AP c1130 and 7.4 WLC

I have a problem. What do I do?

No session registration is currently active.

* 14:29:38.000 Nov 5: % CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.10.1 peer_port: 5246
* 14:29:39.343 Nov 5: % CAPWAP-5-DTLSREQSUCC: DTLS connection created successfully peer_ip: 172.16.10.1 peer_port: 5246
* 14:29:39.344 Nov 5: % CAPWAP-5-SENDJOIN: send request to join 172.16.10.1
* 14:29:39.346 Nov 5: % 3-CAPWAP-ERRORLOG: white event 10 & combination State 5.
* 14:29:39.346 Nov 5: % 3-CAPWAP-ERRORLOG: CAPWAP SM Manager: unable to process the message status type 10 5.
* 14:29:39.347 Nov 5: % 3-CAPWAP-ERRORLOG: could not manage capwap control message from the controller
* 14:29:39.347 Nov 5: % CAPWAP-3-Journal of ERROR: failed to process the encrypted package 172.16.10.1 capwap
* 14:29:39.547 Nov 5: % DTLS-5-ALERT: WARNING received: close notify alert 172.16.10.1
* 5 Nov 14:29:39.548: % DTLS-5-SEND_ALERT: send FATAL: close notify alert at 172.16.10.1:5246
* 5 Nov 14:29:39.609: % CLIENTERRORLOG-3-LWAPP: LWAPP LED Init: incorrect led State 255
* 5 Nov 14:29:39.610: bsnInitRcbSlot: slot 1 has NO radio
* 5 Nov 14:29:40.632: % LINEPROTO-5-UPDOWN: Line protocol on the Interface Dot11Radio0, state change downstairs
* 14:29:40.714 Nov 5: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
* 14:29:40.719 Nov 5: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
* 14:29:40.724 Nov 5: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
* 14:29:41.749 Nov 5: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
* 5 Nov 14:29:42.749: % LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed State to
* 14:29:49.682 Nov 5: % 3-CAPWAP-ERRORLOG: go join a capwap controller
* 14:29:49.000 Nov 5: % CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.10.1 peer_port: 5246
* 14:29:50.347 Nov 5: % CAPWAP-5-DTLSREQSUCC: DTLS connection created successfully peer_ip: 172.16.10.1 peer_port: 5246
* 14:29:50.348 Nov 5: % CAPWAP-5-SENDJOIN: send request to join 172.16.10.1
% do not forget to ask the administrator of the CA to revoke your certificate.

No session registration is currently active.

* 14:29:50.350 Nov 5: % 3-CAPWAP-ERRORLOG: white event 10 & combination State 5.
* 14:29:50.350 Nov 5: % 3-CAPWAP-ERRORLOG: CAPWAP SM Manager: unable to process the message status type 10 5.
* 14:29:50.350 Nov 5: % 3-CAPWAP-ERRORLOG: could not manage capwap control message from the controller
* 14:29:50.350 Nov 5: % CAPWAP-3-Journal of ERROR: failed to process the encrypted package 172.16.10.1 capwap
* 14:29:50.548 Nov 5: % DTLS-5-ALERT: WARNING received: close notify alert 172.16.10.1
* 5 Nov 14:29:50.548: % DTLS-5-SEND_ALERT: send FATAL: close notify alert at 172.16.10.1:5246
* 5 Nov 14:29:50.609: % CLIENTERRORLOG-3-LWAPP: LWAPP LED Init: incorrect led State 255
* 5 Nov 14:29:50.609: bsnInitRcbSlot: slot 1 has NO radio
* 5 Nov 14:29:51.631: % LINEPROTO-5-UPDOWN: Line protocol on the Interface Dot11Radio0, state change downstairs
* 14:29:51.663 Nov 5: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
* 14:29:51.668 Nov 5: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
* 14:29:52.693 Nov 5: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
* 5 Nov 14:29:53.694: % LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed State to
* 14:30:00.681 Nov 5: % 3-CAPWAP-ERRORLOG: go join a capwap controller
* 14:30:01.000 Nov 5: % CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.10.1 peer_port: 5246
* 14:30:02.340 Nov 5: % CAPWAP-5-DTLSREQSUCC: DTLS connection created successfully peer_ip: 172.16.10.1 peer_port: 5246
* 14:30:02.341 Nov 5: % CAPWAP-5-SENDJOIN: send request to join 172.16.10.1
% do not forget to ask the administrator of the CA to revoke your certificate.

No session registration is currently active.

* 14:30:02.343 Nov 5: % 3-CAPWAP-ERRORLOG: white event 10 & combination State 5.
* 14:30:02.343 Nov 5: % 3-CAPWAP-ERRORLOG: CAPWAP SM Manager: unable to process the message status type 10 5.
* 14:30:02.343 Nov 5: % 3-CAPWAP-ERRORLOG: could not manage capwap control message from the controller
* 14:30:02.343 Nov 5: % CAPWAP-3-Journal of ERROR: failed to process the encrypted package 172.16.10.1 capwap
* 14:30:03.166 Nov 5: % DTLS-5-ALERT: WARNING received: close notify alert 172.16.10.1
* 5 Nov 14:30:03.166: % DTLS-5-SEND_ALERT: send FATAL: close notify alert at 172.16.10.1:5246
* 5 Nov 14:30:03.229: % CLIENTERRORLOG-3-LWAPP: LWAPP LED Init: incorrect led State 255
* 5 Nov 14:30:03.229: bsnInitRcbSlot: slot 1 has NO radio
* 14:30:03.252 Nov 5: % LINK-5-CHANGED: Interface Dot11Radio0, changed state down administratively
* 14:30:03.303 Nov 5: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
* 14:30:03.304 Nov 5: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
* 14:30:03.309 Nov 5: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
* 5 Nov 14:30:04.251: % LINEPROTO-5-UPDOWN: Line protocol on the Interface Dot11Radio0, state change downstairs
* 14:30:04.333 Nov 5: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
* 14:30:04.338 Nov 5: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
* 14:30:04.343 Nov 5: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
* 14:30:05.368 Nov 5: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
* 5 Nov 14:30:06.369: % LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed State to
* 14:30:13.302 Nov 5: % 3-CAPWAP-ERRORLOG: go join a controller capwap
% do not forget to ask the administrator of the CA to revoke your certificate.

No session registration is currently active.

* 14:30:13.000 Nov 5: % CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.10.1 peer_port: 5246
* 14:30:14.339 Nov 5: % CAPWAP-5-DTLSREQSUCC: DTLS connection created successfully peer_ip: 172.16.10.1 peer_port: 5246
* 14:30:14.340 Nov 5: % CAPWAP-5-SENDJOIN: send request to join 172.16.10.1
* 14:30:14.342 Nov 5: % 3-CAPWAP-ERRORLOG: white event 10 & combination State 5.
* 14:30:14.342 Nov 5: % 3-CAPWAP-ERRORLOG: CAPWAP SM Manager: unable to process the message status type 10 5.
* 14:30:14.343 Nov 5: % 3-CAPWAP-ERRORLOG: could not manage capwap control message from the controller
* 14:30:14.343 Nov 5: % CAPWAP-3-Journal of ERROR: failed to process the encrypted package 172.16.10.1 capwap
* 14:30:14.539 Nov 5: % DTLS-5-ALERT: WARNING received: close notify alert 172.16.10.1
* 5 Nov 14:30:14.539: % DTLS-5-SEND_ALERT: send FATAL: close notify alert at 172.16.10.1:5246
* 5 Nov 14:30:14.600: % CLIENTERRORLOG-3-LWAPP: LWAPP LED Init: incorrect led State 255
* 5 Nov 14:30:14.600: bsnInitRcbSlot: slot 1 has NO radio
* 5 Nov 14:30:15.622: % LINEPROTO-5-UPDOWN: Line protocol on the Interface Dot11Radio0, state change downstairs
* 14:30:15.654 Nov 5: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
* 14:30:15.659 Nov 5: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
* 14:30:16.684 Nov 5: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
* 5 Nov 14:30:17.684: % LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed State to
* 14:30:24.674 Nov 5: % 3-CAPWAP-ERRORLOG: go join a capwap controller
* 14:30:25.000 Nov 5: % CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.10.1 peer_port: 5246
* 14:30:26.338 Nov 5: % CAPWAP-5-DTLSREQSUCC: DTLS connection created successfully peer_ip: 172.16.10.1 peer_port: 5246
* 14:30:26.339 Nov 5: % CAPWAP-5-SENDJOIN: send request to join 172.16.10.1
% do not forget to ask the administrator of the CA to revoke your certificate.

No session registration is currently active.

* 14:30:26.341 Nov 5: % 3-CAPWAP-ERRORLOG: white event 10 & combination State 5.
* 14:30:26.341 Nov 5: % 3-CAPWAP-ERRORLOG: CAPWAP SM Manager: unable to process the message status type 10 5.
* 14:30:26.342 Nov 5: % 3-CAPWAP-ERRORLOG: could not manage capwap control message from the controller
* 14:30:26.342 Nov 5: % CAPWAP-3-Journal of ERROR: failed to process the encrypted package 172.16.10.1 capwap
* 14:30:26.540 Nov 5: % DTLS-5-ALERT: WARNING received: close notify alert 172.16.10.1
* 5 Nov 14:30:26.541: % DTLS-5-SEND_ALERT: send FATAL: close notify alert at 172.16.10.1:5246
* 5 Nov 14:30:26.602: % CLIENTERRORLOG-3-LWAPP: LWAPP LED Init: incorrect led State 255
* 5 Nov 14:30:26.602: bsnInitRcbSlot: slot 1 has NO radio
* 14:30:26.676 Nov 5: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
* 14:30:26.678 Nov 5: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
* 14:30:26.683 Nov 5: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
* 5 Nov 14:30:27.624: % LINEPROTO-5-UPDOWN: Line protocol on the Interface Dot11Radio0, state change downstairs
* 14:30:27.707 Nov 5: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
* 14:30:27.712 Nov 5: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
* 14:30:27.717 Nov 5: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
* 14:30:28.742 Nov 5: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
* 5 Nov 14:30:29.743: % LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed State to
* 14:30:36.676 Nov 5: % 3-CAPWAP-ERRORLOG: go join a capwap controller
* 14:30:37.000 Nov 5: % CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.10.1 peer_port: 5246
* 14:30:38.331 Nov 5: % CAPWAP-5-DTLSREQSUCC: DTLS connection created successfully peer_ip: 172.16.10.1 peer_port: 5246
* 14:30:38.332 Nov 5: % CAPWAP-5-SENDJOIN: send request to join 172.16.10.1
% do not forget to ask the administrator of the CA to revoke your certificate.

No session registration is currently active.

* 14:30:38.334 Nov 5: % 3-CAPWAP-ERRORLOG: white event 10 & combination State 5.
* 14:30:38.334 Nov 5: % 3-CAPWAP-ERRORLOG: CAPWAP SM Manager: unable to process the message status type 10 5.
* 14:30:38.334 Nov 5: % 3-CAPWAP-ERRORLOG: could not manage capwap control message from the controller
* 14:30:38.334 Nov 5: % CAPWAP-3-Journal of ERROR: failed to process the encrypted package 172.16.10.1 capwap
* 14:30:39.154 Nov 5: % DTLS-5-ALERT: WARNING received: close notify alert 172.16.10.1
* 5 Nov 14:30:39.154: % DTLS-5-SEND_ALERT: send FATAL: close notify alert at 172.16.10.1:5246
* 5 Nov 14:30:39.214: % CLIENTERRORLOG-3-LWAPP: LWAPP LED Init: incorrect led State 255
* 5 Nov 14:30:39.215: bsnInitRcbSlot: slot 1 has NO radio
* 14:30:39.237 Nov 5: % LINK-5-CHANGED: Interface Dot11Radio0, changed state down administratively
* 14:30:39.289 Nov 5: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
* 14:30:39.290 Nov 5: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
* 14:30:39.296 Nov 5: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
* 5 Nov 14:30:40.237: % LINEPROTO-5-UPDOWN: Line protocol on the Interface Dot11Radio0, state change downstairs
* 14:30:40.321 Nov 5: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
* 14:30:40.326 Nov 5: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
* 14:30:40.331 Nov 5: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
* 14:30:41.356 Nov 5: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
* 5 Nov 14:30:42.356: % LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed State to
* 14:30:49.289 Nov 5: % 3-CAPWAP-ERRORLOG: go join a controller capwap
% do not forget to ask the administrator of the CA to revoke your certificate.

No session registration is currently active.

* 14:30:49.000 Nov 5: % CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.10.1 peer_port: 5246
* 14:30:50.339 Nov 5: % CAPWAP-5-DTLSREQSUCC: DTLS connection created successfully peer_ip: 172.16.10.1 peer_port: 5246
* 14:30:50.340 Nov 5: % CAPWAP-5-SENDJOIN: send request to join 172.16.10.1
* 14:30:50.342 Nov 5: % 3-CAPWAP-ERRORLOG: white event 10 & combination State 5.
* 14:30:50.342 Nov 5: % 3-CAPWAP-ERRORLOG: CAPWAP SM Manager: unable to process the message status type 10 5.
* 14:30:50.342 Nov 5: % 3-CAPWAP-ERRORLOG: could not manage capwap control message from the controller
* 14:30:50.343 Nov 5: % CAPWAP-3-Journal of ERROR: failed to process the encrypted package 172.16.10.1 capwap
* 14:30:50.542 Nov 5: % DTLS-5-ALERT: WARNING received: close notify alert 172.16.10.1
* 5 Nov 14:30:50.542: % DTLS-5-SEND_ALERT: send FATAL: close notify alert at 172.16.10.1:5246
* 5 Nov 14:30:50.604: % CLIENTERRORLOG-3-LWAPP: LWAPP LED Init: incorrect led State 255
* 5 Nov 14:30:50.604: bsnInitRcbSlot: slot 1 has NO radio
* 5 Nov 14:30:51.626: % LINEPROTO-5-UPDOWN: Line protocol on the Interface Dot11Radio0, state change downstairs
* 14:30:51.659 Nov 5: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
* 14:30:51.664 Nov 5: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
* 14:30:52.689 Nov 5: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
* 5 Nov 14:30:53.689: % LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed State to
* 14:31:00.678 Nov 5: % 3-CAPWAP-ERRORLOG: go join a capwap controller
* 14:31:00.000 Nov 5: % CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.10.1 peer_port: 5246
* 14:31:01.339 Nov 5: % CAPWAP-5-DTLSREQSUCC: DTLS connection created successfully peer_ip: 172.16.10.1 peer_port: 5246
* 14:31:01.340 Nov 5: % CAPWAP-5-SENDJOIN: send request to join 172.16.10.1
% do not forget to ask the administrator of the CA to revoke your certificate.

See the thread below and make sure that you have a version of the software which has a command to fix this cert.

https://supportforums.Cisco.com/document/12453081/lightweight-AP-fail-create-capwaplwapp-connection-due-certificate-expiration

HTH

Rasika

Pls note all useful responses *.
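
A triage sketch for the console output in the question, added here and not part of the original thread: it splits an AP log into join attempts and reports each controller for which DTLS came up and the join was then torn down repeatedly, which is the loop the posted output shows. The sample lines are constructed in the same shape as the post; the peer 192.0.2.10 and all function names are assumptions.

```python
import re
from dataclasses import dataclass, field
from statistics import median

# Constructed sample modelled on the console output in the post.
# 192.0.2.10 is a made-up second controller that never completes DTLS.
SAMPLE_LOG = """\
* 14:29:38.000 Nov 5: % CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.10.1 peer_port: 5246
* 14:29:39.343 Nov 5: % CAPWAP-5-DTLSREQSUCC: DTLS connection created successfully peer_ip: 172.16.10.1 peer_port: 5246
* 14:29:39.344 Nov 5: % CAPWAP-5-SENDJOIN: send request to join 172.16.10.1
* 14:29:39.346 Nov 5: % 3-CAPWAP-ERRORLOG: could not manage capwap control message from the controller
* 14:29:39.547 Nov 5: % DTLS-5-ALERT: WARNING received: close notify alert 172.16.10.1
* 5 Nov 14:29:39.548: % DTLS-5-SEND_ALERT: send FATAL: close notify alert at 172.16.10.1:5246
* 14:29:49.682 Nov 5: % 3-CAPWAP-ERRORLOG: go join a capwap controller
* 14:29:49.000 Nov 5: % CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.10.1 peer_port: 5246
* 14:29:50.347 Nov 5: % CAPWAP-5-DTLSREQSUCC: DTLS connection created successfully peer_ip: 172.16.10.1 peer_port: 5246
* 14:29:50.348 Nov 5: % CAPWAP-5-SENDJOIN: send request to join 172.16.10.1% do not forget to ask the administrator
* 14:29:50.548 Nov 5: % DTLS-5-ALERT: WARNING received: close notify alert 172.16.10.1
* 14:30:01.000 Nov 5: % CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.10.1 peer_port: 5246
* 14:30:02.340 Nov 5: % CAPWAP-5-DTLSREQSUCC: DTLS connection created successfully peer_ip: 172.16.10.1 peer_port: 5246
* 14:30:02.341 Nov 5: % CAPWAP-5-SENDJOIN: send request to join 172.16.10.1
* 5 Nov 14:30:03.166: % DTLS-5-SEND_ALERT: send FATAL: close notify alert at 172.16.10.1:5246
* 14:30:13.000 Nov 5: % CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.0.2.10 peer_port: 5246
* 14:30:43.000 Nov 5: % 3-CAPWAP-ERRORLOG: go join a capwap controller
"""

# The timestamp fields are in varying order in the post, so only HH:MM:SS.mmm is used.
TIME_RE = re.compile(r"(\d{2}):(\d{2}):(\d{2})\.(\d{3})")
PEER_RE = re.compile(r"peer_ip:\s*(\d+\.\d+\.\d+\.\d+)")

# Keywords from the messages in the post, matched in this order.
EVENTS = [
    ("DTLSREQSEND", "dtls_request"),
    ("DTLSREQSUCC", "dtls_up"),
    ("SENDJOIN", "join_sent"),
    ("SEND_ALERT", "alert_sent"),
    ("DTLS-5-ALERT", "alert_received"),
    ("ERRORLOG", "capwap_error"),
]


def classify_line(line):
    """Map one console line to an event name, or None if it is unrelated."""
    for keyword, name in EVENTS:
        if keyword in line:
            return name
    return None


@dataclass
class Attempt:
    start: float                 # seconds since midnight of the DTLS request
    peer: str                    # controller address taken from peer_ip
    stages: list = field(default_factory=list)

    def outcome(self):
        """Say how far this attempt got before it ended."""
        if "dtls_up" not in self.stages:
            return "dtls_handshake_failed"
        if "join_sent" not in self.stages:
            return "no_join_sent"
        after_join = self.stages[self.stages.index("join_sent") + 1:]
        if "alert_received" in after_join or "alert_sent" in after_join:
            return "rejected_after_dtls"
        return "no_teardown_seen"


def parse_attempts(lines):
    """Start a new attempt at every DTLS request; attach later events to it."""
    attempts, current = [], None
    for line in lines:
        stamp, event = TIME_RE.search(line), classify_line(line)
        if not stamp or event is None:
            continue
        if event == "dtls_request":
            h, m, s, ms = map(int, stamp.groups())
            peer = PEER_RE.search(line)
            current = Attempt(h * 3600 + m * 60 + s + ms / 1000,
                              peer.group(1) if peer else "unknown")
            attempts.append(current)
        elif current is not None:
            current.stages.append(event)
    return attempts


def find_join_loops(attempts, min_repeats=3):
    """Report peers with at least min_repeats consecutive post-DTLS rejections."""
    by_peer = {}
    for attempt in attempts:
        by_peer.setdefault(attempt.peer, []).append(attempt)
    loops = {}
    for peer, items in by_peer.items():
        run, best = [], []
        for attempt in items:
            run = run + [attempt] if attempt.outcome() == "rejected_after_dtls" else []
            if len(run) > len(best):
                best = run
        if len(best) >= min_repeats:
            gaps = [b.start - a.start for a, b in zip(best, best[1:])]
            loops[peer] = {"attempts": len(best),
                           "median_retry_s": median(gaps) if gaps else None}
    return loops


if __name__ == "__main__":
    parsed = parse_attempts(SAMPLE_LOG.splitlines())
    for attempt in parsed:
        print(attempt.peer, attempt.outcome())
    print(find_join_loops(parsed))
```

A controller listed in the result completed the DTLS handshake on every attempt, so the path to UDP 5246 works and the rejection happens at the join step. Timestamps are compared within one day only.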

Tags: Cisco Wireless

Similar Questions

  • Questions - Samsung Galaxy 2 and 3 Xcover - WLC 5500 - SW 8.1.131.0 roaming

    Hello.

    I have problems with Samsung Galaxy Xcover 2 and 3 phones that connect to our customer's Wi-Fi network. They have a WLC5508 with SW 8.1.131.0 and use CAP2702 in local mode. The SSID is set up with WPA2 PSK. Samsung clients connect, but when they roam, they drop and reconnect to the next access point. Has anyone experienced this and found a solution?

    Rgds

    Snorre Ölberg

    Is it only these devices? If so, it sounds like a client issue. Have you tried debugging and reproducing the problem?

  • Wireless 802.11r and Laurette on WLC

    Hi all

    I saw that in version 7.4 and later on the WLC5508 you can configure 802.11r and 11k fast aid Transaction so that iOS7 doesn't suffer a connection loss when roaming... My question is: on the same Wi-Fi network, can I configure 802.1X and FT-802.1X authentication so that I'll be able to have non-802.11r and 802.11r compatible clients on the same SSID? Or does this configuration create association problems?

    BR

    OG

    Maybe this can help also to explain it:

    http://www.Cisco.com/en/us/docs/wireless/controller/7.3/configuration/gu...

    Legacy clients cannot associate with a WLAN that has 802.11r enabled, unless the driver of the supplicant that is responsible for parsing the Robust Security Network Information Exchange (RSN IE) is old and not aware of the additional AKM suites in the IE. Because of this limitation, clients cannot send association requests to WLANs. These clients, however, can still associate with non-802.11r WLANs. Clients that are 802.11r capable can associate as 802.11i clients on WLANs that have both 802.11i and 802.11r Authentication Key Management suites enabled. The solution is to enable or upgrade the driver of the legacy clients to work with the new 802.11r AKMs, after which legacy clients can associate successfully with 802.11r enabled WLANs. Another solution is to have two SSIDs with the same name but with different security parameters (FT and non-FT).

    Sent by Cisco Support technique iPhone App

  • Base config for the 2nd and 3rd WLC?

    I saw the discussion about the configuration of failover on the WLC. I think I have a pretty good understanding of what is supposed to happen here. But what is really clear is the base config on the 2nd and 3rd WLC. Do they need to be configured exactly like the first, with the exception of the unique fields such as host name, IP addresses, interfaces and such? Do people usually take the config of the first and do a "find and replace" to fix the config for subsequent controllers? I will add 2 more controllers in the near future and am trying to get a better understanding of the process before I have to implement it. Thank you!

    You are right about the WLC config: unique IP/hostname info and everything else the same. There are usually not a lot of configuration changes to make on the additional WLC; the few times that I did it, I manually configured things or used WCS. Configure the additional WLCs as part of the same mobility group and/or hardcode the primary, secondary and tertiary controllers on the APs for failover.

    HTH

  • WLC 4402 impossible to authenticate correctly with ACS 5.2

    For some reason, I can't get the WLC to authenticate correctly with ACS 5.2. It's very strange in the sense that when I checked the log, ACS authenticates and authorizes the WLC 4402, but I can't log on to the WLC. The login screen appears; if I type the username, it jumps to

    Controller of >

    user:

    password:

    No matter what I typed (internal or external users), nothing seems to work.

    It comes to my frustration, I have no problem with authentication of routers and switches except WLC 4402.

    Hello

    Please remove the privilege level settings on the ACS.

    Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles > Common Tasks

    Default Privilege - Not in Use

    Maximum Privilege - Not in Use

    I hope this helps.

    Kind regards

    Anisha

    P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages

  • Image file capwap IOS corresponding with image Wlc file flash

    Hello to all the experts wireless

    My question may seem a bit obvious to some of you, but here it is :)

    I would like to understand the relationship between the CAPWAP IOS image file I see when typing "dir flash:" on an AP and the version a WLC gives to this access point when it joins. My WLC runs 7.4.100 and this is the access point's flash (2602i):

    MYCAPWAPAP #dir flash:
    Directory of flash: /.

    2 - rwx 75095 October 23, 2014 07:54:43 + 00:00 event.log
    3 - rwx 280 23 October 2014 07:57:35 + 00:00 lwapp_officeextend.cfg
    4 - rwx 49372 October 23, 2014 09:37:14 + 00:00 lwapp_non_apspecific_reap.cfg
    5 - rwx 95008 October 23, 2014 07:54:34 + 00:00 lwapp_reap.cfg.bak
    drwx 10 2048 October 23, 2014 07:54:33 + 00:00 ap3g2-k9w8 - mx.152 - 4.JB6
    drwx 51 128 23 October 2014 07:57:38 + 00:00 configs
    52 - rwx 64 23 October 2014 07:54:34 + 00:00 sensord_CSPRNG0
    53 - rwx 64 23 October 2014 07:54:34 + 00:00 sensord_CSPRNG1
    77 - rwx 95008 October 23, 2014 07:57:55 + 00:00 lwapp_reap.cfg
    7 - rwx 7192 23 October 2014 09:36:56 + 00:00 private-multiple-fs
    56 - rwx 0 26 March 2014 14:37:17 + 00:00 this
    drwx 13 448 9 November 2013 19:06:17 + 00:00 ap3g2-rcvk9w8-mx
    8 - rwx 75303 October 22, 2014 16:30:26 + 00:00 event.capwap
    76 - rwx 230 23 October 2014 07:57:34 + 00:00 env_vars

    total 31739904 bytes (10376704 bytes free)

    Does that mean that the 7.4.100 image file is included in the ap3g2 file? In other words, where is the firmware image from the WLC stored on the AP? As an access point has a main image and a backup, it must be stored somewhere on it, or maybe I'm missing something here!

    Thank you

    Theo

    Hi Theo,

    If you read this post, you will understand which AP platform ap3g2 represents.

    https://supportforums.Cisco.com/document/77131/understanding-access-point-iOS-images

    platform-featureset-tar.version.tar

    • ap1g1 - 700 series (702w starting with 15.2(4)JB5)
    • ap1g2 - 1600 series
    • ap1g3 - 1530 series
    • ap3g2 - 3700/2700/3600/2600 series (3700 supported starting with 15.2(4)JB; 2700 starting with 15.2(4)JB5)
    • ap3g1 - 3500/1260 series

    In lightweight mode, there is a recovery image and a full image. (The recovery image contains the minimum files to boot the AP and discover a WLC; the WLC will then push the full image according to the software code running on the WLC.)

    ap3g2-k9w8-mx.152-4.JB6

    ap3g2-rcvk9w8-mx

    In this case, you can see a few directories with the names above on your access point. The corresponding image should be in these subdirectories.

    HTH

    Rasika

    Pls note all useful responses *.

  • WLC5508 problem with dhcp and flexconnect local switching

    Hello
    I have a new WLC 5508 with firmware 8.0.133.0 (suggested one right now) and I'm trying to set up a WLAN with flexconnect and local switching, but when I try to connect a client it is not getting an IP address.

    Here's what I did:
    - put the AP in FlexConnect mode
    - enabled VLAN support on the AP
    - enabled local switching only in the WLAN
    - extended the VLAN from the AP to the local gateway
    - put the IP helper on the local gateway and pointed it to the WLC management IP
    - set up a scope for the VLAN on the WLC internal DHCP server
    - set up a FlexConnect group with the VLAN-WLAN mapping

    Here is what I checked:
    - the AP obtains an IP address via DHCP in the VLAN, and a lease for it appears in the WLC internal DHCP server
    - if I put the VLAN interface on a switch in DHCP, it gets an IP address the same way
    - if I set a static IP address on the wireless client, it pings the local gateway and browses normally
    - I tried disabling/enabling DHCP proxy on the management interface connected to the WLAN, but nothing happened
    - I tried enabling central DHCP processing, with no luck

    From a dhcpdump on the wireless client, it seems the client asks for an IP address but gets no response, as if the DHCP request were being filtered or diverted somehow.

    Do you have any other ideas?

    DHCP on the controller is not a real DHCP server; see it that way. The management interface is used when defining the IP helper, and DHCP proxy must be enabled for internal DHCP. In your configuration, DHCP only works for the AP and should not work for any wired client. You should be able to use the IP helper pointing to your WLC management interface, but also make sure that you create an interface on the WLC for the local subnet and assign the interface a correct address, even if it is not actually using it. Then, in the new dynamic interface you create for this local subnet, make sure that the primary DHCP server is the IP address of the controller management interface. I think it works.

    I would really use a true DHCP server if possible, or even put a DHCP scope on the L3 interface at the production site.

    -Scott

    Please evaluate the useful messages *.

  • WLCs manage LWAPPs to use chs overlapping?

    I'm a beginner with wireless and, more so, with the WLC. (I use a WLC module in an ISR 2851.) I have a few general questions about the WLCM:

    (1) I will deploy five LAPs off the WLCM on one floor of a building. Is it true that I don't have to worry about overlapping channels, as the WLCM detects contention and changes the channel? Don't I have to configure anything in particular about channels on the RF side?

    (2) I will also be using 7920s in my deployment and want to ensure call quality when a user walks/roams between the LAPs. I'll use static WEP, and the 7920s are on the same VLAN. Since all APs are associated with the same WLCM, is it true that I will not need additional configuration in order to ensure smooth roaming?

    Thank you!

    Greetings,

    It is what it is supposed to do. It has been my experience and other institutions, this is not necessarily the case.

    Regarding the allocation of channels, this device did a mediocre job, even though I have many more than 5 APs, so your mileage may vary. Be on the lookout for co-channel APs in the same location where they should not be.

    Power settings are also not managed properly. Almost every AP in my installations is at power level 2 (17 dBm or 50 mW), and it is only because I do not allow the maximum power as an option. There is a wonderful document you must download if you want to be anywhere near LWAPP - http://www.cisco.com/warp/public/114/rrm.pdf

    Read especially the transmit power algorithm and the coverage hole algorithm. I gathered that the third AP of any AP has a default threshold of -65, which means that if this criterion is satisfied the power will not come down. My surveys are at 11 Mbit/s to -65 dBm, which would mean my third AP from my first AP location will be at the edge of the first AP's cell. If you draw three circles on paper, your first circle is where you want, and the radius of the third circle must pass through the edge of the first circle... so now you have to fit the second circle somewhere in there. This scenario is called 50% overlap - where two AP (two 50% (a 100%) overlap to another AP. In the case of an AP failure, the two others can pick up the slack. Well, if I design my networks as such, what the hell do I need LWAPP for? I opened a TAC case and, quite quickly actually, got nowhere at all.

    My solution is to redesign the existing infrastructure in order to have 20-30% overlap and have 11 Mbps cell boundaries at -65 dBm. The only way I'll be able to maintain the power and channel allocations will be to remove the auto RF channel and power capabilities. I'll hardcode that in. Perhaps, once I get the design up and functional, I'll experiment with sections of the installation and let auto RF have a chance in a properly designed environment and see what happens. Unfortunately, I'm in a high-profile health care production environment, and I'm not comfortable, especially given the results that I've seen so far.

    I hope that your determination that you need 5 APs was based on a valid survey, preferably using the 7920 as the survey tool.

    If you have determined your coverage, throughput requirements, and plans for future growth, and read about what rate you can get each access point in the scenarios of data and voice and has determined that some areas may or may not be more densely populated with users using voice or data or both - then you should be ok.

    Please think of voice being on the same vlan as data, which should be separate even more data wired people.

    If you have many users then go ahead. If you think that the user density could bite you in the pants, he will and he won't let go.

    If I have not scared the crap out of you yet, I hope to have given you some things to think about and tools to use so that you are not in the situation that I am currently.

    However, being the payer cleaner remarkably well. I'm kind of the wireless "Mr. Wolf" in the film of our network.

    Well - being

  • Privilege Prime 2.2 needs for WLC management

    Hello,

    After installing Cisco Prime 2.2 and adding several WLCs, my customer wants just read-only management from Prime. So when I added the WLCs I provided SNMP v3 RO and no username/password/enable for telnet/SSH.

    The problem is that my customer wants to manage guest users from Prime, so of course some type of write privilege is necessary. Would changing SNMP from RO to RW be enough? Or maybe I need to add a user/password/enable for SSH/telnet to manage them? Or maybe I'll need both RW SNMP and telnet/SSH?

    Thank you very much!

    David

    Hi David,

    most likely, you would need RW and ssh\telnet as well, but it depends on what type of operations, your guest user will have access to.

    Thank you-

    Alya

    Ratings encourage contributors *.

  • WLC 5760 with AP1121G

    Guys,

    I've got a thing that to me is kinda weird. I'm trying to make a workgroup bridge with a WLC 5760 and an 1100 AP in standalone mode, but all I get is this error on the AP.

    * 18:45:05.639 1 Oct: % DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: WPAIE not found and required

    * 18:46:03.639 1 Oct: % DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: Rcvd response of the channel 11 8861 0c68.03ea.4073

    * 18:47:47.639 1 Oct: % DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: combining

    configurations are:

    ! SSID profile on the 1100 AP (WPA with pre-shared key)
    dot11 ssid TEST
     authentication open
     authentication key-management wpa
     wpa-psk ascii 7 1416000E0F0C2379747960

    ! Radio acting as workgroup bridge
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption mode ciphers aes-ccm
     ssid TEST
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role workgroup-bridge
     bridge-group 1
     bridge-group 1 spanning-disabled

    and on the WLC 5760,

    ! WLAN on the 5760: PSK key management, 802.1X disabled
    wlan TEST 7 TEST
     no broadcast-ssid
     client vlan 7
     no security wpa akm dot1x
     security wpa akm psk set-key ascii 0 arechi2013
     session-timeout 1800
     no shutdown

    Sho wlan name TEST

    Security

    802.11 authentication: open system

    The static WEP keys: disabled

    802. 1 X: disabled

    Wi - Fi Protected Access (WPA/WPA2): enabled

    WPA (SSN IE): disabled

    WPA2 (RSN IE): enabled

    TKIP encryption algorithm: disabled

    AES encryption algorithm: enabled

    Management key auth

    802. 1 x: disabled

    PSK: enabled

    CCKM: disabled

    CKIP: disabled

    Can someone help me?

    1121s are not supported. Here's a matrix showing what is supported and what is not.

    http://www.Cisco.com/en/us/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html#wp98682

    Thank you

    Scott

    Help others by using the rating system and marking answered questions as 'answered'.

  • WLSE and WCS

    Help!

    I intend to implement 10-15 APs in my company. I don't need a lot, but I want one SSID and the ability to walk between access points without losing the connection. The cost is a bit of an issue as well. As I see it, there is a box called the Cisco Wireless LAN Solution Express 2.13. Now this box is terribly cheap. Makes me wonder. Every time I thought a lot about this, I so with the price of the WCS of 25 reviews 4400, 7 times the price upward. Now, I've been Googling my fingers numb, but I can't really find out what distinguishes a WCS solution from a WLSE solution. Can I use this Cisco Wireless LAN Solution Express 2.13 box at little cost with only a PoE switch and some radios? Or do I also need a 6500 with a WLSE controller switch? Because then the 4400 would be cheaper.

    Appreciate the help,

    \\mark

    Hi Mark,

    This is a big topic of discussion! Haha, I hope I can help with some basic information. The two solutions as you watch (WLSE vs WLC/WISN/WCS) are for two different architectures wireless. The WLSE is for 'stand-alone' access points, and the WISN/WLC/WCS are all for "lightweight" access points

    The fundamental difference between the two is that autonomous architecture is a distributed design, while the lightweights are centralized. Here are some details:

    AUTONOMOUS

    Each access point runs any himself. It must be set up individually for all SSID and VLAN. A WLSE device can be used to manage multiple APs via SNMP, but it's a manual process. A WLSE can also help the management of radio, as the channel design, but it is still a very manual process.

    LIGHT WEIGHT

    Access points are not individually configured. They must join a wireless LAN (WLC) controller to operate. They can find the controller automatically, and when they do they download a configuration. They work with the help of the controller. The controller takes the information of all the APs and adjusts dynamically the channels and power radio as needed to optimize the network. The WLC is the only device that you need to manage since it manages all the APs for you.

    It's a VERY high-level view of the two models. Long story short, stand-alone solutions usually require more work to manage, and lightweight ones require less. You are just looking to run 10-15 access points, so a lightweight solution probably won't pay off as it would if you were installing 100+. This does not mean that you can't have lightweight, but it might not be worth the extra cost.

    Once again, this is a very complicated subject and I hope that gives you a better understanding that will help you when Googling. Try Googling "lightweight vs autonomous"; you'll find some good articles.

  • ISE CWA with foreign/anchor WLC deployment - missing user names

    I'm not sure if this belongs in the mobility or the security section - I'll just give it a try here.
    I've set up wireless guest access with Cisco ISE 1.3 (patch 2) and a foreign/anchor WLC deployment (7.6.130.0).
    So far almost everything works fine - but I probably have a problem with the Cisco ISE logging.

    In the operations log 'Live Authentications', I see the successful authentication, but in the identity column it shows just the MAC address of the endpoint.
    If I navigate to the endpoint identity store, the guest endpoint is in the right group (guestendpoints), and when I look at the details of the endpoint, I can see the "portalusername" who created the user.

    If I click on the active endpoints view (see attachment), I can see all active clients (Authz profile "PermitAccess"). I guess the user name of the client should be filled in there as well, no?

    Does someone have an idea what the cause of this is? Or is this the normal behavior?

    My authentication rules are:
    If "wireless_mab" and "RADIUS: Called-Station-ID ENDS WITH Guest-SSID" then use "Internal Endpoints" and continue if "user not found".

    My authorization rules are:
    1.) if GuestEndpoints AND (Wireless_MAB AND RADIUS: Called-Station-ID ENDS_WITH Guest SSID) then PermitAccess
    2.) if (Wireless_MAB AND RADIUS: Called-Station-ID ENDS_WITH Guest SSID) then GUEST_WEBAUTH
    The GUEST_WEBAUTH authz profile defines the CWA and the preauthentication ACL for the WLC.

    On the WLC side I just configured the foreign WLC with the RADIUS (ISE) server and enabled MAC authentication on the SSID.
    All parameters such as aaa-override and RADIUS NAC are defined. The defined RADIUS is set on "settler" to comply with the ISE.

    In my experience, this is the expected behavior.  The new workflow for the guest use case starting with ISE 1.3 typically includes endpoint registration, you're.  Your authz policy for post-portal authentication (after the CoA) needs to use the MAC address as the identity for guest permissions, not the guest credentials used on the portal.

    That being said, I would like to be able to see the portal user's username whenever a registered endpoint authenticates (until it is purged using endpoint purge policies, of course).

    Tim
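    The behaviour Tim describes, as an added example (not part of the thread and not ISE code): a small evaluator for the two authorization rules from the question, run over both MAB passes of one CWA session. The SSID name, the MAC addresses, the first-match evaluation order and the default result are assumptions.

```python
# Added example: why the identity column shows the MAC address in both passes.
GUEST_SSID = "Guest-SSID"  # constructed SSID name


def is_guest_mab(req):
    """Wireless_MAB AND RADIUS:Called-Station-ID ENDS_WITH the guest SSID."""
    return req["flow"] == "Wireless_MAB" and req["called_station_id"].endswith(GUEST_SSID)


# (rule number, condition, authz profile); assumed to be evaluated first-match.
RULES = [
    ("1", lambda r, g: r["mac"] in g["GuestEndpoints"] and is_guest_mab(r), "PermitAccess"),
    ("2", lambda r, g: is_guest_mab(r), "GUEST_WEBAUTH"),
]


def authorize(req, groups):
    for number, condition, profile in RULES:
        if condition(req, groups):
            return number, profile
    return None, "DenyAccess"  # assumed default rule


def cwa_session(mac, portal_user, groups):
    """Return one (identity, rule, profile) row per authentication."""
    # In MAB the WLC presents the client MAC as the RADIUS User-Name.
    req = {"flow": "Wireless_MAB", "mac": mac, "user_name": mac,
           "called_station_id": "00-11-22-33-44-55:" + GUEST_SSID}  # constructed
    rows = [(req["user_name"],) + authorize(req, groups)]  # 1st auth: redirect
    # Portal login registers the endpoint; the guest name is stored on the
    # endpoint record, not on the RADIUS session.
    groups["GuestEndpoints"][mac] = {"portalusername": portal_user}
    # CoA: the WLC re-authenticates the same session, again as MAB.
    rows.append((req["user_name"],) + authorize(req, groups))
    return rows


if __name__ == "__main__":
    groups = {"GuestEndpoints": {}}
    for row in cwa_session("AA-BB-CC-DD-EE-FF", "guest01", groups):
        print(row)
    print(groups["GuestEndpoints"]["AA-BB-CC-DD-EE-FF"])
```

    Both rows carry the MAC as identity; the portal user name only exists as the endpoint's "portalusername" attribute, which matches what the endpoint details show.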

  • WebAuth LOCAL with Wireless Lan Controller and ISE

    Greetings,

    We intend to set up a centralised guest wireless network with sponsored webauth. I didn't know that this will not work with our current WLC code (6.0.199.4), as 7.2 or a later version is required.

    We have a project to upgrade the WLCs but it won't be ready before the deadline for the completion of the guest wireless.

    I am using local WebAuth temporarily until the WLCs are ready. My questions are:

    1. Am I correct that I can still authenticate against ISE?

    2. Since local webauth does not support CoA, does that mean I can't apply a pre or post auth ACL?

    3. Can someone point me to a good guide for configuring local webauth?

    Thank you!

    Hi Leroy,

    In CWA you can push the desired AVPs in the final result because of the nature of the flow:

    - The guest connects to the SSID.

    - The WLC sends a wireless MAB request (1st authentication). In response, ISE returns an accept with url-redirect-acl and redirect url.

    - The WLC updates the client session, and once HTTP(S) traffic is generated the WLC redirects the client to ISE according to the AVPs received at the 1st auth (MAB request).

    - The client enters the credentials in the portal. ISE validates the creds and sends the WLC a CoA of type re-authenticate.

    - The WLC re-authenticates the client session (2nd authentication), and at this point ISE can push custom AVPs such as VLAN names, interfaces or Airespace dynamic ACLs.

    - The WLC overrides the client session with the new attributes.

    With Local Web Auth, as you mentioned, there are 2 steps, but the WLC "considers" this a single thread.

    For LWA, the flow is as follows:

    - The client connects to the SSID.  Since there is no L2 auth involved, the client goes through DHCP, gets an IP and arrives at WebAuth_Required. The redirect URL is configured statically on the WLC and the pre auth ACL allows the client access to ISE during the auth phase.

    - The client opens the browser and the WLC redirects the client to ISE, but within the redirection there is a 'return to WLC' action which tells ISE to send the client back to the WLC virtual IP, carrying the client credentials used for auth in the guest portal.

    - In this way the WLC now "knows" the creds handed to ISE, and there is a formal RADIUS request that the WLC sends to ISE with these creds. ISE returns an accept, and this is how the WLC now "knows" that the auth is correct and that it should move the client to RUN.

    For LWA the simplest way would be to define a guest interface and statically apply a restrictive ACL at the interface level rather than wait for the AVP from the AAA server.

    LWA is supported in this version at a very basic level, but if you want a complex flow involving dynamic attribute pushing you will need something higher than 7.2.110.0.

    The recommended version would be 7.6.130.0 as of now.

    Kind regards

    Antonio

  • Cisco WLC 8540 HA Timer

    Dear Experts,

    I am preparing the documentation for a wireless solution project and we use WLC 8540 in HA mode. For HA, the WLC sends keepalive updates every 100 msec to check the hot-standby unit's state via the RP port. But in the documentation, I am obliged to put the correct failover time. So can I assume that at the 101st msec, failover happens? For that I need to provide some Cisco docs which mention the exact switchover timers.

    Can you please guide me on this?

    see you soon,

    Thank you

    Waqas

    Hi Waqas,

    Try this document: high availability Tech Note

    The time it takes for failover in the event of power failure on an Active box also depends on the Keepalive timer configured on the WLC (configured for 100 msec by default). The algorithm to determine the failover is listed here:

    • The Standby WLC sends a Keepalive to the Active WLC and waits for an acknowledgement within 100 msec according to the default timer. This can be configured in the range from 100 to 400 msec.
    • If there is no acknowledgement of the Keepalive within 100 msec, the Standby WLC immediately sends an ICMP message to the Active WLC via the redundant management interface to verify if it is a failover of the box or some problem with the redundant Port connection.
    • If there is no response to the ICMP message, the Standby WLC gets aggressive and immediately sends another Keepalive message to the Standby WLC and expects an acknowledgement in 25% less time (i.e. 75 msec or 25% less than 100 msec).
    • If there is no acknowledgement of the Keepalive within 75 msec, the Standby WLC immediately sends another ICMP message to the Active WLC via the redundant management interface.
    • Once again, if there is no answer to the second ICMP message, the Standby WLC gets more aggressive and immediately sends another Keepalive message to the Standby WLC and expects an acknowledgement in a further 25% of the actual timer less than the last Keepalive timer (i.e. 50 msec, or the last Keepalive timer of 75 msec minus 25% of 100 msec).
    • If there is no acknowledgement of the third Keepalive packet within 50 msec, the Standby WLC immediately sends another ICMP message to the Active WLC via the redundant management interface.
    • Finally, if there is no response to the third ICMP packet, the Standby WLC declares the Active WLC dead and assumes the role of the Active WLC.

    Network failover

    In the case of a network failover (i.e. the Active WLC cannot reach its gateway for any reason), it may take 3-4 seconds for a complete failover, depending on the number of access points in the network.

    See you soon,

    Ric
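    The detection ladder quoted in Ric's answer, carried through as an added example (not part of the thread and not Cisco code). The page gives no ICMP timeout, so `icmp_wait_ms` is a hypothetical parameter, and stopping the escalation as soon as any probe is answered is an assumption.

```python
# Added example: the standby-side detection ladder from the post above.
# Assumptions: icmp_wait_ms (the page gives no ICMP timeout) and the rule
# that any answered probe stops the escalation.

def keepalive_windows(timer_ms=100):
    """Ack windows for keepalives 1-3: the timer, then 25% and 50% less."""
    if not 100 <= timer_ms <= 400:
        raise ValueError("keepalive timer is configurable from 100 to 400 msec")
    return [timer_ms, timer_ms * 0.75, timer_ms * 0.5]


def detect(timer_ms=100, icmp_wait_ms=0.0, answered=()):
    """Walk keepalive1, icmp1, ... icmp3 and stop at the first answered probe.

    Returns (failover_declared, elapsed_ms, trace).
    """
    elapsed, trace = 0.0, []
    for n, window in enumerate(keepalive_windows(timer_ms), start=1):
        for probe, wait in ((f"keepalive{n}", window), (f"icmp{n}", icmp_wait_ms)):
            if probe in answered:
                trace.append((probe, "answered", elapsed))
                return False, elapsed, trace
            elapsed += wait
            trace.append((probe, "timeout", elapsed))
    return True, elapsed, trace


if __name__ == "__main__":
    for timer in (100, 200, 400):
        declared, ms, _ = detect(timer)
        print(f"timer={timer} msec -> failover declared after >= {ms:.0f} msec")
    # Constructed case: RP link trouble, Active still answers the second ICMP.
    print(detect(100, icmp_wait_ms=10, answered={"icmp2"}))
```

    With the default timer the three keepalive windows alone add up to 225 msec (100 + 75 + 50), and the three ICMP waits come on top of that, so the 100 msec timer is the first step of the ladder, not the failover time.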

  • Deploy a new 5508 as a secondary WLC in network

    Hi friends,

    I am really poor at deploying WLCs.

    I need to deploy a new WLC 5508 in the network as a secondary controller. The primary WLC (5508) has been configured as a single WLC until now and is working well... Now, I need to deploy the new 5508 as the secondary controller.

    I could connect to the console and make the basic configs. (Service and management interface IP addresses etc.)

    Now, I have to perform two tasks:

    (1) I should synchronize the configuration of the primary 5508 to the secondary 5508 which I just added. Please guide me on how to do this.

    (2) I need to set up the HA (failover) using the RP or by statically setting the Pri/Sec/Ter per AP.

    Please help me ASAP as I am not very used to WLC deployments.

    Thank you

    Francis

    Hello

    1. Is it an HA-SKU (secondary) license model?
    2. Or do you have at least a 50 AP license on the secondary WLC?

    If you have any of the above then go through this guide:

    http://networkguy.de/?p=558

    http://www.Cisco.com/c/en/us/TD/docs/wireless/controller/TechNotes/7-5/H...

    Regards

    Remember to rate useful posts
