Guest-Anchor-WLC and NAC integration guide

I was trying to find some design reference for the Guest-WLC and NAC integration guide. Anyone can share some experience/cisco docs/links?

User traffic is locally bridged on a 1030 in REAP mode so packet forwarded to the default gtw would follow the NAT rules on the firewall but the real challenge is the LWAPP control channel. In that past using 1:1 NAT I was successful with a CP firewall but I had to play tricks with the mobility group and use the FW logs to track and define the right ports.

Similar Messages

  • Mobility Group Requirements for Guest Anchor WLC

    Hello -
    I've alway assumed you can't create a guest tunnel between a local WLC and an anchor WLC that are in different mobility groups.   However, I was told recently (without much detail) that this is possible.  So I have set out to test this.  
    I am trying to point one of my local WLCs guest SSIDs to a guest anchor WLC in a different mobility group.   I have a maintenance window coming up and I am looking to anchor the clients on one campus to the anchor WLC on the other campus so guest service does not go down.   Each campus is it's own mobility group.   In trying to set this up I went to the "mobility anchors" screen for the guest SSID on one of the local WLCs and I am unable to add the anchor WLC from the other campus because it's non in the drop-down menu.  This is because it's not in the same mobility group.   So my question is how do I anchor clients coming through a local WLC in one mobility group to an anchor WLC in another mobility group?
    To me it doesn't seem possible without significant configuration changes.   I don't want to reconfigure/recreate mobility groups. 
    Thanks
    Chuck

    Not only is it possible, I would recommend it. However, you may be confusing some concepts.
    The Mobility Group is different than the Mobility Domain.  I generally refer to the Mobility Group as those WLCs with the same Default Mobility Group Name, and the Mobility Domain as the entire Mobility List (where you can define up to 72 controllers from various mobility groups).
    The point is that if WLCs 1-10 are GroupA, and WLCs 11-20 are GroupB, for anchoring to work you at least need to add the anchor to the mobility list of the foreign wlc, and vice versa.
    If you notice, when you add a mobility entry to the list, it should ask you for mobility group. If you leave it blank, it should default to that of that WLC,  but on GroupA controllers, you could define GroupB controllers (and specific GroupB) and then you should now have mobility established between your controllers and the Anchor configuration will have your anchors in the drop-down....
    Does that make sense?

  • Connect an AP to a Guest Anchor WLC?

    We have two WLC 5508 and one foreign guest anchor WLC at the primary data center, also a 5508 box. I would like to connect an AP directly to the guest anchor WLC through its guest VLAN interface, so that the same configuration is applied to it as other APs connected to frontend WLCs connecting users.
    Would this work or should I create a separate interface on the guest anchor WLC to connect the local AP?
    Thanks
    Sankung

    Not a best practice but as long as your AP is just for guest traffic it would be fine. If your also want to have it like your other APs and have other SSID's, then I wouldn't do that since you have to pole holes in your firewall to allow traffic inside unless you do a reverse anchor to the foreign WLC. You might be better to just use FlexConnect and AP Groups and have the AP terminate to the foreign WLC, but I don't know your setup.
    Sent from Cisco Technical Support iPhone App

  • Implementing Two Guest Anchor WLCs

    Hello -
    I am wondering if anyone has ever setup a guest network solution using two anchor controllers where the internal WLCs each have two anchors configured and use a primary Anchor and when unavailable can dynamically fail over to a secondary Anchor. 
    I am looking to bring my current guest service onto the DMZ.  Right now we are using separate ISPs where we tunnel the guest traffic to an anchor controller and out the separate ISP.   We do not use our corporate internet service for guest.   In any event.  The DMZ design I am working on would include two WLCS sitting on our DMZ.  I'd like to have each internal WLC configured to associate to the DMZ WLC that is connected to our active DMZ/Border.   Upon failure, I would then like to have the internal WLCs failover to the second DMZ WLC on our standby DMZ/Border.   So I would need to configure both anchors on the guest WLAN of each WLC.   I'm just wondering if this is possible and if the failover will actually work.
    Any input is appreciated.   I'd like to implement a redundant guest solution where internal WLCS can dynamically failover to a backup Anchor....
    Thanks
    Chuck

    Hi, I just got done moving our anchors to the DMZ so you are in luck as everything is fresh in my mind. I, like you, have dual anchors in the DMZ I also have over 30 inside (foreign controllers) connected to these anchors.
    When you anchor a WLAN to (2) anchor controllers, the controllers automagically load balance guest associations. Example: 2 guest attached to SSID: GUEST. Guest#1 goes to anchor#1 and guest #2 goes to anchor#2. You dont configure anything, this happens automagically, like I mentioned.
    As for failover. Yes, if you pull the plug to anchor#1. The EoIP tunnel breaks between the anchor and the foreign controller. Guest that were on anchor#1 will require reauthentication and then join to anchor#2.So if you had say a "accept page", these guest will get that same page again from anchor 2.
    Does that answer your question?

  • Guest anchor WLAN and DHCP

    hi,
    I am trying to setup a guest WLAN using a local controller and  a controller in my DMZ using the mobility-anchor configuration.
    Ideally I'd like to use an external DHCP server in my DMZ, but for now, I'd be happy getting the local DHCP server on the DMZ controller working.
    Local Controller config
    Configured mobility-groups, verified mobility group is working
    Created WLAN called "guest" - assigned it to the management interface.
    Have tried the following with regards to DHCP on this WLAN.
         Set it to "override" and specified the DMZ controller's mangement interface
         Set DHCP to "assignment required" and specified the DMZ controller's management interface for the DHCP server for the local controller's management      interface
         Left DHCP server blank on the local controller's management interface
    Setup the DMZ controller as the mobility anchor for the "guest" WLAN
    DMZ controller config
    Configured mobility-groups, verified mobility group is working
    Created WLAN called "guest"
    Created a dynamic interface called "guest" associated to the "guest" WLAN
    Setup mobility anchor for the "guest" interface,  mobility-anchor = local controller
    Created an internal DHCP server scope and enabled it
    Have tried the following with regards to DHCP on the "guest" WLAN
         Set DHCP to "assignment required" and specified the IP address of the controllers management interface as the DHCP server on the "guest"      dynamic interface
         Set DHCP to "assignment required" and specified the IP address of the  controllers "guest" dynamic interface as the DHCP server on the "guest"       dynamic interface
         Set DHCP to "override" and specified the DMZ controller's management interface IP
         Set DHCP to "override" and specified the DMZ controller's "guest" interface IP
    After all this,  my client still cannot get an IP address via DHCP.  I verfiied the client is associating to the AP.
    Any help would be appreciated.
    Thanks
    Lee

    on the DMZ controller, what is the output of a debug client < mac address of the client>  You may also want to capture debug mobility handoff enable, from both WLC.
    For the guest, the DHCP is going to come from the DMZ controller, so there is no real need to configure anything on the internal WLC.  One thing of note, the WLAN config on both the DMZ and Internal must match exactly with the exception of the linked interface, otherwise you will not anchor.
    while runnign the debug, show dhcp proxy, for the WLC to be the DHCP server, proxy needs to be enabled.

  • Can i use Internal DHCP on WLC Guest Anchor (5508) with Foreign HA 5508

    DHCP Proxy is required in order to use local WLC DHCP Pool (Guest Anchor), however reading Wireless Q&A (http://www.cisco.com/image/gif/paws/107458/wga-faq.pdf) states that both foreign and guest anchors must have :
    In a Wireless guest access setup, the DHCP proxy setting in the Guest Anchor controllers
    and the internal controller must match. Else, DHCP request from clients are dropped and you
    see this error message on the internal controller......
    However if you have N+1 you cannot use internal DHCP, does this also "grey" out the DHCP Proxy global setting? If so will the Guest Anchor still work with a internal DHCP pool even though foreign and guest controllers have a mismatch in DHCP Proxy (global) setting?
    Many Thanks
    Kam

    Well it should still work... dhcp proxy is required on the WLC that has a dhcp scope.  With the newer code versions, you can enable dhcp proxy on a per interface do this doens't have to be global.

  • Anchor Points and Intersect Guide Lines Disappeared

    Hi! I must have hit some type of command on my keyboard but now my anchor points and intersect guides have disappeared that would normally appear when I roll my mouse over the anchor point or the intersecting paths. I have hit Ctrl + H as well as went to the menu manually and my edges are showing. How do I turn back on this ability to see my anchor points and intersecting lines guide in Illustrator?
    Thanks in advance!!
    Edit: I run on Adobe Illustrator CS5

    Is View > Smart Guides turned on? If not, enable it.
    If Smart Guides are already turned on, check if Align to Grid is enabled in the View menu and turn it off.

  • Multicasting with a guest anchor configuration.

    Hi All
    First time posting. :-)
    I have a guest anchor controller in our DMZ servicing Apple devices. We are looking at options for using Apple TV to display/stream presentations from executive iPads and such. Since it uses bonjour (multicast) would I be able to utilize the new features available in 7.0.116.0 to implement this solution? I have 4 WiSM 1s servicing the headquarters building and one 4402 guest anchor. I believe this is possible based on the note in the document: VLAN Select and Multicast Optimization Features Deployment Guide; specifically the section:
    Note: In a Guest Tunneling scenario, roaming between export foreign and export foreign is supported. However, roaming between export foreign and export anchor is not supported with VLAN Select.
    In case of Auto Anchor:
    Clients joining a foreign WLC, which is exported to an anchor WLC and mapped to a interface group, will receive an IP address in round robin method inside the interface group.
    Clients joining a foreign WLC, which is exported to an anchor WLC and mapped to a interface only, will receive an IP address from that interface only.
    Clients roaming between two or more foreign controllers mapped to a single anchor WLC with an interface group configured will be able to maintain its IP address.
    Since I only have one guest anchor, I would assume based on this that I would fall under the export foreign - export foreign option and implementing this would be possible.
    Could someone advise?
    Thank you in advance!!

    Thank you for information, I have the same problem. So I made a search on EoIP tunnel and Multicast.
    http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a00808b4c61.shtml
    Q I have a guest tunneling, Ethernet over IP (EoIP) tunnel, configured between my 4400 Wireless LAN Controller (WLC), which acts as the anchor WLC, and several remote WLCs. Can this anchor WLC forward subnet broadcasts through the EoIP tunnel from the wired network to wireless clients associated with the remote controllers?
    A. No, the WLC 4400 does not forward IP subnet broadcasts from the wired side to the wireless clients across the EoIP tunnel. This is not a supported feature. Cisco does not support tunneling of subnet broadcast or multicast in guest access topology. Since the guest WLAN forces the client point of presence to a very specific location in the network, mostly outside the firewall, tunneling of subnet broadcast can be a security problem.
    unofortunately it seems that multicast over EoIP does not work.

  • ISE 1.2 - CWA supplicant provisioning with anchor WLC

    Hi all,
    Having an issue with supplicant provisioning via CWA on an anchor controller. I am able to connect via CWA and authenticate etc no problems but when the device registration page appears it says "unable to connect to the network at this time" - the mac address is populated but the button says try again. Once I click try again it cycles back to the original guest portal login page. In the reports section the failed supplicant provisioning message is "Error while trying to determine access privileges: Fail to get hostName from session cache.".
    I have tried the same policy without the anchor (ie local controller) and it works perfectly. Interestingly enough if I manually register the device first then connect to the guest portal it allows me to click register and proceed to supplicant provisioning. I have also tried the anchor setup using peap and the NSP redirect - this also works perfectly.
    I can confirm ahead of time that firewalls etc are not an issue with permit IP any any between all working parts - no blocks no drops etc. The policy is the standard trustsec CWA setup with Enable self-provisioning ticked. For what it is worth I am absolutely confident with the config having deployed this before - albeit without an anchor controller.

    Stephen,
    I was able to work with TAC the customer account team to find a resolution.  The issue is with the Anchor WLC and the session not being replicated.  I was able to get around it by disabling radius accounting for the ssid on the anchor controller, but when looking at the bug it looks like an alternative fix is to disable fast ssid switching, which would cause issues with BYOD in the dual ssid world.  I'm still doing testing, but the accounting change seems to have solved it.  The bug ID is: CSCui38627

  • Guest Anchor N+1: Failover Time

    Hi Wireless Experts,
    Wondering if any one tested how fast a foreign WLC would detect an internet guest anchor WLC went down and switch the internet traffic to the EoIP tunnel to the other guest anchor WLC?
    From the end user experience, I assume the guests would expect service interruption and a new login screen to reconnect. Is it correct?
    Thanks
    Cedar

    Usually it will switch once the mobility is shown as down.  The foreign wlc will then have to send the traffic to the other anchor WLC and if your using webauth or possibly a different subnet, then that is the amount of time it will take.  WebAuth, the clients will have to authenticate again.
    Thanks,
    Scott
    *****Help out other by using the rating system and marking answered questions as "Answered"*****

  • Wireless DMZ with foreign wlc - EoIP - anchor wlc

    Hi,
    We are trying to setup a a segregated DMZ wireless network.
    I've attached a simple topology to illustrate. So we have foreign controller and anchor controller. Firewall ports UDP16666,16667 and IP97 have been enabled and EoIP tunnel itself is up.
    The client is also able to connect to the TEST ssid and obtain IP address from the DHCP server. But the client can't reach the gateway or any other network. The client's gateway is the firewall where the Anchor is connected.
    Does anyone have experience setting up EoIP tunnels and DMZ wireless? What could be the issue?
    I've been reading the Cisco guide and searching all over the internet without any success.
    Any help will be appreciated.
    Regards,
    Delgee

    Doesn't look like your tunnel
    Is working. If you didn't open up dhcp from the DMZ to the dhcp server and back, the clients should not be able to get a dhcp address. Look to make sure the mobility is up between the foreign and the anchor. Also you should see the client on both the foreign and the anchor. The WLAN SDID's also need to be exactly the same for e caption of the interface and you need to anchor the foreign SSID to the anchor wlc and the anchor wlc SSID to itself.
    Review this doc as it e plains what needs to be done on both WLCs
    http://www.cisco.com/en/US/docs/wireless/technology/guest_access/technical/reference/4.1/GAccess_41.html
    Sent from Cisco Technical Support iPhone App

  • Guest Cert problems ISE and Anchor WLC

    I'm setting up new Guest Wireless, I have 2 internal foreign 5508 WLC's talking to 2 DMZ anchor WLC's. The guest connects to Guest SSID and the anchor controllers acts as a DHCP server, the Guest interface configured on the WLC is the in the range of the DHCP scope I've setup. The DHCP scope is using the anchor WLC Mgmt interface as the DHCP server.
    Guest SSID - is setup for Webauth and Guest is redirected to the ISE server https://wlc.company.com/login...., when the page is presented to the Guest they get cert problem because the cert is not trusted (its an Internal Cert), Guest logins in ok and the AUP says "cert not trusted" 1.1.1.1 name of the WLC wlc.company.com.
    In the browser Guest has https://wlc.company.com/loginredirecthttps://1.1.1.1........
    1.1.1.1 is the Virtual interface of the Anchor WLC.
    How can I get the client to stop using the Virtual Interface for cert. Why is the WLC doing this? I gather something to do with DHCP?
    My plan is to apply a External Cert on the ISE for Guests, that way they will automatically trust a cert from Geotrust for example. But I'm going to still run into this Cert "not trusted" problem where the Guest is not trusting the WLC anchor  Virtual Interface 1.1.1 . Why is the guest using the Virtual interface error 1.1.1.1. I've even added the ISE name of the cert to the Virtual interface, same problem, instead its just says  wlc.company.com not trusted. I have also imported the cert onto the WebAuth cert on anchor WLC, still doesn't work.
    Hopefully I've explained this ok.....any ideas? but if the Guest page keeps getting presented with
    https://wlc.company.com/loginredirecthttps://1.1.1.1........ it will never work.

    I followed Richard's advice and started from scratch, removing LWA and implementing CWA -MAB. It didn't take too long to setup CWA and get authentication working, I appled a Preauth ACL on WLC's and on ISE under Authorization pofile (CWA)
    This is when the problems started happening, I was using the default ISE Authorization profile
    cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cwa.which is not what I want, again the certificate is the server cert which is not an external Cert that the guest wants to see. The user can login fine, unlike LWA, with Firefox or IE it would accept the cert and login so at least I had a working Guest wifi solution. Though there was a cert error symbol at the end of the browser url.
    The next step I tried was to change the Authorization Profile to
    (wireless.company.com which is a C-NAME for ISE box and has this Alias in the cert, this was a test before I apply the external cert)
    cisco-av-pair = url-redirect=https://wireless.company.com:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cwa
    I applied the change and the new page appeared on the users laptop, great, but this time users were declined access via live Authentications, reason "Cannot login due to session id expiry, please login a again", I created a new user a/c, same problem. Not good. Ok so I thought well if I want clear all these stale session id's that appartenly exist I'll stop/start the application which I did from the command line, still the same error "Cannot login due to session id expiry". hmmm, whats going on here.
    I then rebooted the ISE (this must clear all the sessions!), reboot I performed from home and now for some reason I cannot login to the ISE front end GUI with the admin account or my account. Tried resetting the GUI password for admin and other admin users, the message "Error: cannot reset password this can only be performed on Standalone or Primary node" Well what have I done, just rebooted ISE nothing else apart from changing authorization profile. This box is a Standalone node. Without seeing if the clients connect due t no GUI access, I have referred this issue to TAC!
    Also I don't like the fact that your have to install a external cert against the internal node name, epsecially when its external. But again I haven't reached this part yet.

  • URL Logging for Guest Traffic using Guest Anchor and ISE

    Hi there all,
    I'm looking for a solution whereby I can log URL information for wireless guest users to ISE. The anchor WLC sits in a DMZ behind an ASA and the ISE is on the internal network. I found this document (see URL below) which is similar but using a NAC Guest Server and not an ISE.
    I'm wondering if anyone has managed to do this using ISE?
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080ac2fda.shtml#wlcc

    Hi, Sorry for the late reply, I have been busy with a Proof Of Concept with the ISE.
    I have tried your suggestion and I cannot get the same results as you.
    I notice that the logs in your report were generated by an ASA. Do you know whether the same can be done with a switch dACL?
    i have this configuration...
    dACL
    3k-access#sh ip access-list int fa0/1
         permit udp host 10.1.10.103 any eq domain
         permit icmp host 10.1.10.103 any
         permit tcp host 10.1.10.103 host 10.1.100.21 eq 8443
         permit tcp host 10.1.10.103 host 10.1.252.10 eq www log-input
         deny ip host 10.1.10.103 10.1.0.0 0.0.255.255
         permit ip host 10.1.10.103 any
    Logging config...
    logging esm config
    logging trap debugging
    logging origin-id ip
    logging host 10.1.100.21 transport udp port 20514
    with the above onfiguration, I get a report which shows the syslog messages of successful authentication and download of the dACL, but then when I access a URL, i do not see any events about the URL that was accessed or even the IP that was accessed.
    DO you know if this can be done? maybe I am looking at the wrong report? Can you help?
    Mario

  • DMZ Anchor WLC setup for Wireless Guest Access

    I have the following setup.
    A DMZ WLC 4402 connected to firewall DMZ interface in 10.10.73.0/24 network.
    An Inside WLC 2106 connected to firewall Inside interface in 10.10.71.0/24 network.
    Both WLCs are running the same 4.2.176 code.
    DMZ WLC is anchor to itself and Inside WLC select the DMZ WLC as the anchor point.
    I have setup EoIP between DMZ and Inside WLCs successfully with both the control and data path both show as UP status. >> "show mobility anchor"
    The main issue: Clients cannot obtain IP addresses after connected to Guest SSID.
    1. Inside WLC, the guest WLAN ingress is 802.11b/g radio and egress port is set to management interface (EoIP) of type WLAN.
    What is the DMZ WLC setting? Is the ingress set to "802.11b/g" which does not make sense because the ingress is EoIP from Inside WLC?
    Or I still set as 802.11b/g? Same config as Inside WLC? I read from other threads suggested by Terry that the config must be the same for both WLCs.
    In the Inside WLC, I saw alot of pdu encapsulation errors for broadcast packets which is ffff.ffff.ffff xxxx which I think is the DHCP request from the connected Wireless clients not making through the EoIP tunnel. I have set static ip for the Wireless client but the packets cannot route through the EoIP tunnel to the far end.
    2. DHCP server is provided by DMZ WLC with the scope 10.10.76.0/24. In the Inside WLC, which DHCP server IP adddress to set to? DMZ WLC mgmt ip address? DMZ WLC, the DHCP server is also set to DMZ WLC mgmt ip?
    3. Layer 2 authentication. I read that DMZ WLC is supposed to be the DHCP server, Layer 2 or 3 authentication for Wireless Clients. However, it seems like Inside WLC is required to configure the Layer 2 authentication parameters and the DMZ WLC is set to providing the DHCP service?
    4. Lastly, anyone has done DMZ WLC sending the Wireless clients traffic to Bluecoat proxy server before hitting the Internet?
    Thanks.

    One of the biggest things is to make sure the wlan is configured exactly the same. The DMZ WLC ingress is the management and also is the egress port. You can create a dynamic interface on the DMZ WLC, but this way makes thing easier. The DMZ WLC should provide the dhcp, so the dhcp scope of course will be on the same subnet as the management of the DMZ WLC. The DHCP Server will be the ip address of the management interface of the DMZ WLC. The authentication also has to be configured exactly the same on the inside wlc and the DMZ wlc. Since you are pushing clients through the tunnel to the DMZ WLC, that is where clients will need to get their ip address, since that DMZ WLC has a network interface to the guest network. I haven't had luck when a proxy is involved, but I know there was a post a while ago on how to setup the proxy to allow the wlc to bypass the users initial dns resolution.

  • ISE and Anchor WLCs?

    Hi All,
    I'm trying to put together a Guest WLAN setup and want to know the best approach.
    If I use ISE for Guest portal/access control do I still have the standard setup of Anchor WLCs in DMZ for the guest WLANs?
    Or does the ISE tell the internal WLC's to place the allowed guest users onto a guest VLAN accessible to the internal WLCs?
    Do I lose anything with ISE compared to the old WCS/WLC guest portal methods?
    Any thoughts would be appreciated.
    Thanks,
    Brendan

    Brendan,
    From my experience you still should use a dmz guest anchor controller. The only difference is the ports you will need to open on the FW between the guest anchor and ISE. Now you can still do this without a guest anchor if there isn't an existing one or one not planned for.
    Thanks,
    Scott Fella
    Sent from my iPhone

Maybe you are looking for

  • Error while executing a procedure in pl/sql

    Hi, iam execvuting a procedure in pl/sql and i get the following error, proc Running: Wed Sep 7 06:13:20 IST 2005 Table truncated. BEGIN <procedure_name> ; END; ERROR at line 1: ORA-01555: snapshot too old: rollback segment number 75 with name "RBS74

  • Permissions issues - Adobe CC programs

    Hi,      I have been having continuous problems with the new Adobe CC programs, and after many times of running Adobe's cleaner tools, reinstalling and following the suggestions laid out by Adobe and the forums with no success  - I am am going to try

  • If Firefox 20 is in Private Browsing mode then a possible persona is disabled and the default theme is used - oh god, no - what can I do to keep both?

    Cor-el answered on the 4.4.13: " If Firefox 20 is in Private Browsing mode then a possible persona is disabled and the default theme is used. So you will have to make a choice." Can I go back to an older version of FF? I really do not want to choose.

  • Can't create a logical system

    Hi Just created a system copy and can't create a logical system. I get an errror message <b>change and transport system not configured and then action terminated</b> in transaction BD54. I don't need a transport system. Can anyone help me with this T

  • Question about packs and kits

    I just got Garageband recently and love it. My question is, are there packs and kits out there that are free to download? Or do I need to get the Jam Packs to do this.