10-08-2008 03:06 AM - edited 07-03-2021 04:34 PM
Hello,
My wireless network consists of 3 WLC 4402 which manage 40 APs.
I have a fourth WLC which I installed on my DMZ for guest VLAN anchoring and web authentication.
Everything works fine but I have a problem:
If my client associates with an AP and then I authenticate, I'm ready to make traffic. As soon as my client roams to an AP managed by a different WLC I need to authenticate again. If I roam back to the first AP I need to reauthenticate.
In my guest WLAN I use WEB authentication provided by the internal web server of the Anchor WLC.
Thanks everybody
10-08-2008 03:44 AM
Did you set up your mobility groups and verify that the control path and data paths are up? In the WLC run a show mobility summary. Do this on all your WLCs and your guest anchor. Also, if you enable symmetric mobility tunnel, then make sure you have that enabled on all your WLCs.
10-08-2008 04:15 AM
Here are the output of show mobility summary.
The last WLC is the anchor.
WLC1
Symmetric Mobility Tunneling (current) .......... Disabled
Symmetric Mobility Tunneling (after reboot) ..... Disabled
Mobility Protocol Port........................... 16666
Mobility Security Mode........................... Disabled
Default Mobility Domain.......................... mob1
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x392f
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 0
Controllers configured in the Mobility Group
MAC Address IP Address Group Name Multicast IP Status
00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
00:23:04:7d:73:20 10.20.1.21 mob1 0.0.0.0 Up
WLC2
Symmetric Mobility Tunneling (current) .......... Disabled
Symmetric Mobility Tunneling (after reboot) ..... Disabled
Mobility Protocol Port........................... 16666
Mobility Security Mode........................... Disabled
Default Mobility Domain.......................... mob1
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x392f
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 0
Controllers configured in the Mobility Group
MAC Address IP Address Group Name Multicast IP Status
00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
00:23:04:7d:62:a0 10.20.1.22 mob1 0.0.0.0 Up
WLC3
Symmetric Mobility Tunneling (current) .......... Disabled
Symmetric Mobility Tunneling (after reboot) ..... Disabled
Mobility Protocol Port........................... 16666
Mobility Security Mode........................... Disabled
Default Mobility Domain.......................... mob1
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x392f
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 0
Controllers configured in the Mobility Group
MAC Address IP Address Group Name Multicast IP Status
00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
00:23:04:7d:79:80 10.20.2.21 mob1 0.0.0.0 Up
WLCAnchor
(Cisco Controller) >show mobility summary
Symmetric Mobility Tunneling (current) .......... Disabled
Symmetric Mobility Tunneling (after reboot) ..... Disabled
Mobility Protocol Port........................... 16666
Mobility Security Mode........................... Disabled
Default Mobility Domain.......................... mob1
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x392f
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 4
Mobility Control Message DSCP Value.............. 0
Controllers configured in the Mobility Group
MAC Address IP Address Group Name Multicast IP Status
00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
00:23:04:7d:62:a0 10.20.1.22 mob1 0.0.0.0 Up
00:23:04:7d:73:20 10.20.1.21 mob1 0.0.0.0 Up
00:23:04:7d:79:80 10.20.2.21 mob1 0.0.0.0 Up
10-08-2008 05:40 AM
Okay.... well, WLC 1, 2 & 3 should all be configured in each other's mobility group. The WLAN SSID used for guest on WLC 1, 2 & 3 needs to have mobility anchor configured with the WLCAnchor, and on the WLCAnchor you need to configure the WLAN guest SSID mobility anchor to itself.
Take a look at this doc:
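Added example, not part of any post in this thread: a Python check of the advice above that WLC 1, 2 and 3 belong in each other's mobility group, run against the member rows from the posted "show mobility summary" outputs. It generalises the advice to a full-mesh check (every controller should list every IP seen in any output); the function names and the OUTPUTS layout are assumptions made here.

```python
import re

# Member rows copied from the 'show mobility summary' outputs posted above,
# including the header that the terminal wrapped as "Sta" / "tus".
HEADER = "MAC Address IP Address Group Name Multicast IP Sta\ntus\n"
COMMON = "00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up\n"  # row in all four outputs
OUTPUTS = {
    "WLC1": HEADER + COMMON + "00:23:04:7d:73:20 10.20.1.21 mob1 0.0.0.0 Up\n",
    "WLC2": HEADER + COMMON + "00:23:04:7d:62:a0 10.20.1.22 mob1 0.0.0.0 Up\n",
    "WLC3": HEADER + COMMON + "00:23:04:7d:79:80 10.20.2.21 mob1 0.0.0.0 Up\n",
    "WLCAnchor": HEADER + COMMON
    + "00:23:04:7d:62:a0 10.20.1.22 mob1 0.0.0.0 Up\n"
    + "00:23:04:7d:73:20 10.20.1.21 mob1 0.0.0.0 Up\n"
    + "00:23:04:7d:79:80 10.20.2.21 mob1 0.0.0.0 Up\n",
}

# One table row: MAC, IP, group name, multicast IP, status.
ROW = re.compile(
    r"^\s*((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(\d+(?:\.\d+){3})\s+(\S+)\s+"
    r"(\d+(?:\.\d+){3})\s+(\S+)\s*$", re.I | re.M)

def parse_members(text):
    """Return {ip: (mac, group, status)} from one pasted output."""
    return {ip: (mac.lower(), group, status)
            for mac, ip, group, _mcast, status in ROW.findall(text)}

def audit(outputs):
    """Map controller name -> list of findings (empty list = consistent)."""
    tables = {name: parse_members(text) for name, text in outputs.items()}
    all_ips = set().union(*tables.values())  # every member IP seen anywhere
    findings = {}
    for name, members in tables.items():
        issues = [f"missing member {ip}"
                  for ip in sorted(all_ips - set(members))]
        issues += [f"{ip} is {status}"
                   for ip, (_mac, _grp, status) in sorted(members.items())
                   if status != "Up"]
        findings[name] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit(OUTPUTS).items():
        print(name, "OK" if not issues else "; ".join(issues))
```
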
10-08-2008 06:36 AM
Ok I made the changes.
Unfortunately the problem is still alive:
If I roam from a WLC to another I need to reauthenticate via WEB.
What am I doing incorrectly?
10-08-2008 06:39 AM
Can you post your config from the wlcanchor and also two of your WLCs in which you roamed from one to the other? Seems to be a configuration issue somewhere.
10-08-2008 06:45 AM
Which is the command in CLI to show the whole configuration?
10-08-2008 06:51 AM
Do a show run-config not a show running-config.
And keep hitting the space bar... it will take a while.
10-08-2008 08:22 AM
10-08-2008 08:41 AM
Let me review the config and I will post my findings.
10-08-2008 07:23 PM
Here are my findings, which I have attached. This should fix your issue. First thing to do is change the VIP of wlc1, wlc2 and wlc3 to 1.1.1.1 and then reboot the WLCs. You can keep the wlcanchor VIP as 1.1.1.4. Look at the other suggestions I posted.
10-09-2008 05:35 AM
Thank you very, very, very much!
The problem is solved and everything is ok.
I would only like to ask you my last question:
I upgraded the boot loader to the last version but I don't know what is the ER.
Here is the show version of my WLC, are all firmware up to date?
Thanks again and best regards
Johnny
System Information
Manufacturer's Name......Cisco Systems Inc.
Product Name........ Cisco Controller
Product Version........... 5.1.151.0
RTOS Version........... Linux-2.6.10_mvl401
Bootloader Version.......... 4.2.112.0
Build Type................... DATA + WPS
10-09-2008 06:09 AM
Glad I could help. It's so much easier to look at the config, so I'm glad you posted it. There is a 5.0.148.2 BOOT that is the ER; the 4.2.112 is the latest boot image out there. So what you can do is upload to the controller 5.0.148.2 BOOT just so you know you have everything up to date. This will not show up on the sysinfo though, so as long as it shows you that it successfully loaded, you are good.
10-10-2008 02:44 AM
Hi,
I have a new issue about web auth.
Now everything is ok with roaming, but now the problem is that randomly after 20-30 minutes I lose authentication and I need to reauthenticate even if I didn't roam.
Do I have to open a new topic for this issue?
Thanks and best regards
Johnny
10-10-2008 03:50 AM
On the WLAN said, change the session timeout to what you require. That should fix the issue you are having.