WLC 4400 and supported APs

Similar Messages

• WLC 4400 and WLC 5500

  We have a site with a WLC 4400 and we would like to setup a Controller failover. The WLC 4400 is EOS/EOL and the replacement available is WLC 5508. Can someone advice me on how to configure these units in Primary /Secondary mode so that if any of the Controllers fail, the other one can take over?
  Thanks,

  Hi Akil,
  You are most welcome
  Yes, you can configure 4400's and 5500's in a redundant configuration, but both should be runningthe
  same code version. I believe the latest version that is compatible for both is 7.0.220.0. 
  this is the last version that supports the 4400 series.
  Here's a note that reflects the support;
  Note
  Controllers  do not have to be of the same model to be a member of a mobility group.  Mobility groups can be comprised of any combination of controller  platforms.
  http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mobil.html
  Cheers!
  Rob
  "Show a little faith, there's magic in the night" - Springsteen

• WLC 4400 and multiple authentication servers e.g. RADIUS, ACS

  WLC 4400 and multiple authentication servers e.g. RADIUS, ACS
  Can the WCL 4400 be set up to use multiple RADIUS servers? The user accounts for accessing wireless would use a RADIUS server. The administrative accounts for the WLC would reside on an ACS server.

  Yes, that is correct. You can set acs to use both radius and tacacs.
  For this you need to add WLC twice in acs-->network configuration. But you need to keep host name different.
  eg 1) Host name WLC --->IP x.x.x.x -->Auth using -->radius
  2) Host name WLC1--->IP x.x.x.x --->Auth using -->Tacacs.
  You need to set up tacacs commands on WLC along with radius commands.
  Regards,
  ~JG
  Please rate helpful posts

• WLC 4400 and IDS attacks

  Hi,
  I have a WLC 4400 and a WCS 5.2. I'm receiving alarm about flood atacks and desauthentication attacks from a client. These alarms are detected by the IDS system. I'd like to know if there are any way to block this client.
  Thanks a lot.

  Thanks Sschmidt,
  I saw this solution. The problem it's that i must create an entry by any client. If there are any client that capture the wpa key and after chage his mac i couldn't block them. Is that correct? I don't know how easily it's capture authenticantion packets with a WLC.
  Thanks

• WLC 4400 and 5500 Fail-over

  Can we do the same thing with WCL 4400 and 5500 series for failover? We have 1 existing 4400 WLC and we wanted to purchase another 1 for fail-over as well as backup. But right now, 4400 is EOL already. The only option is to have the 5500 WLC.
  So if you do have previous set-up like this, so I would need your inputs.. Otherwise, same as usual, will gonna test to work this out.

  You can have both in a primary and backup, but make sure they are on the same code version. I'm assuming that you also have the configuration correct for the two wlc to communicate.
  I would put them both on the 7.0.220.0.
  Sent from Cisco Technical Support iPhone App

• Wlc 4402 and 1010 Aps

  Hi,
  I have 2 vlans (wired-side) in my corporation: the first one for Data (vlan 1, native) and the second one for voice (vlan 2). We've just get a wlc 4402 with 1010 Aps and I would like to know one thing:
  Could I create 2 Ssids(one for voice and another for Data) and map each one to its wired Vlan?.
  Does the 1010 Ap support 802.1q?
  Thanks in advance for your help

  The 1010 aps connect to the switches as hosts
  (switchport mode access; switchport access vlan ...)
  The controller has 2 ports that connect to the network as trunks. You can connect them as port 1 and 2, or put them in a lag group [aka etherchannel)
  All the vlan trunking is done at the controller port to switch port. The AP sends the info down to the controller over the vlan specified for the aps
  In your case, you should create another vlan for the APS.
  The 4402 controller mgmt interface would sit in the same vlan as the APs. You would then create dynamic interfaces on the controller that have a vlan id and ip address for the desired network per your needs. You would then create a wlan on the controller and then bind it to the dynamic interface you just created.
  I am oversimplfying this process quite a bit, but it should get you started. There is now a good bit of info on cisco.com for the wireless products

• WLC 4400 and IDS/IPS

  One of my clients is keen to know the IDS/IPS capabilities with WLC 4400. Any hints? Also can anyone explain IDS sensor to me? Thank you.

  There are a number of IDS capabilities that are highlighted regarding the WLC. Unfortunately, you will find that the product continues to suffer from ongoing false positives and a severe lack of documentation (and support) for the IDS.
  For example, if you utilize containment against a rogue AP (which is used to prevent users from attaching to the rogue), the system detects its own containment messages as a denial of service attack. The system is not intelligent enough to know that it is the source of these messages and ignore them.
  Initially, Cisco flagged these false positive as "cosmetic" and claimed that to fix them required a "feature request that must be run through the Cisco sales team" which we did in the spring of 07. Cisco has be VERY slow in coming around on getting these fixed (it has been well over a year since these have been documented and they are still not resolved in the current version of 4.2).
  The Wireless IDS system is also famous for other false alarms which Cisco TAC has linked to alarming on normal behavior when a client goes out of range and a string of deauthentication messages is sent to make sure that the conversation has ended. The WLC 4.2 continues to flag these as false-positive denial-of-service attacks even though the IDS parameters could be adjusted (from the factory) to account for the known 64 repeated deauths that are sent.
  The IDS file is capable of "tuning" but the parameters are very lightly documented. In fact, the IDS parameter file itself had the least sparse version of documentation and it is a text file only 200-lines long.
  In terms of determining if a rogue AP is on-wire. This functionality does not work reliably (not just if there is no path on the wired network to the controller which is understandable) but even if the rogue AP is on the same subnet as the controller. It just plain does not work.
  If you are attempting to determine if there are clients on the rogue AP, this mechanism works with limited success since the AP has to catch the client attaching during its brief scan interval. This results in misleading information.
  There are other false alarms that appear to be related to a specific chipset (using the OUI / first octet of the MAC address). However, there has been very little movement on Cisco's part in getting resolution to getting these anomalies addressed. The basic attitude has been "if we didn't see it in our lab in San Jose when we wrote the code, there's nothing we can do". Since the IDS lacks any ability to "phone home" (sending the alarms it is seeing to the development team) they end up having to develop in a relatively limited environment.
  For more information, please reference the following:
  Wireless LAN Controller IDS Signature Parameters
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008063e5d0.shtml
  I would send you the link to some of the bugs, such as CSCsj06015, CSCsh35010, CSCsk60655, etc. but the Cisco bug tool ( http://tools.cisco.com/Support/BugToolKit/ )is currently not working (no doubt the system is getting overworked). Maybe the site will be up when you read this.
  In the interest of fairness, there have been efforts over the past year by Cisco to address these false alarms and a number of them appear to finally be resolved.
  Bottom line: In my opinion, the wireless IDS is still not ready for prime time. To quote my customer, "I just can't trust it". Unless you set your customer's expectations fairly low, you will both end up disappointed.
  That said, the product itself still has many compelling reasons to implement it including ease of installation and management. If you are willing to wade through the various bugs in the IDS and WCS it still is the best game in town.
  - John

• Preventive maintenance WLC 4400 and 5500?

  Hi good morning,
  i asking for help in order to make a preventive maintenance for WLC 4000 and 5500.
  the main problem is: can i open the WLC´s and clean all the circuits they have inside? or must i only cleaning out the WLC?
  And i would like to know if there are documentation about this topic.
  thanks.

  thanks
  I thought of opening the WLC, and use compressed air to remove dust only.
  but like you mention would be better not open it.
  Greetings

• WLC 5508 and 1142 APs

  Hi ! How can I view the WPA passwords that was set on my APs ? I have web access to the WLC. Thanks.

  You can use a program called wz Cook on windows boxes to pull the wep and wpa keys ..
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

• WLC 5508 and LightWeight APs Deployment question

  Hi There,
  Can you please wit the following question in regards to the deployment of a new WLC and new LAPs,
  I have configured and connected a 5508 WLC and 3500 series LAP.
  LAG is enabled in the WLC and successfully connected to the neighboring switch (using etherchannel) and to the network.
  The port-channel port is set to trunk mode obviously and certain vlan ids are currently allowed (3-5)
  The management interface has this IP address 192.168.5.250/24
  I created a WLAN with WLAN ID 3, Interface set to Management and say SSID test1
  I have connected a new LAP to the network, which switchport interface is set to access mode and assigned with vlan id 3. The LAP is able to join the WLC successfully with an IP address, such as, 192.168.3.100 (assigned via DHCP).
  When I try connecting a mobile client to the wireless LAN, it can successfully detect and connect to the WLAN, created in the WLC (test1) however it gets an IP address by DHCP, in the 192.168.5.0/24 network, which is the IP range of the management interface's IP address.
  What can I do to get the clients connecting on network 192.168.3.0/24? I thought this would be the case since I allocated the WLAN Id of 3 in the WLAN test1 configuration and since the LAP switchport is set to access mode with vlan ID 3.
  Cheers,
  egua5261

  Hi,
  The WLAN ID has no effect with the VLAN ID. WLAN ID is just an identifier for the WLAN.
  you said "Interface set to Management and say SSID test1" and here is your issue.
  You set the interface of the WLAN to the management. So, the WLAN will be mapped to the VLAN to which the management interface is mapped to.
  What you need to do is to create a dynamic interface with ip range in 192.168.3.0/24 and provide VLAN ID for that interface and assign your WLAN to this new interface. This way your clients will get an IP from this specified range.
  HTH
  Amjad

• WLC-2006 and 1242 APs

  Hello.
  I have a 2006 with 2 1242 APs connected to it. The problem I have is the 2 APs keep rebooting. they come up, get a DHCP address, stay up for a minute or so and restart. The log on the controller shows this each time it happens:
  Thu Apr 20 10:54:39 2006 [ERROR] spam_lrad.c 2544: Security processing of Image Data failed from AP 00:16:47:b2:0a:48
  Thu Apr 20 10:54:39 2006 [ERROR] spam_crypto.c 653: Failed decryption of message from AP 00:16:47:B2:0A:48
  Thu Apr 20 10:54:24 2006 [ERROR] spam_lrad.c 5973: Refusing image download to AP 00:16:47:b2:0a:48 - Unable to open file /bsn/ap//c1240
  Any ideas?
  Thanks

  I had the same problem with some 1231 APs with a 4402 controller. If you watch the APs console while it is rebooting, you'll notice that it can't get a certificate. I finally figured out that the time was different (wrong time zone) wrong on the controller compared to what I gave the APs when I upgraded them to LWAPP.
  FYI

• WLC 4400 and RADIUS accounting

  Have trawled what docs there are and cant find out if the RADIUS accounting messages from the 4400 include the name of the lightweight AP handling the user session.
  I'm guessing there might be a new Cisco VSA for it.
  Anyone know?
  Thanks

  The error message could be because of any unused protocol.

• WLC 4400 and user authentication

  I would like to know if it's possible to configure/use WLC4400 to authenticate user from LDAP database. Currently I have LDAP server with VPN 3020 box to control user access for WLAN. Is there any way that I could set up 4400 box with my existing LDAP server without using VPN 3020?
  Thanks in advance.

  You'll need a radius middle man. ACS will do it natively.

• WLC 4400 and LAP 1131 radio reset daily at 2 P.M.

  192 Tue Mar 25 14:35:46 2014 AP's Interface:0(802.11b) Operation State Down: Base Radio MAC:00:24:c4:1d:11:10 Cause=Radio interface reset. Status:NA
  193 Tue Mar 25 14:35:46 2014 AP's Interface:0(802.11b) Operation State Up: Base Radio MAC:00:24:c4:8f:79:b0 Cause=Radio reset due to Init. Status:NA
  194 Tue Mar 25 14:35:46 2014 AP's Interface:1(802.11a) Operation State Up: Base Radio MAC:00:24:c4:8f:82:e0 Cause=Radio reset due to Init. Status:NA
  195 Tue Mar 25 14:35:46 2014 AP's Interface:0(802.11b) Operation State Up: Base Radio MAC:00:24:c4:8f:82:e0 Cause=Radio reset due to Init. Status:NA
  196 Tue Mar 25 14:35:46 2014 AP 'LAP-2F-2_54f8', MAC: 00:24:c4:8f:7f:40 disassociated previously due to AP Reset. Uptime: 15 days, 12 h 03 m 31 s . Last reset reason: operator changed 11g 
  ==================================================================================================================
  *apfReceiveTask: Mar 25 14:35:46.949: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg 
  *spamReceiveTask: Mar 25 14:35:46.628: %LOG-3-Q_IND: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg 
  *apfReceiveTask: Mar 25 14:35:46.554: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg 
  *spamReceiveTask: Mar 25 14:35:46.042: %LOG-3-Q_IND: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg 
  *apfReceiveTask: Mar 25 14:35:45.971: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg 
  *apfReceiveTask: Mar 25 14:35:45.321: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg 

  Similar issue resolved here
  https://supportforums.cisco.com/discussion/11015036/ap1141-rebooting-constantly

• WLC 4400 Not authetnicating between GUEST and Private networks

  Hello,
  I have a problem. I have a WLC 4400 and the problem i´m encountering is that when a user authetnicates to the private network, and then tryies to autheticate to the Guest network, it just stays there, it doens't do anything. Same way around, if you authenticate tothe Guest network, and change to the private network, it just sits there. I pointing that the problem is with Authentication, but not sure if i´m correct.
  Can anyone help me?? what ifnormation will i need to retreive from the WLC to see where the problem lies??
  I will get the debug mac addr <client-MAC-address           xx:xx:xx:xx:xx:xx> and repeat the issue in order to see if i get anything from the client.
  Thanks for the help
  Tony

  Thanks for the help.
  Actually the problem was that the WLC had a wrong time and also we had on our DHCP a 24 hour lease, so we were running low on IP´s.
  Change the lease for 8 hours and set the time correctly and the issue got solved.
  Thanks.