Cisco Wireless :: 2602 Check Box Under Wlan For FlexConnect Local Authentication
Apr 4, 2013
I have several 2602 AP's that I want to operate in FlexConnect mode. The WLC is at a central HQ and the Ap's are remote. There are central radius servers at the HQ for the wlans. At the remote lcoation, there is a local radius server we want to use for the primary radius server for these AP's. This radius server has been added to the WLC. I have setup a FlexConnect Group, designated the the primary and secondary servers, and then added the AP's to the group. It does not look like radius requests are being sent to the local controller.
For this to work, do we have to check the box under the wlan for FlexConnect Local Auth? Currently, we only have FlexConnect local switching selected.
I am working on a new install where the customer is using local RADIUS servers at each of their many campuses (for local dynamic VLAN assignment), while using a single set of controllers at the core of their network. For the record, we have set up a pair of 5508s (v 7.2.103.0) in their central data center with 3602i APs around the various campuses. We are using FlexConnect groups to locally authenticate and switch the users.
Right now, the config is working great as far as authentication and local switching goes. The problem we are experiencing is that none of the authenticated usernames are being passed back to the controller (and ultimately NCS). This makes the tracking and troubleshooting of users difficult. Is there something I am missing here? I can't seem to find any fixes relevant to this issue in the 7.2.110.0 release notes.
after upgrading to 7.4.100.0 im getting this error message when trying to apply changes on the wlan id."mDNS profiling cannot be enabled with flexconnect local switching"if unselect mDNS snooping under (wlan id/advanced) i can apply the changes, but only temporary.when im looking the next time, the tick box mDNS snooping is enabled again.is this a bug or what?
I need to integrate Cisco ISE and WLC5508 with FlexConnect (local switching) using EAP-TLS security for wireless clients across multiple floors (dynamic VLAN assignments based on floor level). The AP model used is 3602.
- What RADIUS Attribute can be used for dynamic VLAN assignments based on floor level? Is there an option where I can group all LWAPs in same floor for getting certain VLAN from ISE?
- I intend to use WLC software version 7.2 since 7.3 is latest version. Has someone use WLC software version 7.3 without any major bugs/issues pertaining to FlexConnect and EAP-TLS?
- I read some documents saying L3 roaminig is where the associated WLC has changed. However if user move to different subnet but still associated to the same WLC, would this be consider as L3 roaming too?
We have a 5508WLC recently updated to 7.2.110.0 since we are using CAP3602I-N-K9, this AP is intended to work as a H-REAP device and eventhough it is registering to the controller I can't get to see the WLANS on the list to map it to the local VLANS
I have verified and the WLAN is configured for local switching also have followed the steps listed here:URL
Still Can't see the WLANs under the Flexconnect tab on the AP?
I'm reading up on H-REAP in the Deploying and troubleshooting Cisco Wireless LAN Controllers book (Chapter 13) and I would like some clarification on the except below.:"Also notice that, as part of the WLAN configuration, no mention was made of choosing and interface for the WLAN. Unless you will have APs in local mode servicing a WLAN configured for local switching in conjunction with H-REAP APs, the controller interface is irrelevant because the controller will not bridge the client traffic on the network.The H-REAP performs that function. Even if you will not be using any local mode APs, you must choose an interface to be associated with your WLAN. In this case, you could use the management interface or create a quarantine VLAN interface, for example if you do not want client traffic to be bridged by the controller if the client traffic is no longer locally switched."Our corporate office has 2 5508 controllers and 150+ APs in local mode. I'm preparing to deploy a couple of H-REAP APs to a remote site to test. Is this saying you have to choose an interface when creating a WLAN, but if the WLAN will only be used by H-REAP APs w/ local switching it does not matter which interface is used when creating the WLAN. If there are APs in local mode using the same WLAN, the interface the WLAN associates with needs to be on the same subnet as the devices connecting the the WLAN?
Charter tech came today to solve my problem of my new modem not working, he fixed the Modem but i think he did something to the lan proxy settings after.I'm trying to set up my Belkin wireless G router but i do not have the orginal CD. What should my address be under the "Use a Proxy server for your LAN" checkbox and what is the port and should i check off the bypass proxy server for local address box?
I have a strange situation on my guest wireless LAN.The guest WLAN is configured as an SSID "GUEST" on Cisco 1142 lightweight APs, with WiSM controller and WLC software version 7.0.230.0.
For simple Internet access using this SSID, we have a web policy, which causes a web page to be displayed when the user opens his/her browser, and on this web page, the user must click on an "Accept" button in order to accept the terms and conditions of use. Once the user accepts, the browser will then go to the web site which the user wishes to open. When using this mode of access, everything is fine.
However, there is also a pre-authentication ACL, which allows certain types of VPN traffic to reach the Internet without the user being required to accept terms and conditions. The ACL allows ESP, IKE (UDP/500), IKE over UDP (UDP/4500), DNS, HTTPS/SSL (TCP/443), DHCP client and server (UDP/67,68).The pre-auth ACL actually works as intended; and the ACL traffic is NOT allowed when the ACL is removed. This is exactly as it should be.
However, when using, for example, a VPN client such as the Cisco VPN client, or the Cisco AnyConnect client, via this guest SSID without user acceptance, the WLAN regularly and predictably stops passing traffic. This is 100% repeatable and predictable; it happens every 300 seconds, or possibly slightly longer. I have only used my PC clock to time it so the timing isn't all that accurate but I'm sure it's within a few seconds.
Given that the problem happens at the same time interval and is constant, I guessed there must be some configuration item which needs to be altered, but I've looked extensively at the controller GUI (we actually use WCS here) and I can't see anything that looks even remotely related to this.
Is it possible to use both LDAP (to Active Directory) authentication for a WLAN defined on a 5500 series controller, and use the local user account database (AAA) for the guest vlan?
Should I trunk the port to the AP or not. I have a WLC 5508 in the head office and have AP in the remote office. I do not want traffic in the remote office to traverse the wan back to the WLC. I want the users at the remote office to use the local sub net at the remote site.
Should I then trunk the AP port on the switch to the AP as I have multiple ssid's with different sub nets?
I am running Cisco ACS 5.1 802.1x with certificate based authentication for Wired and Wireless connections. The issue that I am having is that when a user comes in from home with their laptop the wireless connection works, they pass the authentication and have network access fine. But when the plug the laptop into a docking station the LAN connection fails and gets put in the Auth Failure Vlan. A reboot of the phone/ shut/no shut fixes this, but I really need to find a resolution.This is an intermittent fault and only effects users with both LAN and WLAN enabled. Running ACS 5.1.0.44, all Cisco 3750s - c3750-ipservicesk9-mz.122-55.SE.Certificates are issues by group policy and only using computer authentication.
I have Cisco WLC 2504.I was configured one wlan with external web-authentication.External web server is apache on freebsd.When user connect to wlan and open web browser, wlc redirects client to external web page, where client must input hist credentials.When client click "submit" button on external web auth page, wlc initiates RADIUS request to radius server.Radius server(freeradius) is on the same server, where apache running.
sometimes, when client enter credentials on external page and click "submit" button, wlc suddenly redirect client on internal default auth page.
I'm trying to configure WLAN authentication on my WCS to prompt users about their credentials.I'm using a Windows 2008 NPS as Radius server but I can also use a Cisco ACS 3.3 if needed.With each setup I tried, the credentials are sent automatically to the Radius server using the Windows user session credentials.How can I force the WCS to ask for a username and password before sending them to the Radius Server ?
how to chance the web authentication certificte on WLAN 2100 controller. My users are complaining that they need to accept the security certificate before proceeding to the actual authentication?
I have an 2602 AP. Recently I tried to move it from one controller to another, however in doing so the image must have gotten corrupted. So no I'm in AP ROMMON. I can't find any recovery procedures specifically for the 2600's, but I what I did find doesn't seem to work :
ap: set IP_ADDR 10.4.208.3 ap: set NETMASK 255.255.255.0 ap: set DEFAULT_ROUTER 10.4.208.1
We have a campus with both office and industial areas with various propagation problems. Historically I have been installing and maintaining access points in the 1200 range, the latest being the 1242. All these have a similar antenna setup based on diversity pairs.Since Cisco seems to be dropping the old series any week now I have been looking at the 2602 as a replacement.I can find no good documentation on antenna selection and mounting suggestions for these.If I want a proper omni coverage pattern with dual band antennas, do I just set them to a H form assuming the unit is sitting on a wall?
We typically use the 2602 series AP in lightweight mode, however I have a scenario where we are going to be installing one with the stand-alone software. I understand that we will not be able to utilze certain features that you get with the WLC such as RRM, rogue detection, and clean air.
We do want to utilze both the 2.4GHZ and 5GHZ bands. In order to do this with the 2602 stand-alone AP, will we have to configure 2 separate SSID's? I really do not want to do this to if I do not have to to minimize confusion for clients.
i'm configuring a standalone AP 2602 with IOS 15.2.When i connect to AP from my notebook i only get 65Mb speed, when i connect to other APs from the notebook my speed connection 150-300Mb.
What configuration(CLI) do i need to be able to connect to the AP on connection speed to 130-450Mb ? Currently I connect to SSID with WPA2 encryption and "speed default" on radio 0 interface.
Instead of stocking every known AP and every external connector, I would like to query which APs to stock for general site surveys....
I have 2 customers that will require surveys in the near future...one plans on using the 2602e AP, and the other a 3602e AP. I have read somewhere that the 1140 makes an excellent proxy for the 2602 and several other Cisco APs (as the RF characteristics are similar) so that I only have to stock that one AP to use for those site surveys- but I haven't seen any recommendations about the 3600 series AP yet...
What AP to stock for doing Cisco site surveys? Maybe one or two models only?
I want to have a local user in ACS that is permitted to login to routers. I have TACACS with AD already working but cannot get a local user to work. I used to do this in ACS 4.x.I created a user in the internal identity store.I tried configuring a policy to allow this users TACACS authentication multiple ways to no avail. I cannot find a config example doc and cannot figure it out from the user guide as the documention is sorely lacking.
Last time I tested with ACS, it worked but didn't do migration as there'll be changes from ADs. Now my customer wants ACS migration by creating new Group in AD, I also update ACS config. For the user from the old group, authentication is ok.For the user from the new group, authentication fails. With subject not found error, showing the user is from the old group.
Seems like ACS is querying from old records (own cache or database). Already restared the ACS but still the same error.
Note: My customer can only access their local ADs (trusted by Global ADs). Local ADs & ACS are in the same network, ACS should go to local AD first.How can we check or make sure it?
I have a problem, where we are installing a Cisco 2602 access piont, the AP is getting power as the lights are on (changing colors Green, White, Red). In the switch side the LED for the interface is blinking green only when I chosse PoE. Also I cannot see the AP in CDP neighbours.
It seems to be a physical problem but the cable is tested and showing connected for all pairs and parallal (straight) connection.
Access Point was connected directly to the same interface (I mean with a patch cable to the switch) and working
it seams, that the mounting blade for the 1142 access point and the 2602 access point are identical.
We have ordered the new 2602 with internal antennas for deploying WLAN in a new building, but I never hold this accesspoint in my hands. We have a few mounting blades in spare from the 1142 accesspoint. The question is, can I prepare the mounting of the 2602 access point with the 1142 mounting blade?
is it possible to validate the ACS Application Accounts against an external repository like LDAP? I have found that LDAP can be used only as Identity store to authenticate users on AAA clients and Network devices.
I have a new 2911 that I am trying to bring up but local authentication is failing. I know I have typed the username and password correctly but no go. When I try to http in it is failing as well. I even create a "Cisco, Cisco" account. I have a console connection and even that is failing.
I'm having a problem configuring local EAP Authentication using CA (Windows Server) and LDAP server. I followed the URL:
[URL]
but it seems that CA has no effect. Any wireless client who has his own LDAP account can access to the network.What I want is just allow some wireless clients to access if they have approved CA before.
I am experiencing an issue where NX-OS on our 5010s is allowing both Local AND TACACS authentication concurrently. If I don't configure any aaa authorization commands, the locally logged in user has unmitigated access to the device. Once I enable aaa authroization, all commands issued by the locally logged in user are denied by ACS, but they can still log in to the device. When I comb through the logs on the ACS server, I see successful logins when TACACS credentials are used, and also the failed attempts when the locally configured credentials are used. On the switch, however, I receive "%TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond" when using locally configured credentials on the switch itself. We are running ACS v4.2.
I have a problem configuring ClientLink on a FlexConnect local switching AP (3602i), the problem is that I can not see the clients that are using the ClientLink feature when entering the show interface dot11radio 1 lbf rbf command, the AP shows "Hardware beamforming stats not supported (radioid 0x3B00)" message instead of show the client information. I am using a 2504 Wireless LAN Controller running 7.3.101.0 software version, why is not working properly?
A customer have a bad coverage in a corner of his branch office. He like to add a mesh AP (MAP) in the near of that corner.
I checked allready the documention about Mesh but i'm not sure if Flexconnect and Mesh works togheter. This MAP is in a branch office and the WLC is in the head quarter therefore he likes to uses Flexconnect togheter with Mesh.
