WLC and AAA - one SSID and more VLANs

Hi,
I have an ACS 4.1, AP1242, WLC4404 and Catalyst 3750, and a Win2003 DHCP server.
Switch Interface Config:
interface Vlan10
ip address 10.70.170.1 255.255.255.0
ip helper-address 192.168.12.10
interface Vlan20
ip address 10.70.171.1 255.255.255.0
ip helper-address 192.168.12.10
At the WLC I have configured one SSID with
- Allow AAA Override
- Layer2 Sec: [WPA1,TKIP+WPA2,AES]
- ACS 4.1 AAA
- Key Management: 802.1x
The SSID is mapped to the management interface, and there are 2 VLANs with different interfaces:
VLAN-ID1: 10
Interface-1:
IP Address 10.70.170.2
Netmask 255.255.255.0
Gateway 10.70.170.1
DHCP: 192.168.12.10
VLAN-ID2: 20
Interface-2:
IP Address 10.70.171.2
Netmask 255.255.255.0
Gateway 10.70.171.1
DHCP: 192.168.12.10
At the ACS I have 2 users and two groups, Group1-User1 and Group2-User2, with the AAA attributes to change the VLAN on login.
[006] Service-Type: Authenticate only
[064] Tunnel-Type: VLAN
[065] Tunnel-Medium-Type: 802
[081] Tunnel-Private-Group-ID: <VLAN-ID-1> or <VLAN-ID-2>
My problem is that the user authenticates successfully, and the VLAN and interface assignment is also correct,
but the IP address that the user gets is always from the IP range of Interface2 (VLAN20). So when USER2 authenticates, he gets VLAN2
and the right interface and the right IP address, and communication works.
But USER1 gets Interface1 and VLAN10, but the IP from Interface2 (VLAN20).
What can it be?
Thx
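The thread above hinges on two checks: whether the Access-Accept carries a consistent IETF 64/65/81 triple the WLC can act on, and whether the address the client finally leases belongs to the subnet of the interface that VLAN maps to. The script below is an added example (not from the post or from Cisco) that encodes the interfaces listed in the question and runs both checks on constructed Access-Accepts and leases; the client addresses and the tagged form of attribute 81 are assumptions.

```python
import ipaddress

# IETF RADIUS attribute numbers and the enumerated values used for dynamic
# VLAN assignment (RFC 2868 tunnel attributes, applied to 802.1X by RFC 3580).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type: VLAN
TUNNEL_MEDIUM_802 = 6        # Tunnel-Medium-Type: 802

# Dynamic interfaces as listed in the post: VLAN ID -> interface settings.
WLC_INTERFACES = {
    10: {"name": "Interface-1", "ip": "10.70.170.2", "mask": "255.255.255.0",
         "gateway": "10.70.170.1", "dhcp": "192.168.12.10"},
    20: {"name": "Interface-2", "ip": "10.70.171.2", "mask": "255.255.255.0",
         "gateway": "10.70.171.1", "dhcp": "192.168.12.10"},
}

def vlan_from_access_accept(attrs):
    """VLAN ID the WLC applies from an Access-Accept (attribute number -> value),
    or None when the 64/65/81 triple is missing, inconsistent, or names a VLAN
    without a dynamic interface. A leading RFC 2868 tag byte on 81 is stripped."""
    if attrs.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802:
        return None
    gid = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if not gid:
        return None
    if ord(gid[0]) < 0x20:                       # optional tag byte (0x00-0x1F)
        gid = gid[1:]
    if not gid.isdigit() or int(gid) not in WLC_INTERFACES:
        return None                              # VLAN has no interface on this WLC
    return int(gid)

def interface_subnet(vlan):
    """IPv4 subnet of the dynamic interface mapped to the VLAN."""
    iface = WLC_INTERFACES[vlan]
    return ipaddress.IPv4Network(f"{iface['ip']}/{iface['mask']}", strict=False)

def lease_matches_interface(vlan, client_ip):
    """True when the leased address lies inside the assigned interface's subnet."""
    return ipaddress.IPv4Address(client_ip) in interface_subnet(vlan)

def diagnose(username, attrs, client_ip):
    """Compare the VLAN from the Access-Accept with the subnet of the lease."""
    vlan = vlan_from_access_accept(attrs)
    if vlan is None:
        return f"{username}: no VLAN override applied"
    if lease_matches_interface(vlan, client_ip):
        return f"{username}: VLAN {vlan} ok, {client_ip} in {interface_subnet(vlan)}"
    # The DHCP server picks its scope from the relay address (giaddr) it sees;
    # a lease from another interface's subnet points at that relay path.
    other = [v for v in WLC_INTERFACES if lease_matches_interface(v, client_ip)]
    return (f"{username}: VLAN {vlan} but {client_ip} is in the VLAN "
            f"{other[0] if other else '?'} scope; check which interface relayed DHCP")

if __name__ == "__main__":
    # Constructed Access-Accepts (Service-Type 8 = Authenticate Only) and leases
    # reproducing the thread's symptom; the client addresses are made up.
    print(diagnose("user1", {6: 8, 64: 13, 65: 6, 81: "10"}, "10.70.171.55"))
    print(diagnose("user2", {6: 8, 64: 13, 65: 6, 81: "\x0020"}, "10.70.171.56"))
```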

FYI - If you're using ACS v4.1, you can also achieve this using the Airespace Attributes, by specifying the WLC interface name in the appropriate section.

Similar Messages

  • One ssid to multiples vlan without hreap, flex connect

    Hi, my name is Ivan.
    I have a question about a wireless solution.
    I have one Cisco WLC 2112 with IOS 7.0.230.0 with a license to support 12 access points. My access points are nine (9) LAP1231AG and one (1) LAP1310.
    I just have one WLAN (SSID). My scenario of deployment is in layer 3. I have one management interface and AP manager in the WLC. All my access points
    have different IP addresses than the WLC. I need to configure a unique SSID to associate my six (6) dynamic interfaces (each dynamic interface with a different VLAN subnet).
    Each WLAN profile (SSID) should have the same security in phase 2 (WPA2/PSK). My Cisco access points don't support HREAP. My WLC supports only (4)
    interfaces in an interface group, and I need six (6) dynamic interfaces.
    Is it possible to configure this scenario?
    I have researched it, and I found this link:
    https://supportforums.cisco.com/thread/2180009
    They mention there that I need HREAP, but my APs don't support it.
    How can I do it?
    Regards

    1° It doesn't matter that my buildings are connected between layer 3 links, having my WLC in a different VLAN/Subnet.
    Correct.  The APs do not have any requirement of being L2 adjacent to the WLC.  If your APs are already joined, they will know how to find the WLC once you move them to their new network.  I would suggest making sure you have High Availability configured specifying the APs' primary WLC.  Regardless, if joined already, the AP "knows" the controller it wants to join.  If you have "new" APs that are installed at a different L3 network, you just want to make sure you have discovery methods for these new APs to find the WLC (option 43, DNS, etc.)
    2° It doesn't matter what interface is associated to the WLAN in the WLAN profile.
    That depends on your design.  "IF" you have "all" your APs placed into respective custom AP groups, then no, it doesn't matter as the group interface assignment will override the WLAN interface assignment.  "IF" you still have APs in the "default group" that are not being placed in a new AP group, then these APs will inherit the WLAN configuration, so the interface should be assigned accordingly.  In some cases, customers may choose to build a dummy/blackhole interface that the WLAN is bound to in the event an AP winds up in the default group.  Just make sure any dummy interfaces you create are non-routable on your network.
    3° It is not necessary to create an interface group.
    No.  An interface group will bundle multiple dynamic interfaces into a single group that can be assigned. For instance, if you bundle all these into a group and then assign, via an AP group, for a WLAN to use the new interface "group", then clients will be placed on the respective dynamic interfaces within that group in a round-robin fashion (or whatever algorithm is in use depending on code release), therefore clients at site A may end up on any of the 6 interfaces.  The interface group is traditionally used when customers are running out of usable space and would like to expand through the use of additional network segments, rather than increasing a subnet size through a mask reduction.

  • Auto loading of username and password is taking place on one site and only one site and I do not want this to happen but can't get it to stop.

    As my question states, I don't want auto loading on any site and it only happens on this one site. I have gone through tools and options and there are no sites listed for auto loading. There are no saved passwords. If I go to the site using Internet Explorer the problem does not occur.

    Ok, no problem, I found these help articles:
    https://support.mozilla.org/en-US/kb/how-clear-firefox-cache
    http://www.youtube.com/watch?v=OukBlXfOP8Y

  • CR 4 Ent, Xcelsius and WebI - one query and two different results

    Dear Sirs,
    I'm using the BO 4.0 platform and 3 tools: Crystal Reports for Enterprise, WebI and Dashboard Design (Xcelsius).
    I have one question, because in my opinion there is one inconsistency in this solution.
    I have one table in SQL Server (like below):
    IDRec (autoinc) | Col1 (varchar) | Col2 (int)
    1 | A | 1
    2 | A | 1
    3 | B | 2
    4 | B | 2
    I have one universe with ONLY 3 dimensions (IDRec, Col1, Col2). I don't have any measures.
    And:
    1. Using CR 4 Ent I create a report using 3 dimensions (IDRec, Col1, Col2).
    I make sure that I selected the option "Retrieve duplicate rows".
    If I have 3 columns in details I have 4 records (4 rows) in my report; when I have 2 columns (Col1, Col2) I have only 2 records (2 rows) in the report (Page view).
    So the universe (or something like this) uses the option DISTINCT (I think).
    2. When I use WebI (14.0.2) I have the same situation.
    3. When I use Dashboard Design (Xcelsius 2011) I have 4 rows !!!  ALWAYS - it doesn't matter whether I selected "Retrieve duplicate rows" or not  !!!
    When I look at the "View script" window, I don't see a DISTINCT clause.
    Am I doing something wrong?
    Can I change the settings so as to be able to see duplicate records?
    It's very important for some calculations, especially in Crystal Reports (for Enterprise).

    Hi,
    Thanks for the response... But the result is deviating from the expected. Expected is:
    first query returns | second query returns
    1 | 4
    2 | 5
    3 | 6
    These two queries' results should be in one table, with the first query result in the first column and the second query result in the second column.
    The two queries fetch data from the same table (category table as in my post) with different search criteria (in the where clause)...
    Regards,
    Rakesh.

  • How to split an image and use one half and the reverse together?

    Dear Forum,
    I would like to take face pictures and split the faces in half. After that, I would like to use the left side of the face and match it to the reverse left side face together(having 2 left sides which will look like a normal face after the 2 sides will be brought together).
    So:
    1. picture of a human face (head)
    2. split the face in half
    3. remove the right side
    4. highlight the left side and make a reverse image
    5. put together the real left side and the reverse left side in one face
    How that is possible with Photoshop?

    Thanks ! Sounds easy. I should have posted the question BEFORE the several hours spent trying to figure it out. I appreciate the time and effort.
    Joe

  • How can I make a tent with two halves of the info ( and pictures one direction and the other half the opposite direction ( towards each other of course)

    How can I make a table tent in PAGES with both halves of the info and pictures turned towards each other?  I can figure out how to turn just the picture upside down  AND the text sideways, but not upside down with the picture included so that it is at the top and not the bottom! 

    Lay out the picture and text (in text boxes) the way you want them in the lower half of the page. Then Select All and Group them. With the Group selected, type Cmnd+D to duplicate it and then hold down the Shift and Command keys and grab a corner box (you'll see a double-headed arrow) and rotate the box until it's upside down. (Holding down the Shift key will constrain the rotation to 45 and 90 degree positions.) Now drag the box into position in the top half of the page.
    Walt

  • HT3702 I changed my card today (twice) and this one works and my iPad said I need to contact you...  What's up?

    See above... I changed it to a card which has money on it and it still says I need to contact the iTunes store... I really want to buy this app!!  bwwaaaa.

    These are user-to-user forums, you can contact iTunes support here : http://www.apple.com/support/itunes/contact/

  • Flex and aaa override

    Hi!
    The current design of the network needs the following:
    All branches must have a single corporate SSID. Users in a branch must be split by functionality into different VLANs.
    The corporate SSID must be switched locally.
    Does FlexConnect with AAA override have the ability to map one SSID to multiple VLANs?
    I can't get confirmation of this from the documentation. All examples explain how to map a single SSID to a single VLAN.
    Thanks for answers!

    Yes, you can use AAA Override to assign the VLAN in FlexConnect Mode.  Below is a link to the Configuration guide.
    http://www.cisco.com/en/US/docs/wireless/controller/7.3/configuration/guide/b_wlc-cg_chapter_01110.html#d174972e3765a1635
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • Multiple SSIDs and NPS

    I have a WLC setup with one SSID (SSID A) using web auth tied back to NPS, with the requirement being that you have to be in the domain users group to authenticate.  It works fine.  I have SSID B set up using EAP-TLS with the requirement of the PC having to be in the domain computers group.  This works, as a new user can log in to the PC without having ever logged into it before.  When I try and take my personal PC and join SSID B I get an error as expected.  But if I take my Android phone and tell it to accept any certificate unspecified, it will be allowed to join, and I think it's because it may be failing against the first match, which may be the domain users requirement, but matching on the domain users group requirement.  It seems that the fall-through is the issue.

    You need to see how devices are passing via NPS. With webauth, it should only allow username and password and EAP-TLS should only allow machine. So when you create your NPS policy, webauth should point to only the OU and EAP-TLS should point to your domain computer OU.
    Move SSID B before the SSID A policy. You can also add a called station id for the EAP-TLS SSID using something like:
    ..-..-..-..-.-..:SSIDB
    The dot is a wildcard for the Mac address.
    Sent from Cisco Technical Support iPhone App
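To illustrate the ordering and Called-Station-Id advice in the reply above, here is an added example (not part of the thread) that models first-match policy evaluation over constructed requests. The WLC's default Called-Station-Id format `<AP MAC>:<SSID>`, web auth arriving as PAP, and the simplified policy conditions are assumptions of this model, not a description of NPS internals.

```python
import re

# Called-Station-Id as the WLC sends it, e.g. "00-11-22-33-44-55:SSIDB".
# NPS evaluates the condition as a regular expression; "." matches any character.
CSID_SSID_A = re.compile(r"^..-..-..-..-..-..:SSIDA$")
CSID_SSID_B = re.compile(r"^..-..-..-..-..-..:SSIDB$")

def matches(policy, req):
    """Simplified condition check (assumption): None means 'not constrained'."""
    if policy["csid"] and not policy["csid"].match(req["csid"]):
        return False
    if policy["auth"] and policy["auth"] != req["auth"]:
        return False
    return policy["group"] in req["groups"]

def first_match(policies, req):
    """Policies are tried top-down; the first whose conditions all hold decides."""
    for policy in policies:
        if matches(policy, req):
            return policy["name"]
    return None                      # no policy matched: access denied

# Before: the SSID A policy is listed first and is not tied to an SSID or method.
POLICY_A_LOOSE = {"name": "A", "csid": None, "auth": None, "group": "Domain Users"}
POLICY_B = {"name": "B", "csid": CSID_SSID_B, "auth": "EAP-TLS",
            "group": "Domain Computers"}
# After: A is scoped to SSID A and web auth (PAP), and B is evaluated first.
POLICY_A_SCOPED = {"name": "A", "csid": CSID_SSID_A, "auth": "PAP",
                   "group": "Domain Users"}

# Constructed requests: a phone on SSID B presenting a user (not machine)
# credential, and a domain-joined laptop on SSID B. MAC address is made up.
PHONE_ON_B = {"csid": "00-11-22-33-44-55:SSIDB", "auth": "EAP-TLS",
              "groups": {"Domain Users"}}
LAPTOP_ON_B = {"csid": "00-11-22-33-44-55:SSIDB", "auth": "EAP-TLS",
               "groups": {"Domain Computers"}}

def before():
    return first_match([POLICY_A_LOOSE, POLICY_B], PHONE_ON_B)   # "A": allowed

def after():
    return (first_match([POLICY_B, POLICY_A_SCOPED], PHONE_ON_B),   # None: denied
            first_match([POLICY_B, POLICY_A_SCOPED], LAPTOP_ON_B))  # "B": allowed
```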

  • Play one song and stops

    I've had iTunes for a while and never had any problems. I listen to iTunes on my desktop at work. Yesterday I cleaned up my library (got rid of songs I did not want); now all of a sudden I play one song and that's it. I have to go back to the library and click on the next song. Any suggestions?
    Dell   Windows XP Pro  

    I figured it out! Each song has to have a check mark in front of it. Somehow when I was editing things the songs were all unchecked. Hold the 'CTRL' key and click one song and all the songs are automatically checked.

  • Cisco av-pairs SSID vs Dynamic Vlan Assignment

    Hello,
    Once upon a time, there was a Cisco av-pairs attribute to allow a Wireless user to a given SSID through Radius servers.
    If I'm not wrong, this feature has not been supported anymore (for several years) on WLC.
    Dynamic VLAN assignment is an alternative way to control user access to a given VLAN. It simplifies the architecture, because only one SSID is needed and the user traffic is then redirected to the right VLAN. But... there is an important issue with it: since only one SSID (and BSSID) is used, broadcast packets from all VLANs are transmitted to everybody. It is an issue when some services use broadcast to announce their features (IPv6 autoconf, Bonjour, and so on...).
    So the question is if a working alternative to SSID av-pairs exists.
    Thanks.     

    To be honest, I have never heard of this SSID av-pair ever working in wireless:)
    You would need at least two SSIDs and the RADIUS server would need the ability to send a CoA to disassociate the device so that the device would join the other SSID. The RADIUS server would also have to push out the wireless profile to the client for the SSID they need to associate to. This can be done using Cisco ISE, but not Microsoft RADIUS or even Cisco ACS.
    You can still use AAA override to place devices on specific VLANs and use the WLC to allow Bonjour or ACLs to filter what you don't want going out of the VLAN.  The WLC has Bonjour capabilities and thus you can specify that on the interface and not on the WLAN.  Of course there are limitations, but with newer requirements there is no one answer.  You might be able to meet certain requirements, but others you will have to sort of figure out.
    -Scott

  • HREAP & Local mode configuration for one SSID

    I'm looking to provide one SSID Corporate access to multiple sites using HREAP. My question is it possible to configure one SSID and switch the traffic locally?
    I have a controller in the main site that provides one SSID for Corporate access (AP's in Local mode) and would like to have the same SSID used at the remote sites, only difference is the break out locally.
    Do I need to configure the HREAP interface on the controller if it is switching locally at the remote site? If so what interface should it be? I thought it would be locally anyway?

    yes, you can do this.
    In the WLAN, select HREAP Local switching.  This does not mean that the WLAN is always locally switched, just that it can be.
    Put the APs that need to be HREAP/FlexConnect in that mode, reboot, then map the WLAN to the appropriate VLAN for that site.
    For the APs that you want to do central switching, just leave them as they are.
    Steve

  • Is it NAS the solution for a PC and MAC common Lightroom and Photoshop files or Paragon software?

    I'm a PC user willing to buy a Mac. Before doing that I need to solve the problem of having to share files stored on external drives formatted in NTFS. I'm a Lightroom and Photoshop user with photo archives of various TB. I have been suggested to make use of PARAGON software or to use a NAS linked to the WiFi router. How would you solve the problem, please?

    Ok.. much more complicated.
    There are several things that add to the background of the story.
    1. That you are trying to back up a USB drive already.. I strongly recommend CCC to do this.. as you cannot set up a separate task in TM to separate the backups. I can understand not wanting to add another USB and it is an older iMac so USB2 only.
    2. Your Express do add complexity.. yes they work better if using the TC..
    Will replacing the ASUS with a TC improve my music streaming through the AE's given that it will all be apple then?
    More than likely although hard to say.
    Is the wireless range of the TC as good as the ASUS in your opinion?
    No, i have both and the Asus is very good.. but with the Express you can do more than you are doing.
    What model Express and what model Asus we need to know to give a straight answer??
    3. I assume that if I simply replace the ASUS with a TC and use same SSID and PW it should be an easy swap since we have many mobile and networked devices in the house?
    I strongly recommend you start over with new names..
    Problems in wireless networks are common.. and part of the problem is trying to make one wireless router pretend to be another .. you don't fool the clients that rely on MAC address, BSSID not SSID. And you don't fool the main router.. which now is lost as to the clients expecting one MAC address and getting another.
    It doesn't take that long.. use a slightly different name but the same password is fine.. I have several wireless routers.. all use the same password but different SSID.

  • Setup 2 x AIR-CAP2702E-Z-K9 - One SSID

    HI,
    Just bought 2 units of AIR-CAP2702E-Z-K9. Now trying to set them up as AP1 and AP2 with a seamless connection. So one SSID.
    Current situation:
    I have 2 units connected (PoE ports, not AUX or CONSOLE) to a gigabit switch and 1 router.
    Discover mode on both devices (LED lights: Green, Red, Off).
    Currently not able to find any AP name of those 2 devices.
    I can use the Mac OS X terminal to SSH but no luck getting the password.
    What do I need to resolve? I contacted the CISCO pre-sales team before purchasing those units about what I need to do for AP1 and AP2 to be one SSID with a seamless connection. They told me to buy two units and it can be done.
    Can anyone help me to set this up? Is there any step-by-step Cisco web site for this?
    Kind Regards,
    Mark

    Slightly confusing I know .. If you want to do ha on a 5508. You purchase a 5508 with the ha sku or you purchase a 5508 with a 50 ap license. When the 5508 has a 50 or more ap license it allows you to turn it into ha mode.
    Think of the 50 ap licenses as a cost of doing ha ..
    Sent from Cisco Technical Support iPhone App

  • Is it possible to do multiple ssids and encryptions on an autonomous AP without vlans?

    I have a customer who just has autonomous APs. They are upgrading from 1210s to 1262s. They are currently running a config that is wide open with no authentication or encryption and using a VPN tunnel on the wireless clients for security. They want to switch to using WPA2/PSK with the new APs. They have existing clients that have to continue to work during the upgrade to the new APs. They run 3 shifts so it is a 24 hr operation with no downtime. What I was thinking would be to configure the 1262 with multiple SSIDs, one with their existing settings and one with the new. Then I could swap the APs one at a time and it would only impact service for a short period of time while I was mounting the new AP. Then once all the new APs are installed I could transition the clients over to the new SSID and encryption, then disable the old SSID once all the clients are switched over. I've done this before with a WLC but not with autonomous APs. The only config examples I can find use VLANs. This customer is not using VLANs. Is there any way to use multiple SSIDs with different encryption on a single radio on an autonomous 1262 without VLANs?
    The site has about 30 APs and 100 clients. Yes, I know a controller would be preferred for a site of this size but that is a question for sales and why they didn't sell them a controller. I just get stuck with what they sell them.
    thanks

    Hi Don,
    I'm afraid on the autonomous platform you cannot map multiple WLANs to a single VLAN.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
