Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

wgb to lightweight

Hi.

I was wondering if I can connect  a WGB 1231G to a lightweight AP with WPA2 ?

Everyone's tags (2)
1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Re: wgb to lightweight

Yeah I'm based out of the Chicago office.

I was thinking you were still trying to see if you can posture clients behind the WGB:) As long as you separate them and only use radius you will be fine. Hard to read post while driving:)

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
42 REPLIES
Hall of Fame Super Silver

Re: wgb to lightweight

This link will explain the configuration requires for a WGB in a Unified Wireless Network.

http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_lwap.html#wp1881680

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: wgb to lightweight

I have tried couple of things and can't seem to work

here is my config:

dot11 ssid Test-SSID

   authentication open eap eap_methods

   authentication network-eap eap_methods

   authentication key-management wpa cckm

   authentication client username xxx password 7 xxxxx

   infrastructure-ssid

that's on the WGB

WLC config:

Security Policies

:    [WPA2][Auth(802.1X)]

hreap is not enabled

H-REAP Local Switching 2   Enabled
H-REAP Local Auth                       13   Enabled

and here is the DEBUG

apfMsConnTask_4: Jun 19 11:52:59.021: 00:1b:d4:e3:af:0d 0.0.0.0 START (0) Web-auth is not supported for WGB, drop the association request!

*apfMsConnTask_4: Jun 19 11:52:59.021: 00:1b:d4:e3:af:0d Scheduling deletion of Mobile Station:  (callerId: 22) in 3 seconds

*osapiBsnTimer: Jun 19 11:53:01.889: 00:1b:d4:e3:af:0d apfMsExpireCallback (apf_ms.c:609) Expiring Mobile!

*apfReceiveTask: Jun 19 11:53:01.889: 00:1b:d4:e3:af:0d pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.

*apfReceiveTask: Jun 19 11:53:01.889: 00:1b:d4:e3:af:0d 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [c0:62:6b:67:9a:a0]

Cisco Employee

wgb to lightweight

why it showing webauth?

apfMsConnTask_4: Jun 19 11:52:59.021: 00:1b:d4:e3:af:0d 0.0.0.0 START (0) Web-auth is not supported for WGB, drop the association request!

wgb is configured for cckm but the WLAN config on WLC didn't reflect that.

does the wgb connects with simple security like psk.

New Member

wgb to lightweight

I tried switching the to ACS a radius server and it worked totally fine.

I am just not sure if this is compatibile with ISE.

I have tried enabling/disabling CCKM still says WEBAUTH not supported for some reason.

Hall of Fame Super Silver

Re: wgb to lightweight

Well if you got it to work using ACS I'm guessing 802.1x, you should be able to do the same type of authentication using ISE.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

Re: wgb to lightweight

On the SSID on the wlc, make sure you enable passive mode. It's on the advanced tab on the right hand side of the screen.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: wgb to lightweight

Yeah but I want to use ISE as RADIOS / NAC and it is saying that I can't have passive client and RADIUS NAC at the same time.

Hall of Fame Super Silver

Re: wgb to lightweight

If you enable passive mode, does the WGB function correctly. If so, then you know it's a requirement for WGB. If ISE doesn't support passive mode, then I don't think your solution will work. You might want to open another thread on the AAA security forum.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: wgb to lightweight

Thanks for ur help. Will try to work it out

Sent from Cisco Technical Support iPhone App

New Member

Re: wgb to lightweight

Let's reply here so we don't lose track

Yes i would think that if it works with ACS should work with ISE.. i've tried TWO wgbs and it doesn't work.

When I do a debug from the controller it shows as WEB AUTH not supported for WGB

Hall of Fame Super Silver

Re: wgb to lightweight

Is ISE defaulting to a web redirect? If your policy is the same as in ACS, it should just send an radius accept or reject. You need to look at the detailed logs in ISE and see what authentication and authorization policy the user is hitting.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Cisco Employee

Re: wgb to lightweight

does the wireless client authenticates fine with same WLAN & ISE profile?

ISE & wlc version in question?

New Member

Re: wgb to lightweight

ISE version 1.1

WLC vers:

System Information

Manufacturer's Name.............................. Cisco Systems Inc.

Product Name..................................... Cisco Controller

Product Version.................................. 7.0.235.0

Bootloader Version............................... 1.0.16

Field Recovery Image Version..................... 1.0.0

Firmware Version................................. PIC 15.0

My computer and other devices work perfectly fine.

p.s Fella kind of has a point.. I am not sure if there has to be some tweaking done in ISE to allow the authentication...

maybe ISE is making this error to appear as WEBAUTH.

*apfMsConnTask_5: Jun 19 15:54:23.038: 00:16:46:5a:96:4e 0.0.0.0 START (0) Web-auth is not supported for WGB, drop the association request!

*apfMsConnTask_5: Jun 19 15:54:23.038: 00:16:46:5a:96:4e Scheduling deletion of Mobile Station:  (callerId: 22) in 3 seconds

*osapiBsnTimer: Jun 19 15:54:25.975: 00:16:46:5a:96:4e apfMsExpireCallback (apf_ms.c:609) Expiring Mobile!

*apfReceiveTask: Jun 19 15:54:25.977: 00:16:46:5a:96:4e pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.

*apfReceiveTask: Jun 19 15:54:25.977: 00:16:46:5a:96:4e 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [0c:85:25:df:ce:c0]

Hall of Fame Super Silver

Re: wgb to lightweight

Maybe the default policy for unknown devices is webauth but the logs will tell you what policy ISE is hitting for that user.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: wgb to lightweight

Just tried static end point profile in ISE, added the mac address to treat it as workstation but same error.

New Member

Re: wgb to lightweight

It sucks because I am doing a demo of WLC and i have to return it by tomorrow 20th lol.

Hall of Fame Super Silver

Re: wgb to lightweight

Haha... Try to extend it:)

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: wgb to lightweight

I'm gonna have to do something... I need WGBs to work.. we have like 800 of them.

Hall of Fame Super Silver

Re: wgb to lightweight

Your going to make me want to lab this out just to see if this works:)

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: wgb to lightweight

Please do so .. I have until tomorrow to pack it up and ship it to Cisco before noon chicago time.

Thank you.. I really appreciate it.

-wgb#sho ver

Cisco IOS Software, C1200 Software (C1200-K9W7-M), Version 12.3(8)JEC3, RELEASE SOFTWARE (fc1)

Hall of Fame Super Silver

Re: wgb to lightweight

I won't be able to until I get back from vacation the end of the week.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: wgb to lightweight

Alright then. Id still appreciate if ud be able to lab it. Who knows maybe its a bug or not even supported. Thank u

Sent from Cisco Technical Support iPhone App

New Member

Re: wgb to lightweight

Fella. Got it working. Radius NAC not supported. As soon as i removed that it works. So i would need another SSID for WGBs and clients behind it wont be seen by ISE at all

Sent from Cisco Technical Support iPhone App

Hall of Fame Super Silver

Re: wgb to lightweight

Thanks for posting the solution! I might still just have to lab it out just to see the logs:)

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: wgb to lightweight

Thanks for your help.

ISE would not generate any log when I had RADIUS NAC in the WLC enabled, so the WGB would not ever hit ISE at all.

On the client list in WLC the wgb would come up as WLAN UNKNOWN PROFILE UNKNOWN... it was weird, as soon as I removed Radius/Nac ISE acted as RADIUS only.

Well hopefully someone finds it helpful.

Take care enjoy your vacation.

Hall of Fame Super Silver

Re: wgb to lightweight

Good info. I was going to start out with that option disabled just to see how the WLC & ISE handles clients behind the WGB. Well at least you completed your testing before they picked up the equipment:)

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: wgb to lightweight

Hey Fella,

Let me know if you lab this cuz I am sure I am getting the WLC AND ISE together and there is a problem.

I have like 100 remote sites that will talk to WLC in the datacenter, now I have all the laptops and WGBs connect to one SSID (example CORPORATE), now if I wanna do profile and posture (Radius NAC option in WLC) for that ssid i wont be able and I will have to have new SSID for WGBs or laptops without RADIUS/NAC option.

Idk maybe should post this in AAA IDENTITY and all that but let me know if u find a work around.

thank you.

Hall of Fame Super Silver

Re: wgb to lightweight

Edon,

I will try to lab this out by next week. I will try to find out if radius NAC will be supported in future release.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

Re: wgb to lightweight

Just asked one of my peers and he mentioned that posturing will not work with an autonomous ap because CoA is not supported, which makes sense.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
2361
Views
5
Helpful
42
Replies