WLC 5500 and ISE
Hello,
I am going to deploy Cisco ISE with WLC 5500. I have two kinds of users: one for which I want to deploy just an open-access Wi-Fi network, without Cisco ISE, and a second group of users for which I want to deploy Cisco ISE services like advanced authentication, posture and profiling. For both groups I have just one WLC. Is there any problem with just deploying two SSIDs, one for open access (without Cisco ISE) and a second, secure one with Cisco ISE?
Thank you for helping.
I have read your proposed document, but didn't understand details beside SNMP probes.
The reason I don't want to enable ISE authentication/profiling and posture for guests is that I don't have enough licenses for all guests. I am planning to create a separate SSID for guests which will have just open "authentication" without any key or ISE. In this case, why would ISE profile guest users? It isn't even associated with this WLAN profile.
Similar Messages
-
CWA with WLC Firmware 7.0.228 and ISE 1.1.1
Hi,
Does Cisco ISE central web authentication work on WLC version 7.0.228?
My customer has many access points which only support firmware code 7.0.228.
Cisco ISE version 1.1.1
WLC 5500 Series, but the existing access points cannot support 7.3.
Thanks,
Pongsatorn Maneesud
Tarik is correct, you need 7.2.x and later to use CWA with ISE. Here is a general summary of features supported with ISE on the 7.0 and 7.2 versions of code:

Scenario                   WLC 7.0            WLC 7.2
802.1X Auth                Yes                Yes
802.1X + Posture           Yes                Yes
802.1X + Profiling         Yes                Yes
Web Auth + Posture         No *               Yes
Web Auth + Profiling       Inventory only *   Yes
Central Web Auth (CWA)     No *               Yes
Local Web Auth (LWA)       Yes                Yes
-
Hello,
I need to know what features I will lose for the wireless users if I do not use a WLC deployment (using autonomous APs), knowing that I'm using the latest code, ISE 1.1.1.
Also in case of no WLC, can I use Inline posture node or I have to use WLC in this case ?
Thanks.
So I understand from that that CoA is supported on the Cisco switch, which provides it to the wired client, while this is not supported on the AP (although it is connected to a switch after that), so we will need a WLC or inline posture node. But I believe the inline posture node will be added after the switch, so the setup will be AP-----Switch---Inline posture---Core and ISE. So why can the inline posture node provide CoA to the wireless clients while the switch can't?
Note: I assumed a lot of facts in the above statement, so please correct me if any is wrong.
Fact 1: COA is supported on the Cisco Switch and it provides this to the wired client.
Fact 2: but I believe that the inline posture will be added after the switch so setup will be AP-----Switch---Inline posture---Core and ISE.
Also, assuming that CoA is not supported, and as I know it is important for posture and profiling, can we use normal AAA authentication and guest life management with ISE and without WLC or inline posture?
Thanks -
We have a site with a WLC 4400 and we would like to set up a controller failover. The WLC 4400 is EOS/EOL and the replacement available is the WLC 5508. Can someone advise me on how to configure these units in Primary/Secondary mode so that if either controller fails, the other one can take over?
Thanks,
Hi Akil,
You are most welcome
Yes, you can configure 4400's and 5500's in a redundant configuration, but both should be running the same code version. I believe the latest version that is compatible for both is 7.0.220.0; this is the last version that supports the 4400 series.
Here's a note that reflects the support;
Note
Controllers do not have to be of the same model to be a member of a mobility group. Mobility groups can be comprised of any combination of controller platforms.
http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mobil.html
Cheers!
Rob
"Show a little faith, there's magic in the night" - Springsteen -
Can we create Mobility group between WISM2 and WLC 5500
Dears,
I need your feedback urgently, please.
Can we create Mobility Group between WISM2 and WLC 5500
Firmware for WISM2 > 7.4.121.0
Firmware for WLC5500 > 6.0.196.0
I created a Mobility Group with (IP address, MAC address and mobility group name) for the Foreign Controller. Is any configuration required from my side?
Awaiting your feedback urgently, please.
Regards,
Hi,
Controllers do not have to be of the same model to be a member of a mobility group. Mobility groups can be comprised of any combination of controller platforms.
That's enough :)
Regards
Don't forget to rate helpful posts -
Preventive maintenance WLC 4400 and 5500?
Hi good morning,
I am asking for help in order to do preventive maintenance on WLC 4000 and 5500.
The main problem is: can I open the WLCs and clean all the circuits inside, or must I only clean the outside of the WLC?
I would also like to know if there is documentation about this topic.
Thanks.
Thanks
I thought of opening the WLC and using compressed air to remove dust only,
but as you mention, it would be better not to open it.
Greetings -
Best practices for network design on WLC 2504 and 5508
Dear all:
I'm looking for some recommendations on WLC 2504 and 5508 about the following:
Maximum amount of AP per port
The scenario when to use all ports in both WLC
Maximum number of clients(users) per port
Bandwidth consumption of management vs data in order to assign one port for management
I've just found this:
Cisco 5508 controllers have eight Gigabit Ethernet distribution system ports, through which the controller can manage multiple access points. The 5508-12, 5508-25, 5508-50, 5508-100, and 5508-250 models allow a total of 12, 25, 50, 100, or 250 access points to join the controller. Cisco 5508 controllers have no restrictions on the number of access points per port. However, Cisco recommends using link aggregation (LAG) or configuring dynamic AP-manager interfaces on each Gigabit Ethernet port to automatically balance the load. If more than 100 access points are connected to the 5500 series controller, make sure that more than one gigabit Ethernet interface is connected to the upstream switch.
http://www.cisco.com/c/en/us/td/docs/wireless/controller/6-0/configuration/guide/Controller60CG/c60mint.html
Thanks for your help.
The 5508-12, 5508-25, 5508-50, 5508-100, and 5508-250 models allow a total of 12, 25, 50, 100, or 250 access points to join the controller.
This is an old document. 5508 can now support up to 500 APs if you run firmware 7.X. 2504 can support up to 75 APs if you run firmware 7.4.X.
I'm looking for some recommendations on WLC 2504 and 5508 about the following:
Best practice and recommendation is to LAG all ports so you will be able to form a link redundancy. If one link goes down, you have other link to push traffic. -
WPA2 Auth on WLC 5760 using ISE 1.2
Hello there,
I am trying to configure WPA2 802.1x authentication on my WLC, which should use ISE as the RADIUS server, which in turn is set to authenticate AD users.
The issue is that when I try to connect to the SSID, it does not forward the authentication request to ISE. Therefore, I don't see any authentication request on ISE coming from the client.
I am using the following cli config for the SSID.
wlan TESTSTAFF 70 TESTSTAFF
 aaa-override
 client vlan Floor_WL
 security dot1x authentication-list WPA-Auth
 session-timeout 1800
 no shutdown
aaa authentication dot1x WPA-Auth group ISE_Group
aaa group server radius ISE_Group
 server name ISE
radius server ISE
 address ipv4 <ise_ip> auth-port 1812 acct-port 1813
 key <key>
On ISE, I have added the WLC as a network device. CWA authentication is working fine; it is just the Layer 2 WPA 802.1x authentication which is not forwarding requests to ISE.
Can you please suggest?
Thanks in advance.
Are your WLC and ISE connected?
Is your RADIUS shared secret correct and the same on both sides?
Please check these: http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
Regards -
Wireless Guest Access with 802.1X (PEAP/MSCHAPv2) and ISE?
Hi,
I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
The WLCs are running 7.3 and ISE is 1.1.1
I'm trying to setup wireless guest access, where the guests connect to a SSID with 802.1X using PEAP/MSCHAPv2.
They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
The credentials will be created by the sponsor, using the sponsor portal on the ISE.
Now to the questions:
Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
Thankyou very much :-)
Best Regards,
Niels J. Larsen
-
Central Web Auth with Anchor Controller and ISE
Hi All
I have a 5508 WLC on the corporate LAN and another 5508 sat in a DMZ as an anchor controller.
I also have an ISE sat on the corporate LAN.
Authentication is working fine to the ISE and the client tries to redirect to the ISE portal but doesn't get there.
DNS is working fine and the client can resolve the URL of the ISE to the correct IP address.
I have a redirect ACL configured on the foreign controller which permits DNS, DHCP and traffic to and from the ISE.
My questions are:
1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL - I don't believe it does.
4. Is ICMP still blocked by the WLC until the web authentication is complete?
Thanks.
Regards
Roger
Hi Roger,
Thanks for your brief explanation here are the answers for your queries.
1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
The only catch is that since this web authentication method is Layer 2, you have to be aware that it will be the foreign WLC that does all of the RADIUS work. Only the foreign WLC contacts the ISE, and the redirection ACL must be present also on the foreign WLC.
2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
Yes, you have to configure the ISE server address on the anchor WLC.
3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL
Yes, you should override AAA under advanced tab of WLAN as ACL will be present on the foreign WLC.
4. Yes, ICMP will work only after the successful web auth is complete.
Please do go through the link below to understand the Anchor-Foreign scenario.
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11
Regards
Salma -
Wlc 5500 authentication timeout
I have a WLC 5500 controller. I have two WLANs (OBSD-Internal and OBSD-BYOD). I have authentication set up on the WLC for the BYOD WLAN using LDAP (users connect with an AD user account). They are required to re-authenticate every few minutes. This only happens on the BYOD WLAN (not Internal).
Scott-
Here are the results of the sho WLAN cmd:
(Cisco Controller) >show wlan 3
WLAN Identifier.................................. 3
Profile Name..................................... OBSD BYOD
Network Name (SSID).............................. OBSD-BYOD
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 25
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. Infinity
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ g9c-guest
Multicast Interface.............................. Not Configured
--More-- or (q)uit
WLAN ACL......................................... Guest WiFi Internet Only
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Global Servers
--More-- or (q)uit
Accounting.................................... Global Servers
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Enabled
ACL............................................. Web Auth
Web Authentication server precedence:
1............................................... local
2............................................... radius
3............................................... ldap
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
H-REAP Local Switching........................ Disabled
H-REAP Local Authentication................... Disabled
H-REAP Learn IP Address....................... Enabled
--More-- or (q)uit
Client MFP.................................... Optional but inactive (WPA2 not configured)
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Mobility Anchor List
WLAN ID IP Address Status -
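The `show wlan` output above is what a reviewer reads to judge a WLAN's Layer 2 security, session timeout and AAA override handling. As an added example (not from the thread), this Python parses that dotted `Name..... Value` format and audits the result; the two sample dumps are constructed from the fields shown above, one as posted and one as a WPA2-Enterprise counterpart.

```python
# Added example (not from the thread): parse a Cisco WLC "show wlan <id>" dump
# and flag a WLAN that relies on open association plus web authentication.
import re
from typing import Dict, List

# Constructed excerpt in the format of the thread's `show wlan 3` output.
OPEN_WEBAUTH_WLAN = """\
Network Name (SSID).............................. OBSD-BYOD
AAA Policy Override.............................. Disabled
Session Timeout.................................. Infinity
--More-- or (q)uit
Security
   802.11 Authentication:........................ Open System
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Disabled
   Web Based Authentication...................... Enabled
   Client MFP.................................... Optional but inactive (WPA2 not configured)
"""

# Constructed WPA2-Enterprise counterpart of the same WLAN, for comparison.
WPA2_ENTERPRISE_WLAN = """\
AAA Policy Override.............................. Enabled
Session Timeout.................................. 1800 seconds
Security
   802.11 Authentication:........................ Open System
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
   Web Based Authentication...................... Disabled
   Client MFP.................................... Optional
"""

# A field line is "<name><run of dots> <value>"; the pager prompt and bare
# section headers such as "Security" have no dot run and are skipped.
FIELD_RE = re.compile(r"^\s*(?P<name>.+?):?\.{2,}\s*(?P<value>.*?)\s*$")


def parse_show_wlan(text: str) -> Dict[str, str]:
    """Return a {field name: value} map from WLC 'show wlan' output."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip().startswith("--More--"):
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("name").strip()] = m.group("value")
    return fields


def audit_wlan(fields: Dict[str, str]) -> List[str]:
    """Return findings a reviewer would raise about the WLAN's settings."""
    findings: List[str] = []
    # WPA2-Enterprise also prints "Open System" for 802.11 authentication, so
    # the WLAN is only truly open when WPA and dynamic-WEP 802.1X are off too.
    l2_open = (fields.get("802.11 Authentication") == "Open System"
               and fields.get("802.1X") == "Disabled"
               and fields.get("Wi-Fi Protected Access (WPA/WPA2)") == "Disabled")
    if l2_open:
        findings.append("no Layer 2 encryption: client traffic is sent in the clear")
    if l2_open and fields.get("Web Based Authentication") == "Enabled":
        findings.append("web auth only: the session is bound to client MAC/IP, not to a key")
    if fields.get("Session Timeout") == "Infinity":
        findings.append("Session Timeout is Infinity: the WLC itself never expires the session")
    if fields.get("AAA Policy Override") == "Disabled":
        findings.append("AAA Policy Override disabled: RADIUS-returned VLAN/ACL attributes are ignored")
    if "inactive" in fields.get("Client MFP", ""):
        findings.append("Client MFP inactive: management frames are unprotected")
    return findings


if __name__ == "__main__":
    print(audit_wlan(parse_show_wlan(OPEN_WEBAUTH_WLAN)) or ["no findings"])
```

Run it against a real `show wlan <id>` capture by pasting the full dump in place of the constructed sample; section indentation and pager prompts are tolerated.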
WLC 5500 802.1x problems
So here is the problem that i have.
I have a WLC 5500 in site A (let's say city A too) with its own set of WLANs (WLAN 1, WLAN 2 ...) that are used to differentiate different types of users (teachers, students, etc.) using a RADIUS server and an AD for this client, with 802.1x. Everything on site A is working fine.
Now I'm trying to set up an access point in site B (in city B) with its own set of WLANs (WLAN X, WLAN Y ...) that is also used to differentiate clients; site B has its own DHCP, its own RADIUS and its own AD. I've managed to connect the access point to the WLC and set WLANs for site B. My problem now is that when a user tries to connect to WLAN X and he is supposed to be in WLAN Y, he is not forwarded to WLAN Y and is left in WLAN X. I've also configured H-REAP.
Does anyone have any idea why the clients aren't being assigned to the correct WLAN?
I've checked in the RADIUS server and it's sending the correct WLAN to the user.
I know that the text is probably a little bit confusing, but I hope that someone can help me.
Thanks in advance.
You are right, it is not supported:
Note: If the APs are in H-REAP mode and locally switched at the remote site, the dynamic assignment of users to a specific VLAN based on the RADIUS server configuration is not supported.
Since you can't do dynamic VLAN, why not have two policies, one for teachers and the other for students. You will need to have them in separate groups in AD also. Then filter on the SSID and the AD group, so if students try to access the teachers' SSID using their credentials, they get rejected and vice versa.
I don't know what you mean by connecting two site without h-reap. The only other way is switching the AP to local mode, which you better have some good bandwidth.
Scott -
WLC 5508 And Third Party SSL for Web Authenticaiton
Hello,
We are using WLC 5508 and currently the authentication process is via customized WebAuth. As you know, with WebAuth the authentication process won't work unless you launch a web browser and get redirected to the authentication page, where you type your username and password. This is a bit fuzzy for most of the users, and what I'm thinking is to use a different authentication mechanism where the user will automatically be prompted upon connecting to any SSID. I have read that a public/third-party certificate will do this and any client can accept the public certificate.
Can anyone elaborate on this approach?
Regards,
With machines that are not part of the domain, typically if you still want to secure them using 802.1x, you would leverage a RADIUS server, and users would be told of the SSID to connect to and enter their AD credentials. Of course, if you use AD credentials, users will now join all their other devices to that SSID. This is where ISE comes in and you can profile devices. Even though the WLC with v7.6 can profile, it's not a full-fledged profiler. Depending on how well you know RADIUS, you can leverage a portal page also, and depending on the AD group a user is a member of, you can put them in a specific VLAN or leverage interface groups. You can do many things, but you need to really know RADIUS and client types to figure out what can work well in your environment. RADIUS alone, to someone who hasn't played with it, can take days to set up without help.
Every client I setup radius for is different and it comes down to how their users are setup in AD, what devices they have and the requirements.
Scott -
WLC management and monitoring.
Hello
We are looking to monitor the CPU, environment variables and memory of a wireless LAN controller via SNMP, but we are not able to find the right OID in the MIBs to manage this.
Can the exact OIDs be given in order to monitor these three elements on a Cisco WLC 5500 series?
Thank you in advance
Mario
You'll probably find the objects in the CISCO-SYSTEM-EXT-MIB useful...
cseSysCPUUtilization OBJECT-TYPE
    SYNTAX      Gauge32 (0..100)
    UNITS       "%"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The average utilization of CPU on the active
        supervisor."
    ::= { ciscoSysInfoGroup 1 }
= 1.3.6.1.4.1.9.9.305.1.1.1

cseSysMemoryUtilization OBJECT-TYPE
    SYNTAX      Gauge32 (0..100)
    UNITS       "%"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The average utilization of memory on the active
        supervisor."
    ::= { ciscoSysInfoGroup 2 }
= 1.3.6.1.4.1.9.9.305.1.1.2
You can browse other objects on the MIB here:
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=1.3.6.1.4.1.9.9.305.1.1&translate=Translate&submitValue=SUBMIT&submitClicked=true -
Dear All,
I have a WLC 5500 with a 50 AP base license and LAP 3500i APs.
So, do I need a license for the WLC to work with the CleanAir technology even though its software is version 7?
And also I have WCS with a base license, so do I need a license also for the WCS to work with CleanAir technology?
thanks
Ahmed
You do not need an extra license for either WLC or WCS to work with CleanAir. But if you buy a 10 AP pack of 3500 APs, you will get a WCS Plus upgrade license (for 100 APs) for free.
More info can be found here:
http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps10981/qa_c67-604158.html
zhenning