WLC 4402 assign several VLANS to an SSID

Is it possible to have one SSID broadcast but separate customers by, let's say, 7 different VLANs in the WLC? For example, each floor would be separated with its own VLAN pool and DHCP, but they all connect to one SSID in the controller. From what I read, it seems that each VLAN would receive its own SSID?

Sure. Take a look at "AP Groups". You also want to make sure that you have no purging of the adjacent floors, because you might have clients connected to the APs on the floor above or below, and that could shake your roaming.

-John

Similar Questions

  • How to assign several VLANS in transparent PIX using command line

    I need help assigning two inside and two corresponding outside VLANs on our PIX 525 running code 7.06. I can't find a good link to sample configs on Cisco's site.

    Basically, you can have only one inside and an external interface. Take a look at the following documentation:

    -Transparent Preview Mode:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_guide_chapter09186a0080450b68.html#wp1201980

    "The transparent security appliance uses an inside interface and an outside interface only. If your platform includes a dedicated management interface, you can also configure the management interface or subinterface for management traffic only.

    In single mode, you can only use two data interfaces (and the dedicated management interface, if available) even if your security appliance includes more than two interfaces."

    I hope this helps!

    Best regards

    ~ federico.

  • WLC 2504 several VLANs multiple SSID

    I have three sites

    Data center management unit A - main - controller + Access - Point IP 172.16.x.x - Vlan 38

    Unit B - system managed by controller IP 172.17.x.x - Vlan 38 Access Points

    Unit C - system managed by controller IP 172.18.x.x - Vlan 38 Access Points

    In the network topology OSPF runs. We have several VLANS about 38 we wish to propagate through SSID, but maybe I'm not create more than 16. How to make a movement of the user of a unit for unit B how do mention Vlan IP for the user because it is 38 Vlan spread on each unit.

    UNIT A          UNIT B          UNIT C
      |               |               |
    172.16.X.X      172.17.X.X      172.18.X.X
      |               |               |
    VLAN 2-38       VLAN 2-38       VLAN 2-38
      |               |               |
    AP-1            AP-2            AP-3
      |               |               |
    User-1          User-2          User-3

    Need of advice and suggestion

    Hello Saad,

    If I understand your scenario, you have VLANs 2-38 or 16 VLANs for each unit. To ensure that the specific IP addressing is assigned to the user, you must create AP groups and add the particular APs to each AP group. Let's say for the 1st floor you used the subnet 192.168.1.0/24 and AP-group1, so all the first-floor APs will be in AP-group1. In addition, browse the Cisco documents and you will get an idea of the AP groups concept.

    In order to obtain roaming when users move from one unit to another unit, we configure mobility in the controller. As OSPF is already running, you have reachability between the controllers.

    Hope this information helps you.

  • Dynamic assignment of VLANS / SSID using the IAS 4402/MS

    Greetings,

    In short, we have a WLC4402 (50 AP license) and about 30 1252s in place. At the moment we have three VLANs / SSIDs in place - one each for admin, teachers and students. The WLC uses an MS Windows 2003 server running IAS for PEAP authentication. On the Windows XP clients, the SSID is entered manually based on the "prior designation" 'type' of laptop (admin, teacher or student).

    It works very well. However, more and more frequently our users are 'sharing' laptops, so a student may need to use a teacher's laptop and vice versa. In short, we would like to use dynamic assignment of VLANs / SSIDs, so that if a student has the teacher's laptop, they would receive the 'students' VLAN / SSID when they connect (with the appropriate ACL, QoS policies, etc. applied).

    We have found the documents on how to do that with an ACS, but is there something available for this configuration with an MS IAS server?

    Any input would be greatly appreciated.

    Joe

    The setup works fine with the MS IAS server. You must set the RADIUS options (3 of them), which are documented in the similar ACS article. You can have one SSID, use RADIUS authentication, and have Active Directory determine VLAN membership based on the group.

    The RADIUS attribute parameters are

    Tunnel-Type = Vlan

    Tunnel-Pvt-Group-ID = vlanid

    Tunnel-Medium-Type = 802

    I also like to set

    Ignore-User-Dialin-Properties = True

    You must create some policies in IAS to match your Windows groups and set the correct VLAN ID. Use a separate IAS policy per VLAN.

    Set the RADIUS attributes per IAS policy and AD group, or however you plan on determining membership.

    If you want to use RADIUS for administration, you must also define a separate policy that sets the RADIUS attribute Service-Type = Administrative.

    Jim

  • Several VLAN, SSID

    I am getting to the point where my campus wireless network is growing to a subnet size that I am uncomfortable dealing with. I have a WiSM and WCS and run the latest IOS on each. Is it possible to use several VLANs on a campus-wide SSID?

    Or, can I put the same SSID on both controllers and map it to two separate VLANs without causing roaming problems?

    Thank you

    Eric

    Hi Eric,

    Yes, we can, and this feature is called AP groups on the WLC. Here is a sample configuration to do the same thing:

    http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml

    Regards

    Surendra

  • ISE - assignment of VLAN 7.2 WLC

    Good evening

    The Wireless_Employees authorization profile assigns VLAN 666 to wireless employees.

    ISE is passing VLAN 666 to the WLC - see attachment Radius Auth - VLAN666.jpg

    When I look on the WLC at a wireless employee who has successfully connected to the network, the WLC always places him in the default VLAN 7.

    1. Can the VLAN be pushed from ISE to the WLC (code 7.2.103) for the specific user session?

    2. If so, any suggestions why it does not work for me?

    Thank you.

    Cath.

    Cath,

    Here's a guide that will help with dynamic assignment of VLANs on a WLC.

    http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#WLC

    Thank you

    Tarik Admani

  • Connection problems SSID with several VLANs

    Hi all

    I'm having a little problem getting a device to associate with an access point and obtain an IP via DHCP on a particular SSID. This access point has two VLANs, with two different SSIDs configured. The configuration is locked. For some reason I can't connect to SSID 2 on my wireless device, but the SSID works very well. I see authentication go through in the log, so I know that the pre-shared key is correct, but the device does not obtain an IP address (which makes me think I have a problem in the bridge group). Any thoughts?

    Also, I tried both a trunk port and an access port on the switch that is connected to the access point. With both, I can connect and obtain an IP address on VLAN 20 (SSID 1), but not on VLAN 10 (SSID 2).

    dot11 ssid 1
     vlan 20
     authentication open
     authentication key-management wpa
     wpa-psk ascii 'key'
    !
    dot11 ssid 2
     vlan 10
     authentication open
     authentication key-management wpa
     Comments-mode
     wpa-psk ascii 'key'
    bridge irb
    !
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     !
     encryption mode ciphers tkip
     !
     encryption vlan 20 mode ciphers tkip
     !
     encryption vlan 10 mode ciphers tkip
     !
     ssid 1
     !
     ssid 2
     !
     antenna transmit right
     antenna receive right
     station-role root
     bridge-group 1
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface Dot11Radio0.10
     encapsulation dot1Q 10
     no ip route-cache
     bridge-group 10
     bridge-group 10 subscriber-loop-control
     bridge-group 10 block-unknown-source
     no bridge-group 10 source-learning
     no bridge-group 10 unicast-flooding
     bridge-group 10 spanning-disabled
    !
    interface Dot11Radio0.20
     encapsulation dot1Q 20
     no ip route-cache
     bridge-group 20
     bridge-group 20 subscriber-loop-control
     bridge-group 20 block-unknown-source
     no bridge-group 20 source-learning
     no bridge-group 20 unicast-flooding
     bridge-group 20 spanning-disabled
    !
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
    !
    interface FastEthernet0.10
     encapsulation dot1Q 10 native
     no ip route-cache
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    !
    interface FastEthernet0.20
     encapsulation dot1Q 20
     no ip route-cache
     bridge-group 20
     no bridge-group 20 source-learning
     bridge-group 20 spanning-disabled
    !
    interface BVI1
     ip address 192.168.0.210 255.255.255.0
     no ip route-cache
    ip default-gateway 192.168.0.1
    bridge 1 route ip

    Thanks for your help!

    Your bridge-groups do not line up. You have VLAN 10 mapped to bridge-group 1 on the FastEthernet interface but mapped to bridge-group 10 on the radio. Just remove bridge-group 1 from the main radio interface and apply it to the subinterface dot0.10.
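
The mismatch this answer points out can be checked mechanically before an AP config is deployed. The Python sketch below is an added example, not code from the thread; the two sample configs are constructed from the posted one (trimmed, in standard IOS syntax), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's AP config, trimmed to the lines that matter.
BROKEN = """
interface Dot11Radio0
 bridge-group 1
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
interface FastEthernet0.10
 encapsulation dot1Q 10 native
 bridge-group 1
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
"""
# Constructed sample: the same config after the change the answer suggests.
FIXED = BROKEN.replace("interface Dot11Radio0\n bridge-group 1\n", "interface Dot11Radio0\n")
FIXED = FIXED.replace("bridge-group 10", "bridge-group 1")


def parse_interfaces(config):
    """Return {interface: {"vlan": int or None, "bg": int or None}}."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)", line, re.I)
        if m:
            cur = ifaces.setdefault(m.group(1), {"vlan": None, "bg": None})
            continue
        if cur is None:
            continue
        m = re.match(r"encapsulation dot1q (\d+)", line, re.I)
        if m:
            cur["vlan"] = int(m.group(1))
        # Only the bare membership line; option lines carry a trailing keyword.
        m = re.match(r"bridge-group (\d+)$", line, re.I)
        if m:
            cur["bg"] = int(m.group(1))
    return ifaces


def bridge_group_findings(config):
    """List VLAN-to-bridge-group inconsistencies between radio and wired side."""
    by_vlan, physical = defaultdict(dict), []
    for name, info in sorted(parse_interfaces(config).items()):
        if info["vlan"] is not None:
            by_vlan[info["vlan"]][name] = info["bg"]
        elif info["bg"] is not None and "." not in name:
            physical.append((name, info["bg"]))
    findings = []
    if by_vlan:  # with VLANs in use, bridge-groups belong on the subinterfaces
        findings += [f"{n}: bridge-group {bg} is on the physical interface, not a VLAN subinterface"
                     for n, bg in physical]
    for vlan, members in sorted(by_vlan.items()):
        groups = sorted({bg for bg in members.values() if bg is not None})
        if len(groups) > 1:
            findings.append(f"VLAN {vlan}: bridge-groups {groups} differ across {', '.join(members)}")
        sides = {"radio" if n.lower().startswith("dot11radio") else "wired" for n in members}
        if sides != {"radio", "wired"}:
            findings.append(f"VLAN {vlan}: present only on the {sides.pop()} side")
    return findings


if __name__ == "__main__":
    for label, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(label, bridge_group_findings(cfg))
```

A VLAN whose radio and Ethernet subinterfaces sit in different bridge-groups is never bridged end to end, which is why clients on that SSID authenticate but get no DHCP lease.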

  • Cisco ACS, multiple CA, assignment of VLAN relevant to the domain

    Hi all

    I searched for a solution to a specific customer requirement.

    I want to authenticate wireless users with certificates from different root CAs and assign them to a VLAN based on their domain. Ideally, using the same SSID and a Cisco ACS server.

    Is this possible? Has anyone seen it working?

    I realize that the ACS can be made to trust the relevant root CAs (I don't know what version is needed for this), and that VLAN assignment on a single SSID based on RADIUS attributes is also possible. But I am not sure that these parts would fit together.

    Would appreciate some advice!

    Thanks in advance

    Rob

    Hello

    Yes, this is possible. I suggest that you implement the pieces one by one to make sure that everything works, but there is no problem doing so. All recent versions of ACS allow this.

    You can do group mapping from AD groups (a group for each domain, if you want) and assign the VLAN based on this group mapping.

    ACS can trust several certification authorities and authenticate users with certificates from all of them. It's just a matter of importing these CA certificates into the trust list.

    And you can assign the VLAN and use only one SSID as well.

    I can't guide you on the procedure, as it depends on which version you have and whether you have IOS APs or a WLC, but basically each function is configured separately as in the config guide and then they are all used together.

    Nicolas


  • Assignment of VLAN dynamic of the Web authentication

    In a WLC 4402 with firmware v.5.2.157, is it possible to assign users to a VLAN dynamically based on the RADIUS response received from ACS?

    Yes and no. You can do it for an internal 802.1X WLAN, where the client does not get an IP address until it has completed the authentication process. To do this, you use 64/65/81: 64 802, 65 VLAN, and for 81 use the name of the interface, not the VLAN number. You will also need to make sure you have AAA Override enabled under the WLAN.

    If, as you said, it is for Web authentication, the answer is no. The client has an IP address before being validated by the AAA server.

    HTH,

    Steve
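
The three attributes named in the IAS answer further up and in this reply (RADIUS attributes 64, 65 and 81) can be verified on a captured Access-Accept when a client lands in the wrong VLAN. The following is an added example, not code from the thread: a Python decoder using the RFC 2865/2868 encoding (Tunnel-Type 64 = 13 for VLAN, Tunnel-Medium-Type 65 = 6 for 802), run on constructed packets with a zeroed authenticator and the VLAN 666 value from the ISE question. It shows only what the server sent; AAA Override is a controller-side setting.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
WANT = {TUNNEL_TYPE: (13, "Tunnel-Type", "13 = VLAN"),
        TUNNEL_MEDIUM_TYPE: (6, "Tunnel-Medium-Type", "6 = 802")}


def parse_attributes(packet):
    """Yield (type, value) for each attribute after the 20-byte header."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute %d has invalid length %d" % (atype, alen))
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def vlan_assignment(packet):
    """Return (group_id, problems); group_id is None unless all three agree."""
    if packet[:1] != bytes([ACCESS_ACCEPT]):
        return None, ["not an Access-Accept"]
    tunnels = {}  # tag -> {attribute type: decoded value}
    for atype, value in parse_attributes(packet):
        if atype in WANT:
            if len(value) != 4:
                raise ValueError("tagged integer attribute must carry 4 octets")
            tunnels.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet of 0x01-0x1F is a tag, otherwise it is text.
            tagged = bool(value) and 1 <= value[0] <= 0x1F
            tag = value[0] if tagged else 0
            text = value[1:] if tagged else value
            tunnels.setdefault(tag, {})[atype] = text.decode("ascii", "replace")
    with_group = [t for t in tunnels.values() if TUNNEL_PRIVATE_GROUP_ID in t]
    if not with_group:
        return None, ["Tunnel-Private-Group-ID missing"]
    tunnel, problems = with_group[0], []
    for atype, (want, name, meaning) in WANT.items():
        got = tunnel.get(atype)
        if got is None:
            problems.append("%s missing (want %s)" % (name, meaning))
        elif got != want:
            problems.append("%s is %d (want %s)" % (name, got, meaning))
    return (None if problems else tunnel[TUNNEL_PRIVATE_GROUP_ID]), problems


def build_accept(attrs):
    """Constructed test packet: zeroed authenticator, attributes as given."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body


# Constructed samples; "employees" stands in for a WLC interface name.
GOOD = build_accept([(64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06"), (81, b"666")])
NO_MEDIUM = build_accept([(64, b"\x00\x00\x00\x0d"), (81, b"666")])
WRONG_TYPE = build_accept([(64, b"\x01\x00\x00\x03"), (65, b"\x01\x00\x00\x06"),
                           (81, b"\x01employees")])

if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("NO_MEDIUM", NO_MEDIUM), ("WRONG_TYPE", WRONG_TYPE)):
        print(name, vlan_assignment(pkt))
```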

  • Apple devices several attempts to connect SSID?

    Hello

    I had this problem for so long.

    In the company we have two SSIDs, for the corporate and guest networks respectively. When I try to connect to one of the SSIDs, it doesn't succeed until up to 5 attempts. The only log I receive that seems to be linked to it is:

    * Jun 11 11:48:09.062: % APF-1-DISCONECT_MOBILE_DUE_TO_WLAN_SW: apf_policy.c:541 mobile disconnection due 00:23:32:73:d7:15 pass 1 (femsawl) wireless local networks 2 (visits)

    Here, it shows a switch between the SSIDs, but if you bring in an Apple device and try to associate for the first time to one of the SSIDs, the scenario is the same: several attempts to connect.

    Are there known issues with Apple devices?

    I'm running a wlc 4402 with 6.0.202.0 version of the software.

    I'd appreciate comments on this.

    Kind regards!

    Hi Rguzman,

    Make sure that Fast SSID change is enabled on your WLC.

    Check out my blog

    http://www.my80211.com/home/2010/5/9/WLC-configuring-fast-SSID-changing.html

  • WLC 4402 is rejection of applications for converted LWAPP 1131 AG AP

    WLC does not show the AP.

    WLC 4402 is configured using lwapp-L3. Management interface is in vlan 20 and interface ap - manager is in vlan 100. AP is in vlan 50. AP is getting dhcp ip. option 43 and 60 have been configured.

    debugging shows

    activate the debug lwapp events on WLC

    (Cisco Controller) > Fri 25 Jul 20:51:57 2008: received 00:19:55:5f:cb:52 LWAPP DISCOVERY REQUEST of AP 00:19:55:5f:cb:52 to c 00:1f:9e:9 b: 8:03 on port "1"

    Fri Jul 25 20:51:57 2008: throw L3 Mode LWAPP DISCOVERY REQUEST on intf '1', vlan = "100", management vlan = "20".

    debugging access point

    debug events customer lwapp

    1 00:58:16.716: LWAPP_CLIENT_EVENT: spamHandleDiscoveryTimer: could not find any MWAR

    1 00:58:16.716: LWAPP_CLIENT_EVENT: spamResolveStaticGateway - bridge found

    Debug ip udp

    1 00:58:16.716: UDP: sent src = 172.16.50.151 (64693), dst = 172.16.100.100 (12223), length = 69

    Can anyone please guide me on where I am going wrong?

    Try to put the AP Manager interface in the same vlan as the management interface. Also look at the date and time on the controller to ensure that the certificates are validated correctly on the APs.

  • ACS 4.1 and 802.1X dynamic assignment of VLANs

    Hi guys,

    A customer wants to implement dynamic VLAN assignment with 802.1X. The customer has the following equipment: Cisco ACS 4.1 for Windows, Cisco ASA 5540, CSA 5.2 with CSA MC, and several Cisco routers and switches.

    Now, the questions are: can we implement dynamic VLAN assignment without a NAC appliance? The customer also wants to distinguish between clients with current antivirus signatures and those with old signatures. Older clients are denied access to the anti-virus server and the update of the signature and if everything is ok, to have access to the internal network.

    How could we implement this without new hardware or software?

    Any ideas? Thanks for help.

    René

    You can have a look at the NAC Framework. If you only want to posture-validate wired clients, then there are no extra components to buy. If you want to go wireless, you will likely need to buy a Cisco client that supports wireless. You can get the configuration guide from here:

    http://www.Cisco.com/application/PDF/en/us/guest/NetSol/ns617/c649/cdccont_0900aecd8040bbd8.PDF

    I suggest you prototype it and see what you think. The good thing is that you can deploy on a per-switchport basis, so you can do the setup on ACS without disturbing what is there already and apply it by configuring the switch.

  • Windows XP Home Edition on WLC 4402

    Hello

    I have a WLC 4402 Wireless LAN Controller with several 1231 APs on LWAPP. The WLAN security setting is WPA + WPA2 with a pre-shared key. All computers in the domain are fine; wireless connections are stable. I have a group of students using netbooks under Windows XP Home SP3 that connect and then drop. The XP event log continuously shows event IDs 4201 and 4202, and in the WLC log I also continuously see entries of the form

    * Apr 19 10:35:44.046: % DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:407 Max EAPOL - Key M1 broadcasts exceeded for client 00:26:5e:eb:fd:0 has

    I understand that XP Home has no domain certificate environment, so I didn't install any AAA server service. How can this problem be solved? I keep trying combinations of security settings, but no luck. Help, please. Thank you.

    Attachment is WLC configuration file without encryption.

    Bill,

    Is it by chance an ASUS EeePC 1005HA netbook?

    If so, check the drivers.

  • 1252 config several VLAN trunking on ethernet not

    Hi all I am new to these forums, but have read some posts on configurations for an AP from 1252 to switch 2950.

    I have several VLANs and multiple SSIDs configured on my AP. The switch knows the VLANs on the access point, I think, from the config.

    When I put the 2950 port that the AP is connected to in trunk mode, I can no longer see the access point, and none of my SSID / VLAN traffic goes through the Ethernet trunk to the switch. I think I have a problem with the config of the AP, specifically either in the BVI (I do not understand this virtual port) or in the bridge groups. (I have never worked with bridge groups.)

    The AP is in stand-alone mode.

    Here is my config on the side of the ap.

    interface Dot11Radio0
     no ip address
     no ip route-cache
     !
     encryption vlan 300 mode ciphers aes-ccm tkip
     !
     broadcast-key vlan 300 change 600 membership-termination capability-change
     !
     !
     ssid 101
     !
     ssid 300
     !
     countermeasure tkip hold-time 120
     antenna gain 0
     speed basic-1.0 2.0 5.5 11.0 6.0 12.0 9.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
     station-role root
     bridge-group 1
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface Dot11Radio0.100
     encapsulation dot1Q 100
     no ip route-cache
     bridge-group 100
     bridge-group 100 block-unknown-source
     no bridge-group 100 source-learning
     no bridge-group 100 unicast-flooding
     bridge-group 100 spanning-disabled
    !
    interface Dot11Radio0.300
     encapsulation dot1Q 300
     no ip route-cache
     bridge-group 255
     bridge-group 255 subscriber-loop-control
     bridge-group 255 block-unknown-source
     no bridge-group 255 source-learning
     no bridge-group 255 unicast-flooding
     bridge-group 255 spanning-disabled
    !
    interface Dot11Radio1
     no ip address
     no ip route-cache
     !
     encryption vlan 300 mode ciphers aes-ccm tkip
     !
     broadcast-key vlan 300 change 600 membership-termination capability-change
     !
     !
     ssid 101
     !
     ssid 300
     !
     countermeasure tkip hold-time 120
     antenna gain 0
     dfs band 3 block
     speed basic-6.0 9.0 12.0 18.0 36.0 24.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
     channel dfs
     station-role root
    !
    interface Dot11Radio1.100
     encapsulation dot1Q 100
     no ip route-cache
     bridge-group 100
     bridge-group 100 block-unknown-source
     no bridge-group 100 source-learning
     no bridge-group 100 unicast-flooding
    !
    interface Dot11Radio1.300
     encapsulation dot1Q 300
     no ip route-cache
     bridge-group 255
     bridge-group 255 subscriber-loop-control
     bridge-group 255 block-unknown-source
     no bridge-group 255 source-learning
     no bridge-group 255 unicast-flooding
     bridge-group 255 spanning-disabled
    !
    interface GigabitEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
    !
    interface GigabitEthernet0.51
     encapsulation dot1Q 51 native
     no ip route-cache
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    !
    interface GigabitEthernet0.100
     encapsulation dot1Q 100
     no ip route-cache
     bridge-group 100
     no bridge-group 100 source-learning
     bridge-group 100 spanning-disabled
    !
    interface GigabitEthernet0.300
     encapsulation dot1Q 300
     no ip route-cache
     bridge-group 255
     no bridge-group 255 source-learning
     bridge-group 255 spanning-disabled
    !
    interface BVI1
     ip address 10.131.10.70 255.255.255.0
     no ip route-cache
    !

    VLAN 51 is what I'm trying to trunk over. VLAN 100 is my network's normal VLAN for almost everything at the moment. And VLAN 300 is my attempt to secure wireless traffic on a new VLAN across my local network.

    VLAN 51 has no IP address range

    VLAN 100 IP range is 10.131.10.0

    VLAN 300 range is 10.131.11.0

    The routing goes to my 3750 core switch / router, but the access point is connected to a 2950, which is trunked to my distribution layer on a stack of 2975s. Once again, VLAN 300 works on the 2975 stack and will pull DHCP if it is enabled. I have not tried this on the 2950 yet, but I suspect it will also work based on the trunk setting from the 2950 to the 2975 stack.

    In any case, what I want to be able to do is have multiple VLANs configured on the AP (from most secure to least secure, based on the capabilities of the equipment) and have that tagged VLAN traffic go on to my 3750 for further routing.

    Here, any help would be greatly appreciated.

    Thank you for taking the time to read this.

    Sincerely,

    Kevin Pulford

    Systems administrator

    Harmon city, Inc.

    Yes, remove vlan 51 and say vlan 100 is the native, and it will be tied to bridge-group 1. Then change the switch port to vlan 100 native. You should then be able to reach the access point via telnet/GUI.

    The commands will be:

    config t
    no int dot11radio0.51
    no int dot11radio1.51
    no int g0.51
    int dot11radio0.100
     encapsulation dot1q 100 native
    int dot11radio1.100
     encapsulation dot1q 100 native
    int g0.100
     encapsulation dot1q 100 native

    To be sure, save reboot and wr mem.

  • What does VLAN assignment do in Cisco ISE authorization?

    Hello

    When I create an authorization policy in Cisco ISE, under Common Tasks there is VLAN assignment. What does that do? Does it put the user on this VLAN?

    Thank you.

    Yes, this will override the VLAN configured on the switch port or wireless SSID. For example, all ports can be configured to be part of VLAN 10, but you want finance users in VLAN 20. You can use the profile of EHT permission to do exactly this.

