WLAN for Management interface
Hi,
We recently had a partner configure our wireless deployment based on two 4402 controllers located at the headquarters.
This partner configured WLAN bound to Management interface (not dynamic interfaces) and said that this is needed.
I seriously doubt that. Can someone shed some light on this? Is this something that is needed for any reason?
We are using PEAP as authentication schema and in order to tighten the security we had configured a list of our authentication servers (two IAS servers) under PEAP properties->Connect to these servers.
This is Microsoft recommended way to allow further security with PEAP.
When this is configured, authentication fails (IAS authenticated to domain); however, when this checkbox is removed it works.
Maybe this WLAN to management interface binding is for this?
Thoughts?
Thanks!
David
Generally a WLAN is assigned a specific interface to tie the WLAN to a specific IP subnet and VLAN to which the interface is configured. IP addresses are assigned to the WLAN clients from the subnet to which the interface belongs.
Similar Messages
-
I started to configure a new ASA 5515 to replace an 5510. When I attempted to remove the "management-only" command from the Management0/0 interface I was greeted with the following error:
"ERROR: It is not allowed to make changes to this option for management interface on this platform."
Does this mean we can't use the management interface anymore on these newer ASAs? I was planning on using that port when we bought it. If this is the case, let this be a warning to whoever is counting the management port as a 7th interface on the 5515!
Update: I just found out that you can't use the management interface for failover purposes either. Argggggg.
"Management interface cannot be configured for failover on this platform."
-
Hi, I have a particular wireless design that requires one WLC 5508 to be connected to two separate switches. Port 1 of WLC is connected trunk to Switch A and Port 2 of WLC is connected to Switch B. Each switch has its own local VLANs. When I connect 1130s LAPs they need to find the management interface initially and then use only AP management interfaces. Since there is only one management interface, if I assign management interface on a vlan that is configured on switch A then APs on switch A join fine but those on switch B keep asking for management interface and from capwap debug on WLC it says that join request was received on wrong interface ....
The only workaround to this was to make routing between switch A and switch B for the two vlans on which APs reside... but for security purposes - client would like to avoid this.
Any help much appreciated ..
Hi, thanks for your reply,
Yes I agree perfectly with your explanation - On both switches I have UDP forward for 5246 and 5247 and everything works fine.
You understood exactly what's happening: for initial discovery the Guest AP asks for management interface through WLC port 2 but management IP is on admin side WLC port 1 and then it drops packet saying that it was received on the wrong port. In fact that is why I put an ACL between the Admin switch and guest switch that allows only 5426 capwap control - just to allow that initial discovery from guest AP to contact Management interface which can only be assigned to one port and in my case it is on the admin switch side. And that is why I had to make a route between the two independent switches.
My question is to know if there is any other way with my given design to eliminate this initial discovery to the management interface, as my client would like the admin and guest switches to be completely separated, i.e. without the routing. Is there any way that the guest APs can make contact with the AP management interface on their side only, skipping the discovery of the management interface? The guest APs were primed on the admin side so they know the IP. After the initial discovery, if I remove the routing between admin and guest switch, guest APs keep their connectivity without any problems.
-
What VLAN should the management interface be in on a 4400 controller?
Hi,
Some documentations put the management interface on a 4400 controller into a regular tagged VLAN. But some documentations put it in an untagged Native VLAN, the tag=0. What is the difference? Which configuration is optimal?
Thanks,
Justin
The answer is "it depends" :-)
I would not say any particular config is optimal though. If you have an established VLAN for management interfaces, I would use that. However if you put the management interface in the same VLAN as your AP's, AP's find your controllers easier. Otherwise you can use DHCP to point AP's to controllers.
I prefer to tag the frame as to which VLAN it belongs to, even if that is the same as the native VLAN.
-
WLC Duplicate IP address detected for AP-Manager Interface
I am getting an error log in the WLC saying, its IP address is duplicate by another machine with MAC address A.B.C.D
But this MAC address A.B.C.D is the MAC address of the AP-Manager Interface in the same controller.
Model No. AIR-WLC2106-K9
Software Version 7.0.116.0
%LWAPP-3-DUP_IP: spam_lrad.c:27626 Adding client 58:b0:35:83:72:86 to exclusion list due to IP Address conflict with AP 'AP_DUXO_3'
%LWAPP-3-DUP_AP_IP: spam_lrad.c:27612 Duplicate IP address detected for AP AP_DUXO_3, IP address of AP 10.184.1.224, this is a duplicate of IP on another machine (MAC address 58:b0:35:83:72:86)
Cisco AP Identifier.............................. 1
Cisco AP Name.................................... AP_DUXO_3
Country code..................................... US - United States
Regulatory Domain allowed by Country............. 802.11bg:-A 802.11a:-A
AP Country code.................................. US - United States
AP Regulatory Domain............................. 802.11bg:-A 802.11a:-N
Switch Port Number .............................. 1
MAC Address...................................... cc:ef:48:1a:e4:af
IP Address Configuration......................... Static IP assigned
IP Address....................................... 10.184.1.224
IP NetMask....................................... 255.255.0.0
Gateway IP Addr.................................. 10.184.20.2
Domain...........................................
Name Server......................................
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Enabled
Ssh State........................................ Disabled
Cisco AP Location................................ DUXO_BOX
Cisco AP Group Name.............................. default-group
Does anyone have an issue like this?
Are you sure this MAC address 58:b0:35:83:72:86 isn't some type of Apple device? Its OUI is registered to Apple. How do clients get IP addresses, DHCP? It appears that the IP 10.184.1.224 is statically assigned to your ap-manager and that this client 58:b0:35:83:72:86 is either getting that same IP from DHCP or the client is statically assigning it themselves.
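The two log lines quoted in this thread can be correlated to check whether the conflicting MAC belongs to known infrastructure or to an unknown client. The Python below is an added example, not part of the original thread; the inventory mapping, the "wlc-ap-manager" label and the function names are assumptions, and the sample log is the pair of lines quoted above.

```python
import re
from collections import defaultdict

# Sample input: the two WLC log lines quoted in the thread above.
SAMPLE_LOG = """\
%LWAPP-3-DUP_IP: spam_lrad.c:27626 Adding client 58:b0:35:83:72:86 to exclusion list due to IP Address conflict with AP 'AP_DUXO_3'
%LWAPP-3-DUP_AP_IP: spam_lrad.c:27612 Duplicate IP address detected for AP AP_DUXO_3, IP address of AP 10.184.1.224, this is a duplicate of IP on another machine (MAC address 58:b0:35:83:72:86)
"""

# Assumed inventory of infrastructure MACs. The single entry is the AP MAC
# shown in the "show ap config" output in the thread.
INFRA_MACS = {"cc:ef:48:1a:e4:af": "AP_DUXO_3"}

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
DUP_AP_IP = re.compile(
    r"%LWAPP-3-DUP_AP_IP:.*?detected for AP (?P<ap>[^,\s]+), "
    r"IP address of AP (?P<ip>\d+\.\d+\.\d+\.\d+),.*?"
    r"\(MAC address (?P<mac>" + MAC + r")\)",
    re.IGNORECASE,
)
DUP_IP = re.compile(
    r"%LWAPP-3-DUP_IP:.*?Adding client (?P<mac>" + MAC + r") to exclusion list "
    r"due to IP Address conflict with AP '(?P<ap>[^']+)'",
    re.IGNORECASE,
)


def correlate(log_text, infra_macs):
    """Group duplicate-IP events per AP and classify each conflicting MAC."""
    per_ap = defaultdict(lambda: {"ip": None, "macs": set(), "excluded": set()})
    for line in log_text.splitlines():
        m = DUP_AP_IP.search(line)
        if m:
            entry = per_ap[m["ap"]]
            entry["ip"] = m["ip"]
            entry["macs"].add(m["mac"].lower())
            continue
        m = DUP_IP.search(line)
        if m:
            per_ap[m["ap"]]["excluded"].add(m["mac"].lower())

    report = []
    for ap, entry in sorted(per_ap.items()):
        for mac in sorted(entry["macs"] | entry["excluded"]):
            owner = infra_macs.get(mac)
            report.append({
                "ap": ap,
                "ip": entry["ip"],
                "mac": mac,
                # A MAC in the inventory means the conflict is between our own
                # devices (addressing error); otherwise it is an unknown client.
                "kind": "infrastructure" if owner else "unknown-client",
                "owner": owner,
                "excluded": mac in entry["excluded"],
            })
    return report


if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG, INFRA_MACS):
        print(row)
```

If the conflicting MAC really were one of the controller's own interfaces, adding it to the inventory would change the classification to "infrastructure", which points at a static addressing overlap rather than a client.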
-
Standard Asynchronous ES for Quality Management interface
Hi,
Synchronous standard ES is available for Quality Management interfaces under ES bundle.
Could you please suggest if there is any standard Asynchronous ES available for above QM interfaces like Inspection plan, Inspection results and Usage Decision.
Br,
Madan
Dear Hummel
This link required SAP ID and is useless for those who do not have S User IDs.
Furthermore.... could you please differentiate Stand SAP QM process compare to QM process in RDS?
-
Error in Interface for management of HTTP destinations
Hello Experts,
I've got the following error when I'm trying to create a logical port in SOA Manager.
'Error in Interface for management of HTTP destinations'.
I was trying to create a logical port of type WSDL for a consumer proxy, with a URL provided by the EP consultant.
Kindly let me know how I can rectify the above stated error.
Hi
Did you try creating the connection via sm59 (RFC Destination), then try to assign it (instead of direct URL call, specify the RFC destination). That way, you can trace the RFC destination.
Regards
Ronny
-
WLC to use Management Interface & Few more getting started Questions
Hello,
I'm yet to implement the Wireless LAN in one of our client's corporate office. There are 40 x 1130AG LWAPP AP's and 4404 WLC with ACS 4.x for the Authentication of the Wireless Clients who is trying to access the LAN.
For the WLC to connect to the Dual Core Switch, I need to use only one Management Interface with Distribution System port 1 being the Primary and mapping the DS Port 2 as the Backup port for the Management Interface. Is this Right? Or do I have to configure Dynamic Interfaces as well? Is management interface for accessing / management and configuration only? Management Interface will communicate with ACS for AAA and AP's who would like to associate with the WLC, is this Right?
Note: WLC, AP's, Wireless Clients & AP's are in the same IP Subnet.
Few other question of WLAN's so it helps me during implementation -
• Can I use the 802.1x Authentication application found in the Windows XP for the Wireless Interface; instead of Cisco Client Application. For this; I have to configure the WLC / Wireless Client to use EAP algorithm; is this Right?
• With the help of RRM, the channel interference between multiple AP's (3 - 4 AP's) in the same area is controlled by the WLC by changing the Channels used by the AP which is not same on all the AP's. Is this right?
• How many Client Users will connect per Channels. 802.11 a / g will provide 11 Channels, is this Right?.
• I'm trying to set in the WLC to limit the Client connections per AP to 25, can this be achieved?
Please, can anyone help me in clarifying the above points.
Regards,
Keshava Raju
Many Thanks Mr. Dennis for your help & Clarification.
With ref to your reply point no# 1. I have actually planned to connect one Gig port of the controller to each of the Dual Cisco Core Switch setup. Can I use all 4 Controller Interfaces configured as LAG and Port 1 & 2 connecting to Core Switch 01 and Port 3 & 4 connecting to Core Switch 02?
I have Final two more questions, Request you to help me clarifying this?
• I'm willing to configure Multicast communication between the WLC & AP's. For this configuration is it necessary to Connect the WLC in a different VLAN than the VLAN of the AP's. Is it necessary that I have to set the controller to LWAPP Layer 3 mode to support the Multicast communication?
• Though I do not have implementation experience of the WLAN. My understanding of the Interface settings on the WLC - is I will have to configure one Management Interface for in-band management. Do I have to configure AP-Manager Interface (to support Multicast communication) and to make the WLC to communicate with ACS for Client Authentication. All of the Wireless Devices including the ACS are in one VLAN / IP Subnet, is only one Management Interface is enough for communicating with AP's (with Multicast) and communicating with ACS for forwarding the Authentication messages between the ACS & Wireless Clients?
-
Hi, I own a WLC 5508 and I (probably) do not understand AP-Manager interfaces. I have a lab with 2x 1242AG and 1x 1252AG connected to c2960. APs are in vlan 10 (192.168.10.0/24, configured via DHCP), APs are connected to "switchport mode access" interface. c2960 is connected via a trunk to c4506, and WLC is plugged in gi1/3 and gi1/4 (both through twingig). Both ports are configured as "switchport mode trunk". Management interface on WLC is on WLC port 8 (connected to gi1/4), and AP-Manager is on WLC port 1 (connected to gi1/3). Management interface on WLC has "Dynamic AP management" set to disabled, and AP-Manager has it set to enabled. Both, Management and AP-Manager interfaces are tagged, vlan id 12 and 13 (subnets 192.168.12.0/24, 192.168.13.0/24) respectively. APs receive their IP configuration via DHCP (server located in vlan 20, 192.168.20.0, ip helper-address in use), and try to discover WLC by DNS resolution (CISCO-CAPWAP-CONTROLLER.some.domain resolves to AP-Manager IP correctly). But APs do not join to controller, WLC says "Ignoring discovery request received on non-management interface", AP has "not joined" status in Monitor/Statistics/AP Join.
But if I set management interface as "Dynamic AP enabled", and change DNS to resolve CISCO-CAPWAP-... to its IP everything works fine - AP joins at once. Please help, how to join LAP to AP-Manager interface? Join to WLC manager is simple, but my design requires at least 2 AP-Manager interfaces.
Hello,
I just wanted to mention foremost; a split LAG configuration is not supported on the WLCs. This "can" be achieved if you are splitting your LAG ports amongst VSS configuration on your two capable devices, but is not a recommended or supported configuration. I would highly suggest a LAG configuration over your individual port. As far as the "ap-manager" concern you have of managing more than 48 APs, you are correct in that the AP-manager cannot handle more than 48 APs, however only when in an individual port configuration. The LAG will overcome this limitation.
George was correct about your DNS entry, this needs to point to the WLC's management interface. This is why the AP joined when you pointed the DNS entry back to the management address-- as intended.
This link is anchored to the mgmt, ap-manager, and dynamic interface creation for the 7.0.116.0 Config Guide: http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_ports_interfaces.html#wp1286790
"If" you want to keep an individual port configuration, and need more than 60 APs connected, you will need to create more than one "ap-manager" interface. You will just make a new dynamic interface and place it on the same network as the current ap manager (ie, management interface) and mark it for dynamic ap management. All APs will still need to only see the management interface for joining; the WLC will assign to the appropriate AP manager as needed. The WLC will fill up the first AP manager before joining building tunnels through the next AP-manager interface, so in your lab you will not really be able to test this behavior, assuming the 3-4 APs you were using.
1. You can keep your management interface with "dynamic ap management" enabled so this serves as the first AP manager; if you desire.
2. You will need to create another dynamic interface mapped to the next port. Enable "dynamic ap management" again here, and place this new "ap-manager" interface on the same vlan as the mgmt. Keep in mind creating a dynamic interface and designating it as an AP manager prevents mapping that interface to a WLAN, see note below.
*NOTE (from config guide): When you enable this feature, this dynamic interface is configured as an AP-manager interface (only one AP-manager interface is allowed per physical port). A dynamic interface that is marked as an AP-manager interface cannot be used as a WLAN interface.
I would highly suggest the LAG configuration so there is no need to worry about the ap manager interfaces, regardless of the number of APs communicating. This also allows for growth if WLC needs to be licensed for more and more APs.
-
4404 DHCP for secondary interface only
Hello,
I have a strange one that I can't figure out. I currently have the management interface set to my internal network using our DHCP server. We also provide another interface to WLAN for a charity organization. Their interface and WLAN are locked out of our network (no routes, no nothing) with only VLAN tagging sending out over our backup internet connection. I have been tasked to take over their DHCP scope (255.255.240.0). I added the scope into the 4404 just fine but can't seem to assign it. So, for the sake of argument lets say:
Interface:
management VLAN 10 10.10.10.10 DHCP = 10.10.10.15
charity VLAN 20 192.168.160.2 DHCP = ????
WLAN:
Mine to ->management
Free to -> charity
WLC 4404 Scope:
FreeOne 192.168.162.1-192.168.172.250 / 255.255.240.0
If I tell the charity interface to use 192.168.160.2 for the dhcp scope it errors out. I also tried the DHCP override in the WLAN with no success. If I set either DHCP option for the charity to aim at the management interface it does nothing as it can't find it... Anyone see an easy workaround solution?
Thanks
Thanks Steve,
I tried that but nothing happened. I was hoping that since the 10 dot was a local address it would not. Holy C... sorry I should have searched more. Found another article talking about DHCP proxy enabled and checked my controller. DHCP proxy was not enabled. I checked it off with the default 82 option of "AP-MAC-SSID" and my allocated leases lit up like a Christmas tree. Well, problem solved. Thanks for confirming that I had it half right. Sorry I missed that detail.
-Todd
-
VLAN for WLC interface (ISE Policies Based on SSID)
I have ISE 1.1 and WLC 2504
I used this link http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bed902.shtml
But I am confused on the WLC configuration
If I have only one ESSID for corporate user (and many DATA vlan because each AD group is associated to one specific VLAN)
I have already created Management interface associated with management Vlan
Which interface should I associate on the corporate WAN ( WLAN -->General --->Interface/interface group) ?
Should I create another interface? Which Vlan ID should I associate to this interface
or should I use Management interface
Please advise
Check the following links, they are very helpful:
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808c9bd1.shtml
http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080bc8129.shtml
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
Please make sure to rate correct answers
-
Open module for managing property file and environment variables
Looking for an open module for managing property files and environment variables (like CLASSPATH) set in a shell script. For handling properties (preserving comments, supporting includes, appending new entries, and more) I have looked at SuperProperties from openadaptor but find certain functionality lacking. As for interfacing with common shell scripts/files containing setting for CLASSPATH, JAVA_HOME, other system/application variables another type of object editor is needed. Maybe JFIG?
Any ideas are greatly welcomed.
You seem right, you hit a brick wall here with Air to find the location
of the command console on windows...
So in fact I never build an exe tool, but this little problem was a nice
case to test it and I tried it.:
I downloaded monodevelop
-GTK# for .NET 2.12.10*
-MonoDevelop 2.4.2*
from http://monodevelop.com/Download
created a console project and had an exe in 5 minutes !
You can download the findconsole tool and the projectfiles here:
http://greencollective.nl/temp/dump/findconsole_monoproject.zip
findconsole.exe will reveal the path/location of cmd.exe on a windows system.
Cheers,
Latcho
-
Home Hub 3.0B Management interface unresponsive.
This month (2 weeks ago) I upgraded to Infinity 2 and got a new Home Hub 3.0 Type B.
I was able to get it all working as I wanted to - home network using 172.16.0.1/23 (because of conflicts with vpning into work which already routes 192.168./16 and 10./8)
However, often, very often, trying to access the Hub web interface on 172.16.0.1 or via bthomehub.home simply fails to respond. Regardless of the browser, or me using telnet to simulate a HTTP call.
#host bthomehub.home 172.16.0.1
Using domain server:
Name: 172.16.0.1
Address: 172.16.0.1#53
Aliases:
bthomehub.home has address 172.16.0.1
# telnet 172.16.0.1 80
Trying 172.16.0.1...
Connected to 172.16.0.1.
Escape character is '^]'.
GET /
And it just hangs.
Even though the web management interface is unresponsive, the internet seems to work ok, though wifi is sporadic.
Rebooting the hub doesn't seem to help. I read some reports of badly fitted heatsinks on these Type B's - so could mine be over heating and causing this lock up? If I leave it and try again in a few hours it may work again. Yesterday the internet connection dropped twice and when I was able to login to the web interface, the Event log showed that the hub had spontaneously rebooted itself.
Do I have a bad home hub?
Hi pgregg,
Have you tried a full reset of the hub yet? Not just a reboot?
Chris
BT Mod Team.
-
What are the features supported in Cisco Prime Infrastructure for WLAN for autonomous AP's?
What are the features supported in Cisco Prime Infrastructure for WLAN for autonomous AP’s?
• PI provides visibility for autonomous clients within the same list view as lightweight and wired clients (client list page).
• Rogue AP detection for autonomous AP's is not supported (it's supported in CUWN).
• Alarms/events for client authentication issues (e.g. authentication failure) are displayed in PI.
• Config management for autonomous AP's is via CLI template. Config comparison and archiving functionality in PI leverages these same features that were brought in from LMS, so need to defer to others in terms of whether this is a cross-platform feature in PI or is only supported on a subset of platforms. Config comparison/archive is supported in CUWN.
PI supports both infrastructure (e.g. AP Tx Power and Channel, busiest AP, AP utilization, etc.) and client (e.g. client count, client sessions, etc.) reports, and there are extensive reports for CUWN
-
Adding a WLAN for Remote Location
Hello everyone,
I have a question about creating a WLAN for a remote location on a 5508 WLC that's housed at our main office. Attached is a diagram of the connection between the two locations. My question is, how do I set this up? Our WLC is at our main office (10.1.x.x) and I was able to get a lightweight AP to join the controller using an IP address from the local subnet of the remote location (10.20.x.x). However, I want to create a new subnet that will be broadcast at the remote location only and clients will use the local DHCP/DNS server there. Usually, I create a new interface when I set up a new network but I have to specify a VLAN ID. Since the VLAN at the remote location is also VLAN 1, how do I go about doing this? Do I create an untagged interface? Please help!
Regards,
Terence
I think you're better off using H-REAP/FlexConnect.