Guest WLAN and IP Address Exhaustion

Does anybody know of a way to stop a DHCP Server from doling out IP addresses (and subsequently exhausting the DHCP Scope) prior to performing L3 Web Auth to the WLC?
The problem arises when Students come into School with their iPhones and such like with the WLAN turned on which exhausts the current Guest WLAN DHCP Scope. Subsequently when a valid Guest User comes along they are unable to obtain an IP.
Many Thanks

Hi,
This is the challenge that we have with the Guest wireless access!! However, we can use WPA/WPA2-PSK along with the WEB-AUTH, SO that thew clients who provide the right PSK will only be able to grab the IP..
Regards
Surendra

Similar Messages

Guest WLAN and a Office WLAN on 1242AG

Hi All,
I have managed to add two WLANS, one for the Office Wireless clients(Staff laptops) and another one for Guests. I have bassicaly created two SSIDs, one broadcasting, other one not(Staff one).
The AP is a 1242AG and is going to connect to a Catalyst 3750 48T, which is connected to Cisco 877. How can I make the DHCP assignments to both Guest WLAN and Staff WLAN and also do I have to create trunk port in the Switch ( I am thinking like this as I got Two VLANs.)
Does anyone know or got a sample running config ( in a Switch and in a similar AP)...really appriciate it. Time is running out for me!!!
Reg
ND

Hi,
here is a config example for exactly you are looking for:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml.
HTH,
Tiago

Guest WLAN and Web Auth?

Hi Guys,
Maybe someone can help me out?
I just finished setting up a trial "Cisco Virtual Wireless Controller" with nearly the same configuration as our Physical
"Cisco Wireless Controller" with the exception of having 2 ports. Anyhow, I managed to get everything working except for the WEB AUTH on the Guest WLAN. When a client connects, he gets a DHCP address from our ASA but when we try to get to a website, we never reach the WEB AUTH page.
What I tried so far is..
add a DNS Host Name to the virtual interface and assign it to our internal DNS server.dns name was resolving but we were unable to ping 1.1.1.1
changed the virtual ip from 1.1.1.1 to 2.2.2.2 and modified the DNS entrydns name resoved but still could not ping 2.2.2.2(I think this is normal)
changed the virtual IP to a private address of 192.168.102.1 and modified the dns entrysame result
I've attached some screenshots of our configuration.

Troubleshooting Web Authentication
After you configure web authentication, if the feature does not work as expected, complete these
troubleshooting steps:
Check if the client gets an IP address. If not, users can uncheck
DHCP Required
on the WLAN and
give the wireless client a static IP address. This assumes association with the access point. Refer to
the
IP addressing issues
section of
Troubleshooting Client Issues in the Cisco Unified Wireless
Network for troubleshooting DHCP related issues
1.
On WLC versions earlier than 3.2.150.10, you must manually enter
https://1.1.1.1/login.html
in
order to navigate to the web authentication window.
The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client
connects to a WLAN configured for web authentication, the client obtains an IP address from the
DHCP server. The user opens a web browser and enters a website address. The client then performs
the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the
website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web
authentication login page.
2.
Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On
Windows, choose
Start > Run
, enter
CMD
in order to open a command window, and do a nslookup
www.cisco.com" and see if the IP address comes back.
On Macs/Linux: open a terminal window and do a nslookup www.cisco.com" and see if the IP
address comes back.
If you believe the client is not getting DNS resolution, you can either:
Enter either the IP address of the URL (for example, http://www.cisco.com is
http://198.133.219.25)
♦
Try to directly reach the controller's webauth page with
https:///login.html. Typically this is http://1.1.1.1/login.html.
♦
Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also
be a certificate problem. The controller, by default, uses a self−signed certificate and most web
browsers warn against using them.
3.
For web authentication using customized web page, ensure that the HTML code for the customized
web page is appropriate.
You can download a sample Web Authentication script from Cisco Software Downloads. For
example, for the 4400 controllers, choose
Products > Wireless > Wireless LAN Controller >
Standalone Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404 Wireless
LAN Controller > Software on Chassis > Wireless Lan Controller Web Authentication
Bundle−1.0.1
and download the
webauth_bundle.zip
file.
These parameters are added to the URL when the user's Internet browser is redirected to the
customized login page:
4.
ap_mac The MAC address of the access point to which the wireless user is associated.
♦
switch_url The URL of the controller to which the user credentials should be posted.
♦
redirect The URL to which the user is redirected after authentication is successful.
♦
statusCode The status code returned from the controller's web authentication server.
♦
wlan The WLAN SSID to which the wireless user is associated.
♦
These are the available status codes:
Status Code 1: "You are already logged in. No further action is required on your part."
♦
Status Code 2: "You are not configured to authenticate against web portal. No further action
is required on your part."
♦
Status Code 3: "The username specified cannot be used at this time. Perhaps the username is
already logged into the system?"
♦
Status Code 4: "You have been excluded."
♦
Status Code 5: "The User Name and Password combination you have entered is invalid.
Please try again."
♦
All the files and pictures that need to appear on the Customized web page should be bundled into a
.tar file before uploading to the WLC. Ensure that one of the files included in the tar bundle is
login.html. You receive this error message if you do not include the login.html file:
Refer to the Guidelines for Customized Web Authentication section of Wireless LAN Controller Web
Authentication Configuration Example for more information on how to create a customized web
authentication window.
Note:
Files that are large and files that have long names will result in an extraction error. It is
recommended that pictures are in .jpg format.
5.
Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication.
Other browsers may or may not work.
6.
Ensure that the
Scripting
option is not blocked on the client browser as the customized web page on
the WLC is basically an HTML script. On IE 6.0, this is disabled by default for security purposes.
7.
Note:
The Pop Up blocker needs to be disabled on the browser if you have configured any Pop Up
messages for the user.
Note:
If you browse to an
https
site, redirection does not work. Refer to Cisco bug ID CSCar04580
(registered customers only) for more information.
If you have a
host name
configured for the
virtual interface
of the WLC, make sure that the DNS
resolution is available for the host name of the virtual interface.
Note:
Navigate to the
Controller > Interfaces
menu from the WLC GUI in order to assign a
DNS
hostname
to the virtual interface.
8.
Sometimes the firewall installed on the client computer blocks the web authentication login page.
Disable the firewall before you try to access the login page. The firewall can be enabled again once
the web authentication is completed.
9.
Topology/solution firewall can be placed between the client and web−auth server, which depends on
the network. As for each network design/solution implemented, the end user should make sure these
ports are allowed on the network firewall.
Protocol
Port
HTTP/HTTPS Traffic
TCP port 80/443
CAPWAP Data/Control Traffic
UDP port 5247/5246
LWAPP Data/Control Traffic
(before rel 5.0)
UDP port 12222/12223
EOIP packets
IP protocol 97
Mobility
UDP port 16666 (non
secured) UDP port 16667
(secured IPSEC tunnel)
10.
For web authentication to occur, the client should first associate to the appropriate WLAN on the
WLC. Navigate to the
Monitor > Clients
menu on the WLC GUI in order to see if the client is
associated to the WLC. Check if the client has a valid IP address.
11.
Disable the Proxy Settings on the client browser until web authentication is completed.
12.
The default web authentication method is PAP. Ensure that PAP authentication is allowed on the
RADIUS server for this to work. In order to check the status of client authentication, check the
debugs and log messages from the RADIUS server. You can use the
debug aaa all
command on the
WLC to view the debugs from the RADIUS server.
13.
Update the hardware driver on the computer to the latest code from manufacturer's website.
14.
Verify settings in the supplicant (program on laptop).
15.
When you use the Windows Zero Config supplicant built into Windows:
Verify user has latest patches installed.
♦
Run debugs on supplicant.
♦
16.
On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window, Start
> Run > CMD:
netsh ras set tracing eapol enable
netsh ras set tracing rastls enable
In order to disable the logs, run the same command but replace enable with disable. For XP, all logs
will be located in C:\Windows\tracing.
17.
If you still have no login web page, collect and analyze this output from a single client:
debug client
debug dhcp message enable
18.
debug aaa all enable
debug dot1x aaa enable
debug mobility handoff enable
If the issue is not resolved after you complete these steps, collect these debugs and use the TAC
Service Request Tool (registered customers only) in order to open a Service Request.
debug pm ssh−appgw enable
debug pm ssh−tcp enable
debug pm rules enable
debug emweb server enable
debug pm ssh−engine enable packet

Guest Anchor N+1: Multiple guest WLANs and Mobility List

Hi Experts,
We are going to replace two guest anchor controllers WLC4402 sitting in different DMZs with two WLC5508 as N+1 redundant pair in one DMZ.
I assume each guest anchor controller should support multiple guest WLANs. Is it correct?
And between these two new anchor WLCs, do they need to add each other to Mobility List?
Or maybe I should ask first, does it matter if they are in the same mobility group or not?
Thanks
Cedar

N+1 for guest anchors isn't what N+1 was designed for. N+1 was designed for redundancy for WLC's supporting access points, not mobility anchors. This solution might work, but I really doubt Cisco will support this setup, but I can be wrong.... you can always talk with your local Cisco SE or open a TAC case and ask.
Guest anchors should have a different mobility group name from the foreign WLC's. You do need the foreign to have both guest anchors and the guest anchor to just have the foreign WLC(s). The redundant guest anchors do not need to have each other in the mobility group list.
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered"

Guest WLAN and DNS tunneling (IP over DNS with iodine, NSTX, etc)

Hello,
I'm trying to implement guest WLAN with web authentication on the WLC 2504. L3 for guests WLAN is terminated on ASA 5510 (as subinterface).
All works pretty fine. Guests clients are prompted to enter login/password, guests are authenticated against ACS and so on.
But I have a strange idea. How can I prevent unauthorised DNS tunneling from the guest network?
I think that DNS tunneling can be prevented with dns-guard on ASA and dns inspections, e.g. drop dns packets larger then 512 bytes and perform deep inspection againd packets.
Any ideas or advices?

Hello,
I'm trying to implement guest WLAN with web authentication on the WLC 2504. L3 for guests WLAN is terminated on ASA 5510 (as subinterface).
All works pretty fine. Guests clients are prompted to enter login/password, guests are authenticated against ACS and so on.
But I have a strange idea. How can I prevent unauthorised DNS tunneling from the guest network?
I think that DNS tunneling can be prevented with dns-guard on ASA and dns inspections, e.g. drop dns packets larger then 512 bytes and perform deep inspection againd packets.
Any ideas or advices?

Wireless guest wlan and secured corporate wlan

I am implementing an enterprise wireless network for my company. I am planning on setting up one secured corporate wlan for employee and one open guest wlan for the guest/contractor/vendor. Is there a way I can prevent my employee jump from the secured wlan to the guest wlan? Thanks.
Lee

Hi stepehen
LWAPP also defines the tunneling mechanism for data traffic.
A LAP discovers a controller with the use of LWAPP discovery mechanisms. The LAP sends an LWAPP join request to the controller. The controller sends the LAP an LWAPP join response, which allows the AP to join the controller. When the LAP joins to the controller, the LAP downloads the controller software if the revisions on the LAP and controller do not match. Subsequently, the LAP is completely under the control of the controller. LWAPP secures the control communication between the LAP and the controller by means of a secure key distribution. The secure key distribution requires already provisioned X.509 digital certificates on both the LAP and the controller. Factory-installed certificates are referenced with the term "MIC", which is an acronym for Manufacturing Installed Certificate. Cisco Aironet APs that shipped before July 18, 2005, do not have a MIC. So these APs create a self-signed certificate (SSC) when they are upgraded in order to operate in lightweight mode. Controllers are programmed to accept SSCs for the authentication of specific APs.
Pls Refer the docu..
http://cisco.com/en/US/products/ps6306/products_qanda_item09186a00806a4da3.shtml
Regds
Saji k.s

Guest WLAN and VLAN out of 2811 w WLC module

Using a WLC 2006 or 4000 series, there is
no problem getting the traffic on a "guest WLAN" connected to a wired VLAN.
But, how to do that when one is using
a 2811 with a WLC module?
Now the "guest WLAN" connects internally
to the 2811 "interface wlan-controller 1/0" as a VLAN on a subinterface. I do not want the default GW for that VLAN within the 2811. Instead I just want to get it out at layer 2. Transparent bridging between a subinterface "int wlan-controller1/0.x" and "int fastethernet0/1.x" failed. Any ideas?

Try these links:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008070ba8f.shtml
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml

HREAP, Local Switched WLAN and DHCP Address required

Hi All,
if i have configure an HREAP AP with a local switched Wlan with "dhcp ADDRESS REQIRED", from my understanding a client will be provided with an ip address from the hreap local infrastructure. How will the controler ensure that no static ip client is able to access the network?
Any Help Welcome.
Regards, Michael

I posted about this subject on my site (see link below). Since the posting I learned that the client needs to minimumally pass a DHCP discovery packet for the controller to then allow traffic to pass to the client. This is how it "safe guards" someone putting a static address on their box ...
http://www.my80211.com/cisco-wlc-cli-commands/2009/12/30/wlc-dhcp-address-assignment-required-option.html

Guest Access and IP addressing usage

Hi there
Have a typical Guest set up, foreign WLC has a tunnel to a WLC in our DMZ (mobility anchor); client will get a web page, and sign on; and off to the Internet they go.
As we know, client needs an IP address first before it does anything, as the SSID is out there with no authentication. and the problem we are running into is, we are running out of IPs because we have a bunch of clients picking up IPs but then they are not moving towards authenticating (I suspect many clients simply scan for any open SSID and connect to it, thereby using up an IP. We clamped down DHCP Lease time to 30 mins, but this only helped to an extent.
Is there anything on the WLC or other wireless network devices that can limit this from happening? Is increasing the scope the only way to resolve this issue?
Many thanks in advance!

ha! No worries, girl in a tech world... used to it LOL
When we changed up this year (went from a private entity to being taken over by the 'mother ship' as I like to call it; they said '2012 is the Wireless Year, we want it everywhere to be able to be used by everyone; we want it easy, and we want to start employee BYOB (to which I grumbled a bit... but oh well) And now just got news we are taking another division on board, so that number I just gave you I say add another 10 or 15 to, not to mention a few WiSMs thrown in there. We were using Guest NAC, but then it was though to be easier using a shared ID/PW with it changing weekly, which currently I manage by pushing WCS jobs out each week; and future is to use an AD backend for that instead. And this is slightly off topic- but I also broadcast the SSID for the mother ship into our network and tunnel our WLC back to an anchor on their network so users can pick up IPs from there, and then our WLCs live in their radius server.
... Fun Stuff, eh?

Securing Guest Wlan

I am trying to set up a WLAN with internal users and guest users.
I have 2 ssid's one visible one hidden, the visible one is for guest use.
Problem is when I connect to the guest wlan and web auth, I can then ping and telnet to the rest of the corporate network. How do I stop this?

Hi
Have you got separate vlans setup ie.
vlan 10 = users
vlan 11 = guest
You would then hand out different IP address ranges for each vlan eg.
vlan 10 = 192.168.5.0/24
vlan 11 = 192.168.10.0/24
Then you can either use a firewall or use access-lists on the vlan interfaces ie. suppose the coporate network was made up of subnets
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
Also assume you want to allow your guest users out to the Internet
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
etc..
int vlan 11
ip access-group 101 in
This would allow guest users on 192.168.10.0 to access the Internet but not coporate LAN.
HTH
Jon

Guest wlan

Almost there.
Scenario:
2504 wlc
Aps 1140
Port 1 lan radius all ok
Port 2 defined for guest wlan directed attach no isp router dhcp
1 utp cable on router acquire ip address
On guest wlan no ip address is given i think i tried every combinations
Any help?
Sent from Cisco Technical Support iPhone App

Scott Fella wrote:How is the controller setup. You using LAG or not? (NO, it supports???) How many ports on the wlc is connected to the switch? (ONE) What is the ip of your dhcp server? (My lan dhcp - 192.168.2.a)
Post the show WLAN for each of your WLAN's you have created.WLAN Identifier.................................. 3
Profile Name..................................... Guest WLan
Network Name (SSID).............................. WYguest
Status........................................... Disabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Disabled
AAA Policy Override.............................. Disabled
Network Admission Control
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
--More-- or (q)uit
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Disabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ Disabled
--More-- or (q)uit
   Accounting.................................... Disabled
   Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
   802.11 Authentication:........................ Open System
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
                                                               Auth Key Management
         802.1x.................................. Disabled
         PSK..................................... Enabled
         CCKM.................................... Disabled
         FT(802.11r)............................. Disabled
         FT-PSK(802.11r)......................... Disabled
FT Reassociation Timeout......................... 20
FT Over-The-Air mode............................. Enabled
FT Over-The-Ds mode.............................. Enabled
CCKM tsf Tolerance............................... 1000
--More-- or (q)uit
   CKIP ......................................... Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   H-REAP Local Switching........................ Disabled
   H-REAP Local Authentication................... Disabled
   H-REAP Learn IP Address....................... Enabled
   Client MFP.................................... Optional
   Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Mobility Anchor List
WLAN ID     IP Address            Status
Sent from Cisco Technical Support iPhone App

Client unable to get IP address on guest wlan

Hi all, I recently setup a 2504 WLC that has two primary WLANs (internal and guest) which get their IP addresses from a central DHCP server using the local router's broadcast forwarding. Things seem to be working well for the internal wlan, but clients on the guest wlan don't seem to be getting IP addresses. If I give the client a static IP they are able to communicate across the wlan okay.
It is worth noting that I am using LAG between the controller and router and this guest wlan is really just a regular wlan (with PSK) that has an access-list applied to force it to the internet only. The access-list should be allowing dhcp requests through, but in any case, I removed the access-list and it made no difference.
Here is a debug client for a machine connected to the guest vlan (vlan 33). The internal wlan is on the 10.10.10.0/24 network (same as wired and same that the AP's are connected to) and the guest wlan is 10.33.0.0/16.     I don't understand why I am seeing the dhcp request come from the internal vlan/wlan first and it gets an IP address on this network. I then see a request on the guest wlan/vlan at which point it appears to get a valid IP address on the guest network (10.33.0.0), but the client never sees this.
Thoughts?
Thanks,
Bryan
(Cisco Controller) >debug client 8c:2d:aa:36:ca:a3
*DHCP Socket Task: Feb 25 00:49:32.991: 8c:2d:aa:36:ca:a3 DHCP received op BOOTREQUEST (1) (len 308,vlan 1, port 13, encap 0xec03)
*DHCP Socket Task: Feb 25 00:49:32.991: 8c:2d:aa:36:ca:a3 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Feb 25 00:49:32.991: 8c:2d:aa:36:ca:a3 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Feb 25 00:49:32.991: 8c:2d:aa:36:ca:a3 DHCP   xid: 0xbcf5ea3c (3170232892), secs: 0, flags: 0
*DHCP Socket Task: Feb 25 00:49:32.991: 8c:2d:aa:36:ca:a3 DHCP   chaddr: 8c:2d:aa:36:ca:a3
*DHCP Socket Task: Feb 25 00:49:32.992: 8c:2d:aa:36:ca:a3 DHCP   ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 00:49:32.992: 8c:2d:aa:36:ca:a3 DHCP   siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 00:49:32.992: 8c:2d:aa:36:ca:a3 DHCP successfully bridged packet to DS
*DHCP Socket Task: Feb 25 00:49:32.992: 8c:2d:aa:36:ca:a3 DHCP received op BOOTREPLY (2) (len 331,vlan 1, port 13, encap 0xec00)
*DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP processing DHCP OFFER (2)
*DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP   xid: 0xbcf5ea3c (3170232892), secs: 0, flags: 0
*DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP   chaddr: 8c:2d:aa:36:ca:a3
*DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP   ciaddr: 0.0.0.0, yiaddr: 10.10.10.165
*DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP   siaddr: 10.10.10.246, giaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP   server id: 10.10.10.246 rcvd server id: 10.10.10.246
*DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP successfully bridged packet to STA
*DHCP Socket Task: Feb 25 00:49:32.994: 8c:2d:aa:36:ca:a3 DHCP received op BOOTREPLY (2) (len 308,vlan 33, port 13, encap 0xec00)
*DHCP Socket Task: Feb 25 00:49:32.994: 8c:2d:aa:36:ca:a3 DHCP processing DHCP OFFER (2)
*DHCP Socket Task: Feb 25 00:49:32.994: 8c:2d:aa:36:ca:a3 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Feb 25 00:49:32.994: 8c:2d:aa:36:ca:a3 DHCP   xid: 0xbcf5ea3c (3170232892), secs: 0, flags: 0
*DHCP Socket Task: Feb 25 00:49:32.994: 8c:2d:aa:36:ca:a3 DHCP   chaddr: 8c:2d:aa:36:ca:a3
*DHCP Socket Task: Feb 25 00:49:32.994: 8c:2d:aa:36:ca:a3 DHCP   ciaddr: 0.0.0.0, yiaddr: 10.33.1.1
*DHCP Socket Task: Feb 25 00:49:32.995: 8c:2d:aa:36:ca:a3 DHCP   siaddr: 10.10.10.246, giaddr: 10.33.0.1
*DHCP Socket Task: Feb 25 00:49:32.995: 8c:2d:aa:36:ca:a3 DHCP   server id: 10.10.10.246 rcvd server id: 10.10.10.246
*DHCP Socket Task: Feb 25 00:49:32.995: 8c:2d:aa:36:ca:a3 DHCP successfully bridged packet to STA
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP received op BOOTREQUEST (1) (len 308,vlan 1, port 13, encap 0xec03)
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP processing DHCP REQUEST (3)
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP   xid: 0xbcf5ea3c (3170232892), secs: 1, flags: 0
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP   chaddr: 8c:2d:aa:36:ca:a3
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP   ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP   siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP   requested ip: 10.10.10.165
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP   server id: 10.10.10.246 rcvd server id: 10.10.10.246
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP successfully bridged packet to DS
*DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP received op BOOTREPLY (2) (len 308,vlan 1, port 13, encap 0xec00)
*DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP processing DHCP NAK (6)
*DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP   xid: 0xbcf5ea3c (3170232892), secs: 0, flags: 8000
*DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP   chaddr: 8c:2d:aa:36:ca:a3
*DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP   ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP   siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP   server id: 10.10.10.246 rcvd server id: 10.10.10.246
*DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP successfully bridged packet to STA
*DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP received op BOOTREPLY (2) (len 308,vlan 33, port 13, encap 0xec00)
*DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP processing DHCP NAK (6)
*DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP   xid: 0xbcf5ea3c (3170232892), secs: 0, flags: 8000
*DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP   chaddr: 8c:2d:aa:36:ca:a3
*DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP   ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP   siaddr: 0.0.0.0, giaddr: 10.33.0.1
*DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP   server id: 10.10.10.246 rcvd server id: 10.10.10.246
*DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP successfully bridged packet to STA
*apfMsConnTask_1: Feb 25 00:49:35.320: Stats update: Non Zero value

One way to test also is to connect a laptop to a port assigned for the guest vlan. If the device gets an IP, then it's something on the WLC you have to configure. If the device doesn't, then it's a network issue or dhcp server issue.
Sent from Cisco Technical Support iPhone App

Guest anchor WLAN and DHCP

hi,
I am trying to setup a guest WLAN using a local controller and a controller in my DMZ using the mobility-anchor configuration.
Ideally I'd like to use an external DHCP server in my DMZ, but for now, I'd be happy getting the local DHCP server on the DMZ controller working.
Local Controller config
Configured mobility-groups, verified mobility group is working
Created WLAN called "guest" - assigned it to the management interface.
Have tried the following with regards to DHCP on this WLAN.
     Set it to "override" and specified the DMZ controller's mangement interface
     Set DHCP to "assignment required" and specified the DMZ controller's management interface for the DHCP server for the local controller's management      interface
     Left DHCP server blank on the local controller's management interface
Setup the DMZ controller as the mobility anchor for the "guest" WLAN
DMZ controller config
Configured mobility-groups, verified mobility group is working
Created WLAN called "guest"
Created a dynamic interface called "guest" associated to the "guest" WLAN
Setup mobility anchor for the "guest" interface, mobility-anchor = local controller
Created an internal DHCP server scope and enabled it
Have tried the following with regards to DHCP on the "guest" WLAN
     Set DHCP to "assignment required" and specified the IP address of the controllers management interface as the DHCP server on the "guest"      dynamic interface
     Set DHCP to "assignment required" and specified the IP address of the controllers "guest" dynamic interface as the DHCP server on the "guest"       dynamic interface
     Set DHCP to "override" and specified the DMZ controller's management interface IP
     Set DHCP to "override" and specified the DMZ controller's "guest" interface IP
After all this, my client still cannot get an IP address via DHCP. I verfiied the client is associating to the AP.
Any help would be appreciated.
Thanks
Lee

on the DMZ controller, what is the output of a debug client < mac address of the client> You may also want to capture debug mobility handoff enable, from both WLC.
For the guest, the DHCP is going to come from the DMZ controller, so there is no real need to configure anything on the internal WLC. One thing of note, the WLAN config on both the DMZ and Internal must match exactly with the exception of the linked interface, otherwise you will not anchor.
while runnign the debug, show dhcp proxy, for the WLC to be the DHCP server, proxy needs to be enabled.

Guest LAN and WLAN on Controller

Hi,
While creating new ssid, i can see the option guest lan and wlan, whats the difference? which one is preffered?
Thanks in advance..

Hi,
I remember answering this few days and also George joined the thread.. or max week back..
Guest LAN WLAN =
1> The clients connecting to the WLAN will have a time limit on the connectivity, for example you can configure the Guest WLAN for 24 hours or something which you want..
2> I guess George pointed this in the previous thread.. Can be used for Wired Guest Users configuration as well , here is the link..
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008070ba8f.shtml
WLAN =
Just nothing but a SSID with security which doesnt have any time limit.
which one is preffered? =
Its your network and what ever meets your requirements you can use that.. however both of them does its job with different features involved.
lemme know if this answered your question..
Regards
Surendra
====
Please dont forget to rate the posts which answered your question and mark it as answered or was helpfull

RADIUS Bandwidth limit on guest WLAN

Hi Everyone,
I'm running a WLAN scenario which includes a WLC 5508 (7.0) and a bunch of CAPWAP access points. I just deployed a guest SSID that implements a RADIUS server (freeRadius) for authentication and accounting the guest users and everything works fine. However I need to limit the bandwidth on a per-user basis having different BW allocated on the users.
In other words:
SSID: "Guest-SSID" with web authentication
Users (download/upload bandwidth limit in kbps): user1 (512/512), user2 (1024/1024), user3 (512/2048)
When user1 connects, he will be able to download/upload at a 512 Kbps data rate, same as user2 with a d/u 1024 Kbps data rate. And user3 will be able to download at 512 Kbps and upload at 2048 Kbps. The 3 users will be connected on the same SSID: "Guest-SSID".
I've been searching and found that the WLC honors some Airespace attributes that may do the magic, however they are not documented anywhere else but the WLC Configuration Guide. I have modified the freeradius Airespace dictionary but when authenticating, when the RADIUS sends the accept message incluiding the attributes, the WLC shows attribute is considered as unknown, even though the conf. guide shows they must be supported.
I guess it may be caused by a wrong attribute name. Is there something else missing?
This is the WLC AAA debug detail:
(Cisco Controller) >*aaaQueueReader: Mar 19 18:35:08.705: AuthenticationRequest: 0x30b56248
*aaaQueueReader: Mar 19 18:35:08.705: Callback.....................................0x10770a64
*aaaQueueReader: Mar 19 18:35:08.706: protocolType.................................0x00000001
*aaaQueueReader: Mar 19 18:35:08.706: proxyState...................................F4:09:D8:20:11:2F-00:00
*aaaQueueReader: Mar 19 18:35:08.706: Packet contains 11 AVPs (not shown)
*radiusTransportThread: Mar 19 18:35:08.708: AuthorizationResponse: 0x13e25bb0
*radiusTransportThread: Mar 19 18:35:08.708: structureSize................................216
*radiusTransportThread: Mar 19 18:35:08.708: resultCode...................................0
*radiusTransportThread: Mar 19 18:35:08.708: protocolUsed.................................0x00000001
*radiusTransportThread: Mar 19 18:35:08.708: proxyState...................................F4:09:D8:20:11:2F-00:00
*radiusTransportThread: Mar 19 18:35:08.708: Packet contains 9 AVPs:
*radiusTransportThread: Mar 19 18:35:08.708: AVP[01] Unknown Airespace / Attribute 7..........0x00000100 (256) (4 bytes)
*radiusTransportThread: Mar 19 18:35:08.708: AVP[02] Unknown Airespace / Attribute 8..........0x00000100 (256) (4 bytes)
*radiusTransportThread: Mar 19 18:35:08.708: AVP[03] Unknown Airespace / Attribute 9..........0x00000180 (384) (4 bytes)
*radiusTransportThread: Mar 19 18:35:08.708: AVP[04] Unknown Airespace / Attribute 10.........0x00000180 (384) (4 bytes)
*radiusTransportThread: Mar 19 18:35:08.708: AVP[05] Unknown Airespace / Attribute 11.........GRN-Test (8 bytes)
*radiusTransportThread: Mar 19 18:35:08.708: AVP[06] Unknown Airespace / Attribute 13.........0x00000100 (256) (4 bytes)
*radiusTransportThread: Mar 19 18:35:08.708: AVP[07] Unknown Airespace / Attribute 14.........0x00000100 (256) (4 bytes)
*radiusTransportThread: Mar 19 18:35:08.708: AVP[08] Unknown Airespace / Attribute 15.........0x00000180 (384) (4 bytes)
*radiusTransportThread: Mar 19 18:35:08.708: AVP[09] Unknown Airespace / Attribute 16.........0x00000180 (384) (4 bytes)
*aaaQueueReader: Mar 19 18:35:08.718: AccountingMessage Accounting Start: 0x30b56248
*aaaQueueReader: Mar 19 18:35:08.718: Packet contains 14 AVPs:
*aaaQueueReader: Mar 19 18:35:08.718: AVP[01] User-Name................................0x6173 (24947) (2 bytes)
*aaaQueueReader: Mar 19 18:35:08.718: AVP[02] Nas-Port.................................0x0000001d (29) (4 bytes)
*aaaQueueReader: Mar 19 18:35:08.718: AVP[03] Nas-Ip-Address...........................0xc0a89605 (-1062693371) (4 bytes)
*aaaQueueReader: Mar 19 18:35:08.718: AVP[04] Framed-IP-Address........................0xc0a8967b (-1062693253) (4 bytes)
*aaaQueueReader: Mar 19 18:35:08.718: AVP[05] NAS-Identifier...........................WLC-CCIE (8 bytes)
*aaaQueueReader: Mar 19 18:35:08.718: AVP[06] Airespace / WLAN-Identifier..............0x00000006 (6) (4 bytes)
*aaaQueueReader: Mar 19 18:35:08.718: AVP[07] Acct-Session-Id..........................550b5d2c/f4:09:d8:20:11:2f/2 (28 bytes)
*aaaQueueReader: Mar 19 18:35:08.718: AVP[08] Acct-Authentic...........................0x00000001 (1) (4 bytes)
*aaaQueueReader: Mar 19 18:35:08.719: AVP[09] Tunnel-Type..............................0x0000000d (13) (4 bytes)
*aaaQueueReader: Mar 19 18:35:08.719: AVP[10] Tunnel-Medium-Type.......................0x00000006 (6) (4 bytes)
*aaaQueueReader: Mar 19 18:35:08.719: AVP[11] Tunnel-Group-Id..........................150 (3 bytes)
*aaaQueueReader: Mar 19 18:35:08.719: AVP[12] Acct-Status-Type.........................0x00000001 (1) (4 bytes)
*aaaQueueReader: Mar 19 18:35:08.719: AVP[13] Calling-Station-Id.......................192.168.150.123 (15 bytes)
*aaaQueueReader: Mar 19 18:35:08.719: AVP[14] Called-Station-Id........................192.168.150.5 (13 bytes)
My Airespace dictionary:
VENDOR Airespace 14179
BEGIN-VENDOR Airespace
ATTRIBUTE Airespace-Wlan-Id 1 integer
ATTRIBUTE Airespace-QOS-Level 2 integer
ATTRIBUTE Airespace-DSCP 3 integer
ATTRIBUTE Airespace-8021p-Tag 4 integer
ATTRIBUTE Airespace-Interface-Name 5 string
ATTRIBUTE Airespace-ACL-Name 6 string
ATTRIBUTE Airespace-Data-Bandwidth-Average-Contract 7 integer
ATTRIBUTE Airespace-Real-Time-Bandwidth-Average-Contract 8 integer
ATTRIBUTE Airespace-Data-Bandwidth-Burst-Contract 9 integer
ATTRIBUTE Airespace-Real-Time-Bandwidth-Burst-Contract 10 integer
ATTRIBUTE Airespace-Guest-Role-Name 11 string
ATTRIBUTE Airespaces-Data-Bandwidth-Average-Contract-Upstream 13 integer
ATTRIBUTE Airespace-Real-Time-Bandwidth-Average-Contract-Upstream 14 integer
ATTRIBUTE Airespace-Data-Bandwidth-Burst-Contract-Upstream 15 integer
ATTRIBUTE Airespace-Real-Time-Bandwidth-Burst-Contract-Upstream 16 integer
VALUE Airespace-QOS-Level Bronze 3
VALUE Airespace-QOS-Level Silver 0
VALUE Airespace-QOS-Level Gold 1
VALUE Airespace-QOS-Level Platinum 2
END-VENDOR Airespace
This is the configuration guide I'm using:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0MR1/configuration/guide/wlc_cg70MR1/cg_security_sol.html#pgfId-1457964
Table 6-5.
Any help will be really apreciated!
Regards!
Jonathan S.

If you choose to create an entry on the RADIUS server for a guest user and enable RADIUS authentication for the WLAN on which web authentication is performed rather than adding a guest user to the local user database from the controller, you need to assign the QoS role on the RADIUS server itself. To do so, a “guest-role” Airespace attribute needs to be added on the RADIUS server with a datatype of “string” and a return value of “11.” This attribute is sent to the controller when authentication occurs. If a role with the name returned from the RADIUS server is found configured on the controller, the bandwidth associated to that role is enforced for the guest user after authentication completes successfully.

Guest WLAN and IP Address Exhaustion

Similar Messages

Maybe you are looking for