Cisco :: 5508s / FlexConnect Local Authentication / Usernames Not Showing In WLC / NCS?
Aug 5, 2012
I am working on a new install where the customer is using local RADIUS servers at each of their many campuses (for local dynamic VLAN assignment), while using a single set of controllers at the core of their network. For the record, we have set up a pair of 5508s (v 7.2.103.0) in their central data center with 3602i APs around the various campuses. We are using FlexConnect groups to locally authenticate and switch the users.
Right now, the config is working great as far as authentication and local switching goes. The problem we are experiencing is that none of the authenticated usernames are being passed back to the controller (and ultimately NCS). This makes the tracking and troubleshooting of users difficult. Is there something I am missing here? I can't seem to find any fixes relevant to this issue in the 7.2.110.0 release notes.
I have several 2602 AP's that I want to operate in FlexConnect mode. The WLC is at a central HQ and the Ap's are remote. There are central radius servers at the HQ for the wlans. At the remote lcoation, there is a local radius server we want to use for the primary radius server for these AP's. This radius server has been added to the WLC. I have setup a FlexConnect Group, designated the the primary and secondary servers, and then added the AP's to the group. It does not look like radius requests are being sent to the local controller.
For this to work, do we have to check the box under the wlan for FlexConnect Local Auth? Currently, we only have FlexConnect local switching selected.
I recently installed additional licenses on my 2 WLC 5508s. Then I installed NCS on a virtual appliance. Installed the NCS license, added the controllers, refreshed configs, created templates, etc. However, when I go to look at the License Center, I can't see any controller licenses. When I log directly on to the controllers themselves, the licenses say they are installed and "in use". I've looked all over and cannot determine why the controller licenses do not show up.
I am using 3945E Router as Easy VPN Server, with 15.1 IOS. On router I have bunch on usernames for VPN authentication, I want to restrict Router management access for them(ssh,telnet, http and so on).
after upgrading to 7.4.100.0 im getting this error message when trying to apply changes on the wlan id."mDNS profiling cannot be enabled with flexconnect local switching"if unselect mDNS snooping under (wlan id/advanced) i can apply the changes, but only temporary.when im looking the next time, the tick box mDNS snooping is enabled again.is this a bug or what?
I need to integrate Cisco ISE and WLC5508 with FlexConnect (local switching) using EAP-TLS security for wireless clients across multiple floors (dynamic VLAN assignments based on floor level). The AP model used is 3602.
- What RADIUS Attribute can be used for dynamic VLAN assignments based on floor level? Is there an option where I can group all LWAPs in same floor for getting certain VLAN from ISE?
- I intend to use WLC software version 7.2 since 7.3 is latest version. Has someone use WLC software version 7.3 without any major bugs/issues pertaining to FlexConnect and EAP-TLS?
- I read some documents saying L3 roaminig is where the associated WLC has changed. However if user move to different subnet but still associated to the same WLC, would this be consider as L3 roaming too?
I got a WLC4404 running software version 5.1.151.0 with 40 LWAPPs (mostly 1242AG). We got new Dell Latitude E6500 Laptops with Intel 5100 NICs. After upgrading the bios to the latest version and installing the latest wlan driver, wireless is working the most time.After about 4 reboots I see the following message in the WLCs logfile: "Thu Sep 18 13:53:10 2008 AAA Authentication Failure for UserName:host/hostname.domain.name User Type: WLAN USER".After I disable the wlan-card, it's working again.
I run several game servers here locally.... Counter Strike Source, Unreal Tournament 3, Call of Duty 4, Call of Duty 4 GunGame, Garry's Mod.
They all run in their own VM's. All VM's are accessable on wireless via any other protocol RDP and UT3 web admin. None of the games show up in the in game server browsers in the LAN. If you connect wired to the gig switch they show up.
If you go into the console of a game and connect directly to the IP of the machine you can enter the game. There is no problem connecting with the server only that it doesnt show up in the browser on wireless
Obviously my wireless router is funky. WRT160N with DDWRT. Currently setup as an AP.
if there was a way in which i could get every username and password associated with my email, sent to my email account. I want to delete some old accounts and stuff but where ive made so many ive forgotten all the passwords and usernames ect?
The link to Local area connection on the PC i am working on is no longer showing under Network and Sharing center. However the connection is up and I can access the internet. If I do an ipconfig /all I see the adapter setting as I set them. In device manager the device is working properly. I checked the BIOS and the NIC is enabled
im having trouble setting up site to site vpn from my 527w to my 877 series and thought it would be much easier to see whats going on the 527 if i could see command line
so ive ssh'd to the 527s ip address but none of the usernames/password combos work that let me in the web gui, what are the logins?
I want to have a local user in ACS that is permitted to login to routers. I have TACACS with AD already working but cannot get a local user to work. I used to do this in ACS 4.x.I created a user in the internal identity store.I tried configuring a policy to allow this users TACACS authentication multiple ways to no avail. I cannot find a config example doc and cannot figure it out from the user guide as the documention is sorely lacking.
Last time I tested with ACS, it worked but didn't do migration as there'll be changes from ADs. Now my customer wants ACS migration by creating new Group in AD, I also update ACS config. For the user from the old group, authentication is ok.For the user from the new group, authentication fails. With subject not found error, showing the user is from the old group.
Seems like ACS is querying from old records (own cache or database). Already restared the ACS but still the same error.
Note: My customer can only access their local ADs (trusted by Global ADs). Local ADs & ACS are in the same network, ACS should go to local AD first.How can we check or make sure it?
is it possible to validate the ACS Application Accounts against an external repository like LDAP? I have found that LDAP can be used only as Identity store to authenticate users on AAA clients and Network devices.
Is it possible to use both LDAP (to Active Directory) authentication for a WLAN defined on a 5500 series controller, and use the local user account database (AAA) for the guest vlan?
I have a new 2911 that I am trying to bring up but local authentication is failing. I know I have typed the username and password correctly but no go. When I try to http in it is failing as well. I even create a "Cisco, Cisco" account. I have a console connection and even that is failing.
Should I trunk the port to the AP or not. I have a WLC 5508 in the head office and have AP in the remote office. I do not want traffic in the remote office to traverse the wan back to the WLC. I want the users at the remote office to use the local sub net at the remote site.
Should I then trunk the AP port on the switch to the AP as I have multiple ssid's with different sub nets?
I'm having a problem configuring local EAP Authentication using CA (Windows Server) and LDAP server. I followed the URL:
[URL]
but it seems that CA has no effect. Any wireless client who has his own LDAP account can access to the network.What I want is just allow some wireless clients to access if they have approved CA before.
I am experiencing an issue where NX-OS on our 5010s is allowing both Local AND TACACS authentication concurrently. If I don't configure any aaa authorization commands, the locally logged in user has unmitigated access to the device. Once I enable aaa authroization, all commands issued by the locally logged in user are denied by ACS, but they can still log in to the device. When I comb through the logs on the ACS server, I see successful logins when TACACS credentials are used, and also the failed attempts when the locally configured credentials are used. On the switch, however, I receive "%TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond" when using locally configured credentials on the switch itself. We are running ACS v4.2.
I have 2 5508s (foreign and anchor both running 7.2.110.0) with an open WLAN configured via mobility anchors. This configuration works and has no problems. My next task is to incorporate a webauth page (accept/reject) to present the clients with AUP information, etc. On the foreign controller I created a test WLAN (open) and setup webauth Passthrough using the Cisco webauthbundle (wap.html), this works as intended, no issues. However I am at a loss as to how to incorporate the webauth Passthrough functionality on the WLAN that is configured for the mobility anchor.
Having performance issues running two 5508 controllers on the same network? One is running 7.3.101.0, the other is running 7.0.98.0. The legacy APs are connected to the WLC on the older code to support older hardware. The new WLC is accepting all the new 3600 APs. Once all legacy APs are replaced, the 5508 on old code will be disabled.
I recently upgraded our 5508s to 7.0.98 I am now seeing this message on the primary WLC while running adebug on a client *apfMsConnTask_1: Sep 29 11:05:36.114: Deleting the client immediately since WLAN is changed.
I have a problem configuring ClientLink on a FlexConnect local switching AP (3602i), the problem is that I can not see the clients that are using the ClientLink feature when entering the show interface dot11radio 1 lbf rbf command, the AP shows "Hardware beamforming stats not supported (radioid 0x3B00)" message instead of show the client information. I am using a 2504 Wireless LAN Controller running 7.3.101.0 software version, why is not working properly?
A customer have a bad coverage in a corner of his branch office. He like to add a mesh AP (MAP) in the near of that corner.
I checked allready the documention about Mesh but i'm not sure if Flexconnect and Mesh works togheter. This MAP is in a branch office and the WLC is in the head quarter therefore he likes to uses Flexconnect togheter with Mesh.
We have a 5508WLC recently updated to 7.2.110.0 since we are using CAP3602I-N-K9, this AP is intended to work as a H-REAP device and eventhough it is registering to the controller I can't get to see the WLANS on the list to map it to the local VLANS
I have verified and the WLAN is configured for local switching also have followed the steps listed here:URL
Still Can't see the WLANs under the Flexconnect tab on the AP?
A customer of mine has a centralized 2504 WLC with 7.2 code running. They have 1142N APs deployed locally as well as in remote sites (3) in FlexConnect mode. For no apparent reason last Thursday all the remote APs disassociated with the controller and could not rejoin. All the local APs remained up and unaffected.No changes to the WLAN, LAN, Firewall or MPLS WAN occured to cause this.The customer opened a TAC case and their determination was that ports 5246-5247 were not getting thru. When the customer engaged me this morning I had him run a packet capture on the Sonicwall firewall to prove out if the CAPWAP signals were leaving and returning across the WAN. Sure enough we can see this bi-directional traffic (pic attached). Also, I had the MPLS provider run a trace at the far end and they see the same traffic leave the remote site. And then an odd thing happened; one of the APs at one of the remote sites all of a sudden Joined the controller. So I tried rebooting the AP that is located in the same office, and it fails to Join. When I look on the controller under AP Join statistics, the last activity shows the controller receiving a Discovery Request and response is sent, but no further Config Request and response or Join Request and response.
However, I now have a number of devices... certain smartphones so far... that will NOT connect to a FlexConnect AP if it's a 1262AGN AP, but my older 1242G AP will accept the devices without issue. Same SSID, same encryption standards.
If I connect the devices to my guest network (no security), they will connect just fine to both APs, and Non-FlexConnect 1242 and 1262 APs will both accept the devices without issue using my private network.
In other words, it seems to be an issue specific to 1262AGN with my encryption security. My security is WPA2/AES with PSK. No additional security on the SSID.
We have a problem when I call bettween two 7925 in same SSID, VLAN voice. They cannot hear each other. The SSID and LAPs are in Flexconnet. From desk phones there are no problem and betwen one deskphone and one wireless phone there no problem too.
I want to use the flexconnect in the same network where the wlc is located. Normally we will do it for over WAN and branch office. But I want to use in the same main office to avoid more bandwidth utilization on my distribution layer. Wlc is connected on Distribution switch.I want to do local switching in the access layer switch.
The below is the sample topology. But real topology contains nearly 200 AP's(3600 series) and 20 access switches and so on.....So there is a chance of 200 AP * 350 Mbps can flow on the distribution layer.So ,
1)If I use flexconnect any issues will be occuring?
I have one WLC 2504 with 7.3.101.0 code and 4 APs 1142 in Flexconnect mode all of them are in one group with 2 SSIDs in two differents VLAN:
-Admin VLAN 151 -Corporate VLAN 158 -Guest VLAN 159 -The auth is 802.1x using an ACS ver 4.2
I connect my Laptop to the corporate SSID and start to have access to web services, intranet services, etc but arround 15 25 min after i connect i lost connectivity to my GW and all the services but i still have my IP info. I do some tests on MAC books, Laptop with Windows XP, 7 and 8 and its the same for all. I config one switch port in the corporate VLAN and i never loose connectivity.
If i reset the WLAN connection all start to works.The ports in the SW are in trunk mode and almost always the APs are in connect mode.
