WLC 5508 AD authentication for management

Similar Messages

• WLC 5508 Multiple Interfaces for Multiple SSIDs

  Hello guys,
  I am trying to build a new network from scratch, I have the WLC 5508 w/ Aironet 3600e APs connected to my Netgear Smart Switches and a Linksys RV082 router that I'm using as my DHCP server with several VLANs for several stuff on my Switches.
  I have 2 questions:
  1. Can I have 5 Interfaces configured on 5 different VLANs, each SSID on each a different Port:
  Port 1: Controller management only=> 192.168.x.x /24
  Port 2: SSID 1: WiFi Internal=> 172.16.x.x/12 (Radius Auth with no sharing)
  Port 3: SSID 2: WiFi Internal w/ sharing=> 192.168.x.x/24 (Radius Auth with sharing)
  Port 4 :SSID 3: WiFi Guest=> 10.0.x.x/8 (Web Auth)
  Port 5: SSID 4: WiFi IT=> 192.168.x.x/24 ( Radius or certificate Auth with access to the controller management interface)
  2. How can I use the Controller as the DHCP server for all the WiFi traffic, and how should that be configured to work with my other DHCP server?

  Yes you can... but you have to disable LAG.  Each post will need to be connected to a dot1q trunk and you will only allow the vlan that is required for that port.  Also on the interface, you will define what port is primary and what is backup.  I'm guessing you will not be using the backup port.  For example... port 1 that connects to a trunk port will only allow the management vlan.  Here is a link to setup dhcp on the WLC
  http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080af5d13.shtml
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• WLC 5508 Local Authentication- need guidance

  Hi formers'
  i have the combo of WLC 5508 (ver 7.0) and AP1041n, just want to ask how i can do local authentication.
  The environment don't have ACS, no directory services ( AD or LDAP).
  Requirement:
  say, i have one WLAN name "admin". Where-ever if user want to connect to this SSID, they need to prompt username/password,
  user's entry is store at WLC.
  i create the user at local net user, and map it to appropirate WLAN.
  at the WLAN, i enable local EAP and select the profile that i create.
  PROBLEM STATEMENT:
  The moment i test, it always prompt to input  EAP-TTLS domain\usename. password (token)
  Question
  a. any goes wrong with my setting? how really local authentication work with no ACS and directory services running at the back?
  b. can please post any useful document URL or any supportive info, it will be very helpful
  Thanks
  Noel

  Surendra's document may refer to local authentication with ldap database but you could follow it without doing the LDAP part and the users will be stored in the local net users of the WLC.
  You could also follow the WLC config guide in the "Local eap" chapter.
  The concerning part in your description is that your laptop prompts for EAP-TTLS. That means that you configured your laptop for that method. The WLC is only with peap/eap-fast

• WLC 5508 WPA Authentication Problems

  Hello,
  We have a WLC 5508 with 7.4.100.0 Firmware.
  We are using 1141 and 1142 APs and we are having authentication problems with clients that are connecting to our WLAN with WPA+AES autentication. The clients receive in her laptop a password error, and we receive the following log in wlc:
  Client Excluded: MACAddress:f8:f1:eb:dd:ff:cd Base Radio MAC :08:ad:dd:76:4d:30 Slot: 0 User Name: unknown Ip Address: unknown Reason:802.1x Authentication failed 3 times. ReasonCode: 4
  The strange thing is that the problem is solved restarting the Access-points.
  Anyone had this problem previusly?
  Thanks in advance.

  I made the configuration using the Cisco Recommended settings, the strange thing its that the users connect normally, until they starts with authentication problems. I restart the access points and the problem its solved.
  Cisco Recommended  and not recommended Authentication Settings
  Security encryption settings need to be identical for WPA and WPA2 for TKIP and AES as shown in this image:
  These images provide examples of incompatible settings for TKIP and AES:
  Note: Be aware that security settings permit unsupported features.
  These images provide examples of compatible settings:

• WLC to ISE authentication for Guest

  Hi Experts,
  Hope if you could guide me with our setup for Guest users. Below is what we are doing
  a)     Guest connects to SSID
  b)     WLC is being used to redirect Guest HTTP to WLC internal Portal
  c)     WLC forwards guest authentication details to cisco ISE [ISE and WLC radius]
  The guest connects to SSID and does get WLC portal for authentication, when the username and password entered on Cisco ISE i see error message as
  'User Identity not found in any of Identity Store' though it is going through correct Store and the Guest name is certainly configured on Cisco ISE. ISE version is 1.2 and WLC is 7.4, please let me know if i am missing anything here.
  Appreciate your help

  The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning. The flow includes these steps:
  Please follow below guide for step by step configuration:
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

• Wlc 5508 radius authentication fail

  I am trying to setup a wireless lan for the first time using 5508, all is working to a point, until i try to setup client authentication using the following
  so settings are:
  Layer Wlan settings:
  Layer 2 security:WPA+WPA2
  AES
  Auth Key mgmt:802.1x
  We have the authentication server enabled:
  Ip an port are correct
  AAA overide not enabled
  Order for authentication, radius only
  Advanced: dafault settings
  Radius authentication servers:
  Call Station ID Type: IP address
  MAC Delimiter: Colon
  Network User
  Management
  Server Index
  Server Address
  Port
  IPSec
  Admin Status
  Server Index
  Server Address
  Shared Secret Format
                   ASCII                 Hex              
  Shared Secret
  Confirm Shared Secret
  Key Wrap
    (Designed for FIPS customers and requires a key wrap compliant RADIUS server)
  Port Number
  Server Status
                   Enabled                  Disabled              
  Support for RFC 3576
                   Enabled                  Disabled              
  Server Timeout
    seconds
  Network User
  Enable
  Management
  Enable
  IPSec
  Enable
  *radiusTransportThread: Dec 21 12:07:46.488: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 115) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
  *radiusTransportThread: Dec 21 12:07:46.012: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 114) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
  *Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:19:d2:b9:d5:e1
  *Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:b9:d5:e1
  *radiusTransportThread: Dec 21 12:07:16.412: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 113) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
  *Dot1x_NW_MsgTask_1: Dec 21 12:06:59.741: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:19:d2:b9:d5:e1
  Radius server occasionally sees attempts from user "XXZZYY"

  Osvaldo,
  Your observation is correct and this should be documented on the WLC help tab if you search for keyword network user under radius auth.
  Quote:
  Network User—Network user authentication check box. If this option is enabled, this entry is considered as the network user RADIUS authenticating server entry. If you did not set the RADIUS server entry on the WLAN configuration (WLANs > Edit > Security > AAA Servers), you must enable this option for networkusers.
  Management—Management authentication check box. If this option is enabled, this entry is considered as the management RADIUS authenticating server entry. If you enable this option, authentication requests go to the RADIUS server
  AAA server defined on WLAN takes precedence over global.

• One WLC 5508, Multiple Sites/Networks

  So I'm trying to think this design out in my head.  Here is what I have:
  Corp Office with a WLC 5508 configured with a management port and a guest WLAN port for guest wireless etc to the corp Layer 3 switch in a wireless VLAN, using 802.1q trunk of course.  The WLC is configured to be a DHCP server for the Guest WLAN.
  (Side note:  the sites are connected using WAN routers at each location configured with bundled T3's and all routes are setup and each network successfully traverses to the other)
  First phase will be to install 30 APs.  5 at the corporate office and 25 and two other sites.  I'm using a class A network but have subnetted the networks so to speak to make each site have multiple VLANs using class C networks.  I want to be able to implement the WLC 5508 at the corporate office and manage the APs centrally at all locations.  The APs are already configured for lightweight mode and I have successfully configured 5 of them and connected. 
  My question is if I install the other 25 APs at the other 2 offsite locations and connect them to the network, will it automatically contact the WLC and get a DHCP address from the Corporate WLAN DHCP even though it is at another site?  Am I overlooking a step or configuration method for this type of implementation?
  Thanks for all contributions!

  Ok so I have configured my environment as suggested.  I can see the new IP Address lease to the AP at my remote site on
  the DHCP Server (Windows Server DHCP at the remote site).  I can ping that IP from the Central office to the remote site however the WIreless Controller is not associating the AP at all.  Although I can ping the AP from the WLC.  I checked the logs and I dont see any association attempt from that IP or MACt.  So here is what I have:
  Central Site-
       WLC 5508 With Internal DHCP for local APs
       APs associating successfully
  Remote Site
       Windows DHCP with Option 43 Configured per Cisco AP Option 43 Whitepaper
       AP 1142-Light-Weight attached to switchport (Wireless Vlan configured) and reachable via ping through all of network.
       AP obtained IP from Windows DHCP from Wireless Scope I configured successfully.
  So it doesn't seem the CAPWAP tunnel was built successfully.  I do have an ASA 5520 in the environment but all traffic to remote sites is wide open as I do not block any ports so CAPWAP traffic should flow well.
  Mission a step?
  Dee

• WLC 5508 7.4.X - N+1

  Hi,
  I don't undestand this document
  http://www.cisco.com/c/en/us/td/docs/wireless/technology/hi_avail/N1_High_Availability_Deployment_Guide/N1_HA_Overview.html
  How can the third 5508 (suport max 500 AP) backup all other WLC ? n+1 how ?
  With secondary wlc configured in HA-SKU (without AP SSO) the 500 licenze are permanent ?
  who can explain me.. this is a document bug ??

  What they're describing is HA N+1, not HA 1:1 AP SSO.  This option, which is "NON-AP-SSO", allows you to use an HA-SKU or > -50-k9 SKU coverted, to operate as a dedicated +1 WLC in HA.  When using this configuration, this WLC allows the use of the "hardware maximum" of the device: Thus 500 APs for WLC 5508, or 1000APs for a WISM2 (as an example).  Since this WLC can wait as a backup to multiple WLCs, that's why it's not capable of the AP SSO, which requires a 1:1 pairing of the HA WLC with an Active HA WLC.
  When using the HA N+1 the WLC acts the same as the pre AP-SSO "HA" concept; where you had Primary, Secondary Tertiary configs on your APs (which you may still have).  All it is saying is that the N+1 HA WLC can act as one of these Secondary/Tertiary WLCs, much like a WLC you had licenesed for 250 or 500 APs could do previously.
  In the past you would use, lets say a 250 WLC AP as this backup WLC.  Many people were frustrated that they had to have a $60,000 WLC just sitting there "waiting for something to fail".  But that's what it did.  If a WLC failed, lets say one with 100 APs, this backup WLC would take on the APs and use 100 of it's 250 AP license count.  If additional WLCs failed, the process continued until this backup WLC was filled.
  The idea of using the HA-SKU in an N+1 is that while yes, you don't get the 1:1 AP SSO configuration, you are getting more bang for your buck in that this WLC can sit as a backup (as it did in the past) but it can accept up to the maximum it's hardware can handle in terms of AP count, not only what it was permanently licensed for.  Rather than spending $100,00 on a 500 AP count WLC to backup your 2x250 AP count WLCs, why not look at a $50,000 HA-SKU that can "handle" up to 500 APs.
  So given this scenario, this WLC is "backuping up all other WLCs" for whom it is a Secondary/Tertiary WLC backup.
  As far as the HA-SKU "licenese", it's not "permanent" per se.  With an HA SKU in N+1 you have a 90 day timer which will then "nag you" (via console) that this HA WLC is not truly intended to permanently house these APs.  The idea is that if the Primary WLC failed, you would get it back online and then move your APs back to where they belong and return the HA N+1 WLC back to 0 APs.

• 4400 WLC Layer 3 Authentication Status for WLAN Clients

  We have 3 4400 series WLC's(wireless LAN controllers). Two 4404 WLC's are on the "inside" of our network and all AP's (access points) on our network use these two WLC's as the primary or secondary controller.  The 4402 WLC Anchor controller resides in our DMZ and is used for WLANs that are more oriented for guest usage.  These guest WLANs are configured on the inside controllers also, but are "anchored" to the 4402.  On the anchor controller we are using layer 3 Web Authentication for the WLAN "Guest".  This WLAN uses the internal web-auth page within the anchor controller and a username/password combo that is locally defined on the anchor controller.
  Functionally there is no issue.  Users connecting to the WLAN are presented with the web-auth page upon connecting to the WLAN and opening a web browser.  The issue is how the layer 3 authentication information is presented on the Monitor Clients page of the "inside" WLC's management screen as compared to the "anchor" WLC.
  For example, if we log in to the anchor controller and then click Monitor, then Client, then Change Filter and choose any WLAN requiring layer 3 authentication on the Anchor controller, there will be a list of all clients currently associated.  In the Column with the "Auth" heading it shows the Layer 3 Authentication status of the clients.  For example, if there are 15 clients associated to WLAN SSID "Guest", but only 5 of them have opened their web browsers and correctly logged in, then this will be correctly displayed.  The 5 who have logged in will show "Yes" and the other 10 will show "No" in the Auth column.
  Now...the problem...on the inside controllers...if we do the same thing (monitor, clients, filter for WLAN SSID "Guest"), all 15 will show "Yes" under the Auth column. In most cases the 15 clients will be distributed accross both controllers (maybe 6 on one, and 9 on the other WLC), but both inside controllers will display all clients as having a layer 3 authentication status of "Yes".  We have proven over and over that this is not accurate.  This is very inconvenient because the "Client Count" reports we run on the WCS server reflect the same information as the "inside" controllers.  The WSC reports will show all 15 as Authenticated and they are not.  We have proven many times that the anchor WLC is the only controller accuratly conveying this info.
  Also, the engineers who helped with our network install have reproduced the same behavior in a lab with an anchor and inside controller directly connected.  They suggested it may be a code bug with the 4400 series WLC.  We are running controller Software Version 6.0.188.0 on all 3 controllers.
  Please let me know what you think may be causing this issue.  Any help or advice is greatly appreciated!

  Hi,
  We run version 7.0 on the WCS and WLCs but I thought I'd try the report and see what I got. The result is a line graph with the number of associated and authenticated clients superimposed. I'm not sure how useful a report of this nature is.
  It doesn't inspire confidence: when I specifiy the guest wireless SSID I get zero clients! I know there have been guest clients authenticated during the report period I spec'd.
  Scott

• ISE Profiling for Wireless Devices (WLC 5508) like Laptops and Mobile Devices

  Hi,
  We have integrated WLC 5508 to cisco ise 3315 with ios 1.1.1 and using Guest Sponsor portal for wireless guest users.
  Where we have created open ssid in wlc and redirect web login portal in wlc for guest  users. We have enable all respective node in policy service for profiling and also configure snmp in wlc as well as in ise.
  When guest user is connected to open ssid its get redirected to web login page of ise portal and when it gets login we are  only able to see the username which guest user login but not the end device in monitoring log.
  Wireless End devices are not able to get profiled can any one tell me what configuration I need to do on ise or wlc side to profiled end guest wireless device like android,iphone and laptops
  Thanks
  Pranav

  Hi Tarikh,
  I only want to identify the end devices for wilress guest user. I have configured MAB Authentication and configure autorization policy where in mention identity group any condition as wlc web authentication and athorization profile only guest mentioning plain access for the same.
  Can you help me how I can achived profiling for wirless guest devices. I have configured all profiling probes . Enable snmp on wlc as well as in network devices.
  What else I need to configured to achived just identiting device nothing but profiling and which should reflect in authnetication logs.
  Thanks
  Pranav

• WLC 5508 & Forefront Threat Management Gateway.

  We are trying to implement a Guest wireless network on a new WLC 5508 which connects to the Internet via a Windows 2008R2 server running Forefront Threat Management Gateway beyond which there's a ASA and then the Internet. The Windows server also provides DHCP and DNS to the WLAN clients.
  The problem we're having is that the TMG server will not return packets to a wireless client. We booth the wireless client, it picks up a DHCP address (from the TMG server), we open a browser and try and access the Internet, result; nothing. If we run Wireshark on the client we can see the DHCP request and response, we see the DNS request but no reply comes back. On the TMG server in the TMG live log we can see that it is dropping the packets to the client with the following error message:
  A packet was dropped because its destination IP address is unreachable.
  We've tried attaching a wired PC to the same VLAN and it can obtain an IP address from the TMG server, get DNS resolution from the TMG server and access the Internet so we know the problem must lie beteen the TMG server and the WLC 5508 but we can't determine whether it's something the WLC is doing which "masks" the client from the TMG server or something in the TMG server which is preventing it from communicating with the client.
  If we open a browser on the client and enter http://1.1.1.1/login.html we get the login page and can authenticate (we have no DNS Host Name on the Virtual Interface, we've tried it with and without, no difference either way) but after that, nothing. We can see the client making repeated DNS requests and the return packets for each one are dropped by the TMG server with the message above.
  Any advice would be much appreciated.
  The WLC is running Software Version 7.3.112.0.

  We are trying to implement a Guest wireless network on a new WLC 5508 which connects to the Internet via a Windows 2008R2 server running Forefront Threat Management Gateway beyond which there's a ASA and then the Internet. The Windows server also provides DHCP and DNS to the WLAN clients.
  The problem we're having is that the TMG server will not return packets to a wireless client. We booth the wireless client, it picks up a DHCP address (from the TMG server), we open a browser and try and access the Internet, result; nothing. If we run Wireshark on the client we can see the DHCP request and response, we see the DNS request but no reply comes back. On the TMG server in the TMG live log we can see that it is dropping the packets to the client with the following error message:
  A packet was dropped because its destination IP address is unreachable.
  We've tried attaching a wired PC to the same VLAN and it can obtain an IP address from the TMG server, get DNS resolution from the TMG server and access the Internet so we know the problem must lie beteen the TMG server and the WLC 5508 but we can't determine whether it's something the WLC is doing which "masks" the client from the TMG server or something in the TMG server which is preventing it from communicating with the client.
  If we open a browser on the client and enter http://1.1.1.1/login.html we get the login page and can authenticate (we have no DNS Host Name on the Virtual Interface, we've tried it with and without, no difference either way) but after that, nothing. We can see the client making repeated DNS requests and the return packets for each one are dropped by the TMG server with the message above.
  Any advice would be much appreciated.
  The WLC is running Software Version 7.3.112.0.

• Wlc 5508 : guest users to be configured only give access for internal SAP application

  Hi,
  I have one new requirement with one of the client.
  I have wlc 5508 with 6.0 firmware. I need to have one guest wlan which will have access only for internal SAP application.
  I have gone through cisco document for internet guest users , where web page will be redirected with user name and password once it is authenticated , we can access internet.
  Provided if we have access list configured in wlc ...  for internet access only /
  what about this mentioned scenario ?
  can anybody suggest on the same ?

  Hi Vinod,
  Go for the ACL on any Router or the switch.. i prefer not on the WLC..
  http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
  Here is the link as well to do it on the WLC
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807810d1.shtml
  Lemme know if this answered ur question..
  Regards
  Surendra

• WLC 5508 And Third Party SSL for Web Authenticaiton

  Hello,
  We are using WLC 5508 and currently the authentication process is via Customized WebAuth. As you know that with the WebAuth the authentication process won't work unless you launch Web Browser and you will be redirected to the Authentication Page where you type your username and password. This is a bit fuzzy for most of the users and what I'm thinking is to use different authentication mechanism where the user will automatically be prompted upon connecting to any SSID. I have read that Public/Thrid Party certificate will do this and any client can accept the public certificate.
  Anyone can elaborate on this approach?
  Regards, 

  With machines that are not part of the domain, typicall if you still want to secure them usin 802.1x, you would leverage a radius server and users would be told of the SSID to connect to and enter their AD credentials.  Of course, if you use AD credentials, users will now join all their other devices to that SSID. This is where ISE comes in and you can profile devices. Even though the WLC with v7.6 can profile, it's not a full fledge profiler.  Depending on how well you know radius, you can leverage a portal page also and depending on the AD group a user is a member of, you can out them is a specific Vlan or if you leverage interface groups.  You can do many things, but you need to really know radius and client types to figure out what can and work well in your environment. Radius alone to someone who hasn't played with it, can take days to setup without help. 
  Every client I setup radius for is different and it comes down to how their users are setup in AD, what devices they have and the requirements. 
  Scott

• Repeated wlc 5508 client web authentication

  I'm trying to troubleshoot a situation where many of our guest wireless users are repeatedly being prompted to reauthenticate via the web interface.  the session timeout is set to 4 hours, however, many times a client is presented with a web authentication screen right in the middle of browsing at random times.
  I do have several system log entries, but cannot find the specific entries in the Error code reference for the WLC.  For example, I don't find anything on %AAA-3-VALIDATE_GUEST_SESSION_FAILED: file_db.c:4022 Guest user session validation failed for guest1. Index provided is out of range..
  I'm running a WLC 5508 with 7.0.98.0 and have read through all of the release notes, error code references, etc., and don't see anything regarding this issue.
  The WCS screenshot shows a good example of how often this occurs!  Is the client actually re-associating with the AP (which in turn would require a web reauth)?  Not sure if I'm barking up the wrong tree - focusing on web auth when I may actually need to be focusing on AP association...
  I do have a TAC case opened up, but was wondering if anyone has experienced this before?
  Sorry for the rambling...

  Rene,
  I did several things and at least one of them seemed to resolve the issue:
  These notes are directly from my TAC case and I will try to provide a little more information [in brackets].
  1.       Upgrade WLC to 7.0.98.218 [self explanatory]
  2.       Upgrade WCS to 7.0.172.0 [current version, as of this note]
  3.       Increase DHCP scope time on ASA from default (30 minutes) to 4
  days [DHCP running external from the WLC]
  4.       Remove TKIP from the WLAN - only allow AES [had both configured but tech advised to only use AES]
  5.       Increased session timeout from 14400 seconds to 64800 seconds
  (4 hours to 18 hours) [don't think this helped resolve the issue, but it certainly was more convenient for our longer-term guests]
  I think that the TKIP and/or DHCP setting was integral as part of the resolution.  I upgraded the WLC because the version that I was running didn't have the web-auth debug option, so I'm not sure that that actually contributed to the resolution.
  Good Luck,
  Rob.

• WLC 5508 AP-Manager interface

  Hi, I own a WLC 5508 and I (probably) do not understand AP-Manager interfaces. I have a lab with 2x 1242AG and 1x 1252AG connected to c2960. APs are in vlan 10 (192.168.10.0/24, configured via DHCP), APs are connected to "switchport mode access" interface. c2960 is connected via a trunk to c4506, and WLC is plugged in gi1/3 and gi1/4 (both through twingig). Both ports are configured as "switchport mode trunk". Management interface on WLC is on WLC port 8 (connected to gi1/4), and AP-Manager is on WLC port 1 (connected to gi1/3). Management interface on WLC has "Dynamic AP management" set to disabled, and AP-Manager has it set to enabled. Both, Management and AP-Manager interfaces are tagged, vlan id 12 and 13 (subnets 192.168.12.0/24, 192.168.13.0/24) respectively. APs receive their IP configuration via DHCP (server located in vlan 20, 192.168.20.0, ip helper-address in use), and try to discover WLC by DNS resolution (CISCO-CAPWAP-CONTROLLER.some.domain resolves to AP-Manager IP correctly). But APs do not join to controller, WLC says "Ignoring discovery request received on non-management interface", AP has "not joined" status in Monitor/Statistics/AP Join.
  But if I set management interface as "Dynamic AP enabled", and change DNS to resolve CISCO-CAPWAP-... to it's IP everything works fine - AP joins at once. Please help, how to join LAP to AP-Manager interface? Join to WLC manager is simple, but my design requires at least 2 AP-Manager interfaces.

  Hello,
  I just wanted to mention foremost; a split LAG configuration is not supported on the WLCs.  This "can" be achieved if you are splitting your LAG ports amongst VSS configuration on your two capable devices, but is not a recommended or supported configuration. I would highly suggest a LAG configuration over your individual port.  As far as the "ap-manager" concern you have of managing more than 48 APs, you are correct in that the AP-manager cannot handle more than 48 APs, however only when in an individual port configuration.  The LAG will overcome this limitation.
  George was correct about your DNS entry, this needs to point to the WLC's management interface.  This is why the AP joined when you pointed the DNS entry back to the management address-- as intended.
  This link is anchored to the mgmt, ap-manager, and dynamic interface creation for the 7.0.116.0 Config Guide: http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_ports_interfaces.html#wp1286790
  "If" you want to keep an individual port configuration, and need more than 60 APs connected, you will need to create more than one "ap-manager" interface.  You will just make a new dyanamic intreface and place it on the same network as the current ap manager (ie, management interface) and mark it for dynamic ap management.  All APs will still need to only see the management interface for joining; the WLC will assign to the appropriate AP manager as needed.  The WLC will fill up the first AP manager before joining building tunnels through the next AP-manager interface, so in your lab you will not really be able to test this behavior, assuming the 3-4 APs you were using.
  1. You can keep your management interface with "dynamic ap management" enabled so this serves as the first AP manager; if you desire. 
  2. You will need to create another dynamic interface mapped to the next port.  enabled "dynamic ap management" again here, and place this new "ap-manager" interface on the same vlan as the mgmt.  Keep in mind creating a dynamic interface and designating it as an AP manager prevents mapping that interface to a WLAN, see note below.
  *NOTE (from config guide): When you enable this feature, this dynamic interface is configured as an AP-manager interface (only one AP-manager interface is allowed per physical port). A dynamic interface that is marked as an AP-manager interface cannot be used as a WLAN interface.
  I would highly suggest the LAG configuration so there is no need to worry about the ap manager interfaces, regardless of the number of APs communicating. This also allows for growth if WLC needs to be licensed for more and more APs.