Guest configuration with WLC

I am using a WLC 4402 with firmware 5.1 and a 1252 access point.
I am having trouble configuring guest access with the WLC.
I have configured an interface in the WLC under CONTROLLER->INTERFACES->GUEST.
When I select this interface as guest, it doesn't take IP address information. In this case I have to uncheck the guest selection box,
and I got a dynamic interface without an IP address.
After doing this I created a WLAN named GUEST and enabled it.
I have put the guest interface as the ingress interface and management as the egress interface and applied web auth successfully, but it is still not showing me the guest SSID when I try to search for it.
Help me, please.
Thanks

Have you gone through these documents yet?
Wired Guest Access using Cisco WLAN Controllers Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml
Guest WLAN and Internal WLAN using WLCs Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008070ba8f.shtml
Hope these will help you.

Similar Messages

  • Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510

    I need to add guest (internet only) wireless to our existing internal wireless and am looking for advice as to the best practice configuration. Existing infrastructure as follows:
    WLC 2504
    1142 LAPs
    4510R+E
    ASA 5510
    Existing configuration as follows:
    WLC management interface and APs addressed on the 192.168.126.0 /25 network
    Internal WLAN mapped to the management interface
    Management interface VLAN ID 0 (untagged) and dynamic AP management enabled
    WLC port 1 (only) connected to 4510 via trunk with native VLAN set to 7 and allowed VLAN set to 7
    4510 connected to ASA inside interface (security level 100)
    Switchport on 4510 connected to ASA configured as switchport access VLAN 99 (our internet VLAN)
    ASA inside interface NOT configured for subinterfaces and is addressed on the 192.168.121.0 /25 network
    What is the best way to add guest wireless to our existing configuration?
    Note: I need the guest wireless to be filtered by Websense as our internal wireless is
    Any advice would be greatly appreciated!

    Thanks for the reply Scott. The configuration recommendations from Yahya did not work. I set up as he recommended and also added a DHCP scope on the WLC. The client gets DHCP but cannot even ping the WLC, much less anything else. Yahya stated above to configure port 2 on the WLC to an access port on my 4510. Aren't all connections from the WLC supposed to be trunk links to the switch? Shouldn't I just leave the management interface on the WLC untagged and add a dynamic interface for each WLAN and tag it with the appropriate VLAN ID? And then leave the (one) physical connection on the WLC (port 1) connected to a trunk link on the 4510 that allows the required VLANs?
    Any input would be greatly appreciated...
    JW

  • NAC Guest Server with WLC

    Dear All,
    I just need to confirm whether it is possible to add the same WLC to the CAS (wireless users) and the NAC Guest Server (wireless guest users), or whether I need one more WLC for the NAC Guest Server.
    Regards,

    Hello Nomair
    You do not need separate WLCs. NAC guest servers are just normal RADIUS servers, used for authentication. You can integrate your existing WLCs, which are added on IB or OOB to your CAS, with the guest server. I'm attaching a doc which gives info on how to set up WLCs and guest servers.
    Hope this helps. All the best, and happy new year to you. Rate replies if found useful.
    Raj

  • LWA Guest Access with ISE and WLC

    Hi guys,
    Our company is trying to implement guest access with ISE and WLC using the Local Web Auth method, but a problem has come up with the certificate. This is the scenario:
    1. Guests try to connect to the Wi-Fi with SSID Guest
    2. Once connected, guests open the browser and try to open a webpage (example: cisco.com)
    3. Because the guests haven't logged in, they are redirected to the "ISE Guest Login Page". The URL becomes:
    https://ise-hostname:8443/guestportal/Login.action?switch_url=https://1.1.1.1/login.html&wlan=Guest&redirect=www.cisco.com/
    4. If there is no ISE Guest Login Page installed, an Untrusted Connection message will appear, but it will be fine if they "Add Exception and install the certificate"
    5. After that the Guest Login Page will appear, and guests input their username and password.
    6. Login succeeds and they are redirected to www.cisco.com, and there is a pop-up from 1.1.1.1 (WLC Virtual Interface IP) with a logout button.
    The problem happens in scenario 6: after a successful login, a webpage with the ISE IP address and a certificate error message for 1.1.1.1 appears.
    I know it happens when guests don't have the WLC Login Page Certificate...
    My question is: is there a way to tunnel the WLC certificate on ISE? Or what can we do to make ISE validate the WLC certificate, so guests don't need to install the WLC certificate/root certificate before connecting to Wi-Fi?
    Thanks for your answer and sorry for my bad English....

    Thanks for your reply Peter, your solution is right.
    I don't choose CWA, because their DNS is not stable...
    I've found the problem...
    The third-party CA is revoked, so there is no way it will succeed until it is fixed...
    and there is no guarantee they will fix it soon..
    So the solution that we chose is to disable "HTTPS" on the WLC...
    "config network web-auth secureweb disable".
    thank you all...

  • WLC 2100 guest access with local web authentication

    Hello, I tried to create guest access with local web authentication.
    My laptop is connected to the WLAN but my browser doesn't ask for my login and password

    Please refer to the following links:
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html

  • ISE 1.2 With WLC and AD

    Hi everyone,
    What are the steps and procedure to implement wired and wireless authentication with ISE, WLC and AD for a lab environment? Currently the following are done:
    The wireless network is configured with 2 SSIDs (Staff and Guest)
    Active Directory, DNS, DHCP, and NTP configured & synced.
    ISE and AD running on C220 VMs, and WLC is 5760 Appliance.
    Please provide your thoughts and assistance.
    Regards

    You have to implement dot1x and RADIUS between your NAD and ISE device.
    Using the 3850 switch, these are the steps:
    username RADIUS-HEALTH password radiusKey1 privilege 15
    aaa new-model
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    !this password will be used to communicate with ISE and to verify reachability
    !between ISE and Switch
    aaa server radius dynamic-author
     client 172.16.1.18 server-key 7 radiuskey
     client 172.16.1.20 server-key 7 radiuskey
    ip domain-name lab.local
    ip name-server 172.16.1.1
    dot1x system-auth-control
    interface GigabitEthernet1/0/3
     switchport mode access
     switchport voice vlan 50
     switchport access vlan 10
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action authorize voice
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    ip access-list extended ACL-ALLOW
     permit ip any any
    !the communication between RADIUS and ISE will occur on this port
    ip radius source-interface Vlan100
    logging origin-id ip
    logging source-interface Vlan100
    logging host 172.16.1.20 transport udp port 20514
    logging host 172.16.1.18 transport udp port 20514
    snmp-server community ciscoro RO
    snmp-server community public RO
    snmp-server trap-source Vlan100
    snmp-server source-interface informs Vlan100
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 10 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    !defining ISE servers
    radius server ISE-RADIUS-1
     address ipv4 172.16.1.20 auth-port 1812 acct-port 1813
     automate-tester username RADIUS-HEALTH idle-time 15
     key radiusKey
    Please be sure that NTP servers and time are synchronized.
    Enable dot1x on the Windows machine, or use Cisco NAM.
    You can enable debugging on AAA authentication to see the events.
    You have to create this user (RADIUS-HEALTH) on ISE.
    3850#test aaa group radius username password new-code
    and observe the result. You should see the user authenticated successfully.
    You must also define these devices in ISE on the RADIUS interface.
    ip radius source-interface ..... use this interface's IP address as the IP address of the NAD device in ISE.
    Administration --> Network Resources --> Network Devices --> Add
    Input the name
    Input the IP address for RADIUS communication
    Select the authentication settings and fill in the corresponding RADIUS shared secret key
    Select SNMP settings and select version 2c.
    SNMP community: ciscoro
    You can customize the polling interval if you want, and that's all.
    You should then see messages exchanged between your NAD and ISE.
    Afterwards you can do the procedure for the WLC device.
    I will fill it in after you have passed the first steps (3850 authentication).
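
The lab configuration in the reply above runs the access port in open mode behind a permit-all port ACL. The following is an added example, not part of the original post: a small audit to run before reusing such a configuration outside a lab. The finding labels are names made up for this example, and the sample is trimmed from the reply's configuration.

```python
import re
import textwrap

# Trimmed from the switch configuration in the reply above.
SAMPLE_CONFIG = """\
username RADIUS-HEALTH password radiusKey1 privilege 15
aaa new-model
dot1x system-auth-control
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
 ip access-group ACL-ALLOW in
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
ip access-list extended ACL-ALLOW
 permit ip any any
snmp-server community ciscoro RO
snmp-server community public RO
"""

WELL_KNOWN_COMMUNITIES = {"public", "private"}


def parse_blocks(config):
    """Group an IOS config into {top-level line: [indented child lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank lines and comments
        if line[0].isspace():
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks


def audit(config):
    """Return (subject, finding) tuples; finding labels are this example's own."""
    # dedent() lets a config pasted with uniform leading spaces parse the same way.
    blocks = parse_blocks(textwrap.dedent(config))
    acls = {head.split()[-1]: body for head, body in blocks.items()
            if head.startswith("ip access-list ")}
    findings = []
    for head, body in blocks.items():
        # 'password' (unlike 'secret') is stored in clear text or reversible type 7.
        m = re.match(r"username (\S+) (.*)", head)
        if m and re.search(r"\bpassword\b", m.group(2)) and "privilege 15" in m.group(2):
            findings.append((f"username {m.group(1)}", "PRIV15_REVERSIBLE_PASSWORD"))

        m = re.match(r"snmp-server community (\S+)", head)
        if m and m.group(1).lower() in WELL_KNOWN_COMMUNITIES:
            findings.append((f"snmp-server community {m.group(1)}",
                             "WELL_KNOWN_SNMP_COMMUNITY"))

        # Open mode forwards traffic before authentication completes; only the
        # port ACL limits what an unauthenticated host can reach.
        if head.startswith("interface ") and "authentication open" in body:
            acl = next((l.split()[2] for l in body
                        if re.fullmatch(r"ip access-group \S+ in", l)), None)
            aces = [re.sub(r"^\d+\s+", "", a) for a in acls.get(acl, [])]
            aces = [a for a in aces if not a.startswith("remark")]
            if acl is None:
                findings.append((head, "OPEN_MODE_NO_PORT_ACL"))
            elif acl not in acls:
                findings.append((head, "OPEN_MODE_ACL_NOT_IN_CONFIG"))
            elif aces and aces[0] == "permit ip any any":
                findings.append((head, "OPEN_MODE_PERMIT_ANY"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_CONFIG):
        print(f"{finding:28} {subject}")
```
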

  • ISE device registration webauth with wlc 7.0 lwa

    Is it possible to use the DRW feature with WLCs running 7.0 code? All configuration examples refer to 7.2 code. It's only for guest user device registration. No profiling / provisioning.
    Compatibility matrix says that "Wireless Controllers support MAC filtering with RADIUS lookup. For WLCs that support version 7.2.103.0, there is support for session ID and COA with MAC filtering so it is more MAB-like."
    Thanks.

    Hi,
    The reason you need to run the upgraded code is that the radius NAC feature coupled with a mac-filtering enabled SSID will work together. On the release prior you were unable to get both features to work with one another.
    For your reference here is the item in the New Features section of the 7.2 WLC release notes:
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_2.html#wp855314
    thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Wireless Guest Access with 802.1X (PEAP/MSCHAPv2) and ISE?

    Hi,
    I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
    The WLCs are running 7.3 and ISE is 1.1.1
    I'm trying to setup wireless guest access, where the guests connect to a SSID with 802.1X using PEAP/MSCHAPv2.
    They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
    The credentials will be created by the sponsor, using the sponsor portal on the ISE.
    Now to the questions:
    Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
    Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
    When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
    As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
    Thank you very much :-)
    Best Regards,
    Niels J. Larsen

  • Prime Infrastructure 2.0 can not create the guest account on WLC 5508

    The PI can manage the WLC which means the connection between them is ok, but I am not able to create the guest account on it. The WLC has guest SSID with web auth configured correctly..
    Any idea why?
    Thanks!

    Raymond,
    That's good to know that it required:
    1) not only a RW community string
    2) but also SSH credentials as well
    I too would have thought option 1) would be all that was required, but it doesn't appear that way with your response.
    The only way I'll go to add devices in is by doing both SNMP RW and SSH at the same time.
    Now we know.
    Thanks for pointing this out.

  • Cisco AIR-LAP1041N-E-K9 not working with WLC 4402 version 7.0.116.0

    Hi All,
    Appreciate your support for a problem I started facing today. I have a Cisco WLC 4402 running version 7.0.116.0 and it is working great with 25 Cisco 1252 APs. We received 20 new Cisco 1041N APs today and I installed one at our site, but it doesn't work. It worked fine and loaded the image from flash and got the WLC IP address through the DHCP option, and started showing the error below:
    *Mar  1 00:00:10.021: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
    *Mar  1 00:00:10.033: *** CRASH_LOG = YES
    *Mar  1 00:00:10.333: Port 1 is not presentSecurity Core found.
    Base Ethernet MAC address: C8:9C:1D:53:57:5E
    *Mar  1 00:00:11.373: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
    *Mar  1 00:00:11.465: %LWAPP-3-CLIENTEVENTLOG: Read and initialized AP event log (contains, 1088 messages)
    *Mar  1 00:00:11.494:  status of voice_diag_test from WLC is false
    *Mar  1 00:00:12.526: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to up
    *Mar  1 00:00:13.594: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
    *Mar  1 00:00:13.647: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, C1040 Software (C1140-K9W8-M), Version 12.4(23c)JA2, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Wed 13-Apr-11 12:50 by prod_rel_team
    *Mar  1 00:00:13.647: %SNMP-5-COLDSTART: SNMP agent on host APc89c.1d53.575e is undergoing a cold start
    *Mar  1 00:08:59.062: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Mar  1 00:08:59.062: bsnInitRcbSlot: slot 1 has NO radio
    *Mar  1 00:08:59.138: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Mar  1 00:08:59.837: %SSH-5-ENABLED: SSH 2.0 has been enabled
    *Mar  1 00:09:00.145: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Mar  1 00:09:09.136: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 172.16.26.81, mask 255.255.255.0, hostname APc89c.1d53.575e
    *Mar  1 00:09:17.912: %PARSER-4-BADCFG: Unexpected end of configuration file.
    *Mar  1 00:09:17.912:  status of voice_diag_test from WLC is false
    *Mar  1 00:09:17.984: Logging LWAPP message to 255.255.255.255.
    *Mar  1 00:09:19.865: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
    *Mar  1 00:09:19.886: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar  1 00:09:20.873: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Mar  1 00:09:20.874: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated
    Translating "CISCO-CAPWAP-CONTROLLER.atheertele.com"...domain server (172.16.40.240)
    *Mar  1 00:09:29.029: %CAPWAP-5-DHCP_OPTION_43: Controller address 172.16.100.102 obtained through DHCP
    *May 25 08:27:02.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:02.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:03.175: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:03.177: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:03.177: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:03.329: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:03.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:03.333: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:03.333: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:03.378: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:03.378: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:03.378: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:03.448:  status of voice_diag_test from WLC is false
    *May 25 08:27:14.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:14.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:15.185: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:15.186: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:15.186: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:15.330: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:15.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:15.334: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:15.334: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:15.379: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:15.379: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:15.379: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:15.450:  status of voice_diag_test from WLC is false
    *May 25 08:27:26.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:26.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:27.182: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:27.183: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:27.184: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:27.329: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:27.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:27.333: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:27.333: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:27.377: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:27.377: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:27.377: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:27.433: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *May 25 08:27:27.446: %PARSER-4-BADCFG: Unexpected end of configuration file.
    *May 25 08:27:27.447:  status of voice_diag_test from WLC is false
    *May 25 08:27:27.448: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *May 25 08:27:27.456: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *May 25 08:27:38.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:38.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:39.183: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:39.184: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:39.184: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:39.326: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:39.329: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:39.329: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:39.330: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:39.375: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:39.375: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:39.375: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:39.446:  status of voice_diag_test from WLC is false
    *May 25 08:27:49.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:49.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:50.179: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:50.180: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:50.180: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:50.323: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:50.326: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:50.326: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:50.326: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:50.370: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:50.370: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:50.370: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:50.425: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *May 25 08:27:50.438: %PARSER-4-BADCFG: Unexpected end of configuration file.
    I searched for the regulatory domain differences between AIR-LAP1041N-E-K9 and AIR-LAP1041N-A-K9 and didn't find any difference that may affect the operation of this AP.
    Just to mention that our configuration in the WLC for regulatory domains is:
    Configured Country Code(s) AR 
    Regulatory Domain  802.11a:  -A
                                 802.11bg: -A
    My question is: should I only include my country (IQ) in the WLC to add the regulatory domain (-E) to solve this problem? Or will changing the country affect the operation of all working APs?
    Appreciate your kind support,
    Wisam Q.
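
The console output in the post above repeats one cycle: DTLS comes up, the AP reaches JOIN and then CFG, and the controller sends a close-notify. The following is an added example, not part of the original post: a parser that turns such AP console logs into join attempts and reports which state each attempt reached and which side closed the session. The function and field names are this example's own; the sample lines are copied from the post and trimmed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional

# Three join attempts copied from the console output in the post (trimmed).
SAMPLE_LOG = """\
*May 25 08:27:02.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
*May 25 08:27:02.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*May 25 08:27:03.175: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
*May 25 08:27:03.177: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
*May 25 08:27:03.177: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*May 25 08:27:03.329: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*May 25 08:27:03.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
*May 25 08:27:03.333: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
*May 25 08:27:03.333: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
*May 25 08:27:03.378: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*May 25 08:27:03.378: bsnInitRcbSlot: slot 1 has NO radio
*May 25 08:27:14.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
*May 25 08:27:15.185: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
*May 25 08:27:15.186: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*May 25 08:27:15.330: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*May 25 08:27:15.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
*May 25 08:27:15.334: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
*May 25 08:27:15.334: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
*May 25 08:27:15.379: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*May 25 08:27:26.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
*May 25 08:27:27.182: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
*May 25 08:27:27.184: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*May 25 08:27:27.329: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*May 25 08:27:27.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
*May 25 08:27:27.333: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
*May 25 08:27:27.333: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
*May 25 08:27:27.377: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
"""

# "*<timestamp>: %FACILITY-SEVERITY-MNEMONIC: message"
LINE_RE = re.compile(r"^\*(?P<ts>\w{3}\s+\d+\s+[\d:.]+):\s+"
                     r"%(?P<fac>\w+)-(?P<sev>\d)-(?P<mnem>\w+):\s*(?P<msg>.*)$")


@dataclass
class JoinAttempt:
    peer: str
    started: datetime
    last_state: str = "DISCOVERY"   # furthest CAPWAP state seen in this attempt
    closed_by: str = "unknown"      # "controller", "ap" or "unknown"
    ended: Optional[datetime] = None


def parse_attempts(log_text):
    """Split an AP console log into join attempts, one per DTLS request."""
    attempts, cur = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banners and lines without a %FAC-SEV-MNEMONIC tag
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S.%f")
        key, msg = f'{m["fac"]}-{m["mnem"]}', m["msg"]
        if key == "CAPWAP-DTLSREQSEND":
            peer = re.search(r"peer_ip:\s*(\S+)", msg)
            cur = JoinAttempt(peer.group(1) if peer else "?", ts)
            attempts.append(cur)
        elif cur is None:
            continue
        elif key == "CAPWAP-CHANGED":
            state = msg.rsplit("state to", 1)[-1].strip()
            if state == "DISCOVERY":      # back to square one: attempt is over
                cur.ended = cur.ended or ts
                cur = None
            elif state:                   # the log sometimes prints an empty state
                cur.last_state = state
        elif cur.closed_by == "unknown" and "Close notify" in msg:
            if key == "DTLS-ALERT":       # alert received from the peer
                cur.closed_by, cur.ended = "controller", ts
            elif key == "DTLS-SEND_ALERT":  # AP sent the first alert itself
                cur.closed_by, cur.ended = "ap", ts
    return attempts


def diagnose(attempts, min_repeats=3):
    """Summarise the most common way completed attempts ended."""
    done = [a for a in attempts if a.ended is not None]
    if not done:
        return None
    sig = lambda a: (a.peer, a.last_state, a.closed_by)
    (peer, state, closer), count = Counter(map(sig, done)).most_common(1)[0]
    secs = [(a.ended - a.started).total_seconds()
            for a in done if sig(a) == (peer, state, closer)]
    return {"peer": peer, "last_state": state, "closed_by": closer,
            "repeats": count, "looping": count >= min_repeats,
            "median_seconds": median(secs)}


if __name__ == "__main__":
    print(diagnose(parse_attempts(SAMPLE_LOG)))
```

A result of `closed_by: controller` with `last_state: CFG` means the AP console shows that the controller ended the session after the join was accepted, but not why.
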

    Hi Ramon,
    thank you for the reply but as shown in the below link:
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7.0.html#wp233793
    the WLC in version 7.0.116.0 supports Cisco 1040 series APs.
    Thanks,
    Wisam Q.

  • Extending Guest Wifi with Multiple Base Stations

    The 7.6.3 firmware update reports this new feature:
    "The ability to extend the Guest Wi-Fi network on a network that is configured with multiple AirPort Base Stations"
    http://support.apple.com/kb/DL1617
    I assumed that this meant that an Airport Express was able to "Extend" the guest wifi network. However, I am not able to get this to work. Having entered all the details I just get the orange light and the message that it was unable to extend the network - check the details. I have checked them multiple times and still not working. If I switch to extending the "main" network then it works first time, but does not extend the guest as far as I can see.
    If I set up from scratch it picks up the guest network and tries to extend but then switches to the main wifi later in the process after claiming to extend the base station itself, not one of the wifi networks.
    What does this update mean?! Has anyone managed to "extend the Guest Wi-Fi network" in any way?
    All devices have been updated to 7.6.3 and all airport utilities have been updated to the latest version (6.2).
    I am running an extreme as the main router then I have a number of expresses to extend round a large building, but it is the guest that needs extending!!
    Any help would be much appreciated!
    Adam

    I am running an extreme as the main router then I have a number of expresses to extend round a large building
    You need to have the "new" AirPort Express to be able to extend the Guest Network. The "new" Express looks like a miniature AirPort Extreme.
    Check the Model No on the side of the AirPort Express devices that you have. If you see A1264 this is an older version of the Express that does not have Guest Network capability.
    Using an AirPort Extreme and new AirPort Express here, the Guest Network "extends" just fine when I try this using wireless only. I also have another AirPort connected back to the main AirPort Extreme using a wired Ethernet connection. The Guest Network is extended on this device as well.

  • Connecting Cisco AIR-CAP2602E over WAN with WLC - Procedural Details

    Hi,
    I have a Wireless LAN Controller installed in one of the subnets where some AIR-CAP2602Es are connected with the WLC. The WLC acts as DHCP for the AIR-CAP2602E devices.
    I have additional AIR-CAP2602E access points at another location (subnet) and need to connect them with the WLC.
    The challenge I face is creating DHCP on a Cisco 2950 (L2) or 3750 (L3) with DHCP option 43. Does anyone have a detailed configuration for enabling DHCP for a specific VLAN on Cisco L2 and L3 devices?

    If you have control of the DNS environment for these network segments, just make an entry for:
    cisco-lwapp-controller aliases cisco-capwap-controller (IP list) as the CAP will hunt for those two name sets.
    My WLC provides DHCP support only to the WLANs supported by the AP but not the AP itself.
    Hope this helps

  • EAP-TLS with WLC 5508, Microsoft NPS and custom EKU OID´s

    We are trying to implement EAP-TLS with client certificates that have a custom EKU OID to distinguish the WLAN clients. The Microsoft Press book Windows Server 2008 PKI and Certificate Security gives an example of how to configure a policy in NPS that matches specific EKU OIDs. At the moment we have two policies that have an allowed-certificate-oid configured that matches the OIDs in our certificates, but our setup is not working as expected. Authentications will only be successful if the client authenticates with the certificate that is matched by the first policy rule.
    For example:
    Policy 1: allowed-certificate-OID --> corporate
    Policy 2: allowed-certificate-OID --> private
    Client authenticates with EKU corporate --> success
    Client authenticates with EKU private --> reject
    My expectation was that if Policy 1 does not match, the NPS goes over to Policy 2 and tries to authenticate the client.
    Does anyone have a similar setup, or can anyone help to figure out what is going wrong?
    We have a WLC 5508 with Software Version 7.4.100.0 and an NPS on a Windows Server 2008 R2
    regards
    Fabian

    The policy rejects and the NPS goes to the next policy, only if the user does not belong to the configured group.
    This means I need to have one AD group per application policy, but that will not solve my problem. A user could belong to more than one group, depending on how many devices he/she has. It will work with one group only for each user, because the first policy that matches an AD group the user belongs to could have an OID that is not in the certificate. This would cause a reject with reason code 73:
    The purposes that are configured in the Application Policies extensions, also called Enhanced Key Usage (EKU) extensions, section of the user or computer certificate are not valid or are missing. The user or computer certificate must be configured with the Client Authentication purpose in Application Policies extensions. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2.
    The certificate does include this OID but not the custom EKU.

  • ISE CWA WebAuth with WLC

    Hi all,
    I have a few questions regarding WebAuth or Guest access with ISE. I have set up a guest portal to do CWA and use the ISE guest portal as the redirect page.
    I'm using ISE 1.1.2 and WLC version 7.3.101
    1- I have an issue authenticating with Chrome on W7 and Android. I receive the splash page, I can authenticate but I always receive this error message. With IE and Firefox I can accept and add an exception and authenticate successfully.

    Hi,
    Your best bet is to run true CWA and not use the redirect feature on the controller. Just allow dns and access to port 8443 in the ACL that is referenced by ISE when it sends the CWA redirect. You can use mac filtering as your L2 authentication.
    This will help in your redundant scenario so that when one ise goes down the second ise can send the CWA over to it.
    As far as certs if you are using mobile devices you may want to consider 3rd party certs.
    Let me know if that helps.
    Tarik Admani
    *Please rate helpful posts*

  • NAC Guest Server and WLC's

    Just wanted to know if this will work or not...
    I was looking at a design from a client and they had two CAM and CAS plus a Guest server. My client wants to use the equipment above for guest access. The problem I'm having is that I'm building a wireless network with guest anchor WLCs in the DMZ. So my wireless users will be tunneled to the DMZ controller. Also, the WLC can have a splash page uploaded to it and also authenticate users locally in the DB. They don't want any remediation, just authentication.... Is this a waste of money or would you actually implement this?

    I have some (very) basic questions.
    Let's say guest VLAN = x
    1) VLAN x should be created on the foreign controllers as on the anchor controller, with the same properties
    2) On the anchor controller a dynamic interface has to be created, acting as default gateway for the guest clients.
    3) Is it advised to place the guest server in the guest VLAN? E.g. somewhere in the server farm?
    4) Once traffic coming from the guests has arrived at the anchor controller (I know too little about WLC ;)), will it be forwarded with the IP of the anchor controller as source IP towards the anchor default gateway (firewall or internet router)?
    5) Authentication: the user connects to SSID guest and opens a browser. The user is redirected and a login page is displayed. Is this page downloaded from the anchor controller? I think it is, and pushed via WCS. So the Guest NAC server has nothing to do with this page? Correct?
    The anchor controller polls the NAC guest server with the given credentials. The anchor controller forwards the credentials to the NAC guest server. The NGS replies with authenticated or not. If authenticated, the guest can browse. Probably on a regular basis, the anchor controller will poll the NAC guest in order to check if he's still authenticated and, if enabled, pass information to the NAC guest for accounting. Is this somehow OK?
    I've found to open the following ports in the firewall:
    UDP 97 for EoIP
    UDP 16666 for intercontroller traffic
    and 1812/1813 for Radius.
    Thanks in advance
