Wireless design - Cisco 5508
Just recently bought a couple of 5508's, one for lab and one for production.
So I am at early stage design here.
I have a few questions
I would like to create one vlan, that is trunked across all 8 floors of company, distrubution switches and associated AP's per floor.
Once a client tries to connect I would like them to be able to use their domain credentials (LDAP) to authenticate against the wireless
infrastructure. Once they authenticate, they are granted access to the wireless vlan which has connectivity back to the network.
From a design perspective is this the best way to go about doing this ? I see that there is a section for LDAP authentication, if they
are already logged into the domain and then undock their laptop and connect over wireless will they have to retype in the username and password ?
Seamless would be nice
From a guest (in house consultant) perspective, how do I design for just allowing them wireless access but only to the internet and not have access to rest of internal network. Is there a way to differnetiate via vlan assigment is they are a guest or an authenticated user ?
Pretty new to this 5508, but so far it looks great. Any advice / help would be appreciated.
Cheers
Dave
Let's try to do it point by point.
If you are to accept guests, you are better with a separate SSID with no authentication. That separate SSID will be on a separate vlan so you just have to configure ACLs on your network to prevent internal network access.
With regards to authentication, LDAP is a user database. You still need an authentication server. WLC can act as one but it's not as good as a real aaa/radius server.
So the best is to have WLC using a radius server (Microsoft NPS/IAS or Cisco ACS or whatever) that will do PEAP authentication and will use Active Directory as the database (The radius server is using AD as database, not WLC).
This allows to dynamically assign vlans and funny stuff that radius server allows.
To have it "seemless" you can pre-configure the client supplicants to do PEAP and automatically use Windows login credentials, so they won't be prompted if all goes well.
For specific questions, I think all is covered in the WLC config guide but this should be a good set of pointers for you to know where to look.
Hope this clarifies.
Nicolas
Similar Messages
-
Cisco 5508 interface design problem
Cisco 5508 interface design
now i have connect wlc into infra same picture but ap can't register into wlc. How create interface for this diagram. please help me because access switch is unmanage switch i can't config trunk on this.i can install for this solution this isn't ?
thank you for best support.
samyWhy are your AP's on different Vlans?
If you plan to create SSID's on different Vlans then you will need a trunk port to the WLC as the switch needs to pass tagged frames to it and the WLC needs to pass tagged frames back.
Out of interest, you are using a 5508 which is a fairly expensive piece of kit yet you are connecting it to an unmanaged switch. Why? -
Cisco 5508 Hreap - slow wireless throughput
I have a Cisco 5508 setup at a host site with 3 other sites connected using hreap on 1252APs. When doing testing of network speed I find that the throughput from the wireless to wired network is at about 18mbps yet the same test on wired side is 85-100mbps and wireless to wireless is 18mbps
Any ideas what could cause thisHm, just guessing is hard. So ...
Can you upload the configuration?
Which standard do you use? .11n? Encryption method?
Where you the only one on ap while taking the tests?
Have you tried some tests at various daytimes?
Any chances to check for interference or change channels?
Sebastian
Sent from Cisco Technical Support iPad App -
Redirect to web authentication not working on Cisco 5508 Wireless Controller
Hi,
I have a wlan with web authentication:
http://i55.tinypic.com/w145zk.png
and
http://i51.tinypic.com/344sfm0.png
When I connect to the SSID (I get correct IP from the Cisco 5508 Controller) and try to surf, I do not get redirected to the web authentication page (https://1.1.1.1/login.html), when I manually insert the URL I get "cannot display the webpage". Any idea?
The virtual interface is 1.1.1.1.
Here is a screenshot of interface and internal dhcp:
http://i52.tinypic.com/2vkm1d2.png
Any idea why clients are not redirecting?
Thanks!Thanks for the reply dmantil!
When I changed the Virtual DNS name to 1.1.1.1 (the same as the IP) I get redirected if I use http://198.133.219.25, but not with http://cisco.com, I get redirected only if I use IP.
I forgot to mention that the controller is in a lab with no access to DNS server. Does the controller check if the domain is valid before redirecting users? I cant find any documentation on how the controller redirect users. -
How can I set up 3 different VLANs on Cisco 5508
Dear Community Members,
I have a need to setup three (3) VLANs with different SSID's for students , staff and visitors in a College.
The controller is Cisco 5508 with Cisco 3502E-E-K9 AP
presently the wireless network is flat with just one VLAN
NB.
Staff would log in using active directory user name and password.
Student would log in using username and Registration number Possibly using RADIUS SERVER
How best can i achieve this.Scenes you are using single vlan so the point of have multiple SSID is useless and the better approach will be using the AD for both authentication and managing the Group policy for both. In this way you can manage both students and Staff Kindly see the following link for step by step config and understand Group policy
Server 2008/2012
http://jackstromberg.com/2013/05/tutorial-802-1x-authentication-via-wifi-active-directory-network-policy-server-cisco-wlan-group-policy/
cisco document server 2003 (another explaining in detail the flow)
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml -
Wireless design guide/help
Hi guys........just have few qestions about designing WLC 5508
The scenario is that currently one of the client has a firewall Tiering T1 internet facing and T2 internal whioch has multiple DMZ connected.
T2 firewall has a DMZ switch connected which has a router which connects to MPLS cloud to different site across the country. (around 10 sites) all static routing.
Now the client is thinking to deploy wireless at all 10 sites using H-REAP. The issue is that client has only one WLC and they are not willing to buy other as i was thinking to deploy two WLC one for corporate and one for guest users. (one in internal network and on in DMZ)
Now my question is as follwow.
1- Keeping in mind that there is only one WLC where should i physically put it?
2- How guest users will work ? How the authentication will be done?
3-There are 8 SFP ports in WLC how physical topology will look like?
4-How many Vlans i have to make for wirless users will that be 10? (1 at each site) ?
my last question is that how these ports work on WLC are they just like swicth e.g one port can be assigned to different vlan....just confuse about interfaces and vlans on WLC (interfces concept)
Thanks guy and hope to get a response ASAP.1- Keeping in mind that there is only one WLC where should i physically put it?
Well since you will also be supporting Corporate and I'm guessing that is where the WLC sites, it should be in the inside network. You would just need to allow udp 5246 & 5247
2- How guest users will work ? How the authentication will be done?
Guest users can use webauth in which the credentials will be stored on the WLC.
3-There are 8 SFP ports in WLC how physical topology will look like?
This is the tricky part. You can either lag or not lag. You can't split up the lag (etherchannel). So you can either use all 8 if you with and create an etherchannel and then acl the guest traffic out the internet or you can put the guest on a layer 2 vlan in which you would connect that out to the dmz. Or you can use one port for the management and also have a backup port, one for your internal wireless and also have a backup port and the same for guest. SO it would look like this:
Management primary port 1 backup port 2
SSID primary port 3 backup port 4
Guest primary port 5 guest port 6
OR
Management & SSID's primary port 1 backup port 2
Guest primary port 3 guest port 4
4-How many Vlans i have to make for wireless users will that be 10? (1 at each site) ?
If you use local switching which I would think you would, the vlans for the SSID at the remote site will be created locally at each remote site. If you want to centrally switch, means all traffic will come back to the WLC, then you will need at least one. Now you can use a large subnet or have a subnet for each site, its up to you. You would use AP Groups for that.
my last question is that how these ports work on WLC are they just like switch e.g one port can be assigned to different vlan....just confuse about interfaces and vlans on WLC (interface concept)
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered" -
Hi guys........just have few qestions about designing WLC 5508
The scenario is that currently one of the client has a firewall Tiering T1 internet facing and T2 internal whioch has multiple DMZ connected.
T2 firewall has a DMZ switch connected which has a router which connects to MPLS cloud to different site across the country. (around 10 sites) all static routing.
Now the client is thinking to deploy wireless at all 10 sites using H-REAP. The issue is that client has only one WLC and they are not willing to buy other as i was thinking to deploy two WLC one for corporate and one for guest users. (one in internal network and on in DMZ)
Now my question is as follwow.
1- Keeping in mind that there is only one WLC where should i physically put it?
2- How guest users will work ? How the authentication will be done?
3-There are 8 SFP ports in WLC how physical topology will look like?
4-How many Vlans i have to make for wirless users will that be 10? (1 at each site) ?
my last question is that how these ports work on WLC are they just like swicth e.g one port can be assigned to different vlan....just confuse about interfaces and vlans on WLC (interfces concept)
Thanks guy and hope to get a response ASAP.OSITAN N Many thanks please comment
Internet
FW 1
! <---------------------Traffic comming this way
FW2--------DMZ--------------SW---------- Router -----------------IP MPLS-----------------
------Trusted----- ! !
! ------Branch Router-------> RT
! ! ! SW
DSN AD DHCP !
AP
USER
1 Where WLC Place so that Guest trafice dont go to Trusted area?
2. Its gona be H-Reap so DHCP would be local for branch
3. Voce user Qos? priority how ? example
4 Guest Firewall rules to use only internet ? -
Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS
Has anyone experienced a problem getting a Cisco WLC to work with MS NPS server? We've done it before albeit with differnt code versions.
I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication. I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user" along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.
Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond whcih in turn casues to WLC to switch to the other NPS server which produces the same issue.
Any ideas of what might be the issue or misconfiguration?Jim,
I wanted to know if you can setup wireshark on both of the boxes and see if your are hitting the following bug:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044
It looks as if the WLC is retransmitting the client traffic from one radius session with primary over to the secondary in which the radius state attribute that was assigned from the primary server is probably hitting the secondary server. Therefore if the state attribute isnt assigned from the secondary server it will discard the packet.
May need to open a TAC case to see if this issue is on the 550x controllers also.
Thanks,
Tarik -
Cisco 5508 Firmware update 6.x 7.0.98 Questions
Hi guys,
Have not done an update on any cisco gear since about 2001
We have a cisco services contract with IBM that supplies us access to the usb drivers, firmwares etc, and we have a Cisco 5508 6.x running ~30 Cisco 1252's, some 1231's and (potentially) some 1262's once the firmware update is done.
We have a base-count license(permanent) of 50AP's, no expiry
So I guess my questions are:
1) When flashing the new firmware - do the licenses require any sort of modification, or will they work as per normal
2) Are any serial numbers or codes required to be entered once the 7.0.98 firmware is installed?
3) I assume that the old firmware/config becomes 2nd in line to the primary boot option of the firmware during boot process?
Thanks7.0.98.0 is deferred code.
Browse to deferred release on bottom:-
http://www.cisco.com/cisco/software/release.html?mdfid=282600534&flowid=7012&softwareid=280926587&release=7.2.110.0&relind=AVAILABLE&rellifecycle=ED&reltype=latest
Deferral Notice:-
Wireless Lan Controller (WLC) software version 7.0.98.0 is being deferred due to the following issue :
CSCtj21464 - WLC data plane core crashes, causing WLC reboot
http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_2.html
5500 supports 7.2 code but AP 123X is not supported on 7.2, And 126x supported from 7.0.116.0 code. it is suggested to update to 7.0.235.0. -
Hi all,
We recently installed a pair of Cisco 5508 controllers running 7.6.110.0. Right now I don't want to use the 'Redundancy' / 'HA' features, preferring instead to run with an Active/Standby pair controller through the HA tab configured in all APs.
As part of the upgrade to 7.6.110.0 we upgraded the secondary controller first, moved APs over one by one, then upgraded the primary. Right now I am having an issue moving the APs back to the primary. To confirm:
- the mobility group is the same on both devices
- mobility is up
- I am allowing MIC certificates
- AP fallback is enabled
- device names, etc all match as I appreciate there can be issues as this is case sensitive
As far as I was aware that was all that needed to match for this to work. One thing I have noticed however is that if I go into Redundancy -> Global Configuration both the Primary and Seconday are defined as the 'Primary' redundant unit. I've not activated, at least I thought I had not activated, this level of redundancy. Could this be what is causing it? I'm a bit wary of changing this value as I believe the controller will reboot.
Can anybody shed any light on this. The intention was to eventually enable the redundancy and SSO, etc but not right now.
ThanksHi Leo, Scott
So I was doing a bit more reading on this http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69639-wlc-failover.html it is an old document but working through it the document suggested that you didn't need to specify the IP address of the Primary or Secondary controller in the Wireless -> All AP -> AP_NAME -> High Availability. I removed this from one of the APs that was at the time serving no clients and tried to move it to the secondary and it worked. I then moved it back to the primary and it worked again.
Any reason why this would happen? The IP addresses I was using were 100% correct. The only difference I see for this controller as opposed to others we manage is the introduction of new interface types i.e. 'redundancy management' , 'redundancy port' ,etc. I do not have redundancy enabled so I'm guessing not, but having trawled through the configuration this is the only difference I can see? -
Cisco 5508 HA - Webauth Bundle for multiple SSID/multiple web pages
Hi Guys,
I have 2* cisco 5508 WLC in HA mode . Both are running IOS 7.5.102.0 . Everything is working perfectly fine.
I need to Creat 3 differnet SSID and Creat 3 different login Pages for them . Each user from respective SSID will get specified login Page. like
I have few questions :
1) I have downloaded webauth bundle from cisco Support Site and in that itself so many files are there. So based on my scenario , in which folder do i need to copy my login and logo file.
2) i have used Picozip to convert the file in .tar format but its giving me following error "
% Error: Webauth Bundle file transfer failed - No reply from the TFTP serve" but i can ping my tftp server easliy.
3) As Controllers are in HA mode , so once i am successful in uploading webauth bundle then it will be replicated on secondary controller or do i have to turn off SSO and upload in both one by one.
Please help me out in this.
CheersHello Sandeep,
i have uploaded the tar which you have sent to me. When i supply my username and pwd, after that it keeps on going and not showing any end result. so it stays on same page and nothing happening after that.
Are there any more radius ACL's to be defined ? 10.10.13.x is wireless client network , 192.168.10.21 is Radius Server , 192.168.10.215 is proxy server. Is there any other ACL need to be defined ??
Source Destination Source Port Dest Port
Index Dir IP Address/Netmask IP Address/Netmask Prot Range Range DSCP Action Counter
1 Any 10.10.13.0/255.255.255.0 192.168.10.21/255.255.255.255 Any 0-65535 0-65535 Any Permit 0
2 Any 192.168.10.21/255.255.255.255 10.10.13.0/255.255.255.0 Any 0-65535 0-65535 Any Permit 0
3 Out 10.10.13.0/255.255.255.0 1.1.1.1/255.255.255.255 Any 0-65535 0-65535 Any Permit 0
4 In 1.1.1.1/255.255.255.255 10.10.13.0/255.255.255.0 Any 0-65535 0-65535 Any Permit 0
5 Any 10.10.13.0/255.255.255.0 192.168.10.215/255.255.255.255 Any 0-65535 0-65535 Any Permit 98
6 Any 192.168.10.215/255.255.255.255 10.10.13.0/255.255.255.0 Any 0-65535 0-65535 Any Permit 98
DenyCounter : 12 -
We have cisco 5508.
We had problems with the connection of the first and second iPad version. Firmware: 7.0.235.3. Putting firmware 7.x. we can not because we have a point of 1310. But we put the firmware 7.2 ipad still have not get wireless. Then we rolled back. It is interesting that not only work the first and second iPads. All the above works. Played with TKIP instead of AES, did not help ...
P.s. iphone works.(Cisco Controller) >show wlan 45
WLAN Identifier.................................. 45
Profile Name..................................... Test
Network Name (SSID).............................. Test
Status........................................... Disabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 6400 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ guestwifi
Multicast Interface.............................. Not Configured
--More-- or (q)uit
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... 802.11g only
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Global Servers
--More-- or (q)uit
Accounting.................................... Global Servers
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
H-REAP Local Switching........................ Disabled
H-REAP Local Authentication................... Disabled
H-REAP Learn IP Address....................... Enabled
Client MFP.................................... Optional but inactive (WPA2 not configured)
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
--More-- or (q)uit
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Mobility Anchor List
WLAN ID IP Address Status -
I have 2 Cisco 5508 Wireless LAN Controllers.
They are NOT connected to a WCS.
Is there a way to confiure the 5508's to send email notifications when an AP drops off line?
Is not is this functionality available with either a WCS or new NCS?Hi,
You can't send SMTP alerts directly from the controllers.
The options you have are
to configure a Syslog server under the Management tab of the controller to enable logging of alarms to the Syslog server. When the alarm arrives at the syslog server, there needs to be an event configured to email the particular alarm to SMTP recipients
Install WCS at version 7.x providing support for the 5508 controllers and 350x WAPs. Via WCS, with the controllers and WAPs managed by the application, the alarms will be emailed to the configured SMTP recipients
Hope this is of help
Regards
David -
Creating new Bridge Group names in Cisco 5508 WLC??
How do we Create new Bridge Group names on Cisco 5508 WLC, with 1552E Access Point??
You create it on the 1552 once the AP joins. One it joins, you will have to choose that AP and then set the AP mode to Bridge and then apply. This will reboot the AP. Once the AP comes back, you will have a MESH tab on that specific AP or any AP that you have set to Bridge mode. You then set the AP role and the bridge group name there. Here is an older MESH deployment guide to follow.
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70mesh.html
Scott -
Cisco 5508 Controller 5GHz band selection
hi,
today i installed one Cisco 5508 Controller with 1262 APs only with 5GHz antennas. all radios are came up excpet 5ghz band, i tried all my level of best to get it UP. can anybody tell me if there is anything we need to really inspect to enable 5 GHz band.
Anvarhi Nocolas,
please find below answers, and attached snapshot
1) what is your AP exact model ? -A ? -E ?
Ans:- AP Model No - AIR-LAP1262N-A-K9
2) What country did you configure your WLC for ?
Ans:- Saudi Arabia
3) did you enable 802.11a network on the "wireless" tab ?
Ans:- Yes
4) if you go to the AP radio list on the WLC, what does it say for your AP ? up ? down ?
Ans:- 802.11a/n Radios DOWN
802.11 b/g/n Radios UP
Thanks,
Anvar
Maybe you are looking for
-
Greetings everyone Im using Netbeans 6.8, when I run my app, this message appears on the emulator.."The application has unexpectedly quit. Contact the application provider to resolve the issue." What does it mean? Any feedback will be greatly appreci
-
Connection between Source Systems and BW
Hello, I´m trying to connect our SAP BI 7.0 system to SAP R/3. At the following link, the topics for connecting BW with SAP source systems aren´t mentioned in detail: http://help.sap.com/saphelp_dm40/helpdata/en/00/dc54384ac9a81be10000009b38f8cf/fram
-
Java.lang.OutofMemory when i call webservices
Hi, I am passing an xml document as byte stream to the web-service method. I get java.lang.outofmemoryerror when the xml file size is larger (say greater than 1MB.). But i am able to parse the xml file in the jsp page. I also tried to change the heap
-
Upgrade & move Elements 5 to Elements 10
I have upgraded from Elements 5 to Elements on a new computer. I moved the catalog, but the links are broken - as far as I can tell due to changes in the path names forced by different hard drive volume names. Any suggestions as to the best way to re
-
I can't see the Audio Waveforms in the timeline. No triangle button to click. Just switched from FCP. Help!