VLAN Override and Web Auth: How to overcome issues?

Similar Messages

• Guest WLAN and Web Auth?

  Hi Guys,
  Maybe someone can help me out?
  I just finished setting up a trial "Cisco Virtual Wireless Controller" with nearly the same configuration as our Physical
  "Cisco Wireless Controller" with the exception of having 2 ports.  Anyhow, I managed to get everything working except for the WEB AUTH on the Guest WLAN.  When a client connects, he gets a DHCP address from our ASA but when we try to get to a website, we never reach the WEB AUTH page. 
  What I tried so far is..
  add a DNS Host Name to the virtual interface and assign it to our internal DNS server.dns name was resolving but we were unable to ping 1.1.1.1
  changed the virtual ip from 1.1.1.1 to 2.2.2.2 and modified the DNS entrydns name resoved but still could not ping 2.2.2.2(I think this is normal)
  changed the virtual IP to a private address of 192.168.102.1 and modified the dns entrysame result
  I've attached some screenshots of our configuration.

  Troubleshooting Web Authentication
  After you configure web authentication, if the feature does not work as expected, complete these
  troubleshooting steps:
  Check if the client gets an IP address. If not, users can uncheck
  DHCP Required
  on the WLAN and
  give the wireless client a static IP address. This assumes association with the access point. Refer to
  the
  IP addressing issues
  section of
  Troubleshooting Client Issues in the Cisco Unified Wireless
  Network for troubleshooting DHCP related issues
  1.
  On WLC versions earlier than 3.2.150.10, you must manually enter
  https://1.1.1.1/login.html
  in
  order to navigate to the web authentication window.
  The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client
  connects to a WLAN configured for web authentication, the client obtains an IP address from the
  DHCP server. The user opens a web browser and enters a website address. The client then performs
  the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the
  website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web
  authentication login page.
  2.
  Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On
  Windows, choose
  Start > Run
  , enter
  CMD
  in order to open a command window, and do a  nslookup
  www.cisco.com" and see if the IP address comes back.
  On Macs/Linux: open a terminal window and do a  nslookup www.cisco.com" and see if the IP
  address comes back.
  If you believe the client is not getting DNS resolution, you can either:
  Enter either the IP address of the URL (for example, http://www.cisco.com is
  http://198.133.219.25)
  ♦
  Try to directly reach the controller's webauth page with
  https:///login.html. Typically this is http://1.1.1.1/login.html.
  ♦
  Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also
  be a certificate problem. The controller, by default, uses a self−signed certificate and most web
  browsers warn against using them.
  3.
  For web authentication using customized web page, ensure that the HTML code for the customized
  web page is appropriate.
  You can download a sample Web Authentication script from Cisco Software Downloads. For
  example, for the 4400 controllers, choose
  Products > Wireless > Wireless LAN Controller >
  Standalone Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404 Wireless
  LAN Controller > Software on Chassis > Wireless Lan Controller Web Authentication
  Bundle−1.0.1
  and download the
  webauth_bundle.zip
  file.
  These parameters are added to the URL when the user's Internet browser is redirected to the
  customized login page:
  4.
  ap_mac The MAC address of the access point to which the wireless user is associated.
  ♦
  switch_url The URL of the controller to which the user credentials should be posted.
  ♦
  redirect The URL to which the user is redirected after authentication is successful.
  ♦
  statusCode The status code returned from the controller's web authentication server.
  ♦
  wlan The WLAN SSID to which the wireless user is associated.
  ♦
  These are the available status codes:
  Status Code 1: "You are already logged in. No further action is required on your part."
  ♦
  Status Code 2: "You are not configured to authenticate against web portal. No further action
  is required on your part."
  ♦
  Status Code 3: "The username specified cannot be used at this time. Perhaps the username is
  already logged into the system?"
  ♦
  Status Code 4: "You have been excluded."
  ♦
  Status Code 5: "The User Name and Password combination you have entered is invalid.
  Please try again."
  ♦
  All the files and pictures that need to appear on the Customized web page should be bundled into a
  .tar file before uploading to the WLC. Ensure that one of the files included in the tar bundle is
  login.html. You receive this error message if you do not include the login.html file:
  Refer to the Guidelines for Customized Web Authentication section of Wireless LAN Controller Web
  Authentication Configuration Example for more information on how to create a customized web
  authentication window.
  Note:
  Files that are large and files that have long names will result in an extraction error. It is
  recommended that pictures are in .jpg format.
  5.
  Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication.
  Other browsers may or may not work.
  6.
  Ensure that the
  Scripting
  option is not blocked on the client browser as the customized web page on
  the WLC is basically an HTML script. On IE 6.0, this is disabled by default for security purposes.
  7.
  Note:
  The Pop Up blocker needs to be disabled on the browser if you have configured any Pop Up
  messages for the user.
  Note:
  If you browse to an
  https
  site, redirection does not work. Refer to Cisco bug ID CSCar04580
  (registered customers only) for more information.
  If you have a
  host name
  configured for the
  virtual interface
  of the WLC, make sure that the DNS
  resolution is available for the host name of the virtual interface.
  Note:
  Navigate to the
  Controller > Interfaces
  menu from the WLC GUI in order to assign a
  DNS
  hostname
  to the virtual interface.
  8.
  Sometimes the firewall installed on the client computer blocks the web authentication login page.
  Disable the firewall before you try to access the login page. The firewall can be enabled again once
  the web authentication is completed.
  9.
  Topology/solution firewall can be placed between the client and web−auth server, which depends on
  the network. As for each network design/solution implemented, the end user should make sure these
  ports are allowed on the network firewall.
  Protocol
  Port
  HTTP/HTTPS Traffic
  TCP port 80/443
  CAPWAP Data/Control Traffic
  UDP port 5247/5246
  LWAPP Data/Control Traffic
  (before rel 5.0)
  UDP port 12222/12223
  EOIP packets
  IP protocol 97
  Mobility
  UDP port 16666 (non
  secured) UDP port 16667
  (secured IPSEC tunnel)
  10.
  For web authentication to occur, the client should first associate to the appropriate WLAN on the
  WLC. Navigate to the
  Monitor > Clients
  menu on the WLC GUI in order to see if the client is
  associated to the WLC. Check if the client has a valid IP address.
  11.
  Disable the Proxy Settings on the client browser until web authentication is completed.
  12.
  The default web authentication method is PAP. Ensure that PAP authentication is allowed on the
  RADIUS server for this to work. In order to check the status of client authentication, check the
  debugs and log messages from the RADIUS server. You can use the
  debug aaa all
  command on the
  WLC to view the debugs from the RADIUS server.
  13.
  Update the hardware driver on the computer to the latest code from manufacturer's website.
  14.
  Verify settings in the supplicant (program on laptop).
  15.
  When you use the Windows Zero Config supplicant built into Windows:
  Verify user has latest patches installed.
  ♦
  Run debugs on supplicant.
  ♦
  16.
  On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window, Start
  > Run > CMD:
  netsh ras set tracing eapol enable
  netsh ras set tracing rastls enable
  In order to disable the logs, run the same command but replace enable with disable. For XP, all logs
  will be located in C:\Windows\tracing.
  17.
  If you still have no login web page, collect and analyze this output from a single client:
  debug client
  debug dhcp message enable
  18.
  debug aaa all enable
  debug dot1x aaa enable
  debug mobility handoff enable
  If the issue is not resolved after you complete these steps, collect these debugs and use the TAC
  Service Request Tool (registered customers only) in order to open a Service Request.
  debug pm ssh−appgw enable
  debug pm ssh−tcp enable
  debug pm rules enable
  debug emweb server enable
  debug pm ssh−engine enable packet

• Wireless 3850 and Web-Auth for Wireless clients

  Hi
  I can't get the web-auth feature to work properly on the Catalyst 3850 for wireless clients.
  Internet is all tested and there is full IP connectivity.
  Issue is when I enable the webauth feature on the SSID. Incidentally when I enable the SSID to use consent it works.
  I am using local authentication for the guest users.
  When user logs onto the wireless, they get to the landing page, and are able to enter the credentials then there is a 30 second pause. The client detail says WEBAUTH_PEND and then a pop up window comes back as seen below
  Config below
  interface Vlan302
  description **** Wireless Guest ****
  ip address 10.145.224.161 255.255.255.224
  ip helper-address 10.144.214.134
  ip helper-address 172.17.2.56
  ip http server
  ip http secure server
  ip dhcp snooping
  wlan XXXXX 2 XXXXXX
  aaa-override
  accounting-list default
  client vlan 302
  ip flow monitor wireless-avc-basic input
  ip flow monitor wireless-avc-basic output
  no security wpa
  no security wpa akm dot1x
  no security wpa wpa2
  no security wpa wpa2 ciphers aes
  security dot1x authentication-list WEB_AUTH
  security ft
  security web-auth
  security web-auth authentication-list WEB_AUTH
  security web-auth parameter-map vit_web
  no shutdown
  parameter-map type webauth vit_web
  type webauth
  security web-auth parameter-map vit_web
  user-name Guest1
  creation-time 1390837878
  privilege 15
  password 7 022D0156060F1B351D
  type network-user description Temp-Guest-User guest-user lifetime year 0 month 1 day 0 hour 0 minute 0 second 0
  user-name Guest2
  creation-time 1390838016
  privilege 15
  password 7 0724244143000D1145
  type network-user description Temp-Guest-User guest-user lifetime year 0 month 1 day 0 hour 0 minute 0 second 0
  aaa new-model
  aaa authentication login WEB_AUTH local
  aaa authorization network WEB_AUTH local

  Hey Greg,
  Did you also define the global webauth parameter? I think I had to do this to get my 5760 "working" or as working as these new controllers can be.
  parameter-map type webauth global
  type webauth
  virtual-ip ipv4 x.x.x.x wlc.whatever.org
  max-http-conns 50
  Also I had to enable http server in addition to secure server
  ip http server
  ip http secure-server
  Are you using a self signed cert?
  I saw windows clients take a long time to load the page when using a self signed cert.
  MAC clients dont seem to work if you use the IOS or OSX based logon. You'll need to disable the auto logon and launch a browser for the redirect. There was a bug ID around this MAC problem which was supposedly resolved in 3.3.1SE  but I still have the problem.
  -Kyle

• WLC 5508, 7.4.100.0, dot1x and web auth

  Release notes for 7.4.100.0 states;
  "Security during client authentication is enhanced by applying both 802.1X and Web Authentication for a WLAN."
  Anybody know anything about this and how-to's?
  Eirik

  I know what it is. :-)
  Want to test to use web auth after dot1x. Do not trust dot1x alone anymore, now that it is so easy to steal sertificates from laptops...
  Would like to force users (after eap-tls with certificate) to logon using their AD cred.
  Eirik
  Sent from Cisco Technical Support iPad App

• Applet behaves differently in appletviewer and Web Browser, how to resolve?

  I have an applet application which need to access disk files. While I set the .java.policy file properly and the applet runs excellent in appletviewer. However, if I load the applet in Web broswer (e.g. NetScape), the applet cannot access the same disk files as it does in appletviewer?
  Does anyone have a clue on how to resolve?
  Thank you.

  I know you can do it with JavaScript, and I know how to do that...but this is a Java forum (I want a Java solution, that's why I post it here)!
  Therefore my question relates to Java, and in this case, it's an applet.
  Any solution to my problem, please?

• Log4j and Web context - how to configure?

  Does anyone know of a way to manage log4j.properties in the Web context? Specifically, to configure it so that:
  a) logs go to an appropriate directory (probably $CATALINA_BASE/logs)
  b) the logfile is named for the context (e.g. /MyContext would go to mycontext.log)
  log4j.properties allows for variables. However, these variables are either defined inside the log4j.properties, which is a catch-22 for this, or checked against java System properties, which are JVM-wide. I could put a context listener that sets a predetermined property, but then it affects everything in the JVM, i.e. all other contexts, making it useless. Here is what I see as my options:
  1- hardcode a full path in the log4j.properties, making distribution of the WAR difficult
  2- hardcode it per context, but use $CATALINA_BASE as a system var. This is not terrible, but then depends on Tomcat, as opposed to being able to switch to other containers. It also makes the log4j.properties less transportable across contexts (more effort)
  3- Configure everything in a Listener. This would work, but then I lose my ability to configure declaratively (log4j.properties or log4j.xml), and my ability to do configureAndWatch().
  Ideally, I would like to have one of the following:
  a- a variable that log4j picks up that is unique to each context and declares its path, but portable across containers (unlikely)
  b- second best, have my listener determine the real path to logs, set some variable that is only held in this context, then have log4j read the properties or xml file correctly resolving the variable
  c- less so, I guess the listener can load up the properties or XML file, manipulate any instance of the variable manually, then load the properties into PropertyConfigurator for log4j. Not quite sure how to do this, though.
  Anyone tackled this?

  Does it matter if I have to access the OWA url using a trailing folder name? I access OWA like so, https://owa.example.com/owa, I know it's a bit redundant, but I don't know how to make mail aware of that, or even if it's a problem? If I leave off the URL I can connect but not authenticate, with the URL it's obviously an invalid hostname. Anyone familiar with this issue?

• WCSs (5.0.148) lose Terminal, Webfrontend and Web Auth

  Hello,
  3xWCS 4404 with 5.0.148 and WCS 5.0.56.
  After serveral days, I were not able to connect to the telnet, SSH and webfrontend interfaces on all controllers. I tried management and service-port IPs. But I get ping responses from the interfaces and the Wireless LANs are also working, except the Web Authentication, which is now configured to relay the user to a special url.
  In the release notes (http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn501480.html#wp234299) was a caveat (CSCsi30541), but it occurs when you create a new dynamic interface, which I didn't.
  The controllers respond to the WCS, so I were able to reboot them via the WCS. After that the situation is normal, until the next time.
  Three weeks ago, I installed 5.0 on one of the three WCS. One week ago, I installed it on the other two. This problem occurs on the first WLC for the second time, so I assume, it can happen again.
  Any ideas what could be the reason?
  p.k.

  It is a bug in 5.0... The controller will only respond to snmp. The workaround is to reboot. This is a bug if you are using WebAuth. i would open a TAC case to see if they have a work around as of yet, which most likely will be a ER.

• Flex Builder, debugger and web application: how?

  Hello,
  I'm traying to setup a project in eclipse with both a java
  web application (servlets, jsp) and flex applications as a
  frontend. So I installed flex builder as a plugin on an eclipse+web
  standard tools, then created a WST web application project, and
  used the "Add flex nature.." of the flex plugin. I don't want to
  use the flex data services.
  Now, in a standard run (I installed a tomcat 5.5 and
  configured it in eclipse), my mxlm files are being correctly
  compiled into swf, and they are successfully calling my servlets
  (which simulates a backend xml-based interface).
  I'm having problems in debug: if I launch the debug profile
  related to tomcat, the normal version of the sfw will be used (even
  manually switching to the "-debug" version, it says that a running
  flex debugger has not be found on localhost). On the other way, if
  I launch the debug as a "flex application", it seems to work (it
  stops at breakpoints) but my tomcat is not started at all, the swf
  is accessed as a local file and all call to my servlet will fail..
  so it will stop working almost immediately.
  There is a way to setup eclipse to start standard java
  debugging with tomcat *and* the flex debugger?
  Thanks
  Cosma

  I found a workaround of sorts for the problem: don't
  terminate the applications!
  Previously, I would terminate the application using either
  the Terminate button in the Debug view or by closing the tab in the
  browser (Firefox). Now I just let them pile up in the browser and I
  rarely see this problem.
  In other words, I was having lots of trouble when doing
  Launch-Terminate-Launch-Terminate... but now I just
  Launch-Launch-Launch... and clean up once in a while.

• IOS 8 and Web Outlook In A Browser Issue

  I have a 3rd gen iPad and iPhone 5 both currently 8.1.  I started having problems using Web Outlook email (work not personal) when I updated to IOS 8. I also did each update to IOS 8 without resolution. The problem is "responding" to emails. Most often, I am not able to respond to emails. When I touch the reply, there will be a spinning as it appears to be trying to load a new screen or it just sits there without loading. I have used both Safari and Dolphin browsers wih the same result. I can view emails, calendar, contacts. It seems to be the responding.
  i have have also noticed a problem when i am able to reply, that I will suddenly not be able to see what I have typed. Then when I hide the keyboard, suddenly the words wil appear. I also have problems sometimes with editing and I when I use the back button(x) to erase, it wont actuallly erase, just goes over the letters and leaves them on the screen. If I close the screen and save draft, I can sometimes go back and edit.
  I just noticed now when typing in this screen, that my keyboard lost the prediction for a short time. It doesn't add period when I double space, it doesn't capitalize the I if I type it and hit space etc.  Then it suddenly started doing it again.
  Wondering if anyone anyone else has noticed this issue
  Thanks
  mrcminnesota

  Can someone kindly help me on this? Is there any possible solution for the scenario that i mentioned?
  All I need to is to quickly launch all the UI Maps or all the screens of an OUAF application in a browser, using some java classes in OUAF or any java script method...
  Edited by: OATS Explorer on Jan 16, 2013 9:49 AM

• FlexConnect VLAN Central Switching and guest WEB Auth

  Hi,
  I have a senario where all my AP's are flexconnect AP's, that is because og WVoIP.
  In most loacation I have a local intenet connection for guests, and beacuse of that the Guest SSID is locally sitched.
  I have a few small locations that do not have a local subnet for guests and on those locations I would like to centrally switch the guest trafic.
  I was looking at FlexConnect VLAN Central Switching to solve my problem, but as far as I can see this only works with 802.1x SSID's and aaa override.
  Is there no way to do FlexConnect VLAN Central Switching on SSID's with WEB auth or PSK?
  Hope some one can answer me.
  Thanks
  Aksel

  So create a new WLAN, the WLAN profile will be different that the original guest WLAN and assign it a WLAN ID of 16 or higher. This new WLAN will have the same setting as the original guest SSID except that local switching is not enabled.
  You now need to create AP Groups so you can specify site with local guest vlan's will use the original SSID and the sites with no guest local clan will use the new SSID you created.
  Here is a doc regarding AP Groups
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml
  Sent from Cisco Technical Support iPhone App

• WLC2112 with Guest / Web-Auth and vlan

  Hi
  I'm trying to configure my WLC with guest SSID and vlan 10.
  The security is only set to Web-auth, and it is all working if the guest network is set to nativ vlan (1) But it seems that the http(s)://1.1.1.1/login.html is not reacheble from the guest SSID/VLAN??
  Please help.
  Management IP Address 192.168.14.252
  Software Version 6.0.182.0
  Emergency Image Version
  I have tried with ver. 5.2 also -

  I think that 1.1.1.1 is only reachable from a wireless client during webauth. They should not be able to reach that address once they have passed through the web auth page.
  Don't know if that helps, or not.

• I am unable to load some web pages, I get an error message saying unable to load page due to invalid or unsupported form of compression, this happens on the BBC news page for example. Any ideas how to overcome???

  OS is Windows7. I'm using the latest version of Mozilla Firefox
  I am unable to load some web pages, I get an error message saying unable to load page due to invalid or unsupported form of compression, this happens on the BBC news page for example. Any ideas how to overcome???

  Reload web page(s) and bypass the cache.
  * Press and hold Shift and left-click the Reload button.
  * Press "Ctrl + F5" or press "Ctrl + Shift + R" (Windows,Linux)
  * Press "Cmd + Shift + R" (MAC)
  Clear the cache and the cookies from sites that cause problems.
  "Clear the Cache":
  * Tools > Options > Advanced > Network > Offline Storage (Cache): "Clear Now"
  "Remove Cookies" from sites causing problems:
  * Tools > Options > Privacy > Cookies: "Show Cookies"

• 802.1x Machine and User Auth Vlan assignments

  I have machine and user auth working between Win2K PC and ACS 3.3 but not sure how to best use the Vlan assignment feature. I use Vlans for different departments and if I assign a vlan in ACS to a machine when it authenticates but the user is assigned to a different Vlan, I don't get a renewed IP.
  Here is how it's working now:
  1. Machine authenticates to ACS and assigned to a Vlan
  2. User logs in and if they are assigned to the same Vlan as the machine, works fine. If assigned to another vlan, the switchport does get changed but the PC still has an IP from the initial Vlan it was assigned to. Releasing and renewing doesn't work but I really don't expect it to.
  So, I figure the solution to this is just not set a per user vlan and only set it per machine. But, the group mapping in ACS looked like a great way to assign Vlans based on a user's Active Directory group but it doesn't appear to recognize the different computer OU's we have. So I can assign vlan's based on user groups but not computer groups. As machines are added to ACS, I could change them to an ACS group with the Vlan set but this would be a lot more work than an automated method like unknown user policy.
  So, how are others assigning machines to vlans in large multi-vlan networks using ACS and 802.1x?

  By default users and computers belong to different global groups. "Domain Users" vs. "Domain Cmpouters" for example.
  As for your example, it seems like you have a misbehaving supplicant, and authentication is attempting and then timing out and starting over .. that never actually gets to fail, so the auth-fail stuff won't help.
  Note: A good way to troubleshoot this is to notice it in action via show command:
  Here's an example of what you should see on a switch port.
  AuthSM State = State of the 802.1X Authenticator PAE state machine
  VALUES:
  AUTHENTICATED -- Auth Succeeded
  AUTHENTICATING -- Auth is attempting
  CONNECTING -- Dot1x is up and configured and trying to locate a supplicant.
  HELD -- Auth probably failed.
  BendSM State = State of the 802.1X back-end authentication state machine
  VALUES:
  IDLE -- Nothing is happening.
  REQUEST -- Switch sent some EAP data to AAA, and is waiting to get something back.
  RESPONSE -- AAA sent the switch back some data, and the switch in turn asked the supplicant for more data.
  NOTE: You should rarely see the RESPONSE state above. If you see it for more than a second or so i nthe middle of an auth attempt, that's a smoking gun that you might have a mis-behaving supplicant, b/c it shouldn't take that long to send an EAPOL frame. The switch will eventually time out, and start auth over.
  Hope this helps,

• Central Web Auth with Anchor Controller and ISE

  Hi All
  I have a 5508 WLC on the corporate LAN and another 5508 sat in a DMZ as an anchor controller.
  I also have an ISE sat on the corporate LAN.
  Authenticate is working fine to the ISE and the client tries to re-direct to the ISE Portal but doesn't get there.
  DNS is working fine and the client can resolve the URL of the ISE to the correct IP address.
  I have a redirect ACL configured on the foreign controller which permits DNS, DHCP and traffic to and from the ISE.
  My questions are:
  1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
  2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
  3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL - I don't believe it does.
  4. Is ICMP still blocked by the WLC until the web authentication is complete?
  Thanks.
  Regards
  Roger

  Hi Roger,
  Thanks for your brief explanation here are the answers for your queries.
  1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
  The only catch is that since this web authentication method is Layer 2, you have to be aware that it will be the foreign WLC that does all of the RADIUS work. Only the foreign WLC contacts the ISE, and the redirection ACL must be present also on the foreign WLC.
  2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
  Yes, you have to configure the ISE server address on the anchor WLC.
  3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL
  Yes, you should override AAA under advanced tab of WLAN as ACL will be present on the foreign WLC.
  4. Yes, ICMP will work only after the sucessful web auth is complete.
  Please do go through the link below to understand the Anchor-Foreigh Scenario.
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11
  Regards
  Salma

• How to install Web Auth. Bundle on WLC 2504

  Hi, 
  I need to install a Web Auth bundle and when I download the file from cisco's webpage, its a .zip, but the WLC asks for a .tar file, so I converted it to a .tar and tried again but then it said file was too big.
  Can someone please instruct me on how to do it?
  Thanks in advance,
  Javier

  Hi,
     the .tar file size (no more than 1Mb
  the filename length of the files (should be no more than 30 characters)
  Plus other guide lines while downloading at the below location
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70users.html#wp1049431
  Regards
  Dhiresh
  **Please rate helpful posts**