HREAP and cisco 5508

Similar Messages

• Cisco 5508 Hreap - slow wireless throughput

  I have a Cisco 5508 setup at a host site with 3 other sites connected using hreap on 1252APs. When doing testing of network speed I find that the throughput from the wireless to wired network is at about 18mbps yet the same test  on wired side is 85-100mbps and wireless to wireless is 18mbps
  Any ideas what could cause this                  

  Hm, just guessing is hard. So ...
  Can you upload the configuration?
  Which standard do you use? .11n? Encryption method?
  Where you the only one on ap while taking the tests?
  Have you tried some tests at various daytimes?
  Any chances to check for interference or change channels?
  Sebastian
  Sent from Cisco Technical Support iPad App

• Cisco 5508 and Ipads

  We have cisco 5508.
  We had problems with the connection of the first and second iPad version. Firmware: 7.0.235.3. Putting firmware 7.x. we can not because we have a point of 1310. But we put the firmware 7.2 ipad still have not get wireless. Then we rolled back.  It is interesting that not only work the first and second iPads. All the above works.  Played with TKIP instead of AES, did not help ...
  P.s. iphone works.

  (Cisco Controller) >show wlan 45
  WLAN Identifier.................................. 45
  Profile Name..................................... Test
  Network Name (SSID).............................. Test
  Status........................................... Disabled
  MAC Filtering.................................... Disabled
  Broadcast SSID................................... Enabled
  AAA Policy Override.............................. Disabled
  Network Admission Control
    Radius-NAC State............................... Disabled
    SNMP-NAC State................................. Disabled
    Quarantine VLAN................................ 0
  Maximum number of Associated Clients............. 0
  Number of Active Clients......................... 0
  Exclusionlist Timeout............................ 60 seconds
  Session Timeout.................................. 6400 seconds
  CHD per WLAN..................................... Enabled
  Webauth DHCP exclusion........................... Disabled
  Interface........................................ guestwifi
  Multicast Interface.............................. Not Configured
  --More-- or (q)uit
  WLAN ACL......................................... unconfigured
  DHCP Server...................................... Default
  DHCP Address Assignment Required................. Disabled
  Static IP client tunneling....................... Disabled
  Quality of Service............................... Silver (best effort)
  Scan Defer Priority.............................. 4,5,6
  Scan Defer Time.................................. 100 milliseconds
  WMM.............................................. Allowed
  WMM UAPSD Compliant Client Support............... Disabled
  Media Stream Multicast-direct.................... Disabled
  CCX - AironetIe Support.......................... Enabled
  CCX - Gratuitous ProbeResponse (GPR)............. Disabled
  CCX - Diagnostics Channel Capability............. Disabled
  Dot11-Phone Mode (7920).......................... Disabled
  Wired Protocol................................... None
  IPv6 Support..................................... Disabled
  Passive Client Feature........................... Disabled
  Peer-to-Peer Blocking Action..................... Disabled
  Radio Policy..................................... 802.11g only
  DTIM period for 802.11a radio.................... 1
  DTIM period for 802.11b radio.................... 1
  Radius Servers
     Authentication................................ Global Servers
  --More-- or (q)uit
     Accounting.................................... Global Servers
     Dynamic Interface............................. Disabled
  Local EAP Authentication......................... Disabled
  Security
     802.11 Authentication:........................ Open System
     Static WEP Keys............................... Disabled
     802.1X........................................ Disabled
     Wi-Fi Protected Access (WPA/WPA2)............. Disabled
     CKIP ......................................... Disabled
     Web Based Authentication...................... Disabled
     Web-Passthrough............................... Disabled
     Conditional Web Redirect...................... Disabled
     Splash-Page Web Redirect...................... Disabled
     Auto Anchor................................... Disabled
     H-REAP Local Switching........................ Disabled
     H-REAP Local Authentication................... Disabled
     H-REAP Learn IP Address....................... Enabled
     Client MFP.................................... Optional but inactive (WPA2 not configured)
     Tkip MIC Countermeasure Hold-down Timer....... 60
  Call Snooping.................................... Disabled
  Roamed Call Re-Anchor Policy..................... Disabled
  SIP CAC Fail Send-486-Busy Policy................ Enabled
  --More-- or (q)uit
  SIP CAC Fail Send Dis-Association Policy......... Disabled
  Band Select...................................... Disabled
  Load Balancing................................... Disabled
  Mobility Anchor List
  WLAN ID     IP Address            Status

• HREAP and Remote Office VLAN

  We have a corporate office which we have a 5508 WLC and 2 WiSMs (v7.0.116) and WCS (v7.0.172) and rolling out remote offices which will have 2 or 3 APs (1142N).  I setup the first remote office with wireless using HREAP and its working well. Configuring the WLAN for the remote office we select an interface we created with the VLAN at the remote office and now that we are preparing for the next remote office can I use the same VLAN for the second office? For example, we are using local switching for a WLAN using VLAN 6 and will need the same at the second remote office.
  Thanks for any help.
  Jeff

  if you are user FlexConnect, and are on 7.2 or better code on the WLC.
  http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_flexconnect.html#wp1247954
  If you are not using FlexConnect, which you said you weren't, the traffic doesn't get locally switched. it all is handeld at the WLC.
  HTH,
  Steve
  Please remember to rate useful posts, and mark questions as answered

• HREAP and Dynamic VLAN assignment (MS NPS)

  Hi All
  Just a quick rundown of what I am trying to achieve.
  We have a Cisco 5508 WLC (running AIR-CT5500-K9-7-0-116-0.aes). At the moment the WLC is controlling only 1 AP (Cisco 1142N LWAP). I want this AP to be placed at a remote site, and users that authenticate via the RADIUS (MS Windows 2008 NPS) server must be assigned their respective VLANs based on the Active Directory groups they belong to (staff, student, or guest).
  The AP and dynamic VLAN assignment works 100% if the AP is in local mode. Authentication works, and dynamic VLAN assignment works. As soon as you change the AP to HREAP mode, dynamic VLAN assignment stops working, and the client gets assigned an IP of whatever VLAN is assigned to the SSID under the HREAP tab. Allow AAA Override is enabled on the main SSID that I am broadcasting.
  I have read in some of the discussions that HREAP does not support dynamic VLAN assignment, but I haven't seen why this is not supported. Is this true with the latest version of WLC software as well? I cannot see why local traffic destined for a local resource must be sent via a WAN link to the controller, and then back over the WAN link again. This seems very inefficient.
  Is there anybody that can confirm if this is in fact an HREAP limitation, and why (if so) it is a limitation, please? Any info would be much appreciated.
  Regards
  Connie

  Do you perhaps know if there are plans for this limitation being addressed in the near future?
  We are looking to deploy wireless from end-to-end in all 6 of our sites, and you biggest competitor was penalized because they do not support this feature. It seems we're going to have to apply the same penalty in this respect to Cisco as well.
  Thanks for the feedback, though!
  Regards
  Connie

• Microsoft Lync 2010 and Cisco APs

  My company has extensively deployed Microsoft Lync Enterprise voice and this was an upgrade from OCS R2. Staff in my company have complained often of poor calls over wireless. I have resisted applying QoS for now until I understand fully how Cisco APs and WLCs implement QoS. I recently watched a video from Aruba networks comparing performance of Lync calls over its access points and Cisco access points. The Cisco setup was a 3500 AP and 5508 WLC with 7.0.116 code. There were also other bandwidth consuming applications running at the background. I must say that I was impressed at how Aruba's access point performed over Cisco access points. This is because Aruba does application specific QoS and not the traditional client or SSID QoS.
  I am considering making recommendation to management to go Aruba for the upgrade of a larger subsidiary. However, before I make such a recommendation,I have 2 quetstions
  1.  I would like to know if Cisco has revamped its WLC code to better deal with Lync and if so, I would be grateful if I could be shown any documentation or video on how to implement QoS to improve Lync experience.
  2. Also if HREAP is implemented, does the WLC still implement QoS or has this to be handled by the switch since packets are locally switched.
  I currently have a mix of 5508 and 4404 WLCs with over 300 1041n APs.

  Osita,
  As far as I know, Cisco has not done any optimization specifically for Lync, but as long as Lync is using standards-based tagging for the latency-sensitive parts of the application (voice and video), then you can elevate your WLAN QoS setting to the appropriate metal to allow for elevated QoS-tagged traffic on that WLAN.
  Keep in mind that the controller does not actively tag upstream client traffic, so even if you have clients doing other applications on their workstations over that WLAN, that traffic will not be re-marked from best effort to a multimedia QoS level. I.e., you can have a WLAN that shares both data and voice/video in a Lync environment.
  If you want to learn WLC QoS from the best (IMO), here is is Jerome Henry doing a 5-part video series explaining and implementing QoS on the WLC. It starts with Part 1, and the goes to Part 2-a, 2-b, 3-a and 3-b:
  http://www.youtube.com/watch?v=44t-0JYEwkA&list=UUm3YBBhcJRokmAD1LaJg3hQ&index=15&feature=plcp
  Locally switched HREAP traffic will come out into the switchport marked with the DSCP tag given to it by the application. It is up to you to configure proper end-to-end QoS on your network from there.
  Justin

• How can I set up 3 different VLANs on Cisco 5508

  Dear  Community Members,
    I have a need to setup three (3) VLANs with different SSID's for students , staff and visitors in a  College.
  The controller is Cisco 5508  with Cisco 3502E-E-K9 AP
  presently the wireless  network is flat with just one VLAN 
  NB.
  Staff would log in using active directory user name and password.
  Student would log in using username and Registration number  Possibly using RADIUS SERVER
  How best can i achieve this.

  Scenes  you are using single vlan so the point of have multiple SSID is useless  and the better approach will be using the AD for both authentication  and managing the Group policy for both. In this way you can manage both  students and Staff Kindly see the following link for step by step config  and understand Group policy
  Server 2008/2012
                  http://jackstromberg.com/2013/05/tutorial-802-1x-authentication-via-wifi-active-directory-network-policy-server-cisco-wlan-group-policy/
  cisco document server 2003  (another explaining in detail the flow)
                http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml

• Redirect to web authentication not working on Cisco 5508 Wireless Controller

  Hi,
  I have a wlan with web authentication:
  http://i55.tinypic.com/w145zk.png
  and
  http://i51.tinypic.com/344sfm0.png
  When I connect to  the SSID (I get correct IP from the Cisco 5508 Controller) and try to  surf, I do not get redirected to the web authentication page (https://1.1.1.1/login.html), when I manually insert the URL I get "cannot display the webpage". Any idea?
  The virtual interface is 1.1.1.1.
  Here is a screenshot of interface and internal dhcp:
  http://i52.tinypic.com/2vkm1d2.png
  Any idea why clients are not redirecting?
  Thanks!

  Thanks for the reply dmantil!
  When I changed the Virtual DNS name to 1.1.1.1 (the same as the IP) I get redirected if I use http://198.133.219.25, but not with http://cisco.com, I get redirected only if I use IP.
  I forgot to mention that the controller is in a lab with no access to DNS server. Does the controller check if the domain is valid before redirecting users? I cant find any documentation on how the controller redirect users.

• Cisco 5508 external web authentication

  Hi all,
  Firstly, I do apologise as this question has been posted in another forum, I believe it is the wrong one though hence me posting here.
  I am running with a pair of Cisco 5508 controllers with 7.4.121.0 installed. We offer a guest Internet service to our user base and guests. To access the guest service a user must first authenticate via an externally hosted server, I won't go into the specifics but it is a secure service will a valid, signed cert for the login page. The issue I am hitting is that when a user logs into the portal the controller cert is then displayed (2.2.2.2) which returns a cert error. It kind of makes the service look insecure when it isn't. I've read numerous articles about creating CSRs, etc and loading certificates on the controller, but the issue we have is that we use externally hosted DNS servers for the service and they are refusing to create a DNS record. We can't use internally hosted DNS servers as this breaks our security policy. Is there any other way around this or do I just have to have the user accept the cert error?
  Thanks

  I hear you and I was under the same impression. If I go through the steps I followed maybe it can be explained..
  Upgraded the primary controller from 6.0.x to 7.0.x a, APs upgraded. Upgraded FUS to 1.9. Upgraded controller to 7.4.121.0, upgraded APs. APs joined the controller. Disabled WebAuth Secure Web. Followed same steps for secondary controller. Shutdown primary controller to test failover to secondary. APs did not failover. Waited 15 mins, debugged CAPWAP and saw nothing coming in. Brought primary back online, waited 15 mins, debugged CAPWAP and saw nothing coming in. Waited a further 15 mins. Still no APs joining. Enabled WebAuth Secure on the primary, and boom, all the APs joined the primary. Not sure if this was just a coincidence, but this was the behaviour I witnessed. I'm running a pair of 5508's.
  I've not witnessed this before, but this is the first time I've disabled this setting. Understand it has nothing to do with APs joining and may just be a coincidence, but this is what I experienced. I ran out of time during the change window so couldn't test this further and try to simulate again, will try again when the next window becomes available.

• Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS

  Has anyone experienced a problem getting a Cisco WLC to work with MS NPS server? We've done it before albeit with differnt code versions.
  I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication.  I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user"  along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.
  Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond whcih in turn casues to WLC to switch to the other NPS server which produces the same issue.
  Any ideas of what might be the issue or misconfiguration?

  Jim,
  I wanted to know if you can setup wireshark on both of the boxes and see if your are hitting the following bug:
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044
  It looks as if the WLC is retransmitting the client traffic from one radius session with primary over to the secondary in which the radius state attribute that was assigned from the primary server is probably hitting the secondary server. Therefore if the state attribute isnt assigned from the secondary server it will discard the packet.
  May need to open a TAC case to see if this issue is on the 550x controllers also.
  Thanks,
  Tarik

• Cisco 5508 Firmware update 6.x 7.0.98 Questions

  Hi guys,
  Have not done an update on any cisco gear since about 2001
  We have a cisco services contract with IBM that supplies us access to the usb drivers, firmwares etc, and we have a Cisco 5508 6.x running ~30 Cisco 1252's, some 1231's and (potentially) some 1262's once the firmware update is done.
  We have a base-count license(permanent) of 50AP's, no expiry
  So I guess my questions are:
  1) When flashing the new firmware - do the licenses require any sort of modification, or will they work as per normal
  2) Are any serial numbers or codes required to be entered once the 7.0.98 firmware is installed?
  3) I assume that the old firmware/config becomes 2nd in line to the primary boot option of the firmware during boot process?
  Thanks

  7.0.98.0 is deferred code.
  Browse to deferred release on bottom:-
  http://www.cisco.com/cisco/software/release.html?mdfid=282600534&flowid=7012&softwareid=280926587&release=7.2.110.0&relind=AVAILABLE&rellifecycle=ED&reltype=latest
  Deferral Notice:-
  Wireless Lan Controller (WLC) software version 7.0.98.0 is being deferred due to the following issue :
  CSCtj21464 - WLC data plane core crashes, causing WLC reboot
  http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_2.html
  5500 supports 7.2 code but AP 123X is not supported on 7.2, And 126x supported from 7.0.116.0 code. it is suggested to update to 7.0.235.0.

• Cisco 5508 HA

  Hi all,
  We recently installed a pair of Cisco 5508 controllers running 7.6.110.0. Right now I don't want to use the 'Redundancy' / 'HA' features, preferring instead to run with an Active/Standby pair controller through the HA tab configured in all APs.
  As part of the upgrade to 7.6.110.0 we upgraded the secondary controller first, moved APs over one by one, then upgraded the primary. Right now I am having an issue moving the APs back to the primary. To confirm:
  - the mobility group is the same on both devices
  - mobility is up
  - I am allowing MIC certificates
  - AP fallback is enabled
  - device names, etc all match as I appreciate there can be issues as this is case sensitive
  As far as I was aware that was all that needed to match for this to work. One thing I have noticed however is that if I go into Redundancy -> Global Configuration both the Primary and Seconday are defined as the 'Primary' redundant unit. I've not activated, at least I thought I had not activated, this level of redundancy. Could this be what is causing it? I'm a bit wary of changing this value as I believe the controller will reboot.
  Can anybody shed any light on this. The intention was to eventually enable the redundancy and SSO, etc but not right now.
  Thanks

  Hi Leo, Scott
  So I was doing a bit more reading on this http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69639-wlc-failover.html it is an old document but working through it the document suggested that you didn't need to specify the IP address of the Primary or Secondary controller in the Wireless -> All AP -> AP_NAME -> High Availability. I removed this from one of the APs that was at the time serving no clients and tried to move it to the secondary and it worked. I then moved it back to the primary and it worked again.
  Any reason why this would happen? The IP addresses I was using were 100% correct. The only difference I see for this controller as opposed to others we manage is the introduction of new interface types i.e. 'redundancy management' , 'redundancy port' ,etc. I do not have redundancy enabled so I'm guessing not, but having trawled through the configuration this is the only difference I can see?

• Cisco 5508 HA - Webauth Bundle for multiple SSID/multiple web pages

  Hi Guys,
  I have 2* cisco 5508 WLC in HA mode . Both are running IOS 7.5.102.0 . Everything is working perfectly fine.
  I need to Creat 3 differnet SSID and Creat 3 different login Pages for them . Each user from respective SSID will get specified login Page. like
  I have few questions :
  1) I have downloaded webauth bundle from cisco Support Site and in that itself so many files are there. So based on my scenario , in which folder do i need to copy my login and logo file.
  2) i have used Picozip to convert the file in .tar format but its giving me following error "
  % Error: Webauth Bundle file transfer failed - No reply from the TFTP serve" but i can ping my tftp server easliy.
  3) As Controllers are in HA mode , so once i am successful in uploading webauth bundle then it will be replicated on secondary controller or do i have to turn off SSO and upload in both one by one.
  Please help me out in this.
  Cheers

  Hello Sandeep,
  i have uploaded the tar which you have sent to me. When i supply my username and pwd, after that it keeps on going and not showing any end result. so it stays on same page and nothing happening after that.
  Are there any more radius ACL's to be defined ? 10.10.13.x is wireless client network , 192.168.10.21 is Radius Server , 192.168.10.215 is proxy server. Is there any other ACL need to be defined ??
                         Source                         Destination                 Source Port  Dest Port
  Index  Dir       IP Address/Netmask               IP Address/Netmask       Prot    Range       Range    DSCP  Action      Counter
       1 Any      10.10.13.0/255.255.255.0     192.168.10.21/255.255.255.255  Any     0-65535     0-65535  Any Permit           0
       2 Any   192.168.10.21/255.255.255.255      10.10.13.0/255.255.255.0    Any     0-65535     0-65535  Any Permit           0
       3 Out      10.10.13.0/255.255.255.0           1.1.1.1/255.255.255.255  Any     0-65535     0-65535  Any Permit           0
       4  In         1.1.1.1/255.255.255.255      10.10.13.0/255.255.255.0    Any     0-65535     0-65535  Any Permit           0
       5 Any      10.10.13.0/255.255.255.0    192.168.10.215/255.255.255.255  Any     0-65535     0-65535  Any Permit          98
       6 Any  192.168.10.215/255.255.255.255      10.10.13.0/255.255.255.0    Any     0-65535     0-65535  Any Permit          98
  DenyCounter : 12

• Cisco 5508 Memory Usage

  What is the average memory usage for a Cisco 5508 with 500 APs (mostly 3502s) running 7.0.116.0 code? I am currently at 450 access points and have 80% memory usage should I be concerned?

  Tom,
       I just had a 5508 in production hit 89% memory usage and crash… I have opened a TAC case and I will update once more information is available. The controller rebooted and came right back online at 56% memory usage; I suggest rebooting it during downtime.
  Bill

• Cisco 5508 interface design problem

  Cisco 5508 interface design
  now i have connect wlc into infra same picture but ap can't register into wlc. How create interface for this diagram. please help me because access switch is unmanage switch i can't config trunk on this.i can install for this solution this isn't ?
  thank you for best support.
  samy

  Why are your AP's on different Vlans?
  If you plan to create SSID's on different Vlans then you will need a trunk port to the WLC as the switch needs to pass tagged frames to it and the WLC needs to pass tagged frames back.
  Out of interest, you are using a 5508 which is a fairly expensive piece of kit yet you are connecting it to an unmanaged switch. Why?