WLC 2504 Guest Wifi

Similar Messages

• WLC 2504 Guest Wifi login Page

  Hi
  Need some help. I have setup guest access on the controller and this is not working at the moment.
  DHCP server setup on the controller for the Guest users.
  You are able to connect (get ip address from controller) and the browser gets redirected to 1.1.1.1 but then page can not be displayed instead of the login page.
  Need to know how to fix this.
  Regards
  Chris

  George:
  Thank you for the ratiing.
  For this issue, they are getting the web-page and after providing the credentials it is redirecting to the original page.
  If there is no DNS available so how the host will resolve the URL IP in order to open the web-page?
  This is why I suggested to check DNS.
  From the link I posted above I quote:
  ...........The next step in the process is DNS  resolution of the URL in the web browser. When a WLAN client connects to  a WLAN configured for web authentication, the client obtains an IP  address from the DHCP server. The user opens a web browser and enters a  website address. The client then performs the DNS resolution to obtain  the IP address of the website. Now, when the client tries to reach the  website, the WLC intercepts the HTTP Get session of the client and  redirects the user to the web authentication login page.Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On Windows, choose Start > Run, enter CMD in order to open a command window, and do a “nslookup www.cisco.com" and see if the IP address comes back. ........
  If you are using a URL for the virutal interface then lack of DNS will not show you the credentials page at the first place.
  If no URL for virutal interface and you get auth page but after entering the credentials it does not successfully redirect one of the main reasons is DNS problem.
  You can still comment on this if you see it not accurate.
  Regards,
  Amjad

• WLC 2504, guest user life time

                     Hi ,
                      Cant we create a guest user login with more than 30 days lifetime? In the lifetime field we can enter maximum 99 but it only allows up to 30
                          any idea?
                      Thanks.

  Hi, no the limit is 30days if the user is created in the WLC.
  Info from the user guide = Range: 5 minutes to 30 days
  You'd configure a longer lifetime if you use the WCS/NCS.
  If you configure 90 days via the WCS/NCS you also see on the WLC 30days but the WCS/NCS will update this unitil the 90days are over.
  Kind regards,
  Ron

• How-do-i-configure-guest-wifi-access-using-2504-wlc-fortigate-utm-l3-device

  Dear All
  I have a 2504 Wireless Controller with multiple radios attached. I currently have a "private" WLAN configured (taking ip from windows server based DHCP of Range 192.1681.0/24 ) and working, but I need to add a Guest/Public WLAN which should take the IP from Other DHCP Configured on Fortigate UTM of range 172.16.0.0/24.
  We have one SG300 switch in the office and the rest are basic switches.
  Our firewall/router is a Fortigate UTM 240D
  Find the attached network diagram for the issue.
  Is there a SIMPLE way to enabling guest access that doesn't require VLANS (or are VLANS easier than I'm making them)? 
  Thanks.
  - See more at: https://supportforums.cisco.com/discussion/12473186/how-do-i-configure-guest-wifi-access-using-2504-wlc-fortigate-utm-l3-device#sthash.aj1XcWI0.dpuf

  Complete these steps in order to configure the devices for this network setup:
  http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-vlan/70937-guest-internal-wlan.html
  Configure Dynamic Interfaces on the WLC for the Guest and Internal Users
  Create WLANs for the Guest and Internal Users
  Configure the Layer 2 Switch Port that Connects to the WLC as Trunk Port

• Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510

  I need to add guest (internet only) wireless to our existing internal wireless and am looking for advice as to the best practice configuration. Existing infrastructure as follows:
  WLC 2504
  1142 LAPs
  4510R+E
  ASA 5510
  Existing configuration as follows:
  WLC management interface and APs addressed on the 192.168.126.0 /25 network
  Internal WLAN mapped to the management interface
  Management interface VLAN ID 0 (untagged) and dynamic AP management enabled
  WLC port 1 (only) connected to 4510 via trunk with native VLAN set to 7 and allowed VLAN set to 7
  4510 connected to ASA inside interface (security level 100)
  Switchport on 4510 connected to ASA configured as switchport access VLAN 99 (our internet VLAN)
  ASA inside interface NOT configured for subinterfaces and is addressed on the 192.168.121.0 /25 network
  What is the best way to add guest wireless to our existing configuration?
  Note: I need the guest wireless to be filtered by Websense as our internal wireless is
  Any advice would be greatly appreciated!

  Thank for the reply Scott. The configuration recommendations from Yahya did not work. I set up as he recommended and also added a dhcp scope on the wlc. Client gets dhcp but cannot even ping the wlc much less anything else. Yahya stated above to configure port 2 on the wlc to an access port on my 4510. Aren't all connections from the wlc supposed to be trunk links to the switch? Shouldn't I just leave the management interface on the wlc untagged and add a dynamic interface for each wlan and tag it with the approriate vlan id? And then leave the (one) physical connection on the wlc (port 1) connected to a trunk link on the 4510 that allows the required vlans?
  Any input would be greatly appreciated...
  JW

• WLC 2504 - French characters for guest web login page

  Good day,
  I have recently installed a WLC 2504 and I have the following issue:
  When I modify the text for the web login page (Under security/Web Auth/Web Auth page), if I use french caracters such as (é, è, à, etc...) in the message body, it does not show up correctly on users computers. As we're a bilingual country, I must put a bilingual text message. Are there any settings or workaround out there to rectify this?
  We're on version 7.2.103.0
  Thanks,
  Eric

  Thanks Scott, I'll have a look at the documentation.
  Right after sending this post, I tried typing the actual HTML code for the character instead and it seems to be working. I'm curious about custom webauth page, we may be able to customize it more than we thought we could do.
  Cheers,
  Eric

• How to set up guest wifi network on 1200 series APs with disclaimer web portal?

  I've been thinking about this one for awhile. I want to set up a guest wifi network without any security (AES / TKIP) that allows guests to connect. Ideally, their web browser would be redirected to a web portal containing legal disclaimers, and they would need to accept the terms and conditions to use the guest wifi. I would also like to have them be required to visit the web portal again every 8 hours after that to accept the terms and conditions again.
  I have a Cisco 1240AG access point already. What else do I need to make this work?

  I don't believe you can do this just with an AP running in autonomous mode you would need to have a WLC to configure the splash page.
  Have a look here:
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70users.html#wp1049273
  Alternatively you can use software running on a PC/Server. Something like http://www.antamedia.com/hotspot/
  Hope that helps!
  Matty

• DHCP Error with WLC 2504 and Aironet 2600 setup across subnets

  Hey guys
  I have just setup a new WLC 2504 controller to manage a WiFi service that will span 6 geographic locations.  The local networks at each location are on different subnets (all 192.168.x.x) and are linked up via IPSEC VPN links, and there is Active Directory spanning the sites, with DNS and DHCP servers running at each location.
  I tested the WLC at our main office with a single AP, and it worked fine.  The AP set itself up, and wireless devices connect with no probs. Great!  Yesterday I headed out to one of our remote sites, and connected an AP to their network - and that seemed to work fine too.  Within a few minutes I was able to see the WiFi network I'd setup, and my smartphone connected to it straight away (as I'd rpeviously connected at the main office), so I was pretty happy that all was working well.
  This morning however I've had notification that wifi performance at the remote site isn't great.  I've got someone to check their ip address, and I've found that their IP address and default gateway match the LAN at the main office where the WLC is based - NOT the LAN where the wireless client is.  Obvioulsy this is not ideal!
  So I guess my question is, what have I done wrong?  (I guess I HAVE done something wrong!?).  And how can I get wireless clients at remote sites to pick up an IP from the DHCP server at THEIR site?
  Any help would be greatly appreciated! 
  Thanks!           

  Hello Tim,
  What mode your APs are in? Local mode? or FlexConnect mode?
  If local mode, then all the traffic will be tunnelled to the WLC and they'll be same as if you are connecting from the WLC location.
  If you use FlexConnect APs (which is recommended for remote sites) you can configure FlexConnect groups on the WLC and add each location in a specific group. In that group you can decide what VLAN the users should be in.
  Check this link for FlexConnect group configuration
  http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_flexconnect.html#wp1230080
  HTH
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• Certificate error using webauth on guest wifi

  I am trying to setup a guest wifi.  We have our custom page package loaded and it looks great with our graphics, logo.  Basically you have to check a box and click accept to the terms of service, and then it forwards you through to VLAN 12 in this case, which is directed to an untangle software based firewall / router with its own outside IP address.
  The issue is that when you initially join the wireless network, the page at 1.1.1.1/login.htm throws a certificate error and you have to continue anyway (Internet Explorers language).
  Does this mean we need to put our wildcard certificate on it for our *.domain.com (GoDaddy signed) or does it need another kind of certificate?  What format would it need to be in (I have a pfx but can convert it if need be).
  We are not passing any credentials, so it doesn't NEED to be https, so under Management > HTTP-HTTPS I changed WebAuth SecureWeb to Disabled.  However when doing this, WebAuth is still putting https://1.1.1.1 and I get a page cannot be displayed. I  take the s out of https and then the webauth page works.
  So two things here, how could I just use it in http, or if preferred, what format and what kind of certificate needs to make https work in webauth?  This is primarily for vendors that visit, or guests in our waiting lobby with their tablets or smartphones.
  The WLC is a 5508 running 7.4.121.0.

  I also tried this site as well:
  http://www.packethead.net/2013/08/05/cisco-wlc-wireless-lan-controller-certificate-install-mac-os-x/
  I tried it command line, and it tftp's fine in all instances above but I get:
  TFTP Webauth cert transfer starting.
  TFTP receive complete... Installing Certificate.
  Error installing certificate.
  Might have to open a case with tac if this doesn't work.
  I have openssl 1.0.1j is that maybe a bad version? also every time I run it it says WARNING: can't open config file: /usr/local/ssl/openssl.cnf
  Well of course not, that is a *nix based bath and this is the 64-bit windows version.
  What I can get is a download from go daddy and the wildcard cert is already generated.  I cannot submit a new cert request.  We have this key and I've tried different ways of converting it with OpenSSL, I've imported it to windows and in the mmc for certificates exported in various formats.  Nothing will work with this WLC. 

• WLC 2504 v7.5.102.0 Client Association Issues. Association not consistent

  Hi All,
  I'm having a strange issue whereby client association to my corporate or guest wifi ssid are not consistent. Sometimes I have no issues connecting repeatedly and other times I cannot connect and receive the "Windows was unable to connect to *SSID*"
  I'm unable to determine whether it is a wireless association issue or if its a authentication issue as I have troubles connecting to both my secure (WPA2, AES, 802.1x) corporate wifi or my guest (Open Auth) wifi.
  Currently per day I have about 15 users using the wifi on both SSID's. The access points are right in the vicinity of the users. I have 2 LAP1142 access points on separate 802.11a/b/g/n channels and signal strenght is always high.. I'm certain its not co-channel interference or interference whatsoever. RSSI values are -60dBm and SNR 30+ dB. On average I will have 10 users on the wireless fine but one or two people are unable to connect.
  I have had wireshark run and when it does not connect I do not see anything in the logs. No traffic is captured!
  I cannot see the AAA capturing anything. Signal strength as stated above is high ( I have the AP on my desk!)
  Sometimes I can instantly connect with no troubles and other times its not association at all. I've recently updated to version 7.5 and these issues started to occur. Previous version 7.3 had no problems at all for years!.
  The logs in the WLC show
  *Dot1x_NW_MsgTask_0: Nov 27 04:42:09.956: #DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:864 Received invalid EAPOL-key M2 msg in START  state - invalid secure bit; KeyLen 24, Key type 1, client 3c:a9:f4:4x:xx:xx
  Does anyone have an idea what could this issue could be?
  Many thanks

  Thanks for your reply Sandeep. Been working on it all afternoon with debugging.
  To answer your question, sometimes I can connect and sometimes I cannot. This afternoon I haven't been able to connect much at all. 2 out of 20 times perhaps. Other users I can see are connected to the two access points in this office. This isn't just happening on my laptop but several laptops. Same symptom.
  Heres the dot1x output I have captured from the debug of a FAILED association attempt.
  (Cisco Controller) >show debug
  MAC Addr 1.................................. 3C:A9:F4:36:1C:48
  Debug Flags Enabled:
    dot1x aaa enabled.
    dot1x packet enabled.
    dot1x events enabled.
    dot1x states enabled.
  (Cisco Controller) >*DHCP Socket Task: Nov 27 07:44:49.842: 3c:a9:f4:36:1c:48 apfMsRunStateInc
  *apfMsConnTask_4: Nov 27 07:45:15.284: 3c:a9:f4:36:1c:48 Processing RSN IE type 48, length 22 for mobile 3c:a9:f4:36:1c:48
  *apfMsConnTask_4: Nov 27 07:45:15.284: 3c:a9:f4:36:1c:48 Received RSN IE with 0 PMKIDs from mobile 3c:a9:f4:36:1c:48
  *apfMsConnTask_4: Nov 27 07:45:15.284: 3c:a9:f4:36:1c:48 Found an cache entry for BSSID 20:bb:c0:c9:26:92 in PMKID cache at index 0 of station 3c:a9:f4:36:1c:48
  *apfMsConnTask_4: Nov 27 07:45:15.284: 3c:a9:f4:36:1c:48 Removing BSSID 20:bb:c0:c9:26:92 from PMKID cache of station 3c:a9:f4:36:1c:48
  *apfMsConnTask_4: Nov 27 07:45:15.284: 3c:a9:f4:36:1c:48 Resetting MSCB PMK Cache Entry 0 for station 3c:a9:f4:36:1c:48
  *apfMsConnTask_4: Nov 27 07:45:15.284: 3c:a9:f4:36:1c:48 Setting active key cache index 0 ---> 8
  *apfMsConnTask_4: Nov 27 07:45:15.284: 3c:a9:f4:36:1c:48 unsetting PmkIdValidatedByAp
  *apfMsConnTask_4: Nov 27 07:45:15.284: 3c:a9:f4:36:1c:48 apfMsRunStateDec
  *apfMsConnTask_4: Nov 27 07:45:15.284: 3c:a9:f4:36:1c:48 apfMs1xStateDec
  *dot1xMsgTask: Nov 27 07:45:15.287: 3c:a9:f4:36:1c:48 Disable re-auth, use PMK lifetime.
  *dot1xMsgTask: Nov 27 07:45:15.288: 3c:a9:f4:36:1c:48 dot1x - moving mobile 3c:a9:f4:36:1c:48 into Connecting state
  *dot1xMsgTask: Nov 27 07:45:15.288: 3c:a9:f4:36:1c:48 Sending EAP-Request/Identity to mobile 3c:a9:f4:36:1c:48 (EAP Id 1)
  *dot1xMsgTask: Nov 27 07:45:15.288: 3c:a9:f4:36:1c:48 Sending 802.11 EAPOL message  to mobile 3c:a9:f4:36:1c:48 WLAN 3, AP WLAN 3
  *dot1xMsgTask: Nov 27 07:45:15.288: 00000000: 02 00 00 3c 01 01 00 3c  01 00 6e 65 74 77 6f 72  ...<...<..networ
  *dot1xMsgTask: Nov 27 07:45:15.288: 00000010: 6b 69 64 3d 54 50 49 2d  57 49 46 49 2c 6e 61 73  kid=PI-WIFI,nas
  *dot1xMsgTask: Nov 27 07:45:15.288: 00000020: 69 64 3d 4d 2d 54 50 49  2d 51 4c 44 2d 44 43 30  id=M-PI-QLD-DC0
  *dot1xMsgTask: Nov 27 07:45:15.288: 00000030: 30 31 2d 57 43 30 31 2c  70 6f 72 74 69 64 3d 31  01-WC01,portid=1
  *dot1xMsgTask: Nov 27 07:45:29.326: 3c:a9:f4:36:1c:48 Failure sending WPA EAPOL-Key due to invalid state 0 to mobile 3c:a9:f4:36:1c:48
  *dot1xMsgTask: Nov 27 07:45:29.326: 3c:a9:f4:36:1c:48 Unable to send WPA key to mobile 3c:a9:f4:36:1c:48
  (Cisco Controller) >*dot1xMsgTask: Nov 27 07:45:29.326: 3c:a9:f4:36:1c:48 Unable to update broadcast key to mobile 3C:A9:F4:36:1C:48
  *osapiBsnTimer: Nov 27 07:45:45.126: 3c:a9:f4:36:1c:48 802.1x 'txWhen' Timer expired for station 3c:a9:f4:36:1c:48 and for message = M0
  *dot1xMsgTask: Nov 27 07:45:45.126: 3c:a9:f4:36:1c:48 dot1x - moving mobile 3c:a9:f4:36:1c:48 into Connecting state
  *dot1xMsgTask: Nov 27 07:45:45.126: 3c:a9:f4:36:1c:48 Sending EAP-Request/Identity to mobile 3c:a9:f4:36:1c:48 (EAP Id 2)
  *dot1xMsgTask: Nov 27 07:45:45.126: 3c:a9:f4:36:1c:48 Sending 802.11 EAPOL message  to mobile 3c:a9:f4:36:1c:48 WLAN 3, AP WLAN 3
  *dot1xMsgTask: Nov 27 07:45:45.126: 00000000: 02 00 00 3c 01 02 00 3c  01 00 6e 65 74 77 6f 72  ...<...<..networ
  *dot1xMsgTask: Nov 27 07:45:45.126: 00000010: 6b 69 64 3d 54 50 49 2d  57 49 46 49 2c 6e 61 73  kid=PI-WIFI,nas
  *dot1xMsgTask: Nov 27 07:45:45.126: 00000020: 69 64 3d 4d 2d 54 50 49  2d 51 4c 44 2d 44 43 30  id=M-PI-QLD-DC0
  I can see that the WLC has tried to send a EAP-Request/Identity request to the client but no response back. I just don't understand why it works at times and why it doesn't.
  It has the same issues on my guest network which is open authentication. Nothing has changed in regards to configuration and it has been working for years. Only thing that changed was a version upgrade to 7.5 three weeks ago.
  Here is the debug output of the client MAC when attempting to association to the GUEST network.
  (Cisco Controller) >debug client 3C:A9:F4:36:1C:48
  (Cisco Controller) >*apfProbeThread: Nov 27 07:53:48.059: aggregated probe IE: TIMESTAMP
  *apfMsConnTask_4: Nov 27 07:58:02.021: 3c:a9:f4:36:1c:48 Adding mobile on LWAPP AP 20:bb:c0:c9:26:90(0)
  *apfMsConnTask_4: Nov 27 07:58:02.021: 3c:a9:f4:36:1c:48 Association received from mobile on BSSID 20:bb:c0:c9:26:91
  *apfMsConnTask_4: Nov 27 07:58:02.021: 3c:a9:f4:36:1c:48 Global 200 Clients are allowed to AP radio
  *apfMsConnTask_4: Nov 27 07:58:02.021: 3c:a9:f4:36:1c:48 Max Client Trap Threshold: 0  cur: 5
  *apfMsConnTask_4: Nov 27 07:58:02.021: 3c:a9:f4:36:1c:48 Rf profile 600 Clients are allowed to AP wlan
  *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
  *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 Re-applying interface policy for client
  *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
  *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
  *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
  *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 In processSsidIE:4565 setting Central switched to TRUE
  *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 In processSsidIE:4568 apVapId = 2 and Split Acl Id = 65535
  *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 Applying site-specific Local Bridging override for station 3c:a9:f4:36:1c:48 - vapId 2, site 'default-group', interface 'guest'
  *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 Applying Local Bridging Interface Policy for station 3c:a9:f4:36:1c:48 - vlan 650, interface id 12, interface 'guest'
  *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 processSsidIE  statusCode is 0 and status is 0
  *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 processSsidIE  ssid_done_flag is 0 finish_flag is 0
  *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 STA - rates (8): 130 132 139 150 12 18 24 36 0 0 0 0 0 0 0 0
  *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 suppRates  statusCode is 0 and gotSuppRatesElement is 1
  *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
  *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1
  *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 0.0.0.0 START (0) Initializing policy
  *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
  *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
  *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 Not Using WMM Compliance code qosCap 00
  *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 20:bb:c0:c9:26:90 vapId 2 apVapId 2 flex-acl-name:
  *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
  *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 apfMsAssoStateInc
  *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 3c:a9:f4:36:1c:48 on AP 20:bb:c0:c9:26:90 from Idle to Associated
  *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 apfPemAddUser2:session timeout forstation 3c:a9:f4:36:1c:48 - Session Tout 65535, apfMsTimeOut '65535' and sessionTimerRunning flag is  0
  *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 Scheduling deletion of Mobile Station:  (callerId: 49) in 65535 seconds
  *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 Func: apfPemAddUser2, Ms Timeout = 65535, Session Timeout = 65535
  *apfMsConnTask_4: Nov 27 07:58:02.023: 3c:a9:f4:36:1c:48 Sending Assoc Response to station on BSSID 20:bb:c0:c9:26:91 (status 0) ApVapId 2 Slot 0
  *apfMsConnTask_4: Nov 27 07:58:02.023: 3c:a9:f4:36:1c:48 apfProcessAssocReq (apf_80211.c:7957) Changing state for mobile 3c:a9:f4:36:1c:48 on AP 20:bb:c0:c9:26:90 from Associated to Associated
  *apfMsConnTask_4: Nov 27 07:58:02.026: 3c:a9:f4:36:1c:48 Updating AID for REAP AP Client 20:bb:c0:c9:26:90 - AID ===> 4
  *apfReceiveTask: Nov 27 07:58:04.998: 3c:a9:f4:36:1c:48 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
  *apfReceiveTask: Nov 27 07:58:04.998: 3c:a9:f4:36:1c:48 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 5716, Adding TMP rule
  *apfReceiveTask: Nov 27 07:58:04.998: 3c:a9:f4:36:1c:48 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
    type = Airespace AP - Learn IP address
    on AP 20:bb:c0:c9:26:90, slot 0, interface = 1, QOS = 0
    IPv4 ACL ID = 255, IPv
  *apfReceiveTask: Nov 27 07:58:04.998: 3c:a9:f4:36:1c:48 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 650, Local Bridging intf id = 12
  *apfReceiveTask: Nov 27 07:58:04.998: 3c:a9:f4:36:1c:48 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
  *pemReceiveTask: Nov 27 07:58:04.999: 3c:a9:f4:36:1c:48 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
  *pemReceiveTask: Nov 27 07:58:04.999: 3c:a9:f4:36:1c:48 Sent an XID frame
  *IPv6_Msg_Task: Nov 27 07:58:05.000: 3c:a9:f4:36:1c:48 Pushing IPv6 Vlan Intf ID 12: fe80:0000:0000:0000:f0a7:e03b:151a:3af8 , and MAC: 3C:A9:F4:36:1C:48 , Binding to Data Plane. SUCCESS !! dhcpv6bitmap 0
  *IPv6_Msg_Task: Nov 27 07:58:05.000: 3c:a9:f4:36:1c:48 Link Local address fe80::f0a7:e03b:151a:3af8 updated to mscb. Not Advancing pem state.Current state: mscb in apfMsMmInitial mobility state and client state APF_MS_STATE_A
  (Cisco Controller) >

• Configure a second Wlan on WLC 2504

  Hello,
  I  created a topic about this problem on the learningnetwork cisco site too. You can find it here: https://learningnetwork.cisco.com/thread/73201.
  The problem is:
  We have the Cisco WLC 2504 with a couple of access points. On this WLC we have a network connection via a radius server for our employees. The DHCP server for this connection is the server you see on the drawing. The connection from the switch to the WLC is connected on port 1 of the WLC. This connection works like a charm.
  Now I want to create a second network (which is divorced from our internal network) for our guests, but it doesn’t work till now. What we have at the moment is:
  A connection from the firewall via the router to the internet
  A connected cable from the firewall to the WLC on port 2
  A configured interface (port 2) on the WLC
  A configured Wlan on the WLC (it is possible to connect to the guest Wlan with a static ip)
  The SSID of the guest network is broadcasted via the AP’s which also broadcast the internal network SSID
  The problem I have now is:
  I have no connection between the WLC Port 2 (192.168.10.2) and the firewall (192.168.10.1). When I try to ping the firewall (192.168.10.1) I get a no reply received message.
  How can I get this working? I hope someone can help me with this. Thanks in advance!
  Screenshots:
  Guest interface
  Network layout
  Show int sum
  Show wlan sum
  Wlan general
  Wlan advanced

  Frank,
  The issue is that the WLC will not route between VLANs.  In order for the scenario that Rasika recommended to work, the switch needs to be a layer 3 switch or needs a layer 3 device attached to it to route between the VLANs.
  In my WLC, I have a guest interface as well:
  The gateway listed in the VLAN 50 Interface on my L3 Switch:
  I then have a route established on my switch to send that traffic to my ASA:
  Due to that, I can ping the ASA from my WLC:
  Of course, my WLAN for guests only has access to the guest Interface Group:
  Try these changes on your switch (or other Layer 3 Device) and let us know if it worked for you.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• Guest WiFi Time Profile

  I have created a guest user and selected a Time Profile that is supposed to allow the user to remain logged in for 3 weeks (by selecting the default time profile in Sponsor portal, Three_Weeks). According to ISE guidelines, this user should not be disconnected from first login until 3 weeks!
  In testing this setup with a user having an Android phone, the user stayed connected the whole day. However when the user came in the next day, this morning and connected to the guest WiFi SSID, he was prompted to login. In ISE the Authentication logs show that the user is still logged in since yesterday.
  The expectation was that the guest user will not be required (i.e. prompted) to login again the next day. How can this be achieved with Android and other smartphones (iPhone, Windows)?
  Systems Infor: ISE ver 1.1.1; WLC 5508 software ver 7.2.111.3
  Many thanks.
  Sankung

  Hi Sankung
  Time profiles allow a sponsor to assign different levels of access time to a guest account. For example,
  you can assign a time profile that allows a guest access during a workweek day but not during a weekend
  day.
  After time profiles are created, you must change the sponsor user group to allow sponsors in that group
  to be able to provision accounts to the appropriate time profiles that are created. You can choose the
  sponsor user groups that are allowed to assign certain time profiles to guests.
  By default, a sponsor user group has the ability to assign guests to the default time profile.
  Administrators can choose which additional time profiles the sponsor can be assigned, and they can also
  remove the default time profile from the user group.
  Each sponsor user group must have the ability to assign guests to at least one time profile.
  If a sponsor user group has only one time profile selected, sponsors will be able to select that time profile
  alone. If sponsors can choose more than one time profile, they can view a drop-down menu from which
  they can choose the time profile to be assigned to the account during the account creation.
  Step 1 From the Cisco ISE Administration interface, select Administration > Guest Management > Settings.
  Step 2 In the Settings panel, select Guest > Time Profiles.
  Step 3 Click one of the following:
     • Add—to create a new time profile
     • Edit—to edit an existing time profile
     • Duplicate—to duplicate an existing time profile
  Step 4 Enter the name and description of the new time profile.
  Step 5 Select a Time Zone for Restrictions. Time Restrictions are a set of time periods during which a guest
             account associated with that time profile would not be granted access to the network or guest portal.
  Step 6 From the Account Type drop- down menu, choose one of the predefined options:
     • StartEnd—allows sponsors to define start and end times for account durations
     • FromFirstLogin—allows sponsors to define the duration of time that guests can have access after login
     • FromCreation—allows sponsors to define the duration of time that guest can have access after account creation
  Step 7 Set the Duration for which the account will be active. The account expires after the duration set here
             has expired. This option is available only if you select the Account Type as FromFirstLogin or FromCreation.
  Step 8 Set the Restrictions for the guest access.
             These restrictions are composed of a day of the week and a start and end clock time. The Time Zone
              value specified in the time profile affects the clock times set in any of the Time Restrictions within the
               time profile. For example, a Time Restriction that specifies Monday 12:00 am to 8:00 am and Monday
               6:00 pm to 11:59 pm would only grant system access between 8:00 am and 6:00 pm on Mondays within
              the time zone of the time profile. Any other day of the week would have no time restriction in this example and 
              system access would be granted at any time.
  Step 9 Click Submit.
  Time profiles do not define the start and end times. This is done during the account creation. The time profile can have restrictions that fall outside the start and end time specified in a Guest account while creation. Only those restrictions that cover the start end time of the account will be applied to the account.
  Best Regards:
  Muhammad Munir

• Guest WIFI

  Hi All
  We are using  WCS v5.0.56.0, a 4400 series WLC for Guest access, plus a mixture of 2100 series and 4400 series WLC's in our WIFI environment. The WLC's are running v5.2.193.0
  I am running a unique client report in WCS filtering by our Guest SSID to establish which Guest users are accessing our WIFI network. However for most of the connections shown in the report the guest username field is blank. There are 1 or 2 usernames shown for some connections but not many.
  I have checked the set up of the guest users and they are all the same with no difference to the ones actually showing in the report. In addition the guest users are connecting using the same foreign controller as the ones that are showing in the report.
  Does anyone have any ideas why the majority of guest usernames do not show in the report ?
  thanks

  Hi Mick,
  First of all, WCS 5.0 is not compatible with WLC 5.2.
  Second, as suggested by Leo, you need to upgrade (unless you have a valid reason not to do so). 5.x versions are full of bugs comparing to later versions that are more stable.
  Third, You don't see the username on the WCS, but what about the WLC? does it show the correct username?
  Regards,
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• Guest Wifi daily disconnect between 12:00 - 13:00

  Hi,
  Daily between 12:00 - 13:00 all users unable to connect to Guest Wifi. It seems like a policy/setting on WLC, but I don't know where to find these settings.
  Please advise.
  Thanks,

  Thanks both Leo & Scott.
  Its only happening for Guest users, other are fine. 
  During that time, Iam getting logs on WLC  "%SIM-DHCP_SERVER_NO_REPLY:sim_interface.c 1039 Failed to get DHCP response on interface 'guest-wifi" Marking interface dirty.
  %DOT1X-3-MAX-EAP_RETRANS Max rap retransmission exceed for client client_macaddress.
  Are these log messages suggest that where I can look to remove these timing issues for guest users?
  Thanks

• Acs 5.3 and wlc 2504 config with restricted network access

  Hello,
  i submit you the following issue that i'm actually facing:
  i must configure a secured wireless network with access restriction based on SSID. the equipements are : cisco wlc 2504 (soft 7.3) cisco secure acs aplliance 1121 (soft 5.4) .
  the users that will connect to the network are regrouped by identity groups, each identity group having it's own SSID. Clearly each group of users must access only one SSID.
  i followed the procedure below to configure it:
  -- creating user identity groups;
  -- creating users and assigning them to the groups;
  --- creating authorization profiles for each SSID under policy element/ authorization and permission/network access/authorization profiles and putting the Airespace-Wlan-Id(the SSID number) in the radius tab.
  --- assigning the authorization profiles to the identity groups under access policies.
  after all these config the users can access the network using there userid/password configured. But the problem is Every user can access every SSID, seems like the restriction is so not very well configured.
  i found some documentation on this kind of config but the version of ACS used seems older than the one that i use, so menu are very different.
  Please can someone provide with the right steps to follow to achieve this kind of config.
  tkx in advance

  Yes.. you only have to add the end filter like what I posted... as far as the calling station id in the WLC security tab, it doesn't matter because that is not used when using 802.1x.  I would also try to not enable everything that you have just to start from the basic and make sure it works first.  The WAP Authentication Method might or might not work for you.  Uncheck that for now and when you have a successful authentication, look at the monitor log and see what radius attributes are being sent, because those attributes is what you can use to build your policies.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"