Wednesday 21 October 2020

Identity PSK with Cisco WLC 8.5 and Microsoft NPS

I had some time to take a dive into Identity PSK using a vWLC (8.5MR6) and Microsoft NPS as RADIUS backend (Windows 2012 R2). Not because I had a particular use case, but because I wanted to see it working and get the NPS part working (most examples use ISE or FreeRADIUS).

 

Thursday 28 March 2019

Cisco Universal AP problems and solutions

Today I was asked by a customer to revive a few 2702i access points. These access points were unable to join the WLC. The WLC told me:

Country UX for this APis not configured
The system detects an invalid regulatory domain 802.11bg:-E     802.11a:-E for AP

Uhm ok. The regulatory domain is okay (they're in the Netherlands) but it seems the country code isn't. After struggling to get some information on this (almost none) and trying several methods to get these back to life again, I found a way to revive them:

1. Connect a console cable, log in and do 'clear capwap private-config'. Do a reload without saving the config.

2. Let the AP join the WLC, it will work this time but it will be unprimed. Add this AP to the Priming WLAN AP Group.

3. After the AP gets back, open it in the WLC interface and do a 'clear config' (aka a factory reset).

4. When it is back online, use the AP on your phone to start the priming.

This way I got 4 APs back to life. This all takes into account you have a Priming SSID which is only available to APs in the Priming WLAN AP Group. I've tried it without step 2 and it failed, don't know why. This all was on AireOS 8.2.170 and a 2504 WLC.




Friday 4 March 2016

AAA with Tacacs+ on Debian

A while ago I tried setting up different authorisation levels on a Cisco router with privilege levels. It failed miserably because this is badly documented by Cisco and the amount of effort needed to get something useful out of it was too much. The main problem is the hierarchical privilege structure of commands and the somewhat illogical relation between these commands (enable write privileges to allow read privilege....).