Possible with WLC 4402

Wanted to know if the 4402 would fit our environment till we move to a different means of authentication at our school. I already have the 4402 for the new method but we are not ready to deploy that as yet.
Currently the wireless network we use has a VPN concentrator at the head of the network. We use standalone APs that broadcast an open SSID. Users attach to the SSID and get a private IP. They authenticate with a VPN client. Once authenticated they are given a public IP address.
I would like to be able to place the 4402 and its 1131 APs on this network and have it work with the VPN method we use now. What I don't know: will I be able to configure the 4402 to handle the private-then-public exchange of IP addresses that the clients pass through as they authenticate? I have no control over the VPN and the DHCP servers. Everything is untagged on this network and there are no VLANs. Would I need to create interfaces for the private and public subnets that the clients use? The 4402 is on another subnet along with the AP. Since the network is untagged I might need a separate port for the private and public subnets. The 4402 would then not have enough ports for this to work, or am I not thinking correctly?
Craig

I found the VPN passthrough setting for the WLAN and enabled it. It appears clients are connecting to the open WLAN. Looks like they are not getting a private IP.
We use an external DHCP server and it isn't in the same subnet as the pool it distributes. Users are to connect to the open WLAN and obtain a private IP from the DHCP server. They then authenticate via the VPN client and obtain a public address. Not sure how to define the interface for the WLAN. Should it be based on the private IP subnet or the public one? Since the DHCP server is not on the clients' private subnet, do I need a routing statement to allow clients to contact the DHCP server?
Craig

Similar Messages

  • Cisco AIR-LAP1041N-E-K9 not working with WLC 4402 version 7.0.116.0

    Hi All,
    I'd appreciate your support for a problem I started facing today. I have a Cisco WLC 4402 running version 7.0.116.0 and it is working great with 25 Cisco 1252 APs. We received 20 new Cisco 1041N APs today and I installed one at our site, but it doesn't work. It worked fine and loaded the image from flash and got the WLC IP address through the DHCP option and started showing the below error:
    *Mar  1 00:00:10.021: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
    *Mar  1 00:00:10.033: *** CRASH_LOG = YES
    *Mar  1 00:00:10.333: Port 1 is not presentSecurity Core found.
    Base Ethernet MAC address: C8:9C:1D:53:57:5E
    *Mar  1 00:00:11.373: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
    *Mar  1 00:00:11.465: %LWAPP-3-CLIENTEVENTLOG: Read and initialized AP event log (contains, 1088 messages)
    *Mar  1 00:00:11.494:  status of voice_diag_test from WLC is false
    *Mar  1 00:00:12.526: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to up
    *Mar  1 00:00:13.594: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
    *Mar  1 00:00:13.647: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, C1040 Software (C1140-K9W8-M), Version 12.4(23c)JA2, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Wed 13-Apr-11 12:50 by prod_rel_team
    *Mar  1 00:00:13.647: %SNMP-5-COLDSTART: SNMP agent on host APc89c.1d53.575e is undergoing a cold start
    *Mar  1 00:08:59.062: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Mar  1 00:08:59.062: bsnInitRcbSlot: slot 1 has NO radio
    *Mar  1 00:08:59.138: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Mar  1 00:08:59.837: %SSH-5-ENABLED: SSH 2.0 has been enabled
    *Mar  1 00:09:00.145: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Mar  1 00:09:09.136: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 172.16.26.81, mask 255.255.255.0, hostname APc89c.1d53.575e
    *Mar  1 00:09:17.912: %PARSER-4-BADCFG: Unexpected end of configuration file.
    *Mar  1 00:09:17.912:  status of voice_diag_test from WLC is false
    *Mar  1 00:09:17.984: Logging LWAPP message to 255.255.255.255.
    *Mar  1 00:09:19.865: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
    *Mar  1 00:09:19.886: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar  1 00:09:20.873: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Mar  1 00:09:20.874: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated
    Translating "CISCO-CAPWAP-CONTROLLER.atheertele.com"...domain server (172.16.40.240)
    *Mar  1 00:09:29.029: %CAPWAP-5-DHCP_OPTION_43: Controller address 172.16.100.102 obtained through DHCP
    *May 25 08:27:02.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:02.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:03.175: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:03.177: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:03.177: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:03.329: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:03.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:03.333: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:03.333: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:03.378: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:03.378: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:03.378: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:03.448:  status of voice_diag_test from WLC is false
    *May 25 08:27:14.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:14.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:15.185: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:15.186: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:15.186: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:15.330: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:15.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:15.334: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:15.334: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:15.379: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:15.379: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:15.379: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:15.450:  status of voice_diag_test from WLC is false
    *May 25 08:27:26.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:26.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:27.182: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:27.183: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:27.184: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:27.329: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:27.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:27.333: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:27.333: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:27.377: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:27.377: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:27.377: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:27.433: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *May 25 08:27:27.446: %PARSER-4-BADCFG: Unexpected end of configuration file.
    *May 25 08:27:27.447:  status of voice_diag_test from WLC is false
    *May 25 08:27:27.448: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *May 25 08:27:27.456: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *May 25 08:27:38.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:38.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:39.183: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:39.184: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:39.184: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:39.326: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:39.329: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:39.329: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:39.330: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:39.375: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:39.375: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:39.375: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:39.446:  status of voice_diag_test from WLC is false
    *May 25 08:27:49.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:49.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:50.179: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:50.180: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:50.180: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:50.323: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:50.326: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:50.326: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:50.326: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:50.370: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:50.370: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:50.370: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:50.425: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *May 25 08:27:50.438: %PARSER-4-BADCFG: Unexpected end of configuration file.
    I searched for the regulatory domain differences between AIR-LAP1041N-E-K9 and AIR-LAP1041N-A-K9 and didn't find any difference that may affect the operation of this AP.
    Just to mention that our configuration in the WLC for regulatory domains is:
    Configured Country Code(s) AR 
    Regulatory Domain  802.11a:  -A
                                 802.11bg: -A
    My question is, should I only include my country in the WLC (IQ) to add the regulatory domain (-E) to solve this problem? Or will changing the country affect the operation of all working APs?
    Appreciate your kind support,
    Wisam Q.

    Hi Ramon,
    Thank you for the reply, but as shown in the below link:
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7.0.html#wp233793
    the WLC in version 7.0.116.0 supports Cisco 1040 series APs.
    Thanks,
    Wisam Q.

  • SNMP traps with WLC 4402

    Currently using WLC 4402 with about a dozen WAPs. I would like to start logging some messages to troubleshoot some association issues. The syslog does not seem adequate for the issues I am having. I noticed the default SNMP traps but it only holds 255 traps. I have tried to set up an SNMP server to get the traps but I get no data, only OID values. I was successful in getting the MIBs for the OIDs but still not all the data that I see on the brief traps screen.

    Hi,
    I have tried it with solarwinds and works fine for me. Talking about the traps. But they are too many.
    The OID is : 1.3.6.1.4.1.14179.1.1.2.4.1.22
    snmp info for polling:
    MIB Value Type: Raw Value
    Format: None
    SNMP Get Type: Get Table
    Polling Type: node
    On the WLC go to Management (top tab).
    Right hand select > SNMP > Traps Control.
    In this menu select which traps need to be logged.
    These traps will be shown on the OID polled.

  • AP 1131ag not able to join with WLC 4402

    In some of my spare time, I've been trying to get this AP to join with this WLC. It's been about two weeks now. I'm not sure what the problem is. I think that there are a few possible issues, but I'm asking the more experienced & knowledgeable support community. I did convert the autonomous AP to a LAP. So here are some outputs:
    AP sh ver
    AP0014.6956.6926#sh ver
    Cisco IOS Software, C1130 Software (C1130-K9W8-M), Version 12.4(25e)JAO3, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Wed 18-Dec-13 20:53 by prod_rel_team
    ROM: Bootstrap program is C1130 boot loader
    BOOTLDR: C1130 Boot Loader (C1130-BOOT-M) Version 12.3(2)JA3, RELEASE SOFTWARE (fc2)
    AP0014.6956.6926 uptime is 2 hours, 11 minutes
    System returned to ROM by power-on
    System image file is "flash:/c1130-k9w8-mx.124-25e.JAO3/c1130-k9w8-mx.124-25e.JAO3"
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    cisco AIR-LAP1131AG-A-K9 (PowerPCElvis) processor (revision A0) with 27638K/5120K bytes of memory.
    Processor board ID FTX0924T1NR
    PowerPCElvis CPU at 262Mhz, revision number 0x0950
    Last reset from power-on
    LWAPP image version 7.3.1.72
    1 FastEthernet interface
    2 802.11 Radio(s)
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 00:14:69:56:69:26
    Part Number                          : 73-8962-07
    PCA Assembly Number                  : 800-24818-06
    PCA Revision Number                  : C0
    PCB Serial Number                    : FOC092238UU
    Top Assembly Part Number             : 800-25544-01
    Top Assembly Serial Number           : FTX0924T1NR
    Top Revision Number                  : A0
    Product/Model Number                 : AIR-AP1131AG-A-K9  
    Configuration register is 0xF
    WLC sh sysinfo
    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 4.2.205.0
    RTOS Version..................................... 4.2.205.0
    Bootloader Version............................... 4.2.205.0
    Build Type....................................... DATA + WPS
    System Name...................................... wlcVA010a03a01
    System Location..................................
    System Contact...................................
    System ObjectID.................................. 1.3.6.1.4.1.14179.1.1.4.3
    IP Address....................................... 10.10.1.1
    System Up Time................................... 4 days 0 hrs 54 mins 42 secs
    Configured Country............................... US  - United States
    Operating Environment............................ Commercial (0 to 40 C)
    Internal Temp Alarm Limits....................... 0 to 65 C
    Internal Temperature............................. +39 C
    State of 802.11b Network......................... Enabled
    State of 802.11a Network......................... Enabled
    Number of WLANs.................................. 1
    3rd Party Access Point Support................... Disabled
    Number of Active Clients......................... 0
    Burned-in MAC Address............................ 00:18:73:35:DC:40
    Crypto Accelerator 1............................. Absent
    Crypto Accelerator 2............................. Absent
    Power Supply 1................................... Absent
    Power Supply 2................................... Present, OK
    WLC debug lwapp errors enable
    Fri Jan 24 16:55:15 2014: 00:13:5f:f8:94:f0 LWAPP Join Request does not include valid certificate in CERTIFICATE_PAYLOAD from AP 00:13:5f:f8:94:f0.
    Fri Jan 24 16:55:15 2014: 00:13:5f:f8:94:f0 Unable to free public key for AP 00:13:5f:f8:94:f0
    Fri Jan 24 16:55:15 2014: 00:13:5f:f8:94:f0 Decoding Join Request failed for AP 00:13:5f:f8:94:f0
    Fri Jan 24 16:55:20 2014: 00:13:5f:f8:94:f0 LWAPP Join Request does not include valid certificate in CERTIFICATE_PAYLOAD from AP 00:13:5f:f8:94:f0.
    Fri Jan 24 16:55:20 2014: 00:13:5f:f8:94:f0 Unable to free public key for AP 00:13:5f:f8:94:f0
    Fri Jan 24 16:55:20 2014: 00:13:5f:f8:94:f0 Decoding Join Request failed for AP 00:13:5f:f8:94:f0
    WLC debug lwapp events enable
    Fri Jan 24 16:52:20 2014: 00:13:5f:f8:94:f0 Received LWAPP DISCOVERY REQUEST from AP 00:13:5f:f8:94:f0 to ff:ff:ff:ff:ff:ff on port '1'
    Fri Jan 24 16:52:20 2014: 00:13:5f:f8:94:f0 Successful transmission of LWAPP Discovery Response to AP 00:13:5f:f8:94:f0 on port 1
    Fri Jan 24 16:52:20 2014: 00:13:5f:f8:94:f0 Received LWAPP DISCOVERY REQUEST from AP 00:13:5f:f8:94:f0 to ff:ff:ff:ff:ff:ff on port '1'
    Fri Jan 24 16:52:20 2014: 00:13:5f:f8:94:f0 Successful transmission of LWAPP Discovery Response to AP 00:13:5f:f8:94:f0 on port 1
    Fri Jan 24 16:52:31 2014: 00:13:5f:f8:94:f0 Received LWAPP JOIN REQUEST from AP 00:13:5f:f8:94:f0 to 06:0a:10:10:00:00 on port '1'
    Fri Jan 24 16:52:31 2014: 00:13:5f:f8:94:f0 LWAPP Join Request does not include valid certificate in CERTIFICATE_PAYLOAD from AP 00:13:5f:f8:94:f0.
    Fri Jan 24 16:52:31 2014: 00:13:5f:f8:94:f0 Unable to free public key for AP 00:13:5f:f8:94:f0
    Fri Jan 24 16:52:31 2014: 00:13:5f:f8:94:f0 Decoding Join Request failed for AP 00:13:5f:f8:94:f0
    Fri Jan 24 16:52:36 2014: 00:13:5f:f8:94:f0 Received LWAPP JOIN REQUEST from AP 00:13:5f:f8:94:f0 to 06:0a:10:10:00:00 on port '1'
    Fri Jan 24 16:52:36 2014: 00:13:5f:f8:94:f0 LWAPP Join Request does not include valid certificate in CERTIFICATE_PAYLOAD from AP 00:13:5f:f8:94:f0.
    Fri Jan 24 16:52:36 2014: 00:13:5f:f8:94:f0 Unable to free public key for AP 00:13:5f:f8:94:f0
    Fri Jan 24 16:52:36 2014: 00:13:5f:f8:94:f0 Decoding Join Request failed for AP 00:13:5f:f8:94:f0
    WLC debug pm pki enable
    Fri Jan 24 16:49:45 2014: sshpmGetIssuerHandles: invalid args (0x13d7edd0/0x13d7edd4/0x13d7edd8/0x30231b14/0)
    Fri Jan 24 16:49:45 2014: sshpmFreePublicKeyHandle: called with (nil)
    Fri Jan 24 16:49:45 2014: sshpmFreePublicKeyHandle: NULL argument.
    Fri Jan 24 16:49:50 2014: sshpmGetIssuerHandles: invalid args (0x13d91320/0x13d91324/0x13d91328/0x30231b14/0)
    Fri Jan 24 16:49:50 2014: sshpmFreePublicKeyHandle: called with (nil)
    Fri Jan 24 16:49:50 2014: sshpmFreePublicKeyHandle: NULL argument.
    Thanks!
    Leon

    Adding to the above.
    Manually add self-signed certificates (SSCs) to a Cisco Wireless LAN (WLAN) Controller (WLC).
    You can manually add the SSC to the WLC.
    These kinds of problems occur with Lightweight AP Protocol (LWAPP)-converted APs.
    Via GUI:
    Choose Security > AP Policies and click Enabled beside Accept Self Signed Certificate.
    Select SSC from the Certificate Type drop-down menu.
    Enter the MAC address of the AP and the hash key, and click Add.
    Via CLI:
    Enable Accept Self Signed Certificate on the WLC. The command is config auth-list ap-policy ssc enable.
    (Cisco Controller) >config auth-list ap-policy ssc enable
    Add the AP MAC address and hash key to the authorization list. The command is config auth-list add ssc AP_MAC AP_key.
    (Cisco Controller) >config auth-list add ssc
    More to check here:
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00806a426c.shtml
    Also, as mentioned by Scott, this is a very old version on the WLC. Please upgrade it.
    Hope it helps.
    Regards
    Don't forget to rate helpful posts

  • Restrict Access Vlan with WLC 4402

    Folks, I have three SSIDs configured on the WLC and three groups configured on ACS, and I need to restrict SSID access based on ACS group.
    I tried to use this guide below.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
    As you can see, this example is applicable to 802.1x and works out fine with 2 SSIDs that I have, but the third SSID doesn't work because it uses the NAC web login to authenticate the user. I needed to fall back because this configuration blocked my NAC authentication.
    Although I have configured NAR for just Group2 and Group3, users in Group1 that are authenticated with NAC were blocked.
    Does anyone know why this is, or how I can configure this restriction on the WLC and ACS?
    Thanks a lot

    Hi,
    You could be hitting DDTS CSCdu52690.
    I would suggest doing an upgrade; ACS version 3.0 is old and unsupported.
    Thanks,

  • WLC 4402, LAP1242AG APs and Layer 2 Switch Network Design

    Hi Everyone,
    I am a new designer in wireless technology. During design I came across a confusing/complex existing topology which I have to integrate with WLC 4402, as below:
    Existing:
    1: I have 12 Switches; all vtp mode server. all in single vlan 1 with single subnet 192.168.0.0/24. All users ports in this single vlan 1.
    2: All of these are old switches including 2950G, 350GXL, 4912.
    3: All the switches gateway is Pix Firewall (192.168.0.1).
    To Do:
    1: I have to implement 1 * WLC 4402, 22 *LAP1242AG Access Points.
    2: WLC will be connected to 350GXL or 4912 through Fiber.
    3: Access Points will be connected to all other 20 switches randomly.
    Confusion:
    1: In my design I created a separate VLAN 450 for WLC and AP management. But this is not doable in the current setup because all the switches are VTP mode server. Also the gateway is the firewall, which will require configuration on all existing switches + PIX. (I DON'T WANT TO GO FOR THIS OPTION.)
    2: To make my work easy, is it possible to put the WLC and APs in the same VLAN 1 (192.168.0.0/24) that is currently used by the existing switches? The gateway for the WLC and APs will be the PIX (192.168.0.1).
    3: I tried to search Cisco examples, but in every example Cisco has made a separate VLAN for WLC and AP management. So will Point 2 work?
    4: Do I require any specific changes for this?
    5: ANY OTHER DESIGN SUGGESTION?????????
    Please find the attached Diagram for more information.

    Thanks for the reply.
    1: You mean that the switch port config will be as below?
    int g0/10
    description connected to WLAN Controller
    switchport mode access
    switchport access vlan 1
    int g0/23
    description connected to AP
    switchport mode access
    switchport access vlan 1
    So below will be the summary of the config:
    All switches, WLC, APs, wireless users and wired users will be in the same subnet (192.168.0.0/24). Is it OK?
    2: What do you mean by VTP config? Please clarify.
    As I mentioned, all switches are in VTP mode server. The VTP domain name is configured on 12 out of 15 switches. Do I need to configure the same VTP domain name on all switches? Do I also have to check the VTP password?

  • Need Information For Connecting Access point to WLC 4402

    Hi Friends
    I need some information for connecting my new access point (Cisco AIRLAP 1242AG) to a WLC (4402) controller.
    In our network setup we have two WLCs (4402); we need to connect this new access point to one of our WLCs.
    My access point is brand new. I need to know what I have to do in order to connect this AP to the controller (from the access point perspective and the WLC perspective).
    I need to know what I need to do on the AP to connect to the controller.
    Do I need to assign a static IP address for the AP, or after connecting to the switch does it automatically get an IP from DHCP and register with the controller?
    Do I need to configure my AP with a default gateway (the switch to which it is connected?), and do I need to configure the AP with the controller IP address?
    Please assist
    Regards
    Safwan

    Hi Scot...
    We tried connecting the access point yesterday, but it failed....
    We are using a Cisco 3500 access point ...
    When we connected, first it automatically got an IP address using DHCP, but the following error occurred:
    P70ca.9bd5.77c6#
    AP70ca.9bd5.77c6#
    AP70ca.9bd5.77c6#
    Not in Bound state.
    *Mar  1 00:13:56.539: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination
    *Mar  1 00:13:56.555: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.50.11.26, mask 255.255.0.0, hostname AP70ca.9bd5.77c6
    *Mar  1 00:14:04.564: %CAPWAP-3-UNSUPPORTED_WLC_VERSION: Unsupported version 6.0.182.0 on WLC USSTLController01
    *Mar  1 00:14:14.564: %CAPWAP-3-UNSUPPORTED_WLC_VERSION: Unsupported version 6.0.182.0 on WLC USSTLController01
    *Mar  1 00:14:24.564: %CAPWAP-3-UNSUPPORTED_WLC_VERSION: Unsupported version 6.0.182.0 on WLC USSTLController01
    Then I configured the AP with a static IP address, default gateway and controller IP, but that too didn't work...
    AP70ca.9bd5.77c6>
    AP70ca.9bd5.77c6>
    AP70ca.9bd5.77c6>
    AP70ca.9bd5.77c6>
    *Mar  1 00:13:40.908: %CDP_PD-2-POWER_LOW: All radios disabled - NEGOTIATED WS-C3750X-48P (e05f.b907.9a20)
    AP70ca.9bd5.77c6>
    AP70ca.9bd5.77c6>
    AP70ca.9bd5.77c6>en
    Password:
    AP70ca.9bd5.77c6#
    *Mar  1 00:13:48.033: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
    AP70ca.9bd5.77c6#
    AP70ca.9bd5.77c6#
    AP70ca.9bd5.77c6#
    I also need to know whether the Cisco 3500 access point can be associated with WLC 4402 (version 6.0.182.0)?
    Please advise how to proceed further
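
Added example, not code from any poster in these threads: a Python triage helper for the three AP join-failure signatures visible in the logs quoted above (the controller closing DTLS while the AP is in CFG, `UNSUPPORTED_WLC_VERSION`, and the controller rejecting the certificate in the LWAPP join request). The function name `triage`, the finding field names and the sample log are constructed for illustration; the sample reuses addresses and names from the quoted logs, with wrapped lines joined.

```python
import re
from collections import Counter

# Signatures taken from the log lines quoted in the threads on this page.
STATE_RE = re.compile(r"%CAPWAP-5-CHANGED: CAPWAP changed state to\s*(\w*)")
DISCONNECT_RE = re.compile(r"%DTLS-5-PEER_DISCONNECT: Peer (\S+) has closed connection")
VERSION_RE = re.compile(
    r"%CAPWAP-3-UNSUPPORTED_WLC_VERSION: Unsupported version (\S+) on WLC (\S+)")
CERT_RE = re.compile(
    r"LWAPP Join Request does not include valid certificate in "
    r"CERTIFICATE_PAYLOAD from AP ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

# Constructed sample: two iterations of each failure, built from the quoted logs.
SAMPLE_LOG = """\
*May 25 08:27:02.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
*May 25 08:27:02.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*May 25 08:27:03.177: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*May 25 08:27:03.329: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*May 25 08:27:03.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
*May 25 08:27:03.333: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
*May 25 08:27:03.378: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*May 25 08:27:14.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*May 25 08:27:15.186: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*May 25 08:27:15.330: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*May 25 08:27:15.334: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
*May 25 08:27:15.379: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Mar  1 00:14:04.564: %CAPWAP-3-UNSUPPORTED_WLC_VERSION: Unsupported version 6.0.182.0 on WLC USSTLController01
*Mar  1 00:14:14.564: %CAPWAP-3-UNSUPPORTED_WLC_VERSION: Unsupported version 6.0.182.0 on WLC USSTLController01
Fri Jan 24 16:55:15 2014: 00:13:5f:f8:94:f0 LWAPP Join Request does not include valid certificate in CERTIFICATE_PAYLOAD from AP 00:13:5f:f8:94:f0.
Fri Jan 24 16:55:15 2014: 00:13:5f:f8:94:f0 Decoding Join Request failed for AP 00:13:5f:f8:94:f0
Fri Jan 24 16:55:20 2014: 00:13:5f:f8:94:f0 LWAPP Join Request does not include valid certificate in CERTIFICATE_PAYLOAD from AP 00:13:5f:f8:94:f0.
"""


def triage(log_text):
    """Return one finding per distinct join-failure signature in log_text."""
    state = None            # last named CAPWAP state seen on the AP console
    closed = Counter()      # (controller IP, AP state at disconnect) -> count
    versions = Counter()    # (controller version, controller name) -> count
    certs = Counter()       # AP MAC whose join certificate was rejected -> count

    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            # The console prints an empty state name before JOIN; keep the
            # previous named state in that case.
            state = m.group(1) or state
            continue
        m = DISCONNECT_RE.search(line)
        if m:
            closed[(m.group(1), state)] += 1
            continue
        m = VERSION_RE.search(line)
        if m:
            versions[(m.group(1), m.group(2))] += 1
            continue
        m = CERT_RE.search(line)
        if m:
            certs[m.group(1).lower()] += 1

    findings = []
    for (peer, st), n in closed.items():
        findings.append({"kind": "controller_closed_dtls", "peer": peer,
                         "capwap_state": st, "count": n, "looping": n >= 2})
    for (ver, name), n in versions.items():
        findings.append({"kind": "unsupported_wlc_version", "version": ver,
                         "wlc": name, "count": n})
    for mac, n in certs.items():
        # The reply in the 1131ag thread points at the controller's SSC
        # authorization list (Security > AP Policies) for this signature.
        findings.append({"kind": "join_certificate_rejected", "ap_mac": mac,
                         "count": n})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
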

  • Help required with WLC software upgrade

    I have a customer with a WLC 4402 in use, running software version 7.0.98.0, and supporting 11 APs at present. The customer wants to enlarge the WLAN, which involves increasing the number of APs. I have purchased a new WLC5508, and have installed it onto the network alongside the 4402. The 5508 is running software version 7.0.116.0. Because the wireless network is critical to the user, we want to move the APs over to the new controller while the network is up and running, then remove the 4402.
    However, when we set the 5508 as the master controller, or tell one of the APs to use the 5508 as its primary controller, the AP connects to the new controller, downloads the new software version, attempts to load it but reports an error with the unzipped file size of the software and fails to boot. Formatting the flash on the AP, then disconnecting the 5508 from the network and rebooting the AP allows it to connect to the 4402; it downloads the older software and boots as normal. A new AP, if connected to the 5508 in a test scenario (i.e. no 4402), connects, downloads and boots perfectly.
    I have the upgrade software to allow the 4402 to be upgraded to 7.0.116.0, but I am concerned that, if this is installed, the existing APs will then fail to boot from the 4402 or the 5508.
    All APs are 3502s, running IOS version 12.04(23c)JA when connected to the 4402 and 12.04(23c)JA2 on the 5508.
    Any suggestions would be gratefully received
    Thanks

    Hi Pat,
    Thanks for the reply. I am off site until the morning, but will attach the console output tomorrow.
    Your mentioning a corrupt image makes me wonder - we had a lot of trouble setting up the initial config on the new WLC, getting a lot of launch failures. Eventually things seemed to settle down (it certainly booted successfully first time this morning) and getting an AP to connect without a problem made me hope it was just a quirk of the configuration wizard, but I think I will try a reboot of the WLC before I do anything else, just to check it is stable.
    If it is a corrupt image it may take a little while to sort, as we have not as yet got a support contract on the 5508 - the plan was to upgrade the existing contract on the 4402 once they were swapped out, but I'll let you know what's going on
    Rob

  • WLC 4402-50 with ACS 3.3

    Hi,
    We want to use ACS to authenticate an ssh or http connection to a WLC 4403-50 4.2.99 using TACACS+. On our ACS 4.2 test server it works fine. Configured identically on an ACS 3.3 appliance we are not able to log in, although we do see a successful login in the Passed Authentications report within ACS.
    Is there an incompatibility between the WLC 4402-50 and ACS 3.3?
    thanks
    Bob

    The Cisco Secure Access Control Server (ACS) provides authentication, authorization, and accounting (AAA) services for users of the wireless network.
    It is also possible to employ a WLC controller strategy that uses an N+1 approach. When using N+1 architecture, each WLC is configured with a WLC that is designated as a backup WLC in the event of a failure. This controller is not used until there is a failure event upon which all APs using the failed controller switch to the backup WLC. This cost-effective approach provides a high level of availability in the event of a single WLC failure scenario.

  • Help on Nokia E61i associating with Cisco WLC 4402

    I met some problem with associate Nokia's dual mode mobile phone E61i with Cisco WLC 4402, hope someone can help me on it:
    I setup a VOICE WLAN in 4402(v5.0.148), Layer2 security is WPA1+WPA2, Key management using 802.1x, WPA1 policy enable both TKIP and AES, Radius server using ACS engine(v4.1.1.23)(enable PEAP-MSCHAPv2);
    I can use my laptop to join this WLAN (my laptop is configured with PEAP/MSCHAPv2, WPA-TKIP, not validating the server certificate), but I can't get the E61i to join it; each time it reminds me “unable to connect, WPA authenticate failed”.
    In E61i, I select WPA/WPA2 as WLAN security mode, enable EAP-PEAP, under EAP-PEAP, I enable EAP-MSCHAPv2; however under Cipher, there's a lot of options such as “RSA,3EDS,SHA”, “RSA,AES,SHA”, but there's no TKIP, I have tried to enable all of them and tried only enable those items which include AES, but I failed each time with the same reminder “unable to connect, WPA authenticate failed”. I checked ACS's failed log, there's no record; In 4402, there also have no record.
    If I change the security to open or static WEP for VOICE WLAN, then the E61i can connect to the WLAN.
    I think the problem may be related to encryption or the certificate. Right now I am just doing the test in the lab, not in the customer's real environment, so I used ACS to generate a self-signed certificate and installed it in ACS.
    Please help point out what I need to adjust to make it work. Thanks!

    Hello,
    CCKM Key Management mode on Nokia E61i phone can be used against Cisco LWAPP AP's with TKIP encryption.
    Nokia E61i (and other E-series WLAN enabled phones) are supporting CCKM key management method with both dynamic WEP and TKIP ciphers.
    On the phone configuration, 802.1X security mode needs to be in use in order to enable CCKM support. WPA/WPA2 security mode on the phone is dedicated to standards based WPA and WPA2 methods and it does not allow usage of proprietary CCKM key management method.
    The phone's 802.1X security mode does not mean that the phone would only support the dynamic WEP encryption method in this mode, although in some contexts the term "802.1X" may be attached to pure dynamic WEP (legacy / pre-WPA era) security methods.
    802.1X security mode can be seen on Nokia E-series phones as a sort of "everything with EAP based authentication is allowed" mode, meaning that the following key management and cipher configurations are supported:
    - WPA-Enterprise  = WPA Key Management (EAP based authentication) with TKIP encryption
    - WPA2-Enterprise = WPA2 Key Management (EAP based authentication) with AES encryption
    - Mixed WPA/WPA2-Enterprise = I.e. WPA/WPA2 Mode Migration WPA2 Key Management (EAP based authentication) with AES (for unicast data) and TKIP (for multicast data) ciphers
    - 802.1X dynamic WEP = legacy (pre-WPA era) 802.1X based dynamic WEP (EAP based authentication with dynamic WEP encryption)
    Supported:
    - CCKM with WEP = CCKM Key Management (EAP based authentication) with dynamic WEP encryption
    - CCKM with TKIP = CCKM Key Management (EAP based authentication) with TKIP encryption
    Not supported:
    - CCKM with AES = CCKM Key Management (EAP based authentication) with AES encryption
    Please note that CCKM-AES mode (CCKM Key Management with AES cipher) is not working properly due to some incompatibilities between Cisco and Nokia implementations thus it must not be listed as a supported combination on the current Nokia E-series devices. We are also seeing CCKM-Fast Re-authentication failures with Cisco autonomous AP's when AES encryption is used although initial authentication to autonomous AP's is successful. Nokia is currently working with Cisco to get CCKM-AES based authentications and roaming working properly with both LWAPP and autonomous Cisco AP's.
    Also note that Nokia E-Series does not support Cisco proprietary CKIP/CMIC encryption/data integrity methods. CKIP/CMIC is supported at least by Cisco autonomous AP's and it seems to be available also at least on LWAPP AP version 4.1.171.0.
    CCKM on E-Series devices has been tested against Cisco LWAPP (ver. 4.1.171.0) and it works when TKIP encryption is in use (WPA Policy + TKIP encryption in Cisco LWAPP configuration terms).
    In practice this means Cisco LWAPP is configured in a following manner: WLAN -> Edit -> Security-> 
    Layer 2 Security = WPA+WPA2
    WPA+WPA2 Parameters:
    -WPA Policy = enabled
    -WPA Encryption = TKIP enabled, AES disabled
    -WPA2 policy = disabled
    -Auth.Key Mgmt = CCKM
    Br,
    -Pasi-

  • Create a point to point link with a wlc 4402

    Hi to all,
    I have a WLC 4402 and I need to configure a point-to-point link with two air-lap1310g-e-k9. I have found this link on cisco.com:
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808e9c1b.shtml#zero
    but on the WLC configuration page I cannot find some of the configuration steps.
    Has someone configured this type of behaviour, or can someone give me some hints?
    How can I configure the parameters for the bridge configuration on the WLC? Or must I configure the bridges by overriding the global configuration?
    Thanks and best regards,
    Carlo Sagratella.

    The correct thing to do would be to downgrade the 1310's to autonomous (or 1242's) and set up a root bridge and non-root bridge.
    Alternately however, if you REALLY wanted one of the points to be LWAPP, in theory you could always make one of the Access Points Autonomous and join it as a workgroup bridge to the LWAPP AP. However, there really is no reason to do that since it would be cleaner to convert both to autonomous.

  • WLC 4402 with Ap 1131Ag Urgent

    Hi,
    I'm trying this for the first time and have gone through the document during the installation.
    I have configured the WLC 4402 as below
    (Cisco Controller) >show interface summary
    Interface Name   Port   Vlan Id    IP Address      Type
    ap manager       1      2          52.234.57.132   Dynamic
    management       1      untagged   52.234.57.8     Static
    service-port     N/A    N/A        192.168.1.1     Static
    virtual          N/A    N/A        1.1.1.1         Static
    (Cisco Controller) >show interface detailed management
    Interface Name................................... management
    MAC Address...................................... 00:21:a0:38:69:80
    IP Address....................................... 52.234.57.8
    IP Netmask....................................... 255.255.255.128
    IP Gateway....................................... 52.234.57.3
    VLAN............................................. untagged
    Active Physical Port............................. 1
    Primary Physical Port............................ 1
    Backup Physical Port............................. Unconfigured
    Primary DHCP Server.............................. 52.225.1.2
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    ACL.............................................. Unconfigured
    But after connecting my APs I'm getting an error...
    *Mar 1 00:18:48.839: LWAPP_CLIENT_ERROR: lwapp_name_lookup - Could Not resolve CISCO-LWAPP-CONTROLLER.hyderabad2.XXXX.com
    Translating "CISCO-LWAPP-CONTROLLER.hyderabad2.XXXX.com"...domain server (52.224.13.1) (52.225.1.2)...
    Can you please help me to solve this?

    Hi,
    Can you tell me what will be the best way to configure my WLAN setup.
    Our set up is
    1. 2 Cores switch 4506 with HSRP 52.234.57.3/25 (MNGMT VLAN 1)
    2. 52.234.57.128/26 (For WLANusers VLAN 2)
    3. C 3750 PWR in Access 52.234.58.0/24 USER1 (VLAN4)
    4. C 3750 PWR in Access 52.234.59.0/24 USER2 (VLAN5)
    Our DNS and DHCP server sits in HO with IP adrs 52.225.1.2 and 52.234.15.12.
    I have done the basic WLC configuration,
    and when I connected the LAP in my access layer I found the error of not being able to resolve with the DNS server, i.e. CISCO-LWAPP-CONTROLLER.hyderabad2.XXXXX.com.
    I'm getting this error when I try both L2 and L3 setup.
    We are using a C4402 WLC and 1131 AG LAP.
    Please advise how to overcome this.
    Thanks in advance...
    Vj

  • WLC 4402 username and password expires automatically

    Hi,
    We are facing an issue with a Cisco WLC 4402 (Cisco AireOS Version 4.2.205.0): the username and password expire automatically. It happens very often. We are not able to retrieve the password, so every time we need to reset (factory default) the Cisco WLC 4402 and do a fresh installation.
    Is it a hardware issue or a software bug?
    Also, is there any possibility of recovering the username and password with resetting the Cisco WLC 4402?
    Kindly suggest on this issue.
    Regards
    S.Manikandan

    Hmmm.. Strange!! are we using any TACACS to manage?? or just the management username and password??
    I guess after 5.2 WLC code or so we have the option of resetting the password without losing the config!!
    Regards
    Surendra

  • 1131 LWAP not join WLC 4402

    I am deploying a WLC 4402 with LWAP 1131 but the AP fails to join the WLC. The reason is that I don't have a DNS server. The error message on the AP is:
    AP001d.451f.8582>
    *Mar 1 00:00:38.005: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned DHCP address 172.26.5.12, mask 255.255.255.0, hostname AP001d.451f.8582
    Translating "CISCO-LWAPP-CONTROLLER"...domain server (255.255.255.255)
    *Mar 1 00:00:49.371: LWAPP_CLIENT_ERROR: lwapp_name_lookup - Could Not resolve
    I tried to configure the controller address on the LAP but I failed. The error when I tried to configure the AP is below:
    AP001d.451f.8582#lwapp ap controller ip address 172.26.5.10
    ERROR!!! Command is disabled.
    My question is:
    Is it possible to make the LAP join the WLC without DNS, and if yes, how?

    Hi Yhab,
    There are other ways besides DNS to help in the AP and WLC Discovery process. Have a look in this good doc;
    Lightweight AP (LAP) Registration to a Wireless LAN Controller (WLC)
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a00806c9e51.shtml#topic2
    For the Static entry problem;
    If this AP was ever registered you can use this command from the LAP CLI to clear the LWAPP configuration on the LAP:
    clear lwapp private-config
    This allows you to use the AP LWAPP static configuration commands again.
    Here is an example:
    Enable (enter password)
    AP1240#clear lwapp private-config
    AP1240#lwapp ap hostname AP1240
    AP1240#lwapp ap ip address 10.77.244.199 255.255.255.224
    AP1240#lwapp ap ip default-gateway 10.77.244.220
    AP1240#lwapp ap controller ip address 172.16.1.50
    Note: You cannot use the clear lwapp private-config command when the LAP is registered with the controller.
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_tech_note09186a00808e2d27.shtml#t2
    Hope this helps!
    Rob
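
Added example (not part of either post, and not Cisco code): a small Python parser that diagnoses the `lwapp_name_lookup` failure shown in this thread and in the "WLC 4402 with Ap 1131Ag Urgent" thread, rejoining the wrapped console lines first. The sample captures, addresses and verdict names are constructed, and reading a lone `255.255.255.255` domain server as "no DNS server was handed to the AP" is an assumption based on IOS broadcasting lookups when no name server is configured.

```python
import re
# Constructed console captures modelled on the AP output quoted in the posts
# above; addresses and names are placeholders. The hard line wraps are kept.
NO_DNS = """\
*Mar 1 00:00:38.005: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned D
HCP address 192.0.2.12, mask 255.255.255.0, hostname AP0000.0000.0001
Translating "CISCO-LWAPP-CONTROLLER"...domain server (255.255.255.255)
*Mar 1 00:00:49.371: LWAPP_CLIENT_ERROR: lwapp_name_lookup - Could Not resolve
"""
NO_RECORD = """\
*Mar 1 00:18:48.839: LWAPP_CLIENT_ERROR: lwapp_name_lookup - Could Not
resolve
CISCO-LWAPP-CONTROLLER.site.example.com
Translating "CISCO-LWAPP-CONTROLLER.site.example.com"...domain
server (198.5
1.100.1) (198.51.100.2)...
"""
RECORD_START = re.compile(r"^(\*|Translating\b)")
TRANSLATE = re.compile(r'Translating "([^"]+)"\.\.\.domain\s*server((?:\s*\([\d.]+\))+)')

def unwrap(text):
    """Glue wrapped console lines back onto the message they belong to."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line  # continuation of a hard-wrapped line
    return records

def diagnose(text):
    out = {"ap_ip": None, "name": None, "dns": [], "failed": False}
    for rec in unwrap(text):
        if m := re.search(r"assigned DHCP address ([\d.]+)", rec):
            out["ap_ip"] = m.group(1)
        if m := TRANSLATE.search(rec):
            out["name"] = m.group(1)
            out["dns"] = re.findall(r"\(([\d.]+)\)", m.group(2))
        if re.search(r"lwapp_name_lookup - Could Not\s*resolve", rec):
            out["failed"] = True
    if not out["failed"]:
        out["verdict"] = "no-lookup-failure"
    elif out["dns"] in ([], ["255.255.255.255"]):
        out["verdict"] = "no-dns-server"       # only broadcast was tried
    else:
        out["verdict"] = "name-not-resolved"   # real servers, no answer
    return out
```

A `no-dns-server` verdict points at the DHCP scope or a non-DNS discovery method; `name-not-resolved` points at a missing or unreachable record for the controller name on the listed servers.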

  • Rolling upgrade of WLC 4402 controllers and APs

    I need to upgrade the software on two WLC 4402 controllers in a hospital. Both WLCs have the same config and one is primary (has all APs connected) and the other backup (no APs connected). The APs are placed so there is still coverage if one goes down in an area. My question - is it possible to do a rolling upgrade to have no downtime for the wireless clients? My plan would be to upgrade the backup WLC then selectively move APs to it. If I swap the primary and secondary controllers in the high availability tab on each AP, do I need to do a reset (General - Hardware Reset) or will it automatically reboot and connect to the upgraded backup controller? When I'm done, I'd upgrade the primary controller and now call that backup. Does this make sense?

    I've done this same sort of thing on a slightly larger scale about 5 times now at the hospital I work at.  Quick answer is "Yes, it is possible to do a rolling upgrade and have no downtime for wireless clients."
    I've got 5 WLC's, and I use the high availability tab to move all the AP's off one, upgrade it, and move all the AP's from the next WLC over to it, upgrade that one, etc.
    The thing you need to be careful of is your timing and your choice of APs to move.
    It generally takes about a minute to move an AP between WLCs running the same version.  But if there's a version change that makes the AP upgrade, you're looking at about 6 minutes.
    I do them one at a time, and when they show up in the WLC as being up, running and happy for 1 minute, I do the next one.  And so on.  Takes me about 3 days to go through all 5 WLCs and 375 APs.  Not once have I had a user notice the move.
    Also, in order to test, after I do the first upgrade, I move just one area's APs into that WLC for a day and then test the various flavors of gear we have (phones, infusion pumps, laptops, etc.) to confirm that the new version doesn't have any trouble.  Sometimes it does and I work with TAC to get things resolved before I do the whole hospital.
    jh
