MFP Anomaly Detected - WLC-4402-25-K9 - 5.0.148.0

From time to time I see messages like the one below in the Trap logs of a WLC-4402-25-K9 running 5.0.148.0:
MFP Anomaly Detected - 1 Invalid MIC event(s) found as violated by the radio <offending-MAC> and detected by the dot11 interface at slot 0 of AP <reporting-MAC> in 300 seconds when observing Deauthentication frames. Client's last source mac <client-MAC>
Is my WLC misconfigured or is this a (known) bug in 5.0.148.0?
Trond.

There are some known issues in this area (mainly cosmetic) but it might also be an indication of an attack. You'd have to track this down with a packet capture to see if this is a false positive or not. From the MIB, the description of the event that triggers this message is:
"bcastDeauthenticationFrameRcvd - The Access Point detected a broadcast deauthentication frame. Broadcast deauthentication frames are rejected by CCXv5 compliant devices."
More info in: CISCO-LWAPP-TC-MIB.my
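An added example, not part of the thread and not Cisco code: before setting up the packet capture suggested above, the trap log can be grouped by violating radio to see which BSSID and which reporting AP to capture near. It parses the controller trap wording and the WCS alarm wording quoted on this page; `parse_mfp`, `summarise` and the `self_reported` flag (reporting AP MAC and violating BSSID differ only in the last hex digit) are names and assumptions of this example.

```python
import re
from collections import defaultdict

# Controller trap-log wording, as quoted in the threads on this page.
WLC_TRAP = re.compile(
    r"MFP Anomaly Detected - (?P<count>[\d,]+) (?P<kind>.+?) event\(s\) found as "
    r"violated by the radio (?P<bss>\S+) and detected by the dot11 interface "
    r"at slot (?P<slot>\d+) of AP (?P<ap>\S+) in (?P<window>\d+) seconds "
    r"when observing ?(?P<frames>.*?) ?\. Client's last source mac (?P<client>\S+)"
)
# Alarm wording shown by WCS, as quoted in the later threads on this page.
WCS_ALARM = re.compile(
    r"MFP Anomaly Detected - (?P<count>[\d,]+) '(?P<kind>[^']+)' violation\(s\) "
    r"have originated from the AP with BSS '(?P<bss>[^']+)'\. This was detected by "
    r"the radio with Slot ID '(?P<slot>\d+)' of the AP with MAC '(?P<ap>[^']+)' "
    r"when observing '(?P<frames>[^']+)' frames\."
)
# "Probe Response, Beacon, and Deauthentication" -> three frame types
FRAME_SPLIT = re.compile(r",\s*(?:and\s+)?|\s+and\s+")


def parse_mfp(line):
    """Return the fields of one MFP anomaly message, or None for any other trap."""
    text = " ".join(line.split())  # collapse the ragged spacing of copied logs
    for source, pattern in (("wlc", WLC_TRAP), ("wcs", WCS_ALARM)):
        match = pattern.search(text)
        if match is None:
            continue
        rec = match.groupdict()
        rec["source"] = source
        rec["count"] = int(rec["count"].replace(",", ""))
        frames = re.sub(r"\s*frames$", "", rec["frames"])
        # The controller sometimes leaves the frame type empty ("observing .").
        rec["frames"] = [f for f in FRAME_SPLIT.split(frames) if f]
        return rec
    return None


def same_block(mac_a, mac_b):
    """Assumption of this example: MACs equal except for the last hex digit."""
    return mac_a.lower()[:-1] == mac_b.lower()[:-1]


def summarise(lines):
    """Group MFP anomalies by violating BSSID, largest event count first."""
    groups = defaultdict(lambda: {"events": 0, "messages": 0, "reporters": set(),
                                  "frames": set(), "kinds": set(),
                                  "self_reported": False})
    for line in lines:
        rec = parse_mfp(line)
        if rec is None:
            continue
        grp = groups[rec["bss"].lower()]
        grp["events"] += rec["count"]
        grp["messages"] += 1
        grp["reporters"].add((rec["ap"].lower(), int(rec["slot"])))
        grp["frames"].update(rec["frames"])
        grp["kinds"].add(rec["kind"])
        grp["self_reported"] |= same_block(rec["bss"], rec["ap"])
    rows = []
    for bss, grp in groups.items():
        rows.append({"bss": bss, "events": grp["events"],
                     "messages": grp["messages"],
                     "reporters": sorted(grp["reporters"]),
                     "frames": sorted(grp["frames"]),
                     "kinds": sorted(grp["kinds"]),
                     "self_reported": grp["self_reported"]})
    return sorted(rows, key=lambda r: r["events"], reverse=True)


# Sample input: messages copied from the threads on this page, plus one
# unrelated trap that must be skipped.
SAMPLE_TRAPS = [
    "MFP Anomaly Detected - 1 Not encrypted event(s) found as   violated by the "
    "radio 58:bf:ea:0f:67:4a and detected by the dot11 interface   at slot 1 of "
    "AP 58:bf:ea:0f:67:40 in 300 seconds when observing . Client's   last source "
    "mac 70:11:24:e4:43:0f",
    "AP Disassociated. Base Radio MAC:88:43:e1:56:91:d0",
    "MFP Anomaly Detected - 35 Not encrypted event(s) found as violated by the "
    "radio d8:24:bd:2f:df:6f and detected by the dot11 interface at slot 1 of "
    "AP d8:24:bd:2f:df:60 in 300 seconds when observing Deauth. Client's last "
    "source mac 00:23:14:a7:e3:54",
    "MFP Anomaly Detected - 23 Not encrypted event(s) found as violated by the "
    "radio f8:4f:57:a5:40:b2 and detected by the dot11 interface at slot 0 of "
    "AP f8:4f:57:a5:40:b0 in 300 seconds when observing . Client's last source "
    "mac 44:4c:0c:ba:27:77",
    "MFP Anomaly Detected - 3,461 'Invalid MIC' violation(s) have originated from "
    "the AP with BSS '00:16:9d:44:65:d0'. This was detected by the radio with "
    "Slot ID '0' of the AP with MAC '00:19:aa:f5:5b:a0' when observing 'Probe "
    "Response, Beacon, and Deauthentication' frames.",
    "MFP Anomaly Detected - 582 'Invalid MIC' violation(s) have originated from "
    "the AP with BSS '00:1c:0e:40:ba:6f'. This was detected by the radio with "
    "Slot ID '1' of the AP with MAC '00:1a:e2:10:e0:80' when observing 'Beacon, "
    "Disassociation, and Deauthentication' frames.",
]

if __name__ == "__main__":
    for row in summarise(SAMPLE_TRAPS):
        print(row)
```

The first rows of the output name the BSSID, reporting AP and slot to place the capture near; the event counts alone do not separate a false positive from spoofed frames.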

Similar Messages

  • MFP Anomaly Detected Access Points are moving from one wlc to another and vice versa

    Hi together,
    a customer has lost some Access Points to another WLC with 7.2  and then they come back after 15 minutes to the origin WLC with 7.5
    Attached the messages
    MFP Protection is configured as optional
    152
    Wed Nov 27 05:33:26 2013
    MFP Anomaly Detected - 1 Not encrypted event(s) found as   violated by the radio 58:bf:ea:0f:67:4a and detected by the dot11 interface   at slot 1 of AP 58:bf:ea:0f:67:40 in 300 seconds when observing . Client's   last source mac 70:11:24:e4:43:0f
    153
    Wed Nov 27 05:31:40 2013
    AP Disassociated. Base Radio MAC:88:43:e1:56:91:d0
    154
    Wed Nov 27 05:31:40 2013
    AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:88:43:e1:56:91:d0 Cause=New Discovery Status:NA
    155
    Wed Nov 27 05:31:33 2013
    AP Disassociated. Base Radio MAC:58:bf:ea:0f:73:d0
    156
    Wed Nov 27 05:31:33 2013
    AP's Interface:1(802.11a) Operation State Down: Base Radio   MAC:58:bf:ea:0f:73:d0 Cause=New Discovery Status:NA
    157
    Wed Nov 27 05:31:33 2013
    AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:58:bf:ea:0f:73:d0 Cause=New Discovery Status:NA
    158
    Wed Nov 27 05:31:28 2013
    AP Disassociated. Base Radio MAC:58:bf:ea:0f:fc:20
    159
    Wed Nov 27 05:31:28 2013
    AP's Interface:1(802.11a) Operation State Down: Base Radio   MAC:58:bf:ea:0f:fc:20 Cause=New Discovery Status:NA
    160
    Wed Nov 27 05:31:28 2013
    AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:58:bf:ea:0f:fc:20 Cause=New Discovery Status:NA
    161
    Wed Nov 27 05:31:17 2013
    AP Disassociated. Base Radio MAC:b4:e9:b0:e4:02:20
    162
    Wed Nov 27 05:31:17 2013
    AP's Interface:1(802.11a) Operation State Down: Base Radio   MAC:b4:e9:b0:e4:02:20 Cause=New Discovery Status:NA
    163
    Wed Nov 27 05:31:17 2013
    AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:b4:e9:b0:e4:02:20 Cause=New Discovery Status:NA
    164
    Wed Nov 27 05:31:15 2013
    AP Disassociated. Base Radio MAC:a4:18:75:eb:da:b0
    165
    Wed Nov 27 05:31:15 2013
    AP's Interface:1(802.11a) Operation State Down: Base Radio   MAC:a4:18:75:eb:da:b0 Cause=New Discovery Status:NA
    166
    Wed Nov 27 05:31:15 2013
    AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:a4:18:75:eb:da:b0 Cause=New Discovery Status:NA
    167
    Wed Nov 27 05:28:26 2013
    MFP Anomaly Detected - 35 Not encrypted event(s) found as   violated by the radio d8:24:bd:2f:df:6f and detected by the dot11 interface   at slot 1 of AP d8:24:bd:2f:df:60 in 300 seconds when observing Deauth.   Client's last source mac 00:23:14:a7:e3:54
    168
    Wed Nov 27 05:23:26 2013
    MFP Anomaly Detected - 23 Not encrypted event(s) found as   violated by the radio f8:4f:57:a5:40:b2 and detected by the dot11 interface   at slot 0 of AP f8:4f:57:a5:40:b0 in 300 seconds when observing . Client's   last source mac 44:4c:0c:ba:27:77
    Don't know at the moment how to handle it.
    Regards
    Alex

    Hi Alex,
    Disable Client MFP under the WLAN advanced tab & see if this still occurs
    Regards
    Rasika
    **** Pls rate all useful responses *****

  • MFP Anomaly help

    Hi Folks,
    I just spotted this on our WCS6.0
    MFP Anomaly Detected - 3,461 'Invalid MIC' violation(s) have originated from the AP with BSS '00:16:9d:44:65:d0'. This was detected by the radio with Slot ID '0' of the AP with MAC '00:19:aa:f5:5b:a0' when observing 'Probe Response, Beacon, and Deauthentication' frames.
    3,461 seems like far too much - is this an attack? What should I do?
    The message reads "originated from the AP", I've id'd the AP in WCS - are one of our APs acting up?
    What is going on?
    Thanks
    Scott

    This is a problem on the controller, the WCS is just reporting what the controller says in this case.
    There are quite a few bugs on this depending on the code of WLC you have:
    4.2:
    CSCsq87439 "MFP Anomaly Detected - 'Invalid MIC' violation(s)" messages seen on WLC
    5.0,5.1 and 5.2:
    CSCsl59308 EW: Many 'MFP Anomaly Detected' alarms being reported

  • MFP Anomaly

    Ever since upgrading my 4404 and WiSM controllers, I keep getting a bunch of MFP errors like the one below. Is anyone else seeing the same thing ? I have MFP set to optional. It is occurring in multiple cities.
    Thanks,
    Randy
    Message
    MFP Anomaly Detected - 582 'Invalid MIC' violation(s) have originated from the AP with BSS '00:1c:0e:40:ba:6f'. This was detected by the radio with Slot ID '1' of the AP with MAC '00:1a:e2:10:e0:80' when observing 'Beacon, Disassociation, and Deauthentication' frames.

    Hi Randy,
    Just thought you might want to see this recent post where these same errors are occurring after an upgrade to 4.2.61.0. Maybe you could piggyback on this TAC Case:
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=General&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cbf0293/0#selected_message
    Hope this helps!
    Rob

  • MFP Anomaly on WCS

    Wireless Setup:
    (9) Wism 7.0.116.0
    (1) WCS 7.0.172.0
    APs are a mixture of 1242, 1142, 3502i, 3502e.
    MFP was enabled and WCS received hundreds of these messages:
    MFP Anomaly Detected - 1 'Invalid MIC' violation(s) have originated from the AP with BSS 'MAC address'. This was detected by the radio with Slot ID '0' of the AP with MAC 'address' when observing 'Beacon' frames.
    Any help is appreciated.

    Hi,
    here is the bug i am suspecting!! Lemme know if this answered ur question..
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsl59308
    Please don't forget to rate the useful posts!!
    Regards
    Surendra

  • Cisco AIR-LAP1041N-E-K9 not working with WLC 4402 version 7.0.116.0

    Hi All,
    Appreciate your support for a problem I started facing today. I have a Cisco WLC 4402 running version 7.0.116.0 and it is working great with 25 Cisco 1252 APs. We received 20 new Cisco 1041N APs today and I installed one in our site but it doesn't work. It worked fine and loaded the image from flash and got the WLC IP address through the DHCP option and started showing the below error:
    *Mar  1 00:00:10.021: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
    *Mar  1 00:00:10.033: *** CRASH_LOG = YES
    *Mar  1 00:00:10.333: Port 1 is not presentSecurity Core found.
    Base Ethernet MAC address: C8:9C:1D:53:57:5E
    *Mar  1 00:00:11.373: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
    *Mar  1 00:00:11.465: %LWAPP-3-CLIENTEVENTLOG: Read and initialized AP event log (contains, 1088 messages)
    *Mar  1 00:00:11.494:  status of voice_diag_test from WLC is false
    *Mar  1 00:00:12.526: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to up
    *Mar  1 00:00:13.594: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
    *Mar  1 00:00:13.647: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, C1040 Software (C1140-K9W8-M), Version 12.4(23c)JA2, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Wed 13-Apr-11 12:50 by prod_rel_team
    *Mar  1 00:00:13.647: %SNMP-5-COLDSTART: SNMP agent on host APc89c.1d53.575e is undergoing a cold start
    *Mar  1 00:08:59.062: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Mar  1 00:08:59.062: bsnInitRcbSlot: slot 1 has NO radio
    *Mar  1 00:08:59.138: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Mar  1 00:08:59.837: %SSH-5-ENABLED: SSH 2.0 has been enabled
    *Mar  1 00:09:00.145: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Mar  1 00:09:09.136: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 172.16.26.81, mask 255.255.255.0, hostname APc89c.1d53.575e
    *Mar  1 00:09:17.912: %PARSER-4-BADCFG: Unexpected end of configuration file.
    *Mar  1 00:09:17.912:  status of voice_diag_test from WLC is false
    *Mar  1 00:09:17.984: Logging LWAPP message to 255.255.255.255.
    *Mar  1 00:09:19.865: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
    *Mar  1 00:09:19.886: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar  1 00:09:20.873: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Mar  1 00:09:20.874: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated
    Translating "CISCO-CAPWAP-CONTROLLER.atheertele.com"...domain server (172.16.40.240)
    *Mar  1 00:09:29.029: %CAPWAP-5-DHCP_OPTION_43: Controller address 172.16.100.102 obtained through DHCP
    *May 25 08:27:02.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:02.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:03.175: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:03.177: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:03.177: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:03.329: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:03.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:03.333: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:03.333: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:03.378: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:03.378: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:03.378: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:03.448:  status of voice_diag_test from WLC is false
    *May 25 08:27:14.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:14.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:15.185: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:15.186: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:15.186: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:15.330: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:15.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:15.334: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:15.334: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:15.379: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:15.379: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:15.379: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:15.450:  status of voice_diag_test from WLC is false
    *May 25 08:27:26.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:26.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:27.182: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:27.183: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:27.184: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:27.329: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:27.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:27.333: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:27.333: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:27.377: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:27.377: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:27.377: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:27.433: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *May 25 08:27:27.446: %PARSER-4-BADCFG: Unexpected end of configuration file.
    *May 25 08:27:27.447:  status of voice_diag_test from WLC is false
    *May 25 08:27:27.448: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *May 25 08:27:27.456: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *May 25 08:27:38.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:38.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:39.183: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:39.184: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:39.184: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:39.326: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:39.329: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:39.329: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:39.330: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:39.375: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:39.375: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:39.375: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:39.446:  status of voice_diag_test from WLC is false
    *May 25 08:27:49.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:49.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:50.179: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:50.180: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:50.180: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:50.323: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:50.326: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:50.326: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:50.326: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:50.370: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:50.370: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:50.370: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:50.425: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *May 25 08:27:50.438: %PARSER-4-BADCFG: Unexpected end of configuration file.
    I searched for the regulatory domain differences between AIR-LAP1041N-E-K9 and AIR-LAP1041N-A-K9 and didn't find any difference that may affect the operation of this AP.
    Just to mention that our configuration in the WLC for regulatory domains is:
    Configured Country Code(s) AR 
    Regulatory Domain  802.11a:  -A
                                 802.11bg: -A
    My question is, should I only include my country in the WLC (IQ) to add the regulatory domain (-E) to solve this problem? Or will changing the country affect the operation of all working APs?
    Appreciate your kind support,
    Wisam Q.

    Hi Ramon,
    thank you for the reply but as shown in the below link:
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7.0.html#wp233793
    the WLC in version 7.0.116.0 supports Cisco 1040 series APs.
    Thanks,
    Wisam Q.

  • Anomaly detection using ODM

    I was asked the following question:
    "My question is very simply, we are doing a monitoring system for a
    website that helps the admin to mine on specific data (using ODM to
    produce Web mining) so we want to apply the anomaly detection. We dont
    know what we should do and what we should produce as a results."
    A couple of suggestions come to mind:
    1) For an overall discussion of intrusion detection in general using the Oracle RDBMS as an analytical platform the following paper might be useful:
    http://www.oracle.com/technology/products/bi/odm/pdf/odm_based_intrusion_detection_paper_1205.pdf
    2) A couple of things to think about and do:
    (a) Define what is the "mining case", that is, the object that defines what is the concept you want to mine. For example, in web mine you may want to detect anomalous session activity. This can be defined over the whole activity of a session or over time windows. In the first case each session will define a mining case (it will be a row in the training data). In the second case each section will generate many mining cases, one per time window. Let's assume for sake of discussion that the goal is to identify anomalous session activity. Then the training data will consist of the session activities (e.g., clicks, pages visited, and/or information from forms; or more generally, http requests). There will be one row per session in the training data. If we know beforehand that some of those sessions were intrusions or anomalous in some sense we can also capture this data as a target for supervised modeling.
    (b) Decide what modeling to do. Two types of modeling can be performed (see the paper above for examples):
    (i) Supervised modeling - case there are examples of anomalous cases as well as normal cases
    This can be done by building a classifier on the training data. It is also possible to measure the quality of the classifier on a held aside sample.
    (ii) Unsupervised modeling - this should be done as well even if we can create a supervised model
    Unsupervised approaches don't provide a measure that indicates how good the model is at predicting anomalous events. These models are better at ranking cases by how anomalous the model believes they are.
    Two common unsupervised techniques for anomaly detection are: Clustering and One-Class SVM. The latter is considered state of the art in many problem domains and it is the one implemented by ODM. ODM also has clustering but it does not return the distance of a row to the center of the cluster. This information is necessary for using clustering for anomaly detection. If one wants to use clustering, the Oracle Data Mining blog has a post that can help compute distance from rows to centroids:
    http://oracledmt.blogspot.com/2006/07/finding-most-typical-record-in-group.html
    It is important to note that the method described in the post doesn't support nested column attributes.
    When building unsupervised models, only the data for normal cases should be used to train the models. The unsupervised models can be seen as defining what is normal. It will recognize that something is anomalous when it does not match the definition of normality learned by the model.
    (c) Use ODMR to help with modeling
    (d) As new session information is gathered it is possible to score in real-time the session to detect anomalous behavior. One should score both supervised (if information was available) and unsupervised models to detect anomalous behavior. See the above paper for some discussion on this.
    The supervised model will indicate if a case is anomalous or not based on known types of anomalous behavior. One should use ROC tuning in ODMR to find a good operating point for the model. This is necessary because the number of anomalous cases is usually small compared to normal ones.
    The unsupervised model (one-class SVM) will provide a ranking. The higher the probability of belonging to class 1 the more normal. A 0.5 probability for class 1 indicates the boundary between normal and not normal. In reality it marks a boundary where normality dominates. There can be some anomalous cases with probability higher than 0.5 and some normal cases with probabilities less than 0.5. If working in batch mode we can rank the probabilities in ascending order and select the first K rows for investigation.
    --Marcos

    A suggestion to speed up the process: provide more information about your data (e.g., schema) and how you are invoking the algorithm (GUI, API, settings). Case you are using the APIs, have you tried the sample programs for anomaly detection?
    Regarding the Apriori algorithm it does not support timestamps and dates columns. In fact, none of the algorithms in ODM does (see the documentation for Oracle Data Mining for the supported column data types). The dbms_predictive_analytics package does. Are you trying to do sequential association rules or just trying to do plain association rules using data from a date column? ODM does not support the former. The latter can be done by converting the date column to a VARCHAR or NUMBER column.
    --Marcos

  • WLC 4402 username and password expires automatically

    Hi,
    We are facing an issue with Cisco WLC 4402 (Cisco AireOS Version 4.2.205.0) and username and password expired automatically. It happens very often. We are not able to retrieve the password, so every time we need to reset (factory default) the Cisco WLC4402 and do a fresh installation.
    Whether it is the hardware issue or software bug.
    Also is there any possibility of recovering the username and password with resetting the Cisco WLC4402.
    Kindly suggest on this issue.
    Regards
    S.Manikandan

    Hmmm.. Strange!! are we using any TACACS to manage?? or just the management username and password??
    I guess after 5.2 WLC code or so we have the option of resetting the password without losing the config!!
    Regards
    Surendra

  • WLC-4402+AIR-LAP1142N problem

    Hello all,
    I've got the following problem with bringing up a simple wireless configuration. There is a WLC-4402 controller and several remote locations (I am testing one so far). Two WLANs are configured (one for employee and the other for guest access - no mobility anchoring used, guest is just mapped to a VLAN restricted on the firewall). WLC serves DHCP pools for wireless clients. The problem I am experiencing at the moment is that a user with a laptop is able to connect to the guest WLAN, gets an IP but can communicate (ping) only with its own IP, the controller IP in the guest subnet and the default gateway (which is the firewall interface). Traffic to any other destinations never hits the gateway (I am running tcpdump on it to confirm). I double checked the controller config but no luck so far. Could that be caused by a misconfigured tunnel? No ACL or restriction set on WLC - see attached config.
    Thank you in advance,
    Peter

    Is this an open network or have you enabled layer 3 security? Web Auth? I can see you have created a lobby admin account so expect that you use this for guest account creation with web auth..
    When you associate/receive an IP address on the open guest network have you then opened a web browser and authenticated? Until you enter your login details created on the WLC I would imagine that you wouldn't be able to send any data.
    If you have authenticated already, can you check on the WLC that the client is associated/authenticated and is the Corp network ok? Also what is the topology between the WLC/Firewall/Remote sites.
    Cheers
    Mat

  • WLC 4402 + 4 1130AP's.

    Has anyone setup a WLC 4402 and few 1130AP's on their network? Here's the scenario we have VLAN's setup on our network. We want to be able an employee can connect to the internal network and public connect to a DSL Internet. I got the internal employee access the internal network but I couldn't get the DSL users connect to the Internet. Internal network uses DHCP server and DSL users uses Linksys DHCP server. Can someone point me to the right setup/config on 1130AP's to connect to DSL using WLC 4402?

    Make sure you can get the VLAN to the internet before you set up the WLAN. First off I would test the VLAN that you have set up to go to DSL on a switchport on your core switch and work the DHCP issues out there and then work on the WLAN. Can you ping your DSL router interface from your switch? If you can, my guess is that the IP helper address is not set right.
    You will then need to point the WLAN to VLAN you setup for the DSL.

  • WLC 4402-50 with ACS 3.3

    Hi,
    We want to use ACS to authenticate an ssh or http connection to a WLC 4403-50 4.2.99 using TACACS+. On our ACS 4.2 test server it works fine. Configured identically on an ACS 3.3 appliance we are not able to log in although we do see a successful login in the Passed Authentications report within ACS.
    Is there an incompatibility between the WLC 4402-50 and ACS 3.3?
    thanks
    Bob

    The Cisco Secure Access Control Server (ACS) provides authentication, authorization, and accounting (AAA) services for users of the wireless network.
    It is also possible to employ a WLC controller strategy that uses an N+1 approach. When using N+1 architecture, each WLC is configured with a WLC that is designated as a backup WLC in the event of a failure. This controller is not used until there is a failure event upon which all APs using the failed controller switch to the backup WLC. This cost-effective approach provides a high level of availability in the event of a single WLC failure scenario.

  • WLC 4402 7.0.220.0 compatibility.

    hello friends,
    Could you please let me know if Windows 8 laptop machines are compatible with the WLC IOS Version 7.0.220.0.
    My client has WLC 4402 Version 7.0.220.0.
    The message that appears is AAA authentication failed.
    Your help will be highly appreciated.
    Warm Regards
    Nelson Mathias

    You need 7.0.235.3 as a minimum. Here is a reference guide.
    https://supportforums.cisco.com/docs/DOC-27213
    Sent from Cisco Technical Support iPhone App

  • Wireless controller ha between wlc5508 and wlc 4402

    We have 2 wlc:  a wlc 5508 ( license 100 AP ) and  wlc 4402 ( license 12AP).
    We try to set it up so that when the 5508 is down, 12 identified APs (important APs - Group A) will join the 4402 and all other APs (not important APs - Group B) won't join the WLC 4402.
    First, all APs join the WLC 5508; the 2 WLCs have the same mobility group.
    After that, we configure the 12 APs belonging to Group A to have a primary and secondary WLC; Group B only has a primary WLC.
    When the WLC 5508 is down, some of the APs of Group A and some of the APs of Group B join the WLC 4402. We tested many times and we get a different result each time.
    Is there any way to resolve our problem?
    Thanks.

    Just to add, make sure that the WLCs are running the same code; if not, then make sure the AP is supported on the code that is running on the 5508. The issue with mixed code is the AP will upgrade and downgrade every time it switches to a different WLC.
    http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html
    Sent from Cisco Technical Support iPhone App

  • Upgrading from WLC 4402-50 to WLC 5508-250

    I am planning to upgrade my WLC 4402-50 (HA) to WLC 5508-250 (HA). I also have some really old 1020 Access points that I will be replacing with 1142's. Once I have completed the upgrade to the 5508s, I will repurpose the 4402's as Mobile Anchor controllers to support Guest Wireless.
    Does anyone have any actual experience with this sort of upgrade? Any practical suggestions or ideas??
    Thanks,

    Hi,
    Are you still facing this issue? if yes try checking the link if that helps
    http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a008064a991.shtml
    thanks,
    Vinay

  • How to test anomaly detection in IPS6 ?

    Hi!
    Does anybody have experience with AD in IPS6? I tried to test it today with 3 nmap sessions each scanning 100 different IPs. I saw the Sig 13003-0 (single scanner) fired:
    signature: description=AD - External TCP Scanner id=13003 version=S262
    alertDetails: . adExtraData: numDestIps=150; currentThreshold=150; destPort=80
    The scanner threshold was indeed set to 150:
    S1# sh ad-knowledge-base vs0 thresholds current
    External Zone
    TCP Services
    Default
    Scanner Threshold
    User Configuration = 150
    Threshold Histogram - User Configuration
    Low = 10
    Medium = 3
    High = 1
    UDP Services
    This is ok. The problem is that the Sig 13003-1 (worm) didn't fire, however the number of scanned IPs was very high:
    S1# sh statistics anomaly-detection vs0
    Statistics for Virtual Sensor vs0
    Attack in progress
    Detection - ON
    Learning - OFF
    Next KB rotation at 10:00:00 MSK Fri Dec 28 2007
    Internal Zone
    TCP Protocol
    UDP Protocol
    Other Protocol
    External Zone
    TCP Protocol
    Service 80
    Source IP: 10.0.1.1 Num Dest IP: 280
    Questions:
    - what does Low/Medium/High exactly mean in threshold histogram?
    - how does the sensor detect worms? When the Sig 13003-1 fires? What sequence of events should happen?
    - how can I test it?

    The sensor constantly watches for scanners on each port.
    There are 3 categories of scanners:
    Low scanners - scanners that are only scanning a low number of hosts.
    Medium scanners - scanners that are scanning a medium number of hosts
    High scanners - scanners that are scanning a high number of hosts
    NOTE: I can't remember for sure how many hosts must be scanned for it to be a "Low" number of hosts, or "Medium" or "High". But it may be something like 5 hosts scanned is a "Low" scanner, 20 for Medium and 100 for High. Once again I am not sure of those numbers.
    Also be aware that the number of hosts scanned is not the total number of hosts scanned, but is instead the number of hosts scanned THAT did not respond.
    If you connect to 100 web servers and all web servers respond then it does not count that as a scan. If you try to connect to 100 web servers and 92 respond, then for the 8 that don't respond you would be categorized as a Low scanner.
    But just because a scanner is counted in a category does not mean an alert will be generated.
    There are 2 types of alerts (subsig 0 alerts, and subsig 1 alerts)
    Subsig 0 alerts are for a scanner that is scanning enough hosts that you want an alert for it even when no worm has been declared.
    This is the "scanner Threshold / User Configuration = 150" that you see in the "show ad-knowledge-base vs0 thresholds current" output.
    If a scanner scans more than 150 hosts then a specific alert is generated even though no worm has been declared.
    Any scanners scanning less than 150 hosts are still categorized but do not have alerts generated for them when no worm has been declared.
    The subsig 1 alerts are for when a Worm has been declared.
    Here is how a worm gets declared:
    The thresholds for Low, Medium, and High that you see in "show ad-knowledge-base vs0 thresholds current" are the number of active scanners in each category that are allowed to normally be seen on your network (this is the number of scanners that will be seen on your network even when there are no worms).
    A worm gets declared when the number of scanners in any one of the 3 categories goes above the threshold for that category.
    Let's take for example Medium=3 as the threshold for port 21. And let's assume it takes a scan of 20 hosts to be categorized as a Medium scanner.
    This means normally you could have up to 3 scanners on your network where each scanner is scanning 20 or more non-responding hosts on port 21.
    (Maybe these are 3 network administrators periodically checking to see which machines have port 21 open)
    Suddenly you have 5 scanners that start scanning on port 21 and each of the 5 winds up with 20 or more non-responding hosts.
    That 5 has broken the threshold of 3, and a worm is declared. Now any Medium Category scanner on port 21 will begin being declared a scanner under a worm condition (subsig 1).
    So for your testing.
    Instead of running a scan of 100 hosts from just one machine, I would recommend you scan the same 100 hosts from 2 or 3 machines (NOTE: Only need to scan a single port across those 100 hosts).
    Scanning 100 hosts should get them categorized as High scanners. And having 3 High Scanners should push it over the threshold of 1.
    BUT keep in mind that it needs to be 100 hosts not responding on the scanned port.
    Then you will also want to try it with fewer hosts being scanned (like say 25), but with say 5 machines running nmap doing the scanning.
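
The categorization and worm-declaration logic described in the reply above, as an added Python sketch (not Cisco's code and not part of the original thread). The histogram and scanner thresholds come from the output in the question; the 5/20/100 category floors, counting each scanner only in its highest category, and treating the 150 threshold as inclusive are assumptions.

```python
from collections import defaultdict

# Thresholds from the "show ad-knowledge-base vs0 thresholds current" output above.
HISTOGRAM = {"Low": 10, "Medium": 3, "High": 1}
SCANNER_THRESHOLD = 150
# ASSUMED category floors: the reply gives 5/20/100 only as a rough recollection.
CATEGORY_FLOORS = [("High", 100), ("Medium", 20), ("Low", 5)]


def categorize(unanswered_count):
    """Return the highest category whose floor is met, or None (assumed model)."""
    for name, floor in CATEGORY_FLOORS:
        if unanswered_count >= floor:
            return name
    return None


def evaluate(connections):
    """connections: (src_ip, dst_ip, responded) tuples for one zone and port."""
    unanswered = defaultdict(set)
    for src, dst, responded in connections:
        if not responded:                   # answered connections never count
            unanswered[src].add(dst)

    by_category = defaultdict(list)
    for src, dsts in unanswered.items():
        category = categorize(len(dsts))
        if category:
            by_category[category].append(src)

    # A worm is declared when a category holds more scanners than its threshold.
    worm_categories = sorted(c for c, s in by_category.items() if len(s) > HISTOGRAM[c])

    alerts = {}
    for category, sources in by_category.items():
        for src in sources:
            if category in worm_categories:
                alerts[src] = "13003-1"     # scanner under a worm condition
            elif len(unanswered[src]) >= SCANNER_THRESHOLD:  # inclusive: assumption
                alerts[src] = "13003-0"     # single scanner, no worm declared
    return {"worm_categories": worm_categories, "alerts": alerts}


def constructed_scan(src, total, responding=0):
    """Constructed sample traffic: src contacts `total` hosts, `responding` answer."""
    return [(src, f"198.18.{i // 256}.{i % 256}", i < responding) for i in range(total)]
```

Under this model a single source with 280 unanswered destinations produces only the subsig 0 alert, because one High scanner does not exceed the High threshold of 1.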
