Guest wireless WLC configuration doubts
Hi Experts,
I have one WLC which is configured as a Foreign controller and other is configured with Anchor which is connected in DMZ ( behind firewall ) ...
I have one more Anchor controller which is physically connected to other remote office ...
As of now, all guest clients are connecting to the remote site anchor controller, which are supposed to connect to the locally configured anchor controller.
Can anybody suggest me ... what configuration or settings i need to look into so that guest clients can be connected to locally configured Anchor controller.
Please suggest me ....
So you want the remote Anchor controller to be treated as a backup. Right ?
In my knowledge, that's not possible to use only one anchor controller at one time, since we have to enter the Anchor controller details in the foreign controller. So if we enter both the Anchor controllers in the Foreign controller they will start load balancing.
Other process is - make a manual entry in the Foreign controller at the time of primary anchor controller failure so that the traffic starts moving to the remote anchor controller. This is a workaround.
Otherwise I don't know if there are any settings which can be done at the Primary Anchor controller to switch to backup controller in the event of failure.
Similar Messages
-
Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510
I need to add guest (internet only) wireless to our existing internal wireless and am looking for advice as to the best practice configuration. Existing infrastructure as follows:
WLC 2504
1142 LAPs
4510R+E
ASA 5510
Existing configuration as follows:
WLC management interface and APs addressed on the 192.168.126.0 /25 network
Internal WLAN mapped to the management interface
Management interface VLAN ID 0 (untagged) and dynamic AP management enabled
WLC port 1 (only) connected to 4510 via trunk with native VLAN set to 7 and allowed VLAN set to 7
4510 connected to ASA inside interface (security level 100)
Switchport on 4510 connected to ASA configured as switchport access VLAN 99 (our internet VLAN)
ASA inside interface NOT configured for subinterfaces and is addressed on the 192.168.121.0 /25 network
What is the best way to add guest wireless to our existing configuration?
Note: I need the guest wireless to be filtered by Websense as our internal wireless is
Any advice would be greatly appreciated!
Thanks for the reply Scott. The configuration recommendations from Yahya did not work. I set up as he recommended and also added a dhcp scope on the wlc. Client gets dhcp but cannot even ping the wlc much less anything else. Yahya stated above to configure port 2 on the wlc to an access port on my 4510. Aren't all connections from the wlc supposed to be trunk links to the switch? Shouldn't I just leave the management interface on the wlc untagged and add a dynamic interface for each wlan and tag it with the appropriate vlan id? And then leave the (one) physical connection on the wlc (port 1) connected to a trunk link on the 4510 that allows the required vlans?
Any input would be greatly appreciated...
JW -
VLAN Configuration for Internal and Guest Wireless
Hello,
We are using the following hardware…
SG300-52MP switch -- latest firmware
ASA 5512-X firewall -- 9.1
Aironet AP1131AG WAP
We have the following networks…
10.252.4.0/24 = Internal = ASA-01 interface = VLAN1
10.252.6.0/24 = Guest = ASA-02 interface = VLAN6
10.252.6.0/24 = VOIP = ASA-03 interface = VLAN3
The Aironet supports two SSIDs, Secure (RADIUS) and Guest (WPA2), which are supposed to provide access to the appropriate interface on the ASA.
Relevant parts of the WAP configuration are…
dot11 ssid GUEST
 vlan 6
dot11 ssid SECURE
 vlan 1
interface Dot11Radio0
 no ip address
 ssid GUEST
 ssid SECURE
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
interface Dot11Radio0.6
 encapsulation dot1Q 6
 no ip route-cache
 bridge-group 255
interface Dot11Radio1
 no ip address
 no ip route-cache
 ssid GUEST
 ssid SECURE
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
interface Dot11Radio1.6
 encapsulation dot1Q 6
 no ip route-cache
 bridge-group 255
interface FastEthernet0
 no ip address
 no ip route-cache
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
interface FastEthernet0.6
 encapsulation dot1Q 6
 no ip route-cache
 bridge-group 255
interface BVI1
 ip address 10.252.4.4 255.255.255.0
 no ip route-cache
ip default-gateway 10.252.4.1
We can manage the WAP through its Internal IP address (10.252.4.4).
And the “Guest” wireless network is working -- connecting to that SSID provides the client with the correct IP addressing (10.242.6.X from VLAN6/ASA-02). [Note: the VOIP DHCP and network access also works correctly.]
The “Secure” wireless network is not working however -- the client never receives an Internal DHCP address from ASA-01, and even if you hard-code the client’s IP, no IP4 traffic ever passes.
[Note: connecting a device to a SG300 port with the “Default” configuration provides the client with an Internal DHCP configuration, and it works as intended.]
While this may be a problem with the WAP configuration, I would like to confirm that it is not an issue with the switch not passing traffic correctly.
I have a feeling that I have configured the VLANs on the ports incorrectly.
Relevant parts of the SG300 configuration are...
v1.3.0.62 / R750_NIK_1_3_647_260
vlan database
 vlan 3,6
ip dhcp snooping
ip dhcp relay address 10.252.4.1
ip dhcp relay enable
bonjour interface range vlan 1
interface vlan 1
 ip address 10.252.4.2 255.255.255.0
 no ip address dhcp
interface vlan 3
 name VOIP
interface vlan 6
 name Guest
interface gigabitethernet45 -- Access mode, Untagged VLAN6
 description ASA-Guest
 ip dhcp snooping trust
 switchport mode access
 switchport access vlan 6
interface gigabitethernet46 -- Access mode, Untagged VLAN3
 description ASA-VOIP
 ip dhcp snooping trust
 switchport mode access
 switchport access vlan 3
interface gigabitethernet47 -- Trunk mode, Untagged VLAN1 and Tagged VLAN6
 description WAP1
 switchport trunk allowed vlan add 6
interface gigabitethernet48 -- Trunk mode
 description ASA-Internal
 ip dhcp snooping trust
 ip dhcp relay enable
Can someone who understands this switch better than I do please confirm the VLAN configuration? THANK YOU!
Welcome to the discussion area!
"PCI regulations do not consider VLAN a secure way of keeping the data isolated. Does anyone have any technical information on how the device creates the guest wireless network?"
I spoke to Apple Support some time ago and was told that Apple uses VLAN to create the Guest network, and also that formal documentation was not available on this topic. I was referred to the AirPort Extreme Specifications for available information.
This was some time ago, so if you need more up to date info, you might want to try to contact Apple to see if they are willing to share more information about this feature. Although, since VLAN is used, your question may already be answered.
FWIW, to use the Guest Network feature in a home situation, the AirPort Extreme must be set up as the main router controlling DHCP and NAT on the network. If you were thinking of installing the AirPort Extreme behind another router, the Guest Network feature would not be available in this type of configuration. -
Wireless Design - WLC Configuration
Soon to be working on a design for a Wireless installation across one of our buildings. The wireless survey has been completed, and we'll be installing 175 APs, across the 3 floors of the building.
With regards to the back-end WLC setup, I have a few queries around the WLC configuration. We're looking at implementing the 4400 series of devices, and due to us having nearly 200 APs, we'll need at least 2 x 4404 or 4 x 4402 - I'm assuming it's simpler to have fewer devices to make management simpler.
Also, looking at the Cisco reference material, they recommend that a 4404 can support up to 100 APs. With regards to configuring the ports on the box, would I need to configure LAG across the WLC ports in order for it to accommodate all of the Access Points? If we were to go with a scenario of using 2 x 4404 devices, would we be in a position whereby if we lost a Controller, we'd lose all of the Access Points associated with that Controller? In order for us to have full resiliency, we'd need an additional 4404 controller for the APs to fail over onto?
From a licensing perspective, we'll be purchasing a licence to cover 200 APs.
TIA
Do you think that the phone carrier changed the Android OS kernel and removed the proxy setting option before they sell it to consumers? If it's so why would they do such thing?
As far as I'm aware, no. Phone carriers don't care about wi-fi proxy. They won't make any money if they do and they equally won't make money if they don't. This "proxy" issue came straight from the developers of the Android OS themselves. It's been highlighted since day one of the Android release. This is why some browsers have incorporated proxy settings to their application because the Android OS developers are not interested to fix this shortfall.
RE: iPhone and iPad users, if you use Windows proxy server and integrated Windows authentication is enabled the credential should not be prompted for user if it's already entered in their devices.
Unfortunately, I don't have the details with me right now but I'll try to see if I still have this information when I go back to work. -
WLC guest wireless proxy script for Apple iPhone
I have guest wireless setup on a 4402 WLC. I am using a wpad.dat (proxy.pac) proxy auto-config script to ensure guest traffic passes through a proxy. After a few attempts at creating a working proxy.pac file, Cisco TAC provided one that worked successfully for IE and Firefox (I realise only IE is officially supported by the WLC however my issue is not with an issue of browser-WLC compatibility).
I am after a proxy.pac proxy auto-config file that will work with Apple iPhone Safari browser (the script below does not). Manually specifying the proxy is not an option as Safari on the iPhone does not allow "proxy exceptions" to be specified.
The script I use which works fine with IE and Firefox is below:
function FindProxyForURL(url, host)
{
    // variable strings to return
    var proxy_yes = "PROXY 10.23.16.20:80";
    var proxy_no = "DIRECT";
    // Requests to the 1.1.1.1 address bypass the proxy
    if (shExpMatch(url, "http://1.1.1.1*")) { return proxy_no; }
    if (shExpMatch(url, "https://1.1.1.1*")) { return proxy_no; }
    // Proxy anything else
    return proxy_yes;
}
Here is the Deployment Guide for Cisco Guest Access Using the Cisco Wireless LAN Controller, Release 4.0
http://www.cisco.com/en/US/docs/wireless/technology/guest_access/technical/reference/4.0/GAccess.html#wp1167844 -
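An added example, not from the thread or from Cisco TAC, runnable under Node.js: it compares the URL-prefix exemption used in the script above with an exact-host exemption on constructed URLs, showing that the `1.1.1.1*` glob also sends addresses such as 1.1.1.10 direct instead of through the proxy. The `shExpMatch` stand-in, the function names and the sample URLs are assumptions of the example, and it does not address the iPhone Safari behaviour asked about.

```javascript
// Added example, not part of the forum thread.

// Browsers supply shExpMatch to PAC scripts. This stand-in covers only the
// '*' and '?' wildcards so the two rules below can be compared offline.
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")                 // '*' matches any run of characters
    .replace(/\?/g, ".");                 // '?' matches one character
  return new RegExp("^" + re + "$").test(str);
}

const PROXY_YES = "PROXY 10.23.16.20:80"; // proxy address from the thread
const PROXY_NO = "DIRECT";
const PORTAL_HOST = "1.1.1.1";            // address the thread's script exempts

// The thread's logic: exempt any URL that starts with the exempted address.
function findProxyUrlGlob(url, host) {
  if (shExpMatch(url, "http://1.1.1.1*")) return PROXY_NO;
  if (shExpMatch(url, "https://1.1.1.1*")) return PROXY_NO;
  return PROXY_YES;
}

// Variant (an assumption of this example): exempt only the exact host.
// A PAC engine passes `host` without scheme, port or path.
function findProxyExactHost(url, host) {
  return host === PORTAL_HOST ? PROXY_NO : PROXY_YES;
}

// Constructed sample requests: [url, host]
const SAMPLES = [
  ["http://1.1.1.1/login.html", "1.1.1.1"],
  ["https://1.1.1.1/login.html", "1.1.1.1"],
  ["http://1.1.1.10/", "1.1.1.10"],
  ["http://1.1.1.1.example.test/", "1.1.1.1.example.test"],
  ["http://www.example.test/", "www.example.test"],
];

// Return the samples on which the two exemption rules disagree.
function disagreements(samples) {
  return samples
    .map(([url, host]) => ({
      url,
      glob: findProxyUrlGlob(url, host),
      exact: findProxyExactHost(url, host),
    }))
    .filter((r) => r.glob !== r.exact);
}

for (const r of disagreements(SAMPLES)) {
  console.log(`${r.url}: glob=${r.glob} exact=${r.exact}`);
}
```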
Budget tight - Unifi, provides Guest with or without vlan capability....done
I'm really struggling to get my head around how to setup guest wireless connectivity to the internet in my office. Basically at the moment I have a Fortigate 88C firewall, plugged in to a speedtouch modem providing Internet access (neither of which I have access to as they're managed by our ISP). We have Netgear Prosafe G5752TP Layer 3 Switches - and at the moment a Netgear WPN802V2 wireless access point - which I've not managed to find the password to yet to login (I only started this job a few weeks ago) - though looking at the specs it doesn't support VLANs or Multiple SSID's. DHCP \ DNS is provided to the internal network from our Domain Controller. I've spent ages trying to get my head around how to set this up, I think I've read so much now I'm just confusing myself - most of what I've seen doesn't account for your DHCP \ DNS server been...
This topic first appeared in the Spiceworks Community -
Separate Internet service for Guest Wireless
Hi all,
I was reading about security concerns having guest wireless sharing the corporate Internet services and therefore looking towards the path where a separate basic Internet service can be provided for them keeping the corporate side safe.
In doing that what i was thinking would be the way:
Extend the Guest Wireless VLAN from the core switch where the SVI is currently at to the new ADSL router's Inside interface. And in doing that I will need to configure the ADSL router for the right DHCP scope and DNS entries and finally remove the SVI from the core switch so it simply does switching across to this ADSL service.
Let me know if i am on the right track or if i am missing something.
Regards!
Hi George,
it is a simple setup with just one controller, and the WLC is talking to the ISE to authenticate including the web auth login for the guest.
So to ans your Q, I think No, the WLC doesn't push the guest to the DMZ. The guest VLAN is hanging off the core switch at the moment, and using their corporate Internet service.
i hope the above answered your doubts. Cheers! -
Setting up webauth for guest wireless access
Hi there,
I'm trying to set up guest wireless access. having no experience with this at all, I'm beginning to struggle.
Equipment:
2x 3850 stacked and acting as one switch running 03.06.00E
4x 1602E AP's registered to the WLC running on the 3850
The infrastructure is sound and corporate wireless access works ok.
I need a config that allows a guest user to connect to the guest SSID, DHCP an address, then when they open a browser, they are automatically redirected to a splash screen for them to log on. Once they log on with the supplied username and password they are then forwarded to whatever site it is they wish to go to; So far my config looks like this (removed unnecessary parts for brevity);
Building configuration...
user-name test
 creation-time 1414684496
 privilege 0
 password 7 051F031C35
 type network-user description test guest-user lifetime year 0 month 0 day 0 hour 23 minute 59 second 4
aaa new-model
aaa authentication login aaa_guest_webauth local
aaa authentication login local_login local
aaa authorization exec local_authorise local
aaa authorization network guest_authorisation local
aaa authorization credential-download default local
aaa session-id common
switch 1 provision ws-c3850-24t
switch 2 provision ws-c3850-24t
service-template webauth-global-inactive
 inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
spanning-tree mode pvst
spanning-tree extend system-id
hw-switch switch 1 logging onboard message level 3
hw-switch switch 2 logging onboard message level 3
parameter-map type webauth global
 virtual-ip ipv4 1.2.3.4
parameter-map type webauth guest-webauth
 type webauth
 redirect on-success http://www.google.com
 banner text ^CC test text test ^C
 custom-page login device flash-1:login.html
 custom-page failure device flash-1:failed.html
class-map match-any non-client-nrt-class
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 10
interface VlanXXX
 description "Guest-Access-VLAN"
 ip address 10.x.x.126 255.255.255.128
 ip helper-address x.x.x.x
 ip helper-address x.x.x.x
line vty 0 4
 exec-timeout 7 0
 authorization exec local_authorise
 login authentication local_login
 transport input ssh
line vty 5 15
 exec-timeout 7 0
 authorization exec local_authorise
 login authentication local_login
 transport input ssh
wsma agent exec
 profile httplistener
 profile httpslistener
wsma agent config
 profile httplistener
 profile httpslistener
wsma agent filesys
 profile httplistener
 profile httpslistener
wsma agent notify
 profile httplistener
 profile httpslistener
wsma profile listener httplistener
 transport http
wsma profile listener httpslistener
 transport https
wireless mobility controller
wlan Wireless-Guest-Access 24 wireless-guest
 client vlan Guest-Access-VLAN
 ip access-group GUEST-ACCESS
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security web-auth
 security web-auth authentication-list aaa_guest_webauth
 security web-auth parameter-map guest-webauth
 session-timeout 1800
 no shutdown
ap country GB
ap group default-group
ap group BUS-AP-Group
 wlan Wireless-Corporate-Access
  vlan BUS-CORP-DATA-VLAN
 wlan Wireless-Guest-Access
  vlan Guest-Access-VLAN
end
I carried out a wireshark trace and can see the dhcp ok, then see DNS queries to the DNS name server and the replies, followed by a TCP SYN to the resolved IP of the website requested - but that's it, there is no SYN ACK reply or redirect to the login page which I have placed on the flash and specified under 'custom-page login'
I am under the impression that the way this should work is as follows;
1. Client connects to SSID and carries out DHCP DORA and is assigned an IP address
2. open browser on client and carry out name resolution
3. once name is resolved, carry TCP three way handshake with requested site (e.g. google)
4. once three way handshake is completed client carries out an HTTP GET request
5. WLC holds the response and redirects to the login page
6. on successful login, original requested page is forwarded to client.
I can't seem to get a response - even if I remove the ACL.
Am i heading in the right direction or am I trying to achieve something which is not possible with my setup?
Cheers
also, forgot to say, make sure your files are preceded with webauth for your html and js and web_auth for image files
38725 -rw- 4265 Nov 4 2014 12:21:28 +00:00 webauth_login.html
38726 -rw- 6937 Nov 4 2014 12:11:03 +00:00 webauth_aup.html
38727 -rw- 1356 Nov 4 2014 12:11:30 +00:00 webauth_logout.html
38728 -rw- 662 Nov 4 2014 12:11:43 +00:00 webauth_failed.html
38729 -rw- 318 Nov 4 2014 12:11:58 +00:00 webauth_loginscript.js
38731 -rw- 82940 Nov 4 2014 12:12:28 +00:00 web_auth_image.jpg
CORE-SW01#sho run | s param
parameter-map type webauth global
 type webauth
 virtual-ip ipv4 1.1.1.1
 custom-page login device flash:webauth_login.html
 custom-page failure device flash:webauth_failed.html
parameter-map type webauth guest-webauth
 type webauth
 custom-page login device flash:webauth_login.html
 custom-page failure device flash:webauth_failed.html
 security web-auth parameter-map guest-webauth
CORE-SW01# -
Guest Wireless Cisco ISE 1.3
I am setting up guest wireless in my enterprise using Cisco ISE 1.3.
I have set up Authorization profiles and Authentication conditions for Guest Wireless. I am however not sure of the Authentication results (the allowed protocol section). Since I want to give Guests INTERNET-ONLY access, I have configured WLC with an ACL and tied that ACL-name to ISE. However, when it comes to Authentication results → Allowed protocols, I am unsure of what to include. For instance, I have created an allowed protocol named ‘Wireless_Access’, screenshot attached below.
Please let me know what options have to be checked to suit a guest environment. Any help would be much appreciated.. thanks!
Hi,
Below you can find a configuration example for guest access using ISE1.3.
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
Hope this helps.
Regards -
Guest Wireless - procedures for support ??
Hi
We are just on the cusp of deploying Guest wireless for
external non-employee visitors to our organisation, using WLC's and the lobby
admin functionality. However the issue of support procedures for these guest
devices is sticking.
Our Desktop support dept will not support potential technically challenged
guest user and his mis configured end device (for want of a better phrase......)
Ourselves in networks by policy do not support end devices as such.
We need a completely remote 'no-remote-human-presence' way to test a user
attaching to a SSID, firing up a browser and authing thru the re-directed to
web interface. Remoting to a PC attached to the remote secure wired network
is NOT ideal as we will then be bridging secure wired corp and non-secure
guest wireless (altho it may have to end up being a variation of that.)
I would be interested to hear how people here troubleshoot their
guest wireless service availability.
thanks
martyn
We have no way of easily testing on-site availability of our guest wireless network, but the guest wireless wlan is available in our office. So, if an issue arises, basic troubleshooting steps can be taken by trying to connect to the guest ssid from the office. Otherwise, you would have to get creative with something like you're talking about.
-
Guest Wireless access over WAN
Hello Everyone,
We have around 45 remote location , all are connected with GRE Tunnels.
44 locations have their own WLC which are managed by NCS and ISE in HQ. All 44 locations have Wireless access for Guest and Internal Staff.
Now my Question is :
One location (45th) has only 10 users and I don't want to put a WLC there.
How can I provide the Guest wireless access on this location over WAN from HQ.
We can buy APs.
Please give me some ideas to solve this problem.
Here I am attaching my default plan :
Thanks
You just configure the access point in FlexConnect mode and then on the guest SSID you would central switch the WLAN. Central switching tunnels back traffic to the WLC and local switching drops traffic off at the local site. Here are some guides to look at.
https://supportforums.cisco.com/docs/DOC-24082
http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml
Sent from Cisco Technical Support iPhone App -
Hello,
Is anyone aware of a way, "except for not broadcasting the SSID", to prevent clients from Inadvertently obtaining an IP address on a guest wireless network?
We are using two pair of 5508's for anchor controllers, and we're close to reaching our limit of 14k clients. While researching, we've found a number of addresses that are being handed out, are mobile devices with their WIFI enabled, walking through our facilities, but not necessarily wanting to use the guest WIFI.
We would like to somehow not have the devices obtain an IP, unless they truly want to connect. All I've been able to come up with is not to broadcast the SSID, which senior management feels is not acceptable.
Thanks
Hi,
you can create on the WLC a separate dummy L3 interface (192.168.250.0/24 and a VLAN that is not on your LAN, "3333") and a WLAN with the name "1".
The DHCP is configured on 5508 with a lease of 240s.
The SSID appears first in the selection. and the clients will connect to the.
Your SSID can be broadcast and the user can select the need.
miro -
I got the task of setting up a Guest wireless network for one of our remote campuses. We already have some APs that are connecting to our WLC.
The Environment:
WLC Cisco 5500 is at our Corporate office. Connects to our Core Switch then to our Router
Router connects to our remote campuses over mpls
We currently already have APs at this campus that are connecting back to our WLC.
We have a DSL line at the remote campus that we want this Guest wireless routed to.
I have already created the guest network on the WLC and a guest VLAN on the Core switch
My main question is how to configure the two routers for this and have this go out the DSL modem?
Any help is very appreciated...
That is fine. All you have to do is enable h-reap/FlexConnect local switching on the guest WLAN. Then change the mode on the AP to h-reap/FlexConnect and then the ap will reboot. Once it comes back up, you need to configure the switch port as a dot1q trunk only allowing the vlans for the AP and guest. Set the native vlan on the trunk to the vlan the ap belongs on. On the h-reap ap, you will have another tab on the top for h-reap/FlexConnect. You enable vlan support and then put the vlan ID the ap belongs on. Hit apply then go back to the h-reap/FlexConnect tab and click on vlan mapping. There you will see the guest SSID and then a box in which you can enter a vlan. That is where you will put your vlan for the guest. Now since this vlan your dsl is connected needs to reach all the AP's, you just need to create a layer 2 vlan and connect the dsl router to that. Users will get an ip from that dsl router etc.
Sent from Cisco Technical Support iPhone App -
ISE Custom AUP for Guest Wireless
Hi All,
I am trying to setup Guest wireless using Cisco ISE for the first time. Under Multi-Portal Configurations, i was hoping to be able to edit the DefaultGuestPortal profile so that I could change the wording of the AUP from Cisco's Blurb. Can anyone point me in the direction where I can do this? The only alternative I can see is to create a new portal from scratch.
Cheers
Brian
MultiPortal Configurations
Cisco ISE provides you with the ability to host multiple guest portals in the Cisco ISE server. The Guest user portal has a default Cisco look and feel. These pages are dynamically generated to offer portal features such as change password and self-registration in the Login Screen.
You can use the Multi-portal configuration to upload set of GUI pages specific to your organization to handle the Login, AUP, Change Password and Self Registration. In order to access an uploaded client portal the guest portal URL must include the name of the portal specified during the upload.
You can design and upload HTML pages to define new guest portals or replace the default guest portal. These pages must use plain HTML code and must contain form actions that point to the guest portal backend servlets. You must define separate HTML pages for login, acceptable use policy (AUP), the change-password function, and self-registration.
For Complete Configuration Guide, Please click on below link
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.pdf -
Guest wireless - too slow to get an IP
Hi All,
I am testing our new guest wireless using anchor controllers in the DMZ. The data path and the control path are both up and I can do eping and mping. The WLAN is configured to do a web passthrough. Whenever I try connecting to this new guest SSID, it always gets a 169.254.x.x address and it takes about 60 to 90 seconds before I get the right IP.
Currently, I am using the internal DHCP server on the anchor controllers since I only have a couple of users testing it but eventually I am planning to move the DHCP services to an external server.
Does anyone know why it is taking a long time to get an IP and start working? The client's MAC address shows up on the foreign controller and shows the status as associated and the policy manager status shows "RUN". I cannot seem to find any problems other than the slowness initially. Once I am connected, everything works as I expected.
Any ideas?
Meena
What code are you on? There are known issues (bugs) with 6.x and 7.x code. In fact cisco has a special TAC release 7.0.98.4 that fixes the DHCP issue.
I would however, not use the DHCP on the controller. You have problems with leases after reboot etc ... Best to put it on a real DHCP server.