Mobility Group Requirements for Guest Anchor WLC

Hello -
I've always assumed you can't create a guest tunnel between a local WLC and an anchor WLC that are in different mobility groups. However, I was told recently (without much detail) that this is possible. So I have set out to test this.
I am trying to point one of my local WLC's guest SSIDs to a guest anchor WLC in a different mobility group. I have a maintenance window coming up and I am looking to anchor the clients on one campus to the anchor WLC on the other campus so guest service does not go down. Each campus is its own mobility group. In trying to set this up I went to the "mobility anchors" screen for the guest SSID on one of the local WLCs and I am unable to add the anchor WLC from the other campus because it's not in the drop-down menu. This is because it's not in the same mobility group. So my question is how do I anchor clients coming through a local WLC in one mobility group to an anchor WLC in another mobility group?
To me it doesn't seem possible without significant configuration changes.   I don't want to reconfigure/recreate mobility groups. 
Thanks
Chuck

Not only is it possible, I would recommend it. However, you may be confusing some concepts.
The Mobility Group is different than the Mobility Domain.  I generally refer to the Mobility Group as those WLCs with the same Default Mobility Group Name, and the Mobility Domain as the entire Mobility List (where you can define up to 72 controllers from various mobility groups).
The point is that if WLCs 1-10 are GroupA, and WLCs 11-20 are GroupB, for anchoring to work you at least need to add the anchor to the mobility list of the foreign wlc, and vice versa.
If you notice, when you add a mobility entry to the list, it should ask you for mobility group. If you leave it blank, it should default to that of that WLC,  but on GroupA controllers, you could define GroupB controllers (and specific GroupB) and then you should now have mobility established between your controllers and the Anchor configuration will have your anchors in the drop-down....
Does that make sense?
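The check implied by the reply above, written out as an added example (not part of the original thread): both the foreign and the anchor WLC must list each other, and an entry whose group is left blank resolves to the local controller's own group, which is wrong for a peer in another mobility group. Controller names, addresses, and the `Entry`/`Controller` model are assumptions made for illustration.

```python
# Added example: audit mobility-list reciprocity for a foreign/anchor WLC pair.
# All names, MACs, IPs and group names here are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class Entry:
    mac: str
    ip: str
    group: str = ""  # blank: falls back to the local controller's own group


@dataclass
class Controller:
    name: str
    mac: str
    ip: str
    group: str  # Default Mobility Group Name
    mobility_list: list = field(default_factory=list)


def find_entry(ctrl, peer):
    """Return ctrl's mobility-list entry for peer (matched by IP), or None."""
    return next((e for e in ctrl.mobility_list if e.ip == peer.ip), None)


def audit_pair(foreign, anchor):
    """List the problems that leave the peering one-sided or mis-grouped."""
    findings = []
    for local, peer in ((foreign, anchor), (anchor, foreign)):
        entry = find_entry(local, peer)
        if entry is None:
            findings.append(f"{local.name}: no mobility entry for {peer.name}")
            continue
        effective = entry.group or local.group
        if effective != peer.group:
            findings.append(
                f"{local.name}: entry for {peer.name} resolves to group "
                f"'{effective}' but {peer.name} is in '{peer.group}'")
    return findings


def build_sample():
    """Foreign WLC in GroupA, anchor in GroupB, configured incompletely."""
    foreign = Controller("campus1-wlc", "00:00:5e:00:53:01", "192.0.2.10", "GroupA")
    anchor = Controller("campus2-anchor", "00:00:5e:00:53:02", "198.51.100.20", "GroupB")
    # Group left blank on the foreign side, and the anchor has no entry back.
    foreign.mobility_list.append(Entry(anchor.mac, anchor.ip))
    return foreign, anchor


def fix_sample(foreign, anchor):
    """Apply what the reply describes: name the peer's group on both sides."""
    foreign.mobility_list = [Entry(anchor.mac, anchor.ip, anchor.group)]
    anchor.mobility_list = [Entry(foreign.mac, foreign.ip, foreign.group)]


if __name__ == "__main__":
    f, a = build_sample()
    print("before:", *audit_pair(f, a), sep="\n  ")
    fix_sample(f, a)
    print("after:", audit_pair(f, a) or "no findings")
```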

Similar Messages

  • Connect an AP to a Guest Anchor WLC?

    We have two WLC 5508 and one foreign guest anchor WLC at the primary data center, also a 5508 box. I would like to connect an AP directly to the guest anchor WLC through its guest VLAN interface, so that the same configuration is applied to it as other APs connected to frontend WLCs connecting users.
    Would this work or should I create a separate interface on the guest anchor WLC to connect the local AP?
    Thanks
    Sankung

    Not a best practice but as long as your AP is just for guest traffic it would be fine. If you also want to have it like your other APs and have other SSIDs, then I wouldn't do that since you have to poke holes in your firewall to allow traffic inside unless you do a reverse anchor to the foreign WLC. You might be better to just use FlexConnect and AP Groups and have the AP terminate to the foreign WLC, but I don't know your setup.

  • How to change "No Password required" for Guest to "Yes"account under Somarsoft Dumpsec

    Check Content:
    Verify all accounts require passwords.
    Run the DUMPSEC utility.
    Select "Dump Users as Table" from the "Report" menu.
    Select the following fields, and click "Add" for each entry:
    UserName
    SID
    PswdRequired
    AcctDisabled
    Groups
    If any accounts have "No" in the "PswdRequired" column, this is a finding.
    Some built-in or application-generated accounts (e.g., Guest, IWAM_, IUSR, etc.) may not have this flag set, even though there are passwords present.  It can be set by entering the following on a command line: "Net user <account_name> /passwordreq:yes".

    Hi Malik,
    How to change "No Password required" for Guest to "Yes"account under Somarsoft Dumpsec
    Please contact SystemTools Technical support to get more efficient support regarding this matter:
    http://www.systemtools.com/support.htm
    http://www.systemtools.com/toolboard/
    Best Regards,
    Amy

  • Guest-Anchor-WLC and NAC integration guide

    I was trying to find some design reference for the Guest-WLC and NAC integration guide. Anyone can share some experience/cisco docs/links?

    User traffic is locally bridged on a 1030 in REAP mode so packet forwarded to the default gtw would follow the NAT rules on the firewall but the real challenge is the LWAPP control channel. In the past using 1:1 NAT I was successful with a CP firewall but I had to play tricks with the mobility group and use the FW logs to track and define the right ports.

  • Implementing Two Guest Anchor WLCs

    Hello -
    I am wondering if anyone has ever setup a guest network solution using two anchor controllers where the internal WLCs each have two anchors configured and use a primary Anchor and when unavailable can dynamically fail over to a secondary Anchor. 
    I am looking to bring my current guest service onto the DMZ.  Right now we are using separate ISPs where we tunnel the guest traffic to an anchor controller and out the separate ISP.   We do not use our corporate internet service for guest.   In any event.  The DMZ design I am working on would include two WLCS sitting on our DMZ.  I'd like to have each internal WLC configured to associate to the DMZ WLC that is connected to our active DMZ/Border.   Upon failure, I would then like to have the internal WLCs failover to the second DMZ WLC on our standby DMZ/Border.   So I would need to configure both anchors on the guest WLAN of each WLC.   I'm just wondering if this is possible and if the failover will actually work.
    Any input is appreciated.   I'd like to implement a redundant guest solution where internal WLCS can dynamically failover to a backup Anchor....
    Thanks
    Chuck

    Hi, I just got done moving our anchors to the DMZ so you are in luck as everything is fresh in my mind. I, like you, have dual anchors in the DMZ I also have over 30 inside (foreign controllers) connected to these anchors.
    When you anchor a WLAN to (2) anchor controllers, the controllers automagically load balance guest associations. Example: 2 guests attached to SSID: GUEST. Guest #1 goes to anchor #1 and guest #2 goes to anchor #2. You don't configure anything, this happens automagically, like I mentioned.
    As for failover. Yes, if you pull the plug to anchor #1. The EoIP tunnel breaks between the anchor and the foreign controller. Guests that were on anchor #1 will require reauthentication and then join to anchor #2. So if you had say an "accept page", these guests will get that same page again from anchor #2.
    Does that answer your question?

  • Email address required for guest access

    We have a guest network with a customized web page right now. When the user connects, it asks for their name and logs it to a RADIUS server. However, the user can leave this field blank and press enter to gain access. Is there some way to force a user to enter their name into this page before access can be granted? We don't want to enter a username for each user because there are too many. I found this page and this is what we want to happen (I can't figure out how to do it).
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html#wp999843
    (figure 10-7)
    We would like a page like this, but the user MUST enter a name or email before proceeding. No password is required. Down the road, we will attempt to verify the email that they enter, however we are not worried about that now.
    Thanks

    This is how we have it setup. However, they don't have to enter anything, the entry field can be blank and they can still be granted access. All we want is for them to enter something in this field before they are allowed on.

  • CCKM vs Mobility Groups - Roaming for Voice Clients

    Hi there,
    I am looking at deploying wireless at our site for voice, I have a couple of questions regarding roaming between APs and the best way to achieve fast roaming for latency sensitive voice and other applications.
    According to Cisco SRND for Voice over Wireless (http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/vowlan/41dg/vowlan_ch5.html), it is recommended:
    "Fast roaming algorithms include Cisco Centralized Key Management (CCKM)  and Proactive Key Caching (PKC). CCKM and PKC allow a WLAN client to  roam to a new AP and re-establish a new session key—known as the  Pairwise Transient Key (PTK)—between the client and AP without requiring  a full IEEE 802.1X/EAP reauthentication to a AAA/RADIUS server."
    But let's say I used WPA/PSK for my WLAN and just rely on mobility information in the controller to perform the handover, would this still be best practice.
    I have actually tested both and they work quite well, neither drops a call or experiences any degradation in voice quality. I suppose I am asking for a real world perspective and if I should adhere to the SRND on this one?
    Many thanks

    Hi Tony,
    Great question BTW.
    CCKM/OKC/PKC only comes into play when EAP is used. During the EAP process the PMK is seeded from the MSK. From the PMK, it is seeding the PTK. With no advanced roaming in use as a client roams from AP to AP you would have to redo that process all over.
    When you use PSK.. Your MSK is your PMK and there is no need to go back to the radius server for a new PMK. So your client and ap exchange this info.. no need for a radius server ..
    Does this make sense?

  • New Group Required for Service Management

    Hi,
    I could not see Forum Group - Service Management
    This covers Maintenance & Customer Services
    If this group is available, we can put our ideas there and then easily find out.
    In the group SCM, huge data is getting posted and difficult to find out particular like Service Management.
    Hope to hear soon,
    Regards,
    Jayantkumar Joshi
    INTELLIGROUP ASIA PVT LTD.,
    Sr PM-CS Lead Consultant
    India

    Hi Jayantkumar Joshi,
    Posting a request for a new forum in this, the Suggestion Forum, is the proper place for such a request.  Thanks for taking the time to do so.
    Creating a new forum usually is done under the following conditions:
    1) There is a critical mass of content in a particular area and the collaboration team sees that the creation of a new forum would best service discussions of that area. (by critical mass, we mean hundreds of references to a topic)
    2) There are requests from a number of community members with some very clear justifications around why such a new forum would be of value to the community.
    (we also would hope that the requestors are active members of the community and actively engaged in using the forums)
    3) The collaboration team sees a new direction or subject evolving and provides a forum for discussing it or a subject becomes so large that it would be better to subdivide it into subcategories. (these requests are trends and we try to avoid creating new forums without being sure there will be active conversation to populate them)
    4) The product management gives us moderation support or there is enough subject matter expertise in the community to create a community led moderation of an area.
    A user can do a search on forums to see examples of such critical mass that warrants its own space.  For example, when subdividing the ABAP forum we searched for key words that were appearing hundreds of times in the general forum and began to create the ability to move discussions to subareas of the ABAP topic for Enhancements, Data Transfer, Dictionary, Form Printing.  Although we did so, people still persist in posting to the ABAP general forum
    We also got community help and support from a number of top contributors in an area as to what topics were constantly recurring.  And lastly and importantly, we turned to subject matter experts internally to get feedback, definition, advice.
    All that being said, we would ask our community to consider:
    1) Is there enough interest in Service Management to create a separate group around this?
    2) Is there enough existing conversation around this topic to move it to such a new area
    3) Is it clear under exactly which category this falls: SCM, CRM, PM and how to know exactly what is meant by Service Management (I did a search in help.sap.com and wasn't really sure)
    Each forum needs a contract that states what kind of content we wish to have discussed there.  That is a prerequisite.
    In light of all these comments, please see if your idea meets the criteria: critical mass, clear definition of what is to be discussed, interest of the community.
    best,
    Marilyn

  • Guest anchor mobility group

    I have 2 anchor controllers in a DMZ to provide redundancy for guest access. They are configured with the same default Mobility group name which is different from the local controller Mobility names. My local controllers include both anchor controllers in their mobility groups configuration. The anchor controllers provide DHCP for guest access, but with different IP subpool addresses.
    Do I have to include both DMZ anchor controllers as well as the local controllers in the mobility groups which are configured on the DMZ controllers?
    Would the DMZ controllers communicate with each other - if so, what information would be exchanged e.g. client status?
    Does symmetric tunnelling have to be configured?
    Thanks

    I would add both DMZ controllers to each other's mobility group list. This way if a client roams from a controller that is anchored to WLC-A to a controller anchored to WLC-B the client's session could be handed off.

  • Guest Anchor N+1: Multiple guest WLANs and Mobility List

    Hi Experts,
    We are going to replace two guest anchor controllers WLC4402 sitting in different DMZs with two WLC5508 as N+1 redundant pair in one DMZ.
    I assume each guest anchor controller should support multiple guest WLANs. Is it correct?
    And between these two new anchor WLCs, do they need to add each other to Mobility List?
    Or maybe I should ask first, does it matter if they are in the same mobility group or not?
    Thanks
    Cedar

    N+1 for guest anchors isn't what N+1 was designed for.  N+1 was designed for redundancy for WLC's supporting access points, not mobility anchors.  This solution might work, but I really doubt Cisco will support this setup, but I can be wrong.... you can always talk with your local Cisco SE or open a TAC case and ask.
    Guest anchors should have a different mobility group name from the foreign WLC's.  You do need the foreign to have both guest anchors and the guest anchor to just have the foreign WLC(s).  The redundant guest anchors do not need to have each other in the mobility group list.
    Thanks,
    Scott

  • WLC 5500 mobility group failover

    Hey
    I have a question: I am testing mobility group with failover for a redundant connection between 2 Cisco 5500 WLCs. On both the controllers I got the mobility working, and both the controllers have the same version and configuration. But when I unplug the main controller the access points don't convers to the second one. They just keep on creaming can't find the main controller. Also with this thus the second wlc need to have the same interface ip address like management..??
    Thanks

    What do you mean by "convers"? An AP will only join one wlc and when that primary wlc is no longer available, should failover to the other/secondary wlc. Mobility is required for an AP to know about all the other APs in that mobility group. And if not configured correctly, your AP will only be able to join that wlc.
    Thanks,
    Scott Fella

  • Can we create Mobility group between WISM2 and WLC 5500

    Dears,
    I need your feedback urgent please,
    Can we create Mobility Group between WISM2 and WLC 5500
    Firmware for WISM2 > 7.4.121.0
    Firmware for WLC5500 > 6.0.196.0
    I created Mobility Group with (IP address , MAC Address and Mobility group name) for Foreign Controller. if any configuration required from my side.
    Wait your feedback urgent please
    Regards,

    Hi,
    Controllers do not have to be of the same model to be a member of a mobility group. Mobility groups can be comprised of any combination of controller platforms.
    That's enough :)
    Regards

  • Mobility Group Table *MUST* be populated in each WLC in same mobility group

    For what it's worth,
    I recently discovered that when you have multiple controllers and want to implement Mobility Groups, more is needed than simply entering the same Default Mobility Group Name for each controller within the mobility group. The following is required:
    a) The IP address of the "Virtual" interface on each controller must be identical on each controller within the mobility group.
    b) The Default Mobility Group Name must be identical on each controller within the mobility group (case sensitive).
    c) The mobility table must be populated with an entry for each controller within the mobility group.
    Otherwise, you will see some inexplicable behavior such as:
    * LWAP access points refusing to change to a different controller, even if their primary controller is explicitly set and the LWAP is rebooted.
    * LWAP access points unable to find any other wireless controller other than the one pointed to by the "CISCO-LWAPP-CONTROLLER" DNS entry (presumably, this would also be the case if DHCP Option 43 is used to point the LWAP to a controller). Once the first controller reaches its max. capacity of LWAPs, no more LWAPs can join.
    * Even MASTER CONTROLLER MODE has no effect.
    Cisco TAC was able to explain the great mystery of the Mobility Group Table to me. However, unless you know your problem is related to mobility groups issues, you might not know to start there (I know I didn't).
    The least difficult method I have found for populating the mobility group table is as follows:
    Build a text file with one entry for each controller in the mobility group as follows:
    Log into the GUI for each controller and selecting: Controller -> Mobility Management -> Mobility Groups, click the "EDIT ALL" button and copy the MAC and IP address from the text box into a text file using NOTEPAD. Repeat this for each controller, creating a new line for each:
    The format for the entries is as follows:
    00:1a:6c:91:22:A0 192.168.20.44
    00:1a:6c:91:22:B4 192.168.20.45
    Once the text file is completed (one entry for each controller in the mobility group), click the EDIT ALL button and copy the entire contents of the text file and paste it into the text box on the controller GUI, click the APPLY button and click Save Changes. Repeat for each controller.
    Again, make sure that the following settings are IDENTICAL in each of the controllers in the Mobility Group:
    * The IP address of the "virtual" interface ( Controller -> interfaces ) must be the same on all controllers.
    * The "Default Mobility Domain Name" ( Controller -> General ) must be identical on each controller in the mobility group (note: the Mobility Domain Name is case sensitive).
    After making changes directly to the controllers, a "refresh from controller" in the WCS might be needed to get the WCS to attempt to synchronize itself with the controllers.
    Here is a link to the 4.2 Wireless Controller Configuration Guide which discusses this in greater detail.
    http://www.cisco.com/en/US/products/ps6366/products_configuration_guide_chapter09186a00808e638b.html
    It is unfortunate that there are currently no mechanisms in the WCS 4.2 to make these changes in bulk (i.e.: The WCS has no Controller Template to do this).
    Also, if you ever need to replace a controller, you will need to update the Mobility Group Table in each controller in the Mobility Group (since the tables will have the MAC address of the old controller which will now be different in the new replacement controller).
    Despite having used the "unified" product for some time now, there are still surprises from time to time. I just thought that I would share my experience for those who may want to avoid it and/or who may be encountering any of the odd behavior described above.
    - John

    Hi John,
    Nice work with this very relevant info! Please post a short reply here so that we can give this the nice rating it deserves :)
    Thanks again!
    Rob
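The three requirements and the "MAC IP" table format from John's post above, turned into an audit script as an added example (it is not from the original thread or from Cisco). The two MAC/IP pairs are the sample lines from the post; controller names, group names, the virtual IP and the dictionary layout are assumptions for illustration.

```python
# Added example: audit one mobility group against the three requirements in the
# post above and render the "MAC IP" text for the Edit All box.
import re

ENTRY = re.compile(
    r"^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_edit_all(text):
    """Parse 'MAC IP' lines copied from a controller into {ip: lowercase mac}."""
    table = {}
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = ENTRY.match(line)
        if match is None:
            raise ValueError(f"line {number}: expected 'MAC IP', got {line!r}")
        table[match.group(2)] = match.group(1).lower()
    return table


def render_edit_all(inventory):
    """One 'MAC IP' line per controller, ready to paste into every controller."""
    return "\n".join(f"{c['mac']} {c['ip']}" for c in inventory)


def audit_group(inventory, exported):
    """inventory: dicts with name, mac, ip, group, virtual_ip.
    exported: {controller name: Edit All text copied from that controller}."""
    findings = []
    ref = inventory[0]
    for c in inventory[1:]:
        if c["virtual_ip"] != ref["virtual_ip"]:
            findings.append(f"{c['name']}: virtual IP differs from {ref['name']}")
        if c["group"] != ref["group"]:  # exact compare: the name is case sensitive
            findings.append(f"{c['name']}: group name differs from {ref['name']}")
    expected = parse_edit_all(render_edit_all(inventory))
    for c in inventory:
        have = parse_edit_all(exported.get(c["name"], ""))
        for ip, mac in expected.items():
            if ip not in have:
                findings.append(f"{c['name']}: no entry for {ip}")
            elif have[ip] != mac:  # e.g. a replaced controller's old MAC
                findings.append(f"{c['name']}: stale MAC for {ip}")
    return findings


# MAC/IP pairs are the two sample lines from the post; names, group names and
# the virtual IP are constructed for the example.
INVENTORY = [
    {"name": "wlc-1", "mac": "00:1a:6c:91:22:A0", "ip": "192.168.20.44",
     "group": "Campus", "virtual_ip": "192.0.2.1"},
    {"name": "wlc-2", "mac": "00:1a:6c:91:22:B4", "ip": "192.168.20.45",
     "group": "campus", "virtual_ip": "192.0.2.1"},
]
EXPORTED = {
    "wlc-1": "00:1a:6c:91:22:A0 192.168.20.44\n00:1a:6c:91:22:B4 192.168.20.45",
    # wlc-2 lists only itself: its table was never populated.
    "wlc-2": "00:1a:6c:91:22:B4 192.168.20.45",
}

if __name__ == "__main__":
    for finding in audit_group(INVENTORY, EXPORTED):
        print(finding)
    print(render_edit_all(INVENTORY))
```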

  • 5508 Mobility Groups

    Hello.
    2 questions
    1) Is it possible for 2 WLCs installed in separate data centres with L3 separation to be joined in a mobility group? We will have APs in the branch offices split between controllers so we want to make sure roaming works ok. Also all guest access should be anchored to data centre 2.
    2) in flexconnect local switching mode, do I need to create flexconnect groups if I'm only using radius servers in the data centre with no requirement to use local radius as a backup?

    Mobility groups can work when the WLCs are in different subnets as long as UDP 16666 and IP 97 are allowed between the two WLCs.
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mobil.html#wp1102312
    You will not be able to configure for guest, what wlc is primary or secondary.  The foreign WLC will decide which guest anchor controller (if there is two) it will use.
    You don't need to use flexconnect groups if you don't want to.  If your devices are not cckm compliant, then I wouldn't worry about it personally.  Here are the numbers, but some has changed with the 7.3.
    The number of FlexConnect groups and access point support depends on the platform that you are using. You can configure the following:
    •Up to 100 FlexConnect groups for a Cisco 5500 Series Controller
    •Up to 1000 FlexConnect groups for a Cisco Flex 7500 Series Controller. The Cisco Flex 7500 Series Controller can accommodate up to 50 access points per FlexConnect group.
    •Up to 20 FlexConnect groups with up to 25 access points per group for the remaining platforms.
    https://supportforums.cisco.com/docs/DOC-26778#Increased_scale_for_Cisco_Flex_7500_Series_Controllers_668166
    Thanks,
    Scott

  • Mobility group membership

    I have 4 WLC's deployed :
    1. AnchorWLC - WLC4402 anchor in a DMZ for guest access
    2. WLCA1 - WLC4402 on SiteA
    3. WLCB1 - WLC2006 on SiteB
    4. WLCB2 - WLC2006 on SiteB
    SiteA & SiteB are geographically separated.
    On all WLC's there is the same mobility group 'group1' with the following group members:
    1.on AnchorWLC: group1 members:WLCA1,WLCB1,WLCB2
    2.on WLCA1: group1 members: anchorWLC
    3.on WLCB1: group1 members: WLCB2,anchorWLC
    4.on WLCB2: group1 members:WLCB1,anchorWLC
    As SiteA and SiteB are geographically separated I have not included internal(non-anchor) WLC's that are on siteA in the mobility group created on WLC's on SiteB and vice versa . The only WLC that has all controllers added to his mobility group is the AnchorWLC as guest access is needed from both siteA and siteB.
    Is this a valid config (anyway it is working...) or is it recommended to have 2 different mobility groups, one for each site (A & B) and create 2 separate mobility groups on the anchorWLC?

    I would recommend going for two separate mobility groups. Even though it is working since it is geographically separated, it's always better to have different mobility groups.
