Can sleeping clients just be on anchor controller 7.6
Can sleeping clients just be on anchor controller 7.6? Can the foreign controller not have sleeping clients configured and it still work as long as the anchor is configured for sleeping clients? The other question is.. Do all user use sleeping clients or only user who have actually web authed? We have a lot of people in webauth required state not sure if they count against the sleeping client count.
A sleeping client does not require reauthentication in the following scenarios:
Suppose there are two controllers in a mobility group. A client that is associated with one controller goes to sleep and then wakes up and gets associated with the other controller.
Suppose there are three controllers in a mobility group. A client that is associated with the second controller that is anchored to the first controller goes to sleep, wakes up, and gets associated with the third controller.
A client sleeps, wakes up and gets associated with the same or different export foreign controller that is anchored to the export anchor.
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-5/config_guide/b_cg75/b_cg75_chapter_010111.html#concept_F70A46E44FFB41CA9C2A4FC60A81B0A2
Similar Messages
-
Total throughput and client limitations per guest anchor controller; 7,000 guest clients
When I read the specs of a Cisco 5508WLC I read the following :
Cisco 5508 Wireless LAN Controller (WLC) – 8 Gbps and 7,000 guest clients
What happens when client 7001 tries to connect ? Is this a hardcoded like the max 500AP's limit ? Or is this just a guideline ?7000 is the number of entries it can handle in its client database. So you cannot have more than 7000 clients in single 5508.
HTH
Rasika
**** Pls rate all useful resposnes **** -
Is there any iPhone midi controller that can control logic just by one usb
is there any iPhone midi controller that can control logic just by one usb line to the mac?
Free ones would be the best!
Thanks!If you have a Mac Pro and an iPhone, surely you can afford a router? It's about the same price a a decent meal for two.
-
Is there any iPhone midi controller that can control logic just by USB?
is there any iPhone midi controller that can control logic just by one usb insert to the mac?
Free ones would be the best!
Thanks!Although not USB, there are a couple of iPhone/Touch apps that can control the Mac using a wireless network. MobileMouse (free & paid versions) do a great job, as well as Logitech's TouchMouse. Both will allow you to use the touch screen to control the mouse, which essentially gives you the ability to do many things in Logic. I've used them, for example, to begin a recording, which frees me from being near the computer.
-
IOS device failed to get ip address on multiple wlan on the same anchor controller
Dear Experts:
in my implementation, we need 2 WLANs be served on the same anchor controller.
WLAN1: wep/40bit, integration with NAC/OOB on anchor controller for guest wlan service.
and guest account controlled by NACguest server.
WLAN2: wep/40bit, no layer3 secuirty for temporary using.
foreign controller: WiSM on v6.0.196.4 (also testing on 6.0.182.0)
anchor controller: WLC4402 on v6.0.196.4
on WLAN1:
Windows7 client get ip address correctly.
iOS (iPhone4 on 4.3.1/4.3.2, iPad2 on 4.3.1/4.3.2) can get ip address correctly on WLAN1.
WLAN2, iOS device cannot get ip address.
compare with debug message "debug clien mac" + "debug dhcp message enable"
on both foreign and anchor controller.
on foreign controller:
PM state has changed from: DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
on anchor controller:
PM state always stay on: DHCP_REQD (7) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
Enable/Disable DHCP Address Assignment Required is not work.
Enable/Disable DHCP proxy is not work.
Any hit this issue when get ip address failed in multiple WLANs on the same anchor controller?
In attachment log file,
DMZ.log: anchor controller on DMZ.
S3p1.log: WiSM on v6.0.182.0
S3p2.log: WiSM on v6.0.196.4
client mac: 00:1f:3b:05:33:c1, Windows7 Client
client mac: 58:55:ca:cf:d2:07, iPhone4 with 4.3.1,
WLAN1 subnet: 10.61.246.0/23
WLAN2 subnet: 10.61.248.0/23Hi, Nicolas:
just checking the attachment for the run-config on foreign/anchor controller.
DMZ_run.config - anchor controller
s3p1_run.config - WiSM on v6.0.182.0
s3p2_run.config - WiSM on v6.0.196.4
at this moment, we have disable the wlan 10 on foreign controller, and wlan 2 on foreign controller.
Wilson... -
Auto-Anchor Controller's Best Practice
Hi All,
I got confused with this setup. I have 2 Wlc's.One is the internal controller and another one configured for the anchor controller (different subnet-DMZ zone) for guest traffic. Where do i configure DHCP assignment for this users..? Should Production controller intervine in this dhcp process or shall i direct to Anchor to take care of everything..? which is recommended ?
And also any best practice doc is available for this ..?
Please help...
thanks in advance.Prasan,
Just keep in mind that there are best practices that are published and best practices that you learn from experience. Being a consultant, I get to implement wireless in various networks and everyone's network is quite different. Also code versions can change a best practice because of bug issues or how a standard might of changed and how that standard was implemented in code. The biggest best practice secret is really working with various client devices, scanner's, laptops, smartphones, etc., and seeing how those change because of newer models and it firmware updates. It's amazing to understand how some devices will require a few checkboxes in the WLAN to be disabled compared to others. Even with anchoring for guest and using a custom WebAuth to make sure the splash page works with various types of browsers.
What I can say is to always try the defaults if possible when you have issues and then enable things one by one.
Sent from Cisco Technical Support iPhone App -
AAA, WLC, and AP Groups, Anchor Controller, Problem
All,
First, I have a TAC case open on this problem, but they seem to be stumped and I have been unable to get them to mock it up. Here are the details and the problem(s):
Have Cisco ACS using backend AD for user authentication
MSCHAP, 802.1x
Three wireless controllers running ver 7.0.98.0; one controller is 4404 the other two are on WiSM blade in 6509.
Many AP Groups and a few mobility achor setups.
Wifi clients used to test are Intel and have the proper drivers 12.4.4.5 and 13.1.1.1
First authentication problem is via SSIDs associated with anchor contollers. Whenever the SSID is set to use 802.1x, the anchor controller sends message to ACS(RADIUS), but ACS never sees the communication.
Second authentication problem is related to AP Groups. Whenever a client associates with an AP that is in a specific AP group and that SSID is also associated with that AP group's interface, I get the same result as above - the contoller talks to the ACS, but the ACS never sees the communication.
Note that all the above works fine as long as I am not using 802.1x. If I am using PSK, it all works flawlessly.
One other thing to note is that, in the case of the AP Group problem, if withing the AP group I associate the SSID with the management interface, the 802.1x works perfectly. The problem with that is that the client get assigned an IP address from the management Vlan... not what I want, instead, I want the client to get it's IP address from the interface associated with the AP Group.
It is not a routing problem....
I have gone through two TAC engineers and the problem is still not resolved. So close, but not succesfull.
Any interoperability/Security experts out there that can help nail this thing?
ThanksJeff,
Sorry for the late reply.... of course your suggestion was right-on the mark and a wireshark trace uncovered the problem. I had already re-engaged Cisco TAC and between the wireless engineer and one of their security engineers, they were able to point out that the Cisco ACS 5.0 has a bug specific to this particular problem. They told me to apply patch, apply OS upgrade, then apply ACS 5.1 upgrade to the ACS. I was able to apply the patch, but never could get the OS upgrade to take. For the heck of it, I re-checked the problem after applying the patch and YooHoo! Works as advertised!
Thanks for showing the interest, it was definetly a pain-point for my customer. -
Using ISE for guest access together with anchor controller WLC in DMZ
Hi there,
I setup a guest WLAN in our LAB environment. I have one internal WLC connection to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal which works fine.
To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
Does anyone know of a better solution for this ? Where to place the ISE for this scenario, etc ?
Thx
FrankSo i ran into a similar scenario on a recent deployment:
We had the following:
WLC-A on private network (Inside)
ISE Servers ISE01 and ISE02 (Inside)
WLC-B Anchor in DMZ for Guest traffic (DMZ)
ISE Server 3 (DMZ)
ISE01 and ISE02 are used for 802.1X for the private network WLAN.
Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth. Since we want to do CWA, we use Mac Filtering with ISE as the radius server. If you send this traffic RADIUS authentication for Mac Filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to. Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails. (This was a limitation of ISE 1.1. Not sure if this persists in 1.2 or not.
So what now? In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentiction from the Foreign controller so that the client will use a DNS of https://ise03.mydomain.com/... to redirect the client to. Once the session is authenticated, ISE03 will send a CoA back to the foreign which will remove the redirect for the session. Note, you do have to allow ISE03 to send a CoA.
In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node. -
Central Web Auth with Anchor Controller and ISE
Hi All
I have a 5508 WLC on the corporate LAN and another 5508 sat in a DMZ as an anchor controller.
I also have an ISE sat on the corporate LAN.
Authenticate is working fine to the ISE and the client tries to re-direct to the ISE Portal but doesn't get there.
DNS is working fine and the client can resolve the URL of the ISE to the correct IP address.
I have a redirect ACL configured on the foreign controller which permits DNS, DHCP and traffic to and from the ISE.
My questions are:
1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL - I don't believe it does.
4. Is ICMP still blocked by the WLC until the web authentication is complete?
Thanks.
Regards
RogerHi Roger,
Thanks for your brief explanation here are the answers for your queries.
1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
The only catch is that since this web authentication method is Layer 2, you have to be aware that it will be the foreign WLC that does all of the RADIUS work. Only the foreign WLC contacts the ISE, and the redirection ACL must be present also on the foreign WLC.
2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
Yes, you have to configure the ISE server address on the anchor WLC.
3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL
Yes, you should override AAA under advanced tab of WLAN as ACL will be present on the foreign WLC.
4. Yes, ICMP will work only after the sucessful web auth is complete.
Please do go through the link below to understand the Anchor-Foreigh Scenario.
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11
Regards
Salma -
Guest ssid with anchor controller and Web policy
We have a WLC4404 and and anchor controller WLC4402 to provide guest access to the wifi net. We configured both in the same mobility group, and the guest ssid to attach to the mobility anchor 4402. All is working fine until we enable the web policy authentication on the 4402. In this case the client join the guest ssid but neither get an ip address from the dhcp server nor go anywhere. Is we disable the web authentication all works fine again. We are runnig 4.0.206.0 on both WLC. Anyone can help us?
Two things you might check. (1) The 4404's mobility anchor should point to the 4402, and the 4402 should anchor to itself. (2) Make sure you are configuring the same security policy for the SSID on both the 4402 and 4404. So if the SSID is "guest" and you turn on web authentication on the 4402, make sure "guest" is on the 4404 with web authentication. We are using a similar setup for guest access at several sites.
-
Guest Anchor Controller DNS issues
Hi,
I have an anchor controller (4402) is running version 4.0.219.0 in our DMZ
The main service we use is a guest service which uses the anchor controller in the DMZ for access to the internet. Authentication is via the WEB re-direct feature. We currently have a subnet assigned to the Guest SSID with a 22 bit mask providing just over 1000 ip addresses to clients.
Change required (which were attemped).
1. Move the dhcp server to a dedicated dhcp server and off the anchor controller.
2. Increase the address space to /21 thereby providing about 2000 addresses for clients. (By changing the ip address mask on the SSID interface).
Problems
The provision of dhcp from the new dhcp server worked fine and clients were able to pick up dhcp addresses when they associated to the wireless SSID.
The problem was that only some clients were being re-directed to the web-redirect page for authentication. Any clients who were re-directed were able to authenticate correctly.
Diagnosis
It appears that only some client's dns requests were being passed on from the anchor controller. A capture of packets between the anchor controller and the DMZ firewall did not pick up dns packets from an assiocated and connected client even when running dns queries manually from the wireless client.
A reboot of the controller did not make any difference.
Is there any throttling effect on dns queries which may have being implemented on the anchor controller by default once the subnet mask was increased? I noticed authentication successes of about 1 a minute while normally we would see authentication rates of 1 every couple of seconds.
Are there any bugs or known reason why an interface mask of /21 would be problematic on the controller?
We had to roll back the changes to the original configuration in order to bring the service back on-line.Hello Eoin
Where is the external dhcp server ? in the same DMZ or on the inside network ? we have a /19 subnet allocated to the guests and I dont foresee any throttling on the dns queries.. The connectivity anyway till the anchor controller is on EoIP, and is just like the client connecting onto a local controller..
laptops which had issues -> was the problem interim or its just that they are not able to get the web redirect page at all ?
Check the release notes for any bugs on this software:
http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn402190.html#wp170104
Raj -
WLC user rate limit on guest ssid anchor controller
Hi,
I have been looking through the forums & some cisco documents but not found a good example similar to what I am seeking to do so now I am turning to the expertise of my peers.
We have been deploying 3502 APs remotely to locations with full T1s that backhaul to where I sit at HQ.
Both the foreign and anchor controller are here at my location.
I am seeking to rate limit per user the bandwidth each client will get on the guest internet ssid.
As you know this traffic is encapsulated in capwap between the AP and the controller so I cant use a standard ACL on the switch or router.
We are trying to keep the guest internet access usage in check on the T1 at any given site so the other ssid's & local lan traffic is not overly competing for the bandwidth.
I found the place to edit the default profiles in the controller but the documentation really isnt clear on best practices.
So I put it to you my fellow wireless engineers to suggest how you are implementing bandwidth management on your wireless guest internet.
Thanks guys!
Oh and here is my hardware & software levels.
5508wlc - forgeign
4402wlc - anchor
Software Version
7.0.230.0Amjad,
Thank you for taking the time to respond as well as the document link.
It was pretty clear on the steps and what it would impact.
Two things that push me for a different solution (assuming their is one).
Note The values that you configure for the per-user bandwidth contracts affect only the amount of bandwidth going downstream (from the access point to the wireless client). They do not affect the bandwidth for upstream traffic (from the client to the access point).
As you can see from the above note taken out of the linked document the roll based rate limit doesnt really rate limit the T1 traffic any guest user consumes it only limits usage from the AP down to the client.
#1 I am looking for a solution that limits the users up & down streams (if possible) & also before it leaves the AP for the T1.
The idea is to limit WAN utilization.
#2 I read in the forums here others asking about the "user role" and saw some comments saying it is not considered "best practice" to use user roles.
Let me clarify that our guest ssid's are using the http webpage pass through for authentication and it is really only the tic mark to indicate they understand the terms and conditions of using our internet as a guest service. No actual user accounts are used on the guest ssid's.
***One last question about this and any other changes***
Will any change I make be on the "Foreign, Anchor" or both Controllers? -
Guest Access w/ DMZ Anchor controller
I know the documentation says that the Cisco 2100 series WLAN controllers can NOT terminate a VPN tunnel and as such cannot act as the Anchor controller in the DMZ.
Does the 2500 series suffer from the same problem, or can it be used as an anchor?
The only approved anchors listed are the 3750 w/ WLC, the 4400 series, and the 6500 series, but no mention is made of the 2500 or 5500 controllers.The 2500 cannot be used as an anchor (but as a foreign controller, just like the 2100), the 5500 is capable of doing both.
Stefan -
We are running 7.6 on our 5508-WLC. We have a number of issues w/ 'i-clients' when they go asleep. From what I can tell, I need to enable the 'sleeping clients' feature (not just the session and idle timeouts).
On our WLANs we use Layer-2 (WPA+WPA2) security. Is my understanding correct, that to enable Sleeping Clients we need to also have layer-3 security enabled? If so - is there a way around that requirement?On our WLANs we use Layer-2 (WPA+WPA2) security. Is my understanding correct, that to enable Sleeping Clients we need to also have layer-3 security enabled? If so - is there a way around that requirement?
Sleeping clients only works with WebAuth with no layer 2 encryption. If you are using a layer 2 encryption, it will not work as its not supported.
Thanks,
Scott
*****Help out other by using the rating system and marking answered questions as "Answered"***** -
Cisco documentation recommends using a dedicated controller for the guest anchor controller function becuase it needs to be located in the DMZ. However, if I have spare capacity on an existing controller (ie one used to manage APs) then perhaps I can also use it as the guest anchor. Instead of being physically connected to the DMZ, I would just extend a guest user VLAN from the guest anchor controller to the DMZ. I would welcome feedback on the validity & security of this alternate solution.
Thanks.Hi Marvin,
Like anything in networking, there are always different ways to skin a cat. First lets chat about the guest anchor deployment in the DMZ. This particular design is Ciscos most secure way to handle guest access. The wireless guest packet never touches your switch fabric until it hits the DMZ. The packet rides over the guest wifi, hits the ap, gets encapsulated and doesnt get unecapsulated until it hits the DMZ anchor.
Another way and less expensive is to add a dynmic interface on your internal controller and ride that trffic into the DMZ. I have customer that do this very thing as well. Its cheaper and may be less hassle configuration wise.
In this approch, your guest packet gets unwrppaed can placed at the door step of the WLC.
I hope this helps.
Does this make sense?
Maybe you are looking for
-
My macbook shuts off and I kept a journal for it because mine's got complications. July 1, 2014 (Tuesday) I spilled a cup of choclate milk on my keyboard, it was soaked! But my battery was drained so I know nothing had short out. So I turned it over
-
Pages error -1712 won't open, pages error -1712 won't open
Help. Pages suddenly won't open. Shows error -1712. What's happened?
-
Nokia 7610, contact restore fails
Hi, I made a complete backup of my Nokia 7610 with Nokia PC suite 6.81.13. According to the log file (attached) the backup was done perfeclty. Then, my mobile was repaired (i.e exchanged with a "new" Nokia 7610) and I tried to restore my backup file.
-
When I select Toolbar-Customize and the options box opens, the Navigation Bar icons disappear.
Two questions: 1) When I select Toolbar, then Customize, the box with the toolbar options opens, but my Navigation bar icons disappear, so I can't add the spaces, bars, etc. to it. How do I fix that? 2) I can reposition the icons in the Navigation ba
-
i cannot access my bb app world for a vry long time a message appeear says " the data service is not operational. sam when log in to ym, msn, gtalk..and other IM. please help. thank you.