Cisco WLC ISE integration issue

Dear all,
We have a WLC 5508 and ISE integration; our wireless clients can connect to the Guest or Corporate SSID.
When connecting to the Corporate SSID, they can obtain an IP address and successfully associate. To use internal services (email, corporate services, etc.) the user needs to download the Airwatch agent, etc., but initially he can use ONLY the internet connection. The issue is that clients randomly reassociate; the downtime of the client is less than a second. For example, an Android phone shows that it is periodically disconnecting and reassociating to the SSID. I don't know if it is a bug or if some timers need to be configured. Any ideas?

There is no problem with the non-802.1x SSID.
Is the problem with the ISE timers?

Similar Messages

  • Cisco WLC DHCP upgrade issues

    Hi,
    I've discovered an issue with our WLC 4400 series controllers when we do firmware upgrades (we recently moved to 6.0.199): it seems to reset the DHCP server on the controller, but the access points still retain their old IP until the lease runs out (48 hrs). This means that any APs requesting a new lease often get an IP conflict for the first 48 hrs after the upgrade, and we experienced areas where APs wouldn't connect.
    Is this a common issue, and is there any way to get the APs to request a new address from the controller?
    thanks,
    Matt

    Hi Matt,
    When you do a WLC upgrade, a WLC reboot is required; this results in the DHCP lease table getting restarted as well.
    Solution:
    1- Set up an external DHCP server to overcome this.
    2- Restart the access points, so they request a new IP address.
    This is mentioned in the release notes for WLC 6.0.199.0, which you are running; it is written for clients, but the rule still applies:
    Link
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn6_0_199.html#wp581125
    Internal DHCP Server
    When clients use the controller's internal DHCP server, IP addresses are not preserved across reboots. As a result, multiple clients can be assigned the same IP address. To resolve any IP address conflicts, clients must release their existing IP address and request a new one.
    The same also applies on newer releases such as 6.0.199.4 and 7.0.
    Have a good day.
    Serge

  • Cisco WLC Client MAC address backup to new Controller & ISE

    Hi All,
    We have an existing 4400 controller with MAC filtering for clients configured. Right Now, we are migrating to 5500 WLC and ISE setup.
    We want to use MAC filtering due to company policies on the new Controller as well as ISE.
    Is there a way (from GUI/CLI) that we can export the client MAC Addresses into an Excel file from existing WLC to new WLC & ISE?
    Thanks,
    CJ

    On the CLI, issue a show macfilter summary and then import that into Excel or a text editor.

  • How to Sync clock on WLC ISE and AD

    Hi there,
    I am stuck on NTP. I deployed WLC CWA using ISE that is integrated with AD. I tried using AD as the NTP source but had no luck (universal fact that Cisco uses NTP whereas Microsoft uses SNTP).
    The issue is, if time is not synced between WLC, ISE and AD, web redirection stops working and no authentication takes place.
    I tried installing Meinbergglobal NTP software to distribute time to my Cisco devices. It does work with Cisco devices, but it acts as master and does not sync its own time with AD.
    I am trying to figure out a way to sync Cisco with Microsoft. Is there any way in this world to do so?
    Please help.
    Thanks in advance

    You mean I should sync AD and all my Cisco devices with a global NTP server?
    Yes and no. If you know your network well, doing this is a pain in the proverbial backside because you have to open firewall rules to everyone going out to the global NTP server.
    The smart thing to do is what George has described. You select a few (between two and four) to go out to the internet to synchronize. Normally I would nominate our core routers to do this. Next, all our distribution switches and core switches synchronize to our core routers. All our servers, PCs, printers, WLC, switches synchronize to our distro switches.

  • Cisco WLC 5508 with 3702APs - mobile hotspot for 2000 Guest users

    I've been given a fantastic "opportunity" by my boss to use our existing wireless infrastructure to provide internet access to potentially up to 2000 VIP guests arriving with BYOD devices, in a very densely populated area for a 3 day event. We are talking an area of approx 200m x 15m. Think of it as an awards ceremony/concert. The solution will also be mobile, so we will be using internet breakout from different telcos as it will move to approx 20 countries. The area is also incredibly densely populated with other wifi APs. I did a brief site survey and AirMagnet could detect over 2500 other 'rogue' APs from where I was stood! I hope CleanAir works!
    We need a simple authentication method for them to connect with zero admin from our side. We don't want to just offer up a rolling daily PSK as that's a bit amateur and we don't really want the VIP guests sharing the PSK with others during their stay. Ideally they could self-provision by providing an email address.
    I know the WLC can handle webauth for local users but I don't think it scales very well. ie I don't think I can offer the account to several hundred people.
    Cisco ISE looks a very expansive (and expensive) product but I don't think we need all its capabilities (do I?). It would be nice to just ask a potential user for their email address and grant them access and email them next year. I've seen Cisco NAC but that looks over the top too for just guest users who will only be accessing a shared internet connection.
    I've seen 3rd party supposed software solutions from Kiosk Antamedia etc do they work with Cisco Enterprise WLC solutions?
    We'd like to limit users to a certain (low) bandwidth and block (say) torrent traffic to keep the general user experience worthwhile.
    Does anybody have any case study documents or experience of such a project? As well as the authentication it's how well the APs will handle the dense potential number of clients trying to connect in such a confined space. 
    Any suggestions would be gratefully appreciated from the knowledgeable community.
    Cheers,
    Mike

    Hi Rasika,
    We have a WLC 5508 running software version 7.4.121.0. The AP models are AIR-CAP2602I.
    Normally our WAN links are good, even while the issue persists. We are connected to remote offices over IPsec site-to-site VPN for WAN. The link latency in the WLC between the AP and the controller shows <1ms.
    Currently the Guest network is using WPA2-PSK auth given in the controller. We are trying to find an option to make the Guest wireless auth local to the office, and see if this solves the problem.
    Any suggestions?
    Thank you,
    Arjun

  • HA in Cisco WLC

    Hi friends,
    I am planning to have a wireless environment for a corporate company. I would like to have a Cisco wireless LAN controller 2100 series and 15 Cisco Aironet 1142n access points. Since wireless is going to be a very important medium for the premises, I am planning to have high availability for the 2100 series WLC.
    With this scenario I have the following queries:
    1. Is high availability supported with the WLC 2100 series, or do I need to go for a higher-end WLC? It would be great if I could be guided to some documents on this.
    2. My wired switching infrastructure at the core is running GLBP. Can I connect both WLCs, one to each switch, in a dual-homed architecture?
    3. Are there any prerequisites for doing high availability for the WLCs?
    4. Yet another company that is close to me has the same architecture for its wireless infrastructure, except that they have a Cisco WLC 5508 and Cisco Aironet 1142n access points. All the endpoint NIC adapters that they have support the a/b/g standards. But with the n series they continuously report low signal strength; the reason for this is still unknown.
         But the tech documents of the 'n' series access point claim that they support 300 Mbps within 33 feet and 200 Mbps within 66 feet.
    They have 2 Cisco 1142n access points for every 30 feet, but still they are facing low signal strength. Also, their workspaces are all cubicles and without any interference.
    It would be great if I could be guided on this issue also.
    Regards,
    Karthik Anbumani

    Hi Karthik,
    You can build this HA solution based on the 2100 controllers. And if you want HA for 15 access points you need two 2125 controllers. But I will suggest that you consider the 5508 controller since that is a more future proof hardware and will give you more features that you might want to use such as Office Extend.
    Right now there is a bundle available for one 5508 with 10 x AIR-LAP1142 and the GPL price for that bundle is USD 31,424. And you should consider if you need the HA solution or if you are covered by the onsite support. In the product list below I have used the regulatory domain E and power cable for Europe. Make sure that you get this correct for your country. This is a limited offer ending August 1st 2010. You also need the additional 5 access points or more if you want Office Extend.
    Also consider that the 2100 series only have FastEthernet interfaces so you will not be able to utilize the full 11n throughput.
    1 x 5508 with 10 x 1142:
    Product | Description | Quantity | Price | Lead Time
    AIR-CT25-1140E10 | 802.11a/g/n ESTI Cfg5508-25 10AP WCS Demo Promo ends 8/1/10 | 1 | 24,595.00 | 14 Days
    AIR-CT5508-25-K9Z | 5508 Series Controller for up to 25 APs | 1 | 0.00 | 14 Days
    AIR-PWR-5500-AC | Cisco 5500 Series Wireless Controller Redundant Power Supply | 1 | 1,495.00 | 14 Days
    SWC5500K9-70 | Cisco Unified Wireless Controller SW Release 7.0 | 1 | 0.00 | 14 Days
    AIR-PWR-CORD-CE | AIR Line Cord Central Europe | 1 | 0.00 | 14 Days
    AIR-LAP1142N-E-K9Z | Manufacturing Level PID - AIR-LAP1142N-E-K9 | 10 | 0.00 | 14 Days
    S114RK9W-12421JA | Cisco 1140 Series IOS WIRELESS LAN LWAPP RECOVERY | 10 | 0.00 |
    LIC-CT5508-25 | 25 AP Base license | 1 | 0.00 | 14 Days
    LIC-CT5508-BASE | Base Software License | 1 | 0.00 | 14 Days
    WCS-CD-K9Z | CD With Windows And Linux. No License. | 1 | 0.00 | 14 Days
    CON-OSP-CT25E10 | ONSITE 24X7X4 802.11a/g/n ESTI Cfg: 5508-25; 10APs; | 1 | 0.00 |
    CON-OSP-CT0825 | ONSITE 24X7X4 Cisco 5508 Series | 1 | 2,944.00 |
    CON-OSP-1142EK9Z | ONSITE 24X7X4 802.11a/g/n Fixed AP | 10 | 2,390.00 |
    Total LeadTime: 14 Days  Total Price: USD 31,424.00
    2 x 2125 with 10 x 1142:
    Product | Description | Quantity | Price | Lead Time
    AIR-WLC2125-K9 | 2100 Series WLAN Controller for up to 25 Lightweight APs | 1 | 8,995.00 | 21-35 Days
    CAB-AC-C5-EUR | AC Power Cord, Type C5, Europe | 1 | 0.00 | 14 Days
    SWLC2100K9-70 | Cisco Unified Wireless Controller SW Release 7.0 | 1 | 0.00 | 14 Days
    ASA5505-PWR-AC | ASA 5505 AC Power Supply Adapter | 1 | 0.00 | 14 Days
    SSC-BLANK | ASA 5505 SSC Blank Slot Cover | 1 | 0.00 | 14 Days
    CON-OSP-AC2125K9 | ONSITE 24X7X4 WLAN Controller for for Retail | 1 | 1,656.00 |
    Total LeadTime: 21 - 35 Days  Total Price: USD 10,651.00
    Product | Description | Quantity | Price | Lead Time
    AIR-WLC2125-K9 | 2100 Series WLAN Controller for up to 25 Lightweight APs | 1 | 8,995.00 | 21-35 Days
    CAB-AC-C5-EUR | AC Power Cord, Type C5, Europe | 1 | 0.00 | 14 Days
    SWLC2100K9-70 | Cisco Unified Wireless Controller SW Release 7.0 | 1 | 0.00 | 14 Days
    ASA5505-PWR-AC | ASA 5505 AC Power Supply Adapter | 1 | 0.00 | 14 Days
    SSC-BLANK | ASA 5505 SSC Blank Slot Cover | 1 | 0.00 | 14 Days
    CON-OSP-AC2125K9 | ONSITE 24X7X4 WLAN Controller for for Retail | 1 | 1,656.00 |
    Total LeadTime: 21 - 35 Days  Total Price: USD 10,651.00
    Product | Description | Quantity | Price | Lead Time
    AIR-LAP1142-EK9-PR | LAP1142 Controller Based E Reg Domain | 1 | 9,950.00 | 14 Days
    S114RK9W-12421JA | Cisco 1140 Series IOS WIRELESS LAN LWAPP RECOVERY | 1 | 0.00 |
    AIR-LAP1142-EBULK | BOM LEVEL PID FOR BULK PACK | 10 | 0.00 | 14 Days
    CON-OSP-LAP1142E | ONSITE 24X7X4 802.11a/g/n Fixed Unified AP; ETSI | 10 | 2,390.00 |
    CON-OSP-L1142E0P | ONSITE 24X7X4 802.11a/g/n LWAPP AP EU Cnfg-Promo Pk | 1 | 0.00 |
    Total LeadTime: 14 Days  Total Price: USD 12,340.00
    Total LeadTime: 21 - 35 Days  Total Price: USD 33,542.00
    Regards,
    André

  • Cisco wlc ios 7.2 with clients windows 8 can not authenticate with 802.1x

    Hello my name is Ivan:
    I have a unified wireless solution with a Cisco WLC 7.2 and Cisco APs. My issue is the following:
    My users are using laptops with Windows 8, and they cannot access the wireless network because they authenticate to the network using 802.1x WPA/WPA2 with TKIP or AES.
    I found a bug in the IOS of the WLC. The number is CSCua29504. I would not like to change the drivers on the laptops to join the users to the solution.
    Is it possible to find any software to do the upgrade on the WLC? Or perhaps we need to do an upgrade on the Cisco lightweight access points?
    Please help me with this issue.
    Regards
    Ivan

    Bug ID CSCua29504 has been fixed in WLC firmware 7.0.235.3, 7.3.101.X or 7.4.100.X.
    So if you are NOT running any one of these codes, then yes. Upgrading your firmware is your solution.
    Fixed in:  (12)
    7.4(100.0),7.4(1.20),7.3(112.0),7.3(101.0),7.3(1.67)
    7.2(111.3),7.2(111.1),7.2(110.4),7.0(236.0),7.0(235.3)

  • Generate one time authentication for Guest on Cisco WLC

    Hi All
    Sorry for my question; I have just started to work with the Cisco WLC.
    I have created some WLANs for local users with authentication by 802.1x + RADIUS by certificate.
    For guests I used PSK with MAC filtering.
    But I see that this is not comfortable for guests: each time they come and want to access our wireless, we have to come and get their MAC.
    I checked on the Internet and found that the wireless solutions for hotels and resorts are very easy.
    I also googled and saw that the Cisco WLC supports Lobby Ambassador to generate guest usernames/passwords. But as I checked, this username/password might only be used with Web-Auth; this method is not comfortable for guests who don't know they have to go to Web-Auth to do authentication (e.g. when they only get POP3 email, or VPN, ... and do not use browsers).
    Could I use this method (or another method) for creating a one-time guest wireless username/password or guest PSK that can be used for authentication when guests click on the wireless SSID name only (no need to open a web browser to do Web-Auth)?
    Regards
    Hai

    Hi Choudhary
    Thank you very much for your information.
    Could I reconfirm my concern?
    With the Cisco WLC, I can use WebAuth with guest users only.
    If I want to use a guest user for authentication when guests connect to the SSID (not by WebAuth; I mean use Layer 2 security only, not Layer 3), I will have to use an additional RADIUS server.
    And if I understand right, could you please recommend a software-based RADIUS server that supports generating one-time usernames/passwords for guests, because I checked and IAS/NPS on Windows Server may not have this function (ISE is not appropriate for us at this time, due to high expense).
    Regards
    Hai

  • Cisco WLC 2500 - 802.1x with Vasco Radius SMS OTP

    Hello folks,
    I have what seems to be a complex implementation with many things that need to be done on a customers network and I wanted to be pointed in the right direction.
    The current scenario is as follows: the customer has a Cisco WLC 2500 device that has 3 access points (these are in the same AP group) connected to it. There is one SSID, which I will call PRODUCTION here, that some domain users use to connect to the local network. The customer has requested to have a GUEST SSID added to the WLC, where guest users will connect and receive an SMS OTP for authentication.
    Correct me if I am wrong, but I will obviously need to segment the SSIDs to have them running on different subnets to ensure that guest users do not have access to the production network once they authenticate. In order to do this I will need to configure Dynamic VLAN assignment for the Cisco WLC and connect it to an 802.1x port on the switch.
    Now what is not clear is that I am not interested in authenticating the users that connect via the "Production SSID" and want to bypass authentication for those users and have them assigned to the default VLAN (or maybe perhaps have them authenticate via LDAP on the AD); however, I want to force the "GUEST" SSID users to authenticate so that they may receive an SMS OTP (the reason for this is to force guests to register their phone numbers to use the internet so that illegal activity may be tracked).
    1) So would it be possible to bypass authentication (or authenticate them via LDAP) for the PRODUCTION SSID, as only domain users would know the SSID password to log on, and have them by default assigned to the production subnet (default VLAN), but force the GUEST SSID users to another VLAN via 802.1x SMS OTP?
    2) *Important* Another issue that is not clear is whether I will be able to directly configure AAA RADIUS settings on the Cisco WLC to directly authenticate with the VASCO RADIUS OTP and receive a challenge-response (required for OTP) during authentication. As I have seen from Cisco's Dynamic VLAN assignment documentation (http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml), additional IETF Radius Perimeters such as Tunnel-Private-Group-ID etc. are used, which I can't seem to configure on the Vasco.
    I do believe this is a great project in helping me understand the ins and outs of the Cisco WLC as well as wireless NAC. If anyone could enlighten me and point me in the right direction I would be forever in debt. Much appreciated.
    Best Regards
    Sinan Barghouthi - JNCIA-FWV , JNCIA-IDP , CCA-NS , TCSM-8.0

    On your WLAN you can enable AES and TKIP. Just know that some clients may have issues when they see both TKIP and AES. I've had pretty good success with this in the past. Don't forget, you also need to enable WMM allowed to get N rates.
    But you will need to configure AES on the client as well to support N rates.

  • ISE integration with SMS gateway required license

    Hello All,
    We have a Cisco WLC with guest wireless access configured to use the local database. The management requires a new solution to send credentials to the user through SMS after the user signs up through the portal.
    We decided to use Cisco ISE. My question is: what is the required license to integrate ISE with the WLC and an SMS gateway? Should we use the Basic license, Advanced or the Wireless license?
    Thanks,
    Amr

    Hi Charles,
    Why do you say "you would need Base and Plus Licenses at a minimum"?
    Looking at the ISE licensing guide (table 2):
    http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/datasheet-c78-730772.pdf
    it seems that Guest Portal services are already included in the Base License (and all the AAA stuff too),
    therefore enough for the "Wireless Guest Access with SMS authentication" needed by Amr.
    Finally, the advantage of the 'Base' license is that it is perpetual ...no annual fee to pay ;-)
    Regards.
    Gio

  • Understanding statistics from a Cisco WLC?

    Hello,
    From the "Monitor" page on our Cisco WLC. If you go to "Access Points" from the left side then choose one of the Radios like 802.11b/g/n. That will list all the APs connected with your controller.
    1) First question, some of the APs listed show the "Interference Profile" as "Failed". What does this mean? It has connected clients and no one is reporting an issue. So what does that really mean?
    2) Second question, if you go to the "Details" for one of the APs I can see the "802.11 MAC Counters" showing things like Tx Fragments, Tx Failed Count, FCS Error Count, etc. Below is what I see.
    Can someone explain what these statistics are saying? Again there are no issues reported by our users, but some of these values seem high and I don't understand what they are saying or if there is anything I should be considered with.
    Any help on this would be great!
    Thank you!
    -rya

    For your convenience:
    The details of the "802.11 MAC Counters":
    Counters
    - Tx Fragment Count: This counter is incremented for an acknowledged MPDU with an individual address in the address 1 field.
    - Tx Failed Count: This counter increments when an MSDU is successfully transmitted after one or more retransmissions.
    - Multiple Retry Count (Graphics view only): This counter shall increment when an MSDU is successfully transmitted after more than one retransmission.
    - RTS Success Count: This counter increments when a CTS is received in response to an RTS.
    - ACK Failure Count: This counter increments when an ACK is not received when expected.
    - Multicast Rx Frame Count: This counter increments when a MSDU is received with the multicast bit set in the destination MAC address.
    - Tx Frame Count: This counter increments for each successfully transmitted MSDU.
    - Multicast Tx Frame Count: This counter increments only when the multicast bit is set in the destination MAC address of a successfully transmitted MSDU. When operating as a STA in an ESS, where these frames are directed to the access point, this implies having received an acknowledgment to all associated MPDUs.
    - Retry Count: This counter increments when an MSDU is successfully transmitted after one or more retransmissions.
    - Frame Duplicate Count: This counter increments when a frame is received that the Sequence Control field indicates is a duplicate.
    - RTS Failure Count: This counter increments when a CTS is not received in response to an RTS.
    - Rx Fragment Count: This counter shall be incremented for each successfully received MPDU of type Data or Management.
    - FCS Error Count: This counter increments when an FCS error is detected in a received MPDU.
    - WEP Undecryptable Count: This counter increments when a frame is received with the WEP subfield of the Frame Control field set to one and the WEPOn value for the key mapped to the TA's MAC address indicates that the frame should not have been encrypted or that frame is discarded due to the receiving STA not implementing the privacy option.
    Band Select statistics
    When the feature is activated, the WLC doesn't immediately reply to probe requests on 11b/g. If immediately a probe is also seen on 11a, then the client is detected as dual band. Then WLC only replies on 11a. After some time, this "categorization" expires and WLC will again try to see if the client is present on both bands.

  • Hellp on Nokia E61i associating with Cisco WLC 4402

    I have met a problem associating Nokia's dual-mode mobile phone E61i with a Cisco WLC 4402; I hope someone can help me with it:
    I set up a VOICE WLAN on the 4402 (v5.0.148). Layer 2 security is WPA1+WPA2, key management uses 802.1x, the WPA1 policy enables both TKIP and AES, and the RADIUS server is the ACS engine (v4.1.1.23) (PEAP-MSCHAPv2 enabled).
    I can use my laptop to join this WLAN (my laptop is configured with PEAP/MSCHAPv2, WPA-TKIP, not validating the server certificate), but can't get the E61i to join it; each time it will remind me “unable to connect, WPA authenticate failed”.
    On the E61i, I select WPA/WPA2 as the WLAN security mode and enable EAP-PEAP; under EAP-PEAP, I enable EAP-MSCHAPv2. However, under Cipher there are a lot of options such as “RSA,3EDS,SHA”, “RSA,AES,SHA”, but there's no TKIP. I have tried enabling all of them and tried enabling only those items which include AES, but I failed each time with the same reminder “unable to connect, WPA authenticate failed”. I checked the ACS's failed log and there's no record; on the 4402, there is also no record.
    If I change the security to open or static WEP for the VOICE WLAN, then the E61i can connect to the WLAN.
    I think the problem may relate to encryption or the certificate. Right now I am just doing the test in the lab, not in the customer's real environment, so I used ACS to generate a self-signed certificate and installed it in ACS.
    Please help point out what I need to adjust to make it work. Thanks!

    Hello,
    CCKM Key Management mode on Nokia E61i phone can be used against Cisco LWAPP AP's with TKIP encryption
    Nokia E61i (and other E-series WLAN enabled phones) are supporting CCKM key management method with both dynamic WEP and TKIP ciphers.
    On the phone configuration, 802.1X security mode needs to be in use in order to enable CCKM support. WPA/WPA2 security mode on the phone is dedicated to standards based WPA and WPA2 methods and it does not allow usage of proprietary CCKM key management method.
    The phone's 802.1X security mode does not mean that the phone would only support the dynamic WEP encryption method in this mode, although in some contexts the term "802.1X" may be attached to pure dynamic WEP (legacy / pre-WPA era) security methods.
    802.1X security mode can be seen on Nokia E-series phones as a sort of "everything with EAP based authentication is allowed" mode, meaning that the following key management and cipher configurations are supported:
    - WPA-Enterprise  = WPA Key Management (EAP based authentication) with TKIP encryption
    - WPA2-Enterprise = WPA2 Key Management (EAP based authentication) with AES encryption
    - Mixed WPA/WPA2-Enterprise = I.e. WPA/WPA2 Mode Migration WPA2 Key Management (EAP based authentication) with AES (for unicast data) and TKIP (for multicast data) ciphers
    - 802.1X dynamic WEP = legacy (pre-WPA era) 802.1X based dynamic WEP (EAP based authentication with dynamic WEP encryption)
    Supported:
    - CCKM with WEP = CCKM Key Management (EAP based authentication) with dynamic WEP encryption
    - CCKM with TKIP = CCKM Key Management (EAP based authentication) with TKIP encryption
    Not supported:
    - CCKM with AES = CCKM Key Management (EAP based authentication) with AES encryption
    Please note that CCKM-AES mode (CCKM Key Management with AES cipher) is not working properly due to some incompatibilities between Cisco and Nokia implementations thus it must not be listed as a supported combination on the current Nokia E-series devices. We are also seeing CCKM-Fast Re-authentication failures with Cisco autonomous AP's when AES encryption is used although initial authentication to autonomous AP's is successful. Nokia is currently working with Cisco to get CCKM-AES based authentications and roaming working properly with both LWAPP and autonomous Cisco AP's.
    Also note that Nokia E-Series does not support Cisco proprietary CKIP/CMIC encryption/data integrity methods. CKIP/CMIC is supported at least by Cisco autonomous AP's and it seems to be available also at least on LWAPP AP version 4.1.171.0.
    CCKM on E-Series devices has been tested against Cisco LWAPP (ver. 4.1.171.0) and it works when TKIP encryption is in use (WPA Policy + TKIP encryption in Cisco LWAPP configuration terms).
    In practice this means Cisco LWAPP is configured in a following manner: WLAN -> Edit -> Security-> 
    Layer 2 Security = WPA+WPA2
    WPA+WPA2 Parameters:
    -WPA Policy = enabled
    -WPA Encryption = TKIP enabled, AES disabled
    -WPA2 policy = disabled
    -Auth.Key Mgmt = CCKM
    Br,
    -Pasi-

  • ISE integration with Prime Infrastructure,

    Hi Team,
    I would like to know what the advantages and disadvantages of the ISE integration with Prime Infrastructure are. Also, how will the LAN, wifi, and identity management part (guest access etc.) work together?
    Cheers!!!
    Minakshi

    Prime Infrastructure manages the wired and the wireless clients in the network. When Cisco ISE is used as a RADIUS server to authenticate clients, Prime Infrastructure collects additional information about these clients from Cisco ISE and provides all client relevant information to Prime Infrastructure to be visible in a single console.
    When posture profiling is enforced in the network, Prime Infrastructure talks to Cisco ISE to get the posture data for the clients and displays it along with other client attributes. When Cisco ISE is used to profile the clients or an endpoint in the network, Prime Infrastructure collects the profiled data to determine what type of client it is, whether it is an iPhone, iPad, an Android device, or any other device.
    Cisco ISE is assisting Prime Infrastructure to monitor and troubleshoot client information, and displays all the relevant information for a client in a single console.

  • Cisco APs get disconnected from cisco WLC after 30 min when connected on Juniper SRX

    Hi,
    I am connecting all my Cisco 1131AG APs via a Juniper SRX 240 box, and the Cisco WLC is placed in the LAN.
    We are running LWAPP in layer 3 mode. The APs get disassociated from the WLC after 30 min.
    The setup is like this:
    AP->AccessSwitch-->JuniperSRX(reth2.0)-->JuniperSRX(reth1.0)-->CoreSwitch-->CiscoWLC
    Could anyone please help me to resolve this issue?

    Firmware for WLC is AIR-WLC4400-K9-4-2-99-0
    Firmware for AP is 12.4(10b)JA1
    The logs from the WLC during disconnection:
    Mon Sep 6 20:05:52 2010 AP Disassociated. Base Radio MAC:00:1f:ca:2d:4e:a0
    1 Mon Sep 6 20:05:52 2010 AP's Interface:0(802.11b) Operation State Down: Base Radio MAC:00:1f:ca:2d:4e:a0 Cause=Heartbeat Timeout
    2 Mon Sep 6 20:05:51 2010 AP Disassociated. Base Radio MAC:00:1f:9e:c1:0d:30
    3 Mon Sep 6 20:05:51 2010 AP's Interface:0(802.11b) Operation State Down: Base Radio MAC:00:1f:9e:c1:0d:30 Cause=Heartbeat Timeout
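
The trap-log lines quoted in the post above can be parsed and correlated by AP and by time, as in this added example (not part of the original thread). The field layout is assumed from those four lines only; the function names, the 5-second pairing slack and the 60-second burst window are choices made for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Sample input: the four WLC trap-log lines quoted in the post above.
SAMPLE_LOG = """\
Mon Sep 6 20:05:52 2010 AP Disassociated. Base Radio MAC:00:1f:ca:2d:4e:a0
1 Mon Sep 6 20:05:52 2010 AP's Interface:0(802.11b) Operation State Down: Base Radio MAC:00:1f:ca:2d:4e:a0 Cause=Heartbeat Timeout
2 Mon Sep 6 20:05:51 2010 AP Disassociated. Base Radio MAC:00:1f:9e:c1:0d:30
3 Mon Sep 6 20:05:51 2010 AP's Interface:0(802.11b) Operation State Down: Base Radio MAC:00:1f:9e:c1:0d:30 Cause=Heartbeat Timeout
"""

# Layout assumed from the sample: [index] timestamp message "Base Radio MAC:"mac [Cause=...]
LINE_RE = re.compile(
    r"^\s*(?:\d+\s+)?"                                   # optional trap index
    r"(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<msg>.*?)"
    r"Base Radio MAC:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?:\s+Cause=(?P<cause>.+?))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    mac: str
    kind: str              # "disassociated", "radio_down" or "other"
    cause: Optional[str]


def parse_events(text):
    """Turn trap-log text into Event records; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        if "Disassociated" in msg:
            kind = "disassociated"
        elif "Operation State Down" in msg:
            kind = "radio_down"
        else:
            kind = "other"
        ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
        events.append(Event(ts, m["mac"].lower(), kind, m["cause"]))
    return events


def cause_by_ap(events, slack=timedelta(seconds=5)):
    """Map each (mac, time) disassociation to the causes logged for that AP's radios nearby in time."""
    result = {}
    for drop in (e for e in events if e.kind == "disassociated"):
        causes = {
            e.cause
            for e in events
            if e.kind == "radio_down" and e.mac == drop.mac
            and e.cause and abs(e.ts - drop.ts) <= slack
        }
        result[(drop.mac, drop.ts)] = sorted(causes)
    return result


def find_bursts(events, window=timedelta(seconds=60), min_aps=2):
    """Group disassociations whose gaps are <= window; keep groups with >= min_aps distinct APs."""
    drops = sorted((e for e in events if e.kind == "disassociated"), key=lambda e: e.ts)
    groups, current = [], []
    for e in drops:
        if current and e.ts - current[-1].ts > window:
            groups.append(current)
            current = []
        current.append(e)
    if current:
        groups.append(current)
    return [
        {"start": g[0].ts, "end": g[-1].ts, "aps": sorted({e.mac for e in g})}
        for g in groups
        if len({e.mac for e in g}) >= min_aps
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for key, causes in cause_by_ap(evs).items():
        print(key[0], key[1].isoformat(), causes)
    for burst in find_bursts(evs):
        print("burst:", burst["start"].isoformat(), "->", burst["end"].isoformat(), burst["aps"])
```

Several APs dropping with the same cause within seconds of each other points at something shared on the path between the APs and the controller rather than at one faulty AP.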

  • Cisco wlc and steel belted radius

    We have a Cisco WLC controller that has two SSIDs, one for users and one for guests.
    We need the users in SSID 1 to take their user name and password from a user group in Active Directory through Steel-Belted Radius.
    Please send me any integration guide between the Cisco WLC and Steel-Belted Radius.
    regards

    Hi Mohammad,
    I am unaware of a specific Steel Belted RADIUS integration guide for the WLCs, however the configuration process on the controller will be the same:
    Cisco WLC Configuration Guide 7.0 - Configuring RADIUS:
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70sol.html#wp1388328
    You may wish to contact your RADIUS vendor for additional configuration steps on the server.
    Best,
    Drew
