Cisco :: 5508 Enable AP Mode To Rogue Detector From Details Page Of AP
May 28, 2012
(5508 WLC, 1142N APs).I understand if I enable the AP mode to Rogue Detector from the details page of the AP, the AP stops accepting requests and is now looking for rogue items on the wired network. Is this the same when I enable Rogue Location Discovery Protocol? Will I lose the wireless functionality of all of my APs on the controller?
Next question, when I look at the Rogue Summary on the Monitoring page I see three Adhoc Rogue devices. When I select the Detail link only one shows. I remember the other two were HP mutifuction devices with WIFI enabled but I cannot retrieve that information anymore.
I am testing rogue on wire using 5508 WLC and , I have a dedicated AP configured as rogue detector and configured the switch port where the Rogue detector is connected as trunk. I have plugged in an autonomous AP with open authentication to the same switch so that it can act as a rogue. On the WLC, I can see that Autonomous AP as rogue on Wire. But along with that I am seeing another AP as rogue on wire, even though i have plugged in only one Autonomous AP to the switch.
If you deploy a Cisco 1242 a/b/g access point as a rogue detector, can this be used for 802.11n wired detection as well.i.e Will the controller send the MAC addresses of the 802.11n clients and APs. url...
I'm using a 2504 controller. I dont have WCS.My questions are about the best way to configure a Rogue Detector AP.
In my lab environment I setup the WLC with 2 APs. One AP was in local mode, and I put the other in Rogue Detector mode.The Rogue Detector AP was connected to a trunk port on my switch. But the AP needed to get its IP address from the DHCP server running on the WLC. So I set the native vlan of the trunk port to be the vlan on which the WLC management interface resides. If the trunk port was not configured with a native vlan, the AP couldn't get an address through DHCP, nor could the AP communicate with the WLC. This makes sense because untagged traffic on the trunk port will be delivered to the native vlan. So I take it that the AP doesn't know how to tag frames.Everything looked like it was working ok.
So I connected an autonomous AP (to be used as the rogue), and associated a wireless client to it. Sure enough it showed up on the WLC as a rogue AP, but it didn't say that it was connected on the wire. From the rogue client I was able to successfully ping the management interface of the WLC. But the WLC never actually reported the rogue AP as being connected to the wired network.So my questions are:
1. What is the correct configuration for the trunk port? Should it not be configured with a native vlan? If not, then I'm assuming the rogue detector AP will have to have a static IP address defined, and it would have to be told which vlan it's supposed to use to communicate with the WLC.
2. Assuming there is a rogue client associated with the rogue AP, how long should it reasonably take before it is determined that the rogue AP is connected to the wired network? I know this depends on if the rogue client is actually generating traffic, but in my lab environment I had the rogue client pinging the management interface of the WLC and still wasn't being picked up as an on-the-wire rogue.
I had configured one access point CAP3602E in flex connect mode through a WLC 5508 after deploying the access point in flex control mode the local mac-filering is not working. before it was working when ap was in local mode. any body have to know is the mac-filtering working in flex-control mode ?
I have a 5508 controller with 70 AP's ( a mix of 1131 and 1142). On the Monitor tab I can see under the Rogue Summary numerous "Rogue AP's" as well as the clients associated to these AP's. There are no Rogue AP's on my wired network according to the report. My question is this: What actions should I take regarding these "Roague AP's"? Many of them appear to be just other AP's in the residential area near by. I know I can take action to classify them as Friendly or Malicious as well as Internal or External, but what benefit is there to doing this? Will taking these actions keep my AP's from scanning off channel for Rogues? I read that if a "Rogue AP" is not on the wired network that is really is not considered a threat. Any Cisco best practices regarding how to handle detected Rogue AP's ?
We have recently deployed a wlc5508 & some 40+ 3502i APs at the location.In the wlc I notice quite a few "rogue AP" listed with ssid's.
Is there a way within the wcs or wlc to determine better if any of these rogue AP are on my Lan?If I can locate the mac address of the ethernet port on the rogue AP I can track the port down on the appropriate switch & shut it down.
I have the wireless controller 5508 and many AP1261 registered on site. It detects a lot of rogue access points around. I would like to find out geographic location of these rogue access points. Is it possible?
how to Config the ACS 4.2 server runs in TACACS + mode (users accounts configured the ACS) mode to authenticate enable mode password on the asa using the same AD account?
I have a TWC wideband modem and service. I know that they will enable bridge mode if I ask them. My questions are. After they enable it whats my setup? Do I just run a cable from their modem into a new router that I then set up on my own? Is it that simple?
I have a Cisco 5508 controller and am considering using LAG. Can I enable LAG but only use 2-4 of the 8 available ports on the 5508? I am asking because currently I don't have enough ports on my 3750G switch to accomidate all 8 ports on the 5508.
I am trying to block clients based on MAC addresses connecting to our Wireless Guest network.
My scenario is: We have 2 interfaces (corporate and a guest). Users are connecting to our guest network after they have automatically connected to our corporate network and logged into Windows. When they realise that things are not quite working in the way they want (access to servers etc...), they reboot and then find they cannot logon to the laptop at all. This is because the laptop has automatically rejoined the guest network and has no access to AD. I then have to locally logon to the laptop and remove the guest network.
It’s starting to become a bit of a pain as we are an educational establishment and... well... you would wouldn’t you
Hardware: WLC5508, Software Version 7.3
So far I’ve tried enabling MAC Filtering under “Security -> AAA -> MAC Filtering”, but found out that it’s a white list. The opposite of what I’m trying to achieve, but I like the fact you can link it to a specific interface.
I’m just looking at the “Disabled Clients” again under “Security -> AAA ->”, but think this is more a total ban as I cannot see a method at attaching it to an individual interface. I'm kindda stuck and my good old friend Google is not yielding great results.
I’m not by any means a wireless expert, so there is probably a better method. I would prefer to use the controller as a way of achieving this, but if you think I’m wasting my time and should be looking at a Windows Group Policy method then I’ll go with that?
I am configuring my 5508 WLCs with SW version 7.0.116.0. I configured a guest ssid with web-authentication enabled, but I cannot retrieve the login page on the controller. I configured the virtual interface with the addredd 1.1.1.1 SSID Layer 2 security: None SSID Layer 3 security: Web Policy enabled
I join the ssid with clients, receive the IP address correctly however when I try to open a web page, the login page does not appear. When I check the client status I see that it stuck in WEBAUTH_REQD state.
We’re currently using 5508 WLC’s and leveraging Cisco ISE for radius/authentication rule sets.I’m trying to get a splash page to flash and then redirect to a website after a successful authentication to an SSID. Everything on the wireless side works with no splash page (users connect to SSID,authenticate with AD credentials using 802.1X PEAP to our Cisco ISE box, and gain access to the network).When I enable ‘Splash Page Web Redirect’ on the WLC (under L3 security), I’m unclear on the ISE box where I set this up. When I look in the Cisco documention it says:Splash Page Web Redirect—If you select this option, the user is redirected to a particular web page after 802.1X authentication successfully completes. After the redirect, the user has full access to the network. You can specify the splash web page on your RADIUS server. How I specify this on the ISE box? Or am I totally off base?
I have setup an SSID with external Webauth, which is pointing to the login page on the NAC.All works fine but I cannot use the logout page which is customized on the NAC. I always get the internal default logout.html of the WLC and I cannot customize that.Every customization which I have done to the logout.html (then uploaded it on the WLC) will not be recognized.Is there a way to customize that logout.html?
I am trying to get users in the external identity store (AD) to be dropped directly into enable mode after being authenticated, since I don't know of a way to set an enable password for users in an external identity store. I think it has something to do with shell attributes but I'm not realy sure.
So here's what I tried.Linking identity group to external group and provide full command priviliges - enable still didn't work Creating duplicate users in the internal identity store and setting the password type field to AD1 - That gives me the ability to get to the enable password prompt hit enter on the blank promt then prompts for Old and new passwords but fails everytime with an Error in Authentication.
How i can enable promiscuous mode on my Atheros AR9285 Wireless Network Adapter? I'm using windows 7 starter.driver version of my Atheros AR9285 Wireless Network Adapter:9.2.0.427.
On my 2650 Router it just has only Telnet password.It has no enable mode password set.After reboot it is goes to prompt mode BB.I am unable to go to enable mode .how can i go back to enable mode on this router?
I configured the below config in Routers it is working good , but when i do the same in SWITCH-2960 , i am getting a problem not able to login to enable mode ... i am getting the basic login only ....
Error msg : % Error in Authentication.
Need to be configured at TAFE Network Devices: Code...
how do I setup an enable password for an ASA 5510? At the moment its setup to authenticate using RADIUS (which I'd like to keep doing) but I need to setup an enable mode password.
Is there a way to configure a ASA 5500 firewall so that when i access the firewall via SSH, my user is in privileged exec mode immediately after i have entered the log in credentials? So no need to enter "enable" anymore. I know how to do that with a router but couldn't figure it out for the ASA.
So I have a Windows 2008 R2 SP1 Enterprise Server and a gigabit LAN network card onboard. But it refuses to run at gigabit speed and if forced to it, it just says that network cable is unplugged and doesn't work.
I tried switching to a newer and better motherboard (still with gigabit LAN)I have updated drivers.I have checked cables (which are all cat 6 cables and work just fine with other computers in gigabit LAN mode)I've checked and switched ports on the switch and the switch itself...no change. They work just fine with other non-W2008 machines, they get gigabit LAN
I am completely stomped as to what I can do to fix this. It runs just fine in 100 Mbit mode, but can't in any way get it in gigabit mode.I am completely stomped as to why it refuses...is this a limitation of Windows 2008 or something or is there a fix to this?
under ubuntu 10.10.I have the cable DLC5 Xilinx.The problem is: I do not know how to enable the JTAG mode on the DAP-1160.I understand that I must set a pin on the 147 on the RTL8186. but I have no idea where is on the DAP-160 PCB.
I've been asked to create 2 wireless networks for guest access. They are to be used by clients of 2 different companies and they have asked for the website of each company to automatically open as a landing page. e.g.
-WLAN1 - password is companyname1 - landing page = www.companyname1.com -WLAN2 - password is companyname2 - landing page = www.companyname2.com
Is this possible with our 5508 WLC? I have googled it and can see that you can set a web auth page but I need different landing pages depending on which WLAN is connected to.
I know it is possible to create custom web auth splash pages on the WLC 5508. Is it also possible to embedd a small document (less than 1MB) that users can download directly from the controller? I need this for providing the terms of use for the Guest WLAN.
At present I have a WLC5508 as a guest anchor in a DMZ and a web-auth passthrough WLAN configured. There is a custom web bundle providing a terms and conditions page.
We want to start to capture the minimum data from a user that logs onto the guest wireless ( email address ) and would like to use the check email function on the controller - BUT - at the same time move from using the web bundle locally hosted splashpage on the controller to an external web server provided splashpage / walled garden.
From my understanding not sure that this is possible as the email check function is only valid in passthrough I think.
We have a centralized WLC with some branch office with AP's in Flexconnect Mode. The Wlans are configured to use Web Authentication (Landing Page). The Landing Page is Cisco Default.
We're experiencing some problem with Apple Devices, on some the Landing Page apperars on some not. The WLC Software is about 1 year old. On a XP machine the landing page doesn't appear too, but you can type in the address manually and it works.
Whats the best solution to include the Apple Devices successfully in the WLC Wireless World.
I have a 5508 WLC running 6.0.202.0. It functions as the Anchor Controller for the guest network. It sits in our Internet DMZ and is isolated from the rest of the network. It does not connect to AD, ACS, etc. The guest wireless WLAN is configured for Web Policy - Authentication. I have a customized login page. Credential management is done by WCS.
Users are connecting to the guest wireless network and entering their creds with no issues using mobile devices (iPad, etc). Then the mobile device goes to sleep / turns off and when they go to use it again, they have to type their creds in again. They dont like retyping their creds throughout the day.
good way mitigate the multiple logins? Something like a 'save password' option on the customized page?
