What happens if you strip your WLAN config back down to basics to help understand further about where the problem is? Do troublesome laptops still work on an Open network? Or one with WPA2-AES PSK? Does changing EAP type make any difference? ... View more

I don't know anything about iPerf, but it seems to me like you've already answered your own question... Wireless performance is seldom the same from one minute to the next in the real world and there's any number of reasons why it changes. If you wanted to get more insight the first thing I'd do is to repeat the test (as closely as possible) via the Wired LAN and check you have consistent results that make sense there first.  If you don't get consistent LAN results, you will never get consistent WLAN results. ... View more

Not sure about a specific OID for exactly what you want, but the WLCs will send Traps if you get too many Users per Radio - the alert thresholds are all configurable on the WLC, which should basically achieve the same thing. ... View more

To do it properly you need to enable "Machine only" machine authentication a part of a protocol like PEAP-MSCHAPv2.  This means you need a RADIUS Server and some SSL Certificates as well. The cheap and cheerful way however, is to put a WPA2-AES PSK on your WLAN and pre-configure your machines with the key. ... View more

Correct... 2504 just does N+1 HA from 7.5, whereas the bigger platforms do AP SSO and Client SSO. ... View more

Hi Leo, ISE can't configure a hidden SSID today. As to why you're using a hidden SSID anyway, I'm not sure? It generally doesn't achieve much, and has been known to introduce security risks of its own.  Why not just broadcast the SSID? ... View more

I don't see why not, just make sure you account for the extra losses of the N/RP-TNC adapter when configuring the antenna gain on the AP. Sent from Cisco Technical Support iPad App ... View more

I'm not sure you can do what you want in IOS.... Can you buy a WLC? ... View more

I don't want to sound too rude here, but I think you're probably better off deleting all of your config, reading the SRND and ISE Config Guides, and starting again from scratch. ... View more

You need a pre-auth ACL to be defined on the Anchor WLC and it needs to allow TCP 8443 to the ISE.  This ACL is then referenced by name in the ISE Authz Profile.  When the User performs their initial MAB, the ISE returns the Redirect URL and the ACL Name to the WLC, both of which are then imposed upon the User in order to get them to see the ISE's login page. There's no need for any "Layer3 Security" configuration in the WLC whatsoever. ... View more

With anything short of physically separate infrastructure, there's always the risk of an accidental Config error causing you problems... It sounds to me like you probably already know about ACLs, VLANs, VRFs, SGT, Anchor Controllers, Private VLANs, DHCP Snooping, etc etc.... So what exactly are you looking for? All approaches (industry best practise, or otherwise) are all about mitigating risk and balancing effort, complexity and cost. Which of these factors is more important to you? Sent from Cisco Technical Support iPad App ... View more