wgb to lightweight

Answered Question
Jun 18th, 2012

Hi.

I was wondering if I can connect a WGB 1231G to a lightweight AP with WPA2?

Scott Fella Mon, 06/18/2012 - 14:43

This link will explain the configuration required for a WGB in a Unified Wireless Network.

http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_lwap.html#wp1881680

Sent from Cisco Technical Support iPhone App

edondurguti Tue, 06/19/2012 - 09:53

I have tried a couple of things and can't seem to get it to work.

Here is my config:

dot11 ssid Test-SSID
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa cckm
   authentication client username xxx password 7 xxxxx
   infrastructure-ssid

That's on the WGB.

WLC config:

Security Policies: [WPA2][Auth(802.1X)]

H-REAP is not enabled.

H-REAP Local Switching     2   Enabled
H-REAP Local Auth         13   Enabled

And here is the debug:

apfMsConnTask_4: Jun 19 11:52:59.021: 00:1b:d4:e3:af:0d 0.0.0.0 START (0) Web-auth is not supported for WGB, drop the association request!
*apfMsConnTask_4: Jun 19 11:52:59.021: 00:1b:d4:e3:af:0d Scheduling deletion of Mobile Station:  (callerId: 22) in 3 seconds
*osapiBsnTimer: Jun 19 11:53:01.889: 00:1b:d4:e3:af:0d apfMsExpireCallback (apf_ms.c:609) Expiring Mobile!
*apfReceiveTask: Jun 19 11:53:01.889: 00:1b:d4:e3:af:0d pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfReceiveTask: Jun 19 11:53:01.889: 00:1b:d4:e3:af:0d 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [c0:62:6b:67:9a:a0]

saravlak Tue, 06/19/2012 - 11:09

Why is it showing webauth?

apfMsConnTask_4: Jun 19 11:52:59.021: 00:1b:d4:e3:af:0d 0.0.0.0 START (0) Web-auth is not supported for WGB, drop the association request!

The WGB is configured for CCKM, but the WLAN config on the WLC doesn't reflect that.

Does the WGB connect with simple security like PSK?

edondurguti Tue, 06/19/2012 - 12:21

I tried switching to ACS as the RADIUS server and it worked totally fine.

I am just not sure if this is compatible with ISE.

I have tried enabling/disabling CCKM; it still says WEBAUTH not supported for some reason.

Scott Fella Tue, 06/19/2012 - 13:25

Well, if you got it to work using ACS (I'm guessing 802.1X), you should be able to do the same type of authentication using ISE.

Sent from Cisco Technical Support iPhone App

Scott Fella Tue, 06/19/2012 - 09:55

On the SSID on the wlc, make sure you enable passive mode. It's on the advanced tab on the right hand side of the screen.

Sent from Cisco Technical Support iPhone App

edondurguti Tue, 06/19/2012 - 09:56

Yeah, but I want to use ISE as RADIUS / NAC and it is saying that I can't have passive client and RADIUS NAC at the same time.

Scott Fella Tue, 06/19/2012 - 10:26

If you enable passive mode, does the WGB function correctly? If so, then you know it's a requirement for WGB. If ISE doesn't support passive mode, then I don't think your solution will work. You might want to open another thread on the AAA security forum.

Sent from Cisco Technical Support iPhone App

edondurguti Tue, 06/19/2012 - 10:42

Thanks for your help. Will try to work it out.

Sent from Cisco Technical Support iPhone App

edondurguti Tue, 06/19/2012 - 13:40

Let's reply here so we don't lose track

Yes, I would think that if it works with ACS it should work with ISE. I've tried two WGBs and it doesn't work.

When I do a debug from the controller it shows as WEB AUTH not supported for WGB

Scott Fella Tue, 06/19/2012 - 13:43

Is ISE defaulting to a web redirect? If your policy is the same as in ACS, it should just send a RADIUS accept or reject. You need to look at the detailed logs in ISE and see what authentication and authorization policy the user is hitting.

Sent from Cisco Technical Support iPhone App

saravlak Tue, 06/19/2012 - 13:49

Does the wireless client authenticate fine with the same WLAN & ISE profile?

ISE & WLC version in question?

edondurguti Tue, 06/19/2012 - 13:54

ISE version 1.1

WLC version:

System Information
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.235.0
Bootloader Version............................... 1.0.16
Field Recovery Image Version..................... 1.0.0
Firmware Version................................. PIC 15.0

My computer and other devices work perfectly fine.

P.S. Fella kind of has a point. I am not sure if there has to be some tweaking done in ISE to allow the authentication...

Maybe ISE is making this error appear as WEBAUTH.

*apfMsConnTask_5: Jun 19 15:54:23.038: 00:16:46:5a:96:4e 0.0.0.0 START (0) Web-auth is not supported for WGB, drop the association request!
*apfMsConnTask_5: Jun 19 15:54:23.038: 00:16:46:5a:96:4e Scheduling deletion of Mobile Station:  (callerId: 22) in 3 seconds
*osapiBsnTimer: Jun 19 15:54:25.975: 00:16:46:5a:96:4e apfMsExpireCallback (apf_ms.c:609) Expiring Mobile!
*apfReceiveTask: Jun 19 15:54:25.977: 00:16:46:5a:96:4e pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfReceiveTask: Jun 19 15:54:25.977: 00:16:46:5a:96:4e 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [0c:85:25:df:ce:c0]

Scott Fella Tue, 06/19/2012 - 14:01

Maybe the default policy for unknown devices is webauth but the logs will tell you what policy ISE is hitting for that user.

Sent from Cisco Technical Support iPhone App

edondurguti Tue, 06/19/2012 - 14:07

Just tried static end point profile in ISE, added the mac address to treat it as workstation but same error.

edondurguti Tue, 06/19/2012 - 14:10

It sucks because I am doing a demo of the WLC and I have to return it by tomorrow, the 20th, lol.

Scott Fella Tue, 06/19/2012 - 14:39

Haha... Try to extend it:)

Sent from Cisco Technical Support iPhone App

edondurguti Tue, 06/19/2012 - 14:40

I'm going to have to do something... I need WGBs to work; we have about 800 of them.

Scott Fella Tue, 06/19/2012 - 14:49

You're going to make me want to lab this out just to see if this works :)

Sent from Cisco Technical Support iPhone App

edondurguti Tue, 06/19/2012 - 15:04

Please do so. I have until tomorrow to pack it up and ship it to Cisco before noon Chicago time.

Thank you.. I really appreciate it.

wgb#sho ver
Cisco IOS Software, C1200 Software (C1200-K9W7-M), Version 12.3(8)JEC3, RELEASE SOFTWARE (fc1)

Scott Fella Tue, 06/19/2012 - 15:05

I won't be able to until I get back from vacation the end of the week.

Sent from Cisco Technical Support iPhone App

edondurguti Tue, 06/19/2012 - 15:25

Alright then. I'd still appreciate it if you'd be able to lab it. Who knows, maybe it's a bug or not even supported. Thank you.

Sent from Cisco Technical Support iPhone App

edondurguti Wed, 06/20/2012 - 07:28

Fella, got it working. RADIUS NAC is not supported. As soon as I removed that it works. So I would need another SSID for WGBs, and clients behind it won't be seen by ISE at all.

Sent from Cisco Technical Support iPhone App

Scott Fella Wed, 06/20/2012 - 07:32

Thanks for posting the solution! I might still just have to lab it out just to see the logs:)

Sent from Cisco Technical Support iPhone App

edondurguti Wed, 06/20/2012 - 07:36

Thanks for your help.

ISE would not generate any log when I had RADIUS NAC in the WLC enabled, so the WGB would not ever hit ISE at all.

On the client list in the WLC the WGB would come up as WLAN UNKNOWN PROFILE UNKNOWN... it was weird; as soon as I removed RADIUS/NAC, ISE acted as RADIUS only.

Well hopefully someone finds it helpful.

Take care enjoy your vacation.
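The two `debug client` captures pasted earlier in this thread carry the whole diagnosis in one line: the controller refuses the WGB association with "Web-auth is not supported for WGB" before it ever talks to ISE, which is why ISE logged nothing and the client showed WLAN/PROFILE UNKNOWN. The script below is an added example, not code from the thread or from Cisco: it groups WLC debug lines by client MAC, extracts the drop reason and the AP the LWAPP rule was deleted on, and maps that specific reason to the fix the thread arrived at (disable RADIUS NAC on the WLAN or give WGBs their own SSID). The sample input is constructed from the line shapes quoted above; the hint text and the `KNOWN_REASONS` table are assumptions of this example, not WLC or ISE output.

```python
"""Triage Cisco WLC 'debug client' output for WGB association drops.

Added example (not from the thread): group per-client debug lines by MAC,
pull out the drop reason and the AP the LWAPP rule was deleted on, and map
the 'Web-auth is not supported for WGB' reason to the thread's finding that
RADIUS NAC on the WLAN blocks WGB association before ISE is ever consulted.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the debug lines quoted in this thread
# (two WGBs being refused and their LWAPP rules removed). Not a real capture.
SAMPLE_DEBUG = """\
apfMsConnTask_4: Jun 19 11:52:59.021: 00:1b:d4:e3:af:0d 0.0.0.0 START (0) Web-auth is not supported for WGB, drop the association request!
*apfMsConnTask_4: Jun 19 11:52:59.021: 00:1b:d4:e3:af:0d Scheduling deletion of Mobile Station:  (callerId: 22) in 3 seconds
*osapiBsnTimer: Jun 19 11:53:01.889: 00:1b:d4:e3:af:0d apfMsExpireCallback (apf_ms.c:609) Expiring Mobile!
*apfReceiveTask: Jun 19 11:53:01.889: 00:1b:d4:e3:af:0d 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [c0:62:6b:67:9a:a0]
*apfMsConnTask_5: Jun 19 15:54:23.038: 00:16:46:5a:96:4e 0.0.0.0 START (0) Web-auth is not supported for WGB, drop the association request!
*apfReceiveTask: Jun 19 15:54:25.977: 00:16:46:5a:96:4e 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [0c:85:25:df:ce:c0]
"""

# Line shape:  [*]<task>: <Mon DD hh:mm:ss.mmm>: <client mac> <message>
LINE_RE = re.compile(
    r"^\*?(?P<task>\w+): "
    r"(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?P<msg>.*)$"
)
DROP_RE = re.compile(r"START \(\d+\) (?P<reason>.+?), drop the association request!")
AP_RE = re.compile(r"Deleted mobile LWAPP rule on AP \[(?P<ap>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\]")

# Hint wording is this example's own, derived from the thread's outcome.
WGB_NAC_HINT = (
    "WLC applies a web-auth (RADIUS NAC) policy to the WGB association; "
    "disable 'RADIUS NAC' on this WLAN or put WGBs on a separate SSID"
)
KNOWN_REASONS = {"Web-auth is not supported for WGB": WGB_NAC_HINT}
UNKNOWN_HINT = "unrecognised drop reason; check WLAN L2 security and AAA override"


def parse_debug(text):
    """Yield (task, timestamp, mac, message) for each parseable line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("task"), m.group("ts"), m.group("mac"), m.group("msg")


def diagnose(text):
    """Return {mac: finding} for every client the controller refused.

    finding = {"reason", "hint", "ap", "first_seen", "deleted"}; clients whose
    lines never contain a drop reason are not reported.
    """
    clients = defaultdict(lambda: {"reason": None, "hint": None, "ap": None,
                                   "first_seen": None, "deleted": False})
    for _task, ts, mac, msg in parse_debug(text):
        c = clients[mac]
        c["first_seen"] = c["first_seen"] or ts
        d = DROP_RE.search(msg)
        if d:
            c["reason"] = d.group("reason")
            c["hint"] = KNOWN_REASONS.get(c["reason"], UNKNOWN_HINT)
        a = AP_RE.search(msg)
        if a:
            c["ap"] = a.group("ap")
            c["deleted"] = True
    return {mac: c for mac, c in clients.items() if c["reason"]}


if __name__ == "__main__":
    for mac, c in diagnose(SAMPLE_DEBUG).items():
        print(f"{mac}  ap={c['ap']}  first_seen={c['first_seen']}")
        print(f"    reason: {c['reason']}")
        print(f"    hint:   {c['hint']}")
```

Run it against a saved `debug client <mac>` capture instead of `SAMPLE_DEBUG` to get the same per-client summary; the useful property is that a WGB refused this way never reaches the RADIUS server, so an empty ISE live log is consistent with this drop reason rather than evidence of an ISE policy problem.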

Scott Fella Wed, 06/20/2012 - 07:44

Good info. I was going to start out with that option disabled just to see how the WLC & ISE handles clients behind the WGB. Well at least you completed your testing before they picked up the equipment:)

Sent from Cisco Technical Support iPhone App

edondurguti Fri, 06/22/2012 - 09:19

Hey Fella,

Let me know if you lab this, because I am sure I am getting the WLC and ISE together and there is a problem.

I have about 100 remote sites that will talk to the WLC in the datacenter. Now I have all the laptops and WGBs connect to one SSID (example: CORPORATE); if I want to do profiling and posture (RADIUS NAC option in the WLC) for that SSID I won't be able to, and I will have to have a new SSID for WGBs or laptops without the RADIUS/NAC option.

I don't know, maybe I should post this in AAA Identity and all that, but let me know if you find a workaround.

thank you.

Scott Fella Fri, 06/22/2012 - 10:54

Edon,

I will try to lab this out by next week. I will try to find out if radius NAC will be supported in future release.

Sent from Cisco Technical Support iPhone App

Scott Fella Fri, 06/22/2012 - 11:22

Just asked one of my peers and he mentioned that posturing will not work with an autonomous ap because CoA is not supported, which makes sense.

Sent from Cisco Technical Support iPhone App

edondurguti Fri, 06/22/2012 - 11:44

Hey, thanks for your input, but I think you didn't get my point.

I am trying to connect a WGB to a LIGHTWEIGHT AP, so it's not autonomous.

As I said before, the WGB is making me have a separate SSID for them, because when I choose RADIUS/NAC the WGB doesn't connect, and I don't want to posture clients behind it or the WGB itself. I am OK with just letting the WGB connect to the same SSID so I can profile/posture other devices that connect to the same SSID.

I figured they don't support CoA and I have to live with it, but at least use just RADIUS while I have selected RADIUS/NAC in the controller.

edondurguti Fri, 06/22/2012 - 11:58

Lol, I figured you work for CDW in Chicago... that's where we're getting the products from.

Correct Answer
Scott Fella Fri, 06/22/2012 - 12:45

Yeah I'm based out of the Chicago office.

I was thinking you were still trying to see if you can posture clients behind the WGB:) As long as you separate them and only use radius you will be fine. Hard to read post while driving:)

Sent from Cisco Technical Support iPhone App

edondurguti Fri, 06/22/2012 - 12:59

Lol, don't read and drive then.

I gave up the posturing thing behind the WGB. I just want to be able to connect to the same SSID where other clients get postured and profiled, but in order to do that you need to select RADIUS/NAC in the controller so you can profile and posture normal users, and when you select RADIUS/NAC for that SSID the WGB does not connect, and it's forcing me to set up a new SSID for WGBs.

If you try it you'll know what I mean.

Have a safe trip home to our beautiful chi-town :}

edondurguti Fri, 08/10/2012 - 15:04

If somebody reads this: WGBs are supported on lightweight (do not use RADIUS/NAC, as explained above).

WGBs can switch VLANs in CapWap mode (central switching).

So i've got 1 SSID=Corp.

then on ISE I have authorization profiles:

if device=Cisco Access Point(WGB)= VLAN-10

if device=Apple-Device(IPAD,Iphone)= VLAN-20

if device=Micro$oft Workstation(laptops)= VLAN-30

The limitation is that if you want just one SSID you would not be able to posture clients, as RADIUS/NAC would be necessary to use.

I have to thank Scott Fella for his contribution in this community.

George Stefanick Fri, 08/10/2012 - 16:13

Edon,

Great conversation, and I am glad you raised this concern. I have a number of WGBs and have ISE running, but I don't have RADIUS/NAC enabled on the WLAN where I have the WGBs.

Sounds like you did a lot of testing. One thing that pops out at me and would like your feedback. Have you used MAB on ISE to 'overlook' the WGBs?

edondurguti Fri, 08/10/2012 - 18:39

I am not sure what you mean by overlook?

Sent from Cisco Technical Support iPhone App

edondurguti Sun, 08/12/2012 - 12:10

Do you mean how did I authenticate them, or how did I profile them?

Sent from Cisco Technical Support iPhone App

sroberts@ca.ibm.com Fri, 11/30/2012 - 11:43

Hi, just starting a proof of concept for a customer and I'm having the same issue.

Did you find a workaround to keep only one SSID and keep the RADIUS NAC option enabled?

Thanks

edondurguti Fri, 11/30/2012 - 11:45

No, not really. It wouldn't work for me as soon as I enabled RADIUS/NAC.

edondurguti Thu, 02/28/2013 - 14:13

If someone reads this again, it does work with WLC 7.3.

I was able to connect a WGB to a 3502 access point. It can't connect when RADIUS NAC is selected, so I had to create another SSID for WGBs, and all the clients behind it get connected as well; it's a life saver for me.

George Stefanick Fri, 10/25/2013 - 01:09

Edondurguti,

Sorry, but do you mean that with 7.3 a WGB connects with RADIUS NAC enabled on the WLAN?

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

Posted June 18, 2012 at 2:37 PM
Tags: wgb, lightweight