WLCs 5508, HA enabled and Internal DHCP

Hi:
Designing a new project for a customer in which a pair of WLC-5508s and a number of AP-3602Is will be deployed.
The controllers are running the 7.4 image, and I'd also like to use them as internal DHCP servers for clients in different WLANs.
As for the redundancy mechanism, I'd go for activating HA (AP SSO), but I know HA and the internal DHCP server can't coexist.
So, my question is: does anyone know if Cisco is thinking of implementing both features in any new version to come? The goal would be the active controller handing the whole lease database over to the standby in case of an active-to-standby switchover.
Thx!
Juan.

As you already know, HA and DHCP cannot coexist on the WLC. Till now there is no plan from Cisco to implement this.

Similar Messages

  • Does WLC release 7.6 support internal DHCP when AP and client SSO is configured?

    Hi,
    I currently have 5508 WLCs running release 7.6, and they are to be configured in 1:1 HA mode. I would like to know whether internal DHCP is supported if AP and client SSO are configured.
    Thanks in advance.

    Unfortunately, to date no AireOS release supports internal DHCP when AP SSO is configured.
    For details, check the HA Deployment Guide. It says the following:
    "Internal DHCP is not supported when SSO is enabled."
    -Thanks
    Vinod

  • ISE Profiling for Wireless Devices (WLC 5508) like Laptops and Mobile Devices

    Hi,
    We have integrated a WLC 5508 with Cisco ISE 3315 running 1.1.1 and are using the Guest Sponsor portal for wireless guest users.
    We have created an open SSID on the WLC and redirect guest users to the web login portal. We have enabled all the respective nodes in the policy service for profiling and also configured SNMP on the WLC as well as on ISE.
    When a guest user connects to the open SSID, they get redirected to the web login page of the ISE portal, and when they log in we are only able to see the username the guest user logged in with, but not the end device, in the monitoring log.
    Wireless end devices are not getting profiled. Can anyone tell me what configuration I need to do on the ISE or WLC side to profile guest wireless end devices like Android, iPhone and laptops?
    Thanks
    Pranav

    Hi Tarikh,
    I only want to identify the end devices for wireless guest users. I have configured MAB authentication and configured an authorization policy in which the identity group is Any, the condition is WLC web authentication, and the authorization profile is guest only, granting plain access for the same.
    Can you help me with how I can achieve profiling for wireless guest devices? I have configured all profiling probes and enabled SNMP on the WLC as well as on the network devices.
    What else do I need to configure to achieve just identifying the device, nothing but profiling, which should be reflected in the authentication logs?
    Thanks
    Pranav

  • EAP-TLS with WLC 5508, Microsoft NPS and custom EKU OIDs

    We are trying to implement EAP-TLS with client certificates that have a custom EKU OID to distinguish the WLAN clients. The Microsoft Press book Windows Server 2008 PKI and Certificate Security gives an example of how to configure a policy in NPS that matches specific EKU OIDs. At the moment we have two policies that have an allowed-certificate-OID configured that matches the OIDs in our certificates, but our setup is not working as expected. Authentications will only be successful if the client authenticates with the certificate that is matched by the first policy rule.
    For example:
    Policy 1: allowed-certificate-OID --> corporate
    Policy 2: allowed-certificate-OID --> private
    Client authenticates with EKU corporate --> success
    Client authenticates with EKU private --> reject
    My expectation was, that if Policy 1 will not match the NPS goes over to Policy 2 and tries to authenticate the client.
    Has anyone a similar setup or can help to figure out what is going wrong?
    We have a WLC 5508 with software version 7.4.100.0 and an NPS on a Windows Server 2008 R2.
    regards
    Fabian

    The policy rejects; the NPS goes on to the next policy only if the user does not belong to the configured group.
    This means I need to have one AD group per application policy, but that will not solve my problem. A user could belong to more than one group, depending on how many devices he/she has. It will only work with one group for each user, because the first policy that matches an AD group the user belongs to could have an OID that is not in the certificate. This would cause a reject with reason code 73:
    The purposes that are configured in the Application Policies extensions, also called Enhanced Key Usage (EKU) extensions, section of the user or computer certificate are not valid or are missing. The user or computer certificate must be configured with the Client Authentication purpose in Application Policies extensions. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2.
    The certificate does include this OID but not the custom EKU.
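The behaviour described in this thread (the policy is chosen by group membership, and the certificate's EKU is only checked afterwards, so a missing OID ends in reason code 73 instead of falling through to the next policy) can be reproduced with a small model. This is an added example, not code from the thread or from NPS: it includes a minimal DER encoder/decoder for the EKU extension value so the OIDs are handled as they appear on the wire, and the custom OIDs under 1.3.6.1.4.1.99999 and the group names are placeholders, not real assignments.

```python
"""Added example (not from the thread): model of NPS policy selection vs. EKU
checking, with a minimal DER codec for the ExtKeyUsage extension value.
The custom OIDs under 1.3.6.1.4.1.99999 are placeholders, not real assignments."""

CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"        # id-kp-clientAuth, required by NPS (reason code 73 if absent)
OID_CORPORATE = "1.3.6.1.4.1.99999.1.1"  # hypothetical custom EKU for corporate devices
OID_PRIVATE = "1.3.6.1.4.1.99999.1.2"    # hypothetical custom EKU for private devices


def _base128(n):
    """Base-128 encoding of one OID arc, high bit set on all but the last byte."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def _length(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER (tag 0x06): first two arcs packed as 40*x+y, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return b"\x06" + _length(len(body)) + body


def encode_eku(oids):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (RFC 5280), as the extension value."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _length(len(body)) + body


def _read_length(buf, pos):
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def decode_oid(body):
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    x = min(arcs[0] // 40, 2)                       # first arc is 0, 1 or 2
    return ".".join(str(a) for a in [x, arcs[0] - 40 * x] + arcs[1:])


def decode_eku(der):
    """Return the dotted OIDs contained in a DER-encoded EKU extension value."""
    if der[0] != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    length, pos = _read_length(der, 1)
    end, oids = pos + length, []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER at offset %d" % pos)
        olen, pos = _read_length(der, pos + 1)
        oids.append(decode_oid(der[pos:pos + olen]))
        pos += olen
    return oids


def evaluate(policies, user_groups, eku_der):
    """First policy whose group condition the user meets is applied; the EKU is checked
    only after selection, so a missing OID rejects (73) instead of trying the next policy.
    Returns (policy name, accepted, reason code)."""
    eku = set(decode_eku(eku_der))
    for pol in policies:
        if pol["group"] not in user_groups:
            continue                                 # only a failed group match moves on
        if CLIENT_AUTH not in eku or pol["oid"] not in eku:
            return pol["name"], False, 73
        return pol["name"], True, 0
    return None, False, None


POLICIES = [
    {"name": "corporate", "group": "WLAN-Corporate", "oid": OID_CORPORATE},
    {"name": "private", "group": "WLAN-Private", "oid": OID_PRIVATE},
]

if __name__ == "__main__":
    private_cert = encode_eku([CLIENT_AUTH, OID_PRIVATE])
    # user in both groups: policy 1 wins on group, then rejects on OID (the thread's failure)
    print(evaluate(POLICIES, {"WLAN-Corporate", "WLAN-Private"}, private_cert))
    # one group per user: the private policy is selected and accepts
    print(evaluate(POLICIES, {"WLAN-Private"}, private_cert))
```

The model makes the poster's observation explicit: a user in both groups presenting the "private" certificate is rejected by the "corporate" policy with reason code 73, and only a strict one-group-per-user mapping lets the second policy ever be reached.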

  • WLC 5508: WPA2-enabled SSID - especially Intel & Dell wireless cards are not getting connected

    Hi ,
    I have one peculiar issue in my wireless LAN setup. I have some laptop users who are using the built-in wireless adapters/cards below:
    1) Dell Wireless 1397 WLAN Mini-Card
    2) Intel Centrino Advanced-N 6200 AGN
    The above cards are having issues with WPA2-enabled SSID connectivity. Strangely, the same users are able to connect to another WEP-enabled SSID, but it's not working for the WPA2 SSID.
    I have an external ACS server which is used for RADIUS authentication. Last time I had put the same query in the support forum and did some workarounds,
    e.g. disabling the DHCP proxy option on the WLC and moving all DHCP scopes to the external server.
    After doing this workaround the mentioned users are still facing the issue. I went through some Cisco documents and some forums and came across the point that there is something to be done in the "Session Timeout" option on the WLC,
    which is 1800 sec by default. Based on that, I tried to capture debug output for the problematic clients mentioned above and for a user who is working fine.
    I went through the debug output and observed:
    User who is working fine:
    Processing Access-Accept for mobile 00:22:5f:8d:55:84
    00:xx:xx:xx:xx:xx Setting re-auth timeout to 1800 seconds, got from WLAN config.
    00:xx:xx:xx:xx:xx Station 00:22:5f:8d:55:84 setting dot1x reauth timeout = 1800
    00:xx:xx:xx:xx:xx Creating a PKC PMKID Cache entry for station 00:22:5f:8d:55:84 (RSN 2)
    00:xx:xx:xx:xx:xx Adding BSSID 00:1f:ca:2c:f3:01 to PMKID cache for station 00:22:5f:8d:55:84
    New PMKID: (16)
    The user / card which is having the issue:
    Processing Access-Accept for mobile 00:22:5f:90:a2:ac
    00:xx:xx:xx:xx:xx Setting re-auth timeout to 0 seconds, got from WLAN config.
    00:xx:xx:xx:xx:xx Station 00:22:5f:90:a2:ac setting dot1x reauth timeout = 0
    00:xx:xx:xx:xx:xx Stopping reauth timeout for 00:22:5f:90:a2:ac
    00:xx:xx:xx:xx:xx Creating a PKC PMKID Cache entry for station 00:22:5f:90:a2:ac (RSN 2)
    00:xx:xx:xx:xx:xx Adding BSSID 00:26:cb:1d:fe:31 to PMKID cache for station 00:22:5f:90:a2:ac
    New PMKID: (16)
    Please suggest a workaround.

    Hi,
    According to the output of the working as well as the non-working wireless cards, below are my observations:
    Non-working wireless card observation:
    The client passed the L2 authentication and, after successful association, it is now going into the DHCP_REQD state.
    Non-working wireless card:
    *Apr 06 11:58:15.866: 0c:60:76:3e:8c:49 10.10.232.137 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
    *Apr 06 11:58:15.866: 0c:60:76:3e:8c:49 Stopping retransmission timer for mobile 0c:60:76:3e:8c:49
    *Apr 06 11:58:15.869: 0c:60:76:3e:8c:49 10.10.232.137 Added NPU entry of type 1, dtlFlags 0x0
    The client entry is added to the Network Processing Unit (NPU) of the controller with an IP address of 10.10.232.137, but after that I am getting the output below:
    *Apr 06 11:58:22.742: 0c:60:76:3e:8c:49 Copy AP LOCP - mode:0 slotId:0, apMac 0x0:1f:ca:2c:ea:e0
    *Apr 06 11:58:22.742: 0c:60:76:3e:8c:49 Copy WLAN LOCP EssIndex:2 aid:50 ssid:USTRI_SECURE
    *Apr 06 11:58:22.742: 0c:60:76:3e:8c:49 Copy Security LOCP ecypher:0x0 ptype:0x2, p:0x0, eaptype:0x2 w:0x1 aalg:0x0, PMState:        RUN
    *Apr 06 11:58:22.742: 0c:60:76:3e:8c:49 Copy 802.11 LOCP a:0x0 b:0x0 c:0x0 d:0x0 e:0x1 protocol2:0x3 statuscode 0, reasoncode 99, status 3
    *Apr 06 11:58:22.742: 0c:60:76:3e:8c:49 Copy Username LOCP :   U25744
    *Apr 06 11:58:22.743: 0c:60:76:3e:8c:49 Copy IP LOCP: 0xa0ae889
    *Apr 06 11:58:22.743: 0c:60:76:3e:8c:49 Copy CCX LOCP 4
    *Apr 06 11:58:22.743: 0c:60:76:3e:8c:49 Copy MobilityData LOCP status:1, anchorip:0x0
    *Apr 06 11:59:14.002: 0c:60:76:3e:8c:49 10.10.232.137 RUN (20) State Update from Mobility-Complete to Mobility-Incomplete
    *Apr 06 11:59:14.002: 0c:60:76:3e:8c:49 Clearing Address 10.10.232.137 on mobile
    *Apr 06 11:59:14.002: 0c:60:76:3e:8c:49 10.10.232.137 RUN (20) Change state to DHCP_REQD (7) last state RUN (20)
    *Apr 06 11:59:14.002: 0c:60:76:3e:8c:49 apfMmProcessDeleteMobile (apf_mm.c:522) Expiring Mobile!
    *Apr 06 11:59:14.002: 0c:60:76:3e:8c:49 apfMsExpireMobileStation (apf_ms.c:4427) Changing state for mobile 0c:60:76:3e:8c:49 on AP 00:1f:ca:2c:ea:e0 from Associated to Disassociated.
    Working card output:
    *Apr 06 12:16:28.038: 00:22:5f:8d:55:84 10.10.232.190 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
    *Apr 06 12:16:28.038: 00:22:5f:8d:55:84 Stopping retransmission timer for mobile 00:22:5f:8d:55:84
    *Apr 06 12:16:28.042: 00:22:5f:8d:55:84 10.10.232.190 Added NPU entry of type 1, dtlFlags 0x0
    The client entry is added to the Network Processing Unit (NPU) of the controller with an IP address of 10.10.232.190 and, as expected, I am getting the output below:
    *Apr 06 12:16:28.749: 00:22:5f:8d:55:84 DHCP received op BOOTREQUEST (1) (len 321, port 29, encap 0xec03)
    *Apr 06 12:16:28.751: 00:22:5f:8d:55:84 DHCP processing DHCP REQUEST (3)
    *Apr 06 12:16:28.751: 00:22:5f:8d:55:84 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *Apr 06 12:16:28.752: 00:22:5f:8d:55:84 DHCP   xid: 0x6eefbbb8 (1861204920), secs: 0, flags: 0
    *Apr 06 12:16:28.752: 00:22:5f:8d:55:84 DHCP   chaddr: 00:22:5f:8d:55:84
    *Apr 06 12:16:28.752: 00:22:5f:8d:55:84 DHCP   ciaddr: 10.10.232.190,  yiaddr: 0.0.0.0
    *Apr 06 12:16:28.752: 00:22:5f:8d:55:84 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *Apr 06 12:16:28.753: 00:22:5f:8d:55:84 DHCP successfully bridged packet to DS
    *Apr 06 12:16:30.751: 00:22:5f:8d:55:84 Copy AP LOCP - mode:0 slotId:0, apMac 0x0:1f:ca:2c:f3:0
    *Apr 06 12:16:30.751: 00:22:5f:8d:55:84 Copy WLAN LOCP EssIndex:2 aid:10 ssid:USTRI_SECURE
    *Apr 06 12:16:30.751: 00:22:5f:8d:55:84 Copy Security LOCP ecypher:0x0 ptype:0x2, p:0x0, eaptype:0x2 w:0x1 aalg:0x0, PMState:        RUN
    *Apr 06 12:16:30.752: 00:22:5f:8d:55:84 Copy 802.11 LOCP a:0x0 b:0x0 c:0x0 d:0x0 e:0x1 protocol2:0x3 statuscode 0, reasoncode 99, status 3
    *Apr 06 12:16:30.752: 00:22:5f:8d:55:84 Copy Username LOCP : USTR\U17967
    *Apr 06 12:16:30.752: 00:22:5f:8d:55:84 Copy IP LOCP: 0xa0ae8be
    *Apr 06 12:16:30.752: 00:22:5f:8d:55:84 Copy CCX LOCP 4
    *Apr 06 12:16:30.752: 00:22:5f:8d:55:84 Copy MobilityData LOCP status:1, anchorip:0x0
    Finally the client is getting stuck in the DHCP_REQD state.
    Please look into this and shed some light on it.
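Both posts in this thread hinge on reading the controller's "debug client" output by eye: the first spots the "re-auth timeout to 0 seconds" line, the second the RUN to DHCP_REQD fallback with no DHCP traffic in between. The following is an added example, not code from the thread or from Cisco: a small analyser that tracks each station's dot1x reauth timer, NPU/IP entry, DHCP traffic and policy-manager state changes and reports those two anomalies. SAMPLE is trimmed from the debug lines posted above; the regexes only cover the line shapes that appear there.

```python
"""Added example (not from the thread): analyser for AireOS "debug client" output
that flags a dot1x reauth timeout of 0 and a RUN -> DHCP_REQD transition with no
DHCP traffic seen for the station. Regexes match only the line shapes posted above."""
import re
from collections import defaultdict

MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
RE_REAUTH = re.compile(r"Station " + MAC + r" setting dot1x reauth timeout = (\d+)")
RE_NPU = re.compile(MAC + r" (\d+\.\d+\.\d+\.\d+) Added NPU entry")
RE_DHCP = re.compile(MAC + r" DHCP (?:received op|processing|successfully bridged)")
RE_MOBILITY = re.compile(MAC + r" .*State Update from Mobility-Complete to Mobility-Incomplete")
RE_STATE = re.compile(MAC + r" (?:\S+ )?\S+ \(\d+\) Change state to (\w+) \(\d+\) last state (\w+)")
RE_EXPIRE = re.compile(r"Changing state for mobile " + MAC + r" on AP \S+ from Associated to Disassociated")


def _new_client():
    return {"ip": None, "dhcp_seen": False, "transitions": [], "findings": []}


def analyze(lines):
    """Return {mac: {ip, dhcp_seen, transitions, findings}} for the given debug lines."""
    clients = defaultdict(_new_client)
    for raw in lines:
        line = raw.strip()
        m = RE_REAUTH.search(line)
        if m:
            if int(m.group(2)) == 0:   # the masked leading MAC on these lines is ignored
                clients[m.group(1)]["findings"].append(
                    "dot1x reauth timeout 0 seconds taken from WLAN config (session timeout disabled)")
            continue
        m = RE_NPU.search(line)
        if m:
            clients[m.group(1)]["ip"] = m.group(2)
            continue
        m = RE_DHCP.search(line)
        if m:
            clients[m.group(1)]["dhcp_seen"] = True
            continue
        m = RE_MOBILITY.search(line)
        if m:
            clients[m.group(1)]["findings"].append(
                "mobility state Complete -> Incomplete, address will be cleared")
            continue
        m = RE_STATE.search(line)
        if m:
            mac, new, old = m.group(1), m.group(2), m.group(3)
            c = clients[mac]
            c["transitions"].append((old, new))
            if old == "RUN" and new == "DHCP_REQD" and not c["dhcp_seen"]:
                c["findings"].append("RUN -> DHCP_REQD with no DHCP traffic seen for %s" % c["ip"])
            continue
        m = RE_EXPIRE.search(line)
        if m:
            clients[m.group(1)]["findings"].append("client expired: Associated -> Disassociated")
    return dict(clients)


# Trimmed from the debug output posted in the thread.
SAMPLE = """\
00:xx:xx:xx:xx:xx Station 00:22:5f:8d:55:84 setting dot1x reauth timeout = 1800
00:xx:xx:xx:xx:xx Station 00:22:5f:90:a2:ac setting dot1x reauth timeout = 0
*Apr 06 11:58:15.869: 0c:60:76:3e:8c:49 10.10.232.137 Added NPU entry of type 1, dtlFlags 0x0
*Apr 06 11:59:14.002: 0c:60:76:3e:8c:49 10.10.232.137 RUN (20) State Update from Mobility-Complete to Mobility-Incomplete
*Apr 06 11:59:14.002: 0c:60:76:3e:8c:49 10.10.232.137 RUN (20) Change state to DHCP_REQD (7) last state RUN (20)
*Apr 06 11:59:14.002: 0c:60:76:3e:8c:49 apfMsExpireMobileStation (apf_ms.c:4427) Changing state for mobile 0c:60:76:3e:8c:49 on AP 00:1f:ca:2c:ea:e0 from Associated to Disassociated.
*Apr 06 12:16:28.042: 00:22:5f:8d:55:84 10.10.232.190 Added NPU entry of type 1, dtlFlags 0x0
*Apr 06 12:16:28.751: 00:22:5f:8d:55:84 DHCP processing DHCP REQUEST (3)
*Apr 06 12:16:28.753: 00:22:5f:8d:55:84 DHCP successfully bridged packet to DS
"""

if __name__ == "__main__":
    for mac, info in analyze(SAMPLE.splitlines()).items():
        print(mac, info["ip"], "dhcp_seen=%s" % info["dhcp_seen"])
        for finding in info["findings"]:
            print("   !", finding)
```

Run against the thread's lines it reports nothing for the working station (NPU entry followed by a bridged DHCP REQUEST), the zero reauth timer for the second card, and for the failing card the mobility downgrade, the RUN -> DHCP_REQD fallback with no DHCP packet in between, and the expiry. Feeding it a full "debug client" capture rather than a trimmed one is the intended use.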

  • WLC 5508 Web Auth and EAP / PEAP

    Morning all, I'm looking for some clarification.
    Current setup:
    I work in a school; a few years ago I installed a 4400 WLC and several APs as a proof-of-concept exercise to see whether wireless technology would be of benefit to teaching and learning. It was deemed to be so.
    This summer I installed 2 x 5508 WLCs and increased AP coverage to 50 - copied over the configs from the old controller - all works fine.
    Currently only the staff can access the WLANs with the exception of a public WLAN in the canteen area.
    Because there are a limited number of devices, WPA2 in conjunction with MAC filtering was used. However the school wants to open the wireless network to all of the students - potentially this means up to 1000 devices that will no doubt change on a regular basis so MAC filtering is out.
    In line with child protection policies I need an 'auditable' trail when students access wireless resources.
    Planned setup:
    I have set up a test WLAN that uses Web Auth - the WLC is configured to pass authentication requests (through an ASA) on to a RADIUS server which is tied into AD. I have a CA set up as well as a NAP server.
    There is no layer 2 security set on the test WLAN and layer 3 is just web authentication. From any mobile device I can authenticate against AD and gain access to the Internet.
    Clarification:
    With no layer 2 security the WLAN is exposed so I need to introduce some form of end to end encryption - so I am looking at deploying EAP / PEAP.
    Would the introduction of EAP / PEAP keep the network as secure as if I was using WPA2 ?
    Many thanks.

    If you are using web authentication you cannot use dot1x as L2 security, so EAP is not an option.
    But you can use pre-shared key security, like WPA2 AES, with web auth to ensure that the traffic is encrypted.
    Or you can define a WLAN profile with dot1x security on L2 and nothing on L3; by doing so you would definitely hit the utmost security possible.
    Check the following link, which contains a couple of EAP config examples:
    http://www.cisco.com/en/US/partner/tech/tk722/tk809/tech_configuration_examples_list.html
    Please make sure to rate correct answers

  • WLC Internal and External DHCP

    I am currently using the internal DHCP component within my 5508 controller with software version 7.0.166.0. This seems to be working fine, as the VLAN routed interface connected to it via the dynamic trunk port is functioning, since I have the ip helper-address command set up on this specific VLAN interface.
    My issue now is that we have an isolated ADSL network which is configured off our core 6513, but just as a Layer 2 VLAN, so no traffic can be routed to other VLANs.
    With our new Wi-Fi environment, which consists of the 5508 controller and numerous 3502 APs, we want to utilize this ADSL VLAN with our new Wi-Fi environment. This ADSL VLAN has a dedicated Linksys router which is currently running DHCP and assigning addresses to clients at the moment.
    What I want to do is configure the 5508 controller to use this ADSL VLAN as well, but also keep using the Linksys router for DHCP.
    I have set up a new dynamic interface, added the ADSL VLAN ID to the trunk port of the 5508 and also set up its own SSID. But for some reason I cannot get both the internal and external DHCP servers to work at the same time. If I enable the DHCP proxy option on the 5508 the internal DHCP server works, and when I disable DHCP proxy the ADSL VLAN DHCP works through the 5508 but not the internal DHCP server.
    Can I get both the internal and external DHCP servers to work in harmony, or should I be focusing on using one method over the other?

    Hey Scott, I have just tried configuring another scope for the L2 VLAN, but it doesn't seem to be working: when I add the IP address of the management interface, which is the internal DHCP server, to the dynamic interface of this ADSL network I have set up, I don't seem to get an IP address within this scope.
    I am just wondering, seeing it is just an L2 VLAN without a routed interface, would this be the problem, and would I need to set this up with the "ip helper-address" of the management interface?
    Cheers SG

  • Some C1242 Radios are disabled after WLC 5508 upgrade to 7.3.101.0

    One week ago I used a WLC 5508 to replace another WLC 5508 running version 6.0.199.4. When I connected the new WLC, all APs worked OK; only 10 don't work and are not recognized by the WLC with version 7.3.101.0. The failure is that the radios stay disabled. All APs are AIR-AP1242G-AK9. See the image below; the only difference is that these ten APs are connected to Cisco switches, while all the rest are connected to switches from another vendor.
    Is it possible that some command in the configuration is unnecessary and causes the malfunction?
    This is the typical config applied by the customer on their Cisco switches:
    interface GigabitEthernet0/22
     description PB-RS-A22
     switchport access vlan 5
     switchport mode access
     switchport port-security
     switchport port-security aging time 2
     switchport port-security violation restrict
     switchport port-security aging type inactivity
     macro description cisco-desktop
     spanning-tree portfast
     spanning-tree bpduguard enable
    I read some documents but I didn't find the right solution. Can anyone help me?
    Thanks

    Are the APs being powered through PoE or perhaps an injector (if an injector, do you have the injector override enabled for joined APs with their radios down?) What's the disparity of the models; are all 1242s in this "down radio" state, or only the 1242s plugged into the Cisco switches?
    When you say the 10 don't work and are not "recognized" by the WLC, are you indicating that they have not re-joined the newer WLC or are they joined but their radios are not operationally up?  Please clarify the state of these APs.
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn73.html#wp965532
    Please note that a version prior to 7.0.98.0 cannot be upgraded directly to 7.3.101.0 from the WLC perspective, but it's possible your 1242 APs' image (from the 6.0.199.4 release) is not able to properly join and download code from the 7.3.101.0 WLC that was put into place. The 1242 APs in your scenario would still be running the old 6.0.199.4 image.
    I'm curious what all is or isn't happening from the questions above, but you may need to load a newer recovery release on the 1242s to have them join properly - or - downgrade the WLC to a version that allows a direct upgrade from 6.0.199.4 such as 7.0.240.0.  Let the APs join the downgraded WLC and finish up any image downloads and re-join, then upgrade the WLC back to 7.3.101.0 (would recommend latest 7.3.112.0 instead) and see if they rejoin and radios are online.

  • WLC 5508 Internal DHCP server issues

    Hi,
    I am hoping to get your feedback on the DHCP issues I am facing with two centrally switched wireless LANs. I have tried to explain the setup and the problems below and would appreciate it if anyone can suggest a solution for the problems I am facing:
    The setup is as follows:
    - I have a WLC 5508 which has been configured with 4 SSIDs, out of which 2 are using Central Authentication and Switching.
    - I have an LWAP connected to the WLC in HREAP mode.
    - The WLC is configured as the DHCP server for clients connecting to the SSID 'Guest'. For the rest, I am using an external DHCP server.
    - Only one scope for Guest Interface is setup on the WLC. 
    Problems:
    1. As far as I know, for the WLC to act as an internal DHCP server it is mandatory to have the proxy enabled, but the clients connecting to SSID 'Internet' are unable to get an IP address from the external DHCP server if DHCP proxy is enabled on the WLC. If I disable the proxy, it all works fine.
    2. DHCP does not release the IP addresses assigned to clients even after they have logged out.
    3. If a machine which was earlier connected to the 'Guest' SSID connects to the 'Internet' SSID, it requests the same IP the WLC assigned it under 'Guest', but gets tagged with the VLAN configured on the management interface.
    ************Output from the Controller********************
    (Cisco Controller) >show sysinfo
    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 7.0.116.0
    Bootloader Version............................... 1.0.1
    Field Recovery Image Version..................... 6.0.182.0
    Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
    Build Type....................................... DATA + WPS + LDPE
    (Cisco Controller) >show interface summary
    Interface Name                   Port Vlan Id  IP Address      Type     Ap Mgr  Guest
    guest                            1    301      10.255.255.30   Dynamic  No      No
    management                       1    100      172.17.1.30     Static   Yes     No
    service-port                     N/A  N/A      192.168.0.1     Static   No      No
    virtual                          N/A  N/A      10.0.0.1        Static   No      No
    (Cisco Controller) >show wlan summary
    Number of WLANs.................................. 4
    WLAN ID  WLAN Profile Name / SSID               Status    Interface Name
    1        LAN                                    Enabled   management
    2        Internet                               Enabled   management
    3        Managment Assets          Enabled   management
    4        Guest                                  Enabled   guest
    (Cisco Controller) >show dhcp detailed guest
    Scope: guest
    Enabled.......................................... Yes
    Lease Time....................................... 86400 (1 day )
    Pool Start....................................... 10.255.255.31
    Pool End......................................... 10.255.255.254
    Network.......................................... 10.255.255.0
    Netmask.......................................... 255.255.255.0
    Default Routers.................................. 10.255.255.1  0.0.0.0  0.0.0.0
    DNS Domain.......................................
    DNS.............................................. 8.8.8.8  8.8.4.4  0.0.0.0
    Netbios Name Servers............................. 0.0.0.0  0.0.0.0  0.0.0.0
    (Cisco Controller) >show interface detailed management
    Interface Name................................... management
    MAC Address...................................... e8:b7:48:9b:84:20
    IP Address....................................... 172.17.1.30
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 172.17.1.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 100
    Quarantine-vlan.................................. 0
    Active Physical Port............................. 1
    Primary Physical Port............................ 1
    Backup Physical Port............................. Unconfigured
    Primary DHCP Server.............................. 172.30.50.1
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    ACL.............................................. Unconfigured
    AP Manager....................................... Yes
    Guest Interface.................................. No
    L2 Multicast..................................... Enabled
    (Cisco Controller) >show interface detailed guest
    Interface Name................................... guest
    MAC Address...................................... e8:b7:48:9b:84:24
    IP Address....................................... 10.255.255.30
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 10.255.255.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 301
    Quarantine-vlan.................................. 0
    Active Physical Port............................. 1
    Primary Physical Port............................ 1
    Backup Physical Port............................. Unconfigured
    Primary DHCP Server.............................. Unconfigured
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    ACL.............................................. Unconfigured
    AP Manager....................................... No
    Guest Interface.................................. No
    L2 Multicast..................................... Enabled
    (Cisco Controller) >show dhcp leases
           MAC                IP         Lease Time Remaining
    00:21:6a:9c:03:04    10.255.255.46    23 hours 52 minutes 42 seconds        <<<<<<< lease remains even when the client is disconnected.
    *********Example of Client connected to the right Vlan with an ip address from the incorrect interface. *************
    (Cisco Controller) >show client detail 00:21:6a:9c:03:04
    Client MAC Address............................... 00:21:6a:9c:03:04
    Client Username ................................. N/A
    AP MAC Address................................... a0:cf:5b:00:49:c0
    AP Name.......................................... mel
    Client State..................................... Associated
    Client NAC OOB State............................. Access
    Wireless LAN Id.................................. 2                 <<<<<<<<   'Internet' SSID
    BSSID............................................ a0:cf:5b:00:49:ce
    Connected For ................................... 319 secs
    Channel.......................................... 36
    IP Address....................................... 10.255.255.46      <<<<<<< IP address assigned from the 'Guest' Interface or dhcp scope on the WLC
    Association Id................................... 1
    Authentication Algorithm......................... Open System
    Reason Code...................................... 1
    Status Code...................................... 0
    Session Timeout.................................. 1800
    Client CCX version............................... 4
    Client E2E version............................... 1
    QoS Level........................................ Silver
    802.1P Priority Tag.............................. disabled
    WMM Support...................................... Enabled
    Power Save....................................... OFF
    Mobility State................................... Local
    Mobility Move Count.............................. 0
    Security Policy Completed........................ Yes
    Policy Manager State............................. RUN
    Policy Manager Rule Created...................... Yes
    ACL Name......................................... none
    ACL Applied Status............................... Unavailable
    Policy Type...................................... N/A
    Encryption Cipher................................ None
    Management Frame Protection...................... No
    EAP Type......................................... Unknown
    H-REAP Data Switching............................ Central       <<<<<<<<<
    H-REAP Authentication............................ Central       <<<<<<<<<<
    Interface........................................ management
    VLAN............................................. 100           <<<<<<<<<<< right Vlan
    Quarantine VLAN.................................. 0
    Access VLAN...................................... 100

    Hi All,
    I have a similar issue where wireless clients are not receiving automatic addressing from an internal DHCP server. I have multiple interfaces configured on the WLC which are connected to separate VLANs. The manually specified DHCP primary server entry is the same on all interfaces. Some clients are able to authenticate and receive automatic IP configuration, but some clients are failing the address assignment process. I have checked connectivity between the WLC and the DHCP server; this is confirmed as working. When I carry out a "debug dhcp packet enable", I get the following output, which looks as if the DHCP discover request from the client is skipped. Your thoughts and input on this are appreciated.
    DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option len (including the magic cookie) 76
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: message type = DHCP DISCOVER
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 116 (len 1) - skipping
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 61 (len 7) - skipping
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: requested ip = 169.254.223.5
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 12 (len 13) - skipping
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: vendor class id = MSFT 5.0 (len 8)
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 55 (len 11) - skipping
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 43 (len 2) - skipping
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP options end, len 76, actual 68
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP Forwarding DHCP packet (332 octets) packet
    DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option len (including the magic cookie) 76
    Thanks,
    Raj Sandhu
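    Added example (not code from Raj's post or from Cisco): a small Python decoder for the DHCP options field that the "debug dhcp packet enable" output above walks through, useful for reading such a debug when the discover seems to be "skipped". The sample payload is constructed to carry the same option codes and lengths as the debug; only the client MAC (00:22:fb:7b:37:32) and the requested address (169.254.223.5) are taken from it, while the host name, the parameter request list and the option 43 bytes are invented. Summing those option lengths plus the cookie and End byte gives 68, which is exactly the "actual 68" the controller reports against a 76-byte field, so the "skipping" lines are simply options the WLC does not decode in this debug, not dropped data. The requested 169.254.x.x address is a link-local (APIPA) address, meaning the client had already self-assigned after failing to get a lease before this DISCOVER.

    ```python
    """Decode a DHCP options field the way the WLC debug above lists it.

    Added example, not code from the forum post or from Cisco. The sample
    payload is constructed to mirror the option codes and lengths in the
    'debug dhcp packet enable' output; only the client MAC and the requested
    address come from that output.
    """
    import ipaddress
    from dataclasses import dataclass
    from typing import List, Tuple

    MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 cookie that starts the options field

    # Names for the option codes that appear in the WLC debug (RFC 2132, RFC 4039).
    OPTION_NAMES = {
        12: "host name",
        43: "vendor specific information",
        50: "requested IP address",
        53: "DHCP message type",
        55: "parameter request list",
        60: "vendor class identifier",
        61: "client identifier",
        116: "auto-configure",
    }

    MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                     5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


    @dataclass
    class DhcpOption:
        code: int
        length: int
        raw: bytes
        decoded: str


    def decode_value(code: int, raw: bytes) -> str:
        """Render the options the debug names; everything else stays as hex."""
        if code == 53 and len(raw) == 1:
            return MESSAGE_TYPES.get(raw[0], f"type {raw[0]}")
        if code == 50 and len(raw) == 4:
            return str(ipaddress.IPv4Address(raw))
        if code in (12, 60):
            return raw.decode("ascii", errors="replace")
        if code == 61 and len(raw) == 7 and raw[0] == 1:  # type 1 = Ethernet MAC
            return ":".join(f"{b:02x}" for b in raw[1:])
        if code == 55:
            return ",".join(str(b) for b in raw)
        return raw.hex()


    def parse_dhcp_options(field: bytes) -> Tuple[List[DhcpOption], int]:
        """Walk the TLV options after the cookie.

        Returns the decoded options and the byte count up to and including the
        End option (what the WLC prints as 'actual'); trailing client padding
        is not counted, which is why 'actual' can be shorter than the field.
        """
        if not field.startswith(MAGIC_COOKIE):
            raise ValueError("options field does not start with the DHCP magic cookie")
        parsed: List[DhcpOption] = []
        pos = len(MAGIC_COOKIE)
        while pos < len(field):
            code = field[pos]
            if code == 0:            # Pad: single byte, no length
                pos += 1
                continue
            if code == 255:          # End: stop, ignore whatever padding follows
                return parsed, pos + 1
            if pos + 1 >= len(field):
                raise ValueError(f"option {code} has no length byte")
            length = field[pos + 1]
            raw = field[pos + 2:pos + 2 + length]
            if len(raw) != length:   # Truncated option: reject rather than guess
                raise ValueError(f"option {code} truncated: want {length}, have {len(raw)}")
            parsed.append(DhcpOption(code, length, raw, decode_value(code, raw)))
            pos += 2 + length
        raise ValueError("options field has no End option")


    def requested_ip_is_link_local(options: List[DhcpOption]) -> bool:
        """True when option 50 carries a 169.254/16 (APIPA) address: the client
        self-assigned because an earlier DHCP attempt returned no lease."""
        return any(o.code == 50 and ipaddress.IPv4Address(o.decoded).is_link_local
                   for o in options)


    def describe(options: List[DhcpOption]) -> List[str]:
        """One line per option, in the style of the WLC debug."""
        return [f"DHCP option: {o.code} {OPTION_NAMES.get(o.code, 'unknown')} "
                f"(len {o.length}) = {o.decoded}" for o in options]


    def _opt(code: int, value: bytes) -> bytes:
        return bytes([code, len(value)]) + value


    # Constructed sample: same codes/lengths as the debug, 76-byte field, 68 bytes used.
    SAMPLE_OPTIONS = (
        MAGIC_COOKIE
        + _opt(53, b"\x01")                                            # DHCP DISCOVER
        + _opt(116, b"\x01")                                           # auto-configure (len 1)
        + _opt(61, b"\x01" + bytes.fromhex("0022fb7b3732"))            # client id: MAC from the debug
        + _opt(50, ipaddress.IPv4Address("169.254.223.5").packed)      # requested ip from the debug
        + _opt(12, b"WKSTN-CONSTRU")                                   # constructed 13-byte host name
        + _opt(60, b"MSFT 5.0")                                        # vendor class id (len 8)
        + _opt(55, bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121]))  # constructed request list (len 11)
        + _opt(43, b"\xdc\x00")                                        # constructed 2-byte vendor option
        + b"\xff"                                                      # End
        + b"\x00" * 8                                                  # client padding to 76 bytes
    )

    if __name__ == "__main__":
        opts, used = parse_dhcp_options(SAMPLE_OPTIONS)
        print(f"DHCP options end, len {len(SAMPLE_OPTIONS)}, actual {used}")
        for line in describe(opts):
            print(line)
        if requested_ip_is_link_local(opts):
            print("client requests an APIPA address: it held no lease before this DISCOVER")
    ```

    Running it prints the same "len 76, actual 68" pair as the controller and names every option the debug marks "skipping". When reading a real capture, a link-local requested address on a client that used to work points at the client having lost its lease earlier, so the interesting question becomes why the OFFER never arrived (interface-to-VLAN mapping, proxy setting, or the scope itself) rather than whether the DISCOVER was parsed.
    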

  • Can i use Internal DHCP on WLC Guest Anchor (5508) with Foreign HA 5508

    DHCP Proxy is required in order to use a local WLC DHCP pool (Guest Anchor); however, the Wireless Q&A (http://www.cisco.com/image/gif/paws/107458/wga-faq.pdf) states the following about the foreign and guest anchor controllers:
    In a Wireless guest access setup, the DHCP proxy setting in the Guest Anchor controllers
    and the internal controller must match. Else, DHCP request from clients are dropped and you
    see this error message on the internal controller......
    However, if you have N+1 you cannot use internal DHCP; does this also "grey" out the DHCP Proxy global setting? If so, will the Guest Anchor still work with an internal DHCP pool even though the foreign and guest controllers have a mismatch in the DHCP Proxy (global) setting?
    Many Thanks
    Kam

    Well, it should still work... dhcp proxy is required on the WLC that has a dhcp scope. With the newer code versions, you can enable dhcp proxy per interface, so this doesn't have to be global.

  • Clients unable to connect and get DHCP - LAP1142N AP and 5508 WLC

    Hi,
    I have 19 locations, each with 1 or more LAP1142N APs in FlexConnect mode; the APs are primed using CAPWAP to my 5508 WLC at the datacenter. The APs join the WLC without issue every time. I have two WLANs, one guest and one staff. The guest network is open and obtains DHCP from a WatchGuard XTM33 firewall at each of the remote locations. The staff side is WPA2/RADIUS and DHCP is assigned from the WLC. Each AP is assigned a static IP that is not in the DHCP scope. For example: the DHCP scope on the branch firewall is 192.168.1.10-250 and the AP will be assigned the static IP 192.168.1.1. The APs are connected to an HP ProCurve switch that has an untagged VLAN; the firewall is using the native VLAN 1 and so is the AP.
    I have been running this network for over a year and it has not had a single issue until the last two weeks. Nothing on the network has changed or has been upgraded.
    Now for the issue: clients are no longer able to connect to the AP and do not get DHCP assigned to them. I am able to get it working: if I remove the static IP from the AP, the AP will reboot, join the controller, then begin working; users can connect and DHCP is assigned from the firewall as it should. However, if the AP then reboots, the AP will join back to the controller but no clients can connect, nor do they get a DHCP address. So I then reassign a static IP to the AP again and it reboots, connects to the controller, and clients can then connect and get DHCP.
    Attached is a running config from one of the APs
    I've found several posts on this topic; in fact the workaround of unassigning or reassigning the static IP is one that I found. However, I wanted to post this to see if there is any further assistance I can get on this. I am also waiting on my SmartNet to start up and will be contacting Cisco support as well.
    Thanks for any help.

    Alright, so I finally figured out the issue with this. I had a Mobility Anchor set on the guest WLAN and once I removed that all started working again.
    What is Mobility Anchor?
    A. Mobility Anchor, also referred to as Guest Tunneling or Auto-Anchor Mobility, is a feature where all the client traffic that belongs to a WLAN (especially a guest WLAN) is tunneled to a predefined WLC or set of controllers that are configured as the anchor for that specific WLAN. This feature helps to restrict clients to a specific subnet and gives more control over the user traffic. Refer to the Configuring Auto-Anchor Mobility section of the Cisco Wireless LAN Controller Configuration Guide, Release 7.0 for more information on this feature.

  • WLC 5508 and Multiple DHCP servers in different sites?

    Hi
    I work for a health authority in our region and we just purchased a Cisco WLC 5508 controller along with 25 3500 APs. We have multiple sites with different IP subnets in each, all connected by a frame relay (owned by the ISP). Each site has its own DHCP server. I have the controller in our main site. So when I take an AP to a remote site, the AP gets a DHCP address from the local DHCP server (which is great), contacts the controller and joins it. Everything is good. BUT, when a client joins at the remote site, it gets an address from a previous site, which will not work because the client is now on a different subnet. We don't use VLANs as they don't traverse the frame relay. I need those clients to obtain DHCP from the local DHCP server at the site they are on. Is that possible??
    I have updated the controller to latest version as well.
    Thanks
    Bryan Yaciuk, CCNA
    Parkland Regional Health Authority

    We call this HREAP LOCAL SWITCHING!! But here is the catch.. every time the AP joins a new site.. we need to configure the VLAN mapping, and this will do it for you!! Here is the link which will resolve your issue..
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807cc3b8.shtml#ll
    Let me know if this answered your question, and please don't forget to rate the useful posts!!
    Regards
    Surendra

  • 5508 internal DHCP server

    Hi,
    A client wants us to use the internal DHCP server on a 5508 instead of Windows DHCP. They will have 15 APs initially and up to 25 later. The docs on the 7.2 WLC make it sound like this is discouraged:
    Internal DHCP Server: The controllers contain an internal DHCP server. This server is typically used in branch offices that do not already have a DHCP server. The wireless network generally contains 10 access points or fewer, with the access points on the same IP subnet as the controller.
    In this case, the APs will not be in the same subnet as the Management Interface.
    Is it a mistake to use the internal DHCP with up to 25 APs (3 WLANs)?
    Thanks.

    #DHCP proxy needs to be enabled to use internal DHCP on the WLC. The WLC uses the virtual IP for DHCP and the packets are unicast. So keeping the AP on L3 doesn't work with internal DHCP. DHCP for wireless clients works because the packets are sent to the WLC via CAPWAP.
    #The DHCP required state can cause traffic to not be forwarded properly if a client is deauthenticated or removed. To overcome this problem, ensure that the DHCP required state is always disabled.
    Ans: it is expected behavior irrespective of DHCP being internal or external; it is a feature, not a disadvantage.
    Cons:-
    #Can't have DHCP reservations.
    #Can't have option 43 or any other DHCP options.
    #The DHCP service can't be restarted; a WLC reboot is required if you need to do so.
    #If multiple WLCs are used, you need to create non-overlapping scopes on the other WLCs as well.
    #Wired clients cannot get an IP from the internal DHCP. So you need to maintain a separate network & DHCP server for the wired network, and this requires routing.
    #From the WLC GUI, you can't remove the client; you need to use the CLI.
    #A WLC reboot may clear the DHCP leases, though not 100% sure.

  • WLC 5508, vlan select, reserved address in external DHCP server

    Hi guys,
    I have a deployment with a WLC 5508 version 7.0.116.0, APs in local mode and the VLAN select feature enabled. The issue is that the reserved IP addresses in the external DHCP server do not work. The DHCP server contains a reserved IP address associated with a MAC address, but the IP assignment does not match the policies in the DHCP server. All other services operate normally.
    This reserved assignment operated previously, before modifying the WLAN to use the VLAN select feature. Help me to improve this situation.
    Thanks.-
    Best regards

    Hello Abhishek, thanks for your quick answer....
    The link was a document used for the deployment, but it does not specify anything about reserved IP addresses for particular hosts. In other words, the reserved IP address (through the MAC address) in the external DHCP server does not work when "vlan select" is enabled.

  • WLC CT2504: Interface IP can not be used as internal DHCP server IP

    Hello all,
    I've got a new CT2504 controller with software version 7.0.220.0
    Referring to
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080af5d13.shtml
    I've tried to configure the internal DHCP on a dynamic-interface, but this is not possible:
    (Cisco Controller) >config interface dhcp dynamic-interface vlan401 primary 172.16.x.3
    vlan401 Interface IP can not be used as internal DHCP server IP
    It works, if I use another IP (aka DHCP server) in the same subnet or in another subnet. It works also for the management interface.
    (Cisco Controller) >show interface detailed management
    Interface Name................................... management
    MAC Address...................................... d0:c2:82:xx:xx:xx
    IP Address....................................... 10.2.x.135
    IP Netmask....................................... 255.255.255.240
    IP Gateway....................................... 10.2.x.129
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 400
    Quarantine-vlan.................................. 0
    Active Physical Port............................. 1
    Primary Physical Port............................ 1
    Backup Physical Port............................. Unconfigured
    Primary DHCP Server.............................. 10.2.x.135
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    ACL.............................................. Unconfigured
    AP Manager....................................... Yes
    Guest Interface.................................. No
    L2 Multicast..................................... Disabled
    Scopes are defined and Proxy is enabled.
    (Cisco Controller) >show dhcp summary
      Scope Name                   Enabled          Address Range
    ap                               Yes      10.2.x.137 -> 10.2.x.140
    intern                            Yes      172.16.x.20 -> 172.16.x.30
    (Cisco Controller) >show dhcp proxy
    DHCP Proxy Behaviour: enabled
    Does somebody have an explanation for this issue?
    Thanks in advance,
    Regards,
    Robert

    You can use the internal DHCP, but you need to set the primary DHCP server as the management IP. So in your dynamic interface, your primary DHCP is configured with the WLC management IP address. DHCP proxy also needs to be enabled, and it is enabled by default.
    Thanks,
    Scott Fella
    Sent from my iPhone
