WLC 4400 question
Hi
The scenario is as follows:
We deployed a WLAN with a WLC 4400 and several LWAPs. The main configuration includes 2 SSIDs, one for guest access (internet and limited access to internal resources) and one with complete access to the internal resources. For the "guest" SSID the access control is done through an ACL placed on the core Cat 6500 switch. This ACL blocks access from "guests" to several subnets, including the subnet where the WLC resides.
No "guest" WLAN user can ping or access any host located in the subnet where the WLC is configured, but they can ping and access the WLC via HTTPS!
The goal is to block "guest" users' access to the WLC, and let the WLAN users with complete access manage the WLC wirelessly.
Can this be done?
I know that wireless administration can be enabled or disabled, but it applies to all the WLAN users, not just the "guest" users.
Any idea or suggestion is quite welcome
Roger
Hi Roger,
You can configure a CPU ACL if you are running the 4.0 release on your controller. In the CPU ACL you can deny telnet as well as HTTP access from the client subnet to the management IP address of the controller, which will block guest users from accessing the controller via web or CLI, and you can also block ICMP traffic from the guest user subnet to the controller IP address.
You can configure the ACL from the CLI or the web, but to apply that ACL to the CPU you can do it via the CLI only.
HTH
Ankur
*Pls rate all helpful posts
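The reason the 6500 ACL never fires here is that a packet from a wireless client addressed to the controller's own management IP is terminated on the controller as soon as it leaves the AP tunnel; it is never forwarded to the core switch, so no ACL there can match it. A CPU ACL is evaluated on exactly that path, which is why it solves this case. The following is an added example of the CLI sequence Ankur describes, not configuration from the original thread, written against the AireOS "config acl" command set. The management address 192.0.2.10, the guest WLAN subnet 198.51.100.0/24 and the ACL name GUEST-NO-MGMT are assumptions; lines beginning with "#" are annotations, not controller commands.

```text
# Added example, AireOS WLC CLI (4.x): CPU ACL that blocks guest clients from
# the controller's own management address while leaving every other client,
# including admins on the internal SSID, able to reach it.
# Assumed values: management interface 192.0.2.10, guest subnet 198.51.100.0/24.

config acl create GUEST-NO-MGMT

# Rule 1: guest subnet -> management IP, TCP/443 (HTTPS GUI)
config acl rule add GUEST-NO-MGMT 1
config acl rule source address GUEST-NO-MGMT 1 198.51.100.0 255.255.255.0
config acl rule destination address GUEST-NO-MGMT 1 192.0.2.10 255.255.255.255
config acl rule protocol GUEST-NO-MGMT 1 6
config acl rule destination port range GUEST-NO-MGMT 1 443 443
config acl rule direction GUEST-NO-MGMT 1 any
config acl rule action GUEST-NO-MGMT 1 deny

# Rule 2: same source/destination, TCP/80 (HTTP GUI, if it is enabled)
config acl rule add GUEST-NO-MGMT 2
config acl rule source address GUEST-NO-MGMT 2 198.51.100.0 255.255.255.0
config acl rule destination address GUEST-NO-MGMT 2 192.0.2.10 255.255.255.255
config acl rule protocol GUEST-NO-MGMT 2 6
config acl rule destination port range GUEST-NO-MGMT 2 80 80
config acl rule direction GUEST-NO-MGMT 2 any
config acl rule action GUEST-NO-MGMT 2 deny

# Rule 3: TCP/22-23 (SSH and telnet CLI)
config acl rule add GUEST-NO-MGMT 3
config acl rule source address GUEST-NO-MGMT 3 198.51.100.0 255.255.255.0
config acl rule destination address GUEST-NO-MGMT 3 192.0.2.10 255.255.255.255
config acl rule protocol GUEST-NO-MGMT 3 6
config acl rule destination port range GUEST-NO-MGMT 3 22 23
config acl rule direction GUEST-NO-MGMT 3 any
config acl rule action GUEST-NO-MGMT 3 deny

# Rule 4: ICMP (protocol 1) so guests cannot even ping the controller
config acl rule add GUEST-NO-MGMT 4
config acl rule source address GUEST-NO-MGMT 4 198.51.100.0 255.255.255.0
config acl rule destination address GUEST-NO-MGMT 4 192.0.2.10 255.255.255.255
config acl rule protocol GUEST-NO-MGMT 4 1
config acl rule direction GUEST-NO-MGMT 4 any
config acl rule action GUEST-NO-MGMT 4 deny

# Rule 5: explicit permit for everything else. A WLC ACL ends in an implicit
# deny; without this rule the CPU ACL would also drop DHCP relay, DNS, RADIUS
# replies, SNMP and the internal WLAN's management sessions.
config acl rule add GUEST-NO-MGMT 5
config acl rule protocol GUEST-NO-MGMT 5 any
config acl rule direction GUEST-NO-MGMT 5 any
config acl rule action GUEST-NO-MGMT 5 permit

# Commit the rules and bind the ACL to the controller CPU
config acl apply GUEST-NO-MGMT
config acl cpu GUEST-NO-MGMT
save config

# Verify
show acl cpu
show acl detailed GUEST-NO-MGMT
```

The deny rules match on the guest source subnet rather than on the WLAN, so a client on the internal SSID falls through to rule 5 and can still open the GUI or SSH; that is what gives the "block guests, keep admins" split the question asks for. Test from both sides: https://192.0.2.10/ and a ping from a guest client should now time out, while the same attempts from the internal WLAN still succeed. Two caveats: rules are evaluated first match, so keep the permit-any rule last; and on later AireOS releases "config acl cpu" takes an additional scope argument (wired, wireless or both) and the CPU ACL can also be applied from the GUI, so check the command reference for the release actually running. A CPU ACL only protects the controller's own addresses; the 6500 ACL still has to protect the rest of the subnet.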
Similar Messages
-
I have a problem with my new AIR-LAP 1242 connecting to the WLC 4400.
After debugging on my AIR-LAP it shows:
Reset done!
ethernet link up, 100 mbps, full-duplex
Ethernet port 0 initialized: link is up
Loading "flash:/c1240-k9w8-mx.123-7.JX8/c1240-k9w8-mx.123-7.JX8"...######################################################################################################################################################################################################################################
File "flash:/c1240-k9w8-mx.123-7.JX8/c1240-k9w8-mx.123-7.JX8" uncompressed and installed, entry point: 0x3000
executing...
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, C1240 Software (C1240-K9W8-M), Version 12.3(7)JX8, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Mon 19-Mar-07 01:42 by hqluong
Image text-base: 0x00003000, data-base: 0x004051E0
Initializing flashfs...
flashfs[1]: 9 files, 3 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 15998976
flashfs[1]: Bytes used: 5062144
flashfs[1]: Bytes available: 10936832
flashfs[1]: flashfs fsck took 4 seconds.
flashfs[1]: Initialization complete....done Initializing flashfs.
cisco AIR-LAP1242AG-E-K9 (PowerPCElvis) processor (revision A0) with 24566K/8192K bytes of memory.
Processor board ID FCW1411U0FZ
PowerPCElvis CPU at 266Mhz, revision number 0x0950
Last reset from power-on
1 FastEthernet interface
2 802.11 Radio(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 68:EF:BD:5F:9A:18
Part Number : 73-10256-07
PCA Assembly Number : 800-26918-06
PCA Revision Number : A0
PCB Serial Number : FOC14093XU3
Top Assembly Part Number : 800-29152-03
Top Assembly Serial Number : FCW1411U0FZ
Top Revision Number : A0
Product/Model Number : AIR-LAP1242AG-E-K9
Press RETURN to get started!
*Mar 1 00:00:05.608: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
*Mar 1 00:00:06.858: %DOT11-2-VERSION_INVALID: Interface Dot11Radio0, unable to find required radio version 581.18
*Mar 1 00:00:06.858: Interface Dot11Radio0, Accepting as a test version of radio firmware
*Mar 1 00:00:06.878: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
*Mar 1 00:00:07.234: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Mar 1 00:00:08.212: %DOT11-2-VERSION_INVALID: Interface Dot11Radio1, unable to find required radio version 581.18
*Mar 1 00:00:08.212: Interface Dot11Radio1, Accepting as a test version of radio firmware
*Mar 1 00:00:08.232: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1
*Mar 1 00:00:09.278: %SYS-6-LOGGERSTART: Logger process started
*Mar 1 00:00:09.326: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C1240 Software (C1240-K9W8-M), Version 12.3(7)JX8, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Mon 19-Mar-07 01:42 by hqluong
*Mar 1 00:00:09.332: %CDP_PD-4-POWER_OK: Full power - AC_ADAPTOR inline power source
*Mar 1 00:00:09.388: %DOT11-6-FREQ_SCAN: Interface Dot11Radio0, Scanning frequencies for 32 seconds
*Mar 1 00:00:10.271: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
*Mar 1 00:00:10.332: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Mar 1 00:00:10.332: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Mar 1 00:00:11.271: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
*Mar 1 00:00:28.331: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY
*Mar 1 00:00:28.361: %DOT11-6-FREQ_USED: Interface Dot11Radio0, frequency 2462 selected
*Mar 1 00:00:28.362: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
*Mar 1 00:00:28.363: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 1 00:00:28.369: %DOT11-6-FREQ_USED: Interface Dot11Radio1, frequency 5260 selected
*Mar 1 00:00:28.372: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar 1 00:00:28.398: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 1 00:00:28.399: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Mar 1 00:00:28.465: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar 1 00:00:29.398: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar 1 00:00:29.465: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
Translating "CISCO-LWAPP-CONTROLLER.ekahospital.com"...domain server (202.134.0.155)
*Mar 1 00:00:38.351: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned DHCP address 172.31.xxx.xxx, mask 255.255.255.0, hostname AP68ef.bd5f.9a18
*Mar 1 00:00:38.820: %DOT11-6-FREQ_USED: Interface Dot11Radio0, frequency 2417 selected
*Mar 1 00:00:38.827: %DOT11-6-FREQ_USED: Interface Dot11Radio1, frequency 5200 selected (203.130.196.5)
*Mar 1 00:00:49.835: %DOT11-6-FREQ_USED: Interface Dot11Radio0, frequency 2422 selected
*Mar 1 00:00:49.842: %DOT11-6-FREQ_USED: Interface Dot11Radio1, frequency 5220 selected
*Mar 1 00:00:49.851: %LWAPP-5-CHANGED: LWAPP changed state to JOIN
*Mar 1 00:00:49.852: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Mar 1 00:00:49.852: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Mar 1 00:00:50.852: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Mar 1 00:00:50.852: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Sep 18 07:02:25.504: %LWAPP-5-CHANGED: LWAPP changed state to CFG
*Sep 18 07:02:29.288: LWAPP_CLIENT_ERROR: lwapp_name_lookup - Could Not resolve CISCO-LWAPP-CONTROLLER.MYDOMAIN.com
*Sep 18 07:02:30.504: LWAPP_CLIENT_ERROR_DEBUG: spamHandleCfgReqTimer: Did not recieve the Config response
*Sep 18 07:02:30.551: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: DID NOT GET CONFIG RESPONSE.
*Sep 18 07:02:30.551: %LWAPP-5-CHANGED: LWAPP changed state to DOWN
Xmodem file system is available.
flashfs[0]: 9 files, 3 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 15998976
flashfs[0]: Bytes used: 5062144
flashfs[0]: Bytes available: 10936832
flashfs[0]: flashfs fsck took 26 seconds.
Base ethernet MAC Address: 68:ef:bd:5f:9a:18
Initializing ethernet port 0...
Reset ethernet port 0...
Reset done!
After that I checked my WLC, which shows:
AP with Base Radio MAC xx:xx:xx:xx:xx:xx (APxxxx.xxxx.xxxx) is unable to associate.
The regulatory domain configured on it '-e' does not match the controller's country code: USA
I found that the problem is about the region.
question :
1. is it possible to change the region in AIRLAP 1242 or in WLC?
2. if possible how to change it?
INFO :
my first AIR-LAP Product/Model Number: AIR-LAP1242AG-A-K9 and my new AIR-LAP Product/Model Number: AIR-LAP1242AG-E-K9
WLC GUI >> Wireless >> Country >> Select the country.
Regards
Surendra -
Up until now, my experience has been with 5500 controllers and ISE.
My customer is using 4400 controller, on 7.0.240 code.
I cannot locate any documents referencing 4400 controller configuration for webauth, named ACLs, posturing, etc...
Does anyone know of any documents, or have experience that can assist with this configuration?
Michael,
Depending on the version of ISE software you are running, you may be in luck. The information below is for 1.1.x. If you are using v 1.2, you may have to tweak a bit.
In this first document, you can see the WLC 4400 is supported and Local Web Auth is supported, with the following caveat: “Wireless (An ISE Inline Posture node is required if the WLC does not support CoA as discussed in Footnote #4. WLCs with the code specified in this table do support CoA without an ISE Inline Posture node)”
http://www.cisco.com/en/US/docs/security/ise/1.1/compatibility/ise_sdt.html#wp55038
Of course, with an IPN, your posturing (and CoA) is handled there.
DACLs are also supported on the WLC 4400.
Per User ACLs are covered in the following document:
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808b041e.shtml
I think you will find that if you substitute the ACS pages with the corresponding ISE interface pages, this can be done.
Please feel free to ask any additional or follow-up questions.
Also, please let me know if this fixes your issue. If it does, please rate this answer and mark your question as Answered.
Charles Moreton -
Hi ,
I have a WLC 4400 with 1010 APs in my wireless setup.
Everything is working fine, but unfortunately I am coming across one issue: clients are not getting authenticated.
If I see the status of respective client in WLC :
status : Associated
Auth : No
Policy manager : 802.1X REQD
I read about the PEM (Policy Enforcement Module); the client is going through the same procedure, but the policy manager should be in the "RUN" state, and unfortunately it is not.
How do I resolve this issue?
Hi Vinod,
The 802.1X_REQD state would suggest that the client cannot complete L2 authentication.
If possible, it would be helpful to collect the following debugs from the WLC while trying to connect the client:
debug client
debug aaa event enable
Also, please attach the full text output of the command "show run-config" and let us know the WLAN through which the client should be connecting.
Regards,
Fede
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
WLC 4400 and multiple authentication servers e.g. RADIUS, ACS
Can the WLC 4400 be set up to use multiple RADIUS servers? The user accounts for accessing wireless would use a RADIUS server. The administrative accounts for the WLC would reside on an ACS server.
Yes, that is correct. You can set ACS to use both RADIUS and TACACS+.
For this you need to add the WLC twice in ACS --> Network Configuration, but you need to keep the host names different.
eg 1) Host name WLC --->IP x.x.x.x -->Auth using -->radius
2) Host name WLC1--->IP x.x.x.x --->Auth using -->Tacacs.
You need to set up the TACACS+ commands on the WLC along with the RADIUS commands.
Regards,
~JG
Please rate helpful posts -
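As an added example, not configuration from JG's post, here is the controller side of that split on an AireOS WLC: the RADIUS server entry is restricted to network (wireless user) authentication, and management logins are sent to TACACS+ with a local fallback. The ACS address 192.0.2.50 and the shared secrets are placeholders; lines beginning with "#" are annotations, not commands.

```text
# Added example, AireOS WLC CLI: wireless users authenticate via RADIUS,
# controller administrators via TACACS+, both served by one ACS (192.0.2.50,
# assumed). Secrets are placeholders.

# --- RADIUS: wireless user authentication only ---
config radius auth add 1 192.0.2.50 1812 ascii RadiusSecretHere
config radius auth enable 1
# Serve 802.1X / WLAN users from this server ...
config radius auth network 1 enable
# ... but do NOT accept controller logins from it. If "management" stays
# enabled, any account that can join the wireless network is also a valid
# WLC login.
config radius auth management 1 disable

# --- TACACS+: management authentication, authorization and accounting ---
config tacacs auth add 1 192.0.2.50 49 ascii TacacsSecretHere
config tacacs auth enable 1
config tacacs athr add 1 192.0.2.50 49 ascii TacacsSecretHere
config tacacs athr enable 1
config tacacs acct add 1 192.0.2.50 49 ascii TacacsSecretHere
config tacacs acct enable 1

# Management logins: TACACS+ first; the local database is used only when the
# TACACS+ servers do not respond, not when they reject the credentials.
config aaa auth mgmt tacacs local

save config

# Verify: the RADIUS entry should show Management = Disabled, and the
# TACACS+ entries should be enabled for auth, athr and acct.
show radius summary
show tacacs summary
```

The line that carries the security weight is "config radius auth management 1 disable". When a RADIUS server is added to a WLC both the network-user and management flags are normally on, so without that line the wireless user directory doubles as the controller's admin directory; confirm the Management column in "show radius summary" reads Disabled after applying this. Pairing it with "tacacs local" keeps a working admin path if the ACS is down without letting a rejected TACACS+ login fall through to the local password.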
Hi,
I have a WLC 4400 and a WCS 5.2. I'm receiving alarms about flood attacks and deauthentication attacks from a client. These alarms are detected by the IDS system. I'd like to know if there is any way to block this client.
Thanks a lot.
Thanks Sschmidt,
I saw this solution. The problem is that I must create an entry for each client. If there is a client that captures the WPA key and then changes his MAC, I couldn't block him. Is that correct? I don't know how easy it is to capture authentication packets with a WLC.
Thanks -
We have a site with a WLC 4400 and we would like to set up controller failover. The WLC 4400 is EOS/EOL and the replacement available is the WLC 5508. Can someone advise me on how to configure these units in Primary/Secondary mode so that if either of the controllers fails, the other one can take over?
Thanks,
Hi Akil,
You are most welcome
Yes, you can configure 4400s and 5500s in a redundant configuration, but both should be running the same code version. I believe the latest version that is compatible for both is 7.0.220.0; this is the last version that supports the 4400 series.
Here's a note that reflects the support;
Note
Controllers do not have to be of the same model to be a member of a mobility group. Mobility groups can be comprised of any combination of controller platforms.
http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mobil.html
Cheers!
Rob
"Show a little faith, there's magic in the night" - Springsteen -
I have a WLC 4400 running 6.0.196.0 and got a new WLC 2500 with 7.0.220.0. Of the 12 APs on the 4400, only one will register onto the 2500.
Both the 4400 and the 2500 are on the same subnet. How do I let the APs register on the 2500 rather than the 4400?
AP model:
on 4400 now: AIR-AP1242AG-A-K9, AIR-LAP1242AG-A-K9, AIR-LAP1142N-A-K9
on 2500: AIR-LAP1242AG-A-K9
on 4400
(Cisco Controller) >show interface summary
Interface Name   Port  Vlan Id   IP Address   Type     Ap Mgr  Guest
ap-manager       1     untagged  10.10.1.23   Static   Yes     No
management       1     untagged  10.10.1.22   Static   No      No
service-port     N/A   N/A       10.1.1.10    Static   No      No
virtual          N/A   N/A       1.1.1.1      Static   No      No
on 2500
(Cisco Controller) >show interface summary
Interface Name   Port  Vlan Id   IP Address   Type     Ap Mgr  Guest
m2               2     10        10.10.1.92   Dynamic  Yes     No
m3               3     10        10.10.1.93   Dynamic  Yes     No
m4               4     10        10.10.1.94   Dynamic  Yes     No
management       1     10        10.10.1.90   Static   Yes     No
virtual          N/A   N/A       1.1.1.1      Static   No      No -
How to disable Password Recovery in WLC 4400
Hi All,
I need your help to disable password recovery for the WLC 4400, in case the hardware is stolen or hacked by an internal attacker.
Thanks in advanced for your help,
Ahmed
Gee whiz. This is the second post you've made in regards to disabling the password-recovery mechanism. For the WLC, I agree with Nic, it's not possible. And, for the record, there are ways to bypass a disable-password-recovery mechanism. This is mainly to prevent unauthorized use of this mechanism by, for example, a disgruntled network administrator shutting down a network.
-
Hi All
I want to migrate from a WLC 4400 to a WLC 5508. Currently on the WLC 4400 we have 10 APs connected with 5 SSIDs using different authentication methods. On the WLC 5508, if I create the same SSIDs with the same keys, will I need to reconfigure anything on end-user PCs and smart devices?
Is there any tool to migrate the WLC 4400 config to the WLC 5508?
cheers
Vishal
Thanks Scott, some more inquiries:
How do I reboot the AP from the controller? (I see 'Reset AP'; is this option to reboot, or something else?)
How do I disconnect all users connected to a specific SSID from the controller?
Can AP model 3702 work with the WLC 5508, and do we need a specific software version?
cheers
Vishal -
WLC 4400 - Different minor versions same mobility group?
Hi all,
I have 2 WLC 4400s integrated in 3750Gs.
One has 6.0.202 and the other 6.0.188.
They are in different places but now i want to put them in the same mobility group.
Will this difference be a problem?
BR
Anthony
Yes, it will be an issue. You have to remember that the AP gets its firmware from the WLC image. So if an AP has to move from one to the other, it will either upgrade or downgrade each time. Best practice is to keep the firmware the same.
Sent from Cisco Technical Support iPhone App -
WLC 4400 not authenticating between Guest and private networks
Hello,
I have a problem. I have a WLC 4400 and the problem I'm encountering is that when a user authenticates to the private network and then tries to authenticate to the Guest network, it just stays there; it doesn't do anything. Same the other way around: if you authenticate to the Guest network and change to the private network, it just sits there. I'm pointing at authentication as the problem, but I'm not sure if I'm correct.
Can anyone help me? What information will I need to retrieve from the WLC to see where the problem lies?
I will get the debug mac addr <client-MAC-address xx:xx:xx:xx:xx:xx> and repeat the issue in order to see if I get anything from the client.
Thanks for the help
Tony
Thanks for the help.
Actually the problem was that the WLC had the wrong time, and we also had a 24-hour lease on our DHCP, so we were running low on IPs.
We changed the lease to 8 hours and set the time correctly, and the issue got solved.
Thanks. -
WLC 4400 4.2.176.0 Ver and Windows Vista
We recently upgraded our WLC 4400s to 4.2.176.0. This was requested by Cisco. When the students returned from Christmas break, any student running Vista is able to authenticate to the AP and get an appropriate IP address and DNS configuration, but cannot get to any network resources, including the Internet. If we hard-code the DNS information in the wireless card's TCP/IP properties, the user can get to some Internet sites, but no HTTPS pages.
All XP and Mac machines appear to be working fine.
Any thoughts?
The problem is that it's not deauthenticating the user, it's just dropping completely and disabling Windows Zero Configuration in the services. I do not know how or what in the WLC would do this. I really don't think this is anything that I can control. I am guessing that there is an internal conflict on the PC. I have been told that the image used to image the machines has had the manufacturer's wireless client utility removed. I did find a DW utility in the services list. I think that is my problem. I did however go ahead and upgrade them to 5.2.193. All I can do is have the customer monitor and see what happens. Will post an update when I get one.
-
Connecting a WLC 4400 to a 2960 POE Catalyst
I need some help connecting my WLC 4400 to my 2960 Catalyst switch. The gigabit port on the Catalyst switch I am using is connected to port 1 on the WLC 4400. I have the port set to trunking mode but I cannot ping the management interface IP. I also noticed the activity lights on the two interfaces are not lit.
interface GigabitEthernet0/2
switchport mode trunk
Is there something else I need to attribute to this port?
Thanks
Sorry to get back to you so late. Here is what I got.
Wireless#sh ip int brief gi0/2
Interface           IP-Address  OK? Method Status  Protocol
GigabitEthernet0/2  unassigned  YES unset  down    down
Wireless#sh ip int gi0/2
GigabitEthernet0/2 is down, line protocol is down
Inbound access list is not set
It is plugged in. -
WLC 4400 series OID for Current Clients
Can someone advise what the OID is for the number of current clients on the WLC 4400 series appliance?
Thanks.
Based on the results of your walk, I would say it reports all of the instances on that particular controller... and I say this because only one instance is reported. I would think that if you have multiple WLANs on that WLC, you would get multiple instances reported back, so (maybe, like you) I'm confused by the description in the MIB object where it states:
"No of Mobile Stations currently associated with the WLAN."
which to me looks like "the WLAN" is used in the singular.
At this point, I think the best thing to do would be to open a TAC case with all of this info, and we can get with our developers for confirmation.
Hope this has been somewhat helpful, and please rate these posts.
Thanks,
-Joe