WLC 5508 custom syslog port

We're using a Kibana server that utilizes udp port 1514, instead of the normal port 514. There doesn't appear to be a place to specify a custom port number. Does anyone know of a place to change this? If not, is Cisco going to provide a software fix for this? I can do it on our ASA easily.

Unfortunately you cannot change syslog port in any of the legacy controllers (5508/2504/etc). Here is a post on the same topic
https://supportforums.cisco.com/thread/2239795
If it is NGWC (like 3850,etc) you can do this as it runs on IOS-XE instead of Aironet software image.
HTH
Rasika
**** Pls rate all useful responses ****

Similar Messages

  • Does WLC 5508 Support LDAPS - Port 636

    We have 2 5508 WLC's and @ 35 AirCap Radios.
    We're running latest S/W release 8.0.110.
    We presently use LDAP to authenticate to the wireless.
    We would like to move to LDAPS on port 636.
    Configuration Guide says you can select other port numbers for LDAP but
    only port 389 is supported.
    Is this true?
    I read some old posts that said on releases year ago LDAPS and port 636 was supported.

    Config guide says below & it is default to 389. It does not say only 389 supported.
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_0101110.html
    "If you are adding a new server, enter the LDAP server’s TCP port number in the Port Number text box. The valid range is 1 to 65535, and the default value is 389."
    Anyway give it a try & see
    Rasika

  • WLC 5508 - Error extracting webauth files.

    Hi all,
    I am getting an error during the upload of the customized login page for WLC 5508.
    After the upload is completed I received the error "Error extracting webauth files."
    I tried to create the *.tar file with different programs (winrar, 7zip, gnu tar, etc)
    Does anyone know the solution for this problem?
    Thanks
    Marco

    TQVVM Marco, it helps and issue resolved. I was downloading a folder consists of (login.html+folder CSS) compressed .TAR but failed. Instead of putting in a folder and directly downloaded the compressed .TAR and it was extracted successfully.
    Thanks.

  • WLC 5508 Syslog send to custom port

    We have added Splunk to our monitoring systems and I would like to send my wlc 5508 log messages to it. The Syslog Data Inputs on that server are all TCP and we would like to maintain tcp only if possible. I do need to be on a custom port other than 514. We are on 7.4.100.60 on a HA pair of 5508's. Does anyone have any insight on changing the syslog port number in the WLC config?

    I too am using Splunk for capturing WLC Syslog. With regards to the destination port of the Syslog, I don't know how to change it. However, to get around this I have set up a Splunk Forwarder with Syslog-NG. Basically Syslog-NG listens on any port number/protocol you define and writes logs to a log file named $hostname$.log. This means I could have x different WLCs sending Syslog to Syslog-NG on UDP 514 and Syslog-NG will write the syslog from each host to its individual file.
    From there I've configured Splunk forwarder to monitor each file and forward the logs on to Splunk. You can forward to any port/protocol you wish.
    Also remember to do this
    config logging debug syslog enable
    On the controller.  Otherwise you won't see the messages you expect.
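
The relay workaround described in the reply above (listen on UDP 514, keep one file per sender, forward to any port), sketched in Python as an added example; it is not the poster's Syslog-NG configuration and not Cisco code. The collector address 192.0.2.10, the /var/log/wlc directory, keying files on the source IP instead of the hostname, and the severity cutoff are assumptions made for illustration.

```python
"""Minimal UDP syslog relay: receive on one port, archive per sender, forward to another."""
import ipaddress
import re
import socket
from pathlib import Path

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def decode_pri(datagram):
    """Return (facility, severity) from the leading <PRI>, or None if missing or out of range."""
    match = PRI_RE.match(datagram)
    if match is None:
        return None
    pri = int(match.group(1))
    if pri > 191:  # facility 23, severity 7 is the largest valid value
        return None
    return pri >> 3, pri & 7


def sender_log_path(base_dir, sender_ip):
    """Build the per-sender file name from the packet's source address.

    The hostname inside the message is sender-controlled text, so it is not
    used in a path; ip_address() raises ValueError for anything that is not an IP.
    """
    addr = ipaddress.ip_address(sender_ip)
    return Path(base_dir) / (str(addr).replace(":", "_") + ".log")


def relay(datagram, sender_ip, base_dir, out_sock, dest, max_severity=7):
    """Archive and forward one datagram; return True if it was relayed."""
    decoded = decode_pri(datagram)
    if decoded is None or decoded[1] > max_severity:
        return False  # not syslog, or less severe than the cutoff
    with open(sender_log_path(base_dir, sender_ip), "ab") as log_file:
        log_file.write(datagram.rstrip(b"\r\n") + b"\n")
    out_sock.sendto(datagram, dest)  # forwarded unchanged to the custom port
    return True


def serve(listen=("0.0.0.0", 514), dest=("192.0.2.10", 1514), base_dir="/var/log/wlc"):
    """Listen where the controller sends (UDP 514) and forward to the collector's port.

    Binding to port 514 normally needs elevated privileges; dest and base_dir
    are placeholder values.
    """
    Path(base_dir).mkdir(parents=True, exist_ok=True)
    in_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    in_sock.bind(listen)
    out_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        datagram, (sender_ip, _port) = in_sock.recvfrom(8192)
        relay(datagram, sender_ip, base_dir, out_sock, dest)


# Constructed sample datagram (not captured from a controller): PRI 131 = local0.err
SAMPLE = b"<131>WLC-HA01: *rmgrMain: sample message"

if __name__ == "__main__":
    serve()
```

The source address of a UDP datagram can be spoofed, so the per-sender files separate logs for convenience and should not be read as proof of origin.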

  • EAP-TLS with WLC 5508, Microsoft NPS and custom EKU OID´s

    We are trying to implement EAP-TLS with client certificates that have a custom EKU OID to distinguish the WLAN clients. The Microsoft Press Book Windows Server 2008 PKI and Certificate Security gives an example on how to configure a policy in NPS that matches specific EKU OID´s. At the moment we have two policies that have an allowed-certificate-oid configured that matches the OID´s in our certificates, but our setup is not working as expected. Authentications will only be successful, if the client authenticates with the certificate that is matched by the first policy rule.
    For example:
    Policy 1: allowed-certificate-OID --> corporate
    Policy 2: allowed-certificate-OID --> private
    Client authenticates with EKU corporate --> success
    Client authenticates with EKU private --> reject
    My expectation was, that if Policy 1 will not match the NPS goes over to Policy 2 and tries to authenticate the client.
    Has anyone a similar setup or can help to figure out what is going wrong?
    We have a WLC 5508 with Software Version 7.4.100.0 and a NPS on a Windows Server 2008 R2
    regards
    Fabian

    The policy rejects and the NPS goes to the next policy, only if the user does not belong to the configured group.
    This means I need to have one AD group per application policy, but that will not solve my problem. A user could belong to more than one group, depending on how many devices he/she has. It will work with one group only for each user, because the first policy that matches an AD group the user belongs to could have an OID that is not in the certificate. This would cause a reject with reason code 73:
    The purposes that are configured in the Application Policies extensions, also called Enhanced Key Usage (EKU) extensions, section of the user or computer certificate are not valid or are missing. The user or computer certificate must be configured with the Client Authentication purpose in Application Policies extensions. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2.
    The certificate does include this OID but not the custom EKU.

  • WLC 5508 issue with 4 ports in portchannel

    Hi,
    We have one WLC 5508 and LAG is enabled on it but when we connect 4 cables to a distribution switch only 3 links are sending and receiving traffic and the 4th one is up with outgoing traffic from the distribution switch to WLC but nothing incoming.
    Some APs went down and refuse to be registered back to the WLC. when we shut down the 4th port everything is back to normal.
    the etherchannel config is identical and I can see all ports are active and not suspended :
    interface GigabitEthernet2/2/1
    description PortChannel-WLC1-Port1
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 60-67,2808,2922,2923,2932
     switchport mode trunk
     channel-group 99 mode on
    interface GigabitEthernet2/2/2
    description PortChannel-WLC1-Port2
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 60-67,2808,2922,2923,2932
     switchport mode trunk
     channel-group 99 mode on
    interface GigabitEthernet2/2/3
    description PortChannel-WLC1-Port3
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 60-67,2808,2922,2923,2932
     switchport mode trunk
     channel-group 99 mode on
    interface GigabitEthernet2/2/4
    description PortChannel-WLC1-Port4
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 60-67,2808,2922,2923,2932
     switchport mode trunk
     channel-group 99 mode on

    sh etherchannel 99 sum
    Flags:  D - down        P - bundled in port-channel
            I - stand-alone s - suspended
            H - Hot-standby (LACP only)
            R - Layer3      S - Layer2
            U - in use      N - not in use, no aggregation
            f - failed to allocate aggregator
            M - not in use, no aggregation due to minimum links not met
            m - not in use, port not aggregated due to minimum links not met
            u - unsuitable for bundling
            d - default port
            w - waiting to be aggregated
    Number of channel-groups in use: 38
    Number of aggregators:           38
    Group  Port-channel  Protocol    Ports
    ------+-------------+-----------+-----------------------------------------------
    99     Po99(SU)         -        Gi2/2/1(P)     Gi2/2/2(P)     Gi2/2/3(D)     
                                     Gi2/2/4(P)     
    Last applied Hash Distribution Algorithm: Fixed
    Gi2/2/3 is down because we had to shut down the interface because when it is up many APs refuse to register.

  • Port channel WLC 5508 and 3750

    Hi All,
    I want to configure Port channel for WLC 5508 and cisco 3750 Stack Switch. What changes I need to make on WLC and where?
    Thanks
    Jagdev

    Thanks Chris,
    LAG is enabled on WLC, and Port channel is configured on 3750. Please see the configuration and Port channel status below:
    (Cisco Controller) >show lag summary
    LAG Enabled
    interface Port-channel14
    description Port Channel to WLC001
    switchport trunk encapsulation dot1q
    switchport mode trunk
    end
    sh etherchannel 14 summary
    Flags:  D - down        P - bundled in port-channel
            I - stand-alone s - suspended
            H - Hot-standby (LACP only)
            R - Layer3      S - Layer2
            U - in use      f - failed to allocate aggregator
            M - not in use, minimum links not met
            u - unsuitable for bundling
            w - waiting to be aggregated
            d - default port
    Number of channel-groups in use: 14
    Number of aggregators:           14
    Group  Port-channel  Protocol    Ports
    ------+-------------+-----------+-----------------------------------------------
    14     Po14(SD)        LACP      Gi1/0/22(I) Gi2/0/22(I)
    sh run int g1/0/22
    Building configuration...
    Current configuration : 209 bytes
    interface GigabitEthernet1/0/22
    description Trunk to WLC001 DistPort1
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 254
    switchport mode trunk
    channel-group 14 mode active
    end
    sh run int g2/0/22
    Building configuration...
    Current configuration : 209 bytes
    interface GigabitEthernet2/0/22
    description Trunk to WLC001 DistPort2
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 254
    switchport mode trunk
    channel-group 14 mode active
    end

  • Wlc 5508 get error when use port-channel

    We have two wlc in the system 5508 and 4402.
    we config HA for 2 wlc, both wlc enable LAG
    When I connect 2 interfaces of the 5508 to 2 interfaces (in a port channel mode on, trunk, dot1q) of a
    couple of VSS switches, I can't manage the 5508 through the web any more, but I still can with the 4402.
    If I shut down 1 port in the port-channel, it works well.
    Do you know what is happening?
    Thanks
    Duyen

    hi Scott,
    We have VSS (2 x 6509) trunked with (2 switch 4506). One port of the wlc4402 connects to one port of one 4506 switch.
    2 ports of the wlc 5508 connect to the 6509s, each port connecting to one 6509 switch.
    the config in VSS switch like this:
    interface gig1/1/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 500 mode on
    interface gig2/1/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 500 mode on
    etherchannel load-balancer src-dst-ip
    (I don't see this command in running config)

  • WLC-5508 logging to syslog

    It appears that there are two different types of log information generated by the WLC-5508.  The stuff that can be sent directly to syslog seems to be very basic while most of the good log information is sent via snmp trap.  Does anyone have this setup to log to a SIEM in a manner that gives a good security view into the wireless controller?

    Mike,
    Have you tried to change the logging level on the wlc? There are multiple levels of logging that can be set on the wlc. On the wlc GUI, you can check the current logging level by navigating to this page - Management > Logs > Config > Syslog Server. Under the "Syslog Server", you can change the level of logging. 
    If you set a logging level, only those messages whose severity is equal to or less than that level are logged by the controller. Note that setting a higher logging level on the wlc might result in more logs sent to the syslog server.
    Regards,
    Nagendra

  • WLC 5508 : session disconnected when one lag-port is down.

    Hello,
    I have a WLC 5508 ( version 6.0.182).
    When the port1 and port2 are connected ( The switch is configured with a etherchannel in forced mode) everything works fine: There is traffic on the 2 ports.
    When I disconnect one of the 2 ports, I can still ping outside with my PC client, but all my tcp sessions go down and I cannot even restart my session. The only way I found is to do a "Disconnect / Reconnect" on my PC wireless connection.
    Do you know this problem?
    Is there a way to avoid it?
    Michel Misonne

    CSCth12513 LAG fail-over does not work on CT5508
    This bug is fixed in the special release available through TAC : 6.0.199.157 and 7.0.xxxx
    Hope this helps.
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • Change WLC 5508 port speed

    I connect a copper SFP on port 2 of WLC 5508 to an ASA 5510 firewall. The links between two devices are down. Since ASA 5510 only supports 100 full, how do I change port speed on port 2 to 100?
    Thanks

    Does this mean, I couldn't change port speed on the WLC?
    Yes you can.  You can change the speed setting to GIGABIT, nothing less. 
    Why do I need to buy another Gigabit switch for 2 connection?
    What do you mean by "another"????   Do you have an existing GigabitEthernet switch that you can connect the WLC into?
    You need a GigabitEthernet port to connect the WLC's GigabitEthernet port.  And then you can have a FastEthernet port to connect the SAME SWITCH to your ASA.
    WLC --- (1000BaseTx) --- Switch --- (10/100BaseTx) --- ASA
    Does this make sense to you?

  • WLC 5508 Distribution Ports

    Dear Community,
    I have a small Q that should we configure any of distribution port of WLC 5508 with speed 10/100 to connect it with cisco's 3750 on fastethernet port.
    By default WLC ports are gig ports so is there any command or option to configure the port by decreasing its speed in WLC.
    OR
    could we connect them in the same status like wlc gig port with switch 3750 fastethernet port and there will not any speed mismatch and it will work fine. Honestly on my behalf it will not work like this.
    please advise what is the best practice to do that.

    i have a small Q that should we configure any of distribution port of WLC 5508 with speed 10/100 to connect it with cisco's 3750 on fastethernet port.
    Won't work because the 5508 will negotiate to 1Gb only.

  • Possible to setup something likes "protected port" on WLC 5508

    Hello,
    Let's say I have 3 APs, all connected to a WLC 5508
    Each AP has a computer that is connected to it, Computer A, B and C, all on the same Vlan with same SSID
    Is it possible to configure so
    A and B can not talk to each other but both can talk to C  ?
    Something like "protected port" feature in the switch world.
    Thanks

    I'm looking for a solution for a WiFi network for our guests, where they don't need to talk to each other, and all need to talk to a wire internet gateway/router only.
    If you want to block guest SSID users from talking to each other then it's possible.  As Scott has pointed out, it's called "P2P Blocking Action".
    I do NOT recommend having guest and corporate share the same SSID.  I don't think it's best practice.

  • WLC 5508 - What is the use of service port.

    Hi,
    I am finding it hard to understand the use of the service port in wlc 5508,
    Even after reading so many posts and cisco notes I am not understanding the use of (even basic use) service port.
    As I understand service port should be access port and should be in different vlan.
    Please help me to understand it in simple way....

    Hi Tarun,
    Like others mentioned it is used for Out of Band Management of a WLC. Many do not use this as it could lead to issues unless you properly configure it & put it onto two completely different supernets. Config guides highlighted those restrictions & below is one of them listed in 7.4 config guide
    Do not configure wired clients in the same VLAN or subnet of the service port of the controller on the network. If you configure wired clients on the same subnet or VLAN as the service port, it is not possible to access the management interface of the controller.
    In situations you can use it to get access by directly connecting a laptop to take configuration backup or restore configuration to a controller. In the below post I have used service port to take backup & restore the configuration to a WLC.
    http://mrncciew.com/2013/01/25/backup-restore-wlc-configs/
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • WLC 5508 in HA pair (7.4.121.0) sudden reload

    I have a pair of WLC 5508 in HA pair running version 7.4.121.0, last week I had two sudden reloads on my active WLC. Here's the error from my syslog server on the first sudden reload. The second reload has almost the same logs.
    10.x.x.234 - active
    10.x.x.237 - standby
    2014-01-30 17:52:20 Local0.Error 10.x.x.237 WLC-HA01: *rmgrMain: Jan 30 17:52:24.498: #RMGR-3-RED_HEARTBEAT_TMOUT: rmgr_main.c:242 rmgrTmoHeartbeat: Recved GW ping count 6 phyMgr ping count 0.
    2014-01-30 17:52:20 Local0.Emerg 10.x.x.237 WLC-HA01: *rmgrMain: Jan 30 17:52:24.555: #RMGR-0-RED_HA_RELOAD: rmgr_utils.c:198 System reboot: reason: category Sanity check object Self
    2014-01-30 17:52:21 Local0.Emerg 10.x.x.234 WLC-HA01: *rmgrMain: Jan 30 17:52:24.989: #RMGR-0-RED_HA_RELOAD: rmgr_utils.c:188 System reboot: reason: category Peer reload req object Peer
    2014-01-30 17:52:21 Local0.Alert 10.x.x.234 WLC-HA01: *dtlArpTask: Jan 30 17:52:25.106: #DTL-1-IP_CONFLICT_DETECTED: dtl_net.c:4857 Network device with mac addr 7c:ad:74:8d:6b:0f using IP address of local interface
    Cisco TAC recommends to disable monitoring the default gateway.
    --> config redundancy management-gateway-failover disable
    I was wondering if someone has the issue with what I have.
    Second issue I have is when it fails over to the standby WLC, I do get a web-auth certificate error from the WLC when clients login. This only happens after a sudden reload. If I do a redundancy force-switchover during maintenance window, the certificate error doesn't show up. To fix the certificate error I have to bounce both WLCs one after the other.
    Thanks in advance.

    Hi,
    I experienced a reload problem in standby WLC, with HA in release 7.6.100.0.
    I use a dedicated VLAN to transport the redundancy sync and info, 'cause the two WLCs are in different buildings.
    The standby WLC reloads continuously 'cause it doesn't find the default gateway.
    (Cisco Controller-Standby) >show redundancy summary
                Redundancy Mode = SSO ENABLED
                    Local State = STANDBY HOT
                     Peer State = ACTIVE
                           Unit = Secondary - HA SKU (Inherited AP License Count = 500)
                        Unit ID = 00:06:F6:DB:E3:E0
               Redundancy State = SSO (Both AP and Client SSO)
                   Mobility MAC = 58:8D:09:CD:81:C0
    Management Gateway Failover = ENABLED (Management GW failover would be operational in few moments)
    Average Redundancy Peer Reachability Latency = 621 usecs
    Average Management Gateway Reachability Latency = 0 usecs
    Redundancy Management IP Address................. 40.231.36.6
    Peer Redundancy Management IP Address............ 40.231.36.5
    Redundancy Port IP Address....................... 169.254.36.6
    Peer Redundancy Port IP Address.................. 169.254.36.5
    Rebooting as default GW is not reachable from Standby Controller
    Restarting system. Reason: Default Gateway is not reachable ..
    The problem is that the WLC tries to ping the DGW using the primary IP management address belonging to the active WLC, so we have duplicated IP problem, ARP problem and so on .....
    The standby WLC should use the redundancy management address to ping the default gateway, instead of the primary IP management address!!!!!!
    So the workaround is the CLI command :
    config redundancy management-gateway-failover disable
    on the primary WLC, via console or in SSH.
    When the standby will reload it will inherit the config from the active primary WLC
    (Cisco Controller-Standby) >show redundancy summary   
                Redundancy Mode = SSO ENABLED
                    Local State = STANDBY HOT
                     Peer State = ACTIVE
                           Unit = Secondary - HA SKU (Inherited AP License Count = 500)
                        Unit ID = 00:06:F6:DB:E3:E0
               Redundancy State = SSO (Both AP and Client SSO)
                   Mobility MAC = 58:8D:09:CD:81:C0
    Management Gateway Failover = ENABLED (Management GW failover is disabled as it is DISABLED on the Peer)
    Average Redundancy Peer Reachability Latency = 666 usecs
    Average Management Gateway Reachability Latency = 0 usecs
    Redundancy Management IP Address................. 40.231.36.6
    Peer Redundancy Management IP Address............ 40.231.36.5
    Redundancy Port IP Address....................... 169.254.36.6
    Peer Redundancy Port IP Address.................. 169.254.36.5
    The workaround works in my experience.
