Cisco WLC 2500 - 802.1x with Vasco Radius SMS OTP

Hello folks,
I have what seems to be a complex implementation with many things that need to be done on a customer's network, and I wanted to be pointed in the right direction.
The current scenario is this: the customer has a Cisco WLC 2500 device that has 3 access points (these are in the same AP group) connected to it. There is one SSID that I will call PRODUCTION here that some domain users use to connect to the local network. The customer has requested to have a GUEST SSID added to the WLC where guest users will connect and receive an SMS OTP for authentication.
Correct me if I am wrong, but I will obviously need to segment the SSIDs to have them running on different subnets to ensure that guest users do not have access to the production network once they authenticate. In order to do this I will need to configure Dynamic VLAN assignment for the Cisco WLC and connect it to an 802.1x port on the switch.
Now what is not clear is this: I am not interested in authenticating the users that connect via the "Production SSID" and want to bypass authentication for those users and have them assigned to the default VLAN (or perhaps have them authenticate via LDAP on the AD); however, I want to force the "GUEST" SSID users to authenticate so that they may receive an SMS OTP (the reason for this is to force guests to register their phone numbers to use the internet so that illegal activity may be tracked).
1) So would it be possible to bypass authentication (or authenticate them via LDAP) for the PRODUCTION SSID, as only domain users would know the SSID password to log on, and have them by default assigned to the production subnet (default VLAN), but force the GUEST SSID users to another VLAN via 802.1x SMS OTP?
2) *Important* Another issue that is not clear is whether I will be able to directly configure AAA RADIUS settings on the Cisco WLC to authenticate directly with the VASCO RADIUS OTP and receive a challenge-response (required for OTP) during authentication. As I have seen from Cisco's Dynamic VLAN assignment documentation (http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml), additional IETF RADIUS parameters such as Tunnel-Private-Group-ID etc. are used, which I can't seem to configure on the Vasco.
I do believe this is a great project in helping me understand the ins and outs of the Cisco WLC as well as wireless NAC. If anyone could enlighten me and point me in the right direction I would be forever in debt. Much appreciated.
Best Regards
Sinan Barghouthi - JNCIA-FWV , JNCIA-IDP , CCA-NS , TCSM-8.0


Similar Messages

  • Cisco WLC 2500 AP-Manager

    hello
    I have a question about a Cisco WLC 2500.
    When you configure an interface on the controller, you can set an IP address,
    mask and DHCP server address, but you can also set the interface as an AP-Manager.
    Why is this?
    Thanks

    On the old WLC models like the 2100, 2006 and 4400 we had to configure the management interface for managing the WLC and the AP manager interface so that the APs could create the LWAPP or CAPWAP tunnel to the WLC.
    On the new WLC models like the 2500 and 5508 the AP manager interface is not required: if the management interface has the dynamic AP management check enabled, it will work at the same time as the AP manager interface.
    Here is the link where you can check on how to deploy the 2504 WLC and the different setups to use with several AP managers.
    http://www.cisco.com/en/US/products/ps11630/products_tech_note09186a0080b8450c.shtml

  • Cisco wlc ios 7.2 with clients windows 8 can not authenticate with 802.1x

    Hello my name is Ivan:
    I have a unified wireless solution with a Cisco WLC on 7.2 and Cisco APs. My issue is the following:
    My users are using laptops with Windows 8, and they cannot access the wireless network because they authenticate to the network using 802.1x WPA/WPA2 with TKIP or AES.
    I found a bug in the IOS of the WLC. The number is CSCua29504. I would not want to change the drivers on the laptops to join the users to the solution.
    Is it possible to find any software to do the upgrade on the WLC? Or perhaps we need to do an upgrade on the Cisco lightweight access points?
    Please help me in this issue.
    Regards
    Ivan

    Bug ID CSCua29504 has been fixed in WLC firmware 7.0.235.3, 7.3.101.X or 7.4.100.X.
    So if you are NOT running any one of these codes, then yes, upgrading your firmware is your solution.
    Fixed in:  (12)
    7.4(100.0),7.4(1.20),7.3(112.0),7.3(101.0),7.3(1.67)
    7.2(111.3),7.2(111.1),7.2(110.4),7.0(236.0),7.0(235.3)

  • WLC 5508 802.1x with AES

    Hi,
    We have a staff WLAN on Cisco WLC 5508. We use 802.1x with TKIP with authentication from RADIUS server. We deployed new 802.11n APs but on staff WLAN we cannot enable 802.11n because of the TKIP encryption. Can we just simply change the encryption without changing any other configuration to support 802.11n data rates?

    On your WLAN you can enable AES and TKIP. Just know that some clients may have issues when they see both TKIP and AES. I've had pretty good success with this in the past. Don't forget, you also need to enable WMM allowed to get N rates.
    But you will need to configure AES on the client as well to support N rates.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • WPA2 802.1x with MS RADIUS, LDAP, Clean Access

    We are in a multivendor environment using NAC and WCS.  We would like to implement WPA2 Enterprise.  We currently authenticate with LDAP to place users in proper roles.
    Not 100% sure on this.  As far as I know, it is not possible to implement 802.1x with LDAP.....so how could we use LDAP and a Radius server together in order to implement WPA2 Enterprise?  Is this possible?  Any documentation out there that I have yet to find explaining this?
    Any help would be appreciated.
    Thanks in advance,
    Ben

    Hi,
    Let's clarify all possibilities and you can choose one from there :-)
    1) the Wireless Controller (WLC) can act as radius server. The feature is called "local eap". So the WLC authenticates the client (wpa2 if you like).
    The WLC can use an LDAP database as user database. The only restrictions are that you cannot use "mschapv2" methods. So only peap-gtc,eap-fast-gtc and eap-tls. Of those 3, only eap-tls is present on the client default windows supplicant.
    2) You can have a complete radius server like Cisco ACS. However the limitation coming with LDAP remains. Unless your database is Active Directory in which case ACS can integrate with it and allow for all eap methods.
    3) If you go for WPA enterprise, that means you will authenticate users 2 times. One with dot1x to join the wireless and one with NAC afterwards to get network connectivity. Again if you have active directory, you can go with "single sign on" so that users never have to enter their credentials. Otherwise they will have to enter them twice.
    Apart from that fact, NAC pretty much doesn't care if your wireless is open or dot1x-secured, it comes after the dot1x authentication anyway.
    I hope this clarifies ?
    Nicolas
    ===
    please rate answers that you find useful

  • WLC Web-auth fail with external RADIUS server

    I followed the link below step by step to configure web-auth with an external RADIUS server, but I receive an error on the console debug of the WLC: "Returning AAA Error No Server (-7) for mobile"
    My Radius Server is fine, because I can authenticate on WLC Web page with RADIUS user.
    WLC 4402 version 4.1.171.0
    http://www.cisco.com/en/US/products/ps6366/prod_technical_reference09186a0080706f5f.html

    Hi,
    I am having some issues when I try to authenticate an AD account against a NAP RADIUS server on Windows 2008.
    In fact, I own a WLC 2106 and I configured it to authenticate users against a RADIUS server with Active Directory. I set the Web RADIUS Authentication to CHAP on the controller tab of the WLC 2106 and I am getting the error below: Authentication failed for gcasanova. When I set the controller's Web RADIUS Authentication to PAP, everything works fine. I am able to connect through the controller using an AD account. But my purpose is not to use PAP, which is an insecure protocol since passwords are sent as plaintext on the network.
    Can someone tell me what's wrong?
    *radiusTransportThread: Oct 26 11:02:13.975:    proxyState...................................00:24:D7:40:E5:00-00:00
    *radiusTransportThread: Oct 26 11:02:13.975:    Packet contains 0 AVPs:
    *emWeb: Oct 26 11:02:13.977: Authentication failed for gcasanova
    *aaaQueueReader: Oct 26 11:02:29.985: AuthenticationRequest: 0xb6564634
    *aaaQueueReader: Oct 26 11:02:29.985:   Callback.....................................0x8576720
    *aaaQueueReader: Oct 26 11:02:29.985:   protocolType.................................0x00000001
    *aaaQueueReader: Oct 26 11:02:29.985:   proxyState...................................00:24:D7:40:E5:00-00:00
    *aaaQueueReader: Oct 26 11:02:29.986:   Packet contains 11 AVPs (not shown)
    *aaaQueueReader: Oct 26 11:02:29.986: apfVapRadiusInfoGet: WLAN(4) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *aaaQueueReader: Oct 26 11:02:29.986: 00:24:d7:40:e5:00 Successful transmission of Authentication Packet (id 86) to 10.2.0.15:1812, proxy state 00:24:d7:40:e5:00-00:00
    *aaaQueueReader: Oct 26 11:02:29.987: 00000000: 01 56 00 9a 8e 48 e7 20  1d ef be 29 e6 3a 61 6d  .V...H.....).:am
    *aaaQueueReader: Oct 26 11:02:29.987: 00000010: 2b de 07 24 01 0b 67 63  61 73 61 6e 6f 76 61 3c  +..$..gcasanova<
    *aaaQueueReader: Oct 26 11:02:29.987: 00000020: 12 3c ce a0 87 ac df 7a  a5 35 af 7c ef 83 c7 58  .<.....z.5.|...X
    *aaaQueueReader: Oct 26 11:02:29.987: 00000030: ed 03 13 28 a7 5a 0d 26  6d ab 49 ea da 7c 5a 8e  ...(.Z.&m.I..|Z.
    *aaaQueueReader: Oct 26 11:02:29.987: 00000040: 1d 94 70 69 06 06 00 00  00 01 04 06 0a 02 00 06  ..pi............
    *aaaQueueReader: Oct 26 11:02:29.987: 00000050: 05 06 00 00 00 01 20 0a  50 41 52 2d 57 4c 43 31  ........PAR-WLC1
    *aaaQueueReader: Oct 26 11:02:29.987: 00000060: 3d 06 00 00 00 13 1a 0c  00 00 37 63 01 06 00 00  =.........7c....
    *aaaQueueReader: Oct 26 11:02:29.988: 00000070: 00 04 1f 0c 31 30 2e 32  2e 30 2e 31 35 36 1e 0a  ....10.2.0.156..
    *aaaQueueReader: Oct 26 11:02:29.988: 00000080: 31 30 2e 32 2e 30 2e 36  50 12 7f 86 5a c5 61 ad  10.2.0.6P...Z.a.
    *aaaQueueReader: Oct 26 11:02:29.988: 00000090: af 54 fa fa 42 e7 f6 16  9e 10                    .T..B.....
    *radiusTransportThread: Oct 26 11:02:29.988: 00000000: 03 56 00 14 a9 10 07 84  83 00 87 83 b9 10 64 e1  .V............d.
    *radiusTransportThread: Oct 26 11:02:29.988: 00000010: 66 b3 c5 5e                                       f..^
    *radiusTransportThread: Oct 26 11:02:29.988: ****Enter processIncomingMessages: response code=3
    *radiusTransportThread: Oct 26 11:02:29.988: ****Enter processRadiusResponse: response code=3
    *radiusTransportThread: Oct 26 11:02:29.988: 00:24:d7:40:e5:00 Access-Reject received from RADIUS server 10.2.0.15 for mobile 00:24:d7:40:e5:00 receiveId = 0
    *radiusTransportThread: Oct 26 11:02:29.989: 00:24:d7:40:e5:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:24:d7:40:e5:00
    *radiusTransportThread: Oct 26 11:02:29.989: AuthorizationResponse: 0xb97fe774
    *radiusTransportThread: Oct 26 11:02:29.989:    structureSize................................32
    *radiusTransportThread: Oct 26 11:02:29.989:    resultCode...................................-4
    *radiusTransportThread: Oct 26 11:02:29.989:    protocolUsed.................................0xffffffff
    *radiusTransportThread: Oct 26 11:02:29.989:    proxyState...................................00:24:D7:40:E5:00-00:00
    *radiusTransportThread: Oct 26 11:02:29.989:    Packet contains 0 AVPs:
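    The following Python is an added example, not code from any post in this thread or from Cisco. It rebuilds the Access-Request and Access-Reject from the hex dump in the debug above, decodes every attribute (User-Name, CHAP-Challenge, CHAP-Password, the Airespace vendor attribute carrying WLAN id 4, and so on), shows what a RADIUS server has to compute to check a CHAP-Password (which is why it needs the cleartext password, unlike the EAP-based methods mentioned elsewhere in this thread), and builds the Access-Accept with the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes that the dynamic VLAN assignment document in the opening question relies on, checked with the Response Authenticator a controller verifies before trusting a reply. The shared secret, the VLAN id 30 and the test password are constructed values; the real secret is not in the debug output.

```python
import hashlib
import re
import struct
from ipaddress import IPv4Address

# RADIUS codes and attribute types seen in the WLC debug above, plus the
# Tunnel-* attributes used for dynamic VLAN assignment (RFC 2865 / RFC 2868).
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTRS = {1: "User-Name", 3: "CHAP-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
         6: "Service-Type", 26: "Vendor-Specific", 30: "Called-Station-Id",
         31: "Calling-Station-Id", 32: "NAS-Identifier", 60: "CHAP-Challenge",
         61: "NAS-Port-Type", 64: "Tunnel-Type", 65: "Tunnel-Medium-Type",
         80: "Message-Authenticator", 81: "Tunnel-Private-Group-ID"}

# Dump lines copied from the WLC debug quoted above (request sent, reject received).
REQUEST_DUMP = """
*aaaQueueReader: Oct 26 11:02:29.987: 00000000: 01 56 00 9a 8e 48 e7 20  1d ef be 29 e6 3a 61 6d  .V...H.....).:am
*aaaQueueReader: Oct 26 11:02:29.987: 00000010: 2b de 07 24 01 0b 67 63  61 73 61 6e 6f 76 61 3c  +..$..gcasanova<
*aaaQueueReader: Oct 26 11:02:29.987: 00000020: 12 3c ce a0 87 ac df 7a  a5 35 af 7c ef 83 c7 58  .<.....z.5.|...X
*aaaQueueReader: Oct 26 11:02:29.987: 00000030: ed 03 13 28 a7 5a 0d 26  6d ab 49 ea da 7c 5a 8e  ...(.Z.&m.I..|Z.
*aaaQueueReader: Oct 26 11:02:29.987: 00000040: 1d 94 70 69 06 06 00 00  00 01 04 06 0a 02 00 06  ..pi............
*aaaQueueReader: Oct 26 11:02:29.987: 00000050: 05 06 00 00 00 01 20 0a  50 41 52 2d 57 4c 43 31  ........PAR-WLC1
*aaaQueueReader: Oct 26 11:02:29.987: 00000060: 3d 06 00 00 00 13 1a 0c  00 00 37 63 01 06 00 00  =.........7c....
*aaaQueueReader: Oct 26 11:02:29.988: 00000070: 00 04 1f 0c 31 30 2e 32  2e 30 2e 31 35 36 1e 0a  ....10.2.0.156..
*aaaQueueReader: Oct 26 11:02:29.988: 00000080: 31 30 2e 32 2e 30 2e 36  50 12 7f 86 5a c5 61 ad  10.2.0.6P...Z.a.
*aaaQueueReader: Oct 26 11:02:29.988: 00000090: af 54 fa fa 42 e7 f6 16  9e 10                    .T..B.....
"""
REPLY_DUMP = """
*radiusTransportThread: Oct 26 11:02:29.988: 00000000: 03 56 00 14 a9 10 07 84  83 00 87 83 b9 10 64 e1  .V............d.
*radiusTransportThread: Oct 26 11:02:29.988: 00000010: 66 b3 c5 5e                                       f..^
"""

def hexdump_to_bytes(dump):
    """Rebuild a packet from WLC-style dump lines: 8-digit offset, up to 16 bytes, ASCII gutter."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.search(r"\b([0-9a-f]{8}): (.*)$", line)
        if not m:
            continue  # not a dump line
        for tok in m.group(2).split()[:16]:
            if not re.fullmatch(r"[0-9a-f]{2}", tok):
                break  # first non-hex token is the ASCII gutter
            out.append(int(tok, 16))
    return bytes(out)

def decode_value(t, v):
    """Decode an attribute value by type; binary or unknown ones stay raw bytes."""
    if t in (5, 6, 61):                       # 32-bit integers
        return struct.unpack("!I", v)[0]
    if t in (1, 30, 31, 32):                  # text
        return v.decode("ascii", "replace")
    if t == 4:
        return str(IPv4Address(v))
    if t == 26:                               # Vendor-Specific: vendor id + one sub-attribute
        vendor, vt, vl = struct.unpack("!IBB", v[:6])
        sub = v[6:4 + vl]
        return {"vendor": vendor, "type": vt, "value": int.from_bytes(sub, "big") if vl == 6 else sub}
    if t in (64, 65):                         # tagged integers (RFC 2868)
        return {"tag": v[0], "value": int.from_bytes(v[1:4], "big")}
    if t == 81:                               # tagged string; a tag byte is present only if <= 0x1F
        return (v[1:] if v[0] <= 0x1F else v).decode("ascii", "replace")
    return v

def parse_radius(pkt):
    """Parse the header and attribute TLVs; rejects length mismatches and truncated attributes."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError(f"length field {length} does not match {len(pkt)} bytes received")
    attrs, i = [], 20
    while i < length:
        if i + 2 > length or pkt[i + 1] < 2 or i + pkt[i + 1] > length:
            raise ValueError(f"malformed attribute at offset {i}")
        t, l = pkt[i], pkt[i + 1]
        attrs.append((ATTRS.get(t, f"Attr-{t}"), decode_value(t, pkt[i + 2:i + l])))
        i += l
    return {"code": CODES.get(code, code), "id": ident, "length": length,
            "authenticator": pkt[4:20], "attrs": attrs}

def chap_password_attr(ident, password, challenge):
    """CHAP-Password as the client sends it: ident || MD5(ident || password || challenge)."""
    return ident + hashlib.md5(ident + password + challenge).digest()

def chap_verify(chap_password, chap_challenge, password):
    """Server-side CHAP check: recomputing the digest requires the cleartext password."""
    return chap_password_attr(chap_password[:1], password, chap_challenge) == chap_password

def attr(t, value):
    return bytes([t, len(value) + 2]) + value

def build_vlan_accept(ident, request_auth, vlan_id, secret):
    """Access-Accept for dynamic VLAN assignment: Tunnel-Type=VLAN(13),
    Tunnel-Medium-Type=IEEE-802(6), Tunnel-Private-Group-ID=<vlan id>, all with tag 0."""
    body = (attr(64, b"\x00" + (13).to_bytes(3, "big"))
            + attr(65, b"\x00" + (6).to_bytes(3, "big"))
            + attr(81, b"\x00" + str(vlan_id).encode()))
    header = struct.pack("!BBH", 2, ident, 20 + len(body))
    # Response Authenticator (RFC 2865 s.3): MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_response(reply, request_auth, secret):
    """The check a NAS such as the WLC makes on a reply before acting on it."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return reply[4:20] == expected

if __name__ == "__main__":
    req = parse_radius(hexdump_to_bytes(REQUEST_DUMP))
    print(req["code"], req["id"], req["attrs"])
    print(parse_radius(hexdump_to_bytes(REPLY_DUMP))["code"])
    acc = build_vlan_accept(req["id"], req["authenticator"], 30, b"constructed-secret")  # constructed
    print(parse_radius(acc)["attrs"], verify_response(acc, req["authenticator"], b"constructed-secret"))
```

    Parsing the dump shows the request carried CHAP-Challenge and CHAP-Password rather than User-Password, so the server had to recompute MD5(ident || password || challenge) and therefore needed the account's cleartext password; the reply is a bare Access-Reject with the same id 86 and no attributes. The same parser decodes the constructed Access-Accept, so the Tunnel-* attributes a dynamic VLAN deployment expects can be checked end to end.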

  • Cisco WLC 2500 snmp v3

    Hello everyone,
    I have a question.
    I am trying to get SNMP version 3 working on my network.
    I am using SolarWinds to monitor the Cisco WLCs, but when I add an SNMP user to the controller
    I get the following message:
    (Cisco Controller) debug>snmp all enable
    (Cisco Controller) debug>*Sep 06 14:40:30.515: SNMPD: Packet from: 192.168.8.192:59047, in_packet_len = 71
    *Sep 06 14:40:30.516: SNMPD: calling srDoSnmp.
    *Sep 06 14:40:30.516: Unknown engine Ids
    *Sep 06 14:40:30.517: SNMPD: Sending SNMP packet to 192.168.8.192:59047, out_packet_len = 115
    *Sep 06 14:40:30.542: SNMPD: Packet from: 192.168.8.192:59047, in_packet_len = 137
    *Sep 06 14:40:30.542: SNMPD: calling srDoSnmp.
    *Sep 06 14:40:30.543: SNMPD: received get pdu
    *Sep 06 14:40:30.543: SNMPD:calling do_response
    *Sep 06 14:40:30.543: Searching for requested instance of sysObjectID
    *Sep 06 14:40:30.543: SNMPD: Sending SNMP packet to 192.168.8.192:59047, out_packet_len = 153
    *Sep 06 14:40:30.765: SNMPD: Packet from: 192.168.8.192:59049, in_packet_len = 73
    *Sep 06 14:40:30.765: SNMPD: calling srDoSnmp.
    *Sep 06 14:40:30.765: Unknown engine Ids
    *Sep 06 14:40:30.766: SNMPD: Sending SNMP packet to 192.168.8.192:59049, out_packet_len = 117
    *Sep 06 14:40:30.791: SNMPD: Packet from: 192.168.8.192:59049, in_packet_len = 138
    *Sep 06 14:40:30.791: SNMPD: calling srDoSnmp.
    *Sep 06 14:40:30.791: SNMPD: received get pdu
    *Sep 06 14:40:30.791: SNMPD:calling do_response
    *Sep 06 14:40:30.791: Searching for requested instance of sysContact
    *Sep 06 14:40:30.792: SNMPD: Sending SNMP packet to 192.168.8.192:59049, out_packet_len = 138
    *Sep 06 14:40:30.818: SNMPD: Packet from: 192.168.8.192:59049, in_packet_len = 73
    *Sep 06 14:40:30.818: SNMPD: calling srDoSnmp.
    *Sep 06 14:40:30.818: Unknown engine Ids
    *Sep 06 14:40:30.819: SNMPD: Sending SNMP packet to 192.168.8.192:59049, out_packet_len = 117
    *Sep 06 14:40:30.843: SNMPD: Packet from: 192.168.8.192:59049, in_packet_len = 178
    *Sep 06 14:40:30.844: SNMPD: calling srDoSnmp.
    *Sep 06 14:40:30.844: SNMPD: received set pdu
    *Sep 06 14:40:30.844: SNMPD:calling do_sets
    *Sep 06 14:40:30.844: snmpd: Attempt to set object sysContact
    *Sep 06 14:40:30.844: pass 1 of set request processing done
    *Sep 06 14:40:30.846: pass 2 of set request processing done
    *Sep 06 14:40:30.846: calling set method which do not have undo methods
    *Sep 06 14:40:30.846: set failed, undoing
    *Sep 06 14:40:30.847: SNMPD: Sending SNMP packet to 192.168.8.192:59049, out_pac  
    *Sep 06 14:41:57.517: Authentication failure, bad community string
    *Sep 06 14:41:57.518: Bad Community name
    *Sep 06 14:41:57.518: SNMPD: Failed to get result Pdu.
    *Sep 06 14:41:57.518: SNMPD: *NOT* sending out packet, out_packet_len = 0
    I have only configured the SNMPv3 user on the controller.

    Hello Johan,
    debugs show:
      Authentication failure, bad community string
    This indicates a community string mismatch. Make sure about the community string and the encryption and privacy passwords.
    Make sure to enable only SNMPv3 on WLC to isolate better.
    HTH
    Amjad
    You want to say "Thank you"?
    Don't. Just rate the useful answers,
    that is more useful than "Thank you".

  • Cisco WLC and Unsecured WLAN with redirect

    Hi Folks,
    Can someone point me in the right direction here.
    I have a WLS box - I want to create a WLAN which will
    1.) allow anyone to connect to without authentication.
    2.) once connected they need to be redirected to a web server for further instructions.
    Any suggestions greatly appreciated.
    Cheers

    Hi George,
    I have downloaded those files and will have a look now.
    I have a couple of other questions in relation to this.
    When users connect to this SSID and fire up their browser, they are redirected to a https page - https://1.1.1.1/login.html?redirect
    Obviously the end users will receive a warning as they will not trust the certificate. The SAN on the certificate is URL=https://1.1.1.1, IP Address=1.1.1.1
    This 1.1.1.1 address maps to a virtual interface on both controllers that we have.
    Why does it go to this page?
    Also how do I go about getting a public cert so end users don't get a cert warning. There are obviously DNS issues.
    Cheers

  • Cisco wlc and steel belted radius

    We have a Cisco WLC controller that has two SSIDs, one for users and one for guests.
    We need the users in SSID 1 to take their username and password from a user group in Active Directory through Steel Belted RADIUS.
    Please send me any integration guide between Cisco WLC and Steel Belted RADIUS.
    regards

    Hi Mohammad,
    I am unaware of a specific Steel Belted RADIUS integration guide for the WLCs, however the configuration process on the controller will be the same:
    Cisco WLC Configuration Guide 7.0 - Configuring RADIUS:
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70sol.html#wp1388328
    You may wish to contact your RADIUS vendor for additional configuration steps on the server.
    Best,
    Drew

  • Problems adding licences on a WLC 2500 controller

    Hello,
    I have a Cisco WLC 2500 controller for my Wi-Fi access points.
    On this controller I already have a pack of 25 licences installed.
    Recently I bought a new licence pack and it is impossible for me to add it correctly.
    I follow this procedure:
    I click on the "Management" tab, then on "Software Activation"
    I click on "Commands"
    I select "Install Licenses"
    This is what I get:
    Then I reboot the controller, but the licences are not present in the list.
    Do you have any idea?
    Thanks in advance

    GREP can be used for two things: automatic formatting via GREP styles, or find-and-replace. GREP styles only format existing text; they cannot add text. For what you are trying to do (an addition), the syntax proposed in the book must therefore be used in the "Find/Change" dialog box.

  • Help on Nokia E61i associating with Cisco WLC 4402

    I have met some problems associating Nokia's dual-mode mobile phone E61i with a Cisco WLC 4402; I hope someone can help me with it:
    I set up a VOICE WLAN on the 4402 (v5.0.148): Layer 2 security is WPA1+WPA2, key management uses 802.1x, the WPA1 policy enables both TKIP and AES, and the RADIUS server is an ACS engine (v4.1.1.23) with PEAP-MSCHAPv2 enabled.
    I can use my laptop to join this WLAN (my laptop is configured with PEAP/MSCHAPv2, WPA-TKIP, not validating the server certificate), but I can't get the E61i to join it; each time it tells me "unable to connect, WPA authenticate failed".
    On the E61i, I select WPA/WPA2 as the WLAN security mode and enable EAP-PEAP; under EAP-PEAP, I enable EAP-MSCHAPv2. However, under Cipher there are a lot of options such as "RSA,3DES,SHA", "RSA,AES,SHA", but there is no TKIP. I have tried enabling all of them and tried enabling only those items which include AES, but I failed each time with the same message "unable to connect, WPA authenticate failed". I checked the ACS failed log and there is no record; on the 4402 there is also no record.
    If I change the security to open or static WEP for the VOICE WLAN, then the E61i can connect to the WLAN.
    I think the problem may be related to encryption or certificates. Right now I am just doing the test in the lab, not in the customer's real environment, so I used ACS to generate a self-signed certificate and installed it on ACS.
    Please help point me to what I need to adjust to make it work. Thanks!

    Hello,
    CCKM Key Management mode on Nokia E61i phone can be used
    against Cisco LWAPP AP's with TKIP encryption
    Nokia E61i (and other E-series WLAN enabled phones) are supporting CCKM key management method with both dynamic WEP and TKIP ciphers.
    On the phone configuration, 802.1X security mode needs to be in use in order to enable CCKM support. WPA/WPA2 security mode on the phone is dedicated to standards based WPA and WPA2 methods and it does not allow usage of proprietary CCKM key management method.
    Phone's 802.1X security mode does not mean that phone would only support dynamic WEP encryption method in this mode although in contexts term "802.1X" may be attached to pure dynamic WEP (legacy / pre WPA era)security methods.
     802.1X security mode can be seen on Nokia Eseries phones as sort of an "everything with EAP based authentication is allowed" mode, meaning that following key management and cipher configurations are supported:
    - WPA-Enterprise  = WPA Key Management (EAP based authentication) with TKIP encryption
    - WPA2-Enterprise = WPA2 Key Management (EAP based authentication) with AES encryption
    - Mixed WPA/WPA2-Enterprise = I.e. WPA/WPA2 Mode Migration WPA2 Key Management (EAP based authentication) with AES (for unicast data) and TKIP (for multicast data) ciphers
    - 802.1X dynamic WEP = legacy (pre-WPA era) 802.1X based dynamic WEP (EAP based authentication with dynamic WEP encryption)
    Supported:
    - CCKM with WEP = CCKM Key Management (EAP based authentication) with dynamic WEP encryption
    - CCKM with TKIP = CCKM Key Management (EAP based authentication) with TKIP encryption
    Not supported:
    - CCKM with AES = CCKM Key Management (EAP based authentication) with AES encryption
    Please note that CCKM-AES mode (CCKM Key Management with AES cipher) is not working properly due to some incompatibilities between Cisco and Nokia implementations, thus it must not be listed as a supported combination on the current Nokia E-series devices. We are also seeing CCKM fast re-authentication failures with Cisco autonomous APs when AES encryption is used, although initial authentication to autonomous APs is successful. Nokia is currently working with Cisco to get CCKM-AES based authentication and roaming working properly with both LWAPP and autonomous Cisco APs.
    Also note that Nokia E-Series does not support Cisco proprietary CKIP/CMIC encryption/data integrity methods. CKIP/CMIC is supported at least by Cisco autonomous APs and it seems to be available also at least on LWAPP AP version 4.1.171.0.
     CCKM on E-Series devices has been tested against Cisco LWAPP (ver. 4.1.171.0) and it works when TKIP encryption is in use (WPA Policy + TKIP encryption in Cisco LWAPP configuration terms).
    In practice this means Cisco LWAPP is configured in a following manner: WLAN -> Edit -> Security-> 
    Layer 2 Security = WPA+WPA2
    WPA+WPA2 Parameters:
    -WPA Policy = enabled
    -WPA Encryption = TKIP enabled, AES disabled
    -WPA2 policy = disabled
    -Auth.Key Mgmt = CCKM
    Br,
    -Pasi-

  • Certificate based authentication with Cisco WLC and Juniper IC

    Hi
    I have a cisco WLC 4400 and Juniper IC which works as the external Radius server.
    I want the wireless clients to be authenticated using certificates. I know the Juniper IC can understand certificates.
    My question is can cisco WLC understand that the information being presented to it by the client is not username/pwd but a user certificate.
    I have also looked at this article:
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100590-ldap-eapfast-config.html
    What i don't understand here is the need of WLC authenticating the user with his credentials by LDAP when it has authenticated the user cert.
    All your help is appreciated.

    Hi,
    Since you use an external RADIUS server you don't have to worry about this.
    The only config that you need to do on WLC is to define the radius server under Security-AAA-Radius-Authentication and on your WLAN-Security-AAA.
    The doc you refer to is only for Local RADIUS on the WLC.
    Hope this helps
    Regards,
    Christos

  • Cisco WLC 5508 - NPS Radius

    Cisco WLC 5508
    Software Version: 7.4.100.0
    Windows Server 2008R2
    I've got everything setup on the Windows Server 2008 side of things (certificates, radius clients, etc)
    I added the radius server on the WLC, and configured a new WLAN to use it.
    Both are on the same subnet.
    When trying to connect to the WLAN it kept failing.  I installed Wireshark on the server to monitor the RADIUS traffic, and to my surprise there was no RADIUS traffic showing up on the server.  The RADIUS statistics on the WLC are at 0 as well, so it's like the WLC isn't even attempting RADIUS.
    I reverified that the server was enabled on both the security tab and the WLAN itself on the WLC.  Rebooted the controller and the server, all to no avail.  I used a RADIUS test client, and can successfully send RADIUS commands to the server using that utility.
    Frustrated, I just kept trying to reconnect on my wireless device, and after about the 15th try, finally I saw RADIUS activity in Wireshark.  It rejected my access, but at least I saw activity.  It also registered RADIUS statistics on the WLC as well.
    So now if I keep trying to connect repeatedly, about every dozen or so times the WLC actually will send a radius request to the server.
    What in the world is going on here?

    I do have local management users on the controller.
    Some hours later I added the option of authenticating management users against the NPS server. Then I logged in to the management GUI using NPS RADIUS, and it worked just fine.
    However, these commands have been useful to me several times, to make sure unsuccessful requests appear in the Windows Event log:
    auditpol /get /subcategory:"Network Policy Server"
    If it shows ‘No auditing’ or just "Success", you can run this command to enable it:
    auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
    So now I know that the NPS RADIUS server works for management access. I will go to the customer's site some other day to test it for 802.1x authentication. If not, I'll do some debugging to decide which to blame - the WLC or NPS.

  • Cisco WLC 5508 with 3702APs - mobile hotspot for 2000 Guest users

    I've been given a fantastic "opportunity" by my boss to use our existing wireless infrastructure to provide internet access to potentially up to 2000 VIP guests arriving with BYOD devices, in a very densely populated area for a 3 day event. We are talking an area of approx 200m x 15m. Think of it as an awards ceremony/concert. The solution will also be mobile, so we will be using internet breakout from different telcos as it will move to approx 20 countries. The area is also incredibly densely populated with other Wi-Fi APs. I did a brief site survey and AirMagnet could detect over 2500 other 'rogue' APs from where I was stood! I hope CleanAir works!
    We need a simple authentication method for them to connect with zero admin from our side. We don't want to just offer up a rolling daily PSK as that's a bit amateur and we don't really want the VIP guests sharing the PSK with others during their stay. Ideally they could self-provision by providing an email address.
    I know the WLC can handle webauth for local users but I don't think it scales very well. ie I don't think I can offer the account to several hundred people.
    Cisco ISE looks a very expansive (and expensive) product but I don't think we need all its capabilities (do I?). It would be nice to just ask a potential user for their email address and grant them access and email them next year. I've seen Cisco NAC but that looks over the top too for just guest users who will only be accessing a shared internet connection.
    I've seen 3rd party supposed software solutions from Kiosk Antamedia etc do they work with Cisco Enterprise WLC solutions?
    We'd like to limit users to a certain (low) bandwidth and block (say) torrent traffic to keep the general user experience worthwhile.
    Does anybody have any case study documents or experience of such a project? As well as the authentication it's how well the APs will handle the dense potential number of clients trying to connect in such a confined space. 
    Any suggestions would be gratefully appreciated from the knowledgeable community.
    Cheers,
    Mike

    Hi Rasika,
    We are having WLC 5508 model with software version running 7.4.121.0. AP Models are AIR-CAP2602I.
    Normally our WAN links are good even while the issue pertains. We are connected to remote offices over ipsec site to site vpn for WAN. The link latency in WLC between the AP and the controller shows  <1ms.
    Currently the Guest network is using WPA2-PSK auth given in the controller. We are trying to find an option to make the Guest wireless auth local to the office, and see if this solves the problem. 
    any suggestions,
    Thank you,
    Arjun

  • Configuration of Cisco WLC 2504 with Local LAN static IP and DHCP

    I want to configure a Cisco WLC 2504 with a local LAN static IP and a WLC 2504 with DHCP so that APs can connect to the controller.
    Currently I am using the WLC 2504 with DHCP, so can anyone suggest how to do that..

    Hi Sandeep
    The info is correct, if we're using code below 7.3.101.0.
    This issue is fixed via the below bug id.
    CSCto01390 Unable to ping AP's directly connected to a 2500 controller
    check the fix that is updated on 7.4, 7.5 RNE.
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn75.html
    Note
    Directly connected APs are supported only in Local mode.
    http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps11630/data_sheet_c78-645111.html
    For quick and easy deployment Access Points can be connected directly to 2504 Wireless LAN Controller via two PoE (Power over Ethernet) ports
    Thanks
    Saravanan
