WLC and DHCP

We've got a supernet wherein the WLC is distributing DHCP addresses for wireless clients... Motorola radios, to be more precise.  My question is: does the WLC allow DHCP for wired clients on that subnet as well?

Any yes or no with supporting documentation would be greatly appreciated.

Thank you!

-anne

http://www.Cisco.com/c/en/us/support/docs/wireless-mobility/wireless-LAN-WLAN/99470-config-wiredguest-00.html

After a successful handoff of the client to the DMZ anchor controller, the DHCP IP address assignment, authentication of the client, and so on are handled in the DMZ WLC.

Tags: Cisco Security

Similar Questions

  • unloading of feature to make dhcp off the WLC and put it on Active Directory.

    I need to use the feature of unloading to dhcp off the WLC and put it on Active Directory.  Someone at - it a walkthrough or a page for this?  I know it's just a checkbox and a redirect to the new dhcp server, but where the hell is the configuration on the WLC?

    Thank you!

    -anne

    You can go there.

    http://www.Cisco.com/c/en/us/TD/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_01001001.html

    Point to your existing ad integrated DHCP server.

  • WLC - server DHCP (Override) and

    Hi guys,.

    A little confused. If I want my wireless clients to a DHCP address on my business DHCP servers, I need to click the Overrides button, for the WLC to act as a relay agent or the docs say that this happens by default?

    Can someone pls confirm, because it is a little confusing. The files help mentioned below also?

    Thx a lot indeed.

    Ken

    Server DHCP (Override)

    ----------------------

    When override is selected, you can enter the IP address of your DHCP server. It is a required field for some WLAN configurations. There are three valid configurations:

    -DHCP Server Override ON, a valid DHCP server IP address, and DHCP Address Assignment Required: requires that all WLAN clients obtain an IP address from the DHCP server.

    -DHCP Server Override ON, a valid DHCP server IP address, and DHCP Address Assignment Not Required: allows all WLAN clients to get an IP address from the DHCP server or use a static IP address.

    -DHCP Server OFF Overrides: guests WLAN using the DHCP setting in the Management Interface, not the static address of the Forces.

    Hi Ken,

    Your WLC default is DHCP relay, you do not need to override.

    In the WLAN configuration, you are put in an interface. If you check the configuration of this interface, you will see that it points to a DHCP server. This is where your WLC relays to for wireless clients.

    If you wish to override this setting and send your clients to a different DHCP server instead, you then click DHCP override in the WLAN config and enter another DHCP IP address.

    HTH

    Jerome

  • L3 - SG300 - 28 p and DHCP

    Hi all

    I'm having a bit of difficulty up a SG300 - 28 p to L3 and DHCP. I will attach a basic network diagram and a very short list of my needs.

    I'm building a temporary network for a company event 1 day that I can't make it work in our office "Lab".

    L3 - SG300 - 28 p connects to our provider using a connection of the SFP.

    I have to be able to address IP DHCP 300 + using the SG300 - 28 p

    My problem is that I can ping my 2 machines test (manually configured IP) about 172.16.0.3 and 172.16.0.4, but cannot ping after the (internet) referral. Also DHCP distributes no intellectual property for the range 172.16.0.10 - 172.16.1.200

    VLAN 1 is set to 10.2.2.20 access port (to the provider through a connection on port 28 FPS)

    VLAN 100 is 172.16.0.2 access port (ports 1-26)

    I have the WLC and WAP tri...

    Is the set of even possible? I know that the EQ network is a bit budget for users, but for a one day business event I just do not have a budget for the purchase of switches better.

    Please excuse the gross chart.

    Thank you in advance.

    -RJ

    Thanks for the reply.

    With the information that you have provided, it seems the only part missing is the way return the unit for service providers. Unfortunately there is no way around that, and no, you will not be able to put anything between the two, because the device doing the NATting is unity of suppliers.

    I think that what is happening is that traffic is actually the side provider, but there is no way to do so as soon as the provider is not a route for the subnet in 172.16.x.x.

    Out of curiosity, why do you use a VLAN for the devices connected to the SG300? Could you use the 10 subnet Ip addresses? If you do this, you will not need to have a route back from the supplier, as all devices will be on the same subnet.

  • 5508 WLC and associating 1242

    I have a 5508 running 6.0.196.0 and have a few 1142 currently associated with him.  I tried to get a 1242 to associate, but it won't.

    My WLC recovering DHCP to a VLAN wireless (950) and the 1242 Gets an IP address to this VLAN, but does not associate or showup as an AP.

    In addition, I have a console cable connected and attached the output of the trunk, but cannot get my settings to allow (via HyperTerminal) to get the CLI.  I'm set to 9600, N, 8, 1 and I tried a few other settings.

    Layer 1 - good

    Layer 2 - good

    Layer 3 - good

    1142
    1142
    1142
    1252

    DHCP leases are superior and can ping one of these, but only to show that the three 1142 s in the controller.

    A reflection as to why does not showup?  How bout my hyperterm settings?

    Thank you!

    The you have probably the Frother activated in HyperTerminal, this is why the AP will not meet your entry.  Make sure that the terminal emulation program has Frother off.

    In regards to the 1252 only joined does not, the reason is because he runs an independent image of AP, not a picture LWAPP/CAPWAP.  You can see if you look at the name of the image.  This has k9w7 which is autonomous images.  K9w8 are light images.  You just need to convert this lightweight AP.

  • Requirement of DNS and DHCP Server Essentials 2012 home

    I have a Server Windows Essentials 2012 acting as DNS and DHCP server with a domain name for backups etc on my home network. It's that everything works fine, no errors, no problem. Works well actually, telling me when the children did not install updates or restarted.

    I have two groups of users. My sons step, 10 and 12, which I want to use OpenDNS as a provider external DNS with a policy very, very limited and my wife and me who want to use indications of root or Google DNS or any other DNS provider. Others, specific devices no user (box of the xBox, WII, Satellite, TV, CCTV etc.) can use.

    Before the 2012 server, I had a 2 k 3 server running in a virtual machine for DHCP, alone and put my wife and my devices on static reservations with the just and external DNS provider used OpenDNS as the default scope, DNS. Unfortunately different bits of domain services 2012 don't seem to work unless the server of 2012 is the first DNS server listed on client machines (backups failed. Impossible to find other local computers). Currently, this means that we are all using OpenDNS.

    What I would like is a way to say 2012 to send adult group DNS queries to another DNS provider and leave the rest at default to OpenDNS, while still having them register in the original DNS domain. Any suggestions?

    This issue is beyond the scope of this site and must be placed on Technet or MSDN

    http://social.msdn.Microsoft.com/forums/en-us/home

  • IP source guard feature and DHCP scope exhaustion (client spoofs other clients)

    Hello everyone.

    A DHCP server assigns IP addresses based on the MAC address in the client hardware address field of the DHCP packets.

    A potential attack is when a rogue host spoofs different MAC addresses and causes the DHCP server to assign IP addresses until no IP address is left for legitimate hosts.

    For example, a host h1 with mac1 is assigned an IP address by the DHCP server as:

    199.199.199.1 mac1

    The DHCP server has this entry in its database.

    Hacking tools such as Yersinia or Gobbler can create DHCP discover messages, each with a different MAC in the client hardware address field, thereby causing the DHCP server to assign IP addresses, because to the DHCP server they are legitimate DHCP discover messages, each with a different MAC in the client hardware address.

    You could use DHCP snooping to prevent that (DHCP scope exhaustion) and configure the switch to check whether the src MAC matches the client hardware address in the DHCP message. But even then we can create spoofed discover messages where the src MAC in the Ethernet header matches the client hardware address in the DHCP discover message. So it does not always overcome the problem.

    You might say use the IP source guard feature, but will it really prevent this problem from happening?

    Let me illustrate:

    H1 - f1/1 SW - DHCP server

    Let's say that we have configured DHCP snooping on sw1 and f1/1 is an untrusted port.  The switch has the following DHCP binding:

    199.199.199.1 mac1 vlan1 f1/1

    Then we configure IP source guard in order to validate the src MAC and src IP against the DHCP bindings. When you first configure IP source guard, it will allow only DHCP, so that a host can request an IP address and the DHCP binding can be built. After that, IP source guard will validate the src IP, the src MAC, or both against the DHCP binding, depending on how we configure IP source guard.

    In our case, we have configured IP source guard in order to validate the src MAC and src IP against the DHCP binding.

    A DHCP binding is already created as:

    199.199.199.1 mac1 vlan 1 f1/1

    Now, using the hacking tools Yersinia or Gobbler on h1, we create our first spoofed DHCP discover message where src MAC = mac2 in the Ethernet header and client hardware address = mac2 in the DHCP discover message. The switch is configured with the IP source guard feature and therefore allows the DHCP discover message to pass through. The DHCP server, after receiving the DHCP message, assigns another IP from the pool. The DHCP server now has the following entries:

    199.199.199.1 mac1

    199.199.199.2 mac2

    We continue to craft spoofed DHCP discover messages as described above, and the DHCP server keeps assigning IP addresses until the entire pool is exhausted.

    So my question is: how does IP source guard in conjunction with DHCP snooping stop this attack from happening (i.e. DHCP scope exhaustion)?

    I really appreciate your comments.

    Thank you and have a week.

    Hi Sara,.

    Your question was quite interesting. As far as I know, whatever it is, an untrusted snooping port won't allow your fake DHCP server.

    You can take this query in the Sub forum of experts mentioned that is specific for dhcp snooping and source of guard.

    https://supportforums.Cisco.com/message/3689811#3689811

    Please assess whether the information provided is useful.

    By

    Knockaert
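
The scenario in the question above, modelled as an added example (not code from the thread or from Cisco): it replays constructed DHCP DISCOVER events per switch port and shows that a source-MAC versus client-hardware-address comparison passes frames where both fields carry the same spoofed MAC, while a per-port count of distinct MACs or a per-port DISCOVER rate flags the port. The event format, function names and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Discover:
    """One DHCP DISCOVER as seen on an untrusted access port (hypothetical record)."""
    ts: float      # arrival time in seconds
    port: str      # switch port the frame arrived on
    src_mac: str   # source MAC in the Ethernet header
    chaddr: str    # client hardware address inside the DHCP message


def mac_verify(ev: Discover) -> bool:
    """The check described in the thread: Ethernet src MAC must equal chaddr."""
    return ev.src_mac.lower() == ev.chaddr.lower()


def analyze(events, max_macs=3, max_rate=15, window=60.0):
    """Return {port: {reasons}} for ports that violate a per-port policy.

    max_macs : distinct client MACs tolerated per port inside the window (assumed value)
    max_rate : DISCOVER messages tolerated per port inside the window (assumed value)
    """
    recent = defaultdict(deque)   # port -> deque of (ts, chaddr) inside the window
    alerts = defaultdict(set)
    for ev in sorted(events, key=lambda e: e.ts):
        if not mac_verify(ev):
            # Header and payload disagree: the frame is dropped at the port.
            alerts[ev.port].add("mac-mismatch")
            continue
        q = recent[ev.port]
        q.append((ev.ts, ev.chaddr.lower()))
        while q and ev.ts - q[0][0] > window:
            q.popleft()
        # Matching but ever-changing MACs pass mac_verify; count them per port.
        if len({mac for _, mac in q}) > max_macs:
            alerts[ev.port].add("mac-limit")
        if len(q) > max_rate:
            alerts[ev.port].add("rate-limit")
    return dict(alerts)


def mac(n: int) -> str:
    """Constructed, locally administered MAC address for the sample data."""
    return f"02:00:00:00:00:{n:02x}"


# Constructed sample: h1 on f1/1 gets its lease as mac1, then the same port
# sends DISCOVERs as mac2..mac7 with src MAC == chaddr each time.
SAMPLE = (
    [Discover(0.0, "f1/1", mac(1), mac(1))]
    + [Discover(5.0, "f1/2", mac(0x20), mac(0x20)),     # ordinary host
       Discover(9.0, "f1/2", mac(0x20), mac(0x20))]     # its retransmission
    + [Discover(10.0 + i, "f1/1", mac(i), mac(i)) for i in range(2, 8)]
    + [Discover(30.0, "f1/3", mac(0x30), mac(0x31))]    # header/payload mismatch
)

if __name__ == "__main__":
    for port, reasons in sorted(analyze(SAMPLE).items()):
        print(port, sorted(reasons))
```
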

  • 4402 WLC and WCS

    Hi all

    We have 3 WLC 4402 all with identical config and we use Lobby Admin to create guest accounts.

    Problem with this is that the guest account must be created on 3 WLC.

    I installation WCS and want to know how to extract the 3 existing wlc and their config in the WCS.

    Can the admin of lobbay can create accounts on the WCS and grow them into all wlc

    Hi RR,.

    >I install WCS and want to know how to extract the 3 existing wlc and their config in the WCS.

    It's pretty easy. You must add a new controller via the configuration-> page controllers. The option 'Add the new controller' is in the drop-down list at the top right of the screen. You can use a list separated by commas of IP addresses to add all three at the same time. WCS audit of the controller software and get to the bottom of the config.

    >Also can the admin Hall can create accounts on the WCS and grow them into all wlc

    I have not used the account Admin Hall (it is not really appropriate in the office where I work), but I know that you can create a guest account in the controller model launch pad. It is under Security in the sidebar. This model can then be applied to all three WLCs at the same time, that will simplify things. I guess you would need to make sure that your Hall administrator can access this particular part of the WCS.

    Hope that helps.

    -Jason

  • SNMP and DHCP requests on collector

    Hello world

    I want to see the SNMP and DHCP requests on the interface of collector.

    How can I see these queries?

    Y at - it logs through which we can see or some CLI to run on systems CASE.

    Please help me on this and suggest.

    Thank you

    Abuzar

    Hello

    a newspaper would be quickly filled if she provided details on all packages.

    The easiest way is to run a tcpdump on the collector.

    For example: tcpdump -i eth0

    You can use tcpdump --help for more info.

    Hope this helps,

    Nicolas

    ===

    Please note the answers that will help you

  • Series of unmanaged switches 100 and DHCP

    Hi all, we have a router RV082 switch 8 ethernet ports, it is actually 8 lan with a DHCP address assignment devices (router is used as switch/router and DHCP server).

    Now we need to increase the number of attached LAN devices (other pc, printers, etc.), and we think buy Cisco 100 ethernet switch Series 16 or 24 ports to connect to RV082.

    In this case RV082 will be able to assign DHCP addresses for devices connected to the eth switch ports?

    Thanks in advance.

    Hi Loris, yes it is not a problem. You should be able to switch on a lan port, connect computers to the switch and things should be OK.

    -Tom
    Please mark replied messages useful

  • SGE2010 - traffic relay and DHCP configuration

    Hei

    We bought just a switch SGE2010 we want to use to replace the switches in the control panel of our office. So far I managed to access the switch and assigned a static ip.adress on our net, but I can't get to our entry point switch relay traffic. I have a test machine that is configured with a static IP as well and tried the ok sign, but as soon as I put the switch between traffic is not relayed.

    The idea was to use this switch as a DHCP as well. But I thought it would be a start to get at least the traffic relayed before starting the dhcp part.

    Only configuration settings I have done factory settings are the following: (note that the IP is slightly adjusted, but consistent for reasons of confidentiality)

    Configuration of the IP4

    1. Assigned to a static ip address: 95.59.69.148
    2. Assigned a subpattern: 255.255.255.192
    3. Assigned to a user-defined gateway: 95.59.69.129

    DNS configuration

    1. Assigned to an ip address dns address: active 95.59.0.100
    2. Assigned to a dns ip address: 95.59.0.200

    All these settings are the default settings that we use when we assign a server with a static ip address, so it is not a pick up of our filtration dhcp server. So my main question is why on earth isn't it relay traffic?

    In addition, we are interested to kill the former (with stones, I hope) dhcp server and dhcp on the sge2010 configuration. The current dhcp is an operating system. X dhcp server (Yes a mac) with the following configuration:

    • (Dynamic ip) subnet
      From ip: 95.59.69.179
      Ending ip: 95.59.69.190
      Subnet: 255.255.255.192
    • Router ip: 95.59.69.129
      Rental time: 3 hours
    • The range 95.59.69.130 to 95.59.69.149 we set up manually on the servers, hardware, etc.
    • DNS server: 95.59.0.100 & 95.59.0.200
      Default search domain: No. - dns - available.example.com
    • And then we have a group of static mappings to Mac-addresses
      ip address: 95.59.69.150
      IP: 95.59.69.178

    I tried to see in the configuration where I could the mappings static spesify range etc, but I can't say it got me anywhere. So my second question is how to install a server dhcp of Eric as a designated above?

    It's nice to finally convince the CEO to move the dhcp to a better metal, but it's not as nice having a hard time setting up. I would apprecitate every possible leeds and suggestions since I'm kinda stuck.

    Thanks in advance

    Rafn.R

    Hello

    My SGE2000P forwards DHCP requests on my DHCP server.

    I used my default VLAN1 as an interface routed to unicast request DHCP relay on my server (router ISR UC520) that resides on that VLAN 1.

    My interface Vlan 1 on my SGE2000P has an IP 192.168.10.254.

    My gateway address for potential hosts in VLAN 2 IP will be the ADDRESS IP I AI ASSIGNES to VLAN 2, because the PC or the IP hosts connected to VLAN2 will use IP VLAN2 interface as the gateway. It's just how it works!

    Hosts of PC on VLAN 2 need of a default route and they use the IP I assigned to VLAN2 as their next jump out VLAN2 on the real world.

    This address can be seen below.

    DHCP relay is enabled with the option 82

    I chose VLAN2 as an interface VLAN, as shown below.

    I have two ports not signposted in the VLAN2, and I joined an IP host to G1 so that I can test the DHCP relay.

    I get the following debug output from my dhcp server, so I know the relay is working.

    002624: 19:40:08.575 Dec 5: DHCPD: looking for expiry of the leases.

    002625: 19:40:58.408 Dec 5: DHCPD: DISCOVER notification to:

    002626: 19:40:58.408 Dec 5: DHCPD: htype 1 CHADRR 0025.84d8.d008

    002627: 19:40:58.408 Dec 5: DHCPD: id remote 020a0000c0a80a0101080001

    002628: 19:40:58.408 Dec 5: DHCPD: id circuit 00000000

    002629: 19:40:58.408 Dec 5: DHCPD: see if there is a specified internal pool class:

    But I must confess that I have opened a case on it with the Small Business Support Center, because I think I can see something wrong on my DHCP server debugging.

    But the key is that I see the router WAN/DHCP server, see the query from DHCP.

    The only way to the broadcast DHCP requests can get to the DHCP server, if the switch SGE2000P takes these DHCP broadcast requests and unicast these or relay to my server DHCP IP address 192.168.10.1.

    So in other words he tries to relay DHCP.

    I would ask you to please check the SGE2010 Administrator's guide because it clearly shows how to configure the DHCP on the SGE2010 relay.

    Even if the screen capture shows and the old version of the code below.  I have day my SGE2000P tonight at the generally available (GA) version of the code.

    Just outa interest, if you telnet to the switch, is your mode of layer 3 or Layer 2 switch.

    I can also say from your screenshot that your uplink ports are in overlay mode.

    Maybe if you don't use stacking, you can set your switch to the layer 3 mode and standalone mode

    Best regards, Dave

  • Cisco WLC and Apple TV Bonjour

    Hello

    I followed the guide on http://www.cisco.com/en/US/docs/wireless/technology/bonjour/7.5/Bonjour_Gateway_Phase-2_WLC_software_release_7.5.html on activation of Cisco WLC 7.5 with Apple TV Bonjour; however, I have a weird problem. I have some clients unable to see the Apple TV connected to a different wireless access point, while some can see the connected Apple TVs. I have attached my setup for reference. I would like to inquire about the use of LSS, and whether perhaps someone has encountered similar problems? The Apple TV is discovered by the WLC on mdns-domain names.

    According to the document, multicast has been activated not however the discovery of the apple tv is intermittent of apple customers. Customer can discover apple tv 1 and 3 but not apple tv 2 and sometimes it can discover all 3 apple TV while client B is able to perceive all apple TV devices 3. All 3 apple TV devices are discovered by WLC and only apple TV service has been activated on WLC.  I was wondering if anyone has seen a similar question? Not too sure what can be the cause of it?

    Any suggestion is appreciated.

    Some of the docs didn't do it, but it is required as all my installation requiring Bonjour, set multicast implementation.

    Thank you

    Scott

    Help others using the system of rating and marking answers questions like "answered."

  • WLC and Linksys DHCP problem

    Hello

    I have a WLC 2112 and a DHCP Server enabled on a Linksys router. I set up a wireless LAn to have the IP address of the Linksys DHCP server, but it does not work and when I configure the DHCP anthor server it works.

    Can you help me please

    Your controller cannot ping the LinkSys Router? In addition, you set up the DHCP server on the interface of the controller, correct?

  • ISE with WLC AND switches

    Hello

    We run 3xWLC controller with 800 AP using ISE 1.2 for authentication wireless 802.1x. I was looking in the config of the ISE and notice of 400 edge cheating only 2x2960s are configured with 802.1x (ISE RADIUS config) and SNMP and only 2 of the port is 2 ap tie with switch remaining ports, and the 3XWLC in network devices.

    I do not understand how an access point is to do this work (802.1 x) because it is location on different site and people are connecting to various different locations. ISE almost run/do 11 876 profiled ends.

    version 12.2
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$ fokm$ lesIWAaceFFs.SpNdJi7t.
    !
    username Test-RADIUS password 7 07233544471A1C5445415F
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting system default start-stop group radius
    !
    !
    !
    !
    aaa server radius dynamic-author
     client 10.178.5.152 server-key 7 151E1F040D392E
     client 10.178.5.153 server-key 7 060A1B29455D0C
    !
    aaa session-id common
    switch 1 provision ws-c2960s-48fps-l
    authentication critical recovery delay 1000
    !
    !
    ip dhcp snooping vlan 29,320,401
    no ip dhcp snooping information option
    ip dhcp snooping
    no ip domain-lookup
    ip device tracking
    !
    logging of the EMP
    !
    crypto pki trustpoint TP-self-signed-364377856
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-364377856
     revocation-check none
     rsakeypair TP-self-signed-364377856
    !
    !
    crypto pki certificate chain TP-self-signed-364377856
     certificate self-signed 01
     quit
    dot1x system-auth-control
    dot1x critical eapol
    !
    spanning-tree mode pvst
    spanning-tree extend system-id
    no spanning-tree vlan 294-312,314-319,321-335,337-345,400,480,484-493,499,950
    !
    !
    !
    errdisable recovery cause udld
    errdisable recovery cause bpduguard
    errdisable recovery cause security-violation
    errdisable recovery cause channel-misconfig (STP)
    errdisable recovery cause pagp-flap
    errdisable recovery cause dtp-flap
    errdisable recovery cause link-flap
    errdisable recovery cause sfp-config-mismatch
    errdisable recovery cause gbic-invalid
    errdisable recovery cause psecure-violation
    errdisable recovery cause port-mode-failure
    errdisable recovery cause dhcp-rate-limit
    errdisable recovery cause pppoe-ia-rate-limit
    errdisable recovery cause mac-limit
    errdisable recovery cause vmps
    errdisable recovery cause storm-control
    errdisable recovery cause inline-power
    errdisable recovery cause arp-inspection
    errdisable recovery cause loopback
    errdisable recovery cause small-frame
    errdisable recovery cause psp
    !
    vlan internal allocation policy ascending
    !
    !
    interface GigabitEthernet1/0/10
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/16
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/24
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/33
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/34
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/44
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/46
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/48
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/49
     description link GH
     switchport trunk allowed vlan 1,2,320,350,351,401
     switchport mode trunk
     mls qos trust dscp
     ip dhcp snooping trust
    !

    interface GigabitEthernet1/0/52
     description link CORE1
     switchport trunk allowed vlan 1,2,29,277,278,314,320,401
     switchport mode trunk
     mls qos trust dscp
     ip dhcp snooping trust
    !
    !
    interface Vlan320
     ip address 10.178.61.5 255.255.255.128
     no ip route-cache cef
     no ip route-cache
    !
    ip default-gateway 10.178.61.1
    ip http server
    ip http secure-server
    ip http secure-active-session-modules none
    ip http active-session-modules none
    !
    !
    ip access-list extended ACL-AGENT-REDIRECT
     deny udp any any domain eq bootps
     permit tcp any any eq www
     permit tcp any any eq 443
    ip access-list extended ACL-ALLOW
     permit ip any any
    ip access-list extended ACL-DEFAULT
     permit udp any eq bootpc any eq bootps
     permit udp any any eq domain
     permit icmp any any
     permit tcp any host 10.178.5.152 eq 8443
     permit tcp any host 10.178.5.152 eq 8905
     permit udp any host 10.178.5.152 eq 8905
     permit tcp any host 10.178.5.152 eq 8906
     permit udp any host 10.178.5.152 eq 8906
     permit tcp any host 10.178.5.152 eq 8909
     permit udp any host 10.178.5.152 eq 8909
     permit tcp any host 10.178.5.153 eq 8443
     permit tcp any host 10.178.5.153 eq 8905
     permit udp any host 10.178.5.153 eq 8905
     permit tcp any host 10.178.5.153 eq 8906
     permit udp any host 10.178.5.153 eq 8906
     permit tcp any host 10.178.5.153 eq 8909
     permit udp any host 10.178.5.153 eq 8909
     deny ip any any
    ip access-list extended ACL-WEBAUTH-REDIRECT
     deny ip any host 10.178.5.152
     deny ip any host 10.178.5.153
     permit tcp any any eq www
     permit tcp any any eq 443

    ip radius source-interface Vlan320
    logging esm config
    logging trap alerts
    logging origin-id ip
    logging source-interface Vlan320
    logging 192.168.6.31
    logging host 10.178.5.150 transport udp port 20514
    logging host 10.178.5.151 transport udp port 20514
    access-list 10 permit 10.178.5.117
    access-list 10 permit 10.178.61.100
    snmp-server engineID local 800000090300000A8AF5F181
    snmp-server community W143L355 RO
    snmp-server community w143l355 RW
    snmp-server community lthpublic RO
    snmp-server community lthise RO
    snmp-server trap-source Vlan320
    snmp-server source-interface informs Vlan320
    snmp-server enable traps snmp authentication linkdown linkup coldstart
    snmp-server enable traps cluster
    snmp-server enable traps config
    snmp-server enable traps entity
    snmp-server enable traps ipsla
    snmp-server enable traps syslog
    snmp-server enable traps vtp
    snmp-server enable traps mac-notification change move threshold
    snmp-server enable traps vlan-membership
    snmp-server host 10.178.5.152 version 2c lthise mac-notification
    snmp-server host 10.178.5.153 version 2c lthise mac-notification
    !
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 10.178.5.152 auth-port 1812 acct-port 1813 test username test-RADIUS key 7 03084F030F1C24
    radius-server host 10.178.5.153 auth-port 1812 acct-port 1813 test username test-RADIUS key 7 141B060305172F
    radius-server vsa send accounting
    radius-server vsa send authentication

    Any help would be really appreciated.

    I'm not sure that I completely understand the question, but if ISE is only for wireless policy, then none of the wired switches need any ISE configuration.

    Access points tunnel all wireless traffic to the WLC over CAPWAP (unless you use FlexConnect). It is the 802.1X configuration on the WLC that implements the policies defined in ISE.

    The wired switches never need to act as a network access device (NAD) and so do not need to be defined in ISE unless or until you want to apply ISE policies to wired devices...
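A check one could run over a switch configuration like the one posted in the question above, as an added example that is not part of the original thread: it flags access ports where 802.1X is not enforced, where open mode has no ingress ACL, or where the ingress ACL name is never defined. The sample config and the name ACL-TYPO are constructed, and the parser assumes standard IOS syntax with sub-commands indented under each interface.

```python
import re

# Constructed sample in IOS syntax, modelled on the stanzas in the post (not the poster's config).
SAMPLE = """\
interface GigabitEthernet1/0/47
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication open
 authentication port-control auto
!
interface GigabitEthernet1/0/48
 switchport mode access
 ip access-group ACL-TYPO in
 authentication open
!
interface GigabitEthernet1/0/49
 switchport mode trunk
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 deny ip any any
"""

def parse_interfaces(config):
    """Map each interface name to the list of its sub-commands."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split()[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the stanza
    return stanzas

def audit(config):
    """Return (interface, finding) pairs for access ports; trunks are skipped."""
    defined = set(re.findall(r"^ip access-list extended (\S+)", config, re.M))
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue
        acls = [c.split()[2] for c in cmds if re.fullmatch(r"ip access-group \S+ in", c)]
        if "authentication port-control auto" not in cmds:
            findings.append((name, "no port-control auto: 802.1X/MAB not enforced"))
        if "authentication open" in cmds and not acls:
            findings.append((name, "open mode without an ingress ACL"))
        # IOS treats an undefined ACL as not applied, so it filters nothing.
        findings += [(name, f"ingress ACL {a} is not defined") for a in acls if a not in defined]
    return findings
```

Calling `audit(SAMPLE)` reports two findings, both on GigabitEthernet1/0/48; the trunk port and the correctly configured port produce none.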

  • 4402, ASA 5505, guest network and DHCP

    Currently I have a 4402 set up with a guest network VLAN. The 4402 is connected to a 6509. A port on the 6509 is defined as an access port in the guest VLAN. This port is directly connected to a Verizon DSL router, which handles DHCP (192.168.1.X). The DSL router is not set up for trunking, nor does it recognize VLANs; everything passes untagged. This configuration works. We are changing providers and I have a spare ASA 5505 that I am using. I set it up on the same subnet the DSL modem was installed on (192.168.1.x) and enabled it as the DHCP server. All wired connections work fine. When I connect it to the 6509, guest wireless clients cannot obtain a DHCP address. I can ping the ASA from the 4402 and the 4402 from the ASA. I assumed that because the traffic leaving the ASA is untagged it would work. Any ideas?

    Thank you

    Brian

    The ASA will not allow DHCP proxy, so you'll need either to disable it on the WLC or move the DHCP server function from the ASA to the WLC.

    -John
