Currently I am trying to get WDS set up on a test subnet. My current problem is that I am not able to authenticate thru my WDS master on any secure VLANs. I am able to get thru on an unsecure visitor VLAN and also gain a DHCP IP address on it.
This is not the case on the secure VLANs. The client devices state that they are trying to get an IP address. They are running with EAP WPA+TKIP and MAC authentication. I am using WinXP for my client device OS. Any help is appreciated.
If WDS/WLCCP is configured, all radius servers for EAP and MAC authentication in infrastructure APs are ignored.
Assume that all infrastructure APs are configured for EAP and/or MAC authentication. If a mobile node (i.e. wireless client) tries to associate to an infrastructure AP, the infrastructure AP just ignores the radius settings on EAP and MAC authentication. It sends the authentication request to the WDS AP using the WLCCP protocol. The WDS AP relays the authentication request to the radius server, which is defined by the wlccp authentication-server client commands. Thus, you only need to define the WDS AP as an AAA NAS client in the radius server.
I removed the ACS servers from the infrastructure AP and the client does authenticate its MAC to the ACS server and the server states that it is AUTH ok. The client never finishes authentication at this point. I do not get any errors on the ACS or WDS master. I do see a client failed message on the infrastructure AP. Any other ideas would be great.
I tested on my test setup and it will not work. My ACS server shows that that user is AUTH OK but it does not get to the WDS. I think the problem is coming from the fact that we have VLAN 1 shut off for security purposes and BVI1 only likes to talk on that VLAN. My WDS master does authenticate with its BVI1 address to the ACS server. I have tried several configurations of sub-interface IP addressing and cannot get it to work. WDS will not work without BVI1 enabled. Currently we are not using BVI1 on the production APs and they work fine. Is there a way to get WLCCP to use a sub-interface and not BVI1?
BVI 1 is not tied to a particular VLAN. You should always use BVI 1 to set the IP address of the AP. You can bridge BVI 1 to any sub-interface (which would have the encapsulation set for a particular VLAN). You should not use VLAN 1 for any production traffic.
I tested the communication with the AAA server and it would only talk to it, not back. I also was working with TAC on this issue and they helped by finding that I needed to set the native VLAN on my access layer SW that the AP is hooked to. This made the WDS communicate like it should. Thanks for all your help.
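A check for the mismatch that resolved this thread (the switch trunk's native VLAN not matching the VLAN that carries the AP's BVI1), as an added example that is not part of the original posts. The configs are constructed samples, and the helper names `ap_bvi_vlan`, `switch_native_vlan` and `check_trunk` are hypothetical; it assumes the AP's wired sub-interface in bridge-group 1 is the one that carries BVI1.

```python
import re

# Constructed sample configs: interface names, VLAN IDs and addresses are made up.
AP_CONFIG = """\
interface FastEthernet0.10
 encapsulation dot1Q 10 native
 bridge-group 1
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
interface BVI1
 ip address 192.0.2.10 255.255.255.0
"""
SWITCH_PORT_BEFORE = """\
interface FastEthernet0/5
 switchport mode trunk
 switchport trunk allowed vlan 10,20
"""
SWITCH_PORT_AFTER = SWITCH_PORT_BEFORE + " switchport trunk native vlan 10\n"

def ap_bvi_vlan(ap_config):
    """Return (vlan, is_native) for the wired sub-interface in bridge-group 1, else None."""
    for block in re.split(r"(?m)^(?=interface )", ap_config):
        if not re.match(r"interface (?:Fast|Gigabit)Ethernet\d+\.\d+", block):
            continue
        encap = re.search(r"(?m)^\s*encapsulation dot1Q (\d+)( native)?\s*$", block)
        if encap and re.search(r"(?m)^\s*bridge-group 1\s*$", block):
            return int(encap.group(1)), encap.group(2) is not None
    return None

def switch_native_vlan(port_config):
    """Native VLAN of the trunk port; IOS switches default to VLAN 1 when unset."""
    m = re.search(r"(?m)^\s*switchport trunk native vlan (\d+)\s*$", port_config)
    return int(m.group(1)) if m else 1

def check_trunk(ap_config, port_config):
    """Return a list of findings; an empty list means both ends agree."""
    bvi = ap_bvi_vlan(ap_config)
    if bvi is None:
        return ["AP: no wired subinterface in bridge-group 1 (BVI1 has no VLAN)"]
    vlan, is_native = bvi
    findings = []
    # Assumption: BVI1 traffic leaves the AP untagged, so its VLAN should be native.
    if not is_native:
        findings.append(f"AP: VLAN {vlan} carries BVI1 but is not marked native")
    native = switch_native_vlan(port_config)
    if native != vlan:
        findings.append(f"switch: native VLAN {native} != AP BVI1 VLAN {vlan}")
    return findings

if __name__ == "__main__":
    for label, port in (("before", SWITCH_PORT_BEFORE), ("after", SWITCH_PORT_AFTER)):
        print(label, check_trunk(AP_CONFIG, port) or "OK")
```

With the trunk left at its default, the switch treats untagged frames as VLAN 1, which matches the one-way communication with the AAA server reported above when VLAN 1 is shut off.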