Guest Access and IP addressing usage

Hi there
Have a typical Guest set up, foreign WLC has a tunnel to a WLC in our DMZ (mobility anchor); client will get a web page, and sign on; and off to the Internet they go.
As we know, client needs an IP address first before it does anything, as the SSID is out there with no authentication, and the problem we are running into is that we are running out of IPs because we have a bunch of clients picking up IPs but then they are not moving towards authenticating (I suspect many clients simply scan for any open SSID and connect to it, thereby using up an IP). We clamped down DHCP Lease time to 30 mins, but this only helped to an extent.
Is there anything on the WLC or other wireless network devices that can limit this from happening? Is increasing the scope the only way to resolve this issue?
Many thanks in advance!

ha! No worries, girl in a tech world... used to it LOL
When we changed up this year (went from a private entity to being taken over by the 'mother ship' as I like to call it), they said '2012 is the Wireless Year, we want it everywhere to be able to be used by everyone; we want it easy, and we want to start employee BYOB' (to which I grumbled a bit... but oh well). And now just got news we are taking another division on board, so that number I just gave you I say add another 10 or 15 to, not to mention a few WiSMs thrown in there. We were using Guest NAC, but then it was thought to be easier using a shared ID/PW with it changing weekly, which currently I manage by pushing WCS jobs out each week; and future is to use an AD backend for that instead. And this is slightly off topic, but I also broadcast the SSID for the mother ship into our network and tunnel our WLC back to an anchor on their network so users can pick up IPs from there, and then our WLCs live in their radius server.
... Fun Stuff, eh?

Similar Messages

  • E4200 : Guest Access : No IP-address on cascade routers

    configuration :
    2 E4200 wireless routers.
    LAN-LAN connected through a cable.
    router 1 is connected to internet and has DHCP enabled.
    router 2 is NOT connected to the internet and has DHCP disabled.
    wireless is enabled on both of them with the same SSID.
    guest account/access is both enabled on them.
    this works :
    laptop connects at normal WIFI on router 1 --> internet works (IP: 192.168.1.150)
    laptop connects at normal WIFI on router 2 --> internet works (IP: 192.168.1.150)
    laptop connects at Guest WIFI on router 1 --> internet works (after login screen in Internet Explorer)  (IP: 192.168.33.108)
    this does NOT work
    laptop connects at Guest WIFI on router 2 --> internet does NOT work
                       --> laptop does not get an IP-address
    when I connect to normal Wifi on router 2, I get an IPaddress from the DHCP on router 1
    But when I do the same with the GUEST WIFI on router 2 it does not ask an IP-address at Router 1
    anyone ideas????
    thanks

    Can you please tell me what IP address you are getting on the laptop which is connected to the guest network through the 2nd router, and what is the range of the IP address that you are getting?

  • Guest WLAN and IP Address Exhaustion

    Does anybody know of a way to stop a DHCP Server from doling out IP addresses (and subsequently exhausting the DHCP Scope) prior to performing L3 Web Auth to the WLC?
    The problem arises when Students come into School with their iPhones and such like with the WLAN turned on which exhausts the current Guest WLAN DHCP Scope.  Subsequently when a valid Guest User comes along they are unable to obtain an IP.
    Many Thanks

    Hi,
    This is the challenge that we have with the Guest wireless access!! However, we can use WPA/WPA2-PSK along with the WEB-AUTH, so that only the clients who provide the right PSK will be able to grab the IP.
    Regards
    Surendra

  • Guest Access and H-REAP

    I have 30 1242 LWAPPs on my network. Six of these are operating in H-REAP mode as they are outside of our main campus area in other states. We use two WLANs on our wireless network.
    One of the WLANs is for all company users and the other is a guest network run off our anchor controller in the DMZ. The 24 APs that are in local mode have very few issues, but more often than not, when someone tries to connect to my guest network on an AP that is running in H-REAP mode I have to reboot the AP in order to get them authenticated.
    This happens about 75% of the time. There are some cases when it just works and I have no issues, but those are few and far between.
    Does anyone have any idea why this may be occurring?

    Are you seeing any errors when the clients try to connect to the guest network? Does it happen with all the LAPs? We will need more information to troubleshoot this issue.

  • WLC/WCS Guest Access and Audit trail

    I am currently using WLC version 4.2.112.0 and WCS version 5.0.56.2 and am looking for a way to keep an audit trail for assigned Guests rather than for the LobbyAdministrator creation and deletion of accounts... is this a feature of the WCS?
    I know that I could use AD and use the accounting portion of AAA of the radius server, but is this function available on the WCS?

    @Jacobt777 Thank you so much. Your solution took me about two seconds and the problem is fixed.
    Should have checked this forum an hour ago when I was about ready to throw the phone against the wall, but I love my iPhone too much.

  • H-Reap, Guest-Access and CAPWAP

    If I use access points in H-REAP mode, is guest traffic still encapsulated in CAPWAP?
    I think so, but I'm not really sure.
    Sven

    Hi Sven,
    If you are using HREAPs then you can choose WLANs to be either locally switched or centrally switched with the WLC.
    If a WLAN is centrally switched, then all traffic should be sent to the WLC, and hence it is encapsulated in CAPWAP the whole way between AP and WLC.
    If a WLAN is locally switched, however, then the traffic of the clients will be managed locally and will be sent directly to the network without going through any tunnel to the WLC.
    Local or central switching can be configured on a per-WLAN basis from the advanced tab of the WLAN configuration under the "HREAP" field.
    By default the central switching is active. You can choose to use local switching per WLAN from the advanced tab of the WLAN as I said above.
    You may find more information about the matter here:
    http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080736123.shtml
    Hope this is helpful.
    Amjad

  • WLC and ISE guest access COA

    We are migrating to ISE for guest access and are having problems with the COA being delivered after a successful authentication. ISE attempts to send it but nothing changes on the WLC. The message in ISE is Dynamic Authorization failed and a message that ISE didn't receive a response from the NAD, verify communication. What is odd is the original guest request comes in from the IP address of the service port on the WLC but anything doing with the COA is seen from the management. I have both IPs defined for the device in ISE. I am about to do a session reauthentication within ISE and the WLC applies the changes. I have verified that RFC 3576 is enabled, but the show radius rfc3576 stats shows no values. The WLC is running 7.6.130. I have attempted to debug on the WLC side to see if the message is even being delivered but none of the debugs I have attempted seem to offer any good information.
    Anyone have any suggestions?
    Thanks,
    Joe

    Hi Joe,
    I don't really know what you are trying to do with the COA, as it is used in the CWA solution and BYOD solution as well. But even before trying that, I would advise you to go step by step and solve the n/w issue first. You are able to see the request from the service port, which should not happen because then the incoming/outgoing traffic takes different paths. You must be facing this situation as you might have some network routes matching the ISE subnet/IP address in the GUI>Controller>Network routes, as there is no need of those routes. If the service port needs to be used during a controller down scenario then use a laptop in the same subnet as the service port IP and connect to the service port.
    Regards
    Dhiresh

  • Extending a network and the new guest access feature

    Hi-
    Currently, I have 3 of the 802.11n Airport Extremes—One creating the network, and two extending the network.
    I would like to get the new feature that allows you to setup guest access---
    My question: Will I be able to purchase ONE of the new Airports, setup guest access and extend it using the older Airports, or will I have to buy three of the new Airports to make this work….
    Thanks for any help or advice!

    It would seem almost certain that the older AirPort Extreme base station (AEBS) would not extend both the normal network and the guest access network. You should be able to extend the normal network.

  • Guest access in bridge mode

    I want to set up a secure wireless network in our small office that will also allow clients to access the internet while in our waiting area. I also want to maintain our current wired network, which is connected to the internet through a Nortel router, connected to a DSL modem. Where would the Airport extreme be installed? - i.e., upstream or downstream from the router? Also, looking over Apple's network documentation, it appears that the Airport Extreme would be in Bridge mode when configured on an existing ethernet network with router, but the documentation is clear on the issue of setting up guest access in this kind of configuration.
    In case you have not guessed, I am not an IT guy, so will be grateful for any helpful suggestions

    Blind Lemon wrote:
    I want to set up a secure wireless network in our small office that will also allow clients to access the internet while in our waiting area. I also want to maintain our current wired network, which is connected to the internet through a Nortel router, connected to a DSL modem. Where would the Airport extreme be installed? - i.e., upstream or downstream from the router? Also, looking over Apple's network documentation, it appears that the Airport Extreme would be in Bridge mode when configured on an existing ethernet network with router, but the documentation is clear on the issue of setting up guest access in this kind of configuration.
    Guest access and bridge mode are incompatible on AirPort base stations. I'd connect an AirPort Extreme to your DSL modem, connect your wired network connections to the Ethernet ports of the AirPort Extreme, and take the Nortel router out of service. Depending on how many wired connections you need, you may also need an Ethernet switch. Besides the WAN port, an AirPort Extreme only has three available Ethernet ports.

  • Self Registration Guest Access

    This is a complete newbie question, but I can't seem to find the answer in any of the technical pages. We would like to set up a guest access point for visitors to our business, but we would like to require them to self register the first time they use the facility. I know that the WAP321 allows guest access and authenticated users, but can't discover if it will allow first time users to register for access.
    Can anyone advise? If not, can you suggest a product that does?
    Thanks
    Peter

    Hi Peter, thank you for using our forum, my name is Luis and I am part of the Small Business Support community. I am glad to assist you with your configuration, but I don't quite understand what you mean by "self-register the first time they use the facility".
    Captive Portal allows you to block wireless clients from accessing the network until user verification has been established. You can configure CP verification to allow access for both guest and authenticated users. The database can be stored locally on the WAP device or on a RADIUS server. But this feature will always request the authentication to provide access.
    You could see more details about Captive Portal in the admin guide in page 143.
    Also here you will see some steps to configure it, if this feature works for you.
    Please let me know if you find this answer useful,
    Greetings,
    Luis Arias.
    Cisco Network Support Engineer.

  • Does WAP4410N support Wireless Guest access solution?

    Does the Linksys AP (WAP4410N) support Wireless Guest access solution?

    Hi - I've got a WAP4410N which I'd like to use to provide wireless guest access, and I've had a look through the configuration pages and manual, and understand:
    1) I've got to add a virtual SSID (although I'd like to know where the DHCP settings are as I don't believe the WAP4410N has DHCP capabilities)
    2) I need to ensure that traffic can't hop across the multiple SSIDs
    What I'd like to know is whether the WAP4410N can be set up to display a terms and conditions page which users have to "OK" or whether it can host a login page that can be administered by someone to allow access - kind of like hotels use to ensure that not everyone can automatically connect? I don't mind if there has to be a secondary piece of software hosted on a server somewhere, but I'd like to prevent people from being able to automatically connect straight to our connection and would also like to limit them in some way, at very least the bandwidth that the connection allows, at best the sites they can visit too.
    Any thoughts greatly appreciated,
      Andy

  • WCS Guest Access

    Our current wireless infrastructure consists of a WCS/WLC and APs.
    We currently have guest access and use the lobby ambassador feature on the WCS. The guest users are currently created manually by the lobby ambassador.
    There was a request that came internally to automate the entire process and reduce the time required to create the guest users.
    Our requirement would be to create a set of 50 users with random passwords created by the WCS and then push these credentials to the WLCs.
    Our lobby ambassador would take a printout of these user/password details, put it in an envelope and give it out to the guest users when requested.
    The user list will only be valid for a day, and for the next day we create another set of 50 users.
    The credentials should only be active for 3 hours from the time they log in, which means if a user logs in at 9 AM his session should only be active for 3 hours.
    I am looking for insights on how we can achieve the same using WCS or any third-party guest access applications, or I can also look at developing my own application with some kind of an API that can talk with WCS.
    TIA
    Sandeep

    Nicolas - You are right, all my requirements can be met by the NAC Guest server. I had been going through the documentation of this product for the past few days.
    A couple of thoughts that came into my mind: all the features that I was looking at are software based, with no dependency on hardware.
    Since we already use WCS for lobby ambassador, why did Cisco not integrate the same features on WCS, and instead went and put them in the NAC?
    I agree there is a strong correlation between NAC and Guest access, but I am not able to justify getting a new product/hardware for doing advanced Guest access.
    We bought the WCS primarily for the Guest access and guest account management, and controller management was secondary.
    I don't understand Cisco's strategy of putting pieces of the same feature in multiple devices, with the customer having to purchase different hardware for the different features of the same technology.
    I understand that this is not a forum to comment but just thought of penning down my views. However, I will have a talk with the Cisco SE on the same.
    Thanks for your help - Regards

  • Guest access on E2500 not working but everything else is fine.

    HI.. I  did not use the CD to set up,  and instead set this router up manually. We are using this router right now as a hotspot only.. and all is good. I can see both new networks and the WIFI laptops are talking  no problem. Only  issue I have  is that guest access is not working - by that I mean it can't get out on the internet. I can see it as available and connect to it. Guest access and SSID broadcast are both enabled obviously.
    Is there something special guests have to type into a browser? Or did I need to use the CD? (I read on a google search that cisco connect on the CD must be used?)  Any help very much appreciated!

    Really appreciate your help with this. I am a bit of a novice here.. but.. After some more searching on this issue I notice your comments (cut/pasted  below)  with respect to this router and bridging mode. You mentioned that I should update my firmware on this router and that this would (if I am interpreting your reply correctly) facilitate my LAN to LAN connection and of course using this router simply as an access point and more to the point -  having the use of the guest network. So my question is even if I did update firmware,  seems I would still require 3rd party software to make this work? (re your last sentence in your comments below)  Just need to understand the process and determine whether or not it is worth it (or maybe I should upgrade the router) but I don't want to change the configs of the network wired router at this time... and need to use the E2500 or facsimile as  simply an access point with  guest network functionality,  Thanks much appreciated.
    "Again: some E series routers already support wired bridging in firmware, i.e. to use the router as simple access point.
    This is and was always possible using a LAN-LAN setup instead.
    The problem with the LAN-LAN setup is, however, that you have some limitations accessing the network storage or network printer, e.g. the router doesn't have the correct time and you cannot access the storage from remote using port forwarding through your main router.
    These limitations have been overcome with the wired bridge mode (internet connection type = bridge mode).
    But again: this has absolutely nothing to do with wireless bridging. That's something completely different and is not supported on Linksys routers in any firmware version so far. To do wireless bridging (i.e. the Linksys routers connects wirelessly to another main router) you need 3rd party firmware."

  • Wired guest access support on SRE G2

    I have been trying to find info on support for wired guest access on the SRE wireless module. Is it supported? Also, does the 2100 WLC support it? I am running into sizing issues as I am seeing in documentation that it is supported on WiSM, 4400 (end of life), 5500, and 3750G (end of life). So, am I only left with 5500? These are a bunch of branch offices and I do not know if having a 5500 in each site is financially feasible. There is a requirement to have all these networks separate so we cannot share controllers. Thank you in advance.

    It's more like "all WLCs support what is in config guide unless stated otherwise".
    http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps7206/ps7221/product_data_sheet0900aecd805aaab9.html
    "the Cisco 2100 Series enables administrators to securely manage WLANs and mobility services, such as enhanced security, voice, guest access, and location services."
    It says nowhere that the SRE can't do wired/wireless. So it does the same as other WLCs from that point of view

  • EA4500 Guest Access - Poorly specified - please reconfigure ASAP

    The ability to offer guests internet access without exposing the internal network and its devices is valuable.
    However, the method used to implement this on the EA4500 is not convenient.
    Firstly the naming constraints are unnecessary (same as the 2.4GHz SSID with '-Guest' appended), and
    secondly, the mandatory use of a password is highly irritating.
    Because of these 'features', I have been forced to disable EA4500 guest access and rely on the more user friendly capabilities offered by the access point supplied by another provider.
    R+C

    jlbjlb wrote:
    The average user won't understand why their Internet doesn't work as good as it used to when they leave guest network password disabled. But the neighbor's teenage kids will know why. But their lips will be sealed.
    The average geek is going to understand this and use a cheap router as an access point for guests and turn on AP isolation and/or mac filter and disable broadcast ssid, and be done with it. Most geeks will engage wireless security on the AP 5 minutes after their guests leave.
    There is an existing parameter which gives the user the ability to specify the number of guests on the network at any one time, this gets round the network congestion problem, especially as there are QOS parms which can be adjusted to protect bandwidth for streaming video, VoIP etc.
    Not everybody has neighbours within WiFi range (to be honest they can be quite close and yet out of range with the ea4500), or even freeloading neighbours. Persistent abusers can be blocked.
    If Cisco wants to cut down on support calls about poor network performance, they should take more care with the default set up.
    R+C
