Compatible APs for Cisco WLC 2504

Similar Messages

• Cisco WLC 2504 webportal for Server 2008 R2 DC LDAP or RADIUS

  HI,Friends.
  I want to get my mobile or Notebook clients connecting to wireless and use my Domain users ,Cisco WLC 2504 to authenticate via LDAP or  RADIUS to our Windows Server 2008 Domain Controllers
  question:
  one,i can use my domain one Organizational Unit ,such as cn=use01,ou=test,dc=lzh,dc=com. now, noly user01 can logon on web, But how I make all my domain users can use web log it ? 
  I was using radius authentication or ldap certification to do web authentication ?which is good. ？？？
  I specified child ou, ou its users superiors can not be landed on

  hi ,Scott Fella
  Thank you,I am very happy to receive your reply,  I finally binding domain user authentication LDAP authentication done successfully. but You say the combination of nps I did not do the radius authentication is successful, I do not know where the problems.
  the err:
  <Event><Timestamp data_type="4">07/27/2014 18:33:36.845</Timestamp><Computer-Name data_type="1">PDC-CQ</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">11</User-Name><Service-Type data_type="0">1</Service-Type><NAS-IP-Address data_type="3">10.10.10.253</NAS-IP-Address><NAS-Port data_type="0">1</NAS-Port><NAS-Identifier data_type="1">WLC-CNNEWCITY</NAS-Identifier><NAS-Port-Type data_type="0">19</NAS-Port-Type><Vendor-Specific data_type="2">00003763010600000001</Vendor-Specific><Calling-Station-Id data_type="1">10.12.0.11</Calling-Station-Id><Called-Station-Id data_type="1">10.10.10.253</Called-Station-Id><Client-IP-Address data_type="3">10.10.10.253</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">WLC</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">CNNEWCITY\11</SAM-Account-Name><Class data_type="1">311 1 10.10.10.1 07/27/2014 09:41:28 5</Class><Authentication-Type data_type="0">1</Authentication-Type><NP-Policy-Name data_type="1">Connections to other access servers</NP-Policy-Name><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><Fully-Qualifed-User-Name data_type="1">cnnewcity.com/user/test/11</Fully-Qualifed-User-Name><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
  <Event><Timestamp data_type="4">07/27/2014 18:33:36.845</Timestamp><Computer-Name data_type="1">PDC-CQ</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 10.10.10.1 07/27/2014 09:41:28 5</Class><Fully-Qualifed-User-Name data_type="1">cnnewcity.com/user/test/11</Fully-Qualifed-User-Name><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><Client-IP-Address data_type="3">10.10.10.253</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">WLC</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">CNNEWCITY\11</SAM-Account-Name><NP-Policy-Name data_type="1">Connections to other access servers</NP-Policy-Name><Authentication-Type data_type="0">1</Authentication-Type><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">66</Reason-Code></Event>
  then,You gave two figures is that what you mean? what's the meaning it that services-type =login ?

• Configuration of Cisco WLC 2504 with Local LAN static IP and DHCP

  I want to configure Cisco WLC 2504 with Local LAN static IP and WLC 2504 with DHCP so that APs can be connect with controller.
  Currently i am using WLC 2504 with DHCP so can anyone suggest how to do that..

  Hi Sandeep
  The info is correct, if we're using code below 7.3.101.0.
  This issue is fixed via the below bug id.
  CSCto01390 Unable to ping AP's directly connected to a 2500 controller
  check the fix that is updated on 7.4, 7.5 RNE.
  http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn75.html
  Note
  Directly connected APs are supported only in Local mode.
  http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps11630/data_sheet_c78-645111.html
  For quick and easy deployment Access Points can be connected directly to 2504 Wireless LAN Controller via two PoE (Power over Ethernet) ports
  Thanks
  Saravanan

• Cisco WLC 2504 sofware update

  Dear Friends,
  I am using Cisco WLC 2504 current software version is 7.0.220.0 and I want to upgrade it to the latest version which is 8.x.x.x.
  Could you please help and advice the best way of doing it? Also can I upgrade direct to the latest version or do I have to upgrade step by step?
  Thank you very much for your help and support.
  Thanks
  Umar

  Hi
  Could you please help and advice the best way of doing it? Also can I upgrade direct to the latest version or do I have to upgrade step by step?
  Yes, you can go directly to 8.0.x from 7.0.x code. Refer below link
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn80mr1.html#68333
  Make sure you refer the release notes for any known issues with this code. Also upgrade FUS to 1.9.0.0 as well. This will take around 30 min downtime as well.
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/fus_rn_OL-31390-01.html
  If you have different AP models, MSE, Prime products, refer this compatibility matrix as reference.
  http://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html
  HTH
  Rasika
  **** Pls rate all useful responses ****

• Query About Cisco WLC 2504 TDLS

  Dear Friends,
  One of my client want to encrypt data over the wireless. I have cisco WLC 2504 IOS Version 7.2.0.0.
  Please help me on this. I think by-default data encrypt is enable. If not so how can I enable it. If I enable it is there any impact to my wireless user's.
  Please help me out .....
  Thanks & Regards,
  Rahul Wankhade

  How to enable:
  http://www.cisco.com/c/en/us/support/docs/wireless/2500-series-wireless-controllers/113034-2500-deploy-guide-00.html#enable
  Impact:
  2500, WiSM2, WLC2—These platforms by default will not contain DTLS. To turn on data DTLS, you must install a license. These platforms will have a single image with data DTLS turned off. To use data DTLS you will need to have a license.
  http://www.cisco.com/c/en/us/products/collateral/wireless/2500-series-wireless-controllers/data_sheet_c78-645111.html
  AS per cisco: Encryption limits throughput at both the controller and the access point.
  Regards
  Dont forget to rate helpful posts

• Cisco WLC 2504 and ways to authenticate users

  Hi All,
       What is the ways to make user authenticate to WLC 2504 and what is the best and simple way and what is the differences btw each method _i mean for example need radius server or something else to be exist_ ?
       and any one can give me case study for this issue
  System consist of Cisco 2504 and Cisco LAP 1140
  Thanks

  To implement radius based authentication is the best practice for the small & enterprise environment.
  Information About RADIUS
  Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol that provides centralized security for users attempting to gain management access to a network. It serves as a backend database similar to local and TACACS+ and provides authentication and accounting services:
  •Authentication—The process of verifying users when they attempt to log into the controller.
  Users must enter a valid username and password in order for the controller to authenticate users to the RADIUS server. If multiple databases are configured, you can specify the sequence in which the backend database must be tired.
  •Accounting—The process of recording user actions and changes.
  Whenever a user successfully executes an action, the RADIUS accounting server logs the changed attributes, the user ID of the person who made the change, the remote host where the user is logged in, the date and time when the command was executed, the authorization level of the user, and a description of the action performed and the values provided. If the RADIUS accounting server becomes unreachable, users are able to continue their sessions uninterrupted.
  RADIUS uses User Datagram Protocol (UDP) for its transport. It maintains a database and listens on UDP port 1812 for incoming authentication requests and UDP port 1813 for incoming accounting requests. The controller, which requires access control, acts as the client and requests AAA services from the server. The traffic between the controller and the server is encrypted by an algorithm defined in the protocol and a shared secret key configured on both devices.
  You can configure multiple RADIUS accounting and authentication servers.For example, you may want to have one central RADIUS authentication server but several RADIUS accounting servers in different regions. If you configure multiple servers of the same type and the first one fails or becomes unreachable, the controller automatically tries the second one, then the third one if necessary, and so on. 
  For more Information : http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_security_sol.html#wp2149947

• Backing up config on Cisco WLC 2504

  I need to upgrade the software on my controller but first need to take a backup of the config.
  I log into the GUI of the controller and then go to Commands / Upload File, I then select my options:
  File Type: Configuration
  Transfer Mode: TFTP
  IP: 10.x.x.x
  File Path: C:\Cisco\WLC
  File Name: ciscowlc.cfg
  Click Upload
  After about a minute it receive the following error:
  % Error: Config file transfer failed - Error from server: The specified operation is not supported.
  I can't seem to find any information on this error.
  Any help would be greatly appreciated.
  Thanks,
  James

  What TFTP server are you using... I use 3CDeamon and I also select the folder from the TFTP server so my path would just be ./
  Make sure that the firewall on the tftp server is disabled and also make sure your doing the tftp to a wired machine and not a wireless machine.  TFTP and FTP is not allowed when your associated to an AP that is joined to that WLC.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• TFTP image to Cisco WLC 2504

  I am trying to TFTP an image to a Cisco 2504 WLC. The management interface is 10.1.1.1 /24 and I have my PC connected to a port on the WLC with the IP address 10.1.1.10. However, I still do not have connectivity between the PC and WLC. Any advice?

  If you are connected directly to the WLC, you need to make sure the management interface is untagged, set to '0'.
  You really should be connecting the WLC to a switch since the WLC isn't really a switch and TAC doesn't support connecting devices like AP's or PCs to the WLC.
  Sent from Cisco Technical Support iPhone App

• Nokia Lumia support for Cisco WLC

  Dear All,
  I am using Cisco Wireless LAN Controller 4404 in my network, All devices (Laptops, samsung mobile phones, Iphone, HTC, etc) are connecting and working perfectly but NOKIA Lumia mobile phone is unable to connect.
  Is there any hotfix for WLC available? please advise
  Regards,
  Junaid

  Please find below debug details, I started debugging the device by command debug client (client mac) and then tried to connect the device.
  *dot1xMsgTask: Sep 25 12:14:03.096: ec:f3:5b:d3:99:20 dot1x - moving mobile ec:f3:5b:d3:99:20 into Connecting state
  *dot1xMsgTask: Sep 25 12:14:03.097: ec:f3:5b:d3:99:20 Sending EAP-Request/Identity to mobile ec:f3:5b:d3:99:20 (EAP Id 1)
  *Dot1x_NW_MsgTask_0: Sep 25 12:14:03.148: ec:f3:5b:d3:99:20 Received EAPOL START from mobile ec:f3:5b:d3:99:20
  *Dot1x_NW_MsgTask_0: Sep 25 12:14:03.148: ec:f3:5b:d3:99:20 dot1x - moving mobile ec:f3:5b:d3:99:20 into Connecting state
  *Dot1x_NW_MsgTask_0: Sep 25 12:16:05.035: apfGetRsnIE: Processing WPA/RSN IE type 48, length 56 processed only 38 bytes
  *Dot1x_NW_MsgTask_0: Sep 25 12:16:05.076: apfGetRsnIE: Processing WPA/RSN IE type 48, length 56 processed only 38 bytes
  *Dot1x_NW_MsgTask_0: Sep 25 12:16:05.076: apfGetRsnIE: Processing WPA/RSN IE type 48, length 56 processed only 38 bytes
  *Dot1x_NW_MsgTask_0: Sep 25 12:16:05.076: apfGetRsnIE: Processing WPA/RSN IE type 48, length 56 processed only 38 bytes
  *Dot1x_NW_MsgTask_0: Sep 25 12:16:05.112: apfGetRsnIE: Processing WPA/RSN IE type 48, length 56 processed only 38 bytes
  And on cell phone it shows the following message:
  connection unsuccessful,
  the credentials provided by the server couldn't be validated,
  I tried to connect it without any encryption and it got connected successfully, issue only on wpa2-Enterprise.
  Please advise,,,
  Regards,
  Junaid

• Configure cisco wlc for rsa authentication

                     Hi,
  I wanted to find out if it is possible to authenticate wireless networks using rsa. Currently we have a cisco wlc 2504, rsa authentication manager 7.1
  Do we require a cisco ACS device to make this work. Please advise.
  Thanks

  Yes it is possible.  The below is the list of items which you require to configure RSA authentication on WLC
  •1.       RSA Authentication Manager 6.1
  •2.       RSA Authentication Agent 6.1 for Microsoft Windows
  •3.       Cisco Secure ACS 4.0(1) Build 27
      Note: The RADIUS server that is included can be used in place of the Cisco ACS. See the RADIUS documentation that was included with the RSA Authentication Manager on how to configure the server.
  •4.       Cisco WLCs and Lightweight Access Points for Release 4.0 (version 4.0.155.0)
  For more information you can go through this link:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008090399a.shtml

• WLC 2504 can't change WAP name or switch off CDP via WLC gui

  Hi All,
  Please can you assist? I have 1 x Cisco WLC 2504 & 2 x Cisco WAP AIR-CAP1602I-E-K9 running 7.4.100.60.
  All three devices are installed and working correcty within a corporate environment. However, there are a few tweaks that I would like to do, to tidy up the configuration and switch certain elements on or off. For example, my core networking hardware is Huawei and I would like to switch off 'CDP' on the WAP's as the associated error messages are filling up my logging buffer on my switch. So, I https to my WLC, locate the WAP in question, goto 'interfaces' and untick the box for 'CDP state' hit apply, then I get the following error message "controller name is mandatory when controller ip address is configured" and then the tick reappears!
  At present I have two WAP's. Both have static IP addresses and both are reachable on the network. The one WAP did allow me to change the name to something meaningful, but the other WAP would not let me and still has the default MAC address as its name. I have the same issue, when I try to change the name on the WAP it says "controller name is mandatory when controller ip address is configured"
  I have also tried to CLI directly in to the WAP to make these alterations, but as soon as i launch 'putty' it quits out. I guess this is locked down once the WAP's associate with the WLC.
  And around I go.... Someone must have been in this situation, what am i missing? Thanks in advance!

  Hi Andy,
  By default SSH & Telnet is disabled for WLC controlled APs. So you have to enable it first via WLC GUI in order to access the AP via telnet or SSH.
  Wireless -> Select your AP -> Advanced -> Tick Telnet/SSH boxes.
  If you could not change AP name via WLC GUI (it may be a bug), but as I said earlier try to change it via WLC CLI (not AP CLI itself). SSH  to your WLC & then try the following.Old AP name is the one with its mac address.
  (WLC) >config ap name
  (WLC) >save config      
  Are you sure you want to save? (y/n) y
  Configuration Saved
  HTH
  Rasika
  *** Pls rate all useful responses ****

• WLC 2504 HA Configuration

  Hi Guys,
  What configuration should I use in order to configure HA using 2x Cisco WLC 2504 ?
  - Do I need to have licenses for 2x Controllers ? I have only one WLC with license installed.  
  At the moment I have the following scenario below.
  AIR-CT2504-K9 – Primary (30 Aps Supported)
  AIR-CT2504-HA-K9 – Secondary (0 license)
  Software Version - 7.6.130.0 (Both Controllers)
  Both controllers are going to be in the same place.
  Can anyone help me please ?
  Thanks,
  Everton

  Thanks Scott Fella !
  Just one more question.
  Should I use a crossover cable to connect the primary controller to the secondary ? Or should I use a switch to connect them ?
  Thanks,
  Everton

• AP1121 can'T join WLC 2504

  Hi there,
  It's me again... same devices which making trouble.
  I have an allready configured WLC 2504 running in the network. Every LAP i add to the network joins imidiatly to the Controller.
  But not the AP1121G AP.
  It fails the Handshake everytime and the Controller shows me an failmessage at the statistics in the GUI.
  GUI Message:
  RADIUS authorization is pending for the AP
  CLI Debug:
  *spamApTask0: May 23 17:29:18.258: 00:11:20:6e:2b:14 Allocated index from main list, Index: 16
  *spamApTask0: May 23 17:29:18.259: 00:11:20:6e:2b:14 DTLS keys for Control Plane are plumbed successfully for AP 192.168.1.100. Index 17
  *spamApTask0: May 23 17:29:18.259: 00:11:20:6e:2b:14 DTLS Session established server (192.168.1.10:5246), client (192.168.1.100:1716)
  *spamApTask0: May 23 17:29:18.260: 00:11:20:6e:2b:14 Starting wait join timer for AP: 192.168.1.100:1716
  *spamApTask0: May 23 17:29:18.263: 00:11:20:6e:2b:14 Join Request from 192.168.1.100:1716
  *spamApTask0: May 23 17:29:18.264: 00:11:20:6e:2b:14 Deleting AP entry 192.168.1.100:1716 from temporary database.
  *spamApTask0: May 23 17:29:18.264: 00:11:20:6e:2b:14 AP with same name AP0011.206e.2b14 exist. Using default name AP0011.206e.2b14 for this AP.
  *spamApTask0: May 23 17:29:18.265: 00:11:20:6e:2b:14 In AAA state 'Idle' for AP 00:11:20:6e:2b:14
  *spamApTask0: May 23 17:29:18.266: 00:11:20:6e:2b:14 State machine handler: Failed to process  msg type = 3 state = 0 from 192.168.1.100:1716
  *spamApTask0: May 23 17:29:18.267: 00:11:20:6e:2b:14 Failed to parse CAPWAP packet from 192.168.1.100:1716
  *spamApTask0: May 23 17:29:18.267:
  *spamApTask0: May 23 17:29:18.267: 00:11:20:6e:2b:14 Finding DTLS connection to delete for AP (192.168.1.100/1716)
  *spamApTask0: May 23 17:29:18.268: 00:11:20:6e:2b:14 Disconnecting DTLS Capwap-Ctrl session 0x1458bd60 for AP (192.168.1.100/1716)
  *spamApTask0: May 23 17:29:18.268: 00:11:20:6e:2b:14 CAPWAP State: Dtls tear down
  *spamApTask0: May 23 17:29:18.268: 00:11:20:6e:2b:14 DTLS keys for Control Plane deleted successfully for AP 192.168.1.100
  *spamApTask0: May 23 17:29:18.270: 00:11:20:6e:2b:14 DTLS connection closed event receivedserver (172:16:58:250/5246) client (192.168.1.100/1716)
  *spamApTask0: May 23 17:29:18.270: 00:11:20:6e:2b:14 Entry exists for AP (192.168.1.100/1716)
  *spamApTask0: May 23 17:29:18.272: 00:11:20:6e:2b:14 No AP entry exist in temporary database for 192.168.1.100:1716
  *spamApTask0: May 23 17:29:18.272: 00:11:20:6e:2b:14 Discarding non-ClientHello Handshake OR DTLS encrypted packet from  192.168.1.100:1716)since DTLS session is not established
  *spamApTask0: May 23 17:29:18.277: 00:11:20:6e:2b:14 Received LWAPP JOIN REQUEST from AP 00:11:20:6e:2b:14 to 84:78:ac:b3:73:c0 on port '1'
  *spamApTask0: May 23 17:29:18.278: 00:11:20:6e:2b:14 incomingRadJoinPriority = 1

  Problem solved
  Hey guys, i solved the problem. It wasn't the firmwareversion. I downgraded the WLC and the problem still exists.
  Problem reason: The AP1121G series doesn't  has a MIC - Manufactured Installed Certificate - which is compatible/ accpeted by the WLC 2504 and it's parameters for the RADIUS server. Maybe it has no MIC, i don't know.
  So you need the SSC - Self Signed Certificate - for the join authentication.
  Solution:
  1. Logon to GUI or CLI of the WLC.
  2. Enable "Accpet Self Signed Certificate"
            GUI: Security > AP policy
            CLI: (Cisco Controller) >config auth-list ap-policy ssc enable
  3. Look for the SSC Hash of the AP:
            CLI: (Cisco Controller) >debug CAPWAP events enable
            There you'll find an event which is called e.g.:
       Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: SSC Key Hash is 9e4ddd8dfcdd8458ba7b273fc37284b31a384eb9
  4.Add the ap manually to the controller
            GUI Security> AP policy > Add               There you have to set the right parameters, ap MAC, Cert. type: "SSC"           and the Key.
            CLI:    
            (Cisco Controller) >config auth-list add ssc 00:0e:84:32:04:f09e4ddd8dfcdd8458ba7b273fc37284b31a384eb9
  5. Maybe you should reboot the ap.
  And it's done

• Acs 5.3 and wlc 2504 config with restricted network access

  Hello,
  i submit you the following issue that i'm actually facing:
  i must configure a secured wireless network with access restriction based on SSID. the equipements are : cisco wlc 2504 (soft 7.3) cisco secure acs aplliance 1121 (soft 5.4) .
  the users that will connect to the network are regrouped by identity groups, each identity group having it's own SSID. Clearly each group of users must access only one SSID.
  i followed the procedure below to configure it:
  -- creating user identity groups;
  -- creating users and assigning them to the groups;
  --- creating authorization profiles for each SSID under policy element/ authorization and permission/network access/authorization profiles and putting the Airespace-Wlan-Id(the SSID number) in the radius tab.
  --- assigning the authorization profiles to the identity groups under access policies.
  after all these config the users can access the network using there userid/password configured. But the problem is Every user can access every SSID, seems like the restriction is so not very well configured.
  i found some documentation on this kind of config but the version of ACS used seems older than the one that i use, so menu are very different.
  Please can someone provide with the right steps to follow to achieve this kind of config.
  tkx in advance

  Yes.. you only have to add the end filter like what I posted... as far as the calling station id in the WLC security tab, it doesn't matter because that is not used when using 802.1x.  I would also try to not enable everything that you have just to start from the basic and make sure it works first.  The WAP Authentication Method might or might not work for you.  Uncheck that for now and when you have a successful authentication, look at the monitor log and see what radius attributes are being sent, because those attributes is what you can use to build your policies.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Configure a second Wlan on WLC 2504

  Hello,
  I  created a topic about this problem on the learningnetwork cisco site too. You can find it here: https://learningnetwork.cisco.com/thread/73201.
  The problem is:
  We have the Cisco WLC 2504 with a couple of access points. On this WLC we have a network connection via a radius server for our employees. The DHCP server for this connection is the server you see on the drawing. The connection from the switch to the WLC is connected on port 1 of the WLC. This connection works like a charm.
  Now I want to create a second network (which is divorced from our internal network) for our guests, but it doesn’t work till now. What we have at the moment is:
  A connection from the firewall via the router to the internet
  A connected cable from the firewall to the WLC on port 2
  A configured interface (port 2) on the WLC
  A configured Wlan on the WLC (it is possible to connect to the guest Wlan with a static ip)
  The SSID of the guest network is broadcasted via the AP’s which also broadcast the internal network SSID
  The problem I have now is:
  I have no connection between the WLC Port 2 (192.168.10.2) and the firewall (192.168.10.1). When I try to ping the firewall (192.168.10.1) I get a no reply received message.
  How can I get this working? I hope someone can help me with this. Thanks in advance!
  Screenshots:
  Guest interface
  Network layout
  Show int sum
  Show wlan sum
  Wlan general
  Wlan advanced

  Frank,
  The issue is that the WLC will not route between VLANs.  In order for the scenario that Rasika recommended to work, the switch needs to be a layer 3 switch or needs a layer 3 device attached to it to route between the VLANs.
  In my WLC, I have a guest interface as well:
  The gateway listed in the VLAN 50 Interface on my L3 Switch:
  I then have a route established on my switch to send that traffic to my ASA:
  Due to that, I can ping the ASA from my WLC:
  Of course, my WLAN for guests only has access to the guest Interface Group:
  Try these changes on your switch (or other Layer 3 Device) and let us know if it worked for you.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton