cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
14400
Views
82
Helpful
146
Replies

Ask the Expert: Cisco Wireless LAN Controllers (WLCs)

ciscomoderator
Community Manager
Community Manager

Read the biowith Cisco Expert Nicolas Darchis

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to trobuleshoot, configure and deploy any Cisco Wireless LAN controller with Cisco subject matter expert Nicolas Darchis.

Nicolas Darchis is a wireless and authentication, authorization, and accounting expert for the Technical Assistance Center at Cisco Europe. He has been troubleshooting wireless networks, wireless management tools, and security products, including Cisco Secure Access Control Server since 2007. He also focuses on filing technical and documentation bugs. Nicolas Darchis holds a bachelor's degree in computer networking from the Haute Ecole Rennequin Sualem and a master's degree in computer science from the University of Liege. He also holds CCIE Wireless certification number 25344.

Remember to use the rating system to let Nicolas know if you have received an adequate response.

Nicolas might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Wireless sub-community, Getting Started with Wireless discussion forum shortly after the event.

This event last through Friday June 28, 2013. Visit the community often to view responses to youe questions of other community members.

146 Replies 146

ACS 5.4 supports MAR cache in the distributed deployment :

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1307694

Therefore any other ACS node should be aware of the laptop was already machine authenticated or not if they are part of the same distributed deployment.

Hi

How to migrate the configuration from WLC 4400 series to WLC 5500 series box

Hi,

it's not really a problem if you are using NCS/WCS as you can simply repush all templates.

Otherwise, the best method out of my experience is the "show run-config commands" or backup the 4404 config via tftp (it's mostly commands). Paste all commands on the new WLC. You will have to repush the certificate and a few other basic details though.

Hello Nicolas, thanks for the response...

I have ACS with default configurations - does this configuration look like what we should have configured.

Also I found this link here.......

http://blogs.technet.com/b/networking/archive/2008/03/21/windows-wireless-and-cisco-acs-machine-access-restriction-don-t-always-play-nice-together.aspx?Redirected=true

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

the link I gave you clearly stated black on white :

MAR Cache Distribution Groups

ACS 5.4 has the option to group ACS nodes in MAR cache distribution  groups. This option is used to control the impact of MAR cache  distribution operations on ACS performance and memory usage.

A text label is assigned to each ACS node, which is called the MAR cache  distribution group value. ACS nodes are grouped based on the MAR cache  distribution group value. You can perform MAR cache distribution  operations only between the ACS nodes that are assigned to the same MAR  cache distribution group.

If the group value of an ACS node is empty, then it is considered as not  assigned to any MAR cache distribution group. Such ACS nodes do not  participate in any MAR cache distribution operations.


So you need to configure the same MAR cache group, otherwise magic does not happen.

The link you found is for ACS 4 which didn't have a MAR cache.

Hi Nicolas, I realised that when I read again shortly after I posted, thanks. I'll give it a go.

I do want to understand why the WLC's opt to go with another ACS which has the lowest priority, rather than the other two though - unless they just don't respond quick enough to the request.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

I cannot make remote guesses but a WLC has by default a passive failover behavior. I.e. if for some reason the radius server number 1 does not respond to one authenticaiton request, WLC will start using the 2nd server. If 2nd server works fine it will keep using that one until the next problem ...

In Security->Radius->general you can configure failover behavior to be more active where it will go back to using the primary ACS if it's back alive.

It doesn't mean that primary ACs was down at some point, it may have consciously not replied to a WLC auth request for many reasons (in ACS, you can configure when to drop or to reject failed auth scenarios)

Thanks Nicolas, appreciate your time and help.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Nicolas Darchis wrote:

Hi Jino,

yes you can enable it. Indeed the RRM algorithm was improved to evalute potential changes and prevent any cascading effects.

Of course the result will not be as good as if all APs were cleanair (so you might have cases where the APs do not adapt when they should theoretically have), but overall, it shouldn't be any major problem


Hi Nicholas,

Many thanks for answering the question.

I would like to know if there is any configuration guidelines/best practise for configuring Clean Air in mixed environment. Say on a controller I have APs from two different coverage areas/sites. One site has only clean air APs and the other with Non Clean AIR APs. Should they be seperated into different APgroups/RF profiles or is it ok to have them on the same AP Group?

Many Thanks

Jino

There isn't such a guide to my knowledge because it's pretty much straighforward. There is no need in playing with RF groups. Indeed, if you have one WLC with let's say 100 access points, but spread over 10 buildings far from each other. Then the WLC will create 10 RF groups. Although the WLC is configured with only 1 RF group name, it only combines together APs that can hear each other. Therefore APs in different building will end up in different RF groups in reality.

The RF group name works as a kind of pre-shared key. Meaning, if put close to each other, APs will be able to form adjacency and form an RF group. But if 2 WLCs have different RF group name, even if APs are close to each other, they will treat each other as rogues and will not discuss RF between them.

I hope it clarifies.

brettcodey
Level 1
Level 1

Hello Nicolas,

Please reference the attached text file with my wireless query.

Regards

Brett

Hi Brett,

Quoting the center part of your query :

Is the allocation of per floor IP subnets considered best practice? I'm under the

understanding that if a wireless client moves from Level 2 to Level 3 for example, an IP

address change occurs when the client associates to the Level 3 AP so this would cause a

brief drop to the client connection?..OR should the client retain its original IP?

Is there an automated or configurable feature on the WLC that allows for the client to

retain its original IP that it had on Level 2.

WLC is all about smooth roaming and keeping connectivity. Therefore if you roam to another floor, you will retain your original ip address.

Same goes if you have APs spread across 2 WLCs and your 2nd WLC has interfaces in totally different subnets. The WLC will tunnel traffic back to your original WLC so that you can keep using your original ip address. Same goes when you have "AP groups", i.e. group of APs on the same WLC with different client subnet. The first AP to which you connect determines your subnet/ip address. You can then roam to wherever you want and you will retain your ip address.

If you stay offline for longer than the "client user idle timeout (5 mins by default)" then your client entry is deleted and when you reassociate again, you get a new ip address.

Tuning this behavior would mean reducing idle timeout so that if you take more than 30 seconds for example to come back into coverage area, you get a new ip (or 30 seconds of sleep mode on the laptop).

But I don't see any reason on earth why one would not want to retain the original ip address. Should you really want to have different ip per floor, you would need different SSIDs on each floor or the same SSID , as simple as that.

Regarding the "best practice" side of things, there are multiple scenarios :

-You want to segregate users : the ideal is actually radius authentication and the radius server assigning a different vlan depending on the username.

-You simply want "load balancing" of the subnets and ip address : you may be better off using "interface groups" to an SSID. i.e. different subnets are given in a round robin manner.

-Per floor segregation is perfectly fine. But it achieves a poor load balancing (what if there are way more users on one floor than on another ?) and it does not achieve real separation (i.e. if you change floors, you keep your original ip).

Hello Nicolas,

Thank you so much for your prompt reply.

The problem is that my clients are getting a new IP address when they associate with an AP on another floor - ie they dont keep their original IP and I dont know why as you have stated in your initial reply:

"WLC is all about smooth roaming and keeping connectivity. Therefore if you roam to another floor, you will retain your original ip address."

What configuration change on the floor switches that the APs connect to or on the WLC will prevent this from happening

so that the client keeps the same IP address?

Regards

Brett

Something has to be wrong somewhere.

The client traffic is tunneled from the AP to the WLC, so the floow switch configuration does not matter at all, client traffic is released in the core where WLC is plugged.

I would need to see a "debug client " showing a client switching floor and getting a new ip as well as a "show run-config" of your WLC to understand what could possibly be wrong.

But I suggest opening a discussion on the forum rather than putting so much info in this general thread.

Regards,

Nicolas

Hi, I've been having the same issue, I found when we added some mobility anchors added to external agencies, this somehow effected our own local mobility group, on the wlan on the right hand side, check the mobility anchor for you lan, there shouldn't been any thing in there, we found all differnt settings, I was told that this was a bug,

hope this helps

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: