LAP local - frequently disassociated WLC

Hi,
I have a WLC 4402-40 with code 5.0.148.0 with 27 APs.
Two APs are often disassociated from the WLC.
The two APs are the same model as the others and all APs are on the local LAN.
This is the Time Statistics:
Time Statistics
UP Time
Controller Associated Time
Controller Association Latency
The other APs have the same Controller Association Latency.
Is there a log that can give information as to why the APs are disassociated?
On these two APs I configured the name of the primary WLC.
Regards.
Mirko Severi.

Correct, if you are using a controller setup then H-REAP with local switching is the only way to dump traffic locally to the AP.

Similar Messages

  • 1252 LAP won't join WLC

    Hi all
    I'm having an issue with a 1252 LAP that is connected to the WLC over a WAN link.
    Basically, it won't associate. The following is taken from a console into the LAP:
    *Mar 1 00:00:07.799: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to up
    *Mar 1 00:00:08.799: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
    *Mar 1 00:00:26.851: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY
    *Mar 1 00:00:27.003: Logging LWAPP message to 255.255.255.255.
    %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
    %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
    %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.148.x.x, mask 255.255.255.0, hostname AP0022.90a3.533a
    Translating "CISCO-LWAPP-CONTROLLER.nation.radix"...domain server (10.x.x.x)
    %LWAPP-3-CLIENTEVENTLOG: Controller address 10.x.x.x obtained through DHCP
    %LWAPP-3-CLIENTEVENTLOG: Did not get log server settings from DHCP.
    %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated
    %LWAPP-3-CLIENTEVENTLOG: Performing DNS resolution for CISCO-LWAPP-CONTROLLER.nation.radix
    %LWAPP-3-CLIENTERRORLOG: DNS Name Lookup: could not resolve CISCO-LWAPP-CONTROLLER.nation.radix
    %LWAPP-5-CHANGED: LWAPP changed state to JOIN
    %LWAPP-3-CLIENTERRORLOG: Join Timer: did not recieve join response (controller - Fxxxxxxx)
    %LWAPP-3-CLIENTERRORLOG: Set Transport Address: no more AP manager IP addresses remain
    %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: DID NOT GET JOIN RESPONSE.
    %LWAPP-5-CHANGED: LWAPP changed state to DOWN
    IOS Bootloader - Starting system.
    Xmodem file system is available.
    The ap-manager interface is configured correctly and there isn't a duplicate IP address.
    The LAP was initially stand alone and was converted to LWAPP.
    The MTU over the WAN link is 1500 bytes.
    All I'm getting from the WLC debugs is:
    Mon Jul 20 11:42:59 2009: 00:22:xx:xx:xx:xx Received LWAPP DISCOVERY REQUEST from AP 00:22:xx:xx:xx:xx to 00:19:xx:xx:xx:xx on port '29'
    Mon Jul 20 11:42:59 2009: 00:22:xx:xx:xx:xx LWAPP Discovery Request AP Software Version: 0x3003300
    Mon Jul 20 11:42:59 2009: 00:22:xx:xx:xx:xx Successful transmission of LWAPP Discovery Response to AP 00:22:xx:xx:xx:xx on port 29
    So basically the join messages don't seem to reach the WLC. In fact they don't even seem to reach the local router on the remote subnet. The discovery packets are seen on the local router but the joins don't seem to appear at all.
    I'm not sure if it's a latency issue. Average latency over the WAN link is under 70ms.
    I'm assuming the certificate on the WAP is MIC and the MAC details have been entered into the WLC AP Security policies for authentication. I'm not seeing any debugging messages relating to bad authentication at all.
    I can't debug from the LAP as it's LWAPP, obviously.
    I've been through many Cisco documents trying to troubleshoot the problem, including this http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00808f8599.shtml, but can't find a solution.
    We're running WLC version 4.2.130.0.
    Can anyone help?
    Thanks
    Brodie

    I assume you have connected to the router's AUX and are doing reverse telnet. You should be getting a Password: prompt on your LAP's console. Password and Enable are both Cisco. Below is console output from my lab's 1250 LAP after erasing the configuration (which can only be initiated from the controller). In my case, the VLAN is not configured with Option 43 and there is no proper DNS, so the LAP doesn't join the controller.
    By the way, your best bet might be to convert this LAP back to IOS and then back to LAP again. Use this method:
    http://www.cisco.com/en/US/docs/wireless/access_point/conversion/lwapp/upgrade/guide/lwapnote.html#wp160918
    Do you have "Authorize APs against AAA" checked under Security > AP Policies in any of your WLCs?
    Press RETURN to get started!
    *Mar 1 00:00:07.099: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
    *Mar 1 00:00:07.619: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1
    *Mar 1 00:00:08.595: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to up
    *May 10 23:17:25.199: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
    *May 10 23:17:26.155: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, C1250 Software (C1250-K9W8-M), Version 12.4(10b)JDC, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Fri 01-May-09 10:49 by prod_rel_team
    *May 10 23:17:26.155: %SNMP-5-COLDSTART: SNMP agent on host ap is undergoing a cold start
    *May 10 23:17:27.183: %SSH-5-ENABLED: SSH 2.0 has been enabled
    *May 10 23:17:27.387: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *May 10 23:17:27.387: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *May 10 23:17:28.439: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *May 10 23:17:28.439: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *May 10 23:17:30.783: %LWAPP-3-CLIENTERRORLOG: ../lwapp/lwapp_l2.c:152 - discarding msg type 12 in state 0
    *May 10 23:17:30.783: %CDP_PD-4-POWER_OK: Full power - AC_ADAPTOR inline power source
    *May 10 23:17:30.795: %DOT11-6-FREQ_SCAN: Interface Dot11Radio0, Scanning frequencies for 16 seconds
    *May 10 23:17:44.571: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY
    *May 10 23:17:44.731: Logging LWAPP message to 255.255.255.255.
    %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated
    %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 172.16.8.3, mask 255.255.255.0, hostname AP0022.558e.24bc
    User Access Verification
    Password:
    AP0022.558e.24bc>en
    Password:
    AP0022.558e.24bc#show lwapp ?
    client LWAPP Client Information
    ids LWAPP IDS Information
    ip LWAPP IP configuration
    mcast LWAPP Mcast Information
    reap LWAPP REAP Information
    rm LWAPP RM Information
    AP0022.558e.24bc#show lwapp client config
    AP0022.558e.24bc#
    AP0022.558e.24bc#ping 3.45.47.143
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 3.45.47.143, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
    AP0022.558e.24bc#

  • 1310 LAP unable to join WLC 5508

    Hi All,
    Wishing you a very happy new year,
    I have an (AIR-LAP1310G-E-K9R) and I tried to join it to WLC 5508 but I'm facing an error,
    I get this error from the LAP 1310 console as below:
    Compiled Mon 17-Jul-06 11:45 by alnguyen
    *Mar  1 00:00:05.289: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
    *Mar  1 00:00:06.289: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
    *Mar  1 00:00:23.337: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY
    *Mar  1 00:00:33.477: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned DHCP address 10.114.36.25, mask 255.255.255.0, hostname APe4d3.f1c2.8882
    examining image...
    *Mar  1 00:00:44.781: %LWAPP-5-CHANGED: LWAPP changed state to JOIN
    *Jan 11 15:21:37.178: %LWAPP-5-CHANGED: LWAPP changed state to IMAGE
    %Error opening  (Protocol error)archive download: takes 6 seconds
    *Jan 11 15:21:43.178: LWAPP_CLIENT_ERROR_DEBUG:  Retransmission count for packet exceeded more than max(IMAGE_DATA, 1)
    *Jan 11 15:21:43.178: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY
    *Jan 11 15:21:43.179: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY
    *Jan 11 15:21:43.181: LWAPP_CLIENT_ERROR: not receive read response(3)
    *Jan 11 15:21:43.185: lwapp_image_proc: unable to open tar file
    *Jan 11 15:21:43.200: %SYS-5-RELOAD: Reload requested by lwapp image download proc. Reload Reason: Reason unspecified.
    *Jan 11 15:21:43.201: %LWAPP-5-CHANGED: LWAPP changed state to DOWN
    *Jan 11 15:21:43.207: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERYXmodem file system is available.
    flashfs[0]: 3 files, 2 directories
    flashfs[0]: 0 orphaned files, 0 orphaned directories
    flashfs[0]: Total bytes: 7741440
    flashfs[0]: Bytes used: 1861632
    flashfs[0]: Bytes available: 5879808
    flashfs[0]: flashfs fsck took 14 seconds.
    Base ethernet MAC Address: e4:d3:f1:c2:88:82
    Initializing ethernet port 0...
    Reset ethernet port 0...
    Reset done!
    ethernet link up, 100 mbps, full-duplex
    Ethernet port 0 initialized: link is up
    Loading "flash:/c1310-rcvk9w8-mx/c1310-rcvk9w8-mx"...#######################################################################################################################################################################
    File "flash:/c1310-rcvk9w8-mx/c1310-rcvk9w8-mx" uncompressed and installed, entry point: 0x3000
    executing...
                  Restricted Rights Legend
    Use, duplication, or disclosure by the Government is
    subject to restrictions as set forth in subparagraph
    (c) of the Commercial Computer Software - Restricted
    Rights clause at FAR sec. 52.227-19 and subparagraph
    (c) (1) (ii) of the Rights in Technical Data and Computer
    Software clause at DFARS sec. 252.227-7013.
               cisco Systems, Inc.
               170 West Tasman Drive
               San Jose, California 95134-1706
    Cisco IOS Software, C1310 Software (C1310-RCVK9W8-M), Version 12.3(11)JX1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2006 by Cisco Systems, Inc.
    Compiled Mon 17-Jul-06 11:45 by alnguyen
    Image text-base: 0x00003000, data-base: 0x00359EA0
    Initializing flashfs...
    flashfs[1]: 3 files, 2 directories
    flashfs[1]: 0 orphaned files, 0 orphaned directories
    flashfs[1]: Total bytes: 7741440
    flashfs[1]: Bytes used: 1861632
    flashfs[1]: Bytes available: 5879808
    flashfs[1]: flashfs fsck took 2 seconds.
    flashfs[1]: Initialization complete....done Initializing flashfs.
    cisco AIR-LAP1310G-E-K9R   (PowerPCElvis) processor (revision B0) with 24566K/8192K bytes of memory.
    Processor board ID FGL1649T00U
    PowerPCElvis CPU at 262Mhz, revision number 0x0950
    Last reset from reload
    LWAPP image version 3.0.51.0
    1 FastEthernet interface
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: E4:D3:F1:C2:88:82
    Part Number                          : 73-8960-09
    PCA Assembly Number                  : 800-24963-06
    PCA Revision Number                  : B0
    PCB Serial Number                    : FOC16447J1K
    Top Assembly Part Number             : 800-28479-05
    Top Assembly Serial Number           : FGL1649T00U
    Top Revision Number                  : D0
    Product/Model Number                 : AIR-LAP1310G-E-K9R
    Press RETURN to get started!
    *Mar  1 00:00:04.329: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, C1310 Software (C1310-RCVK9W8-M), Version 12.3(11)JX1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2006 by Cisco Systems, Inc.
    Compiled Mon 17-Jul-06 11:45 by alnguyen
    *Mar  1 00:00:05.289: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
    *Mar  1 00:00:06.289: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
    *Mar  1 00:00:23.337: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY
    *Mar  1 00:00:33.352: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned DHCP address 10.114.36.28, mask 255.255.255.0, hostname APe4d3.f1c2.8882
    examining image...
    *Mar  1 00:00:44.783: %LWAPP-5-CHANGED: LWAPP changed state to JOIN
    *Jan 11 15:21:37.189: %LWAPP-5-CHANGED: LWAPP changed state to IMAGE
    %Error opening  (Protocol error)archive download: takes 6 seconds
    *Jan 11 15:21:43.189: LWAPP_CLIENT_ERROR_DEBUG:  Retransmission count for packet exceeded more than max(IMAGE_DATA, 1)
    *Jan 11 15:21:43.189: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY
    *Jan 11 15:21:43.189: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY
    *Jan 11 15:21:43.192: LWAPP_CLIENT_ERROR: not receive read response(3)
    *Jan 11 15:21:43.195: lwapp_image_proc: unable to open tar file
    *Jan 11 15:21:43.210: %SYS-5-RELOAD: Reload requested by lwapp image download proc. Reload Reason: Reason unspecified.
    *Jan 11 15:21:43.210: %LWAPP-5-CHANGED: LWAPP changed state to DOWN
    *Jan 11 15:21:43.216: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERYXmodem file system is available.
    flashfs[0]: 3 files, 2 directories
    flashfs[0]: 0 orphaned files, 0 orphaned directories
    flashfs[0]: Total bytes: 7741440
    flashfs[0]: Bytes used: 1861632
    flashfs[0]: Bytes available: 5879808
    flashfs[0]: flashfs fsck took 14 seconds.
    Base ethernet MAC Address: e4:d3:f1:c2:88:82
    Initializing ethernet port 0...
    Reset ethernet port 0...
    Reset done!
    ethernet link up, 100 mbps, full-duplex
    Ethernet port 0 initialized: link is up
    Please Advise,
    Thanks in advance,
    Ahmed,

    Dear Stefan,
    Many thanks for your kind reply,
    Please find the information below:
    Controller Summary
    Management IP Address: 10.114.44.131
    Service Port IP Address: 10.114.23.20
    Software Version: 7.2.111.3
    Field Recovery Image Version: 6.0.182.0
    System Name: CIR906.WLC.5508
    Please Advise,
    Thanks,
    Ahmed,

  • Having trouble connecting 1141N LAP's to 2504 WLC

    I am using the WLC as a standalone device so I have set up an internal DHCP server so as to have the APs connect to the WLC and obtain an IP address using that internal DHCP server. When I connect the APs to the WLC through the PoE, the light flashes green and eventually goes solid green while loading up but then fails somehow and the light cycles blue, green, and red. Here is the console output of the AP while booting up and trying to connect to the WLC:
    IOS Bootloader - Starting system.
    FLASH CHIP:  Numonyx P33
    Checking for Over Erased blocks
    Xmodem file system is available.
    DDR values used from system serial eeprom.
    WRDTR,CLKTR: 0x87000800, 0x40000000
    RQDC, RFDC : 0x80000035, 0x00000208
    PCIE0: link is up.
    PCIE0: VC0 is active
    PCIE1: link is NOT up.
    PCIE1 port 1 not initialized
    PCIEx: initialization done
    flashfs[0]: 5 files, 2 directories
    flashfs[0]: 0 orphaned files, 0 orphaned directories
    flashfs[0]: Total bytes: 32385024
    flashfs[0]: Bytes used: 6676992
    flashfs[0]: Bytes available: 25708032
    flashfs[0]: flashfs fsck took 19 seconds.
    Reading cookie from system serial eeprom...Done
    Base Ethernet MAC address: 6c:20:56:8c:e1:fb
    Ethernet speed is 1000 Mb - FULL duplex
    Loading "flash:/c1140-rcvk9w8-mx/c1140-rcvk9w8-mx"...############################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################
    File "flash:/c1140-rcvk9w8-mx/c1140-rcvk9w8-mx" uncompressed and installed, entry point: 0x4000
    executing...
    enet halted
                  Restricted Rights Legend
    Use, duplication, or disclosure by the Government is
    subject to restrictions as set forth in subparagraph
    (c) of the Commercial Computer Software - Restricted
    Rights clause at FAR sec. 52.227-19 and subparagraph
    (c) (1) (ii) of the Rights in Technical Data and Computer
    Software clause at DFARS sec. 252.227-7013.
               cisco Systems, Inc.
               170 West Tasman Drive
               San Jose, California 95134-1706
    Cisco IOS Software, C1140 Software (C1140-RCVK9W8-M), Version 15.2(2)JB, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2012 by Cisco Systems, Inc.
    Compiled Tue 11-Dec-12 04:16 by prod_rel_team
    Initializing flashfs...
    FLASH CHIP:  Numonyx P33
    Checking for Over Erased blocks
    flashfs[2]: 5 files, 2 directories
    flashfs[2]: 0 orphaned files, 0 orphaned directories
    flashfs[2]: Total bytes: 32126976
    flashfs[2]: Bytes used: 6676992
    flashfs[2]: Bytes available: 25449984
    flashfs[2]: flashfs fsck took 6 seconds.
    flashfs[2]: Initialization complete.
    flashfs[3]: 0 files, 1 directories
    flashfs[3]: 0 orphaned files, 0 orphaned directories
    flashfs[3]: Total bytes: 11999232
    flashfs[3]: Bytes used: 1024
    flashfs[3]: Bytes available: 11998208
    flashfs[3]: flashfs fsck took 1 seconds.
    flashfs[3]: Initialization complete....done Initializing flashfs.
    Ethernet speed is 1000 Mb - FULL duplex
    This product contains cryptographic features and is subject to United
    memory validate-checksum 30
    ^
    % Invalid input detected at '^' marker.
    no ip http server
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
           ^
    % Invalid input detected at '^' marker.
    login authentication default
      ^
    % Invalid input detected at '^' marker.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    export@cisco.com.
    cisco AIR-LAP1141N-A-K9    (PowerPC405ex) processor (revision A0) with 81910K/49152K bytes of memory.
    Processor board ID FTX1714E0RY
    PowerPC405ex CPU at 586Mhz, revision number 0x147E
    Last reset from power-on
    LWAPP image version 7.4.1.37
    1 Gigabit Ethernet interface
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 6C:20:56:8C:E1:FB
    Part Number                          : 73-12836-05
    PCA Assembly Number                  : 800-33767-05
    PCA Revision Number                  : A0
    PCB Serial Number                    : FOC16345U29
    Top Assembly Part Number             : 800-33776-04
    Top Assembly Serial Number           : FTX1714E0RY
    Top Revision Number                  : A0
    Product/Model Number                 : AIR-LAP1141N-A-K9
    % Please define a domain-name first.
    logging facility kern
            ^
    % Invalid input detected at '^' marker.
    logging trap emergencies
            ^
    % Invalid input detected at '^' marker.
    Press RETURN to get started!
    *Mar  1 00:00:08.799: *** CRASH_LOG = YES
    Base Ethernet MAC address: 6C:20:56:8C:E1:FB
    *Mar  1 00:00:09.220: %LWAPP-3-CLIENTERRORLOG: Config load from flash failed. Initialising Cfg
    *Mar  1 00:00:10.915: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up
    *Mar  1 00:00:12.079: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
    *Mar  1 00:00:12.522: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, C1140 Software (C1140-RCVK9W8-M), Version 15.2(2)JB, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2012 by Cisco Systems, Inc.
    Compiled Tue 11-Dec-12 04:16 by prod_rel_team
    *Mar  1 00:00:12.564: %LWAPP-3-CLIENTERRORLOG: Config load from flash failed. Initialising Cfg
    *Mar  1 00:00:12.564: %CAPWAP-3-ERRORLOG: Failed to load configuration from flash. Resetting to default configlwapp_crypto_init: MIC Present and Parsed Successfully
    *Mar  1 00:00:13.534: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
    no bridge-group 1 source-learning
                       ^
    % Invalid input detected at '^' marker.
    %Default route without gateway, if not a point-to-point interface, may impact performance
    *Mar  1 00:00:45.650: %CDP_PD-2-POWER_LOW: All radios disabled - NEGOTIATED AIR-CT2504-K9 (f029.2988.2fa6)
    *Mar  1 00:00:51.014: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does not have an Ip !!
    *Mar  1 00:01:01.014: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does not have an Ip !!
    Then the console output just cycles continuously saying that last line over and over again.

    Well... it's not really supported connecting the AP to the WLC. If you want to get it working, the AP has to be on the same subnet as the management IP of the WLC. So your DHCP scope should be that of your management.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Local policies in WLC 7.5.x code

    Hi Experts,
    We have created a local policy to block Android devices in our network. However, our Windows 7 and 8 clients are also matching the profile under Android and are getting blocked.
    Is the WLC not doing the profiling properly, or are there any bugs?

    First off, v7.5 is deferred and you should move up to v7.6.130.0. I have no issues profiling devices on v7.6.130.0 and/or v8.0.x, but wouldn't go with v8.0.x as of right now. I have used local policies to place Windows 7 & 8 on a certain VLAN and place devices like Android, iPhone, etc. on a bogus VLAN for a given WLAN. Profiling isn't as feature rich as what you will get in ISE, but use it if it can work for you now. With new devices coming out, profiling might not work so well unless you upgrade the WLC code and upload a newer list for the manufacturer OUI or upload the profiling_policies.xml from ISE, which you can only get from someone who does have ISE up and can export the list.
    Scott

  • VLAN configuration of LAP in H-REAP WLC Setup

    Hello,
    I have a setup that is configured fairly simply, I think. We have a 4402 WLC at our corporate office. We also have 6 1131s split into two deployments at different offices. We have a common SSID structure across all of them (corporate and guest). Corporate works properly authenticating against Active Directory, and guest authenticates properly via the guest database. The thing I cannot get my mind around is the proper method for configuring these two SSIDs to be on separate VLANs. If it were all local, I think I'd have no problems. Do I need to configure a virtual interface on the controller? Do I need a separate one for each office? The VLAN won't exist in the corporate office (unless it needs to). My goal is to isolate guest access into its own subnet and run it straight out to the Internet without touching the local satellite network. Thanks!
    Sean

    Ok, think I figured it out. I changed the VLAN mappings via each AP edit page and all seems well. Originally I was going to try and push the VLAN configurations for both offices via the "guest" WLAN policy, which is where I think my confusion arose. By doing that, I needed to assign the configuration through an Interface (I'm guessing). If anyone has a better suggestion, please let me know. Thanks!

  • Difference between bridge and local mode with wlc 5508

    Hello,
    Now I have a WLC 5508 with a few AP 11xx and 12xx in local mode. All work correctly. I will have to add a few AP1552 in bridge mode (I have to wait for a WLC upgrade to change the AP1552 to local mode). My question is whether all of them (local and bridge mode) will work correctly together for my clients: RFID readers, laptops, computers in a, b, g, n mode? What about roaming and other features?
    thanks for help
    Peter

    If you plan on not doing MESH, then you set these 1552s in local mode and they will perform the same tasks as any other APs in local mode. When you want to do MESH, then that is when bridge mode comes into play and you have to define your RAPs and MAPs.
    Roaming, client devices: it doesn't matter if you're using local or bridge. Roaming depends on your device and coverage, and RFID also depends on triangulation with the coverage you have now.
    Thanks,
    Scott

  • WLC Local EAP-TLS auth, certificate ACL feature?

    Hi All,
    I implemented local EAP-TLS authentication according to http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080851b42.shtml. All is working fine: clients - Wi-Fi bar code scanners, WLC - 2x4402, SV - 7.0.116.0. Certificates are generated by an Enterprise CA.
    Afterwards, I discovered that certificates cannot be filtered by cname or user name on the WLC. It means that ANY certificate issued by the CA will be authenticated against my WLAN. The CA issues a whole lot of certificates (RRAS VPNs, WEB clients, etc.). I want to filter access for my wireless clients using the local EAP solution (the WLCs are at a remote location). Can I accomplish it without an external RADIUS server? Something like an IOS certificate ACL?
    Thanks in advance.

    Thanks Nicolas, sad but true, I failed to find any possibilities on the WLC.
    It seems I need to configure external RADIUS and use local EAP only in case of WAN failure.
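
The gap described in this thread, as an added example (not WLC functionality and not code from the posters): chain validation alone accepts every certificate the CA issued, while a subject-attribute ACL of the kind an external RADIUS server or an IOS-style certificate ACL would apply narrows that to the scanners. The certificates, DN values and rule format below are constructed for illustration.

```python
import fnmatch


def parse_dn(dn):
    """Split an RFC 4514-style DN string into (ATTR, value) pairs.

    Backslash escapes are honoured, so an escaped comma inside a value
    is not treated as an RDN separator.
    """
    parts, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    pairs = []
    for rdn in parts:
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def subject_attrs(dn):
    """Group DN values by attribute; an attribute such as OU may repeat."""
    grouped = {}
    for attr, value in parse_dn(dn):
        grouped.setdefault(attr, []).append(value)
    return grouped


# Constructed policy: first matching rule wins, anything unmatched is denied.
ACL = [
    {"action": "deny", "match": {"CN": "scan-lost-*"}},
    {"action": "permit", "match": {"OU": "Scanners", "CN": "scan-*"}},
]


def chain_only(cert):
    """What the thread describes: any certificate that chains to the CA passes."""
    return cert["chain_ok"]


def authorize(cert, acl=ACL):
    """Chain validation first, then the subject ACL with an implicit deny."""
    if not cert["chain_ok"]:
        return False, "chain validation failed"
    subject = subject_attrs(cert["subject"])
    for rule in acl:
        if all(any(fnmatch.fnmatchcase(v, pattern) for v in subject.get(attr, []))
               for attr, pattern in rule["match"].items()):
            return rule["action"] == "permit", "matched %r" % (rule["match"],)
    return False, "no rule matched (implicit deny)"


# Constructed certificates, all issued by the same enterprise CA.
CERTS = [
    {"name": "scanner", "chain_ok": True,
     "subject": "CN=scan-0142,OU=Scanners,O=Example Corp"},
    {"name": "vpn-user", "chain_ok": True,
     "subject": "CN=jdoe,OU=VPN Users,O=Example Corp"},
    {"name": "web-server", "chain_ok": True,
     "subject": "CN=intranet.example.test,OU=Web Servers,O=Example Corp"},
    {"name": "lost-scanner", "chain_ok": True,
     "subject": "CN=scan-lost-0007,OU=Scanners,O=Example Corp"},
    # Escaped comma: the whole "scan-9999,OU=Scanners" string is the CN value.
    {"name": "escaped-comma", "chain_ok": True,
     "subject": r"CN=scan-9999\,OU=Scanners,OU=VPN Users,O=Example Corp"},
]

if __name__ == "__main__":
    for cert in CERTS:
        allowed, reason = authorize(cert)
        print("%-14s chain-only=%-5s acl=%-5s %s"
              % (cert["name"], chain_only(cert), allowed, reason))
```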

  • Encrypted L3 Communications Between LAP and WLC?

    Hi All,
    I am working with a client that wants to put LAPs remote to their WLC (a 4402). The rub is that the communications between the LAP and WLC must be secure even across their private WAN! I have a couple of resulting questions if anyone is able to help:
    I can't find out whether encryption is used on the backhaul between LAPs and the WLC, what method it is (is it AES etc.?), and what's involved.
    Terminology may be wrong here, this is not a wireless mesh, just conventional LAP to WLC
    The client's WAN is already encrypted (IPSec VPN over VPLS) in parts - what's the consequence of running AP<-->WLC with end-to-end encryption (if possible) over a WAN with IPSec, i.e. double encryption?
    Strange but true - any pointers will be much appreciated.... Phil.C

    With a 4400 series controller the control traffic between the AP and controller is already AES encrypted.  The user traffic is not encrypted.  If you use a 5508 controller all traffic between the AP and controller is AES encrypted.
    As for running the traffic through a VPN, that should work. The issue I typically see with this is with the MTU. The controller will drop any packets with a data payload less than 32 bytes. Depending on the MTU over the VPN I have seen packets get fragmented and this to be an issue. If you are using one of the CAPWAP versions (5.2 or newer) dynamic MTU discovery is part of the protocol and this MTU issue really doesn't exist.

  • LAP join the wrong controller

    Hello everybody,
    I have an issue with my LAP and my two WLCs. I have one WLC in production and another one in test, and I want to associate the LAP with the one in test but I can't, and my LAP joins the WLC in production with these messages on the LAP:
    *May 13 13:17:07.999: %CAPWAP-3-ERRORLOG: Selected MWAR 'TESTWLC'(index 0).
    *May 13 13:17:07.999: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *May 13 13:16:03.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.30.117.10 peer_port: 5246
    *May 13 13:16:03.036: %CAPWAP-3-ERRORLOG: Failed to authorize controller using trust config.
    *May 13 13:16:03.036: %CAPWAP-1-SSC_CERT_AUTH_FAILED: Failed to authorize controller, SSC certificate validation failed.Peer certificate verification failed FFFFFFFF
    *May 13 13:16:03.040: %CAPWAP-3-ERRORLOG: Certificate verification failed!
    *May 13 13:16:03.040: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:447 Certificate verified failed!
    *May 13 13:16:03.040: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 172.30.117.10:5246
    *May 13 13:16:03.041: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.30.117.10:5246
    *May 13 13:16:03.042: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
    I have disabled certificate checking, the regulatory domains are the same between the WLC and the LAP, my LAP (1041) and my WLCs are updated with the right software version, and both WLCs are "Virtual" WLCs.
    If you have any idea how to resolve this problem, I will be happy to hear it :)
    Thanks

    (Cisco Controller) >show sysinfo
    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 7.6.110.0
    RTOS Version..................................... 7.6.110.0
    Bootloader Version............................... 7.6.110.0
    Emergency Image Version.......................... 7.6.110.0
    Build Type....................................... DATA + WPS
    System Name...................................... TESTWLC
    System Location..................................
    System Contact...................................
    System ObjectID.................................. 1.3.6.1.4.1.9.1.1631
    IP Address....................................... 172.30.117.10
    System Up Time................................... 1 days 15 hrs 40 mins 5 secs
    System Timezone Location......................... (GMT +1:00) Amsterdam, Berlin, Rome, Vienna
    System Stats Realtime Interval................... 5
    System Stats Normal Interval..................... 180
    Configured Country............................... LU  - Luxembourg
    State of 802.11b Network......................... Enabled
    State of 802.11a Network......................... Enabled
    Number of WLANs.................................. 1
    Number of Active Clients......................... 0
    Burned-in MAC Address............................ 00:50:56:94:0E:12
    Maximum number of APs supported.................. 200
    TESTLAP#sh version
    Cisco IOS Software, C1600 Software (AP1G2-K9W8-M), Version 15.2(2)JB, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2012 by Cisco Systems, Inc.
    Compiled Tue 11-Dec-12 04:45 by prod_rel_team
    ROM: Bootstrap program is C1600 boot loader
    BOOTLDR: C1600 Boot Loader (AP1G2-BOOT-M) LoaderVersion 15.2(2)JAX, RELEASE SOFTWARE (fc1)
    TESTLAP uptime is 15 hours, 36 minutes
    System returned to ROM by power-on
    System image file is "flash:/ap1g2-k9w8-mx.152-2.JB/ap1g2-k9w8-mx.152-2.JB"
    Last reload reason:
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    export@cisco.com.
    cisco AIR-CAP1602I-E-K9    (PowerPC) processor (revision B0) with 98294K/32768K bytes of memory.
    Processor board ID FGL1807S09R
    PowerPC CPU at 533Mhz, revision number 0x2151
    Last reset from power-on
    LWAPP image version 7.4.100.0
    1 Gigabit Ethernet interface
    2 802.11 Radios
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 18:E7:28:1A:3B:1B
    Part Number                          : 73-14671-04
    PCA Assembly Number                  : 000-00000-00
    PCA Revision Number                  :
    PCB Serial Number                    : FOC18045ZD1
    Top Assembly Part Number             : 800-38552-01
    Top Assembly Serial Number           : FGL1807S09R
    Top Revision Number                  : A0
    Product/Model Number                 : AIR-CAP1602I-E-K9
    Configuration register is 0xF
    As you can see, I use the LU country code, maybe it can be a mismatch between the WLC version and the LAP version?
    Thanks.

  • Lap 1142N not joining WLC2106

    Hi,
    I have a 1142N which does not join the WLC when connected via a 2960 switch. When I connect a different lap 1142N to the same port on the same switch using the same cables, it does join the lap to the WLC. And when I connect the first lap directly to the WLC it also works fine.
    Resetting the failing lap does not fix the problem. All software levels on the lap are the same.
    Does anyone have an idea what could be wrong?
    Thanks in advance.
    Regards
    Jeroen

    Thanks for your support so far.
    All the APs are the same, AIR-LAP1142N-E-K9 v05. I have two APs which work fine when connected via the 2960, therefore I assume that the switch, WLC, VLAN and DHCP configuration is fine. The third one is giving me some challenges ;-)
    Note: the non-working AP is only not working when connected via the 2960; it is working fine when directly connected to the WLC2106.
    @David, where can I find the regulatory domain setting?
    working AP
    NAME: "AP1140", DESCR: "Cisco Aironet 1140 Series (IEEE 802.11n) Access Point"
    PID: AIR-LAP1142N-E-K9
    failing AP
    NAME: "AP1140", DESCR: "Cisco Aironet 1140 Series (IEEE 802.11n) Access Point"
    PID: AIR-LAP1142N-E-K9
    AP manager subnet
    192.168.1.0/24
    Management subnet
    192.168.2.0/24
    WLC2106 sysinfo
    ==================================================================================
    (Cisco Controller) >show sysinfo
    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 7.0.220.0
    RTOS Version..................................... 7.0.220.0
    Bootloader Version............................... 4.0.191.0
    Emergency Image Version.......................... 6.0.199.4
    Build Type....................................... DATA + WPS
    System Name...................................... CiscoWLC1
    System Location..................................
    System Contact...................................
    System ObjectID.................................. 1.3.6.1.4.1.9.1.828
    IP Address....................................... 192.168.2.2
    System Up Time................................... 10 days 0 hrs 31 mins 36 secs
    System Timezone Location.........................
    Configured Country............................... NL  - Netherlands
    Operating Environment............................ Commercial (0 to 40 C)
    Internal Temp Alarm Limits....................... 0 to 65 C
    Internal Temperature............................. +48 C
    --More-- or (q)uit
    State of 802.11b Network......................... Enabled
    State of 802.11a Network......................... Enabled
    Number of WLANs.................................. 2
    Number of Active Clients......................... 0
    Burned-in MAC Address............................ 70:81:05:AE:F9:C0
    Maximum number of APs supported.................. 6
    DHCP pool configured on core switch
    ==================================================================================
    ip dhcp pool AP-Pool
       network 192.168.1.0 255.255.255.0
       default-router 192.168.1.254
       dns-server 192.168.1.1
    Boot info failing WAP
    ==================================================================================
    using  eeprom values
    WRDTR,CLKTR: 0x85000800 0x40000000
    RQDC ,RFDC : 0x80000037 0x0000020f
    using ÿÿÿÿ ddr static values from serial eeprom
    ddr init done
    Running Normal Memtest...
    Passed.
    IOS Bootloader - Starting system.
    FLASH CHIP:  Numonyx P33
    Checking for Over Erased blocks
    Xmodem file system is available.
    DDR values used from system serial eeprom.
    WRDTR,CLKTR: 0x85000800, 0x40000000
    RQDC, RFDC : 0x80000037, 0x0000020f
    PCIE0: link is up.
    PCIE0: VC0 is active
    PCIE1: link is up.
    PCIE1: VC0 is active
    PCIEx: initialization done
    flashfs[0]: 28 files, 8 directories
    flashfs[0]: 0 orphaned files, 0 orphaned directories
    % Please define a domain-name first.
    Press RETURN to get started!
    *Mar  1 00:00:08.197: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
    *Mar  1 00:00:08.208: *** CRASH_LOG = YES
    Security Core found.
    Base Ethernet MAC address: 64:9E:F3:B3:5F:88
    *Mar  1 00:00:09.787: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
    *Mar  1 00:00:10.359: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1
    *Mar  1 00:00:10.393: %LWAPP-3-CLIENTEVENTLOG: Read and initialized AP event log (contains, 215 messages)
    *Mar  1 00:00:10.416:  status of voice_diag_test from WLC is false
    *Mar  1 00:00:11.459: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to up
    *Mar  1 00:00:12.536: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
    *Mar  1 00:00:12.573: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, C1140 Software (C1140-K9W8-M), Version 12.4(23c)JA3, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Tue 18-Oct-11 14:52 by prod_rel_team
    *Mar  1 00:00:12.573: %SNMP-5-COLDSTART: SNMP agent on host AP649e.f3b3.5f88 is undergoing a cold start
    *Mar  1 00:11:43.044: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Mar  1 00:11:43.105: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Mar  1 00:11:43.105: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Mar  1 00:11:44.106: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *Mar  1 00:11:44.106: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Mar  1 00:11:44.297: %SSH-5-ENABLED: SSH 2.0 has been enabled
    *Mar  1 00:11:52.102: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 192.168.1.44, mask 255.255.255.0, hostname AP649e.f3b3.5f88
    *Mar  1 00:12:01.917:  status of voice_diag_test from WLC is false
    *Mar  1 00:12:01.972: Logging LWAPP message to 255.255.255.255.
    *Mar  1 00:12:04.769: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
    *Mar  1 00:12:04.792: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Mar  1 00:12:04.816: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar  1 00:12:05.776: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    *Mar  1 00:12:05.776: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated
    *Mar  1 00:12:05.802: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    Translating "CISCO-CAPWAP-CONTROLLER"...domain server (192.168.1.1)
    *Mar  1 00:13:13.006: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
    Not in Bound state.
    *Mar  1 00:13:23.524: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination.
    *Mar  1 00:13:23.637: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 192.168.1.45, mask 255.255.255.0, hostname AP649e.f3b3.5f88
    Translating "CISCO-CAPWAP-CONTROLLER"...domain server (192.168.1.1)
    *Mar  1 00:14:19.511: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
    Not in Bound state.
    *Mar  1 00:14:30.030: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination.
    *Mar  1 00:14:30.139: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 192.168.1.46, mask 255.255.255.0, hostname AP649e.f3b3.5f88
    Translating "CISCO-CAPWAP-CONTROLLER"...domain server (192.168.1.1)
    *Mar  1 00:15:26.013: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
    Not in Bound state.
    *Mar  1 00:15:36.532: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination.
    *Mar  1 00:15:36.640: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 192.168.1.47, mask 255.255.255.0, hostname AP649e.f3b3.5f88
    Show version failing wap
    ==================================================================================
    Cisco IOS Software, C1140 Software (C1140-K9W8-M), Version 12.4(23c)JA3, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Tue 18-Oct-11 14:52 by prod_rel_team
    ROM: Bootstrap program is C1140 boot loader
    BOOTLDR: C1140 Boot Loader (C1140-BOOT-M) Version 12.4(23c)JA3, RELEASE SOFTWARE (fc1)
    uptime is 6 minutes
    System returned to ROM by power-on
    System image file is "flash:/c1140-k9w8-mx.124-23c.JA3/c1140-k9w8-mx.124-23c.JA3"
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    export@cisco.com.
    cisco AIR-LAP1142N-E-K9    (PowerPC405ex) processor (revision A0) with 98294K/32768K bytes of memory.
    Processor board ID FCZ1548W0GJ
    PowerPC405ex CPU at 586Mhz, revision number 0x147E
    Last reset from power-on
    LWAPP image version 7.0.220.0
    1 Gigabit Ethernet interface
    2 802.11 Radio(s)
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 64:9E:F3:B3:5F:88
    Part Number                          : 73-12836-03
    PCA Assembly Number                  : 800-33767-03
    PCA Revision Number                  : A0
    PCB Serial Number                    : FOC15443W5A
    Top Assembly Part Number             : 800-33775-02
    Top Assembly Serial Number           : FCZ1548W0GJ
    Top Revision Number                  : A0
    Product/Model Number                 : AIR-LAP1142N-E-K9  
    Configuration register is 0xF
    show inventory failing wap
    ==================================================================================
    NAME: "AP1140", DESCR: "Cisco Aironet 1140 Series (IEEE 802.11n) Access Point"
    PID: AIR-LAP1142N-E-K9
    Message was edited by: Jeroen
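
The two join failures quoted above stall at different stages: one AP never discovers a controller and keeps renewing its lease, the other reaches the controller and fails DTLS certificate validation. The following is an added Python sketch, not part of either post, that classifies AP console output by the syslog mnemonics visible in those logs; the sample lines are taken from the quoted output with a placeholder hostname, and the verdict names are hypothetical.

```python
import re

# Sample lines modelled on the AP console output quoted in the posts above
# (hostname replaced by a placeholder).
DISCOVERY_LOG = """\
*Mar  1 00:11:52.102: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 192.168.1.44, mask 255.255.255.0, hostname AP-EXAMPLE
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (192.168.1.1)
*Mar  1 00:13:13.006: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
*Mar  1 00:13:23.524: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination.
*Mar  1 00:13:23.637: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 192.168.1.45, mask 255.255.255.0, hostname AP-EXAMPLE
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (192.168.1.1)
*Mar  1 00:14:19.511: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
"""
DTLS_LOG = """\
*May 13 13:16:03.040: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:447 Certificate verified failed!
*May 13 13:16:03.040: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 172.30.117.10:5246
*May 13 13:16:03.041: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.30.117.10:5246
"""

SYSLOG = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+): (.*)")   # %FACILITY-SEV-MNEMONIC: text
LEASE = re.compile(r"assigned DHCP address (\d+(?:\.\d+){3})")
ALERT = re.compile(r"Send FATAL : (.+) Alert to (\d+(?:\.\d+){3}):(\d+)")
LOOKUP = re.compile(r'Translating "([^"]+)"')


def classify(report):
    """Map the collected counters to a (hypothetical) verdict name."""
    if report["cert_rejected"] or any(a[0] == "Bad certificate" for a in report["fatal_alerts"]):
        # A DTLS alert was sent to a controller address, so discovery and routing
        # worked; the join failed in certificate validation.
        return "dtls-certificate-rejected"
    if report["renewals"] >= 2 and len(set(report["leases"])) >= 2:
        # The AP keeps obtaining new leases but never finds a controller.
        return "discovery-loop"
    if report["renewals"]:
        return "discovery-failed"
    return "no-join-failure-seen"


def triage(log_text):
    """Summarise where a CAPWAP join attempt stalls, from AP console text."""
    report = {"leases": [], "renewals": 0, "lookups": set(),
              "fatal_alerts": [], "cert_rejected": False}
    for line in log_text.splitlines():
        lookup = LOOKUP.search(line)
        if lookup:
            report["lookups"].add(lookup.group(1))      # DNS names tried for discovery
        if "Certificate verified failed" in line:
            report["cert_rejected"] = True
        event = SYSLOG.search(line)
        if not event:
            continue
        facility, _severity, mnemonic, text = event.groups()
        if (facility, mnemonic) == ("DHCP", "ADDRESS_ASSIGN"):
            lease = LEASE.search(text)
            if lease:
                report["leases"].append(lease.group(1))
        elif (facility, mnemonic) == ("CAPWAP", "DHCP_RENEW"):
            report["renewals"] += 1
        elif (facility, mnemonic) == ("DTLS", "SEND_ALERT"):
            alert = ALERT.search(text)
            if alert:
                report["fatal_alerts"].append(
                    (alert.group(1), alert.group(2), int(alert.group(3))))
    report["verdict"] = classify(report)
    return report


if __name__ == "__main__":
    for name, text in (("discovery", DISCOVERY_LOG), ("dtls", DTLS_LOG)):
        print(name, triage(text))
```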

  • ISE and WLC for posture remediation

    Please can anybody clarify a few things in relation to ISE and wireless posture.
    1) Is the ACL-POSTURE-REDIRECT used for remediation, or is it just an ACL to redirect only some traffic to kickoff posture checking?
    2) Can/Should a dACL/wACL be specified as a remediation ACL?
    3) Do the WLC ACLs have to be written in long format (manually specifying source and dest ports/doesn't direction any work?)
    4) Does anybody have working example ACLs for posture redirect (cpp) and remediation (dACL)?
    5) Any other advice or pointers would be helpful too, as no docs I have found so far, be it TrustSec2, CiscoLive or anything else, seem to help me understand WLC posture and remediation.
    thanks
    Nick

    Nick,
    Answers are inline:
    1) Is the ACL-POSTURE-REDIRECT used for remediation, or is it just an ACL to redirect only some traffic to kickoff posture checking?
    This is for both (if ports 8905.. are included), then this is for initial redirection and remediation.
    2) Can/Should a dACL/wACL be specified as a remediation ACL?
    Wireless does not support DACL; you will have to reference another ACL in the authorization policy. The new versions have the Airespace ACL field, where you will have the ACL defined locally on the WLC.
    3) Do the WLC ACLs have to be written in long format (manually specifying source and dest ports/doesn't direction any work?)
    Yes, you have to add two entries. For example, for all traffic redirection to ISE:
    source=any, destination=iseipaddr, source port=any, destination port=any, direction=any, action=permit
    source=iseipaddr, destination ip=any, source port=any, destination port=any, direction=any, action=permit
    It's not the easiest, but I will attach a screenshot that will show you my example.
    4) Does anybody have working example ACLs for posture redirect (cpp) and remediation (dACL)?
    ISE doesn't support DACLs, so when you build your authorization profile in ISE you select the web authentication type (Posture Discovery); after that the ACL field will come up, and there you will "call" the posture ACL which is defined on your controller.
    5) Any other advice or pointers would be helpful too, as no docs I have found so far, be it TrustSec2, CiscoLive or anything else, seem to help me understand WLC posture and remediation.
    Keep in mind that you have to have radius NAC and AAA override enabled under the advanced settings for COA to work.
    You have to turn on COA under the global settings in ISE (Administration > Profiling > Coa Type > Reauth)
    Then you have to build your policies so that when a user connects to the network they are redirected to download the NAC agent (this is where the Posture Discovery and redirect ACL work in tandem).
    Once the client downloads the NAC agent and is compliant, the report is forwarded to ISE, where a COA event is triggered.
    Then the client will reauthenticate and will hit another policy that will give them access once their machine is compliant; you can set the ACLs for restricted access, use dynamic VLAN assignment, or just send the access-accept.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
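
The two-entry rule described in answer 3 above, modelled as an added Python example (not part of the post, and not WLC or ISE configuration): it evaluates a flow and its reply against an ACL and reports flows whose reply direction has no matching entry. The addresses and the client source port are constructed placeholders, direction is taken as "any" for every rule, and stateless first-match evaluation with an implicit deny is an assumption of the model.

```python
import ipaddress
from dataclasses import dataclass

ISE_IP = "192.0.2.10"        # constructed placeholder for the ISE node
CLIENT_IP = "198.51.100.23"  # constructed wireless client address
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


def _ip_ok(spec, addr):
    """True if addr falls inside spec ('any', a host address or a prefix)."""
    net = ANY_NET if spec == "any" else ipaddress.ip_network(spec)
    return ipaddress.ip_address(addr) in net


def _port_ok(spec, port):
    return spec == "any" or spec == port


@dataclass(frozen=True)
class Rule:
    """One ACL entry in the 'long format' from the post."""
    src: str = "any"
    dst: str = "any"
    src_port: object = "any"
    dst_port: object = "any"
    action: str = "permit"

    def matches(self, pkt):
        return (_ip_ok(self.src, pkt["src"]) and _ip_ok(self.dst, pkt["dst"])
                and _port_ok(self.src_port, pkt["sport"])
                and _port_ok(self.dst_port, pkt["dport"]))


def evaluate(acl, pkt):
    """First matching rule wins; no match falls through to the implicit deny."""
    for index, rule in enumerate(acl, start=1):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


def unanswered_flows(acl, flows):
    """Flows whose forward packet is permitted but whose reply is not."""
    broken = []
    for pkt in flows:
        reply = {"src": pkt["dst"], "dst": pkt["src"],
                 "sport": pkt["dport"], "dport": pkt["sport"]}
        if evaluate(acl, pkt)[0] == "permit" and evaluate(acl, reply)[0] != "permit":
            broken.append(pkt)
    return broken


# Client talking to ISE on port 8905 (the port named in answer 1).
FLOWS = [{"src": CLIENT_IP, "dst": ISE_IP, "sport": 51000, "dport": 8905}]

ONE_WAY = [Rule(dst=ISE_IP)]                    # only "any -> ISE"
TWO_WAY = [Rule(dst=ISE_IP), Rule(src=ISE_IP)]  # both entries from the post

if __name__ == "__main__":
    print("one entry, unanswered flows:", unanswered_flows(ONE_WAY, FLOWS))
    print("two entries, unanswered flows:", unanswered_flows(TWO_WAY, FLOWS))
```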

  • Certificate based authentication with Cisco WLC and Juniper IC

    Hi
    I have a cisco WLC 4400 and Juniper IC which works as the external Radius server.
    I want the wireless clients to be authenticated using certificates. I know the Juniper IC can understand certificates.
    My question is: can the Cisco WLC understand that the information being presented to it by the client is not username/pwd but a user certificate?
    I have also looked at this article:
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100590-ldap-eapfast-config.html
    What I don't understand here is the need for the WLC to authenticate the user with his credentials by LDAP when it has authenticated the user cert.
    All your help is appreciated.

    Hi,
    Since you use an external radius server you don't have to worry for this.
    The only config that you need to do on WLC is to define the radius server under Security-AAA-Radius-Authentication and on your WLAN-Security-AAA.
    The doc you refer to is only for Local Radius on WLC.
    Hope this helps
    Regards,
    Christos

  • Authentication for WLC

    Hi,
    I have a WLC (4404), and it is configured for authentication in ACS.
    When I connect to the WLC with a browser (HTTPS), I put in my username and password from ACS, and it works.
    However, if I put the local username in WLC it works.
    I would like to disable the local username when ACS works; how do I do that?
    But when ACS goes down I need the local username...

    You will not be able to do this like how you can with a router or switch. Locally is checked first prior to TACACS and can't be changed. Maybe speak with your local Cisco wireless SE to see if he can put that in as a feature enhancement.

  • AIR-LAP-1142N-E-K9 unexpected power offs

    Hi, we have two separate Cisco wireless networks, both based around the same infrastructure.
    Cisco 5508 WLC/s running 7.4.100 Firmware in our datacentre, with AIR-LAP-1142N-E-K9 LAPS distributed at site offices.
    This infrastructure has been running well until recently when we have had a spate of the LAPS appearing to power off.
    The LAP appears to be off with no LED status light as if it has been powered off, but the power supplies are still connected and the LAPS are often warm to the touch as if drawing power even when they have been "off" for a couple of days.
    Unplugging the power supply (at the LAP) and re-applying brings the LAP back on.
    The LAPS involved all used the recommended Cisco manufactured power supplies as there was no POE/power injector infrastructure.
    The LAPS vanish from the WLC as if disconnected, without any apparent errors in the WLC logs.
    There are no crash logs for the LAPS which have powered off.
    Console output from a LAP which has powered off on startup just shows the AP coming back from a "cold start".
    LAPS operate normally after restart, but after a variable period, typically 2-7 days, will power off again.
    This is happening across multiple sites, to LAPS connected to different WLCs.
    Has anyone seen this issue before?

    The LAP appears to be off with no LED status light as if it has been powered off, but the power supplies are still connected and the LAPS are often warm to the touch as if drawing power even when they have been "off" for a couple of days.
    Gareth,
    Just want to make sure you are using a power brick/power injector.  Can you please confirm?
    Had issues with 7.4 when I noticed that some of my APs, running in PoE, would suddenly get "lost".  They would suddenly reboot and they wouldn't negotiate PoE properly.  I had to manually shut down the ports for at least 5 seconds.  If I don't leave it off for that long the APs simply won't boot up.
    Ever since I've moved to 7.5, I haven't seen this happen.
    There is a well-known bug, can't seem to find it, about 1140 and WLC firmware 7.4.  If I remember correctly, the bug describes what you are seeing.
    You may want to investigate using 7.5.
