Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss how to successfully plan, manage and troubleshoot your wireless network using Cisco Wireless Control System (WCS) with Cisco expert Paul Lysander. Paul is a technical marketing engineer with the Wireless Networking Business Unit at Cisco. He was previously a member of Cisco's Access Technology Group product team, managing the Cisco Integrated Services Router platforms.
Remember to use the rating system to let Paul know if you have received an adequate response.
Paul might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through February 8, 2008. Visit this forum often to view responses to your questions and the questions of other community members.
Can you recommend the best way to monitor network utilization for the overall wireless network? Is there any way to determine how much bandwidth is being used for each SSID? For example, how much usage is on the 'Guest' wireless network vs. the 'Secured' wireless network?
Are there any other utilities that are capable of reporting this information?
The release notes from 'Unified Wireless Network' mention templates that are available to report per-user bandwidth usage. I had hoped that there would also be a report of cumulative bandwidth without using a 3rd party application.
Just to be clear, WCS provides extensive monitoring and various statistical reports can be generated under the "Monitor --> Access Point". Details on monitoring wireless devices can be found in the WCS configuration guide at the URL below.
I appreciate the advice, but unfortunately the method 'Monitor->Access Point' only allows 5 APs to be queried at a time. My objective is to generate an automated report of the traffic per SSID from all of the 120 APs and 4 WiSM blades. Management is interested in how much wireless bandwidth is currently being used for Guest access vs. Machine Authenticated access. I'm sure that usage by campus, building and floor would also be useful. At this point it seems that the most likely method to get an aggregate usage trend is to monitor the VLAN trunks on the 6500 chassis.
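One way to get the cumulative per-SSID and per-location view the poster is asking for is to aggregate a per-client usage export offline. The script below is an added example, not code from the thread or from any Cisco tool. It assumes a hypothetical export with the columns ap_name, ssid, bytes_in, bytes_out, and a hypothetical AP naming convention CAMPUS-BUILDING-FLOOR-NN from which campus, building and floor are derived; the sample rows and byte counts are constructed.

```python
"""Aggregate per-client wireless usage into per-SSID and per-location totals.

Added example (not from the forum thread or any Cisco product). Assumes a
hypothetical per-client export with columns ap_name, ssid, bytes_in,
bytes_out and a hypothetical AP naming convention CAMPUS-BUILDING-FLOOR-NN.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export; AP names, SSIDs and byte counts are made up.
SAMPLE_EXPORT = """ap_name,ssid,bytes_in,bytes_out
MAIN-B1-F1-01,Guest,1200000,3400000
MAIN-B1-F1-01,Secured,5000000,2000000
MAIN-B1-F2-03,Guest,800000,1600000
MAIN-B2-F1-02,Secured,7000000,1000000
EAST-B7-F3-04,Guest,300000,900000
EAST-B7-F3-04,Secured,250000,750000
"""


def parse_location(ap_name):
    """Split CAMPUS-BUILDING-FLOOR-NN into (campus, building, floor)."""
    parts = ap_name.split("-")
    if len(parts) < 3:
        raise ValueError(f"AP name does not follow CAMPUS-BUILDING-FLOOR-NN: {ap_name!r}")
    return parts[0], parts[1], parts[2]


def aggregate_usage(export_text):
    """Sum bytes_in + bytes_out per SSID, campus, building and floor.

    Returns a dict keyed by (dimension, value), e.g. ("ssid", "Guest") or
    ("building", "MAIN/B1"), mapping to the total bytes seen.
    """
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(export_text)):
        total = int(row["bytes_in"]) + int(row["bytes_out"])
        campus, building, floor = parse_location(row["ap_name"])
        totals[("ssid", row["ssid"])] += total
        totals[("campus", campus)] += total
        totals[("building", f"{campus}/{building}")] += total
        totals[("floor", f"{campus}/{building}/{floor}")] += total
    return dict(totals)


def ssid_share(totals):
    """Percentage of all bytes carried by each SSID, rounded to 0.1%."""
    ssid_totals = {key[1]: value for key, value in totals.items() if key[0] == "ssid"}
    grand_total = sum(ssid_totals.values())
    if grand_total == 0:
        return {ssid: 0.0 for ssid in ssid_totals}
    return {ssid: round(100.0 * b / grand_total, 1) for ssid, b in ssid_totals.items()}


if __name__ == "__main__":
    totals = aggregate_usage(SAMPLE_EXPORT)
    for (dimension, value), total_bytes in sorted(totals.items()):
        print(f"{dimension:9s} {value:20s} {total_bytes / 1e6:8.2f} MB")
    print("SSID share:", ssid_share(totals))
```

Run against a real export, the same grouping gives the Guest-vs-Secured comparison and the campus/building/floor breakdown in one pass; a scheduled run of the script against a daily export produces the trend the poster wants.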
We are having difficulty adding and refreshing existing controllers (running 220.127.116.11) into the WCS (4.1.91). I have heard of various issues related to controller configuration elements (RADIUS servers, AP Groups, etc.) causing the import process to abort. I have since reinstalled the WCS, and when attempting to add 36 controllers via a CSV file (18 WiSMs), it fails after 2 controllers. Is there anything that can be done to fix this besides clearing the controller configs (not a viable solution)? Should we try to go back to WCS 4.0? Doesn't this go against the principle of upgrading the WCS before upgrading controller code?
There could be something wrong with the SNMP credentials or the import file. Please add the controllers manually, entering the required credentials. If we still see an issue after just the first 2 controllers, then it could be an issue with the import file. If that is not the issue, resolving this problem would require more extensive troubleshooting than can be discussed on this forum.
FYI - The 18.104.22.168 WiSMs are hitting the WCS AP Groups bug CSCse36426. According to the notes, this defect was initially found in the controller version 22.214.171.124 and it applies to 126.96.36.199 too, as explained in the release notes at:
This defect has been fixed in 188.8.131.52, 184.108.40.206 and 220.127.116.11.
Hi Paul, I am a WLAN newbie and have a good question. :)
Below is excerpted from Sybex CCNA Study Guide 6th Edition Page 715:
the controller only forwards LWAPP packets coming from an LWAPP-enabled port, which means a switch or router is required to take an LWAPP packet and forward it out as IP data to a non-LWAPP network. A mid-range switch can handle the routing.
Below is excerpted from "Deployment Guide: Cisco Mesh Networking Solution Release 3.2": A switch or router between the Cisco wireless LAN controller and the RAP is required because Cisco wireless LAN controllers do not forward Ethernet traffic coming from an LWAPP-enabled port.
Pay attention to the lines: "forwards LWAPP packets coming from an LWAPP-enabled port", and "do not forward Ethernet traffic coming from an LWAPP-enabled port".
My first question would be what is the definition for "LWAPP-enabled port"? What is it? Where is it? By knowing this, I think I can understand the sentences. :)
Additionally, can someone elaborate more on why a switch or router is required for routing wireless data, so I can visualize it better?
I have used Google and Wikipedia but found no light. Hope I can find some light here. Thanks in advance. :)
Unfortunately, the documentation you found is rather confusing. The concept behind LWAPP is really simple.
The AP (standard AP or MESH RAP) talks to the controller via LWAPP. LWAPP is a protocol that sits inside of an IP packet. So all you need to worry about is that you have IP connectivity between the AP and the controller. This can be across router boundaries (different subnets) or on the same switch (same VLAN). When the controller gets the LWAPP packets from the AP, it strips off and processes the LWAPP information and then forwards (if appropriate) the Ethernet frames onto the VLAN/Ethernet port connected into the controller.
I hope this helps.
Manager, Technical Marketing
Cisco's Wireless Networking Business Unit
Wires?!? We don't need no stinking wires!
We are currently making a unified wlan solution validation on our customer site.
LAP1310AG APs are connected to 3 WLC 4402 managed by a WCS.
Two ACS engines (18.104.22.168) perform the AAA between the WLCs and the Novell Directory Server.
The wireless client is using Novell client software with 802.1X/PEAP to authenticate via wireless.
We are facing an authentication issue that seems to be due to a non-supported feature on ACS: PEAP with an external LDAP database.
1/ The following CCO document gives notice that the ACS 4.1 can interact with a Novell Directory server when configured on the ACS as a Generic LDAP server:
Authentication and User Databases
ACS supports a variety of user databases. It supports the ACS internal database and several external user databases, including:
• Windows User Database
• Generic Lightweight Directory Access Protocol (LDAP)
• Novell NetWare Directory Services (NDS) when used with Generic LDAP
• LEAP Proxy Remote Access Dial-In User Service (RADIUS) servers
• Open Database Connectivity (ODBC)-compliant relational databases (ACS for Windows)
Authentication Protocol-Database Compatibility
Q. What support is there for Lightweight Directory Access Protocol (LDAP)?
A. Support for LDAP on Cisco Secure ACS Solution Engine is identical to support on the Cisco Secure ACS software version. Cisco Secure ACS supports user authentication against records kept in a directory server through LDAP. Cisco Secure ACS supports the most popular directory servers, including Novell and Netscape, through a generic LDAP interface.
2/ The following CCO document gives notice that PEAP is not supported by the ACS when interacting with an LDAP server:
- Could you please confirm to us that the ACS engine 4.1 does not support PEAP (with wireless clients) when the user database is an external LDAP database?
- Could there be another solution permitting the use of PEAP (between wireless client and ACS) and LDAP (between ACS and Novell Directory server)?
We could also use EAP-TLS, as it seems to be supported by the ACS interacting with LDAP. The issue is that we will then need to provision each wireless device with user certificates, and as multiple users can use a wireless client, it could quickly become a mess to provision...
Many thanks for your help
If you don't mind i have a question about WLC.
How can I secure LAP registration to the WLC, since any Cisco LAP can register itself with my WLC without any authentication?
Thanks in advance
I am also interested in this issue. Currently, Cisco recommends that you have the LWAPs authenticate back to an ACS (adding significant cost in labor and product).
The problem is significant because not only can ANY Cisco LWAP automatically join a WLC by default, but after it joins, it automatically begins transmitting the first eight active SSIDs/WLANs defined in the system. Also, ignoring what we learned in the autonomous days (where the default state of the radios was eventually changed to OFF), the LWAP radio default state is ON after connecting to the controller.
This behavior creates a security issue if certain SSIDs/WLANs carry sensitive data and are only intended for specific areas of the building.
Also, the auto-join-and-carry-traffic-by-default behavior means that if a hacker wishes to bypass WLAN security, all they need to do is purchase one Cisco LWAP, put it on the wired network, and sniff unencrypted *data* LWAPP traffic on the *wired* side of the LWAP (since all layer 2 encryption is on the RF side of the LWAP; the LWAP data traffic is not encrypted). Any clients associated with the rogue Cisco LWAP can have their traffic captured, *** with no rogue AP alarms ***.
One very simple fix for this problem is to change the Cisco default LWAP radio state for a newly-joined LWAP to be OFF instead of ON. This behavior would then accurately reflect what the sticker on the LWAP box says: "Radios are off by default". The admin would then
Or... the Cisco controller could "park" LWAPs that are attempting to join the controller and prevent them from fully joining (i.e.: detect newly-connected LWAPs, but not allow them to pass traffic without administrative authorization).
Paul: Is there anything in the works to address this without having to buy a $12,000 ACS?
Some WCS enhancement requests:
1) Could the WCS import a comma-delimited .CSV file which loads the AP Serial Numbers/AP Names into the WCS?
Currently, this process is the most labor-intensive process when configuring the WCS. If this feature were added, then all I would have to do is place the LWAPs on the heat map and use access point templates to make bulk changes to the access points.
If the LWAP is not yet seen by a controller, a placeholder record could be created (similar to what we have today in the WCS when an LWAP is no longer connected to the system) that would store the name of the AP.
2) Currently, there is no way to configure virtual interfaces using a controller template in the WCS. This is conspicuously missing from the list of controller templates. For larger installations, configuring virtual interfaces consistently requires no small effort, as each controller must be individually configured with what is often the same set of virtual interfaces.
Is it possible to add a new Controller Template for configuring virtual interfaces in the controllers?
The need for this is significant. For example, in order for an LWAP to fail over from one controller (and actually permit client traffic), the appropriate virtual interfaces must exist on ALL controllers (Primary, Secondary, and Tertiary) to which the LWAP might connect. In order to ensure consistent configuration among the various controllers, a WCS template that permits groups of virtual interfaces to be applied to a group of controllers would save a tremendous amount of time and reduce user input errors.
3) Is it possible to add a new Controller Template to set up Mobility Groups? Currently, this is a manual, controller-by-controller administrative task that must be repeated each time a controller is added (or replaced). Ideally, it might even be possible for these templates to be automatically built for each group of controllers that have the same mobility group name.
4) When adding LWAPs to a heatmap, is it possible for the WCS to initially place them in a *column* on the left-hand side of the map (instead of a *row* across the top of the screen)? That way you could actually read the AP name tag. Right now, the name tags get covered up as the APs overlap and it is sometimes impossible to read the AP name tags.
Is anyone else running into these limitations?
1) For importing autonomous APs into WCS, this is supported in WCS 4.2 (from Configure --> Access Points --> Add autonomous APs; select the "file" option). LWAPP APs are not manually imported into WCS, as they are auto-discovered when controllers are added to WCS.
The other items/ideas that you have listed sound like good feature requests. Please provide any further input that you have on these feature requests.
Thanks & regards
What do you think?
Could you forward these on to the WCS product team as a feature enhancement?
You can tell WLCs to only create an LWAPP tunnel to a LAP if the LAP's Ethernet MAC address is in the table you configure in the WLC.
The MAC address for the LAP must be in the Primary, Secondary and Tertiary WLC databases.
I know it's painful to administer, but it works fine.
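The MAC-table approach described above becomes manageable if the authorized AP list is kept in one place and checked against what each controller actually reports as joined. The script below is an added example, not code from the thread or from Cisco. The AP inventory and the per-controller lists of joined MACs are constructed; the WLC CLI lines it emits ("config auth-list ap-policy authorize-ap enable" and "config auth-list add mic <MAC>") are assumed from the AireOS command set and should be checked against the command reference for your controller release before use.

```python
"""Audit joined LWAPs against an authorized MAC list and emit auth-list lines.

Added example (not from the forum thread or Cisco). The inventory, the
joined-AP lists and the controller names are constructed; the WLC CLI
syntax is assumed from the AireOS command set and must be verified
against the command reference for the release in use.
"""
import re

# Constructed inventory: AP name -> Ethernet MAC, as the admin would maintain it.
AUTHORIZED_APS = {
    "MAIN-B1-F1-01": "00:1a:2b:3c:4d:01",
    "MAIN-B1-F2-03": "00:1a:2b:3c:4d:03",
}

# Constructed: MACs each controller currently reports as joined. Formats are
# deliberately mixed (colon, dash, Cisco dotted) to exercise normalization.
JOINED_BY_CONTROLLER = {
    "wlc-primary": ["00:1A:2B:3C:4D:01", "001a.2b3c.4d03", "00-1a-2b-3c-4d-99"],
    "wlc-secondary": ["00:1A:2B:3C:4D:01"],
}

CONTROLLERS = ["wlc-primary", "wlc-secondary", "wlc-tertiary"]


def normalize_mac(mac):
    """Return a MAC as lower-case colon-separated pairs, whatever the input form."""
    hex_digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hex_digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hex_digits[i:i + 2] for i in range(0, 12, 2))


def audit(joined_by_controller, authorized_aps):
    """Return, per controller, the sorted list of joined MACs not in the inventory."""
    allowed = {normalize_mac(mac) for mac in authorized_aps.values()}
    report = {}
    for controller, macs in joined_by_controller.items():
        seen = {normalize_mac(mac) for mac in macs}
        report[controller] = sorted(seen - allowed)
    return report


def auth_list_commands(authorized_aps, controllers):
    """Build the same auth-list for every controller, since an AP may fail over to any of them.

    CLI syntax is an assumption (see module docstring).
    """
    lines = ["config auth-list ap-policy authorize-ap enable"]
    for name, mac in sorted(authorized_aps.items()):
        lines.append(f"config auth-list add mic {normalize_mac(mac)}  ! {name}")
    return {controller: list(lines) for controller in controllers}


if __name__ == "__main__":
    for controller, unknown in audit(JOINED_BY_CONTROLLER, AUTHORIZED_APS).items():
        status = "OK" if not unknown else f"UNAUTHORIZED joined APs: {', '.join(unknown)}"
        print(f"{controller}: {status}")
    for controller, lines in auth_list_commands(AUTHORIZED_APS, CONTROLLERS).items():
        print(f"\n! {controller}")
        print("\n".join(lines))
```

Normalizing MAC formats before comparing matters because different controller outputs and inventories write the same address differently; without it the one unauthorized AP in the constructed data would be masked by a format mismatch on a legitimate one. Emitting the identical list for all three controllers reflects the point made above that the MAC must be present on the Primary, Secondary and Tertiary WLCs.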
I want to upgrade the 1200 AP IOS software to the 1240 IOS, but it is giving me: UPGRADE ERROR: FILE NOT FOUND, SERVER NOT FOUND OR WRONG FILE FORMAT. What can I do?
1) Are there any plans to improve the Config Groups feature to make it more user friendly, perhaps making it more like the WLC GUI per Controller Group, rather than a 2-column display of raw and abstract config elements, to permit better Controller config containment and configuration checking?
2) Are AP Groups being considered as a more scalable means of applying WLAN override?
We continually look for ways to make WCS more feature-rich. We are looking into both of the enhancements that you have described. It would be useful if you could provide further details on how to enhance both the Config Groups and WLAN override features.
Thanks & regards,
New to this, but I have a question. I am studying for my CCNA and have limited financial resources, but want to know how many chances you have if you pay for the exam: once or twice per payment? Thanks.
You'll need to check on the Career Certifications Forum to answer this question. Please go to: http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Career%20Certifications&topic=Certifications&CommCmd=MB%3Fcmd%3Ddisplay_messages%26mode%3Dnew%26location%3D.ee702b1
Thanks & regards,
We are working with WCS 3.2 and someone changed the password of the superuser account. Is there a way to do password recovery?
For password recovery with WCS prior to release 4.1, you need to open a TAC case and someone from TAC will help you through the process. The document at the URL below provides details on the password recovery procedure when running WCS 4.1 or greater.
I want to use the WCS to:
1. detect rogue aps
2. assess threat levels and answer the question, "is the rogue on the network?"
I did a test: I turned on RLDP and plugged a rogue Cisco fat AP into my wired network. The WCS identified it as on the network.
However, I was told that if I plugged in a Linksys wireless router (NAT on), the WCS would not be able to know if the rogue is on the network. Since wireless routers with NAT on are a more common threat, can you tell me how to configure WCS to be able to assess the correct threat level of these wireless routers with NAT?
WCS provides very comprehensive discovery and threat detection of rogue access points. For the scenario you describe, the RLDP feature will work for a NATed rogue as well. RLDP does the following: 1) pretends to be a client and tries to connect to the rogue AP's SSID; 2) tries to get an IP address via DHCP; 3) pings its controller. If it gets a response, it knows the rogue is on the network and will elevate the rogue status to Threat. This works for both NATed and directly L2-connected access points.
This works great for OPEN rogues. If the rogue AP has some form of encryption, we have a Rogue Detector mode on our APs that will allow the AP to monitor a trunk port and look for ARP requests on the wire. It matches up ARPing clients to known wireless rogue clients.
Manager, Technical Marketing
Cisco's Wireless Networking Business Unit
Wires?!? We don't need no stinking wires!