Enterprise Wireless Guest IP Address Management
Hi
We have requirement to deploy wireless guest access for the Enterprise.
Would appreciate feedback as to wether to use internal DHCP which is centrally managed or using WLC DHCP.
Some Considerations
1. IP Address reporting historical on number of addresses used, this could be provided by the guest access server on users logged or can WLC
provide historical IP address reporting
2. Centralised address configuration versus distributed on each controller.
3. Correlating guest user to IP address allocated, we need to use this for forensic identification of the IP address to the user as guest access will be authenticated via the Radius server and from there access the Internet via a transparent proxy. No requirement for second authentication when accessing the Internet.
Any feedback on real world experiences would be greatly appreciated.
Regards
Bill
Hi,
The below doc is the design and deployment Guide for Guest access.. This is just like a bible!!
http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html
Lemme know if this helps.. and please dont forget to rate the usefull posts!!
Regards
Surendra
Similar Messages
-
Hi I need help in configuring unified wireless guest access. i have followed the guide
http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html#wp999843.
But the problem is it still does not work. what i dont get is that the interface for the Guest SSID for the foreign controller is management, does this mean that i have to get an IP address first from the management segment before i can get an IP from the anchor WLC?
my setup is that i have an anchor controller which is on a different LAN from where my foreign WLC is. the anchor WLC has the DHCP scope and the local net user database. I have already join the two WLC to each other's mobility group. also i have configured the mobility anchor on the WLAN(SSID) of the foreign controller.
Another thing is that the AP im trying to use is on a different site from where my controller is. Im not sure if this is the one causing problem.
Can someone help point out my mistake.Its rare that I have a difference in opinion from both of you guys but let me share with you an issue I had.
If you map the foreign controller to the management interface and the tunnel breaks for whatever reason the clients will get dumped on the management interface, even though the WLAN is anchored to the DMZ controller.
I know this becuase I seen this for my self when I had anchor issues.
I opened a tac case and it was suggested to use a "dummy interface" on the foreign controller. I forget who I spoke to, this is over a year now. But I then followed up witha Cisco SE on the Advance Wireless team and he commented this is what they do as well. And to add further, a large hospital system here in the Tex Med center had Cisco advance team install their controllers and they too had dummy interfaces for the foreign controllers for guest.
Just my 2 cents ... Add a dummy interface call he dummy_guest_interface and tie it to 222.222.222.222 or something like ... no need to add anything on the wired. -
Wireless Guest Network using Cisco 4402 as an Anchor Controller
Hello,
We have recently redesigned our wireless guest network in accordance to Cisco's recommended deployment using the anchor controller in the DMZ. We have created two mobility groups (enterprise and anchor). The anchor controller and DMZ has two subnets (guest managment and guest clients). The guest management subnet is connected to the controller and firewall allowing the mobility groups and EOIP tunnels while the guest client network is also connected to the controller and firewall to push the client traffic directly out the firewall. The setup works well but the one part that I'm not happy with is the DHCP. Currently DHCP is being handled on the firewall because of issues we had with dhcp relay and the controllers internal dhcp service.
Does anyone have any information on getting DHCP relay working or the internal dhcp service on the controllers when using as a anchor?
This is basically the setup guide that we followed.
http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html
Thanks!Hi,
Make sure you have the IP helper address configured under the VLAN interface on the L3 and also make sure to disable DHCP proxy on both the WLC (Anchor and Foreign).
This will help us as well..
lemme know if this answered your question..
Regards
Surendra
====
Please dont forget to rate the posts which answered your question and mark it as answered or was helpfull -
Wireless guest access with CWA and ISE using mobility anchor
My team is trying to demo wireless guest access using CWA with an ISE server. We appear to be hitting an issue when combining this with mobility anchoring.
When we don't use a mobility anchor the authentication goes off without a hitch seemingly proving that the ISE configuration is sound. The test laptop associates and gets redirected, auths, moves to the RUN state and access to the network is granted.
When the mobility anchor is enabled, the test laptop does get redirected, authentication is successful, but the process does not fully complete, as on the foreign controller the user is in RUN state whereas on the anchor the user is still stuck at CWA required.
Now, I've read the L2 auth occurs between the foreign controller and ISE, and the L3 auth occurs between the anchor controller and ISE, but this does not appear to borne out in packet captures of the process where both parts of the auth seems to go to and from the foreign controller and ISE.
I'm curious to know if anyone else has come across this issue, or has ideas where I should be looking in the config or debugs to find the root cause.
When setting up the controllers and ISE this guide (linked below) was used and the controllers are 2504 controllers on 7.5 series software and ISE is on the latest 1.2 patches:
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
To me it seems to be mobility related, but the authentication flow does seem to be off compared with what the guide says.FOREIGN
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Adding mobile on LWAPP AP 0c:d9:96:ba:7d:20(1)
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Association received from mobile on BSSID 0c:d9:96:ba:7d:2f
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Global 200 Clients are allowed to AP radio
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Max Client Trap Threshold: 0 cur: 0
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Rf profile 600 Clients are allowed to AP wlan
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Re-applying interface policy for client
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4565 setting Central switched to TRUE
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4568 apVapId = 1 and Split Acl Id = 65535
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying site-specific Local Bridging override for station 00:1e:c2:c0:96:05 - vapId 1, site 'AP-Group-CHEC.default', interface 'management'
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying Local Bridging Interface Policy for station 00:1e:c2:c0:96:05 - vlan 84, interface id 0, interface 'management'
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfProcessAssocReq (apf_80211.c:7830) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Idle to AAA Pending
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station: (callerId: 20) in 10 seconds
*radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created for mobile, length = 253
*radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created in mscb for mobile, length = 253
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Received SGT for this Client.
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 255 to 255
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 84
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Re-applying interface policy for client
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 0 on mobile
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
MAC: 00:1e:c2:c0:96:05, source 2
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Initializing policy
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfMsAssoStateInc
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 1800, apfMsTimeOut '1800' and sessionTimerRunning flag is 0
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station: (callerId: 49) in 1800 seconds
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 1800
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
*DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
*DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
*DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmQueryRequested'
*DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
*DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
*DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmQueryRequested'
*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 apfMsRunStateInc
*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)
*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 5793
*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Adding Fast Path rule
type = Airespace AP Client
on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
IPv4 ACL ID = 255, IPv6 ACL ID = 255,
*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206 Local Bridging Vlan = 84, Local Bridging intf id = 0
*mmMaListen: Jan 28 23:05:02.363: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
*pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
*pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
*pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 0.0.0.0 plumbing in FP SCB
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP processing DHCP REQUEST (3)
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP xid: 0xafea6bc9 (2951375817), secs: 5, flags: 0
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP chaddr: 00:1e:c2:c0:96:05
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP requested ip: 10.130.98.8
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP received op BOOTREPLY (2) (len 320,vlan 84, port 13, encap 0xec07)
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP processing DHCP ACK (5)
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP xid: 0xafea6bc9 (2951375817), secs: 0, flags: 0
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP chaddr: 00:1e:c2:c0:96:05
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP ciaddr: 0.0.0.0, yiaddr: 10.130.98.8
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP siaddr: 10.30.4.173, giaddr: 0.0.0.0
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP server id: 1.1.1.2 rcvd server id: 1.1.1.2
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) DHCP Address Re-established
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Reached PLUMBFASTPATH: from line 6978
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
type = Airespace AP Client
on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
IPv4 ACL ID = 255, IPv6 ACL ID
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206 Local Bridging Vlan = 84, Local Bridging intf id = 0
*DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
*DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 Assigning Address 10.130.98.8 to mobile
*DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
*DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
*DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP successfully bridged packet to STA
*pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
*pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4
*pemReceiveTask: Jan 28 23:05:03.890: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 10.130.98.8 plumbing in FP SCB
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Received SGT for this Client.
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 0 to 255
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 AAA redirect is NULL. Skipping Web-auth for Radius NAC enabled WLAN.
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
MAC: 00:1e:c2:c0:96:05, source 2
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Applying cached RADIUS Override values for mobile 00:1e:c2:c0:96:05 (caller pem_api.c:2307)
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Applied RADIUS override policy
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
type = Airespace AP Client
on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
IPv4 ACL ID = 255, IPv6 ACL ID
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206 Local Bridging Vlan = 84, Local Bridging intf id = 0
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Change state to RUN (20) last state RUN (20)
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfMsAssoStateInc
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 3600, apfMsTimeOut '1800' and sessionTimerRunning flag is 1
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station: (callerId: 49) in 3600 seconds
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 3600
*apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
*apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
*pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
*pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4 -
I am looking for how to track the number of wireless guest users that have used wireless during a month. I see the enterprise guest management options but that is real overkill in this situation because I only have two 1200 series autonomous APs that we want to track guest usage on.
If you are on the technical side of things you could modify the piece of code that I wrote for a WLC to create guest accounts. I am currently working on logging of the users that are created with this code. Then you could simply add up the users and and have date and times. Find the code here: https://sourceforge.net/projects/simple-swag/ The original intention of the code was a simple way for administrators to provide simple Lobby Ambassidor like function to a simple web interface and then provide customized guest user instruction page. In the background it uses ssh to talk to the controller and setup the account. Its written in PHP so feel free to try your hand at it.
-
Hello,
I would like to add a wireless guest to a UC 540
A couple of questions, how can I point DHCP to guest ?
I need a route to the public gateway ?
Need assistance with an ACL
Thanks for any help
Thuis is what I am planning to add:
dot11 ssid guest
vlan 99
authentication open
authentication key-management wpa
wpa-psk ascii 0 porkguest
interface Dot11Radio0/5/0.99
encapsulation dot1Q 1 native
bridge-group 99
bridge-group 99 subscriber-loop-control
bridge-group 99 spanning-disabled
bridge-group 99 block-unknown-source
no bridge-group 99 source-learning
no bridge-group 99 unicast-flooding
interface Dot11Radio0/5/0
no ip address
encryption vlan 99 mode ciphers aes-ccm
ssid guest
interface Vlan99
ip address
bridge-group 99
ip route 192.168.99.0 new gateway
ip dhcp excluded-address 192.168.99.1 192.168.99.3
ip dhcp pool guest
network 192.168.99.0 255.255.255.0
dns-server 8.8.8.8 4.2.2.2
no domain-nameJust came back from a 6-week holiday in Europe. I'm actually surprised how "well known" the Cisco brand is (not!). For example, we went to Venice and stayed in the island of Lido. It'a big, big hotel but when I looked up there was this big and ugly Zyxel wifi router. This wifi router was servicing around 25 metres length and both sides of the hall.
If you want to keep it low-cost, the cheapest I can think of is Cisco 1130 which you can get from Cisco Refurbished Equipment BU.
However, before you go and consider this, I would seriously look at your internet bandwidth. 0.6 Mbps is not a nice speed to do anything. Trust me, I know because I used to have 256 kbps UL/32 kbps DL home internet and it was a pain.
What I'm saying is, maybe spending money on the wireless is not going to help because your internet speed is slow. You'll get more complaints from guest about slow internet speeds than the lack of wireless. -
Wireless Guest Portal with Device registration
Hi,
I have configured the ISE for wireless guest authentication. Once i got the guest portal and enter usernam/password, it redirecting to Self Provisioning portal for Device Registration. (attached)
I have unchecked the option "enable my device portal" under My Device-->Portal configuraiton (attached)
Can someone please advise, why I'm still getting Self provisioning portal, although I might need this later for On-board provisioning, at this time I just want guest user authentication and allow access to internet.
Thanks in advance.I think you should disable in the DefaultGuestPortal (Administration >> Web Portal Management >> Settings >> Guest >> Multi-Portal Configurations >> DefaultGuestPortal >> Operations .... Uncheck the option Enable Self-Provisioning Flow
Daniel Escalante. -
Hi Guys, I have a wireless requirement from a customer and the customer is looking for the below: 1. Wireless guest access that requires user to input email into the captive portal. But the email address must be verified that it contains certain selected domain names (e.g. example.com or example.org). Any other domain names will be rejected. 2. Customer is looking to add their own logo and change the formatting of the captive portal. Questions: 1. For email verification, does this feature come straight from the WLC standalone box or must ISE be purchased? 2. If the WLC is able to do this without ISE, any online guides that is able to do this? 3. For security reasons, am I able to limit the number of concurrent users using this captive portal? 4. How do a configure the age-out for each connected users after they have successfully logged into the captive portal? 5. Can I customize the captive portal page on the WLC and how do I go about doing it?
Hi Mohanak,
It looks like the formatting ran out. Anyway, not sure if we are on the right topic here but let me get this straight. Customer has a Cisco 2504 Wireless LAN Controller. So, they would like to achieve the below features:
1. Wireless guest access that requires user to input email into the captive portal. But the email address must be verified that it contains certain selected domain names (e.g. example.com or example.org). Any other domain names will be rejected.
2. Customer is looking to add their own logo and change the formatting of the captive portal.
So, some of the questions I have are:
Questions:
1. There is a configuration on the WLC that allows guest users to login using email verification only. Does this feature come straight from the WLC standalone box or must ISE be purchased.
2. If the WLC is able to do this without ISE, is the WLC able to check if the inputted field is a valid email? And can I configure in such a way a particular domain is allowed? (e.g. example.com is permitted but example.org and anything else is reject).
3. For security reasons, am I able to limit the number of concurrent users using this captive portal?
4. How do a configure the age-out for each connected users after they have successfully logged into the captive portal?
5. Can I customize the captive portal page on the WLC and how do I go about doing it? -
WLC 2500 and WCCP for Wireless Guest Users
Hi there
I would like to redirect web traffic from WLANs on a Wireless LAN Controller 2500 to a proxy server in a remote site. I'm using ironport proxy server and Cisco 3560 Layer 3 switch. Basically current scenario is:
Wireless Guest Users get authenticated by web-auth through Access Point 3501 HREAP configured. Guest client gets an IP address on VLAN 100 in remote site. Once they connect to VLAN 100, I want all web traffic to be redirected to the proxy server. I know PAC file may be the easier solution however our guest clients want seamless solution for internet. I am not sure whether WCCP is supported for this.
You advice will be highly appreciated.
RegardsFor guest wireless traffic redirect to proxy server
https://supportforums.cisco.com/thread/2126486 -
Wireless Guest Access with 802.1X (PEAP/MSCHAPv2) and ISE?
Hi,
I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
The WLCs are running 7.3 and ISE is 1.1.1
I'm trying to setup wireless guest access, where the guests connect to a SSID with 802.1X using PEAP/MSCHAPv2.
They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
The credentials will be created by the sponsor, using the sponsor portal on the ISE.
Now to the questions:
Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
Thankyou very much :-)
Best Regards,
Niels J. LarsenHi,
I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
The WLCs are running 7.3 and ISE is 1.1.1
I'm trying to setup wireless guest access, where the guests connect to a SSID with 802.1X using PEAP/MSCHAPv2.
They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
The credentials will be created by the sponsor, using the sponsor portal on the ISE.
Now to the questions:
Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
Thankyou very much :-)
Best Regards,
Niels J. Larsen -
Wlc 5508 and wireless guest vlan
Hi guys,
I have a 5508 running(version 6).
I have an adsl releasing public IP for guest users mapped into vlan 10.
Now i want use this adsl only for wireless guest users
how can i create an ssid and associate to vlan 10 without using ip address(dynamic interfaces requires an ip address,mask,defaul gateway,etcc..).
Thx in advance.Hi,
the fact that you can't ping in the guest SSID is normal. That SSID blocks all traffic until you authenticated on the web page.
If your users are using a proxy to browse the web, all you need to do is to add an exception in the client browser for "1.1.1.1" if that is your virtual ip. So that the proxy doesn't get contacted when client is redirected for authentication.
The second step is to make WLC listen on the proxy port (often it's 8080 for example). Command is "config network web-auth-port" :
http://www.cisco.com/en/US/partner/docs/wireless/controller/6.0/command/reference/cli60.html#wp1728200
Hope this helps,
Nicolas -
Wired + Private Wireless + Guest Networks
I'm attempting to setup a configuration that I don't seem able to get correct. I have a small wired network at my church with a file server and a couple of dozen users, some of which have laptops and would like to be able to roam wirelessly through the building. In addition, I would like to have an unsecured wireless guest network for visitors which provides access to the internet and does not have access to the file server.
The specifics are a wired 192.168.1.xxx network with a NAT'd DSL modem/router. I have 4 Airport Extreme dual radio N devices. I've tried setting the first Airport Extreme unit to shared IP, the only setting that allows me to also use a guest network, with a private SSID handing out 172.0.xxx.xxx addresses and a guest network handing out 10.0.xxx.xxx addresses. It seems logical to me that I would want to used bridged mode to allow my private wireless uses to see the server, but the Airport Extreme tells me I can not use a guest network with that setting.
With this setup, I can not get to my server by name, but I can get to by IP address. I guess that's not a huge problem since I have such a small number of users, I can add the server IP address to a hosts file on each client. What bothers me most is that I can get to the server IP from the guest network as well as the private network. Am I missing something?
My second point of confusion is when I try to configure the other 3 Airport Extremes to extend the network. The configuration tools asks me which wireless network I want to extend, and allows me to choose only the private network OR the guest network. I thought it should be able to extend both networks simultaneously. Am I mistaken on this as well?
I'm certain I've left out plenty of information you may need to assist so please ask, I will gather what ever I can. Thanks in advance.Hello muellgre. Welcome to the Apple Discussions!
Unfortunately, Apple does not provide you with very many options when it comes to their Guest network feature. It is basically designed to work with a single AirPort/Time Capsule router in your network configuration.
As you have found out, it will only be available if you have the AirPort configured as a NAT router and not as a bridge. Also you cannot extend a Guest network. I'm actually surprised that you were given this option.
Since you have a DSL gateway upstream of your AirPorts that is performing as your primary Internet router, you would want all of your AirPorts to be configured as bridges. Regardless if you were connecting them all back to the DSL gateway by Ethernet or creating a WDS extended network.
If you go the route of configuring a single Extreme as a router, you will have a Double NAT configuration, which is not bad in itself, but does add some complexity when attempting to share between network segments.
One option would be to reconfigure the DSL gateway as a bridge, and then, configure one of the Extremes as a router to allow it to handle NAT & DHCP services for the network. This will also give you your guest network. You can also extend this Extreme with the others, but not its guest network ... so, overall, this might not satisfy all of your networking requirements. -
IPv6 Address Management and Security Questions
I'm trying to draft an IPv6-based version of our location's current routing configuration in anticipation of when our ISP will finally roll it out, and address management has been giving me the biggest headache - ironic, considering IPv6 was supposed to simplify address allocation.
My first config draft was made assuming that I would be getting a static /56 or /60 prefix from the ISP, and I was just going to insert the prefix into my DHCP pools and there would be no issues. That was before reading around and discovering that some ISPs are considering prefix delegation (PD) for both residential and business accounts instead of static blocks. Now I have questions about how to stick as close to the current IPv4 configuration as possible.
For the PD scenario, what I am looking at now are two addresses ranges for each network - a ULA /120 space that I want to control using stateful DHCPv6, and the global space which can be /64 and auto-configured. That way there will be a "private" address space for internal routing in the event of a prefix change or an extended outage. But I'm not sure how the config should look for such a scenario. What I have drafted so far is this:
ipv6 dhcp pool DHCP6_INTERNAL
address prefix FDAB::1:0/120
domain-name whatever.net
dns-server FDAB::1:1
ipv6 dhcp pool DHCP6_DMZ-WIFI
address prefix FDAB::2:0/120
domain-name guest.whatever.net
dns-server FDAB::2:1
interface GigabitEthernet0
description WAN-LINK
ipv6 enable
ipv6 address dhcp
no ipv6 unreachables
no ipv6 redirects
ipv6 flow ingress
ipv6 flow egress
ipv6 virtual-reassembly in
ipv6 nd autoconfig default-route
ipv6 dhcp client pd hint ::/56
ipv6 dhcp client pd ISP-PREFIX
zone-member security OUTSIDE
speed auto
duplex auto
no cdp enable
interface FastEthernet8.1
description VLAN_1-INTERNAL
encapsulation dot1Q 1 native
ipv6 enable
ipv6 address FDAB::1:1/120
ipv6 address ISP-PREFIX ::1:0:0:0:1/64
ipv6 flow ingress
ipv6 flow egress
ipv6 virtual-reassembly in
zone-member security INSIDE
ip tcp adjust-mss 1300
ipv6 dhcp server DHCP6_INTERNAL
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
interface FastEthernet8.2
description VLAN_2-DMZ-WIFI
encapsulation dot1Q 2
ipv6 enable
ipv6 address FDAB::2:1/120
ipv6 address ISP-PREFIX ::2:0:0:0:1/64
ipv6 flow ingress
ipv6 flow egress
ipv6 virtual-reassembly in
zone-member security DMZ
ip tcp adjust-mss 1300
ipv6 dhcp server DHCP6_DMZ-WIFI
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
Will this config work? By which I mean: will the DHCPv6 servers provide ULA addresses, and will SLAAC work for global address allocation? If not, what needs to be changed?
Also, another question. I found a few references to a prefix name (the "ISP-PREFIX") which can be used as part of a static IPv6 address on an interface, which is a good idea in case the prefix changes. But that brings up another concern - if the prefix changes, that will invalidate ACLs referencing the global addresses using the previous prefix. Is there anything similar to the prefix name string that can be used in ACLs to keep this from occurring?DHCPv6-PD is not necessarily dynamic the same way as DHCP was with the public IPv4 addresses in the IPv4 world.
While the outside network (PPPoE, DHCPv6, anything) might be truly dynamic and changing with possibly every login session, the DHCPv6 delegated prefix might be tied to your login credentials or DHCPv6 client's DUID after the first connection. A bit like a DHCP lease reservation.
If that is the case, there is some possibility that your ISP will run reverse route injection, and will always route your "fixed" prefix to the currently active dynamic "outside" address.
Talk to your ISP and have them confirm that, once the PD'd /48 or /56 is initially assigned, it won't change, and that the same prefix will be delegated every time. Then you can treat it as if it were fully static, and you won't have to go down the ULA path.
I contacted one of our local ISPs, and they're doing it exactly that way: PPPoE for IPv4 and IPv6 (fully dynamic), and DHCPv6-PD with the /48 tied to the PPPoE login credentials. I might change to that ISP sooner or later.
With my current ISP, my IPv6 access is 6RD based. I get a /60, with my current public ipv4 address (by DHCP) embedded into those 60 bits. Readressing is bound to happen sooner or later, and it happens every so often, and it breaks my IPv6 ACLs.
I'm also looking for a way to write IPv6 ACLs with wildcard bits, not prefix/mask, so I can use them with ZBFW. So far, no sign of it.
A few more comments:
ULA addressing:
It may look tempting, plausible and intuitive to use dual global and ULA addressing.
I started this way as well. However, it turns out that Windows 7 has (had?) some issues with proper source address selection. The "longest common prefix" rule never seemed to work properly. In some cases, it would pick the global address to talk to ULA hosts, or stubbornly insist to use the ULA address to talk to an IPv6 internet host. It was a frustrating experience. Be sure to test this to the full extent (and back, and again and then some more) with every operating system you intend to use.
Using /120:
Be sure to test this as well, and very thoroughly. Subnet masks longer than /64 are sometimes called "uncharted territory" in IPv6. Longer subnet masks will break SLAAC, and there may be (embedded) devices that will not react benevolently to a subnet mask other than /64, or simply lack support for DHCPv6.
adjust-mss
I see you have "ip tcp adjust-mss 1300". While PMTUd may be mandatory with IPv6, I found it being broken already :-( . "ipv6 tcp adjust-mss .... " is now a separate command since IOS 15.4(1). I would suggest considering it, depending with your experience with PMTUd on IPv6. -
1801W wireless (guest access) config issues
Trying to setup wireless on 1801w ISR. Wired access to Internet and LAN works fine (Vlan1); however, wireless (Vlan2) does not.
Trying to setup wireless "guest" access with Internet access only (no access to LAN).
Wireless will not come up. Dot11Radios show "reset/down".
Below is the wireless config and a couple of troubleshooting commands as well:
dot11 ssid open
vlan 2
authentication open
====================================================
!(Sets up DHCP and excluded addresses.)
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.25.1 172.16.25.99
ip dhcp excluded-address 172.16.25.116 172.16.25.255
ip dhcp pool open
import all
network 172.16.25.0 255.255.255.0
default-router 172.16.25.1
dns-server 4.2.2.1 4.2.2.1
lease 3
====================================================
(Turned on integrated routing and bridging.)
bridge irb
====================================================
(Wireless radio interface config.)
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip route-cache flow
encryption vlan 2 mode wep optional
!---(SSID is given as "open")
ssid open
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
station-role root
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Vlan1
description LAN
ip address 192.168.0.100 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Vlan2
description Wireless VLAN
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
interface BVI1
ip address 172.16.25.1 255.255.255.0
ip nat inside
ip virtual-reassembly
bridge 1 protocol ieee
bridge 1 route ip
====================================================
Verifying...
RTR#sho dot11 associations
802.11 Client Stations on Dot11Radio1:
802.11 Client Stations on Dot11Radio0:
SSID [open] : DISABLED, not associated with a configured VLAN
====================================================
RTR#sho ip int brief
Dot11Radio0 unassigned YES NVRAM reset down
Dot11Radio0.1 unassigned YES unset reset down
Dot11Radio1 unassigned YES NVRAM reset downYour ssid is configured in vlan 2.
But you forgot to configure dot11radio0.2 with under it "encapsulation dot1q 2".
That should allow the radio to broadcast ssid
Nicolas
===
Don't forget to rate answers that you find useful -
E4200 Wireless Guest Access issue
Hello, I'm hoping someone can point me in the right direction. I have the wireless guest access set up in my E4200 flash to the latest firmware.
When I connect to the wireless guest network it comes up under the 192.168.33.xx IP address. I can connect fine but it never pops up the browser so that you can type in the guest password. I'm running Windows 7 but I've also noticed the exact same problem under XP.
The only thing I can guess is the problem is that I have this acting like an access point and all DHCP requests go to my router. I've basically turned off DHCP on this and plugged the network connection into the switch on the back.
Any suggestions?
Thanks
JoshIf I go to 192.168.33.1 it does pop up the browser but when I enter the password It just hangs. Not sure if it was connected or not. Is there no way to pop up the browser automatically?
Maybe you are looking for
-
Document Summarization for Materials Management
Hi All, There exists FI configuration for Document summarization for Material Management . My question is when running MB5B transaction how does it get trigerred and why this message does not appear for all materials in MB5B. Actually ,I am getting w
-
Solaris 10 on 2nd hard drive?
Im new to solaris and would like to install it on a second hard drive. Right now I have xp dual booted with win 7rc on 1 hard drive. And just bought a 2nd blank one. What I would like to do is put solaris 10 on my second drive. Is it possible to boot
-
Opening pdfs on multiple monitors
With Acrobat 9 Pro on secondary monitor and selecting several docs; the first doc opens correctly on the secondary monitor, suceeding docs open on the the primary monitor. Can I get all docs to open on the secondary? Dell XPS400 D2, 1TB, 4GB
-
Wrong supplement language implemented
Hi All, I have implemented wrong supplement language for polish...I implemented French instead of English. Please help me to correct / change the supplement language to English. Thanks in Advance ...
-
I've got a new iphone 5 and i dont know why im unable to complete purchase of Apps from itunes store,i keep getting error message saying contact itunes store support to complete this transaction...i would really appreciate if anyone would assist in