WLC 4402-50 with ACS 3.3

Hi,
We want to use ACS to authenticate an ssh or http connection to a WLC 4403-50 4.2.99 using TACACS+. On our ACS 4.2 test server it works fine. Configured identically on an ACS 3.3 appliance we are not able to log in, although we do see a successful login in the Passed Authentications report within ACS.
Is there an incompatibility between the WLC 4402-50 and ACS 3.3?
thanks
Bob

The Cisco Secure Access Control Server (ACS) provides authentication, authorization, and accounting (AAA) services for users of the wireless network.
It is also possible to employ an N+1 controller strategy: each WLC is configured with a designated backup WLC that stays unused until a failure occurs, at which point all APs using the failed controller switch to the backup WLC. This cost-effective approach provides a high level of availability in the event of a single WLC failure.

Similar Messages

  • WLC 7.4 with ACS 4.1

    Hi All
    Has anyone any experience of using a Cisco 5508 controller (code version 7.4.100.0) with an ACS appliance running version 4.1 or 4.2?
    I've found that the ACS constantly reports a 'Bad request from NAS' (Invalid message authenticator in EAP request) message. This usually indicates a mismatched shared secret but this isn't the case.
    The controller works fine opposite a Microsoft NPS Radius Server.
    Regards
    Roger

    By default the NAS-ID on the WLAN is the hostname of the WLC.  If that is changed and the WLC was rebooted, then the NAS-ID that will be seen by the radius is that under the WLAN.  The Radius server Overwrite interface will change the NAS-ID to the dynamic interface and not the management interface.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • WLC Lobby Admin with ACS 5.1

    Hello,
    Just wondering if someone knew how to configure a LobbyAdmin account for WLC 7.0 on a 5.1 ACS?  I'm very new to ACS 5.1 and need to advise as to how to configure it.
    I've got the ACS policy working that allows me to login to the WLC using a user account with full rights, but the Lobby admin account can login with full rights as well.  I've tried setting the custom attributes in the shell profiles with role0-mandatory-LobbyAmbassador, task0-Mandatory-Configure Guest User and task1-Mandatory-Lobby Ambassador User Preferences but it still doesn't work.

    The debug for the Lobby account shows a space in the role,
    *tplusTransportThread: Jan 24 14:40:10.751: arg[0] = [33][role1=                      LOBBY]
    If I use a working account there is no space,
    *tplusTransportThread: Jan 24 14:39:08.151: arg[0] = [9][role1=ALL]
    I've checked the shell profile and don't see any spaces.
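A practical way to check both this post's whitespace problem and the symptom in the opening question (ACS records a passed authentication, yet the WLC refuses the login) is to look at what the WLC actually received. The following added example (editor's code, not from the thread or from Cisco) parses the `debug aaa tacacs` argument lines quoted above, verifies the length prefix against the attribute text, flags values padded with whitespace, and reports when no role attribute arrived at all; the known-role set and the last two sample lines are assumptions.

```python
import re
from typing import NamedTuple

# One WLC "debug aaa tacacs" argument dump line, e.g.
#   *tplusTransportThread: Jan 24 14:40:10.751: arg[0] = [33][role1=   LOBBY]
# The first bracket is the byte length the WLC saw, the second is the attribute.
ARG_LINE = re.compile(
    r"arg\[(?P<idx>\d+)\]\s*=\s*\[(?P<length>\d+)\]\[(?P<body>.*)\]\s*$"
)

# Role values that appear in this thread. A controller knows more roles than
# these two, so treat this set as an assumption used only for the sanity check.
KNOWN_ROLES = {"ALL", "LOBBY"}

# Constructed sample: the two lines quoted in the post (the LOBBY line rebuilt
# with exactly 22 spaces so its declared length of 33 holds), plus two
# constructed lines: one with a wrong length prefix and one non-attribute line.
SAMPLE_DEBUG = [
    "*tplusTransportThread: Jan 24 14:39:08.151: arg[0] = [9][role1=ALL]",
    "*tplusTransportThread: Jan 24 14:40:10.751: arg[0] = [33][role1="
    + " " * 22 + "LOBBY]",
    "*tplusTransportThread: Jan 24 14:40:10.752: arg[1] = [12][role2=LOBBY]",
    "*tplusTransportThread: Jan 24 14:40:10.753: (constructed non-attribute line)",
]


class TacacsArg(NamedTuple):
    index: int
    declared_length: int
    name: str
    value: str
    problems: tuple


def parse_arg_line(line: str):
    """Parse one arg[N] = [len][name=value] line; None if it is not one."""
    m = ARG_LINE.search(line)
    if m is None:
        return None
    body = m.group("body")
    declared = int(m.group("length"))
    name, sep, value = body.partition("=")
    problems = []
    if not sep:
        problems.append("attribute is not of the form name=value")
    if len(body) != declared:
        # The WLC counted a different number of bytes than we can see: the
        # attribute was altered or truncated somewhere between ACS and the debug.
        problems.append(f"declared length {declared} != actual {len(body)}")
    if value != value.strip():
        # Exactly the Lobby admin symptom: the value is padded, so the WLC
        # compares "      LOBBY" against its role table and finds nothing.
        problems.append(
            "value has leading or trailing whitespace (check the ACS shell profile attribute)"
        )
    if name.startswith("role") and value.strip() not in KNOWN_ROLES:
        problems.append(f"role value {value.strip()!r} is not in the known role set")
    return TacacsArg(int(m.group("idx")), declared, name, value, tuple(problems))


def audit_debug(lines):
    """Return a list of human-readable problems found in a debug capture."""
    problems = []
    saw_role = False
    for line in lines:
        arg = parse_arg_line(line)
        if arg is None:
            continue
        if arg.name.startswith("role"):
            saw_role = True
        for p in arg.problems:
            problems.append(f"arg[{arg.index}] {arg.name}: {p}")
    if not saw_role:
        # Authentication can succeed on the server while authorization returns
        # no role; that is one explanation for "passed authentication, login refused".
        problems.append(
            "no role attribute in the authorization reply; the WLC has no role to grant"
        )
    return problems


if __name__ == "__main__":
    for finding in audit_debug(SAMPLE_DEBUG):
        print(finding)
```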

  • Wlc 4402 fine tuning

    Hello,
    In one of our buildings we have a wlc 4402 controller with 50 1130 APs.
    This setup is mainly used for VOIP Wireless with a 7921 phone.
    I need advice on how I can fine tune the APs to obtain the very maximum coverage for the 7921 phone.
    thanks

    Are there no tweaks I can do to obtain better coverage?
    I can do some trade-off on wifi signal since the setup is used only for the one 7921 telephone.
    thanks again

  • Wlc 4402 errors when trying to join ap

    Hello,
    I have a wlc 4402 controller with software version 6.0.199.4.
    Now I have problems adding 1131 APs to my controller.
    In the past I added 15 access points (without problems) but
    now it doesn't seem to work anymore.
    Here's what I got from the controller when trying to join:
    *Nov 11 12:24:37.739: %LWAPP-3-RADIUS_ERR: spam_radius.c:138 Could not send join reply, AP authorization failed; AP:00:13:c4:93:c1:58
    Here's what I got on the AP (console cable on my pc when booting):
    %LWAPP-3-CLIENTERRORLOG: LWAPP Crypto Init (SSC): no certs in the SSC Private File
    Got an idea on this?
    thanks for help

    Was the AP in automatic mode before? Did you copy the LWAPP recovery image to the AP using tftp?
    All APs manufactured before 2005 or 2006 do not have a MIC (manufacturer installed certificate) installed. You need to use the LWAPP conversion tool to convert the AP to LWAPP/CAPWAP, so that the conversion tool will install an SSC (Self Signed Certificate) to encrypt the LWAPP/CAPWAP control traffic:
    http://www.cisco.com/en/US/docs/wireless/access_point/conversion/lwapp/upgrade/guide/lwapnote.html
    As the LWAPP discovery image is already there, you need to convert the AP back to autonomous mode and use the LWAPP conversion tool to convert the AP:
    http://www.cisco.com/en/US/docs/wireless/access_point/12.3_8_JA/configuration/guide/s38trb.html#wp1058472
    I hope that the mode button is not disabled on the AP. If it is, I hope that the break key is not disabled. If both the mode button and break key are disabled, you need to RMA the AP.

  • Dynamic VLAN assignment issue with ACS & WLC

    I have configured an ACS (v4.2) & a WLC 4402 (5.2.193.0) according to the document listed at: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    When I attempt to authenticate a user in the ACS local user database, I receive an auth failure.  I have enabled debugging in the WLC's CLI and I see that I get an authentication failure from the ACS.  Upon reviewing the ACS's 'failed attempts' log, I see the username I attempt to authenticate with but it reports 'CN user unknown' even though this user is in the local database.
    During troubleshooting, I discovered that if I modify the AAA client for the WLC and change it to 'Cisco Aironet' rather than 'Cisco Airespace', authentication works perfectly, the proper user is authenticated to the local database and I am able to connect to the SSID.  The only issue is that because I'm now using Aironet instead of Airespace, the IETF attributes 064, 065, and 081 (VLAN, 802, and the VLAN ID respectively) do not properly assign the VLAN that the user needs to be on.
    Am I missing something?

    I determined that a NAP was blocking my authentication using Airespace and can successfully authenticate with both Aironet and Airespace now.  I also reviewed the debug output of both types of connections and I can see the proper attributes coming through, but the wireless clients just won't assign to the right VLAN interface.
    I've reviewed all of the configuration settings per the document about 40 or 50 times now and I am certain I'm not missing anything.  I do indeed have override enabled but the configured interface 'management' is still the one the user is assigned to every time, even in the client connection details under the monitor tab.  ARGH!!

  • Help on Nokia E61i associating with Cisco WLC 4402

    I met some problems associating Nokia's dual mode mobile phone E61i with a Cisco WLC 4402, hope someone can help me on it:
    I setup a VOICE WLAN in 4402(v5.0.148), Layer2 security is WPA1+WPA2, Key management using 802.1x, WPA1 policy enable both TKIP and AES, Radius server using ACS engine(v4.1.1.23)(enable PEAP-MSCHAPv2);
    I can use my laptop to join this WLAN (my laptop configured with PEAP/MSCHAPv2, WPA-TKIP, not validate server certificate), but can't let the E61i join it; each time it will remind me “unable to connect, WPA authenticate failed”.
    In E61i, I select WPA/WPA2 as WLAN security mode, enable EAP-PEAP, under EAP-PEAP, I enable EAP-MSCHAPv2; however under Cipher, there's a lot of options such as “RSA,3DES,SHA”, “RSA,AES,SHA”, but there's no TKIP. I have tried to enable all of them and tried only enabling those items which include AES, but I failed each time with the same reminder “unable to connect, WPA authenticate failed”. I checked ACS's failed log, there's no record; in 4402, there is also no record.
    If I change the security to open or static WEP for VOICE WLAN, then the E61i can connect to the WLAN.
    I think the problem may be related to encryption or certificate; right now I just do the test in lab, not in customer's real environment, so I use ACS to generate a self signed certificate and installed it in ACS.
    Pls. help to point me what I need to adjust to make it work. Thanks!

    Hello,
    CCKM Key Management mode on Nokia E61i phone can be used
    against Cisco LWAPP APs with TKIP encryption.
    Nokia E61i (and other E-series WLAN enabled phones) support the CCKM key management method with both dynamic WEP and TKIP ciphers.
    On the phone configuration, 802.1X security mode needs to be in use in order to enable CCKM support. WPA/WPA2 security mode on the phone is dedicated to standards based WPA and WPA2 methods and it does not allow usage of the proprietary CCKM key management method.
    The phone's 802.1X security mode does not mean that the phone would only support the dynamic WEP encryption method in this mode, although in some contexts the term "802.1X" may be attached to pure dynamic WEP (legacy / pre-WPA era) security methods.
    802.1X security mode can be seen on Nokia E-series phones as sort of an "everything with EAP based authentication is allowed" mode, meaning that the following key management and cipher configurations are supported:
    - WPA-Enterprise  = WPA Key Management (EAP based authentication) with TKIP encryption
    - WPA2-Enterprise = WPA2 Key Management (EAP based authentication) with AES encryption
    - Mixed WPA/WPA2-Enterprise = I.e. WPA/WPA2 Mode Migration WPA2 Key Management (EAP based authentication) with AES (for unicast data) and TKIP (for multicast data) ciphers
    - 802.1X dynamic WEP = legacy (pre-WPA era) 802.1X based dynamic WEP (EAP based authentication with dynamic WEP encryption)
    Supported:
    - CCKM with WEP = CCKM Key Management (EAP based authentication) with dynamic WEP encryption
    - CCKM with TKIP = CCKM Key Management (EAP based authentication) with TKIP encryption
    Not supported:
    - CCKM with AES = CCKM Key Management (EAP based authentication) with AES encryption
    Please note that CCKM-AES mode (CCKM Key Management with AES cipher) is not working properly due to some incompatibilities between Cisco and Nokia implementations, thus it must not be listed as a supported combination on the current Nokia E-series devices. We are also seeing CCKM Fast Re-authentication failures with Cisco autonomous APs when AES encryption is used, although initial authentication to autonomous APs is successful. Nokia is currently working with Cisco to get CCKM-AES based authentications and roaming working properly with both LWAPP and autonomous Cisco APs.
    Also note that Nokia E-Series does not support the Cisco proprietary CKIP/CMIC encryption/data integrity methods. CKIP/CMIC is supported at least by Cisco autonomous APs and it seems to be available also at least on LWAPP AP version 4.1.171.0.
    CCKM on E-Series devices has been tested against Cisco LWAPP (ver. 4.1.171.0) and it works when TKIP encryption is in use (WPA Policy + TKIP encryption in Cisco LWAPP configuration terms).
    In practice this means Cisco LWAPP is configured in the following manner: WLAN -> Edit -> Security ->
    Layer 2 Security = WPA+WPA2
    WPA+WPA2 Parameters:
    -WPA Policy = enabled
    -WPA Encryption = TKIP enabled, AES disabled
    -WPA2 policy = disabled
    -Auth.Key Mgmt = CCKM
    Br,
    -Pasi-

  • Cisco AIR-LAP1041N-E-K9 not working with WLC 4402 version 7.0.116.0

    Hi All,
    Appreciate your support for a problem I started facing today. I have a Cisco WLC 4402 running version 7.0.116.0 and it is working great with 25 Cisco 1252 APs. We received 20 new Cisco 1041N APs today and I installed one in our site but it doesn't work. It worked fine and loaded the image from flash and got the WLC IP address through DHCP option and started showing the below error:
    *Mar  1 00:00:10.021: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
    *Mar  1 00:00:10.033: *** CRASH_LOG = YES
    *Mar  1 00:00:10.333: Port 1 is not presentSecurity Core found.
    Base Ethernet MAC address: C8:9C:1D:53:57:5E
    *Mar  1 00:00:11.373: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
    *Mar  1 00:00:11.465: %LWAPP-3-CLIENTEVENTLOG: Read and initialized AP event log (contains, 1088 messages)
    *Mar  1 00:00:11.494:  status of voice_diag_test from WLC is false
    *Mar  1 00:00:12.526: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to up
    *Mar  1 00:00:13.594: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
    *Mar  1 00:00:13.647: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, C1040 Software (C1140-K9W8-M), Version 12.4(23c)JA2, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Wed 13-Apr-11 12:50 by prod_rel_team
    *Mar  1 00:00:13.647: %SNMP-5-COLDSTART: SNMP agent on host APc89c.1d53.575e is undergoing a cold start
    *Mar  1 00:08:59.062: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Mar  1 00:08:59.062: bsnInitRcbSlot: slot 1 has NO radio
    *Mar  1 00:08:59.138: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Mar  1 00:08:59.837: %SSH-5-ENABLED: SSH 2.0 has been enabled
    *Mar  1 00:09:00.145: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Mar  1 00:09:09.136: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 172.16.26.81, mask 255.255.255.0, hostname APc89c.1d53.575e
    *Mar  1 00:09:17.912: %PARSER-4-BADCFG: Unexpected end of configuration file.
    *Mar  1 00:09:17.912:  status of voice_diag_test from WLC is false
    *Mar  1 00:09:17.984: Logging LWAPP message to 255.255.255.255.
    *Mar  1 00:09:19.865: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
    *Mar  1 00:09:19.886: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar  1 00:09:20.873: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Mar  1 00:09:20.874: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated
    Translating "CISCO-CAPWAP-CONTROLLER.atheertele.com"...domain server (172.16.40.240)
    *Mar  1 00:09:29.029: %CAPWAP-5-DHCP_OPTION_43: Controller address 172.16.100.102 obtained through DHCP
    *May 25 08:27:02.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:02.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:03.175: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:03.177: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:03.177: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:03.329: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:03.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:03.333: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:03.333: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:03.378: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:03.378: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:03.378: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:03.448:  status of voice_diag_test from WLC is false
    *May 25 08:27:14.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:14.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:15.185: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:15.186: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:15.186: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:15.330: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:15.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:15.334: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:15.334: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:15.379: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:15.379: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:15.379: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:15.450:  status of voice_diag_test from WLC is false
    *May 25 08:27:26.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:26.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:27.182: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:27.183: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:27.184: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:27.329: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:27.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:27.333: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:27.333: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:27.377: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:27.377: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:27.377: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:27.433: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *May 25 08:27:27.446: %PARSER-4-BADCFG: Unexpected end of configuration file.
    *May 25 08:27:27.447:  status of voice_diag_test from WLC is false
    *May 25 08:27:27.448: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *May 25 08:27:27.456: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *May 25 08:27:38.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:38.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:39.183: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:39.184: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:39.184: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:39.326: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:39.329: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:39.329: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:39.330: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:39.375: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:39.375: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:39.375: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:39.446:  status of voice_diag_test from WLC is false
    *May 25 08:27:49.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:49.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:50.179: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:50.180: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:50.180: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:50.323: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:50.326: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:50.326: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:50.326: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:50.370: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:50.370: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:50.370: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:50.425: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *May 25 08:27:50.438: %PARSER-4-BADCFG: Unexpected end of configuration file.
    I searched for the regulatory domain difference between AIR-LAP1041N-E-K9 and AIR-LAP1041N-A-K9 and didn't find any difference that may affect the operation of this AP.
    Just to mention that our configuration in WLC for regulatory domains is:
    Configured Country Code(s)  AR
    Regulatory Domain           802.11a:  -A
                                802.11bg: -A
    My question is, should I only include my country (IQ) in the WLC to add the regulatory domain (-E) to solve this problem? Or will changing the country affect the operation of all working APs??
    Appreciate your kind support,
    Wisam Q.
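To see the pattern in a log like the one above without reading every cycle by hand, here is an added example (editor's code, not Cisco's and not from this thread) that walks the CAPWAP and DTLS messages, counts join attempts, records the state the AP was in when the controller sent its close notify, and compares the option 43 address with the controller actually joined. The sample input is a subset of the lines quoted in the post.

```python
import re
from collections import Counter

# Patterns for the AP console messages quoted in the post.
STATE_RE = re.compile(r"%CAPWAP-5-CHANGED: CAPWAP changed state to\s*(?P<state>\w*)\s*$")
JOIN_RE = re.compile(r"%CAPWAP-5-SENDJOIN: sending Join Request to (?P<peer>[\d.]+)")
CLOSE_RE = re.compile(r"%DTLS-5-ALERT: Received WARNING : Close notify alert from (?P<peer>[\d.]+)")
OPT43_RE = re.compile(r"%CAPWAP-5-DHCP_OPTION_43: Controller address (?P<peer>[\d.]+)")

# Sample input: the option 43 line and two of the join cycles from the post, verbatim.
SAMPLE_LOG = """\
*Mar  1 00:09:29.029: %CAPWAP-5-DHCP_OPTION_43: Controller address 172.16.100.102 obtained through DHCP
*May 25 08:27:02.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
*May 25 08:27:02.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*May 25 08:27:03.175: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
*May 25 08:27:03.177: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
*May 25 08:27:03.177: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*May 25 08:27:03.329: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*May 25 08:27:03.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
*May 25 08:27:03.333: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
*May 25 08:27:03.378: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*May 25 08:27:14.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
*May 25 08:27:15.186: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
*May 25 08:27:15.186: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*May 25 08:27:15.330: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*May 25 08:27:15.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
*May 25 08:27:15.379: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
""".splitlines()


def analyse_join_log(lines):
    """Summarise how far each join attempt got and who the AP talked to."""
    state = "UNKNOWN"
    attempts = 0
    closed_in = Counter()      # CAPWAP state the AP was in when the peer closed DTLS
    join_targets = set()       # controllers the AP sent Join Requests to
    option43 = set()           # controllers DHCP option 43 pointed the AP at
    for line in lines:
        m = OPT43_RE.search(line)
        if m:
            option43.add(m.group("peer"))
            continue
        m = JOIN_RE.search(line)
        if m:
            attempts += 1
            join_targets.add(m.group("peer"))
            continue
        m = STATE_RE.search(line)
        if m:
            # The quoted log prints one transition with no state name; keep it
            # as "(unnamed)" rather than guessing what the AP meant.
            state = m.group("state") or "(unnamed)"
            continue
        m = CLOSE_RE.search(line)
        if m:
            closed_in[state] += 1
    return {
        "attempts": attempts,
        "closed_in": dict(closed_in),
        "join_targets": sorted(join_targets),
        "option43": sorted(option43),
    }


def verdict(summary):
    """Turn the summary into the observations a troubleshooter wants first."""
    notes = []
    closes_in_cfg = summary["closed_in"].get("CFG", 0)
    if summary["attempts"] >= 2 and closes_in_cfg == summary["attempts"]:
        notes.append(
            "join loop: every Join Request reaches CFG and the controller then closes DTLS. "
            "The DTLS handshake and the join itself succeed, so look at why the controller "
            "rejects the AP during configuration (this thread discusses country/regulatory "
            "domain and whether the controller release supports the AP model)"
        )
    elif summary["closed_in"]:
        notes.append(f"controller closed DTLS while the AP was in state(s) {sorted(summary['closed_in'])}")
    if summary["join_targets"] and set(summary["join_targets"]) != set(summary["option43"]):
        notes.append(
            f"AP joined {summary['join_targets']} although option 43 pointed it at "
            f"{summary['option43']}; confirm the joined controller is the one you configured"
        )
    return notes


if __name__ == "__main__":
    for note in verdict(analyse_join_log(SAMPLE_LOG)):
        print(note)
```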

    Hi Ramon,
    thank you for the reply but as shown in the below link:
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7.0.html#wp233793
    the WLC in version 7.0.116.0 supports Cisco 1040 series APs.
    Thanks,
    Wisam Q.

  • Link Problem with port 2 in WLC 4402

    Hi,
    I have a problem with port 2 in Wireless Lan Controller 4402. The problem is that distribution port 2 of the WLC does not link with the switch (3750). We received the WLC and followed the autostart wizard and enabled LAG. The wizard finished, I restarted the system and all worked fine. The two distribution ports of the WLC, 1 and 2, appeared UP and the LAG worked correctly. After this we upgraded the firmware of the WLC to the version AIR-WLC4400-k9-6-0-182-0.aes and restarted the system again, but this time port 2 does not link and port 1 links OK. We do not know the reason why port 2 doesn't link. Could you help me?
    Thanks in advance.
    Regards.

    Does it properly refuse authentication? Or does the login page stop appearing or something?
    There was a bug with the webauth dying under heavy load, regardless of number of identical accounts used.
    One good way for you to check would be, when problem occurs, to create a second backup guest user and see if that would start working. If it doesn't, the account is not the problem.
    I'm not aware of any maximum of usage of the same account.
    Which 4.2 exactly are you running?

  • WLC 4402 + ACS 5.4 + AD: is it possible to use separate ip dhcp pools according to AD user group?

    Hello, we are using WLC with ACS and it is working well.
    We have AD group WiFi_access, and all users from this group are able to authenticate when connecting to the corporate wifi network.
    How could we make, for example, two AD groups: WiFi_access and WiFi_VIP, where users from the first group get 10.7.0.0/24 addresses and 10.8.0.0/24 from the second? Or it could be 10.7.0.0-100 and 10.7.0.100-200, it doesn't matter.
    The main goal is: different AD groups of users must have different privileges, and this is controlled via ACL on their default gateway switch.

    You can use the "aaa-override" feature to do that. In that case, once a user gets connected, if he belongs to the "WIFI_VIP" group, ACS can override the user VLAN to a different one (10.8.0.0/24) from the one they initially associated to.
    You can get an idea about the concept from the below post
    http://mrncciew.com/2013/05/21/aaa-override-in-acs5-2/
    HTH
    Rasika
    *** Pls rate all useful responses ***

  • SNMP traps with WLC 4402

    Currently using WLC 4402 with about a dozen WAPs. I would like to start logging some messages to troubleshoot some association issues. The syslog does not seem adequate for the issues I am having. I noticed the default SNMP traps but it only holds 255 traps. I have tried to set up an SNMP server to get the traps but I get no data, only OID values. I was successful in getting the MIBs for the OIDs but still not all the data that I see on the brief traps screen.

    Hi,
    I have tried it with solarwinds and works fine for me. Talking about the traps. But they are too many.
    The OID is : 1.3.6.1.4.1.14179.1.1.2.4.1.22
    snmp info for polling:
    MIB Value Type: Raw Value
    Format: None
    SNMP Get Type: Get Table
    Polling Type: node
    On the WLC go to Management (top TAB).
    Right hand select > SNMP > Traps Control.
    In this menu select which traps need to be logged.
    These traps will be shown on the OID polled.

  • Create a point to point link with a wlc 4402

    Hi to all,
    I have a wlc 4402 and I need to configure a point to point link with two air-lap1310g-e-k9. I have found this link on cisco.com:
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808e9c1b.shtml#zero
    but on the wlc configuration page I cannot find some of the configuration steps.
    Has someone configured this type of behaviour or can give me some hints?!
    How can I configure on the wlc the parameters for the bridge configuration?! Or must I configure the bridges overriding the global configuration?!
    Thanks and best regards,
    Carlo Sagratella.

    The correct thing to do would be to downgrade the 1310's to autonomous (or 1242's) and set up a root bridge and non-root bridge.
    Alternately however, if you REALLY wanted one of the points to be LWAPP, in theory you could always make one of the Access Points Autonomous and join it as a workgroup bridge to the LWAPP AP. However, there really is no reason to do that since it would be cleaner to convert both to autonomous.

  • WLC 4402 with Ap 1131Ag Urgent

    Hi,
    I'm trying this for the first time and have gone through the document during the installation.
    I have configured the WLC 4402 as below
    (Cisco Controller) >show interface summary
    Interface Name   Port  Vlan Id   IP Address     Type
    ap manager       1     2         52.234.57.132  Dynamic
    management       1     untagged  52.234.57.8    Static
    service-port     N/A   N/A       192.168.1.1    Static
    virtual          N/A   N/A       1.1.1.1        Static
    (Cisco Controller) >show interface detailed management
    Interface Name................................... management
    MAC Address...................................... 00:21:a0:38:69:80
    IP Address....................................... 52.234.57.8
    IP Netmask....................................... 255.255.255.128
    IP Gateway....................................... 52.234.57.3
    VLAN............................................. untagged
    Active Physical Port............................. 1
    Primary Physical Port............................ 1
    Backup Physical Port............................. Unconfigured
    Primary DHCP Server.............................. 52.225.1.2
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    ACL.............................................. Unconfigured
    But after connecting my APs I'm getting an error...
    *Mar 1 00:18:48.839: LWAPP_CLIENT_ERROR: lwapp_name_lookup - Could Not resolve CISCO-LWAPP-CONTROLLER.hyderabad2.XXXX.com
    Translating "CISCO-LWAPP-CONTROLLER.hyderabad2.XXXX.com"...domain server (52.224.13.1) (52.225.1.2)...
    Can you please help me to solve this.

    Hi,
    Can you tell me what will be the best way to configure my WLAN setup.
    Our set up is
    1. 2 Cores switch 4506 with HSRP 52.234.57.3/25 (MNGMT VLAN 1)
    2. 52.234.57.128/26 (For WLANusers VLAN 2)
    3. C 3750 PWR in Access 52.234.58.0/24 USER1 (VLAN4)
    4. C 3750 PWR in Access 52.234.59.0/24 USER2 (VLAN5)
    Our DNS and DHCP server sit in HO with IP addresses 52.225.1.2 and 52.234.15.12.
    I have done the basic WLC configuration,
    and when I connected the LAP in my access layer I found the error of NOT being able to resolve with the DNS server, i.e. CISCO-LWAPP-CONTROLLER.hyderabad2.XXXXX.com.
    I'm getting this error when trying both L2 and L3 setup.
    We are using C4402 WLC and 1131 AG LAP.
    Please advise how to overcome this.
    Thanks in advance...
    Vj

  • WLC can't communicate with ACS.

    Hello,
    I have a new ACS 1120 with 5.0.0.21 software. The purpose of the ACS is to authenticate Wireless users based on an ACS defined external identity source, LDAP. The following configs are made:
    - LDAP is configured as an external identity source on ACS.
    - WLC is configured on ACS as AAA client.
    - WLC is configured to use ACS RADIUS server (10.140.19.20) and WLANs are configured for [WPA2][Auth(802.1X)] AAA authentication.
    But for some reason AAA requests from the WLC can not reach the ACS. Both devices are connected to the same 6506 switch, there is no firewall in between. There is no fail/success RADIUS log on ACS.  This is the log from the WLC. PLEASE HELP!!!
    4  Sat Jun 23 05:41:03 2012  RADIUS server 10.140.19.20:1813 deactivated in global list
    5  Sat Jun 23 05:41:03 2012  RADIUS server 10.140.19.20:1813 failed to respond to request (ID 70) for client 00:22:fa:1d:3a:ae / user 'unknown'
    6  Sat Jun 23 05:40:40 2012  RADIUS server 10.140.19.20:1813 deactivated in global list
    7  Sat Jun 23 05:40:40 2012  RADIUS server 10.140.19.20:1813 failed to respond to request (ID 69) for client 00:16:ea:c9:2d:dc / user 'unknown'
    8  Sat Jun 23 05:40:40 2012  RADIUS server 10.140.19.20:1813 deactivated in global list
    9  Sat Jun 23 05:40:40 2012  RADIUS server 10.140.19.20:1813 failed to respond to request (ID 68) for client 00:16:ea:c9:2d:dc / user 'unknown'

    Yes, you won't see any hits on ACS for PEAP authentication failure. Also, you should have a valid contract with Cisco before you download the latest images.
    If you would like to test, you may download the evaluation version of ACS 5.3 along with the trial license file.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/installation/guide/csacs_vmware.html#wp1069919
    Regards,
    Jatin
    Do rate helpful posts-

  • WLC 4402 Web Authentication, Mac Filtering and Layer 2 Security

    Hi All,
    I have configured web authentication and MAC filtering on WLC 4402 for my wireless network and it's working fine. I want to configure layer 2 security for the same Wireless network without a pre-shared key. Could you please advise how to configure layer 2 security with web authentication without a pre-shared key.
    Is there any security issue with web authentication and MAC filtering only? My concern is that my wireless network shows as open.
    Thanks,
    Kashif

    Hi,
    if you have an ACS, then you can do Web auth Splash page!!! Please refer to the below doc!!
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080956185.shtml
    Let me know if this answered your question!!
    Regards
    Surendra
