Intra controller roaming and Security

Hi all,
Under the section intra controller roaming, the WLC 7.0 config guide states that "When the wireless client moves its association from one access point to another, the controller simply updates the client database with the newly associated access point. If necessary, new security context and associations are established as well."
http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mobil.html
Within the phrase "If necessary, new security context and associations are established as well", could someone elaborate on what is meant by the new security context? My understanding is that an update to the MSCB (with the AP info) is the only requirement, as the client is within the same controller and subnet. I just can't think why the security info would need to be updated.
Thanks in advance.
J

Well, if during the roam the user's session times out or a re-keying occurs, the information has to be passed to the WLC. The AP does all the encrypt/decrypt if using encryption. This doesn't happen if you're using open.

Similar Messages

  • Intra-Controller roaming and AP Groups

    WiSM 2 controllers running 7.3.101.0
    All controllers have the same subnets/dynamic interfaces/WLAN
    All controllers in same mobility group.
    Controller1
    AP1 has APGROUP1 applied
    APGROUP1 has SSID1 mapped to DynintVLAN1
    Controller2
    AP2 has APGROUP2 applied
    APGROUP2 has SSID1 mapped to DynIntVLAN2
    Client associates to AP1 and gets IP from DynintVLAN1
    Client roams to AP2. Keeps IP address but connectivity stops.
    Client shows in Controller 1 to be Anchored to Controller 1
    Client shows in Controller 2 to be mobile client and mapped to Controller 1 but interface shows as DynintVLAN2
    My understanding with this configuration is that the client should stay connected via mobility to Controller 1, but it seems to stay authenticated but loses connectivity.
    Any thoughts?
    Thanks.

    I checked eping and mping between these controllers and there was no problem.
    When roamed to controller 2 I even tried a DHCP release and renew and that worked! I got my same IP address, so I think the mobility parts are working since I was able to get back to the original VLAN. I just can't ping my gateway or off network.
    After the roam, here are the "sh client detail" outputs:
    Controller 1 (Anchor)
    (Controller1) >show client detail 00:24:D7:37:B7:48
    Client MAC Address............................... 00:24:d7:37:b7:48
    Client Username ................................. **************deleted
    AP MAC Address................................... 00:00:00:00:00:00
    AP Name.......................................... N/A              
    Client State..................................... Associated    
    Client NAC OOB State............................. Access
    Wireless LAN Id.................................. 1 
    Hotspot (802.11u)................................ Not Supported
    BSSID............................................ 00:00:00:00:00:00 
    Connected For ................................... 1060 secs
    Channel.......................................... N/A
    IP Address....................................... 172.17.137.241
    Gateway Address.................................. Unknown
    Netmask.......................................... Unknown
    Association Id................................... 0 
    Authentication Algorithm......................... Open System
    Reason Code...................................... 1 
    Status Code...................................... 0 
    Client CCX version............................... 4 
    Client E2E version............................... 1 
    Re-Authentication Timeout........................ 1583
    QoS Level........................................ Silver
    --More-- or (q)uit
    802.1P Priority Tag.............................. disabled
    CTS Security Group Tag........................... Not Applicable
    KTS CAC Capability............................... No
    WMM Support...................................... Enabled
      APSD ACs.......................................  BK  BE  VI  VO
    Power Save....................................... ON
    Current Rate..................................... m15
    Supported Rates.................................. 18.0,24.0,36.0,48.0,54.0
    Mobility State................................... Anchor
    Mobility Foreign IP Address...................... 172.17.12.5
    Mobility Move Count.............................. 2
    Security Policy Completed........................ Yes
    Policy Manager State............................. RUN
    Policy Manager Rule Created...................... Yes
    Audit Session ID................................. ac110c0e0011541752570af9
    IPv4 ACL Name.................................... none
    IPv4 ACL Applied Status.......................... Unavailable
    IPv6 ACL Name.................................... none
    IPv6 ACL Applied Status.......................... Unavailable
    Client Type...................................... SimpleIP
    PMIPv6 State..................................... Unavailable
    Policy Type...................................... WPA2
    Authentication Key Management.................... 802.1x
    --More-- or (q)uit
    Encryption Cipher................................ CCMP (AES)
    Management Frame Protection...................... No
    EAP Type......................................... PEAP
    Interface........................................ zone5dynint743
    VLAN............................................. 743
    Quarantine VLAN.................................. 0
    Access VLAN...................................... 743
    Controller2
    (Controller2) >show client detail 00:24:D7:37:B7:48
    Client MAC Address............................... 00:24:d7:37:b7:48
    Client Username .................................**************deleted
    AP MAC Address................................... 00:23:eb:81:ec:20
    AP Name.......................................... AP2     
    Client State..................................... Associated    
    Client NAC OOB State............................. Access
    Wireless LAN Id.................................. 1 
    Hotspot (802.11u)................................ Not Supported
    BSSID............................................ 00:23:eb:81:ec:20 
    Connected For ................................... 212 secs
    Channel.......................................... 11
    IP Address....................................... 172.17.137.241
    Gateway Address.................................. Unknown
    Netmask.......................................... Unknown
    Association Id................................... 10
    Authentication Algorithm......................... Open System
    Reason Code...................................... 1 
    Status Code...................................... 0 
    Client CCX version............................... 4 
    Client E2E version............................... 1 
    Re-Authentication Timeout........................ 1584
    QoS Level........................................ Silver
    --More-- or (q)uit
    802.1P Priority Tag.............................. disabled
    CTS Security Group Tag........................... Not Applicable
    KTS CAC Capability............................... No
    WMM Support...................................... Enabled
      APSD ACs.......................................  BK  BE  VI  VO
    Power Save....................................... ON
    Current Rate..................................... m15
    Supported Rates.................................. 18.0,24.0,36.0,48.0,54.0
    Mobility State................................... Foreign
    Mobility Anchor IP Address....................... 172.17.12.14
    Mobility Move Count.............................. 3
    Security Policy Completed........................ Yes
    Policy Manager State............................. RUN
    Policy Manager Rule Created...................... Yes
    Audit Session ID................................. ac110c05008392c65257ede8
    IPv4 ACL Name.................................... none
    IPv4 ACL Applied Status.......................... Unavailable
    IPv6 ACL Name.................................... none
    IPv6 ACL Applied Status.......................... Unavailable
    Client Type...................................... SimpleIP
    PMIPv6 State..................................... Unavailable
    Policy Type...................................... WPA2
    Authentication Key Management.................... 802.1x
    --More-- or (q)uit
    Encryption Cipher................................ CCMP (AES)
    Management Frame Protection...................... No
    EAP Type......................................... PEAP
    Interface........................................ zone1dynint732
    VLAN............................................. 732
    Quarantine VLAN.................................. 0
    Access VLAN...................................... 743

  • L3 intra-controller roam

    Hi folks,
    I fully understand how Layer 2/3 roaming functions and the role of EoIP in an inter-controller environment. L2 intra-controller roaming is also pretty straightforward.
    However, L3 intra-controller roaming is not very clear to me. Could someone throw some light on the matter please? Also, if you could point me to a Cisco doco that would be great.
    Thanks,
    J

    Janesh,
    Correct, the client does not need to refresh its IP, or get a new one.
    The configuration guide and the mobility FAQ should speak to this. As for the mechanism: when you are roaming inside the same WLC it knows that the client hasn't moved off of it, so it just updates the MSCB entry and the client rolls along.
    Now if you roam from WLC-A to WLC-B, the WLC looks at the interface name and the IP address assigned to that interface. If the subnets match, the MSCB entry from WLC-A is moved to WLC-B. The traffic for the client will ingress and egress on WLC-B. This is a Layer 2 roam.
    Now if the client roams from WLC-A to WLC-B, the WLC looks at the interface name and the IP address assigned to that interface. The subnets do not match, so WLC-A copies the MSCB entry to WLC-B, then they pass the client traffic between them for the client. The traffic will ingress on WLC-A, be sent across the mobility tunnel to WLC-B, and then to the client. The inverse is true for traffic from the client. It flows from the client to WLC-B, across the mobility tunnel to WLC-A, and then egresses to the network there. This is a Layer 3 roam.
    HTH,
    Steve
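An added example, not part of either thread above: a Python parser for the "show client detail" output quoted in the AP Groups message, a cross-check of the anchor and foreign entries along the lines of what that poster did by hand, and Steve's subnet rule for classifying an inter-controller roam as L2 or L3. The excerpts are constructed from the posted outputs; the interface addresses fed to roam_kind are assumed CIDR strings, since the outputs do not show them.

```python
import re
from ipaddress import ip_interface
from typing import Dict, List

# Constructed excerpts modelled on the two "show client detail" outputs posted in
# the AP Groups message above (same layout, cut down to the relevant lines).
CONTROLLER1_OUTPUT = """\
(Controller1) >show client detail 00:24:D7:37:B7:48
Client MAC Address............................... 00:24:d7:37:b7:48
AP Name.......................................... N/A
IP Address....................................... 172.17.137.241
Hotspot (802.11u)................................ Not Supported
--More-- or (q)uit
Mobility State................................... Anchor
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP (AES)
Interface........................................ zone5dynint743
VLAN............................................. 743
Access VLAN...................................... 743
"""
CONTROLLER2_OUTPUT = """\
(Controller2) >show client detail 00:24:D7:37:B7:48
Client MAC Address............................... 00:24:d7:37:b7:48
AP Name.......................................... AP2
IP Address....................................... 172.17.137.241
Hotspot (802.11u)................................ Not Supported
--More-- or (q)uit
Mobility State................................... Foreign
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP (AES)
Interface........................................ zone1dynint732
VLAN............................................. 732
Access VLAN...................................... 743
"""
# "Key......... Value": the dot leader separates key from value; the command echo
# and pager prompts ("--More-- or (q)uit") have no leader and are skipped.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9 ().]+?)\s*\.{2,}\s*(?P<value>.*?)\s*$")
SECURITY_KEYS = ("Policy Type", "Authentication Key Management", "Encryption Cipher")


def parse_client_detail(text: str) -> Dict[str, str]:
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("value")
    return fields


def roam_kind(old_if_addr: str, new_if_addr: str) -> str:
    """Steve's rule for an inter-controller roam, given the dynamic interface
    addresses (CIDR) on the old and new WLC: same subnet -> the MSCB entry moves
    (L2 roam); different subnet -> it is copied and traffic is tunnelled (L3 roam)."""
    same = ip_interface(old_if_addr).network == ip_interface(new_if_addr).network
    return "L2 (MSCB moved, traffic on new WLC)" if same else "L3 (MSCB copied, tunnelled to anchor)"


def check_anchor_foreign(anchor: Dict[str, str], foreign: Dict[str, str]) -> List[str]:
    """Cross-check an anchor/foreign pair the way the poster did by hand; an empty
    list means the tunnel bookkeeping and security context are consistent."""
    problems: List[str] = []
    if anchor.get("Client MAC Address") != foreign.get("Client MAC Address"):
        problems.append("outputs describe different clients")
    if anchor.get("IP Address") != foreign.get("IP Address"):
        problems.append("client IP changed across the roam (not a mobility roam)")
    if (anchor.get("Mobility State"), foreign.get("Mobility State")) != ("Anchor", "Foreign"):
        problems.append("mobility states are not an Anchor/Foreign pair")
    # Tunnelled traffic must land in the anchor's VLAN: the foreign WLC reports it
    # as "Access VLAN" while its own interface VLAN for the WLAN differs.
    if foreign.get("Access VLAN") != anchor.get("VLAN"):
        problems.append("foreign Access VLAN does not match the anchor's VLAN")
    # The security context (WPA2 / 802.1x / CCMP) travels with the MSCB entry,
    # so it should read identically on both controllers after the roam.
    for key in SECURITY_KEYS:
        if anchor.get(key) != foreign.get(key):
            problems.append(f"{key} differs: {anchor.get(key)!r} vs {foreign.get(key)!r}")
    return problems
```

For the posted outputs the check returns no problems, which matches the poster's own conclusion that the mobility tunnel itself was working (DHCP renew returned the anchor-side address) and that the loss of connectivity had to be looked for elsewhere.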

  • Is it possible to disable intra-controller roaming with 1510AP

    Hi all,
    Is it possible to disable intra-controller roaming with 1510AP?
    Thanks

    Intra-controller roaming is enabled by default and can't be disabled. Refer to this URL:
    http://cisco.com/en/US/products/ps6366/products_configuration_guide_chapter09186a008063f3b9.html#wp1093741

  • Roaming and 2.4 vs 5.0 on 1250 series AP design help

    Hello,
    I will be upfront and honest and state that although I am familiar with some wireless technologies, most of this stuff is a mystery to me. I have done some homework and have researched quite a bit, but have kind of hit a wall.
    I have been handed four Aironet 1250 series APs, all with the dual radio modules (2.4 and 5.0). I really need to use only one of the modules so that we can power it via PoE and not enhanced PoE (long story).
    So, I need help with a design. Here's what I'd like to see.
    1. I would like to set up "roaming" so that when a wireless client goes from one AP to another it is seamless to the user and the user's NIC will associate with the strongest AP signal. Can I do this by simply setting the same SSID and security on each AP, or must I have a controller to do this?
    2. Also, I cannot seem to get older legacy clients to communicate with the 5.0 GHz radio module (they can't even see it), but they work fine when I switch it out for the 2.4. I know this is a very noob question, but can the older clients (non-N) work on the 5.0 module?
    I have looked through a ton of documentation but there doesn't seem to be a configuration guide that I can find for what I need to do.
    That's it. Can someone please have mercy on me and point me in the right direction? I will be looking in the meantime but I have a lot of unknowns. I think if I can get the two questions answered above, then I can mark this as resolved and run with it.
    Thanks a bushel,
    dt

    Hi Dave,
    1. Yes, the conditions for proper roaming are: same SSID, same security settings, and the APs serving the same client subnet (so that the client doesn't have to change its IP address).
    This is sufficient for data. Fast roaming is required for applications like voice, and you can then look into using CCKM as the key mechanism and configure one AP to act as WDS to centralize the roaming keys.
    2. This is not related. 11n is available on both the 2.4 and 5 GHz bands. The question is whether your old adapters are capable of 802.11a or not. 11a is the 54 Mbps speed in the 5 GHz band. I would guess they are not capable of it.
    Adapters in laptops now are often "abgn", meaning they can do N speeds on both the 2.4 and 5 GHz bands. An adapter that is "bg" or "bgn" would typically be restricted to only 2.4 GHz.
    Hope this helps,
    Nicolas

  • Can I setup "Roaming" and "Extended Network" on the same device?

    I have 2 buildings that need wifi coverage. In the main building, I have 2 Apple AirPort Extremes. I have one as the main router. The 2nd has a network cable from the 1st unit and is set up as "Roaming". I would like to add the "Extended Network" (wireless) function to the 2nd unit. Then I would place a 3rd AirPort Extreme at the 2nd building. I have signal at the 2nd building, but I would like it to be stronger.
    Can I set up an AirPort Extreme with Roaming and Extended Network functions, and if so, how would I do it?
    Thank you.

    Yes, that should be no problem.
    Windows 7 uses the 5.6 AirPort Utility. What model Extreme are you setting up?
    But it is relatively simple. You do not generally need to do anything now for the AE set up for roaming.
    On the one you will extend, simply plug it into a computer, run the AirPort Utility, go to the wireless tab and put in "extend wireless" with the name and security of the wireless you are extending.

  • Wireless guest wlan and secured corporate wlan

    I am implementing an enterprise wireless network for my company. I am planning on setting up one secured corporate WLAN for employees and one open guest WLAN for guests/contractors/vendors. Is there a way I can prevent my employees from jumping from the secured WLAN to the guest WLAN? Thanks.
    Lee

    Hi Stephen,
    LWAPP also defines the tunneling mechanism for data traffic.
    A LAP discovers a controller with the use of LWAPP discovery mechanisms. The LAP sends an LWAPP join request to the controller. The controller sends the LAP an LWAPP join response, which allows the AP to join the controller. When the LAP joins to the controller, the LAP downloads the controller software if the revisions on the LAP and controller do not match. Subsequently, the LAP is completely under the control of the controller. LWAPP secures the control communication between the LAP and the controller by means of a secure key distribution. The secure key distribution requires already provisioned X.509 digital certificates on both the LAP and the controller. Factory-installed certificates are referenced with the term "MIC", which is an acronym for Manufacturing Installed Certificate. Cisco Aironet APs that shipped before July 18, 2005, do not have a MIC. So these APs create a self-signed certificate (SSC) when they are upgraded in order to operate in lightweight mode. Controllers are programmed to accept SSCs for the authentication of specific APs.
    Please refer to the doc:
    http://cisco.com/en/US/products/ps6306/products_qanda_item09186a00806a4da3.shtml
    Regds
    Saji k.s

  • Question regarding roaming and data usage

    I am currently out of my main country of service, and as such I have a question regarding roaming and data usage.
    I am told that airplane mode is sufficient to keep the phone from roaming, but does this apply to any background data usage by applications and such?
    If the phone is in airplane mode, is all use of the phone, including wifi and application use over wifi, free of all extra charges from roaming?

    Ann154 wrote:
    If you are getting charged to use the wifi, then it is possible.  Otherwise no
    Just to elaborate here, Ann154 is referring to access charges for wifi, which have nothing to do with Verizon, so if you are using it in a plane, hotel, an internet cafe etc. that charges for wifi rather than being free. Verizon does not charge you for (or indeed know about!) wifi usage, or any other usage that is not on their cellular network (such as using a foreign SIM, for example, in global phones), so these charges, if any, will not show up on the Verizon bill app. Having it in airplane mode prevents all cellular data traffic, so you should be fine.

  • I have forgotten my Apple security questions; when I go to My Apple ID and click on Password and Security, there is no option to reset my security questions even though I have a rescue email address. How do I reset my security questions?

    I have forgotten my security questions, but when I click on My Apple ID and go to Password and Security, there is no option to reset my questions and/or send myself a rescue email. What do I do now?

    You need to contact Apple. Click here, phone them, and ask for the Account Security team, or fill out and submit this form.

  • Start up problems after Safari 3.1 and Security update

    Updated Safari and installed the security update last night.
    Safari downloaded and installed, but there was an error downloading or installing the security update, I forgot which.
    After I restarted, everything booted up fine but was stuck on the "Starting Mac OS X" screen.
    Did an fsck and zapped the PRAM, still stuck.
    Today I tried booting up in safe mode; stuck on the gray screen with the Apple logo.
    Then I tried booting up from an external FireWire DVD drive. Repaired permissions, repaired the disk, but it is still stuck on the "Starting Mac OS X" screen. Help please...
    Thank you

    OK, I had a similar problem with all the recent updates for Leopard, including the 10.5.2 combo update... the 12" PowerBook G4 kept getting stuck on the grey Apple and spinning wheel... if it managed to get past this it would get stuck on the blue screen!!!
    The way I got around this, after trying all these other tips, was: Archived & Installed 10.5; restarted, waited; downloaded the 10.5.2 Combo update, installed; restarted, waited; waited; waited; after getting back to the desktop, restarted, waited; then ran Software Update, only installing one at a time, and after each install, restarted, waited; when all Software Updates completed, proceeded with iLife updates etc... It took a while (still quicker than the 3 days of failed installs and updates) with a lot of waiting on the blue screen (5-20 mins) but we got there in the end. Disks were checked with Leopard Disk Utility before and after, permissions were checked before and after completing all installs, also with a DW 4.1 optimization. Also noteworthy is that the RAM was upgraded from the initial 256 MB (!!!) with an extra GB.

  • Bursting with translation and security attributes?

    Hi folks,
    I've been lurking on the forum for a while and despite not always finding a solution, existing threads normally pointed me in the right direction - so thanks :)
    I'm working on EBS 11.5.10 with the latest BI Publisher 5.6.3 (5472959) and bursting (5968876) patches installed.
    I have successfully done the following individual AR Invoice BI Publisher tasks:
    1. translated an invoice RTF template by attaching an xliff file to the data definition,
    2. applied security attributes to the template to restrict updates on the resulting PDF,
    3. burst a custom AR invoice print and emailed the resultant PDFs.
    The PDF generated by the combined Invoice print correctly applies the translation and security attributes; however, when I run the "XML Publisher Report Bursting Program" against the XML file the resultant burst PDFs do not apply the translation or security attributes. I assume this is a limitation of bursting control files? If so, is this on the list of future enhancements to BI Publisher?
    Here's an example of my control file document entry. I have included locale and pdf-security entries; these don't cause an error but equally don't generate the desired result (P.S. I know I'm emailing on a PRI filter; it's just a test):
    <xapi:document output-type="pdf" delivery="att_email">
      <xapi:template type="rtf"
        location="/usr/tmp/xxxINVOICE3.rtf"
        locale="fr-US"
        pdf-security="true" pdf-encryption-level="1" pdf-permissions-password="xxxxxx"
        filter=".//G_INVOICE_HEADER[PRINTING_OPTION='PRI']">
      </xapi:template>
    </xapi:document>
    Thanks
    Dave

    =================
    ==Properties ideas
    =================
    Have you happened to try applying the security stuff in the application for your template? Try that and see if the PDF properties get set.
    If that doesn't work you're left with two options:
    1. Create a Java concurrent program and set the properties manually.
    2. Log a TAR.
    =================
    ==Locale ideas
    =================
    Are you sure you don't have to create a template config for the locale? I suspect that's why it's not applying the xliff translation. Also, your NLS_LANG needs to be set to FRENCH for the appropriate template to be applied. If you're logged in as English your French format template will not be applied, neither will the translation. As an example, you can query the VL table and you'll only get American (US), but if you alter your session you'll get the translation for that language when you query the table.
    location="xdo://xxxAR.xxx_XML_PRINT.fr.US"
    Try it out and see if that works. Note: this will only work if your session NLS_LANG is set to FRENCH.

  • How to Set up HTTPOnly and SECURE FLAG for session cookies

    Hi All,
    To fix some vulnerability issues (found in ethical hacking / penetration testing) I need to set up the session cookies (CFID, CFTOKEN, JSESSIONID) with "HTTPOnly" (so they are not accessible to non-HTTP APIs like JavaScript). Also I need to set up a "secure flag" for those session cookies.
    I have found the below solutions.
    For setting up the HTTPOnly for the session cookies.
    1] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
         this.sessioncookie.httponly = true;
    For setting up the secure flag for the session cookies.
    2] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
         this.sessioncookie.secure = "true"
    Here my question is how we can do the same thing in Application.cfm. (I am using ColdFusion version 10.) I know we can do this using the below code, in the case of HTTPOnly (for example).
    <cfapplication setclientcookies="false" sessionmanagement="true" name="test">
    <cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
      <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
      <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
    </cfif>
    But in the above code "setclientcookies" has been set to "false". In my application (it is an existing application) this has already been set to "true". If I change this to "false" as mentioned in the above code then ColdFusion will not automatically send CFID and CFTOKEN cookies to the client browser and we need to manually code CFID and CFTOKEN on the URL for every page that uses Session. Right? And this will be a headache. Right? Or is there any other way to do this?
    Your timely help is well appreciated.
    Thanks in advance.

    BKBK wrote:
    Abdul L Koyappayil wrote:
    BKBK wrote:
    You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.
    I couldn't understand this. I mean, how are you relating this to my question?
    When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. Coldfusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected.
         If this is the case then why am I getting the info below for JSESSIONID? (As you mentioned, it should be set with the SECURE flag. Right?) Note that we are using the web server Apache vFabric. And the application that we are using is in HTTPS and no hit is going from HTTPS to HTTP.
    Name: JSESSIONID
    Content: 782BF97F50AEC00B1EBBF1C2DBBBB92F.xyz
    Domain: xyz.abc.pqr.com
    Path:
    Send for: Any kind of connection
    Accessible to script: No (HttpOnly)
    Created: Wednesday, September 3, 2014 2:25:10 AM
    Expires: When the browsing session ends
    BKBK wrote:
    2]When I checked CF Admin->Server Settings->Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that do we need to set HTTPOnly and SECURE flag for JSESSIONID only or for CF session cookies (CFID AND CFTOKEN ) as well ?.
    Set HTTPOnly / Secure for the session cookies that you wish to use. Each cookie has its pros and cons. For example, the JsessionID cookie is more secure and more Java-interoperable than CFID/CFToken but, from the explanation above, it forbids the sharing of sessions between HTTP and HTTPS.
         I understood that setting those flags (httponly/secure) is as per my wish. But my question was, is it necessary to set those flags for CF session cookies (CFID and CFTOKEN) as we have enabled J2EE sessions in CF admin? Or, in other words, as the session management is J2EE based, do we need to set those flags for CF session cookies?
    BKBK wrote:
    3]If I need to set HTTPOnly and SECURE flag for JSESSIONID , how can I do that.
    It is sufficient to set the HTTPOnly only. As I explained above, Tomcat will automatically set 'secure' to 'true' when necessary, that is, when the protocol is HTTPS.
         I understood that it is sufficient to set HttpOnly only. But how will we set it for JSESSIONID? This is my question. Apache vFabric will also set secure to true automatically. Any idea?
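An added example, not from the thread and not ColdFusion's or Tomcat's own code: a Python audit of Set-Cookie headers for the three session cookies under discussion (CFID, CFTOKEN, JSESSIONID), plus a builder for the header value the manual <cfheader> approach above would need to carry both flags rather than HttpOnly alone. The sample headers are constructed to mirror the inspector output quoted in the thread; the cookie values are placeholders.

```python
from typing import Dict, List, NamedTuple, Union

# Session cookie names from the question: ColdFusion's own pair and the
# J2EE (Tomcat) session cookie.
SESSION_COOKIES = ("CFID", "CFTOKEN", "JSESSIONID")


class ParsedCookie(NamedTuple):
    name: str
    value: str
    attrs: Dict[str, Union[str, bool]]


class CookieAudit(NamedTuple):
    name: str
    httponly: bool
    secure: bool
    issues: List[str]


def parse_set_cookie(header: str) -> ParsedCookie:
    """Split one Set-Cookie value into name, value and lower-cased attributes.
    Bare flags such as HttpOnly and Secure map to True; only the first '=' in
    the leading pair separates name from value, so '=' inside a value is kept."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return ParsedCookie(name.strip(), value.strip(), attrs)


def audit_session_cookies(set_cookie_headers: List[str]) -> List[CookieAudit]:
    """Flag session cookies that lack HttpOnly or Secure; other cookies are ignored."""
    results: List[CookieAudit] = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.name.upper() not in SESSION_COOKIES:
            continue
        httponly = "httponly" in cookie.attrs
        secure = "secure" in cookie.attrs
        issues: List[str] = []
        if not httponly:
            issues.append("missing HttpOnly: readable by script")
        if not secure:
            issues.append("missing Secure: also sent over plain HTTP")
        results.append(CookieAudit(cookie.name, httponly, secure, issues))
    return results


def build_session_cookie(name: str, value: str, path: str = "/", secure: bool = True) -> str:
    """Set-Cookie value for the manual <cfheader> approach in the question, carrying
    both flags instead of HttpOnly alone (Secure only makes sense on an HTTPS site)."""
    parts = [f"{name}={value}", f"Path={path}", "HttpOnly"]
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


# Constructed response headers mirroring the browser inspector output in the thread:
# every session cookie is HttpOnly, but "Send for: Any kind of connection" means
# none of them carries Secure. Values are placeholders, not real session ids.
SAMPLE_HEADERS = [
    "CFID=12345; Path=/; HttpOnly",
    "CFTOKEN=67890abcdef; Path=/; HttpOnly",
    "JSESSIONID=PLACEHOLDERSESSIONID.xyz; Path=/; HttpOnly",
    "theme=dark; Path=/",
]
```

Running audit_session_cookies over the response headers of a real HTTPS page is a quick way to confirm whether the container really did add Secure to JSESSIONID, which is the question the thread leaves open.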

  • HT2534 My friend created me an itunes store account with his credit card , his credit card is about to expire and they are asking me to re-enter the credit card and security card number .... I don't have these numbers ... How can i create new itunes accou

    My friend created me an iTunes Store account with his credit card. His credit card is about to expire and they are asking me to re-enter the credit card and security card number... I don't have these numbers... How can I create a new iTunes account without a credit card?

    Why do you need to create a new account?
    Just change the payment method.
    http://support.apple.com/kb/ht1918

  • I forgot the answers for the security questions and when I try to change them (My Apple ID - Manage your account - Password and Security) I'm asked to answer the exact questions I'm Trying to change because I don't remember the answers. How can I do it?

    I forgot the answers for the security questions and when I try to change them (My Apple ID -> Manage your account -> Password and Security) I'm asked to answer the exact questions I'm trying to change because I don't remember the answers. How can I do it?

    Can't you try the email option instead?

  • [Request] Move Windows Control Panel applet from "System and Security" to "Programs"

    The "Flash Player (32-bit)" Windows Control Panel applet should be  moved from "System and Security" to "Programs" where the Java applet is.
    Vote: https://bugbase.adobe.com/index.cfm?event=bug&id=2953107
    Thanks

    njb,
    Why not just run the ThinkVantage System Update and let it install as usual. You can also "un-check" those drivers that you don't want to install.
    *Non Lenovo employee*
    I have a Y2P (i5) ... Feel free to ping me if you want me to test some applications with your Y2P if you have the same model. I don't mind keep doing recovery on it if needed .... =)
