WLC 4400 and RADIUS accounting

Similar Messages

• WLC 4400 and multiple authentication servers e.g. RADIUS, ACS

  WLC 4400 and multiple authentication servers e.g. RADIUS, ACS
  Can the WCL 4400 be set up to use multiple RADIUS servers? The user accounts for accessing wireless would use a RADIUS server. The administrative accounts for the WLC would reside on an ACS server.

  Yes, that is correct. You can set acs to use both radius and tacacs.
  For this you need to add WLC twice in acs-->network configuration. But you need to keep host name different.
  eg 1) Host name WLC --->IP x.x.x.x -->Auth using -->radius
  2) Host name WLC1--->IP x.x.x.x --->Auth using -->Tacacs.
  You need to set up tacacs commands on WLC along with radius commands.
  Regards,
  ~JG
  Please rate helpful posts

• WLC 4400 and IDS attacks

  Hi,
  I have a WLC 4400 and a WCS 5.2. I'm receiving alarm about flood atacks and desauthentication attacks from a client. These alarms are detected by the IDS system. I'd like to know if there are any way to block this client.
  Thanks a lot.

  Thanks Sschmidt,
  I saw this solution. The problem it's that i must create an entry by any client. If there are any client that capture the wpa key and after chage his mac i couldn't block them. Is that correct? I don't know how easily it's capture authenticantion packets with a WLC.
  Thanks

• WLC 4400 and WLC 5500

  We have a site with a WLC 4400 and we would like to setup a Controller failover. The WLC 4400 is EOS/EOL and the replacement available is WLC 5508. Can someone advice me on how to configure these units in Primary /Secondary mode so that if any of the Controllers fail, the other one can take over?
  Thanks,

  Hi Akil,
  You are most welcome
  Yes, you can configure 4400's and 5500's in a redundant configuration, but both should be runningthe
  same code version. I believe the latest version that is compatible for both is 7.0.220.0. 
  this is the last version that supports the 4400 series.
  Here's a note that reflects the support;
  Note
  Controllers  do not have to be of the same model to be a member of a mobility group.  Mobility groups can be comprised of any combination of controller  platforms.
  http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mobil.html
  Cheers!
  Rob
  "Show a little faith, there's magic in the night" - Springsteen

• WLC 4400 and IDS/IPS

  One of my clients is keen to know the IDS/IPS capabilities with WLC 4400. Any hints? Also can anyone explain IDS sensor to me? Thank you.

  There are a number of IDS capabilities that are highlighted regarding the WLC. Unfortunately, you will find that the product continues to suffer from ongoing false positives and a severe lack of documentation (and support) for the IDS.
  For example, if you utilize containment against a rogue AP (which is used to prevent users from attaching to the rogue), the system detects its own containment messages as a denial of service attack. The system is not intelligent enough to know that it is the source of these messages and ignore them.
  Initially, Cisco flagged these false positive as "cosmetic" and claimed that to fix them required a "feature request that must be run through the Cisco sales team" which we did in the spring of 07. Cisco has be VERY slow in coming around on getting these fixed (it has been well over a year since these have been documented and they are still not resolved in the current version of 4.2).
  The Wireless IDS system is also famous for other false alarms which Cisco TAC has linked to alarming on normal behavior when a client goes out of range and a string of deauthentication messages is sent to make sure that the conversation has ended. The WLC 4.2 continues to flag these as false-positive denial-of-service attacks even though the IDS parameters could be adjusted (from the factory) to account for the known 64 repeated deauths that are sent.
  The IDS file is capable of "tuning" but the parameters are very lightly documented. In fact, the IDS parameter file itself had the least sparse version of documentation and it is a text file only 200-lines long.
  In terms of determining if a rogue AP is on-wire. This functionality does not work reliably (not just if there is no path on the wired network to the controller which is understandable) but even if the rogue AP is on the same subnet as the controller. It just plain does not work.
  If you are attempting to determine if there are clients on the rogue AP, this mechanism works with limited success since the AP has to catch the client attaching during its brief scan interval. This results in misleading information.
  There are other false alarms that appear to be related to a specific chipset (using the OUI / first octet of the MAC address). However, there has been very little movement on Cisco's part in getting resolution to getting these anomalies addressed. The basic attitude has been "if we didn't see it in our lab in San Jose when we wrote the code, there's nothing we can do". Since the IDS lacks any ability to "phone home" (sending the alarms it is seeing to the development team) they end up having to develop in a relatively limited environment.
  For more information, please reference the following:
  Wireless LAN Controller IDS Signature Parameters
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008063e5d0.shtml
  I would send you the link to some of the bugs, such as CSCsj06015, CSCsh35010, CSCsk60655, etc. but the Cisco bug tool ( http://tools.cisco.com/Support/BugToolKit/ )is currently not working (no doubt the system is getting overworked). Maybe the site will be up when you read this.
  In the interest of fairness, there have been efforts over the past year by Cisco to address these false alarms and a number of them appear to finally be resolved.
  Bottom line: In my opinion, the wireless IDS is still not ready for prime time. To quote my customer, "I just can't trust it". Unless you set your customer's expectations fairly low, you will both end up disappointed.
  That said, the product itself still has many compelling reasons to implement it including ease of installation and management. If you are willing to wade through the various bugs in the IDS and WCS it still is the best game in town.
  - John

• TACACS auth and RADIUS accounting with ACS

  I am having RADIUS accounting issues with an ASA 5520 that uses TACACS for authentication. Both are hosted on the same ACS server. I can send RADIUS info to my Microsoft IAS box but get Syslog ID 113022 errors when trying to send to the ACS RADIUS. A packet capture shows the RADIUS accounting request getting to the ACS box (Windows Server 2003 R2) but syslog shows failedauth. Any ideas?

  Thank you for the response. I did verify the syslog explanation you gave below and the AAA server is online as TACACS message are getting to it. My configuration for the ASA for RADIUS is as follows
  Server Group - RADIUS
  Protocol - RADIUS
  Accounting Mode - Simultaneous
  Reactivation Mode - Timed
  Max Failed attempts - 3
  Two servers in the Server Group
  ACS - Not working
  Microsoft IAS - Working
  I have tried removing the IAS server and changing the accounting mode to single and still getting auth failures.
  ACS is configured as follows
  Network Configuration
  AAA Clients - ASA authenticate using TACACS+
  AAA Servers - None listed. When I tried to add the ACS machine the error said the server already existed (In another Network Device Group)

• WLC with Multiple RADIUS Accounting Servers

  If a WLC has multiple accounting servers defined for a WLAN, will accounting packets be sent to all accounting servers ?
  The operation of authentication servers is that the WLC will only send authentication requests to a single RADIUS server. If that RADIUS server becomes unavailable, then the WLC will start to send authentication requests to the next available RADIUS server in the list configured for the WLAN.
  Is it the same mode of operation for accounting servers? Or, does the WLC send accounting records to all accounting servers that are defined against a WLAN?
  Thanks
  Nigel.

  So the WLC would use the priority list for the Radius servers for accouting.
  I have a setup that I need to send accounting to two different servers for different reasons. can this be done on the WLC?
  if not, does anyone know a good forking server for radius accounting?

• WLC 4400 and 5500 Fail-over

  Can we do the same thing with WCL 4400 and 5500 series for failover? We have 1 existing 4400 WLC and we wanted to purchase another 1 for fail-over as well as backup. But right now, 4400 is EOL already. The only option is to have the 5500 WLC.
  So if you do have previous set-up like this, so I would need your inputs.. Otherwise, same as usual, will gonna test to work this out.

  You can have both in a primary and backup, but make sure they are on the same code version. I'm assuming that you also have the configuration correct for the two wlc to communicate.
  I would put them both on the 7.0.220.0.
  Sent from Cisco Technical Support iPhone App

• Preventive maintenance WLC 4400 and 5500?

  Hi good morning,
  i asking for help in order to make a preventive maintenance for WLC 4000 and 5500.
  the main problem is: can i open the WLC´s and clean all the circuits they have inside? or must i only cleaning out the WLC?
  And i would like to know if there are documentation about this topic.
  thanks.

  thanks
  I thought of opening the WLC, and use compressed air to remove dust only.
  but like you mention would be better not open it.
  Greetings

• WLC 5508 and AAA accounting

  Hello,
  Does anyone know if a WLC 5508 can tie into AAA accounting in order to enable departmental chargeback for WLAN services ?  (keep track of usage by department, and charge accordingly)

  Thank you Nick.  (It think you have answered another post of mine)
  I feel like all I do is ask ask ask, I need to start answering ?'s ....maybe after a couple hundred posts will I know enough to be helpful

• Help Please: WLC 2106 and RADIUS

  Hello,
  In the WLC there are two groups (say A and B).  How would I take group B and point it to a RADIUS server for authentication please?  Looking for a step by step answe please. The server is ping reachable.  I have seached  but did not see any difinitive answer.
  Thanks!

  You can achieve what you want per WLAN.
  configure authentication servers order in wlan settings as per this image:
  HTH
  Amjad
  You want to say "Thank you"?
  Don't. Just rate the useful answers,
  that is more useful than "Thank you".

• WLC 4400 and supported APs

  Hello.
  Does anyone know which indoor APs are still sold by Cisco and supported by a 4400 WLC? From my research I only found 3500.
  Thanks in advance,
  João.

  The complete list of APs which can be supported on the 4400 can be found here.

• WLC 4400 and user authentication

  I would like to know if it's possible to configure/use WLC4400 to authenticate user from LDAP database. Currently I have LDAP server with VPN 3020 box to control user access for WLAN. Is there any way that I could set up 4400 box with my existing LDAP server without using VPN 3020?
  Thanks in advance.

  You'll need a radius middle man. ACS will do it natively.

• WLC 4400 and LAP 1131 radio reset daily at 2 P.M.

  192 Tue Mar 25 14:35:46 2014 AP's Interface:0(802.11b) Operation State Down: Base Radio MAC:00:24:c4:1d:11:10 Cause=Radio interface reset. Status:NA
  193 Tue Mar 25 14:35:46 2014 AP's Interface:0(802.11b) Operation State Up: Base Radio MAC:00:24:c4:8f:79:b0 Cause=Radio reset due to Init. Status:NA
  194 Tue Mar 25 14:35:46 2014 AP's Interface:1(802.11a) Operation State Up: Base Radio MAC:00:24:c4:8f:82:e0 Cause=Radio reset due to Init. Status:NA
  195 Tue Mar 25 14:35:46 2014 AP's Interface:0(802.11b) Operation State Up: Base Radio MAC:00:24:c4:8f:82:e0 Cause=Radio reset due to Init. Status:NA
  196 Tue Mar 25 14:35:46 2014 AP 'LAP-2F-2_54f8', MAC: 00:24:c4:8f:7f:40 disassociated previously due to AP Reset. Uptime: 15 days, 12 h 03 m 31 s . Last reset reason: operator changed 11g 
  ==================================================================================================================
  *apfReceiveTask: Mar 25 14:35:46.949: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg 
  *spamReceiveTask: Mar 25 14:35:46.628: %LOG-3-Q_IND: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg 
  *apfReceiveTask: Mar 25 14:35:46.554: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg 
  *spamReceiveTask: Mar 25 14:35:46.042: %LOG-3-Q_IND: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg 
  *apfReceiveTask: Mar 25 14:35:45.971: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg 
  *apfReceiveTask: Mar 25 14:35:45.321: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg 

  Similar issue resolved here
  https://supportforums.cisco.com/discussion/11015036/ap1141-rebooting-constantly

• WLC 4400 Not authetnicating between GUEST and Private networks

  Hello,
  I have a problem. I have a WLC 4400 and the problem i´m encountering is that when a user authetnicates to the private network, and then tryies to autheticate to the Guest network, it just stays there, it doens't do anything. Same way around, if you authenticate tothe Guest network, and change to the private network, it just sits there. I pointing that the problem is with Authentication, but not sure if i´m correct.
  Can anyone help me?? what ifnormation will i need to retreive from the WLC to see where the problem lies??
  I will get the debug mac addr <client-MAC-address           xx:xx:xx:xx:xx:xx> and repeat the issue in order to see if i get anything from the client.
  Thanks for the help
  Tony

  Thanks for the help.
  Actually the problem was that the WLC had a wrong time and also we had on our DHCP a 24 hour lease, so we were running low on IP´s.
  Change the lease for 8 hours and set the time correctly and the issue got solved.
  Thanks.