Converged ACCESS CWA

Hi
I'm doing CWA with my 3850 WLC, but the client seems to be stuck in "WEBAUTH_PEND" on the WLC client list.
It all looks OK in the ISE logs, and in the client detail I can see that it has gotten the redirect URL, but nothing is happening.
Can someone give me some ideas on where I should look?

See if these links help
https://supportforums.cisco.com/document/147096/converged-access-%E2%80%93-configure-ssid-central-web-authentication-cwa-using-ise-catalyst
HTH
Rasika
*** Pls rate all useful responses ***

Similar Messages

  • Converged Access Design Help (Catalyst 3850 and WLC 5508...Mobility Oracle)

    Hello,
    I am an engineer working with a Cisco Gold Partner in Saudi Arabia. We have a large university as our client where they are constructing a new
    building and require our services to build the network infrastructure. Therefore, we are to implement the routing and switching infrastructure as
    well as the Wireless solution.
    At present, I have no issues in implementing the R&S infrastructure as it is very straightforward, but it has implications on the deployment of
    the wireless solution which I explain further below. The R&S infrastructure comprises the typical Core, Distribution, and Access layers and we
    are focusing on the local distribution and access switches with regards to the new building. The client has a converged Layer 3 network spanning
    from distribution layer to core layer and they are running EIGRP for this convergence. This is not a problem and has already been implemented.
    Yet, the challenge arises in deploying the WLAN infrastructure. The client already has a Cisco WLAN infrastructure in place where they have a
    large number of LAPs that are registered with their controllers in the Data Center. They have two WLC 5508 where one is the Primary and the other
    the Secondary. The local distribution switch to which the WLC are connected also is the gateway for the SVIs for the SSIDs that are configured on
    the controllers. This means that once the packets from the AP come in to the WLC, they are tagged with the correct VLAN and sent to the directly
    connected distribution switch which then routes it into the rest of the Layer 3 network. Interestingly, the WLC 5508 are running AireOS 7.6 and
    support the "New Mobility" feature. The two controllers have formed a Mobility Group (MG) between each other.
    Now, the new building will have two Catalyst 3850 switches installed where each one has a total of 40 AP licenses pre-installed and activated
    i.e. a total of 80 APs can be supported by the two switches. A total of 67 LAPs will be deployed in the new building which can be accommodated
    between the two switches and their integrated controller.
    Yet, based on my understanding and research about Converged Access, ideally the Catalyst 3850 will only run the Mobility Agent (MA)
    feature while a central controller would provide the Mobility Controller (MC) service. Unfortunately, there are not enough licenses on the
    existing WLC 5508 nor can we migrate the new licenses that will facilitate such a split deployment.
    This means that I would need to configure the two Catalyst 3850s as independent MCs and form an MG between them. I have done this and tested this
    already and the mobility is working fine. But my concern is not about getting the Catalyst 3850 to work as this is simple but rather it is
    focused on creating a common Mobility Domain (MD) so that clients can roam from this new building to the rest of the campus while maintaining the
    state of their connections to the WLAN infrastructure.
    To make things more complicated, since the new building will have its own Layer 3 distribution switch and the Catalyst 3850 switches will connect
    to this distribution switch, it means that new VLANs and SVIs need to be created for the SSIDs broadcast in the new building. This means that new
    subnets need to be assigned to the SSIDs.
    As such, I have the following questions:
    Q1) If we create new SVIs for the SSIDs (same SSIDs names will be used in the new building as in the rest of the university campus) this means
    that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s to be in the same MG
    as the existing WLC 5508 which then caters for Layer 3 client roaming, or I have to treat this as a totally separate WLAN network and follow on to
    the solution as per the next question. Please advise which is a better option?
    Q2) I could create separate MG i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can
    then have one of the existing WLC 5508 (the primary one) to run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD).
    Would this facilitate in Layer 3 client roaming and RRM for all the controllers in the same MD?
    Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
    Please advise at your earliest. To assist further, I have attached a topology diagram which may aid in explaining the situation with more
    clarity. If these things are clarified, I will be better able to wrap my head around the technology and in turn service my clients better.
    Regards,
    Amir

    Hi Amir,
    Q1) If we create new SVIs for the SSIDs (same SSIDs names will be used in the new building as in the rest of the university campus) this means that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s to be in the same MG as the existing WLC 5508 which then caters for Layer 3 client roaming, or I have to treat this as a totally separate WLAN network and follow on to the solution as per the next question. Please advise which is a better option?
    I would configure them in the same mobility group. Also configure same SPG for those two 3850 stacks if users are frequently roaming within these two buildings.
    Q2) I could create separate MG i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can then have one of the existing WLC 5508 (the primary one) to run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD). Would this facilitate in Layer 3 client roaming and RRM for all the controllers in the same MD?
    MO is not required (it is only for very large scale deployments)
    Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
    Yes, documents are hard to find :(
    These notes may be useful to you based on my experience. I am running IOS-XE 3.6.1 in my production.
    http://mrncciew.com/2014/05/06/configuring-new-mobility/
    http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • Has anyone deployed converged access with 3850 switches and 5760 WLCs?

    Has anyone deployed a converged access network architecture with 3850 switches and 5760 WLCs? I have done lots of projects with the 5508 WLCs In a centralized deployment. Basically with this design, I manage 2 logical networks as the wireless network is an overlay over the wired network. I can design firewall to segregate traffic between the wired and wireless hence I can carry both staff and guest traffic.
    Now Cisco is telling us that there is a new design such that the data plane traffic can be dropped locally through the 3850 switches. I am not sold on this and have not found any recommended best practices on when we should use a converged access architecture.
    Pros
    With converged access, data traffic is terminated at the MA which is on the switches, hence the WLC will not be a bottleneck? This is to prepare adoption for 802.11ac?
    Less hops for voice calls from user A to user B as data control traffic is dropped locally.
    Cons
    Now how do I segregate guest and staff traffic if my security folks say I need a firewall?
    Troubleshooting wireless client mobility will be a nightmare as the 3850 switches are MA.
    Pushing and upgrading code for the Code will mean upgrading the stack of switches in the LAN riser. This will be painful in a huge campus environment like a university.
    Can someone convince me why would a customer choose converged access?

    They choose CA because of the CAPWAP termination at the switch. You can still use a 5508 and tunnel guest to a DMZ segment if you wish. You will need a 5508 though if you want to tunnel traffic to an anchor WLC.

  • ISE Auth Policy with Converged Access

    Hi
    I'm setting up a Dot1X authentication using ISE 1.3 and 5760/3850 WLAN controllers. The problem is that I'm not able to match my authentication policy defined on ISE. It jumps directly to the default policy; I'm using Called Station ID = SSID but it is not able to match this.
    I have configured this before on WLC AireOS but not with converged access. Is there something that needs to be done on the 3850 WLC to send this info to ISE?

    Yes, I can see that everything is working, with certificate and other stuff. It is only that it is not matching the SSID.
    I have tried different ways to do the SSID filtering:
    NAS Port ID Equals SSID,
    Called Station ID Equals SSID
    But none of these work. Does anyone know if I have to do something different when doing this setup through converged access?

  • 5508 to 5760 w/3850. Migrating from CUWN to Converged access.

    Hi!
    I have a 5508 WLC managing APs in local and flexconnect mode in the current environment. 
    There's a plan to migrate to converged access using 5760 WLC w/HA as MC, 3850 as MA and keep the 5508 as N+1 controller enabling new mobility. 
    It will look like this:
    1 MC 5760 w/HA
    10 3850 as MA
    1 5508 as N+1 (managing flexconnect APs and backup if the 5760 pair fails)
    The questions I have:
    1. After enabling new mobility in the 5508.
    Will I still be able to use flexconnect mode for the remote locations? I know the 5760 doesn't support flexconnect mode, but I'm not sure if the flexconnect feature is not supported in a converged access deployment.
    2. Will I be able to manage and configure everything in the 5760 (MC) and the WLC will push the configurations, WLANS, settings, etc to the 3850s (MA)? Or do I also need to configure WLANS, etc on each individual 3850?
    3. Current license count in the 5508 is at 350 APs.
    The new deployment will have 10 3850s with 5 AP licenses per switch and the 5760 will come with 25 AP licenses. That's a total 75 AP licenses. 
    I would need to purchase 225 additional licenses on the 5760 to make a total of 350 AP licenses.
    Will I be able to move the switches' AP licenses to the 5760 to make 350 AP licenses? 
    The plan is to keep the 5508 as a staging controller to move the APs in the event of a FW upgrade in the 5760.

    First of all, 5760 & 5508 AP firmware are not the same. So failing over between these two WLCs will be the same as doing AP fail over between two 5508s having different software versions (i.e. the AP has to download the image & reboot every time). Also I would suggest you start this migration step by step as you need to be familiar with this converged access setup (how it works & how to troubleshoot issues). I would set up the 5760 & move one building's APs to this CA & monitor it for 2-3 months & then move on.
    Here are the answers to the other queries you have.
    1. After enabling new mobility in the 5508.
    Will I still be able to use flexconnect mode for the remote locations? I know the 5760 doesn't support flexconnect mode, but I'm not sure if the flexconnect feature is not supported in a converged access deployment.
    Yes, the 5508 supports FlexConnect irrespective of whether the "new mobility" feature is enabled or not. Here is how you configure new mobility & peer a 5760 to a 5508. You need to have 7.6.x or 8.x code on your 5508 to do this.
    http://mrncciew.com/2014/05/06/configuring-new-mobility/
    2. Will I be able to manage and configure everything in the 5760 (MC) and the WLC will push the configurations, WLANS, settings, etc to the 3850s (MA)? Or do I also need to configure WLANS, etc on each individual 3850?
    I do not think you can do this yet; Cisco will make this happen in future. So you have to configure each & every MA identically. If you have Prime, then from IOS-XE 3.7.x onward it supports template configuration. But IOS-XE 3.7 is recently released, so stability cannot be guaranteed. (I am using 3.6.1E in my production.) The post below will give you some starting point on this configuration.
    http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
    3. Current license count in the 5508 is at 350 APs.
    The new deployment will have 10 3850s with 5 AP licenses per switch and the 5760 will come with 25 AP licenses. That's a total 75 AP licenses.
    I would need to purchase 225 additional licenses on the 5760 to make a total of 350 AP licenses.
    Will I be able to move the switches' AP licenses to the 5760 to make 350 AP licenses?
    In the CA setup, a licence is only required at the MC, not on the MAs. It is a right-to-use license model & Cisco trusts that what you configure is what you purchased (no license key/serial number like in 5508/2504/etc). Refer to this for some detail
    http://mrncciew.com/2013/12/12/getting-started-with-5760/
    As said earlier, start on a small scale & get familiar with the new setup; my blog may give some other useful posts on this converged access.
    Let us know if you have further queries on this & happy to help
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Converged access

    Hi 
    I'm about to set up a converged access solution with WLC 5760 as MC and several 3850s as MA. It is not clear to me what needs to be configured on the MC and what needs to be configured on the MAs.
    I know that each MA has to be configured with the WLAN configuration, but what about things like security profiles, ACLs, RADIUS? Does anyone have good documentation explaining this?

    Hi
    Below should help you to start with basic peering between MA & MC
    http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
    WLAN configuration to be done on MA
    http://mrncciew.com/2013/12/04/wlan-config-in-3850-part-1/
    http://mrncciew.com/2013/12/06/wlan-config-with-3850-part-2/
    The posts below should also help you with 5760/3850 basic configs
    http://mrncciew.com/2013/12/12/getting-started-with-5760/
    http://mrncciew.com/2013/09/29/getting-started-with-3850/
    http://mrncciew.com/2013/12/16/configuring-radius-on-5760/
    Also this thread listed some useful documentation about CA.
    https://supportforums.cisco.com/discussion/11984726/converged-access-design-information
    HTH
    Rasika
    **** Pls rate all useful responses ***

  • ISE - Branch Wired Design - Non-Converged Access - Best policy on the switch??

    Hello,
    I would like to understand what the most suitable solution would be in an ISE architecture when the PSN server is on the central site and my remote site has no PSN and no converged access equipment.
    What happens if my link between the central site and the remote site is down? In this case, which policy should I put on my remote switch?
    1/ Check various policies (dot1x -> MAB -> Web-auth), then don't block the port but just send a message to the administrator.
    2/ Put an ACL on the site router.
    3/ ?? other idea
    What would be the most suitable policy?
    Tks a lot
    bye

    https://supportforums.cisco.com/discussion/11602321/ise-nad-radius-fail-open

  • Converged Access MA and MC licensing

    Hello all,
    One question regarding the licensing for converged access. If I understand it correctly, then when I have a deployment in which I already have a WLC (mobility controller) and I deploy a 3650/3850 switch as a mobility agent, the AP count licensing needs to be maintained on the MC (WLC) and I don't need AP count licences on the MA (3650/3850)?
    Then the only thing I need is to point the MA to the MC IP address and I gain the benefits of converged access architecture (CAPWAP termination ...)?
    Thank you.
    Marek

    I probably found the answer in this document:
    http://www.cisco.com/c/en/us/products/collateral/wireless/5700-series-wireless-lan-controllers/qa_c67-726397.html
    Q. Do I need a wireless access point license on both the mobility agent and the mobility controller?
    A. The license to manage access points is only needed on the mobility controller.
    Marek

  • Converged access question

    I want to use the Cisco 3850 switches to manage my APs at our remote locations. Most of the remote locations will use less than 50 APs, so I would only need one MC at each location. There will be a few locations that will have about 75 APs each. So am I better off using a different controller or using two 3850s set up as MCs?
    Currently I have two 5508s in our core in a centralized configuration and plan to move them into the DMZ to be anchor controllers. I have two data centers, each with an internet connection in a disaster recovery configuration. So one controller will be in each location. I thought that maybe I could buy another controller and put that in the data center as an MC, but was not sure if that would be best or whether to stick with the MCs at the remote sites instead.
    Thank you for the input.

    The current release for the 3850 is 3.3, and it does not support the 3700 series of AP, so the 3850 would not be able to terminate the CAPWAP tunnel
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3se/release_notes/OL_30562_01.html#wp149415
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • 2504 with new-architecture enabled breaks MAC auth for guest access

    Hello,
    We have (2) 2504 WLCs running version 7.6.120. WLC1 is the local controller and WLC2 is an anchor controller for guest access. We need to incorporate a 3850 for use with the WLC2 anchor. The guest access is currently working with MAC-Auth and MAC-Auth-Fail to Web-Auth.
    When converged access is enabled on WLC1 and WLC2, the MAC-Auth no longer works. That is, the previously authenticated user is now redirected to the Web-Auth page. The local controller shows the user as authenticated but the anchor controller shows the state as Web-Auth-REQD.
    Rolling back using "config mobility new-architecture disable" and rebooting resolves the issue.
    Does anyone know what changes from the old to the new that would break this mac-auth/web-auth configuration?

    You should reach TAC for this sort of issue. Not many people are deploying this CA setup yet & you may not get direct feedback immediately.
    HTH
    Rasika

  • Use of 5508 WLC across the WAN as MC for unified access

    I came across a remark that the Cisco 5508 cannot be used for an MC role/functionality across the WAN for Cisco 3850/3650 switches in the branch locations (acting as MA). The reason was some 10 ms transit time limit, but I could not find any such mention in any of the documentation. Does any user have some link to this or perhaps practical implementation experience?

    From a CA design perspective, it makes no sense to put an MC at a central office for branch MA switch stacks. Typically at a branch you may have 1 SPG & you are better off having MA/MC functionality within the same SPG.
    If you have more than one SPG at your branch, then it is a good idea to have a discrete controller at the branch to do MC functionality (inter-SPG roaming to be handled by the MC). Instead, if you keep the MC at the central office, these user roaming decisions will take an unacceptable amount of time depending on the WAN link propagation delays.
    Refer BRKCRS-2889-Converged Access System Architecture
    Here are two snapshots from above presentation to explain this
    HTH
    Rasika
    Pls rate all useful responses ****

  • Access with ISE server dead

    Hello there,
    I'd like to know how to give access to users when ISE is dead.
    I'm asking that because I'm using a pre-authentication ACL, so even with the command authentication event server dead action authorize vlan XX the access will be limited, won't it?
    My pre authentication acl allow access only to ISE, DNS and DHCP requests.
    Regards.

    Andre-
    I am afraid you don't have many options here. I have faced this problem before during my deployments. The problem is that ISE is needed in order to signal the switch to remove the pre-auth ACL by applying a dACL. However, since ISE is not available, the switch can authorize the endpoints to a VLAN but now you need another method to remove the pre-auth ACL. In the past I have accomplished this via one of the following:
    1. EEM script that re-configures the switch and sets the pre-auth ACL to "permit ip any any" (or removes the pre-auth ACL altogether) when/if the ISE servers become unavailable. I thought this feature required IP Services but looking at the following doc it looks like you could do it with IP Base too. I guess you can give it a try and see what happens :)
    http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-software-releases-12-2-special-early-deployments/product_bulletin_c25-614546.html
    eem script example:
    http://www.alcatron.net/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/Security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.pdf
    2. The second method requires a converged access switch (3850, 3650). Those switches can be configured with profiles where the pre-auth ACL can be replaced with a critical ACL in the event of an ISE outage. 
    I hope this helps!
    Thank you for rating helpful posts!
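    As an added illustration of option 2 above (not from the original post or from Cisco's documentation), here is an IBNS 2.0 style configuration for a Catalyst 3650/3850 in which the pre-auth ACL is swapped for a critical-auth service template when RADIUS times out, and the session is cleared again when ISE comes back. The ACL and template names, VLAN 10, GigabitEthernet1/0/1 and the ISE address 10.0.0.5 are placeholders.

    ```cisco-ios
    ! Added example: critical authentication on a converged access switch.
    ! Names, VLAN IDs, the interface and the ISE address are assumed placeholders.

    ! Mark the RADIUS server dead after 3 unanswered tries within 5 seconds,
    ! so the aaa-timeout result is raised quickly.
    radius-server dead-criteria time 5 tries 3
    radius-server deadtime 10

    ! Pre-auth ACL: only DHCP, DNS and ISE are reachable before authorization.
    ip access-list extended ACL-PREAUTH
     permit udp any any eq bootps
     permit udp any any eq domain
     permit ip any host 10.0.0.5
     deny   ip any any

    ! Critical ACL applied in place of ACL-PREAUTH while ISE is unreachable.
    ip access-list extended ACL-CRITICAL
     permit ip any any

    ! Service template: replaces the port ACL and assigns the critical VLAN.
    service-template CRITICAL_AUTH_ACCESS
     access-group ACL-CRITICAL
     vlan 10

    ! Hosts whose authentication ended in a RADIUS timeout.
    class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
     match result-type aaa-timeout
     match authorization-status unauthorized
    class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
     match result-type aaa-timeout
     match authorization-status authorized
    ! Sessions currently running on the critical template.
    class-map type control subscriber match-all IN_CRITICAL_AUTH
     match activated-service-template CRITICAL_AUTH_ACCESS

    policy-map type control subscriber PMAP_CRITICAL_AUTH
     event session-started match-all
      10 class always do-until-failure
       10 authenticate using dot1x retries 2 retry-time 0 priority 10
     event authentication-failure match-first
      ! ISE down, host not yet authorized: grant critical access, hold reauth.
      10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
       10 activate service-template CRITICAL_AUTH_ACCESS
       20 authorize
       30 pause reauthentication
      ! ISE down, host already authorized: keep the existing authorization.
      20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
       10 pause reauthentication
       20 authorize
     ! ISE back: drop critical sessions so they re-authenticate normally.
     event aaa-available match-all
      10 class IN_CRITICAL_AUTH do-until-failure
       10 clear-session

    interface GigabitEthernet1/0/1
     switchport mode access
     ip access-group ACL-PREAUTH in
     access-session port-control auto
     dot1x pae authenticator
     service-policy type control subscriber PMAP_CRITICAL_AUTH
    ```

    The `clear-session` on `aaa-available` is the part worth keeping: without it, endpoints stay on the wide-open critical ACL until their next reauthentication even after ISE is reachable again.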

  • WLC 8500 and converged wireless

    Hello all,
    Are there any plans to support the "converged wireless access mode" on the 8500 controllers ?
    Don't want to buy this $$$ controller to throw it away in a couple of months when 3850 switches will start appearing and require local termination...
    BTW: will the 3850 ever support just plain pass-through for wireless ? The local termination is a PITA because i will need to replace my wifi APs at the same time i replace my access switch since current APs are not supported on 3850
    regards,
    Geert

    The Cisco 5760 WLC and Cisco Catalyst 3850 are both based upon the same innovative UADP ASIC that enables uncompromised wireless performance with advanced services.
    This ASIC is capable of terminating CAPWAP tunnel, which provides line-rate performance regardless of packet size, encryption, enforcement of security and QoS policies, and advanced visibility through Flexible NetFlow v9.
    The Cisco 5760 WLC can operate in centralized mode (also known as local mode) as well as converged access mode, whereas the Cisco Catalyst 3850 operates in converged access mode. At this time, there is no support for OfficeExtend access points, indoor or outdoor mesh, or FlexConnect access points on the Cisco 5760 WLC and Cisco Catalyst 3850. You can set up mobility between IOS and AireOS.

  • How to Configure MS Office Communication Server 2007 with WebCenter Spaces?

    Hello All,
    Has anyone successfully configured MS Office Communication Server (OCS 2007) with WebCenter 11g Spaces?
    I have installed the RTCServices on the MS OCS server, and all the services and WSDLs are accessible. The IM is working with MS Communicator and also Communicator Web Access (CWA). The WebCenter administrator guide does not have any configuration information about how to use the RTCServices (extracted from Oracle's owc_lcs.zip, part of the Oracle Fusion Middleware Companion 11g).
    In the EM's webcenter control -->Settings -->Service Configuration, I tried to create a new IM service and an External Application but not sure what the URL to use.
    If anyone have a successful OCS 2007 integration, could you please share your configuration steps?
    Thanks,
    Johnny

    Hi,
    I am also facing the same issue, not sure about what URL to use. And also the login web service doesn't work while I am testing using http://localhost:81/RTC/RTCService.asmx. It always throws the following error:
    " Unable to cast COM object of type 'RTCLib.RTCClientClass' to interface type 'RTCLib.IRTCClient'. This operation failed because the QueryInterface call on the COM component for the interface with IID '{07829E45-9A34-408E-A011-BDDF13487CD1}' failed due to the following error: No such interface supported (Exception from HRESULT: 0x80004002 (E_NOINTERFACE))."
    Does the current owc_lcs.zip support MS Office Communication Server 2007?
    Please share the configuration step if anyone already integrated OCS 2007.
    Thanks,
    -Mukesh.

  • Design Controller 5508 & 5760 Compatibility - N+1

    Hello,
    I've a 5508 WLC and am adding a new 5760.
    I know it's possible for these 2 to be in the N+1 model (version 7.6).
    If the 5508 or 5760 goes down, the APs previously associated with the failed controller need to re-download the image to join the active controller.
    Is this image-reloading constraint expected to change? If yes, when?
    Is this still a Cisco Validated architecture?
    Tks a lot.
    Bye.
    David

    Unfortunately the 5760 & 5508 AP images are not exactly the same. So if a fail-over occurs, the AP has to re-download the image.
    Yes, this has to be fixed, but not sure when.
    Also there is no CVD for anything related to converged access, very bad indeed
    HTH
    Rasika
    **** Pls rate all useful responses ****
