At the ACS Server you can create Network Access Profiles (NAP) and choose which authentication you’re allowing.

You won’t see LEAP at NAP. This is a global setting at the System Configuration…
If you enable it with NAP, the client can do LEAP instead of the required authentication. (Like EAP-FAST for instance)

If you create a NAP and disable under protocols EAP-FAST, the client can’t do EAP-FAST.
Make sure the priority of the NAP is also correct.. If it’s matching the first NAP, it will sticks to that configuration.

IOS : Configure Replace

Where have I been ????
I didn’t know the command : configure replace, but that’s working fine.

First, save your config to flash:
copy run flash:running_dec.txt
the do your thing on the switch/router
conf t
int g 2/1

and if you want to revert back to the old config, without rebooting :

Wifi_6503#configure replace disk0:running_dec.txt
This will apply all necessary additions and deletions
to replace the current running configuration with the
contents of the specified configuration file, which is
assumed to be a complete configuration, not a partial
configuration. Enter Y if you are sure you want to proceed. ? [no]: yes

00:25:30: Rollback:Acquired Configuration lock.
Total number of passes: 1
Rollback Done

WGB settings

Jerome got a nice blog about WGB :

To summarize :

Root ap :

dot11 ssid hereIam

int do1
station-role root
infrastructure-client (Reliable multicast)

dot11 ssid hereIam
infrastructure-ssid (Works without)

int do 1
statioin-role workgroup
infrastructure-client (Reliable multicast)

AP Authentication / MAC

When you do an AP Authentication with the ACS, there are different was to show the MAC of the AP to the ACS.

You can configure it at :

When you play with the settings, you’ll see at the ACS the diffent kind of formats :

If you’re creating a user, make sure that the format is exactly the same.
Password is the same as the username…

Option 7 at IOS DHCP

Ofcourse you want all logging goto a syslog server. (It’s also a Cisco recommendation. See WLC Configu Guide)
You can configure a IOS DHCP Scope like :

ip dhcp exclude
ip dhcp pool VLAN1
network /24
option 7 ip
option 43 hex f1040a0a0a0a

In my own lab the option 7 wasn’t working !
I had tested the WLC with versions 4.2.130 and 4.2.176.

Then I saw :
%LWAPP-3-CLIENTEVENTLOG: Did not get any DNS options from DHCP.
That’s not good..

After changing it to 4.2.209 the option 7 is working and you’ll see at the LWAPP :

%LWAPP-3-CLIENTEVENTLOG: Got log server settings( from DHCP.


There is default a TFTP server at the WCS server which I’m using a lot….

When you do a restore of the WCS server with no controller configured, the TFTP server isn’t working.
You need to add atleast one Controller before the TFTP service is active (It’s a WCS service and not a windows service, so you can’t start it manually.).

Then you can upload/download files from the WCS TFTP Service.

AP Groups

When your SSID Domain is much greater that is will span multiple vlan’s, you can use AP Groups.

First configure the needed interfaces.

Create an AP Group with the correct VLAN Mappings.

Configure the AP the use this AP Group.

Reset the AP.

Test the config and you’ll see it’s working.