Cisco Wireless :: EAP-TTLS Over WLC4402
Apr 18, 2012
I try to use EAP-TTLS on one of my wireless networks and the 802.1x authentication fails at this moment:
*Dot1x_NW_MsgTask_0: Apr 19 16:04:52.800: 00:16:cb:66:29:bc Processing Access-Accept for mobile 00:16:cb:06:09:bc
*Dot1x_NW_MsgTask_0: Apr 19 16:04:52.801: %APF-6-RADIUS_OVERRIDE_DISABLED: apf_ms_radius_override.c:204 Radius overrides disabled, ignoring source 2
*Dot1x_NW_MsgTask_0: Apr 19 16:04:52.801: 00:16:cb:66:29:bc Resetting web acl from 255 to 255
*Dot1x_NW_MsgTask_0: Apr 19 16:04:52.802: 00:16:cb:66:29:bc apfMsDeleteByMscb Scheduling mobile for deletion with deleteReason 20, reasonCode 2
Where can I find what deleteReason 20 and reasonCode 2 are?
Mar 14, 2013
My client wants to test their new product with wireless authentication 802.1x EAP TTLS. They have a Cisco WLC 2504. Does the Cisco WLC 2500 support EAP TTLS, and if yes, how do I configure it? So far I have added the RADIUS TTLS server to my WLC. Under RADIUS on the WLC I added the RADIUS server IP and key and created a new SSID with 802.1x WPA+WPA2 (WPA policy2 and WPA encryption AES); after that, under the SSID's AAA servers, I selected the same server IP from the drop-down. But the user tried and it didn't work, and we didn't see any hit on the RADIUS server. Yes, the policy has been added on the RADIUS server. My client wants to use TTLS instead of TLS because in TLS you have to use a client certificate on the client side, but on TTLS you can use a certificate on the client side but it is optional. So they want to stick with TTLS. But I am not seeing any documentation on TTLS with Cisco WLC.
Mar 14, 2013
My client wants to test their new product with wireless authentication 802.1x EAP TTLS. They have a Cisco WLC 2504. Will the Cisco WLC 2500 support EAP TTLS, and if yes, how do I configure it?
So far I have added the RADIUS TTLS server to my WLC. Under RADIUS on the WLC I added the RADIUS server IP and key and created a new SSID with 802.1x WPA+WPA2 (WPA policy2 and WPA encryption AES); after that, under the SSID's AAA servers, I selected the same server IP from the drop-down. But the user tried and it didn't work, and we didn't see any hit on the RADIUS server. Yes, the policy has been added on the RADIUS server.
My client wants to use TTLS instead of TLS because in TLS you have to use a client certificate on the client side, but on TTLS you can use a certificate on the client side but it is optional. So they want to stick with TTLS. But I am not seeing any documentation on TTLS with Cisco WLC. My Android phone, a Galaxy II, has a TTLS option under EAP 802.1x, so Android devices support TTLS.
Mar 14, 2013
My client wants to test their new product with wireless authentication 802.1x EAP TTLS. They have a Cisco WLC 2504. Does the Cisco WLC 2500 support EAP TTLS, and if yes, how do I configure it? So far I have added the RADIUS TTLS server to my WLC. Under RADIUS on the WLC I added the RADIUS server IP and key and created a new SSID with 802.1x WPA+WPA2 (WPA policy2 and WPA encryption AES); after that, under the SSID's AAA servers, I selected the same server IP from the drop-down. But the user tried and it didn't work, and we didn't see any hit on the RADIUS server. Yes, the policy has been added on the RADIUS server. My client wants to use TTLS instead of TLS because in TLS you have to use a client certificate on the client side, but on TTLS you can use a certificate on the client side but it is optional. So they want to stick with TTLS. But I am not seeing any documentation on TTLS with Cisco WLC. My Android phone, a Galaxy II, has a TTLS option under EAP 802.1x, so Android devices support TTLS.
Oct 1, 2012
info regarding my LAP521 access points that are refusing to join the WLC4402-12. This is my first lightweight access point implementation and I have 3 LAP521s and 1 AIR-CAP3502I-E-K9 access point on my network. They are meant to pick up an IP address from an external DHCP server and then join the WLC, but only the 3502i joins successfully while the 521s get a DHCP address but do not join the WLC. From the logs, I can see that the WLC is discovered by the 521s and they even get a response message from the controller, but they are still unable to join, as shown in the screenshot below. My WLC is running software version 7.0.230.0 and the 521s are running an LWAPP image version 4.2.61.8. [code]
Dec 6, 2012
We have 2 AIR-WLC4402-K9 devices at a remote location that will both drop their network connections some undetermined time after a reboot. We cannot reach them via telnet, SSH or HTTP. In fact, we cannot even ping them once they drop connection. The only cure we've found so far is to power-cycle the controllers. The controllers are in separate rooms and connected to separate switches. We've confirmed the links are configured as trunks and have the correct speed/duplex settings. I tried updating the IOS & boot loader on one of them but that had no effect on the problem.
Apr 25, 2011
Today I upgraded our WLC4402 from 7.0.98.0 to 7.0.116.0. After the upgrade (also bootloader upgrade) the Aironet 1142 APs do not join the controller anymore. Error in log:
*spamReceiveTask: Apr 26 11:30:46.301: %CAPWAP-3-DISC_INTF_ERR2: capwap_ac_sm.c:1468 Ignoring Primary discovery request received on a wrong VLAN (21) on interface (29) from AP ec:c8:82:ab:ed:00
Nothing changed in infrastructure. APs are in VLAN 21, AP-Manager interface is in VLAN 21. AP-Manager, Management Interface and Dynamic Interfaces are in PortChannel (LAG) = Interface 29.
Dec 5, 2011
Does the WLC4402 WiFi controller have a MAC address table, and can I show it somehow?
Mar 12, 2013
I have a Cisco 4402 WLC running version 4.2.112.0 controlling 20+ AIR-LAP1242AG-E-K9 access points running IOS 12.4 (10b). I'm trying to set up an additional AP as MESH. When I try to change the mode from local to bridge, on what will be the root AP, I get a message stating that bridging is not supported on this unit.
Mar 2, 2013
Is there any possibility to run the WLC4402 and the 104x family in H-REAP mode?
Feb 14, 2012
I have one WLC 4402 and around 29 access points (1130) in our enterprise network. The wireless users' LAN segment is different from the wired users'. Wireless users such as laptop users, mobile users and iPad users are connected to this wireless network and use the enterprise network.
Presently we are using WEP mode for the security key. This WEP key is weak and can be cracked easily, so from a security point of view I want to put in a strong encryption mode. Presently I do not have any RADIUS server. I found there are some modes available, like WPA, WPA2 with PSK, etc.
Will there be any problem for wireless users accessing applications after changing the mode? Which mode will be stronger and could not be cracked? Could we achieve this without a RADIUS server or not?
Sep 1, 2011
Our customer has implemented 2 AIR-WLC4402-50-K9 with Software Release 7.0.98.0; the wireless infrastructure consists of 2 Root-Mesh-LAPs and 8 Mesh-LAPs connected over the air to deploy outdoor coverage.
All the LAPs are Aironet 1520 Series Mesh Access Points equipped with 3 antennas for 2.4GHz and 1 antenna for 5GHz (backhaul). For one year all seemed to be OK. Yesterday, after a power outage of one Mesh-Root-LAP, 5 Mesh-LAPs continuously reload every 10-12 minutes. In the WLC log you can see events like a reboot from the AP console; on the LAP console I can capture this event before the reload:
Log on LAP Mesh
%DOT11-6-GEN_ERROR: Error on Dot11Radio0 - Not Beaconing for too long - Current 0 Last 0
%SYS-5-RELOAD: Reload requested by Dot11 driver. Reload Reason:
Radio Not Beaconing for too long ....
LWAPP-5-CHANGED: CAPWAP changed state to DOWN
AP1780-Mesh uptime is 11 hours, 10 minutes
System returned to ROM by power spike
%DOT11-6-GEN_ERROR: Error on Dot11Radio0 - Not Beaconing for too long - Current 0 Last 0
%SYS-5-RELOAD: Reload requested by Dot11 driver. Reload Reason:
Radio Not Beaconing for too long ....
*Sep 1 16:05:43.399: %LWAPP-5-CHANGED: CAPWAP changed state to DOWN
What does it mean? That the beacon signal transmitted from the Root-Mesh-LAP cannot reach the Mesh-LAP and so the Mesh-LAP forces a reload? Where should we search for the cause? In the power instability or in interference on the 5GHz radio interface?
On one of the Mesh-LAPs I found a strange reason for a reload:
AP1780-Mesh uptime is 11 hours, 10 minutes
System returned to ROM by power spike
Log on WLC
Log System Time Trap
0 Thu Sep 1 17:31:11 2011 AP Disassociated. Base Radio MAC:00:22:be:41:33:00
1 Thu Sep 1 17:31:11 2011 AP's Interface:1(802.11a) Operation State Down: Base Radio MAC:00:22:be:41:33:00 Cause=Heartbeat Timeout Status:NA
2 Thu Sep 1 17:31:11 2011 AP's Interface:0(802.11b) Operation State Down: Base Radio MAC:00:22:be:41:33:00 Cause=Heartbeat Timeout Status:NA
[Code]....
Jun 6, 2012
My question regards a pair of WLC 4402 with 7.0.98.0 software. Currently, our security policy does not really allow any peer-to-peer communication in a wireless LAN. Therefore we set the 'P2P Blocking Action' to drop, and the 'Broadcast Forwarding' feature to disabled (default). But now there is a special requirement for two mobile endpoints to communicate with each other, because one device controls the other. To test the communication, we first disabled P2P Blocking (without success) and further enabled Broadcast Forwarding to bring the communication up. Now it works, but the configuration disagrees with our policy.
1. Is an alternative configuration to the one described possible, so that we do not violate the security policy? To allow only a P2P connection between the two devices, it should also be possible to drop anything else by an ACL. But how to fix the problem with the broadcast, because of the needed ARP? My idea was to use a static ARP entry, but as far as I know, one of the two devices is not capable of it.
2. Because, I did not find any detailed documentation:
2a. with enabled Broadcast Forwarding, the controller forwards all broadcast for any configured SSID, right?
2b. is the broadcast limited to the source VLAN/SSID?
2c. is the broadcast limited to an AP, to an WLC, or is it broadcasted to every AP on every WLC that has the relevant SSID?
We already have two new 5508s, but they are not in an operational state now, because we plan to implement new 3600 APs. Do these WLCs offer more/other circumstances or possibilities?
Jan 2, 2013
I'm trying to connect to my wireless network using an Android device with a certificate but with no success. I'm using a WLC4402 7.0.235.3, SSID Security (WPA2 Auth 802.1X + CCKM) [code]
Jun 21, 2007
I made a lot of tests during some days with a wlc4402 and everything was ok.
One day when I tried to reset the system I had a lot of errors (see attachment) and could not go on. After changing the image the following output appeared: "RAM Disk Image Integrity Check Failed (Bad Magic Number) Hanging". Now I have no response from the controller.
Sep 18, 2011
I have an AIR-WLC4402-50-K9 WLC whose current IOS is 7.0.98.218, and I upgraded it to the 7.0.116.0 IOS, but after upgrading and rebooting the WLC, out of 15 access points, 3 access points are not coming up and 12 are coming up and working fine (4 1142 and 11 1131 series access points). The 3 which are not coming up are 1131 series access points. When I log in with the console to the 3 access points, they reboot 2 times and come to the ap: prompt.
In between that I reloaded the WLC one more time, because out of 15 access points only 4 access points came up, and I also checked show boot on the WLC; its output was 7.0.116.0 (default) 7.0.98.218 (active), so I reloaded the WLC and checked: out of 15 access points, now 12 access points are up and still 3 are not. And I also checked the output of the show boot command; it is 7.0.116.0 (default)(active) 7.0.98.218
So I think it's because when I reloaded the WLC the 2nd time the remaining 3 access points are getting.
Mar 1, 2012
I have an issue with my primary WLC AIR-WLC4402-50-K9 running version 7.0.220. After a reboot of the WLC only one AP can join, all others are rejected. After waiting a few hours (about 3) all APs can join the WLC. What I have done is a software upgrade (from 6.0.199.4) on both primary wlc (wlc with the issue) and backup. Following procedure:
1. Reboot primary wlc so that APs failover to backup (succeeded with no issue).
2. Upgrade software on primary wlc
3. To failback all APs from backup to primary I reboot all APs, so that they join again their primary wlc.
A reboot of the first AP was fine. It joined the primary wlc, got new software downloaded, rebooted, and joined the wlc successfully again. Then rebooting the next AP. But this one then does not join the primary wlc for several hours. But it is also not falling back to the backup wlc as the primary is up and reachable. I tried a reboot with the next AP, but same behavior. I was waiting then until both APs were joining the primary wlc again. This happened after around 3 hours. After that I have rebooted all other APs on the backup wlc also. All was fine, they immediately joined the primary without any issue. There are no log messages during the time when the WLC does not allow APs to join. I had similar behaviour last year with version 6 when I rebooted the device. So I don't think this is software related. Also I don't think it's a configuration issue as 1) I have another WLC that uses the same backup controller and this one has the same configuration but works fine also after a reboot. 2) why doesn't it work after a reboot for a few hours, but then all is fine without any config change. After a few hours all is fine for months (until the next reboot).
May 10, 2012
We are using WLC4402 for our Aironet 1240AG access points. The clients are connecting to the access points and are authenticating to the RADIUS server. I am seeing the logs in Server 2008 but they are being rejected due to Network Policy on the NPS server.
Where do I see the Authentication Type on the WLC4400 or the 1240's? In order for the clients (authenticated via Active Directory user) I have to set the Authentication in the NPS Connection Request Policy to "Allow clients to connect without negotiating an authentication method".
I do not have a certificate on the server and my method options are MS-CHAP-v2, MS-CHAP, CHAP, PAP, SPAP, and allow without negotiating. This RADIUS server was moved from Server 2003 IAS to Server 2008 NPS and there were no issues in Server 2003 IAS. I have all authentication methods allowed and it still gives me the error below. Only when I check "Allow clients to connect without negotiating an authentication method" it allows the authentication to proceed.
Client Machine:
Security ID: NULL SID Account Name: Fully Qualified Account Name: OS-Version:
Called Station Identifier: 00-17-a2-87-54-00: SSID NAME
Calling Station Identifier: 00-41-96-b6-e3-27
NAS:
NAS IPv4 Address: 192.168.90.24
NAS IPv6 Address: -
[code]...
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
Jun 19, 2012
I have an WLC with below details:
Model No:- AIR-WLC4402-50-K9
Current IOS:- 4.2.99.0
Upgrade to :- 7.0.220.0
I want to upgrade the WLC to the 7.0.220.0 IOS. My question is: should I go for a direct upgrade from 4.2.99.0 to 7.0.220.0, or is there any IOS version I have to upgrade to?
Mar 14, 2012
I have one WLC AIR-WLC4402-50-K9 which is hitting some bug. So I did an RMA for that device and now I have got the new WLC. Now I want to install that RMA WLC in the network. So can anyone tell me what the process is for installation of the WLC? I already have the old WLC working now. Which file backup do I need to take from the old WLC?
Apr 8, 2010
AIR-WLC4402-25-K9 running 5.2.193.0, and I set up guest internet-only access, which worked for 2 days. I changed both the "User Idle Timeout (seconds)" and "Enable Session Timeout" to 10 hours (36000) as the guest was complaining he had to re-authenticate again. Anyway, the guest was still able to pick up an IP address and the logs show that life "appears" fine, but he had no internet guest access. He had a Windows 7 box... anyway, before I could finish troubleshooting, he had to leave... My question is whether there are any issues with Windows 7 that others have had a problem with, or is it the timers I tweaked, or both?
Thu Apr 8 15:19:06 2010 User joe logged in. Client MAC:00:12:f0:99:71:ce, Client IP:192.168.55.110, AP MAC:00:00:00:00:00:00, AP Name:N/A
15 Thu Apr 8 15:09:28 2010 User joe logged in. Client MAC:00:12:f0:99:71:ce, Client IP:192.168.55.107, AP MAC:00:00:00:00:00:00, AP Name:N/A
Feb 20, 2012
I have a WLC 4402 on my network. Recently mobile phones can connect to the wireless network and obtain a valid IP address. This IP is pingable from a workstation anywhere else on the network. However, these phones will not display web pages. They come up with "page cannot be displayed". I even tried putting Google's IP address in the phone's browser and it still did not display. I can connect through the same WLAN via a laptop or iPad. These devices have no problem displaying web pages. I even went ahead and created a new TESTWLAN with no encryption, but to no avail. Same results: laptops connect and display web pages, and smart phones connect, gain an IP but do not display web pages. It comes up with "page cannot be displayed". It does not matter whether it's an iPhone or Android platform.
Mar 20, 2011
I have two sites. Main site (local) has two VLANs: VLAN 1 and VLAN 2. Each has its own IP address range. VLAN 1 is the default VLAN and is used for CORPorate traffic. IP range 10.33.4.* VLAN 2 is for guest access to the internet, IP range 10.10.10.* I have a WLC4402 on this site with 2 WLANs: CORP on VLAN 1 and GUEST on VLAN 2.
Branch site (remote) has 2 VLANs: VLAN 1 and VLAN 2. Each has its own IP address range. VLAN 1 is the default VLAN and is used for CORPorate traffic. IP range 10.125.15.* VLAN 2 is for guest access to the internet, IP range 10.10.11.* I have an 1141 on this site using HREAP.
Locally, if you connect to CORP, you get a CORP IP address and access to the CORP network. If you connect to GUEST, you get a guest IP address and guest access to the guest network. Simple so far....
Remotely, if you connect to CORP, you get a CORP IP address 10.125.15.x and access to the CORP network (great). If you connect to GUEST, you get a CORP IP address 10.125.15.x and access to the CORP network (not great). This is with the HREAP native VLAN ID for the access point set to 2 on the controller. If I set the native VLAN ID to 1 on the controller, I cannot get an IP address at all. If I do not set the native VLAN ID on the controller, I cannot get an IP address at all.
Dec 6, 2011
Trying to implement HREAP over WAN between main and remote site. The WLC4402 is on the main site. There will be a secondary DHCP at the remote site. Does the switch at the remote site need any preparation?
May 30, 2012
I am having a problem associating an AIR-LAP1142-E-K9 AP to our WLC4402 Controller (running version 7.0.230). I have connected a console cable to the device and when it boots up it picks up an IP address. I have then entered the controller IP using the command: [code] The Controller is set to 'GB' (regional code -E), and has the correct time zone (though I do notice this is GMT and not BST) but when the AP connects it shows the time an hour earlier than the time on the WLC GUI.
Oct 29, 2012
I have a Netgear WNR3500L wireless router. I assume it's v1 because on the back it doesn't have "v" anything. Firmware version V1.2.2.44_35.0.53NA. When I connect using g I get 22+Mbps download speed. When I connect using n I get 10 Mbps. I've tried using both WPA2 only (laptop reports 130 Mbps connection I believe) as well as the combo WPA+WPA2 (laptop reports connection of 117 Mbps). Broadband download results don't change - they stay at the 10 Mbps level. I've fiddled with some of the settings on my laptop's wireless card - but the results are the same. For now I'm just trying to figure out where I should focus my investigation and fiddling efforts - on the laptop or on the router.
Jan 6, 2013
I have a Netgear N600 Wireless ADSL2+ router on wireless a/b/g/n dual band and all that, but what I want to know is: will I get better performance if I use a Wireless N card over G on a 10 - 15mb/s connection, gaming-wise, and will it be a great increase over the G? Because if it's not a HUGE increase then I won't waste my money on a newer card.
Jun 3, 2012
My Acer Aspire 5610Z laptop will automatically connect to public hotspot wireless network but when I attempt to connect to a wireless network at home, set up using a Netgear modem, I only ever get 'local' internet connection only. My wife's HP laptop has no problem making the home wireless connection.
Jan 31, 2013
I am running windows vista and have installed the software and windows sees the adapter and states it is working but when it searches for available networks it can't find any. How can I download the driver and install it?
Oct 19, 2011
I have a setup involving 3 clustered AP541s running off an SG300 switch. The wireless network setup VAP has one entry for VLAN 1 with station isolation disabled. Is there anything more I need to do to allow one wireless client to ping another wireless client - am I missing something - I assume this is possible. Needless to say, wireless clients can ping non-wireless clients and vice versa quite happily. Everything is running with factory default settings more or less.
Nov 6, 2012
The output is here:
*Mar 1 01:28:21.018: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Mar 1 01:28:21.022: %LWAPP-3-CLIENTERRORLOG: bsnSetCurrentBHRate : fail to set radio control and data rate
*Mar 1 01:28:21.179: %CDP_PD-2-POWER_LOW: All radios disabled - AC_ADAPTOR (0000.0000.0000)
*Mar 1 01:28:21.984: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar 1 01:28:34.341: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 192.168.10.244, mask 255.255.255.0, hostname AP2c54.2d0d.c3c4
May 1, 2012
I have a WLC 5508, AIR-LAP1142N APs and a SSID for students to connect to who bring their own device. I am still testing this and it has not been rolled out but I am running into some serious issues with joining the network. I am authenticating them through a RADIUS server (2008 R2). Problem: many of them cannot connect because they are lacking the certificate.
1. What is a good setup for authentication in a BYOD environment?
2. If my setup is good what can I do to allow kids to use their computers on the wireless either without the certificate (which I know is unlikely) or what do I need to have them do to connect. I am hoping it does not involve hard wiring and getting the certificate from the server.
Oct 24, 2011
have a Cisco 5508 controller (version 6.0.199.4) that, when I enable global multicast mode, will work for an hour or two and then it will kill the network. All internet both wired and wireless, access to server, everything dead. I then have to directly connect to the service port and disable the global multicast mode. The two reasons for enabling it are Docs2Go and LanSchool; both require multicast to be enabled. I have it enabled on our wired network and it works OK there.