MY80211.com

Since the very beginning the AP manager on a Cisco WLC would never respond to pings. Well that has all changed if you use LAG and a AP manager with 7.x code!

I like how Cisco hides little nuggets in their documentation. It states, in LAG mode, the management and AP manager uses the same base LAG MAC address.

Note With the 7.0 release onwards, the MAC address of the management interface and the AP-manager interface is the same as the base LAG MAC address.

LAB

A show ARP on the distribution switch you can see the MAC is identical for both the manager and AP manager.

NOTE --

This was tested on 4402,4404 and 5508 model controllers.

AP manager(s) aren't needed with a 5508.

This only applies to a WLC in LAG mode w/ AP Manager

Additional Reading Material:

http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mint.html#wp1117168

Note the WPS vulnerability is with home and soho devices and not with Cisco enterprise gear. Note the models below:

Cisco Response

On December 27th, 2011 US-CERT released VU#723755 available here: http://www.kb.cert.org/vuls/id/723755

The US-CERT Vulnerability Note describes a vulnerability that exists in the Wi-Fi Alliance Wi-Fi Protected Setup (WPS) protocol, also known as Wi-Fi Simple Config, when devices are operating in PIN External Registrar (PIN-ER) mode.  Devices operating in PIN-ER mode allow a WPS capable client to supply only the correct WPS PIN to configure their client on a properly secured network.  A weakness in the protocol affects all devices that operate in the PIN-ER mode, and may allow an unauthenticated, remote attacker to brute force the WPS configuration PIN in a short amount of time.

The vulnerability is due to a flaw that allows an attacker to determine when the first 4-digits of the eight-digit PIN are known.  This effectively reduces the PIN space from 10⁷ or 10,000,000 possible values to 10⁴ + 10³ which is 11,000 possible values. The eighth digit of the PIN is utilized as a checksum of the first 7 digits and does not contribute to the available PIN space. Because the PIN space has been significantly reduced, an attacker could brute force the WPS pin in as little as a few hours.

While the affected devices listed below implement the WPS 1.0 standard which requires that a 60-second lockout be implemented after three unsuccessful attempts to authenticate to the device, this does not substantially mitigate this issue as it only increases the time to exploit the protocol weakness from a few hours to at most several days.  It is our recommendation to disable the WPS feature to prevent exploitation of this vulnerability.

Vulnerable Products:

Note: The Cisco Valet product line is maintained by the Cisco Linksys Business Unit. Information concerning the Cisco Valet line as well as information on Linksys by Cisco products will be forthcoming.

Products Confirmed Not Vulnerable:

Additional Information

Workarounds:

Disable the Wi-Fi Protected Setup feature on devices that allow the feature to be disabled, as listed in the Vulnerable Products table.  Cisco Systems has verified that the products that support disabling the WPS feature do indeed disable it and are not vulnerable once the feature has been disabled from the management interface.

Fixed Software:

Note: The Cisco Valet product line is maintained by the Cisco Linksys Business Unit. Information concerning the Cisco Valet line as well as information on Linksys by Cisco products will be forthcoming.

Exploitation and Public Announcements:

Exploit code and functional attack tools that exploit the weakness within the WPS protocol have been released.

This vulnerability was discovered by Stefan Viehböck and Craig Heffner.

Status of this Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Revision History

Did you know ? If you purchased a Cisco 5508 WLC with a 12 access point license you just limited yourself to 487 access points?

The Cisco 5508 is licensed based which means you can add access point licenses as your wireless grows. The Cisco 5508 allows a maximum of 500 access points. This is a new model for Cisco Wireless Lan Controllers. The now legacy 2000,2100,4400 and WISM1 were licensed by the hardware itself.

You can purchase Cisco 5508 WLC with a 12,25,50,100,250 or 500 access point capacity. Or you can purchase what Cisco calls adder licenses in the quantities of 25,50,100, and 250 access points after the fact.

The license limitation becomes an issue with your initial purchase of a 5508 with a 12 access point license.

Since Cisco only resells 25,50,100 and 250 access point licenses the MAX you will ever get on your WLC is 487 access points.

Note: A 5500 Series WLC with a base license of 12 can only support up to 487 total APs because only 25, 50, 100, and 250 adder licenses are supported.

 Read:

Understanding Cisco 5508 Wireless LAN Controller Licensing

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b78104.shtml

p.s. Thanks Patton for the link!

Special Guest Post By: Steven Rodriguez
Since Cisco is locking down software downloads, you may have a need to pull code off your existing access points. Here is a quick recap showing how to process the code with the archive command!

Ever lost the code you were running on an AP?  Then need to load that code to another?  What if that codes not available for download from CCO anymore?  Well, there's a pretty easy process to get through to get the image from an AP, and onto your TFTP server.

In this example, I am using a 1131, running 12.4(21a)JY

The first thing you need, is a TFTP server.  There are plenty of free ones out there.  I tested this with TFTPd32 on a PC, and with TFTPServer on a Mac(10.6).

So on the PC, it's pretty easy.  Configure your TFTP Server

Once you've stopped then started the server, you simply need to issue the command

archive upload-sw tftp://192.168.15.11/c1130-k9w7-mx.124-21a.JY.tar

As this command is running, it extracts the current running IOS, including the HTML files, and tar them as it's sending to the TFTP server.  <Term mon if you want to watch the process run.>


On the Mac, I found it to be a little bit different.  With my Mac, even though I did a chmod 777 on my tftp directory, I had to do the following before I attempted to upload the software.

Once the file is 'created' in my target directory it becomes the same as the PC version.

archive upload-sw tftp://192.168.15.6/c1130-k9w7-mx.124-21a.JY.tar


Now, if you have multiple versions of code that have been extracted to your AP, there is a switch that can be used, /version

archive upload-sw /version c1130-k9w7-mx.124-21a.JY tftp://192.168.15.6/c1130-k9w7-mx.124-21a.JY.tar
                                                 ^this would be the version you wanted to upload.

A more recent bug found on 1.4(1) 792x handset code. Something to take note if you're on this code and using voice on 802.11a

CSCtk58591 Bug Details

792x phone may not reconnect when invalid 5 GHz beacon received
Symptom: 792x phone may not reconnect when invalid 5 GHz beacon received. Conditions: 792x phone going out of range then comes back in range when set to scan 5 GHz. Workaround: Power cycle the phone. Use 802.11b/g only mode.	Status Open Severity 3 - moderate Last Modified In Last 3 Days Product Cisco Unified IP Phone 7900 Series Technology Wireless, Mobile 1st Found-In 1.4(1)
Interpreting This Bug Bug Toolkit provides access to the latest raw bug data so you have the earliest possible knowledge of bugs that may affect your network, avoiding un-necessary downtime or inconvenience. Because you are viewing a live database, sometimes the information provided is not yet complete or adequately documented. To help you interpret this bug data, we suggest the following: This bug has a Moderate severity 3 designation. Things fail under unusual circumstances, or minor features do not work at all, or things fail but there is a low-impact workaround. This is the highest level for documentation bugs. (Bug Toolkit may not provide access to all documentation bugs.) Severity levels are designated by the engineering teams working on the bug. Severity is not an indication of customer priority which is another value used by engineering teams to determine overall customer impact. Bug documentation often assumes intermediate to advanced troubleshooting and diagnosis knowledge. Novice users are encouraged to seek fully documented support documents and/or utilize other support options available.

Salil Prabhu from Cisco TAC did a great post on how to recover WEP, ADMIN and Guest account passwords. Note this will not yield the PSK key. As you can not pull the PSK from a WLC.

Procedure to Recover WEP,Admin,Guest account Password from WLC

Step 1 :

1. (Cisco Controller) >show switchconfig

802.3x Flow Control Mode......................... Disable
FIPS prerequisite features....................... Disabled
secret obfuscation............................... Enabled

(Cisco Controller) >config switchconfig secret-obfuscation disabled

Secret (de-)obfuscation may take a few minutes.

Please wait...  Done!

(Cisco Controller) >config passwd-cleartext enable

The way you see your passwds will be changed

You are being warned.

Enter admin password: ***********

Enabling cleartext viewing of passwords

Step 2:

2. Download config from the WLC. Commands --> Upload configuration from
WLC to tftp server.

Step 3:
3. Open the file in notepad :

WEP :

config wlan security static-wep-key encryption 4 40 hex encrypt 0 0 0 128 313233343500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  1

40 = 40 bit key

ADMIN :

config mgmtuser add encrypt admin1 0 0 0 8 436973636f31323300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 read-write

Guest-Account :

config netuser add encrypt username guest-1 password 0 0 0 7 67756573742d310000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  wlan 0 usertype guest lifetime 86400

Step 4:

4. Use this tool to convert to Ascii : ( Use red colour digits ..)

http://www.dolcevie.com/js/converter.html

WEP : Key size = 40bit.
HEX :3132333435 
Ascii : 12345 ( using the tool ) 


ADMIN : Username : admin1 
HEX : 436973636f313233 
Ascii : Cisco123 

Guest-Account: Username: guest-1 
HEX: 67756573742d31  
Ascii : guest-1 

From Aaron Leonard - Cisco

All Cisco Aironet wireless access points and bridges currently being shipped run IOS.  The only exception is the OEAP602.  (Some older Cisco access points did not run IOS, such as the Aironet 340 which ran only VxWorks, and the 1000 series lightweight APs.)

Access Point IOS is distributed as a tar file.  These tar files can be downloaded from cisco.com SDS; lightweight IOS images (k9w8) are also bundled in the WLC software images (.aes.)

The IOS image names include the following components:

platform-featureset-tar.version.tar

• platform- the access point hardware model or family supported by the image       
  • examples: c1250; ap3g1 - 3500/1260; ap801- AP embedded in 881W; c1520 - 1520/1550
• featureset- the set of software features supported by the image - one of:      
  • k9w7 - autonomous IOS
  • k9w8 - full lightweight IOS (this is what is bundled in the WLC .aes image, and is factory installed on "mesh" APs)
  • rcvk9w8 - lightweight recovery image - this is factory installed on lightweight APs, unless a "mesh" image is specified; it lacks radio firmware
• version- the IOS version       
  • There is a 1:1 mapping between the lightweight IOS software version (such as 12.4(23c)JA) and the CUWN version (such as 7.0.98.0)  
    • see the Wireless Solutions Software Compatibility Matrix on CCO

Example: c1240-k9w7-tar.124-25d.JA1.tar

• Platform: c1240: 1240 series AP
• Featureset: k9w7: autonomous IOS
• Version: 124-25d.JA1: 12.4(25d)JA1
  

As AP IOS is always distributed as a tar file, the AP cannot directly execute such a file (thus, if you were to copy c1240-k9w7-tar.124-25d.JA1.tar directly onto AP flash, and then try to boot it, this could not work.)  The tar file contains, in addition to the IOS image proper, the radio firmware files, the HTML GUI files (if present), and various other files.  The AP IOS tar file must be unbundled into AP flash using the archive exec command (this is done in an automated fashion when a lightweight AP is upgraded after joining a WLC.)  After unbundling, the IOS image itself be in a file called flash:/platform-featureset-mx.version/platform-featureset-mx.version - for example, flash:/c1240-k9w7-mx.124-25d.JA1/c1240-k9w7-mx.124-25d.JA1.  The AP is configured to boot this image if the bootloader BOOT environmental variable is set accordingly.

From Tac:

Cisco TAC does not support running autonomous IOS (aIOS) on the 3500 or 3600 Series Access Points.  These access points are  supported only when running in lightweight mode (Cisco Unified Wireless Network.)

The 12.4(25d)JA1 aIOS image for the 1260 series access point (ap3g1-k9w7) will load on a 3500 series AP, and may be used on an "as-is" basis.  Cisco will provide no support for this use case, and will not warrant that future 1260 aIOS images will continue to load on 3500 series APs.

The 1260 series AP aIOS images will not load on a 3600 series AP, which requires an ap3g2 image.  There are no aIOS images available for the 3600 series.

This is a handy trick to test your cable from a Cisco switch. My buddy Leo wrote this up.

What is Time-Domain Reflectometer (TDR)?

“A time-domain reflectometer (TDR) is an electronic instrument used to characterize and locate faults in metallic cables (for example, twisted wire pairs, coaxial cables)¹.”

For the sake of this document, “TDR testing” and “TDR” are used interchangeably in this document to sow confusion to the un-initiated. They both mean the same.

How can TDR help me?

TDR, in its simplest form, can help you determine IF you have a cable problem, WHICH pair(s) is/are faulty and HOW FAR away the fault is.

Typically, when you have a Layer 1 issue there are a lot of factors to consider:

1. Local-end Side (LeS) patch cable;
2. Local-end Side (LeS) patch panel (including punch block);
3. Horizontal cable;
4. Remote-end (Red) patch panel (including punch block);
5. Remote-end (Red) patch cable; and
6. Remote-end (Red) device NIC

 So you see, dear readers, TDR minimize the guess-work.

Picture this …

Before we begin, let me give you the “lay of the land”. Presume the following scenario:

What model of Cisco switch does TDR work on?

Firstly, not all switch model support TDR. TDR feature first came out with the Catalyst 2960. So here is the list of which ones will work and will not:

Note:  

1.        The 2960 will support TDR in both the FastEthernet and dual-personality GigiabitEthernet port, however, when used on a FastEthernet port, TDR will only test the first two pairs, namely Pairs A & B.  For obvious reasons, Pairs C and D will not be tested when used on non-GigabitEthernet ports.

2.       Except the WS-C2960-48PDL, when using the copper GigabitEthernet port of the Catalyst 2960, one must manually set the interface to copper using the command “media rj” before the test can be conducted.

3.       Confirmed by Cisco TAC, Ankur Garg.

The list does not include modules/blades for the Catalyst 4000/4500, 5000/5500, 6000/6500 although it is mentioned here that TDR was introduced with IOS Release 12.2 ZY for the Catalyst 6000/6500. It’s not included in the list above because I don’t have the resources to test and verify.

Legacy Cisco Catalyst models 1900, 2900XL/3500XL, 2940/2950/2955, 2948G and 2970 are not supported. Routers are also not supported. I do not have any resources to test router Ethernet Switch Modules (NME, HWIC, EHWIC). Wireless Access Points do not support TDR.

Why doesn’t the FastEthernet-flavoured 3560 and 3750 support TDR and but the cheaper FastEthernet 2960 support TDR?

Base on the time-line, the “plain” (or non-GigabitEthernet copper port) 3560 and 3750 came out BEFORE the 2960. The “chip” for the TDR was included in the design of the 2960. When Cisco released the 3560G and 3750G later, someone made the ultimate decision to include the TDR feature as a standard. Therefore, the plain 3560 and 3750 are the only two series that WON’T HAVE the TDR feature. (Take note reader: Emphasis on the words “WON’T HAVE”)

Any Gotchas I need to be aware of?

• Switches need to run IOS version 12.2 or later. TDR is supported in IOS version 15.0. IOS version 12.0 and 12.1 do NOT support TDR.

• If you are running IOS version 12.2(46)SE or earlier, TDR test is DISRUPTIVE. During the test, the interface will go down and up. For obvious reasons, anything connected will lose network connectivity.

• If the remote-end device is a power-over-ethernet (PoE) device, the test will cause the device to lose power. If you have, for example, a Voice over IP (VoIP) phone and a PC client is connected to the phone, both the phone and client will lose network connectivity because the phone does not have a bypass functionality. This will affect ALL IOS versions.

• Particularly when you are running old IOS versions, the test can take between five (5) to seven (7) seconds.

• TDR works on 10/100/1000BaseTx. Fibre optic ports (any flavours) is not covered/discussed here. TenGigabitEthernet copper port DOES NOT (YET) support TDR.

• Cisco GLC-T/GLC-TX SFP module does NOT support TDR.

The next two Gotcha items are for those who plan to use the TDR feature on Cisco Catalyst 2960 and 2960G (2960S not included):

• 1. The 2960 will support TDR in both the FastEthernet and dual-personality GigiabitEthernet port, however, when used on a FastEthernet port, TDR will only test the first two pairs, namely Pairs A & B. For obvious reasons, Pairs C and D will not be tested when used on non-GigabitEthernet ports. Pairs C and D will report a result of “Not Supported”.

• 2. Except the WS-C2960-48PDL, when using the copper GigabitEthernet (Gig 0/1 and Gig 0/2) ports of the Catalyst 2960, one must manually set the interface to copper using the command “media rj” before the test can be conducted.

How to use TDR?

The commands are very simple: One to start the test and the second command to display the result. Here is simple procedure:

1. Command to start the TDR: “test cable tdr interface <interface of your choice>”;
2. Wait for about 5 to 7 seconds for the test to run; and
3. Command to show the result of the TDR test: “show cable tdr interface <interface of your choice>”

See? Easy! Now let’s see what the I results would look like.

So what does this result above tell us?

1. Port tested is on GigabitEthernet 0/1;
2. Port has negotiated to 1 Gbps;
3. Cable use is a straight-through cable (look and compare the values of “Local pair” and “remote pair”);
4. Cable length is approximately 3 metres long and an error (length-wise) of 1 metre; and
5. All four pairs are working fine (Pair status)

Under “Pair status” you can get the following results:

An ideal result is “Normal”. In practice, whether the remote-end device is FastEthernet or GigabitEthernet, I will never accept a TDR result other than “Normal” in all four pairs.

Cable Pairs explained?

This is how I see what each Pairs control:

More examples

Normally, this result would freak me out. Look at the items in RED. Pairs C and D are reporting a cable value of “0”. Next I move to the “Pair status” and it’s reported as an Open circuit. No pin contact. Whao! But look at the speed. It’s 100 Mbps. So it’s normal … I guess.

But wait. What if the remote-end side (Red) client is a GigabitEthernet. So where is the faulty cabling? Which one of the patch cables? Or is it a horizontal cabling? Does the client support GigabitEthernet or not?

Here’s another clue: Look at the length of the cable for Pair A and B. It’s reporting around 12 to 13 metres. Experience has taught me that my Local-end Side (LeS) cable doesn’t exceed two metres. So that rules out my cable, however the horizontal cabling is more than 10 metres. So what’s between the horizontal cabling and the remote-end client? You have three suspects: 1) The remote-end punch block; 2) the remote-end patch cable; and 3) remote-end client.

Culprit was the remote-end punch block and the horizontal cabling: Cable contractors only terminated two pairs.

Never ask a boy to do a man’s job!

Its results like the ones above that makes me want to cry.

Ok, I look under “Pair status” and I see “Short/Impedance Mism” for Pair C and D. No question about it. It’s bad cabling. This is not what makes me want to cry. Look at under “Pair length” of Pair A and B. NOW cry.

Should I be worried?

Looking at the result, I can confidently say that the appliance was a 48-port Cisco Catalyst 2960. How? Look under “Interface”. Look at “Pair status” for Pair C and D. Only the plain 2960 FastEthernet ports can support TDR.

But look at “Pair status” for Pairs A and B. What does that mean?

It means that the remote-end (Red) patch cable is missing.

Wireless Solutions Software Compatibility Matrix

This document lists the software compatibility matrix information for the Cisco wireless devices used in a Cisco centralized and distributed wireless LAN solution.

Contents

This document contains the following sections:

•Conventions

•Software Release Compatibility Matrix

•Mesh and Mainstream Controller Software Releases

•Cisco Prime Network Control System Compatibility Matrix

•Wireless Control System Compatibility Matrix

•Inter-Release Controller Mobility (IRCM)

•Cisco Support Community

•Obtaining Documentation and Submitting a Service Request

Conventions

See Cisco Technical Tips Conventions for information about document conventions.

Software Release Compatibility Matrix

Table 1 lists the Wireless Software compatibility matrix.

Mesh and Mainstream Controller Software Releases

Table 2 lists the mesh and controller software releases and the compatible access points.

Note See the relevant release notes before you perform any software upgrade. The release notes are available at http://www.cisco.com/en/US/products/ps10315/prod_release_notes_list.html.

Software Release Support for Access Points

Table 3 lists the controller software releases that support specific Cisco access points. The First Support column lists the earliest controller software release that supports the access point. For access points that are not supported in ongoing releases, the Last Support column lists the last release that supports the access point.

Cisco Prime Network Control System Compatibility Matrix

Table 4 lists the compatibility matrix of Cisco Prime NCS, controller, access point images, Identity Services Engines (ISE), and mobility services engines (MSE).

Wireless Control System Compatibility Matrix

Table 5 lists the Wireless Control System (WCS) compatibility matrix.

WCS and Navigator Compatibility

Cisco WCS and Cisco WCS Navigator must be from the same release in order to be compatible (see Table 6). Although the release numbers will not be the same, you must verify whether they were part of the same release.

For example, Cisco WCS Navigator 1.0 is compatible with Cisco WCS 4.1, and Cisco WCS Navigator 1.1.x is compatible with any Cisco WCS 4.2.x.

Note When Cisco WCS Navigator is upgraded to a new version, the corresponding Cisco WCS must also be upgraded to the corresponding new version. For example, if Cisco WCS Navigator is upgraded to version 1.6, Cisco WCS must also be upgraded to the corresponding version 7.0.

Inter-Release Controller Mobility (IRCM)

Table 7 lists the inter-release Controller Mobility (IRCM) compatibility matrix.

Medtronic ignore original attempts to fix this problem back in August. As a wireless engineer focusing in the Healthcare vertical its always important to test all your medical devices prior to deployment. A simple port scan could yield valuable information and potential means to access these devices. Often times, vendors will leave default logon credentials allowing access.

The attack on wireless insulin pumps made by medical devices giant Medtronic was demonstrated Tuesday at the Hacker Halted conference in Miami. It was delivered by McAfee's Barnaby Jack, the same researcher who last year showed how to take control of two widely used models of automatic teller machines so he could to cause them to spit out a steady stream of dollar bills.

Read more:

http://www.theregister.co.uk/2011/10/27/fatal_insulin_pump_attack/

I wanted to show some love to my buddy Blake Krone. Blake completed his CCIE wireless journey a few weeks ago. He is a true inspiration to us all …

Blake worked hard and diligently in search of the elusive CCIEW number. After his 4th attempt we chatted briefly and he shared his thoughts about giving up. He was so close the last few attempts he decided to give it one more try before v2. And we’re all glad that he did! I understand he is perhaps #48 to have passed ... Truly a great achievement !

I want to wish Blake and his family a very relaxing and enjoyable holiday season.

Blake Krone - CCIE#31229

You can read about Blake’s journey at his blog: http://blakekrone.com/2011/10/26/im-now-known-as-a-number

Cisco VoWLAN checklist is a great way to plan your config and to reference when you are having voice issues.

http://www.cisco.com/en/US/docs/wireless/technology/vowlan/troubleshooting/VoWLAN_Troubleshooting_Checklist.html

Cisco releases a 'special' for the AP3600

 I understand this code is only for new gen WLCs. You will only find this code under these controllers.

The purpose of this document is to strip the domain from users that authenticate with the format: username@domain in ACS 5.x.

Wireless supplicants sometimes present the user creditials in different formats. One such device is the Motorola handhelds. They present the user ID as 'user@domain' to the radius server who then sends this to the AD server. In some cases if you didnt use a FQDN as your domain name (in the handheld) and you were on ACS 4.x it would still authenticate. ACS 4.x would strip this suffix and present the raw ID to AD.

But ACS 5.x doesnt do this easily. You actually have to create a PROXY ACS inside your ACS server. There is no easy check box to strip the prefix or the suffix in ACS 5.x.

If you use LDAP, different sorry. You have the option to strip both with a simple check box under external / ldap section of ACS 5.x.. Below is a document I received from Cisco TAC showing how to strip the prefix and or suffix in ACS 5.x within a ACS proxy.

RADIUS PROXY SERVER

Configure the ACS server as a network device and choose as the authentication option Radius.

Define the ACS server as an External Radius server under Network Resources. The external radius server on this case is the ACS itself.

Create a new access service and point the new policy to use the Radius Proxy service type.

Once the access service is enable configure the advance options of the new service selection rule to strip the domain after the @.

Go to service selection rule and create a new rule pointing to the Proxy Radius Server created previously and include a compound condition as follows:

With the previous configuration when we use the username@domain the user is able to authenticate because check the first rule pointing to the proxy radius server which is set up to strip the domian.

When the ACS first receives the request and strips the domain part from the username, the server will Proxy the request to itself in which case the ACS will act as a AAA client striping the domain and showing the passed authentication as follows:

On the previous screenshot you can see that once the ACS strips the domain is going to hit the second access service rule which just accept the radius request that does not contain any UPN format.

End-of-Sale and End-of-Life Announcement for the Cisco 2100 Series Wireless LAN Controllers
Url: http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps7206/ps7221/end_of_life_notice_c51-691053.html
Description: Cisco announces the end-of-sale and end-of-life dates for the Cisco 2100 Series Wireless LAN Controllers. The last day to order the affected product(s) is May 2, 2012. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available until the termination date of the contract, even if this date exceeds the Last Date of Support shown in Table 1.
Date: 2011-11-04 16:30:00.0

Noticed a tweet on twitter about release notes for 7.0.220.0 being available for download. As of this blog entry, 7.0.220.0 code is not available for download.

Link to release notes: http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_0_220_0.html#wp784169

Arron Leonard from Cisco TAC released a great post about ORA on CSC.

OmniPeek Remote Assistant

VERSION 4 

Did you go HUH?, like I did when I seen the LDPE code rev for the Cisco WLC? I opened a TAC case to find out what this was and this is what I was told.

Client data encryption is normally not done. LDPE  feature is Licensed Data Payload Encryption (LDPE). Data Payload Encryption allows for the data that travels between the Access Point and the WLC to be Datagram Transport Layer Security   (DTLS) encrypted.

Note: Non Russian customers using Cisco 5508 Series Controller do not need data DTLS license. If your controller does not have a data DTLS license and if the access point associated with the controller has DTLS enabled, the data path will be unencrypted

   AIR-CT5500-K9-7-0-116-0.aes (Regular image)

·         AIR-CT5500-LDPE-K9-7-0-116-0.aes (LDPE image)

It would appear that Russia has some requirements to encrypt their AP to WLC traffic internally.

NOTE: I came across a post by blogger/friend Sam C. @ sc-wifi.com that covers this subject in more detail. Thanks SAM! I should have called and opened a ticket with you instead! LOL

http://sc-wifi.com/2011/04/30/cisco-wlc-ldpe-images/