WLC WLAN SSID L3 Security Passthru

With passthru security the end user gets a pop-up warning about accepting the self-signed certificate from the virtual IP 1.1.1.3.
Is there a way to replace the certificate with a trusted public certificate?

You can disable HTTPS on the controller. This will eliminate that windows pop-up warning. You need to reboot the controller for the change to take effect.
Or you can install an actual SSL certificate on the controller.
For ease of administration I went with option 1 so I did not have to worry about renewing the certificate every year.

Similar Messages

  • WLC 4402 + Ssid Override

    hi!
    I have a little problem with the SSID Override. I think it is a little problem but I do not find the solution.
    When I try to enable SSID override I do not see them. I have completed all steps: create WLANs, enable WLAN override, select the APs and the radio interfaces and check the SSID to be transmitted.
    As said before, the problem is that I cannot connect to them, even loading the profile.
    Checking the 1242ag I see that the mbssid is 8, so I think I can broadcast multiple SSIDs.
    Maybe I forgot one step but I do not know what.
    Any suggestions?
    Thanks in advance.

    Hi Falque,
    If I am following along here correctly, have a look at this info;
    Enabling WLAN Override
    By default, access points transmit all defined WLANs on the controller. However, you can use the WLAN Override option to select which WLANs are transmitted and which ones are not on a per access point basis. For example, you can use WLAN override to control where in the network the guest WLAN is transmitted or you can use it to disable a specific WLAN in a certain area of the network.
    From this doc;
    http://www.cisco.com/en/US/products/ps6366/products_configuration_guide_chapter09186a008076cbfd.html#wp1114777
    Once you create a new WLAN, the WLAN > Edit page for the new WLAN appears. In this page you can define various parameters specific to this WLAN including General Policies, RADIUS Servers, Security Policies, and 802.1x Parameters.
    Check Admin Status under General Policies to enable the WLAN. If you want the AP to broadcast the SSID in its beacon frames, check Broadcast SSID.
    Note: You can configure up to sixteen WLANs on the controller. The Cisco WLAN Solution can control up to sixteen WLANs for Lightweight APs. Each WLAN has a separate WLAN ID (1 through 16), a separate WLAN SSID (WLAN name), and can be assigned unique security policies. Lightweight APs broadcast all active Cisco WLAN Solution WLAN SSIDs and enforce the policies that you define for each WLAN.
    From this good doc;
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml#c3
    Hope this helps!
    Rob

  • Why is IP address needed for WLC WLANs?

    I'm familiar with autonomous APs but am new to the WLC. Is there a way to just bridge the WLAN traffic to a VLAN? I don't understand why the WLC requires an IP address for the VLAN when the clients essentially are already on that VLAN. How is it used?
    Thanks.
    (Edit: fixed typo.)

    the parameters specific to this VLAN. Some of the parameters include the IP Address, Netmask, Gateway, and the DHCP server IP address.
    The IP address assigned to this interface acts as the DHCP relay for a client to obtain an IP address from the DHCP server. For example, when a client attempts to associate to a WLAN/SSID (see step 5 in this configuration) mapped to this dynamic interface, it performs a local subnet broadcast to identify the DHCP server. The controller sends a request to the DHCP server (or to itself if it is the DHCP server for the segment) with the IP address of this dynamic interface as relay IP to the DHCP server configured for this interface. The DHCP server assigns an IP address to the client from the configured DHCP scope.
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-vlan/68100-wlan-controllers-vlans.html

  • WCS and WLC WLAN Config not fully in sync

    Hi,
    We're facing the issue WCS and WLC WLAN Config is not fully in sync. WLC showing server 1 is IP:10.160.22.151, Port:1812 but WCS server showing none even after click on “Audit” button. Any idea how to resolve this issue? Is this causing any wireless problem? Attached is screen captured. Thanks for your help.

    You mentioned "audit". Have you done a WCS audit so the WLC and WCS are in SYNC?
    If you make a change on the WLC you will not see it in WCS UNLESS they are SYNC. You will see the term "mismatch".
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Equium M50 will only connect to WLan router when security is off

    My Equium M50 will only connect to my wireless BELKIN G+ MIMO ROUTER when the security is turned off.
    What is the reason for this please?
    Blonde Bimbo!!

    Hello
    Did you mean the WLan encryption which secures the entry to the wireless LAN?
    I suppose you have set the encryption (WPA, WEP, etc...) on your WLan router but didn't configure the WLan card.
    Well, in my opinion you should check which WLan encryption the card supports and then choose it on the WLan router. The encryption key should be set on the router and on the notebook!

  • WLC 5508 WLAN SSID Problem

    Hi,
    I recently got a 5508 controller. I use 1 SSID for the employees on the main site (using certificate authentication). On the remote sites I want to use the same SSID with different DHCP servers (APs are configured in HREAP mode). So I tried to configure different WLAN IDs using the same SSID (I override the DHCP server IP address). When I try to activate the SSID, I get the following error: "WLAN with duplicate SSID's and L2 security policy found". I tried to use "AP Group" and put the different WLAN IDs in different AP Groups but it doesn't work.
    Anyone has an idea?
    Thanks in advance
    Regards,
    Eric

    Hi,
    This is the expected behaviour!! And there is no way to overcome the issue, as the error that's popping up is self-explanatory!! If you are using the internal WEB AUTH page then the HREAP local switching supports the internal WEB AUTH, and another thing is.. a single WLAN will do the job!! You just need to configure local switching on the WLAN so that the clients in the central site use (AP in local mode will use central side DHCP) and the AP in HREAP will use the mapped VLAN to grab the IP!!
    here is the link to do the same!!
    http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml#webauth
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807cc3b8.shtml
    Let me know if this answered your question and please don't forget to rate the useful posts!!
    Regards
    Surendra

  • WLC Error - SSID connection is flapping

    Hi All,
    I have a strange and "simple" scenario which is causing problems on my wireless connections, let me explain:
    I have two WLC 5508 running image version 7.6.100.0 and 2602E APs in 3 different places: Controller + 13 APs at HQ and 9 APs divided between 2 branches.
    I do not have VLANs for a while, just a basic and flat VLAN, two SSIDs without broadcast, one of which is for Data Collectors and the other is for users with WPA2-Personal security.
    APs in HQ are configured in Local Mode and on the branches are configured as FlexConnect.
    I am losing my connection from Data Collectors or laptops to the SSIDs (it's just disappearing and returning after 60 seconds +/-). When I look at the WLC log, it's showing the errors below:
    *spamApTask0: Sep 23 12:16:24.149: #APF-3-WLAN_OUT_OF_RANGE: apf_site_override.c:2309 WLAN value 17 is out of range.
    *spamApTask0: Sep 23 12:16:24.149: #LWAPP-3-VENDOR_SPEC_ERR: spam_lrad.c:13403 The system has failed decoding vendor specific payload
    *spamApTask0: Sep 23 12:16:21.650: #CAPWAP-3-SEM_RELEASE_ERR: capwap_ac_db.c:107 The system could not release exclusive access of AP entry for 18:9c:5d:44:4e:d0 in the database
    Could you please guys help me on this? Could be an Image problem?
    I know that my current topology is wrong however it was the only way that I had to put it up regarding business needs.
    Thank you guys

    Hi Rasika,
    It seems better now, however 40 minutes ago I got the same issue with an additional log. I don't know if it happened due to the problem not being solved or maybe a problem with one client only. Log follows:
    *spamApTask1: Sep 24 09:41:00.333: #APF-3-WLAN_OUT_OF_RANGE: apf_site_override.c:2309 WLAN value 17 is out of range.
    *spamApTask1: Sep 24 09:41:00.333: #LWAPP-3-VENDOR_SPEC_ERR: spam_lrad.c:13418 The system has failed decoding vendor specific payload
    *spamApTask1: Sep 24 09:40:59.395: #CAPWAP-3-SEM_RELEASE_ERR: capwap_ac_db.c:107 The system could not release exclusive access of AP entry for 18:9c:5d:44:4e:d0 in the database
    *spamApTask1: Sep 24 09:40:58.195: #LWAPP-3-VALIDATE_ERR: spam_lrad.c:10770 Validation of SPAM_VENDOR_SPECIFIC_PAYLOAD failed - AP  18:9c:5d:44:4e:d0
    *spamApTask0: Sep 24 09:40:50.957: #CAPWAP-3-ECHO_ERR: capwap_ac_sm.c:6731 Did not receive heartbeat reply; AP: 18:9c:5d:44:f3:30
    *spamApTask0: Sep 24 09:40:50.392: #APF-3-WLAN_OUT_OF_RANGE: apf_site_override.c:2309 WLAN value 17 is out of range.
    *spamApTask0: Sep 24 09:40:50.392: #LWAPP-3-VENDOR_SPEC_ERR: spam_lrad.c:13418 The system has failed decoding vendor specific payload
    *spamApTask0: Sep 24 09:40:49.145: #CAPWAP-3-SEM_RELEASE_ERR: capwap_ac_db.c:107 The system could not release exclusive access of AP entry for 18:9c:5d:45:04:50 in the database
    *spamApTask0: Sep 24 09:40:48.156: #LWAPP-3-VALIDATE_ERR: spam_lrad.c:10770 Validation of SPAM_VENDOR_SPECIFIC_PAYLOAD failed - AP  18:9c:5d:45:04:50
    *spamApTask7: Sep 24 09:40:45.655: #LWAPP-3-VALIDATE_ERR: spam_lrad.c:10770 Validation of SPAM_VENDOR_SPECIFIC_PAYLOAD failed - AP  18:9c:5d:44:f3:20
    *spamApTask2: Sep 24 09:40:35.753: #CAPWAP-3-ECHO_ERR: capwap_ac_sm.c:6731 Did not receive heartbeat reply; AP: 18:9c:5d:44:54:50
    *Dot1x_NW_MsgTask_5: Sep 24 09:37:22.413: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:445 Invalid replay counter from client a8:54:b2:65:f3:d5 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    I pinged 3 devices from yesterday (after full upgrade) to today morning and there were ANY downtime. After I back to the office I tried to ping everything and only once it happens as I mentioned above.
    Thanks,

  • Airwaves Survey shows duplicate entries per WLAN SSID

    Hello Cisco WLAN-experts,
    I have a nice problem for You:
    Our WLAN-networks appear twice in every WiFi-Catcher !
    We are running 1131LAPs in HREAP-Mode together with a 4402WLC and use two WLANs. One is the typical "Guest WLAN", another a more secure one, which we do not broadcast the SSID from.
    Both 802.11b/g and 802.11a are active.
    To our surprise, our 802.11b/g-only WLAN-clients see 4 instead of the expected 2 WLANs while they use tools like Airwaves Survey to scan the surrounding.
    The shortened output looks like this:
    RSSI BSSID SSID Type
    -44db 00-1f-9e-7f-e1-60 802.11g
    -40db 00-1f-9e-7f-e1-61 guest 802.11g
    -40db 00-1f-9e-7f-e1-62 guest 802.11g
    -39db 00-1f-9e-7f-e1-63 802.11g
    Does anybody have an explanation why the Cisco LAP is appearing with 4 different Mac-addresses in our Clients ?
    Thank You for any hint in advance.
    Greetings from Good old Germany
    derobbacher

    You will see that because users need to see a different MAC address per radio and per SSID. So if you have one SSID and that SSID is enabled on both radios, then you will see two MAC address entries. If you only had that on one radio, then you will only see one MAC address entry. Hope this helps.

  • CISCO WLC , connecting SSID with local net user

    Dears,
    Created Local Net User
    created SSID and Broadcasted, users can connect to SSID with PSK
    But not able to connect using Local net user created in WLC
    Edwin

    Hi,
    What kind of Layer 2 Security are you using on your SSID?
    You can't have both PSK and Local user database authentication on the same SSID.
    Best regards,
    Sebastian

  • 5530 have to enter WLAN SSID each time

    My home wi-fi does not broadcast the SSID - I prefer it this way for added security. 
    I have however set the router up as an access point and it remembers the password, but whenever I use Menu > Internet > Web and visit a page it offers me "Search for WLAN" and then I have to choose "Other (hidden netw.)" and type in the SSID. This is a right pain :-) Is there a fix for this or do I have to just bite the bullet and tell my router to broadcast my SSID?

    I think you should broadcast the SSID. Depending on where you live it probably won't be that bad. You can also change your router encryption from WEP to WPA or even WPA2, which as far as I know is what they use in the Australian Government. But be careful: some laptops or wireless computers don't support WPA2, and some older ones don't support WPA. If you have your password as something totally random consisting of numbers, letters and signs in random order, no one will guess it, and if your neighbours or lowlife geeks hack into your network with sophisticated software, you can always call the police. Another thing you can do is change your router broadcasting radius to a lower one so it doesn't reach your neighbors. Back to the original question: as far as my knowledge goes about phones, I don't know how to do it, but you can always try some of the things suggested above.
    hope it helps

  • Cisco 877W Dual SSID/VLAN Security Issue

    Hi All
    I have an issue with my 877W that is as fascinating as it is frustrating. I have two SSIDs/VLANs, one for trusted LAN users (PRIVATE), and one for guests (GUEST). The PRIVATE network is secured from the GUEST network by zone-based firewall. Everything works fine, guest devices cannot access private devices, except for one thing - the BVI interface on the PRIVATE network is always accessible to guest devices, and all services are open to attack, e.g. telnet/ssh/http/dns etc. I've tried everything to secure this interface from the guest network, including putting deny any any on physical, BVI and VLAN interfaces.
    Am I missing something obvious, or some fundamental architecture of the 877 that would stop this interface being secured? Any help appreciated!
    P.S. Config has been pared down to basics below.
    version 15.1
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ROUTER
    boot-start-marker
    boot-end-marker
    logging buffered 4096
    enable secret 5 $1$BdpF$r/mAhQGYs8LBlqEpANmke0
    no aaa new-model
    dot11 syslog
    dot11 ssid PRIVATE@123
     vlan 100
     authentication open
     authentication key-management wpa
     wpa-psk ascii 7 046B0A535A15441D2D0C11141A5A5F
    dot11 ssid VISITOR@123
     vlan 200
     authentication open
     authentication key-management wpa
     mbssid guest-mode
     wpa-psk ascii 7 03374C0A08392040420C00
    ip source-route
    no ip dhcp conflict logging
    ip dhcp excluded-address 172.16.1.1 172.16.1.10
    ip dhcp excluded-address 192.168.0.1 192.168.0.10
    ip dhcp pool GUEST
     utilization mark low 70 log
     network 172.16.1.0 255.255.255.0
     dns-server 192.168.0.1 61.9.242.33 61.9.226.33
     default-router 172.16.1.1
    ip dhcp pool PRIVATE
     utilization mark low 70 log
     network 192.168.0.0 255.255.255.0
     dns-server 192.168.0.1 61.9.242.33 61.9.226.33
     default-router 192.168.0.1
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    username cisco privilege 15 password 7 073F205F5D1E491713
    policy-map type inspect PM-DENYGUEST
     class class-default
      drop
    zone security GUEST
    zone security PRIVATE
    zone-pair security GUEST-TO-PRIVATE source GUEST destination PRIVATE
     service-policy type inspect PM-DENYGUEST
    bridge irb
    interface ATM0
     no ip address
     shutdown
     no atm ilmi-keepalive
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     switchport access vlan 100
     no ip address
    interface FastEthernet2
     switchport access vlan 100
     no ip address
    interface FastEthernet3
     no ip address
    interface Dot11Radio0
     no ip address
     encryption vlan 100 mode ciphers aes-ccm
     encryption vlan 200 mode ciphers aes-ccm
     broadcast-key vlan 100 change 30
     broadcast-key vlan 200 change 30
     ssid PRIVATE@123
     ssid VISITOR@123
     mbssid
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role root
    interface Dot11Radio0.100
     encapsulation dot1Q 100 native
     zone-member security PRIVATE
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio0.200
     encapsulation dot1Q 200
     zone-member security GUEST
     bridge-group 2
     bridge-group 2 subscriber-loop-control
     bridge-group 2 spanning-disabled
     bridge-group 2 block-unknown-source
     no bridge-group 2 source-learning
     no bridge-group 2 unicast-flooding
    interface Vlan1
     no ip address
    interface Vlan100
     no ip address
     bridge-group 1
    interface Vlan200
     no ip address
     bridge-group 2
    interface Dialer0
     ip address negotiated
     ip access-group 101 out
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication chap callin
     ppp chap hostname [email protected]
     ppp chap password 7 10580A4F1C4005005B
    interface BVI1
     ip address 192.168.0.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     zone-member security PRIVATE
    interface BVI2
     ip address 172.16.1.1 255.255.0.0
     ip nat inside
     ip virtual-reassembly in
     zone-member security GUEST
    ip forward-protocol nd
    ip http server
    ip http access-class 2
    ip http authentication local
    ip http secure-server
    ip nat inside source list 1 interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0
    logging trap debugging
    logging 192.168.0.11
    control-plane
    bridge 1 protocol ieee
    bridge 1 route ip
    bridge 2 protocol ieee
    bridge 2 route ip
    line con 0
     exec-timeout 5 0
     no modem enable
     transport output all
    line aux 0
     exec-timeout 0 1
     no exec
     transport output none
    line vty 0 4
     exec-timeout 5 0
     login local
     transport input telnet ssh
     transport output none
    end

    Ignore that. self zone got me. Argh! phew!
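
The "self zone" in the follow-up above: on an IOS zone-based firewall, traffic addressed to the router's own IP addresses (BVI1 included) belongs to the built-in `self` zone, so the GUEST-to-PRIVATE zone-pair never sees it, and with no zone-pair towards `self` that traffic is permitted by default. The check below is an added example, not part of the original post; the sample config is a constructed excerpt modeled on the posted one, and the function names and the policy name `PM-GUEST-TO-ROUTER` are hypothetical.

```python
import re
import textwrap

# Constructed excerpt modeled on the posted 877W config (firewall and BVI lines only).
SAMPLE_CONFIG = """\
policy-map type inspect PM-DENYGUEST
 class class-default
  drop
zone security GUEST
zone security PRIVATE
zone-pair security GUEST-TO-PRIVATE source GUEST destination PRIVATE
 service-policy type inspect PM-DENYGUEST
interface BVI1
 ip address 192.168.0.1 255.255.255.0
 zone-member security PRIVATE
interface BVI2
 ip address 172.16.1.1 255.255.0.0
 zone-member security GUEST
"""

# Same config plus a zone-pair towards the built-in "self" zone.
# PM-GUEST-TO-ROUTER is a hypothetical policy name; its contents are not shown here.
HARDENED_CONFIG = SAMPLE_CONFIG + """\
zone-pair security GUEST-TO-SELF source GUEST destination self
 service-policy type inspect PM-GUEST-TO-ROUTER
"""

ZONE_RE = re.compile(r"^zone security (\S+)\s*$")
PAIR_RE = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)\s*$")
IFACE_RE = re.compile(r"^interface (\S+)\s*$")
POLICY_RE = re.compile(r"^\s+service-policy type inspect (\S+)\s*$")
MEMBER_RE = re.compile(r"^\s+zone-member security (\S+)\s*$")
ADDR_RE = re.compile(r"^\s+ip address (\d+\.\d+\.\d+\.\d+) ")


def parse_zbf(config):
    """Return (zones, zone_pairs, interfaces) found in running-config text."""
    zones, pairs, ifaces = set(), [], {}
    pair = iface = None
    # dedent() lets a config pasted with uniform leading indentation parse too.
    for line in textwrap.dedent(config).splitlines():
        if line and not line[0].isspace():
            pair = iface = None  # a top-level line closes the previous block
        if m := ZONE_RE.match(line):
            zones.add(m.group(1))
        elif m := PAIR_RE.match(line):
            pair = {"name": m.group(1), "source": m.group(2),
                    "destination": m.group(3), "policy": None}
            pairs.append(pair)
        elif m := IFACE_RE.match(line):
            iface = ifaces.setdefault(m.group(1), {"address": None, "zone": None})
        elif pair is not None and (m := POLICY_RE.match(line)):
            pair["policy"] = m.group(1)
        elif iface is not None and (m := MEMBER_RE.match(line)):
            iface["zone"] = m.group(1)
        elif iface is not None and (m := ADDR_RE.match(line)):
            iface["address"] = m.group(1)
    return zones, pairs, ifaces


def zones_without_self_policy(config):
    """Map each zone lacking a zone-pair (with a policy) to 'self' onto the
    router-owned addresses, as (interface, address, zone) tuples, that the
    zone firewall therefore does not filter for clients in that zone."""
    zones, pairs, ifaces = parse_zbf(config)
    covered = {p["source"] for p in pairs
               if p["destination"] == "self" and p["policy"]}
    router_addrs = sorted((name, i["address"], i["zone"])
                          for name, i in ifaces.items() if i["address"])
    return {zone: router_addrs for zone in sorted(zones - covered)}


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, zones_without_self_policy(cfg))
```

Any policy attached to a GUEST-to-self pair still has to let through the services guests legitimately get from the router, such as the DHCP pool and DNS server the posted config hands out.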

  • WLC WLAN Authentication from External RADIUS Server

    Dears,
    How to make WLC Receive PoD (Packet of Disconnect) from the RADIUS server to terminate the session and disconnect authenticating clients.
    Thanks,

    Hi Ahmed,
    It's not documented well, but here it is:
    CSCso52532 No Documentation for sending RADIUS Disconnect-Request (RFC 3576)
    . If a user has to be logged out then, following attributes are expected
      - SSH_RADIUS_AVP_SERVICE_TYPE(6) attribute with following value:
          SSH_RADIUS_SERVICE_TYPE_LOGIN(1)
      - SSH_RADIUS_AVP_CALLING_STATION_ID(31) - this is needed, if we want to delete particular user session via particular device (like PDA, Phone or PC)
      - SSH_RADIUS_AVP_USER_NAME(1)
    . If a management user has to be logged out then, following attributes are expected
      - SSH_RADIUS_AVP_SERVICE_TYPE(6) attribute with following value:
          SSH_RADIUS_SERVICE_TYPE_ADMINISTRATIVE
              OR
          SSH_RADIUS_SERVICE_TYPE_NAS_PROMPT
      - SSH_RADIUS_AVP_USER_NAME(1)
      - SSH_RADIUS_AVP_FRAMED_IP_ADDRESS(8)
    Eg:
    *Dec 17 12:59:08.926:   Packet contains 14 AVPs:
    *Dec 17 12:59:08.926:       AVP[01] User-Name................................user@domain (17 bytes)
    *Dec 17 12:59:08.926:       AVP[02] Nas-Port.................................0x0000000d (13) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[03] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[04] Framed-IP-Address........................0x0a003f1b (167788315) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[05] NAS-Identifier...........................wlcRM_1 (7 bytes)
    *Dec 17 12:59:08.926:       AVP[06] Airespace / WLAN-Identifier..............0x00000004 (4) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[07] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)
    *Dec 17 12:59:08.926:       AVP[08] Acct-Authentic...........................0x00000001 (1) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[09] Tunnel-Type..............................0x0000000d (13) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[10] Tunnel-Medium-Type.......................0x00000006 (6) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[11] Tunnel-Group-Id..........................0x3633 (13875) (2 bytes)
    *Dec 17 12:59:08.926:       AVP[12] Acct-Status-Type.........................0x00000001 (1) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[13] Calling-Station-Id.......................10.0.63.27 (10 bytes)
    *Dec 17 12:59:08.926:       AVP[14] Called-Station-Id........................10.0.71.251 (11 bytes)
    *Dec 17 12:59:10.943: 00:1c:26:cb:27:71 Accounting-Response received from RADIUS server 10.0.71.249 for mobile 00:1c:26:cb:27:71 receiveId = 0
    *Dec 17 12:59:34.044: Received a 'RFC-3576 Disconnect-Request' from 10.0.71.249
    *Dec 17 12:59:34.044:   Packet contains 6 AVPs:
    *Dec 17 12:59:34.044:       AVP[01] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)
    *Dec 17 12:59:34.044:       AVP[02] User-Name................................user@domain (17 bytes)
    *Dec 17 12:59:34.044:       AVP[03] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)
    *Dec 17 12:59:34.044:       AVP[04] Calling-Station-Id.......................10.0.63.27 (10 bytes)
    *Dec 17 12:59:34.044:       AVP[05] Called-Station-Id........................10.0.71.251 (11 bytes)
    *Dec 17 12:59:34.044:       AVP[06] Service-Type.............................0x00000001 (1) (4 bytes)
    *Dec 17 12:59:34.044: Error cause 503 generated for 'RFC-3576 Disconnect-Request' from 10.0.71.249 (Session Identification attributes not valid)
    *Dec 17 12:59:34.045: Sent a 'RFC-3576 Disconnect-Nak' to 10.0.71.249:3799
    *Dec 17 12:59:36.561: ****Enter processIncomingMessages: response code=5
    **Share your knowledge. It’s a way to achieve immortality.
    --Dalai Lama**
    Please Rate if helpful.
    Regards
    Ed
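
A way to review such debug output for Disconnect-Request handling, as an added example that is not part of the original post: it parses the WLC debug lines, checks each request against the user-logout attributes listed above, records the reply and error cause, and flags requests whose sender is not a configured RADIUS server. The sample text is an excerpt of the output quoted above; the function names and the `allowed_servers` parameter are hypothetical.

```python
import re

# Excerpt of the debug output quoted in the post above (Disconnect-Request part).
SAMPLE_DEBUG = """\
*Dec 17 12:59:34.044: Received a 'RFC-3576 Disconnect-Request' from 10.0.71.249
*Dec 17 12:59:34.044:   Packet contains 6 AVPs:
*Dec 17 12:59:34.044:       AVP[01] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)
*Dec 17 12:59:34.044:       AVP[02] User-Name................................user@domain (17 bytes)
*Dec 17 12:59:34.044:       AVP[03] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)
*Dec 17 12:59:34.044:       AVP[04] Calling-Station-Id.......................10.0.63.27 (10 bytes)
*Dec 17 12:59:34.044:       AVP[05] Called-Station-Id........................10.0.71.251 (11 bytes)
*Dec 17 12:59:34.044:       AVP[06] Service-Type.............................0x00000001 (1) (4 bytes)
*Dec 17 12:59:34.044: Error cause 503 generated for 'RFC-3576 Disconnect-Request' from 10.0.71.249 (Session Identification attributes not valid)
*Dec 17 12:59:34.045: Sent a 'RFC-3576 Disconnect-Nak' to 10.0.71.249:3799
"""

RECV_RE = re.compile(r"Received a 'RFC-3576 Disconnect-Request' from (\S+)")
COUNT_RE = re.compile(r"Packet contains (\d+) AVPs")
AVP_RE = re.compile(r"AVP\[\d+\] (.+?)\.{2,}(.*?) \(\d+ bytes\)\s*$")
CAUSE_RE = re.compile(r"Error cause (\d+) generated for 'RFC-3576 Disconnect-Request'"
                      r" from \S+ \((.*)\)")
SENT_RE = re.compile(r"Sent a 'RFC-3576 (Disconnect-\w+)' to (\S+?):(\d+)")

# Attributes the post lists for logging out a (non-management) user.
USER_LOGOUT_ATTRS = ("Service-Type", "User-Name", "Calling-Station-Id")
# RADIUS Service-Type values (RFC 2865) named in the post.
SERVICE_TYPES = {1: "Login", 6: "Administrative", 7: "NAS-Prompt"}


def parse_disconnects(debug_text):
    """Collect each Disconnect-Request with its AVPs, error cause and reply."""
    events, cur = [], None
    for line in debug_text.splitlines():
        if m := RECV_RE.search(line):
            cur = {"source": m.group(1), "avp_count": 0, "avps": {},
                   "error_cause": None, "error_text": None, "reply": None}
            events.append(cur)
        elif cur is None:
            continue  # lines of other packets (e.g. accounting) are ignored
        elif m := COUNT_RE.search(line):
            cur["avp_count"] = int(m.group(1))
        elif (m := AVP_RE.search(line)) and len(cur["avps"]) < cur["avp_count"]:
            cur["avps"][m.group(1).strip()] = m.group(2).strip()
        elif m := CAUSE_RE.search(line):
            cur["error_cause"], cur["error_text"] = int(m.group(1)), m.group(2)
        elif m := SENT_RE.search(line):
            cur["reply"] = m.group(1)
            cur = None  # the reply closes this exchange
    return events


def service_type_name(raw):
    """Turn '0x00000001 (1)' into 'Login'; unknown or absent values pass through."""
    if raw is None:
        return None
    value = int(raw.split()[0], 16)
    return SERVICE_TYPES.get(value, str(value))


def review(events, allowed_servers):
    """Summarise each request; allowed_servers is the set of configured RADIUS IPs."""
    return [{
        "source": ev["source"],
        "source_is_configured_server": ev["source"] in allowed_servers,
        "user": ev["avps"].get("User-Name"),
        "service_type": service_type_name(ev["avps"].get("Service-Type")),
        "missing_attrs": [a for a in USER_LOGOUT_ATTRS if a not in ev["avps"]],
        "reply": ev["reply"],
        "error_cause": ev["error_cause"],
        "error_text": ev["error_text"],
    } for ev in events]


if __name__ == "__main__":
    for finding in review(parse_disconnects(SAMPLE_DEBUG), {"10.0.71.249"}):
        print(finding)
```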

  • WLC 5508 support of Secure LDAP using TLS

    Hi,
    I have seen that the current WLC software release, 7.0.116.0, does not support secure LDAP using TLS. Are there any plans to incorporate this feature? (I've read that it was supported in previous releases to version 4.2). Is it in the roadmap of the product?
    Thank you very much for your help.
    Kind regards,

    I too am desiring this functionality.

  • ACS/WLC/WLAN

    Hi,
    Can anybody provide any assistance with the below query:
    I have a 5508 WLC with my WLAN set to authenticate machines via 802.1x. We use ACS version 4.1 to assign certificates to machines which are on our AD domain.
    The certificate is obtained via a Group Policy on the domain which makes the device broadcast for a CA - this is returned as the server running ACS and this then issues the machine a certificate.
    The issue we are facing is that we are about to start a domain migration and the machines on the new domain cannot request a cert from the server running ACS as it is on the old domain - although there is a trust between the old and new domains.
    Many Thanks,
    Claire

    Hi Dave,
    I couldn't find the link you provided :(
    Have a look at this example, it sounds like what you are looking for;
    Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    Hope this helps!
    Rob

  • WLC Physical COnnection and security

    Currently our wireless environment includes 1200ap and a WDS. We have maxed out and want to upgrade to a more controlled environment. I am suggesting and putting together a diag. for a 4404 WLC, and the APs will work with version 12.3.7. My question is about the physical design. Will all 4 Ethernet ports on the WLC connect to the switch? All on the same VLAN as the APs? Also, we are using EAP-TLS and want to migrate to EAP-FAST; does this require a footprint on the client laptop?

    The ports on the 4404 will trunk with the switch. You can put them in LAG mode, which is the equivalent of EtherChannel. You will have to put the switch ports in trunk mode either way.
    You don't have to connect all 4 ports, but it is recommended for failover & maximum possible AP support. You will need to assign the management interface on the 4404 (ap-management interface if operating in Layer-3 mode) to a vlan/subnet that the APs will reside in. All other dynamic interfaces that you create on the controller to bind with WLANs will reside in other VLANs that get pushed through the trunk links between the 4404 & the switch(es). Be sure to prune out any VLANs that you don't need or want to cross the trunk to the 4404. For lwapp APs, assign the switch-ports that the APs connect to to the same vlan as the management ports on the 4404. Not sure about your 1200s. It will work if you trunk the interfaces to the APs as well, but that is more of a shotgun approach for lwapp APs. The last time I had to work with an autonomous AP, it was a stand-alone unit and not combined with a WLC. That scenario required a trunk link.
    have you confirmed that you can convert your 1200s to lwapp mode?
    Correct me if I am wrong, but I believe you will need to place a cert on the client laptops for eap-tls. I did this a while back using XP & freeradius and got it to work, but it has been a while.
