Guest Nac & WLC issues

Hello,
I have Guest Nac Appliance & WLC 5508, but I want to know,
1.  IF CAN I USE THE SAME USERNAME AND PASWORD AUTHENTICATED IN GUEST NAC  IN 3 DEVICES? example: Lap Top, MAC, Iphone.
2. How many usernames can be stored in Guest Nac: NAC3310-GUEST-K9??
Thanks a lot

Hi,
1. Don't see a problem with that, or perhaps I'm not understanding the question right?
2. No limit in the software, so as many as you like, until your database fills up your hard drive.
Faisal

Similar Messages

  • WLC+Anchor+Guest NAC

    Hello all
    I have few basic clarifications on these components.. i have a network, with LWAPP's and WLC on one site - say site A. lets consider only the guest SSID, access as of now.. The Anchor guest controller is positioned on a DMZ segment on Site B. Site A & B are connected through a routed network. I also have a NAC guest server, on Site C. Now, i want to integrate all these components. As per my knowledge following is the traffic flow:
    1) When guest users access their SSID, they are mapped to the anchor controller in DMZ, throu mobililty groups.. the WLC then initiates a EoIP tunnel to DMZ controller.. Firewall rules allow,all reuired ports (IP 97, 16666 UDP etc), and end to end ip communication happens.
    2) Upon the reuest, the Anchor controller provides an Ip address from DHCP configured locally. In this case, will the default gateway of the PC's be Anchor DMZ controller's WLAN IP or will it be local to Site A (say L3 switch) ?
    3) Then when the user tries to access any site, he is given a web authentication portal, which is linked to the radius server/nac guest server. during authentication, dmz controller again tries speaking to the nac guest server in site c. hence the firewall has to alow for UDP 1812/1813 radius ports..
    4) after authentication, the user browses internet. Now, what will be the ip packet flow in this instance. Will all traffic be first tunneled across LWAPP to the controller, and from there EoIP'ed to the Anchor ? Anchor then forwards it to the internet gateway, through DMZ ? as asked before, will the default gateway of the PC's be the WLAN IP of the anchor ? if there are too many users, will I create many WLAN SSID's for guests, for Site A ?
    Sorry for the long post..
    Raj

    Greg
    Thanks again.. that was useful too. One last query.. and this was grilling my head:
    1) how does the guest vlan egress work ? I have a WLC on a new DMZ of PIX, with /27 subnet.. This WLAN is used only for EoIP communication.. now, when the guest user gets a DHCP IP, what IP pool should i define here ? since the default route is going to be towards the PIX, it should be one among the 4 interfaces, right now ? or should I have another interface or VLAN dmz for the egress traffic from WLC ? SRND says something about dynamic interfaces, but not been explained at all :(
    2) will the foreign WLC talk to the Anchor controller 1 & 2, in load balancing mode ? why i'm asking is, if the dhcp is defined on Anchor 1 and if the request goest to anchor 2, then it will be an issue.. otherwise is it advicible to split up dhcp scopes between the two Anchors ? say 1-127 in one anchor and 128-254 on other ?
    3) Lastly.. about guest nac servers.. i have 2 of them in place.. will the guest database be replicated between them , like what ACS does ? if so, is the replication bidirectional ? If lobby admin creates an account, it will be good if he just creates in one box, and the other box replicates it ..
    Thanks for all your answers.. it has been really useful to me.. and i think will be useful for anyone who works on Anchor+guest+foreign WLC designs :)
    Raj

  • NAC guest server and guest proxy filtering issue.

    Hi all
    Continuing our issues log for the NAC guest server install, our toplogy and issue is as follows:
    We have a guest NAC server and a 4404 anchor controller successfully deployed in the DMZ, the anchor WLC has a mobilty anchor which is a WISM on the corporate network, DHCP services for guest clients are issued with no problems from the WLC in the DMZ. The first port of the DMZ controller is located on the DMZ and the second port directly connects to the firewall interface.
    All works correctly, DNS, DHCP, NTP, SNMP etc all work fine through the firewall.
    What options do I have to filter Internet access in this scenario, we have Websense and Nokia firewalls, don't think I can use WCCP as I have nowhere to place it, the second connection on the WLC is directly connected to the firewal so nowhere to intercept the traffic, our security team has tried some tricks on the Nokia to try to redirect the traffic on the firewall using a type of redirect, WPAD, I can't see as an option. Any ideas. If I place the second interface into the DMZ, could I use WCCP that way maybe, but won't traffic still have to go to the firewall??
    options please ??

    Well you will need to use a 3rd party certificate..  Here is a link to generate and install a 3rd party certificate on the WLC for the use with Web-Auth:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
    Here is a link for the NGS:
    http://tools.cisco.com/search/display?url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fdocs%2Fsecurity%2Fnac%2Fappliance%2Fconfiguration_guide%2F410%2Fcas%2Fcas41ug.pdf&pos=1&strqueryid=2&websessionid=RK88fQNWy8TCDUakpNGLOqZ
    The applicances are using a self generated Cisco certificate which of course is not a trusted certificate store in most of all operating systems.  So using a 3rd party certificate like RapidSSL, Verisign, etc will eliminate the certificate issue.

  • Mobility Group Requirements for Guest Anchor WLC

    Hello -
    I've alway assumed you can't create a guest tunnel between a local WLC and an anchor WLC that are in different mobility groups.   However, I was told recently (without much detail) that this is possible.  So I have set out to test this.  
    I am trying to point one of my local WLCs guest SSIDs to a guest anchor WLC in a different mobility group.   I have a maintenance window coming up and I am looking to anchor the clients on one campus to the anchor WLC on the other campus so guest service does not go down.   Each campus is it's own mobility group.   In trying to set this up I went to the "mobility anchors" screen for the guest SSID on one of the local WLCs and I am unable to add the anchor WLC from the other campus because it's non in the drop-down menu.  This is because it's not in the same mobility group.   So my question is how do I anchor clients coming through a local WLC in one mobility group to an anchor WLC in another mobility group?
    To me it doesn't seem possible without significant configuration changes.   I don't want to reconfigure/recreate mobility groups. 
    Thanks
    Chuck

    Not only is it possible, I would recommend it. However, you may be confusing some concepts.
    The Mobility Group is different than the Mobility Domain.  I generally refer to the Mobility Group as those WLCs with the same Default Mobility Group Name, and the Mobility Domain as the entire Mobility List (where you can define up to 72 controllers from various mobility groups).
    The point is that if WLCs 1-10 are GroupA, and WLCs 11-20 are GroupB, for anchoring to work you at least need to add the anchor to the mobility list of the foreign wlc, and vice versa.
    If you notice, when you add a mobility entry to the list, it should ask you for mobility group. If you leave it blank, it should default to that of that WLC,  but on GroupA controllers, you could define GroupB controllers (and specific GroupB) and then you should now have mobility established between your controllers and the Anchor configuration will have your anchors in the drop-down....
    Does that make sense?

  • Connect an AP to a Guest Anchor WLC?

    We have two WLC 5508 and one foreign guest anchor WLC at the primary data center, also a 5508 box. I would like to connect an AP directly to the guest anchor WLC through its guest VLAN interface, so that the same configuration is applied to it as other APs connected to frontend WLCs connecting users.
    Would this work or should I create a separate interface on the guest anchor WLC to connect the local AP?
    Thanks
    Sankung

    Not a best practice but as long as your AP is just for guest traffic it would be fine. If your also want to have it like your other APs and have other SSID's, then I wouldn't do that since you have to pole holes in your firewall to allow traffic inside unless you do a reverse anchor to the foreign WLC. You might be better to just use FlexConnect and AP Groups and have the AP terminate to the foreign WLC, but I don't know your setup.
    Sent from Cisco Technical Support iPhone App

  • Cisco Guest NAC access reports

    We have just deployed the Cisco Wireless Guest NAC sponsor server. We are running version 2.0.2. I have created different sponsor user groups and one of the groups allows full access to reporting and audit logs. All of the reports seem to be working properly except for the "Access Reports." There are user accounts that have been created and users have successfully logged in; however, the report always shows "No data" no matter what date range I choose. I have attached a screenshot.
    Additional information:
    Our DMZ controller is a Radius client to the NAC. This Cisco controller is running version 6.0.196. I have checked the firewall for any denied traffic from the NAC server to the DMZ controller and the communication is open. We allow port 1812 between the controller and NAC.

    FlexConnect with Split tunneling may work. 
    Read about this feature & see how that can be used in your branch setup. Here is the Ciscolive presentation slides the above came from.
    BRKEWN-2016: Architecting Network for Branch Offices with Cisco Unified Wireless 
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Guest-Anchor-WLC and NAC integration guide

    I was trying to find some design reference for the Guest-WLC and NAC integration guide. Anyone can share some experience/cisco docs/links?

    User traffic is locally bridged on a 1030 in REAP mode so packet forwarded to the default gtw would follow the NAT rules on the firewall but the real challenge is the LWAPP control channel. In that past using 1:1 NAT I was successful with a CP firewall but I had to play tricks with the mobility group and use the FW logs to track and define the right ports.

  • NAC WLC OOB integration

    I am trying to get NAC integration with WLC working for wireless users in OOB and can't get it to work. I followed directions step by step from the Configuration Example on the Cisco web site. Without enabling NAC on the WLC I am able to associate and work fine. With NAC enabled, association works but the client stays on Quarantive VLAN and never gets switched. I can see the client as Discovered client on the CAM only when I turn off 802.1x for layer 2 security on the WLAN but still it does not get switched to Access VLAN nor do I get a web login screen. The DHCP for wireless clients is provided by the WLC itself so that traffic does not pass through the CAS. Am I doing anything wrong?

    Faisal
    I haven't tried to browse to the CAS IP. I will try that when I am there next time. The laptop did have a NAC agent with a discovery host of the CAM IP as it was used as a wired client before. Looking at the routing table, I would think routing should not be an issue as the Guest subnet correctly points to the untrusted interface with no GW and that should take VLAN 201 pathw hich is the quarantine VLAN ID for WLC Guest WLAN. Just FYI the 172.16.8.0 subnet which is the guest subnet is not being routed internally for security reasons and is jus a L2 VLAN on the core switch
    10.8.21.11/32           -               0 0
    10.8.21.1/32            -               1 0
    10.8.21.0/24            -               2 0
    0.0.0.0/0               10.8.21.1       1 0
    10.8.17.0/24            -               2 8
    10.8.15.0/24            -               2 8
    172.16.8.0/24           -               2 8
    10.8.21.10/32           -               0 2
    10.8.17.169/32          10.8.21.1       1 0
    10.8.17.152/32          10.8.21.1       1 0
    10.8.17.182/32          10.8.21.1       1 0
    10.8.17.128/32          10.8.21.1       1 0
    10.8.17.119/32          10.8.21.1       1 0
    10.8.17.137/32          10.8.21.1       1 0
    10.8.17.188/32          10.8.21.1       1 0
    10.8.17.200/32          10.8.21.1       1 0
    10.8.17.165/32          10.8.21.1       1 0
    10.8.17.124/32          10.8.21.1       1 0
    10.8.17.113/32          10.8.21.1       1 0
    10.8.17.197/32          10.8.21.1       1 0
    10.8.17.206/32          10.8.21.1       1 0
    Thanks
    Shaffeel

  • Wireless Guest Users DHCP issue

    Dear all
    We have 2 wism as well as Anchor controller
    Guest users are getting ip address from anchor controller.
    We had created DHCP scope on anchor controller itself.
    We had opened particular ports to communicate between guest controller and inside controller for EOIP tunneling to take place.
    Issue is that some times user is getting IP address in the range of AP management vlan.
    Do we require to open ports for bootpc and bootps as well or do we need to create dhcp scope in the switch.
    If any one has faced the above issue pls reply me at the earliest.
    Regards
    -Danish

    If the anchor goes down, or mobility fails, the user should never egress from the Foreign WLC (in my opinion). However, if you are saying that the user gets an IP from the MGMT Interface of the Foreign WLC (not the Anchor), then it is doing exactly what it shouldn't.
    What version of code is this?
    I've seen a lot of deployments implement a "dummy interface" on the Foreign WLC.  So a fake vlan/subnet is created on the WLC and mapped as the default interface for the Foreign's Guest WLAN.   In the event anchoring does fail and the client sticks to the foreign WLC this dummy interface would actually prevent the user from having network access.
    Are you seeing this often?

  • Guest Access WLC Help

    I have 2 WLc 4402. 1 Remote and 1 DMZ. I have read the deployment guide for guest access 20 times and still cannot get it to work. a couple answers that I don't see in the guide. 1. Do AP's need to be associated with the DMZ WLC? 2. Am I anchoring my management IP or a different Dynamic IP? I have verified with Eping and mping that the tunnels should be able to be created, how do I verify? An issue that concerns me is that I cannot ping (ICMP) my remote WLC mgmt interface from the DMZ WLC. I know I have connectivity because of eping, mping and https mgmt from the same subnet as the DMZ WLC MGMT Interface. should I be concerned about this? It could just be ICMP blocked at the FW.
    I am trying no to open a support ticket as I am sure this is a simple issue. One of my problems is that my VLANs cannot be tagged because the DMZ VLAN does not reside on our core switches and hence I cannot do 802.1Q which is discussed on page 4 of the dep. guide. to get around this I configured IF/2 on my Remote WLC to an IP from my DMZ subnet? Is this ok, is it needed?
    Summary Internal IF 1.1.1.1 for both WLC
    remote WLC
    MGMT = 10.160.24.30 IF/1
    AP-MGMT = 10.160.24.31
    Service = 192.168.0.10
    guest = 10.160.80.16 IF/2
    DMZ WLC
    MGMT = 10.160.80.15
    ap-mgmt = 10.160.24.33 (don't need?)
    service = 192.168.0.10
    internet = public IP to be natd by FW
    I am a newbie to the Cisco WIFI world, but not to IT/networking.
    Any help would be greatly appreciative

    1. Do AP's need to be associated with the DMZ WLC?
    a) No
    2. Am I anchoring my management IP or a different Dynamic IP?
    a) No IP gets anchored. You Anchor the WLAN on one controller to your DMZ. On the DMZ, you anchor that wlan to itself.
    3) I have verified with Eping and mping that the tunnels should be able to be created, how do I verify?
    a) from CLI: show mobility summary
    This will should you if everything is UP, or if control/data path is down. EPING/MPING should verify this as well if they are successful.
    I'm not sure what you mean about port 2. Are you placing a link straight out to your DMZ? Normally everything goes out the main interface and "routes" out to your dmz.

  • Cisco ISE Guest Portal - DNS Issue - External Zone

    Hello,
    I have a customer that has the following sceanrio :
    In a wireless deployment and a Cisco ISE 1.1.3 deployment with CWA, when the wireless guest receives the redictect  URL  from ISE (URL to access the ISE Guest Portal), this URL is based on  the  ISE DNS name, not on its IP address; so, the PC can't resolve  this via DNS name since there is no DNS in the External zone (for guets) or by using the ISP DNS servers addresses provided  by the  DHCP server, and, so, it can't access the Guest Portal at all ;
    I know that in trying to manually code the IP address - this does not work (ie in the CWA Authorization profile, the equivalent URL redirect via the CISCO av-pair as follows :
    cisco-av-pair=url-redirect=https://10.10.10.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa, )
    since the sessionIdValue variable is not replaced by its real value when sent to the wireless client)
    My question is : Has this issue been addressed in version Cisco ISE 1.2 - has anyone tried it if has been addressed? If not in Cisco 1.2 - does anyone know iof this feature will become available?
    Thank-you in advance for your replies.
    Robert C.

    Robert,
    Manual assignment has been made available in ISE 1.2 release.
    M.

  • NAC Agent Issue

    Hi
    I have implemented Cisco NAC for remote VPN users. As part of this they go through 3 checks:
    1. Antivirus installation check
    2. Antivirus definition check
    3. File check
    I have configured the definition check to remediate via internal update servers if 30 days or more out of date.
    The issue I'm seeing is that the end user recieves the following Cisco Agent error during the remediation process (while in the temporary role):
    "The remediation you are attempting is reporting an access denied error. This is usually due to a privilege issue. Please contact your system administrator."
    The definition update happens in the background though (I have allowed the required access through the NAC server) and once complete places the user in the correct role. Therefore It's no so much an issue, just a misleading message displayed to the user.
    Has anyone seen this before or know where this is configure?
    Kind Regards
    Terry

    Hi Faisal,
    I am still having this problem.
    Even though the agent displays that error message, the AV still updates in the background. The problem then is that the agent fails to realise that the definitions are then fully up to date and does not re-check posture automaticly. therefore i am having to disconnect and re-connect the network cable for the agent to realise that I am not fully compliant.
    Is there anything that i can do to make this posture / remediation process, automatic and seemless?
    Mario

  • ISE 1.3 Sponsored "Known Guest" emailing credentials issue

    Just ran into an issue with ISE 1.3 email notifications and was hoping that I might have overlooked a setting.
    Basically if I create a self-registered guest ISE will send an email to both the listed sponsor and a confirmation email to the guest with credentials – this works fine. Furthermore I can go to the sponsor portal and click the self registered user then resend the credentials – this also works.
    My problem is when I create a "known guest" user from the sponsor portal. Basically I create the account and hit the notify button, select email and click ok – ISE then throws an error saying unable to send email. I click the user and click resend and likewise I cannot send an email.
    So in summary email notifications work for self registered guest type but not a known guest type.

    Fixed the issue. I did some debugging and looking through logs and found that there is a bug. Basically you need to enable the sponsor to select the language dictionary for email notifications and it fixes the issue.
    It is under the customisation section of the relevant sponsor portal under settings of known guest

  • ACL on WLC issue

    Im seeting up a radius server so it can authenticate a guest server.
    The guest server acting as a radius (192.168.128.154)
    I manage to re-direct guest user to WLC logon page, I then enter username and password, logon without a problem, got Ip address, I could ping everywhere including the Internet, but browsing the web doesnt work.
    Strange thing is I can ping google.com but I cannot browse using the web browser.
    When I remove the 3 AClL, it bypass logon windows and get straight to the Internet.
    What i want is first it get authenticate ( wlc redirect to the radius server - 192.168.128.154), then user can browse the Internet
    Attached is the ACLs.
    Any input is sppeciated.

    Even though it's on a WLC, the ACL stil has that implicit deny at the end of it.
    So you are specifically allowing anyone to access that server, that server to get to anyone and ICMP, but after that you are not allowing any other connections out.
    Basically you would want to add some entries that deny "guest" to "internal" then do a permit any any any.  That way you stop them from getting to internal resources but they can still get to the interwebs
    Cheers,
    Steve
    If  this helps you and/or answers  your question please mark the question as "answered" and/or rate it, so  other users can easily find it.

  • Dot1X guest vlan authentication issue..Real Challenge!!

    Hi Guys!
    I would really appreciate if some one could help me find lead on this issue...
    My coporate and Quarantine users dosn't get correct VLAN as soon as i enable Guest VLAN feature..all of them go to guest VLAN...
    Scenario 1
    interface GigabitEthernet3/0/42
    switchport mode access
    authentication port-control auto
    dot1x pae authenticator
    dot1x timeout quiet-period 5
    dot1x timeout tx-period 5
    spanning-tree portfast
    Test Workstation behavior
    802.1X (Corporate) = VLAN 1
    802.1X (Quarantine)= VLAN 20
    Non-802.1X (Guest) = UnAouthorized
    Conclusion
    802.1x authentication is working without the guest VLAN feature
    Scenario 2
    interface GigabitEthernet3/0/42
    switchport mode access
    authentication event no-response action authorize vlan 30
    authentication port-control auto
    dot1x pae authenticator
    dot1x timeout quiet-period 5
    dot1x timeout tx-period 5
    spanning-tree portfast
    Test Workstation behavior
    802.1X (Corporate) = VLAN 30 GuestVlan
    802.1X (Quarantine)= VLAN 30 GuestVlan
    Non-802.1X = VLAN 30 GuestVlan
    Conclusion
    802.1X doesn't work after enabling Guest VLAN feature (no-response)
    Some important notes...
    1) IOS version = c3750-ipbase-mz.122-50.SE.bin the only IOS which supports 10gig modules...
    so i can not test with any other IOS
    2) We had older 3750 100Mpbs switches with same config (we copied the config from old switch to new Switch) and the only command which got change automatically due to IOS change is....
    dot1x guest-vlan 30 (Old IOS syntax) = authentication event no-response action authorize vlan 30 (New IOS syntax)
    so even if you put old command syntax it will get change to new one...
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_50_se/configuration/guide/sw8021x.html#wp1176660
    Guys please help me.........

    Just to update you here.......after running some debugs on Swicth i found that....(Scenario-2)
    When we connect 8021X enabled PCs (Coporate users) and Boot them...they initially behave like Non-8021X client while booting and during that time switch puts them in guest vlan but when workstation comes to a state (login prompt)where they start communicating like 8021X client.....switch just fails to put them in appropriate VLANs.. may be due to some time out issues.........I feel like i am very close to get the solution but just wondering which timers need to change or may be i am wrong if there is something else need to be put in...........any way i just shared my things with you....
    Same Workstations are working fine with old swicthes without any problem...it is windows XP SP3

Maybe you are looking for

  • How to display a photoGallery ?

    Hi Friends, i am creating a view-based application in that i am parsing XML file to collect the images in it. I am storing those images into an array. Now i need to display these images like a photo gallery. Can i use UITableView display the images o

  • Enable sequencefileload callback through VC++ and TS API

    Hi, I would like to enable the Sequence File Callback "Sequence File Load". Using TestStand's Sequence Editor, this is done in about 3 mouse clicks and there is nothing to wonder about. Unfortunately (!), I am using VC++ and TestStand's API to progra

  • Not enough speed when using AVI read

    Hello! I have a problem with the speed, when I'm using the 'AVI read' VI. I want to read 60 frames per second, but my test.vi allows to read at least 20 to 30 fps (->33 - 50ms loop time), even when I do it in the easiest way (only the AVIread in the

  • How to Lock particular template for user editing.

    Hi Gurus, we have some templates created on top of infoset querrys to display the output in specific format. I want to lock particular templates for user modification. That means when the user is trying to change the template layout and try to save w

  • Repeating events slipped forward one day-version 3.02 Leopard

    I use repeating events to list birthdays. Suddenly I found that all my birthday events had slipped forward one day earlier. What causes this? How can I correct it? The events are wrong but iCal registers the correct day of the month and time zone.