TACACS on Cisco WLC Issue

I just installed a Cisco 5508 WLC on our network.  I have the Management IP in the management VLAN and on the controller I set it up "untagged".  WLC has two ports connected to a Cisco 4507 switch in the port-channel config.
I can ping the controller from the network fine, and I can ping the TACACS server from the controller. I have the priority set up as "TACACS+, LOCAL". However, when I try to log into the WLC and look at the debug, it shows that I am authenticating and that is about it. For some reason authorization traffic is not passing. Using Wireshark I have confirmed that the request is coming from the Management IP interface.
I have followed the instructions from this link:
http://www.cisco.com/en/US/customer/docs/wireless/controller/5.0/configuration/guide/c5sol.html
Any ideas?

It's running on Windows, Cisco Secure ACS 3.3
Here is the debug:
(Cisco Controller) >*aaaQueueReader: Nov 22 23:43:15.157: AuthenticationRequest: 0x2bc328e8
*aaaQueueReader: Nov 22 23:43:15.157:   Callback.....................................0x108a6808
*aaaQueueReader: Nov 22 23:43:15.157:   protocolType.................................0x00020030
*aaaQueueReader: Nov 22 23:43:15.157:   proxyState...................................00:00:00:7E:00:00-00:00
*aaaQueueReader: Nov 22 23:43:15.157:   Packet contains 5 AVPs (not shown)
*aaaQueueReader: Nov 22 23:43:15.157: Forwarding request to 10.10.10.10 port=49
*tplusTransportThread: Nov 22 23:43:16.315: 00000000: c0 01 02 00 0f b1 0a f4    .............`2.
*tplusTransportThread: Nov 22 23:43:16.315: 00000010: 16 28 0b e4 58 be bd 9f  9f f8 58 60              .(..X.....X`
*tplusTransportThread: Nov 22 23:43:16.315: tplus response: type=1 seq_no=2 session_id=0fb10af4 length=16 encrypted=0
*tplusTransportThread: Nov 22 23:43:16.315: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Nov 22 23:43:16.315: auth_cont get_pass reply: pkt_length=26
*tplusTransportThread: Nov 22 23:43:16.315: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Nov 22 23:43:16.353: 00000000: c0 01 04 00 0f b1 0a f4  .......... ............d...
*tplusTransportThread: Nov 22 23:43:16.353: 00000010: ac 51                                             .Q
*tplusTransportThread: Nov 22 23:43:16.353: tplus response: type=1 seq_no=4 session_id=0fb10af4 length=6 encrypted=0
*tplusTransportThread: Nov 22 23:43:16.353: tplus_make_author_request() from tplus_authen_passed returns rc=0
*tplusTransportThread: Nov 22 23:43:16.353: Forwarding request to 10.10.10.10 port=49
*tplusTransportThread: Nov 22 23:43:16.356: 00000000: c0 02 02 00 18 d3 91 67  00 00 00 06 cc e5 c2 af  .......g........
*tplusTransportThread: Nov 22 23:43:16.356: 00000010: 32 69                                             2i
*tplusTransportThread: Nov 22 23:43:16.356: author response body: status=1 arg_cnt=0 msg_len=0 data_len=0
*tplusTransportThread: Nov 22 23:43:16.356:
User has the following mgmtRole 0
*tplusTransportThread: Nov 22 23:43:16.356: 00:00:00:7e:00:00 Returning AAA Success for mobile 00:00:00:7e:00:00
*tplusTransportThread: Nov 22 23:43:16.356: AuthorizationResponse: 0x2d2e5678
*tplusTransportThread: Nov 22 23:43:16.356:     structureSize................................74
*tplusTransportThread: Nov 22 23:43:16.356:     resultCode...................................0
*tplusTransportThread: Nov 22 23:43:16.356:     protocolUsed.................................0x00000010
*tplusTransportThread: Nov 22 23:43:16.356:     proxyState...................................00:00:00:7E:00:00-00:00
*tplusTransportThread: Nov 22 23:43:16.356:     Packet contains 2 AVPs:
*tplusTransportThread: Nov 22 23:43:16.356:         AVP[01] Service-Type.............................0x00000000 (0) (4 bytes)
*tplusTransportThread: Nov 22 23:43:16.356:         AVP[02] Unknown Attribute 243....................0x00000001 (1) (4 bytes)
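
A debug like the one above can be checked mechanically. The following is an added example, not part of the original post and not Cisco tooling: it decodes the 12-byte TACACS+ header (RFC 8907) from the hex-dump lines and flags an authorization reply that passed with arg_cnt=0, as the reply logged just before "mgmtRole 0" does. The function names are hypothetical, and it assumes the controller prints the raw protocol status value.

```python
import re
import struct

# Constructed sample: three lines copied from the debug output posted above.
SAMPLE_DEBUG = """\
*tplusTransportThread: Nov 22 23:43:16.356: 00000000: c0 02 02 00 18 d3 91 67  00 00 00 06 cc e5 c2 af  .......g........
*tplusTransportThread: Nov 22 23:43:16.356: 00000010: 32 69                                             2i
*tplusTransportThread: Nov 22 23:43:16.356: author response body: status=1 arg_cnt=0 msg_len=0 data_len=0
"""

HEX_LINE = re.compile(r":\s([0-9a-f]{8}):\s+(.*)$")
AUTHOR_BODY = re.compile(
    r"author response body: status=(\d+) arg_cnt=(\d+) msg_len=(\d+) data_len=(\d+)")

# Values from RFC 8907 (TACACS+).
PACKET_TYPES = {1: "authentication", 2: "authorization", 3: "accounting"}
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}
FLAG_UNENCRYPTED = 0x01
HEADER_LEN = 12
AUTHOR_REPLY_FIXED_LEN = 6  # status, arg_cnt, server_msg_len(2), data_len(2)


def extract_packets(debug_text):
    """Rebuild packets from hex-dump lines; offset 00000000 starts a new one."""
    packets, current = [], None
    for line in debug_text.splitlines():
        m = HEX_LINE.search(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset == 0:
            current = bytearray()
            packets.append(current)
        elif current is None or offset != len(current):
            current = None  # bytes are missing from the dump: stop extending it
            continue
        # At most 16 byte columns per line; stop at the ASCII column.
        for token in m.group(2).split()[:16]:
            if not re.fullmatch(r"[0-9a-f]{2}", token):
                break
            current.append(int(token, 16))
    return [bytes(p) for p in packets]


def parse_header(packet):
    """Decode the 12-byte TACACS+ header that precedes every packet body."""
    if len(packet) < HEADER_LEN:
        raise ValueError("dump is shorter than a TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:HEADER_LEN])
    # Trimming to the declared length also drops any ASCII-column text that
    # happened to look like a hex byte.
    body = packet[HEADER_LEN:HEADER_LEN + length]
    return {
        "major": version >> 4,
        "minor": version & 0x0F,
        "type": PACKET_TYPES.get(ptype, "unknown(%d)" % ptype),
        "seq_no": seq_no,
        "from_server": seq_no % 2 == 0,  # clients send odd, servers even
        "obfuscated": (flags & FLAG_UNENCRYPTED) == 0,
        "session_id": "%08x" % session_id,
        "length": length,
        "complete": len(body) == length,  # False when the dump was cut short
    }


def review(debug_text):
    """Return findings about authorization replies in a TACACS+ debug capture."""
    findings = []
    headers = [parse_header(p) for p in extract_packets(debug_text)
               if len(p) >= HEADER_LEN]  # skip dumps too damaged to decode
    author_lengths = [h["length"] for h in headers
                      if h["type"] == "authorization" and h["from_server"]]
    for m in AUTHOR_BODY.finditer(debug_text):
        status, arg_cnt, msg_len, data_len = map(int, m.groups())
        name = AUTHOR_STATUS.get(status, "unknown(%d)" % status)
        if name.startswith("PASS") and arg_cnt == 0:
            findings.append("authorization %s but the reply carries no "
                            "attribute-value arguments" % name)
        # With no arguments the body size is fully determined, so it can be
        # cross-checked against the length field of the dumped header.
        expected = AUTHOR_REPLY_FIXED_LEN + msg_len + data_len
        if arg_cnt == 0 and author_lengths and expected not in author_lengths:
            findings.append("decoded body size %d does not match any dumped "
                            "authorization header" % expected)
    return findings


if __name__ == "__main__":
    for pkt in extract_packets(SAMPLE_DEBUG):
        print(parse_header(pkt))
    for finding in review(SAMPLE_DEBUG):
        print("FINDING:", finding)
```

The body bytes after the header are obfuscated with the shared secret unless the unencrypted flag is set, so the script relies on the controller's own decoded "author response body" line for the body fields.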

Similar Messages

  • Cisco NCS configuration backup and restore of WLC issues found

    Hi,
    I recently tested the process for a customer of defaulting a Cisco WLC to factory configuration and then restoring the configuration from Cisco NCS.  It was not seamless to say the least and I wonder if I have just gone about it the wrong way. 
    I have set the NCS platform to configuration sync with the 5508 controllers at 04:00 every day and prior to the controller defaulting I ensured that NCS also reported that the config was in sync.
    I have also set NCS to complete a tftp backup of the controller every night 23:00 - interestingly though I have no idea where this is stored on the NCS platform ( a VM appliance ) or what its filename is.
    Anyway my experiences were as follows:-
    1.  defaulted WLC and via serial CLI ended up at the configuration wizard.
    2.  Set the correct LAG, management IP, hostname that NCS knew this controller by.
    3.  To test things just created a dummy WLAN ( SSID ) as I assumed this would be overwritten ( big mistake ! ).
    At this point I connected the controller to the network and tried to restore the configuration from the config sync version.
    First problem - you have to remember to set up the SNMP community string you were using as it is needed by the configuration sync process.  After adding this to the controller I could push the configuration to the controller.
    Second problem - failed to add the first WLAN from the backup as I have added the temporary dummy WLAN via the wizard and NCS reported a conflict.  So had to delete WLAN ID 1 from the WLC GUI directly and then the config push no longer reported this error.
    Third problem - for some reason did not add the TACACS server details - reported the error that it could not added them.  I manually added these via a template via NCS and all was well.
    Fourth problem - all but the first WLAN was in the disabled state - had to re-enable all of the WLANs
    Fifth problem - any default items I had disabled or removed have not been saved - therefore I have removed the public and private SNMP communities - but these were still on the WLC after the restore.  I have disabled unused ports not in the LAG as they show an error in NCS - these were not disabled after the restore.
    So all in all not a very satisfactory restore process from NCS to a defaulted WLC ( meant to simulate to the customer what would be needed if they had to replace a controller due to hardware failure ).
    So - anybody like to comment on what I did wrong - is there a different / better way of achieving this ??
    Regards
    Robert

    Hello Robert,
    all the tasks you did seem to be fine for me.
    I was also wondering about the process of restoring from NCS controller configuration backups ...
    If anyone else could give another method with less drawbacks, that would be appreciated, but i doubt about it.
    regards,
    Guillaume.

  • HA in Cisco WLC

    Hi friends,
    I am planning to have a wireless environment for a corporate company. I would like to have a Cisco wireless LAN controller 2100 series and 15 numbers of cisco aironet 1142 n access point. Since wireless is gonna be a very important medium for the premises, I am planning to have high availability for the 2100 series WLC.
    With this scenario I am having the following of queries?
    1. Does high availability is supported with WLC 2100 series or need to go for an higher end WLC's? It would be great if I am guided with some documents on this?
    2. My wired switching infrastructure at the core is running with GLBP. Can I connect the both WLC in each switch in an dual home architecture?
    3. Is there any pre-requisites for doing the high availability for the WLC's?
    4. Yet another company that is close to me do have the same architecture for wireless infrastructure, except that they have cisco WLC as 5508 and Cisco aironet 1142n access point. All the end points NIC adapters that they have support a/b/g standard. But with an n series they continuously report low signal strength, the reason for this still unknown?
    But the tech documents of 'n' series access point claims that they support, 300Mbps within 33 feet and 200 Mbps within 66 feet.
    They are having 2 nos of Cisco 1142n access point for every 30 feet but still they are facing low signal strength. Also their workspace are all cubicles and without any interference.
    It would be great if I am guided on this issue also?
    Regards,
    Karthik Anbumani

    Hi Karthik,
    You can build this HA solution based on the 2100 controllers. And if you want HA for 15 access points you need two 2125 controllers. But I will suggest that you consider the 5508 controller since that is a more future proof hardware and will give you more features that you might want to use such as Office Extend.
    Right now there is a bundle available for one 5508 with 10 x AIR-LAP1142 and the GPL price for that bundle is USD 31,424. And you should consider if you need the HA solution or if you are covered by the onsite support. In the product list below I have used the regulatory domain E and power cable for Europe. Make sure that you get this correct for your country. This is a limited offer ending August 1st 2010. You also need the additional 5 access points or more if you want Office Extend.
    Also consider that the 2100 series only have FastEthernet interfaces so you will not be able to utilize the full 11n throughput.
    1 x 5508 with 10 x 1142:

    | Product | Description | Quantity | Price | Lead Time |
    |---|---|---|---|---|
    | AIR-CT25-1140E10 | 802.11a/g/n ESTI Cfg5508-25 10AP WCS Demo Promo ends 8/1/10 | 1 | 24,595.00 | 14 Days |
    | AIR-CT5508-25-K9Z | 5508 Series Controller for up to 25 APs | 1 | 0.00 | 14 Days |
    | AIR-PWR-5500-AC | Cisco 5500 Series Wireless Controller Redundant Power Supply | 1 | 1,495.00 | 14 Days |
    | SWC5500K9-70 | Cisco Unified Wireless Controller SW Release 7.0 | 1 | 0.00 | 14 Days |
    | AIR-PWR-CORD-CE | AIR Line Cord Central Europe | 1 | 0.00 | 14 Days |
    | AIR-LAP1142N-E-K9Z | Manufacturing Level PID - AIR-LAP1142N-E-K9 | 10 | 0.00 | 14 Days |
    | S114RK9W-12421JA | Cisco 1140 Series IOS WIRELESS LAN LWAPP RECOVERY | 10 | 0.00 | |
    | LIC-CT5508-25 | 25 AP Base license | 1 | 0.00 | 14 Days |
    | LIC-CT5508-BASE | Base Software License | 1 | 0.00 | 14 Days |
    | WCS-CD-K9Z | CD With Windows And Linux. No License. | 1 | 0.00 | 14 Days |
    | CON-OSP-CT25E10 | ONSITE 24X7X4 802.11a/g/n ESTI Cfg: 5508-25; 10APs; | 1 | 0.00 | |
    | CON-OSP-CT0825 | ONSITE 24X7X4 Cisco 5508 Series | 1 | 2,944.00 | |
    | CON-OSP-1142EK9Z | ONSITE 24X7X4 802.11a/g/n Fixed AP | 10 | 2,390.00 | |

    Total LeadTime: 14 Days  Total Price: USD 31,424.00

    Total LeadTime: 14 Days  Total Price: USD 31,424.00

    2 x 2125 with 10 x 1142:

    | Product | Description | Quantity | Price | Lead Time |
    |---|---|---|---|---|
    | AIR-WLC2125-K9 | 2100 Series WLAN Controller for up to 25 Lightweight APs | 1 | 8,995.00 | 21-35 Days |
    | CAB-AC-C5-EUR | AC Power Cord, Type C5, Europe | 1 | 0.00 | 14 Days |
    | SWLC2100K9-70 | Cisco Unified Wireless Controller SW Release 7.0 | 1 | 0.00 | 14 Days |
    | ASA5505-PWR-AC | ASA 5505 AC Power Supply Adapter | 1 | 0.00 | 14 Days |
    | SSC-BLANK | ASA 5505 SSC Blank Slot Cover | 1 | 0.00 | 14 Days |
    | CON-OSP-AC2125K9 | ONSITE 24X7X4 WLAN Controller for for Retail | 1 | 1,656.00 | |

    Total LeadTime: 21 - 35 Days   Total Price: USD 10,651.00

    | Product | Description | Quantity | Price | Lead Time |
    |---|---|---|---|---|
    | AIR-WLC2125-K9 | 2100 Series WLAN Controller for up to 25 Lightweight APs | 1 | 8,995.00 | 21-35 Days |
    | CAB-AC-C5-EUR | AC Power Cord, Type C5, Europe | 1 | 0.00 | 14 Days |
    | SWLC2100K9-70 | Cisco Unified Wireless Controller SW Release 7.0 | 1 | 0.00 | 14 Days |
    | ASA5505-PWR-AC | ASA 5505 AC Power Supply Adapter | 1 | 0.00 | 14 Days |
    | SSC-BLANK | ASA 5505 SSC Blank Slot Cover | 1 | 0.00 | 14 Days |
    | CON-OSP-AC2125K9 | ONSITE 24X7X4 WLAN Controller for for Retail | 1 | 1,656.00 | |

    Total LeadTime: 21 - 35 Days   Total Price: USD 10,651.00

    | Product | Description | Quantity | Price | Lead Time |
    |---|---|---|---|---|
    | AIR-LAP1142-EK9-PR | LAP1142 Controller Based E Reg Domain | 1 | 9,950.00 | 14 Days |
    | S114RK9W-12421JA | Cisco 1140 Series IOS WIRELESS LAN LWAPP RECOVERY | 1 | 0.00 | |
    | AIR-LAP1142-EBULK | BOM LEVEL PID FOR BULK PACK | 10 | 0.00 | 14 Days |
    | CON-OSP-LAP1142E | ONSITE 24X7X4 802.11a/g/n Fixed Unified AP; ETSI | 10 | 2,390.00 | |
    | CON-OSP-L1142E0P | ONSITE 24X7X4 802.11a/g/n LWAPP AP EU Cnfg-Promo Pk | 1 | 0.00 | |

    Total LeadTime: 14 Days  Total Price: USD 12,340.00

    Total LeadTime: 21 - 35 Days   Total Price: USD 33,542.00
    Regards,
    André

  • Cisco wlc ios 7.2 with clients windows 8 can not authenticate with 802.1x

    Hello my name is Ivan:
    I have a solution a unified solution wireless with a cisco wlc 7.2 and ap cisco. My issue is the follow:
    My users are using laptops with OS windows 8, and they can not access to the network wireless because they authenticate in to the network using 802.1x wpa/wpa2 with tkip or aes.
    I find a bug in the ios of the wlc. The number is CSCua29504. I would not to change the drivers in the laptop to join the users in to the solution.
    Please is possible to find any software to do the upgrade in the wlc? Or perhaps we need to do an upgrade in to cisco lightweight access point?
    Please help me in this issue.
    Regards
    Ivan

    Bug ID CSCua29504 has been fixed in WLC firmware 7.0.235.3, 7.3.101.X or 7.4.100.X.
    So if you are NOT running any one of these codes, then yes.  Upgrade your firmware is your solution.
    Fixed in:  (12)
    7.4(100.0),7.4(1.20),7.3(112.0),7.3(101.0),7.3(1.67)
    7.2(111.3),7.2(111.1),7.2(110.4),7.0(236.0),7.0(235.3)

  • Cisco WLC 2500 - 802.1x with Vasco Radius SMS OTP

    Hello folks,
    I have what seems to be a complex implementation with many things that need to be done on a customers network and I wanted to be pointed in the right direction.
    The current scenario is such, the customer has a Cisco WLC 2500 device that has 3 access points (these are in the same AP group) connected to it. There is one SSID that I will call PRODUCTION here that some domain users use to connect to the local network. The customer has requested to have a GUEST SSID added to the WLC where guest users will connect to and receive a SMS OTP for authentication.
    Correct me if I am wrong, but I will obviously need to segment the SSIDs to have them running on different subnets to ensure that guest users do not have access to the production network once they authenticate. In order to do this I will need to configure Dynamic VLAN assignment for the Cisco WLC and connect it to a 802.1x port on the switch.
    Now what is not clear is I am not interested in authenticating the users that connect via "Production SSID" and want to bypass authentication for those users and have them assigned to the default vlan (or maybe perhaps have them authenticate via LDAP on the AD), however I want to force the "GUEST" SSID users to authenticate so that they may receive an SMS OTP (reason for this is to force guests to register their phone numbers to use the internet so that illegal activity may be tracked).
    1) So would it be possible to bypass authentication (or authenticate them via LDAP) for the PRODUCTION SSID as only domain users would know the SSID password to log on and have them by default assigned to the production subnet (default vlan) but force the GUEST SSID users to another VLAN via 802.1x sms otp?
    2) *Important* Another issue that is not clear is will I be able to directly configure AAA Radius settings on the Cisco WLC to directly authenticate with the VASCO Radius OTP and receive a challenge-response (required for OTP) during authentication? As I have seen from Cisco's Dynamic VLAN assignment documentation (http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml) additional IETF Radius Perimeters are used such as Tunnel-Private-Group-ID etc are used which I can't seem to configure on the Vasco.
    I do believe this is a great project in helping me understand the INs and OUTs of CISCO WLC as well as Wireless NAC, If anyone could enlighten me and point me in the right direction I would be forever in debt. Much appreciated.
    Best Regards
    Sinan Barghouthi - JNCIA-FWV , JNCIA-IDP , CCA-NS , TCSM-8.0

    On your WLAN you can enable AES and TKIP. Just know that some clients may have issue when they see both TKIP and AES. I've had pretty good success with this in the past. Don't forget, you also need to enable WMM allowed to get N rates.
    But you will need to configure AES on the client as well to support N rates.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Cisco WLC 5508 with 3702APs - mobile hotspot for 2000 Guest users

    Cisco WLC 5508 with 3702APs - mobile hotspot for 2000 Guest users
    I've been given a fantastic "opportunity" by my boss to use our existing wireless infrastructure to provide internet access to potentially upto 2000 VIP guests arriving with BYOD devices, in a very densely populated area for a 3 day event. We are talking an area of approx 200m x 15m. Think of it as an awards ceremony/concert. The solution will also be mobile so we will be using internet breakout from different telcos as it will move to approx 20 countries. The area is also incredibly densely populated with other wifi APs. I did a brief site survey and AirMagnet could detect over 2500 other 'rogue' APs from where I was stood! I hope CleanAir works!
    We need a simple authentication method for them to connect with zero admin from our side. We don't want to just offer up a rolling daily PSK as that's a bit amateur and we don't really want the VIP guests sharing the PSK with others during their stay. Ideally they could self-provision by providing an email address.
    I know the WLC can handle webauth for local users but I don't think it scales very well. ie I don't think I can offer the account to several hundred people.
    Cisco ISE looks a very expansive (and expensive) product but I don't think we need all it's capabilities (do I?). It would be nice to just ask a potential user for their email address and grant them access and email them next year. I've seen Cisco NAC but that looks over the top too for just guest users who will only be accessing a shared internet connection.
    I've seen 3rd party supposed software solutions from Kiosk Antamedia etc do they work with Cisco Enterprise WLC solutions?
    We'd like to limit users to a certain (low) bandwidth and block (say) torrent traffic to keep the general user experience worthwhile.
    Does anybody have any case study documents or experience of such a project? As well as the authentication it's how well the APs will handle the dense potential number of clients trying to connect in such a confined space. 
    Any suggestions would be gratefully appreciated from the knowledgeable community.
    Cheers,
    Mike

    Hi Rasika,
    We are having WLC 5508 model with software version running 7.4.121.0. AP Models are AIR-CAP2602I.
    Normally our WAN links are good even while the issue pertains. We are connected to remote offices over ipsec site to site vpn for WAN. The link latency in WLC between the AP and the controller shows  <1ms.
    currently the Guest network is using WPA2-PSK auth given in the controller. we are trying to find a option to make the Guest wireless auth local to the office, and see if this solves the problem. 
    any suggestions,
    Thank you,
    Arjun

  • Understanding statistics from a Cisco WLC?

    Hello,
    From the "Monitor" page on our Cisco WLC.  If you go to "Access Points" from the left side then choose one of the Radios like 802.11b/g/n.  That will list all the APs connected with your controller.
    1) First question, some of the APs listed show the "Interference Profile" as "Failed".  What does this mean?  It has connected clients and no one is reporting an issue.  So what does that really mean?
    2) Second question, if you go to the "Details" for one of the APs I can see the "802.11 MAC Counters" showing things like Tx Fragments, Tx Failed Count, FCS Error Count, etc.  Below is what I see.
    Can someone explain what these statistics are saying?  Again there are no issues reported by our users, but some of these values seem high and I don't understand what they are saying or if there is anything I should be considered with.
    Any help on this would be great!
    Thank you!
    -rya

    For your convenience:
    The details of the " 802.11 MAC Counters " :
    Counters
    Tx Fragment Count: This counter is incremented for an acknowledged MPDU with an individual address in the address 1 field.
    Tx Failed Count: This counter increments when an MSDU is successfully transmitted after one or more retransmissions.
    Multiple Retry Count (Graphics view only): This counter shall increment when an MSDU is successfully transmitted after more than one retransmission.
    RTS Success Count: This counter increments when a CTS is received in response to an RTS.
    ACK Failure Count: This counter increments when an ACK is not received when expected.
    Multicast Rx Frame Count: This counter increments when a MSDU is received with the multicast bit set in the destination MAC address.
    Tx Frame Count: This counter increments for each successfully transmitted MSDU.
    Multicast Tx Frame Count: This counter increments only when the multicast bit is set in the destination MAC address of a successfully transmitted MSDU. When operating as a STA in an ESS, where these frames are directed to the access point, this implies having received an acknowledgment to all associated MPDUs.
    Retry Count: This counter increments when an MSDU is successfully transmitted after one or more retransmissions.
    Frame Duplicate Count: This counter increments when a frame is received that the Sequence Control field indicates is a duplicate.
    RTS Failure Count: This counter increments when a CTS is not received in response to an RTS.
    Rx Fragment Count: This counter shall be incremented for each successfully received MPDU of type Data or Management.
    FCS Error Count: This counter increments when an FCS error is detected in a received MPDU.
    WEP Undecryptable Count: This counter increments when a frame is received with the WEP subfield of the Frame Control field set to one and the WEPOn value for the key mapped to the TA's MAC address indicates that the frame should not have been encrypted or that frame is discarded due to the receiving STA not implementing the privacy option.
    Band Select statistics: When the feature is activated, the WLC doesn't immediately reply to probe requests on 11b/g. If immediately a probe is also seen on 11a, then the client is detected as dual band. Then WLC only replies on 11a. After some time, this "categorization" expires and WLC will again try to see if the client is present on both bands.

  • Cisco APs get disconnected from cisco WLC after 30 min when connected on Juniper SRX

    Hi,
    I am connecting all my Cisco 1131AG APs via Juniper SRX 240 box and Cisco WLC is placed in the LAN.
    We are running LWAPP in layer 3 mode. The APs get disassociated from the WLC after 30 min.
    The Setup is like :-
    AP->AccessSwitch-->JuniperSRX(reth2.0)-->JuniperSRX(reth1.0)-->CoreSwitch-->CiscoWLC
    could anyone please help me to resolve this issue.

    Firmware for WLC is AIR-WLC4400-K9-4-2-99-0
    Firmware for AP is 12.4(10b)JA1
    The logs from WLC during disconnection :-
    Mon Sep 6 20:05:52 2010 AP Disassociated. Base Radio MAC:00:1f:ca:2d:4e:a0
    1 Mon Sep 6 20:05:52 2010 AP's Interface:0(802.11b) Operation State Down: Base Radio MAC:00:1f:ca:2d:4e:a0 Cause=Heartbeat Timeout
    2 Mon Sep 6 20:05:51 2010 AP Disassociated. Base Radio MAC:00:1f:9e:c1:0d:30
    3 Mon Sep 6 20:05:51 2010 AP's Interface:0(802.11b) Operation State Down: Base Radio MAC:00:1f:9e:c1:0d:30 Cause=Heartbeat Timeout

  • Cisco WLC 2504 software update

    Dear Friends,
    I am using Cisco WLC 2504 current software version is 7.0.220.0 and I want to upgrade it to the latest version which is 8.x.x.x.
    Could you please help and advise the best way of doing it? Also can I upgrade direct to the latest version or do I have to upgrade step by step?
    Thank you very much for your help and support.
    Thanks
    Umar

    Hi
    Could you please help and advice the best way of doing it? Also can I upgrade direct to the latest version or do I have to upgrade step by step?
    Yes, you can go directly to 8.0.x from 7.0.x code. Refer below link
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn80mr1.html#68333
    Make sure you refer the release notes for any known issues with this code. Also upgrade FUS to 1.9.0.0 as well. This will take around 30 min downtime as well.
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/fus_rn_OL-31390-01.html
    If you have different AP models, MSE, Prime products, refer this compatibility matrix as reference.
    http://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Upgrade BootLoader on Cisco WLC 4404

    What is the latest Bootloader for the Cisco WLC 4404?  And where can I download it?
    My current versions are:
    Product Version.................................. 5.2.178.0
    RTOS Version..................................... 5.2.178.0
    Bootloader Version............................... 4.0.206.0
    Also is there a reason to upgrade the bootloader image?
    On this webpage http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00805f381f.shtml it shows the steps to upgrade WLC are :
    This sequence is recommended for your WLC software upgrade:
    1. Upload a backup of your controller configuration to a TFTP server.
    2. Disable the 802.11a and 802.11b/g networks on your controller.
    3. Upgrade the primary image on your controller.
    4. Upgrade the boot image on your controller.
       Note: This is a required step for upgrades to 4.1 on the WiSM, 3750G Wireless LAN Controller, and 4400 Series Controllers.
    5. Re-enable the 802.11a and 802.11b/g networks on your controller.
    I get the primary image is just going to be AIR-WLC4400-K9-6-0-196-0.aes.  But where do i download the Bootloader and it looks like i just do the same thing i did with the primary image.
    I think I am missing something.
    Thanks

    The boot software image consists of the controller boot kernel and boot menu script. that is.. when you use the WLC for the first time. then you will be able to use this while entering the username, mobility information.. interfaces informations etc.. the Software version is the one which you issue CLI commands...or even simple example will be.. reboot the WLC and hit ESC.. the software that you access at this time will be boot loader..
    to upgrade the bootloader...
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00805f381f.shtml#hw
    Regards
    Surendra

  • CISCO WLC How to Block a Client

    Hi,
    We are using CISCO WLC and broadcasting a number of SSIDs.
    What we want to do is to block some specific users to a specific SSIDs while letting to connect to another SSID.
    Does anyone have any idea?

    You can use radius 802.1x authentication or you can setup Mac filtering on the WLC and specify what WLAN's they can connect to. They will only be able to connect to one SSID though.
    This setup you have is not normal as you want to have a device only connect to one ssid for simplicity and for user experience. Having them be able to connect to multiple SSID's can lead to connectivity issues on the client side, since the device might switch back and forth to the different SSID's. Also the more SSID's you have the more noise in the environment. Typically 3-4 max SSID's is suggested.

  • Configuration of Cisco WLC 2504 with Local LAN static IP and DHCP

    I want to configure Cisco WLC 2504 with Local LAN static IP and WLC 2504 with DHCP so that APs can be connect with controller.
    Currently i am using WLC 2504 with DHCP so can anyone suggest how to do that..

    Hi Sandeep
    The info is correct, if we're using code below 7.3.101.0.
    This issue is fixed via the below bug id.
    CSCto01390 Unable to ping AP's directly connected to a 2500 controller
    check the fix that is updated on 7.4, 7.5 RNE.
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn75.html
    Note
    Directly connected APs are supported only in Local mode.
    http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps11630/data_sheet_c78-645111.html
    For quick and easy deployment Access Points can be connected directly to 2504 Wireless LAN Controller via two PoE (Power over Ethernet) ports
    Thanks
    Saravanan

  • Cisco WLC 2504 webportal for Server 2008 R2 DC LDAP or RADIUS

    HI,Friends.
    I want to get my mobile or Notebook clients connecting to wireless and use my Domain users ,Cisco WLC 2504 to authenticate via LDAP or  RADIUS to our Windows Server 2008 Domain Controllers
    question:
    one, i can use my domain one Organizational Unit, such as cn=use01,ou=test,dc=lzh,dc=com. now, only user01 can logon on web, But how I make all my domain users can use web log it ?
    I was using radius authentication or ldap certification to do web authentication ?which is good. ???
    I specified child ou, ou its users superiors can not be landed on

    hi ,Scott Fella
    Thank you,I am very happy to receive your reply,  I finally binding domain user authentication LDAP authentication done successfully. but You say the combination of nps I did not do the radius authentication is successful, I do not know where the problems.
    the err:
    <Event><Timestamp data_type="4">07/27/2014 18:33:36.845</Timestamp><Computer-Name data_type="1">PDC-CQ</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">11</User-Name><Service-Type data_type="0">1</Service-Type><NAS-IP-Address data_type="3">10.10.10.253</NAS-IP-Address><NAS-Port data_type="0">1</NAS-Port><NAS-Identifier data_type="1">WLC-CNNEWCITY</NAS-Identifier><NAS-Port-Type data_type="0">19</NAS-Port-Type><Vendor-Specific data_type="2">00003763010600000001</Vendor-Specific><Calling-Station-Id data_type="1">10.12.0.11</Calling-Station-Id><Called-Station-Id data_type="1">10.10.10.253</Called-Station-Id><Client-IP-Address data_type="3">10.10.10.253</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">WLC</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">CNNEWCITY\11</SAM-Account-Name><Class data_type="1">311 1 10.10.10.1 07/27/2014 09:41:28 5</Class><Authentication-Type data_type="0">1</Authentication-Type><NP-Policy-Name data_type="1">Connections to other access servers</NP-Policy-Name><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><Fully-Qualifed-User-Name data_type="1">cnnewcity.com/user/test/11</Fully-Qualifed-User-Name><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
    <Event><Timestamp data_type="4">07/27/2014 18:33:36.845</Timestamp><Computer-Name data_type="1">PDC-CQ</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 10.10.10.1 07/27/2014 09:41:28 5</Class><Fully-Qualifed-User-Name data_type="1">cnnewcity.com/user/test/11</Fully-Qualifed-User-Name><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><Client-IP-Address data_type="3">10.10.10.253</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">WLC</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">CNNEWCITY\11</SAM-Account-Name><NP-Policy-Name data_type="1">Connections to other access servers</NP-Policy-Name><Authentication-Type data_type="0">1</Authentication-Type><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">66</Reason-Code></Event>
    Then, you gave two figures, is that what you mean? What is the meaning of services-type = login?
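
An added example, not part of the original post: a small parser that decodes NPS/IAS XML log events like the two above and pairs each Access-Reject with its request through the shared Class value. The sample log is constructed from the field values in the post, and the lookup tables cover only standard RADIUS and NPS codes that appear in this log.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two events from the post, trimmed to the fields used here.
SAMPLE_LOG = (
    r'<Event><Packet-Type data_type="0">1</Packet-Type>'
    r'<SAM-Account-Name data_type="1">CNNEWCITY\11</SAM-Account-Name>'
    r'<Service-Type data_type="0">1</Service-Type>'
    r'<Authentication-Type data_type="0">1</Authentication-Type>'
    r'<Class data_type="1">311 1 10.10.10.1 07/27/2014 09:41:28 5</Class>'
    r'<Reason-Code data_type="0">0</Reason-Code></Event>'
    r'<Event><Packet-Type data_type="0">3</Packet-Type>'
    r'<SAM-Account-Name data_type="1">CNNEWCITY\11</SAM-Account-Name>'
    r'<Authentication-Type data_type="0">1</Authentication-Type>'
    r'<Class data_type="1">311 1 10.10.10.1 07/27/2014 09:41:28 5</Class>'
    r'<Reason-Code data_type="0">66</Reason-Code></Event>'
)
AUTH_TYPES = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAP v2", 5: "EAP", 11: "PEAP"}
SERVICE_TYPES = {1: "Login", 2: "Framed"}
REASONS = {
    0: "success",
    66: "authentication method not enabled on the matching network policy",
}

def parse_events(log_text):
    # The log file is a sequence of <Event> elements with no root, so wrap it.
    root = ET.fromstring("<Log>" + log_text + "</Log>")
    return [{f.tag: (f.text or "") for f in ev} for ev in root.iter("Event")]

def decode(table, raw):
    try:
        return table.get(int(raw), f"unknown ({raw})")
    except (TypeError, ValueError):
        return f"unparsed ({raw!r})"

def explain_rejects(log_text):
    events = parse_events(log_text)
    # Packet-Type 1 = Access-Request, 3 = Access-Reject; Class ties them together.
    requests = {e.get("Class"): e for e in events if e.get("Packet-Type") == "1"}
    findings = []
    for e in events:
        if e.get("Packet-Type") != "3":
            continue
        req = requests.get(e.get("Class"), {})
        findings.append({
            "user": e.get("SAM-Account-Name"),
            "auth_method": decode(AUTH_TYPES, e.get("Authentication-Type")),
            "service_type": decode(SERVICE_TYPES, req.get("Service-Type")),
            "reason": decode(REASONS, e.get("Reason-Code")),
        })
    return findings
```
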

  • Certificate based authentication with Cisco WLC and Juniper IC

    Hi
    I have a cisco WLC 4400 and Juniper IC which works as the external Radius server.
    I want the wireless clients to be authenticated using certificates. I know the Juniper IC can understand certificates.
    My question is: can the Cisco WLC understand that the information being presented to it by the client is not username/pwd but a user certificate?
    I have also looked at this article:
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100590-ldap-eapfast-config.html
    What I don't understand here is the need for the WLC to authenticate the user with his credentials by LDAP when it has authenticated the user cert.
    All your help is appreciated.

    Hi,
    Since you use an external RADIUS server, you don't have to worry about this.
    The only config that you need to do on the WLC is to define the RADIUS server under Security-AAA-Radius-Authentication and on your WLAN-Security-AAA.
    The doc you refer to is only for Local RADIUS on the WLC.
    Hope this helps
    Regards,
    Christos

  • Generate one time authentication for Guest on Cisco WLC

    Hi All
    Sorry for my question, because I have just started to work with Cisco WLC.
    I have created some WLANs for local users with authentication by 802.1x + RADIUS by certificate.
    For Guest I used PSK with MAC filtering.
    But I see that this is not comfortable for guests: each time they come and want to access our wireless, we have to come and get their MAC.
    I checked on the Internet and found that the wireless solutions for hotels and resorts are very easy.
    I also googled and saw that Cisco WLC supports Lobby Ambassador to generate guest usernames/passwords. But as I checked, this username/password might only be used with Web-Auth; this method is not comfortable for guests who don't know they have to go to Web-Auth to do authentication (e.g. when they only get POP3 email, or VPN, ... and do not use browsers).
    Could I use this method (or another method) for creating a one-time guest wireless username/password or guest PSK that can be used for authentication when guests click on the wireless SSID name only (no need to open a web browser to do Web-Auth)?
    Regards
    Hai

    Hi Choudhary
    Thank you very much for your information.
    Could I reconfirm my concern?
    With Cisco WLC, I can use WebAuth with Guest users only.
    If I want to use a Guest user for authentication when guests connect to the SSID (not by WebAuth; I mean using Layer 2 security only, not Layer 3), I will have to use an additional RADIUS server.
    And if I understand right, could you please recommend a software-based RADIUS server that supports generating one-time usernames/passwords for guests? I checked, and IAS/NPS on Windows Server may not have this function (ISE is not appropriate for us at this time, due to high expense).
    Regards
    Hai
