Guest Anchor

Similar Messages

• Guest Anchor with web auth using ISE guest portal

  Hello All,
  Before launching into my exact issues, could anyone confirm if they have completed a wireless Guest anchor setup using 2504 controllers on 7.4 as the anchor (5508 is the foreign) with webauth external redirection at ISE 1.1.3 using ISE Guest Services?
  I am attempting this for an internal POC and have hit a couple of issues. Firstly I am looking for correct configuration confirmation prior to going in depth with a couple of the issues. I've been using the TrustSec 2.1 how to guides to build the parts I am not strong on so if anyone has actual completed this setup, I'd love to go through it with you.
  massive thanks to anyone that can assist.
  JS.

  Thanks for the reply RikJonAtk.
  so to start with, based on the trust sec documents, of the guest WLAN on the anchor I need to configure mac filtering at the layer 2 security menu as well as enable RADIUS NAC under the Advanced tab. But when I do this, I get an error message that states that mac filitering and RADIUS NAC cannot be enable at the same time.
  Additionally, if I just enable the RADIUS NAC setting under the Advanced tab in the WLAN, I get another error message that states that the priority order for Web-Auth can only be set for radius, so I go to the AAA server tab and send local and LDAP to the not use column and hit apply. If I move to another menu then check the priority order again under the AAA servers tab, the local and LDAP have been moved back to the menu field to be used again.  So I initially though it might be a bug, but I was hoping to find someone here that has done this already and can look at my issues and maybe walk me through their configs, which I'll mirror and see how it goes.
  Thanks in Advanced,
  JS

• Can i use Internal DHCP on WLC Guest Anchor (5508) with Foreign HA 5508

  DHCP Proxy is required in order to use local WLC DHCP Pool (Guest Anchor), however reading Wireless Q&A (http://www.cisco.com/image/gif/paws/107458/wga-faq.pdf) states that both foreign and guest anchors must have :
  In a Wireless guest access setup, the DHCP proxy setting in the Guest Anchor controllers
  and the internal controller must match. Else, DHCP request from clients are dropped and you
  see this error message on the internal controller......
  However if you have N+1 you cannot use internal DHCP, does this also "grey" out the DHCP Proxy global setting? If so will the Guest Anchor still work with a internal DHCP pool even though foreign and guest controllers have a mismatch in DHCP Proxy (global) setting?
  Many Thanks
  Kam

  Well it should still work... dhcp proxy is required on the WLC that has a dhcp scope.  With the newer code versions, you can enable dhcp proxy on a per interface do this doens't have to be global.

• Multicasting with a guest anchor configuration.

  Hi All
  First time posting. :-)
  I have a guest anchor controller in our DMZ servicing Apple devices. We are looking at options for using Apple TV to display/stream presentations from executive iPads and such. Since it uses bonjour (multicast) would I be able to utilize the new features available in 7.0.116.0 to implement this solution? I have 4 WiSM 1s servicing the headquarters building and one 4402 guest anchor. I believe this is possible based on the note in the document: VLAN Select and Multicast Optimization Features Deployment Guide; specifically the section:
  Note: In a Guest Tunneling scenario, roaming between export foreign and export foreign is supported. However, roaming between export foreign and export anchor is not supported with VLAN Select.
  In case of Auto Anchor:
  Clients joining a foreign WLC, which is exported to an anchor WLC and mapped to a interface group, will receive an IP address in round robin method inside the interface group.
  Clients joining a foreign WLC, which is exported to an anchor WLC and mapped to a interface only, will receive an IP address from that interface only.
  Clients roaming between two or more foreign controllers mapped to a single anchor WLC with an interface group configured will be able to maintain its IP address.
  Since I only have one guest anchor, I would assume based on this that I would fall under the export foreign - export foreign option and implementing this would be possible.
  Could someone advise?
  Thank you in advance!!

  Thank you for information, I have the same problem. So I made a search on EoIP tunnel and Multicast.
  http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a00808b4c61.shtml
  Q I have a guest tunneling, Ethernet over IP (EoIP) tunnel, configured between my 4400 Wireless LAN Controller (WLC), which acts as the anchor WLC, and several remote WLCs. Can this anchor WLC forward subnet broadcasts through the EoIP tunnel from the wired network to wireless clients associated with the remote controllers?
  A. No, the WLC 4400 does not forward IP subnet broadcasts from the wired side to the wireless clients across the EoIP tunnel. This is not a supported feature. Cisco does not support tunneling of subnet broadcast or multicast in guest access topology. Since the guest WLAN forces the client point of presence to a very specific location in the network, mostly outside the firewall, tunneling of subnet broadcast can be a security problem.
  unofortunately it seems that multicast over EoIP does not work.

• Mobility Group Requirements for Guest Anchor WLC

  Hello -
  I've alway assumed you can't create a guest tunnel between a local WLC and an anchor WLC that are in different mobility groups.   However, I was told recently (without much detail) that this is possible.  So I have set out to test this.  
  I am trying to point one of my local WLCs guest SSIDs to a guest anchor WLC in a different mobility group.   I have a maintenance window coming up and I am looking to anchor the clients on one campus to the anchor WLC on the other campus so guest service does not go down.   Each campus is it's own mobility group.   In trying to set this up I went to the "mobility anchors" screen for the guest SSID on one of the local WLCs and I am unable to add the anchor WLC from the other campus because it's non in the drop-down menu.  This is because it's not in the same mobility group.   So my question is how do I anchor clients coming through a local WLC in one mobility group to an anchor WLC in another mobility group?
  To me it doesn't seem possible without significant configuration changes.   I don't want to reconfigure/recreate mobility groups. 
  Thanks
  Chuck

  Not only is it possible, I would recommend it. However, you may be confusing some concepts.
  The Mobility Group is different than the Mobility Domain.  I generally refer to the Mobility Group as those WLCs with the same Default Mobility Group Name, and the Mobility Domain as the entire Mobility List (where you can define up to 72 controllers from various mobility groups).
  The point is that if WLCs 1-10 are GroupA, and WLCs 11-20 are GroupB, for anchoring to work you at least need to add the anchor to the mobility list of the foreign wlc, and vice versa.
  If you notice, when you add a mobility entry to the list, it should ask you for mobility group. If you leave it blank, it should default to that of that WLC,  but on GroupA controllers, you could define GroupB controllers (and specific GroupB) and then you should now have mobility established between your controllers and the Anchor configuration will have your anchors in the drop-down....
  Does that make sense?

• Guest anchor across different versions

  Hi all,
  I'm looking for information on the issues that could arise or what the impact is of a guest anchor between WLC's with different versions.
  There is a 4400 in the core running 7.0 and a 2504 in a branch running 7.2. I need to extend a web auth guest SSID to the branch.
  7.2 is required because of 2602 AP's.
  Looking for information and experiences.
  Cheers
  Darren
  Sent from Cisco Technical Support iPhone App

  Here is a compatibility matrix
  http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html#wp102554
  Sent from Cisco Technical Support iPhone App

• Using 2504 as Guest Anchor.

  So I've got a few 7510 Flex Controllers and am looking to setup a mobility anchor for guest networks. I see this functionality has recently been extended to the 2504. However there is one thing I am curious about: the QoS profile, I have a QoS profile configured on my Guest WLAN, customized the bronze profile, from what I remember about the 2504 is it does not support the QoS functionality that is supported on the larger WLC models, and I know WLAN settings must match between WLC's and their anchors, so I don't know what happens with my QoS profile or if I can even utilize the 2504 as a mobility anchor for the 7510 due to this QoS issue.
  Has anyone tested this, or stumbled any documents about 2504's being mobility anchors?
  CCNP, CCIP, CCDP, CCNA: Security/Wireless
  Blog: http://ccie-or-null.net/       

  Do you know if it's possible to keep the 3850's as MC and MA's and deploy a 5760/5508/WiSM2 as just a guest anchor.
  Yes, this is possible & what I have done in my production network (5760 as MC & Guest Anchor where 3850 as MA). In your case you can have 3850 MC/MA while 5508 as Guest Anchor.
  Good to see my blog helps you & thanks for the comment.
  HTH
  Rasika
  **** Pls rate all useful responses ****

• Guest access to the Internet with Guest Anchor Controller

  Hi;
  We are doing our initial implementation of an enterprise wireless system.  I deployed a WLC 5508 connected to our data center core switch using LAG.  The 5508 is configured in FlexConnect mode since it is serving APs deployed to a handful of remote offices.  Employee wireless access has been rolled out and is working well.
  I am designing guest access.  As is typical, I want to enforce a policy that guest wireless traffic is forwarded to the Internet Edge in our DMZ and directed out to the Internet.  We do not plan to deploy a Guest Anchor controller in the first phase of the roll out.
  What is the best way to enforce forwarding of guest traffic towards the Internet Edge once the guest traffic arrives at the 5508?  A guest VLAN between the core switch and the Internet Edge isn't feasible since there is a firewall between the core and DMZ that is configured in Routed mode.
  Thanks for the assistance!  Glenn Morrison

  you'd have to do a VLAN between the core and the firewall for the guest traffic until you get the anchor installed.
  HTH,
  Steve

• Web Auth using 5760 Guest Anchor and ISE

  I am trying to deploy a new guest wireless solution using a 3650s as the MA, a 5760 as the MC, and a 5760 as the guest anchor.  ISE is being used as the guest auth server.
  When no auth requirements are set on the guest wlan, everything works fine.  I get an IP address and can get to the internet, VPN, etc.  As soon as I enter the security web-auth command on the wlan, my client drops and goes into an Acquiring IP Address state.  When I check the client on the controller, it is in a Policy Manager State of START.
  As soon as I remove the security web-auth commamd from the wlan, I connect right up.  It is my understanding that in guest, the client gets an IP address first in order to get redirected to the spoofed external web page, in my case ISE.
  Any thoughts on what I am missing on my guest anchor, or MA config?  Do I need to make any changes to the wlan on the MC?  Any documentation about the relationship between the MA, MC, and guest anchor would be appreciated, I am not 100% sure which devices are required to have the client reach the guest anchor and get connected.

  I hope this may help you
  http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/117742-configure-wlc-00.html
  HTH
  Rasika
  *** Pls rate all useful responses ****

• Guest Anchor N+1: Failover Time

  Hi Wireless Experts,
  Wondering if any one tested how fast a foreign WLC would detect an internet guest anchor WLC went down and switch the internet traffic to the EoIP tunnel to the other guest anchor WLC?
  From the end user experience, I assume the guests would expect service interruption and a new login screen to reconnect. Is it correct?
  Thanks
  Cedar

  Usually it will switch once the mobility is shown as down.  The foreign wlc will then have to send the traffic to the other anchor WLC and if your using webauth or possibly a different subnet, then that is the amount of time it will take.  WebAuth, the clients will have to authenticate again.
  Thanks,
  Scott
  *****Help out other by using the rating system and marking answered questions as "Answered"*****

• Guest Anchor N+1: Multiple guest WLANs and Mobility List

  Hi Experts,
  We are going to replace two guest anchor controllers WLC4402 sitting in different DMZs with two WLC5508 as N+1 redundant pair in one DMZ.
  I assume each guest anchor controller should support multiple guest WLANs. Is it correct?
  And between these two new anchor WLCs, do they need to add each other to Mobility List?
  Or maybe I should ask first, does it matter if they are in the same mobility group or not?
  Thanks
  Cedar

  N+1 for guest anchors isn't what N+1 was designed for.  N+1 was designed for redundancy for WLC's supporting access points, not mobility anchors.  This solution might work, but I really doubt Cisco will support this setup, but I can be wrong.... you can always talk with your local Cisco SE or open a TAC case and ask.
  Guest anchors should have a different mobility group name from the foreign WLC's.  You do need the foreign to have both guest anchors and the guest anchor to just have the foreign WLC(s).  The redundant guest anchors do not need to have each other in the mobility group list.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• DHCP loadsharing with redundant Guest Anchor Controllers

  Hi
  I have 2 x Redundant Guest Anchor Controllers (5508) located in 2 separate Data Centres with all the management and guest user VLAN spanned between two. Everything is working fine with the Guest WiFi access except the DHCP functionality as the Controllers are acting themselves as the internal DHCP Servers.
  This is how I tried to distribute
  network. 10.1.0.0/23
  gateway: 10.1.1.254
  Controller 1, DHCP Server pool: 10.1.0.2 - 10.1.0.254 Gw: 10.1.1.254
  Controller 2, DHCP Server pool: 10.1.1.2 - 10.1.1.254 Gw: 10.1.1.254
  As the user loadbalancing between the Anchor Controllers cannot be controlled (i.e. they are active/active), the same client sometime getting 2 different IP addresses from both the Controllers (as they do not talk to each other in terms of DHCP) hence depleting the pool addresses.
  I guess one way of solving this is to just run 1 DHCP server in one of the controllers but that defeats the purpose of having N+1 Controllers. Is there a better way of doing the DHCP loadbalancing and having full redundancy at the same time?
  Any suggestion will be greatly appreciated.
  Regards

  Thanks Scott, I understand that it's quite obvious to get an external DHCP Server, unfortunately it's not an option for us The weired thing is, it seems when a client joins the guest WiFi, both the Anchor Controllers (both functioning as DHCP servers with mutually exclusive IP Address space) are providing IP addresses. While the client accepts only one the other Controller still reserves the IP address unused and hence depleting the DHCP Pool.
  I thought for load balancing (in the very beginning) the Foreign controller will forward the DHCP request to only one of tthe Anchor Controllers, but in reality it's forwarding it to both. I have tested this with only one test AP, so mobility doesn't seem to be an issue here. Any thoughts?

• 5508 Guest Anchor 7.4MR2

  We are upgrading all Foreign 5508 WLC's to 7.4MR2.  Out Guest Anchor is currently on 7.0.235.  Any reason not to upgrade the Guest Anchor to 7.4MR2?  Has anyone encountered any issues doing this?  We are not having any issues on 7.0, and I just did not want to introduce any.

  mine is with the following. Still trying to figure out why.
  *osapiBsnTimer: Mar 17 12:58:05.949: f8:16:54:07:a8:78 apfMsExpireCallback (apf_ms.c:626) Expiring Mobile!
  *apfReceiveTask: Mar 17 12:58:05.949: f8:16:54:07:a8:78 apfMsExpireMobileStation (apf_ms.c:6655) Changing state for mobile f8:16:54:07:a8:78 on AP 00:e1:6d:b2:a6:90 from Associated to Disassociated
  *apfReceiveTask: Mar 17 12:58:05.949: f8:16:54:07:a8:78 Scheduling deletion of Mobile Station:  (callerId: 45) in 10 seconds
  *annyway, i've tried increasing the Session Timeout to 8hours and still testing it .. As my problem is not consistent, i have to monitor and see if its solved.

• Connect an AP to a Guest Anchor WLC?

  We have two WLC 5508 and one foreign guest anchor WLC at the primary data center, also a 5508 box. I would like to connect an AP directly to the guest anchor WLC through its guest VLAN interface, so that the same configuration is applied to it as other APs connected to frontend WLCs connecting users.
  Would this work or should I create a separate interface on the guest anchor WLC to connect the local AP?
  Thanks
  Sankung

  Not a best practice but as long as your AP is just for guest traffic it would be fine. If your also want to have it like your other APs and have other SSID's, then I wouldn't do that since you have to pole holes in your firewall to allow traffic inside unless you do a reverse anchor to the foreign WLC. You might be better to just use FlexConnect and AP Groups and have the AP terminate to the foreign WLC, but I don't know your setup.
  Sent from Cisco Technical Support iPhone App

• Guest Anchor Controller

  Cisco documentation recommends using a dedicated controller for the guest anchor controller function becuase it needs to be located in the DMZ. However, if I have spare capacity on an existing controller (ie one used to manage APs) then perhaps I can also use it as the guest anchor.  Instead of being physically connected to the DMZ, I would just extend a guest user VLAN from the guest anchor controller to the DMZ.  I would welcome feedback on the validity & security of this alternate solution.
  Thanks.

  Hi Marvin,
  Like anything in networking, there are always different ways to skin a cat. First lets chat about the guest anchor deployment in the DMZ. This particular design is Ciscos most secure way to handle guest access. The wireless guest packet never touches your switch fabric until it hits the DMZ. The packet rides over the guest wifi, hits the ap, gets encapsulated and doesnt get unecapsulated until it hits the DMZ anchor.
  Another way and less expensive is to add a dynmic interface on your internal controller and ride that trffic into the DMZ. I have customer that do this very thing as well. Its cheaper and may be less hassle configuration wise.
  In this approch, your guest packet gets unwrppaed can placed at the door step of the WLC.
  I hope this helps.
  Does this make sense?