IPv6 Accounting
Normally the WLC reports only IPv6 prefixes in RADIUS accounting. This is a CLI-only, per-WLAN setting:
    config wlan radius_server acct framed-ipv6 both <wlanID>
New Cisco 2700 and 3700 APs do not join WLC SW version 7.x
They in fact come with firmware suitable for WLC SW version 8.x. This should not be a problem, but indeed they do not auto-join the controller.
    # capwap ap controller ip address <wlc ip address>
boot command (do not ask me why this should use different firmware/configuration than the stock one).
    *Mar 1 00:01:05.139: AP has SHA2 MIC certificate - Using SHA1 MIC certificate for DTLS.
    *Apr 28 15:43:00.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: xxx.xxx.xxx.xxx peer_port: 5246
    *Apr 28 15:43:00.495: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 140.105.48.33 peer_port: 5246
    *Mar 1 00:01:50.607: %CAPWAP-3-DHCP_RENEW: Could not discover WLC. Either IP address is not assigned or assigned IP is wrong. Renewing DHCP IP.
Get SFP serial number on Cisco WLC 5508
Use this undocumented, unsuggested CLI command to get the serial numbers of the media inserted in the SFP bays:
    debug fastpath cfgtool --dump.sfp
Sample session:
    (WLCTS 5508) >debug fastpath cfgtool --dump.sfp
    (WLCTS 5508) debug>FP0.
    Port SFP Vendor Transceiver Type OUI PartNumber Rev SerialNumber DateCode Auth
    1 CISCO-METHODE (0x08)1000BaseTX SP7041 E 00000MTC655363SA 08127501 ok
    2 CISCO-METHODE (0x08)1000BaseTX SP7041 E 00000MTC655356KS 08127501 ok
    3 Not Present (0x00)NOT_SUPPORTED fail
    4 Not Present (0x00)NOT_SUPPORTED fail
    5 Not Present (0x00)NOT_SUPPORTED fail
    6 Not Present (0x00)NOT_SUPPORTED fail
    7 Not Present (0x00)NOT_SUPPORTED fail
    8 Not Present (0x00)NOT_SUPPORTED fail
    FP0.
CoA change of authorization RFC 3576 on Cisco WLC5508
On the WLC web interface select Security -> AAA -> Radius -> Authentication. For each server, enable the RFC 3576 Support. You can now use the following simple script to do the job:
    #!/bin/sh
    # Send a RADIUS Disconnect-Request (packet code 40, RFC 3576) for the user given as $1.
    IP="<ip address of wlc>"
    PORT="<usually 3799>"
    SECRET="<Radius shared secret>"
    RESULT=$(echo "User-Name = $1" | radclient "$IP:$PORT" 40 "$SECRET")
    echo "$RESULT"
    # Reply code 42 is a Disconnect-NAK.
    if echo "$RESULT" | grep "code 42" >/dev/null; then
        echo "User $1 NOT CONNECTED on $IP."
    fi
    # Reply code 41 is a Disconnect-ACK.
    if echo "$RESULT" | grep "code 41" >/dev/null; then
        echo "User $1 SUCCESSFULLY DISCONNECTED from $IP."
    fi
Please pay attention to the RADIUS SECRET, since the WLC silently discards unauthenticated packets, making you mad! Debug it with the show radius rfc3576 statistics command in the WLC CLI, looking for "Bad Authenticator Requests".
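Why a mismatched secret ends in silence: per RFC 3576 the Request Authenticator of a Disconnect-Request is an MD5 digest over the packet and the shared secret, so a receiver holding a different secret cannot validate it and drops the packet. The sketch below is an added example, not part of the original page and not Cisco or FreeRADIUS code; the function names and the sample user and secrets are constructed for illustration.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40  # RFC 3576 packet code, the "40" passed to radclient
USER_NAME = 1            # RADIUS attribute type for User-Name


def build_disconnect_request(identifier: int, user: str, secret: bytes) -> bytes:
    """Build a Disconnect-Request carrying a single User-Name attribute."""
    value = user.encode()
    attrs = struct.pack("!BB", USER_NAME, len(value) + 2) + value
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(code + id + length + 16 zero octets + attrs + secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """Receiver-side check: recompute the authenticator with the local secret."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False
    received, attrs = packet[4:20], packet[20:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    pkt = build_disconnect_request(7, "alice", b"correct-secret")
    print("receiver secret matches:", authenticator_ok(pkt, b"correct-secret"))
    print("receiver secret differs:", authenticator_ok(pkt, b"typo-secret"))
```

A packet that fails this check gets no reply at all, which is why the only visible trace is the "Bad Authenticator Requests" counter mentioned above.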
Airopeek Remote Sniffing using Wireshark
This poorly documented feature enables remote sniffing of the airspace using a lightweight AP in Sniffer mode.
More info: https://supportforums.cisco.com/docs/DOC-19214
Meaningful accounting Called-Station-Id
I'm using a 5500 Cisco WLC. As long as you use meaningful "talking" AP names clearly identifying the location of the AP, you can use the following to make RADIUS accounting packets meaningful:
    config> radius auth callStationIdType ap-name-ssid
    config> radius accounting callStationIdType ap-name-ssid
Other possible types in WLC software 7.5 are:
    ap-group-name    Sets Called Station Id to the AP Group Name
    ap-location      Sets Called Station Id to the AP Location
    ap-macaddr-only  Sets Call Station Id Type to the AP's MAC Address
    ap-macaddr-ssid  Sets Call Station Id Type to the format <AP MAC address>:<SSID>
    ap-name          Sets Called Station Id to the AP Name
    ap-name-ssid     Sets Called Station Id to the format <AP Name>:<SSID>
    flex-group-name  Sets Called Station Id to the Flex Connect Group Name
    ipaddr           Sets Call Station Id Type to the system's IP Address
    macaddr          Sets Call Station Id Type to the system's MAC Address
    vlan-id          Sets Called Station Id to the VLAN id
P.S. Don't forget to save!
How to verify a Lightweight AP startup configuration
I needed to verify the startup CAPWAP configuration before delivering a Lightweight AP far far away.