51:06.674: XX:XX:XX:XX:XX:XX Failed to updated data to Service Provider DB
    *Bonjour_Msg_Task: Nov 04 10:51:12.798: processBonjourPacket : 935 Queried service-string : _dns-sd._udp.local. is not configured in MSAL-DB
    Is it possible to get Bonjour Discovery browser working with cisco WLC?
    thanks
    andy

    I have used Avahi when I have had deployments that were FlexConnect and the site had multiple subnets for Apple TV's and or the devices that would be using the Apple TV, printers, etc.  Avahi is free and my customers would spin this up on an available PC or laptop and connect it to the network.
    mDNS AP
    1. This feature enhancement allow controllers to have the visibility of wired service providers which are on VLANs that are not visible to the controller.
    2. User configuration is required to configure APs as mDNS AP. This configuration allows AP to forward mDNS packets to WLC.
    3. VLAN's visibility at WLC is achieved by APs forwarding the mDNS advertisements to controllers. The mDNS packet between AP and controller are forwarded in CAPWAP data tunnel similar to mDNS packets from wireless client.
    4. APs can either be in access or trunk mode to learn the mDNS packets from wired side and forward it to the controller.
    5. This configuration also allows the user to specify the VLANs from which the AP should snoop the mDNS advertisements from wired side. The maximum number of VLANs that AP can snoop is 10.
    6. If the AP is in access mode, the user should NOT configure any VLANs for AP to snoop.
    AP will send untagged packets when a query is to be sent. When an mDNS advertisement is received by mDNS AP, VLAN information is not passed to the controller. Hence the service provider's VLAN, learnt via mDNS AP's access VLAN will be maintained as 0 in the controller.
    7. If the AP is in trunk mode, then the user has to configure the VLAN on the controller on which AP would snoop & forward the mDNS packets. The native VLAN snooping is enabled by default when mDNS AP is enabled. AP will send VLAN information as 0 for packets snooped on native VLAN.
    8. This feature is supported on local and monitor mode AP, and not on Flexconnect mode APs.
    9. If a mDNS AP joins/resets (or) joins the same/another controller, the behavior is as follows:
    a. If global snooping is disabled on the controller, then a payload will be sent to AP to disable mDNS snooping.
    b. If global snooping is enabled on the controller, then configuration of the AP previous to reset/join procedure will be retained.
    Thanks,
    Scott
    *****Help out other by using the rating system and marking answered questions as "Answered"*****

  • Cisco Call Manager 5.1 and Cisco VoIP Gateways

    Hi,
    I have Cisco Call Manager 5.1 with Cisco 2800 series routers as a ISDN gateways and Cisco VG224/ATA 186 as POTS gateways. While Cisco Call Manager collects call statistics from 7900 series SCCP handsets managed by the Call Manager (number of VoIP packets, dropped frames etc.), it shows only one side of the call as it does not collect statistics from the Cisco routers (configured as H.323 gateways), the Cisco VG224 (with ports configured as H.323 gateways and as a SCCP devices) and Cisco ATA 186 (configured for SCCP).
    Is the collection of these statistics possible? What needs to be done?
    Thanks,
    Paul

    Update: Logging of QoS/Call Management Records (CMR) to Call Manager CDR database is not possible with H.323 gateways; only MGCP gateways:
    http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_qanda_item09186a008020650a.shtml#qa4
    Anyone know how to get the Cisco router gateway to log these statistics anyway using standard router logging mechanisms (e.g. syslog)?
    Anyone know about calls to SCCP ports on Cisco VG224 or ATA 186?
    Thanks,
    Paul

  • Tablets and Cisco WLC Web Authentication

    Hi my name is Ivan
    I have a question:
    I would like to know which tablets support Web Authentication in Cisco WLC.
    Android, Samsung, others?
    And which are the requirements of the tablet to use this way of authentication?
    Regards
    Ivan

    Any device that has a browser which can generate HTTP(s) traffic utilizing a browser can use WLC Web Auth. If your question is regarding being presented "automatically" with the captive portal, I have seen this can be dependent on OS. From my reading about Droids (not hands on experience) the Android devices don't provide a captive portal query that would "automatically" bring up the WebAuth page when connected to an open network using L3 WebAuth security, but you then open your browser and try to hit any web page and you're fine. Apple IOS can handle this automatically (in most cases).
    As long as the device can connect to the WLAN in question, open a browser, then try to navigate to some URL, it should work fine.

  • BILLING SETUP WITH NOMADIX AND CISCO WLC

    Hi, I need to implement a Cisco wireless controller along with a Nomadix box for bandwidth control and billing in a hotel. Has anybody implemented the same?
    What is the topology in this case? Necessary config on WLC?

    Refer the post: https://supportforums.cisco.com/discussion/11431756/wlc-and-nomadix
    https://supportforums.cisco.com/discussion/11601111/guest-ssid-redirect-nomadix-box

  • RADIUS packet-id not incrementing, called-station-id missing

    I am running v1.3.5.58 on an SG300-20.  I am attempting to use a Network Access Control (NAC) solution, which involves a RADIUS proxy.  It is getting confused by two odd behaviors of the SG300 when attempting EAP-PEAP-MSCHAPv2 authentication. 
    1. The SG300 does not properly increment the "Packet Identifier" bits as it progresses through the RADIUS negotiation.  The packet identifier is always 0x00.
    2. The SG300 does not properly set the "Called-Station-ID" Attribute-Value-Pair (AVP).  Instead, it is left blank.
    Although freeradius is able to find a way around these problems, the NAC RADIUS proxy cannot. Have I done something in the config to cause this to happen (see below)? Is this a known bug? Does it have a workaround? Will our hero defeat the villain and save the day? ;-)
    config-file-header
    ausoff-sw-test1
    v1.3.5.58 / R750_NIK_1_35_647_358
    CLI v1.0
    set system mode switch
    file SSD indicator encrypted
    ssd-control-start
    ssd config
    ssd file passphrase control unrestricted
    no ssd file integrity control
    ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
    spanning-tree priority 40960
    port jumbo-frame
    vlan database
    vlan 2-3,12,14,16,99,600,1000,1010
    exit
    voice vlan id 1010
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    dot1x system-auth-control
    dot1x traps authentication failure 802.1x
    dot1x traps authentication success 802.1x
    hostname ausoff-sw-test1
    line console
    exec-timeout 30
    exit
    line ssh
    exec-timeout 30
    exit
    line telnet
    exec-timeout 30
    exit
    encrypted radius-server key C1TbrSasKDSDdUoOG2XrohFMsM5tVmu+3QyTwkiVKMI=
    encrypted radius-server host 172.18.14.114 key C1TbrSasKDSDdUoOG2XrohFMsM5tVmu+3QyTwkiVKMI= priority 1 usage dot1.x
    radius-server host 172.18.58.58 usage dot1.x
    radius-server timeout 10
    logging host 172.18.58.50
    aaa accounting dot1x start-stop group radius
    enable password level 15 encrypted
    username nac password encrypted *** privilege 15
    username admin password encrypted *** privilege 15
    username cisco password encrypted *** privilege 15
    username readonly password encrypted ***
    ip ssh server
    ip ssh password-auth
    snmp-server server
    snmp-server engineID local 800000090308cc68423f4d
    snmp-server location "***"
    snmp-server contact "***"
    snmp-server community *** rw 172.18.58.58 view DefaultSuper
    snmp-server community *** rw 172.18.14.105 view DefaultSuper
    snmp-server host 172.18.58.58 traps version 2c nac
    snmp-server host 172.18.58.58 version 3 auth nac
    snmp-server group nac v3 auth notify DefaultSuper read DefaultSuper write DefaultSuper
    snmp-server group SNMPSuperuser v3 auth notify DefaultSuper read DefaultSuper write DefaultSuper
    encrypted snmp-server user nac nac v3 auth sha ***
    encrypted snmp-server user ManageEngines SNMPSuperuser v3 auth sha ***
    ip http timeout-policy 1800
    clock timezone " " -6
    sntp anycast client enable ipv4
    sntp broadcast client enable ipv4
    clock source sntp
    sntp unicast client enable
    sntp unicast client poll
    sntp server 0.pool.ntp.org poll
    sntp server 1.pool.ntp.org poll
    ip domain name blah.net
    ip name-server  172.18.19.232
    ip domain timeout 2
    ip domain retry 1
    ip telnet server
    interface vlan 2
    name NACRegistration
    interface vlan 3
    name NACIsolation
    interface vlan 12
    name Users
    interface vlan 14
    name Dev
    interface vlan 16
    name LAN
    interface vlan 99
    name Mgmt
    ip address 172.18.58.61 255.255.255.128
    interface vlan 600
    name "Core Test"
    dot1x guest-vlan
    interface vlan 1000
    name Guest
    interface vlan 1010
    name Voice
    interface gigabitethernet1
    dot1x host-mode multi-sessions
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    switchport access vlan 600
    interface gigabitethernet2
    dot1x host-mode multi-sessions
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    switchport access vlan 600
    interface gigabitethernet3
    dot1x host-mode multi-sessions
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    switchport access vlan 600
    interface gigabitethernet4
    dot1x host-mode multi-sessions
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    switchport access vlan 600
    interface gigabitethernet5
    dot1x host-mode multi-sessions
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    switchport access vlan 600
    interface gigabitethernet6
    dot1x host-mode multi-sessions
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    switchport access vlan 600
    interface gigabitethernet7
    dot1x host-mode multi-sessions
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    switchport access vlan 600
    interface gigabitethernet8
    dot1x host-mode multi-sessions
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    switchport access vlan 600
    interface gigabitethernet9
    dot1x host-mode single-host
    dot1x violation-mode protect trap 10
    dot1x guest-vlan enable
    dot1x radius-attributes vlan static
    dot1x port-control auto
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    interface gigabitethernet10
    dot1x host-mode multi-sessions
    dot1x guest-vlan enable
    dot1x radius-attributes vlan static
    dot1x port-control auto
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    interface gigabitethernet11
    dot1x host-mode multi-sessions
    dot1x guest-vlan enable
    dot1x radius-attributes vlan static
    dot1x port-control auto
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    interface gigabitethernet12
    dot1x host-mode multi-sessions
    dot1x guest-vlan enable
    dot1x radius-attributes vlan static
    dot1x port-control auto
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    interface gigabitethernet13
    dot1x host-mode multi-sessions
    dot1x guest-vlan enable
    dot1x radius-attributes vlan static
    dot1x port-control auto
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    interface gigabitethernet14
    dot1x host-mode multi-sessions
    dot1x guest-vlan enable
    dot1x radius-attributes vlan static
    dot1x port-control auto
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    interface gigabitethernet15
    dot1x host-mode multi-sessions
    dot1x guest-vlan enable
    dot1x radius-attributes vlan static
    dot1x port-control auto
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    interface gigabitethernet16
    dot1x host-mode multi-sessions
    dot1x guest-vlan enable
    dot1x radius-attributes vlan static
    dot1x port-control auto
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    interface gigabitethernet17
    dot1x host-mode multi-sessions
    no snmp trap link-status
    port monitor GigabitEthernet 20
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode general
    switchport general acceptable-frame-type untagged-only
    switchport forbidden default-vlan
    interface gigabitethernet18
    dot1x host-mode multi-sessions
    dot1x guest-vlan enable
    dot1x radius-attributes vlan static
    dot1x port-control auto
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    interface gigabitethernet19
    switchport trunk native vlan 600
    interface gigabitethernet20
    spanning-tree link-type point-to-point
    switchport trunk allowed vlan add 2-3,12,14,16,99,600,1000,1010
    macro description switch
    !next command is internal.
    macro auto smartport dynamic_type switch
    exit
    ip default-gateway 172.18.58.1

    Thank you for your response, Tom.  I have performed packet captures associated with this issue, and they show that the Called-Station-ID AVP is not sent with the RADIUS packets, from the SG300.  There is not an issue with capitalization, the value is simply not provided at all.  Here is an example of a tcpdump decode of such a packet.  Please note the missing attribute:
    15:48:01.843296 IP (tos 0x0, ttl 64, id 59875, offset 0, flags [none], proto UDP (17), length 142)
        172.18.58.61.49205 > 172.18.58.58.1812: [udp sum ok] RADIUS, length: 114
            Access Request (1), id: 0x00, Authenticator: 390000003f2000009e3f0000eb670000
              NAS IP Address Attribute (4), length: 6, Value: 172.18.58.61
                0x0000:  ac12 3a3d
              NAS Port Type Attribute (61), length: 6, Value: Ethernet
                0x0000:  0000 000f
              NAS Port Attribute (5), length: 6, Value: 57
                0x0000:  0000 0039
              Username Attribute (1), length: 12, Value: SSO\dalewl
                0x0000:  5353 4f5c 6461 6c65 776c
              Accounting Session ID Attribute (44), length: 10, Value: 050000DF
                0x0000:  3035 3030 3030 4446
              Calling Station Attribute (31), length: 19, Value: E0-DB-55-B3-1D-5C
                0x0000:  4530 2d44 422d 3535 2d42 332d 3144 2d35
                0x0010:  43
              EAP Message Attribute (79), length: 17, Value: ..
                0x0000:  0201 000f 0153 534f 5c64 616c 6577 6c
              Message Authentication Attribute (80), length: 18, Value: ......R..1...EU.
                0x0000:  bed3 b19e c70f 52e0 ec31 afcb d545 55ad
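The two Called-Station-ID problems described on this page (the SG300 request above that carries no Called-Station-Id at all, and the WLC thread at the top where the value arrives as a bare MAC instead of AP-MAC:SSID) can be checked mechanically on the RADIUS server side. The following is an added example, not code from any poster or from Cisco: it rebuilds the Access-Request from the tcpdump decode above and audits it; the `00-1A-2B-3C-4D-5E` MAC, the `corp-dot1x` SSID and all function names are constructed for illustration.

```python
import re
import struct

CALLED_STATION_ID = 30  # RFC 2865 attribute type

# "AP-MAC:SSID" as the WLC is configured to send it. The SSID part is optional
# so that a bare MAC (the anchored Web-Auth symptom) still parses.
CSID_RE = re.compile(
    r"^(?P<mac>[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})(?::(?P<ssid>.+))?$")


def parse_radius(packet: bytes):
    """Return (code, identifier, [(type, value), ...]) or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length for attribute {a_type}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, attrs


def split_called_station_id(value: bytes):
    """Return (mac, ssid); ssid is None when only a MAC was sent."""
    m = CSID_RE.match(value.decode("ascii", "replace"))
    if not m:
        return None, None
    return m.group("mac").upper().replace(":", "-"), m.group("ssid")


def audit_request(packet: bytes):
    """Return (identifier, findings) for one Access-Request."""
    _code, ident, attrs = parse_radius(packet)
    findings = []
    values = [v for t, v in attrs if t == CALLED_STATION_ID]
    if not values:
        findings.append("Called-Station-Id absent")
    else:
        mac, ssid = split_called_station_id(values[0])
        if mac is None:
            findings.append("Called-Station-Id not in MAC[:SSID] form")
        elif ssid is None:
            findings.append("Called-Station-Id has no SSID")
    return ident, findings


def identifier_never_changes(packets):
    """True when several requests all carry the same Identifier byte."""
    idents = {parse_radius(p)[1] for p in packets}
    return len(packets) > 1 and len(idents) == 1


def build(code, ident, authenticator, attrs):
    """Assemble a RADIUS packet from (type, value) pairs (test helper)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


# Values copied from the tcpdump decode in the post above.
AUTH = bytes.fromhex("390000003f2000009e3f0000eb670000")
SG300_ATTRS = [
    (4, bytes.fromhex("ac123a3d")),          # NAS-IP-Address 172.18.58.61
    (61, bytes.fromhex("0000000f")),         # NAS-Port-Type Ethernet
    (5, bytes.fromhex("00000039")),          # NAS-Port 57
    (1, b"SSO\\dalewl"),                     # User-Name
    (44, b"050000DF"),                       # Acct-Session-Id
    (31, b"E0-DB-55-B3-1D-5C"),              # Calling-Station-Id
    (79, bytes.fromhex("0201000f0153534f5c64616c65776c")),    # EAP-Message
    (80, bytes.fromhex("bed3b19ec70f52e0ec31afcbd54555ad")),  # Message-Authenticator
]
SG300_REQUEST = build(1, 0x00, AUTH, SG300_ATTRS)

# Constructed samples: the same request as a WLC would send it for an 802.1X
# SSID, and with only a controller MAC as described for the anchored WLAN.
WLC_DOT1X = build(1, 1, AUTH, SG300_ATTRS + [(30, b"00-1A-2B-3C-4D-5E:corp-dot1x")])
WLC_ANCHORED = build(1, 2, AUTH, SG300_ATTRS + [(30, b"00-1A-2B-3C-4D-5E")])

if __name__ == "__main__":
    for name, pkt in [("SG300", SG300_REQUEST), ("WLC 802.1X", WLC_DOT1X),
                      ("WLC anchored", WLC_ANCHORED)]:
        ident, findings = audit_request(pkt)
        print(f"{name}: id=0x{ident:02x} {findings or 'ok'}")
```

A policy that keys on the SSID should treat both findings as "no SSID available" and fall through to a rule that matches on the NAS instead, rather than rejecting outright.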

  • Radius NMAS 2 Calling station Id

    Hello,
    can the Novell RADIUS server be set up to provide authentication based on
    MAC address and/or Calling - Station -ID ?
    Currently running system 6.5sp2 servers and NMAS with radius.
    Thanks
    Michael

    The called-station-id and calling-station-id attributes are generally
    referred to as "request attributes" because the NAS provides them in the
    access-request packet. Unfortunately, the current version of RADIUS does not
    support request attributes. When you configure attributes for Novell RADIUS,
    you may only configure attributes for the access-accept packet.

  • Cisco WLC with Bonjour services - MSE 3310 compatibility

    Hi All,
    We have a Cisco WLC 5508 currently running on code 7.2. We have Cisco MSE 3310 appliance (which is EoS & EoS) and it is running on code 7.2 as well.
    Now, we want to implement Bonjour Gateway services to support Apple Services such as Apple TV, Apple Printer etc.
    My understanding is that in order to deploy Bonjour gateway the controller needs to be at least on version 7.4.
    I can upgrade the Controller Code, but I need to know the compatibility between Cisco WLC code 7.4 (7.4.100.0) with Cisco MSE 3310 code (7.3.101.0, as it the highest code available). MSE 3310 appliance compatibility with WLC Code 7.4 ?
    I checked the Cisco Software Compatibility Matrix, and it's not clear at all.
    http://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html#pgfId-148309
    Thanks and Regards,
    CJ

    If you really want to keep everything compatible, you might want to look at another route, like using Avahi as an mDNS gateway.  Take a look at this document... there are other mDNS gateways out there which can work, but this doc is strictly for the Avahi:
    http://www.cisco.com/c/en/us/support/docs/wireless/aironet-1100-series-access-point/113443-cuwn-apple-bonjour-dg-00.html
    http://www.timabbott.com/computers/multi-vlan-airplay-with-avahi/
    Thanks,
    Scott

  • Cisco APs get disconnected from cisco WLC after 30 min when connected on Juniper SRX

    Hi,
    I am connecting all my Cisco 1131AG APs via Juniper SRX 240 box and Cisco WLC is placed in the LAN.
    We are running LWAPP in layer 3 mode. The APs get disassociated from the WLC after 30 min.
    The Setup is like :-
    AP->AccessSwitch-->JuniperSRX(reth2.0)-->JuniperSRX(reth1.0)-->CoreSwitch-->CiscoWLC
    could anyone please help me to resolve this issue.

    Firmware for WLC is AIR-WLC4400-K9-4-2-99-0
    Firmware for AP is 12.4(10b)JA1
    The logs from WLC during disconnection :-
    Mon Sep 6 20:05:52 2010 AP Disassociated. Base Radio MAC:00:1f:ca:2d:4e:a0
    1 Mon Sep 6 20:05:52 2010 AP's Interface:0(802.11b) Operation State Down: Base Radio MAC:00:1f:ca:2d:4e:a0 Cause=Heartbeat Timeout
    2 Mon Sep 6 20:05:51 2010 AP Disassociated. Base Radio MAC:00:1f:9e:c1:0d:30
    3 Mon Sep 6 20:05:51 2010 AP's Interface:0(802.11b) Operation State Down: Base Radio MAC:00:1f:9e:c1:0d:30 Cause=Heartbeat Timeout

  • Interface, Attribute and visibility

    Dear all,
    how can I make my attributes protected or private in an interface? The class setting up the interface then has the getter and setter methods for the attributes (even the interface has the methods too).
    Kind regards
    Roman

    Hi Roman,
    An interface should not be pictured as a template, but more as a communication channel for different objects with common characteristics. If you want a template to create other classes, with private/protected attributes, and methods, I recommend that you use an abstract class. An abstract class will allow you to declare attributes and methods without code. Of course, you cannot instantiate an abstract class; you have to create another class that inherits from it.
    Cheers,
    Luc

  • Why Calling-Station-Id [31] attribute is "async"??

    AS5350, IOS tried 12.4(4T) and 12.4(3b).
    Cisco configured as dial-up server. When subscriber connects to some SPE via usual modem using radius authentication, his callback number may not be determined. Then I see in radius debug, that:
    RADIUS: Calling-Station-Id [31] 7 "async"
    When I used ios 12.3(3a) in that case i saw a blank field instead of "async".
    When callback number is determined i see, i.e.:
    RADIUS: Calling-Station-Id [31] 12 "3272779467"
    What does "async" mean? Why exactly this? How to cut this async off?

    Okay. Let it so. But in IOS 12.3(3a) there was a blank field. No "async" words.
    Have you got any link to a document where it is said that "async" is a normal value of 31th attribute of RADIUS protocol?

  • Cisco 3640, PPPoE, MAC in Calling-Station-Id

    Hi ALL!
    Almighty ALL, please tell me which IOS on 3640 can send MAC address in Calling-Station-Id when user connecting via PPPoE? I tried command "radius-server attribute 31 mac format unformatted" with no luck :(
    Thanks!

    You can try using the code 12.3(9.9) on a 3640. You could use the radius-server attribute nas-port format command to configure the NAS-Port field for the PPP extended format. And the called-station-id should be the mac of the AP.

  • Call/video not working between Cisco jabber for Windows and VCS control C40s

    Hello,
    I've been struggling with no luck how to make a call using Cisco Jabber for Windows 9.6.0 registered to CM 8.6.2 with intercluster ICT to another CM 8.6.2 where we have a VCS Control 7.0.2 via GK H225, and all C40s are registered as H.323.
    The VCS has interworking between H323 and SIP, however not sure if there is any problem with that. Assuming it is ok, not sure either if I'm facing any interoperability issue because in my remote site I have C40 (H323 registered at VCS and SIP listening mode) and cisco jabber for windows which is SIP based.
    If is not possible, would I be able to change my C40 from H323 to SIP at VCS, or have both H323/SIP registered at VCS? If so, will I need to change as well instead of GK I'll have to establish a SIP Trunk between the CM and VCS?
    Another thing I do not believe either I would be able to have one VCS connected with two clusters, right?
    I'm just trying to find a solution in case my current topology is not compatible, but feel free if you have any better idea to make it work.
    Anyway here is what is happening:
    When I make a call from my cisco jabber windows to C40 using alias number. The call is being redirected just fine to the C40 and it rings, however when someone or the auto answer picks it up, the call dropped right away.
    However, if I enabled the MTP in my CSF device, the call gets longer before dropping. I was even able to see my jabber " start video" turns green, before was grayed out all the time and the call dropped faster. I hear a fast busy tone. 
    I'm able to provide SDI traces, logs, diagnostic sip/h323 calls from VCS in order to know for sure if this is an incompatible issue or something I can workaround.
    Let me know if someone of you are interested in read these logs or could point me on the right direction.
    Thanks!

    Ok,
    I have looked at both logs. I have to mention though that you didn't
    provide the log that shows the h323 setup between cucm and the VCS. This
    is  most likely because the call originated from a different cucm than
    the ones you provided the logs from.
    The call would have orginated from the first cucm in the cucm group of
    this trunk: Name=RL_TRUNK_VIDEO
    The cucm ip will be : 10.252.53.10.
    This is the VCS log that confirms where the h323 request originated
    from:
    pr 10 22:50:29 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:29,187"
    Module="network.h323" Level="DEBUG":  Src-ip="10.252.53.10"  Src-
    port="54000"
     Received RAS PDU:
    Having said that here is my analysis of the logs that you sent..
    Jabber sent an INVITE to CUCM and advertised all the codecs (audio and
    video it can support)..
    Observe that Jabber says it doesn't support G729 annexB
    21:55:16.576 |//SIP/SIPTcp/wait_SdlReadRsp: Incoming SIP TCP message
    from 10.223.20.73 on port 54677 index 90661 with 2220 bytes:
    [862370,NET]
    INVITE sip:[email protected];user=phone SIP/2.0
    Via: SIP/2.0/TCP 10.223.20.73:54677;branch=z9hG4bK000029d3
    From: "4122107" <sip:[email protected]>;tag=00059a3c78000011000070b0
    -00000e65
    To: <sip:[email protected]>
    Call-ID: [email protected]
    Max-Forwards: 70
    Date: Fri, 11 Apr 2014 01:55:16 GMT
    CSeq: 101 INVITE
    User-Agent: Cisco-CSF/9.4.1
    m=audio 19252 RTP/AVP 0 8 18 105 104 101
    c=IN IP4 10.223.20.73
    a=rtpmap:0 PCMU/8000
    a=rtpmap:8 PCMA/8000
    a=rtpmap:18 G729/8000
    a=fmtp:18 annexb=no
    a=rtpmap:105 G7221/16000
    a=fmtp:105 bitrate=24000
    a=rtpmap:104 G7221/16000
    a=fmtp:104 bitrate=32000
    a=rtpmap:101 telephone-event/8000
    a=fmtp:101 0-15
    a=sendrecv
    m=video 28878 RTP/AVP 97
    c=IN IP4 10.223.20.73
    ++++Now let's observe the capabilities exchange during h245 negotiation
    between cucm and VCS++++
    Here CUCM advertises its caps to VCS (after receiving caps from VCS)
    Note that G729A, G729AB, G729 is all advertised..
    Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,017"
    Module="network.h323" Level="DEBUG":  Src-ip="10.252.53.10"  Src-
    port="45660"
     Received H.245 PDU:
     value MultimediaSystemControlMessage
    ::= request : terminalCapabilitySet
     capabilityTableEntryNumber 2,
           capability receiveAudioCapability :
    g729wAnnexB : 6
           capabilityTableEntryNumber 3,
       capability receiveAudioCapability : g729AnnexAwAnnexB : 6
           capabilityTableEntryNumber 4,
           capability
    receiveAudioCapability : g729 : 6
    capabilityTableEntryNumber 5,
           capability receiveAudioCapability :
    g729AnnexA : 6
    ++++++
    After doing MSD (master slave determination), we move to the OLC phase..
    Here we see that the far end..c40 wants to use G729AB for media++++
    Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,783"
    Module="network.h323" Level="DEBUG":  Src-ip="10.224.114.11"  Src-
    port="11163"
     Received H.245 PDU:
     value MultimediaSystemControlMessage
    ::= request : openLogicalChannel :
       forwardLogicalChannelNumber 1,
    forwardLogicalChannelParameters
         dataType audioData :
    g729AnnexAwAnnexB : 20,
         multiplexParameters
    h2250LogicalChannelParameters :
    +++Next VCS sends G729AB as the codec to use to CUCM+++
    Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,784"
    Module="network.h323" Level="DEBUG":  Dst-ip="10.252.53.10"  Dst-
    port="45660"
     Sending H.245 PDU:
     value MultimediaSystemControlMessage
    ::= request : openLogicalChannel :
       forwardLogicalChannelNumber 1,
    forwardLogicalChannelParameters
         dataType audioData :
    g729AnnexAwAnnexB : 20,
         multiplexParameters
    h2250LogicalChannelParameters :
    ++++The next thing we get is an OLC reject from CUCM and this is where
    the call drops++
    Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,790"
    Module="network.h323" Level="DEBUG":  Src-ip="10.252.53.10"  Src-
    port="45660"
     Received H.245 PDU:
     value MultimediaSystemControlMessage
    ::= response : openLogicalChannelReject :
    forwardLogicalChannelNumber 1,
       cause dataTypeNotSupported : NULL
    Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,790"
    Module="network.h323" Level="INFO":  Dst-ip="10.224.114.11"  Dst-
    port="11163"
      Detail="Sending H.245 OpenLogicalChannelRejResponse
    +++We then receive a call release from cucm with cause code of 47:
    resource unavailable++++
    Apr 10 22:50:32 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:32,365"
    Module="network.h323" Level="DEBUG":  Src-ip="10.252.53.10"  Src-
    port="50913"
     Received H.225 PDU:
     Q931
       Message Type: Release
    Complete
       Call reference flag: Message sent from originating side
    Call reference value: 0x7b
       Info Element : Cause
         Location: Usr
       Cause Value: Resource unavailable
       Info Element : User User
       Length = 22
    Suggestions:
    Change the region setting between the ICT trunk to VCS and Jabber to use
    G711 and test again.

  • What attributes are shared between a Radius Server and a WLC?

    I have a customer who is trying to set up a RADIUS server to authenticate management users for the controller;
    she is using a Microsoft NPS R2 server. All good at this point.
    She needs to know what attributes are shared between the server and the WLC to complete the authentication,
    because she is being successfully authenticated but is still unable to access the WLC.
    Does anyone know what those attributes are?
    The only information I have found so far was in a document that said that different management
    users can receive different Vendor-Specific Attributes. That means that the attributes returned to the WLC
    will depend on what RADIUS server model or platform you are using.

    Robin,
    For using Microsoft radius to authenticate management users, you can reference this document, which shows you the steps involved.
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/91392-airespace-vsa-msias-config.html
    Thanks,
    Scott

  • Cisco WLC 2504 and ways to authenticate users

    Hi All,
         What are the ways to have users authenticate to a WLC 2504, which is the best and simplest, and what are the differences between the methods (for example, does a RADIUS server or something else need to exist)?
         Can anyone give me a case study for this?
    The system consists of a Cisco 2504 and Cisco LAP 1140.
    Thanks

    Implementing RADIUS-based authentication is the best practice for small and enterprise environments.
    Information About RADIUS
    Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol that provides centralized security for users attempting to gain management access to a network. It serves as a backend database similar to local and TACACS+ and provides authentication and accounting services:
    •Authentication—The process of verifying users when they attempt to log into the controller.
    Users must enter a valid username and password in order for the controller to authenticate users to the RADIUS server. If multiple databases are configured, you can specify the sequence in which the backend database must be tried.
    •Accounting—The process of recording user actions and changes.
    Whenever a user successfully executes an action, the RADIUS accounting server logs the changed attributes, the user ID of the person who made the change, the remote host where the user is logged in, the date and time when the command was executed, the authorization level of the user, and a description of the action performed and the values provided. If the RADIUS accounting server becomes unreachable, users are able to continue their sessions uninterrupted.
    RADIUS uses User Datagram Protocol (UDP) for its transport. It maintains a database and listens on UDP port 1812 for incoming authentication requests and UDP port 1813 for incoming accounting requests. The controller, which requires access control, acts as the client and requests AAA services from the server. The traffic between the controller and the server is encrypted by an algorithm defined in the protocol and a shared secret key configured on both devices.
    You can configure multiple RADIUS accounting and authentication servers. For example, you may want to have one central RADIUS authentication server but several RADIUS accounting servers in different regions. If you configure multiple servers of the same type and the first one fails or becomes unreachable, the controller automatically tries the second one, then the third one if necessary, and so on.
    For more Information : http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_security_sol.html#wp2149947
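
Added example (not part of the original posts or of Cisco's documentation): Python that verifies a RADIUS Access-Accept against the shared secret (the RFC 2865 Response Authenticator) and reports which Service-Type it carries, which bears on both the NPS management-login question above and this RADIUS overview. It assumes the controller takes the management role from Service-Type (attribute 6); the secret, authenticator bytes and packets are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

SERVICE_TYPE = 6                                  # RFC 2865 attribute type
SERVICE_TYPE_NAMES = {6: "Administrative", 7: "NAS-Prompt"}  # RFC 2865 values

def parse_attributes(data):
    """Split the attribute section into (type, value) pairs (type-length-value)."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        a_type, a_len = data[i], data[i + 1]
        if a_len < 2 or i + a_len > len(data):    # length covers its own header
            raise ValueError("bad attribute length")
        attrs.append((a_type, data[i + 2:i + a_len]))
        i += a_len
    return attrs

def verify_response(packet, request_auth, secret):
    """Check MD5(Code+ID+Length+RequestAuth+Attributes+Secret) == Authenticator."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    digest = hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret)
    return hmac.compare_digest(digest.digest(), packet[4:20])

def service_type(packet):
    """Return the Service-Type name in a reply, or None if it is absent."""
    length = struct.unpack("!H", packet[2:4])[0]
    for a_type, value in parse_attributes(packet[20:length]):
        if a_type == SERVICE_TYPE and len(value) == 4:
            number = struct.unpack("!I", value)[0]
            return SERVICE_TYPE_NAMES.get(number, str(number))
    return None

def build_accept(ident, request_auth, secret, attrs):
    """Build a sample Access-Accept (code 2) the way a server would sign it."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", 2, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body

# Constructed sample data: secret, request authenticator and two replies.
SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))
WITH_ROLE = build_accept(1, REQ_AUTH, SECRET, [(6, struct.pack("!I", 6))])
WITHOUT_ROLE = build_accept(2, REQ_AUTH, SECRET, [(18, b"welcome")])  # Reply-Message only
```

A reply like `WITHOUT_ROLE` still verifies, so the user counts as authenticated, but under the stated assumption the controller has no role to grant.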
