Guest Access WLC Help

I have 2 WLc 4402. 1 Remote and 1 DMZ. I have read the deployment guide for guest access 20 times and still cannot get it to work. a couple answers that I don't see in the guide. 1. Do AP's need to be associated with the DMZ WLC? 2. Am I anchoring my management IP or a different Dynamic IP? I have verified with Eping and mping that the tunnels should be able to be created, how do I verify? An issue that concerns me is that I cannot ping (ICMP) my remote WLC mgmt interface from the DMZ WLC. I know I have connectivity because of eping, mping and https mgmt from the same subnet as the DMZ WLC MGMT Interface. should I be concerned about this? It could just be ICMP blocked at the FW.
I am trying no to open a support ticket as I am sure this is a simple issue. One of my problems is that my VLANs cannot be tagged because the DMZ VLAN does not reside on our core switches and hence I cannot do 802.1Q which is discussed on page 4 of the dep. guide. to get around this I configured IF/2 on my Remote WLC to an IP from my DMZ subnet? Is this ok, is it needed?
Summary Internal IF 1.1.1.1 for both WLC
remote WLC
MGMT = 10.160.24.30 IF/1
AP-MGMT = 10.160.24.31
Service = 192.168.0.10
guest = 10.160.80.16 IF/2
DMZ WLC
MGMT = 10.160.80.15
ap-mgmt = 10.160.24.33 (don't need?)
service = 192.168.0.10
internet = public IP to be natd by FW
I am a newbie to the Cisco WIFI world, but not to IT/networking.
Any help would be greatly appreciative

1. Do AP's need to be associated with the DMZ WLC?
a) No
2. Am I anchoring my management IP or a different Dynamic IP?
a) No IP gets anchored. You Anchor the WLAN on one controller to your DMZ. On the DMZ, you anchor that wlan to itself.
3) I have verified with Eping and mping that the tunnels should be able to be created, how do I verify?
a) from CLI: show mobility summary
This will should you if everything is UP, or if control/data path is down. EPING/MPING should verify this as well if they are successful.
I'm not sure what you mean about port 2. Are you placing a link straight out to your DMZ? Normally everything goes out the main interface and "routes" out to your dmz.

Similar Messages

  • WIRED GUEST ACCESS WLC 5508

    Hi Guys, 
    I've just set up a wired guest access for my HQ but I'm wondering if it is possible to do the same in a branch office because We do not have another controller in this site, could this be accomplished using the wlc of the hq?
    Any ideas please.
    Regards
    Oscar

    If you have L2 communication between HQ &  BR, this is possible (then you can extend your wired user vlan to your WLC).
    Otherwise you have to have a WLC at your branch as well.
    http://mrncciew.com/2013/03/26/wired-guest-access/
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • WLC and ISE guest access COA

    We are migrating to ISE for guest access and are having problems with the COA being delivered after a successful authentication.  ISE attempts to send it but nothing changes on the WLC.  The message in ISE is Dynamic Authorization failed and a message that ISE didn't receive a response from the NAD, verify communication.  What is odd is the original guest request comes in from the IP address of the service port on the WLC but anything doing with the COA is seen from the management.  I have both IP's defined for the device in ISE.  I am about to do a session reauthentication within ISE and the WLC applies the changes.  I have verified that RFC 3576 is enabled, but the show radius rfc3576 stats shows no values.  The WLC is running 7.6.130.  I have attempted to debug on the WLC side to see if the message is even being delivered but non the debugs i have attempted seem to offer any good information.
    Anyone have any suggestions?  
    Thanks,
    Joe

    Hi Joe,
    I dont really know what you are trying to do with the COA , as it is used in the CWA solution and BYOD solution as well. But even before trying that , I would advise you to go step by step and solve the n/w issue first. You are able to see the request from service port which should not happen because then the incoming/outgoing traffic takes different path. You must be facing this situation as you might have some network routes matching ISE subnet/Ip address in the GUI>Controller>Network routes as there is no need of those routes. If the service port needs to be used during controller down scenario then use a laptop in the same subnet of Service port ip and connect to the service port.
    Regards
    Dhiresh
    **Please rate helpful posts**

  • Snmp error for guest access ticket on two WLC

    Hi,
    I have one wcs (5.0.56.2) and two wlc 4400 ( 5.0.148.2). When i try to create a ticket for guest access on the two wlc without time restriction, it works well. But when I defined time restriction for the ticket, i have a snmp error on the passive wlc (snmp operation to device failed, attempt to set conflicting attribute value) and not on the active xlc.
    Thks.

    The lobby ambassador can specify the amount of time that the guest user accounts remain active. After the specified time elapses, the guest user accounts expire automatically.
    The local user database is limited to a maximum of 2048 entries and is set to a default value of 512 entries (on the Security > General page). This database is shared by local management users (including lobby ambassadors), net users (including guest users), MAC filter entries, and disabled clients. Together these cannot exceed the configured database size.
    For the configuration following URL may help you
    http://www.cisco.com/en/US/docs/wireless/controller/5.0/configuration/guide/c5users.html

  • ISE with CWA and wired guest access via WLC Anchor

    Can an Anchor WLC (WLCa) provide a wired guest LAN service if the wlan guest access is using CWA?
    We are deploying a WLAN only ISE solution (it is a full license ISE though) but they just want a few wired guest ports.  I was hoping to add L2 switch to the DMZ where the WLCa is and that the L2 switch wouldnt need any other config as the WLCa just bridges the wired to the wlan vlan.  This Im sure i have done before.
    So now I have set wiredguest the same as i have done before ISE and my wired clients get an IP address, but when they redirect, the URL they get is different, and the redirect just doesnt work.
    It comes out as:
    https://my_ise_ip:8443/guestportal/Login.action?switch_url=https://my_ise_host/login.html&wlan=my_wired_guest_lan&redirect=www.google.co.uk
    So does my simple L2 only switch need an ISE config on it or should the WLCa be handling or the redirection just as it would for a wlan device.

    The ISE never receives an auth entry, so i dont believe the redirect is working for the wired client.  So even though the clients browser gets a redirect url which fails connection, the client info in the WLCa doesnt have a redirect ACL listed like a wlan client would

  • LWA Guest Access with ISE and WLC

    Hi guys,
    Our Company try to implement Guest Access with ISE dan WLC with Local Web Auth Method. But there is problem that comes up with the certificate. This is the scenario :
    1. Guests try to connect wifi with SSID Guest
    2. Once it connect, guests open the browser and try to open a webpage (example: cisco.com)
    3. Because, guests didn't login, so it redirect to "ISE Guest Login Page" (url became :
    https://ise-hostname:8443/guestportal/Login.action?switch_url=https://1.1.1.1/login.html&wlan=Guest&redirect=www.cisco.com/
    4. If there is no ISE Guest Login Page installed, message Untrusted Connection message will appear, but it will be fine if they "Add Exception and install the certificate"
    5. After that the Guest Login Page will appear, and guests input their username and password.
    6. Login success and they will be redirected to www.cisco.com and there is pop up from 1.1.1.1 (WLC Virtual Interface IP) with logout button.
    The problem happen in scenario 6, after login success, the webpage with ISE IP address and message certificate error for 1.1.1.1 is appear.
    I know it happened when guests didn't have the WLC Login Page Certificate...
    My Question is, is there a way to tunneling WLC Certificate on ISE ? Or what can we do to make ISE validate WLC Certificate, so guests doesn't need to install WLC Certificate/ Root Certificate before connect to Wifi ?
    Thx 4 your answer and sorry for my bad English....

    Thx for your reply Peter, your solution is right,
    i don't choose CWA, because their DNS is not stable...
    i've found the problem...
    the third-party CA is revoked, so there is no way it will success until it fixed...
    and there is no guarantee, they will fix it soon..
    so solution that we choose is by disable "HTTPS" on WLC...
    "config network web-auth secureweb disable".
    "config network web-auth secureweb disable".
    "config network web-auth secureweb disable".
    "config network web-auth secureweb disable".
    "config network web-auth secureweb disable"
    thank you all...

  • WLC as a Mobility Anchor for guest access - Management on DMZ or not DMZ

    When using Guest Access Cisco recommend a Mobility Anchor Controller be placed on a DMZ and the guest access wireless Lan is tunneled to this controller.  This means that 2 DMZ subnetworks are required - one for the management interface and one for the wireless lan's dynamic interface itself.
    I am trying to see if there are any disadvantages/security risks using 2 physical ports on the controller (no LAG) and placing one on a corporate network inside the firewall for management and to terminate the mobility anchor tunnel, and one outside the firewall on a DMZ for the wireless lan's dynamic interface.
    Advantages that I see are that no tunnels need to go though a firewall, management of the WLC is kept completely inside the corporate network, protected by the firewall and not left on the DMZ.
    Thanks.

    OK, so to recap;
    - place the 2nd WLC in the DMZ with only 1 port (set for dynamic AP management)?
    - Then Anchor the guest SSID (on it's DMZ IP instead of management IP as is now)
    And to make that kind of anchoring work, I have to open ports below on the firewall.. right?
    UDP port 16666 for inter-WLC  communication, and IP protocol ID 97 Ethernet in IP for client traffic.
    and:
    •TCP 161 and 162 for SNMP 
    •UDP 69 for TFTP 
    •TCP 80 or 443 for HTTP, or HTTPS for GUI access 
    •TCP 23 or 22 for Telnet, or SSH for CLI access
    Thanks to confirm that

  • Wired guest access on WLC 4400 with SW 7.0.240.0

    Hello,
    after we upgrade our Wlan-controller 4400 from software 7.0.116.0 to 7.0.240.0
    wired guest access don't work anymore.
    All other things works fine, incl. WLAN guest access!
    When we try wired guest access, we get the web-authentication page and can log in.
    On the controller we can see that the Policy Manager State changes from WEBAUTH_REQD
    to RUN.
    But then there is no access to the internet.
    We tried also SW 7.0.250.0, same problem!
    Log Analysis on the WCS:
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :The WLAN to which client is connecting does not require 802 1x authentication.
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client does not have an IP address yet.
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client L3 authentication is required
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client Moved to DHCP Required State.
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Mobility role update request. from Unassociated to Local Peer = 0.0.0.0, Old Anchor = 0.0.0.0, New Anchor = 10.101.200.11
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Mobility role changed. State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :DHCP successful.
    Time :03/12/2014 14:21:26 MEZ Severity :ERROR Controller IP :10.101.200.11 Message :Client got an IP address successfully and the WLAN requires Web Auth or Web Auth pass through.
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client IP address is assigned.
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Webauth user logged in to the network. manni
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :AAA response message sent.
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client has completed Web Auth successfully.
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client has completed Web Auth successfully.
    Trying http://www.google.de .... doesnt work. No Log Entries. Next entries while logging out.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Web auth is being triggered again.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client L2 authentication has been completed successfully.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client Moved to DHCP Required State.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :WebAuth user Logged out from network.
    Has someone a idea how to solve this problem?
    Regards
    Manfred

    Hi
    Yes got it resolved. It turns out that the connection from the wired guest access port to the WLC must be L2. That is the switch that the wired guest acces sport is connected and WLC are connected to must be L2 only. We were using a single switch to do the testing and it was also doing the routing for the test LAN. Even though there was no L3 VLAN interface configured for the VLAN that the guest access port was on for some reason this breaks it. Absolu Didnt have chance to work out the exact limitations of this as we simply made the switch L2 only and configured an 802.1Q trunk to the Internet router and made subinterfaces on the router for the wired and wireless egress ports and it worked then. No config change was needed on the WLC at all.
    The only thing I can think of is that it's something about the way the WLC joins the wired guest access ingress VLAn and egress VLAN. The WLC isn't a reall router it says so in the documentation. I think the packet coming from the wired access port is being bridged to the egress VLAn not routed and this is what screws it up (remeber with a router the source and destination MAC addresses would be changed with a bridge they aren't). Got to be something along those lines. If you have a bigger newtork with a guest anchor WLC handling this function you dont run into this as the traffic is coming over an EOIP tunnle from the remote WLC so the switch with the guest anchor WLC doesnt see the MAC address of the wired guest PC.

  • Need help getting guest access to work.

    I have searched and Googled and found very little about enabling temporary guest access on an AEBS.
    What I could find said just type in "the PIN number." OK, what PIN number? It appears that the device seeking access is supposed to supply it somehow and then I type it in while using the Airport Utility. I see no such number on the device. I also tried the "first one to try" method and got nowhere.
    In both cases I was using an iPhone that wanted to use my network. Does this work with iPhones?
    Many thanks,
    -dan

    This thread http://discussions.apple.com/thread.jspa?messageID=4088108&#4088108 looked helpful but I can't get guest access to work for my son's guest using a Dell XP laptop (using Dell wireless management) despite allowing timed access. Neither the PIN nor the first attempt option allowed him on the network without giving him our password.
    It's still not clear if or when this will work. At the very least, the documentation is terrible.

  • WLC based mobility-anchor guest access solution

    Hi everybody,
    My new setup with WLC baesed guest access solution is working well. I am using web based login authentication for wired & wireless solution. And everything is running through out the WLC. The WLC is granting access to is the internet for the guests. My question is how about printers and other devices that cannot make web based authentication. How can i get them to work in the same setup?
    best regards,
    Sahin

    For wired, you simply need to configure mac aut bypass on the printer switchports and point that to the ACS.
    If it's accepted, the port will go in the printer vlan, if not, you can chose the behavior (block access, put in another vlan, etc ...).
    For wireless, you need to enable "mac filtering" on the SSID, so it's best to create a separate SSID for the printers then because you want to authenticate those by mac address and you don't want that for the other clients probably.
    You can then also point the mac filtering towards ACS on the wlc.
    From there you can either have the macs stored locally on ACS or in your ACtive Directory or wherever you want.

  • WLC 5500 guest access logging

       Hello,
    In the ISE documentation is states that under a Guest_Activity report you must have guest access logging enabled on the NAD in the ISE network. My question is where do I enable  guest access logging in the WLC that is our NAD?

    Try under snmp configuration. There you can choose what traps to send. You can choose to send traps for auth clients.
    HTH
    Amjad

  • WLC Wireless Guest Access

    Hi
    When a user attempts to connect to a WLC
    guest access SSID, does the web login page open up automatically?
    Also is the web login page "https" secure rather than "http" clear text
    Mark

    As long as the WLC can resolve the users home page, which is not an intranet site or https, then the user will get a certificate error page first in which he or she will have to accept. Then he or she will get the webauth page. To eliminate the certificate error page, you need to install a 3rd party certificate, one that is standard on the device trusted certificate store.

  • Configuring Guest Access using 2 LWAPs and 2504 WLC

    Please advise,
    I have 2 APs, Cisco Aironet 1040, and 2504 WLC.
    Is it possible to configure guest access (Guest SSID/VLAN and Corporative SSID/VLAN) without dedicated guest WLC in DMZ?

    Yes you can. You can have up to 16 SSIDs per AP, but not suggested to have all 16. You can either use one port on the 2504 for both SSID/vlan or specify which port is for corporate and which one is for guest.
    Thanks,
    Scott Fella
    Sent from my iPhone

  • Guest Splash Page with Cisco WLCs Help

    Hi,
    I need some guidance using Web Authentication / Web Pass-through to create a mandatory splash page that is presented to users of our guest WLAN.  Currently our guest WLAN is wide open, users connect and go straight through to get Internet Access. Here's what we'd like to accomplish.
    1. Have the page hosted on an external web server (i.e not on the controller)
    2. Present Terms of service
    3.
     a. Present an optional field to enter an email address & date of birth (DOB) to opt in for marketing purposes
            OR
     b. Present a mandatory field to enter an email address with an optional check box and DOB to opt in for marketing (the idea behind option b, is that whether they opt in for marketing or not, we could still some how use the email as a username, but not require a password.  In the hopes of then using this as a unique identifier in the WLC for troubleshooting / reporting purposes)
    4. At the very end, have an "I Agree" button
    5. Re-direct to our copmany's public facing website
    Our controllers are 5508s, running 7.4.121.0.  I more or less have an idea of how to accomplish this, but I've never used Web Auth / Web Passthrough with a Cisco Controller before, so I'm hoping someone can clear up a few things for me.
    1. Am I correct that, when using an External server to host the login.html page, we must use Web Authentication, since Web Pass-through is only an option when using an Internal Page? Web Pass-through seems ideal for us, since we don't care about credentials, but from what I'm reading, it seems restricted to Internal (on the Controller) deployments only.
    Based on these
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html#passthrough
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116879-configure-wlc-00.html
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/107474-web-pass-config.html
    2. If Web Pass-through is not an option when using an External deployment, is there any way we could use an email address as a username, but not require a password?  If not, is hiding the username/password fields in the html code of the splash page, and using a single pre-configured default username / password the only other option ? As described here: https://supportforums.cisco.com/discussion/10847046/unsecured-guest-access-customizable-splash-page-and-logo
    3. It sounds like SSL cert warnings may be an issue even if we use an External deployment, because the controller still acts as a middle man.  Is this correct, and is the best fix to install a valid 3rd party cert on the controller?
    P.S. I’m aware of the Big Brother type things that can be done with Cisco MSE and Connected Mobile Experiences, as far as guest tracking / marketing / analytics go. However, that’s way more than we’re looking to do at this point.
    Thanks in advance for any guidance you can provide!

    Hello Jonathan,
    The idea you have is fine, the only exception is the extra fields of information that you want to collect. From the WLC perspective this is not possible to gather.
    The example given on https://supportforums.cisco.com/discussion/10847046/unsecured-guest-access-customizable-splash-page-and-logo looks very interesting, and as long as the WLC receive the information it needs to authenticate the client, you can modify the HMTL code as you want. However, as somebody state on that post, Cisco provides the html example, but we do not really support the html content creation or modification.
    Anyway below on answer #2 I am giving you an idea that could work (again Im not html expert I don't know if that could be achieved that way) maybe you can have a better idea.
    To answer your queries:
    1) The customized web-passthrough page can be hosted on an external Web Server.
    When the pages are on an external webserver, the passthrough is still performed on the WLC, just the pages reside on the external server. It is a good idea to be sure that the pages come up ok on the external server without webauth involved since webauth will not work unless the external webserver works
    2) We have examples of what HTML content a customized Web Passthrough page should include. If you add extra fields on the HTML code (like email address & date of birth), the WLC won't be able to handle this data and most probably you won't be able to gather this information from the WLC , unless you customize the web page in such way that it sends the fields email address & date of birth to another server (rather than to the WLC) to gather this information, but at the end what matter for the WLC is to receive the click on the "Accept" button to authenticate the client.
    3) Regarding the certificate, there are two options, the cheapest and easiest is to disable HTTPS for web authentication. Then, your guests will open an HTTP web page, without having the certificate warning.
    Whether or not you perform local or external web authentication, you still hit the internal web server on the controller. When you redirect to an external web server, you still receive the certificate warning from the controller unless you have a valid certificate on the controller itself. If the redirect is sent to https, you receive the certificate warning from the controller and from the external web server, unless both have a valid certificate.
    In order to get rid of the certificate warnings all together, you need to have a root level certificate issued and downloaded onto your controller. The certificate is issued for a host name and you put that host name in the DNS host name box under the virtual interface on the controller. You also need to add the host name to your local DNS server and point it to the virtual IP address (1.1.1.1) of the WLC.
    This link provides information about WebAuthentication on an External Web Server, however exactly the same applies for Web Passthrough:
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71881-ext-web-auth-wlc.html
    Also, you can download the WebAuthentication bundle, with the examples and some useful information about different customized web pages, it can be used as a template to build your page. Here you will see that Web Passthrough to an external server is indeed a valid option, when you download and unzip it, open the "readme.html"
    https://software.cisco.com/download/release.html?mdfid=282600534&softwareid=282791507&release=1.0.2&relind=AVAILABLE&rellifecycle=&reltype=latest
    Hope this helps

  • Wired Guest Access

    Hi!
    I enabled Wired Guest Access to connect Wired Ethernet Users to WLC. It doesn't explained on user guide how WLC does? If WLC strips 802.3 frame and encapsultes it with 802.11 or not. Any way, I couldn't redirect the ethernet flux to WLC and then to the external controller authenticator (Captive portal authentication).  Need a help!
    Cheers!

    In order to provide the wired guest access, the designated ports in the layer-2 access layer switch need to be configured on the guest VLAN by the administrator. The guest VLAN must be separate from any other VLANs that are configured on this switch. The guest VLAN traffic is trunked to the nearest WLAN local controller. The local controller tunnels the guest traffic across a EoIP tunnel to a DMZ Anchor controller. This solution requires at least two controllers.
    Here is the URL for the Wired Guest Access using Cisco WLAN Controllers Configuration
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml#ancwlan

Maybe you are looking for

  • Sound is distorted.

    Heya Guys, Having some issues with my Apple TV. When you play any format of media, movie, tv show, audio synced or streaming it is horribly distorted. The introduction menu theme has the same distortion so I have ruled out the media, it worked before

  • Can we store day wise Inventory in DSO or cube

    Hi, Can we store day wise inventory in DSO or in Cube using 2LIS_03_BF. Is there any standard infocube or dso is available for storing the day wise inventory. As far as my knowledge is concern we cannot store inventory (correct me if i m wrong). We h

  • How can I preserve Client Port on CSS

    Hi guys, I'm wondering if there is a way to configure CSS11503 running 8.10 so that the servers in the content rules can see the client port number?? The servers can see the client IP, but not the port!! It seems when forwarding packets to the server

  • Sent Date in email is invalid

    Hi All, I want one solution, in our application we will send a email notification to some user but the sent date that appears in mail is been shown as 01 jan 1991 even if we send mail on today's date, can anybody please give me solution for this. Tha

  • LSMW - The source field is longer than the target field in MEK2

    Hi, I tried to create a simple LSMW script to end date condition records using MEK2 transaction. I provide Condition type, Plant, Material, Start Date and default Valid from and Valid to dates. When the program is generated, it defines just 1 charact