Cisco WLC with Bonjor services - MSE 3310 compatibility

Similar Messages

• Cisco WLC with ISE - need to restrict access during non-business hours

  Hello,
  We have a requirement to turn off our wireless during non-business hours.  We have a 5508 WLC with ISE.  What is the best way to accomplish this task?  
  Thank you in advance.
  Beth

  Aside from Steve's respond, there are several methods of doing this and this will all depend on how complex your network is and how technical you want to do this.  
  1.  As what Steve said, use PI and you can define several schedules when to turn off/on the SSID; 
  2.  If you have corporate access, you can use AD to schedule non-business hours; 
  3.  If you have Cisco PoE switches, you can enable EnergyWise to power off the APs; 
  4.  If you manage your core network, you can enable time-based ACL to disable the default gateway of the dynamic interface which is attached to your SSID.  
  The most "destructive" method is option #3, because there are chances that your AP won't power up properly, if not power up at all.  

• Attach WAP4410N as WGB to Cisco 5760 WLC with LWAP 3702

  I have 5760 WLC with 3702 wireless infrastructure. Can i connect a WAP4410N AP as WGB to be attached to my current wifi network so i can provide connectivity to some wired devices? Any tips on doing so? And any limitation can be imposed for using this WAP instead of any other AP that are supported by WLC5760? If the wired clients are passive, configuring passive-client on WLC will work normally?

  Thanks Eric for the reply, however, this AP is not expected to be controlled by WLC as you mentioned since it is not lightweight and not supported by this WLC for compatibility. But in this scenario, i'm talking about operating it in WGB mode to be attached to the unified wireless infrastructure. In this scenario, it is just attached as a client that pass the traffic of its clients to the other side.
  I have noticed the below statement in this guide page (539)
  http://hcsdemo.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/37e/consolidated_guide/b_37e_consolidated_3650_cg.pdf
  When non-Cisco WGBs are used, the switch has no information about the IP address of the clients on the wired segment behind the WGB. Without this information, the switch drops the following types of messages:
  • ARP REQ from the distribution system for the WGB client.
  • ARP RPLY from the WGB client.
  • DHCP REQ from the WGB client.
  • DHCP RPLY for the WGB client.
  Accordingly, if the switch will drop all this traffic, then no traffic will be passed from the WGB clients to the network ! what I’m missing here?!!!

• Unable to integrate WLC with cisco ACS

                   Hi,
  I am not able to integrate Cisco Tacas with WLC
  Below are the error logs in Juniper firewall
  WLC IP: 10.210.126.133
  Cisco ACS: 10.116.45.131
  Date/Time
  Source Address/Port
  Destination Address/Port
  Translated Source Address/Port
  Translated Destination Address/Port
  Service
  Duration
  Bytes Sent
  Bytes Received
  Close Reason
  2013-11-04 16:31:03
  10.210.126.133:49098
  10.116.45.131:49
  10.210.126.133:49098
  10.116.45.131:49
  TCP PORT 49
  2 sec.
  591
  428
  Close - TCP FIN
  2013-11-04 16:31:03
  10.210.126.133:51759
  10.116.45.131:49
  10.210.126.133:51759
  10.116.45.131:49
  TCP PORT 49
  2 sec.
  525
  326
  Close - TCP FIN
  2013-11-04 16:31:09
  10.210.126.133:51759
  10.116.45.131:49
  10.210.126.133:51759
  10.116.45.131:49
  TCP PORT 49
  9 sec.
  475
  238
  Close - TCP FIN
  2013-11-04 16:31:09
  10.210.126.133:49098
  10.116.45.131:49
  10.210.126.133:49098
  10.116.45.131:49
  TCP PORT 49
  9 sec.
  519
  318
  Close - TCP FIN
  Pls suggest further whether any changes needs to be done in any end
  Cisco ACS Srver
  11/04/2013
  16:31:01
  Author failed
  ads.shalder
  DCN-BANG2&BANG5-RW
  127.0.0.1
  Service denied
  service=ciscowlc protocol=common
  10.210.126.133
  ads.shalder
  No
  1
  10.210.126.133
  Pls suggest further
  Br/Subhojit

  Hi,
  we are getting this error on WLC side debug
  (Cisco Controller) >*tplusTransportThread: Nov 05 09:51:32.683: Forwarding request to 10.116.45.131 port=49
  *tplusTransportThread: Nov 05 09:51:32.689: tplus auth response: type=1 seq_no=2 session_id=5b675ca1 length=16 encrypted=0
  *tplusTransportThread: Nov 05 09:51:32.689: TPLUS_AUTHEN_STATUS_GETPASS
  *tplusTransportThread: Nov 05 09:51:32.689: auth_cont get_pass reply: pkt_length=25
  *tplusTransportThread: Nov 05 09:51:32.689: processTplusAuthResponse: Continue auth transaction
  *tplusTransportThread: Nov 05 09:51:32.700: tplus auth response: type=1 seq_no=4 session_id=5b675ca1 length=6 encrypted=0
  *tplusTransportThread: Nov 05 09:51:32.700: tplus_make_author_request() from tplus_authen_passed returns rc=0
  *tplusTransportThread: Nov 05 09:51:32.700: Forwarding request to 10.116.45.131 port=49
  *tplusTransportThread: Nov 05 09:51:32.705: author response body: status=16 arg_cnt=0 msg_len=0 data_len=0
  *tplusTransportThread: Nov 05 09:51:32.705: Tplus authorization for ads.shalder failed status=16
  WLC hardware is: AIR-CT2504-K9V01
  Br/Subhojit

• WLC is loosing SHA2 configuration, used to speaks with the virtual MSE

  Hi,
  I'm having a little problem with the SHA2 configuration on a WLC 2504.
  Throught cli on the WLC I configured the SHA2 with this command: (Cisco Controller) >config auth-list add sha256-lbs-ssc 00:0c:29:0d:80:5f 88daa0a7f828cd8eb139136065e1c7f62fdc6ac91935e8631fc84e5fc41fc95d
  And works for several days, and without any reason disappears from the configuration and the NMSP over SSL gets down between the WLC and the Virtual MSE and the NMSP Status goes Inactive and I lose all the statistics.
  Please help, I need to resolve this issue.
  Anybody else has this problem?
  Thanks in advance
  Regards

  https://supportforums.cisco.com/discussion/11383036/mse-nmsp-passes-troubleshoot-test-still-inactive

• Cisco wlc ios 7.2 with clients windows 8 can not authenticate with 802.1x

  Hello my name is Ivan:
  I have a solution a unified solution wireless with a cisco wlc 7.2 and ap cisco. My issue is the follow:
  My users are using laptops with OS windows 8, and they can not access to the network wireless because they authenticate in to the network using 802.1x wpa/wpa2 with tkip or aes.
  I find a bug in the ios of the wlc. The number is CSCua29504. I would not to change the drivers in the laptop to join the users in to the solution.
  Please is possible to find any software to do the upgrade in the wlc? Or perhaps we need to do an upgrade in to cisco lightweight access point?
  Please help me in this issue.
  Regards
  Ivan

  Bug ID CSCua29504 has been fixed in WLC firmware 7.0.235.3, 7.3.101.X or 7.4.100.X.
  So if you are NOT running any one of these codes, then yes.  Upgrade your firmware is your solution.
  Fixed in:  (12)
  7.4(100.0),7.4(1.20),7.3(112.0),7.3(101.0),7.3(1.67)
  7.2(111.3),7.2(111.1),7.2(110.4),7.0(236.0),7.0(235.3)

• Certificate based authentication with Cisco WLC and Juniper IC

  Hi
  I have a cisco WLC 4400 and Juniper IC which works as the external Radius server.
  I want the wireless clients to be authenticated using certificates. I know the Juniper IC can understand certificates.
  My question is can cisco WLC understand that the information being presented to it by the client is not username/pwd but a user certificate.
  i have also looked at this article :
  http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100590-ldap-eapfast-config.html
  What i don't understand here is the need of WLC authenticating the user with his credentials by LDAP when it has authenticated the user cert.
  All your help is appreciated.

  Hi,
  Since you use an external radius server you don't have to worry for this.
  The only config that you need to do on WLC is to define the radius server under Security-AAA-Radius-Authentication and on your WLAN-Security-AAA.
  The doc you refer is only for Local Radius on WLC.
  Hope this helps
  Regards,
  Christos

• Cisco WLC 2500 - 802.1x with Vasco Radius SMS OTP

  Hello folks,
  I have what seems to be a complex implementation with many things that need to be done on a customers network and I wanted to be pointed in the right direction.
  The current scenario is such, the customer has a Cisco WLC 2500 device that has 3 access points(these are in the same AP group) connected to it. There is one SSID that I will call PRODUCTION here that some domain users use to connect to the local network. The customer has requested to have a GUEST SSID added to the WLC where guest users will connect to and recieve a SMS OTP for authentication.
  Correct me if I am wrong, but I will obviously need to segment the SSIDs to have them running on different subnets to ensure that guest users do not have access to the production network once they authenticate. In order to do this I will need to configure Dynamic VLAN assignment for the Cisco WLC and connect it to a 802.1x port on the switch.
  Now what is not clear is I am not interested in authenticating the users that connect via "Production SSID" and want to bypass authentication for those users and have them assigned to the default vlan (or maybe perhaps have them authenticate via LDAP on the AD), however I want to force the "GUEST" SSID users to authenticate so that they may recieve an SMS OTP (reason for this is to force guests to register their phone numbers to use the internet so that Illegal activity may be tracked).
  1)So would it be possible to bypass authentication(or authenticate them via LDAP) for the PRODUCTION SSID as only domain users would know the SSID password to log on and have them by default assigned to the production subnet (default vlan) but force the GUEST SSID users to another VLAN via 802.1x sms otp?
  2)*Important* Another issue that is not clear is will I be able to directly configure AAA Radius settings on the Cisco WLC to directly authenticate with the VASCO Radius OTP and recieve a challenge-response(required for OTP) during authentication? As I have seen from Ciscos Dynamic VLAN assignment docuementation (http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml) additional IETF Radius Perimeters are used such as Tunnel-Private-Group-ID etc are used which I can't seem to configure on the Vasco.
  I do beileve this is a great project in helping me understand the INs and OUTs of CISCO WLC as well as Wireless NAC, If anyone could enlighten me and point me in the right direction I would be forever in debt. Much appreciated.
  Best Regards
  Sinan Barghouthi - JNCIA-FWV , JNCIA-IDP , CCA-NS , TCSM-8.0

  On your WLAN you can enable AES and TKIP. Just know that some clients mau have issue when they see both TKIP and AES. Ive had pretty good success with this in the past. Dont forget, you also need to enable WMM allowed to get N rates.
  But you will need to configure AES on the client as well to support N rates.
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

• Cisco WLC 5508 with 3702APs - mobile hotspot for 2000 Guest users

  Cisco WLC 5508 with 3702APs - mobile hotspot for 2000 Guest users
  I've been given a fantastic "opportunity" by my boss to use our existing wireless infrastructure to provide internet access to potentially upto 2000 VIP guests arriving with BYOD devices, in a very densely populated area for a 3 day event. We are talking an area of approx 200m x 15m. Think of it as an awards ceremony/concert. The solution will also be mobile so we will be using internet breakout from different telcos as it will move to approx 20 countries. The area is also incredibly densely populated with other wifi APs. I did a brief site survey and AirMagnet could detect over 2500 other 'rogue' APs from where I was stood! I hope CleanAir works!
  We need a simple authentication method for them to connect with zero admin from our side. We don't want to just offer up a rolling daily PSK as that's a bit amateur and we don't really want the VIP guests sharing the PSK with others during their stay. Ideally they could self-provision by providing an email address.
  I know the WLC can handle webauth for local users but I don't think it scales very well. ie I don't think I can offer the account to several hundred people.
  Cisco ISE looks a very expansive (and expensive) product but I don't think we need all it's capabilities (do I?). It would be nice to just ask a potential user for their email address and grant them access and email them next year. I've seen Cisco NAC but that looks over the top too for just guest users who will only be accessing a shared internet connection.
  I've seen 3rd party supposed software solutions from Kiosk Antamedia etc do they work with Cisco Enterprise WLC solutions?
  We'd like to limit users to a certain (low) bandwidth and block (say) torrent traffic to keep the general user experience worthwhile.
  Does anybody have any case study documents or experience of such a project? As well as the authentication it's how well the APs will handle the dense potential number of clients trying to connect in such a confined space. 
  Any suggestions would be gratefully appreciated from the knowledgeable community.
  Cheers,
  Mike

  Hi Rasika,
  We are having WLC 5508 model with software version running 7.4.121.0. AP Models are AIR-CAP2602I.
  Normally our WAN links are good even while the issue pertains. We are connected to remote offices over ipsec site to site vpn for WAN. The link latency in WLC between the AP and the controller shows  <1ms.
  currently the Guest network is using WPA2-PSK auth given in the controller. we are trying to find a option to make the Guest wireless auth local to the office, and see if this solves the problem. 
  any suggestions,
  Thank you,
  Arjun

• Hellp on Nokia E61i associating with Cisco WLC 4402

  I met some problem with associate Nokia's dual mode mobile phone E61i with Cisco WLC 4402, hope someone can help me on it:
  I setup a VOICE WLAN in 4402(v5.0.148), Layer2 security is WPA1+WPA2, Key management using 802.1x, WPA1 policy enable both TKIP and AES, Radius server using ACS engine(v4.1.1.23)(enable PEAP-MSCHAPv2);
  I can use my laptop to join this WLAN(my laptop configure with PEAP/MSCHAPv2, WPA-TKIP, not validate server certificate), but can't let E61i join it, each time it will remind me “unable to connect, WPA authenticate failed).
  In E61i, I select WPA/WPA2 as WLAN security mode, enable EAP-PEAP, under EAP-PEAP, I enable EAP-MSCHAPv2; however under Cipher, there's a lot of options such as “RSA,3EDS,SHA”, “RSA,AES,SHA”, but there's no TKIP, I have tried to enable all of them and tried only enable those items which include AES, but I failed each time with the same reminder “unable to connect, WPA authenticate failed”. I checked ACS's failed log, there's no record; In 4402, there also have no record.
  If I change the security to open or static WEP for VOICE WLAN, then the E61i can connect to the WLAN.
  I think the problem maybe relate to encryption or certificate, right now I just do the test in lab, not in customer's real environment, so I use ACS to generate a self signed certificate and installed it in ACS.
  Pls. help to point me what I need to adjust to make it work. Thanks!

  Hello,
  CCKM Key Management mode on Nokia E61i phone can be used
  against Cisco LWAPP AP's with TKIP encryption
  Nokia E61i (and other E-series WLAN enabled phones) are supporting CCKM key management method with both dynamic WEP and TKIP ciphers.
  On the phone configuration, 802.1X security mode needs to be in use in order to enable CCKM support. WPA/WPA2 security mode on the phone is dedicated to standards based WPA and WPA2 methods and it does not allow usage of proprietary CCKM key management method.
  Phone's 802.1X security mode does not mean that phone would only support dynamic WEP encryption method in this mode although in contexts term "802.1X" may be attached to pure dynamic WEP (legacy / pre WPA era)security methods.
   802.1X security mode can be seen on Nokia Eseries phones as sort of an "everything with EAP based authentication is allowed" mode, meaning that following key management and cipher configurations are supported:
  - WPA-Enterprise  = WPA Key Management (EAP based authentication) with TKIP encryption
  - WPA2-Enterprise = WPA2 Key Management (EAP based authentication) with AES encryption
  - Mixed WPA/WPA2-Enterprise = I.e. WPA/WPA2 Mode Migration WPA2 Key Management (EAP based authentication) with AES (for unicast data) and TKIP (for multicast data) ciphers
  - 802.1X dynamic WEP = legacy (pre-WPA era) 802.1X based dynamic WEP (EAP based authentication with dynamic WEP encryption)
  Supported:
  - CCKM with WEP = CCKM Key Management (EAP based authentication) with dynamic WEP encryption
  - CCKM with TKIP = CCKM Key Management (EAP based authentication) with TKIP encryption
  Not supported:
  - CCKM with AES = CCKM Key Management (EAP based authentication) with AES encryption
  Please note that CCKM-AES mode (CCKM Key Management with AES cipher) is not working properly due to some incompatibilities between Cisco and Nokia implementations thus it must not be listed as a supported combination on the current Nokia E-series devices. We are also seeing CCKM-Fast
  Re-authentication failures with Cisco autonomous AP's when AES encryption is used although initial authentication to autonomous AP's is successful. Nokia is currently working with Cisco to get CCKM-AES based authentications and roaming working properly with both LWAPP and autonomous Cisco AP's.
   Also note that Nokia E-Series does not support Cisco proprietary CKIP/CMIC encryption/data integrity methods. CKIP/CMIC is supported at least by Cisco autonomous AP's and it seems to be available also
  at least on LWAPP AP version 4.1.171.0.
   CCKM on E-Series devices has been tested against Cisco LWAPP (ver. 4.1.171.0) and it works when TKIP encryption is in use (WPA Policy + TKIP encryption in Cisco LWAPP configuration terms).
  In practice this means Cisco LWAPP is configured in a following manner: WLAN -> Edit -> Security-> 
  Layer 2 Security = WPA+WPA2
  WPA+WPA2 Parameters:
  -WPA Policy = enabled
  -WPA Encryption = TKIP enabled, AES disabled
  -WPA2 policy = disabled
  -Auth.Key Mgmt = CCKM
  Br,
  -Pasi-

• Cisco WLC 5508 with Nexus 5048 CDP error

  Hello,
  We got cisco WLC 5508 running 74.121.0
  The WLC is connected to Nexus 5548 with dual-homed.
  We receive CDP duplex mismatch from the Nexus switches.
  Any ideas?

  Can you check the duplex info. of the neighbor using
  router#show cdp neighbors detail

• Configuration of Cisco WLC 2504 with Local LAN static IP and DHCP

  I want to configure Cisco WLC 2504 with Local LAN static IP and WLC 2504 with DHCP so that APs can be connect with controller.
  Currently i am using WLC 2504 with DHCP so can anyone suggest how to do that..

  Hi Sandeep
  The info is correct, if we're using code below 7.3.101.0.
  This issue is fixed via the below bug id.
  CSCto01390 Unable to ping AP's directly connected to a 2500 controller
  check the fix that is updated on 7.4, 7.5 RNE.
  http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn75.html
  Note
  Directly connected APs are supported only in Local mode.
  http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps11630/data_sheet_c78-645111.html
  For quick and easy deployment Access Points can be connected directly to 2504 Wireless LAN Controller via two PoE (Power over Ethernet) ports
  Thanks
  Saravanan

• Cisco wlc 5508 with 30 Vlan

  Hello
  i need your help
  i want to configure Cisco WLC 5508 whith 03 vlans, 3750 as core swich
  - management Vlan
  - local-user vlan
  - Guest Vlan
  i want to know all steps or config to do on WLC 
  thx

  Hi,
  Just check this.
  It may help u.
  Wireless LAN Controller and Lightweight Access Point Basic Configuration Example
  http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/69719-wlc-lwap-config.html
  http://rscciew.wordpress.com/2014/01/22/configure-dynamic-interface-on-wlc/
  Webauth for guest users:
  http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html
  http://rscciew.wordpress.com/2014/06/19/wlc-webauth-configuration/
  Regards

• Muvo 200 and compatibility with subscription services (Napster to

  Hi
  I bought an muvo v200 as a christmas present as it displayed the "plays for sure" logo on the box. However, on reading the documentation and online stuff it doesnt look as if the device is compatible with subscription services.
  Can anyone confirm this please...or better still tell me there is a firmware u/g available somewhere. If it isnt going to work, then I am confused by the meaning of the "playsforsure" logo on the box.
  Thanks for your help.
  DaveBP

  None of Creative's memory-based players is compatible with Subscription services. If you look into PlaysFor Sure a bit more you will see that there are 2 parts to it - Download and Subscription.
  Creative display the PlaysForSure logo because it is compatible with the Download part of PFS.
  PFS was devised by Microsoft and there is more info about it at www.playsforsure.com.
  PB

• MSE Wips compatibility

  Hi guys, I have a platform with this elements:
  MSE
  7.4.100.0
  CISCO PRIME NCS 
  1.1.2.12
  WLC 5508
  7.2.115.1
  I would like to active the Wips functionality on the access points 1131, I have already the Wips License over the MSE, I don't know if there is some compatibility issue about this, because I'm not able to make it work, I'll be waiting for your comments.
  Regards,
  Alberto Badilla.

  Please refer:
  http://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html