E2500 with multiple APs for guest access

I got 5 E2500 routers and the main one has setup to IP address 192.168.1.254 and the rest APs are programmed into the bridge mode with the IP address 192.168.1.245 through 248. The secured wireless network  works fine when I roaming between these APs but the only AP that I can get internet access for guest wireless network is the main (192.168.1.254) router; for every other APs, I will get the guest log on screen (prompt for guest access password) and no internet access after I type in the correct access password. Does the E2500 support multiple APs guest or it requires a special way to configure it? Please help...
Jim

Guest Access allows you to provide Internet connection to your guests, however, they will not have access to your computers or other personal data. When you set up your Valet or Linksys Wireless-N router, the Cisco Connect software will create two wireless networks with the same Wireless Network Name (SSID) that differs from one another by a -guest suffix to one of the wireless network names.
So first of all remove all the networks from the preferred list of the computer and then try to connect.  

Similar Messages

  • 2504 with new-architecture enabled breaks MAC auth for guest access

    Hello,
    We have (2) 2504 WLC running version 7.6.120. WLC1 is the local controller and WLC2 is an achor controller for guest-access. We need to incorporate a 3850 for use with the WLC2 anchor. The guest access is currently working with Mac-Auth and Mac-Auth-Fail to Web-Auth.
    When converged access is enabled on the WLC1 and WLC2, the MAc-Auth no longer works. That is, the previously authenticated user is now redirected to the Web-Auth page. The local controller shows the user as authenticated but the Anchor controller shows the state as WEb-Auth-REQD.
    Rolling back using "config mobility new-architecture disable" and rebooting resolves the issue.
    Does anyone what changes from the old to the new that would break this mac-auth/web-auth configuration?

    You should reach TAC for these sort of issues. Not many people deploying this CA setup yet & you may not get direct feedback immediately.
    HTH
    Rasika

  • Create a flat file with multiple characters for enclosures

    Hello,
    we use OWB 11g2 (11.2.02).
    Now we try to create a flat file with multiple characters for enclosures. The manual wrote:
    "Enclosures (Left and Right): Some delimited files contain enclosures that denote text strings within a field. If the file contains enclosures, enter an enclosure character in the text box or select one from the list. The list displays commonenclosures. However, you may enter any character. The default for both the left and right enclosure is the double quotation mark ("). You can specify multiple characters and hexadecimal characters as field enclosures."
    But it will not work. The OWB use the first character from the left enclosure definition as left enclosure and the second one as right enclosure !?!
    Did anyone know this behavior? Is there a solution for this problem?
    Thanks and regards
    Norbert

    HI Raghu,
               Use the function module 'GUI_UPLOAD'.
               In that you have to specify the field_separator value = 'X' in export section.
    Regards,
    S.C.K

  • Snmp error for guest access ticket on two WLC

    Hi,
    I have one wcs (5.0.56.2) and two wlc 4400 ( 5.0.148.2). When i try to create a ticket for guest access on the two wlc without time restriction, it works well. But when I defined time restriction for the ticket, i have a snmp error on the passive wlc (snmp operation to device failed, attempt to set conflicting attribute value) and not on the active xlc.
    Thks.

    The lobby ambassador can specify the amount of time that the guest user accounts remain active. After the specified time elapses, the guest user accounts expire automatically.
    The local user database is limited to a maximum of 2048 entries and is set to a default value of 512 entries (on the Security > General page). This database is shared by local management users (including lobby ambassadors), net users (including guest users), MAC filter entries, and disabled clients. Together these cannot exceed the configured database size.
    For the configuration following URL may help you
    http://www.cisco.com/en/US/docs/wireless/controller/5.0/configuration/guide/c5users.html

  • Using ISE for guest access together with anchor controller WLC in DMZ

    Hi there,
    I setup a guest WLAN in our LAB environment. I have one internal WLC connection to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal which works fine.
    To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
    As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
    Does anyone know of a better solution for this ? Where to place the ISE for this scenario, etc ?
    Thx
    Frank

    So i ran into a similar scenario on a recent deployment:
    We had the following:
    WLC-A on private network (Inside)
    ISE Servers ISE01 and ISE02 (Inside)
    WLC-B Anchor in DMZ for Guest traffic (DMZ)
    ISE Server 3 (DMZ)
    ISE01 and ISE02 are used for 802.1X for the private network WLAN.
    Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
    The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth.  Since we want to do CWA, we use Mac Filtering with ISE as the radius server.  If you send this traffic RADIUS authentication for Mac Filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to.  Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails.  (This was a limitation of ISE 1.1.  Not sure if this persists in 1.2 or not.
    So what now?  In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentiction from the Foreign controller so that the client will use a DNS of https://ise03.mydomain.com/... to redirect the client to.  Once the session is authenticated, ISE03 will send a CoA back to the foreign which will remove the redirect for the session.  Note, you do have to allow ISE03 to send a CoA.
    In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node.

  • WLC as a Mobility Anchor for guest access - Management on DMZ or not DMZ

    When using Guest Access Cisco recommend a Mobility Anchor Controller be placed on a DMZ and the guest access wireless Lan is tunneled to this controller.  This means that 2 DMZ subnetworks are required - one for the management interface and one for the wireless lan's dynamic interface itself.
    I am trying to see if there are any disadvantages/security risks using 2 physical ports on the controller (no LAG) and placing one on a corporate network inside the firewall for management and to terminate the mobility anchor tunnel, and one outside the firewall on a DMZ for the wireless lan's dynamic interface.
    Advantages that I see are that no tunnels need to go though a firewall, management of the WLC is kept completely inside the corporate network, protected by the firewall and not left on the DMZ.
    Thanks.

    OK, so to recap;
    - place the 2nd WLC in the DMZ with only 1 port (set for dynamic AP management)?
    - Then Anchor the guest SSID (on it's DMZ IP instead of management IP as is now)
    And to make that kind of anchoring work, I have to open ports below on the firewall.. right?
    UDP port 16666 for inter-WLC  communication, and IP protocol ID 97 Ethernet in IP for client traffic.
    and:
    •TCP 161 and 162 for SNMP 
    •UDP 69 for TFTP 
    •TCP 80 or 443 for HTTP, or HTTPS for GUI access 
    •TCP 23 or 22 for Telnet, or SSH for CLI access
    Thanks to confirm that

  • NAC guest server with RADIUS authentication for guests issue.

    Hi all,
    We have just finally successfully installed our Cisco NAC guest server. We have version 2 of the server and basically the topology consists of a wism at the core of the network and a 4402 controller at the dmz, then out the firewall, no issues with that. We do however have a few problems, how can we provide access through a proxy without using pak files obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a radius attribute etc.
    The second problem is more serious; refer to the documentation below from the configuration guide for guest nac server v2. It states that hotspots can be used and the Authentication option would allow radius authentication for guests, I’ve been told otherwise by Cisco and they say it can’t be done, has anyone got radius authentication working for guests.
    https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
    -----START QUOTE-----
    Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
    •Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
    •Self Service—This option allows guest self service. After selection proceed to Step 8.
    •Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
    ----- END QUOTE-----
    Your help is much appreciated on this, I’ve been looking forward to this project for a long time and it’s a bit of an anti climax that I can’t authenticate guests with radius (We use ACS and I was hoping to hook radius into an ODBC database we have setup called open galaxy)
    Regards
    Kevin Woodhouse

    Well I will try to answer your 2nd questions.... will it work... yes.  It is like any other radius server (high end:))  But why would you do this for guest.... there is no reason to open up a port on your FW and to add guest accounts to and worse... add them in AD.  Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest acounts and if you look at it, it leaves everything in the DMZ.
    Now if you are looking at the self service.... what does that really give you.... you won't be able to controll who gets on, people will use bogus info and last but not least.... I have never gotten that to work right.  Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that.  That is my opinion.

  • Advantages of using a seperate controller for guest access?

    Can someone give me a good reason to use a seperate controller in a DMZ for guest users versus just trunking a DMZ VLAN to the controller. Certainly it makes sense to have a guest controller when you DMZ is not accessable to the controller locations (or you have a bunch of remote locations, but only one internet connection), but in the event that the controllers are located in a place that it can hit the DMZ is there a good reason to use a guest controller.

    I'm not even sure if that is a good reason. You can alway trunk to another non-routed VLAN and stick a cable modem and firewall to give guest user access. I'm working with someone now that thinks this is the way to go, but I've got to add a 4402-12, a switch (need GB connectivity for the controller) at a minimum. Again, it would make perfect sense if the location of the internet was not in the same building.

  • Any Best Practices for Guest Access?

    Looking to create a guest access WLan so that Vendors can have internet access along with vpn into their own network while disallowing access to our internal systems.
    I have created a Guest WLan and configured it on the WLC side. I think all I have to do now is to configure the core switch with athe New 99 Vlan along with configuring the trunk ports connected to the WLC's.
    My question is, am I missing anything in the setup? and are there any "best practices" wen it comes to Guest access? I am hoping to use web-passthru authentication. I dont believe this requires any AAA or Radius servers which we dont have set up. I will probably just want a single "guest" account which will provide internet access without allowing access to the internal lan. Am I on the right track here?

    ***************Guest WLC****************** (Cisco Controller) >show mobility summary Symmetric Mobility Tunneling (current) .......... Enabled Symmetric Mobility Tunneling (after reboot) ..... Enabled Mobility Protocol Port........................... 16666 Default Mobility Domain.......................... DMZ Multicast Mode .................................. Disabled Mobility Domain ID for 802.11r................... 0x43cd Mobility Keepalive Interval...................... 10 Mobility Keepalive Count......................... 3 Mobility Group Members Configured................ 2 Mobility Control Message DSCP Value.............. 0 Controllers configured in the Mobility Group MAC Address        IP Address      Group Name                        Multicast 00:19:aa:72:2e:e0  10.192.60.44    Champion Corp                    0.0.0.0 00:19:aa:72:39:80  10.100.100.20    DMZ                              0.0.0.0 (Cisco Controller) > ***************Corp WLC***************** (Cisco Controller) >show mobility summary Symmetric Mobility Tunneling (current) .......... Enabled Symmetric Mobility Tunneling (after reboot) ..... Enabled Mobility Protocol Port........................... 16666 Default Mobility Domain.......................... Champion Corp Multicast Mode .................................. Disabled Mobility Domain ID for 802.11r................... 0x46d5 Mobility Keepalive Interval...................... 10 Mobility Keepalive Count......................... 3 Mobility Group Members Configured................ 2 Mobility Control Message DSCP Value.............. 0 Controllers configured in the Mobility Group MAC Address        IP Address      Group Name                        Multicast IP    Status 00:19:aa:72:2e:e0  10.192.60.44    Champion Corp                    0.0.0.0          Up 00:19:aa:72:39:80  10.100.100.20    DMZ                              0.0.0.0          Up (Cisco Controller) >

  • Webproxy for guest access

    Hi,
    I have deployed web proxy in explicit mode with integration with Active directory.
    When my users are authenticated they are getting the access to the internet as per the policies.
    I want to know, if any guest user's come and try to access the internet he wont be a authenticated user hence there will be no access to rule.
    Is there any way to create a guest access policy that if the user is not found in the AD but he should get access through the second policy.
    I have seen there is a option for the guest but not sure how this works.

    Please see the user guide: http://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa8-0/WSA_8-0-0_UserGuide.pdf and go to page 112 for "Granting Guest Access After Failed Authentication"
    Basically when you create an Identity with authentication, tick the option for "Support Guest privileges if a user fails authentication.
    Then ideally you will need to create 2 Access Policies using that Identity:
    1. Access Policy that is using the authentication.
    2. Access Policy that is using the same Identity and when you specify the Identity use and under "Authorized Users and Groups" select the "Guests (users failing authentication) then submit. (please note to put this second access policy under the authenticated access policy not place it before the authenticated access policy), after this you can specify the level of access for this access policy.
    Hope this helps

  • ISE with CWA and wired guest access via WLC Anchor

    Can an Anchor WLC (WLCa) provide a wired guest LAN service if the wlan guest access is using CWA?
    We are deploying a WLAN only ISE solution (it is a full license ISE though) but they just want a few wired guest ports.  I was hoping to add L2 switch to the DMZ where the WLCa is and that the L2 switch wouldnt need any other config as the WLCa just bridges the wired to the wlan vlan.  This Im sure i have done before.
    So now I have set wiredguest the same as i have done before ISE and my wired clients get an IP address, but when they redirect, the URL they get is different, and the redirect just doesnt work.
    It comes out as:
    https://my_ise_ip:8443/guestportal/Login.action?switch_url=https://my_ise_host/login.html&wlan=my_wired_guest_lan&redirect=www.google.co.uk
    So does my simple L2 only switch need an ISE config on it or should the WLCa be handling or the redirection just as it would for a wlan device.

    The ISE never receives an auth entry, so i dont believe the redirect is working for the wired client.  So even though the clients browser gets a redirect url which fails connection, the client info in the WLCa doesnt have a redirect ACL listed like a wlan client would

  • Create URL with multiple values for one parameter

    Post Author: cbamberg
    CA Forum: General
    While I have no problems to create the URL to open a report with a single value for a parameter from my Java application, I don't know how to format multiple values for a parameter when I want to pass the "&prompt0=" value. The values I want to pass are numbers, not strings.
    Anyone can help?

    Hi gayatri,
    you need to select both the product id and custname.put a count on the prodid column and write a condition of count>1 and apply it.
    Thanks
    Hari

  • Cisco WLC Whitelist for Guest Access? and securing guest-access?

    Is it possible to allow certain websites to bypass the web authentication pages, so that they do not need to autnehticate to get to our own website, but do have to if they wish to go anywhere else?
    Looking at a 5508 model at the moment
    Thanks

    Hello Stephen,
    Exactly how long is "an extended period of time?" Also, is this period enforced in the controller in some way, and if so, can it be configured?
    I'm asking because I have a WLAN for guests with a pre-authentication ACL allowing VPN traffic (ESP, IKE, SSL).
    For "normal" use of this guest WLAN you have to click on an "accept" button on a captive portal page before you can get anywhere with traffic not matching the pre-auth ACL.
    The pre-auth ACL does actually work, but it stops passing any traffic after 5 minutes of use per user. This happens every time and is 100% repeatable.
    So I'm very interested to know if we can change this apparent 5 minute restriction in some way.
    Thanks!
    Chris Slater-Walker
    Senior System Analyst
    Nokia UK Ltd.

  • Sft soundfonts with multiple voices; can only access the default.

    Does anyone have any idea how I can access anything but the first instrument in a sf2 soundfont in GB? My midi controller (m-audio 61-es) can't seem to do, When I use the standard procedure for changing voices, anything past the first voice gives me nada.
    Any help would be much appreciated!
    -e

    Elanb,
    I believe the demo version will only allow you to access a few octaves of any particular soundfont. The full paid version will access all octaves of a soundfont set. As far as volume is concerned I do not believe that is a function of Soundfont Synth in any way. Volume changes are more than likely to be the individual characteristic of whatever soundfont set you have accessed. The quality of soundfont vary from really bad to really good.
    With soundfont synth you can access a particular soundfont set and then make that instrument a new saved preset. Name it and it will appear in your instrument list.
    Hopefully GB3 will have a feature that does what Soundfont Synth does.

  • How can I create a hashmap() with multiple values for the same key?

    I am trying to write an application that will us something like a Map() with multiple values but some have the same key. Is this possible?

    i had the same question. just create a List, add all the values u want to it, and then put the List into the map like u would a normal single value. e.g.
    List list = new ArrayList();
    list.add(value1);
    list.add(value2);
    map.put(key, list);
    i bet u r doing the same course as i am =)

Maybe you are looking for

  • The necessity of WiFi on the iTouch.

    I am looking ot buy my first Touch... upgrading from a nano. I live in a rural area, where the Wifi connections aren't plentiful. I want a touch for 'option' of email and web, but also for some the apps that would be very useful to my business/work.

  • OS 6.0.2 Battery Issues

    Is there way to revert back to the old version? I wasn't having a wifi issue like many other users here. I am now finding myself trying to charge my phone whenever possiable to just keep a charge for 1 day. This was never an issue befoere 6.0.2

  • ODBC driver not recognized by Windows ODBC Data Source Administrator

    Using Windows XP Professional with all patches. I installed Oracle 10g Client, then removed ODBC driver and loaded 10.1.0.1.3 ODBC driver. Windows ODBC Data Source Administrator will not see this driver. (It also didn't see the previous driver, which

  • Main in Leopard Issues

    After installing Leopard, my Mail program doesn't work. Everything else works, but when I double click on Mail, it says, "You cannot use the application "Mail" with this version of Mac OS X."

  • How to read sampled data info from a "*.au"file into an array?

    I need to manipulate the sound file directly using DSP, the first step is to read sampled data from "*.au" file into an array. How can I do that? Thanks a lot!!