WLC 5508 802.1x with AES
Hi,
We have a staff WLAN on Cisco WLC 5508. We use 802.1x with TKIP with authentication from RADIUS server. We deployed new 802.11n APs but on staff WLAN we cannot enable 802.11n because of the TKIP encryption. Can we just simply change the encryption without changing any other configuration to support 802.11n data rates?
On your WLAN you can enable AES and TKIP. Just know that some clients mau have issue when they see both TKIP and AES. Ive had pretty good success with this in the past. Dont forget, you also need to enable WMM allowed to get N rates.
But you will need to configure AES on the client as well to support N rates.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
Similar Messages
-
WLC 5508 - 802.11n using 802.1X security
WLC 5508 product version: 6.0.199.4
AP: AIR-LAP1142N-S-K9
The connection can reach up to 144Mbps when using WPA2 with AES (Layer 2 security), WMM allowed (QOS). But when I use 802.1X (Layer 2 security), can only reach up to 54Mbps.
Any special setting when using 802.1X to reach 144Mbps?
Or do I need to upgrade?
Any help is very much appreciated.Change the field "layer 2 security to " WPA+WPA2"
in the below section in authentication key managment set the checkmark for "802.1X"
That should solve the issue. -
WLC 5508: 802.1 AAA override; Authenication success no dynamic vlan assignment
WLC 5508: software version 7.0.98.0
Windows 7 Client
Radius Server: Fedora Core 13 / Freeradius with LDAP storage backend
I have followed the guide at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml with respective to building the LDAP and free radius server. 802.1x authorization and authenication correctly work. The session keys are returned from the radius server and the wlc send the appropriate information for the client to generate the WEP key.
However, the WLC does not override the VLAN assignment, even though I was to believe I set everything up correctly. From the packet capture, you can see that verfication of client is authorized to use the WLAN returns the needed attributes:
AVP: l=4 t=Tunnel-Private-Group-Id(81): 10
AVP: l=6 t=Tunnel-Medium-Type(65): IEEE-802(6)
AVP: l=6 t=Tunnel-Type(64): VLAN(13)
I attached a packet capture and wlc config, any guidance toward the attributes that may be missing or not set correctly in the config would be most appreciated.Yes good catch, so I had one setting left off in freeradius that allowed the inner reply attributes back to the outer tunneled accept. I wrote up a medium high level config for any future viewers of this thread:
The following was tested and verified on a fedora 13 installation. This is a minimal setup; not meant for a "live" network (security issues with cleartext passwords, ldap not indexed properly for performance)
Install Packages
1. Install needed packages.
yum install openldap*
yum install freeradius*
2. Set the services to automatically start of system startup
chkconfig --level 2345 slapd on
chkconfig --level 2345 radiusd on
Configure and start LDAP
1. Copy the needed ladp schemas for radius. Your path may vary a bit
cp /usr/share/doc/freeradius*/examples/openldap.schema /etc/openldap/schema/radius.schema
2. Create a admin password for slapd. Record this password for later use when configuring the slapd.conf file
slappasswd
3. Add the ldap user and group; if it doesn't exisit. Depending on the install rpm, it may have been created
useradd ldap
groupadd ldap
4. Create the directory and assign permissions for the database files
mkdir /var/lib/ldap
chmod 700 /var/lib/ldap
chown ldap:ldap /var/lib/ldap
5. Edit the slapd.conf file.
cd /etc/openldap
vi slapd.conf
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#Default needed schemas
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
#Radius include
include /etc/openldap/schema/radius.schema
#Samba include
#include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# ldbm and/or bdb database definitions
#Use the berkely database
database bdb
#dn suffix, domain components read in order
suffix "dc=cisco,dc=com"
checkpoint 1024 15
#root container node defined
rootdn "cn=Manager,dc=cisco,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
rootpw
{SSHA}
cVV/4zKquR4IraFEU7NTG/PIESw8l4JI
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools. (chown ldap:ldap)
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index uid,memberUid eq,pres,sub
# enable monitoring
database monitor
# allow onlu rootdn to read the monitor
access to *
by dn.exact="cn=Manager,dc=cisco,dc=com" read
by * none
6. Remove the slapd.d directory
cd /etc/openldap
rm -rf slapd.d
7. Hopefully if everything is correct, should be able to start up slapd with no problem
service slapd start
8. Create the initial database in a text file called /tmp/initial.ldif
dn: dc=cisco,dc=com
objectClass: dcobject
objectClass: organization
o: cisco
dc: cisco
dn: ou=people,dc=cisco,dc=com
objectClass: organizationalunit
ou: people
description: people
dn: uid=jonatstr,ou=people,dc=cisco,dc=com
objectClass: top
objectClass: radiusprofile
objectClass: inetOrgPerson
cn: jonatstr
sn: jonatstr
uid: jonatstr
description: user Jonathan Strickland
radiusTunnelType: VLAN
radiusTunnelMediumType: 802
radiusTunnelPrivateGroupId: 10
userPassword: ggsg
9. Add the file to the database
ldapadd -h localhost -W -D "cn=Manager, dc=cisco,dc=com" -f /tmp/initial.ldif
10. Issue a basic query to the ldap db, makes sure that we can request and receive results back
ldapsearch -h localhost -W -D cn=Manager,dc=cisco,dc=com -b dc=cisco,dc=com -s sub "objectClass=*"
Configure and Start FreeRadius
1. Configure ldap.attrmap, if needed. This step is only needed if we need to map and pass attributes back to the authenicator (dynamic vlan assignments as an example). Below is an example for dynamic vlan addresses
cd /etc/raddb
vi ldap.attrmap
For dynamic vlan assignments, verify the follow lines exist:
replyItem Tunnel-Type radiusTunnelType
replyItem Tunnel-Medium-Type radiusTunnelMediumType
replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
Since we are planning to use the userpassword, we will let the mschap module perform the NT translations for us. Add the follow line to check ldap object for userpassword and store as Cleartext-Password:
checkItem Cleartext-Password userPassword
2. Configure eap.conf. The following sections attributes below should be verified. You may change other attributes as needed, they are just not covered in this document.
eap
{ default_eap_type = peap ..... }
tls {
#I will not go into details here as this is beyond scope of setting up freeradisu. The defaults will work, as freeradius comes with generated self signed certificates.
peap {
default_eap_type = mschapv2
#you will have to set this to allowed the inner tls tunnel attributes into the final accept message
use_tunneled_reply = yes
3. Change the authenication and authorization modules and order.
cd /etc/raddb/sites-enabled
vi default
For the authorize section, uncomment the ldap module.
For the authenicate section, uncomment the ldap module
vi inner-tunnel
Very importants, for the authorize section, ensure the ldap module is first, before mschap. Thus authorize will look like:
authorize
{ ldap mschap ...... }
4. Configure ldap module
cd /etc/raddb/modules
ldap
{ server=localhost identify = "cn=Manager,dc=cisco,dc=com" password=admin basedn="dc=cisco,dc=com" base_filter = "(objectclass=radiusprofile)" access_attr="uid" ............ }
5. Start up radius in debug mode on another console
radiusd -X
6. radtest localhost 12 testing123
You should get a Access-Accept back
7. Now to perform an EAP-PEAP test. This will require a wpa_supplicant test libarary called eapol_test
First install openssl support libraries, required to compile
yum install openssl*
yum install gcc
wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.10.tar.gz
tar xvf wpa_supplicant-0.6.10.tar.gz
cd wpa_supplicant-0.6.10/wpa_supplicant
vi defconfig
Uncomment CONFIG_EAPOL_TEST = y and save/exit
cp defconfig .config
make eapol_test
cp eapol_test /usr/local/bin
chmod 755 /usr/local/bin/eapol_test
8. Create a test config file named eapol_test.conf.peap
network=
{ eap=PEAP eapol_flags=0 key_mgmt=IEEE8021X identity="jonatstr" password="ggsg" \#If you want to verify the Server certificate the below would be needed \#ca_cert="/root/ca.pem" phase2="auth=MSCAHPV2" }
9. Run the test
eapol_test -c ~/eapol_test.conf.peap -a 127.0.0.1 -p 1812 -s testing123 -
Cisco WLC 2500 - 802.1x with Vasco Radius SMS OTP
Hello folks,
I have what seems to be a complex implementation with many things that need to be done on a customers network and I wanted to be pointed in the right direction.
The current scenario is such, the customer has a Cisco WLC 2500 device that has 3 access points(these are in the same AP group) connected to it. There is one SSID that I will call PRODUCTION here that some domain users use to connect to the local network. The customer has requested to have a GUEST SSID added to the WLC where guest users will connect to and recieve a SMS OTP for authentication.
Correct me if I am wrong, but I will obviously need to segment the SSIDs to have them running on different subnets to ensure that guest users do not have access to the production network once they authenticate. In order to do this I will need to configure Dynamic VLAN assignment for the Cisco WLC and connect it to a 802.1x port on the switch.
Now what is not clear is I am not interested in authenticating the users that connect via "Production SSID" and want to bypass authentication for those users and have them assigned to the default vlan (or maybe perhaps have them authenticate via LDAP on the AD), however I want to force the "GUEST" SSID users to authenticate so that they may recieve an SMS OTP (reason for this is to force guests to register their phone numbers to use the internet so that Illegal activity may be tracked).
1)So would it be possible to bypass authentication(or authenticate them via LDAP) for the PRODUCTION SSID as only domain users would know the SSID password to log on and have them by default assigned to the production subnet (default vlan) but force the GUEST SSID users to another VLAN via 802.1x sms otp?
2)*Important* Another issue that is not clear is will I be able to directly configure AAA Radius settings on the Cisco WLC to directly authenticate with the VASCO Radius OTP and recieve a challenge-response(required for OTP) during authentication? As I have seen from Ciscos Dynamic VLAN assignment docuementation (http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml) additional IETF Radius Perimeters are used such as Tunnel-Private-Group-ID etc are used which I can't seem to configure on the Vasco.
I do beileve this is a great project in helping me understand the INs and OUTs of CISCO WLC as well as Wireless NAC, If anyone could enlighten me and point me in the right direction I would be forever in debt. Much appreciated.
Best Regards
Sinan Barghouthi - JNCIA-FWV , JNCIA-IDP , CCA-NS , TCSM-8.0On your WLAN you can enable AES and TKIP. Just know that some clients mau have issue when they see both TKIP and AES. Ive had pretty good success with this in the past. Dont forget, you also need to enable WMM allowed to get N rates.
But you will need to configure AES on the client as well to support N rates.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection." -
WLC 5508 not communicating with ACS 4.2
Hi,
Strange one here, I have setup a WLAN with PEAP user authentication through ACS to the Windows database. My clients cannot connect to the WLAN.
From the logs, I can see no activity on the Radius server stats (as seen from the controller) and no failed login attempts on the ACS itself. The ACS/Radius is setup correctly on the controller and the controller can ping the ACS, but they just don't seem to be talking???
I have used this setup before, but the only difference is that the controller is a 5508 (done this with 4400's in the past) and the ACS is running on VMWare (Never done this before).
If I change the security to WPA2 PSK it works fine.
I want to use PEAP for user authentication. NOT Machine auth. I have a certificate installed on the ACS and it is in the trust list of the client PC.
Any help appreciated!
DanNoble,
Here are a few links...
http://www.cisco.com/en/US/docs/wireless/controller/6.0/configuration/guide/c60sol.html
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807f42e9.shtml
If you find this helpful, please rate the post!
Thanks -
In WLC 5508 HA Issue with Russia IOS Image
Hi,
I have two 5508 WLC IOS code 7.6.120.0 in the both wlc I am having the same code. But in the one wlc i am having Russia image as below mention...
Cisco Unified Wireless Network Software Release 7.6 for Cisco 5500 Series Wireless LAN Controllers with Licensed Payload Encryption.Only Recommended for Russia Where Data DTLS Payload Encryption is Regulated by the Government. AIR-CT5500-LDPE-K9-7-6-120-0.aes & in the 2nd wlc Cisco Unified Wireless Network Software Release 7.6 for Cisco 5500 Series Wireless LAN Controllers.
AIR-CT5500-K9-7-6-120-0.aes. In this case can I configure HA one like as primary & 2nd wlc as standby mode use the same license in the both wlc. I bye it two separately box before 2 years.
IOS code will be the same but image is change. It's possible for HA. When I buy it that time both wlc ios code is 7.0.X.X & 7.5.X.X.
If possible then how can do for the same. or it's not possible. I am try to convert as normal ios code but it's not accepted. Only upgrade with Russia ios code.
Help me out please.....
Thanks & Regards,
Rahul WankhadeHI Rahul,
Yes you can configure WLC as HA.
*** Diff of images:
–Licensed DTLS— AS_5500_LDPE_x_x_x_x.aes
–Non licensed DTLS— AS_5500_x_x_x_x.aes
HA Config:
1. Either you must have enough AP licencse on both.
http://rscciew.wordpress.com/2014/01/22/ap-failover/
2. Or you must have 2nd wlc with minimium 50AP licence to convert it to HA SKU.
http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-5/High_Availability_DG.html
Regards
Dont forget to rate helpful posts -
WLC 5508 series issues with APs
Hi All,
we recently upgrade our WLC to a new hardware 5508 running 7.6.120.0 and we seem to notice
now and then users ring up and complain that they can not connect to the APs most are AIR-CAP3502I-N-K9 or AIR-LAP1242AG-N-K9
We can see the APs in the controller and can not see anything wrong.
We reboot the APs and it fix the problems.
Just wondering if anybody experience the same issues with this IOS & hardware ???
Any feedback is much appreciated
Thanks
qleCisco has issued a "deferred notice" for 7.6.120.X. Cisco openly recommends everyone to use the newer code, 7.6.130.X.
If you "read between the lines", Cisco is saying everyone needs to AVOID 7.6.120.X. -
Config RADIUS on WLC 5508 - Problems comunication with NPS Server
Hi,
I'm facing some problems when configuring RADIUS auth with a NPS Windows Server.
My WLAN interface is in a different vlan than the management interface, is that a problem?
I want this wlan to be on a different vlan from the management. When i use wlan interface in the same vlan the RADIUS works without problems. But in different vlans is not working.
The NPS server as 2 NICs, 1 for the wireless vlan, and another for the management vlan.
the logs from the WLC shows this, but i have difficulties interpreting all this data:
*apfMsConnTask_0: Dec 29 12:49:14.636: Association request from the P2P Client Process P2P Ie and Upadte CB
*apfMsConnTask_5: Dec 29 12:49:36.607: 3c:c2:43:94:3e:bc Adding mobile on LWAPP AP d4:d7:48:45:fb:20(0)
*apfMsConnTask_5: Dec 29 12:49:36.607: 3c:c2:43:94:3e:bc Association received from mobile on AP d4:d7:48:45:fb:20
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Applying site-specific Local Bridging override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Applying Local Bridging Interface Policy for station 3c:c2:43:94:3e:bc - vlan 900, interface id 16, interface 'wlan'
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Applying site-specific override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc STA - rates (8): 130 132 139 12 18 150 24 36 0 0 0 0 0 0 0 0
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Processing RSN IE type 48, length 20 for mobile 3c:c2:43:94:3e:bc
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Received RSN IE with 0 PMKIDs from mobile 3c:c2:43:94:3e:bc
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Setting active key cache index 8 ---> 8
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc unsetting PmkIdValidatedByAp
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) DHCP required on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8for this client
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Not Using WMM Compliance code qosCap 00
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8 flex-acl-name:
*apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc apfMsAssoStateInc
*apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc apfPemAddUser2 (apf_policy.c:270) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Idle to Associated
*apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc Sending Assoc Response to station on BSSID d4:d7:48:45:fb:20 (status 0) ApVapId 8 Slot 0
*apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc apfProcessAssocReq (apf_80211.c:6309) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Associated to Associated
*dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc Station 3c:c2:43:94:3e:bc setting dot1x reauth timeout = 0
*dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc Stopping reauth timeout for 3c:c2:43:94:3e:bc
*dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
*dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 1)
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.684: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.684: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.684: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 2)
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Received EAPOL EAPPKT from mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Received Identity Response (count=2) from mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc EAP State update from Connecting to Authenticating for mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Authenticating state
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Entering Backend Auth Response state for mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.794: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.794: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Aborting state
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 4)
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Reached Max EAP-Identity Request retries (3) for STA 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Sent Deauthenticate to mobile on BSSID d4:d7:48:45:fb:20 slot 0(caller 1x_auth_pae.c:3165)
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Scheduling deletion of Mobile Station: (callerId: 6) in 10 seconds
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Disconnected state
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Not sending EAP-Failure for STA 3c:c2:43:94:3e:bc
*apfMsConnTask_5: Dec 29 12:49:55.518: 3c:c2:43:94:3e:bc Association received from mobile on AP d4:d7:48:45:fb:20
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Applying site-specific Local Bridging override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Applying Local Bridging Interface Policy for station 3c:c2:43:94:3e:bc - vlan 900, interface id 16, interface 'wlan'
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Applying site-specific override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc STA - rates (8): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Processing RSN IE type 48, length 20 for mobile 3c:c2:43:94:3e:bc
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Received RSN IE with 0 PMKIDs from mobile 3c:c2:43:94:3e:bc
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Setting active key cache index 8 ---> 8
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc unsetting PmkIdValidatedByAp
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Initializing policy
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) DHCP required on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8for this client
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Not Using WMM Compliance code qosCap 00
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8 flex-acl-name:
*apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc apfPemAddUser2 (apf_policy.c:270) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Associated to Associated
*apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc Sending Assoc Response to station on BSSID d4:d7:48:45:fb:20 (status 0) ApVapId 8 Slot 0
*apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc apfProcessAssocReq (apf_80211.c:6309) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Associated to Associated
*dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc Station 3c:c2:43:94:3e:bc setting dot1x reauth timeout = 0
*dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc Stopping reauth timeout for 3c:c2:43:94:3e:bc
*dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
*dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 1)
*Dot1x_NW_MsgTask_4: Dec 29 12:49:55.592: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:55.592: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
*Dot1x_NW_MsgTask_4: Dec 29 12:49:55.592: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 2)yes, I thought of that. But if i use a simple password authentication on the wireless, i can reach the server with the same subnet interface. But i don't want to allow this subnet to acess the management subnet of the wireless controller.
One question i have is: The WLC uses whitch subnet on radius? Uses the subnet of the wireless interface or uses always the management interface?
Could you help me understand how the radius auth works with this wireless controller? Did you see anything strange in the logs that I posted above? It seems to run ok until:
dot1x - moving mobile 3c:c2:43:94:3e:bc into Authenticating state
Entering Backend Auth Response state for mobile 3c:c2:43:94:3e:bc
Received EAPOL START from mobile 3c:c2:43:94:3e:bc
dot1x - moving mobile 3c:c2:43:94:3e:bc into Aborting state
I also note this: "Applying Local Bridging Interface Policy for station "
What does this means? -
WLC 5508 and Multiple DHCP servers in different sites?
Hi
I work for health authority in our region and we just purchased a Cisco wlc 5508 controller along with 25 3500 AP's. We have multiple sites with different IP subnets in each, all connected by a frame relay (owned by ISP). Each site has its own DHCP server. I have the controller in our main site. So when I take an AP to a remote site, the Ap gets an DHCP address from local DHCP server (which is great) and contacts controller and joins controller. Everything is good. BUT, when a client joins at the remote site, it gets an address from a previous site which will not work because the client is now on a different subnet. We dont use Vlans as they dont transvers the frame relay. I need those clients to obtain DHCP from the local DHCP server from the site they are on. Is that possible??
I have updated the controller to latest version as well.
Thanks
Bryan Yaciuk, CCNA
Parkland Regional Health AuthorityWe call this as HREAP LOCAL SWITCHING!! but here is the catch.. everytime the AP joins the new site.. we need to configure the VLAN mapping and this wil do it for you!! Here is the link which will resolve ur issue..
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807cc3b8.shtml#ll
Lemme know if this answered ur question and please dont forget to rate the usefull posts!!
Regards
Surendra -
Hello everyone!
I have a controller of the 5508 series and Ap 1602.
Ap manage to obtain IP addresses from the DHCP server that is the 5508 controller.
but the Rev fail to register, please I really vesoin help.
Below are some show:
1. AP: sh version
AP0006.f6d5.ea9c#sh version
Cisco IOS Software, C1600 Software (AP1G2-RCVK9W8-M), Version 15.2(2)JB, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 11-Dec-12 04:52 by prod_rel_team
ROM: Bootstrap program is C1600 boot loader
BOOTLDR: C1600 Boot Loader (AP1G2-BOOT-M) LoaderVersion 15.2(2)JAX, RELEASE SOFTWARE (fc1)
AP0006.f6d5.ea9c uptime is 38 minutes
System returned to ROM by power-on
System image file is "flash:/ap1g2-rcvk9w8-mx/ap1g2-rcvk9w8-mx"
Last reload reason:
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
cisco AIR-CAP1602E-E-K9 (PowerPC) processor (revision A0) with 98294K/32768K bytes of memory.
Processor board ID FGL1709Z6PC
PowerPC CPU at 533Mhz, revision number 0x2151
Last reset from power-on
LWAPP image version 7.4.1.37
1 Gigabit Ethernet interface
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:06:F6:D5:EA:9C
Part Number : 73-14508-04
PCA Assembly Number : 000-00000-00
PCA Revision Number :
PCB Serial Number : FOC17020MTR
Top Assembly Part Number : 800-38553-01
Top Assembly Serial Number : FGL1709Z6PC
Top Revision Number : A0
Product/Model Number : AIR-CAP1602E-E-K9
Configuration register is 0xF
2. AP: sh ip interface brief
Interface IP-Address OK? Method Status Protocol
BVI1 unassigned YES DHCP up up
GigabitEthernet0 unassigned NO unset up up
GigabitEthernet0.1 unassigned YES unset up up
3. AP: sh inventory
---nothing---
4. WLC: sh sysinfo
(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.3.101.0
Bootloader Version............................... 1.0.1
Field Recovery Image Version..................... 6.0.182.0
Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
Build Type....................................... DATA + WPS
System Name...................................... WLC-EEML
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
Redundancy Mode.................................. Disabled
IP Address....................................... 10.10.10.1
Last Reset....................................... Software reset
System Up Time................................... 1 days 1 hrs 13 mins 37 secs
System Timezone Location.........................
Configured Country............................... US - United States
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +39 C
--More-- or (q)uit
External Temperature............................. +25 C
Fan Status....................................... OK
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 1
Number of Active Clients......................... 0
Burned-in MAC Address............................ E0:2F:6D:5D:7D:C0
Power Supply 1................................... Present, OK
Power Supply 2................................... Absent
Maximum number of APs supported.................. 25
5. WLC: sh time
Time............................................. Fri Jan 3 12:21:37 2014
Timezone delta................................... 0:0
Timezone location................................
NTP Servers
NTP Polling Interval......................... 86400
Index NTP Key Index NTP Server NTP Msg Auth Status
also, I'm in africa but
I can not change the country or the time zone
thank you in advance for your helpHi,
By CLI:
Before change the country code on wlc , You must disable
WLC > config 802.11a disable network
WLC >config 802.11b disable network
WLC >config country SA (...or wtever country u are in)
And then enable both network again.
WLC >config 802.11a enable network
WLC >config 802.11b enable network
By GUI:
First disable both network 802.11a and 802.11b
Follow these steps to disable the 802.11a and 802.11b/g networks as follows:
a. Choose Wireless> 802.11a/n > Network.
b. Unselect the 802.11a Network Status check box.
c. Click Apply to commit your changes.
d. Choose Wireless > 802.11b/g/n > Network.
e. Unselect the 802.11b/g Network Status check box.
f. Click Apply to commit your changes.
Change country code on WLC now:
Choose Wireless > Country
after changing the country code please enable both networks(802.11a and 802.11b)
Hope it helps.
Regards
Dont forget to rate helpful posts. -
WLC 5508 with LAP-1142n - Several Errors
Hello all,
I had installed a WLC 5508 with 7 LAP 1142n and 2 converted AP 1131abg.
I am seeing some errors relating 2 issues.
1st- One particular AP 1142 is disassociating and reseting the radios.
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman","serif";}
Thu Oct 28 11:50:49 2010
AP's Interface:0(802.11b) Operation State Up: Base Radio MAC:e8:04:62:23:ac:e0 Cause=Radio interface reset. Status:NA
Thu Oct 28 11:50:49 2010
AP's Interface:0(802.11b) Operation State Down: Base Radio MAC:e8:04:62:23:ac:e0 Cause=Radio interface reset. Status:NA
Thu Oct 28 11:50:49 2010
AP's Interface:1(802.11a) Operation State Up: Base Radio MAC:e8:04:62:23:ac:e0 Cause=Radio interface reset. Status:NA
Thu Oct 28 11:50:49 2010
AP's Interface:1(802.11a) Operation State Down: Base Radio MAC:e8:04:62:23:ac:e0 Cause=Radio interface reset. Status:NA
Thu Oct 28 11:50:46 2010
AP's Interface:1(802.11a) Operation State Up: Base Radio MAC:e8:04:62:23:ac:e0 Cause=Radio reset due to Init. Status:NA
Thu Oct 28 11:50:46 2010
AP's Interface:0(802.11b) Operation State Up: Base Radio MAC:e8:04:62:23:ac:e0 Cause=Radio reset due to Init. Status:NA
Thu Oct 28 11:50:46 2010
AP 'AP3', MAC: e8:04:62:23:ac:e0 disassociated previously due to AP Reset. Uptime: 1 days, 10 h 24 m 23 s . Last reset reason: operator changed 11g mode.
Thu Oct 28 11:50:35 2010
AP Disassociated. Base Radio MAC:e8:04:62:23:ac:e0
Thu Oct 28 11:50:35 2010
AP's Interface:1(802.11a) Operation State Down: Base Radio MAC:e8:04:62:23:ac:e0 Cause=New Discovery Status:NA
Thu Oct 28 11:50:35 2010
AP's Interface:0(802.11b) Operation State Down: Base Radio MAC:e8:04:62:23:ac:e0 Cause=New Discovery Status:NA
I had some search, and the new discovery cause, might be that the AP didnt know what WLC do associate, in a multi-controller environment. This is not the case. I only have one WLC in the same management vlan.
2st-The Radius server is beeing related in the logs as been deactivated. I raise the server time-out on Radius configuration option, but it still continues to do it.
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman","serif";}
Thu Oct 28 10:24:41 2010
RADIUS server 10.67.128.36:1812 deactivated in global list
Thu Oct 28 10:24:41 2010
RADIUS server 10.67.128.36:1812 failed to respond to request (ID 172) for client e8:06:88:51:c0:2b / user 'unknown'
Is this meaning the WLC stop sending request to the Radius Server ? We dont have BackUp Radius.
As far as i know, its always the same mac-address client that is associated to that error, maybe a iphone.
I had so many clients in that SSID and they are all working good.
The Radius server is a NPS from windows Server 2008
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman","serif";}
, and the client says that the medium response time is 0,02 sec, so im wondering why the controller is not getting response from Radius for a particular client?! My client also says, that didnt found any log related to that mac-address client ... what is weird...
WLC with last software available 7.0.164
Hope some one help me here.
Best Regards,
Bruno PetrónioThanks Scott,
I understand what you are mentioning, and i really didnt do it yet.
I realize that the primary controller was not configured on the
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman","serif";}
Wireless –> All APs –> High Availability tab, and did it only to the AP that is taking this beahviour.
Is this mandatory for a 1 controller only ?
No mather what the manual say, after that the AP is rebooting 2 mins in 2 mins... with the same kind of messages.
The interface on the switch is getting a few input errors and the same numbers of crc... but are so few...
Next step ... i will change it to another one's place/pathing cable.
Regarding the Radius messages... any ideas ?
I'm already on 30 sec's of server timeout.
Best Regards,
Bruno Petrónio -
WLC 5508 software version working with ISE1.1.2
Hi,
My understanding is that for fully WLC 5508 integration with ISE 1.1.2, it needs Version 7.2.103.0. Question is if customer has 5508 with either 7.0.230 or 7.0.98, and ISE 1.1.2, can AAA part work? what part will not work, any potential issue if they don't upgrade 5508 to 7.2.103?
Thanks in advance!
TinaPlease check the below Table:
Table 1 Supported Network Access Devices
Device
Minimum OS Version
MAB
802.1X
Web Auth
Session CoA
VLAN
DACL
SGA
IOS Sensor
CWA
LWA
Wireless LAN Controller (WLC) 2500, 5500
7.2.103.0
No6
Yes
Yes
Yes
Yes
Yes
Yes
Yes
No
Ref. Link: http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp55038 -
Deployment of WLC-5508 with 2702i-D have performance issue.
Hi Team,
We have centrally deployed WLC-5508 with 50 AP licence along with HA scenario. we have 3 locations.
1- HQ. have 26 AP with POWINJ5.
2- Branch location A- 8 AP with POWINJ5.
3. Branch location B have 8 AP with POWINJ4.
my exception is to achieve that single SSID with dynamic VLAN from group police (NPS). MY HO have 26 AP and those are working in local mode.
and branches are connected through flexconnect mode. and all are working with different-2 NPS.
Now i am facing a problem with this deployment are following.
1- branch A have performance issue.
2- HQ have performance issue.
3- i don't want to go with dedicated NPS for every location.
In order to achieve this deployment i want only single SSID with primary and secondary NPS at my HQ with dynamic VLAN for respective departmental users vlans..
above is my problem and concern. otherwise i am successfully achieving this solution with dedicated NPS with single group policy. but when i am going forward to achieve my expectation that time i am facing authentication issue at my HQ and sometimes am not able to get proper VLAN IPs. at my HQ.
kindly help me in that to understand where I am doing wrong things to achieve my expectation.
Thanks.
NalinI am facing 2 different problems.
1st issue- in existing setup we have throughput issue. (while downloading or uploading any data from the internet or Intranet, that time wireless clients are facing slowness of the Speed. and same time when i am trying from LAN i am not facing any issue)
2nd Issue- I want to achieve only single SSID with primary and secondary NPS (AD group is bind with vlan Attributes) with dynamic VLAN for respective departmental users.
for Issue no 2 i have created SSID to achieve the single ssid parameter for every location. in order to achieve i have change all access points mode local to Flexconnect mode after that i have created AP groups location wise and then create flexconnect Groups where i have mapped all the vlan through AAA VLAN-ACL mapping. created interface group and mapped all the vlans in that group.
for more understanding please go through the below mentioned CLI view.
Cisco Controller) >show wlan apgroups
Total Number of AP Groups........................ 4
Site Name........................................ GURGAON-AP-GROUP
Site Description................................. GURGAON-AP-GROUP
Venue Group Code................................. Unspecified
Venue Type Code.................................. Unspecified
NAS-identifier................................... Fractal-WLC1
Client Traffic QinQ Enable....................... FALSE
DHCPv4 QinQ Enable............................... FALSE
AP Operating Class............................... Not-configured
Capwap Prefer Mode............................... Not-configured
RF Profile
2.4 GHz band..................................... <none>
5 GHz band....................................... <none>
WLAN ID Interface Network Admission Control Radio Pol icy
3 gurgaon-interface Disabled None
--More-- or (q)uit
4 gurgaon-guest Disabled None
*AP3600 with 802.11ac Module will only advertise first 8 WLANs on 5GHz radios.
AP Name Slots AP Model Ethernet MAC Location Port Country Priority
GUR-AP-01 2 AIR-CAP2702I-D-K9 f4:4e:05:78:ae:e4 default location 1 IN 1
GUR-AP-05 2 AIR-CAP2702I-D-K9 f4:4e:05:80:b5:18 default location 1 IN 1
GUR-AP-03 2 AIR-CAP2702I-D-K9 bc:16:65:13:71:00 default location 1 IN 1
GUR-AP-07 2 AIR-CAP2702I-D-K9 f4:4e:05:80:b3:f8 default location 1 IN 1
GUR-AP-06 2 AIR-CAP2702I-D-K9 f4:4e:05:80:b3:e0 default location 1 IN 1
GUR-AP-08 2 AIR-CAP2702I-D-K9 f4:4e:05:45:78:98 default location 1 IN 1
GUR-AP-02 2 AIR-CAP2702I-D-K9 f4:4e:05:80:b3:2c default location 1 IN 1
GUR-AP-04 2 AIR-CAP2702I-D-K9 f4:4e:05:78:ae:64 default location 1 IN 1
GUR-AP-09 2 AIR-CAP2702I-D-K9 f4:4e:05:80:b4:44 default location 1 IN 1
Site Name........................................ MUMBAI-AP-GROUP
Site Description................................. MUMBAI-AP-GROUP
Venue Group Code................................. Unspecified
Venue Type Code.................................. Unspecified
--More-- or (q)uit
NAS-identifier................................... Fractal-WLC1
Client Traffic QinQ Enable....................... FALSE
DHCPv4 QinQ Enable............................... FALSE
AP Operating Class............................... Not-configured
Capwap Prefer Mode............................... Not-configured
RF Profile
2.4 GHz band..................................... <none>
5 GHz band....................................... <none>
WLAN ID Interface Network Admission Control Radio Policy
1 group for mumbai Disabled None
2 guest wifi Disabled None
*AP3600 with 802.11ac Module will only advertise first 8 WLANs on 5GHz radios.
AP Name Slots AP Model Ethernet MAC Location Port Country Priority
FAL-7-AP08 2 AIR-CAP2702I-D-K9 f0:7f:06:8d:24:d8 7th Floor 1 IN 3
--More-- or (q)uit
FAL-7-AP10 2 AIR-CAP2702I-D-K9 f0:7f:06:8d:25:18 7th Floor 1 IN 1
FAL-7-AP14 2 AIR-CAP2702I-D-K9 f0:7f:06:bf:ad:e8 7th Floor 1 IN 1
FAL-7-AP01 2 AIR-CAP2702I-D-K9 f0:7f:06:bf:b0:4c 7th Floor 1 IN 1
FAL-7-AP07 2 AIR-CAP2702I-D-K9 f0:7f:06:30:92:bc 7th Floor 1 IN 1
FAL-7-AP13 2 AIR-CAP2702I-D-K9 f0:7f:06:30:91:80 7th Floor 1 IN 1
FAL-7-AP02 2 AIR-CAP2702I-D-K9 f0:7f:06:30:91:94 7th Floor 1 IN 1
FAL-7-AP05 2 AIR-CAP2702I-D-K9 f0:7f:06:30:91:e8 7th Floor 1 IN 1
FAL-7-AP12 2 AIR-CAP2702I-D-K9 f0:7f:06:8d:25:f0 7th Floor 1 IN 3
FAL-7-AP03 2 AIR-CAP2702I-D-K9 f0:7f:06:8d:25:e4 7th Floor 1 IN 1
FAL-7-AP06 2 AIR-CAP2702I-D-K9 f0:7f:06:30:91:84 7th Floor 1 IN 3
FAL-7-AP04 2 AIR-CAP2702I-D-K9 f0:7f:06:bf:b0:14 7th Floor 1 IN 1
FAL-7-AP09 2 AIR-CAP2702I-D-K9 f0:7f:06:92:b4:c8 7th Floor 1 IN 3
FAL-7-AP11 2 AIR-CAP2702I-D-K9 f0:7f:06:30:93:08 7th Floor 1 IN 1
Site Name........................................ MUMBAI-THIRD-FLOOR-AP
Site Description................................. MUMBAI-THIRD-FLOOR-AP
Venue Group Code................................. Unspecified
Venue Type Code.................................. Unspecified
NAS-identifier................................... Fractal-WLC1
Client Traffic QinQ Enable....................... FALSE
--More-- or (q)uit
DHCPv4 QinQ Enable............................... FALSE
AP Operating Class............................... Not-configured
Capwap Prefer Mode............................... Not-configured
RF Profile
2.4 GHz band..................................... <none>
5 GHz band....................................... <none>
WLAN ID Interface Network Admission Control Radio Policy
1 group for mumbai Disabled None
2 guest wifi Disabled None
*AP3600 with 802.11ac Module will only advertise first 8 WLANs on 5GHz radios.
AP Name Slots AP Model Ethernet MAC Location Port Country Priority
FAL-3-AP07 2 AIR-CAP2702I-D-K9 f0:7f:06:30:91:a4 3rd Floor 1 IN 3
FAL-3-AP09 2 AIR-CAP2702I-D-K9 f0:7f:06:8d:25:94 3rd Floor 1 IN 3
FAL-3-AP11 2 AIR-CAP2702I-D-K9 f4:0f:1b:73:00:74 3rd Floor- Eurek 1 IN 3
FAL-3-AP06 2 AIR-CAP2702I-D-K9 f0:7f:06:bf:ae:d0 3rd Floor 1 IN 3
--More-- or (q)uit
FAL-3-AP10 2 AIR-CAP2702I-D-K9 f0:7f:06:92:b5:88 3rd Floor 1 IN 3
FAL-3-AP08 2 AIR-CAP2702I-D-K9 f0:7f:06:92:b4:9c 3rd Floor 1 IN 3
FAL-3-AP03 2 AIR-CAP2702I-D-K9 f0:7f:06:bf:af:a0 3rd Floor 1 IN 1
FAL-3-AP12 2 AIR-CAP2702I-D-K9 f0:7f:06:92:b3:fc 3rd Floor- Eurek 1 IN 3
FAL-3-AP02 2 AIR-CAP2702I-D-K9 f0:7f:06:8d:25:28 3rd Floor 1 IN 3
FAL-3-AP01 2 AIR-CAP2702I-D-K9 f0:7f:06:92:b4:f4 3rd Floor 1 IN 3
FAL-3-AP04 2 AIR-CAP2702I-D-K9 f0:7f:06:30:92:8c 3rd Floor 1 IN 2
FAL-3-AP05 2 AIR-CAP2702I-D-K9 f0:7f:06:30:91:f4 3rd Floor 1 IN 3
Site Name........................................ RAHEJA-AP-GROUP
Site Description................................. RAHEJA-AP-GROUP
Venue Group Code................................. Unspecified
Venue Type Code.................................. Unspecified
NAS-identifier................................... Fractal-WLC1
Client Traffic QinQ Enable....................... FALSE
DHCPv4 QinQ Enable............................... FALSE
AP Operating Class............................... Not-configured
Capwap Prefer Mode............................... Not-configured
RF Profile
--More-- or (q)uit
2.4 GHz band..................................... <none>
5 GHz band....................................... <none>
WLAN ID Interface Network Admission Control Radio Policy
5 raheja-interface Disabled None
2 raheja-guest Disabled None
*AP3600 with 802.11ac Module will only advertise first 8 WLANs on 5GHz radios.
AP Name Slots AP Model Ethernet MAC Location Port Country Priority
FAL-RAHEJA-AP04 2 AIR-CAP2702I-D-K9 f0:7f:06:8d:24:1c Near Meeting Roo 1 IN 3
FAL-RAHEJA-AP02 2 AIR-CAP2702I-D-K9 f0:7f:06:8d:37:3c Confrennce Room 1 IN 3
FAL-RAHEJA-AP03 2 AIR-CAP2702I-D-K9 f0:7f:06:30:93:48 Near Confrence R 1 IN 3
FAL-RAHEJA-AP05 2 AIR-CAP2702I-D-K9 f0:7f:06:bf:ae:c0 Near Meeting Roo 1 IN 3
FAL-RAHEJA-AP06 2 AIR-CAP2702I-D-K9 f0:7f:06:92:b3:a0 Near Server Room 1 IN 3
FAL-RAHEJA-AP01 2 AIR-CAP2702I-D-K9 f0:7f:06:92:b3:20 Reception Area 1 IN 3
FAL-RAHEJA-AP08 2 AIR-CAP2702I-D-K9 f0:7f:06:8d:25:68 USER BAY ROAD si 1 IN 1
FAL-RAHEJA-AP09 2 AIR-CAP2702I-D-K9 f0:7f:06:92:b4:d4 Training Room 1 IN 1
--More-- or (q)uit
Site Name........................................ default-group
Site Description................................. <none>
NAS-identifier................................... Fractal-WLC1
Client Traffic QinQ Enable....................... FALSE
DHCPv4 QinQ Enable............................... FALSE
AP Operating Class............................... Not-configured
Capwap Prefer Mode............................... Not-configured
RF Profile
2.4 GHz band..................................... <none>
5 GHz band....................................... <none>
WLAN ID Interface Network Admission Control Radio Policy
1 group for mumbai Disabled None
2 guest wifi Disabled None
3 gurgaon-interface Disabled None
4 gurgaon-guest Disabled None
5 raheja-interface Disabled None
6 test Disabled None
Cisco Controller) >show flexconnect group summary
FlexConnect Group Summary: Count: 4
Group Name # Aps
Gurgaon-AP 9
HQ-3RD-FLR-AP-GROUP 12
HQ-7THFLR-AP-GROUP 14
Raheja-AP-Group 8
(Cisco Controller) >show flexconnect group detail Gurgaon-AP
Number of AP's in Group: 9
bc:16:65:13:71:00 GUR-AP-03 Joined Flexconnect
f4:4e:05:45:78:98 GUR-AP-08 Joined Flexconnect
f4:4e:05:78:ae:64 GUR-AP-04 Joined Flexconnect
f4:4e:05:78:ae:e4 GUR-AP-01 Joined Flexconnect
f4:4e:05:80:b3:2c GUR-AP-02 Joined Flexconnect
f4:4e:05:80:b3:e0 GUR-AP-06 Joined Flexconnect
f4:4e:05:80:b3:f8 GUR-AP-07 Joined Flexconnect
f4:4e:05:80:b4:44 GUR-AP-09 Joined Flexconnect
f4:4e:05:80:b5:18 GUR-AP-05 Joined Flexconnect
Efficient AP Image Upgrade ..... Disabled
Master-AP-Mac Master-AP-Name Model Manual
Group Radius Servers Settings:
Type Server Address Port
Primary Unconfigured Unconfigured
Secondary Unconfigured Unconfigured
--More-- or (q)uit
Group Radius AP Settings:
AP RADIUS server............ Disabled
EAP-FAST Auth............... Disabled
LEAP Auth................... Disabled
EAP-TLS Auth................ Disabled
EAP-TLS CERT Download....... Disabled
PEAP Auth................... Disabled
Server Key Auto Generated... No
Server Key.................. <hidden>
Authority ID................ 436973636f0000000000000000000000
Authority Info.............. Cisco A_ID
PAC Timeout................. 0
Multicast on Overridden interface config: Disabled
DHCP Broadcast Overridden interface config: Disabled
Number of User's in Group: 0
Vlan :........................................... 203
Ingress ACL :................................... None
Egress ACL :.................................... None
Vlan :........................................... 205
Ingress ACL :................................... None
Egress ACL :.................................... None
Vlan :........................................... 204
--More-- or (q)uit
Ingress ACL :................................... None
Egress ACL :.................................... None
Vlan :........................................... 206
Ingress ACL :................................... None
Egress ACL :.................................... None
Vlan :........................................... 207
Ingress ACL :................................... None
Egress ACL :.................................... None
Vlan :........................................... 208
Ingress ACL :................................... None
Egress ACL :.................................... None
Vlan :........................................... 209
Ingress ACL :................................... None
Egress ACL :.................................... None
Vlan :........................................... 210
Ingress ACL :................................... None
Egress ACL :.................................... None
Vlan :........................................... 211
Ingress ACL :................................... None
Egress ACL :.................................... None
Vlan :........................................... 212
Ingress ACL :................................... None
Egress ACL :.................................... None
--More-- or (q)uit
Vlan :........................................... 216
Ingress ACL :................................... None
Egress ACL :.................................... None
Vlan :........................................... 217
Ingress ACL :................................... None
Egress ACL :.................................... None
Vlan :........................................... 218
Ingress ACL :................................... None
Egress ACL :.................................... None
Group-Specific FlexConnect Wlan-Vlan Mapping:
WLAN ID Vlan ID
WLAN ID SSID Central-Dhcp Dns-Override Nat-Pat
(Cisco Controller) >
(Cisco Controller) >show wlan summary
Number of WLANs.................................. 6
WLAN ID WLAN Profile Name / SSID Status Interface Name PMIPv6 Mobility
1 FRACTAL-EMP-MUMBAI / FRACTAL Enabled group for mumbai none
2 FRACTAL-GUEST / FRACTAL-GUEST Enabled guest wifi none
3 FRACTAL-EMP-GURGAON / FRACTAL-GURGAON Enabled gurgaon-interface none
4 GURGAON-GUEST / FRACTAL-GUEST-GURGAON Enabled gurgaon-guest none
5 RAHEJA-EMP-WIRELESS / FRACTAL-R Enabled raheja-interface none
6 TEST-SSID / TEST-SSID Enabled test none
hope this will give you proper understanding. -
7925 Phones voice quality issues with wlc 5508 version 7.6
Hi all,
I have a mix environment with 1 WLC 5508 and more or less 6 sites with several Access Points ( all AIR-LAP1242AG and all in FlexConnect mode Hreap ) and several wireless phones (all CP7925G) . My Ap's have antennas 2.4GHz in all sites except 1 site ( the one i'm talking for now) with 2.4GHz and 5GHz , because of the problems we suggest to have all phone in A BAND (5Ghz) . In this site we force the phones just to A (802.11a only) , power safe NONE , Continuous scan mode , i fallow all in http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7925g/7_0/english/deployment/guide/7925dply.pdf , one thing i didn’t do it was apply QoS because I can’t apply several ios commands in that 2960 with lan lite ios.
So I have 3 SSID for data and 2 for VOICE ( one is common to all environment and supports 2.4 and 5Ghz , and other just to test one site , with only 5Ghz with “[WPA2][Auth(802.1X + CCKM)][Auth(FT 802.1X)]”, because I read that problem can be phone rooming , and in FlexConnect only have fast-roaming in a CCKM or a PKM key-management solution , but even like this the problem still exist) .
I have another sites with phones in 2.4GHz running well and others with problems.
i read here in forums lots and lots of people with similar problems , i tried several solutions ( WLC upgrades versions and phones firmware's , …. ) tried all my best of solving the problems mas now I’m running without any ideas , i did also some site surveys and detect some interferers that why I change phones to 5Ghz , and I run also WLC Config analyser to help me , but all without good success. Some changes solve temporarily problems , but after some time , people reclaim about problems.
I can open a TAC case but first I want be sure if did all already.
Can someone try to help me?
ip phone 7925G firmware : CP7925G-1.4.5SR1.3
CUCM 8.6.2
WLC 5508 : 7.6.120.0
AP : AIR-LAP1242AG-E-K9 7.6.120.0 (flexconnect)
Best RegardsHi Serge,
Thanks for the suggestions. I have taken care of all the settings. Problem is , the user is seated in his office cabin and using the 7925 and there is around 50db signal strength in his room from an AP which is just outside the cabin. And this doesnt occur often, when we go to check and make calls, everything is fine whereas the user says it happens sometimes in the morning, evening etc... randomly... where the fone goes blank while in a call.... since the problem never happens when we go to troubleshoot the issue, we really dont know what is going on. This is happening when calling PSTN.
AP's are not restarting and there is no logs indicating that. Wireless infrastructure looks very much OK cos there are other users who are not experiencing this problem and there is ample coverage all over the floor. I am baffled why only one user has this problem even when he is seated in his office cabin.
Tried changing phones also, but still remains.
Question : i tried to do a linktest from WLC to his phone, but it failed, while linktest to laptops are working fine. Does wlc linktest not working for wireless phones ?
regards
Joe -
WLC 5508 with 7.4.100.0 software
Hi All,
One of my client has a wireless setup with WLC 5508 and 1142N APs. It was running with a good coverage for access points when WLC was running with 7.0 software version. Last week I upgraded the software to latest 7.4.100.0 version. After that the coverage of APs are very low.
Can someone help me regarding this issue.
Thanks
SadiqI didn't have coverage issues per say, but my 1142 APs kept disassociating randomly
TAC suggested running these commands. Which has stopped the APs leaving the building.
> config 802.11a disable network
> config 802.11a 11nSupport a-mpdu tx priority all disable
> config 802.11a 11nSupport a-mpdu tx scheduler disable
> config 802.11a enable network
> config 802.11b disable network
> config 802.11b 11nSupport a-mpdu tx priority all disable
> config 802.11b 11nSupport a-mpdu tx scheduler disable
> config 802.11b enable network
Aggregation is the process of grouping packet data frames together rather than transmitting them separately. Two aggregation methods are available: Aggregated MAC Protocol Data Unit (A-MPDU) and Aggregated MAC Service Data Unit (A-MSDU). A-MPDU is performed in the software whereas A-MSDU is performed in the hardware.
Disables the 802.11n-5 GHz A-MPDU transmit aggregation scheduler.
Maybe you are looking for
-
I can no longer edit my track/artist/album info.
Normally I would right click ---> Get Info and edit my track or go to File ---> Get Info and do the same. I am able to get to the point of changing the information, but after I make the changes, I click OK, but they are not reflected in iTunes. Is th
-
Extract the new , changed , deleted vendor master data -urgent pls
Hi all, I have require ment like i need to extract all new, changed and deleted data from SAP TO MAXIMO i need to send to a windows environment which both systems share, i am using LFA1 ,CDHDR , CDPOS Tables , i will get the reuired information , can
-
Warining Message in ME21N/ME22N in SAP4.6B
Hi all, I have given a warning message in a user exit(EXIT_SAPMM06E_013). This user exit is triggered on PO SAVE. In ME21, ME22 the warning message is being diaplyed as expected. But in ME21N, ME22N the warning message is not being displayed but is j
-
Exporting MPEG2's????
I am using an uncompressed quicktime graphic within final cut that I have to take into dvd studio pro to create a dvd. When I export an mpeg2 and burn my dvd the graphic seems to look like I have lost Alot of contrast. The quality has been greatly lo
-
Ive successfuly developed a PLSQL package to build a dynamic menu in XML which I then convert into a menu MMB file using the ifxml2f90 utility supplied with 9iDS. I can run all this locally on my PC. Now that its working I want to deploy it to our DB