Using MIB Browser for SNMP Walk/Query

At times you need a quick and easy way to do an SNMP walk/query for specific OIDs of your managed devices for troubleshooting purposes.

This can be done using the open/free SNMP tools available on the internet. I found the iReasoning MIB Browser quick, helpful and easy.

http://ireasoning.com/mibbrowser.shtml

Install the MIB Browser and add your managed device using SNMP v2/v3.

Configure the MIB Browser as follows: Tools > Options > Agent > Add > add the managed device IP address and the community string.

Get the correct MIB file for your managed device. I am using a Cisco WLC as the managed device and downloaded the MIB from the Cisco support site.

http://software.cisco.com/download/release.html?mdfid=284493532&flowid=34542&softwareid=280775088&release=8.0&relind=AVAILABLE&rellifecycle=&reltype=latest

Load the correct MIB file in the MIB Browser: File > Load MIBs > choose the file location.

Browse and poll for the related OID.

I am polling for the AP native VLAN ID as follows:

If you know the OID, you can use it directly and do a GET to retrieve the related information:

Hope this would be helpful.


SNMPWALK from Prime Infrastructure

Many a time, when information is not polled correctly on Cisco PI from your WLC or any other added device, you would like to check whether the device is responding to the SNMP queries sent by Cisco Prime at all.

An SNMP walk is a good test to check whether you are getting any SNMP response from the managed devices. Following is the syntax for SNMPv2 and SNMPv3 for doing an SNMP walk from your Cisco Prime.

You need root access to run snmpwalk on the Cisco Prime.

SNMPWALK VERSION 2

nms-pi/admin# root
Enter root patch password :
Starting root bash shell ...
ade # su -
[root@nms-pi ~]# snmpwalk -v2c -c <community> <ip>

You can also follow this with the OID or the MIB object name you want to query, for example:

[root@nms-pi ~]# snmpwalk -v2c -c bharath 10.10.10.10 1.3.6.1.4.1.9.9.513.1.2.10.1.2
[root@nms-pi ~]# snmpwalk -v2c -c bharath 10.10.10.10 cLApDot11RadioRateStatsRxPackets

SNMPWALK VERSION 3

[root@nms-pi ~]# snmpwalk -v3 -l <noAuthNoPriv|authNoPriv|authPriv> -u <username> [-a <MD5|SHA>] [-A <authphrase>] [-x <DES|AES>] [-X <privphrase>] <ipaddress>[:<dest_port>]

[root@nms-pi ~]#snmpwalk -v3 -u piv3user -l authPriv -a SHA -A piv3user1234 -x AES -X piv3user1234 10.10.10.1 cLApDot11RadioRateStatsRxPackets
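Wrapping the two snmpwalk checks above so a script can tell "device answers" from "timeout" or "wrong OID", as an added example (not from the original post or from Cisco). It assumes net-snmp's snmpwalk is on the PATH, as it is in the Prime root shell; the sample outputs at the bottom are constructed to mirror net-snmp's output format, not captured from a real WLC.

```python
"""Build the v2c/v3 snmpwalk commands from the post and classify their output.
Added example; assumes net-snmp's snmpwalk.  Samples below are constructed."""
import re
import subprocess


def build_v2c(target, community, oid=""):
    """snmpwalk -v2c -c <community> <ip> [oid].
    v2c sends the community string in clear text; prefer v3 authPriv where the
    device supports it."""
    cmd = ["snmpwalk", "-v2c", "-c", community, target]
    return cmd + ([oid] if oid else [])


def build_v3(target, user, level="authPriv", auth_proto="SHA", auth_pass=None,
             priv_proto="AES", priv_pass=None, oid=""):
    """snmpwalk -v3 -l <level> -u <user> [-a/-A] [-x/-X] <ip> [oid]."""
    if level not in ("noAuthNoPriv", "authNoPriv", "authPriv"):
        raise ValueError(f"bad security level {level!r}")
    cmd = ["snmpwalk", "-v3", "-l", level, "-u", user]
    if level != "noAuthNoPriv":
        if not auth_pass:
            raise ValueError("auth passphrase required for " + level)
        cmd += ["-a", auth_proto, "-A", auth_pass]
    if level == "authPriv":
        if not priv_pass:
            raise ValueError("priv passphrase required for authPriv")
        cmd += ["-x", priv_proto, "-X", priv_pass]
    # Passphrases passed with -A/-X are visible in `ps` to every user on the
    # box and land in shell history; net-snmp can read them from snmp.conf
    # (defAuthPassphrase / defPrivPassphrase) instead.
    return cmd + [target] + ([oid] if oid else [])


# One net-snmp result line:  <oid> = <TYPE>: <value>
LINE_RE = re.compile(r"^(?P<oid>\S+) = (?P<type>[A-Za-z0-9-]+): ?(?P<value>.*)$")


def parse_walk(output):
    """Classify snmpwalk output.  Returns (status, rows): status is one of
    ok / timeout / no-such-object / empty, rows is [(oid, type, value)]."""
    rows = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Timeout:"):            # no SNMP reply at all
            return "timeout", rows
        if "No Such Object" in line or "No Such Instance" in line:
            return "no-such-object", rows          # device answers, OID wrong
        m = LINE_RE.match(line)
        if m:
            rows.append((m.group("oid"), m.group("type"),
                         m.group("value").strip('"')))
    return ("ok" if rows else "empty"), rows


def run_walk(cmd, timeout=60):
    """Run a built command against a live target and classify its output."""
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    return parse_walk(proc.stdout + proc.stderr)


# Constructed samples in net-snmp's output format (not real WLC output).
SAMPLE_OK = """\
SNMPv2-SMI::enterprises.9.9.513.1.2.10.1.2.1.2.0.1 = Counter32: 48213
SNMPv2-SMI::enterprises.9.9.513.1.2.10.1.2.1.2.0.2 = Counter32: 9017
"""
SAMPLE_TIMEOUT = "Timeout: No Response from 10.10.10.10\n"
SAMPLE_BAD_OID = ("SNMPv2-SMI::enterprises.9.9.513.9 = "
                  "No Such Object available on this agent at this OID\n")

if __name__ == "__main__":
    print(build_v3("10.10.10.1", "piv3user", auth_pass="<auth>",
                   priv_pass="<priv>", oid="cLApDot11RadioRateStatsRxPackets"))
    print(parse_walk(SAMPLE_OK))
```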

Hope this would be helpful.

CCIE Wireless v3.1 Written Topics

Cisco is changing the CCIE Wireless Exam from July 25th 2016. Following are the written exam topics.


Source: https://learningnetwork.cisco.com/community/certifications/ccie_wireless/written-exam-v3/exam-topics

https://learningcontent.cisco.com/cln_storage/text/cln/marketing/exam-topics/400-351-w-cciewireless-v31.pdf

Written Topics:
=============

11% 1.0 Planning & Designing WLAN Technologies
1.1 Describe WLAN organizations and regulations
1.2 Describe IEEE 802.11 standards and protocols
1.3 Plan & design wireless solutions requirements
1.3.a Translate customer requirements into services and design recommendations
1.3.b Identify ambiguity and/or information gaps
1.3.c Evaluate interoperability of proposed technologies against deployed IP network infrastructure & technologies
1.3.d Select an appropriate deployment model
1.3.e Regulatory domains and country codes
1.4 RF planning, designing and validation
1.4.a RF Design / Site survey
1.4.a [i] Define the tasks/goals for a preliminary site survey
1.4.a [ii] Conduct the site survey
1.4.a [iii] Determine AP quantity, placement and antenna type
1.4.b Architect indoor and outdoor RF deployments
1.4.b [i] Coverage
1.4.b [ii] Throughput
1.4.b [iii] Voice
1.4.b [iv] Location
1.4.b [v] HD
1.4.c Construct an RF operational model that includes:
1.4.c [i] Radio resource management (Auto-RF, manual, hybrid, TPC and DCA)
1.4.c [ii] Channel use (radar, non-WiFi interference)
1.4.c [iii] Power level, overlap
1.4.c [iv] RF profiles
1.4.d Validate implemented RF deployment
10% 2.0 Configure and Troubleshoot the Network Infrastructure
2.1 Configure and troubleshoot wired infrastructure to support WLANs
2.1.a VLANs
2.1.b VTP
2.1.c STP
2.1.d Etherchannel
2.1.e HSRP
2.1.f VSS
2.1.g Stacking
2.2 Plan network infrastructure capacity
2.3 Configure and troubleshoot network connectivity for:
2.3.a WLAN clients
2.3.b WLCs
2.3.c Lightweight APs
2.3.d Autonomous APs
2.4 Configure and troubleshoot PoE for APs
2.5 Configure and troubleshoot QoS on the switching infrastructure
2.5.a MQC
2.5.b Mls qos
2.6 Configure and troubleshoot multicast on the switching infrastructure
2.6.a PIM-SM
2.6.b Auto-RP
2.6.c Static-RP
2.6.d IGMP
2.6.e IGMP snooping
2.6.f MLD
2.7 Configure and troubleshoot IPv4 connectivity
2.7.a Subnetting
2.7.b Static routing
2.7.c Basic OSPF
2.7.d Basic EIGRP
2.8 Configure and troubleshoot basic IPv6 connectivity
2.8.a Subnetting
2.8.b Static routing
2.8.c Basic OSPFv3
2.8.d Basic EIGRP address families
2.9 Configure and troubleshoot wired security
2.9.a ACLs (v4/v6)
2.9.b dot1X
2.9.c Port-security
2.9.d SXP, SGT
2.10 Configure and troubleshoot network services
2.10.a DNS
2.10.b DHCPv4 / DHCPv6
2.10.c NTP, SNTP
2.10.d SYSLOG
2.10.e SNMP
2.10.f CDP, LLDP
2.10.g SDG, mDNS
10% 3.0 Configure and Troubleshoot an Autonomous Deployment Model
3.1 Configuring and troubleshooting different modes and roles
3.1.a Root
3.1.b WGB
3.1.c Bridge
3.2 Configuring and troubleshooting SSID/MBSSID
3.3 Configuring and troubleshooting security
3.3.a L2 security policies
3.3.b Association filters
3.3.c PSPF
3.3.d Local radius
3.3.e dot1x profiles
3.3.f Guest
3.4 Configuring and troubleshooting radio settings
3.5 Configuring and troubleshooting multicast
3.6 Configuring and troubleshooting QoS
18% 4.0 Configure and Troubleshoot a Unified Deployment Model (Centralized)
4.1 Configuring and controlling management access
4.2 Configuring and troubleshooting interfaces
4.3 Configuring and troubleshooting lightweight APs
4.3.a dot1x
4.3.b LSC
4.3.c AP modes
4.3.d AP authentication / authorization
4.3.e Logging
4.3.f Local / global configuration
4.4 Configuring and troubleshooting high availability and redundancy
4.4.a Clients
4.4.b APs
4.4.c WLCs
4.5 Configuring and troubleshooting wireless segmentation
4.5.a RF profiles
4.5.b AP groups
4.5.c Flexconnect
4.6 Configuring and troubleshooting wireless security policies
4.6.a WLANs
4.6.b L2/L3 security
4.6.c Rogue policies
4.6.d Local EAP
4.6.e Local profiling
4.6.f ACLs
4.6.g Certificates
4.7 Configuring and troubleshooting Flexconnect and Office Extend
4.8 Configuring and troubleshooting Mesh
4.9 Implement RF management
4.9.a Static RF management
4.9.b Automatic RF management
4.9.c CleanAir
4.9.d Data rates
4.10 Configuring and troubleshooting WLC control plane security
4.10.a AAA
4.10.b CPU ACLs
4.10.c Management via wireless interface
4.10.d Management via dynamic interface
4.11 Configuring and troubleshooting mobility
4.11.a L2/L3 roaming
4.11.b Multicast optimization
4.11.c Mobility group scaling
4.11.d Inter-release controller mobility
4.11.e New mobility
4.11.f Mobility anchoring
4.12 Configuring and troubleshooting multicast
11% 5.0 Configure and Troubleshoot a Unified Deployment Model (Converged)
5.1 Configuring and controlling management access
5.2 Configuring and troubleshooting Interfaces
5.3 Configuring and troubleshooting lightweight APs
5.3.a dot1x
5.3.b AP authentication / authorization
5.3.c Logging
5.3.d Local / global configuration
5.4 Configuring and troubleshooting high availability and redundancy
5.4.a Clients
5.4.b APs
5.4.c WLCs
5.5 Configuring and troubleshooting wireless segmentation
5.5.a RF profiles
5.5.b AP groups
5.6 Configuring and Troubleshooting wireless security policies
5.6.a WLANs
5.6.b L2/L3 security
5.6.c Rogue policies
5.6.d Local EAP
5.6.e ACLs
5.6.f Certificates
5.7 Implement RF management
5.7.a Static RF management
5.7.b Automatic RF management
5.7.c CleanAir
5.7.d Data rates
5.8 Configuring and troubleshooting WLC control plane security
5.8.a AAA
5.8.b Basic control plane policing
5.9 Configuring and troubleshooting mobility
5.9.a L2/L3 roaming
5.9.b Multicast optimization
5.9.c Mobility group scaling
5.9.d Inter-release controller mobility
5.9.e Mobility anchoring
5.9.f SPG
5.9.g MC/MA
5.10 Configuring and troubleshooting multicast
10% 6.0 Configure and Troubleshoot Security & Identity Management
6.1 Configure and troubleshoot identity management
6.1.a Basic PKI for dot1x and webauth
6.1.b External identity sources (AD, LDAP)
6.2 Configure and troubleshoot AAA policies
6.2.a Client authentication and authorization
6.2.b Management authentication and authorization
6.2.c Client profiling and provisioning
6.2.d RADIUS attributes
6.2.e CoA
6.3 Configure and troubleshoot guest management
6.3.a Local web authentication
6.3.b Central web authentication
6.3.c Basic sponsor policy
10% 7.0 Configure and Troubleshoot Prime Infrastructure and MSE
7.1 Configure and troubleshoot management access
7.1.a AAA
7.1.b Virtual domain
7.2 Perform basic operations
7.2.a Create and deploy templates
7.2.b Operate maps
7.2.c Import infrastructure devices
7.2.d High availability
7.2.e Audits
7.2.f Client troubleshooting
7.2.g Notification receivers
7.2.h Reports
7.3 Perform maintenance operations
7.3.a Background tasks
7.3.b SW image management
7.4 Security management
7.4.a Understand rogue management
7.4.b Manage alarms and events
7.4.c Understand security index
7.5 Implement and troubleshoot MSE
7.5.a Management access
7.5.b Network services
7.5.b [i] Location
7.5.b [ii] CMX
7.5.b [iii] CleanAir
7.5.b [iv] WIPS
7.5.c NMSP
7.6 Integrate ISE
7.7 Integrate netflow
10% 8.0 Configure and Troubleshoot WLAN media and application services
8.1 Configure and troubleshoot voice over wireless
8.1.a QoS profiles
8.1.b EDCA
8.1.c WMM
8.1.d BDRL
8.1.e Admission control
8.1.f MQC
8.2 Configuring and troubleshooting video and media
8.2.a Mediastream
8.2.b Multicast-direct
8.2.c Admission control
8.3 Configuring and troubleshooting mDNS
8.3.a mDNS proxy
8.3.b Service discovery
8.3.c Service filtering
8.4 Configuring and troubleshooting AVC and netflow
10% 9.0 Evolving Technologies
9.1 Cloud
9.1.a Compare and contrast Cloud deployment models
9.1.a (i) Infrastructure, platform, and software services (XaaS)
9.1.a (ii) Performance and reliability
9.1.a (iii) Security and privacy
9.1.a (iv) Scalability and interoperability
9.1.b Describe Cloud implementations and operations
9.1.b (i) Automation and orchestration
9.1.b (ii) Workload mobility
9.1.b (iii) Troubleshooting and management
9.1.b (iv) OpenStack components
9.2 Network programmability (SDN)
9.2.a Describe functional elements of network programmability (SDN) and how they interact
9.2.a (i) Controllers
9.2.a (ii) APIs
9.2.a (iii) Scripting
9.2.a (iv) Agents
9.2.a (v) Northbound vs. Southbound protocols
9.2.b Describe aspects of virtualization and automation in network environments
9.2.b (i) DevOps methodologies, tools and workflows
9.2.b (ii) Network/application function virtualization (NFV, AFV)
9.2.b (iii) Service function chaining
9.2.b (iv) Performance, availability, and scaling considerations
9.3 Internet of Things
9.3.a Describe architectural framework and deployment considerations for Internet of Things (IoT)
9.3.a (i) Performance, reliability and scalability
9.3.a (ii) Mobility
9.3.a (iii) Security and privacy
9.3.a (iv) Standards and compliance
9.3.a (v) Migration
9.3.a (vi) Environmental impacts on the network

Thanks…

CCIE Wireless v3.0 Written and Lab Topics

With effect from July 26th 2016, Cisco is changing the CCIE Wireless Written Exam. Following is the list of existing topics for the 3.0 version. The next post will cover the 3.1 topics.

Source: https://learningnetwork.cisco.com/community/certifications/ccie_wireless/written-exam-v3/exam-topics


Written Topics:
============


1.0 Planning & Designing WLAN Technologies (14%)
1.1 Describe WLAN organizations and regulations
1.2 Describe IEEE 802.11 standards and protocols
1.3 Plan & design wireless solutions requirements
1.3.a Translate customer requirements into services and design recommendations
1.3.b Identify ambiguity and/or information gaps
1.3.c Evaluate interoperability of proposed technologies against deployed IP network infrastructure & technologies
1.3.d Select an appropriate deployment model
1.3.e Regulatory domains and country codes
1.4 RF planning, designing and validation
1.4.a RF Design / Site survey
1.4.a [i] Define the tasks/goals for a preliminary site survey
1.4.a [ii] Conduct the site survey
1.4.a [iii] Determine AP quantity, placement and antenna type
1.4.b Architect indoor and outdoor RF deployments
1.4.b [i] Coverage
1.4.b [ii] Throughput
1.4.b [iii] Voice
1.4.b [iv] Location
1.4.b [v] HD
1.4.c Construct an RF operational model that includes:
1.4.c [i] Radio resource management (Auto-RF, manual, hybrid, TPC and DCA)
1.4.c [ii] Channel use (radar, non-WiFi interference)
1.4.c [iii] Power level, overlap
1.4.c [iv] RF profiles
1.4.d Validate implemented RF deployment
2.0 Configure and Troubleshoot the Network Infrastructure (10%)
2.1 Configure and troubleshoot wired infrastructure to support WLANs
2.1.a VLANs
2.1.b VTP
2.1.c STP
2.1.d Etherchannel
2.1.e HSRP
2.1.f VSS
2.1.g Stacking
2.2 Plan network infrastructure capacity
2.3 Configure and troubleshoot network connectivity for:
2.3.a WLAN clients
2.3.b WLCs
2.3.c Lightweight APs
2.3.d Autonomous APs
2.4 Configure and troubleshoot PoE for APs
2.5 Configure and troubleshoot QoS on the switching infrastructure
2.5.a MQC
2.5.b Mls qos
2.6 Configure and troubleshoot multicast on the switching infrastructure
2.6.a PIM-SM
2.6.b Auto-RP
2.6.c Static-RP
2.6.d IGMP
2.6.e IGMP snooping
2.6.f MLD
2.7 Configure and troubleshoot IPv4 connectivity
2.7.a Subnetting
2.7.b Static routing
2.7.c Basic OSPF
2.7.d Basic EIGRP
2.8 Configure and troubleshoot basic IPv6 connectivity
2.8.a Subnetting
2.8.b Static routing
2.8.c Basic OSPFv3
2.8.d Basic EIGRP address families
2.9 Configure and troubleshoot wired security
2.9.a ACLs (v4/v6)
2.9.b dot1X
2.9.c Port-security
2.9.d SXP, SGT
2.10 Configure and troubleshoot network services
2.10.a DNS
2.10.b DHCPv4 / DHCPv6
2.10.c NTP, SNTP
2.10.d SYSLOG
2.10.e SNMP
2.10.f CDP, LLDP
2.10.g SDG, mDNS
3.0 Configure and Troubleshoot an Autonomous Deployment Model (10%)
3.1 Configuring and troubleshooting different modes and roles
3.1.a Root
3.1.b WGB
3.1.c Bridge
3.2 Configuring and troubleshooting SSID/MBSSID
3.3 Configuring and troubleshooting security
3.3.a L2 security policies
3.3.b Association filters
3.3.c PSPF
3.3.d Local radius
3.3.e dot1x profiles
3.3.f Guest
3.4 Configuring and troubleshooting radio settings
3.5 Configuring and troubleshooting multicast
3.6 Configuring and troubleshooting QoS
4.0 Configure and Troubleshoot a Unified Deployment Model (Centralized) (20%)
4.1 Configuring and controlling management access
4.2 Configuring and troubleshooting interfaces
4.3 Configuring and troubleshooting lightweight APs
4.3.a dot1x
4.3.b LSC
4.3.c AP modes
4.3.d AP authentication / authorization
4.3.e Logging
4.3.f Local / global configuration
4.4 Configuring and troubleshooting high availability and redundancy
4.4.a Clients
4.4.b APs
4.4.c WLCs
4.5 Configuring and troubleshooting wireless segmentation
4.5.a RF profiles
4.5.b AP groups
4.5.c Flexconnect
4.6 Configuring and troubleshooting wireless security policies
4.6.a WLANs
4.6.b L2/L3 security
4.6.c Rogue policies
4.6.d Local EAP
4.6.e Local profiling
4.6.f ACLs
4.6.g Certificates
4.7 Configuring and troubleshooting Flexconnect and Office Extend
4.8 Configuring and troubleshooting Mesh
4.9 Implement RF management
4.9.a Static RF management
4.9.b Automatic RF management
4.9.c CleanAir
4.9.d Data rates
4.10 Configuring and troubleshooting WLC control plane security
4.10.a AAA
4.10.b CPU ACLs
4.10.c Management via wireless interface
4.10.d Management via dynamic interface
4.11 Configuring and troubleshooting mobility
4.11.a L2/L3 roaming
4.11.b Multicast optimization
4.11.c Mobility group scaling
4.11.d Inter-release controller mobility
4.11.e New mobility
4.11.f Mobility anchoring
4.12 Configuring and troubleshooting multicast
5.0 Configure and Troubleshoot a Unified Deployment Model (Converged) (14%)
5.1 Configuring and controlling management access
5.2 Configuring and troubleshooting Interfaces
5.3 Configuring and troubleshooting lightweight APs
5.3.a dot1x
5.3.b AP authentication / authorization
5.3.c Logging
5.3.d Local / global configuration
5.4 Configuring and troubleshooting high availability and redundancy
5.4.a Clients
5.4.b APs
5.4.c WLCs
5.5 Configuring and troubleshooting wireless segmentation
5.5.a RF profiles
5.5.b AP groups
5.6 Configuring and Troubleshooting wireless security policies
5.6.a WLANs
5.6.b L2/L3 security
5.6.c Rogue policies
5.6.d Local EAP
5.6.e ACLs
5.6.f Certificates
5.7 Implement RF management
5.7.a Static RF management
5.7.b Automatic RF management
5.7.c CleanAir
5.7.d Data rates
5.8 Configuring and troubleshooting WLC control plane security
5.8.a AAA
5.8.b Basic control plane policing
5.9 Configuring and troubleshooting mobility
5.9.a L2/L3 roaming
5.9.b Multicast optimization
5.9.c Mobility group scaling
5.9.d Inter-release controller mobility
5.9.e Mobility anchoring
5.9.f SPG
5.9.g MC/MA
5.10 Configuring and troubleshooting multicast
6.0 Configure and Troubleshoot Security & Identity Management (12%)
6.1 Configure and troubleshoot identity management
6.1.a Basic PKI for dot1x and webauth
6.1.b External identity sources (AD, LDAP)
6.2 Configure and troubleshoot AAA policies
6.2.a Client authentication and authorization
6.2.b Management authentication and authorization
6.2.c Client profiling and provisioning
6.2.d RADIUS attributes
6.2.e CoA
6.3 Configure and troubleshoot guest management
6.3.a Local web authentication
6.3.b Central web authentication
6.3.c Basic sponsor policy
7.0 Configure and Troubleshoot Prime Infrastructure and MSE (10%)
7.1 Configure and troubleshoot management access
7.1.a AAA
7.1.b Virtual domain
7.2 Perform basic operations
7.2.a Create and deploy templates
7.2.b Operate maps
7.2.c Import infrastructure devices
7.2.d High availability
7.2.e Audits
7.2.f Client troubleshooting
7.2.g Notification receivers
7.2.h Reports
7.3 Perform maintenance operations
7.3.a Background tasks
7.3.b SW image management
7.4 Security management
7.4.a Understand rogue management
7.4.b Manage alarms and events
7.4.c Understand security index
7.5 Implement and troubleshoot MSE
7.5.a Management access
7.5.b Network services
7.5.b [i] Location
7.5.b [ii] CMX
7.5.b [iii] CleanAir
7.5.b [iv] WIPS
7.5.c NMSP
7.6 Integrate ISE
7.7 Integrate netflow
8.0 Configure and Troubleshoot WLAN media and application services (10%)
8.1 Configure and troubleshoot voice over wireless
8.1.a QoS profiles
8.1.b EDCA
8.1.c WMM
8.1.d BDRL
8.1.e Admission control
8.1.f MQC
8.2 Configuring and troubleshooting video and media
8.2.a Mediastream
8.2.b Multicast-direct
8.2.c Admission control
8.3 Configuring and troubleshooting mDNS
8.3.a mDNS proxy
8.3.b Service discovery
8.3.c Service filtering
8.4 Configuring and troubleshooting AVC and netflow


LAB Topics:
==========

1.0 Configure and Troubleshoot the Network Infrastructure (12%)
1.1 Configure and troubleshoot wired infrastructure to support WLANs
1.1.a VLANs
1.1.b VTP
1.1.c STP
1.1.d Etherchannel
1.1.e HSRP
1.1.f VSS
1.1.g Stacking
1.2 Plan network infrastructure capacity
1.3 Configure and troubleshoot network connectivity for:
1.3.a WLAN clients
1.3.b WLCs
1.3.c Lightweight APs
1.3.d Autonomous APs
1.4 Configure and troubleshoot PoE for APs
1.5 Configure and troubleshoot QoS on the switching infrastructure
1.5.a MQC
1.5.b Mls qos
1.6 Configure and troubleshoot multicast on the switching infrastructure
1.6.a PIM-SM
1.6.b Auto-RP
1.6.c Static-RP
1.6.d IGMP
1.6.e IGMP snooping
1.6.f MLD
1.7 Configure and troubleshoot IPv4 connectivity
1.7.a Subnetting
1.7.b Static routing
1.7.c Basic OSPF
1.7.d Basic EIGRP
1.8 Configure and troubleshoot basic IPv6 connectivity
1.8.a Subnetting
1.8.b Static routing
1.8.c Basic OSPFv3
1.8.d Basic EIGRP address families
1.9 Configure and troubleshoot wired security
1.9.a ACLs (v4/v6)
1.9.b dot1X
1.9.c Port-security
1.9.d SXP, SGT
1.10 Configure and troubleshoot network services
1.10.a DNS
1.10.b DHCPv4 / DHCPv6
1.10.c NTP, SNTP
1.10.d SYSLOG
1.10.e SNMP
1.10.f CDP, LLDP
1.10.g SDG, mDNS
2.0 Configure and Troubleshoot an Autonomous Deployment Model (10%)
2.1 Configuring and troubleshooting different modes and roles
2.1.a Root
2.1.b WGB
2.1.c Bridge
2.2 Configuring and troubleshooting SSID/MBSSID
2.3 Configuring and troubleshooting security
2.3.a L2 security policies
2.3.b Association filters
2.3.c PSPF
2.3.d Local radius
2.3.e dot1x profiles
2.3.f Guest
2.4 Configuring and troubleshooting radio settings
2.5 Configuring and troubleshooting multicast
2.6 Configuring and troubleshooting QoS
3.0 Configure and Troubleshoot a Unified Deployment Model (Centralized) (23%)
3.1 Configuring and controlling management access
3.2 Configuring and troubleshooting interfaces
3.3 Configuring and troubleshooting lightweight APs
3.3.a dot1x
3.3.b LSC
3.3.c AP modes
3.3.d AP authentication / authorization
3.3.e Logging
3.3.f Local / global configuration
3.4 Configuring and troubleshooting high availability and redundancy
3.4.a Clients
3.4.b APs
3.4.c WLCs
3.5 Configuring and troubleshooting wireless segmentation
3.5.a RF profiles
3.5.b AP groups
3.5.c Flexconnect
3.6 Configuring and troubleshooting wireless security policies
3.6.a WLANs
3.6.b L2/L3 security
3.6.c Rogue policies
3.6.d Local EAP
3.6.e Local profiling
3.6.f ACLs
3.6.g Certificates
3.7 Configuring and troubleshooting Flexconnect and Office Extend
3.8 Configuring and troubleshooting Mesh
3.9 Implement RF management
3.9.a Static RF management
3.9.b Automatic RF management
3.9.c CleanAir
3.9.d Data rates
3.10 Configuring and troubleshooting WLC control plane security
3.10.a AAA
3.10.b CPU ACLs
3.10.c Management via wireless interface
3.10.d Management via dynamic interface
3.11 Configuring and troubleshooting mobility
3.11.a L2/L3 roaming
3.11.b Multicast optimization
3.11.c Mobility group scaling
3.11.d Inter-release controller mobility
3.11.e New mobility
3.11.f Mobility anchoring
3.12 Configuring and troubleshooting multicast
4.0 Configure and Troubleshoot a Unified Deployment Model (Converged) (17%)
4.1 Configuring and controlling management access
4.2 Configuring and troubleshooting Interfaces
4.3 Configuring and troubleshooting lightweight APs
4.3.a dot1x
4.3.b AP authentication / authorization
4.3.c Logging
4.3.d Local / global configuration
4.4 Configuring and troubleshooting high availability and redundancy
4.4.a Clients
4.4.b APs
4.4.c WLCs
4.5 Configuring and troubleshooting wireless segmentation
4.5.a RF profiles
4.5.b AP groups
4.6 Configuring and Troubleshooting wireless security policies
4.6.a WLANs
4.6.b L2/L3 security
4.6.c Rogue policies
4.6.d Local EAP
4.6.e ACLs
4.6.f Certificates
4.7 Implement RF management
4.7.a Static RF management
4.7.b Automatic RF management
4.7.c CleanAir
4.7.d Data rates
4.8 Configuring and troubleshooting WLC control plane security
4.8.a AAA
4.8.b Basic control plane policing
4.9 Configuring and troubleshooting mobility
4.9.a L2/L3 roaming
4.9.b Multicast optimization
4.9.c Mobility group scaling
4.9.d Inter-release controller mobility
4.9.e Mobility anchoring
4.9.f SPG
4.9.g MC/MA
4.10 Configuring and troubleshooting multicast
5.0 Configure and Troubleshoot Security & Identity Management (15%)
5.1 Configure and troubleshoot identity management
5.1.a Basic PKI for dot1x and webauth
5.1.b External identity sources (AD, LDAP)
5.2 Configure and troubleshoot AAA policies
5.2.a Client authentication and authorization
5.2.b Management authentication and authorization
5.2.c Client profiling and provisioning
5.2.d RADIUS attributes
5.2.e CoA
5.3 Configure and troubleshoot guest management
5.3.a Local web authentication
5.3.b Central web authentication
5.3.c Basic sponsor policy
6.0 Configure and Troubleshoot Prime Infrastructure and MSE (10%)
6.1 Configure and troubleshoot management access
6.1.a AAA
6.1.b Virtual domain
6.2 Perform basic operations
6.2.a Create and deploy templates
6.2.b Operate maps
6.2.c Import infrastructure devices
6.2.d High availability
6.2.e Audits
6.2.f Client troubleshooting
6.2.g Notification receivers
6.2.h Reports
6.3 Perform maintenance operations
6.3.a Background tasks
6.3.b SW image management
6.4 Security management
6.4.a Understand rogue management
6.4.b Manage alarms and events
6.4.c Understand security index
6.5 Implement and troubleshoot MSE
6.5.a Management access
6.5.b Network services
6.5.b [i] Location
6.5.b [ii] CMX
6.5.b [iii] CleanAir
6.5.b [iv] WIPS
6.5.c NMSP
6.6 Integrate ISE
6.7 Integrate netflow
7.0 Configure and Troubleshoot WLAN media and application services (13%)
7.1 Configure and troubleshoot voice over wireless
7.1.a QoS profiles
7.1.b EDCA
7.1.c WMM
7.1.d BDRL
7.1.e Admission control
7.1.f MQC
7.2 Configuring and troubleshooting video and media
7.2.a Mediastream
7.2.b Multicast-direct
7.2.c Admission control
7.3 Configuring and troubleshooting mDNS
7.3.a mDNS proxy
7.3.b Service discovery
7.3.c Service filtering
7.4 Configuring and troubleshooting AVC and netflow

Thanks….

Problem uploading a Thawte-issued certificate on the Cisco WLC: certificate not properly chained.

Recently I came across a couple of scenarios where the Cisco WLC would not accept a web-auth server certificate issued by Thawte (a well-known CA). This is because later versions of the Cisco WLC (I believe 7.6 and above) need a properly chained certificate before you can upload it to the WLC. If you do further debugging on the WLC you will see the following error logs, which clearly point to a problem with the issuer certificate:

*TransferTask: Feb 12 12:26:05.987: Adding cert (7728 bytes) with certificate key password.
*TransferTask: Feb 12 12:26:06.015: sshpmCheckWebauthCert: Verification return code: 0
*TransferTask: Feb 12 12:26:06.015: Verification result text: unable to get issuer certificate
*TransferTask: Feb 12 12:26:06.015: Error at 2 depth: unable to get issuer certificate
*TransferTask: Feb 12 12:26:06.027: sshpmAddWebauthCert: Error decoding certificate, Deleting it.
*TransferTask: Feb 12 12:26:06.027: RESULT_STRING: Error installing certificate.
*TransferTask: Feb 12 12:26:06.027: RESULT_CODE:12
*TransferTask: Feb 12 12:26:06.027: Memory overcommit policy restored from 1 to 0
*emWeb: Feb 12 12:26:07.041: sshpmGetIdCertIndex: called to lookup cert >bsnSslWebauthCert<
*emWeb: Feb 12 12:26:07.041: sshpmGetIdCertIndex: found match in row 4
*emWeb: Feb 12 12:26:07.041: sshpmGetCID: called to evaluate <bsnSslWebauthCert>
*emWeb: Feb 12 12:26:07.041: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

When you open the cert it does not appear to have any problem and the cert will look perfect. Your OS will also not flag it as invalid, because your laptop already has the Root and Intermediate certificates installed; so even if the chain in the file is incomplete, the OS marks the cert as valid, unlike the WLC.

Following is an mmc snapshot of the known Trusted CAs on my laptop.

Now let's look at where the problem is:
==================================
Once you open the certificate in Notepad you will see the following format:

Server Cert >>> Intermediate Cert >>> Root Cert (generally the Root Cert should validate itself, i.e. the Root CA issues itself a cert, as below, where the issuer and the subject are the same.)

The certificate looks something like this (for security I have not shown the entire certificate):

Bag Attributes
localKeyID: 3B DB 85 15 63 AF CA B7 57 27 4E A3 E5 0B 84 32 1D AC 06 18
subject=/C=XX/ST=XX/L=Sydney/O=XX/OU=XX/CN=XY.com.au
issuer=/C=US/O=thawte, Inc./CN=thawte SSL CA - G2

-----BEGIN CERTIFICATE-----
MIIE/TCCA+WgAwIBAgIQF//T50TPBQL4+/7Iqh7dsTANBgkqhkiG9w0BAQsFADBB
----------------Snipping----------------
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMRswGQYDVQQDExJ0
-----END CERTIFICATE-----

Bag Attributes: <No Attributes>
subject=/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
issuer=/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA

-----BEGIN CERTIFICATE-----
MIIEsjCCA5qgAwIBAgIQFofWiG3iMAaFIz2/Eb9llzANBgkqhkiG9w0BAQsFADCB
----------------Snipping----------------
sjFuz4DliAc2UXu6Ya9tjSNbNKOVvKIxf/L157fo78S1JzLp955pxyvovrsMqufq
YBLqJop4
-----END CERTIFICATE-----

Bag Attributes: <No Attributes>
subject=/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com

-----BEGIN CERTIFICATE-----
MIIERTCCA66gAwIBAgIQM2VQCHmtc+IwueAdDX+skTANBgkqhkiG9w0BAQUFADCB
----------------Snipping----------------
95OBBaqStB+3msAHF/XLxrRMDtdW3HEgdDjWdMbWj2uvi42gbCkLYeA=
-----END CERTIFICATE-----

So going through the file, we see the certificate issued to XY.com.au by thawte SSL CA - G2 (an Intermediate CA).

Down the chain we see the Intermediate CA cert, issued to thawte SSL CA - G2 by thawte Primary Root CA (which can be a Root or another Intermediate CA).

Further down the chain we see thawte Primary Root CA being issued a cert by Thawte Premium Server CA, and there is no other cert following this.

So the problem here is that thawte Primary Root CA can be either a Root CA or an Intermediate CA. If it is a Root CA, the last cert in the chain should have been the one for thawte Primary Root CA issued by thawte Primary Root CA itself.

If it is an Intermediate CA, there should have been another cert further down the chain, issued to Thawte Premium Server CA by itself, it being the Root.

In this scenario the WLC is looking for the Root Cert, which is not there in the chain, and thus marks the certificate as invalid.

How to fix this:
==============

Thawte provides the Root CA and Intermediate CA certs on its website, from where you can download the missing cert easily.

https://www.thawte.com/roots/index.html

So the fix is either to treat thawte Primary Root CA as the Root CA, download its cert file from the Thawte website and replace the last cert in the chain with it, so that we have the cert for thawte Primary Root CA issued by thawte Primary Root CA;

or, keep the same chain, download the Root CA cert for Thawte Premium Server CA and add it at the end of the chain, so that the certificate chain is complete.

Once the chain is complete, please follow the Cisco document to combine the cert with the private key and get the final cert.

Please refer to the previous posts on certs:

http://rameshkumarroy.com/creating-chained-certificate-fro/
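The chain check the WLC is effectively doing, as an added example (not the post's or Cisco's code): it reads the subject=/issuer= lines of a bundle in the format shown above and reports whether each certificate's issuer is the next certificate's subject and whether the chain ends in a self-signed root, so both the broken upload and the two fixes can be verified before touching the controller. The sample bundles are constructed from the names in the post with the base64 bodies replaced by placeholders; this compares names only, whereas the WLC (like `openssl verify`) also checks the signatures.

```python
"""Check that a PEM bundle in `openssl pkcs12` text form (Bag Attributes /
subject= / issuer= / PEM block) is a complete chain ending in a self-signed
root.  Added example, not from the original post."""
import re

# One certificate entry: its subject line, issuer line and PEM block.
CERT_RE = re.compile(
    r"subject=(?P<subject>[^\n]+)\n"
    r"issuer=(?P<issuer>[^\n]+)\n"
    r".*?-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----",
    re.DOTALL,
)


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the certs appear."""
    return [(m.group("subject").strip(), m.group("issuer").strip())
            for m in CERT_RE.finditer(text)]


def check_chain(certs):
    """Return (ok, reason).  ok only when every cert's issuer is the subject of
    the next cert and the last cert is self-signed (subject == issuer)."""
    if not certs:
        return False, "no certificates found"
    for i in range(len(certs) - 1):
        if certs[i][1] != certs[i + 1][0]:
            return False, f"issuer of cert {i} does not match subject of cert {i + 1}"
    subject, issuer = certs[-1]
    if subject != issuer:
        # This is the WLC's "unable to get issuer certificate" case.
        return False, f"chain ends without a self-signed root; missing cert for {issuer}"
    return True, "complete"


def _pem(subject, issuer):
    """Constructed entry in the dump format; the body is a placeholder."""
    return (f"Bag Attributes: <No Attributes>\nsubject={subject}\nissuer={issuer}\n\n"
            "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n\n")


# Names taken from the post's dump.
SERVER = "/C=XX/ST=XX/L=Sydney/O=XX/OU=XX/CN=XY.com.au"
G2 = "/C=US/O=thawte, Inc./CN=thawte SSL CA - G2"
PRIMARY = ("/C=US/O=thawte, Inc./OU=Certification Services Division"
           "/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA")
PREMIUM = ("/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc"
           "/OU=Certification Services Division/CN=Thawte Premium Server CA"
           "/emailAddress=premium-server@thawte.com")

# The bundle as uploaded: Primary Root CA is issued by Premium, and no Premium
# root follows, so the WLC cannot find the issuer of the last cert.
UPLOADED = _pem(SERVER, G2) + _pem(G2, PRIMARY) + _pem(PRIMARY, PREMIUM)
# Fix 1: replace the last cert with the self-signed thawte Primary Root CA.
FIX_PRIMARY_AS_ROOT = _pem(SERVER, G2) + _pem(G2, PRIMARY) + _pem(PRIMARY, PRIMARY)
# Fix 2: keep the chain and append the self-signed Thawte Premium Server CA.
FIX_APPEND_PREMIUM = UPLOADED + _pem(PREMIUM, PREMIUM)

if __name__ == "__main__":
    for name, bundle in [("uploaded", UPLOADED), ("fix1", FIX_PRIMARY_AS_ROOT),
                         ("fix2", FIX_APPEND_PREMIUM)]:
        print(name, check_chain(parse_chain(bundle)))
```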

Hope this was helpful.

 

DHCP Fingerprinting

DHCP fingerprinting is a method of detecting the end device's OS from the packets in the DHCP exchange. In today's networks, where we talk about IoE and BYOD, it is necessary to identify the devices on your network and mark them accordingly.

Why do we need Fingerprinting:
========================

With BYOD, personal devices are making their way into the workplace, and it is a tough job for network administrators to dynamically detect these devices, make sure they are compliant, and enforce the required policies on them. Detecting the device type/OS is also part of the play.

Due to the proliferation of BYOD (Bring Your Own Device)/mobile devices connecting mostly over the wireless network, it becomes difficult to identify and control the types of devices that can connect to the network and, once connected, to determine what access privileges they should have.

With DHCP fingerprinting, DHCP servers or devices like IPAM controllers or wireless controllers can identify the device type, manufacturer name and OS of the clients/devices connecting to the network, categorize them into ACLs, and control which devices can connect to the network and what they can do.

How it works:
===========

DHCP Fingerprinting is one of the methods that help us identify the OS on a device based on the DHCP options it sends.

The complete DHCP process is like this:

DHCP packets contain multiple options. One of the most important options used for DHCP fingerprinting is option 55, the Parameter Request List; this option is present in the packets sent from the client end, i.e. the Discover and Request packets.

The option 55 Parameter Request List in the captured packet is:

1,6,15,44,3,33,150 and 43

A DHCP discover request asks for DHCP options in a specific sequence. This makes DHCP Fingerprinting possible – identifying a device or OS requesting an IP address based on the requested DHCP options.

Fingerbank has a repository of such fingerprints:

https://fingerbank.inverse.ca/

Some of the captured fingerprints in hex (each string is the DHCP option code followed by that option's value bytes: 37 = option 55 Parameter Request List, 3C = option 60 Vendor Class, 0C = option 12 Host Name):

Android_device      3C64686370636420342E302E3135
Android 2.X         3c6468637063642034
Android 2.2         3701792103061c333a3b
Android 2.3.X       0c616E64726F69645F
Android 4.0.X       37012103060f1c333a3b
Android 4.0.X (2)   37012103061c333a3b
Blackberry 2        3C426C61636B4265727279
Blackberry (2)      370103060F775ffc2c2e2f
iOS Device          370103060F77FC
iPad                37011c02030f06770c2c2f1a792a
OS X 10.6           370103060f775ffc2c2e2f
OS X 10.7           370103060f775ffc2c2e
Win Mobile          3c4d6963726f736f66742057696e646f77732043450
Win Mobile6         370103060f2c2e2f
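As an added example (not code from the original post), here is a small Python parser that pulls the options out of a DHCP Discover, builds the hex fingerprint in the same option-code-plus-value form as the list above, and looks it up in a table of the entries listed. The packets it checks are constructed inside the script (made-up MAC and transaction id), not real captures.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that follows the 236-byte fixed header

# Entries from the fingerprint list above, lower-cased. Each string is the option code
# byte followed by the option's raw value bytes (37 = option 55, 3c = option 60).
KNOWN_FINGERPRINTS = {
    "370103060f77fc": "iOS Device",
    "370103060f775ffc2c2e2f": "OS X 10.6",
    "370103060f775ffc2c2e": "OS X 10.7",
    "37012103060f1c333a3b": "Android 4.0.X",
    "370103060f2c2e2f": "Win Mobile6",
    "3c64686370636420342e302e3135": "Android_device",
}

def parse_dhcp_options(packet):
    """Return {option_code: value_bytes} from the options field of a DHCP packet."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (short or bad magic cookie)")
    options, pos = {}, 240
    while pos < len(packet):
        code = packet[pos]
        if code == 0:                       # pad option: one byte, no length field
            pos += 1
            continue
        if code == 255:                     # end option
            break
        if pos + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[pos + 1]
        value = packet[pos + 2:pos + 2 + length]
        if len(value) != length:            # refuse to guess at a cut-off packet
            raise ValueError("truncated option %d" % code)
        options[code] = value
        pos += 2 + length
    return options

def fingerprint(options, code=55):
    """Hex fingerprint in the list's form: option code followed by its value bytes."""
    return "%02x%s" % (code, options[code].hex()) if code in options else ""

def identify(packet):
    """Try option 55, then 60, then 12 against the table; return (fingerprint, OS or None)."""
    opts = parse_dhcp_options(packet)
    for code in (55, 60, 12):               # parameter request list, vendor class, host name
        fp = fingerprint(opts, code)
        if fp in KNOWN_FINGERPRINTS:
            return fp, KNOWN_FINGERPRINTS[fp]
    return fingerprint(opts, 55), None

def build_discover(mac, param_list, vendor_class=b""):
    """Constructed DHCPDISCOVER for testing (not a real capture; MAC and xid are made up):
    minimal fixed header, option 53 (message type), 55 (parameter request list), 60 if given."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, mac.ljust(16, b"\0"))
    header += b"\0" * 192                   # sname (64) + file (128), unused here
    opts = b"\x35\x01\x01" + bytes([55, len(param_list)]) + param_list
    if vendor_class:
        opts += bytes([60, len(vendor_class)]) + vendor_class
    return header + DHCP_MAGIC + opts + b"\xff"

if __name__ == "__main__":
    # Parameter request list from the capture above (1,6,15,44,3,33,150,43) and an iOS-style one
    print(identify(build_discover(b"\x00\x11\x22\x33\x44\x55", bytes([1, 6, 15, 44, 3, 33, 150, 43]))))
    print(identify(build_discover(b"\x00\x11\x22\x33\x44\x66", bytes([1, 3, 6, 15, 119, 252]))))
```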

Aruba implementation of DHCP Fingerprinting:

http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/COTD-DHCP-Fingerprinting-how-to-ArubaOS-6-0-1-0-and-above/td-p/11164

http://community.arubanetworks.com/t5/Controller-less-WLANs/DHCP-FINGERPRINTING-WITH-Aruba-Instant/ta-p/183272

Hope this was informative.


IPERF to measure throughput

Iperf is a handy tool to measure the bandwidth and the quality of a network link. It is a commonly used network testing tool that can create Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) data streams and measure the throughput of the network carrying them. Iperf lets the user vary various parameters for testing the network, or alternatively for optimizing and tuning it. Iperf has client and server functionality and can measure the throughput between the two ends, either unidirectionally or bidirectionally.

Iperf can be installed very easily on any Linux or Microsoft Windows system, where one host can be configured as a client, the other one as server.

Setup required for running the iperf test:

1. Download the iperf setup, you can download it from: https://iperf.fr/
2. Copy the setup file on the two hosts you would be using to perform the test.
3. Set one host in the server mode and the other in the client mode with the following syntax:

To run the first host in server mode use the command: iperf -s

C:\IOS\Images\iperf-2.0.5-2-win32>iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------

To run the other host in client mode use the command: iperf -c <server ip address>

C:\IOS\Images\iperf-2.0.5-2-win32>iperf -c 192.168.1.5      // Where 192.168.1.5 is the server IP address.

The other parameters available in iperf are:

C:\IOS\Images\iperf-2.0.5-2-win32>iperf --help

Usage: iperf [-s|-c host] [options]
       iperf [-h|--help] [-v|--version]
Client/Server:
  -f, --format    [kmKM]   format to report: Kbits, Mbits, KBytes, MBytes
  -i, --interval  #        seconds between periodic bandwidth reports
  -l, --len       #[KM]    length of buffer to read or write (default 8 KB)
  -m, --print_mss          print TCP maximum segment size (MTU - TCP/IP header)
  -o, --output    <filename> output the report or error message to this specified file
  -p, --port      #        server port to listen on/connect to
  -u, --udp                use UDP rather than TCP
  -w, --window    #[KM]    TCP window size (socket buffer size)
  -B, --bind      <host>   bind to <host>, an interface or multicast address
  -C, --compatibility      for use with older versions does not sent extra msgs
  -M, --mss       #        set TCP maximum segment size (MTU - 40 bytes)
  -N, --nodelay            set TCP no delay, disabling Nagle's Algorithm
  -V, --IPv6Version        Set the domain to IPv6

Server specific:
  -s, --server             run in server mode
  -U, --single_udp         run in single threaded UDP mode
  -D, --daemon             run the server as a daemon

Client specific:
  -b, --bandwidth #[KM]    for UDP, bandwidth to send at in bits/sec
                           (default 1 Mbit/sec, implies -u)
  -c, --client    <host>   run in client mode, connecting to <host>
  -d, --dualtest           Do a bidirectional test simultaneously
  -n, --num       #[KM]    number of bytes to transmit (instead of -t)
  -r, --tradeoff           Do a bidirectional test individually
  -t, --time      #        time in seconds to transmit for (default 10 secs)
  -F, --fileinput <name>   input the data to be transmitted from a file
  -I, --stdin              input the data to be transmitted from stdin
  -L, --listenport #       port to receive bidirectional tests back on
  -P, --parallel  #        number of parallel client threads to run
  -T, --ttl       #        time-to-live, for multicast (default 1)
  -Z, --linux-congestion <algo>  set TCP congestion control algorithm (Linux only)

Miscellaneous:
  -x, --reportexclude [CDMSV]   exclude C(connection) D(data) M(multicast) S(settings) V(server) reports
  -y, --reportstyle C      report as a Comma-Separated Values
  -h, --help               print this message and quit
  -v, --version            print version information and quit

[KM] Indicates options that support a K or M suffix for kilo- or mega-

The TCP window size option can be set by the environment variable TCP_WINDOW_SIZE.
Most other options can be set by an environment variable IPERF_<long option name>, such as IPERF_BANDWIDTH.
Report bugs to <iperf-users@lists.sourceforge.net>
C:\IOS\Images\iperf-2.0.5-2-win32>


Server side:
=========

#iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 8.00 KByte (default)
------------------------------------------------------------
[852] local 10.1.1.1 port 5001 connected with 10.6.2.5 port 33453
[ ID]   Interval          Transfer       Bandwidth
[852]   0.0-10.6 sec   1.26 MBytes   1.03 Mbits/sec

Client side:
=========
#iperf -c 10.1.1.1
------------------------------------------------------------
Client connecting to 10.1.1.1, TCP port 5001
TCP window size: 16384 Byte (default)
------------------------------------------------------------
[ 3] local 10.6.2.5 port 33453 connected with 10.1.1.1 port 5001
[ 3]   0.0-10.2 sec   1.26 MBytes   1.05 Mbits/sec


Another example:
Use the syntax with some additional parameters: iperf.exe -c <IP address of the server> -P 10 -w 1000k (-P is the number of parallel TCP streams and -w is the TCP window size).
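As an added example (not from the original post and not part of iperf itself), here is a Python parser for iperf's text report lines that recovers bytes and bit rates using iperf's own unit conventions (1024 for Bytes, 1000 for bits) and sums parallel streams without double counting the per-interval reports. The client output it parses is constructed to match the format shown above.

```python
import re

# One iperf 2 report line, e.g. "[  3]  0.0-10.2 sec  1.26 MBytes  1.05 Mbits/sec";
# "[SUM]" lines appear when -P (parallel streams) is used.
REPORT_RE = re.compile(
    r"^\[\s*(?P<id>SUM|\d+)\]\s+(?P<start>[\d.]+)-\s*(?P<end>[\d.]+)\s+sec\s+"
    r"(?P<xfer>[\d.]+)\s+(?P<xunit>[KMG]?)Bytes\s+(?P<bw>[\d.]+)\s+(?P<bunit>[KMG]?)bits/sec"
)
# iperf scales Bytes by 1024 but bits by 1000 (see the -f option in the help above)
BYTE_SCALE = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
BIT_SCALE = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}

def parse_report(text):
    """Parse iperf text output into one dict per report line."""
    rows = []
    for line in text.splitlines():
        m = REPORT_RE.match(line.strip())
        if not m:
            continue                      # banner, window size and connection lines
        seconds = float(m["end"]) - float(m["start"])
        nbytes = float(m["xfer"]) * BYTE_SCALE[m["xunit"]]
        rows.append({
            "id": m["id"],
            "seconds": seconds,
            "bytes": nbytes,
            "reported_bps": float(m["bw"]) * BIT_SCALE[m["bunit"]],
            # recomputed from transfer/interval; differs slightly from the printed
            # value because iperf rounds the transfer figure to three digits
            "computed_bps": nbytes * 8 / seconds if seconds else 0.0,
        })
    return rows

def aggregate_mbps(rows):
    """Total throughput in Mbit/s. With -P, trust iperf's final [SUM] line; otherwise
    take the final (longest-interval) report of every stream and add them up, so that
    per-interval lines from -i are not double counted."""
    sums = [r for r in rows if r["id"] == "SUM"]
    if sums:
        return max(sums, key=lambda r: r["seconds"])["reported_bps"] / 1e6
    final = {}
    for r in rows:
        if r["id"] not in final or r["seconds"] > final[r["id"]]["seconds"]:
            final[r["id"]] = r
    return sum(r["reported_bps"] for r in final.values()) / 1e6

# Constructed sample in the format of the client output above, run with -P 2 -i 5
SAMPLE_PARALLEL = """\
------------------------------------------------------------
Client connecting to 10.1.1.1, TCP port 5001
TCP window size: 1000 KByte
------------------------------------------------------------
[  4] local 10.6.2.5 port 33454 connected with 10.1.1.1 port 5001
[  3] local 10.6.2.5 port 33453 connected with 10.1.1.1 port 5001
[  4]  0.0- 5.0 sec  5.50 MBytes  9.23 Mbits/sec
[  3]  0.0- 5.0 sec  5.38 MBytes  9.02 Mbits/sec
[SUM]  0.0- 5.0 sec  10.9 MBytes  18.2 Mbits/sec
[  4]  0.0-10.0 sec  11.2 MBytes  9.40 Mbits/sec
[  3]  0.0-10.1 sec  11.0 MBytes  9.14 Mbits/sec
[SUM]  0.0-10.1 sec  22.2 MBytes  18.4 Mbits/sec
"""

if __name__ == "__main__":
    print(aggregate_mbps(parse_report(SAMPLE_PARALLEL)))   # 18.4
```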


Hope this was helpful.

Using filters on Cisco WLC

The WLC output drives me crazy when you have to search for a specific entry in the logs. Recently I came across the filter option available on the Cisco WLCs. I am not sure which code version it has been supported from, but it is awesome.

You can now use the 'grep' command to get the specific match. This is especially useful when the output of a command is lengthy and you have to scroll down to get to the information you are looking for. Let's take some examples and the related syntax.

(WLC-Primary) >grep ?

include        Include lines that match.
exclude        Exclude lines that match.

(WLC-Primary) >grep include ?

<pattern>      Pattern to be searched.


(WLC-Primary) >grep include uptime ?
<command>      Enter complete show command in double quotes.


Let's try to find the uptime of the WLC:

(WLC-Primary) >grep include ime "show sysinfo"
Press yes to continue(y)y
System Up Time.................................. 0 days 5 hrs 47 mins 57 secs
System Timezone Location........................ (GMT +5:30) Colombo, New Delhi, Chennai, Kolkata
System Stats Realtime Interval.................. 5


There are 3 lines matching the pattern ime


Since this is case sensitive I searched for the value “ime”.


Let's see another example; suppose I want to see all APs except a specific AP.

(WLC-Primary) >show ap summary
Number of APs.................................... 3
Global AP User Name.............................. gce-apac
Global AP Dot1x User Name........................ Not Configured
AP Name             Slots  AP Model              Ethernet MAC       Location          Country  IP Address       Clients
------------------  -----  --------------------  -----------------  ----------------  -------  ---------------  -------
L3500-3              2     AIR-CAP3502I-E-K9     40:55:39:ca:8a:99  default location  AE       10.105.132.249   0
TEST-AP-1            2     AIR-CAP2602E-A-K9     6c:41:6a:78:d8:32  default location  US       10.105.132.247   0
AP-3602AP-1          2     AIR-CAP3602I-A-K9     e4:d3:f1:c9:04:ca  default location  US       10.105.132.251   0


We will use the exclude option this time.


(WLC-Primary) >grep exclude "L3500-3" "show ap summary"
Press yes to continue(y)y
Number of APs.................................... 3
Global AP User Name.............................. gce-apac
Global AP Dot1x User Name........................ Not Configured
AP Name             Slots  AP Model              Ethernet MAC       Location          Country  IP Address       Clients
------------------  -----  --------------------  -----------------  ----------------  -------  ---------------  -------
TEST-AP-1            2     AIR-CAP2602E-A-K9     6c:41:6a:78:d8:32  default location  US       10.105.132.247   0
AP-3602AP-1          2     AIR-CAP3602I-A-K9     e4:d3:f1:c9:04:ca  default location  US       10.105.132.251   0


There are 12 lines not matching the pattern L3500-3


Hope this was informational.

Creating chained certificate from an unchained certificate.

Many times we see that the CA (third-party Certificate Authority) does not provide a chained cert; rather, they provide a signed Server cert and might provide the Intermediate CA cert and the Root CA cert separately.

In a couple of cases they just provide a signed Server cert and expect you to download the Intermediate cert and the Root cert and chain the final cert yourself if required. Many vendor devices do not support an unchained Server cert and expect a chained Server cert before it can be uploaded to the device.

Let's see how we can generate a chained cert from an unchained certificate. I'll use the following server cert as an example.

The above cert is a Server cert issued by the well-known CA "Go Daddy". However, the certificate is not chained; if you open the certificate in Notepad you'll find that it contains just the Server cert.

To generate a chained cert you need to append the Intermediate CA cert and the Root CA cert to the Server cert. In our case "Go Daddy Secure Certificate Authority" is the Intermediate CA and "Go Daddy Class 2 Certificate Authority" is the Root CA.

 

The way you need to append the file is: keep the Server cert on top, followed by the Intermediate CA cert and then the Root CA cert, i.e. just the opposite of the order shown in the Certificate Path of the Server cert. Open all the certificates in Notepad, also open a blank Notepad window, copy and paste the Server cert, followed by the Intermediate cert and then the Root cert, and save this as the final cert, which should be ready to be uploaded to the device:

-----BEGIN CERTIFICATE-----
Server Cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate CA Cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root CA Cert
-----END CERTIFICATE-----
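An added example (not from the original post) that checks a chained PEM file has exactly the order described here and in the Thawte post above: it reads each certificate's subject and issuer from the DER with a minimal ASN.1 walker, confirms every cert is issued by the next one, and confirms the last cert is a self-issued Root CA. The stub certificates it builds for testing are constructed, unsigned placeholders rather than real certificates; Base-64 X.509 exports from Windows have the same RFC 5280 field layout the parser follows.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
CN_OID = b"\x06\x03\x55\x04\x03"          # DER TLV of id-at-commonName (2.5.4.3)

def _tlv(buf, pos=0):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the contents of a SEQUENCE into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, body, pos = _tlv(value, pos)
        out.append((tag, body))
    return out

def cert_names(der):
    """(subject_der, issuer_der) of an X.509 cert, following the RFC 5280 layout:
    Certificate -> tbsCertificate -> [0] version, serial, sigAlg, issuer, validity, subject."""
    fields = _children(_tlv(_tlv(der)[1])[1])
    if fields[0][0] == 0xA0:              # the explicit [0] version is optional
        fields = fields[1:]
    return fields[4][1], fields[2][1]

def common_name(name_der):
    i = name_der.find(CN_OID)
    return _tlv(name_der, i + len(CN_OID))[1].decode("utf-8", "replace") if i >= 0 else "?"

def check_chain(pem_text):
    """Check the order described in the post: Server cert first, every cert issued by the
    next one (issuer == next subject, compared byte-for-byte), self-issued Root CA last.
    Returns (ok, [(subject CN, issuer CN), ...])."""
    names = [cert_names(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    ok = bool(names) and names[-1][0] == names[-1][1]
    for (_, issuer), (next_subject, _) in zip(names, names[1:]):
        ok = ok and issuer == next_subject
    return ok, [(common_name(s), common_name(i)) for s, i in names]

def _enc(tag, body):
    """DER-encode one TLV (short or long length form); used only by the stub below."""
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def stub_cert_pem(subject_cn, issuer_cn):
    """Constructed test data: an unsigned X.509-shaped stub carrying only the fields
    cert_names() reads. It is NOT a valid certificate and has no key or signature."""
    name = lambda cn: _enc(0x30, _enc(0x31, _enc(0x30, CN_OID + _enc(0x0C, cn.encode()))))
    tbs = _enc(0x30, _enc(0x02, b"\x01") + _enc(0x30, b"") + name(issuer_cn)
               + _enc(0x30, b"") + name(subject_cn))
    der = _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

if __name__ == "__main__":
    root = stub_cert_pem("Go Daddy Class 2 Certificate Authority", "Go Daddy Class 2 Certificate Authority")
    inter = stub_cert_pem("Go Daddy Secure Certificate Authority", "Go Daddy Class 2 Certificate Authority")
    server = stub_cert_pem("www.example.com", "Go Daddy Secure Certificate Authority")
    print(check_chain(server + inter + root))   # complete chain -> ok
    print(check_chain(server + inter))          # Root CA missing -> not ok (the Thawte case)
```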


All the certificates on Windows 7 are stored in the Windows registry and not in any specific folder. You can view the certificates using the certificate manager (type certmgr.msc and it will bring up the certificate manager window).
For Mac users the certificates are stored in Keychain Access (in the Finder, open Utilities and then open Keychain Access).
These are the repositories where all the certificates are stored and referenced to check whether a certificate is valid or not, i.e. whether the Certificate Authority is a trusted Root CA or not.
There are chances that the Intermediate CA certificate may have expired, which will cause the entire certificate chain to become invalid (untrusted).
In a recent incident DigiCert's Intermediate Certificate expired, which caused multiple users to get the untrusted certificate error.
The expired certificate in question was the "DigiCert High Assurance EV Root CA" [Expiration July 26, 2014] certificate. This temporary intermediate certificate was used in years past as part of a compatibility chain for older devices. The problem was related to the locally installed legacy intermediate certificate that was no longer used and no longer required for the certificate installation. This certificate had not been used for over three years and was unnecessary for installations; however, the devices having issues were not updated. The users affected appear to have had the expired intermediate in the 'login' keychain or stored locally on their server, or to have had the expired intermediate installed on a backend server or application.
DigiCert fixed the issue for the customers by having the old cert removed from their machines and the new valid Intermediate cert installed on these devices.

How to create the chained cert when the Root CA cert and Intermediate CA cert are not provided by the CA:

Usually your CA will provide you the Intermediate CA cert and the Root CA cert, or the steps to get them from their website. However, if this is not the case for you and the CA is a well-known one, you should already have its Intermediate and Root certs on your laptop, in the registry or in Keychain Access. Let's see how we can get the Intermediate and the Root CA certificate.
Click on the Server cert to open it. Go to the "Certificate path" tab and click on the Intermediate certificate; for our test certificate it is "Go Daddy Secure Certificate Authority".
Click on View Certificate in the lower right corner, which will open up the Intermediate CA cert. Now we want to export this cert so that we can use it for chaining. Go to the Details tab of the certificate.
Click on Copy to File, which should open up the Export Wizard.


Click Next > choose the format "Base-64 encoded X.509".
Click Next > Browse and give a name to the file (remember this is the Intermediate CA cert, so save it somewhere on your laptop with a name like intermediatecert). Click Next and Finish. This will export the Intermediate CA cert to your desktop; now repeat the same process to get the Root CA cert exported to your desktop, this time clicking on the Root CA cert in the Certificate path of the Server or Intermediate CA cert.
Once you have successfully exported both the Intermediate and the Root CA certs, you can open them in Notepad and append them to the Server cert as discussed above.
Hope this was helpful 🙂


Added information:

The certificates are stored in the registry at HKLM/Software/Microsoft/SystemCertificates

Personal certificates, or other certificates specific to the logged in user are at HKCU/Software/Microsoft/SystemCertificates

They are stored as binary blobs, so they need to be decoded, and the MMC plugin is a good way to do this.

Cisco Wireless HA N+1 configuration (Lab Testing)

With software release 7.4 and above, Cisco has introduced the N+1 HA feature set within the Cisco Unified Wireless Network (CUWN) framework, which allows a single WLC to be used as a backup WLC for N primary controllers.


Following is the configuration/documentation guide:

http://www.cisco.com/c/en/us/td/docs/wireless/technology/hi_avail/N1_High_Availability_Deployment_Guide/Introduction.html

The N+1 HA architecture provides redundancy for controllers across geographically separate data centers at a low cost of deployment. Lately I had been working on a couple of scenarios and was not sure if this is supposed to work over an L3 network, so I did a small lab to test it.

My network setup:
=================

WLC1 (vlan 100)————-L3 Switch—————–WLC2(vlan200)
                                                 |
                                                 |
                                                 |
                                              APs
                                         (vlan 300)

Vlan 100: 192.168.100.0/24
Vlan 200: 192.168.200.0/24
Vlan 300: 192.168.300.0/24

WLC1 Primary:
==============

(WLC-Primary) >show interface summary

Number of Interfaces.......................... 6

Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
management                       1    100      192.168.100.5

(WLC-Primary) >show redundancy summary
Redundancy Mode = SSO DISABLED
Local State = ACTIVE
Peer State = N/A
Unit = Primary
Unit ID = 50:3D:E5:1A:27:20
Redundancy State = N/A
Mobility MAC = 50:3D:E5:1A:27:20
Redundancy Management IP Address..........192.168.100.10
Peer Redundancy Management IP Address.....192.168.100.11
Redundancy Port IP Address................169.254.100.10
Peer Redundancy Port IP Address...........169.254.100.11

(WLC-Primary) >show advanced backup-controller

AP primary Backup Controller ..............WLC-Secondary 192.168.200.5
AP secondary Backup Controller ............

WLC2 Secondary:
================
(WLC-Secondary) >show interface summary

Number of Interfaces.......................... 6

Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
management                       1    200      192.168.200.5   Static  Yes    No

(WLC-Secondary) >show redundancy summary
Redundancy Mode = SSO DISABLED
Local State = ACTIVE
Peer State = N/A
Unit = Secondary - HA SKU
Unit ID = E0:5F:B9:46:99:00
Redundancy State = N/A
Mobility MAC = 50:3D:E5:1A:27:20
Redundancy Management IP Address..........192.168.200.10
Peer Redundancy Management IP Address.....192.168.200.11
Redundancy Port IP Address................169.254.200.10
Peer Redundancy Port IP Address...........169.254.200.11

(WLC-Secondary) >show advanced backup-controller

AP primary Backup Controller ..............0.0.0.0
AP secondary Backup Controller ............

L3 Switch:
==========

AP-SWITCH1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
WLC-Secondary    Gig 1/0/1         152           H        AIR-CT550 Gig 0/0/1
TEST-AP-2        Gig 1/0/7         142          R T       AIR-LAP12 Gig 0.1
TEST-AP-1        Gig 1/0/20        150          R T       AIR-CAP26 Gig 0.1
WLC-Primary      Gig 1/0/3         140           H        AIR-CT550 Gig 0/0/1

AP-SWITCH1#show runn int gig 1/0/1
interface GigabitEthernet1/0/1
switchport access vlan 100
switchport trunk encapsulation dot1q
switchport mode trunk
end

AP-SWITCH1#show runn int gig 1/0/3
switchport trunk encapsulation dot1q
switchport mode trunk
end

AP-SWITCH1#show runn int gig 1/0/7
switchport access vlan 300
switchport mode access

Testing:
========
The APs were configured with DHCP option 43 to join the Primary WLC (192.168.100.5). Once the APs joined the Primary WLC, the Primary and the Secondary WLCs were configured under the AP High Availability settings.

Make sure you have configured the secondary WLC (HA-SKU), which sits on the other L3 network, as the Backup Primary Controller.

In our setup both APs were on the Primary WLC initially.

Once connectivity to the Primary WLC is lost (we shut down the port to the Primary WLC on the switch), we find the APs automatically falling back to the Secondary:

AP-SWITCH1(config)#int gig 1/0/3
AP-SWITCH1(config-if)#shut
AP-SWITCH1(config-if)#
1w1d: %LINK-5-CHANGED: Interface GigabitEthernet1/0/3, changed state to administratively down
1w1d: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to down

Licensing:

HA-SKU as Secondary Controller
==============================

With Release 7.4, an HA-SKU controller can be used as a secondary controller. In this example, the secondary controller is running a 50 AP permanent license and is configured to be an HA-SKU controller. Therefore it has a maximum AP capacity of 500.

Hope this post was helpful….