Anchor Guest controller and DHCP configuration

I checked the Cisco documentation about the DHCP configuration but I'm not 100% sure which DHCP server address I must use.
I used as an example the scope 10.240.97.0/24 for our Guest Users. The DHCP scope and the Guest interface are configured in this range. For the management I used as an example the range 10.240.96.0/24. Now I configured our Guest WLC and entered the Guest interface address as the Primary DHCP address on the Guest interface. After I applied it, I got the message that I can't use this DHCP address. Then I checked the Cisco documentation and found the following description:
"If DHCP services are to be implemented locally on the anchor controller, populate the primary DHCP server field with the management IP address of the controller"
Does this mean I must now enter the IP of the management interface as the Primary DHCP Server on the Guest interface, and the controller will then forward the traffic to the internal DHCP scope on the Guest subnet and send it back?
(DHCP proxy is enabled on the Guest WLC.)
Thanks
Al

For an anchor you can use either an internal or an external DHCP server.
"Does this mean I must now enter the IP of the management interface as the Primary DHCP Server on the Guest interface, and the controller will then forward the traffic to the internal DHCP scope on the Guest subnet and send it back?"
Yes. The WLC forwards the unicast DHCP request to the management IP for the guest interface. All CPU-generated traffic by default uses the management interface as source address, i.e., SNMP, RADIUS, ping...
Is your question whether you need routing between the guest and management interfaces?
No, routing is not required in this case because the interface resides on the WLC's management. Also, for proxy it uses the virtual IP address for DHCP instead of the actual DHCP IP. And only wireless clients can get an IP from the WLC's internal DHCP server.
If you're using DHCP proxy on the WLC and have an external DHCP server on a different VLAN, then yes, you need routing between the two VLANs.

Similar Messages

  • Guest LAN and DHCP Options not passing through

    Managed to get the Guest LAN up and running for wired clients and all's working well. Users are sat behind a proxy and if I force the use of an appropriate wpad file I can get the WLC auth to happen and then push off to the proxy.
    I'm trying to use option 252 in DHCP to present the WPAD url.  Only issue that happens is that while the DHCP server on the egress interface is handing out addresses to clients on the ingress interface correctly, the WLC doesn't appear to be handing through the option 252 I have set in DHCP.  I've used network monitor to see what the dhcp request process is dishing out in terms of options, and all look good if I'm not behind the WLC.
    Anyone know if there's a limitation on the WLC that prevents DHCP options being passed through to the guest LAN?
    TIA

    When configured as a DHCP server, some of the firewalls do not support DHCP requests from a relay agent. The WLC is a relay agent for the client. The firewall configured as a DHCP server ignores these requests. Clients must be directly connected to the firewall and cannot send requests through another relay agent or router. The firewall can work as a simple DHCP server for internal hosts that are directly connected to it. This allows the firewall to maintain its table based on the MAC addresses that are directly connected and that it can see. This is why an attempt to assign addresses from a DHCP relay are not available and the packets are discarded. PIX Firewall has this limitation.
    For more information please refer to the link: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008070ba8f.shtml

  • Open Guest Network and DHCP utilisation

    For guests to be able to easily access our wireless network, the Layer 2 security is Open, with Web Authentication implemented at Layer 3.
    The problem I have with having no Layer 2 security (open) is that my DHCP pool is utilised by devices that may never authenticate. It becomes more of a problem if the DHCP pool is associated with DMZ Public addresses...
    Is there any way of moving the client to a different DHCP pool after web authentication? (i.e. from a Private pool to a Public pool).
    I can see from the documentation that Dynamic VLAN assignment is not possible with web authentication :(

    In the case of DHCP, a DHCP server must be available locally and must be able to provide the IP address for the access point at bootup.
    http://www.cisco.com/en/US/docs/wireless/wcs/4.0/configuration/guide/wschreap.html

  • NAC guest server and pre-configured duration of accounts

    There seems to be a bug in the way the NAC guest server handles the pre-configured duration of guest accounts.
    I have followed the manual and I did:
    - Configured 3 durations (24h, 48h and 1 week) under the templates/accounts/accounts durations.
    - And set "maximum duration of account" under User Groups
    As I understand I should now be able to select one of the three configured durations when I login as a sponsor.
    However I only get the number which I specified under User Group.
    The odd thing is that if I change the Maximum duration under User Group, I get this as the only choice (e.g. 14 days).
    Have others experienced this?
    Best regards,
    Steffen Lindemann

    You can use either option, i.e. number of days or number of hours.
    For days:
    Authentication > User Groups > Add Group | Edit Group includes two new settings for Number of days in the future the account can be created and Maximum duration of account (in days)
    For hours:
    User Interface > Templates > Add Template | Edit Template > Accounts > Account Duration
    http://www.cisco.com/en/US/docs/security/nac/guestserver/release_notes/11/gsrn110.html

  • 3850 as MC and 5508 as Anchor Guest

    Can I use a 5508 WLC with release 7.4.121.0 as anchor guest for a 3850 configured as Mobility Controller?
    The Converged access (new mobility) is supported only in 7.3.112 or 7.5 and later releases, but I don't need to configure the 3850 as Mobility Agent.
    I need to configure the 3850 to connect to my anchor guest controller 5508 in the DMZ.

    Hi
    You need to run 7.6.110.0 on your 5508 & enable "New Mobility" feature on your 5508 if you want to have Anchor-Foreign setup between 3850 & 5508.
     NB: 7.3.x & 7.5.x codes are differed & 7.4.x code does not support this "new mobility"
    HTH
    Rasika
    **** Pls rate all useful responses *****

  • WLC+Anchor+Guest NAC

    Hello all
    I have a few basic clarifications on these components. I have a network with LWAPPs and a WLC on one site, say Site A. Let's consider only the guest SSID access for now. The Anchor guest controller is positioned on a DMZ segment on Site B. Site A & B are connected through a routed network. I also have a NAC guest server on Site C. Now, I want to integrate all these components. As per my knowledge, the following is the traffic flow:
    1) When guest users access their SSID, they are mapped to the anchor controller in the DMZ through mobility groups. The WLC then initiates an EoIP tunnel to the DMZ controller. Firewall rules allow all required ports (IP 97, 16666 UDP etc.), and end-to-end IP communication happens.
    2) Upon the request, the Anchor controller provides an IP address from DHCP configured locally. In this case, will the default gateway of the PCs be the Anchor DMZ controller's WLAN IP or will it be local to Site A (say L3 switch)?
    3) Then when the user tries to access any site, he is given a web authentication portal, which is linked to the RADIUS server/NAC guest server. During authentication, the DMZ controller again tries speaking to the NAC guest server in Site C. Hence the firewall has to allow UDP 1812/1813 RADIUS ports.
    4) After authentication, the user browses the internet. Now, what will be the IP packet flow in this instance? Will all traffic first be tunneled across LWAPP to the controller, and from there EoIP'ed to the Anchor? Does the Anchor then forward it to the internet gateway through the DMZ? As asked before, will the default gateway of the PCs be the WLAN IP of the anchor? If there are too many users, will I create many WLAN SSIDs for guests for Site A?
    Sorry for the long post..
    Raj

    Greg
    Thanks again, that was useful too. One last query, and this was grilling my head:
    1) How does the guest VLAN egress work? I have a WLC on a new DMZ of the PIX, with a /27 subnet. This WLAN is used only for EoIP communication. Now, when the guest user gets a DHCP IP, what IP pool should I define here? Since the default route is going to be towards the PIX, it should be one among the 4 interfaces, right now? Or should I have another interface or VLAN DMZ for the egress traffic from the WLC? The SRND says something about dynamic interfaces, but it is not explained at all :(
    2) Will the foreign WLC talk to Anchor controllers 1 & 2 in load-balancing mode? Why I'm asking is, if the DHCP is defined on Anchor 1 and the request goes to Anchor 2, then it will be an issue. Otherwise, is it advisable to split up DHCP scopes between the two Anchors? Say 1-127 on one anchor and 128-254 on the other?
    3) Lastly, about guest NAC servers: I have 2 of them in place. Will the guest database be replicated between them, like what ACS does? If so, is the replication bidirectional? If the lobby admin creates an account, it will be good if he just creates it in one box and the other box replicates it.
    Thanks for all your answers. It has been really useful to me, and I think it will be useful for anyone who works on Anchor+guest+foreign WLC designs :)
    Raj

  • Guest anchor WLAN and DHCP

    Hi,
    I am trying to set up a guest WLAN using a local controller and a controller in my DMZ using the mobility-anchor configuration.
    Ideally I'd like to use an external DHCP server in my DMZ, but for now, I'd be happy getting the local DHCP server on the DMZ controller working.
    Local Controller config
    Configured mobility-groups, verified mobility group is working
    Created WLAN called "guest" - assigned it to the management interface.
    Have tried the following with regards to DHCP on this WLAN.
         Set it to "override" and specified the DMZ controller's management interface
         Set DHCP to "assignment required" and specified the DMZ controller's management interface for the DHCP server for the local controller's management interface
         Left DHCP server blank on the local controller's management interface
    Setup the DMZ controller as the mobility anchor for the "guest" WLAN
    DMZ controller config
    Configured mobility-groups, verified mobility group is working
    Created WLAN called "guest"
    Created a dynamic interface called "guest" associated to the "guest" WLAN
    Setup mobility anchor for the "guest" interface,  mobility-anchor = local controller
    Created an internal DHCP server scope and enabled it
    Have tried the following with regards to DHCP on the "guest" WLAN
         Set DHCP to "assignment required" and specified the IP address of the controller's management interface as the DHCP server on the "guest" dynamic interface
         Set DHCP to "assignment required" and specified the IP address of the controller's "guest" dynamic interface as the DHCP server on the "guest" dynamic interface
         Set DHCP to "override" and specified the DMZ controller's management interface IP
         Set DHCP to "override" and specified the DMZ controller's "guest" interface IP
    After all this, my client still cannot get an IP address via DHCP. I verified the client is associating to the AP.
    Any help would be appreciated.
    Thanks
    Lee

    On the DMZ controller, what is the output of a debug client <mac address of the client>? You may also want to capture debug mobility handoff enable from both WLCs.
    For the guest, the DHCP is going to come from the DMZ controller, so there is no real need to configure anything on the internal WLC. One thing of note: the WLAN config on both the DMZ and Internal must match exactly with the exception of the linked interface, otherwise you will not anchor.
    While running the debug, show dhcp proxy; for the WLC to be the DHCP server, proxy needs to be enabled.

  • Do Anchor controller and foreign controller have to run on the same code version?

    Hi All,
    I have a 4402 anchor controller and 8 4402/4404 foreign controllers all running on code 4.2.61.0 for 1 year without any problem. All guest users are connected to the foreign controllers and then tunneled back to the anchor controller. Right now I need to replace a 25-AP license 4402 foreign controller with a 50-AP license 4402 controller. The new controller is running on code 7.0.116.0. I am wondering if the new controller can join the mobility anchor group so that guest users won't lose connectivity after the swap.
    Please advise. Thanks in advance.
    Robert

    Hi,
    The below link will answer your question!! (Inter Release controller Mobility)
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_0_116_0.html#wp568458
    Let me know if this answered your question and please don't forget to rate the useful posts!!
    Regards
    Surendra

  • Changing DHCP Scope on Guest Controller

    I currently have a class C network configured on my guest controller. I need to change to a class B to expand my range of IPs for DHCP.

    You cannot change a class B network to a class C network. What you can do is subnet the existing IP range to include more IP addresses.

  • Cisco 4402 Guest lan and product lan DHCP assignment

    I'm currently setting up a wireless LAN with a Cisco 4402 Wireless LAN Controller and 1 Cisco 1242AG access point.
    All the devices include:
    Cisco catalyst 6505
    Cisco 4402
    D-Link broadband router
    Connection between them:
    6505 trunking with 4402 (dot1q, trunking vlan 1 and vlan 3, but I found that all VLANs on the 6506 will trunk together; wlan 1 is production lan while vlan 3 is Guest lan)
    6505 vlan 3 is connected to the D-Link broadband router as a guest LAN
    Both vlan 1 and vlan 3 have a DHCP server, for production PCs and guest notebooks respectively.
    On the 4402, I have two interfaces and 2 WLANs: one interface for the production LAN pointing to the production DHCP server address and the other interface for the guest LAN, pointing to the guest LAN DHCP server.
    Last week, when a notebook connected to the guest LAN, it was assigned an address from the guest DHCP server, and when connecting to the production LAN, a production IP was assigned. But things changed without any change to the structure: when I connect to the guest LAN SSID, the IP is supposed to be assigned by the guest LAN DHCP, but it failed, and the notebook got an IP address from the production LAN.
    Is it that trunking makes all those VLANs "mixed", so that the client gets an IP from the DHCP server with the faster response time?
    How can I make sure that when I connect to the guest LAN, the IP will be assigned from the guest LAN DHCP server and vice versa?
    Many thanks!

    Here is the URL for the Cisco Guest Access Using the Cisco Wireless LAN Controller which will help you :
    http://www.cisco.com/en/US/docs/wireless/technology/guest_access/technical/reference/4.0/GAccess.html

  • Solaris 10 zone configuration with sysidcfg and dhcp and hostname

    Hi
    Excuse me if I look like a n00b... it's probably because I'm a n00b.
    I've been struggling in the dark for more than 2 days now and I'm wondering if I'm thinking about this all wrong...
    I have a stand-alone server where I need to run zones. I want to create zones and automagically configure them at boot (read: by running a script). So here's what I need...
    A zone
    starting from unconfigured state
    whose hostname is not the same as the zone name
    using corporate DHCP to get its IP address
    with DNS config coming from the DHCP server
    registering its address with the DNS
    with a preconfigured root password
    (I don't own the corporate DHCP or DNS servers, I can't put my own DHCP or DNS servers on the network.)
    I would like to create the zone, throw some config at it, then boot the zone and walk away. I am using zones with exclusive-IP. I can construct the zones and manually configure them once they're started to have DHCP, my own name, registered IP address with DNS and everything else I have specified above. But I don't want to do it manually...
    Sysidcfg seems to do some of what I want but not entirely.
    In sysidcfg I can set the root_password, the primary interface using DHCP, DNS server. I can't set a hostname in sysidcfg AND configure it for DHCP. So the hostname is not what I want it to be after the zone is started and ready to go. The DHCP server is providing the DNS configuration, Solaris does not seem to honour it, but I'll ignore that for the moment.
    I have tried various combinations of using sysidcfg, /etc/nodename, /etc/hostname.<interface> and /etc/dhcp.<interface> but I can't find any combination that actually works.
    I can write to the zonestorage/etc/nodename to set the nodename, that works. But it does not match the DHCP address, so I get prompted for a new name service because it can't find a DNS entry for the name.
    I can write to the zonestorage/etc/hostname.<interface> and /etc/dhcp.<interface> (to get the system to register its name with the DNS server after getting its DHCP address) but then I get a system with no root password and no DNS configuration, even though they are set in the sysidcfg file.
    I can write a script that gets part of the way using sysidcfg and /etc/... files, then boots the zone and then runs a bunch of voodoo via zlogin commands to fix all the stuff that couldn't be done 'properly', but that's not a 'boot and walk away' environment. I can write a script that uses sysidcfg and hacks around with other files in /etc (like nsswitch.conf, resolv.conf), but that just feels like a dirty hack to fix something that wasn't done properly in the first place.
    So where am I going wrong and how do I do it right (within the constraints defined)? Why can't I configure, boot and walk away?
    Thanks

    Thanks abrante
    Thanks for your response!
    I don't think the config is messed up after the installation. I think the installation is fine, it's just not what I want :-)
    I'm trying to decouple the zonename from the system name and get DNS registrations working. After installation, a DHCP client can get its hostname from DNS but I'm trying to do it the other way around. I want the DHCP client to specify its own hostname, get an address from the DHCP server and then register its hostname with DNS. If the system gets its name from DNS/DHCP then I have to configure those to provide the system name and I don't own the DHCP/DNS infrastructure. These zones are for a development/QA environment, so we create and reconfigure these frequently. Hence the need to specify the system name within the zone and register that name in the DNS.
    I have tried fiddling with the PARAM_REQUEST_LIST but it does not seem to be working as I expect. :-$ Removing 12 did not help with setting the hostname from the system. DNS does not have a registered name for this system anyway, so even if it tried to get a name for this system, it would get nothing.
    I also do want the DHCP to change the DNS server and domain name, but this does not happen even though my dhcpagent includes 6 and 15 in the PARAM_REQUEST_LIST. I still have to set them in the sysidcfg file because it is always ignored in Solaris (S10u8 with 10_Recommended 30-Jul-2010)
    As stated, I know I can hack around with the system after it has booted. But I'm trying to configure the system before it starts and let it take care of itself and not have to touch it. Frankly I'm surprised that the sysidcfg does not allow you to set a hostname when you are using DHCP, that the default DHCP configuration does not register the system name with the DNS server, and the DNS config from the DHCP response is ignored. Even a sys-unconfiged system requires DNS configuration during initial boot, when I know that the DHCP response contains DNS information.
    FYI: Windows systems using DHCP work as expected in this respect by default, i.e. set system name, use DHCP --> system gets address from corporate DHCP, DNS settings are set from DHCP information, DNS registration is made for system name.
    I'm working around this at the moment... I call my zone by the system name I want, I hardcode the DNS settings in the sysidcfg file and I create the hostname.<nic> and dhcp.<nic> files in the zone storage to get the system to register its name with DNS, then boot.
    Edited by: cydonian on Aug 19, 2010 7:45 PM

  • How do I configure my PCI-GPIB cards so that one is a controller and the other is a device being controlled by the first card

    I have 2 PC's, both fitted with PCI-GPIB cards. One will be the system controller and the other will be a device on the GPIB bus. How do I configure both cards using LabWindows/CVI v7.0 to achieve this ? What commands are used to send and receive the data ?

    Hi Pete,
    For the controller board you don't really need to do anything. By default the GPIB interface is configured as controller.
    The non-controller can be configured in MAX. Right-click on the interface, uncheck the ono-controller box and change the primary address. It is usually a good idea to set these parameters programmatically. Use ibpad to set the primary address and ibrsc to release system control.
    For the controller you can use a device descriptor (using ibdev) or a board descriptor (ibfind).
    You can only open a reference to the non-controller board using ibfind (ibfind("gpib0"), for example). This will open a board reference. You cannot use a device reference because that implies that the board is capable of addressing the bus. Only the system controller can.
    Here are some links I found on the web on this subject:
    Passing GPIB Control -- System Controller vs. Controller In Charge
    Tutorial: Programmatic File Transfers over the GPIB
    Example: Using a C Program as a GPIB Non-Controller with LabVIEW as the GPIB Controller
    Example: Serial Polling Between Two Computers (Controller and Non-controller)
    Hope this helps.
    DiegoF
    National Instruments.

  • Guest LAN and WLAN on Controller

    Hi,
    While creating a new SSID, I can see the options guest LAN and WLAN. What's the difference? Which one is preferred?
    Thanks in advance..

    Hi,
    I remember answering this a few days or at most a week back, and George also joined the thread.
    Guest LAN WLAN =
    1> The clients connecting to the WLAN will have a time limit on the connectivity, for example you can configure the Guest WLAN for 24 hours or something which you want..
    2> I guess George pointed this in the previous thread.. Can be used for Wired Guest Users configuration as well , here is the link..
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008070ba8f.shtml
    WLAN =
    Just nothing but an SSID with security which doesn't have any time limit.
    Which one is preferred? =
    It's your network, and whatever meets your requirements you can use. However, both of them do their job with different features involved.
    Let me know if this answered your question.
    Regards
    Surendra
    ====
    Please don't forget to rate the posts which answered your question and mark it as answered or was helpful

  • WLAN and DHCP with WLC controller

    Hi,
    I have a question about how DHCP works for WiFi clients.
    On the WLAN edit page I've seen that my options are:
    1) DHCP override -> I insert the DHCP server address here
    2) without DHCP override -> the WLAN will use the DHCP server configured under the management interface
    Based upon this information: why can I configure a DHCP server also on other interfaces and not only on the "management" interface?
    If I configure 2 DHCP servers on a "user interface" (without the "override" option in the WLAN), will my clients use these DHCP servers or the DHCP on the "management" interface?
    Many thanks in advance
    Luigi

    From the on-line help it seems different ;-/
    =====
    DHCP Server (Override)
    When selected, you can enter the IP address of your DHCP server. This is a required field for some WLAN configurations. There are three valid configurations:
    DHCP Server Override ON, a valid DHCP Server IP address, and DHCP Address Assignment Required: Requires all WLAN clients to obtain an IP address from the DHCP Server.
    DHCP Server Override ON, a valid DHCP Server IP address, and DHCP Address Assignment Not Required: Allows all WLAN clients to obtain an IP address from the DHCP Server or use a static IP address.
    DHCP Server Override OFF: Forces all WLAN clients to use the DHCP setting in the Management Interface, not the static address.
    ===========
    It seems that I can use an external DHCP server, putting the address:
    - in the box that appears when I flag the "override" option
    - or in the management interface
    I think documentation is not so clean
    Many thanks
    Luigi

  • How to configure HA between local controller and remote controller in DC

    Good day,
    If I have two Cisco 5508 Controllers, running software version 7.4, how would my failover happen when the APs run in local mode, the local controller fails, and you configured your remote controller as your secondary controller? Question is, will the APs automatically convert to FlexConnect mode when they fail over to the remote controller in the DC? I know you cannot configure HA as the controllers have to be connected with Ethernet copper cable on the redundancy port, giving you a distance limitation of 100m.
    Thank you in advance
    Adrian

    Hello,
    As per your query, I can suggest the following solution:
    In wireless network deployments that run controller versions earlier than 5.0, when a controller goes down, it takes a long time for all the APs and the associated clients to move to a backup controller and for wireless service to resume.
    The features discussed in the document are implemented on the controller CLI in WLC software release 5.0 in order to decrease the time that it takes for access points and their associated clients to move to a backup controller and for wireless service to resume after a controller goes down:
    In order to reduce the controller failure detection time, you can configure the heartbeat interval between the controller and access point with a smaller timeout value.
    In addition to the option to configure primary, secondary, and tertiary controllers for a specific access point, you can now also configure primary and secondary backup controllers for a specific controller. If the local controller of the access point fails, it chooses an available controller from the backup controller list in this order:
    - primary
    - secondary
    - tertiary
    - primary backup
    - secondary backup
    The access point maintains a list of backup controllers and periodically sends primary discovery requests to each entry on the list. You can now configure a primary discovery request timer in order to specify the amount of time that a controller has to respond to the discovery request of the access point before the access point assumes that the controller cannot be joined and waits for a discovery response from the next controller in the list.
    Hope this will help you.
