Guest Wireless Network

Hello,
Is anyone aware of a way, "except for not broadcasting the SSID", to prevent clients from Inadvertently obtaining an IP address on a guest wireless network?
We are using two pair of 5508's for anchor controllers, and we're close to reaching our limit of 14k clients.  While researching, we've found a number of addresses that are being handed out, are mobile devices with their WIFI enabled, walking through our facilities, but not necassarily wanting to use the guest WIFI.
We would like to somehow not have the devices obtain an IP, unless they truly want to connect.  All I've been able to come up with is not to broadcast the SSID, which senior managment feels is not acceptable.
Thanks

Hi,
you can on the create on WLC, a separate dummy L3 interface (192.168.250.0/24 and a VLAN thet is not on Your LAN "3333") and WLAN with the name "1"
The DHCP is configured on 5508 with a lease of 240s.
The SSID appears first in the selection. and the clients will connect to the.
Your SSID can be broadcast and the user can select the need.
miro

Similar Messages

  • Internal Corporate wireless and guest wireless network

    I need some technical information on hwo the wireless guest network is created on the Airport Extreme. We currently do not permit personal wireless devices to connect to our internal wireless network in order to protect out data. Several times users have presented us with justifiable business requests to have access to the wireless network from their own devices. We've been looking at using the Airport Extreme in order to do this, but we are bound by PCI (Payment Card Industry) requirements to keep our customer credit card data secure. PCI regulations do not consider VLAN a secure way of keeping the data isolated. Does anyone have any technical information on how the device creates the guest wireless network ?
    Two or three of these on each floor would fit our need for such access and keep out customer data secure.
    Thanks

    Welcome to the discussion area!
    +PCI regulations do not consider VLAN a secure way of keeping the data isolated. Does anyone have any technical information on how the device creates the guest wireless network ?+
    I spoke to Apple Support some time ago and was told that Apple uses VLAN to create the Guest network, and also that formal documentation was not available on this topic. I was referred to the AirPort Extreme Specifications for available information.
    This was some time ago, so if you need more up to date info, you might want to try to contact Apple to see if they are willing to share more information about this feature. Although, since VLAN is used, your question may already be answered.
    FWIW, to use the Guest Network feature in a home situation, the AirPort Extreme must be set up as the main router controlling DHCP and NAT on the network. If you were thinking of installing the AirPort Extreme behind another router, the Guest Network feature would not be available in this type of configuration.

  • Guest Wireless Network Setup

    I got the task of setting up a Guest wireless network for one of our remote campuses. We already have some APs that are connecting to our WLC.
    The Enviroment:
    WLC Cisco 5500 is at our Corporate office. Connects to our Core Switch then to our Router
    Router connects to our remote campuses over mpls
    We currently already have APs at this campus that are connecting back to our WLC.
    We have a DSL line at the remote campus that we want this Guest wireless routed to.
    I have already created the guest network on the WLC and a guest VLAN on the Core switch
    My main question is how to configure the two routers for this and have this go out the DSL modem?
    Any help is very appreciated...

    That is fine. All you have to do is enable h-reap/FlexConnect local switching on the guest WLAN. Then change the mode on the AP to h-reap/FlexConnect and then the ap will reboot once it comes back up, you need to co figure the switch port as a dot1q trunk only allowing the vlans for the AP and guest. Set the native vlan on the trunk I the vlan the ap belongs on. On the h-reap ap, you will have another tab on the top for h-reap/FlexConnect. You enable vlan support and then put the vlan I'd the ap belongs on. Hit apply then go back to the h-reap/FlexConnect tab and click on vlan mapping. There you will see the guest SSID and then a box in which you can enter a vlan. That is where you will put your vlan for the guest. Now since this vlan your dsl is connected needs to reach all the AP's, you just need to create a layer 2 vlan and connect the dsl router to that. Users will get an ip from that dsl router etc.
    Sent from Cisco Technical Support iPhone App

  • ASA5510 base config for guest wireless network

    Hello
    I am partitioning off my guest wireless traffic out a new connection.
    I have a WISM and a 5508 controller. The WISM will anchor the subnets to the specific controller.
    AP - WISM - 5508 - FW - Cable link - Internet
    Can anyone assist in implementing a base config so only traffic originating inside can get out, nothing from outside getting in.
    The external link will be via cable and I want to configure their static on my outside int,
    Where would be the best place to ratelimit the subnet(s)?
    sMc       

    ip access-list 10 permit ip 172.16.16.0 255.255.255.0 eq 80ip access-list 10 permit ip 172.16.16.0 255.255.255.0 eq 443
    These are router configurations and would not work on the ASA.  To do this the ACL config would need to look like this:
    access-list LAN extended permit ip 172.16.16.0 255.255.255.0 any eq 80
    access-list LAN extended permit ip 172.16.16.0 255.255.255.0 any eq 443
    access-group LAN in interface inside
    Keep in mind that you can change the ACL name (LAN) to anything you want it to be.  You could apply the ACL in the outbound direction but this is very unusual to do on the ASA and I do not suggest doing it unless you have a specific reason for doing so.
    Also, to make sure this subnet has no access to inside services, what would be needed?
    Not exactly sure where you are going with this.  Is this subnet also located on the inside interface? or on a different interface?
    If it is located on a different interface, then all you have to do is either give it a lower security level than that of the inside interface (lets say 90 for example), or add an ACL that denies traffic to the inside network subnet and then under that rule have an entery permitting traffic to any.
    Keep in mind that the ACLs are checked top to bottom and there is an implicit deny any rule at the bottom of all ACLs.  If this ASA is version 8.3 or higher the implicit deny can be seen in the global ACL in the ASDM.
    Please remember to rate and select a correct answer

  • DHCP lease for Guest Wireless network

    Is there a "rule-of-thumb" for the lease of DHCP on a guest or general use wireless network. The standard user is expected to be relatively transient. Thanks in advance for the comments / help.

    I think ther no such rule of thumbs in a wireless network but the networks that incorporate large numbers of mobile devices, such as laptops and wireless telephony devices, should be configured with shorter DHCP lease times (for example, one day) to prevent depletion of DHCP-managed subnet addresses. Mobile devices typically use IP addresses for short increments of time and then might not request a DHCP renewal or new address for a long period of time. Longer lease times will tie up these IP addresses and prevent them from being reassigned even when they are no longer being used.

  • Multiple Airports with private and isolated guest wireless networks available from both

    Hi,
    I've been searching online for some equipment that can do what i want to do without going into the enterprise grade and spending $5000 on Cisco gear.
    Consider two locations approx 80m apart - Primary is a house, and secondary location is a garage. A Cat6 run exists between the two.
    The goal would be to have a wireless primary router in the house for wired and private wireless internet access, with an additional Guest wireless that is isolated from the private network that I can turn on and off if guests are coming over.
    In addition, the second location should also support both wired and wireless connections.
    It seems simple to me, one device in each location. The WAN port on the garage device would connect back to the house device. The two devices should be smart enough to know that one is extending the other. Someone on the guest wireless that is connected via the garage AP would not be able to see the wired devices even though it's traffic is going across the same wire back to the primary router.
    Can I do this without spending a fortune?
    Thanks

    Two Apple AirPorts would do most....but not all...of what you want.
    A few notes.....
    In order for the guest network feature to work correctly on an AirPort router, the "main" AirPort in the house must connect to a simple modem......not a modem/router or gateway device.  That is a deal killer for some users right there.
    When the guest network is activated in the garage, it must be activated for both AirPorts....house and garage.
    You could actiivate the guest network for the house and leave the guest network off in the garage if you wanted, no problem there.....but.....you could not activate the guest network in the garage without also activating it in the house first.
    "Guests" can only connect to the guest network using wireless. Up to you to decide if you want to leave the guest network open or use a password that would need to be used to connect to the network.
    But.....If "guests" had physical access to the AirPort in the garage....and they connected to one of the Ethernet ports on the AirPort in the garage, they would be connecting to your main or private network.
    So, if something like this was a concern, you would have to either hide the AirPort in the garage and trust that users would not find it....or....find some way to limit access to the back panel of the AirPort so that users could not connect to it using an Ethernet cable.
    If the features and installation limitations are acceptable, you could spend as little as $100 for each AirPort Express.
    If you wanted better performance from the AirPort in the house, you could use an AirPort Extreme there...about $200 and an AirPort Express in the garage.
    The deluxe option would be to use two AirPort Extremes.
    Finally, you would want to make sure that you understood the store's return policy before you buy.....in case something unexpected crops up, as can sometimes be the case.

  • Trouble connection to a guest wireless network

    I am having trouble connecting to the guest server at work.  I have tried to reset and reconnect without success, any advice?

    Describe exactly what you mean by "trouble connecting." What happens in vagueness, stays in vagueness...
    Many guest networks require a terms of service sign in on a web page before getting access.

  • Guest Wireless - procedures for support ??

    Hi
    We are just on the cusp of deploying Guest wireless for
    external non-employee visitors to our organisation, using WLC's and the lobby
    admin functionality. However the issue of support procedures for these guest
    devices is sticking.
    Our Desktop support dept will not support potential technically challenged
    guest user and his mis configured end device (for want of a better phrase......)
    Ourselves in networks by policy do not support end devices as such.
    We need a completely remote 'no-remote-human-presence' way to test a user
    attaching to a SSID, firing up a browser and authing thru the re-directed to
    web interface. Remoting to a PC attached to the remote secure wired network
    is NOT ideal as we will then be bridging secure wired corp and non-secure
    guest wireless (altho it may have to end up being a variation of that.)
    I would be interested to hear how people here troubleshoot their
    guest wireless service availability.
    thnks
    martyn

    We have no way of easily testing on-site availibility of our guest wireless network, but the guest wireless wlan is available in our office. So, if an issue arises, basic troubleshooting steps can be taken by trying to connect to the guest ssid from the office. Otherwise, you would have to get creative with something like you're talking about.

  • VLAN Configuration for Internal and Guest Wireless

    Hello,
    We are using the following hardware…
    SG300-52MP switch -- latest firmware
    ASA 5512-X firewall -- 9.1
    Aironet AP1131AG WAP
    We have the following networks…
    10.252.4.0/24 = Internal = ASA-01 interface = VLAN1
    10.252.6.0/24 = Guest = ASA-02 interface = VLAN6
    10.252.6.0/24 = VOIP = ASA-03 interface = VLAN3
    The Aironet supports two SSIDs, Secure (RADIUS) and Guest (WPA2), which are supposed to provide access to the appropriate interface on the ASA.
    Relevant parts of the WAP configuration are…
    dot11 ssid GUEST
       vlan 6
    dot11 ssid SECURE
       vlan 1
    interface Dot11Radio0
    no ip address
    ssid GUEST
    ssid SECURE
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    interface Dot11Radio0.6
    encapsulation dot1Q 6
    no ip route-cache
    bridge-group 255
    interface Dot11Radio1
    no ip address
    no ip route-cache
    ssid GUEST
    ssid SECURE
    interface Dot11Radio1.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    interface Dot11Radio1.6
    encapsulation dot1Q 6
    no ip route-cache
    bridge-group 255
    interface FastEthernet0
    no ip address
    no ip route-cache
    interface FastEthernet0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    interface FastEthernet0.6
    encapsulation dot1Q 6
    no ip route-cache
    bridge-group 255
    interface BVI1
    ip address 10.252.4.4 255.255.255.0
    no ip route-cache
    ip default-gateway 10.252.4.1
    We can manage the WAP through it’s Internal IP address (10.252.4.4).
    And the “Guest” wireless network is working -- connecting to that SSID provides the client with the correct IP addressing (10.242.6.X from VLAN6/ASA-02).  [Note:  the VOIP DHCP and network access also works correctly.]
    The “Secure” wireless network is not working however -- the client never receives an Internal DHCP address from ASA-01, and even if you hard-code the client’s IP, no IP4 traffic ever passes.
    [Note:  connecting a device to a SG300 port with the “Default” configuration provides the client with an Internal DHCP configuration, and it works as intended.] 
    While this may be a problem with the WAP configuration, I would like to confirm that it is not an issue with the switch not passing traffic correctly.
    I have a feeling that I have configured the VLANs on the ports incorrectly.
    Relevant parts of the SG300 configuration are...
    v1.3.0.62 / R750_NIK_1_3_647_260
    vlan database
    vlan 3,6
    ip dhcp snooping
    ip dhcp relay address 10.252.4.1
    ip dhcp relay enable
    bonjour interface range vlan 1
    interface vlan 1
    ip address 10.252.4.2 255.255.255.0
    no ip address dhcp
    interface vlan 3
    name VOIP
    interface vlan 6
    name Guest
    interface gigabitethernet45 -- Access mode, Untagged VLAN6
    description ASA-Guest
    ip dhcp snooping trust
    switchport mode access
    switchport access vlan 6
    interface gigabitethernet46 -- Access mode, Untagged VLAN3
    description ASA-VOIP
    ip dhcp snooping trust
    switchport mode access
    switchport access vlan 3
    interface gigabitethernet47 -- Trunk mode, Untagged VLAN1 and Tagged VLAN6
    description WAP1
    switchport trunk allowed vlan add 6
    interface gigabitethernet48 -- Trunk mode
    description ASA-Internal
    ip dhcp snooping trust
    ip dhcp relay enable
    Can someone who understands this switch better than I do please confirm the VLAN configuration?  THANK YOU!

    Welcome to the discussion area!
    +PCI regulations do not consider VLAN a secure way of keeping the data isolated. Does anyone have any technical information on how the device creates the guest wireless network ?+
    I spoke to Apple Support some time ago and was told that Apple uses VLAN to create the Guest network, and also that formal documentation was not available on this topic. I was referred to the AirPort Extreme Specifications for available information.
    This was some time ago, so if you need more up to date info, you might want to try to contact Apple to see if they are willing to share more information about this feature. Although, since VLAN is used, your question may already be answered.
    FWIW, to use the Guest Network feature in a home situation, the AirPort Extreme must be set up as the main router controlling DHCP and NAT on the network. If you were thinking of installing the AirPort Extreme behind another router, the Guest Network feature would not be available in this type of configuration.

  • Web Based Registration for Guest Wireless Access

    I just started a project to make a guest wireless network available at every site in my enterprise.  Guest wireless networks are currently available at some sites.  Two key goals of this project is to enable WPA/WPA2 encryption and to develop a web based registration/autentication solution.  All of the sites have a mixture of 1230, 1240, and 1250 autonomous access points.  What do I need to do/get in order to make this happen?

    You should get a WLC and upgrade the 1240 and 1250 and replace the 1230's if they are in remote sites.
    The WLC has a Webauth feature that is great. You can define users on the WLC also if you wish.
    Guest access should always be open authentication with the use of a Webauth page. This makes it easy and you won't have to help manage guest access. Autonomous ap's and to have a splash page will require a 3rd party software or you can use a Cisco NAC guest server.
    Search for Cisco Wireless Guest Access or Webauth and you will see many docs on this type of setup.
    Sent from Cisco Technical Support iPhone App

  • Can't connect Airport Express to my main wireless network, just my guest account.

    I go to join my Airport Express to my wireless network so I can play music from Itunes to my sound system in my living room.  That is all I want to use it for at this point.  I pull up a list of the networks available, and my guest network shows up on the list, but my main network, which all my computers and Iphone is connected to, isn't on there.  I have a Linksys E3000 with a guest account set up trhough it.  Windows 7.  I called tech support and they said something about a hidden setting.  I went and checked and couldn't find anything about this.  Also, when people come over they can access my main wireless account with my password.

    Hi JWHITHAM and welcome to the forums!
    Have you tried manually adding your wireless network to the iPod touch? Mine does the same too sometimes and I just add it manually. So far it works.

  • How to set up guest wifi network on 1200 series APs with disclaimer web portal?

    I've been thinking about this one for awhile. I want to set up a guest wifi network without any security (AES / TKIP) that allows guests to connect. Ideally, their web browser would be redirected to a web portal containing legal disclaimers, and they would need to accept the terms and conditions to use the guest wifi. I would also like to have them be required to visit the web portal again every 8 hours after that to accept the terms and conditions again.
    I have a Cisco 1240AG access point already. What else do I need to make this work?

    I don't believe you can do this just with an AP running in autonomous mode you would need to have a WLC to configure the splash page.
    Have a look here:
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70users.html#wp1049273
    Alternatively you can use software running on a PC/Server. Something like http://www.antamedia.com/hotspot/
    Hope that helps!
    Matty

  • How to use Airport Extreme to create a second wireless network with different IP addresses behind an existing modem/router?

    Hi,
    I have an existing modem/router from my ISP that does DHCP and NAT with base IP 192.168.1.1 distributed in the wireless network. I use this wireless network for our private devices. I could turn off the DHCP server in this first router, but there isn't a separate setting to turn off NAT.
    I want to connect my Airport Extreme (4th gen) to this existing router to create a separate wireless network for visiting guests, where IP addresses of 10.0.0.0 etc. are used. So I do not want to use the Airport Extreme in bridge mode, as I would like to keep the devices on the first network 'invisible' for those on the second network. (P.S. when connected in bridge mode, the Airport works well and can distribute a network with a different name from the first. It's just that I would feel more comfortable about our privacy if the Airport were to distribute a different IP range. False security, maybe?)
    I've tried doing this by 'Sharing a public IP address' in Airport Utility's Internet tab, leaving TCP/IP's setting to 'via DHCP', setting DHCP addresses to start with 10.0.0.2 up to 200 with all else blank, and not using a standard host nor NAT-PMP in the NAT tab.
    When I do this the Airport complains of a 'double NAT issue'. Internet connectivity seems to be OK, but when switching between the two networks on my Mac I get complaints about my IP address being in use by another device intermittently.
    Can anyone help in how to get the 'double NAT issue' resolved?
    Thanks!

    So if someone is connected to the modem/router network they will be able to see the HD I will have put in to the AirPort Extreme?
    As I said above.....since the modem/router and AirPort are bridged, devices on the modem/router wireless will be able to "see" devices on the AirPort wireless, and vice versa.....
    If they can see the HD connected to the AirPort Extreme, will they be able to access it
    Yes, unless you plan to password protect the drive connected to the AirPort Extreme.
    or will they still need the password needed to get onto the AirPort Extreme network?
    The modem/router and AirPort Extreme are bridged. They are on the same network. All devices are on the same network when the modem/router and AirPort are bridged. Not sure how else that I can say this.
    Also, because it is bridged, I shouldn't have any problems accessing the HD I will have connected to the AirPort Extreme from an external location?
    Accessing devices from a remote location is never easy....and a topic for a different post/discussion. If you have a "static" Internet IP address from your provider, and have all the details on how to forward ports on your modem/router, you are off to a good start.
    Apparently there is some addressing issues because devices can be seen as "Double IP" because the modem/router would have allocated IP's as well as the AirPort allocating IP's thus making connections slower until resolved
    When you "bridge", all IP addresses are issued by one device. There will be no conflicts on the network, since they are bridged.
    Once again, in very simple terms, you have two doors (access points) that open into the same room (network).  One "door" is the modem/router and the other "door" is the AirPort Extreme. They are on the same network....("room") because they are bridged.

  • How do I share files between two Macs on my wireless network?

    I have an iMac G4 and an ibook G3 on a wireless network. I have "file sharing" activated on both computers. (Also Appletalk, which may or may not be a misguided move, but I got the idea from OSX "Help.")
    When I try to get from either computer onto the other, my computer is recognized by name (another alternative is to log on as a "guest"). I'm prompted for a password. None of the passwords I use works. I've tried the administrative passwords for both computers.
    How do I get beyond this hurdle to share files? I've posted elsewhere to no avail. This must be an easy one. How do you share files between two macs on one network?

    Do your accounts on the machines have the same short name? It's an issue I've seen a few names.. one machine with bsmith, the other with bobsmith, but the long names for both being "Bob Smith". The login windows would confuse users because it showed their names, but because the short names didn't match, it wouldn't work.
    The password you should use is the administrative one, so I don't know why you're not having luck.

  • Guest Wireless Access in Bridged Mode e4200v1

    I have an e4200v1 in bridge mode (LAN IP 192.168.1.2) connected via its WAN port to a LAN port on the primary router at 192.168.1.1.
    Guest Wireless works perfectly in Ver. 1.0.04 build 11 but not in Ver. 1.0..05 Build 7.
    ANy ideas?

    I've tried searching the forums for the same concern. I found the following:
    http://homecommunity.cisco.com/t5/Wireless-Routers/Guest-network-doesn-t-work-in-bridge-mode-on-E420... -  the user herot80 provided steps on how did he the guest network working on his setup.
    http://homecommunity.cisco.com/t5/Wireless-Routers/Linksys-EA4500-Bridged-Network-amp-Guest-Wireless... -  user counsil suggested to make sure that NAT is on before setting the router to a bridge mode for the guest network to work.

Maybe you are looking for

  • Error when burning DVD RW (Error Code 0x8002006E)

    Works with DVD +R, -R, CDR... but it wont burn DVD+RW for some reason I had this problem 3 years ago when it refused to burn CDs, and I had my ODD replaced with one of these MATSHITA DVD-R   UJ-857E:   Firmware Revision:          ZF1E   Interconnect:

  • Ipad 1 does't synch with itunes when connected to power

    when I connect my ipad 1 to charge it does't synch with itunes. itunes finds the ipad over wifi but it doesn't synch.

  • Tab as export delimiter

    Is it possible to make the tab character the export delimiter for SQL Developer? If so, how? Thanks, Tracey I found it under: Preferences>Database>Worksheet Parameters>General Export Parameters: Column Delimiter Custom Export Delimiter [,] I just dow

  • Field Exit is not working in QA but working in Development Server....

    Hi friends,                      I have created Field Exit for data element EPOS_LGORT (Storage Location) .Which is using in ME21N transaction of MM. This Field Exit is proper   working in Development Server but after transport in QA it is not workin

  • Matcher replaceAll vs String replaceAll and + plus sign anomaly?

    I have code that is to highlight search terms found within a given string. I searched within a given string "Java, C++, C, etc." for the term "C++" and have really strange results. Below is a snippet. // Now the highlighting portion