WLC 5508 (ver 7.2) and ISE 1.1.2

Ciao,
I found this interesting article:
Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
And I'm wondering if the same configuration will work with ISE 1.1.2.
My needs are:
- one SSID
- according to authentication (for guest: user\pwd in ISE database; for employees certificate or user\pwd M$ AD) moved to a VLAN or another
Ciao e grazie!
Luciano

Philip,
My bad, I apologize for the confusion, they put so many numbers on the back
here this might help.
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bcb905.shtml

Similar Messages

  • Upgrade WLC 5508 Ver. 7.0.98.0 to Ver 7.6.110.0

    I will upgrade a WLC 5508 Ver 7.0.98.0 with a 50 AP license to Ver 7.6.110.0. Will it ask to install a license?

    No, it will not ask for it again.
    Just upgrade the software.
    Regards
    Don't forget to rate helpful posts

  • ISE 1.3 not receiving Radius requests from WLC 5508 ver 8.0.110.0

    Hello all. I just implemented ISE 1.3 at a customer site. Added a WLC running 8.0.110.0 using its mgmt address with a RADIUS preshared key. On the WLC, I created two SSIDs, corp and guest.
    For corp I configured WPA2 and AES and forwarded RADIUS requests to my 2 ISE node PSN interfaces.
    For the guest I configured MAC filter with advanced features AAA override and RADIUS NAC, per Cisco's documents.
    The corp forwards Radius requests to ISE, the guest does not. I get nothing from the guest.
    I configured the WLC step by step from the Cisco document. I have completed over 10 ISE implementations in the last year using ISE 1.2 and WLC 7.x and have never run into this issue before.
    Any help will be much appreciated.

    This issue has been resolved. The issue was that for the guest SSID MAC filtering was enabled as required, but they had the test PCs on a mac filter bypass list for that SSID in the WLC. This was automatically authenticating the PC, and therefore not forwarding the RADIUS to ISE.
    Once we removed the PC from the MAC filter list in the WLC, the authentications were forwarded to ISE as desired.

  • LAG WLC 5508 7.0.235 and Nexus 7K 5.2(3a)

    I can't get the WLC to form a LAG. The 5508 has 2 SFPs direct to the Nexus 7k. Enabled LAG and rebooted. The 5508's port 2 just stays Link Down in the WLC.
    hostname n7k-01
    int port-channel 31
    vpc 31
    int eth1/12
    description WLC-5508-Port1
    switchport
    switchport mode trunk
    channel-group 31 mode active
    no shut
    show run int eth1/12
    Ethernet1/12 is up
      Dedicated Interface
      Belongs to Po31
    hostname n7k-02
    int port-channel 31
    vpc 31
    int eth1/7
    description WLC-5508-Port2
    switchport
    switchport mode trunk
    channel-group 31 mode active
    no shut
    show run int eth1/7
    Ethernet 1/7 is down (Link not connected)
      Dedicated Interface
      Belongs to Po31

    Controller cannot establish SXP connection with a Cisco Nexus 7000 Series switch.
    Symptom: An SXP connection from the controller to the Cisco Nexus 7000 Series switch reports the On state on the controller side while the switch reports the Waiting for Response state.
    Conditions: Establishing SXP connection between the controller and ASA.
    Workaround: Add an intermediate device that supports SXPv2 between the controller and the Cisco Nexus 7000 Series switch.

  • WLC 5508 integration with fortigate and Guest Vlan

    Hi
    I have a 5508 Cisco WLC and I want to connect one port of my WLC to a FortiGate (FW) for direct internet.
    The other port on the WLC I will connect to the Cisco core switch for the other SSIDs and for management. Now the question is how to divide the ports on the WLC 5508, and how to point layer 3 traffic if I don't configure the switch port as a trunk.
    Kindly, what will be the best solution?

    sh etherchannel 99 sum
    Flags:  D - down        P - bundled in port-channel
            I - stand-alone s - suspended
            H - Hot-standby (LACP only)
            R - Layer3      S - Layer2
            U - in use      N - not in use, no aggregation
            f - failed to allocate aggregator
            M - not in use, no aggregation due to minimum links not met
            m - not in use, port not aggregated due to minimum links not met
            u - unsuitable for bundling
            d - default port
            w - waiting to be aggregated
    Number of channel-groups in use: 38
    Number of aggregators:           38
    Group  Port-channel  Protocol    Ports
    ------+-------------+-----------+-----------------------------------------------
    99     Po99(SU)         -        Gi2/2/1(P)     Gi2/2/2(P)     Gi2/2/3(D)     
                                     Gi2/2/4(P)     
    Last applied Hash Distribution Algorithm: Fixed
    Gi2/2/3 is down because we had to shut down the interface; when it is up, many APs refuse to register.

  • CWA with WLC Firmware 7.0.228 and ISE 1.1.1

    Hi,
    Is Cisco ISE central web authentication supported on WLC version 7.0.228?
    My customer has many access points which support only firmware code 7.0.228.
    Cisco ISE version 1.1.1
    WLC 5500 Series, but the existing access points cannot support 7.3
    Thanks,
    Pongsatorn Maneesud

    Tarik is correct, you need 7.2.x and later to use CWA with ISE. Here is a general summary of features supported on ISE on 7.0 and 7.2 versions of code:
    Scenarios                 WLC 7.0             WLC 7.2
    802.1X Auth               Yes                 Yes
    802.1X + Posture          Yes                 Yes
    802.1X + Profiling        Yes                 Yes
    Web Auth + Posture        No *                Yes
    Web Auth + Profiling      Inventory only *    Yes
    Central Web Auth (CWA)    No *                Yes
    Local Web Auth (LWA)      Yes                 Yes

  • WLC 5508 Local Authentication- need guidance

    Hi formers'
    I have the combo of WLC 5508 (ver 7.0) and AP1041n, and just want to ask how I can do local authentication.
    The environment doesn't have ACS or directory services (AD or LDAP).
    Requirement:
    Say I have one WLAN named "admin". Whenever a user wants to connect to this SSID, they need to be prompted for username/password.
    The user entries are stored on the WLC.
    I created the user under local net users, and mapped it to the appropriate WLAN.
    On the WLAN, I enabled local EAP and selected the profile that I created.
    PROBLEM STATEMENT:
    The moment I test, it always prompts to input EAP-TTLS domain\username, password (token).
    Question
    a. Is anything wrong with my setting? How does local authentication really work with no ACS and directory services running at the back?
    b. Can you please post any useful document URL or any supportive info? It will be very helpful.
    Thanks
    Noel

    Surendra's document may refer to local authentication with ldap database but you could follow it without doing the LDAP part and the users will be stored in the local net users of the WLC.
    You could also follow the WLC config guide in the "Local eap" chapter.
    The concerning part in your description is that your laptop prompts for EAP-TTLS. That means that you configured your laptop for that method. The WLC is only with PEAP/EAP-FAST.

  • Guest enrollment (self-service) on WLC 5508

    Hi folks,
    My desired setup is to integrate wlc 5508 (guest anchor) into cisco ise or nac server for guest authentication.
    And then, ise or nac will connect to an SMS gateway to deliver credentials to mobile phones.
    But I am looking into something unique where guests that enter into our facility can do self-enrollment. (i.e. guest connects to ssid and redirected to web authentication that asks for user information like name, email, mobile, etc).
    After this process, guest will receive an sms for the credentials.
    Does anyone here know a reliable third-party software for the said enrollment that will work fine with my setup?
    Your responses are highly appreciated.

    Hi Saurav,
    Now it is supported on 1.3
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/upgrade_guide/b_ise_upgrade_guide_13/b_ise_upgrade_guide_13_chapter_0101.html

  • Wireless Guest Access with 802.1X (PEAP/MSCHAPv2) and ISE?

    Hi,
    I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
    The WLCs are running 7.3 and ISE is 1.1.1
    I'm trying to set up wireless guest access, where the guests connect to an SSID with 802.1X using PEAP/MSCHAPv2.
    They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
    The credentials will be created by the sponsor, using the sponsor portal on the ISE.
    Now to the questions:
    Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
    Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
    When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
    As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
    Thank you very much :-)
    Best Regards,
    Niels J. Larsen

  • Wlc 5508 ios upgrade in ha mode

    I have 2 WLC 5508s in HA mode, and want to upgrade IOS from 7.5 to 7.6.
    Current IOS file status on primary and secondary:
    Primary  WLC IOS :  AIR-CT5500-K9-7-5-102-0.aes
    Standby WLC IOS :  AIR-CT5500-LDPE-K9-7-5-102-0.aes
    The HA WLC IOS upgrade procedure is: when we upgrade IOS on the primary WLC, it pushes the image to the standby WLC, and if the earlier IOS version matches, the standby accepts it.
    ISSUE: As the WLC status details above show, both have the same IOS version, but the IOS files are different; they are currently in HA mode and working.
    Now I am trying to upgrade IOS and it does not allow me to upgrade.
    It gives the error below:
    TFTP receive complete... extracting components.
    Checking Version Built.
    Image version check passed.
    Informing the standby to start the transfer download process
    Waiting for the Transfer & Validation result from Standby.
    Standby - Standby receive complete... extracting components.
    Standby - Checking Version Built.
    Standby - Image version check passed.
    Standby - Transfer failure : Upgrade from non LDPE to LDPE software is not allowed.
    Please download AIR-CT5500-K9-x-x-x-x.aes image instead.
    Transfer & Validation on Standby failed.
    Transfer download failed both on Active & Standby, Please retry download
    (Cisco Controller) >
    Please suggest how I can upgrade IOS in HA mode.

    Primary WLC IOS : AIR-CT5500-K9-7-5-102-0.aes
    Standby WLC IOS : AIR-CT5500-LDPE-K9-7-5-102-0.aes
    This won't work, as you'll see from the error message. Your standby WLC has a particular firmware loaded with LDPE enabled. So first, you need to answer whether you need LDPE or not.
    Both firmwares have to match, including LDPE. If you need LDPE, then your primary has to be loaded with LDPE before you can proceed. If you don't need LDPE, then you need to downgrade the secondary to the non-LDPE version before you can proceed.
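
A pre-flight check for the mismatch described in the reply above, as an added example that is not part of the original thread or of Cisco's tooling. It parses the image names quoted in the post and reports every variant conflict before a transfer is attempted; the 7.6 target filename is constructed from the 7.6.110.0 version mentioned on this page, and the rule that the target must be the same variant as both units is an assumption drawn from the error text and the reply.

```python
import re
from dataclasses import dataclass

# Filename pattern taken from the two images quoted in the thread:
#   AIR-CT5500-K9-7-5-102-0.aes  and  AIR-CT5500-LDPE-K9-7-5-102-0.aes
IMAGE_RE = re.compile(
    r"^AIR-CT5500-(?P<ldpe>LDPE-)?K9-(?P<ver>\d+(?:-\d+){3})\.aes$"
)


@dataclass(frozen=True)
class WlcImage:
    filename: str
    ldpe: bool       # True when the name carries the LDPE marker
    version: tuple   # e.g. (7, 5, 102, 0)

    @property
    def variant(self):
        return "LDPE" if self.ldpe else "non-LDPE"

    @property
    def dotted(self):
        return ".".join(str(part) for part in self.version)


def parse_image(filename):
    """Split a 5500-series image name into variant and version."""
    name = filename.strip()
    match = IMAGE_RE.match(name)
    if match is None:
        raise ValueError(f"unrecognised 5500 image name: {filename!r}")
    version = tuple(int(part) for part in match.group("ver").split("-"))
    return WlcImage(name, match.group("ldpe") is not None, version)


def ha_upgrade_problems(primary, standby, target):
    """Return a list of variant conflicts; an empty list means none found."""
    p, s, t = parse_image(primary), parse_image(standby), parse_image(target)
    problems = []
    if p.ldpe != s.ldpe:
        problems.append(
            f"HA pair mismatch: primary runs {p.variant} {p.dotted}, "
            f"standby runs {s.variant} {s.dotted}"
        )
    # Assumed rule (from the quoted error and the reply): a unit rejects an
    # image whose LDPE variant differs from the one it is running.
    for role, unit in (("primary", p), ("standby", s)):
        if unit.ldpe != t.ldpe:
            problems.append(
                f"{role} runs {unit.variant} but target {t.filename} "
                f"is {t.variant}: transfer would be rejected"
            )
    return problems


if __name__ == "__main__":
    findings = ha_upgrade_problems(
        "AIR-CT5500-K9-7-5-102-0.aes",        # primary, from the post
        "AIR-CT5500-LDPE-K9-7-5-102-0.aes",   # standby, from the post
        "AIR-CT5500-K9-7-6-110-0.aes",        # constructed target name
    )
    for line in findings or ["no variant conflicts found"]:
        print(line)
```
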

  • WLC 5508, LAP1262, Security Features Design

    Dears,
    I am planning to get the following hardware:
    AIR-CT5508-50-K9
    5508 Series Controller for up to 50 APs
    AIR-LAP1262N-E-K9
    802.11a/g/n Ctrlr-based AP; Ext Ant; E Reg Domain
    During my design, I am considering the following security features.
    NOTE: I don't have WCS and Mobility Services Engine (MSE).
    Managing Access Points at remote/WAN office.
    wIPS configuration (without WCS and MSE)
    How will Rogue APs be detected and prevented? Can automated prevention be implemented?
    Does wIPS (with WLC 5508) support detecting and preventing Rogue APs?
    Is Proxy Redirection supported on the WLC so that the traffic from wireless clients will automatically be redirected to the proxy (without adding the proxy in the explorers of wireless clients)?
    Unfortunately I don't have a lab to test these features, so please respond.

    Dear Scott,
    Thanks for your detailed response. I still have confusion regarding Point 5. Find the following details:
    Current Design:
    All the Internet traffic (http, https) for wired and wireless users is forwarded to the proxy server (Microsoft ISA/10.1.100.1) for internet access.
    For this purpose, all users have to add the proxy to their explorers.
    New Design/Requirements for Wireless Guest Users:
    For the wireless guest users to get internet, they will have to add the proxy in their explorers.
    I would like to provide them Internet access without adding the proxy in their explorers (not to bother them with configuring their laptops).
    Is it possible for the WLC to automatically redirect the Internet traffic from guest users to the proxy server (10.1.100.1)?

  • WLC 5508- GUI Cert Error

    I tried installing a chained certificate for HTTPS access on the WLC 5508. It failed, and later I came to know it will only accept an unchained cert for management access. But now the problem is I cannot get GUI access. It shows an error like "This server security certificate is revoked".
    What should I do now?

    Amjad,
    Do you mean this link for unchained certs ?
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

  • Need Information of cisco WLC 5508 LAG Interface

    HI
    We have a Cisco WLC 5508 in our network and right now this WLC is connected to two ports of each core switch. Both CORP and GUEST SSIDs are configured on this WLC.
    Now we want to segregate the GUEST traffic from the WLC on the core switches. So my question is, how can we achieve this without using a guest anchor controller?
    Can I use one interface of the Cisco WLC 5508 and connect it to the firewall or any device?
    Thanks
    Puneet

    Hi
    Thanks... I am using the WLC as a DHCP server for Guest.
    So I want to know, is there any requirement that the GUEST subnet should be pingable from the WLC management IP address?
    My topology is here...
    The corp network and management network are reachable; however, the management network is not pingable from the guest network.

  • ISE Profiling for Wireless Devices (WLC 5508) like Laptops and Mobile Devices

    Hi,
    We have integrated a WLC 5508 with Cisco ISE 3315 with IOS 1.1.1 and are using the Guest Sponsor portal for wireless guest users.
    We have created an open SSID on the WLC and redirect to the web login portal on the WLC for guest users. We have enabled all respective nodes in the policy service for profiling and also configured SNMP on the WLC as well as on ISE.
    When a guest user connects to the open SSID, they get redirected to the web login page of the ISE portal, and when they log in we are only able to see the username the guest user logged in with, but not the end device, in the monitoring log.
    Wireless end devices are not getting profiled. Can anyone tell me what configuration I need to do on the ISE or WLC side to profile end guest wireless devices like Android, iPhone and laptops?
    Thanks
    Pranav

    Hi Tarikh,
    I only want to identify the end devices for wireless guest users. I have configured MAB authentication and configured an authorization policy in which I mention identity group any, condition as WLC web authentication, and authorization profile only guest, mentioning plain access for the same.
    Can you help me with how I can achieve profiling for wireless guest devices? I have configured all profiling probes. Enabled SNMP on the WLC as well as on network devices.
    What else do I need to configure to achieve just identifying the device, nothing but profiling, which should be reflected in the authentication logs?
    Thanks
    Pranav

  • ISE 1.2 / WLC 5508 EAP-TLS expired certificate error, but wireless still working

    Hi I have a customer that we've deployed ISE 1.2 and WLC 5508s at.  Customer is using EAP-TLS with and everything appears to setup properly.  Users are able to login to the network and authenticate, however, frequently, I'm getting the following error in ISE authentication logs:
    12516 EAP-TLS failed SSL/TLS handshake because of an expired certificate in the client certificates chain
    OpenSSL messages are:
    SSL alert: code=0x22D=557 : source=local ; type=fatal : message="X509 certificate expired"
    4 727850450.3616:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720
    I'm not sure if this is cosmetic or if this is something that I should be tracking down.  System isn't in full production yet, but every client seems to be working and there is no expired cert in the chain.  Any ideas what to check?

    Hello Dino,
      thanks very much for your reply.
      The client uses a machine-certificate, the PKI is not a microsoft one, but a third party PKI.   The certificate is fresh and valid, the root-cert is installed and checked to be validated against it for the login.
    Clock is correct too. The same setup works flawlessly in Windows 7 and XP.
    EKU is set on the certificate (1.3.6.1.5.5.7.3.2)
    I suspect the cert-setup itself, but don't get a clue where this might stuck...
    Björn


    I am trying to install the trial version of PSE.  I have downloaded both the .7z and .exe files and placed them in the same folder.  When I try to install, I receive a message stating that the archive files are missing and I need to download all part