WLC 4402 + ACS 5.4 + AD: is it possible to use separate ip dhcp pools according to AD user group?

Hello, we are using WLC with ACS and it is working well.
We have AD group WiFi_access, and all users from these group are able to athunticate during connecting to corporate wifi network.
How we could make, for example, two AD groups: WiFi_access and WiFi_VIP and users from first group get 10.7.0.0/24 adressess and 10.8.0.0/24 from the second? or it could be 10.7.0.0-100 and 10.7.0.100-200 it doesn't matter.
the main goal is: different AD groups of users must have different privileges and these is controling via ACL on their default gateway switch.

You can use "aaa-override" feature to do that. In that case once user get connected & if he is belong to "WIFI_VIP" group ACS can override the user vlan to a different one (10.8.0.0/24) what they initially associate to.
You can get an idea about the concept from the below post
http://mrncciew.com/2013/05/21/aaa-override-in-acs5-2/
HTH
Rasika
*** Pls rate all useful responses ***

Similar Messages

WLC 4402 Update 7.0.253.3: all 17 APs use channel 1

Since the update of our WLC 4402 to v 7.0.253.3 all 17 accesspoints are using channel 1 !!
Has anyone an idea to solve this channel-fixing?
Thx
Markus

Thanks Scott,
your were right: Channel Assignment Method of RRM was turned OFF since the update of the firmware! I have now changed the setting to AUTOMATIC and now, the APs are again using different channels :-)
THX
Markus

WLC 4402-50 with ACS 3.3

Hi,
We want to use ACS to authenticate an ssh or http connection to a WLC 4403-50 4.2.99 using TACACS+. On our ACS 4.2 test server it works fine. Configured identically on an ACS 3.3 appliance we are not able to log in although we do see a successful login in the Passed Authentications report withing ACS.
Is there an incompatability between the WLC 4402-50 with ACS 3.3?
thanks
Bob

The Cisco Secure Access Control Server (ACS) provides authentication, authorization, and accounting (AAA) services for users of the wireless network.
It is also possible to employ a WLC controller strategy that uses an N+1 approach. When using N+1 architecture, each WLC is configured with a WLC that is designated as a backup WLC in the event of a failure. This controller is not used until there is a failure event upon which all APs using the failed controller switch to the backup WLC. This cost-effective approach provides a high level of availability in the event of a single WLC failure scenario.

Hellp on Nokia E61i associating with Cisco WLC 4402

I met some problem with associate Nokia's dual mode mobile phone E61i with Cisco WLC 4402, hope someone can help me on it:
I setup a VOICE WLAN in 4402(v5.0.148), Layer2 security is WPA1+WPA2, Key management using 802.1x, WPA1 policy enable both TKIP and AES, Radius server using ACS engine(v4.1.1.23)(enable PEAP-MSCHAPv2);
I can use my laptop to join this WLAN(my laptop configure with PEAP/MSCHAPv2, WPA-TKIP, not validate server certificate), but can't let E61i join it, each time it will remind me âunable to connect, WPA authenticate failed).
In E61i, I select WPA/WPA2 as WLAN security mode, enable EAP-PEAP, under EAP-PEAP, I enable EAP-MSCHAPv2; however under Cipher, there's a lot of options such as âRSA,3EDS,SHAâ, âRSA,AES,SHAâ, but there's no TKIP, I have tried to enable all of them and tried only enable those items which include AES, but I failed each time with the same reminder âunable to connect, WPA authenticate failedâ. I checked ACS's failed log, there's no record; In 4402, there also have no record.
If I change the security to open or static WEP for VOICE WLAN, then the E61i can connect to the WLAN.
I think the problem maybe relate to encryption or certificate, right now I just do the test in lab, not in customer's real environment, so I use ACS to generate a self signed certificate and installed it in ACS.
Pls. help to point me what I need to adjust to make it work. Thanks!

Hello,
CCKM Key Management mode on Nokia E61i phone can be used
against Cisco LWAPP AP's with TKIP encryption
Nokia E61i (and other E-series WLAN enabled phones) are supporting CCKM key management method with both dynamic WEP and TKIP ciphers.
On the phone configuration, 802.1X security mode needs to be in use in order to enable CCKM support.Â WPA/WPA2 security mode on the phone is dedicated to standards basedÂ WPA and WPA2 methods and it does not allow usage of proprietary CCKM key management method.
Phone's 802.1X security mode does not mean that phone would only support dynamic WEP encryption method in this mode although in contexts term "802.1X" may be attached to pure dynamic WEP (legacy / pre WPA era)security methods.
Â 802.1X security mode can be seen on Nokia Eseries phones as sort of an "everything with EAP based authentication is allowed" mode, meaning that following key management and cipher configurations are supported:
- WPA-EnterpriseÂ = WPA Key Management (EAP based authentication) with TKIP encryption
- WPA2-EnterpriseÂ = WPA2 Key Management (EAP based authentication) with AES encryption
- Mixed WPA/WPA2-Enterprise = I.e. WPA/WPA2 Mode Migration WPA2 Key Management (EAP based authentication) with AES (for unicast data) and TKIP (for multicast data) ciphers
- 802.1X dynamic WEP = legacy (pre-WPA era) 802.1XÂ based dynamic WEP (EAP based authentication with dynamic WEP encryption)
Supported:
- CCKM with WEP = CCKM Key Management (EAP based authentication) with dynamic WEP encryption
- CCKM with TKIP = CCKM Key Management (EAP based authentication) with TKIP encryption
Not supported:
- CCKM with AES = CCKM Key Management (EAP based authentication) with AES encryption
Please note that CCKM-AES mode (CCKM Key Management with AES cipher) is not working properly due to some incompatibilities between Cisco and Nokia implementations thus it must not be listed as a supported combination on the current Nokia E-series devices. We are also seeing CCKM-Fast
Re-authentication failures with Cisco autonomous AP's when AES encryption is used althoughÂ initial authentication to autonomous AP's is successful.Â Nokia is currently working with Cisco to get CCKM-AES based authentications and roaming working properly with both LWAPP and autonomous Cisco AP's.
Â Also note that Nokia E-SeriesÂ does not support Cisco proprietary CKIP/CMIC encryption/data integrity methods. CKIP/CMIC is supported at least by Cisco autonomous AP's and it seems to be available also
at least on LWAPP AP version 4.1.171.0.
Â CCKM on E-Series devices has been tested against Cisco LWAPP (ver. 4.1.171.0) and it works when TKIP encryption is in use (WPA Policy + TKIP encryption in Cisco LWAPP configuration terms).
In practice this means Cisco LWAPP is configured in a following manner: WLAN -> Edit -> Security->Â
Layer 2 Security = WPA+WPA2
WPA+WPA2 Parameters:
-WPA Policy = enabled
-WPA Encryption = TKIP enabled, AES disabled
-WPA2 policy = disabled
-Auth.Key Mgmt = CCKM
Br,
-Pasi-

WLC 4402 Web Authentication, Mac Filtering and Layer 2 Seciruty

Hi All,
I have configured web authentication and Mac filtering on WLC 4402 for my wireless network and its working fine. I wants to configure layer 2 security for the same Wireless network without pre shared key. Could you please advice how to configure layer 2 security with web authentication withour preshare key.
Is there any security issue with web authentication and Mac FIltering only? My concern in my wireless network shows open.
Thanks,
Kashif

Hi,
if you have a ACS, then you can do Web auth Splash page!!! Please refer to the below doc!!
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080956185.shtml
Lemme know if this answered ur question!!
Regards
Surendra

Cisco AIR-LAP1041N-E-K9 not working with WLC 4402 version 7.0.116.0

Hi All,
appreciate your support for a problem i started facing today. i have a Cisco WLC 4402 running version 7.0.116.0 and it is working great with 25 Cisco 1252 APs. we have recieved a new 20 Cisco 1041N APs today and i installed one in our site but it doesn't work. it worked fine and loaded the image from flash and got the WLC ip address through DHCP option and started showing the below error:
*Mar 1 00:00:10.021: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
*Mar 1 00:00:10.033: *** CRASH_LOG = YES
*Mar 1 00:00:10.333: Port 1 is not presentSecurity Core found.
Base Ethernet MAC address: C8:9C:1D:53:57:5E
*Mar 1 00:00:11.373: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
*Mar 1 00:00:11.465: %LWAPP-3-CLIENTEVENTLOG: Read and initialized AP event log (contains, 1088 messages)
*Mar 1 00:00:11.494: status of voice_diag_test from WLC is false
*Mar 1 00:00:12.526: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:13.594: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:13.647: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C1040 Software (C1140-K9W8-M), Version 12.4(23c)JA2, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Wed 13-Apr-11 12:50 by prod_rel_team
*Mar 1 00:00:13.647: %SNMP-5-COLDSTART: SNMP agent on host APc89c.1d53.575e is undergoing a cold start
*Mar 1 00:08:59.062: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Mar 1 00:08:59.062: bsnInitRcbSlot: slot 1 has NO radio
*Mar 1 00:08:59.138: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 1 00:08:59.837: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Mar 1 00:09:00.145: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Mar 1 00:09:09.136: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 172.16.26.81, mask 255.255.255.0, hostname APc89c.1d53.575e
*Mar 1 00:09:17.912: %PARSER-4-BADCFG: Unexpected end of configuration file.
*Mar 1 00:09:17.912: status of voice_diag_test from WLC is false
*Mar 1 00:09:17.984: Logging LWAPP message to 255.255.255.255.
*Mar 1 00:09:19.865: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Mar 1 00:09:19.886: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 1 00:09:20.873: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar 1 00:09:20.874: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated
Translating "CISCO-CAPWAP-CONTROLLER.atheertele.com"...domain server (172.16.40.240)
*Mar 1 00:09:29.029: %CAPWAP-5-DHCP_OPTION_43: Controller address 172.16.100.102 obtained through DHCP
*May 25 08:27:02.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
*May 25 08:27:02.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*May 25 08:27:03.175: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
*May 25 08:27:03.177: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
*May 25 08:27:03.177: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*May 25 08:27:03.329: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*May 25 08:27:03.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
*May 25 08:27:03.333: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
*May 25 08:27:03.333: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
*May 25 08:27:03.378: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*May 25 08:27:03.378: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*May 25 08:27:03.378: bsnInitRcbSlot: slot 1 has NO radio
*May 25 08:27:03.448: status of voice_diag_test from WLC is false
*May 25 08:27:14.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
*May 25 08:27:14.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*May 25 08:27:15.185: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
*May 25 08:27:15.186: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
*May 25 08:27:15.186: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*May 25 08:27:15.330: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*May 25 08:27:15.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
*May 25 08:27:15.334: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
*May 25 08:27:15.334: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
*May 25 08:27:15.379: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*May 25 08:27:15.379: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*May 25 08:27:15.379: bsnInitRcbSlot: slot 1 has NO radio
*May 25 08:27:15.450: status of voice_diag_test from WLC is false
*May 25 08:27:26.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
*May 25 08:27:26.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*May 25 08:27:27.182: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
*May 25 08:27:27.183: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
*May 25 08:27:27.184: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*May 25 08:27:27.329: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*May 25 08:27:27.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
*May 25 08:27:27.333: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
*May 25 08:27:27.333: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
*May 25 08:27:27.377: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*May 25 08:27:27.377: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*May 25 08:27:27.377: bsnInitRcbSlot: slot 1 has NO radio
*May 25 08:27:27.433: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*May 25 08:27:27.446: %PARSER-4-BADCFG: Unexpected end of configuration file.
*May 25 08:27:27.447: status of voice_diag_test from WLC is false
*May 25 08:27:27.448: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*May 25 08:27:27.456: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*May 25 08:27:38.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
*May 25 08:27:38.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*May 25 08:27:39.183: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
*May 25 08:27:39.184: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
*May 25 08:27:39.184: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*May 25 08:27:39.326: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*May 25 08:27:39.329: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
*May 25 08:27:39.329: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
*May 25 08:27:39.330: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
*May 25 08:27:39.375: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*May 25 08:27:39.375: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*May 25 08:27:39.375: bsnInitRcbSlot: slot 1 has NO radio
*May 25 08:27:39.446: status of voice_diag_test from WLC is false
*May 25 08:27:49.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
*May 25 08:27:49.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*May 25 08:27:50.179: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
*May 25 08:27:50.180: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
*May 25 08:27:50.180: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*May 25 08:27:50.323: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*May 25 08:27:50.326: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
*May 25 08:27:50.326: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
*May 25 08:27:50.326: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
*May 25 08:27:50.370: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*May 25 08:27:50.370: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*May 25 08:27:50.370: bsnInitRcbSlot: slot 1 has NO radio
*May 25 08:27:50.425: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*May 25 08:27:50.438: %PARSER-4-BADCFG: Unexpected end of configuration file.
i searched for the regulatory domains difference between AIR-LAP1041N-E-K9 and AIR-LAP1041N-A-K9 and didn't find any difference that may affect the operation of this AP.
just to mention that our configuration in WLC for regulatory domains is:
Configured Country Code(s) AR
Regulatory Domain 802.11a: -A
802.11bg: -A
My question is, should i only include my country in the WLC (IQ) to add the requlatry domain (-E) to solve this problem? or changing the country will affect the operation of all working APs??
Appreciate your kind support,
Wisam Q.

Hi Ramon,
thank you for the reply but as shown in the below link:
http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7.0.html#wp233793
the WLC in version 7.0.116.0 supports Cisco 1040 seiries APs.
Thanks,
Wisam Q.

WLC 4402 Multiple clients can connect to AP but only one gets an IP

I have a 4402 which is connected to a 4506 Switch int Gig 3/1 via a trunk port. The Managment and AP-manger interfaces are on vlan 6
interface GigabitEthernet3/1
description Trunk Port to WLC
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2-6
switchport mode trunk
end
I have a 1142N AP also connected to the switch and it pulls a DHCP IP Address and configs etc and registers to the WLC. It too is on Vlan 6 and it is connected to the 4506 on int gig 4/33 which is an access port.
interface GigabitEthernet4/33
description Access port to Cisco LAP 1142
switchport access vlan 6
switchport mode access
end
My router is my dhcp server;
ip dhcp pool wlanmantraffic
   network 10.6.0.0 255.255.255.0
   default-router 10.6.0.1
   dns-server 66.109.38.250 10.7.0.8
   option 43 hex f104.3130.2e36.2e30.2e33
interface FastEthernet0/1.6
description Vlan6
encapsulation dot1Q 6
ip address 10.6.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
I am doing local authentication, so i have added users to the WLC
My problem is that the first client that connected was able to get an IP address and connect to anything internal and external.
I then connected another client on another laptop and that client could connect but not get an IP address, it just self assigned.
When i look at the clients i can see the MAC address of both Clients on the WLC, but doing a show mac address-table dynamic i only see the MAC of the client that works properly. The client that doesnt get an IP has no entry in the 4506 switch.
I am stumped, from what I understand, is that the 2nd clients traffic is being trunked to the WLC , hence it has the MAC address. But I dont know why its not getting a DHCP assigned IP address.
Thanks in advance for your help.

Here is some of the WLC config,
(Cisco Controller) >show run-config
Press Enter to continue...
System Inventory
NAME: "Chassis"    , DESCR: "4400 Series WLAN Controller:25 APs"
PID: AIR-WLC4402-25-K9, VID: V02, SN: FOCblankedbyme
Burned-in MAC Address............................ 00:07:0E:55:FA:C0
Crypto Accelerator 1............................. Absent
Crypto Accelerator 2............................. Absent
Power Supply 1................................... Absent
Power Supply 2................................... Present, OK
Maximum number of APs supported.................. 25
Press Enter to continue or to abort
System Information
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.235.3
RTOS Version..................................... 7.0.235.3
Bootloader Version............................... 7.0.235.3
Emergency Image Version.......................... 7.0.235.3
Build Type....................................... DATA + WPS
System Name...................................... CISCO-LWAPP-CONTROLLER
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.14179.1.1.4.3
IP Address....................................... 10.6.0.3
System Up Time................................... 0 days 21 hrs 7 mins 20 secs
System Timezone Location......................... (GMT -5:00) Eastern Time (US a
nd Canada)
Configured Country............................... US - United States
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +36 C
--More or (q)uit current module or to abort
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 1
Number of Active Clients......................... 3
Burned-in MAC Address............................ 00:07:0E:55:FA:C0
Crypto Accelerator 1............................. Absent
Crypto Accelerator 2............................. Absent
Power Supply 1................................... Absent
Power Supply 2................................... Present, OK
Maximum number of APs supported.................. 25
Press Enter to continue or to abort
AP Bundle Information
Primary AP Image        Size
ap3g1                   6672
ap801                   5180
ap802                   5220
c1100                   3092
c1130                   4960
c1140                   4980
c1200                   3360
c1240                   4800
c1250                   5500
c1310                   3132
c1520                   6400
c3201                   4312
c602i                   3712
Secondary AP Image      Size
ap801                   4952
c1100                   3040
--More or (q)uit current module or to abort
c1130                   4880
c1140                   4492
c1200                   3312
c1240                   4712
c1250                   5060
c1310                   3080
c1520                   5240
c3201                   4260
Press Enter to continue or to abort
Switch Configuration
802.3x Flow Control Mode......................... Disable
FIPS prerequisite features....................... Disabled
secret obfuscation............................... Enabled
Strong Password Check Features:
         case-check ...........Enabled
         consecutive-check ....Enabled
         default-check .......Enabled
         username-check ......Enabled
Press Enter to continue or to abort
Network Information
RF-Network Name............................. RFMobile
Web Mode.................................... Disable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Enable
OCSP........................................ Disabled
OCSP responder URL..........................
Secure Shell (ssh).......................... Enable
Telnet...................................... Disable
Ethernet Multicast Forwarding............... Disable
Ethernet Broadcast Forwarding............... Disable
AP Multicast/Broadcast Mode................. Unicast
IGMP snooping............................... Disabled
IGMP timeout................................ 60 seconds
IGMP Query Interval......................... 20 seconds
User Idle Timeout........................... 300 seconds
ARP Idle Timeout............................ 300 seconds
Cisco AP Default Master..................... Enabled
AP Join Priority............................ Disable
Mgmt Via Wireless Interface................. Disable
Mgmt Via Dynamic Interface.................. Disable
--More or (q)uit current module or to abort
Bridge MAC filter Config.................... Enable
Bridge Security Mode........................ EAP
Mesh Full Sector DFS........................ Enable
Apple Talk ................................. Disable
AP Fallback ................................ Enable
Web Auth Redirect Ports .................... 80
Web Auth Proxy Redirect ................... Disable
Fast SSID Change ........................... Disabled
802.3 Bridging ............................. Disable
IP/MAC Addr Binding Check .................. Enabled
Press Enter to continue or to abort
Port Summary
           STP   Admin   Physical   Physical   Link   Link    Mcast
Pr Type   Stat   Mode     Mode      Status   Status Trap   Appliance   POE
1 Normal Forw Enable Auto       1000 Full Up     Enable Enable     N/A
2 Normal Forw Enable Auto       1000 Full Up     Enable Enable     N/A
Press Enter to continue or to abort
AP Summary
Number of APs.................................... 1
Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured
AP Name             Slots AP Model              Ethernet MAC       Location
      Port Country Priority
NOSC-N-B1917-AP01    2     AIR-LAP1142N-A-K9     00:22:bd:1b:34:5a         Route
23B 1        US       1
AP Tcp-Mss-Adjust Info
AP Name              TCP State MSS Size
NOSC-N-B1917-AP01    disabled   -
Press Enter to continue or to abort
AP Location
Total Number of AP Groups........................ 0
Site Name........................................ default-group
Site Description.................................
WLAN ID          Interface          Network Admission Control          Radio Pol
icy
1               management           Disabled                          None
AP Name             Slots AP Model             Ethernet MAC       Location
     Port Country Priority
NOSC-N-B1917-AP01    2     AIR-LAP1142N-A-K9    00:22:bd:1b:34:5a         Route
23B 1     US       1
Press Enter to continue or to abort
AP Config
Cisco AP Identifier.............................. 6
Cisco AP Name.................................... NOSC-N-B1917-AP01
Country code..................................... US - United States
Regulatory Domain allowed by Country............. 802.11bg:-A     802.11a:-A
AP Country code.................................. US - United States
AP Regulatory Domain............................. -A
Switch Port Number .............................. 1
MAC Address...................................... 00:22:bd:1b:34:5a
IP Address Configuration......................... DHCP
IP Address....................................... 10.6.0.26
Gateway IP Addr.................................. 10.6.0.1
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Enabled
Ssh State........................................ Enabled
Cisco AP Location................................ Route 23B
Cisco AP Group Name.............................. default-group
Primary Cisco Switch Name........................
Primary Cisco Switch IP Address.................. Not Configured
Secondary Cisco Switch Name......................
Secondary Cisco Switch IP Address................ Not Configured
--More or (q)uit current module or to abort... Not Configured
Tertiary Cisco Switch Name.......................
Tertiary Cisco Switch IP Address................. Not Configured
Administrative State ............................ ADMIN_ENABLED
Operation State ................................. REGISTERED
Mirroring Mode .................................. Disabled
AP Mode ......................................... H-Reap
Public Safety ................................... Disabled
AP SubMode ...................................... Not Configured
Remote AP Debug ................................. Disabled
Logging trap severity level ..................... informational
Logging syslog facility ......................... kern
S/W Version .................................... 7.0.235.3
Boot Version ................................... 12.4.18.0
Mini IOS Version ................................ 3.0.51.0
Stats Reporting Period .......................... 180
LED State........................................ Enabled
PoE Pre-Standard Switch.......................... Disabled
PoE Power Injector MAC Addr...................... Disabled
Power Type/Mode.................................. Power injector / Normal mode
Number Of Slots.................................. 2
AP Model......................................... AIR-LAP1142N-A-K9
AP Image......................................... C1140-K9W8-M
IOS Version...................................... 12.4(23c)JA6
--More or (q)uit current module or to abort
Reset Button..................................... Enabled
AP Serial Number................................. FTX1337SA7D
AP Certificate Type.............................. Manufacture Installed
H-REAP Vlan mode :............................... Enabled
        Native ID :..................................... 6
H-REAP Backup Auth Radius Servers :
Static Primary Radius Server.................... Disabled
Static Secondary Radius Server.................. Disabled
Group Primary Radius Server..................... Disabled
Group Secondary Radius Server................... Disabled
AP User Mode..................................... CUSTOMIZED
AP User Name..................................... danielott
AP Dot1x User Mode............................... CUSTOMIZED
AP Dot1x User Name............................... danielott
Cisco AP system logging host..................... 255.255.255.255
AP Up Time....................................... 0 days, 19 h 22 m 53 s
AP LWAPP Up Time................................. 0 days, 01 h 08 m 46 s
Join Date and Time............................... Mon Nov 5 16:17:51 2012
Join Taken Time.................................. 0 days, 00 h 00 m 12 s
Attributes for Slot 0
    Radio Type................................... RADIO_TYPE_80211n-2.4
--More or (q)uit current module or to abort
    Administrative State ........................ ADMIN_ENABLED
    Operation State ............................. UP
    Radio Role .................................. ACCESS
    CellId ...................................... 0
    Station Configuration
      Configuration ............................. AUTOMATIC
      Number Of WLANs ........................... 1
      Medium Occupancy Limit .................... 100
      CFP Period ................................ 4
      CFP MaxDuration ........................... 60
      BSSID ..................................... 00:27:0d:07:cb:e0
      Operation Rate Set
        1000 Kilo Bits........................... MANDATORY
        2000 Kilo Bits........................... MANDATORY
        5500 Kilo Bits........................... MANDATORY
        11000 Kilo Bits.......................... MANDATORY
        6000 Kilo Bits........................... SUPPORTED
        9000 Kilo Bits........................... SUPPORTED
        12000 Kilo Bits.......................... SUPPORTED
        18000 Kilo Bits.......................... SUPPORTED
        24000 Kilo Bits.......................... SUPPORTED
        36000 Kilo Bits.......................... SUPPORTED
--More or (q)uit current module or to abort
        48000 Kilo Bits.......................... SUPPORTED
        54000 Kilo Bits.......................... SUPPORTED
      MCS Set
        MCS 0.................................... SUPPORTED
        MCS 1.................................... SUPPORTED
        MCS 2.................................... SUPPORTED
        MCS 3.................................... SUPPORTED
        MCS 4.................................... SUPPORTED
        MCS 5.................................... SUPPORTED
        MCS 6.................................... SUPPORTED
        MCS 7.................................... SUPPORTED
        MCS 8.................................... SUPPORTED
        MCS 9.................................... SUPPORTED
        MCS 10................................... SUPPORTED
        MCS 11................................... SUPPORTED
        MCS 12................................... SUPPORTED
        MCS 13................................... SUPPORTED
        MCS 14................................... SUPPORTED
        MCS 15................................... SUPPORTED
      Beacon Period ............................. 100
      Fragmentation Threshold ................... 2346
      Multi Domain Capability Implemented ....... TRUE
      Multi Domain Capability Enabled ........... TRUE
      Country String ............................ US
    Multi Domain Capability
      Configuration ............................. AUTOMATIC
      First Chan Num ............................ 1
      Number Of Channels ........................ 11
    MAC Operation Parameters
      Configuration ............................. AUTOMATIC
      Fragmentation Threshold ................... 2346
      Packet Retry Limit ........................ 64
    Tx Power
      Num Of Supported Power Levels ............. 8
      Tx Power Level 1 .......................... 20 dBm
      Tx Power Level 2 .......................... 17 dBm
      Tx Power Level 3 .......................... 14 dBm
      Tx Power Level 4 .......................... 11 dBm
      Tx Power Level 5 .......................... 8 dBm
      Tx Power Level 6 .......................... 5 dBm
      Tx Power Level 7 .......................... 2 dBm
      Tx Power Level 8 .......................... -1 dBm
      Tx Power Configuration .................... AUTOMATIC
--More or (q)uit current module or to abort
      Current Tx Power Level .................... 1
    Phy OFDM parameters
      Configuration ............................. AUTOMATIC
      Current Channel ........................... 1
      Extension Channel ......................... NONE
      Channel Width.............................. 20 Mhz
      Allowed Channel List....................... 1,2,3,4,5,6,7,8,9,10,11
      TI Threshold .............................. -50
      Legacy Tx Beamforming Configuration ....... AUTOMATIC
      Legacy Tx Beamforming ..................... DISABLED
      Antenna Type............................... INTERNAL_ANTENNA
      Internal Antenna Gain (in .5 dBi units).... 8
      Diversity.................................. DIVERSITY_ENABLED
      802.11n Antennas
         A....................................... ENABLED
         B....................................... ENABLED
         C....................................... ENABLED
    Performance Profile Parameters
      Configuration ............................. AUTOMATIC
      Interference threshold..................... 10 %
      Noise threshold............................ -70 dBm
--More or (q)uit current module or to abort
      RF utilization threshold................... 80 %
      Data-rate threshold........................ 1000000 bps
      Client threshold........................... 12 clients
      Coverage SNR threshold..................... 12 dB
      Coverage exception level................... 25 %
      Client minimum exception level............. 3 clients
    Rogue Containment Information
    Containment Count............................ 0
    CleanAir Management Information
        CleanAir Capable......................... No
Cisco AP Identifier.............................. 6
Cisco AP Name.................................... NOSC-N-B1917-AP01
Country code..................................... US - United States
Regulatory Domain allowed by Country............. 802.11bg:-A     802.11a:-A
AP Country code.................................. US - United States
AP Regulatory Domain............................. -A
Switch Port Number .............................. 1
MAC Address...................................... 00:22:bd:1b:34:5a
IP Address Configuration......................... DHCP
IP Address....................................... 10.6.0.26
Gateway IP Addr.................................. 10.6.0.1
--More or (q)uit current module or to abort
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Enabled
Ssh State........................................ Enabled
Cisco AP Location................................ Route 23B
Cisco AP Group Name.............................. default-group
Primary Cisco Switch Name........................
Primary Cisco Switch IP Address...............Secondary Cisco Switch Name.......
Secondary Cisco Switch IP Address................ Not Configured
Tertiary Cisco Switch Name.......................
Tertiary Cisco Switch IP Address................. Not Configured
Administrative State ............................ ADMIN_ENABLED
Operation State ................................. REGISTERED
Mirroring Mode .................................. Disabled
AP Mode ......................................... H-Reap
Public Safety ................................... Disabled
AP SubMode ...................................... Not Configured
Remote AP Debug ................................. Disabled
Logging trap severity level ..................... informational
Logging syslog facility ......................... kern
S/W Version .................................... 7.0.235.3
Boot Version ................................... 12.4.18.0
Mini IOS Version ................................ 3.0.51.0
--More or (q)uit current module or to abort
Stats Reporting Period .......................... 180
LED State........................................ Enabled
PoE Pre-Standard Switch.......................... Disabled
PoE Power Injector MAC Addr...................... Disabled
Power Type/Mode.................................. Power injector / Normal mode
Number Of Slots.................................. 2
AP Model......................................... AIR-LAP1142N-A-K9
AP Image......................................... C1140-K9W8-M
IOS Version...................................... 12.4(23c)JA6
Reset Button..................................... Enabled
AP Serial Number................................. FTX1337SA7D
AP Certificate Type.............................. Manufacture Installed
H-REAP Vlan mode :............................... Enabled
        Native ID :..................................... 6
H-REAP Backup Auth Radius Servers :
Static Primary Radius Server.................... Disabled
Static Secondary Radius Server.................. Disabled
Group Primary Radius Server..................... Disabled
Group Secondary Radius Server................... Disabled
AP User Mode..................................... CUSTOMIZED
AP User Name..................................... danielott
AP Dot1x User Mode............................... CUSTOMIZED
AP Dot1x User Name............................... danielott
--More or (q)uit current module or to abort
Cisco AP system logging host..................... 255.255.255.255
AP Up Time....................................... 0 days, 19 h 22 m 53 s
AP LWAPP Up Time................................. 0 days, 01 h 08 m 46 s
Join Date and Time............................... Mon Nov 5 16:17:51 2012
Join Taken Time.................................. 0 days, 00 h 00 m 12 s
Attributes for Slot 1
    Radio Type................................... RADIO_TYPE_80211n-5
    Radio Subband................................ RADIO_SUBBAND_ALL
    Administrative State ........................ ADMIN_ENABLED
    Operation State ............................. UP
    Radio Role .................................. ACCESS
    CellId ...................................... 0
    Station Configuration
      Configuration ............................. AUTOMATIC
      Number Of WLANs ........................... 1
      Medium Occupancy Limit .................... 100
      CFP Period ................................ 4
      CFP MaxDuration ........................... 60
      BSSID ..................................... 00:27:0d:07:cb:e0
      Operation Rate Set
--More or (q)uit current module or to abort
        6000 Kilo Bits........................... MANDATORY
        9000 Kilo Bits........................... SUPPORTED
        12000 Kilo Bits.......................... MANDATORY
        18000 Kilo Bits.......................... SUPPORTED
        24000 Kilo Bits.......................... MANDATORY
        36000 Kilo Bits.......................... SUPPORTED
        48000 Kilo Bits.......................... SUPPORTED
        54000 Kilo Bits.......................... SUPPORTED
      MCS Set
        MCS 0.................................... SUPPORTED
        MCS 1.................................... SUPPORTED
        MCS 2.................................... SUPPORTED
        MCS 3.................................... SUPPORTED
        MCS 4.................................... SUPPORTED
        MCS 5.................................... SUPPORTED
        MCS 6.................................... SUPPORTED
        MCS 7.................................... SUPPORTED
        MCS 8.................................... SUPPORTED
        MCS 9.................................... SUPPORTED
        MCS 10................................... SUPPORTED
        MCS 11................................... SUPPORTED
        MCS 12................................... SUPPORTED
        MCS 13................................... SUPPORTED
--More or (q)uit current module or to abort
        MCS 14................................... SUPPORTED
        MCS 15................................... SUPPORTED
      Beacon Period ............................. 100
      Fragmentation Threshold ................... 2346
      Multi Domain Capability Implemented ....... TRUE
      Multi Domain Capability Enabled ........... TRUE
      Country String ............................ US
    Multi Domain Capability
      Configuration ............................. AUTOMATIC
      First Chan Num ............................ 36
      Number Of Channels ........................ 21
    MAC Operation Parameters
      Configuration ............................. AUTOMATIC
      Fragmentation Threshold ................... 2346
      Packet Retry Limit ........................ 64
    Tx Power
      Num Of Supported Power Levels ............. 7
      Tx Power Level 1 .......................... 17 dBm
      Tx Power Level 2 .......................... 14 dBm
      Tx Power Level 3 .......................... 11 dBm
--More or (q)uit current module or to abort
      Tx Power Level 4 .......................... 8 dBm
      Tx Power Level 5 .......................... 5 dBm
      Tx Power Level 6 .......................... 2 dBm
      Tx Power Level 7 .......................... -1 dBm
      Tx Power Configuration .................... AUTOMATIC
      Current Tx Power Level .................... 1
    Phy OFDM parameters
      Configuration ............................. AUTOMATIC
      Current Channel ........................... 161
      Extension Channel ......................... NONE
      Channel Width.............................. 20 Mhz
      Allowed Channel List....................... 36,40,44,48,52,56,60,64,100,
        ......................................... 104,108,112,116,132,136,140,
        ......................................... 149,153,157,161,165
      TI Threshold .............................. -50
      Legacy Tx Beamforming Configuration ....... AUTOMATIC
      Legacy Tx Beamforming ..................... DISABLED
      Antenna Type............................... INTERNAL_ANTENNA
      Internal Antenna Gain (in .5 dBi units).... 8
      Diversity.................................. DIVERSITY_ENABLED
      802.11n Antennas
         A....................................... ENABLED
--More or (q)uit current module or to abort
         B....................................... ENABLED
         C....................................... ENABLED
    Performance Profile Parameters
      Configuration ............................. AUTOMATIC
      Interference threshold..................... 10 %
      Noise threshold............................ -70 dBm
      RF utilization threshold................... 80 %
      Data-rate threshold........................ 1000000 bps
      Client threshold........................... 12 clients
      Coverage SNR threshold..................... 16 dB
      Coverage exception level................... 25 %
      Client minimum exception level............. 3 clients
    Rogue Containment Information
    Containment Count............................ 0
    CleanAir Management Information
        CleanAir Capable......................... No

WLC 4402 username and password expires automatically

Hi,
We are facing issue with Cisco WLC 4402 (Cisco AireOS Version 4.2.205.0) and username and password expired automatically. It happens very often. We are not able to retreive the password, so everytime we need to reset(factory default) the Cisco WLC4402 and doing fresh installation.
Whether it is the hardware issue or software bug.
Also is there any possibility of recover the username and [password with resetting the cisco wlc4402.
Kindly suggest on this issue.
Regards
S.Manikandan

Hmmm.. Strange!! are we using any TACACS to manage?? or just the management username and password??
I guess after 5.2 WLC code or so we have the option of resetting the password without losing the config!!
Regards
Surendra

WLC-4402+AIR-LAP1142N problem

Hello all,
I've got a following problem with bringing up simple wireless configuration. There is a WLC-4402 controller and several remote locations (I am testing one so far). Two WLAN configured (one for employee and the other for guest access - no mobility anchoring used, guest is just mapper to VLAN restricted on the firewall). WLC serves DHCP pools for wireless clients. Problem I am experiencing at the moment is that user with laptop is able to connect to guest WLAN, got an IP but can communicate (ping) only its own IP, the controller IP in guest subnet and default gateway (which is the firewall interface). Traffic to any other destinations never hit gateway (I am running tcpdump on it to confirm). I double checked controller config but no luck so far. Could that be caused by missconfigured tunnel? No ACL or restriction set on WLC - see attached config.
Thank you in advance,
Peter

Is this an open network or have you enabled layer 3 security? Web Auth? I can see you have created a lobby admin account so expect that you use this for guest account creation with web auth..
When you associate/receieve IP address to the open guest network have you then opened a web browser and authenticated? Until you enter your login details created on the WLC I would imagine that you wouldn't be able to send any data.
If you have authenticated already, can you check on the WLC that the client is associated/authenticated and is the Corp network ok? Also what is the topology between the WLC/Firewall/Remote sites.
Cheers
Mat

WLC 4402 + 4 1130AP's.

Has anyone setup a WLC 4402 and few 1130AP's on their network? Here's the scenario we have VLAN's setup on our network. We want to be able an employee can connect to the internal network and public connect to a DSL Internet. I got the internal employee access the internal network but I couldn't get the DSL users connect to the Internet. Internal network uses DHCP server and DSL users uses Linksys DHCP server. Can someone point me to the right setup/config on 1130AP's to connect to DSL using WLC 4402?

Make sure you can get the VLAN to the internet before you setup the WLAN. 1st off I would test the VLAN that you have setup to go to DSL on a switcport on your core switch and work the DHCP issues out there and then work on the WLAN. can you ping your DSL router intface from your switch. If you can my guess is that the IP helper address is not set right.
You will then need to point the WLAN to VLAN you setup for the DSL.

WLC 4402 7.0.220.0 compatability.

hello friends,
Could you please let me know if Windows 8 laptops machine are conpatible with the WLC IOS Version 7.0.220.0.
My client has WLC 4402 Version 7.0.220.0.
The message that appears is AAA authentication failed.
Your help will be highly appreciated.
Warm Regards
Nelson Mathias

You need 7.0.235.3 as a minimum. Here is a reference guide.
https://supportforums.cisco.com/docs/DOC-27213
Sent from Cisco Technical Support iPhone App

Wireless controller ha between wlc5508 and wlc 4402

We have 2 wlc: a wlc 5508 ( license 100 AP ) and wlc 4402 ( license 12AP).
We try to setup when 5508 down, 12 identify AP (important AP -Group A) will join 4402 and all other AP (not improtan AP -Group B)
wont joint wlc 4402.
First, all AP join wlc 5508, 2 WLC have same mobility group.
After that, we config 12 APs belongto group A have primary and secondary wlc, group B only has primary wlc.
When wlc 5508 down, some of APs of GroupA and some of APs of GroupB join wlc 4402. We test many times and we have differnet result each times.
is theare any way to resolve our problem?
Thanks.

Just to add, make sure that the WLC is running the same code, if not, then make sure the ap is supported on the code that is running on the 5508. The issue with mixed code is the ap will upgrade and downgrade very time they switch to a different WLC.
http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html
Sent from Cisco Technical Support iPhone App

Upgrading from WLC 4402-50 to WLC 5508-250

I am planning to upgrade my WLC 4402-50 (HA) to WLC 5508-250 (HA). I also have some really old 1020 Access points that I will be replacing with 1142's. Once I have completed the upgrade to the 5508s, I will repurpose the 4402's as Mobile Anchor controllers to support Guest Wireless.
Does anyone have any actual experience with this sort of upgrade? Any practical suggestions or ideas??
Thanks,

Hi,
Are you still facing this issue? if yes try checking the link if that helps
http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a008064a991.shtml
thanks,
Vinay

Windows XP Home on WLC 4402

Hi,
I have a WLC 4402 Wireless LAN Controller with multiple 1231 AP on LWAPP. WLAN has security setting on WPA+WPA2 with PSK share key. All computers in domain are fine, wireless connections are steady. I have a group of students use Netbook on Windows XP Home SP3 got connection and drop situation. Event ID on XP has continuous 4201 and 4202 cases, and on WLC log I have also continuous log as
*Apr 19 10:35:44.046: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:407 Max EAPOL-key M1 retransmissions exceeded for client 00:26:5e:eb:fd:0a
I understand XP Home has no certificate from Domain environment therefore I didn't setup any AAA server service. How can this problem be resolved? Keep trying on security combination, but no luck. Please Help. Thanks.
Attachment is WLC configuration file without encryption.

Hi, Kayle
Thanks for quick reply. Its not ASUS EeePC but ASUS s10e. The wireless LAN device is Broadcom 802.11g. I check with Lenono System Update, no newer driver available. Thanks.

Bonjour / iChat working across wlc 4402

I have a L3 switched LAN (Cat4510 at the core with 3560 to the edge), and a WLC 4402 [s/w 4.0.217.0] providing wireless access. There is a multitude a PC's and MACs that sit on the wired and wireless network.
I currently am having issues getting a Apple tool called Bonjour working across the wireless network.
I have done some reading and from what I can gather it uses mdns (which uses udp 5353 / 5354). I have enabled Multicast Routing on the Cat4510 and enabled on the WLC 4402 Ethernet Multicast Mode with a group address of 224.0.0.1, however still cannot get Bonjour clients talking.
Admittedly the blogs I have read and Tech pages on Apple do not give up anymore info than this. Has anyone had experience or come across this before?

Found something interesting on this.
Apparently, apples do not like multicast using IANA Administratively Scoped Block range of 239.0.0.0-239.255.255.255.
I was using 239.0.1.100 and nothing was connecting, I then changed it to 235.0.0.1 and all is well.
Go figure.
ref: http://www.cisco.com/en/US/tech/tk828/technologies_white_paper09186a00802d4643.shtml#wp1011111

WLC 4402 + ACS 5.4 + AD: is it possible to use separate ip dhcp pools according to AD user group?

Similar Messages

Maybe you are looking for