Clients in Flex-connect SSID (with Anchor Controller) not able to connect with BYOD

Similar Messages

• Flex 14 Ideapad Windows 8.1 not able to start or recover using One Key Recovery

  I have a Flex 14 Ideapad with Windows 8.1. This was bought in Dec-2013. In the last 6 / 7 months I have has Windows crashing many times. The crashes used to end with a message boot media not found. Each time I used the One Key Recovery to restore the machine to factory setting.
  Recently, I faced an issue around user id files not being able to be loaded at the initial startup. This time also I used the One Key Recovery to restore the system. After this I have has another windows crash and now the One Key Recovery also is not working.
  What can be done now to make the system work again? 

  When you start up the system with the NOVO-Button, there should be an option for BIOS.
  Do you see the hard drive in the BIOS?
  Another option is this:
  You can use an USB-Flash Drive to start the system.
  For example you can give Ubuntu a try, a good tutorial to do that can be found here:
  http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-windows
  If this system start up without any problems, we can use it to test your system.

• Secondary domain controller not able to connect from work stations.

  We are using primary and secondary domain controllers. In which the secondary domain controller act as a replication server. actually the problem occurs while accessing the secondary domain controller from work stations I get the following error:
   "The trust relationship between this workstation and the primary domain failed".
  Any one please give as a solution.
  Thank you.

  Hi,
  Most simple resolution would be unjoin/disjoin the computer from the domain and rejoin the computer account back to the domain.
  There might be multiple reasons for this kind of behavior.
  Here are a few of them:
  Single SID has been assigned to multiple computers.
  If the Secure Channel is Broken between Domain controller and workstations
  If there are no SPN or DNS Host Name mentioned in the computer account attributes
  Outdated NIC Drivers.
  According your description, the second one may be the cause of your problem.
  When a Computer account is joined to the domain, Secure Channel password is stored with computer account in domain controller. By default this password will change every 30 days (This is an automatic process, no manual intervention is required).
  Upon starting the computer, Netlogon attempts to discover a DC for the domain in which its machine account exists. After locating the appropriate DC, the machine account password from the workstation is authenticated against the password on the DC.
  If there are problems with system time, DNS configuration or other settings, secure channel’s password between Workstation and DCs may not synchronize with each other.
  A common cause of broken secure channel [machine account password] is that the secure channel password held by the domain member does not match that held by the AD. Often, this is caused by performing a Windows System Restore (or reverting
  to previous backup or snapshot) on the member machine, causing an old (previous) machine account password to be presented to the AD.
  Follow below link which explains typical symptoms when Secure channel broken,
  Typical Symptoms when secure channel is broken
  http://blogs.technet.com/b/asiasupp/archive/2007/01/18/typical-symptoms-when-secure-channel-is-broken.aspx
  For detailed information, please refer to the link below,
  Troubleshooting AD: Trust Relationship between Workstation and Primary Domain failed
  http://social.technet.microsoft.com/wiki/contents/articles/9157.troubleshooting-ad-trust-relationship-between-workstation-and-primary-domain-failed.aspx
  Hope this helps.
  Steven Lee
  TechNet Community Support

• WLC 5760 multiple SSIDs with MAC filtering

  Dear All,
  I am implementing a wireless network with 5760 WLCs. The client requires a few SSIDs with MAC-based authentication. So I created different MAC filters using the commands "aaa authorization network MAC_FILTER01 local", "aaa authorization network MAC_FILTER02 local" etc
  These filters are bound to different SSIDs using the commands "mac-filtering MAC_FILTER01" "mac-filtering MAC_FILTER02" etc. and users are added to their required MAC filters using the commands "username <mac-address> mac aaa attribute list MAC_FILTER01", "username <mac-address> mac aaa attribute list MAC_FILTER02" etc.
  Now I am facing a serious issue - users belonging to any one MAC filter can connect to the all SSIDs. It seems like the MAC addresses added to the controller under different filter names are going to a common database, thereby providing access to users to all SSIDs irrespective of their MAC filter.
  Is it a limitation of local database of 5760? Has anyone faced the same issue? How can I implement independent MAC filters bound to different SSIDs?
  Thanks,
  Arun John

  Hi Arun,
  this feature currently does not exist on the  5760. it is due to release in one of the MR's of 3.6
  -Joseph

• Will Flex 2 integrate with WebSphere Portal Server

  I have a few questions in trying to argue the case for Flex 2
  to a very large client:
  Will Flex 2 integrate with IBM WebSphere Portal Server ?
  Will Flex 2 integrate with WebSphere if not with Portal
  Server ?
  Does Flex comply to the JSR168 Portlet specification ?

  http://livedocs.adobe.com/livecycle/8.2/programLC/programmer/lcds/help.html?content=wsrp_1 .html
  http://livedocs.adobe.com/livecycle/8.2/programLC/programmer/lcds/help.html?content=wsrp_2 .html
  http://livedocs.adobe.com/livecycle/8.2/programLC/programmer/lcds/help.html?content=wsrp_3 .html

• I am not able to access flex 3 in a week vedios ?

  Hi,
  From past two weeks I am searching for vedios of flex 3 training. I am not able to find anywhere. Please help me out in my projext we are using flex 3 not flex 4 or 4.5.
  Thanks

  Hi,
  These videos may help you.
  Flex 3 Videos
  1) http://www.5min.com/Video/How-to-Create-a-Simple-Flex-Builder-3-80731275
  2) http://www.5min.com/Video/How-to-Create-a-Main-Application-Page-in-Flex-Builder-3-80731242
  3) http://www.5min.com/Video/How-to-Create-Properties-and-Methods-in-a-Component-in-Flex-Buil der-3-80731320
  4) http://www.5min.com/Video/How-to-Use-the-Inline-ActionScript-in-Flex-Builder-3-80731339
  5) http://www.5min.com/Video/A-Review-of-the-Flex-Application-in-Flex-Builder-3-80731251
  6) http://www.5min.com/Video/Understanding-the-Event-Object-in-Flex-Builder-3-80731360
  7) http://www.5min.com/Video/How-to-Use-an-Event-Handler-Method-in-Flex-Builder-3-80731348
  8) http://www.youtube.com/watch?v=xrjmImF0CKE
  Thanks and Regards,
  Vibhuti Gosavi | [email protected] | www.infocepts.com

• Best place to create the DHCP scope for Guest SSID for remote office connected to HQ Foreign-Anchor controller

  Hi Experts ,
  Need help with the respect to understand the best practice to place/create the DHCP scope for remote site Guest SSID which will be connected to HQ Foeign-Anchor controller set-up.
  how about internet traffic for Guest SSID , which one will be recommanded :
  1) Guest SSID gets authenticated from HQ ISE and exposed to the local internet
  2) Guest SSID gets authenticated from HQ ISE and exposed to the HQ internet
  Thanks

  Hi George ,
  Thanks for your reply ...So you mean, best design would be to create the DHCP scope into DMZ for guest and let it get exposed to HQ internet ...
  how about if I have another anchor controller in lets say in other  office and I need to anchor the traffic or load balance from HQ foreign controller , in that case if I create DHCP scope into HQ anchor controller and if its down , I will loose the connectivity , how do I achieve fail-over to another anchor ?
  Do I need to create secondary scope into another anchor controller and let the client get reauthenticated from other location ISE and get ip address as well from another anchor controller . Is it what you are proposing ?

• Guest ssid with anchor controller and Web policy

  We have a WLC4404 and and anchor controller WLC4402 to provide guest access to the wifi net. We configured both in the same mobility group, and the guest ssid to attach to the mobility anchor 4402. All is working fine until we enable the web policy authentication on the 4402. In this case the client join the guest ssid but neither get an ip address from the dhcp server nor go anywhere. Is we disable the web authentication all works fine again. We are runnig 4.0.206.0 on both WLC. Anyone can help us?

  Two things you might check. (1) The 4404's mobility anchor should point to the 4402, and the 4402 should anchor to itself. (2) Make sure you are configuring the same security policy for the SSID on both the 4402 and 4404. So if the SSID is "guest" and you turn on web authentication on the 4402, make sure "guest" is on the 4404 with web authentication. We are using a similar setup for guest access at several sites.

• Single Corporate SSID + Single Guest SSID across 200 sites over VPN with Flex Connect

  We have two main sites (East Building as DR + West Building as BDR) + 100 remote sites / all connection between the sites based on VPN / OSPF
  East building has 1 WLC 5508 with a license of 500 AP
  West building has 1 WLC 5508 with a license of 500 AP
  50 remote sites in East
  Each East remote site have 5 AP (AIR-LAP1142N + AIR-CAP2602I)
  Total AP in all the 50 remote site in East is 250 AP
  50 remote site in West
  Each West remote site have 5 AP (AIR-LAP1142N + AIR-CAP2602I)
  Total AP in all the 50 remote site in West is 250 AP
  Hardware available are:
  2 * WLC 5508
  2 * ACS 5.2
  Most of the switches that connect to the AP are 2960G
  All the AP are
  AIR-LAP1142N-E-K9
  AIR-CAP2602I-E-K9
  Requirements in Brief:-
  1 SSID for Internal user across all the sites
  1 SSID for Guest user across all the sites
  All IP for all the sites based on their local subnet
  All the remote sites need to be Flex connect
  The 2 WLC need to configure as failover
  Requirements in Details:-
  One Corporate ABC-SSID for all the sites
  One Guest ABC-SSID for all the sites
  The WLC in East building is the primary which control all the East remote site (250 AP)
  The WLC in West building is the secondary which control all the West remote site (250 AP)
  A fail over between the two WLC as below:
  If the WLC in east fail then all the AP in east (250 AP) will connect to WLC in West
  If the WLC in West fail then all the AP in west (250 AP) will connect to WLC in East
  Each Remote site behaving as Flex connect to reduce the overhead over the WAN/VPN
  Each site must have their own AP groups for the ease of management
  All the AP MGMT IP based on their local subnet
  Each remote site, West building, and East building must obtain their IP based on their local VLAN Example:- site-1 in East:
  Corporate ABC-SSID take 10.204.0.0/24
  Guest ABC-SSID take 192.168.0.0/24
  Example:- site-2 in East:
  Corporate ABC-SSID take 10.204.1.0/24
  Guest ABC-SSID take 192.168.1.0/24
  Example:- site-3 in East:
  Corporate ABC-SSID take 10.204.2/24
  Guest ABC-SSID take 192.168.2.0/24
  And so on…….
  Example:- site-1 in West:
  Corporate ABC-SSID take 10.204.100.0/24
  Guest ABC-SSID take 192.168.100.0/24
  Example:- site-2 in West:
  Corporate ABC-SSID take 10.204.101.0/24
  Guest ABC-SSID take 192.168.101.0/24
  Example:- site-3 in West:
  Corporate ABC-SSID take 10.204.102.0/24
  Guest ABC-SSID take 192.168.102.0/24
  And so on…….
  Reference that I found
  https://supportforums.cisco.com/thread/2039215
  Expert I'm really stuck here, so please any help will do.
  Thanks in advance

  What are you stuck on? What you have mentioned is possible.
  When you setup FlexConnect and also when AP's night failover, you need to make sure that the WLAN ID are in the same order in bother WLC's. also the AP Groups have the same information and have the same AP Group names and WLAN to vlan mapping. So as long as the WLC's are configured exactly the same except for IP addresses and hostname a, failover for FlexConnect will work fine.
  Now the FlexConnect WLAN to vlan mapping is done on the access point itself. So each AP will have to configured. AP Groups will not help here as you can really just create one since you will have the same WLAN's broadcasting at each site. You can make is simple though:) and this is a good tip.....
  If all your vlans are the same in every site including your DR and BDR, then the WLAN to vlan mapping will use the vlan if you have specified in the the WLAN under the I terrace mapping. So if in your corporate WLAN it is mapped to I terrace vlan 100, all you FlexConnect AP's will have that mapping set to vlan 100. If your guest at WLAN is mapped to vlan 999 interface on the WLC then the FlexConnect WLAN to vlan mapping for the guest will be set to vlan 999.
  Now if you have different vlan id's for each site or it might be the same for some and not the others, well you will have to tough each AP and configure the WLAN to vlan mapping.
  The WLAN to vlan mapping appears only when you have enabled FlexConnect local swit hung in the WLAN and you have the access point in FlexConnect mode.
  Sent from Cisco Technical Support iPhone App

• Flex Connect Across Multiple VLANS same SSID

  I just need to find that if we have flex connect setup for differnet vlans using single controller, will roaming works when client connects to AP in a differnet VLAN but using same SSID.
  Example below:
  1) Client connects to AP on specific SSID mapped to VLAN 100, get an IP address ..all good at this point
  2) Client walks and connects to a differnet AP on same SSID but mapped to VLAN 200...at this point I observe client doesnt get a new IP address in fact it retain IP from step-1 and there is no connectivity
  3) Client walks back to first AP and connectivity is restored
  Why in step-2 client doesnt gets a new IP from VLAN 200 even when it shows connected to AP.

  Just to add to Rasika.... L3 isn't supported....I just ran into this a few days ago.... clients should request another dhcp when roaming to another FlexConnect AP that is mapped to a different VLAN.  The issue is, that some clients don't try to renew their dhcp address and gets stuck with the default 169.x.x.x.  I see this with Apple devices in general and what we are going to do is get rid of the multiple vlan setup (vlan per floor) and create a bigger vlan that the SSID will be mapped to.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Using ISE for guest access together with anchor controller WLC in DMZ

  Hi there,
  I setup a guest WLAN in our LAB environment. I have one internal WLC connection to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal which works fine.
  To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
  As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
  Does anyone know of a better solution for this ? Where to place the ISE for this scenario, etc ?
  Thx
  Frank

  So i ran into a similar scenario on a recent deployment:
  We had the following:
  WLC-A on private network (Inside)
  ISE Servers ISE01 and ISE02 (Inside)
  WLC-B Anchor in DMZ for Guest traffic (DMZ)
  ISE Server 3 (DMZ)
  ISE01 and ISE02 are used for 802.1X for the private network WLAN.
  Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
  The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth.  Since we want to do CWA, we use Mac Filtering with ISE as the radius server.  If you send this traffic RADIUS authentication for Mac Filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to.  Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails.  (This was a limitation of ISE 1.1.  Not sure if this persists in 1.2 or not.
  So what now?  In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentiction from the Foreign controller so that the client will use a DNS of https://ise03.mydomain.com/... to redirect the client to.  Once the session is authenticated, ISE03 will send a CoA back to the foreign which will remove the redirect for the session.  Note, you do have to allow ISE03 to send a CoA.
  In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node.

• WLC user rate limit on guest ssid anchor controller

  Hi,
  I have been looking through the forums & some cisco documents but not found a good example similar to what I am seeking to do so now I am turning to the expertise of my peers.
  We have been deploying 3502 APs remotely to locations with full T1s that backhaul to where I sit at HQ.
  Both the foreign and anchor controller are here at my location.
  I am seeking to rate limit per user the bandwidth each client will get on the guest internet ssid.
  As you know this traffic is encapsulated in capwap between the AP and the controller so I cant use a standard ACL on the switch or router.
  We are trying to keep the guest internet access usage in check on the T1 at any given site so the other ssid's & local lan traffic is not overly competing for the bandwidth.
  I found the place to edit the default profiles in the controller but the documentation really isnt clear on best practices.
  So I put it to you my fellow wireless engineers to suggest how you are implementing bandwidth management on your wireless guest internet.
  Thanks guys!           
  Oh and here is my hardware & software levels.
  5508wlc - forgeign
  4402wlc - anchor
  Software Version
  7.0.230.0

  Amjad,
  Thank you for taking the time to respond as well as the document link.
  It was pretty clear on the steps and what it would impact.
  Two things that push me for a different solution (assuming their is one).
  Note The values that you configure for the per-user bandwidth contracts affect only the amount of bandwidth going downstream (from the access point to the wireless client). They do not affect the bandwidth for upstream traffic (from the client to the access point).
  As you can see from the above note taken out of the linked document the roll based rate limit doesnt really rate limit the T1 traffic any guest user consumes it only limits usage from the AP down to the client.
  #1 I am looking for a solution that limits the users up & down streams (if possible) & also before it leaves the AP for the T1.
  The idea is to limit WAN utilization.
  #2 I read in the forums here others asking about the "user role" and saw some comments saying it is not considered "best practice" to use user roles.
  Let me clarify that our guest ssid's are using the http webpage pass through for authentication and it is really only the tic mark to indicate they understand the terms and conditions of using our internet as a guest service. No actual user accounts are used on the guest ssid's.
  ***One last question about this and any other changes***
  Will any change I make be on the "Foreign, Anchor" or both Controllers?

• Windows 7 client won't connect with 802.1x security

  Having issues connecting a windows 7 dell laptop with cisco unified wireless infrastructure.  Currently running 4 4402 WLCs and 1 wism.  The client in question is trying to connect to an AP that sits on one of the controllers on the wism.  WLC code running is 6.0.199.  If I configure the windows 7 client to an ssid with wpa2 with preshared key it works with no issue.  It's really problematic with 802.1x, wondering if there is addition settings on the adapter in win 7 that I'm missing or have overlooked.
  Thank you in advance for any suggestions to a solution to my problem
  Regards,
  izzy

  Windows is going to want to use the credentials that you login to the machine.  SO if you logged is as "administrator" but you need to authenticated as domain\John.Smith  you need to manipulate the credentials.
  If you are logging in to the machine with valid domain credentiasl though, it becomes a bit more difficult.
  So, is this the only type of machine having an issue?  What is the driver version and chipset type?
  you can run debug client < cliet ma address > and watch what is happening from the controllers persepctive. You can also see what username is being sent to the AAA server.
  Cheers,
  Steve
  If  this helps you and/or answers  your question please mark the question as "answered" and/or rate it, so  other users can easily find it.

• Cisco ISE with Flex Connect ios 7.4

  Hello my name is Ivan
  I have a question:
  Is possible to do a deployment with cisco ise (trust sec 2.0)  and flex connect and web authentication to a cluster of cisco wlc (ios 7.4)?
  There are a features or requeriments to configure this?
  Regards
  Ivan

  By "cluster of cisco wlc" are you referring to the HA features for the 5508?  HA or not should be irrelevant to the configuration of ISE w/ 7.4 WLC on flex connect.
  Configuring CWA (central web auth) via L2/Mac-Filter and RADIUS NAC will require that you have a FlexConnect group built with the desired AP within the group.  You will need to build FlexConnect ACLs and apply them to the FlexConnect group that correspond with the various NAC states the client will be in during the CWA process. 
  You will probably need 1 or 2 Web Policy ACLs
  1. allow traffic to/from dns and ISE PSN
  2. allow traffic to/from dns, ise and other resources (for instance for posturing/remediation)
  Please note that you cannot "dynamically" assign ACLs to FlexConnect APs/Groups as part of the transition from central webauth reqd to RUN.  The WebPolicies ACLs are the only ones that can override (think of them like pre-auth acls).  Once you finally send back the access-accept for the client you can not apply dynamic acls to the particular wlan/vlan.
  For instance if you needed differentiated access on a single network between guest and vendors, you couldn't send an access-accept back with an ACL for vendors vs an ACL for guests - in a FlexConnect environment.  They would have to be placed on separate networks with their respective access.
  It's possible this type of configuration (much desired) will be allowed in 7.5 whenever it rears its head.

• Flex connect with a per user ACL with APs locally switched

  Hi all,
  Does flex connect allow a per user ACL to be downloaded to the session with local switched, central authentication? We are using ISE for the central policy engine and have setup dACL for wired but am about to embark on WLAN. The controller is a 5508 and the. APs are 3700's.
  Second question- if the flex connect APs don't do any form of per user ACL, the other option is to have the units in regular mode where they are both centrally switched and centrally authenticated which I understand to support a per user ACL. Our WAN links are between 10mbps - 30mbps and the most latency would be around 40ms. Will this cause issues at all with the size WAN links and latency?
  Thanks
  Sent from Cisco Technical Support iPad App

  Well you are running v7.6 so FlexConnect per user radius ACL's are supported per this doc since v7.5.
  http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html#anc9
  As far as WAN latency, 200ms is good, but it depends in your WAN utilization now and how many AP's you plan on installing and the increase in wireless traffic across your WAN. There is a minimum requirement, but it's up to you in the end to make sure you have enough bandwidth or else you will need to QoS the capwap traffic to ensure the APs don't bounce from connected to stand alone.
  Sent from Cisco Technical Support iPhone App