2106 controller 1 port internal 1 port guest

We are finally experimenting with wireless. Our internal wlan is up and running. Port 1 is trunked to the internal switch port. New WLAN is associated to internal vlan.
My concern is guest. Is it ok to create a WLAN, associate it to port 6 on the wireless controller, and connect it to a public connection?
Besides lack of URL filtering, what should I be concerned about?
Or is it best to create the layer 2 vlan on my switch, connect one of the layer 2 vlan ports to my public connection and then it is trunked back to my guest WLAN?
I couldn't find an answer when searching.
Thanks

I like this idea of having 1 port internal and 1 port guest, particularly in a small deployment with 2100. This simplifies the management of the switches and firewall.  Instead of putting the guest port on a public network I am planning on putting the guest port on a separate interface on an ASA5510 firewall.  The ASA5510 will have 3 interfaces configured: outside (public internet), inside (internal), and a guest network interface. This way the guest network is still protected by the firewall but does not have access to the internal network.  Are there any issues with this type of configuration?

Similar Messages

  • Lenovo G500 - Intel Rapid Storage Technology" SATA disk on Controller 0, Port Unknown detected"

    Hi Folks,
    I have a Lenovo G500 laptop which I purchased during Thanksgiving vacation in 2013. The machine was working fine till June 2014, when I started getting the Blue Screen of Death with the error message "irql_not_less_or_equal". The OS was Windows 8.1. This created a lot of problems while booting; the machine would not boot at all.
    Along with this message I started getting this message: "Intel Rapid Storage Technology" SATA disk on Controller 0, Port Unknown detected". This message was coming very often.
    I along with Lenovo support did all the things possible, like factory reset etc. Finally the machine was sent out to depot for repair in July 2014. They replaced the hard drive and sent the machine back.
    I got the machine back on 22nd July and since last week, i.e., 14th July, I have started to get the issues again. My IE and Firefox will suddenly hang and the blue screen will appear again with the same message "irql_not_less_or_equal" occasionally. Yesterday I started getting the SATA disk message again.
    I wanted to understand why this message is coming back along with blue screen of death. Is there some problem with Windows OS or hard disk seems to crash again?
    Thanks in advance
    shailesh

    hi Shailesh,
    Welcome to the Lenovo Forums.
    From this article, this is the IRQL_NOT_LESS_OR_EQUAL possible cause:
    "This bug check is issued if paged memory (or invalid memory) is accessed when the IRQL is too high.
    The error that generates this bug check usually occurs after the installation of a faulty device driver, system service, or BIOS.
    If you encounter bug check 0xA while upgrading to a later version of Windows, this error might be caused by a device driver, a system service, a virus scanner, or a backup tool that is incompatible with the new version."
    From your description, it's possible that the HDD or the RAM is faulty, but it's also possible that it's a software (driver) issue -- which is the hard drive (SATA) controller.
    To verify, I would:
    1. Run a diagnostic on the HDD (via Lenovo's Storage Quick Test or via HD Tune)
       - http://www.hdtune.com/faq_1.html
    2. Run a diagnostic on the RAM (via Memtest86+)
       - RAM - Test with Memtest86+
    3. Read the BSOD dump file to see what file caused the crash
       - How to solve Windows 8 crashes in less than a minute
       - If the file is associated with the Intel Rapid Storage Technology Driver (SATA Controller), uninstall the software from the Control Panel > Programs and let Windows install a generic Windows driver.
    If you get an error after running the diagnostic test, I recommend you contact Lenovo and report the issue.
    Regards

  • 5508 controller 8 ports ?

    I am looking to configure the 5508 controller's ports, particularly in different VLANs, and pull a cable from each port and put it in L3 to its belonging VLAN? And at the same time all the different SSIDs will work as usual, per our standard and the best practice that we do.

    You could, but then you are limiting yourself to 1G of connectivity.
    You'd probably be better served by just ether channeling the ports that connect to the WLC and tagging the vlan/dynamic-interfaces so you can have up to 8G of aggregate bandwidth.
    HTH,
    Steve

  • Problems with LAP 1042 and 2106 controller

    Hello all, we have set up 2 LAP1042s with one 2106 controller. The APs are plugged into the POE ports 7 and 8 of the 2106. The ap-manager and management interfaces are on port 1, are in the same subnet, and are untagged. We set up two WLANs, one for guest access and one for internal access. The Windows server is the DHCP server for all network devices, including the APs. Everything is working fine. The internal users connect fine and can access internal devices and the internet. Guests can access the internet only and get the web authentication page prior to being granted access. The only problem we have is that only one AP will register with the 2106, the AP on port 7. The other AP, on port 8, keeps saying that it cannot get an IP. In my mind the problem can't be with the controller or router setup because one AP works fine. We have a third AP that we tried but it wouldn't get an IP either.
    Any ideas as to what the problem could be???

    Remember that the 2106 is a very basic WLC unit and if you want to have the APs directly connected to the 2106 ports this may work if the APs get an IP address on the same VLAN or subnet as the WLC and it could use an external DHCP server and we need to disable proxy dhcp on the WLC or it could be the WLC the DHCP server itself and we need to leave proxy dhcp enable.
    But also we have the following BUG ID CSCsj33229 when APs are directly connected to the WLC ports on the 2106.
    Conditions:
    Access points that are directly connected to 2100 series controller ports may fail to work correctly in a variety of ways:
    - systems on the wired network may be unable to ping the APs
    - the APs may be unable to get a DHCP address from an external DHCP server
    - the AP may have problems communicating in LWAPP or CAPWAP with the WLC, possibly resulting in the tunnel resetting
    - if the AP is in RAP mode, it will be unable to bridge LAN packets
    - telnet or ssh to the AP will fail
    Workaround:
    Connect the WLC to a switch, and connect the APs to the switch.
    More information:
    Cisco does not, and will not, support directly connecting access points to 2100 series WLC ports.
    Also check on Best practices for the 2106.
    https://supportforums.cisco.com/docs/DOC-11760

  • Controller - DHCP SERVER INTERNAL

    Is there a limitation to the DHCP SERVER INTERNAL in Controller 4402? How many users can get an IP address if I use the controller as DHCP SERVER?
    Thanks!
    Claudio

    I am concerned because the configuration guide of the controller shows:
    "Internal DHCP Server
    The controllers contain an internal DHCP server. This server is typically used in branch offices that do not already have a DHCP server. The wireless network generally contains 10 access points or fewer, with the access points on the same IP subnet as the controller. The internal server provides DHCP addresses to wireless clients, direct-connect access points, appliance-mode access points on the management interface, and DHCP requests that are relayed from access points. Only lightweight access points are supported."
    I would like to use the controller as DHCP server, but I'm concerned whether the controller supports a number of 50 APs, for example.
    Thanks!
    Obs: excuse the orthographic mistakes, my English is not so good.

  • JRE 1.7 / Java Plug-in - Long delay in retrieving the applet File(JAR) due to a request to the Domain Controller(on port 53)

    Description:
    A specific group of users/customers (using Windows7 OS with IE and FireFox web browsers) are facing problems with retrieving the applet File, after they upgraded the JRE on the system(PC) to JRE 1.7.0_25-b17 from JRE version 1.6.0_29-b11.
    With JRE 1.7.0_25-b17 it is noticed that when the Java plugin requests for the applet File; it sends a request to the Domain Controller of the user, which causes a delay of 2 to 5 minutes and sometimes hangs. The problem occurs consistently.
    The current temporary workaround for this group of users is to use JRE version 1.6.0_29-b11.
    Problem analysis:
    To investigate the problem the below steps were executed:
    1) Collected the Java console output below from the user's system. (The complete output is not posted due to lengthy content, though it can be added further to this post if required.)
    (a) Works fine with JRE version 1.6.0_29-b11. Kindly refer to Java console output in the code ‘section A’ towards the end of this post.
    (b) The problem occurs with JRE version 1.7.0_25-b17. Kindly refer to Java console output in the code ‘section B’ towards the end of this post. The step where the problem is observed is indicated as (##<comment>##).
    2) The network settings in the user's browser were checked. Internet Options > Connections > LAN setting
    The configured option is 'Use automatic configuration script' and the value is http://www.userAppX.com/proxy.pac
    This configuration remains the same irrespective of the JRE version in use.
    3) The network settings in the Java Control Panel were checked.
    The used/selected option is "Use browser settings", although values for 'Use proxy server' and 'use automatic proxy configuration script' are filled-in as 'user-proxy.com' and 'http://www.userAppX.com/proxy.pac' respectively.
    This configuration remains the same irrespective of the JRE version in use.
    4) The proxy PAC file was checked and debugging was done for the request 'https://myAppletHost.com/download/...'. The FindProxyForUrl function (including the conditions defined in it, for the hostname and domain checks) returns PROXY user-proxy.com:80
    5) The user also tried the below
    a. Changed the option in the network settings in the browser to 'Proxy server' with Address 'user-proxy.com' and Port '80'
    b. Restarted the browser.
    c. Tried with Java Plug-in 1.6.0_29, JRE version 1.6.0_29-b11. There was no problem and no request to the Domain Controller of the user.
    d. Tried with Java Plug-in 10.40.2.43, JRE version 1.7.0_40-b43. The problem occurs with the delay and a request to the Domain Controller of the user is observed.
    Kindly refer to Java console output in the code ‘section C’ towards the end of this post.
    6) The user also tried setting the below property in the Java Control Panel, restarted the browser, and tried with JRE 1.7.0_40-b43. The problem still persists.
    -Djava.net.preferIPv4Stack=true
    7) The Global Policy Management of the Domain Controller was verified by the user. It has GPO for proxy setting but nothing related to Java security.
    Questions:
    The problem seems to be specific to a particular (user) environment setup, and the user faces the problem when using JRE 1.7.
    We would like to know if the issue is in the (user) environment setup or in JRE 1.7.
    Could you please help with information/ideas/suggestions to identify the root cause and solution for this problem?
    Section A:
    Java Plug-in 1.6.0_29
    Using JRE version 1.6.0_29-b11 Java HotSpot(TM) Client VM
    User home directory = C:\Users\userA
    basic: Plugin2ClassLoader.addURL parent called for https://myAppletHost.com/download/myApplet.jar
    network: Connecting https://myAppletHost.com/download/myApplet.jar with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
    network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-b1bb5056c5b0e83f=2; Path=/"
    network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-b1bb5056c5b0e83f=2; Path=/"
    security: Loading Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
    security: Loaded Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
    security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
    security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
    security: Loading certificates from Deployment session certificate store
    security: Loaded certificates from Deployment session certificate store
    security: Loading certificates from Internet Explorer ROOT certificate store
    security: Loaded certificates from Internet Explorer ROOT certificate store
    security: Checking if certificate is in Deployment denied certificate store
    network: Connecting https://myAppletHost.com/download/myApplet.jar with cookie "JSESSIONID=0000IK4bEMoqXH10zsl88rwvoRI:175oe9tjd; BCSI-CS-b1bb5056c5b0e83f=2"
    network: Downloading resource: https://myAppletHost.com/download/myApplet.jar
                    Content-Length: 403.293
                    Content-Encoding: null
    Dump system properties ...
    https.protocols = TLSv1,SSLv3
    java.vm.info = mixed mode, sharing
    java.vm.name = Java HotSpot(TM) Client VM
    java.vm.specification.name = Java Virtual Machine Specification
    java.vm.specification.vendor = Sun Microsystems Inc.
    java.vm.specification.version = 1.0
    java.vm.vendor = Sun Microsystems Inc.
    java.vm.version = 20.4-b02
    javaplugin.nodotversion = 160_29
    javaplugin.version = 1.6.0_29
    javaplugin.vm.options =
    os.arch = x86
    os.name = Windows 7
    os.version = 6.1
    trustProxy = true
    deployment.proxy.auto.config.url = http://www.userAppX.com/proxy.pac
    deployment.proxy.bypass.local = false
    deployment.proxy.http.host = user-proxy.com
    deployment.proxy.http.port = 80
    deployment.proxy.override.hosts =
    deployment.proxy.same = false
    deployment.proxy.type = 3
    deployment.security.SSLv2Hello = false
    deployment.security.SSLv3 = true
    deployment.security.TLSv1 = true
    deployment.security.mixcode = ENABLE
    Section B:
    Java Plug-in 10.25.2.17
    Using JRE version 1.7.0_25-b17 Java HotSpot(TM) Client VM
    User home directory = C:\Users\userA
    basic: Added progress listener: sun.plugin.util.ProgressMonitorAdapter@12adac5
    basic: Plugin2ClassLoader.addURL parent called for https://myAppletHost.com/download/myApplet.jar
    network: Connecting https://myAppletHost.com/download/myApplet.jar with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
    network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-2d4ce94a2ae7b460=2; Path=/"
    network: Connecting http://10.x.x.xx:53/ with proxy=DIRECT
                    (##THE ABOVE REQUEST CAUSES THE DELAY OR HANGS##)
    network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-2d4ce94a2ae7b460=2; Path=/"
    security: Loading Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
    security: Loaded Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
    security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
    security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
    security: Loading certificates from Deployment session certificate store
    security: Loaded certificates from Deployment session certificate store
    security: Loading certificates from Internet Explorer ROOT certificate store
    security: Loaded certificates from Internet Explorer ROOT certificate store
    network: Connecting https://myAppletHost.com/download/myApplet.jar with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
    network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-2d4ce94a2ae7b460=2; Path=/"
    network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-2d4ce94a2ae7b460=2; Path=/"
    network: Connecting https://myAppletHost.com/download/myApplet.jar with cookie "JSESSIONID=0000UQuXWY5tjxjpwcKHlfJKe_8:175oe9j45; BCSI-CS-2d4ce94a2ae7b460=2"
    network: ResponseCode for https://myAppletHost.com/download/myApplet.jar : 200
    network: Encoding for https://myAppletHost.com/download/myApplet.jar : null
    network: Server response: (length: -1, lastModified: Thu Feb xx yy:yy:yy CET 2013, downloadVersion: null, mimeType: text/plain)
    network: Downloading resource: https://myAppletHost.com/download/myApplet.jar
                    Content-Length: -1
                    Content-Encoding: null
    Section C:
    Java Plug-in 10.40.2.43
    Using JRE version 1.7.0_40-b43 Java HotSpot(TM) Client VM
    User home directory = C:\Users\userA
    basic: Plugin2ClassLoader.addURL parent called for https://myAppletHost.com/download/myApplet.jar
    network: Connecting https://myAppletHost.com/download/myApplet.jar with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
    network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-1d67c8b6508ca09c=2; Path=/"
    network: Connecting http://10.x.x.xx:53/ with proxy=DIRECT
                    (##THE ABOVE REQUEST CAUSES THE DELAY OR HANGS##)
    network: Checking for update at: https://javadl-esd-secure.oracle.com/update/blacklist
    network: Checking for update at: https://javadl-esd-secure.oracle.com/update/blacklisted.certs
    network: Checking for update at: https://javadl-esd-secure.oracle.com/update/baseline.version
    network: Connecting https://javadl-esd-secure.oracle.com/update/blacklist with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
    network: Connecting https://javadl-esd-secure.oracle.com/update/baseline.version with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
    network: Connecting https://javadl-esd-secure.oracle.com/update/blacklisted.certs with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
    security: Loading Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
    security: Loaded Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
    security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
    security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
    Dump system properties ...
    https.protocols = TLSv1,SSLv3
    java.vm.info = mixed mode, sharing
    java.vm.name = Java HotSpot(TM) Client VM
    java.vm.specification.name = Java Virtual Machine Specification
    java.vm.specification.vendor = Oracle Corporation
    java.vm.specification.version = 1.7
    java.vm.vendor = Oracle Corporation
    java.vm.version = 24.0-b56
    javaplugin.nodotversion = 10402
    javaplugin.version = 10.40.2.43
    os.arch = x86
    os.name = Windows 7
    os.version = 6.1
    trustProxy = true
    active.deployment.proxy.auto.config.url = http://www.userAppX.com/proxy.pac
    active.deployment.proxy.bypass.local = false
    active.deployment.proxy.http.host = user-proxy.com
    active.deployment.proxy.http.port = 80
    active.deployment.proxy.same = false
    active.deployment.proxy.type = 3
    deployment.browser.path = C:\Program Files (x86)\Internet Explorer\iexplore.exe
    deployment.proxy.auto.config.url = http://www.userAppX.com/proxy.pac
    deployment.proxy.bypass.local = false
    deployment.proxy.http.host = user-proxy.com
    deployment.proxy.http.port = 80
    deployment.proxy.override.hosts =
    deployment.proxy.same = false
    deployment.proxy.type = 3
    deployment.security.SSLv2Hello = false
    deployment.security.SSLv3 = true
    deployment.security.TLSv1 = true
    deployment.security.TLSv1.1 = false
    deployment.security.TLSv1.2 = false
    deployment.security.authenticator = true
    deployment.security.disable = false
    deployment.security.level = HIGH
    deployment.security.mixcode = ENABLE
    PS:
    Since the JRE 1.7.0_25-b17 update, it is noticed that when the Java plugin requests for the applet File; it sends a request to the Domain Controller of the user, which causes a delay of 2 to 5 minutes and sometimes hangs.
    The problem occurs consistently, and also with JRE 1.7.0_45-b18.
    Java Plug-in 10.45.2.18
    Using JRE version 1.7.0_45-b18 Java HotSpot(TM) Client VM
    User home directory = C:\Users\userA
    c:   clear console window
    f:   finalize objects on finalization queue
    g:   garbage collect
    h:   display this help message
    l:   dump classloader list
    m:   print memory usage
    o:   trigger logging
    q:   hide console
    r:   reload policy configuration
    s:   dump system and deployment properties
    t:   dump thread list
    v:   dump thread stack
    x:   clear classloader cache
    0-5: set trace level to <n>
    cache: Initialize resource manager: com.sun.deploy.cache.ResourceProviderImpl@134a33d
    basic: Added progress listener: sun.plugin.util.ProgressMonitorAdapter@1971f66
    basic: Plugin2ClassLoader.addURL parent called for https://myAppletHost.com/download/myApplet.jar
    network: Connecting https://myAppletHost.com/download/myApplet.jar with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
    network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-f797d4d262467220=2; Path=/"
    network: Connecting http://10.x.x.xx:53/ with proxy=DIRECT
    network: Connecting http://10.x.x.xx:53/ with proxy=DIRECT
                    (##THE ABOVE REQUEST CAUSES THE DELAY AND SOMETIMES HANGS##)

    My organization is experiencing very similar problems.  We have resolved it through several steps.
    We upgraded the client to Java 8 and we saw in the console that the hanging connection with the Domain Controller no longer occurs.  This may be all that is necessary for your environment as well. 
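
The connection the poster marked in Sections B and C (`proxy=DIRECT` to port 53 while every other request goes through the configured proxy) can be picked out of a console trace automatically. The Python below is an added example, not part of the original posts; the function names, the sample trace and its addresses are constructed for illustration.

```python
"""Flag proxy-bypassing connections in a Java Plug-in console trace."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Matches lines such as
#   network: Connecting <url> with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
#   network: Connecting <url> with proxy=DIRECT
# Lines ending in 'with cookie "..."' carry no proxy field and are skipped.
CONNECT_RE = re.compile(
    r"network: Connecting (?P<url>\S+) with proxy="
    r"(?:DIRECT|(?P<ptype>\w+) @ (?P<phost>[^/\s:]+)\S*)\s*$"
)

# Constructed sample modelled on the traces in the post; addresses are placeholders.
SAMPLE_TRACE = """\
basic: Plugin2ClassLoader.addURL parent called for https://myAppletHost.com/download/myApplet.jar
network: Connecting https://myAppletHost.com/download/myApplet.jar with proxy=HTTP @ user-proxy.com/192.0.2.10:80
network: Connecting http://10.0.0.53:53/ with proxy=DIRECT
network: Connecting http://10.x.x.xx:53/ with proxy=DIRECT
network: Connecting https://myAppletHost.com/download/myApplet.jar with cookie "JSESSIONID=constructed"
network: Connecting https://javadl-esd-secure.oracle.com/update/blacklist with proxy=HTTP @ user-proxy.com/192.0.2.10:80
"""


@dataclass
class Connection:
    line_no: int
    url: str
    host: str
    port: int
    proxy_host: Optional[str]  # None means the trace said proxy=DIRECT
    reasons: List[str] = field(default_factory=list)


def parse_connections(trace: str) -> List[Connection]:
    """Extract every 'Connecting ... with proxy=' event from a trace."""
    conns = []
    for line_no, line in enumerate(trace.splitlines(), start=1):
        m = CONNECT_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        try:
            port = parts.port
        except ValueError:  # non-numeric or out-of-range port in the URL
            port = None
        port = port or DEFAULT_PORTS.get(parts.scheme, 0)
        conns.append(
            Connection(line_no, m.group("url"), parts.hostname or "", port, m.group("phost"))
        )
    return conns


def _is_non_public(host: str) -> bool:
    """True for literal private/reserved IPs; names and masked IPs return False."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def audit_trace(trace: str, expected_proxy: str) -> List[Connection]:
    """Return connections that did not go through the expected proxy as intended."""
    findings = []
    for c in parse_connections(trace):
        if c.proxy_host is None:
            c.reasons.append("bypasses configured proxy (proxy=DIRECT)")
        elif c.proxy_host.lower() != expected_proxy.lower():
            c.reasons.append("unexpected proxy " + c.proxy_host)
        if c.port == 53:
            c.reasons.append("HTTP request to DNS port 53")
        if _is_non_public(c.host):
            c.reasons.append("non-public destination address")
        if c.reasons:
            findings.append(c)
    return findings


if __name__ == "__main__":
    for f in audit_trace(SAMPLE_TRACE, "user-proxy.com"):
        print(f"line {f.line_no}: {f.url} -> {'; '.join(f.reasons)}")
```

Masked addresses such as `10.x.x.xx` are still reported for the direct connection and the port, but cannot be classified as private because they are not parseable IP literals.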

  • M100: Need driver for SD Card Host Controller & IR Port

    Hi,
    Can someone tell me where I can get the drivers for the M100 Secure Digital (SD) Card Host Controller?
    I have had a crash on my M100 and have had to rebuild my machine; everything works fine except the IR Port & SD Card. Can someone tell me where I can get the drivers?
    Raj

    Hi
    Usually the IR port doesn't need any additional drivers.
    It uses a Windows standard driver and you will not find any Toshiba IrDA drivers for this unit. It doesn't exist.
    Use this path to install the IrDA driver;
    C:\windows\system32
    There you should find all Microsoft standard drivers for common devices
    PS: All Toshiba drivers you will find here:
    http://eu.computers.toshiba-europe.com/cgi-bin/ToshibaCSG/download_drivers_bios.jsp

  • WLAN Controller 4402 - Port HA Fails

    We have a WLAN Controller 4402, with firmware version 4.0.206.0. The ports are connected to 2 separate switches. 'ap-manager' is on port 1, and 'ap-manager 2' is on port 2. The wireless network is running fine when both ports are connected. However, when I disconnect port 1, the client is disassociated, then re-associated, but is unable to grab a DHCP IP address. I have also assigned a static IP address on the client, but it is unable to ping anywhere, not even the gateway. From what I understand, the ports should be able to back each other up in case of failure, but the HA does not seem to work. What could be wrong?

    Let me make sure I understand something about this bug you're referring to. In order to see if this might be affecting us I would want to change my controller's ap-manager interface gateway address from that of the HSRP address to one of the actual IP addresses set up on the router, right?
    I think this might be the problem with my rollout. Seems like every so often everyone loses their wireless connection. You can be working one minute, perfect signal and everything, then without moving or anything, boom, you're disconnected. Just recently converted every AP to WCS/WLC and then this started happening.
    My concern is that I have two VLANs setup for my wireless with HSRP. One VLAN for all my AP's and ap-manager interface and such. One VLAN for wireless clients.
    Both VLANs setup on the core 6509's with the standby IP as the default gateway.
    Wondering if the problem is only related to the vlan for the ap-manager interface? Or maybe I need to do the same for the wireless lan interface for the clients?

  • Wlan controller distribution port link down

    I have one WLC 4402, and in one distribution port is a 1000Base T module from 3Com (3CS93FP).
    I have a Fast Ethernet switch, but I couldn't configure the port. I see only link status down. What could have happened?
    Thanks in advance
    tempomat

    If you are referring to connecting the 1000BaseT to your FastEthernet port, it is not possible: Although the 1000BaseT is spec'ed as 10/100/1000, the wlc4400 does not currently support anything other than 1000 (1GB) connection.

  • WLC 2006 INTERNAL DHCP FOR GUESTS CLIENTS

    I would like to use the internal DHCP to issue IP addresses to the guest wireless clients.
    However, when I set up the WLC internal DHCP scope and try to connect to the wireless guest vlan, the WLC debug DHCP reads ...forwarding to 192.168.255.2, which I have listed as the gateway to the PIX.
    any examples on how to do this would be great.
    here is what i have for the dhcp scope:
    Dhcp Scope Info
    Scope: Guest.Data.DHCP
    Enabled.......................................... Yes
    Lease Time....................................... 86400 (1 day )
    Pool Start....................................... 192.168.255.17
    Pool End......................................... 192.168.255.30
    Network.......................................... 192.168.255.0
    Netmask.......................................... 255.255.255.0
    Default Routers.................................. 192.168.255.2 0.0.0.0 0.0.0.0
    DNS Domain.......................................
    DNS.............................................. 0.0.0.0 0.0.0.0 0.0.0.0
    Netbios Name Servers............................. 0.0.0.0 0.0.0.0 0.0.0.0
    Here is what i have for the wlan
    WLAN Identifier.................................. 2
    Network Name (SSID).............................. Guest.Data
    Status........................................... Disabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Number of Active Clients......................... 0
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. Infinity
    Interface........................................ guest.data
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Enabled
    Quality of Service............................... Silver (best effort)
    WMM.............................................. Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    --More-- or (q)uit
    Radio Policy..................................... All
    Security
    802.11 Authentication:........................ Open System
    Static WEP Keys............................... Disabled
    802.1X........................................ Disabled
    Wi-Fi Protected Access (WPA/WPA2)............. Disabled
    CKIP ......................................... Disabled
    IP Security Passthru.......................... Disabled
    Web Based Authentication...................... Disabled
    Web-Passthrough............................... Disabled
    Auto Anchor................................... Disabled
    H-REAP Local Switching........................ Disabled
    Management Frame Protection................... E

    When I try to associate the DHCP scope to the wireless.guest.data interface using 192.168.255.1, which is the IP of that interface, it will not let me. I would have thought since I was using the internal DHCP that the .1 address would be the DHCP scope address also. I can assign 192.168.255.0 or 192.168.255.2 (gateway). If I use .0 or .2 the DHCP request (discovery) process starts and then will forward to .2 (gateway) and never assign an address. The only thing that happens is that the client wireless interface will get 255.255.255.255 for a few seconds then go away.
    What I am trying to accomplish is to connect the WLC port 2 directly to a PIX 506 which goes to the internet so the guest traffic is not on our vlan.
    Any other suggestions on guest vlans would be appreciated....
    Tom
    Interface Name................................... wireless.guest.data
    IP Address....................................... 192.168.255.1
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 192.168.255.2
    VLAN............................................. 150
    Quarantine-vlan.................................. no
    Physical Port.................................... 2
    Primary DHCP Server.............................. Unconfigured
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    ACL.............................................. Unconfigured
    AP Manager....................................... No
    Scope: wireless.guest.data.dhcp.server
    Enabled.......................................... Yes
    Lease Time....................................... 86400 (1 day )
    Pool Start....................................... 192.168.255.17
    Pool End......................................... 192.168.255.30
    Network.......................................... 192.168.255.0
    Netmask.......................................... 255.255.255.0
    Default Routers.................................. 192.168.255.2 0.0.0.0 0.0.0.0
    DNS Domain.......................................
    DNS.............................................. 0.0.0.0 0.0.0.0 0.0.0.0
    Netbios Name Servers............................. 0.0.0.0 0.0.0.0 0.0.0.0

  • Keeping Internal Users off Guest Wireless

    Have a WLC 5508 running 6.x code with LAPs providing wireless for our internal laptops (WPA2 and EAP-TLS). I want to provide guest wireless which goes out a different port on the WLC to a guest firewall/cable modem. However, we want to prevent our internal laptops from being able to use the guest wireless. I have RADIUS (IAS) and LDAP for my AD available. We would prefer not to have to use Lobby Ambassador and just have the guests use a simple password or web passthru. Guests may be laptops or smartphones.
    What options are available? I have tried a test setup using dynamic vlan assignments from RADIUS using the IETF flags, but can't seem to get it to work. Is there a way to identify the SSID is being used at the RADIUS server? Thanks.

    I'm closer. I have aaa override working for vlan assignment via RADIUS. On the RADIUS server, I have two access policies. The first is my normal authentication (EAP-TLS) for internal wireless clients where I included the condition member of Windows group Domain Computers. The RADIUS reply for the first policy assigns them to the "internal" vlan. The second RADIUS policy is for the visitor account (AD account with username/password) and the RADIUS reply from that assigns them to the "guest" vlan. The guest vlan exits my WLC on a separate port to the guest firewall/cable modem, while the internal vlan exits to my internal lan.
    That way even if an internal user connects to the Guest SSID with a company laptop they still end up on the internal lan.
    Right now I have the Internal SSID authenticating off one group of RADIUS servers, and the Guest SSID authenticating off another set. My next step is to see if it can be done with only one SSID and one group of RADIUS servers, since assigning the vlan is what really matters.
    Are there any security considerations with using a single SSID?  I plan on turning on Peer to Peer Blocking if I do that.
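Added example, not part of the thread and not the poster's IAS configuration: the two ordered policies described above, modelled in Python with the RFC 3580 tunnel attributes used for dynamic VLAN assignment. The VLAN IDs, the `visitor` account name and the sample Called-Station-Id values are assumptions; RFC 3580 allows an 802.11 NAS to append the SSID to Called-Station-Id after a colon, which is what `ssid_of` relies on.

```python
from dataclasses import dataclass

# Assumed for illustration: the thread gives no VLAN IDs or account names.
INTERNAL_VLAN = "10"
GUEST_VLAN = "150"
VISITOR_ACCOUNT = "visitor"


@dataclass(frozen=True)
class Request:
    username: str
    eap_method: str          # e.g. "EAP-TLS" or "PEAP"
    groups: frozenset        # AD groups of the authenticated identity
    called_station_id: str   # "AP-MAC:SSID" when the controller appends the SSID


def ssid_of(called_station_id):
    """Return the SSID from 'AA-BB-CC-DD-EE-FF:ssid', or None if it is absent."""
    mac, sep, ssid = called_station_id.partition(":")
    # Only the dash-separated MAC form is accepted; a colon-separated MAC
    # would be split in the wrong place, so it is treated as "no SSID".
    if not sep or len(mac) != 17 or mac.count("-") != 5 or not ssid:
        return None
    return ssid


def vlan_reply(vlan_id):
    """The three RFC 3580 attributes that place a session in a VLAN."""
    return {"Tunnel-Type": "VLAN",             # 13
            "Tunnel-Medium-Type": "IEEE-802",  # 6
            "Tunnel-Private-Group-ID": vlan_id}


def authorize(req):
    """Evaluate the two policies in order; anything unmatched is rejected."""
    ssid = ssid_of(req.called_station_id)  # kept for the accounting/audit log
    # Policy 1: certificate-authenticated domain computers go to the internal
    # VLAN regardless of which SSID they joined.
    if req.eap_method == "EAP-TLS" and "Domain Computers" in req.groups:
        return {"result": "Access-Accept", "ssid": ssid,
                "attributes": vlan_reply(INTERNAL_VLAN)}
    # Policy 2: the shared visitor account goes to the guest VLAN.
    if req.username == VISITOR_ACCOUNT:
        return {"result": "Access-Accept", "ssid": ssid,
                "attributes": vlan_reply(GUEST_VLAN)}
    # Default deny: never fall through to a VLAN by accident.
    return {"result": "Access-Reject", "ssid": ssid, "attributes": {}}
```

Because the first match wins, the order of the two policies is what keeps a company laptop on the internal VLAN when it joins the guest SSID.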

  • Cisco 851W - Internal WLAN and Guest WLAN

    I have a Cisco 851W Router, which has an IPSEC Tunnel back to my corporate office.
    I want to configure 2 WLANS, one for my internal network (vlan 1) which will have access to my corporate network, and one for guests which will just be for outbound internet access (http, https, ftp, sftp, etc ..).
    I have not been able to find any Cisco Documentation with how to accomplish. Can someone inform me where I can find this or supply me with some configuration examples?

    create 2 ip dhcp pools on the router for the 2 types of clients
    create  wlan for each type of client
    I'm assuming a wlc is involved, then hreap and allow both vlans, procedure will be slightly different for standalone
    acl by address to ban traffic from ipsec tunnel- easier on a WLC  interface than on the router, no wlc then on the router
    bob

  • Internal WLAN vs Guest WLAN

    Hello
    I have a Cisco AIR-CT5508-K9 running revision 7.
    Can anyone explain to me the differences between a guest type WLAN and a WLAN type WLAN please? I have searched a fair bit but can't actually find an explanation.
    Also, can any one please let me know what the profile name is for please? I see that the SSID is removed on a guest lan so it must be important in some way.
    Thanks all in advance
    Anthony

    Hi,
    Q1>> Can anyone explain to me the differences between a guest type WLAN and a  WLAN type WLAN please? I have searched a fair bit but can't actually  find an explanation.
    ANS - Guest WLAN is mostly for the WIRED GUEST USERS and the Normal WLAN is for the Wireless users.. so If you want to create a guest LAN for wired guest users, choose Guest LAN
    The link below explains the Wired Guest users..
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70users.html#wpxref20380
    Also most of the Guest WLAN will have a time stamp configured for  the client so that after that time stamp the client entry will be inactive..
    lemme know if this answered your question..
    Regards
    Surendra
    ====
    Please don't forget to rate the posts which answered your question and mark it as answered or was helpful

  • Error Joining the AP-1242AG with 2106 controller

    I have converted an Autonomous 1242AG series AP into lightweight mode. I am using a 2106 WLC with software version 4.1.185. The AP doesn't associate with the controller. It produces the following error:
    Mar 1 00:00:38.071: LWAPP_CLIENT_ERROR: lwapp_name_lookup - Could Not resolve CISCO-LWAPP-CONTROLLER
    *Mar 1 00:00:48.098: %LWAPP-5-CHANGED: LWAPP changed state to JOIN
    *Mar 1 00:00:48.099: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Mar 1 00:00:48.099: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
    *Mar 1 00:00:49.098: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Mar 1 00:00:49.098: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *Oct 6 12:30:57.289: %LWAPP-5-CHANGED: LWAPP changed state to CFG
    *Oct 6 12:31:02.289: LWAPP_CLIENT_ERROR_DEBUG: spamHandleCfgReqTimer: Did not recieve the Config response
    *Oct 6 12:31:02.998: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: DID NOT GET CONFIG RESPONSE.
    *Oct 6 12:31:02.998: %LWAPP-5-CHANGED: LWAPP changed state to DOWN

    Hi
    I think we have experienced something similar and we did a 'more' on the env_vars file and found that the env_vars contained out of date IP default gateway information.
    For example:
    We established that the env_vars file contents have not been updating correctly. Documentation on the Cisco site suggests that changes to IP configuration information should be reflected in env_vars after a reload of the WAP.
    This does not always seem to happen.
    As an example, this env_vars contains the incorrect information that the static IP is XX.11.60.100, which is incorrect and at least a year out of date, despite having undergone reloads since being reconfigured. Obviously, if the WAP comes up using this info, the gateway address etc. will not work...and the WAP is unable to contact the WiSM. We have also had a case where the incorrect DNS address is stored and used, which might be more of an issue for you looking at your output above.
    WAPXXX#more flash:/env_vars
    DEFAULT_ROUTER=10.0.0.1
    ENABLE_BREAK=no
    IOS_DEFAULT_DOMAIN_NAME=XXXXXXXXX
    IOS_NAME_SERVER_ADDR=XX.11.159.122
    IOS_STATIC_DEFAULT_GATEWAY=10.11.63.250
    IOS_STATIC_IP_ADDR=XX.11.60.100
    IOS_STATIC_NETMASK=255.255.252.0
    IP_ADDR=10.0.0.1
    MANUAL_BOOT=no
    NETMASK=255.255.255.224
    TERMLINES=0
    We wrote a script to go around and delete all the env_vars files on the 1240 WAP but then discovered that the LWAPP migration tool forces a reload of the WAP that auto-generates the env_vars file that we just deleted, complete with the wrong information again!
    I can offer no solution on how to stop the old information being written to env_vars, as I cannot find where it is stored in the first place, it must be somewhere in the flash, but am aware that other people in UK educational establishments have also experienced this issue without a proper fix being provided.
    The usual solution appears to be to get the WAP on your desk, delete the env_vars file and then pull the plug on the power. DO NOT SAVE/RELOAD. Put the power lead back in and the WAP should come up without referring to the env_vars file and will take all and any DHCP info you are providing.
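Added example, not part of the thread: a small audit of `env_vars` text for the stale-addressing problem described in the reply above, comparing stored values with what the site records say and checking that the static gateway lies inside the static subnet. The sample file contents and the expected DNS address are constructed for illustration; only the KEY=VALUE layout and the key names come from the post.

```python
import ipaddress

# Constructed sample in the KEY=VALUE layout the post shows; all addresses are made up.
SAMPLE_ENV_VARS = """\
DEFAULT_ROUTER=10.0.0.1
ENABLE_BREAK=no
IOS_NAME_SERVER_ADDR=192.0.2.53
IOS_STATIC_DEFAULT_GATEWAY=10.11.70.250
IOS_STATIC_IP_ADDR=10.11.60.100
IOS_STATIC_NETMASK=255.255.252.0
MANUAL_BOOT=no
"""


def parse_env_vars(text):
    """Return {KEY: value} for every KEY=VALUE line; other lines are ignored."""
    env = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key:
            env[key] = value
    return env


def audit(env, expected):
    """List stale or inconsistent static addressing stored in env_vars."""
    findings = []
    # Stale values: what the file holds versus what the site records say.
    for key, want in sorted(expected.items()):
        have = env.get(key)
        if have is not None and have != want:
            findings.append(f"{key}: stored {have}, expected {want}")
    # Consistency: a static gateway must sit inside the static subnet.
    addr = env.get("IOS_STATIC_IP_ADDR")
    mask = env.get("IOS_STATIC_NETMASK")
    gw = env.get("IOS_STATIC_DEFAULT_GATEWAY")
    if addr and mask and gw:
        try:
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            if ipaddress.IPv4Address(gw) not in net:
                findings.append(f"IOS_STATIC_DEFAULT_GATEWAY: {gw} is outside {net}")
        except ValueError:
            # Redacted or corrupt values such as 'XX.11.60.100' end up here.
            findings.append("IOS_STATIC_*: value is not a valid IPv4 address or mask")
    return findings


if __name__ == "__main__":
    site_records = {"IOS_NAME_SERVER_ADDR": "192.0.2.10"}  # assumed expected value
    for finding in audit(parse_env_vars(SAMPLE_ENV_VARS), site_records):
        print(finding)
```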

  • Best security options for 2106 controller on Server 2000 RADIUS?

    First, a thank you to all that stop to offer advice.  I am getting my feet soaked learning how to deploy an enterprise level wireless solution.  I have seen one work in the past, so I was trying to mimic the configuration I was familiar with.  The only drawback is I am working off a Server 2000 DC and the PEAP authentication is not available to me (at least from what I have read).  I believe this points me to EAP-TLS, but having never deployed something like this, I am at the mercy of searching for advice.  I am working with our firewall person and we have already created VLANs for the 2 SSIDs I want to use.  I have the guest user SSID all figured out.  I have them on a web authorization with a nice custom splash page and all that.  The ACLs are all locked down so no access is allowed back in to our network.  The second SSID is for our AD users and this is the one I am having an issue with.  I'll set the stage:
    We are in a mixed domain environment.  That is to say that we are not only using 3 domains, but each domain is at a different level (our location is Server 2000, mail Server 2003, and corporate is 2008).  Our present configuration for local users is WPA-Personal using home type routers and a shared password.  We obviously want to improve on this, so with the new WLC I wanted to go WPA2-Enterprise, AES, and PEAP.  Since PEAP is out due to the domain restrictions, I figured EAP-TLS was the next best solution.
    I know this is going to sound crazy, but is there a method that could be used where users from the corporate domain could also authenticate?  I see I can put in up to 3 RADIUS server entries, so if I were to configure a RADIUS on the corporate DC, can I also authenticate to it?  I have to assume that the protocol needs to remain the same or does the WLC not care so long as it authenticates to the RADIUS server (can I use PEAP on the 2008 and EAP-TLS on the 2000)?   I am also going to have to make our DC a CA so I can create the certificates.  I know that once it's rooted there can be a lot of cert issues in the future if something happens to it.  Any advice on that?
    On the other end, I understand that for EAP-TLS to work I will need to get the cert on both the client system and the server.  I plan on using GP to place the cert on the approved devices (basically the Notebook group in our AD).  I am also going to create a Wireless Auth group for users and then authenticate the RADIUS against that (second layer of user security).  This was the practice I was used to at my previous employer. 
    Sorry if there were too many questions in there, but I have been mulling over this quite some time. Thank you to all.

    With EAP-TLS you need a per-device/user certificate.  So you would want to have your own CA to request the certificate from.  All the users would need to have the root CA in their trust, pushable via GPO.
    With the three domains, is there a federation or bi-directional trust between them?
    If so, you should be able to still use PEAP, so long as the AD you hit for the username/password can reach across the boundary and validate them.
    Steve
