Hello all. I'm trying to do what I thought would be a simple config. 2 APs connected directly to a controller. The controller's 2 management interfaces are in our management VLAN (used for all switches, servers, etc), and I created a new VLAN for the APs and clients per this link: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml. However, I am unable to get the APs to join the controller. Controller was NIB before I configured, and the APs are also NIB with the default config.
have you set the time correctly on the controller? if the time is not correct your AP's will fail to register
Also you need to make sure the controller and AP are the same radio domain
If all else fails turn on lwapp debugging to see what the problem is
Thanks for the response. I did set the time after reading a thread here about the certificate issue.
So the radio domain will prevent a connection even if the AP is directly attached to the controller?
Make sure you LWAPP Transport mode is set to Layer 2 and your WLAN are admin enabled. Also, make sure the interface name under WLAN is pointing to the AP VLAN you created.
According to the config guide, Layer 2 is not supported on a 2100 series controller. This seems to be correct as the only option I have in the GUI is Layer 3.
I do have the WLAN admin enabled, and the interface the AP is connected to is in the AP VLAN.
Have you configured either the DHCP option of the DNS option for the APs to find the controller? Also try hard coding the ip address of the management inface on the access point. If you set the DHCP and DNS, make sure you are using the management IP, not ap manager.
I'm trying to use the WLC's internal DHCP server. I've also tried hardcoding the WLC IP address on the AP. After reading through pretty much all of the configuration examples, I'm getting the impression that connecting the APs directly to the WLC is not supported. All of the config examples I read show the WLC and AP(s) connected via a router or switch.
If direct connection is supported, what do you use for a default gateway on the WLC's dynamic interface?
Direct connect to the 2106 is supported. I think that you have your interface configured incorrectly. As far as the gateway, that would be the gateway for the VLAN. If you are using direct connect you configure the interface for the same VLAN as management on that port.
I see. So with direct connect, you can't have the dynamic interface in a different VLAN? That may be the issue (or at least part of it), as that's what I'm trying to do.
Yes, the dynamic interface would by definition be in a different VLAN. You may want to simplify the config as it sounds like there is a issue with the config. If you configure a dynamic interface you have to have something to route said interface as the controller is only a layer 2 device (no VLAN routing).
I believe swyatt is correct. With my 4400 WLC, I have my WLC trunked to a external switch with ip routing enabled. I have all my static and dynamic vlans defined on the switch. I was lead to believe that 2106 had a built in switch, but it does not.
Here's an example of my switch config:
(management and ap-management static vlan)
ip address 10.32.150.1 255.255.255.248
no ip redirects
description "Wireless Users"
ip address 10.32.152.1 255.255.255.0
no ip redirects
Put your AP's on the same vlan as the management ip on the WLC's. Make sure the ap can get a dhcp address or manually set one. This is just temporary....
If the ap's join then move them to the other vlan you created but make sure you have routing configured correctly for connectiviy back to the WLC subnet.
Well, as often happens, I had to put this one on the shelf for a bit as other projects cropped up. I've made a bit of progress. I was able to get an AP to join the controller by putting it in the management VLAN temporarily, then assigning it a new address from the WLC.
The issue I'm running into now is that wireless clients can connect to the AP, but are unable to pull an address from the 2106's DHCP server. Config attached.
I have the WLC attached to a trunk port, and the AP on a port configured for my guest VLAN (151). I've added a 2nd inside port on my firewall, also in the 151 VLAN, and my plan is to route those wireless users directly to the firewall.
Well, I managed to fix the DHCP issue. I had the DHCP override checked from when I was testing with the AP directly connected to the WLC. Now I need to figure the best way to route this guest VLAN directly to our firewall. Using a 2nd inside port on the firewall won't work, as the guest VLAN is part of our larger inside address block, and the firewall can't handle the routing.
Wireless LAN Controllers don't route (the exception is the management interface, and the 2106 doesn't have on of those.) All routing is via the default gateways. If you are on a SSID that is associated to a virtual interface called "DMZ", the traffic would route out the gateway for that interface. The gateway would then have to route that traffic on its merry way.
On a 2106 you can plug the one of the physical ports into a DMZ. You would create a virtual interface and add it to the physical port that is plugged into the DMZ. Connect an SSID to that virtual interface and off you go.
Swayatt is correct, but it is actually dynamic interfaces you would create. The virtual is used for other stuff.
Thanks for the replies. I was able to get things working. I set up the APs (and dynamic interface on the WLC) in a 10.x.x.x block, and put them in a VLAN routed directly to the 2nd inside interface on the ASA via DG. Things seem to be working as hoped, when connected to the guest VLAN, I am unable to access anything on our private network.
Several of the posts in this thread have been very helpful. Is there any issue with scoring multiple posts in a thread?
Glad you got it working.... now you have to work on a custom WebAuth page for the guest and 3rd party cert.
Actually, these APs will be implemented in an Emergency Operations Center in our Public Safety Building (I work for a county gov't). We were thinking about just running with no auth, just fine-tuning the radios so they don't bleed outside the EOC. If someone wants to try war-driving in a secure building also staffed by our Sheriff's Dept, more power to them. :)
But, I'm always open to suggestions...
That is a bad idea, especially if these APs are on the EOC network. WPA-PSK is so simple to do it isn't funny, and I asssume that since this is the EOC there is a domain controller in use for some of the apps that run. PEAP would be very easy to implement as well.
I've worked in a 911/EOC during a huricane and we had to support a bunch of folks that came in during the event that needed wireless. In that case it is easy to implement a temporary WPA-PSK SSID for the outside folks and take it back down during the emergency.
I must agree again. Since you are a government entity, being secure should be on the top of your list. you don't want to be on 60 minutes for being hacked. WPA2-PSK should be your minimum type of encryption. Turning down the power so the signal won't bleed out is not going to help. all they will need is a yagi antenna and sit far enogh away where they will not be caught. Wardrivers will post locations and encryption keys for anyone to use.
Like I said, I'm open to suggestions. For now, we're going to go with WPA-TKIP-PSK, and web auth. One anomaly I've noticed with web auth: I can authenticate, then browse the web, but even if I close my browser, disconnect from the WLAN, and reconnect, I do not get prompted to authenticate again. Is this controlled separately from the WLAN session timeout setting?
You would have to be disconnected for more than 300 seconds (default) before the controller would think that you where gone.