WLC 4400 question

Hi
The scenario is as follows:
We deployed a WLAN with a WLC 4400 and several LWAPs. The main configuration include 2 SSID, one for guest access (internet and a limited access to internal resources) and one with complete access to the internal resources. For the "guest" SSID the access control is done trough an ACL placed in the core cat 6500 switch. This ACL blocks the access from "guests" to several subnets including the subnet where the WLC resides.
No one "guest" WLAN user can ping or access any host located in the subnet where the WLC is configured, but they can ping and access the WLC via https!!!
The goal is to block the acces to "guest" users to the WLC. And let the WLAN users with complet access to manage wirelessly the WLC.
Can this be done?
I know that the wireless administration can be enabled or disabled but it applies to all the WLAN users no just the "guest" users.
Any idea or suggestion is quite welcome
Roger

Hi Roger,
You can configure CPU ACL if you are running 4.0 release on your controller. In CPU ACL you can deny telnet as well as HTTP access from client subnet to the management ip address of the controller which will block the access of guest user to access the controller via web or cli and also you can block the icmp traffic from guest user subnet to the controller ip address.
You can configure acl from cli or web but to apply that acl to cpu you an do it via cli only.
HTH
Ankur
*Pls rate all helpfull post

Similar Messages

  • Troubleshoot Cisco Airlap 1242 with WLC 4400 Series LWAPP_CLIENT_ERROR_DEBUG: spamHandleCfgReqTimer: Did not recieve the Config response

    I have a Problem with my new AIRLAP 1242 to connect with WLC 4400
    after debug in my airlap it shows :
    Reset done!
    ethernet link up, 100 mbps, full-duplex
    Ethernet port 0 initialized: link is up
    Loading "flash:/c1240-k9w8-mx.123-7.JX8/c1240-k9w8-mx.123-7.JX8"...######################################################################################################################################################################################################################################
    File "flash:/c1240-k9w8-mx.123-7.JX8/c1240-k9w8-mx.123-7.JX8" uncompressed and installed, entry point: 0x3000
    executing...
                  Restricted Rights Legend
    Use, duplication, or disclosure by the Government is
    subject to restrictions as set forth in subparagraph
    (c) of the Commercial Computer Software - Restricted
    Rights clause at FAR sec. 52.227-19 and subparagraph
    (c) (1) (ii) of the Rights in Technical Data and Computer
    Software clause at DFARS sec. 252.227-7013.
               cisco Systems, Inc.
               170 West Tasman Drive
               San Jose, California 95134-1706
    Cisco IOS Software, C1240 Software (C1240-K9W8-M), Version 12.3(7)JX8, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2007 by Cisco Systems, Inc.
    Compiled Mon 19-Mar-07 01:42 by hqluong
    Image text-base: 0x00003000, data-base: 0x004051E0
    Initializing flashfs...
    flashfs[1]: 9 files, 3 directories
    flashfs[1]: 0 orphaned files, 0 orphaned directories
    flashfs[1]: Total bytes: 15998976
    flashfs[1]: Bytes used: 5062144
    flashfs[1]: Bytes available: 10936832
    flashfs[1]: flashfs fsck took 4 seconds.
    flashfs[1]: Initialization complete....done Initializing flashfs.
    cisco AIR-LAP1242AG-E-K9   (PowerPCElvis) processor (revision A0) with 24566K/8192K bytes of memory.
    Processor board ID FCW1411U0FZ
    PowerPCElvis CPU at 266Mhz, revision number 0x0950
    Last reset from power-on
    1 FastEthernet interface
    2 802.11 Radio(s)
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 68:EF:BD:5F:9A:18
    Part Number                          : 73-10256-07
    PCA Assembly Number                  : 800-26918-06
    PCA Revision Number                  : A0
    PCB Serial Number                    : FOC14093XU3
    Top Assembly Part Number             : 800-29152-03
    Top Assembly Serial Number           : FCW1411U0FZ
    Top Revision Number                  : A0
    Product/Model Number                 : AIR-LAP1242AG-E-K9
    Press RETURN to get started!
    *Mar  1 00:00:05.608: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
    *Mar  1 00:00:06.858: %DOT11-2-VERSION_INVALID: Interface Dot11Radio0, unable to find required radio version 581.18
    *Mar  1 00:00:06.858: Interface Dot11Radio0, Accepting as a test version of radio firmware
    *Mar  1 00:00:06.878: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
    *Mar  1 00:00:07.234: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Mar  1 00:00:08.212: %DOT11-2-VERSION_INVALID: Interface Dot11Radio1, unable to find required radio version 581.18
    *Mar  1 00:00:08.212: Interface Dot11Radio1, Accepting as a test version of radio firmware
    *Mar  1 00:00:08.232: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1
    *Mar  1 00:00:09.278: %SYS-6-LOGGERSTART: Logger process started
    *Mar  1 00:00:09.326: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, C1240 Software (C1240-K9W8-M), Version 12.3(7)JX8, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2007 by Cisco Systems, Inc.
    Compiled Mon 19-Mar-07 01:42 by hqluong
    *Mar  1 00:00:09.332: %CDP_PD-4-POWER_OK: Full power - AC_ADAPTOR inline power source
    *Mar  1 00:00:09.388: %DOT11-6-FREQ_SCAN: Interface Dot11Radio0, Scanning frequencies for 32 seconds
    *Mar  1 00:00:10.271: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
    *Mar  1 00:00:10.332: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *Mar  1 00:00:10.332: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Mar  1 00:00:11.271: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
    *Mar  1 00:00:28.331: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY
    *Mar  1 00:00:28.361: %DOT11-6-FREQ_USED: Interface Dot11Radio0, frequency 2462 selected
    *Mar  1 00:00:28.362: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
    *Mar  1 00:00:28.363: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Mar  1 00:00:28.369: %DOT11-6-FREQ_USED: Interface Dot11Radio1, frequency 5260 selected
    *Mar  1 00:00:28.372: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Mar  1 00:00:28.398: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar  1 00:00:28.399: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Mar  1 00:00:28.465: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Mar  1 00:00:29.398: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Mar  1 00:00:29.465: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    Translating "CISCO-LWAPP-CONTROLLER.ekahospital.com"...domain server (202.134.0.155)
    *Mar  1 00:00:38.351: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned DHCP address 172.31.xxx.xxx, mask 255.255.255.0, hostname AP68ef.bd5f.9a18
    *Mar  1 00:00:38.820: %DOT11-6-FREQ_USED: Interface Dot11Radio0, frequency 2417 selected
    *Mar  1 00:00:38.827: %DOT11-6-FREQ_USED: Interface Dot11Radio1, frequency 5200 selected (203.130.196.5)
    *Mar  1 00:00:49.835: %DOT11-6-FREQ_USED: Interface Dot11Radio0, frequency 2422 selected
    *Mar  1 00:00:49.842: %DOT11-6-FREQ_USED: Interface Dot11Radio1, frequency 5220 selected
    *Mar  1 00:00:49.851: %LWAPP-5-CHANGED: LWAPP changed state to JOIN
    *Mar  1 00:00:49.852: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Mar  1 00:00:49.852: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
    *Mar  1 00:00:50.852: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Mar  1 00:00:50.852: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *Sep 18 07:02:25.504: %LWAPP-5-CHANGED: LWAPP changed state to CFG
    *Sep 18 07:02:29.288: LWAPP_CLIENT_ERROR: lwapp_name_lookup - Could Not resolve CISCO-LWAPP-CONTROLLER.MYDOMAIN.com
    *Sep 18 07:02:30.504: LWAPP_CLIENT_ERROR_DEBUG: spamHandleCfgReqTimer: Did not recieve the Config response
    *Sep 18 07:02:30.551: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: DID NOT GET CONFIG RESPONSE.
    *Sep 18 07:02:30.551: %LWAPP-5-CHANGED: LWAPP changed state to DOWNXmodem file system is available.
    flashfs[0]: 9 files, 3 directories
    flashfs[0]: 0 orphaned files, 0 orphaned directories
    flashfs[0]: Total bytes: 15998976
    flashfs[0]: Bytes used: 5062144
    flashfs[0]: Bytes available: 10936832
    flashfs[0]: flashfs fsck took 26 seconds.
    Base ethernet MAC Address: 68:ef:bd:5f:9a:18
    Initializing ethernet port 0...
    Reset ethernet port 0...
    Reset done!
    and after that i check in my WLC that shows
    AP with Base Radio MAC xx:xx:xx:xx:xx:xx (APxxxx.xxxx.xxxx) is unable to associate.
    The reulatory domain configured on it '-e' does not match the controller's country
    code: USA
    i found that the problem about the region.
    question :
    1. is it possible to change the region in AIRLAP 1242 or in WLC?
    2. if possible how to change it?
    INFO :
    my first AIRLAP Product/Model Number : AIR-LAP1242AG-A-K9 and my new AIRLAP Product/Model Number : AIR-LAP1242AG-E-K9

    WLC GUI >> Wireless >> Country >> Select the country.
    Regards
    Surendra

  • ISE WLC 4400 configuration

    Up until now, my experience has been with 5500 controllers and ISE.
    My customer is using 4400 controller, on 7.0.240 code.
    I cannot locate any documents referencing 4400 controller configuration for webauth, named ACLs, posturing, etc...
    Does anyone know of any documents, or have experience that can assist with this configuration?

    Michael,
    Depending on the version of ISE software you are running, you may be in luck.  The information below is for 1.1.x.  If you are using v 1.2, you may have to tweak a bit.
    In this first document, you can see the WLC 4400 is supported and Local Web Auth is supported, with the following caveat:  “Wireless (An ISE Inline Posture node is required if the WLC does not support CoA as discussed in Footnote #4. WLCs with the code specified in this table do support CoA without an ISE Inline Posture node)”
    http://www.cisco.com/en/US/docs/security/ise/1.1/compatibility/ise_sdt.html#wp55038
    Of course, with an IPN, your posturing  (and CoA) is handled here.
    DACLs are also supported on the WLC 4400.
    Per User ACLs are covered in the following document:
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808b041e.shtml
    I think you will find that if you substitute the ACS pages with the corresponding ISE interface pages, this can be done.
    Please feel free to ask any additional or follow-up questions.
    Also, please let me know if this fixes your issue.  If it does, please rate this answer and mark your question as Answered.
    Charles Moreton

  • WLC 4400 : some of the clients are stuck in 802.1x REQD ( Auth - no but status is Associated ) in PEM process

    Hi ,
    I have wlc 4400 with 1010 AP's wireless set-up.
    Everything is working fine but unfortunately , I am coming across with one issue that, clients are not getting authenticated.
    If I see the status of respective client  in WLC :
    status : Associated
    Auth : No
    Policy manager : 802.1X REQD
    I read about PEM ( Policy enforcement Module ) , as it is going through same procedure but policy manager should in " RUN " condition , Unfortunately it is not.
    how do i resolve this issue ?

    Hi Vinod,
    The 802.1X_REQD state would suggest that the client cannot complete L2 authentication.
    If possible, it would be helpful to collect the following debugs from the WLC while trying to connect the client:
    debug client
    debug aaa event enable
    Also, please attach the full text output of the command "show run-config" and let us know the WLAN through which the client should be connecting.
    Regards,
    Fede
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • WLC 4400 and multiple authentication servers e.g. RADIUS, ACS

    WLC 4400 and multiple authentication servers e.g. RADIUS, ACS
    Can the WCL 4400 be set up to use multiple RADIUS servers? The user accounts for accessing wireless would use a RADIUS server. The administrative accounts for the WLC would reside on an ACS server.

    Yes, that is correct. You can set acs to use both radius and tacacs.
    For this you need to add WLC twice in acs-->network configuration. But you need to keep host name different.
    eg 1) Host name WLC --->IP x.x.x.x -->Auth using -->radius
    2) Host name WLC1--->IP x.x.x.x --->Auth using -->Tacacs.
    You need to set up tacacs commands on WLC along with radius commands.
    Regards,
    ~JG
    Please rate helpful posts

  • WLC 4400 and IDS attacks

    Hi,
    I have a WLC 4400 and a WCS 5.2. I'm receiving alarm about flood atacks and desauthentication attacks from a client. These alarms are detected by the IDS system. I'd like to know if there are any way to block this client.
    Thanks a lot.

    Thanks Sschmidt,
    I saw this solution. The problem it's that i must create an entry by any client. If there are any client that capture the wpa key and after chage his mac i couldn't block them. Is that correct? I don't know how easily it's capture authenticantion packets with a WLC.
    Thanks

  • WLC 4400 and WLC 5500

    We have a site with a WLC 4400 and we would like to setup a Controller failover. The WLC 4400 is EOS/EOL and the replacement available is WLC 5508. Can someone advice me on how to configure these units in Primary /Secondary mode so that if any of the Controllers fail, the other one can take over?
    Thanks,

    Hi Akil,
    You are most welcome
    Yes, you can configure 4400's and 5500's in a redundant configuration, but both should be runningthe
    same code version. I believe the latest version that is compatible for both is 7.0.220.0. 
    this is the last version that supports the 4400 series.
    Here's a note that reflects the support;
    Note
    Controllers  do not have to be of the same model to be a member of a mobility group.  Mobility groups can be comprised of any combination of controller  platforms.
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mobil.html
    Cheers!
    Rob
    "Show a little faith, there's magic in the night" - Springsteen

  • Move AP from WLC 4400 to 2500

    I have wlc 4400 running on 6.0.196.0, get new wlc 2500 with 7.0.220.0, on 4400, 12 AP only one will register onto 2500.
    Both 4400 and 2500 on the same subnet. how to let AP register on 2500 rather than 4400
    AP model:
    on 4400 now:  AIR-AP1242AG-A-K9, AIR-LAP1242AG-A-K9, AIR-LAP1142N-A-K9
    on 2500 is AIR-LAP1242AG-A-K9

    on 4400
    (Cisco Controller) >show interface summary
    Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
    ap-manager                       1    untagged 10.10.1.23      Static  Yes    No  
    management                     1    untagged 10.10.1.22      Static  No     No  
    service-port                      N/A  N/A         10.1.1.10       Static  No     No  
    virtual                               N/A  N/A          1.1.1.1         Static  No     No  
    on 2500
    (Cisco Controller) >show interface summary
    Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
    m2                               2    10       10.10.1.92      Dynamic Yes    No  
    m3                               3    10       10.10.1.93      Dynamic Yes    No  
    m4                               4    10       10.10.1.94      Dynamic Yes    No  
    management                 1    10       10.10.1.90      Static  Yes    No  
    virtual                          N/A  N/A      1.1.1.1         Static  No     No 

  • How to disable Password Recovery in WLC 4400

    Hi All,
    I need your help to disable the password Recovery for the WLC 4400, in case of the hardware stolen or hacking by internal hacker,
    Thanks in advanced for your help,
    Ahmed

    Gee whiz.  This is the second post you've made in regards to disable password-recovery mechanism.  For the WLC, I agree with Nic, it's not possible.   And, for the record, there are ways to bypass a disable-password-recovery mechanism.  This is mainly due to prevent un-authorized use of this mechanism by, for example, a disguntled network administrator from shutting down a network.

  • WLC 4400 to WLC 5508

    Hi All
    I want to migrate from WLC 4400 to WLC 5508. currently on WLC 4400 we got 10 AP are connected with 5 SSID having different authentication method. On WLC 5508 If I create the same SSID with same key, will I need to reconfigure anything on end user PC and smart devices
    any tool to migrate wlc 4400 config to wlc 5508
    cheers
    Vishal 

    Thanks Scott, some more inquiry
    how to reboot the AP from the controller. ( I see 'Reset AP' -  this option to reboot or something else)
    how to disconnect all users connected to specific SSID from controller
    Can AP model 3702 work with WLC  5508, do we need specific software version
    cheers
    Vishal

  • WLC 4400 - Different minor versions same mobility group?

    Hi all,
    i have 2 WLC 4400 integraded in 3750G.
    One has 6.0.202 and the other 6.0.188.
    They are in different places but now i want to put them in the same mobility group.
    Will this difference be a problem?
    BR
    Anthony

    Yes it will be an issue. You have to remember that the AP gets it firmware from the WLC image. So if an AP has to mi e from one to the other, it will either upgrade or downgrade each time. Best practice is to keep the firmware the same.
    Sent from Cisco Technical Support iPhone App

  • WLC 4400 Not authetnicating between GUEST and Private networks

    Hello,
    I have a problem. I have a WLC 4400 and the problem i´m encountering is that when a user authetnicates to the private network, and then tryies to autheticate to the Guest network, it just stays there, it doens't do anything. Same way around, if you authenticate tothe Guest network, and change to the private network, it just sits there. I pointing that the problem is with Authentication, but not sure if i´m correct.
    Can anyone help me?? what ifnormation will i need to retreive from the WLC to see where the problem lies??
    I will get the debug mac addr <client-MAC-address           xx:xx:xx:xx:xx:xx> and repeat the issue in order to see if i get anything from the client.
    Thanks for the help
    Tony

    Thanks for the help.
    Actually the problem was that the WLC had a wrong time and also we had on our DHCP a 24 hour lease, so we were running low on IP´s.
    Change the lease for 8 hours and set the time correctly and the issue got solved.
    Thanks.

  • WLC 4400 4.2.176.0 Ver and Windows Vista

    We recently upgraded our WLC 4400s to 4.2.176.0. This was requested by Cisco. When the students returned from Christmas break, any student running Vista is able to authenticate to the AP, get an appropriate IP address and DNS configuration, but cannot get to any network resources, including Internet. If we hard code the DNS information in the wireless card TCP/IP Properties, the user can get to some Internet sites, but no HTTPS pages.
    All XP and MAC machines appear to be working fine.
    Any thoughts?

    The problem is that its not deauthenticating the user, its just dropping completely and disabling the windows zero configuration in the services.  I do not know how or what in the WLC would do this?  I really dont think this is anything that I can control.  I am guessing that there is an internal conflict on the pc.  I have been told that the image used to image the machine has had the manufacturers wireless client utility removed.  I did find a DW Utility in the services list.  I think that is my problem.  I did however go ahead and upgrade them to 5.2.193.  All I can do is have the customer monitor and see what happens.  Will post an update when I get one.

  • Connecting a WLC 4400 to a 2960 POE Catalyst

                       I need some help connecting my WLC 4400 to my 2960 catalyst switch. The gigabit port
    on the Catalyst switch I am using is connected to port 1 on WLC 4400. I have the port set to trunking
    mode but I cannot ping the management interface IP. I also noticed the activity lights on the two interfaces
    are not lit. 
    interface GigabitEthernet0/2
    switchport mode trunk
    Is there something else I need to attribute to this port?
    Thanks

    Sorry to get back to you so late. Here is what I got.
    Wireless#sh ip int brief gi0/2
    Interface IP-Address OK? Method Status Protocol
    GigabitEthernet0/2 unassigned YES unset down down
    Wireless#sh ip int gi0/2
    GigabitEthernet0/2 is down, line protocol is down
    Inbound access list is not set
    It is plugged in.

  • WLC 4400 series OID for Current Clients

    Can someone advise what is the OID for the number of current clients for the WLC 4400 series appliance.
    Thanks.

    Based on the results of your walk, I would say it's reports all of the instances on that particular controller...and I say this because only one instance is reported. I would think that if you have multiple WLANS on that WLC, you would get multiple instances reported back, so, (maybe, like you) I'm confused by the description in the MIB object where it states:
    "No of Mobile Stations currently associated with the WLAN."
    which to me looks like "the WLAN" is used in the singular.
    At this point, I think the best thing to do would be to open a TAC case with all of this info, and we can get with our developers for confirmation.
    Hope this has been somewhat helpful, and please rate these posts.
    Thanks,
    -Joe

Maybe you are looking for