I'm implementing a large WLAN for a hospital. They will be using Cisco VPN and RSA OTP to provide authentication and data confidentiality/integrity. They also desire a Wireless LAN Solution Engine.
I wish to create a "user" VLAN-SSID mapping, and a "wireless network management" VLAN-SSID mapping, so I can require users to use VPN to get off their local segment, but also use WLSE & HPOV to manage the WAPs via a management interface.
To trunk the mgmt VLAN, I think I need to map it to an SSID on the WAP. However, I do not want the mgmt VLAN/SSID to accept client associations. I basically only want the mgmt VLAN to exist on the wire and at the AP, not on the RF.
On the VLAN SSID page, set the max allowed associations to 1 (0 will mean the max number of associations will be 2047). This will allow only one client to associate. Now you can block this one by creating a MAC address filter on that VLAN that has no MAC address in it and where the default action for both multicast and unicast is discard.
You could do just the filter, but if the filter is ever turned off then you have the added bonus of only one client getting through.
One way I tried to do that was on the security setup page, where you choose the type of security association you want (Network EAP, Open, etc.). I noticed that there was the option to NOT check any box. Is it a bug or a feature?
We are using that in order to have the "management Vlan" of the AP on it, and not to allow wireless clients to do it.
My question is, is that safe? Is it recommended? Is there any info against it?
This is exactly what I am doing too. I leave all the boxes unchecked, and it seems to work.
I assume that you are using SSID ID  for the "management vlan". Are you able to change the type of security association for SSID  using the CiscoWorks WLAN Solutions Engine? I can't seem to figure this one out.
I implement two VLANs: one for the users (public Vlan184) and one for management (WAPs only Vlan46). Everything works fine for my Cisco clients; however, the 802.1x clients cannot associate. I checked Cisco's configuration, but it's rather confusing.