No of SSID support on Cisco WLC
Hi All,
Can you please help me on providing below details on Cisco wireless controller?
1. No of SSID support on Cisco WLC
2. Is it possible to restrict SSID on AP's (e.g. I have 10 SSID's configured on controller, I want first 10 Access points use set of SSID (SSID 1-5), and rest of the AP use SSID 6-10.
Thanks
Jamal
Hi Jamal,
Just to add a touch to the great info from Robert (+5 points Robert)
The feature you are looking for is called WLAN Override in WLC 4.x versions.
Enabling WLAN Override
By default, access points transmit all defined WLANs on the controller. However, you can use the WLAN Override option to select which WLANs are transmitted and which ones are not on a per access point basis. For example, you can use WLAN override to control where in the network the guest WLAN is transmitted or you can use it to disable a specific WLAN in a certain area of the network.
From this doc;
http://www.cisco.com/en/US/docs/wireless/controller/4.0/configuration/guide/c40wlan.html#wp1114777
Once you create a new WLAN, the WLAN > Edit page for the new WLAN appears. In this page you can define various parameters specific to this WLAN including General Policies, RADIUS Servers, Security Policies, and 802.1x Parameters.
**Check Admin Status under General Policies to enable the WLAN. If you want the AP to broadcast the SSID in its beacon frames, check Broadcast SSID.
Note: You can configure up to sixteen WLANs on the controller. The Cisco WLAN Solution can control up to sixteen WLANs for Lightweight APs. Each WLAN has a separate WLAN ID (1 through 16), a separate WLAN SSID (WLAN name), and can be assigned unique security policies. Lightweight APs broadcast all active Cisco WLAN Solution WLAN SSIDs and enforce the policies that you define for each WLAN.
From this good doc;
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml#c3
In 5.x versions you will use AP Groups, because in WLC 5.x versions, WLAN Override has been replaced with the "AP Groups" feature;
Creating Access Point Groups
After all access points have joined the controller, you can create up to 150 access point groups and assign up to 16 WLANs to each group. Each access point advertises only the enabled WLANs that belong to its access point group. The access point does not advertise disabled WLANs in its access point group or WLANs that belong to another group.
http://www.cisco.com/en/US/docs/wireless/controller/5.2/configuration/guide/c52wlan.html#wp1128591
To learn more about AP Groups check out George's excellent video
http://www.my80211.com/cisco-labs/2009/3/22/cisco-ap-group-nugget.html
Hope this helps!
Rob
Similar Messages
-
Nokia Lumia support for Cisco WLC
Dear All,
I am using Cisco Wireless LAN Controller 4404 in my network, All devices (Laptops, samsung mobile phones, Iphone, HTC, etc) are connecting and working perfectly but NOKIA Lumia mobile phone is unable to connect.
Is there any hotfix for WLC available? please advise
Regards,
JunaidPlease find below debug details, I started debugging the device by command debug client (client mac) and then tried to connect the device.
*dot1xMsgTask: Sep 25 12:14:03.096: ec:f3:5b:d3:99:20 dot1x - moving mobile ec:f3:5b:d3:99:20 into Connecting state
*dot1xMsgTask: Sep 25 12:14:03.097: ec:f3:5b:d3:99:20 Sending EAP-Request/Identity to mobile ec:f3:5b:d3:99:20 (EAP Id 1)
*Dot1x_NW_MsgTask_0: Sep 25 12:14:03.148: ec:f3:5b:d3:99:20 Received EAPOL START from mobile ec:f3:5b:d3:99:20
*Dot1x_NW_MsgTask_0: Sep 25 12:14:03.148: ec:f3:5b:d3:99:20 dot1x - moving mobile ec:f3:5b:d3:99:20 into Connecting state
*Dot1x_NW_MsgTask_0: Sep 25 12:16:05.035: apfGetRsnIE: Processing WPA/RSN IE type 48, length 56 processed only 38 bytes
*Dot1x_NW_MsgTask_0: Sep 25 12:16:05.076: apfGetRsnIE: Processing WPA/RSN IE type 48, length 56 processed only 38 bytes
*Dot1x_NW_MsgTask_0: Sep 25 12:16:05.076: apfGetRsnIE: Processing WPA/RSN IE type 48, length 56 processed only 38 bytes
*Dot1x_NW_MsgTask_0: Sep 25 12:16:05.076: apfGetRsnIE: Processing WPA/RSN IE type 48, length 56 processed only 38 bytes
*Dot1x_NW_MsgTask_0: Sep 25 12:16:05.112: apfGetRsnIE: Processing WPA/RSN IE type 48, length 56 processed only 38 bytes
And on cell phone it shows the following message:
connection unsuccessful,
the credentials provided by the server couldn't be validated,
I tried to connect it without any encryption and it got connected successfully, issue only on wpa2-Enterprise.
Please advise,,,
Regards,
Junaid -
I have a Problem with Romming Between SSIDs withing the same WLC but with deferent VLAN .
HI All,
I have a Problem with Romming Between SSIDs withing the same WLC but with deferent VLAN . the WLC are providing the HQ and one of the Branches the Wireless services .
Am using all the available 9 SSIDs at the HQ , and am using only 4 of it at the Brnche.
The problem that i have are happening only at the Branch office as i cant room between the SSIDs within Diferent VLANs but i can do it with the one that pointing to the same VLAN. Once the client ( Laptop/Phone ) connected to one of the SSIDs. it imposiible to have him connected to the other ones with Different VLAN. meanwhile, It says its connected to the other SSID but its not getting IP from that pool.
here is the Show Run-Config from my WLC .. and the Problem happening between the SSID AMOBILE and ASTAFF. i have the Debug while am switching between the SSIDs if needed .
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.11.04 10:20:47 =~=~=~=~=~=~=~=~=~=~=~=
show run-config
Press Enter to continue...
System Inventory
NAME: "Chassis" , DESCR: "Cisco 5500 Series Wireless LAN Controller"
PID: AIR-CT5508-K9, VID: V01, SN: FCW1535L01G
Burned-in MAC Address............................ 30:E4:DB:1B:99:80
Power Supply 1................................... Present, OK
Power Supply 2................................... Absent
Maximum number of APs supported.................. 12
Press Enter to continue or <ctrl-z> to abort
System Information
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.235.0
Bootloader Version............................... 1.0.1
Field Recovery Image Version..................... 6.0.182.0
Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
Build Type....................................... DATA + WPS
System Name...................................... WLAN Controller 5508
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
IP Address....................................... 10.125.18.15
Last Reset....................................... Software reset
System Up Time................................... 41 days 5 hrs 14 mins 42 secs
System Timezone Location......................... (GMT -5:00) Eastern Time (US and Canada)
Current Boot License Level....................... base
Current Boot License Type........................ Permanent
Next Boot License Level.......................... base
Next Boot License Type........................... Permanent
Configured Country............................... US - United States
--More or (q)uit current module or <ctrl-z> to abort
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +36 C
External Temperature............................. +20 C
Fan Status....................................... OK
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 10
Number of Active Clients......................... 61
Burned-in MAC Address............................ 30:E4:DB:1B:99:80
Power Supply 1................................... Present, OK
Power Supply 2................................... Absent
Maximum number of APs supported.................. 12
Press Enter to continue or <ctrl-z> to abort
AP Bundle Information
Primary AP Image Size
ap3g1 5804
ap801 5192
ap802 5232
c1100 3096
c1130 4972
c1140 4992
c1200 3364
c1240 4812
c1250 5512
c1310 3136
c1520 6412
c3201 4324
c602i 3716
Secondary AP Image Size
ap801 4964
c1100 3036
--More or (q)uit current module or <ctrl-z> to abort
c1130 4884
c1140 4492
c1200 3316
c1240 4712
c1250 5064
c1310 3084
c1520 5244
c3201 4264
Press Enter to continue or <ctrl-z> to abort
Switch Configuration
802.3x Flow Control Mode......................... Disable
FIPS prerequisite features....................... Disabled
secret obfuscation............................... Enabled
Strong Password Check Features:
case-check ...........Enabled
consecutive-check ....Enabled
default-check .......Enabled
username-check ......Enabled
Press Enter to continue or <ctrl-z> to abort
Network Information
RF-Network Name............................. OGR
Web Mode.................................... Disable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Enable
OCSP........................................ Disabled
OCSP responder URL..........................
Secure Shell (ssh).......................... Enable
Telnet...................................... Disable
Ethernet Multicast Forwarding............... Disable
Ethernet Broadcast Forwarding............... Disable
AP Multicast/Broadcast Mode................. Unicast
IGMP snooping............................... Disabled
IGMP timeout................................ 60 seconds
IGMP Query Interval......................... 20 seconds
User Idle Timeout........................... 300 seconds
ARP Idle Timeout............................ 300 seconds
Cisco AP Default Master..................... Enabled
AP Join Priority............................ Disable
Mgmt Via Wireless Interface................. Disable
Mgmt Via Dynamic Interface.................. Disable
--More or (q)uit current module or <ctrl-z> to abort
Bridge MAC filter Config.................... Enable
Bridge Security Mode........................ EAP
Mesh Full Sector DFS........................ Enable
AP Fallback ................................ Enable
Web Auth Redirect Ports .................... 80
Web Auth Proxy Redirect ................... Disable
Fast SSID Change ........................... Enabled
AP Discovery - NAT IP Only ................. Enabled
IP/MAC Addr Binding Check .................. Enabled
Press Enter to continue or <ctrl-z> to abort
Port Summary
STP Admin Physical Physical Link Link
Pr Type Stat Mode Mode Status Status Trap POE SFPType
1 Normal Forw Enable Auto 1000 Full Up Enable N/A 1000BaseTX
2 Normal Disa Enable Auto Auto Down Enable N/A Not Present
3 Normal Disa Enable Auto Auto Down Enable N/A Not Present
4 Normal Disa Enable Auto Auto Down Enable N/A Not Present
5 Normal Disa Enable Auto Auto Down Enable N/A Not Present
6 Normal Disa Enable Auto Auto Down Enable N/A Not Present
7 Normal Disa Enable Auto Auto Down Enable N/A Not Present
8 Normal Disa Enable Auto Auto Down Enable N/A Not Present
Press Enter to continue or <ctrl-z> to abort
AP Summary
Number of APs.................................... 8
Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured
AP Name Slots AP Model Ethernet MAC Location Port Country Priority
KNOWLOGY_DC01 2 AIR-LAP1131AG-A-K9 00:1d:45:86:ed:4e KNOWLOGY_DC_Serv 1 US 1
KNOWLOGY_DC02 2 AIR-LAP1131AG-A-K9 00:21:d8:36:c5:c4 KNOWLOGY_DC_Serv 1 US 1
KN1252_AP01 2 AIR-LAP1252AG-A-K9 00:21:d8:ef:06:50 Knowlogy Confere 1 US 1
KN1252_AP02 2 AIR-LAP1252AG-A-K9 00:22:55:8e:2e:d4 Server Room Side 1 US 1
Anham_AP03 2 AIR-LAP1142N-A-K9 70:81:05:88:15:b5 default location 1 US 1
ANHAM_AP01 2 AIR-LAP1142N-A-K9 70:81:05:b0:e4:62 Small Conference 1 US 1
ANHAM_AP04 2 AIR-LAP1131AG-A-K9 00:1d:45:86:e1:b8 Conference room 1 US 1
ANHAM_AP02 2 AIR-LAP1142N-A-K9 70:81:05:96:7a:49 Copy Room 1 US 1
AP Tcp-Mss-Adjust Info
AP Name TCP State MSS Size
KNOWLOGY_DC01 disabled -
KNOWLOGY_DC02 disabled -
--More or (q)uit current module or <ctrl-z> to abort
KN1252_AP01 disabled -
KN1252_AP02 disabled -
Anham_AP03 disabled -
ANHAM_AP01 disabled -
ANHAM_AP04 disabled -
ANHAM_AP02 disabled -
Press Enter to continue or <ctrl-z> to abort
AP Location
Total Number of AP Groups........................ 3
Site Name........................................ ANHAM8075
Site Description................................. ANHAM 8075 Location
WLAN ID Interface Network Admission Control Radio Policy
1 knowlogy_ogr Disabled None
6 knowlogy_ogr Disabled None
9 knowlogy_ogr Disabled None
7 knowlogy_ogr Disabled None
AP Name Slots AP Model Ethernet MAC Location Port Country Priority
Anham_AP03 2 AIR-LAP1142N-A-K9 70:81:05:88:15:b5 default location 1 US 1
ANHAM_AP01 2 AIR-LAP1142N-A-K9 70:81:05:b0:e4:62 Small Conference 1 US 1
ANHAM_AP04 2 AIR-LAP1131AG-A-K9 00:1d:45:86:e1:b8 Conference room 1 US 1
ANHAM_AP02 2 AIR-LAP1142N-A-K9 70:81:05:96:7a:49 Copy Room 1 US 1
Site Name........................................ Knowlogy_DC
--More or (q)uit current module or <ctrl-z> to abort
Site Description................................. DC Center Access points
WLAN ID Interface Network Admission Control Radio Policy
2 knowlogy_ogr Disabled None
4 knowlogy_ogr Disabled None
3 knowlogy_ogr Disabled None
AP Name Slots AP Model Ethernet MAC Location Port Country Priority
KNOWLOGY_DC01 2 AIR-LAP1131AG-A-K9 00:1d:45:86:ed:4e KNOWLOGY_DC_Serv 1 US 1
KNOWLOGY_DC02 2 AIR-LAP1131AG-A-K9 00:21:d8:36:c5:c4 KNOWLOGY_DC_Serv 1 US 1
Site Name........................................ OGR
Site Description................................. 1934 OGR Office
WLAN ID Interface Network Admission Control Radio Policy
1 knowlogy_ogr Disabled None
2 knowlogy_ogr Disabled None
4 knowlogy_ogr Disabled None
6 knowlogy_ogr Disabled None
--More or (q)uit current module or <ctrl-z> to abort
7 knowlogy_ogr Disabled None
9 knowlogy_ogr Disabled None
8 knowlogy_ogr Disabled None
AP Name Slots AP Model Ethernet MAC Location Port Country Priority
KN1252_AP01 2 AIR-LAP1252AG-A-K9 00:21:d8:ef:06:50 Knowlogy Confere 1 US 1
KN1252_AP02 2 AIR-LAP1252AG-A-K9 00:22:55:8e:2e:d4 Server Room Side 1 US 1
Site Name........................................ default-group
Site Description................................. <none>
WLAN ID Interface Network Admission Control Radio Policy
1 knowlogy_ogr Disabled None
2 knowlogy_ogr Disabled None
3 knowlogy_ogr Disabled None
4 knowlogy_ogr Disabled None
5 knowlogy_ogr Disabled None
6 knowlogy_ogr Disabled None
7 knowlogy_ogr Disabled None
8 knowlogy_ogr Disabled None
--More or (q)uit current module or <ctrl-z> to abort
9 knowlogy_ogr Disabled None
10 management Disabled None
AP Name Slots AP Model Ethernet MAC Location Port Country Priority
Press Enter to continue or <ctrl-z> to abort
AP Config
Cisco AP Identifier.............................. 6
Cisco AP Name.................................... KNOWLOGY_DC01
Country code..................................... US - United States
Regulatory Domain allowed by Country............. 802.11bg:-A 802.11a:-A
AP Country code.................................. US - United States
AP Regulatory Domain............................. -A
Switch Port Number .............................. 1
MAC Address...................................... 00:1d:45:86:ed:4e
IP Address Configuration......................... DHCP
IP Address....................................... 10.22.1.100
Gateway IP Addr.................................. 10.22.1.1
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Disabled
Ssh State........................................ Disabled
Cisco AP Location................................ KNOWLOGY_DC_ServerRoom
Cisco AP Group Name.............................. Knowlogy_DC
Primary Cisco Switch Name........................ wireless.knowlogy.com
Primary Cisco Switch IP Address.................. 10.125.18.15
Secondary Cisco Switch Name......................
Secondary Cisco Switch IP Address................ Not Configured
--More or (q)uit current module or <ctrl-z> to abortIP Address.................. 10.125.18.15
Tertiary Cisco Switch Name.......................
Tertiary Cisco Switch IP Address................. Not Configured
Administrative State ............................ ADMIN_ENABLED
Operation State ................................. REGISTERED
Mirroring Mode .................................. Disabled
AP Mode ......................................... H-Reap
Public Safety ................................... Disabled
AP SubMode ...................................... Not Configured
Remote AP Debug ................................. Disabled
Logging trap severity level ..................... informational
Logging syslog facility ......................... kern
S/W Version .................................... 7.0.235.0
Boot Version ................................... 12.3.8.0
Mini IOS Version ................................ 3.0.51.0
Stats Reporting Period .......................... 180
LED State........................................ Enabled
PoE Pre-Standard Switch.......................... Disabled
PoE Power Injector MAC Addr...................... Disabled
Power Type/Mode.................................. Power injector / Normal mode
Number Of Slots.................................. 2
AP Model......................................... AIR-LAP1131AG-A-K9
AP Image......................................... C1130-K9W8-M
IOS Version...................................... 12.4(23c)JA5
--More or (q)uit current module or <ctrl-z> to abort
Reset Button..................................... Enabled
AP Serial Number................................. FTX1134T0QG
AP Certificate Type.............................. Manufacture Installed
H-REAP Vlan mode :............................... Enabled
Native ID :..................................... 22
WLAN 2 :........................................ 21
WLAN 4 :........................................ 25
WLAN 3 :........................................ 25
H-REAP Backup Auth Radius Servers :
Static Primary Radius Server.................... Disabled
Static Secondary Radius Server.................. Disabled
Group Primary Radius Server..................... Disabled
Group Secondary Radius Server................... Disabled
AP User Mode..................................... AUTOMATIC
AP User Name..................................... Not Configured
AP Dot1x User Mode............................... Not Configured
AP Dot1x User Name............................... Not Configured
Cisco AP system logging host..................... 255.255.255.255
AP Up Time....................................... 48 days, 20 h 19 m 18 s
AP LWAPP Up Time................................. 40 days, 13 h 58 m 18 s
Join Date and Time............................... Tue Sep 24 21:24:33 2013
Join Taken Time.................................. 0 days, 00 h 10 m 47 s
--More or (q)uit current module or <ctrl-z> to abort
Attributes for Slot 0
Radio Type................................... RADIO_TYPE_80211b
Administrative State ........................ ADMIN_ENABLED
Operation State ............................. UP
Radio Role .................................. ACCESS
CellId ...................................... 0
Station Configuration
Configuration ............................. AUTOMATIC
Number Of WLANs ........................... 3
Medium Occupancy Limit .................... 100
CFP Period ................................ 4
CFP MaxDuration ........................... 60
BSSID ..................................... 00:1d:71:09:8f:90
Operation Rate Set
1000 Kilo Bits........................... MANDATORY
2000 Kilo Bits........................... MANDATORY
5500 Kilo Bits........................... MANDATORY
11000 Kilo Bits.......................... MANDATORY
Beacon Period ............................. 100
Fragmentation Threshold ................... 2346
Multi Domain Capability Implemented ....... TRUE
--More or (q)uit current module or <ctrl-z> to abort
Multi Domain Capability Enabled ........... TRUE
Country String ............................ US
Multi Domain Capability
Configuration ............................. AUTOMATIC
First Chan Num ............................ 1
Number Of Channels ........................ 11
MAC Operation Parameters
Configuration ............................. AUTOMATIC
Fragmentation Threshold ................... 2346
Packet Retry Limit ........................ 64
Tx Power
Num Of Supported Power Levels ............. 8
Tx Power Level 1 .......................... 20 dBm
Tx Power Level 2 .......................... 17 dBm
Tx Power Level 3 .......................... 14 dBm
Tx Power Level 4 .......................... 11 dBm
Tx Power Level 5 .......................... 8 dBm
Tx Power Level 6 .......................... 5 dBm
Tx Power Level 7 .......................... 2 dBm
Tx Power Level 8 .......................... -1 dBm
--More or (q)uit current module or <ctrl-z> to abort
Tx Power Configuration .................... AUTOMATIC
Current Tx Power Level .................... 1
Phy DSSS parameters
Configuration ............................. AUTOMATIC
Current Channel ........................... 11
Extension Channel ......................... NONE
Channel Width.............................. 20 Mhz
Allowed Channel List....................... 1,2,3,4,5,6,7,8,9,10,11
Current CCA Mode .......................... 0
ED Threshold .............................. -50
Antenna Type............................... INTERNAL_ANTENNA
Internal Antenna Gain (in .5 dBi units).... 8
Diversity.................................. DIVERSITY_ENABLED
Performance Profile Parameters
Configuration ............................. AUTOMATIC
Interference threshold..................... 10 %
Noise threshold............................ -70 dBm
RF utilization threshold................... 80 %
Data-rate threshold........................ 1000000 bps
Client threshold........................... 12 clients
Coverage SNR threshold..................... 12 dB
--More or (q)uit current module or <ctrl-z> to abort
Coverage exception level................... 25 %
Client minimum exception level............. 3 clients
Rogue Containment Information
Containment Count............................ 0
CleanAir Management Information
CleanAir Capable......................... No
Cisco AP Identifier.............................. 6
Cisco AP Name.................................... KNOWLOGY_DC01
Country code..................................... US - United States
Regulatory Domain allowed by Country............. 802.11bg:-A 802.11a:-A
AP Country code.................................. US - United States
AP Regulatory Domain............................. -A
Switch Port Number .............................. 1
MAC Address...................................... 00:1d:45:86:ed:4e
IP Address Configuration......................... DHCP
IP Address....................................... 10.22.1.100
Gateway IP Addr.................................. 10.22.1.1
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Disabled
Ssh State........................................ Disabled
--More or (q)uit current module or <ctrl-z> to abort
Cisco AP Location................................ KNOWLOGY_DC_ServerRoom
Cisco AP Group Name.............................. Knowlogy_DC
Primary Cisco Switch Name........................ wireless.knowlogy.com
Primary Cisco Switch Secondary Cisco Switch Name......................
Secondary Cisco Switch IP Address................ Not Configured
Tertiary Cisco Switch Name.......................
Tertiary Cisco Switch IP Address................. Not Configured
Administrative State ............................ ADMIN_ENABLED
Operation State ................................. REGISTERED
Mirroring Mode .................................. Disabled
AP Mode ......................................... H-Reap
Public Safety ................................... Disabled
AP SubMode ...................................... Not Configured
Remote AP Debug ................................. Disabled
Logging trap severity level ..................... informational
Logging syslog facility ......................... kern
S/W Version .................................... 7.0.235.0
Boot Version ................................... 12.3.8.0
Mini IOS Version ................................ 3.0.51.0
Stats Reporting Period .......................... 180
LED State........................................ Enabled
PoE Pre-Standard Switch.......................... Disabled
PoE Power Injector MAC Addr...................... Disabled
--More or (q)uit current module or <ctrl-z> to abort
Power Type/Mode.................................. Power injector / Normal mode
Number Of Slots.................................. 2
AP Model......................................... AIR-LAP1131AG-A-K9
AP Image......................................... C1130-K9W8-M
IOS Version...................................... 12.4(23c)JA5
Reset Button..................................... Enabled
AP Serial Number................................. FTX1134T0QG
AP Certificate Type.............................. Manufacture Installed
H-REAP Vlan mode :............................... Enabled
Native ID :..................................... 22
WLAN 2 :........................................ 21
WLAN 4 :........................................ 25
WLAN 3 :........................................ 25
H-REAP Backup Auth Radius Servers :
Static Primary Radius Server.................... Disabled
Static Secondary Radius Server.................. Disabled
Group Primary Radius Server..................... Disabled
Group Secondary Radius Server................... Disabled
AP User Mode..................................... AUTOMATIC
AP User Name..................................... Not Configured
AP Dot1x User Mode............................... Not Configured
AP Dot1x User Name............................... Not Configured
Cisco AP system logging host..................... 255.255.255.255
--More or (q)uit current module or <ctrl-z> to abort
AP Up Time....................................... 48 days, 20 h 19 m 18 s
AP LWAPP Up Time................................. 40 days, 13 h 58 m 18 s
Join Date and Time............................... Tue Sep 24 21:24:33 2013
Join Taken Time.................................. 0 days, 00 h 10 m 47 s
Attributes for Slot 1
Radio Type................................... RADIO_TYPE_80211a
Radio Subband................................ RADIO_SUBBAND_ALL
Administrative State ........................ ADMIN_ENABLED
Operation State ............................. UP
Radio Role .................................. ACCESS
CellId ...................................... 0
Station Configuration
Configuration ............................. AUTOMATIC
Number Of WLANs ........................... 3
Medium Occupancy Limit .................... 100
CFP Period ................................ 4
CFP MaxDuration ........................... 60
BSSID ..................................... 00:1d:71:09:8f:90
Operation Rate Set
6000 Kilo Bits........................... MANDATORY
--More or (q)uit current module or <ctrl-z> to abort
9000 Kilo Bits........................... SUPPORTED
12000 Kilo Bits.......................... MANDATORY
18000 Kilo Bits.......................... SUPPORTED
24000 Kilo Bits.......................... MANDATORY
36000 Kilo Bits.......................... SUPPORTED
48000 Kilo Bits.......................... SUPPORTED
54000 Kilo Bits.......................... SUPPORTED
Beacon Period ............................. 100
Fragmentation Threshold ................... 2346
Multi Domain Capability Implemented ....... TRUE
Multi Domain Capability Enabled ........... TRUE
Country String ............................ US
Multi Domain Capability
Configuration ............................. AUTOMATIC
First Chan Num ............................ 36
Number Of Channels ........................ 20
MAC Operation Parameters
Configuration ............................. AUTOMATIC
Fragmentation Threshold ................... 2346
Packet Retry Limit ........................ 64
--More or (q)uit current module or <ctrl-z> to abort
Tx Power
Num Of Supported Power Levels ............. 7
Tx Power Level 1 .......................... 15 dBm
Tx Power Level 2 .......................... 14 dBm
Tx Power Level 3 .......................... 11 dBm
Tx Power Level 4 .......................... 8 dBm
Tx Power Level 5 .......................... 5 dBm
Tx Power Level 6 .......................... 2 dBm
Tx Power Level 7 .......................... -1 dBm
Tx Power Configuration .................... AUTOMATIC
Current Tx Power Level .................... 1
Phy OFDM parameters
Configuration ............................. AUTOMATIC
Current Channel ........................... 44
Extension Channel ......................... NONE
Channel Width.............................. 20 Mhz
Allowed Channel List....................... 36,40,44,48,52,56,60,64,100,
......................................... 104,108,112,116,132,136,140,
......................................... 149,153,157,161
TI Threshold .............................. -50
Antenna Type............................... INTERNAL_ANTENNA
Internal Antenna Gain (in .5 dBi units).... 8
--More or (q)uit current module or <ctrl-z> to abort
Diversity.................................. DIVERSITY_ENABLED
Performance Profile Parameters
Configuration ............................. AUTOMATIC
Interference threshold..................... 10 %
Noise threshold............................ -70 dBm
RF utilization threshold................... 80 %
Data-rate threshold........................ 1000000 bps
Client threshold........................... 12 clients
Coverage SNR threshold..................... 16 dB
Coverage exception level................... 25 %
Client minimum exception level............. 3 clients
Rogue Containment Information
Containment Count............................ 0
CleanAir Management Information
CleanAir Capable......................... No
Press Enter to continue or <ctrl-z> to abort
Cisco AP Identifier.............................. 3
Cisco AP Name.................................... KNOWLOGY_DC02
Country code..................................... US - United States
Regulatory Domain allowed by Country............. 802.11bg:-A 802.11a:-A
AP Country code.................................. US - United States
AP Regulatory Domain............................. -A
Switch Port Number .............................. 1
MAC Address...................................... 00:21:d8:36:c5:c4
IP Address Configuration......................... DHCP
IP Address....................................... 10.22.1.101
Gateway IP Addr.................................. 10.22.1.1
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Disabled
Ssh State........................................ Disabled
Cisco AP Location................................ KNOWLOGY_DC_ServerRoom
Cisco AP Group Name.............................. Knowlogy_DC
Primary Cisco Switch Name........................
Primary Cisco Switch IP Address.................. Not Configured
Secondary Cisco Switch Name......................
Secondary Cisco Switch IP Address................ Not Configured
Tertiary Cisco Switch Name.......................
--More or (q)uit current module or <ctrl-z> to abort
Tertiary Cisco Switch IP Address................. Not Configured
Administrative State ............................ ADMIN_ENABLED
Operation State ................................. REGISTERED
Mirroring Mode .................................. Disabled
AP Mode ......................................... H-Reap
Public Safety ................................... Disabled
AP SubMode ...................................... Not Configured
Remote AP Debug ................................. Disabled
Logging trap severity level ..................... informational
Logging syslog facility ......................... kern
S/W Version .................................... 7.0.235.0
Boot Version ................................... 12.3.8.0
Mini IOS Version ................................ 3.0.51.0
Stats Reporting Period .......................... 180
LED State........................................ Enabled
PoE Pre-Standard Switch.......................... Enabled
PoE Power Injector MAC Addr...................... Disabled
Power Type/Mode.................................. Power injector / Normal mode
Number Of Slots.................................. 2
AP Model......................................... AIR-LAP1131AG-A-K9
AP Image......................................... C1130-K9W8-M
IOS Version...................................... 12.4(23c)JA5
Reset Button..................................... Enabled
--More or (q)uit current module or <ctrl-z> to abort
AP Serial Number................................. FTX1230T24F
AP Certificate Type.............................. Manufacture Installed
H-REAP Vlan mode :............................... Enabled
Native ID :..................................... 22
WLAN 2 :........................................ 21
WLAN 4 :........................................ 25
WLAN 3 :........................................ 25
H-REAP Backup Auth Radius Servers :
Static Primary Radius Server.................... Disabled
Static Secondary Radius Server.................. Disabled
Group Primary Radius Server..................... Disabled
Group Secondary Radius Server................... Disabled
AP User Mode..................................... AUTOMATIC
AP User Name..................................... Not Configured
AP Dot1x User Mode............................... Not Configured
AP Dot1x User Name............................... Not Configured
Cisco AP system logging host..................... 255.255.255.255
AP Up Time....................................... 48 days, 20 h 24 m 41 s
AP LWAPP Up Time................................. 40 days, 13 h 58 m 18 s
Join Date and Time............................... Tue Sep 24 21:24:35 2013
Join Taken Time.................................. 0 days, 00 h 10 m 48 s
--More or (q)uit current module or <ctrl-z> to abort
Attributes for Slot 0
Radio Type................................... RADIO_TYPE_80211b
Administrative State ........................ ADMIN_ENABLED
Operation State ............................. UP
Radio Role .................................. ACCESS
CellId ...................................... 0
Station Configuration
Configuration ............................. AUTOMATIC
Number Of WLANs ........................... 3
Medium Occupancy Limit .................... 100
CFP Period ................................ 4
CFP MaxDuration ........................... 60
BSSID ..................................... 00:22:55:a5:0c:30
Operation Rate Set
1000 Kilo Bits........................... MANDATORY
2000 Kilo Bits........................... MANDATORY
5500 Kilo Bits........................... MANDATORY
11000 Kilo Bits.......................... MANDATORY
Beacon Period ............................. 100
Fragmentation Threshold ................... 2346
Multi Domain Capability Implemented ....... TRUE
Multi Domain Capability Enabled ........... TRUE
--More or (q)uit current module or <ctrl-z> to abort
Country String ............................ US
Multi Domain Capability
Configuration ............................. AUTOMATIC
First Chan Num ............................ 1
Number Of Channels ........................ 11
MAC Operation Parameters
Configuration ............................. AUTOMATIC
Fragmentation Threshold ................... 2346
Packet Retry Limit ........................ 64
Tx Power
Num Of Supported Power Levels ............. 8
Tx Power Level 1 .......................... 20 dBm
Tx Power Level 2 .......................... 17 dBm
Tx Power Level 3 .......................... 14 dBm
Tx Power Level 4 .......................... 11 dBm
Tx Power Level 5 .......................... 8 dBm
Tx Power Level 6 .......................... 5 dBm
Tx Power Level 7 .......................... 2 dBm
Tx Power Level 8 .......................... -1 dBm
Tx Power Configuration .................... AUTOMATIC
--More or (q)uit current module or <ctrl-z> to abort
Current Tx Power Level .................... 1
Phy DSSS parameters
Configuration ............................. AUTOMATIC
Current Channel ........................... 1
Extension Channel ......................... NONE
Channel Width.............................. 20 Mhz
Allowed Channel List....................... 1,2,3,4,5,6,7,8,9,10,11
Current CCA Mode .......................... 0
ED Threshold .............................. -50
Antenna Type............................... INTERNAL_ANTENNA
Internal Antenna Gain (in .5 dBi units).... 8
Diversity.................................. DIVERSITY_ENABLED
Performance Profile Parameters
Configuration ............................. AUTOMATIC
Interference threshold..................... 10 %
Noise threshold............................ -70 dBm
RF utilization threshold................... 80 %
Data-rate threshold........................ 1000000 bps
Client threshold........................... 12 clients
Coverage SNR threshold..................... 12 dB
Coverage exception level................... 25 %
--More or (q)uit current module or <ctrl-z> to abort
Client minimum exception level............. 3 clients
Rogue Containment Information
Containment Count............................ 0
CleanAir Management Information
CleanAir Capable......................... No
Cisco AP Identifier.............................. 3
Cisco AP Name.................................... KNOWLOGY_DC02
Country code..................................... US - United States
Regulatory Domain allowed by Country............. 802.11bg:-A 802.11a:-A
AP Country code.................................. US - United States
AP Regulatory Domain............................. -A
Switch Port Number .............................. 1
MAC Address...................................... 00:21:d8:36:c5:c4
IP Address Configuration......................... DHCP
IP Address....................................... 10.22.1.101
Gateway IP Addr.................................. 10.22.1.1
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Disabled
Ssh State........................................ Disabled
Cisco AP Location................................ KNOWLOGY_DC_ServerRoom
--More or (q)uit current module or <ctrl-z> to abort
Cisco AP Group Name.............................. Knowlogy_DC
Primary Cisco Switch Name........................
Primary Cisco Switch IP Address.................. Not Configured
Secondary Cisco Switch Name......................
Secondary Cisco Switch IP Address................ Not Configured
Tertiary Cisco Switch Name.......................
Tertiary Cisco Switch IP Address................. Not Configured
Administrative State ............................ ADMIN_ENABLED
Operation State ................................. REGISTERED
Mirroring Mode .................................. Disabled
AP Mode ......................................... H-Reap
Public Safety ................................... Disabled
AP SubMode ...................................... Not Configured
Remote AP Debug ................................. Disabled
Logging trap severity level ..................... informational
Logging syslog facility ......................... kern
S/W Version .................................... 7.0.235.0
Boot Version ................................... 12.3.8.0
Mini IOS Version ................................ 3.0.51.0
Stats Reporting Period .......................... 180
LED State........................................ Enabled
PoE Pre-Standard Switch.......................... Enabled
PoE Power Injector MAC Addr...................... Disabled
--More or (q)uit current module or <ctrl-z> to abort
Power Type/Mode.................................. Power injector / Normal mode
Number Of Slots.................................. 2
AP Model......................................... AIR-LAP1131AG-A-K9
AP Image......................................... C1130-K9W8-M
IOS Version...................................... 12.4(23c)JA5
Reset Button..................................... Enabled
AP Serial Number................................. FTX1230T24F
AP Certificate Type.............................. Manufacture Installed
H-REAP Vlan mode :............................... Enabled
Native ID :..................................... 22
WLAN 2 :........................................ 21
WLAN 4 :........................................ 25
WLAN 3 :........................................ 25
H-REAP Backup Auth Radius Servers :
Static Primary Radius Server.................... Disabled
Static Secondary Radius Server.................. Disabled
Group Primary Radius Server..................... Disabled
Group Secondary Radius Server................... Disabled
AP User Mode..................................... AUTOMATIC
AP User Name..................................... Not Configured
AP Dot1x User Mode............................... Not Configured
AP Dot1x User Name............................... Not Configured
Cisco AP system logging host..................... 255.255.255.255
--More or (q)uit current module or <ctrl-z> to abort
AP Up Time....................................... 48 days, 20 h 24 m 41 s
AP LWAPP Up Time................................. 40 days, 13 h 58 m 18 s
Join Date and Time............................... Tue Sep 24 21:24:35 2013
Join Taken Time.................................. 0 days, 00 h 10 m 48 s
Attributes for Slot 1
Radio Type................................... RADIO_TYPE_80211a
Radio Subband................................ RADIO_SUBBAND_ALL
Administrative State ........................ ADMIN_ENABLED
Operation State ............................. UP
Radio Role .................................. ACCESS
CellId ...................................... 0
Station Configuration
Configuration ............................. AUTOMATIC
Number Of WLANs ........................... 3
Medium Occupancy Limit .................... 100
CFP Period ................................ 4
CFP MaxDuration ........................... 60
BSSID ..................................... 00:22:55:a5:0c:30
Operation Rate Set
6000 Kilo Bits........................... MANDATORY
--More or (q)uit current module or <ctrl-z> to abort
9000 Kilo Bits........................... SUPPORTED
12000 Kilo Bits.......................... MANDATORY
18000 Kilo Bits.......................... SUPPORTED
24000 Kilo Bits.......................... MANDATORY
36000 Kilo Bits.......................... SUPPORTED
48000 Kilo Bits.......................... SUPPORTED
54000 Kilo Bits.......................... SUPPORTED
Beacon Period ............................. 100
Fragmentation Threshold ................... 2346
Multi Domain Capability Implemented ....... TRUE
Multi Domain Capability Enabled ........... TRUE
Country String ............................ US
Multi Domain Capability
Configuration ............................. AUTOMATIC
First Chan Num ............................ 36
Number Of Channels ........................ 20
MAC Operation Parameters
Configuration ............................. AUTOMATIC
Fragmentation Threshold ................... 2346
Packet Retry Limit ........................ 64
--More or (q)uit current module or <ctrl-z> to abort
Tx Power
Num Of Supported Power Levels ............. 7
Tx Power Level 1 .......................... 15 dBm
Tx Power Level 2 .......................... 14 dBm
Tx Power Level 3 .......................... 11 dBm
Tx Power Level 4 .......................... 8 dBm
Tx Power Level 5 .......................... 5 dBm
Tx Power Level 6 .......................... 2 dBm
Tx Power Level 7 .......................... -1 dBm
Tx Power Configuration .................... AUTOMATIC
Current Tx Power Level .................... 1
Phy OFDM parameters
Configuration ............................. AUTOMATIC
Current Channel ........................... 36
Extension Channel ......................... NONE
Channel Width.............................. 20 Mhz
Allowed Channel List....................... 36,40,44,48,52,56,60,64,100,
......................................... 104,108,112,116,132,136,140,
......................................... 149,153,157,161
TI Threshold .............................. -50
Antenna Type............................... INTERNAL_ANTENNA
Internal Antenna Gain (in .5 dBi units).... 8
--More or (q)uit current module or <ctrl-z> to abort
Diversity.................................. DIVERSITY_ENABLED
Performance Profile Parameters
Configuration ............................. AUTOMATIC
Interference threshold..................... 10 %
Noise threshold............................ -70 dBm
RF utilization threshold................... 80 %
Data-rate threshold........................ 1000000 bps
Client threshold........................... 12 clients
Coverage SNR threshold..................... 16 dB
Coverage exception level................... 25 %
Client minimum exception level............. 3 clients
Rogue Containment Information
Containment Count............................ 0
CleanAir Management Information
CleanAir Capable......................... No
Press Enter to continue or <ctrl-z> to abort
Cisco AP Identifier.............................. 5
Cisco AP Name.................................... KN1252_AP01
Country code..................................... US - United States
Regulatory Domain allowed by Country............. 802.11bg:-A 802.11a:-A
AP Country code.................................. US - United States
AP Regulatory Domain............................. -A
Switch Port Number .............................. 1
MAC Address...................................... 00:21:d8:ef:06:50
IP Address Configuration......................... DHCP
IP Address....................................... 10.125.18.101
IP NetMask....................................... 255.255.255.0
Gateway IP Addr.................................. 10.125.18.1
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Enabled
Ssh State........................................ Disabled
Cisco AP Location................................ Knowlogy Conference Rooms Side
Cisco AP Group Name.............................. OGR
Primary Cisco Switch Name........................
Primary Cisco Switch IP Address.................. Not Configured
Secondary Cisco Switch Name......................
Secondary Cisco Switch IP Address................ Not Configured
--More or (q)uit current module or <ctrl-z> to abort
Tertiary Cisco Switch Name.......................
Tertiary Cisco Switch IP Address................. Not Configured
Administrative State ............................ ADMIN_ENABLED
Operation State ................................. REGISTERED
Mirroring Mode .................................. Disabled
AP Mode ......................................... H-Reap
Public Safety ................................... Disabled
AP SubMode ...................................... Not Configured
Remote AP Debug ................................. Disabled
Logging trap severity level ..................... informational
Logging syslog facility ......................... kern
S/W Version .................................... 7.0.235.0
Boot Version ................................... 12.4.10.0
Mini IOS Version ................................ 3.0.51.0
Stats Reporting Period .......................... 180
LED State........................................ Enabled
PoE Pre-Standard Switch.......................... Disabled
PoE Power Injector MAC Addr...................... Disabled
Power Type/Mode.................................. PoE/Medium Power (15.4 W)
Number Of Slots.................................. 2
AP Model......................................... AIR-LAP1252AG-A-K9
AP Image......................................... C1250-K9W8-M
IOS Version...................................... 12.4(23c)JA5
--More or (q)uit current module or <ctrl-z> to abort
Reset Button..................................... Enabled
AP Serial Number................................. FTX122990L5
AP Certificate Type.............................. Manufacture Installed
H-REAP Vlan mode :............................... Enabled
Native ID :..................................... 118
WLAN 1 :........................................ 111
WLAN 2 :........................................ 111
WLAN 4 :........................................ 112
WLAN 6 :........................................ 112
WLAN 7 :........................................ 111
WLAN 9 :........................................ 112
WLAN 8 :........................................ 112
H-REAP Backup Auth Radius Servers :
Static Primary Radius Server.................... Disabled
Static Secondary Radius Server.................. Disabled
Group Primary Radius Server..................... Disabled
Group Secondary Radius Server................... Disabled
AP User Mode..................................... AUTOMATIC
AP User Name..................................... Not Configured
AP Dot1x User Mode............................... Not Configured
AP Dot1x User Name............................... Not Configured
Cisco AP system logging host..................... 255.255.255.255
AP Up Time....................................... 26 days, 00 h 24 m 39 s
--More or (q)uit current module or <ctrl-z> to abort
AP LWAPP Up Time................................. 26 days, 00 h 23 m 48 s
Join Date and Time............................... Wed Oct 9 10:59:07 2013
Join Taken Time.................................. 0 days, 00 h 00 m 50 s
Attributes for Slot 0
Radio Type................................... RADIO_TYPE_80211n-2.4
Administrative State ........................ ADMIN_ENABLED
Operation State ............................. UP
Radio Role .................................. ACCESS
CellId ...................................... 0
Station Configuration
Configuration ............................. AUTOMATIC
Number Of WLANs ........................... 7
Medium Occupancy Limit .................... 100
CFP Period ................................ 4
CFP MaxDuration ........................... 60
BSSID ..................................... 00:22:55:df:a5:90
Operation Rate Set
1000 Kilo Bits........................... MANDATORY
2000 Kilo Bits........................... MANDATORY
5500 Kilo Bits........................... MANDATORY
--More or (q)uit current module or <ctrl-z> to abort
11000 Kilo Bits.......................... MANDATORY
MCS Set
MCS 0.................................... SUPPORTED
MCS 1.................................... SUPPORTED
MCS 2.................................... SUPPORTED
MCS 3.................................... SUPPORTED
MCS 4.................................... SUPPORTED
MCS 5.................................... SUPPORTED
MCS 6.................................... SUPPORTED
MCS 7.................................... SUPPORTED
MCS 8.................................... SUPPORTED
MCS 9.................................... SUPPORTED
MCS 10................................... SUPPORTED
MCS 11................................... SUPPORTED
MCS 12................................... SUPPORTED
MCS 13................................... SUPPORTED
MCS 14................................... SUPPORTED
MCS 15................................... SUPPORTED
Beacon Period ............................. 100
Fragmentation Threshold ................... 2346
Multi Domain Capability Implemented ....... TRUE
Multi Domain Capability Enabled ........... TRUE
Country String ............................ US
--More or (q)uit current module or <ctrl-z> to abort
Multi Domain Capability
Configuration ............................. AUTOMATIC
First Chan Num ............................ 1
Number Of Channels ........................ 11
MAC Operation Parameters
Configuration ............................. AUTOMATIC
Fragmentation Threshold ................... 2346
Packet Retry Limit ........................ 64
Tx Power
Num Of Supported Power Levels ............. 8
Tx Power Level 1 .......................... 20 dBm
Tx Power Level 2 .......................... 17 dBm
Tx Power Level 3 .......................... 14 dBm
Tx Power Level 4 ..........Well you need to understand the behavior of h-reap or what it's called now, FlexConnect. In this mode, the clients are still remembers on the WLC until the session timer/idle timer expires. So switching between SSID's in h-reap will not be the same when switching when the AP's are in local mode.
Take a look at the client when connected in FlexConnect in the WLC GUI monitor tab. Thus will show you what ssid and vlan the client is on. Now switch to a different ssid and compare this. It's probably the same because the client has not timed out. Now go back to the other ssid and look again. Now on the WLC, remove or delete the client and then switch to the other ssid at the same time. Or switch SSID's and then remove the client. The client will join the new ssid and in the monitor tab, you should see the info.
There is no need to have clients have multiple SSID's unless your testing. Devices should only have one ssid profile configured to eliminate any connectivity issues from the device wanting to switch SSID's.
Sent from Cisco Technical Support iPhone App -
Generate one time authentication for Guest on Cisco WLC
Hi All
Sorry for my question, because I just started to work with Cisco WLC.
I have created some WLAN for local users with authentication by 802.1x + Radius by certificate.
For Guest I used PSK with MAC-filtering.
But I see that is not comfortable for Guests, each time they come and want to access our wireless, we have to come and get their MAC.
I checked on Internet and find that the wireless solution for Hotel, Resorts are very easy.
I also googled and see that Cisco WLC support Lobby Ambassador to generate Guest username/password. But as I checked, this username/password might only use with Web-Auth, this method is not comfortable for Guest who don't know they have to go to Web-Auth to do authentication (e.g: when they only get pop3 email, or vpn, ... not use browsers)
Could I use this method (or another method) for creating one time Guest wireless username/password or Guest PSK that can be used for authentication when Guests click to Wireless-SSID name only (no need to open web browser to do Web-Auth).
Regards
HaiHi Choudhary
Thank you much for your information
Could I reconfirm about my concern.
With Cisco WLC, I can use WebAuth with Guest user only
If I want to use Guest user for authentication when guests connect to SSID (not by WebAuth, I means use Layer 2 security only, not Layer 3), I will have to use additional Radius Server.
And if I understand right, could you please recommend me software based Radius Server with support generate one time username/password for Guest, because I checked IAS/NPS on windows server may not have this function (ISE is not appropriate for us at this time, due to high expense)
Regards
Hai -
Cisco WLC 2500 - 802.1x with Vasco Radius SMS OTP
Hello folks,
I have what seems to be a complex implementation with many things that need to be done on a customers network and I wanted to be pointed in the right direction.
The current scenario is such, the customer has a Cisco WLC 2500 device that has 3 access points(these are in the same AP group) connected to it. There is one SSID that I will call PRODUCTION here that some domain users use to connect to the local network. The customer has requested to have a GUEST SSID added to the WLC where guest users will connect to and recieve a SMS OTP for authentication.
Correct me if I am wrong, but I will obviously need to segment the SSIDs to have them running on different subnets to ensure that guest users do not have access to the production network once they authenticate. In order to do this I will need to configure Dynamic VLAN assignment for the Cisco WLC and connect it to a 802.1x port on the switch.
Now what is not clear is I am not interested in authenticating the users that connect via "Production SSID" and want to bypass authentication for those users and have them assigned to the default vlan (or maybe perhaps have them authenticate via LDAP on the AD), however I want to force the "GUEST" SSID users to authenticate so that they may recieve an SMS OTP (reason for this is to force guests to register their phone numbers to use the internet so that Illegal activity may be tracked).
1)So would it be possible to bypass authentication(or authenticate them via LDAP) for the PRODUCTION SSID as only domain users would know the SSID password to log on and have them by default assigned to the production subnet (default vlan) but force the GUEST SSID users to another VLAN via 802.1x sms otp?
2)*Important* Another issue that is not clear is will I be able to directly configure AAA Radius settings on the Cisco WLC to directly authenticate with the VASCO Radius OTP and recieve a challenge-response(required for OTP) during authentication? As I have seen from Ciscos Dynamic VLAN assignment docuementation (http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml) additional IETF Radius Perimeters are used such as Tunnel-Private-Group-ID etc are used which I can't seem to configure on the Vasco.
I do beileve this is a great project in helping me understand the INs and OUTs of CISCO WLC as well as Wireless NAC, If anyone could enlighten me and point me in the right direction I would be forever in debt. Much appreciated.
Best Regards
Sinan Barghouthi - JNCIA-FWV , JNCIA-IDP , CCA-NS , TCSM-8.0On your WLAN you can enable AES and TKIP. Just know that some clients mau have issue when they see both TKIP and AES. Ive had pretty good success with this in the past. Dont forget, you also need to enable WMM allowed to get N rates.
But you will need to configure AES on the client as well to support N rates.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection." -
Called-Station-ID attribute and Cisco WLC code 7.4
Hello
I have 2 WLCs configured with 2 SSIDs (one is [WPA2][Auth(802.1X)] and the other is Web-Auth). One of the WLCs is remote and its WLANs are configured with mobility anchors pointing to the other WLC. Both WLCs are configured with Called-Station-ID set to AP Mac Address:SSID. I use this attribute on ACS to authenticate/authorize users based on what SSID they connect to.
This worked fine on WLC code 7.0 but on upgrading to 7.4 I started having some issues:
clients on the remote WLC can still authenticate on the [WPA2][Auth(802.1X)] SSID as the Called-Station-ID attribute is still AP Mac Address:SSID
clients on the remote WLC cannot authenticate on the Web-Auth SSID as the Called-Station-ID attribute now appears to be the Mac Address of the WLC anchor controller
WLC models are 5508 and current code is 7.4.110.0 (APs are AIR-LAP1142N-E-K9). Can anyone tell me why I'm seeing this behaviour on the Web-Auth SSID on the remote WLC?
Thanks
AndySince you have two AAA devices that's sending info, you can have your policy for the guest specifying the guest WLC. The SSID policy for the foreign WLC is only really needed if you have multiple 802.1x authentication from the foreign WLC and that's when you can use the regex to defiance the SSID per AD Group.
Look at a successful authentication from one of the guest users. Look at the detailed log and then in that log, you will see all the attributes being sent that the radius can send back to the WLC. You can use any of those attributes in your policies.
Called-Station-ID might not be sent like what your use to, because the foreign WLC has the access point the guest user associates to and tunnels it back to the anchor WLC. So this attribute might not be available. Things do change with code versions so you might just have to adjust your policies. I haven't played around with 7.0.x code with guest anchor and radius in a while, but I have in the past upgraded radius or the WLC and had to tweak my radius policies.
Sent from Cisco Technical Support iPhone App -
Master Secondary Cisco WLC environment
I've inherited 2 Cisco wireless WLC's recently.. we have what we consider our Master Cisco WLC 5508 controller, and a 2504 WLC at our HQ. Bottom line, these WLC's are set as individual master controllers and their respective AP's connect to each of their respective controllers. The difference we have is the APs and locations which connect to our master wlc at our data center, guest access works fine. The AP's that connect to our WLC 2504, do not have an Internet POP so today, employee wireless access is working, but I cannot get them guest access as it is not connected in any way to the master in our data center. I've come over from a Aruba environment where we have a master/local environment and it worked perfectly. Is this design in a Cisco WLC environment possible ? Thanks, Dan
You have two different model controllers and there is no master local. In the Cisco side you set the primary, secondary and or tertiary controller. What you need to do is to make sure that the VIP is the same and that each controller is configured in the others mobility group.
http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/107188-mobility-groups-faq.html
Then you can anchor the SSID to the WLC in the data center. That's how you can get this to work.
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob41dg/emob41dg-wrapper/ch10GuAc.html
Please rate helpful post and Cisco Support Community will donate to Kiva
Scotty -
CISCO WLC How to Block a Client
Hi,
We are using CISCO WLC and broadcasting a number of SSIDs.
What we want to do is to block some spesific users to a spesific SSIDs while letting to connct to another SSID.
Dows anyone have any idea?You can use radius 802.1x authentication or you can setup Mac filtering on the WLC and specify what WLAN's they can connect to. They will only be able to connect to one SSID though.
This setup you have is not normal as you want to have a device only connect to one ssid for simplicity and for user experience. Having the be able to connect to multiple
SSID's can lead to connectivity issues on the client side, since the device might switch back and fourth to the different SSID's. Also the more SSID's you have the more noise in the environment. Typically 3-4 max SSID's is suggested.
Sent from Cisco Technical Support iPhone App -
Hi,
I installed Cisco WLC ( 2504 - 7.2) and configured 2 SSID. Guest with webauth and a corp with 802.1x (IAS). Users in corp are complaining that some times the connection time outs (about 4 seconds) and returns.
What could be happening?
How do I start a troubleshooting in this situation?
Thanks in advance
Sent from Cisco Technical Support iPad AppThe corp SSID. Under the adavnce tab do you have session timeout enabled ?
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection." -
Hi friends,
I am planning to have a wireless environment for a corporate company. I would like to have a Cisco wireless LAN controller 2100 series and 15 numbers of cisco aironet 1142 n access point. Since wireless is gonna be a very important medium for the premises, I am planning to have high availability for the 2100 series WLC.
With this scenario I am having the following of queries?
1. Does high availability is supported with WLC 2100 series or need to go for an hihger end WLC's? It would be great if I am guided with some documents on this?
2. My wired switching infrastructure at the core is running with GLBP. Can I connect the both WLC in each switch in an dual home architecture?
3. Is there any pre-requistes for doing the high availability for the WLc's?
4. Yet another company that is close to me do have the same architecture for wireless infrastructure, except that they have cisco WLC as 5508 and Cisco aironet 1142n access point. All the end points NIC adapters that they have support a/b/g standard. But with an n series they continously report low signal strength, the reason for this still unknown?
But the tech documents of 'n' series access point claims that they support, 300Mbps within 33 feet and 200 Mbps within 66 feet.
They are having 2 nos of Cisco 1142n access point for every 30 feet but still they are facing low signal strength. Also there workspace are all cubicles and without any interference.
It would be great if I am guided on this issue also?
Regards,
Karthik Anbumani/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin-top:0cm;
mso-para-margin-right:0cm;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0cm;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
Hi Karthik,
You can build this HA solution based on the 2100 controllers. And if you want HA for 15 access points you need two 2125 controllers. But I will suggest that you consider the 5508 controller since that is a more future proof hardware and will give you more features that you might want to use such as Office Extend.
Right now there is a bundle available for one 5508 with 10 x AIR-LAP1142 and the GPL price for that bundle is USD 31,424. And you should consider if you need the HA solution or if you are covered by the onsite support. In the product list below I have used the regulatory domain E and power cable for Europe. Make sure that you get this correct for your country. This is a limited offer ending August 1st 2010. You also need the additional 5 access points or more if you want Office Extend.
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin-top:0cm;
mso-para-margin-right:0cm;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0cm;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
Also consider that the 2100 series only have FastEthernet interfaces so you will not be able to utilize the full 11n throughput.
1 x 5508 with 10 x 1142:
Product
Description
Quantity
Price
Lead Time
AIR-CT25-1140E10
802.11a/g/n ESTI Cfg5508-25 10AP WCS Demo Promo ends 8/1/10
1
24,595.00
14 Days
AIR-CT5508-25-K9Z
5508 Series Controller for up to 25 APs
1
0.00
14 Days
AIR-PWR-5500-AC
Cisco 5500 Series Wireless Controller Redundant Power Supply
1
1,495.00
14 Days
SWC5500K9-70
Cisco Unified Wireless Controller SW Release 7.0
1
0.00
14 Days
AIR-PWR-CORD-CE
AIR Line Cord Central Europe
1
0.00
14 Days
AIR-LAP1142N-E-K9Z
Manufacturing Level PID - AIR-LAP1142N-E-K9
10
0.00
14 Days
S114RK9W-12421JA
Cisco 1140 Series IOS WIRELESS LAN LWAPP RECOVERY
10
0.00
LIC-CT5508-25
25 AP Base license
1
0.00
14 Days
LIC-CT5508-BASE
Base Software License
1
0.00
14 Days
WCS-CD-K9Z
CD With Windows And Linux. No License.
1
0.00
14 Days
CON-OSP-CT25E10
ONSITE 24X7X4 802.11a/g/n ESTI Cfg: 5508-25; 10APs;
1
0.00
CON-OSP-CT0825
ONSITE 24X7X4 Cisco 5508 Series
1
2,944.00
CON-OSP-1142EK9Z
ONSITE 24X7X4 802.11a/g/n Fixed AP
10
2,390.00
Total LeadTime: 14 Days Total Price: USD 31,424.00
Total LeadTime: 14 Days Total Price: USD 31,424.00
2 x 2125 with 10 x 1142:
Product
Description
Quantity
Price
Lead Time
AIR-WLC2125-K9
2100 Series WLAN Controller for up to 25 Lightweight APs
1
8,995.00
21-35 Days
CAB-AC-C5-EUR
AC Power Cord, Type C5, Europe
1
0.00
14 Days
SWLC2100K9-70
Cisco Unified Wireless Controller SW Release 7.0
1
0.00
14 Days
ASA5505-PWR-AC
ASA 5505 AC Power Supply Adapter
1
0.00
14 Days
SSC-BLANK
ASA 5505 SSC Blank Slot Cover
1
0.00
14 Days
CON-OSP-AC2125K9
ONSITE 24X7X4 WLAN Controller for for Retail
1
1,656.00
Total LeadTime: 21 - 35 Days Total Price: USD 10,651.00
Product
Description
Quantity
Price
Lead Time
AIR-WLC2125-K9
2100 Series WLAN Controller for up to 25 Lightweight APs
1
8,995.00
21-35 Days
CAB-AC-C5-EUR
AC Power Cord, Type C5, Europe
1
0.00
14 Days
SWLC2100K9-70
Cisco Unified Wireless Controller SW Release 7.0
1
0.00
14 Days
ASA5505-PWR-AC
ASA 5505 AC Power Supply Adapter
1
0.00
14 Days
SSC-BLANK
ASA 5505 SSC Blank Slot Cover
1
0.00
14 Days
CON-OSP-AC2125K9
ONSITE 24X7X4 WLAN Controller for for Retail
1
1,656.00
Total LeadTime: 21 - 35 Days Total Price: USD 10,651.00
Product
Description
Quantity
Price
Lead Time
AIR-LAP1142-EK9-PR
LAP1142 Controller Based E Reg Domain
1
9,950.00
14 Days
S114RK9W-12421JA
Cisco 1140 Series IOS WIRELESS LAN LWAPP RECOVERY
1
0.00
AIR-LAP1142-EBULK
BOM LEVEL PID FOR BULK PACK
10
0.00
14 Days
CON-OSP-LAP1142E
ONSITE 24X7X4 802.11a/g/n Fixed Unified AP; ETSI
10
2,390.00
CON-OSP-L1142E0P
ONSITE 24X7X4 802.11a/g/n LWAPP AP EU Cnfg-Promo Pk
1
0.00
Total LeadTime: 14 Days Total Price: USD 12,340.00
Total LeadTime: 21 - 35 Days Total Price: USD 33,542.00
Regards,
André -
Certificate based authentication with Cisco WLC and Juniper IC
Hi
I have a cisco WLC 4400 and Juniper IC which works as the external Radius server.
I want the wireless clients to be authenticated using certificates. I know the Juniper IC can understand certificates.
My question is can cisco WLC understand that the information being presented to it by the client is not username/pwd but a user certificate.
i have also looked at this article :
http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100590-ldap-eapfast-config.html
What i don't understand here is the need of WLC authenticating the user with his credentials by LDAP when it has authenticated the user cert.
All your help is appreciated.Hi,
Since you use an external radius server you don't have to worry for this.
The only config that you need to do on WLC is to define the radius server under Security-AAA-Radius-Authentication and on your WLAN-Security-AAA.
The doc you refer is only for Local Radius on WLC.
Hope this helps
Regards,
Christos -
Cisco WLC 5508 not sending SNMP Traps
Hello Everyone.
I'm having a weird error on our WLC environment. We have an HA with two cisco WLC 5508 and i cannot get SNMP Traps working on a Windows PC running Kiwi Syslog server (free ed.).
I can receive correctly Syslog messages, but not traps.
I Tried also to send SNMP Traps from WLC to a different PC using Linux with snmptrapd and it works fine.
I tried then to send from my Linux box a snmp trap to my Windows PC, and it works fine, but i still cannot receive anything from WLC.
Using Wireshark to detect traffic, i cannot see any packet on udp port 162.
I cannot figure out any problem with my scenario, but i can see the following errors on syslog:
*rmgrTrasport: Mar 30 16:08:22.602: #RMGR-3-INVALID_PING_RESPONSE: rmgr_utils.c:270 Ping response from <my_windows_PC> is invalid. Ip address do not match.
My WLC Version is 7.6.130.0
Thank you for your support.I have gone through your query and found the following fruitful links ,please let me know if it helps and mark it correct answer if it is.
https://www.manageengine.com/network-monitoring/help/userguide/processing_traps.html
https://rscciew.wordpress.com/2014/10/12/snmp-configuration-on-wlc/
Thanks :) -
Hi Fellows,
I wanna know if 5508 Cisco WLC support LACP or not. Actually i work in a project where i must
connect WLC 5508 in Enterasys Switches with Link Aggregation.
Enterasys Switches support LACP 802.3ad but when i learn Cisco Books i see that WLC 5508
doesn't support LACP.
Can you help please ?
Sincerely
JosephHi,
Please take a look into the config guide:
http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mint.html#wp1277652.
You can read there:
Once the EtherChannel is configured as on at both ends of the link, it does not matter if the Catalyst switch is configured for either Link Aggregation Control Protocol (LACP) or Cisco proprietary Port Aggregation Protocol (PAgP) because no channel negotiation is done between the controller and the switch. Additionally, LACP and PAgP are not supported on the controller.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
Backing up config on Cisco WLC 2504
I need to upgrade the software on my controller but first need to take a backup of the config.
I log into the GUI of the controller and then go to Commands / Upload File, I then select my options:
File Type: Configuration
Transfer Mode: TFTP
IP: 10.x.x.x
File Path: C:\Cisco\WLC
File Name: ciscowlc.cfg
Click Upload
After about a minute it receive the following error:
% Error: Config file transfer failed - Error from server: The specified operation is not supported.
I can't seem to find any information on this error.
Any help would be greatly appreciated.
Thanks,
JamesWhat TFTP server are you using... I use 3CDeamon and I also select the folder from the TFTP server so my path would just be ./
Make sure that the firewall on the tftp server is disabled and also make sure your doing the tftp to a wired machine and not a wireless machine. TFTP and FTP is not allowed when your associated to an AP that is joined to that WLC.
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered" -
Hellp on Nokia E61i associating with Cisco WLC 4402
I met some problem with associate Nokia's dual mode mobile phone E61i with Cisco WLC 4402, hope someone can help me on it:
I setup a VOICE WLAN in 4402(v5.0.148), Layer2 security is WPA1+WPA2, Key management using 802.1x, WPA1 policy enable both TKIP and AES, Radius server using ACS engine(v4.1.1.23)(enable PEAP-MSCHAPv2);
I can use my laptop to join this WLAN(my laptop configure with PEAP/MSCHAPv2, WPA-TKIP, not validate server certificate), but can't let E61i join it, each time it will remind me âunable to connect, WPA authenticate failed).
In E61i, I select WPA/WPA2 as WLAN security mode, enable EAP-PEAP, under EAP-PEAP, I enable EAP-MSCHAPv2; however under Cipher, there's a lot of options such as âRSA,3EDS,SHAâ, âRSA,AES,SHAâ, but there's no TKIP, I have tried to enable all of them and tried only enable those items which include AES, but I failed each time with the same reminder âunable to connect, WPA authenticate failedâ. I checked ACS's failed log, there's no record; In 4402, there also have no record.
If I change the security to open or static WEP for VOICE WLAN, then the E61i can connect to the WLAN.
I think the problem maybe relate to encryption or certificate, right now I just do the test in lab, not in customer's real environment, so I use ACS to generate a self signed certificate and installed it in ACS.
Pls. help to point me what I need to adjust to make it work. Thanks!Hello,
CCKM Key Management mode on Nokia E61i phone can be used
against Cisco LWAPP AP's with TKIP encryption
Nokia E61i (and other E-series WLAN enabled phones) are supporting CCKM key management method with both dynamic WEP and TKIP ciphers.
On the phone configuration, 802.1X security mode needs to be in use in order to enable CCKM support. WPA/WPA2 security mode on the phone is dedicated to standards based WPA and WPA2 methods and it does not allow usage of proprietary CCKM key management method.
Phone's 802.1X security mode does not mean that phone would only support dynamic WEP encryption method in this mode although in contexts term "802.1X" may be attached to pure dynamic WEP (legacy / pre WPA era)security methods.
 802.1X security mode can be seen on Nokia Eseries phones as sort of an "everything with EAP based authentication is allowed" mode, meaning that following key management and cipher configurations are supported:
- WPA-Enterprise = WPA Key Management (EAP based authentication) with TKIP encryption
- WPA2-Enterprise = WPA2 Key Management (EAP based authentication) with AES encryption
- Mixed WPA/WPA2-Enterprise = I.e. WPA/WPA2 Mode Migration WPA2 Key Management (EAP based authentication) with AES (for unicast data) and TKIP (for multicast data) ciphers
- 802.1X dynamic WEP = legacy (pre-WPA era) 802.1XÂ based dynamic WEP (EAP based authentication with dynamic WEP encryption)
Supported:
- CCKM with WEP = CCKM Key Management (EAP based authentication) with dynamic WEP encryption
- CCKM with TKIP = CCKM Key Management (EAP based authentication) with TKIP encryption
Not supported:
- CCKM with AES = CCKM Key Management (EAP based authentication) with AES encryption
Please note that CCKM-AES mode (CCKM Key Management with AES cipher) is not working properly due to some incompatibilities between Cisco and Nokia implementations thus it must not be listed as a supported combination on the current Nokia E-series devices. We are also seeing CCKM-Fast
Re-authentication failures with Cisco autonomous AP's when AES encryption is used although initial authentication to autonomous AP's is successful. Nokia is currently working with Cisco to get CCKM-AES based authentications and roaming working properly with both LWAPP and autonomous Cisco AP's.
 Also note that Nokia E-Series does not support Cisco proprietary CKIP/CMIC encryption/data integrity methods. CKIP/CMIC is supported at least by Cisco autonomous AP's and it seems to be available also
at least on LWAPP AP version 4.1.171.0.
 CCKM on E-Series devices has been tested against Cisco LWAPP (ver. 4.1.171.0) and it works when TKIP encryption is in use (WPA Policy + TKIP encryption in Cisco LWAPP configuration terms).
In practice this means Cisco LWAPP is configured in a following manner: WLAN -> Edit -> Security->Â
Layer 2 Security = WPA+WPA2
WPA+WPA2 Parameters:
-WPA Policy = enabled
-WPA Encryption = TKIP enabled, AES disabled
-WPA2 policy = disabled
-Auth.Key Mgmt = CCKM
Br,
-Pasi-
Maybe you are looking for
-
I Need Help ID-ing My Stolen Macbook Pro
Hello, my MacBook Pro 13" was stolen, it has Euro Keyboard Layout, Thats not common in Jamaica. Yesterday i saw a MacBook Pro at a Pawn Shop Fitting The Description of mine. How can i know for sure that its mine? i don't have the receipt, i dont know
-
Hi i am trying to figure out how to make a drop down menu on the business catalyst admin console My menu content holder code is <ul> <li> <a href="/">Home</a> </li> <li> <a href="/clicker.html">Clicker</a> </li> <li> <
-
I get an "unable to connect" message yet I can connect and use Internet Explorer with no problem. I tried updating to Firefox4 and still get the same message. What do I do?
-
Hi, I have acquired some data(Magnitude versus frequency), I want to just select the points which are in specific range(their frequency.....X-axis), for example I want to filter the signal only for the points which are between 20Hz and 30Hz. Does any
-
Group selection in sub-window... e.g. to move
A page window contain three sub-windows, I delete two sub-windows and want to move the middle one to the top of the page... (reflow) this sub-window contains 20 or 30 objects, How do I select the sub-window and it's contents without selecting the pag