ISE deployment in wireless infra without WLC (only Access Point 1240AG)

Hello All,
I have a 1240AG access point and am planning to deploy ISE as an external RADIUS server. I would like to know how the different authorization policies need to be configured in the AP/ISE, and whether I can use named ACLs or VLANs (CoA) as enforcement types without the use of a WLC. If yes, then how?
Thanks in advance.

Hi,
You can perform CoA on standalone APs; you will need to have an Inline Posture Node in order to reap the benefits of CoA. You may have heard this from VPN-related deployments. If you are in the design phase of this project, you may want to pursue controllers, because the latest rumor is that the Inline Posture Node may be dropped, since Cisco is planning on supporting CoA on all their devices once the 9.x code drops for the ASAs. However, please contact your Cisco rep for an official response.
Here is the footnote in the following link: "Autonomous AP deployments (no WLC) also require deployment of an Inline Posture Node for posture support."
http://www.cisco.com/en/US/docs/security/ise/1.1/compatibility/ise_sdt.html#wp55038
Thanks,
Tarik admani

Similar Messages

  • Third Party Signal Repeaters/Wireless Extenders for Boosting Cisco Access Points Indoors

    We have some buildings that have access points (Cisco 2602e with 6dBi Terrawave omni antennas) in the hallways, in which the clients residing in rooms aren't receiving a strong enough signal to connect at suitable rates. The main reason for this is the large thick doors utilized for the client rooms reducing the strength of the signal, and we weren't authorized to place APs inside the rooms. Nor are we able to modify the structure of the building, such as changing the doors. We can't ask or expect the clients to keep their doors open to receive a stronger signal. I've tweaked the Tx power for the APs, and lowered the mandatory rates on the WLC for this location under the RF profile created for it, but this isn't resolving the issue with the weak signal.
    One band-aid solution idea was to place signal repeaters (low profile) inside each room, behind the wall/door area facing the hallway. I've seen a few third-party products online, but they seem to only come in support of the 2.4GHz band. If this is a feasible solution, then it looks like we wouldn't be able to support clients on the 5GHz band on our AP, as clients would most likely connect to the 2.4GHz band due to a stronger signal, limiting our load balancing on the AP. Does anyone have experience with using signal repeaters that work properly with Cisco APs?
    Not the ideal situation, but have the hands strapped on what we can do.

    If you've got a WLC, then disable TPC and crank up the power to full.  

  • Locating failed wireless login attempts and which access point they're hitting

    We have a cisco 5508 WLC with about 190 access points.  They use Cisco Secure ACS to authenticate Microsoft Active Directory logins.  We sometimes get non-normal accounts attempting to login to our wireless but are unable to figure out which access point they're hitting.  
    When I look at the failed attempts in our Cisco Secure ACS 5.5 Radius Authentications report, I don't see an IP address, just the MAC address of the failing device.  Is there a way to configure either the WLC or the ACS box to report either the IP address or MAC address of the access point they're connecting to?

    Is this something I need to set the ACS or WLC to send?  When I go to Other attributes in the "Authentications - RADIUS - Today" report, this is all I'm currently seeing.
    Other Attributes:
    ACSVersion=acs-5.5.0.46-B.723 
    ConfigVersionId=3 
    DetailedInfo=Invalid username or password specified, Retry is  allowed

  • Windows 7 or 8 shows the wireless client connected to the access point but the wireless icon displays "No connection to the internet"

    I have seen the same issue working with a different vendor's wireless solution. When I sniffed the air with OmniPeek and the network the AP was on with Wireshark, I see the ARP request for the gateway go to the router, the reply from the gateway router is sent out to the suspect machine in the air, the PC ACKs the packet but never populates the ARP cache. I have looked at both ARP responses in a working vs failing scenario, both packets are the same.
    The only way I have been able to resolve it was to disable IP Helper (start up too) from Services, reboot the machine. I was seeing 3 to 4 drops per day but since disabling this Service the machines I have been testing with have not seen the issue again.
    IP Helper:
    Provides tunnel connectivity using IPv6 transition technologies (6to4, ISATAP, Port Proxy, and Teredo), and IP-HTTPS. If this service is stopped, the computer will not have the enhanced connectivity benefits that these technologies offer.
    Machines Tested and Fixed:
    Lenovo E540
    Lenovo W540
    Acer Aspire One
    Dell Latitude E6420
    The IP Helper service change was made on 40 laptops, a dozen of which would fail in about an hour. So far 0 out of the 40 has seen the issue since making the change and rebooting (rebooting is key after the disable) the laptops. It's been about 5 days.
    Any reason why disabling this Service fixes the issue? With it on I can replicate the issue pretty quickly on a few different machine types so it does not seem to be driver or wireless NIC vendor specific. I've checked through the event viewer logs but nothing seems to be triggered during the time of the issue. Using the troubleshooter or disconnecting from the wireless service will fix the issue for only a short time.

  • Belkin Wireless G Universal Range Extender/Access Point (F5D7132UK)

    Hi
    Anyone have experience using AEs with this Belkin product?
    I have followed the instructions and the Belkin seems to work as described in the manual BUT after about 5 mins or so 3 out of 4 of my AEs disappear from Airport Admin Util and the corresponding speakers are not available via itunes.
    Thanks
    Tony S

    Sorted the problem.  There was nothing wrong with the Edimax repeater or the printer.  I had sited the printer on the shelf under the TV in the conservatory.  Above the shelf is a sky box with a 2.4 Gig AV transmitter connected to it (to send Sky TV to the kitchen).  Powering off the AV transmitter allowed a connection to the repeater.  For info the separation between the AV transmitter and the printer was around 250mm.  I have now moved the AV transmitter away from the printer (by connecting it via a scart lead rather than directly to the sky box).  
    Wireless printer up and running!

  • No network connection btw WLC and access points

    Hi,
    There is no L3 network connection to some of the 1522 APs in our mesh network.
    They register with the 4402 WLC (5.2.157.0), i.e. appear in the AP list. When sending ping packets to the APs' IP addresses from the WLC or a PC there is no response, but I can see the APs' MAC addresses with the "arp" command. Users connected to these APs cannot access the wired network; also, in Monitor -> Current clients -> Detail, "Auth" is Yes for users who can access the wired network and No for those who cannot.
    Any advice would be appreciated.
    TIA.

    Today I found out that AP-15 in the following mesh configuration was the source of the problem:
    No network connection to AP-15 and its child APs (AP-19, A-17, B-18, B-14, A-16); when testing links with "child" (AP-19) and "parent" (AP-21) APs, "Error: Cannot get stats from the destination ap" message, but it sends and receives packets to and from other neighbor APs.
    After Hardware Reset on WLC web interface AP-15 functions normally.
    Here is the mesh configuration:
    =======================================================
    ||  AP Name [Hop Counter, Link SNR, Bridge Group Name] ||
    =======================================================
    [Sector 1]
    Central_AP-10[0,0,default]
      |-AP-21[1,42,default]
        |-AP-15[2,31,default]
          |-AP-19[3,39,default]
            |-A-17[4,37,default]
            |-B-18[4,40,default]
            |-B-14[4,39,default]
              |-A-16[5,31,default]
        |-AP-22[2,22,default]
      |-AP_02-12[1,26,default]
        |-AP_03-20[2,39,default]
    Number of Mesh APs............................... 11
    Number of RAPs................................... 1

  • Virtual WLC supported Access Points

    Dear All,
    I read minimum code version of AP should be 7.3.
    Someone please tell me the supported AP models for VWLC 7.4 series..?
    KVS

    Many thanks for your reply.
    So, Access points that are supported 7.3 code can be used to register with vWLC..?
    7.3.x
    1522, 1524PS, 1524SB, 1552E, 1552H, 1552I, 1552C, 1552EU, 1552CU, 1552S, 1130, 1240, 1250, 1260, 2600, 3500e, 3500i, 3600e, 3600i, 3500p, 1140, 600 OEAP, AP801, AP802
    Thanks in advance...

  • NAC Out-of-Band Deployment for wireless networks

    I am evaluating the NAC appliance for my wired and wireless users. I have read that the only way to deploy NAC for wireless is in-band mode, but it looks like the following link says that it is possible to deploy NAC for wireless networks in in-band or out-of-band mode:
    "NAC Appliance can be deployed for WLANs as an in-band deployment for full-time endpoint scanning or out-of-band within a central site for periodic scanning to confirm posture compliance. The NAC Appliance server performs authentication, posture assessment, and remediation. The server securely controls authenticated and unauthenticated user traffic by managing traffic policies based on protocol/port or subnet, providing bandwidth policy management based on shared, or per-user bandwidth, or using time-based sessions and heartbeat controls. (Figure 1)"
    http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps6521/prod_brochure0900aecd80355b2f_ps6128_Products_Brochure.html
    Does anyone know if it is possible to use NAC out-of-band deployment for wireless networks? If you can point me to some documentation it will be appreciated.
    Regards

    Thanks Robert.
    In my case I am planning to deploy a central NAC appliance at the main office to control some branch offices and local wired users at the main office. The NAC appliance will operate in out-of-band mode. But for wireless users at the main office I will need an additional NAC appliance operating in in-band mode, is this correct?
    Regards

  • Broadcast SSID only on defined Access Points?

    I'm using a Cisco Wireless LAN Controller 5508, 14x Access Points 1041 and 6x Access Points 1031 in combination with a NCS 1.0.
    Is it possible to broadcast SSIDs only on defined Access Points, e.g. AP 1-3, 7-10, 18? If yes, what do I have to do?
    Kind regards
    Kai

    Quick question, can you validate the below scenario please
    We have seven SSIDs
    WLAN           Dynamic interface that it's mapped to
    WHSE10          VLAN10-10.0.10.0/24             
    WHSE20          VLAN20-10.0.20.0/24
    WHSE30          VLAN30-10.0.30.0/24
    WHSE40          VLAN40-10.0.40.0/24
    Office50           VLAN50-10.0.50.0/23
    Office60           VLAN60-10.0.60.0/23
    Guest70           VLAN70-172.16.8.0/23
    We have around 40 access points in the warehouse and 20 APs in the office, and we are broadcasting SSIDs everywhere, meaning office and guest SSIDs exist on the WHSE APs and WHSE SSIDs exist on office APs.
    Does having more SSIDs on the APs affect their power (signal strength) in any way?
    APgroup1- WHSE-GROUP- (will add VLAN10,VLAN20,VLAN30,VLAN40 interfaces)
    APgroup2- WHSE-OFFICE- (Will add all VLANS-10,20,30,40,50,60 and 70)
    APgroup3- OFFICE-GROUP-( Will add only office and Guest WLANs- VLAN50,60 and 70)
    We won't need to broadcast any WHSE SSIDs in the office area, so we will add the office APs to APgroup3- OFFICE-GROUP
    The WHSE APs will need to advertise both office and WHSE SSIDs, but we don't need to broadcast office SSIDs everywhere in the warehouse, so we assign some APs in WHSE to APgroup2- WHSE-OFFICE and some to APgroup1- WHSE-GROUP
    How does the client roaming work in the above scenario when they move from APs in APgroup1 to APs in APgroup2 (I don't think this will be any different than normal client roaming from one AP to another AP but I want to make sure)
    Thanks for the help
    Siddhartha

  • Roaming between RV220W wireless router and WAP121 Access Point

    Hello, I have recently purchased an RV220W wireless router and a WAP121 access point and I would like to allow my users to "roam" between the two networks as needed (so when the user is closer to whichever one, they connect to that one since it has a better signal). For the most part I only have experience in Cisco IOS and in actual routers, not the wireless stuff, so my knowledge has not exactly transferred over well.

    William,
    WDS will not work between the RV220W and WAP121 due to incompatible chipsets. The RV220W can be repeated using WDS by another RV220W or RV180W only. You will need to plug the WAP121 into the RV220W or try WorkGroup Bridge mode to repeat the signal.
    Regarding roaming, the router or AP are not aware of each other and do not have the capability to disconnect a client and help them connect to the AP with the stronger signal. The client will switch to the stronger AP only when the original signal is lost.
    The Aironet (enterprise) devices have the ability to utilize a wireless LAN controller which can help keep devices connected to the stronger signal and allow truly seamless roaming between APs.
    - Marty

  • WCS displays Access Point as disassociated but WLC shows as associated

    Hi all,
    I have a WCS ver 7.0.172 and a 5508 WLAN Controller with ver 7.0.116.0. At this WLC 21 Access Points (AIR-LAP1131AG-E-K9) were associated. I also have one CleanAir Access Point (AIR-CAP3502E-E-K9) associated.
    And now ... my problem:
    every time the WCS got a critical error and reports that the AP is disassociated from Controller. But if I take a look to the WLC the AP is associated and works at local mode and have two clients associated.
    I cleared the alarm - a few minutes later the alarm will be reported again. Same result if I delete the alarm.
    Could anybody give support for that issue?
    Thanks and regards
    Holger

    Hi Holgerseiler,
    Have you got any information/solution on this issue?
    I also have the same kind of issue. I have a WCS with version 7.0.172.0, and around 25 WLCs (version 7.0.116.0, in those I checked) and in total around 1000 APs are associated in the wireless network.
    Some error messages are coming on my WCS device like
    "AP disassociated from Controller [ip]"
    Here AP name and WLC ip address will change randomly, but there is no impact on my network.
    Thanks in advance
    Sangeeth BS

  • Access points joining different WLC

    hi
    I have a wireless controller module (NME-AIR-WLC25-K9) installed in a Cisco 2851 ISR. This setup is in my remote site; we are connected through a MAN network. In our main office I have a Cisco 4402 wireless controller. So whenever I install an AP in my remote site, instead of joining the remote site WLC, the access point joins my main office 4402 controller. I don't know why it is happening; the AP is not even trying to join the remote site WLC. I have not configured high availability and both these controllers are in separate RF networks.
    The firmware version in NME-AIR-WLC25-K9 is 7.0.98.0 ...
    The version in the other controller is 6.0.196.0
    Please let me know what else I need to check ASAP
    Thanks
    karthik

    Hi,
      Did you even see the AP trying to join the local controller?  If the controllers are in different domains, the AP will prefer the remote controller since it joined that one first.  Since you are running 5.2, try configuring on the AP the primary controller with the name and local IP address of the local controller, and then reboot the AP.  See if the AP joins after that. Run debug capwap events enable to see if you see the AP trying to join the controller.
    Regards,
    Manuel

  • Need Information For Connecting Access point to WLC 4402

    Hi Friends
    I need some information for connecting my new access point (Cisco AIRLAP 1242AG) to a WLC (4402) controller.
    In our network setup we have two WLCs (4402); we need to connect this new access point to one of our WLCs.
    My access point is brand new. I need to know what I have to do in order to connect this AP to the controller (from the access point perspective and the WLC perspective).
    I need to know what I need to do on the AP to connect to the controller.
    Do I need to assign a static IP address for the AP, or after connecting to the switch does it automatically get an IP from DHCP and register with the controller?
    Do I need to configure my AP with a default gateway (the switch to which it is connected?) and do I need to configure the AP with the controller IP address?
    Please assist
    Regards
    Safwan

    Hi Scot...
    We tried connecting the access point yesterday, but it failed....
    We are using a Cisco 3500 access point ...
    When we connected, first it automatically got an IP address using DHCP, but the following error occurred:
    P70ca.9bd5.77c6#
    AP70ca.9bd5.77c6#
    AP70ca.9bd5.77c6#
    Not in Bound state.
    *Mar  1 00:13:56.539: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination
    *Mar  1 00:13:56.555: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.50.11.26, mask 255.255.0.0, hostname AP70ca.9bd5.77c6
    *Mar  1 00:14:04.564: %CAPWAP-3-UNSUPPORTED_WLC_VERSION: Unsupported version 6.0.182.0 on WLC USSTLController01
    *Mar  1 00:14:14.564: %CAPWAP-3-UNSUPPORTED_WLC_VERSION: Unsupported version 6.0.182.0 on WLC USSTLController01
    *Mar  1 00:14:24.564: %CAPWAP-3-UNSUPPORTED_WLC_VERSION: Unsupported version 6.0.182.0 on WLC USSTLController01
    Then I configured the AP with a static IP address, default gateway and controller IP, but that too didn't work...
    AP70ca.9bd5.77c6>
    AP70ca.9bd5.77c6>
    AP70ca.9bd5.77c6>
    AP70ca.9bd5.77c6>
    *Mar  1 00:13:40.908: %CDP_PD-2-POWER_LOW: All radios disabled - NEGOTIATED WS-C3750X-48P (e05f.b907.9a20)
    AP70ca.9bd5.77c6>
    AP70ca.9bd5.77c6>
    AP70ca.9bd5.77c6>en
    Password:
    AP70ca.9bd5.77c6#
    *Mar  1 00:13:48.033: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
    AP70ca.9bd5.77c6#
    AP70ca.9bd5.77c6#
    AP70ca.9bd5.77c6#
    I also need to know whether the Cisco access point 3500 can be associated with WLC 4402 (version 6.0.182.0)?
    Please advise how to proceed further

  • Lightweight access-point joined the wireless controller but no radio channels

    A customer has a wireless controller 2106 and uses access point AIR-LAP1252G-E-K9. On the access point the LEDs indicate: Ethernet and radio are blinking green and status is green.
    Please help, I am at the customer's company now

    The AP1252 has higher power requirements than some of the Cisco PoE switches provide.  Depending on the switch you are plugging them into you will get enough power to power up the device and connect to a controller but not enough to power up the antennas.  Options that can work include:
    1) Removing one of the antennas if you are not going to use it (or as a temporary workaround to get some wireless)
    2) Using an external power supply
    3) Using an external inline power appliance system that supplies enough power (http://www.microsemi.com/powerdsine/ is one example).
    4) Depending on the type of switch you are connecting to you may be able to upgrade code to provide a higher amount of power to the port.  For instance, a Catalyst 6500 by default supplies 15.8 watts of power to a port.  But if you upgrade the code to 12.2(33)SXH2? I believe you can get 16.8 watts of power and this is enough to bring up both antennas on the AP.  But even then you don't have enough power to run the upper N speeds - I think anything above 72 Mbps is unattainable.
    Other AP models such as the 1140 have lower power requirements and may work better for you.

  • Access Points keep associating and disassociating from WLC

    I have numerous access points, both 3502s and 3602s, that are connected to Cisco 2960S PoE switches that will disassociate and then reassociate themselves with the WLC.  The WLC and access points are running 7.4.110.0.  The particular Cisco 2960S PoE switch in this case is running 12.2(55)SE3, RELEASE SOFTWARE (fc1).   This is becoming a widespread issue.

    When the AP recovers, what is the physical up time and WLC association time?
    Now if your AP(s) regularly reboot then I'd suggest you test the cable runs using the on-board TDR feature of your switch.
