Calling & Called station ID

In this post we will learn / see how there format looks like with an example. It’s very important to know these because in exam we may need to create a policy using this.

My topology:

Client~~~~~~~~~~~AP—————–Switch——————–WLC

Call1

AP Details:

Call2

Default Format:

Called-Station-ID: Normally Contains (1) the MAC address of the Access Point and (2) the SSID on which the wireless device is connecting. These 2 fields are separated by a colon.  Example: “AA-BB-CC-DD-EE-FF:SSID_NAME”.

Calling-Station-ID: Contains the MAC address of the wireless device.  Example: “AA-BB-CC-DD-EE-FF”.

Local mode AP:

Let’s see the log:

***I removed the middle part

Call3

Here our Called-Station ID is: 38-1c-1a-c5-66-20:RSCCIEW

And

Calling Station-ID: F8:16:54:20:F4:C2 (this is from ISE), Normally ACS 5.2 shows like this (F8-16-54-20-F4-C2)

HREAP Connected Mode

*** In HREAP Connected mode it’s the same as in Local mode.

Called-Station ID is: 38-1c-1a-c5-66-20:RSCCIEW

Calling Station-ID: F8-16-54-20-F4-C2

HREAP Standalone Mode

***In HREAP standalone mode its bit different:

Called-Station-ID: 381c.1ac5.6621

*** Its BSSID(We can also find it via command line: show ap wlan 802.11a/b <AP name>)

Calling Station-ID: F816.5420.F4C2

(Not mentioned SSID name in called station-id and also the last number is 21 because its add the WLAN id to its mac address)

*** My wlan id is 2.

ACS Policies based on SSID

If we need to Create Policy in ACL which needs to be include SSID then either we must use the End Station Filters or we need to create a custom profile(Policy Elements > Session Conditions > Custom)

End Station filter:

Policy > Network Conditions > End Station Filters

Create a new and enter the *SSID_Name(example – *RSCCIEW) unders CLI/DNIS.

Call4

Note: *RSCCIEW must be under DNIS but here in ACS it shows under CLI (This is due to bug-CSCtk16271).To resolve this we must click submit again to swap these entry.

Custom Profile:

Then click on Create, give the name to this custom profile.

Under Condition Tab:

We must use Dictionary: Radius-IETF

Attribute: Called-Station-ID

Policy Elements > Session Conditions > Custom

Call5

That’s all about Calling and Called Station ID 🙂 don’t have much time otherwise would love to go more in to details.

Fast SSID Change

Today I faced an issue on my iPhone while changing SSID, Here is the problem explanation and solution:

Scenario:

WLC have software version 7.0.240.0
WLC Model: AIR-WLC2106-K9

There are two SSID’s from same WLC / AP. If I connected to one and try to connect to other, iPhone shows unable to connect: see the screenshot:

Pic1: Handy connected with RSCCIEW SSID

1

Pic2: When I tried to change to different SSID its show this:

2

Debugs in WLC shows that it’s connected and getting an IP.

(WLC1) >*apfMsConnTask_0: Jun 05 13:56:04.571: 54:26:96:3e:4b:ee Association received from mobile on AP 00:22:bd:98:3a:30
 *apfMsConnTask_0: Jun 05 13:56:04.572: 54:26:96:3e:4b:ee Deleting client immediately since WLAN has changed
 *apfMsConnTask_0: Jun 05 13:56:04.572: 54:26:96:3e:4b:ee Scheduling deletion of Mobile Station:  (callerId: 50) in 1 seconds
 *apfMsConnTask_0: Jun 05 13:56:04.883: 54:26:96:3e:4b:ee Ignoring 802.11 assoc request from mobile pending deletion

But still it’s showing connected and getting IP.

Solution:

There is an option in WLC to enable FAST SSID change. By default its disable.

When fast SSID changing is enabled, the controller allows clients to move between SSIDs. When the client sends a new association for a different SSID, the client entry in the controller connection table is cleared before the client is added to the new SSID. When fast SSID changing is disabled, the controller enforces a delay before clients are allowed to move to a new SSID.

Enable FAST SSID via GUI:

  1. Login WLC GUI: Go to Controller to open the General page.
  2. From the Fast SSID Change drop-down list, choose Enabled to enable this feature
  3. Click Apply
  4. Click Save Configuration on the right side on top.

 4

Enable FAST SSID via CLI:

  1. Enable or disable fast SSID changing by entering this command:

config network fast-ssid-change {enable | disable}

(WLC1) >config network fast-ssid-change ?
 enable/disable] Enable or disables fast SSID changing for mobile stations
(WLC1) >config network fast-ssid-change enable
  1. Save your changes by entering this command:

save config

 (WLC1) >save config
 Are you sure you want to save? (y/n) y
 Configuration Saved!

Pic3: Just after change to enable I tried again and this was the resultJ

3

Thats all we need to switch quickly 🙂

Single SSID configuration on Autonomous AP

Today I  learnt to create SSID with different authentication in my test LAB on cisco Autonomous AP.

In this post, will see the configuration for one SSID with WPA authentication

Before starting the configuration, there are few things which we should remember:

    • SSID are a case sensitive and can contain up to 32 alphanumeric characters.
    • There should be no space in SSID.
    • There is limitation of max SSID on cisco AP(Depends on which model you have)
    • If there is only one SSID then we must use guest-mode command under SSID.
    • If we have multiple SSID then :

Mbssid under the radio interface and mbssid guest-mode under SSID config section
Dot11 mbssid under the global config section and mbssid guest-mode under the SSID config section

Just few things:

      • I have a DHCP server config on my Cisco Switch in VLAN 101.
      • Vlan 100 is for management.

Let’s start with the configuration:

Fist switch side configuration for this AP is:

int fa 0/15
 switchport mode trunk
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100, 101

 Step1: Configure the SSID and map to a VLAN

Config t
 Dot11 ssid data1
 Vlan 101
 Authentication open
 Authentication key-management wpa version 1
 wpa-psk ascii cisco123
 Guest-mode ------> To broadcast the SSID
 end

 Step2: Configure the radio and Ethernet interface

Interface dot11Radio0
  ssid data1----->Mapping the SSID to Radio Interface
  exit
 !
 Interface dot11Radio0.100
  encapsulation dot1Q 80
 !
 Interface dot11Radio0.101
  encapsulation dot1Q 101
  bridge-group 101
  exit
 !
 int fa 0.100
  encapsulation dot1Q 100
 !
 Interface fa0.101
  encapsulation dot1Q 101
  bridge-group 101
 exit

Step3: Assign encryption (if wpa or wpa2 types is used) to SSIDs with VLAN

Int dot11Radio0
 encryption vlan 101 mode ciphers tkip

Step4: Configure AP for management

Int BVI1
Ip address 10.35.100.250 255.255.255.0
 !
Ip default-gateway 10.35.100.254

Step5: To verify the results:

      1. Sh ip int br
ap#sh ip int brief
 Interface                  IP-Address      OK? Method Status                Protocol
 BVI1                       10.35.100.250    YES manual up                    up
 Dot11Radio0                unassigned      YES unset  up                    up
 Dot11Radio0.100             unassigned      YES unset  up                    up
 Dot11Radio0.101             unassigned      YES unset  up                    up
 Dot11Radio1                unassigned      YES unset  administratively down down
 FastEthernet0              unassigned      YES other  up                    up
 FastEthernet0.100           unassigned      YES unset  up                    up
 FastEthernet0.101           unassigned      YES unset  up                    up
  
      1. Sh dot11 associations
ap#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [data1] 
 MAC Address    IP address      Device        Name            Parent         State
 5426.963e.4bee 10.35.101.251    unknown       -               self           Assoc
  

Configure Dynamic Interface on WLC

A dynamic interface is simply an interface that maps a WLAN to a wired vlan or subnet.

Dynamic interfaces to be used to control and secure the traffic on the WLAN just like we would use vlans and subnets on the LAN for that purpose.

Maximum number of VLANs supported on Cisco Wireless Controllers

Wireless LAN Controllers

Max. VLAN Supported

Virtual WLC

512

WLC Module for ISR G2

16

WLC 2500 Series

16

WLC 5500 Series

512

WLC 6500 Series WISM2

512

WLC Flex 7500 Series

4096

WLC 8500 Series

4096

  • We must use tagged VLAN for Dynamic Interfaces

Configure Dynamic Interface is a very easy task either via GUI or CLI, here is the procedure:

Via GUI

GUI is the easiest way to configure multiple Dynamic interfaces on Cisco Wireless Controller. Here are the screenshots:

Choose Controller > Interfaces > New to open the Interfaces page.

New Interface

Click Apply, after this Interface > Edit page will appear, Enter the details

Untitled

 

After entering all the detail, click on Apply, That’s it.

Via CLI

Here are the basic commands to create a dynamic interface via CLI on Cisco wireless LAN Controller:

(WLAN1)  >config interface create testinterface 84
(WLAN1)  >config interface address dynamic-interface testinterface 192.168.84.1 255.255.255.0 192.168.84.254
(WLAN1)  >config interface port testinterface 1
(WLAN1)  >config interface dhcp dynamic-interface testinterface primary 192.168.99.1 secondary 192.168.99.3

Same like above I created one more dynamic interface “bde

(WLAN1)  >config interface create bde 85
(WLAN1)  >config interface address dynamic-interface bde 192.168.85.1 255.255.255.0 192.168.85.254
(WLAN1)  >config interface port bde 1
(WLAN1)  >config interface dhcp dynamic-interface bde primary 192.168.99.1 secondary 192.168.99.3


Both the ways are very easy and not so much time consuming. Its all depends on you to configure from which method.

For me:

By GUI method it takes 2-3 minutes. By CLI method it takes 3-4 minutes (Can’t remember all commands that’s the reason its taking long time).

Remembering Points to create Dynamic Interface:

  • Create a Dynamic interface and define a name and ssid.
  • Assign IP address, Subnet mask and Gateway
  • Assign a physical port number
  • And last is to config DHCP servers(Primary or secondary: atleast one is necessary)

Configure Interface Groups on Cisco WLC

Now In this post we will learn about, how to create a interface group and assign many interface to this group.

Interface groups are logical groups of interfaces. An interface can be part of multiple interface groups.  For this, first we have to create an interface group and then we can assign dynamic interfaces to it.

When many APs support the same WLAN, all users of that WLAN, on all APs connected to the same controller, are sent to the same dynamic interface. To reduce this broadcast domain. One way to achieve this reduction is to break up the WLAN into multiple segments. You can do so by associating the WLAN to an interface group rather than a single dynamic interface. This is achieved by creating a new interface group, and by choosing the already created dynamic interfaces that the group should contain. Then, map WLANs to the group.

Via GUI:

Choose Controller > Interface Groups, on main page right side click on add group

Interface Group

*Here I created interface group as ”test-bde”

Click on add.

Interface Group des

Click on the interface group “test-bde”.

Int Grp add Int

Here you can click on Add Interface and assign to Interface Group.

Via CLI:

By command line we can use these commands to configure Interface group and assign interface to this group.

(WLAN1)  >config interface group create test-bde
(WLAN1)  >config interface group description test-bde "Just for learning"
(WLAN1)  >config interface group interface add test-bde testinterface
(WLAN1)  >config interface group interface add test-bde bde

Assign Interface Group to a WLAN

After creating Dynamic interface/ interface group now we have to assign these interfaces / Interface groups to WLAN.

First of all create a WLAN and then map these interface to it:

Here is the procedure:

Via GUI:

Step1: create a WLAN

Login GUI of WLC then click on WLAN, click on Go (select Create new)

Create WLAN

Step2: Enter the details as shown in screenshot

WLAN ssid profile

Step3: Click on Apply, WLAN > Edittest-bdepage will appear.

Enable WLAN, Select Interface or Interface Group and Select Broadcast SSID (If you want to)

WLAN Status

Step4: Click on Apply

Via CLI:

By command line it’s very easy but it needs more and more practice to remember these commands:

In this example:

Mapped “bde to WLAN:

(WLAN1)  >config wlan create 7 testbde testbde
(WLAN1)  >config wlan interface 7 bde
(WLAN1)  >config wlan broadcast-ssid enable 7
(WLAN1)  >config wlan enable 7

or we can Map interface group “test-bde” to WLAN:

(WLAN1)  >config wlan create 7 testbde testbde
(WLAN1)  >config wlan interface 7 test-bde
(WLAN1)  >config wlan broadcast-ssid enable 7
(WLAN1)  >config wlan enable 7