Cisco 8510 WLC and RTU licence

Similar Messages

• Help required to implement Cisco 2504 WLC and 1042 Access Points

  Hi,
  My name is Vidya Sagar. I am new to Wireless technology. We are planning to implement Wireless in our office. I have given the requirements below. Kindly go through the details and let me know how to start.
  We have purchased Cisco 2504 Wireless Controller (One) and Ciscon 1042 Access Points (Five). At present I am going to use 3 access points only.
  I have attached a simple diagram of our office network. We have more than 30 VLANs configured in Core Switch, we are planning to give wifi access to only 3 VLANs.
  1. VLAN 121 ( IP Segment - 10.52.121.0 /24)
  2. VLAN 116 ( IP Segment - 10.52.116.0 /24)
  3. VLAN 100 ( IP Segment - 192.168.100.0 /24) (Guest)
  Please give me a implementation plan to do this. I would like to use LDAP or ACS for authentication purpose.
  Regards,
  Vidya Sagar

  Lets just do this simple first before you start using ACS as that will require a certificate installed on the ACS for using PEAP.
  So first off, the WLC we will say is in vlan 10. When you are going through the startup wizard, make sure you define the vlan tag to 10 on the management interface. Make sure your virtual interface is an IP address that is not routed in your network, like an out of band IP.
  Make sure the WLC time is correct or use NTP!!!!
  Now you should be able to http or https to the WLC. I would upgrade the code to v7.4 and install the FUS image. Please reference this link for the upgrade procedure. You don't have to upgrade now... I would wait till you get everything working first.
  http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn74.html
  Now I would connect the APs on the same vlan as the WLC for now. Make sure there is dhcp on that subnet. Once the APs have joined, then you can move them to any subnet you want. Since you don't have many APs it would be okay to leave them in the same vlan as the WLC management or out them on any other vlan you choose. The APs will be connected to an access port NOT a trunk port!!!!
  The WLC will need to be connected on a dot1q trunk port only allowing vlans 10,100,116,121. The 2504 running v7.4 will support LAG (etherchannel). Any ways, your switch port should look like this for example only
  Interface gigabit1/0/1
  description WLC2504
  switch port trunk encapsulation dot1q
  switchoort mode trunk
  switch trunk allowed vlans 10,100,116,121
  spanning-tree portfast trunk
  channel-mode group 10 mode on << only for v7.4 if you use lag
  Don't connect all four ports right now, just port one!!!!
  Your Guest vlan, you will need to create an ACL to block traffic from accessing the internal network. You might want to allow dhcp and DNS bit I would leave it open first until you can verify everything is working.
  Now on the WLC you need to create a dynamic interface for vlan 100, 116, and 121. If you click on the Controller tab in the GUI and click on interfaces on the left hand side, that will take you to where you can add/delete/modify your interfaces. When creating these interfaces, make sure you add the dhcp server IP address for the primary and or backup.
  Now that you have your dynamic interfaces created, its time I create your SSID. Now click on the WLAN tab on the GUI and click on WLAN and then on the too right select Create New and then click go. Select WLAN on the drop down menu and then for the profile name I would use the SSID name also for simplicity.lean e the WLAN id to 1 for this and 2 for the next and so on. After defining these and clicking Apply you can now define your SSID. On the General tab, enable the status and leave the radio policy to all for now, you can decide later what you want to use. Choose your interface you wan to place this SSID on and enable Broadcast SSID for now and leave everything else alone. Now click on the Security tab and on the layer 2 Security, leave it at WPA + WPA2, only check WPA2 Policy and for WPA2 encryption choose AES only. Now go to the bottom of that screen and choose PSk. We will do pre shared key for now so you get to understand the setup and make sure everything is working first. Now on the PSK format, choose ASCII and put your pre shared key in the input box. Make this simple to for testing. You don't want to put in symbols or anything like that. When you are don with that, check apply on the top right and test.
  Now you can repeat this with your other SSIDs just to test. Your guest network you can leave open for now to test open authentication.
  Here are some links for the WebAuth feature:
  https://supportforums.cisco.com/docs/DOC-13954
  http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b1a506.shtml
  Now if you want to use ACS with PEAP, here is some links for that:
  https://supportforums.cisco.com/videos/2499
  http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080bd1100.shtml
  https://www.google.com/url?sa=t&source=web&cd=8&ved=0CFQQtwIwBw&url=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DWk_bRdmsQlA&ei=_BEyUeCYM8TdqAHHsICAAw&usg=AFQjCNF8PiVBQK1Kipb4j8AzD153bKtmgA&sig2=smHhNVmCr2of2NzbnDhGmw
  Well that is it, hopefully you can get the wireless up for testing and verifying everything works!
  Sent from Cisco Technical Support iPhone App

• Cisco 526 WLC and 2106 WLC in one Mobility Group

  Hi,
  is it possbile to build a solution with one Cisco 526 Wireless Express Mobility Controller and one Cisco 2106 Wireless LAN Controller in one Mobility Group regarding seamless roaming??
  Thank for your answers
  Best regards
  Stephan

  I don't know if it is possible, but I would think if you had any issues, TAC wouldn't support it. Try opening a case with TAC to see.

• Cisco Hreap WLC and Apple TV

  We are having problems getting apple tv to work for a customer.  We have this working on a different controller and the AP (non Hreap).  The AP/SSID that is having problems is setup the same (Blocking is set to disabled, and mutlicast is enabled).  This one is setup for hreap, is that the problem, is it possible to utilize the airplay with an hreap installation?
  Thanks,
  Joe

  Hi Joe,
  What is the wlc model and code running on it?
  Is the concerned WLAN enabled for local switching?
  - If its in local switching mode, AP multicast mode set to multicast-to-multicast mode will not work, basically not supported. Is that the case?
  - If its centrally switched it should work.
  - Check if you have other multicast settings set-up correctly, global multicast and IGMP snooping enable.
  I assume multicast routing is enabled on all WLc management, AP manager/AP, client vlan.
  Regards
  Sahil

• Prime Infrastructure 2.2- problems: Wired Detailed Device Inventory report not running / Cisco 5500 WLCs no listed in subgroup

  New installation of Prime Infrastructure 2.2.0 (PI-VA-2.2.0.0.158.ova)
  installed fixes/software/device packs:
  PI 2.2.1 Poodle Fix (installed)
  PI 2.2.1 Maintenance Release (installed,ncs stopped,rebooted)
  Prime Infrastrucutre 2.2 Device Pack 3 (installed,ncs stopped,rebooted)
  Licences installed (ncs stopped,rebooted)
  Added all devices via Bulk Import (Inventory>Device Management>Network Devices)
  Problem 1:
  The Cisco 5500 WLCs are not listed in Inventory>Device Management>Network Devices (see screen shot) but listed under "All Devices"!
  The Cisco 4400 WLCs and the 8500 WLCs are listed within their subgroup.
  Devices are in "Managed State"
  Problem 2: fixed! (Browser issue)
  Problem 3:
  Unable to run "Wired Detailed Device Inventory" report because I get the error message: Failed to run report: Unable to retrieve data for: Chassis Information (if Chassis Information is selected, if System Information is selected I get the error message with ...retrieve data for:System Information)
  All devices do have an "Admin Status = Managed" and the Last Inventory Collections Status = Completed.
  Has anyone the same issues or a tip for me?
  Another topic, the "User Defined Fileds" are not exported when with running a "Device Export" (Inventory > Device Management > Network Devices). ;-(
  BR
  Bastian

  Hallo Bastian,
  I think you still have browser issue, Using IE is still the best with Prime.
  I have exactly same prime 2.2 and installed fixes/software/device packs.
  I have no problem I can see all views. I use now IE 11, with Chrome 42.0.2311.90 and firefox 37.01 I have problems too with lots of views. You have not tell what browser + version you have.
  Since you have same prime 2.2 as me. I have other problems, can you check yours?
  Can you see a functional CLI template page at Configuration > Templates > Features & Technologies:
  https://supportforums.cisco.com/discussion/12481691/can-cisco-prime-22-still-do-simple-ad-hoc-deployment-job-cli-over-all-switches
  Do you have SNMP Connectivity Failed while Verify Credentials  has no errors all green and checked. 
  https://supportforums.cisco.com/discussion/12494786/snmp-request-exceeds-internal-data-buffer-512-bytes-prime-22-asa-5545

• Cisco 5760 WLC initial config

  Hi,
  I am configuring up a Cisco 5760 WLC and wondering if it is required to put in a default route? In this document it says to put one in but i dont see why it is needed as it is connected to a switch via a layer 2 Trunk.
  Reference:
  https://supportforums.cisco.com/docs/DOC-34430
  Another question, since there is no more Dynamic Interfaces and they are replaced with Layer 2 & 3 interfaces instead. Do all Layer 2 interfaces you create require a layer 3 interface IP address to be configured also? As shown below:
  Thanks

  So by default the 5760 has IP routing enabled so you will need to put in a default route. A default gateway won't work unless you disable IP routing first.
  Sent from Cisco Technical Support iPhone App

• WLC and LWAP Registration Log Question

  We have a Cisco 4404 WLC and and about 70 Cisco 1131 APs.  I am very new to the Cisco WLC and I need to know how to view its AP registration and unregistration logs.  We have a AP that has unregistered and we can't seem to find what switchport it was attached to.  It would be helpful to know the IP address and ideally any CDP information it had.  Unfortunately you can only view this information in the WLC if the AP is registered, but at this point it is not.  Any help would be appreciated.

  You will not be able to find that info unless you still see the information on the log about the AP. You would have to either review the switch cdp info as long as the AP is still functioning or else you will just need to physically track it down. If you have WCS or NCS, you should be able to review the past history and the maps would show you where that AP was located if the ap were positioned correctly.
  Thanks,
  Scott Fella
  Sent from my iPhone

• Initial AP registration on a 8510 WLC HA-SKU and N+1 deployment

  Hi,
  We have several 8510 controllers and one of them needs to be configured as HA SKU for N+1 deployment. I am testing the scenario with two controllers right now, so I have the primary and the secondary controller configured as part of the same Mobility Group and they appear UP. Please, see the rest of the configuration below.
  When I power off the Primary controller, the APs don’t register to the HA SKU controller (secondary). These two controllers are in different parts of the network but they are members of the same mobility group.
  Do I need to specify the HA SKU controller in the DHCP scope for the APs? I am not sure what I am missing....
  Do you have any suggestions?
  Thank you.
  Primary Controller:
  (Cisco Controller) >show redundancy summary
   Redundancy Mode = SSO DISABLED
       Local State = ACTIVE
        Peer State = N/A
              Unit = Primary
           Unit ID = XX:XX:XX:XX:XX:XX
  Redundancy State = N/A
      Mobility MAC = XX:XX:XX:XX:XX:XX
  Redundancy Management IP Address................. 0.0.0.0
  Peer Redundancy Management IP Address............ 0.0.0.0
  Redundancy Port IP Address....................... 0.0.0.0
  Peer Redundancy Port IP Address.................. 169.254.0.0
  Wireless --> Access Points -->  Global Configuration:
  (Cisco Controller) >show redundancy summary
   Redundancy Mode = SSO DISABLED
       Local State = ACTIVE
        Peer State = N/A
              Unit = Secondary - HA SKU
           Unit ID = XX:XX:XX:XX:XX:XX
  Redundancy State = N/A
      Mobility MAC = XX:XX:XX:XX:XX:XX
  Redundancy Management IP Address................. 0.0.0.0
  Peer Redundancy Management IP Address............ 0.0.0.0
  Redundancy Port IP Address....................... 0.0.0.0
  Peer Redundancy Port IP Address.................. 169.254.0.0
  Controller--> General:

  Hi Scott,
  Yes, it is N+1 HA with HA-SKU what I need to implement.
  “6000 Access Points Supported” is shown in the main GUI page.
  I followed the guide you mentioned to do this configuration:
  1 - From the primary controller, configure the backup controller on the primary to point to the secondary controller:
  (Cisco Controller) >config advanced backup-controller primary Secondary 10.9.51.252
  (Cisco Controller) >show advanced backup-controller
  AP primary Backup Controller .................... Secondary 10.9.51.252
  AP secondary Backup Controller ..................  0.0.0.0
  2 - On the permanent AP count WLC, use the config redundancy unit secondary command to convert the controller into an HA-SKU secondary controller:
  (Cisco Controller) >config redundancy unit secondary
  (Cisco Controller) >
  3- On the CLI, use the show redundancy summary command to view the status of the primary and secondary controllers:
  Primary:
  (Cisco Controller) >show redundancy summary
   Redundancy Mode = SSO DISABLED
       Local State = ACTIVE
        Peer State = N/A
              Unit = Primary
           Unit ID = F8:72:EA:66:B8:A0
  Redundancy State = N/A
      Mobility MAC = F8:72:EA:66:B8:A0
  Redundancy Management IP Address................. 0.0.0.0
  Peer Redundancy Management IP Address............ 0.0.0.0
  Redundancy Port IP Address....................... 0.0.0.0
  Peer Redundancy Port IP Address.................. 169.254.0.0
  Secondary:
  (Cisco Controller) >show redundancy summary
   Redundancy Mode = SSO DISABLED
       Local State = ACTIVE
        Peer State = N/A
              Unit = Secondary - HA SKU
           Unit ID = F8:72:EA:66:E4:40
  Redundancy State = N/A
      Mobility MAC = F8:72:EA:66:E4:40
  Redundancy Management IP Address................. 0.0.0.0
  Peer Redundancy Management IP Address............ 0.0.0.0
  Redundancy Port IP Address....................... 0.0.0.0
  Peer Redundancy Port IP Address.................. 169.254.0.0
  As far as I can tell I have completed all the steps. In my configuration, “Redundancy Management IP Address” and “Peer Redundancy Management IP Address” are 0.0.0.0; these are the only differences I can find with the configuration in the Guide.
  Redundancy Management IP Address................. 0.0.0.0
  Peer Redundancy Management IP Address............ 0.0.0.0
  Thank you.
  Joana.

• Cisco wlc and steel belted radius

  we have cisco wlc controller  that have  two ssid  one for user and one for guest
  we need the  user in ssid 1 take user name and password from  user group in active directory through steel belted radiu
  please send to me any integrated guide between cisco wlc and steel belted radius
  regards

  Hi                                                      Mohammad,
  I am unaware of a specific Steel Belted RADIUS intrgration guide for the WLCs, however the configuration process on the controller will be the same:
  Cisco WLC Configuration Guide 7.0 - Configuring RADIUS:
  http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70sol.html#wp1388328
  You may wish to contact your RADIUS vendor for additional configuration steps on the server.
  Best,
  Drew

• Cisco WLC and Microsoft NAP

  Hi, I want to integrate my Cisco WLC directly into Microsoft NAP. Is this possible?
  Thanks

  follow the table in the link http://www.cisco.com/en/US/docs/security/nac-nap/1.0/release/notes/NACNAPRN.html#wp1134942 for the integration of WLC and Microsoft NAP

• Mobility between Cisco WLC and Meraki(other vendor)

  Is it possible that users can roam between Cisco WLC and other vendor wireless gear? Meraki keeps saying it is possible.
  They keep saying it is a IEEE feature and everone should support but I do not understand how?

  While theoretically possible with the adoption of capwap, it would require all the manufacturers to follow the specs exactly the same. Kind of like hearding cats, not impossible, but highly unlikely.. That's just my opinion
  Sent from Cisco Technical Support iPad App

• 8510 WLC realase 8.1 New mobility?

  Hi,
  Does someone know when the release 8.1 for the 8510 WLC is coming? Does it going to support the New Mobility stuff? As far as I know, Cisco was planning to include this feature back again in version 8.1.
  Thank you.
  Joana.

  We have a 8510 WLC as a foreign controller and a 5760 as a mobility anchor in the DMZ. Will this be supported?
  Yes, Guest anchoring will be supported between 8510 with new mobility & 5760
  We have been advised to use 2504 WLCs as mobility anchors for smaller sites. Do you think they will interoperate fine with our core/foreign 8510 WLCs?
  I would think so. 2504 with new mobility, you should be able to peer it with 8510.
  HTH
  Rasika
  *** Pls rate all useful responses ****

• ISE 1.2 With WLC and AD

  Hi everyone,
  What is the steps and Procedure implement Wired and wireless authentication with ISE, WLC and AD for a LAB environment. currently the following are done.
  The wireless network is configured with 2 SSID (Staff and Guest) 
  Active Directory, DNS, DHCP, and  NTP configured & synced.
  ISE and AD running on C220 VMs, and WLC is 5760 Appliance.
  Please provide your thoughts and assistance.
  Regards

  You have to implement dot1x and radius between your NAD and ISE device.
  Using the switch 3850, that are the steps: 
  username RADIUS-HEALTH password radiusKey1 privilege 15
  aaa new-model
  aaa authentication login default local
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa authorization auth-proxy default group radius
  aaa accounting update periodic 5
  aaa accounting auth-proxy default start-stop group radius
  aaa accounting dot1x default start-stop group radius
  !this password will be used to communicate with ISE and to verify reachability
  !between ISE and Switch
  aaa server radius dynamic-author
   client 172.16.1.18 server-key 7 radiuskey
   client 172.16.1.20 server-key 7 radiuskey
  ip domain-name lab.local
  ip name-server 172.16.1.1
  dot1x system-auth-control
  interface GigabitEthernet1/0/3
   switchport mode access
   switchport voice vlan 50
   switchport access vlan 10
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action authorize voice
   authentication event server alive action reinitialize
   authentication host-mode multi-auth
   authentication open
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  ip access-list extended ACL-ALLOW
   permit ip any any
  !the comm between radius and ise will occur on these Port
  ip radius source-interface Vlan100
  logging origin-id ip
  logging source-interface Vlan100
  logging host 172.16.1.20 transport udp port 20514
  logging host 172.16.1.18 transport udp port 20514
  ip radius source-interface Vlan100
  logging origin-id ip
  logging source-interface Vlan100
  logging host 172.16.1.20 transport udp port 20514
  logging host 172.16.1.18 transport udp port 20514
  snmp-server community ciscoro RO
  snmp-server community public RO
  snmp-server trap-source Vlan100
  snmp-server source-interface informs Vlan100
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 10 tries 3
  radius-server vsa send accounting
  radius-server vsa send authentication
  !defining ISE servers
  radius server ISE-RADIUS-1
   address ipv4 172.16.1.20 auth-port 1812 acct-port 1813
   automate-tester username RADIUS-HEALTH idle-time 15
   key radiusKey
  Please be sure that NTP servers and time are synchronized. 
  enable dot1X on windows machine, or using cisco NAM. 
  you can enable debugging on aaa authentication to see the events. 
  you have to create this user on ISE (RADIUS-HEALTH). 
  3850#test aaa group radius username password new-code 
  and observe the result. You are supposed to have user authenticated successfully. 
  You Must also have define these device in ISE on the radius interface.
  ip radius source-interface ..... use this interface ip address to define Ip address of the NAD device in ISE. 
  administration-->network resources -->Network Devices-->Add
  input the name
  input the Ip address for radius communication
  select the authentication settings and field the corresponding shared secret radius key
  select snmp settings and select version 2c. 
  snmp community : ciscoro
  you can customize the polling interval if you want and that all. 
  you are supposed to received message communication between your NAD and ISE. 
  After you can do the procedure for WLC device. 
  I will fill it after you have passed the first steps (3850 authentication). 

• Problem share folder WLC and pc macbookpro

  I am doing a migration from my wireless network in the old network in the PC MacBookPro I can see shared files on the network. But when I connect to the SSID configured on the WLC and I can not see shared files on the network. I have no ACL configured on the SSID.

  Bonjour is a non-routabe multicast based service. A trick I use sometimes is to configure the WLAN to be in hreap mode if the ap is located locally to the target bonjour device.if your running in local mode, make sure they are on the same vlan and global multicast is enabled.
  Sent from Cisco Technical Support iPad App

• Cisco wireless controller and AP-binding domain how do you integrate wireless domain authentication?

  With Cisco equipment wlc 2500 and AP 1600 combines windows 2008 r2 domain controller to achieve the following purposes, 
  1, all cell phones and laptops can access the wireless network with a domain user authentication. 
  2, the guest network should how to do it? 
  My idea is: 
  Made a total of two ssid below 
  Mobile users cnnewcity_mobile: Use webportal certification, so the center certification, local forwarding 
  Computer users cnnewcity_wifi: transparent certification, local forwarding, local authentication 
  The basic steps are as follows: 
  1, set the Radius server clients (AP or controller) 
  2, locking authorization group --- this should be based on the domain user group authorization radius server 
  3, the mobile roaming - different locations on the DHCP server choose to do this you have to consider the next 43 
  4, the establishment of a two vlan to a mobile user to the computer user, create a DCHP scope on the DHCP
  I do not know if you have wood there are better ways?

  Integrating the AD to the WLC Requires:
  1. AD to be registered:
   AT: Security->AAA
      AT: LDAP     
      CLICK: New
      Server IP:    <AD IP>
      Port Number:    389     
      Simple Bind:    Authenticated
      Bind User:    CN=Administrator,CN=Users,DC=testing,DC=local,DC=com
      Bind Pass:    <LDAP Admin pass>
      Confirm Pass: <LDAP Admin pass>
      User Base DN:    OU=WebAuth_Users,DC=testing,DC=local,DC=com
      User Attrib:    sAMAccountName      
      User Obj. Type:    person        
  Enable at WLAN Profile
  1. AT: WLAN->WLANs
      CLICK: <Desired WLAN> -typically web authentication
  2. AT: Security Tab
      AT: AAA Servers
  3. AT: LDAP Servers
      **Select Created LDAP
  4. Apply to Save
  Source: Tried it in implementations :))