WLC 4400 and multiple authentication servers e.g. RADIUS, ACS

Can the WLC 4400 be set up to use multiple RADIUS servers? The user accounts for accessing wireless would use a RADIUS server. The administrative accounts for the WLC would reside on an ACS server.

Yes, that is correct. You can set ACS to use both RADIUS and TACACS+.
For this you need to add the WLC twice in ACS --> Network Configuration, but you need to keep the host names different, e.g.:
1) Host name WLC ---> IP x.x.x.x --> Authenticate using --> RADIUS
2) Host name WLC1 ---> IP x.x.x.x ---> Authenticate using --> TACACS+
You need to set up the TACACS+ commands on the WLC along with the RADIUS commands.
Regards,
~JG
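As an added example that is not part of JG's reply, this is the WLC-side half of the setup on the controller CLI: one RADIUS server for the WLAN's 802.1X users and one TACACS+ server (the ACS box) for management logins, with the local database as fallback. The addresses, server indexes, WLAN ID and shared secrets are placeholders. The ACS side (two network-device entries for the same IP with different host names, one RADIUS and one TACACS+, and a TACACS+ shell profile that returns the custom attribute role1=ALL for full admins) is done in the ACS GUI as described above. Give the two ACS entries different shared secrets; the RADIUS secret is exposed to the wireless 802.1X path and should not also protect the management channel.

```cisco
! --- RADIUS: wireless user authentication and accounting ---
! server index 1, UDP/1812 and UDP/1813, ASCII shared secret (placeholder value)
config radius auth add 1 192.0.2.10 1812 ascii RadiusSecret1
config radius auth enable 1
config radius acct add 1 192.0.2.10 1813 ascii RadiusSecret1
config radius acct enable 1

! Bind that server to the WLAN (WLAN ID 1 assumed); a WLAN must be disabled to edit it
config wlan disable 1
config wlan radius_server auth add 1 1
config wlan radius_server acct add 1 1
config wlan enable 1

! --- TACACS+: WLC management (GUI / SSH / console) authentication, authorization, accounting ---
! the ACS host on TCP/49, with a different shared secret than the RADIUS entry
config tacacs auth add 1 192.0.2.20 49 ascii TacacsSecret1
config tacacs auth enable 1
config tacacs athr add 1 192.0.2.20 49 ascii TacacsSecret1
config tacacs athr enable 1
config tacacs acct add 1 192.0.2.20 49 ascii TacacsSecret1
config tacacs acct enable 1

! Management login order: TACACS+ first, local database second. The local entry is there
! so you can still log in when the ACS server is unreachable; keep at least one strong
! local admin account for exactly that case.
config aaa auth mgmt tacacs local

! Verify
show radius summary
show tacacs summary
show aaa auth
```

Test the TACACS+ path from a second session before you close the one you configured it from: log in with an ACS user and confirm in `show tacacs summary` (and the ACS accounting log) that the request went to the server, then log in with a user ACS denies and confirm the controller rejects it rather than silently falling through to the local database.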

Similar Messages

  • WLC 5508 and Multiple DHCP servers in different sites?

    Hi
    I work for a health authority in our region and we just purchased a Cisco WLC 5508 controller along with 25 3500 APs. We have multiple sites with different IP subnets in each, all connected by frame relay (owned by the ISP). Each site has its own DHCP server. I have the controller in our main site. So when I take an AP to a remote site, the AP gets a DHCP address from the local DHCP server (which is great), contacts the controller and joins it. Everything is good. BUT, when a client joins at the remote site, it gets an address from a previous site, which will not work because the client is now on a different subnet. We don't use VLANs as they don't traverse the frame relay. I need those clients to obtain DHCP from the local DHCP server at the site they are on. Is that possible??
    I have updated the controller to latest version as well.
    Thanks
    Bryan Yaciuk, CCNA
    Parkland Regional Health Authority

    We call this HREAP LOCAL SWITCHING!! But here is the catch: every time the AP joins a new site, we need to configure the VLAN mapping, and this will do it for you!! Here is the link which will resolve your issue:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807cc3b8.shtml#ll
    Let me know if this answered your question, and please don't forget to rate the useful posts!!
    Regards
    Surendra
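As an added example that is not part of Surendra's reply, here is the CLI form of the configuration the linked document describes, with placeholder names (WLAN ID 2, AP name AP-Branch-01, VLANs 10 and 20). With local switching the client's DHCP exchange leaves the AP's own Ethernet port at the branch and is answered by the branch DHCP server, which is the behaviour Bryan asks for. If the AP sits on an access port (no VLANs, as in the question), locally switched client traffic goes untagged onto the AP's own subnet and the three VLAN mapping lines are not needed; they apply when the AP is on a trunk, and they are the per-AP step Surendra says has to be repeated each time an AP is moved.

```cisco
! Make the WLAN eligible for local switching (a WLAN must be disabled to edit it)
config wlan disable 2
config wlan h-reap local-switching enable 2
config wlan enable 2

! Put the branch AP into H-REAP mode (the AP reboots and rejoins the controller)
config ap mode h-reap AP-Branch-01

! Only when the AP's switch port is a trunk: enable VLAN support on the AP,
! set the native VLAN the AP itself lives on, and map the locally switched WLAN
! to the branch client VLAN. Repeat for every AP you move to another site.
config ap h-reap vlan enable AP-Branch-01
config ap h-reap vlan native 10 AP-Branch-01
config ap h-reap vlan wlan 2 20 AP-Branch-01

! Verify the AP mode, the VLAN mapping and the WLAN's local-switching flag
show ap config general AP-Branch-01
show wlan 2
```

Keep in mind what local switching changes from a security point of view: the client traffic no longer comes back through the controller, so any ACLs, DHCP proxy behaviour or traffic inspection applied at the controller no longer sees it, and the branch switch port now carries client traffic directly.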

  • WLC 4400 and user authentication

    I would like to know if it's possible to configure/use the WLC4400 to authenticate users from an LDAP database. Currently I have an LDAP server with a VPN 3020 box to control user access for WLAN. Is there any way that I could set up the 4400 box with my existing LDAP server without using the VPN 3020?
    Thanks in advance.

    You'll need a radius middle man. ACS will do it natively.

  • WLC 4400 and IDS attacks

    Hi,
    I have a WLC 4400 and a WCS 5.2. I'm receiving alarms about flood attacks and deauthentication attacks from a client. These alarms are detected by the IDS system. I'd like to know if there is any way to block this client.
    Thanks a lot.

    Thanks Sschmidt,
    I saw this solution. The problem is that I must create an entry for every client. If there is a client that captures the WPA key and then changes his MAC, I couldn't block them. Is that correct? I don't know how easy it is to capture authentication packets with a WLC.
    Thanks

  • WLC 4400 and WLC 5500

    We have a site with a WLC 4400 and we would like to set up controller failover. The WLC 4400 is EOS/EOL and the replacement available is the WLC 5508. Can someone advise me on how to configure these units in Primary/Secondary mode so that if either controller fails, the other one can take over?
    Thanks,

    Hi Akil,
    You are most welcome
    Yes, you can configure 4400's and 5500's in a redundant configuration, but both should be running the same code version. I believe the latest version that is compatible for both is 7.0.220.0; this is the last version that supports the 4400 series.
    Here's a note that reflects the support;
    Note
    Controllers do not have to be of the same model to be a member of a mobility group. Mobility groups can be comprised of any combination of controller platforms.
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mobil.html
    Cheers!
    Rob
    "Show a little faith, there's magic in the night" - Springsteen
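As an added example that is not from Rob's post, this is the primary/secondary setup he describes, with placeholder controller names, MAC addresses and management IPs. Both controllers are put in the same mobility group with each other as a member, and each AP is told which controller to join first and which to fall back to. The MAC in each member entry is the other controller's management-interface MAC (from its `show sysinfo`), both controllers need the same virtual interface address, and UDP 16666 plus IP protocol 97 (EoIP) must be allowed between the two management interfaces.

```cisco
! --- on WLC-4400 (management 192.0.2.1) ---
config mobility group domain CAMPUS
! the 5508's management MAC and IP (placeholders)
config mobility group member add 00:1a:2b:3c:4d:5f 192.0.2.2

! --- on WLC-5508 (management 192.0.2.2) ---
config mobility group domain CAMPUS
! the 4400's management MAC and IP (placeholders)
config mobility group member add 00:1a:2b:3c:4d:5e 192.0.2.1

! --- per AP, on the controller it is currently joined to ---
! controller names must match each box's system name exactly
config ap primary-base WLC-4400 AP-Floor1-01 192.0.2.1
config ap secondary-base WLC-5508 AP-Floor1-01 192.0.2.2

! Verify: the other member should show as Up in the mobility summary,
! and the AP's primary/secondary controllers appear in its general config
show mobility summary
show ap config general AP-Floor1-01
```

Before relying on it, fail the primary deliberately (disconnect its management link) and watch the AP rejoin the secondary; then restore the primary and confirm the AP falls back, since the whole point is that the WLAN, AAA and interface configuration on the 5508 matches the 4400 closely enough that clients do not notice the move.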

  • WLC Controllers with Multiple DHCP Servers

    Hello All,
    I have a central office with (2) 4402 WLCs and about 25 branch offices throughout the country. Currently all APs have static IPs from the local branch office subnets. However, the clients all pull their IPs from a central DHCP server here at corporate.
    What I would like to do is have clients get local branch office IPs from the AP located at that site, rather than using a central DHCP server here at corporate with a single subnet for all wireless clients. Clients would be assigned local IPs, preferably by local DHCP servers. I am having trouble finding an answer to this problem within the documentation. Any help or ideas would be appreciated.

    We're not using any RADIUS-type authentication. But I am still a bit hazy on how the H-REAP thing works. I did read the link and it is very helpful, but I was kind of thrown into this one without much wireless background. Right now when I change an AP to H-REAP it somehow disables the 'a' radio. I can't seem to get that working again, which I'm not all that sure is even that big of a deal. The SSID is configured for local switching and central auth.

  • Mail Adapter - Multiple mail ID and multiple mail servers config.

    Hi All
    I am doing a BPM sync scenario in which I get the response from the SAP box and send the response via the mail adapter. I am using mail.xsd and doing the mail config in message mapping. However, in the TO field I am able to give only one email ID. If I give multiple email IDs the mail is not received. I tried comma and semicolon as separators. Still not working. I have two questions about configuring the TO option:
    1) How to send to multiple IDs? I am using Lotus Notes.
    2) How to send to multiple mail servers? I have to send to Lotus Notes IDs and Outlook Express IDs simultaneously.
    Thanks for your help in advance
    Warm Regards
    Samuel

    Hi,
    Please find here with some observations about it,
    1) How to send to multiple id's? I am using Lotus Notes.
    If you have specified an IMAP server under URL, the message is saved in the specified folder but is not sent to the receiver specified under To.
    Then, even if under To you had specified the e-mail addresses that will receive the message separated by a semicolon, it will not work.
    Please verify about it .
    The below link will also help you to verify if there is anything missing
    Mail Adapter (XI) - how to implement dynamic mail address
    /people/michal.krawczyk2/blog/2005/03/07/mail-adapter-xi--how-to-implement-dynamic-mail-address
    BPM:Single Sender and Multiple Receivers based on synchronous
    exchange(switch) part-1
    /people/prasadbabu.nemalikanti3/blog/2006/03/10/bpmsingle-sender-and-multiple-receivers-based-on-synchronous-exchangeswitch-part-1
    Generic Message Interface in SAP Exchange Infrastructure Email Integration Scenarios
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/00d5a235-4803-2a10-f682-889d67c69975
    (If your using Alert Framework then)
    If you want to send it to multiple email addresses and all email addresses are users of XI, then you can define a "Role", attach that role to every user and make this role the recipient of the alert.
    Thanks
    Swarup

  • 7.10 installation server, load balancing and multiple installation servers

    Hi
    In the 7.10 GUI installation server, there is no Load Balancing option anymore; also there seems to be no option to easily clone the installation server from within the nwsapsetupadmin.exe program.
    If having MANY users at one location, and needing more than one installation server to accommodate the frontend installations, do you need to do this "manually" now? Grouping users and having the logon script direct different user groups to different SAP GUI installation servers?
    What about creating multiple installation servers easily: is it possible to simply copy the installation server directory (c:\sapinst f.ex.) to another file server, share the directory and configure the DS and IS services (if needed)?
    Will configured packages and "on end install" scripts and such be copied too to the new installation server?
    I need to easily create installation servers in 15 countries; this is the reason for my question...

    Hi Kim Sonny,
    hope you're doing fine
    Regarding your question:
    The "Load Balancing" was more of a fail-over service and wasn't intended to be used for several locations like in your case.
    So the easiest way to do this is to set up one installation server and copy the files to the other servers. On the new installation servers you only have to set up the service again and that's it.
    Cheers,
    Martin

  • Top Essentials Cache and Multiple Application Servers

    Hello,
    I'm developing a new servlets/services application in Java using tomcat and playing around with toplink essentials. Is it possible, when using multiple servers, to expire cached objects? Eg I update user account info on server 1, but 2 and 3 still have old data. The documentation and blogs I have read seem to indicate you either have to force a refresh of the object or set up readAllQueries to go direct to the db (which rather defeats the purpose of having a cache?) - for fresh data. Though I agree there are some places where up to the moment data is not always required, building a system to scale with expiry caching across multiple app servers seems like something toplink essentials SHOULD be able to do.
    Also, is there any work on when the new rev of Toplink Essentials would be out? I see posts about the 11G preview but that's regular toplink.
    Thanks in advance!

    There are several caching options in TopLink Essentials to handle stale data.
    Some of the settings are available through properties in the persistence.xml, but for most you will need to use a DescriptorCustomizer or SessionCustomizer and use the API of ClassDescriptor (refer to JavaDocs for additional info).
    Caching options include:
    - Cache Type: (weak, hard, soft, none); a weak cache will decrease stale data.
    - Isolated (shared): You can set the descriptor to be isolated or cache not shared to avoid caching the class.
    - Refresh: You can enable refreshing at the class or query level.
    A ClassDescriptor does have an invalidation policy, but the policies for invalidating based on a time-to-live or time-of-day were not ported from TopLink to TopLink Essentials; however, you could write your own pretty easily.
    If you upgrade to using TopLink 11g (preview), which you can download and use under the Oracle OTN license, then you have support for using cache invalidation and cache coordination. This functionality is also available in the Eclipse EclipseLink project currently in incubation.
    ---
    James Sutherland

  • WLC 4400 and 5500 Fail-over

    Can we do the same thing with the WLC 4400 and 5500 series for failover? We have 1 existing 4400 WLC and we wanted to purchase another one for fail-over as well as backup. But right now the 4400 is EOL already. The only option is to have the 5500 WLC.
    So if you do have a previous set-up like this, I would need your inputs. Otherwise, as usual, I will test to work this out.

    You can have both in a primary and backup, but make sure they are on the same code version. I'm assuming that you also have the configuration correct for the two wlc to communicate.
    I would put them both on the 7.0.220.0.

  • NetBoot and Multiple DHCP Servers

    Hey everyone,
    We have a NetBoot machine running here at my school (where I work). It was working like a champ until a couple of weeks ago when our network got upgraded and there are now 2 DHCP servers on our network. That, for some reason, is totally screwing up our NetBooting process.
    Here's what I think is happening, and maybe someone can tell me if I right or wrong. NetBoot (or BSDP protocol) is a "broadcast" protocol. (That means it's always just floating around out there on the network. ) NetBoot (BSDP) protocol gets injected into the DHCP stream, and any machine that gets DHCP can get BSDP, and essentially NetBoot.
    The problem is with BSDP. BSDP protocol wants to have all of its "broadcasts" come from the same server. So when we had 1 DHCP server, everything was fine, because client machines would get their whole NetBoot process from one machine... all of the BSDP broadcasts were coming from our 1 DHCP server.
    Now, we have 2 DHCP servers. What happens is, a client will get some of its BSDP broadcasts from one DHCP server, and some from another... which it does not like at all.
    I recently read somewhere that it is possible to somehow make one of our DHCP servers the "authoritative" server, to which all of the clients will go to get their NetBooting info.
    Does this sound in any way right? Are we on the right track ? Has anyone seen this before? Any help would be greatly appreciated. Thanks a million.
    Mike

    "Now, we have 2 DHCP servers. What happens is, a client will get some of its BSDP broadcasts from one DHCP server, and some from another... which it does not like at all."
    Not unless your new DHCP server is also a NetBoot server and is set to provide NetBoot services. BSDP and DHCP are not the same thing. If what you were saying were true, it wouldn't be possible to have DHCP and NetBoot offered by different servers.
    It IS possible, however, that the two DHCP servers are causing problems by both servicing DHCP requests for the same clients. If you've got multiple DHCP servers on the same subnet (or your router's configured to pass DHCP requests between subnets), you should make sure that only one of the DHCP servers answers requests from any given client. In our world, our Novell server is the default DHCP server on our subnet, but I keep a list of excluded MAC addresses on that server so that my Macintosh clients don't get addresses from it. On the Mac OS X server, I'm careful to limit my address ranges only to those machines which have static address maps in NetInfo. That way, our servers coexist, but they don't overlap.
    It's not clear from your message whether your previously solitary DHCP server was your Mac OS X server, or whether one of the two DHCP servers is that box. But whatever the servers are, it might be helpful to turn off one of them to see if the same problem occurs (assuming you can, without major network disruptions). If that's not possible, can you talk to your network admins to see if there's some way to isolate your clients and one of the servers--in other words, see if there's some way to keep DHCP servers from responding to the same requests.
    There may be any number of other reasons why this problem has cropped up. You may need to dust off a hub and a copy of Ethereal or EtherPeek to sniff what's happening on the network. You might also try NetBooting in verbose mode, to see where the process craps out. IIRC, there's a decent guide for this kind of troubleshooting over at Bombich's site (www.bombich.com).
    Good luck.
    David Walton

  • WLC 4400 and IDS/IPS

    One of my clients is keen to know the IDS/IPS capabilities with WLC 4400. Any hints? Also can anyone explain IDS sensor to me? Thank you.

    There are a number of IDS capabilities that are highlighted regarding the WLC. Unfortunately, you will find that the product continues to suffer from ongoing false positives and a severe lack of documentation (and support) for the IDS.
    For example, if you utilize containment against a rogue AP (which is used to prevent users from attaching to the rogue), the system detects its own containment messages as a denial of service attack. The system is not intelligent enough to know that it is the source of these messages and ignore them.
    Initially, Cisco flagged these false positives as "cosmetic" and claimed that to fix them required a "feature request that must be run through the Cisco sales team", which we did in the spring of 07. Cisco has been VERY slow in coming around on getting these fixed (it has been well over a year since these have been documented and they are still not resolved in the current version of 4.2).
    The Wireless IDS system is also famous for other false alarms which Cisco TAC has linked to alarming on normal behavior when a client goes out of range and a string of deauthentication messages is sent to make sure that the conversation has ended. The WLC 4.2 continues to flag these as false-positive denial-of-service attacks even though the IDS parameters could be adjusted (from the factory) to account for the known 64 repeated deauths that are sent.
    The IDS file is capable of "tuning" but the parameters are very lightly documented. In fact, the IDS parameter file itself had the least sparse version of documentation and it is a text file only 200-lines long.
    In terms of determining if a rogue AP is on-wire. This functionality does not work reliably (not just if there is no path on the wired network to the controller which is understandable) but even if the rogue AP is on the same subnet as the controller. It just plain does not work.
    If you are attempting to determine if there are clients on the rogue AP, this mechanism works with limited success since the AP has to catch the client attaching during its brief scan interval. This results in misleading information.
    There are other false alarms that appear to be related to a specific chipset (using the OUI / first octet of the MAC address). However, there has been very little movement on Cisco's part in getting resolution to getting these anomalies addressed. The basic attitude has been "if we didn't see it in our lab in San Jose when we wrote the code, there's nothing we can do". Since the IDS lacks any ability to "phone home" (sending the alarms it is seeing to the development team) they end up having to develop in a relatively limited environment.
    For more information, please reference the following:
    Wireless LAN Controller IDS Signature Parameters
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008063e5d0.shtml
    I would send you the link to some of the bugs, such as CSCsj06015, CSCsh35010, CSCsk60655, etc. but the Cisco bug tool ( http://tools.cisco.com/Support/BugToolKit/ )is currently not working (no doubt the system is getting overworked). Maybe the site will be up when you read this.
    In the interest of fairness, there have been efforts over the past year by Cisco to address these false alarms and a number of them appear to finally be resolved.
    Bottom line: In my opinion, the wireless IDS is still not ready for prime time. To quote my customer, "I just can't trust it". Unless you set your customer's expectations fairly low, you will both end up disappointed.
    That said, the product itself still has many compelling reasons to implement it including ease of installation and management. If you are willing to wade through the various bugs in the IDS and WCS it still is the best game in town.
    - John

  • WLC 4400 and RADIUS accounting

    Have trawled what docs there are and can't find out if the RADIUS accounting messages from the 4400 include the name of the lightweight AP handling the user session.
    I'm guessing there might be a new Cisco VSA for it.
    Anyone know?
    Thanks

    The error message could be because of any unused protocol.

  • Preventive maintenance WLC 4400 and 5500?

    Hi good morning,
    I am asking for help in order to do preventive maintenance for the WLC 4000 and 5500.
    The main problem is: can I open the WLCs and clean all the circuits they have inside, or must I only clean the outside of the WLC?
    And i would like to know if there are documentation about this topic.
    thanks.

    thanks
    I thought of opening the WLC and using compressed air to remove dust only.
    But as you mention, it would be better not to open it.
    Greetings

  • Scheduling,Email Setup in cluster environment and multiple job servers

    Hello All,
    I have to schedule and email instances of Crystal Reports to users in PDF and Excel format. A clustered environment of Business Objects 3.1 SP3 has been set up on 2 servers. Two instances of the Crystal Reports Job Server have been created.
    My question is: if there are multiple instances of job servers, do we have to configure mail settings on both instances of the job server or not?
    And secondly, in a cluster environment, should the email settings and scheduling of the reports be set up on both CMS servers (CMS server 1 and CMS server 2), or should CMS server 1 be enough?
    Thanks in advance.

    You have a couple of options here.
    1.  You can either set up email on all of the job servers on both CMS' in the cluster.  This is actually the easiest to manage.
    2.  You can set up email on some of the job servers on one or the other CMS.  However, at this point you would also have to set up a server group that contains the job servers that are set up for email, plus the RAS server - you might also have to include the Crystal Cache server and the Crystal Processing server.  Then ALL of the reports that are sent via email would have to be scheduled run ONLY on the server group that contains the email-enabled job server(s).
    -Dell
