Configuring Guest VLAN on AP541N and UC560

I have a AP541N connected to a UC560.  We are currently configured for Wireless Voice and Data.  We have added a Guest VLAN, but don't see where in CCA to secure the VLAN from accessing the other other two default VLANs.  Any help would be appreciated.
Additional Info:
AP541N-K9-1.7(2)
UC560  15.0(1)XA2, RELEASE SOFTWARE (fc2)
CCA 3.0

https://supportforums.cisco.com/docs/DOC-14855
We are experincing the exact same problem in our lab.
There is no way with CCA that the VLANs can be secured. You have to use CLI, howerver once you choose to use CLI for configuration CCA may no longer be used.
Hope this helps.
Terry

Similar Messages

  • Wired guest vlan with ISE

    Hi all,
    For those that have travelled down the path of ISE, is it reliable to put the all switch ports into a guest vlan and rely on the NAM to change that of corporate users? We will be using the NAM any connect supplicant for corporate users, so they should automatically be changed into the corporate vlan on successful authentication. Is this correct and is this reliable?
    Testing now with all ports on the corporate vlan has guests still accessing the corporate vlan initially before they are changed by the java applet upon registering as a guest user.
    Thanks
    Sent from Cisco Technical Support iPad App

    I will try to answer all of your quesitons:
    1.     "With the standard port configuration, is it better to have the switch ports on vlan 40 (guest vlan) by default, and have the corporate users NAM supplicant change the vlan to 20 if successful, or the other way around and have the ports in default state on vlan 20 (corporate) and when a guest hits the web portal have their vlan changed to vlan 40"
              - I suppose the standard is to have the port in the regular/standard VLAN and only put failed           authentications in the guest VLAN. However, with that being said, it really depends on what you are           trying to accomplish, thus I suppose you could try doing it the other way around. I have never tested it nor           deployed it that way so I highly recommend you try that in the lab
    2.     "I wanted to know if the change of vlan for corporate users with NAM is reliable?"
              - Yes it is. Well at least for the most part Some "dumb" devices such as printers, badge readers, etc,           might not know that a VLAN was changed, thus never request a new IP address. As a result, they get           stuck in the guest VLAN. That is why I usually like to NOT use guest VLAN but send all failed           authentications through the guest portal. There you can control who is guest and who is not via dACLs.
    3.     " We also plan on implementing low impact mode, ie open authentication with a default ACL as there are things           like PXE booting that needs to happen"
              - So my guess is that the guest VLAN terminates on some interface such as FW DMZ. That interface           usually has some ACL that blocks all RFC 1918 and permits everything else. If that is the case and you           want to use Low-Impact mode, then you will need to grant the same access on the DMZ interface as the           one granted in the Low-Impact mode ACL otherwise things will break

  • 802.1.x guest VLAN problem

    Hi,
    I have configured Guest Vlan in switch port, when i power on PC and i didn't make login, PC after some time goes to Guest Vlan but it didn't acquire an IP address and after some time port goes to unauthorized state and then after some time goes to guest vlan.and so on
    I'm using XP sp2 with:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\Suppli
    cantModeDWORD Value = 3
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\AuthMo
    deDWORD Value = 0
    Could someone give some help,please.
    Thanks
    BR

    The key here is your AuthMode setting to 0. With this setting, if a connection has already been authenticated with machine-auth, the user’s credentials will not be used for authentication. The only way I can imagine that the Guest-VLAN even comes up is of you have configured AuthMode = 0 AND then turned off machine-authentication.
    As for the Guest-VLAN getting deployed to a port, and how quickly this occurs, it's a function of the tx-period timer on the switch port. Once 3 Identity requests go unanswered, AND if you have Guest-VLAN configured, the port can then be enabled into the Guest-VLAN. DHCP cannot happen until a) 802.1x authorizes a port, or b) the Guest-VLAN is enabled (in which 802.1x authorization will time out).
    I have a general question though. What are you looking to accomplish with these specific settings? Based on your registry settings:
    *machine-auth should work if you have both 802.1x-user-auth + 802.1x-machine-auth enabled.
    *user-auth should work if you have 802.1x-user-auth enabled and 802.1x-machine-auth disabled.
    *Guest-VLAN should work if you have 802.1x disabled completely. NOTE: Guest-VLAN should not get deployed in the config, since the supplicant will send EAPOL-Starts, even though you have disabled machine-auth.
    Hope this helps.

  • HQ and Remote Wired Guest VLAN

    Hello all,
    I am having trouble to create a standard condition for Policy Authorization.  Basically there are HQ and remote locations configure for guest access.
    Each location has its own guest vlan.  On ISE the standard rule are:
    Standard Rule 1 if Unknown AND Wired_MAB then Guest_Access
    This rule is working good for HQ.
    Standard Rule 2 if (Unknown OR MTL_Devices) AND Wired_MAB_MTL_Guest then Montreal_Guest
    This rule is design for remote but Standard rule 1 is taking over because first match applied and since the OR condition may cause some problem
    with internal users since the condition is Unknown OR MTL_Devices.  There is no AND condition for this.
    Let me know if anyone has idea or have solved this problem.
    Thank you.

    Hi,
    You need to change the order of your rules, ISE uses the first matched rule from top to bottom, in your case the MTRL is matching the first rule since it is more open than the rule below which has the check for the network device.
    Please change the order and see if this fixes your issue, if this doesnt work, post a screenshot of your policies just to make sure we are on the same page.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • 802.1x Auth-Fail VLAN and Guest-VLan not available

    Hi Pros,
    Having an issue with an 881 I have recently acquired. I'm wanting to setup a Virtual Office scenario. Everything is working fine except for 802.1x...
    I can get the 881 to authenticate things connected to it, but I don't have the options of guest-vlan or auth-fail vlan.
    Idea is if the users takes the router home and someone, either accidentally or on pupose, connects an unauthorized Laptop, they stay off the Corp network but can get to the internet still.
    I found this link on Cisco's site:
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/deployment_guide_c07_458259_ns855_Networking_Solutions_White_Paper.html
    That link shows them configuring a guest vlan right on the fa0-3 ports of an 881W. I dont have that option on mine. I can only configure 802.1x on the vlan interface. I have 802.1x working, for things that connect to vlan1, but I would like to have a "fallback" setup.
    EZVPN_Remote(config-if)#int fa1
    EZVPN_Remote(config-if)#dot
    EZVPN_Remote(config-if)#dot1?
    dot1q
    EZVPN_Remote(config-if)#dot1
    EZVPN_Remote(config-if)#int vlan1
    EZVPN_Remote(config-if)#dot1x ?
      default           Configure Dot1x with default values for this port
      host-mode         Set the Host mode for 802.1x on this interface
      max-reauth-req    Max No.of Reauthentication Attempts
      max-req           Max No.of Retries
      pae               Set 802.1x interface pae type
      port-control      set the port-control value
      reauthentication  Enable or Disable Reauthentication for this port
      timeout           Various Timeouts
    Any thoughts why I'm seeing this behavior? Feature-set? IOS Version?
    EZVPN_Remote#sh ver
    Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(2)T4, )
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Tue 12-Jul-11 21:02 by prod_rel_team
    ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
    EZVPN_Remote uptime is 6 hours, 1 minute
    System returned to ROM by reload at 14:53:21 UTC Thu Oct 13 2011
    System restarted at 14:52:47 UTC Thu Oct 13 2011
    System image file is "flash:c880data-universalk9-mz.151-2.T4.bin"
    Last reload type: Normal Reload
    Last reload reason: Reload Command
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    Cisco 881 (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memor.
    Processor board ID FTX153482GK
    5 FastEthernet interfaces
    1 Virtual Private Network (VPN) Module
    256K bytes of non-volatile configuration memory.
    126000K bytes of ATA CompactFlash (Read/Write)
    License Info:
    License UDI:
    Device#   PID                   SN
    *0        CISCO881-SEC-K9       xxxxxxxx
    License Information for 'c880-data'
        License Level: advipservices   Type: Permanent
        Next reboot license Level: advipservices
    Thanks in advance!

    Shamless bump...

  • 802.1x Guest Vlan and Routed access layer design

    Hi!
    For many reasons, I have to re-design my campus network in a more ISP like way. The plan is to move to a routed access layer in the next two years. I have 802.1x with guest vlan on my access ports(3750). I was reading on the subject and I found that the guest vlan feature was not availeble with internal vlan(routed port).
    Is this limitation realy there, is there a way I can get around it without complicating my design even more. Do cisco have plan to lift this???

    You cannot use/configure 802.1X on a routed port today. Typically, 802.1X is to be used for LAN edge ports.
    The Guest-VLAN should work with a routed access design though. If your Guest-VLAN is chosen to be separate from say otherwise statically configured access VLANs, you would need to configure it via separate SVI with corresponding IP info (in a routed access model).
    Hope this helps,

  • 802.1x / dot1x Authentication, including Voice-Vlan and Guest-Vlan

    Hello,
    i have tried to configure a dot1x based Authentication.
    With an single host including guest-vlan, everything works fine.
    But i want to use an IP-Phone (wich is every times authenticated) and behind the Phone an Client.
    Is there a possible solution? And unfortunately IP-Phones are Avaya-Phones.
    i have  just tried so...
    interface GigabitEthernet0/4
    switchport access vlan 121
    switchport mode access
    switchport voice vlan 200
    authentication event fail action authorize vlan 99
    authentication event server dead action authorize vlan 121
    authentication event server alive action reinitialize
    authentication host-mode multi-host
    authentication order dot1x
    authentication port-control auto
    authentication periodic
    authentication violation restrict
    dot1x pae authenticator
    dot1x timeout quiet-period 10
    dot1x timeout tx-period 1
    spanning-tree portfast
    Thanks, for any possible solution!

    unfortunately because they are Avaya phones, the easy answer CDP-Bypass fails in this instance. When you plug in the phone, the switch will assume it's the 'single host' for this port, and restrict the port due to the authentication for the phone failing. Maybe you can just hard-code the voice-vlans on each phone, but that could get tedious depending on the amount of phones.
    I believe there is a DHCP option you can pass back that indicates the phone should be running on vlan 200, but for this to work you'd also need to set up a pre-auth ACL that would allow DHCP to work in the unauthorized state. I think it's 147 off the top of my head.
    Another solution (which isn't what you originally wanted, but it would work) is to just use multi-domain instead of single-host, and authenticate both the phone and the PC. The raduis server should be able to distinguish between what is configured as a phone and what is a host, and will send back the appropriate vlan if configured correctly.
    What are using for a radius server?

  • Configuring Guest Access using 2 LWAPs and 2504 WLC

    Please advise,
    I have 2 APs, Cisco Aironet 1040, and 2504 WLC.
    Is it possible to configure guest access (Guest SSID/VLAN and Corporative SSID/VLAN) without dedicated guest WLC in DMZ?

    Yes you can. You can have up to 16 SSIDs per AP, but not suggested to have all 16. You can either use one port on the 2504 for both SSID/vlan or specify which port is for corporate and which one is for guest.
    Thanks,
    Scott Fella
    Sent from my iPhone

  • Is Guest VLAN configurable on the E-series WEB GUI yet

    I logged on this board 2 months ago inquiring the availability of the Guest VLAN feature on the WEB GUI of the E-series home router and the answer back then was no.
    I saw the Cisco Connect has been updated to work in synch with the WEB GUI and the new firmware has some minor bugs fixed on the Guest VLAN feature. My original:
    Is Guest VLAN feature now available to configure on the WEB GUI of the E-series home router?

    Are your talking about Guest VLAN or Guest WLAN?
    Guest WLAN Feature is only available in E4200.In E4200 Router you have an option to configure the Guest WLAN using the WEB Interface.

  • Need help configuring multiple VLANs and SSIDs

    Hi,
    We bought a Cisco SGE2000P 24Port switch and 10 WAP4410N access points. Our intent is to provide a secure network to our LAN, and a guest network to the Internet.
    We are thinking 3 VLANs would be best for this: VLAN 100 connected to the LAN, VLAN 1000 for the Internet Router and Filter, and VLAN 1100 for the Guest Wireless access.
    We have the switch configured for all three of these, and 1 initial access point configured for the VLANS, too.
    We have not yet moved the current Internet connection to VLAN 1000 because we aren't sure how to setup routing between VLANS.
    Here are some specifics on how the traffic needs to route:
    1. We have the DHCP server, which is the PDC, handling both scopes for the LAN and Guest VLAN.
    2. The web filter in VLAN 1100 needs to authenticate with the DHCP server as there are different filter rules based on authenticated user. Any users coming from VLAN 1100 will have a default filter rule without requiring any authentication.
    3. Certain traffic coming in from the Internet needs to be able to get to VLAN 100. The router has a built-in firewall that handles NAT and port forwarding, so as long as traffic can be forwarded to VLAN 100 we should be good.
    4. Traffic on VLAN 1100 (guest Wireless network) should only be allowed to go to Internet (VLAN 1000).
    Right now I have the VLANs configured and the ports assigned to the Access Points are set for TAGGED and on VLAN 100 and VLAN 1100.
    The SGE2000P has the following IP addresses assigned to the VLANS:
    10.7.3.252 - VLAN 100
    10.7.40.254 - VLAN 1000
    192.168.254.254 - VLAN 1100
    Has anyone been able to setup a similar configuration? We have scoured the Internet for documentation but it seems to be very difficult to find!
    Thank you!
    Gary Smith

    Based on your description of a 'Hybrid Port' this sounds like Cisco's 'Multi-VLAN Port' that was a feature of the 2900XL/3500XL series switches. This feature has however long since gone......
    With a Cisco switch an access port supporting an Access VLAN & a Voice VLAN is effectively a Trunk with only one Tagged VLAN and the Native VLAN:
    interface FastEthernet0/1
    switchport mode access
    switchport access vlan 10
    switchport voice vlan 100
    This results in the same configuration as:
    interface FastEthernet0/1
    switchport mode trunk
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 10
    switchport trunk allowed vlan 100
    With the exception of CDP packets being sent advertising the Voice VLAN.
    With regards to other IP Phone vendors and DHCP Vendor Options - the answer is it depends....
    Nortel use Vendor Option 144 to inform the IP Phone of the Voice VLAN and Option 128 for the Server (PBX) to use. Ericsson uses Vendor Option 43 that can be configured to tell the IP Phone the VLAN and the Web server to read the config file from.
    I don't think you will get this working automatically with your 3Com switches, you can however manually configure the VLAN on the Cisco IP Phones.
    HTH
    Andy

  • Multiple vlans configuration issue with RV016 router and SG 300-10MP witch

    Hi,
    I have to configure multiple vlans served with a unique DCHP server . As first step, I just will The DHCP server to serve 2 vlans. The following is the hardware and configuration that I implemented :
    Router (RV016 10/100 16-Port VPN Router) as gateway mode:
    IP : 172.16.0.1/24
    DHCP Server :
    IP : 172.16.0.2/24 GW: 172.16.0.1
    2 subnets :
    172.16.1.0/24 GW: 172.16.1.1 to serve vlan 1
    172.16.2.0/24 GW:172.16.2.1 to serve vlan 2
    Switch (SG 300-10MP 10-Port Gigabit PoE Managed Switch) as layer 3 mode:
    IP 172.16.0.254 (vlan 8 default)
    Vlan 1 : 172.16.1.1
    Vlan 2 : 172.16.2.1
    1 device connected on each vlan
    a workstation on the vlan 1
    a laptop on the vlan 2
    In this scenario (see the attached pdf file) the DHCP server is connected on a router, hosts on vlans dont receive any IP address.
    But If I connect the DHCP server on a trunked switch port and adapt the DHCP server gateway 172.16.0.1 to 172.16.0.254, hosts receive ip address properly.
    I have to connect the DHCP server directly to the router. How can I do that, what is wrong in the configuration ?
    I hope the explanations are clear enough and my English too
    Any help will be highly appreciated,
    Zoubeir

    Hi Eric, the small business group doesn't support the ASA config, but  I can help with the switch.
    A couple things I notice in your description-
    48 port (192.168.1.254) and the other 24P (192.168.1.253)  we have a  second vlan 20 set up on the 24P switch (192.168.2.253)  we have ports  1-12 set for vlan20 (untagged and trunk), the remaining ports on on the  default vlan 1.
    The connection between the switches, is it 1u, 2t?
    The link between the switches should be 1u, 2t, the switches support the trunking and vlan tagging, meaning all communication will work fine.
    We have the 24p and 48p switches connect using GE1 and GE1.  We are unable to ping a device on vlan 20 ( on the 24p switch
    The 24p switch should be in layer 2 mode, if you have the 48 port l3 switch upstream. Additionally, you need to have the default gateway set on the 24p switch.
    We have a static route set on the 24p switch (0.0.0.0 192.168.1.0). 
    Between the switches, it shouldn't require any static routes, assuming you correctly trunk / tag your ge1 ports, with both switches operating in l3, the ip route table dynamically builds the connected routes, therefore a static route is redundant.
    -Tom
    Please rate helpful posts

  • Multiple Guest VLANs and Shared WLC

    Hi,
    I would like to add a second Internet ASA5xx gateway to our guest anchor wlc in the DMZ, which is connected to a guest vlan switch, so that the guest anchor wlc can connect guest users to two separate Internet gateways (i.e. guest vlan1 and vlan2). Two guest wireless networks are created in our environment, say SSID1 and SSID2, each anchoring to the guest WLC in the DMZ by Internal wlcs. I want to assign a different ip subnet to the two guest wireless SSIDs, say 10.251.255.0/24 and 10.251.256.0/24, to be provided by DHCP servers in the two ASA5xx.
    I want to implement this by creating a second guest vlan interface in the guest anchor wlc and assign/connect this to the new ASA5xx box for the second Internet gateway. The second guest wilres SSID will be homed/anchored to this guest vlan2.
    Please advise how best I should implement this.
    many thanks
    Sankung   

    It sounds like you already have this done.  You have the second SSID already, you would need to create the second interface with the appropriate VLAN tag and subnet range.
    Then on the internal anchor the SSID to the same SSID in the DMZ
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html#wp999843
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • ISE Wired Guest + user without supplicant and dynamic vlan change

    Hi All,
    I have two issues:
    Is it still an issue when a wired user who is directed to the ISE CWA, is able to stay authenticated as a guest for as long as they stay connected?
    This is happening on our test pilot - a guest with 2 hour access on a wired connection can maintain the guest access for as long as they desire.
    I hear that this isnt an issue for wireless, but yet to try this out. Is there a workaround for this?
    Secondly my testing confirms that only users with a supplicant eg anyconnect NAM can be dynamically changed into a vlan (only tested on wired).
    What I'd hope to do, is create a policy that when wired guest connect in, to dynamically change their vlan to the guest vlan (same one guest WLAN users will use).
    Is this possible if the guest doesnt have a supplicant?

    One of my tasks was to rebuild the multiportal config, and looks like there was an option there to do a VLAN dhcp release and renew. I wont know if this will work until next week but it sounds promising. It was tucked down on the screen so I had to scroll down to find it...
    Still dont have an answer about the guest able being able stay authenticated, or does this feature solve this issue as well? Only time will tell..

  • SSID/VLANs for Guest/Staff with 3600 and 2504 Controller

    We are deploying 3600 AP's with a 2504 and would like to create multiple SSID's that are mapped to unique VLANs so we can control the traffic at the Firewall.  We have the 2504 up and running with AP's but there appears to be no where in the 2504 controller Web GUI to configure a VLAN mapping to an SSID.  Any pointers to documentation on how to configure?

    in the WLAN configuration, you select what interface you want it to be linked to.
    In the Controller Tab, on the left, go to interfaces.  This is where you create teh interface name, set the VLAN,and the IP address.
    Steve

  • Guest VLAN and SSID with a DHCP router

    I want to offer customers wireless access in my building. I've added VLAN 30 to my WAP with no encryption and broadcast the GUEST ssid. I also have a Netgear router plugged into a port with VLAN 30 access. I was hoping the wireless clients would get a DHCP address from this router since they are all on the same VLAN, but I cannot get it too work.
    Does anyone have any insight on this, or another way to setup the guest VLAN?

    You can create a guest VLAN.
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a00800e02cb.html#1074827

Maybe you are looking for

  • Internal Error when Exporting to PDF

    Hello all, I have created a report in SSRS 2008. My report was running fine until I inserted an extra row. Once I would insert this row,(no matter where I insert it) whenever I try to view the print layout or export to a PDF I get the following error

  • Error mesage when trying to load songs onto ipod, computer is authorized

    my husband and I have 2 different user IDs on vista and when I tried to load some songs from our public itunes directory onto his ipod, an error pops up saying this computer is not authorized to play these songs. When I try to authorize the computer

  • Chinese characters in GroupWise message on smart phone

    GroupWise 2014. GMS Version: 2.0.1 Build: 53 Just ran into an odd one. User received an email from outside our company. It shows up fine in his GroupWise client, but when he views it on his smart phone (synced via GMS) the message body is all Chinese

  • Lots of channels to manage

    Hello Everyone, I have written a VI that will allow me to collect data from 200 different channels across 25 different wireless sensor nodes. I started a second vi that will access the files that I am writing the data to in order to generate graphs.

  • Table Data delete not working

    Hi, I m trying to simply delete all records in a Z table. I insert data into this table from another program. Until 1/2 hr ago both insertions and deletions were working fine. But now suddently the delete program is hanging on statement DELETE FROM S