Foreign controller functionality for wired guest on Cat 3850s

Cat 3850s provide unified access and WLC functionality. However, I would like to know if they can act as foreign controllers. In other words, can we host a wired guest VLAN on 3850 and tunnel its traffic over EoIP tunnels to a guest anchor WLC (5500/4400) in DMZ? The following WLC comparison page says 3850 supports Guest services (wireless) and Guest services (wired). Has anyone tried this or has more insights into this?
http://www.cisco.com/en/US/products/hw/wireless/products_category_buyers_guide.html#~controllers
Thanks,
Vijay

Switch 3850 can act as a foreign controller. See the link below.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/release_notes/OL_30562_01.html
The following features are not supported in Cisco IOS XE Release 3.3.0SE:
– Wireless Guest Anchor Controller (The Catalyst 3850 switch can be configured as a foreign controller.)

Similar Messages

  • Preauth ACL for Wired guest not working

    Hi Guys,
    I have 5508 wireless lan controller running code 7.2. We recently implemented Wired guest access on the WLC and configured necessary changes on the switch. We also have wireless guest profile as well configured on the WLC. We have some people who usually use Jabber client for video conferencing so what we have done is we have configured a preauth acl so that if any users connect to the wireless guest profile they automatically connect to the Jabber server without going through the Web auth. We have applied the same ACL in the Wired guest profile as well but the problem is that Jabber is not able to connect unless we manually go through web browser and then authenticate, but it is working normally for wireless guest access without the web authentication. Let me know if this is some kind of bug or a known issue which can be fixed in some way. Thanks in advance
    - Krishna

    Krishna:
    Can you please confirm if other type of traffic (other than jabber traffic) is allowed by the pre-auth ACL?
    Try - for testing - to allow traffic - by same ACL - to some other destination and try via normal user to ping to open whatever session with that destination.
    Let me know if that works or not.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Possible to use Airport Extr and Express for WIRED Guest Network?

    Situation and landscape:
    My house has a Comcast cable-modem, which is connected to an Airport Extreme (AEx).
    The AEx is running WPA WiFi, and this is all good.
    There is one ethernet wire running out of the AEx, which goes 150 feet to the rear of my house, across a short corridor (protected from weather with insulated pipe) and into my garage apartment, where it terminates into an Airport Express (APress.)   This garage apartment is frequently used as part of a rental property.  The APress is extending the same WiFi SSID/settings.
    When guests arrive, they are able to plug-in their notebook computers to the APress ethernet port, or use the WiFi.
    Well, the problem with that, obviously, is that they can "see" the other computers on the network, and printers, etc.
    It would be perfect to configure the AEx and APress to the WiFi "guest network."  However, there are problems with this:
    1)  Believe it or not, many guests still use direct-plug and do not have nor know how to set up their WiFi -- so they MUST have a direct ethernet wire.
    2)  When I use Airport Utility for the APress, it does not show any WiFi guest network option -- maybe because another dependent setting is not allowing this (i.e. "Bridge Mode"?)
    3)  The distance between the AEx and this garage apartment is too long between them to shoot a WiFi guest network from AEx and to be picked-up by the Airport Express... and there's a center core in my old house that is impervious to all radio frequencies and could block a nuclear blast.  Well, it causes a degradation of wireless.   And this brings us back to #1 above...in that I need a cable ethernet option.
    Picture attached of current landscape:
    So, maybe....
    I've spent the better part of a couple of hours searching here, particularly for the terms "access point" but the terminology isn't what I need.  What I wonder if perhaps I need to place an APress beside the AEx, turn on Guest Network at the AEx, then "pick it up" with a second APress, and carry the ethernet signal to the garage apartment and allow guest WiFi and wired.  (see second picture)   Will this work?

    OK, here's how to set this up.
    Open up AirPort Utility 5.6.1, select the Express, and click Manual Setup
    Click the Wireless tab located below the icons
    If you want the Guest Network to have a different SSID (recommended), then change the name of the wireless network, adjust the security settings if needed, and change the Wireless Password and Verify
    Click the Internet icon up at the top of the window
    Click the Internet Connection tab just below the icons
    Change the setting for Connection Sharing to Share a public IP address
    Click the DHCP tab located under the icons
    Change the DHCP Beginning Address to read something different.....like 10.0.5.2
    Click Update and give the Express a full minute to restart
    At this point, the Express indicator light will be slowly blinking amber
    Open up AirPort Utility again, select the Express and click directly on the word Status (2nd line)
    You should see a Double NAT notice with an option to "ignore" the item
    There may also be a Setup over WAN notice with an option to "ignore" the item
    Click in the boxes to ignore both items, then click Update again and the Express will restart and display a green light
    Try things out to verify that the Guest Network cannot "see" any devices on the main network...and vice versa.

  • DHCP issues for Wired Guest LAN

    Hi Everyone,
    I've a 1751 acting as a DHCP server for client PCs on a guest network A.B.8.x (using an Anchor controller) on the DMZ of my firewall. The 1751 reports the following
    Nov 30 15:35:45: DHCPD: DHCPDISCOVER received from client 0100.1708.37a3.55 through relay A.B.7.y.
    Nov 30 15:42:41: DHCPD: there is no address pool for A.B.7.y.
    I'd tied my guest vlan and corresponding DHCP scope on the router to A.B.8.x, but as A.B.7.x is the DHCP relay for the Anchor controller I don't understand why the DHCP server on the router is not doing what I expected it to.
    As ever any help will be appreciated.
    Many Thanks
    Scott

    Hi Cristian,
    After much pulling of hair and gnashing of teeth I have got it working - what was not clear to me, and it looks as though you've fallen into the same trap, is that the egress interface on the anchor controller (ie the management port) defines the addresses given to the clients. The dhcp scope on your server has to be from the same network as the address of the management interface (so my guest clients get a A.B.7.x address). In fact the ingress interface addresses have no bearing (as I'm sure I read somewhere afterwards!) on how the guest access operates and can (should?) be dummy addresses.
    I tried creating another vlan (with A.B.8.x) on the anchor controller and assigning that to the egress of the guest WLAN on the anchor and I could get A.B.8.x addresses from my DHCP server as I had planned, but, and this is a big but, web authentication just will not instigate. So it would seem that guest access is reliant on using the management interface as the egress on the anchor of the guest WLAN.
    I hope this is helpful,
    Regards
    Scott
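The behaviour described in the reply above, as an added example that is not part of the original posts: a simplified Python model of a DHCP server choosing its pool from the relay address, run over log lines in the format the router printed. The addresses (10.20.7.5 for A.B.7.y, the two /24 pools) and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed log lines in the same shape as the two IOS DHCPD messages quoted
# in the post; 10.20.7.5 stands in for the anchor's relay address (A.B.7.y).
SAMPLE_LOG = """\
Nov 30 15:35:45: DHCPD: DHCPDISCOVER received from client 0100.1708.37a3.55 through relay 10.20.7.5.
Nov 30 15:42:41: DHCPD: there is no address pool for 10.20.7.5.
"""

# Constructed pools: the scope as first planned (guest VLAN subnet) and the
# scope after the fix described in the reply (anchor management subnet).
PLANNED_POOLS = {"guest-vlan": ipaddress.ip_network("10.20.8.0/24")}
CORRECTED_POOLS = {"guest-anchor-mgmt": ipaddress.ip_network("10.20.7.0/24")}

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
DISCOVER_RE = re.compile(
    r"DHCPD: DHCPDISCOVER received from client \S+ through relay " + IPV4
)
NO_POOL_RE = re.compile(r"DHCPD: there is no address pool for " + IPV4)


def select_pool(relay_ip, pools):
    """Return the name of the first pool whose network contains the relay address.

    Simplified model: a relayed request is served from the pool that matches
    the relay (giaddr) address, not from the subnet the client sits in.
    """
    addr = ipaddress.ip_address(relay_ip)
    for name, network in pools.items():
        if addr in network:
            return name
    return None


def relays_seen(log_text):
    """Relay addresses that appear in DHCPDISCOVER lines, in order, de-duplicated."""
    seen = []
    for line in log_text.splitlines():
        match = DISCOVER_RE.search(line)
        if match and match.group(1) not in seen:
            seen.append(match.group(1))
    return seen


def no_pool_errors(log_text):
    """Addresses the server itself reported as having no pool."""
    return [m.group(1) for m in map(NO_POOL_RE.search, log_text.splitlines()) if m]


def unserved_relays(log_text, pools):
    """Relays from the log for which the given pool set has no matching network."""
    return [r for r in relays_seen(log_text) if select_pool(r, pools) is None]


if __name__ == "__main__":
    print("server reported no pool for:", no_pool_errors(SAMPLE_LOG))
    print("planned scope leaves unserved:", unserved_relays(SAMPLE_LOG, PLANNED_POOLS))
    print("corrected scope leaves unserved:", unserved_relays(SAMPLE_LOG, CORRECTED_POOLS))
```
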

  • Anyone seen strange behavior with wired guest access on WLAN Controller?

    Cisco Doc ID 99470 spells out how to deploy wired guest access over wireless LAN Controllers.
    That said, everything has been up and working for almost a year.  Guest wireless uses anchor controller in DMZ - no issues.
    Recently configured two wired ports for wired guest networking.  The desktops get the correct IP address via DHCP.  A wireless client (on the table right next to the wired clients) on the guest wireless gets an IP address as expected as well.
    Open a continuous ping to the gateway 172.16.16.1 on all three machines.
    The two desktops will ping for a few minutes and then stop for 30 seconds or longer.  Wireless client will keep its connection.  (you might think it would be the other way around)
    I understand there is a 65,535 second inactivity timeout, but I am only sitting here for minutes, not 18 hours when this happens.
    On the wired desktops, you have to bring up a browser and log back in just as you do on a wireless client every few minutes.  After debugging the client, I found a "failed to find scb" message in the output.
    The other trick here is that the wired clients are miles away from where I can actually get on the CLI of the controller.  This makes it difficult to run a debug and bring up a browser since I am not local to the machines when running debugs.
    Has anyone ever seen this behavior?  Has anyone seen the "failed to find scb" message?
    Thanks in advance!
    Successfully plumbed mobile rule (ACL ID 255)
    *pemReceiveTask: Dec 30 11:33:15.735: 00:25:b3:ce:cb:ef 0.0.0.0 tokenID = 5
    *pemReceiveTask: Dec 30 11:33:15.735: 00:25:b3:ce:cb:ef Set bi-dir guest tunnel for 00:25:b3:ce:cb:ef as in Export Foreign role
    *pemReceiveTask: Dec 30 11:33:15.735: 00:25:b3:ce:cb:ef 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
    *spamReceiveTask: Dec 30 11:34:54.569: CCKM: Send CCKM cache entry
    FP08:(33207772)[cmdSendNodeInfo:3787]failed to find scb 0023.2422.c6eb
    *mmListen: Dec 30 11:35:58.539: 00:25:b3:ce:cb:ef Scheduling deletion of Mobile Station: (callerId: 73) in 1 seconds
    *mmListen: Dec 30 11:35:59.471: 00:25:b3:ce:cb:ef Scheduling deletion of Mobi

    I found it in the document
    B.1 How Logout Works
    The WebGate logs a user out when it receives a URL containing "logout." (including the "."), with the exceptions of logout.gif and logout.jpg, for example, logout.html or logout.pl. When the WebGate receives a URL with this string, the value of the ObSSOCookie is set to "logout."
    The Access System sets an obSSOCookie for each user or application that accesses a resource protected by a WebGate. The obSSOCookie enables users to access resources that are protected by the Access System that have the same or a lower authentication level. Removing the ObSSOcookie causes the WebGate to log the user out and requires the user to re-authenticate the next time he or she requests a resource that is protected by the Access System.
    Well, I haven't got that far in the document:)
    Thanks a lot for your help.
    -Wei

  • Wired guest

    Respected members of this community... :) I need help.
    The last couple of days I spent implementing unified wireless at a customer's site.
    We used the latest versions of the controller and WCS software.
    This new software offers a new feature, wired guest.
    Since we already implemented 802.1x with a guest VLAN on the wired network last year, we wanted to offer the guest access functionality on the wired LAN as well.
    So first we implemented wireless guest access, which worked fairly quickly.
    Then we added another interface on the controllers, which matched the already existing wired guest VLAN. First we wanted to use that VLAN for wireless guests as well as wired, but we found out that is not possible (so we created a new wireless guest VLAN). Then we added a new WLAN which we marked for wired guest.
    Anyway, we followed the documentation and...could not get it to work.
    The network is a layer 3 routed network with 40 or so VLANs. The controllers are connected to the core switch (with nicely configured trunks), which does all the routing.
    DHCP is the first thing that didn't work. The interfaces we created on the controllers have the guest lan checkbox checked, ingress interface is the guest VLAN, egress interface is the mngt interface.
    The DHCP relay function did not work.
    DHCP will work with IP-helper configured on the VLAN interface on the core router, but this all goes outside of the controllers.
    This is by the way the major thing I do not understand. With wireless, all traffic goes via the controller through the LWAPP tunnel. But with wired, my layer 2 VLAN ends on the core switch, not on the controller.
    So what should the default gateway be for that VLAN? The interface VLAN of the core switch or one of the controller IP addresses?
    Traffic should be directed to the controllers (I guess?) to enable them to catch HTTP and send the redirect to the webauth page.
    But if you set the default gateway to the controllers, DNS does not work because the controllers do not forward traffic until after authentication, but for this to work, you need DNS for the client to start the HTTP session.
    Is there anyone out there who has this working, including DHCP?
    The customer's network is flexible, we can build almost anything we want there, so if we need to change something, we can.
    Wireless guest was no problem at all, and the data WLAN, including 802.1x, auth on AD and dynamic VLAN assignment worked perfectly. So we did get something to work actually... :)

    Does this help?
    <http://www.cisco.com/warp/public/102/wired_guest_access.pdf>
    Also keep in mind that the clients and the controller need L2 adjacency (i.e. the Guest-VLANs would need to be trunked directly to the controller where you define the Guest-WLAN).
    I assume you have already deployed an anchor controller for wireless Guest traffic. So, the idea is to leverage the same EoIP tunnel infrastructure also for wired guest traffic. DHCP/DNS traffic should be blindly tunneled across this infrastructure, so your network services should be deployed in the anchor controller location (i.e. DMZ). Keep in mind again, that this design implements a logical L2 connection from the endpoints to the anchor controller.
    Hope this helps,

  • Ask the Experts: Wired Guest Access

    Sharath K.P.
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions on wired guest access with expert Sharath K.P. Wired guest access enables guest users to connect to the guest access network from a wired Ethernet connection designated and configured for guest access. Sharath K.P. is a Customer Support Engineer specialized in wireless and switching technologies at the Technical Assistance Center in Cisco Bangalore. He has been troubleshooting wireless and switching networks and management tools since 2009. Sharath has a bachelor's degree in Electrical Electronics Engineering from P.E.S College of Engineering (PESCE), VTU at Belgaum. India. He holds CCNP certifications in R&S and Wireless.
    Remember to use the rating system to let Sharath know if you have received an adequate response. 
    Sharath might not be able to answer each question due to the volume expected during this event.
    Remember that you can continue the conversation on the Wireless and Mobility sub-community discussion forum shortly after the event. This event lasts through January 27, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

    Hi Daniel ,
    Wonderful observation and great question.
    Yes, we don't find any recommendation or inputs in Cisco Docs on scenarios where we have multiple foreign WLCs present. When we go through the Cisco Doc available for Wired Guest Access
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml
    Two separate solutions are available to the customers:
    A single WLAN controller (VLAN Translation mode) - the access switch trunks the wired guest traffic in the guest VLAN to the WLAN controller that provides the wired guest access solution. This controller carries out the VLAN translation from the ingress wired guest VLAN to the egress VLAN.
    Two WLAN controllers (Auto Anchor mode) - the access switch trunks the wired guest traffic to a local WLAN controller (the controller nearest to the access switch). This local WLAN controller anchors the client onto a DMZ Anchor WLAN controller that is configured for wired and wireless guest access. After a successful handoff of the client to the DMZ anchor controller, the DHCP IP address assignment, authentication of the client, etc. are handled in the DMZ WLC. After it completes the authentication, the client is allowed to send/receive traffic.
    So as per Cisco best practices, using multiple foreign controllers for the same wired guest VLAN is not supported and the results will be unpredictable.
    I do understand the confusion regarding such scenarios, as this (multiple foreign WLCs) is a very general setup which customer would like to deploy.
    We have already opened a bug for the same (a little late though).
    BUG ID: CSCtw44999
    The WLC Config Guide should clarify our support for redundancy options for wired guest
    Symptom:
    Do not trunk a wired guest VLAN to multiple foreign controllers. This is not supported, and will generate unpredictable results.
    Some of the other changes that we will be making as a part of doc correction would be
    http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_user_accts.html#wp1066125
    1. The WiSM2 needs to be added as a supported controller. (Not sure about the 7500, check with PM)
    2. Where it says "Do not attempt to trunk a guest VLAN on the Catalyst 3750G ...", this should read: "Do not trunk a wired guest VLAN to multiple foreign controllers. This is not supported, and will generate unpredictable results."
    3. Add at least a line mentioning support for multiple anchors for a guest wired LAN.
    Now if you already have such deployments, the criteria would be that the nearest WLC on the broadcast domain (Layer 2) would respond to the client association request.
    (Cisco Controller) >Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 Adding mobile on Wired Guest 00:00:00:00:00:00(0)
    Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 apfHandleWiredGuestMobileStation (apf_wired_guest.c:121) Changing state for mobile 00:0d:60:5e:ca:62 on AP 00:00:00:00:00:00 from Idle to Associated.
    I hope the above explanation could clarify your doubts to a certain extent and also keep you informed on Cisco's roadmap on this feature.
    Regards ,
    Sharath K.P.
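One way to audit a switch for the unsupported design named in the reply above (a wired guest VLAN trunked to more than one foreign controller), as an added example that is not part of the original thread. The configuration text, the interface names, VLAN 44 and the set of controller-facing ports are constructed; which ports face a controller is an input you supply.

```python
# Constructed IOS-style configuration; not taken from the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description WLC-FOREIGN-1
 switchport mode trunk
 switchport trunk allowed vlan 10,44,100-110
!
interface GigabitEthernet1/0/2
 description WLC-FOREIGN-2
 switchport mode trunk
 switchport trunk allowed vlan 20
 switchport trunk allowed vlan add 44
!
interface GigabitEthernet1/0/3
 description wired guest wall port
 switchport mode access
 switchport access vlan 44
!
interface GigabitEthernet1/0/24
 description uplink
 switchport mode trunk
!
"""

# Assumption: the operator knows which ports connect to foreign controllers.
CONTROLLER_PORTS = {"GigabitEthernet1/0/1", "GigabitEthernet1/0/2"}

ALLOWED = "switchport trunk allowed vlan "


def parse_vlan_list(text):
    """Expand '10,44,100-110' into a set of VLAN IDs."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if part:
            low, _, high = part.partition("-")
            vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_interfaces(config):
    """Return {name: {"trunk": bool, "allowed": set or None}}; None means all VLANs."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = line[len("interface "):]
            current = interfaces.setdefault(name, {"trunk": False, "allowed": None})
        elif line == "!":
            current = None
        elif current is not None:
            if line == "switchport mode trunk":
                current["trunk"] = True
            elif line.startswith(ALLOWED):
                arg = line[len(ALLOWED):].strip()
                if arg == "all":
                    current["allowed"] = None
                elif arg == "none":
                    current["allowed"] = set()
                elif arg.startswith("add "):
                    # Adding to "all VLANs" changes nothing; otherwise extend the list.
                    if current["allowed"] is not None:
                        current["allowed"] |= parse_vlan_list(arg[4:])
                else:
                    current["allowed"] = parse_vlan_list(arg)
    return interfaces


def controllers_carrying(config, vlan, controller_ports):
    """Controller-facing trunk ports on which the given VLAN is allowed."""
    hits = []
    for name, intf in parse_interfaces(config).items():
        if name in controller_ports and intf["trunk"]:
            if intf["allowed"] is None or vlan in intf["allowed"]:
                hits.append(name)
    return hits


def guest_vlan_finding(config, vlan, controller_ports):
    """Return a finding string if the VLAN reaches more than one controller, else None."""
    hits = controllers_carrying(config, vlan, controller_ports)
    if len(hits) > 1:
        return f"VLAN {vlan} is trunked to {len(hits)} foreign controllers: {', '.join(hits)}"
    return None


# Same configuration with VLAN 44 removed from the second controller trunk.
FIXED_CONFIG = SAMPLE_CONFIG.replace(" switchport trunk allowed vlan add 44\n", "")

if __name__ == "__main__":
    print(guest_vlan_finding(SAMPLE_CONFIG, 44, CONTROLLER_PORTS))
    print(guest_vlan_finding(FIXED_CONFIG, 44, CONTROLLER_PORTS))
```
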

  • "Out of the box" or "out of my mind"? (Wired Guest from 4.1 to 5.X)

    As we all know and love, the 1000 Series Access Points are no longer supported past 4.2. And I haven't quite heard the fate of the 1510 Mesh AP's either. However, I hate for this to prevent me from going to 5.X when the time comes right. Since I use Anchoring for Guest Access, and you are not supposed to anchor between 4.1 and 5.x I've come up with a "plan".
    I'll leave all my 1000 Series and Mesh AP's on a 4.1 Mesh Controller and instead of anchoring the GUEST SSIDs to my DMZ Controller, I'm going to dump the WLAN to a Layer2 VLAN. On another controller at 5.x, I'm going to pick up this VLAN as a "Wired Guest". And then, I'm going to Anchor this to my DMZ Controller just like I do my Wireless Guest SSIDs.
    In theory, any "Guest" users on the Mesh controller will dump on to the Wire in a VLAN that isn't routed, be picked up on the 5.x controller, be anchored to the DMZ controller, and dumped in to the DMZ like all other Wireless Guest Users.
    I was waiting for 5.2 before I did it, but what do you think?

    I'm trying to get a similar solution working: I have some autonomous AP350s which I'm not allowed to get rid of, and am trying to bring guest traffic from those APs in through my controller system as wired guests.
    Haven't gotten it working yet - clients are not receiving DHCP offers (although the offers are making it back to the controller from the DHCP server). Will post resolution if/when I have one.

  • Wired guest access support on SRE G2

    I have been trying to find info on support for wired guest access on SRE wireless module. Is it supported? Also, does 2100 wlc support it? I am running into sizing issues as I am seeing in documentation that it is supported on WiSM, 4400 (end of life), 5500, and 3750G (end of life). So, Am I only left with 5500? These are bunch of branch offices and do not know if having 5500 in each site is financially feasible. There is a requirement to have all these networks separate so we cannot share controllers. Thank you in advance.

    It's more like "all WLCs support what is in config guide unless stated otherwise".
    http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps7206/ps7221/product_data_sheet0900aecd805aaab9.html
    "the Cisco 2100 Series enables administrators to securely manage WLANs and mobility services, such as enhanced security, voice, guest access, and location services."
    It says nowhere that the SRE can't do wired/wireless. So it does the same as other WLCs from that point of view

  • NAC Guest server for wired and wireless

    Hi
    My customer wants the NGS to install for both wired and wireless users. For wireless users we can integrate it with the WLC but I don't know how it will work for wired users at the same time. Please suggest.
    Thanks

    Hi Vishal,
    Please note that if you want to return ACLs (and usually in wired web auth you need to), you will have to integrate with ACS as NGS itself cannot return ACLs in the reply radius attributes.
    Basically the process is as follows:
    1 - Client plugs cable on switch.
    2 - Web auth is triggered on the port.
    3 - Default ACL permitting only DNS and DHCP is applied so that the client PC can obtain IP address and open a browser.
    4 - Client will be redirected to the NGS hotspot login page.
    5 - Client will enter credentials.
    6 - Client browser will send an HTTP POST packet containing the credentials.
    7 - The switch will intercept the POST packets and retrieve the credentials entered.
    8 - The switch will send Radius Access-Request to the ACS.
    9 - The ACS will use the NGS as External Identity source to authenticate the client.
    10 - The NGS will reply with Radius Access-Accept to the ACS and the ACS will reply to the switch including the ACL in the Access-Accept.
    11 - the Switch authorizes the client on the port and applies the ACL it received from the ACS.
    Please follow the document Nicolas posted as it is a good one.
    HTH,
    Thanks

  • Wired guest access on WLC 4400 with SW 7.0.240.0

    Hello,
    After we upgraded our Wlan-controller 4400 from software 7.0.116.0 to 7.0.240.0
    wired guest access doesn't work anymore.
    All other things work fine, incl. WLAN guest access!
    When we try wired guest access, we get the web-authentication page and can log in.
    On the controller we can see that the Policy Manager State changes from WEBAUTH_REQD
    to RUN.
    But then there is no access to the internet.
    We tried also SW 7.0.250.0, same problem!
    Log Analysis on the WCS:
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :The WLAN to which client is connecting does not require 802 1x authentication.
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client does not have an IP address yet.
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client L3 authentication is required
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client Moved to DHCP Required State.
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Mobility role update request. from Unassociated to Local Peer = 0.0.0.0, Old Anchor = 0.0.0.0, New Anchor = 10.101.200.11
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Mobility role changed. State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :DHCP successful.
    Time :03/12/2014 14:21:26 MEZ Severity :ERROR Controller IP :10.101.200.11 Message :Client got an IP address successfully and the WLAN requires Web Auth or Web Auth pass through.
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client IP address is assigned.
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Webauth user logged in to the network. manni
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :AAA response message sent.
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client has completed Web Auth successfully.
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client has completed Web Auth successfully.
    Trying http://www.google.de .... doesn't work. No Log Entries. Next entries while logging out.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Web auth is being triggered again.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client L2 authentication has been completed successfully.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client Moved to DHCP Required State.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :WebAuth user Logged out from network.
    Has someone an idea how to solve this problem?
    Regards
    Manfred

    Hi
    Yes got it resolved. It turns out that the connection from the wired guest access port to the WLC must be L2. That is, the switch that the wired guest access port and the WLC are connected to must be L2 only. We were using a single switch to do the testing and it was also doing the routing for the test LAN. Even though there was no L3 VLAN interface configured for the VLAN that the guest access port was on, for some reason this breaks it. Absolu Didn't have chance to work out the exact limitations of this as we simply made the switch L2 only and configured an 802.1Q trunk to the Internet router and made subinterfaces on the router for the wired and wireless egress ports and it worked then. No config change was needed on the WLC at all.
    The only thing I can think of is that it's something about the way the WLC joins the wired guest access ingress VLAN and egress VLAN. The WLC isn't a real router; it says so in the documentation. I think the packet coming from the wired access port is being bridged to the egress VLAN, not routed, and this is what screws it up (remember, with a router the source and destination MAC addresses would be changed; with a bridge they aren't). Got to be something along those lines. If you have a bigger network with a guest anchor WLC handling this function you don't run into this, as the traffic is coming over an EoIP tunnel from the remote WLC so the switch with the guest anchor WLC doesn't see the MAC address of the wired guest PC.

  • Wired Guest Using ISE Interface

    I've scoured the forums for a solution but struck out looking for design tips. I have a centralized guest wireless using ISE with CWA on an anchor controller and it works great. Now I need to create wired guest network for my remote sites. Is this possible using an interface on my 3415 running ISE, or can the anchor controller be used somehow?
    The 3415 sits in my Pennsylvania data center. It has a new dedicated interface going to the internet for guest traffic. Can this interface be used as a redirect for a guest at a remote site? If so, is there documentation detailing the basic steps to implement this?
    Thanks in advance!

    If you are already authenticating your wireless users and anchoring them to a DMZ you can do the same with wired users as long as you have a foreign controller layer 2 adjacent to the wired guests.  
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/99470-config-wiredguest-00.html
    You would just need to set the VLAN on the port for the guest users, or if you want you can use ISE wired AuthZ policy to place the guest users into the correct VLAN, or FlexAuth using guest VLANs.  

  • Wired Guest in 5.x 4402 - Does it Work???

    Anyone get Wired Guest access working using the latest code 5.148 (or any code for that matter). In particular has anyone been successful using 1 WLC with ingress and egress on same controller. I have been trying for a week and does not work no matter what.
    Thanks for all responses....

    Armonk-
    See next post with attached .doc
    This post was trimmed.
    4402 config
    -Ingress int
    Create a new interface <. myguests-ingress> assign it a VLAN ID <44>
    Check the box that says Guest LAN
    This interface has no IP, it is Layer2 only!
    If there is an IP associated with this VLAN (anywhere), create another VLAN.
    -Egress int (if you are already using one for wireless guest access, you can skip this step and reuse that one, I did!) It will not be called “Egress” on the wireless, just interface. If you don't have one already, you need to create it
    Create a new interface , assign it a different VLAN <55> than your ingress interface
    Assign IP, netmask, and gateway info < 192.168.100.10, 255.255.255.0, 192.168.100.1 > (see Router section below)
    I used addresses that were NOT on my business network, so guest IPs are easily distinguished from employees
    Also since this traffic is within a VLAN, I need to route this traffic at some point to access my gateway
    If you want to give guests DHCP addresses, assign a Primary DHCP Server to this interface (see DHCP section below)
    Since I was using the WLC for DHCP, I put the IP of my management interface (or another of your choice)
    -Internal DHCP (if you are using your WLC for DHCP this needs to be configured)
    Start <192.168.100.100 > (same subnet as "egress")
    End <192.168.100.200>
    Network <192.168.100.0>
    Mask <255.255.255.0>
    Lease <86400>
    Default router <192.168.100.1> (same as your gateway above)
    This is really just an IP to route between VLANs, it may not exist yet
    Don't worry if this is on another subnet as your real gateway (it should be), this is just a gateway IP for this subnet
    You can route between VLANs (that's what I did) on your router
    DNS server <10.10.10.50> (this a local DNS, but you could use anything I guess, even your ISPs DNS server)
    Status = Enabled
    -WLAN
    Create a new WLAN, select Guest LAN as the type
    Ingress is a L2 VLAN
    Egress is a L3 VLAN or previously configured VLAN
    Security Tab, select Web Auth/Pass
    Advanced Tab, specify your DHCP
    Check override (required for external DHCP)
    Was not able to check DHCP Addr. Assignment = Required (bug?)
    General Tab, check status = Enabled
    Ignore the error; this is a bug!
    Core Switch configuration (these commands are in CatOS)
    Since wired guest access uses the same interface (in my config,) I did not have to do this step as it was done previously.
    You need to configure your core switch to allow VLAN traffic from your WLC interfaces
    VTP and VTP domain were previously configured; you may need to do this if you have never done VLANs on this switch
    # set vlan 44 name MYGUESTS-INBOUND - - - IOS will be different
    # set vlan 55 name MYGUESTS-OUTBOUND - - - IOS will be different
    If you already have a vlan for wireless guests this step is already done
    Setup trunking on the port coming from the WLC to your switch (I chose mod/port =3/5, yours will be different)
    # set trunk 3/5 on dot1q - - - IOS will be different
    This allows VLANs to traverse from the WLC to the switch, (you could specify which VLANs only)
    I have created VLAN ACLs that restrict the access of guests, but that can be done after this is up and working
    Now this next step was required for my environment, but I am not sure that all setups can be done like this. I have another DHCP server on my network, so I wanted to make sure that there was not a conflict. To do this I specified a port on my core switch to accept VLAN traffic for my ingress interface
    Configure a port on my core switch to accept wired guest traffic (I chose mod/port =3/6, yours will be different)
    # set vlan 44 3/6 - - - IOS will be different
    It's possible you may also need to allow your egress VLAN depending on your setup
    Dumb switch
    Plug switch into the port specified
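
The CatOS switch steps in the post above, rendered for Cisco IOS as an added example (not part of the original post). The interface names GigabitEthernet3/5 and GigabitEthernet3/6 are assumptions mapped from the post's mod/port 3/5 and 3/6, and the allowed-VLAN list applies the post's remark that you could specify which VLANs only.

```cisco
! Added example: IOS equivalent of the CatOS steps in the post.
! VLAN IDs and names are the post's; interface names are assumptions.
vlan 44
 name MYGUESTS-INBOUND
vlan 55
 name MYGUESTS-OUTBOUND
!
! No "interface Vlan44" (SVI) is defined: the post treats the
! wired guest ingress VLAN as L2 only.
!
! Trunk to the WLC (CatOS: set trunk 3/5 on dot1q)
interface GigabitEthernet3/5
 description Trunk to WLC
 ! "switchport" is needed only where ports default to routed mode
 switchport
 ! Omit the encapsulation line on platforms that support dot1q only
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Carry only the guest VLANs. Assumption: append any management,
 ! AP or wireless guest VLANs this WLC port already carries.
 switchport trunk allowed vlan 44,55
!
! Wired guest port (CatOS: set vlan 44 3/6)
interface GigabitEthernet3/6
 description Wired guest ingress
 switchport
 switchport mode access
 switchport access vlan 44
```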

  • Cisco wired guest with one wlc

    Hello my name is Ivan
    I have a question:
    Can you configure wired guest for wired network users so that the Cisco WLC web portal appears for guest user authentication, having the following:
    Only one (1) Cisco WLC 5508 with no settings for auto anchor or foreign controller, a Cisco ACS v5.4, Cisco switches, and access points.
    I'm using 802.1x, and when the user, because of the authentication policies, falls into the guest VLAN, the user receives full IP routing in the guest VLAN and gets to the internet through the router for guest users, but is not redirected to the website of the WLC.
    I would like to redirect HTTP traffic from the Cisco switch to the Cisco WLC for the WLC web portal.
    My deployment is to flex connect wireless authentication, and local switching center
    How I can do this?
    Thanks for your answers.

    Hi Scott, thanks for your answer:
    My scenario is:
    Site A Corporate
    WLC 5508 Flex Connect Central Auth + Local Switching
    1. int management:  vlan 10 - 10.1.1.2/24
    2. int virtual: 1.1.1.1
    3. wired-guest: vlan 30
    wlans:
    1. corporate - mapped to interface management, 802.1x, wpa, wpa2
    2. guest - mapped to interface management web auth
    3. wired-guest: web auth, ingress wired, egress management
    Cisco ACS v5.4
    Site B: Branch
    Lightweight AP in VLAN 10, VLANs mapped 100 and 30, 100 for WLAN corporate and 30 for WLAN guest.
    Cisco switches,
    The branch has an internet router for guest users.
    The Cisco switch has an 802.1x configuration, and the method to authenticate users that cannot have an 802.1x supplicant is web auth.
    Currently I cannot redirect the traffic from the switch in the branch to the Cisco WLC 5508 at the corporate site. The users bypass the interception of the Cisco WLC and they can go to the internet without the authentication portal.
    Please could you give me advice to resolve it?
    Regards for your answers.

  • Wired guest access with 5508

    Hi
    I have set up wireless guest access for a customer with a single 5508 and web authentication, no problem at all. He then wanted to test wired guest access. The 5508 is currently connected to a single 3560 switch. The wired clients get a DHCP address OK but cannot resolve DNS and thus don't get redirected to the guest login portal. I have even tried turning off all L3 security to no avail. The setup is as follows:
    VLAN 101 access points and 5508 management interface
    VLAN 102 wired guest access dynamic ingress (L2 config only, no SVI on 3560)
    VLAN 103 wireless guest dynamic egress interface, L3 network with SVI on switch
    VLAN 104 wired guest dynamic egress interface, L3 network with SVI on switch
    There are two DHCP pools set up on the WLC, one for the VLAN 103 and one for the VLAN 104 subnets.
    The internet router is also connected to the 3560 on a separate VLAN with an SVI. The 3560 has a default route to the internet router and the DHCP pools give the DHCP clients a default gateway of the IP address of dynamic interface 103 or 104. The internet router can ping the WLC on both these addresses.
    LAG is enabled on the WLC and VLANs 101-104 are trunked to it from the 3560.
    I even tried making the wired guest egress interface the same one as for wireless. The wired clients now got an IP address in the wireless range but still couldn't pass any traffic. It's like the internal bridging on the WLC between VLAN 102 and 104 (or 103) is broken. Tried both the latest 6.x and 7.x software on the WLC. Any ideas? All the problems I can find with this seem to relate to not getting as far as a DHCP address, but that works fine.
    Thanks
    Pat

    Hi
    Yes, got it resolved. It turns out that the connection from the wired guest access port to the WLC must be L2. That is, the switch that the wired guest access port and the WLC are connected to must be L2 only. We were using a single switch to do the testing and it was also doing the routing for the test LAN. Even though there was no L3 VLAN interface configured for the VLAN that the guest access port was on, for some reason this breaks it. Absolu Didn't have chance to work out the exact limitations of this as we simply made the switch L2 only and configured an 802.1Q trunk to the Internet router and made subinterfaces on the router for the wired and wireless egress ports, and it worked then. No config change was needed on the WLC at all.
    The only thing I can think of is that it's something about the way the WLC joins the wired guest access ingress VLAN and egress VLAN. The WLC isn't a real router; it says so in the documentation. I think the packet coming from the wired access port is being bridged to the egress VLAN, not routed, and this is what screws it up (remember, with a router the source and destination MAC addresses would be changed; with a bridge they aren't). Got to be something along those lines. If you have a bigger network with a guest anchor WLC handling this function you don't run into this, as the traffic is coming over an EoIP tunnel from the remote WLC so the switch with the guest anchor WLC doesn't see the MAC address of the wired guest PC.
