getXML('Security and Network Management5084 artur.pintoNov 2, 2009, 4:32am PSTHi,<br /><br />I have a costumer that has a wireless network with a WLC 4400 (ver 6.0.182.0) and several Aironet APs (1250 version 12.4).<br />He also has a Wireless IP Phone. The IP Phone loses the communication with the LAN very often.<br />In the WLC logs we can see the following error:<br />Client Excluded: MACAddress:00:24:c4:55:11:58 Base Radio MAC :00:25:84:89:fe:20 Slot: 0 <br />User Name: unknown Ip Address: 10.70.18.113 Reason:802.11 Association failed repeatedly. ReasoCode: 2<br />In the documentation I did not see any information regarding this error, anybody has a clue about the meaning of this error? How can I fix it?<br />Best Regards,<br /><br />Artur Pinto <br /><br /><br /> 30 dancampbNov 2, 2009, 6:58am PSTIf memory serves correct reason code 2 means that a duplicate IP address was detected. lotten1981Nov 17, 2009, 9:24am PSTI'm getting this also a 1252 AP attached to a WiSM running 5.2tdrumond@almavivadobrasil.com.brNov 17, 2009, 6:05am PSTHi all,<br />I would like to configure MAC filtering on my 851W Router. I mean, only certain MAC address could have access to the wirelless network.<br />Is that possible?<br />How is the best way to do that on this router?<br /><br />Thank you<br />Regards Charles_Chi4Nov 14, 2009, 12:11am PSTHi,<br /><br />I just set up PEAP for my client with WEP encryption with EAP. Then the client ask me to eliminate any key before prompting user's credential.<br /><br />I tried to remove encryption but the EAP itself won't work with encryption disabled. Then my client look into windows wirelesss NIC setting and found that below "network key" there's a option for "The key is provided for me automatically"<br /><br />For that reason, Access Point should be able to generate WEP key without user entering it. Does any body knows how to enable this feature? 30Robert.N.BarrettNov 15, 2009, 10:10am PSTHow are you performing your PEAP authentication? That would help us answer your question. swyatt@sycomtech.comNov 16, 2009, 1:32pm PSTTo support dynamic wep you will need to setup a RADIUS server for authentication. You would then configure PEAP or EAP-TLS for athentication. IAS (Server 2000, 2003) or NPS (Server 2008) is free, but if you are going to dynamic WEP why not go with WPA. yusuf.ujjainwalaNov 12, 2009, 6:47am PSTI have a WLAN setup using the Cisco WiSM, Cisco ACS 4.1.3 as the Radius Server. We are using PEAP as the WLAN Security. THe issue is that all the clients who have Windows OS are able to connect to the WLAN and PEAP works fine.However the users who have Apple MAC OS are unable to connect to the WLAN that has PEAP as the Security setting. The MAC has OS 10.5.6 and I tried upgrading the image however the prob persists. On the ACS server I get in the Failed Log as "Internal Error". <br />Can someone help what does the Error mean , and any resolution for the issue. 30Robert.N.BarrettNov 12, 2009, 8:07am PSTCan you provide some detail about how you created the user profile on the Mac? Also - did you put the ACS server's certificate into the Mac's System store so that the Mac will trust the ACS server (or configure the PEAP profile on the Mac to ignore the ACS server's certificate)? yusuf.ujjainwalaNov 12, 2009, 10:45pm PSTI went to the Airport Network Preferences and created the profile. I have configured the PEAP profile to ignore the ACS's certificate.Robert.N.BarrettNov 13, 2009, 4:47am PSTDon't know of any reason why it wouldn't work. I have clients with hundreds of Macs using PEAP (with user credentials, not machine credentials).<br />weterryNov 15, 2009, 8:26pm PSTPerhaps your ACS is configured to only allow PEAP-MSChapv2? Don't Apples use PEAP-GTC?<br /><br />Doesn't explain the error though...Robert.N.BarrettNov 16, 2009, 12:32pm PSTSomething in the back of my mind is reminding of an "Internal Error" message in the ACS logs when the Active Directory user account is disabled. john.judge@carat.comNov 16, 2009, 12:31pm PSTHi,<br />Has anyone been able to configure restrictive access to the Management interface? I created an ACL that specifies our Management VLAN and set the action to "permit". I then added this ACL to the management interface, but I'm still able to login from any IP. The WLC is running 4.2.176.0 and to my knowledge there are no known bugs related to this. Thank you.<br />-John jhansen@qualys.comNov 16, 2009, 9:26am PSTIn order to replicate a bug, I'm looking to add a Cisco WAP to my lab which has an ssh banner of SSH-2.0-OpenSSH_4.0.<br />Does anyone know of a hardware / software version which runs this version of SSH?<br />I have a 350, 1100 and 1220B but they are all running SSH-1.5-Cisco-1.25<br />Thanks! paulo.sNov 12, 2009, 10:52am PSTHi.<br />I read CWCS Configuration Guide release 5.1 about ACL, applied ACL to WLAN, but didn't work.<br /><br />I want to restrict wireless client access any networks.<br /><br />If anyone knows, please help me.<br /><br />Thks.<br /><br />Paulo Maurício 30 dancampbNov 12, 2009, 11:15am PSTKeep in mind with ACLs on the controller they are written with the assumption that you are on the controller and traffic is coming from the wireless clients in regards to the inbound and outbound directions. Also you need to write an inbound and outbound rule for each condition. They aren't like IOS ACLs that will automatically allow the return traffic through.<br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807810d1.shtml')">http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807810d1.shtml</A><br /> paulo.sNov 12, 2009, 11:41am PSTThks for help. <br /><br />I will test.<br /> paulo.sNov 13, 2009, 6:44am PSTOk, it works!!!<br /><br />I found the error. I was configuring by WCS, and when I configured protocol to ANY, returned this message: Protocol : 256 : Value for this attribute is invalid. (Valid Range: is 0 <> 255 )<br /><br />My WCS version is Version 5.1.64.0, and controller software version is 4.2.112.0.<br /><br />Thks for help.danletkemanAug 21, 2009, 6:01am PSTHello,<br /><br />I'm setting up a new 5508 WLC (the first wlc I have ever setup) and I have my WLAN setup with our existing WPA/TKIP ssid for transitioning our clients from our existing autonomous system to the wlc. I have selected PSK as the key mgmt and I can get the client's to connect for a few minutes but I keep seeing these errors:<br /><br /> Fri Aug 21 08:50:05 2009 Client Excluded: MACAddress:00:21:00:f9:dd:50 Base Radio MAC :00:23:eb:27:e3:b0 Slot: 1 User Name: unknown Ip Address: unknown Reason:802.1x Authentication failed 3 times. ReasonCode: 4<br /><br />I don't have nor do I want 802.1x enabled. Is there something I need to disable either on the client or the controller?<br /><br />Thanks.<br />Dan. 30Robert.N.BarrettAug 21, 2009, 7:12am PSTCongrats on getting your first controller set up. Since you don't have any 802.1X configured, could it be that the client in question is trying to use an incorrect PSK?danletkemanAug 21, 2009, 8:39am PSTI don't think so. All of the clients connect, but then get disconnected with the 802.1x error message.<br /><br />Dan.danletkemanAug 21, 2009, 9:36am PSTIf I click on the client and look at the client details it shows under the policy manager state that 802.1x is required. Is there something configured wrong on the client?<br /><br />Clients > Detail<br /> <br />Client Properties<br />MAC Address 00:21:00:f9:dd:50<br />IP Address <br />Client Type <br />WGB MAC Address <br />Number of Wired Client(s) <br />User Name <br />Port Number <br />Interface <br />VLAN ID <br />CCX Version <br />E2E Version <br />Mobility Role <br />Mobility Peer IP Address <br />Policy Manager State 8021X_REQD<br />Management Frame Protection danletkemanAug 22, 2009, 1:41pm PSTI have come across some more information reguarding my problem.<br /><br />When the lap cannot connected to the wlc then everything works! The clients can connect just fine without problems. As soon as I take the acl of the switch port and allow the lap to connect back to the controller, the client's cannot connect.danletkemanAug 22, 2009, 3:11pm PSTJust another note.<br /><br />When i set the Wlan to no authentication (open system) then I can connect to the ap when it is in h-reap mode and communicating with the controller. When i have the Wlan set to wpa/aes/psk i cannot connect.<br /><br />Is there a know bug in 6.0.182.0?<br /> kristoferheylAug 25, 2009, 11:08pm PSTI had a similar problem a while ago, caused by WCS not setting the PSK correctly on the WLC. Cisco TAC informed me that the error message not necessary is a dot1x error message, it can also indicate a PSK error (wrong key).<br /><br />Are you using WCS to push the PSK to the WLC?danletkemanAug 26, 2009, 9:41am PSTNo I am not using WCS. I contacted TAC and it looks like it might be a bug in the 6.x software. There next step was to re-create it in there lab.Robert.N.BarrettAug 26, 2009, 8:44pm PSTIf you are using WPA with AES, then I would change that setting - either use WPA with TKIP, or use WPA2 with AES (even if that does not solve your problem). Even though you are supposed to be able to mix and match WPA/WPA2 and TKIP/AES, I have seen some clients that work better using WPA/TKIP or WPA2/AES.danletkemanAug 27, 2009, 9:41am PSTIt's not that either. I have tried every combination of WPA and WPA2...the only ones that work is WEP or Open System.<br /><br />WPA and WPA2 work when the ap connection to the controller is lost. So it looks like the ap is not operating in H-Reap mode when it has a connection to the controller.<br /><br /> mcoverdiNov 12, 2009, 10:28pm PSTDoes your PSK have any numbers, special characters or is it exceptionally long? Try temporarily changing the PSK to something short with lower case characters only to see if that allows you to connect.danletkemanNov 13, 2009, 6:01am PSTI fixed the problem a while ago with a restart of the controller. I had never restarted it after the initial bootup. robert-hoNov 12, 2009, 6:29pm PSThey all, have a simple question.<br /><br />the page below indicates that it can handle up to 10 vpn connections with a base license. does it mean that we can only configure 10 vpn user/pass credentials? or, we can create, say 50 user/pass accounts, but only 10 can remote in at the same time.<br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html')">http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html</A><br /><br />thanks for the help.<br />-robert janet.maxwellNov 12, 2009, 11:48am PSTHello, I am looking into the ability to Use Active directory to Login to the wism controllers. I have been looking on Cisco website and It does not seem to be supported. It seems Like you can use LDAP to query the Controllers for credientials. However, LDAP is only supported if the LDAP server is set up to return a clear-text password. My controllers are version 4.2.185 we cant upgrade at this time we have legacy 1020AP. Can AD be Used? 30 dancampbNov 12, 2009, 12:47pm PSTThe controllers can only talk directly to AD through LDAP. The other option to use AD is to go trough a Radius server. Since you have Windows servers why not just enable IAS?gary@iler.comNov 12, 2009, 10:51am PSTHi, <br /><br />We bought a Cisco SGE2000P 24Port switch and 10 WAP4410N access points. Our intent is to provide a secure network to our LAN, and a guest network to the Internet. <br /><br />We are thinking 3 VLANs would be best for this: VLAN 100 connected to the LAN, VLAN 1000 for the Internet Router and Filter, and VLAN 1100 for the Guest Wireless access. <br /><br />We have the switch configured for all three of these, and 1 initial access point configured for the VLANS, too. <br /><br />We have not yet moved the current Internet connection to VLAN 1000 because we aren't sure how to setup routing between VLANS. <br /><br />Here are some specifics on how the traffic needs to route: <br />1. We have the DHCP server, which is the PDC, handling both scopes for the LAN and Guest VLAN. <br />2. The web filter in VLAN 1100 needs to authenticate with the DHCP server as there are different filter rules based on authenticated user. Any users coming from VLAN 1100 will have a default filter rule without requiring any authentication. <br />3. Certain traffic coming in from the Internet needs to be able to get to VLAN 100. The router has a built-in firewall that handles NAT and port forwarding, so as long as traffic can be forwarded to VLAN 100 we should be good. <br />4. Traffic on VLAN 1100 (guest Wireless network) should only be allowed to go to Internet (VLAN 1000). <br /><br />Right now I have the VLANs configured and the ports assigned to the Access Points are set for TAGGED and on VLAN 100 and VLAN 1100. <br /><br />The SGE2000P has the following IP addresses assigned to the VLANS: <br />10.7.3.252 – VLAN 100 <br />10.7.40.254 – VLAN 1000 <br />192.168.254.254 – VLAN 1100 <br /><br />Has anyone been able to setup a similar configuration? We have scoured the Internet for documentation but it seems to be very difficult to find! <br /><br />Thank you! <br /><br />Gary Smith<br /><br /><b>Attachment Keywords : </b> <br />1) Visio-Wireless_Configuration.pdf<br /> Visio-Wireless_Configuration.pdf123511application/pdfpdf9135211/12/2014noybilterystNov 10, 2009, 5:57am PSTHello.<br /><br />we are in evaluating process to purchase WCS and ACS View. At the beginning of the POC with WCS evaluation software and ACS View on VMware, we were able to have in WCS all Authentication records coming from ACS View, but now, don't know why, each time we try, we have the errror "Unable to connect to any ACS View server.java.lang.NullPointerException"<br />In attachment, a screenshoot. ACS View is functioning properly and WCS too except this funectionality.<br /><br /><br />Thanks in advance for your help.<br />Yab<br /><br /><b>Attachment Keywords : </b> <br />1) WCS.JPG<br /> WCS.JPG123434image/jpgimage3352911/10/2014no30 lavramovNov 10, 2009, 9:29am PSTCan you set your logging in WCS on trace, reproduce the issue and attach the wcs-log file containing the timestamp when you did the recreate.<br /><br />Provide me your ACS / ACS view versions and you seem to be using WCS 6.0 is that correct?<br />ybilterystNov 12, 2009, 1:38am PSTHi,<br /><br />I just did the test.<br />Here in attachement the trace logs<br /><br />WCS is 6.0.132.0<br />ACS View is 4.0.1<br /><br /><b>Attachment Keywords : </b> <br />1) logs.zip<br />logs.zip123491application/x-zip-compressedzip260114011/12/2014noeoinwhiteNov 11, 2009, 11:03am PSTNormally when i'm configuring guest access for customers who dont want to go putting an anchor WLC in the DMZ first I ensure the guest VLAN is locked down and then go ahead and create a guest WLAN with Layer 3 Web authentication and use LobbyAdmin to hand out guest accounts from WCS or the WLC.<br /><br /><br />My question is this ... do you think this is secure enough? As the over the air traffic is unencrypted is it possible for someone to sniff the guest user-name & password and gain unauthorized access to the guest network.<br /><br />Is it possible to encrypt over the air traffic dynamically without having to set a static pre shared key aswell as using layer 3 authentication?<br /><br />Just curious more than anything.<br /><br />Cheers 30 klein425@hotmail.comNov 11, 2009, 6:38pm PSTAssuming you left the SSL settings to default (on), then the guest authentication page uses a self-signed cerficate when passing the username and password. You can upload a real cert to the WLC if you are concerned. <br /><br />You could create a VLAN with no layer 3 interface on your production equipment and add a cable modem/router from another ISP and route all guest traffic to it (and of course block any traffic to your private net).<br /><br />I always create guest networks with the assumption that someone will gain access to it. Then decide whether your security policies will hold from there. If not, more security (anchoring, physically separate access points, etc.)william.hostetlerNov 10, 2009, 4:25pm PSTI have not used security with my APs as the enviroment has been fairly small and it is a school setting where the "hackers" if there were any would be the students anyways.<br /><br />Now that we have wireless almost deployed across 4 buildings with about 200 APs. I'm thinking I would like to get started. <br /><br />I am running the 6.0 software on 2 5508s and a 4402. I will be instituing WCS but that will be awhile off.<br /><br />I do not want to touch almost 1000 laptops to configure them for security. Am I best to try to just have the users use a name and password everytime, ldap auth., keys, etc. so that the controller knows the laptop is friendly?<br /><br />Later on I want to do guest access but first things first.<br /><br />I'm open to suggestions.<br /><br />Gary 30 leolaohooNov 11, 2009, 1:17pm PSTFive Steps to Securing Your Wireless LAN and Preventing Wireless Threats<br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/solutions/collateral/ns339/ns639/ns642/net_implementation_white_paper0900aecd804909a5.pdf')">http://www.cisco.com/en/US/solutions/collateral/ns339/ns639/ns642/net_implementation_white_paper0900aecd804909a5.pdf</A><br /><br />Five Ways to Improve Your Wireless Security<br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/solutions/collateral/ns339/ns639/ns642/net_brochure0900aecd80491099.html')">http://www.cisco.com/en/US/solutions/collateral/ns339/ns639/ns642/net_brochure0900aecd80491099.html</A><br /><br />Hope this helps. misha_bacNov 11, 2009, 12:43pm PSTHello, on "new AAA" WLC configuration page i see ipsec parameters, but i can't find how to use them with Cisco ACS - does it support ipsec connection? jpeterson6Oct 7, 2009, 9:00am PSTThe wireless environment has been growing quickly at the university campus I work at. From roughly 500 users a couple years ago to nearly 1000 today.<br /><br />This is starting to cause issues. Clients are reporting that they can 'associate' but they are unable to browse to any website.<br /><br />WCS (v4.2.128.0, WiSM is v4.2.207.0 on both controllers) is reporting several load threshold violations, which is to be expected with so many extra clients.<br /><br />- What are the best steps to help resolve the issue?<br />- I have Aggressive Load Balancing turned on with a threshold of 12- should I increase the threshold?<br />- How do I set the actual 'load threshold' of the individual APs, if possible?<br /><br />We don't have very many APs to deploy unfortunately, as our current campus-wide model is the 1010, which is EoS/EoL. At most we can deploy 1 or 2 in the busiest areas.<br /><br />----<br /><br />Also, I'm getting several critical security alerts reporting 'large NAV fields', 'broadcast floods' and 'NULL probe responses'.<br /><br />I included this problem with my initial questions because I have a hunch that its a direct result of the load issues, but I may be wrong.<br /><br />- Do these seem like a result of association issues due to load (ie, false alarms)?<br />- If they are actual attacks, what's the best course of action?<br /><br /><br />Thanks in advance. 30 jeromehenryOct 7, 2009, 1:45pm PSTHi,<br />Unfortunately, there is not much tuning you can do on your controller if you have too many users. Basically your issue is that there are too many users for the given available wireless space. What you need is more wireless space (more APs, especially in 5 Ghz, but also in 2.4 Ghz wherever you can add them without interfering with the others).<br />You can change the Aggressive Load Balancing threshold, but this will do is simply to change the threshold (number of users) from which you controller will consider the AP as overloaded... but then the users have to be sent somewhere else, which supposes 2 factors:<br />1. That other access points in the neighboring environment hear the incoming new clients, with a signal good enough to take them onboard (in other words, that you have enough APs in this area, which does not seem to be the case).<br />2. That the clients are not "sticky", that is to say that when the receive the Authentication Deny - reason 17 from the first AP, that they actually try the second best AP, which is not always the case. Many clients will stick to the first heard AP and Aggressive Load Balancing will not work.<br />So here the only solution is again more wireless space, i.e. more APs on unused channels.<br /><br />You cannot set the load threshold per AP, as it is a controller wide collective effort...<br /><br />Large NAV are very often the clear sign of the load excess you describe. Every time you send an 802.11 frame and fail (collisions / no ACK from the AP), you basically double your NAV and retry. Large NAVs usually are the sign that you re-try too many times without success, which is a sign of important interferences or too many users per AP.<br />Broadcasts floods and NULL probe responses can be many different things ranging from PC misconfiguration to real attacks. Too many users per AP is one possibility. If these messages come from the same APs that have too many clients, I would try to solve the too many users issue first.<br />Technically, the best fix is unfortunately probably not on the controller, but in the wireless coverage...<br />Hope it helps<br /><br />Jerome jpeterson6Oct 9, 2009, 6:49am PSTHmm.<br /><br />Thanks, that gives me a few things to think about. Also thanks for the confirmation of my hunch (about the NAV field alerts).<br /><br />I suppose it's time I look into ordering new model APs. We're running the latest version of 4.2, so we'll need to use LWAPP still. <br /><br />Are the 1100 models considered acceptable 'replacements' for the 1000 model APs? Do they play well together when associated to the same controller? ericgarnelOct 12, 2009, 6:52am PSTJerome,<br /><br />Well said... You touch on a lot of points that tend to get overlooked in high-density deployments and key issues to look for trouble-shooting<br /><br />5 points to you<br /><br />-Eric noc@kofax.comNov 11, 2009, 12:29pm PSTDoes anyone know what the load threshold is on these APs in terms of users, or is it determined by some other metrics? colin.lynchJul 21, 2009, 6:42am PSTHi All<br />I am using PEAP with the following setup<br /><br />WLC 4404<br />ACS Solutions Engine 4.01 (self signed cert)<br />Windows AD database.<br /><br />PEAP user authentication works fine.<br /><br />The issue is, I need to only allow machines which are in AD as such I have configued Machine authentication.<br /><br />However this is failing with the below log.<br /><br />host/wks1.lnd.uk Authen failed EAP-TLS or PEAP authentication failed during SSL handshake<br /><br />I have configured the ACS for PEAP machine auth in all required places and on the client. I have read lots of info saying I need to configure AD to allow Machine Authentications, and cert auto enrollment etc.., is this the case and if so whats the easiest way to do it?<br /><br />Thanks in advance<br />Colin 30 colin.lynchJul 21, 2009, 12:57pm PSTMay have made some progress, as far as I can tell as long as the ACS cert is copied to the client and put in the Local Computer store. That I believe should be enough.<br />I think when I installed the ACS cert on the client I went with the default which is NOT the Local Computer store.<br />(This is not the same as installing an idependant cert on the client, but rather just the Local machine, trusting the ACS)<br />Thats my thoughts anyway, I'll give it a try tomorrow. colin.lynchJul 22, 2009, 1:21am PSTOK<br />Logged into the laptop as a local admin and imported the ACS self signed cert in to: Physical Store: Trusted Root Cert Auths>Local Computer.<br /><br />This had the effect that my Machine Auth now no longer fails with the SSL error but now fails with "External DB user invalid or bad password"<br /><br />Unknown user policy is working as Domain user authentication is still working fine.<br /><br />Anyone got any ideas? roman.rodichev@iementor.comJul 22, 2009, 5:49am PSTWhat username do you see in that "External DB User invalid" error in Failed Attempts log? Maybe it's "CN=<user>"? colin.lynchJul 28, 2009, 3:31am PSTusername in failure log is host/FQDM<br />ie host/laptop.x.xpandapritamAug 4, 2009, 2:35am PSTHi colin, <br />will u able to solve the problem if yes then can you share the solution among us colin.lynchAug 4, 2009, 2:43am PSTHi Yes <br />Did solve the problem, in my case I just loaded the Agent on another server and all Machine Auth is now working perfectly and all login scripts etc run ok. So it must have been an issue between the Agent and the server which happened to be a DC. Another company had tried getting this working before and failed so I suspect they messed around with the Agent privilages on the DC.<br />I have drawn up a diagram showing all PEAP components end to end and what needs to be configured and how. If you want a copy let me know ur E-mail address.<br />Regards<br />ColinpandapritamAug 4, 2009, 8:57pm PSThi colin,<br /><br />thanks 4 the reply. i desperately need ur help.<br /><br />MY Emailid :<A HREF="mailto:pritam.panda1@wipro.com">pritam.panda1@wipro.com</A><br /><br />Thanks again... lacushimeAug 4, 2009, 9:55pm PSTHi,<br />I'm experience quite same problem with machine authen failed with host/ in another Domain Forest. Anyway could you also send me your diagram and how to setup agent.<br /><br />Thank you.<br /><A HREF="mailto:nuttea@mfec.co.th">nuttea@mfec.co.th</A> kamlesh.patelAug 21, 2009, 11:25am PSTHi Colin,<br /><br />Please send me @<br /><br /><A HREF="mailto:k.patel@tatacommunications.com">k.patel@tatacommunications.com</A><br /><br />Thx jimcantireAug 30, 2009, 9:17pm PSTHi Colin,<br /><br />Please send me a copy @:<br /><br /><A HREF="mailto:jimhuangca@yahoo.ca">jimhuangca@yahoo.ca</A><br /><br />Thankspatgeo1984Sep 29, 2009, 4:04pm PSTI'm in the process of implementing the same site, and I have presented a problem similar to yours I be able to obtain a copy of your diagram <br /><br /><A HREF="mailto:pgonzalez@coasin.cl">pgonzalez@coasin.cl</A><br /><br />Thank you very muchedunn@mtm.comOct 21, 2009, 5:43am PSTCan you please send me a copy of that diagram to <A HREF="mailto:ernandcorb@msn.com">ernandcorb@msn.com</A>. Thanks chuckdillonNov 3, 2009, 7:11pm PSTHi Colin, Could you please send me a copy of your diagram to <A HREF="mailto:charlespdillon@gmail.com">charlespdillon@gmail.com</A><br />Thanks jason_majieNov 9, 2009, 6:13pm PSTHi Colin, Could you also send me the solution? thanks a lot.<br />my email is <A HREF="mailto:jason.majie@gmail.com">jason.majie@gmail.com</A>Robert.N.BarrettOct 24, 2009, 10:51am PSTremoved - wrong thread...sorryspirotsaresSep 15, 2009, 2:33pm PSTI'm in the process of deploying the same setup. Would I be able to get a copy of your diagram @<br /><br /><A HREF="mailto:mrspiro@gmail.com">mrspiro@gmail.com</A><br /><br />Thanks<br /> fmirza007Oct 23, 2009, 6:40am PSTI am also trying to implement the same solution, would I be able to get a copy as <A HREF="mailto:well....farhan.mirza@gtsi.com">well....farhan.mirza@gtsi.com</A>..<br /><br />Thanks dmcushingOct 29, 2009, 5:10am PSTI am having a problem getting LAPs that are in other subnets to join our WLC. If I take the LAP and place it on the same VLAN/subnet as the WLC, it joins as expected. If I move it to another subnet, I get the following:<br /><br />*Mar 1 00:00:13.065: %SYS-5-RESTART: System restarted --<br />Cisco IOS Software, C1200 Software (C1200-K9W8-M), Version 12.4(13d)JA, RELEASE SOFTWARE (fc2)<br />Technical Support: <A HREF="javascript:newWin('http://www.cisco.com/techsupport')">http://www.cisco.com/techsupport</A><br />Copyright (c) 1986-2008 by Cisco Systems, Inc.<br />Compiled Fri 08-Feb-08 17:24 by prod_rel_team<br />*Mar 1 00:00:13.119: %SSH-5-ENABLED: SSH 2.0 has been enabled<br />*Mar 1 00:00:13.519: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset<br />*Mar 1 00:00:14.519: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down<br />*Mar 1 00:00:14.536: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset<br />*Mar 1 00:00:14.545: %DOT11-6-FREQ_SCAN: Interface Dot11Radio0, Scanning frequencies for 24 seconds<br />*Mar 1 00:00:15.536: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down<br />*Mar 1 00:00:28.133: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY<br />*Mar 1 00:00:28.171: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up<br />*Mar 1 00:00:28.177: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset<br />*Mar 1 00:00:28.192: SSC Load Current Size crypto_mykey 120, offset 9389, Saved Size soap_cert_crypto_mykey 124<br />*Mar 1 00:00:28.390: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up<br />*Mar 1 00:00:28.892: Logging LWAPP message to 255.255.255.255.<br /><br />%LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up<br />%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated<br />%LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset<br />%LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up<br />%LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset<br />%LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up<br />%LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up<br />%LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up<br />%DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned DHCP address 192.168.115.75, mask 255.255.255.192, hostname AP0013.c3a7.bf97<br /><br />Translating "CISCO-LWAPP-CONTROLLER.mydomain.here"...domain server (X.X.X.X) [OK]<br /><br />%LWAPP-3-CLIENTEVENTLOG: Did not get vendor specific options from DHCP.<br />%LWAPP-3-CLIENTEVENTLOG: Did not get log server settings from DHCP.<br />%LWAPP-3-CLIENTEVENTLOG: Performing DNS resolution for CISCO-LWAPP-CONTROLLER.mydomain.here<br />%LWAPP-3-CLIENTEVENTLOG: Controller address Y.Y.Y.Y obtained through DNS<br />%LWAPP-5-CHANGED: LWAPP changed state to JOIN<br />%LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down<br />%LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down<br />%LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down<br />%LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down<br />%LWAPP-3-CLIENTERRORLOG: Join Timer: did not recieve join response (controller - 2169-WLC4402-1)<br />%LWAPP-3-CLIENTERRORLOG: Set Transport Address: no more AP manager IP addresses remain<br />%SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: DID NOT GET JOIN RESPONSE.<br />%LWAPP-5-CHANGED: LWAPP changed state to DOWN<br /><br />I have checked the WLC for any messages that look like crypto or other problems, but I don't see anything that stands out. Any suggestions or pointers would be greatfully accepted. 30 jeromehenryOct 29, 2009, 11:22am PSTI would try to ping the controller from the AP CLI. I can get the same message when there is asymmetric routing between the AP and the controller (so the controller gets the join request, but the AP never gets the join response).<br />I would also do a debug lwapp events enable on the controller to see if the AP is seen and how the controller reacts to that join request.<br />I would bet 2 cents on asymmetric routing issue...<br />:-) dmcushingOct 30, 2009, 4:03am PSTMy core routers use GLBP - do you think that would that cause any problems? Other than that, I don't think there is any asymmetric routing (we only have routing at the core).<br /><br />Unfortunately, once I converted the AP to an LWAPP, I cannot access the cli (or if I can, I do not know the credentials I am supposed to use).<br /><br />I did run the lwapp events enable, but didn't see anything unusual. I will capture and post that in case I am missing something that someone with more experience may catch. Thanks for the help. j.boyersNov 9, 2009, 6:59am PSTI looked at this again, and yes, GLBP appears to be the issue. Per the release notes for 5.0.148.0, GLBP is not supported. <A HREF="javascript:newWin('http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn501480.html')">http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn501480.html</A>. I just took a quick look and there are no versions 4.2 and above that support it. So, you will need to have a fixed IP address for your wireless management subnet. dmcushingNov 9, 2009, 7:27am PSTI must've missed that when I did the upgrade (sigh). RTFM bites me again. Thanks very much for the help. dmcushingNov 9, 2009, 7:35am PSTI've confirmed that GLBP is the issue. Once I pointed the AP Manager interface to a static IP, the AP was able to join properly. Thanks for the good catch - hope this thread helps someone else out too. leolaohooOct 29, 2009, 7:13pm PST%LWAPP-3-CLIENTERRORLOG: Set Transport Address: <b>no more AP manager IP addresses remain</b><br /><br />Can you provide more information such as: <br /><br />1. How many APs can the WLC4402 support and how many are currently joined? <br /><br />2. What is your WLC's firmware? <br /><br />3. Is there a possibility of a duplicate IP address in your network?<br /><br />Troubleshoot a Lightweight Access Point Not Joining a Wireless LAN Controller<br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00808f8599.shtml')">http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00808f8599.shtml</A> dmcushingOct 30, 2009, 3:58am PST1. The WLC can support 50, there are currently 38 joined.<br /><br />2. WLC firmware is 5.0.148.0<br /><br />3. I've tried the LWAPP on multiple subnets with DHCP, all failed. The only subnet that works is the same subnet the WLC is on. leolaohooNov 1, 2009, 1:28pm PSTWhat's your trunk port configurations like? Is the VLAN of the AP and WLC allowed? j.boyersNov 2, 2009, 7:47pm PSTActually, if the AP is on a different VLAN than the AP manager, you don't want to trunk that APs VLAN to the WLC. The AP will think that it can connect, but the WLC won't be able to respond since it receives the request from a VLAN that is not the AP manager VLAN. If you have the AP VLAN trunked to the WLC, remove the VLAN and see if that fixes the issue. dmcushingNov 9, 2009, 6:50am PSTThe APs that I am having a problem with are on a VLAN that is not trunked to the WLC. The AP VLAN (ie. 200) *has* to go through L3 routing at the core (dual 7206 routers with GLBP). No matter what VLAN or router I have tried, the WLC fails to see the packet from the AP.<br /><br />If the AP is on the same VLAN as the WLC (ie. the AP Management VLAN) there is no problem. j.metzgerNov 9, 2009, 6:12am PSTYou do have the controller configured for Layer 3 mode don't you (controller, general settings)? dmcushingNov 9, 2009, 6:44am PSTYes, I have it configured in L3 mode :) Thanks for getting me to double check though. j.metzgerNov 9, 2009, 7:24am PSTHave you tried to change the AP VLAN gateway from GLBP to static or HSRP?<br />m.bailey7@ntlworld.comNov 7, 2009, 7:01am PSTHi,<br /><br />Have just installed WCS 6.0.132.0 as part of a new installation.<br /><br />Have defined my buildings and loaded floor plans (PNG) however every time I try and use the Map Editor it just hangs at "Loading(%) 0%" and nothing happens.<br /><br />Have ensured flash is installed.<br /><br />Any ideas? 30 lavramovNov 7, 2009, 9:46am PSTYes, this is a bug I filed : <br />CSCtc41084 WCS map import from file fails and does not provide an error message <br /><br />The problem is that images over 72 dpi are not yet supported in WCS 6.0. The next wcs release should fix this.<br /><br />In the meantime, your workaround is to save the image under a different format or the same format but not over 72 dpi resolution.<br /><br />BTW, feel free to post any WCS questions at the ASK THE EXPERT SECTION and I will answer there.<br /><br /><A HREF="javascript:newWin('http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Security%20and%20Network%20Management&topicID=.ee6e8c0&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4e34e')">http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Security%20and%20Network%20Management&topicID=.ee6e8c0&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4e34e</A>m.bailey7@ntlworld.comNov 7, 2009, 10:58am PSTThanks, slightly frustrating as every piece of image editting software I have saves at 96 dpi and when I try to reduce to 72 dpi they become unreadable.<br /><br />Will have to keep on trying I suppose or buy alternate image software!<br /><br />Thanks again lavramovNov 7, 2009, 5:44pm PSTOr save them as jpeg, that may workm.bailey7@ntlworld.comNov 8, 2009, 1:27am PSTNo luck I'm afraid, saved to 72dpi JPG as attached and map editor still doesn't do anything as attached.<br /><br /><b>Attachment Keywords : </b> <br />1) image_properties_72dpi.JPG<br />2) map_editor_hung.JPG<br />image_properties_72dpi.JPG123307image/pjpegimage1476011/08/2014nomap_editor_hung.JPG123308image/pjpegimage2570011/08/2014nom.bailey7@ntlworld.comNov 8, 2009, 10:07am PSTSorted now - problem with the client.<br /><br />Used a different client with IE7 (original only had IE6) and with 72dpi image all is fine.<br /><br />ThanksthanmadNov 5, 2009, 8:50am PSTI'm trying to get our cert onto the WCS but it's proving difficult. Does anyone have actual documentation for this? Everything i've googled so far is proving rather unhelpful.<br /><br />As i understand it, in the "Download Web Auth Certificate to Controller" section i have a number of fields. Server Name and IP need to correlate to the settings of my virtual interface.<br /><br />but then we get into "Server File Name" and "Password:". is server file name the name i want to give the cert when it's on the server? What is this password field? 30 lavramovNov 5, 2009, 10:29am PSTDo you want to downlad a cert from WLC to WCS?<br />Or push a cert from WCS to WLC?<br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/docs/wireless/wcs/6.0/configuration/guide/6_0tasks.html#wpmkr1077669')">http://www.cisco.com/en/US/docs/wireless/wcs/6.0/configuration/guide/6_0tasks.html#wpmkr1077669</A>thanmadNov 5, 2009, 1:22pm PSTI'm not a cert expert by any means, i'm just trying to make the rediculous cert error i get in web-passthru to disappear.<br /><br />I was able to get the CA to the controller (via wcs) but i can't seem to get the server cert installed. we're using a wildcard cert (*.domain.com) so i'm a little unsure if that is causing problems or not.<br /><br /> lavramovNov 6, 2009, 4:28pm PSTOk got it. If your cert is for FQDN, then your WCS hostname should be FQDN too. Remember that the license for WCS is bundled to your hostname and if lets say you change your wcs hostname from wcs to wcs.domain.com then you need to change your WCS license.<br /><br />Having said that, here is how to install a CSR on your WCS server:<br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/ps6305/products_configuration_example09186a00808a94ca.shtml')">http://www.cisco.com/en/US/products/ps6305/products_configuration_example09186a00808a94ca.shtml</A> BarryhoyNov 6, 2009, 10:28am PSTI seem to be having issues with my guest network on a intermittent basis. The guests get on the network and get a correct ip address with no problem every time. the only thing is when they open their browser and try to go to google or any other web page, they are not being redirected to the login authentication page. We are just using the default web page. I am not sure if it is a DNS issue or some kind of certificate issue. It will just seem to start working again. Does anyone have any ideas. I have read the doccumentation on troubleshooting the web authentication. 30 BarryhoyNov 6, 2009, 3:51pm PSTI may have found the problem. I have changed the DNS addresses and am waiting to hear if it has resolved the issue. dan.letkemanOct 28, 2009, 6:16pm PSTI need to setup a guest wlan on a single 5508 controller. Currently all of my ap's are in h-reap mode and all in remote buildings connected via a high speed wireless wan.<br /><br />The guest network could consist of 500 users in the near future, so i'm wondering what is the best way to configure the guest wlan so I don't have one big broadcast domain across my entire network? 30 klein425@hotmail.comNov 6, 2009, 12:12pm PSTThe best way would be to use AP Groups which sets an SSID on a specific access point to belong to specified VLAN.<br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/partner/products/ps10315/products_installation_and_configuration_guides_list.html')">http://www.cisco.com/en/US/partner/products/ps10315/products_installation_and_configuration_guides_list.html</A> (see page 6-47 for exact configuration instructions).<br /><br />I'm assuming that you want guest traffic tunneled back to the controller.dan.letkemanNov 6, 2009, 2:32pm PSTOk. I already have my ap's in ap groups (per building) and I have different vlans in each building with the same ssid company wide. I'm doing this via h-reap.<br /><br />My question is how do I accomplish the same thing with the guest wlan, but without h-reap. Or do i use h-reap and just setup acl's to block the traffic? But then does web authentication work the same?<br /><br />The confusion for me comes in at the controller level with the guest-wlan interface I created having to be attached to a vlan. Is this not needed to do web authentication?<br /><br /><br />Thanks,<br />Dan. wowsersusaNov 14, 2006, 12:00pm PSTI am basically trying to take the e-mail pass-through page and manipulate the simple html code say Signature instead of Email Address. However Every time I copy the code and open up the login.html that I upload with the custom webauth page I no longer have a submit button and even when I hit enter it no longer redirects me anywhere. Basically the need for this is to have the users name in the system to log them. We are just trying to figure out if there is a way for a guest to self register themselves by reading a license agreement and then signing at the bottom. Thanks in advance for any help that could be provided 30 wdrootzNov 20, 2006, 11:49am PSTTry these links:<br /><A HREF="javascript:newWin('http://www.cisco.com/univercd/cc/td/doc/product/wireless/control/c44/ccfig40/c40users.htm#wp1048609')">http://www.cisco.com/univercd/cc/td/doc/product/wireless/control/c44/ccfig40/c40users.htm#wp1048609</A><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/ps6366/products_configuration_guide_chapter09186a008076cf0c.html')">http://www.cisco.com/en/US/products/ps6366/products_configuration_guide_chapter09186a008076cf0c.html</A> blawrimore1Nov 21, 2006, 8:14am PSTim having the same issue, and ive looked up and down cisco's site for some help. the most ive come up with is a general guide on what fields to code, like "make sure you capture the redirect url".<br /><br />ive copied the source code of the internal auth page, modified it, tar'd it, and uploaded successfully. the javascript does not work, there is no submit button, and none of the basic cisco banners are there. i assume its because of the directory structure, which is not documented.<br /><br />i do see in figure 9-14 (here: <A HREF="javascript:newWin('http://www.cisco.com/univercd/cc/td/doc/product/wireless/control/c44/ccfig40/c40users.htm#wp1053578')">http://www.cisco.com/univercd/cc/td/doc/product/wireless/control/c44/ccfig40/c40users.htm#wp1053578</A> ) that there is a submit button and a terms button. i would be ecstatic if i could find out how that terms button works.<br /><br />all i need is a "ive read the terms and agree to them" page, along with the terms for them to read. modifying the internal page does not allow for carraige returns so this is not acceptable for my use.<br /><br />please help with this issue, ive seen it posted a few times and no answers that i can find.alvin1976Feb 7, 2007, 12:26am PSTHello,<br />When i followed the instruction given by cisco literature on creating a customized webauth page, it doesn't work. The downloaded sample has a "no-action" javascript which basically does nothing. In order for the submit button to work, you need to configure the WLC to work with the internal webauth page, associate to the WLAN with webauth and open IE browser to be prompted with the actual login page. There you need to save the webpage and you'll get the REAL sample with workable login javascript. make sure you have the file "loginscript.js" in the "web Authentication_files" directory. Do your modification and tar the entire package. Don't forget to rename the html to login.html. Make sure you "APPLY" the customized page in security>web login> I'm still having some problem with this method, but I'll post this in another thread. wowsersusaFeb 7, 2007, 5:06am PSTWell Thank you for your post but I figured this out lte november. You are correct in saying about the javascript.js file. My problem was I edited it using VI and for some reason it put some non-standard ascii characters in my Javascript. I just downloaded the page again and it works. The only other problem I had was inside the controller I had to make sure under WLAN passthrough had e-mail checked in order for me to send login information to an accounting server.<br /> jennifer.huberFeb 7, 2007, 11:46am PSTCan you assist me with redirecting via editing the javascript.js file? I have the js file, but don't know where to put the url. I'm using SourceEditor (it's free) Thanks much! wowsersusaFeb 7, 2007, 12:17pm PSTHello Ms. Jennifer,<br /><br />What exactly are you trying to do? What we did for our company is create a custom webpage with a EULA designed by lawyers with a signature block at the bottom instead of E-mail. Then under the WLAN Layer 3 Security I selected WebPolicy then I selected passthrough and E-mail input. Essentially I cheated and made the Input E-mail ay Signature. I will be glad to help in any way I can. jennifer.huberFeb 7, 2007, 12:18pm PSTI have edited the basic web splash screen, and want the accept/submit button to redirect guest users to a different website. I believe when I upload a custom web auth page, I need to have a complete html file, and cannot use the redirect field that is only present on the controller when I am using the internal (default) web auth page. I do not know how to redirect based on a javascript file. I don't know where to specify the url, or how the js file parses the url. Thanks for your help! wowsersusaFeb 8, 2007, 6:19am PSTActually it is on your splash screen html file where you need to put the redirect.<br />Look for Form method part of your html code and this is what I had to enter for it to redirect the url to another website. Do not edit the javascript file it will screw things up. I learned that lesson. Let me know if this helps.<br /><br /><FORM method="post" ACTION="/login.html"><br /><INPUT TYPE="hidden" NAME="redirect_url" SIZE="255" MAXLENGTH="255" VALUE="www.google.com"> jennifer.huberFeb 8, 2007, 6:44am PSTThe FORM section of the html I pulled down looked like this:<br /><br /><FORM action=/login.html method=post><INPUT type=hidden maxLength=15 size=16 <br />value=0 name=buttonClicked> <INPUT type=hidden maxLength=15 size=16 value=0 <br />name=err_flag> <INPUT type=hidden maxLength=31 size=32 name=err_msg> <INPUT <br />type=hidden maxLength=15 size=16 value=0 name=info_flag> <INPUT type=hidden <br />maxLength=31 size=32 name=info_msg> <INPUT type=hidden maxLength=255 size=255 <br />name=redirect_url><br /><br />I edited this section to get the redirect to work:<br /><br /><FORM action="<A HREF="javascript:newWin('http://www.google.com')">http://www.google.com</A>" method=post><br /><br />Thanks so much for heading me in the right direction!<br /><br />I also realized that I had accidentally made the login.html a login.htm and the webauth bundle would not extract properly. I kept getting the error:<br /><br />Error extracting webauth files.<br /><br />Once I renamed the login.htm to .html the upload worked. jennifer.huberFeb 8, 2007, 8:20am PSTActually - my post wasn't correct - the redirect worked from the controller preview, but not as a redirected user.<br /><br />The section I edited to make it work was this:<br /><br /><INPUT type=hidden maxLength=255 size=255 <br />name=redirect_url value="<A HREF="javascript:newWin('http://www.google.com')">http://www.google.com</A>"><br /><br />Wanted to clarify for any other people having issues. Controller code version is:4.0.206.0, and it is a WLC 4402-50. mmatulevichFeb 27, 2007, 8:53am PSTThis is a good thread, as I have been having problems with web passthrough for guests since day 1 of upgrading to 4.0.179.11. I feel as though I am very close, a guest user now will see our custom passthrough page, click a button stating they have read the above usage information, and get to the "connection successfull" page.<br /><br />From here, nothing happens: there is no redirect. You can manually change your url and use the internet as you should. If you click your home page button you end up back at the passthrough page, where if you click the button again it just loops the same page. Here is the popular part of my html: If anyone has any suggestions, I greatly appreciate it. TAC has responded that they will not assist with custom made pages. If anyone wants to email me directly, I am at <A HREF="mailto:mikematulevich@yahoo.com">mikematulevich@yahoo.com</A>.<br /><br /><FORM method="post" ACTION="/login.html"><br /><INPUT TYPE="hidden" NAME="buttonClicked" SIZE="16" MAXLENGTH="15" VALUE="0"><br /><INPUT TYPE="hidden" NAME="err_flag" SIZE="16" MAXLENGTH="15" VALUE="0"><br /><INPUT TYPE="hidden" NAME="err_msg" SIZE="32" MAXLENGTH="31" VALUE=""><br /><INPUT TYPE="hidden" NAME="info_flag" SIZE="16" MAXLENGTH="15" VALUE="0"><br /><INPUT TYPE="hidden" NAME="info_msg" SIZE="32" MAXLENGTH="31" VALUE=""><br /><INPUT TYPE="hidden" NAME="redirect_url" SIZE="255" MAXLENGTH="255" VALUE=""> wowsersusaFeb 27, 2007, 11:35am PSTMike what you have to edit or add is up above the FORM method area. I remember having to add in some of my own code which I posted pretty much a whole block and you should be able to figure out where it goes.<br /><br /> <br /></STYLE><br /><script language="javascript" src="./loginscript.js"></script><br /><script><br /> var url = "";<br /> if(url != ""){<br /> var link = document.location.href;<br /> var searchString = "?redirect=";<br /> var equalIndex = link.indexOf(searchString);<br /> var redirectUrl = "www.google.com";<br /> if(equalIndex > 0) {<br /> equalIndex += searchString.length;<br /> redirectUrl += link.substring(equalIndex);<br /> //attach the redirect url only if the ext web auth url doesn't contain it<br /> searchString = "&redirect=";<br /> equalIndex = url.indexOf(searchString);<br /> if(equalIndex < 0){<br /> url+= "&redirect=";<br /> url+=redirectUrl;<br /> }<br /> }<br /> window.location.href = url;<br /> }<br /><br />function getErrorMsgIfAny(){<br /> if(document.forms[0].err_flag.value == 1){<br /> document.writeln(' \\<br /> <tr align="center"> <td colspan="2" style="color:#CC0000">Login Error.</td>\\<br /> </tr><tr align="center"> <td width="350" class="message" colspan="2"> Please try again.</td></tr>\\<br /> <tr> <td class="caption" colspan="2"> </td></tr>');<br /> }else{<br /> document.writeln(' ');<br /> }<br />}<br /><br />function noenter() {<br /> return !(window.event && window.event.keyCode == 13); }<br /><br /></script><br /></head><br /><body bgcolor="#ffffff" text="#000000" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0"><br /><FORM method="post" ACTION="/login.html"><br /><INPUT TYPE="hidden" NAME="buttonClicked" SIZE="16" MAXLENGTH="15" VALUE="0"> mmatulevichFeb 27, 2007, 1:40pm PSTThanks wow, good stuff. You didn't do any modifications to your javascript file I hope?<br /><br />I think the only real difference in the html I somehow missed was the<br /><br />var redirectUrl = "www.google.com"<br /><br />I thought for some reason if all these values were set to "", then it would redirect the user's specific home page. I will give this a shot. That being said, for the line a little lower on your html:<br /><br /><INPUT TYPE="hidden" NAME="redirect_url" SIZE="255" MAXLENGTH="255" VALUE=""><br /><br />Did you have to specify the VALUE="www.google.com" in that portion, or did you leave it ""<br /><br />Thanks in advance! wowsersusaFeb 28, 2007, 4:34am PSTFYI for anyone. DO NOT Modify the java script I had many problems when I did. mmatulevichFeb 28, 2007, 6:06am PSTWell I gave a few more bundles a try, modifying the html only by adding a redirect url in different areas. Upon clicking the button as a guest user, you still just end up at a "Connection Successfull" screen with the url of "1.1.1.1/login.html" - and it just sits there. <br /><br />I noticed in your html you have some session information after ACTION="/login.html"<br /><br />I never see that so I am wondering if this is where my problem is?<br /><br /> mmatulevichFeb 28, 2007, 11:51am PSTAh nevermind that, thats something that is getting pasted by the cisco website when I send a forum reply. So, this is where I am - even I have editied these two fields in the html from "":<br /><br />var redirectUrl = "<A HREF="javascript:newWin('http://www.google.com/')">http://www.google.com/</A>";<br /><br /><INPUT TYPE="hidden" NAME="redirect_url" SIZE="255" MAXLENGTH="255" VALUE="<A HREF="javascript:newWin('http://www.google.com/')">http://www.google.com/</A>"><br /><br />As a guest, the passthrough page displays properly. I noticed the full url at this point was:<br /><br /><A HREF="javascript:newWin('https://1.1.1.1/fs/customwebauth/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=xx:xx:xx:xx:xx:xx&wlan=xxxxxx&redirect=my_browser_homepage')">https://1.1.1.1/fs/customwebauth/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=xx:xx:xx:xx:xx:xx&wlan=xxxxxx&redirect=my_browser_homepage</A><br /><br />Checking the source at that point showed the original values of "" instead of the defined <A HREF="javascript:newWin('http://www.google.com.')">www.google.com.</A> When I click the button to proceed, I get the Connection Successfull page with the url:<br /><br /><A HREF="javascript:newWin('https://1.1.1.1/login.html')">https://1.1.1.1/login.html</A><br /><br />Checking that page's source also does not show <A HREF="javascript:newWin('http://www.google.com')">www.google.com</A> as a value, but rather:<br /><br /><FORM method="post" ACTION="/login_success.html"><br /><INPUT TYPE="hidden" NAME="redirect_url" SIZE="255" MAXLENGTH="255" VALUE=""><br /></FORM><br /><br />So I do not know why but something is overwriting the bundle changes I make. I did verify the .tar and apply/save config to the controller prior to testing. Any thoughts?<br /><br /> sethc@systemsconnect.comFeb 28, 2007, 5:06pm PST(Don't yell at me) but I just changed the logo and text of the sample web auth page with Frontpage and it worked fine.<br /><br />My questions is this.. I'm planning on having web auth against ACS for the internal wireless network, but for a guest network, I'd like to do passthrough. Is there any way to have separate custom pages to do this? <br /><br />If it's not possible I may just try and restrict SSID's via ACS and make a guest account, although at first try the NAR for restricting SSID's didn't work mmatulevichMar 1, 2007, 11:46am PSTProgress is a good thing, I think. I left all the values as they were at default for redirection in the html source. ("") Uploaded the bundle and applied it. CLI'ed into the controller and entered 'config custom-web redirectUrl <A HREF="javascript:newWin('http://www.google.com.'')">www.google.com.'</A> <br /><br />I had thought that field only applied when using the default (Internal) web login page. saved the configuration, logged in as guest and after clicking the button, passed through and redirected to google!<br /><br />The only problem left, which is potentially a forseeable one for guests, is that we will most likely redirect to our company homepage. A guest will probably then hit their browser homepage button, which sends them back to the passthrough page with a statuscode=1 at the end of the url, leaving them in a loop if they refresh.<br /><br />If they open another browser session, there is no problem and they go to their usual homepage and are fine. If anyone has any input on that or something to try let me know! almost there! sethc@systemsconnect.comMar 1, 2007, 12:50pm PSTI did observe the same thing as you today as I'm doing a new WCS/WISM/Wireless deployment.. you beat me to posting it! Even though you choose custom web auth, you still do have to use the config custom-web redirectURL command on the controller itself.<br /><br />I actually noticed the same thing as you w/ the guest page but didn't try to open a new browser session.. that's the only thing I have to get around as well! mmatulevichMar 5, 2007, 12:55pm PSTI was able to get the homepage button to send you to your browser's original homepage after using the passthrough page. I was missing a line in my html that prevented cache. I guess without this line the browser session was holding the passthrough page as the homepage. The line was:<br /><br /><meta http-equiv="Pragma" content="no-cache"><br /><br />So now redirection works as well as the user's homepage button after passthrough! Many thanks to the forum as this was my absolute only means to information. <br /><br />I am still continuing to work on the page to get it to function like the internal passthrough, meaning it would redirect you to your own browser homepage. I will keep an eye on this thread to help out anyone if I can, and post my own progress.<br /> sethc@systemsconnect.comMar 15, 2007, 8:28am PSTMy HTML page already had that line.<br /><br />The problem I am running in to now is that when using custom web auth page, the web-passthrough page gets changed as well, and it's different.<br /><br />TAC had me downgrade controller software to 4.0.179.11.<br /><br />If you use the default internal web auth pages, you'll see that you get served a different page when you use a WLAN with web-auth versus one with web-passthrough + email input. <br /><br />I'll let everyone know what I found out with my case.. mmatulevichMar 15, 2007, 9:15am PSTDefinately, there are more scripts added that reference the javascript file when you do more than passthrough. After all the testing I did just to get passthrough working, your custom html working depends highly on where you place the scripts. I'm sure you will figure it out as long as you include the new ones in your page - good luckkjetil.carlsen@gmail.comMar 17, 2008, 3:53am PSTI'm using the "custom web auth page", and everything works fine exept when i get rederected back to the webpage if wrong password/username/allready loggen inn etc.<br /><br />If running the "default web auth page" im returned with this url:<br /><br />https://xxxxxxx/login.html?switch_url=http://xxxxxx/login.html&ap_mac=xx:xx:xx:a8:27:e0&wlan=xxxx-guest&redirect=www.google.com&statusCode=5<br /><br />If I switch too the "custom web auth page" I’m missing the parameter "statusCode=" - and therefore gets no alerted errormessage..<br />Anyone know why?<br /> ibm.alexlFeb 9, 2009, 2:23am PSTFor the redirect page, is it also works on https page? I have customer who want to redirect to a SSL page (intranet) when users connect to the wireless network. <br /><br />Could it done by modifying the custom login page redirect_url hidden html field??<br /><br />Thanks. robert_braverNov 6, 2009, 12:02pm PSTHas anyone figured out getting redirect to the user's desired page working on a custom web auth configuration?<br /><br />TIA for any pointers. robert_braverNov 6, 2009, 1:17pm PSTWorking: redirect to user's desired URL<br /><br />Not long after I posted asking about redirecting to the user's desired page, I found a workaround.<br /><br />I had been using the built-in default web auth files as a template and customized.<br /><br />There are webauth bundle examples on CCO that someone mentioned, so I searched and found them. In those examples, they don't use a loginscript.js - they just put whatever functions they need in the html page.<br /><br />At any rate, there is a newer submitAction function in the example I looked at. I replaced the previous version and all works as expected. james.taiwoOct 22, 2009, 2:24am PSTHi<br /><br />We have head office with 4402 controller and few 1130AG series access points. Clients PCs access to wifi network after authentication throu http site (service is woking on 4402 controler). <br />In other branch (connected to head office throu WAN-VPN) we have one 1130AG AP and we would like to use the same www authentication for clients. Is is possible ? How is the best way to do this ? Can we do this using differents LAN ip addressing for branch AP and clients ?<br /><br />thanks in advance<br />James 30 klein425@hotmail.comNov 6, 2009, 12:27pm PSTThe ideal solution would be to use the 4402 web-auth page and then route Internet traffic locally, instead of through the VPN. Unfortunatly I'm not aware of such a solution.<br /><br />If you don't have the remote 1130 AP set to HREAP mode all traffic will be tunneled back to the WLC and clients will be forced to use the web-auth on the 4402.<br /><br />If you are using HREAP, traffic would get routed locally and not forced to the 4402 page.<br /><br />Depending on the remote users' traffic patterns and how secure you want authentication/encryption, it might be okay just to tunnel the traffic back. This is also dependant on a good WAN. If it goes down, no wireless access at remote side. kenneth.hallNov 3, 2009, 5:34pm PSTWLC 2125 (running 5.2.193.0) - Trying to determine if it is possible to have a Guest SSID hand out an address from the internal DHCP server and have that NAT'd out a physically separate interface that just goes to a local ISP? Or is the only way to connect the separate port to a router/DHCP server for that network and let the external router do the NAT'ing?!?<br /><br />-k 30 dennischolmesNov 6, 2009, 9:50am PSTExternal routing from a router, ASA, PIX, or other layer 3 device only. The controller has no ability to NAT. lynne.meeksOct 29, 2009, 7:30am PST We have just discovered a problem with 802.1x authentication and Atheros cards.<br />We have seen this on both MAC OS X 10.6.0 systems and an XP System<br /><br />This appears to be a DHCP problem in that clients don't get an IP address unless they reboot- which usually fixes it. Sometimes the controller will think the client is connected with a valid IP but the client doesn't actually get the address (never sends an ACK to the offer)<br /><br />Then it will work until they try to reconnect again after a suspend or roaming to a new AP<br /><br />Anybody seen this? It's making our network look bad since we have a lot of MACs with Atheros cards...<br /><br />thanks,<br /><br />Lynne 30 dennischolmesNov 6, 2009, 6:44am PSTTry disabling dhcp by proxy. That tends to slow down the dhcp process significantly and disabling it allows you to track dhcp requests and lease times easier. In the WLC gui go to controller, advanced, dhcp, and then take the check mark out of the box. This will stop the dhcp relay mechanism where all dhcp requests appear to the dhcp server to come from the virtual interface of the controller. jain.nitinNov 5, 2009, 12:16am PSTHi All, we are facing problem in upgrading wism image from 3.2.78 to 3.2.195. When Ever I try to upgrade image of controllers i get an error message failed to store in flash.. I tried to upload boot loader file as well which is of 4MB, but I am getting same message..I am using TFTD32 software. I also noticed that controllers have two images in its memory, primary & backup. I want to delete the backup one so that memory can be free..if its a memory problem...can any body help me on this..I want to resolve this issue asap. 30 leolaohooNov 5, 2009, 10:07pm PSTWow. That's pretty old firmware. Why don't you upgrade to 4.2.207.0 instead?<br /><br />Don't bother deleting the 2nd boot flash because this will save your skin when the 1st boot flash fails.dan.letkemanNov 4, 2009, 4:16pm PSTHello,<br /><br />When I'm running reports in wcs we have a lot of our new machines show as unknown in the vendor list. Is there a way to make manual entries for certain oui's? Or even better, a way to update the list?<br /><br />Thanks,<br />Dan. 30 lavramovNov 5, 2009, 10:09am PSTThis is not supported as of now. It's a good thing to be requested as a Personnal Enhancement Request via your sales / account team. news2010aNov 3, 2009, 11:26am PSTImagine that I have this scenario:<br /><br />Client(IP=192.168.1.1/24)--[CiscoL2 switch]--Router--CiscoL2Switch----F5 Firewall IP=10.10.10.1/24 (only one NIC, there is not outbound and inbound NIC configuration on this F5 firewall)<br /><br />One of my users is complaining about the following:<br />When clients receive traffic from the F5 firewall (apparently the firewall is doing PAT not NAT, the client see IP address 10.10.10.1. <br /><br />Do you see this is a problem? Should I make another IP address range available and do NAT properly so that clients will not see the firewall IP address? I don't see this situation is a problem but please let me know if I am wrong.<br /> news2010aNov 3, 2009, 9:10am PSTThis is not a Cisco product related, but in case someone can confirm I'd appreciate it:<br /><br />Imagine from a web server (let's say the Microsoft IIS web server thing) you generate a "certificate request" and submit that to the CA (Certificate Authority, Verisign for example).<br /><br />Then Verisign process your request and send you the certificate via e-mail and then you install that certificate on the web server Microsoft IIS web server.<br /><br />Question:<br />The certificate that Verisign sent over e-mail is (or contain) the public key, correct?<br /><br />How about the private key? Was that private key generated when such "certificate request" was processed at the very first step in the Microsoft web server, correct?<br /> 30 dancampbNov 3, 2009, 10:25am PSTYou are correct with your thoughts of public and private keys. ')