Cisco WLC and Airtight SS-300AT-C-60

Similar Messages

• Cisco wlc and steel belted radius

  we have cisco wlc controller  that have  two ssid  one for user and one for guest
  we need the  user in ssid 1 take user name and password from  user group in active directory through steel belted radiu
  please send to me any integrated guide between cisco wlc and steel belted radius
  regards

  Hi                                                      Mohammad,
  I am unaware of a specific Steel Belted RADIUS intrgration guide for the WLCs, however the configuration process on the controller will be the same:
  Cisco WLC Configuration Guide 7.0 - Configuring RADIUS:
  http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70sol.html#wp1388328
  You may wish to contact your RADIUS vendor for additional configuration steps on the server.
  Best,
  Drew

• Mobility between Cisco WLC and Meraki(other vendor)

  Is it possible that users can roam between Cisco WLC and other vendor wireless gear? Meraki keeps saying it is possible.
  They keep saying it is a IEEE feature and everone should support but I do not understand how?

  While theoretically possible with the adoption of capwap, it would require all the manufacturers to follow the specs exactly the same. Kind of like hearding cats, not impossible, but highly unlikely.. That's just my opinion
  Sent from Cisco Technical Support iPad App

• Certificate based authentication with Cisco WLC and Juniper IC

  Hi
  I have a cisco WLC 4400 and Juniper IC which works as the external Radius server.
  I want the wireless clients to be authenticated using certificates. I know the Juniper IC can understand certificates.
  My question is can cisco WLC understand that the information being presented to it by the client is not username/pwd but a user certificate.
  i have also looked at this article :
  http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100590-ldap-eapfast-config.html
  What i don't understand here is the need of WLC authenticating the user with his credentials by LDAP when it has authenticated the user cert.
  All your help is appreciated.

  Hi,
  Since you use an external radius server you don't have to worry for this.
  The only config that you need to do on WLC is to define the radius server under Security-AAA-Radius-Authentication and on your WLAN-Security-AAA.
  The doc you refer is only for Local Radius on WLC.
  Hope this helps
  Regards,
  Christos

• Cisco WLC and Microsoft NAP

  Hi, I want to integrate my Cisco WLC directly into Microsoft NAP. Is this possible?
  Thanks

  follow the table in the link http://www.cisco.com/en/US/docs/security/nac-nap/1.0/release/notes/NACNAPRN.html#wp1134942 for the integration of WLC and Microsoft NAP

• Cisco WLC and Unsecured WLAN with redirect

  Hi Folks,
  Can someone point me in the right direction heer.
  I have a WLS box - i want to create a WLAN which will
            1.)     allow anyone to connect to without authentication.
            2.)     once connected they need to be redirected to a web server for further instructions.
  Any suggestions greatly appreciated.
  Cheers

  Hi George,
  I have downloaded those files and will have a look now.
  I have a couple of other questions in relation to this.
  When users connect to this SSID and fire up their browser, they are redirected to a https page - https://1.1.1.1/login.html?redirect
  Obviously the end users will receive a warning as they will not trust the certificate. The SAN on the certificate URL=https://1.1.1.1, IP Addresss=1.1.1.1
  This 1.1.1.1 address maps to a virtual interface on both controllers that we have.
  Why does it go to this page?
  Also how do i go about getting a public cert so end users dont get a cert warning. Their are obviously dns issues.
  Cheers

• Cisco WLC 2500 - 802.1x with Vasco Radius SMS OTP

  Hello folks,
  I have what seems to be a complex implementation with many things that need to be done on a customers network and I wanted to be pointed in the right direction.
  The current scenario is such, the customer has a Cisco WLC 2500 device that has 3 access points(these are in the same AP group) connected to it. There is one SSID that I will call PRODUCTION here that some domain users use to connect to the local network. The customer has requested to have a GUEST SSID added to the WLC where guest users will connect to and recieve a SMS OTP for authentication.
  Correct me if I am wrong, but I will obviously need to segment the SSIDs to have them running on different subnets to ensure that guest users do not have access to the production network once they authenticate. In order to do this I will need to configure Dynamic VLAN assignment for the Cisco WLC and connect it to a 802.1x port on the switch.
  Now what is not clear is I am not interested in authenticating the users that connect via "Production SSID" and want to bypass authentication for those users and have them assigned to the default vlan (or maybe perhaps have them authenticate via LDAP on the AD), however I want to force the "GUEST" SSID users to authenticate so that they may recieve an SMS OTP (reason for this is to force guests to register their phone numbers to use the internet so that Illegal activity may be tracked).
  1)So would it be possible to bypass authentication(or authenticate them via LDAP) for the PRODUCTION SSID as only domain users would know the SSID password to log on and have them by default assigned to the production subnet (default vlan) but force the GUEST SSID users to another VLAN via 802.1x sms otp?
  2)*Important* Another issue that is not clear is will I be able to directly configure AAA Radius settings on the Cisco WLC to directly authenticate with the VASCO Radius OTP and recieve a challenge-response(required for OTP) during authentication? As I have seen from Ciscos Dynamic VLAN assignment docuementation (http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml) additional IETF Radius Perimeters are used such as Tunnel-Private-Group-ID etc are used which I can't seem to configure on the Vasco.
  I do beileve this is a great project in helping me understand the INs and OUTs of CISCO WLC as well as Wireless NAC, If anyone could enlighten me and point me in the right direction I would be forever in debt. Much appreciated.
  Best Regards
  Sinan Barghouthi - JNCIA-FWV , JNCIA-IDP , CCA-NS , TCSM-8.0

  On your WLAN you can enable AES and TKIP. Just know that some clients mau have issue when they see both TKIP and AES. Ive had pretty good success with this in the past. Dont forget, you also need to enable WMM allowed to get N rates.
  But you will need to configure AES on the client as well to support N rates.
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

• Configure cisco wlc for rsa authentication

                     Hi,
  I wanted to find out if it is possible to authenticate wireless networks using rsa. Currently we have a cisco wlc 2504, rsa authentication manager 7.1
  Do we require a cisco ACS device to make this work. Please advise.
  Thanks

  Yes it is possible.  The below is the list of items which you require to configure RSA authentication on WLC
  •1.       RSA Authentication Manager 6.1
  •2.       RSA Authentication Agent 6.1 for Microsoft Windows
  •3.       Cisco Secure ACS 4.0(1) Build 27
      Note: The RADIUS server that is included can be used in place of the Cisco ACS. See the RADIUS documentation that was included with the RSA Authentication Manager on how to configure the server.
  •4.       Cisco WLCs and Lightweight Access Points for Release 4.0 (version 4.0.155.0)
  For more information you can go through this link:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008090399a.shtml

• WLC and LWAP Registration Log Question

  We have a Cisco 4404 WLC and and about 70 Cisco 1131 APs.  I am very new to the Cisco WLC and I need to know how to view its AP registration and unregistration logs.  We have a AP that has unregistered and we can't seem to find what switchport it was attached to.  It would be helpful to know the IP address and ideally any CDP information it had.  Unfortunately you can only view this information in the WLC if the AP is registered, but at this point it is not.  Any help would be appreciated.

  You will not be able to find that info unless you still see the information on the log about the AP. You would have to either review the switch cdp info as long as the AP is still functioning or else you will just need to physically track it down. If you have WCS or NCS, you should be able to review the past history and the maps would show you where that AP was located if the ap were positioned correctly.
  Thanks,
  Scott Fella
  Sent from my iPhone

• Cisco WLC AP count over SNMP

  Hi,
  Is it possible to monitore a quantity of AP on Cisco WLC and quantity of wireless clients?
  I was found only list of AP names over snmp...
  Thanks in advance

  Hi, Ralf
  If not late
  I use script directly in monitoring system
  main ()
  VALUE=`snmpwalk -v 2c -c xxxCommunityxxx X.X.X.X 1.3.6.1.4.1.9.9.513.1.1.1.1.2 | wc -l`
  echo "Message: Warning! Number of registed APs decriased."
  echo "Data:Count"
  echo "Count\t$VALUE"
  exit 0
  main $*
  This is shell. but you can use simple only one line
  `snmpwalk -v 2c -c xxxCommunityxxx X.X.X.X 1.3.6.1.4.1.9.9.513.1.1.1.1.2 | wc -l`
  (from linux)

• CISCO WLC How to Block a Client

  Hi,
  We are using CISCO WLC and broadcasting a number of SSIDs.
  What we want to do is to block some spesific users to a spesific SSIDs while letting to connct to another SSID.
  Dows anyone have any idea?

  You can use radius 802.1x authentication or you can setup Mac filtering on the WLC and specify what WLAN's they can connect to. They will only be able to connect to one SSID though.
  This setup you have is not normal as you want to have a device only connect to one ssid for simplicity and for user experience. Having the be able to connect to multiple
  SSID's can lead to connectivity issues on the client side, since the device might switch back and fourth to the different SSID's. Also the more SSID's you have the more noise in the environment. Typically 3-4 max SSID's is suggested.
  Sent from Cisco Technical Support iPhone App

• Cisco WLC

  Hi,
   why should have to choose cisco WLC and why can not go other vendor(Aruba).

  why should have to choose cisco WLC and why can not go other vendor(Aruba).
  I don't get the question.  You want us to provide you a reason?
  Before I start giving you a few, what are you trying to achieve and what is the state of the budget to do what you are doing?  These two questions are the lynch-pin to your question.

• Cisco ISE and WLC Access-List Design/Scalability

  Hi,
  I have a scenario whereby wireless clients are authenticated by the ISE and different ACLs are applied to it based on the rules on ISE. The problem I seems to be seeing is due to the limitation on the Cisco WLC which limit only 64 access-list entries. As the setup has only a few SVI/interfaces and multiple different access-lists are applied to the same interface base on the user groups; I was wondering if there may be a scalable design/approach whereby the access-list entries may scale beside creating a vlan for each user group and applying the access-list on the layer 3 interface instead? I have illustrated the setup below for reference:
  User group 1 -- Apply ACL 1 --On Vlan 1 
  User group 2 -- Apply ACL 2 -- On Vlan 1
  User group 3 -- Apply ACL 3 -- On Vlan 1
  The problem is only seen for wireless users, it is not seen on wired users as the ACLs may be applied successfully without any limitation to the switches.
  Any suggestion is appreciated.
  Thanks.

  Actually, you have limitations on the switch side as well. Lengthy ACLs can deplete the switch's TCAM resources. Take a look at this link:
  http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/68461-high-cpu-utilization-cat3750.html
  The new WLCs that are based on IOS XE and not the old Wireless/Aironet OS will provide the a better experience when it comes to such issues. 
  Overall, I see three ways to overcome your current issue:
  1. Shrink the ACLs by making them less specific
  2. Utilize the L3 interfaces on a L3 switch or FW and apply ACLs there
  3. Use SGT/SGA
  Hope this helps!
  Thank you for rating helpful posts!

• Cisco ISE and WLC Timeout Best Practices

  I am fairly new to ISE. Our Cisco WLC is using 802.1x and ISE is configured for PEAP with all inner methods enabled.
  I am looking for some guidance around where I should be configuring timeouts. There is a PEAP Session timeout in ISE, a session timeout on the WLC and a RADIUS reauthentication timeout that can be set in the Authorization profile results object in ISE.
  Currently I have the WLC configured for its default 1800 second timeout and ISE PEAP timeout at the default 7,200 value.

  I ended up answering my own question. The authorization session timeouts should be set in ISE if at all.
  Once I removed the session timeout value from the WLC and used the re-auth value in the ISE policy I had less complaints about disconnects.
  The session timeout on the PEAP settings has not caused any ill affects at it's default. The session resume has taken a huge load off of AAA though. Its worth turning on.

• Called-Station-ID attribute and Cisco WLC code 7.4

  Hello
  I have 2 WLCs configured with 2 SSIDs (one is [WPA2][Auth(802.1X)] and the other is Web-Auth). One of the WLCs is remote and its WLANs are configured with mobility anchors pointing to the other WLC. Both WLCs are configured with Called-Station-ID set to AP Mac Address:SSID. I use this attribute on ACS to authenticate/authorize users based on what SSID they connect to.
  This worked fine on WLC code 7.0 but on upgrading to 7.4 I started having some issues:
  clients on the remote WLC can still authenticate on the [WPA2][Auth(802.1X)] SSID as the Called-Station-ID attribute is still AP Mac Address:SSID
  clients on the remote WLC cannot authenticate on the Web-Auth SSID as the Called-Station-ID attribute now appears to be the Mac Address of the WLC anchor controller
  WLC models are 5508 and current code is 7.4.110.0 (APs are AIR-LAP1142N-E-K9). Can anyone tell me why I'm seeing this behaviour on the Web-Auth SSID on the remote WLC?
  Thanks
  Andy

  Since you have two AAA devices that's sending info, you can have your policy for the guest specifying the guest WLC. The SSID policy for the foreign WLC is only really needed if you have multiple 802.1x authentication from the foreign WLC and that's when you can use the regex to defiance the SSID per AD Group.
  Look at a successful authentication from one of the guest users. Look at the detailed log and then in that log, you will see all the attributes being sent that the radius can send back to the WLC. You can use any of those attributes in your policies.
  Called-Station-ID might not be sent like what your use to, because the foreign WLC has the access point the guest user associates to and tunnels it back to the anchor WLC. So this attribute might not be available. Things do change with code versions so you might just have to adjust your policies. I haven't played around with 7.0.x code with guest anchor and radius in a while, but I have in the past upgraded radius or the WLC and had to tweak my radius policies.
  Sent from Cisco Technical Support iPhone App