Cisco Support Community
New Member

officeextend - can't connect

Hi,

I am trying to connect using OfficeExtend but couldn't. I have managed to connect the OfficeExtend AP to the DMZ WLC; however, I can't get the users to authenticate to the ACS (although there is a rule to allow access on ports 1813 and 1812). Should the DMZ WLC need the ACS servers? (I thought they wouldn't require them, as they are anchored back to the internal WLC that the ACS server address

On a side note, I haven't created DHCP for the OfficeExtend users - will this cause an issue? (Just deciding whether to do it on the WLC or a Windows server.)

In fact, I can't even see myself authenticating on the ACS server.

25 REPLIES
Silver

Re: officeextend - can't connect

Authentication to an ACS or other RADIUS server happens from the DMZ WLC, so yes, you need those servers on the DMZ WLC.

I would put DHCP on something other than the WLC; I don't like to run extra stuff off the WLC if I don't have to.

Sent from Cisco Technical Support iPhone App

New Member

officeextend - can't connect

So is it enough if it is on the DMZ WLC, or is it needed on both? Also, if I don't create a DHCP scope the authentication should still work, shouldn't it? I get an "unknown NAS" error on the ACS server.

Silver

Re: officeextend - can't connect

The AAA server only needs to be configured on the DMZ WLC to support OfficeExtend.

The unknown NAS is typically because you don't have the device defined as an endpoint in ACS.

Sent from Cisco Technical Support iPhone App

New Member

Re: officeextend - can't connect

Yep, that's true... but how would I be able to add this device on the ACS (as it requires IP and hostname) and a shared key (but I wouldn't be able to enter the shared key on the AP)?

Re: officeextend - can't connect

You would use the WLC as your NAS; thus the shared key lives on the WLC, not on the AP.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
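The two points made above (the "unknown NAS" error when the device is not defined in ACS, and the WLC being the NAS that holds the shared secret) come down to how a RADIUS server decides whether to trust an incoming Access-Request. The following is an added Python example, not code from this thread, from Cisco, or from ACS: a minimal server-side check that looks the sender up by source IP, reports "unknown NAS" when there is no client entry, and otherwise verifies the packet's Message-Authenticator with that client's shared secret (RFC 2865 section 3 and RFC 3579 section 3.2). The NAS address, the shared secret and the user name are constructed placeholders; the NAS_CLIENTS table stands in for the ACS network-device list.

```python
import hashlib
import hmac
import os
import struct

# Constructed NAS table standing in for the ACS network-device (AAA client)
# list: key is the WLC's source IP, value is its shared secret. Both values
# are placeholders for this example, not from any real deployment.
NAS_CLIENTS = {
    "192.0.2.10": b"constructed-shared-secret",
}

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 3579 section 3.2


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: type, length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_access_request(identifier, secret, attrs):
    """Build an Access-Request the way a NAS (here the WLC) would.

    The Message-Authenticator is HMAC-MD5 over the whole packet with the
    attribute's own 16 bytes zeroed, keyed with the NAS shared secret.
    """
    request_authenticator = os.urandom(16)
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    header += request_authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, mac)])


def validate_request(src_ip, packet):
    """Checks a RADIUS server performs before it answers an Access-Request.

    Returns "unknown NAS" when the source address has no client entry (the
    error seen in the thread); otherwise verifies the Message-Authenticator
    with that client's shared secret.
    """
    secret = NAS_CLIENTS.get(src_ip)
    if secret is None:
        # No client entry means no secret to verify with, so the server must
        # silently drop the packet rather than answer it (RFC 2865 section 3).
        return "unknown NAS"
    if len(packet) < 20:
        return "malformed"
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return "malformed"
    # Walk the attributes to find where the Message-Authenticator sits.
    offset, mac_offset = 20, None
    while offset < len(packet):
        if offset + 2 > len(packet):
            return "malformed"
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > len(packet):
            return "malformed"
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            mac_offset = offset + 2
        offset += attr_len
    if mac_offset is None:
        return "missing Message-Authenticator"
    received = packet[mac_offset:mac_offset + 16]
    zeroed = packet[:mac_offset] + bytes(16) + packet[mac_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(received, expected):
        # Secret mismatch between WLC and ACS, or a modified packet.
        return "bad Message-Authenticator"
    return "ok"


def response_authenticator(code, identifier, request_packet, attrs, secret):
    """Response Authenticator (RFC 2865 section 3): MD5 over the reply header,
    the request's authenticator, the reply attributes and the shared secret,
    which is how the WLC knows the answer came from a server holding the
    same secret."""
    request_authenticator = request_packet[4:20]
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


if __name__ == "__main__":
    secret = NAS_CLIENTS["192.0.2.10"]
    attrs = [(ATTR_USER_NAME, b"alice"),
             (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]
    pkt = build_access_request(7, secret, attrs)
    print(validate_request("192.0.2.10", pkt))    # ok
    print(validate_request("198.51.100.5", pkt))  # unknown NAS
```

Running the block with the WLC's address in NAS_CLIENTS yields "ok"; sending the same packet from an address that is not in the table yields "unknown NAS", and a secret that differs between the two sides yields "bad Message-Authenticator". This is the packet-level check only; the EAP exchange and the TLS tunnel discussed later in the thread ride inside these packets and are not modelled here.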
New Member

officeextend - can't connect

Sorry, figured that out after my previous post, silly me!!

I added the DMZ WLC onto the Cisco ACS network configuration and it seems to be connecting.

However, it gave me a message saying this connection was untrusted and asking if I would like to terminate the connection (but I opted to connect and it connected me). Don't know why that message came up.

Silver

Re: officeextend - can't connect

You probably saw that message on the client device, I take it? If yes, that is because you are using a self-signed certificate on your ACS box, so the client doesn't automatically trust it. Nothing to worry about; some devices just warn that it is a self-signed certificate so you understand the risks before sending your credentials.

Re: officeextend - can't connect

Piggybacking on Blake...

There is a certificate that lives on your ACS. This cert is used to secure the transmission of your wireless clients' credentials. If this is not a signed cert, or if it's not in the wireless client's root store, you will get the message to accept this cert. Once you do, the Wi-Fi client builds a TLS tunnel between itself and the AP and then sends its goods.

Make sense?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
Silver

Re: officeextend - can't connect

George is correct; it's the same as any WLC deployment with AAA authentication: the WLC is the NAS.

Authentication, yes, will work if you don't have DHCP running, but depending on the client you use for testing you may or may not see a successful association. For example, iOS devices will fail connecting to a network if they don't get DHCP and are not set up for static addressing.

New Member

officeextend - can't connect

Cheers both. Now I am stuck at "Limited access". It did give me an IP initially; since then it gets stuck at Limited access (authentication is successful).

I am sure this is to do with DHCP. I have given the DHCP address on the management interface of both controllers and DHCP override on the WLANs on both controllers... still no joy (allowed on the firewall also).

Silver

officeextend - can't connect

Maybe we should take a step back to the beginning and talk about how you have this setup.

Typically the WLAN is anchored to your internal WLC and dumped onto your network there instead of the DMZ. So you think of this as a reverse guest. The internal WLC is anchored to itself, then the DMZ WLC is anchored to the internal.

A couple of my blog posts on the topic:

http://blakekrone.com/2011/03/10/cisco-officeextend-always-connected

http://blakekrone.com/2011/05/01/cisco-officeextend-ap600

New Member

officeextend - can't connect

Yep, just followed your post.

The DMZ WLC is anchored back to the internal WLC with the ports specified on your blog. Authentication is fine now. Just that it's not getting a DHCP address and says Limited access.

Silver

officeextend - can't connect

What code version, and are you using an OEAP600 or another AP?

New Member

officeextend - can't connect

Using an 1132 AP.

Code on the DMZ WLC is 6.0.199.4.

Code on the internal WLC is 7.0.98.0.

It connected initially and since then it's giving trouble, saying the connection was unsuccessful (but authentication has passed on the ACS server; the client is just getting a 169 address).

Silver

officeextend - can't connect

Is there a reason for the code mismatch? There might be some issues going from lower to higher.

I haven't tested that configuration personally; I've always been at the same code revs.

Have you done a debug client on both WLCs to see what is going on? Also a debug mobility handoff and directory to make sure the mobility is working properly.

New Member

Re: officeextend - can't connect

I have attached the capture and I can't figure out anything.

The client ID is 1c:65:9d:98:4e:af; it associates first and then disassociates for some reason.

Silver

Re: officeextend - can't connect

Did you run debug mobility handoff and debug mobility directory?

Doesn't appear that the client is being anchored properly so the DHCP request is being dropped.

New Member

Re: officeextend - can't connect

The ones we are looking for are 192.168.50.250 (DMZ WLC) and 172.22.30.60 (internal WLC) and 172.22.30.50 (internal WLC) - 2 internal WLCs.

Apart from these, there is another WLC that has formed a tunnel, but please ignore this as it is working fine.

Silver

Re: officeextend - can't connect

Not seeing anything that sticks out in terms of a mismatch.

So on the DMZ WLAN profile you have that set to anchor to the 172.22.30.60 and 172.22.30.60?

Then on the .60 WLCs you have the WLAN profile anchor set to local?

Are you using the DMZ today as an anchor for guests? Do we know that it at least works that direction? Your firewall isn't blocking say the EoIP tunnel on the inbound from DMZ to internal is it?

New Member

Re: officeextend - can't connect

It was actually a bug with the software version I was using. This bug does not allow internal controllers to act as DHCP. So I had to run it on a Windows server (or L3 switch) and checked "DHCP assignment required" on both (not sure if this is needed), though.

https://supportforums.cisco.com/thread/2073587

Should the OfficeExtend SSID be enabled in the internal controller also, as our users might get confused?

Silver

Re: officeextend - can't connect

I was wondering if you were hitting that bug. Typically the OfficeExtend SSID and your internal SSID are the same to make it easy for the user to connect at home. The whole purpose of OfficeExtend is to easily transition from office to home. Never understood why people used different SSIDs and didn't anchor the OfficeExtend SSID directly into their internal network.

Sent from Cisco Technical Support iPhone App

New Member

Re: officeextend - can't connect

Nope, was just asking if the internal SSID should be broadcast on the internal WLC (not enabled - apologies) as users might get confused - but haven't broadcast this.

Now we have two internal controllers.

OR

The first controller IP is 10.10.10.50

The second controller IP is 10.10.10.40

And when I anchor to the second controller, it comes up first in the list. If I delete the second one and add the second WLC as first anchor and the first WLC as second anchor, it still ends up with WLC 2 first in the list (not sure if it goes by ascending order of IP). As soon as I add the second anchor to the WLAN (the second SSID) I don't get a DHCP address - does OfficeExtend support a mobility anchor to one controller only?

Silver

Re: officeextend - can't connect

As far as I've tested, I've only ever used a single anchor. I don't see why it wouldn't support two anchors; it would just default to round-robin fashion for picking which anchor to go to.

New Member

Re: officeextend - can't connect

Cheers, your blog helped me a lot. You certainly deserve a 5+.

officeextend - can't connect

Hello,

For more information on the OEAP-600, please watch the "Community Tech-Talk Series" Cisco Office Extend Access Point OEAP-600:

https://supportforums.cisco.com/community/netpro/wireless-mobility/begin-wireless/blog/2012/02/24/cisco-office-extend-access-point-oeap-600

Thanks,

Vinay Sharma

Community Manager - Wireless

Thanks & Regards