Posts

Showing posts from March, 2020

WLC - Virtual Interface

The virtual interface is not attached to any physical port, is not routable across the network, and is used only by the WLC internally. Historically it was assigned 1.1.1.1; because that is now a live public address, the current recommendation is a non-routable address from 192.0.2.0/24 (RFC 5737 TEST-NET-1), e.g. 192.0.2.x. With DHCP proxy enabled, the WLC intercepts the client's DHCP Discover, inserts the IP address of its egress (dynamic) interface into the relay agent field (giaddr), and unicasts the packet to the configured DHCP server. When the server's response arrives, the WLC rewrites the DHCP Offer and changes the DHCP server identifier (option 54) to the virtual interface address, so the client sees the WLC virtual IP as its DHCP server. http://www.revolutionwifi.net/revolutionwifi/2011/03/explaining-dhcp-server-1111.html

WLC - ACL

WLC regular ACL
1. The regular ACL is applied to a dynamic interface. With ISE authorization, a new ACL can override the interface ACL and is applied to the client session.
2. Controller ACLs cannot block the virtual IP address, and hence cannot block DHCP packets for wireless clients.
3. ACLs do not affect broadcast or multicast traffic, so DHCP is not blocked.
4. ACL direction is from the standpoint of the WLC. To permit a conversation you need one inbound rule and one outbound rule.
5. The ACL is created on the WLC; the ISE authorization profile only applies the Airespace ACL name to the wireless client session.
6. The ACL is applied to the wireless client session only when the AP works in local mode or in FlexConnect mode with central switching. In these setups all user data is sent to the WLC through the CAPWAP tunnel and then from the WLC to the wired network.

WLC FlexConnect ACL
1. The FlexConnect ACL is used when the AP is in FlexConnect mode and the WLAN is in local switching mode. In this case client data traffic is not sent to the WLC; instead, switching loc
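The direction rule (point 4) and the DHCP exceptions (points 2 and 3) are the parts of this list that get misconfigured in practice, so here is an added example, not from the original post and not Cisco code, that models them on constructed packets: a minimal first-match ACL evaluator in which direction is judged from the WLC's standpoint, the virtual IP and broadcast/multicast destinations bypass the ACL, and a missing return rule shows up as a dropped DNS reply. The virtual IP 192.0.2.1, the client subnet, the DNS server address and the rule sets are assumptions.

```python
"""Cisco WLC ACL direction semantics, modelled on constructed packets.

Added example, not from the original post and not Cisco code. It applies the
rules listed above: direction is judged from the WLC's standpoint, first match
wins with an implicit deny, traffic to or from the virtual IP is never blocked,
and broadcast/multicast destinations are not subject to the ACL. The virtual
IP, client subnet and DNS server address are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

VIRTUAL_IP = ipaddress.ip_address("192.0.2.1")      # assumed WLC virtual interface
BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    direction: str                    # "inbound" = wireless client -> WLC, "outbound" = WLC -> client
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str                        # "udp", "tcp", "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    direction: str                    # "inbound", "outbound" or "any"
    src: str                          # CIDR
    dst: str                          # CIDR
    proto: str = "any"
    dport: Optional[int] = None       # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in ("any", pkt.direction)
                and pkt.src in ipaddress.ip_network(self.src)
                and pkt.dst in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """'permit' or 'deny' for one packet, as the controller would decide it."""
    if VIRTUAL_IP in (pkt.src, pkt.dst):               # point 2: DHCP proxied via the virtual IP
        return "permit"
    if pkt.dst.is_multicast or pkt.dst == BROADCAST:   # point 3: broadcast/multicast
        return "permit"
    for rule in acl:                                   # first match wins
        if rule.matches(pkt):
            return rule.action
    return "deny"                                      # implicit deny at the end


CLIENT_NET = "10.20.0.0/16"
DNS_SERVER = "10.10.10.53"
CLIENT = ipaddress.ip_address("10.20.1.50")

# Wrong: only client -> DNS is permitted, so the DNS reply hits the implicit deny.
ONE_WAY_ACL = [Rule("permit", "inbound", CLIENT_NET, DNS_SERVER + "/32", "udp", 53)]

# Right (point 4): one inbound and one outbound rule for the same conversation.
TWO_WAY_ACL = ONE_WAY_ACL + [Rule("permit", "outbound", DNS_SERVER + "/32", CLIENT_NET, "udp")]

DENY_ALL = [Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0")]


def dns_exchange(acl: List[Rule]):
    """(query verdict, reply verdict) for a client DNS lookup through acl."""
    query = Packet("inbound", CLIENT, ipaddress.ip_address(DNS_SERVER), "udp", 53)
    reply = Packet("outbound", ipaddress.ip_address(DNS_SERVER), CLIENT, "udp", 40000)
    return evaluate(acl, query), evaluate(acl, reply)


def dhcp_exchange(acl: List[Rule]):
    """(Discover verdict, Offer verdict): DHCP passes even a deny-all ACL."""
    discover = Packet("inbound", ipaddress.ip_address("0.0.0.0"), BROADCAST, "udp", 67)
    offer = Packet("outbound", VIRTUAL_IP, CLIENT, "udp", 68)
    return evaluate(acl, discover), evaluate(acl, offer)


if __name__ == "__main__":
    print("one-way DNS ACL :", dns_exchange(ONE_WAY_ACL))
    print("two-way DNS ACL :", dns_exchange(TWO_WAY_ACL))
    print("DHCP vs deny-all:", dhcp_exchange(DENY_ALL))
```

The one-way ACL permits the query and drops the reply; adding the outbound rule fixes it, while DHCP via the virtual IP or broadcast passes even the deny-all ACL, which is why an Airespace ACL can never be relied on to stop a client from obtaining a lease.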

DHCP, DHCP relay & DHCP snooping

Regular DHCP packets
1. The PC sends a DHCP Discover as broadcast; it contains the IP previously assigned to it (option 50, Requested IP Address). We see two Discover packets here; note the previously assigned IP 192.168.2.205.
2. The DHCP server responds with a DHCP Offer, also broadcast.
3. The PC sends a DHCP Request, also broadcast. It carries the DHCP server IP (option 54, Server Identifier) to confirm whose assignment the PC will take.
4. The DHCP server acknowledges the request with a DHCP Ack.
5. The PC sends an ARP probe to verify that no duplicate IP exists on the network.
6. If the PC gets an ARP reply, indicating a duplicate IP on the network, it sends a DHCP Decline and restarts with a new DHCP Discover. Note that the new Discover carries no previously assigned IP.
7. The PC may send a DHCP Inform to obtain other parameters such as default gateway and DNS.
================================================================
Issue when "Device tracking" is enabled on the access switch
Symptoms: the DHCP server has lots of IPs marked as BAD_ADDRESS when assigning IPs.
Cause: access switch
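To make the exchange above and the WLC DHCP-proxy rewrite from the virtual interface post concrete, here is an added example, not code from either original post: it builds the Discover, Offer and Request messages, decodes the options the text relies on (50 Requested IP Address in the Discover, 54 Server Identifier in the Request) and applies the two edits a WLC in DHCP-proxy mode makes, giaddr set to its egress interface on the way to the server and option 54 replaced by the virtual IP on the way back. The client MAC, the transaction ID and all addresses (server 10.10.10.5, WLC egress 10.10.20.2, virtual IP 192.0.2.1) are constructed sample values, not from a capture.

```python
"""DHCP messages and the WLC DHCP-proxy rewrite.

Added example, not code from the original posts: it builds the Discover /
Offer / Request exchange described above, decodes the options the text relies
on (50 Requested IP Address in the Discover, 54 Server Identifier in the
Request) and applies the two edits a WLC in DHCP-proxy mode makes: giaddr set
to its egress interface towards the server, and option 54 replaced by the
virtual IP towards the client. MAC, xid and addresses are constructed samples.
"""
import ipaddress
import struct
from typing import Dict

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 53, 54, 255
DISCOVER, OFFER, REQUEST = 1, 2, 3
BOOTREQUEST, BOOTREPLY = 1, 2
FLAG_BROADCAST = 0x8000


def ip4(addr: str) -> bytes:
    """Dotted-quad string to the 4 packed bytes DHCP carries."""
    return ipaddress.IPv4Address(addr).packed


def encode_options(opts: Dict[int, bytes]) -> bytes:
    out = MAGIC_COOKIE
    for code, value in opts.items():
        out += bytes([code, len(value)]) + value
    return out + bytes([OPT_END])


def build(op: int, xid: int, chaddr: bytes, opts: Dict[int, bytes], ciaddr="0.0.0.0",
          yiaddr="0.0.0.0", siaddr="0.0.0.0", giaddr="0.0.0.0", broadcast=True) -> bytes:
    """RFC 2131 fixed header (236 bytes) followed by the options field."""
    fixed = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, FLAG_BROADCAST if broadcast else 0)
    fixed += ip4(ciaddr) + ip4(yiaddr) + ip4(siaddr) + ip4(giaddr)
    fixed += chaddr.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128   # chaddr, sname, file
    return fixed + encode_options(opts)


def parse(pkt: bytes) -> dict:
    op, _htype, _hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    addrs = [str(ipaddress.IPv4Address(pkt[i:i + 4])) for i in (12, 16, 20, 24)]
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                # pad option has no length byte
            i += 1
            continue
        length = pkt[i + 1]
        opts[pkt[i]] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "broadcast": bool(flags & FLAG_BROADCAST),
            "ciaddr": addrs[0], "yiaddr": addrs[1], "siaddr": addrs[2], "giaddr": addrs[3],
            "options": opts}


def wlc_relay_to_server(pkt: bytes, egress_ip: str) -> bytes:
    """Client -> server: the WLC writes its egress interface address into giaddr
    (bytes 24..27) and unicasts the message to the configured DHCP server."""
    return pkt[:24] + ip4(egress_ip) + pkt[28:]


def wlc_rewrite_reply(pkt: bytes, virtual_ip: str) -> bytes:
    """Server -> client: the WLC replaces the Server Identifier (option 54) with
    its virtual interface address, so the client never learns the real server."""
    opts = dict(parse(pkt)["options"])
    opts[OPT_SERVER_ID] = ip4(virtual_ip)
    return pkt[:236] + encode_options(opts)


def simulate_lease(previous_ip="192.168.2.205", server_ip="10.10.10.5",
                   egress_ip="10.10.20.2", virtual_ip="192.0.2.1") -> dict:
    """Walk steps 1-3 and 6 of the exchange above through a proxying WLC."""
    xid, mac = 0x3903F326, bytes.fromhex("0011223344aa")       # constructed values
    # 1. Discover (broadcast); option 50 carries the address the PC held before.
    discover = build(BOOTREQUEST, xid, mac,
                     {OPT_MSG_TYPE: bytes([DISCOVER]), OPT_REQUESTED_IP: ip4(previous_ip)})
    to_server = parse(wlc_relay_to_server(discover, egress_ip))
    # 2. Offer as the real server sends it back to giaddr.
    offer = build(BOOTREPLY, xid, mac,
                  {OPT_MSG_TYPE: bytes([OFFER]), OPT_SERVER_ID: ip4(server_ip)},
                  yiaddr=previous_ip, siaddr=server_ip, giaddr=egress_ip)
    to_client = parse(wlc_rewrite_reply(offer, virtual_ip))
    # 3. Request: the PC echoes the server identifier it saw, i.e. the virtual IP.
    request = parse(build(BOOTREQUEST, xid, mac,
                          {OPT_MSG_TYPE: bytes([REQUEST]),
                           OPT_REQUESTED_IP: ip4(to_client["yiaddr"]),
                           OPT_SERVER_ID: to_client["options"][OPT_SERVER_ID]}))
    # 6. After a Decline the PC starts over; the fresh Discover has no option 50.
    restart = parse(build(BOOTREQUEST, xid + 1, mac, {OPT_MSG_TYPE: bytes([DISCOVER])}))
    as_ip = lambda b: str(ipaddress.IPv4Address(b))
    return {
        "discover_is_broadcast": parse(discover)["broadcast"],
        "discover_requested_ip": as_ip(parse(discover)["options"][OPT_REQUESTED_IP]),
        "giaddr_seen_by_server": to_server["giaddr"],
        "real_server_id": server_ip,
        "server_id_seen_by_client": as_ip(to_client["options"][OPT_SERVER_ID]),
        "request_server_id": as_ip(request["options"][OPT_SERVER_ID]),
        "restart_has_requested_ip": OPT_REQUESTED_IP in restart["options"],
    }


if __name__ == "__main__":
    for key, value in simulate_lease().items():
        print(f"{key:26s} {value}")
```

Running it shows the server seeing the WLC egress address in giaddr, the client seeing 192.0.2.1 rather than 10.10.10.5 as its server, and the Request echoing that virtual address, which is exactly why a client-side capture on a proxying WLC never reveals the real DHCP server.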

Wireless FlexConnect and ISE

Domain Machine & User Authentication and Authorization with FlexConnect Central Switching
1. When a domain PC boots, it uses its domain computer account to connect to the 802.1X WLAN if the profile was previously configured to connect automatically.
2. The controller interface can have a default ACL. When the ISE authorization profile specifies an Airespace ACL for a wireless session, the default ACL is replaced with the Airespace ACL. This Airespace ACL must exist on the WLC; ISE only sends the ACL name. Normally this Airespace ACL allows only DNS/DHCP and denies everything else.
3. When a domain user logs in to the PC, a user authentication request is sent to ISE. Based on the user's AD group, the ISE authorization profile can assign a new Airespace ACL; ISE then sends a CoA to the WLC, and the WLC replaces the ACL on the client's session.

Cisco Wireless AP

Understanding Access Point OS Images

AP 2700 image recovery (AP powered up with empty flash), at the ap: prompt:
dir flash:
set IP_ADDR 10.0.0.1
set NETMASK 255.255.255.0
set DEFAULT_ROUTER             --- optional
tftp_init
tar -xtract tftp://10.0.0.88/ap3g2-rcvk9w8-tar.153-3.JPO.tar flash:
boot flash:ap3g2-rcvk9w8-mx

Reset the CAPWAP Configuration on Cisco IOS and ClickOS APs
https://www.cisco.com/c/en/us/support/docs/wireless/aironet-1200-series/99763-reset-lwappconfig-lap.html#toc-hId--466648378
===
1. Connect the console cable.
2. Unplug the power, or the network cable if the AP is powered by a PoE switch.
3. Press and hold the Mode button.
4. Plug the power back into the AP.
5. Wait until the console output says "button is pressed. Wait for button to be released…".
6. Once that message is displayed, release the button and allow the AP to boot. You should now be at the ap: prompt.
7. Type dir flash:
8. Enter the command delete flash:private-multiple-fs and press y when prompted.
9. Type reset to reboot the AP.
Username: Cisco Password: Cisc

ISE - WebAuth

For devices that don't support 802.1X, MAB can be used to authenticate with ISE, but MAB is not secure (a MAC address is trivially spoofed) and it doesn't support user authentication. Where user authentication is required, WebAuth can be used along with MAB to let the user enter credentials through a web page. CWA (Central Web Authentication) is configured on ISE and on the NAD (switch and WLC). In a wired environment, a non-802.1X PC connects to a MAB-enabled port and MAB authentication is initiated. On ISE, the endpoint first passes wired MAB authentication; the authorization policy condition can be MAB plus other requirements such as office location, and the authorization profile defines a dACL to be downloaded to the switch port. This dACL, also called the captive portal dACL, allows only web traffic, DNS and access to the ISE portal. ISE also sends the redirect URL and the name of the redirect ACL; that ACL must exist on the switch, since only its name is sent from ISE. When the user logs in to the non-802.1X PC, opens a browser and types a URL, becaus