Redundant WLC and ACS deployment

Deployed a project with one WLC 5508, one ACS 1121 and one WCS with 200 1131 APs. Now we require redundancy in this design. Can anyone help me out with this design and configuration?

Hi Muhammad, there are two types of redundancy in the CUWN network: controller and AP redundancy.
Since you have only one WLC, controller redundancy is not possible. For the lightweight APs, there is automatic self-healing from the WLC when one AP goes down: neighbouring APs detect that one of their neighbors is not alive and react by transmitting a more powerful signal to compensate. I would strongly advise you to deploy a second WLC, especially since you have 200 APs. If your WLC crashes, you are out of business for a while!
rate if this helps.

Similar Messages

  • Dynamic VLAN assignment with WLC and ACS for

    Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
    dot11 vlan-name STUDENT vlan 2903
    dot11 vlan-name FACSTAF vlan 2905
    As we are working on our WiSM deployment, we see that the document below shows how to do the dynamic VLAN assignment on our WLAN controllers:
    http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
    However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
    With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
    Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?

    We only have the one WiSM for all of campus, so it's handling everything. The Cisco docs do indicate how to put different users in different VLANs, but we don't currently see a way to also put them in different subnets per building.
    This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than Class C, or is there a more elegant way of handling this?

  • Incompatibility issue - WLC 5508 and ACS 5.4

    Hi,
    This is my scenario:
    Cisco WLC 5508 firmware 7.4.110.20 and ACS 5.4, two WLANs with EAP-TLS; many clients can't connect to the WLAN and on ACS I receive the following error:
    Authentication failed : 11051 RADIUS packet contains invalid state attribute
    workaround:
    1 -Check the network device or AAA Client for hardware problems.
    2-known RADIUS compatibility issues.
    3-Check the network that connects the device to ACS for hardware problems
    Are there some incompatibility issues between WLC and ACS? The compatibility matrix document for wireless imposes the 7.5 firmware for the WLC.
    What do you think is possible?

    Are there any other errors shown in the details of the failed authentication?
    We may need to look at service logs in debug mode, opening a TAC case would be the best way to go about this.
    Javier Henderson
    Cisco Systems

  • Redundant WLC-5508 Deployment Licensing

    I am deploying a redundant WLC-5508.  We purchased 2, each with the base license of 50 AP's.  After the survey, we determined that we need an additional 9 access points.  Do we have to purchase 2 upgrade licenses?  If so, can we get them in increments of 5, similar to the 2500 series WLC's?

    After the survey, we determined that we need an additional 9 access points.  Do we have to purchase 2 upgrade licenses?
    Yes.  You need to purchase TWO (2) licenses.
    Here's the difficulty with your scenario:
    For some unknown reason, someone in Cisco has determined that, in your case, you have an appliance with a 50 base license and you need to add 9 WAPs.  Logic dictates that you could potentially get a 25-base license, right?  Not in this case.  The minimum license you can get is a 100-base license.
    Because of this, I would recommend that you raise a TAC Case and potentially get both of the WLC RMA-ed.  Tell TAC that you want to get a 25-base license ADDED to both units.  (Bringing the total to 75.)
    Message was edited by: Leo Laohoo

  • Wireless Virtual LAN - SSID and ACS User Mapping

    Hi Everybody
    We have the following scenario:
    - WLC 4402 and ACS 3.3
    - 2 SSIDs, one for employees, one for guests
    - All users (guests and employees) are authenticated against the ACS Server.
    We would like to only permit Guest users to use the Guest SSID.
    I've been reading the Wireless Virtual LAN Deployment Guide :
    http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wvlan_an.pdf
    and have tried to use method 1.
    - RADIUS-based SSID access control:
    "Upon successful 802.1X or MAC address authentication, the RADIUS server
    passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge."
    "This is configured by enabling the “[026/009/001] cisco-av-pair” option. On the ACS Server
    - Enable and configure Cisco IOS/PIX RADIUS Attribute,
    009\001 cisco-av-pair
    - Example: ssid=LEAP_WEP"
    I've tried this, but regardless of which SSID the user (group) has configured, it still can access all SSIDs?
    Does anyone have any idea of what I'm doing wrong?
    Does this setting only apply to access points, or is it also valid for the WLC 44xx series?
    Greetings
    Jarle

    Hi, I'm sorry but this still does not help.
    We have now upgraded ACS to version 4.0 and I'm still having the same problems.
    This is what I have configured:
    WLC:
    - WLAN
    - SSID : Public
    - WLAN id = 3
    - L2 Security : 802.1x
    - Interface Name : GuestVLAN
    - Controller - Interface
    - management - Untagged
    - GuestVLAN - VLAN 112
    - Security
    - RADIUS Servers
    When authenticating a Guest (belonging to the proper group in ACS) the right VLAN is used, IP addresses from DHCP are received, and the Guest can access the internet.
    Switch:
    - Port connected to WLC uses Trunking.
    - Guests are connected to VLAN 112 and "native VLAN" is used to connect the Private Users.
    ACS:
    - AAA Client is the WLC, Authenticating using Cisco Airespace
    - Guest Users are member of Group 11
    - Private Users are member of Group 1
    Group 11
    - Use Per Group NAR to only allow WLAN Access
    - Cisco Airespace RADIUS Attributes
    x 14179\001 - Aire-WLAN-ID = 3
    - Cisco IOS / PIX RADIUS Attributes
    x 009\001 Cisco-av-pair = "ssid=Public"
    - IETF Radius Attributes
    x 006 Service Type = Login
    x 007 Framed-Protocol = ppp
    x 064 Tunnel-Type = VLAN
    x 065 Tunnel-Medium-Type = 802.1x
    x 081 Tunnel-Private-Group-ID = 112
    Group (default Group)
    - Cisco Airespace RADIUS
    x 14179\001 Aire-WLAN-ID = 1
    - Cisco IOS/PIX Radius Attrib
    x 009\001 Cisco-av-pair = "ssid=Private"
    - IETF RADIUS
    x 008 Service-type = Login
    x 064 Tunnel-Type = VLAN
    x 065 Tunnel-Medium-Type = 802.1x
    x 081 Tunnel-Private-Group-ID = 1
    Do you have any idea of what I should change?
    Greetings
    Jarle
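Both the dynamic VLAN thread above (Tunnel-Private-Group-ID carrying a VLAN name) and Jarle's ACS attribute list (IETF 064/065/081) rely on the RFC 2868 tunnel attributes inside the RADIUS Access-Accept. The following Python is an added example, not ACS, WLC or IOS code: it encodes the three attributes the way a RADIUS server would put them on the wire and checks a received set for the consistency a NAS needs before it honours the VLAN (Tunnel-Type VLAN, Tunnel-Medium-Type IEEE-802, and a group id under the same tag). All sample values are constructed.

```python
"""Encode and check the RFC 2868 tunnel attributes that carry a dynamic VLAN
assignment in a RADIUS Access-Accept (constructed example, not vendor code)."""

# IETF RADIUS attribute numbers from RFC 2868
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value "IEEE-802"


def _tagged_int(attr, tag, value):
    """Tag (1 octet) + 3-octet big-endian integer, wrapped as Type/Length/Value."""
    payload = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr, 2 + len(payload)]) + payload


def encode_vlan_assignment(group_id, tag=0):
    """Return the three attributes as raw bytes ready to append to an Access-Accept.

    group_id is the VLAN number or name the NAS should map; the tag ties the
    three attributes together when several tunnel groups are present."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("RFC 2868 tag must be 0x00..0x1F")
    gid = str(group_id).encode("ascii")
    if len(gid) > 252:
        raise ValueError("Tunnel-Private-Group-ID too long for one attribute")
    payload = bytes([tag]) + gid
    return (_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(payload)]) + payload)


def parse_attributes(blob):
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, blob[pos + 2:pos + alen]))
        pos += alen
    return attrs


def extract_vlan_assignment(blob):
    """Return (tag, group_id) when the attribute list carries a usable VLAN
    assignment, or None when the trio is missing or inconsistent (the NAS then
    keeps the WLAN's default interface instead of overriding it)."""
    tunnels = {}
    for atype, value in parse_attributes(blob):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                return None
            tunnels.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            if not value:
                return None
            # The first octet is a tag only when it is 0x00..0x1F; otherwise it is string data
            if value[0] <= 0x1F:
                tag, gid = value[0], value[1:]
            else:
                tag, gid = 0, value
            tunnels.setdefault(tag, {})[atype] = gid.decode("ascii", "replace")
    for tag, t in tunnels.items():
        if (t.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and t.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in t):
            return tag, t[TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    accept = encode_vlan_assignment(112)       # constructed: guest VLAN 112
    print(accept.hex())
    print(extract_vlan_assignment(accept))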

  • Machine authentication with MAR and ACS - revisited

    I'm wondering if anyone else has overcome the issue I'm about to describe.
    The scenario:
    We are happily using ACS 4.1 to authenticate wireless PEAP clients to an external Windows AD database.
    We do have machine authentication via PEAP enabled, but at this time we are not using Machine Access Restrictions as part of the external database authentication configuration.
    The clients (we care about) are using the native XP ZWC supplicant and are configured to "authenticate as machine when available".
    The passed authentications log does successfully show the machines authenticating.
    The challenge:
    We only want to permit users on our PEAP protected WLAN if the machine they are using has an account in the domain (and they are a Windows XP box, the current standard corporate image).
    In a testing lab, we enable Machine Access Restrictions, with the access mapped to "No Access" if there is no machine auth, or if machine auth fails.  If a machine is shut down and boots fresh, or if the logged on user chooses to log off while on that WLAN, we see the Windows box send its machine authentication.  As I understand it, a Windows XP box will only attempt to authenticate as a machine when a user logs off, or upon initial boot.
    In our environment (and I'm sure many others), if a user comes into the office, docks their laptop, is attached to the wired LAN and boots or logs on, the machine may be authenticating, but it is authenticating directly to the AD as our wired LAN is not using 802.1x or ACS RADIUS.
    So the user may be logged on and working on the network, and then chooses to undock, which activates the wireless.
    The problem then: the machine does NOT attempt to authenticate as a machine and only processes the user credentials, which get passed on to ACS via the WLC, and when MAR is enabled with the No Access mapping for no machine auth, the user auth obviously fails.
    Has anyone seen / overcome this?
    Our goal is to enforce that only standard XP imaged machines get on the wireless PEAP network (where the configuration is maintained by GPO).

    Here's the only thing I could find on extending the schema (I'm not a schema expert):
    http://msdn.microsoft.com/en-us/library/ms676900%28VS.85%29.aspx
    If all of your clients are Windows machines, it's easier to stick with PEAP for machine auth, user auth, or both.  However, your RADIUS (ACS) server should have a certificate that the clients trust.  You can configure the clients to ignore the RADIUS server cert, but then your clients will trust any network that looks/works like yours.  Get a cert/certs for your RADIUS server(s).
    You can have PEAP and EAP-TLS configured on your ACS server without causing problems for your PEAP clients (be aware that most of my experience is with 4.1/4.2; earlier versions may not work the same way).  Your comment about what you're testing is confusing me.  Let's say you have (only) PEAP configured for machine auth on both the client and the ACS server (no user auth is configured on the client, or in ACS).  Your client will offer its machine account AD credentials to the ACS server in order to authenticate to the network.  Those credentials will be validated against AD by your ACS server, and then the machine will get an IP address and connect to your network.  Once your machine is on the network, and a user tries to log on, then the user's AD credentials will be validated against AD (without any involvement of ACS).  You should not need PEAP and EAP-TLS together.  Both are used for the same purpose: 802.1X authentication for network access.  PEAP only uses AD to validate machine credentials (or user credentials), because you configured your ACS server to use AD as a user database for validating 802.1X credentials.  You could just as easily have used PEAP on the client side, but told ACS to use an LDAP connection to a Linux box with a user/machine database.  Validating credentials for network access (802.1X) is not the same thing as authenticating to AD for server/printer/email/whatever access.  I wish I could explain this better...

  • Using Active Directory and ACS for Concentrator 3000 VPN

    Has anyone gone down the path of using Cisco ACS for network access control AND authenticating it with their W2K Active Directory for VPN 3000 concentrators? I did some research on Google, Cisco web, and this group, I did not find a definite answer on the best practice for the architecture and design, can anyone share your experience how you approached this?
    Below is my understanding; I appreciate any help to piece some or all of the below together.
    (1) The end state is that once a VPN user is successfully authenticated, it is assigned certain network access privileges based on its group's policy. How to accomplish this?
    (2) AD stores a central user database for user authentication. Each user may belong to one or more groups on the AD; ACS is responsible for network access control for the specific groups and enforces these controls on the users via the concentrators.
    (3) Concentrator is the NAS, and ACS is the RADIUS server
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949b4.shtml
    (4) Concentrator can link to the AD as an external database: http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_1/gs/gs3mgr.htm
    (5) A single "Tunnel Group" is created on the concentrator
    (6) Multiple groups, per corporate infosec policies, are created on the AD
    (7) Multiple groups, per corporate infosec policies, are also created on ACS and need to match what is in the AD
    TIA.

    In order to restrict access for a specific AD group to a specific SSID, this is what you need to perform.
    When the WLC sends an authentication request to the ACS, it will include the SSID that the user is connecting to in the attribute Calling-Station-Id(31). We can use this information to create multiple rules in ACS 5.x in order to take actions based on the information contained in the attribute.
    Under Users and Identity Stores > click on Directory Groups > select > check the group name you want to add and hit OK. Save the changes.
    We just need to create a DNIS rule that includes the name of the SSID and use it as a condition in any rule that we create for authentication. The * is required because the attribute not only contains the SSID but also a MAC address, so the * is used as a regular expression.
    Now go to Access Policies > Default Network Access > Identity should be AD1.
    Go to Authorization > click on Customize > move the AD1:ExternalGroups and End-Station Filter attributes to the right side and hit OK.
    After that select the appropriate AD group for teachers and end-station filter.
    Save changes.
    Jatin Katyal
    - Do rate helpful posts -

  • WLC 4402 + ACS 5.4 + AD: is it possible to use separate ip dhcp pools according to AD user group?

    Hello, we are using WLC with ACS and it is working well.
    We have an AD group WiFi_access, and all users from this group are able to authenticate when connecting to the corporate WiFi network.
    How could we make, for example, two AD groups, WiFi_access and WiFi_VIP, where users from the first group get 10.7.0.0/24 addresses and 10.8.0.0/24 from the second? Or it could be 10.7.0.0-100 and 10.7.0.100-200, it doesn't matter.
    The main goal is: different AD groups of users must have different privileges, and this is controlled via ACL on their default gateway switch.

    You can use the "aaa-override" feature to do that. In that case, once a user gets connected, if he belongs to the "WIFI_VIP" group ACS can override the user VLAN to a different one (10.8.0.0/24) from the one they initially associate to.
    You can get an idea about the concept from the below post
    http://mrncciew.com/2013/05/21/aaa-override-in-acs5-2/
    HTH
    Rasika
    *** Pls rate all useful responses ***
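The two answers above describe rule logic rather than a single setting: an SSID condition with a '*' wildcard evaluated against the station-id attribute that carries the SSID next to a MAC address, and an AD-group match that can return a VLAN override (aaa-override). The Python below is an added model of that evaluation, not ACS code; the `<ap-mac>:<ssid>` layout of the attribute value, the group names, SSIDs and VLAN values are constructed for the demonstration. It shows first-match ordering and the default deny that applies when no rule matches, which is where most "guest user reaches the corporate SSID" surprises come from.

```python
"""Offline model of SSID-restriction and group-based VLAN-override rules
(constructed example, not Cisco ACS code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Six hex octets separated by '-', ':' or '.', then ':' and the SSID (assumed layout)
STATION_ID_RE = re.compile(r"^([0-9a-fA-F]{2}(?:[-:.][0-9a-fA-F]{2}){5}):(.+)$")


def ssid_from_station_id(value):
    """Split '<ap-mac>:<ssid>' into (normalised mac, ssid)."""
    m = STATION_ID_RE.match(value)
    if not m:
        raise ValueError(f"unexpected station-id format: {value!r}")
    mac = re.sub(r"[:.]", "-", m.group(1)).lower()
    return mac, m.group(2)


def glob_to_regex(pattern):
    """Turn the '*' wildcard of the SSID condition into an anchored, escaped regex,
    so 'Guest*' matches 'Guest-Lobby' but never 'Corp'."""
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")


@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset            # user must be in at least one; empty set = any user
    ssid_glob: str
    permit: bool
    vlan: Optional[str] = None   # VLAN id or interface name returned on permit (AAA override)


def authorize(user_groups, station_id, rules):
    """First matching rule wins; no match is an implicit deny."""
    _, ssid = ssid_from_station_id(station_id)
    groups = set(user_groups)
    for rule in rules:
        if rule.groups and not (rule.groups & groups):
            continue
        if not glob_to_regex(rule.ssid_glob).match(ssid):
            continue
        return rule.name, rule.permit, (rule.vlan if rule.permit else None)
    return "implicit-deny", False, None


# Constructed rule set: VIP staff get an override VLAN on the corporate SSID,
# ordinary staff keep the WLAN's default interface, guests only get guest SSIDs.
RULES = [
    Rule("vip-corp", frozenset({"WiFi_VIP"}), "Corp", True, "vlan-vip"),
    Rule("staff-corp", frozenset({"WiFi_access"}), "Corp", True),
    Rule("guest-ssids", frozenset({"Guests"}), "Guest*", True, "112"),
]

if __name__ == "__main__":
    for groups, sid in ((["WiFi_VIP", "WiFi_access"], "00:11:22:33:44:55:Corp"),
                        (["Guests"], "00-11-22-33-44-55:Corp"),
                        (["Guests"], "00-11-22-33-44-55:Guest-Lobby")):
        print(groups, sid, "->", authorize(groups, sid, RULES))
```

Rule order matters: a VIP who is also in WiFi_access hits the VIP rule first and receives the override, while a guest on the corporate SSID falls through every rule and is rejected.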

  • How to create guest access in wireless by WISM and WCS and ACS?

    Dear sir,
    I need to know the steps of how we can provide guest access to our network, like hotels do, by using our WiSM v7.0.220 and Wireless Control System and ACS?

    You need to define your requirements a little bit. The WLC can do WebAuth and an employee can access either the WLC or WCS to put in the username and password credentials, but you would need to figure out what's best for you.
    Here is a support doc that you can reference.
    https://supportforums.cisco.com/docs/DOC-13954
    Sent from Cisco Technical Support iPhone App

  • WLC and WCS conflict

    Hi, I am currently using 21 x WLC with N+1 redundancy and 1 x WCS with 1000+ LAP1020s. It has been observed that the antenna type and TX power have been changed for no reason. Are there any settings that may affect the APs' customized TX power and antenna settings, other than using the WCS template to push the configuration to the APs instead of the WLC?

    Sorry for jumping in on the question with another question but it seemed the right place.
    I have an AIR-CT5508-25-K9 WLC and +25AP license : L-LIC-CT5508-25A.
    As far as I understand it the WLC should already have a 25AP license installed and with the adder license I should have a count of 50 APs.
    However, after installing the adder license the count is still 25.
    Could you please let me know if it's just something wrong in my reasoning or should a case be opened?
    Thank you,
    Barbara

  • I'm in the military and I'm deployed right now. I got an iPod touch but it won't let me download apps. I put all my billing info in and my address but it keeps telling me to contact Support to complete my transaction

    I'm in the military and I'm deployed right now. I got an iPod touch but it won't let me download apps. I put all my billing info and address in but it keeps telling me that I need to contact Support to complete my transaction.

    it keeps telling me that i need to contact the support to complete my transaction
    Then contact Support.
    http://apple.com/support/itunes/contact/

  • Best report to check application and package deployment compliancy?

    I am looking for the best report to check application and package deployment compliancy.
    Preferably targeting a collection.
    tconners

    I'm recommending this one:
    Software Distribution - Application Monitoring folder -
    All application deployments (advanced)
    It allows you to select Collections and applications
    Kent Agerlund | My blogs: blog.coretech.dk/kea and
    SCUG.dk/ | Twitter:
    @Agerlund | Linkedin: Kent Agerlund |
    Mastering ConfigMgr 2012 The Fundamentals

  • ISE 1.2 With WLC and AD

    Hi everyone,
    What are the steps and procedure to implement wired and wireless authentication with ISE, WLC and AD for a lab environment? Currently the following are done.
    The wireless network is configured with 2 SSIDs (Staff and Guest)
    Active Directory, DNS, DHCP, and  NTP configured & synced.
    ISE and AD running on C220 VMs, and WLC is 5760 Appliance.
    Please provide your thoughts and assistance.
    Regards

    You have to implement dot1x and RADIUS between your NAD and the ISE device.
    Using the switch 3850, these are the steps:
    username RADIUS-HEALTH password radiusKey1 privilege 15
    aaa new-model
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    !this password will be used to communicate with ISE and to verify reachability
    !between ISE and Switch
    aaa server radius dynamic-author
     client 172.16.1.18 server-key 7 radiuskey
     client 172.16.1.20 server-key 7 radiuskey
    ip domain-name lab.local
    ip name-server 172.16.1.1
    dot1x system-auth-control
    interface GigabitEthernet1/0/3
     switchport mode access
     switchport voice vlan 50
     switchport access vlan 10
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action authorize voice
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    ip access-list extended ACL-ALLOW
     permit ip any any
    !the RADIUS communication with ISE will be sourced from this interface
    ip radius source-interface Vlan100
    logging origin-id ip
    logging source-interface Vlan100
    logging host 172.16.1.20 transport udp port 20514
    logging host 172.16.1.18 transport udp port 20514
    snmp-server community ciscoro RO
    snmp-server community public RO
    snmp-server trap-source Vlan100
    snmp-server source-interface informs Vlan100
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 10 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    !defining ISE servers
    radius server ISE-RADIUS-1
     address ipv4 172.16.1.20 auth-port 1812 acct-port 1813
     automate-tester username RADIUS-HEALTH idle-time 15
     key radiusKey
    Please be sure that NTP servers and time are synchronized.
    Enable dot1X on the Windows machine, or use Cisco NAM.
    You can enable debugging on aaa authentication to see the events.
    You have to create this user on ISE (RADIUS-HEALTH).
    3850#test aaa group radius username password new-code
    and observe the result. You are supposed to have the user authenticated successfully.
    You must also define these devices in ISE on the RADIUS interface.
    ip radius source-interface ..... use this interface IP address to define the IP address of the NAD device in ISE.
    administration-->network resources-->Network Devices-->Add
    input the name
    input the IP address for RADIUS communication
    select the authentication settings and fill in the corresponding shared secret RADIUS key
    select SNMP settings and select version 2c.
    snmp community: ciscoro
    You can customize the polling interval if you want, and that's all.
    You are supposed to receive communication messages between your NAD and ISE.
    After that you can do the procedure for the WLC device.
    I will fill it in after you have passed the first steps (3850 authentication).
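The 3850 template above is the kind of text a reviewer reads line by line before it goes to production, so here is an added Python checker (not part of the answer and not a Cisco tool) that parses an IOS-style configuration and reports the 802.1X settings worth a second look: whether `dot1x system-auth-control` is present, whether a controlled port runs `authentication open` behind a pre-auth ACL that permits everything (in which case 802.1X is monitoring, not enforcing), fail-open behaviour on RADIUS server death, whether `radius-server dead-criteria` is set, and well-known SNMP community strings. The embedded config is a constructed excerpt modelled on the template; the parser only understands the one-space indentation IOS uses for sub-commands.

```python
"""Audit the 802.1X / RADIUS parts of an IOS running-config (constructed example)."""

# Constructed excerpt modelled on the 3850 template in the thread above
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
interface GigabitEthernet1/0/3
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
ip access-list extended ACL-ALLOW
 permit ip any any
snmp-server community ciscoro RO
snmp-server community public RO
radius-server dead-criteria time 10 tries 3
radius server ISE-RADIUS-1
 address ipv4 172.16.1.20 auth-port 1812 acct-port 1813
 key radiusKey
"""


def parse_ios(text):
    """Return a list of (command, [sub-commands]) in order; '!' comment lines are dropped."""
    blocks = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line, []))
    return blocks


def audit_dot1x(text):
    """Return findings as (severity, where, message) tuples; empty list means nothing flagged."""
    blocks = parse_ios(text)
    top = {cmd for cmd, _ in blocks}
    findings = []
    if "dot1x system-auth-control" not in top:
        findings.append(("high", "global",
                         "dot1x system-auth-control missing: port authentication is not enforced"))
    if not any(c.startswith("radius-server dead-criteria") for c in top):
        findings.append(("medium", "global",
                         "no radius-server dead-criteria: server failover relies on defaults"))
    # Named extended ACLs, so a pre-auth ACL can be resolved to its entries
    acls = {cmd.split()[-1]: subs for cmd, subs in blocks if cmd.startswith("ip access-list")}
    for cmd, subs in blocks:
        parts = cmd.split()
        if cmd.startswith("snmp-server community") and len(parts) > 2 \
                and parts[2].lower() in ("public", "private"):
            findings.append(("high", cmd, "well-known default SNMP community string"))
        if not cmd.startswith("interface") or "authentication port-control auto" not in subs:
            continue  # only 802.1X-controlled ports are audited below
        if "authentication open" in subs:
            acl = next((s.split()[2] for s in subs
                        if s.startswith("ip access-group") and s.endswith(" in")), None)
            if acl is None:
                msg = "authentication open with no pre-auth ACL: unauthenticated hosts pass freely"
            elif any(e.startswith("permit ip any any") for e in acls.get(acl, [])):
                msg = f"authentication open and {acl} permits ip any any: 802.1X is monitor-only here"
            else:
                msg = f"authentication open (low-impact mode) restricted by {acl}"
            findings.append(("medium", cmd, msg))
        for s in subs:
            if s.startswith("authentication event server dead action authorize"):
                findings.append(("info", cmd, f"fail-open on RADIUS death: '{s}'"))
    return findings


if __name__ == "__main__":
    for severity, where, message in audit_dot1x(SAMPLE_CONFIG):
        print(f"[{severity}] {where}: {message}")
```

Run against a saved `show running-config`, the script gives a short list to discuss with whoever owns the switch; the monitor-only finding is expected during an ISE rollout but should disappear once enforcement is switched on.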

  • Java platform and Java Deployment should be updated but there is no other version, always the warning to update but thats not possible

    Java Platform 7u9 and Java Deployment Kit plug-ins are yellow and I am asked to update them.
    The problem is that there is no other version than the one I have already installed.
    Even if I try to install this latest version again I get the message that I already have the latest version.
    The same problem was with Flash Player, where I installed the latest version but three days later Firefox asked to update the plugin.
    The last one is now ok but Java Platform and Java Deployment Kit are hopeless.
    Why does it ask for an update if there is none?
    What should or can I do? I am always careful and patch my PC if necessary.
    All my friends who are working with Firefox have the same problem.
    Can anybody tell me what's going on here?
    greetings, Mimi321

    Hi
    There is still an issue for me. When I check to see if add-ons are up to date it identifies "Java(TM) Platform SE 7 U9" as out-of-date and gives me an orange "Update" action. When I hit this it takes me to the Java website giving me "Recommended Version 7 Update 9". This is the one I've already got, so I cannot get rid of the orange Update action buttons.
    Furthermore, if I try the link earlier in this thread to test which version of Java I should be using, it says "Congratulations! You have the recommended Java installed (Version 7 Update 9)", so I'm not sure what this talk of version 7.10 is about?

  • Status of a specified package and program deployment

    Good morning.
    In the report "Status of a specified package and program deployment", I noticed there are 2 groups of reports: "Status of Targeted Resources" and "Resource Receipt Status". Each group has its own substatuses:
    Status of Targeted Resources:
    Accepted - No Further Status, Succeeded, Waiting
    Resource Receipt Status:
    Accepted, Expired, No Status
    Can anyone guide me on the following?
    1. The meaning of each status (Accepted-NFS, Succeeded, Waiting, Accepted, Expired, No Status).
    2. Some of the counts for statuses are less than what is displayed on the report after I export it to csv format. What does this mean? Does it mean some clients were not detected or something?
    3. Total percentage of each "Status of Targeted Resources" and "Resource Receipt Status" is around 100.1% and 99.9% respectively as per print screen below. What does this mean?
    Your guidance is much appreciated. Thank you.

    Hi,
    Accepted - No Further Status – The back-end installation may be running; wait for some time to get the actual status
    Succeeded – Deployment installed successfully without any issues
    No Status - Systems are not online, have an issue with the SMS Agent, or have not received the policy; if the system is online then this status must change within one hour (if the status has not changed then you may suspect an issue with the SMS / SCCM agent)
    Accepted – Deployment can be installed in a few minutes, as it will start downloading the software from the remote / local system
    Expired – Deployment has expired
