–This release improves the reliability of fast roaming on workgroup bridges by allowing the unit an additional retry when it needs to reassociate to the root access point.
–This release also improves the method that workgroup bridges use to select the "best parent" access point. Workgroup bridges can share association histories with root access points, which can build and share a list of best root access points among workgroup bridges. This method helps workgroup bridges select the best root access point when roaming.
VideoStream support on workgroup bridges (when used as a client): VideoStream improves the reliability of an IP multicast stream by converting the multicast frame, over the air, to a unicast frame. VideoStream was not supported for workgroup bridge clients in previous releases because a workgroup bridge's wired clients cannot be added to the controller (WLC) multicast table. In this release, the workgroup bridge is added to the WLC multicast table, and the workgroup bridge converts the VideoStream unicast frame into an Ethernet multicast frame and sends it out to its wired clients.
Enter this command on the controller to enable VideoStream for workgroup bridges:
config media-stream wired-client enable
How to configure WGB with PEAP
In this example, the 1260 Autonomous Access Point is configured as a workgroup bridge and connects to the LWAPP network. Use the SSID WGB-PEAP for the connection to the WLAN and use PEAP for the authentication of the WGB to the LWAPP network.
Configure ACS to Let the WGB authenticate in EAP
Complete these steps in order to configure the ACS to let the WGB authenticate in ACS:
1. Add the WLC as a NAS (AAA client)
In the ACS GUI, click Network Configuration on the left.
Under AAA Clients, click Add Entry.
Enter a name under AAA Client Hostname.
Enter the management interface IP address of the WLC under AAA Client IP Address.
Enter the RADIUS key under Shared Secret and make a note of it.
In the Authenticate Using drop-down menu, choose RADIUS (Cisco Airespace).
2. Enable EAP-TLS in ACS
Choose System Configuration > Global Authentication Setup.
Under EAP-TLS (that is, the top-level EAP-TLS section after EAP-FAST, not the EAP-TLS under PEAP), check Allow EAP-TLS.
Check all three of the certificate verification options.
Choose Submit + Restart.
3. Add the WGB as an ACS user
In User Setup, enter the name of the WGB in the User panel, and click Add/Edit. This example uses "WGB".
Enter a hard-to-guess password. This is required, although not used in EAP-TLS.
Configuring Work Group Bridge (WGB)
1. Set the hostname, domain name and time of the WGB as needed.
Note: The hostname must match the username entered for it in ACS as in the previous step:
WGB-Client#clock set 14:00:00 5 Dec 2012
Note: The time must be correct for the certificates to work (use the clock set exec CLI command, or configure an SNTP server).
2. Configure the trustpoint for the Certificate Authority:
WGB-Client(config)#crypto pki trustpoint WGB-PEAP
Note: subject-name CN=<ClientName> is required. Without it, the Microsoft CA fails to issue the certificate, with the error message "The request subject name is invalid or too long. 0x80094001".
Note: The revocation-check none command is necessary to avoid the problem described in Cisco bug ID CSCsl07349 (WGB disassociates/reassociates often and takes a long time to reconnect). With this setting, the WGB does not check certificates validated against this trustpoint for revocation.
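As an added example (not part of the original document and not Cisco tooling), the following Python check reads saved running-config text and verifies the prerequisites from the notes above: the hostname matches the ACS username, a time source is configured, the trustpoint carries subject-name CN=<ClientName>, and the revocation-check setting is reported. The sample configuration, the function names, and the `sntp server` address are constructed for illustration.

```python
import re

# Constructed running-config excerpt for illustration (not from the original page).
SAMPLE_CONFIG = """\
hostname WGB-Client
sntp server 192.0.2.10
!
crypto pki trustpoint WGB-PEAP
 subject-name CN=WGB-Client
 revocation-check none
!
"""

def parse_trustpoints(config):
    """Return {trustpoint_name: [sub-command lines]} from IOS config text."""
    trustpoints, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto pki trustpoint (\S+)", line)
        if m:
            current = trustpoints.setdefault(m.group(1), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # any unindented line ends the trustpoint block
    return trustpoints

def audit_wgb(config, acs_username, trustpoint):
    """Check the prerequisites named in the notes; return a list of findings."""
    findings = []
    host = re.search(r"^hostname (\S+)", config, re.M)
    if not host or host.group(1) != acs_username:
        findings.append("hostname does not match the ACS username")
    if not re.search(r"^(sntp|ntp) server \S+", config, re.M):
        findings.append("no time server configured; set the clock manually")
    body = parse_trustpoints(config).get(trustpoint)
    if body is None:
        return findings + [f"trustpoint {trustpoint} not found"]
    subject = next((l for l in body if l.startswith("subject-name ")), "")
    if not re.search(r"\bCN=[^,\s]+", subject, re.I):
        findings.append("trustpoint has no subject-name CN=<ClientName>")
    revocation = next((l for l in body if l.startswith("revocation-check ")), None)
    if revocation == "revocation-check none":
        findings.append("revocation checking is disabled for this trustpoint")
    else:
        findings.append("revocation-check none is not set (see CSCsl07349)")
    return findings
```

Calling `audit_wgb(SAMPLE_CONFIG, "WGB-Client", "WGB-PEAP")` on the constructed sample returns only the revocation finding, which records the trade-off accepted by the CSCsl07349 workaround.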
Note: To stop a debug, use the no debug all or undebug all commands. Verify that the debugs have been turned off using the command show debug.
Remember that the commands no logging console and terminal no monitor only prevent the output from being displayed on the console, Aux or vty respectively. They do not stop the debugging, which therefore continues to use up router resources.