Guest Tunneling Problems

Similar Messages

• Guest tunneling security problem

  Hello,
  I configured guest tunneling between 5508 (internal LAN) and 2504 (DMZ) and it works perfectly. However when the tunnel is down guest users are 
  associated to the management interface on the 5508, I only have to configure an IP adress and a default gateway on a guest user to
  be routed on the internal network.....So, there is a security problem in my network architecture.  
  Do you have advice to avoid this problem ? 
  Best regards,
  Thib

  You can create  a "dummy/unrouted" interface on your 5508 & map that to guest SSID instead of management interface.
  HTH
  Rasika
  **** Pls rate all useful responses ****

• WLC Guest Tunnel - client ip address problem

  I can't identify the real ip address from the local wlc if the client associated to the "guest-tunnel ssid", I can only see 0.0.0.0 from the local one. The real ip address appears only on the anchor wlc. Is it correct? And if there is any method that I can identify it from the local one?

  The "real ip" will only show up in the anchor wlc along with other client related info. Since the traffic is tunneled to the anchor, the foreign wlc will not have that info.
  Thanks,
  Scott Fella
  Sent from my iPhone

• WLC Guest Tunnel

  Hi,
  I've some questions about Guest Tunneling, since the docs on CCO is not so complete.
  Right now I've 2WLC4400 Series in a redundant way with 2 WLANs, 1WLAN per AP Group. All the APs are setup as H-REAP node.
  We've to setup a WLC in DMZ so that Guest WLAN traffic will be tunneled from the internal WLC to the DMZ and all is fine.
  The WLAN Guest and the interface should be defined both on internal and DMZ WLC...isn'it? the DHCP Server should be setup in DMZ?
  Then I'll setup the mobility Anchor between WLC#1 internal and WLC DMZ and between WLC#2 internal and WLC DMZ correct?
  What about the AP sice are setup like H-REAP Node with switch port as access?
  Many thanks for helping me find a solution

  Hi fella,
  Tnx a lot for the useful infos...are you sure??? maybe i'm missing a piece of the puzzle...let's do a resume:
  - My APs on different IP Subnet are configured as H-REAP nodes
  - my internal WLCs are configured with more WLANs to do central AUTH and LOCAL switching
  - my WLANs since are in H-REAP mode are mapped the to AP-Manager interface of the WLC
  - the WLC in DMZ, behind a Firewall, is configured with mobility group to be "in the same one" with the internals WLCs
  - the Guest WLAN, defined on internal and external WLCs is mapped to AP-Manager IP to be LWAPP Tunneled (central Switching) and spread on all my APs
  - the Guest WLAN will be anchored from the internal WLCs to the external one.
  So basically one WLAN client which will connect to Guest WLAN, all traffic will be LWAPP tunneled from AP MGMT IP to WLC AP-Manager IP and then, since this WLAN is anchored to the DMZ WLC, the traffic will be EoIP tunneled to this WLC where is active an DHCP Server.
  After the client is receving an IP Address from the WLC's DHCP Server the Firewall in front of the WLC will be block all the access to the internal IP subnet and permti only to be routed to the external of the enteprise...
  Am I wrong with something?
  Thnxxxxx

• Anchor Eiop tunnel problem 5.2

  Hi,
  were using two dmz WLCs for "guest-Access" - one is designated for an Hotspot and one for a direct dmz access. The internal wlc uses the management-interface as interface in the wlan-config and the internal wlc has all accesspoints directly connected and have the same configuration as the dmz wlcs and both ssids are active. Between the inside and outside wlcs we have differend subnets routers and also checkpoint firewall clusters - but no NAT. All Wlcs are in the same mobility group.
  The problem is, that under some condition the mobility feature hangs up ! The internal WLC authenticates the client and give him full access (including IP) but the client can not ping or connect to any device behind the eiop tunnel.(in the DMZ) That problem occurs to both DMZ WLCs. On the wcs i can see that there was a short interrupt of the ancor-tunnels but the alarm disappears. While the client can't forward any traffic a debug mobility or an mobility ping works fine and shows no problems (a lot of keepalives from all wlcs)! The only way to get the tunnel working for traffic-forwarding is to reboot the external wlcs in the DMZ. Rebooting the internal won't help!
  Do you have any information or suggestion what can causes that kind of problem ? Is there any debug command wehere i can detect the problem ?
  Thanks, Dennis

  I am just wanting to verify that all controllers are on the same version of code. A mismatch between an older 5.1 controller or before my result in a problem establishing the tunnel because of the 2 different protocols being used to talk between the AP and the controllers. 5.1 and before is LWAPP 5.2 and later is CAPWAP I believe.

• VPN tunnel Problem

  Hi all ,
  I need create VPN tunnels between two  ASAs devices . And these devices are connected through DSL . And as you know in this case we use private outside IP address , because there is  a NAT device at the outside . The problem is that no VPN tunnel is created even though all the parameters and the pre-shared-key are typical .

  I hve allready configured following configuration.
  no crypto map newmap interface outside
  no crypto map newmap 171 set peer 195.11.199.144
  no isakmp key ********* address 195.11.199.144 netmask 255.255.255.255 no-xauth no-config-mode
  crypto map newmap 171 set peer 195.11.204.5
  isakmp key ******** address 195.11.204.5 netmask 255.255.255.255 no-xauth no-config-mode
  clear crypto ipsec sa
  clear crypto isakmp sa
  crypto map newmap interface outside
  Setting were applied successfully however Still VPN tunnel is not been initiated.

• Tunneling Problem using HttpsUrlConnection

  Hi,
  I had gone through forums regarding this topic and still i am facing the same problem using the HttpsUrlConnection. We are working behind a proxy so we have to make a proxy authorization if we want to connect to a server in the internet.
  But in case of HttpUrlConnection, everything works
  fine. But if we do the same with a HttpsUrlConnection, the authentication fails. It throws an IOException
  with the message
  Unable to tunnel through 192.9.100.10:80.
  Proxy returns "HTTP/1.1 407 Proxy authentication required"
  Sample code as follows,
  The following code doesn't have any problem becos it works fine with HttpUrlConnection and also it is working without proxyserver for https as well.
  This is running under MSVM.
  I don't want to use SSLSocketFactory and i need to use following layout(i.e only with Httpsurlconnection)
  Is there any way to make work with proxyserver? Or can't we do this at all?
  System.setProperty("proxySet","true");
  System.setProperty("https.proxyHost","proxyIP");
  System.setProperty("https.proxyPort","80");
  OutputStream os = null;
  OutputStreamWriter osw = null;
  InputStream is = null;
  InputStreamReader isr = null;
  BufferedReader br = null;
  URL url;
  String line = null;
  System.setProperty("java.protocol.handler.pkgs","com.sun.net.ssl.internal.www.protocol");
  Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
  String login = proxyUserName+":"+proxyPassWord;
  String encodedLogin = new sun.misc.BASE64Encoder().encode(login.getBytes());
  url = new URL("https://www.verisign.com");
  HttpsURLConnection con = null;
  con =(HttpsURLConnection) url.openConnection();
  con.setRequestProperty("Proxy-Authorization", encodedLogin);
  con.setRequestMethod("GET");
  con.setDoOutput(true);
  con.setDoInput(true);
  con.setUseCaches(false);
  con.connect();
  os = con.getOutputStream();
  osw = new OutputStreamWriter(os);
  osw.write("SampleMsg");
  osw.flush();
  osw.close();
  is = con.getInputStream();
  isr = new InputStreamReader(is);
  br = new BufferedReader(isr);
  while ( (line = br.readLine()) != null)
       System.out.println("line: " + line);
  Can any one help me regarding this?I need a reply very urgently.
  Thanks,
  Prabhakaran R

  Hope this help.
  Note to change the properties to fit your system, and use the supported package ( JSSE, JRE1.5.......).
  You can use URLConnection for both HTTP or HTTPS protocol.
  import java.io.*;
  import java.net.*;
  import java.security.*;
  import java.util.*;
  import javax.net.ssl.*;
  public class testSSL9 {
  public testSSL9() {
  byte[] data = httpConnection();
  System.out.println(new String(data));
  public static void main(String[] args) {
  Properties sysprops = System.getProperties();
  Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
  // sysprops.put("java.protocol.handler.pkgs",
  // "com.sun.net.ssl.internal.www.protocol");
  sysprops.put("java.protocol.handler.pkgs",
  "javax.net.ssl.internal.www.protocol");
  sysprops.put("javax.net.ssl.trustStore",
  "D:/jdk1.4/jre/lib/security/cacerts");
  sysprops.put("javax.net.debug", "ssl,handshake,data,trustmanager");
  sysprops.put("https.proxyHost", "172.16.0.1");
  sysprops.put("https.proxyPort", "3128");
  sysprops.put("https.proxySet", "true");
  sysprops.put("http.proxyHost", "172.16.0.1");
  sysprops.put("http.proxyPort", "3128");
  sysprops.put("proxySet", "true");
  testSSL9 testSSL91 = new testSSL9();
  private byte[] httpConnection() {
  try {
  URL url = null;
  // String strurl = "https://www.verisign.com";
  String strurl = "https://central.sun.net";
  // String strurl = "http://www.yahoo.com"; --> use: HttpURLConnection
  url = new URL(strurl);
  HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
  HttpsURLConnection.setFollowRedirects(false);
  connection.setDoOutput(true);
  connection.setDoInput(true);
  connection.setUseCaches(false);
  connection.connect();
  InputStream stream = null;
  BufferedInputStream in = null;
  ByteArrayOutputStream bytearr = null;
  BufferedOutputStream out = null;
  try {
  stream = connection.getInputStream();
  in = new BufferedInputStream(stream);
  bytearr = new ByteArrayOutputStream();
  out = new BufferedOutputStream(bytearr);
  catch (Exception ex1) {
  System.out.println(ex1);
  System.out.println("Server reject connection...sory");
  int i = 0;
  while ( (i = in.read()) != -1) {
  out.write(i);
  out.flush();
  stream.close();
  in.close();
  bytearr.close();
  out.close();
  return bytearr.toByteArray();
  catch (Exception ex) {
  ex.printStackTrace();
  return null;
  }

• Oracle 9i Web Services Quickstart Install TCP tunneling problem

  When I try to run the OTNGUIDGenerator example using the TCP Tunneling portion of the Oracle 9i Web Services Quickstart
  Install I get this in the From localhost8900 tunnel window:
  <?xml version='1.0' encoding='UTF-8'?>
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Body>
  <ns1:getGUID xmlns:ns1="oracle.otn.ws.emarket.OTNGUIDGenerator" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  </ns1:getGUID>
  </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
  I get this in the From 127.0.0.1:8888 window:
  HTTP/1.1 404 Not Found
  Date: Mon, 28 Oct 2002 20:38:06 GMT
  Server: Oracle9iAS (9.0.2.0.0) Containers for J2EE
  Content-Length: 171
  Connection: Close
  Content-Type: text/html
  <HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>404 Not Found</H1>Resource /j2ee-web/oracle.otn.ws.emarket.OTNGUIDGenerator not found on this server</BODY></HTML>
  This is my webservices stub
  public class OTNGUIDGeneratorStub
  /** public String endpoint = "http://otn.oracle.com/ws/oracle.otn.ws.emarket.OTNGUIDGenerator"; */
  public String endpoint = "http://127.0.0.1:8900/j2ee-web/oracle.otn.ws.emarket.OTNGUIDGenerator";
  private OracleSOAPHTTPConnection m_httpConnection = null;
  public OTNGUIDGeneratorStub()
  System.setProperty("oracle.soap.transport.noHTTPClient", "true");
  m_httpConnection = new OracleSOAPHTTPConnection();
  Properties props = new Properties();
  /** props.put(OracleSOAPHTTPConnection.PROXY_AUTH_TYPE, "basic");
  props.put(OracleSOAPHTTPConnection.PROXY_HOST, "proxy.scott.af.mil");
  props.put(OracleSOAPHTTPConnection.PROXY_PORT, "375");
  props.put(OracleSOAPHTTPConnection.PROXY_USERNAME, "fowlerji");
  props.put(OracleSOAPHTTPConnection.PROXY_PASSWORD, "F1234567*g"); */
  m_httpConnection.setProperties(props);
  Not sure what to call the server - this works okay when I'm not using tunneling and using our proxy server??

  I think your problem is that you have a proxy user/password and the TCP Monitor (both the command line and built-in 9.0.3 version) do not support that - they only support specification of the proxy server itself :-(
  It is a feature request that I hope will make it into the late spring/early summer release of JDeveloper - I wrote it up as a request based on the number of folks who faced this issue with these tutorials.
  Mike.

• Guest Cert problems ISE and Anchor WLC

  I'm setting up new Guest Wireless, I have 2 internal foreign 5508 WLC's talking to 2 DMZ anchor WLC's. The guest connects to Guest SSID and the anchor controllers acts as a DHCP server, the Guest interface configured on the WLC is the in the range of the DHCP scope I've setup. The DHCP scope is using the anchor WLC Mgmt interface as the DHCP server.
  Guest SSID - is setup for Webauth and Guest is redirected to the ISE server https://wlc.company.com/login...., when the page is presented to the Guest they get cert problem because the cert is not trusted (its an Internal Cert), Guest logins in ok and the AUP says "cert not trusted" 1.1.1.1 name of the WLC wlc.company.com.
  In the browser Guest has https://wlc.company.com/loginredirecthttps://1.1.1.1........
  1.1.1.1 is the Virtual interface of the Anchor WLC.
  How can I get the client to stop using the Virtual Interface for cert. Why is the WLC doing this? I gather something to do with DHCP?
  My plan is to apply a External Cert on the ISE for Guests, that way they will automatically trust a cert from Geotrust for example. But I'm going to still run into this Cert "not trusted" problem where the Guest is not trusting the WLC anchor  Virtual Interface 1.1.1 . Why is the guest using the Virtual interface error 1.1.1.1. I've even added the ISE name of the cert to the Virtual interface, same problem, instead its just says  wlc.company.com not trusted. I have also imported the cert onto the WebAuth cert on anchor WLC, still doesn't work.
  Hopefully I've explained this ok.....any ideas? but if the Guest page keeps getting presented with
  https://wlc.company.com/loginredirecthttps://1.1.1.1........ it will never work.

  I followed Richard's advice and started from scratch, removing LWA and implementing CWA -MAB. It didn't take too long to setup CWA and get authentication working, I appled a Preauth ACL on WLC's and on ISE under Authorization pofile (CWA)
  This is when the problems started happening, I was using the default ISE Authorization profile
  cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cwa.which is not what I want, again the certificate is the server cert which is not an external Cert that the guest wants to see. The user can login fine, unlike LWA, with Firefox or IE it would accept the cert and login so at least I had a working Guest wifi solution. Though there was a cert error symbol at the end of the browser url.
  The next step I tried was to change the Authorization Profile to
  (wireless.company.com which is a C-NAME for ISE box and has this Alias in the cert, this was a test before I apply the external cert)
  cisco-av-pair = url-redirect=https://wireless.company.com:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cwa
  I applied the change and the new page appeared on the users laptop, great, but this time users were declined access via live Authentications, reason "Cannot login due to session id expiry, please login a again", I created a new user a/c, same problem. Not good. Ok so I thought well if I want clear all these stale session id's that appartenly exist I'll stop/start the application which I did from the command line, still the same error "Cannot login due to session id expiry". hmmm, whats going on here.
  I then rebooted the ISE (this must clear all the sessions!), reboot I performed from home and now for some reason I cannot login to the ISE front end GUI with the admin account or my account. Tried resetting the GUI password for admin and other admin users, the message "Error: cannot reset password this can only be performed on Standalone or Primary node" Well what have I done, just rebooted ISE nothing else apart from changing authorization profile. This box is a Standalone node. Without seeing if the clients connect due t no GUI access, I have referred this issue to TAC!
  Also I don't like the fact that your have to install a external cert against the internal node name, epsecially when its external. But again I haven't reached this part yet.

• ISE Guest User problem

  Hi Guys,
       I got a problem about Guest user after create guest account from ISE sponsor. When i try to login with guest user on Web authen (WLC) it show login error and the message on ISE is  Authentication failed                                                                                 : 24206 User disabled
  Failure Reason > Authentication Failure Code Lookup
  Failure Reason :
  24206 User disabled
  Description
  User marked disabled in Internal database.
  Resolution Steps
  Check whether the user account in Internal database is enabled
  I would like to know, how to enable the guest account? What i missed configuration?

  Hi dsdavid,
       Do you use ISE with WLC? If yes, you need to configure ISE as External Web Auth at WLC?
      WLC
      Security > Access Control List
            Allow traffic from Client to ISE
       * If you have firewall or ACL on Core switch between WLC and ISE, you have to allow traffic Client to ISE too.
      Security > Web Auth > External Web Auth
       Web Authentication Type : External
       Redirect URL after login : Up to you
       External Webauth URL : https://:8443/guestportal/Login.action
       WLAN > Security > Layer 3
       - Check Web Policy > Authentication
       - Pre-Auth ACL > Choose ACL which you pre-define at Security > Access Control List
       WLAN > AAA Servers
       - Choose Authentication Server as ISE
       WLAN > Advance
       - Check Allow AAA override

• Guest tunnel/auto-anchor from 2100 to 4400 WLC

  We’d like to extend our current Guest LAN from a 4400 WLC in our data center to a 2100 WLC located at a remote facility. However, we cannot get the foreign controller to pass traffic to the anchor controller – or so it seems. The catch is that we’re not actually trying to extend the SSID itself to provide wireless access, but instead flub it so that we can provide local wired access tunneled to the Guest LAN on the anchor WLC. I’m not entirely sure if this is possible, because I’ve read that before the EoIP tunnel will come up a guest client must associate to the foreign WLC.
  We’ve followed the instructions we could find that go over setting up this type of scenario, but unfortunately they only cover setting up back-to-back 4400 controllers and as such, some functions described (notably being able to create a Guest LAN) are not possible on the 2100. We haven’t been able to find a clear and concise guide on the scenario we want to set up.
  Here’s some detail:
  Mobility group is up/up between both WLCs. Both WLCs are running 6.0.x code.
  Anchor WLC – 3750G-24WS-S25 (a 4400 WLC w/ integrated 3750G-24)
  Guest LAN WLAN “wired-guest” created; Ingress is “none” and Egress is our existing “dirtnet” – i.e. outside access. The “dirtnet” interface is *not* a Guest LAN interface. Mobility anchor is set as local.
  Remote WLC – WLC2106
  WLAN “wired-guest” created; Interface is “wired” w/ an IP address on the same subnet as the anchor “dirtnet” and associated with port 2. Mobility anchor is set to the anchor WLC and is up/up. I have a laptop connected to port 2 with a statically assigned IP address on the same subnet as “dirtnet.” I am able to ping the local port 2 address, but I can’t ping across the tunnel to the anchor WLC. I also cannot ping the anchor WLC "dirtnet" interface from the foreign WLC’s Ping tool.
  Are we missing something?

  Sean,
  Wired guest access is not supported on WLC2106.
  Reference:
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml#configs
  Please consider using a WISM, WLC4400, 3750 integrated WLC or a WLC5500

• Guest login problem

  When trying to access public wifi hotspots, if the hotspot requires a login the consists of "accepting terms and conditions, blah blah" my login screen just stays white.  The phone keeps trying to gain access.  If I am using my macbook I can log in to the site with no problems.  It quickly brings up the login screen, I accept the conditions and start surfing.
  If the "guest wifi" doesn't require a login then the phone works fine.
  One of these sites is the hospital that I'm going to spend at least two weeks in starting Monday and I would love to use my iPhone and not bring my Macbook.

  Is it all sites that require login, or on one? I use a lot of sites that require login, and I do not have this problem. If it requires login normally the login screen appears when I first connect, but if it doesn't I open Safari and go to any bookmark and it appears.
  Go to Settings/Safari and make sure you have Javascript ON and Accept Cookies set to Always or From Visited. If they are already on try clearing cache and cookies.

• Virtual Box 4.0.8 Windows Host - Guest Additions problem

  Hi,
  I have installed Virtual Box 4.0.8 with host O/S Windows 7 Home Premium 64 bit Processor AMD Phenom II x6 and enabled the VT.
  I installed OEL 5.6 and 6.1 guests (both x86_64 version).
  But when I installed Guest Additions, nothing happened and only showing maximum resolution *1024x768.*
  I never had this problem before with my older machine and older version of Virtual Box.
  is this known issues? is this cause by the VT or conflict with the graphic card?
  Any advice appreciated
  thanks
  Lie

  This would be better addressed on the VirtualBox forum.   see https://www.virtualbox.org/

• Reverse SSH Tunnel problem?

  I'm trying to do a reverse SSH tunnel for a VNC project. I'm successful when I do it on a Linux box or Cygwin under Windows, but I'm having problems under Mac OS.
  Here's what I do:
  Terminal 1:
  ssh -nNTvvv -R 5500:localhost:5500 -l my_username myhost.com
  Then, to see what's going on, I run in terminal 2:
  nc -l -p 5500
  Then, in a third terminal, I ssh over to myhost.com, and telnet to localhost 5500.
  If I initiate this whole setup on other platforms, I can then type stuff in my in the third terminal and see it echoed happily in terminal 2.
  Under Mac OS, everything goes fine until I do the telnet on myhost.com. The diagnostic in terminal 1 is:
  debug1: channel 0: new [::1]
  debug1: confirm forwardeded-tcpip
  debug3: channel 0: waiting for connection
  debug1: channel 0: not connected: Connection refused
  It's not a firewall issue, as I can telnet directly to port 5500 on the Mac from myhost.com without any problem.
  Google gives me no help here. Any ideas?
  Thanks!
  12" G4 Powerbook   Mac OS X (10.4.8)  

  Figured it out - did a no ip ssh v 2 and hey presto started working

• Tunnel Problem

  I'm trying to simulate a tunnel through a service provider:
  I have 3 Routers, which are connected with static routes and are all pinging each other other through serial and fastethernet interfaces.
  Router 1 and Router 3 are acting as tunnel endpoints. Router 2 is service provider.
  Configurations:
  Router 1 Loopbacks:
  192.168.2.0
  192.168.3.0
  192.168.4.0
  Router 3 Loopbacks:
  192,168.13.0
  192.168.14.0
  Router 1 and 2: 192.168.8.1 255.255.255.252
  Rouer 2 and 3: 192.168.9.1 255.255.255.252
  Tunnel is: 10.40.40.1 on R1
                 10.40.40.2 on R3
  Router 1:
  Interface Tunnel 0
  Tunnel Source: 192.168.8.1
  Tunnel Destination: 192.168,9.2
  ip route 192.168.9.2 255.255.255.255 192.168.8.2
  router eigrp 1
  network 192.168.2.0
  network 192.168.3.0
  network 192.168.4.0
  Router 3:
  Interface Tunnel 0
  Tunnel Source: 192.168.9.2
  Tunnel Destination: 192.168.8.1
  ip route 192.168.8.1 255.255.255.255 192.168.9.1
  router eigrp 1
  network 192.168.13.0
  network 192.168.14.0
  After these configurations I see on both routers 1 and 3 the Tunnels are in up/up and I can ping 10.40.40.1 to 10.40.40.2, but no eigrp router are coming up, what is the problem ??? Is the source and destination ip addresses correct, are my ip route statics correct ?? Please help.
  Thanks,
  Sergei.
  After this configuration I see my Tunnel on both Roter

  Sergei,
  Add the tunnel network into your Router EIGRP 1 statements in router 1 & 3. I believe that should do the trick.
  router eigrp 1
  network 10.40.40.0