Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

5508 Anchor Configuration Guide

Can someone point me to a link that will give configuration examples of a wireles anchor config with one controller in a DMZ. I have tried this on my own and have some problems in my test enviorment. I believe my issues were with the firewall but not exactly sure. Thanks in advance for the help

Anthony

4 REPLIES
New Member

5508 Anchor Configuration Guide

Setting up a mobility anchor can be tricky.  The key thing to keep in mind is that the WLAN configuration parameters must match *exactly* (with only a couple exceptions) or else it won't work.  The Enterprise Mobility Design Guide 4.1 (found on the WCS product support page) is what I used to muddle through the first time I did this:

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns279/c649/ccmigration_09186a00808d9330.pdf

Go straight to the chapter for "Cisco Unified Wireless Guest Access Services" and carefully read all of it.  The example it uses is exactly what you're trying to do.

Also, the WLCs use UDP port 16666 for the mobility anchor tunnel (EoIP).

Hope this helps!

-Rob

New Member

5508 Anchor Configuration Guide

Just one more advice.. keep the SSID at both the ends similar. I mean, its case sensitive.. so be aware of it..sometimes this small mistake takes a long time to get noticed and corrected

New Member

5508 Anchor Configuration Guide

We run a 5508 anchor in a DMZ, we don't use the Service-Port in this setup.  So the management-interface has to be connected as a trunk port. 

In order to correctly sync with internal controllers the following ports have to be opened up between them - UDP 1666-7, UDP 5246-7, icmp echo-request (type 8), Ethernet-over-IP protocol 96 and 97. 

We also keep the anchor in a seperate mobility-domain but which is connected to the same mobility-group as the internal controller(s).  It is important to mirror your guest wlan configuration through all your controllers, if you are using your anchor as the web-authentication route-point, I would recommend using a publically-routable IP address associated with a FQDN (fully qualified domain name) as your virtual-interface IP address; this will allow you to assign a valid publically signed SSL certificte down the track - this is best practice and stops the annoying security error pop-ups in most browsers on most devices. 

SSL certification for Web-Auth is poorly documented on the Cisco website so - If you want to get a valid SSL certificate make sure you use version 0.9.8 of OpenSSL to generate your certificate request (there are too many bugs in the latest version of OpenSSL apparently, also most public certificate authorities will only sign a request with a bit depth of 2048 or more - the results you get back from your chosen public certification authority needs to be concatenated into a chained certificate file in PEM format - web-auth SSL supports chained certs on the 5508 so you'll be fine with this.  (https management interface does NOT however support chained certs). 

Hope this helps?

New Member

5508 Anchor Configuration Guide


Thanks Guys for the links and advice. I did get the controllers talking to each other yesterday. Turns out I had them in different mobility groups (Dumb Mistake on my part). I will also be implementing Cisco ACS for authentication and Cisco IPS for Security. Is there anything to look out for when using an ACS in this setup. I have worked with ACS for many years but not in this type of install. Thanks again for the replies.

Anthony

2992
Views
0
Helpful
4
Replies
CreatePlease login to create content