Cisco 2504 as Anchor not passing TCP 8443
Hello,
I have a very strange scenario with a 2504 WLC. It is deployed as an Anchor with a 5508 as the foreign. In summary, my setup is as follows:
2504 - Anchor (version 7.6.120), Port 1- MGT, Port 2 - Guest subnet, No AAA Server, Internal DHCP server
5508 - Foreign (version 7.6.101.1), Guest interface (dummy, non-routable and no VLAN on the switch), MAC filtering, ACL-redirect, AAA with RADIUS NAC.
The mobility tunnels are up and FW rule also allows DNS and TCP/8443 from the guest subnet. The guest client receives its DHCP address and queries external DNS on the DMZ, but after that nothing happens. The web redirect URL times out.
I can see hits on the FW ACL for the DNS query and response but none for TCP/8443. The client browser times out. From wireshark, I can see the client query the DNS for the ISE hostname and the DNS replies with the IP address, but I don't see the guest send a packet to ISE. It's as if the DNS packet flows through the Guest interface, but the TCP/8443 packet doesn't flow out of the Anchor WLC to the Foreign to be sent to ISE.
Does anyone understand this very strange occurrence?
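The triage step described in the question (DNS resolves the portal hostname, but no connection to TCP/8443 follows) can be automated over a text export of the capture. The script below is an added example and not part of this thread: it correlates each DNS A answer delivered to a client with a later TCP SYN from that client to the resolved address on the portal port, and lists the clients that never attempted the connection. The capture lines, the tshark-like field layout, the client addresses and the hostname ise.example.test are all constructed for the example.

```python
"""Correlate DNS answers with follow-up TCP SYNs in a packet summary.

Added example, not from the original thread. Input is a simplified
tshark-style text export; the field layout (time src dst proto detail)
is an assumption made for this example.
"""
import re
from collections import defaultdict

# Constructed sample capture: two guest clients resolve the portal host.
# The first one opens TCP/8443 afterwards, the second one only re-queries DNS.
SAMPLE_CAPTURE = """\
0.000 10.20.30.40 203.0.113.53 DNS query A ise.example.test
0.012 203.0.113.53 10.20.30.40 DNS answer A ise.example.test 192.0.2.10
0.020 10.20.30.40 192.0.2.10 TCP SYN 8443
0.500 10.20.30.41 203.0.113.53 DNS query A ise.example.test
0.511 203.0.113.53 10.20.30.41 DNS answer A ise.example.test 192.0.2.10
5.000 10.20.30.41 203.0.113.53 DNS query A ise.example.test
"""

DNS_ANSWER = re.compile(
    r"^(?P<t>\S+) (?P<src>\S+) (?P<dst>\S+) DNS answer A (?P<name>\S+) (?P<ip>\S+)$"
)
TCP_SYN = re.compile(r"^(?P<t>\S+) (?P<src>\S+) (?P<dst>\S+) TCP SYN (?P<port>\d+)$")


def find_missing_syns(capture: str, port: int = 8443) -> dict:
    """Return {client: [hostname, ...]} for DNS answers that were never
    followed by a TCP SYN from that client to the resolved IP on `port`."""
    answers = defaultdict(list)  # client -> [(answer_time, name, resolved_ip)]
    syns = defaultdict(list)     # client -> [(time, destination_ip)]
    for line in capture.splitlines():
        m = DNS_ANSWER.match(line)
        if m:
            # The DNS reply's destination is the client that asked.
            answers[m["dst"]].append((float(m["t"]), m["name"], m["ip"]))
            continue
        m = TCP_SYN.match(line)
        if m and int(m["port"]) == port:
            syns[m["src"]].append((float(m["t"]), m["dst"]))

    missing = {}
    for client, resolved in answers.items():
        for t_answer, name, ip in resolved:
            # A SYN only counts if it targets the resolved IP after the answer.
            followed = any(t >= t_answer and dst == ip for t, dst in syns.get(client, []))
            if not followed:
                missing.setdefault(client, []).append(name)
    return missing


if __name__ == "__main__":
    for client, names in find_missing_syns(SAMPLE_CAPTURE).items():
        print(f"{client}: resolved {names} but never sent SYN to port 8443")
```

If the client never sends the SYN, the problem is on the client or redirect side (the portal URL or the redirect ACL), whereas a SYN that is visible on the guest interface but never reaches the foreign side points at the mobility tunnel or the firewall path.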
After contacting Cisco TAC without a successful resolution, I discovered that Policy Set was the problem. This was very strange as the Policy set was evaluated and the correct Authz policy applied.
I had a policy set with Radius conditions equal 802.11 AND Wireless_MAB. This was to separate it from another policy set for 802.1X. The Wireless_MAB policy set was evaluated and the web redirect ACL was applied by ISE, but after that ISE didn't respond with the Guest Portal page.
As soon as I removed the condition Wireless_MAB from the policy set definition, the Guest portal worked.
I think Cisco should either evaluate the Policy set functionality and fix it or release a statement that Policy set can't work with 2 conditions defined, which I think doesn't make sense as why would I use Policy set for Radius Nas_Port_type 802.11. This means the 802.1X Policy set would be checked first (if it is first in the order) before the Wireless_MAB Policy as both use NAS_port_type of 802.11.
Similar Messages
-
Cisco 881 ISR IPSec VPN Tunnel does not pass traffic from the vlan.
I have a Cisco 881 ISR router with a site-to-site IPsec VPN tunnel to a MikroTik device on the other end (I inherited this from my client). The tunnel is constructed properly and is up; however, traffic does not pass or get routed to the FA4 interface. I see in my packet captures that it hits the vlan1 interface (VLANs are required on the L2 ports) and does not pass to the tunnel.
This is my configuration:
141Kerioth#sh config
Using 3763 out of 262136 bytes
! Last configuration change at 01:02:41 UTC Mon May 26 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname 141Kerioth
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
141Kerioth#do wr mem
^
% Invalid input detected at '^' marker.
141Kerioth#wr mem
Building configuration...
[OK]
141Kerioth#sh run
Building configuration...
Current configuration : 5053 bytes
! Last configuration change at 01:38:06 UTC Mon May 26 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname 141Kerioth
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
memory-size iomem 10
crypto pki trustpoint TP-self-signed-580381394
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-580381394
revocation-check none
rsakeypair TP-self-signed-580381394
crypto pki certificate chain TP-self-signed-580381394
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 35383033 38313339 34301E17 0D313430 35323231 38323333
365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3538 30333831
33393430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B001A012 2CA6970C 0648798B 2A786704 84F2D989 83974B19 9B4287F2 4503D2C9
173F23C4 FF34D160 202A7565 4A1CE08B 60B3ADAE 6E19EE6E 9CD39E72 71F9650E
930F22FE C4441F9C 2D7DD420 71F75DFC 3CCAC94E BA304685 E0E62658 A3E8D01C
D01D7D6A 5AF0B0E6 3CF6AF3A B7E51F83 9BF6D38E 65254E1F 71369718 ADADD691
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 168014D6 24878F12 1FFADF2F 537A438E 6DD7FB6B D79E4130 1D060355
1D0E0416 0414D624 878F121F FADF2F53 7A438E6D D7FB6BD7 9E41300D 06092A86
4886F70D 01010505 00038181 00771667 FCA66002 8AB9E5FB F210012F C50B586F
9A9640BB 45B4CEFD 030A38C0 E610AAC8 B41EF3C4 E55810F9 B2C727CF C1DEFCF1
0846E7BC 1D95420E 5DADB5F8 EFE7EB37 B5433B80 4FF787D4 B1F2A527 06F065A4
00522E97 A9D2335C E83C4AE1 E68D7A41 9D0046A7 ADCC282B 7527F84D E71CC567
14EF37EA 15E57AD0 3C5D01F3 EF
quit
ip dhcp excluded-address 10.0.16.1
ip dhcp pool ccp-pool
import all
network 10.0.16.0 255.255.255.0
default-router 10.0.16.1
dns-server 8.8.8.8
lease 0 2
ip domain name kerioth.com
ip host hostname.domain z.z.z.z
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip cef
no ipv6 cef
license udi pid CISCO881-K9 sn FTX180483DD
username admin privilege 15 secret 4 CmmfIy.RPySmo4Q2gEIZ2jlr3J.bTBAszoe5Bry0z4c
username meadowbrook privilege 0 password 0 $8UBr#Ux
username meadowbrook autocommand exit
policy-map type inspect outbound-policy
crypto isakmp policy 1
encr 3des
authentication pre-share
group 5
crypto isakmp key 141Township address z.z.z.z
crypto isakmp keepalive 10
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
crypto map mymap 10 ipsec-isakmp
set peer z.z.z.z
set transform-set TS
match address 115
interface Loopback0
no ip address
interface Tunnel1
no ip address
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
description $FW_OUTSIDE_WAN$
ip address 50.y.y.y 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map mymap
interface Vlan1
description $ETH_LAN$
ip address 10.0.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 115 interface Vlan1 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 50.x.x.x
access-list 110 deny ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 permit ip 10.0.16.0 0.0.0.255 any
access-list 115 permit ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 144 permit icmp host c.c.c.c host 10.0.1.50
access-list 144 permit icmp host p.p.p.p host 10.0.16.105
access-list 199 permit ip a.a.a.a 0.0.0.255 any
no cdp run
route-map nonat permit 10
match ip address 100
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 30 0
privilege level 15
transport preferred ssh
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
cns trusted-server all-agents x.x.x.x
cns trusted-server all-agents hostname
cns trusted-server all-agents hostname.domain
cns id hardware-serial
cns id hardware-serial event
cns id hardware-serial image
cns event hostname.domain 11011
cns config initial hostname.domain 80
cns config partial hostname.domain 80
cns exec 80
end
Why do you have the following command on the PIX?
crypto map outside_map 40 set transform-set 165.228.x.x
Also you have this transform set on the PIX:
crypto ipsec transform-set 10.112.60.0 esp-aes-256 esp-sha-hmac
This does not match the transform set on the router:
crypto ipsec transform-set tritest esp-3des esp-md5-hmac
Where are you using the access-list/route-map 101? -
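A common reason for an IPsec tunnel that is up but carries no traffic is that the interesting traffic is translated by NAT before the crypto map sees it, so it never matches the crypto ACL. The linter below is an added example, not the poster's or the replier's own tooling. It parses the relevant statements from an IOS configuration and reports three things: a route-map used for NAT that references an ACL which is not defined, a NAT ACL that would translate the crypto map's interesting traffic, and an ACL that is defined but never referenced. The sample lines are constructed from the configuration quoted above, with the masked peer and NAT addresses replaced by documentation addresses (198.51.100.1 and 203.0.113.0/24).

```python
"""Lint an IOS site-to-site IPsec configuration for NAT-before-encrypt mistakes.

Added example, not from the thread. Only 'access-list N permit|deny ip ...',
'ip nat inside source ...', 'route-map ... / match ip address' and the
crypto map's 'match address' are parsed; everything else is ignored.
"""
import ipaddress

# Constructed from the posted configuration; addresses are documentation ranges.
SAMPLE_CONFIG = """\
crypto map mymap 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address 115
ip nat inside source list 115 interface Vlan1 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
access-list 110 deny ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 permit ip 10.0.16.0 0.0.0.255 any
access-list 115 permit ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 199 permit ip 203.0.113.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 100
"""


def _take(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD) and return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wild = int(ipaddress.ip_address(tokens.pop(0)))
    prefix = 32 - bin(wild).count("1")  # assumes a contiguous wildcard mask
    return ipaddress.ip_network(f"{tok}/{prefix}", strict=False)


def parse(config):
    acls, nat_lists, nat_route_maps, route_map_acl, crypto_acls = {}, [], [], {}, []
    current_rm = None
    for raw in config.splitlines():
        line = raw.strip()
        tokens = line.split()
        if line.startswith("access-list ") and len(tokens) > 4 and tokens[3] == "ip":
            rest = tokens[4:]
            src, dst = _take(rest), _take(rest)
            acls.setdefault(tokens[1], []).append((tokens[2], src, dst))
        elif line.startswith("ip nat inside source list "):
            nat_lists.append(tokens[5])
        elif line.startswith("ip nat inside source route-map "):
            nat_route_maps.append(tokens[5])
        elif line.startswith("route-map "):
            current_rm = tokens[1]
        elif current_rm and line.startswith("match ip address "):
            route_map_acl[current_rm] = tokens[3]
        elif line.startswith("match address "):
            crypto_acls.append(tokens[2])  # crypto map interesting traffic
        elif line.startswith("crypto map "):
            current_rm = None
    return acls, nat_lists, nat_route_maps, route_map_acl, crypto_acls


def _natted(entries, csrc, cdst):
    """True if the NAT ACL would translate the crypto flow csrc -> cdst."""
    for action, src, dst in entries:
        if action == "deny" and csrc.subnet_of(src) and cdst.subnet_of(dst):
            return False  # explicitly exempted from NAT
        if action == "permit" and src.overlaps(csrc) and dst.overlaps(cdst):
            return True
    return False  # implicit deny: not translated


def lint(config):
    acls, nat_lists, nat_route_maps, route_map_acl, crypto_acls = parse(config)
    findings = []
    referenced = set(nat_lists) | set(crypto_acls)
    nat_acls = list(nat_lists)
    for rm in nat_route_maps:
        acl = route_map_acl.get(rm)
        if acl is None:
            findings.append(f"route-map {rm} has no 'match ip address' clause")
            continue
        referenced.add(acl)
        if acl not in acls:
            findings.append(f"route-map {rm} references undefined ACL {acl}")
        else:
            nat_acls.append(acl)
    for acl in nat_lists:
        if acl not in acls:
            findings.append(f"NAT statement references undefined ACL {acl}")
    for cacl in crypto_acls:
        for action, csrc, cdst in acls.get(cacl, []):
            if action != "permit":
                continue
            for nacl in nat_acls:
                if nacl in acls and _natted(acls[nacl], csrc, cdst):
                    findings.append(
                        f"NAT ACL {nacl} translates crypto-interesting traffic "
                        f"{csrc} -> {cdst} before encryption")
    for acl in acls:
        if acl not in referenced:
            findings.append(f"ACL {acl} is defined but never referenced")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample, the linter reports the route-map's reference to the missing ACL 100, the reuse of the crypto ACL 115 in a NAT statement, and the unused ACL 110; pointing the route-map at the ACL that carries the deny for the VPN subnet and dropping the NAT statement that reuses the crypto ACL clears all three findings.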
AP 1231G Not Passing DHCP to clients
Hello. My company AP 1231G is not passing the DHCP address to the client from the DHCP server. Can you please advise on my config listed below?
Basically the AP is on its own VLAN (10.1.123.1) and the DHCP server is 10.1.10.2. I am trying to use ip helper to pass DHCP to clients, and the AP is on static IP 10.1.123.2.
! Last configuration change at 13:15:56 +0800 Fri May 25 2012 by root
! NVRAM config last updated at 13:15:56 +0800 Fri May 25 2012 by root
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname XXXXXXXXXX
clock timezone +0800 8
ip subnet-zero
no ip domain lookup
ip domain name XXXXXXXXXXXXX
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
dot11 syslog
dot11 ssid XXXXXXXXXX
authentication open
authentication key-management wpa
guest-mode
infrastructure-ssid optional
wpa-psk ascii XXXXXXXXXXXXXXXXXXXXXXX
dot11 arp-cache optional
username root privilege 15 password XXXXXXXXXXXXXXXXXXXXX
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm tkip
ssid XXXXXXXXXXX
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
no preamble-short
channel 2432
station-role root access-point
no dot11 extension aironet
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 10.1.123.2 255.255.255.0
ip helper-address 10.1.10.2
ip default-gateway 10.1.123.1
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
access-list 111 permit tcp any any neq telnet
snmp-server view dot11view ieee802dot11 included
snmp-server view ieee802dot11 ieee802dot11 included
snmp-server community public RO
snmp-server community private view undefined RW
bridge 1 route ip
line con 0
terminal-type teletype
line vty 0 4
terminal-type teletype
sntp server 114.80.81.13
sntp broadcast client
end
Roan:
Where is your DHCP server configured (switch, firewall, 3rd party server, etc.)?
Does it work correctly if the AP IP on same subnet and ip-helper is not being utilized? -
DHCP Server is not passing out DHCP Leases
I can't seem to figure out why the DHCP server is not passing out a DHCP lease to a client.
Also I can't seem to figure out why the NVI0 interface is UP. I have set up another box similarly and NVI0 is down on that, and the DHCP server is working fine on that too. Strange!
I am working on a Cisco 881 VPN router. Please have a look at it and let me know. Thanks.
Here is the configuration in the box...
sh run
Building configuration...
Current configuration : 6543 bytes
! Last configuration change at 17:09:54 CST Fri Sep 14 2012 by XXXXX
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname XXXXX
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization network vpn_group_ml_1 local
aaa session-id common
memory-size iomem 10
clock timezone CSTime -6
clock summer-time CST recurring
crypto pki trustpoint TP-self-signed-3079619067
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3079619067
revocation-check none
rsakeypair TP-self-signed-3079619067
crypto pki certificate chain TP-self-signed-3079619067
certificate self-signed 01
30820252 308201BB A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33303739 36313930 3637301E 170D3132 30393134 31393231
32375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30373936
31393036 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100993C D622004B F3AEA1E5 81106C28 36EC52D0 5435ABC3 8912095F 3641168A
B67D97AF AEB43CF3 00A00EB5 702FA355 9F58EBEF F42294DC 0E32CF40 E17D372A
3BC36401 55EDBA5C 910B7A51 89D709A8 7EAB3FF0 E4C99D34 CBE3F316 069C0E16
BC284055 35E3D762 463DABF6 852C4E7A D2EF45A4 21F08689 4DF17870 9E2A6C27
1BFB0203 010001A3 7A307830 0F060355 1D130101 FF040530 030101FF 30250603
551D1104 1E301C82 1A506F70 6C617276 696C6C65 2E796F75 72646F6D 61696E2E
636F6D30 1F060355 1D230418 30168014 64EA4CAE 2029E4C2 702584C6 B5732464
5C9DA38A 301D0603 551D0E04 16041464 EA4CAE20 29E4C270 2584C6B5 7324645C
9DA38A30 0D06092A 864886F7 0D010104 05000381 81006C27 96E06B83 04DBDA81
EEB0AF35 84ED370E A8C9694E F9B9326D 69CB1043 9C396D7B 760D252F 4881926D
878E434F 9AFC3E6D A5BF43F2 E619D6EC F45C039A 5FFB478F A99F7EE5 274E37D5
11976FDE 823FD1A9 700203E5 67A329B3 F4CF45F0 245757C8 E2349276 B13414D1
017616FA 38A40BA8 42545AC5 C7676D21 29E4F491 CADB
quit
ip source-route
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.1 192.168.100.101
ip dhcp excluded-address 192.168.1.254
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
ip dhcp pool Internal_Network
network 192.168.1.0 255.255.255.0
dns-server 192.168.100.254
default-router 192.168.1.254
ip cef
ip domain name yourdomain.com
ip name-server 192.168.100.254
no ipv6 cef
license udi pid CISCO881-K9 sn FTX1604828T
username XXXXX privilege 15 secret 5 $1$QEcR$96cmvs/h/.05G6BnorcWG/
username XXXXX secret 5 $1$PQQ1$3.Vin0i/2uZ/KD0xEJ8GC.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp client configuration group YYYYYYY
key XXXXX_XXXXX_XXXXX
pool VPN-Pool
acl VPN-Access-List
crypto isakmp profile vpn-isakmp-profile-1
match identity group YYYYYYY
client authentication list vpn_xauth_ml_1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description WAN_INTERFACE
ip address 192.168.100.3 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
interface Vlan1
description VLAN1_INTERFACE
ip address 192.168.1.254 255.255.255.0
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
ip local pool VPN-Pool 192.168.1.151 192.168.1.200
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.100 21 192.168.100.3 21 extendable
ip nat inside source static tcp 192.168.1.100 80 192.168.100.3 80 extendable
ip route 0.0.0.0 0.0.0.0 192.168.100.254
ip access-list extended VPN-Access-List
permit ip 192.168.1.0 0.0.0.255 any
permit tcp host A.B.C.D host 192.168.1.100 eq ftp
permit tcp host A1.B1.C1.D1 host 192.168.1.100 eq ftp
permit tcp host A2.B2.C2.D2 host 192.168.1.100 eq ftp
permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.100 eq ftp
permit tcp host A3.B3.C3.D3 host 192.168.1.100 eq ftp
permit tcp any host 192.168.1.100 eq XXX
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
control-plane
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
^C
banner motd ^C XXXXX-XXXXX VPN Router ^C
line con 0
exec-timeout 30 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
password 7 124A50424A5E5550
transport input telnet ssh
scheduler max-task-time 5000
end
Hi Jennifer,
I have gotten it resolved. Per your suggestion, I turned on debug ip dhcp events and found the POOL EMPTY message. After a little research, I found out that I had made a mistake in my excluded-address range.
I have had it as
ip dhcp excluded-address 192.168.1.1 192.168.100.101
It should have been
ip dhcp excluded-address 192.168.1.1 192.168.1.101.
It was a typo.
Thank you for the suggestion.
Srini -
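The typo Srini describes (an excluded-address range whose end address sits in a different /24, swallowing the whole pool) is easy to catch before it reaches a router. The script below is an added example, not code from this thread: it parses the `ip dhcp excluded-address` and `ip dhcp pool ... network` statements from a configuration, mirrors IOS in leaving out the network and broadcast addresses, and reports how many leasable addresses each pool has left. The sample configuration is constructed from the pool and excluded-address lines posted above.

```python
"""Report IOS DHCP pools that excluded-address ranges leave empty.

Added example, not from the thread. Only 'ip dhcp excluded-address' and
'ip dhcp pool <name>' / 'network <addr> <mask>' are parsed.
"""
import ipaddress
import re

# Constructed from the posted configuration, including the typo in the range.
SAMPLE_CONFIG = """\
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.1 192.168.100.101
ip dhcp excluded-address 192.168.1.254
ip dhcp pool ccp-pool
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1
ip dhcp pool Internal_Network
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.254
"""

EXCLUDED = re.compile(r"^ip dhcp excluded-address (\S+)(?: (\S+))?$")
POOL = re.compile(r"^ip dhcp pool (\S+)$")
NETWORK = re.compile(r"^\s*network (\S+) (\S+)$")


def parse_pools(config):
    """Return (excluded_ranges, pools): [(low, high)] and {name: network}."""
    excluded, pools, current = [], {}, None
    for line in config.splitlines():
        line = line.rstrip()
        if m := EXCLUDED.match(line):
            lo = ipaddress.ip_address(m.group(1))
            hi = ipaddress.ip_address(m.group(2) or m.group(1))  # single address
            excluded.append((lo, hi))
        elif m := POOL.match(line):
            current = m.group(1)
        elif current and (m := NETWORK.match(line)):
            pools[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return excluded, pools


def leasable_counts(config):
    """{pool_name: number of addresses the pool can still hand out}."""
    excluded, pools = parse_pools(config)
    counts = {}
    for name, net in pools.items():
        # net.hosts() already drops the network and broadcast addresses.
        free = [h for h in net.hosts() if not any(lo <= h <= hi for lo, hi in excluded)]
        counts[name] = len(free)
    return counts


def empty_pools(config):
    """Names of pools with no leasable address, the 'POOL EMPTY' condition."""
    return sorted(name for name, count in leasable_counts(config).items() if count == 0)


if __name__ == "__main__":
    for name, count in leasable_counts(SAMPLE_CONFIG).items():
        print(f"{name}: {count} leasable address(es)")
    print("empty pools:", empty_pools(SAMPLE_CONFIG))
```

With the posted range, Internal_Network has zero leasable addresses; with the corrected range 192.168.1.1 192.168.1.101 it has 152 (the .102 to .253 block, since .254 is also excluded).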
GRE traffic can not pass through LRT224 IPSec Tunnel
Hi,
We have a problem when using a Cisco router GRE tunnel together with an LRT224 IPsec gateway-to-gateway tunnel.
We found that after a reboot, GRE packets cannot pass through the LRT224 IPsec tunnel. We need to restart several times before GRE comes back to normal.
Besides that, GRE keepalive packets cannot pass through the LRT224 IPsec tunnel.
Please help. I have tried upgrading to the latest firmware version.
Firmware Version : v1.0.3.09 (Dec 26 2014 14:28:46)
A-END:
interface Tunnel1
ip address 10.216.80.105 255.255.255.252
ip mtu 1400
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1360
ip ospf network point-to-point
ip ospf hello-interval 3
ip ospf cost 10000
tunnel source 10.216.81.2
tunnel destination 10.216.80.90
end
B-END:
interface Tunnel11
ip address 10.216.80.110 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
ip ospf network point-to-point
ip ospf cost 10000
ip ospf hello-interval 3
tunnel source 10.216.80.91
tunnel destination 10.216.81.3
end
CISCO2911 <> LRT224 <> INTERNET <> LRT224 <> CISCO 2621
San
Can you post the results of the command below for the Cisco routers?
IOS command: "sh version"
Why not use a static route without NAT through the LRT224 IPsec VPN?
Just curious: why did you use LRT224s for the site-to-site VPN instead of the Cisco routers?
Please remember to Kudo those that help you.
Linksys
Communities Technical Support -
Wi-Fi Installation in large property W/Cisco 2504
Hi,
I have an interesting job where I have to fit a Wi-Fi network throughout a large property. I was advised to use the Cisco 2504 WLC and 9 x Cisco AIR-AP1142N access points.
I know that out of the box the APs (in standalone versions) have the GUI enabled.
Not being completely up on CLI etc., is the WLC GUI enabled straight out of the box? If not, is it complicated to get it up and running? I'm pretty good at learning/understanding these things just as long as I have a rough idea of what to do!
Thanks in advance,
Josh
That's great, thanks Steve.
I have the controller (although the APs are still on order - out of stock), but I have one final question before I start to set it up!
I'm looking at this guide: http://www.cisco.com/en/US/docs/wireless/controller/2500/quick/guide/ctr2504_q_s.html#wp34023 and it talks about the Management interface. I presume the management IP address would be the fixed IP of the controller, if you like.
So if I had a network with a DHCP server, the router/server was 192.168.2.1 and the DHCP range started from .10, I could set this to be 192.168.2.2 with the router of the management interface being .2.1. I then could set the VLAN ID to 0 as I don't need a separate management LAN (it's only for a house after all, and if I lock it down with passwords it should be fine).
With the Management Port, I presume that can be the port that connects into the main PoE switch; similarly the Management DHCP server would be 192.168.2.1?
The Virtual Gateway IP address I guess is irrelevant as there will be no mobility group?
And DHCP bridging, like on any other Wi-Fi system/AP, would be 'No' as the router will be dealing with all DHCP requests?
Thanks again for your fantastic help so far!
Josh -
ISE tcp/8443 & 8905 from client
Hi,
Reading the port reference for ISE (http://www.cisco.com/en/US/docs/security/ise/1.2/installation_guide/ise_app_c-ports.html), I see that TCP ports 8443 and 8905 need to be allowed from the client to the PSN. I can't find the reason why. What are they used for? It says Discovery, but what kind of discovery?
Regards,
Philip
Please see the link below for detailed information on the TCP/UDP ports used by ISE.
http://www.cisco.com/en/US/docs/security/ise/1.0.4/install_guide/ise104_app_e-ports.html -
Cisco 8945 PC Port not working with Alternate TFTP ON
I have a Cisco 8945 at home (Internet provided via cable modem), and it had been working just fine. I have now found that the PC port on the phone will not pass data to my PC with Alternate TFTP on. I know the cabling is all correct; I can actually go into the Cisco phone and DISABLE the alternate TFTP servers on the phone. When I do that the phone no longer works, but the pass-through to the PC network port works and my PC connects to the Internet fine.
Enable the alternate TFTP servers again so my phone works, and my PC LAN adapter now thinks there is no longer a cable plugged into it.
What is it about the TFTP server being enabled (which is required to get my phone to work off the corporate VOIP switch up in Boston) that kills the PC port connectivity on the phone? -
Help required to implement Cisco 2504 WLC and 1042 Access Points
Hi,
My name is Vidya Sagar. I am new to wireless technology. We are planning to implement wireless in our office. I have given the requirements below. Kindly go through the details and let me know how to start.
We have purchased one Cisco 2504 Wireless Controller and five Cisco 1042 Access Points. At present I am going to use 3 access points only.
I have attached a simple diagram of our office network. We have more than 30 VLANs configured in Core Switch, we are planning to give wifi access to only 3 VLANs.
1. VLAN 121 ( IP Segment - 10.52.121.0 /24)
2. VLAN 116 ( IP Segment - 10.52.116.0 /24)
3. VLAN 100 ( IP Segment - 192.168.100.0 /24) (Guest)
Please give me an implementation plan to do this. I would like to use LDAP or ACS for authentication purposes.
Regards,
Vidya Sagar
Let's just do this the simple way first before you start using ACS, as that will require a certificate installed on the ACS for using PEAP.
So first off, we will say the WLC is in VLAN 10. When you are going through the startup wizard, make sure you define the VLAN tag as 10 on the management interface. Make sure your virtual interface is an IP address that is not routed in your network, like an out-of-band IP.
Make sure the WLC time is correct or use NTP!!!!
Now you should be able to http or https to the WLC. I would upgrade the code to v7.4 and install the FUS image. Please reference this link for the upgrade procedure. You don't have to upgrade now... I would wait till you get everything working first.
http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn74.html
Now I would connect the APs on the same VLAN as the WLC for now. Make sure there is DHCP on that subnet. Once the APs have joined, then you can move them to any subnet you want. Since you don't have many APs it would be okay to leave them in the same VLAN as the WLC management or put them on any other VLAN you choose. The APs will be connected to an access port, NOT a trunk port!!!!
The WLC will need to be connected on a dot1q trunk port only allowing VLANs 10,100,116,121. The 2504 running v7.4 will support LAG (EtherChannel). Anyway, your switch port should look like this, for example only:
interface GigabitEthernet1/0/1
description WLC2504
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10,100,116,121
spanning-tree portfast trunk
channel-group 10 mode on << only for v7.4 if you use LAG
Don't connect all four ports right now, just port one!!!!
For your Guest VLAN, you will need to create an ACL to block traffic from accessing the internal network. You might want to allow DHCP and DNS, but I would leave it open first until you can verify everything is working.
Now on the WLC you need to create a dynamic interface for VLANs 100, 116, and 121. If you click on the Controller tab in the GUI and click on Interfaces on the left-hand side, that will take you to where you can add/delete/modify your interfaces. When creating these interfaces, make sure you add the DHCP server IP address for the primary and/or backup.
Now that you have your dynamic interfaces created, it's time to create your SSID. Click on the WLAN tab in the GUI, click on WLAN, and then on the top right select Create New and click Go. Select WLAN in the drop-down menu, and for the profile name I would use the SSID name as well, for simplicity. Leave the WLAN ID at 1 for this one, 2 for the next, and so on. After defining these and clicking Apply, you can now define your SSID. On the General tab, enable the status and leave the radio policy at All for now; you can decide later what you want to use. Choose the interface you want to place this SSID on, enable Broadcast SSID for now, and leave everything else alone. Now click on the Security tab and under Layer 2 Security leave it at WPA + WPA2, check only WPA2 Policy, and for WPA2 encryption choose AES only. Now go to the bottom of that screen and choose PSK. We will use a pre-shared key for now so you get to understand the setup and make sure everything is working first. For the PSK format, choose ASCII and put your pre-shared key in the input box. Make it simple for testing; you don't want to put in symbols or anything like that. When you are done with that, click Apply on the top right and test.
Now you can repeat this with your other SSIDs just to test. Your guest network you can leave open for now to test open authentication.
Here are some links for the WebAuth feature:
https://supportforums.cisco.com/docs/DOC-13954
http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b1a506.shtml
Now if you want to use ACS with PEAP, here are some links for that:
https://supportforums.cisco.com/videos/2499
http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080bd1100.shtml
https://www.google.com/url?sa=t&source=web&cd=8&ved=0CFQQtwIwBw&url=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DWk_bRdmsQlA&ei=_BEyUeCYM8TdqAHHsICAAw&usg=AFQjCNF8PiVBQK1Kipb4j8AzD153bKtmgA&sig2=smHhNVmCr2of2NzbnDhGmw
Well that is it, hopefully you can get the wireless up for testing and verifying everything works!
Sent from Cisco Technical Support iPhone App -
How to pass TCP connection ID into subpanel VI
Hi,
I am trying to pass a TCP connection ID into a subpanel VI, but wasn't successful.
Here's the function I used:
I was able to pass other control values into the VI but not the TCP connection ID.
Are there any restrictions, or other ways I should do it?
Best regards,
Ken
Solved!
Go to Solution.
Hi Ken,
Is 'reference' a TCP connection ID? If so, wire the reference directly to the Ctrl Val.Set invoke node. No value property of the reference needed.
It definitely works with TCP connection IDs.
Hope this helps,
Daniel
Message Edited by dan_u on 02-20-2010 01:17 AM -
100% Noob - Need Help for basic setup of Cisco 2504 and 1600 AP
Hello,
I am a complete noob in (Cisco) networking.
I have to set up a basic but secure wireless network.
I have a Cisco 2504 and 2 APs 1600 + a random switch.
I have 4 ports on the controller.
I want to keep the 1st port on the network for the controller management, plug my Internet box into the 3rd port, and my switch into the 4th port. Then the APs will be on the switch.
I am able to make something work when everything is plugged into the switch, which is plugged into the first port (default management port). But this is not what I want.
First thing, Is that possible ?
1st port : office network
2nd port : empty
3rd port : Internet Box
4th port : Switch + all APs
Then, if that is possible, how should I configure the controller to make that work? I am completely lost in the menus.
I don't need a perfect configuration, just something simple and working:
1 SSID, 10 DHCP addresses, block wireless users trying to get onto the office network.
If anyone could help me do that, it would be very nice.
Thank you.
You basically need two SSIDs, one for corporate users and a second for guests. Check the link with step-by-step config and brief details.
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-vlan/70937-guest-internal-wlan.html -
Captivate 6 Text Entry Events Do Not Pass
I am a long-time user of Captivate going back to version 2. I've created a simulation course with numerous text entry events that do not validate correctly. I am typically using the TAB key to validate the text entered. I have several lessons where everything works fine, but many that have problems.
Typically when TAB is used at the end of a key press, you will see focus shift to the first button on the Play bar - and this does not cause any problems. I see this behavior on the events in my course that work. However, for the ones that do not work, I see the focus shifting to the Address Bar and the event will not pass.
The only workaround I have employed is to use On Focus Lost: Go to Next. This is not a great solution because the text no longer validates with this setting. These events will pass no matter what is entered.
I would really appreciate your help with this! My course is due soon. I would be happy to provide more information or upload my file for your inspection. Thank you!
For anyone who might be experiencing the same problem and looking for an answer - this is still 100% broken in Captivate version 6. None of the fixes discussed in the above referenced thread work. I tried playbar widgets, editing the playbars in Flash. No luck.
Adobe just moves forward from version to version not fixing the bugs they create in prior versions. That's your incentive to upgrade, folks.
Best workaround I can offer is Use ENTER as your validation keystroke. It doesn't have the same problems associated with TAB. Good luck! -
Scheduling Agreement -Schedule line should not pass the requirement to MRP
Hi Friends!
As we all know, scheduling agreements are outline agreements with future schedule lines; with this, the system will pass the requirements to MRP even for a schedule line that is 5 years out. So my requirement is: if the schedule line date is more than 15 days from the current date, then the requirement should not be passed to MRP.
The solution we gave is: the SA initially determines the schedule line category as CN (which will not transfer the requirement), and a batch job program runs daily and checks each schedule line; if any schedule line is within 15 days of the current date, it changes the schedule line category from CN to CP.
Now the problem is, which program do I have to call from the batch job to change the schedule line category?
1. We tried BAPI_SALESORDER_CHANGE, but when we change CN to CP it is not performing ATP, whereas if we do it manually it does.
2. We tried BDC, but here also we face a strange problem: while recording, the ATP screen is not populated, whereas it does appear when doing it manually.
Can someone let me know which program we should call in the batch job to do this change?
Regards
Nath
Hi Nath,
I also failed at changing the schedule line category in a user exit and in the BAPI.
In one case, I succeeded in doing it with a BDC after MV45AFZZ / userexit_save, just before the data are reset but after the commit work is processed.
The other possibility is to change the accepted amount in user exit RV03VFZZ / USEREXIT_AVAILABILITY_OUT.
The third possibility is to block the order with a delivery block, the same as the credit control block. This block can be set in MV45AFZZ or perhaps in the BAPI too.
Hans -
Dashboard prompt value is not passing into the report
Hi,
I am using OBIEE 10g. The problem is in Oracle BI Answers.
I have a prompt and its related report. In the prompt, in one of the columns, I am using an SQL result. The SQL query is a correlated sub-query where I have used 2 tables: employee_data and employee_region. The reason for using the sub-query is that there is no data_center column in the employee_data table; it has the records for all the data centers, e.g. USA, UK, IND, AUSTRALIA etc. So I used the sub-query with a condition that gives the result for a particular data center (here it is USA), and this sub-query's output is the input for the main query. The prompt works fine and gives the correct result.
The SQL query used for the column in the prompt (in Oracle BI Answers) is:
SELECT EMPLOYEE_DATA.ENAME FROM EMPLOYEE WHERE EMPLOYEE_DATA.ENAME IN (SELECT EMPLOYEE_REGION.ENAME FROM EMPLOYEE WHERE EMPLOYEE_REGION.DATA_CENTER = 'USA')
Now in the report there are 2 columns: EMPLOYEE_DATA.ENAME and EMPLOYEE_REGION.DATA_CENTER.
I have used the main column EMPLOYEE_DATA.ENAME for the filter as 'is prompted'.
The problem, from what I found, is that the value from the prompt is not passing to the report, because instead of showing the result for the 'USA' data_center, it also shows the other data centers' (UK, IND, AUSTRALIA) data.
Which filter condition should I use for the EMPLOYEE_DATA.ENAME column in the report so that the prompt value will pass to the report properly?
Thanks
Edited by: Kuldip on Feb 21, 2013 6:17 AM
Hi Kuldip,
There are 2 ways of doing it.
1. Nice and good: For the section where the report is placed, add a condition to display it only if it returns rows. For details please refer to:
http://bischool.wordpress.com/category/guided-navigation/
2. The easy way: Add a "No Result" view to your report and add a few spaces in the text.
Let me know if this helped.
Regards,
Jay -
Filters 'OR' function not passing the values to the sql
Hi,
I am facing an issue with the 'OR' function on the filters that are used in the reports.
The report needs to fetch all the records from the three tables as the user enters the values in the dashboard prompts.
eg: [ update_dt_A1 is prompted
and user_name_A1 is prompted ]
or
[ update_dt_B1 is prompted
and user_name_B1 is prompted ]
or
[ update_dt_C1 is prompted
and user_name_C1 is prompted ]
The values entered in the dashboard prompt get passed to the filter, but the values are not passed over to the SQL that runs on the database; hence the report shows all values and does not reflect the values entered.
When the 'OR' function is replaced with 'AND', the values get passed to the SQL.
Can anyone help with what the issue on the filters is?
Thanks
Here is how my filters are set up:
Vendor Name is Prompted
AND
Vendor Number is Prompted
AND
[ [Last_update_date_Vendor is prompted
AND
User_name_Vendor is prompted]
OR
[Last_update_date_Site is prompted
AND
User_name_Site is prompted]
OR
[Last_update_date_Bank is prompted
AND
User_name_Bank is prompted]
The values from the dashboard prompts get passed to the filter, but the SQL that runs does not take the values in the WHERE clause.