Cisco WLC 2125 configuration help

So in a nutshell, from my computer I can ping all VLANs - everything seems to be in working order.
When I telnet to the HP 5406zl core routing switch I can ping all VLANs and other parts of the network.
But when logged into the Cisco Wireless LAN Controller I can't ping the VLAN 108 gateway IP (172.24.156.2) from the neighbour switch or other services on this VLAN,
for example I can't ping the DHCP on this VLAN from the WLC.
The neighbour switch can ping the IP of the management interface created on the WLC.
WLC can't ping VLAN 108
WLC can ping all other VLANs 102, 104, 106
Not sure where the problem is?
Configure Dynamic Interfaces on the WLC for the Guest and Internal Users - DONE
Create WLANs for the Guest and Internal Users - DONE
Configure the 5406zl Layer 2/3 Switch Port that Connects to the WLC as Trunk Port allowing the relevant vlans i.e. management vlan, vlan 102 and Vlan 108 - DONE
Configure the Switch Port that Connects to the AP to VLAN 102 - DONE
Configure virtual interface IP 1.1.1.1 - DONE
Configure the Router for the WLANs - DONE
LAP is registered to the WLC - DONE
WLAN and SSID broadcast - OK

Not at present it is not. The port on the 5406zl that the WLC is connected to was set up as a trunk group with all VLANs tagged. When I tried this I lost all connectivity to the WLC. Is there something on the WLC that needs changing also?

Similar Messages

  • Cisco WLC 2125 and AIR-LAP1252AG-A-K9 access points

    We are running into a little issue here and looking for some help. We have the Controller configured and it appears to be working properly the issue we are running into is that we can only get the above mentioned access points to only join the controller if they are plugged directly into the controller. I would assume that we should be able to plug these access points into any of our switches and they should be able to join the controller correct? Obviously there has to be a configuration issue somewhere and am hoping someone can point us in the right direction.

    WAP to Switch - Access port
    WLC to Switch - dot1Q trunk on the switch and tagged on the WLC side

  • Cisco 881w guest configuration help

    Hello all,
    I am looking to figure out how to configure a Cisco 881w for a guest account. I don't want to use the local database to do so... we have software called Smart Pass that handles the guest requests. The RADIUS server doesn't use any authentication protocols; all I found out is the authentication port 1814 and accounting port 1813. Because we want to keep the guest wireless users away from our internal network, we want them to authenticate against Smartpass, so that they get the agreement of guest usage.
    Has anyone attempted this type of setup?
    Thanks


  • Cisco WLC : AP automatic configuration for flexconnect parameters and ap group

    Hello !
    Is there a way to configure a Cisco WLC to automatically set FlexConnect parameters such as VLAN support and Native VLAN ID when an access point joins the controller?
    Same question for assigning the access point to a specific AP Group?
    PS: The access points are set with factory parameters and the WLC is running version 7.4
    Thank you for your answers !
    Stephane

    To my knowledge these features are not available in 7.4, but from what I understand 8.0 will have similar features. I can say that 7.6 has global commands, not sure if it's part of 7.4.
    If it is you can navigate there Wireless>Access Points>Global Configuration you can do things like configure your primary and backup controllers, set login credentials, pre-download images to AP's.
    Please rate if you find the information helpful.
    HTH

  • Configure cisco wlc for rsa authentication

    Hi,
    I wanted to find out if it is possible to authenticate wireless networks using RSA. Currently we have a Cisco WLC 2504 and RSA Authentication Manager 7.1.
    Do we require a cisco ACS device to make this work. Please advise.
    Thanks

    Yes it is possible. Below is the list of items you require to configure RSA authentication on the WLC:
    1. RSA Authentication Manager 6.1
    2. RSA Authentication Agent 6.1 for Microsoft Windows
    3. Cisco Secure ACS 4.0(1) Build 27
       Note: The RADIUS server that is included can be used in place of the Cisco ACS. See the RADIUS documentation that was included with the RSA Authentication Manager on how to configure the server.
    4. Cisco WLCs and Lightweight Access Points for Release 4.0 (version 4.0.155.0)
    For more information you can go through this link:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008090399a.shtml

  • Configuration of Cisco WLC 2504 with Local LAN static IP and DHCP

    I want to configure a Cisco WLC 2504 with a Local LAN static IP and a WLC 2504 with DHCP so that APs can connect to the controller.
    Currently I am using the WLC 2504 with DHCP, so can anyone suggest how to do that?

    Hi Sandeep
    The info is correct, if we're using code below 7.3.101.0.
    This issue is fixed via the below bug id.
    CSCto01390 Unable to ping AP's directly connected to a 2500 controller
    check the fix that is updated on 7.4, 7.5 RNE.
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn75.html
    Note
    Directly connected APs are supported only in Local mode.
    http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps11630/data_sheet_c78-645111.html
    For quick and easy deployment Access Points can be connected directly to 2504 Wireless LAN Controller via two PoE (Power over Ethernet) ports
    Thanks
    Saravanan

  • WLC 2125 Upgrade

    Hi guys, I have a customer with a WLC 2125 running version 6.0.199.4 and I will now upgrade to version 7.0.250.0, but I am wondering if it's possible to make a backup of the old image (I already downloaded the configuration, but not the image). Is it possible via console or web?
    Or is it safe to do the upgrade directly?
    Thanks
    Gonzalo

    Hi,
    As per my knowledge you can download the old image from the WLC. To get the same image it's better to download it from Cisco.
    Here is the link:
    http://software.cisco.com/download/release.html?mdfid=282210723&flowid=7011&softwareid=280926587&release=7.0.250.0&relind=AVAILABLE&rellifecycle=ED&reltype=latest
    Regards
    Don't forget to rate helpful posts

  • Cisco WLC 2500 - 802.1x with Vasco Radius SMS OTP

    Hello folks,
    I have what seems to be a complex implementation with many things that need to be done on a customers network and I wanted to be pointed in the right direction.
    The current scenario is as follows: the customer has a Cisco WLC 2500 device that has 3 access points (these are in the same AP group) connected to it. There is one SSID, which I will call PRODUCTION here, that some domain users use to connect to the local network. The customer has requested to have a GUEST SSID added to the WLC where guest users will connect and receive an SMS OTP for authentication.
    Correct me if I am wrong, but I will obviously need to segment the SSIDs to have them running on different subnets to ensure that guest users do not have access to the production network once they authenticate. In order to do this I will need to configure Dynamic VLAN assignment for the Cisco WLC and connect it to a 802.1x port on the switch.
    Now what is not clear is that I am not interested in authenticating the users that connect via the "Production SSID" and want to bypass authentication for those users and have them assigned to the default VLAN (or maybe perhaps have them authenticate via LDAP on the AD); however, I want to force the "GUEST" SSID users to authenticate so that they may receive an SMS OTP (the reason for this is to force guests to register their phone numbers to use the internet so that illegal activity may be tracked).
    1) So would it be possible to bypass authentication (or authenticate them via LDAP) for the PRODUCTION SSID, as only domain users would know the SSID password to log on, and have them by default assigned to the production subnet (default VLAN), but force the GUEST SSID users to another VLAN via 802.1x SMS OTP?
    2) *Important* Another issue that is not clear is whether I will be able to directly configure AAA RADIUS settings on the Cisco WLC to directly authenticate with the VASCO RADIUS OTP and receive a challenge-response (required for OTP) during authentication. As I have seen from Cisco's Dynamic VLAN assignment documentation (http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml), additional IETF RADIUS Parameters such as Tunnel-Private-Group-ID etc. are used, which I can't seem to configure on the Vasco.
    I do believe this is a great project in helping me understand the ins and outs of Cisco WLC as well as Wireless NAC. If anyone could enlighten me and point me in the right direction I would be forever in debt. Much appreciated.
    Best Regards
    Sinan Barghouthi - JNCIA-FWV , JNCIA-IDP , CCA-NS , TCSM-8.0

    On your WLAN you can enable AES and TKIP. Just know that some clients may have issues when they see both TKIP and AES. I've had pretty good success with this in the past. Don't forget, you also need to enable WMM allowed to get N rates.
    But you will need to configure AES on the client as well to support N rates.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Cisco WLC 5508 not sending SNMP Traps

    Hello Everyone.
    I'm having a weird error on our WLC environment. We have an HA pair with two Cisco WLC 5508s and I cannot get SNMP traps working on a Windows PC running Kiwi Syslog server (free ed.).
    I can correctly receive Syslog messages, but not traps.
    I also tried to send SNMP traps from the WLC to a different PC using Linux with snmptrapd and it works fine.
    I then tried to send an SNMP trap from my Linux box to my Windows PC, and it works fine, but I still cannot receive anything from the WLC.
    Using Wireshark to detect traffic, I cannot see any packet on UDP port 162.
    I cannot figure out any problem with my scenario, but I can see the following errors on syslog:
    *rmgrTrasport: Mar 30 16:08:22.602: #RMGR-3-INVALID_PING_RESPONSE: rmgr_utils.c:270 Ping response from <my_windows_PC> is invalid. Ip address do not match.
    My WLC Version is 7.6.130.0
    Thank you for your support.

    I have gone through your query and found the following fruitful links. Please let me know if it helps and mark it as the correct answer if it is.
    https://www.manageengine.com/network-monitoring/help/userguide/processing_traps.html
    https://rscciew.wordpress.com/2014/10/12/snmp-configuration-on-wlc/
    Thanks :)

  • Cisco WLC 5508 and LACP

    Hi Fellows,
    I wanna know if the 5508 Cisco WLC supports LACP or not. Actually I work on a project where I must connect a WLC 5508 to Enterasys switches with Link Aggregation.
    Enterasys switches support LACP 802.3ad, but when I read Cisco books I see that the WLC 5508 doesn't support LACP.
    Can you help please ?
    Sincerely
    Joseph

    Hi,
    Please take a look into the config guide:
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mint.html#wp1277652.
    You can read there:
    Once the EtherChannel is configured as on at both ends of the link, it does not matter if the Catalyst switch is configured for either Link Aggregation Control Protocol (LACP) or Cisco proprietary Port Aggregation Protocol (PAgP) because no channel negotiation is done between the controller and the switch. Additionally, LACP and PAgP are not supported on the controller.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Cisco WLC in High Availability over WAN

    Hi, my name is Ivan. I have a problem; perhaps you could help me...
    I have two Cisco WLC 5508s. I want to install them at two different sites: one WLC at site A and the other WLC at site B.
    Site B is across the WAN from site A. Site A is the headquarters.
    But I need to configure them in High Availability. For example, if the Cisco WLC at site A goes down, the APs have to register with the WLC at site B.
    Then the LWAPP traffic has to pass over the WAN between site A and site B.
    I have to configure two Cisco WLCs in HA over a WAN. Could you please help me to do this? Is it OK to configure L3 inter-controller roaming?
    Thanks for your answers
    Regards
    Ivan,
    AP'S - WLC - SITE A ----WAN-----WLC - SITE B - AP'S
    WLC SITE A   DOWN = AP'S SITE A REGISTERED IN WLC SITE B

    Hi Surendra, thanks for your answer.
    Surendra, if the AP at site B (in the WAN) goes down then the LWAPP traffic has to pass over the WAN.
    What should I do to ensure the access point can register with the Cisco WLC in the WAN, besides configuring the mobility groups in both wireless LAN controllers?
    Or do I only have to configure the mobility groups in the WLC? Could you explain to me what things I have to do to ensure this?
    SITE A - (ACCESS POINT M)  - LWAPP -----PASS OVER WAN---- SITE B - CISCO WLC - (ACCESS POINT M)
    STATUS: REGISTERED IN SITE B
    Thanks for your answer
    IVAN
    Regards

  • WLC 2125 - Country code selection

    WLC Mode: AIR-WLC2125-K9
    Version: 7.0.116.0
    Here is the scenario: we have two WLCs, one located at SG and the other located at MY (in test stage).
    Both WLCs are configured with three country codes (CN, MY and SG), as well as the Regulatory Domain (802.11a -CS and 802.11bg -ACE).
    Yesterday we performed a WLC failover test and it was successful, but we noticed that some of the APs' country codes are set incorrectly, not as before. We went into the AP config, pulled up the Advanced tab and tried to select the country where the AP is physically located, but a weird issue happened whereby there is only one country code available and the other two country codes are missing.
    Here is the AP model we used.
    AIR-LAP1142N-N-K9 (CN)
    AIR-LAP1242AG-S-K9 (SG and MY)
    Could someone help to advise what the cause would be and how to resolve this issue?
    Thanks in advance.

    With the -E there are many profiles that can be selected, as most tend to be very close to the same restrictions.
    However I would contact your local regulatory domain group and ask them which country is the same as Mongolia. Explain what you are doing and have them tell you, and get it in writing. that way you are covered on your choice.
    Steve
    Sent from Cisco Technical Support iPad App

  • Backing up config on Cisco WLC 2504

    I need to upgrade the software on my controller but first need to take a backup of the config.
    I log into the GUI of the controller and then go to Commands / Upload File, I then select my options:
    File Type: Configuration
    Transfer Mode: TFTP
    IP: 10.x.x.x
    File Path: C:\Cisco\WLC
    File Name: ciscowlc.cfg
    Click Upload
    After about a minute I receive the following error:
    % Error: Config file transfer failed - Error from server: The specified operation is not supported.
    I can't seem to find any information on this error.
    Any help would be greatly appreciated.
    Thanks,
    James

    What TFTP server are you using... I use 3CDaemon and I also select the folder from the TFTP server so my path would just be ./
    Make sure that the firewall on the TFTP server is disabled and also make sure you're doing the TFTP to a wired machine and not a wireless machine. TFTP and FTP are not allowed when you're associated to an AP that is joined to that WLC.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Help on Nokia E61i associating with Cisco WLC 4402

    I ran into a problem associating Nokia's dual-mode mobile phone E61i with a Cisco WLC 4402; I hope someone can help me with it:
    I set up a VOICE WLAN in the 4402 (v5.0.148): Layer 2 security is WPA1+WPA2, key management uses 802.1x, the WPA1 policy enables both TKIP and AES, and the RADIUS server uses the ACS engine (v4.1.1.23) (PEAP-MSCHAPv2 enabled);
    I can use my laptop to join this WLAN (my laptop is configured with PEAP/MSCHAPv2, WPA-TKIP, not validating the server certificate), but can't get the E61i to join it; each time it reminds me “unable to connect, WPA authenticate failed”.
    In E61i, I select WPA/WPA2 as WLAN security mode, enable EAP-PEAP, under EAP-PEAP, I enable EAP-MSCHAPv2; however under Cipher, there's a lot of options such as “RSA,3EDS,SHA”, “RSA,AES,SHA”, but there's no TKIP, I have tried to enable all of them and tried only enable those items which include AES, but I failed each time with the same reminder “unable to connect, WPA authenticate failed”. I checked ACS's failed log, there's no record; In 4402, there also have no record.
    If I change the security to open or static WEP for VOICE WLAN, then the E61i can connect to the WLAN.
    I think the problem may be related to encryption or the certificate. Right now I am just doing the test in the lab, not in the customer's real environment, so I used ACS to generate a self-signed certificate and installed it in ACS.
    Please help point out what I need to adjust to make it work. Thanks!

    Hello,
    CCKM Key Management mode on Nokia E61i phone can be used against Cisco LWAPP AP's with TKIP encryption
    Nokia E61i (and other E-series WLAN enabled phones) are supporting CCKM key management method with both dynamic WEP and TKIP ciphers.
    On the phone configuration, 802.1X security mode needs to be in use in order to enable CCKM support. WPA/WPA2 security mode on the phone is dedicated to standards based WPA and WPA2 methods and it does not allow usage of proprietary CCKM key management method.
    Phone's 802.1X security mode does not mean that phone would only support dynamic WEP encryption method in this mode although in contexts term "802.1X" may be attached to pure dynamic WEP (legacy / pre WPA era)security methods.
     802.1X security mode can be seen on Nokia Eseries phones as sort of an "everything with EAP based authentication is allowed" mode, meaning that following key management and cipher configurations are supported:
    - WPA-Enterprise  = WPA Key Management (EAP based authentication) with TKIP encryption
    - WPA2-Enterprise = WPA2 Key Management (EAP based authentication) with AES encryption
    - Mixed WPA/WPA2-Enterprise = I.e. WPA/WPA2 Mode Migration WPA2 Key Management (EAP based authentication) with AES (for unicast data) and TKIP (for multicast data) ciphers
    - 802.1X dynamic WEP = legacy (pre-WPA era) 802.1X based dynamic WEP (EAP based authentication with dynamic WEP encryption)
    Supported:
    - CCKM with WEP = CCKM Key Management (EAP based authentication) with dynamic WEP encryption
    - CCKM with TKIP = CCKM Key Management (EAP based authentication) with TKIP encryption
    Not supported:
    - CCKM with AES = CCKM Key Management (EAP based authentication) with AES encryption
    Please note that CCKM-AES mode (CCKM Key Management with AES cipher) is not working properly due to some incompatibilities between Cisco and Nokia implementations thus it must not be listed as a supported combination on the current Nokia E-series devices. We are also seeing CCKM-Fast Re-authentication failures with Cisco autonomous AP's when AES encryption is used although initial authentication to autonomous AP's is successful. Nokia is currently working with Cisco to get CCKM-AES based authentications and roaming working properly with both LWAPP and autonomous Cisco AP's.
    Also note that Nokia E-Series does not support Cisco proprietary CKIP/CMIC encryption/data integrity methods. CKIP/CMIC is supported at least by Cisco autonomous AP's and it seems to be available also at least on LWAPP AP version 4.1.171.0.
    CCKM on E-Series devices has been tested against Cisco LWAPP (ver. 4.1.171.0) and it works when TKIP encryption is in use (WPA Policy + TKIP encryption in Cisco LWAPP configuration terms).
    In practice this means Cisco LWAPP is configured in a following manner: WLAN -> Edit -> Security-> 
    Layer 2 Security = WPA+WPA2
    WPA+WPA2 Parameters:
    -WPA Policy = enabled
    -WPA Encryption = TKIP enabled, AES disabled
    -WPA2 policy = disabled
    -Auth.Key Mgmt = CCKM
    Br,
    -Pasi-

  • Bonjour Discovery browser and cisco WLC mDNS

    Hello
    I'm using a Bonjour Discovery browser on an iPad to see if I can check what Bonjour services are available on a cisco 2504 running code 7.5.102.0. WLC is configured as per cisco documentation for mdns:
    Multicast disabled on WLC
    wired vlan (with bonjour services) is trunked to WLC
    mdns profile configured and bonjour services are visible on WLC
    mdns profile applied to WLAN
    when i connect an ipad to the wlan and start the browser, no services appear (2 are visible on the WLC). Debug on the WLC shows the following (where XX:XX:XX:XX:XX:XX is the iPad mac)
    *Bonjour_Msg_Task: Nov 04 10:51:06.674: XX:XX:XX:XX:XX:XX Failed to updated data to Service Provider DB
    *Bonjour_Msg_Task: Nov 04 10:51:12.798: processBonjourPacket : 935 Queried service-string : _dns-sd._udp.local. is not configured in MSAL-DB
    Is it possible to get Bonjour Discovery browser working with cisco WLC?
    thanks
    andy

    I have used Avahi when I have had deployments that were FlexConnect and the site had multiple subnets for Apple TV's and or the devices that would be using the Apple TV, printers, etc.  Avahi is free and my customers would spin this up on an available PC or laptop and connect it to the network.
    mDNS AP
    1. This feature enhancement allow controllers to have the visibility of wired service providers which are on VLANs that are not visible to the controller.
    2. User configuration is required to configure APs as mDNS AP. This configuration allows AP to forward mDNS packets to WLC.
    3. VLAN's visibility at WLC is achieved by APs forwarding the mDNS advertisements to controllers. The mDNS packet between AP and controller are forwarded in CAPWAP data tunnel similar to mDNS packets from wireless client.
    4. APs can either be in access or trunk mode to learn the mDNS packets from wired side and forward it to the controller.
    5. This configuration also allows the user to specify the VLANs from which the AP should snoop the mDNS advertisements from wired side. The maximum number of VLANs that AP can snoop is 10.
    6. If the AP is in access mode, the user should NOT configure any VLANs for AP to snoop.
    AP will send untagged packets when a query is to be sent. When an mDNS advertisement is received by mDNS AP, VLAN information is not passed to the controller. Hence the service provider's VLAN, learnt via mDNS AP's access VLAN will be maintained as 0 in the controller.
    7. If the AP is in trunk mode, then the user has to configure the VLAN on the controller on which AP would snoop & forward the mDNS packets. The native VLAN snooping is enabled by default when mDNS AP is enabled. AP will send VLAN information as 0 for packets snooped on native VLAN.
    8. This feature is supported on local and monitor mode AP, and not on Flexconnect mode APs.
    9. If a mDNS AP joins/resets (or) joins the same/another controller, the behavior is as follows:
    a. If global snooping is disabled on the controller, then a payload will be sent to AP to disable mDNS snooping.
    b. If global snooping is enabled on the controller, then configuration of the AP previous to reset/join procedure will be retained.
    Thanks,
    Scott
    *****Help out other by using the rating system and marking answered questions as "Answered"*****
