Is the Anchor Controller supported for CWA??

Hi all.
I'm working on a CWA solution to be implemented at our customer, but all the information I found always talks about CWA on a shared WLC, not on dedicated WLCs where one of them is a Foreign WLC and the other is the Anchor WLC.
I didn't find any information about support for this feature, nor any note about its configuration.
Can anyone help me?
Thanks in advance.
Best Regards.

Well, in CWA the ISE is hosting the portal page. You can always have an anchor WLC in the DMZ, but you would have to open ports back up to ISE. When using an anchor WLC you are basically placing guest traffic directly in the DMZ by tunneling all the traffic to that DMZ WLC. That DMZ WLC would have a portal page and a 3rd party certificate (optional) and can authenticate clients locally or via RADIUS.
Sent from Cisco Technical Support iPhone App

Similar Messages

  • Controllers in the same WiSM module in the 6500, I'm trying to make one of them the anchor controller for guest Internet

    I have 2 controllers in the same WiSM module and I'm trying to make one of them the Anchor controller for the guest WLAN, but when I put the anchor controller in a separate non-routed VLAN and connect it to an outside switch by creating VLAN 192 on the core (the Internet router is connected to the same switch), it is showing path down (VLAN 192, visitor Internet, and VLAN 224, my internal controller management VLAN, are not talking).
    There is no routing between these 2 VLANs (because of security), but I can't get the controller to communicate.
    - If I connect my laptop to this switch I'm able to go out on the Internet, but my visitor WLAN is not able to get an IP address from the router connected to this switch.
    - I called Cisco and one of the guys told me that I can leave the management in VLAN 224 for the controller to communicate (which they did), but the issue I'm having right now is that my visitors are not getting IP addresses from this VLAN at all.
    Someone please advise.
      vlan192   4/1 vlan 192              int g0/0 192.168.2.201
      6500 ----- switch ---- router---------  (outside)
        |         |   |
        |        DHCP server
       WLC

    A couple of questions: is VLAN 192 allowed across the trunk link to the WLC? Do you have an interface tagged for VLAN 192, with a valid address? What is providing the DHCP?
    Cheers,
    Steve
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Wireless Anchor SSID for CWA ISE 1.3

    Hello Team,
    Trying to follow this guide: http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11
    We are trying to enable for a guest access with an anchored WLC.
    However, when we create the SSID with MAC filtering, the local WLC is putting the MAC address of the client into the excluded clients list, instead of passing on the auth to the foreign DMZ WLC anchor.
    I have created the SSID with correct anchors.
    Any Ideas? Maybe this option doesn't actually work with anchor?

    "However when we create the SSID with mac filtering, the local WLC is putting the mac address of the client in to the excluded clients list, instead of passing on the auth to the foreign DMZ WLC anchor."
    In the anchoring scenario, the AAA authentication comes from the Foreign not the Anchor as it is layer 2 authentication.
    Make sure your Local WLC is able to authenticate the user.
    Steve

  • Sizing guest anchor controller

    40 locations, around 20-30 APs per location, 1 gig back from each site to the main site, minimizing cost. Trying to size the guest anchor controller. Redundancy is not required. If I understand correctly, the 4402/4404/5508 controllers support up to around 70 EoIP tunnels. My limitation is bandwidth. Is it safe to say that if Internet bandwidth is <100Mbps, then a 4402 will suffice? Only if Internet bandwidth were above 1Gbps would I need to go to the 4404 (bandwidth is used twice, so 1Gbps of guest traffic would result in approximately 2Gbps throughput).

    You could always port-channel a 4402 and use LAG on your anchor controller for 2Gb.
    I use a 4402-12 for our anchors as the BW is adequate, and AP license count is not a factor for anchors.

  • IOS device failed to get ip address on multiple wlan on the same anchor controller

    Dear Experts:
    In my implementation, we need 2 WLANs to be served on the same anchor controller.
    WLAN1: WEP/40-bit, integration with NAC/OOB on the anchor controller for guest WLAN service,
    with guest accounts controlled by the NAC Guest Server.
    WLAN2: WEP/40-bit, no layer 3 security, for temporary use.
    Foreign controller: WiSM on v6.0.196.4 (also testing on 6.0.182.0)
    Anchor controller: WLC4402 on v6.0.196.4
    On WLAN1:
    Windows 7 clients get an IP address correctly.
    iOS devices (iPhone 4 on 4.3.1/4.3.2, iPad 2 on 4.3.1/4.3.2) get an IP address correctly on WLAN1.
    On WLAN2, iOS devices cannot get an IP address.
    Comparing the debug messages from "debug client <mac>" + "debug dhcp message enable"
    on both the foreign and the anchor controller:
    On the foreign controller:
    PM state has changed from: DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
    On the anchor controller:
    PM state always stays at: DHCP_REQD (7) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
    Enabling/disabling DHCP Address Assignment Required does not work.
    Enabling/disabling DHCP proxy does not work.
    Has anyone hit this issue where getting an IP address fails on multiple WLANs on the same anchor controller?
    In attachment log file,
    DMZ.log: anchor controller on DMZ.
    S3p1.log: WiSM on v6.0.182.0
    S3p2.log: WiSM on v6.0.196.4
    client mac: 00:1f:3b:05:33:c1, Windows7 Client
    client mac: 58:55:ca:cf:d2:07, iPhone4 with 4.3.1,
    WLAN1 subnet: 10.61.246.0/23
    WLAN2 subnet: 10.61.248.0/23

    Hi, Nicolas:
    Just checking: the attachments contain the run-config of the foreign/anchor controllers.
    DMZ_run.config  - anchor controller
    s3p1_run.config - WiSM on v6.0.182.0
    s3p2_run.config - WiSM on v6.0.196.4
    At this moment, we have disabled WLAN 10 on the foreign controller, and WLAN 2 on the foreign controller.
    Wilson...

  • Using ISE for guest access together with anchor controller WLC in DMZ

    Hi there,
    I set up a guest WLAN in our LAB environment. I have one internal WLC connected to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal, which works fine.
    To gain more flexibility regarding guest account provisioning and reporting, my idea is to use Cisco Identity Services Engine (ISE) for web authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
    As the ISE is located on the internal network while the guest clients end up in the DMZ network, this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
    Does anyone know of a better solution for this? Where to place the ISE for this scenario, etc.?
    Thx
    Frank

    So I ran into a similar scenario on a recent deployment:
    We had the following:
    WLC-A on private network (Inside)
    ISE Servers ISE01 and ISE02 (Inside)
    WLC-B Anchor in DMZ for Guest traffic (DMZ)
    ISE Server 3 (DMZ)
    ISE01 and ISE02 are used for 802.1X for the private network WLAN.
    Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
    The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth. Since we want to do CWA, we use MAC Filtering with ISE as the RADIUS server. If you send the RADIUS authentication for MAC Filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to. Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails. (This was a limitation of ISE 1.1. Not sure if this persists in 1.2 or not.)
    So what now? In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentication from the Foreign controller, so that the client will be redirected to the DNS name https://ise03.mydomain.com/... Once the session is authenticated, ISE03 will send a CoA back to the foreign, which will remove the redirect for the session. Note, you do have to allow ISE03 to send a CoA.
    In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node.

  • Best place to create the DHCP scope for Guest SSID for remote office connected to HQ Foreign-Anchor controller

    Hi Experts ,
    I need help understanding the best practice for placing/creating the DHCP scope for a remote site Guest SSID which will be connected to the HQ Foreign-Anchor controller set-up.
    How about Internet traffic for the Guest SSID, which one would be recommended:
    1) Guest SSID gets authenticated from HQ ISE and exposed to the local internet
    2) Guest SSID gets authenticated from HQ ISE and exposed to the HQ internet
    Thanks

    Hi George ,
    Thanks for your reply... So you mean the best design would be to create the DHCP scope in the DMZ for guests and let them get exposed to the HQ Internet...
    How about if I have another anchor controller in, let's say, another office and I need to anchor the traffic or load balance from the HQ foreign controller? In that case, if I create the DHCP scope on the HQ anchor controller and it is down, I will lose the connectivity. How do I achieve fail-over to another anchor?
    Do I need to create a secondary scope on the other anchor controller and let the client get re-authenticated from the other location's ISE and get an IP address from the other anchor controller as well? Is that what you are proposing?

  • Cisco 5760 controller in centralized mode supports 4404 controller as anchor controller?

    Hello All,
    I have a Cisco 5760 controller running in centralized mode. I want to configure one 4404 controller as anchor controller to work with the 5760 controller. Is this supported?
    Thanks in advance
    Shabeeb

    No, it is not supported.
    You cannot have a mobility peer with a 5760 unless you enable "new mobility" on its peer. In CUWN products this is supported on 5508/WiSM2/8510 on specific codes. In currently supported codes it has to be 7.6.x or 8.x.
    As you know, the 4400 is only supported up to 7.0.x code. So new mobility is not supported, hence you cannot peer with CA products.
    In case you have a "new mobility" supported WLC, here is how you configure it:
    http://mrncciew.com/2014/05/06/configuring-new-mobility/
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Guest wireless running slow 1 Mb for one of the foreign vWLC (AIR-CTVM-K9) , the Anchor controller is on DMZ (AIR-CT5508-K9)

    Hi,
    We have a few vWLCs (AIR-CTVM-K9) as the foreign controllers for anchoring on different sites. The Anchor controller (AIR-CT5508-K9) is located in the DMZ at the main site. The guest wireless is working fine for all the sites except Site A. The download speed is <1Mb and I do not see any restriction on the Foreign controller or on the anchor controller. Upload speed can reach 5Mb. I have checked the configuration of the other foreign controllers; they are working fine and have similar settings. Could you please shed some light on where I should start troubleshooting this? Users are able to get the correct IP address, gateway and DNS server IP address without any issue.

    Issue resolved. Turned out it was the QoS applied on the vWLC switch port that slowed down the speed. Removing the QoS did the trick.

  • Auto-Anchor Controller's Best Practice

    Hi All,
    I got confused with this setup. I have 2 WLCs. One is the internal controller and the other one is configured as the anchor controller (different subnet, DMZ zone) for guest traffic. Where do I configure DHCP assignment for these users? Should the production controller intervene in this DHCP process, or shall I direct the Anchor to take care of everything? Which is recommended?
    And also any best practice doc is available for this ..?
    Please help...
    thanks in advance.

    Prasan,
    Just keep in mind that there are best practices that are published and best practices that you learn from experience. Being a consultant, I get to implement wireless in various networks and everyone's network is quite different. Also, code versions can change a best practice because of bug issues, or how a standard might have changed and how that standard was implemented in code. The biggest best practice secret is really working with various client devices, scanners, laptops, smartphones, etc., and seeing how those change because of newer models and their firmware updates. It's amazing to understand how some devices will require a few checkboxes in the WLAN to be disabled compared to others. Even with anchoring for guest and using a custom WebAuth to make sure the splash page works with various types of browsers.
    What I can say is to always try the defaults if possible when you have issues and then enable things one by one.
    Sent from Cisco Technical Support iPhone App

  • Central Web Auth with Anchor Controller and ISE

    Hi All
    I have a 5508 WLC on the corporate LAN and another 5508 sat in a DMZ as an anchor controller.
    I also have an ISE sat on the corporate LAN.
    Authentication is working fine to the ISE and the client tries to redirect to the ISE Portal but doesn't get there.
    DNS is working fine and the client can resolve the URL of the ISE to the correct IP address.
    I have a redirect ACL configured on the foreign controller which permits DNS, DHCP and traffic to and from the ISE.
    My questions are:
    1. Does the redirect ACL need to be present on both the foreign and anchor controllers?
    2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
    3. Does the redirect ACL need to be enabled on the advanced page of the WLAN on the foreign to override the interface ACL? I don't believe it does.
    4. Is ICMP still blocked by the WLC until the web authentication is complete?
    Thanks.
    Regards
    Roger

    Hi Roger,
    Thanks for your brief explanation here are the answers for your queries.
    1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
    The only catch is that since this web authentication method is Layer 2, you have to be aware that it will be the foreign WLC that does all of the RADIUS work. Only the foreign WLC contacts the ISE, and the redirection ACL must be present also on the foreign WLC.
    2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
    Yes, you have to configure the ISE server address on the anchor WLC.
    3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL
    Yes, you should override AAA under advanced tab of WLAN as ACL will be present on the foreign WLC.
    4. Yes, ICMP will work only after the web auth is successfully completed.
    Please do go through the link below to understand the Anchor-Foreign scenario.
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11
    Regards
    Salma

  • DMZ Anchor Controller

    I'm having trouble setting up an Anchor Controller on my DMZ. I have set everything up and tested it out on my inside network and the Anchor Controller comes up with no problem. When I put the Anchor Controller on the DMZ the data path is up but the control path is down. I can do EPINGs but MPINGs fail every time. The DMZ is secured by a Checkpoint firewall. I've made sure ports UDP 16666, 16667 and TCP 97 are open on the firewall. It looks like the traffic is going out to the Anchor controller on the DMZ but not coming back in to establish the tunnel. I've contacted Checkpoint but their support is not the best and I'm wondering if anyone has support for a Checkpoint firewall. Thanks in advance

    From Chapter 10 of the Enterprise Mobility 4.1 Design Guide -
    http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidance09186a00808d9330.html
    The following verifications and troubleshooting tasks assume the following:
    • The solution is using the web authentication functionality resident in the anchor controller(s).
    • User credentials are created and stored locally on the anchor controller(s).
    Before attempting to troubleshoot the various symptoms below, at the very least you should be able to ping from the campus (foreign) controller to the anchor controller(s). If not, verify routing.
    Next, you should be able to perform the following advanced pings. These can only be performed via the serial console interfaces of the controllers:
    • mping <neighbor WLC ip>: this pings the neighbor controller through the LWAPP control channel.
    • eping <neighbor WLC ip>: this pings the neighbor controller through the LWAPP data channel.
    If a standard ICMP ping goes through, but mpings do not, ensure that the default mobility group name of each WLC is the same, and ensure that the IP, MAC, and mobility group name of each WLC is entered in the mobility members list of every WLC.
    If pings and mpings are successful, but epings are not, check the network to make sure that IP protocol 97 (Ethernet-over-IP) is not being blocked.
    Please make sure that the mobility group names are on each other's controller.
    Hope this helps

  • Guest Traffic Segregation without using Anchor Controller

    Hi
    I need help in clarifying: is there any other option available to segregate the guest traffic from CORP on the internal WLC itself, without using an anchor controller?

    Well, I really can't tell you or else it would be a book. You either have to use ACLs on your layer 3 to deny traffic from your guest subnet to your internal network; nothing has to change on the WLC. Or, if you want to connect one port of the WLC to the DMZ, then disable LAG on the WLC and use port one as primary for the internal traffic, which includes management, and another port on the WLC as primary for the guest.
    Sent from Cisco Technical Support iPhone App

  • Anchor controller configuration in 8.0.110 code

    Hi Experts ,
    We have upgraded our controllers to 8.0.110 code. Since then our guest network is down. All the tunnels between our Foreign and Anchor controllers show down. The eping command is not supported. We are unable to do mping.
    Any suggestion on this.

    You can use auto-anchor mobility (also called guest tunneling) to improve load balancing and security for roaming clients on your wireless LANs. Under normal roaming conditions, client devices join a wireless LAN and are anchored to the first controller that they contact. If a client roams to a different subnet, the controller to which the client roamed sets up a foreign session for the client with the anchor controller. However, when you use the auto-anchor mobility feature, you can specify a controller or set of controllers as the anchor points for clients on a wireless LAN.
    In auto-anchor mobility mode, a subset of a mobility group is specified as the anchor controllers for a WLAN. You can use this feature to restrict a WLAN to a single subnet, regardless of a client's entry point into the network. Clients can then access a guest WLAN throughout an enterprise but still be restricted to a specific subnet. Auto-anchor mobility can also provide geographic load balancing because the WLANs can represent a particular section of a building (such as a lobby, a restaurant, and so on), effectively creating a set of home controllers for a WLAN. Instead of being anchored to the first controller that they happen to contact, mobile clients can be anchored to controllers that control access points in a particular vicinity.
    When a client first associates to a controller of a mobility group that has been preconfigured as a mobility anchor for a WLAN, the client associates to the controller locally, and a local session is created for the client. Clients can be anchored only to preconfigured anchor controllers of the WLAN. For a given WLAN, you should configure the same set of anchor controllers on all controllers in the mobility group.
    When a client first associates to a controller of a mobility group that has not been configured as a mobility anchor for a WLAN, the client associates to the controller locally, a local session is created for the client, and the client is announced to the other controllers in the mobility list. If the announcement is not answered, the controller contacts one of the anchor controllers configured for the WLAN and creates a foreign session for the client on the local switch. Packets from the client are encapsulated through a mobility tunnel using EtherIP and sent to the anchor controller, where they are decapsulated and delivered to the wired network. Packets to the client are received by the anchor controller and forwarded to the foreign controller through a mobility tunnel using EtherIP. The foreign controller decapsulates the packets and forwards them to the client.
    In controller software releases prior to 4.1, there is no automatic way of determining if a particular controller in a mobility group is unreachable. As a result, the foreign controller may continually send all new client requests to a failed anchor controller, and the clients remain connected to this failed controller until a session timeout occurs. In controller software release 4.1 or later releases, mobility list members can send ping requests to one another to check the data and control paths among them to find failed members and reroute clients. You can configure the number and interval of ping requests that are sent to each anchor controller. This functionality provides guest N+1 redundancy for guest tunneling and mobility failover for regular mobility.
    If multiple Controllers are added as mobility anchors for a particular WLAN on a foreign Controller, the foreign Controller internally sorts the Controllers by their IP address. The Controller with the lowest IP address is the first anchor. For example, a typical ordered list would be 172.16.7.25, 172.16.7.28, 192.168.5.15. If the first client associates to the foreign controller's anchored WLAN, the client database entry is sent to the first anchor Controller in the list, the second client is sent to the second Controller in the list, and so on, until the end of the anchor list is reached. The process is repeated starting with the first anchor Controller. If any of the anchor Controllers is detected to be down, all the clients anchored to the Controller are deauthenticated, and the clients then go through the authentication/anchoring process again in a round-robin manner with the remaining Controllers in the anchor list. This functionality is also extended to regular mobility clients through mobility failover. This feature enables mobility group members to detect failed members and reroute clients.
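    The anchor ordering, round-robin distribution and failover behaviour described above, as an added toy model (not Cisco code, and not a real WLC implementation). It assumes a constructed anchor list using the three example addresses from the text and a hypothetical "missed mobility pings" counter standing in for the configurable ping count and interval.

```python
"""Toy model of WLC auto-anchor selection (constructed example, not Cisco code).

Anchors are ordered numerically by IP address, new clients are handed out
round-robin, and an anchor that misses enough mobility pings is declared down:
its clients are deauthenticated and re-anchored round-robin on the survivors.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AnchorList:
    # Anchor IPs as configured on the foreign WLC; configuration order is irrelevant.
    configured: List[str]
    # Hypothetical threshold: consecutive failed pings before a member is "down".
    max_missed_pings: int = 3
    _anchors: List[str] = field(init=False)
    _next: int = field(default=0, init=False)
    _missed: Dict[str, int] = field(init=False)
    # client MAC -> anchor IP currently holding that client's session
    sessions: Dict[str, str] = field(default_factory=dict, init=False)

    def __post_init__(self) -> None:
        # The foreign WLC sorts anchors by IP address, lowest first (numeric, not lexical).
        self._anchors = sorted(self.configured, key=ipaddress.ip_address)
        self._missed = {a: 0 for a in self._anchors}

    def ordered_anchors(self) -> List[str]:
        return list(self._anchors)

    def anchor_client(self, mac: str) -> Optional[str]:
        """Send a new client's entry to the next anchor in round-robin order."""
        if not self._anchors:
            return None  # every anchor is down: nothing can terminate the tunnel
        anchor = self._anchors[self._next % len(self._anchors)]
        self._next = (self._next + 1) % len(self._anchors)
        self.sessions[mac] = anchor
        return anchor

    def ping_result(self, anchor: str, reachable: bool) -> List[str]:
        """Record one mobility ping; returns the MACs deauthenticated if the anchor failed."""
        if anchor not in self._missed:
            return []
        if reachable:
            self._missed[anchor] = 0  # a successful ping resets the failure count
            return []
        self._missed[anchor] += 1
        if self._missed[anchor] < self.max_missed_pings:
            return []
        return self._fail_anchor(anchor)

    def _fail_anchor(self, anchor: str) -> List[str]:
        # Drop the failed member and deauthenticate every client anchored to it.
        self._anchors.remove(anchor)
        del self._missed[anchor]
        if self._anchors:
            self._next %= len(self._anchors)
        dropped = [m for m, a in self.sessions.items() if a == anchor]
        for m in dropped:
            del self.sessions[m]
        # Deauthenticated clients re-associate and are anchored again, round-robin
        # across the remaining anchors.
        for m in dropped:
            self.anchor_client(m)
        return dropped


if __name__ == "__main__":
    al = AnchorList(["192.168.5.15", "172.16.7.28", "172.16.7.25"])
    print("ordered:", al.ordered_anchors())
    for mac in ("c1", "c2", "c3", "c4"):
        print(mac, "->", al.anchor_client(mac))
    for _ in range(3):
        dropped = al.ping_result("172.16.7.28", False)
    print("deauthenticated:", dropped, "re-anchored to", {m: al.sessions[m] for m in dropped})
```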

  • Originating more than 1 EoIP tunnel to an anchor controller possible?

    I'm attempting to set up (for testing purposes) a 2nd 'guest' SSID on an internal WLC (WLC-A), and terminate it in a DMZ on an anchor controller (WLC-B).  We already have a guest SSID originating on WLC-A and terminating on WLC-B though.  Is it possible to originate a 2nd guest SSID on WLC-A?
    WLC-A - 2504 (7.2.x)
    WLC-B - 5508 (7.2.x)
    The problem I'm seeing is I'm getting no DHCP address assigned on the test SSID.  If I statically assign IP information I still have no connectivity.  It's as if the EoIP tunnel for the 2nd test SSID isn't functional.
    TIA

    Also, when you do this, make sure you have the same SSID configuration on both WLCs. If you created a new test SSID on the foreign, you need to create a new test SSID on the anchor. The only difference in the configuration should be the interface. Also make sure the test SSID on the anchor is anchored to itself (local) and the test SSID on the foreign WLC is anchored to the anchor WLC. The test SSID on the anchor can share the same interface as the guest.
    Sent from Cisco Technical Support iPhone App
