For the WCS/Clean Air issue with spectrum experts, verify that you have it added to WCS.

To add a Spectrum Expert, follow these steps:

As this discussion is only related to WCS/MSE/Location Appliance, please post the question for ISE in the correct forum with respects to ACS/ISE. For the trade up program, you will need to contact your reseller about current promotions.

Below are a few links that talk about ISE, Downloading ISO to install on your existing ACS appliance, and migration path from ACS.

For more info on ISE:

http://www.cisco.com/en/US/products/ps11640/index.html

Release notes:

http://www.cisco.com/en/US/docs/security/ise/1.0/release_notes/ise10_rn.html#wp96296

Downloading ISE:

http://www.cisco.com/cisco/software/release.html?mdfid=283801620&flowid=26081&softwareid=283802505&release=1.0&relind=AVAILABLE&rellifecycle=&reltype=latest

Migrating from ACS to ISE:

http://www.cisco.com/en/US/docs/security/ise/1.0/migration_guide/ise10_mig_overview.html

Hi Nael,

i have a Problem with the cisco-av-pair string on the Cisco ACS and a SSID.

We have here some SSID and some AD Groups. It was no Problem with the old Cisco ACS 4.2. I have here configured the string: cisco-av-pair ssid=myssid. The Clients have only rights to this ssid. It works without Problems.

On the new ACS 5.2. I have here Problem to configure this.

My Configuration is a new Identity Policy.

Compound Condition:

Radius-Cisco -->cisco-av-pair-->equals-->myssid

But this string works not.

Did you have any ideas about this Problem.

Thanks

regards

Andreas

@Andrea

First off ACS is not my area of expertise and this discussion should focus on WCS/MSE/Location Appliance, but I will try my best to assist you.

What protocol are you using to authenticate the wireless users?

What version of WCS are you using?

What version of WLC are you using?

What errors appear on the ACS?

Do a “debug aaa all enable” and “debug aaa local-auth” and capture the outputs and post it for review. Keep in mind the data will be available for all to view whatever is posted on the forums if that is ok with you.

@Craig: How does WLC determine if the acs/radius server is dead?

WLC uses standard radius traffic to probe the authenticating server to determine if it’s up or not. It uses one of the three statuses:

“OFF” states if the radius server fails, move to the next radius server in a round robin fashion until you get a response.

“PASSIVE” states treat the list in an orderly fashion based on radius preferences.  From the top, if one fails, mark it down for a period of time and move on to the next in the list. Each acs/radius attempts to start from the top of the order and continue to that last and skips acs/radius servers if still in dead timer mode.

“ACTIVE” mode sends a probe packet (radius traffic and requests based on RFC http://www.faqs.org/rfcs/rfc2865.html access-request) to see if the radius server responds by checking the username configured in the active mode settings of WLC. The user does not have to exist on the acs/radius, it just needs to respond to the probe coming from WLC to determine if it’s up or down.

Hi Nael

Thank for reply, but stil missing the answer.

Heres what happend, 2 ACS, 1 is on a VM box.  The VM session failed, no clients where authenticating, couldn't connect to ACS on the box, only thing could do is ping the box.  But it didn't fail over.  Had to restart the VM session, then every thing came back..

How does WCS probe the ACS to see if it is authenticating?

Cheers

Craig

WCS uses a round robin fashion to probe the ACS server based on the settings you have configured under WCS --> Administration --> AAA --> TACACS+. Post screenshot of this page.

1. What version of WCS are you running?

2. Enable tracing from Administration --> Logging --> Change message level to Trace.

3. Duplicate the problem.

4. Download and attach the WCS logs from Administration --> Logging --> Download Log.

Keep in mind this is a WCS discussion so any issues with the ACS server itself, it would be best to post that in the respective forums as to why the ACS session froze.

https://supportforums.cisco.com/community/netpro/security/aaa

@Steve, thanks for the great questions.

For the WLC 2500 series, there is a 50 AP max, 500 clients, and 500 tags limitation. If you don’t need to scale beyond those limits, then 2500 series controller should suit your needs.

In addition, it supports 802.11N, Clean Air, and Mesh AP along with other features. The following AP’s are supported with the 2500 series:

• CAP3500 (Max 400 Clients per AP)
• LAP1260 (Max 400 Clients per AP)
• LAP1040 (Max 400 Clients per AP)
• LAP1250 (Max 400 Clients per AP)
• LAP1140 (Max 400 Clients per AP)
• Legacy Cisco Aironet AP’s (LAP1130, LAP1240, LAP1230, LAP1500)

You mentioned that you occupy a 55k square foot building with 3 floors and outdoor space of 45k. I’d recommend you do a site survey to determine your needs to get an idea of how many AP’s is needed, placement location, antenna type, coverage area, power consideration, wiring requirements, and extra capacity if needed.

The goal of the site survey should be high availability, scalability, manageability, and interoperability. In WCS, you can use the planning mode option from WCS --> Monitor Maps --> System Campus --> Building --> Floor --> From select command chooses “Planning Mode”. Use the generate proposal option and this will detail the amount of AP’s needed based on the location and size.

More info can be found here to use this feature:

http://www.cisco.com/en/US/docs/wireless/wcs/7.0MR1/configuration/guide/maps.html#wp1179446

This is assuming you have WCS installed and configured to manage your wireless network environment.

@Ana,

Here is some docs for debug and show commands and understanding debugs on the WLC:

Understanding Debug Client on WLC:

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_tech_note09186a008091b08b.shtml

WLC Debug and Show Commands:

http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b3e118.shtml

Use the Bug Toolkit to decode the errors to see if existing bugs are impacting the WLC:

http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs

Copy the error messages and paste it into the keyword search.

@ evarmer, Thanks for the great questions. The steps below will outline how to backup and restore your AP, controllers, and MSE configuration using the WCS 7.0.x.x or later.  Note when backing up the WLC, it will take care of saving your AP configuration for you so no additional steps are needed unless you have custom AP templates.

Backup Configuration from Controller

You have two options to backup the configuration from the WLC to WCS.

Option 1: WCS → Configure → Controller → Select IP address of controller and from the select command menu, choose “refresh config from menu” and go. You will be presented with two options, one that ask to retain configuration in the WCS database or use the configuration on the controller currently. Most likely the second option is what you want when backing up.

Option 2: Choose Administration > Background Tasks, then click Controller Configuration Backup to access this page.

From the Administration > Background Tasks page, you can execute, enable, or disable this task. To execute, enable, or disable this task from the Administration > Background Tasks page, follow these steps:

1. Choose Administration > Background Tasks.
2. Select the check box of the Background Task that you want to execute, enable, or disable.
3. Use the Select a command drop-down list to perform one of the following task:
4. Execute the task now—Select the check box of the task you want to execute. From the Select a command drop-down list, choose Execute Now and click Go. The status changes in the Enabled column.
5. Enable the task—Select the check box of the task you want to enable. From the Select a command drop-down list, choose Enable Task and click Go.

Restore Configuration to Controller

1. Choose Configure > Controllers.
2. Click the IP address of the applicable controller.
3. From the left sidebar menu, choose System > Commands. The following parameters appear:
4. Configuration and select Restore Config To Controller—Choose this command to restore the configuration from the WCS database to the controller.

Backing Up Mobility Services Engine Historical Data

To back up mobility services engine data, follow these steps:

1. In Cisco WCS, click Services > Mobility Services.
2. Click the name of the mobility services engine that you want to back up.
3. From the left sidebar menu, choose Maintenance > Backup.
4. Enter the name of the backup.
5. Enter the time in seconds after which the backup times out.
6. Click Submit to back up the historical data to the hard drive of the server running WCS.

Restoring Mobility Services Engine Historical Data

To restore a file back into the mobility service, follow these steps:

1. Choose Services > Mobility Services.
2. Click the name of the mobility service whose properties you want to edit.
3. From the left sidebar menu, choose Maintenance > Restore.
4. Choose the file to restore from the drop-down list.
5. Select the Delete synchronized service assignments check box if you want to permanently remove all service assignments from the mobility services engine.
6. Click Submit to start the restoration process.
7. Click OK to confirm that you want to restore the data from the Cisco WCS Server hard drive.

When restoration is completed, WCS displays a message to that effect.