Cisco Wireless :: Intra Controller Roaming And Security WLC 7.0

Feb 10, 2013

Under the section on intra-controller roaming, the WLC 7.0 config guide states that "When the wireless client moves its association from one access point to another, the controller simply updates the client database with the newly associated access point. If necessary, new security context and associations are established as well" URL. Within the phrase "If necessary, new security context and associations are established as well", what is meant by the new security context? My understanding is that an update to the MSCB (with the AP info) is the only requirement, as the client is within the same controller and subnet. I just can't think why the security info would need to be updated.

View 3 Replies



Cisco Wireless :: Client Roaming With 5508 Controller

May 27, 2013

I am having some trouble with client roaming on a 5508 controller running firmware 7.3.101.0. As soon as a client roams outside the range of an AP they lose data flow and do not seem to transition to another AP for about 1 minute. This is a small network with 6 x AIRCAP3502E-N-K9 APs (running in H-REAP mode) on the same floor, and clients are a mix of HP notebooks, MacBooks, iMacs, iPads and iPhones. There are several separate SSIDs set up and the problem occurs on all. All are WPA2/AES with either a PSK or 802.1X. Both 2.4GHz and 5GHz radios are enabled with auto power and channel selection.

I have tried changing the roaming settings from default and also playing with the AP power settings to no avail. Is this normal behaviour or is there something I can do to improve the reconnection speed?

View 11 Replies View Related

Cisco :: Test Fast Roaming Using A Cisco 2100 Series Controller And 2 1140 APs?

Jul 20, 2011

I'm trying to test fast roaming using a Cisco 2100 Series controller and 2 1140 APs. The initial authentication succeeds fine and the wireless connection works OK using WPA2+CCKM and LEAP with a Cisco ACS RADIUS server. The problem is that the client does not attempt to preauthenticate with the other AP because the RSN Capabilities IE in the AP beacons and probe responses does not set the RSN Preauthentication capable bit. I can't figure out what it takes to get the APs to indicate to clients that they can do preauthentication. I've been crawling through all the documentation I can find, to no avail.

View 1 Replies View Related

Cisco Wireless :: Regain The PSK From The Security Tab From A 5500 Controller In Clear Text?

Jul 15, 2012

Is it possible to regain the PSK from the security tab from a 5500 controller in clear text? I need to check the currently used password without resetting it, but I fail to find the password in the configuration (CLI & web interface). Obviously I do have admin access to my controller.

View 2 Replies View Related

Cisco Wireless :: 5508 - Getting Critical Level Security / Port Down On Controller

Feb 17, 2013

I have been monitoring the alarm summary but have been off a couple of days and I see one of my controllers is down. Getting critical level security and the message is port is down on the controller, condition link down. The other issue is config difference found between NCS and Controller. I tried getting them to sync together but am still getting the same message.

View 1 Replies View Related

Cisco WAN :: 6500 / Inter / Intra VLan ACL - OSPF?

Dec 11, 2011

Core: DC  : 2- 6500 (PO Trunked) Configured L3 vlan interfaces with HSRP.
Vlans:
Servers - 192.168.5.0/24
PCs: 192.168.10.0/24
Phones : 192.168.20.0/24
Replica-exchange: 192.168.30.0/24
 
DR- One Core SW:
 
Vlans:
Servers vlan - 10.10.5.0/24
PCs: 10.10.10.0/24
Phones : 10.10.20.0/24
Replica-exchange: 10.10.30.0/24
 
OSPF is the routing protocol. Everything works fine. New requirement (Exchange 2010 MAPI & DAG subnets):
 
192.168.5.0 <--> 192.168.30.0 & 10.10.30.0 : Communication should fail
 10.10.5.0/24<--> 192.168.30.0 & 10.10.30.0 : Fail
 Replica@DC <--> Replica@DC: work
 Replicas --> Rest of the nw- not that of an issue.
 
I am thinking of adding extended ACLs on the Replica-Exchange (DC & DR) and servers VLAN interfaces to block bidirectional communication.
 
 CORE1 &2:

access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 deny ip 10.10.5.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 permit ip any any
!
access-list 102 deny ip 192.168.30.0 0.0.0.255 192.168.5.0 0.0.0.255

[code]....
 
Similar to the same on DR as well. I wanted to see if an ACL is the way to go or if there are any other suggested methods with OSPF being the routing protocol.

View 2 Replies View Related

Cisco Firewall :: ASA5520 Intra-interface Communication And DNS Rewrite?

May 29, 2011

Recently, I deployed an ASA 5520 as our company firewall. Everything was working fine except two main problems that I still cannot resolve after I did a lot of research.
 
1. DNS rewriting - The internal users cannot access the DMZ or internal server by putting in the domain or external IP address, such as [URL], which will resolve to our WAN IP address 210.0.0.83 (internal IP address is 192.168.1.21). I used static (inside,Outside) tcp 210.0.0.83 https 192.168.1.21 https netmask 255.255.255.255 dns, but it will not work. We have our internal DNS server, but don't want to just add the domain as a record. Is there any way to get the internal users to access the internal server and DMZ server through the public domain?
  
2. We also have multiple internal subnets: another router was connecting to the ASA firewall inside interface and using IP address 192.168.1.223, and another subnet, 10.1.15.16/28, is behind this router. The users in subnet 192.168.1.0/24 connect to the firewall inside interface directly. I added a static route and intra-interface permit:

route inside 10.1.15.16 255.255.255.240 192.168.1.223 1
same-security-traffic permit intra-interface

I also added:

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.15.16 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.1.15.16 255.255.255.240 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

The internal users on 192.168.1.0/24 can ping 10.1.15.18 but cannot telnet to 10.1.15.18 22. If I set 192.168.1.223 as the default gateway of one of the workstations on 192.168.1.0/24, it can telnet to 10.1.15.18 22 without any problem.

View 2 Replies View Related

Cisco Firewall :: 6509 -Creating FWSM Intra-Chassis Redundancy

Oct 27, 2011

Currently we have two inter-chassis FWSM redundancy. I would like to configure them for intra-chassis.
 
Both FWSM's are in slot 7 of 6509 switches and i want to take secondary out from one of the 6509 switch and insert in the slot 3 of primary switch.
 
I added the following commands in my primary switch.
 
There were commands already present for FWSM in primary switch
 
firewall multiple-vlan-interfaces
firewall module 7 vlan-group 1
firewall vlan-group 1  2,3,777
 
To create intra-chassis redundancy I added the following command also there.
 
firewall module 3 vlan-group 1
 
After adding that, my firewalls worked fine but there was an issue with site loading. People from outside were able to access inside, but from inside we were not able to go outside.

Do we need to clear ARP from both FWSMs? Is there any other precautionary step which we need to follow while working on it?

View 1 Replies View Related

Cisco VPN :: 501 Intra-interface Command And Modifying Encryption Domain On EZVPN Server

Jun 30, 2011

If you have a headsite with multiple EZVPN clients (PIX 501 & 515) connected in a star configuration, can you have one remote site connect to another remote site using the intra-interface command and modifying the encryption domain on the EZVPN Server?

View 3 Replies View Related

Cisco Switching/Routing :: Block / Permit Intra Vlan Traffic On 3750

Feb 21, 2013

I have one 3750 switch and many 2960 c switches. I use one ASA 5510 to reach the remote branch site (VPN connection). I use one 1841 router for the internet connection. The 1841 router, the ASA and the Catalyst 2960s are connected to the 3750. The default gateway of all users is the ASA IP.

I configured VLANs on the 3750 and it works. Now I need to implement security: permit/block specific traffic between VLANs [code] From VLAN 72 I cannot have remote access to a computer in VLAN 34 and I cannot ping a computer in VLAN 34.

View 1 Replies View Related

Cisco Switching/Routing :: Intra-VLAN Traffic Not Passing Back To Nexus 5k

Mar 28, 2013

We recently extended our access layer using a pair of 5ks with extenders. We have a pair of 6509s at our core and they handle the intra-VLAN routing with SVIs. I recently noticed that access hosts connected to the extenders cannot pass traffic between each other if they are in different VLANs. The strange thing is these same hosts can ping devices in other VLANs as long as the other devices are not connected to the 5k environment.
 
For example, consider the following hosts. Each host has their gateway set to the appropriate SVI on our core.

HostA - VLAN100 - connected to 5k extender
HostB - VLAN200 - connected to 5k extender
HostC - VLAN100 - connected to 2960 off our core
HostD - VLAN200 - connected to 2960 off our core
 
Each host can ping each other with the exception of HostA and HostB. As for specifics, we use HSRP (no VSS) between our cores.
 
When I ping between HostA and HostB, I see the egress packets on either 5k1 or 5k2. I then see ingress AND egress on Core1. There are no ingress packets on 5k1 or 5k2. The egress packets from Core1 show the correct destination MAC address of the target host. The MAC address table shows the MAC address on po31.

View 16 Replies View Related

Cisco VPN :: 5520 Configure Intra Interface Command To Enable Connectivity Between Remote Clients

Feb 3, 2013

I'm working with AnyConnect for the first time (my prior experience is with IPSec client) and I have multiple remote users who connect to a 5520 via AnyConnect client; they need to print to each others' shared printers but currently have no connectivity between each other.
 
Can I configure the 'intra-interface' command to enable connectivity between remote clients, or is there more that needs to be done to enable this, presuming that it can be done at all?

View 3 Replies View Related

WAP 4410 N - Wireless Roaming

Apr 21, 2012

I have 5 access points (WAP4410N) all connected to a befsr41 8 port/switch router; each AP has its own SSID. Is it possible to have one SSID for the entire wireless network so users do not have to change SSIDs every time they change locations?

View 11 Replies View Related

Cisco Wireless :: 5508 - How To Change WLC / Roaming

Jul 21, 2011

I have several different client networks with one SSID. When a client is in another network, it still gets an IP from the old network.

How can I change this on the WLC so it gets the right address? I have a Cisco WLC 5508 and 1262/1252 access points.

View 6 Replies View Related

Cisco Wireless :: 5508 Roaming From AP On Same SSID

Feb 12, 2013

I have an issue where I have an AP in one room and another in another. When I walk from one room to the other, I lose signal but manage to see the SSID and join. But I cannot seem to surf the Internet; I have to manually disconnect and reconnect. With normal wireless routers I reconnect seamlessly without any manual disconnect and reconnect. Currently using Cisco 5508 and AP2600.

View 8 Replies View Related

Cisco Wireless :: UC540 Roaming Does Not Seem To Work

Mar 1, 2012

I currently have a UC540 system with 12x Aironet 1130 APs. Seamless roaming does not seem to work, and the recommendation seems to be to introduce a WLAN controller.

View 4 Replies View Related

Cisco Wireless :: Best Configuration To Improve Roaming In WLC 7.3

Apr 22, 2013

I'm trying to find the best configuration to improve the roaming in a WLC 7.3. I changed the power threshold under the TPC to -67, and in the client roaming I put it in custom mode with the minimum RSSI at -78 dBm, but I was wondering if there is a specific configuration to improve the roaming.

View 3 Replies View Related

Cisco :: 5508 Wireless Roaming Config

Apr 7, 2011

Currently have a 5508 in the lab and testing 4 APs with it. Eventually there will be 18 APs spread throughout different floors in our building.

So far access is working fine using WPA, 802.1x and the client configured to use Windows logon credentials. But it doesn't seem to automatically transfer between access points.

View 1 Replies View Related

Cisco Wireless :: 1242 - Roaming Between APs With No RADIUS

Feb 9, 2011

I have 3 Cisco 1242 WAPs that I have deployed at a site that has NO RADIUS/AAA devices. I have given all of them a different channel (1,6,11), but the same SSID and crypto (WPA2-PSK). The issue is that when a machine boots up it associates with the closest/strongest AP, but as the device "roams" it does not switch to a different AP. It stays associated with the original AP until that signal is gone. Then it quickly associates with the closest AP with no problem.

How do I get the device to associate with the strongest WAP? I have researched "fast roaming and WDS" but it seems like you need EAP/LEAP and they do NOT have that at all.

View 3 Replies View Related

Cisco Wireless :: IP Phone EAP-TLS Roaming With 7925

Mar 9, 2013

I have configured a Cisco IP Phone 7925G with EAP-TLS settings (with manufacturer-installed and user-installed certificates). My issue is that while roaming from one access point to another access point the call is getting dropped. I need to restart the IP Phone to reauthenticate again. In ACS I am getting the authentication time-out error. (I had changed the time-out value for EAP-TLS to 20 in the WLC as per recommendation.)

If I am using a static web key there is no issue in roaming.

What is the recommended setting in order for EAP-TLS to work properly?

View 2 Replies View Related

Roaming Wireless Network With Different Brands?

Feb 28, 2012

Is it possible to set up a roaming wireless network with wireless access points that are different brands from one another (i.e., D-Link, Cisco, Belkin, etc.)? If so, is there anything special that needs to be configured?

View 2 Replies View Related

Wireless Access Point Roaming?

May 30, 2011

But my laptop often times changes access points as I move about in my office to try to optimize the signal strength, which causes the network to stop working and I had to do "ipconfig -renew" to continue using internet. Problem now is that the IT desk told me that the AP's are overloaded.

View 1 Replies View Related

Cisco Wireless :: Roaming Between 4400 And 5500 Controllers

Oct 11, 2012

Currently we have a 4402 controller with 1120 APs, both of which are marked as EoL products. We want to jump over to the new 2600 APs and 5508 controller to increase signal coverage, but we have the following issues: The last firmware for the 4402 controller is 7.0. The firmware needed for the 5508 to support 2600 APs is 7.3. Is it possible to configure mobility between the 4402 and 5508 even with different firmware branches?

View 3 Replies View Related

Cisco Wireless :: 5508 - Mobility / Roaming And Web Authentication?

Nov 27, 2011

I have two 5508s, no anchor, only one SSID with internal web authentication using a RADIUS server. Under "Configuring Mobility Groups", the Cisco guide says: "If a client roams in web authentication state, the client is considered as a new client on another controller instead of considering it as a mobile client".

I understand that if a client that has already authenticated via web roams between two LAPs that are associated with different WLCs, it has to reauthenticate.

View 6 Replies View Related

Cisco Wireless :: AP541N Clustering And Roaming Clarifications

Dec 5, 2011

I'm looking to deploy a 2504 controller and some AP1142s but would like to provide the client with an alternative, lower initial-cost option in my proposal. I've been researching the AP541N access points but several areas of their implementation seem unclear to me.

Clustering: For the clustering feature is it necessary for the network to have other SBCS components (500 series platforms)? All of their other features are either inapplicable to or already implemented in the network in question; if I have to add another appliance I would rather go the LWAPP route and use a true WLC.

What are the capabilities of clustering? Can I implement some form of wireless resilience by spacing APs closer together than necessary so that they will lower transmit dBm and intelligently respond to attempt to cover a new cell where an AP has gone down?

What about roaming? I believe Cisco advertises this as part of a small business voice solution. A client roaming between two access points in the same mobility group (cluster?) on a wireless VoIP phone should be able to keep its connection, as it's analogous to some critical UDP communications that are going to take place on the clients.

View 1 Replies View Related

Cisco Wireless :: 5508 / 1262 - Roaming Between Two SSIDs On Same AP

May 22, 2012

I am running a WiFi network built on Cisco 1262 APs and a Cisco WLC 5508. My APs broadcast two SSIDs, let's call them "WiFi_Pay" and "WiFi_Free". I have a problem: when users migrate from "WiFi_Pay" to "WiFi_Free" (not moving, connecting to the same AP), the connection fails. If they try a second time, it is always successful. My task is to ensure that such migrations run smoothly and are successful on the first attempt.

View 2 Replies View Related

Cisco Wireless :: 4404 Guest Anchor Controller With 5508 Foreign Controller?

Aug 12, 2012

I know that the 3600 series APs are not supported on the 4404 WLC. However, would the following scenario be supported? I would like to use the 4404 (software rel. 7.0) as a guest anchor with a 5508 (software release 7.2) as the foreign controller supporting series 3600 APs. I ask because the APs do not need to join the guest anchor.

View 7 Replies View Related

Cisco Wireless :: 5508 Foreign Controller And 4400 Anchor Controller?

Jun 2, 2013

We have a customer that has 2 5508s as primary and backup controllers and a 4400 as an anchor controller. We plan to upgrade the 5508 to 7.3.112.0 and the 4400 is already 7.0.116.0. Will there be any issue if the anchor controller is not on the same code as the foreign controller? Do I also have to upgrade the anchor controller to 7.0.240.0?

View 2 Replies View Related

Cisco Wireless :: 5500 / Controller Versus Cloud-based (Controller)

Mar 31, 2013

We are trying to navigate the waters in choosing between an in-house, controller-based wireless network solution or a cloud-based solution. We have been presented with the usual suspects in cloud-based (Aerohive, Meraki, etc.) and with Cisco (5500) and Aruba on the other side. We are a multi-campus organization with approx. 200 APs. Any hard reasons why to go with a controller-based vs. cloud-based solution? If we must keep the conversation limited to Cisco, why go Meraki over Cisco's WLC solutions or vice versa?

View 1 Replies View Related

Cisco Switching/Routing :: 2125 Wireless Controller Without Anchor Controller Just Using Existing Hardware

Dec 6, 2012

I am looking to configure a wired and wireless guest network. I have industrial barcode scanners that connect to one SSID and then there is the business network on the office SSID (no VLAN separation for these devices, just different SSIDs). There is not really a need to separate the business network from the scanners in any case. However, there are needs for a guest network and this needs to be separated. At the bare minimum I would like to have the wireless guest network. Here is what I have:

2125 Wireless LAN controller managing 18 LAPs (1 indoor and 17 outdoors)
Cisco Cat 2950 switches (2 x 24 port and soon to be replaced with 2 x 48 port 2960's with 802.1x capability)
Sonicwall TZ210 firewall
One existing wired and trunked VLAN for PLC infrastructure
One ESXi hosting Windows server guests (soon to be 2 with vMotion)

The reason for the wired guest access network is to prevent anyone from plugging into the wall jack in the office with their home laptops or anyone else from being on the same subnet as our domain machines. Granted they would be unauthenticated but there would be no layer 2 separation, and that is what I think would be best.

How would I go about doing this on the wireless controller without an anchor controller, just using my existing hardware? I would like to have the Guest SSID only available in the front office. Is it possible to offer a guest network while still servicing the business network SSID on the same access point? Then might I be able to have the guest network be treated as it should at the controller? However, this might present another issue altogether, as the guest traffic will be over the same wire as the business SSID until it hits the controller for management.

View 1 Replies View Related

Cisco Wireless :: AP1131AG / AP1100 Series Clients Roaming?

Sep 20, 2012

My hardware set-up: 2x AP 1100 series, 2x AP1131AG (not connected to a Cisco switch), all with the latest Cisco IOS.

What I want to do is connect these APs and broadcast the same SSID (e.g. Aironet and NOT Aironet1, Aironet2, etc.). Doing that, a user with a laptop can roam between these APs and won't have to re-enter the password of the SSID every time he changes AP. I would also like the encryption to be with a 128-bit password key. From what I have read, I need a local authenticator to do that (something called Local Radius Server).

View 11 Replies View Related

Cisco Wireless :: AP 1252 - Authentication And Roaming With Autonomous System

Aug 2, 2012

I have three autonomous APs in a small office running voice applications. All of them are connected to the same infrastructure switch and they have the same configuration; the voice VLAN is configured for open authentication. I have two models of AP, 1252 and 1262, and I paste the radio configuration below.

First issue: During calls users are facing problems when roaming between APs, and eventually calls are dropped.
Second issue: Sometimes one of these APs (1252) loses all transmit signal, and when it returns I get an authentication error in the log.

View 4 Replies View Related

Cisco Wireless :: 6500 WISM / Layer 3 Roaming And DHCP?

Nov 16, 2012

Setting up a multi-floor WLAN using a 6500 WISM controller. Each floor has an AP group with the floor WAPs assigned. Each floor has a VLAN and the WLC has an interface configured. Each floor has a WLAN configured with the same SSID and the only change is the interface on the WLAN per floor. DHCP is remote on AD servers and each floor has a scope configured. Each floor works fine: we can get connected and get assigned the correct IP address.

The issue we had with this setup was moving between floors. When we move up a floor the client loses connection to the initial floor (coverage, as expected). If we disconnect and reconnect, it connects to the new floor SSID and gets an IP from DHCP. When looking into this, I then created an interface group and added all the floor interfaces into the group. I then applied the interface group to each floor WLAN and did some testing; it worked as expected. I could now move between floors.

The issue with this, though: when I was testing I already had an IP address assigned from DHCP, before I changed to interface groups. The issue is that the initial DHCP assignment no longer works and we can't connect to the WLAN anymore,

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved