WLC 5508 cannot have similar user logged twice !

Dear Support Community,
I was having users on a Cisco WLC 440x controllers. Some service accounts were logged several time with the same AD-Account.
Since I migrated them on the new controller (5508), it seems that we cannot have the same AD user logged several time.
I changed the Radius server with the one we were using on the old 440x but situation seems to be same,
I checked the error message when trying to start a second similar connection they looks like :
*Dot1x_NW_MsgTask_4: Aug 24 14:04:51.558: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3062 Max EAP identity request retries (3) exceeded for client xxxxxxxxxxx
*Dot1x_NW_MsgTask_4: Aug 24 14:04:51.558: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447
Authentication aborted for client xxxxxxxxxxx
If I move back to the other 440x similar logins are allowed without any problems.
Could you tell me where I should look to fix this ?
Thanks for your help,
Regards
P.S. We use certificates with users.

besides what scott says, I just wanted you to give a look into the footnote in the screenshot that Scott provided.
When using 802.1x security make sure max-login-ignore-identity-response is disabled
You can enable/disable max-login-ignore-identity-response from Security->Local EAP->General. The concurrent login configuration won't work until you disable this feature.
HTH
Amjad
You want to say "Thank you"?
Don't. Just rate the useful answers,
that is more useful than "Thank you".

Similar Messages

Cannot have multiple users logged in at once on a single client computer

I am running OSX 10.6 Snow Leopard Server on a Mac Pro, and have two iMacs (27.5") as clients in my workgroup.
Computer A : Server
Computer B, C : Client machines
The problem is that when user1 is logged onto the server network drive (/Network/Servers/ComputerA/Users/~user1/) from a given client (say ComputerB), it is not possible to login another user (user2) onto the server network drive from client Computer B.
It IS possible however for user2 to log in from another client machine (ComputerC) without any problem and access his home directory.
Similarly it IS possible for a local user to log onto ComputerB while a network user is logged onto the central file server.
If user1 is logged into ComputerB, and user 2 is logged onto ComputerC, if user1 ssh's over to Computer B, he can log in, but he cannot access his home directory, getting the following error:
Could not chdir to home directory /Network/Servers/nplab0/Users/chris_dimattina: Permission denied
-bash: /Network/Servers/nplab0/Users/chrisdimattina/.bashprofile: Permission denied
and gets sent to the root directory of ComputerB.
Any help would be appreciated!!
Thanks,
Chris

Thanks!
What can I do to fix it? Should I use NFS protocol instead?
I basically want to make my workgroup into a standard UNIX workgroup where lots of different people can be logged in and running jobs on the same machine.
Chris

WLC-5508 (7.0.98.0) - logs

We are seeing the below logs on the 5508 controllers running on 7.0.98, can someone help me with the resolution
<134>Airespace_01: *apfProbeThread: Mar 05 14:53:46.938: %APF-6-PROC_DOT11_MAC_MGMT_DATA_FAILED: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored. [...It occurred 36 times/sec!.]
The above log occured around 60,000 times in last 7 days (not for the same client) - a quick google search led me to CSCtf38685 Bug
Resolution-- Upgrade ( please let me know if this not the correct or if there is a work around for this)
<132>Airespace_01: *apfMsConnTask_2: Mar 05 16:39:44.178: %APF-4-ASSOCREQ_PROC_FAILED: apf_80211.c:2998 Failed to process an association request from 00:17:23:0a:a5:40. WLAN:8, SSID:XXXXX. mobile in database timed out
The above log occured around 15,000 times in last 7 days (not for the same client)
Resolution- Increase the user Idle Timeout value ( default 300 sec)-- Please let me know if this is not the correct resolution
<133>Airespace_01: *mmListen: Mar 05 17:11:43.787: %OSAPI-5-OSAPI_INVALID_TIMER: timerlib.c:542 Failed to retrive timer
The above log occured around 19,000 times in last 7 days (not for the same client)
Resolution-- Upgrade ( please let me know if this not the correct or if there is a work around for this)
<132>Airespace_01: *apfOrphanSocketTask: Mar 05 17:51:11.325: %APF-4-REGISTER_IPADD_ON_MSCB_FAILED: apf_foreignap.c:1283 Could not Register IP Add on MSCB. MSCB still in init state. Address:cc:08:e0:ca:62:70
The above log occured around 5,000 times in last 7 days (not for the same client)
Resolution- Reboot the controller-- We rebooted the controller but that didn't fix the issue- any other work around
131>Airespace_01: *dot1xMsgTask: Mar 05 17:51:03.312: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:407 Max EAPOL-key M1 retransmissions exceeded for client 00:17:23:0e:9c:34
I have only one SSID that have 802.1x enabled and there are no clients associated with that SSID, is there a way to check which SSID the clients in the above log are trying to get on to?
Thanks for your help....
Siddhartha

Thanks Scott,
We have two controllers and all the APs (50) are associated with the primary Controller,what is the best path to follow for the upgrade.
we don't have Field recoversy image installed on our controller, do we have to do the FSU upgrade?
(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.98.0
Bootloader Version............................... 1.0.1
Field Recovery Image Version..................... N/A
Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
Build Type....................................... DATA + WPS
System Name...................................... Airespace_01
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
IP Address....................................... 10.0.0.201
Last Reset....................................... Power on reset
System Up Time................................... 9 days 2 hrs 57 mins 21 secs
System Timezone Location......................... (GMT -6:00) Central Time (US and Canada)
Current Boot License Level....................... base
Current Boot License Type........................ Permanent
Next Boot License Level.......................... base
Next Boot License Type........................... Permanent
Configured Country............................... Multiple Countries:US,CN,DE,TW,HK
Is the below Upgrade Path make sense ?
1. Upgrade the Primary controller and reboot- wait till all APs associate with primary controller and download the new image
2. Upgrade the secondary controller and reboot
3. Failover the APs to secondary controller and test
Siddhartha

WLC 5508 cannot change SSID

Hello,
I have an issue where I cannot get clients to change SSID. I have two SSID, one WPA2 secure, one open guest. The secure is locally switched via Flexconnect and the guest is centrally switched. Both of them work. I have been able to test this and both work as intended. The problem is that once you connect to one of them, either secure or guest, you cannot then change to the other. The only way to change is to delete the dhcp entry from the scope and then do it.
Fast SSID change is enabled. I also have debug client output from when the client fails when you try to switch which I will include below. I also pulled some wireshark captures and those show me that the DHCP ack packets are trying to give the client the ip address from the incorrect/previous scope. So basically it's like FAST SSID change is not working and the client is never being disassociated properly??
I am totally stumped and even though the client will most likely not be switched between SSID that often I would still like to know the solution.
Cisco 5508 running 7.2.110.0
Cisco 3502 LWAPP
windows server 2008 dhcp server
DHCP Socket Task: Dec 07 09:37:23.023: a4:d1:d2:14:fc:51 DHCP successfully bridged packet to DS
*apfMsConnTask_0: Dec 07 09:39:35.149: a4:d1:d2:14:fc:51 Association received from mobile on AP 18:33:9d:5e:c8:70
*apfMsConnTask_0: Dec 07 09:39:35.149: a4:d1:d2:14:fc:51 0.0.0.0 WEBAUTH_REQD (8) Changing IPv4 ACL 'Guest - Internet Only' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
*apfMsConnTask_0: Dec 07 09:39:35.149: a4:d1:d2:14:fc:51 0.0.0.0 WEBAUTH_REQD (8) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
*apfMsConnTask_0: Dec 07 09:39:35.150: a4:d1:d2:14:fc:51 Applying site-specific Local Bridging override for station a4:d1:d2:14:fc:51 - vapId 3, site 'VanBuren', interface 'wireless guest'
*apfMsConnTask_0: Dec 07 09:39:35.150: a4:d1:d2:14:fc:51 Applying Local Bridging Interface Policy for station a4:d1:d2:14:fc:51 - vlan 50, interface id 11, interface 'wireless guest'
*apfMsConnTask_0: Dec 07 09:39:35.150: a4:d1:d2:14:fc:51 Applying site-specific override for station a4:d1:d2:14:fc:51 - vapId 3, site 'VanBuren', interface 'wireless guest'
*apfMsConnTask_0: Dec 07 09:39:35.150: a4:d1:d2:14:fc:51 0.0.0.0 WEBAUTH_REQD (8) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'Guest - Internet Only' (ACL ID 0) --- (caller apf_policy.c:1795)
*apfMsConnTask_0: Dec 07 09:39:35.150: a4:d1:d2:14:fc:51 0.0.0.0 WEBAUTH_REQD (8) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
*apfMsConnTask_0: Dec 07 09:39:35.150: a4:d1:d2:14:fc:51 processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_0: Dec 07 09:39:35.150: a4:d1:d2:14:fc:51 processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_0: Dec 07 09:39:35.150: a4:d1:d2:14:fc:51 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
*apfMsConnTask_0: Dec 07 09:39:35.151: a4:d1:d2:14:fc:51 suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_0: Dec 07 09:39:35.151: a4:d1:d2:14:fc:51 apfMs1xStateDec
*apfMsConnTask_0: Dec 07 09:39:35.151: a4:d1:d2:14:fc:51 0.0.0.0 WEBAUTH_REQD (8) Change state to START (0) last state WEBAUTH_REQD (8)
*apfMsConnTask_0: Dec 07 09:39:35.151: a4:d1:d2:14:fc:51 pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfMsConnTask_0: Dec 07 09:39:35.151: a4:d1:d2:14:fc:51 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_0: Dec 07 09:39:35.151: a4:d1:d2:14:fc:51 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state WEBAUTH_REQD (8)
*apfMsConnTask_0: Dec 07 09:39:35.151: a4:d1:d2:14:fc:51 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state WEBAUTH_REQD (8)
*pemReceiveTask: Dec 07 09:39:35.151: a4:d1:d2:14:fc:51 0.0.0.0 Removed NPU entry.
*apfMsConnTask_0: Dec 07 09:39:35.151: a4:d1:d2:14:fc:51 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 18:33:9d:5e:c8:70 vapId 3 apVapId 2for this client
*apfMsConnTask_0: Dec 07 09:39:35.151: a4:d1:d2:14:fc:51 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Dec 07 09:39:35.151: a4:d1:d2:14:fc:51 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 18:33:9d:5e:c8:70 vapId 3 apVapId 2 flex-acl-name:
*apfMsConnTask_0: Dec 07 09:39:35.151: a4:d1:d2:14:fc:51 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state WEBAUTH_REQD (8)
*apfMsConnTask_0: Dec 07 09:39:35.151: a4:d1:d2:14:fc:51 0.0.0.0 DHCP_REQD (7) pemApfAddMobileStation2 3124, Adding TMP rule
*apfMsConnTask_0: Dec 07 09:39:35.151: a4:d1:d2:14:fc:51 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
type = Airespace AP - Learn IP address
on AP 18:33:9d:5e:c8:70, slot 1, interface = 13, QOS = 0
IPv4 ACL ID = 255, IP
*apfMsConnTask_0: Dec 07 09:39:35.151: a4:d1:d2:14:fc:51 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206 Local Bridging Vlan = 50, Local Bridging intf id = 11
*apfMsConnTask_0: Dec 07 09:39:35.151: a4:d1:d2:14:fc:51 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255)
*apfMsConnTask_0: Dec 07 09:39:35.151: a4:d1:d2:14:fc:51 0.0.0.0 DHCP_REQD (7) pemApfAddMobileStation2 3268, Adding TMP rule
*apfMsConnTask_0: Dec 07 09:39:35.151: a4:d1:d2:14:fc:51 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
type = Airespace AP - Learn IP address
on AP 18:33:9d:5e:c8:70, slot 1, interface = 13, QOS = 0
IPv4 ACL ID = 255,
*apfMsConnTask_0: Dec 07 09:39:35.151: a4:d1:d2:14:fc:51 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206 Local Bridging Vlan = 50, Local Bridging intf id = 11
*apfMsConnTask_0: Dec 07 09:39:35.151: a4:d1:d2:14:fc:51 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255)
*apfMsConnTask_0: Dec 07 09:39:35.151: a4:d1:d2:14:fc:51 apfPemAddUser2 (apf_policy.c:270) Changing state for mobile a4:d1:d2:14:fc:51 on AP 18:33:9d:5e:c8:70 from Associated to Associated
*apfMsConnTask_0: Dec 07 09:39:35.151: a4:d1:d2:14:fc:51 Scheduling deletion of Mobile Station: (callerId: 49) in 1800 seconds
*apfMsConnTask_0: Dec 07 09:39:35.152: a4:d1:d2:14:fc:51 Sending Assoc Response to station on BSSID 18:33:9d:5e:c8:70 (status 0) ApVapId 2 Slot 1
*apfMsConnTask_0: Dec 07 09:39:35.152: a4:d1:d2:14:fc:51 apfProcessAssocReq (apf_80211.c:6309) Changing state for mobile a4:d1:d2:14:fc:51 on AP 18:33:9d:5e:c8:70 from Associated to Associated
*pemReceiveTask: Dec 07 09:39:35.152: a4:d1:d2:14:fc:51 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*pemReceiveTask: Dec 07 09:39:35.152: a4:d1:d2:14:fc:51 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*DHCP Socket Task: Dec 07 09:39:35.178: a4:d1:d2:14:fc:51 DHCP received op BOOTREQUEST (1) (len 308,vlan 0, port 13, encap 0xec03)
*DHCP Socket Task: Dec 07 09:39:35.178: a4:d1:d2:14:fc:51 DHCP processing DHCP REQUEST (3)
*DHCP Socket Task: Dec 07 09:39:35.178: a4:d1:d2:14:fc:51 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Dec 07 09:39:35.178: a4:d1:d2:14:fc:51 DHCP   xid: 0xbdc7df36 (3183992630), secs: 0, flags: 0
*DHCP Socket Task: Dec 07 09:39:35.178: a4:d1:d2:14:fc:51 DHCP   chaddr: a4:d1:d2:14:fc:51
*DHCP Socket Task: Dec 07 09:39:35.178: a4:d1:d2:14:fc:51 DHCP   ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Dec 07 09:39:35.178: a4:d1:d2:14:fc:51 DHCP   siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Dec 07 09:39:35.178: a4:d1:d2:14:fc:51 DHCP   requested ip: 10.2.4.42
*DHCP Socket Task: Dec 07 09:39:35.178: a4:d1:d2:14:fc:51 DHCP successfully bridged packet to DS
*DHCP Socket Task: Dec 07 09:39:36.972: a4:d1:d2:14:fc:51 DHCP received op BOOTREQUEST (1) (len 308,vlan 0, port 13, encap 0xec03)
*DHCP Socket Task: Dec 07 09:39:36.972: a4:d1:d2:14:fc:51 DHCP processing DHCP REQUEST (3)
*DHCP Socket Task: Dec 07 09:39:36.972: a4:d1:d2:14:fc:51 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Dec 07 09:39:36.972: a4:d1:d2:14:fc:51 DHCP   xid: 0xbdc7df36 (3183992630), secs: 2, flags: 0
*DHCP Socket Task: Dec 07 09:39:36.972: a4:d1:d2:14:fc:51 DHCP   chaddr: a4:d1:d2:14:fc:51
*DHCP Socket Task: Dec 07 09:39:36.972: a4:d1:d2:14:fc:51 DHCP   ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Dec 07 09:39:36.972: a4:d1:d2:14:fc:51 DHCP   siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Dec 07 09:39:36.972: a4:d1:d2:14:fc:51 DHCP   requested ip: 10.2.4.42
*DHCP Socket Task: Dec 07 09:39:36.972: a4:d1:d2:14:fc:51 DHCP successfully bridged packet to DS
*DHCP Socket Task: Dec 07 09:39:39.351: a4:d1:d2:14:fc:51 DHCP received op BOOTREQUEST (1) (len 308,vlan 0, port 13, encap 0xec03)
*DHCP Socket Task: Dec 07 09:39:39.351: a4:d1:d2:14:fc:51 DHCP processing DHCP REQUEST (3)
*DHCP Socket Task: Dec 07 09:39:39.351: a4:d1:d2:14:fc:51 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Dec 07 09:39:39.351: a4:d1:d2:14:fc:51 DHCP   xid: 0xbdc7df36 (3183992630), secs: 4, flags: 0
*DHCP Socket Task: Dec 07 09:39:39.351: a4:d1:d2:14:fc:51 DHCP   chaddr: a4:d1:d2:14:fc:51
*DHCP Socket Task: Dec 07 09:39:39.351: a4:d1:d2:14:fc:51 DHCP   ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Dec 07 09:39:39.352: a4:d1:d2:14:fc:51 DHCP   siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Dec 07 09:39:39.352: a4:d1:d2:14:fc:51 DHCP   requested ip: 10.2.4.42
*DHCP Socket Task: Dec 07 09:39:39.352: a4:d1:d2:14:fc:51 DHCP successfully bridged packet to DS
*DHCP Socket Task: Dec 07 09:39:39.352: a4:d1:d2:14:fc:51 Failed to get response for 3 dhcp attempts from client.Total DHCP failed count for the interface wireless guest : 10

External windows 2008 dhcp server. The ip-helper on the L3 interface is working because it will pull dhcp just fine as long as it is the first SSID you connect with. Once you have the an address from dhcp and try to change it keeps wanting to give me that same address even though my L3 interfaces for the two SSIDs are on two separate vlans each with a separate scope (vlan 31 and vlan 50). Although each vlan uses the same dhcp server but that does not matter since I have two different scopes setup. One for each subnet.

Cisco WLC 5508 simultaneous Web Auth Users logins?

Hi there,
We have 2 WLC5508 (7.2.111.3) with several SSID's.
One of them is configured as Passthrough with an external splash server. Works fine.
Now we want to use the "On MAC Filter failure".
If the client MAC-adresse is configured under MAC Filtering on the WLC, the authentication is done without WebAuth.
If MAC-adress is not known, the client will be redirect to the external WebAuth server for authentication.
To keep the Passthrough functionality for the user, we hardcoded an username&password in the splash-page.
So, every client WebAuth uses the same username&password for authentication against the WLC.
User Login Policies is set to unlimited.
So far so good, it seems to work, but I have read, that Cisco 5500 controllers supports only 150 simultaneous Web Auth Users logins.
The two WLC's have abount 100-170 clients connected.
Question:
- Will these be an issue with the 150 simultaneous logins, despited when usin only one user for all Wifi-clients?
- Can the user WebAuth be done with a Cisco ISE like Passthrough, no username&password should be entered by the user.
If yes, some guide information wolud be great.
- When successfully authenticated, a logout screen shows on the Windows client. Can this be hidden some how?
Thanks for the answers ;-)
Kind regards,
Norbert

Question:
- Will these be an issue with the 150 simultaneous logins, despited when usin only one user for all Wifi-clients?
> I believe this means at the same time... I have clients doing the same thing with hundreds or more of guest users
- Can the user WebAuth be done with a Cisco ISE like Passthrough, no username&password should be entered by the user.
If yes, some guide information would be great.
> ISE is really used to login with a username and password and to be able to profile. You would need to ask that on the Security forum to get their input if this is something then would do or just leave it on the WLC
- When successfully authenticated, a logout screen shows on the Windows client. Can this be hidden some how?
> Not really... some machines with popup blocker does block this and you don't see the logout, but you can't remove this.
Thanks,
Scott
*****Help out other by using the rating system and marking answered questions as "Answered"*****

Multiple users logged into one server, each users printer has a different name, application needs ONE name to print to.

Multiple users logged into one server, each users printer has a different name, application needs ONE name to print to.
I'm NOT in any way a Terminal Services expert and I need help trying to get an application program working in a multi-user environment.
The issue is that the printer changes for every user that is logged in. The application needs to print NOT to the default printer, but to a "special" printer which is selected in the application... let's call it a label printer to simplify the explanation.
You have your default regular printer, easy for the application to find that one, and then you have a special printer that labels get printed onto. The application needs to know what printer is the label printer. So we allow the user to select that in the
application and the selection is stored in a config file in
C:\ProgramData\mfgr\prog\setting files
I don't have access to the application so I can't change how this works.
In the "regular" world, selecting the label printer driver to use should be per machine, NOT per user. When a new user logs into a machine, the physical printer doesn't go "poof" and a new printer suddenly appear. Same printer for all
users.
Yet in terminal services, the physical machine is "merged" with the virtual machine on the server. And there can be many users logged in at the same time. So each users real machine (and real printer) is injected into the "fake" terminal
services machine. The name of the printers is made unique for each user. So the printers DO go "poof" and change names depending on the user logged into terminal services.
So user "A" logs in and sets up the application to print to "LabelPrinterForUserA" (or whatever the name of the printer happens to be), that setting is stored in the ProgramData subfolder, and all is well. Later, user "B" logs
in, and when they print, the application tries to print to "LabelPrinterForUserA" which doesn't exist for user B or is only accessible by user A. If user B re-configures, that breaks it for user A.
SOLUTION 1: The way that /should/ work (in my mind) is that you define one "generic" printer in Terminal Services... call it "Virtual Label printer" and when the user wants to print to it, the print job gets re-directed back to whatever
physical printer is actually connected to their local workstation. There is a map of virtual printer to actual printer depending on the current user. The application is told once to print to "Virtual Label Printer" for all users.
SOLUTION 2: Or... there should be some way to make the ProgramData sub folders separate per user. E.g. when user "A" tries to access:
C:\ProgramData\mfgr\prog\setting files
they actually get
C:\UserData\UserA\AppData\mfgr\prog\setting files
and user "B" gets
C:\UserData\UserB\AppData\mfgr\prog\setting files
So the question I have is: Does either of those solutions exist hidden somewhere in the setup of terminal server? Or is there another way around this issue that I don't know?

I don't really have a "for sure" answer to this, but because people here can't seem to deal with a question that hasn't been answered I'll provide the best answer I did receive from ServerFault.com user Nathan:
I can feel your pain with using old software on terminal servers ...the solution I've come up with definitely won't scale as it requires some manual configuration, but I've gotten this method to work with our label printers (which require to be
printed to an LPT port...yep, that old).
Share your USB-connected printers to the network on each machine. Then, have the user log in on aunique session for each of them
(a TS account cannot be shared among computers for this to work) and install a network printer pointing to the USB one they shared. Try to use a DNS name to account for possible DHCP movements.
After, it should work. Each user can do this since display names can be identical as long as the ports are different (which they are).
This was clarified by the following series of comments:
I think you are on to something here, and I originally advised the admin to do this. The problem he ran into is that it setup the printer names in the TS as "printer on usersworkstation"
and he could not rename it except to change the "printer" to whatever. E.g. the "on userworkstation" remained. I believe there is another way of installing the printer which avoids this, but I can't find it. Ages ago, one used to do NET
USE LPT2 \\computer\printer password /USER:domain\user /PERSISTENT:YES and then tell the driver to print to LPT2 –  James
Newton Mar
17 at 16:21
@JamesNewton That's actually the exact method we used. The way around the "network printer" part is to install it as local printer and map it to a TCP/IP port that way. –  Nathan
C Mar
17 at 16:28
You mean in the case where the printers are TCP/IP connected and not local USB / LPT to the users workstation? That makes sense. Wonder if this will work for USB connected printers... –  James
NewtonMar
17 at 16:35
@JamesNewton You'd share the local printer on the client's PC then on the server connect via TCP/IP to it. You'd need static addresses or use DNS names if DHCP, though. –  Nathan
C Mar
17 at 16:51
Ah. Yes. I see. Looks like the LPT thing should work even with a USB connected printer:superuser.com/questions/182655/… –  James
Newton Mar
17 at 17:09

Scanner Sharing Only Working With a User Logged Into Host Computer

I have been able to get my Brother MFC7020 to work perfectly with the network. I have gotten the scanning to work over the sharing system as well but with a weird glitch. I must have a user logged into the host computer in order for the shared scanner to appear in Image Capture. If I log out of the host computer, the scanner disappears. I have double checked my settings, I have locked the preference pane, and I still have this issue. For some reason when the host computer is idle at the login window I cannot access the shared scanner. Printing usually works however.
I am running Snow Leopard 10.6.4 on all machines in the network and the host is a mini.

Probably because the process is set up as a launch agent instead of a launch daemon. Agents launch when somebody logs in. Daemons can run when the system starts up or when someone logs in. You could try moving the plist (which is probably in /Library/LaunchAgents) to the /Library/LaunchDaemons folder and see what happens. But, if it is not designed to run in that environment, it won't work right.
The plist should have a name like com.brother.something.plist. You will need to restart to get it to register correctly.

WLC 5508 & Windows Server 2008 radius

Hello guys, I need some bailout here. I have a WLC 5508 which i have configured for AP's but i would like to use the windows server 2008 as the radius server to authenticate the Active directory users.
Can i use a separate windows server 2008 as the radius server or I have to use the same server working as the Active directory?
I don't want to request unnecessary server from my client.
Rgds,
Anthony

I am trying to take my WLC 5508 and have backend authentication through LDAP using web auth. i have tried and tried to set this up but it fails everytime.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml
I used that document to get me most of the way there but i cant get the part in the WLC where i go to SECURITY>AAA>LDAP, from here i click on the SERVER index that I want to use which is 1 and not sure what creditenals to put in some of those fields on there. the fields are USER BASE DN: , USER ATTRIBUTE: , and USER OBJECT TYPE: . I have tried to do it as the link says from above but it just does not work.

Mail with two users logged in

I'm having a problem in which if I have two users logged into my Mini and one
of the two users launches Mail, the other user has mail launch as well. Now this
wouldn't be a big deal except when my wife gets on the mini and my user is logged in and I'm at work, the fact that Mail is launched on my account, it will block
Thunderbird at work. How can I stop Mail from launching on the non-active user
when the active user launches it?

You could get a KVM (Keyboard/Video/Mouse) switch for the monitor on the kid's computer. If it doesn't have VGA connection it might cost a bit more to find a DVI compatible switch (or you'd need a DVI-VGA adapter) but they are available.
Search Google, or websites for computer stuff retailers like OtherWorld Computing, CompUSA, etc.

TS3147 Printers Pausing: Other Users Log-off before job done permanently pauses printers

I have a problem with printers pausing. I work for a University, and this concerns computer lab Macs. Whenever someone Prints to a printer, and logs off before the print job is completely though, the printer pauses permanently for all other users.
I have found 2 temporary fixes:
     1) have initial user log back in, and allow job to complete (Hard to do, since there are 4000+ students here)
     2) Delete printer and re-add them (I unpause close to 1-3 printers a day this way currently)
Since those fixes require multiple trips, and or trying to reach people, they are not great solutions
How can I fix this problem so it won't happen again?
Theories of how to fix I don't know how to impliment (I normally am a PC guy):
     1) Clear print que on log-off Script
     2) Delay Log-off Script (Allow print job to go though)
     3) Checkbox somewhere to override the printers pausing?
Happens on both our iMacs, and Mac Minis we use on campus.

4on6 wrote:There are some related threads in this forum, but I still can't figure out what is my problem (printer works in some situations - printing a pdf in evince or a webpage in chromium - but in others not, e.g. printing from emacs).
The distinction that comes to mind here is that emacs (and some others) will print via lp. I suspect that the default printer for lp is not set, and therefore the print job is lost.
To test this, create ~/.cups/lpoptions (if you don't already have it) with the content:
Default <The_Name_Of_My_Printer_In_CUPS>
And see if that helps.

I have a Win7Pro SP1 PC locked down with a Group Policy as it is a public facing PC. PDF fillable forms cannot be completed when logged on as the restricted user. The forms work as a normal user. What are the user requirements/permissions needed to fill f

I have a Win7Pro SP1 PC locked down with a Group Policy as it is a public facing PC. PDF fillable forms cannot be completed when logged on as the restricted user. The forms work as a normal user. What are the user requirements/permissions needed to fill forms?

Well, try this (I was able to fix my with these steps):
Go Utilities > Disk Utility
Select your Startup Disk, e.g. Macintosh HD
Then, under the First Aid Tab, click Verify Disk Permissions.
If there are errors, then click repair Disk Permissions.
After it is done, restart the computer and see if your problem is resolved.
I hope this help.
Zeke
www.ZekeYuen.com/blog/

Cannot add WLC 5508 to Prime Infrastructure 2.1

Regards,
I've been migrating / implementing a WCS to PI 2.1. I had several problems at first to add the 11 WLC we have to PI which I could be solving by trying and testing as I have not found many references by Cisco when it comes to troubleshooting when deploying PI.
I have several queries:
1. The WCS was added 11 WLC using different SNMP communities are configured on each of them. At first when trying to add the WLC had PI SNMP communication problems. I performed the test to eliminate any of the WLC added to WCS and add it again with some communities already existing R / W without any problem. At the end, I could not add the WLC so I had to create an SNMP community with the IP of Prime in the WLC so that they can be added. Does anyone know what is the cause of this?
2. I could not add a WLC 5508 IOS 7.3 using this method, even creating an SNMP community and IP mask 0.0.0.0 / 0. No access list or FW in between the WLC These WLC are spread over several countries but i was able to add the other WLC adding a community in each WLC pointing to the IP of Prime. It is similar to this case:
https://supportforums.cisco.com/discussion/12232506/cannot-add-wlc-5508-v761200-prime-infrastructure-21
Thanks for the help.

It turns out that this situation was caused by a bug in 7.6.120.0 (CSCuo73572).
TAC handed me an escalation image (7.6.120.16) that fixed this.
Added the controllers sucessfully on the first try.
Phill

Windows cannot load the user's profile but has logged you on with the default profile for the system.

My Windows 7 crashed a couple days ago after a windows update, I got this message.
Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
I restarted the machine and got this message
Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights.
DETAIL - The process cannot access the file because it is being used by another process. for C:\Users\TEMP\ntuser.dat
I checked the event Log I found these .
Windows cannot load the user's profile but has logged you on with the default profile for the system.
DETAIL - Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.
Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile.
DETAIL - The process cannot access the file because it is being used by another process.
This is the first error in the event viewer after a successful logon
The description for Event ID 34 from source ccSvcHst cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
ccSetMgr
Windows cannot load the user's profile but has logged you on with the default profile for the system.
DETAIL - Access is denied.
Looking at the Logs all I can tell is that after the Desktop Window Manager started if caused this error.
The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.
then this one
The Desktop Window Manager has exited with code (0x40010004)
Then this before it shutdown.
The User Profile Service has stopped.
I started up the PC and the first message I got was
How can I get access to my user profile? do I need to createa new Administrator account? Please help
The EventSystem sub system is suppressing duplicate event log entries for a duration of 86400 seconds. The suppression timeout can be controlled by a REG_DWORD value named SuppressDuplicateDuration under the following registry key: HKLM\Software\Microsoft\EventSystem\EventLog.

hi do the following
1. In Search programs and files (Windows 7) area, type in regedit, and press Enter.
2. If prompted click yes,
3. expand the following HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
4. click the sid that related to your admin profile (if you not sure, click each sid and in turn look to the right hand side of registry editor it will show who that sid is related to one of the registry files should hae in description localhost\admin or
something similair)
5. right click the sid and press delete.
6. restart your machine and log back on with the admin account, this will then rebuild the admin profile... dont worry when it loads and none of your personal settings are saved or files or folders... go to c:\users
in here you will see two folders for the admin account, one will be just admin and the other most likely admin.localhost
i cant remember which one is which but just check both, one will still have all your files and folders in it.
i suggest making a backup of your data before doing this incase something does go wrong, but ive had this happen many times in a domain enviorment and has worked for me everytime.

Deployment of WLC-5508 with 2702i-D have performance issue.

Hi Team,
We have centrally deployed WLC-5508 with 50 AP licence along with HA scenario. we have 3 locations.
1- HQ. have 26 AP with POWINJ5.
2- Branch location A- 8 AP with POWINJ5.
3. Branch location B have 8 AP with POWINJ4.
my exception is to achieve that single SSID with dynamic VLAN from group police (NPS). MY HO have 26 AP and those are working in local mode.
and branches are connected through flexconnect mode. and all are working with different-2 NPS.
Now i am facing a problem with this deployment are following.
1- branch A have performance issue.
2- HQ have performance issue.
3- i don't want to go with dedicated NPS for every location.
In order to achieve this deployment i want only single SSID with primary and secondary NPS at my HQ with dynamic VLAN for respective departmental users vlans..
above is my problem and concern. otherwise i am successfully achieving this solution with dedicated NPS with single group policy. but when i am going forward to achieve my expectation that time i am facing authentication issue at my HQ and sometimes am not able to get proper VLAN IPs. at my HQ.
kindly help me in that to understand where I am doing wrong things to achieve my expectation.
Thanks.
Nalin

I am facing 2 different problems.
1st issue- in existing setup we have throughput issue. (while downloading or uploading any data from the internet or Intranet, that time wireless clients are facing slowness of the Speed. and same time when i am trying from LAN i am not facing any issue)
2nd Issue- I want to achieve only single SSID with primary and secondary NPS (AD group is bind with vlan Attributes) with dynamic VLAN for respective departmental users.
for Issue no 2 i have created SSID to achieve the single ssid parameter for every location. in order to achieve i have change all access points mode local to Flexconnect mode after that i have created AP groups location wise and then create flexconnect Groups where i have mapped all the vlan through AAA VLAN-ACL mapping. created interface group and mapped all the vlans in that group.
for more understanding please go through the below mentioned CLI view.
Cisco Controller) >show wlan apgroups
Total Number of AP Groups........................ 4
Site Name........................................ GURGAON-AP-GROUP
Site Description................................. GURGAON-AP-GROUP
Venue Group Code................................. Unspecified
Venue Type Code.................................. Unspecified
NAS-identifier................................... Fractal-WLC1
Client Traffic QinQ Enable....................... FALSE
DHCPv4 QinQ Enable............................... FALSE
AP Operating Class............................... Not-configured
Capwap Prefer Mode............................... Not-configured
RF Profile
2.4 GHz band..................................... <none>
5 GHz band....................................... <none>
WLAN ID Interface Network Admission Control Radio Pol icy
3 gurgaon-interface Disabled None
--More-- or (q)uit
4 gurgaon-guest Disabled None
*AP3600 with 802.11ac Module will only advertise first 8 WLANs on 5GHz radios.
AP Name Slots AP Model Ethernet MAC Location Port Country Priority
GUR-AP-01 2 AIR-CAP2702I-D-K9 f4:4e:05:78:ae:e4 default location 1 IN 1
GUR-AP-05 2 AIR-CAP2702I-D-K9 f4:4e:05:80:b5:18 default location 1 IN 1
GUR-AP-03 2 AIR-CAP2702I-D-K9 bc:16:65:13:71:00 default location 1 IN 1
GUR-AP-07 2 AIR-CAP2702I-D-K9 f4:4e:05:80:b3:f8 default location 1 IN 1
GUR-AP-06 2 AIR-CAP2702I-D-K9 f4:4e:05:80:b3:e0 default location 1 IN 1
GUR-AP-08 2 AIR-CAP2702I-D-K9 f4:4e:05:45:78:98 default location 1 IN 1
GUR-AP-02 2 AIR-CAP2702I-D-K9 f4:4e:05:80:b3:2c default location 1 IN 1
GUR-AP-04 2 AIR-CAP2702I-D-K9 f4:4e:05:78:ae:64 default location 1 IN 1
GUR-AP-09 2 AIR-CAP2702I-D-K9 f4:4e:05:80:b4:44 default location 1 IN 1
Site Name........................................ MUMBAI-AP-GROUP
Site Description................................. MUMBAI-AP-GROUP
Venue Group Code................................. Unspecified
Venue Type Code.................................. Unspecified
--More-- or (q)uit
NAS-identifier................................... Fractal-WLC1
Client Traffic QinQ Enable....................... FALSE
DHCPv4 QinQ Enable............................... FALSE
AP Operating Class............................... Not-configured
Capwap Prefer Mode............................... Not-configured
RF Profile
2.4 GHz band..................................... <none>
5 GHz band....................................... <none>
WLAN ID Interface Network Admission Control Radio Policy
1 group for mumbai Disabled None
2 guest wifi Disabled None
*AP3600 with 802.11ac Module will only advertise first 8 WLANs on 5GHz radios.
AP Name Slots AP Model Ethernet MAC Location Port Country Priority
FAL-7-AP08 2 AIR-CAP2702I-D-K9 f0:7f:06:8d:24:d8 7th Floor 1 IN 3
--More-- or (q)uit
FAL-7-AP10 2 AIR-CAP2702I-D-K9 f0:7f:06:8d:25:18 7th Floor 1 IN 1
FAL-7-AP14 2 AIR-CAP2702I-D-K9 f0:7f:06:bf:ad:e8 7th Floor 1 IN 1
FAL-7-AP01 2 AIR-CAP2702I-D-K9 f0:7f:06:bf:b0:4c 7th Floor 1 IN 1
FAL-7-AP07 2 AIR-CAP2702I-D-K9 f0:7f:06:30:92:bc 7th Floor 1 IN 1
FAL-7-AP13 2 AIR-CAP2702I-D-K9 f0:7f:06:30:91:80 7th Floor 1 IN 1
FAL-7-AP02 2 AIR-CAP2702I-D-K9 f0:7f:06:30:91:94 7th Floor 1 IN 1
FAL-7-AP05 2 AIR-CAP2702I-D-K9 f0:7f:06:30:91:e8 7th Floor 1 IN 1
FAL-7-AP12 2 AIR-CAP2702I-D-K9 f0:7f:06:8d:25:f0 7th Floor 1 IN 3
FAL-7-AP03 2 AIR-CAP2702I-D-K9 f0:7f:06:8d:25:e4 7th Floor 1 IN 1
FAL-7-AP06 2 AIR-CAP2702I-D-K9 f0:7f:06:30:91:84 7th Floor 1 IN 3
FAL-7-AP04 2 AIR-CAP2702I-D-K9 f0:7f:06:bf:b0:14 7th Floor 1 IN 1
FAL-7-AP09 2 AIR-CAP2702I-D-K9 f0:7f:06:92:b4:c8 7th Floor 1 IN 3
FAL-7-AP11 2 AIR-CAP2702I-D-K9 f0:7f:06:30:93:08 7th Floor 1 IN 1
Site Name........................................ MUMBAI-THIRD-FLOOR-AP
Site Description................................. MUMBAI-THIRD-FLOOR-AP
Venue Group Code................................. Unspecified
Venue Type Code.................................. Unspecified
NAS-identifier................................... Fractal-WLC1
Client Traffic QinQ Enable....................... FALSE
--More-- or (q)uit
DHCPv4 QinQ Enable............................... FALSE
AP Operating Class............................... Not-configured
Capwap Prefer Mode............................... Not-configured
RF Profile
2.4 GHz band..................................... <none>
5 GHz band....................................... <none>
WLAN ID Interface Network Admission Control Radio Policy
1 group for mumbai Disabled None
2 guest wifi Disabled None
*AP3600 with 802.11ac Module will only advertise first 8 WLANs on 5GHz radios.
AP Name Slots AP Model Ethernet MAC Location Port Country Priority
FAL-3-AP07 2 AIR-CAP2702I-D-K9 f0:7f:06:30:91:a4 3rd Floor 1 IN 3
FAL-3-AP09 2 AIR-CAP2702I-D-K9 f0:7f:06:8d:25:94 3rd Floor 1 IN 3
FAL-3-AP11 2 AIR-CAP2702I-D-K9 f4:0f:1b:73:00:74 3rd Floor- Eurek 1 IN 3
FAL-3-AP06 2 AIR-CAP2702I-D-K9 f0:7f:06:bf:ae:d0 3rd Floor 1 IN 3
--More-- or (q)uit
FAL-3-AP10 2 AIR-CAP2702I-D-K9 f0:7f:06:92:b5:88 3rd Floor 1 IN 3
FAL-3-AP08 2 AIR-CAP2702I-D-K9 f0:7f:06:92:b4:9c 3rd Floor 1 IN 3
FAL-3-AP03 2 AIR-CAP2702I-D-K9 f0:7f:06:bf:af:a0 3rd Floor 1 IN 1
FAL-3-AP12 2 AIR-CAP2702I-D-K9 f0:7f:06:92:b3:fc 3rd Floor- Eurek 1 IN 3
FAL-3-AP02 2 AIR-CAP2702I-D-K9 f0:7f:06:8d:25:28 3rd Floor 1 IN 3
FAL-3-AP01 2 AIR-CAP2702I-D-K9 f0:7f:06:92:b4:f4 3rd Floor 1 IN 3
FAL-3-AP04 2 AIR-CAP2702I-D-K9 f0:7f:06:30:92:8c 3rd Floor 1 IN 2
FAL-3-AP05 2 AIR-CAP2702I-D-K9 f0:7f:06:30:91:f4 3rd Floor 1 IN 3
Site Name........................................ RAHEJA-AP-GROUP
Site Description................................. RAHEJA-AP-GROUP
Venue Group Code................................. Unspecified
Venue Type Code.................................. Unspecified
NAS-identifier................................... Fractal-WLC1
Client Traffic QinQ Enable....................... FALSE
DHCPv4 QinQ Enable............................... FALSE
AP Operating Class............................... Not-configured
Capwap Prefer Mode............................... Not-configured
RF Profile
--More-- or (q)uit
2.4 GHz band..................................... <none>
5 GHz band....................................... <none>
WLAN ID Interface Network Admission Control Radio Policy
5 raheja-interface Disabled None
2 raheja-guest Disabled None
*AP3600 with 802.11ac Module will only advertise first 8 WLANs on 5GHz radios.
AP Name Slots AP Model Ethernet MAC Location Port Country Priority
FAL-RAHEJA-AP04 2 AIR-CAP2702I-D-K9 f0:7f:06:8d:24:1c Near Meeting Roo 1 IN 3
FAL-RAHEJA-AP02 2 AIR-CAP2702I-D-K9 f0:7f:06:8d:37:3c Confrennce Room 1 IN 3
FAL-RAHEJA-AP03 2 AIR-CAP2702I-D-K9 f0:7f:06:30:93:48 Near Confrence R 1 IN 3
FAL-RAHEJA-AP05 2 AIR-CAP2702I-D-K9 f0:7f:06:bf:ae:c0 Near Meeting Roo 1 IN 3
FAL-RAHEJA-AP06 2 AIR-CAP2702I-D-K9 f0:7f:06:92:b3:a0 Near Server Room 1 IN 3
FAL-RAHEJA-AP01 2 AIR-CAP2702I-D-K9 f0:7f:06:92:b3:20 Reception Area 1 IN 3
FAL-RAHEJA-AP08 2 AIR-CAP2702I-D-K9 f0:7f:06:8d:25:68 USER BAY ROAD si 1 IN 1
FAL-RAHEJA-AP09 2 AIR-CAP2702I-D-K9 f0:7f:06:92:b4:d4 Training Room 1 IN 1
--More-- or (q)uit
Site Name........................................ default-group
Site Description................................. <none>
NAS-identifier................................... Fractal-WLC1
Client Traffic QinQ Enable....................... FALSE
DHCPv4 QinQ Enable............................... FALSE
AP Operating Class............................... Not-configured
Capwap Prefer Mode............................... Not-configured
RF Profile
2.4 GHz band..................................... <none>
5 GHz band....................................... <none>
WLAN ID Interface Network Admission Control Radio Policy
1 group for mumbai Disabled None
2 guest wifi Disabled None
3 gurgaon-interface Disabled None
4 gurgaon-guest Disabled None
5 raheja-interface Disabled None
6 test Disabled None
Cisco Controller) >show flexconnect group summary
FlexConnect Group Summary: Count: 4
Group Name # Aps
Gurgaon-AP 9
HQ-3RD-FLR-AP-GROUP 12
HQ-7THFLR-AP-GROUP 14
Raheja-AP-Group 8
(Cisco Controller) >show flexconnect group detail Gurgaon-AP
Number of AP's in Group: 9
bc:16:65:13:71:00 GUR-AP-03 Joined Flexconnect
f4:4e:05:45:78:98 GUR-AP-08 Joined Flexconnect
f4:4e:05:78:ae:64 GUR-AP-04 Joined Flexconnect
f4:4e:05:78:ae:e4 GUR-AP-01 Joined Flexconnect
f4:4e:05:80:b3:2c GUR-AP-02 Joined Flexconnect
f4:4e:05:80:b3:e0 GUR-AP-06 Joined Flexconnect
f4:4e:05:80:b3:f8 GUR-AP-07 Joined Flexconnect
f4:4e:05:80:b4:44 GUR-AP-09 Joined Flexconnect
f4:4e:05:80:b5:18 GUR-AP-05 Joined Flexconnect
Efficient AP Image Upgrade ..... Disabled
Master-AP-Mac Master-AP-Name Model Manual
Group Radius Servers Settings:
Type Server Address Port
Primary Unconfigured Unconfigured
Secondary Unconfigured Unconfigured
--More-- or (q)uit
Group Radius AP Settings:
AP RADIUS server............ Disabled
EAP-FAST Auth............... Disabled
LEAP Auth................... Disabled
EAP-TLS Auth................ Disabled
EAP-TLS CERT Download....... Disabled
PEAP Auth................... Disabled
Server Key Auto Generated... No
Server Key.................. <hidden>
Authority ID................ 436973636f0000000000000000000000
Authority Info.............. Cisco A_ID
PAC Timeout................. 0
Multicast on Overridden interface config: Disabled
DHCP Broadcast Overridden interface config: Disabled
Number of User's in Group: 0
Vlan :........................................... 203
Ingress ACL :................................... None
Egress ACL :.................................... None
Vlan :........................................... 205
Ingress ACL :................................... None
Egress ACL :.................................... None
Vlan :........................................... 204
--More-- or (q)uit
Ingress ACL :................................... None
Egress ACL :.................................... None
Vlan :........................................... 206
Ingress ACL :................................... None
Egress ACL :.................................... None
Vlan :........................................... 207
Ingress ACL :................................... None
Egress ACL :.................................... None
Vlan :........................................... 208
Ingress ACL :................................... None
Egress ACL :.................................... None
Vlan :........................................... 209
Ingress ACL :................................... None
Egress ACL :.................................... None
Vlan :........................................... 210
Ingress ACL :................................... None
Egress ACL :.................................... None
Vlan :........................................... 211
Ingress ACL :................................... None
Egress ACL :.................................... None
Vlan :........................................... 212
Ingress ACL :................................... None
Egress ACL :.................................... None
--More-- or (q)uit
Vlan :........................................... 216
Ingress ACL :................................... None
Egress ACL :.................................... None
Vlan :........................................... 217
Ingress ACL :................................... None
Egress ACL :.................................... None
Vlan :........................................... 218
Ingress ACL :................................... None
Egress ACL :.................................... None
Group-Specific FlexConnect Wlan-Vlan Mapping:
WLAN ID Vlan ID
WLAN ID SSID Central-Dhcp Dns-Override Nat-Pat
(Cisco Controller) >
(Cisco Controller) >show wlan summary
Number of WLANs.................................. 6
WLAN ID WLAN Profile Name / SSID Status Interface Name PMIPv6 Mobility
1 FRACTAL-EMP-MUMBAI / FRACTAL Enabled group for mumbai none
2 FRACTAL-GUEST / FRACTAL-GUEST Enabled guest wifi none
3 FRACTAL-EMP-GURGAON / FRACTAL-GURGAON Enabled gurgaon-interface none
4 GURGAON-GUEST / FRACTAL-GUEST-GURGAON Enabled gurgaon-guest none
5 RAHEJA-EMP-WIRELESS / FRACTAL-R Enabled raheja-interface none
6 TEST-SSID / TEST-SSID Enabled test none
hope this will give you proper understanding.

AIR-CAP1602i cannot join a WLC 5508 controller

Hello,
I'm managing a large number of access points on a Cisco wlc 5508 controller.
We've recently purchased a bunch of new AIR-CAP1602I-E-K9.
note that we already have AIR-CAP1602I-E-K9 and other models in production.
These A.P are not able to join the controller for some reason, I've tried a lot of different things but I am now at a loss.
I have checked the regulatory domain, upgraded the FUS, manually upgraded the software version of the LAP to match the version on the other A.P.
I even downgraded/upgraded the WLC code (version 7.4.x and 8.0)
I use the dhcp option 43 to to send the controller IP.
Here are the info that can help:
errors:
#on A.P
*Dec 12 09:24:49.659: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
*Dec 12 09:24:49.659: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
*Dec 12 09:24:49.659: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
#on WLC
Lwapp join request rejected (WLC version 7.6.130.0)
Failed to add database entry (WLC version 8.0)
WLC sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.6.130.0
Bootloader Version............................... 1.0.20
Field Recovery Image Version..................... 7.6.101.1
Firmware Version................................. FPGA 1.7, Env 1.8, USB console 2.2
Build Type....................................... DATA + WPS
System Name...................................... XXX
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
Redundancy Mode.................................. Disabled
IP Address....................................... XXX
Last Reset....................................... Software reset
System Up Time................................... 6 days 4 hrs 16 mins 27 secs
System Timezone Location.........................
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180
Configured Country............................... Multiple Countries:CA,FR
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +41 C
External Temperature............................. +22 C
Fan Status....................................... OK
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 7
Number of Active Clients......................... 1977
Burned-in MAC Address............................ A4:93:4C:B0:E4:C0
Power Supply 1................................... Present, OK
Power Supply 2................................... Present, OK
Maximum number of APs supported.................. 250
AP sh version
AP58f3.9cb8.3701#sh version
Cisco IOS Software, C1600 Software (AP1G2-K9W8-M), Version 15.2(4)JB6, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Fri 22-Aug-14 10:56 by prod_rel_team
ROM: Bootstrap program is C1600 boot loader
BOOTLDR: C1600 Boot Loader (AP1G2-BOOT-M) LoaderVersion 15.2(2)JAX, RELEASE SOFTWARE (fc1)
AP58f3.9cb8.3701 uptime is 31 minutes
System returned to ROM by power-on
System image file is "flash:/ap1g2-k9w8-mx.152-4.JB6/ap1g2-k9w8-mx.152-4.JB6"
Last reload reason:
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
cisco AIR-CAP1602I-E-K9 (PowerPC) processor (revision B0) with 229366K/32768K bytes of memory.
Processor board ID FGL1832X5QU
PowerPC CPU at 533MHz, revision number 0x2151
Last reset from power-on
LWAPP image version 7.6.100.0
1 Gigabit Ethernet interface
2 802.11 Radios
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 58:F3:9C:B8:37:01
Part Number                          : 73-14671-04
PCA Assembly Number                  : 000-00000-00
PCA Revision Number                  :
PCB Serial Number                    : FOC183171L4
Top Assembly Part Number             : 800-38552-01
Top Assembly Serial Number           : FGL1832X5QU
Top Revision Number                  : A0
Product/Model Number                 : AIR-CAP1602I-E-K9
AP sh inventory
NAME: "AP1600", DESCR: "Cisco Aironet 1600 Series (IEEE 802.11n) Access Point"
PID: AIR-CAP1602I-E-K9 , VID: V01, SN: FGL1832X5QU
Thanks for your help !

Hi Olivier,
The error messages that you have on the debugs:
*Dec 12 09:24:49.659: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
*Dec 12 09:24:49.659: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
*Dec 12 09:24:49.659: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
It is related to the bug: CSCuh46442
https://tools.cisco.com/bugsearch/bug/CSCuh46442/?referring_site=ss
This bug is resolved in version : 8.0.100.0
http://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn80.html#pgfId-1163951
Can you please paste here "show ap auth-list" from the controller CLI?
I suggest to enable MIC if it is not enabled, and then check if the AP's will join or not.
Kind Regards
Mohammad Setan

WLC 5508 cannot have similar user logged twice !

Similar Messages

Maybe you are looking for