3850 WLC - 5760 Anchor: Multiple Guest SSIDs issue

Hi,
I have configured a 3850 Foreign WLC and a 5760 as Anchor WLC in a DMZ behind an ASA FW. The Anchor Controller is configured to advertise three guest wireless LANs:
(INSIDE) ---- ASA FW (guest in interface) -------------------------- (Te1/0/1) 5760 ANCHOR (Te1/0/2) -------------------- L3 Link-------------------- (guest out interface) ASA FW ---- (OUTSIDE)
GUEST1: 10.9.65.0/24 – VLAN 11
GUEST2: 10.9.66.0/24 – VLAN 12
GUEST3: 10.9.67.0/24 – VLAN 13
Management VLAN 1: 10.8.252.1 (Anchor Management VLAN – Mobility)
The link between the WLC and the Guest OUT Interface on the ASA Firewall is a L3 Link, NOT a Trunk.
The 5760 WLC is also a DHCP server for the three client VLANs above. I have also configured 3 SVIs as default gateways for these VLANs:
Interface vlan 11 – 10.9.65.1
Interface vlan 12 – 10.9.66.1
Interface vlan 13 – 10.9.67.1
wgh-anchorwlc5760-primary#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  10.8.252.1      YES NVRAM  up                    up
Vlan11                 10.9.65.1       YES manual up                    up
Vlan12                 10.9.66.1       YES manual up                    up
Vlan13                 10.9.67.1       YES manual up                    up
GigabitEthernet0/0     10.8.252.85     YES NVRAM  down                  down
Te1/0/1                unassigned      YES unset  up                    up
Te1/0/2                10.8.253.1      YES NVRAM  up                    up
Capwap0                unassigned      YES unset  up                    up
If a client connects to GUEST1 SSID it gets an IP address in VLAN 11 and its default gateway is 10.9.65.1.
If a client connects to GUEST2 SSID it gets an IP address in VLAN 12 and its default gateway is 10.9.66.1.
If a client connects to GUEST3 SSID it gets an IP address in VLAN 13 and its default gateway is 10.9.67.1.
Mobility is UP and I can see clients connected to the Anchor WLC either in IPLEARN or WEBAUTH_PEND state. DHCP is working fine; clients get an IP and the right default gateway and DNS servers when they connect, for example, to GUEST1.
anchorwlc5760-primary#show wireless client summary
Number of Local Clients : 3
MAC Address    AP Name                          WLAN State              Protocol
04f7.e482.b21c N/A                              2    IPLEARN            Mobile
bc3e.6d32.17f6 N/A                              2    IPLEARN            Mobile
a826.d5b3.5ae8 N/A                              2    WEBAUTH_PEND       Mobile
However, they are not able to ping the default gateway – SVI VLAN 11: 10.9.65.1, so I cannot see any traffic leaving the Anchor WLC to continue with the Web Authentication process (CWA) using ISE. I can see that the authorization policy (“unknown” and the URL to ISE) has been pushed to the clients, but I am not redirected to the ISE Web Authentication portal when I open my web browser. I have done some captures on the FW interfaces but I cannot see any traffic coming from the clients.
I know that usually there is a Trunk (that allows the client VLANs) between a WLC and an L3 Switch when you configure multiple SSIDs and then configure the SVIs on the L3 Switch. However, I think this design with an L3 Link should work too because the 5760 is a WLC + L3 Switch.
My question is: Why are clients not able to ping their default gateway?
I hope it makes sense.
I appreciate any thoughts and help. Thanks in advance.
Joana.

Hi,
I couldn't get it working (I doubt if it is really possible). I had to add a switch between the 5760 Anchor Controller and the ASA Firewall:
(INSIDE) ---- ASA FW (guest in interface) -------------------------- (Te1/0/1) 5760 ANCHOR (Te1/0/2) -------------------- SWITCH-------------------- (guest out interface) ASA FW ---- (OUTSIDE)
The link between the 5760 and the Switch is configured as a Trunk and it allows the 3 Guest SSIDs (VLANs). The link between the Switch and the ASA FW is configured as a Layer 3 link. I also set up the default gateways for the 3 GUEST VLANs in the Switch (3 vlan interfaces) and the 5760 as DHCP Server.
I hope it helps.
Joana.

Similar Messages

  • Anchoring multiple Guest SSIDs to the same WLC

    Hi All,
    I've currently got a typical 'anchored' Guest WLAN solution where several WLCs tunnel guest traffic back to an isolated WLC for WebAuth - this all works fine using a mix of 5508 / 4400, all on v7.0.98.0 code.
    The question is, can I add a second Guest SSID to the estate and anchor it back to the same Guest Anchor WLC that I'm already using?
    I can't find anything to say it won't work and have found this that says it should, but none of this is very concrete...  Does anybody know of any better references and/or have you done this in the wild?
    https://supportforums.cisco.com/message/1276785
    Cheers,
    Richard

    Hi,
    yes it's totally ok.
    On the foreign, just create a second WLAN and anchor it to the other WLC. On the anchor, create the same second WLAN that you anchor to itself ...
    Nothing special in order to configure it.
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • NAC Guest Server and Multiple Guest SSID's/Splashpages

    Hi All,
    If I have multiple guest SSIDs on a single controller and I use NGS as the RADIUS server, how do I configure NGS to "send" the clients to different login pages corresponding to the SSID they came from?
    I can configure different splash pages in the HotSpots section, but how do I map the different SSIDs from the controller to the different splash pages? Then I guess that raises the question: when I generate guest users on NGS, is it possible to only allow them to associate to a specific SSID?
    TIA,
    Eoin.

    Hi Nicolas,
    Thanks for the reply. I can see that config on the WLC and have used it before where there is only a single guest SSID. What I don't know is if the NAC Guest server sees RADIUS requests coming from different guest SSIDs on the same WLC. How does the NAC Guest server apply the correct guest policy to that user? And when sponsors generate guest accounts, how do they specify which policy is to be applied to that guest so it can only get access to a specific guest network/SSID? I'm not sure where the "mapping" of accounts/splash pages/policies takes place on the NAC Guest server. I've only ever set up NAC Guest when there has been a single guest SSID.
    Regards,
    Eoin.

  • WLC as a Mobility Anchor for guest access - Management on DMZ or not DMZ

    When using Guest Access Cisco recommend a Mobility Anchor Controller be placed on a DMZ and the guest access wireless Lan is tunneled to this controller.  This means that 2 DMZ subnetworks are required - one for the management interface and one for the wireless lan's dynamic interface itself.
    I am trying to see if there are any disadvantages/security risks using 2 physical ports on the controller (no LAG) and placing one on a corporate network inside the firewall for management and to terminate the mobility anchor tunnel, and one outside the firewall on a DMZ for the wireless lan's dynamic interface.
    Advantages that I see are that no tunnels need to go through a firewall, and management of the WLC is kept completely inside the corporate network, protected by the firewall and not left on the DMZ.
    Thanks.

    OK, so to recap;
    - place the 2nd WLC in the DMZ with only 1 port (set for dynamic AP management)?
    - Then Anchor the guest SSID (on its DMZ IP instead of management IP as is now)
    And to make that kind of anchoring work, I have to open ports below on the firewall.. right?
    UDP port 16666 for inter-WLC  communication, and IP protocol ID 97 Ethernet in IP for client traffic.
    and:
    • TCP 161 and 162 for SNMP
    • UDP 69 for TFTP
    • TCP 80 or 443 for HTTP, or HTTPS for GUI access
    • TCP 23 or 22 for Telnet, or SSH for CLI access
    Thanks to confirm that

  • Need to understand WebAuth using 3850 MA, 5760 MC and 5508 GA

    All,
    I would appreciate if anyone could provide clarification on my current understanding of Converged Access mobility design for WebAuth and guest access. My setup is as follows:
    (WAP)---(MA)---(MC)---(Firewall)---(GA)
    Wireless Access Point (WAP) - 3500
    Mobility Agent (MA) - Cisco 3850 (running IPServices)
    Mobility Controller (MC) - WLC 5760
    DMZ Firewall
    Guest Anchor (GA) - WLC 5508 (running 7.5.110.0 and new mobility feature enabled)
    I have my mobility domain configured with an SPG and the 3850 MAs configured into the domain. All status indicators are up for MC to MA and MC to GA. The WAPs are connected to the 3850 MA and appear on the MA using the command 'show ap summary'. There are also a number of WAPs that associate directly to the 5760 MC.
    My configuration on the MC has a guest wireless service using WebAuth, which anchors over to the GA. Clients connecting to the WebAuth service on WAPs associated directly to the 5760 MC receive an IP address from the GA DMZ and are redirected to the GA WLC. This is as expected with the usual centralized wireless model.
    My initial thoughts with the Mobility Agents (MA) was that it was a simple case of pointing the 3850s to the MC and the wireless service (WLAN) configurations would automatically appear. Through configuration tests and converged access deployment guides, I now believe this to no longer be the case. Therefore, for MAs to advertise wireless services they have to be individually configured. Am I correct with my thoughts?
    This was proved with a Secure 802.1x WLAN on the MA and it was a simple case of replicating the 5760 Secure WLAN on the MA.
    For the deployment of WebAuth wireless services on the MA 3850 switches, I have not managed to find a guide that explains how an MA anchors wireless clients to the GA. I have found documents that describe combined MC/MA configurations to GA, but not when the 3850 is just an MA. Is it the case that:
    1. MA WebAuth wireless service is configured to anchor to the GA using the command 'mobility anchor <GA IP Address>'. This would require the DMZ firewall to allow mobility tunnels between the MA to GA and MC to GA, or;
    2. MA WebAuth wireless service is configured to anchor to the MC using the command 'mobility anchor <MC IP Address>'. This would mean the traffic from the MA for WebAuth is tunneled to MC and then onwards to GA.
    I suspect option 1 is the correct method, but would appreciate confirmation.
    Also, I have not configured a Mobility Oracle (MO) since I only have one MC and the GA. If it is advisable to do, then would it be best to enable the MO on the MC or GA?
    Thanks in advance
    Ian

    Hi Ian,
    It is a long post & many questions.
    I will try to answer as much as I can.
    "I have not configured a Mobility Oracle (MO) since I only have one MC and the GA. If it is advisable to do, then would it be best to enable the MO on the MC or GA?"
    No, you don't want MO unless your set-up is extremely large (it is similar to use of BGP route reflector to reduce complexity of having full mesh)
    "My initial thoughts with the Mobility Agents (MA) was that it was a simple case of pointing the 3850s to the MC and the wireless service (WLAN) configurations would automatically appear. Through configuration tests and converged access deployment guides, I now believe this to no longer be the case. Therefore, for MAs to advertise wireless services they have to be individually configured. Am I correct with my thoughts?"
    Yes, you have to configure your WLAN configuration in MC & MA, it won't automatically propagate to MA.
    "For the deployment of WebAuth wireless services on the MA 3850 switches, I have not managed to find a guide that explains how an MA anchors wireless clients to the GA. I have found documents that describe combined MC/MA configurations to GA, but not when the 3850 is just an MA"
    I have not configured this, but this is my understanding.  You would configure MA WLAN  pointing to GA as mobility anchor. Still traffic will transit through MC as it will manage MA & SPG (any thing outside SPG should go through MC)
    Here is some useful reference information I gathered over time (the white paper is the one you should read to cover everything):
    https://supportforums.cisco.com/discussion/11984726/converged-access-design-information
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • 3850's using WLC 2504 as a guest anchor

    Hi,
    Does anyone know if it's possible to use a WLC2504 as a guest anchor when we have deployed 3850's for regular corporate WLAN?
    The corporate stuff is all up and running OK using 3850's, but I've now come to look at the guest provisioning and I'd like it to terminate on a guest anchor in the DMZ if possible. Just wondering if it's possible to do this with that setup?
    Thanks,
    Ian.

    Do you know if it's possible to keep the 3850's as MC and MA's and deploy a 5760/5508/WiSM2 as just a guest anchor.
    Yes, this is possible & what I have done in my production network (5760 as MC & Guest Anchor where 3850 as MA). In your case you can have 3850 MC/MA while 5508 as Guest Anchor.
    Good to see my blog helps you & thanks for the comment.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • WLC user rate limit on guest ssid anchor controller

    Hi,
    I have been looking through the forums & some cisco documents but not found a good example similar to what I am seeking to do so now I am turning to the expertise of my peers.
    We have been deploying 3502 APs remotely to locations with full T1s that backhaul to where I sit at HQ.
    Both the foreign and anchor controller are here at my location.
    I am seeking to rate limit per user the bandwidth each client will get on the guest internet ssid.
    As you know, this traffic is encapsulated in CAPWAP between the AP and the controller, so I can't use a standard ACL on the switch or router.
    We are trying to keep the guest internet access usage in check on the T1 at any given site so the other SSIDs & local LAN traffic are not overly competing for the bandwidth.
    I found the place to edit the default profiles in the controller but the documentation really isn't clear on best practices.
    So I put it to you, my fellow wireless engineers, to suggest how you are implementing bandwidth management on your wireless guest internet.
    Thanks guys!
    Oh and here is my hardware & software levels.
    5508wlc - foreign
    4402wlc - anchor
    Software Version
    7.0.230.0

    Amjad,
    Thank you for taking the time to respond as well as the document link.
    It was pretty clear on the steps and what it would impact.
    Two things that push me for a different solution (assuming there is one).
    Note The values that you configure for the per-user bandwidth contracts affect only the amount of bandwidth going downstream (from the access point to the wireless client). They do not affect the bandwidth for upstream traffic (from the client to the access point).
    As you can see from the above note taken out of the linked document, the role-based rate limit doesn't really rate limit the T1 traffic any guest user consumes; it only limits usage from the AP down to the client.
    #1 I am looking for a solution that limits the users up & down streams (if possible) & also before it leaves the AP for the T1.
    The idea is to limit WAN utilization.
    #2 I read in the forums here others asking about the "user role" and saw some comments saying it is not considered "best practice" to use user roles.
    Let me clarify that our guest SSIDs are using the HTTP web page pass-through for authentication, and it is really only the tick mark to indicate they understand the terms and conditions of using our internet as a guest service. No actual user accounts are used on the guest SSIDs.
    ***One last question about this and any other changes***
    Will any change I make be on the "Foreign, Anchor" or both Controllers?

  • Cisco 5760 - Anchor config issue

    Hi,
    I am having an issue where the 5760 Anchor WLC has 4 subnets, but half of the VLANs need to go to a separate gateway and the other half to another gateway.
    Below image is what the network looks like:
    The router (Content Filtering) is the Gateway for 4 x SSID’s/VLANs
    The Firewall is the Gateway for the Management VLAN
    The issue here is that we have 2 separate Gateways and there is no way to define separate gateways for each VLAN on the 5760 WLC
    We have a default IP route 0.0.0.0 0.0.0.0 10.1.1.254 which is pointing to the Firewall. The Firewall is not the gateway for the other 4 x SSIDs/VLANs that exist on the Anchor, so we do not want all traffic going to the Firewall, only management traffic.
    Is there a way to set different gateways for different subnets/VLANs on the 5760 WLC, keeping in mind that there is a default route pointing to the Firewall?
    Also, does the 5760 WLC act as a Layer 3 device?
    Thanks

    All types of deployments listed below for the Anchor configuration.
    Case solution :
    Wireless WebAuth and Guest Anchor Solutions
    The following sections show a WebAuthentication (WebAuth) configuration and Guest Anchor examples on the CT5760.
    Note For a complete webauth configuration, please download the webauth bundle from the following URL: http://software.cisco.com/download/release.html?mdfid=284397235&softwareid=282791507&release=3.2.2&relind=AVAILABLE&rellifecycle=&reltype=latest . The readme file has all the GUI and CLI configuration for webauth.
    Configure Parameter-Map Section in Global Configuration
    The parameter map connection configuration mode commands allow you to define a connection- type parameter map. After you create the connection parameter map, you can configure TCP, IP, and other settings for the map.
    ! First section is to define our global values and the internal Virtual Address.
    ! This should be common across all WCM nodes.
    parameter-map type webauth global
    virtual-ip ipv4 192.0.2.1
    parameter-map type webauth webparalocal
    type webauth
    banner text ^C WebAuthX^C
    redirect on-success http://9.12.128.50/webauth/loginsuccess.html
    redirect portal ipv4 9.12.128.50
    Configure Customized WebAuth Tar Packages
    Transfer each file to flash:
    copy tftp://10.1.10.100/WebAuth/webauth/webauth_consent.html flash:webauth_consent.html
    copy tftp://10.1.10.100/WebAuth/webauth_success.html flash:webauth_success.html
    copy tftp://10.1.10.100/WebAuth/webauth_failure.html flash:webauth_failure.html
    copy tftp://10.1.10.100/WebAuth/webauth_expired.html flash:webauth_expired.html
    Configure Parameter Map with Custom Pages
    parameter-map type webauth webparalocal
    type webauth
    custom-page login device flash:webauth_consent.html
    custom-page success device flash:webauth_success.html
    custom-page failure device flash:webauth_failure.html
    custom-page login expired device flash:webauth_expired.html
    Configure Parameter Map with Type Consent and Email Options
    parameter-map type webauth webparalocal
    type consent
    consent email
    custom-page login device flash:webauth_consent.html
    custom-page success device flash:webauth_success.html
    custom-page failure device flash:webauth_failure.html
    custom-page login expired device flash:webauth_expired.html
    Configure Local WebAuth Authentication
    username guest password guest123
    aaa new-model
    dot1x system-auth-control
    aaa authentication login EXT_AUTH local
    aaa authorization network EXT_AUTH local
    aaa authorization network default local
    or
    aaa authentication login default local
    aaa authorization network default local
    Configure External Radius for WebAuth
    aaa new-model
    dot1x system-auth-control
    aaa server radius dynamic-author
    client 10.10.200.60 server-key cisco
    auth-type any
    radius server cisco
    address ipv4 10.10.200.60 auth-port 1812 acct-port 1813
    key cisco
    aaa group server radius cisco server name cisco
    aaa authentication login EXT_AUTH group cisco
    or
    aaa authentication login default group cisco
    Configure WLAN with WebAuth
    wlan Guest-WbAuth 3 Guest-WbAuth
    client vlan 100
    mobility anchor 192.168.5.1
    no security wpa
    no security wpa akm dot1x
    no security wpa wpa2
    no security wpa wpa2 ciphers aes
    security web-auth
    security web-auth authentication-list EXT_AUTH
    security web-auth parameter-map webparalocal
    no shutdown
    Configure HTTP Server in Global Configuration
    !--- These are needed to enable Web Services in the Cisco IOS® software.
    ip http server
    ip http secure-server
    ip http active-session-modules none
    Other Configurations to be Checked or Enabled
    !--- These are some global housekeeping Cisco IOS® software commands:
    ip device tracking
    ip dhcp snooping
    SNMP Configuration
    From the CT5760 console, configure the SNMP strings.
    snmp-server community public ro
    snmp-server community private rw
    IPv6 Configuration
    IPv6 is supported on the data path. Wireless clients will be able to get an IPv6 address.
    Enable IPv6 Snooping - CT5760
    There are slight differences in configurations on a CT5760 when configuring IPv6. To enable IPv6 on a CT5760, the following step must be completed.
    ipv6 nd raguard policy testgaurd
    trusted-port
    device-role router
    interface TenGigabitEthernet1/0/1
    description Uplink to Core Switch
    switchport trunk native vlan 200
    switchport mode trunk
    ipv6 nd raguard attach-policy testgaurd
    ip dhcp snooping trust
    Enable IPv6 on Interface - CT5760
    Based on interfaces that need IPv6 configurations and the type of address needed, respective configurations are enabled as follows. IPv6 configurations are enabled on VLAN200.
    vlan configuration 100 200
    ipv6 nd suppress
    ipv6 snooping
    interface Vlan100
    description Client VLAN
    ip address 10.10.100.5 255.255.255.0
    ip helper-address 10.10.100.1
    ipv6 address 2001:DB8:0:10::1/64
    ipv6 address FEC0:20:21::1/64
    ipv6 enable
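    As an added example (not code from this thread or from Cisco), the following Python script audits an IOS-style 5760 running-config for the two things the posts above turn on: the original thread's finding that each guest client VLAN has to be carried on a trunk uplink rather than terminated on an SVI behind a routed link, and the global web-auth prerequisites listed in the configuration above (aaa new-model, ip http server / secure-server, ip device tracking, ip dhcp snooping, a webauth parameter-map with a virtual-ip). The config text, interface names, addresses and WLAN names in SAMPLE_CONFIG are constructed for the example; the audit only understands numeric client VLANs and the plain and "add" forms of "switchport trunk allowed vlan".

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample running-config (not from the thread): one routed link
# toward the firewall, one trunk toward a DMZ switch, three web-auth WLANs.
# It deliberately lacks "ip device tracking" and does not carry VLAN 13.
SAMPLE_CONFIG = """\
aaa new-model
ip http server
ip http secure-server
ip dhcp snooping
parameter-map type webauth global
 virtual-ip ipv4 192.0.2.1
interface TenGigabitEthernet1/0/1
 description Routed link to firewall guest-in
 no switchport
 ip address 192.0.2.2 255.255.255.252
interface TenGigabitEthernet1/0/2
 description Trunk to DMZ switch
 switchport mode trunk
 switchport trunk allowed vlan 11,12
interface Vlan11
 ip address 10.9.65.1 255.255.255.0
wlan GUEST1 1 GUEST1
 client vlan 11
 mobility anchor
 security web-auth
wlan GUEST2 2 GUEST2
 client vlan 12
 mobility anchor
 security web-auth
wlan GUEST3 3 GUEST3
 client vlan 13
 mobility anchor
 security web-auth
"""

Stanza = Tuple[str, List[str]]
ALL_VLANS = frozenset(range(1, 4095))

# Global commands the 5760 web-auth write-up above lists as prerequisites.
REQUIRED_GLOBALS = (
    "aaa new-model",
    "ip http server",
    "ip http secure-server",
    "ip device tracking",
    "ip dhcp snooping",
)


def parse_stanzas(config: str) -> List[Stanza]:
    """Split an IOS-style config into (top-level line, indented child lines)."""
    stanzas: List[Stanza] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and comments
        if raw[0].isspace() and stanzas:
            stanzas[-1][1].append(raw.strip())
        else:
            stanzas.append((raw.strip(), []))
    return stanzas


def expand_vlans(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '11,12,20-22' into a set of ints."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def trunk_vlans(stanzas: List[Stanza]) -> Dict[str, Set[int]]:
    """Map each trunk interface to the VLANs it carries (all VLANs by default)."""
    trunks: Dict[str, Set[int]] = {}
    for header, children in stanzas:
        if not header.startswith("interface ") or "switchport mode trunk" not in children:
            continue  # routed ports and SVIs carry no tagged client VLANs
        allowed: Set[int] = set(ALL_VLANS)
        for line in children:
            m = re.match(r"switchport trunk allowed vlan (add )?([\d,\-]+)$", line)
            if m:  # "add" extends the list, the plain form replaces it
                allowed = (allowed if m.group(1) else set()) | expand_vlans(m.group(2))
        trunks[header.split(None, 1)[1]] = allowed
    return trunks


def audit(config: str) -> List[str]:
    """Return human-readable findings; an empty list means the config passes."""
    stanzas = parse_stanzas(config)
    top_level = {header for header, _ in stanzas}
    findings = [f"missing global command: {cmd}" for cmd in REQUIRED_GLOBALS if cmd not in top_level]
    has_virtual_ip = any(
        h.startswith("parameter-map type webauth") and any(c.startswith("virtual-ip ") for c in ch)
        for h, ch in stanzas
    )
    if not has_virtual_ip:
        findings.append("no webauth parameter-map defines a virtual-ip")
    trunks = trunk_vlans(stanzas)
    for header, children in stanzas:
        if not header.startswith("wlan "):
            continue
        name = header.split()[1]
        vlan = None
        for child in children:
            m = re.match(r"client vlan (\d+)$", child)
            if m:
                vlan = int(m.group(1))
        if vlan is None:
            findings.append(f"wlan {name}: no numeric client vlan configured")
        elif not any(vlan in carried for carried in trunks.values()):
            findings.append(f"wlan {name}: client vlan {vlan} is not allowed on any trunk uplink")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["config passes the checks"]:
        print(finding)
```

    Run against the sample it reports the missing "ip device tracking" and that GUEST3's VLAN 13 has no trunk carrying it, which is the shape of the problem Joana hit with all three VLANs behind a routed link; widening the allowed list on the trunk clears the second finding.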

  • DMZ Anchor WLC setup for Wireless Guest Access

    I have the following setup.
    A DMZ WLC 4402 connected to firewall DMZ interface in 10.10.73.0/24 network.
    An Inside WLC 2106 connected to firewall Inside interface in 10.10.71.0/24 network.
    Both WLCs are running the same 4.2.176 code.
    DMZ WLC is anchor to itself and Inside WLC select the DMZ WLC as the anchor point.
    I have setup EoIP between DMZ and Inside WLCs successfully with both the control and data path both show as UP status. >> "show mobility anchor"
    The main issue: Clients cannot obtain IP addresses after connected to Guest SSID.
    1. Inside WLC, the guest WLAN ingress is 802.11b/g radio and egress port is set to management interface (EoIP) of type WLAN.
    What is the DMZ WLC setting? Is the ingress set to "802.11b/g" which does not make sense because the ingress is EoIP from Inside WLC?
    Or I still set as 802.11b/g? Same config as Inside WLC? I read from other threads suggested by Terry that the config must be the same for both WLCs.
    In the Inside WLC, I saw a lot of PDU encapsulation errors for broadcast packets (ffff.ffff.ffff xxxx), which I think is the DHCP request from the connected wireless clients not making it through the EoIP tunnel. I have set a static IP for the wireless client but the packets cannot route through the EoIP tunnel to the far end.
    2. DHCP server is provided by the DMZ WLC with the scope 10.10.76.0/24. In the Inside WLC, which DHCP server IP address should be set? The DMZ WLC mgmt IP address? On the DMZ WLC, is the DHCP server also set to the DMZ WLC mgmt IP?
    3. Layer 2 authentication. I read that DMZ WLC is supposed to be the DHCP server, Layer 2 or 3 authentication for Wireless Clients. However, it seems like Inside WLC is required to configure the Layer 2 authentication parameters and the DMZ WLC is set to providing the DHCP service?
    4. Lastly, anyone has done DMZ WLC sending the Wireless clients traffic to Bluecoat proxy server before hitting the Internet?
    Thanks.

    One of the biggest things is to make sure the WLAN is configured exactly the same. The DMZ WLC ingress is the management interface and it is also the egress port. You can create a dynamic interface on the DMZ WLC, but this way makes things easier. The DMZ WLC should provide the DHCP, so the DHCP scope of course will be on the same subnet as the management of the DMZ WLC. The DHCP server will be the IP address of the management interface of the DMZ WLC. The authentication also has to be configured exactly the same on the inside WLC and the DMZ WLC. Since you are pushing clients through the tunnel to the DMZ WLC, that is where clients will need to get their IP address, since that DMZ WLC has a network interface to the guest network. I haven't had luck when a proxy is involved, but I know there was a post a while ago on how to set up the proxy to allow the WLC to bypass the user's initial DNS resolution.

  • Guest ssid with anchor controller and Web policy

    We have a WLC4404 and an anchor controller WLC4402 to provide guest access to the wifi net. We configured both in the same mobility group, and the guest SSID to attach to the mobility anchor 4402. All is working fine until we enable the web policy authentication on the 4402. In this case the client joins the guest SSID but neither gets an IP address from the DHCP server nor goes anywhere. If we disable the web authentication all works fine again. We are running 4.0.206.0 on both WLCs. Can anyone help us?

    Two things you might check. (1) The 4404's mobility anchor should point to the 4402, and the 4402 should anchor to itself. (2) Make sure you are configuring the same security policy for the SSID on both the 4402 and 4404. So if the SSID is "guest" and you turn on web authentication on the 4402, make sure "guest" is on the 4404 with web authentication. We are using a similar setup for guest access at several sites.

  • Guest Anchor N+1: Multiple guest WLANs and Mobility List

    Hi Experts,
    We are going to replace two guest anchor controllers WLC4402 sitting in different DMZs with two WLC5508 as N+1 redundant pair in one DMZ.
    I assume each guest anchor controller should support multiple guest WLANs. Is it correct?
    And between these two new anchor WLCs, do they need to add each other to Mobility List?
    Or maybe I should ask first, does it matter if they are in the same mobility group or not?
    Thanks
    Cedar

    N+1 for guest anchors isn't what N+1 was designed for.  N+1 was designed for redundancy for WLC's supporting access points, not mobility anchors.  This solution might work, but I really doubt Cisco will support this setup, but I can be wrong.... you can always talk with your local Cisco SE or open a TAC case and ask.
    Guest anchors should have a different mobility group name from the foreign WLC's.  You do need the foreign to have both guest anchors and the guest anchor to just have the foreign WLC(s).  The redundant guest anchors do not need to have each other in the mobility group list.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • AIR-AP1142N-A-K9 configuration issue for guest ssid

    I'm trying to get the guest ssid working.  I was frustrated so saved my old config and wiped out everything on this AP.  Now my bvi1 does not come online.
    ap#sh ip int bri
    Interface                  IP-Address      OK? Method Status                Protocol
    BVI1                       192.168.2.249   YES NVRAM  down                  down    
    Dot11Radio0                unassigned      YES NVRAM  up                    up      
    Dot11Radio0.50             unassigned      YES unset  up                    up      
    Dot11Radio0.51             unassigned      YES unset  up                    up      
    Dot11Radio1                unassigned      YES NVRAM  administratively down down    
    GigabitEthernet0           unassigned      YES NVRAM  up                    up      
    GigabitEthernet0.50        unassigned      YES unset  up                    up      
    GigabitEthernet0.51        unassigned      YES unset  up                    up      
    ap#
    ap#sh int bvi
    *May  6 15:05:24.611: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]1
    BVI1 is down, line protocol is down
      Hardware is BVI, address is 003a.99eb.8d00 (bia b862.1fe9.9af0)
      Internet address is 192.168.2.249/24
      MTU 1500 bytes, BW 54000 Kbit, DLY 5000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input never, output never, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         0 packets input, 0 bytes, 0 no buffer
         Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         3 packets output, 180 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    ap#
    I have a private vlan 50 and the public vlan 51.  The private ssid seems to work and allow connectivity to the internet but I don't understand with the same configuration the Public ssid doesn't seem to work.
    I get this output when trying to connect with my cell phone. 
    *May  6 15:00:37.288: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
    *May  6 15:00:38.432: %DOT11-6-ASSOC: Interface Dot11Radio0, Station TYLOR-NB 9c4e.3617.483c Reassociated KEY_MGMT[WPAv2 PSK]
    *May  6 15:00:42.935: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
    *May  6 15:00:54.320: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   2c44.01c3.70a6 Associated KEY_MGMT[WPAv2 PSK]
    *May  6 15:01:13.913: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
    *May  6 15:01:17.281: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
    *May  6 15:01:48.181: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
    *May  6 15:01:51.583: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
    *May  6 15:02:22.500: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
    *May  6 15:03:41.852: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
    SSID [PUBLIC] :
    MAC Address    IP address      Device        Name            Parent         State     
    847a.8835.4f22 0.0.0.0         ccx-client    -               self           Assoc    
    ap#
    ap#show run
    Building configuration...
    Current configuration : 2746 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    enable secret 5 $1$4jEJ$ajpjBvSx3DUhxyvLADj.91
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    dot11 syslog
    dot11 ssid PRIVATE
       vlan 50
       authentication open
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 01150F035E050E0A2D
    dot11 ssid PUBLIC
       vlan 51
       authentication open
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 045D02010A2F444B05
    username Admin privilege 15 password 7 0526071D3545175840
    bridge irb
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption vlan 50 mode ciphers aes-ccm
     encryption vlan 51 mode ciphers aes-ccm
     encryption mode ciphers aes-ccm tkip
     ssid PRIVATE
     ssid PUBLIC
     antenna gain 0
     mbssid
     station-role root
    interface Dot11Radio0.50
     encapsulation dot1Q 50 native
     no ip route-cache
     bridge-group 50
     bridge-group 50 subscriber-loop-control
     bridge-group 50 block-unknown-source
     no bridge-group 50 source-learning
     no bridge-group 50 unicast-flooding
     bridge-group 50 spanning-disabled
    interface Dot11Radio0.51
     encapsulation dot1Q 51
     no ip route-cache
     bridge-group 51
     bridge-group 51 subscriber-loop-control
     bridge-group 51 block-unknown-source
     no bridge-group 51 source-learning
     no bridge-group 51 unicast-flooding
     bridge-group 51 spanning-disabled
    interface Dot11Radio1
     no ip address
     no ip route-cache
     shutdown
     antenna gain 0
     dfs band 3 block
     channel dfs
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    interface GigabitEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     no keepalive
    interface GigabitEthernet0.50
     encapsulation dot1Q 50 native
     no ip route-cache
     bridge-group 50
     no bridge-group 50 source-learning
     bridge-group 50 spanning-disabled
    interface GigabitEthernet0.51
     encapsulation dot1Q 51
     no ip route-cache
     bridge-group 51
     no bridge-group 51 source-learning
     bridge-group 51 spanning-disabled
    interface BVI1
     ip address 192.168.2.249 255.255.255.0
     no ip route-cache
    ip default-gateway 192.168.2.1
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    line con 0
    line vty 0 4
    end      
    switch config:
    interface FastEthernet1/0/46
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 50
     switchport trunk allowed vlan 50,51
     switchport mode trunk

    Hi
I know the bridge-group has to be identical to the sub-interface number and VLAN number.
This is true for all other VLANs except the native VLAN. For native VLAN sub-interfaces the bridge-group number should always be 1. In your case, if VLAN 50 is the native VLAN (the VLAN that 192.168.2.x/24 belongs to), then configure bridge-group 1 under those .50 sub-interfaces. Then everything should work :)
It is ideal if you could put AP management (the BVI IP) into a separate VLAN and put the two user groups into VLANs 50 and 51. Here is a sample configuration where VLAN 110 is management and VLANs 12 and 13 are the user VLANs.
    http://mrncciew.com/2012/10/24/multiple-ssid-config-on-autonomous-ap/
    HTH
    Rasika
    **** Pls rate all useful responses ****
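The bridge-group rule in the answer above, as an added example that is not part of the thread and is not Cisco code: a small Python linter that reads an IOS autonomous-AP running config and reports sub-interfaces whose bridge-group disagrees with the native-VLAN / BVI1 convention, SSIDs with no matching per-VLAN encryption line or radio sub-interface, and a BVI1 management address with no wired member in bridge-group 1. The embedded sample is a trimmed copy of the config posted above with the PSKs removed; the rule names, finding strings and the `lint`/`parse_blocks` functions are my own.

```python
"""Added example (not from the thread, not Cisco code): lint an IOS autonomous-AP
config for the bridging rules behind the answer above.  Rules checked:
  1. a sub-interface with 'encapsulation dot1Q <n> native' must be in bridge-group 1,
     because BVI1 (the AP management IP) only ever belongs to bridge-group 1;
  2. a non-native sub-interface uses bridge-group <n> matching its VLAN;
  3. every 'dot11 ssid' mapped to a VLAN needs 'encryption vlan <n> mode ...' on
     Dot11Radio0 and a Dot11Radio0.<n> sub-interface;
  4. if BVI1 has an IP address, a GigabitEthernet0 sub-interface must be in
     bridge-group 1, or the management IP is unreachable from the wire.
"""
import re

# Constructed sample input: a trimmed copy of the AP config posted above, PSKs removed.
SAMPLE_CONFIG = """\
dot11 ssid PRIVATE
   vlan 50
dot11 ssid PUBLIC
   vlan 51
interface Dot11Radio0
 encryption vlan 50 mode ciphers aes-ccm
 encryption vlan 51 mode ciphers aes-ccm
 ssid PRIVATE
 ssid PUBLIC
 mbssid
interface Dot11Radio0.50
 encapsulation dot1Q 50 native
 bridge-group 50
interface Dot11Radio0.51
 encapsulation dot1Q 51
 bridge-group 51
interface Dot11Radio1
 shutdown
 bridge-group 1
interface GigabitEthernet0.50
 encapsulation dot1Q 50 native
 bridge-group 50
interface GigabitEthernet0.51
 encapsulation dot1Q 51
 bridge-group 51
interface BVI1
 ip address 192.168.2.249 255.255.255.0
"""

# The fix from the answer: both native-VLAN sub-interfaces move to bridge-group 1.
FIXED_CONFIG = SAMPLE_CONFIG.replace(" bridge-group 50\n", " bridge-group 1\n")

ENCAP_RE = re.compile(r"^encapsulation dot1q (\d+)( native)?$", re.IGNORECASE)
BRIDGE_RE = re.compile(r"^bridge-group (\d+)$")  # ignores 'bridge-group N <option>' lines


def parse_blocks(config: str) -> dict[str, list[str]]:
    """Group indented lines under the unindented 'interface ...' / 'dot11 ssid ...' line above."""
    blocks: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        elif not raw[0].isspace():
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def lint(config: str) -> list[str]:
    """Return human-readable findings; an empty list means the bridging layout is consistent."""
    blocks = parse_blocks(config)
    findings: list[str] = []

    # Rule 3: each SSID's VLAN needs per-VLAN encryption and a radio sub-interface.
    radio_enc = {int(m.group(1)) for line in blocks.get("interface Dot11Radio0", [])
                 if (m := re.match(r"^encryption vlan (\d+) mode", line))}
    for name, body in blocks.items():
        if name.startswith("dot11 ssid "):
            ssid = name.split()[2]
            for line in body:
                if (m := re.match(r"^vlan (\d+)$", line)):
                    vlan = int(m.group(1))
                    if vlan not in radio_enc:
                        findings.append(f"ssid {ssid}: no 'encryption vlan {vlan} mode ciphers ...' on Dot11Radio0")
                    if f"interface Dot11Radio0.{vlan}" not in blocks:
                        findings.append(f"ssid {ssid}: no sub-interface Dot11Radio0.{vlan}")

    # Rules 1 and 2: bridge-group numbering on every dot1Q sub-interface.
    bg1_members: list[str] = []
    for name, body in blocks.items():
        if not name.startswith("interface "):
            continue
        iface = name.split(" ", 1)[1]
        vlan, native, bg = None, False, None
        for line in body:
            if (m := ENCAP_RE.match(line)):
                vlan, native = int(m.group(1)), bool(m.group(2))
            if (m := BRIDGE_RE.match(line)):
                bg = int(m.group(1))
        if bg == 1:
            bg1_members.append(iface)
        if vlan is not None and native and bg != 1:
            findings.append(f"{iface}: native VLAN {vlan} is in bridge-group {bg}; must be bridge-group 1 to reach BVI1")
        elif vlan is not None and not native and bg != vlan:
            findings.append(f"{iface}: VLAN {vlan} is in bridge-group {bg}; expected bridge-group {vlan}")

    # Rule 4: a management IP on BVI1 needs a wired member in bridge-group 1 (a shut radio does not help).
    if any(l.startswith("ip address ") for l in blocks.get("interface BVI1", [])):
        if not any(m.startswith("GigabitEthernet0") for m in bg1_members):
            findings.append("BVI1 has an IP address but no GigabitEthernet0 sub-interface is in bridge-group 1")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("after fix", FIXED_CONFIG)):
        print(f"[{label}] {len(lint(cfg))} finding(s)")
        for finding in lint(cfg):
            print("  -", finding)
```

Run against the posted layout it reports the two native-VLAN sub-interfaces sitting in bridge-group 50 and that nothing wired is in bridge-group 1, which is exactly why BVI1 at 192.168.2.249 never joins the native VLAN; after moving both .50 sub-interfaces to bridge-group 1 it reports nothing. Separate from the bridging problem, the posted config also has `ip http server` together with `no ip http secure-server` (the management GUI is served over cleartext HTTP) and stores the PSKs and the admin password as type 7 strings, which are a reversible encoding rather than a hash; both are worth fixing while the AP is being reconfigured.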

  • Best place to create the DHCP scope for Guest SSID for remote office connected to HQ Foreign-Anchor controller

    Hi Experts ,
Need help understanding the best practice for placing/creating the DHCP scope for a remote-site Guest SSID which will be connected to the HQ Foreign-Anchor controller set-up.
How about internet traffic for the Guest SSID; which one is recommended:
    1) Guest SSID gets authenticated from HQ ISE and exposed to the local internet
    2) Guest SSID gets authenticated from HQ ISE and exposed to the HQ internet
    Thanks

    Hi George ,
Thanks for your reply... So you mean the best design would be to create the DHCP scope in the DMZ for guests and let them be exposed to the HQ internet...
How about if I have another anchor controller in, let's say, another office and I need to anchor the traffic or load balance from the HQ foreign controller? In that case, if I create the DHCP scope on the HQ anchor controller and it goes down, I will lose connectivity. How do I achieve fail-over to the other anchor?
Do I need to create a secondary scope on the other anchor controller and let the client get re-authenticated by the other location's ISE and get an IP address from the other anchor controller as well? Is that what you are proposing?

  • AP1131 multiple SSID issue

    Hello,
    Very new to Cisco wireless, trying to figure this out.
    I have an ASA that will be handling the VLAN traffic.
    VLAN1 = default internal VLAN.
    VLAN10 = guest VLAN.
    On my AP1131 I want to have "Staff" SSID associated with VLAN1,
    and "Guest" SSID associated with VLAN10.
Interfaces 6 & 7 on the ASA are PoE so I think I'm good on that. I have those two ports on the ASA set as trunks with VLAN1 as native.
My biggest pain right now is that I can't seem to get "Guest" and "Staff" broadcasting at the same time!
I don't really need the "A" radio, so I'm just trying to get the two SSIDs broadcasting on the "G" radio.
    I'm configuring via the GUI, but frequently looking back at the CLI.
    Is this a common issue?  Something that someone can point to a common mistake?
    Attached is running-config; though I'm still very much playing with it.

    Hi Scott,
    Check out these two excellent related threads
    https://supportforums.cisco.com/message/1308205#1308205
    https://supportforums.cisco.com/message/1286462#1286462
    Cheers!
    Rob
    Please support CSC Helps Haiti
    https://supportforums.cisco.com/docs/DOC-8895
    https://supportforums.cisco.com/docs/DOC-8727

  • Rate limit guest ssid 5500 foreign to 2504 anchor

    Hi
We have a need to limit bandwidth on a guest SSID that is tunnelled to an anchor controller. The 2504 doesn't have rate-limiting options but the 5500 does. If we enabled the rate limit in the SSID details on the foreign, would it work (seeing as the anchor can't have the same settings)? I would have thought that the access points terminate on the foreign, therefore the rate limit would apply there.
Would this work, or do I need another 5500 as the anchor so that the rate limits can match on the SSID?

Thanks. It would be nice if Cisco documentation actually clarified this, as all the guest anchor docs seem not to mention having to have both controllers supporting QoS profiles.
