
Office Extend Deployment Questions

alex.dersch
Level 4

Hello,

I have a couple of questions regarding office extend deployment. We have an existing WLC 5508 with 30 access points; now we’d like to deploy 3 office extend antennas in home offices, to provide the same SSID as in the main office. We got a WLC 2504, which I think is best placed in the DMZ. I read I have to open the ports udp/5246 and udp/5247 on the outside firewall in direction to the DMZ. What ports do I have to open from the DMZ to my inside network?

When I configure the WLC 2504 as an anchor controller, is all the traffic then sent first to the internal controller? If so, which ports are involved?

Thanks in advance

Alex

25 Replies

Hi Scott,

Yes, I'll fly to Miami on Thursday, drive to Orlando on Saturday. Which session do you mean? Sure, I'll pass by.

Dropping the traffic in the DMZ is not an option, I would have to open too many ports.

Alex

It's the 802.11ac at 1pm... I don't have the session number handy...

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."


Yup, that's the one!


Just registered, see you there.

Hi George, Scott

I got a new related issue. I changed the authentication type from MAB to EAP-TLS, but AnyConnect gets an authentication failure message. It's really odd because in my ACS I get an authentication message.

I attached the debug from the controller.

Any ideas?

Regards

Alex

I'm confused here. So the OfficeExtend is working okay, it's the authentication that's not?


-Scott
*** Please rate helpful posts ***

Hi Scott,

I have two SSIDs broadcast on my OE AP. One is MAB authentication based, the other one is EAP-TLS based. MAB is working fine, EAP-TLS not. In the ACS server I see both requests are authenticated properly.

Thanks

Alex

So EAP-TLS is working fine on your other non-OEAP access points, correct? The OEAP will pass traffic the same as the other APs, so if the RADIUS is passing the accept, the WLC should allow the client on. First things first... you do have clients using the same SSID that works, correct?

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"


Hi Scott,

Sorry for coming back too early, but I didn't have the antenna with me. So I just verified the config of both SSIDs; everything is the same except the Interface in the General tab: on the anchor controller it is the management interface and on the foreign controller it is a dedicated interface for the SSID. I checked the mobility group configuration as well, everything looks fine.

Any idea?

I'd really like to bring it with me to Cisco Live.

Regards

Alex

I really don't know what to do anymore. Here is a screenshot from my ACS server. It seems client and ACS are successfully exchanging EAP messages. I just tried to add another MAC lookup based SSID. No problems at all, it just works fine.

On the anchor controller I get this:

Client Deauthenticated: MACAddress:60:67:20:48:68:60 Base Radio  MAC:00:3a:9a:f0:2a:c0 Slot: 1 User Name: Alex Dersch Ip Address: unknown  Reason:Unspecified  ReasonCode: 1
