WLC 5508, 7.4.100.0, dot1x and web auth
Release notes for 7.4.100.0 state:
"Security during client authentication is enhanced by applying both 802.1X and Web Authentication for a WLAN."
Anybody know anything about this and how-to's?
Eirik
I know what it is. :-)
Want to test to use web auth after dot1x. Do not trust dot1x alone anymore, now that it is so easy to steal certificates from laptops...
Would like to force users (after eap-tls with certificate) to logon using their AD cred.
Eirik
Similar Messages
-
Guest WLAN and Web Auth?
Hi Guys,
Maybe someone can help me out?
I just finished setting up a trial "Cisco Virtual Wireless Controller" with nearly the same configuration as our Physical "Cisco Wireless Controller" with the exception of having 2 ports. Anyhow, I managed to get everything working except for the WEB AUTH on the Guest WLAN. When a client connects, he gets a DHCP address from our ASA but when we try to get to a website, we never reach the WEB AUTH page.
What I tried so far is..
add a DNS Host Name to the virtual interface and assign it to our internal DNS server. DNS name was resolving but we were unable to ping 1.1.1.1
changed the virtual IP from 1.1.1.1 to 2.2.2.2 and modified the DNS entry. DNS name resolved but still could not ping 2.2.2.2 (I think this is normal)
changed the virtual IP to a private address of 192.168.102.1 and modified the DNS entry. Same result
I've attached some screenshots of our configuration.
Troubleshooting Web Authentication
After you configure web authentication, if the feature does not work as expected, complete these troubleshooting steps:
1. Check if the client gets an IP address. If not, users can uncheck DHCP Required on the WLAN and give the wireless client a static IP address. This assumes association with the access point. Refer to the IP addressing issues section of Troubleshooting Client Issues in the Cisco Unified Wireless Network for troubleshooting DHCP related issues.
2. On WLC versions earlier than 3.2.150.10, you must manually enter https://1.1.1.1/login.html in order to navigate to the web authentication window.
3. The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client connects to a WLAN configured for web authentication, the client obtains an IP address from the DHCP server. The user opens a web browser and enters a website address. The client then performs the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the website, the WLC intercepts the HTTP GET session of the client and redirects the user to the web authentication login page.
Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On Windows, choose Start > Run, enter CMD in order to open a command window, and do a "nslookup www.cisco.com" and see if the IP address comes back.
On Macs/Linux: open a terminal window and do a "nslookup www.cisco.com" and see if the IP address comes back.
If you believe the client is not getting DNS resolution, you can either:
♦ Enter either the IP address of the URL (for example, http://www.cisco.com is http://198.133.219.25)
♦ Try to directly reach the controller's webauth page with https:///login.html. Typically this is http://1.1.1.1/login.html.
Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also be a certificate problem. The controller, by default, uses a self-signed certificate and most web browsers warn against using them.
4. For web authentication using customized web page, ensure that the HTML code for the customized web page is appropriate.
You can download a sample Web Authentication script from Cisco Software Downloads. For example, for the 4400 controllers, choose Products > Wireless > Wireless LAN Controller > Standalone Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404 Wireless LAN Controller > Software on Chassis > Wireless Lan Controller Web Authentication Bundle-1.0.1 and download the webauth_bundle.zip file.
These parameters are added to the URL when the user's Internet browser is redirected to the customized login page:
♦ ap_mac: The MAC address of the access point to which the wireless user is associated.
♦ switch_url: The URL of the controller to which the user credentials should be posted.
♦ redirect: The URL to which the user is redirected after authentication is successful.
♦ statusCode: The status code returned from the controller's web authentication server.
♦ wlan: The WLAN SSID to which the wireless user is associated.
These are the available status codes:
♦ Status Code 1: "You are already logged in. No further action is required on your part."
♦ Status Code 2: "You are not configured to authenticate against web portal. No further action is required on your part."
♦ Status Code 3: "The username specified cannot be used at this time. Perhaps the username is already logged into the system?"
♦ Status Code 4: "You have been excluded."
♦ Status Code 5: "The User Name and Password combination you have entered is invalid. Please try again."
5. All the files and pictures that need to appear on the Customized web page should be bundled into a .tar file before uploading to the WLC. Ensure that one of the files included in the tar bundle is login.html. You receive this error message if you do not include the login.html file:
Refer to the Guidelines for Customized Web Authentication section of Wireless LAN Controller Web Authentication Configuration Example for more information on how to create a customized web authentication window.
Note: Files that are large and files that have long names will result in an extraction error. It is recommended that pictures are in .jpg format.
6. Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication. Other browsers may or may not work.
7. Ensure that the Scripting option is not blocked on the client browser as the customized web page on the WLC is basically an HTML script. On IE 6.0, this is disabled by default for security purposes.
Note: The Pop Up blocker needs to be disabled on the browser if you have configured any Pop Up messages for the user.
Note: If you browse to an https site, redirection does not work. Refer to Cisco bug ID CSCar04580 (registered customers only) for more information.
8. If you have a host name configured for the virtual interface of the WLC, make sure that the DNS resolution is available for the host name of the virtual interface.
Note: Navigate to the Controller > Interfaces menu from the WLC GUI in order to assign a DNS hostname to the virtual interface.
9. Sometimes the firewall installed on the client computer blocks the web authentication login page. Disable the firewall before you try to access the login page. The firewall can be enabled again once the web authentication is completed.
10. Topology/solution firewall can be placed between the client and web-auth server, which depends on the network. As for each network design/solution implemented, the end user should make sure these ports are allowed on the network firewall.
Protocol: Port
HTTP/HTTPS Traffic: TCP port 80/443
CAPWAP Data/Control Traffic: UDP port 5247/5246
LWAPP Data/Control Traffic (before rel 5.0): UDP port 12222/12223
EOIP packets: IP protocol 97
Mobility: UDP port 16666 (non secured), UDP port 16667 (secured IPSEC tunnel)
11. For web authentication to occur, the client should first associate to the appropriate WLAN on the WLC. Navigate to the Monitor > Clients menu on the WLC GUI in order to see if the client is associated to the WLC. Check if the client has a valid IP address.
12. Disable the Proxy Settings on the client browser until web authentication is completed.
13. The default web authentication method is PAP. Ensure that PAP authentication is allowed on the RADIUS server for this to work. In order to check the status of client authentication, check the debugs and log messages from the RADIUS server. You can use the debug aaa all command on the WLC to view the debugs from the RADIUS server.
14. Update the hardware driver on the computer to the latest code from manufacturer's website.
15. Verify settings in the supplicant (program on laptop).
16. When you use the Windows Zero Config supplicant built into Windows:
♦ Verify user has latest patches installed.
♦ Run debugs on supplicant.
17. On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window, Start > Run > CMD:
netsh ras set tracing eapol enable
netsh ras set tracing rastls enable
In order to disable the logs, run the same command but replace enable with disable. For XP, all logs will be located in C:\Windows\tracing.
18. If you still have no login web page, collect and analyze this output from a single client:
debug client
debug dhcp message enable
debug aaa all enable
debug dot1x aaa enable
debug mobility handoff enable
If the issue is not resolved after you complete these steps, collect these debugs and use the TAC Service Request Tool (registered customers only) in order to open a Service Request.
debug pm ssh-appgw enable
debug pm ssh-tcp enable
debug pm rules enable
debug emweb server enable
debug pm ssh-engine enable packet
-
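The redirect parameters (ap_mac, switch_url, redirect, statusCode, wlan) and the status codes listed in the troubleshooting text above arrive as ordinary query-string values, so a customized login.html should validate them before using them. The following is an added example, not part of the original post or of Cisco's sample bundle; the allowed controller host 1.1.1.1, the HTTPS-only rule, the function names and the sample URLs are assumptions made for illustration.

```javascript
// Added example: validating the query parameters a WLC appends when it
// redirects a client to a customized login.html (parameter names from the page).
// Assumptions: the controller's virtual interface is 1.1.1.1 as on this page,
// credentials are only ever posted over HTTPS, and a redirect value without
// a scheme is treated as http.
const ALLOWED_CONTROLLER_HOSTS = new Set(["1.1.1.1"]);

// Status codes and messages as listed in the troubleshooting text.
const STATUS_MESSAGES = {
  1: "You are already logged in. No further action is required on your part.",
  2: "You are not configured to authenticate against web portal. No further action is required on your part.",
  3: "The username specified cannot be used at this time. Perhaps the username is already logged into the system?",
  4: "You have been excluded.",
  5: "The User Name and Password combination you have entered is invalid. Please try again.",
};

const AP_MAC_RE = /^([0-9a-f]{2}:){5}[0-9a-f]{2}$/i;
const HAS_SCHEME_RE = /^[a-z][a-z0-9+.-]*:\/\//i;

// switch_url decides where the password is sent, so it must be an HTTPS URL
// on a known controller host, with no userinfo part. Returns the URL or null.
function validateSwitchUrl(raw) {
  if (!raw) return null;
  let url;
  try { url = new URL(raw); } catch (e) { return null; }
  if (url.protocol !== "https:") return null;
  if (url.username || url.password) return null;
  if (!ALLOWED_CONTROLLER_HOSTS.has(url.hostname)) return null;
  return url.href;
}

// redirect is where the user lands after login; only http(s) targets are kept
// so script-bearing schemes such as javascript: never reach location.href.
function validateRedirect(raw) {
  if (!raw) return null;
  const candidate = HAS_SCHEME_RE.test(raw) ? raw : "http://" + raw;
  let url;
  try { url = new URL(candidate); } catch (e) { return null; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.hostname ? url.href : null;
}

// Parses the login page URL and returns only validated values; anything
// present but rejected is recorded in `errors` and returned as null.
function parseWebAuthRedirect(pageUrl) {
  const params = new URL(pageUrl).searchParams;
  const errors = [];
  const pick = (name, validate) => {
    const raw = params.get(name);
    if (raw === null) return null; // parameter absent
    const value = validate(raw);
    if (value === null) errors.push("rejected " + name);
    return value;
  };
  const code = pick("statusCode", (v) => (/^[1-5]$/.test(v) ? Number(v) : null));
  return {
    apMac: pick("ap_mac", (v) => (AP_MAC_RE.test(v) ? v.toLowerCase() : null)),
    // An SSID is at most 32 octets; render it with textContent, never innerHTML.
    wlan: pick("wlan", (v) => (v.length >= 1 && v.length <= 32 ? v : null)),
    switchUrl: pick("switch_url", validateSwitchUrl),
    redirect: pick("redirect", validateRedirect),
    statusCode: code,
    statusMessage: code === null ? null : STATUS_MESSAGES[code],
    errors,
  };
}

// Returns the URL the login form may post to, or throws so the page shows
// an error instead of sending the password somewhere unverified.
function loginFormAction(parsed) {
  if (!parsed.switchUrl) {
    throw new Error("switch_url missing or not an allowed controller; not submitting");
  }
  return parsed.switchUrl;
}

// Constructed sample URLs (not captured from a real controller).
const SAMPLE_GOOD =
  "https://1.1.1.1/login.html?switch_url=https://1.1.1.1/login.html" +
  "&ap_mac=00:1A:2B:3C:4D:5E&wlan=Guest&statusCode=5&redirect=www.cisco.com/";
const SAMPLE_TAMPERED =
  "https://1.1.1.1/login.html?switch_url=https://1.1.1.1@portal.example.test/login.html" +
  "&ap_mac=00:1A:2B:3C:4D:5E&wlan=Guest&redirect=javascript:alert(1)";
```

In the page itself, call parseWebAuthRedirect(window.location.href) and set the form's action from loginFormAction() only when it does not throw.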
WLC 5508 8.0.100 AP dropout and fallback issue
After WLC upgrade to 8.0.100 [not in HA mode], the APs seem to be dropping out and reconnecting using the fallback to IP, in spite of the statically configured IP on the AP
Running Outdoor mesh AIR-CAP1552E-N-K9 on WLC 5508
(Cisco Controller) >show boot
Primary Boot Image............................... 8.0.100.0 (default) (active)
Backup Boot Image................................ 7.6.101.2
=========
Last AP disconnect details
- Reason for last AP connection failure.................... The AP has been reset by the controller
- Last AP disconnect reason................................ Unknown failure reason
Last join error summary
- Type of error that occurred last......................... Lwapp join request rejected
- Reason for error that occurred last...................... No Mwar payload found in join request
- Time at which the last join error occurred............... Dec 03 00:05:26.114
AP disconnect details
- Reason for last AP connection failure.................... The AP has been reset by the controller
We downgraded the WLC to 7.4.121.0 and finally got rid of the DHCP problem
But encountered a new issue
The WGB, once connected to the mesh AP, does not reconnect to the network, auth failure - AIR-SAP1602E-Z-K9 running - ap1g2-k9w7-mx.152-2.JB2
Local EAP auth configured for WGB client on the WLC
Looks more like the WGB is stuck in a state, unable to negotiate its credentials
Controller log
*dot1xMsgTask: Mar 24 10:33:52.737: #DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1404 Unable to send EAPOL-key msg - invalid WPA state (0) - client f4:0f:1b:23:03:37
Attached is the debug and client status from WLC
Any idea what is going on
Thanks -
WLC 5508 -7.4.100 mDNS Bonjour snooping
Hello
Have 7.4 installed and configured for Bonjour Snooping. All is working, but working too well. We have a large campus that houses 2 schools and each school is complaining that they can see the other school's AppleTV devices.
I have played around with a few different scenarios to see if I can localize the bonjour traffic.
I guess I am looking to create a logical split for bonjour devices among the schools.
Apple came to the school and informed us that the IPAD has a limit of 64 devices that can be seen via the bonjour. At some point we will have over 100 AppleTV added.
so we have 3 wlc 5508's with 7.4.100
we have 2 SSIDs that span the whole campus
using AP groups to segment the floors in buildings
So the schools are logically split with AP groups
Here is what I have tried
I created few mDNS profiles and assigned the services for Apple TV - let's call them school1 and school2
I assign the mDNS profiles to the interfaces dedicated each school
enable snooping on the WLAN with profile of none
The end result is that devices from both schools can be seen.
I tried to create new ssid for apple TVs and a new ssid for 1 schools teachers
I followed the vlan select example
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_tech_note09186a0080bb1d7c.shtml
end result is that devices from both schools can be seen
I have tried the mDNS without multicast enabled just like the video shows to no avail - I assume maybe my AP groups might be more complicated than the example of just 2 vlans
https://supportforums.cisco.com/community/netpro/wireless-mobility/begin-wireless/blog/2013/01/01/wireless-lan-controller-wlc-release-74--bonjour-gateway-configuration-example
I have tried combinations of things, but I must be missing something
In the webinar, Cisco said it will use filtering to restrict which clients can see which services (Apple TV's, etc). What will Cisco use to filter Bonjour requests?
according to this article
http://www.pcadvisor.co.uk/news/network-wifi/3376119/cisco-answers-user-questions-about-upcoming-apple-bonjour-gateway/#ixzz2SIDqFH49
The filtering options are: · Per WLAN/SSID · Per VLAN or AP Group · Per Interface Group (which is a group of VLANs pooled together).
A Bonjour service policy can be created and applied on any one of the above criteria. In the future, we will support per-user Bonjour service policies which will come as a RADIUS attribute from the AAA server.
Read more: http://www.pcadvisor.co.uk/news/network-wifi/3376119/cisco-answers-user-questions-about-upcoming-apple-bonjour-gateway/#ixzz2SZqMYpdh
Cheers
Any insight would be appreciated
Here are the ACLs for the controller
acl create BlockBonjour
acl apply BlockBonjour
acl counter start
acl rule add BlockBonjour 1
acl rule add BlockBonjour 2
acl rule action BlockBonjour 1 deny
acl rule action BlockBonjour 2 permit
acl rule destination address BlockBonjour 1 224.0.0.251 255.255.255.255
acl rule destination address BlockBonjour 2 0.0.0.0 0.0.0.0
acl rule destination port range BlockBonjour 1 0 65535
acl rule destination port range BlockBonjour 2 0 65535
acl rule source address BlockBonjour 1 0.0.0.0 0.0.0.0
acl rule source address BlockBonjour 2 0.0.0.0 0.0.0.0
acl rule source port range BlockBonjour 1 0 65535
acl rule source port range BlockBonjour 2 0 65535
acl rule direction BlockBonjour 1 In
acl rule direction BlockBonjour 2 Any
acl rule dscp BlockBonjour 1 Any
acl rule dscp BlockBonjour 2 Any
acl rule protocol BlockBonjour 1 Any
acl rule protocol BlockBonjour 2 Any
acl apply BlockBonjour
ipv6 acl create BlockAllIPv6
ipv6 acl apply BlockAllIPv6
ipv6 acl rule add BlockAllIPv6 1
ipv6 acl rule action BlockAllIPv6 1 deny
ipv6 acl rule destination address BlockAllIPv6 1 :: 0
ipv6 acl rule destination port range BlockAllIPv6 1 0 65535
ipv6 acl rule source address BlockAllIPv6 1 :: 0
ipv6 acl rule source port range BlockAllIPv6 1 0 65535
ipv6 acl rule direction BlockAllIPv6 1 Any
ipv6 acl rule dscp BlockAllIPv6 1 Any
ipv6 acl rule protocol BlockAllIPv6 1 Any
ipv6 acl apply BlockAllIPv6
Apply to wlan: The wlan index is used in this case, the first wlan created on controller
wlan acl 1 BlockBonjour
wlan ipv6 acl 1 BlockAllIPv6 -
DHCP on WLC 5508 - 7.4.100.0 - with HA
Hi All,
I'm just looking for some ideas on a problem we've encountered the last few days with DHCP on certain SSID's. To give you an idea, we have a wireless network with 13 SSID's being managed by a WLC 5508 pair configured as high availability (52 AIR-CAP3502I). Yesterday we encountered an issue with DHCP on a few of the SSID's but not all, and as a last resort a reboot of the controller fixed the problem. Statically assigning addressing allows for traffic to traverse the network out to the web and back so I don't think it's a VLAN configuration issue on the wired side. It's worth mentioning however that the controllers are configured for a LAG to HP switches. DHCP is being handled by an external windows DHCP server and the primary server address points to the gateway which has a relay configuration pointing to the windows server on the other side of it. Again, rebooting the controller fixed the problem and the web traffic traverses fine if statically assigning addressing. Any ideas or suggestions would be appreciated.
Thanks,
Keith
Well, to determine if it's a LAG issue with the HP, just connect one port. This will help determine if it's an HA issue or not. I don't know the HP platform, but the WLC uses src-dst-IP for load balancing across the LAG. Maybe the HP is sending the traffic back on a different port. So just having one port connected should eliminate if it's a LAG issue or not.
-
Wireless 3850 and Web-Auth for Wireless clients
Hi
I can't get the web-auth feature to work properly on the Catalyst 3850 for wireless clients.
Internet is all tested and there is full IP connectivity.
Issue is when I enable the webauth feature on the SSID. Incidentally when I enable the SSID to use consent it works.
I am using local authentication for the guest users.
When user logs onto the wireless, they get to the landing page, and are able to enter the credentials then there is a 30 second pause. The client detail says WEBAUTH_PEND and then a pop up window comes back as seen below
Config below
interface Vlan302
description **** Wireless Guest ****
ip address 10.145.224.161 255.255.255.224
ip helper-address 10.144.214.134
ip helper-address 172.17.2.56
ip http server
ip http secure server
ip dhcp snooping
wlan XXXXX 2 XXXXXX
aaa-override
accounting-list default
client vlan 302
ip flow monitor wireless-avc-basic input
ip flow monitor wireless-avc-basic output
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
security dot1x authentication-list WEB_AUTH
security ft
security web-auth
security web-auth authentication-list WEB_AUTH
security web-auth parameter-map vit_web
no shutdown
parameter-map type webauth vit_web
type webauth
security web-auth parameter-map vit_web
user-name Guest1
creation-time 1390837878
privilege 15
password 7 022D0156060F1B351D
type network-user description Temp-Guest-User guest-user lifetime year 0 month 1 day 0 hour 0 minute 0 second 0
user-name Guest2
creation-time 1390838016
privilege 15
password 7 0724244143000D1145
type network-user description Temp-Guest-User guest-user lifetime year 0 month 1 day 0 hour 0 minute 0 second 0
aaa new-model
aaa authentication login WEB_AUTH local
aaa authorization network WEB_AUTH local
Hey Greg,
Did you also define the global webauth parameter? I think I had to do this to get my 5760 "working" or as working as these new controllers can be.
parameter-map type webauth global
type webauth
virtual-ip ipv4 x.x.x.x wlc.whatever.org
max-http-conns 50
Also I had to enable http server in addition to secure server
ip http server
ip http secure-server
Are you using a self signed cert?
I saw windows clients take a long time to load the page when using a self signed cert.
MAC clients don't seem to work if you use the IOS or OSX based logon. You'll need to disable the auto logon and launch a browser for the redirect. There was a bug ID around this MAC problem which was supposedly resolved in 3.3.1SE but I still have the problem.
-Kyle -
WLC 5508 7.4.100.0 HA standby reboot loop
Hi.....
We have been running two 5508 WLCs in HA mode for a while now connecting 25 2602 APs. We disconnected the heartbeat UTP cable to change the position of the standby WLC in the rack. We did not power it off. After we plugged back the heartbeat cable the standby WLC goes into a reboot loop and gives the following error message
Error:Unable to add Licenses on secondary Controller
Now I did not try to reboot the primary one as users are connected and am afraid I will have two WLCs down instead of one. From what I have been reading it seemed that several HA issues were resolved in code 7.4.100.0...
I hope there is simple fix/workaround for this situation.
All help is appreciated
Hello,
As per your query I can suggest you the following solution -
This document provides information on the theory of operation and configuration for the Cisco Unified Wireless LAN Controller (WLC) as it pertains to supporting stateful switchover of access points (AP SSO).
The new High Availability (HA) feature (that is, AP SSO) set within the Cisco Unified Wireless Network software release version 7.3 allows the access point (AP) to establish a CAPWAP tunnel with the Active WLC and share a mirror copy of the AP database with the Standby WLC. The APs do not go into the Discovery state when the Active WLC fails and the Standby WLC takes over the network as the Active WLC.
There is only one CAPWAP tunnel maintained at a time between the APs and the WLC that is in an Active state. The overall goal for the addition of AP SSO support to the Cisco Unified Wireless LAN was to reduce major downtime in wireless networks due to failure conditions that may occur due to box failover or network failover.
For more information please refer to the link-
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bd3504.shtml
Hope this will help you. -
Watchdog reset in WLC 5508 7.4.100.60
Hi ,
Last week we found that the primary WLC had hung, so we needed to reboot it.
As per logs:
Last Reset....................................... Watchdog reset
We are using 7.4.100.60.
Any idea what could be the root cause?
Regards,
Check your WLC serial number as well, if it starts FCW1614 or later then it may be due to this bug as well.
CSCul68057
Symptom:
Wireless LAN Controller may encounter unexpected reload without crash file or coredump.
Console log output may include "reaperWatcher rebooting" and "!!!!! Watchdog detected LOCKUP !!!!!",
and there may be "#OSAPI-2-REAPER_WATCHER_INFO" message in syslog.
Conditions:
5508, 2504 or WiSM2 manufactured after April 2012.
Affected S/N: FCW1614xxxx and later
This is due to incompatibility of previous driver with some of the flash components used after that date
Workaround:
None, upgrade to one of the recommended software versions
Anyway your choices are very limited now, only 3 WLC software codes supported by Cisco 7.0.250.0(7.0MR5), 7.4.121.0 (7.4MR2) and 7.6.101.x(7.6MR1). So upgrade to 7.4.121.0 code as that is the highly recommended code at the moment. See below for more details
https://supportforums.cisco.com/docs/DOC-40178
I would suggest to go for FUS 1.9.0.0 as well.
HTH
Rasika
*** Pls rate all useful responses **** -
WLC 5508 (7.4.100) Coverage Hole Detection
Hi,
After upgrading to version 7.4.100, I started to receive "Coverage Hole Detection" logs continuously.
Before the upgrade these logs came very rarely.
Also, coverage areas decreased.
I cannot roll back to the previous version, because I have started to use AP1600 series.
Is it possible to use AP1600 with previous versions other than 7.4.100?
Please help
Hello Recep,
As per your query I can suggest you the following solution-
This alarm message is raised when a client Signal-to-Noise Ratio (SNR) falls below the SNR threshold value for the particular radio. 12 is the default SNR threshold value for coverage hole detection.
The coverage hole detection and correction algorithm determine if a coverage hole exists when clients’ SNR levels pass below a given SNR threshold. This SNR threshold varies based on two values: AP transmit power and the controller coverage profile value.
In detail, the Client SNR threshold is defined by each AP’s transmit power (represented in dBm), minus the constant value of 17dBm, minus the user configurable Coverage profile value (this value is defaulted to 12 dB).
Client SNR Cutoff Value (|dB|) = [AP Transmit Power (dBm) – Constant (17 dBm) – Coverage Profile (dB)]
This user configurable coverage profile value can be accessed this way:
1. In the WLC GUI, go to the main heading of Wireless and select the Network option for the WLAN standard of choice on the left side (802.11a or 802.11b/g). Then, select Auto RF in the upper right of the window.
2. In the Auto RF Global parameters page, find the Profile Thresholds section. In this section, you can find the Coverage (3 to 50 dbm) value. This value is the user configurable coverage profile value.
3. This value can be edited to influence the Client SNR threshold value. The other way to influence this SNR threshold is to increase the transmit power and compensate the coverage hole detection.
For more information please refer to the link-
http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a008082c464.shtml
Hope this will help. -
I'm running 7.6.100.0 as default in production and want the WLC to boot with 7.5.102.0 if I run into issues regarding 7.6.100.0.
To prepare I have predownloaded the backup image into all APs.
However, if one AP reboots while the WLC is still running 7.6.100.0, the AP has an invalid primary image and needs to re-download 7.6.100.0.
The backup image is then displayed as "3.0.51.0".
If someone reboots the AP, the reboot time is much longer than usual.
And the download might be an issue for some offices in the Middle East and Asia, since the WLC is located in Europe.
Due to some small VPN internet access lines.
This is something that came with version 7.6.100.0.
Before I upgraded the WLC, I was running 7.5.102.0 as primary and 7.3.112.0 as backup, with no issues regarding reboots and image.
Has anyone encountered this type of problem?
Any tips to solve this are much appreciated.
//Jan-Erik
Thanks, Fella, for your feedback!
UPDATE
First of all I have narrowed it down and found out that the 1130, 1140, 1240 and 1250 are OK
AIR-LAP1131AG-E-K9 reboots and starts with prim: 7.6.100.0 backup: 7.5.102.0 status; OK
AIR-LAP1142N-E-K9 reboots and starts with prim: 7.6.100.0 backup: 7.5.102.0 status; OK
AIR-LAP1242AG-E-K9 reboots and starts with prim: 7.6.100.0 backup: 7.5.102.0 status; OK
AIR-LAP1252AG-T-K9 reboots and starts with prim: 7.6.100.0 backup: 7.5.102.0 status; OK
It seems to be related to the 2602 and 3602 series.
Let me describe the steps I did to pinpoint these two models.
AIR-CAP2602I-E-K9
1. New-out-of-the-box and runs prim: 7.3.1.73 backup: 0.0.0.0;
2. Self-upgrade prim: 7.6.100.0 backup: 3.0.51.0. status; Downloading
3. reboots and starts with prim: 7.6.100.0 backup: 3.0.51.0.
4. Manual upgrade / predownloading backup to; 7.5.102.0
5. rebooting from wlc with prim: 7.6.100.0, backup: 7.5.102.0 -comment; starts up with 7.5.1.73 and does the downloading of prim image. Backup: 0.0.0.0
6. self-reboot after downloading, prim: 7.6.100.0. Comes up with prim: 7.6.100.0 backup: 3.0.51.0.
7. reboots from wlc/manual with prim: 7.6.100.0 backup: 3.0.51.0. -comment; no change, comes up with prim: 7.6.100.0 backup: 3.0.51.0.
AIR-CAP3602E-E-K9
1. reboots from WLC and manual with prim: 7.6.100.0, backup: 3.0.51.0 - comment; no problem, comes online with 7.6.100.0/3.0.51.0.
2. Manual upgrade / predownloading backup to; 7.5.102.0
3. rebooting from wlc with prim: 7.6.100.0, backup: 7.5.102.0 -comment; starts up with 7.3.1.73 and does the downloading of prim image. Backup: 0.0.0.0
4. self-reboot after downloading, prim: 7.6.100.0. Comes up with prim: 7.6.100.0 backup: 3.0.51.0.
5. reboots from wlc/manual with prim: 7.6.100.0 backup: 3.0.51.0. -comment; no change, comes up with prim: 7.6.100.0 backup: 3.0.51.0.
During upgrade it gives out this message;
*Jan 20 15:27:29.927: %WIDS-6-ENABLED: IDS Signature is loaded and enabled
Image 7.5.102.0 not found in flash, predownloading.
examining image...
extracting info (286 bytes)
Image info:
Version Suffix: k9w8-.152-4.JA1
Image Name: ap3g2-k9w8-mx.152-4.JA1
Version Directory: ap3g2-k9w8-mx.152-4.JA1
Ios Image Size: 758272
Total Image Size: 11520512
Image Feature: WIRELESS LAN|LWAPP
Image Family: AP3G2
Wireless Switch Management Version: 7.5.102.0
Not enough free space to download.
Check for crashinfo/radio coredump and non used image files...
Not enough free space to download image first w/o extracting
deleting existing version(s)...
Deleting current version: flash:/ap3g2-k9w8-mx.152-4.JB3...
Set booting path to recovery image: 'flash:/ap3g2-rcvk9w8-mx/ap3g2-rcvk9w8-mx'...done.
Extracting files...
ap3g2-k9w8-mx.152-4.JA1/ (directory) 0 (bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/img_sign_rel_sha2.cert (1371 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/B5.bin (1816 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/V5.bin (525 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/img_sign_rel.cert (1375 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/Y5.bin (1524 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/file_hashes (5001 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/B2.bin (9328 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/X5.bin (1487 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/final_hash.sig (513 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/final_hash (141 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/info (286 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/E5.bin (1803 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/Y2.bin (5830 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/V2.bin (12826 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/ap3g2-k9w8-mx.152-4.JA1 (206045 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/8004.img (541961 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/E2.bin (18656 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/ap3g2-k9w8-xx.152-4.JA1 (10519307 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/X2.bin (15158 bytes)
ap3g2-k9w8-mx.152-4.JA1/html/ (directory) 0 (bytes)
ap3g2-k9w8-mx.152-4.JA1/html/level/ (directory) 0 (bytes)
ap3g2-k9w8-mx.152-4.JA1/html/level/1/ (directory) 0 (bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/html/level/1/back.shtml (512 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/html/level/1/sitewide.js (16560 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/html/level/1/officeExtendap.css (41801 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/html/level/1/ap_home.shtml.gz (1297 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/html/level/1/appsui.js (563 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/html/level/1/config.js (25812 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/html/level/1/forms.js (20125 bytes)
ap3g2-k9w8-mx.152-4.JA1/html/level/1/images/ (directory) 0 (bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/html/level/1/images/cisco-logo-2007.gif (1648 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/html/level/1/images/info.gif (399 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/html/level/1/images/background_web41.jpg (732 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/html/level/1/images/login_homeap.gif (19671 bytes)
ap3g2-k9w8-mx.152-4.JA1/html/level/15/ (directory) 0 (bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/html/level/15/officeExtendapSummary.htm (718 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/html/level/15/officeExtendapEvent.shtml.gz (988 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/html/level/15/officeExtendapMain.shtml.gz (3350 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/html/level/15/officeExtendapBanner.htm (7114 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/html/level/15/officeExtendapConfig.shtml.gz (2864 bytes)
extracting ap3g2-k9w8-mx.152-4.JA1/html/level/15/officeExtendapHelp.htm (5013 bytes)
extracting info.ver (286 bytes)
New software image installed in flash:/ap3g2-k9w8-mx.152-4.JA1
archive download: takes 251 seconds
New backup software image installed in flash:/ap3g2-k9w8-mx.152-4.JA1/ap3g2-k9w8-mx.152-4.JA1
Reading backup version from flash:/ap3g2-k9w8-mx.152-4.JA1/ap3g2-k9w8-mx.152-4.JA1done.
Writing out the event log to flash:/event.log ...
THEN IT BOOTS ON 7.6.100.0
*Mar 1 00:00:57.047: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
examining image...
extracting info (286 bytes)
Image info:
Version Suffix: k9w8-.152-4.JB3
Image Name: ap3g2-k9w8-mx.152-4.JB3
Version Directory: ap3g2-k9w8-mx.152-4.JB3
Ios Image Size: 215552
Total Image Size: 13660672
Image Feature: WIRELESS LAN|LWAPP
Image Family: AP3G2
Wireless Switch Management Version: 7.6.100.0
Not enough free space to download.
Check for crashinfo/radio coredump and non used image files...
Deleting flash:/ap3g2-k9w8-mx.152-4.JA1
*Mar 1 00:01:07.051: %CAPWAP-3-ERRORLOG: Selected MWAR 'krs-wlc-ha.elkem.com'(index 0).
*Mar 1 00:01:07.051: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Jan 20 15:37:13.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 144.127.abc.abc peer_port: 5246
*Jan 20 15:37:13.471: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 144.127.abc.abcpeer_port: 5246
*Jan 20 15:37:13.471: %CAPWAP-5-SENDJOIN: sending Join Request to 144.127.abc.abc
*Jan 20 15:37:13.475: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
*Jan 20 15:37:13.475: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
*Jan 20 15:37:13.475: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Jan 20 15:37:13.475: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 144.127.abc.abcperform archive download capwap:/ap3g2 tar file done (free up 11507200 bytes)
Extracting files...
ap3g2-k9w8-mx.152-4.JB3/ (directory) 0 (bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/V2.bin (12826 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/Y2.bin (5830 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/file_hashes (6108 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/8004.img (553576 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/X5.bin (1519 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/final_hash.sig (513 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/ap3g2-k9w8-tx.152-4.JB3 (73 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/ap3g2-k9w8-xx.152-4.JB3 (12049578 bytes)
*Jan 20 15:39:13.679: %CAPWAP-3-ERRORLOG: Invalid event 48 & state 10 combination.
*Jan 20 15:39:13.679: %CAPWAP-3-ERRORLOG: SM handler: Failed to process timer message. Event 48, state 10
*Jan 20 15:39:13.679: %CAPWAP-3-ERRORLOG: Failed to handle timer message.
*Jan 20 15:39:13.679: %CAPWAP-3-ERRORLOG: Failed to process timer message.
extracting ap3g2-k9w8-mx.152-4.JB3/R5.bin (3406 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/R2.bin (9328 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/img_sign_rel_sha2.cert (1371 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/B2.bin (9328 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/info (286 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/8006.img (543804 bytes)
ap3g2-k9w8-mx.152-4.JB3/html/ (directory) 0 (bytes)
ap3g2-k9w8-mx.152-4.JB3/html/level/ (directory) 0 (bytes)
ap3g2-k9w8-mx.152-4.JB3/html/level/1/ (directory) 0 (bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/html/level/1/forms.js (20125 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/html/level/1/appsui.js (563 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/html/level/1/ap_home.shtml.gz (1297 bytes)
ap3g2-k9w8-mx.152-4.JB3/html/level/1/images/ (directory) 0 (bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/html/level/1/images/info.gif (399 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/html/level/1/images/cisco-logo-2007.gif (1648 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/html/level/1/images/background_web41.jpg (732 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/html/level/1/images/login_homeap.gif (19671 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/html/level/1/config.js (26330 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/html/level/1/sitewide.js (17089 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/html/level/1/officeExtendap.css (41801 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/html/level/1/back.shtml (512 bytes)
ap3g2-k9w8-mx.152-4.JB3/html/level/15/ (directory) 0 (bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/html/level/15/officeExtendapBanner.htm (7114 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/html/level/15/officeExtendapConfig.shtml.gz (2864 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/html/level/15/officeExtendapSummary.htm (718 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/html/level/15/officeExtendapHelp.htm (5013 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/html/level/15/officeExtendapMain.shtml.gz (3350 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/html/level/15/officeExtendapEvent.shtml.gz (988 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/B5.bin (1980 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/E5.bin (1816 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/Y5.bin (1544 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/C2.bin (19822 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/final_hash (141 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/C5.bin (6936 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/img_sign_rel.cert (1375 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/Q5.bin (2790 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/X2.bin (15158 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/E2.bin (18656 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/Q2.bin (5830 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/V5.bin (525 bytes)
extracting ap3g2-k9w8-mx.152-4.JB3/ap3g2-k9w8-mx.152-4.JB3 (207764 bytes)
extracting info.ver (286 bytes)
New software image installed in flash:/ap3g2-k9w8-mx.152-4.JB3
Configuring system to use new image...done.
Writing out the event log to flash:/event.log ...
archive download: takes 295 seconds
*Jan 20 15:42:09.163: image upgrade successfully, system is now reloading
*Jan 20 15:42:09.215: %SYS-5-RELOAD: Reload requested by capwap image download proc. Reload Reason: NEW IMAGE DOWNLOAD.
*Jan 20 15:42:09.215: %LWAPP-5-CHANGED: CAPWAP changed state to DOWN
Write of event.log done
I have also tried to remove all the files on the AP, just leaving
Directory of flash:/
58 -rwx 296 Jan 20 2014 18:33:37 +00:00 env_vars
13 drwx 448 Dec 9 2013 23:30:23 +00:00 ap3g2-rcvk9w8-mx
-
WLC 5508 -7.4.100 -mDNS bug?
Hello
I deleted an interface that had an mDNS profile attached and then created a new interface with the same IP and a different mDNS profile. When I went to delete the test mDNS profile, the WLC complained that it is still attached to the deleted interface.
So how do I delete this mDNS profile? Do I need a reboot of the WLC?
After I did this on one controller, I removed the profile first from the other WLCs before I deleted the interface; that worked with no problem.
Here is some info:
(WLC1) config>mdns profile delete APPLETV
Requested Profile is in use by an Interface/Interface Group/WLAN.
Use 'show mdns profile detailed <profileName>' to list the Interface/Interface Group/WLAN mapped to the profile.
(WLC1) >show mdns profile detailed APPLETV
Profile Name..................................... APPLETV
Profile Id....................................... 1
No of Services................................... 2
Services......................................... AirTunes
AppleTV
No. Interfaces Attached.......................... 1
Interfaces....................................... ms-outdoor
No. Interface Groups Attached.................... 0
No. Wlans Attached............................... 0
(WLC1) config>interface mdns-profile ms-outdoor none
(WLC1) >show mdns profile detailed APPLETV
Profile Name..................................... APPLETV
Profile Id....................................... 1
No of Services................................... 2
Services......................................... AirTunes
AppleTV
No. Interfaces Attached.......................... 1
Interfaces....................................... ms-outdoor
No. Interface Groups Attached.................... 0
No. Wlans Attached............................... 0
I delete the interface here!
(WLC1) >show mdns profile detailed APPLETV
Profile Name..................................... APPLETV
Profile Id....................................... 1
No of Services................................... 2
Services......................................... AirTunes
AppleTV
No. Interfaces Attached.......................... 1
Interfaces.......................................
No. Interface Groups Attached.................... 0
No. Wlans Attached............................... 0
(WLC1) >config
(WLC1) config>mdns profile delete APPLETV
Requested Profile is in use by an Interface/Interface Group/WLAN.
Use 'show mdns profile detailed <profileName>' to list the Interface/Interface Group/WLAN mapped to the profile.
Any help would be appreciated. I will try reloading the WLC tonight when no users are around to see if that helps to clear out the faulting info.
You're hitting
CSCuf56192 Unable to delete a mdns profile in a particular case
When an mdns profile is mapped to an interface and if the interface is deleted without detaching the mdns profile, the profile shows that it is still attached to an interface and doesn't allow the deletion of profile. -
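The stale state described in the reply above can be recognised from the `show mdns profile detailed` output itself: the attached-interface count stays at 1 while the interface list is empty. The following Python check is an added example, not code from Cisco or from the posters; the sample text is constructed from the output layout quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed samples that follow the 'show mdns profile detailed' layout
# quoted in the thread (before and after the interface was deleted).
BEFORE_DELETE = """\
Profile Name..................................... APPLETV
Profile Id....................................... 1
No of Services................................... 2
Services......................................... AirTunes
AppleTV
No. Interfaces Attached.......................... 1
Interfaces....................................... ms-outdoor
No. Interface Groups Attached.................... 0
No. Wlans Attached............................... 0
"""
AFTER_DELETE = BEFORE_DELETE.replace(" ms-outdoor", "")

# "Field name", a dotted leader of two or more dots, then an optional value.
_FIELD = re.compile(r"^(.+?)\.{2,}\s*(.*)$")


def parse_profile(text):
    """Return {field: [values]}. A line without a dotted leader continues
    the previous field (for example the second service name)."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):  # blank line or CLI prompt
            continue
        m = _FIELD.match(line)
        if m:
            last = m.group(1).strip()
            value = m.group(2).strip()
            fields[last] = [value] if value else []
        elif last is not None:
            fields[last].append(line)
    return fields


def _count(fields, key):
    values = fields.get(key, [])
    return int(values[0]) if values and values[0].isdigit() else 0


def attachment_state(text):
    """Classify a profile as 'free', 'attached' or 'stale'.

    'stale' means the counter reports more interfaces than are listed by
    name, which is the symptom the thread shows after the interface was
    deleted without detaching the profile first."""
    f = parse_profile(text)
    n_if = _count(f, "No. Interfaces Attached")
    names = f.get("Interfaces", [])
    others = (_count(f, "No. Interface Groups Attached")
              + _count(f, "No. Wlans Attached"))
    if n_if > len(names):
        return "stale", names
    if n_if or others:
        return "attached", names
    return "free", names


if __name__ == "__main__":
    for label, sample in (("before", BEFORE_DELETE), ("after", AFTER_DELETE)):
        print(label, attachment_state(sample))
```

Running the check against every profile before deleting an interface shows which profiles still need to be detached, which is the order that worked on the poster's other controllers.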
VLAN Override and Web Auth: How to overcome issues?
Hello
I have been investigating if we can deploy vlan override and assign a user vlan via RADIUS, post authentication on a WRD SSID. Having read around the discussions, I can see that there are others who have wanted similar, but have been told that it is not possible:
"Marucho, the particularity of how Web authentication works on the WLC is that it is carried over HTTP between Client and WLC. So the Wireless Client has to already have an IP address prior to starting the web authentication. Since the Wireless Client already has an IP address then you cannot override it anymore.
Unlike dot1x, which takes place over EAPOL and then when you have eap success, client moves to get an ip address from the sent by Radius VLAN."
However, we still have a problem that we would like to overcome and wonder if anyone has any experience or suggestions they could share?
We are a University with a large number of devices grabbing an IP address whilst only remaining associated and not actually going on to authenticate through the WRD. This creates a situation where we have a large number of IP addresses deployed unnecessarily and we would like to tackle this.
We are unable to use private IP for authenticated users (Policy decision) but could use them for associated users and so were hoping we might be able to deploy a private subnet on the WRD SSID prior to authentication and then use VLAN override to assign authenticated users onto the correct VLAN. In order to try and achieve this we were planning on using a very short DHCP lease on the private subnet, so that post-authentication the client device requests a public IP address almost instantly.
Is there any way of achieving this that someone could suggest, or would we be knocking our heads against a brick wall?
Thanks
Bryn
Just giving 2 ideas:
- How about using a WPA PSK on your webauth SSID? Just give the PSK in the SSID name. This prevents non-intended connections (no automatic association because it's open ssid) and still allows anyone with an intention to connect to it, and you still have the webauth behind. This reduces the number of IP addresses.
- How about modifying the webauth successful authentication page to give the credentials to access a private network (PSK or dot1x) where credentials would regularly change?
Those are workarounds.
Nicolas
-
WCSs (5.0.148) lose Terminal, Webfrontend and Web Auth
Hello,
3xWCS 4404 with 5.0.148 and WCS 5.0.56.
After several days, I was not able to connect to the telnet, SSH and webfrontend interfaces on all controllers. I tried management and service-port IPs. But I get ping responses from the interfaces and the Wireless LANs are also working, except the Web Authentication, which is now configured to relay the user to a special url.
In the release notes (http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn501480.html#wp234299) was a caveat (CSCsi30541), but it occurs when you create a new dynamic interface, which I didn't.
The controllers respond to the WCS, so I was able to reboot them via the WCS. After that the situation is normal, until the next time.
Three weeks ago, I installed 5.0 on one of the three WCS. One week ago, I installed it on the other two. This problem occurs on the first WLC for the second time, so I assume, it can happen again.
Any ideas what could be the reason?
p.k.
It is a bug in 5.0... The controller will only respond to SNMP. The workaround is to reboot. This is a bug if you are using WebAuth. I would open a TAC case to see if they have a workaround as of yet, which most likely will be an ER.
-
Hello,
We've got a problem with the AP (AIR CAP 1602I) which is managed by WLC 5508 (7.4.100.60).
Users connect to the AP with VoIP phones (Avaya), and there are the following problems during calls:
- robot voice
- strong noise (even if call is not made, just speaker is on)
Strange thing is that there is no problem with older APs which are managed with the same WLC.
Any idea?
Thanks in advance
Well, that can be a cause also. I would look at using 7.4.110.0 which is MR1. If that doesn't help, then open a TAC case as it might be something else. Going to v7.5 I don't think will fix the issue.
Many times I would go to the manufacturer and find out if they support a certain code or not. It's nice when they do test to make sure it still works. Some manufacturers do test and will suggest code versions, and that's when you have to decide if the 1602 was really needed or just keep adding 1262's since there was only 3 added.
Sent from Cisco Technical Support iPhone App
-
Hello,
I am an engineer working with a Cisco Gold Partner in Saudi Arabia. We have a large university as our client where they are constructing a new
building and require our services to build the network infrastructure. Therefore, we are to implement the routing and switching infrastructure as
well as the Wireless solution.
At present, I have no issues in implementing the R&S infrastructure as it is very straight forward but it has implications on the deployment of
the wireless solution which I explain further below. The R&S infrastructure comprises of the typical Core, Distribution, and Access layers and we
are focusing on the local distribution and access switches with regards to the new building. The client has a converged Layer 3 network spanning
from distribution layer to core layer and they are running EIGRP for this convergence. This is not a problem and has already been implemented.
Yet, the challenge arises in deploying the WLAN infrastructure. The client already has a Cisco WLAN infrastructure in place where they have a
large number of LAPs that are registered with their controllers in the Data Center. They have two WLC 5508 where one is the Primary and the other
the Secondary. The local distribution switch to which the WLC are connected also is the gateway for the SVIs for the SSIDs that are configured on
the controllers. This means that once the packets from the AP come in to the WLC, they are tagged with the correct VLAN and sent to the directly
connected distribution switch which then routes it into the rest of the Layer 3 network. Interestingly, the WLC 5508 are running AireOS 7.6 and
support the "New Mobility" feature. The two controllers have formed a Mobility Group (MG) between each other.
Now, the new building will have two Catalyst 3850 switches installed where each one has a total of 40 AP licenses pre-installed and activated
i.e. a total of 80 APs can be supported by the two switches. A total of 67 LAPs will be deployed in the new building which can be accommodated
between the two switches and their integrated controller.
Yet, based on my understanding and research about Converged Access is that, ideally, the Catalyst 3850 will only run the Mobility Agent (MA)
feature while a central controller would provide the Mobility Controller (MC) service. Unfortunately, there are not enough licenses on the
existing WLC 5508 nor can we migrate the new licenses that will facilitate such a split deployment.
This means that I would need to configure the two Catalyst 3850 as independent MC and form a MG between them. I have done this and tested this
already and the mobility is working fine. But my concern is not about getting the Catalyst 3850 to work as this is simple but rather it is
focused on creating a common Mobility Domain (MD) so that clients can roam from this new building to the rest of the campus while maintaining the
state of their connections to the WLAN infrastructure.
To make things more complicated, since the new building will have its own Layer 3 distribution switch and the Catalyst 3850 switches will connect
to this distribution switch, it means that new VLANs and SVIs need to be created for the SSIDs broadcast in the new building. This means that new
subnets need to be assigned to the SSIDs.
As such, I have the following questions:
Q1) If we create new SVIs for the SSIDs (same SSIDs names will be used in the new building as in the rest of the university campus) this means
that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s to be in the same MG
as the existing WLC 5508 which then cater for Layer 3 client roaming or I have to treat this as a totally separate WLAN network and follow on to
the solution as per the next question. Please advise which is a better option?
Q2) I could create separate MG i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can
then have one of the existing WLC 5508 (the primary one) to run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD).
Would this facilitate in Layer 3 client roaming and RRM for all the controllers in the same MD?
Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
Please advise at your earliest. To assist further, I have attached a topology diagram which may aid in explaining the situation with more
clarity. If these things are clarified, I will be better able to wrap my head around the technology and in turn service my clients better.
Regards,
Amir
Hi Amir,
Q1) If we create new SVIs for the SSIDs (same SSIDs names will be used in the new building as in the rest of the university campus) this means that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s to be in the same MG as the existing WLC 5508 which then cater for Layer 3 client roaming or I have to treat this as a totally separate WLAN network and follow on to the solution as per the next question. Please advise which is a better option?
I would configure them in the same mobility group. Also configure same SPG for those two 3850 stacks if users are frequently roaming within these two buildings.
Q2) I could create separate MG i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can then have one of the existing WLC 5508 (the primary one) to run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD). Would this facilitate in Layer 3 client roaming and RRM for all the controllers in the same MD?
MO is not required (it is only for very large scale deployments)
Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
Yes, documents are hard to find :(
These notes may be useful to you based on my experience. I am running IOS-XE 3.6.1 in my production.
http://mrncciew.com/2014/05/06/configuring-new-mobility/
http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
HTH
Rasika
*** Pls rate all useful responses ****