WGB and 4402 WLC

Similar Messages

• Air Fortress Gateway and 4402 WLC

  All,
  I'm in the process of a demo/protoype using the cisco lightweight products (4402 controllers w/ 1240 LAP), and using Air Fortress gateway for Layer 2 authentication...I have 3 lightweight AP's associated with the controller (running in Layer 3 mode is only way to get AP's to talk to controller), but when my test client loaded with Air fortress gateway associates with the cisco AP, it's not able to aquire DHCP address, the Air Fortress gateway does not let any traffic thru...the Air Fortress gateway does allow connections thru to dhcp server if I associate to a Intermic AP, then I'm corporate network with Layer 2 FIPS 140-2 encryption via Air Fortress gateway...any one run into same situation?

  hi,
  i am also facing a similar issue, i have a fortress sec?re gateway AF2100 connected on to a vlan 88 on a 6500 switch. of which one of the modules is Wireless services module (2 WLC 4404 integrated on a module) configured in Layer 3 mode. and i have 1242 LWAP APs connected on to the network. the Pcoket PC gets associated to the SSID (which is clubbed to vlan 88) but it is unable to ping the gateways encrypted leg. when i sniffed the packets using ethreal i am able to see that there is exchange of packets between both mac-addresses (mac-add of the pocket PC and that of the encrypted leg). but the Pocket Pc does not get registered and it shows no reply when a ping is initiated to the encrypted leg IP.
  i can also see that there is a sudden increase in the number of the packets that are being decrypted by the fortress when a ping is initiated by the pocket PC.
  At the same time if we remove the LWAPP technology and use autonomous APs in the same setup it works perfectly fine.
  what did you mean in your post about registering it with ACS. are you referring to Cisco Secure Access control server here.

• What is the spec of WLC 5508 and 4402, CPU and MEM? Thanks.

  I cant found any information about WLC 5508 and 4402s' spec of what type of CPU and size of MEM. Thanks.

  4402 is having 512MB memory where as 5508 is having 1GB (based on "show memory statistics" output)
  Also during bootup it will show (here is 4402 as example)
  System will now restart!
  Bootloader 7.0.116.0 (Apr 13 2011 - 14:30:45)
  Motorola PowerPC ProcessorID=00000000 Rev. PVR=80200020
  CPU: 833 MHz
  CCB: 333 MHz
  DDR: 166 MHz
  LBC: 41 MHz
  L1 D-cache 32KB, L1 I-cache 32KB enabled.
  I2C: ready
  DTT: 1 is 33 C
  DRAM: DDR module detected, total size:512MB.
  512 MB
  8540 in PCI Host Mode.
  8540 is the PCI Arbiter.
  Memory Test PASS
  FLASH:
  Flash Bank 0: portsize = 2, size = 8 MB in 142 Sectors
  8 MB
  L2 cache enabled: 256KB
  Card Id: 1540
  Card Revision Id: 1
  Card CPU Id: 1287
  Number of MAC Addresses: 32
  Number of Slots Supported: 4
  Serial Number: FOC1229F08U
  Unknown command Id: 0xa5
  Unknown command Id: 0xa4
  Unknown command Id: 0xa3
  Manufacturers ID: 30464
  Board Maintenance Level: 00
  Number of supported APs: 12
  In: serial
  Out: serial
  Err: serial
  HTH
  Rasika
  **** Pls rate all useful responses ****

• Dual Radio WGB and LWAPP Controller

  Hallo everyone,
  I have a wireless network managed by a 4402 controller with this sw version : 5.2.178.0
  The client wants to add a stand alone wgb (cisco 1242 with an ios 12.4(21) ). The standalone ap associate to an LWAPP AP using the 5Ghz interface and propagate the same ssid at 2.4Ghz (I've also tried using a different ssid ). Actually the WGB is the only AP using that SSID at 2.4Ghz. As for the wired clients of the WGB I have no problems but if the client associate to the 2.4 Ghz SSID, I see it associated on the controller but no traffic from or to the client is allowed.
  If for any case, the 5Ghz interface is resetted and the association betweeen the WGB and the controller is reformed, the 2.4Ghz client starts receiving and receiving traffic.
  Any idea how to set things up from the the first association?
  The wgb ssid is not set as infrastructure-client and the controller correclty identify it as a WGB client. In the same way the controller correclty see the 2.Ghz client like a wired client of the WGB but unless the association b.t.w the WGB and the controller is reset, no traffic reach the client.
  I think that may be a problem related to how the IAPP protocol notify the presence of a client to WGB but I don't know how to work things out.. any idea?
  Thank you in advance!

  The 3600 series Access Points can have either internal or external antennae.  You can tell by looking at the top of the AP.  If there are 4 antenna connections (one in each corner) then they are external antennae. 
  If you cannot get to the AP to check them physically, the antenna type is also denoted by the part number.
  AIR-CAP3602I-x-K9 has internal antennae
  AIR-CAP3602E-x-K9 has external antennae
  The 3600 does have dual radios built in, operating in the 2.4GHz and 5GHz frequency ranges.  However, for them to show up as such, you have to enable both radios on the AP.  You can do this either through the WebUI or the CLI.
  The 802.11ac option is an external module that is attached to the underside of the 3600 AP.  Please find the datasheet for the module here:
  http://www.cisco.com/en/US/prod/collateral/modules/ps12859/ps13128/data_sheet_c78-727794.html
  The 1552c Series access points are also dual-radio systems and should also have both radios turned on through the WebUI or CLI.  Note the quote " The Cisco Aironet 1552C/1552CU Outdoor Mesh Access Points are dual-radio systems with DOCSIS 3.0/EuroDOCSIS 3.0 (8x4 HFC) compliant cable modem for power and backhaul." taken from the datasheet for these APs found here:
  http://www.cisco.com/en/US/prod/collateral/wireless/ps5679/ps11451/data_sheet_c78-641373.html
  Cisco ships the APs with one Radio enabled and if you want the dual-radio functionality, you have to turn that on.  Once that is done, you should see the APs show up correctly in the WLC 5508.
  +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

• Lost connection to 4402 WLC after upgrade

  I setup a 4402 this evening an everything was going great. The unit had v4.2.130.0, I need to upgrade to v6.0.182.0.
  The upgrade guide requires the following upgrade path v4.2.130.0 >  v4.2.176.0 >  v6.0.182.0.
  I began with the upgrade to .176 and everything was fine. HTTPS / SSH2 was working fine. I could ping the WLC and see both ports from the neighboring switch (cdp neigh). Then I upgrade to ver 6.0.182.0 and I could no longer HTTPS / SSH2 to the WLC. CDP neigh on the connecting switch no longer recognized one of the uplinks.
  I have the switch (a Cisco 4507R) configured with a port-channel to the two WLC ports (1 and 2), the WLC is configured with LAG enabled. The port channel was still up as were both ports and no errors in the switch log.
  I checked (via Console) the WLC management vlan... that seemed fine. My IP info was fine... Im sure im just overlooking something very minor... any suggestions would be greatly appreciated. I think after sitting here for so long and trying to find it, Im having tunnel vision.
  Thanks in advance!
  Rich

  No, I didn't touch the boot strap, as per the instructions of a co-worker. I was wondering if this could be my issue.
  I am unfortunately in NYC and the WLC is located in Ottawa, Canada, and no one is available patch the management port. Our " Standards" don't include the use of the management port so I didn't even have it connected.
  Yes, I did have HTTP and Telnet disabled as per out "Standards".
  As of right now I am dead in the water. I had a PC with Net Meeting setup, but the screen saver was never disabled. I went ot get a bite to eat, and yeah... now im locked out, what a night. Fortunately for me, this wasn't a production device. and the site didn't have wireless in the past.

• 4402 WLC & 1000 AP's

  I'm trying to setup my wireless in a test environment before putting in my production just to verify I know how to set it up. Here is what I have: 3560 switch/POE, 4402 WLC, & a 1000 AP.
  I plugged my AP into f0/1 of my switch and added it to VLAN 3. I assigned it an Ip address of 10.0.3.1
  I setup G0/1 to trunk to port 1 of the WLC. Native vlan 1 with no ip address assigned.
  On my WLC I setup a management port untagged assigned it IP address 192.168.1.184 with a gateway of 192.168.1.184.
  I setup ap-manager untagged with an IP address of 192.168.1.185, gateway 192.168.1.184
  I setup one interface "ccla_conf_net2" assigned it IP address 10.0.3.22 Vlan 3 with a gateway of 10.0.3.1
  Lag is disabled so I assigned all interface's to port 1.
  I can ping 10.0.3.22 and 10.0.3.1 but when I go into monitor on the WLC it's showing 0 AP's as being up. Plus my wireless laptop is not picking up the SSID "ccla_conf_net2"
  Do you have any clues as to what I'm doing wrong??

  First suggestion is that you may have forgotton to configure your "ccla_conf_net2" as being capable of dynamic AP managment. Have you done that? Also, how did you get the IP address into the AP?

• WCS with 4402 WLC?

  Is the WCS software necessary to manage a single 4402 WLC or is it just additional bells and whistles?
  Thanks - RV

  Hi Ron,
  You do NOT need the WCS to manage the WLC. We are running 3 WLC 4402-25's without the WCS. The WCS does add some nice funtionality but it is not a must.
  Hope this helps!
  Rob

• Frequent reauthentications with 4402 WLC

  We're having an odd problem with web authentication on a 4402 WLC. Users have to reauthenticate several times before it seems to "stick." After logging in, they'll have to log in again after 2-5 minutes, and then possibly a few more times in the same kind of intervals (sometimes as few as 2-3 reauthentications, once as many as nine times).
  Here's an odd wrinkle: we also have a 2106 controller, identically configured (as far as I can verify. They should have the same configuration, except for IP addresses of course). It's rock solid.
  Both controllers are pointing to a Cisco ACS (the same one for both) for authentication, which in turn does an LDAP lookup.
  Has anyone seen something like this? Digging into the WLC logs shows messages that the user failed authentication (note that the user never gives a bad username/password combo, so it looks as if something internal is forgetting the previous auth). Here's a sample line:
  Apr 17 10:03:32.564 aaa.c:1184 AAA-5-AAA_AUTH_NETWORK_USER: Authentication failed for network user '<redacted>'
  I also see a lot of messages like this, but again I have no idea if they're connected to my problem:
  Apr 17 10:04:13.563 apf_foreignap.c:1278 APF-4-REGISTER_IPADD_ON_MSCB_FAILED: Could not Register IP Add on MSCB. MSCB still in init state. Address:<redacted>
  Apr 17 10:03:14.090 apf_foreignap.c:1285 APF-1-CHANGE_ORPHAN_PKT_IP: Changing orphan packet IP address for station00:<redacted> from <redacted> ---><redacted>
  Apr 17 10:03:14.090 apf_foreignap.c:1278 APF-4-REGISTER_IPADD_ON_MSCB_FAILED: Could not Register IP Add on MSCB. MSCB still in init state. Address:<redacted>
  Any insights would be appreciated. Like I said, the fact that this setup is working fine on one WLC but not on the other is creating much head-scratching.
  Thanks.

  I'll bet your 2106 is not running 5.148 code. My first suggestion is to not use the 5.x code in a production environment. If that is not feasible then find out why the session is failing to move into the RUN state. Is there some other requirement for the client ? For example, did you enable the DHCP REQUIRED checkbox in the advanced wlan setting?

• Has anyone deployed converged access with 3850 switches and 5760 WLCs?

  Has anyone deployed a converged access network architecture with 3850 switches and 5760 WLCs? I have done lots of projects with the 5508 WLCs In a centralized deployment. Basically with this design, I manage 2 logical networks as the wireless network is an overlay over the wired network. I can design firewall to segregate traffic between the wired and wireless hence I can carry both staff and guest traffic.
  Now Cisco is telling us that there is new design such that the dats plane traffic can be dropped locally through the 3850 switched. I am not sold on this and have not found any recommended best practices on when should we use a converged access architecture.
  Pros
  With converged access, data traffic is terminated at the MA which is on the switches, hence the WLC will not be a bottleneck? This is to prepare adoption for 802.11ac?
  Less hops for voice calls from user A to user B as data control traffic is dropped locally.
  Cons
  Now how do I segregate guest and staff traffic if my security folks say I need a firewall?
  Troubleshooting wireless client mobility will be a nightmare as the 3850 switches are MA.
  Pushing and upgrading code for the Code will mean upgrading the stack of switches in the LAN riser. This will be painful in a huge campus environment like an university.
  Can someone convince me why would a customer choose converged access?
  Sent from Cisco Technical Support iPad App

  They choose CA because of the capwap termination at the switch. You can still use a 5508 and tunnel guest to a DMZ segment if you wish. You will need a 5508 though is you want to tunnel traffic to an anchor WLC.
  Sent from Cisco Technical Support iPhone App

• Multicast for Aironet 1310 WGB and 1242 AP

  I have configured a Aironet 1310 bridge as a WGB and is connected to a Aironet 1242AG AP wirelessly!
  A sensor(IP device) is wired into the 1310WGB. The sensor needs MULTICAST to operate!
  I checked the DETAILED STATUS of the RADIO and both the 1310 and 1242 are blocking multicast!
  The RELIABLE MULTICAST TO WGB option is enabled on the 1242AP already! No luck as yet!
  Any thoughts??

  Have you seen this thread??
  https://supportforums.cisco.com/message/3061760#3061760
  Worked for me.
  AndyH

• What attributes are shared between a Radius Server and a WLC?

  I have a customer who is trying to setup a Radius server to authenticate Management users for the controller,
  she is using a Microsoft NPS R2 server. All good at this point.
  She needs to know what attributes are shared between the server and the WLC to complete the authentication
  because she is being successfully authenticated, but still unable to access the WLC.
  Someone knows what those attributes are?
  The only information at the moment that I found, was on a document that said that different management
  users can receive different Vendor-specific Attributes. That means that the returned attributes to the WLC
  will depend of what radius server model or platform you are using.

  Robin,
  For using Microsoft radius to authenticate management users, you can reference this document, which shows you the steps involved.
  http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/91392-airespace-vsa-msias-config.html
  Thanks,
  Scott
  *****Help out other by using the rating system and marking answered questions as "Answered"*****

• Non-Cisco WGB and H-REAP

  Anyone had success rolling out non-Cisco WGBs with H-REAP?
  My customer is using WLC 5508 with code 7.0.116.0. As per WLC config guide ( http://goo.gl/6kX0d ), Cisco has tested multiple third-party devices for compatibility. Is it possible to get that device list somewhere? My customer is using TP-Link model TL-WA901N v2. The 5508 WLC does not recognize this device as a WGB. Rather, it displays the wired client behind the non-Cisco WGB.
  Is H-REAP supported for non-Cisco WGBs? The WLC config guide says H-REAP is not supported with Cisco WGBs, but does not make a distinction for  non-Cisco WGBs.
  Regards,
  -steve w.

  Hello Stephen,
  Thanks for clarifying. Can Cisco disclose the third-party devices it has tested (non-Cisco WGB)?
  TIA,
  -steve w.

• Configuring Guest Access using 2 LWAPs and 2504 WLC

  Please advise,
  I have 2 APs, Cisco Aironet 1040, and 2504 WLC.
  Is it possible to configure guest access (Guest SSID/VLAN and Corporative SSID/VLAN) without dedicated guest WLC in DMZ?

  Yes you can. You can have up to 16 SSIDs per AP, but not suggested to have all 16. You can either use one port on the 2504 for both SSID/vlan or specify which port is for corporate and which one is for guest.
  Thanks,
  Scott Fella
  Sent from my iPhone

• Steps to update a 4402 WLC from 4.2 to latest 7.x

  Greetings,
  We need to upgrade a 4402 wlc from 4.2 where it is now, to the most recent 7.x release.  I believe this is a 2 step process.  Does anybody know the correct steps to upgrade to?  Obviously we can't just jump straight to 7.x
  Thanks in advance!
  -Zach

  http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_0_116_0.html#wp233853
  If you read the release notes a little more carefully, you will also see the following:
  4.2.130.0 or earlier 4.2 release
  Upgrade to 4.2.176.0 before upgrading to 7.0.116.0.
  4.2.173.0 or later 4.2 release
  You can upgrade directly to 7.0.116.0.
  Note If you upgrade from 4.2.176.0 to 7.0.116.0, the upgrade fails for the first time. The upgrade completes successfully when you upgrade again.
  4.2.209.0 or later 4.2 release
  You can upgrade directly to 7.0.116.0.
  Just keep the above in mind depending upon your 4.2 release.

• What are the bandwidth requirements between a WCS and a WLC?

  We have a customer who has two locations Site A (approx. 30 APs) and Site B (approx. 50 APs). Each site has a WLC. The customer wants to deploy a WCS at Site A that will monitor both WLCs.
  What I have been unable to find is how much traffic is going to be generated between the WCS at Site A and the WLC at Site B?
  Primarily, I would like to understand how this configuration will impact their point to point WAN link.
  Also, are there any known requirements in terms of max. allowable latency between the WCS and WLC?
  Any anectdotal evidence would also be appreciated - such as any experiences running this over a T1.
  In this particular case, the customer has a 100Mbps wireless point-to-point link as their WAN link, but I do not know the actual throughput capacity and/or if it is half or full duplex.
  Thanks,
  John

  John,
  This is very interesting question and I will try to answer with what I know after supporting WCS for a while.
  WLC and the WCS communicate over SNMP only. The generated traffic is SNMP (UDP). It's not a lot in terms of bandwidth, should I say quite minimal. Running over a T1 (not congested!) should be completly fine.
  There are a few things we can control about snmp as you are over a WAN link: we can increase the SNMP timeout, we can increase the SNMP retries and also, we can reduce the max varbinds per PDU, so the snmp packets sent are smaller and dont get fragmented over your WAN ISP.
  As SNMP is UDP, the only things you can control is the timeout and the number of retries because UDP doesnt have the control that TCP offers.
  The most intense traffic will be when you first add your controllers in WCS.
  I have seen quite a few deployments with WCS over WAN link and tweaking those settings I mentioned made it possible.
  You can find those settings in WCS -> Administration -> Settings -> SNMP
  HTH