Cisco 5760 WLC initial config

Hi,
I am configuring a Cisco 5760 WLC and wondering if it is required to put in a default route. In this document it says to put one in, but I don't see why it is needed, as it is connected to a switch via a Layer 2 trunk.
Reference:
https://supportforums.cisco.com/docs/DOC-34430
Another question: since there are no more Dynamic Interfaces and they are replaced with Layer 2 & 3 interfaces instead, do all Layer 2 interfaces you create require a Layer 3 interface IP address to be configured also? As shown below:
Thanks

So by default the 5760 has IP routing enabled so you will need to put in a default route. A default gateway won't work unless you disable IP routing first.

Similar Messages

  • Attach WAP4410N as WGB to Cisco 5760 WLC with LWAP 3702

    I have a 5760 WLC with 3702 wireless infrastructure. Can I connect a WAP4410N AP as WGB to be attached to my current wifi network so I can provide connectivity to some wired devices? Any tips on doing so? And any limitation can be imposed for using this WAP instead of any other AP that are supported by WLC5760? If the wired clients are passive, configuring passive-client on WLC will work normally?

    Thanks Eric for the reply, however, this AP is not expected to be controlled by WLC as you mentioned since it is not lightweight and not supported by this WLC for compatibility. But in this scenario, I'm talking about operating it in WGB mode to be attached to the unified wireless infrastructure. In this scenario, it is just attached as a client that passes the traffic of its clients to the other side.
    I have noticed the below statement in this guide page (539)
    http://hcsdemo.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/37e/consolidated_guide/b_37e_consolidated_3650_cg.pdf
    When non-Cisco WGBs are used, the switch has no information about the IP address of the clients on the wired segment behind the WGB. Without this information, the switch drops the following types of messages:
    • ARP REQ from the distribution system for the WGB client.
    • ARP RPLY from the WGB client.
    • DHCP REQ from the WGB client.
    • DHCP RPLY for the WGB client.
    Accordingly, if the switch will drop all this traffic, then no traffic will be passed from the WGB clients to the network! What am I missing here?

  • HA clarification in cisco 5760 WLC

    Hi Experts ,
    We want to establish HA between two 5760 WLCs. These controllers will be in separate buildings. So is there any way that we can establish HA without using stacking cables?

    Hi guys! We have 2 WLC 5760 and one of them is a HA SKU and they HAVE to be in different buildings. Can we configure the HA SKU WLC as standalone and use mobility groups for redundancy? Is there a License issue in this scenario?
    Thanks in advance!

  • Query: Cisco 5760 WLC

    Hi All,
    I'm looking at the feature set offered by the 5760; so far I like it.
    However, I find it a bit hard to locate an "all in one" configuration guide for the platform.
    I came across individual pieces of the config guide which is based on CLI -IOS XE
    http://www.cisco.com/en/US/partner/products/ps12598/products_installation_and_configuration_guides_list.html
    What I'm after is a configuration guide similar to what we have for IOS 7.0 train which includes configurations done via GUI.
    Unless I need to fine tune or debug, I'm happy with the GUI when it comes to WLCs :-)
    On a side note, would there be a chassis based equivalent to the 5760 ?
    Any help is much appreciated.
    Thanks,
    Janesh

    Those are the only guides out right now. I guess you will have to wait a while before some better "How to Guides" become available. As far as the chassis, I believe they will, but not anytime soon.

  • 5760 WLC Clean Air question

    Hi,
    My customer has Cisco 5760 WLCs running as an HA pair. Clean Air has been configured on these boxes, but when I do a sh ap dot11 5ghz cleanair summary all the APs show Spectrum Oper State as Down:-
    CPIT-5760-WLC-1#sh ap dot11 5ghz cleanair summary
    AP Name               MAC Address         Slot ID  Spectrum Capable  Spectrum Intelligence   Spectrum Oper State
    AP1                   xxxx.xxxx.xxxx            1  Enabled           Enabled                 Down
    AP2                   xxxx.xxxx.xxxx            1  Enabled           Enabled                 Down
    AP3                   xxxx.xxxx.xxxx            1  Enabled           Enabled                 Down
    Anyone got any ideas as to how I overcome this little obstacle?
    Thanks
    Alan

    Thanks for the reply. As far as I can tell all the radios are operational:-
    and Clean Air has been configured:-
    ap dot11 24ghz cleanair
    ap dot11 5ghz cleanair
    Also the link you sent was for release 7 on the old series controllers whereas this is a HA pair of the 5760s running release 3.03.
    I have been through the configuring Clean Air chapter for this release and it doesn't suggest anything I haven't already tried.
    Alan

  • 5760 WLC compatibility with 887 routers in unified mode

    Hi,
    I was wondering if the Cisco 5760 WLC is compatible with APs in 887 routers when switched to unified mode? It seems like the WLC is rejecting it; it says unsupported AP.
    Cheers

    Not supported.
    Here is the supported AP list as of IOS-XE 3.6.0 (1700 & 1570 series support added in 3.7.0E)
    http://www.cisco.com/c/en/us/td/docs/wireless/technology/5760_deploy/CT5760_Controller_Deployment_Guide/Supported_Features.html#pgfId-1071753
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Cisco 5760 - Anchor config issue

    Hi,
    I am having an issue where the 5760 Anchor WLC has 4 subnets, but half of the VLANs need to go to a separate gateway and the other half to another gateway.
    Below image is what the network looks like:
    The router (Content Filtering) is the Gateway for 4 x SSID’s/VLANs
    The Firewall is the Gateway for the Management VLAN
    The issue here is that we have 2 separate Gateways and there is no way to define separate gateways for each VLAN on the 5760 WLC
    We have a default IP route 0.0.0.0 0.0.0.0 10.1.1.254 which is pointing to the Firewall. The firewall is not the gateway for the other 4 x SSID/VLANs that exist on the Anchor so we do not want all traffic going to the Firewall, only management traffic.
    Is there a way to set different gateways for different subnets/VLANs on the 5760 WLC? Keeping in mind that there is a default route pointing to the Firewall.
    Also, does the 5760 WLC act as a Layer 3 device?
    Thanks

    All types of deployments listed below for the Anchor configuration.
    Case solution :
    Wireless WebAuth and Guest Anchor Solutions
    The following sections show a WebAuthentication (WebAuth) configuration and Guest Anchor examples on the CT5760.
    Note: For a complete webauth configuration, please download the webauth bundle from the following URL: http://software.cisco.com/download/release.html?mdfid=284397235&softwareid=282791507&release=3.2.2&relind=AVAILABLE&rellifecycle=&reltype=latest. The readme file has all the GUI and CLI configuration for webauth.
    Configure Parameter-Map Section in Global Configuration
    The parameter map connection configuration mode commands allow you to define a connection-type parameter map. After you create the connection parameter map, you can configure TCP, IP, and other settings for the map.
    ! First section is to define our global values and the internal Virtual Address.
    ! This should be common across all WCM nodes.
    parameter-map type webauth global
    virtual-ip ipv4 192.0.2.1
    parameter-map type webauth webparalocal
    type webauth
    banner text ^C WEBAUTHX^C
    redirect on-success http://9.12.128.50/WEBAUTH/LOGINSUCCESS.HTML
    redirect portal ipv4 9.12.128.50
    Configure Customized WebAuth Tar Packages
    Transfer each file to flash:
    copy tftp://10.1.10.100/WebAuth/webauth/webauth_consent.html flash:webauth_consent.html
    copy tftp://10.1.10.100/WebAuth/webauth_success.html flash:webauth_success.html
    copy tftp://10.1.10.100/WebAuth/webauth_failure.html flash:webauth_failure.html
    copy tftp://10.1.10.100/WebAuth/webauth_expired.html flash:webauth_expired.html
    Configure Parameter Map with Custom Pages
    parameter-map type webauth webparalocal
    type webauth
    custom-page login device flash:webauth_consent.html
    custom-page success device flash:webauth_success.html
    custom-page failure device flash:webauth_failure.html
    custom-page login expired device flash:webauth_expired.html
    Configure Parameter Map with Type Consent and Email Options
    parameter-map type webauth webparalocal
    type consent
    consent email
    custom-page login device flash:webauth_consent.html
    custom-page success device flash:webauth_success.html
    custom-page failure device flash:webauth_failure.html
    custom-page login expired device flash:webauth_expired.html
    Configure Local WebAuth Authentication
    username guest password guest123
    aaa new-model
    dot1x system-auth-control
    aaa authentication login EXT_AUTH local
    aaa authorization network EXT_AUTH local
    aaa authorization network default local
    or
    aaa authentication login default local
    aaa authorization network default local
    Configure External Radius for WebAuth
    aaa new-model
    dot1x system-auth-control
    aaa server radius dynamic-author
    client 10.10.200.60 server-key cisco
    server-key cisco
    auth-type any
    radius server cisco
    address ipv4 10.10.200.60 auth-port 1812 acct-port 1813
    key cisco
    aaa group server radius cisco
    server name cisco
    aaa authentication login EXT_AUTH group cisco
    or
    aaa authentication login default group cisco
    Configure WLAN with WebAuth
    wlan Guest-WbAuth 3 Guest-WbAuth
    client vlan 100
    mobility anchor 192.168.5.1
    no security wpa
    no security wpa akm dot1x
    no security wpa wpa2
    no security wpa wpa2 ciphers aes
    security web-auth
    security web-auth authentication-list EXT_AUTH
    security web-auth parameter-map webparalocal
    no shutdown
    Configure HTTP Server in Global Configuration
    !--- These are needed to enable Web Services in the Cisco IOS® software.
    ip http server
    ip http secure-server
    ip http active-session-modules none
    Other Configurations to be Checked or Enabled
    !--- These are some global housekeeping Cisco IOS® software commands:
    ip device tracking
    ip dhcp snooping
    SNMP Configuration
    From the CT5760 console, configure the SNMP strings.
    snmp-server community public ro
    snmp-server community private rw
    IPv6 Configuration
    IPv6 is supported on the data path. Wireless clients will be able to get an IPv6 address.
    Enable IPv6 Snooping - CT5760
    There are slight differences in configurations on a CT5760 when configuring IPv6. To enable IPv6 on a CT5760, the following step must be completed.
    ipv6 nd raguard policy testgaurd
    trusted-port
    device-role router
    interface TenGigabitEthernet1/0/1
    description Uplink to Core Switch
    switchport trunk native vlan 200
    switchport mode trunk
    ipv6 nd raguard attach-policy testgaurd
    ip dhcp snooping trust
    Enable IPv6 on Interface - CT5760
    Based on interfaces that need IPv6 configurations and the type of address needed, respective configurations are enabled as follows. IPv6 configurations are enabled on VLAN200.
    vlan configuration 100 200
    ipv6 nd suppress
    ipv6 snooping
    interface Vlan100
    description Client VLAN
    ip address 10.10.100.5 255.255.255.0
    ip helper-address 10.10.100.1 2001:DB8:0:10::1/64
    ipv6 address FEC0:20:21::1/64
    ipv6 enable
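
An added example, not part of the original post or of Cisco's guide: a small Python audit that flags the credential choices visible in the configuration above (the `public`/`private` SNMP communities, the `username ... password` form, and the `cisco` RADIUS keys). The weak-value list, the 12-character threshold and the rule names are assumptions for illustration, the HTTP rule assumes that `ip http active-session-modules none` is what keeps management sessions off the cleartext listener, and the sample input is constructed from lines on this page.

```python
import re

# Constructed sample: commands copied from the configuration shown on this page.
SAMPLE = """\
username guest password guest123
aaa new-model
aaa server radius dynamic-author
 client 10.10.200.60 server-key cisco
 server-key cisco
radius server cisco
 address ipv4 10.10.200.60 auth-port 1812 acct-port 1813
 key cisco
ip http server
ip http secure-server
ip http active-session-modules none
snmp-server community public ro
snmp-server community private rw
"""

# Assumed policy inputs for this illustration, not Cisco requirements.
WEAK_VALUES = {"public", "private", "cisco", "guest", "guest123", "admin", "password"}
MIN_SECRET_LEN = 12


def weak(value):
    """True when a secret is a well-known default or shorter than policy allows."""
    return value.lower() in WEAK_VALUES or len(value) < MIN_SECRET_LEN


def audit(config):
    """Return (line_no, rule, detail) findings for an IOS-style config text."""
    lines = [raw.strip() for raw in config.splitlines()]
    # Web-auth redirection needs the HTTP listener; this command keeps the
    # management session modules off it, so its absence is what gets flagged.
    http_locked = "ip http active-session-modules none" in lines
    findings = []
    for no, line in enumerate(lines, 1):
        if not line or line.startswith("!"):
            continue
        m = re.fullmatch(r"snmp-server community (\S+)(.*)", line, re.I)
        if m:
            name = m.group(1)
            mode = "rw" if re.search(r"\brw\b", m.group(2), re.I) else "ro"
            if weak(name):
                findings.append((no, "snmp-weak-community", f"{name} ({mode})"))
            if mode == "rw":
                findings.append((no, "snmp-write-access", name))
            continue
        m = re.fullmatch(r"username (\S+) (?:.* )?password (?:\d )?\S+", line, re.I)
        if m:
            # 'password' is stored in clear or reversible type 7; 'secret' is hashed.
            findings.append((no, "reversible-password", m.group(1)))
            continue
        m = re.fullmatch(r"(?:client (\S+) )?(server-key|key) (?:(\d) )?(\S+)", line, re.I)
        if m:
            client, keyword, enc, value = m.groups()
            # Only cleartext (no type or type 0) values can be judged for strength.
            if enc in (None, "0") and weak(value):
                where = f"client {client}" if client else keyword
                findings.append((no, "radius-weak-secret", where))
            continue
        if line == "ip http server" and not http_locked:
            findings.append((no, "http-mgmt-cleartext", line))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The findings carry the line number and the user, client or keyword involved, but not the RADIUS key or password itself, so the output can be pasted into a ticket.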

  • Has anyone deployed converged access with 3850 switches and 5760 WLCs?

    Has anyone deployed a converged access network architecture with 3850 switches and 5760 WLCs? I have done lots of projects with the 5508 WLCs In a centralized deployment. Basically with this design, I manage 2 logical networks as the wireless network is an overlay over the wired network. I can design firewall to segregate traffic between the wired and wireless hence I can carry both staff and guest traffic.
    Now Cisco is telling us that there is a new design such that the data plane traffic can be dropped locally through the 3850 switches. I am not sold on this and have not found any recommended best practices on when we should use a converged access architecture.
    Pros
    With converged access, data traffic is terminated at the MA which is on the switches, hence the WLC will not be a bottleneck? This is to prepare adoption for 802.11ac?
    Less hops for voice calls from user A to user B as data control traffic is dropped locally.
    Cons
    Now how do I segregate guest and staff traffic if my security folks say I need a firewall?
    Troubleshooting wireless client mobility will be a nightmare as the 3850 switches are MA.
    Pushing and upgrading code for the Code will mean upgrading the stack of switches in the LAN riser. This will be painful in a huge campus environment like a university.
    Can someone convince me why would a customer choose converged access?

    They choose CA because of the capwap termination at the switch. You can still use a 5508 and tunnel guest to a DMZ segment if you wish. You will need a 5508 though if you want to tunnel traffic to an anchor WLC.

  • Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS

    Has anyone experienced a problem getting a Cisco WLC to work with MS NPS server? We've done it before, albeit with different code versions.
    I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication.  I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user"  along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.
    Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond, which in turn causes the WLC to switch to the other NPS server, which produces the same issue.
    Any ideas of what might be the issue or misconfiguration?

    Jim,
    I wanted to know if you can set up Wireshark on both of the boxes and see if you are hitting the following bug:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044
    It looks as if the WLC is retransmitting the client traffic from one radius session with primary over to the secondary in which the radius state attribute that was assigned from the primary server is probably hitting the secondary server. Therefore if the state attribute isn't assigned from the secondary server it will discard the packet.
    May need to open a TAC case to see if this issue is on the 550x controllers also.
    Thanks,
    Tarik

  • Cisco 5760 controller in centralized mode supports 4404 controller as anchor controller?

    Hello All,
    I have a Cisco 5760 controller running in centralized mode. I want to configure one 4404 controller as anchor controller to work with the 5760 controller. Is this supported?
    Thanks in advance
    Shabeeb

    No, it is not supported.
    You cannot have a mobility peer with 5760 unless you enable "new mobility" on its peer. In CUWN products this is supported in 5508/WiSM2/8510 on specific codes. In current supported codes it has to be 7.6.x or 8.x.
    As you know, 4400 only supported up to 7.0.x code. So new mobility is not supported, hence you cannot peer with CA products.
    In case you have a "new mobility" supported WLC, here is how you configure it:
    http://mrncciew.com/2014/05/06/configuring-new-mobility/
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • 5760 WLC cross-stack port-channels?

    Hi would anyone know if cross-stack port-channels can be configured on a stack of 5760 WLC's?
    I need to aggregate x4 20Gb port-channels comprised of x8 10Gb 10G-LR SFP's
    Thanks

    Please check the below link
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/5700/software/release/3se/layer2/command_reference/b_lay2_3se_5700_cr/b_lay2_32se_5700_cr_chapter_010.html

  • 5760 WLC Features

    The release notes for the new 5760 WLC mention that "profiling and on boarding" are not yet supported.
    http://www.cisco.com/en/US/docs/wireless/controller/3.2_0_se/release_notes/OL28115_3_2_se_rn.html
    Does this mean that when using ISE with Guest Server features, device profiling or guest self registration isn't supported ??

    Yes, it is true that 5760 does not support "profiling and on boarding". But when you use ISE for the same it will support the entire feature which you are looking for.

  • Cisco 4404 WLC causing a DOS attack several times a day

    Hi Everyone
    Excuse if this is a duplicate post, but I have searched the forums, but no joy. I also posted it in wireless security as this is where I felt it fits.
    Anyway onto my issue:
    I manage a CISCO 4404 WLC with about 46 access points across our WAN. System works very well, serving trusted users, guests etc very well.
    However, over the last month or two we have had an issue where we have had high load on our WAN.
    We have traced this down to the CISCO 4404, about 3-4 times a day, the controller connects to every access point and transmits about 5-8mb of data on port 5427. This in itself would not be a problem, but it connects to all 46 at the same time.
    Yes, 46 x 5mb = no WAN for about 2-5 minutes.
    ARGH!
    So can anyone suggest where I start to look? I am happy to post configs etc. Firmware 7.0.230
    Cheers

    Hi Steve
    Yes it is the capwap port. The remote access points are in hreap mode and servicing trusted network access (802.1x) and guest access  is tunnelled across the wan with local breakout from the 4404 via a dedicated vlan. The guest wireless is wpa2.
    As the traffic originates from the 4404 and goes to all access points we don't believe it is a network breach. I always hate the phrase "it affects everyone", it usually does not, however in this instance the packeteer shows it does connect to every access point.
    DNS is also configured so when new access points are connected they get auto join and get a base configuration.
    This issue has been going on since at least Christmas and we put a packeteer box between our wan and our local network. We can say it is the 4404.

  • WCS and WLC WLAN Config not fully in sync

    Hi,
    We're facing the issue that the WCS and WLC WLAN config is not fully in sync. WLC is showing server 1 is IP:10.160.22.151, Port:1812 but WCS server is showing none even after clicking on the “Audit” button. Any idea how to resolve this issue? Is this causing any wireless problem? Attached is a screen capture. Thanks for your help.

    You mentioned "audit". Have you done a WCS audit so the WLC and WCS are in SYNC?
    If you make a change on the WLC you will not see it in WCS UNLESS they are SYNC. You will see the term "mismatch".
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Prime Infrastructure 2.2 problems: Wired Detailed Device Inventory report not running / Cisco 5500 WLCs not listed in subgroup

    New installation of Prime Infrastructure 2.2.0 (PI-VA-2.2.0.0.158.ova)
    installed fixes/software/device packs:
    PI 2.2.1 Poodle Fix (installed)
    PI 2.2.1 Maintenance Release (installed,ncs stopped,rebooted)
    Prime Infrastructure 2.2 Device Pack 3 (installed,ncs stopped,rebooted)
    Licences installed (ncs stopped,rebooted)
    Added all devices via Bulk Import (Inventory>Device Management>Network Devices)
    Problem 1:
    The Cisco 5500 WLCs are not listed in Inventory>Device Management>Network Devices (see screen shot) but listed under "All Devices"!
    The Cisco 4400 WLCs and the 8500 WLCs are listed within their subgroup.
    Devices are in "Managed State"
    Problem 2: fixed! (Browser issue)
    Problem 3:
    Unable to run "Wired Detailed Device Inventory" report because I get the error message: Failed to run report: Unable to retrieve data for: Chassis Information (if Chassis Information is selected, if System Information is selected I get the error message with ...retrieve data for:System Information)
    All devices do have an "Admin Status = Managed" and the Last Inventory Collections Status = Completed.
    Has anyone the same issues or a tip for me?
    Another topic, the "User Defined Fields" are not exported when running a "Device Export" (Inventory > Device Management > Network Devices). ;-(
    BR
    Bastian

    Hello Bastian,
    I think you still have a browser issue. Using IE is still the best with Prime.
    I have exactly the same Prime 2.2 and installed fixes/software/device packs.
    I have no problem; I can see all views. I now use IE 11; with Chrome 42.0.2311.90 and Firefox 37.01 I have problems too with lots of views. You have not told us what browser + version you have.
    Since you have same prime 2.2 as me. I have other problems, can you check yours?
    Can you see a functional CLI template page at Configuration > Templates > Features & Technologies:
    https://supportforums.cisco.com/discussion/12481691/can-cisco-prime-22-still-do-simple-ad-hoc-deployment-job-cli-over-all-switches
    Do you have SNMP Connectivity Failed while Verify Credentials  has no errors all green and checked. 
    https://supportforums.cisco.com/discussion/12494786/snmp-request-exceeds-internal-data-buffer-512-bytes-prime-22-asa-5545
