Ask the Expert: Cisco Unified Wireless and Cisco Unified Access

ciscomoderator
Community Manager

With Richard Hamby, Patrick Croak and Nicholas Tate 

 


Welcome to the Cisco Support Community Ask the Expert conversation. Learn from Cisco experts Richard Hamby, Patrick Croak, and Nicholas how to configure, troubleshoot and design your network using Cisco Unified Wireless and Next Generation Unified Access Wireless. The Next Generation Unified Access Wireless includes the new IOS-based wireless features on the Cisco Catalyst Switches 3850 and 5760. You can ask questions about the Cisco Wireless portfolio of controllers, access points, and latest WLAN features.

 

Richard Hamby is a technical support engineer in the Cisco Technical Assistance Center in Richardson, Texas. He is an expert in wireless products that include the Cisco Unified Wireless Network and the new Unified Access Wireless products. Prior to his current position, Hamby was a customer support engineer with the authentication-authorization-accounting team supporting Cisco identity management solutions.

 

Patrick Croak is a technical leader for the global wireless support team at the Cisco Technical Assistance Center, responsible for solving complex and challenging enterprise wireless issues. He also works closely with the Wireless Business Unit and Account teams for product development and innovation. He has more than seven years of experience working at Cisco. Croak holds CCIE certification (#34712)  in wireless and a bachelor’s degree in computer engineering from the University of Wisconsin. 

 

Nicholas Tate is a senior customer support engineer in the global technical assistance center supporting wireless technologies, where he works on complex wireless enterprise issues. He has published numerous wireless documents to Cisco.com and the Cisco Support Community. Tate has been working at Cisco since 2011 and holds a degree in information computer technologies from East Carolina University.

 

Remember to use the rating system to let Richard, Patrick, and Nicholas know if you have received an adequate response.

 

They might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Wireless sub-community, Getting Started with Wireless discussion forum shortly after the event.

 

This event lasts through June 14, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

 

Shruti,

In order to just achieve 802.11n, you will need at minimum to upgrade your APs to newer models. 1140, 1250, 1260 and 3500 APs will function on a 4402 with 7.0.116.0 code or higher. If you upgrade to 7.x code your 1130s and 1240s will remain supported. Keep in mind that the newer APs such as the 1600, 2600, and 3600 will not be supported on the older 4400 platforms or older 7.0.x code. In order to have the newer features of those APs as well as new features in 7.2 and later code you will need a 5508 WLC.

In regards to 802.11n APs connected to FA ports, this is not recommended at all. 802.11n speeds give clients 300 Mbps+ (depending on the spatial streams on the newer APs). If a client is really trying to pull this much data, it will overwhelm the port and will have undesired effects such as frame discards and even the AP falling off the WLC.

I would suggest you review the release notes in the 7.0 train of code and determine if your needs are met by upgrading your 4400 code and replacing your APs with the 802.11n APs supported by 7.0.x. Also, check out the release notes in the later codes such as 7.2, 7.3 and 7.4. There have been a lot of new features implemented into these codes. These newer codes also allow you to use the newer APs such as the 1600s, 2600s, and 3600s.

Release notes

http://www.cisco.com/en/US/products/ps10315/prod_release_notes_list.html

Nick

patrick.kofler
Level 1

Hi,

currently, it is possible to use MAC filtering in conjunction with dot1x authentication of devices when using ACS 5.

However, in order for that to work you would need to specify the same ACS instance for both methods, which posed a problem to me when using a particular set of certain mobile devices, where the ACS forwards the EAP request to Active Directory after successful MAC address check.

Do you know if future releases plan to outsource MAC filtering to a dedicated AAA server, similar to when using EAP authentication? There is such a thing already for Mesh APs as well as an option to authorize APs with a MIC over an AAA server.

This way you do not exhaust the database size of the WLCs when using local MAC authentication and you only have to configure the MAC addresses in one AAA server instead of multiple WLCs, which is a more scalable approach.

Regards,

Patrick

Patrick,

This configuration isn’t seen every day in regards to requiring BOTH MAC Filtering and EAP Authentication. It sounds like you have this working with MAC Auth occurring locally on the WLC and EAP authenticating to a RADIUS server.

If this part is working fine, then configuring the SSID with just MAC Auth and a RADIUS server listed on the AAA tab should make the WLC query the RADIUS server for a client’s MAC address. At the RADIUS server, you should configure the client’s MAC address as the username so that authentication is successful.

This one would be best looked into via a TAC case. This should work fine now with current code.

Nick
