Force WLAN client to renew ip on WLC with dynamic interfaces

Hi there
we would like to have a "two tier" authentication for the corporate WLAN clients:
Requirements
1. Machine Authentication
The client gets machine authenticated based on the machine account in the Active Directory with PEAP. At this stage, the client will get an IP from VLAN A. VLAN A has limited access to the corporate infrastructure (DNS, AD, some volumes / shares, and so on). The filtering is done with an IP access list on the layer 3 VLAN interface on the core switches.
2. User Authentication
The user logs in on the client and gets user authenticated based on his user account in the Active Directory with PEAP - only users with a valid Machine Access Restriction (MAR) are allowed to log in. Now the client is moved to another VLAN B. VLAN B has full access to the corporate infrastructure; there is no IP access list here.
Infrastructure
We have the following:
2 x WLC 5508 with 7.3.101.0
2 x ACS 5.3.0.40.6
Problem
Now we have the problem that the Windows client sometimes takes up to 3 minutes to connect to the WLAN after the user logs in. In the debug, I can see that this happens because the client is stuck in DHCP renewal:
1. After the machine has been authenticated it has an IP assigned from VLAN A. This works pretty well if the client gets rebooted.
2. If the user logs in for the first time after the reboot, the user gets connected within 10 seconds, which is pretty good. The client now has an IP in VLAN B.
3. Now the user logs out of Windows and I can see in the debug that the client is put into VLAN A (machine authentication) again, but the client still tries to DHCPREQUEST the IP address from VLAN B (user authentication). Because this request is sent out on the wrong dynamic interface on the WLC, the DHCPREQUEST is not acknowledged and the client gets stuck in this situation.
4. If the user or another user logs in again shortly after the logout, the client still tries to DHCPREQUEST the IP of VLAN B and now the "3 times DHCP failure on WLC" comes into play, because the WLC thinks that the DHCP server is not reachable -> but it only does not answer a wrong DHCPREQUEST.
Question
On ISE there is a way to force the client to renew the DHCP address (via CoA, but this has its limitations too --> need to install an ActiveX or Java applet). I think there is no way to force the client to renew its IP with ACS, but my question is: is there a workaround, and are there any others who maybe already solved this problem?
Alternative
If there is no way to get this to work with two different VLANs, I could try to realize this with only one VLAN. After the machine authentication I could apply a WLC ACL to restrict access to the corporate infrastructure. When the user authentication happens, I could "remove" this ACL to grant full access for this user / client. But I am still interested in the other solution ;-)
Thanks in advance for any advice and best regards
Dominic

Your second option is what you should do. A client that already has an IP address, especially on wireless, will not know it has been put in a different vlan when you change the vlan, and that's why it breaks. If there was a way to change the vlan and send something to the WLC to disassociate the client, that might work.
Sent from Cisco Technical Support iPhone App
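The stall Dominic describes, as an added example that is not part of the original thread: a small Python model of the RFC 2131 exchange. After the VLAN change the client is still bound to its VLAN B lease and goes into RENEWING, so it sends DHCPREQUEST for that address. A DHCP server that is authoritative for the new scope answers that with DHCPNAK, which drops the client back to INIT and a fresh DHCPDISCOVER; if the request simply goes unanswered (what the WLC debug shows when it leaves on the wrong dynamic interface), the client keeps retrying and never re-addresses. The scopes, addresses and round counts are constructed for the demonstration; nothing here is WLC or ACS code.

```python
"""Model of the DHCP re-addressing that fails in the thread above.

Added example, not from the thread. Scope ranges, the old VLAN B address and
the round limit are constructed values for the demonstration only.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass
class Scope:
    """One VLAN's DHCP scope, reached through one WLC dynamic interface."""
    name: str
    network: ipaddress.IPv4Network
    next_host: int = 10                      # first host offset handed out

    def offer(self) -> ipaddress.IPv4Address:
        addr = self.network.network_address + self.next_host
        self.next_host += 1
        return addr


@dataclass
class Client:
    """Minimal RFC 2131 client state: INIT, REQUESTING, RENEWING, BOUND."""
    state: str
    addr: Optional[ipaddress.IPv4Address] = None
    unanswered: int = 0                      # DHCPREQUESTs that got no reply at all


def server_handle(scope: Scope, msg: dict) -> Optional[dict]:
    """DHCP server that is authoritative for `scope` only."""
    if msg["type"] == "DISCOVER":
        return {"type": "OFFER", "addr": scope.offer()}
    if msg["type"] == "REQUEST":
        if msg["addr"] in scope.network:
            return {"type": "ACK", "addr": msg["addr"]}
        return {"type": "NAK"}               # RFC 2131 4.3.2: address is on the wrong network
    return None


def rehome_client(client: Client, scope: Scope, nak_foreign_requests: bool, max_rounds: int = 8):
    """Drive the client until it is BOUND in `scope` or max_rounds elapse.

    Returns (bound, rounds_used). nak_foreign_requests=False models what the
    question describes: the DHCPREQUEST for the old VLAN's address leaves on the
    wrong dynamic interface and is neither acknowledged nor refused.
    """
    for rnd in range(1, max_rounds + 1):
        if client.state == "INIT":
            reply = server_handle(scope, {"type": "DISCOVER"})
            client.addr, client.state = reply["addr"], "REQUESTING"
            continue
        # REQUESTING or RENEWING: ask for the address we currently hold
        if client.addr not in scope.network and not nak_foreign_requests:
            client.unanswered += 1           # silently dropped; client retries and backs off
            continue
        reply = server_handle(scope, {"type": "REQUEST", "addr": client.addr})
        if reply["type"] == "ACK":
            client.state = "BOUND"
            return True, rnd
        client.state, client.addr = "INIT", None   # NAK: start over with DISCOVER
    return False, max_rounds


def simulate_logout_to_vlan_a(nak_foreign_requests: bool):
    """User logs out: client holding a VLAN B lease is moved to VLAN A.

    Returns (bound, rounds, final_address, unanswered_requests, final_state).
    """
    vlan_a = Scope("VLAN A (machine auth)", ipaddress.ip_network("10.1.0.0/24"))
    old_vlan_b_lease = ipaddress.ip_address("10.2.0.50")      # constructed
    client = Client("RENEWING", old_vlan_b_lease)
    bound, rounds = rehome_client(client, vlan_a, nak_foreign_requests)
    return bound, rounds, str(client.addr), client.unanswered, client.state


if __name__ == "__main__":
    print("server NAKs the foreign request:", simulate_logout_to_vlan_a(True))
    print("request never answered (thread):", simulate_logout_to_vlan_a(False))
```

With a NAK the client is bound in VLAN A after three rounds (NAK, DISCOVER/OFFER, REQUEST/ACK); with the request dropped it is still RENEWING with its VLAN B address after every round. A NAK only arrives if the DHCP server that receives the relayed request refuses addresses outside its scope; in the thread the request is simply not answered, which is why the single-VLAN alternative with a per-session ACL sidesteps the problem.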

Similar Messages

  • WLC dynamic interface limit

    Hi,
    I have a WISM with sw version 4.0.179.11 which I try to add more dynamic interfaces on. However I get the message "Can't create more than 64 entries".
    I find in the deployment guide for WLC - quote: "Dynamic Interfaces are created by users and are designed to be analogous to VLANs for wireless LAN client device. The WLC will support up to 512 Dynamic Interface instances. "
    Has anybody encountered this limitation before?
    How can I add more than 64 interfaces ?
    regards rolf

    Hi.
    I have a customer with a WLC which has DHCP Proxy disabled and Primary & Secondary DHCP servers configured (external to the WLC).
    The problem I've just started looking at is...if the Primary has run out of leasable IP addresses, the WLC doesn't appear to request one from the Secondary server.
    It looks like (without any real investigation) the "I've run out of addresses" response from the Primary server is sufficient for the WLC to believe that the Primary is still on the network and it doesn't need to go to the Secondary.
    I'll add more as and when I do more testing.

  • 4400 WLC Layer 3 Authentication Status for WLAN Clients

    We have 3 4400 series WLC's(wireless LAN controllers). Two 4404 WLC's are on the "inside" of our network and all AP's (access points) on our network use these two WLC's as the primary or secondary controller.  The 4402 WLC Anchor controller resides in our DMZ and is used for WLANs that are more oriented for guest usage.  These guest WLANs are configured on the inside controllers also, but are "anchored" to the 4402.  On the anchor controller we are using layer 3 Web Authentication for the WLAN "Guest".  This WLAN uses the internal web-auth page within the anchor controller and a username/password combo that is locally defined on the anchor controller.
    Functionally there is no issue.  Users connecting to the WLAN are presented with the web-auth page upon connecting to the WLAN and opening a web browser.  The issue is how the layer 3 authentication information is presented on the Monitor Clients page of the "inside" WLC's management screen as compared to the "anchor" WLC.
    For example, if we log in to the anchor controller and then click Monitor, then Client, then Change Filter and choose any WLAN requiring layer 3 authentication on the Anchor controller, there will be a list of all clients currently associated.  In the Column with the "Auth" heading it shows the Layer 3 Authentication status of the clients.  For example, if there are 15 clients associated to WLAN SSID "Guest", but only 5 of them have opened their web browsers and correctly logged in, then this will be correctly displayed.  The 5 who have logged in will show "Yes" and the other 10 will show "No" in the Auth column.
    Now...the problem...on the inside controllers...if we do the same thing (monitor, clients, filter for WLAN SSID "Guest"), all 15 will show "Yes" under the Auth column. In most cases the 15 clients will be distributed across both controllers (maybe 6 on one, and 9 on the other WLC), but both inside controllers will display all clients as having a layer 3 authentication status of "Yes". We have proven over and over that this is not accurate. This is very inconvenient because the "Client Count" reports we run on the WCS server reflect the same information as the "inside" controllers. The WCS reports will show all 15 as Authenticated and they are not. We have proven many times that the anchor WLC is the only controller accurately conveying this info.
    Also, the engineers who helped with our network install have reproduced the same behavior in a lab with an anchor and inside controller directly connected.  They suggested it may be a code bug with the 4400 series WLC.  We are running controller Software Version 6.0.188.0 on all 3 controllers.
    Please let me know what you think may be causing this issue.  Any help or advice is greatly appreciated!

    Hi,
    We run version 7.0 on the WCS and WLCs but I thought I'd try the report and see what I got. The result is a line graph with the number of associated and authenticated clients superimposed. I'm not sure how useful a report of this nature is.
    It doesn't inspire confidence: when I specify the guest wireless SSID I get zero clients! I know there have been guest clients authenticated during the report period I spec'd.
    Scott

  • Client Roaming Within Single WLC with Different AP Groups

    I am trying to setup a 4400 WLC with 2 different AP Groups mapped to its respective Dynamic Interfaces / Vlans. AP's are equally mapped to both the AP groups by Floor wise ex: First floor AP's connect to one AP group and the Second Floor AP's connecting to other AP group.
    Goal is to create a separate network policy for each floor using ACLs and apply them to their respective VLANs on the Layer 3 switch. Wireless roaming should happen seamlessly between these AP groups, making the DHCP changes without disconnecting and reconnecting every time a user roams across the floors.
    Problem is when clients roam between floors, i.e. moving between AP groups, they still maintain their old DHCP IP addresses when moved to the new AP group even after client re-authentication. This defies our goal of creating a wireless network policy using a single WLC.
    Knobs I have tuned in the WLC to achieve our goal include....
    1. WLAN Session Timeout - No use
    2. DHCP Proxy Disable - No Use
    3. ARP Time out - No use
    Looks like the WLC is storing the IP address and MAC information of the client unconditionally during roaming and not clearing it out until a manual or forced disconnect or disassociation is done.
    Has anyone tried to implement this setup and made it run? Any help or suggestion would be highly appreciated.
    Thanks
    Guru

    A bit late for a reply but....try going to the SSID > Advanced and ticking the "DHCP Addr. Assignment" Required checkbox and test again.
    What does the DHCP Required field under a WLAN signify?
    A. DHCP Required is an option that can be enabled for a WLAN. It necessitates that all clients that associate to that particular WLAN obtain IP addresses through DHCP. Clients with static IP addresses are not allowed to associate to the WLAN. This option is found under the Advanced tab of a WLAN. WLC allows the traffic to/from a client only if its IP address is present in the MSCB table of the WLC. WLC records the IP address of a client during its DHCP Request or DHCP Renew. This requires that a client renews its IP address every time it re-associates to the WLC because every time the client disassociates as a part of its roam process or session timeout, its entry is erased from the MSCB table. The client must again re-authenticate and reassociate to the WLC, which again makes the client entry in the table.

  • Wireless Clients can't connect post WLC Upgrade to version 7.4.100.0

    Upgraded WLC Flex 7500 controller to: 7.4.100.0
    Previous WLC Controller version: 7.2.111.3
    After the upgrade, all APs reported back to the controller and looked like they were working. We have 50+ branch sites that connect back via Layer 2 to the main office. The main office SSIDs were broadcasting and users could connect and get the proper IPs. Users that connected back through FlexConnect APs couldn't obtain an IP address. The client would authenticate to the WLC and accept the SSID key, but would not get an IP address. I see with the 7.4.100.0 upgrade there are more options for DHCP for each interface; we don't use interfaces for all sites as we did in the early days, now we make sure the FlexConnect tab has the VLAN identifier in the tab and the traffic goes out the local firewall etc. Each remote site has a Linux based firewall and DHCP server.
    Looking for any insight with the 7.4.100.0 upgrade that may cause clients to not connect and obtain an IP address.
    We have since back dated our WLC Software to: 7.2.111.3 to allow things to work pre upgrade which everything worked fine.
    Any suggestions would be great, we had to upgrade version 7.4.100.0 to support our AP 1602.
    Thanks in advance.
    Matt

    Verify that you have an upgraded FUS image. Second, make sure your WLAN to vlan mapping on the FlexConnect AP's have the correct vlan mapping. I have seen these change to the default vlan mapping.
    Sent from Cisco Technical Support iPhone App

  • ISE Certificate Chain Not Trusted By WLAN Clients

    We are running ISE 1.1.3 using Entrust cert signed by Entrust sub CA L1C, which is signed by Entrust.net 2048, which is in all major OS stores as trusted (Windows, Android, iOS).
    We have installed a concatenated PEM file with all of the certificates from the chain, as described in the ISE User Guides. The ISE GUI shows all of the certs in the chain individually after the import (i.e. the chain works and is good). However, we are not sure if the ISE is sending the entire chain to the WLAN clients during EAP authentication or just the ISE cert, because of the error message we get on ALL client types which states that the certificate is not trusted.
    So the question is if the ISE is really sending the whole chain or just its own cert without the rest of the certs in the chain (which would explain why the WLAN clients complain about the certificate trust.)
    Anyone out there know if the ISE code is not up to sending the cert chain in version 1.1.3 yet or if there is some other explanation? Screenshot attached of iPhone prompting for cert verification.

    Thanks hardiklodhia, your post confirms what we are seeing - the Windows clients have no issue as long as they are set to either NOT validate the EAP server cert or they are set to trust the signing CA cert from the local store by specifically selecting the signing CA (i.e. tick next to "Validate Server Certificate" and then another tick next to the signing CA cert in the box below.)
    The iOS clients ALWAYS prompt for verification (thanks Apple.)
    Note: we are using 1.1.3 and the cert chain import using a concatenated PEM file with ALL of the certs in the chain works fine. We are seeing the whole chain on the clients and the ISE extracts each PEM file into its local store.
    The PEM file format is not adequately described in the user guides rather a vague description of cert order is provided.
    The file should look like this:
    -------------------------Top of page-----------------------------
    Root CA PEM FILE
    Intermediate CA 1 PEM FILE
    Intermediate CA 2 PEM FILE
    ETC
    ISE CERT PEM FILE
    ------------------------Bottom of page-------------------------
    By "PEM FILE" I mean the actual base64 encoded PEM output from openssl when you convert a .crt or .der file to PEM, including the words "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" for each PEM FILE above.
    e.g.
    -----BEGIN CERTIFICATE-----
    MIIE2DCCBEGgAwIBAgIEN0rSQzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC
    VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u
    ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc
    KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u
    ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05OTA1
    MjUxNjA5NDBaFw0xOTA1MjUxNjM5NDBaMIHDMQswCQYDVQQGEwJVUzEUMBIGA1UE
    ChMLRW50cnVzdC5uZXQxOzA5BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5j
    MAwGA1UdEwQFMAMBAf8wGQYJKoZIhvZ9B0EABAwwChsEVjQuMAMCBJAwDQYJKoZI
    hvcNAQEFBQADgYEAkNwwAvpkdMKnCqV8IY00F6j7Rw7/JXyNEwr75Ji174z4xRAN
    95K+8cPV1ZVqBLssziY2ZcgxxufuP+NXdYR6Ee9GTxj005i7qIcyunL2POI9n9cd
    2cNgQ4xYDiKWL2KjLB+6rQXvqzJ4h6BUcxm1XAX5Uj5tLUUL9wqT6u0G+bI=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIEnzCCBAigAwIBAgIERp6RGjANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC
    VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u
    ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc
    VeSB0RGAvtiJuQijMfmhJAkWuXAwHwYDVR0jBBgwFoAU8BdiE1U9s/8KAGv7UISX
    8+1i0BowGQYJKoZIhvZ9B0EABAwwChsEVjcuMQMCAIEwDQYJKoZIhvcNAQEFBQAD
    gYEAj2WiMI4mq4rsNRaY6QPwjRdfvExsAvZ0UuDCxh/O8qYRDKixDk2Ei3E277M1
    RfPB+JbFi1WkzGuDFiAy2r77r5u3n+F+hJ+ePFCnP1zCvouGuAiS7vhCKw0T43aF
    SApKv9ClOwqwVLht4wj5NI0LjosSzBcaM4eVyJ4K3FBTF3s=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIE9TCCA92gAwIBAgIETA6MOTANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML
    RW50cnVzdC5uZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBp
    bmNvcnAuIGJ5IHJlZi4gKGxpbWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5
    IEVudHJ1c3QubmV0IExpbWl0ZWQxMzAxBgNVBAMTKkVudHJ1c3QubmV0IENlcnRp
    EN551lZqpHgUSdl87TBeaeptJEZaiDQ9JifPaUGEHATaGTgu24lBOX5lH51aOszh
    DEw3oc5gk6i1jMo/uitdTBuBiXrKNjCc/4Tj/jrx93lxybXTMwPKd86wuinSNF1z
    /6T98iW4NUV5eh+Xrsm+CmiEmXQ5qE56JvXN3iXiN4VlB6fKxQW3EzgNLfBtGc7e
    mWEn7kVuxzn/9sWL4Mt8ih7VegcxKlJcOlAZOKlE+jyoz+95nWrZ5S6hjyko1+yq
    wfsm5p9GJKaxB825DOgNghYAHZaS/KYIoA==
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIFKjCCBBKgAwIBAgIETB9GEzANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMC
    VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0
    Lm5ldC9ycGEgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMW
    KGMpIDIwMDkgRW50cnVzdCwgSW5jLjEuMCwGA1UEAxMlRW50cnVzdCBDZXJ0aWZp
    yhHR/hYfdVM88hBXXypACgrxBv/JFlKzSEDwKydJeT1tcP//nG4jv1WWgLk6O2Mi
    0oE0fnGmuf9fTX4+CdapG2gTDFJ29Chv3kavJDNtB85A7CK8oWI8Qav78Rvaz7nA
    LiRMLBQ1RkqUrQFL2WHx4mJkCddPXzOeOVJlUTGJ
    -----END CERTIFICATE-----
    The last PEM output (the one directly above) is the ISE cert in PEM format. The first PEM output (the one at the top) is the Root CA cert in PEM format. The ones in the middle are intermediate signing CAs in order (from root to leaf).
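    An added check for the layout just described (example code, not from the thread and not ISE's own): it splits a concatenated PEM bundle into its certificates, reads only the issuer and subject Names out of the DER, and confirms that the first certificate is self-signed and that every following certificate was issued by the one directly above it, i.e. root first, ISE certificate last. Standard library only; the certificates it builds for its own demonstration are constructed, unsigned skeletons with just enough DER to carry the two Names, and the same function runs unchanged on a real bundle such as the one above.

```python
"""Check that a concatenated PEM bundle is ordered root -> intermediates -> leaf.

Added example, not part of the thread. Only the issuer and subject Names are
parsed (a few DER fields), so this needs nothing beyond the standard library.
fake_cert_pem() produces CONSTRUCTED, unsigned skeletons for the demonstration.
"""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Split a constructed DER value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        out.append((tag, val))
    return out


def issuer_and_subject(der):
    """Return the raw DER Name encodings (issuer, subject) of an X.509 certificate."""
    _, cert, _ = _tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                  # tbsCertificate ::= SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]


def common_name(name_der):
    """Best-effort CN (OID 2.5.4.3) of a Name, for readable messages only."""
    for _, rdn in _children(name_der):                     # SET OF
        for _, atv in _children(rdn):                      # AttributeTypeAndValue
            oid, value = _children(atv)
            if oid[1] == b"\x55\x04\x03":
                return value[1].decode("utf-8", "replace")
    return "<no CN>"


def check_bundle_order(pem_text):
    """Return (ok, detail). ok only when cert 1 is self-signed and each later
    certificate's issuer equals the subject of the certificate directly above it."""
    certs = [base64.b64decode("".join(m.group(1).split())) for m in PEM_BLOCK.finditer(pem_text)]
    if not certs:
        return False, "no certificates found"
    names = [issuer_and_subject(c) for c in certs]
    cns = [common_name(subject) for _, subject in names]
    if names[0][0] != names[0][1]:
        return False, f"cert 1 ({cns[0]}) is not self-signed; the root CA must come first"
    for i in range(1, len(names)):
        if names[i][0] != names[i - 1][1]:
            return False, f"cert {i + 1} ({cns[i]}) was not issued by cert {i} ({cns[i - 1]})"
    return True, " -> ".join(cns)


def _der(tag, content):
    """Minimal DER encoder used only to build the constructed test certificates."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def fake_cert_pem(subject_cn, issuer_cn):
    """CONSTRUCTED, unsigned certificate skeleton carrying only the fields that
    issuer_and_subject() reads. Not a valid certificate; demonstration data."""
    def name(cn):
        atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
        return _der(0x30, _der(0x31, atv))     # Name ::= SEQUENCE OF SET OF ATV
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") + name(issuer_cn) + _der(0x30, b"") + name(subject_cn))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    good = fake_cert_pem("Root", "Root") + fake_cert_pem("Sub CA", "Root") + fake_cert_pem("ise.example", "Sub CA")
    bad = fake_cert_pem("ise.example", "Sub CA") + fake_cert_pem("Sub CA", "Root") + fake_cert_pem("Root", "Root")
    print(check_bundle_order(good))
    print(check_bundle_order(bad))
```

    The function compares the raw DER Names byte for byte, which is the strict form of the match chain building performs, so on a real bundle the only difference is that the Names come from real certificates. A reversed or shuffled bundle is reported with the position and CN of the first certificate that breaks the chain.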

  • How can I apply existing WCS "WLAN Config" templates to a new WLC?

    We've been running a pair of WLC 4402s managed by WCS, thus we are still on the older 7.0.235.0 (WCS) / 7.0.235.3 (WLC) release. I'm trying to add an additional WLC 4402-50 as a hot spare. I first ran the manual setup steps to give it an IP in our range, and used the WLCs web page to set our SNMP communities and such to the values used by our existing WLCs, then I added the new WLC in WCS.
    At this point I could apply most of the "Controller Templates" from our existing configuration to the new unit. However, I can not get it to take our existing interfaces nor our WLAN Configurations. How do I avoid needing to recreate these from scratch on the new WLC?
    We only have four dynamic interfaces, and each WLC needs its own IP address for each interface, so I did manually add these via the WLC's web page. However, now when I go to the WCS' "Configure > Controller Template Launch Pad" page, then select "WLANs > WLAN Configuration", I see my usual list of WLANs, but can't figure how to push them to the new WLC.
    For all of the other templates on the launch pad, I can select a template, click the "Apply to Controllers..." button, and I get a list that has my existing two and also the new controller. I can select the new controller, and apply the template, and it succeeds.
    Yet if I select a specific WLAN config, and press "Apply to Controllers...", the list that appears has only my existing two WLCs, not the new one.
    In small green type at the top it says, "Controllers configured with Interface/Interface Group - 'w-restricted'  and selected RADIUS server(s), LDAP servers, ACL Name with rules and  Ingress interface are shown."
    I have already manually added the interface "w-restricted" to the new controller, and have added the RADIUS servers via the template used by our other two WLCs. Not sure what to do about "LDAP servers, ACL Name with rules and  Ingress interface", as we don't have any ACL rules, nor use LDAP directly from the WLCs (as all user ID stuff is via RADIUS).
    Any hints on what manual setup I should add to get the new WLC in the list for these WLAN Configs?
    Thanks,
    Steve

    To be honest, if you're only adding another WLC, you're better off creating the interfaces and WLANs manually. I don't like pushing out templates to create new WLANs. I would use it to adjust an existing WLAN, but that would be it. To me it's safer. Also, is your new WLC on the same code? If you really want to figure it out, I would manually add the interfaces first, then refresh the config from the new WLC and then push out the WLAN SSID and see if it takes. If not, don't waste your time anymore and create it manually.
    Sent from Cisco Technical Support iPhone App

  • Cisco Trust Agent - Any way to force the client to always be enabled?

    We have begun to roll out dot1x configuration on our fleet of switches to support a basic authentication and posture check for our NAC Framework deployment. Previous to this, we spent a couple of months deploying the Trust Agent. In the time between deploying the client, and turning dot1x on the switch ports, some users have un-checked the "Enable Client" option available to them in the system tray icon, and the Wired Client. Obviously when dot1x is applied to the port, the supplicant forwards the authentication request to the client, and waits forever for a response, leaving users trying to login waiting for 20 - 30 mins for the login process to complete. My question is thus, is there any way (registry setting, config file setting) to force the client to always be enabled?
    Thanks,
    Michael


  • Cisco 876w: wlan client - routing problem

    I configured a Cisco 876w to connect to an existing WLAN as a client. Now I would like to connect 3 PCs to the 876w which should be able to access the internet via the 876w.
    Problem:
    Being at the console (ssh) of the 876w, I can ping hosts in the internet (even with their name like www.google.com) but when I'm using a client PC, I can't... What am I missing here? Could it be a NAT problem?
    Config:
    Internet <--->  DSL Router 192.168.1.1 (and WLAN AccessPoint)  <--->  Cisco 876w (gets IP per DHCP, VLAN1 IP: 10.10.10.1) <---> PC (10.10.10.101)
    Current configuration : 9897 bytes
    version 12.4
    no service pad
    ...
    dot11 vlan-name wlan-lan vlan 1
    dot11 ssid WLAN
    vlan 1
    authentication open
    authentication key-management wpa
    wpa-psk ascii 7 0923467F1B2E52789807132F7A202E3D31
    no ip source-route
    ip dhcp excluded-address 10.10.10.1 10.10.10.9
    ip dhcp excluded-address 10.10.10.101 10.10.10.254
    ip dhcp pool ccp-pool1
       import all
       network 10.10.10.0 255.255.255.0
       default-router 10.10.10.1
       domain-name cisco.test.com
       dns-server 208.67.222.222
    ip cef
    no ip bootp server
    ip domain name test.com
    ip name-server 208.67.222.222
    ip ddns update method sdm_ddns1
    HTTP
      add http://[email protected]/nic/update?system=dyndns&hostname=//[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
      remove http://[email protected]/nic/update?system=dyndns&hostname=//[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
    no ipv6 cef
    multilink bundle-name authenticated
    isdn switch-type basic-net3
    username admin privilege 15 secret 5 $1$uiouLKjbLIUBlKbj
    username service privilege 15 secret 5 $1$LKjblkJNBLKkjlbkm
    archive
    log config
      hidekeys
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    class-map type inspect match-all sdm-cls--1
    match access-group name AllowAny
    policy-map type inspect sdm-policy-sdm-cls--1
    class type inspect sdm-cls--1
      inspect
    class class-default
      drop
    zone security wan
    zone security lan
    zone-pair security sdm-zp-lan-wan source lan destination wan
    service-policy type inspect sdm-policy-sdm-cls--1
    interface BRI0
    description <--
    no ip address
    ip flow ingress
    ip virtual-reassembly
    encapsulation ppp
    shutdown
    dialer pool-member 1
    isdn switch-type basic-net3
    isdn point-to-point-setup
    ppp multilink
    !
    interface ATM0
    backup interface BRI0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    shutdown
    no atm ilmi-keepalive
    interface ATM0.3 point-to-point
    description <--
    ip flow ingress
    shutdown
    pvc 1/32
      pppoe-client dial-pool-number 2
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Dot11Radio0
    description <--
    no ip address
    no ip proxy-arp
    ip flow ingress
    ip virtual-reassembly
    no ip route-cache cef
    no ip route-cache
    encryption mode ciphers aes-ccm
    encryption vlan 1 mode ciphers aes-ccm
    ssid WLAN
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role non-root
    no cdp enable
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    ip address dhcp
    ip nat outside
    ip virtual-reassembly
    no ip route-cache
    no cdp enable
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
    ip address 10.10.10.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    zone-member security lan
    ip tcp adjust-mss 1412
    interface Dialer0
    ip ddns update hostname blahblah.dnsalias.com
    ip ddns update sdm_ddns1
    ip address negotiated
    ip nat outside
    ip virtual-reassembly
    zone-member security wan
    encapsulation ppp
    shutdown
    dialer pool 1
    dialer idle-timeout 600
    dialer string 01919214124
    dialer load-threshold 20 outbound
    dialer watch-group 1
    dialer-group 1
    no cdp enable
    ppp authentication chap pap callin
    ppp chap hostname asfa
    ppp chap password 7 128763520
    ppp pap sent-username asfa password 7 0302141555
    ppp multilink
    interface Dialer2
    ip ddns update sdm_ddns1
    ip address negotiated
    ip mtu 1452
    ip nat outside
    ip virtual-reassembly
    zone-member security wan
    encapsulation ppp
    dialer pool 2
    dialer-group 2
    no cdp enable
    ppp authentication chap pap callin
    ppp chap hostname gast
    ppp chap password 7 095B239876473F06090A
    ppp pap sent-username gast password 7 1239847629873693D
    router rip
    network 10.0.0.0
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 192.168.1.1
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 105 interface Dialer0 overload
    ip nat inside source list 106 interface Dot11Radio0.1 overload
    ip access-list extended AllowAny
    remark CCP_ACL Category=128
    permit ip 10.10.10.0 0.0.0.255 any
    ip access-list extended nix
    remark tut nix
    remark CCP_ACL Category=2
    permit tcp any any
    permit udp any any
    permit icmp any any
    permit ip any any
    logging trap debugging
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 10.10.10.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=2
    access-list 100 permit ip any any
    access-list 101 remark CCP_ACL Category=2
    access-list 101 permit ip 10.10.10.0 0.0.0.255 any
    access-list 102 remark CCP_ACL Category=2
    access-list 102 permit ip 10.10.10.0 0.0.0.255 any
    access-list 103 remark CCP_ACL Category=2
    access-list 103 permit ip 10.10.10.0 0.0.0.255 any
    access-list 105 remark Alles
    access-list 105 remark CCP_ACL Category=2
    access-list 105 permit ip 10.10.10.0 0.0.0.255 any
    access-list 105 permit icmp 10.10.10.0 0.0.0.255 any
    access-list 105 permit udp 10.10.10.0 0.0.0.255 any
    access-list 105 permit tcp 10.10.10.0 0.0.0.255 any
    access-list 106 remark NAT wlan
    access-list 106 remark CCP_ACL Category=2
    access-list 106 permit ip 10.10.10.0 0.0.0.255 any
    access-list 106 permit icmp 10.10.10.0 0.0.0.255 any
    access-list 106 permit udp 10.10.10.0 0.0.0.255 any
    access-list 106 permit tcp 10.10.10.0 0.0.0.255 any
    dialer watch-list 1 ip 208.67.222.222 255.255.255.255
    dialer-list 1 protocol ip permit
    no cdp run
    radius-server attribute 32 include-in-access-req format %h
    radius-server vsa send accounting
    control-plane
    banner exec ^C
    % Password expiration warning.
    Cisco Configuration Professional (Cisco CP) is installed on this device
    and it provides the default username "cisco" for  one-time use. If you have
    already used the username "cisco" to login to the router and your IOS image
    supports the "one-time" user option, then this username has already expired.
    You will not be able to login to the router with this username after you exit
    this session.
    It is strongly suggested that you create a new username with a privilege level
    of 15 using the following command.
    username <myuser> privilege 15 secret 0 <mypassword>
    Replace <myuser> and <mypassword> with the username and password you
    want to use.
    ^C
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    line con 0
    no modem enable
    transport output telnet
    line aux 0
    transport output telnet
    line vty 0 4
    transport input telnet ssh
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end
    ndrmedienturm#sh ip int brief
    Interface                  IP-Address      OK? Method Status                Protocol
    FastEthernet0              unassigned      YES unset  up                    up     
    FastEthernet1              unassigned      YES unset  up                    down   
    FastEthernet2              unassigned      YES unset  up                    down   
    FastEthernet3              unassigned      YES unset  up                    down   
    BRI0                       unassigned      YES NVRAM  standby mode/disabled down   
    BRI0:1                     unassigned      YES unset  administratively down down   
    BRI0:2                     unassigned      YES unset  administratively down down   
    Dot11Radio0                unassigned      YES TFTP   up                    up     
    Dot11Radio0.1              unassigned      YES DHCP   up                    up     
    ATM0                       unassigned      YES NVRAM  administratively down down   
    ATM0.3                     unassigned      YES unset  administratively down down   
    SSLVPN-VIF0                unassigned      NO  unset  up                    up     
    Vlan1                      10.10.10.1      YES NVRAM  up                    up     
    NVI0                       unassigned      YES unset  administratively down down   
    Dialer0                    unassigned      YES NVRAM  administratively down down   
    Dialer2                    unassigned      YES NVRAM  up                    up     
    Virtual-Dot11Radio0        unassigned      YES TFTP   up                    up     
    Virtual-Dot11Radio0.1      192.168.1.54    YES DHCP   up                    up

    Hi,
    Just check it out few things from client are you able to ping the wan interface of the cisco 876w and when you ping the internt address from client pc what is the out put of the nat translation in router.
    The command to check the same is show ip nat translation is packet is gettin translated or not.
    Hope to Help !!
    Ganesh.H
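    One check worth running over the pasted configuration, as an added example rather than anything posted in the thread: with IOS zone-based firewall, traffic only flows between interfaces that are both zone members (and then only as the zone-pair policy allows); an interface that belongs to no zone cannot exchange traffic with a zone member at all. In the running-config above, Vlan1 is in zone lan, the default route goes to 192.168.1.1 on the WLAN side, Dot11Radio0.1 carries ip nat outside and NAT list 106, and Dot11Radio0.1 has no zone-member line, while Dialer2 does. The script below parses the interface stanzas for exactly that gap and shows the fix of placing the interface into the wan zone that the existing lan-to-wan zone-pair already references. SAMPLE_CONFIG is constructed to mirror just those stanzas; the helper names are this example's own.

```python
"""Flag NAT interfaces that sit in no security zone in an IOS running-config.

Added example, not from the thread. SAMPLE_CONFIG is a CONSTRUCTED excerpt that
mirrors the relevant stanzas of the configuration posted above.
"""

SAMPLE_CONFIG = """\
zone security wan
zone security lan
zone-pair security sdm-zp-lan-wan source lan destination wan
 service-policy type inspect sdm-policy-sdm-cls--1
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 ip address dhcp
 ip nat outside
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 zone-member security lan
interface Dialer2
 ip address negotiated
 ip nat outside
 zone-member security wan
ip nat inside source list 106 interface Dot11Radio0.1 overload
"""


def parse_interfaces(config_text):
    """Map interface name -> {"nat": "inside"/"outside"/None, "zone": name/None}.

    Only 'ip nat inside|outside' and 'zone-member security' lines are read, and
    each is attributed to the most recent 'interface' line, so this also copes
    with a paste that has lost its indentation, as the one above has.
    """
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"nat": None, "zone": None}
        elif current is None or line.startswith("ip nat inside source"):
            continue                         # global NAT rule, not an interface attribute
        elif line in ("ip nat inside", "ip nat outside"):
            interfaces[current]["nat"] = line.split()[-1]
        elif line.startswith("zone-member security "):
            interfaces[current]["zone"] = line.split()[-1]
    return interfaces


def nat_without_zone(config_text):
    """Interfaces that do NAT but belong to no zone, when ZBFW is configured at all.

    A zoned interface cannot pass traffic to these, so a LAN in zone 'lan' is
    never NATed out through them.
    """
    has_zbfw = any(l.strip().startswith("zone security ") for l in config_text.splitlines())
    if not has_zbfw:
        return []
    return sorted(name for name, attrs in parse_interfaces(config_text).items()
                  if attrs["nat"] and attrs["zone"] is None)


def with_zone(config_text, interface, zone):
    """Return the config with 'zone-member security <zone>' added under <interface>."""
    out, target = [], f"interface {interface}"
    for raw in config_text.splitlines():
        out.append(raw)
        if raw.strip() == target:
            out.append(f" zone-member security {zone}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("NAT interfaces outside any zone:", nat_without_zone(SAMPLE_CONFIG))
    fixed = with_zone(SAMPLE_CONFIG, "Dot11Radio0.1", "wan")
    print("after adding zone-member security wan:", nat_without_zone(fixed))
```

    Run against the constructed excerpt it reports Dot11Radio0.1 and nothing after the zone-member line is added; the same parse works on a full `show running-config`, since only the interface stanzas and the presence of `zone security` matter. Whether that single line is the whole answer for the 876w also depends on which interface actually holds the WLAN client address, so check the NAT translations as Ganesh suggests after making the change.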

  • WLAN override option not available for WLC 4402 - 6.0.196.

    Hi All,
    It's kind of weird BUT it seems that the option for WLAN override is missing.
    I could find it on the lower version BUT not on 6.0.196.
    Please help.
    Does this mean I could only set it up via the WCS and not the WLC directly.
    Thank you.
    Warmest Regards,
    Azzafir Ariff Patel.

    Hi Scott,
    Thank you so much for the clarification.
    Thanks again.

  • WRVS4400N v2 WLAN clients dropping

    I purchased a WRVS4400N for my home to replace an older router. Since I started using the Cisco router, WLAN clients drop. I can sometimes get them back after initiating a ping to a static LAN IP, but it takes a few seconds.
    This issue impacts Win Vista, Win7, Mac, Android, and Linux machines...so basically anything that does WiFi. There seem to be many complaints here with no resolution. Has anyone fixed this problem in their network? I'd really hate to return this thing, but it's becoming unusable.

    Mr. Cameron,
    Hi, my name is Eric Moyers. I am a Network Support Engineer in the Cisco Small Business Support Center. I am truly sorry to hear about the issue you are having with your router.
    Have you called into the Small Business Support Center for help on this? If you have, may I have your case number so that I can pull your case and review it to see if there is anything I can do for you.
    If you have not called in, I would like to strongly encourage you to call in and get a case created and let one of our agents help you with this issue. The WRVS4400N is a very good router and I want to make sure that we do everything we can to keep your business.
    Thanks
    Eric Moyers
    Cisco Network Support Engineer
    1-866-606-1866

  • Dynamic Interfaces to a WLAN in an AP Group?

    Running 7.2.110.0 code.
    Question:
    I had been working with an EAP WLAN test for a while in preparation for a project and had it working well with a single SSID: upon login and authentication, an attribute was passed by ACS to the WLC to point the client to a certain interface configured on the controller... a pretty simple setup that seemed to work well.
    I stepped away from that project for a bit as it was in a holding pattern and moved on to my wireless upgrades, replacing APs, surveying and installing new controllers. Upon installing new controllers I decided that I would start using AP Groups more often to keep things clean, and created one with the basic required SSIDs, including the new EAP SSID (call it WLANEAP). I moved most of my APs to this AP group so that I didn't see all the other SSIDs I was creating and using for other things under the default group provided by the WLC. Again, no issues, until today.
    I was trying to get my WLANEAP network running again as I decided to use it for another implementation, and I knew I had it handy and running; however... not so much. I've tried and tried but cannot get the laptop to get an IP from the interface provided by ACS. I did a client debug and saw:
    Applying site-specific Local Bridging override for station 08:11:96:5a:9b:0c - vapId 7, site 'BasicInstall-RW', interface 'vlan20'
    So, in seeing this I realized that in my AP Group I had to map it to an interface, vlan20 in this case, which has no routing on it, so no DHCP or anything.
    Does this mean that, when utilizing an 802.1X WLAN in an AP Group, you cannot dynamically assign an interface via RADIUS because it will be ignored due to the AP Group settings? If so, that seems short-sighted to me.

    Does this mean that, when utilizing an 802.1X WLAN in an AP Group, you cannot dynamically assign an interface via RADIUS because it will be ignored due to the AP Group settings? If so, that seems short-sighted to me.
    AAA override gets priority when both AAA override and an AP group are used. The debug client output should initially show the site-specific override for the AP group, and once it goes into .1X auth it will return the overridden VLAN.

  • WLC Dynamic Interface

    I wonder why we need dynamic interfaces. I have created two WLANs. One is WPA2-Enterprise, obtaining VLAN IDs per user from the RADIUS server, and the other is a WEP WLAN for guest users whose traffic should go to a specific guest VLAN. I am using an external DHCP server and configured the WLC not to proxy DHCP requests and to act as a bridge.
    I had to create dynamic interfaces on the WLC (we are using a 5508 with software version 7) for all the VLANs which the RADIUS server returns. I could make it work by only defining the dynamic interfaces and entering 0.0.0.0 for the IP addresses.
    For the other WLAN with WEP, I have to enter an IP for the dynamic interface to work. I am not sure if this is a requirement or my misconfiguration, but I do want a way not to set an IP address for the dynamic interface. I do not want to waste addresses and also do not want the clients to be able to access the WLC through that IP address.
    I appreciate any comment on why I need IP addresses for dynamic interfaces.

    Vadood... The WLC does use that IP address, as it needs to have a layer 2 connection to any subnet it will place users on. Even if you're doing AAA override, RADIUS tells the WLC that the device needs to be on VLAN x and the WLC will put that device on VLAN x, but if the WLC has no IP address on that subnet, well then the communication stops there. The user will never get an IP address if using DHCP, and if the device has a static address, the WLC has no way to communicate with that subnet.
    By the way, users can't access the dynamic interface by default. You have to enable that. But then again, they can try to access the management interface too, unless you globally disable management over wireless.
    Sent from Cisco Technical Support iPhone App

  • Adding (dynamic) interfaces to WLC 2504 causes loss of network

    I'm trying to add a new dynamic interface that I will tie a specific WLAN to, so that clients on that WLAN are in the correct VLAN. After adding it I lose connectivity both to the main management address (10.99.0.60) and to the IP address of the dynamic interface (10.99.12.4). In fact, the dynamic interface address responds and prompts me to log in, but after doing so all I get is a blank page. Here are the two interfaces pulled from the CLI - what am I doing wrong?
    And oh, not adding an IP to the dynamic interface makes it impossible to use within a WLAN.
    Interface Name................................... management
    MAC Address...................................... c0:8c:60:c7:99:00
    IP Address....................................... 10.99.0.60
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 10.99.0.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 31        
    Quarantine-vlan.................................. 0
    Active Physical Port............................. 1         
    Primary Physical Port............................ 1         
    Backup Physical Port............................. Unconfigured
    DHCP Proxy Mode.................................. Global
    Primary DHCP Server.............................. 10.99.0.1
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    IPv4 ACL......................................... Unconfigured
    mDNS Profile Name................................ Unconfigured
    AP Manager....................................... Yes
    Guest Interface.................................. No
    L2 Multicast..................................... Enabled
    Interface Name................................... lan
    MAC Address...................................... c0:8c:60:c7:99:04
    IP Address....................................... 10.99.12.4
    IP Netmask....................................... 255.255.252.0
    IP Gateway....................................... 10.99.12.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 33        
    Quarantine-vlan.................................. 0
    NAS-Identifier................................... mob-wlc
    Active Physical Port............................. 1         
    Primary Physical Port............................ 1         
    Backup Physical Port............................. Unconfigured
    DHCP Proxy Mode.................................. Global
    Primary DHCP Server.............................. Unconfigured
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    IPv4 ACL......................................... Unconfigured
    mDNS Profile Name................................ Unconfigured
    AP Manager....................................... No
    Guest Interface.................................. No

    So take a look at this. I have the dynamic interface used in WLAN 2 (mytestssid as shown above). Now the management address, 10.99.0.60, can't be reached:
    Nmap scan report for 10.99.0.60
    Host is up.
    PORT    STATE    SERVICE
    22/tcp  filtered ssh
    443/tcp filtered https
    After removing wlan 2 and the dynamic interface, mgmt access starts to work again:
    config wlan disable 2
    config wlan delete wlan 2
    config interface delete lan
    Nmap scan report for 10.99.0.60
    Host is up (0.0037s latency).
    PORT    STATE SERVICE
    22/tcp  open  ssh
    443/tcp open  https
    So... here's me adding the dynamic interface in cli AGAIN:
    WLAN ID  WLAN Profile Name / SSID               Status    Interface Name
    1        someotherssid / someotherssid              Enabled   management  
    (Cisco Controller) config> interface create lan 33
    (Cisco Controller) config> interface address dynamic-interface lan 10.99.12.4 255.255.252.0 10.99.12.1
    (Cisco Controller) >config wlan disable 1
    (Cisco Controller) >config wlan interface 1 lan
    (Cisco Controller) >config wlan enable 1
    Voila, management access lost again:
    Nmap scan report for 10.99.0.60
    Host is up.
    PORT    STATE    SERVICE
    22/tcp  filtered ssh
    443/tcp filtered https
    This time, there's no physical port assigned to the dynamic interface 'lan':
    Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
    lan                              -    33       10.99.12.4      Dynamic No     No   
    management                       1    31       10.99.0.60      Static  Yes    No   
    virtual                          N/A  N/A      1.1.1.1         Static  No     No   
    Adding that:
    (Cisco Controller) config interface port lan 1
    Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
    lan                              1    33       10.99.12.4      Dynamic No     No   
    Still no management access..:
    Nmap scan report for 10.99.0.60
    Host is up.
    PORT    STATE    SERVICE
    22/tcp  filtered ssh
    443/tcp filtered https
    For reference, the detailed interface config (which clearly shows that 'management' should be the AP manager, and the dynamic interface 'lan' shouldn't be (and thus shouldn't affect it - RIGHT?)):
    Interface Name................................... lan
    MAC Address...................................... c0:8c:60:c7:99:04
    IP Address....................................... 10.99.12.4
    IP Netmask....................................... 255.255.252.0
    IP Gateway....................................... 10.99.12.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 33        
    Quarantine-vlan.................................. 0
    NAS-Identifier................................... mob-wlc
    Active Physical Port............................. 1         
    Primary Physical Port............................ 1         
    Backup Physical Port............................. Unconfigured
    DHCP Proxy Mode.................................. Global
    Primary DHCP Server.............................. Unconfigured
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    IPv4 ACL......................................... Unconfigured
    mDNS Profile Name................................ Unconfigured
    AP Manager....................................... No
    Guest Interface.................................. No
    Interface Name................................... management
    MAC Address...................................... c0:8c:60:c7:99:00
    IP Address....................................... 10.99.0.60
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 10.99.0.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 31        
    Quarantine-vlan.................................. 0
    Active Physical Port............................. 1         
    Primary Physical Port............................ 1         
    Backup Physical Port............................. Unconfigured
    DHCP Proxy Mode.................................. Global
    Primary DHCP Server.............................. 10.99.0.1
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    IPv4 ACL......................................... Unconfigured
    mDNS Profile Name................................ Unconfigured
    AP Manager....................................... Yes
    Guest Interface.................................. No
    L2 Multicast..................................... Enabled
    By the way, the switchport on my C3560G doesn't specifically allow some VLANs - meaning it allows all VLANs:
    interface GigabitEthernet0/28
     description cisco_wlc
     switchport trunk encapsulation dot1q
     switchport mode trunk
    And the vlans in question are present:
    31   enet  100031     1500  -      -      -        -    -        0      0   
    32   enet  100032     1500  -      -      -        -    -        0      0   
    33   enet  100033     1500  -      -      -        -    -        0      0   
    34   enet  100034     1500  -      -      -        -    -        0      0   

  • Cannot contact Non-native dynamic interfaces on WLC 4402

    Hi,
    In my company we have recently been planning to get a DMZ anchor for the Guest WLAN. Our setup is as follows.
    We have two 5508 WLCs inside the corporate network which serve the corporate WLAN. Recently we put one 4402 in the DMZ in LAG mode. Two SSIDs have been created on the 4402, namely guest and consultant. We have mobility configured perfectly between these three. For the two SSIDs the 4402 is the anchor. We have created sub-interfaces on the ASA for management and the two WLANs. The port channel is also configured properly with the native VLAN for management and allowing all three VLANs through it. The concern is that we cannot ping the untagged dynamic interface of the WLC. The WLAN clients are getting DHCP IPs perfectly on each SSID, I mean in different networks. But the clients cannot reach the gateway, which is the sub-interface of the ASA. If I am using webauth I am not getting redirected to the authentication page, but if I set the security to none (both L2 and L3) I can reach up to the corresponding dynamic interface and not beyond that.
    Below are my configuration details
    At switch side
    interface Port-channel1
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 177
    switchport trunk allowed vlan 177-180
    switchport mode trunk
    interface GigabitEthernet2/0/26
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 177
    switchport trunk allowed vlan 177-180
    switchport mode trunk
    channel-group 1 mode on
    interface GigabitEthernet1/0/26
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 177
    switchport trunk allowed vlan 177-180
    switchport mode trunk
    channel-group 1 mode on
    WLC configurations
    (Cisco Controller) >show interface summary
    Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
    ap-manager                       LAG  untagged 192.168.7.3     Static  Yes    No
    management                       LAG  untagged 192.168.7.2     Static  No     No
    qd-consultant                    LAG  179      192.168.9.254   Dynamic No     No
    qd-guest                         LAG  178      192.168.8.254   Dynamic No     No
    qd-test                          LAG  180      192.168.10.254  Dynamic No     No
    service-port                     N/A  N/A      0.0.0.0         DHCP    No     No
    virtual                          N/A  N/A      192.0.2.1       Static  No     No

    Your configuration looks good, except you should assign an IP address to the service port. Never leave that at 0.0.0.0. Change it to an IP address that is non-routable in your network.
    Now for your issue. Have you tried plugging a laptop into the DMZ switch in those VLANs to see if it works wired? Since these are new subnets, are you sure they are being NAT'd to your public address? Check that first and let us know. The WLC should be able to ping the gateway and out to the Internet if things are set up right in the DMZ.
    Sent from my iPhone
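Added example, not code from these threads or from Cisco: a small Python script that parses the rows of the WLC's show interface summary output and the switch-side trunk stanza, then flags the inconsistencies the two threads above turn on: a dynamic interface with no physical port assigned (the 2504 thread) and a tagged interface whose VLAN the trunk does not carry or that collides with the switch native VLAN (the 4402 DMZ thread). The sample inputs are constructed from the values shown in the posts; the function names and the simple VLAN-list grammar (plain ranges and commas, no add/except keywords) are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class WlcInterface:
    name: str
    port: str   # port number, "LAG", "N/A", or "-" when no port is assigned
    vlan: str   # numeric VLAN ID, "untagged" or "N/A", as the WLC prints it
    ip: str
    itype: str  # Static, Dynamic or DHCP


# One data row of "show interface summary"; the header line does not match.
SUMMARY_ROW = re.compile(
    r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(Static|Dynamic|DHCP)\s+(Yes|No)\s+(Yes|No)\s*$"
)


def parse_interface_summary(text: str) -> List[WlcInterface]:
    matches = (SUMMARY_ROW.match(line) for line in text.splitlines())
    return [WlcInterface(*m.groups()[:5]) for m in matches if m]


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '177-180' or '31,33-34' into a set (assumed simple grammar)."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_trunk(text: str) -> Tuple[int, Optional[Set[int]]]:
    """Return (native VLAN, allowed VLANs); allowed is None when the trunk carries all VLANs."""
    native, allowed = 1, None
    for line in text.splitlines():
        m = re.match(r"\s*switchport trunk native vlan (\d+)\s*$", line)
        if m:
            native = int(m.group(1))
        m = re.match(r"\s*switchport trunk allowed vlan ([\d,\-]+)\s*$", line)
        if m:
            allowed = expand_vlan_list(m.group(1))
    return native, allowed


def audit(summary: str, trunk: str) -> List[str]:
    """Cross-check each WLC interface against the upstream trunk and return findings."""
    findings: List[str] = []
    native, allowed = parse_trunk(trunk)
    for i in parse_interface_summary(summary):
        if i.itype == "DHCP" or i.name in ("virtual", "service-port"):
            continue  # service-port and virtual are not carried on the data trunk
        if i.port == "-":
            findings.append(f"{i.name}: no physical port assigned")
        if i.vlan == "untagged":
            continue  # untagged frames ride the switch native VLAN; nothing to cross-check
        vlan = int(i.vlan)
        if allowed is not None and vlan not in allowed:
            findings.append(f"{i.name}: VLAN {vlan} is not allowed on the trunk")
        if vlan == native:
            findings.append(f"{i.name}: tagged with VLAN {vlan}, the switch native VLAN")
    return findings


# Constructed samples, built from the values the two threads above show.
WLC2504_SUMMARY = """\
Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
lan                              -    33       10.99.12.4      Dynamic No     No
management                       1    31       10.99.0.60      Static  Yes    No
virtual                          N/A  N/A      1.1.1.1         Static  No     No
"""
C3560_TRUNK = "interface GigabitEthernet0/28\n switchport mode trunk\n"  # no allowed list

WLC4402_SUMMARY = """\
ap-manager                       LAG  untagged 192.168.7.3     Static  Yes    No
management                       LAG  untagged 192.168.7.2     Static  No     No
qd-consultant                    LAG  179      192.168.9.254   Dynamic No     No
qd-guest                         LAG  178      192.168.8.254   Dynamic No     No
qd-test                          LAG  180      192.168.10.254  Dynamic No     No
service-port                     N/A  N/A      0.0.0.0         DHCP    No     No
"""
DMZ_TRUNK = """\
interface Port-channel1
 switchport trunk native vlan 177
 switchport trunk allowed vlan 177-180
 switchport mode trunk
"""

if __name__ == "__main__":
    print("WLC 2504:", audit(WLC2504_SUMMARY, C3560_TRUNK) or "no findings")
    print("WLC 4402:", audit(WLC4402_SUMMARY, DMZ_TRUNK) or "no findings")
```

Run against the 2504 sample it reports only the missing port on 'lan', which matches what the poster found in the summary table; against the 4402 sample it reports nothing, which is consistent with the reply above that the interface configuration itself looks good and the problem lies elsewhere (routing or NAT in the DMZ).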
