BBSM and ISA for WLAN Guest Access

We are considering the purchase of a BBSM to help provide WLAN guest access to the Internet.
I know that Microsoft's ISA server is one component of the BBSM, but can anyone tell me:
1) What version of ISA is implemented in BBSM?
2) Is the ISA component at all customizable? That is, can I add policies to BBSM's ISA to restrict the Internet sites users can go to?
Thanks very much.
John

I am not sure what version of ISA it is, but from our experience you cannot filter what addresses the user can go to. We have customised it some in that we forward all of the web traffic coming in to a web filter box and allow the filter box to block sites.

Similar Messages

  • CPI 1.2 WLAN Guest Access, multiple account

    Hello All
    Is it possible with the CPI 1.2 built-in WLAN guest access functionality to create a WLAN guest account that can be used simultaneously by several users?
    Or if that is the normal behaviour, is it possible to restrict one guest user to one computer?
    Thanks,
    Patrick

    To answer my own question, this is done under:
    Configure - Templates - Controller Template Launch Pad (if you are working with templates), then Security - User Login Policies and here it's the setting "Maximum Number of Concurrent Logins for a single user name". Set it to 0 for unlimited times the same username.
    Sadly that means that I cannot restrict it per guest user, but only globally.

  • Possible to use Airport Extr and Express for WIRED Guest Network?

    Situation and landscape:
    My house has a Comcast cable-modem, which is connected to an Airport Extreme (AEx).
    The AEx is running WPA WiFi, and this is all good.
    There is one ethernet wire running out of the AEx, which goes 150 feet to the rear of my house, across a short corridor (protected from weather with insulated pipe) and into my garage apartment, where it terminates into an Airport Express (APress.)   This garage apartment is frequently used as part of a rental property.  The APress is extending the same WiFi SSID/settings.
    When guests arrive, they are able to plug-in their notebook computers to the APress ethernet port, or use the WiFi.
    Well, the problem with that, obviously, is that they can "see" the other computers on the network, and printers, etc.
    It would be perfect to configure the AEx and APress for the WiFi "guest network."  However, there are problems with this:
    1)  Believe it or not, many guests still use direct-plug and do not have nor know how to set up their WiFi -- so they MUST have a direct ethernet wire.
    2)  When I use Airport Utility for the APress, it does not show any WiFi guest network option -- maybe because another dependent setting is not allowing this (i.e. "Bridge Mode"?)
    3)  The distance between the AEx and this garage apartment is too long between them to shoot a WiFi guest network from AEx and to be picked-up by the Airport Express... and there's a center core in my old house that is impervious to all radio frequencies and could block a nuclear blast.  Well, it causes a degradation of wireless.   And this brings us back to #1 above...in that I need a cable ethernet option.
    Picture attached of current landscape:
    So, maybe....
    I've spent the better part of a couple of hours searching here, particularly for the terms "access point" but the terminology isn't what I need.  What I wonder is if perhaps I need to place an APress beside the AEx, turn on Guest Network at the AEx, then "pick it up" with a second APress, and carry the ethernet signal to the garage apartment and allow guest WiFi and wired.  (see second picture)   Will this work?

    OK, here's how to set this up.
    Open up AirPort Utility 5.6.1, select the Express, and click Manual Setup
    Click the Wireless tab located below the icons
    If you want the Guest Network to have a different SSID (recommended), then change the name of the wireless network, adjust the security settings if needed, and change the Wireless Password and Verify
    Click the Internet icon up at the top of the window
    Click the Internet Connection tab just below the icons
    Change the setting for Connection Sharing to Share a public IP address
    Click the DHCP tab located under the icons
    Change the DHCP Beginning Address to read something different.....like 10.0.5.2
    Click Update and give the Express a full minute to restart
    At this point, the Express indicator light will be slowly blinking amber
    Open up AirPort Utility again, select the Express and click directly on the word Status (2nd line)
    You should see a Double NAT notice with an option to "ignore" the item
    There may also be a Setup over WAN notice with an option to "ignore" the item
    Click in the boxes to ignore both items, then click Update again and the Express will restart and display a green light
    Try things out to verify that the Guest Network cannot "see" any devices on the main network...and vice versa.

  • Grocery List Needed for WLAN Guest NAC

    Hello - what I want to do is put a solution in place that will control any guest wireless that is out of bounds. What I mean by that is for locations that have a DSL line alongside the corporate network to be controlled through a NAC guest server.
    Scope of the enterprise is:
    * 2k8 domain.
    * cisco 1200 and 1240 AP's
    * 1 cisco NAC guest server
    * 1 acs
    * sites are all connected via MPLS
    What else do I need? Of course I am trying to be mindful regarding budgetary numbers.
    From reading the configuration guide for the clean access server I assume I need the Client Access manager NAC appliance as well, to have this all tie together?
    Please advise on any other things, tips or tricks. :)
    Thank you kindly in advance.

    NAC Out-Of-Band (OOB) Wireless Configuration Example
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml

  • SA 540 and DMZ Issue for Wireless Guest Access

    I have hooked up a Wireless AP into the Optional Port setup as DMZ on the SA 540. My goal is to provide internet access to wireless guest users without giving them access to the entire LAN. The internet access for the wireless guest users is painfully slow. It takes 5 minutes to access Google. Has anybody else had issues with slowness? I am able to successfully ping websites and retrieve their IP address, but it won't connect to any websites via web browsers. Just to humor myself, I configured firewall rules to allow DMZ full access to the LAN and WAN. I am still having the same results. Any thoughts and suggestions?

    Hi,
    I'm not the one with the AP problem, I just have the same issue with the DMZ port. I think you have to forget about the whole AP issue here since the problem is with the DMZ port on the SA500.
    I have my Web and Mail server set up on the DMZ port, I can ping and resolve Domain names to the outside world, but trying to reach anything with a browser takes foreeever. On, eg. www.apple.com I just get a few lines from their web page (so there is a connection) and then it halts to a stop (takes about 5 min).
    I also tried to move my laptop to the DMZ, just to make sure there is no problem with the server, and it has the same issue.
    To summarize, I have about 16 Mb connection on my LAN and on my DMZ I can't even load a full web page.
    Firmware 1.0.39
    BTW, when I upgraded the firmware it wiped my configuration, but it kept my firewall rules in place, even though they weren't shown in the Firewall table. e.g. I could still access my DMZ from my LAN. I had to hard reset the router from the hardware reset button on the router before that changed and the router was completely reset.

  • WLC 2500 and WCCP for Wireless Guest Users

    Hi there
    I would like to redirect web traffic from WLANs on a Wireless LAN Controller 2500 to a proxy server in a remote site. I'm using ironport proxy server and Cisco 3560 Layer 3 switch. Basically current scenario is:
    Wireless Guest Users get authenticated by web-auth through Access Point 3501 HREAP configured. Guest client gets an IP address on VLAN 100 in remote site. Once they connect to VLAN 100, I want all web traffic to be redirected to the proxy server. I know PAC file may be the easier solution however our guest clients want seamless solution for internet. I am not sure whether WCCP is supported for this.
    Your advice will be highly appreciated.
    Regards

    For guest wireless traffic redirect to proxy server
    https://supportforums.cisco.com/thread/2126486

  • DMZ Anchor WLC setup for Wireless Guest Access

    I have the following setup.
    A DMZ WLC 4402 connected to firewall DMZ interface in 10.10.73.0/24 network.
    An Inside WLC 2106 connected to firewall Inside interface in 10.10.71.0/24 network.
    Both WLCs are running the same 4.2.176 code.
    DMZ WLC is anchor to itself and Inside WLC select the DMZ WLC as the anchor point.
    I have setup EoIP between DMZ and Inside WLCs successfully with both the control and data path both show as UP status. >> "show mobility anchor"
    The main issue: Clients cannot obtain IP addresses after connected to Guest SSID.
    1. Inside WLC, the guest WLAN ingress is 802.11b/g radio and egress port is set to management interface (EoIP) of type WLAN.
    What is the DMZ WLC setting? Is the ingress set to "802.11b/g" which does not make sense because the ingress is EoIP from Inside WLC?
    Or I still set as 802.11b/g? Same config as Inside WLC? I read from other threads suggested by Terry that the config must be the same for both WLCs.
    In the Inside WLC, I saw a lot of pdu encapsulation errors for broadcast packets which is ffff.ffff.ffff xxxx which I think is the DHCP request from the connected Wireless clients not making through the EoIP tunnel. I have set static ip for the Wireless client but the packets cannot route through the EoIP tunnel to the far end.
    2. DHCP server is provided by DMZ WLC with the scope 10.10.76.0/24. In the Inside WLC, which DHCP server IP address to set to? DMZ WLC mgmt ip address? DMZ WLC, the DHCP server is also set to DMZ WLC mgmt ip?
    3. Layer 2 authentication. I read that DMZ WLC is supposed to be the DHCP server, Layer 2 or 3 authentication for Wireless Clients. However, it seems like Inside WLC is required to configure the Layer 2 authentication parameters and the DMZ WLC is set to providing the DHCP service?
    4. Lastly, anyone has done DMZ WLC sending the Wireless clients traffic to Bluecoat proxy server before hitting the Internet?
    Thanks.

    One of the biggest things is to make sure the wlan is configured exactly the same. The DMZ WLC ingress is the management and also is the egress port. You can create a dynamic interface on the DMZ WLC, but this way makes things easier. The DMZ WLC should provide the dhcp, so the dhcp scope of course will be on the same subnet as the management of the DMZ WLC. The DHCP Server will be the ip address of the management interface of the DMZ WLC. The authentication also has to be configured exactly the same on the inside wlc and the DMZ wlc. Since you are pushing clients through the tunnel to the DMZ WLC, that is where clients will need to get their ip address, since that DMZ WLC has a network interface to the guest network. I haven't had luck when a proxy is involved, but I know there was a post a while ago on how to setup the proxy to allow the wlc to bypass the users initial dns resolution.

  • LAN+WLAN guest access

    We are about to deploy a 'guest' ssid. The scenario we are struggling with is when an employee connects to the LAN and the laptop automatically connects to the 'guest' WLAN (dual homed PC with default gateway on LAN). We are trying to figure out how to prevent this since our users will not disable the wireless nic.

    This is more a Microsoft issue. It just associates to any AP if the AP broadcasts the SSID:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;811427&Product=winxp
    I am thinking of a hack. I try the following in the lab:
    1. Configure an AP so that it broadcasts an SSID which uses open authentication and no encryption. I assume that this is your configuration.
    2. I use an XP laptop (I guess that you use XP). The XP picks up the SSID broadcast from the AP. I configure the SSID so that I enable WEP encryption and enter a bogus WEP key.
    I do not get an IP address on the wireless NIC. Of course, I assume that you pick a unique SSID, so that no user uses the same SSID at his/her home.

  • Expiry Notification for User Guest Access on WLC

    Is it possible and where to configure warning notification sent to guest users that their account is about to expire?
    Also, is there a function in WLC to specify the start date for a local guest user?
    Thanks....

    That's not possible.
    You may look into the NAC Guest Server for advanced features with guest users. Be aware that it's not tied to NAC necessarily. Not sure why they put "NAC" in the product name :-)

  • ISE with CWA and wired guest access via WLC Anchor

    Can an Anchor WLC (WLCa) provide a wired guest LAN service if the wlan guest access is using CWA?
    We are deploying a WLAN only ISE solution (it is a full license ISE though) but they just want a few wired guest ports.  I was hoping to add an L2 switch to the DMZ where the WLCa is and that the L2 switch wouldn't need any other config as the WLCa just bridges the wired to the wlan vlan.  This I'm sure I have done before.
    So now I have set wired guest the same as I have done before ISE and my wired clients get an IP address, but when they redirect, the URL they get is different, and the redirect just doesn't work.
    It comes out as:
    https://my_ise_ip:8443/guestportal/Login.action?switch_url=https://my_ise_host/login.html&wlan=my_wired_guest_lan&redirect=www.google.co.uk
    So does my simple L2 only switch need an ISE config on it, or should the WLCa be handling the redirection just as it would for a wlan device?

    The ISE never receives an auth entry, so I don't believe the redirect is working for the wired client.  So even though the client's browser gets a redirect url which fails connection, the client info in the WLCa doesn't have a redirect ACL listed like a wlan client would.

  • Webproxy for guest access

    Hi,
    I have deployed web proxy in explicit mode with integration with Active directory.
    When my users are authenticated they are getting the access to the internet as per the policies.
    I want to know, if any guest user comes and tries to access the internet, he won't be an authenticated user, hence there will be no access to rule.
    Is there any way to create a guest access policy so that if the user is not found in the AD, he should still get access through the second policy?
    I have seen there is an option for the guest but am not sure how this works.

    Please see the user guide: http://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa8-0/WSA_8-0-0_UserGuide.pdf and go to page 112 for "Granting Guest Access After Failed Authentication"
    Basically when you create an Identity with authentication, tick the option for "Support Guest privileges if a user fails authentication".
    Then ideally you will need to create 2 Access Policies using that Identity:
    1. Access Policy that is using the authentication.
    2. Access Policy that is using the same Identity; when you specify the Identity, under "Authorized Users and Groups" select "Guests (users failing authentication)", then submit. (Please note: put this second access policy under the authenticated access policy, do not place it before the authenticated access policy.) After this you can specify the level of access for this access policy.
    Hope this helps

  • Voucher based guest access for vWLC (time restricted pre created user auth codes)

    Hi all,
    Is it possible to create voucher based user auth tickets for guest wireless on the Cisco WLC?
    We are running the vWLC latest version
    Cheers, Simon

    No, you cannot create vouchers using vWLC, but you can create guest access using vWLC.
    For the guest access deployment, please refer to the document below.
    http://www.cisco.com/c/en/us/td/docs/wireless/technology/guest_access/technical/reference/4-1/GAccess_41.html#wp1000477

  • Guest Access in 4.2.112/130 code

    I've just upgraded our controllers from 4.1.185 to 4.2.130 and have noticed some new settings and features for Guest access, specifically on the interfaces and the wlans. Can someone point me to an updated guide on the explanation of these new additions and the recommended setup now? Until I see an explanation on paper so that I can fully understand it, I don't want to change my current setup. i.e. Guest Lan, Ingress Interface, Egress Interface.

    Here is an even better link:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml
    the nutshell....
    "A growing number of companies recognizes the need to provide Internet access to its customers, partners, and consultants when they visit their facilities. With the new Wired Guest Access feature support on the Cisco WLAN Controllers that uses Cisco Unified Wireless Software Release 4.2.61.0 and later, IT managers can provide wired and wireless secured and controlled access to the Internet for guests on the same wireless LAN controller.
    Guest users must be allowed to connect to designated Ethernet ports and access the guest network as configured by the administrator after they complete the configured authentication methods. Wireless guest users can easily connect to the WLAN Controllers with the current guest access features. In addition, WCS, along with basic configuration and management of WLAN Controllers, provides enhanced guest user services. For customers who have already deployed or plan to deploy WLAN Controllers and WCS in their network, they can leverage the same infrastructure for wired guest access. This provides a unified wireless and wired guest access experience to the end users."

  • Wired guest access on WLC 4400 with SW 7.0.240.0

    Hello,
    After we upgraded our WLAN controller 4400 from software 7.0.116.0 to 7.0.240.0, wired guest access doesn't work anymore.
    All other things work fine, incl. WLAN guest access!
    When we try wired guest access, we get the web-authentication page and can log in.
    On the controller we can see that the Policy Manager State changes from WEBAUTH_REQD to RUN.
    But then there is no access to the internet.
    We tried also SW 7.0.250.0, same problem!
    Log Analysis on the WCS:
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :The WLAN to which client is connecting does not require 802 1x authentication.
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client does not have an IP address yet.
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client L3 authentication is required
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client Moved to DHCP Required State.
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Mobility role update request. from Unassociated to Local Peer = 0.0.0.0, Old Anchor = 0.0.0.0, New Anchor = 10.101.200.11
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Mobility role changed. State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :DHCP successful.
    Time :03/12/2014 14:21:26 MEZ Severity :ERROR Controller IP :10.101.200.11 Message :Client got an IP address successfully and the WLAN requires Web Auth or Web Auth pass through.
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client IP address is assigned.
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Webauth user logged in to the network. manni
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :AAA response message sent.
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client has completed Web Auth successfully.
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client has completed Web Auth successfully.
    Trying http://www.google.de .... doesn't work. No Log Entries. Next entries while logging out.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Web auth is being triggered again.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client L2 authentication has been completed successfully.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client Moved to DHCP Required State.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :WebAuth user Logged out from network.
    Does someone have an idea how to solve this problem?
    Regards
    Manfred

    Hi
    Yes, got it resolved. It turns out that the connection from the wired guest access port to the WLC must be L2. That is, the switch that the wired guest access port and the WLC are connected to must be L2 only. We were using a single switch to do the testing and it was also doing the routing for the test LAN. Even though there was no L3 VLAN interface configured for the VLAN that the guest access port was on, for some reason this breaks it. Absolu Didn't have a chance to work out the exact limitations of this as we simply made the switch L2 only and configured an 802.1Q trunk to the Internet router and made subinterfaces on the router for the wired and wireless egress ports and it worked then. No config change was needed on the WLC at all.
    The only thing I can think of is that it's something about the way the WLC joins the wired guest access ingress VLAN and egress VLAN. The WLC isn't a real router; it says so in the documentation. I think the packet coming from the wired access port is being bridged to the egress VLAN, not routed, and this is what screws it up (remember, with a router the source and destination MAC addresses would be changed; with a bridge they aren't). Got to be something along those lines. If you have a bigger network with a guest anchor WLC handling this function you don't run into this, as the traffic is coming over an EoIP tunnel from the remote WLC so the switch with the guest anchor WLC doesn't see the MAC address of the wired guest PC.
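
Added example (not part of the original thread, and not Cisco code): a small Python parser for the WCS "Log Analysis" line format quoted in the question above. It skips the poster's interleaved remark, drops exact repeated entries, and measures how long the client stayed authenticated before web auth was triggered again; the function names and the day/month/year date order are assumptions.

```python
import re
from datetime import datetime

# Excerpt of the WCS lines quoted in the question above, including the
# poster's interleaved remark, which is not a log record and must be skipped.
SAMPLE = """\
Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :DHCP successful.
Time :03/12/2014 14:21:26 MEZ Severity :ERROR Controller IP :10.101.200.11 Message :Client got an IP address successfully and the WLAN requires Web Auth or Web Auth pass through.
Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client IP address is assigned.
Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Webauth user logged in to the network. manni
Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client has completed Web Auth successfully.
Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client has completed Web Auth successfully.
Trying http://www.google.de .... doesn't work. No Log Entries. Next entries while logging out.
Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Web auth is being triggered again.
Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :WebAuth user Logged out from network.
"""

# One record per line: "Time :<date> <time> <tz> Severity :<lvl> Controller IP :<ip> Message :<text>"
LINE_RE = re.compile(
    r"^Time\s*:(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(?P<tz>\S+)\s+"
    r"Severity\s*:(?P<severity>\w+)\s+"
    r"Controller IP\s*:(?P<controller>\S+)\s+"
    r"Message\s*:(?P<message>.*)$"
)

AUTH_OK = "Client has completed Web Auth successfully."
SESSION_END = (
    "Web auth is being triggered again.",
    "WebAuth user Logged out from network.",
)


def parse_line(line):
    """Return one event as a dict, or None if the line is not a WCS record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    # Assumption: dates are day/month/year; the post does not say which.
    event["time"] = datetime.strptime(event.pop("ts"), "%d/%m/%Y %H:%M:%S")
    event["message"] = event["message"].strip()
    return event


def parse_log(text):
    """Return (events, skipped_lines); exact consecutive repeats are dropped."""
    events, skipped = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            skipped.append(line)
        elif not events or event != events[-1]:
            events.append(event)
    return events, skipped


def webauth_sessions(events):
    """Pair each web-auth success with the next session-ending message."""
    sessions, start = [], None
    for e in events:
        if e["message"] == AUTH_OK:
            start = e["time"]
        elif e["message"] in SESSION_END and start is not None:
            seconds = int((e["time"] - start).total_seconds())
            sessions.append((start, e["time"], seconds))
            start = None
    return sessions


def errors(events):
    """Events the controller itself reported with ERROR severity."""
    return [e for e in events if e["severity"] == "ERROR"]


if __name__ == "__main__":
    events, skipped = parse_log(SAMPLE)
    for start, end, seconds in webauth_sessions(events):
        print(f"authenticated {start} -> {end} ({seconds}s, no events in between)")
    for e in errors(events):
        print("ERROR:", e["message"])
    print("non-log lines skipped:", len(skipped))
```
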

  • Ask the Experts: Wired Guest Access

    Sharath K.P.
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions on wired guest access with expert Sharath K.P. Wired guest access enables guest users to connect to the guest access network from a wired Ethernet connection designated and configured for guest access. Sharath K.P. is a Customer Support Engineer specialized in wireless and switching technologies at the Technical Assistance Center in Cisco Bangalore. He has been troubleshooting wireless and switching networks and management tools since 2009. Sharath has a bachelor's degree in Electrical Electronics Engineering from P.E.S College of Engineering (PESCE), VTU at Belgaum, India. He holds CCNP certifications in R&S and Wireless.
    Remember to use the rating system to let Sharath know if you have received an adequate response.
    Sharath might not be able to answer each question due to the volume expected during this event.
    Remember that you can continue the conversation on the Wireless and Mobility sub-community discussion forum shortly after the event. This event lasts through January 27, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

    Hi Daniel,
    Wonderful observation and great question.
    Yes, we don't find any recommendation or inputs in Cisco Docs on scenarios where we have multiple foreign WLCs present. When we go through the Cisco Doc available for Wired Guest Access
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml
    Two separate solutions are available to the customers:
    A single WLAN controller (VLAN Translation mode) - the access switch trunks the wired guest traffic in the guest VLAN to the WLAN controller that provides the wired guest access solution. This controller carries out the VLAN translation from the ingress wired guest VLAN to the egress VLAN.
    Two WLAN controllers (Auto Anchor mode) - the access switch trunks the wired guest traffic to a local WLAN controller (the controller nearest to the access switch). This local WLAN controller anchors the client onto a DMZ Anchor WLAN controller that is configured for wired and wireless guest access. After a successful handoff of the client to the DMZ anchor controller, the DHCP IP address assignment, authentication of the client, etc. are handled in the DMZ WLC. After it completes the authentication, the client is allowed to send/receive traffic.
    So as per Cisco best practices, using multiple foreign controllers for the same wired guest VLAN is not supported and the results will be unpredictable.
    I do understand the confusion regarding such scenarios, as this (multiple foreign WLCs) is a very general setup which customers would like to deploy.
    We have already opened a bug for the same (Little late though )
    BUG ID :CSCtw44999
    The WLC Config Guide should clarify our support for redundancy options for wired guest
    Symptom:
    Do not trunk a wired guest VLAN to multiple foreign controllers.  This is not supported, and will
    generate unpredictable results.
    Some of the other changes that we will be making as a part of doc correction would be
    http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_user_accts.html#wp1066125
    1. The WiSM2 needs to be added as a supported controller.  (Not sure about the 7500, check with PM)
    2. Where it says "Do not attempt to trunk a guest VLAN on the Catalyst 3750G ...", this should read:
    "Do not trunk a wired guest VLAN to multiple foreign controllers.  This is not supported, and will
    generate unpredictable results."
    3. Add at least a line mentioning support for multiple anchors for a guest wired LAN.
    Now if you already have such deployments, the criteria would be that the nearest WLC on the broadcast domain (Layer 2) would respond to the client association request.
    Cisco Controller) >Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 Adding mobile on Wired Guest 00:00:00:00:00:00(0)
    Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 apfHandleWiredGuestMobileStation (apf_wired_guest.c:121) Changing state for mobile
    00:0d:60:5e:ca:62 on AP 00:00:00: 00:00:00 from Idle to Associated .
    I hope the above explanation could clarify your doubts to certain extent and also keep you
    informed on Cisco's  roadmap on this feature .
    Regards ,
    Sharath K.P.
