WLC 5508 AP Group - Clients using wrong VLAN

I have a network setup as live-ssid. It is using the Interface for VLAN 14. All APs under the default-group AP Group obviously allows clients to DHCP an address from VLAN 14. This is working fine.
I created a new AP Group called 3rd Floor. This has the live-ssid setup, but instead of using the Interface for VLAN 14 it is setup for the Interface for VLAN 50. I have all the APs on this floor moved to the 3rd Floor AP Group.
The problem is that 95% of the clients on 3rd Floor are still picking up DHCP addresses from VLAN 14. I checked and all the clients are connected to the APs on the 3rd Floor. Only 4 Clients are getting an address from VLAN 50.
I'm not sure if something is configured wrong or not since some devices pick up the new VLAN and the rest don't. I've manually reboot the APs on the 3rd floor to see if that would fix it.
Any help would be great.

My wild guess is that your clients originally connected to another floor and then moved to the 3rd floor.
The idea is that if one of your client moves to the 3rd floor, there is no reason to kill its connectivity by assigning it a 3rd floor ip address instead of its 1st floor ip address for example.
So the clients are assigned a 3rd-floor ip address only if their first AP association is on the 3rd floor.
Even if you powered the client on the 3rd floor, there is a chance that the client connected to an AP on 2nd or 4th floor and then changed because the APs on 3rd floor are giving a better signal. This is often seen when the floors/ceiling don't represent a big RF attenuation, clients might associate to an AP sitting on another floor.
Nicolas

Similar Messages

WLC 5508 - What is the use of service port.

Hi,
I am getting hard to understand use of service port in wlc 5508,
Even after reading so much post and cisco note I am not understanig the use of (Even basic use) service port.
As I understand service port should be access port and should be in diffrent vlan.
Pleae help me to understand it in simple way....

Hi Tarun,
Like others mentioned it is used for Out of Band Management of a WLC. Many do not use this as it could leads to issues unless you properly configure it & put it onto two completely different supernets. Config guides highlighted those restrictions & below is one of them listed in 7.4 config guide
Do not configure wired clients in the same VLAN or subnet of the service port of the controller on the network. If you configure wired clients on the same subnet or VLAN as the service port, it is not possible to access the management interface of the controller.
In situations you can use it to get access by directly connecting a laptop to take configuration backup or restore configuration to a controller. In the below post I have used service port to take backup & restore the configuration to a WLC.
http://mrncciew.com/2013/01/25/backup-restore-wlc-configs/
HTH
Rasika
**** Pls rate all useful responses ****

WLC 5508 integration with fortigate and Guest Vlan

Hi
I have 5508 Cisco WLC and i want to connect my wlc one port to fortigate (FW) for direct internet.
And other port in WLC i will connect on Cisco Core Switch for other SSID's and for management. Now the question is how to divide port in WLC 5508, how to point layer 3 traffic if don't configure switch port as trunk.
Kindly what will be best solution.

sh etherchannel 99 sum
Flags: D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      N - not in use, no aggregation
        f - failed to allocate aggregator
        M - not in use, no aggregation due to minimum links not met
        m - not in use, port not aggregated due to minimum links not met
        u - unsuitable for bundling
        d - default port
        w - waiting to be aggregated
Number of channel-groups in use: 38
Number of aggregators:           38
Group Port-channel Protocol    Ports
------+-------------+-----------+-----------------------------------------------
99     Po99(SU)         -        Gi2/2/1(P)     Gi2/2/2(P)     Gi2/2/3(D)
                                 Gi2/2/4(P)
Last applied Hash Distribution Algorithm: Fixed
Gi2/2/3 is down becasue we had to shut down the interface because when it is up many APs refuse to register.

WLC 5508 disable wlan client still connected

I have one wlc 5508 running on latest IOS 7.116, there is one wlan abc which i have disable status and disable broadcast, but randomly still i can see from wlc dashboard there is one client connected to this wlan abc. The moment i check on the client details, there is no client connected to that wlan and when return to dashboard, no more client connected to that wlan abc. This happened in randomly, it is bug or something else?

I would guess that the client entry also indicates "probing" as status. It means that the client is not connected. It is actually probing, so it"s looking for that SSID that it probably associated to in the past (so it remembers about it)

Wlc 5508 get error when use port-channel

We have two wlc in the system 5508 and 4402.
we config HA for 2 wlc, both wlc enable LAG
When I connect 2 interface of 5508 to 2 interface (in a port channel mode on, trunk, dot1q) of a
couple of VSS switch, I cant management 5508 through web any more, and I still can do with 4402.
If I shutdown 1 port int the port-channel, it work well.
Do you know what happen ?
Thanks
Duyen

hi Scott,
We have VSS ( 2 x 6509) trunk with (2 switch 4506). one port of wlc4402 connect to one port of one swith 4506.
2 ports of wlc 5508 conect to 6509, each port connect to one switch 6509.
the config in VSS switch like this:
interface gig1/1/1
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 500 mode on
interface gig2/1/1
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 500 mode on
etherchannel load-balancer src-dst-ip
( I dont see this command in running config)

Lync Client uses wrong RTP Ports for calls from/to RGS with Agent Anonymity

We have QoS implemented and client ports for audio, video und application defined by Set-CsConferencingConfiguration. We also use firewalls in our LAN between the different VLANs for Clients, Servers and Gateways/SBC. Only RTP from the client with the defined
ports are allowed by the firewall. Media ByPass is enabled.
In all normal cases, the right ports will be used and marked by GPO with the right DSCP value. But if an agent get a call from a RGS which has agent anonymity enabled, the client uses a port in the range 1024-65535 for audio. Also if you make a call on behalf
of the RGS, the client use a random port between 1024-65535. As soon, as the source of the call is in another VLAN (e.g. a call from PSTN which comes in over a SBC in e separate VLAN), the firewall between the two VLANs block the RTP traffic.
We see the deny on the firewall log and in the SBC log we see, the reinvite for the media by pass with the IP of the agent and a not valid port. We also see, that no RTP from the client/agent will arrive the SBC and no RTP from the SBC will arrive the client/agent.
So the call will be disconnected, as soon as an agent wants accept the call.
Is there an additional setting to make sure, the Lync client always use the valid RTP port range?
This behavior exist in Lync 2010 and Lync 2013 clients.

Hi Holger,
Thanks for reply!
Sure! I set all AudioPorts on all Services, but the problem are not the ports used by the server, the problem are the ports used by the client. We set the client ports to 49152 with a count of 40. The client (2013 and also 2010) use these ports correctly in all
cases exept for call from/on behalf of an RGS with Agent Anonymity.
If we disable the RGS agent anonymity, restart the client of the agent, then the client uses also the correct source ports for RTP.
I've checked this behaviour now on 3 customer installations, our own productive installation and in our lab.
Because until now only one of our customers have firewalls between the internal VLANs, only this single customer have the issues...
Regards,
Stephan

WLC 5508 centrally switched client errors

Hello,
I am having trouble with a newly configured install. Basically it seems that my centrally switched guest SSID is not functioning. As you change AP groups, which should change the interface associated with the SSID and also the dhcp client address, the client is retaining the original dhcp address from whichever AP group they first associated with.
I also have a locally switch WPA2 SSID at each location which is working fine. Clients are able to change dhcp address correctly as they move between AP groups. It just doesn't seem to be working on the guest network, which is odd because it was working earlier in the install. It has only started having issues yesteday afternoon.
It does not always coincide with the guest errors but I am generating these logging errors:
*DHCP Socket Task: Aug 17 15:09:23.526: %SIM-3-DHCP_SERVER_NO_REPLY: sim_interface.c:1039 Failed to get DHCP response on interface 'may89-guest_vb_122'. Marking interface dirty.
The interface above is assigned to the guest SSID in one of the AP group. I assume this has something to do with it but I've been over my DHCP assignments on the core switch, local switch, controller, and dhcp server and can find no issue with the configuration.....Also the fact that it was working earlier this week.
I also seem to be generating a high amount of:
*dot1xMsgTask: Aug 17 14:46:22.844: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:456 Max EAPOL-key M1 retransmissions exceeded for client xx:xx:xx:xx:xx:xx
I am not sure why as I am not using DOT1X at all. The guest is a pass-thru and the WPA2 network is just WPA + WPA2 with TKIP and AES. No DOT1X anywhere on the controller...

I think I might know what to do. Could I just create an interface group for each controller and place all of my individual guest interfaces within that group. Then I could just assign that interface group to each of my AP groups so every AP group would have access to all of the guest interfaces on the controller. I think the reason it is not currently working is because the AP group at my location is set to a specific interface and the ip addresses when I roam are from different interfaces not set for the AP group. I am basically being blocked by the AP group/guest interface because my ip address belongs to the wrong interface.
I think an interface group would solve that problem. The only other issue would what if I roam to an AP group on the other controller. Could I just set up a mobility group and place both controllers in that group? If they both have the UP status in the same mobility group would that allow inter-controller roaming?

Problem Concurent client WLC 5508

Hi All support,
i have running cisco wlc 5508 with software upgrade 7-4-100-0.aes and 24 cisco 1552 AP with mode mesh, concurent client only show 185 clients but if we using dual load wlc ( Whitout mobility group, if using mobility group clients still stuck concurent) clients can get online 150 on wlc01 and 130 on wlc02 ,total client we have is 300 client.for more information we using feature passive client on this network. any body can help ??
regards,
Sigit H.W

this is debug iapp :
*iappSocketTask: Mar 18 11:13:09.419:      [0480] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.419:      [0496] 00 00 00 00 00 27 22 16 13 f9 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420:      [0512] 00 00 00 02 00 00 00 00 00 00 01 46 b8 17 01 00
*iappSocketTask: Mar 18 11:13:09.420:      [0528] 00 00 00 24 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420:      [0544] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420:      [0560] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420:      [0576] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420:      [0592] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420:      [0608] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420:      [0624] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420:      [0640] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420:      [0656] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420:      [0672] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420:      [0688] 00 00 27 22 40 a8 81 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420:      [0704] 01 00 00 00 00 00 00 00 a8 b9 19 01 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420:      [0720] 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420:      [0736] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420:      [0752] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420:      [0768] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.785: IAPP Rx Frame (1633)
*iappSocketTask: Mar 18 11:13:10.785:      [0000] d0 c2 82 e3 ae c4 2c 36 f8 73 e6 80 81 00 00 0b
*iappSocketTask: Mar 18 11:13:10.785:      [0016] 08 00 45 00 05 cc d3 da 40 00 ff 11 28 8a 0a 9d
*iappSocketTask: Mar 18 11:13:10.785:      [0032] 32 6d 0a 9d 32 15 3e 69 14 7f 05 b8 00 00 00 20
*iappSocketTask: Mar 18 11:13:10.785:      [0048] 03 20 bb 9f 00 00 01 04 00 00 00 00 00 00 01 08
*iappSocketTask: Mar 18 11:13:10.785:      [0064] 00 00 2c 36 f8 73 e6 80 2c 36 f8 73 e6 80 2c 36
*iappSocketTask: Mar 18 11:13:10.785:      [0080] f8 73 e6 80 00 00 aa aa 03 00 40 96 00 00 06 03
*iappSocketTask: Mar 18 11:13:10.785:      [0096] 32 8b 2c 36 f8 73 e6 80 2c 36 f8 73 e6 80 00 00
*iappSocketTask: Mar 18 11:13:10.785:      [0112] 39 00 05 ed e1 cf 0a 30 08 00 00 27 22 40 a4 df
*iappSocketTask: Mar 18 11:13:10.785:      [0128] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0144] 00 00 a0 05 00 00 00 00 00 0c 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0160] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0176] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0192] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0208] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0224] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0240] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0256] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0272] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0288] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0304] 00 00 00 00 00 00 00 00 27 22 84 89 30 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0320] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a3
*iappSocketTask: Mar 18 11:13:10.786:      [0336] 06 00 00 00 00 00 18 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0352] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0368] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0384] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0400] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0416] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0432] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0448] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0464] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0480] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0496] 00 00 00 00 00 27 22 40 a8 57 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0512] 00 00 00 00 00 00 00 00 00 00 00 00 aa 0d 01 00
*iappSocketTask: Mar 18 11:13:10.786:      [0528] 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0544] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0560] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0576] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0592] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0608] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0624] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0640] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0656] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0672] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0688] 00 00 27 22 2c a9 c6 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0704] 00 00 00 00 00 00 00 00 00 a2 06 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0720] 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0736] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0752] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786:      [0768] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: IAPP Rx Frame (1633)
*iappSocketTask: Mar 18 11:13:12.554:      [0000] d0 c2 82 e3 ae c4 2c 36 f8 73 04 20 81 00 00 0b
*iappSocketTask: Mar 18 11:13:12.554:      [0016] 08 00 45 00 05 cc 00 50 40 00 ff 11 fc 17 0a 9d
*iappSocketTask: Mar 18 11:13:12.554:      [0032] 32 6a 0a 9d 32 15 30 44 14 7f 05 b8 00 00 00 20
*iappSocketTask: Mar 18 11:13:12.554:      [0048] 03 20 bb fa 00 00 01 04 00 00 00 00 00 00 01 08
*iappSocketTask: Mar 18 11:13:12.554:      [0064] 00 00 2c 36 f8 73 04 20 2c 36 f8 73 04 20 2c 36
*iappSocketTask: Mar 18 11:13:12.554:      [0080] f8 73 04 20 00 00 aa aa 03 00 40 96 00 00 06 03
*iappSocketTask: Mar 18 11:13:12.554:      [0096] 32 8b 2c 36 f8 73 04 20 2c 36 f8 73 04 20 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0112] 39 00 05 ed 00 00 0a 30 08 00 00 27 22 40 a8 f0
*iappSocketTask: Mar 18 11:13:12.554:      [0128] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0144] 00 00 b0 14 01 00 00 00 00 12 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0160] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0176] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0192] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0208] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0224] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0240] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0256] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0272] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0288] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0304] 00 00 00 00 00 00 00 00 27 22 16 a3 f7 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0320] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ad
*iappSocketTask: Mar 18 11:13:12.554:      [0336] 10 01 00 00 00 00 24 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0352] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0368] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0384] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0400] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0416] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0432] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0448] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0464] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0480] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0496] 00 00 00 00 00 27 22 40 a9 37 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0512] 00 00 00 00 00 00 00 00 00 00 00 00 b1 13 01 00
*iappSocketTask: Mar 18 11:13:12.554:      [0528] 00 00 00 24 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0544] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0560] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0576] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0592] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0608] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0624] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0640] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0656] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0672] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0688] 00 00 27 22 40 a9 fd 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0704] 00 00 00 00 00 00 00 00 00 b2 16 01 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0720] 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0736] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0752] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554:      [0768] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
(Cisco Controller) >debug iapp all disable

WLC 5508-UC Certificate.

Hello All,
Does UC certificate is supported in cisco WLC 5508..?

Use a 3rd party certificate for sure for WebAuth.
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
You can always upload a certificate for management, since its internal, you just need toile sure your UC root ca is trusted by the client machines.
Sent from Cisco Technical Support iPhone App

Cannot add WLC 5508 to Prime Infrastructure 2.1

Regards,
I've been migrating / implementing a WCS to PI 2.1. I had several problems at first to add the 11 WLC we have to PI which I could be solving by trying and testing as I have not found many references by Cisco when it comes to troubleshooting when deploying PI.
I have several queries:
1. The WCS was added 11 WLC using different SNMP communities are configured on each of them. At first when trying to add the WLC had PI SNMP communication problems. I performed the test to eliminate any of the WLC added to WCS and add it again with some communities already existing R / W without any problem. At the end, I could not add the WLC so I had to create an SNMP community with the IP of Prime in the WLC so that they can be added. Does anyone know what is the cause of this?
2. I could not add a WLC 5508 IOS 7.3 using this method, even creating an SNMP community and IP mask 0.0.0.0 / 0. No access list or FW in between the WLC These WLC are spread over several countries but i was able to add the other WLC adding a community in each WLC pointing to the IP of Prime. It is similar to this case:
https://supportforums.cisco.com/discussion/12232506/cannot-add-wlc-5508-v761200-prime-infrastructure-21
Thanks for the help.

It turns out that this situation was caused by a bug in 7.6.120.0 (CSCuo73572).
TAC handed me an escalation image (7.6.120.16) that fixed this.
Added the controllers sucessfully on the first try.
Phill

WLC 5508 , AP client dhcp address different from WLAN interface VLAN subnet?

Hope the title makes sense, here's my situation: I have multiple businesses on 1 WLC 5508, there's a LAG to my core switch with seperate interfaces for each, broken up by vlans.
My question is: if i have a WLAN setup to use interface "Company A" which is vlan 10 with an ip of 10.0.1.5 which then points to 10.0.1.10 for dhcp.
Can the WLAN client connecting to the Company A WLAN use an IP in a different IP range?(192.168.1.10?) can the wlc route? from the perspective of the DHCP server where doers the request come from? (10.0.1.5?)
Can the DHCP server 10.0.10.10 on vlan 10 respond back with and ip on a different subnet to assign to the client to use and still be fully fonctioning? would the default gateway for the client need to be 10.0.1.5? So the clients ip would be 192.168.1.10 /24 with a gateway of 10.0.1.5 (ip adress fo vlan10 interface on WLC) And if multiple clients on the same subnet wanted to talk to each other woudl the WLC know how to route them to each other without passing through the default gateway?
Sorry if this is confusing I'm having a bit of a hard time explaining it in works, i can try and draw somethign up if it makes more sense.
thanks
Eric

I think if you want these clients to stick to a WLAN configured on a VLAN that has a different IP addressing you could configure your VLAN with the normal IP addressing then add on the SVI the 2nd IP_Class_default_gateway.
E.G.
Vlan 10
interface vlan 10
ip address 10.0.10.1 255.255.255.0
ip address 192.168.1.1 255.255.255.0 secondary
Clients that receive IP address from 192.168.1.0/24 network will be able to reach 192.168.1.1 and all traffic will pass right.

5508 WLC on 7.4MR2- Clients getting Disconnected using CWA

We are experiencing an issue with clients getting disconnected/time out from a wlan doing CWA. The clients are iphones. A debug client shows the error(Unknown Policy Timeout). This particular WLAN is used for provisioning with ISE. ISE shows the user authenticated the entuire time. At first, we though it was the user idle timeout setting on the WLAN advanced tab, but after increasing that clients still get disconnected. The disconnect occurs around 2 minutes. Sometimes longer around 10 minutes. Cisco seems to think we are hitting a bug introduced in 7.3.112 and will not be fixed until 8.0. Below are the bug details and the debug output. Has anyone seen this? Any possible work-arounds? Thanks.
(Cisco Controller) >debug *apfMsConnTask_7: Mar 20 17:19:02.573: Association request from the P2P Client Process P2P Ie and Upadte CB
*apfMsConnTask_7: Mar 20 17:19:02.765: Association request from the P2P Client Process P2P Ie and Upadte CB
*apfReceiveTask: Mar 20 17:20:40.442: 18:af:61:bb:55:2f 10.200.21.0 RUN (20) Unknown Policy timeout
*apfReceiveTask: Mar 20 17:20:40.442: 18:af:61:bb:55:2f 10.200.21.0 RUN (20) Pem timed out, Try to delete client in 10 secs.
*apfReceiveTask: Mar 20 17:20:40.443: 18:af:61:bb:55:2f Scheduling deletion of Mobile Station: (callerId: 12) in 10 seconds
*osapiBsnTimer: Mar 20 17:20:50.443: 18:af:61:bb:55:2f apfMsExpireCallback (apf_ms.c:615) Expiring Mobile!
*apfReceiveTask: Mar 20 17:20:50.443: 18:af:61:bb:55:2f apfMsExpireMobileStation (apf_ms.c:5835) Changing state for mobile 18:af:61:bb:55:2f on AP 54:78:1a:2f:84:50 from Associated to Disassociated
*apfReceiveTask: Mar 20 17:20:50.443: 18:af:61:bb:55:2f Scheduling deletion of Mobile Station: (callerId: 45) in 10 seconds
*osapiBsnTimer: Mar 20 17:21:00.442: 18:af:61:bb:55:2f apfMsExpireCallback (apf_ms.c:615) Expiring Mobile!
*apfReceiveTask: Mar 20 17:21:00.443: 18:af:61:bb:55:2f Sent Deauthenticate to mobile on BSSID 54:78:1a:2f:84:50 slot 1(caller apf_ms.c:5929)
*apfReceiveTask: Mar 20 17:21:00.443: 18:af:61:bb:55:2f Setting active key cache index 8 ---> 8
*apfReceiveTask: Mar 20 17:21:00.443: 18:af:61:bb:55:2f Deleting the PMK cache when de-authenticating the client.
*apfReceiveTask: Mar 20 17:21:00.443: 18:af:61:bb:55:2f Global PMK Cache deletion failed.
*apfReceiveTask: Mar 20 17:21:00.443: 18:af:61:bb:55:2f apfMsAssoStateDec
*apfReceiveTask: Mar 20 17:21:00.443: 18:af:61:bb:55:2f apfMsExpireMobileStation (apf_ms.c:5967) Changing state for mobile 18:af:61:bb:55:2f on AP 54:78:1a:2f:84:50 from Disassociated to Idle
https://tools.cisco.com/bugsearch/bug/CSCul43158
Symptom:Wireless devices are randomly disconnected every 5-10 minutes with unknown policy timeout message in debug client
Conditions:Clients using Central Web Authentication (CWA).
Workaround:none
More Info:

mine is with the following. Still trying to figure out why.
*osapiBsnTimer: Mar 17 12:58:05.949: f8:16:54:07:a8:78 apfMsExpireCallback (apf_ms.c:626) Expiring Mobile!
*apfReceiveTask: Mar 17 12:58:05.949: f8:16:54:07:a8:78 apfMsExpireMobileStation (apf_ms.c:6655) Changing state for mobile f8:16:54:07:a8:78 on AP 00:e1:6d:b2:a6:90 from Associated to Disassociated
*apfReceiveTask: Mar 17 12:58:05.949: f8:16:54:07:a8:78 Scheduling deletion of Mobile Station: (callerId: 45) in 10 seconds
*annyway, i've tried increasing the Session Timeout to 8hours and still testing it .. As my problem is not consistent, i have to monitor and see if its solved.

WLC 5508: 802.1 AAA override; Authenication success no dynamic vlan assignment

WLC 5508: software version 7.0.98.0
Windows 7 Client
Radius Server: Fedora Core 13 / Freeradius with LDAP storage backend
I have followed the guide at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml with respective to building the LDAP and free radius server. 802.1x authorization and authenication correctly work. The session keys are returned from the radius server and the wlc send the appropriate information for the client to generate the WEP key.
However, the WLC does not override the VLAN assignment, even though I was to believe I set everything up correctly. From the packet capture, you can see that verfication of client is authorized to use the WLAN returns the needed attributes:
AVP: l=4 t=Tunnel-Private-Group-Id(81): 10
AVP: l=6 t=Tunnel-Medium-Type(65): IEEE-802(6)
AVP: l=6 t=Tunnel-Type(64): VLAN(13)
I attached a packet capture and wlc config, any guidance toward the attributes that may be missing or not set correctly in the config would be most appreciated.

Yes good catch, so I had one setting left off in freeradius that allowed the inner reply attributes back to the outer tunneled accept. I wrote up a medium high level config for any future viewers of this thread:
The following was tested and verified on a fedora 13 installation.   This is a minimal setup; not meant for a "live" network (security issues with cleartext passwords, ldap not indexed properly for performance)
Install Packages
1. Install needed packages.
yum install openldap*
yum install freeradius*
2. Set the services to automatically start of system startup
chkconfig --level 2345 slapd on
chkconfig --level 2345 radiusd on
Configure and start LDAP
1. Copy the needed ladp schemas for radius. Your path may vary a bit
cp /usr/share/doc/freeradius*/examples/openldap.schema /etc/openldap/schema/radius.schema
2. Create a admin password for slapd. Record this password for later use when configuring the slapd.conf file
slappasswd
3. Add the ldap user and group; if it doesn't exisit. Depending on the install rpm, it may have been created
useradd ldap
groupadd ldap
4. Create the directory and assign permissions for the database files
mkdir /var/lib/ldap
chmod 700 /var/lib/ldap
chown ldap:ldap /var/lib/ldap
5. Edit the slapd.conf file.
cd /etc/openldap
vi slapd.conf
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#Default needed schemas
include        /etc/openldap/schema/corba.schema
include        /etc/openldap/schema/core.schema
include        /etc/openldap/schema/cosine.schema
include        /etc/openldap/schema/duaconf.schema
include        /etc/openldap/schema/dyngroup.schema
include        /etc/openldap/schema/inetorgperson.schema
include        /etc/openldap/schema/java.schema
include        /etc/openldap/schema/misc.schema
include        /etc/openldap/schema/nis.schema
include        /etc/openldap/schema/openldap.schema
include        /etc/openldap/schema/ppolicy.schema
include        /etc/openldap/schema/collective.schema
#Radius include
include        /etc/openldap/schema/radius.schema
#Samba include
#include        /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral    ldap://root.openldap.org
pidfile        /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args
# ldbm and/or bdb database definitions
#Use the berkely database
database    bdb
#dn suffix, domain components read in order
suffix        "dc=cisco,dc=com"
checkpoint    1024 15
#root container node defined
rootdn        "cn=Manager,dc=cisco,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw        secret
rootpw
{SSHA}
cVV/4zKquR4IraFEU7NTG/PIESw8l4JI
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools. (chown ldap:ldap)
# Mode 700 recommended.
directory    /var/lib/ldap
# Indices to maintain for this database
index objectClass                       eq,pres
index uid,memberUid                     eq,pres,sub
# enable monitoring
database monitor
# allow onlu rootdn to read the monitor
access to *
         by dn.exact="cn=Manager,dc=cisco,dc=com" read
         by * none
6. Remove the slapd.d directory
cd /etc/openldap
rm -rf slapd.d
7. Hopefully if everything is correct, should be able to start up slapd with no problem
service slapd start
8. Create the initial database in a text file called /tmp/initial.ldif
dn: dc=cisco,dc=com
objectClass: dcobject
objectClass: organization
o: cisco
dc: cisco
dn: ou=people,dc=cisco,dc=com
objectClass: organizationalunit
ou: people
description: people
dn: uid=jonatstr,ou=people,dc=cisco,dc=com
objectClass: top
objectClass: radiusprofile
objectClass: inetOrgPerson
cn: jonatstr
sn: jonatstr
uid: jonatstr
description: user Jonathan Strickland
radiusTunnelType: VLAN
radiusTunnelMediumType: 802
radiusTunnelPrivateGroupId: 10
userPassword: ggsg
9. Add the file to the database
ldapadd -h localhost -W -D "cn=Manager, dc=cisco,dc=com" -f /tmp/initial.ldif
10. Issue a basic query to the ldap db, makes sure that we can request and receive results back
ldapsearch -h localhost -W -D cn=Manager,dc=cisco,dc=com -b dc=cisco,dc=com -s sub "objectClass=*"
Configure and Start FreeRadius
1. Configure ldap.attrmap, if needed. This step is only needed if we need to map and pass attributes back to the authenicator (dynamic vlan assignments as an example). Below is an example for dynamic vlan addresses
cd /etc/raddb
vi ldap.attrmap
For dynamic vlan assignments, verify the follow lines exist:
replyItem    Tunnel-Type                                   radiusTunnelType
replyItem    Tunnel-Medium-Type                   radiusTunnelMediumType
replyItem    Tunnel-Private-Group-Id              radiusTunnelPrivateGroupId
Since we are planning to use the userpassword, we will let the mschap module perform the NT translations for us. Add the follow line to check ldap object for userpassword and store as Cleartext-Password:
checkItem    Cleartext-Password    userPassword
2. Configure eap.conf. The following sections attributes below should be verified. You may change other attributes as needed, they are just not covered in this document.
eap
{      default_eap_type = peap      ..... }
tls {
    #I will not go into details here as this is beyond scope of setting up freeradisu. The defaults will work, as freeradius comes with generated self signed certificates.
peap {
    default_eap_type = mschapv2
    #you will have to set this to allowed the inner tls tunnel attributes into the final accept message
    use_tunneled_reply = yes
3. Change the authenication and authorization modules and order.
cd /etc/raddb/sites-enabled
vi default
For the authorize section, uncomment the ldap module.
For the authenicate section, uncomment the ldap module
vi inner-tunnel
Very importants, for the authorize section, ensure the ldap module is first, before mschap. Thus authorize will look like:
authorize
{      ldap      mschap      ...... }
4. Configure ldap module
cd /etc/raddb/modules
ldap
{        server=localhost       identify = "cn=Manager,dc=cisco,dc=com"        password=admin       basedn="dc=cisco,dc=com"       base_filter = "(objectclass=radiusprofile)"       access_attr="uid"       ............   }
5. Start up radius in debug mode on another console
radiusd -X
6. radtest localhost 12 testing123
You should get a Access-Accept back
7. Now to perform an EAP-PEAP test. This will require a wpa_supplicant test libarary called eapol_test
First install openssl support libraries, required to compile
yum install openssl*
yum install gcc
wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.10.tar.gz
tar xvf wpa_supplicant-0.6.10.tar.gz
cd wpa_supplicant-0.6.10/wpa_supplicant
vi defconfig
Uncomment CONFIG_EAPOL_TEST = y and save/exit
cp defconfig .config
make eapol_test
cp eapol_test /usr/local/bin
chmod 755 /usr/local/bin/eapol_test
8. Create a test config file named eapol_test.conf.peap
network=
{   eap=PEAP eapol_flags=0 key_mgmt=IEEE8021X identity="jonatstr"   password="ggsg" \#If you want to verify the Server certificate the below would be needed   \#ca_cert="/root/ca.pem" phase2="auth=MSCAHPV2"   }
9. Run the test
eapol_test -c ~/eapol_test.conf.peap -a 127.0.0.1 -p 1812 -s testing123

Mapping Multiple VLANs to Multiple SSIDs as one-one in WLC 5508 via H-REAP?

Hi All,
Can anyone please show me how to map a SSID/WLAN ID to a local vlan of a LAP in WLC 5508 using H-REAP local switched? The reason of doing this is to separate Data subnet/traffic from Voice as currently all 7925 handsets using same SSID as PCs. I would like to create two VLANs on APs and map them to two SSIDs. I could not see any option in WLC5508 to do this. Also when I change the AP mode from H-REAP to local and configuring sub interface using dot1q on the interface Gi0 then unable write running-config to startup-config because I get NVRAM Verification Failed as WLC protects any local changes on any registered LAP at NVRAM.
Your help is much appreciated.

Mehdi:
I am talking about HREAP groups, not AP groups.
You can not achieve what you want if you are using the same SSID on same AP with only a WLC (same AP with same SSID is mapped to different VLANs). You may need a radius server to dynamically assign a VLAN to the clients if you are using same SSID for data and voice.
If you are using different SSIDs for voice and data, you can map each SSID to its corresponding VLAN on the remote site using the VLAN mapping option under HREAP tab in the AP config page.
You can not configure the AP from its console. Lightweight APs can only be configured from the controller. (a few exceptions are available that do not apply here) .
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"

WLC 5508 * 2 & Mobility Group

What I am trying to configure is Mobility Groups.
My understanding is that this will allow AP to successfully register and fail over over seamlessly if any of the WLC had to fail ?
It could be I am confusing two things into one :( & I am totally confused and not understanding the benefits of mobility group mentioned above.
Also when a AP starts up and registers with the WLC ......I click on a registered AP > High Availability ( Primary / Sec / Tertiary ) all fields are blank...
Initially I also thought that once my SSO is all setup and working than those options "AP > High Availability" will get populated automatically but clearly not unless something is not working.
My current config is as follows:-
WLC 5508 * 2
WLC 1 - Primary
WLC 2 - HA SKU (Secondary )
Redundancy = SSO (Both AP and Client SSO)
=============
(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.6.130.0
Bootloader Version............................... 1.0.20
Field Recovery Image Version..................... 7.6.101.1
Firmware Version................................. FPGA 1.7, Env 1.8, USB console 2.2
Build Type....................................... DATA + WPS
System Name...................................... WLC5508
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
Redundancy Mode.................................. SSO (Both AP and Client SSO)
IP Address....................................... 10.31.66.21
Last Reset....................................... Software reset
System Up Time................................... 0 days 22 hrs 39 mins 57 secs
System Timezone Location......................... (GMT) London, Lisbon, Dublin, Edinburgh
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180
Configured Country............................... GB - United Kingdom
Operating Environment............................ Commercial (0 to 40 C)
--More-- or (q)uit
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +38 C
External Temperature............................. +21 C
Fan Status....................................... OK
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 1
Number of Active Clients......................... 0
Burned-in MAC Address............................ F8:72:EA:EE:5B:B2
Power Supply 1................................... Present, OK
Power Supply 2................................... Absent
Maximum number of APs supported.................. 500
============================================
TA

TA,
Mobility and mobility groups are used for the wireless users roaming. What we know that a wireless users can roam between different APs within the same WLC, but when the SSID is used within multiple WLCs, and the client wanted to roam to an AP joined to another WLC, you would need to configure WLC mobility to maintain seamless roaming. For more info:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_010001101.html
Now, I understand that your purpose is to have high availability for your APs. No this is done traditionally from the AP page, under HA tab, where you configure the WLCs names and IPs there. This can be done manually on each AP (you can use CLI to make it easier) or you can push a configuration template using a management server (WCS/NCS/CPI).
Configuring HA on the AP:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01110000.html
http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01110001.html
Using CPI to push AP configuration templates:
http://www.cisco.com/c/en/us/td/docs/wireless/prime_infrastructure/2-0/configuration/guide/pi_20_cg/temp.html
Now mobility may play a role in this, as if you have already configured mobility for your WLCs, then you won't need to configure a "name" for the WLCs when you add them under the HA tab in AP configuration page. That's it.
BR, Ala

WLC 5508 AP Group - Clients using wrong VLAN

Similar Messages

Maybe you are looking for