Dynamic Interfaces to a WLAN in an AP Group?

Similar Messages

• Adding (dynamic) interfaces to WLC 2504 causes loss of network

  I'm trying to add a new dynamic interface, that I will tie a specific WLAN to so that clients on that WLAN is in the correct vlan. After adding it I loose connectivity both to the main management address (10.99.0.60) and to the ip address of the dynamic interface (10.99.12.4). In fact, the dynamic interface address responds and prompts me to login, but after doing so all I get is a blank page. Here's the two interfaces pulled from the CLI - what am I doing wrong?
  And oh, not adding an IP to the dynamic interface makes it impossible to use within a WLAN.
  Interface Name................................... management
  MAC Address...................................... c0:8c:60:c7:99:00
  IP Address....................................... 10.99.0.60
  IP Netmask....................................... 255.255.255.0
  IP Gateway....................................... 10.99.0.1
  External NAT IP State............................ Disabled
  External NAT IP Address.......................... 0.0.0.0
  VLAN............................................. 31        
  Quarantine-vlan.................................. 0
  Active Physical Port............................. 1         
  Primary Physical Port............................ 1         
  Backup Physical Port............................. Unconfigured
  DHCP Proxy Mode.................................. Global
  Primary DHCP Server.............................. 10.99.0.1
  Secondary DHCP Server............................ Unconfigured
  DHCP Option 82................................... Disabled
  IPv4 ACL......................................... Unconfigured
  mDNS Profile Name................................ Unconfigured
  AP Manager....................................... Yes
  Guest Interface.................................. No
  L2 Multicast..................................... Enabled
  Interface Name................................... lan
  MAC Address...................................... c0:8c:60:c7:99:04
  IP Address....................................... 10.99.12.4
  IP Netmask....................................... 255.255.252.0
  IP Gateway....................................... 10.99.12.1
  External NAT IP State............................ Disabled
  External NAT IP Address.......................... 0.0.0.0
  VLAN............................................. 33        
  Quarantine-vlan.................................. 0
  NAS-Identifier................................... mob-wlc
  Active Physical Port............................. 1         
  Primary Physical Port............................ 1         
  Backup Physical Port............................. Unconfigured
  DHCP Proxy Mode.................................. Global
  Primary DHCP Server.............................. Unconfigured
  Secondary DHCP Server............................ Unconfigured
  DHCP Option 82................................... Disabled
  IPv4 ACL......................................... Unconfigured
  mDNS Profile Name................................ Unconfigured
  AP Manager....................................... No
  Guest Interface.................................. No

  So take a look at this. I have the dynamic interface used in wlan 2 (mytestssid as shown above). Now the management address, 10.99.0.60 cant be reached:
  Nmap scan report for 10.99.0.60
  Host is up.
  PORT    STATE    SERVICE
  22/tcp  filtered ssh
  443/tcp filtered https
  After removing wlan 2 and the dynamic interface, mgmt access starts to work again:
  config wlan disable 2
  config wlan delete wlan 2
  config interface delete lan
  Nmap scan report for 10.99.0.60
  Host is up (0.0037s latency).
  PORT    STATE SERVICE
  22/tcp  open  ssh
  443/tcp open  https
  So... here's me adding the dynamic interface in cli AGAIN:
  WLAN ID  WLAN Profile Name / SSID               Status    Interface Name
  1        someotherssid / someotherssid              Enabled   management  
  (Cisco Controller) config> interface create lan 33
  (Cisco Controller) config> interface address dynamic-interface lan 10.99.12.4 255.255.252.0 10.99.12.1
  (Cisco Controller) >config wlan disable 1
  (Cisco Controller) >config wlan interface 1 lan
  (Cisco Controller) >config wlan enable 1
  Voila, management access lost again:
  Nmap scan report for 10.99.0.60
  Host is up.
  PORT    STATE    SERVICE
  22/tcp  filtered ssh
  443/tcp filtered https
  This time, there's no physical port assigned to the dynamic interface 'lan':
  Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
  lan                              -    33       10.99.12.4      Dynamic No     No   
  management                       1    31       10.99.0.60      Static  Yes    No   
  virtual                          N/A  N/A      1.1.1.1         Static  No     No   
  Adding that:
  (Cisco Controller) config interface port lan 1
  Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
  lan                              1    33       10.99.12.4      Dynamic No     No   
  Still no management access..:
  Nmap scan report for 10.99.0.60
  Host is up.
  PORT    STATE    SERVICE
  22/tcp  filtered ssh
  443/tcp filtered https
  For reference, the detailed interface config (which clearly shows that 'management' should be ap mgmt.. and dynamic interface 'lan' shouldn't (and thus shouldn't affect it - RIGHT?)):
  Interface Name................................... lan
  MAC Address...................................... c0:8c:60:c7:99:04
  IP Address....................................... 10.99.12.4
  IP Netmask....................................... 255.255.252.0
  IP Gateway....................................... 10.99.12.1
  External NAT IP State............................ Disabled
  External NAT IP Address.......................... 0.0.0.0
  VLAN............................................. 33        
  Quarantine-vlan.................................. 0
  NAS-Identifier................................... mob-wlc
  Active Physical Port............................. 1         
  Primary Physical Port............................ 1         
  Backup Physical Port............................. Unconfigured
  DHCP Proxy Mode.................................. Global
  Primary DHCP Server.............................. Unconfigured
  Secondary DHCP Server............................ Unconfigured
  DHCP Option 82................................... Disabled
  IPv4 ACL......................................... Unconfigured
  mDNS Profile Name................................ Unconfigured
  AP Manager....................................... No
  Guest Interface.................................. No
  Interface Name................................... management
  MAC Address...................................... c0:8c:60:c7:99:00
  IP Address....................................... 10.99.0.60
  IP Netmask....................................... 255.255.255.0
  IP Gateway....................................... 10.99.0.1
  External NAT IP State............................ Disabled
  External NAT IP Address.......................... 0.0.0.0
  VLAN............................................. 31        
  Quarantine-vlan.................................. 0
  Active Physical Port............................. 1         
  Primary Physical Port............................ 1         
  Backup Physical Port............................. Unconfigured
  DHCP Proxy Mode.................................. Global
  Primary DHCP Server.............................. 10.99.0.1
  Secondary DHCP Server............................ Unconfigured
  DHCP Option 82................................... Disabled
  IPv4 ACL......................................... Unconfigured
  mDNS Profile Name................................ Unconfigured
  AP Manager....................................... Yes
  Guest Interface.................................. No
  L2 Multicast..................................... Enabled
  By the way, the switchport of my (C3560G) doesnt specifically allow some VLANs - meaning they allow all vlans:
  interface GigabitEthernet0/28
   description cisco_wlc
   switchport trunk encapsulation dot1q
   switchport mode trunk
  And the vlans in question are present:
  31   enet  100031     1500  -      -      -        -    -        0      0   
  32   enet  100032     1500  -      -      -        -    -        0      0   
  33   enet  100033     1500  -      -      -        -    -        0      0   
  34   enet  100034     1500  -      -      -        -    -        0      0   

• Force WLAN client to renew ip on WLC with dynamic interfaces

  Hi there
  we would like to have a "two tier" authentication for the corporate WLAN clients:
  Requirements
  1. Machine Authentication
  The client gets machine authenticated based on the machine account in the Active Directory with PEAP. At this stage, the client will get a IP from VLAN A. VLAN A has limited access to the corporate infrastructure (DNS, AD, some volumes / shares, and so on). The filtering is done with an IP access list on the layer 3 VLAN interface on the core switches.
  2. User Authentication
  The users logs in on the client and gets user authenticated based on his user account in the Active Directory with PEAP - only users with a valid Machine Access Restriction (MAR) are allowed to login. Now the client is moved to another VLAN B. VLAN B has full access to the corporate infrastructure, here is no IP access list.
  Infrastructure
  We have the following:
  2 x WLC 5508 with 7.3.101.0
  2 x ACS 5.3.0.40.6
  Problem
  Now we have the problem, that the Windows client sometimes takes up to 3 minutes to connect to the WLAN after the users loggs in. In the debug, I can see that this happens because the client is stuck in DHCP renewal:
  1. After the machine has been authenticated it has an IP assigned from VLAN A. This works pretty well if the client gets rebooted.
  2. If the user loggs in the first time after the reboot, the users gets connected within 10 seconds, what is pretty good. The client has now an IP in VLAN B.
  3. Now the user logs out of Windows and I can see in the debug, that the client is putted into VLAN A (machine authentication) again, but the client still tries to DHCPREQUEST the IP address from VLAN B (user authentication). Because this request is sent out on the wrong dynamic interface on WLC, the DHCPREQUEST is not acknowleged an the client get stuck in this situation.
  4. If the user or another users logs in again shortly after the logout, the client still tries to DHCPREQUEST the IP of VLAN B and now the "3 times DHCP failure on WLC" comes into play, because WLC thinks that the DHCP server is not reachable -> but it only does not answer a wrong DHCPREQUEST.
  Question
  On ISE there is a way to force the client to renew the DHCP address (via CoA, but this has its limitations too --> need to install Active X or Java applet). I think there is now way to force the client to renew its IP with ACS, but my question is, is there a workaround and are there any others, that maybe already solved this problem?
  Alternative
  If there is now way to bring this to work with two different VLAN's, I could try to realize this with only one VLAN. After the machine authentication I could apply a WLC ACL to restrict access to the corporate infrastructure. If the user authentication happens, I could "remove" this ACL to grant full access for this user / client. But I am still interested in the other solution ;-)
  Thanks in advance for any advise and best regards
  Dominic

  Your second option is what you should do. Changing the vlan on a client that already has an IP address especially on wireless will not know it has been put in a different vlan and that's why it breaks. If There was a way to change the vlan and send something to the WLC to disassociate the client, that might work.
  Sent from Cisco Technical Support iPhone App

• WLC Dynamic Interface

  I wonder why we need Dynamic Interfaces. I have created two WLANs. One is WPA2-Enterprise obtaining vlan id's per user from Radius server and the other WEP wlan for guest users whose traffic should go to a specific guest vlan. I am using an external DHCP server and configured WLC not to proxy dhcp requests and to act as a bridge.
  I had to create dynamic interfaces on WLC (we are using 5508 with software version 7) for all the VLANs which radius server returns. I could make it with only defining the dynamic interfaces and entering 0.0.0.0 for ip addresses.
  For the other WLAN with WEP, I have to enter and IP for the dynamic interface to work. I am not sure if this is a requirement or my misconfiguration, but I do want a way not to set an IP address for the dynamic interface. I do not want to waste addresses and also do not want the clients to be able to access wlc through that IP address.
  I appreciate any comment on why I need IP addresses for dynamic interfaces.

  Vadood... The WLC does use that IP address as it needs to have layer 2 connection to any subnet it will place users on. Even is your doing AAA override, the radius tell the WLC that that device needs to be on vlan x and the WLC will put that device on vlan x, but if the WLC has no IP address on that subnet, well then the communication stops there. The user will never get an IP address if using dhcp or if the device has a static, the WLC has no way to communicate to that subnet.
  By the way, users can't access the dynamic interface by default. You have to enable that. But then again, they can try to access the management interface also, unless you disable globally management over wireless.
  Sent from Cisco Technical Support iPhone App

• WLC2504 - Dynamic interface problem

  Hi,
  I have problem with my WLC2504. My WLC is  connected through two ports (1 and 2 of four) to my distro switch, where  I have dot1q trunks configured. WLC is configured with Management interface  (IP address 192.168.255.9/24), over which my  LAPs are correctly joined.  However, once I'm trying to add additional Dynamic WLC interface, which  has VLAN TAG 10 and which I'd like to associate with my WLANS, my WLC  stop responding through GUI and SSH, but pings on the management and dynamic interface IP addresses are sucesfull. Just as a note, dynamic AP management is not enabled on mentioned dynamic interface. In a case when I enable dynamic AP management on the dynamic interface (activated also on management interface), GUI and SSH work, but I can not associated WLAN to the dynamic interface, only to the management one
  Thanks for soon answer
  palo73

  The management interface is the default interface for in-band management of the controller and connectivity to enterprise services such as AAA servers. The management interface is also used for communications between the controller and APs. The management Interface is the only consistently "pingable" in-band interface IP address on the controller. The management interface will act like an AP manager interface by default.
  The dynamic interface with the “Dynamic AP Management” option enabled on it is used as the tunnel source for packets from the controller to the AP, and as the destination for CAPWAP packets from the AP to the controller. The dynamic interfaces for AP manager must have a unique IP address. Typically, this is configured on the same subnet as the management interface, but this is not necessarily a requirement. In the case of the Cisco 2500 Series Wireless Controller, a single dynamic AP manager can support any number of APs. However, as a best practice, it is suggested to have 4 separate dynamic AP manager interfaces and associate them to the 4 Gigabit interfaces. By default, the management interface acts like an AP-manager interface as well and it is associated to one Gigabit interface. As a result, if you are using the management interface, you need to create only 3 more dynamic AP manager interfaces and associate them to the remaining 3 Gigabit interfaces.
  The virtual interface is used to support mobility management, DHCP relay, and embedded layer 3 security like guest web authentication and VPN termination. The virtual interface must be configured with an unassigned and unused gateway IP address. A typical virtual interface is 1.1.1.1. The virtual interface address is not pingable and should not exist in any routing table in your network.
  Dynamic interfaces are created by users and are designed to be analogous to VLANs for wireless LAN client device. The Cisco 2500 Series Wireless Controller will support up to 16 dynamic interfaces. Dynamic interfaces must be configured on a unique IP network and VLAN. Each dynamic interface acts as a DHCP relay for wireless clients associated to wireless LANs (WLANs) mapped to the interface. A WLAN associates an SSID to an interface and is configured with security, QoS, radio policies, and other wireless network parameters. There can be up to 16 WLANs configured per controller.
  Guidelines for Deploying the Cisco 2500 Wireless Controller
  Ethernet ports on Cisco 2500 Series Wireless Controllers do not work as Switch ports (that is, 2 machines directly connected to these ports will not be able to communicate with each other). You should not connect servers like DHCP, TFTP etc. on these ports and expect Wireless Clients and APs to receive an IP address from this DHCP server.
  Ethernet ports on the Cisco 2500 Series Wireless Controller should only be used to connect/uplink to an infrastructure network configured as a data interface (management interface and dynamic interfaces) or an AP-managers interface.
  If multiple Ethernet ports on a Cisco 2500 Series Wireless Controller are uplinked to an infrastructure switch, you should make sure data interfaces (management or dynamic interfaces) or AP-managers interfaces are configured for these uplinked physical ports. Physical Ethernet ports which are used as an uplink to an infra switch should not be left un-configured. This may result in unexpected behaviors.
  Multicast unicast is not a supported configuration on Cisco 2500 Series Wireless Controller. As a result, HREAP APs are not able to receive multicast traffic because HREAP APs only work with multicast unicast.
  For more information you can refer to the link -
  http://www.cisco.com/en/US/products/ps11630/products_tech_note09186a0080b8450c.shtml

• Configuring multiple dynamic interfaces in 5508

  Hi,
  I have 5508 controller where as ap-manager interface configuration is optional but since i have different topology at other end , I have 4507 configured with HSRP and i want to divide the AP traffic in both the switches therefore I will have to go ahead and configure multiple AP-manager interface and map with two different physical ports.
  But I have challenge to configure multiple dynamic interfaces.
  I want to create two wlans ( Internal wlan and guest wlan )
  Internal WLAN : 192.168.10.0
  default gateway : 192.168.10.1
  internal DHCP server : 172.16.10.1
  Physical Port : ............... ?  which port to configure ? ( I have connectivity with port 1 & port 2 )
  Guest WLAN : 192.168.20.0
  Default gateway : 192.168.20.1
  Internal DHCP server : 172.16.10.1
  Physical port :  ............... ?  which port to configure ? ( I have connectivity with port 1 & port 2 )
  I want to map it to multiple ports of dynamic interfaces for client traffic to physical ports.
  how do i configure it ?

  In adition to Nico's answer, I would go throught the detailed guide for the configuration of dynamic interfaces:
  http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mint.html#wp1167723.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• Dynamic interface do not obtain IP.

  we created a dynamic interface on WLC and associated a one ssid using dhcp but this interface do not obtain IP
  could you help me to resolve this case on wlc?
  regards,

  The dynaminc interface is configure to be static.Then from the GUI goto CONTROLLER----INTERNAL DHCP SERVER----DHCP SCOPE
  But the dynamic interface must be in the same ip subnet with the dhcp scope you created. You then need to tie it with the SSID u want. STEP click WLAN-----then the wlan id no---------GENERAL----Inteface u and put the dynamic inteface u just created.

• Dynamic interface with ip 0.0.0.0

  Hi gusy,
  what happens if i set yhe ip address of a dyn interface to 0.0.0.0 and associate this interface to a WLAN?
  will WLAN+this dynamic interface work as a layer 2 VLAN?
  thx....
  Ale.

  No,in fact I dont think you put all 0.0.0.0 on a dynamic interface ,...

• Dynamic interface ip addtress setted to 0.0.0.0 what happens?

  hi guys,
  what happen if i set the IP address of a dynamic interface to 0.0.0.0?
  can I associate a WLAN to this interface?
  will WLAN+Dyn interface work as a layer 2 VLAN?
  thx

  hi Dan
  thx for your reply.
  this is what i would like happen. I explain better.
  I need a wireless guest LAN completely separated from my network with dhcp on the same subnet but this subnet does'n have a private L3 address because is connected directly to internet (clients get public ip addresses) but i'm not sure it can work with controller. 

• Cannot contact Non-native dynamic interfaces on WLC 4402

  Hi,
            In my company we are recently planning to get a DMZ anchor for Guest WLAN. Our setup is as following
  We have two 5508 WLCs in inside corporate network which serves for the corporate wlan. Recently we put one 4402 in DMZ in LAG mode. Two SSID has been created in 4402 namely guest and consultant. We have mobility configured perfect between these three. For the the two ssids the 4402 is the anchor.   We have created sub interfaces in ASA for management and two WLANs. The port channel is also configured proper with the native vlan for management and allowing all three vlans through it. The concern is that we cannot ping the untagged dynamic interface of WLC. The WLAN clients are getting DHCP ip perfectly on each ssid, I mean in different networks. But the clients cannot reach the gateway which is the subinterface of ASA. If I am using the webauth I am not getting redirected to the authentication page. but if I set the security to none (both L2 and L3) I can reach up to the corresponding dynamic interface and not beyond that.
  Below are my configuration details
  At switch side
  interface Port-channel1
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 177
  switchport trunk allowed vlan 177-180
  switchport mode trunk
  interface GigabitEthernet2/0/26
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 177
  switchport trunk allowed vlan 177-180
  switchport mode trunk
  channel-group 1 mode on
  interface GigabitEthernet1/0/26
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 177
  switchport trunk allowed vlan 177-180
  switchport mode trunk
  channel-group 1 mode on
  WLC configurations
  (Cisco Controller) >show interface summary
  Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
  ap-manager                        LAG  untagged 192.168.7.3     Static  Yes    No
  management                      LAG  untagged 192.168.7.2     Static  No     No
  qd-consultant                     LAG  179      192.168.9.254   Dynamic No     No
  qd-guest                            LAG  178      192.168.8.254   Dynamic No     No
  qd-test                              LAG  180      192.168.10.254  Dynamic No     No
  service-port                         N/A  N/A      0.0.0.0               DHCP    No     No
  virtual                                 N/A  N/A      192.0.2.1           Static  No     No

  Your configuration looks good except you should assign an ip address to the service port. Never leave that at 0.0.0.0. Change that to an ip address that is non routable in your network.
  Now for your issue. Have you tried plugging in a laptop to the dmz switch in those vlans to see if it works wired. Since these are new subnets, are you sure they are being NAT'd to your public address. Check that first and let us know. The WLC should be able to ping the gateway and out into the Internet if things are setup right in the dmz.
  Sent from my iPhone

• Doubt with Dynamic Interfaces and VLANs

  Hello.
  I am trying to get wirelles clientes and APs to be on the same VLAN/subnet, now is working with management interface on my WLC 5508. My problem comes up when I change them to a new dynamic interface.
  Before any change:
  VLAN: 8
  Management Interface IP: 192.168.9.2/23
  Gateway: 192.168.8.1
  DHCP Server: 192.168.8.2
  WLAN SSID linked to Managment interface: Ray123
  APs on VLAN 8 and subnet static IP range192.168.9.0/23
  There is no dynamic interface.
  After changes.
  VLAN: 0
  Management Interface: 192.168.6.2/23
  Gateway: 192.168.6.1
  DHCP Server: 192.168.6.2
  Dynamic interface name: Wireless-1
  VLAN: 8
  Management Interface IP: 192.168.9.2/23
  Gateway: 192.168.8.1
  DHCP Server: 192.168.8.2
  WLAN SSID linked to Dynamic interface: Ray123
  APs still on VLAN 8 and subnet static IP range192.168.9.0/23
  After all this done i can see by cdp neighbors all my APs i can ping them and management interface too, but APs are not registered, no clients too.
  According to this guide:
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00805e7a24.shtml
  Dynamic interfaces and APs should be on the same VLAN.
  But this another guide states the opposite:
  http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mint.html
  "Set the APs in a VLAN that is different from the dynamic interface configured on the Controller. If the APs are in the same VLAN as the dynamic interface, the APs are not registered on the Controller and the 'LWAPP discovery rejected' and 'Layer 3 discovery request not received on management VLAN' errors are logged on the Controller"
  I cant understand why VLANs for APs and dynamic interfaces should be on different, it has no sense to configure a vlan intended for APs which shouldnt be on the same vlan.
  Please tell me what is wrong.
  Thanks in advance.

  You have to tell the APs where the WLC lives now, 192.168.6.2.
  You can do this in the following ways:
  Manual Prime the APs
  option 43
  dns
  ip forward udp 5246
  move the aps to the same vlan as the management interface let them join and then chnage the vlan
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

• WLC, mapping new dynamic interface to an already used port

  This is my question
  We have a multiple wlc deployment and a wlan which is running dhcp issues (scopes exhausted)
  The main Wlan is mapped to a dynamic interface group (2 vlans), both vlans are mapped to a single physical port
  adding a new dynamic interface (vlan) to the interface group is needed,
  - a new dynamic interface will be created and mapped to the same physical port of the other two (3 vlans)
  - the new interface will be addad to the interface group
  the question is:
  does this operation will require some network downtime (controller reboot,ap reboot... etc.) or will it be a seamless operation?
  thank you

  Does this mean, when utilizing an 802.1x WLAN in an AP Group, you can  not dynamically assign an interface via radius because itw ill be  ignored due to the AP Group settings?  If so, that seems short sited to  me?
  AAA override get priority when AAA override and AP group is used. the debug client output should show site specific over-ride for AP group initially and once it goes into .1x auth it will return the overrided vlan.

• Prime Infrastructure 2.1.1 cannot add more than two interfaces in Dynamic Interface Controller Templates

  Cisco Prime Infrastructure is a damned nightmare of browser bugs (some features work in IE8, some in IE9, and some only in Firefox).  And I am not sure if what I am experiencing is a browser bug - or a real bug - or something that I was able to do before and can't any more?  I would love for someone to either explain why this is happening to me, or reproduce the bug!
  I'm running Prime 2.1.1.  I am doing this ...
  Configure > Controller Template Launchpad
  System > Dynamic Interface
  Select a command > Add interface (GO)
  Enter all the properties - roll to the bottom of the page, and click Apply to Controllers
  I have four controllers.  And normally I would add an interface for each controller.  But I can only create two out of the four.  It doesn't matter which two I choose.  When I click Add under Manage Interfaces for the third controller, I cannot click the Done button to apply it (see screenshot, attached).  I have found that if I change the VLAN to something else, it will let me save it.  But ... why?  I went back and reviewed all of my existing interface templates and I am not doing anything different.  Although, they were all created a long while ago using WCS 7.x.
  Any help, guidance, or confirmation of insanity would be appreciated.
  -Steve Ballantyne

  I doubt I will get any hits on this here but I always try.  I opened a TAC case.  I will come back and comment on whatever they find.

• ISE and WLC dynamic interface group assignment ?

  I have a somewhat large deployment coming up with several WLC dynamic interfaces assigned to an interface group, replicated across for multiple sites.  I understand that ISE can return the VLAN ID to the WLC to place the client in, but if I'm using interface groups, this seems to negate the usefulness of the interface group to load clients across multiple VLANs.  Not only that, but with the number of dynamic interfaces (VLAN ID's), multiplied by the number of sites, would seem to be overwhelming on the ISE side policy configuration.
  Is it possible for ISE to return an Interface name/group to the WLC instead of just a VLAN ID ?
  TIA

  I understand that WLC 7.2 code can now accept the interface group name as a AAA override, which is great, but it doesn't specify the AAA source (ISE vs. ACS).
  This is the example I'm questioning: (they use the VLAN ID only, instead of an interface name)
  http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml#topic17
  Edit:
  Found the correct Attribute Under "Adv. Attribute Settings" in the Airspace Authorization Profiles (Airespace:Airespace-Interface-Name).

• Mgmt Via Dynamic Interface not working on 5505 version 7.2.111.3

  Folks,
           I have posted this question a couple of times on the forum but did not get a solution. I am trying to manage my 5508 controller from a dynamic interface which is assigned to port 7 of the controller. I have a switch connected to that port which has a PC on the same subnet as the dynamic interface. From the PC, I can ping the dynamic interface IP Address, but can not telnet,SSH,http or https to it. There is no clear doc that specifics how to effectly use the command "config network mgmt-via-dynamic-interface" command.
  Mgmt Via Wireless Interface................. Enable
  Mgmt Via Dynamic Interface.................. Enable
  Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
  173                                      7    173      172.16.101.100  Dynamic Yes    No
  management                         1    172      172.16.100.100  Static  Yes    No
  service-port                           N/A  N/A      0.0.0.0         DHCP    No     No
  virtual                                    N/A  N/A      1.1.1.1         Static  No     No
  7  Normal  Forw Enable  Auto       1000 Full  Up     Enable  N/A     1000BaseTX
  Any guidence would be highly appreciated.

  Im having a similar issue and have 2 TAC cases open.
  TAC CASE#1:  issue is that even when disbaled I can still access the dynmic interface via HTTPS/HTTPS/TELNET/SSH. But this is on a WISM1.
  Thanks a lot for your quick and prompt response, I see that there is an internal Bug with an ID CSCty32586.
  I see that the bug is fixed told be fixed in 7.0.230.0, but it’s not fixed. The bug is fixed in 7.2.x version.
  I understand that you are using Wism on which 7.1.x version and above is not supported.
  As 7.0.235.3 is released recently to overcome some of the changes and to fix some of the Bugs with older version on these devices.
  Kindly try to upgrade the software version of the WLC to 7.0.235.3 and check the compatibility.
  Please do let me know in case of any concerns and I will be glad to assist you.
  TAC CASE#2: Just like you I can not access the dynamic interface. Still working that one .. The holiday dropped when I just opened that case.
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."