Wism's and WLC 4400 Controllers on V4.2.61.0

Hi, I've multiple WiSMs in 6504 chassis and several 4400 WLC controllers, all on ver 4.2.61.0 and all in the same mobility group, ten in total. Recently we have had to create multiple mobility groups. I've applied access point templates to specify which controller to connect to as a primary. For some unknown reason, after I've created the separate mobility groups, some devices go back to the original hosting controller even though it is now in a different mobility group and the wireless LAN ID for the AP is no longer on the blade/controller; the devices attached to the AP just probe.
Can you please advise if there is anything I can do about this? I've tried pushing another template to the AP with its new controller, which reboots the AP, but it still goes back to the original host in the other mobility group.
Kind Regards,
Carl

Hi Carl,
Your LAPs join the wrong WLC even when you've configured the primary/secondary controllers' name OR IP address and you are using v4.2.61.0. Is this correct?
If so, then it's a well-known bug of the v4.x.  Unfortunately, the workaround is CLI.  It's unfortunate because you have to type the command on the WLC and specify the LAP.
The command is:  config ap controller primary
This bug has been fixed on the 5.X and 6.X firmware.
Hope this helps.

Similar Messages

  • AP1220B and WLC 4400

    Will Aironet AP1220B (AIR-AP1220B-A-K9) be compatible with WLC4400 with an IOS upgrade? I looked up notes and docs but couldn't figure out if that particular model is supported to run under a Wireless LAN Controller. Or do I just have to upgrade to another model?
    Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00804fc3dc.html
    Lightweight Access Point FAQ
    http://www.cisco.com/en/US/products/ps6306/products_qanda_item09186a00806a4da3.shtml

    Hi Zwe,
    You are going to need to upgrade to a different model :( Have a look;
    For all Cisco IOS Software-based Aironet 1200 Series modular AP (1200/1220 Cisco IOS Software upgrade, 1210, and 1230 AP) platforms, the ability to convert the AP depends on the radio.
    If the radio is IEEE 802.11g, MP21G and MP31G are supported.
    If the radio is IEEE 802.11a, RM21A and RM22A are supported.
    You can upgrade the 1200 Series APs with any combination of supported radios:
    G only
    A only
    Both G and A
    From this doc;
    http://www.cisco.com/en/US/products/ps6306/products_qanda_item09186a00806a4da3.shtml
    EOS/EOL for Cisco Aironet 802.11B-Based and First Gen. 802.11A-Based Prods
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_eol_notice0900aecd802ad911.html
    Hope this helps!
    Rob

  • WLC 4400 and WLC 5500

    We have a site with a WLC 4400 and we would like to set up a Controller failover. The WLC 4400 is EOS/EOL and the replacement available is WLC 5508. Can someone advise me on how to configure these units in Primary/Secondary mode so that if any of the Controllers fail, the other one can take over?
    Thanks,

    Hi Akil,
    You are most welcome
    Yes, you can configure 4400's and 5500's in a redundant configuration, but both should be running the same code version. I believe the latest version that is compatible for both is 7.0.220.0. This is the last version that supports the 4400 series.
    Here's a note that reflects the support;
    Note
    Controllers  do not have to be of the same model to be a member of a mobility group.  Mobility groups can be comprised of any combination of controller  platforms.
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mobil.html
    Cheers!
    Rob
    "Show a little faith, there's magic in the night" - Springsteen

  • 2 Cisco WLC 5508 controllers and software upgrade 7.6.130 + FUS 1.9

    Hi
    I have two WLC 5508 controllers that need 7.6.130 and FUS 1.9 installed. (Current version 7.3 and FUS 1.7)
    Configuration: One controller is at Site A and the other controller is at Site B (two different states..)
    They're configured so that if Site A goes down, Site A AP's will failover to Site B and vice versa ..
    - What would be the recommended approach for upgrading the software to 7.6.130.0 (from 7.3) and also upgrading FUS 1.9 (from 1.7)?
    My plan was to download 7.6.130.0 to both controllers and pre-download the software to all AP's (about 100 total between both sites) and then reboot the controllers at night at the same time? Or one before the other? 
    Step 2. Install FUS 1.9 to each controller.
    I'm concerned over what might happen during the upgrade and AP failover etc..
    Thanks

    This is what I would do:
    Upload v7.6.130.0 to all WLCs and then use the pre-image download to push the image to all access points.
    Don't reboot the WLC
    Image swap in the access points so that v7.6.130.0 is primary
    Move all access points to one of the WLCs (A)
    Enable AP AAA authentication on the WLC that has no access points and the one you will work on first. This prevents access points from joining
    Reboot the WLC (A)
    Upload the FUS 1.9.0.0
    Reboot WLC (A); this takes up to 45 minutes
    When the WLC (A) comes back online, uncheck AP AAA authentication
    Move access points from WLC (B) to WLC (A)
    Enable AP AAA authentication on WLC (B)
    Perform all the other tasks you did earlier on WLC (A)
    That's it.
    -Scott

  • WLC 4400 and multiple authentication servers e.g. RADIUS, ACS

    Can the WLC 4400 be set up to use multiple RADIUS servers? The user accounts for accessing wireless would use a RADIUS server. The administrative accounts for the WLC would reside on an ACS server.

    Yes, that is correct. You can set acs to use both radius and tacacs.
    For this you need to add WLC twice in acs-->network configuration. But you need to keep host name different.
    eg 1) Host name WLC --->IP x.x.x.x -->Auth using -->radius
    2) Host name WLC1--->IP x.x.x.x --->Auth using -->Tacacs.
    You need to set up tacacs commands on WLC along with radius commands.
    Regards,
    ~JG
    Please rate helpful posts

  • WLC 4400 and IDS attacks

    Hi,
    I have a WLC 4400 and a WCS 5.2. I'm receiving alarms about flood attacks and deauthentication attacks from a client. These alarms are detected by the IDS system. I'd like to know if there is any way to block this client.
    Thanks a lot.

    Thanks Sschmidt,
    I saw this solution. The problem is that I must create an entry for each client. If any client captures the WPA key and afterwards changes his MAC, I couldn't block them. Is that correct? I don't know how easy it is to capture authentication packets with a WLC.
    Thanks

  • WLC 4400 Not authenticating between GUEST and Private networks

    Hello,
    I have a problem. I have a WLC 4400 and the problem I'm encountering is that when a user authenticates to the private network and then tries to authenticate to the Guest network, it just stays there; it doesn't do anything. The same happens the other way around: if you authenticate to the Guest network and change to the private network, it just sits there. I suspect that the problem is with authentication, but I'm not sure if I'm correct.
    Can anyone help me? What information will I need to retrieve from the WLC to see where the problem lies?
    I will get the debug mac addr <client-MAC-address xx:xx:xx:xx:xx:xx> and repeat the issue in order to see if I get anything from the client.
    Thanks for the help
    Tony

    Thanks for the help.
    Actually the problem was that the WLC had the wrong time and also we had a 24-hour lease on our DHCP, so we were running low on IPs.
    Changed the lease to 8 hours and set the time correctly and the issue got solved.
    Thanks.

  • WLC 4400 4.2.176.0 Ver and Windows Vista

    We recently upgraded our WLC 4400s to 4.2.176.0. This was requested by Cisco. When the students returned from Christmas break, any student running Vista is able to authenticate to the AP, get an appropriate IP address and DNS configuration, but cannot get to any network resources, including Internet. If we hard code the DNS information in the wireless card TCP/IP Properties, the user can get to some Internet sites, but no HTTPS pages.
    All XP and MAC machines appear to be working fine.
    Any thoughts?

    The problem is that it's not deauthenticating the user, it's just dropping completely and disabling the Windows Zero Configuration in the services. I do not know how or what in the WLC would do this. I really don't think this is anything that I can control. I am guessing that there is an internal conflict on the PC. I have been told that the image used to image the machine has had the manufacturer's wireless client utility removed. I did find a DW Utility in the services list. I think that is my problem. I did however go ahead and upgrade them to 5.2.193. All I can do is have the customer monitor and see what happens. Will post an update when I get one.

  • WLC 4400 and IDS/IPS

    One of my clients is keen to know the IDS/IPS capabilities with WLC 4400. Any hints? Also can anyone explain IDS sensor to me? Thank you.

    There are a number of IDS capabilities that are highlighted regarding the WLC. Unfortunately, you will find that the product continues to suffer from ongoing false positives and a severe lack of documentation (and support) for the IDS.
    For example, if you utilize containment against a rogue AP (which is used to prevent users from attaching to the rogue), the system detects its own containment messages as a denial of service attack. The system is not intelligent enough to know that it is the source of these messages and ignore them.
    Initially, Cisco flagged these false positives as "cosmetic" and claimed that to fix them required a "feature request that must be run through the Cisco sales team" which we did in the spring of 07. Cisco has been VERY slow in coming around on getting these fixed (it has been well over a year since these have been documented and they are still not resolved in the current version of 4.2).
    The Wireless IDS system is also famous for other false alarms which Cisco TAC has linked to alarming on normal behavior when a client goes out of range and a string of deauthentication messages is sent to make sure that the conversation has ended. The WLC 4.2 continues to flag these as false-positive denial-of-service attacks even though the IDS parameters could be adjusted (from the factory) to account for the known 64 repeated deauths that are sent.
    The IDS file is capable of "tuning" but the parameters are very lightly documented. In fact, the IDS parameter file itself had the least sparse version of documentation and it is a text file only 200 lines long.
    In terms of determining if a rogue AP is on-wire, this functionality does not work reliably (not just if there is no path on the wired network to the controller, which is understandable) but even if the rogue AP is on the same subnet as the controller. It just plain does not work.
    If you are attempting to determine if there are clients on the rogue AP, this mechanism works with limited success since the AP has to catch the client attaching during its brief scan interval. This results in misleading information.
    There are other false alarms that appear to be related to a specific chipset (using the OUI / first octet of the MAC address). However, there has been very little movement on Cisco's part in getting resolution to getting these anomalies addressed. The basic attitude has been "if we didn't see it in our lab in San Jose when we wrote the code, there's nothing we can do". Since the IDS lacks any ability to "phone home" (sending the alarms it is seeing to the development team) they end up having to develop in a relatively limited environment.
    For more information, please reference the following:
    Wireless LAN Controller IDS Signature Parameters
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008063e5d0.shtml
    I would send you the link to some of the bugs, such as CSCsj06015, CSCsh35010, CSCsk60655, etc. but the Cisco bug tool ( http://tools.cisco.com/Support/BugToolKit/ ) is currently not working (no doubt the system is getting overworked). Maybe the site will be up when you read this.
    In the interest of fairness, there have been efforts over the past year by Cisco to address these false alarms and a number of them appear to finally be resolved.
    Bottom line: In my opinion, the wireless IDS is still not ready for prime time. To quote my customer, "I just can't trust it". Unless you set your customer's expectations fairly low, you will both end up disappointed.
    That said, the product itself still has many compelling reasons to implement it including ease of installation and management. If you are willing to wade through the various bugs in the IDS and WCS it still is the best game in town.
    - John
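
    Added example, not part of the original post and not Cisco's signature engine: a deauthentication-flood classifier that applies the two tunings the post asks for, ignoring the deployment's own containment frames and tolerating the known run of 64 repeated deauths. The frame tuple format, the 1-second window, the MAC addresses and the function names are assumptions made for this sketch.

```python
from collections import defaultdict, deque

# From the post: a run of 64 repeated deauths is expected when a client drops off.
NORMAL_DEAUTH_BURST = 64


def classify_deauth_sources(frames, contained_bssids, window=1.0,
                            burst=NORMAL_DEAUTH_BURST):
    """Classify each deauth source seen in `frames`.

    frames: iterable of (ts_seconds, src_mac, dst_mac) tuples (constructed format).
    contained_bssids: rogue BSSIDs this deployment is containing right now.
      Assumption: containment deauths carry the contained rogue's BSSID as
      source, so that is the address a sensor records.
    window: sliding-window length in seconds (assumed value, not from the post).
    """
    contained = {b.lower() for b in contained_bssids}
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    peak = defaultdict(int)       # src -> highest in-window frame count
    targets = defaultdict(set)    # src -> distinct destinations
    for ts, src, dst in sorted(frames):
        src, dst = src.lower(), dst.lower()
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:      # drop frames older than the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
        targets[src].add(dst)

    report = {}
    for src in peak:
        if src in contained:
            verdict = "self-containment"   # our own countermeasure: no alarm
        elif peak[src] <= burst:
            verdict = "normal-burst"       # within the known 64-frame run
        else:
            verdict = "flood"              # raise an alarm
        report[src] = {"peak": peak[src], "targets": len(targets[src]),
                       "verdict": verdict}
    return report


def alarms(report):
    """Sources that should actually page someone."""
    return sorted(src for src, r in report.items() if r["verdict"] == "flood")


def constructed_sample():
    """Constructed frames (locally administered MACs) covering three behaviours."""
    ap, client = "02:00:00:00:00:01", "02:00:00:00:10:01"
    rogue = "02:00:00:00:00:66"      # rogue BSSID under containment
    unknown = "02:00:00:00:00:99"    # source nobody accounts for
    frames = [(i * 0.01, ap, client) for i in range(64)]            # client loss
    frames += [(5 + i * 0.005, rogue, f"02:00:00:00:20:0{i % 2}")   # containment
               for i in range(200)]
    frames += [(9 + i * 0.005, unknown, "ff:ff:ff:ff:ff:ff")        # broadcast run
               for i in range(300)]
    return frames, {rogue}


if __name__ == "__main__":
    frames, contained = constructed_sample()
    for src, row in classify_deauth_sources(frames, contained).items():
        print(src, row)
```

    Passing an empty containment set to the same function reproduces the false positive described in the post: the contained rogue's BSSID is then reported as a flood source.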

  • WLC 4400 (SW ver: 7.0.235.3) and 1242 AP connectivity issue

    Hi ALL..,
    I have a problem with the WLC and APs: the APs cannot get an IP and can't connect to the WLC. It shows the following error:
    *Oct 24 14:45:27.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.2.11 peer_port: 5246
    *Oct 24 14:45:28.000: %CAPWAP-5-CHANGED: CAPWAP changed state to 
    *Oct 24 14:45:29.419: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.2.11 peer_port: 5246
    *Oct 24 14:45:29.420: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.2.11
    *Oct 24 14:45:29.420: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Oct 24 14:45:29.595: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *Oct 24 14:45:29.602: %DTLS-5-ALERT: Received WARNING : Close notify alert from 192.168.2.11
    *Oct 24 14:45:29.602: %DTLS-5-PEER_DISCONNECT: Peer 192.168.2.11 has closed connection.
    *Oct 24 14:45:29.602: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.2.11:5246
    *Oct 24 14:45:29.661: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Oct 24 14:45:29.661: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Oct 24 14:45:29.756:  status of voice_diag_test from WLC is false
    My Management Int IP : 192.168.2.50
    AP Management interface :192.168.2.11
    DHCP server Pri : 192.168.2.12 Sec 192.168.2.13
    There is reachability between SW and WLC. Do you have any idea about my issue?
    Thanks and Regards
    CSCO11872447

    It seems your LAP AP is not getting the IP of the management subnet and the LAP is in a different subnet than your management IP.
    Please try keeping the static IP on the LAP and then try joining it to the controller first and later on keep it on the DHCP.
    When the AP is plugged into a switch, the switch port needs to be access with the right VLAN allowed.
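
    Added example, not part of the original posts: a parser for the AP console log quoted in the question that rebuilds the CAPWAP state sequence and reports which peer closed the DTLS session and in which state. The log lines are copied from the post; the function names, the placeholder year and the 1-second window are assumptions made for this sketch.

```python
import re
from datetime import datetime, timedelta

# AP console lines copied from the post above (sample input for this example).
SAMPLE_LOG = """\
*Oct 24 14:45:27.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.2.11 peer_port: 5246
*Oct 24 14:45:28.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Oct 24 14:45:29.419: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.2.11 peer_port: 5246
*Oct 24 14:45:29.420: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.2.11
*Oct 24 14:45:29.420: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*Oct 24 14:45:29.595: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*Oct 24 14:45:29.602: %DTLS-5-ALERT: Received WARNING : Close notify alert from 192.168.2.11
*Oct 24 14:45:29.602: %DTLS-5-PEER_DISCONNECT: Peer 192.168.2.11 has closed connection.
*Oct 24 14:45:29.602: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.2.11:5246
*Oct 24 14:45:29.661: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Oct 24 14:45:29.661: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Oct 24 14:45:29.756:  status of voice_diag_test from WLC is false
"""

LINE_RE = re.compile(
    r"^\*(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}): "
    r"%(?P<fac>[A-Z]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<msg>.*)$"
)
STATE_RE = re.compile(r"CAPWAP changed state to\s*(?P<state>\S*)")
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse(log):
    """Turn tagged console lines into event dicts; untagged lines are skipped."""
    events = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # e.g. the voice_diag_test line carries no %FAC-SEV-MNEM tag
        # The log has no year; a fixed placeholder year is added only so that
        # timestamps can be subtracted from each other.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
        events.append({"ts": ts, "fac": m["fac"], "mnem": m["mnem"],
                       "msg": m["msg"]})
    return events


def _state(event):
    """Return the CAPWAP state named by a state-change event, else None."""
    if event["fac"] == "CAPWAP" and event["mnem"] == "CHANGED":
        m = STATE_RE.search(event["msg"])
        if m:
            return m["state"] or "(blank)"   # one line in the post names no state
    return None


def state_sequence(events):
    """Ordered CAPWAP states with consecutive duplicates collapsed."""
    seq = []
    for e in events:
        s = _state(e)
        if s is not None and (not seq or seq[-1] != s):
            seq.append(s)
    return seq


def diagnose(events, window=timedelta(seconds=1)):
    """Report each close-notify received from the peer and the state it hit."""
    findings, last_state, last_ts = [], None, None
    for e in events:
        s = _state(e)
        if s is not None:
            last_state, last_ts = s, e["ts"]
        elif (e["fac"] == "DTLS" and e["mnem"] == "ALERT"
              and "Close notify" in e["msg"]):
            peer = IP_RE.search(e["msg"])
            findings.append({
                "closed_by": peer.group(1) if peer else None,
                "state_at_close": last_state,
                "soon_after_state": last_ts is not None
                                    and e["ts"] - last_ts <= window,
            })
    return findings


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print(" -> ".join(state_sequence(ev)))
    print(diagnose(ev))
```

    On the quoted log this shows the DTLS session and the join succeeding, then the peer 192.168.2.11 sending a close-notify 7 ms after the AP enters CFG, after which the AP returns to DISCOVERY.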

  • ISE WLC 4400 configuration

    Up until now, my experience has been with 5500 controllers and ISE.
    My customer is using 4400 controller, on 7.0.240 code.
    I cannot locate any documents referencing 4400 controller configuration for webauth, named ACLs, posturing, etc...
    Does anyone know of any documents, or have experience that can assist with this configuration?

    Michael,
    Depending on the version of ISE software you are running, you may be in luck.  The information below is for 1.1.x.  If you are using v 1.2, you may have to tweak a bit.
    In this first document, you can see the WLC 4400 is supported and Local Web Auth is supported, with the following caveat:  “Wireless (An ISE Inline Posture node is required if the WLC does not support CoA as discussed in Footnote #4. WLCs with the code specified in this table do support CoA without an ISE Inline Posture node)”
    http://www.cisco.com/en/US/docs/security/ise/1.1/compatibility/ise_sdt.html#wp55038
    Of course, with an IPN, your posturing  (and CoA) is handled here.
    DACLs are also supported on the WLC 4400.
    Per User ACLs are covered in the following document:
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808b041e.shtml
    I think you will find that if you substitute the ACS pages with the corresponding ISE interface pages, this can be done.
    Please feel free to ask any additional or follow-up questions.
    Also, please let me know if this fixes your issue.  If it does, please rate this answer and mark your question as Answered.
    Charles Moreton

  • Migrate AP from WiSM to Virtual WLC

    Hello all,
    We have WiSM installed in Core Switch 6500 having 300+ AP registered on it.
    We want to migrate our AP's to new Virtual WLC. What is the best way to migrate AP to new vWLC with less down time.
    Can we migrate APs from WiSM to Virtual WLC in bulk (all at one time)? I read somewhere in a forum that AP version 7.3 and above start supporting vWLC. I am not sure if this applies to WiSM as well (I am assuming WiSM and WLC are different)?
    My WiSM is running 7.0.240.0 & vWLC is 7.4. please check the WiSM attachments.
    Also is there any way to take backup from WiSM and restore on vWLC ?
    Regards.

    Hi,
    First of all, in order to reduce downtime, I would recommend that you upload the 7.4 code on the WiSM and predownload it to all the APs. (Wireless -> Global Configuration - AP Image Pre-download).
    Another thing would be to configure the vWLCs as back-up Primary & Secondary Controllers (Wireless -> Global Configuration - High Availability). Doing this, your APs will already know about the new WLC when the first one goes down and will not have to go through the discovery process. (Test from the AP CLI with show capwap client config.)
    For the AP mode "mass-conversion" to flexconnect I don't know a better way than from WLC CLI, using:
    config ap mode flexconnect submode none AP_NAME_1
    config ap mode flexconnect submode none AP_NAME_300
    You could use a text file to edit the command with the AP names and then paste it all at once in the WLC. It would be wise to test it first with a few lines.
    If you did all this, when your old WLC goes down all your APs should associate to the new WLCs.
    Best regards,
    Sebastian

  • Migrate WLC 4400 to WLC 5500

    Hi experts,
    I want to migrate WLC 4400 with WLC 5500, but I don't know how to do this.
    Should I create a new configuration or use my WLC 4400 config?
    I want to know about IOS for WLC 5500: should I upgrade my Access Points to connect with the new WLC?
    I need a good method to migrate this WLC, so my WLC 5500 can run properly.
    Thank you for your help.

    I have no idea how Ravi's answer is considered "correct" when he didn't address the most important aspect of your thread.  
    As far as I'm aware, you need to ensure both controllers are running the same firmware or 7.0.250.X. 
    Take a copy or export the config of the 4400 configuration to your TFTP server.  Edit the file and change the necessary settings.  Go to the 5500 and download this configuration file.  Upgrade the firmware and the bootstrap if necessary.

  • IDS feature on WLC 4400 series

    Hi Everyone,
    I'd like to ask about the IDS feature on WLC 4400 series.
    What will the WLC do if it detects an attack specified in the Standard IDS signature ? Will the WLC shutdown the client or just report it ?
    Thank you

    The intrusion-detection-system (IDS) signature engine on controllers and on the Cisco WCS automatically eliminates duplicate alerts for rogue access points, rogue clients, and IDS signatures that previously occurred when two or more access points detected the same attacker. Now instead of one IDS alert from each detecting access point, a single alert is generated for the attack.
    Intrusion detection, location, and containment preserve the integrity of wireless networks and sensitive corporate information. When an associated client sends malicious traffic, a Cisco wired IDS device detects the attack and sends shun requests to Cisco Wireless LAN Controllers, which then disassociate the client device.

  • Converged Access Design Help (Catalyst 3850 and WLC 5508...Mobility Oracle)

    Hello,
    I am an engineer working with a Cisco Gold Partner in Saudi Arabia. We have a large university as our client where they are constructing a new building and require our services to build the network infrastructure. Therefore, we are to implement the routing and switching infrastructure as well as the Wireless solution.
    At present, I have no issues in implementing the R&S infrastructure as it is very straightforward, but it has implications on the deployment of the wireless solution which I explain further below. The R&S infrastructure comprises of the typical Core, Distribution, and Access layers and we are focusing on the local distribution and access switches with regards to the new building. The client has a converged Layer 3 network spanning from distribution layer to core layer and they are running EIGRP for this convergence. This is not a problem and has already been implemented.
    Yet, the challenge arises in deploying the WLAN infrastructure. The client already has a Cisco WLAN infrastructure in place where they have a large number of LAPs that are registered with their controllers in the Data Center. They have two WLC 5508 where one is the Primary and the other the Secondary. The local distribution switch to which the WLC are connected also is the gateway for the SVIs for the SSIDs that are configured on the controllers. This means that once the packets from the AP come in to the WLC, they are tagged with the correct VLAN and sent to the directly connected distribution switch which then routes it into the rest of the Layer 3 network. Interestingly, the WLC 5508 are running AireOS 7.6 and support the "New Mobility" feature. The two controllers have formed a Mobility Group (MG) between each other.
    Now, the new building will have two Catalyst 3850 switches installed where each one has a total of 40 AP licenses pre-installed and activated, i.e. a total of 80 APs can be supported by the two switches. A total of 67 LAPs will be deployed in the new building which can be accommodated between the two switches and their integrated controller.
    Yet, based on my understanding and research about Converged Access is that, ideally, the Catalyst 3850 will only run the Mobility Agent (MA) feature while a central controller would provide the Mobility Controller (MC) service. Unfortunately, there are not enough licenses on the existing WLC 5508 nor can we migrate the new licenses that will facilitate such a split deployment.
    This means that I would need to configure the two Catalyst 3850 as independent MC and form a MG between them. I have done this and tested this already and the mobility is working fine. But my concern is not about getting the Catalyst 3850 to work as this is simple, but rather it is focused on creating a common Mobility Domain (MD) so that clients can roam from this new building to the rest of the campus while maintaining the state of their connections to the WLAN infrastructure.
    To make things more complicated, since the new building will have its own Layer 3 distribution switch and the Catalyst 3850 switches will connect to this distribution switch, it means that new VLANs and SVIs need to be created for the SSIDs broadcast in the new building. This means that new subnets need to be assigned to the SSIDs.
    As such, I have the following questions:
    Q1) If we create new SVIs for the SSIDs (same SSIDs names will be used in the new building as in the rest of the university campus) this means that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s to be in the same MG as the existing WLC 5508 which then cater for Layer 3 client roaming or I have to treat this as a totally separate WLAN network and follow on to the solution as per the next question. Please advise which is a better option?
    Q2) I could create separate MG i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can then have one of the existing WLC 5508 (the primary one) to run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD). Would this facilitate in Layer 3 client roaming and RRM for all the controllers in the same MD?
    Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
    Please advise at your earliest. To assist further, I have attached a topology diagram which may aid in explaining the situation with more clarity. If these things are clarified, I will be better able to wrap my head around the technology and in turn service my clients better.
    Regards,
    Amir

    Hi Amir,
    Q1) If we create new SVIs for the SSIDs (same SSIDs names will be used in the new building as in the rest of the university campus) this means that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s to be in the same MG as the existing WLC 5508 which then cater for Layer 3 client roaming or I have to treat this as a totally separate WLAN network and follow on to the solution as per the next question. Please advise which is a better option?
    I would configure them in the same mobility group. Also configure same SPG for those two 3850 stacks if users are frequently roaming within these two buildings.
    Q2) I could create separate MG i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can then have one of the existing WLC 5508 (the primary one) to run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD). Would this facilitate in Layer 3 client roaming and RRM for all the controllers in the same MD?
    MO is not required (it is only for very large scale deployments)
    Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
    Yes, documents are hard to find :(
    These notes may be useful to you based on my experience. I am running IOS-XE 3.6.1 in my production.
    http://mrncciew.com/2014/05/06/configuring-new-mobility/
    http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
    HTH
    Rasika
    *** Pls rate all useful responses ****
