WLC 2504 N+1 HA SKU clone configuration

Hi Team,
I'm working on a couple of WLC 2504 deployments in an N+1 HA SKU topology.
On both controllers the software version is 7.6. We established the N+1 HA configuration step by step as in this guide:
http://www.cisco.com/c/en/us/td/docs/wireless/technology/hi_avail/N1_High_Availability_Deployment_Guide.pdf
Is it possible to clone the SSID and AP group configuration from the primary controller to the backup controller?
Thanks in advance

Hello.
It all depends. If both controllers are in the same place you may be able to map your settings. Otherwise you should take into consideration what would happen to your FlexConnect APs in case of failure of one of the controllers, and likewise the dynamic interfaces that you created.
If you have everything centralized, you can map the entire configuration of your main controller without problem, including SSIDs, security settings, AP groups, etc.
**Please rate useful answers**

Similar Messages

  • WLC 2504 HA Configuration

    Hi Guys,
    What configuration should I use in order to configure HA using 2x Cisco WLC 2504?
    - Do I need to have licenses for both controllers? I have only one WLC with a license installed.
    At the moment I have the following scenario below.
    AIR-CT2504-K9 – Primary (30 Aps Supported)
    AIR-CT2504-HA-K9 – Secondary (0 license)
    Software Version - 7.6.130.0 (Both Controllers)
    Both controllers are going to be in the same place.
    Can anyone help me please ?
    Thanks,
    Everton

    Thanks Scott Fella !
    Just one more question.
    Should I use a crossover cable to connect the primary controller to the secondary ? Or should I use a switch to connect them ?
    Thanks,
    Everton

  • Configure a second Wlan on WLC 2504

    Hello,
    I created a topic about this problem on the Cisco Learning Network site too. You can find it here: https://learningnetwork.cisco.com/thread/73201.
    The problem is:
    We have the Cisco WLC 2504 with a couple of access points. On this WLC we have a network connection via a RADIUS server for our employees. The DHCP server for this connection is the server you see on the drawing. The connection from the switch to the WLC is connected on port 1 of the WLC. This connection works like a charm.
    Now I want to create a second network (which is separated from our internal network) for our guests, but so far it doesn't work. What we have at the moment is:
    A connection from the firewall via the router to the internet
    A connected cable from the firewall to the WLC on port 2
    A configured interface (port 2) on the WLC
    A configured Wlan on the WLC (it is possible to connect to the guest Wlan with a static IP)
    The SSID of the guest network is broadcast via the APs, which also broadcast the internal network SSID
    The problem I have now is:
    I have no connection between the WLC Port 2 (192.168.10.2) and the firewall (192.168.10.1). When I try to ping the firewall (192.168.10.1) I get a no reply received message.
    How can I get this working? I hope someone can help me with this. Thanks in advance!
    Screenshots:
    Guest interface
    Network layout
    Show int sum
    Show wlan sum
    Wlan general
    Wlan advanced

    Frank,
    The issue is that the WLC will not route between VLANs.  In order for the scenario that Rasika recommended to work, the switch needs to be a layer 3 switch or needs a layer 3 device attached to it to route between the VLANs.
    In my WLC, I have a guest interface as well:
    The gateway listed in the VLAN 50 Interface on my L3 Switch:
    I then have a route established on my switch to send that traffic to my ASA:
    Due to that, I can ping the ASA from my WLC:
    Of course, my WLAN for guests only has access to the guest Interface Group:
    Try these changes on your switch (or other Layer 3 Device) and let us know if it worked for you.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Configuration of Cisco WLC 2504 with Local LAN static IP and DHCP

    I want to configure a Cisco WLC 2504 with a static IP on the local LAN, and a WLC 2504 with DHCP, so that APs can connect to the controller.
    Currently I am using the WLC 2504 with DHCP, so can anyone suggest how to do that?

    Hi Sandeep
    The info is correct if we're using code below 7.3.101.0.
    This issue is fixed via the below bug ID.
    CSCto01390 Unable to ping AP's directly connected to a 2500 controller
    Check the fix that is documented in the 7.4 and 7.5 release notes.
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn75.html
    Note
    Directly connected APs are supported only in Local mode.
    http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps11630/data_sheet_c78-645111.html
    For quick and easy deployment, access points can be connected directly to the 2504 Wireless LAN Controller via its two PoE (Power over Ethernet) ports.
    Thanks
    Saravanan

  • WLC 2504 7.5 Redundancy

    Hi all,
    Just a little question about high availability on the Cisco 2504 WLC, version 7.5.102.0.
    Following the Cisco documentation for the WLC, I want to set up the HA configuration by going to the Controller > Redundancy menu. My issue is that this menu does not exist on my WLC.
    Does anyone know if this version of IOS is HA capable or not?
    Thanks
    Fabien.

    Hi,
    When the active controller is unavailable, the standby controller will adopt the licenses from the primary controller. It is expected that you will be able to get the primary controller back online within 90 days. After 90 days, you will get a daily reminder to switch back to the primary controller.
    http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps10315/qa_c67-714540.html
    Table 1. Controller Support for HA and Stateful Switchover

    | Controller Model   | SKU                                     | Supports N+1 | Supports SSO |
    |--------------------|-----------------------------------------|--------------|--------------|
    | 5508               | AIR-CT5508-HA-K9                        | Yes          | Yes          |
    | WiSM2              | WS-SVC-WISM2HA-K9= / WS-SVC-WISM2-HA-K9 | Yes          | Yes          |
    | Flex 7500          | AIR-CT7510-HA-K9                        | Yes          | Yes          |
    | 8500               | AIR-CT8510-HA-K9                        | Yes          | Yes          |
    | 2500               | AIR-CT2504-HA-K9                        | Yes          | No           |
    | UC blade on ISR G2 | No                                      | Yes          | No           |
    | Virtual controller | No                                      | Yes          | No           |

    regards

  • Acs 5.3 and wlc 2504 config with restricted network access

    Hello,
    I submit to you the following issue that I'm currently facing:
    I must configure a secured wireless network with access restriction based on SSID. The equipment is: Cisco WLC 2504 (software 7.3) and Cisco Secure ACS appliance 1121 (software 5.4).
    The users that will connect to the network are grouped by identity groups, each identity group having its own SSID. Clearly, each group of users must access only one SSID.
    I followed the procedure below to configure it:
    - creating user identity groups;
    - creating users and assigning them to the groups;
    - creating authorization profiles for each SSID under Policy Elements / Authorization and Permissions / Network Access / Authorization Profiles and putting the Airespace-Wlan-Id (the SSID number) in the RADIUS tab;
    - assigning the authorization profiles to the identity groups under Access Policies.
    After all this config the users can access the network using their configured user ID/password. But the problem is that every user can access every SSID; it seems the restriction is not configured very well.
    I found some documentation on this kind of config, but the version of ACS used seems older than the one that I use, so the menus are very different.
    Please can someone provide the right steps to follow to achieve this kind of config.
    tkx in advance

    Yes.. you only have to add the end filter like what I posted... as far as the calling station ID in the WLC security tab, it doesn't matter because that is not used when using 802.1x.  I would also try to not enable everything that you have, just to start from the basics and make sure it works first.  The WAP Authentication Method might or might not work for you.  Uncheck that for now and when you have a successful authentication, look at the monitor log and see what RADIUS attributes are being sent, because those attributes are what you can use to build your policies.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • DHCP Error with WLC 2504 and Aironet 2600 setup across subnets

    Hey guys
    I have just set up a new WLC 2504 controller to manage a WiFi service that will span 6 geographic locations.  The local networks at each location are on different subnets (all 192.168.x.x) and are linked up via IPsec VPN links, and there is Active Directory spanning the sites, with DNS and DHCP servers running at each location.
    I tested the WLC at our main office with a single AP, and it worked fine.  The AP set itself up, and wireless devices connect with no probs. Great!  Yesterday I headed out to one of our remote sites and connected an AP to their network - and that seemed to work fine too.  Within a few minutes I was able to see the WiFi network I'd set up, and my smartphone connected to it straight away (as I'd previously connected at the main office), so I was pretty happy that all was working well.
    This morning however I've had notification that WiFi performance at the remote site isn't great.  I've got someone to check their IP address, and I've found that their IP address and default gateway match the LAN at the main office where the WLC is based - NOT the LAN where the wireless client is.  Obviously this is not ideal!
    So I guess my question is, what have I done wrong?  (I guess I HAVE done something wrong!?)  And how can I get wireless clients at remote sites to pick up an IP from the DHCP server at THEIR site?
    Any help would be greatly appreciated! 
    Thanks!           

    Hello Tim,
    What mode are your APs in? Local mode or FlexConnect mode?
    If local mode, then all the traffic will be tunnelled to the WLC and they'll be the same as if you were connecting from the WLC location.
    If you use FlexConnect APs (which is recommended for remote sites) you can configure FlexConnect groups on the WLC and add each location in a specific group. In that group you can decide what VLAN the users should be in.
    Check this link for FlexConnect group configuration
    http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_flexconnect.html#wp1230080
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Best practices for network design on WLC 2504 and 5508

    Dear all:
    I'm looking for some recommendations on WLC 2504 and 5508 about the following:
    Maximum number of APs per port
    The scenario when to use all ports on both WLCs
    Maximum number of clients (users) per port
    Bandwidth consumption of management vs data, in order to assign one port for management
    I've just found this:
    Cisco 5508 controllers have eight Gigabit Ethernet distribution system ports, through which the controller can manage multiple access points. The 5508-12, 5508-25, 5508-50, 5508-100, and 5508-250 models allow a total of 12, 25, 50, 100, or 250 access points to join the controller. Cisco 5508 controllers have no restrictions on the number of access points per port. However, Cisco recommends using link aggregation (LAG) or configuring dynamic AP-manager interfaces on each Gigabit Ethernet port to automatically balance the load. If more than 100 access points are connected to the 5500 series controller, make sure that more than one gigabit Ethernet interface is connected to the upstream switch.
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/6-0/configuration/guide/Controller60CG/c60mint.html
    Thanks for your help.

    The 5508-12, 5508-25, 5508-50, 5508-100, and 5508-250 models allow a total of 12, 25, 50, 100, or 250 access points to join the controller.
    This is an old document.  5508 can now support up to 500 APs if you run firmware 7.X.  2504 can support up to 75 APs if you run firmware 7.4.X.
    I'm looking for some recommendations on WLC 2504 and 5508 about the following:
    Best practice and recommendation is to LAG all ports so you will be able to form link redundancy.  If one link goes down, you have another link to push traffic.

  • WLC 2504 redundancy set up

    WLC: 2504
    Firmware: 7.6.100
    Hello,
    I'm getting very confused in how to set up redundancy with WLC 2504. Some sources talk about Client SSO, some about N+1.
    But it seems that although I should use Client SSO with firmware 7.6, the WLC 2504 doesn't support it.
    When I type config redundancy, I have no choice
    >config redundancy ?
    unit           Configure redundancy unit [primary | secondary]
    So I typed "config redundancy unit primary" on my 2504 and "config redundancy unit secondary" on my 2504-HA
    And when I issue this command I have very little information
    >show redundancy summary
    Type of the Unit = Primary
    Does someone have guidelines for redundancy with the WLC 2504 on firmware 7.6?
    Thank you

    Hello,
    Thank you both for your answers.
    Something I didn't understand in the documentation is this.
    Is there a replication of configuration between the WLC primary and the HA ? I did read that they should have different network settings (IP addresses) so I understand that there is not a total replication, what about the rest of the configuration ?
    The only result I have when I issue a command on the WLC-HA is this
    >show redundancy summary
    Type of the Unit = Secondary
    It doesn't look exactly what I see in the documentation.
    Thank you
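Both the original question (cloning SSID and AP-group configuration to the backup) and this thread (whether the primary replicates anything to the HA unit) come down to the same check: the two 2504s are configured independently, so the shared parts of the configuration must match while the per-box parts must differ. The following is an added example, not code from the thread or from Cisco: a small diff tool over two configuration exports. The config text is constructed in the style of `show run-config commands` output, and the exact command lines used (`config wlan ...`, `config radius auth add ...`, `config sysname`, `config interface address management ...`, `config redundancy unit ...`) are assumptions about that format.

```python
# Added example, not from the thread: compare the configurations of an N+1 primary and its
# HA-SKU backup. There is no configuration replication between the two 2504s, so WLAN/SSID,
# AP-group and RADIUS commands must be present on both, while per-box settings (sysname,
# management address, redundancy unit) must differ. The config text is constructed in the style
# of 'show run-config commands' output; the command lines themselves are assumptions.
CLONED_PREFIXES = ("config wlan ", "config radius auth ")
PER_BOX_PREFIXES = ("config sysname ", "config interface address ", "config redundancy unit ")

PRIMARY_CFG = """
config sysname WLC-PRI
config interface address management 10.0.0.10 255.255.255.0 10.0.0.1
config redundancy unit primary
config wlan create 1 Corp Corp
config wlan security wpa enable 1
config wlan apgroup add Floor1
config wlan enable 1
config radius auth add 1 10.0.0.50 1812 ascii PLACEHOLDER-SECRET
"""

# Constructed backup config with three deliberate mistakes: a missing security line,
# an extra WLAN, and 'redundancy unit primary' on what should be the secondary.
BACKUP_CFG = """
config sysname WLC-HA
config interface address management 10.0.0.11 255.255.255.0 10.0.0.1
config redundancy unit primary
config wlan create 1 Corp Corp
config wlan apgroup add Floor1
config wlan enable 1
config wlan create 2 Lab Lab
config radius auth add 1 10.0.0.50 1812 ascii PLACEHOLDER-SECRET
"""


def commands(text, prefixes):
    """Set of config lines that start with any of the given prefixes."""
    return {ln.strip() for ln in text.splitlines() if ln.strip().startswith(prefixes)}


def compare_clones(primary, backup):
    """Report what the backup lacks or adds, and per-box settings that wrongly collide."""
    want, have = commands(primary, CLONED_PREFIXES), commands(backup, CLONED_PREFIXES)
    unique_p, unique_b = commands(primary, PER_BOX_PREFIXES), commands(backup, PER_BOX_PREFIXES)
    return {
        "missing_on_backup": sorted(want - have),
        "extra_on_backup": sorted(have - want),
        "per_box_collisions": sorted(unique_p & unique_b),
    }


def backup_is_clone(primary, backup):
    """True only when the shared sections match and no per-box setting is duplicated."""
    r = compare_clones(primary, backup)
    return not (r["missing_on_backup"] or r["extra_on_backup"] or r["per_box_collisions"])


if __name__ == "__main__":
    for key, value in compare_clones(PRIMARY_CFG, BACKUP_CFG).items():
        print(key, value)
```

Run it against the two constructed configs and it reports the missing WPA line, the extra Lab WLAN, and the duplicated `config redundancy unit primary`, which is exactly the kind of drift that would otherwise only show up during a failover.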

  • WLC 2504 can't change WAP name or switch off CDP via WLC gui

    Hi All,
    Please can you assist? I have 1 x Cisco WLC 2504 & 2 x Cisco WAP AIR-CAP1602I-E-K9 running 7.4.100.60.
    All three devices are installed and working correctly within a corporate environment. However, there are a few tweaks that I would like to do, to tidy up the configuration and switch certain elements on or off. For example, my core networking hardware is Huawei and I would like to switch off 'CDP' on the WAPs as the associated error messages are filling up the logging buffer on my switch. So, I https to my WLC, locate the WAP in question, go to 'interfaces' and untick the box for 'CDP state', hit apply, then I get the following error message "controller name is mandatory when controller ip address is configured" and then the tick reappears!
    At present I have two WAPs. Both have static IP addresses and both are reachable on the network. One WAP did allow me to change the name to something meaningful, but the other WAP would not let me and still has the default MAC address as its name. I have the same issue: when I try to change the name on the WAP it says "controller name is mandatory when controller ip address is configured"
    I have also tried to CLI directly into the WAP to make these alterations, but as soon as I launch 'putty' it quits out. I guess this is locked down once the WAPs associate with the WLC.
    And around I go.... Someone must have been in this situation, what am I missing? Thanks in advance!

    Hi Andy,
    By default SSH & Telnet are disabled for WLC-controlled APs. So you have to enable them first via the WLC GUI in order to access the AP via Telnet or SSH.
    Wireless -> Select your AP -> Advanced -> Tick Telnet/SSH boxes.
    If you could not change the AP name via the WLC GUI (it may be a bug), then as I said earlier try to change it via the WLC CLI (not the AP CLI itself). SSH to your WLC & then try the following. The old AP name is the one with its MAC address.
    (WLC) >config ap name <new_name> <old_name>
    (WLC) >save config
    Are you sure you want to save? (y/n) y
    Configuration Saved
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510

    I need to add guest (internet only) wireless to our existing internal wireless and am looking for advice as to the best practice configuration. Existing infrastructure as follows:
    WLC 2504
    1142 LAPs
    4510R+E
    ASA 5510
    Existing configuration as follows:
    WLC management interface and APs addressed on the 192.168.126.0 /25 network
    Internal WLAN mapped to the management interface
    Management interface VLAN ID 0 (untagged) and dynamic AP management enabled
    WLC port 1 (only) connected to 4510 via trunk with native VLAN set to 7 and allowed VLAN set to 7
    4510 connected to ASA inside interface (security level 100)
    Switchport on 4510 connected to ASA configured as switchport access VLAN 99 (our internet VLAN)
    ASA inside interface NOT configured for subinterfaces and is addressed on the 192.168.121.0 /25 network
    What is the best way to add guest wireless to our existing configuration?
    Note: I need the guest wireless to be filtered by Websense as our internal wireless is
    Any advice would be greatly appreciated!

    Thanks for the reply Scott. The configuration recommendations from Yahya did not work. I set up as he recommended and also added a DHCP scope on the WLC. The client gets DHCP but cannot even ping the WLC, much less anything else. Yahya stated above to configure port 2 on the WLC to an access port on my 4510. Aren't all connections from the WLC supposed to be trunk links to the switch? Shouldn't I just leave the management interface on the WLC untagged and add a dynamic interface for each WLAN and tag it with the appropriate VLAN ID? And then leave the (one) physical connection on the WLC (port 1) connected to a trunk link on the 4510 that allows the required VLANs?
    Any input would be greatly appreciated...
    JW

  • Cisco WLC 2504 and ways to authenticate users

    Hi All,
         What are the ways to make users authenticate to a WLC 2504, what is the best and simplest way, and what are the differences between each method (I mean, for example, whether a RADIUS server or something else needs to exist)?
         And can anyone give me a case study for this issue?
    System consist of Cisco 2504 and Cisco LAP 1140
    Thanks

    Implementing RADIUS-based authentication is the best practice for small and enterprise environments.
    Information About RADIUS
    Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol that provides centralized security for users attempting to gain management access to a network. It serves as a backend database similar to local and TACACS+ and provides authentication and accounting services:
    •Authentication—The process of verifying users when they attempt to log into the controller.
    Users must enter a valid username and password in order for the controller to authenticate users to the RADIUS server. If multiple databases are configured, you can specify the sequence in which the backend database must be tried.
    •Accounting—The process of recording user actions and changes.
    Whenever a user successfully executes an action, the RADIUS accounting server logs the changed attributes, the user ID of the person who made the change, the remote host where the user is logged in, the date and time when the command was executed, the authorization level of the user, and a description of the action performed and the values provided. If the RADIUS accounting server becomes unreachable, users are able to continue their sessions uninterrupted.
    RADIUS uses User Datagram Protocol (UDP) for its transport. It maintains a database and listens on UDP port 1812 for incoming authentication requests and UDP port 1813 for incoming accounting requests. The controller, which requires access control, acts as the client and requests AAA services from the server. The traffic between the controller and the server is encrypted by an algorithm defined in the protocol and a shared secret key configured on both devices.
    You can configure multiple RADIUS accounting and authentication servers. For example, you may want to have one central RADIUS authentication server but several RADIUS accounting servers in different regions. If you configure multiple servers of the same type and the first one fails or becomes unreachable, the controller automatically tries the second one, then the third one if necessary, and so on.
    For more information: http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_security_sol.html#wp2149947
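The paragraph above says the controller-to-server traffic is "encrypted" with the shared secret; what RFC 2865 actually specifies is narrower, and worth seeing concretely: the secret feeds the Response Authenticator (so the controller can tell a genuine reply from a forged or tampered one) and the MD5-based hiding of the User-Password attribute, while usernames and all other attributes travel in the clear. The same exchange is also where the SSID restriction from the ACS thread further up is enforced: the server returns the Airespace-Wlan-Id vendor attribute (vendor 14179, type 1) and the controller compares it with the WLAN the client is on. The following is an added example, not code from the thread or from Cisco, that runs both sides of the exchange in one process; the users, secrets and packets are constructed.

```python
# Added example (not from the thread): a RADIUS Access-Request / Access-Accept exchange per
# RFC 2865 between a WLAN controller (RADIUS client) and a RADIUS server. Shows what the shared
# secret is used for (Request/Response Authenticators, User-Password hiding) and how the server's
# Airespace-Wlan-Id VSA lets the controller confine a user to one WLAN. Everything is constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26
AIRESPACE_VENDOR_ID, AIRESPACE_WLAN_ID = 14179, 1


def xor_password(data, secret, request_auth, hiding):
    """RFC 2865 5.2: 16-byte blocks XORed with MD5(secret + previous cipher block)."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out if hiding else out.rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def airespace_wlan_vsa(wlan_id):
    # Vendor-Id, vendor type, vendor length (type + len + value = 6), 32-bit WLAN id
    return struct.pack("!IBBI", AIRESPACE_VENDOR_ID, AIRESPACE_WLAN_ID, 6, wlan_id)


def wlan_id_from_attrs(attrs):
    for t, v in attrs:
        if t == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == AIRESPACE_VENDOR_ID \
                and v[4] == AIRESPACE_WLAN_ID:
            return struct.unpack("!I", v[6:10])[0]
    return None


def response_authenticator(code, ident, attrs, request_auth, secret):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_request(ident, secret, username, password):
    request_auth = os.urandom(16)  # fresh random Request Authenticator per request
    attrs = encode_attrs([(ATTR_USER_NAME, username.encode()),
                          (ATTR_USER_PASSWORD, xor_password(password.encode(), secret, request_auth, True))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(request, secret, user_db):
    """Server side. user_db maps username -> (password bytes, permitted WLAN id)."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], dict(decode_attrs(request[20:length]))
    user = attrs[ATTR_USER_NAME].decode(errors="replace")  # username is plaintext on the wire
    pw = xor_password(attrs[ATTR_USER_PASSWORD], secret, request_auth, False)
    entry = user_db.get(user)
    if entry and hmac.compare_digest(entry[0], pw):
        code = ACCESS_ACCEPT
        resp_attrs = encode_attrs([(ATTR_VENDOR_SPECIFIC, airespace_wlan_vsa(entry[1]))])
    else:
        code, resp_attrs = ACCESS_REJECT, b""
    auth = response_authenticator(code, ident, resp_attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(resp_attrs)) + auth + resp_attrs


def controller_decide(response, request_auth, secret, client_wlan_id):
    """Controller side: check the Response Authenticator first, then the WLAN restriction."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    attrs_raw = response[20:length]
    expected = response_authenticator(code, ident, attrs_raw, request_auth, secret)
    if not hmac.compare_digest(response[4:20], expected):
        return "bad-authenticator"  # wrong secret or a tampered/forged reply: ignore it
    if code != ACCESS_ACCEPT:
        return "rejected"
    allowed = wlan_id_from_attrs(decode_attrs(attrs_raw))
    return "accepted" if allowed in (None, client_wlan_id) else "wrong-wlan"


def run_exchange(client_secret, server_secret, username, password, client_wlan_id, user_db):
    """Run one exchange in-process and return the controller's decision."""
    req = build_access_request(42, client_secret, username, password)
    resp = server_handle(req, server_secret, user_db)
    return controller_decide(resp, req[4:20], client_secret, client_wlan_id)
```

With `users = {"alice": (b"s3cret", 2)}`, `run_exchange(s, s, "alice", "s3cret", 2, users)` yields `accepted`, the same user on WLAN 3 yields `wrong-wlan`, and a secret mismatch between controller and server yields `bad-authenticator` rather than a silent failure. Note that only the password is hidden; everything else, including the username and the WLAN id, is readable by anyone on the path, which is why RADIUS between controller and server belongs on a protected management network.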

  • Savant and WLC 2504

    The customer has 1x WLC 2504 and 7x AP 3502i.
    He is installing an automation system called Savant; this system uses the Bonjour protocol to discover the services on the network.
    I've configured the multicast group on the controller and switch (SG300) with IP 239.xxx.xxx.xxx, but Savant (on the iPad) doesn't find the service.
    Has somebody gone through a similar scenario?
    I've used this document: http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_tech_note09186a0080bb1d7c.shtml
    PS: The customer doesn't have VLANs.
    Best regards.

    # Disable mDNS/Bonjour on the WLC, place the WLC management and AP VLAN on the same subnet, keep the Savant server and the iPhone on the same WLAN and try.
    # The WLC 2500 supports only multicast-to-multicast AP mode, so be sure that wired-side multicast is configured properly and working.
    # Try any standard app to verify that Bonjour and AP-mode multicast work.
    # It is possible that a specific service string needs to be added to the Bonjour profile for Savant to work. Do "debug mdns all enable" and see what is missing.
    It is suggested to open a TAC case for troubleshooting.

  • WLC 2504 LAG - Issue

    Hello All,
    I am having difficulty connecting via the GUI to my 2504 WLC controller, with code 7.4, via a LAG link. I have configured a tagged VLAN (VLAN 40) on the WLC ap-management port.
    I have configured a port-channel on a C2960s
    interface Port-channel2
    switchport trunk allowed vlan 1,40,45,50,55,60
    switchport mode trunk
    I have configured the interfaces on the C2960S
    interface range GigabitEthernet1/0/1 - 4
    description BH-C2960SPSL24-01 connection to BH-C2504WLC-01
    switchport trunk allowed vlan 1,40,45,50,55,60
    switchport mode trunk
    channel-group 2 mode active
    I can ping the interface, but cannot bring up a gui.

    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.01.17 22:27:37 =~=~=~=~=~=~=~=~=~=~=~=
    show run
    Building configuration...
    Current configuration : 10532 bytes
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    boot-start-marker
    boot-end-marker
    no aaa new-model
    switch 1 provision ws-c2960s-24ps-l
    crypto pki trustpoint TP-self-signed-131252096
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-131252096
    revocation-check none
    rsakeypair TP-self-signed-131252096
    crypto pki certificate chain TP-self-signed-131252096
    certificate self-signed 01
      3082023D 308201A6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 31333132 35323039 36301E17 0D393330 33303130 30303830
      355A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
      532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3133 31323532
      30393630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
      D1D20BAE AE0D9EF4 049AF361 1FFAC404 33C7940F 0EC84FA3 52470085 11BE1B6F
      EF7795D5 D81F0AD5 25D3668A 7004C157 BC4C4AE6 84A3302A CE774AAF E388A3BE
      1249476C 396F042A 90DA38B8 5C413D4E 1C6A9405 80A12F74 50F6571E DC11306E
      6AFFB6DF FB6E9292 96EE61A6 9EF87310 E4722DB3 3B10368D C737BAE4 93F3B759
      02030100 01A36730 65300F06 03551D13 0101FF04 05300301 01FF3012 0603551D
      11040B30 09820753 77697463 682E301F 0603551D 23041830 168014CE 95CAC648
      8F3F96AE B382A38E 4AC7B6BF 9DEB9F30 1D060355 1D0E0416 0414CE95 CAC6488F
      3F96AEB3 82A38E4A C7B6BF9D EB9F300D 06092A86 4886F70D 01010405 00038181
      0063BCAE 64F7D969 244A07C3 B0D70FEF 00E78CF7 4EF017BE 72745FED 090AF5DA
      7420B4BD EAB89849 C7241FAE A8496714 5BF6331F A6936762 A861756E A55A43D8
      9366AAB5 C55DECEE F84AFC63 964834C0 E917FCF5 DA5B9043 FD0365B6 03351CA8
      7C4EAB92 831BA642 DD210D4B 0C21E6A8 F0BDA231 3AF9652C D376DAC2 1E17ABFC DB
      quit
    spanning-tree mode pvst
    spanning-tree extend system-id
    auto qos srnd4
    port-channel load-balance src-dst-ip
    vlan internal allocation policy ascending
    interface Port-channel1
    switchport trunk allowed vlan 1,40,45,50,55,60
    switchport mode trunk
    interface Port-channel2
    switchport trunk native vlan 99
    switchport trunk allowed vlan 1,40,45,50,55,60
    switchport mode trunk
    interface FastEthernet0
    no ip address
    shutdown
    interface GigabitEthernet1/0/1
    switchport trunk native vlan 99
    switchport trunk allowed vlan 1,40,45,50,55,60
    switchport mode trunk
    channel-group 2 mode on
    interface GigabitEthernet1/0/2
    switchport trunk native vlan 99
    switchport trunk allowed vlan 1,40,45,50,55,60
    switchport mode trunk
    channel-group 2 mode on
    interface GigabitEthernet1/0/3
    switchport trunk native vlan 99
    switchport trunk allowed vlan 1,40,45,50,55,60
    switchport mode trunk
    channel-group 2 mode on
    interface GigabitEthernet1/0/4
    switchport trunk native vlan 99
    switchport trunk allowed vlan 1,40,45,50,55,60
    switchport mode trunk
    channel-group 2 mode on
    interface GigabitEthernet1/0/21
    description BH-C2960S-01 GI 1/0/21 trunk connection to Watchguard Firebox
    switchport trunk native vlan 99
    switchport mode trunk
    interface GigabitEthernet1/0/22
    description Switch connection to AP
    interface GigabitEthernet1/0/23
    description BH-2960S-01 GI 0/22-24 trunk connection to BH-HPJ9022A-01 gi 47-48
    switchport trunk allowed vlan 1,40,45,50,55,60
    switchport mode trunk
    channel-group 1 mode active
    interface GigabitEthernet1/0/24
    description BH-2960S-01 GI 0/22-24 trunk connection to BH-HPJ9022A-01 gi 47-48
    switchport trunk allowed vlan 1,40,45,50,55,60
    switchport mode trunk
    channel-group 1 mode active
    interface GigabitEthernet1/0/25
    interface GigabitEthernet1/0/26
    interface GigabitEthernet1/0/27
    interface GigabitEthernet1/0/28
    interface Vlan1
    ip address 192.168.87.14 255.255.255.0
    interface Vlan40
    ip address 172.16.10.3 255.255.255.0
    no ip http server
    ip http secure-server
    line con 0
    exec-timeout 30 0
    password admin
    line vty 0 4
    access-class vty_ports in
    exec-timeout 30 0
    password admin
    login
    length 0
    line vty 5 15
    access-class vty_ports in
    exec-timeout 30 0
    password admin
    login
    end
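The two things that most often break a LAG between a Catalyst switch and a 2504 are visible in a running-config like the one above: member ports whose switchport settings (native VLAN, allowed VLANs, trunk mode) differ from the Port-channel, and a `channel-group` mode that negotiates LACP or PAgP, which the controller's LAG does not speak, so the switch side must be `channel-group <n> mode on`. The following is an added example, not code from the thread or from Cisco: a checker that parses an IOS-style running-config and reports both problems. The config text is constructed (indented like a real running-config) and loosely modelled on the one posted here, with one member port deliberately set to `mode active` and a native VLAN the Port-channel lacks.

```python
# Added example, not from the thread: sanity-check a Catalyst EtherChannel that faces a WLC LAG.
# Flags member ports whose switchport lines differ from the Port-channel, and channel-group modes
# that negotiate LACP/PAgP (the controller's LAG needs 'mode on' on the switch). The config text
# below is constructed and modelled on the one posted in the thread.
import re

NEGOTIATING_MODES = {"active", "passive", "desirable", "auto"}

SWITCH_CFG = """\
interface Port-channel2
 switchport trunk allowed vlan 1,40,45,50,55,60
 switchport mode trunk
!
interface GigabitEthernet1/0/1
 description connection to BH-C2504WLC-01
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,40,45,50,55,60
 switchport mode trunk
 channel-group 2 mode active
!
interface GigabitEthernet1/0/2
 switchport trunk allowed vlan 1,40,45,50,55,60
 switchport mode trunk
 channel-group 2 mode on
!
interface Vlan40
 ip address 172.16.10.3 255.255.255.0
!
"""


def parse_interfaces(config_text):
    """Map interface name -> its indented config lines (IOS running-config layout)."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        m = re.match(r"interface (\S+)", raw)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        elif raw.strip() != "!":
            current = None  # any other top-level line ends the interface block
    return interfaces


def check_lag(config_text):
    """Return a list of findings; an empty list means the EtherChannel looks consistent."""
    interfaces = parse_interfaces(config_text)
    members = {}  # channel-group number -> [(port, mode)]
    for name, lines in interfaces.items():
        for line in lines:
            m = re.match(r"channel-group (\d+) mode (\S+)", line)
            if m:
                members.setdefault(m.group(1), []).append((name, m.group(2)))
    findings = []
    for group, ports in members.items():
        po_switchport = {l for l in interfaces.get(f"Port-channel{group}", []) if l.startswith("switchport")}
        for port, mode in ports:
            if mode in NEGOTIATING_MODES:
                findings.append(f"{port}: channel-group {group} mode {mode} negotiates LACP/PAgP; "
                                f"use 'mode on' towards a WLC")
            port_switchport = {l for l in interfaces[port] if l.startswith("switchport")}
            diff = port_switchport ^ po_switchport
            if diff:
                findings.append(f"{port}: switchport config differs from Port-channel{group}: {sorted(diff)}")
    return findings


if __name__ == "__main__":
    for finding in check_lag(SWITCH_CFG):
        print(finding)
```

On the constructed config it reports two findings, both on GigabitEthernet1/0/1: the LACP mode and the native VLAN 99 that the Port-channel does not carry; GigabitEthernet1/0/2 is clean. IOS normally refuses to bundle a port whose settings differ from the Port-channel, so the second finding also explains a member that silently stays out of the bundle.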

  • AP1121 can'T join WLC 2504

    Hi there,
    It's me again... same devices which are making trouble.
    I have an already configured WLC 2504 running in the network. Every LAP I add to the network joins the controller immediately.
    But not the AP1121G AP.
    It fails the handshake every time and the controller shows me a fail message in the statistics in the GUI.
    GUI Message:
    RADIUS authorization is pending for the AP
    CLI Debug:
    *spamApTask0: May 23 17:29:18.258: 00:11:20:6e:2b:14 Allocated index from main list, Index: 16
    *spamApTask0: May 23 17:29:18.259: 00:11:20:6e:2b:14 DTLS keys for Control Plane are plumbed successfully for AP 192.168.1.100. Index 17
    *spamApTask0: May 23 17:29:18.259: 00:11:20:6e:2b:14 DTLS Session established server (192.168.1.10:5246), client (192.168.1.100:1716)
    *spamApTask0: May 23 17:29:18.260: 00:11:20:6e:2b:14 Starting wait join timer for AP: 192.168.1.100:1716
    *spamApTask0: May 23 17:29:18.263: 00:11:20:6e:2b:14 Join Request from 192.168.1.100:1716
    *spamApTask0: May 23 17:29:18.264: 00:11:20:6e:2b:14 Deleting AP entry 192.168.1.100:1716 from temporary database.
    *spamApTask0: May 23 17:29:18.264: 00:11:20:6e:2b:14 AP with same name AP0011.206e.2b14 exist. Using default name AP0011.206e.2b14 for this AP.
    *spamApTask0: May 23 17:29:18.265: 00:11:20:6e:2b:14 In AAA state 'Idle' for AP 00:11:20:6e:2b:14
    *spamApTask0: May 23 17:29:18.266: 00:11:20:6e:2b:14 State machine handler: Failed to process  msg type = 3 state = 0 from 192.168.1.100:1716
    *spamApTask0: May 23 17:29:18.267: 00:11:20:6e:2b:14 Failed to parse CAPWAP packet from 192.168.1.100:1716
    *spamApTask0: May 23 17:29:18.267:
    *spamApTask0: May 23 17:29:18.267: 00:11:20:6e:2b:14 Finding DTLS connection to delete for AP (192.168.1.100/1716)
    *spamApTask0: May 23 17:29:18.268: 00:11:20:6e:2b:14 Disconnecting DTLS Capwap-Ctrl session 0x1458bd60 for AP (192.168.1.100/1716)
    *spamApTask0: May 23 17:29:18.268: 00:11:20:6e:2b:14 CAPWAP State: Dtls tear down
    *spamApTask0: May 23 17:29:18.268: 00:11:20:6e:2b:14 DTLS keys for Control Plane deleted successfully for AP 192.168.1.100
    *spamApTask0: May 23 17:29:18.270: 00:11:20:6e:2b:14 DTLS connection closed event receivedserver (172:16:58:250/5246) client (192.168.1.100/1716)
    *spamApTask0: May 23 17:29:18.270: 00:11:20:6e:2b:14 Entry exists for AP (192.168.1.100/1716)
    *spamApTask0: May 23 17:29:18.272: 00:11:20:6e:2b:14 No AP entry exist in temporary database for 192.168.1.100:1716
    *spamApTask0: May 23 17:29:18.272: 00:11:20:6e:2b:14 Discarding non-ClientHello Handshake OR DTLS encrypted packet from  192.168.1.100:1716)since DTLS session is not established
    *spamApTask0: May 23 17:29:18.277: 00:11:20:6e:2b:14 Received LWAPP JOIN REQUEST from AP 00:11:20:6e:2b:14 to 84:78:ac:b3:73:c0 on port '1'
    *spamApTask0: May 23 17:29:18.278: 00:11:20:6e:2b:14 incomingRadJoinPriority = 1

    Problem solved
    Hey guys, I solved the problem. It wasn't the firmware version. I downgraded the WLC and the problem still existed.
    Problem reason: The AP1121G series doesn't have a MIC (Manufacturer Installed Certificate) which is compatible with / accepted by the WLC 2504 and its parameters for the RADIUS server. Maybe it has no MIC, I don't know.
    So you need the SSC (Self Signed Certificate) for the join authentication.
    Solution:
    1. Log on to the GUI or CLI of the WLC.
    2. Enable "Accept Self Signed Certificate"
              GUI: Security > AP Policy
              CLI: (Cisco Controller) >config auth-list ap-policy ssc enable
    3. Look for the SSC hash of the AP:
              CLI: (Cisco Controller) >debug CAPWAP events enable
              There you'll find an event like this:
              Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: SSC Key Hash is 9e4ddd8dfcdd8458ba7b273fc37284b31a384eb9
    4. Add the AP manually to the controller
              GUI: Security > AP Policy > Add. There you have to set the right parameters: AP MAC, Cert. type "SSC" and the key hash.
              CLI: (Cisco Controller) >config auth-list add ssc 00:0e:84:32:04:f0 9e4ddd8dfcdd8458ba7b273fc37284b31a384eb9
    5. Maybe you should reboot the AP.
    And it's done
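The debug output earlier in this thread and the fix above are the two halves of one workflow: read the `spamApTask` lines to find which AP is failing and where in the join it fails, then pull the SSC key hash out of the `debug capwap events` output and turn it, together with the AP's MAC, into the `config auth-list add ssc` entry. The following is an added example, not code from the thread or from Cisco, that does both over constructed debug lines written in the same format as the ones posted here (the first AP's MAC and the hash are taken from the thread; the second AP and its lines are made up). It also validates the MAC and the 40-hex-character SHA-1 hash before emitting the command, so a truncated or mis-pasted hash is caught rather than silently authorising the wrong key.

```python
# Added example, not from the thread: parse WLC 'debug capwap events' output for APs that fail
# to join, extract the SSC key hash, and build the matching auth-list entry. Sample lines are
# constructed in the format of the debug output posted in the thread.
import re

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
EVENT = re.compile(r"^\*spamApTask\d+: (?P<ts>\w{3} +\d+ [\d:.]+): (?P<mac>" + MAC + r") (?P<msg>.+)$")
SSC_HASH = re.compile(r"SSC Key Hash is (?P<hash>[0-9a-f]{40})")
FAILURE_MARKERS = (
    "State machine handler: Failed to process",
    "Failed to parse CAPWAP packet",
    "CAPWAP State: Dtls tear down",
)

SAMPLE_DEBUG = """\
*spamApTask0: May 23 17:29:18.259: 00:11:20:6e:2b:14 DTLS Session established server (192.168.1.10:5246), client (192.168.1.100:1716)
*spamApTask0: May 23 17:29:18.263: 00:11:20:6e:2b:14 Join Request from 192.168.1.100:1716
*spamApTask0: May 23 17:29:18.265: 00:11:20:6e:2b:14 In AAA state 'Idle' for AP 00:11:20:6e:2b:14
*spamApTask0: May 23 17:29:18.266: 00:11:20:6e:2b:14 State machine handler: Failed to process  msg type = 3 state = 0 from 192.168.1.100:1716
*spamApTask0: May 23 17:29:18.267: 00:11:20:6e:2b:14 Failed to parse CAPWAP packet from 192.168.1.100:1716
*spamApTask0: May 23 17:29:18.267:
*spamApTask0: May 23 17:29:18.268: 00:11:20:6e:2b:14 CAPWAP State: Dtls tear down
*spamApTask3: May 23 17:30:02.101: 00:aa:bb:cc:dd:01 Join Request from 192.168.1.120:1700
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: SSC Key Hash is 9e4ddd8dfcdd8458ba7b273fc37284b31a384eb9
"""


def events_by_ap(lines):
    """Group the messages of spamApTask lines by the AP MAC that prefixes them."""
    by_ap = {}
    for line in lines:
        m = EVENT.match(line)
        if m:
            by_ap.setdefault(m["mac"], []).append(m["msg"])
    return by_ap


def join_outcome(msgs):
    """Classify one AP's join attempt from its messages, reporting the first failure seen."""
    failures = [m for m in msgs if any(marker in m for marker in FAILURE_MARKERS)]
    if failures:
        return "failed: " + failures[0]
    return "join-request-seen" if any("Join Request" in m for m in msgs) else "no-join-request"


def find_ssc_hash(lines):
    """Return the first SSC key hash printed by sshpmGetIssuerHandles, or None."""
    for line in lines:
        m = SSC_HASH.search(line)
        if m:
            return m["hash"]
    return None


def auth_list_command(mac, ssc_hash):
    """Build 'config auth-list add ssc <mac> <sha1-hash>' (syntax as used in the thread)."""
    if not re.fullmatch(MAC, mac):
        raise ValueError(f"not a lowercase colon-separated MAC address: {mac!r}")
    if not re.fullmatch(r"[0-9a-f]{40}", ssc_hash):
        raise ValueError("SSC key hash must be 40 hex characters (SHA-1)")
    return f"config auth-list add ssc {mac} {ssc_hash}"


def report(debug_text):
    """Map each AP MAC seen in the debug output to its join outcome."""
    return {mac: join_outcome(msgs) for mac, msgs in events_by_ap(debug_text.splitlines()).items()}


if __name__ == "__main__":
    for mac, outcome in report(SAMPLE_DEBUG).items():
        print(mac, outcome)
    print(auth_list_command("00:11:20:6e:2b:14", find_ssc_hash(SAMPLE_DEBUG.splitlines())))
```

Two practical notes: the auth-list is an allow-list keyed on the AP's MAC and key hash, so only pair a hash with the MAC it was observed for, and keep `debug capwap events` enabled only while capturing, since it is verbose enough to hide the one line you need.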
