Wednesday, December 24, 2014

[Device] Cisco controller deployment

Cisco controller deployment (2500 series deployment guide):

http://www.cisco.com/c/en/us/support/docs/wireless/2500-series-wireless-controllers/113034-2500-deploy-guide-00.html?mdfid=283848165

Sunday, November 30, 2014

[Troubleshoot] Apple iPhone / iPad roaming problems on Cisco equipment

Straight to the conclusion:

Apple devices are not part of Cisco's CCX certification, so they can run into roaming problems (the roaming decision is always the client's; the controller can only influence it).
Roaming is still achievable: use 802.1X authentication.


debug client <client_mac>

Reference for debug client:
http://www.cisco.com/c/en/us/support/docs/wireless/aironet-1200-series/100260-wlc-debug-client.html?mdfid=283848165


show {802.11a | 802.11bg} l2roam rf-params
show {802.11a | 802.11bg} l2roam statistics <ap_mac>
show client roam-history <client_mac>
debug l2roam {detail | error | packet | all} enable
The last command shows the log entries generated when a device does not support CCX.


Will update if a fix turns up...

References / procedures / troubleshooting
http://ccie-or-null.net/2011/05/16/control-roaming-wlc/

https://discussions.apple.com/thread/3714890?tstart=0
Real-time Traffic over WLAN Roaming 

Saturday, November 1, 2014

[Device] SG-300 switch: the most basic of basic settings


Points that are a bit different:


 * Access port with a VLAN
interface GigabitEthernet 2
switchport mode access
switchport access vlan 123



* A trunk port has to be told which VLANs to carry

interface GigabitEthernet 24
switchport mode trunk
switchport trunk allowed vlan add all
<<VLAN ID list, or all>>


Afterwards, show vlan
lists each VLAN with the trunk ports that carry it
e.g.: gi1,gi4


* Telnet

The way I've seen it done so far is to log in through the web UI first and enable telnet there,
under Security I think.
Telnet is cleartext, though; if the switch is managed across anything but an isolated management network, enable SSH instead and leave telnet off.


Thursday, October 30, 2014

[Device] Aruba switch: the most basic of basic settings

Default credentials
admin / admin123 / enable  (change these before the switch is reachable from anything you do not control)


Change the admin password
mgmt-user admin root
<new password>
<new password>  (re-enter)


VLAN IP / default gateway
(S2500) (config) #interface vlan 1
(S2500) (vlan "1") #ip address 192.168.7.2 255.255.252.0
(S2500) (vlan "1") #exit
(S2500) (config) #ip-profile
(S2500) (ip-profile) #default-gateway 192.168.7.254


Telnet/SSH need no special setup:
SSH2 works out of the box,
with the administrator credentials above.

Tuesday, October 28, 2014

[Troubleshoot] AP cannot join the controller: debugging with debug pm pki enable

On the L3 device for the AP subnet, relay the APs' CAPWAP discovery broadcasts to the controller (the helper goes on the AP VLAN interface; the two ip forward-protocol lines are global config):
#interface vlan <AP subnet VLAN>
#ip helper-address <controller IP>
#ip forward-protocol udp 5246
#ip forward-protocol udp 5247




Registering the AP's SHA1 key hash on the controller
debug pm pki enable / disable

After the debug output gives you the MAC and the SSC key hash (here 00:11:93:00:04:2c / c27c7c2e7da64383108f19e83777121efe3619db):


In the controller web UI go to Security > AAA > AP Policies and press Add.
In "Add AP to Authorization List" set Certificate Type to SSC,
fill in the MAC and the SHA1 key hash <<<the hash string above>>>,
and that's it.
Treat this as trust-on-first-use: anything that can reach UDP 5246 on the controller can present a self-signed certificate, so check the MAC against the label on the AP you actually unboxed before authorizing it.

The log below shows why this MAC goes with this hash: "Mac Address in subject is ..." and "SSC Key Hash is ..." are both produced by the same sshpmGetIssuerHandles pass over one certificate (note the identical timestamp), so they describe the same AP.


(Cisco Controller) >
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: locking ca cert table
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: calling x509_alloc() for user cert
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: calling x509_decode()
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: <subject> L=San Jose, ST=California, C=US, O=Cisco Systems, MAILTO=support@cisco.com, CN=C1100-00119300042c
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: <issuer>  L=San Jose, ST=California, C=US, O=Cisco Systems, MAILTO=support@cisco.com, CN=C1100-00119300042c
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Mac Address in subject is 00:11:93:00:04:2c
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Cert is issued by Cisco Systems.
Wed Oct 29 03:18:46 2014: ssphmSsUserCertVerify: self-signed user cert verfied.
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: ValidityString (current): 2014/10/29/03:18:46
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: ValidityString (NotBefore): 2011/04/19/06:07:30
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: ValidityString (NotAfter): 2020/01/01/00:00:00
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: getting cisco ID cert handle...
Wed Oct 29 03:18:46 2014: sshpmGetCID: called to evaluate <cscoDefaultIdCert>
Wed Oct 29 03:18:46 2014: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
Wed Oct 29 03:18:46 2014: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
Wed Oct 29 03:18:46 2014: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
Wed Oct 29 03:18:46 2014: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
Wed Oct 29 03:18:46 2014: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
Wed Oct 29 03:18:46 2014: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
Wed Oct 29 03:18:46 2014: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
Wed Oct 29 03:18:46 2014: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
Wed Oct 29 03:18:46 2014: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Calculate SHA1 hash on Public Key Data
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  30820122 300d0609 2a864886 f70d0101
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  01050003 82010f00 3082010a 02820101
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  00e6bfcd 007d970b 5d463933 68080b5c
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  e794736b 754139bf 9bfe8aaa 0eb234cb
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  d6bf98cc e420d854 ec25e1b8 8d1a3228
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  3b480b2e a45fbbce aaa4cd4e dea2f7dc
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  7ad33d55 108b6ea9 55407d1d ba2d5a7e
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  0c171a35 f195931a ec6ee725 d67a3339
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  e61a38e2 6ce68bcb ec55a58c 9aee34f9
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  26d161a7 cbb23b44 f560a008 e0deab82
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  3b64c01e 8955c326 0f368ac9 122c1a95
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  eb8e81cc fa3ecbea a9806d5e b147dcf5
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  f4459ef2 2a53f767 fd5ef31b 739c82cd
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  fa04ad8f d809c9f2 c2ec268b 24a7983b
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  92b2f554 16d75bff 5dc53e43 9ac4c3c8
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  5f0f64f4 b4f71b9f eaa0a5be d0ff7388
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  f0f59223 b01aed74 a167d102 44274178
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  429aaad6 c6cb87e8 c9dad1db 5fd71043
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  2f020301 0001
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: SSC Key Hash is c27c7c2e7da64383108f19e83777121efe3619db
Wed Oct 29 03:18:46 2014: sshpmGetCertFromHandle: calling sshpmGetCertFromCID() with CID 0x1f7e88a7
Wed Oct 29 03:18:46 2014: sshpmGetCertFromCID: called to get cert for CID 1f7e88a7
Wed Oct 29 03:18:46 2014: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<
Wed Oct 29 03:18:46 2014: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<
Wed Oct 29 03:18:46 2014: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<
Wed Oct 29 03:18:46 2014: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<
Wed Oct 29 03:18:46 2014: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<
Wed Oct 29 03:18:46 2014: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<
Wed Oct 29 03:18:46 2014: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<
Wed Oct 29 03:18:46 2014: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultIdCert<
Wed Oct 29 03:18:46 2014: sshpmGetCertFromCID: comparing to row 2, certname >cscoDefaultIdCert<
Wed Oct 29 03:18:48 2014: sshpmFreePublicKeyHandle: called with 0x159501ec
Wed Oct 29 03:18:48 2014: sshpmFreePublicKeyHandle: freeing public key
debug pm pki disable
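The manual step above (find the MAC and the SSC key hash in the debug output, then type them into the authorization list) is easy to get wrong with a 40-character hash, and it is worth checking that the two values really belong together before trusting an AP on them. The following Python script is an added example, not Cisco's code and not from the original post: it parses a debug pm pki capture (the sample embedded in it is constructed from the log above, fused line included), derives the MAC from the certificate CN and compares it with the "Mac Address in subject" line, checks that the dumped Key Data is a complete RSA SubjectPublicKeyInfo, recomputes SHA1 over it against the logged hash, and only then prints the CLI form of the GUI step. Two assumptions: the config auth-list add ssc <mac> <hash> syntax is what I believe AireOS uses and must be checked against your release, and the hash_matches check assumes the SSC hash is SHA1 over exactly the bytes the log dumps, which is what the log says it is doing.

```python
import hashlib
import re

# Constructed sample: the relevant lines of the "debug pm pki enable" capture
# quoted above, values unchanged (the last line keeps the fused "...19dbWed Oct 29").
SAMPLE_LOG = """\
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: <subject> L=San Jose, ST=California, C=US, O=Cisco Systems, MAILTO=support@cisco.com, CN=C1100-00119300042c
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Mac Address in subject is 00:11:93:00:04:2c
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Calculate SHA1 hash on Public Key Data
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  30820122 300d0609 2a864886 f70d0101
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  01050003 82010f00 3082010a 02820101
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  00e6bfcd 007d970b 5d463933 68080b5c
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  e794736b 754139bf 9bfe8aaa 0eb234cb
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  d6bf98cc e420d854 ec25e1b8 8d1a3228
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  3b480b2e a45fbbce aaa4cd4e dea2f7dc
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  7ad33d55 108b6ea9 55407d1d ba2d5a7e
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  0c171a35 f195931a ec6ee725 d67a3339
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  e61a38e2 6ce68bcb ec55a58c 9aee34f9
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  26d161a7 cbb23b44 f560a008 e0deab82
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  3b64c01e 8955c326 0f368ac9 122c1a95
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  eb8e81cc fa3ecbea a9806d5e b147dcf5
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  f4459ef2 2a53f767 fd5ef31b 739c82cd
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  fa04ad8f d809c9f2 c2ec268b 24a7983b
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  92b2f554 16d75bff 5dc53e43 9ac4c3c8
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  5f0f64f4 b4f71b9f eaa0a5be d0ff7388
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  f0f59223 b01aed74 a167d102 44274178
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  429aaad6 c6cb87e8 c9dad1db 5fd71043
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: Key Data  2f020301 0001
Wed Oct 29 03:18:46 2014: sshpmGetIssuerHandles: SSC Key Hash is c27c7c2e7da64383108f19e83777121efe3619dbWed Oct 29 03:18:46 2014: sshpmGetCertFromHandle: calling sshpmGetCertFromCID() with CID 0x1f7e88a7
"""

MAC_RE = re.compile(r"Mac Address in subject is ([0-9a-fA-F:]{17})")
CN_RE = re.compile(r"<subject>.*CN=[^,\s]*?-([0-9a-fA-F]{12})")
KEY_RE = re.compile(r"Key Data\s+([0-9a-f]{2,8}(?:\s+[0-9a-f]{2,8})*)$")
HASH_RE = re.compile(r"SSC Key Hash is ([0-9a-f]{40})")
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # id rsaEncryption


def rsa_modulus_bits(spki):
    """Modulus size of an RSA SubjectPublicKeyInfo; fixed offsets valid for the
    2-byte length encodings a 2048-bit key produces, None if the shape differs."""
    if spki[:2] != b"\x30\x82" or spki[24:26] != b"\x30\x82" or spki[28:30] != b"\x02\x82":
        return None
    n_len = int.from_bytes(spki[30:32], "big")
    return int.from_bytes(spki[32:32 + n_len], "big").bit_length()


def parse_ssc_debug(log):
    """Pull MAC, CN, public key and SSC hash out of the capture and cross-check them."""
    mac = cn_mac = logged_hash = None
    key_hex = []
    for raw in log.splitlines():
        line = raw.strip()
        m = MAC_RE.search(line)
        if m:
            mac = m.group(1).lower()
        m = CN_RE.search(line)
        if m:  # CN=C1100-00119300042c -> 00:11:93:00:04:2c
            h = m.group(1).lower()
            cn_mac = ":".join(h[i:i + 2] for i in range(0, 12, 2))
        m = KEY_RE.search(line)
        if m:  # only lines that carry hex, not "Calculate SHA1 hash on Public Key Data"
            key_hex.append(m.group(1).replace(" ", ""))
        m = HASH_RE.search(line)
        if m:
            logged_hash = m.group(1)
    key = bytes.fromhex("".join(key_hex))
    declared = int.from_bytes(key[2:4], "big") + 4 if key[:2] == b"\x30\x82" else None
    computed = hashlib.sha1(key).hexdigest() if key else None
    return {
        "mac": mac, "cn_mac": cn_mac, "mac_matches_cn": mac is not None and mac == cn_mac,
        "key_len": len(key), "key_complete": declared == len(key),
        "rsa": key[6:17] == RSA_OID, "modulus_bits": rsa_modulus_bits(key),
        "logged_hash": logged_hash, "computed_hash": computed,
        "hash_matches": computed is not None and computed == logged_hash,
    }


def auth_list_command(info, strict=True):
    """CLI form of the GUI step. Assumption: AireOS 'config auth-list add ssc
    <mac> <hash>' syntax; confirm against your controller release."""
    failed = [k for k in ("mac_matches_cn", "key_complete", "rsa") if not info[k]]
    if strict and not info["hash_matches"]:
        failed.append("hash_matches")
    if failed:
        raise ValueError("refusing to authorize AP, failed checks: " + ", ".join(failed))
    return "config auth-list add ssc %s %s" % (info["mac"], info["logged_hash"])


if __name__ == "__main__":
    info = parse_ssc_debug(SAMPLE_LOG)
    for k, v in info.items():
        print("%-15s %s" % (k, v))
    try:
        print(auth_list_command(info))
    except ValueError as err:
        print(err)
```

If mac_matches_cn or key_complete comes back false, the capture was truncated or you are mixing lines from two different APs; fix the capture rather than authorizing. A false hash_matches with a complete key means the logged hash is not SHA1 over the dumped bytes on your release, in which case take the logged value but do not skip the MAC/CN check.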

Monday, October 20, 2014

AP join controller success log

*Oct 21 15:37:44.284: %CDP_PD-4-POWER_OK: Full power - INJECTOR_CONFIGURED_ON_SOURCE inline power source
*Oct 21 15:37:45.319: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Oct 21 15:37:46.320: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Oct 21 15:37:49.232: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-LWAPP-CONTROLLER
*Oct 21 15:37:58.233: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
*Oct 21 15:38:10.234: %CAPWAP-3-ERRORLOG: Selected MWAR 'WLC4404'(index 0).
*Oct 21 15:38:10.234: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Oct 21 02:21:33.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.240.231.1 peer_port: 5246
*Oct 21 02:21:35.482: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.240.231.1 peer_port: 5246
*Oct 21 02:21:35.483: %CAPWAP-5-SENDJOIN: sending Join Request to 10.240.231.1
perform archive download capwap:/c1130 tar file

Monday, October 13, 2014

802.1X authentication on a switch against a RADIUS server

To enable 802.1X authentication on a switch port, on the switch CLI, enter these commands:

Switch# configure terminal
Switch(config)# dot1x system-auth-control
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# radius-server host ip_addr auth-port port acct-port port key key
Switch(config)# interface fastethernet2/1
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end
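Enabling 802.1X on one port says nothing about the other 47; the ports nobody got round to are the ones a visitor's laptop ends up on. The following Python script is an added example, not from the page and not a Cisco tool: it audits an IOS-style running-config for the three global lines and the two per-port lines the procedure above uses and reports every access port that is still open. The sample configuration inside it is constructed; the interface names and the RADIUS address are placeholders.

```python
# Global lines a port-based 802.1X deployment needs before any port enforces it.
REQUIRED_GLOBAL = (
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "dot1x system-auth-control",
)
# Per-port lines from the procedure above (IOS-style access port).
REQUIRED_PORT = ("dot1x pae authenticator", "dot1x port-control auto")

# Constructed sample running-config: Fa2/1 follows the procedure, Fa2/2 is an
# access port nobody enabled 802.1X on, Gi1/1 is an uplink trunk. Addresses
# and names are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key 7 0822455D0A16
!
interface FastEthernet2/1
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
!
interface FastEthernet2/2
 switchport mode access
!
interface GigabitEthernet1/1
 switchport mode trunk
!
"""


def interface_stanzas(config):
    """Map interface name -> list of its indented config lines."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return stanzas


def audit_dot1x(config):
    """Missing global prerequisites, plus the missing dot1x lines of every access port."""
    top_level = {l.strip() for l in config.splitlines() if l and not l.startswith(" ")}
    missing_global = [g for g in REQUIRED_GLOBAL if g not in top_level]
    ports = {}
    for name, lines in interface_stanzas(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and routed ports are out of scope for port-based 802.1X here
        ports[name] = [req for req in REQUIRED_PORT if req not in lines]
    return {"missing_global": missing_global, "ports": ports}


def report(config):
    """One line per access port; 'open' means any host that plugs in gets the VLAN."""
    result = audit_dot1x(config)
    out = ["global prerequisites missing: %s" % (", ".join(result["missing_global"]) or "none")]
    for name, missing in sorted(result["ports"].items()):
        state = "enforced" if not missing and not result["missing_global"] else "open"
        out.append("%-20s %-9s %s" % (name, state, ", ".join(missing)))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
```

Feed it the output of show running-config; a missing global line marks every port open, because without dot1x system-auth-control the per-port commands do nothing.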

Sunday, October 5, 2014

How to reset a Wireless LAN Controller (WLC) to factory defaults

Resolution

Complete these steps to reset the WLC to factory default settings using the CLI:
  1. Enter reset system at the command prompt.
  2. At the prompt that asks whether you need to save changes to the configuration, enter Y or N. The unit reboots.
  3. When you are prompted for a username, enter recover-config to restore the factory default configuration.

    The WLC reboots and displays the Welcome to the Cisco WLAN Solution Wizard Configuration Tool message.
  4. Use the configuration wizard to enter configuration settings.
Note: Once the WLC is reset to defaults, you need a serial connection to the WLC in order to use the configuration wizard.
For more information on resetting the device to default settings using GUI, refer to the Resetting the Device to Default Settings section of Configuring Controller Settings.

 

source 


Wednesday, August 27, 2014

Cisco 2504 controller web settings

Changing the controller IP from the CLI
>config wlan disable all
>config interface address management <IP-ADDRESS> <SUBNETMASK> <GATEWAY>
>config wlan enable all
 
show ap join stats summary all
show ap summary
The DHCP server for clients is set per interface: edit it in the interface's settings


Security > AAA > Local Net Users shows which local user accounts exist
 
Web authentication
Security > Web Auth > Web Login Page > Web Authentication Type (choose Internal)
 
 
Management > Mgmt Via Wireless > tick "Enable Controller Management to be accessible from Wireless Clients"
Only then can clients connected through the APs manage the controller. It is off by default for a reason: it exposes the management plane to every wireless client, so leave it off unless you really need it.
 
 
Management > Local Management Users > create management accounts
LobbyAdmin: a restricted role whose only job is creating temporary (guest) accounts


Changing the controller IP and similar settings
Controller > Interfaces > click the interface name
 
Sunday, August 24, 2014

[Device] Cisco controller setup, final

Would you like to terminate autoinstall? [yes]:

System Name [Cisco_b8:71:c4] (31 characters max):
AUTO-INSTALL: process terminated -- no configuration loaded
2504
Enter Administrative User Name (24 characters max): cisco
Enter Administrative Password (3 to 24 characters): ********
Re-enter Administrative Password                 : ********

Enable Link Aggregation (LAG) [yes][NO]: no

Management Interface IP Address: 192.168.45.200
Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 192.168.45.254
Management Interface VLAN Identifier (0 = untagged):
Management Interface Port Num [1 to 4]: 1
Management Interface DHCP Server IP Address: 172.16.41.1

Virtual Gateway IP Address: 1.1.1.1

Multicast IP Address: 239.0.0.1

Mobility/RF Group Name: poc

Network Name (SSID): poc

Configure DHCP Bridging Mode [yes][NO]:

Allow Static IP Addresses [YES][no]:

Configure a RADIUS Server now? [YES][no]: no
Warning! The default WLAN security policy requires a RADIUS server.
Please see documentation for more details.

Enter Country Code list (enter 'help' for a list of countries) [US]: TW

Enable 802.11b Network [YES][no]:
Enable 802.11a Network [YES][no]:
Enable 802.11g Network [YES][no]:
Enable Auto-RF [YES][no]:

Configure a NTP server now? [YES][no]:
Enter the NTP server's IP address: 211.22.103.158
Enter a polling interval between 3600 and 604800 secs: 3600

Configuration correct? If yes, system will save it and reset. [yes][NO]: yes

Configuration saved!
Resetting system with new configuration...


Restarting system.

Wednesday, August 13, 2014

Cisco AP >> ERROR!!! Command is disabled.

Oh, I'm so good XD

1. Delete the existing IOS image so the AP falls back to the one it shipped with
2. clear pre-config (i.e. clear lwapp private-config, see the Cisco answer below)


ERROR!!! Command is disabled.

If you get this message, stop fighting with the AP and go straight to the controller's web UI:
find the AP by MAC or hostname and change its hostname, IP and so on from there.
Done~

If you insist on configuring the AP over the console, the text below says you first have to give the AP a username/password from the controller.
I haven't tried that, because the above was enough to finish the job.

Q. When I enable some LWAPP commands on my LAP, I get an error that says the command is disabled. Why is this?
 
AccessPoint#clear lwapp ap controller ip address 
ERROR!!! Command is disabled.

A. Once your AP has successfully joined a controller, the LWAPP commands are disabled. In order to enable LWAPP commands again, you must set the username/password of the AP from the controller CLI with the config ap username <name> password <pwd> <cisco-ap>/all command. Once that is done, you can do a clear lwapp private-config in the AP CLI to allow you to manually re-issue the AP LWAPP configuration commands.
Note: If you are running WLC version 5.0 and later, use this command to set the username and password on the AP:
config ap mgmtuser add username AP_username password AP_password secret secret {all | Cisco_AP}


cisco ap ERROR!!! Command is disabled.

Sunday, July 27, 2014

Cisco 4506 password recovery

This needs nothing but a console cable and a power cycle, which is exactly why console ports need physical protection.

1.Press Ctrl-C within 5 seconds to prevent autoboot.

2.
rommon 1 > set
rommon 1 > confreg

 Configuration Summary :
 => load ROM after netboot fails
 => console baud: 9600
 => autoboot from: commands specified in 'BOOT' environment variable

 do you wish to change the configuration? y/n  [n]:  y
 enable  "diagnostic mode"? y/n  [n]:  n
 enable  "use net in IP bcast address"? y/n  [n]:  n
 disable "load ROM after netboot fails"? y/n  [n]:  n
 enable  "use all zero broadcast"? y/n  [n]:  n
 enable  "break/abort has effect"? y/n  [n]:  n
 enable  "ignore system config info"? y/n  [n]:  y

 change console baud rate? y/n  [n]:  n

 change the boot characteristics? y/n  [n]:  n
=======================================================
 Configuration Summary :
 => load ROM after netboot fails
 => ignore system config info
 => console baud: 9600
 => autoboot from: commands specified in 'BOOT' environment variable

 do you wish to save this configuration? y/n  [n]:  y
 You must reset or power cycle for new configuration to take effect
===========================================================

Alternatively set the register in one go instead of answering the dialog (same effect as "ignore system config info" above):
rommon 1 > confreg 0x2142
You must reset or power cycle for the new configuration to take effect.
Issue the reset command so that the module reboots.
Because of the change made in step 2, the module boots but ignores the saved configuration, passwords included.
rommon 2 > reset

Resetting .......

rommon 3 >




3.
Switch# configure memory
(loads the saved startup-config into the running config; check show ip interface brief afterwards and no shutdown any interface that came up administratively down, otherwise you will save it shut in step 4)


4.
config t
no enable secret
enable secret <new-secret>   (pick a real secret; "cisco" is only good for the lab)
config-register 0x2102
end
wr

sh ver
.
.
.
Configuration register is 0x2142 (will be 0x2102 at next reload)


reload


cisco password recovery

Wednesday, July 23, 2014

Tuesday, July 22, 2014

Multiple SSID With Multiple VLANs (Cisco AP)

<<<Configuration on the AP - Step 1: the SSIDs>>>
conf t
dot11 ssid one
 vlan 1
 authentication open
 mbssid guest-mode
!
dot11 ssid two
 vlan 2
 authentication open
 authentication key-management wpa
 wpa-psk ascii 0 <WPA key>
 mbssid guest-mode
!
dot11 ssid three
 vlan 3
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii 0 <WPA key>
 mbssid guest-mode
!
(wpa-psk ascii 0 takes the passphrase in clear text; the running config shows it back as type 7, which is reversible obfuscation, not encryption, so protect your config backups.)
!
<<<Step 2 - Assigning the encryption to the SSIDs through their VLANs>>>
interface Dot11Radio0
 mbssid
 encryption vlan 1 mode wep mandatory
 encryption vlan 1 key 1 size 40bit <10 hex digits> transmit-key
 encryption vlan 2 mode ciphers tkip
 encryption vlan 3 mode ciphers aes-ccm
 ssid one
 ssid two
 ssid three
(WEP and TKIP were deprecated in 802.11-2012 and are practically broken; SSIDs one and two are only here to show the per-VLAN mapping. Anything carrying real traffic should look like three: WPA2 with aes-ccm.)
<<<Step 3 - Configuring the sub-interfaces for Dot11Radio0 and Ethernet>>>
AP(config)# interface Dot11Radio0.1
AP(config-subif)# encapsulation dot1Q 1 native
AP(config-subif)# bridge-group 1
AP(config-subif)# interface FastEthernet0.1
AP(config-subif)# encapsulation dot1Q 1 native
AP(config-subif)# bridge-group 1
!
AP(config)# interface Dot11Radio0.2
AP(config-subif)# encapsulation dot1Q 2
AP(config-subif)# bridge-group 2
AP(config-subif)# interface FastEthernet0.2
AP(config-subif)# encapsulation dot1Q 2
AP(config-subif)# bridge-group 2
!
AP(config)# interface Dot11Radio0.3
AP(config-subif)# encapsulation dot1Q 3
AP(config-subif)# bridge-group 3
AP(config-subif)# interface FastEthernet0.3
AP(config-subif)# encapsulation dot1Q 3
AP(config-subif)# bridge-group 3
!
AP(config)# bridge irb
AP(config)# bridge 1 route ip
AP(config)# end
AP# wr
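The three steps above repeat the same SSID/VLAN/bridge-group triple in three places, which is where the mismatches in hand-typed configs come from: a VLAN that gets an SSID but no encryption line, a WPA passphrase that is too short, a WEP key of the wrong length. The following Python script is an added example, not part of the original post and not a Cisco tool: it generates all three steps from one list of SSIDs, validates the key material, and refuses WEP/TKIP unless you explicitly ask for them. The SSID names, VLANs, keys and interface names in it are placeholders.

```python
import re

# Per-SSID security profiles: the "dot11 ssid" authentication lines and the
# cipher suite for "encryption vlan N mode ..." (WEP is handled separately).
PROFILES = {
    "open":     {"auth": ["authentication open"], "cipher": None, "legacy": False},
    "wep":      {"auth": ["authentication open"], "cipher": None, "legacy": True},
    "wpa-psk":  {"auth": ["authentication open", "authentication key-management wpa"],
                 "cipher": "ciphers tkip", "legacy": True},
    "wpa2-psk": {"auth": ["authentication open", "authentication key-management wpa version 2"],
                 "cipher": "ciphers aes-ccm", "legacy": False},
}


def validate(ssid, allow_legacy):
    """Reject key material the AP would accept silently but that is unsafe or malformed."""
    name, sec = ssid["name"], ssid["security"]
    if sec not in PROFILES:
        raise ValueError("%s: unknown security %r" % (name, sec))
    if PROFILES[sec]["legacy"] and not allow_legacy:
        raise ValueError("%s: %s means WEP/TKIP, which is broken; pass allow_legacy=True to emit it anyway" % (name, sec))
    if not 1 <= ssid["vlan"] <= 255:
        raise ValueError("%s: bridge-group numbers (here equal to the VLAN id) must be 1-255" % name)
    if sec.endswith("psk"):
        psk = ssid.get("psk", "")
        if not (8 <= len(psk) <= 63 and psk.isascii() and psk.isprintable()):
            raise ValueError("%s: WPA passphrase must be 8-63 printable ASCII characters" % name)
    if sec == "wep" and not re.fullmatch(r"[0-9a-fA-F]{10}|[0-9a-fA-F]{26}", ssid.get("wep_key", "")):
        raise ValueError("%s: WEP key must be 10 (40-bit) or 26 (104-bit) hex digits" % name)


def render(ssids, radio="Dot11Radio0", eth="FastEthernet0", native_vlan=1, allow_legacy=False):
    """Emit the three steps above from one SSID list so they cannot drift apart."""
    for s in ssids:
        validate(s, allow_legacy)
    out = []
    for s in ssids:                                    # step 1: SSID definitions
        out += ["dot11 ssid %s" % s["name"], " vlan %d" % s["vlan"]]
        out += [" " + a for a in PROFILES[s["security"]]["auth"]]
        if s["security"].endswith("psk"):
            out.append(" wpa-psk ascii 0 %s" % s["psk"])   # 0 = clear text on entry
        out += [" mbssid guest-mode", "!"]
    out += ["interface %s" % radio, " mbssid"]             # step 2: encryption per VLAN
    for s in ssids:
        v, prof = s["vlan"], PROFILES[s["security"]]
        if s["security"] == "wep":
            size = "40bit" if len(s["wep_key"]) == 10 else "128bit"
            out += [" encryption vlan %d mode wep mandatory" % v,
                    " encryption vlan %d key 1 size %s %s transmit-key" % (v, size, s["wep_key"])]
        elif prof["cipher"]:
            out.append(" encryption vlan %d mode %s" % (v, prof["cipher"]))
    out += [" ssid %s" % s["name"] for s in ssids] + ["!"]
    for s in ssids:                                    # step 3: dot1Q sub-interfaces, bridged per VLAN
        v = s["vlan"]
        tag = "encapsulation dot1Q %d%s" % (v, " native" if v == native_vlan else "")
        for base in (radio, eth):
            out += ["interface %s.%d" % (base, v), " " + tag, " bridge-group %d" % v, "!"]
    out += ["bridge irb", "bridge 1 route ip"]
    return "\n".join(out)


if __name__ == "__main__":
    # Placeholder SSIDs mirroring the page's one/two/three; the keys are not real.
    demo = [
        {"name": "one", "vlan": 1, "security": "wep", "wep_key": "11aa22bb33"},
        {"name": "two", "vlan": 2, "security": "wpa-psk", "psk": "placeholder-psk-2"},
        {"name": "three", "vlan": 3, "security": "wpa2-psk", "psk": "placeholder-psk-3"},
    ]
    print(render(demo, allow_legacy=True))
```

Without allow_legacy=True the demo list is refused at SSID one, which is the behaviour you want from anything that turns a ticket into an AP config.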
 
 
Multiple SSID With Multiple VLANs  
 

Friday, July 18, 2014

cisco controller add outdoor ap







Wednesday, July 16, 2014

Aruba LACP config

Ports GE1/0 and GE1/1 bundled into LACP group 0. Both are marked trusted for all VLANs, so traffic arriving on them bypasses the controller's user-role firewall policies; that is fine for an uplink to a trusted switch, not for anything user-facing.

interface gigabitethernet 1/0
        description "GE1/0"
        trusted
        trusted vlan 1-4094
        switchport access vlan 12
        lacp group 0 mode active
!

interface gigabitethernet 1/1
        description "GE1/1"
        trusted
        trusted vlan 1-4094
        switchport access vlan 12
        lacp group 0 mode active
!