WLC 5508 + NPS MS-CHAP v2 Auth problems

Hi,
I am having a lot of trouble trying to set up a Cisco WLC 5508 to use NPS on Windows Server 2008 as it's authentication.
When a client attempts to connect to the WLAN, the authentication is denied on Windows 7/Vista/XP, however, on Mac/iOS clients, it asks to accept the certificate (this is a public cert, issued by Entrust - however, it is a wildcard cert..), but then it will connect.
So I have two questions:
1/ Why won't the windows clients authenticate? If I set up the WLAN profile on the windows machine, and I deselect "Validate server certificate", then they connect just fine....
2/ Is it possible to make it so the user is not prompted to accept the certificate? Why can't this certificate be validated locally by the client?
Thanks,
Josh

Looks like it might have been an issue with that certificate, I don't know.
Either it didn't like the wildcard, or it didn't like the intermediate/root CA.
I downloaded a Comodo Trial SSL and plugged that in - works like a charm now!

Similar Messages

  • Upgrade WLC 5508 to 7.4.121.0 problem

    After I upgraded WLC 5508 from 7.2.111.3 to 7.4.121.0, all 3602i APs don't associate with the controller.  All APs were working/associating with controller on 7.2.111.3 at same setting.  IP address of APs are setup as DHCP.
    The error message is "AP couldn't get IP address".   
    Any one has this type of problem when you upgrade WLC 5508 from 7.2.111.3 to 7.4.121.0.
    Thanks,

    Hi,
    This doesn't look like software issue.
    You have to check why the APs are not able to get ip address. Try connecting a PC to a swtich port where one of these APs are connected and see if you are able to get IP on PC.
    Also check if the DHCP server is reachable and if there are IP address in the pool assigned for APs.
    HTH,
    Thanks & Regards,
    Ishant
    *** Please rate the post if you find it useful ***

  • WLC 5508 LDAP Windows 2008 Server - auth based on AD groups

    hi NG,
    i'm trying to web-authenticate my Wifi user of an WLC 5508 against LDAP.
    Thereby i'm trying to autenticate all users within a GROUP, not an OU within the MS Active Directory based upon an Windows 2008 Server.
    I can authenticate against a user, witch is beeing put into an OU, according to examples based here: https://www.cisco.com/en/US/products/ps6366/prod_configuration_examples_list.html
    Checking based upon Users within OUs works fine.
    But i have not got all of those users wihin one single OU!
    Need help for following:    LDAP-Auth based on AD Groups:
    Using:
    MS-Domain:                          MY-DOMAIN.CH
    AD-GROUP:                          VPN-USERS
    AD-Structure:
    MY-DOMAIN.CH
    |
    GROUPS
            |
        Administrative Groups
                          |
                     VPN-USERS
                              (-> Member of this Groups (Wireless1, Wirless2, ...)
    Server Adress:               IP.IP.IP.IP
    Port:                                 389
    Enable Server Stats      YES
    Simple Bind                    Authenticated
    Bind Username              LDAP-USER
    Bind Password               supersecret
    Bind Passw. confirm      supersecret
    User Base DN:               ?-1-?
    User Attribute:                ?-2-?
    User Object Type:          Person
    Server Timeout               2
    What happens for instance, if i put a GROUP within a GROUP regarding the LDAP Authentication.
    I guess i have to authenticate against the "upper" GROUP, or do i have to create an entry on the WLC for every GROUP i'm questoning?
    Could some one provide my with an example, since i have not found documentation regarding this topic.
    Thank you.

    Hi,
    User Base DN : this is in case you want to restrict the search area. If you put "dc=mydomain,dc=CH", you will search your whole AD. Depending on the size, it can be slow ...
    Remember that the User Base DN is also used for the admin user.
    In conclusion, User Base DN should be the most restrictive path that leads to both the admins and the users you want to authenticate.
    Example :
    OU=Employees,OU=Humans,DC=Mydomain,DC=CH
    This would prevent to search in machines or any assets. This implies that the admin you bind with is an employee and you are only authenticating employees. You can have any number of OUs under employees, it doesn't matter
    Attribute : This is the object attribute that the WLC uses to compare with the user name. In general, you would go with sAMAccountName in AD. CN would be another common example for LDAP databases.
    If what you are looking for is to restrict access and only authenticate people who belong to a certain group. Then you need a radius server like ACS.
    That server will be able to make selections and check the "memberOf" attribute to make sure it is in a certain group.
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • Cisco WLC 5508 - NPS Radius

    Cisco WLC 5508
    Software Version: 7.4.100.0
    Windows Server 2008R2
    I've got everything setup on the Windows Server 2008 side of things (certificates, radius clients, etc)
    I added the radius server on the WLC, and configured a new WLAN to use it.
    Both are on the same subnet.
    When trying to conect to the WLAN it kept failing.  I installed wireshark on the server to monitor the radius traffic, and to my surprise there was no radius traffic showing up on the server.  The radius statistics on the WLC are at 0 as well, so it's like the WLC isn't even attempting Radius.
    I reverified that the server was enabled on both the security tab and the WLAN itself on the WLC.  Rebooted the controller and the server, all to no avail.  I used a radius test client, and can successfully send radius commands to the server using that utility.
    Frustrated, I just kept trying to reconnect on my wireless device, and after about the 15th try, finally I saw radius activity on wireshark.  It rejected my access, but at least I saw activity.  It also registerd radius statistcs on the WLC as well.
    So now if I keep trying to connect repeatedly, about every dozen or so times the WLC actually will send a radius request to the server.
    What in the world is going on here?

    I do have local management users on the controller.
    Some hours later I added the option of authenticating management users, for the NPS server. Then logged inn to the management GUI using NPS radius, worked just fine.
    However, these commands have been useful to me several times, to make sure unsuccessful requests appear in the Windows Event log:
    auditpol /get /subcategory:"Network Policy Server"
    If it shows ‘No auditing’ or just "Success", you can run this command to enable it:
    auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
    So now I know that the NPS radius server works, for management access. I will go to the customer's site some other day to test it for 802.1x authentication. If not, I'll do some debugging to decide wihich to blame - the WLC or NPS.

  • WLC 5508 - wlan stability problems

    Hi.
    I have a WLC 5508 with half a dozen LAPs (AIR-CAP3502I-E-K9).
    They have been working but sometimes clients detect conectivity problems with the wlan.
    Here is the message log I can obtain from the controller:
    Nov 09 12:16:31.886: [ERROR] pemTimers.c 330: invalid interface name (john_doe) in mscb!!!*dot1xMsgTask: Nov 09 12:16:10.286: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M1 retransmissions exceeded for client 00:26:c6:12:e8:32Previous message occurred 7 times.Nov 09 11:55:24.682: [ERROR] pemTimers.c 330: invalid interface name (john_doe) in mscb!!!*apfReceiveTask: Nov 09 11:51:30.788: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *spamApTask2: Nov 09 11:51:20.144: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 10.23.1.118*dot1xMsgTask: Nov 09 11:50:44.878: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M1 retransmissions exceeded for client e0:ca:94:93:be:67*apfReceiveTask: Nov 09 11:50:40.672: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *apfReceiveTask: Nov 09 11:50:38.625: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *apfReceiveTask: Nov 09 11:50:35.531: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *apfReceiveTask: Nov 09 11:50:31.068: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *apfReceiveTask: Nov 09 11:50:29.257: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *apfReceiveTask: Nov 09 11:50:28.707: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *apfReceiveTask: Nov 09 11:50:24.065: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg
    Can somebody help me to understand these messages?
    1)
    *apfReceiveTask: Nov 09 11:50:24.065: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg
    2)
    Nov 09 11:55:24.682: [ERROR] pemTimers.c 330: invalid interface name (john_doe) in mscb!!!
    3)
    *dot1xMsgTask: Nov 09 11:50:44.878: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M1 retransmissions exceeded for client e0:ca:94:93:be:67
    Thanks

    1)
    *apfReceiveTask: Nov 09 11:50:24.065: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg
    //APs are rebooting. don't panic, check the up time of AP. This message seen when AP rebooted/freshly joined and waiting for wlc to assign channel.
    2)
    Nov 09 11:55:24.682: [ERROR] pemTimers.c 330: invalid interface name (john_doe) in mscb!!!
    //It is cosmetic and can be ignored.
    3)
    *dot1xMsgTask: Nov 09 12:16:10.286: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M1 retransmissions exceeded for client 00:26:c6:12:e8:32
    //Keys M1-M5 used for wireless auth, here client having struggle completing the auth process.
    get output of, WLC>debug client

  • EAP-TLS with WLC 5508, Microsoft NPS and custom EKU OID´s

    We are trying to implement EAP-TLS with client certificates that have a custom EKU OID to distinguish the WLAN clients. The Microsoft Press Book
    Windows Server 2008 PKI and Certificate Security gives an example on how to configure a policy in NPS that matches specific EKU OID´s. At the moment we have two policies that have an allowed-certificate-oid configured that matches the OID´s in our certificates, but our setup is not working as expected. Authentications will only be successful, if the client authenticates with the certificate that is matched by the first policy rule.
    For example:
    Policy 1: allowed-certificate-OID --> corporate
    Policy 2: allowed-certificate-OID --> private
    Client authenticates with EKU corporate --> success
    Client authenticates with EKU private --> reject
    My expectation was, that if Policy 1 will not match the NPS goes over to Policy 2 and tries to authenticate the client.
    Has anyone a simmilar setup or can help to figure out what is going wrong?
    We have a WLC 5508 with Software Version                 7.4.100.0 and a NPS on a Windows Server 2008 R2
    regards
    Fabian

    The policy rejects and the NPS goes to the next policy, only if the user does not belong to the configured group.
    This means I need to have one AD group per application policy, but that will not solve my problem. A user could belong to more than one group, depending on how many devices he/she has. It will work with one group only for each user, because the first policy that matches a AD group, the user belongs to, could have a OID that is not in the certificate. This would cause a recejct with reason code 73:
    The purposes that are configured in the Application Policies extensions, also called Enhanced Key Usage (EKU) extensions, section of the user or computer certificate are not valid or are missing. The user or computer certificate must be configured with the Client Authentication purpose in Application Policies extensions. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2.
    The certificate does include this OID but not the custom EKU.

  • WLC 5508 Web Auth Splash Page: Is it possible to place a download?

    Hi,
    I know it is possible to create custom web auth splash pages on the WLC 5508. Is it also possible to embedd a small document (less than 1MB) that users can download directly from the controller? I need this for providing the terms of use for the Guest WLAN.
    Thanks
    Michael

    It could be done, but you will want to stay within the limits of the WebAuth bundle size (~ <10MB I believe).  This shouldn't be a problem considering a .doc size, but I have to ask the same question.   Why would you want to do this as opposed to just putting your terms of use inline to the page as just text/html?  Maybe there is a good reason, but I can't really think of any scenario.  Feel free to elaborate.

  • WLC 5508 with AD, NPS but without GPO, how?

    Hi,
    I didn't found anything related to what I'm trying to do so I though I would create a new discussion...
    I would like to setup a new WLAN and to be able to connect, a user will have to enter his username/password that will be confirmed using NPS and Active Directory. The problem is, I don't want to use a GPO, I would like to only verify if the user is a member of a AD group, let's say "wlan_access".
    I don't want to install anything ( certificate, GPO, creating a WLAN configuration ) on the user's PC/laptop, only AD validation using NPS as a Radius server.
    If a user is part of that AD group, after he enter his credential he will have access to that WLAN.
    Is it possible to setup that? How should I configured the WLAN in my WLC 5508 ( running 7.2.110.0 )? How should I configure NPS ( Windows 2008 R2 Enterprise )?
    Thanks a lot for your help and answers.
    Guillaume

    Hi guys,
    With the info Stephen Rodriguez gave, it looks like I won't be able to do what we want without doing config on the user's devices ( laptop, ipad, etc.. ).
    @Joseph Vasanth Louis Yes the message is from the event viewer of the NPS server. In the connection request policies, there's not much config, I let the option "Authentication Methods" in the tab Settings uncheck, so it won't override the settings in the Network Policies.
    I though it was possible to have authentication using NPS and Active Directoy without installing anything on the user's devices and still having a secured wireless network ( not like a hotspot ).
    The solution I think is the most workable is with the PEAP or PSK, with a certificate but even that...the user will have to create the WLAN profil on his laptop, so I'm not sure we want to go that way. I'll check for the PSK option, to see if the "Web Authentication" could be done using NPS.
    Thanks guys for all your time and help. I'll continue my tests and keep you posted.

  • Integration between WLC 5508 and Microsoft NPS 2008

    Hi guys,
    Any of you, have working guidance for WLC 5508 and Microsoft NPS 2008 integration?
    I managed to configure Wireless 802.1x feature (PEAP) but it failed. I'm running software ver. 7.0.116.0.
    Is there any bug related 802.1x on this software version?
    thanks in advance.
    BR
    shendy

    Hi Shendy,
    I am not aware about any bug related to this. I think you better check all configuration and make sure it is fine.
    Logs from NPS and WLC (and possibly from the supplicant) may guide you where the problem resides.
    What does the NPS logs tell about the reason of the authentication failure?
    What does the WLC logs say about the failure (check show msglog and show traplog).
    - Make sure the Radius server added correctly with correct IP and correct shared secret on WLC.
    - Make sure that the radius is configured correctly to allow PEAP-MSCHAPv2.
    - Make sure WLC is added successfully to WLC with correct IP address and correct shared secret.
    - Make sure the clients are correctly configured and the server's (NPS) certificate is trusted on the clients.
    HTH
    Amjad

  • WLC 5508 Problem with #DOT1X-3-INVALID_REPLAY_CTR

    Hi all,
    I have WLC 5508 with version 7.4.110.0 and with 13 AccessPoints.So 12 of this AP are  AIR-LAP1142N-E-K9 and 1 is AIR-CAP3602I-E-K9.
    Logs of my WLC are:
    *Dot1x_NW_MsgTask_1: Jan 11 01:15:05.167: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 90:c1:15:c6:c3:49 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
    *Dot1x_NW_MsgTask_4: Jan 11 01:09:41.015: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 5c:0a:5b:c1:16:34 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
    *Dot1x_NW_MsgTask_3: Jan 11 01:03:32.269: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 40:b3:95:13:da:cb - got 00 00 00 00 00 00 00 03, expected 00 00 00 00 00 00 00 04
    *Dot1x_NW_MsgTask_3: Jan 11 01:03:32.266: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 40:b3:95:13:da:cb - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 04
    *Dot1x_NW_MsgTask_0: Jan 11 01:03:31.648: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 24:77:03:67:01:48 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_5: Jan 11 01:03:31.638: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 14:10:9f:da:c1:cd - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_2: Jan 11 01:03:31.638: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client cc:78:5f:29:cc:82 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_4: Jan 11 01:03:31.633: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 08:11:96:55:81:c4 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_0: Jan 11 01:03:31.631: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 84:3a:4b:56:36:50 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_1: Jan 11 01:03:31.630: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 14:10:9f:e2:d4:91 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_0: Jan 11 00:59:52.593: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client a0:88:b4:60:20:f8 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
    *apfRogueTask_3: Jan 11 00:59:32.168: #APF-1-UNABLE_TO_CONTAIN_ROGUE: apf_rogue.c:4414 Unable to contain rogue 40:01:C6:11:F9:F1 - Not enough Container AP(s). Number of Container AP(s) 2, Requested containment level 4
    *apfRogueTask_3: Jan 11 00:58:38.635: #APF-1-UNABLE_TO_CONTAIN_ROGUE: apf_rogue.c:4414 Unable to contain rogue 40:01:C6:11:F9:F1 - Not enough Container AP(s). Number of Container AP(s) 1, Requested containment level 4
    *Dot1x_NW_MsgTask_0: Jan 11 00:50:06.885: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 10:68:3f:46:4e:e8 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
    *Dot1x_NW_MsgTask_0: Jan 11 00:50:06.883: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 10:68:3f:46:4e:e8 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 02
    *dot1xMsgTask: Jan 11 00:49:05.842: #DOT1X-3-PSK_CONFIG_ERR: 1x_ptsm.c:618 Client c8:e0:eb:19:2a:97 may be using an incorrect PSK
    *apfRogueTask_3: Jan 11 00:40:42.576: #APF-1-UNABLE_TO_CONTAIN_ROGUE: apf_rogue.c:4414 Unable to contain rogue 40:01:C6:11:F9:F1 - Not enough Container AP(s). Number of Container AP(s) 3, Requested containment level 4
    *Dot1x_NW_MsgTask_3: Jan 11 00:40:17.471: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client c4:43:8f:f1:8c:8b - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
    *Dot1x_NW_MsgTask_4: Jan 11 00:40:03.368: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client f0:d1:a9:8e:1a:dc - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_1: Jan 11 00:39:30.528: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 14:10:9f:d8:84:09 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
    I already go to this link to check the Description of errors-
    http://www.cisco.com/en/US/docs/wireless/controller/message/guide/msgs4.html#wp1000139
    Appreciate all feedback. Thank you.

    Hi Ruben,
    a) After successful dot1x authentication, session keys are derived from pairwise master key.
    b) When the AP transmits a key to a station by default, it expects a response back within a set timeframe.
    c) If the station does not respond, the AP increments the counter and retransmits the key.
    d) If the AP receives a response to first message just after the retransmission of the key, a mismatch occurs in the counter.
    This in most of the cases will be a client driver problem.
    Solution :
    1) try to increase the EAPOL-Key Timeout ( config advanced eap ).
    2) Upgrade the client driver.
    *****Help out other by using the rating system and marking answered questions as "Answered"*****

  • WLC 5508 HA Problem Soft.ver 7.4.100

    Dear Support,
    we are using two WLC 5508 software ver.7.4.100 with first 50AP license and in the next day we add 50AP license again to the primary WLC. when we activate HA base in the following guiden http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-5/High_Availability_DG.html but when we doing test the failover we found a couple log message on the Secondary WLC like below and not for long time all AP on the Secondary WLC was drop off. 
    1. DP Critical Error
    2. *RRM-DCLNT-2_4: May 23 07:43:53.204: #RRM-3-RRM_LOGMSG: rrmTables.c:682 RRM LOG:  Could not retrieve  RRM Coverage Measurement DataKey BSSID:34:db:fd:dd:3e:20,Key SlotId:0
    *RRM-DCLNT-2_4: May 23 07:43:53.164: #RRM-3-RRM_LOGMSG: rrmTables.c:682 RRM LOG:  Could not retrieve  RRM Coverage Measurement DataKey BSSID:34:db:fd:dd:3e:20,Key SlotId:0
    *RRM-DCLNT-2_4: May 23 07:43:52.854: #RRM-3-RRM_LOGMSG: rrmTables.c:682 RRM LOG:  Could not retrieve  RRM Coverage Measurement DataKey BSSID:2c:36:f8:72:fc:c0,Key SlotId:0
    I also send a complete log for both problem above and enclose it with pdf file. need you advice and assistance,
    regard, afriansyah

    I agree go to version 7.4.121.0 I has some strange issues on prior releases. Personally I am running 7.6.120.0 right now but that's mainly due to support for the 3702 access points.
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-5/High_Availability_DG.html#pgfId-74573
    that's a good guide just to double check yourself just in case. -

  • WLC 5508, DHCP Problem after Update Cisco ASA(DHCP-Server)

    Hello,
    our Problem is, our Apple Devices get no ip adress from our Cisco ASA Cluster(ASA 9.1.2) over Wireless(Cisco WLC 5508). All other devices(Windows, Android,...) work correct, without problems. Our WLC is in HA-Mode.
    Does anybody have an Idea?
    Thank you very much and Best regards,
    Stefan

    Hello again,
    I hope this case is the solution.
    https://supportforums.cisco.com/message/3942112#3942112
    I will let you know after downgrade.
    Best regards,
    Stefan

  • WLC 5508 WPA Authentication Problems

    Hello,
    We have a WLC 5508 with 7.4.100.0 Firmware.
    We are using 1141 and 1142 APs and we are having authentication problems with clients that are connecting to our WLAN with WPA+AES autentication. The clients receive in her laptop a password error, and we receive the following log in wlc:
    Client Excluded: MACAddress:f8:f1:eb:dd:ff:cd Base Radio MAC :08:ad:dd:76:4d:30 Slot: 0 User Name: unknown Ip Address: unknown Reason:802.1x Authentication failed 3 times. ReasonCode: 4
    The strange thing is that the problem is solved restarting the Access-points.
    Anyone had this problem previusly?
    Thanks in advance.

    I made the configuration using the Cisco Recommended settings, the strange thing its that the users connect normally, until they starts with authentication problems. I restart the access points and the problem its solved.
    Cisco Recommended  and not recommended Authentication Settings
    Security encryption settings need to be identical for WPA and WPA2 for TKIP and AES as shown in this image:
    These images provide examples of incompatible settings for TKIP and AES:
    Note: Be aware that security settings permit unsupported features.
    These images provide examples of compatible settings:

  • Problem uploading SSL certificat on a WLC 5508

    Hello,
    I'm trying to upload a SSL-certificate (RSA:2048) on a WLC 5508 via the "Management->HTTP-HTTPS" - Tab and get the following problem :
    *TransferTask: Jul 18 16:36:14.487: %UPDATE-3-CERT_INST_FAIL: updcode.c:1276 Failed to install Webauth certificate. rc = 1
    *TransferTask: Jul 18 16:36:14.487: %SSHPM-3-KEYED_PEM_DECODE_FAILED: sshpmcert.c:4028 Cannot PEM decode private key
    I've generated it using the following commands:
    # openssl pkcs12 -export -in my.crt -inkey my.key -certfile my.ca-bundle -out CA.pfx
    # openssl pkcs12 -in CA.pfx -nodes -out CA.pem
    But it doesn't work...
    Does anyone have an idea?
    Best regards,
    Eric

    Hello Eric,
    I'm facing the same problem, when trying to upload a chained SSL certificate (2048bits) to the wlc version 7.0.116.0
    Did you use an unchained certificate and what size is your cert?
    According to a Cisco document, for controllers version 5.1.151.0 and later, only unchained certificates are supported for the management certificate.
    I'm just wondering, if this limitation still applies to the newer versions.
    Regards,
    Oliver

  • RF Grouping problem WLC 5508

    Hi,
    We have a problem regarding RF Grouping between two WLC 5508.
    The two controllers have the same RF Group name,RF Grouping is enabled,they belong to the same mobility group,their management IP
    address is on the same subnet, they ping each other but they don't elect a Group Leader. Each one
    elects itself as the Group Leader.
    We have tried to place 2 APs,each belonging to different controller, close one to the other but nothing changed.
    Any help would be much appreciated.

    Hi Nicolas,
    Because we have an almost live network, we wouldn't like to go public with our configurations. Is there any other way we can send them to you?
    Thanks in advance,
    Theofilos

Maybe you are looking for