Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to configure and troubleshoot WCS-related issues with Cisco expert Lucien Avramov. Lucien is a Customer Support Engineer working in the San Jose TAC center. He is a technical leader within the Network Management Team and has been supporting WCS for about 2 years. He handles worldwide escalations related to Network Management, including WCS. He has a Bachelor's Degree in General Engineering and a Master's Degree in Computer Science from the prestigious French Ecole des Mines (Mining School). Lucien holds a CCIE in Routing and Switching (CCIE #19945).
Remember to use the rating system to let Lucien know if you have received an adequate response.
Lucien might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 20, 2009. Visit this forum often to view responses to your questions and the questions of other community members.
I want to audit all controllers at once; we have about 40. I go to Configure, Controllers, Audit Now and I try to check multiple boxes so I can update them all at once, and it tells me to pick one only. How can I get it to audit all of the controllers at once? Running version 4.2.128, I believe.
You are correct, you can only audit one controller at a time from the audit menu.
However, if you upgrade your WCS, starting with version 5.1 you can configure the background task "Configuration Sync" that will periodically audit your controllers. This background task is disabled by default. You can find it at: Administration -> Background Tasks -> Configuration Sync.
If you plan on upgrading your WCS to get this functionality, skip 5.1 and 5.2 and upgrade directly to the latest WCS 6.0 release.
Here is the configuration guide regarding this background task:
Hope you are all doing well,
I have an LAP 1310 that has joined a WLC 4402, and I need to downgrade it to autonomous mode to use it as a bridge. I used the command (config ap tftp-downgrade tftp-server-ip-address filename access-point-name) from the console of the WLC the LAP1310 joined, and the LAP1310 loaded the image from TFTP successfully, but after it rebooted I noticed it was still searching for a WLC to get a new image and join it again. How can I downgrade from LAP to autonomous the right way?
This forum is for WCS questions and not WLC. The correct place to post them is Wireless -> General.
However let me address your question:
Connect the AP directly to your PC, not the router.
The best way to do this is to console into the AP and then make sure the AP can reach the laptop either through a switch or a crossover cable directly attaching the laptop and AP.
With your console cable, you will be able to see if you have pressed the button for 20 seconds.
Using a TFTP Server to Return to a Previous Release
Follow these steps to revert from LWAPP mode to autonomous mode by loading a Cisco IOS release using a TFTP server:
Step 1 The static IP address of the PC on which your TFTP server software runs should be between 10.0.0.2 and 10.0.0.30.
Step 2 Make sure that the PC contains the access point image file (such as c1200-k9w7-tar.122-15.JA.tar for a 1200 series access point) in the TFTP server folder and that the TFTP server is activated. Monitor the TFTP program to see the code transfer to the AP.
Step 3 Rename the access point image file in the TFTP server folder to
c1200-k9w7-tar.default for a 1200 series access point,
c1130-k9w7-tar.default for an 1130 series access point, and
c1240-k9w7-tar.default for a 1240 series access point, and so on.
Step 4 Connect the PC to the access point using a Category 5 (CAT5) Ethernet cable. This needs to be a crossover cable if directly connected to the AP, or a normal Ethernet cable if the AP and laptop are connected to a switch.
Step 5 Disconnect power from the access point.
Step 6 Press and hold MODE while you reconnect power to the access point.
Step 7 Hold the MODE button until the status LED turns red (approximately 20 to 30 seconds) and then release.
Step 8 Wait until the access point reboots, as indicated by all LEDs turning green followed by the Status LED blinking green.
Step 9 After the access point reboots, reconfigure it using the GUI or the CLI.
If the image doesn't download from your PC's TFTP server, you may need to delete the previous tar image on the AP from the console:
Just hold the mode button until the LED is red.
Then, using the console port, make sure the prompt is AP: and do a "show flash:" on the device and make sure that there is no image that starts "c1130-rcvk9w8-tar...". If there is an image that starts with that then
delete it with "delete flash:
Hey, I wanted to know how WCS gets data from the Location Appliance. Is communication through a web service, or does it directly access the Location Appliance Solid DB?
For many operations (e.g. Uploading Maps) no webservices are exposed from Location Appliance...but from WCS it is possible to perform these operations. How does it happen?
I have 3 Cisco WAP200G bridges. I need to configure them in point-to-multipoint bridge mode.
Is it possible to connect 3 different LANs (3 separate buildings) with this product?
1 bridge --> two bridges (independent)
WCS helps you to manage your wireless network and configure your controllers.
The WAP200G devices are not supported by WCS as per the release notes, section Cisco Unified Wireless Network Solution Components:
WCS is software mainly oriented to managing wireless networks that are designed around controllers.
Here is an overview of the unified wireless network WCS is managing:
Have you any recommendations about how best to deal with rogue access points reported in WCS?
What is the main reason why some clients are being reported for AP impersonation?
I'm glad you asked.
First, the AP impersonation alarm is triggered by an SNMP trap sent by the WLC. The trap sent is: bsnAPImpersonationDetected.
This happens when a radio of an authenticated access point has heard from another access point whose MAC address neither matches that of a rogue nor is it an authenticated neighbor of the detecting access point.
In aggressive environments, a helpful feature is to enable access point authentication with a threshold of 2. This makes it possible both to detect possible impersonation and to minimize false positive detections.
This is how to configure it from the CLI of the Wireless LAN Controller (WLC):
config wps ap-authentication enable
config wps ap-authentication threshold 2
Finally, you can change the severity of the AP impersonation alarm in WCS from critical to something lower, so you are bothered less by WCS. This is only a cosmetic change.
In WCS 6.0, it's in Administration -> settings -> Severity configuration
In earlier versions it's in Monitor -> Alarms -> Configure Severity Level
Finally, if you get the message: Wireless LAN Controller (WLC) error message "AP Impersonation with MAC '00:00:00:00:00:00' is detected by authenticated AP '00:00:00:00:00:00' on '802.11b/g' radio and Slot ID '0'"
then this is related to a bug.
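A triage sketch for the alarms discussed in the answer above, added here as an example and not part of the original post or of any Cisco tool: it parses lines in the message format quoted above, sets aside the all-zero MAC reports (the case the answer attributes to a bug), and separates MACs reported by several authenticated APs from single-detector reports. The sample lines, the function name and the `min_detectors` cut-off are constructed assumptions; `min_detectors` is a local triage rule, not the WLC's ap-authentication threshold.

```python
import re

# Message format as quoted in the answer above.
PATTERN = re.compile(
    r"AP Impersonation with MAC '(?P<mac>[0-9A-Fa-f:]{17})' is detected by "
    r"authenticated AP '(?P<detector>[0-9A-Fa-f:]{17})' on "
    r"'(?P<radio>[^']+)' radio and Slot ID '(?P<slot>\d+)'"
)
ZERO_MAC = "00:00:00:00:00:00"

# Constructed sample lines (not real captures); MAC addresses are made up.
MSG = ("AP Impersonation with MAC '{}' is detected by authenticated AP '{}' "
       "on '{}' radio and Slot ID '{}'")
SAMPLE = [
    MSG.format(ZERO_MAC, ZERO_MAC, "802.11b/g", 0),
    MSG.format("02:AA:BB:CC:DD:01", "02:11:22:33:44:10", "802.11b/g", 0),
    MSG.format("02:aa:bb:cc:dd:01", "02:11:22:33:44:20", "802.11a", 1),
    MSG.format("02:aa:bb:cc:dd:02", "02:11:22:33:44:10", "802.11b/g", 0),
    "Rogue AP 02:aa:bb:cc:dd:03 detected on channel 6",
]

def triage(lines, min_detectors=2):
    """Group impersonation alarms by reported MAC and count distinct detectors."""
    detectors = {}            # reported MAC -> set of detecting AP MACs
    zero_mac, unparsed = 0, []
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            unparsed.append(line)      # keep for manual review, never drop silently
            continue
        mac = m["mac"].lower()         # normalise case so duplicates merge
        if mac == ZERO_MAC:
            zero_mac += 1              # the all-zero message described above
            continue
        detectors.setdefault(mac, set()).add(m["detector"].lower())
    corroborated = {k: sorted(v) for k, v in detectors.items()
                    if len(v) >= min_detectors}
    single = {k: sorted(v) for k, v in detectors.items()
              if len(v) < min_detectors}
    return {"corroborated": corroborated, "single": single,
            "zero_mac": zero_mac, "unparsed": unparsed}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```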
I am really new to wireless solutions. What will be the best management option for the Cisco 1310 or 1410 being used as bridges (pairs: root and non-root)? I am planning to use WLSE for managing 1410 bridges as suggested in the Cisco documents, but at the same time one of the documents suggests migrating from WLSE to WCS! Is it advisable to use WCS instead of WCS for wireless bridges? What will you recommend?
Please advise. Thank you.
Ask yourself what you are planning to do in the long run.
Is it mainly a tool you need for managing your 1310 and 1410, or are you thinking down the line of expanding your wireless network?
WLSE can help you achieve the management of the bridges, and that may be just fine for your needs.
However, WLSE is End of Life and there is nothing more you can expect to get from WLSE in the future besides the features that already exist. If you think you may be expanding your network, have WLCs (Wireless LAN Controllers) and are looking for a long-term solution, then converting your WLSE appliance (if you already have one) to WCS is certainly better.
Here are the documents related to the end of sale, end of life and support announcements:
If you don't have a WLSE appliance yet, then I recommend that you move directly to WCS on a standalone server. Be advised that WCS can also run on Windows, Linux or VMware.
Here are the release notes for WCS, you can see the hardware requirements there:
Thank you so much, Lucien, for your quick response. Right now we do not have any product on a live network. We are planning wireless solutions for a video surveillance IP camera network for a football field for our client. We just want a Cisco bridge to carry data from our camera to the root bridge connected to the core network. We are only going for a bridging solution using Cisco bridges. So I will be using the Cisco 1310 as an autonomous bridge. And the Series 1410 is an autonomous bridge. Do you think I can use a WLC as a management interface, especially for 1410 bridges? If so, do you think that WCS will be better and cost effective in this scenario? Please advise.
Thank you once again.
If you are only using those two devices, I don't think that you really have a need for a WLC. I don't think it's necessary.
WCS becomes really useful when you have multiple WLCs and a unified wireless network that you want to manage and monitor.
Going by your description, it may not be needed for now.
However, if your infrastructure will be growing and you are planning on having WLCs and APs, then WCS will be very handy.
If you want to get a feel for WCS regardless, feel free to download it from http://www.cisco.com/go/downloads and get a 30-day eval license from http://www.cisco.com/go/license: click on the first link for users that don't have a PAK and that will take you to the trial license tool. Select: Wireless Control System Trial License.
Thank you once again. Can you suggest what the best management interface will be in this case? I believe WLSE is the only option I have got from Cisco! In this case, can I configure WLSE on my existing Windows Server?
Please advise. Thank you.
WLSE runs on an appliance; it won't be possible to use it on a Windows server.
Also here is the configuration guide :
I strongly recommend that you contact your sales team / partner and evaluate the two options, WLSE and WCS, regarding the costs and take it from there.
I have lost the root password for my High Availability WCS server. What is the default password to access the web page? https://secServer:8082.. I tried resetting it by
C:\Program Files\WCS220.127.116.11\bin using command passwd root-user
I understand it's the login password for GUI login on your WCS primary that you want to reset.
Stop the WCS server:
Then run the root-user command:
C:\Program Files\WCS18.104.22.168\bin\passwd root-user PASSWORD
Start the WCS server:
If this fails, please post your error messages from the CLI.
WCS helps you in several ways regarding AP placement and coverage. The coverage is based on a standard calculation, customization of your map or a site survey, which is nothing more than walking around the building / floor and taking measurements of the wireless signal. Once this is defined, the coverage is established and it's not dynamic.
You can see the coverage of your access points on a map. WCS is equipped with a standard RF prediction feature that will display the default coverage for your access points. It will take into account the AP model, the power, the elevation and the orientation of the antenna.
You can see an example at:
Figure 5-31 RF Prediction Heatmaps
Also, WCS will provide almost real-time monitoring of your wireless computers' locations on the map if you have a location license for WCS and an MSE location appliance in your network.
The MSE is a dedicated server that does the computing for the triangulation of every client and provides this to the WCS so it displays it on the map.
I am trying to set up a WLC to authenticate against ACS and allow users access to different SSIDs.
Have read through:
Is there a way to allow a user access to multiple SSIDs?
E.g. an Admin user can access the ADMIN and SALES SSIDs, whereas a Sales user can only access the SALES SSID?
Can it be done at a group level somehow and then add users to groups?
This question is more oriented towards WLC rather than WCS.
However, by reading through the documentation you provided and seeing how you configure this in ACS, it should be possible.
As per this document, by default all users are grouped under the default group. If you want to assign specific users to different groups, refer to the User Group Management section of User Guide for Cisco Secure ACS.
You should be able to assign your users to different groups and specify the SSIDs for the groups in the NAR (Network Access Restrictions).
Hi there (again),
I have a question with respect to DHCP Proxy to an external DHCP server.
Is it possible to force the DHCP proxy to use the Management Interface as the source for all DHCP requests?
My wireless setup has all the dynamic wireless VLANs going straight into a "dirty firewall" which then allows internet access etc.
I therefore don't want to place my DHCP server alongside this firewall.
The management interface of the WLC is connected to our internal management network where there is a DHCP server already (behind a L3 router).
How can I set up the WLANs and interfaces so that when a client requests a DHCP address the WLC forwards it to the DHCP server on the management network via the management interface?
This section is dedicated to WCS-related questions.
Please post this question to the Wireless -> General section.
After updating a WCS from 4.2 to 22.214.171.124 we have the following problem:
After a new AP is discovered, this AP is visible as ap...mac-address.
Under Configure/Access Points - AccessPoint Detail I change the AP name and save. Unfortunately this change is not saved to the AP.
Have you ever heard about a similar problem?
This is interesting, I have not seen this issue yet.
Can you please turn the debugs to trace level in Administration -> Logging and then reproduce this and attach the logs.zip so I can review them?
Also can you attach a screenshot?
I did not find a bug on this yet.
Hi. Is there any solution where I can make a fully redundant WCS? Let's say I have two (2) sites; in each site, there are two (2) 4404-50 WLCs which control 40 APs and only 1 WCS to cater for both sites.
Both sites are linked via metro-ethernet connectivity. What if this link fails? This WCS can only manage the directly connected site where it is currently located. How can I make WCS fully redundant?
Starting with WCS 5.2 (and higher versions) you can install high availability, which consists of installing WCS on 2 servers.
One server will be the actual primary server you have at your main location. The other server can be redundant and located at the other site. This way, when your metro-ethernet link goes down, the secondary server will become active and manage the 2 WLCs that are on that site. Once the metro-ethernet link is back up, the primary will get the updated database and will take over again automatically.
This feature is called HA (High Availability). Here is the configuration guide that explains how to configure it:
The other option you may have is to make daily backups of your main WCS and copy them over to storage. Once the link is down, you could have a backup server where you could restore the database, but that is not as convenient as having HA configured.