2504 WLC on edge network for guest wifi

I have a 2504 WLC with a 1042 AP and I have it placed on my edge Cisco 3750 switch.
I have the management interface of the WLC set on my WAN IP 71.x.x.x subnet range, and I have the WLC doing DHCP duties with a DHCP scope of 192.168.X.0. I have my DNS servers set on external DNS servers out on the Internet.
I have two Cisco 3845 Routers on my edge network - one for each ISP with BGP protocol.
Since my native VLAN is 71.x.x.x, I added a sub interface on my main core router and gave it a 192.168.x.1 255.255.255.0 address for the gateway. Also, I added ip prefix-list iBGP seq 10 permit 192.168.x.0/24 le 32 to my main core router. On my secondary ISP router I added
ip prefix-list iBGP seq 10 permit 192.168.X.0/24 le 32, and ip prefix-list OUT seq 10 permit 192.168.x.0/24 statements.
I added VLAN 10 to my edge switch and gave it IP 192.168.x.2 255.255.255.0, and the switchports that my core router and my WLC are connected to the edge switch, are in trunk mode with encapsulation dot1q 10. The switchport on my edge switch that the AP is connected to is in switchport access mode.
I can connect to the wifi with a 192.168.x.x IP address on my laptop, but I cannot get any Internet access.
Is it possible to have the DHCP scope be in a different subnet than my WAN IP subnet, and allow guests to get to the external Internet only? Do I need to put the WLC somewhere internal on my network i.e. the DMZ and then tunnel the traffic out to the Internet with no Internal network access?
Thanks for any help you can provide.

right, and how does a 'normal/current' user access the internet? Somewhere going to your ISP there should be some sort of NAT statement when you send interwebs traffic.
if your ISP is taking care of all of that for you, you probably need to let them know you added the subnet so they can do the NAT.
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered
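Added example, not part of the original thread: a Python check for the situation the reply above points at. It parses `ip prefix-list` lines like those quoted in the question and flags entries that permit RFC 1918 space, which Internet providers do not route, so a guest scope in that space needs NAT to a public address rather than a BGP announcement. The 192.168.50.0/24 value standing in for 192.168.x.0/24, the 203.0.113.0/24 entry and the interface name are constructed assumptions.

```python
import ipaddress
import re

# RFC 1918 private ranges; these are not routed on the public Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches: ip prefix-list NAME seq N permit|deny PREFIX [ge X] [le Y]
PREFIX_LIST_RE = re.compile(
    r"^\s*ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) "
    r"(?P<action>permit|deny) (?P<prefix>\S+)"
    r"(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?\s*$"
)

# Constructed sample config. 192.168.50.0/24 stands in for the thread's
# 192.168.x.0/24; 203.0.113.0/24 and the interface name are assumptions.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.50.1 255.255.255.0
!
ip prefix-list iBGP seq 10 permit 192.168.50.0/24 le 32
ip prefix-list OUT seq 5 permit 203.0.113.0/24
ip prefix-list OUT seq 10 permit 192.168.50.0/24
"""


def parse_prefix_lists(config_text):
    """Return one dict per well-formed 'ip prefix-list' line."""
    entries = []
    for line in config_text.splitlines():
        m = PREFIX_LIST_RE.match(line)
        if not m:
            continue  # not a prefix-list statement
        try:
            net = ipaddress.ip_network(m["prefix"], strict=False)
        except ValueError:
            continue  # malformed prefix, skip rather than guess
        entries.append({"name": m["name"], "seq": int(m["seq"]),
                        "action": m["action"], "net": net})
    return entries


def rfc1918_parent(net):
    """Return the RFC 1918 block that contains net, or None."""
    return next((p for p in RFC1918 if net.subnet_of(p)), None)


def needs_nat(scope):
    """True when a DHCP scope is private and must be translated."""
    return rfc1918_parent(ipaddress.ip_network(scope, strict=False)) is not None


def audit(config_text, guest_scope):
    """List permit entries that cover private space.

    Each finding is (list name, seq, prefix, RFC 1918 block, covers_guest).
    """
    guest = ipaddress.ip_network(guest_scope, strict=False)
    findings = []
    for e in parse_prefix_lists(config_text):
        if e["action"] != "permit":
            continue
        parent = rfc1918_parent(e["net"])
        if parent is None:
            continue
        findings.append((e["name"], e["seq"], str(e["net"]),
                         str(parent), guest.subnet_of(e["net"])))
    return findings


if __name__ == "__main__":
    scope = "192.168.50.0/24"  # constructed guest DHCP scope
    print("guest scope needs NAT:", needs_nat(scope))
    for name, seq, prefix, parent, covers in audit(SAMPLE_CONFIG, scope):
        print(f"{name} seq {seq}: {prefix} is inside {parent}"
              f"{' (guest scope)' if covers else ''}")
```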

Similar Messages

  • How to make a INTERNET ONLY wifi network for guests at a business..

    hey guys/gals:
    I'm trying to set up a public network for guests at my business. I only have one internet subscription for the building and a big server and several switches in the basement providing wired 100base-T network connections to all my computers. they are all on the same network and domain.
    now i want my guests to have internet access ONLY. I don't want them to even be able to see any of my printers, computers, servers or anything! just the web. what equipment do i need and how do i set it up?
    -thanks in advance

    You can use the Wireless router or the Access point to provide the wireless network. However, there is no such option on these devices.
    Guest user can not access your computers, printers or servers unless or until you give "Sharing" permission to them. So if you enable sharing and give permission then only the Guest user can share your computers or printers.

  • No connection to EDGE network for past two days

    Has any other iPhone users lost connection to the EDGE network for the past two days? I lost mine on Sunday night and have not had it back since.
    Has anyone else had this issue?

    Nope, no 'E' in the menu bar. Turned the phone off/on several times to no avail. Now on my AT&T plan I have an additional line added for $9.99 (Family Talk Plan). On Sunday night I added 200 text messages for $5.00 to that other line.
    I am not sure if by doing this my iPhone will lose connection to the EDGE network. That's the only thing I can think of that I could have screwed up myself. But why AT&T would make it so that a customer could do this to themselves is odd.
    Thoughts?

  • Please help me with Time Capsule Set up for guest wifi?

    I am just setting up TimeCapsule
    I need help setting up guest wifi.
    I show I have a workgroup, what is that?

    You enable the Guest Network feature on your Time Capsule by using the AirPort Utility.
    For v6.x: AirPort Utility > Select your AirPort base station > Edit > Wireless tab > Enable Guest Network

  • Cannot receive calls when using Edge network for data?

    Hi,
    This afternoon someone was trying to reach me urgently and all her calls to my iPhone went straight into my voicemail. My phone never rang and never showed missed calls.
    I spoke to Aaron at Apple, thinking there might be a problem with my phone, and he told me that when the Edge network is in use, then the phone will not ring and calls will be routed straight to voicemail.
    Is this really expected behavior? I was not aware of it.
    iPhone 8GB    

    This has nothing to do with EDGE all other phones will notify you and pause the connection. i posted about this 2 days ago but the thread got deleted.
    here is a video that proves this, the noise is from the GSM but the user is clearly on the edge network.
    http://youtube.com/watch?v=NMm2AY-_TTY
    this is from Tier 2 support at Apple.
    Everyone having this issue should call 1-800-MY iPhon. Ask to speak to Tier II support, the person you get may try to help, and may need to give you a case number. You'll probably have to wait a while on hold.
    I just spent an hour on the phone with Tier I & II. The tier I guy started by saying that when you use EDGE it will always go to voicemail. I told him, I was on a user forum & some people said they don't have the issue. He then tested it on his phone & experienced the direct to v-mail issue. We talked about how this was a real problem & how both of our nokia phones didn't have this issue (he actually had the E-61 also). He gave me a case number & transferred me to tier II. The tier II guy told me that this was a software issue. That a pop-up needs to be designed into the software to allow the user the option to disconnect the data connection & accept the voice call, or not. I told him that I'd read on a user forum that some users get voice calls while using EDGE. He said that if they are using you tube the call will automatically interrupt & switch out of you tube. We then tested this on my iPhone & it worked (i.e. the call interrupted you tube). He said the software currently decides to disconnect data or send calls to voice mail during EDGE transmissions based on what the user is doing. Phone calls take priority over you tube & widgets (stock & weather) but safari and e-mail take priority over phone calls. He said the thought was, it would be more annoying to users to be in the middle of sending an e-mail and having mail disconnected for a phone call, than having the call go to voicemail. The ideal solution is to have a choice (like other phones allow) but right now the iPhone software does not have a pop-up designed allowing the user to accept the call or keep the data connection. (He seemed to be familiar with this on other phones while being tethered to a macbook to use their data connections & getting voice calls during downloads).
    He said he was submitting this to the engineering group & said the more people that call tier II about this & submit it as an issue via online feedback, the higher priority it will get to be addressed in the first software update. So if you want to see this fixed start calling and submitting the issue http://www.apple.com/feedback/iphone.html in as much detail as possible (specifically say that other existing phones Nokia S60s etc. have this function).
    and here is a thread that is discussing this serious problem. note it is now many pages long.
    http://www.howardforums.com/showthread.php?t=1197377

  • WLC to ISE authentication for Guest

    Hi Experts,
    Hope if you could guide me with our setup for Guest users. Below is what we are doing
    a)     Guest connects to SSID
    b)     WLC is being used to redirect Guest HTTP to WLC internal Portal
    c)     WLC forwards guest authentication details to cisco ISE [ISE and WLC radius]
    The guest connects to SSID and does get WLC portal for authentication, when the username and password entered on Cisco ISE i see error message as
    'User Identity not found in any of Identity Store' though it is going through correct Store and the Guest name is certainly configured on Cisco ISE. ISE version is 1.2 and WLC is 7.4, please let me know if i am missing anything here.
    Appreciate your help

    The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning. The flow includes these steps:
    Please follow below guide for step by step configuration:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

  • Configuring autonomous 1141 to do DHCP for Guest WiFi

    I have an existing setup consisting of:
    Windows Server - doing DHCP for private wired/wireless
    Cisco 1141 Autonomous WAP with only private wireless access.
    ASA 5505 (with very basic licensing)
    HP switch
    The customer wants to have guest WiFi.
    The guest WiFi is going out to the internet via a separate VLAN/interface on the ASA.
    Can the 1141 do DHCP for the guest WiFi?   Or do I need to do it via the ASA?

    It could but you would have to relay it from the ASA. So might as well just use the ASA for the scope.
    Steve

  • WLC 2006 INTERNAL DHCP FOR GUESTS CLIENTS

    I would like to use the internal DHCP to issue ipaddress to the guest wireless clients.
    However; when i setup the wlc internal DHCP scope and try to connect to the wireless guest vlan the WLC debug DHCP reads ...forwarding to 192.168.255.2 which i have listed as the gateway to the pix
    any examples on how to do this would be great.
    here is what i have for the dhcp scope:
    Dhcp Scope Info
    Scope: Guest.Data.DHCP
    Enabled.......................................... Yes
    Lease Time....................................... 86400 (1 day )
    Pool Start....................................... 192.168.255.17
    Pool End......................................... 192.168.255.30
    Network.......................................... 192.168.255.0
    Netmask.......................................... 255.255.255.0
    Default Routers.................................. 192.168.255.2 0.0.0.0 0.0.0.0
    DNS Domain.......................................
    DNS.............................................. 0.0.0.0 0.0.0.0 0.0.0.0
    Netbios Name Servers............................. 0.0.0.0 0.0.0.0 0.0.0.0
    Here is what i have for the wlan
    WLAN Identifier.................................. 2
    Network Name (SSID).............................. Guest.Data
    Status........................................... Disabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Number of Active Clients......................... 0
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. Infinity
    Interface........................................ guest.data
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Enabled
    Quality of Service............................... Silver (best effort)
    WMM.............................................. Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    --More-- or (q)uit
    Radio Policy..................................... All
    Security
    802.11 Authentication:........................ Open System
    Static WEP Keys............................... Disabled
    802.1X........................................ Disabled
    Wi-Fi Protected Access (WPA/WPA2)............. Disabled
    CKIP ......................................... Disabled
    IP Security Passthru.......................... Disabled
    Web Based Authentication...................... Disabled
    Web-Passthrough............................... Disabled
    Auto Anchor................................... Disabled
    H-REAP Local Switching........................ Disabled
    Management Frame Protection................... E

    when i try to associate the dhcp scope to wireless.guest.data interface using 192.168.255.1 which is the ip of the that interface it will not let me. I would have thought since i was using the internal dhcp that the .1 address would be the dhcp scope address also. i can assign 192.168.255.0 or 192.168.255.2 (gateway) if i use .0 or .2 the dhcp request (discovery) process starts and then will forward to .2 (gateway) and never assign an address. the only thing that happens is that the client wireless interface will get 255.255.255.255 for a few seconds then go away.
    what i am trying to accomplish is to connect the wlc port 2 directly to a pix 506 which goes to the internet so the guest traffic is not on our vlan.
    any other suggestions on guest vlans would be appreciated....
    Tom
    Interface Name................................... wireless.guest.data
    IP Address....................................... 192.168.255.1
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 192.168.255.2
    VLAN............................................. 150
    Quarantine-vlan.................................. no
    Physical Port.................................... 2
    Primary DHCP Server.............................. Unconfigured
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    ACL.............................................. Unconfigured
    AP Manager....................................... No
    Scope: wireless.guest.data.dhcp.server
    Enabled.......................................... Yes
    Lease Time....................................... 86400 (1 day )
    Pool Start....................................... 192.168.255.17
    Pool End......................................... 192.168.255.30
    Network.......................................... 192.168.255.0
    Netmask.......................................... 255.255.255.0
    Default Routers.................................. 192.168.255.2 0.0.0.0 0.0.0.0
    DNS Domain.......................................
    DNS.............................................. 0.0.0.0 0.0.0.0 0.0.0.0
    Netbios Name Servers............................. 0.0.0.0 0.0.0.0 0.0.0.0

  • WLC in a DMZ for guest access

    I have one internal 4400 and one in a DMZ. I want to configure the DMZ WLC to provide Guest Internet access. I am unable to find much information on doing this. I have a WLAN called Guest defined on both controllers. And both controllers are defined in as mobility anchors. What I don't understand is how to configure the interfaces. Do both interfaces for the WLAN Guest need to be in the same VLAN and subnet? Example:
    On the internal WLC WLAN Guest is tied to an interface named Guest with an IP address of 172.26.254.5/24 What does the interface need to look like on the DMZ WLC?

    This should get you on the right track:
    http://www.cisco.com/en/US/products/ps6366/prod_technical_reference09186a0080706f5f.html
    Brad

  • Using several Airport Extremes to create and extend corporate + guest wifi

    hello all,
    my office has purchased 6 airport extremes for our new office, AirPort Extreme 802.11ac (6th Generation), running version 7.73
    the plan was to hard wire one extreme via the wan port and create both a corporate and guest network
    then link to the others throughout the office by wirelessly extending to provide complete coverage
    after moving around the location of one or two units my coverage is now complete across the office space
    my setup is as follows:
    my network is a windows active directory setup where one of my domain controllers is my DHCP server in the range 192.168.x.x
    to enable the guest network on my extremes i need to have my first hard wired (wan port) extreme unit configured in DHCP mode
    this airport extreme has pulled down an ip address from my windows server in the range 192.168.x.x
    the extreme then uses its own dhcp range to provide connectivity to my clients, 172.16.x.x for corporate wifi and 10.0.x.x for guest wifi
    my issue is
    the dhcp range that the extreme uses for all my corporate wifi users is 172.16.x.x
    i cannot access any servers on my windows network 192.168.x.x by drive maps/hostnames as they are challenged for authentication
    I can only access by using ip addresses instead of hostnames
    all of my shares and wired users are configured to use hostnames for file shares, printers etc on my servers
    the first extreme gets its DNS info from my windows dhcp server correctly but these settings are not passed down to my wifi clients
    is there a way to do this ?
    I have tried using the 'domain name' field on the extreme dhcp config but this had made no difference
    can anyone advise on this ?
    do i need to use a different setup, maybe switch to wired config ?
    what i'd like to have is the following:
    2 wireless networks, one for corporate users and one for guests/visitors
    my corporate users to have access to all my corporate servers as their permissions allow using hostnames for access
    my guest users to have internet access only
    my 6 access points to be connected to each other either wired or wirelessly to provide coverage throughout my office
    i was told that the 6 airport extremes would allow me to do this but now i'm not so sure
    any help or suggestions would be gratefully accepted,
    thanks

    You are trying to use Apple domestic products in a business setup.. this is not what they were designed for.
    Could you use 3 units to cover the offices.. please have a go as this simplifies things tremendously.. just use three units in bridge.. preferably all connected to your ethernet network and so operating as AP only.
    If that works then use the other 3 units for your guest network.. these should then be placed on a different vlan via your main managed switch.. so they can get internet but have no connection at all to the office network.. but other ways around it could be found. As you have already discovered a simple double NAT might sufficiently block guest access.

  • Usage of Edge Network on Weekends...

    Is the usage of the Edge network for e-mail and internet free on the weekends since minutes are unlimited on the weekends?

    Technically it is not free, each iPhone plan has a unlimited data plan included in the monthly bill
    So each month you pay to have unlimited access to the EDGE network, you do not have to pay anything extra for using any of the widgets, the Mail app or Safari

  • IOS 4.0.1 - call drops in 3G network, but not Edge network !?!

    Upgraded my iPhone 3GS to iOS 4.0.1 and have had dropped calls ever since. Never had dropped calls before. Messaging, emails and internet are fine, but all calls are dropped, even with 5 bars! The only constant is that I've been on the 3G network when the calls dropped, so I turned it off and have been on the Edge network for a few days without issue!
    I have hard-reset my phone at least a dozen times and even restored my phone. I do not have bells & whistles installed.
    Is this a traffic issue on the 3G network? I live in Hawaii, where there aren't tall buildings to block my signal.
    ugh.

    Since upgrading to iOS 4 it seems to me that the signal bars are reversed. In an area where I used to get maximum bars, I now only get 1 or 2. In an area where I never got reception at all (no signal zone) I am suddenly getting 5 bars, but guess what - I can't connect to anything, or send anything from there.
    Either the latest upgrade has just sent the aerial dotty, or someone at Apple IT messed up when writing the signal strength algorithm.

  • How-do-i-configure-guest-wifi-access-using-2504-wlc-fortigate-utm-l3-device

    Dear All
    I have a 2504 Wireless Controller with multiple radios attached. I currently have a "private" WLAN configured (taking ip from windows server based DHCP of Range 192.1681.0/24 ) and working, but I need to add a Guest/Public WLAN which should take the IP from Other DHCP Configured on Fortigate UTM of range 172.16.0.0/24.
    We have one SG300 switch in the office and the rest are basic switches.
    Our firewall/router is a Fortigate UTM 240D
    Find the attached network diagram for the issue.
    Is there a SIMPLE way to enable guest access that doesn't require VLANS (or are VLANS easier than I'm making them)?
    Thanks.

    Complete these steps in order to configure the devices for this network setup:
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-vlan/70937-guest-internal-wlan.html
    Configure Dynamic Interfaces on the WLC for the Guest and Internal Users
    Create WLANs for the Guest and Internal Users
    Configure the Layer 2 Switch Port that Connects to the WLC as Trunk Port

  • Using Bridge Mode to have private network to ethernet and wifi but also use Guest Network for public?

    Hello,
    I am trying to use my new Apple AirPort Extreme in Bridge mode to have our private wireless network. (This works great) and a guest network for the public. When I create the guest network and update settings and then attempt to connect to the guest network wifi it says no internet. :-(

    Apple assumes that you will be connecting the AirPort Extreme to a simple modem......not a modem/router.
    The correct Router Mode setting with a simple modem is DHCP and NAT....allowing the Guest Network function to work correctly.
    When you have a modem/router "upstream" from the AirPort Extreme, the correct Router Mode setting is Bridge Mode for the AirPort Extreme to avoid having two devices both trying to act as routers on the same network.
    You might be able to get away with having two devices both configured to act as routers on the same network....but at best, there will be negative consequences. At worst, the AirPort Extreme may not function at all if you try to configure it incorrectly.

  • How to set up guest wifi network on 1200 series APs with disclaimer web portal?

    I've been thinking about this one for awhile. I want to set up a guest wifi network without any security (AES / TKIP) that allows guests to connect. Ideally, their web browser would be redirected to a web portal containing legal disclaimers, and they would need to accept the terms and conditions to use the guest wifi. I would also like to have them be required to visit the web portal again every 8 hours after that to accept the terms and conditions again.
    I have a Cisco 1240AG access point already. What else do I need to make this work?

    I don't believe you can do this just with an AP running in autonomous mode you would need to have a WLC to configure the splash page.
    Have a look here:
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70users.html#wp1049273
    Alternatively you can use software running on a PC/Server. Something like http://www.antamedia.com/hotspot/
    Hope that helps!
    Matty
