Cisco Wireless :: WLC 5500 7.4 HTTPS Access On Service Ports Using HA AP SSO
Mar 5, 2013
I use the Service port connected to the managementVLAN to manage the WLCs. When configuring HA with AP SSO, I lost HTTPS connectivity to the WLC, telnet still works fine.I researched the deployment guide and it states:
- When AP SSO is enabled, there is no SNMP/GUI access on the service port for both the WLCs in the HA setup.Why is remote access disabled using GUI when using HA, and how can I keep management of my WLC using HTTPS and an address in the ManagementVLAN.
View 10 Replies
ADVERTISEMENT
Oct 1, 2012
I understand that Cisco have at long last provided a facility to separate HTTP web authentication from HTTPS WLC management on WLC code 7.2.x for the new 5500 series WLCs.
My question is does Cisco intend to provide the same much needed functionality on the 4400 series WLCs that are running 7.0.x code? I was looking through the release notes for v7.0.235.3 code and that did not seem to mention this functionality. I know we can get around the problem by purchasing an SSL certificate so that guest users with web authentication do not have to see the same security warning each time they log in but the idea to separate the HTTP web authentication from HTTPS WLC management seems so much simpler.
View 6 Replies
View Related
Sep 14, 2012
I have an ASA 5505 running 8.4.4.1. I've configured three WAN interfaces and have assigned failover on one of them (we have two ISP's, and a total of 3 static IP's in 3 different subnets). I've noticed that all the traffic is flowing through only one of the three interfaces, but I need to allow incoming https traffic on the second WAN port so I can access our Exchange server (we already use https on the first WAN port to access another server).
[code] WAN1 is the default outgoing route and we've configured several incoming services on it (smtp and https for example) and appears to be working properly as mail is coming and going and users can access the RDS gateway.I need to configure WAN2 to accept https traffic and send it to our Exchange server to enable OWA (webmail) access.I've configured the same Access and NAT rules on all three WAN interfaces for smtp (but I suspect only the first one is currently functioning at this point, I'll test it next chance I get). I thought all I'd have to do is configure an access and NAT entry on WAN2 (same as on WAN1), but direct the traffic to the OWA server instead of the rds gateway server, but it is not working.
In the realtime log I can see that it appears to be receiving the traffic on the WAN2 IP, but seems to be passing this through to the inside via the WAN1 interface.
View 5 Replies
View Related
Nov 15, 2011
I recently installed an RV042 v1.1 vpn router (older hardware revision but using the latest available firmware 1.3.12.19-tm) and set up VPN access with the QuickVPN client. QuickVPN requires that the HTTPS setting be enabled under the Firewall options, so I did. I then scanned our static IP with grc.com's ShieldsUP! to check for open or non-stealthed ports and discovered that ports 80 and 443 show as wide open, while port 113 is closed but not stealthed. If I disable the HTTPS setting under Firewall, then ports 80 and 443 become stealthed. Is there any way to use QuickVPN and keep these ports stealthed?
View 1 Replies
View Related
Jun 4, 2013
I have a 5500 controller that we use to manage our lightweight access-points. We have had complaints that the 'guest' vlan in the boardroom is not usable. Our guest vlan is in fact overloaded.
I went back to the original site survey and noticed that coverage for the room is not ideal so I would like to have a new lightweight access-point installed in the boardroom and somehow limit the access to it to only a few people.
View 11 Replies
View Related
May 14, 2013
How to create a mixed service ports on ASA 8.4(2)?I need to create a service group which has ICMP, TCP ports and also different UDP ports.Normally you would create different service group based on TCP/UDP/TCP-UDP/ICMP/Protocol and add then to new nested service group.But I want to create a new service group where you can define everything without the need to different service groups and nesting them into a new one.
View 1 Replies
View Related
Oct 29, 2011
I recently purchased an SG300-10 switch. Is it possible to change the TCP port numbers for the administrative services on this device? For example, if I wanted to change the web admin port from being availble on port 80 to port 8080, or move the SSH port from 22 to 2022, how would I do this?
I've looked over the web admin interface, and the Security > TCP/UDP services option looks like what I want, but I see no way to change a service's listening port. Is this possible?
View 3 Replies
View Related
Jul 18, 2011
I've run a across a strange issue that I've not encountered before and after the things I've tried am beginning to think it's a limitation of the router itself. What I have are 3 Cisco 1941 routers that are all endpoints for a customer's MPLS network. STL is the headquarters and both remote offices have a link back this router. Each of the remote locations only have 1 serial interface. It is a flat network with few routes and a small shoretel voip system running across it. Each router is running C1900 Software (C1900-UNIVERSALK9-M), Version 15.0(1)M5, RELEASE SOFTWARE (fc2).
QoS is configured as follows on each router:
class-map match-any AutoQoS-VoIP-Remark
match ip dscp ef
match ip dscp cs3
match ip dscp af31
class-map match-any AutoQoS-VoIP-Control-UnTrust
match access-group name AutoQoS-VoIP-Control
class-map match-any AutoQoS-VoIP-RTP-UnTrust
[code]....
If I try to apply the policy map to serial0/0/0, I get the following error:
% policy map utoQos-Policy-Untrust not configured
I've tried to create a different policy map with the same settings and get the same error. We thought that when it was first set up, each interface belonged to the same network, so we separated things out (hence the .252 mask). I'm not sure what else to try and I'm hoping its something painfully simple that I'm missing.
View 2 Replies
View Related
Sep 27, 2010
We have recently upgraded the software on our two WLC 4404 from software release 4.0.xxx to 4.2.xxx to 6.1.199.4 and lastly to version 7.0.98.0.
We could access the WLC's GUI's using https when it was on version 4.0.xxx. When we did the upgrades from version 4.2.xxx to 6.1.199.4 we couldn't access the Admin page through https anymore but only through normal http. We enabled https through the GUI and through the CLI and we did do the re-generation certificate , without any success. We then upgraded to version 7.0.98.0 and we still have the same result , cannot access Admin GUI through https.
View 2 Replies
View Related
Jul 11, 2012
I have an rv180 and I'm trying to setup a custom service that contains both multiple disjoint ports (some UDP some TCP), as well as a TCP port range. This has lead me to a couple of questions.1) Is it even possible to have a single custom service with disjoint ports? Is it just going to be necessary to define multiple partial services for this?2) Is it possible to forward a range of ports? It's clear how to define a service with a port range, but the port forwarding table interface only allows me to select one LAN-side port for any service. Is there a secret notation that I need to do here that will just forward to the same LAN-side port as the WAN-side port---effectively one-to-one NAT forwarding, but just for the selected service?
View 8 Replies
View Related
Feb 29, 2012
I can not access my Linksys E3000 router via https://192.168.1.1.Before this mishap, I was able to gain access to my Linksys E3000 router via http://192.168.1.1 and/or the Cisco Connect software application on Windows 7. Yesterday, I went into my router's administration page and disabled http, and enabled https. I then closed out all browsers, restarted them and entered https://192.168.1.1
After that, I learned quickly I made a huge mistake to make these changes. I simply can not access my router admin wired or wirelessly. Accessing the internet works great, but router admin page is a no go.Firefox and IE states, "There is a problem with this website's security certificate." and was unable to proceed.Firefox even gave me the option to accept a security exemption to proceed, but that failed.
I have also tried using the Cisco Connect utility, and that also failed. I have taken these steps and not been able to access my router's admin page.I don't want to take the last final resort to reset my router and re-enter my settings again. I know I saved the router's backup file somewhere, but can't find it.Is there another way for me to gain access via https with http disabled? All I want to do now is go back in and change it back to enable http access.
View 9 Replies
View Related
Jan 28, 2012
To improve the security of my 4200 v1 router, I turned on in the router configuration "Access via HTTPS" and after the reboot I could not access my router via the browser even when I click on the browser message to continue. What do I need to configure either in the router or my browser to use HTTPS?
View 9 Replies
View Related
Jan 30, 2013
I have a Cisco aironet 3502i access point which I am using with a 5500 Wireless Controller. I was configuring the AP for flexconnect and accidentally enabled PPPoE authentication - but never set configured login details for PPPoE. Now when the AP boots up it tries to use PPPoE but fails - it never even looks for an IP address. I have no way to get the AP connected to the controller again.I tried logging into the AP via console, the AP gives me output but I never get a login, even when I hold down the Mode button during startup.I also tried holding the Mode button and waiting for the AP to boot with its default IP (10.0.0.1) and connecting to the AP via telnet, but I was unable to connect or even ping with my PC on the same network configured as 10.0.0.2.What can I do to set this AP back to defaults, to become a normal DHCP client, and reconnect to the wireless controller where I can reconfigure it?
View 9 Replies
View Related
Feb 16, 2012
I was unable to access the web admin on my WRT160n v3 w/ latest firmware this morning. Reset config to defaults & was able to get in. Enabled HTTPS access & disabled HTTP access & was right back where I started; reset to defaults again & left both boxes checked. Can access via HTTP, but HTTPS requests get refused/reset.
The reason I needed access was that when I booted up my laptop this morning, my wireless card wasn't picking up an IP address via WIFI, only worked via ethernet, so I need to see what was going on there — several reboots of the router didn't fix, nor has it fixed the HTTPS access problem described above.
View 6 Replies
View Related
Apr 15, 2012
Interface management on WCL 5508 is assigned ip 192.168.255.200 and from a PC ( on different subnet), i can ping but cannot access https to WCL but From a PC ( in the same subnet) i can ping and https.
View 11 Replies
View Related
Aug 8, 2012
In the ISE documentation is states that under a Guest_Activity report you must have guest access logging enabled on the NAD in the ISE network. My question is where do I enable guest access logging in the WLC that is our NAD?
View 1 Replies
View Related
Mar 8, 2012
When accessing the E3200 router using then ERROR 501.Not Implemented.That method is not implemented. The error occured after enabling the "Local Management Access, Access via: HTTPS" option on the Administration > Management tab.I tried different browsers FireFox (version 10), Internet Explorer (version 8,9), the same error was displayed and no acces granted to the E3200 router. I reseted the router and tried the latest firmware 1.0.03 build 9 Feb 1, 2012, but after enablib the option the issue occured again and it is not possible to connect to the router.
View 9 Replies
View Related
May 20, 2012
I have a new WLC 5500 series which i upgraded to a newer version. We got brand new AP's 1242 from Cisco. My ex-colleague had said that we can pre-image the AP's using the controller, so the new AP's get the image directly from the Controllers.
I have the following devices with me for this: A WLC 5500, 1242 AP ( 12 No.'s) and a 2960 switch. I tried to create dhcp pool in wlc so the ap get the ip and gets the image . However, i cant see the ap appearing in wireless tab.
The WLC & AP will be connected to this same switch.
What configuration needs to be done on the WLC & the Switch so that the 1242 AP's when connected physically to the ports on the switch will get the image from the WLC.
View 7 Replies
View Related
May 14, 2013
Is there a way to associate spare firewall ports with another port that is being used..For example...int gi 0/2 is being used currently for my web dmz. Its ip is 192.168.10.1..Is there a way for me to associate gi 0/3 with the same layer 2 as gi 0/2 ?
In my webdmz I use 2 ACE 4710 proxys in FT mode. I used a layer 2 switch to connect firewall and proxys together.
I would like to eliminate this switch if possible..and connect both 4710's (layer 2) direct to firewall.If I could make gi0/2 - 4 part of the same vlan, then I would be good to go.
View 2 Replies
View Related
Nov 1, 2012
Got a bit of a quandary with joining new access points to our 5500 series W LAN Controller. It looks like the LAP is initially able to see the W LAN controller, but after that things go sideways. The LAP is pulling a valid IP address from DHCP, and the W LAN Controller is able to ping it.
In the controller's AP Join Statistics we get this:
Last AP Message Decryption Failure
Last AP Connection Failure -Timed out while waiting for ECHO repsonse from the AP
Last AP Disconnect Reason
[code]...
View 7 Replies
View Related
Feb 2, 2012
One of techs accidentally connected two access ports from different switches together. Since then, LMS is alerting them as being Link ports down. I tried to default the config and set them to access ports without any success. what I should do in LMS to recognize them as access ports?
View 2 Replies
View Related
Apr 30, 2012
We have recently been given this unusual task. The setup is a series of CAP3502P access points, and a wireless controller (either 2500 Series or 5500 Series), as well as other standard network infrastructure.
In this network, the client (mobile/wireless) devices must be able to detect when they change what access point they are communicating through, while also requiring a seamless transition. Ie, if the client device is communicating via access point A, and displaying the application menus for A, when the user walks to the area services by access point B, it must detect that sot he application can display menus for B, without the user having to select "B".
Is there a way for the client device to detect which access point it is using and provide that to an application? Or alternatively a way for a host service residing on a server to get that information from the wireless controller?
View 2 Replies
View Related
Jun 15, 2012
i have cisco CAP 3602e series access point to work with 5500 series controller with code 7.0i did not find VCI option 60 for this type of APs to configure DHCP. How I can let these APs will join the controller, i mean through which process DNS discovery methode and what about if i need to configure option 60 and 43 in dhcp for ap joining process to controllers.
View 4 Replies
View Related
May 30, 2011
I have access to free wireless service but it requires a security key? How do I get this key?
View 3 Replies
View Related
Aug 31, 2011
access https sites from my PC? I cannot access these sites from IE 9 nor Firefox 6. I even disable firewall to try getting access to the secured websites but to no avail. But this problem recently cropped up when i upgraded my PC from XP to Windows 7.
View 11 Replies
View Related
Jul 15, 2012
I have a 2911 which works perfectly except I cannot access it via HTTPS. HTTP and SSH both work. I've regenerated the RSA-key several times but to no avail.The box has a host- and domain-name configured.
View 8 Replies
View Related
Mar 15, 2012
I installed the LMS as ova template on ESXi and be able to connect via SSH, but when I try to connect via http or https I got the following error.
ForbiddenYou don't have permission to access / on this server. Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
View 11 Replies
View Related
Jan 5, 2012
We have an ASA5505 UL bundel, updated with this license "L-ASA5505-SEC-PL=" to enable traffic from DMZ to Inside. No NAT or rules deployed for that yet.
On the Inside we have Exchange 2007 in a single server installation. The public url for smtp, ActiveSync, OWA and Outlook Anywhere is mail.company.se. There is a static NAT for outside traffic to access above mentioned services on inside. Now, on DMZ there is the WLAN for guests to access the Internet. How ever, our Smart Phones with WLAN turned on, cannot sync to the Exchange Server on the Inside! The DMZ gets IP-addressen from ASA on DMZ Interface with external DNS configured. How can I configure the ASA to achieve the function of ActiveSync from DMZ to Inside with the public URL from the phones?
View 15 Replies
View Related
Nov 18, 2012
I have a closed network that is not connnected to the internet, just other sites that we want to communicate with. We have a cisco router connected to the outside interface on an ASA5505 and a cisco router connected to the inside interface on the same ASA5505. I have an inside interface that connects our management LAN, five separate DMZ interfaces with a separate LAN (VLAN) on each DMZ interface and the outside interface that connects to the other sites. Data is not allowed to mingle between the five DMZ's.
Alll connections to the other separate nodes are handled with the router on the external interface. IPSEC GRE tunnels have been established between all sites and BGP routing has been verified. Pings are good between inside, dmz and external interfaces and between the DMZ's and the other sites, to include hosts on our local networks and hosts at the remote sites. Inter and intra traffic is enabled.
When a remote site attempts an https connection, the initial ACK handshake makes it through the ASA5505, but the return SYN/ACK is being knocked down and I don't understand why (it is not because of ACL's, they are any any at this point).
Why the return SYN/ACK to the remote site isn't getting through the ASA5505 outbound. Will probably have the same issue with FTP, but right now, just trying to solve one problem at a time.
ASA5505 is in routed mode, not looking to NAT since the IP addresses in the DMZ need to be reached by their real IP address.
View 3 Replies
View Related
Nov 15, 2012
So, i have set up a working Anyconnect solution, (see attached picture)
Firewall is a 5585-x ssp20 running 8.4.3
Core is cat 6500
Anyconnect client version: 3.1.00495
Configured vpn with a tunneled default route to 172.19.16.1 (Core - cat6500) No split tunnel is configured, everything has to be tunneled and monitored by WCCP in Firewall. Authorization is by Certificate Only.
I can reach inside servers (for example 172.18.254.37) i can reach DMZ server (for example 192.168.138.36) i can surf the internet on regular HTTP (port 80)
but, i cannot surf the internet or DMZ servers using HTTPS (port 443) also, ftp does not work. i have tried to reach external ftp servers who are open to all.
both https and ftp works from the INSIDE network.
I have tried to change the port for Anyconnect, to 444 (for dtls as well) and i can see that all the vpn traffic is going over 444, so 443 should be undisturbed.
but this is not working.. could it be a certificate problem, or am i missing something? NAT/PAT?
This is my NAT configuration:
nat (DMZ,INSIDE) source dynamic NET-VPN-DMZ-PORTWISE-NATED-BOTK HOST-172.18.254.69 destination static NET-VPN-REMOTE NET-VPN-REMOTE
nat (DMZ,INSIDE) source static NET-DMZ NET-DMZ destination static NET-ALL-INSIDE
[Code].....
View 6 Replies
View Related
Aug 1, 2011
I am working in an environment with 6 4402 all running 6.0.119.4 code and WCS 6.0.196.0. I keep getting an alert from WCS that the controllers cannot be reached "Controller '10.x.x.x' is unreachable. - Controller Name: 'Name'"
Now when I go to access the WLC through HTTPS I have no access at all but controller still responds to ICMP, HTTP, Telnet, SSH. I know I should have HTTP and Telnet disabled but since HTTPS keeps failing I would have no way to get into the controller. Is this a known issue in the 6.0.199.4 code? should I consider upgrading? The only fix I have found to work is to disable HTTPS reboot controller enable HTTPS and reboot again.
View 2 Replies
View Related
Oct 25, 2011
when my Linux VM is running!How's this for a mystery - last night I noticed that I could no longer access my gmail. Thought it might be down. This morning, I still couldn't access it. Thought I would try comcast, no joy either. Changed computers, no difference. Changed routers, no difference. Bought a new router and started plugging in network cables one at a time. My main machine first, everything works - http and https sites, a second computer, all good. The switch. Fine. Powerline. Still good. Then I plug in a Windows server running a Linux VM. Https sites on all the other machines stop working. Pause the Linux VM, restart router - https sites return to life. Went to Linux machine, re-enabled ipv6 (the only recent change on the Linux machine was to disable ipv6 since upon a reboot, Linux didn't have an ipv4 address). Restart Linux everything seems fine. A few hours go by, try to connect my wife's new laptop and at that moment wireless seems to stop. Restart router, wireless is back. But lo and behold, https is gone again. Unplug the machine that has the Linux VM, restart router, all is good.Ever see anything this weird?
View 3 Replies
View Related
Mar 21, 2012
Iv tried about everything you can find when you google things about not being able to access a particular website but none work checking out all security settings, deleting all cache, disabling security, checking date and time, flushdns, use opendns, try other devices (not one device in my household can get to https pages on this one site), making sure root certificates are updated, bypassing router, unplugging internet and router to ''reset'', trouble shooting with isp, website, ssl issuer, other wildblue users, other website users, other tech forum, checking for virus and malware and I'm sure there's more that I can't recall at the moment. I am not the only user of this website with a problem and all us having a problem have satellite internet (different providers), however not everyone with my satellite internet (wildblue thru dishnetwork) has this problem as I have asked here...some do some don't Wildblue ''blocking'' a website's ssl? - WildBlueWorld.com Forums
I can go to the website toontown.com but I can not access any pages that are ''secure'' or https. Can't login and using satellite internet?
View 14 Replies
View Related
