Guest Traffic Segregation without using Anchor Controller

Hi
I need help clarifying: is there any other option available to segregate the guest traffic from CORP on the internal WLC itself without using an anchor controller?

Well, I really can't tell you or else it would be a book. You either have to use ACLs on your layer 3 to deny traffic from your guest subnet to your internal. Nothing has to change on the WLC. If you want to connect one port of the WLC to the DMZ, then disable LAG on the WLC and use port one as primary for the internal traffic, which includes management, and another port in the WLC as primary for the guest.
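The layer 3 ACL approach in the reply above depends on entry order, because the first matching entry wins. As an added example (not from the original thread), this Python sketch models a guest-VLAN ACL as an ordered list and audits it from a guest host; every address, the DNS exception and the rule model (destination port only) are constructed assumptions.

```python
import ipaddress

# All addressing below is constructed for illustration (assumptions).
GUEST_HOST = "192.168.50.25"                # a guest wireless client
DNS_SERVER = "10.1.1.53"                    # internal resolver guests may query
INTERNAL = ("10.0.0.0/8", "172.16.0.0/12")  # corporate ranges to protect

# Ordered (action, proto, src, dst, dst_port) entries, evaluated first-match
# like an inbound ACL on the guest VLAN's layer 3 interface.
GOOD_ACL = [
    ("permit", "udp", "0.0.0.0/0",       "255.255.255.255/32", 67),   # DHCP broadcast
    ("permit", "udp", "192.168.50.0/24", DNS_SERVER + "/32",   53),   # DNS exception
    ("deny",   "ip",  "192.168.50.0/24", "10.0.0.0/8",         None),
    ("deny",   "ip",  "192.168.50.0/24", "172.16.0.0/12",      None),
    ("permit", "ip",  "192.168.50.0/24", "0.0.0.0/0",          None), # internet
]
# Same entries with the broad permit moved to the top: every deny is shadowed.
BAD_ACL = [GOOD_ACL[4]] + GOOD_ACL[:4]


def evaluate(acl, proto, src, dst, port=None):
    """Return the action of the first matching entry; implicit deny otherwise."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in acl:
        if r_proto not in ("ip", proto):
            continue
        if s not in ipaddress.ip_network(r_src):
            continue
        if d not in ipaddress.ip_network(r_dst):
            continue
        if r_port is not None and r_port != port:
            continue
        return action
    return "deny"


def audit(acl):
    """Probe the ACL from a guest host; list leaks and broken guest services."""
    probes = [("tcp", 22), ("tcp", 445), ("udp", 161), ("icmp", None)]
    leaks = []
    for cidr in INTERNAL:
        net = ipaddress.ip_network(cidr)
        for dst in (net[1], net[-2]):       # first and last usable host
            for proto, port in probes:
                if evaluate(acl, proto, GUEST_HOST, str(dst), port) == "permit":
                    leaks.append((proto, str(dst), port))
    broken = []
    if evaluate(acl, "udp", "0.0.0.0", "255.255.255.255", 67) != "permit":
        broken.append("dhcp")
    if evaluate(acl, "udp", GUEST_HOST, DNS_SERVER, 53) != "permit":
        broken.append("dns")
    # 198.51.100.10 is a documentation address standing in for the internet.
    if evaluate(acl, "tcp", GUEST_HOST, "198.51.100.10", 443) != "permit":
        broken.append("internet")
    return {"leaks": leaks, "broken": broken}


if __name__ == "__main__":
    print("good:", audit(GOOD_ACL))
    print("bad :", len(audit(BAD_ACL)["leaks"]), "internal probes permitted")
```
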

Similar Messages

  • WLC - Web Traffic redirection without using Web Auth?

    Hi there,
    I am in need of a solution to integrate with the WLC where the guest users can use the wireless access and then be redirected to the company's website once they open a browser.
    This is where the guest users will no longer click any buttons (or accept any certificates). Once the browser is hit it will automatically go to the company's website.

    You can use pfsense or monowall (there are others, but these are the top two open source splash screen portals) or a commercial offering as the gateway
    pfsense is bsd based and has more features than monowall.  The splash can be http or https and is fully customizable.

  • Single 5508 traffic segregation options

    Hi,
    In looking over some design guides, I noticed for a multi-WLC environment, one can use an anchor controller in the dmz to segregate guest traffic, so the WLC(s) on the client's internal network terminate tunnels and then sends EoIP traffic to the anchor in the dmz for the guest traffic.
    For a single 5508, it appears there is no such option unless the multiple WLC ports could be used: some to terminate tunnels and then others to egress guest traffic out a different port connected to the dmz.
    I suspect that is not possible. Wondering what is possible when constrained by a single 5508 for guest traffic segregation. Thanks.

    #whether it is one internal to one guest or multiple internal to one guest the physical connection is always same.
    #only management interface of both internal & anchor needs to be talking physically irrespective of guest wlans getting tunnelled between that internal & anchor WLC, of course need a physical port configured for guest vlan at dmz.
    #For WLC(internal) without dmz-wlc you need one physical port mapped to that guest vlan, either you can use ACL on WLC or at firewall.

  • Using ISE for guest access together with anchor controller WLC in DMZ

    Hi there,
    I setup a guest WLAN in our LAB environment. I have one internal WLC connection to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal which works fine.
    To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
    As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
    Does anyone know of a better solution for this ? Where to place the ISE for this scenario, etc ?
    Thx
    Frank

    So I ran into a similar scenario on a recent deployment:
    We had the following:
    WLC-A on private network (Inside)
    ISE Servers ISE01 and ISE02 (Inside)
    WLC-B Anchor in DMZ for Guest traffic (DMZ)
    ISE Server 3 (DMZ)
    ISE01 and ISE02 are used for 802.1X for the private network WLAN.
    Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
    The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth.  Since we want to do CWA, we use Mac Filtering with ISE as the radius server.  If you send this traffic RADIUS authentication for Mac Filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to.  Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails.  (This was a limitation of ISE 1.1.  Not sure if this persists in 1.2 or not.)
    So what now?  In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentication from the Foreign controller so that the client will use a DNS of https://ise03.mydomain.com/... to redirect the client to.  Once the session is authenticated, ISE03 will send a CoA back to the foreign which will remove the redirect for the session.  Note, you do have to allow ISE03 to send a CoA.
    In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node.

  • Wireless Guest Network using Cisco 4402 as an Anchor Controller

    Hello,
    We have recently redesigned our wireless guest network in accordance with Cisco's recommended deployment using the anchor controller in the DMZ. We have created two mobility groups (enterprise and anchor). The anchor controller and DMZ have two subnets (guest management and guest clients). The guest management subnet is connected to the controller and firewall allowing the mobility groups and EoIP tunnels, while the guest client network is also connected to the controller and firewall to push the client traffic directly out the firewall. The setup works well but the one part that I'm not happy with is the DHCP. Currently DHCP is being handled on the firewall because of issues we had with DHCP relay and the controller's internal DHCP service.
    Does anyone have any information on getting DHCP relay working or the internal DHCP service on the controllers when using one as an anchor?
    This is basically the setup guide that we followed.
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html
    Thanks!

    Hi,
    Make sure you have the IP helper address configured under the VLAN interface on the L3 and also make sure to disable DHCP proxy on both the WLC (Anchor and Foreign).
    This will help us as well..
    lemme know if this answered your question..
    Regards
    Surendra
    ====
    Please don't forget to rate the posts which answered your question and mark it as answered or helpful

  • Guest access to the Internet with Guest Anchor Controller

    Hi;
    We are doing our initial implementation of an enterprise wireless system.  I deployed a WLC 5508 connected to our data center core switch using LAG.  The 5508 is configured in FlexConnect mode since it is serving APs deployed to a handful of remote offices.  Employee wireless access has been rolled out and is working well.
    I am designing guest access.  As is typical, I want to enforce a policy that guest wireless traffic is forwarded to the Internet Edge in our DMZ and directed out to the Internet.  We do not plan to deploy a Guest Anchor controller in the first phase of the roll out.
    What is the best way to enforce forwarding of guest traffic towards the Internet Edge once the guest traffic arrives at the 5508?  A guest VLAN between the core switch and the Internet Edge isn't feasible since there is a firewall between the core and DMZ that is configured in Routed mode.
    Thanks for the assistance!  Glenn Morrison

    you'd have to do a VLAN between the core and the firewall for the guest traffic until you get the anchor installed.
    HTH,
    Steve

  • WLC user rate limit on guest ssid anchor controller

    Hi,
    I have been looking through the forums & some cisco documents but not found a good example similar to what I am seeking to do so now I am turning to the expertise of my peers.
    We have been deploying 3502 APs remotely to locations with full T1s that backhaul to where I sit at HQ.
    Both the foreign and anchor controller are here at my location.
    I am seeking to rate limit per user the bandwidth each client will get on the guest internet ssid.
    As you know this traffic is encapsulated in CAPWAP between the AP and the controller so I can't use a standard ACL on the switch or router.
    We are trying to keep the guest internet access usage in check on the T1 at any given site so the other SSIDs & local LAN traffic are not overly competing for the bandwidth.
    I found the place to edit the default profiles in the controller but the documentation really isn't clear on best practices.
    So I put it to you my fellow wireless engineers to suggest how you are implementing bandwidth management on your wireless guest internet.
    Thanks guys!
    Oh and here are my hardware & software levels.
    5508wlc - foreign
    4402wlc - anchor
    Software Version
    7.0.230.0

    Amjad,
    Thank you for taking the time to respond as well as the document link.
    It was pretty clear on the steps and what it would impact.
    Two things that push me for a different solution (assuming there is one).
    Note: The values that you configure for the per-user bandwidth contracts affect only the amount of bandwidth going downstream (from the access point to the wireless client). They do not affect the bandwidth for upstream traffic (from the client to the access point).
    As you can see from the above note taken out of the linked document, the role based rate limit doesn't really rate limit the T1 traffic any guest user consumes; it only limits usage from the AP down to the client.
    #1 I am looking for a solution that limits the users up & down streams (if possible) & also before it leaves the AP for the T1.
    The idea is to limit WAN utilization.
    #2 I read in the forums here others asking about the "user role" and saw some comments saying it is not considered "best practice" to use user roles.
    Let me clarify that our guest ssid's are using the http webpage pass through for authentication and it is really only the tic mark to indicate they understand the terms and conditions of using our internet as a guest service. No actual user accounts are used on the guest ssid's.
    ***One last question about this and any other changes***
    Will any change I make be on the "Foreign, Anchor" or both Controllers?

  • Sizing guest anchor controller

    40 locations, around 20-30 APs per location, 1 gig back from each site to the main site, minimizing cost. Trying to size the guest anchor controller. Redundancy is not required. As I understand correctly 4402/4404/5508 controller supports up to around 70 EOP tunnels. My limitation is bandwidth. Is it safe to say that if Internet bandwidth is <100Mbps, then 4402 will suffice? Only if Internet bandwidth was above >1Gbps when I'd need to go to 4404 (bandwidth is used twice, so 1Gbps guest traffic would result at approximately 2Gbps throughput)

    You could always port-channel a 4402 and use LAG on your anchor controller for 2gb.
    I use a 4402-12 for our anchor's as the BW is adequate, and AP license count is not a factor for anchors.

  • Guest ssid with anchor controller and Web policy

    We have a WLC4404 and an anchor controller WLC4402 to provide guest access to the wifi net. We configured both in the same mobility group, and the guest SSID to attach to the mobility anchor 4402. All is working fine until we enable the web policy authentication on the 4402. In this case the client joins the guest SSID but neither gets an IP address from the DHCP server nor goes anywhere. If we disable the web authentication all works fine again. We are running 4.0.206.0 on both WLCs. Can anyone help us?

    Two things you might check. (1) The 4404's mobility anchor should point to the 4402, and the 4402 should anchor to itself. (2) Make sure you are configuring the same security policy for the SSID on both the 4402 and 4404. So if the SSID is "guest" and you turn on web authentication on the 4402, make sure "guest" is on the 4404 with web authentication. We are using a similar setup for guest access at several sites.

  • Guest Anchor Controller DNS issues

    Hi,
    I have an anchor controller (4402) running version 4.0.219.0 in our DMZ.
    The main service we use is a guest service which uses the anchor controller in the DMZ for access to the internet. Authentication is via the WEB re-direct feature. We currently have a subnet assigned to the Guest SSID with a 22 bit mask providing just over 1000 IP addresses to clients.
    Changes required (which were attempted).
    1. Move the dhcp server to a dedicated dhcp server and off the anchor controller.
    2. Increase the address space to /21 thereby providing about 2000 addresses for clients. (By changing the ip address mask on the SSID interface).
    Problems
    The provision of dhcp from the new dhcp server worked fine and clients were able to pick up dhcp addresses when they associated to the wireless SSID.
    The problem was that only some clients were being re-directed to the web-redirect page for authentication. Any clients who were re-directed were able to authenticate correctly.
    Diagnosis
    It appears that only some clients' DNS requests were being passed on from the anchor controller. A capture of packets between the anchor controller and the DMZ firewall did not pick up DNS packets from an associated and connected client even when running DNS queries manually from the wireless client.
    A reboot of the controller did not make any difference.
    Is there any throttling effect on DNS queries which may have been implemented on the anchor controller by default once the subnet mask was increased? I noticed authentication successes of about 1 a minute while normally we would see authentication rates of 1 every couple of seconds.
    Are there any bugs or known reason why an interface mask of /21 would be problematic on the controller?
    We had to roll back the changes to the original configuration in order to bring the service back on-line.

    Hello Eoin
    Where is the external DHCP server? In the same DMZ or on the inside network? We have a /19 subnet allocated to the guests and I don't foresee any throttling on the DNS queries. The connectivity anyway till the anchor controller is on EoIP, and is just like the client connecting onto a local controller.
    Laptops which had issues -> was the problem interim or is it just that they are not able to get the web redirect page at all?
    Check the release notes for any bugs on this software:
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn402190.html#wp170104
    Raj

  • Best place to create the DHCP scope for Guest SSID for remote office connected to HQ Foreign-Anchor controller

    Hi Experts ,
    Need help understanding the best practice to place/create the DHCP scope for a remote site Guest SSID which will be connected to the HQ Foreign-Anchor controller set-up.
    How about internet traffic for the Guest SSID, which one would be recommended:
    1) Guest SSID gets authenticated from HQ ISE and exposed to the local internet
    2) Guest SSID gets authenticated from HQ ISE and exposed to the HQ internet
    Thanks

    Hi George ,
    Thanks for your reply ...So you mean, best design would be to create the DHCP scope into DMZ for guest and let it get exposed to HQ internet ...
    How about if I have another anchor controller in, let's say, another office and I need to anchor the traffic or load balance from the HQ foreign controller? In that case if I create the DHCP scope on the HQ anchor controller and it's down, I will lose the connectivity; how do I achieve fail-over to another anchor?
    Do I need to create secondary scope into another anchor controller and let the client get reauthenticated from other location ISE and get ip address as well from another anchor controller . Is it what you are proposing ?

  • Guest Anchor Controller

    Cisco documentation recommends using a dedicated controller for the guest anchor controller function because it needs to be located in the DMZ. However, if I have spare capacity on an existing controller (i.e. one used to manage APs) then perhaps I can also use it as the guest anchor.  Instead of being physically connected to the DMZ, I would just extend a guest user VLAN from the guest anchor controller to the DMZ.  I would welcome feedback on the validity & security of this alternate solution.
    Thanks.

    Hi Marvin,
    Like anything in networking, there are always different ways to skin a cat. First let's chat about the guest anchor deployment in the DMZ. This particular design is Cisco's most secure way to handle guest access. The wireless guest packet never touches your switch fabric until it hits the DMZ. The packet rides over the guest wifi, hits the AP, gets encapsulated and doesn't get unencapsulated until it hits the DMZ anchor.
    Another, less expensive way is to add a dynamic interface on your internal controller and ride that traffic into the DMZ. I have customers that do this very thing as well. It's cheaper and may be less hassle configuration-wise.
    In this approach, your guest packet gets unwrapped and placed at the doorstep of the WLC.
    I hope this helps.
    Does this make sense?

  • Guest VLAN unable to get DHCP IP address from Anchor Controller

    Hello everybody,
    In our test set up, we have two WLC 5508 Controllers connected via Checkpoint UTM-1 firewall Inside and DMZ Interfaces. Both the WLC controllers are connected to the firewall via Cisco 3750 switch. On the Local (Inside) Controller, guest SSID is enabled and attached to the wireless management Interface. On the remote anchor controller, guest SSID is enabled and attached to the Management Interface as well. The following configs are replicated on both the Controllers.
    SSID Name - guest
    Interface - Management ( VLAN 10 on Local and VLAN 20 on remote) -
    Mobility Group: Same configs at both ends
    SSID Anchor : Anchor SSID on local and local SSID on Anchor.
    AP: CAPWAP 3502 Management Subnet
    SSID Security etc all defaults and matching on  both ends
    Checkpoint Firewall Rules: Allowed 16666-7, IP 97 etc on the firewall
    Checkpoint Inside/DMZ to Outside(Internet) is NAT enabled.
    EoIP Tunnel Status: Up, UP - Both ends
    Mping - OK
    eping - OK
    WLC Software Version on Local - 7.0.98.0
    WLC Software Version on Local - 7.0.116.0
    DHCP Scope: Definitions on Anchor Controller and Guest Anchor SSID points to the Anchor management IP as the Primary DHCP server.
    Management IP Subnet on Local: 10.x.x.x
    Management IP Subnet on Anchor: 172.x.x.x
    The problem definition as follows:
    When guest SSID associates to the local AP, the guest SSID never gets a DHCP address assigned from the Anchor Controller and the following debugs are obtained.
    1. WLAN ID 1 (for Guest SSID Number) delete message appears in the Controller message logs, but the SSID does not DHCP from the local Management Subnet and I can see the DHCP request via the tunnel to the Anchor WLC as follows:
    DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 0, port 13, encap 0xec03)
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54774 (1237665652), secs: 42, flags: 0
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   chaddr: 64:b9:e8:33:2d:13
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to EoIP tunnel
    2. Similar debugs on the Anchor controller yields the following results;
    Cisco Controller) >*DHCP Socket Task: Feb 25 04:30:25.488: 64:b9:e8:33:2d:13 DHCP options end, len 72, actual 64
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 20, port 1, encap 0xec05)
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54778 (1237665656), secs: 52, flags: 0
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   chaddr: 64:b9:e8:33:2d:13
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 20, port 1, encap 0xec05)
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54778 (1237665656), secs: 61, flags: 0
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   chaddr: 64:b9:e8:33:2d:13
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS
    *apfOrphanSocketTask: Feb 25 04:37:49.931: 34:51:c9:59:b1:c7 Invalid MSCB state: ipAddr=169.254.254.148, regType=2, Dhcp required!
    Is there anything missing in the wireless configs and/or the firewall rules, as I could not see a DHCP request back from the Anchor Controller? Also, after DHCP is obtained, the web authentication request will be redirected to an Amigopod device for authentication. In this case is the redirect URL configuration to be performed only on the Anchor Controller or is this to be replicated on both the Local and Anchor Controllers?
    Thanks and Regards.

    The DHCP issue is resolved if external DHCP server is configured on a 3750 switch connected to the WLC and the default gateway for DHCP points to the Firewall, which is in the data path between the Inside and Anchor Controllers. DHCP is essentially bridged (no Proxy setting now) from the EoIP tunnel to the Distribution system network. We will test this solution on pilot production and then consider upgrading to 7.0.116.0, as there are about six offices running 7.0.98.0, which will need to be upgraded. 
    For L3 security, configuration is set up on both the controllers for external captive portal redirection. I will try this only on the Anchor and revert.
    Thanks again very much for all your help.
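The anchor-side debug in this thread shows the same DISCOVER (same xid, rising secs) being bridged to the DS with no reply ever logged. As an added example (not from the original post or from Cisco), this Python sketch parses debug lines in the format quoted above and lists clients whose requests were forwarded but never answered; the second client MAC and the BOOTREPLY line in the sample are constructed by analogy with the BOOTREQUEST line and are assumptions.

```python
import re
from collections import defaultdict

# search() is used so a leading CLI prompt or "*" before the task name is ignored.
LINE = re.compile(
    r"DHCP Socket Task: \w{3} \d+ [\d:.]+: "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) DHCP\s+(?P<body>.+)$"
)
OP = re.compile(r"received op (BOOTREQUEST|BOOTREPLY) \(\d\) \(len \d+,\s*vlan (\d+), port (\d+)")
XID = re.compile(r"xid: (0x[0-9a-fA-F]+) \(\d+\), secs: (\d+)")
GIADDR = re.compile(r"giaddr: ([\d.]+)")
BRIDGED = re.compile(r"successfully bridged packet to (.+)$")

# First seven lines are taken from the anchor debug in the post; the last two
# (client 02:00:00:00:00:01 and its BOOTREPLY) are constructed for contrast.
SAMPLE = """\
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 20, port 1, encap 0xec05)
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54778 (1237665656), secs: 52, flags: 0
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 20, port 1, encap 0xec05)
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54778 (1237665656), secs: 61, flags: 0
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS
*DHCP Socket Task: Feb 25 04:37:01.100: 02:00:00:00:00:01 DHCP received op BOOTREQUEST (1) (len 308,vlan 20, port 1, encap 0xec05)
*DHCP Socket Task: Feb 25 04:37:01.350: 02:00:00:00:00:01 DHCP received op BOOTREPLY (2) (len 308,vlan 20, port 1, encap 0xec00)
"""


def summarize(log_text):
    """Return {mac: summary} for every client seen in the debug text."""
    clients = defaultdict(lambda: {
        "requests": 0, "replies": 0, "max_secs": 0,
        "xids": set(), "vlans": set(), "giaddrs": set(), "bridged_to": set(),
    })
    for raw in log_text.splitlines():
        line = LINE.search(raw.strip())
        if not line:
            continue                      # other tasks, prompts, blank lines
        c, body = clients[line["mac"].lower()], line["body"]
        if (m := OP.search(body)):
            c["requests" if m[1] == "BOOTREQUEST" else "replies"] += 1
            c["vlans"].add(int(m[2]))
        elif (m := XID.search(body)):
            c["xids"].add(m[1])           # one xid repeated = client retrying
            c["max_secs"] = max(c["max_secs"], int(m[2]))
        elif (m := GIADDR.search(body)):
            c["giaddrs"].add(m[1])        # 0.0.0.0 = bridged, not relayed
        elif (m := BRIDGED.search(body)):
            c["bridged_to"].add(m[1])     # "EoIP tunnel" (foreign) or "DS" (anchor)
    return dict(clients)


def unanswered(summary):
    """MACs whose DHCP requests were seen but for which no reply was logged."""
    return sorted(mac for mac, s in summary.items()
                  if s["requests"] and not s["replies"])


if __name__ == "__main__":
    result = summarize(SAMPLE)
    for mac in unanswered(result):
        s = result[mac]
        print(f"{mac}: {s['requests']} requests, 0 replies, waiting {s['max_secs']}s, "
              f"bridged to {sorted(s['bridged_to'])}, giaddr {sorted(s['giaddrs'])}")
```
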

  • Controllers in the same WISM module in the 6500, i'm trying to make one of them anchor controller for guest internet

    I have 2 controllers in the same WISM module and I'm trying to make one of them an anchor controller for the guest WLAN, but when I put the anchor controller in a separate non-routed VLAN and connect it to an outside switch by creating VLAN 192 on the core (the Internet router is connected to the same switch), it is showing path down... (VLAN 192 visitor Internet and VLAN 224 my internal controller management VLAN are not talking)
    There is no routing between these 2 VLANs (because of security), but I can't get the controller to communicate.
    - If I connect my laptop to this switch I'm able to go out on the Internet but my visitor WLAN is not able to get an IP address from the router connected to this switch.
    - I called Cisco and one of the guys told me that I can leave the management in VLAN 224 for the controller to communicate (which they did), but the issue I'm having right now is that my visitors are not getting IP addresses from this VLAN at all.
    Someone please advise.
      vlan192   4/1 vlan 192              int g0/0 192.168.2.201
      6500 ----- switch ---- router---------  (outside)
        |         |   |
        |        DHCP server
       WLC

    A couple of questions, is VLAN 192 allowed across the trunk link to the wlc?  Do you have an interface tagged for vlan 192, with a valid address?  What is providing the DHCP?
    Cheers,
    Steve
    If  this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • AP Groups - Guest Access - Anchor Controller

    Need clarification - I think it does work
    Does the AP Group feature work with the anchor controller guest access feature
    SSID guest --- LWAP -- LWAPP -- Foreign WLC --- EoIP --- Anchor Controller --- VLAN 10 or VLAN 11
    ie
    Guests in Building 1
    SSID guest VLAN 10
    Guests in Building 2
    SSID guest VLAN 11
    Mark

    Hi,
    As far as I know, AP Group only works locally in each controller, and the mapping between SSID and VLAN is done in the anchor controller.
    Therefore, all clients will end up in the same VLAN, even if access points are in different AP Groups in the first WLC.
    Kind regards
    Johan
