Configuring Guest VLAN on AP541N and UC560
I have an AP541N connected to a UC560. We are currently configured for Wireless Voice and Data. We have added a Guest VLAN, but don't see where in CCA to secure the VLAN from accessing the other two default VLANs. Any help would be appreciated.
Additional Info:
AP541N-K9-1.7(2)
UC560 15.0(1)XA2, RELEASE SOFTWARE (fc2)
CCA 3.0
https://supportforums.cisco.com/docs/DOC-14855
We are experiencing the exact same problem in our lab.
There is no way with CCA that the VLANs can be secured. You have to use CLI; however, once you choose to use CLI for configuration, CCA may no longer be used.
Hope this helps.
Terry
Similar Messages
-
Hi all,
For those that have travelled down the path of ISE, is it reliable to put all the switch ports into a guest VLAN and rely on the NAM to change that for corporate users? We will be using the AnyConnect NAM supplicant for corporate users, so they should automatically be changed into the corporate VLAN on successful authentication. Is this correct and is this reliable?
Testing now with all ports on the corporate vlan has guests still accessing the corporate vlan initially before they are changed by the java applet upon registering as a guest user.
Thanks
Sent from Cisco Technical Support iPad App
I will try to answer all of your questions:
1. "With the standard port configuration, is it better to have the switch ports on vlan 40 (guest vlan) by default, and have the corporate users NAM supplicant change the vlan to 20 if successful, or the other way around and have the ports in default state on vlan 20 (corporate) and when a guest hits the web portal have their vlan changed to vlan 40"
- I suppose the standard is to have the port in the regular/standard VLAN and only put failed authentications in the guest VLAN. However, with that being said, it really depends on what you are trying to accomplish, thus I suppose you could try doing it the other way around. I have never tested it nor deployed it that way so I highly recommend you try that in the lab
2. "I wanted to know if the change of vlan for corporate users with NAM is reliable?"
- Yes it is. Well, at least for the most part. Some "dumb" devices such as printers, badge readers, etc., might not know that a VLAN was changed, thus never request a new IP address. As a result, they get stuck in the guest VLAN. That is why I usually like to NOT use a guest VLAN but send all failed authentications through the guest portal. There you can control who is a guest and who is not via dACLs.
3. " We also plan on implementing low impact mode, ie open authentication with a default ACL as there are things like PXE booting that needs to happen"
- So my guess is that the guest VLAN terminates on some interface such as FW DMZ. That interface usually has some ACL that blocks all RFC 1918 and permits everything else. If that is the case and you want to use Low-Impact mode, then you will need to grant the same access on the DMZ interface as the one granted in the Low-Impact mode ACL otherwise things will break -
802.1.x guest VLAN problem
Hi,
I have configured Guest VLAN on a switch port. When I power on the PC and don't log in, the PC after some time goes to the Guest VLAN but doesn't acquire an IP address; after some time the port goes to the unauthorized state and then after some time goes to the guest VLAN again, and so on.
I'm using XP sp2 with:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode DWORD Value = 3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\AuthMode DWORD Value = 0
Could someone give some help,please.
Thanks
BR
The key here is your AuthMode setting of 0. With this setting, if a connection has already been authenticated with machine-auth, the user's credentials will not be used for authentication. The only way I can imagine that the Guest-VLAN even comes up is if you have configured AuthMode = 0 AND then turned off machine-authentication.
As for the Guest-VLAN getting deployed to a port, and how quickly this occurs, it's a function of the tx-period timer on the switch port. Once 3 Identity requests go unanswered, AND if you have Guest-VLAN configured, the port can then be enabled into the Guest-VLAN. DHCP cannot happen until a) 802.1x authorizes a port, or b) the Guest-VLAN is enabled (in which 802.1x authorization will time out).
I have a general question though. What are you looking to accomplish with these specific settings? Based on your registry settings:
*machine-auth should work if you have both 802.1x-user-auth + 802.1x-machine-auth enabled.
*user-auth should work if you have 802.1x-user-auth enabled and 802.1x-machine-auth disabled.
*Guest-VLAN should work if you have 802.1x disabled completely. NOTE: Guest-VLAN should not get deployed in the config, since the supplicant will send EAPOL-Starts, even though you have disabled machine-auth.
Hope this helps. -
HQ and Remote Wired Guest VLAN
Hello all,
I am having trouble creating a standard condition for Policy Authorization. Basically there are HQ and remote locations configured for guest access.
Each location has its own guest VLAN. On ISE the standard rules are:
Standard Rule 1 if Unknown AND Wired_MAB then Guest_Access
This rule is working good for HQ.
Standard Rule 2 if (Unknown OR MTL_Devices) AND Wired_MAB_MTL_Guest then Montreal_Guest
This rule is designed for the remote site, but Standard Rule 1 is taking over because first match applies, and the OR condition may cause some problem with internal users since the condition is Unknown OR MTL_Devices. There is no AND condition for this.
Let me know if anyone has idea or have solved this problem.
Thank you.
Hi,
You need to change the order of your rules, ISE uses the first matched rule from top to bottom, in your case the MTRL is matching the first rule since it is more open than the rule below which has the check for the network device.
Please change the order and see if this fixes your issue; if this doesn't work, post a screenshot of your policies just to make sure we are on the same page.
Thanks,
Tarik Admani
*Please rate helpful posts* -
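The first-match behaviour Tarik describes above, as an added example (my code, not from the thread or from ISE): a minimal evaluator with the two rules from the question, showing which profile an unknown Montreal endpoint gets in each rule order. The condition definitions and the sample endpoints are assumptions, since the thread only names them.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed endpoint model: the attributes the thread's conditions depend on.
@dataclass(frozen=True)
class Endpoint:
    identity_group: str   # e.g. "Unknown", "MTL_Devices", "Employees"
    wired_mab: bool       # session arrived via MAB on a wired port
    nad_site: str         # site of the network access device: "HQ" or "MTL"

Cond = Callable[[Endpoint], bool]

# Condition definitions are assumptions; the thread only names them.
def Unknown(e: Endpoint) -> bool:
    return e.identity_group == "Unknown"

def MTL_Devices(e: Endpoint) -> bool:
    return e.identity_group == "MTL_Devices"

def Wired_MAB(e: Endpoint) -> bool:
    return e.wired_mab

def Wired_MAB_MTL_Guest(e: Endpoint) -> bool:
    # Assumed: Wired_MAB restricted to network devices at the Montreal site.
    return e.wired_mab and e.nad_site == "MTL"

@dataclass(frozen=True)
class Rule:
    name: str
    cond: Cond
    profile: str

RULE1 = Rule("Standard Rule 1",
             lambda e: Unknown(e) and Wired_MAB(e), "Guest_Access")
RULE2 = Rule("Standard Rule 2",
             lambda e: (Unknown(e) or MTL_Devices(e)) and Wired_MAB_MTL_Guest(e),
             "Montreal_Guest")

ORIGINAL_ORDER = [RULE1, RULE2]   # as posted: broad rule on top
FIXED_ORDER = [RULE2, RULE1]      # more specific rule first

def authorize(policy: List[Rule], e: Endpoint) -> str:
    """First-match evaluation, top to bottom, as ISE does."""
    for rule in policy:
        if rule.cond(e):
            return rule.profile
    return "DenyAccess"           # assumed implicit default rule

def overtaken(policy: List[Rule],
              samples: List[Endpoint]) -> List[Tuple[str, str, Endpoint]]:
    """(loser, winner, endpoint) for every later rule that would also have
    matched but lost to an earlier one. Review each entry: this is the
    intended outcome only when the winner is the more specific rule."""
    out = []
    for e in samples:
        matching = [r for r in policy if r.cond(e)]
        for loser in matching[1:]:
            out.append((loser.name, matching[0].name, e))
    return out

# Constructed sample endpoints.
HQ_GUEST = Endpoint("Unknown", True, "HQ")
MTL_GUEST = Endpoint("Unknown", True, "MTL")
MTL_DEVICE = Endpoint("MTL_Devices", True, "MTL")
SAMPLES = [HQ_GUEST, MTL_GUEST, MTL_DEVICE]

if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL_ORDER), ("reordered", FIXED_ORDER)):
        print(label, [authorize(policy, e) for e in SAMPLES])
        for loser, winner, e in overtaken(policy, SAMPLES):
            print(f"  {loser} lost to {winner} for {e}")
```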
802.1x Auth-Fail VLAN and Guest-VLan not available
Hi Pros,
Having an issue with an 881 I have recently acquired. I'm wanting to setup a Virtual Office scenario. Everything is working fine except for 802.1x...
I can get the 881 to authenticate things connected to it, but I don't have the options of guest-vlan or auth-fail vlan.
Idea is if the user takes the router home and someone, either accidentally or on purpose, connects an unauthorized laptop, they stay off the corporate network but can still get to the Internet.
I found this link on Cisco's site:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/deployment_guide_c07_458259_ns855_Networking_Solutions_White_Paper.html
That link shows them configuring a guest VLAN right on the fa0-3 ports of an 881W. I don't have that option on mine. I can only configure 802.1x on the VLAN interface. I have 802.1x working for things that connect to vlan1, but I would like to have a "fallback" setup.
EZVPN_Remote(config-if)#int fa1
EZVPN_Remote(config-if)#dot
EZVPN_Remote(config-if)#dot1?
dot1q
EZVPN_Remote(config-if)#dot1
EZVPN_Remote(config-if)#int vlan1
EZVPN_Remote(config-if)#dot1x ?
default Configure Dot1x with default values for this port
host-mode Set the Host mode for 802.1x on this interface
max-reauth-req Max No.of Reauthentication Attempts
max-req Max No.of Retries
pae Set 802.1x interface pae type
port-control set the port-control value
reauthentication Enable or Disable Reauthentication for this port
timeout Various Timeouts
Any thoughts why I'm seeing this behavior? Feature-set? IOS Version?
EZVPN_Remote#sh ver
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(2)T4, )
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Tue 12-Jul-11 21:02 by prod_rel_team
ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
EZVPN_Remote uptime is 6 hours, 1 minute
System returned to ROM by reload at 14:53:21 UTC Thu Oct 13 2011
System restarted at 14:52:47 UTC Thu Oct 13 2011
System image file is "flash:c880data-universalk9-mz.151-2.T4.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco 881 (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memor.
Processor board ID FTX153482GK
5 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
256K bytes of non-volatile configuration memory.
126000K bytes of ATA CompactFlash (Read/Write)
License Info:
License UDI:
Device# PID SN
*0 CISCO881-SEC-K9 xxxxxxxx
License Information for 'c880-data'
License Level: advipservices Type: Permanent
Next reboot license Level: advipservices
Thanks in advance!
Shameless bump...
-
802.1x Guest Vlan and Routed access layer design
Hi!
For many reasons, I have to re-design my campus network in a more ISP-like way. The plan is to move to a routed access layer in the next two years. I have 802.1x with guest VLAN on my access ports (3750). I was reading on the subject and I found that the guest VLAN feature was not available with an internal VLAN (routed port).
Is this limitation really there? Is there a way I can get around it without complicating my design even more? Does Cisco have plans to lift this???
You cannot use/configure 802.1X on a routed port today. Typically, 802.1X is to be used for LAN edge ports.
The Guest-VLAN should work with a routed access design though. If your Guest-VLAN is chosen to be separate from say otherwise statically configured access VLANs, you would need to configure it via separate SVI with corresponding IP info (in a routed access model).
Hope this helps, -
802.1x / dot1x Authentication, including Voice-Vlan and Guest-Vlan
Hello,
I have tried to configure a dot1x-based authentication.
With a single host including guest-vlan, everything works fine.
But I want to use an IP phone (which is always authenticated) and behind the phone a client.
Is there a possible solution? And unfortunately the IP phones are Avaya phones.
I have just tried so...
interface GigabitEthernet0/4
 switchport access vlan 121
 switchport mode access
 switchport voice vlan 200
 authentication event fail action authorize vlan 99
 authentication event server dead action authorize vlan 121
 authentication event server alive action reinitialize
 authentication host-mode multi-host
 authentication order dot1x
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout tx-period 1
 spanning-tree portfast
Thanks for any possible solution!
Unfortunately, because they are Avaya phones, the easy answer, CDP-Bypass, fails in this instance. When you plug in the phone, the switch will assume it's the 'single host' for this port, and restrict the port due to the authentication for the phone failing. Maybe you can just hard-code the voice VLANs on each phone, but that could get tedious depending on the number of phones.
I believe there is a DHCP option you can pass back that indicates the phone should be running on vlan 200, but for this to work you'd also need to set up a pre-auth ACL that would allow DHCP to work in the unauthorized state. I think it's 147 off the top of my head.
Another solution (which isn't what you originally wanted, but it would work) is to just use multi-domain instead of single-host, and authenticate both the phone and the PC. The RADIUS server should be able to distinguish between what is configured as a phone and what is a host, and will send back the appropriate VLAN if configured correctly.
What are you using for a RADIUS server? -
Configuring Guest Access using 2 LWAPs and 2504 WLC
Please advise,
I have 2 APs, Cisco Aironet 1040, and 2504 WLC.
Is it possible to configure guest access (Guest SSID/VLAN and Corporate SSID/VLAN) without a dedicated guest WLC in the DMZ?
Yes you can. You can have up to 16 SSIDs per AP, but it is not suggested to have all 16. You can either use one port on the 2504 for both SSIDs/VLANs or specify which port is for corporate and which one is for guest.
Thanks,
Scott Fella
Sent from my iPhone -
Is Guest VLAN configurable on the E-series WEB GUI yet
I logged on this board 2 months ago inquiring the availability of the Guest VLAN feature on the WEB GUI of the E-series home router and the answer back then was no.
I saw the Cisco Connect has been updated to work in synch with the WEB GUI and the new firmware has some minor bugs fixed on the Guest VLAN feature. My original:
Is the Guest VLAN feature now available to configure on the WEB GUI of the E-series home router?
Are you talking about Guest VLAN or Guest WLAN?
The Guest WLAN feature is only available in the E4200. In the E4200 router you have an option to configure the Guest WLAN using the WEB Interface. -
Need help configuring multiple VLANs and SSIDs
Hi,
We bought a Cisco SGE2000P 24Port switch and 10 WAP4410N access points. Our intent is to provide a secure network to our LAN, and a guest network to the Internet.
We are thinking 3 VLANs would be best for this: VLAN 100 connected to the LAN, VLAN 1000 for the Internet Router and Filter, and VLAN 1100 for the Guest Wireless access.
We have the switch configured for all three of these, and 1 initial access point configured for the VLANS, too.
We have not yet moved the current Internet connection to VLAN 1000 because we aren't sure how to setup routing between VLANS.
Here are some specifics on how the traffic needs to route:
1. We have the DHCP server, which is the PDC, handling both scopes for the LAN and Guest VLAN.
2. The web filter in VLAN 1100 needs to authenticate with the DHCP server as there are different filter rules based on authenticated user. Any users coming from VLAN 1100 will have a default filter rule without requiring any authentication.
3. Certain traffic coming in from the Internet needs to be able to get to VLAN 100. The router has a built-in firewall that handles NAT and port forwarding, so as long as traffic can be forwarded to VLAN 100 we should be good.
4. Traffic on VLAN 1100 (guest Wireless network) should only be allowed to go to Internet (VLAN 1000).
Right now I have the VLANs configured and the ports assigned to the Access Points are set for TAGGED and on VLAN 100 and VLAN 1100.
The SGE2000P has the following IP addresses assigned to the VLANS:
10.7.3.252 - VLAN 100
10.7.40.254 - VLAN 1000
192.168.254.254 - VLAN 1100
Has anyone been able to setup a similar configuration? We have scoured the Internet for documentation but it seems to be very difficult to find!
Thank you!
Gary Smith
Based on your description of a 'Hybrid Port' this sounds like Cisco's 'Multi-VLAN Port' that was a feature of the 2900XL/3500XL series switches. This feature has however long since gone......
With a Cisco switch an access port supporting an Access VLAN & a Voice VLAN is effectively a Trunk with only one Tagged VLAN and the Native VLAN:
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
This results in the same configuration as:
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 100
With the exception of CDP packets being sent advertising the Voice VLAN.
With regards to other IP Phone vendors and DHCP Vendor Options - the answer is it depends....
Nortel use Vendor Option 144 to inform the IP Phone of the Voice VLAN and Option 128 for the Server (PBX) to use. Ericsson uses Vendor Option 43 that can be configured to tell the IP Phone the VLAN and the Web server to read the config file from.
I don't think you will get this working automatically with your 3Com switches, you can however manually configure the VLAN on the Cisco IP Phones.
HTH
Andy -
Multiple VLANs configuration issue with RV016 router and SG 300-10MP switch
Hi,
I have to configure multiple VLANs served by a single DHCP server. As a first step, I just want the DHCP server to serve 2 VLANs. The following is the hardware and configuration that I implemented:
Router (RV016 10/100 16-Port VPN Router) as gateway mode:
IP : 172.16.0.1/24
DHCP Server :
IP : 172.16.0.2/24 GW: 172.16.0.1
2 subnets :
172.16.1.0/24 GW: 172.16.1.1 to serve vlan 1
172.16.2.0/24 GW:172.16.2.1 to serve vlan 2
Switch (SG 300-10MP 10-Port Gigabit PoE Managed Switch) as layer 3 mode:
IP 172.16.0.254 (vlan 8 default)
Vlan 1 : 172.16.1.1
Vlan 2 : 172.16.2.1
1 device connected on each vlan
a workstation on the vlan 1
a laptop on the vlan 2
In this scenario (see the attached pdf file), where the DHCP server is connected to the router, hosts on the VLANs don't receive any IP address.
But if I connect the DHCP server to a trunked switch port and change the DHCP server gateway from 172.16.0.1 to 172.16.0.254, hosts receive an IP address properly.
I have to connect the DHCP server directly to the router. How can I do that, what is wrong in the configuration ?
I hope the explanations are clear enough and my English too
Any help will be highly appreciated,
Zoubeir
Hi Eric, the small business group doesn't support the ASA config, but I can help with the switch.
A couple things I notice in your description-
48 port (192.168.1.254) and the other 24P (192.168.1.253) we have a second vlan 20 set up on the 24P switch (192.168.2.253) we have ports 1-12 set for vlan20 (untagged and trunk), the remaining ports on on the default vlan 1.
The connection between the switches, is it 1u, 2t?
The link between the switches should be 1u, 2t, the switches support the trunking and vlan tagging, meaning all communication will work fine.
We have the 24p and 48p switches connect using GE1 and GE1. We are unable to ping a device on vlan 20 ( on the 24p switch
The 24p switch should be in layer 2 mode, if you have the 48 port l3 switch upstream. Additionally, you need to have the default gateway set on the 24p switch.
We have a static route set on the 24p switch (0.0.0.0 192.168.1.0).
Between the switches, it shouldn't require any static routes, assuming you correctly trunk / tag your ge1 ports, with both switches operating in l3, the ip route table dynamically builds the connected routes, therefore a static route is redundant.
-Tom
Please rate helpful posts -
Multiple Guest VLANs and Shared WLC
Hi,
I would like to add a second Internet ASA5xx gateway to our guest anchor wlc in the DMZ, which is connected to a guest vlan switch, so that the guest anchor wlc can connect guest users to two separate Internet gateways (i.e. guest vlan1 and vlan2). Two guest wireless networks are created in our environment, say SSID1 and SSID2, each anchoring to the guest WLC in the DMZ by Internal wlcs. I want to assign a different ip subnet to the two guest wireless SSIDs, say 10.251.255.0/24 and 10.251.256.0/24, to be provided by DHCP servers in the two ASA5xx.
I want to implement this by creating a second guest VLAN interface in the guest anchor WLC and assigning/connecting this to the new ASA5xx box for the second Internet gateway. The second guest wireless SSID will be homed/anchored to this guest vlan2.
Please advise how best I should implement this.
many thanks
Sankung
It sounds like you already have this done. You have the second SSID already; you would need to create the second interface with the appropriate VLAN tag and subnet range.
Then on the internal anchor the SSID to the same SSID in the DMZ
http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html#wp999843
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered -
ISE Wired Guest + user without supplicant and dynamic vlan change
Hi All,
I have two issues:
Is it still an issue when a wired user who is directed to the ISE CWA, is able to stay authenticated as a guest for as long as they stay connected?
This is happening on our test pilot - a guest with 2 hour access on a wired connection can maintain the guest access for as long as they desire.
I hear that this isn't an issue for wireless, but I have yet to try this out. Is there a workaround for this?
Secondly my testing confirms that only users with a supplicant eg anyconnect NAM can be dynamically changed into a vlan (only tested on wired).
What I'd hope to do, is create a policy that when wired guest connect in, to dynamically change their vlan to the guest vlan (same one guest WLAN users will use).
Is this possible if the guest doesn't have a supplicant?
One of my tasks was to rebuild the multiportal config, and it looks like there was an option there to do a VLAN DHCP release and renew. I won't know if this will work until next week but it sounds promising. It was tucked down on the screen so I had to scroll down to find it...
Still don't have an answer about the guest being able to stay authenticated, or does this feature solve this issue as well? Only time will tell.. -
SSID/VLANs for Guest/Staff with 3600 and 2504 Controller
We are deploying 3600 APs with a 2504 and would like to create multiple SSIDs that are mapped to unique VLANs so we can control the traffic at the firewall. We have the 2504 up and running with APs, but there appears to be nowhere in the 2504 controller Web GUI to configure a VLAN mapping to an SSID. Any pointers to documentation on how to configure this?
In the WLAN configuration, you select which interface you want it linked to.
In the Controller tab, on the left, go to Interfaces. This is where you create the interface name, set the VLAN, and the IP address.
Steve -
Guest VLAN and SSID with a DHCP router
I want to offer customers wireless access in my building. I've added VLAN 30 to my WAP with no encryption and broadcast the GUEST SSID. I also have a Netgear router plugged into a port with VLAN 30 access. I was hoping the wireless clients would get a DHCP address from this router since they are all on the same VLAN, but I cannot get it to work.
Does anyone have any insight on this, or another way to set up the guest VLAN?
You can create a guest VLAN.
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a00800e02cb.html#1074827