Sep 11th, 2009

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to address your Wireless Security concerns with Cisco expert Sangita Patel. Sangita is a Mobility Solutions Manager at Cisco. As a Solutions Manager, Sangita is responsible for the marketing strategy of Cisco Mobility Solutions with an emphasis on articulating the business value of wireless security as well as the unified wired and wireless approach to enterprise-wide mobility. She has over 15 years of networking industry experience. Prior to joining Cisco, Sangita served as a Product Manager at Symbol Technologies / Motorola and was responsible for some of their flagship Wireless LAN infrastructure and management portfolio. Sangita holds a B.S. in Computer Science from San Jose State University and M.S. in Engineering Management from Santa Clara University.

Remember to use the rating system to let Sangita know if you have received an adequate response.

Sangita might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through September 25, 2009. Visit this forum often to view responses to your questions and the questions of other community members.

wendellm1 Sat, 09/12/2009 - 09:59

I was wondering how to set up a network between two separate buildings on the same property, yet both have their own DSL circuit from AT&T. No underground conduit is available to connect the two buildings. I would like to use (2) Cisco WRVS4400N Gigabit Security Routers to do this, because both buildings want wireless networking plus wired networking available. The main building already has a small "home" network created between (8) PCs and their OS is Win XP Pro.

Sure would appreciate the help!


wendellm1 Sun, 09/13/2009 - 10:37

Thanks for the response.

Yes, I figured the ADSL lines coming in both modems would need to be bridged to the Cisco WRVS4400 routers on both sides, I'm just not sure what to do from there. How will computers from the second building access the file server and join the one network located in the main building? Is there more of a step-by-step instruction manual I can get for these routers or the procedure I'm trying to setup between both buildings?

Sure appreciate the feedback!


Leo Laohoo Sun, 09/13/2009 - 15:45

I meant configure two Access Points as Bridges.

Wireless Bridges Point-to-Point Link Configuration Example

Access Point as a Workgroup Bridge Configuration Example

Hope this helps.

sangipat Thu, 09/17/2009 - 07:17

Sales Engineer should be able to help design and point you to the right configuration documents.

sangipat Wed, 09/16/2009 - 14:28

This is certainly one option. Best to design it out with an SE.

rod.flores83 Mon, 09/14/2009 - 12:36

Hello everyone;

I'm trying to configure a Cisco Aironet 1250N, but I cannot get a rate faster than 54 Mbps, which is passing. I have a Linksys WMP300N wireless card. Could someone help me?

sangipat Thu, 09/17/2009 - 07:15

Best to follow client security recommendations to properly secure the network including clients.

sangipat Tue, 09/15/2009 - 16:24

Hi Rod - so there could be a few things happening. I will try and provide some information, but if this doesn't help you might want to contact TAC and do further troubleshooting. Assuming your controller is at 4.2.x or later, make sure that you have configured the radios for bonded channel configuration. In order for your clients to be able to realize 11n rates, the necessary WLANs need to be enabled for WMM (either 'allowed' or 'required', depending on your needs and client support).

Also, you should have AES cryptography on all encrypted links. You should have WPA2 AES enabled (with either PSK or back-end AAA) or that WLAN won't work at all for 11n rates. You can go for a mixture (WPA with TKIP or AES and WPA2 with TKIP), just so long as you have WPA2 with AES enabled.

The easiest way to make sure that your clients are connected at these rates (after you make sure your WLAN config is set per recommendation) is to check the client records in the WLC GUI or via WCS.

sangipat Wed, 09/16/2009 - 12:22

Hi thanks for the post. Overall this is more a general deployment topic and you would be best suited to work with a Sales Engineer and do a design session so that you can design optimal network for the applications you are deploying.

Leo Laohoo Sat, 09/12/2009 - 18:36

Thanks for the opportunity to open this topic. A significant number of the forum experts are unhappy as to the implications and solutions to the recently announced vulnerability of OTAP that was first discovered by Jerome Henry and made public by AirMagnet.

According to some, even when OTAP is disabled (by default) the details of the WLC's IP and MAC address are still being advertised in the open.

Hope to hear from you soon, Sangita.

sangipat Wed, 09/16/2009 - 14:24

Hi thanks for the message. Yes the OTAP vulnerability is known and is going to be completely disabled in a 6.0.x patch. Having said that there are ways to apply best practices for your WLAN to help minimize security risk.

Below are good references on understanding OTAP and detecting Rogues.

Useful References for customers:

1. IntelliShield alert

2. Tech Note - “Understanding OTAP”

3. Whitepaper - “Rogue Detection under Unified Wireless Networks”


5. Safeguard with LSC - Locally Significant Certificates on Wireless LAN Controllers Configuration Example

Leo Laohoo Thu, 09/17/2009 - 00:28

Thanks for this. Do you know when is the 6.0.X patch scheduled for release?

sangipat Thu, 09/17/2009 - 07:14

The patch release is coming soon though I do not have a specific release date. Again there is very little risk if OTAP is not being used and rogue detection and other wireless security best practices are in place.

Leo Laohoo Thu, 09/17/2009 - 16:19

Hi Sangita,

Thanks for your response. Me and my team members agree with your response, however, we must respond to the Paranoid Team (aka IT Security). And they haven't taken their hourly dose of Prozac. This is why I'm asking for the release date of the 6.0.X just to calm them down.

sangipat Fri, 09/18/2009 - 08:25

I can understand the paranoia. Our team is currently working on the patch and testing so it should be coming soon.

sangipat Wed, 09/16/2009 - 06:50

Hello there. So VSP is more an SMB and a Service Provider solution and I am not best suited to answer your questions as I am in the Enterprise Wireless group. I would suggest contacting your local Cisco rep. You can find the Cisco offices by visiting the Cisco Website at

x1petvah62 Tue, 09/15/2009 - 04:18

Hi! I'm trying to find information about LDAPS support for WLC 5.2 and how to configure LDAPS (port 636) on WLC/WiSM 5.2. LDAP works just fine, but when I configure LDAPS, actually just by configuring port number 636, it doesn't work. What more needs to be configured?

Regards Peter

Can you clarify the use of validating the certificate for PEAP?

My original understanding was that a certificate was REQUIRED in order to properly authenticate against an ACS RADIUS server. However, as many iPhone and other handheld devices have proven, only 802.1X AD credentials are required to get on a WLAN secured by PEAP.

I believe I understand that windows machines that are validating the certificate are more securely PEAPing than those that are not by encrypting the original handshake - but is there a way to enforce the use of a certificate to authenticate with PEAP?

cjoseph23 Wed, 09/16/2009 - 06:56

I am trying to install a certificate on my WiSM controller (Running 6.0) so that my Guest clients do not get the certificate error while redirected to the login page.

I added DNS Host Name under the controller -> interfaces ->virtual so that the redirect will go to a more meaningful name. i.e.

Added an A record in my DNS server for to resolve to (not sure if this is needed or not.)

I used the following document to generate the certificate on my CA server and am going to upload this afternoon.

Is there anything I am missing? Will this certificate work for my purpose or do I have to purchase a cert from Verisign or RapidSSL? I am really trying to avoid purchasing a cert, but if that is the only option then I will.

In order to resolve this error on a guest wlan, you can disable the https management on both your local and anchor controllers, reboot them - and the certificate warning will no longer come up.

This is due to the clients not trusting the self signed cert on the WLC when they are attempting to go to the virtual IP address.

sangipat Thu, 09/17/2009 - 07:12

Brian, thanks for providing input. Everyone should always follow the security best practices and not take any short cuts unless aware of the risks.

Robert.N.Barrett_2 Sun, 09/20/2009 - 04:49


If your clients automatically trust the certificate you generated (because they already trust the CA that issued the certificate), then you should be in business.

If your clients do NOT trust the certificate, then you should either manually install the certificate (without the private key) on all the clients, or you should generate/install a 3rd Party certificate for your WLC that comes from a vendor that is already trusted by your clients (and, if necessary, update the DNS Host Name entry on the virtual interface to match the CN on the certificate).

Thank you for your reply, but my question is rather specific to a Cisco environment.

I use Cisco controllers, Cisco AP's, Cisco Radius server all interconnected by a Cisco LAN and managed by Cisco WCS.

The 2 links provided are very vague and do not offer much info around my specific question about enforcing the use of certificates with PEAP via ACS or other.

Robert.N.Barrett_2 Sat, 09/19/2009 - 10:19


Whether or not a RADIUS (ACS) server certificate is required is completely up to the configuration of the wireless clients and has nothing to do with how many Cisco network products are in the mix.

Most wireless clients/supplicants have an option to enable/disable whether the client checks the RADIUS server certificate. There is nothing that the RADIUS/ACS server can do to force the client to check the certificate. Therefore, for many clients, having a certificate on the RADIUS server is not required and is something that can easily be skipped. It is, however, a good practice to configure your clients to check for that certificate. It doesn't really improve the security of your wireless network, but it does help ensure that your clients are connecting to your SSID and not someone spoofing your SSID.

sangipat Thu, 09/24/2009 - 12:34

See responses/suggestions provided by other folks on this forum. If your question is still not answered you could repost your question in the WCS NetPro forum.

bghobadi2 Wed, 09/16/2009 - 07:30


I have deployed Unified Wireless Networks to many locations. I see hundreds of ad hoc access points reported by the controllers.

1. I am not sure of the security risks they pose.

2. I am not sure what their negative impact is on the networks' performance, stability, users, etc.

I would appreciate it if you could direct me to some documents about the topics of my concern.



sangipat Wed, 09/16/2009 - 14:16

Bo, thanks for the message. Couple of things to look at based on your posting. WCS Plus provides ability to look at the network and provide information as to the risk they pose. There is also a built in help that will show details of the various threats. Additionally there is the wIPS solution that can provide IDS/IPS solution. More information on WCS & wIPS can be found at (WCS Modules: &

bobtodd01 Wed, 09/16/2009 - 14:01


We are running wcs and wisms running

We are having problems with clients using eap-ttls supplicants.

When the clients roam they don't deauth and therefore no stop records are ever sent to the radius server. They reauth but still have an active session on the radius server. The radius server rejects authentications because we don't allow multiple concurrent sessions.

Our radius vendor has asked if the Nas (wisms) support radius accounting interim updates which can sort of be used as keep-alives if no stop records have been sent.

I have searched Cisco's web site and accounting interim updates seem to be supported on some platforms but apparently not on WiSMs?

Can anybody confirm this?


Bob Todd

sangipat Thu, 09/17/2009 - 07:10

Hi Bob thanks for the posting. Generally the official releases are the same for both WLC and WiSMs. Interim releases sometimes are meant more for specific platforms. Would advise to go to release specifically for your platform if possible. You could also work with the support organization. (

Robert.N.Barrett_2 Sat, 09/19/2009 - 13:46


I did some quick poking around about the interim updates. The updates don't look to be a standard part of a normal RADIUS authentication, but rather something that gets requested during the initial authentication process. If I understand the process -- when your RADIUS server authenticates someone, the access-accept packet coming from the RADIUS server will include attributes that specify interim updates, and how often those updates should be made. This appears to be done via RADIUS attributes 27 & 29. While I don't see anything (at all!) listed in the WLC 5.1 manual, these attributes are specifically listed in the WLC 5.2 manual. I'd say you probably want to enable the feature on your RADIUS server and then see if the status messages show up in the logs.

Table 5-3 Authentication Attributes Honored in Access-Accept Packets (Standard)

Attribute ID   Description
6              Service-Type¹
8              Framed-IP-Address
25             Class
26             Vendor-Specific
27             Timeout
29             Termination-Action
40             Acct-Status-Type
64             Tunnel-Type
79             EAP-Message
81             Tunnel-Group-ID


bobtodd01 Mon, 09/21/2009 - 06:35

Hi Robert,

You are correct. Our radius server does request them and they are working. We finally verified. I just couldn't find anything in the wism or wcs documentation.

Looks like the account status type has

VALUE Acct-Status-Type Interim-Update 3
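The problem Bob describes above (a client roams, the old WiSM never sends an accounting Stop, and the RADIUS server's concurrent-session limit then rejects the re-authentication) and the fix the thread lands on (Interim-Update records, Acct-Status-Type value 3, used as keep-alives) can be shown with a small accounting session tracker. The following is an added example written for this page, not code from Cisco, from any RADIUS vendor, or from the posters; the record layout (a dict of attribute names to values), the NAS names "wism-1"/"wism-2", the user "bob", and the timeline are all constructed. The interval the NAS uses for Interim-Updates is whatever the server hands it in the Access-Accept (the Acct-Interim-Interval attribute from RFC 2869); here it is simply a constructor parameter.

```python
"""Track RADIUS accounting sessions and use Interim-Update records as
keep-alives, so a session whose Stop record never arrives does not block the
user's next authentication forever. Added example; assumptions are marked."""
from dataclasses import dataclass, field
from typing import Dict, List

# Acct-Status-Type (RADIUS attribute 40) values defined in RFC 2866
ACCT_START, ACCT_STOP, ACCT_INTERIM_UPDATE = 1, 2, 3


@dataclass
class Session:
    user: str
    session_id: str
    nas: str
    last_seen: int  # timestamp (seconds) of the last Start or Interim-Update


@dataclass
class SessionTracker:
    # Interim-Update interval the NAS was asked to use (seconds); 0 means the
    # NAS was never asked, so accounting only arrives at Start and Stop.
    interim_interval: int
    missed_updates_allowed: int = 1   # grace: how many updates may be missed
    max_concurrent: int = 1           # policy from the thread: one session per user
    sessions: Dict[str, Session] = field(default_factory=dict)  # keyed by Acct-Session-Id

    def expire_stale(self, now: int) -> List[str]:
        """Drop sessions whose keep-alives stopped arriving. With no interim
        updates there is no deadline, so an orphaned session lives forever."""
        if self.interim_interval == 0:
            return []
        deadline = self.interim_interval * (self.missed_updates_allowed + 1)
        stale = [sid for sid, s in self.sessions.items() if now - s.last_seen > deadline]
        for sid in stale:
            del self.sessions[sid]
        return stale

    def accounting(self, record: dict) -> str:
        """Apply one accounting record (constructed dict: attribute -> value)."""
        status = record["Acct-Status-Type"]
        sid = record["Acct-Session-Id"]
        if status == ACCT_STOP:
            self.sessions.pop(sid, None)
            return "stop"
        if status in (ACCT_START, ACCT_INTERIM_UPDATE):
            # Start creates the session; Interim-Update refreshes last_seen
            self.sessions[sid] = Session(record["User-Name"], sid,
                                         record["NAS-Identifier"], record["Timestamp"])
            return "start" if status == ACCT_START else "interim-update"
        raise ValueError(f"unknown Acct-Status-Type {status}")

    def authorize(self, user: str, now: int) -> str:
        """Concurrent-session check performed when an Access-Request arrives."""
        self.expire_stale(now)
        active = [s for s in self.sessions.values() if s.user == user]
        return "reject" if len(active) >= self.max_concurrent else "accept"


def roaming_scenario(interim_interval: int) -> List[str]:
    """Constructed timeline: 'bob' associates through wism-1 at t=0, the NAS
    sends Interim-Updates every interim_interval seconds (none if 0), and at
    t=650 the client roams and re-authenticates while wism-1 never sends a
    Stop. Returns the server's decisions at t=650, 1300 and 2000."""
    tracker = SessionTracker(interim_interval=interim_interval)

    def rec(status: int, t: int, nas: str = "wism-1", sid: str = "0001") -> dict:
        return {"Acct-Status-Type": status, "Acct-Session-Id": sid,
                "User-Name": "bob", "NAS-Identifier": nas, "Timestamp": t}

    tracker.accounting(rec(ACCT_START, 0))
    if interim_interval:
        for t in range(interim_interval, 650, interim_interval):
            tracker.accounting(rec(ACCT_INTERIM_UPDATE, t))
    # Roam at t=650: re-authentication attempts via wism-2, no Stop from wism-1.
    return [tracker.authorize("bob", t) for t in (650, 1300, 2000)]


if __name__ == "__main__":
    print("no interim updates:", roaming_scenario(0))      # stays rejected
    print("interim every 300s:", roaming_scenario(300))    # recovers once stale
```

Without interim updates the orphaned session is never expired and every re-authentication is rejected; with updates every 300 s the server notices that wism-1 stopped refreshing the session and clears it after the grace period, after which the roamed client is accepted. A real deployment would still want the Stop records fixed (the 7.0 fix Bob mentions), since keep-alive expiry only bounds the outage rather than removing it.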



Robert.N.Barrett_2 Sat, 09/19/2009 - 13:25


I am not familiar with radius accounting interim updates, but you should not experience any roaming issues like what you describe if all of your WiSMs are in the same mobility group (assuming the SSID is the same).


bobtodd01 Mon, 09/21/2009 - 06:21

Hi Robert,

All of our wisms are in the same mobility group. We have open cases with Cisco. The problem is somewhat related to eap-ttls and a fix is coming in 7.0.

As we understand it... the problem is our radius server has an active connection. Roaming occurs and the local client re-auths. The radius server fails the authentication because there is already an active connection. If the client sends a de-auth everything works. Apparently client activity when roaming occurs is not defined in the 802.11 spec.

I think the mobility handoff works for other protocols, but the controller does not cache credentials for eap-ttls to allow "everything" to work properly.

charles.cabanlit Wed, 09/16/2009 - 19:55


Setting up a Unified Wireless Network using a WLC and a Cisco AP 1250; the logs are showing the following error:

"Tue Aug 11 16:25:43 2009 Impersonation of AP with Base Radio MAC 00:18:74:c5:87:b1 using source address of 00:20:e0:cc:f1:56 has been detected by the AP with MAC Address: 00:18:74:c5:87:b0 on its 802.11b/g radio whose slot ID is 0"

we found a known bug for WLC :

Bug CSCsz56454 -> Controller logs are sometimes flooded with messages about access points impersonating legitimate access points.

The problem is that the MAC address mentioned in the logs is a client and not an AP, but somehow the AP is seeing the client as an AP and reporting the error above.

Do you have any input on why this is so?

Thank you



charles.cabanlit Wed, 09/23/2009 - 18:13

Hi sangipat,

I went to the link provided but there is a lot of information on the site - would you be able to point me to where I could post this question?

Thank you.



MATS KARLSSON Fri, 09/18/2009 - 05:53

Is it possible in a wireless Guest WLAN configuration, to let the account for the Lobbyadmin to be authorized locally in the WLC (ver. and to let other management users be authorized on an external Radius server?

In other words, can I separate these two types of management users so they have different authentication servers.

sangipat Fri, 09/18/2009 - 08:24

Hi, thanks for the posting. Guest access and security is very important. There is flexibility depending on the components you have and how your network is designed. Two very useful documents that cover specifically the Guest WLAN are and

Lucien Avramov Sun, 09/20/2009 - 09:12

Yes this is possible:

go to Administration -> AAA -> AAA mode and checkbox the enable fallback and choose the second option: auth failure or no server response.

MATS KARLSSON Sun, 09/20/2009 - 09:34

Thanks, I see that now . . BUT it is on the WCS. Is it also possible to do the same on the WLC?

(I would love to have that option in the WLC.)

As I use my WCS for many customer networks and the system itself is not directly accessible from the customer network, I would prefer to let each customer lobbyadmin access their own WLC with a local account and our operators (as we sell this as a service) use radius accounts.

