Connect an AP to a Guest Anchor WLC?

We have two WLC 5508 and one foreign guest anchor WLC at the primary data center, also a 5508 box. I would like to connect an AP directly to the guest anchor WLC through its guest VLAN interface, so that the same configuration is applied to it as other APs connected to frontend WLCs connecting users.
Would this work or should I create a separate interface on the guest anchor WLC to connect the local AP?
Thanks
Sankung

Not a best practice, but as long as your AP is just for guest traffic it would be fine. If you also want to have it like your other APs and have other SSIDs, then I wouldn't do that, since you have to poke holes in your firewall to allow traffic inside unless you do a reverse anchor to the foreign WLC. You might be better off just using FlexConnect and AP Groups and having the AP terminate to the foreign WLC, but I don't know your setup.
Sent from Cisco Technical Support iPhone App

Similar Messages

  • Mobility Group Requirements for Guest Anchor WLC

    Hello -
    I've always assumed you can't create a guest tunnel between a local WLC and an anchor WLC that are in different mobility groups. However, I was told recently (without much detail) that this is possible. So I have set out to test this.
    I am trying to point one of my local WLCs' guest SSIDs to a guest anchor WLC in a different mobility group. I have a maintenance window coming up and I am looking to anchor the clients on one campus to the anchor WLC on the other campus so guest service does not go down. Each campus is its own mobility group. In trying to set this up I went to the "mobility anchors" screen for the guest SSID on one of the local WLCs and I am unable to add the anchor WLC from the other campus because it's not in the drop-down menu. This is because it's not in the same mobility group. So my question is: how do I anchor clients coming through a local WLC in one mobility group to an anchor WLC in another mobility group?
    To me it doesn't seem possible without significant configuration changes.   I don't want to reconfigure/recreate mobility groups. 
    Thanks
    Chuck

    Not only is it possible, I would recommend it. However, you may be confusing some concepts.
    The Mobility Group is different from the Mobility Domain. I generally refer to the Mobility Group as those WLCs with the same Default Mobility Group Name, and the Mobility Domain as the entire Mobility List (where you can define up to 72 controllers from various mobility groups).
    The point is that if WLCs 1-10 are GroupA, and WLCs 11-20 are GroupB, for anchoring to work you at least need to add the anchor to the mobility list of the foreign WLC, and vice versa.
    If you notice, when you add a mobility entry to the list, it should ask you for the mobility group. If you leave it blank, it should default to that of that WLC, but on GroupA controllers you could define GroupB controllers (and specify GroupB), and then you should have mobility established between your controllers and the Anchor configuration will have your anchors in the drop-down....
    Does that make sense?

  • Implementing Two Guest Anchor WLCs

    Hello -
    I am wondering if anyone has ever set up a guest network solution using two anchor controllers where the internal WLCs each have two anchors configured and use a primary Anchor and, when it is unavailable, can dynamically fail over to a secondary Anchor.
    I am looking to bring my current guest service onto the DMZ. Right now we are using separate ISPs where we tunnel the guest traffic to an anchor controller and out the separate ISP. We do not use our corporate internet service for guest. In any event, the DMZ design I am working on would include two WLCs sitting on our DMZ. I'd like to have each internal WLC configured to associate to the DMZ WLC that is connected to our active DMZ/Border. Upon failure, I would then like to have the internal WLCs fail over to the second DMZ WLC on our standby DMZ/Border. So I would need to configure both anchors on the guest WLAN of each WLC. I'm just wondering if this is possible and if the failover will actually work.
    Any input is appreciated. I'd like to implement a redundant guest solution where internal WLCs can dynamically fail over to a backup Anchor....
    Thanks
    Chuck

    Hi, I just got done moving our anchors to the DMZ, so you are in luck as everything is fresh in my mind. I, like you, have dual anchors in the DMZ. I also have over 30 inside (foreign) controllers connected to these anchors.
    When you anchor a WLAN to (2) anchor controllers, the controllers automagically load balance guest associations. Example: 2 guests attached to SSID: GUEST. Guest #1 goes to anchor #1 and guest #2 goes to anchor #2. You don't configure anything; this happens automagically, like I mentioned.
    As for failover: yes, if you pull the plug on anchor #1, the EoIP tunnel breaks between the anchor and the foreign controller. Guests that were on anchor #1 will require reauthentication and then join anchor #2. So if you had, say, an "accept page", these guests will get that same page again from anchor #2.
    Does that answer your question?

  • Guest-Anchor-WLC and NAC integration guide

    I was trying to find some design reference for the Guest-WLC and NAC integration. Can anyone share some experience/Cisco docs/links?

    User traffic is locally bridged on a 1030 in REAP mode, so packets forwarded to the default gateway would follow the NAT rules on the firewall, but the real challenge is the LWAPP control channel. In the past, using 1:1 NAT, I was successful with a CP firewall, but I had to play tricks with the mobility group and use the FW logs to track and define the right ports.

  • Guest Anchor N+1: Failover Time

    Hi Wireless Experts,
    Wondering if anyone has tested how fast a foreign WLC would detect that an internet guest anchor WLC went down and switch the internet traffic to the EoIP tunnel to the other guest anchor WLC?
    From the end user experience, I assume the guests would expect service interruption and a new login screen to reconnect. Is it correct?
    Thanks
    Cedar

    Usually it will switch once the mobility is shown as down. The foreign WLC will then have to send the traffic to the other anchor WLC, and if you're using webauth or possibly a different subnet, then that is the amount of time it will take. With WebAuth, the clients will have to authenticate again.
    Thanks,
    Scott
    *****Help out others by using the rating system and marking answered questions as "Answered"*****

  • Guest Cert problems ISE and Anchor WLC

    I'm setting up new Guest Wireless. I have 2 internal foreign 5508 WLCs talking to 2 DMZ anchor WLCs. The guest connects to the Guest SSID and the anchor controllers act as a DHCP server; the Guest interface configured on the WLC is in the range of the DHCP scope I've set up. The DHCP scope is using the anchor WLC Mgmt interface as the DHCP server.
    Guest SSID - is set up for Webauth and the Guest is redirected to the ISE server https://wlc.company.com/login...., when the page is presented to the Guest they get a cert problem because the cert is not trusted (it's an Internal Cert). Guest logs in ok and the AUP says "cert not trusted" 1.1.1.1 name of the WLC wlc.company.com.
    In the browser Guest has https://wlc.company.com/loginredirecthttps://1.1.1.1........
    1.1.1.1 is the Virtual interface of the Anchor WLC.
    How can I get the client to stop using the Virtual Interface for cert. Why is the WLC doing this? I gather something to do with DHCP?
    My plan is to apply an External Cert on the ISE for Guests; that way they will automatically trust a cert from Geotrust, for example. But I'm going to still run into this Cert "not trusted" problem where the Guest is not trusting the WLC anchor Virtual Interface 1.1.1.1. Why is the guest using the Virtual interface error 1.1.1.1? I've even added the ISE name of the cert to the Virtual interface, same problem, instead it just says wlc.company.com not trusted. I have also imported the cert onto the WebAuth cert on the anchor WLC, still doesn't work.
    Hopefully I've explained this ok.....any ideas? but if the Guest page keeps getting presented with
    https://wlc.company.com/loginredirecthttps://1.1.1.1........ it will never work.

    I followed Richard's advice and started from scratch, removing LWA and implementing CWA-MAB. It didn't take too long to set up CWA and get authentication working; I applied a Preauth ACL on the WLCs and on ISE under the Authorization profile (CWA).
    This is when the problems started happening. I was using the default ISE Authorization profile
    cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cwa, which is not what I want; again the certificate is the server cert, which is not an external Cert that the guest wants to see. The user can login fine, unlike LWA; with Firefox or IE it would accept the cert and login, so at least I had a working Guest wifi solution, though there was a cert error symbol at the end of the browser url.
    The next step I tried was to change the Authorization Profile to
    (wireless.company.com which is a C-NAME for ISE box and has this Alias in the cert, this was a test before I apply the external cert)
    cisco-av-pair = url-redirect=https://wireless.company.com:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cwa
    I applied the change and the new page appeared on the user's laptop, great, but this time users were declined access via Live Authentications, reason "Cannot login due to session id expiry, please login a again". I created a new user a/c, same problem. Not good. Ok, so I thought, well, if I want to clear all these stale session ids that apparently exist I'll stop/start the application, which I did from the command line; still the same error "Cannot login due to session id expiry". Hmmm, what's going on here.
    I then rebooted the ISE (this must clear all the sessions!). The reboot I performed from home, and now for some reason I cannot login to the ISE front end GUI with the admin account or my account. Tried resetting the GUI password for admin and other admin users, the message: "Error: cannot reset password this can only be performed on Standalone or Primary node". Well, what have I done? Just rebooted ISE, nothing else apart from changing the authorization profile. This box is a Standalone node. Without being able to see if the clients connect due to no GUI access, I have referred this issue to TAC!
    Also, I don't like the fact that you have to install an external cert against the internal node name, especially when it's external. But again I haven't reached this part yet.

  • 25 APs / Port Anchor WLC versus Guest WLC

    Greetings, first timer here.
    We're adding public internet access to our existing wireless network. We are using a 4402 WLC for our guest controller, and our secure WLC is a 4404.
    Cisco recommends placing a limit of 25 APs per distribution port, and we utilize that practice on our 4404. My question is, once we add the guest controller, which uses the same APs as the Anchor controller, do we have to re-apply the 25 AP/port rule to the guest controller?
    The 4404 obviously has 4 distribution ports giving a max of 100 APs, and the 4402 has 2 resulting in only 50 APs. We've got all of our APs covered by the best practice on the 4404, but would exceed that on the 4402.
    I thought that because the data is moving between the WLCs via the ether tunnel, I was covered by the 4404.
    Thoughts or suggestions?
    I can't seem to find anything in the white papers or best practices.
    Thanks to all
    Larry

    I have no factual information to back up what I am about to say and it may be partially incorrect, but this is how I always explained the process of guest anchoring:
    So the 25 AP suggestion per interface I think is because of the fact that if you had more than 25 APs on one port, you could theoretically be oversubscribing the bandwidth that the port could provide (25 APs @ 40 Mbps = 1000 Mbps)....
    Anyhow, unless you plan on actually sending a gig worth of traffic to your Guest Controller, I don't think there is any real need to split your anchor. I'm pretty sure Guest Controllers are usually for internet access, and 1 Gb worth of internet bandwidth sure seems like a lot to me..
    Also, I had always thought of the anchor tunnel similar in nature to an AP LWAPP tunnel. The controller that supports 25 APs is designed to support 25 LWAPP tunnels. The 50AP model, supports 50 LWAPP tunnels. This same logic could be applied to the WLAN Anchor tunnels. Think of each WLAN Anchor Tunnel as an AP connected to a controller.
    When a guest is anchored to the Public Controller, it isn't the AP that is tunneled there nor the client, it is the WLAN. So you could have 25 APs with the same guest WLAN, but really it is still just 1 WLAN anchored to the controller. If for some reason you wanted to do more than 25 different WLANs, then I would suggest splitting those WLANS between your interfaces...
    I think the bottom line though is that if you aren't worried about over-subscribing your interface on the anchor controller, there shouldn't be any concerns.

  • Can i use Internal DHCP on WLC Guest Anchor (5508) with Foreign HA 5508

    DHCP Proxy is required in order to use local WLC DHCP Pool (Guest Anchor), however reading Wireless Q&A (http://www.cisco.com/image/gif/paws/107458/wga-faq.pdf) states that both foreign and guest anchors must have :
    In a Wireless guest access setup, the DHCP proxy setting in the Guest Anchor controllers
    and the internal controller must match. Else, DHCP request from clients are dropped and you
    see this error message on the internal controller......
    However, if you have N+1 you cannot use internal DHCP; does this also "grey" out the DHCP Proxy global setting? If so, will the Guest Anchor still work with an internal DHCP pool even though foreign and guest controllers have a mismatch in the DHCP Proxy (global) setting?
    Many Thanks
    Kam

    Well, it should still work... DHCP proxy is required on the WLC that has a DHCP scope. With the newer code versions, you can enable DHCP proxy per interface, so this doesn't have to be global.

  • Guest WLAN with Anchor WLC - roaming problems

    Hello,
    My wireless network consists of 3 WLC 4402 which manage 40 APs.
    I have a fourth WLC which I installed on my DMZ for guest VLAN anchoring and web authentication.
    Everything works fine but I have a problem:
    If my client associates with an AP and then I authenticate, I'm ready to pass traffic. As soon as my client roams to an AP managed by a different WLC I need to authenticate again. If I roam back to the first AP I need to reauthenticate.
    In my guest WLAN I use WEB authentication provided by the internal web server of the Anchor WLC.
    Thanks everybody

    Here is the output of show mobility summary.
    The last WLC is the anchor.
    WLC1
    Symmetric Mobility Tunneling (current) .......... Disabled
    Symmetric Mobility Tunneling (after reboot) ..... Disabled
    Mobility Protocol Port........................... 16666
    Mobility Security Mode........................... Disabled
    Default Mobility Domain.......................... mob1
    Multicast Mode .................................. Disabled
    Mobility Domain ID for 802.11r................... 0x392f
    Mobility Keepalive Interval...................... 10
    Mobility Keepalive Count......................... 3
    Mobility Group Members Configured................ 2
    Mobility Control Message DSCP Value.............. 0
    Controllers configured in the Mobility Group
    MAC Address IP Address Group Name Multicast IP Status
    00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
    00:23:04:7d:73:20 10.20.1.21 mob1 0.0.0.0 Up
    WLC2
    Symmetric Mobility Tunneling (current) .......... Disabled
    Symmetric Mobility Tunneling (after reboot) ..... Disabled
    Mobility Protocol Port........................... 16666
    Mobility Security Mode........................... Disabled
    Default Mobility Domain.......................... mob1
    Multicast Mode .................................. Disabled
    Mobility Domain ID for 802.11r................... 0x392f
    Mobility Keepalive Interval...................... 10
    Mobility Keepalive Count......................... 3
    Mobility Group Members Configured................ 2
    Mobility Control Message DSCP Value.............. 0
    Controllers configured in the Mobility Group
    MAC Address IP Address Group Name Multicast IP Status
    00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
    00:23:04:7d:62:a0 10.20.1.22 mob1 0.0.0.0 Up
    WLC3
    Symmetric Mobility Tunneling (current) .......... Disabled
    Symmetric Mobility Tunneling (after reboot) ..... Disabled
    Mobility Protocol Port........................... 16666
    Mobility Security Mode........................... Disabled
    Default Mobility Domain.......................... mob1
    Multicast Mode .................................. Disabled
    Mobility Domain ID for 802.11r................... 0x392f
    Mobility Keepalive Interval...................... 10
    Mobility Keepalive Count......................... 3
    Mobility Group Members Configured................ 2
    Mobility Control Message DSCP Value.............. 0
    Controllers configured in the Mobility Group
    MAC Address IP Address Group Name Multicast IP Status
    00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
    00:23:04:7d:79:80 10.20.2.21 mob1 0.0.0.0 Up
    WLCAnchor
    (Cisco Controller) >show mobility summary
    Symmetric Mobility Tunneling (current) .......... Disabled
    Symmetric Mobility Tunneling (after reboot) ..... Disabled
    Mobility Protocol Port........................... 16666
    Mobility Security Mode........................... Disabled
    Default Mobility Domain.......................... mob1
    Multicast Mode .................................. Disabled
    Mobility Domain ID for 802.11r................... 0x392f
    Mobility Keepalive Interval...................... 10
    Mobility Keepalive Count......................... 3
    Mobility Group Members Configured................ 4
    Mobility Control Message DSCP Value.............. 0
    Controllers configured in the Mobility Group
    MAC Address IP Address Group Name Multicast IP Status
    00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
    00:23:04:7d:62:a0 10.20.1.22 mob1 0.0.0.0 Up
    00:23:04:7d:73:20 10.20.1.21 mob1 0.0.0.0 Up
    00:23:04:7d:79:80 10.20.2.21 mob1 0.0.0.0 Up
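The output above shows each foreign WLC listing only itself and the anchor, while the anchor lists all four controllers. As an added example (not code from the thread or from Cisco), the following Python script parses show mobility summary text from several controllers and reports where the mobility lists are not a full mesh; the sample outputs are constructed to mirror the four controllers above, and the names find_mobility_gaps and sample_summary are my own, not Cisco commands.

```python
"""Audit 'show mobility summary' output from several WLCs for mobility-list gaps.

Added example, not part of the thread. The sample outputs below are constructed
to mirror the thread's four controllers (group mob1); find_mobility_gaps() and
sample_summary() are hypothetical helper names, not Cisco commands or APIs.
"""
import re

# One member row of the "Controllers configured in the Mobility Group" table:
# MAC, IP, group name, multicast IP, status.
MEMBER_RE = re.compile(
    r"^\s*([0-9a-f:]{17})\s+(\d+(?:\.\d+){3})\s+(\S+)\s+(\d+(?:\.\d+){3})\s+(\S+)\s*$",
    re.IGNORECASE,
)
DOMAIN_RE = re.compile(r"Default Mobility Domain\.+\s*(\S+)")


def parse_mobility_summary(text):
    """Return (default_domain, {member_ip: (group, status)}) for one controller."""
    domain, members = None, {}
    for line in text.splitlines():
        d = DOMAIN_RE.search(line)
        if d:
            domain = d.group(1)
            continue
        m = MEMBER_RE.match(line)
        if m:
            _mac, ip, group, _mcast, status = m.groups()
            members[ip] = (group, status)
    return domain, members


def find_mobility_gaps(outputs):
    """outputs maps controller management IP -> its raw 'show mobility summary'.
    Seamless inter-controller roaming needs a full mesh: every controller must
    list every other one under the same group name, and each entry must be Up.
    Returns human-readable problems (empty list when the mesh is complete)."""
    parsed = {ip: parse_mobility_summary(txt) for ip, txt in outputs.items()}
    problems = []
    domains = {dom for dom, _ in parsed.values()}
    if len(domains) > 1:
        problems.append("default mobility domain mismatch: %s" % sorted(domains))
    for ip, (_dom, members) in sorted(parsed.items()):
        # Controllers that exist in the audit set but are absent from this list.
        for peer in sorted(set(parsed) - set(members) - {ip}):
            problems.append("%s does not list %s" % (ip, peer))
        for peer, (group, status) in members.items():
            if status.lower() != "up":
                problems.append("%s -> %s is %s" % (ip, peer, status))
            if peer in parsed and parsed[peer][0] != group:
                problems.append("%s lists %s under group %s" % (ip, peer, group))
    return problems


def sample_summary(domain, rows):
    """Build constructed 'show mobility summary' text from (mac, ip, group, status) rows."""
    head = ("Default Mobility Domain.......................... %s\n"
            "Mobility Group Members Configured................ %d\n"
            "Controllers configured in the Mobility Group\n"
            "MAC Address IP Address Group Name Multicast IP Status\n")
    body = "".join("%s %s %s 0.0.0.0 %s\n" % r for r in rows)
    return head % (domain, len(rows)) + body


# Constructed rows using the addresses quoted in the thread.
ANCHOR = ("00:23:04:7d:3e:e0", "10.25.1.21", "mob1", "Up")
WLC1 = ("00:23:04:7d:73:20", "10.20.1.21", "mob1", "Up")
WLC2 = ("00:23:04:7d:62:a0", "10.20.1.22", "mob1", "Up")
WLC3 = ("00:23:04:7d:79:80", "10.20.2.21", "mob1", "Up")

# As in the thread: each foreign WLC knows only itself and the anchor, while
# the anchor knows everyone. Foreign-to-foreign roams therefore have no tunnel.
SAMPLE_OUTPUTS = {
    WLC1[1]: sample_summary("mob1", [ANCHOR, WLC1]),
    WLC2[1]: sample_summary("mob1", [ANCHOR, WLC2]),
    WLC3[1]: sample_summary("mob1", [ANCHOR, WLC3]),
    ANCHOR[1]: sample_summary("mob1", [ANCHOR, WLC2, WLC1, WLC3]),
}
```

Running find_mobility_gaps(SAMPLE_OUTPUTS) on the constructed data reports six missing foreign-to-foreign entries; once every controller's list contains all four members, it reports nothing.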

  • Guest VLAN - FlexConnect Central Switching vs Anchor WLC

    I have a general question about securing the guest WLAN in FlexConnect deployment -
    Option 1: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC and the guest VLAN is trunked from that WLC to the firewall DMZ through a switch
    Option 2: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC but tunneled to an anchor WLC in DMZ
    Option 3: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC and an ACL is applied to the Guest interface/VLAN in the WLC itself
    What would be the best option in the FlexConnect Centralized WLC deployment to restrict guest traffic from accessing the corporate network? What are the advantages and disadvantages of those three options?
    I would highly appreciate your input on this topic.
    Thank you.

    Yes, you're right.
    Once the anchor/tunnel goes down, all the L3 services will be initiated for the guest WLAN from the Foreign until the Anchor comes up.
    In an Anchor-down situation you need to configure the foreign WLC's guest WLAN mapped to a dummy interface; this way guest clients will have no network access.
    If multiple Anchors are mapped to the datacenter's foreign on the guest WLAN, then the guest users will tunnel the traffic to an available anchor; by default it'll round-robin among anchors.

  • 3850's using WLC 2504 as a guest anchor

    Hi,
    Does anyone know if it's possible to use a WLC 2504 as a guest anchor when we have deployed 3850s for the regular corporate WLAN?
    The corporate stuff is all up and running OK using 3850s, but I've now come to look at the guest provisioning and I'd like it to terminate on a guest anchor in the DMZ if possible. Just wondering if it's possible to do this with that setup?
    Thanks,
    Ian.

    Do you know if it's possible to keep the 3850's as MC and MA's and deploy a 5760/5508/WiSM2 as just a guest anchor.
    Yes, this is possible & what I have done in my production network (5760 as MC & Guest Anchor where 3850 as MA). In your case you can have 3850 MC/MA while 5508 as Guest Anchor.
    Good to see my blog helps you & thanks for the comment.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • ISE 1.2 - CWA supplicant provisioning with anchor WLC

    Hi all,
    Having an issue with supplicant provisioning via CWA on an anchor controller. I am able to connect via CWA and authenticate etc no problems but when the device registration page appears it says "unable to connect to the network at this time" - the mac address is populated but the button says try again. Once I click try again it cycles back to the original guest portal login page. In the reports section the failed supplicant provisioning message is "Error while trying to determine access privileges: Fail to get hostName from session cache.".
    I have tried the same policy without the anchor (ie local controller) and it works perfectly. Interestingly enough if I manually register the device first then connect to the guest portal it allows me to click register and proceed to supplicant provisioning. I have also tried the anchor setup using peap and the NSP redirect - this also works perfectly.
    I can confirm ahead of time that firewalls etc are not an issue with permit IP any any between all working parts - no blocks no drops etc. The policy is the standard trustsec CWA setup with Enable self-provisioning ticked. For what it is worth I am absolutely confident with the config having deployed this before - albeit without an anchor controller.

    Stephen,
    I was able to work with TAC and the customer account team to find a resolution. The issue is with the Anchor WLC and the session not being replicated. I was able to get around it by disabling RADIUS accounting for the SSID on the anchor controller, but when looking at the bug it looks like an alternative fix is to disable fast SSID switching, which would cause issues with BYOD in the dual-SSID world. I'm still doing testing, but the accounting change seems to have solved it. The bug ID is: CSCui38627

  • Access point register on anchor wlc in DMZ

    Hello,
    I have an environment in which two WLC 4400 are connected to an anchor WLC 4400 in the DMZ. This WLC in the DMZ passes the Guest WLAN to the other two WLCs and terminates the CAPWAP tunnel. The APs in the remote sites, which are configured to register to the WLCs in the remote sites, are usually registered on the two WLCs, but sometimes they register to the WLC in the DMZ. How is this possible if between the WLC in the DMZ and the other WLCs there is a firewall that blocks all traffic except CAPWAP traffic?
    If I reboot the APs they register on the two correct WLCs in remote sites.
    Thanks

    The AP also uses CAPWAP. You should only allow CAPWAP connections from the internal controllers on the FW.

  • Guest access to the Internet with Guest Anchor Controller

    Hi;
    We are doing our initial implementation of an enterprise wireless system.  I deployed a WLC 5508 connected to our data center core switch using LAG.  The 5508 is configured in FlexConnect mode since it is serving APs deployed to a handful of remote offices.  Employee wireless access has been rolled out and is working well.
    I am designing guest access.  As is typical, I want to enforce a policy that guest wireless traffic is forwarded to the Internet Edge in our DMZ and directed out to the Internet.  We do not plan to deploy a Guest Anchor controller in the first phase of the roll out.
    What is the best way to enforce forwarding of guest traffic towards the Internet Edge once the guest traffic arrives at the 5508?  A guest VLAN between the core switch and the Internet Edge isn't feasible since there is a firewall between the core and DMZ that is configured in Routed mode.
    Thanks for the assistance!  Glenn Morrison

    You'd have to do a VLAN between the core and the firewall for the guest traffic until you get the anchor installed.
    HTH,
    Steve

  • Web Auth using 5760 Guest Anchor and ISE

    I am trying to deploy a new guest wireless solution using 3650s as the MA, a 5760 as the MC, and a 5760 as the guest anchor. ISE is being used as the guest auth server.
    When no auth requirements are set on the guest WLAN, everything works fine. I get an IP address and can get to the internet, VPN, etc. As soon as I enter the security web-auth command on the WLAN, my client drops and goes into an Acquiring IP Address state. When I check the client on the controller, it is in a Policy Manager State of START.
    As soon as I remove the security web-auth command from the WLAN, I connect right up. It is my understanding that in guest, the client gets an IP address first in order to get redirected to the spoofed external web page, in my case ISE.
    Any thoughts on what I am missing on my guest anchor, or MA config?  Do I need to make any changes to the wlan on the MC?  Any documentation about the relationship between the MA, MC, and guest anchor would be appreciated, I am not 100% sure which devices are required to have the client reach the guest anchor and get connected.

    I hope this may help you
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/117742-configure-wlc-00.html
    HTH
    Rasika
    *** Pls rate all useful responses ****
