06-11-2013 03:06 PM - edited 07-04-2021 12:13 AM
with Cisco Expert Nicolas Darchis
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to troubleshoot, configure and deploy any Cisco Wireless LAN controller with Cisco subject matter expert Nicolas Darchis.
Nicolas Darchis is a wireless and authentication, authorization, and accounting expert for the Technical Assistance Center at Cisco Europe. He has been troubleshooting wireless networks, wireless management tools, and security products, including Cisco Secure Access Control Server since 2007. He also focuses on filing technical and documentation bugs. Nicolas Darchis holds a bachelor's degree in computer networking from the Haute Ecole Rennequin Sualem and a master's degree in computer science from the University of Liege. He also holds CCIE Wireless certification number 25344.
Remember to use the rating system to let Nicolas know if you have received an adequate response.
Nicolas might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Wireless sub-community, Getting Started with Wireless discussion forum shortly after the event.
This event lasts through Friday June 28, 2013. Visit the community often to view responses to your questions and those of other community members.
06-18-2013 06:43 AM
ACS 5.4 supports MAR cache in the distributed deployment:
Therefore any other ACS node should be aware of whether the laptop was already machine authenticated or not, if they are part of the same distributed deployment.
06-18-2013 08:10 AM
Hi
How to migrate the configuration from WLC 4400 series to WLC 5500 series box
06-18-2013 08:48 AM
Hi,
it's not really a problem if you are using NCS/WCS as you can simply repush all templates.
Otherwise, the best method out of my experience is the "show run-config commands" or backup the 4404 config via tftp (it's mostly commands). Paste all commands on the new WLC. You will have to repush the certificate and a few other basic details though.
06-19-2013 12:46 AM
Hello Nicolas, thanks for the response...
I have ACS with default configurations - does this configuration look like what we should have configured.
Also I found this link here.......
Please rate useful posts & remember to mark any solved questions as answered. Thank you.
06-19-2013 01:47 AM
the link I gave you clearly stated black on white :
MAR Cache Distribution Groups
ACS 5.4 has the option to group ACS nodes in MAR cache distribution groups. This option is used to control the impact of MAR cache distribution operations on ACS performance and memory usage.
A text label is assigned to each ACS node, which is called the MAR cache distribution group value. ACS nodes are grouped based on the MAR cache distribution group value. You can perform MAR cache distribution operations only between the ACS nodes that are assigned to the same MAR cache distribution group.
If the group value of an ACS node is empty, then it is considered as not assigned to any MAR cache distribution group. Such ACS nodes do not participate in any MAR cache distribution operations.
So you need to configure the same MAR cache group, otherwise magic does not happen.
The link you found is for ACS 4 which didn't have a MAR cache.
06-19-2013 01:53 AM
Hi Nicolas, I realised that when I read again shortly after I posted, thanks. I'll give it a go.
I do want to understand why the WLC's opt to go with another ACS which has the lowest priority, rather than the other two though - unless they just don't respond quick enough to the request.
Please rate useful posts & remember to mark any solved questions as answered. Thank you.
06-19-2013 02:16 AM
I cannot make remote guesses, but a WLC has by default a passive failover behavior. I.e. if for some reason the radius server number 1 does not respond to one authentication request, WLC will start using the 2nd server. If the 2nd server works fine it will keep using that one until the next problem ...
In Security->Radius->general you can configure failover behavior to be more active where it will go back to using the primary ACS if it's back alive.
It doesn't mean that the primary ACS was down at some point; it may have consciously not replied to a WLC auth request for many reasons (in ACS, you can configure when to drop or to reject failed auth scenarios).
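To make the passive-versus-active failover behavior described above concrete, here is an added model of the server-selection logic (example code written for this thread, not Cisco WLC code). Server names, the timeline, and the "active" mode re-checking the primary on every request are constructed assumptions; a real WLC uses a periodic probe.

```python
"""Model of WLC RADIUS failover: passive (stick with the last server that
answered) versus active (return to the primary once it answers again)."""
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Wlc:
    servers: List[str]            # priority order, index 0 = primary
    active_fallback: bool = False # Security->Radius->General setting, modelled
    current: int = 0              # index of the server currently in use
    log: List[str] = field(default_factory=list)

    def authenticate(self, health: Dict[str, bool]) -> str:
        """Return the server that answered this request.
        `health` maps server name -> True if it answers right now. Note that a
        server configured to *drop* (not reject) a failed auth looks exactly
        like a dead server from the WLC's point of view."""
        if self.active_fallback and health.get(self.servers[0], False):
            self.current = 0  # active mode: primary is alive again, go back
        for attempt in range(len(self.servers)):
            idx = (self.current + attempt) % len(self.servers)
            name = self.servers[idx]
            if health.get(name, False):
                self.current = idx  # passive mode: stay here from now on
                self.log.append(f"auth via {name}")
                return name
            self.log.append(f"{name} did not answer, failing over")
        raise RuntimeError("no RADIUS server answered")

def run_scenario(active_fallback: bool, silent_once: List[str]) -> List[str]:
    """Constructed timeline: the servers in `silent_once` drop request #2
    (one dropped request is enough to trigger failover), then all servers
    answer normally. Returns which server handled each request."""
    wlc = Wlc(["acs1", "acs2", "acs3"], active_fallback)
    healthy = {"acs1": True, "acs2": True, "acs3": True}
    outage = {**healthy, **{s: False for s in silent_once}}
    timeline = [healthy, outage, healthy, healthy]
    return [wlc.authenticate(h) for h in timeline]

if __name__ == "__main__":
    # Passive: one silent request from acs1 and acs2 parks the WLC on the
    # lowest-priority server indefinitely; active mode returns to acs1.
    print("passive:", run_scenario(False, ["acs1", "acs2"]))
    print("active: ", run_scenario(True, ["acs1", "acs2"]))
```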
06-19-2013 02:21 AM
Thanks Nicolas, appreciate your time and help.
Please rate useful posts & remember to mark any solved questions as answered. Thank you.
06-18-2013 09:32 AM
Nicolas Darchis wrote:
Hi Jino,
yes you can enable it. Indeed the RRM algorithm was improved to evaluate potential changes and prevent any cascading effects.
Of course the result will not be as good as if all APs were cleanair (so you might have cases where the APs do not adapt when they should theoretically have), but overall, it shouldn't be any major problem
Hi Nicholas,
Many thanks for answering the question.
I would like to know if there are any configuration guidelines/best practices for configuring CleanAir in a mixed environment. Say on a controller I have APs from two different coverage areas/sites. One site has only CleanAir APs and the other has non-CleanAir APs. Should they be separated into different AP groups/RF profiles or is it ok to have them in the same AP group?
Many Thanks
Jino
06-18-2013 09:38 AM
There isn't such a guide to my knowledge because it's pretty much straightforward. There is no need in playing with RF groups. Indeed, if you have one WLC with let's say 100 access points, but spread over 10 buildings far from each other, then the WLC will create 10 RF groups. Although the WLC is configured with only 1 RF group name, it only combines together APs that can hear each other. Therefore APs in different buildings will end up in different RF groups in reality.
The RF group name works as a kind of pre-shared key. Meaning, if put close to each other, APs will be able to form adjacency and form an RF group. But if 2 WLCs have different RF group name, even if APs are close to each other, they will treat each other as rogues and will not discuss RF between them.
I hope it clarifies.
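The RF-group formation described in the reply above, as an added model (example code written for this thread, not Cisco code): APs that hear each other and carry the same RF group name merge into one group, and an AP that hears a neighbor message with a different group name does not peer with it. The campus layout, hearing radius and AP names are constructed.

```python
"""Model of RF group formation: same RF group name + mutual hearing = one
group; a different name on a heard neighbor is treated as non-peer (rogue)."""
from itertools import combinations
from typing import Dict, List, Tuple

HEAR_RANGE = 60.0  # constructed: metres within which two APs hear each other

def hears(a: dict, b: dict) -> bool:
    return ((a["x"] - b["x"]) ** 2 + (a["y"] - b["y"]) ** 2) ** 0.5 <= HEAR_RANGE

def accept_neighbor(receiver: dict, sender: dict) -> bool:
    # The RF group name acts like a pre-shared key on the neighbor message:
    # a mismatch means the sender is not a peer, however close it is.
    return receiver["rf_group"] == sender["rf_group"]

def form_rf_groups(aps: List[dict]) -> Tuple[Dict[str, List[str]], List[Tuple[str, str]]]:
    """Union-find over accepted neighbor relations. Returns the RF groups
    (root name -> members) and the list of heard-but-rejected AP pairs."""
    parent = {ap["name"]: ap["name"] for ap in aps}
    def find(n: str) -> str:
        while parent[n] != n:
            parent[n] = parent[parent[n]]
            n = parent[n]
        return n
    rejected = []
    for a, b in combinations(aps, 2):
        if not hears(a, b):
            continue  # too far apart: no neighbor message ever arrives
        if accept_neighbor(a, b):
            parent[find(a["name"])] = find(b["name"])
        else:
            rejected.append((a["name"], b["name"]))
    groups: Dict[str, List[str]] = {}
    for ap in aps:
        groups.setdefault(find(ap["name"]), []).append(ap["name"])
    return groups, rejected

def build_campus(buildings: int = 10, aps_per_building: int = 10) -> List[dict]:
    """Constructed campus: one WLC, one RF group name, buildings 500 m apart,
    APs 10 m apart inside each building."""
    return [{"name": f"b{b}-ap{i}", "x": b * 500.0, "y": i * 10.0, "rf_group": "corp"}
            for b in range(buildings) for i in range(aps_per_building)]

if __name__ == "__main__":
    groups, _ = form_rf_groups(build_campus())
    print(len(groups), "RF groups formed from one RF group name")
```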
06-18-2013 04:49 PM
06-18-2013 10:44 PM
Hi Brett,
Quoting the center part of your query :
Is the allocation of per floor IP subnets considered best practice? I'm under the understanding that if a wireless client moves from Level 2 to Level 3 for example, an IP address change occurs when the client associates to the Level 3 AP so this would cause a brief drop to the client connection?..OR should the client retain its original IP?
Is there an automated or configurable feature on the WLC that allows for the client to retain its original IP that it had on Level 2.
WLC is all about smooth roaming and keeping connectivity. Therefore if you roam to another floor, you will retain your original ip address.
Same goes if you have APs spread across 2 WLCs and your 2nd WLC has interfaces in totally different subnets. The WLC will tunnel traffic back to your original WLC so that you can keep using your original ip address. Same goes when you have "AP groups", i.e. group of APs on the same WLC with different client subnet. The first AP to which you connect determines your subnet/ip address. You can then roam to wherever you want and you will retain your ip address.
If you stay offline for longer than the "client user idle timeout (5 mins by default)" then your client entry is deleted and when you reassociate again, you get a new ip address.
Tuning this behavior would mean reducing idle timeout so that if you take more than 30 seconds for example to come back into coverage area, you get a new ip (or 30 seconds of sleep mode on the laptop).
But I don't see any reason on earth why one would not want to retain the original ip address. Should you really want to have different ip per floor, you would need different SSIDs on each floor or the same SSID, as simple as that.
Regarding the "best practice" side of things, there are multiple scenarios :
-You want to segregate users : the ideal is actually radius authentication and the radius server assigning a different vlan depending on the username.
-You simply want "load balancing" of the subnets and ip address : you may be better off using "interface groups" to an SSID. i.e. different subnets are given in a round robin manner.
-Per floor segregation is perfectly fine. But it achieves a poor load balancing (what if there are way more users on one floor than on another ?) and it does not achieve real separation (i.e. if you change floors, you keep your original ip).
06-18-2013 11:16 PM
Hello Nicolas,
Thank you so much for your prompt reply.
The problem is that my clients are getting a new IP address when they associate with an AP on another floor - i.e. they don't keep their original IP and I don't know why, as you have stated in your initial reply:
"WLC is all about smooth roaming and keeping connectivity. Therefore if you roam to another floor, you will retain your original ip address."
What configuration change on the floor switches that the APs connect to or on the WLC will prevent this from happening
so that the client keeps the same IP address?
Regards
Brett
06-18-2013 11:52 PM
Something has to be wrong somewhere.
The client traffic is tunneled from the AP to the WLC, so the floor switch configuration does not matter at all; client traffic is released in the core where the WLC is plugged.
I would need to see a "debug client
But I suggest opening a discussion on the forum rather than putting so much info in this general thread.
Regards,
Nicolas
06-20-2013 03:46 AM
Hi, I've been having the same issue. I found when we added some mobility anchors for external agencies, this somehow affected our own local mobility group. On the WLAN, on the right hand side, check the mobility anchor for your LAN; there shouldn't be anything in there. We found all different settings, I was told that this was a bug,
hope this helps