WCS with 4402 WLC?

Similar Messages

• Frequent reauthentications with 4402 WLC

  We're having an odd problem with web authentication on a 4402 WLC. Users have to reauthenticate several times before it seems to "stick." After logging in, they'll have to log in again after 2-5 minutes, and then possibly a few more times in the same kind of intervals (sometimes as few as 2-3 reauthentications, once as many as nine times).
  Here's an odd wrinkle: we also have a 2106 controller, identically configured (as far as I can verify. They should have the same configuration, except for IP addresses of course). It's rock solid.
  Both controllers are pointing to a Cisco ACS (the same one for both) for authentication, which in turn does an LDAP lookup.
  Has anyone seen something like this? Digging into the WLC logs shows messages that the user failed authentication (note that the user never gives a bad username/password combo, so it looks as if something internal is forgetting the previous auth). Here's a sample line:
  Apr 17 10:03:32.564 aaa.c:1184 AAA-5-AAA_AUTH_NETWORK_USER: Authentication failed for network user '<redacted>'
  I also see a lot of messages like this, but again I have no idea if they're connected to my problem:
  Apr 17 10:04:13.563 apf_foreignap.c:1278 APF-4-REGISTER_IPADD_ON_MSCB_FAILED: Could not Register IP Add on MSCB. MSCB still in init state. Address:<redacted>
  Apr 17 10:03:14.090 apf_foreignap.c:1285 APF-1-CHANGE_ORPHAN_PKT_IP: Changing orphan packet IP address for station00:<redacted> from <redacted> ---><redacted>
  Apr 17 10:03:14.090 apf_foreignap.c:1278 APF-4-REGISTER_IPADD_ON_MSCB_FAILED: Could not Register IP Add on MSCB. MSCB still in init state. Address:<redacted>
  Any insights would be appreciated. Like I said, the fact that this setup is working fine on one WLC but not on the other is creating much head-scratching.
  Thanks.

  I'll bet your 2106 is not running 5.148 code. My first suggestion is to not use the 5.x code in a production environment. If that is not feasible then find out why the session is failing to move into the RUN state. Is there some other requirement for the client ? For example, did you enable the DHCP REQUIRED checkbox in the advanced wlan setting?

• Hellp on Nokia E61i associating with Cisco WLC 4402

  I met some problem with associate Nokia's dual mode mobile phone E61i with Cisco WLC 4402, hope someone can help me on it:
  I setup a VOICE WLAN in 4402(v5.0.148), Layer2 security is WPA1+WPA2, Key management using 802.1x, WPA1 policy enable both TKIP and AES, Radius server using ACS engine(v4.1.1.23)(enable PEAP-MSCHAPv2);
  I can use my laptop to join this WLAN(my laptop configure with PEAP/MSCHAPv2, WPA-TKIP, not validate server certificate), but can't let E61i join it, each time it will remind me “unable to connect, WPA authenticate failed).
  In E61i, I select WPA/WPA2 as WLAN security mode, enable EAP-PEAP, under EAP-PEAP, I enable EAP-MSCHAPv2; however under Cipher, there's a lot of options such as “RSA,3EDS,SHA”, “RSA,AES,SHA”, but there's no TKIP, I have tried to enable all of them and tried only enable those items which include AES, but I failed each time with the same reminder “unable to connect, WPA authenticate failed”. I checked ACS's failed log, there's no record; In 4402, there also have no record.
  If I change the security to open or static WEP for VOICE WLAN, then the E61i can connect to the WLAN.
  I think the problem maybe relate to encryption or certificate, right now I just do the test in lab, not in customer's real environment, so I use ACS to generate a self signed certificate and installed it in ACS.
  Pls. help to point me what I need to adjust to make it work. Thanks!

  Hello,
  CCKM Key Management mode on Nokia E61i phone can be used
  against Cisco LWAPP AP's with TKIP encryption
  Nokia E61i (and other E-series WLAN enabled phones) are supporting CCKM key management method with both dynamic WEP and TKIP ciphers.
  On the phone configuration, 802.1X security mode needs to be in use in order to enable CCKM support. WPA/WPA2 security mode on the phone is dedicated to standards based WPA and WPA2 methods and it does not allow usage of proprietary CCKM key management method.
  Phone's 802.1X security mode does not mean that phone would only support dynamic WEP encryption method in this mode although in contexts term "802.1X" may be attached to pure dynamic WEP (legacy / pre WPA era)security methods.
   802.1X security mode can be seen on Nokia Eseries phones as sort of an "everything with EAP based authentication is allowed" mode, meaning that following key management and cipher configurations are supported:
  - WPA-Enterprise  = WPA Key Management (EAP based authentication) with TKIP encryption
  - WPA2-Enterprise = WPA2 Key Management (EAP based authentication) with AES encryption
  - Mixed WPA/WPA2-Enterprise = I.e. WPA/WPA2 Mode Migration WPA2 Key Management (EAP based authentication) with AES (for unicast data) and TKIP (for multicast data) ciphers
  - 802.1X dynamic WEP = legacy (pre-WPA era) 802.1X based dynamic WEP (EAP based authentication with dynamic WEP encryption)
  Supported:
  - CCKM with WEP = CCKM Key Management (EAP based authentication) with dynamic WEP encryption
  - CCKM with TKIP = CCKM Key Management (EAP based authentication) with TKIP encryption
  Not supported:
  - CCKM with AES = CCKM Key Management (EAP based authentication) with AES encryption
  Please note that CCKM-AES mode (CCKM Key Management with AES cipher) is not working properly due to some incompatibilities between Cisco and Nokia implementations thus it must not be listed as a supported combination on the current Nokia E-series devices. We are also seeing CCKM-Fast
  Re-authentication failures with Cisco autonomous AP's when AES encryption is used although initial authentication to autonomous AP's is successful. Nokia is currently working with Cisco to get CCKM-AES based authentications and roaming working properly with both LWAPP and autonomous Cisco AP's.
   Also note that Nokia E-Series does not support Cisco proprietary CKIP/CMIC encryption/data integrity methods. CKIP/CMIC is supported at least by Cisco autonomous AP's and it seems to be available also
  at least on LWAPP AP version 4.1.171.0.
   CCKM on E-Series devices has been tested against Cisco LWAPP (ver. 4.1.171.0) and it works when TKIP encryption is in use (WPA Policy + TKIP encryption in Cisco LWAPP configuration terms).
  In practice this means Cisco LWAPP is configured in a following manner: WLAN -> Edit -> Security-> 
  Layer 2 Security = WPA+WPA2
  WPA+WPA2 Parameters:
  -WPA Policy = enabled
  -WPA Encryption = TKIP enabled, AES disabled
  -WPA2 policy = disabled
  -Auth.Key Mgmt = CCKM
  Br,
  -Pasi-

• 4402 WLC & 1000 AP's

  I'm trying to setup my wireless in a test environment before putting in my production just to verify I know how to set it up. Here is what I have: 3560 switch/POE, 4402 WLC, & a 1000 AP.
  I plugged my AP into f0/1 of my switch and added it to VLAN 3. I assigned it an Ip address of 10.0.3.1
  I setup G0/1 to trunk to port 1 of the WLC. Native vlan 1 with no ip address assigned.
  On my WLC I setup a management port untagged assigned it IP address 192.168.1.184 with a gateway of 192.168.1.184.
  I setup ap-manager untagged with an IP address of 192.168.1.185, gateway 192.168.1.184
  I setup one interface "ccla_conf_net2" assigned it IP address 10.0.3.22 Vlan 3 with a gateway of 10.0.3.1
  Lag is disabled so I assigned all interface's to port 1.
  I can ping 10.0.3.22 and 10.0.3.1 but when I go into monitor on the WLC it's showing 0 AP's as being up. Plus my wireless laptop is not picking up the SSID "ccla_conf_net2"
  Do you have any clues as to what I'm doing wrong??

  First suggestion is that you may have forgotton to configure your "ccla_conf_net2" as being capable of dynamic AP managment. Have you done that? Also, how did you get the IP address into the AP?

• Is it possible to config H-REAP/REAP and CAPWAP in Autonomous mode with a WLC?

  I'm going to deploying all new AP as Remote-Edge AP and they will be shipped straight to site.  With a pool of WLCs deployed in central DC locations.  I would like to get local staff to deploy a basic CLI discovery script for the APs.  However, i thought LAPs don't have CLI???
  I'm thinking I must use a Lightweight AP with the WLC to use Remote-Edge AP functionality - However, I'm not sure... the configuration example at the bottom doesn't state whether it an Autonomous AP or a Lightweight one.  
  http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml
  H-REAP Controller Discovery using CLI commands
  H REAPs will most commonly discover upstream controllers via DHCP option 43 or DNS resolution. Without either of these methods available, it may be desirable to provide detailed instructions to administrators at remote sites so that each H REAP may be configured with the IP address of the controllers to which they should connect. Optionally, H REAP IP addressing may be set manually as well (if DHCP is either not available or not desired).
  This example details how an H REAP's IP address, hostname, and controller IP address may be set through the console port of the access point.
  AP_CLI#capwap ap hostname ap1130ap1130#capwap ap ip address 10.10.10.51 255.255.255.0ap1130#capwap ap ip default-gateway 10.10.10.1ap1130#capwap ap controller ip address 172.17.2.172
  Could anyone help?
  Cheers
  Adrian.

  Hi Adrian,
  Further down in the doc you linked;
  H-REAP Controller Discovery using CLI commands
  H REAPs will most commonly discover upstream controllers via DHCP       option 43 or DNS resolution. Without either of these methods available, it may       be desirable to provide detailed instructions to administrators at remote sites       so that each H REAP may be configured with the IP address of the controllers to       which they should connect. Optionally, H REAP IP addressing may be set manually       as well (if DHCP is either not available or not desired).
  This example details how an H REAP's IP address, hostname, and       controller IP address may be set through the console port of the access       point.
  AP_CLI#capwap ap hostname ap1130
  ap1130#capwap ap ip address 10.10.10.51 255.255.255.0
  ap1130#capwap ap ip default-gateway 10.10.10.1
  ap1130#capwap ap controller ip address 172.17.2.172
  Note: Access points must run the LWAPP-enabled IOS® Recovery Image Cisco           IOS Software Release 12.3(11)JX1 or later, in order to support these CLI           commands out of the box. Access points with the SKU prefix of LAP (for example,           AIR-LAP-1131AG-A-K9), shipped on or after June 13, 2006 run Cisco IOS Software           Release 12.3(11)JX1 or later. These commands are available to any access point           that ships from the manufacturer running this code level, has the code upgraded           manually to this level, or is upgraded automatically by connecting to a           controller running version 6.0 or later.
  These configuration commands are only accepted when the access point is       in Standalone mode.
  Cheers!
  Rob

• WCS with location doesnt locate clients

  I have WCS with location installed. From the Cisco documentation the WCS with location is suppose to provide a small set of location/mapping functions. Adding the location appliance will give you historical data.
  When trying to view clients on the floor map it says that "No clients found on this floor. Either you dont have any location server which locates clients or no clients are detected."
  There are several clients that are online and show up in the other search function but they arent mapped out.
  Any ideas?

  I'm having a similar problem with WCS not displaying my client(s) on the Heatmap. I have setup a lab environment with a single 2006 controller and 2 1010 APs. I walked around the perimeter of my office space to verify roaming between controllers but WCS still doesn't display my client. When I try to reload the heatmap it says:
  Loading clients..
  Loaded 0 out of 0 Clients.
  I have also verified that Clients are not being filtered from the view.
  Any more ideas?
  Any help is appreciated. Thanks!

• Using Cisco WCS with Microsoft IAS

  Hi.
  I have two 5508 and WCS 7.0.172. I want to user Active Directory users credintals to login on ther WCS. Have a configurated NPS role on server with windows 2008 r2.
  I have read this http://zmq503o1.wordpress.com/2008/01/06/using-cisco-wcs-with-microsoft-ias/ and done the same.
  I dont't agree with "on the "Encryption" tab and clear all the checkboxes except "No encryption" - wants an encryption connection but this didn't work till in user's properites in AD permit "Reversible encryption". This is not what that I want.  Would I need to generate ssl-cert for the wcs as wroted this?http://www.cisco.com/en/US/docs/wireless/wcs/7.0MR1/configuration/guide/hard.html#wp1042471
  or doing smth else? thx

  Camera is only supported for use with CUVA. Any other application attempting to utilize the camera is not tested and is not supported.

• Local printers not working with 2504 WLC

                     I have a 2504  WLC with 3 1262 WAPs in lightweight mode.
       Clients connect using WPA2 PSK AES with no problem.  Clients are Windows XP Home SP3.  Test pages end up in print queue and eventually get a error printing status.  Clients are not part of a domain and in a standalone workgroup - techstream.
  Printer can be pinged from wireless client.
  Another 1262N WAP in standalone mode connected to same lan from windows 7 sp1 clients have no problem printing to a local printer.
  What does work on the Windows XP Home client is connecting to a network shared printer authenticating with domain admin id and password and it works.  Reboot and the network shared printer can not connect multiple reasons are "access is denied" and message box says "only security tab will be displayed....."   Another Windows XP Home SP3 client on reboot can't open the network shared printer with message "Can't find printer"
  The local printers do work on these pc's with an old colubris router that has an outside interface on our lan and internal network with clients getting dhcp address from colubris router of 192.168.3.XXX  . 
  What is wrong with the wireless 2504 WLC?
  Thanks
  Broadcast forwarding was enabled.

  Although a cisco tech support was helpful in making sure multicasting was enabled and a multicast server defined, the problem was at the CP2025DN printer. It had old network ip mask and gateway configured on the printer.
  The new devices were part of the new network configuration (Mask and gateway had changed). I didn’t change that printer when I changed all the other printers at the facility because it was still active thru the old wireless network. I forgot to change the printer ip config when I brought the new wap on the new wireless network with the wlc 2504.
  End result was the clients were part of a different subnet and gateway configuration then the printer and this disrupted the communication between clients and the printer. Once I corrected the mask and gateway on the printer to be the same as the dhcp scope of the wireless network, communication and printing worked.
  Problem solved.  User error

• 4402 WLC Trunk/STP Issue

  Hello,
  We have a few WLC's on our Network. The last WLC we deployed is having issues with connectivity. Persistent PING tests are showing drops every 20 packets or so. We noticed that the Mgt VLAN is flapping in STP.
  The WLC is connected to a 4506 Switch 10/100/1000 mode. Auto negotiation is on and the port on both sides is 1000/Full. Having no issues with the others controllers.
  4506 port config:
  interface GigabitEthernet3/42
  description Trunk to nyc1-32-wlc-02
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1,50-52
  switchport mode trunk
  VLAN 52 is the Mgt VLAN associated with the WLC. Any help would be appreciated. Thank you.
  John

  I connected Port 2 to 4506-2 and we're still having the same issue. It appears that the Mgt VLAN is being dropped from Spanning Tree.
  ICMP packets are OK:
  nyc1-32-4506-1#sh spanning-tree int gi3/42
  Vlan Role Sts Cost Prio.Nbr Type
  VLAN0001 Desg FWD 4 128.170 Edge P2p
  VLAN0050 Desg FWD 4 128.170 Edge P2p
  VLAN0051 Desg FWD 4 128.170 Edge P2p
  VLAN0052 Desg FWD 4 128.170 Edge P2p
  ICMP Packets time out:
  nyc1-32-4506-1#sh spanning-tree int gi3/42
  no spanning tree info available for GigabitEthernet3/42
  After 4 time outs, the SPT on the interface comes back up.
  nyc1-32-4506-1#sh spanning-tree int gi3/42
  Vlan Role Sts Cost Prio.Nbr Type
  VLAN0001 Desg FWD 4 128.170 Edge P2p
  VLAN0050 Desg FWD 4 128.170 Edge P2p
  VLAN0051 Desg FWD 4 128.170 Edge P2p
  VLAN0052 Desg FWD 4 128.170 Edge P2p
  nyc1-32-4506-1#
  Before we enabled spanning-tree trunk fast, we got several time-outs (7 - 9), now we only get 4 (with it enabled).
  Any idea? Thank you.

• Is 1252G AP compatible with 5508 WLC

  hi,
  I want to know whether 1252G AP can register with 5508 WLC? from the datasheet 5505 support CAPWAP while 1252 is LWAP. Kindly provide the link regarding the compatibility as well.
  Regards
  Nareh

  hi,
  I would also to add that I will be using CAP 1552E (802.11N) outdoor AP with the 1252G AP. Is it possible that both LWAP and CAPWAP AP registers with the same 5508 WLC ?
  Regards
  Nareh

• Ordering WCS with MSE

  When ordering WCS with MSE, is this all you need for WCS?
  WCS-STANDARD-K9 ($0) + WCS-PLUS-500 ($44.5K)
  In the past we've ordered WCS-APLOC-500. Did WCS-PLUS-500 replace it?
  Is WCS-APBASE-500 for when you don't use MSE?

  Yes you just need standard + Plus to integrate with MSE. Plus also gives you high availability which is a nice feature. Plus has replaced Loc.
  Below link will give you all the info you need.
  http://www.cisco.com/en/US/prod/collateral/wireless/ps5755/ps6301/ps6305/product_data_sheet0900aecd804b4646.html
  And Base is without MSE/WIPS/HA.
  Cheers
  Mat

• Steps to update a 4402 WLC from 4.2 to latest 7.x

  Greetings,
  We need to upgrade a 4402 wlc from 4.2 where it is now, to the most recent 7.x release.  I believe this is a 2 step process.  Does anybody know the correct steps to upgrade to?  Obviously we can't just jump straight to 7.x
  Thanks in advance!
  -Zach

  http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_0_116_0.html#wp233853
  If you read the release notes a little more carefully, you will also see the following:
  4.2.130.0 or earlier 4.2 release
  Upgrade to 4.2.176.0 before upgrading to 7.0.116.0.
  4.2.173.0 or later 4.2 release
  You can upgrade directly to 7.0.116.0.
  Note If you upgrade from 4.2.176.0 to 7.0.116.0, the upgrade fails for the first time. The upgrade completes successfully when you upgrade again.
  4.2.209.0 or later 4.2 release
  You can upgrade directly to 7.0.116.0.
  Just keep the above in mind depending upon your 4.2 release.

• Create a point to point link with a wlc 4402

  Hi to all,
  i have a wlc 4402 and i need to configure a point to point link with two air-lap1310g-e-k9, i have found on cisco.com this link:
  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808e9c1b.shtml#zero
  but on the wlc configuration page i cannot found some configuration step.
  Someone have configured this type of behaviour or can give me some hints?!
  How can i configure on the wlc the parameter about the bridges configuration?! Or i must configure the bridges overriding the global configuration?!
  Thanks and best regards,
  Carlo Sagratella.

  The correct thing to do would be to downgrade the 1310's to autonomous (or 1242's) and set up a root bridge and non-root bridge.
  Alternately however, if you REALLY wanted one of the points to be LWAPP, in theory you could always make one of the Access Points Autonomous and join it as a workgroup bridge to the LWAPP AP. However, there really is no reason to do that since it would be cleaner to convert both to autonomous.

• WCS does need WLC or can works with stands alone APs

  Hi all, I'm student and curently reading about WCS capacity. I would know if WCS requier AP to pass through a WLC to work with WCS or if WCS can work with multiple "stand alone" APs (without any WLC)
  Thanks.

  WCS can work with standalone APs that you can add in WCS.
  Nevertheless the configuration options are limited.
  The configuration guide is a good resource for more information.
  http://www.cisco.com/en/US/products/ps6305/products_installation_and_configuration_guides_list.html
  Also you can get an evaluation license for WCS for 60 days for 20 APs.
  You can download the software and play with it as well:
  http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=279705270
  WCS general product page:
  www.cisco.com/go/wcs

• Do I need to have WCS with WLC?

  Looking to upgrade my 802.11b setup of original AP4800e's and 340's. I've settled on the 1130, and I would like to get a WLC appliance, but do I need to get the WCS too?

  You don't have to have WCS.
  We were told by Cisco sales rep we should got WCS and WLC to ease the managing tasks. So we got both. But I have finished configuring WLC without even install the WCS. All things are working fine to me, although I would have to say the WLC on-line/PDF help documents need revolutionary improvement to be useful.
  We did install WCS last week. Haven't had a chance to look deep into it yet, but just from the surface it is more for "monitoring" instead of the real configuration. So, I would say WCS is nice to have for big deployment.