l have implemented mac filtering auth on my wireless network, l have 2 WLC ( 1 WLC 5508 and 1 WLC 4402, and I wonder if you can migrate the mac address database of a WLC to another and how can l do this.
View 4 RepliesI've been asked to configure mac-address filtering on our WLC 4402 and it was basically straight forward. however i noticed that in creating the filter you can only choose 1 SSID or the other option would be to choose all? My question then is what happens if i need a user one 2 specific SSIDs? can i create separate filters for each SSID but using the same mac?
View 1 Replies View RelatedI have a 4402 being used as a dmz anchor and we use WCS to allow our Helpdesk to create lobby ambassador accounts. Recently they have been getting error messages when attempting to create accounts. I am seeing the database maxxed out at 2048. The docs state database entries are made up of mac filters(don't use)..ap mic/ssc(don't use)..Dynamic interfaces(minimal) management users(2) local netusers (100 approx)..and excluded clients(none). So the numbers don't add up.I am on 4.2.61.0 code.. I will say also that WCS shows alot more netuser accounts than my anchor does but no where the numbers to max out the database. Is there some other criteria that hits against the datasbase number?? And what can I do on the WCS to insure it si synch'd up against the dmz anchor other than a audit..
View 3 Replies View RelatedWhen I try to add new MAC entrys to the WLC I get the following message unable to add mac entry to database, reached max size the problem is when I look at the stats there is only 386 MAC entry and the databse size was set to 1024 entry..The work around was to increase the size of the database to 2048.Is there any why to clean up the database?
View 2 Replies View RelatedWe have implemented a local MAC address filter database on a WLC 4402. Right now, management access is restricted to a select few administrators. We would like to extend the ability of our PC services group to add MAC entries to this database via a script (avoiding the necessity to create Read/Write management user accounts). Is this possible? Is there a better way to accomplish this objective ?
View 7 Replies View RelatedReceiving the following syslog message from a 4402 WLC:
%CAPWAP-3-AP_DB_ALLOC: capwap_ac_db.c:145
Unable to allot AP entry in database. We receive this message about once a minute on average. I can't find any documentation saying what it is. It looks like a database error, which makes think it might be a memory issue or an issue with having too many AP's on the WLC. However, that controller has less than 30 AP's on it.
we use wlc 4402 (Software Version 7.0.98.0) and want to allow only several wlan nic vendors to connect to a wlan ssid.According to this, is it possible to configure MAC Filtering with wildcards, e.g. aa:bb:cc:* ?
View 1 Replies View RelatedI work at a campus and use the WCS to control access to my network for staff and only internet access for students. The Staff are assigned Username/password thru active directory and the student uses another SSID with only WPA --a password for all. I was tasked with adding more securing for students -- by adding a user/password. I do not want them connecting to my Active Directory for two reason--security risk and I have too many to input (over 1000). So, I wanted to use our internal database to validate users. I create a webpage with "WebAuth" that opens my logon page from my site and validates the login fields against the database. It works and this allows the user to navigate thru my website but not outside the site. If they try an outside url it redirect them to my logon script. I now understand why, so I'm looking for code I can add to my logon page that would allow me to redirect me to the controller's (once users are authenticated by my database) to call the WCS controller so I can enter a preset username/password so the policy management file would allow them access. I presently use "External" and don't know if "Custom" would work. Finding a way in using a database instead of adding one person at a time?
View 3 Replies View RelatedI am trying to block clients based on MAC addresses connecting to our Wireless Guest network.
My scenario is: We have 2 interfaces (corporate and a guest). Users are connecting to our guest network after they have automatically connected to our corporate network and logged into Windows. When they realise that things are not quite working in the way they want (access to servers etc...), they reboot and then find they cannot logon to the laptop at all. This is because the laptop has automatically rejoined the guest network and has no access to AD. I then have to locally logon to the laptop and remove the guest network.
It’s starting to become a bit of a pain as we are an educational establishment and... well... you would wouldn’t you
Hardware: WLC5508, Software Version 7.3
So far I’ve tried enabling MAC Filtering under “Security -> AAA -> MAC Filtering”, but found out that it’s a white list. The opposite of what I’m trying to achieve, but I like the fact you can link it to a specific interface.
I’m just looking at the “Disabled Clients” again under “Security -> AAA ->”, but think this is more a total ban as I cannot see a method at attaching it to an individual interface. I'm kindda stuck and my good old friend Google is not yielding great results.
I’m not by any means a wireless expert, so there is probably a better method. I would prefer to use the controller as a way of achieving this, but if you think I’m wasting my time and should be looking at a Windows Group Policy method then I’ll go with that?
I am curious if I can do an either or sitution with a single SSID. If you are on the mac filtering list then you gain access to the network, if not then enter your WPA2-ENT credentials. I have a minimal ammount of users that need mac filtering, but do not want to give them there own SSID.
Cisco WLC 5508 7.4 code
I need to install one 5508 and a 4402 together to bring redundancy to a wireless environment.Can I do this?. What are the neccesary steps to perform this?, the idea behind this is to bring redundancy is the primary WLC falls for any reason.
View 4 Replies View RelatedWe are deploying two 5508 WLC running 7.2 ios. Is it possible to anchor these to a 4402 running 7.0.116.0. Is there any version mismatch issues. We can find documents on the older compatibility but not on the new code.
View 9 Replies View RelatedWe have 2 WLCs, 4402 (main) and 5508 (backup). While we turn on both devices, 4402 have 10 APs, and 5508 have 10 APs as well. Total connected clients will be 120+, but when we turn off either 1 wlc, let's say only 4402 is power on, total 20 APs joined, but the total client will be 90+, never reach over 100 clients. The same happened on 5508, is there any maximum associated connection on WLC?
View 1 Replies View RelatedMy customer has a 4402-25-K9 and need a backup (failover) controller to avoid data transmision break when primary controller goes down.4402 are end of sale so I have a question can I use 5508 to get Controller Failover Protection with 4402 ?
View 3 Replies View RelatedAny instructions on performing an upgrade from a 4402 to 5508?
View 7 Replies View RelatedI had configured one access point CAP3602E in flex connect mode through a WLC 5508 after deploying the access point in flex control mode the local mac-filering is not working. before it was working when ap was in local mode. any body have to know is the mac-filtering working in flex-control mode ?
View 2 Replies View RelatedAny chance the filtering features on the 5508 controller code will make it into WCS at some poiint? Being able to sort these lists would be invaluable.
View 5 Replies View RelatedI am running 5508 wireless controllers. I pass along another agency's WLAN across my wireless network that is anchored to their older 4402 controller.
I wish to run the new 3600 series APs and am planning on migrating to NCS and the new 7.2 code.
I know that the older 4400 series controllers will not handle the newer 7.1 or 7.2 code. However, i still wish to maintain this anchor relatiosnhip with the older 4402 controller. I need to know if this will work or not.
I'd like to replace my 4402 Wireless controller with a new 5508. I have migrated the exact configuration from my 4404 controller to the 5508 and they are both running the same version of code. I'm worried that if I replace the 4402 with the 5508 controller, the Access Points will not rejoin to the new controller or they will join but will have lost their configuration e.g. AP Name/location etc etc. AP models registered to the existing controller are 1131, 1142 and 3502. I am also using Cisco WCS.
As long as the new controller has the exact same configuration, is it possible to replace the 4404 with the 5508? Will the existing Access Points join the new controller? Is there any other configuration required? I have read about doing this using mobility groups however would rather not if possible.
We currently run six 4402 Wireless lan controllers - these are managed by a WCS server - soon to be replaced by Cisco Prime. We run a mixture of LAP1242 and LAP1142 wireless access points. I need to add more but have been told by my supplier that the both these AP's are now end of sale and cannot be purchased.
The replacement AP's are the 2600 series - but I have been told that these are not compatible with my existing 4402 controllers.
To make matters worse I was then advised that if I purchase the new 5580 controllers the older LAP1242 access points will not work with it and require replacing - this, for me, is a lot of access points.
What I need to know is:
What access points, if any, are currently available that are compatible with my 4402 controllers and a future 5508 installation?
I ssem to be in a situation now where I cannot buy any access points that will work with my 4402's but if I upgrade all my current 1242's will not funtion with the new 5508 controller!
We have got a WLC 4402 as an anchor that provides guest internet access to our visitors. Our wan sites have 4402's running a tunnel to this anchor for guest traffic. We have got a new site coming up that will have a 5508 as its WLC. I am trying to determine if the 5508 will successfully form a tunnel with the existing 4402 anchor. I am assuming that it will be ok or maybe the 4402 will require an ios upgrade. Our AP's everywhere are 1131's but the new site will have the later versions which can work with the CAPWAP based 5508.
will the tunnel between the 4402 and 5508 work well or will it require an ios + bootstrap upgrade on the 4402 and subsequently the rest of the 4402's or it will not work altogetherwill the CAPWAP AP's at the new site work well with the 4402 LWAPP anchor - I am assuming that they will since the CAPWAP compatibility requirements are really between the AP and its local WLC. Our 4402's are on 4.2.61.0 and I am proposing to management that we should upgrade these to 7.0.116.0 to prepare the infrastructure for any potential issues.
My client has on cisco 4402 controller running with 48 AP on this. Client requires to add another 25 AP but licence on the current controller is not supported client bought another controller 5508 with 25 AP.
I have been tasked to installe 5508 with conjestion of 4402. I have make the software version on both of them as below
AIR-CT5500-K9-7-0-235-3.aes
AIR-WLC4400-K9-7-0-235-3.aes
To match the same IOS version on both the controller. I have following challenges with me.
- 5508 will registered 25 AP while .. 4408 will continue with 48 AP.
- 5508 is going to be in DC and it will be directly connected to firewall as default gateway for guest SSID. 4402 is going to be on another building.
- How can I make sure that Users connected to AP registered with 4402 will have the same deafult gateway as 5508. Thre is no layer 2 connectivity between this two controllers.
- There is no romaing going to happen between this two controller as both are two different locations and user will leave one location will disconnect and it joines bak when it reach to another controller.
- Is there any way to configure 5508 as master and 4402 as slave kind of connections?
I have attached a diagram of the current topology. At present, we have two 5508 connected to our core. We also have a 4402 behind the firewall (DMZ) just purely for guest access. So the staff users connect to the access point which in turns connects to the Staff WLC 1 (if this fails then to Staff WLC2). any guest user connect to the access point which in turn connects to Staff WLC which anchors to Guest WLC which then provides access. Since the guest is behind the DMZ they can only access the internet and not out internal network.
Now we want to office extend our network - we want our users to use 1132 AP at home to access the Infrastructure. is there a way we can do this without disturbing the existing infrastructure. On reading Cisco website, i know the best practice is to use 2 5508 (one behind the firewall and the other anchored to this access the internet network ) i thought since we have a Cisco (dmz) switch (48 port) and only the 4402 (Guest WLC) is connected to it, maybe purchase another 5508 WLC and connect to the 48 port Cisco (dmz) switch. will this work?
I just upgraded to the Belkin N750 DB router from the version just below it and couldn't get the wireless card (Ralink RT2760) in my daughter's dual-boot WinXP/Ubuntu 10.04 to connect to the WPA security setting (WEP only) on the Ubuntu side. There is an updated driver, but it's way above my Linux skill set, so instead I just disabled security completely, and used the MAC Address filtering to add all of our household devices.This solved her connection problem, but I am wondering if there is any danger to this method that I might not have considered
Originally Posted by BelkinMAC Address FilteringThe MAC Address Filter is a powerful security feature that allows you to specify which computers are allowed on the network. Any computer attempting to access the network that is not specified in the filter list will be denied access. When you enable this feature, you must enter the MAC address of each client on your network to allow network access to each. To enable this feature, select "Enable MAC Address Filtering". Next, enter the MAC address of each computer on your network by clicking "Add" and entering the MAC address in the space provided. Click "Apply Changes" to save the settings. To delete a MAC address from the list, simply click "Delete" next to the MAC address you wish to delete. Click "Apply Changes" to save the settings.
I have 10 Access-Point model 1131 AG are new AP.
When I connect the access-Point to the network, the AP associate only one time but i go to wireless for see the AP, i can see downloading of IOS, but the ios is 3.0.59, the ap don not nothing. I can not change any parameters.
I have two WAP 321 devices set up in our building they are on the same subnet with the same SSID and are using the WDS bridge mode. My question is, if i enable mac-address filtering on one of these devices will this infomation be passed to the other bridged device? or would the allow/deny list need to be populated manually on each device?
View 2 Replies View RelatedWe currently have all of our foreign AP controllers on software version 7.0.116. This consists of a mixture of 4400 and 5508 WLC's. Our guest anchor is a 4402 on version 7.0.116. We are replacing the guest anchor with a 5508. We are also upgrading our 5508 wireless controllers to version 7.2 to support the 3600 series AP's. My question is what is the recommeded code that the anchor controller should be on? Should it also be upgraded to 7.2? If we upgrade the anchor controller to version 7.2, will this affect anchoring to 4400 series foreign controllers still on7.0.116?
View 9 Replies View Relatedi am using two Cisco AP 4410N series in my network .Wants to use MAC address Filtering but it supports only 20Nos of MAC to add in the AP.
Is there any way like IOS upgrade the AP supports more MAC Address to add.
I'm attempting to block about 10 to 15 users on the wireless by using MAC address filtering on the Aironet. I referenced the following link: URL,The policy does indeed work, but once I apply the filter all traffic on the wireless for that particular VLAN stops. Why would this happen? I wouldn't think I need to configure anything else for this to work, but maybe I'm wrong.I was looking over the config and I noticed that each time I added a MAC address to the filter, it would create and access-list 701 deny 0000.0000.0000 ffff.ffff.ffff Once I removed this access-list, traffic starting flowing again, but when I add another MAC address the access-list shows up again.
View 15 Replies View RelatedCAn we filter MAC address in LAN using ASA 5520 , whats the method ?
View 2 Replies View RelatedDoes ASA 8.3 support MAC address filtering, I want to allow a single specific laptop to login to the ASA 8.3 firewall (for management) from anywhere on the internet, I know I can do it through VPN but I want a simple MAC address access list or something......
View 3 Replies View RelatedHow does MAC address filtering secure a network?
View 9 Replies View RelatedI have had a great experience with my old DIR-655 (rev A) router. However, I would like to upgrade to a newer and better D-link router for my home that contains many well-connected children. Which routers are like my DIR-655, and have better overall performance than the DIR-655 without necessarily using the benefit of the 5 GHz second band. What better performing routers can record more than 24 MAC addresses in the Network Filtering area? I understand many people don't agree with MAC address filtering, but I like it to keep my kids from giving out my network password to all the neighbor kids and their friends too. So, MAC address filtering works for me. Or, should I just get an updated version of the DIR-655?
View 5 Replies View Related