Help on Nokia E61i associating with Cisco WLC 4402

I ran into a problem associating Nokia's dual mode mobile phone E61i with a Cisco WLC 4402; hope someone can help me with it:
I set up a VOICE WLAN on the 4402 (v5.0.148), Layer 2 security is WPA1+WPA2, key management using 802.1x, WPA1 policy enables both TKIP and AES, RADIUS server is the ACS engine (v4.1.1.23) (PEAP-MSCHAPv2 enabled);
I can use my laptop to join this WLAN (my laptop is configured with PEAP/MSCHAPv2, WPA-TKIP, not validating the server certificate), but can't get the E61i to join it; each time it reminds me “unable to connect, WPA authenticate failed”.
In the E61i, I select WPA/WPA2 as WLAN security mode, enable EAP-PEAP, and under EAP-PEAP I enable EAP-MSCHAPv2; however under Cipher there are a lot of options such as “RSA,3DES,SHA”, “RSA,AES,SHA”, but there's no TKIP. I have tried enabling all of them and tried enabling only those items which include AES, but I failed each time with the same reminder “unable to connect, WPA authenticate failed”. I checked ACS's failed log, there's no record; in the 4402, there is also no record.
If I change the security to open or static WEP for the VOICE WLAN, then the E61i can connect to the WLAN.
I think the problem may be related to encryption or the certificate; right now I am just doing the test in the lab, not in the customer's real environment, so I used ACS to generate a self-signed certificate and installed it in ACS.
Please help point out what I need to adjust to make it work. Thanks!

Hello,
CCKM Key Management mode on the Nokia E61i phone can be used against Cisco LWAPP APs with TKIP encryption.
Nokia E61i (and other E-series WLAN enabled phones) support the CCKM key management method with both dynamic WEP and TKIP ciphers.
On the phone configuration, 802.1X security mode needs to be in use in order to enable CCKM support. WPA/WPA2 security mode on the phone is dedicated to standards-based WPA and WPA2 methods and it does not allow usage of the proprietary CCKM key management method.
The phone's 802.1X security mode does not mean that the phone would only support the dynamic WEP encryption method in this mode, although in some contexts the term "802.1X" may be attached to pure dynamic WEP (legacy / pre-WPA era) security methods.
802.1X security mode can be seen on Nokia E-series phones as a sort of "everything with EAP based authentication is allowed" mode, meaning that the following key management and cipher configurations are supported:
- WPA-Enterprise  = WPA Key Management (EAP based authentication) with TKIP encryption
- WPA2-Enterprise = WPA2 Key Management (EAP based authentication) with AES encryption
- Mixed WPA/WPA2-Enterprise = i.e. WPA/WPA2 mode migration: WPA2 Key Management (EAP based authentication) with AES (for unicast data) and TKIP (for multicast data) ciphers
- 802.1X dynamic WEP = legacy (pre-WPA era) 802.1X based dynamic WEP (EAP based authentication with dynamic WEP encryption)
Supported:
- CCKM with WEP = CCKM Key Management (EAP based authentication) with dynamic WEP encryption
- CCKM with TKIP = CCKM Key Management (EAP based authentication) with TKIP encryption
Not supported:
- CCKM with AES = CCKM Key Management (EAP based authentication) with AES encryption
Please note that CCKM-AES mode (CCKM Key Management with AES cipher) is not working properly due to some incompatibilities between Cisco and Nokia implementations, thus it must not be listed as a supported combination on the current Nokia E-series devices. We are also seeing CCKM fast re-authentication failures with Cisco autonomous APs when AES encryption is used, although initial authentication to autonomous APs is successful. Nokia is currently working with Cisco to get CCKM-AES based authentications and roaming working properly with both LWAPP and autonomous Cisco APs.
Also note that Nokia E-Series does not support Cisco proprietary CKIP/CMIC encryption/data integrity methods. CKIP/CMIC is supported at least by Cisco autonomous APs and it seems to be available also at least on LWAPP AP version 4.1.171.0.
CCKM on E-Series devices has been tested against Cisco LWAPP (ver. 4.1.171.0) and it works when TKIP encryption is in use (WPA Policy + TKIP encryption in Cisco LWAPP configuration terms).
In practice this means Cisco LWAPP is configured in the following manner: WLAN -> Edit -> Security ->
Layer 2 Security = WPA+WPA2
WPA+WPA2 Parameters:
-WPA Policy = enabled
-WPA Encryption = TKIP enabled, AES disabled
-WPA2 policy = disabled
-Auth.Key Mgmt = CCKM
Br,
-Pasi-

Similar Messages

  • Certificate based authentication with Cisco WLC and Juniper IC

    Hi
    I have a cisco WLC 4400 and Juniper IC which works as the external Radius server.
    I want the wireless clients to be authenticated using certificates. I know the Juniper IC can understand certificates.
    My question is: can the Cisco WLC understand that the information being presented to it by the client is not a username/password but a user certificate?
    I have also looked at this article:
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100590-ldap-eapfast-config.html
    What I don't understand here is the need for the WLC to authenticate the user with his credentials by LDAP when it has authenticated the user cert.
    All your help is appreciated.

    Hi,
    Since you use an external RADIUS server you don't have to worry about this.
    The only config that you need to do on the WLC is to define the RADIUS server under Security-AAA-Radius-Authentication and on your WLAN-Security-AAA.
    The doc you refer to is only for Local Radius on the WLC.
    Hope this helps
    Regards,
    Christos

  • Guest Splash Page with Cisco WLCs Help

    Hi,
    I need some guidance using Web Authentication / Web Pass-through to create a mandatory splash page that is presented to users of our guest WLAN.  Currently our guest WLAN is wide open, users connect and go straight through to get Internet Access. Here's what we'd like to accomplish.
    1. Have the page hosted on an external web server (i.e not on the controller)
    2. Present Terms of service
    3.
     a. Present an optional field to enter an email address & date of birth (DOB) to opt in for marketing purposes
            OR
     b. Present a mandatory field to enter an email address with an optional check box and DOB to opt in for marketing (the idea behind option b, is that whether they opt in for marketing or not, we could still some how use the email as a username, but not require a password.  In the hopes of then using this as a unique identifier in the WLC for troubleshooting / reporting purposes)
    4. At the very end, have an "I Agree" button
    5. Re-direct to our company's public facing website
    Our controllers are 5508s, running 7.4.121.0.  I more or less have an idea of how to accomplish this, but I've never used Web Auth / Web Passthrough with a Cisco Controller before, so I'm hoping someone can clear up a few things for me.
    1. Am I correct that, when using an External server to host the login.html page, we must use Web Authentication, since Web Pass-through is only an option when using an Internal Page? Web Pass-through seems ideal for us, since we don't care about credentials, but from what I'm reading, it seems restricted to Internal (on the Controller) deployments only.
    Based on these
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html#passthrough
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116879-configure-wlc-00.html
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/107474-web-pass-config.html
    2. If Web Pass-through is not an option when using an External deployment, is there any way we could use an email address as a username, but not require a password?  If not, is hiding the username/password fields in the html code of the splash page, and using a single pre-configured default username / password the only other option ? As described here: https://supportforums.cisco.com/discussion/10847046/unsecured-guest-access-customizable-splash-page-and-logo
    3. It sounds like SSL cert warnings may be an issue even if we use an External deployment, because the controller still acts as a middle man.  Is this correct, and is the best fix to install a valid 3rd party cert on the controller?
    P.S. I’m aware of the Big Brother type things that can be done with Cisco MSE and Connected Mobile Experiences, as far as guest tracking / marketing / analytics go. However, that’s way more than we’re looking to do at this point.
    Thanks in advance for any guidance you can provide!

    Hello Jonathan,
    The idea you have is fine, the only exception is the extra fields of information that you want to collect. From the WLC perspective this is not possible to gather.
    The example given on https://supportforums.cisco.com/discussion/10847046/unsecured-guest-access-customizable-splash-page-and-logo looks very interesting, and as long as the WLC receives the information it needs to authenticate the client, you can modify the HTML code as you want. However, as somebody stated on that post, Cisco provides the HTML example, but we do not really support the HTML content creation or modification.
    Anyway, below in answer #2 I am giving you an idea that could work (again, I'm not an HTML expert, I don't know if that could be achieved that way); maybe you can have a better idea.
    To answer your queries:
    1) The customized web-passthrough page can be hosted on an external Web Server.
    When the pages are on an external webserver, the passthrough is still performed on the WLC, just the pages reside on the external server. It is a good idea to be sure that the pages come up ok on the external server without webauth involved since webauth will not work unless the external webserver works
    2) We have examples of what HTML content a customized Web Passthrough page should include. If you add extra fields in the HTML code (like email address & date of birth), the WLC won't be able to handle this data and most probably you won't be able to gather this information from the WLC, unless you customize the web page in such a way that it sends the email address & date of birth fields to another server (rather than to the WLC) to gather this information; but in the end what matters for the WLC is to receive the click on the "Accept" button to authenticate the client.
    3) Regarding the certificate, there are two options, the cheapest and easiest is to disable HTTPS for web authentication. Then, your guests will open an HTTP web page, without having the certificate warning.
    Whether or not you perform local or external web authentication, you still hit the internal web server on the controller. When you redirect to an external web server, you still receive the certificate warning from the controller unless you have a valid certificate on the controller itself. If the redirect is sent to https, you receive the certificate warning from the controller and from the external web server, unless both have a valid certificate.
    In order to get rid of the certificate warnings altogether, you need to have a root level certificate issued and downloaded onto your controller. The certificate is issued for a host name and you put that host name in the DNS host name box under the virtual interface on the controller. You also need to add the host name to your local DNS server and point it to the virtual IP address (1.1.1.1) of the WLC.
    This link provides information about WebAuthentication on an External Web Server, however exactly the same applies for Web Passthrough:
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71881-ext-web-auth-wlc.html
    Also, you can download the WebAuthentication bundle, with the examples and some useful information about different customized web pages, it can be used as a template to build your page. Here you will see that Web Passthrough to an external server is indeed a valid option, when you download and unzip it, open the "readme.html"
    https://software.cisco.com/download/release.html?mdfid=282600534&softwareid=282791507&release=1.0.2&relind=AVAILABLE&rellifecycle=&reltype=latest
    Hope this helps

  • Create a point to point link with a wlc 4402

    Hi to all,
    I have a WLC 4402 and I need to configure a point to point link with two air-lap1310g-e-k9. I found this link on cisco.com:
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808e9c1b.shtml#zero
    but on the WLC configuration page I cannot find some of the configuration steps.
    Has someone configured this type of behaviour, or can give me some hints?
    How can I configure the bridge parameters on the WLC? Or must I configure the bridges, overriding the global configuration?
    Thanks and best regards,
    Carlo Sagratella.

    The correct thing to do would be to downgrade the 1310's to autonomous (or 1242's) and set up a root bridge and non-root bridge.
    Alternately however, if you REALLY wanted one of the points to be LWAPP, in theory you could always make one of the Access Points Autonomous and join it as a workgroup bridge to the LWAPP AP. However, there really is no reason to do that since it would be cleaner to convert both to autonomous.

  • Nokia Lumia support for Cisco WLC

    Dear All,
    I am using a Cisco Wireless LAN Controller 4404 in my network. All devices (laptops, Samsung mobile phones, iPhone, HTC, etc.) are connecting and working perfectly, but a Nokia Lumia mobile phone is unable to connect.
    Is there any hotfix for the WLC available? Please advise.
    Regards,
    Junaid

    Please find below the debug details. I started debugging the device with the command debug client (client mac) and then tried to connect the device.
    *dot1xMsgTask: Sep 25 12:14:03.096: ec:f3:5b:d3:99:20 dot1x - moving mobile ec:f3:5b:d3:99:20 into Connecting state
    *dot1xMsgTask: Sep 25 12:14:03.097: ec:f3:5b:d3:99:20 Sending EAP-Request/Identity to mobile ec:f3:5b:d3:99:20 (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Sep 25 12:14:03.148: ec:f3:5b:d3:99:20 Received EAPOL START from mobile ec:f3:5b:d3:99:20
    *Dot1x_NW_MsgTask_0: Sep 25 12:14:03.148: ec:f3:5b:d3:99:20 dot1x - moving mobile ec:f3:5b:d3:99:20 into Connecting state
    *Dot1x_NW_MsgTask_0: Sep 25 12:16:05.035: apfGetRsnIE: Processing WPA/RSN IE type 48, length 56 processed only 38 bytes
    *Dot1x_NW_MsgTask_0: Sep 25 12:16:05.076: apfGetRsnIE: Processing WPA/RSN IE type 48, length 56 processed only 38 bytes
    *Dot1x_NW_MsgTask_0: Sep 25 12:16:05.076: apfGetRsnIE: Processing WPA/RSN IE type 48, length 56 processed only 38 bytes
    *Dot1x_NW_MsgTask_0: Sep 25 12:16:05.076: apfGetRsnIE: Processing WPA/RSN IE type 48, length 56 processed only 38 bytes
    *Dot1x_NW_MsgTask_0: Sep 25 12:16:05.112: apfGetRsnIE: Processing WPA/RSN IE type 48, length 56 processed only 38 bytes
    And on cell phone it shows the following message:
    connection unsuccessful,
    the credentials provided by the server couldn't be validated,
    I tried to connect it without any encryption and it connected successfully; the issue is only on WPA2-Enterprise.
    Please advise.
    Regards,
    Junaid
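The `apfGetRsnIE` lines in the debug above are the controller walking the client's RSN information element. As an added example (not code from this thread, from Cisco or from Nokia), here is a defensive decoder for that element and for its WPA1 counterpart, using the IEEE 802.11, Microsoft (WPA1) and Cisco (CCKM) suite selectors; the sample IE bytes are constructed for the example, and the "N of M bytes parsed" figure it reports is this decoder's own count, not the controller's internal accounting.

```python
"""Decoder for the WPA (element 221) / RSN (element 48) information element
a client sends at association, the "WPA/RSN IE" in the WLC debug above."""
import struct

# Suite selector = 3-byte OUI + 1-byte type: 00:0F:AC IEEE 802.11,
# 00:50:F2 WPA1 (Microsoft), 00:40:96 Cisco (CCKM).
CIPHER_SUITES = {
    b"\x00\x0f\xac\x02": "TKIP",
    b"\x00\x0f\xac\x04": "CCMP-128 (AES)",
    b"\x00\x0f\xac\x06": "BIP-CMAC-128",
    b"\x00\x50\xf2\x02": "TKIP (WPA1)",
    b"\x00\x50\xf2\x04": "CCMP-128 (WPA1)",
}
AKM_SUITES = {
    b"\x00\x0f\xac\x01": "802.1X",
    b"\x00\x0f\xac\x02": "PSK",
    b"\x00\x40\x96\x00": "CCKM",
    b"\x00\x50\xf2\x01": "802.1X (WPA1)",
    b"\x00\x50\xf2\x02": "PSK (WPA1)",
}


def _name(selector, table):
    return table.get(selector, "unknown " + selector.hex(":"))


def parse_security_ie(ie):
    """Return (fields, consumed).  consumed = bytes of the element (header
    included) actually understood, stopping at the first absent optional
    field, i.e. the kind of figure a controller prints as "processed only N
    bytes".  A suite/PMKID count pointing past the element raises ValueError
    instead of being looped over, so a bad count cannot drive an OOB read."""
    if len(ie) < 2 or len(ie) != 2 + ie[1]:
        raise ValueError("element length does not match its header")
    elem_id, body = ie[0], ie[2:]
    if elem_id == 48:
        kind, pos = "RSN (WPA2)", 0
    elif elem_id == 221 and body[:4] == b"\x00\x50\xf2\x01":
        kind, pos = "WPA (WPA1)", 4                # skip vendor OUI + type
    else:
        raise ValueError("not a WPA or RSN element (id %d)" % elem_id)
    fields = {"kind": kind}

    def take(n):                                   # EOFError: field absent
        nonlocal pos
        if pos + n > len(body):
            raise EOFError
        chunk, pos = body[pos:pos + n], pos + n
        return chunk

    def take_list(item_len, decode):
        count = struct.unpack("<H", take(2))[0]
        if pos + item_len * count > len(body):
            raise ValueError("count %d exceeds element length" % count)
        return [decode(take(item_len)) for _ in range(count)]

    try:
        fields["version"] = struct.unpack("<H", take(2))[0]
        fields["group_cipher"] = _name(take(4), CIPHER_SUITES)
        fields["pairwise_ciphers"] = take_list(4, lambda s: _name(s, CIPHER_SUITES))
        fields["akm_suites"] = take_list(4, lambda s: _name(s, AKM_SUITES))
        caps = struct.unpack("<H", take(2))[0]
        # RSN capabilities: bit 6 = MFP required, bit 7 = MFP capable.
        fields["mfp"] = ("required" if caps & 0x40 else
                         "capable" if caps & 0x80 else "none")
        fields["pmkids"] = take_list(16, bytes.hex)
        fields["group_mgmt_cipher"] = _name(take(4), CIPHER_SUITES)
    except EOFError:
        pass                                       # rest of element absent
    return fields, 2 + pos


def describe(ie):
    """Summary in the key-management/cipher terms of the Nokia reply above,
    or the parse error for a malformed element."""
    try:
        f, consumed = parse_security_ie(ie)
    except ValueError as exc:
        return "malformed: %s" % exc
    return "%s: akm=%s pairwise=%s (%d of %d bytes parsed)" % (
        f["kind"], "/".join(f.get("akm_suites", [])),
        "/".join(f.get("pairwise_ciphers", [])), consumed, len(ie))


# Constructed RSN IE (52 bytes): CCMP or TKIP unicast, 802.1X or CCKM key
# management, MFP capable, one cached PMKID, BIP group management cipher.
SAMPLE_RSN_IE = bytes([48, 50]) + (
    b"\x01\x00" b"\x00\x0f\xac\x02"                        # version 1, group TKIP
    b"\x02\x00" b"\x00\x0f\xac\x04" b"\x00\x0f\xac\x02"    # pairwise CCMP, TKIP
    b"\x02\x00" b"\x00\x0f\xac\x01" b"\x00\x40\x96\x00"    # AKM 802.1X, CCKM
    b"\x80\x00" b"\x01\x00" + bytes(range(16))             # caps MFPC, one PMKID
    + b"\x00\x0f\xac\x06")                                 # group mgmt BIP
# Constructed WPA1 IE (24 bytes): TKIP with 802.1X, nothing after the AKMs.
SAMPLE_WPA_IE = bytes([221, 22]) + (
    b"\x00\x50\xf2\x01" b"\x01\x00" b"\x00\x50\xf2\x02"    # OUI/type, version, group
    b"\x01\x00" b"\x00\x50\xf2\x02" b"\x01\x00" b"\x00\x50\xf2\x01")
# Constructed RSN IE with one stray trailing byte: parsing stops after the
# capabilities field, so only 22 of its 23 bytes are consumed.
TRAILING_RSN_IE = bytes([48, 21]) + (
    b"\x01\x00" b"\x00\x0f\xac\x04" b"\x01\x00" b"\x00\x0f\xac\x04"
    b"\x01\x00" b"\x00\x0f\xac\x01" b"\x00\x00" b"\xff")
# Constructed RSN IE whose pairwise count (255) runs past the element.
BAD_COUNT_IE = bytes([48, 8]) + b"\x01\x00" b"\x00\x0f\xac\x02" b"\xff\x00"

if __name__ == "__main__":
    for ie in (SAMPLE_RSN_IE, SAMPLE_WPA_IE, TRAILING_RSN_IE, BAD_COUNT_IE):
        print(describe(ie))
```

To compare with a live controller, feed it the raw element bytes from a client association request capture; a consumed count below the element size shows exactly which field the decoder stopped at.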

  • Disable led on 1131AG while associated with an WLC

    Hi,
    On autonomous APs one can disable the bright status LED using the "led ....." command. But how can I disable the LED on a LAP-1131AG? The AP hangs in a bedroom so the light is quite annoying.
    Thanks!

    Anyone know if this can be done through the web GUI?
    Depends on the firmware of the WLC.
    7.0.X doesn't support this on GUI but 7.4.100.X does.
    In 7.0.X, you can enable/disable LED globally but 7.4.100.X have an option to do so individually.
    NOTE:  Not sure which firmware starts the support but all my WiSM-2 are running 7.4.100.X.

  • WLC 4402 username and password expires automatically

    Hi,
    We are facing an issue with a Cisco WLC 4402 (Cisco AireOS Version 4.2.205.0): the username and password expire automatically. It happens very often. We are not able to retrieve the password, so every time we need to reset (factory default) the Cisco WLC4402 and do a fresh installation.
    Is it a hardware issue or a software bug?
    Also, is there any possibility of recovering the username and password with resetting the Cisco WLC4402?
    Kindly suggest on this issue.
    Regards
    S.Manikandan

    Hmmm... Strange!! Are we using any TACACS to manage, or just the management username and password?
    I guess after 5.2 WLC code or so we have the option of resetting the password without losing the config!!
    Regards
    Surendra

  • Prevent certain APs from associating with WLC

    Hi, we have the following situation which I'd appreciate assistance with.
    We have 9 WLCs around a corporate network.  Each of the WLCs was in the same mobility group for failover purposes, and to permit APs to reconnect back to their primary WLC in the event of a failover.
    However, one of the sites has now been sold and, pending separation of the LAN infrastructure, the APs need to be isolated and prevented from associating with any WLC other than their primary (on site). From our experience, once the APs know about other WLCs they retain this list in NVRAM; even if the secondary WLC is removed from the configuration they will still associate with one of the known APs if possible (Cisco document this).
    WLC v 8.1.185.
    Does anyone have any recommendations to achieve this?  My thoughts are:
    1) configure WAN router to deny outgoing LWAPP / CAPWAP packets.  Router is a managed service which will entail negotiations and cost with the service provider.
    2) completely default all APs on site.  69 APs mounted in the roof of a large distribution depot.
    3) Use ACLs on the other WLCs to prevent ones from this subnet connecting to them.  May be the easiest because it is all in our control.  But I'm unsure of the implications of this.
    4) any other?
    Thoughts?
    Thanks
    R

    It's not that simple.  If simply changing the config from the controller stopped the APs  from associating to an unwanted controller outside their own network  then I wouldn't be here asking for help.  But that is not the case.
    These APs (LAP1242s) keep a list of known controllers in the NVRAM that is not part of the running configuration from the controller - as I recall it is in the environment variables, but all the APs I have here in the office have been defaulted (which includes deleting the ENV_VARS file from flash) so I can't illustrate it.
    As I said above, blocking the ports at the router involves managed routers and change requests which we can do but takes it two levels outside our control.
    Hence the request for help about using ACLs to deny access to the WLCs from a specific network.
    Thanks
    Robin

  • Cisco AIR-LAP1041N-E-K9 not working with WLC 4402 version 7.0.116.0

    Hi All,
    Appreciate your support for a problem I started facing today. I have a Cisco WLC 4402 running version 7.0.116.0 and it is working great with 25 Cisco 1252 APs. We received 20 new Cisco 1041N APs today and I installed one in our site, but it doesn't work. It worked fine, loaded the image from flash and got the WLC IP address through the DHCP option, and then started showing the below error:
    *Mar  1 00:00:10.021: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
    *Mar  1 00:00:10.033: *** CRASH_LOG = YES
    *Mar  1 00:00:10.333: Port 1 is not presentSecurity Core found.
    Base Ethernet MAC address: C8:9C:1D:53:57:5E
    *Mar  1 00:00:11.373: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
    *Mar  1 00:00:11.465: %LWAPP-3-CLIENTEVENTLOG: Read and initialized AP event log (contains, 1088 messages)
    *Mar  1 00:00:11.494:  status of voice_diag_test from WLC is false
    *Mar  1 00:00:12.526: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to up
    *Mar  1 00:00:13.594: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
    *Mar  1 00:00:13.647: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, C1040 Software (C1140-K9W8-M), Version 12.4(23c)JA2, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Wed 13-Apr-11 12:50 by prod_rel_team
    *Mar  1 00:00:13.647: %SNMP-5-COLDSTART: SNMP agent on host APc89c.1d53.575e is undergoing a cold start
    *Mar  1 00:08:59.062: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Mar  1 00:08:59.062: bsnInitRcbSlot: slot 1 has NO radio
    *Mar  1 00:08:59.138: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Mar  1 00:08:59.837: %SSH-5-ENABLED: SSH 2.0 has been enabled
    *Mar  1 00:09:00.145: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Mar  1 00:09:09.136: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 172.16.26.81, mask 255.255.255.0, hostname APc89c.1d53.575e
    *Mar  1 00:09:17.912: %PARSER-4-BADCFG: Unexpected end of configuration file.
    *Mar  1 00:09:17.912:  status of voice_diag_test from WLC is false
    *Mar  1 00:09:17.984: Logging LWAPP message to 255.255.255.255.
    *Mar  1 00:09:19.865: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
    *Mar  1 00:09:19.886: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar  1 00:09:20.873: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Mar  1 00:09:20.874: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated
    Translating "CISCO-CAPWAP-CONTROLLER.atheertele.com"...domain server (172.16.40.240)
    *Mar  1 00:09:29.029: %CAPWAP-5-DHCP_OPTION_43: Controller address 172.16.100.102 obtained through DHCP
    *May 25 08:27:02.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:02.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:03.175: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:03.177: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:03.177: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:03.329: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:03.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:03.333: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:03.333: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:03.378: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:03.378: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:03.378: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:03.448:  status of voice_diag_test from WLC is false
    *May 25 08:27:14.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:14.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:15.185: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:15.186: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:15.186: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:15.330: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:15.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:15.334: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:15.334: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:15.379: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:15.379: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:15.379: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:15.450:  status of voice_diag_test from WLC is false
    *May 25 08:27:26.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:26.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:27.182: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:27.183: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:27.184: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:27.329: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:27.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:27.333: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:27.333: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:27.377: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:27.377: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:27.377: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:27.433: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *May 25 08:27:27.446: %PARSER-4-BADCFG: Unexpected end of configuration file.
    *May 25 08:27:27.447:  status of voice_diag_test from WLC is false
    *May 25 08:27:27.448: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *May 25 08:27:27.456: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *May 25 08:27:38.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:38.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:39.183: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:39.184: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:39.184: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:39.326: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:39.329: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:39.329: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:39.330: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:39.375: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:39.375: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:39.375: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:39.446:  status of voice_diag_test from WLC is false
    *May 25 08:27:49.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:49.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:50.179: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:50.180: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:50.180: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:50.323: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:50.326: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:50.326: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:50.326: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:50.370: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:50.370: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:50.370: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:50.425: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *May 25 08:27:50.438: %PARSER-4-BADCFG: Unexpected end of configuration file.
    I searched for the regulatory domain differences between AIR-LAP1041N-E-K9 and AIR-LAP1041N-A-K9 and didn't find any difference that may affect the operation of this AP.
    Just to mention that our configuration in the WLC for regulatory domains is:
    Configured Country Code(s): AR
    Regulatory Domain: 802.11a: -A
                       802.11bg: -A
    My question is, should I only include my country in the WLC (IQ) to add the regulatory domain (-E) to solve this problem? Or will changing the country affect the operation of all working APs?
    Appreciate your kind support,
    Wisam Q.

    Hi Ramon,
    thank you for the reply but as shown in the below link:
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7.0.html#wp233793
    the WLC in version 7.0.116.0 supports Cisco 1040 series APs.
    Thanks,
    Wisam Q.

  • Generate one time authentication for Guest on Cisco WLC

    Hi All
    Sorry for my question, because I just started to work with Cisco WLC.
    I have created some WLANs for local users with authentication by 802.1x + RADIUS by certificate.
    For guests I used PSK with MAC filtering.
    But I see that this is not comfortable for guests; each time they come and want to access our wireless, we have to come and get their MAC.
    I checked on the Internet and found that the wireless solutions for hotels and resorts are very easy.
    I also googled and saw that Cisco WLC supports Lobby Ambassador to generate guest usernames/passwords. But as I checked, this username/password might only be used with Web-Auth; this method is not comfortable for guests who don't know they have to go to Web-Auth to do authentication (e.g. when they only get POP3 email, or VPN, ... not using browsers).
    Could I use this method (or another method) for creating a one-time guest wireless username/password or guest PSK that can be used for authentication when guests click the wireless SSID name only (no need to open a web browser to do Web-Auth)?
    Regards
    Hai

    Hi Choudhary
    Thank you very much for your information.
    Could I reconfirm my concern?
    With Cisco WLC, I can use WebAuth with guest users only.
    If I want to use guest users for authentication when guests connect to the SSID (not by WebAuth; I mean using Layer 2 security only, not Layer 3), I will have to use an additional RADIUS server.
    And if I understand right, could you please recommend a software-based RADIUS server that supports generating one-time usernames/passwords for guests, because I checked and IAS/NPS on Windows Server may not have this function (ISE is not appropriate for us at this time, due to the high expense).
    Regards
    Hai

  • Bonjour Discovery browser and cisco WLC mDNS

    Hello
    I'm using a Bonjour Discovery browser on an iPad to see if I can check what Bonjour services are available on a Cisco 2504 running code 7.5.102.0. The WLC is configured as per Cisco documentation for mDNS:
    Multicast disabled on WLC
    wired vlan (with bonjour services) is trunked to WLC
    mdns profile configured and bonjour services are visible on WLC
    mdns profile applied to WLAN
    When I connect an iPad to the WLAN and start the browser, no services appear (2 are visible on the WLC). Debug on the WLC shows the following (where XX:XX:XX:XX:XX:XX is the iPad MAC):
    *Bonjour_Msg_Task: Nov 04 10:51:06.674: XX:XX:XX:XX:XX:XX Failed to updated data to Service Provider DB
    *Bonjour_Msg_Task: Nov 04 10:51:12.798: processBonjourPacket : 935 Queried service-string : _dns-sd._udp.local. is not configured in MSAL-DB
    Is it possible to get the Bonjour Discovery browser working with a Cisco WLC?
    thanks
    andy

    I have used Avahi when I have had deployments that were FlexConnect and the site had multiple subnets for Apple TV's and or the devices that would be using the Apple TV, printers, etc.  Avahi is free and my customers would spin this up on an available PC or laptop and connect it to the network.
    mDNS AP
    1. This feature enhancement allows controllers to have visibility of wired service providers which are on VLANs that are not visible to the controller.
    2. User configuration is required to configure APs as mDNS AP. This configuration allows the AP to forward mDNS packets to the WLC.
    3. VLAN visibility at the WLC is achieved by APs forwarding the mDNS advertisements to controllers. The mDNS packets between AP and controller are forwarded in the CAPWAP data tunnel, similar to mDNS packets from wireless clients.
    4. APs can be either in access or trunk mode to learn the mDNS packets from the wired side and forward them to the controller.
    5. This configuration also allows the user to specify the VLANs from which the AP should snoop the mDNS advertisements from the wired side. The maximum number of VLANs that an AP can snoop is 10.
    6. If the AP is in access mode, the user should NOT configure any VLANs for the AP to snoop.
    The AP will send untagged packets when a query is to be sent. When an mDNS advertisement is received by the mDNS AP, VLAN information is not passed to the controller. Hence the service provider's VLAN, learnt via the mDNS AP's access VLAN, will be maintained as 0 in the controller.
    7. If the AP is in trunk mode, then the user has to configure the VLAN on the controller on which the AP would snoop & forward the mDNS packets. Native VLAN snooping is enabled by default when mDNS AP is enabled. The AP will send VLAN information as 0 for packets snooped on the native VLAN.
    8. This feature is supported on local and monitor mode APs, and not on FlexConnect mode APs.
    9. If an mDNS AP joins/resets (or) joins the same/another controller, the behavior is as follows:
    a. If global snooping is disabled on the controller, then a payload will be sent to AP to disable mDNS snooping.
    b. If global snooping is enabled on the controller, then configuration of the AP previous to reset/join procedure will be retained.
    Thanks,
    Scott
    *****Help out others by using the rating system and marking answered questions as "Answered"*****

  • WLC 4402 LAG connection to 2 different chassis of 6509 VSS switch system

    Hi,
    I have inherited a 6509 VSS switch system as the network core and have the task of ensuring proper redundancy and redesign of the directly connected data center devices.  One of the connected devices (WLC 4402) physically appears to be connected to both switches - the WLC is in the same rack as VSS-Chassis1 so I can trace the fiber from WLC port 1 to gi1/1/22, the other fiber from the WLC port 2 goes into the floor and presumably over to VSS-Chassis2 gi2/1/22 (there is fiber connected there, I have link lights on both sides, and the port channel, Po200, on the VSS switch which is configured on gi1/1/22 is also configured on gi2/1/22).  My question pertains to the CDP neighbor output I get on the VSS switch: (truncated to include just the WLC)
    NCMECHQWiFi1     Gig 1/1/22        137               H    AIR-WLC44 Gig 0/0/2
    NCMECHQWiFi1     Gig 1/1/22        137               H    AIR-WLC44 LAGInterface0/3/1
    NCMECHQWiFi1     Gig 1/1/22        137               H    AIR-WLC44 Gig 0/0/1
    It looks like both WLC ports are physically connected to Gi1/1/22, which they are quite obviously not.
    This is confirmed on the WLC's sho cdp entry all output:
    (Cisco Controller) >show cdp entry all
    Device ID: ncmec-vsscoresw1.ncmec.org
    Entry address(es): 100.1.0.254
    Platform: cisco WS-C6509-E,  Capabilities: Router Switch IGMP
    Interface: LAGInterface0/3/1,  Port ID (outgoing port): GigabitEthernet1/1/22
    Holdtime : 160 sec
    I believe that the multi chassis etherchannel is set up correctly on the VSS:
    vsscoresw1#sho run int gi1/1/22             
    interface GigabitEthernet1/1/22
    description WLC-Management
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport nonegotiate
    channel-group 200 mode on
    end
    vsscoresw1#sho run int gi2/1/22
    interface GigabitEthernet2/1/22
    description WLC-Management
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport nonegotiate
    channel-group 200 mode on
    end
    vsscoresw1#sho run int po200
    interface Port-channel200
    description WLC-Management
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport nonegotiate
    end
    And yet when I show the details of port channel 200, I expect to see "mode on" but instead see LACP, which is unsupported on the WLC:
    vsscoresw1#sho etherchannel 200 detail
    Group state = L2
    Ports: 2   Maxports = 8
    Port-channels: 1 Max Port-channels = 1
    Protocol:    -
    Minimum Links: 0
                    Ports in the group:
    Port: Gi1/1/22
    Port state    = Up Mstr In-Bndl
    Channel group = 200         Mode = On      Gcchange = -
    Port-channel  = Po200       GC   =   -         Pseudo port-channel = Po200
    Port index    = 0           Load = 0xFF        Protocol =    -
    Mode = LACP
    Age of the port in the current state: 180d:19h:47m:01s
    Port: Gi2/1/22
    Port state    = Up Mstr In-Bndl
    Channel group = 200         Mode = On      Gcchange = -
    Port-channel  = Po200       GC   =   -         Pseudo port-channel = Po200
    Port index    = 1           Load = 0xFF        Protocol =    -
    Mode = LACP
    Age of the port in the current state: 180d:19h:47m:02s
                    Port-channels in the group:
    Port-channel: Po200
    Age of the Port-channel   = 354d:12h:47m:27s
    Logical slot/port   = 46/19          Number of ports = 2
    GC                  = 0x00000000      HotStandBy port = null
    Port state          = Port-channel Ag-Inuse
    Protocol            =    -
    Fast-switchover     = disabled
    Load share deferral = disabled  
    Ports in the Port-channel:
    Index   Load      Port          EC state       No of bits
    ------+------+------------+------------------+-----------
    0      FF       Gi1/1/22                 On   8
    1      FF       Gi2/1/22                 On   8
    Time since last port bundled:    173d:17h:06m:34s    Gi2/1/22
    Time since last port Un-bundled: 173d:17h:06m:34s    Gi2/1/22
    Last applied Hash Distribution Algorithm: Fixed
    >>>  So my question, arising at least partly from the apparently misleading CDP information, is this:  How can I confirm that the WLC is correctly dual homed to both core switches? (short of tracing the cable)  I ask because there are several other devices (not WLCs) that need to have the dual homed connections confirmed.
    I tried a layer 2 trace route but for all MACs associated with the WLC, the trace aborts with the error "Device has Multiple CDP neighbours on destination port."
    Thanks in advance!
    Sue

    PS:  It is critical that I confirm the redundancy, since as a part of the data center redesign we will be moving the second VSS chassis to the same rack with the first to simplify the dual connections.  I need to verify all the redundant connections before I take it offline and move it.  Thanks!
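An added check for the question above (not code from the thread): a small Python parser over the per-port section of `show etherchannel <n> detail` that reports which VSS chassis the In-Bndl members terminate on. A member named Gi2/x/x that is Up and In-Bndl is a link physically on chassis 2 regardless of which port CDP attributes it to, and the per-member mode is read from the `Channel group = ... Mode = ...` line rather than the separate `Mode = LACP` line. The sample output below is constructed from the post.

```python
import re

# Constructed sample modelled on the per-port section of the
# 'show etherchannel 200 detail' output quoted in the post above.
SAMPLE_ETHERCHANNEL = """\
Port: Gi1/1/22
Port state    = Up Mstr In-Bndl
Channel group = 200         Mode = On      Gcchange = -
Mode = LACP
Port: Gi2/1/22
Port state    = Up Mstr In-Bndl
Channel group = 200         Mode = On      Gcchange = -
Mode = LACP
"""

PORT_RE = re.compile(r"^Port:\s+(\S+)", re.M)
# VSS interface names are <switch>/<slot>/<port>; the first number is the chassis.
VSS_IF_RE = re.compile(r"^[A-Za-z]+(\d+)/\d+/\d+$")


def parse_members(output: str) -> list:
    """One dict per member port: name, bundle state and channel-group mode
    (taken from the 'Channel group = ... Mode = ...' line, not 'Mode = LACP')."""
    members = []
    blocks = PORT_RE.split(output)  # ['', 'Gi1/1/22', body, 'Gi2/1/22', body]
    for name, body in zip(blocks[1::2], blocks[2::2]):
        state = re.search(r"Port state\s*=\s*(.+)", body)
        mode = re.search(r"Channel group\s*=\s*\d+\s+Mode\s*=\s*(\S+)", body)
        members.append({"port": name,
                        "state": state.group(1).strip() if state else "",
                        "mode": mode.group(1) if mode else ""})
    return members


def chassis_of(port: str) -> int:
    m = VSS_IF_RE.match(port)
    if not m:
        raise ValueError(f"not a VSS-style interface name: {port}")
    return int(m.group(1))


def check_dual_homed(output: str) -> dict:
    """Dual-homed means bundled (In-Bndl) members exist on two different chassis."""
    members = parse_members(output)
    bundled = [m for m in members if "In-Bndl" in m["state"]]
    chassis = sorted({chassis_of(m["port"]) for m in bundled})
    return {"bundled_ports": [m["port"] for m in bundled],
            "chassis": chassis,
            "dual_homed": len(chassis) >= 2,
            "all_mode_on": all(m["mode"] == "On" for m in members)}
```

Paste the real output in place of the constructed sample; a result with `chassis == [1, 2]` and `all_mode_on` true is the bundle-level confirmation the post asks for, and the same check can be run against any other MEC-attached device.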

  • Help Needed - complete newbie - WLC 4402

    I am trying to set up a basic wireless network, completely separate from our internal network, just utilizing the external internet bandwidth. It will mainly be used for meeting rooms and visitors requiring internet access.
    There should be no need for VLans on the Wireless network.
    The External 7204 router is plugged into a 12 port 2950 switch, which has a connection to the external side of our firewall.The ip address of the router is a public address, so if possible I do not want to give the WLC management ip a public address. The WLC will be plugged into the Cisco 2950 switch.
    I am a complete newbie at setting up the Cisco wireless. I imagine it is down to routing - do I have to purchase another router or is the WLC capable of doing simplified routing?
    Any advice would be greatly appreciated.
    Cisco WLC 4402 - version 5.1.151.0
    Cisco 3750 24 Port Switch
    External Router 7204 VXR Router
    Internal DHCP on WLC range - 192.168.60.100 -> .150
    Management Ip address: 192.168.60.2
    AP ip address: 192.168.60.3
    Virtual ip address: 1.1.1.1
    External Router ip address: 194.*.*.1

    Hi dennischolmes,
    Thanks for your reply, I have tried to create an interface on the controller as you suggested. However I get the following error "Error in setting VLAN and port. Cannot have multiple untagged dynamic interface on the same port" and was wondering if you could shed any light on that error.
    Trying to setup the Trunk port on the 2950 switch, it won't allow me to set the encapsulation dot1q - is this down to the software version of the switch?

  • Cisco wlc ios 7.2 with clients windows 8 can not authenticate with 802.1x

    Hello my name is Ivan:
    I have a Cisco unified wireless solution with a Cisco WLC 7.2 and Cisco APs. My issue is the following:
    My users are using laptops with Windows 8, and they cannot access the wireless network because they authenticate to the network using 802.1x WPA/WPA2 with TKIP or AES.
    I found a bug in the IOS of the WLC. The number is CSCua29504. I would not like to change the drivers on the laptops to get the users onto the solution.
    Is it possible to find any software to do the upgrade on the WLC? Or perhaps we need to do an upgrade on the Cisco lightweight access points?
    Please help me in this issue.
    Regards
    Ivan

    Bug ID CSCua29504 has been fixed in WLC firmware 7.0.235.3, 7.3.101.X or 7.4.100.X.
    So if you are NOT running any one of these codes, then yes. Upgrading your firmware is your solution.
    Fixed in:  (12)
    7.4(100.0),7.4(1.20),7.3(112.0),7.3(101.0),7.3(1.67)
    7.2(111.3),7.2(111.1),7.2(110.4),7.0(236.0),7.0(235.3)

  • Cisco WLC 2500 - 802.1x with Vasco Radius SMS OTP

    Hello folks,
    I have what seems to be a complex implementation with many things that need to be done on a customers network and I wanted to be pointed in the right direction.
    The current scenario is such, the customer has a Cisco WLC 2500 device that has 3 access points (these are in the same AP group) connected to it. There is one SSID that I will call PRODUCTION here that some domain users use to connect to the local network. The customer has requested to have a GUEST SSID added to the WLC where guest users will connect to and receive an SMS OTP for authentication.
    Correct me if I am wrong, but I will obviously need to segment the SSIDs to have them running on different subnets to ensure that guest users do not have access to the production network once they authenticate. In order to do this I will need to configure Dynamic VLAN assignment for the Cisco WLC and connect it to a 802.1x port on the switch.
    Now what is not clear is I am not interested in authenticating the users that connect via "Production SSID" and want to bypass authentication for those users and have them assigned to the default VLAN (or maybe perhaps have them authenticate via LDAP on the AD), however I want to force the "GUEST" SSID users to authenticate so that they may receive an SMS OTP (reason for this is to force guests to register their phone numbers to use the internet so that illegal activity may be tracked).
    1) So would it be possible to bypass authentication (or authenticate them via LDAP) for the PRODUCTION SSID as only domain users would know the SSID password to log on and have them by default assigned to the production subnet (default VLAN) but force the GUEST SSID users to another VLAN via 802.1x SMS OTP?
    2) *Important* Another issue that is not clear is will I be able to directly configure AAA Radius settings on the Cisco WLC to directly authenticate with the VASCO Radius OTP and receive a challenge-response (required for OTP) during authentication? As I have seen from Cisco's Dynamic VLAN assignment documentation (http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml) additional IETF Radius parameters such as Tunnel-Private-Group-ID etc. are used, which I can't seem to configure on the Vasco.
    I do believe this is a great project in helping me understand the INs and OUTs of CISCO WLC as well as Wireless NAC. If anyone could enlighten me and point me in the right direction I would be forever in debt. Much appreciated.
    Best Regards
    Sinan Barghouthi - JNCIA-FWV , JNCIA-IDP , CCA-NS , TCSM-8.0

    On your WLAN you can enable AES and TKIP. Just know that some clients may have issues when they see both TKIP and AES. I've had pretty good success with this in the past. Don't forget, you also need to enable WMM allowed to get N rates.
    But you will need to configure AES on the client as well to support N rates.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
