
Network Mobility Services Protocol (NMSP) is the protocol between the Mobility Services Engine (MSE) and the wireless LAN controller (WLC). Telemetry, emergency and RSSI information for clients, tags and rogues is carried between the controller and the mobility service over NMSP. The diagram below shows where NMSP fits in a Cisco Unified Wireless Network (CUWN) setup.

(Figure NMSP-02)

Now let's see how to enable this communication between MSE & WLC. I have used a 3850/5760 (IOS-XE based WLC) & a 5508 (AireOS based WLC) for this post.

NMSP runs over TLS with the controller acting as the server, and the controller authenticates the MSE by the hash of the self-signed certificate the MSE presents as a TLS client, not by a shared secret. The WLC therefore has to know two things about the MSE before the connection can come up: its MAC address and its key hash. You can obtain both from the MSE CLI as shown below; take care which hash you copy, because the SHA1 and SHA2 values are not interchangeable.

[root@mse ~]# cmdshell
cmd> show server-auth-info
invoke command: com.aes.server.cli.CmdGetServerAuthInfo
AesLog queue high mark: 50000
AesLog queue low mark: 500
----------------
Server Auth Info
----------------
MAC Address: 00:50:56:89:2b:4a
SHA1 Key Hash: b45bfbec4db0403c55a9d094963ed259b108a243
SHA2 Key Hash: a471b440b7dd6d972de9d4fe0733434ea6e0344ec2531d879a86df425ff1da39
Certificate Type: SSC

First we will look at how to configure this on a converged access (5760/3850/3650) platform; I have used a 5760 for this example. Enable NMSP on the switch, then create a local user whose username is the MSE MAC address (hex digits, no separators) and whose password, supplied through an AAA attribute list, is the MSE key hash. That "password" is the fingerprint of the certificate the MSE presents during the TLS handshake, not a secret you choose, so it must be copied exactly. Note that support for the SHA-2 (SHA-256) key hash was added in IOS-XE 3.6, which is the version running on my 3850/5760; earlier releases use the SHA1 hash instead.

5760-1(config)#nmsp enable
5760-1(config)#aaa attribute list NMSP
5760-1(config-attr-list)#attribute type password A471B440B7DD6D972DE9D4FE0733434EA6E0344EC2531D879A86DF425FF1DA39
5760-1(config-attr-list)#exit
!
5760-1(config)#username 005056892b4a ?
  aaa                     AAA directive
  access-class            Restrict access by access-class
  algorithm-type          Algorithm to use for hashing the plaintext secret for the user
  autocommand             Automatically issue a command after the user logs in
  callback-dialstring     Callback dialstring
  callback-line           Associate a specific line with this callback
  callback-rotary         Associate a rotary group with this callback
  common-criteria-policy  Enter the common-criteria policy name
  dnis                    Do not require password when obtained via DNIS
  mac                     This entry is for MAC Filtering where username=mac
  nocallback-verify       Do not require authentication after callback
  noescape                Prevent the user from using an escape character
  nohangup                Do not disconnect after an automatic command
  nopassword              No password is required for the user to log in
  password                Specify the password for the user
  privilege               Set user privilege level
  secret                  Specify the secret for the user
  user-maxlinks           Limit the user's number of inbound links
  view                    Set view name
  <cr>

5760-1(config)#username 005056892b4a mac ?
  aaa       AAA directive
  password  Specify the password for the user
  <cr>

5760-1(config)#username 005056892b4a mac aaa ?
  attribute  AAA attribute directive

5760-1(config)#username 005056892b4a mac aaa attribute ?
  list  AAA attribute list

5760-1(config)#username 005056892b4a mac aaa attribute list NMSP

Once you do that, go to Prime Infrastructure (Services -> Synchronize Services -> Controllers), select the 5760 & click the "Change MSE Assignment" button. Then select the appropriate MSE & the services (CAS & WIPS in my case) you want to synchronize between WLC & MSE.

(Figure NMSP-03)

Once synchronization completes you can verify it from the WLC, the MSE or the PI GUI. Here is how you can verify it from the 5760 CLI.

5760-1#show nmsp ?
  attachment    show attachment suppress interfaces
  capability    Display NMSP Capabilities.
  notification  Show the notification intervals
  statistics    Show the NMSP Counters
  status        Show the status of active NMSP connections
  subscription  Display mobility services subscribed on controller by Mobility Services Engine. 

5760-1#show nmsp status 
MSE IP Address   Tx Echo Resp  Rx Echo Req   Tx Data     Rx Data     
-------------------------------------------------------------------
x.x.32.9      12293         12293         104883      24          

5760-1#show nmsp subscription summary 
Mobility Services Subscribed
----------------------------
Server IP         Services
--------------------------
x.x.32.9       RSSI, Info, Statistics, IDS, Attachment, Wired Location

5760-1#show nmsp subscription detail 
Mobility Services Subscribed by x.x.32.9:
Service         Subservice
--------------------------
RSSI            Mobile Station, Tags, Rogue
Info            Mobile Station, Rogue
Statistics      Mobile Station, Tags
Attachment      Wired Station
Location        Subscription
IDS Services    WIPS

You can verify the same from the MSE GUI in v8.0 (https://<MSE_IP>/mseui/) as well; go to the NMSP status page as shown below.

(Figure NMSP-04)

If you have multiple 3850s acting as MAs (Mobility Agents), you have to configure the same on each of them, since the MSE brings up its own NMSP connection to each one. Here are the commands required in my case.

3850-1(config)#nmsp enable
3850-1(config)#username 005056892b4a mac aaa attribute list NMSP
3850-1(config)#aaa attribute list NMSP
3850-1(config-attr-list)#attribute type password A471B440B7DD6D972DE9D4FE0733434EA6E0344EC2531D879A86DF425FF1DA39

On an IOS-XE based controller, if you want to troubleshoot NMSP connection issues you can use NMSP debugs or traces. Traces are typically more useful & less processor intensive. The trace below shows the whole connection establishment: the controller accepts the TLS connection, sends a certificate request, validates the MSE's client certificate, then hashes that certificate and looks the hash up as the AAA password of the username matching the MSE MAC ("AAA Password Located"), and only after "Authlist authentication successful" does it finish the handshake, with AES128-SHA as the negotiated cipher. Note that the "SSLv3 ..." labels are OpenSSL's generic handshake state names and appear for TLS 1.x handshakes as well, so on their own they do not tell you which protocol version was negotiated.

3850-1#set trace nmsp connection level debug
3850-1#show trace messages nmsp
[09/25/14 10:58:34.811 AEST 55d 12683] Allocated new NMSP connection 0
[09/25/14 10:58:34.811 AEST 55e 12683] sslConnectionInit:  SSL_new() conn ssl 50587920
[09/25/14 10:58:34.811 AEST 55f 12683] sslConnectionInit: SSL_do_handshake for conn ssl 50587920, conn state: INIT, SSL state: HANDSHAKING 
[09/25/14 10:58:34.811 AEST 560 12683] SSL state = 0x6000; where = 0x10; ret = 0x1
[09/25/14 10:58:34.811 AEST 561 12683] ret_type_string=unknown
[09/25/14 10:58:34.811 AEST 562 12683] ret_desc_string=unknown
[09/25/14 10:58:34.811 AEST 563 12683] SSL_state_string=before/accept initialization
[09/25/14 10:58:34.811 AEST 564 12683] SSL state = 0x6000; where = 0x2001; ret = 0x1
[09/25/14 10:58:34.811 AEST 565 12683] ret_type_string=unknown
[09/25/14 10:58:34.811 AEST 566 12683] ret_desc_string=unknown
[09/25/14 10:58:34.811 AEST 567 12683] SSL_state_string=before/accept initialization
[09/25/14 10:58:34.811 AEST 568 12683] SSL state = 0x2210; where = 0x2002; ret = 0xffffffff
[09/25/14 10:58:34.811 AEST 569 12683] ret_type_string=unknown
[09/25/14 10:58:34.811 AEST 56a 12683] ret_desc_string=unknown
[09/25/14 10:58:34.811 AEST 56b 12683] SSL_state_string=unknown state
[09/25/14 10:58:34.811 AEST 56c 12683] -- returns WANT_READ for conn ssl 50587920
[09/25/14 10:58:34.811 AEST 56d 12683] sslConnectionInit() success with Connection state: INIT, SSL state: HANDSHAKING 
[09/25/14 10:58:34.814 AEST 56e 12683] doSSLRecvLoop: Handshake has not completed for conn 0
[09/25/14 10:58:34.814 AEST 56f 12683] sslConnectionInit: SSL_do_handshake for conn ssl 50587920, conn state: INIT, SSL state: HANDSHAKING 
[09/25/14 10:58:34.814 AEST 570 12683] SSL state = 0x2110; where = 0x2001; ret = 0x1
[09/25/14 10:58:34.814 AEST 571 12683] ret_type_string=unknown
[09/25/14 10:58:34.814 AEST 572 12683] ret_desc_string=unknown
[09/25/14 10:58:34.814 AEST 573 12683] SSL_state_string=SSLv3 read client hello A
[09/25/14 10:58:34.814 AEST 574 12683] SSL state = 0x2130; where = 0x2001; ret = 0x1
[09/25/14 10:58:34.814 AEST 575 12683] ret_type_string=unknown
[09/25/14 10:58:34.814 AEST 576 12683] ret_desc_string=unknown
[09/25/14 10:58:34.814 AEST 577 12683] SSL_state_string=SSLv3 write server hello A
[09/25/14 10:58:34.814 AEST 578 12683] SSL state = 0x2140; where = 0x2001; ret = 0x1
[09/25/14 10:58:34.814 AEST 579 12683] ret_type_string=unknown
[09/25/14 10:58:34.814 AEST 57a 12683] ret_desc_string=unknown
[09/25/14 10:58:34.814 AEST 57b 12683] SSL_state_string=SSLv3 write certificate A
[09/25/14 10:58:34.814 AEST 57c 12683] SSL state = 0x2160; where = 0x2001; ret = 0x1
[09/25/14 10:58:34.814 AEST 57d 12683] ret_type_string=unknown
[09/25/14 10:58:34.814 AEST 57e 12683] ret_desc_string=unknown
[09/25/14 10:58:34.814 AEST 57f 12683] SSL_state_string=SSLv3 write certificate request A
[09/25/14 10:58:34.815 AEST 580 12683] SSL state = 0x2100; where = 0x2001; ret = 0x1
[09/25/14 10:58:34.815 AEST 581 12683] ret_type_string=unknown
[09/25/14 10:58:34.815 AEST 582 12683] ret_desc_string=unknown
[09/25/14 10:58:34.815 AEST 583 12683] SSL_state_string=SSLv3 flush data
[09/25/14 10:58:34.815 AEST 584 12683] SSL state = 0x2180; where = 0x2002; ret = 0xffffffff
[09/25/14 10:58:34.815 AEST 585 12683] ret_type_string=unknown
[09/25/14 10:58:34.815 AEST 586 12683] ret_desc_string=unknown
[09/25/14 10:58:34.815 AEST 587 12683] SSL_state_string=SSLv3 read client certificate A
[09/25/14 10:58:34.815 AEST 588 12683] SSL state = 0x2180; where = 0x2002; ret = 0xffffffff
[09/25/14 10:58:34.815 AEST 589 12683] ret_type_string=unknown
[09/25/14 10:58:34.815 AEST 58a 12683] ret_desc_string=unknown
[09/25/14 10:58:34.815 AEST 58b 12683] SSL_state_string=SSLv3 read client certificate A
[09/25/14 10:58:34.815 AEST 58c 12683] -- returns WANT_READ for conn ssl 50587920
[09/25/14 10:58:35.115 AEST 58d 12683] doSSLRecvLoop: Handshake has not completed for conn 0
[09/25/14 10:58:35.115 AEST 58e 12683] sslConnectionInit: SSL_do_handshake for conn ssl 50587920, conn state: INIT, SSL state: HANDSHAKING 
[09/25/14 10:58:35.121 AEST 58f 12683] Peer certificate Validation Done for conn ssl 50587920, calling authlist..
[09/25/14 10:58:35.121 AEST 590 12683] Client Cert Hash Key [a471b440b7dd6d972de9d4fe0733434ea6e0344ec2531d879a86df425ff1da39]
[09/25/14 10:58:35.123 AEST 591 12683] AAA Password Located - 
[09/25/14 10:58:35.123 AEST 592 12683] 00000000: a4 71 b4 40 b7 dd 6d 97  2d e9 d4 fe 07 33 43 4e  .q.@..m.-....3CN
[09/25/14 10:58:35.123 AEST 593 12683] 00000010: a6 e0 34 4e c2 53 1d 87  9a 86 df 42 5f f1 da 39  ..4N.S.....B_..9
[09/25/14 10:58:35.123 AEST 594 12683] Authlist authentication successful for conn ssl 50587920
[09/25/14 10:58:36.121 AEST 595 12683] Peer Validated against the AuthList
[09/25/14 10:58:36.121 AEST 596 12683] SSL state = 0x2180; where = 0x2001; ret = 0x1
[09/25/14 10:58:36.121 AEST 597 12683] ret_type_string=unknown
[09/25/14 10:58:36.121 AEST 598 12683] ret_desc_string=unknown
[09/25/14 10:58:36.121 AEST 599 12683] SSL_state_string=SSLv3 read client certificate A
[09/25/14 10:58:36.140 AEST 59a 12683] SSL state = 0x2190; where = 0x2001; ret = 0x1
[09/25/14 10:58:36.140 AEST 59b 12683] ret_type_string=unknown
[09/25/14 10:58:36.140 AEST 59c 12683] ret_desc_string=unknown
[09/25/14 10:58:36.140 AEST 59d 12683] SSL_state_string=SSLv3 read client key exchange A
[09/25/14 10:58:36.144 AEST 59e 12683] SSL state = 0x21a0; where = 0x2001; ret = 0x1
[09/25/14 10:58:36.144 AEST 59f 12683] ret_type_string=unknown
[09/25/14 10:58:36.144 AEST 5a0 12683] ret_desc_string=unknown
[09/25/14 10:58:36.144 AEST 5a1 12683] SSL_state_string=SSLv3 read certificate verify A
[09/25/14 10:58:36.147 AEST 5a2 12683] SSL state = 0x21c0; where = 0x2001; ret = 0x1
[09/25/14 10:58:36.147 AEST 5a3 12683] current_cipher_str=AES128-SHA
[09/25/14 10:58:36.147 AEST 5a4 12683] ret_type_string=unknown
[09/25/14 10:58:36.147 AEST 5a5 12683] ret_desc_string=unknown
[09/25/14 10:58:36.147 AEST 5a6 12683] SSL_state_string=SSLv3 read finished A
[09/25/14 10:58:36.147 AEST 5a7 12683] SSL state = 0x21d0; where = 0x2001; ret = 0x1
[09/25/14 10:58:36.147 AEST 5a8 12683] current_cipher_str=AES128-SHA
[09/25/14 10:58:36.147 AEST 5a9 12683] ret_type_string=unknown
[09/25/14 10:58:36.147 AEST 5aa 12683] ret_desc_string=unknown
[09/25/14 10:58:36.147 AEST 5ab 12683] SSL_state_string=SSLv3 write change cipher spec A
[09/25/14 10:58:36.148 AEST 5ac 12683] SSL state = 0x21e0; where = 0x2001; ret = 0x1
[09/25/14 10:58:36.148 AEST 5ad 12683] current_cipher_str=AES128-SHA
[09/25/14 10:58:36.148 AEST 5ae 12683] ret_type_string=unknown
[09/25/14 10:58:36.148 AEST 5af 12683] ret_desc_string=unknown
[09/25/14 10:58:36.148 AEST 5b0 12683] SSL_state_string=SSLv3 write finished A
[09/25/14 10:58:36.149 AEST 5b1 12683] SSL state = 0x2100; where = 0x2001; ret = 0x1
[09/25/14 10:58:36.149 AEST 5b2 12683] current_cipher_str=AES128-SHA
[09/25/14 10:58:36.149 AEST 5b3 12683] ret_type_string=unknown
[09/25/14 10:58:36.149 AEST 5b4 12683] ret_desc_string=unknown
[09/25/14 10:58:36.149 AEST 5b5 12683] SSL_state_string=SSLv3 flush data
[09/25/14 10:58:36.149 AEST 5b6 12683] SSL state = 0x3; where = 0x20; ret = 0x1
[09/25/14 10:58:36.149 AEST 5b7 12683] current_cipher_str=AES128-SHA
[09/25/14 10:58:36.149 AEST 5b8 12683] ret_type_string=unknown
[09/25/14 10:58:36.149 AEST 5b9 12683] ret_desc_string=unknown
[09/25/14 10:58:36.149 AEST 5ba 12683] SSL_state_string=SSL negotiation finished successfully
[09/25/14 10:58:36.149 AEST 5bb 12683] SSL state = 0x3; where = 0x2002; ret = 0x1
[09/25/14 10:58:36.149 AEST 5bc 12683] current_cipher_str=AES128-SHA
[09/25/14 10:58:36.149 AEST 5bd 12683] ret_type_string=unknown
[09/25/14 10:58:36.149 AEST 5be 12683] ret_desc_string=unknown
[09/25/14 10:58:36.149 AEST 5bf 12683] SSL_state_string=SSL negotiation finished successfully
[09/25/14 10:58:36.149 AEST 5c0 12683] SSL_do_handshake() succeeded for conn ssl 50587920
[09/25/14 10:58:36.149 AEST 5c1 12683] NMSP connection success! for conn 0
[09/25/14 10:58:36.449 AEST 5c2 12683] SSL_read() 9 out of 9 bytes.
[09/25/14 10:58:36.450 AEST 5c3 12683] SSL_read() 68 out of 68 bytes.
[09/25/14 10:58:36.751 AEST 5c4 12683] SSL_read() 9 out of 9 bytes.
[09/25/14 10:58:36.751 AEST 5c5 12683] SSL_read() 10 out of 10 bytes.
[09/25/14 10:58:36.751 AEST 5c6 12683] SSL_read() 9 out of 9 bytes.

Now let's see how to configure this on a 5508 (or any other AireOS controller). Here the MSE MAC address & key hash go into the auth-list, the same list the controller uses to authorize APs by certificate, as shown below. Use sha256-lbs-ssc with the SHA2 key hash; lbs-ssc is the older form that takes the SHA1 hash.

(5508-1) >config auth-list ?               
add            Creates an authorized AP entry.
ap-policy      Configures an AP authorization policy.
delete         Delete an existing AP entry.
               
(5508-1) >config auth-list add ?               
lbs-ssc        Location Server has a Self-Signed Certificate.
lsc            AP has a Locally Significant Certificate.
mic            AP has a Manufacturing-Installed Certificate.
sha256-lbs-ssc Location Server has a Self-Signed Certificate.
ssc            AP has a Self-Signed Certificate.
               
(5508-1) >config auth-list add sha256-lbs-ssc ?               
<LBS mac>      Enter MAC address.
               
(5508-1) >config auth-list add sha256-lbs-ssc 00:50:56:89:2b:4a ?               
<LBS key>      Enter a key value of 32 bytes in hex.
               
(5508-1) >config auth-list add sha256-lbs-ssc 00:50:56:89:2b:4a a471b440b7dd6d972de9d4fe0733434ea6e0344ec2531d879a86df425ff1da39

As explained earlier, go to Prime Infrastructure & synchronize the services between the 5508 & the MSE. Once you do that you can verify the result with "show auth-list" (the entry must show the full 64-hex-digit hash) and "show nmsp status" on the 5508. If you enable "debug nmsp connection" before synchronizing the services you can watch the NMSP connection being established as well.

(5508-1) >show auth-list 
Authorize MIC APs against Auth-list or AAA ...... disabled
Authorize LSC APs against Auth-List ............. disabled
APs Allowed to Join
  AP with Manufacturing Installed Certificate.... yes
  AP with Self-Signed Certificate................ no
  AP with Locally Significant Certificate........ no
Mac Addr                  Cert Type    Key Hash
-----------------------   ----------   ------------------------------------------
00:50:56:89:2b:4a         LBS-SSC-SHA256      a471b440b7dd6d972de9d4fe0733434ea6e0344ec2531d879a86df425ff1da39

(5508-1) >show nmsp status 
MSE IP Address            Tx Echo Resp    Rx Echo Req    Tx Data    Rx Data
--------------            ------------    -----------    -------    ------- 
x.x.32.9         19              19             32         12         

(5508-1) >debug nmsp connection enable 
(5508-1) >*nmspRxServerTask: Sep 25 19:28:06.749: Accept succ for http socket addrtype=IPV4(0xa852009)
*nmspRxServerTask: Sep 25 19:28:06.750: Allocated new NMSP connection 0
*nmspRxServerTask: Sep 25 19:28:06.750: sslConnectionInit:  SSL_new() conn ssl 0x2c75f990
*nmspRxServerTask: Sep 25 19:28:06.750: sslConnectionInit: SSL_do_handshake for conn ssl 0x2c75f990, conn state: INIT, SSL state: HANDSHAKING 
*nmspRxServerTask: Sep 25 19:28:06.751: -- returns WANT_READ for conn ssl 0x2c75f990
*nmspRxServerTask: Sep 25 19:28:06.751: sslConnectionInit() success with Connection state: INIT, SSL state: HANDSHAKING 
*nmspRxServerTask: Sep 25 19:28:06.828: doSSLRecvLoop: Handshake has not completed for conn 0
*nmspRxServerTask: Sep 25 19:28:06.828: sslConnectionInit: SSL_do_handshake for conn ssl 0x2c75f990, conn state: INIT, SSL state: HANDSHAKING 
*nmspRxServerTask: Sep 25 19:28:06.829: -- returns WANT_READ for conn ssl 0x2c75f990
*nmspRxServerTask: Sep 25 19:28:07.144: doSSLRecvLoop: Handshake has not completed for conn 0
*nmspRxServerTask: Sep 25 19:28:07.144: sslConnectionInit: SSL_do_handshake for conn ssl 0x2c75f990, conn state: INIT, SSL state: HANDSHAKING 
*nmspRxServerTask: Sep 25 19:28:07.193: Peer (LBS) certificate Validation Done for conn ssl 0x2c75f990, calling authlist..
*aaaQueueReader: Sep 25 19:28:07.193: AuthList Callback returned SUCCESS for conn ssl 0x2c75f990
*nmspRxServerTask: Sep 25 19:28:08.196: Peer Validated against the AuthList
*nmspRxServerTask: Sep 25 19:28:08.334: SSL_do_handshake() succeeded for conn ssl 0x2c75f990
*nmspRxServerTask: Sep 25 19:28:08.334: NMSP connection success! for conn 0
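Because the controller only matches the MSE's certificate hash against the MAC and hash you typed in, a single wrong or missing hex digit leaves the NMSP connection failing at "calling authlist" with no clearer message. The following script is an added example, not code from the original post or from Cisco: it parses the MSE "show server-auth-info" output, the 5508 "show auth-list" table and the 5760 username / attribute-list configuration shown above, and reports whether each controller really holds the MSE's MAC address and SHA-2 key hash. The sample inputs are copied from the CLI output on this page; the running-config layout used for the IOS-XE commands is an assumption.

```python
"""Cross-check a WLC's NMSP auth entry against what the MSE advertises.

Added example (not from the original post or Cisco). Sample inputs are the
CLI outputs shown on the page; the IOS-XE running-config layout is assumed.
"""
import re

MSE_SERVER_AUTH_INFO = """\
MAC Address: 00:50:56:89:2b:4a
SHA1 Key Hash: b45bfbec4db0403c55a9d094963ed259b108a243
SHA2 Key Hash: a471b440b7dd6d972de9d4fe0733434ea6e0344ec2531d879a86df425ff1da39
Certificate Type: SSC
"""

AIREOS_SHOW_AUTH_LIST = """\
Mac Addr                  Cert Type    Key Hash
-----------------------   ----------   ------------------------------------------
00:50:56:89:2b:4a         LBS-SSC-SHA256      a471b440b7dd6d972de9d4fe0733434ea6e0344ec2531d879a86df425ff1da39
"""

# Assumed running-config rendering of the 5760 commands shown earlier.
IOSXE_CONFIG = """\
aaa attribute list NMSP
 attribute type password A471B440B7DD6D972DE9D4FE0733434EA6E0344EC2531D879A86DF425FF1DA39
!
username 005056892b4a mac aaa attribute list NMSP
"""


def norm_mac(mac):
    """Accept 00:50:56:89:2b:4a, 0050.5689.2b4a or 005056892b4a; return 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def classify_hash(h):
    """Return ('sha1'|'sha256', lowercase hex); reject anything not exactly 40 or 64 hex digits."""
    h = h.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", h):
        raise ValueError(f"key hash is not hex: {h!r}")
    algo = {40: "sha1", 64: "sha256"}.get(len(h))
    if algo is None:
        raise ValueError(f"key hash has {len(h)} hex digits, expected 40 (SHA-1) or 64 (SHA-256)")
    return algo, h


def parse_mse(text):
    """Fields of 'show server-auth-info' from the MSE cmdshell."""
    fields = dict(re.findall(r"^([A-Za-z0-9 ]+?):\s*(\S+)\s*$", text, re.M))
    return {
        "mac": norm_mac(fields["MAC Address"]),
        "sha1": fields["SHA1 Key Hash"].lower(),
        "sha256": fields["SHA2 Key Hash"].lower(),
        "cert_type": fields["Certificate Type"],
    }


def parse_aireos_auth_list(text):
    """Rows of the AireOS 'show auth-list' table: MAC, cert type, key hash."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F:]{17})\s+(\S+)\s+([0-9a-fA-F]+)\s*$", line)
        if m:
            entries.append({"mac": norm_mac(m[1]), "source": m[2], "hash": m[3]})
    return entries


def parse_iosxe_config(text):
    """Join 'username <mac> mac aaa attribute list X' with the password held in list X."""
    passwords, users, current = {}, {}, None
    for line in text.splitlines():
        if m := re.match(r"^aaa attribute list (\S+)", line):
            current = m[1]
        elif m := re.match(r"^\s+attribute type password (\S+)", line):
            if current:
                passwords[current] = m[1]
        elif m := re.match(r"^username (\S+) mac aaa attribute list (\S+)", line):
            users[norm_mac(m[1])] = m[2]
    return [{"mac": mac, "source": f"attribute list {name}", "hash": passwords.get(name, "")}
            for mac, name in users.items()]


def check(mse, entries):
    """Return [(status, message)]: 'ok' for a SHA-256 match, 'warn' for SHA-1 only, 'fail' otherwise.

    The hash is a public fingerprint of the MSE's self-signed certificate, not a
    secret, so plain equality is the right test; what matters is that it is exact.
    """
    mine = [e for e in entries if e["mac"] == mse["mac"]]
    if not mine:
        return [("fail", f"no entry for MSE MAC {mse['mac']}")]
    findings = []
    for e in mine:
        try:
            algo, h = classify_hash(e["hash"])
        except ValueError as exc:
            findings.append(("fail", f"{e['source']}: {exc}"))
            continue
        if h != mse[algo]:
            findings.append(("fail", f"{e['source']}: {algo} hash differs from the MSE's"))
        elif algo == "sha1":
            findings.append(("warn", f"{e['source']}: matches the SHA-1 hash only; prefer the SHA2 hash"))
        else:
            findings.append(("ok", f"{e['source']}: SHA-256 key hash matches the MSE"))
    return findings


def main():
    mse = parse_mse(MSE_SERVER_AUTH_INFO)
    for label, entries in (("5508", parse_aireos_auth_list(AIREOS_SHOW_AUTH_LIST)),
                           ("5760", parse_iosxe_config(IOSXE_CONFIG))):
        for status, msg in check(mse, entries):
            print(f"{label}: {status.upper()} {msg}")


if __name__ == "__main__":
    main()
```

Paste your own CLI output into the three constants and run it before synchronizing in Prime; a hash with a dropped digit, an uppercase/lowercase mix-up or a SHA1 value entered where SHA2 was expected all show up here as FAIL or WARN rather than as a silently failing NMSP handshake.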

Now your MSE receives all location-related information from your WLC & can provide the location-based analytics you require.

Note: Sometimes you may be able to sync a WLC to the MSE without this manual configuration. In that case PI takes care of the required configuration by pushing it to your controllers; it is still worth checking that the hash it pushed matches the MSE's SHA2 key hash.

References

1. BRKEWN-2012, Connected Mobile Experience (CMX), Cisco Live 2014 San Francisco (you can watch the recorded video session from this link)
2. CMX Troubleshooting
3. IOS Controllers 5760/3850/3650 MAC Address Entry for NMSP, Cisco Doc ID 117477
4. Cisco IOS Configuration Fundamentals Command Reference
