WLC s/w v4.1 and TACACS unreachable

In the Cisco WLC_Config Guide_Web & CLI_Release 4.1 it says:
"If the TACACS+ authorization server becomes unreachable or unable to authorize, users are unable to log into the controller."
Does this mean it does not support a fail-safe password like IOS does where the Enable password can be used to get into a router if TACACS+ is unreachable?

Hi Mark,
No, the local database is always queried first.
Please read Chapter 5 and the section on configuring TACACS:
"You can specify the order of authentication when multiple databases are configured, click Security > Priority Order > Management User. The Priority Order > Management User page will appear."
It goes on further to explain:
"For Authentication Priority, choose either Radius or TACACS+ to specify which server has priority over the other when the controller attempts to authenticate management users. By default, the local database is always queried first. If the username is not found, the controller switches to the TACACS+ server if configured for TACACS+ or to the RADIUS server if configured for Radius. The default setting is local and then Radius."
Hope this helps.
Paul
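As an added illustration (not from the configuration guide or from either post), the model below encodes the order Paul describes: the local database is queried first, and only a username that is not found locally is sent to the server selected under Priority Order > Management User, with the guide's rule that an unreachable TACACS+ server means accounts that exist only there cannot log in. The server, usernames and passwords are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class AAAServer:
    """An external management-user database (TACACS+ or RADIUS). Constructed
    for this example; reachability is a flag so both outcomes can be shown."""
    name: str
    users: Dict[str, str]          # username -> password (sample data only)
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> Optional[bool]:
        # None means "no answer": the server is unreachable or cannot authorize.
        if not self.reachable:
            return None
        return self.users.get(user) == password


@dataclass
class ControllerAuth:
    """Management-user login as the 4.1 guide describes it: the local database
    is always queried first; only a username that is not found locally is
    forwarded to the server configured under Priority Order > Management User."""
    local_users: Dict[str, str]
    server: Optional[AAAServer] = None

    def login(self, user: str, password: str) -> Tuple[str, bool]:
        # Step 1: local database first. This model follows the guide's wording
        # literally: a username that exists locally is decided locally, so a
        # wrong password for a local account is not retried against the server.
        if user in self.local_users:
            return ("local", self.local_users[user] == password)
        # Step 2: username not found locally -> external server, if configured.
        if self.server is None:
            return ("local", False)
        verdict = self.server.authenticate(user, password)
        if verdict is None:
            # Guide: server unreachable or unable to authorize -> no login.
            return (self.server.name, False)
        return (self.server.name, verdict)


def fail_safe_check(ctrl: ControllerAuth, user: str, password: str) -> dict:
    """Report whether an account still works when the AAA server is gone.
    A pre-change check before pointing management auth at a TACACS+ server:
    at least one local account should survive the server becoming unreachable."""
    if ctrl.server is None:
        ok = ctrl.login(user, password)[1]
        return {"with_server": ok, "server_down": ok}
    saved = ctrl.server.reachable
    ctrl.server.reachable = True
    with_server = ctrl.login(user, password)[1]
    ctrl.server.reachable = False
    server_down = ctrl.login(user, password)[1]
    ctrl.server.reachable = saved
    return {"with_server": with_server, "server_down": server_down}


def build_example() -> ControllerAuth:
    # Constructed sample data: one local admin and one TACACS+-only operator.
    tacacs = AAAServer("TACACS+", {"netops": "tac-only-pw"})
    return ControllerAuth(local_users={"admin": "local-pw"}, server=tacacs)


if __name__ == "__main__":
    ctrl = build_example()
    for account, pw in (("admin", "local-pw"), ("netops", "tac-only-pw")):
        print(account, fail_safe_check(ctrl, account, pw))
```

Because the local account is consulted before the server, its password strength matters as much as the TACACS+ policy: it is the account that remains usable when the server is down.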

Similar Messages

  • Updated WLC has strange error log and AP's not joining

    Hi, we recently updated all of our WLCs to 7.098 and it all went smoothly; controllers rebooted and APs updated their firmware and rebooted OK.
    One WLC (4402) which was working fine since the update now has no APs associated. The APs were all configured to run in HREAP mode and are on remote sites within our WAN. I have checked that all policies and ports are still open (none have changed anyway) but the APs cannot join with the controller.
    The log from an AP trying to join with the WLC.
    *Mar  1 00:15:24.966: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
    *Mar  1 00:15:34.991: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Jan 12 02:17:56.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.96.4.17 peer_port: 5246
    *Jan 12 02:17:56.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *Jan 12 02:18:17.447: %CDP_PD-2-POWER_LOW: All radios disabled - NON_CISCO-NO_CDP_RECEIVED  (0000.0000.0000)
    *Jan 12 02:18:25.999: DTLS_CLIENT_ERROR: ../dtls/dtls_connection_db.c:2013 Max retransmission count reached!
    *Jan 12 02:18:25.999: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for 10.96.4.17 is reached.
    *Jan 12 02:18:56.000: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 10.96.4.17:5246
    *Jan 12 02:18:56.000: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Jan 12 02:18:56.001: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Jan 12 02:19:06.006: %CAPWAP-3-ERRORLOG: Go join a lwapp controller
    *Jan 12 02:19:06.006: %LWAPP-3-CLIENTERRORLOG: Set Transport AddressCalled
    *Jan 12 02:19:06.014: %LWAPP-5-CHANGED: CAPWAP changed state to JOIN
    *Jan 12 02:19:11.013: %LWAPP-3-CLIENTERRORLOG: Join Timer: did not recieve join response (controller - ceo-wlc-01)
    The logs on WLC show as below.
    *emWeb: Jan 12 13:14:13.629: %AAA-5-AAA_AUTH_ADMIN_USER: aaa.c:1289 Authentication succeeded for admin user 'adann'
    *spamReceiveTask: Jan 12 13:14:12.919: %LWAPP-6-CAPWAP_SUPP_VER: spam_lrad.c:1440 Discarding discovery request in LWAPP from AP 00:21:a0:81:a4:10 supporting CAPWAP
    *spamReceiveTask: Jan 12 13:14:11.543: %LWAPP-6-CAPWAP_SUPP_VER: spam_lrad.c:1440 Discarding discovery request in LWAPP from AP 00:21:a0:81:8f:a0 supporting CAPWAP
    *spamReceiveTask: Jan 12 13:14:11.395: %LWAPP-6-CAPWAP_SUPP_VER: spam_lrad.c:1440 Discarding discovery request in LWAPP from AP 00:24:14:ff:f1:70 supporting CAPWAP
    *emWeb: Jan 12 13:14:10.731: %AAA-5-AAA_AUTH_ADMIN_USER: aaa.c:1289 Authentication succeeded for admin user 'adann'[...It occurred 2 times/sec!.]
    *emWeb: Jan 12 13:14:09.459: %AAA-5-AAA_AUTH_ADMIN_USER: aaa.c:1289 Authentication succeeded for admin user 'adann'
    *spamReceiveTask: Jan 12 13:14:09.457: %LWAPP-6-CAPWAP_SUPP_VER: spam_lrad.c:1440 Discarding discovery request in LWAPP from AP 00:24:14:ff:ec:00 supporting CAPWAP
    Any suggestions would be appreciated!
    Tony

    Strange. Something must have happened that you didn't notice.
    From the logs, it looks like only LWAPP requests are arriving at the WLC. And the WLC discards them because it knows the AP can also do CAPWAP, so it's waiting for the CAPWAP join packet.
    As next step, I'd take a look at network traffic. Mostly close to the WLC where we want to know if we are receiving capwap discovery/join from the AP or not.
    Nicolas
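As an added triage helper (not part of Tony's or Nicolas's posts), the script below reads excerpts of the two logs quoted above, copied from the post, and reports the pattern Nicolas points at: the DTLS handshake to the controller never completes, the AP falls back to LWAPP, and the controller discards those LWAPP discoveries because the AP advertises CAPWAP support. The regular expressions are written against the message formats shown in the post.

```python
import re
from collections import Counter
from typing import Dict, List

# Excerpts of the AP-side and WLC-side logs quoted in the post above.
AP_LOG = """\
*Jan 12 02:17:56.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.96.4.17 peer_port: 5246
*Jan 12 02:18:25.999: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for 10.96.4.17 is reached.
*Jan 12 02:18:56.000: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Jan 12 02:19:06.006: %CAPWAP-3-ERRORLOG: Go join a lwapp controller
*Jan 12 02:19:11.013: %LWAPP-3-CLIENTERRORLOG: Join Timer: did not recieve join response (controller - ceo-wlc-01)
"""

WLC_LOG = """\
*spamReceiveTask: Jan 12 13:14:12.919: %LWAPP-6-CAPWAP_SUPP_VER: spam_lrad.c:1440 Discarding discovery request in LWAPP from AP 00:21:a0:81:a4:10 supporting CAPWAP
*spamReceiveTask: Jan 12 13:14:11.543: %LWAPP-6-CAPWAP_SUPP_VER: spam_lrad.c:1440 Discarding discovery request in LWAPP from AP 00:21:a0:81:8f:a0 supporting CAPWAP
*spamReceiveTask: Jan 12 13:14:11.395: %LWAPP-6-CAPWAP_SUPP_VER: spam_lrad.c:1440 Discarding discovery request in LWAPP from AP 00:24:14:ff:f1:70 supporting CAPWAP
*spamReceiveTask: Jan 12 13:14:09.457: %LWAPP-6-CAPWAP_SUPP_VER: spam_lrad.c:1440 Discarding discovery request in LWAPP from AP 00:24:14:ff:ec:00 supporting CAPWAP
"""

DTLS_REQ = re.compile(r"%CAPWAP-5-DTLSREQSEND: .*peer_ip: (\S+) peer_port: (\d+)")
DTLS_FAIL = re.compile(r"%DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for (\S+) is reached")
LWAPP_FALLBACK = re.compile(r"%CAPWAP-3-ERRORLOG: Go join a lwapp controller")
JOIN_TIMEOUT = re.compile(r"%LWAPP-3-CLIENTERRORLOG: Join Timer: did not recieve join response")
WLC_DISCARD = re.compile(
    r"%LWAPP-6-CAPWAP_SUPP_VER: .*from AP ([0-9a-f]{2}(?::[0-9a-f]{2}){5}) supporting CAPWAP")


def analyze_ap_log(text: str) -> Dict[str, object]:
    """Extract the DTLS peer the AP tried, whether the handshake timed out,
    and whether the AP then fell back to LWAPP discovery."""
    result: Dict[str, object] = {"dtls_peer": None, "dtls_failed": set(),
                                 "lwapp_fallback": False, "join_timeout": False}
    for line in text.splitlines():
        if m := DTLS_REQ.search(line):
            result["dtls_peer"] = (m.group(1), int(m.group(2)))
        elif m := DTLS_FAIL.search(line):
            result["dtls_failed"].add(m.group(1))
        elif LWAPP_FALLBACK.search(line):
            result["lwapp_fallback"] = True
        elif JOIN_TIMEOUT.search(line):
            result["join_timeout"] = True
    return result


def analyze_wlc_log(text: str) -> Counter:
    """Count LWAPP discovery requests the controller discarded, per AP MAC."""
    discarded: Counter = Counter()
    for line in text.splitlines():
        if m := WLC_DISCARD.search(line):
            discarded[m.group(1)] += 1
    return discarded


def triage(ap_text: str, wlc_text: str) -> List[str]:
    """Combine both sides into findings an operator can act on."""
    ap = analyze_ap_log(ap_text)
    wlc = analyze_wlc_log(wlc_text)
    findings: List[str] = []
    peer = ap["dtls_peer"]
    dtls_broken = bool(peer) and peer[0] in ap["dtls_failed"]
    if dtls_broken:
        findings.append(f"DTLS handshake to {peer[0]}:{peer[1]} never completed "
                        f"(max retransmits): check that UDP {peer[1]} reaches the WLC.")
    if ap["lwapp_fallback"]:
        findings.append("AP fell back to LWAPP discovery after the CAPWAP/DTLS failure.")
    if wlc:
        findings.append(f"WLC discarded LWAPP discovery from {len(wlc)} CAPWAP-capable AP(s): "
                        "it is waiting for a CAPWAP join, so the join cannot complete this way.")
    if dtls_broken and wlc:
        findings.append("Pattern is consistent on both sides: capture CAPWAP traffic close to "
                        "the WLC to confirm whether discovery/join on UDP 5246 arrives at all.")
    return findings


if __name__ == "__main__":
    for finding in triage(AP_LOG, WLC_LOG):
        print("-", finding)
```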

  • AAA and TACACS servers

    Hello All,
    I want to download free, yet reliable, AAA and TACACS servers; can you guide me? Also, I need help with configuring them for study purposes.

    You may download the eval version ACS 4.2.0.124, if you've access to cisco.com
    ACS v4.2.0.124 90-Days Evaluation Software
    eval-ACS-4.2.0.124-SW.zip
    http://tools.cisco.com/squish/9B37e
    Path:
    Cisco.com > Downloads Home > Products > Cloud and Systems Management > Security and Identity Management > Cisco Secure Access Control Server Products > Cisco Secure Access Control Server for Windows > Cisco Secure ACS 4.2 for Windows > Secure Access Control Server (ACS) for Windows-4.2.0.124
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • WAAS and TACACS

    We are trying to get our WAAS environment to authenticate against TACACS and then fail over to local if TACACS is unavailable. For engineer logins everything is working as expected. However, we are seeing several thousand failures against the TACACS server from a username of "CMS". This user is not configured in the CM or in TACACS. So we log the failed login and CMS logs into the WAE due to the failover-to-local mechanism. Looking at packet captures, and debugging aaa on the WAEs, it is definitely a CMS user that logs in but it shows 127.0.0.1 as its "from" host. I am fairly confident this is automation within the WAE syncing with the CM or vice versa. Does anyone know how to get WAAS and TACACS to work together without a mass amount of login failures? Is there a way this CMS user can be cloned/duplicated on the TACACS server? What is the password for this automation user?
    Thanks in advance.

    Hi Stan,
    WAE can authenticate against TACACS, RADIUS and Central Manager (Local) at any time depending on your configuration.
    There are a couple of things to keep in mind while configuring TACACS on WAE, on both sides - TACACS and WAE CM.
    On TACACS side:
    1. Please make sure to create right username.
    2. Please make sure to verify if you are using ASCII password authentication.
    3. Try to use less than 15 letters - Alphanumeric TACACS password.
    4. Please provide the right user level / group level permissions. This is somewhere under user account properties. Please also make sure to select the right user password under user properties.
    5. Verify if this user needs level 15 (admin equivalent account).
    On WAE CM side:
    1. Please make sure to select right authentication method as primary and secondary.
    2. Please make sure to enable the check box for authentication methods.
    You can verify the failure / successful log events on the TACACS server in order to find out if the user is at least trying to authenticate against TACACS.
    I am sure you have looked at this link to find out all the required steps: Configuring TACACS+ Server Settings
    Hope this helps.
    Regards.
    PS: Please mark this as Answered, if this resolves your issue.

  • ISE 1.1/WLC 7.2 Wireless MAB and Profiling

    I am trying to set up wireless MAB with CWA so that when devices connect to the open guest network they are profiled and if they match a device type (iphone, android) they are allowed access to the internet without AUP or Authentication and all other device types (including unknown) are redirected to the guest portal for authentication. My configuration works when devices are correctly profiled; the issue is that it appears that the RADIUS probes are the only profiling components working on the guest side. Devices are being correctly profiled on the corp network segment. The key profiling components I need to get a match on iphone are DHCP and HTTP user agent. Without those all iphones are categorized as an apple device and not iphone. I suspect this is because they are matching the MAC OUI from the RADIUS probe and MAC filtering with NAC RADIUS on the WLC. The ISE is on a separate LAN from the guest and right now I am only allowing DNS and 8443 through the ASA. I also believe DHCP profiling is not working because the guest DHCP is running on the WLC internal DHCP and is not forwarding requests to the ISE for inspection because it will not relay the request to 2 servers; it just uses a secondary if the primary is unreachable.
    Can someone point me in the right direction?  I believe my Authentication, Authorization, and Identity Source Sequence, etc configuration is correct, but can post additional details if necessary.  My main issue is the profiling probes and getting them working correctly on the guest LAN.

    What we did to get around this was to adjust the profiler policy for Apple-Device to take network scan action when MAC:OUI contains Apple.  So basically the device connects to the wireless network, MAC filtering on the WLC identifies the OUI to belong to Apple and initiates an NMAP scan that properly identifies the OS of the iDevice.  This allows iPhones to connect and other Apple devices like iPads to be redirected to the login portal.
    We can also make similar adjustments to Android and other devices that require profiling to properly identify the device type.  In this case, allowing SmartPhones to connect directly to the internet and all other devices to be redirected to the portal.
    Hope that helps.

  • Windows 8.1 compatibility with WLC v7.0.98.218 and DELL DEVICES

    hello,
    We have a lot of WLCs (4400, WiSM, WS-C3750G-24PS and 5500) running on version 7.0.98.218.
    Windows 7 and Windows 8 clients are able to connect to the WiFi; those with Windows 8.1 can no longer connect.
    We tested two WLANs, one with security policy [WPA2] [Auth (802.1X)] and another with [WPA2] [Auth (PSK)], MAC Filtering.
    In neither of the WLANs did the clients with Windows 8.1 bind (cannot connect).
    The output obtained is attached.
    One of the devices which is having problems is a Dell laptop E5430.
    We've updated the wireless card drivers ... according to Dell ... I did downgrade to an old version ... upgraded to the latest versions given by Broadcom ... but still the problem.
    Can you help me?!
    Regards,
    Tiago Marques

    To ensure that your network is ready for 802.11w and Windows 8, make sure you are running the latest Cisco Unified releases in your wireless controller network.
    Please find the link:
    http://www.my80211.com/home/2012/10/19/bug-cscua29504-upgrade-that-code-if-you-want-windows-8-to-wo.html

  • Installing wildcard certificate in a WLC (ver 7.0.240 and 7.5.102)

    Is it possible to install a wildcard certificate for web auth in those versions?
    Is there any difference between these two versions?
    Do both versions support wildcard certificates?
    Here you have the log file resulting from installing the wildcard certificate in the WLC with v 7.0.240.
    *TransferTask: Nov 28 11:20:51.117: Memory overcommit policy changed from 0 to 1
    *TransferTask: Nov 28 11:20:51.319: Delete ramdisk for ap bunble
    *TransferTask: Nov 28 11:20:51.432: RESULT_STRING: TFTP Webauth cert transfer starting.
    *TransferTask: Nov 28 11:20:51.432: RESULT_CODE:1
    *TransferTask: Nov 28 11:20:55.434: Locking tftp semaphore, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
    *TransferTask: Nov 28 11:20:55.516: Semaphore locked, now unlocking, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
    *TransferTask: Nov 28 11:20:55.516: Semaphore successfully unlocked, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
    *TransferTask: Nov 28 11:20:55.517: TFTP: Binding to local=0.0.0.0 remote=10.16.50.63
    *TransferTask: Nov 28 11:20:55.588: TFP End: 1666 bytes transferred (0 retransmitted packets)
    *TransferTask: Nov 28 11:20:55.589: tftp rc=0, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
         pLocalFilename=cert.p12
    *TransferTask: Nov 28 11:20:55.589: RESULT_STRING: TFTP receive complete... Installing Certificate.
    *TransferTask: Nov 28 11:20:55.589: RESULT_CODE:13
    *TransferTask: Nov 28 11:20:59.590: Adding cert (5 bytes) with certificate key password.
    *TransferTask: Nov 28 11:20:59.590: RESULT_STRING: Error installing certificate.
    *TransferTask: Nov 28 11:20:59.591: RESULT_CODE:12
    *TransferTask: Nov 28 11:20:59.591: ummounting: <umount /mnt/download/ >/dev/null 2>&1>  cwd  = /mnt/application
    *TransferTask: Nov 28 11:20:59.624: finished umounting
    *TransferTask: Nov 28 11:20:59.903: Create ramdisk for ap bunble
    *TransferTask: Nov 28 11:20:59.904: start to create c1240 primary image
    *TransferTask: Nov 28 11:21:01.322: start to create c1240 backup image
    *TransferTask: Nov 28 11:21:02.750: Success to create the c1240 image
    *TransferTask: Nov 28 11:21:02.933: Memory overcommit policy restored from 1 to 0
    (Cisco Controller) >
    Would I have the same results in wlc with  v 7.5.102?
    Thank you.

    Hi Pdero,
    Please check out these docs:
    https://supportforums.cisco.com/thread/2052662
    http://netboyers.wordpress.com/2012/03/06/wildcard-certs-for-wlc/
    https://supportforums.cisco.com/thread/2067781
    https://supportforums.cisco.com/thread/2024363
    https://supportforums.cisco.com/community/netpro/wireless-mobility/security-network-management/blog/2011/11/26/generate-csr-for-third-party-cert-and-download-unchained-cert-on-wireless-lan-controller-wlc
    Regards
    Don't forget to rate helpful posts.

  • Updated WLCs show weird log messages and most APs do not associate

    Hi, I recently updated my 4402 WLC to the latest Software Version (7.0.98.0).
    This first seemed to have worked fine. WLCs rebooted fine, then APs rebooted and upgraded their software images.
    All fine, as it seemed.
    Then I went on to also upgrade to the latest Emergency Image Version (5.2.157.0).
    After rebooting the WLCs most APs won't associate again.
    Logs from the WLCs show a lot of messages like:
    Oct  7 20:11:38 wlc-1 WLC-1: *mmListen: Oct 07 22:11:38.857: %MM-3-INVALID_PKT_RECVD: mm_listen.c:6691 Received an invalid packet from 192.168.128.18. Source member:0.0.0.0. source member unknown.
    Oct  7 20:11:38 wlc-1 WLC-1: *mmListen: Oct 07 22:11:38.857: %OSAPI-5-OSAPI_INVALID_TIMER: timerlib.c:542 Failed to retrive timer.
    Oct  7 20:11:38 wlc-1 WLC-1: -Traceback:  105fbe18 102cb318 105f3ab0 10c0d250 111cd0cc
    Oct  7 20:11:38 wlc-1 WLC-1:
    Oct  7 20:11:38 wlc-1 WLC-1: *mmListen: Oct 07 22:11:38.857: %MM-3-INVALID_PKT_RECVD: mm_listen.c:6691 Received an invalid packet from 192.168.128.18. Source member:0.0.0.0. source member unknown.
    Oct  7 20:11:38 wlc-1 WLC-1: *mmListen: Oct 07 22:11:38.857: %OSAPI-5-OSAPI_INVALID_TIMER: timerlib.c:542 Failed to retrive timer.
    Oct  7 20:11:38 wlc-1 WLC-1: -Traceback:  105fbe18 102cb318 105f3ab0 10c0d250 111cd0cc
    Oct  7 20:11:38 wlc-1 WLC-1:
    Oct  7 20:11:39 wlc-1 WLC-1: *mmListen: Oct 07 22:11:39.749: %MM-3-INVALID_PKT_RECVD: mm_listen.c:6691 Received an invalid packet from 192.168.128.18. Source member:0.0.0.0. source member unknown.
    Oct  7 20:11:39 wlc-1 WLC-1: *mmListen: Oct 07 22:11:39.749: %OSAPI-5-OSAPI_INVALID_TIMER: timerlib.c:542 Failed to retrive timer.
    Oct  7 20:11:39 wlc-1 WLC-1: -Traceback:  105fbe18 102cb318 105f3ab0 10c0d250 111cd0cc
    Oct  7 20:11:39 wlc-1 WLC-1:
    Oct  7 20:11:39 wlc-1 WLC-1: *mmListen: Oct 07 22:11:39.749: %MM-3-INVALID_PKT_RECVD: mm_listen.c:6691 Received an invalid packet from 192.168.128.18. Source member:0.0.0.0. source member unknown.
    Oct  7 20:11:39 wlc-1 WLC-1: *mmListen: Oct 07 22:11:39.749: %OSAPI-5-OSAPI_INVALID_TIMER: timerlib.c:542 Failed to retrive timer.
    Oct  7 20:11:39 wlc-1 WLC-1: -Traceback:  105fbe18 102cb318 105f3ab0 10c0d250 111cd0cc
    Oct  7 20:11:39 wlc-1 WLC-1:
    Oct  7 20:11:40 wlc-1 WLC-1: *mmListen: Oct 07 22:11:40.749: %MM-3-INVALID_PKT_RECVD: mm_listen.c:6691 Received an invalid packet from 192.168.128.18. Source member:0.0.0.0. source member unknown.
    Oct  7 20:11:40 wlc-1 WLC-1: *mmListen: Oct 07 22:11:40.749: %OSAPI-5-OSAPI_INVALID_TIMER: timerlib.c:542 Failed to retrive timer.
    Oct  7 20:11:40 wlc-1 WLC-1: -Traceback:  105fbe18 102cb318 105f3ab0 10c0d250 111cd0cc
    Oct  7 20:11:40 wlc-1 WLC-1:
    Oct  7 20:11:40 wlc-1 WLC-1: *mmListen: Oct 07 22:11:40.749: %MM-3-INVALID_PKT_RECVD: mm_listen.c:6691 Received an invalid packet from 192.168.128.18. Source member:0.0.0.0. source member unknown.
    Oct  7 20:11:40 wlc-1 WLC-1: *mmListen: Oct 07 22:11:40.749: %OSAPI-5-OSAPI_INVALID_TIMER: timerlib.c:542 Failed to retrive timer.
    Oct  7 20:11:40 wlc-1 WLC-1: -Traceback:  105fbe18 102cb318 105f3ab0 10c0d250 111cd0cc
    Oct  7 20:11:40 wlc-1 WLC-1:
    Oct  7 20:11:40 wlc-1 WLC-1: *osapiReaper: Oct 07 22:11:40.905: %OSAPI-6-FILE_DOES_NOT_EXIST: osapi_file.c:348 File : /proc/755/stat does not exist.(errno 2)
    Oct  7 20:11:40 wlc-1 WLC-1: -Traceback:  105eaae4 105f4d44 105f7848 105fa648 105f3ab0 10c0d250 111cd0cc
    Oct  7 20:11:40 wlc-1 WLC-1:
    Oct  7 20:11:43 wlc-1 WLC-1: *mmMobility: Oct 07 22:11:43.210: %OSAPI-5-OSAPI_INVALID_TIMER: timerlib.c:542 Failed to retrive timer.
    Oct  7 20:11:43 wlc-1 WLC-1: -Traceback:  105fbe18 102d8be0 102bc81c 102d5d20 105f3ab0 10c0d250 111cd0cc
    Oct  7 20:11:43 wlc-1 WLC-1:
    Oct  7 20:11:43 wlc-1 WLC-1: *mmListen: Oct 07 22:11:43.210: %MM-3-INVALID_PKT_RECVD: mm_listen.c:6691 Received an invalid packet from 192.168.128.18. Source member:0.0.0.0. source member unknown.
    Oct  7 20:11:43 wlc-1 WLC-1: *mmListen: Oct 07 22:11:43.211: %OSAPI-5-OSAPI_INVALID_TIMER: timerlib.c:542 Failed to retrive timer.
    Oct  7 20:11:43 wlc-1 WLC-1: -Traceback:  105fbe18 102cb318 105f3ab0 10c0d250 111cd0cc
    Oct  7 20:11:43 wlc-1 WLC-1:
    Oct  7 20:11:50 wlc-1 WLC-1: *osapiReaper: Oct 07 22:11:50.913: %OSAPI-6-FILE_DOES_NOT_EXIST: osapi_file.c:348 File : /proc/755/stat does not exist.(errno 2)
    Oct  7 20:11:50 wlc-1 WLC-1: -Traceback:  105eaae4 105f4d44 105f7848 105fa648 105f3ab0 10c0d250 111cd0cc
    When looking back a bit in the logs it looks like this started after upgrading the Software version. But after this first reload the APs came back and worked. Now they don't.
    The case seems to be the same with both my WLCs.
    What could have gone wrong?
    Please advise.

    Not sure which messages are concerning you the most...
    Regarding the message:
    Oct  7 20:11:39 wlc-1 WLC-1: *mmListen: Oct 07 22:11:39.749: %OSAPI-5-OSAPI_INVALID_TIMER: timerlib.c:542 Failed to retrive timer.
    Oct  7 20:11:39 wlc-1 WLC-1: -Traceback:  105fbe18 102cb318 105f3ab0 10c0d250 111cd0cc
    Oct  7 20:11:39 wlc-1 WLC-1:
    There is already a bug for it: CSCth64522
    And for:
    Oct  7 20:11:50 wlc-1 WLC-1: *osapiReaper: Oct 07 22:11:50.913: %OSAPI-6-FILE_DOES_NOT_EXIST: osapi_file.c:348 File : /proc/755/stat does not exist.(errno 2)
    Oct  7 20:11:50 wlc-1 WLC-1: -Traceback:  105eaae4 105f4d44 105f7848 105fa648 105f3ab0 10c0d250 111cd0cc
    Looks like it's matching CSCtf39550
    Both bug fixes should be included in the next 7.0 release and should not impact the WLC behavior.
    Hope this helps...

  • WLC 7.6.130.0 and PI 2.1 Compatability

    Hi,
    Does PI 2.1 (Patch 2.1.2) support WLC (5508) version 7.6.130.0? In the compatibility table here http://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html#52734 this version is not listed. The listed version 7.6.120.0 has gone under "Deferred Releases" on the download page, with 7.6.130.0 being the only one available in the 7.6 train. The MSE 7.6.132.0 is also not listed in the table. However, the MSE release notes align all the components MSE 7.6.132.0, PI 2.1 and WLC 7.6.130.0 on one line here http://www.cisco.com/c/en/us/td/docs/wireless/mse/release/notes/mse7-6-132-0.html#98519 .
    Just wanting to confirm compatibility before proposing a solution involving these components.
    Thanks,
    Rick.

    We were told a few months ago that the next major version of PI (2.2 I think) would get it in sync with features of the WLC releases. They said that it would probably be out in November but I guess it's slipped a bit.

  • WLC with ISE as radius and also external web server

    Hi friends,
    I am building a wireless network with a 5508 WLC and trying to use ISE as the RADIUS server and also to redirect the web-login to it.
    I was trying to understand whether, to achieve the external web-login, I need to use the radius-nac option under Advanced on the guest WLAN where I am trying this out, and if not, where do I actually use it?
    So far what I have understood is that I do need to have a preauth ACL on the Layer 3 security, but the issue is there is no hit reaching the ISE.
    Any suggestions would be highly appreciated guys!
    Regards,
    Mohit

    Hi mohit,
    Please make sure of the below steps for guest auth through ISE:
    1) Add the WLC in your ISE as a network device.
    2) In the Guest SSID you need to choose the pre-authentication ACL. That ACL should allow the below traffic:
        a. any to ISE
        b. ISE to any
        c. any to DNS server
        d. DNS to any
    3) The external redirect URL will be
    https://ip address:8443/guestportal/Login.action
    4) The AAA server for that SSID would be your ISE IP with port number 1812.
    5) In the Advanced tab please choose AAA override. No need for RADIUS NAC.
    6) Create an appropriate authorization profile in ISE for guest. Example is below,

  • WLC for GUEST network hangs and requires restart

    I have a remote site customer that is getting support calls saying that guest users cannot login to the wireless "guest" network. When they try to access it, the browser hangs up when trying to load the redirect page.
    When they restart the controller, it begins working again. The WLC version is 5.0.148.0. Has anyone seen this issue? If not, what would be the best way to troubleshoot?
    Thanks for any help.

    5.0.148.0 has a lot of bugs; I suggest you keep using 4.2.112 at this moment until the maintenance release of version 5 comes out. This is one of its bugs: CSCsm98250.
    Symptom:
    Webauth and controller access via HTTP or telnet/SSH stop working.
    Conditions:
    After the controller was upgraded to 5.0, randomly webauth and controller access via HTTP or telnet/SSH stop working.
    Workaround:
    Reboot controller.

  • CWA with WLC Firmware 7.0.228 and ISE 1.1.1

    Hi,
    Is Cisco ISE central web authentication supported on WLC version 7.0.228?
    My customer has many access points which support only firmware code 7.0.228.
    Cisco ISE version 1.1.1
    WLC 5500 Series, but the existing access points cannot support 7.3.
    Thanks,
    Pongsatorn Maneesud

    Tarik is correct, you need 7.2.x and later to use CWA with ISE. Here is a general summary of features supported on ISE on 7.0 and 7.2 versions of code:
    Scenarios                WLC 7.0           WLC 7.2
    802.1X Auth              Yes               Yes
    802.1X + Posture         Yes               Yes
    802.1X + Profiling       Yes               Yes
    Web Auth + Posture       No *              Yes
    Web Auth + Profiling     Inventory only *  Yes
    Central Web Auth (CWA)   No *              Yes
    Local Web Auth (LWA)     Yes               Yes

  • LAG WLC 5508 7.0.235 and Nexus 7K 5.2(3a)

    I can't get the WLC to form a LAG; the 5508 has 2 SFPs direct to the Nexus 7k. Enabled LAG and rebooted. The 5508's port 2 just stays Link Down in the WLC.
    hostname n7k-01
    int port-channel 31
    vpc 31
    int eth1/12
    description WLC-5508-Port1
    switchport
    switchport mode trunk
    channel-group 31 mode active
    no shut
    show run int eth1/12
    Ethernet1/12 is up
      Dedicated Interface
      Belongs to Po31
    hostname n7k-02
    int port-channel 31
    vpc 31
    int eth1/7
    description WLC-5508-Port2
    switchport
    switchport mode trunk
    channel-group 31 mode active
    no shut
    show run int eth1/7
    Ethernet 1/7 is down (Link not connected)
      Dedicated Interface
      Belongs to Po31

    Controller cannot establish SXP connection with a Cisco Nexus 7000 Series switch.
    Symptom: An SXP connection from the controller to the Cisco Nexus 7000 Series switch reports the On state on the controller side while the switch reports the Waiting for Response state.
    Conditions: Establishing SXP connection between the controller and ASA.
    Workaround: Add an intermediate device that supports SXPv2 between the controller and the Cisco Nexus 7000 Series switch.

  • WLC mobility group between 4404 and 5508 controllers

    Mobility 'Control and Data Path Down' between 4404 and 5508 WLC's.
    Hello, we have 5 x 4404 WLC's running 7.0.240.0 with mobility configured fine between them.
    We have installed a 5508 with HA running 7.4.110.0, and have tried to add it to the mobility group, however we see 'Control and Data Path Down' between the new 5508 and all the 4404 controllers.
    All controllers have:
    The same virtual address
    Management interfaces are in the same VLAN, and indeed all the controllers connect via the same pair of 3750X stacked switches.
    The default mobility domain name is the same
    4404 output when issuing the command 'show mobility summary'
    Symmetric Mobility Tunneling (current) .......... Enabled
    Symmetric Mobility Tunneling (after reboot) ..... Enabled
    Mobility Protocol Port........................... 16666
    Default Mobility Domain.......................... SGH-Mobility
    Multicast Mode .................................. Disabled
    Mobility Domain ID for 802.11r................... 0xe209
    Mobility Keepalive Interval...................... 10
    Mobility Keepalive Count......................... 3
    Mobility Group Members Configured................ 6
    Mobility Control Message DSCP Value.............. 0
    5508 output when issuing the command 'show mobility summary'
    Mobility Architecture ........................... Flat
    Mobility Protocol Port........................... 16666
    Default Mobility Domain.......................... SGH-Mobility
    Multicast Mode .................................. Disabled
    Mobility Domain ID for 802.11r................... 0xe209
    Mobility Keepalive Interval...................... 10
    Mobility Keepalive Count......................... 3
    Mobility Group Members Configured................ 6
    Mobility Control Message DSCP Value.............. 0
    I've spent quite some time double checking all the configurations to no avail.
    Has anybody seen this problem before?
    Kind regards
    Dave Bell

    Thanks Sandeep.
    I am well versed with WLCs and mobility; however, trying to add a 5508 to a mobility group with 4404s has come up with a bit of a curve ball.
    All the 4404 controllers joined the mobility group fine, no problems at all - it's only the 5508 I am struggling with.
    In theory it's simple: populate the IP address and MAC address of the management interface of the remote WLC; as long as the management interfaces are in the same VLAN and the Default Mobility Domain Name is the same, it should come up.
    Interestingly I have found the 5508 reports its own management interface MAC address incorrectly when viewing the Mobility Groups:
    For example:
    {Screen shot WLC1.jpg}
    5508 management address is 10.95.x.x and when viewing the Mobility Management screen it shows its own MAC address as bc:16:65:f9:37:60.
    however!
    From our router, if I do an sh arp | i 10.95.x.x (controller management address), I see: f872.eaee.becf.
    {Screen shot wlc2.jpg}
    Hence the WLC reports as: bc:16:65:f9:37:60
    and
    The network reports as: f872.eaee.becf for the same IP address.
    I have changed the other WLCs to the MAC address seen on the network for the new controller, i.e. changed from
    bc:16:65:f9:37:60
    to
    f8:72:ea:ee:be:cf
    I now see the controllers reporting the mobility with the new controller as 'Control Path Down', however I am at a loss as to what may be causing this?
    Kind regards
    Dave Bell

  • WLC HA, difference between GLOBAL- and AP- High Availability

    hello everyone,
    I have a question regarding HA and LAP...
    We have two 5508s (sw ver 6.0.199.4); on each specific AP we have an entry for which are its primary and secondary controller.
    So far so good: when one controller fails, the AP connects to the second controller and goes on doing its business...
    so what I am not sure about is what I should configure globally regarding HA
    first question: do I have to configure anything at all?
    second question: what should I configure best? we are using our WLCs only to control APs that are connected to our (WLAN-dedicated) LAN, we are not controlling any APs at a remote-location.
    finally, let me quote the configuration-guide:
    "Follow these steps to configure primary, secondary, and tertiary controllers for a specific access point and to configure primary and secondary backup controllers for all access points."
    and the question for this:
    what is the difference between a controller and a backup-controller?
    from my point of view: if I configure a primary and a secondary controller, the secondary controller is the backup-controller for the primary controller...
    while I am writing this, I would like to apologize for what I am asking here, because at this time I am totally confused about this and to write those questions down, did not help to calm down...
    thank you very much in advance!
    regards,
    Manuel

    hi Leo,
      I tested this out, but I guess it's not working as I thought it would. I configured the backup primary controller IP and name in the global configuration of the Wireless tab of the WLC and left the AP high availability blank with no settings. I joined the AP to the WLC and the show capwap client ha output on the AP shows the backup primary controller name. But if I shut down the primary controller, the AP does not join the backup; it just tries to get the WLC IP by renewing DHCP forever and gets stuck in that... Below are the outputs. Any idea why it's like this? I thought if there is no HA configured at the AP level, the global config on the controller level should take effect?
    LWAP3-1042#sh cap cli ha
    fastHeartbeatTmr(sec)   7 (enabled)
    primaryDiscoverTmr(sec) 30
    primaryBackupWlcIp      0xA0A700A
    primaryBackupWlcName    WLC2-4402-50
    secondaryBackupWlcIp    0x0
    secondaryBackupWlcName  
    DHCP renew try count    0
    Fwd traffic stats get   0
    Fast Heartbeat sent     0
    Discovery attempt      0
    Backup WLC array:
    LWAP3-1042#
    *Apr 30 20:36:21.324: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
    Not in Bound state.
    *Apr 30 20:36:31.829: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.10.114.49, mask 255.255.255.0, hostname LWAP3-1042
    *Apr 30 20:37:17.832: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
    Not in Bound state.
    *Apr 30 20:37:28.337: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.10.114.50, mask 255.255.255.0, hostname LWAP3-1042
    *Apr 30 20:38:14.338: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
    Not in Bound state.
    *Apr 30 20:38:24.842: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.10.114.51, mask 255.255.255.0, hostname LWAP3-1042
    regards
    Joe
