Guest Vlan - WLC
Hello
Which tool can help in getting historical data for Guest VLAN configured on WLC. i.e
How long the Guest was connected.
How many times he was connected.
traffic summary for each connection ( transferred / Received size)
Top 5 sites visited by Guest
thanks
CP
Using WCS, running the detailed client reports, we will get this information.
Regards
Surendra
Similar Messages
-
Multiple Guest VLANs and Shared WLC
Hi,
I would like to add a second Internet ASA5xx gateway to our guest anchor wlc in the DMZ, which is connected to a guest vlan switch, so that the guest anchor wlc can connect guest users to two separate Internet gateways (i.e. guest vlan1 and vlan2). Two guest wireless networks are created in our environment, say SSID1 and SSID2, each anchoring to the guest WLC in the DMZ by Internal wlcs. I want to assign a different ip subnet to the two guest wireless SSIDs, say 10.251.255.0/24 and 10.251.256.0/24, to be provided by DHCP servers in the two ASA5xx.
I want to implement this by creating a second guest vlan interface in the guest anchor wlc and assign/connect this to the new ASA5xx box for the second Internet gateway. The second guest wireless SSID will be homed/anchored to this guest vlan2.
Please advise how best I should implement this.
many thanks
Sankung
It sounds like you already have this done. You have the second SSID already, you would need to create the second interface with the appropriate VLAN tag and subnet range.
Then on the internal anchor the SSID to the same SSID in the DMZ
http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html#wp999843
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered -
Guest VLAN - FlexConnect Central Switching vs Anchor WLC
I have a general question about securing the guest WLAN in FlexConnect deployment -
Option 1: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC and the guest VLAN is trunked from that WLC to the firewall DMZ through a switch
Option 2: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC but tunneled to an anchor WLC in DMZ
Option 3: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC and an ACL is applied to the Guest interface/VLAN in the WLC itself
What would be the best option in the FlexConnect Centralized WLC deployment to restrict guest traffic from accessing the corporate network? What are the advantages and disadvantages of those three options?
I would highly appreciate your input on this topic.
Thank you.
Yes, you're right.
Once anchor/tunnel goes down, all the L3 services will be initiated for guest wlan from the Foreign until the Anchor comes up.
On Anchor down situation - Need to configure the foreign WLC's guest wlan mapped to dummy interface, this way guest clients will have no network access.
If multiple Anchors are mapped to the datacenter's foreign on the guest wlan then the guest users will tunnel the traffic to available anchor, by default it'll round robin among anchors. -
Connect an AP to a Guest Anchor WLC?
We have two WLC 5508 and one foreign guest anchor WLC at the primary data center, also a 5508 box. I would like to connect an AP directly to the guest anchor WLC through its guest VLAN interface, so that the same configuration is applied to it as other APs connected to frontend WLCs connecting users.
Would this work or should I create a separate interface on the guest anchor WLC to connect the local AP?
Thanks
Sankung
Not a best practice but as long as your AP is just for guest traffic it would be fine. If you also want to have it like your other APs and have other SSIDs, then I wouldn't do that since you have to poke holes in your firewall to allow traffic inside unless you do a reverse anchor to the foreign WLC. You might be better to just use FlexConnect and AP Groups and have the AP terminate to the foreign WLC, but I don't know your setup.
Sent from Cisco Technical Support iPhone App -
Guest VLAN cannot ping gateway
Hi Sir,
I have an issue wherein my guest vlan cannot ping its gateway thus it can't go through the web auth page. I have been given an ip address with corresponding gateway, subnet and dns for the guest vlan. I have allowed all the vlans in the trunk port for wlc and ap connection.
What do you think is the problem? Hope you could help on this.
thanks.
Regards,
Neri
Hi Neri
The way this should work is that the client connects to the guest network and gets an IP address from DHCP. The DHCP configuration should include the default gateway and must include a DNS address.
When the client opens a web browser the browser tries to connect to the configured home page. This means that a DNS lookup is sent out and the controller intercepts it and forwards it on. Providing there is a response from the DNS server the controller will cause the client browser to re-direct to the web authentication login page.
It is therefore essential that the controller can see the DNS server. Forget the PING for now - DNS is a must. You can prove the rest of the system by ensuring the guest client has an IP address. Open the client browser and try and connect to http://1.1.1.1 (assuming your virtual interface on the controller is 1.1.1.1). If you get re-directed to the web authentication login page then the issue is a DNS issue.
Regards
Roger -
Hi all, I have a multi site customer with a vrf guest vlan in any site.
Now I have to place a WLC on the HQ to manage all the wifi for HQ and other office, all the APs in the remote sites are in flexconnect mode.
On the VLAN mapping for AP I set the correct guest vlan for every AP/site but the guest network over vrf seems not working properly.
For the AP in the HQ if I turn off flexconnect and use the AP in local mode the vrf guest works well (using the internal DHCP of WLC).
Anyone have tried a config like this?
Thanks
Cool, we fixed our DHCP issue, it was related to how we had several APs advertising the SSID. One was transmitting at a higher power than the other, plus it had no DHCP assigned to the interface. The weaker transmitter did, so it would ping-pong to the stronger signal and back to the weaker. LOL
-
HQ and Remote Wired Guest VLAN
Hello all,
I am having trouble to create a standard condition for Policy Authorization. Basically there are HQ and remote locations configure for guest access.
Each location has its own guest vlan. On ISE the standard rule are:
Standard Rule 1 if Unknown AND Wired_MAB then Guest_Access
This rule is working good for HQ.
Standard Rule 2 if (Unknown OR MTL_Devices) AND Wired_MAB_MTL_Guest then Montreal_Guest
This rule is designed for remote but Standard Rule 1 is taking over because first match is applied, and the OR condition may cause some problem
with internal users since the condition is Unknown OR MTL_Devices. There is no AND condition for this.
Let me know if anyone has idea or have solved this problem.
Thank you.
Hi,
You need to change the order of your rules, ISE uses the first matched rule from top to bottom, in your case the MTRL is matching the first rule since it is more open than the rule below which has the check for the network device.
Please change the order and see if this fixes your issue. If this doesn't work, post a screenshot of your policies just to make sure we are on the same page.
Thanks,
Tarik Admani
*Please rate helpful posts* -
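The first-match behaviour Tarik describes, as an added example (not ISE code). Constructed assumptions: a 'Wired_MAB' condition matches any MAB-authenticated wired session, and 'Wired_MAB_MTL_Guest' is that same check plus a network-device location of 'Montreal' (the thread only says the second rule "has the check for the network device"); rule, group and profile names are the ones from the thread.

```python
"""First-match model of the ISE authorization rules from the thread.

Added example, not ISE code. Constructed assumptions: 'Wired_MAB' matches any
MAB-authenticated wired session; 'Wired_MAB_MTL_Guest' is the same check plus a
network-device location of 'Montreal'. Rule and profile names come from the thread.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    identity_group: str   # endpoint identity group, e.g. "Unknown" or "MTL_Devices"
    auth_method: str      # "MAB" or "dot1x"
    device_location: str  # location of the access switch (network device group)


# Compound conditions (constructed for illustration)
def wired_mab(s: Session) -> bool:
    return s.auth_method == "MAB"


def wired_mab_mtl_guest(s: Session) -> bool:
    return wired_mab(s) and s.device_location == "Montreal"


# Authorization rules exactly as the thread states them
def standard_rule_1(s: Session) -> bool:
    return s.identity_group == "Unknown" and wired_mab(s)


def standard_rule_2(s: Session) -> bool:
    return s.identity_group in ("Unknown", "MTL_Devices") and wired_mab_mtl_guest(s)


ORIGINAL_ORDER = [
    ("Standard Rule 1", standard_rule_1, "Guest_Access"),
    ("Standard Rule 2", standard_rule_2, "Montreal_Guest"),
]
# Narrower rule first, as the reply recommends
REORDERED = [ORIGINAL_ORDER[1], ORIGINAL_ORDER[0]]


def authorize(rules, session: Session, default_profile="DenyAccess"):
    """Evaluate rules top to bottom and stop at the first one that matches."""
    for name, condition, profile in rules:
        if condition(session):
            return name, profile
    return "Default", default_profile


# Constructed sessions
HQ_GUEST = Session("Unknown", "MAB", "HQ")
MTL_GUEST = Session("Unknown", "MAB", "Montreal")
MTL_DEVICE = Session("MTL_Devices", "MAB", "Montreal")
EMPLOYEE = Session("Employees", "dot1x", "HQ")

if __name__ == "__main__":
    for label, s in [("HQ guest", HQ_GUEST), ("Montreal guest", MTL_GUEST),
                     ("Montreal device", MTL_DEVICE), ("employee", EMPLOYEE)]:
        print(f"{label:16} original: {authorize(ORIGINAL_ORDER, s)}  "
              f"reordered: {authorize(REORDERED, s)}")
```

With the original order the Montreal guest is swallowed by Standard Rule 1 because it matches everything Standard Rule 2 matches and more; after the swap the Montreal guest lands in Montreal_Guest and the HQ guest still gets Guest_Access.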
I've bought some unifi wifi access points which I want to add to our network. We use a mix of cisco and netgear switches (I'll be phasing out the netgears over time). I'd like to make a guest vlan for the wifi, I'm just not sure how is best to do it, there are some details on a possible setup here.
At the moment we have an unmanaged network so everything is using vlan1
We use 2 Cisco PIX 515e firewalls (one as backup), they go directly to a switch, then we use a Windows server for DHCP. The config for firewall (fw1) on the interface that connects to a switch is:
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.135.248 255.255.192.0 standby 192.168.135.249
on the switch it connects to called sw1 (C2950-I6Q4L2-M) the port is configured like so:
interface FastEthernet0/15
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
Port Gi/02 connects to the next switch which is a netgear GS748T (sw2) which then connects to various other switches
interface GigabitEthernet0/2
description Netgear GS748T
switchport trunk allowed vlan 1-4
switchport mode trunk
switchport nonegotiate
speed 1000
duplex full
flowcontrol receive desired
(There are some other vlans created, not sure what they are for yet, I'm new here!)
We've just bought a Cisco WS-C3650-24PS - sw3
I was thinking of only plugging in the wifi access points into cisco switches only and creating a Vlan - Vlan20 and only allowing Vlan20 to specific ports if this is possible?
I'm a beginner at this so the theory is there but not sure how to execute it!
I'm thinking on the firewall fw1
eth2
speed 100
duplex full
nameif guest
security-level 90
ip address 192.168.0.248 255.255.255.0 standby 192.168.0.249
on sw1 connect Gi0/2 to sw3 Gi1/1/1
config to be
switchport trunk allowed vlan 20
switchport mode trunk
switchport nonegotiate
speed 1000
duplex full
sw3 will already have vlan1 going to it as part of the unmanaged network as it is connected to another switch on another port already.
So my question is how do I setup the dhcp server on sw3 for vlan20 (192.168.0/24)
And how would both vlans get sent to the wifi access points which are patched into sw3 but without vlan 20 traffic being sent other ports which do not have the ap's connected to them? I would also like to allow vlan20 to another cisco switch.
Or if is the wrong way of doing it let me know a better solution
Apologies in advance if this is not making much sense!
I actually use UniFi APs in our environment too, great little APs as long as you buy the Pro models (the standard ones have their shortfalls).
I think your PIX config looks good (it's been a while since I've touched one so I'd have to login to the 525 I have at home to confirm). Just ensure it's configured to disallow traffic from your guest VLAN to the internal network, if memory serves there's an option that's on by default to disallow traffic from a higher security if to a lower.
It may be better to configure Sw1/0/2 and Sw3/1/1/1 with all of your VLANs, if you want redundancy you can create a LAG between the two with multiple ports. If you use different links for different VLANs and down the road something happens and both of those ports become active on the same VLAN (I/E you or someone else forgets that you're using different uplinks for different VLANs) if STP isn't setup properly you'll create a loop on that VLAN potentially flooding the network with broadcast traffic.
As for the UniFi config, you configure the ports that the APs connect to as trunks, I assume you'll be managing the APs over VLAN 1 so the ports should be VL1 untagged, VLAN 20 tagged.
The UniFi Controller software is used to set up and manage the APs; if you haven't already done so, install it. Once you have it installed you want to create two SSIDs, one without VLAN tagging enabled which will be your internal SSID, and another with VLAN tagging enabled for VL20 which will be your guest SSID. This way when a client connects to the Guest SSID the AP(s) will tag their traffic VLAN 20, so on ingress to SW3 the traffic will be tagged with the correct VLAN.
The attached is a screen from my UniFi guest SSID config, you can also assign guests to a user group, which allows you to limit the bandwidth at the AP. -
Mobility Group Requirements for Guest Anchor WLC
Hello -
I've always assumed you can't create a guest tunnel between a local WLC and an anchor WLC that are in different mobility groups. However, I was told recently (without much detail) that this is possible. So I have set out to test this.
I am trying to point one of my local WLCs' guest SSIDs to a guest anchor WLC in a different mobility group. I have a maintenance window coming up and I am looking to anchor the clients on one campus to the anchor WLC on the other campus so guest service does not go down. Each campus is its own mobility group. In trying to set this up I went to the "mobility anchors" screen for the guest SSID on one of the local WLCs and I am unable to add the anchor WLC from the other campus because it's not in the drop-down menu. This is because it's not in the same mobility group. So my question is how do I anchor clients coming through a local WLC in one mobility group to an anchor WLC in another mobility group?
To me it doesn't seem possible without significant configuration changes. I don't want to reconfigure/recreate mobility groups.
Thanks
Chuck
Not only is it possible, I would recommend it. However, you may be confusing some concepts.
The Mobility Group is different than the Mobility Domain. I generally refer to the Mobility Group as those WLCs with the same Default Mobility Group Name, and the Mobility Domain as the entire Mobility List (where you can define up to 72 controllers from various mobility groups).
The point is that if WLCs 1-10 are GroupA, and WLCs 11-20 are GroupB, for anchoring to work you at least need to add the anchor to the mobility list of the foreign wlc, and vice versa.
If you notice, when you add a mobility entry to the list, it should ask you for mobility group. If you leave it blank, it should default to that of that WLC, but on GroupA controllers, you could define GroupB controllers (and specific GroupB) and then you should now have mobility established between your controllers and the Anchor configuration will have your anchors in the drop-down....
Does that make sense? -
802.1x Auth-Fail VLAN and Guest-VLan not available
Hi Pros,
Having an issue with an 881 I have recently acquired. I'm wanting to setup a Virtual Office scenario. Everything is working fine except for 802.1x...
I can get the 881 to authenticate things connected to it, but I don't have the options of guest-vlan or auth-fail vlan.
Idea is if the user takes the router home and someone, either accidentally or on purpose, connects an unauthorized laptop, they stay off the Corp network but can get to the internet still.
I found this link on Cisco's site:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/deployment_guide_c07_458259_ns855_Networking_Solutions_White_Paper.html
That link shows them configuring a guest vlan right on the fa0-3 ports of an 881W. I don't have that option on mine. I can only configure 802.1x on the vlan interface. I have 802.1x working, for things that connect to vlan1, but I would like to have a "fallback" setup.
EZVPN_Remote(config-if)#int fa1
EZVPN_Remote(config-if)#dot
EZVPN_Remote(config-if)#dot1?
dot1q
EZVPN_Remote(config-if)#dot1
EZVPN_Remote(config-if)#int vlan1
EZVPN_Remote(config-if)#dot1x ?
default Configure Dot1x with default values for this port
host-mode Set the Host mode for 802.1x on this interface
max-reauth-req Max No.of Reauthentication Attempts
max-req Max No.of Retries
pae Set 802.1x interface pae type
port-control set the port-control value
reauthentication Enable or Disable Reauthentication for this port
timeout Various Timeouts
Any thoughts why I'm seeing this behavior? Feature-set? IOS Version?
EZVPN_Remote#sh ver
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(2)T4, )
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Tue 12-Jul-11 21:02 by prod_rel_team
ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
EZVPN_Remote uptime is 6 hours, 1 minute
System returned to ROM by reload at 14:53:21 UTC Thu Oct 13 2011
System restarted at 14:52:47 UTC Thu Oct 13 2011
System image file is "flash:c880data-universalk9-mz.151-2.T4.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco 881 (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memor.
Processor board ID FTX153482GK
5 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
256K bytes of non-volatile configuration memory.
126000K bytes of ATA CompactFlash (Read/Write)
License Info:
License UDI:
Device# PID SN
*0 CISCO881-SEC-K9 xxxxxxxx
License Information for 'c880-data'
License Level: advipservices Type: Permanent
Next reboot license Level: advipservices
Thanks in advance!
Shameless bump...
-
802.1X un-authenticated user and guest VLAN
Is there an option for 802.1X wired network to put any un-authenticated user onto the guest VLAN instead of no access? Thanks.
You can read more about "802.1X authentication failure VLAN" in the release notes for cat 6000 8.4 new features. It may not be in your hardware yet.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/relnotes/ol_4498.htm -
802.1x Guest Vlan and Routed access layer design
Hi!
For many reasons, I have to re-design my campus network in a more ISP-like way. The plan is to move to a routed access layer in the next two years. I have 802.1x with guest vlan on my access ports (3750). I was reading on the subject and I found that the guest vlan feature was not available with internal vlan (routed port).
Is this limitation really there, is there a way I can get around it without complicating my design even more. Does Cisco have a plan to lift this???
You cannot use/configure 802.1X on a routed port today. Typically, 802.1X is to be used for LAN edge ports.
The Guest-VLAN should work with a routed access design though. If your Guest-VLAN is chosen to be separate from say otherwise statically configured access VLANs, you would need to configure it via separate SVI with corresponding IP info (in a routed access model).
Hope this helps, -
802.1X with Guest vlan support IOS version ???
I don't know which IOS version supports 802.1X with Guest vlan on Catalyst 2950 and 3550 switches.
Please reply to my question.
Thanks for your help.
Also, the Cisco web site explains it is supported, except for Catalyst 2950 Standard Image (SI) in IOS 12.1(22)EA3,
but I can't understand, my site is using a Catalyst 2950 SI for 802.1X and guest vlan in IOS image 12.1(22)EA3
ex) TW_14F_A_C2950_32.8#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA3, RELEASE SOFTWARE (fc1)
Running Standard Image
24 FastEthernet/IEEE 802.3 interface(s)
Model number: WS-C2950-24
please, reply for my question -
802.1x / dot1x Authentication, including Voice-Vlan and Guest-Vlan
Hello,
I have tried to configure a dot1x based Authentication.
With a single host including guest-vlan, everything works fine.
But I want to use an IP-Phone (which is every time authenticated) and behind the Phone a Client.
Is there a possible solution? And unfortunately the IP-Phones are Avaya-Phones.
I have just tried so...
interface GigabitEthernet0/4
switchport access vlan 121
switchport mode access
switchport voice vlan 200
authentication event fail action authorize vlan 99
authentication event server dead action authorize vlan 121
authentication event server alive action reinitialize
authentication host-mode multi-host
authentication order dot1x
authentication port-control auto
authentication periodic
authentication violation restrict
dot1x pae authenticator
dot1x timeout quiet-period 10
dot1x timeout tx-period 1
spanning-tree portfast
Thanks, for any possible solution!
Unfortunately because they are Avaya phones, the easy answer CDP-Bypass fails in this instance. When you plug in the phone, the switch will assume it's the 'single host' for this port, and restrict the port due to the authentication for the phone failing. Maybe you can just hard-code the voice-vlans on each phone, but that could get tedious depending on the amount of phones.
I believe there is a DHCP option you can pass back that indicates the phone should be running on vlan 200, but for this to work you'd also need to set up a pre-auth ACL that would allow DHCP to work in the unauthorized state. I think it's 147 off the top of my head.
Another solution (which isn't what you originally wanted, but it would work) is to just use multi-domain instead of single-host, and authenticate both the phone and the PC. The RADIUS server should be able to distinguish between what is configured as a phone and what is a host, and will send back the appropriate vlan if configured correctly.
What are you using for a RADIUS server? -
Dot1X guest vlan authentication issue..Real Challenge!!
Hi Guys!
I would really appreciate if some one could help me find lead on this issue...
My corporate and Quarantine users don't get the correct VLAN as soon as I enable the Guest VLAN feature... all of them go to the guest VLAN...
Scenario 1
interface GigabitEthernet3/0/42
switchport mode access
authentication port-control auto
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout tx-period 5
spanning-tree portfast
Test Workstation behavior
802.1X (Corporate) = VLAN 1
802.1X (Quarantine)= VLAN 20
Non-802.1X (Guest) = Unauthorized
Conclusion
802.1x authentication is working without the guest VLAN feature
Scenario 2
interface GigabitEthernet3/0/42
switchport mode access
authentication event no-response action authorize vlan 30
authentication port-control auto
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout tx-period 5
spanning-tree portfast
Test Workstation behavior
802.1X (Corporate) = VLAN 30 GuestVlan
802.1X (Quarantine)= VLAN 30 GuestVlan
Non-802.1X = VLAN 30 GuestVlan
Conclusion
802.1X doesn't work after enabling Guest VLAN feature (no-response)
Some important notes...
1) IOS version = c3750-ipbase-mz.122-50.SE.bin, the only IOS which supports 10gig modules...
so I can not test with any other IOS
2) We had older 3750 100Mbps switches with the same config (we copied the config from the old switch to the new switch) and the only command which got changed automatically due to the IOS change is....
dot1x guest-vlan 30 (Old IOS syntax) = authentication event no-response action authorize vlan 30 (New IOS syntax)
so even if you put the old command syntax it will get changed to the new one...
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_50_se/configuration/guide/sw8021x.html#wp1176660
Guys please help me.........
Just to update you here.......after running some debugs on the switch I found that....(Scenario-2)
When we connect 802.1X enabled PCs (Corporate users) and boot them...they initially behave like Non-802.1X clients while booting and during that time the switch puts them in the guest vlan, but when the workstation comes to a state (login prompt) where they start communicating like 802.1X clients.....the switch just fails to put them in the appropriate VLANs.. maybe due to some time out issues.........I feel like I am very close to getting the solution but just wondering which timers need to change, or maybe I am wrong if there is something else that needs to be put in...........anyway I just shared my things with you....
Same workstations are working fine with the old switches without any problem...it is Windows XP SP3
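One timing check that belongs next to the "which timers need to change" question above, as an added example (not Cisco code and not a diagnosis of this thread's fault). It models only the documented IOS rule that the authenticator sends EAP-Request/Identity at link-up, retransmits it every tx-period seconds, and after max-reauth-req unanswered retransmissions applies the no-response action (authorize vlan 30 in Scenario 2); the moment a workstation's supplicant first sends EAPOL after link-up (40 s) is a constructed input.

```python
"""Timing model for the IOS 802.1X no-response (guest VLAN) fallback.

Added example, not Cisco code. Only the documented retransmit rule is modelled:
EAP-Request/Identity at link-up, retransmitted every tx-period seconds, and the
no-response action after max-reauth-req unanswered retransmissions. The time at
which a workstation's supplicant first sends EAPOL is a constructed input.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Dot1xTimers:
    tx_period: int = 30      # dot1x timeout tx-period (IOS default 30 s)
    max_reauth_req: int = 2  # dot1x max-reauth-req (IOS default 2)

    def guest_vlan_deadline(self) -> int:
        """Seconds after link-up when the no-response action fires.

        Initial request plus max_reauth_req retransmissions, each waited for
        tx_period seconds: the defaults give (2 + 1) * 30 = 90 s.
        """
        return (self.max_reauth_req + 1) * self.tx_period


def port_outcome(timers: Dot1xTimers, first_eapol_s: Optional[int],
                 guest_vlan: int = 30, auth_vlan: int = 1) -> Tuple[int, str]:
    """VLAN a single host ends up in, given when its supplicant first talks.

    first_eapol_s is None for a host with no supplicant at all. auth_vlan is
    the VLAN a successful EAP exchange would assign (constructed value).
    """
    deadline = timers.guest_vlan_deadline()
    if first_eapol_s is None:
        return guest_vlan, f"no EAPOL: no-response action after {deadline} s"
    if first_eapol_s < deadline:
        return auth_vlan, f"EAPOL at {first_eapol_s} s beats the {deadline} s deadline"
    return guest_vlan, f"deadline {deadline} s expired before EAPOL at {first_eapol_s} s"


def min_tx_period(first_eapol_s: int, max_reauth_req: int = 2) -> int:
    """Smallest tx-period whose deadline still lies after the supplicant starts."""
    return first_eapol_s // (max_reauth_req + 1) + 1


# Constructed scenario: a workstation whose supplicant first sends EAPOL
# 40 s after link-up, i.e. part-way through booting.
SLOW_SUPPLICANT_S = 40

if __name__ == "__main__":
    for t in (Dot1xTimers(), Dot1xTimers(tx_period=5)):
        print(t, "->", port_outcome(t, SLOW_SUPPLICANT_S))
    print("tx-period needed for this host:", min_tx_period(SLOW_SUPPLICANT_S))
```

With Scenario 2's tx-period of 5 the fallback fires at 15 s, before the constructed supplicant has sent anything, whereas the 30 s default leaves 90 s; a shorter tx-period puts non-802.1X guests on the network sooner at the price of misclassifying slow supplicants.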