Anchor Controller with 8021.x
Hello,
I would like to know if the Anchor controller is compatible with 802.1x.
For my guest Wireless I would like to authentification with WPA2 AES on Layer 2 and a second authentification in Layer 3 with web authentification.
I have tested it with my controller and it's working but when I apply my anchor mobiltity group it don't work.
Could you please help me.
Best Regards
The process? The foreign elf and the anchor has to have the same configuration on the WLAN. The only exception is really the profile name and the interface. If the layer 3 is using radius to authenticate, then your guest anchor has to communicate to the radius. If your using local username and password, then that has to be defined in the anchor.
Mid you haven't setup anchoring before, create a new open ssid and make sure anchoring works.
https://supportforums.cisco.com/document/11936816/cisco-guest-access-using-wlc-anchor-setup-–-release-70
-Scott
Similar Messages
-
Wireless Anchor Controller Web-Authenication Redirect Page
I configured a wireless guest anchor controller with a custom web-authenication acceptable use policy splash page with an email box and accept or reject button. Everything is working properly except if someone types their email in the box and hits enter instead clicking on accept it redirects the custom page to the default Cisco page. After entering the email on the Cisco page and click on accept it allows connectivity.
I opened a case and TAC had me make two different changes and it still did not resolve my problem. I had to edit the login HTML file with the following in bold to resolve:
Email AddressonKeypress="Javascript: if (event.keyCode==13) submitAction();"> -
Using ISE for guest access together with anchor controller WLC in DMZ
Hi there,
I setup a guest WLAN in our LAB environment. I have one internal WLC connection to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal which works fine.
To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
Does anyone know of a better solution for this ? Where to place the ISE for this scenario, etc ?
Thx
FrankSo i ran into a similar scenario on a recent deployment:
We had the following:
WLC-A on private network (Inside)
ISE Servers ISE01 and ISE02 (Inside)
WLC-B Anchor in DMZ for Guest traffic (DMZ)
ISE Server 3 (DMZ)
ISE01 and ISE02 are used for 802.1X for the private network WLAN.
Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth. Since we want to do CWA, we use Mac Filtering with ISE as the radius server. If you send this traffic RADIUS authentication for Mac Filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to. Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails. (This was a limitation of ISE 1.1. Not sure if this persists in 1.2 or not.
So what now? In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentiction from the Foreign controller so that the client will use a DNS of https://ise03.mydomain.com/... to redirect the client to. Once the session is authenticated, ISE03 will send a CoA back to the foreign which will remove the redirect for the session. Note, you do have to allow ISE03 to send a CoA.
In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node. -
Guest ssid with anchor controller and Web policy
We have a WLC4404 and and anchor controller WLC4402 to provide guest access to the wifi net. We configured both in the same mobility group, and the guest ssid to attach to the mobility anchor 4402. All is working fine until we enable the web policy authentication on the 4402. In this case the client join the guest ssid but neither get an ip address from the dhcp server nor go anywhere. Is we disable the web authentication all works fine again. We are runnig 4.0.206.0 on both WLC. Anyone can help us?
Two things you might check. (1) The 4404's mobility anchor should point to the 4402, and the 4402 should anchor to itself. (2) Make sure you are configuring the same security policy for the SSID on both the 4402 and 4404. So if the SSID is "guest" and you turn on web authentication on the 4402, make sure "guest" is on the 4404 with web authentication. We are using a similar setup for guest access at several sites.
-
Central Web Auth with Anchor Controller and ISE
Hi All
I have a 5508 WLC on the corporate LAN and another 5508 sat in a DMZ as an anchor controller.
I also have an ISE sat on the corporate LAN.
Authenticate is working fine to the ISE and the client tries to re-direct to the ISE Portal but doesn't get there.
DNS is working fine and the client can resolve the URL of the ISE to the correct IP address.
I have a redirect ACL configured on the foreign controller which permits DNS, DHCP and traffic to and from the ISE.
My questions are:
1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL - I don't believe it does.
4. Is ICMP still blocked by the WLC until the web authentication is complete?
Thanks.
Regards
RogerHi Roger,
Thanks for your brief explanation here are the answers for your queries.
1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
The only catch is that since this web authentication method is Layer 2, you have to be aware that it will be the foreign WLC that does all of the RADIUS work. Only the foreign WLC contacts the ISE, and the redirection ACL must be present also on the foreign WLC.
2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
Yes, you have to configure the ISE server address on the anchor WLC.
3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL
Yes, you should override AAA under advanced tab of WLAN as ACL will be present on the foreign WLC.
4. Yes, ICMP will work only after the sucessful web auth is complete.
Please do go through the link below to understand the Anchor-Foreigh Scenario.
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11
Regards
Salma -
Guest access to the Internet with Guest Anchor Controller
Hi;
We are doing our initial implementation of an enterprise wireless system. I deployed a WLC 5508 connected to our data center core switch using LAG. The 5508 is configured in FlexConnect mode since it is serving APs deployed to a handful of remote offices. Employee wireless access has been rolled out and is working well.
I am designing guest access. As is typical, I want to enforce a policy that guest wireless traffic is forwarded to the Internet Edge in our DMZ and directed out to the Internet. We do not plan to deploy a Guest Anchor controller in the first phase of the roll out.
What is the best way to enforce forwarding of guest traffic towards the Internet Edge once the guest traffic arrives at the 5508? A guest VLAN between the core switch and the Internet Edge isn't feasible since there is a firewall between the core and DMZ that is configured in Routed mode.
Thanks for the assistance! Glenn Morrisonyou'd have to do a VLAN between the core and the firewall for the guest traffic until you get the anchor installed.
HTH,
Steve -
IOS device failed to get ip address on multiple wlan on the same anchor controller
Dear Experts:
in my implementation, we need 2 WLANs be served on the same anchor controller.
WLAN1: wep/40bit, integration with NAC/OOB on anchor controller for guest wlan service.
and guest account controlled by NACguest server.
WLAN2: wep/40bit, no layer3 secuirty for temporary using.
foreign controller: WiSM on v6.0.196.4 (also testing on 6.0.182.0)
anchor controller: WLC4402 on v6.0.196.4
on WLAN1:
Windows7 client get ip address correctly.
iOS (iPhone4 on 4.3.1/4.3.2, iPad2 on 4.3.1/4.3.2) can get ip address correctly on WLAN1.
WLAN2, iOS device cannot get ip address.
compare with debug message "debug clien mac" + "debug dhcp message enable"
on both foreign and anchor controller.
on foreign controller:
PM state has changed from: DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
on anchor controller:
PM state always stay on: DHCP_REQD (7) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
Enable/Disable DHCP Address Assignment Required is not work.
Enable/Disable DHCP proxy is not work.
Any hit this issue when get ip address failed in multiple WLANs on the same anchor controller?
In attachment log file,
DMZ.log: anchor controller on DMZ.
S3p1.log: WiSM on v6.0.182.0
S3p2.log: WiSM on v6.0.196.4
client mac: 00:1f:3b:05:33:c1, Windows7 Client
client mac: 58:55:ca:cf:d2:07, iPhone4 with 4.3.1,
WLAN1 subnet: 10.61.246.0/23
WLAN2 subnet: 10.61.248.0/23Hi, Nicolas:
just checking the attachment for the run-config on foreign/anchor controller.
DMZ_run.config - anchor controller
s3p1_run.config - WiSM on v6.0.182.0
s3p2_run.config - WiSM on v6.0.196.4
at this moment, we have disable the wlan 10 on foreign controller, and wlan 2 on foreign controller.
Wilson... -
Auto-Anchor Controller's Best Practice
Hi All,
I got confused with this setup. I have 2 Wlc's.One is the internal controller and another one configured for the anchor controller (different subnet-DMZ zone) for guest traffic. Where do i configure DHCP assignment for this users..? Should Production controller intervine in this dhcp process or shall i direct to Anchor to take care of everything..? which is recommended ?
And also any best practice doc is available for this ..?
Please help...
thanks in advance.Prasan,
Just keep in mind that there are best practices that are published and best practices that you learn from experience. Being a consultant, I get to implement wireless in various networks and everyone's network is quite different. Also code versions can change a best practice because of bug issues or how a standard might of changed and how that standard was implemented in code. The biggest best practice secret is really working with various client devices, scanner's, laptops, smartphones, etc., and seeing how those change because of newer models and it firmware updates. It's amazing to understand how some devices will require a few checkboxes in the WLAN to be disabled compared to others. Even with anchoring for guest and using a custom WebAuth to make sure the splash page works with various types of browsers.
What I can say is to always try the defaults if possible when you have issues and then enable things one by one.
Sent from Cisco Technical Support iPhone App -
I have 2 controller in the same WISM module and I'm trying to make one of them Anchor controller for guest WLAN, but when I give put the anchor controller in a separated non-routed VLAN and connect it to an outside switch by creating VLAN 192 on the core. ( the Internet router is connected to the same switch).-it is showing path down... ( VLAN 192 visitor Internet and VLAN 224 my internal controller management VLAN are not talking)
there is no routing between these 2 VLAN ( because of security), but i can't get the controller to communicate.
-if I connect my laptop to this switch I'm able to go out on Internet but my visitor WLAN is not able to get IP address from the router connected to this switch.
- I called Cisco and one the guys told me that i can leave the management in VLAN 224 for the controller to communicate ( which they did), but the issue I'm having right now is that my visitors are not getting IP addresses from this VLAN at all
some one please advise
vlan192 4/1 vlan 192 int g0/0 192.168.2.201
6500 ----- switch ---- router--------- (outside)
| | |
| DHCP server
WLCA couple of questions, is VLAN 192 allowed across the trunk link to the wlc? Do you have an interface tagged for vlan 192, with a valid address? What is providing the DHCP?
Cheers,
Steve
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
AAA, WLC, and AP Groups, Anchor Controller, Problem
All,
First, I have a TAC case open on this problem, but they seem to be stumped and I have been unable to get them to mock it up. Here are the details and the problem(s):
Have Cisco ACS using backend AD for user authentication
MSCHAP, 802.1x
Three wireless controllers running ver 7.0.98.0; one controller is 4404 the other two are on WiSM blade in 6509.
Many AP Groups and a few mobility achor setups.
Wifi clients used to test are Intel and have the proper drivers 12.4.4.5 and 13.1.1.1
First authentication problem is via SSIDs associated with anchor contollers. Whenever the SSID is set to use 802.1x, the anchor controller sends message to ACS(RADIUS), but ACS never sees the communication.
Second authentication problem is related to AP Groups. Whenever a client associates with an AP that is in a specific AP group and that SSID is also associated with that AP group's interface, I get the same result as above - the contoller talks to the ACS, but the ACS never sees the communication.
Note that all the above works fine as long as I am not using 802.1x. If I am using PSK, it all works flawlessly.
One other thing to note is that, in the case of the AP Group problem, if withing the AP group I associate the SSID with the management interface, the 802.1x works perfectly. The problem with that is that the client get assigned an IP address from the management Vlan... not what I want, instead, I want the client to get it's IP address from the interface associated with the AP Group.
It is not a routing problem....
I have gone through two TAC engineers and the problem is still not resolved. So close, but not succesfull.
Any interoperability/Security experts out there that can help nail this thing?
ThanksJeff,
Sorry for the late reply.... of course your suggestion was right-on the mark and a wireshark trace uncovered the problem. I had already re-engaged Cisco TAC and between the wireless engineer and one of their security engineers, they were able to point out that the Cisco ACS 5.0 has a bug specific to this particular problem. They told me to apply patch, apply OS upgrade, then apply ACS 5.1 upgrade to the ACS. I was able to apply the patch, but never could get the OS upgrade to take. For the heck of it, I re-checked the problem after applying the patch and YooHoo! Works as advertised!
Thanks for showing the interest, it was definetly a pain-point for my customer. -
AP Groups - Guest Access - Anchor Controller
Need clarification - I think it does work
Does the AP Group feature work with the anchor controller guest access feature
SSID guest --- LWAP -- LWAPP -- Foreign WLC --- EoIP --- Anchor Controller --- VLAN 10 or VLAN 11
ie
Guests in Building 1
SSID guest VLAN 10
Guests in Building 2
SSID guest VLAN 11
MarkHi,
As far as I know, AP Group only works locally in each controller, and the mapping between SSID and VLAN is done in the anchor controller.
Therefore, all clients will end up in the same VLAN, even if access points are in different AP Groups in the first WLC.
Kind regards
Johan -
Wireless Guest Network using Cisco 4402 as an Anchor Controller
Hello,
We have recently redesigned our wireless guest network in accordance to Cisco's recommended deployment using the anchor controller in the DMZ. We have created two mobility groups (enterprise and anchor). The anchor controller and DMZ has two subnets (guest managment and guest clients). The guest management subnet is connected to the controller and firewall allowing the mobility groups and EOIP tunnels while the guest client network is also connected to the controller and firewall to push the client traffic directly out the firewall. The setup works well but the one part that I'm not happy with is the DHCP. Currently DHCP is being handled on the firewall because of issues we had with dhcp relay and the controllers internal dhcp service.
Does anyone have any information on getting DHCP relay working or the internal dhcp service on the controllers when using as a anchor?
This is basically the setup guide that we followed.
http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html
Thanks!Hi,
Make sure you have the IP helper address configured under the VLAN interface on the L3 and also make sure to disable DHCP proxy on both the WLC (Anchor and Foreign).
This will help us as well..
lemme know if this answered your question..
Regards
Surendra
====
Please dont forget to rate the posts which answered your question and mark it as answered or was helpfull -
Guest Anchor Controller DNS issues
Hi,
I have an anchor controller (4402) is running version 4.0.219.0 in our DMZ
The main service we use is a guest service which uses the anchor controller in the DMZ for access to the internet. Authentication is via the WEB re-direct feature. We currently have a subnet assigned to the Guest SSID with a 22 bit mask providing just over 1000 ip addresses to clients.
Change required (which were attemped).
1. Move the dhcp server to a dedicated dhcp server and off the anchor controller.
2. Increase the address space to /21 thereby providing about 2000 addresses for clients. (By changing the ip address mask on the SSID interface).
Problems
The provision of dhcp from the new dhcp server worked fine and clients were able to pick up dhcp addresses when they associated to the wireless SSID.
The problem was that only some clients were being re-directed to the web-redirect page for authentication. Any clients who were re-directed were able to authenticate correctly.
Diagnosis
It appears that only some client's dns requests were being passed on from the anchor controller. A capture of packets between the anchor controller and the DMZ firewall did not pick up dns packets from an assiocated and connected client even when running dns queries manually from the wireless client.
A reboot of the controller did not make any difference.
Is there any throttling effect on dns queries which may have being implemented on the anchor controller by default once the subnet mask was increased? I noticed authentication successes of about 1 a minute while normally we would see authentication rates of 1 every couple of seconds.
Are there any bugs or known reason why an interface mask of /21 would be problematic on the controller?
We had to roll back the changes to the original configuration in order to bring the service back on-line.Hello Eoin
Where is the external dhcp server ? in the same DMZ or on the inside network ? we have a /19 subnet allocated to the guests and I dont foresee any throttling on the dns queries.. The connectivity anyway till the anchor controller is on EoIP, and is just like the client connecting onto a local controller..
laptops which had issues -> was the problem interim or its just that they are not able to get the web redirect page at all ?
Check the release notes for any bugs on this software:
http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn402190.html#wp170104
Raj -
Hi Experts ,
Need help with the respect to understand the best practice to place/create the DHCP scope for remote site Guest SSID which will be connected to HQ Foeign-Anchor controller set-up.
how about internet traffic for Guest SSID , which one will be recommanded :
1) Guest SSID gets authenticated from HQ ISE and exposed to the local internet
2) Guest SSID gets authenticated from HQ ISE and exposed to the HQ internet
ThanksHi George ,
Thanks for your reply ...So you mean, best design would be to create the DHCP scope into DMZ for guest and let it get exposed to HQ internet ...
how about if I have another anchor controller in lets say in other office and I need to anchor the traffic or load balance from HQ foreign controller , in that case if I create DHCP scope into HQ anchor controller and if its down , I will loose the connectivity , how do I achieve fail-over to another anchor ?
Do I need to create secondary scope into another anchor controller and let the client get reauthenticated from other location ISE and get ip address as well from another anchor controller . Is it what you are proposing ? -
WLC user rate limit on guest ssid anchor controller
Hi,
I have been looking through the forums & some cisco documents but not found a good example similar to what I am seeking to do so now I am turning to the expertise of my peers.
We have been deploying 3502 APs remotely to locations with full T1s that backhaul to where I sit at HQ.
Both the foreign and anchor controller are here at my location.
I am seeking to rate limit per user the bandwidth each client will get on the guest internet ssid.
As you know this traffic is encapsulated in capwap between the AP and the controller so I cant use a standard ACL on the switch or router.
We are trying to keep the guest internet access usage in check on the T1 at any given site so the other ssid's & local lan traffic is not overly competing for the bandwidth.
I found the place to edit the default profiles in the controller but the documentation really isnt clear on best practices.
So I put it to you my fellow wireless engineers to suggest how you are implementing bandwidth management on your wireless guest internet.
Thanks guys!
Oh and here is my hardware & software levels.
5508wlc - forgeign
4402wlc - anchor
Software Version
7.0.230.0Amjad,
Thank you for taking the time to respond as well as the document link.
It was pretty clear on the steps and what it would impact.
Two things that push me for a different solution (assuming their is one).
Note The values that you configure for the per-user bandwidth contracts affect only the amount of bandwidth going downstream (from the access point to the wireless client). They do not affect the bandwidth for upstream traffic (from the client to the access point).
As you can see from the above note taken out of the linked document the roll based rate limit doesnt really rate limit the T1 traffic any guest user consumes it only limits usage from the AP down to the client.
#1 I am looking for a solution that limits the users up & down streams (if possible) & also before it leaves the AP for the T1.
The idea is to limit WAN utilization.
#2 I read in the forums here others asking about the "user role" and saw some comments saying it is not considered "best practice" to use user roles.
Let me clarify that our guest ssid's are using the http webpage pass through for authentication and it is really only the tic mark to indicate they understand the terms and conditions of using our internet as a guest service. No actual user accounts are used on the guest ssid's.
***One last question about this and any other changes***
Will any change I make be on the "Foreign, Anchor" or both Controllers?
Maybe you are looking for
-
I purchased a movie and downloaded it and when I conected my I Pod to my computer, now I get a message "The requested URL was not found on this server". What do I do to fix it?
-
Where is OCA605290.zip in 8iLite download
I downloaded & installed 8iLite & Forms6i in WIN95. 8i release notes said to "copy OCA605290.zip file from the \WIN32 folder of the Oracle8i Lite CD-ROM" but I can't find it in the un-zipped folder. I found a similar file in Forms6i folder and it wor
-
Hello, i am using loadmovie for load a swf file. I use this: _root.content._x = 0; _root.content._y = 0; loadMovie("other.swf", _root.content); _root.content.stop(); But don´t work. Other.swf is an animation, and i haven´t MC. I want to control with
-
SVG Plugin and Operation Can't be Completed Error Msg
Just added the HTML5 Pack to Illustrator and now I get two error msgs every time I open Illustrator that says "error loading plugins SVG file format.aip" and a "Operation cannot be complete because of an unknown error." Is there a fix to this? I'm on
-
How to get Business content WAD reports in BI 7.0
Hi All I am generating CRM reports in BI. I got all the business content query designer reports but I am not able to find its corresponding WAD reports. BW 3.5 business content CRM WAD repots are available. I am working on BI 7.0 so if I implement BW