You are sometimes in the position where you have just configured DHCP or DNS for AP discovery and you need the AP to get an IP address and start the discovery process.
You can reboot the AP, or you can release and renew the DHCP lease on the AP's Ethernet interface to restart the process without a reboot:
release dhcp f0
renew dhcp f0
This Blog is for my own personal notes during my quest for CCIE Wireless. Some of it is probably not correct but I will change it when I realise! Feel free to add comments if you disagree with something or wish to add anything! Thanks Phil
Monday, 18 April 2011
Thursday, 24 March 2011
Local EAP and RADIUS EAP - Network User
I used to believe that when you use local RADIUS you must not have an external RADIUS server configured, as the external RADIUS server is always preferred. Well, this can be true, but it depends on the settings in the RADIUS server setup.
If you have the "Network User" box ticked on the RADIUS server configuration, that server becomes the default RADIUS server for all AAA authentication. You need "Network User" selected if you set up AP Policies and want the APs authenticated against AAA, because there is nowhere in the AP policy to configure a specific server.
Where you can specify a server, such as 802.1X authentication within a WLAN, there is no need to have "Network User" selected, and local RADIUS and external RADIUS can work in harmony: the WLAN that names the external server uses it, and a WLAN that names no server is free to use local EAP.
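As an added example (not from the original post), this is the WLC CLI equivalent of the arrangement described above: an external RADIUS server that is deliberately not the global default and is bound explicitly to one 802.1X WLAN, alongside a second WLAN that authenticates with local EAP. The server index, addresses, shared secret, WLAN IDs and the profile name LOCAL-PEAP are assumed values; lines starting with # are annotations, not CLI input.

```text
# External RADIUS server at index 1 (assumed address and secret)
config radius auth add 1 10.10.10.20 1812 ascii ChangeMeSharedSecret
# Do NOT make it the default: "Network User" and "Management" both left off
config radius auth network 1 disable
config radius auth management 1 disable

# WLAN 2: corporate 802.1X, server 1 named explicitly on the WLAN
config wlan disable 2
config wlan radius_server auth add 2 1
config wlan enable 2

# WLAN 3: local EAP with an assumed PEAP profile, no RADIUS server on the WLAN
config local-auth eap-profile add LOCAL-PEAP
config local-auth eap-profile method add peap LOCAL-PEAP
config local-auth user-credentials local
config wlan disable 3
config wlan local-auth enable 3 LOCAL-PEAP
config wlan enable 3

# Checks: the Network/Management columns should read Disabled for server 1,
# WLAN 2 should list server 1, WLAN 3 should show Local EAP with LOCAL-PEAP
show radius summary
show wlan 2
show wlan 3
show local-auth config
```

If AP Policies later require AP authorization against AAA, that server has to have Network User switched back on (config radius auth network 1 enable), and from that moment it is the default for every WLAN that does not name its own servers, which is exactly the interaction the post describes.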
Friday, 18 March 2011
LDAP Authenticated Bind
You can bind the WLC to an LDAP server for local authentication. Authenticated bind is possible and is the easier route, as you don't need to make changes to the AD to allow anonymous bind.
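An added example, not from the original post, of configuring an LDAP server on the WLC with an authenticated bind and pointing local EAP at it. The index, server address, base DN, bind account and password are assumed values; the user attribute sAMAccountName and object type Person are the usual choices for Active Directory. Lines starting with # are annotations.

```text
# LDAP server at index 1: address, port, user base DN, user attribute, user object type (all assumed)
config ldap add 1 10.10.10.40 389 "CN=Users,DC=example,DC=com" sAMAccountName Person
# Authenticated bind with a dedicated service account that only has read access to the base DN
config ldap simple-bind authenticated 1 username "CN=wlc-bind,CN=Users,DC=example,DC=com" password ChangeMeBindPassword
config ldap enable 1

# Local EAP looks users up in LDAP, with the local net user database as fallback
config local-auth user-credentials ldap local

# Checks: server 1 should show Enabled with bind type Authenticated
show ldap summary
show ldap 1
```

Give the bind account no rights beyond reading the user base DN, and keep the path between controller and domain controller inside the management network: a simple bind on port 389 carries the bind password in clear text, and the 4.x/5.x releases these notes cover have no LDAP-over-TLS option.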
Monday, 14 March 2011
Per User QoS Roles Bug
There appears to be a bug when entering the values for per-user bandwidth roles on the WLC in 4.2.
If I enter the values 40, 40, 50, 50 in that order to specify the standard traffic and UDP traffic values, I get the following after I click Apply.
You see, they are not in the order I applied them. The workaround appears to be to enter the values via the CLI.
config netuser guest-role create visitor
config netuser guest-role qos data-rate average-data-rate visitor 40
config netuser guest-role qos data-rate burst-data-rate visitor 40
config netuser guest-role qos data-rate average-realtime-rate visitor 50
config netuser guest-role qos data-rate burst-realtime-rate visitor 50
show netuser guest-roles
Role Name........................................ visitor
Average Data Rate........................... 40
Burst Data Rate............................. 40
Average Realtime Rate....................... 50
Burst Realtime Rate......................... 50
Tuesday, 1 March 2011
Coverage Hole Algorithm
Client SNR Cutoff Value (|dB|) = [AP Transmit Power (dBm) – Constant (17 dBm) – Coverage Profile (dB)]
Normally you are given the SNR value that you want the algorithm to trigger on. Let's say you are asked to have the AP increase its power should the client SNR fall below 20 dB, so the cutoff is 19 dB. You also need the AP's current transmit power: 17 dBm in this case (power level 2, FCC).
19 = 17 - 17 - x
x = -19, and the formula takes the absolute value (the |dB| on the left), so the Coverage Profile should be 19.
Note that this only comes out so neatly because the AP is at 17 dBm and the constant cancels; at any other power level the profile and the cutoff differ, so work the formula through rather than copying the SNR value across.
Monday, 28 February 2011
AP Failover with Mobility Groups
In WLC 4.2 there is only a field for the name of the primary, secondary and tertiary controller. If the AP learns about only one WLC during discovery it can still use these names for the other WLCs, but because no IP address is configured here, the AP can only match the names against the mobility group member list its current controller provides.
Now, if the WLCs are in different mobility groups there is no way to provide this information via the GUI, and a CLI command that includes the IP address is required.
config ap primary-base WLC1 AP1 10.10.10.10
config ap secondary-base WLC2 AP1 10.10.10.11
An AP reboot will probably be required!
Wednesday, 23 February 2011
TACACS+ WLC User Authentication
Use this process to configure the WLC for TACACS+ management-user authentication:
Add a TACACS+ Authentication server
Add a TACACS+ Authorisation server (also required, as the roles come back in the authorisation reply)
In ACS, add the WLC as a AAA client (NAS)
Go to Interface Configuration and enable the PPP Shell and Advanced TACACS+ options (at user level as well if you want to set roles per user)
Add ciscowlc (protocol common) under New Services
Select these attributes in either the user or the group and add the required roles for access:
role1=ALL (full admin rights)
role1=WIRELESS (access to the WIRELESS tab only)
role2=WLAN (a second role adds another tab; the role names match the WLC tabs, so it is WLAN, not WLANS)
roleX=X (one roleN entry per tab, X being the tab name)
role1=MONITOR (read-only rights)
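The WLC side of the procedure above, as an added example that is not from the original post. The server index, address and shared secret are assumed values, the ACS-side entries are shown as the text you would type into the custom attributes box, and lines starting with # are annotations rather than CLI input.

```text
# Authentication and authorization servers (authorization is what returns the roles);
# accounting is optional but gives you a record of who changed what
config tacacs auth add 1 10.10.10.30 49 ascii ChangeMeTacacsKey
config tacacs athr add 1 10.10.10.30 49 ascii ChangeMeTacacsKey
config tacacs acct add 1 10.10.10.30 49 ascii ChangeMeTacacsKey
# Management logins try TACACS+ first, then the local user database.
# Keep "local" in the list so an unreachable ACS does not lock you out of the controller.
config aaa auth mgmt tacacs local

# ACS side (GUI): Interface Configuration > TACACS+ (Cisco IOS) > New Services
#   Service: ciscowlc    Protocol: common
# Group Setup > (group) > ciscowlc common > Custom attributes, one role per line.
#   Full administrator:
role1=ALL
#   Read-only user:
role1=MONITOR
#   Tab-restricted user (WLAN and SECURITY tabs only):
role1=WLAN
role2=SECURITY

# Checks: the three servers should be listed and Enabled; the debug shows the
# roles ACS actually returned when a login does not get the access you expect
show tacacs summary
debug aaa tacacs enable
```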
WLC Syslog Levels
This caught me out when going through the IPX workbook, and I also had a similar issue at the Fastlane bootcamp.
If they ask you in the lab to configure a specific log level, it's not clear in the GUI what level it is as they are not in level order. So I thought, check the 4.2 config guide. IT'S WRONG. The 5.0 config guide has the correct information! Learn it if you can, but if you forget, remember to check the 5.0 guide for reference!
To set the severity level for filtering syslog messages to the syslog servers, choose one of the following options from the Syslog Level drop-down box:
• Emergencies = Severity level 0
• Alerts = Severity level 1 (default value)
• Critical = Severity level 2
• Errors = Severity level 3
• Warnings = Severity level 4
• Notifications = Severity level 5
• Informational = Severity level 6
• Debugging = Severity level 7
Tuesday, 22 February 2011
WLC CLI Commands Only - Work in progress
Commands that are only available in the CLI
config advanced eap request-timeout 20
config advanced eap identity-request-timeout 20
Generally considered best practice to configure these. Phones are slow and can time out the request if the default of 1 second is left in place.
config network secureweb cipher-option high enable
Restricts the HTTPS management GUI to high-strength (128-bit) ciphers.
config network arp unicast enable
Turns on proxy ARP. The controller provides its own MAC to clients requesting a MAC that is not in its database, then makes the request on the client's behalf.
config advanced dot11-padding enable
Pads proxy ARP responses to 60 bytes. Some non-Cisco clients have problems with ARP responses shorter than this.
config advanced 802.11a logging txpower on
Example; the same form is used for the 802.11b radio and for the other RRM logging types (channel, coverage, noise, interference, load, foreign).
config advanced client-handoff x
Informs CCX clients of the number of excessive retries required before a roam is forced.
config mobility secure-mode enable
Configures secure mobility on port 16667. All members of the mobility group need it. Not supported on the 2100s.
config wlan security tkip hold-down 0 [wlan id]
Stops the 60-second countermeasure that is triggered when two TKIP MIC errors are detected on an SSID. The hold-down exists to rate-limit MIC forgery attempts against TKIP, so setting it to 0 removes that protection; use it only where a specific client is falsely tripping it and you accept the risk.
Configuring WLC Interfaces in Notepad
It can take all year to set up interfaces that span multiple controllers via the GUI. A good trick is to build them in Notepad and just change the values for each interface; once they are built for a single controller, just change the IP addresses and paste to the others. If you can't remember the commands, do one interface in the CLI using Tab completion; if you can't do it using Tab, learn!
Also, only use lower case for interface names. If you use upper case, they show in the GUI as lower case but do not map to WLANs correctly.
config interface create guest 11
config interface address dynamic-interface guest 10.10.11.15 255.255.255.0 10.10.11.1
config interface dhcp dynamic-interface guest primary 10.10.210.6
config interface port guest 1