The Cisco MSE (Mobility Service Engine) provides two primary services:
1. Context Aware Services (CAS)
The ability to track the physical location of network devices, both wired and wireless, using wireless LAN controllers (WLCs) and Cisco Aironet Lightweight Access Points (LAPs). This solution allows a customer to track any Wi-Fi device, including clients, active RFID tags, and rogue clients and access points (APs).
2. Adaptive Wireless Intrusion Prevention System (wIPS)
wIPS software provides visibility and comprehensive threat prevention for the mobility network through monitoring, alerting, classification, and remediation of wireless and wired network vulnerabilities.
The diagram below shows the typical interaction between the MSE, WLC and WCS.
Communication among the system components involves the following protocols:
1. Control and Provisioning of Wireless Access Points (CAPWAP)—This protocol is the successor to LWAPP and is used for communication between access points and controllers.
2. Network Mobility Services Protocol (NMSP)—The protocol handles communication between controllers and the mobility services engine. In a wIPS deployment, this protocol provides a pathway for alarm information to be aggregated from controllers and forwarded to the mobility services engine and for wIPS configuration information to be pushed to the controller. This protocol is encrypted.
–Controller TCP Port: 16113
3. Simple Object Access Protocol (SOAP/XML)—The method of communication between the mobility services engine and WCS. This protocol is used to distribute configuration parameters to the wIPS service running on the mobility services engine.
–MSE TCP Port: 443
4. Simple Network Management Protocol (SNMP)—This protocol is used to forward wIPS alarm information from the mobility services engine to the WCS. It is also employed to communicate rogue access point information from the controller to WCS.
The full list of protocols and ports used between the MSE, WLC and WCS can be found at the link below (Cisco Document ID 113344):
Cisco Unified Wireless Network Protocol and Port Matrix
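When a firewall sits between these components, the two TCP flows listed above have to be permitted. The following is an added example, not code from the original post or from Cisco: a small first-match rule audit that reports which of those flows a rule set would block. The IP addresses, the rule format and the assumption that the MSE initiates NMSP and the WCS initiates SOAP/XML are constructed for illustration.

```python
import ipaddress

# Constructed lab addresses (assumptions, not from the page).
WLC, MSE, WCS = "10.10.1.10", "10.20.1.20", "10.20.1.30"

# Flows from the protocol list: NMSP terminates on the controller's TCP 16113,
# SOAP/XML terminates on the MSE's TCP 443. Source side is an assumption.
REQUIRED_FLOWS = [
    ("NMSP", MSE, WLC, "tcp", 16113),
    ("SOAP/XML", WCS, MSE, "tcp", 443),
]

def rule_matches(rule, src, dst, proto, port):
    """True if a single firewall rule covers the given flow."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"])
            and rule["proto"] in (proto, "any")
            and (rule["port"] is None or rule["port"] == port))

def evaluate(rules, src, dst, proto, port):
    """First-match evaluation with an implicit deny at the end."""
    for rule in rules:
        if rule_matches(rule, src, dst, proto, port):
            return rule["action"]
    return "deny"

def audit(rules):
    """Return the names of the required flows that the rule set blocks."""
    return [name for name, src, dst, proto, port in REQUIRED_FLOWS
            if evaluate(rules, src, dst, proto, port) != "permit"]

# Constructed rule set: HTTPS to the MSE is allowed, NMSP was forgotten.
SAMPLE_RULES = [
    {"action": "permit", "src": "10.20.1.30/32", "dst": "10.20.1.20/32",
     "proto": "tcp", "port": 443},
    {"action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
     "proto": "any", "port": None},
]

if __name__ == "__main__":
    print("blocked flows:", audit(SAMPLE_RULES))
```

A blocked NMSP flow in this audit corresponds to a controller that never synchronises with the MSE, so it is worth checking before troubleshooting the services themselves.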
Here are some settings of a Context Aware Service (CAS) deployment.
The following shows the history information you can keep on the MSE. You have to configure which parameters to record and how long that information is kept.
In WCS, under “Services -> Mobility Services -> Context Aware Services -> Location Parameters”, you can change location-specific settings. An element is declared “inactive” if it remains inactive for 1 hour. If it remains inactive for 24 hours (Absent Data Cleanup Interval), it is removed from the tracking table. The element’s history, however, stays in the MSE for 30 days by default.
The RSSI Cutoff is an important field that can be tuned for a particular environment. This field specifies the RSSI value below which the MSE ignores a reading when it calculates the location of a given element. This value applies only to client tracking; it does not apply to tag tracking.
If you specify a very high RSSI Cutoff, such as -60 or -50, with low AP density, location calculation is poor because the MSE excludes the RSSI values of APs that hear the client reliably.
If you use a low RSSI Cutoff, such as -85 or -90, and operate in an open-space area or in areas with low wall or inter-floor attenuation, location calculation is also poor because the MSE includes RSSI values from outlying APs in its calculation.
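To see the trade-off on concrete numbers, here is an added example (not from the original post and not the MSE's own algorithm) that applies different cutoffs to one client's readings and reports which APs would still contribute. The AP names, floors and RSSI values are constructed, and the minimum of three contributing APs is an assumption used for the verdict.

```python
# Constructed survey sample: RSSI (dBm) at which each AP hears one client.
# AP names, floors and values are made up for illustration.
SAMPLE = [
    {"ap": "AP-2F-01", "floor": 2, "rssi": -58},
    {"ap": "AP-2F-02", "floor": 2, "rssi": -67},
    {"ap": "AP-2F-03", "floor": 2, "rssi": -72},
    {"ap": "AP-2F-04", "floor": 2, "rssi": -79},
    {"ap": "AP-1F-02", "floor": 1, "rssi": -86},
    {"ap": "AP-3F-01", "floor": 3, "rssi": -88},
]

MIN_APS = 3  # assumption: at least three contributing APs for a usable fix

def apply_cutoff(readings, cutoff):
    """Drop readings below the cutoff, as the RSSI Cutoff field does."""
    return [r for r in readings if r["rssi"] >= cutoff]

def assess(readings, client_floor, cutoff):
    """Report which APs survive a cutoff and whether the set looks usable."""
    kept = apply_cutoff(readings, cutoff)
    same = [r["ap"] for r in kept if r["floor"] == client_floor]
    other = [r["ap"] for r in kept if r["floor"] != client_floor]
    if len(kept) < MIN_APS:
        verdict = "too few APs"             # cutoff too high for this density
    elif other:
        verdict = "off-floor APs included"  # cutoff too low, outliers leak in
    else:
        verdict = "ok"
    return {"cutoff": cutoff, "same_floor": same,
            "off_floor": other, "verdict": verdict}

def sweep(readings, client_floor, cutoffs):
    """Assess a list of candidate cutoffs for one client sample."""
    return [assess(readings, client_floor, c) for c in cutoffs]

if __name__ == "__main__":
    for row in sweep(SAMPLE, client_floor=2, cutoffs=[-60, -75, -90]):
        print(row["cutoff"], row["verdict"], row["same_floor"], row["off_floor"])
```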
You can change Tracking Parameter values as shown in the value.
If you want to send notifications to a third-party system (Northbound Notifications), you can configure this under Notification Parameters in the Advanced Settings of CAS.
Here are a few reference guides I found useful when configuring the MSE. Please feel free to read them to understand the different settings on this platform.
1. Cisco Mobility Services Engine – Context Aware Mobility Solution Deployment Guide
2. Cisco Adaptive Wireless Intrusion Prevention System Configuration Guide Release 7.0
3. Cisco Context-Aware Service Configuration Guide Release 7.0
Wow! Very informative, thanks a lot
Thank you for the feedback…
Hi
What is the difference between MSE and Cisco Prime?
MSE is to collect location specific information from WLCs.
Prime is the central management platform to present all meaningful information. Data is collected from WLC, MSE, ISE, etc.
HTH
Rasika
Hi
What is the difference between MSE and WLC?
In WLC do we have to configure MSE, or is MSE a separate device?
Hi
I understand from the previous answer the difference between MSE and Cisco Prime.
MSE is a separate device; first we have to integrate WLC and MSE, then we have to add both MSE and WLC in WCS.
Am I right or wrong?
Hi
Here is the workflow
1. Add MSE and WLC to the PI (Prime Infrastructure) or WCS.
2. Sync MSE with WLC. (Here MSE syncs with WLC using NMSP.) Once MSE syncs with WLC, WLC will start sending all the location details of wireless devices to MSE.
PN: MSE is a separate device that comes both as an appliance and as a VM.
Thanks
Shajesh AK
Thanks Shajesh for responding…
HI Rasika
I have a flex controller with many different clients, if I want to add MSE to one particular client, is the controller or MSE smart enough to send only that one clients data or does it send data from all the clients on the controller to MSE
I don’t think you can filter clients data. It is all or nothing
HTH
Rasika
HI Rasika
Sorry let me rephrase that, for eg I got 5 different customers connected to one flex controller, each customer has around 100 APs, each customer has their own maps on Prime, can customer A sync to MSE if I only sync his map to the MSE, or will it send all 5 customers data to the MSE?
Dear Rasika ,
I can't add MSE to WCS; a message appears telling me that there is no HTTP service found ……. can you help me please
Did you try to stop the service & start the service of MSE ?
check the IP connectivity + check MSE service is started.
Dear nayarasi,
Is there any MSE VM that can work with WCS VM
I know that there was demo MSE version which is compatible with WCS. Not sure how you can get it.
hi guys,
what if i have wlc + mse only deployment without wcs/prime? will it still be a useful setup? or does it have to be deployed all together? in a nutshell, without prime/wcs what will be the disadvantages? tia
In the past, without Prime/WCS you could not use MSE. Now at least MSE has its own GUI access. But you still require Prime to get use of your MSE. Things like locating users and rogues all require map information.
HTH
Rasika
is there a way to simulate cisco MSE?
There is VM image available for this. You can trial it
Hi Rasika,
Is it possible to explain the alerts (like DOS & Rogue) and mitigation procedure..?
Dear nayarasi,
For network design ,is there any best practice or recommendation for installing MSE , is there any problem for installing MSE & WCS inside datacenter behind firewall
OR it is better to install WCS & MSE beside WLCs without firewall
Dear Rasika,
I have MSE 3300 configured long back but unfortunately i forget the password.. how do i recover the password..??
Regards,
Dear Rasika,
I have a 3310 MSE and Prime, but my NMSP connection is inactive. Do you know what the problem is?
Thanks and appreciated
Is this with WLC 8. X code ?
Hello Rasika,
Problem solved by TAC; I just upgraded my MSE to 8.0.100.x and Prime to 2.2, then the connection came active. Your website is very helpful, thanks and appreciated.
Good to hear that Joe.
Rasika
may be WLC and MSE ‘s question,you can check the wlc ap policies! use ssc or lsc….
hi ,
i deployed an mse+PI+wlc , how can verify that the context aware i configured is working? =( tia
chris
Hi is it possible to deploy MSE without prime and can mse block DDOS attack if we have wIPS license.. what would be requirement to block DDOS attack…AP in local mode or monitor mode or ELM or wIPS module ?
MSE 10.0 does not require Prime
thanks for reply. Except MSE 10.0 other MSE version requires Prime…right..
Yes, other version of MSE required PI to integrate MSE to wireless setup.
Hi Nayarasi, really helpful website..
Do you have any troubleshooting steps for WLC + MSE + CPI? … if so would be great if you can share the info with us!
will do as I come across.
Hi there,
I have a deployment in which i am having Cisco PI 2.2 with Wism-2 8.0 and MSE 8.0. I have CAS and wIPS license on MSE as well. Now i have heard of a limitation in MSE that we cannot run both licenses on same box. Is it true? Moreover, i cannot find any MSE 8.0 configuration guide for CAS. Do you have link for those? Lastly can you also explain what is CMX and its licenses in MSE? Thanks
Hi
This may be the link you're referring to
http://www.cisco.com/c/en/us/td/docs/wireless/mse/8-0/MSE_CMX/8_0_MSE_CAS.html
HTH
Rasika
Hi,
I got one issue when I deployed Cisco MSE version 8.0. The error when I access the GUI shows “the requested URL / was not found on this server”. This is a virtual Cisco MSE and I noticed that http is null. I tried to enable it using “enablehttp” but the result is still the same. Is it because http is null that the GUI is unable to be accessed / gives the error?
*This is my first time deploying Cisco MSE.
Thanks.
Did you try it in the format below?
https:///mseui/
HTH
Rasika
I cannot reach the URL that you provided. The error is “Server not found”.
I still cannot reach it using that format.
Make sure the server is up & services are running.
Rasika
Hi Nayarasi,
Thanks for your advice. Finally my issue is solved. 🙂
Great, what was the cause?
Hey!
Try https:///mseui/
Let me know if it works and please try it in different browsers
Hth!
Tim
Hello,
Can you use MSE CAS licenses with CMX 10.x?
Thanks, I enjoy reading your blog!
Hi TJ,
I do not think MSE CAS licenses work with CMX 10.x. There is no upgrade path from MSE 8.x to CMX 10.x.
HTH
Rasika
Thanks Rasika, that is what I was afraid of.
Hello,
We are using Cisco Prime 3.2 + WLCs, and just installed Cisco MSE.
But we are experiencing big issues with very old wireless clients which are no longer able to associate (when I stop MSE, they can associate again). I am a bit surprised; I was thinking MSE had only limited interactions with WLC (basically reading information about clients).
Any idea what could be the source of the problem?
Have you taken any client debug to see what it tells about association failures?
On what AP model and software version did you get this issue?
Rasika
Unfortunately the problem is so impacting that I did not have time to get a client debug, as these old wireless clients (Datalogic barcode readers) are critical for production.
This does not seem to be related to any specific access point (we have warehouses using old 1242, some others 1532, others 1602…).
On the WLC side, we are mostly using 8.0.133.0, but 2 sites are using 8.2.141.0. The 2 sites using 8.2.141.0 did not notice any impact (but have only a few of those clients). So I would suspect the WLC version.