H-REAP and AAA-override

Hi,
I need a solution for that scenario:
- one SSID
- AP is HREAP-capable
- Authentication via EAP-TLS with radius server
Depending on the radius-feedback (aaa-override) the client should work in an HREAP-VLAN or over the WLC.
I only found a fixed configuration for
SSID <--> HREAP-VLAN.
Thanks

I don't think such a scenario is possible. The radius server can be used to dictate which WLAN the Wireless user will use but cannot dictate whether the user will use HREAP mode or the normal mode. That configuration needs to be done on the controller on a per SSID basis.

Similar Messages

  • Flex and aaa override

    Hi!
    The current design of the network needs the following:
    All branches must have a single corporate SSID. Users in a branch must be split by functionality into different VLANs.
    The corporate SSID must be switched locally.
    Does FlexConnect with AAA override have the ability to map one SSID to multiple VLANs?
    I can't get confirmation of this from documentation. All examples explain how to map single ssid
    to single_vlan
    Thanks for answers!

    Yes, you can use AAA Override to assign the VLAN in FlexConnect Mode.  Below is a link to the Configuration guide.
    http://www.cisco.com/en/US/docs/wireless/controller/7.3/configuration/guide/b_wlc-cg_chapter_01110.html#d174972e3765a1635
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • Mobility Anchor and AAA Overide VLAN Assignment

    Hello,
    I read some document 2 years ago that dynamic VLAN assignment was not possible with Anchored WLANs. Please I would like to know if this is now possible. The network setup would be as follows:
    1. Foreign and Anchor WLC (5508) with single SSID for both guest and internal users
    2. Cisco ISE 1.2 performing AAA override with VLAN tag based on AD group. Guest will go to VLAN for guest after web authentication.
    Please a speedy response would be helpful.

    Hi grabonlee,
    We have been running an anchor with VLAN override for our Guest services. Works well. VLAN needs to be defined on both the anchor and foreign. We are running 7.6.120 code.

  • WLC and AAA - one SSID and more VLANs

    hi,
    i have an ACS 4.1, AP1242, WLC4404 and Catalyst 3750, and an Win2003 DHCP Server
    Switch Interface Config:
    interface Vlan10
    ip address 10.70.170.1 255.255.255.0
    ip helper-address 192.168.12.10
    interface Vlan20
    ip address 10.70.171.1 255.255.255.0
    ip helper-address 192.168.12.10
    at the WLC i have configured one SSID with
    - Allow AAA Override
    - Layer2 Sec: [WPA1,TKIP+WPA2,AES]
    - ACS 4.1 AAA
    - Key Management: 802.1x
    one SSID mapped to the management interface. and 2 VLANS with different interfaces:
    VLAN-ID1: 10
    Interface-1:
    IP Address 10.70.170.2
    Netmask 255.255.255.0
    Gateway 10.70.170.1
    DHCP: 192.168.12.10
    VLAN-ID2: 20
    Interface-2:
    IP Address 10.70.171.2
    Netmask 255.255.255.0
    Gateway 10.70.171.1
    DHCP: 192.168.12.10
    at the acs i have 2 users and two groups. Group1-User1 and Group2-User2 with the aaa attributes to change the vlan on login.
    [006] Service-Type: Authenticate only
    [064] Tunnel-Type: VLAN
    [065] Tunnel-Medium-Type: 802
    [081] Tunnel-Private-Group-ID: <VLAN-ID-1> or <VLAN-ID-2>
    my problem is, that the user will authenticate successfully, and also the Vlan and Interface assignment is correct,
    but the ip-address that the user will get is always the IP-Range from Interface2 (VLAN20). So when the USER2 authenticates, he get the VLAN2,
    and the right interface and the right IP Address and the communication is right.
    but the USER1 gets the interface1 and VLAN10, but the IP from Interface2 (VLAN20).
    what can it be?
    thx

    FYI - If you're using ACS v4.1, you can also achieve this using the Airespace Attributes, by specifying the WLC interface name in the appropriate section.

  • AAA Override on Anchored WLANs

    Hi,
    Is it possible to create an anchored WLAN using 802.1x and use AAA override to dynamically change the VLAN clients are put in on the anchor WLC?
    I am assuming not but can't hurt to ask!
    Thanks,

    No:) the reason is that the foreign WLC does the encryption/decryption, so it would have to be done there without anchor. You wouldn't be able to change the vlan id from an anchor WLC.
    Sent from Cisco Technical Support iPhone App

  • AAA Override - QOS above what's set on WLAN

    Hey guys, I think I already know the answer but thought I'd run this by the community.  I'm working on configuring a PEAP secured WLAN that will be shared by our Data and VoIP wireless.  Right now the WLAN's QOS is set at Silver and I'm using AAA Override to set the Cisco 7925s on our voip interface and set the QOS level to Platinum.  The problem is that I'm getting tons of the following errors:
    VoIP Call Failure: '44:2b:03:xx:xx:xx' client, detected by 'xxxxxxx' AP on radio type '802.11a'. Reason: 'Call failed: TSPEC QOS Policy does not match'.
    If I change this WLAN's QOS to Platinum the error goes away.  My thought is that I may have to configure the default QOS to Platinum and override all other devices to Silver - I'd rather not do this as more devices are affected by that change.  If anyone knows or has run into something that I might be missing I'd be happy to listen to any suggestions.
    Thanks all!

    Well whatever you set the WLAN QoS level, that is the highest allowed on the WLAN. You can't mark WMM higher but you can limit it. So set your QoS level as Platinum and make sure you drop the QoS value on non voice clients to bronze.
    Sent from Cisco Technical Support iPhone App

  • Why my app doesn't compile when my NSFetchedResultsController properties is named "fetchedResultsController" and I override the setter selector?

    Hi everyone,
    I'm struggling with a problem here. I cannot compile my app when I name a NSFetchedResultsController "fetchedResultController" and I override the setter selector.
    How do you explain that? Is it a bug?
    I'm using xCode Version 5.0.2 (5A3005) on OS X 10.9 (13A603).
    Here is a sample of code showing the problem:
    TestViewController.h
    #import <UIKit/UIKit.h>
    @interface TestViewController : UIViewController
    @end
    TestViewController.m
    #import "TestViewController.h"
    @interface TestViewController ()<NSFetchedResultsControllerDelegate>
    @property (strong, nonatomic) NSFetchedResultsController *fetchedResultsController;
    @end
    @implementation TestViewController
    -(void)setFetchedResultsController:(NSFetchedResultsController *)fetchedResultsController
    {
        if(_fetchedResultsController) _fetchedResultsController.delegate = nil;
        _fetchedResultsController = fetchedResultsController;
    }
    - (NSFetchedResultsController *)fetchedResultsController
    {
        if (!_fetchedResultsController) // if no filter, no request
        {
            static NSString *SomeCacheName = @"SomeCache";
            NSFetchRequest *request = [[NSFetchRequest alloc] init];
            [request setRelationshipKeyPathsForPrefetching:@[@"tags",@"tags.tagged_players"]];
            [NSFetchedResultsController deleteCacheWithName:SomeCacheName];
            _fetchedResultsController = [[NSFetchedResultsController alloc] initWithFetchRequest:request managedObjectContext:[NSManagedObjectContext defaultContext] sectionNameKeyPath:nil cacheName:SomeCacheName];
            NSError *error;
            ZAssert([_fetchedResultsController performFetch:&error], @"Event list fetch error. %@. %@", error, error.userInfo);
            _fetchedResultsController.delegate = self;
        }
        return _fetchedResultsController;
    }
    @end

    You have custom accessor methods so need to explicitly declare the instance variable _fetchedResultsController. Read this note under You Can Implement Custom Accessor Methods in Programming with Objective-C.
    https://developer.apple.com/library/ios/documentation/Cocoa/Conceptual/ProgrammingWithObjectiveC/EncapsulatingData/EncapsulatingData.html
    Note: The compiler will automatically synthesize an instance variable in all situations where it’s also synthesizing at least one accessor method. If you implement both a getter and a setter for a readwrite property, or a getter for a readonly property, the compiler will assume that you are taking control over the property implementation and won’t synthesize an instance variable automatically.

  • REAP and H-REAP

    I have a question regarding design and protocol. I have a network consisting of four buildings all connected through a combination of fiber and MPLS. These building need wireless. I would like to implement a solution using one 4402 WLC with LAPs in the buildings. My question regards the REAP and H-REAP protocols. Each building will have servers that the wireless users will need to access. I do not want all the traffic coming over the WAN only to return the way it came. It seems like implementing the LAPs with H-REAP is the solution to my problem. I want to ask the community if this seems correct and also ask anyone to add any other information that may be helpful as I may be missing something.
    My concern is unnecessary traffic on the WAN. I want the ease of managing one controller without wasting bandwidth on my WAN. Is there a way to have traffic that is destined for a server that may be local to the LAP not use the WAN? What if the wireless users are on a separate VLAN/subnet than the servers in the same building?
    Please ask any questions if possible. I hope I was clear enough.
    Thank you.

    Yes... H-REAP is your answer. With H-REAP, as you know, you can have traffic egress out of the AP's interface directly into the local LAN just as an autonomous AP would. Only centrally switched SSIDs will need to be tunneled back to the WLC, but it is up to you what you want local and what you want tunneled back. Traffic will stay local since the wireless device will have a local gateway and routing will not send traffic out the WAN if it is destined for another local subnet.

  • 3rd party Certificate and AAA Authentication

    I am using a cisco asa5520 and i have set up remote access vpn with an AnyConnect connection profile.
    In the connection profile i have set up that users should authenticate using both certificate and AAA.
    Due to a high security requirement, the user certificate is issued from a 3rd party.
    This is working fine and the user now need a valid certificate and a username/password to authenticate successfully.
    I added the CA certificate as a associated trustpoint on the ASA box to get the certificate verification working.
    Problem:
    If Jane and Joe both have a valid certificate AND a valid username/password, Jane could authenticate using a combo of Joes certificate, and Janes username/password. Both are valid (isolated), but i only want jane to be able to authenticate with her username/password and her personal certificate.
    I got an idea that i could put the Serial Number of the users certificate on the user object in AD (on the users department field or something like that) and check if this value match during authentication.
    So, to sum things up, i want to compare the Serial Number (SER) field of the users certificate with a field on the user object in AD during authentication. As far as i can see the user would need a valid certificate and a valid username/password to authenticate. The user would also be authenticated only if the serial field match the value on the user object in AD.
    I am happy for any help that could point me in the right direction on how to accomplish this.
    Best regards,
    Kenneth

    I actually got a better idea, and i think this will work great!
    One of the guys at work pointed out that the sAMAccountName is still used in many areas even though it is called pre-windows 2000.
    After some trying and failing i got the idea that should try to change the "Naming Attribute(s)" on the defined AAA (ldap) server under "AAA server groups".
    So i change the Naming attribute to "department", and put in the certificate serial number. I changed the connection profile and specified that it should use the "SER" value from the certificate as username. After that i tried to log in, and voila:
    [123] LDAP Search:
            Base DN = [dc=Testlab,dc=local]
            Filter  = [department=xxxx-xxxx-xxxxxxxxx]
            Scope   = [SUBTREE]
    [123] User DN = [CN=Peter Pan,OU=Wonderland,DC=testlab,DC=local]
    The ldap debug is clear, the ldap query during authentication is now searching for the user using the department field, and looking for the value of the serial number from my certificate.
    I wasn't quite happy about using the "department" field and I took a look at the user object looking for a more suitable attribute. To my surprise the user has got a "serialNumber" attribute, and it can hold multiple values. I changed the "Naming Attribute(s)" from "department" to "serialNumber" and added the serial number from the certificate to the "serialNumber" attribute on the user object:
    [138] LDAP Search:
            Base DN = [dc=Testlab,dc=local]
            Filter  = [serialNumber=xxxx-xxxx-xxxxxxxxx]
            Scope   = [SUBTREE]
    [138] User DN = [CN=Peter Pan,OU=Wonderland,DC=testlab,DC=local]
    Worked like a charm!
    I will settle for this solution, I can't see any issues regarding security, and it will be a breeze to admin. I will make a tool now so I can search for users in AD and update/view this attribute on the user objects.
    Thank you for the input Marcin
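
An added example, not part of the original post and not Cisco code: the scheme above finds the account through the `serialNumber` attribute, so each certificate SER value has to belong to exactly one user. The sketch audits a constructed LDIF export for values held by several accounts and for users with no value. Apart from the Peter Pan DN, every entry, every serial value and all function names are assumptions.

```python
import base64
from collections import defaultdict

# Constructed sample export (not real data); only the Peter Pan DN is on the page.
SAMPLE_LDIF = """\
dn: CN=Peter Pan,OU=Wonderland,DC=testlab,DC=local
objectClass: user
serialNumber: 1111-2222-000000001
serialNumber: 1111-2222-000000002

dn: CN=Wendy Darling,OU=Wonderland,DC=testlab,DC=local
objectClass: user
serialNumber: 1111-2222-000000003

dn: CN=James Hook,OU=Wonderland,DC=testlab,DC=local
objectClass: user
serialNumber: 1111-2222-000000003

dn: CN=Tinker Bell,OU=Wonderland,DC=testlab,DC=local
objectClass: user
"""


def parse_ldif(text):
    """Parse an LDIF export into a list of {attribute: [values]} dicts."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical and logical[-1]:
            logical[-1] += raw[1:]          # unfold a continuation line
        elif not raw.startswith("#"):
            logical.append(raw.rstrip())
    entries, current = [], {}
    for line in logical + [""]:             # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if rest.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def audit_serial_bindings(entries, attr="serialnumber"):
    """Map each serial value to the user DNs that carry it and flag problems."""
    owners, unbound = defaultdict(list), []
    for entry in entries:
        if "user" not in [c.lower() for c in entry.get("objectclass", [])]:
            continue
        dn = entry.get("dn", ["<no dn>"])[0]
        serials = {s.strip().casefold() for s in entry.get(attr, []) if s.strip()}
        if not serials:
            unbound.append(dn)              # this user cannot log in via the scheme
        for serial in serials:
            owners[serial].append(dn)
    duplicates = {s: sorted(d) for s, d in owners.items() if len(d) > 1}
    return {"owners": dict(owners), "duplicates": duplicates,
            "unbound": sorted(unbound)}


def resolve(report, cert_ser):
    """Return the single DN bound to a certificate SER value, else None."""
    dns = report["owners"].get(cert_ser.strip().casefold(), [])
    return dns[0] if len(dns) == 1 else None


if __name__ == "__main__":
    report = audit_serial_bindings(parse_ldif(SAMPLE_LDIF))
    print("duplicates:", report["duplicates"])
    print("unbound:", report["unbound"])
    print("lookup:", resolve(report, "1111-2222-000000002"))
```

A value that appears under `duplicates` no longer identifies one user, so it should be cleaned up before it is relied on for login.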

  • Can anyone recommend a good document for Cisco IDS and AAA

    I need some basic tutorial for Cisco IDS and AAA. can anyone recommend any document for it?
    thanks

    The Cisco IDS/IPS sensors do not perform any AAA functions. You can not validate a user/password externally.

  • VPN Client and AAA services on a Cisco ISR Router

    Hi, my name is Jim, and I was just promoted as a trainer for the company I work for.  Part of my new challenge is understanding how the configuration files in both my Terminal Services/VPN Router and Core Router work, so for many of you, these questions are going to seem very fundamental, but please help, I am an instructor in training.  I hold a CCNA, CCNA-Wireless, and a CCSI cert, but I have little working experience in building and maintaining a lab....hence the need for this inquiry.
    So to my questions. In our lab environment, we have a router that acts as our terminal services router and VPN router.  Each laptop that connects to the lab has the Cisco VPN client loaded onto it, as well as my laptop that I teach from.  My questions are these:
    1.  What parts of the AAA output of the running configuration tell me how to configure the VPN clients on my laptops?
    2.  I am using crypto key generate RSA at 1024 bits on the VPN/TS router, so does that tell me how to configure some part of the client?
    3.  In our lab, we are going to use a direct connection to an AP to get connected to the network, and how will the absence of an Internet connection affect the settings on the VPN client, or will they?
    4.  Are there helpful articles I can read that will answer some or all of these questions? 
    Thanks in advance,
    Jim

    Hi Jim,
    congratulations
    Assuming a basic setup, your router will have something like this:
    crypto isakmp client configuration group MyGroup
      key cisco123
    So on the client, you configure it to use MyGroup as the group name, and cisco123 as the (group) password.
    I'm not sure I understand your question #3 and what you mean by "AP" (Access Point? So WiFi?). In any case you don't need Internet access per se, as long as you have network (IP) connectivity between the host running the vpnclient and the VPN router.
    Does this help?
    Herbert

  • WLC 5508: 802.1 AAA override; Authenication success no dynamic vlan assignment

    WLC 5508: software version 7.0.98.0
    Windows 7 Client
    Radius Server:  Fedora Core 13 / Freeradius with LDAP storage backend
    I have followed the guide at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml with respect to building the LDAP and free radius server.  802.1x authorization and authentication work correctly.  The session keys are returned from the radius server and the wlc sends the appropriate information for the client to generate the WEP key.
    However, the WLC does not override the VLAN assignment, even though I was to believe I set everything up correctly.  From the packet capture, you can see that verification that the client is authorized to use the WLAN returns the needed attributes:
    AVP: l=4  t=Tunnel-Private-Group-Id(81): 10
    AVP: l=6  t=Tunnel-Medium-Type(65): IEEE-802(6)
    AVP: l=6  t=Tunnel-Type(64): VLAN(13)
    I attached a packet capture and wlc config, any guidance toward the attributes that may be missing or not set correctly in the config would be most appreciated.

    Yes good catch, so I had one setting left off in freeradius that allowed the inner reply attributes back to the outer tunneled accept.  I wrote up a medium high level config for any future viewers of this thread:
    The following was tested and verified on a fedora 13 installation.   This is a minimal setup; not meant for a "live" network (security issues  with cleartext passwords, ldap not indexed properly for performance)
    Install Packages
    1.  Install needed packages.
    yum install openldap*
    yum install freeradius*
    2.  Set the services to automatically start on system startup
    chkconfig --level 2345 slapd on
    chkconfig --level 2345 radiusd on
    Configure and start LDAP
    1.  Copy the needed ldap schemas for radius.  Your path may vary a bit
    cp /usr/share/doc/freeradius*/examples/openldap.schema /etc/openldap/schema/radius.schema
    2.  Create a admin password for slapd.  Record this password for later use when configuring the slapd.conf file
    slappasswd
    3.  Add the ldap user and group, if they don't exist.  Depending on the install rpm, they may have been created
    useradd ldap
    groupadd ldap
    4.  Create the directory and assign permissions for the database files
    mkdir /var/lib/ldap
    chmod 700 /var/lib/ldap
    chown ldap:ldap /var/lib/ldap
    5.  Edit the slapd.conf file.
    cd /etc/openldap
    vi slapd.conf
    # See slapd.conf(5) for details on configuration options.
    # This file should NOT be world readable.
    #Default needed schemas
    include        /etc/openldap/schema/corba.schema
    include        /etc/openldap/schema/core.schema
    include        /etc/openldap/schema/cosine.schema
    include        /etc/openldap/schema/duaconf.schema
    include        /etc/openldap/schema/dyngroup.schema
    include        /etc/openldap/schema/inetorgperson.schema
    include        /etc/openldap/schema/java.schema
    include        /etc/openldap/schema/misc.schema
    include        /etc/openldap/schema/nis.schema
    include        /etc/openldap/schema/openldap.schema
    include        /etc/openldap/schema/ppolicy.schema
    include        /etc/openldap/schema/collective.schema
    #Radius include
    include        /etc/openldap/schema/radius.schema
    #Samba include
    #include        /etc/openldap/schema/samba.schema
    # Allow LDAPv2 client connections.  This is NOT the default.
    allow bind_v2
    # Do not enable referrals until AFTER you have a working directory
    # service AND an understanding of referrals.
    #referral    ldap://root.openldap.org
    pidfile        /var/run/openldap/slapd.pid
    argsfile    /var/run/openldap/slapd.args
    # ldbm and/or bdb database definitions
    #Use the berkely database
    database    bdb
    #dn suffix, domain components read in order
    suffix        "dc=cisco,dc=com"
    checkpoint    1024 15
    #root container node defined
    rootdn        "cn=Manager,dc=cisco,dc=com"
    # Cleartext passwords, especially for the rootdn, should
    # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
    # Use of strong authentication encouraged.
    # rootpw        secret
    rootpw      {SSHA}cVV/4zKquR4IraFEU7NTG/PIESw8l4JI
    # The database directory MUST exist prior to running slapd AND
    # should only be accessible by the slapd and slap tools. (chown ldap:ldap)
    # Mode 700 recommended.
    directory    /var/lib/ldap
    # Indices to maintain for this database
    index objectClass                       eq,pres
    index uid,memberUid                     eq,pres,sub
    # enable monitoring
    database monitor
    # allow only rootdn to read the monitor
    access to *
             by dn.exact="cn=Manager,dc=cisco,dc=com" read
             by * none
    6.  Remove the slapd.d directory
    cd /etc/openldap
    rm -rf slapd.d
    7.  Hopefully if everything is correct, should be able to start up slapd with no problem
    service slapd start
    8.  Create the initial database in a text file called /tmp/initial.ldif
    dn: dc=cisco,dc=com
    objectClass: dcobject
    objectClass: organization
    o: cisco
    dc: cisco

    dn: ou=people,dc=cisco,dc=com
    objectClass: organizationalunit
    ou: people
    description: people

    dn: uid=jonatstr,ou=people,dc=cisco,dc=com
    objectClass: top
    objectClass: radiusprofile
    objectClass: inetOrgPerson
    cn: jonatstr
    sn: jonatstr
    uid: jonatstr
    description: user Jonathan Strickland
    radiusTunnelType: VLAN
    radiusTunnelMediumType: 802
    radiusTunnelPrivateGroupId: 10
    userPassword: ggsg
    9.  Add the file to the database
    ldapadd -h localhost -W -D "cn=Manager, dc=cisco,dc=com" -f /tmp/initial.ldif
    10.  Issue a basic query to the ldap db, makes sure that we can request and receive results back
    ldapsearch -h localhost -W -D cn=Manager,dc=cisco,dc=com -b dc=cisco,dc=com -s sub "objectClass=*"
    Configure and Start FreeRadius
    1. Configure ldap.attrmap, if needed. This step is only needed if we need to map and pass attributes back to the authenticator (dynamic vlan assignments as an example). Below is an example for dynamic vlan addresses
    cd /etc/raddb
    vi ldap.attrmap
    For dynamic vlan assignments, verify the following lines exist:
    replyItem    Tunnel-Type                                   radiusTunnelType
    replyItem    Tunnel-Medium-Type                   radiusTunnelMediumType
    replyItem    Tunnel-Private-Group-Id              radiusTunnelPrivateGroupId
    Since we are planning to use the userpassword, we will let the mschap module perform the NT translations for us. Add the following line to check the ldap object for userpassword and store it as Cleartext-Password:
    checkItem    Cleartext-Password    userPassword
    2.  Configure eap.conf. The attributes in the sections below should be verified. You may change other attributes as needed, they are just not covered in this document.
    eap {
        default_eap_type = peap
        .....
    }
    tls {
        # I will not go into details here as this is beyond the scope of setting up freeradius. The defaults will work, as freeradius comes with generated self signed certificates.
    }
    peap {
        default_eap_type = mschapv2
        # you will have to set this to allow the inner tls tunnel attributes into the final accept message
        use_tunneled_reply = yes
    }
    3.  Change the authentication and authorization modules and order.
    cd /etc/raddb/sites-enabled
    vi default
    For the authorize section, uncomment the ldap module.
    For the authenticate section, uncomment the ldap module
    vi inner-tunnel
    Very important: for the authorize section, ensure the ldap module is first, before mschap.  Thus authorize will look like:
    authorize {
        ldap
        mschap
        ......
    }
    4.  Configure ldap module
    cd /etc/raddb/modules
    ldap {
        server=localhost
        identity = "cn=Manager,dc=cisco,dc=com"
        password=admin
        basedn="dc=cisco,dc=com"
        base_filter =  "(objectclass=radiusprofile)"
        access_attr="uid"
        ............
    }
    5.  Start up radius in debug mode on another console
    radiusd -X
    6.  radtest localhost 12 testing123
    You should get an Access-Accept back
    7.  Now to perform an EAP-PEAP test.  This will require a wpa_supplicant test library called eapol_test
    First install openssl support libraries, required to compile
    yum install openssl*
    yum install gcc
    wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.10.tar.gz 
    tar xvf wpa_supplicant-0.6.10.tar.gz
    cd wpa_supplicant-0.6.10/wpa_supplicant
    vi defconfig
    Uncomment CONFIG_EAPOL_TEST = y and save/exit
    cp defconfig .config
    make eapol_test
    cp eapol_test /usr/local/bin
    chmod 755 /usr/local/bin/eapol_test
    8.  Create a test config file named eapol_test.conf.peap
    network={
        eap=PEAP
        eapol_flags=0
        key_mgmt=IEEE8021X
        identity="jonatstr"
        password="ggsg"
        # If you want to verify the server certificate, the line below would be needed
        #ca_cert="/root/ca.pem"
        phase2="auth=MSCHAPV2"
    }
    9.  Run the test
    eapol_test -c ~/eapol_test.conf.peap -a 127.0.0.1 -p 1812 -s testing123

  • Is it possible to config H-REAP/REAP and CAPWAP in Autonomous mode with a WLC?

    I'm going to be deploying all new APs as Remote-Edge APs and they will be shipped straight to site, with a pool of WLCs deployed in central DC locations.  I would like to get local staff to deploy a basic CLI discovery script for the APs.  However, I thought LAPs don't have CLI???
    I'm thinking I must use a Lightweight AP with the WLC to use Remote-Edge AP functionality - However, I'm not sure... the configuration example at the bottom doesn't state whether it is an Autonomous AP or a Lightweight one.
    http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml
    H-REAP Controller Discovery using CLI commands
    H REAPs will most commonly discover upstream controllers via DHCP option 43 or DNS resolution. Without either of these methods available, it may be desirable to provide detailed instructions to administrators at remote sites so that each H REAP may be configured with the IP address of the controllers to which they should connect. Optionally, H REAP IP addressing may be set manually as well (if DHCP is either not available or not desired).
    This example details how an H REAP's IP address, hostname, and controller IP address may be set through the console port of the access point.
    AP_CLI#capwap ap hostname ap1130
    ap1130#capwap ap ip address 10.10.10.51 255.255.255.0
    ap1130#capwap ap ip default-gateway 10.10.10.1
    ap1130#capwap ap controller ip address 172.17.2.172
    Could anyone help?
    Cheers
    Adrian.

    Hi Adrian,
    Further down in the doc you linked;
    H-REAP Controller Discovery using CLI commands
    H REAPs will most commonly discover upstream controllers via DHCP option 43 or DNS resolution. Without either of these methods available, it may be desirable to provide detailed instructions to administrators at remote sites so that each H REAP may be configured with the IP address of the controllers to which they should connect. Optionally, H REAP IP addressing may be set manually as well (if DHCP is either not available or not desired).
    This example details how an H REAP's IP address, hostname, and controller IP address may be set through the console port of the access point.
    AP_CLI#capwap ap hostname ap1130
    ap1130#capwap ap ip address 10.10.10.51 255.255.255.0
    ap1130#capwap ap ip default-gateway 10.10.10.1
    ap1130#capwap ap controller ip address 172.17.2.172
    Note: Access points must run the LWAPP-enabled IOS® Recovery Image Cisco IOS Software Release 12.3(11)JX1 or later, in order to support these CLI commands out of the box. Access points with the SKU prefix of LAP (for example, AIR-LAP-1131AG-A-K9), shipped on or after June 13, 2006 run Cisco IOS Software Release 12.3(11)JX1 or later. These commands are available to any access point that ships from the manufacturer running this code level, has the code upgraded manually to this level, or is upgraded automatically by connecting to a controller running version 6.0 or later.
    These configuration commands are only accepted when the access point is       in Standalone mode.
    Cheers!
    Rob

  • How do I safely and correctly override equals in a generic element class?

    (I posted this in the collection forum, but it was suggested I should take it here instead.)
    I've written an OrderedPair element class, (OrderedPair<K,V>), so I can have a set of ordered pairs.
    To get the container to treat OrderedPairs as values instead of objects, I had to override OrderedPair<K,V>.equals(Object) (and hashCode too).
    So I've written the equals(Object) below in the naive way and I'm now getting warnings about an unsafe cast at line (a) and an unsafe assignment at line (b).
    I do understand why this is a problem, but I'm not sure what the best solution is.
    How does one ask about instanceof for the otherObject, and how does one cast an Object to an OrderedPair<K,V> in a safe way?
        public boolean equals (Object otherObject) {
            if (otherObject == null || ! (otherObject instanceof OrderedPair<K,V>)) {    //line (a)
                return false;
            } else {
                OrderedPair<K,V> otherPair = (OrderedPair<K,V>) otherObject;      // line (b)
                return this.key.equals(otherPair.key)  && this.value.equals(otherPair.value);
            }
        }
    or, more to the point, how does one write a version of equals(Object) for a generic class?
    It seems that this overriding of equal will have to be done for many generic element types, so there must be some approach that is safe, yes?
    It was pointed out to me that AbstractMap does something similar

    <warning: thread hijack>
    public class OrderedPair<A,B> {
        final A a;
        final B b;
        A first() {
            return a;
        }
        B second() {
            return b;
        }
    }
    another question about generic code is this:
    is it possible that, most of the time, generic code may look like this
    (please note that this is not a criticism of the above code which is perfectly ok to me):
    public class OrderedPair<A,B> {
        public final A a;
        public final B b; // no accessor such as getA(), getB()
    }
    my point : unless you want specific behaviour linked to value consultation
    the actual type of members a and b is not hidden: encapsulation seldom makes sense.
    it is known to the user of the parametrized type, it is not subject to maintenance change
    so it is public ..... (if it is final)
    any remark?

  • H-REAP and Client Load-Balancing

    I'm told by Cisco that H-REAP does not support client load-balancing.
    We have a situation where we want to deploy LWAPPs using H-REAP into a conference room where training would take place.
    Any suggestions on how to overcome the inevitable slowness these people are going to experience from being unevenly associated with the APs?
    We can't re-write the application so we are looking for a wireless solution.
    Anyone hear about how other organizations have dealt with this type of situation?
    I'll be glad to supply more details if I am not being clear in my description of the problem.
    Thanks in advance. All responses will be rated.
    Paul

    This is the functionality which is missing in H-REAP: Client and Network Load Balancing
    "Radio Resource Management (RRM) load-balances new clients across grouped lightweight access points reporting to each controller. This function is particularly important when many clients converge in one spot (such as a conference room or auditorium) because RRM can automatically force some subscribers to associate with nearby access points, allowing higher throughput for all clients. The controller provides a centralized view of client loads on all access points. This information can be used to influence where new clients attach to the network or to direct existing clients to new access points to improve wireless LAN performance. The result is an even distribution of capacity across an entire wireless network.
    Note: Client load balancing works only for a single controller. It does not operate in a multi-controller environment."
    I suppose if we limit the number of users that can associate with a particular AP then we will achieve some client load-balancing. Though a hard limit on the number of end-users will also lead to situations where some end users will not be allowed any access.
