WLC 2112 and WLC 2504

This might be a really stupid question but I need to ask just so that I get a definitive answer. I have a customer that is using a WLC 2112 and has maxed out the licenses for the WLC. I have suggested for him to purchase a 2504 with 30 or 40 licenses to replace the existing 2112. He doesn't want to purchase 30 to 40 licenses and doesn't want to remove the 2112 from the network environment. He would rather purchase a WLC 2504 with 15 licenses and just add that into the network.
My question is, will there be a problem running a 2504 and a 2112 on the same network? Or can I just make one a primary and one a secondary?

That should be fine. Just make sure the WLCs are running the same code version and everything should work fine. This is required for AP failover from one WLC to another. You don't want the APs upgrading or downgrading code versions every time the AP moves from the primary to the secondary WLC.

Similar Messages

  • C3850 WLC enabled and WLC 2504, which one should be Primary controller.

    I have 2 designs to make a better solution, please advise me.
    I have C3850 and WLC 2504.
    1. I will use C3850 as mobility controller (MC) and mobility agent (MA) for WLC 2504. Does it work? or
    2. I will use WLC 2504 as MC and MA for C3850.
    Can I do both of design?
    Which one is better?
    Please recommend me a solution.
    Thank you in advance.

    Hi
    A 2504 (or any legacy WLC) has MC/MA built in and we cannot separate those roles on it. You can separate MC & MA functionality in Converged Access product platforms (3850/3650) only.
    Therefore here are the answers to your queries:
    1. You can have a 3850 with MC/MA functionality. But your 2504 will be a separate controller in your mobility domain. You can allow roaming between these two systems by configuring them as mobility peers. You cannot register 3850-connected APs to any controller other than the 3850 WLC itself. So you cannot use these two different systems as high availability for APs.
    You need to have a minimum of 7.6.x on your 2504 in order to configure mobility between the 2504 & a Converged Access system.
    Here is a reference post on how you configure roaming between a 5508 & a Converged Access MC (5760/3850/3650):
    http://mrncciew.com/2014/05/06/configuring-new-mobility/
    2. None of the documents list the 2504 as able to act as MC for a 3850/3650 (MA). So my understanding is you should have a 5760/5508/WiSM2/8500 as MC. But you can test it & see whether the 2504 could act as MC, which I doubt.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • WLC 4400 and WLC 5500

    We have a site with a WLC 4400 and we would like to set up controller failover. The WLC 4400 is EOS/EOL and the replacement available is the WLC 5508. Can someone advise me on how to configure these units in Primary/Secondary mode so that if either of the controllers fails, the other one can take over?
    Thanks,

    Hi Akil,
    You are most welcome
    Yes, you can configure 4400s and 5500s in a redundant configuration, but both should be running the same code version. I believe the latest version that is compatible for both is 7.0.220.0; this is the last version that supports the 4400 series.
    Here's a note that reflects the support:
    Note
    Controllers do not have to be of the same model to be a member of a mobility group. Mobility groups can be comprised of any combination of controller platforms.
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mobil.html
    Cheers!
    Rob
    "Show a little faith, there's magic in the night" - Springsteen

  • Savant and WLC 2504

    The customer has 1x WLC 2504 and 7x AP 3502i.
    He is installing an automation system called Savant; this system uses the Bonjour protocol to discover the services on the network.
    I've configured the multicast group on the controller and switch (SG300) with IP 239.xxx.xxx.xxx, but Savant (on the iPad) doesn't find the service.
    Has anybody gone through a similar scenario?
    I've used this document: http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_tech_note09186a0080bb1d7c.shtml
    PS: The customer has no VLANs.
    Best regards.

    # Disable mDNS/Bonjour on the WLC. Place the WLC management and AP VLAN on the same subnet. Keep the Savant server and iPhone on the same WLAN and try.
    # The WLC 2500 supports only multicast-to-multicast for AP mode; be sure that wired-side multicast is configured properly and working.
    # Try with any standard app to verify that Bonjour and AP-mode multicast work.
    # It is possible there may be a specific string that needs to be added to the Bonjour profile for Savant to work. Do "debug mdns all enable" and see what is missing.
    It is suggested to open a TAC case for troubleshooting.

  • Prime 1.3 can't update switches and WLC

    Hello.
    I have Prime 1.3, two WLC 5508s and 8 Catalyst 2960S switches.
    I try to update my devices through Prime, but I can't.
    When I start "Upgrade Analysis", select a switch (Catalyst WS-C2960S-24PS-L) and image (c2960s-universalk9-mz.150-2.SE2.bin) and then click "Run report",
    Prime shows me "Image not Applicable for this Device".
    I tried different images, but it does not help.
    And with the WLC 5508 the same trouble.
    Maybe anybody knows why Prime can't do the analysis and update devices correctly?

    I am having this same issue with Prime 1.3. I can't deploy software to my 2504 or 5508 controllers. I get the "Image not Applicable for this Device" message and it tells me there is "No Flash" when I try to deploy to individual devices. I can manually load the exact same file to those controllers via a TFTP server and they upgrade just fine. Help from Cisco would be great on this.

  • Anchor mobility between WLC 5508 and Aruba/Clearpass

    Hello. I have a question regarding the ability to configure anchor mobility between a 5508 WLC and an Aruba controller. To date, my understanding is it has never been possible and I have never found any documentation that says it can be done.
    Scenario: My organization and a partner organization co-own a hospital. We coexist on a large campus, with each org having a number of buildings in which the owning org maintains the network presence. We also maintain back-to-back firewalls between us and do not hand off any direct layer 2 interfaces to each other. However, the two orgs do partner to provide each other's business SSIDs in each other's WiFi networks using anchor mobility. Our current solution utilizes an A/M tunnel between my org's 5508 controllers and the partner org's 2504 controller, and we explicitly permit the tunnel traffic between partner controllers for A/M to work. Last year, the partner org retired some old WiSMs and changed their wireless solution to Aruba, and recently implemented ClearPass. In order to maintain A/M with us they left a 4404 operational, but due to the newer code we were running they were forced to purchase a 2504. So now they are only maintaining a limited footprint in their network with a few Cisco APs; the rest of their coverage areas use Aruba APs, and they have indicated that they want to completely retire their Cisco WLCs. Because we host some of their SSIDs on our controllers and can tunnel them to their 2504, they get all of their WiFi traffic coming from our network; however, my org can only connect to our SSIDs on their campus in certain areas.
    The solution I have been asked to provide is to find a way to continue providing some sort of anchor mobility services between our WLCs and their Aruba controllers. My org maintains that we do not want to simply hand them a layer 2 interface for security reasons, but they want our SSIDs to be available in all areas of the partner org's campus and vice versa. So far I have stalled the partner org's plans to retire their WLCs by telling them that retiring their WLCs will completely break WiFi between orgs, but they are adamant that some sort of A/M solution must be found.
    Is there any way to do some sort of A/M between a WLC and an Aruba controller, and if so, is there any documentation showing configuration examples etc.?
    Thanks,
    John

    Hi John,
    I do not think it will work. Even if it gets working somehow, it will be an operational nightmare to troubleshoot & fix an issue, since both vendors will say it is NOT a supported solution.
    What about asking them to advertise your SSID (assuming it is dot1x) on their APs as another SSID on their network, but pointing it to your RADIUS & DHCP for IP connectivity? (You do not have a layer 2 requirement for this & can do this as long as you have L3 communication between each other.)
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • WLC 2112 & MacBook or Apple Devices ???

    Dear All,
    Last week I successfully configured the WLC 2112 with 12 APs of course :) with 3 SSIDs.
    The issue I am facing is that users with MacBooks & iPads are having issues connecting to the new wireless setup, whereas all other brands of laptops and PDAs are getting connected just fine.
    When I am trying to connect a MacBook to an SSID and when I enter the password, after 10 or 15 sec the MacBook self-assigns an IP address to itself instead of getting the password from the WLC's DHCP.
    I have set the authentication level to basic WEP key protection.
    Channel set to overlapping channel 10.
    Experts, I need your expertise. Will appreciate it if I can get a quick response.

    Hi,
    Are the Mac and Apple devices configured to get a dynamic DHCP address? What is the subnet from which these devices are getting their IP?
    Could you disable Aironet extensions under WLAN > Advanced and test? This setting enhances the ability of third-party clients to connect to Cisco devices.
    Regards,
    Madhuri

  • WLC 2112 is not accessible

    Hello Experts,
    I have a problem with my Cisco WLC 2112.
    Problems:
    1. I can not reach this WLC via GUI or CLI.
    2. Can not access via Console.
    3. Status LED is Dark Orange or Red.
    Can anybody help.
    Regards

    Hi,
    Status LED is Amber (ORANGE/RED): means a problem was encountered during boot.
    http://www.cisco.com/en/US/docs/wireless/controller/2100/quick/guide/ctrl206q.html#wp39363
    Did you try with these settings:
    9600 baud
    8 data bits
    No flow control
    1 stop bit
    No parity
    If the console is not responsive, then it's a hardware failure and you should contact the TAC or you should RMA it.
    Be aware: the WLC 2100 Series is EOL/EOS.
    http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps7206/ps7221/end_of_life_notice_c51-691053.html
    Regards
    Don't forget to rate helpful posts

  • DHCP setup help on AIR-WLC-2112 with LAP1042N

    I am new to wireless. I would like to statically assign IP addresses for my controller (AIR-WLC-2112) and my access point (LAP1042N). I would then like the controller to distribute DHCP addresses for users. What is the best way of doing this?

    Hi Mark,
    You can certainly set up your network for 2 VLANs for different wireless networks. You will only need to set up the switchports to the WLC as trunks. In other words, the APs will simply reside in the VLAN you define (access switchports) and they will tunnel all traffic back to the controller, regardless of client VLAN. The WLC will then determine which VLAN the traffic needs to go on.
    You have 2 ways of setting your AP IP addresses as static. You can statically assign them through the console during initial installation:
    capwap ap ip address
    capwap ap ip default-gateway
    capwap ap controller ip
    Or, you can simply let the APs start by using DHCP, and auto discovery of the WLCs via DNS lookup of "cisco-capwap-controller", or DHCP option 43. Once they join the controller you can assign them static addresses in the WLC AP settings.
    Now, onto the last question regarding your WAN sites. We do have options for you there as well -- the feature we're looking at would be H-REAP. Traditionally the APs tunnel all wireless traffic back to the controller. However, in H-REAP mode, you can specify the APs to put traffic on the network right at the local switch, so it wouldn't have to get tunneled across your WAN (depending on WAN bandwidth). You still configure the AP and manage it centrally. For more information on this feature, please check out the H-REAP deployment guide:
    http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080736123.shtml
    -Patrick Croak
    Wireless TAC
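    As an added example (not part of Patrick's answer or any Cisco tool), this Python helper builds and decodes the DHCP option 43 value used for the controller discovery mentioned above. It follows Cisco's documented format for lightweight APs: sub-option type 0xf1, a length byte equal to 4 times the number of controllers, then each WLC management IP as four raw bytes. The controller addresses below are constructed.

```python
"""DHCP option 43 builder/parser for Cisco lightweight AP (CAPWAP) controller
discovery.  Format: type 0xf1, length = 4 * N, then N controller IPv4
addresses packed as raw bytes.  The resulting hex string is what you paste
into e.g. an IOS DHCP pool as 'option 43 hex <value>' or a Windows DHCP
server's binary option 43 field."""
from ipaddress import IPv4Address

CISCO_AP_SUBOPTION = 0xF1  # sub-option type Cisco CAPWAP/LWAPP APs look for


def option43_hex(controllers):
    """Return the option 43 payload for the given WLC management IPs as hex."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    body = b"".join(IPv4Address(ip).packed for ip in controllers)
    if len(body) > 255:
        raise ValueError("too many controllers for one sub-option length byte")
    # type byte, length byte, then the packed addresses
    return bytes([CISCO_AP_SUBOPTION, len(body)]).hex() + body.hex()


def parse_option43(hexstr):
    """Decode an option 43 payload back into the controller IP list.

    Rejects anything that is not a well-formed 0xf1 sub-option so that a
    mistyped value in the DHCP pool is caught before an AP tries to use it.
    """
    raw = bytes.fromhex(hexstr)
    if len(raw) < 2 or raw[0] != CISCO_AP_SUBOPTION:
        raise ValueError("not a Cisco AP controller sub-option (type 0xf1)")
    length = raw[1]
    if length == 0 or length % 4 or len(raw) != 2 + length:
        raise ValueError("malformed sub-option length")
    return [str(IPv4Address(raw[i:i + 4])) for i in range(2, 2 + length, 4)]


def ios_option43_line(controllers):
    """Return the IOS DHCP pool line carrying the value (hex form)."""
    return "option 43 hex " + option43_hex(controllers)


if __name__ == "__main__":
    # Constructed example controllers (hypothetical management addresses)
    wlcs = ["192.168.10.5", "192.168.10.6"]
    value = option43_hex(wlcs)
    print(ios_option43_line(wlcs))          # option 43 hex f108c0a80a05c0a80a06
    print(parse_option43(value))            # ['192.168.10.5', '192.168.10.6']
```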

  • WLC 2112 with 1042 Mesh APs

    Hello everybody,
    I have a Mesh architecture with 2112 WLC and 1042 APs
    I want just to know if I can connect one 1310 AP to the ethernet port of a mesh 1042 AP with ethernet bridging enabled.
    thanks

    Hello benhamzagi,
    Thank you for contacting the Sales Acceleration Center (SAC) regarding your recent inquiry, Case Number 80931.
    Case Description:
    WLC 2112 with 1042 Mesh APs
    Case Solution:
    Here is the compatibility matrix link:
    http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html#wp118661
    Or the attached tables will help you, based on release, controller, mesh and AP.
    Table 3 Controller Software Release and Controller Model Support Matrix

    Controller Model     First Support   Last Support
    2100                 4.2.x           7.0.x
    2500                 7.0.x           -
    Cat3850              3.2.0SE         -
    4400                 4.2.x           7.0.x
    5500                 6.0.x           -
    5700                 3.2.0SE         -
    7500                 7.0.x           -
    8500                 7.3.x           -
    Virtual Controller   7.3.x           -
    WiSM                 4.2.x           7.0.x
    WiSM2 (1 DP)         7.0.x           -
    WiSM2 (2 DP)         7.2.x           -
    SRE                  7.0.x           -

    Table 4 Mesh and Controller Software Releases and the Supported APs

    Mesh and Controller Release: Supported Access Points
    7.4.x: 1522, 1524PS, 1524SB, 1552E, 1552H, 1552I, 1552C, 1552EU, 1552CU, 1552S, 1130, 1240, 1250, 1260, 1600, 2600, 3500e, 3500i, 3500p, 3600e, 3600i, 1140, 600 OEAP, AP801, AP802
    7.3.x: 1522, 1524PS, 1524SB, 1552E, 1552H, 1552I, 1552C, 1552EU, 1552CU, 1552S, 1130, 1240, 1250, 1260, 2600, 3500e, 3500i, 3600e, 3600i, 3500p, 1140, 600 OEAP, AP801, AP802
    7.2.11x.x: 1522, 1524PS, 1524SB, 1552E, 1552H, 1552I, 1552C, 1552S, 1130, 1240, 1250, 1260, 2600, 3500e, 3500i, 3500p, 3600e, 3600i, 1140, 600 OEAP, AP801, AP802
    7.2.10x.x: 1522, 1524PS, 1524SB, 1552E, 1552H, 1552I, 1552C, 1552S, 1130, 1240, 1250, 1260, 3500e, 3500i, 3600e, 3500p, 3600i, 1140, 600 OEAP, AP801, AP802
    7.0.2x.x: 1522, 1524PS, 1524SB, 1552E, 1552H, 1552I, 1552C, 1130, 1240, 1250, 1260, 3500e, 3500i, 3500p, 1140, 600 OEAP, AP801, AP802
    7.0.116.0: 1522, 1524PS, 1524SB, 1552E, 1552H, 1552I, 1552C, 1130, 1240, 1250, 1260, 3500e, 3500i, 3500p, 1140, 600 OEAP, AP801, AP802
    7.0.98.x: 1522, 1524PS, 1524SB, 1130, 1240
    6.0.202.0: 1522, 1524PS, 1524SB, 1130, 1240
    5.2.193.0: 1522, 1524PS, 1130, 1240
    4.1.192.35M (Mesh Release 3): 1505, 1510, 1522, 1524PS, 1130, 1240
    4.1.191.24M (Mesh Release 2): 1505, 1510, 1522 (US, Canada, and RoW), 1130, 1240
    4.1.190.5 (Mesh Release 1): 1505, 1510, 1522 (US and Canada)
    As per your confirmation, I am going to close the case for this specific inquiry. We strive to provide you with excellent service. Please feel free to reach out to me or any member of the SAC team if we can be of any further assistance or if you have any other related questions in the future. We value your input and look forward to serving you moving forward.

  • Ask the Expert: Cisco BYOD Wireless Solution: ISE and WLC Integration

    With Jacob Ideji, Richard Hamby and Raphael Ohaemenyi
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the new Identity Solutions Engine (ISE) and Wireless LAN Controller (WLC) hardware/software, integration, features, specifications, client details, or just questions about Cisco's Bring-your-own-device (BYOD) solution with Cisco experts Richard Hamby, Jacob Ideji, and Raphael Ohaemenyi. The interest in BYOD (Bring Your Own Device) solutions in the enterprise has grown exponentially as guests and company users increasingly desire to use personal devices to access. Cisco BYOD enhances user experience and productivity while providing security, ease of administration, and performance. The heart of the Cisco wireless BYOD solution is Identity Solutions Engine (ISE) utilizing the Cisco Unified Wireless portfolio. Starting with ISE v1.1.1MR and WLC (Wireless LAN Controller) code v7.2.110.0 and higher, end-to-end wireless BYOD integration is reality.
    Jacob Ideji is the technical team lead in the Cisco authentication, authorization and accounting (AAA) security team in Richardson, Texas. During his four years of experience at Cisco he has worked with Cisco VPN products, Cisco Network Admission Control (NAC) Appliance, Cisco Secure Access Control Server, and Dot1x technology as well as the current Cisco Identity Services Engine. He has a total of more than 12 years experience in the networking industry. Ideji holds CCNA, CCNP, CCSP, CCDA, CCDP, and CISM certifications from Cisco plus other industry certifications.
    Richard Hamby  works on the Cisco BYOD Plan, Design, Implement (PDI) Help Desk for Borderless Networks, where he is the subject matter expert on wireless, supporting partners in the deployment of Cisco Unified Wireless and Identity Services Engine solutions. Prior to his current position, Hamby was a customer support engineer with the Cisco Technical Assistance Center for 3 years on the authentication, authorization, accounting (AAA) and wireless technology teams. 
    Raphael Ohaemenyi  Raphael Ohaemenyi is a customer support engineer with the authentication, authorization and accounting (AAA) team in the Technical Assistance Center in Richardson, Texas, where he supports Cisco customers in identity management technologies. His areas of expertise include Cisco Access Control Server, Cisco Network Admission Control (NAC) Appliance, Cisco Identity Services Engine, and IEEE 802.1X technologies. He has been at Cisco for more than 2 years and has worked in the networking industry for 8 years. He holds CCNP, CCDP, and CCSP certification.
    Remember to use the rating system to let Jacob, Richard and Raphael know if you have received an adequate response.
    Jacob, Richard and Raphael might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the wireless mobility sub community forum shortly after the event. This event lasts through Oct 5th, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

    OOPS !!
    I will repost the whole message with the correct external URLs:
    In general, the TrustSec design and deployment guides address the specific support for the various features of the 'whole' Cisco TS (and other security) solution frameworks, and then drill down (usually the proper links are embedded) to the specific feature, and then that feature on a given device. TS 2.1 defines the use of ISE or ACS5 as the policy server, and configuration examples for the platforms will include and refer to them.
    TrustSec Home Page
    http://www.cisco.com/en/US/netsol/ns1051/index.html
    http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf
    I find this page very helpful as a top-level start to what features and capabilities exist per device:
    http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
    The TS 2.1 Design Guides
    http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
    DesignZone has some updated docs as well
    http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng
    As the SGT functionality (at this point) is really more of a router/LAN/client solution, the most detailed information will be in the IOS TS guides like:
    http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x.html
    http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book.html
    http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html

  • Understanding Flexconnect - Local vs Central Switching, and WLC failover scenario ??

    Hello Experts
    We have one WLC 5508 in Building1, a few 2700 Series APs in Building1, and one 1252AG in Building2. The LAN subnet is the same for both buildings, connected via dark fiber.
    My requirement is to have Central Switching in Building1, since the WLC is located locally, and Local Switching in Building2 to avoid inter-building traffic; for both buildings we already have one VLAN/IP subnet. (Both buildings access resources from a central datacenter which hosts all the servers.)
    Questions:
    1. Is the above scenario possible using single SSID ? My understanding is that one WLAN+SSID can't have both Local and Central switching enabled.
    2. In Flexconnect Central Switching mode, during WLC failure, does the switching change to Local switching automatically ?
    3. When I choose Local Switching for a specific WLAN, does it Locally switch always , or does it Locally switch only when WLC is down ?
    4. We want to use Microsoft PEAP using AD User Authentication. When Local Authentication is enabled on WLC, I understand that when WLC fails (and RADIUS Server is still reachable), can we still have the AP directly contact RADIUS server as a direct client and provide 802.1X Microsoft PEAP authentication. Guess this is Primary Backup Radius Server configuration. Is this understanding correct ?
    Thanks.

    Hi
    "The LAN subnet is same for both Buildings connected via a dark fiber."
    If this is the case there is no need for FlexConnect, as you have enough bandwidth & the same L2 extended to those two buildings. Typically FlexConnect is for branch deployments where WAN link bandwidth is a concern.
    Anyway, if you want to do this, here are the answers to your specific queries.
    1. Is the above scenario possible using single SSID ? My understanding is that one WLAN+SSID can't have both Local and Central switching enabled.
    You can have both local switching & central switching available for a given SSID. Only FlexConnect mode APs will do local switching & all local mode APs will do central switching, though both use the same SSID.
    2. In Flexconnect Central Switching mode, during WLC failure, does the switching change to Local switching automatically ?
    No, if it is a central switching SSID, when the WLC is not available clients won't be able to join this SSID. It does not fall back to local switching.
    3. When I choose Local Switching for a specific WLAN, does it Locally switch always , or does it Locally switch only when WLC is down ?
    This is applicable only to FlexConnect mode APs & they always do local switching if that is configured. If the WLC is not reachable the AP will go into "standalone mode" & still do local switching.
    4. We want to use Microsoft PEAP using AD User Authentication. When Local Authentication is enabled on WLC, I understand that when WLC fails (and RADIUS Server is still reachable), can we still have the AP directly contact RADIUS server as a direct client and provide 802.1X Microsoft PEAP authentication. Guess this is Primary Backup Radius Server configuration. Is this understanding correct ?
    Yes, when this option is configured & the WLC is not reachable (but RADIUS is reachable) then the AP will act as authenticator & pass RADIUS messages to the auth server directly.
    This is a very good Cisco Live presentation you should see, as it describes lots of these features & which WLC codes introduced them.
    BRKEWN-2016 - Architecting Network for Branch Offices with Cisco Unified Wireless
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Web Redirection Problem on Cisco ISE 1.2 and WLC 7.5

    Hello,
    We are at initial phase of deploying ISE 1.2 in our environment for Wireless Guest Users.
    I have configured ISE and the WLC to talk to each other, which is working fine. An SSID with MAC filtering is also configured on the WLC, with an ACL only allowing ISE and DNS traffic.
    I have configured proper authentication and authorization policies on ISE. Now, when I try to connect my device (laptop and Android mobile), I see my device gets associated with the SSID (Demo) and gets the right IP address from DHCP and the right VLAN from the WLC. The log process on ISE is as follows.
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    11027  Detected Host Lookup UseCase (Service-Type = Call Check (10))
    15049  Evaluating Policy Group
    15008  Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    15041  Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Source - Internal Endpoints
    24210  Looking up User in Internal Users IDStore - B8:B4:2E:A6:7D:75
    24216  The user is not found in the internal users identity store
    24209  Looking up Endpoint in Internal Endpoints IDStore - B8:B4:2E:A6:7D:75
    24211  Found Endpoint in Internal Endpoints IDStore
    22037  Authentication Passed
    15036  Evaluating Authorization Policy
    15048  Queried PIP
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule - Guest Redirection
    15016  Selected Authorization Profile - Test_Profile
    11002  Returned RADIUS Access-Accept
    I also see a redirect URL in the detailed authentication logs. But the problem is that when I open the browser on my device, it doesn't get redirected to the guest portal URL. Now since I can't get there, I can't continue with the rest of the process of authentication, CoA and the final ACL for internet access.
    Can someone please either guide me on the correct steps that I need to follow, if I have misconfigured something, or advise if this is a bug.
    Thanks in advance.
    Jay

    The ACL is definitely used to define what traffic is redirected to ISE and what traffic is not redirected. Having the permit-all statement at the end will break redirection. If you are using FlexConnect then you will need to use FlexConnect ACLs and apply those to the FlexConnect APs. The links below should give you an idea of what needs to be done:
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-000.html
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
    Thank you for rating helpful posts! 

  • ISE and WLC for posture remediation

    Please can anybody clarify a few things in relation to ISE and wireless posture.
    1) Is the ACL-POSTURE-REDIRECT used for remediation, or is it just an ACL to redirect only some traffic to kick off posture checking?
    2) Can/should a dACL/wACL be specified as a remediation ACL?
    3) Do the WLC ACLs have to be written in long format (manually specifying source and dest ports)? Doesn't direction "any" work?
    4) Does anybody have working example ACLs for posture redirect (cpp) and remediation (dACL)?
    5) Any other advice or pointers would be helpful too, as no docs I have found so far, be it TrustSec2, Cisco Live or anything else, seem to help me understand WLC posture and remediation.
    thanks
    Nick

    Nick,
    Answers are inline:
    1) Is the ACL-POSTURE-REDIRECT used for remediation, or is it just an ACL to redirect only some traffic to kickoff posture checking? This is for both: if ports 8905... are included, then this is for initial redirection and remediation.
    2) Can/Should a dACL/wACL be specified as a remediation ACL? Wireless does not support dACLs; you will have to reference another ACL in the authorization policy. The new versions have the Airespace ACL field, where you will reference the ACL defined locally on the WLC.
    3) Do the WLC ACLs have to be written in long format (manually specifying source and dest ports/doesny direction any work?) Yes, you have to add two entries. For example, for all traffic redirection to ISE: source = any, destination = ISE IP address, source port = any, destination port = any, direction = any, action = permit;
    source = ISE IP address, destination IP = any, source port = any, destination port = any, direction = any, action = permit. It's not the easiest, but I will attach a screenshot that will show you my example.
    4) Does anybody have working example ACLs for posture redirect (cpp) and remediation (dACL)? ISE doesn't support dACLs for wireless, so when you build your authorization profile in ISE you select the web authentication type (Posture Discovery); after that the ACL field will come up, and there you "call" the posture ACL which is defined on your controller.
    5) Any other advice or pointers would be helpful too as no docs i have found so far, be it TrustSec2, CiscoLive or anything else, dont seem to help me understand WLC posture and remediation. Keep in mind that you have to have RADIUS NAC and AAA override enabled under the advanced settings for CoA to work.
    You have to turn on CoA under the global settings in ISE (Administration > Profiling > CoA Type > Reauth).
    Then you have to build your policies so that when a user connects to the network they are redirected to download the NAC agent (this is where the Posture Discovery and redirect ACL work in tandem).
    Once the client downloads the NAC agent and is compliant, the report is forwarded to ISE, where a CoA event is triggered.
    Then the client will reauthenticate and will hit another policy that will give them access once their machine is compliant; you can set the ACLs for restricted access, use dynamic VLAN assignment, or just send the Access-Accept.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
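    As an added example (not from either answer, and not the WLC's own code), this Python model shows the permit/deny semantics of a WLC redirect ACL that both the CWA answer above and Tarik's answers 3 and 4 rely on: traffic matching a permit entry is forwarded normally, anything else falls to the implicit deny and is redirected to the portal, so a trailing permit-any forwards everything and nothing is ever redirected. The ACL is stateless, hence one entry per direction. The ISE, DNS and client addresses are constructed.

```python
"""Model of a WLC pre-authentication (redirect) ACL as used with ISE CWA
and posture.  On the WLC, 'permit' = forward without redirect, 'deny' (or
the implicit deny at the end) = redirect the client's web traffic to ISE.
Entries are matched top-down, first match wins."""
from ipaddress import ip_address, ip_network

# Constructed sample addresses (hypothetical, not from the thread)
ISE_PSN = "10.0.0.50"      # ISE policy service node
DNS_SERVER = "10.0.0.10"   # DNS the client must reach before redirect
ANY = "0.0.0.0/0"


def acl_entry(src, dst, proto="any", sport="any", dport="any",
              direction="any", action="permit"):
    """One WLC ACL line: source/dest network, protocol, ports, direction."""
    return {"src": src, "dst": dst, "proto": proto, "sport": sport,
            "dport": dport, "direction": direction, "action": action}


def flow(src, dst, proto="tcp", sport=40000, dport=80,
         direction="client->network"):
    """One packet flow seen by the WLC (constructed for the example)."""
    return {"src": src, "dst": dst, "proto": proto, "sport": sport,
            "dport": dport, "direction": direction}


def _match(entry, pkt):
    return (ip_address(pkt["src"]) in ip_network(entry["src"], strict=False)
            and ip_address(pkt["dst"]) in ip_network(entry["dst"], strict=False)
            and entry["proto"] in ("any", pkt["proto"])
            and entry["sport"] in ("any", pkt["sport"])
            and entry["dport"] in ("any", pkt["dport"])
            and entry["direction"] in ("any", pkt["direction"]))


def evaluate(acl, pkt):
    """Return 'forward' if a permit entry matches first, else 'redirect'."""
    for entry in acl:
        if _match(entry, pkt):
            return "forward" if entry["action"] == "permit" else "redirect"
    return "redirect"   # implicit deny on the WLC: client gets the portal


# ACL as the thread describes it: ISE both ways, DNS both ways, nothing
# else permitted, so every other flow hits the implicit deny (redirect).
REDIRECT_ACL_OK = [
    acl_entry(ANY, ISE_PSN + "/32"),
    acl_entry(ISE_PSN + "/32", ANY),
    acl_entry(ANY, DNS_SERVER + "/32", proto="udp", dport=53),
    acl_entry(DNS_SERVER + "/32", ANY, proto="udp", sport=53),
]

# The mistake the first answer warns about: a permit-any at the end.
REDIRECT_ACL_BROKEN = REDIRECT_ACL_OK + [acl_entry(ANY, ANY)]


def redirect_check(acl, client="10.1.1.25"):
    """How four representative guest-client flows are treated by an ACL."""
    return {
        "to_ise":  evaluate(acl, flow(client, ISE_PSN, dport=8443)),
        "posture": evaluate(acl, flow(client, ISE_PSN, dport=8905)),
        "dns":     evaluate(acl, flow(client, DNS_SERVER, proto="udp", dport=53)),
        "web":     evaluate(acl, flow(client, "203.0.113.7", dport=80)),
    }


if __name__ == "__main__":
    print("correct ACL  :", redirect_check(REDIRECT_ACL_OK))
    print("permit-all   :", redirect_check(REDIRECT_ACL_BROKEN))
```

    With the correct ACL only the "web" flow reports "redirect"; with the trailing permit-any every flow reports "forward", which is exactly the "browser never reaches the portal" symptom in the question.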

  • Linksys PCI cards and WLC problems

    Hi,
    I have Linksys WMP200 and WMP54G Wi-Fi PCI cards installed on a PC.
    My infrastructure is a WLC 2106 and three APs: two 1231G and one 1242G.
    The problem is that the cards have a problem connecting to the WLAN.
    Broadcast SSID must be enabled, then the cards connect to the WLAN; otherwise there is a problem with the connection.
    When the card is connected, the connection is unstable and poor.
    The cards have the newest firmware installed.
    Has anyone encountered a similar problem?
    Kamil

    Hi Kamil,
    Have you associated other types of clients with these APs? If so, do they perform better?
    You might want to start by checking the status of the poorly performing client on the controller while it's connected:
    Monitor -> Clients
    You'll primarily be interested in the RSSI and SNR. The other counters such as 'excessive retries' should be observed as well.
    Also check the AP's radio interface stats. Check for excessive interference or channel utilization.
    This is a very helpful doc that you may want to check out:
    Unified Wireless Network: Troubleshoot Client Issues
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00809d45a2.shtml
    Let us know if any of this helps.
