WLC 4400 and LAP 1131 radio reset daily at 2 P.M.

Similar Messages

• WLC 4400 and multiple authentication servers e.g. RADIUS, ACS

  WLC 4400 and multiple authentication servers e.g. RADIUS, ACS
  Can the WCL 4400 be set up to use multiple RADIUS servers? The user accounts for accessing wireless would use a RADIUS server. The administrative accounts for the WLC would reside on an ACS server.

  Yes, that is correct. You can set acs to use both radius and tacacs.
  For this you need to add WLC twice in acs-->network configuration. But you need to keep host name different.
  eg 1) Host name WLC --->IP x.x.x.x -->Auth using -->radius
  2) Host name WLC1--->IP x.x.x.x --->Auth using -->Tacacs.
  You need to set up tacacs commands on WLC along with radius commands.
  Regards,
  ~JG
  Please rate helpful posts

• WLC 4400 and IDS attacks

  Hi,
  I have a WLC 4400 and a WCS 5.2. I'm receiving alarm about flood atacks and desauthentication attacks from a client. These alarms are detected by the IDS system. I'd like to know if there are any way to block this client.
  Thanks a lot.

  Thanks Sschmidt,
  I saw this solution. The problem it's that i must create an entry by any client. If there are any client that capture the wpa key and after chage his mac i couldn't block them. Is that correct? I don't know how easily it's capture authenticantion packets with a WLC.
  Thanks

• WLC 4400 and WLC 5500

  We have a site with a WLC 4400 and we would like to setup a Controller failover. The WLC 4400 is EOS/EOL and the replacement available is WLC 5508. Can someone advice me on how to configure these units in Primary /Secondary mode so that if any of the Controllers fail, the other one can take over?
  Thanks,

  Hi Akil,
  You are most welcome
  Yes, you can configure 4400's and 5500's in a redundant configuration, but both should be runningthe
  same code version. I believe the latest version that is compatible for both is 7.0.220.0. 
  this is the last version that supports the 4400 series.
  Here's a note that reflects the support;
  Note
  Controllers  do not have to be of the same model to be a member of a mobility group.  Mobility groups can be comprised of any combination of controller  platforms.
  http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mobil.html
  Cheers!
  Rob
  "Show a little faith, there's magic in the night" - Springsteen

• WLC 4400 and 5500 Fail-over

  Can we do the same thing with WCL 4400 and 5500 series for failover? We have 1 existing 4400 WLC and we wanted to purchase another 1 for fail-over as well as backup. But right now, 4400 is EOL already. The only option is to have the 5500 WLC.
  So if you do have previous set-up like this, so I would need your inputs.. Otherwise, same as usual, will gonna test to work this out.

  You can have both in a primary and backup, but make sure they are on the same code version. I'm assuming that you also have the configuration correct for the two wlc to communicate.
  I would put them both on the 7.0.220.0.
  Sent from Cisco Technical Support iPhone App

• WLC 4400 and IDS/IPS

  One of my clients is keen to know the IDS/IPS capabilities with WLC 4400. Any hints? Also can anyone explain IDS sensor to me? Thank you.

  There are a number of IDS capabilities that are highlighted regarding the WLC. Unfortunately, you will find that the product continues to suffer from ongoing false positives and a severe lack of documentation (and support) for the IDS.
  For example, if you utilize containment against a rogue AP (which is used to prevent users from attaching to the rogue), the system detects its own containment messages as a denial of service attack. The system is not intelligent enough to know that it is the source of these messages and ignore them.
  Initially, Cisco flagged these false positive as "cosmetic" and claimed that to fix them required a "feature request that must be run through the Cisco sales team" which we did in the spring of 07. Cisco has be VERY slow in coming around on getting these fixed (it has been well over a year since these have been documented and they are still not resolved in the current version of 4.2).
  The Wireless IDS system is also famous for other false alarms which Cisco TAC has linked to alarming on normal behavior when a client goes out of range and a string of deauthentication messages is sent to make sure that the conversation has ended. The WLC 4.2 continues to flag these as false-positive denial-of-service attacks even though the IDS parameters could be adjusted (from the factory) to account for the known 64 repeated deauths that are sent.
  The IDS file is capable of "tuning" but the parameters are very lightly documented. In fact, the IDS parameter file itself had the least sparse version of documentation and it is a text file only 200-lines long.
  In terms of determining if a rogue AP is on-wire. This functionality does not work reliably (not just if there is no path on the wired network to the controller which is understandable) but even if the rogue AP is on the same subnet as the controller. It just plain does not work.
  If you are attempting to determine if there are clients on the rogue AP, this mechanism works with limited success since the AP has to catch the client attaching during its brief scan interval. This results in misleading information.
  There are other false alarms that appear to be related to a specific chipset (using the OUI / first octet of the MAC address). However, there has been very little movement on Cisco's part in getting resolution to getting these anomalies addressed. The basic attitude has been "if we didn't see it in our lab in San Jose when we wrote the code, there's nothing we can do". Since the IDS lacks any ability to "phone home" (sending the alarms it is seeing to the development team) they end up having to develop in a relatively limited environment.
  For more information, please reference the following:
  Wireless LAN Controller IDS Signature Parameters
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008063e5d0.shtml
  I would send you the link to some of the bugs, such as CSCsj06015, CSCsh35010, CSCsk60655, etc. but the Cisco bug tool ( http://tools.cisco.com/Support/BugToolKit/ )is currently not working (no doubt the system is getting overworked). Maybe the site will be up when you read this.
  In the interest of fairness, there have been efforts over the past year by Cisco to address these false alarms and a number of them appear to finally be resolved.
  Bottom line: In my opinion, the wireless IDS is still not ready for prime time. To quote my customer, "I just can't trust it". Unless you set your customer's expectations fairly low, you will both end up disappointed.
  That said, the product itself still has many compelling reasons to implement it including ease of installation and management. If you are willing to wade through the various bugs in the IDS and WCS it still is the best game in town.
  - John

• Preventive maintenance WLC 4400 and 5500?

  Hi good morning,
  i asking for help in order to make a preventive maintenance for WLC 4000 and 5500.
  the main problem is: can i open the WLC´s and clean all the circuits they have inside? or must i only cleaning out the WLC?
  And i would like to know if there are documentation about this topic.
  thanks.

  thanks
  I thought of opening the WLC, and use compressed air to remove dust only.
  but like you mention would be better not open it.
  Greetings

• WLC 4400 and supported APs

  Hello.
  Does anyone know which indoor APs are still sold by Cisco and supported by a 4400 WLC? From my research I only found 3500.
  Thanks in advance,
  João.

  The complete list of APs which can be supported on the 4400 can be found here.

• Low Bandwith, WLC 5508 and LAP 1142N, please help !

  Hello Everyone
  For the Environment:
  - I have a WLC 5508 With a license up to 100 AP, at the Point there are 39 AP connected.
  - The WLC is connected with 8x 1Gbit/s, as a Trunk ==> 2 Members of 3750 Switches Stack ( 4gig and 4 gig)
  - The AP are connected to diferent 2960s with an Uplink ( 3 Gbit/s)  to the 3750 Switches
  - There are max. 12 AP on each 2960s
  - The AP are powered over Ethernet
  The AP:
  - it runs a/b/g/n and on 2,4 Ghz i schould have 300 mbit/s as for the 5 Ghz it schould also run 300mbit /s
  - the Ap has an uplink of 1 Gbit/s
  The clients:
  - have a intel Wifi link 5300 AGN Card
  To the Problem:
  - if i connect to one AP, and the Signal strength is High, i get an upload rate of max. 6-8Mbyte/s.
    and i am the only Person uploading.
    if i upload from 3 clients the same data from the same spot to the same target i get 2-3 Mbyte/s per client.
    if connect to the same target and run over ethernet cable fom the same spot, i get an upload of 70 -85 Mbyte/s.
  Question:
  - Why am i having these Bandwith problems ??

  Thanks Scott,
  I understand what you are mentioning, and i really didnt do it yet.
  I realize that the primary controller was not configured on the
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:10.0pt;
  font-family:"Times New Roman","serif";}
  Wireless –> All APs –> High Availability tab, and did it only to the AP that is taking this beahviour.
  Is this mandatory for a 1 controller only ?
  No mather what the manual say, after that the AP is rebooting 2 mins in 2 mins... with the same kind of messages.
  The interface on the switch is getting a few input errors and the same numbers of crc... but are so few...
  Next step ... i will change it to another one's place/pathing cable.
  Regarding the Radius messages... any ideas ?
  I'm already on 30 sec's of server timeout.
  Best Regards,
  Bruno Petrónio

• WLC 4400 and RADIUS accounting

  Have trawled what docs there are and cant find out if the RADIUS accounting messages from the 4400 include the name of the lightweight AP handling the user session.
  I'm guessing there might be a new Cisco VSA for it.
  Anyone know?
  Thanks

  The error message could be because of any unused protocol.

• WLC 4400 and user authentication

  I would like to know if it's possible to configure/use WLC4400 to authenticate user from LDAP database. Currently I have LDAP server with VPN 3020 box to control user access for WLAN. Is there any way that I could set up 4400 box with my existing LDAP server without using VPN 3020?
  Thanks in advance.

  You'll need a radius middle man. ACS will do it natively.

• WLC 4400 Not authetnicating between GUEST and Private networks

  Hello,
  I have a problem. I have a WLC 4400 and the problem i´m encountering is that when a user authetnicates to the private network, and then tryies to autheticate to the Guest network, it just stays there, it doens't do anything. Same way around, if you authenticate tothe Guest network, and change to the private network, it just sits there. I pointing that the problem is with Authentication, but not sure if i´m correct.
  Can anyone help me?? what ifnormation will i need to retreive from the WLC to see where the problem lies??
  I will get the debug mac addr <client-MAC-address           xx:xx:xx:xx:xx:xx> and repeat the issue in order to see if i get anything from the client.
  Thanks for the help
  Tony

  Thanks for the help.
  Actually the problem was that the WLC had a wrong time and also we had on our DHCP a 24 hour lease, so we were running low on IP´s.
  Change the lease for 8 hours and set the time correctly and the issue got solved.
  Thanks.

• WLC 4400 question

  Hi
  The scenario is as follows:
  We deployed a WLAN with a WLC 4400 and several LWAPs. The main configuration include 2 SSID, one for guest access (internet and a limited access to internal resources) and one with complete access to the internal resources. For the "guest" SSID the access control is done trough an ACL placed in the core cat 6500 switch. This ACL blocks the access from "guests" to several subnets including the subnet where the WLC resides.
  No one "guest" WLAN user can ping or access any host located in the subnet where the WLC is configured, but they can ping and access the WLC via https!!!
  The goal is to block the acces to "guest" users to the WLC. And let the WLAN users with complet access to manage wirelessly the WLC.
  Can this be done?
  I know that the wireless administration can be enabled or disabled but it applies to all the WLAN users no just the "guest" users.
  Any idea or suggestion is quite welcome
  Roger

  Hi Roger,
  You can configure CPU ACL if you are running 4.0 release on your controller. In CPU ACL you can deny telnet as well as HTTP access from client subnet to the management ip address of the controller which will block the access of guest user to access the controller via web or cli and also you can block the icmp traffic from guest user subnet to the controller ip address.
  You can configure acl from cli or web but to apply that acl to cpu you an do it via cli only.
  HTH
  Ankur
  *Pls rate all helpfull post

• WLC 4400

  Hi,
  Can anyone tell the detail proceture/doc to remove software version 6 from a WLC 4400 and install a lower version of 5.1?
  Thank you!

  Sorry for the late response.
  Actually I found the version 5.1 software is still on the controller as backup, so I just made this one as ACTIVE.
  The reason I changed it back is the web-autnetication against Radius didn't work - didn't accept usename/pwd. After comparing the log on radius, the only difference is that version 6 sent NAS-Port-Type: Wireless - IEEE 802.11 to radius but version 5 don't. Any idea?
  Thanks!

• WLC 4400 (SW ver: 7.0.235.3) and 1242 AP connectivity issue

  Hi ALL..,
  I got the problem with WLC and APs, APs cannot get IP and can't connect to WLC, it show folloing error,
  *Oct 24 14:45:27.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.2.11 peer_port: 5246
  *Oct 24 14:45:28.000: %CAPWAP-5-CHANGED: CAPWAP changed state to 
  *Oct 24 14:45:29.419: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.2.11 peer_port: 5246
  *Oct 24 14:45:29.420: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.2.11
  *Oct 24 14:45:29.420: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
  *Oct 24 14:45:29.595: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
  *Oct 24 14:45:29.602: %DTLS-5-ALERT: Received WARNING : Close notify alert from 192.168.2.11
  *Oct 24 14:45:29.602: %DTLS-5-PEER_DISCONNECT: Peer 192.168.2.11 has closed connection.
  *Oct 24 14:45:29.602: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.2.11:5246
  *Oct 24 14:45:29.661: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
  *Oct 24 14:45:29.661: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
  *Oct 24 14:45:29.756:  status of voice_diag_test from WLC is false
  My Management Int IP : 192.168.2.50
  AP Mangement interface :192.168.2.11
  DHCP server Pri : 192.168.2.12 Sec 192.168.2.13
  There are reachability betweent SW and WLC. Do you have any idea about my issue?
  Thanks and Regards
  CSCO11872447

  It seems your LAP AP is not getting the iP of the management subnet and LAP is in different subnet than your management IP.
  Please try keeping the static IP on the LAP and then try joining it to the controller first and later on keep it on the DHCP.
  when AP is plugged into a switch, the switch port needs to be access with the right VLAN allowed