Guest Vlan - WLC

Hello
Which tool can help in getting historical data for a Guest VLAN configured on a WLC? I.e.:
How long the guest was connected.
How many times he was connected.
Traffic summary for each connection (transferred / received size).
Top 5 sites visited by the guest.
thanks
CP

Using WCS: running the detailed client reports, we will get this information.
Regards
Surendra

Similar Messages

  • Multiple Guest VLANs and Shared WLC

    Hi,
    I would like to add a second Internet ASA5xx gateway to our guest anchor wlc in the DMZ, which is connected to a guest vlan switch, so that the guest anchor wlc can connect guest users to two separate Internet gateways (i.e. guest vlan1 and vlan2). Two guest wireless networks are created in our environment, say SSID1 and SSID2, each anchoring to the guest WLC in the DMZ by Internal wlcs. I want to assign a different ip subnet to the two guest wireless SSIDs, say 10.251.255.0/24 and 10.251.256.0/24, to be provided by DHCP servers in the two ASA5xx.
    I want to implement this by creating a second guest vlan interface in the guest anchor wlc and assign/connect this to the new ASA5xx box for the second Internet gateway. The second guest wireless SSID will be homed/anchored to this guest vlan2.
    Please advise how best I should implement this.
    many thanks
    Sankung   

    It sounds like you already have this done.  You have the second SSID already, you would need to create the second interface with the appropriate VLAN tag and subnet range.
    Then on the internal, anchor the SSID to the same SSID in the DMZ.
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html#wp999843
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • Guest VLAN - FlexConnect Central Switching vs Anchor WLC

    I have a general question about securing the guest WLAN in FlexConnect deployment -
    Option 1: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC and the guest VLAN is trunked from that WLC to the firewall DMZ through a switch
    Option 2: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC but tunneled to an anchor WLC in DMZ
    Option 3: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC and an ACL is applied to the Guest interface/VLAN in the WLC itself
    What would be the best option in the FlexConnect Centralized WLC deployment to restrict guest traffic from accessing the corporate network? What are the advantages and disadvantages of those three options?
    I would highly appreciate your input on this topic.
    Thank you.

    Yes, you're right.
    Once anchor/tunnel goes down, all the L3 services will be initiated for guest wlan from the Foreign until the Anchor comes up.
    On Anchor down situation - Need to configure the foreign WLC's guest wlan mapped to dummy interface, this way guest clients will have no network access.
    If multiple Anchors are mapped to the datacenter's foreign on the guest wlan then the guest users will tunnel the traffic to available anchor, by default it'll round robin among anchors.

  • Connect an AP to a Guest Anchor WLC?

    We have two WLC 5508 and one foreign guest anchor WLC at the primary data center, also a 5508 box. I would like to connect an AP directly to the guest anchor WLC through its guest VLAN interface, so that the same configuration is applied to it as other APs connected to frontend WLCs connecting users.
    Would this work or should I create a separate interface on the guest anchor WLC to connect the local AP?
    Thanks
    Sankung

    Not a best practice, but as long as your AP is just for guest traffic it would be fine. If you also want to have it like your other APs and have other SSIDs, then I wouldn't do that, since you have to poke holes in your firewall to allow traffic inside unless you do a reverse anchor to the foreign WLC. You might be better to just use FlexConnect and AP Groups and have the AP terminate to the foreign WLC, but I don't know your setup.
    Sent from Cisco Technical Support iPhone App

  • Guest VLAN cannot ping gateway

    Hi Sir,
         I have an issue wherein my guest vlan cannot ping its gateway, thus it can't go through the web auth page. I have been given an IP address with corresponding gateway, subnet and DNS for the guest vlan. I have allowed all the vlans in the trunk port for the wlc and ap connection.
         What do you think is the problem? Hope you could help on this.
    thanks.
    Regards,
    Neri

    Hi Neri
    The way this should work is that the client connects to the guest network and gets an IP address from DHCP. The DHCP configuration should include the default gateway and must include a DNS address.
    When the client opens a web browser the browser tries to connect to the configured home page. This means that a DNS lookup is sent out and the controller intercepts it and forwards it on. Providing there is a response from the DNS server the controller will cause the client browser to re-direct to the web authentication login page.
    It is therefore essential that the controller can see the DNS server. Forget the PING for now - DNS is a must. You can prove the rest of the system by ensuring the guest client has an IP address. Open the client browser and try and connect to http://1.1.1.1 (assuming your virtual interface on the controller is 1.1.1.1). If you get re-directed to the web authentication login page then the issue is a DNS issue.
    Regards
    Roger

  • Flexconnect on VRF guest vlan

    Hi all, I have a multi site customer with a vrf guest vlan in any site.
    Now I have to place a WLC on the HQ to manage all the wifi for HQ and other office, all the APs in the remote sites are in flexconnect mode.
    On the VLAN mapping for AP I set the correct guest vlan for every AP/site but the guest network over vrf seems not working properly.
    For the AP in the HQ if I turn off flexconnect and use the AP in local mode the vrf guest works well (using the internal DHCP of WLC).
    Anyone have tried a config like this?
    Thanks

    Cool, we fixed our DHCP issue; it was related to how we had several APs advertising the SSID. One was transmitting at a higher power than the other, plus it had no DHCP assigned to the interface. The weaker transmitter did, so it would ping pong to the stronger signal and back to the weaker. LOL

  • HQ and Remote Wired Guest VLAN

    Hello all,
    I am having trouble to create a standard condition for Policy Authorization.  Basically there are HQ and remote locations configure for guest access.
    Each location has its own guest vlan.  On ISE the standard rule are:
    Standard Rule 1 if Unknown AND Wired_MAB then Guest_Access
    This rule is working good for HQ.
    Standard Rule 2 if (Unknown OR MTL_Devices) AND Wired_MAB_MTL_Guest then Montreal_Guest
    This rule is designed for remote but Standard rule 1 is taking over because first match is applied and since the OR condition may cause some problem
    with internal users since the condition is Unknown OR MTL_Devices.  There is no AND condition for this.
    Let me know if anyone has idea or have solved this problem.
    Thank you.

    Hi,
    You need to change the order of your rules, ISE uses the first matched rule from top to bottom, in your case the MTRL is matching the first rule since it is more open than the rule below which has the check for the network device.
    Please change the order and see if this fixes your issue; if this doesn't work, post a screenshot of your policies just to make sure we are on the same page.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
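
The first-match evaluation described in the answer above, as an added example that is not part of the original thread and is not ISE code. It assumes `Wired_MAB_MTL_Guest` means wired MAB plus a check that the request comes from a Montreal network device; the `nad_location` attribute, the `DenyAccess` default and all sample sessions are constructed for illustration.

```python
"""First-match authorization policy evaluation (added illustration, not Cisco ISE code)."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Session:
    label: str            # constructed name for the sample endpoint
    identity_group: str   # "Unknown", "MTL_Devices", ...
    wired_mab: bool       # True when the request is wired MAB
    nad_location: str     # assumed attribute: site of the switch sending the request


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Session], bool]
    result: str


def wired_mab(s: Session) -> bool:
    return s.wired_mab


def wired_mab_mtl_guest(s: Session) -> bool:
    # Assumption: the Montreal condition adds a network-device check to Wired_MAB.
    return s.wired_mab and s.nad_location == "Montreal"


RULE_1 = Rule("Standard Rule 1",
              lambda s: s.identity_group == "Unknown" and wired_mab(s),
              "Guest_Access")
RULE_2 = Rule("Standard Rule 2",
              lambda s: s.identity_group in ("Unknown", "MTL_Devices")
              and wired_mab_mtl_guest(s),
              "Montreal_Guest")


def authorize(policy: List[Rule], s: Session, default: str = "DenyAccess") -> str:
    """Return the result of the first rule that matches, evaluated top to bottom."""
    for rule in policy:
        if rule.condition(s):
            return rule.result
    return default  # assumed catch-all when no rule matches


def order_sensitive(policy: List[Rule],
                    samples: List[Session]) -> List[Tuple[str, str, List[str]]]:
    """Sessions matched by more than one rule: (session, winning rule, shadowed rules)."""
    report = []
    for s in samples:
        hits = [r.name for r in policy if r.condition(s)]
        if len(hits) > 1:
            report.append((s.label, hits[0], hits[1:]))
    return report


# Constructed sample sessions.
SAMPLES = [
    Session("hq_guest", "Unknown", True, "HQ"),
    Session("mtl_guest", "Unknown", True, "Montreal"),
    Session("mtl_device", "MTL_Devices", True, "Montreal"),
    Session("hq_employee", "Employees", False, "HQ"),
]
BY_LABEL = {s.label: s for s in SAMPLES}

ORIGINAL = [RULE_1, RULE_2]    # order from the question: general rule first
REORDERED = [RULE_2, RULE_1]   # order from the answer: specific rule first

if __name__ == "__main__":
    for title, policy in (("original", ORIGINAL), ("reordered", REORDERED)):
        print(title)
        for s in SAMPLES:
            print(f"  {s.label:12} -> {authorize(policy, s)}")
        print("  order-sensitive:", order_sensitive(policy, SAMPLES))
```

Running `order_sensitive` over a policy before changing it shows which endpoints change authorization result when two rules swap places.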

  • Guest Vlan on unmanaged network

    I've bought some unifi wifi access points which I want to add to our network. We use a mix of cisco and netgear switches (I'll be phasing out the netgears over time). I'd like to make a guest vlan for the wifi, I'm just not sure how is best to do it, there are some details on a possible setup here.
    At the moment we have an unmanaged network so everything is using vlan1
    We use 2 Cisco Pix 515e firewalls (one as backup), they go directly to a switch, then we use a Windows server for DHCP. The config for the firewall (fw1) interface that connects to a switch is:
     speed 100
     duplex full
     nameif inside
     security-level 100
     ip address 192.168.135.248 255.255.192.0 standby 192.168.135.249
    on the switch it connects to called sw1 (C2950-I6Q4L2-M) the port is configured like so:
    interface FastEthernet0/15
     switchport mode trunk
     switchport nonegotiate
     speed 100
     duplex full
    Port Gi/02 connects to the next switch which is a netgear GS748T (sw2) which then connects to various other switches
    interface GigabitEthernet0/2
     description Netgear GS748T
     switchport trunk allowed vlan 1-4
     switchport mode trunk
     switchport nonegotiate
     speed 1000
     duplex full
     flowcontrol receive desired
    (There are some other vlans created, not sure what they are for yet, I'm new here!)
    We've just bought a Cisco WS-C3650-24PS - sw3
    I was thinking of only plugging in the wifi access points into cisco switches only and creating a Vlan - Vlan20 and only allowing Vlan20 to specific ports if this is possible?
    I'm a beginner at this so the theory is there but not sure how to execute it!
    I'm thinking on the firewall fw1
    eth2
     speed 100
     duplex full
     nameif guest
     security-level 90
     ip address 192.168.0.248 255.255.255.0 standby 192.168.0.249
    on sw1 connect Gi0/2 to sw3 Gi1/1/1
    config to be
    switchport trunk allowed vlan 20
    switchport mode trunk
    switchport nonegotiate
    speed 1000
    duplex full
    sw3 will already have vlan1 going to it as part of the unmanaged network as it is connected to another switch on another port already.
    So my question is how do I setup the dhcp server on sw3 for vlan20 (192.168.0/24)
    And how would both vlans get sent to the wifi access points which are patched into sw3 but without vlan 20 traffic being sent other ports which do not have the ap's connected to them? I would also like to allow vlan20 to another cisco switch.
    Or if is the wrong way of doing it let me know a better solution
    Apologies in advance if this is not making much sense!

    I actually use UniFi APs in our environment too, great little APs as long as you buy the Pro models (the standard ones have their shortfalls).
    I think your PIX config looks good (it's been a while since I've touched one so I'd have to login to the 525 I have at home to confirm) Just ensure it's configured to disallow traffic from your guest VLAN to the internet network, if memory serves there's an option that's on by default to disallow traffic from a higher security if to a lower.
    It may be better to configure Sw1/0/2 and Sw3/1/1/1 with all of your VLANs, if you want redundancy you can create a LAG between the two with multiple ports. If you use different links for different VLANs and down the road something happens and both of those ports become active on the same VLAN (I/E you or someone else forgets that you're using different uplinks for different VLANs) if STP isn't setup properly you'll create a loop on that VLAN potentially flooding the network with broadcast traffic.
    As for the UniFi config, you configure the ports that the APs connect to as trunks, I assume you'll be managing the APs over VLAN 1 so the ports should be VL1 untagged, VLAN 20 tagged.
    The UniFi Controller software is used to set up and manage the APs; if you haven't already done so, install it. Once you have it installed you want to create two SSIDs: one without VLAN tagging enabled, which will be your internal SSID, and another with VLAN tagging enabled for VL20, which will be your guest SSID. This way when a client connects to the Guest SSID the AP(s) will tag their traffic VLAN 20, so on ingress to SW3 the traffic will be tagged with the correct VLAN.
    The attached is a screen from my UniFi guest SSID config, you can also assign guests to a user group, which allows you to limit the bandwidth at the AP.

  • Mobility Group Requirements for Guest Anchor WLC

    Hello -
    I've always assumed you can't create a guest tunnel between a local WLC and an anchor WLC that are in different mobility groups. However, I was told recently (without much detail) that this is possible. So I have set out to test this.
    I am trying to point one of my local WLC's guest SSIDs to a guest anchor WLC in a different mobility group. I have a maintenance window coming up and I am looking to anchor the clients on one campus to the anchor WLC on the other campus so guest service does not go down. Each campus is its own mobility group. In trying to set this up I went to the "mobility anchors" screen for the guest SSID on one of the local WLCs and I am unable to add the anchor WLC from the other campus because it's not in the drop-down menu. This is because it's not in the same mobility group. So my question is how do I anchor clients coming through a local WLC in one mobility group to an anchor WLC in another mobility group?
    To me it doesn't seem possible without significant configuration changes.   I don't want to reconfigure/recreate mobility groups. 
    Thanks
    Chuck

    Not only is it possible, I would recommend it. However, you may be confusing some concepts.
    The Mobility Group is different than the Mobility Domain.  I generally refer to the Mobility Group as those WLCs with the same Default Mobility Group Name, and the Mobility Domain as the entire Mobility List (where you can define up to 72 controllers from various mobility groups).
    The point is that if WLCs 1-10 are GroupA, and WLCs 11-20 are GroupB, for anchoring to work you at least need to add the anchor to the mobility list of the foreign wlc, and vice versa.
    If you notice, when you add a mobility entry to the list, it should ask you for mobility group. If you leave it blank, it should default to that of that WLC,  but on GroupA controllers, you could define GroupB controllers (and specific GroupB) and then you should now have mobility established between your controllers and the Anchor configuration will have your anchors in the drop-down....
    Does that make sense?

  • 802.1x Auth-Fail VLAN and Guest-VLan not available

    Hi Pros,
    Having an issue with an 881 I have recently acquired. I'm wanting to setup a Virtual Office scenario. Everything is working fine except for 802.1x...
    I can get the 881 to authenticate things connected to it, but I don't have the options of guest-vlan or auth-fail vlan.
    Idea is if the user takes the router home and someone, either accidentally or on purpose, connects an unauthorized laptop, they stay off the Corp network but can get to the internet still.
    I found this link on Cisco's site:
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/deployment_guide_c07_458259_ns855_Networking_Solutions_White_Paper.html
    That link shows them configuring a guest vlan right on the fa0-3 ports of an 881W. I don't have that option on mine. I can only configure 802.1x on the vlan interface. I have 802.1x working, for things that connect to vlan1, but I would like to have a "fallback" setup.
    EZVPN_Remote(config-if)#int fa1
    EZVPN_Remote(config-if)#dot
    EZVPN_Remote(config-if)#dot1?
    dot1q
    EZVPN_Remote(config-if)#dot1
    EZVPN_Remote(config-if)#int vlan1
    EZVPN_Remote(config-if)#dot1x ?
      default           Configure Dot1x with default values for this port
      host-mode         Set the Host mode for 802.1x on this interface
      max-reauth-req    Max No.of Reauthentication Attempts
      max-req           Max No.of Retries
      pae               Set 802.1x interface pae type
      port-control      set the port-control value
      reauthentication  Enable or Disable Reauthentication for this port
      timeout           Various Timeouts
    Any thoughts why I'm seeing this behavior? Feature-set? IOS Version?
    EZVPN_Remote#sh ver
    Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(2)T4, )
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Tue 12-Jul-11 21:02 by prod_rel_team
    ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
    EZVPN_Remote uptime is 6 hours, 1 minute
    System returned to ROM by reload at 14:53:21 UTC Thu Oct 13 2011
    System restarted at 14:52:47 UTC Thu Oct 13 2011
    System image file is "flash:c880data-universalk9-mz.151-2.T4.bin"
    Last reload type: Normal Reload
    Last reload reason: Reload Command
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    Cisco 881 (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memor.
    Processor board ID FTX153482GK
    5 FastEthernet interfaces
    1 Virtual Private Network (VPN) Module
    256K bytes of non-volatile configuration memory.
    126000K bytes of ATA CompactFlash (Read/Write)
    License Info:
    License UDI:
    Device#   PID                   SN
    *0        CISCO881-SEC-K9       xxxxxxxx
    License Information for 'c880-data'
        License Level: advipservices   Type: Permanent
        Next reboot license Level: advipservices
    Thanks in advance!

    Shameless bump...

  • 802.1X un-authenticated user and guest VLAN

    Is there an option for 802.1X wired network to put any un-authenticated user onto the guest VLAN instead of no access? Thanks.

    You can read more about "802.1X authentication failure VLAN" in the release notes for cat 6000 8.4 new features. It may not be in your hardware yet.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/relnotes/ol_4498.htm

  • 802.1x Guest Vlan and Routed access layer design

    Hi!
    For many reasons, I have to re-design my campus network in a more ISP-like way. The plan is to move to a routed access layer in the next two years. I have 802.1x with guest vlan on my access ports (3750). I was reading on the subject and I found that the guest vlan feature was not available with internal vlan (routed port).
    Is this limitation really there? Is there a way I can get around it without complicating my design even more? Does Cisco have plans to lift this?

    You cannot use/configure 802.1X on a routed port today. Typically, 802.1X is to be used for LAN edge ports.
    The Guest-VLAN should work with a routed access design though. If your Guest-VLAN is chosen to be separate from say otherwise statically configured access VLANs, you would need to configure it via separate SVI with corresponding IP info (in a routed access model).
    Hope this helps,

  • 802.1X with Guest vlan support IOS version ???

    I don't know which IOS version supports 802.1X with Guest vlan on Catalyst 2950 and 3550 switches.
    please reply to my question.

    Thank you for your help.
    Also, the Cisco web site explains it, except for Catalyst 2950 Standard Image (SI) in IOS 12.1(22)EA3
    but I can't understand, My site is using catalyst 2950 SI to 802.1X and guest vlan in IOS image 12.1(22)EA3
    ex) TW_14F_A_C2950_32.8#sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA3, RELEASE SOFTWARE (fc1)
    Running Standard Image
    24 FastEthernet/IEEE 802.3 interface(s)
    Model number: WS-C2950-24
    please, reply for my question

  • 802.1x / dot1x Authentication, including Voice-Vlan and Guest-Vlan

    Hello,
    I have tried to configure a dot1x-based authentication.
    With a single host including guest-vlan, everything works fine.
    But I want to use an IP phone (which is authenticated every time) and, behind the phone, a client.
    Is there a possible solution? And unfortunately the IP phones are Avaya phones.
    I have just tried this...
    interface GigabitEthernet0/4
    switchport access vlan 121
    switchport mode access
    switchport voice vlan 200
    authentication event fail action authorize vlan 99
    authentication event server dead action authorize vlan 121
    authentication event server alive action reinitialize
    authentication host-mode multi-host
    authentication order dot1x
    authentication port-control auto
    authentication periodic
    authentication violation restrict
    dot1x pae authenticator
    dot1x timeout quiet-period 10
    dot1x timeout tx-period 1
    spanning-tree portfast
    Thanks, for any possible solution!

    Unfortunately, because they are Avaya phones, the easy answer CDP-Bypass fails in this instance. When you plug in the phone, the switch will assume it's the 'single host' for this port, and restrict the port due to the authentication for the phone failing. Maybe you can just hard-code the voice-vlans on each phone, but that could get tedious depending on the amount of phones.
    I believe there is a DHCP option you can pass back that indicates the phone should be running on vlan 200, but for this to work you'd also need to set up a pre-auth ACL that would allow DHCP to work in the unauthorized state. I think it's 147 off the top of my head.
    Another solution (which isn't what you originally wanted, but it would work) is to just use multi-domain instead of single-host, and authenticate both the phone and the PC. The RADIUS server should be able to distinguish between what is configured as a phone and what is a host, and will send back the appropriate vlan if configured correctly.
    What are you using for a RADIUS server?

  • Dot1X guest vlan authentication issue..Real Challenge!!

    Hi Guys!
    I would really appreciate if some one could help me find lead on this issue...
    My Corporate and Quarantine users don't get the correct VLAN as soon as I enable the Guest VLAN feature... all of them go to the guest VLAN...
    Scenario 1
    interface GigabitEthernet3/0/42
    switchport mode access
    authentication port-control auto
    dot1x pae authenticator
    dot1x timeout quiet-period 5
    dot1x timeout tx-period 5
    spanning-tree portfast
    Test Workstation behavior
    802.1X (Corporate) = VLAN 1
    802.1X (Quarantine)= VLAN 20
    Non-802.1X (Guest) = Unauthorized
    Conclusion
    802.1x authentication is working without the guest VLAN feature
    Scenario 2
    interface GigabitEthernet3/0/42
    switchport mode access
    authentication event no-response action authorize vlan 30
    authentication port-control auto
    dot1x pae authenticator
    dot1x timeout quiet-period 5
    dot1x timeout tx-period 5
    spanning-tree portfast
    Test Workstation behavior
    802.1X (Corporate) = VLAN 30 GuestVlan
    802.1X (Quarantine)= VLAN 30 GuestVlan
    Non-802.1X = VLAN 30 GuestVlan
    Conclusion
    802.1X doesn't work after enabling Guest VLAN feature (no-response)
    Some important notes...
    1) IOS version = c3750-ipbase-mz.122-50.SE.bin the only IOS which supports 10gig modules...
    so i can not test with any other IOS
    2) We had older 3750 100Mbps switches with the same config (we copied the config from the old switch to the new switch) and the only command which got changed automatically due to the IOS change is....
    dot1x guest-vlan 30 (Old IOS syntax) = authentication event no-response action authorize vlan 30 (New IOS syntax)
    so even if you put old command syntax it will get change to new one...
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_50_se/configuration/guide/sw8021x.html#wp1176660
    Guys please help me.........

    Just to update you here... after running some debugs on the switch I found that... (Scenario-2)
    When we connect 8021X-enabled PCs (Corporate users) and boot them, they initially behave like a non-8021X client while booting, and during that time the switch puts them in the guest vlan, but when the workstation comes to a state (login prompt) where they start communicating like an 8021X client, the switch just fails to put them in the appropriate VLANs, maybe due to some timeout issues. I feel like I am very close to getting the solution but am just wondering which timers need to change, or maybe I am wrong and there is something else that needs to be put in. Anyway, I just shared my findings with you.
    The same workstations are working fine with the old switches without any problem... it is Windows XP SP3
