Customized Webauth Page Error

In this post we will learn how to tar the webauth bundle and which software to use to create the archive.

Today I spent almost 3 hours trying to upload a webauth bundle to the WLC.

I tried to create the tar file using these programs:
1. Power Archiver
2. 7 Zip
3. Winzip

But they always gave me this error:

[Screenshot: Cuwebauth1]

I tried the above-mentioned software, but it did not work. The error shows that there is something wrong with the tar file.

There are some limitations on custom webauth bundles that vary with versions and bugs. Things to watch for include:

***The .tar file size (no more than 1 MB)
***The number of files in the .tar (I did not find a single document that states the maximum number of files in the .tar)
***The filename length of the files (should be no more than 30 characters)

I have these files in my .tar:

[Screenshot: Cuwebauth2]

***I had an evaluation copy of PicoZip earlier and it worked for me, but now it has expired. (So if you have it, I think it should work; at least it worked for me.)

But frankly speaking, I don't believe that any Windows-based software will work.

As I said, today I wasted almost 3 hours getting this to work.
The software through which I finally got it working is Cygwin (it worked for me like a charm).

It can be downloaded from here: https://cygwin.com/install.html

How to use it:
I am not good at Linux, but the commands I used here are very basic.

1. Make a directory

RSCCIEW ~
 $ mkdir webauth

2. Put all the files under this directory

[Screenshot: Cuwebauth3]

3. Then change into this directory

RSCCIEW ~
 $ cd webauth

Check which files are under this directory:

RSCCIEW ~/webauth
 $ ls
 aup.html failed.html login.html logout.html yourlogo.jpg

4. Now archive the files into .tar format

RSCCIEW ~/webauth
 $ tar -cvf testwebauth.tar *
 aup.html
 failed.html
 login.html
 logout.html
 yourlogo.jpg

5. Verify that the .tar file is in the directory

RSCCIEW ~/webauth
 $ ls
 aup.html failed.html login.html logout.html testwebauth.tar yourlogo.jpg
RSCCIEW ~/webauth
 $

That’s it.
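As an added example (not part of the original post), here is the same bundle built and checked from Python instead of Cygwin's tar: it archives the files at the top level of the tar, exactly like the `tar -cvf testwebauth.tar *` above, and verifies the limits listed earlier (1 MB, 30-character names) before you upload. The plain ustar output format and the requirement that login.html be present are my assumptions, not something the post states.

```python
"""Build a custom webauth bundle and check it against the WLC limits above."""
import tarfile
import tempfile
from pathlib import Path

MAX_TAR_BYTES = 1 * 1024 * 1024  # the post's limit: .tar no larger than 1 MB
MAX_NAME_LEN = 30                # the post's limit: file names of 30 characters or fewer
REQUIRED_FILES = {"login.html"}  # assumption: the controller loads login.html as the entry page


def build_bundle(src_dir, tar_path):
    """Archive every regular file in src_dir at the top level of tar_path.

    This mirrors the post's `tar -cvf testwebauth.tar *` run inside the
    directory: arcname strips the directory prefix so no subfolder appears
    in the archive.  Plain ustar output is an assumption about what the
    WLC accepts, not a documented requirement.
    """
    src = Path(src_dir)
    with tarfile.open(str(tar_path), "w", format=tarfile.USTAR_FORMAT) as tar:
        for entry in sorted(src.iterdir()):
            if entry.is_file():
                tar.add(str(entry), arcname=entry.name)
    return Path(tar_path)


def check_bundle(tar_path):
    """Return a list of problems; an empty list means the bundle passes every check."""
    tar_path = Path(tar_path)
    problems = []
    size = tar_path.stat().st_size
    if size > MAX_TAR_BYTES:
        problems.append(f"archive is {size} bytes, limit is {MAX_TAR_BYTES}")
    names = []
    with tarfile.open(str(tar_path)) as tar:
        for member in tar.getmembers():
            names.append(member.name)
            if not member.isfile():
                problems.append(f"{member.name}: directories and links do not belong in the bundle")
            if "/" in member.name:
                problems.append(f"{member.name}: not at the top level of the archive")
            if len(member.name) > MAX_NAME_LEN:
                problems.append(f"{member.name}: name longer than {MAX_NAME_LEN} characters")
    for missing in sorted(REQUIRED_FILES - set(names)):
        problems.append(f"{missing}: required file missing")
    return problems


def demo():
    """Constructed sample: the post's five files pass; one over-long name fails."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp, "webauth")
        site.mkdir()
        for name in ("aup.html", "failed.html", "login.html", "logout.html"):
            (site / name).write_text(f"<html><body>{name}</body></html>")
        (site / "yourlogo.jpg").write_bytes(b"\xff\xd8\xff\xd9")  # placeholder JPEG bytes
        good = check_bundle(build_bundle(site, Path(tmp, "testwebauth.tar")))
        (site / "this_filename_is_much_longer_than_thirty_chars.html").write_text("x")
        bad = check_bundle(build_bundle(site, Path(tmp, "bad.tar")))
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("post's file set:", good or "OK")
    print("with an over-long name:", bad)
```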

Now let's go to the WLC and try to upload this file (testwebauth.tar).

***Don't forget to put this file in the root directory of the TFTP server

[Screenshot: Cuwebauth4]

[Screenshot: Cuwebauth5]

[Screenshot: Cuwebauth6]

This should now be successful.

Cisco Load Balancing Feature

In this post we will learn about the Load Balancing feature on the WLC.

This feature is normally called Aggressive Load Balancing. It load-balances wireless clients across APs.

In my opinion, it's a very cool feature to be able to balance the client distribution on the wireless network.

Points to remember:

***Note: Clients are load balanced between access points on the same controller. Load balancing does not occur between access points on different controllers.

***Note: It works at the association phase.

How it works:

When a client tries to associate to a LAP, the AP can answer with an 802.11 association response carrying status code 17. Code 17 indicates that the AP is busy (meaning no more clients can associate to it, so please find another AP).

The AP responds with an association response bearing ‘success’ if the AP threshold is not met, and with code 17 (AP busy) if the AP utilization threshold is reached or exceeded and another less busy AP heard the client request.

Here a problem arises: if the AP sends status code 17 to the client, the client has to decide whether to ignore it or still use the same AP. Some client drivers retry the same AP, but most other clients try to find another AP. (So this process depends on the vendor's driver; you cannot force them to use a specific AP.)

Global configuration:

Via GUI:

Wireless > Advanced > Load Balancing

[Screenshot: Load-Balance1]

Via CLI:

(WLAN1) >config load-balancing ?
 denial         Configures Aggressive Load Balancing denial count.
 window         Configures Aggressive Load Balancing client window.
(WLAN1) >config load-balancing window ?
 <client count> Number of denials <0 to 20>.
(WLAN1) >config load-balancing denial ?
 <denial count> Number of denials <1-10>.
(WLAN1) >config load-balancing denial 3

Client Window Size: the client window size and the client count on the least loaded AP determine the load-balance threshold.

Before configuring the load balancing intelligence, remember the formula. An AP is considered busy once it has a number of associated clients equal to the Client Window Size plus the number of clients on the least loaded AP in the area.

Load-balancing threshold = Client window size + number of clients on the least loaded AP

Example: suppose I have 3 APs.

AP1: 9 Clients
AP2: 7 Clients
AP3: 4 Clients

As per the last screenshot, my Client Window Size is 5.

As per the formula, the load balance threshold is 5 + 4 = 9

This means that if any new client wants to join AP1, it will get the status 17 (busy) message; in other words, AP1 is considered busy.

The Maximum Denial Count parameter allows the user to configure the number of times the client associations will be rejected for a particular AP. The Maximum Denial Count can have a value between 0 and 10.
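An added example (not from the original post) that puts the formula and the denial count together as a small Python model of the decision: compute the threshold, find which APs are busy, and answer with status 17 only while the conditions in the text hold. Reading "another less busy AP heard the client request" as "an AP with fewer clients than the target also heard the request" is my interpretation, and tracking the denial counter per client and AP is an assumption; the 3-AP numbers are the post's own.

```python
"""Model of the WLC aggressive load-balancing decision described above."""
from collections import defaultdict

STATUS_SUCCESS = 0   # 802.11 association status code "success"
STATUS_AP_BUSY = 17  # status code 17: AP is busy, client should try another AP


def load_balance_threshold(window_size, ap_clients):
    """threshold = client window size + clients on the least loaded AP."""
    return window_size + min(ap_clients.values())


def busy_aps(window_size, ap_clients):
    """APs whose client count has reached the threshold count as busy."""
    threshold = load_balance_threshold(window_size, ap_clients)
    return {ap for ap, count in ap_clients.items() if count >= threshold}


class LoadBalancer:
    """Association arbiter for the APs of one controller on a load-balanced WLAN.

    ap_clients maps each AP on this controller to its associated-client count;
    APs on other controllers never take part, as the post notes.
    """

    def __init__(self, window_size, max_denial, ap_clients):
        self.window_size = window_size
        self.max_denial = max_denial
        self.ap_clients = dict(ap_clients)
        self.denials = defaultdict(int)  # (client_mac, ap) -> code-17 answers sent so far

    def associate(self, client_mac, target_ap, heard_by):
        """Return the status code target_ap answers with.

        heard_by is the set of APs on this controller that heard the request.
        """
        threshold = load_balance_threshold(self.window_size, self.ap_clients)
        target_load = self.ap_clients[target_ap]
        less_busy_heard = [ap for ap in heard_by
                           if ap != target_ap and self.ap_clients[ap] < target_load]
        key = (client_mac, target_ap)
        if (target_load >= threshold and less_busy_heard
                and self.denials[key] < self.max_denial):
            self.denials[key] += 1
            return STATUS_AP_BUSY
        # Accept: the AP is not busy, no better AP heard the client, or the
        # client has already been denied max_denial times on this AP.
        self.ap_clients[target_ap] += 1
        self.denials.pop(key, None)
        return STATUS_SUCCESS


if __name__ == "__main__":
    aps = {"AP1": 9, "AP2": 7, "AP3": 4}          # the post's example
    print("threshold:", load_balance_threshold(5, aps), "busy:", busy_aps(5, aps))
    lb = LoadBalancer(window_size=5, max_denial=3, ap_clients=aps)
    for attempt in range(1, 5):
        print(f"attempt {attempt} on AP1 ->", lb.associate("aa:bb", "AP1", set(aps)))
```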

Configuration on a per-WLAN basis:

Via GUI:

WLAN > Advanced > Client Load Balancing

[Screenshot: Load-Balance2]

Via CLI:

(WLAN1) >config wlan load-balance ?
 allow          Allow|Disallow Load Balance on a WLAN.
 (WLAN1) >config wlan load-balance allow  ?
 enable         Allow Load Balance on a WLAN.
 disable        Disallow Load Balance on a WLAN.
(WLAN1) >config wlan load-balance allow  enable 8
 WARNING: Allowing load balance on this WLAN may impact time sensitive application like VOICE. Continue? (y/N)y
(WLAN1) >

Verification:

(WLAN1) >show load-balancing
 Aggressive Load Balancing........................ per WLAN enabling
 Aggressive Load Balancing Window................. 5 clients
 Aggressive Load Balancing Denial Count........... 3
 Statistics
 Total Denied Count............................... 0 clients
 Total Denial Sent................................ 0 messages
 Exceeded Denial Max Limit Count.................. 0 times
 None 5G Candidate Count.......................... 0 times
 None 2.4G Candidate Count........................ 0 times
(WLAN1) >show wlan 8
 WLAN Identifier.................................. 8
 Profile Name..................................... Test
 Network Name (SSID).............................. Test
 .
 .
 Band Select...................................... Enabled
 Load Balancing................................... Enabled
(WLAN1) >

That’s all about this feature 🙂

Cisco Band-Select Feature

In this post we will learn about this feature. Today I faced a problem where a client kept trying to connect to 2.4 GHz even though that band was fully congested, fully loaded and full of interference. Then I wondered whether there is a way to force dual-band clients (which support both 2.4 GHz and 5 GHz) to connect to the 5 GHz radio, searched the Cisco docs and tech notes, and finally came across this feature.

So let’s discuss this feature in detail:

This feature gives dual-band clients the option to join the 5 GHz radio rather than the 2.4 GHz band. As we all know, clients on the 2.4 GHz band typically experience interference from Bluetooth devices, microwave ovens and cordless phones, as well as co-channel interference from other APs because of the limit of three non-overlapping channels.

We can use this feature to improve overall network performance. Band select enables client radios that are capable of dual-band (2.4 and 5 GHz) operation to move to a less congested 5 GHz access point.

Points to remember:

***Note: Band Select is configurable only when Radio Policy is set to ‘All‘.

***Note: Band select is supported on all types of APs

***Note: This Feature only works when a client first associates to AP.

***Note: This feature will not start when the AP notices a high client count or high channel utilization.

***Note: This feature only goes in one direction (2.4 GHz -> 5 GHz), not the other way (5 GHz -> 2.4 GHz). This means it does not load balance clients across APs.

How it works:

Cisco accomplishes this by delaying/suppressing the responses to the first few 802.11b/g probes, so that the client accepts the 802.11a probe response because it appears to have a quicker response time.

Configuration:

By default it’s disabled.

We can configure this feature globally (Wireless > Advanced > Band Select), and it can also be enabled on a per-WLAN basis (WLAN > Advanced > Client Band Select). This is useful if we want to disable band selection for a specific WLAN or for specific clients running time-sensitive applications (like voice).

Enable Globally:

Via GUI:

Wireless > Advanced > Band Select

[Screenshot: Bandselect1]

When configuring the global Band Select features:

  • The cycle count is the number of times a client is denied before being allowed on 2.4 GHz.
  • The cycle period is how much time needs to pass for the next associating attempt to be considered a unique attempt.
  • Age Out Suppression: the time after which a client is declared "new" again and may have its probe frames delayed/ignored again.
  • Age Out Dual Band: the AP will not respond to a 2.4 GHz probe until a (dual-band) client is no longer marked as dual-band (default is 60 seconds). This prevents clients associated on the 5 GHz radio from switching back to the 2.4 GHz radio.
  • And the Acceptable Client RSSI is how well a 2.4 GHz client needs to be heard before trying to push them to the 5 GHz band.

Via CLI:

(WLAN1) >config band-select ?
 client-rssi    Sets the client RSSI threshold.
 cycle-count    Sets the Band Select probe cycle count.
 cycle-threshold Sets the time threshold for a new scanning cycle.
 expire         Sets the entry expire.
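The bullet points above describe the mechanism in terms of timers and thresholds; as an added example (not Cisco's code and not from the post), here is a simplified Python model of that description using the default values the verification output further down shows (cycle count 2, cycle threshold 200 ms, suppression age-out 20 s, dual-band age-out 60 s, client RSSI -80 dBm). How the timers interact with each other is my reading of the text, not the controller's published algorithm.

```python
"""Simplified model of Band Select probe suppression as described above."""
from dataclasses import dataclass

NEVER = -10**12  # "long ago" sentinel for timers, in milliseconds


@dataclass
class BandSelectConfig:
    cycle_count: int = 2              # probe cycles denied before 2.4 GHz is allowed
    cycle_threshold_ms: int = 200     # probes closer together than this belong to one cycle
    age_out_suppression_s: int = 20   # idle time after which the client counts as "new" again
    age_out_dual_band_s: int = 60     # how long a 5 GHz sighting keeps the client marked dual-band
    client_rssi_dbm: int = -80        # weaker 2.4 GHz probes are answered without any delay


@dataclass
class ClientState:
    cycles: int = 0                   # unique 2.4 GHz probe cycles seen so far
    cycle_start_ms: int = NEVER
    last_probe_ms: int = NEVER
    dual_band_until_ms: int = NEVER


class BandSelect:
    """Decides, per client, whether the AP answers a probe request."""

    def __init__(self, cfg=None):
        self.cfg = cfg or BandSelectConfig()
        self.clients = {}

    def probe(self, mac, band, rssi_dbm, now_ms):
        """Return True if the probe is answered, False if it is suppressed.

        band is "5GHz" or "2.4GHz"; now_ms is the AP's clock in milliseconds.
        """
        cfg = self.cfg
        st = self.clients.setdefault(mac, ClientState())
        if band == "5GHz":
            # 5 GHz probes are always answered and mark the client as dual-band.
            st.dual_band_until_ms = now_ms + cfg.age_out_dual_band_s * 1000
            return True
        if rssi_dbm < cfg.client_rssi_dbm:
            return True                  # heard too weakly to push it towards 5 GHz
        if now_ms < st.dual_band_until_ms:
            return False                 # seen on 5 GHz recently: do not lure it back to 2.4 GHz
        if now_ms - st.last_probe_ms > cfg.age_out_suppression_s * 1000:
            st.cycles, st.cycle_start_ms = 0, NEVER   # aged out: treat as a new client
        if now_ms - st.cycle_start_ms >= cfg.cycle_threshold_ms:
            st.cycles += 1               # far enough from the last cycle to count as a new one
            st.cycle_start_ms = now_ms
        st.last_probe_ms = now_ms
        return st.cycles > cfg.cycle_count


if __name__ == "__main__":
    bs = BandSelect()
    # Constructed timeline: a dual-band client probing 2.4 GHz every 300 ms.
    for t in (0, 100, 300, 600):
        print(f"t={t:>5} ms 2.4 GHz probe answered:", bs.probe("c1", "2.4GHz", -50, t))
    print("weak client answered at once:", bs.probe("c2", "2.4GHz", -85, 0))
```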

Enable this feature on a per-WLAN basis:

Via GUI:

WLAN > Advanced > Client Band Select

[Screenshot: Bandselect2]

Via CLI:

(WLAN1) >config wlan  band-select ?
 allow          Allow|Disallow Band Select on a WLAN.
(WLAN1) >config wlan  band-select allow ?
 enable         Allow Band Select on a WLAN.
 disable        Disallow Band Select on a WLAN.
(WLAN1) >config wlan  band-select allow enable  ?
 <WLAN id>      Enter WLAN Identifier between 1 and 16.
(WLAN1) >config wlan  band-select allow enable  8
 WARNING: Allow Band Select on this WLAN may impact time sensitive application like VOICE. Continue? (y/N)y
(WLAN1) >

Verification:

(WLAN1) >show band-select
 Band Select Probe Response....................... per WLAN enabling
 Cycle Count................................... 2 cycles
 Cycle Threshold............................... 200 milliseconds
 Age Out Suppression........................... 20 seconds
 Age Out Dual Band............................. 60 seconds
 Client RSSI................................... -80 dBm
 (WLAN1) >
 (WLAN1) >show wlan 8
 WLAN Identifier.................................. 8
 Profile Name..................................... Test
 Network Name (SSID).............................. Test
 .
 .
 Band Select...................................... Enabled
 Load Balancing................................... Disabled
 Mobility Anchor List
 WLAN ID     IP Address            Status
 -------     ---------------       ------
 (WLAN1) >

That’s all about this feature.

Schedule a reboot to Controller via CLI

In this post we will see how to schedule a reboot of the WLC.

Scheduling a reboot time for the WLC via CLI is a really useful option to reboot the WLC at a specific time.

Let’s see the configuration guide.

These are the reset options on the WLC CLI:

(WLC1) >reset system ?
 at             Reset the system at a specified time.
 in             Reset the system after a specified delay.
 cancel         Cancel a scheduled reset.
 notify-time    Configures trap generation prior to scheduled resets.
(WLC1) >

RESET SYSTEM AT:

Specify a date and time for the device to reboot by entering this command. It lets us enter a specific date and time at which to reboot the controller.

*** The swap operand in the reset command results in swapping the primary and backup images on both the controller and the access points.

(WLC1) >reset system at 2014-07-11 18:00:00 image no-swap reset-aps save-config
 System reset is scheduled for Jul 11 18:00:00 2014.
 Current local time and date is Jul 11 09:10:19 2014.
 A trap will be generated 10 minutes before each scheduled system reset.
 Use 'reset system cancel' to cancel the reset.
 Configuration will be saved before the system reset.
 (WLC1) >

RESET SYSTEM IN:

Specify the delay before the device reboots by entering this command. It lets us enter a delay (hours:minutes:seconds) after which the controller reboots.

(WLC1) >reset system in 18:00:00 image  no-swap reset-aps save-config
 System reset is scheduled for Jul 12 03:10:59 2014.
 Current local time and date is Jul 11 09:10:59 2014.
 A trap will be generated 10 minutes before each scheduled system reset.
 Use 'reset system cancel' to cancel the reset.
 Configuration will be saved before the system reset.
(WLC1) >

RESET SYSTEM NOTIFY-TIME :

Set up an SNMP trap message that announces the upcoming reset by entering this command. After configuring it, the controller sends the announcement trap the configured number of minutes before the reset.

(WLC1) >reset system notify-time 10
 A trap will be generated 10 minutes before each scheduled system reset.
(WLC1) >

RESET SYSTEM CANCEL:

Cancel the scheduled reboot by entering this command: if we scheduled a system reset and need to cancel it, we just apply the reset system cancel command.

(WLC1) >reset system cancel
 Scheduled reset cancelled.
(WLC1) >

SHOW RESET:

Use the show reset command to display scheduled resets.

(WLC1) >show reset
 System reset is scheduled for Jul 12 03:11:51 2014.
 Current local time and date is Jul 11 09:11:53 2014.
 A trap will be generated 10 minutes before each scheduled system reset.
 Use 'reset system cancel' to cancel the reset.
 Configuration will be saved before the system reset.
(WLC1) >

Reset Cisco WLC to Factory Default

Just a small post regarding WLC reset; it can be done without NCS and it's very handy.

Via CLI:

Step1: Log in to the WLC with a valid username and password, then reset the WLC with "reset system" at the command prompt.

(WLAN1) >reset system
 The system has unsaved changes.
 Would you like to save them now? (y/N) Y
 Configuration Saved!
 System will now restart!

Step2: At the prompt it asks whether we want to save changes to the configuration; enter Yes or No, and the controller will reboot.

.
.
(WLAN1)
 Enter User Name (or 'Recover-Config' this one-time only to reset configuration to factory defaults)
 User:

Step3: When prompted for a username, enter recover-config to restore the factory default configuration.

User:  recover-config
Press Enter and the controller will reset to factory defaults.

Via GUI:

  1. Log in to the WLC GUI with a valid username and password.
  2. Go to Command > Reset to Factory Default.
  3. Click Reset.

[Screenshot: Resetwlc1]

That’s all  🙂

Fast SSID Change

Today I faced an issue on my iPhone while changing SSID. Here is the problem explanation and solution:

Scenario:

WLC have software version 7.0.240.0
WLC Model: AIR-WLC2106-K9

There are two SSIDs on the same WLC/AP. If I am connected to one and try to connect to the other, the iPhone shows "unable to connect"; see the screenshot:

Pic1: Phone connected to the RSCCIEW SSID

[Screenshot 1]

Pic2: When I tried to change to a different SSID it showed this:

[Screenshot 2]

Debugs on the WLC show that it connected and got an IP.

(WLC1) >*apfMsConnTask_0: Jun 05 13:56:04.571: 54:26:96:3e:4b:ee Association received from mobile on AP 00:22:bd:98:3a:30
 *apfMsConnTask_0: Jun 05 13:56:04.572: 54:26:96:3e:4b:ee Deleting client immediately since WLAN has changed
 *apfMsConnTask_0: Jun 05 13:56:04.572: 54:26:96:3e:4b:ee Scheduling deletion of Mobile Station:  (callerId: 50) in 1 seconds
 *apfMsConnTask_0: Jun 05 13:56:04.883: 54:26:96:3e:4b:ee Ignoring 802.11 assoc request from mobile pending deletion

But it still shows as connected and getting an IP.

Solution:

There is an option on the WLC to enable fast SSID change. By default it is disabled.

When fast SSID changing is enabled, the controller allows clients to move between SSIDs. When the client sends a new association for a different SSID, the client entry in the controller connection table is cleared before the client is added to the new SSID. When fast SSID changing is disabled, the controller enforces a delay before clients are allowed to move to a new SSID.

Enable FAST SSID via GUI:

  1. Log in to the WLC GUI and go to Controller to open the General page.
  2. From the Fast SSID Change drop-down list, choose Enabled to enable this feature.
  3. Click Apply.
  4. Click Save Configuration at the top right.

[Screenshot 4]

Enable FAST SSID via CLI:

  1. Enable or disable fast SSID changing by entering this command:

config network fast-ssid-change {enable | disable}

(WLC1) >config network fast-ssid-change ?
 enable/disable] Enable or disables fast SSID changing for mobile stations
(WLC1) >config network fast-ssid-change enable
  2. Save your changes by entering this command:

save config

 (WLC1) >save config
 Are you sure you want to save? (y/n) y
 Configuration Saved!

Pic3: Just after enabling it I tried again, and this was the result:

[Screenshot 3]

That's all we need to switch quickly 🙂

Timeout setting on Wireless LAN Controller

In this post we will check the specific timeouts on the WLC. I did some tests on the idle timeout and the session timeout.
Let's see how they work and what they mean:
Session Timeout
Session timeout is a value that forces a re-authentication when the timer expires. The timer starts counting down when the client is authenticated.
The session timeout is the maximum time for a client session with the WLC. After this time, the WLC de-authenticates the client, and the client goes through the whole authentication (re-authentication) process again. This is a security precaution to rotate the encryption keys. If we use an Extensible Authentication Protocol (EAP) method with key management, rekeying occurs at every regular interval in order to derive a new encryption key. Without key management, this timeout value is the time after which wireless clients need to do a full re-authentication. The session timeout is specific to the WLAN.
How to configure or change this value:
Via GUI:
Log in WLC GUI. Go to WLAN > WLAN ID > Advanced

[Screenshot: SessionTimeout]
By default the session timeout is set to 1800 sec; we can also uncheck this box or change the timeout to a larger value. The session timeout can be configured per WLAN, from 300 to 86400 seconds.
When the session timeout triggers, the PMK cache entry is removed and the client has to authenticate again.
Configurable session timeout range is:
• 300-86400 for 802.1x.
• 0-65535 for all other security types.
If we configure the session timeout as 0, it disables the session timeout in the case of open system, and means 86400 seconds for all other security types.

Via CLI:

 (WLAN1) >config wlan session-timeout ?
 <WLAN id> Enter WLAN Identifier between 1 and 16.
 (WLAN1) >config wlan session-timeout 8 ?
 <seconds> The duration of session in seconds (0 = infinity is true only for open system).
 (WLAN1) >config wlan session-timeout 8 65535

User Idle Timeout

The user idle timeout is a global parameter of the controller. If the AP/WLC does not receive any packets from the client for a certain period of time, the client entry is deleted; in other words, when a user is idle, without any communication with the LAP, for the amount of time set as User Idle Timeout, the client is de-authenticated by the WLC. The client then has to re-authenticate and re-associate to the WLC. It is used in situations where a client can drop off its associated LAP without notifying the LAP. This can occur if the client's battery dies or the client moves away.
Increasing the user idle timeout uses more RAM on the WLC and makes the WLC client database less accurate. The default is 300 seconds (5 minutes).
The user idle timeout can be configured from 15 to 100000 seconds.

How to configure or change this value:
Via GUI:
Log in WLC GUI. Go to Controller > General > User Idle Timeout

[Screenshot: Idle Timeout]

Via CLI:

Here is a very simple way to configure it from the command line.

(WLAN1) >config network usertimeout ?
 <seconds> Recommended user idle timeout in seconds between 90 and 100000. Range <15 - 100000>. Default is 300
(WLAN1) >config network usertimeout 86400

ARP Timeout

The ARP timeout is used to delete ARP entries on the WLC for the devices learned from the network.
Increasing this timeout increases the CPU load and distorts statistics for the number of simultaneous users. The default value is 300 seconds (5 minutes). This is a global parameter of the controller.
How to configure it:

Via GUI:
Log in to WLC GUI, then go to Controller > General > ARP Timeout.

[Screenshot: ARP Timeout]
Via CLI:

Very easy via CLI:

(WLAN1) >config network arptimeout ?
 <seconds> The ARP entry timeout in seconds. Min is 10, Default is 300
(WLAN1) >config network arptimeout 86400

So it is very important to design and configure proper values for these timeout parameters; otherwise you will face the problem of having to log in again every 5 minutes.

Country Code on WLC

Controllers and access points are designed for use in many countries with varying regulatory requirements. The radios within the access points are assigned to a specific regulatory domain at the factory (such as –E for Europe), but the country code enables you to specify a particular country of operation (such as FR for France or DE for Germany). Configuring a country code ensures that each radio’s broadcast frequency bands, interfaces, channels, and transmit power levels are compliant with country-specific regulations.

Generally we configure one country code per controller, the one matching the physical location of the controller and its access points. However, controller software release 4.1 and later allows us to configure up to 20 country codes per controller. This multiple-country support enables us to manage access points in various countries from a single controller. This does not apply to mesh access points.

*** Note: Mesh APs don't support multiple country codes on the WLC.

*** We cannot change the regulatory domain of an access point. If by chance you bought an AP with the wrong regulatory domain, you must replace that access point.

*** Here is the Wireless LAN Compliance Status

There are some limitations for a multiple country code configuration:

  • When the multiple-country feature is being used, all controllers that are going to join the same RF group must be configured with the same set of countries, configured in the same order.
  • When multiple countries are configured and the RRM auto-RF feature is enabled, the RRM assigns the channels that are derived by performing a union of the allowed channels per the AP country code. The APs are assigned channels by the RRM based on their PID country code. APs are only allowed to use legal frequencies that match their PID country code. Ensure that your AP’s country code is legal in the country that it is deployed.
  • Access points can only operate on the channels of the countries they are designed for.
  • The country list configured on the RF group leader determines what channels the members would operate on. This list is independent of what countries have been configured on the RF group members.

Procedure to add a country code on the WLC:

Via GUI:

Before configuring/changing the country code on the WLC, we must disable both networks.

Steps to disable the 802.11a and 802.11b/g networks:

Step1: Choose Wireless> 802.11a/n > Network.

Unselect the 802.11a Network Status check box.

[Screenshot: 802.11a_enable]

Click Apply to commit your changes.

Step2: Choose Wireless > 802.11b/g/n > Network.

Unselect the 802.11b/g Network Status check box.

[Screenshot: 802.11b_enable]

Click Apply to commit your changes.

Step3: Choose Wireless > Country and select the check box for the country where our access points are installed. If we select more than one check box, a message appears indicating that RRM channels and power levels are limited to the common channels and power levels.

Click OK.

Here all my access points are in the Europe domain and I am sitting in Germany, so I choose DE (Germany).

[Screenshot: Wirecountry]

Step4: If we had configured multiple country codes on the WLC, we could choose a country per AP:

Here we chose only one country, so there is no other option for this AP.

[Screenshot: AP_Country]

Step5: Re-enable the 802.11a and 802.11b/g networks (which we disabled in Step1 and Step2).

Step6: Click Save Configuration to save settings.

Via CLI:

Step1: Disable the 802.11a and 802.11b/g networks:

(WLAN1) >config 802.11a disable network
(WLAN1) >config 802.11b disable network

Step2: Configure the country codes for the countries where our access points are installed:

(WLAN1) >config country DE

*** If we choose multiple country codes on the WLC, this will appear:

(WLAN1) >config country DE,US,MX
Changing country code could reset channel & RRM grouping configuration.
If running in RRM One-Time mode, reassign channels after this command.
Check customized APs for valid channel values after this command.
Are you sure you want to continue? (y/n) y
Configured Country............................. Multiple Countries:DE,MX,US
KEY: * = Channel is legal in this country and may be configured manually.
A = Channel is the Auto-RF default in this country.
. = Channel is not legal in this country.
C = Channel has been configured for use by Auto-RF.
x = Channel is available to be configured for use by Auto-RF.
(-,-) = (indoor, outdoor) regulatory doamin allowed by this country.
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-
802.11bg     :
Channels     :                   1 1 1 1 1
: 1 2 3 4 5 6 7 8 9 0 1 2 3 4
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-
DE (-E   ,-E   ): A * * * * A * * * * A * * .
MX (-A   ,-NA  ): A * * * * A * * * * A . . .
US (-A   ,-AB  ): A * * * * A * * * * A . . .
Auto-RF         : C x x x x C x x x x C x x .
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
802.11a      :                         1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
Channels     : 3 3 3 4 4 4 4 4 5 5 6 6 0 0 0 1 1 2 2 2 3 3 4 4 5 5 6 6
: 4 6 8 0 2 4 6 8 2 6 0 4 0 4 8 2 6 0 4 8 2 6 0 9 3 7 1 5
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
--More-- or (q)uit
DE (-E   ,-E   ): . A . A . A . A A A A A * * * * * * * * * * * . . . . .
MX (-AN  ,-NA  ): . A . A . A . A A A A A * * * * * . . . * * * A A A A *
US (-A   ,-AB  ): . A . A . A . A A A A A * * * * * . . . * * * A A A A *
Auto-RF         : . C . C . C . C C C C C x x x x x x x x x x x C C C C x
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
4.9GHz 802.11a  :
Channels     :                   1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2
: 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
DE (-E   ,-E   ): . . . . . . . . . . . . . . . . . . . . . . . . . .
MX (-AN  ,-NA  ): * * * * * * * * * * * * * * * * * * * A * * * * * A
US (-A   ,-AB  ): * * * * * * * * * * * * * * * * * * * A * * * * * A
Auto-RF         : . C . C . C . C C C C C x x x x x x x x x x x C C C C x
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
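The table printed above encodes, per country, which channels are legal and which are the Auto-RF defaults, and the GUI warning mentioned in the procedure says RRM is limited to the channels common to the configured countries. As an added example (not from the post), here is a Python parser for those rows, fed with the 802.11bg and 802.11a rows copied from the output above, that computes each country's legal set and the channels common to all of them. The channel numbers per band are read from the stacked header digits in the output.

```python
"""Parse the per-country channel rows of the WLC's country table."""

LEGAL_SYMBOLS = {"A", "*"}  # A = Auto-RF default, * = legal (manual config), . = not legal

# Channel numbers in column order, read from the stacked header digits above.
BG_CHANNELS = list(range(1, 15))
A_CHANNELS = [34, 36, 38, 40, 42, 44, 46, 48, 52, 56, 60, 64,
              100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140,
              149, 153, 157, 161, 165]

# Rows copied from the controller output above; the Auto-RF row is kept to
# show that the parser skips it.
BG_ROWS = """\
DE (-E   ,-E   ): A * * * * A * * * * A * * .
MX (-A   ,-NA  ): A * * * * A * * * * A . . .
US (-A   ,-AB  ): A * * * * A * * * * A . . .
Auto-RF         : C x x x x C x x x x C x x .
"""
A_ROWS = """\
DE (-E   ,-E   ): . A . A . A . A A A A A * * * * * * * * * * * . . . . .
MX (-AN  ,-NA  ): . A . A . A . A A A A A * * * * * . . . * * * A A A A *
US (-A   ,-AB  ): . A . A . A . A A A A A * * * * * . . . * * * A A A A *
"""


def parse_country_rows(text, channels):
    """Return {country_code: {channel: symbol}} for the country rows in text."""
    table = {}
    for line in text.splitlines():
        label, sep, symbols = line.partition(":")
        words = label.split()
        code = words[0] if words else ""
        if not sep or len(code) != 2 or not code.isalpha():
            continue  # separator lines, headers and the Auto-RF row
        syms = symbols.split()
        if len(syms) != len(channels):
            raise ValueError(f"{code}: {len(syms)} columns, expected {len(channels)}")
        table[code] = dict(zip(channels, syms))
    return table


def legal_channels(table, code):
    """Channels a country allows, whether Auto-RF default or manually configurable."""
    return {ch for ch, sym in table[code].items() if sym in LEGAL_SYMBOLS}


def auto_rf_defaults(table, code):
    return {ch for ch, sym in table[code].items() if sym == "A"}


def common_channels(table):
    """Channels legal in every configured country (the set the GUI warning refers to)."""
    sets = [legal_channels(table, code) for code in table]
    return set.intersection(*sets) if sets else set()


def union_channels(table):
    """Channels legal in at least one configured country."""
    sets = [legal_channels(table, code) for code in table]
    return set.union(*sets) if sets else set()


if __name__ == "__main__":
    for name, rows, channels in (("802.11bg", BG_ROWS, BG_CHANNELS), ("802.11a", A_ROWS, A_CHANNELS)):
        table = parse_country_rows(rows, channels)
        for code in table:
            print(name, code, "legal:", sorted(legal_channels(table, code)))
        print(name, "common to DE,MX,US:", sorted(common_channels(table)))
```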

Step3: We can choose the country per AP (if we configured multiple country codes on the WLC). In my example I configured only DE, so there is no need to assign one to a specific AP.

Choose the country for an AP:

(WLAN1) >config ap country DE AP001

Step4: Re-enable the 802.11a and 802.11b/g networks

(WLAN1) >config 802.11a enable network
(WLAN1) >config 802.11b enable network

Step5: Save settings:

(WLAN1) >save config

Step6: Show the country code configured on the WLC:

(WLAN1) >show country
Configured Country............................. DE  - Germany
Configured Country Codes
DE  - Germany................................... 802.11a Indoor,Outdoor / 802.11b / 802.11g

Configure RADIUS Server on WLC

Here is a new post about RADIUS configuration on the WLC. The WLC needs to be configured to forward the user credentials to an external RADIUS server. The external RADIUS server then validates the credentials and grants access to the wireless clients.

A RADIUS server can provide central authentication. On the WLC, a RADIUS server can handle two functions, namely authentication and accounting, while TACACS can handle all three (authentication, accounting and authorization).

Here is the procedure to configure RADIUS on the WLC:

Authentication

Step1: Via GUI

From the WLC GUI, click Security. From the menu on the left, click RADIUS > Authentication. The RADIUS Authentication Servers page appears. To add a new RADIUS server, click New.

[Screenshot: RADIUS New]

In the RADIUS Authentication Servers > New page, enter the parameters specific to the RADIUS server.

*** Check the Management box if you want to allow the RADIUS server to authenticate users who log in to the WLC. (I don't want to authenticate the WLC management users via RADIUS.)

[Screenshot: RADIUS Edit]

Make sure that the shared secret configured on this page matches the shared secret configured on the RADIUS server; only then can the WLC communicate with the RADIUS server.

Follow the same procedure to add another, redundant RADIUS server 🙂

[Screenshot: Both Radius]

Step2: Configure Authentication Via CLI

(WLAN1) >config radius ?
acct           Configures a RADIUS Accounting Server.
aggressive-failover Enables/Disables Aggressive Failover
auth           Configures a RADIUS Authentication Server.
backward       Configures RADIUS Vendor Id backward compatibility
callStationIdCase Configures Call Station Id case in RADIUS messages.
callStationIdType Configures Call Station Id information sent in radius messages
fallback-test  Configures server fallback test.
(WLAN1) >config radius auth ?
add            Configures a RADIUS Authentication Server.
delete         Deletes a RADIUS Server.
disable        Disables a RADIUS Server.
enable         Enables a RADIUS Server.
ipsec          Enables or disables IPSEC support for an authentication server
keywrap        Configures RADIUS keywrap
mac-delimiter  Configures MAC delimiter for caller-station-ID and calling-station-ID
management     Configures a RADIUS Server for management users.
network        Configures a default RADIUS server for network users.
retransmit-timeout Changes the default retransmission timeout for the server
rfc3576        Enables or disables RFC-3576 support for an authentication server

(WLAN1) >config radius callStationIdType ipaddr
(WLAN1) >config radius auth mac-delimiter {colon|hyphen|none|single-hyphen}
(WLAN1) >config radius auth add 1 192.xx.xx.14 1812 ascii cisco -> Secret
(WLAN1) >config radius auth retransmit-timeout 1 2  -> Default 2 sec
(WLAN1) >config radius auth network 1 {enable|disable}
(WLAN1) >config radius auth {enable|disable} 1 -> by default enable

If you are not authenticating management users via RADIUS, then you must disable it:

(WLAN1) >config radius auth management 1 {enable|disable} -> Enable by default

Follow the same procedure to add the 2nd authentication server.

Accounting:

Step1: Via GUI

Configure RADIUS Accounting

Go to Security -> RADIUS -> Accounting

[Screenshot: RADIUS Acct]

Follow the same steps to add the 2nd accounting server.

Here is a screenshot of both accounting servers on the WLC:

[Screenshot: RADIUS Both Acct]

Step2: Via CLI

Here is the basic CLI configuration for RADIUS accounting on a WLC.

(WLAN1) >config radius callStationIdType ipaddr
(WLAN1) >config radius acct mac-delimiter {colon|hyphen|none|single-hyphen}
(WLAN1) >config radius acct add 1 192.xx.xx.15 1813 ascii cisco -> secret
(WLAN1) >config radius acct retransmit-timeout 1 5 -> default is 2s
(WLAN1) >config radius acct network 1 {enable|disable}
(WLAN1) >config radius acct {enable|disable} 1 -> by default enable

Do the same for the 2nd accounting server via CLI.

So far we have added both servers for authentication and accounting.

Now it's time to verify.

(WLAN1) >show radius summary
Vendor Id Backward Compatibility................. Disabled
Call Station Id Case............................. lower
Call Station Id Type............................. IP Address
Aggressive Failover.............................. Enabled
Keywrap.......................................... Disabled
Fallback Test:
Test Mode.................................... Off
Probe User Name.............................. cisco-probe
Interval (in seconds)........................ 300
MAC Delimiter for Authentication Messages........ hyphen
MAC Delimiter for Accounting Messages............ hyphen
Authentication Servers
Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
---  ----  ----------------  ------  --------  ----  -------  ------------------------------------------------
1    N     192.xx.xx.14       1812    Enabled   2     Enabled   Disabled - none/unknown/group-0/0 none/none
2    N     192.xx.xx.15       1812    Enabled   2     Enabled   Disabled - none/unknown/group-0/0 none/none
Accounting Servers
--More-- or (q)uit
Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
---  ----  ----------------  ------  --------  ----  -------  ------------------------------------------------
1      N     192.xx.xx.15       1813    Enabled   2     N/A       Disabled - none/unknown/group-0/0 none/none
2      N     192.xx.xx.14       1813    Enabled   2     N/A       Disabled - none/unknown/group-0/0 none/none
(WLA1) >show radius auth statistics
Authentication Servers:
Server Index..................................... 1
Server Address................................... 192.xx.xx.14
Msg Round Trip Time.............................. 47 (msec)
First Requests................................... 27328
Retry Requests................................... 123
Accept Responses................................. 2439
Reject Responses................................. 140
Challenge Responses.............................. 24736
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 147
Unknowntype Msgs................................. 0
Other Drops...................................... 1
Server Index..................................... 2
Server Address................................... 192.xx.xx.15
Msg Round Trip Time.............................. 29 (msec)
First Requests................................... 14345
--More-- or (q)uit
Retry Requests................................... 98
Accept Responses................................. 1264
Reject Responses................................. 52
Challenge Responses.............................. 13026
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 114
Unknowntype Msgs................................. 0
Other Drops...................................... 0
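As an added example (not from the post), here is a Python parser for the `show radius auth statistics` output above that turns each server block into a dict and flags the counters a defender looks at first: Bad Authenticator and Malformed messages (typically a shared-secret mismatch or replies that were tampered with) and a high timeout ratio. Server 1's counters are copied from the output above; server 2's are constructed so that the checks have something to flag, and the 1% timeout threshold is an assumption.

```python
"""Parse `show radius auth statistics` and flag servers that deserve a closer look."""
import re

TIMEOUT_RATIO_LIMIT = 0.01  # assumption: more than 1% timed-out requests is worth a look

# Server 1 is copied from the controller output above; server 2 is constructed
# so that the checks trigger.  The pager line is included to show it is skipped.
SAMPLE_OUTPUT = """\
(WLAN1) >show radius auth statistics
Authentication Servers:
Server Index..................................... 1
Server Address................................... 192.xx.xx.14
Msg Round Trip Time.............................. 47 (msec)
First Requests................................... 27328
Retry Requests................................... 123
Accept Responses................................. 2439
Reject Responses................................. 140
Challenge Responses.............................. 24736
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 147
Unknowntype Msgs................................. 0
Other Drops...................................... 1
--More-- or (q)uit
Server Index..................................... 2
Server Address................................... 192.xx.xx.15
Msg Round Trip Time.............................. 29 (msec)
First Requests................................... 1000
Retry Requests................................... 60
Accept Responses................................. 500
Reject Responses................................. 20
Challenge Responses.............................. 400
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 3
Pending Requests................................. 0
Timeout Requests................................. 50
Unknowntype Msgs................................. 0
Other Drops...................................... 0
"""

LINE_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\.{2,}\s*(?P<value>\S.*)$")
NUMBER_RE = re.compile(r"(\d+)(?:\s+\(msec\))?")  # "27328" or "47 (msec)"


def parse_radius_auth_stats(text):
    """Return {server_index: {counter_name: value}}; numeric values become ints."""
    servers, current = {}, None
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # prompt, section heading, --More-- pager line
        key, value = match.group("key").strip(), match.group("value").strip()
        number = NUMBER_RE.fullmatch(value)
        parsed = int(number.group(1)) if number else value  # addresses stay strings
        if key == "Server Index":
            current = servers.setdefault(parsed, {})
        elif current is not None:
            current[key] = parsed
    return servers


def review(servers):
    """Return {server_index: [finding, ...]}; an empty list means nothing stood out."""
    findings = {}
    for idx, stats in servers.items():
        notes = []
        if stats.get("Bad Authenticator Msgs", 0):
            notes.append("Bad Authenticator responses: check the shared secret on both sides")
        if stats.get("Malformed Msgs", 0):
            notes.append("malformed RADIUS messages received")
        first = stats.get("First Requests", 0)
        timeouts = stats.get("Timeout Requests", 0)
        if first and timeouts / first > TIMEOUT_RATIO_LIMIT:
            notes.append(f"timeout ratio {timeouts / first:.1%} exceeds {TIMEOUT_RATIO_LIMIT:.0%}")
        findings[idx] = notes
    return findings


if __name__ == "__main__":
    stats = parse_radius_auth_stats(SAMPLE_OUTPUT)
    for idx, notes in review(stats).items():
        print(f"server {idx} ({stats[idx]['Server Address']}):", notes or "nothing to flag")
```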

Now we will add the WLC to the RADIUS server, and don't forget the shared secret, because it must match between the WLC and the RADIUS (ISE) server:

Log in to ISE and go to Administration > Network Resources > Network Devices > Add

[Screenshot: Untitled]

That’s it for today 🙂 Enjoyyyyy