Guest WLAN setup?

We have just set up a WLAN. We have a 4402 controller and 1131AG access points.
We have a lot of consultants, guests, presenters, etc. roll through who need Internet access. I'd like to setup a WLAN that is seperate from our production network and gets them to the Internet.
I have a DMZ I could set up for this use, but I'm wondering how best to set up the guest WLAN.
Our network is not currently configured for VLANs, so the production WLAN is not configured for VLAN.
Any ideas greatly appreciated.

hi Fella,
i am very much interested in doin the same thing ans i think your suggestion could help solve my problem,but i don really understand part of what u are saying.
say i create native vlan for management and ap-managers and use port one for that particular vlan.
the create a guset vlan anf have it passing through port 2 all the way to the DMZ.is that what you are saying ??
my current situation is that i have two vlans,vlan 1 which has the corporate wlan and vlan 4 which was created for guests all the vlans are allowed to pass through port 1.my problem is that guests clients cannot get dhcp addresses from the scope that i create either in the controller or in the switch.It only gets addresses from the vlan 1,which is on the corporate network.and on the other side if i create another native vlan for the corporate wlan the aps are not able to register with the controller.how do i get around this ?

Similar Messages

  • Client unable to get IP address on guest wlan

    Hi all,  I recently setup a 2504 WLC that has two primary WLANs (internal and guest) which get their IP addresses from a central DHCP server using the local router's broadcast forwarding.  Things seem to be working well for the internal wlan, but clients on the guest wlan don't seem to be getting IP addresses.  If I give the client a static IP they are able to communicate across the wlan okay.
    It is worth noting that I am using LAG between the controller and router and this guest wlan is really just a regular wlan (with PSK) that has an access-list applied to force it to the internet only.  The access-list should be allowing dhcp requests through, but in any case, I removed the access-list and it made no difference.
    Here is a debug client for a machine connected to the guest vlan (vlan 33).  The internal wlan is on the 10.10.10.0/24 network (same as wired and same that the AP's are connected to) and the guest wlan is 10.33.0.0/16.     I don't understand why I am seeing the dhcp request come from the internal vlan/wlan first and it gets an IP address on this network.  I then see a request on the guest wlan/vlan at which point it appears to get a valid IP address on the guest network (10.33.0.0), but the client never sees this.  
    Thoughts? 
    Thanks,
    Bryan
    (Cisco Controller) >debug client 8c:2d:aa:36:ca:a3
    *DHCP Socket Task: Feb 25 00:49:32.991: 8c:2d:aa:36:ca:a3 DHCP received op BOOTREQUEST (1) (len 308,vlan 1, port 13, encap 0xec03)
    *DHCP Socket Task: Feb 25 00:49:32.991: 8c:2d:aa:36:ca:a3 DHCP processing DHCP DISCOVER (1)
    *DHCP Socket Task: Feb 25 00:49:32.991: 8c:2d:aa:36:ca:a3 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Feb 25 00:49:32.991: 8c:2d:aa:36:ca:a3 DHCP   xid: 0xbcf5ea3c (3170232892), secs: 0, flags: 0
    *DHCP Socket Task: Feb 25 00:49:32.991: 8c:2d:aa:36:ca:a3 DHCP   chaddr: 8c:2d:aa:36:ca:a3
    *DHCP Socket Task: Feb 25 00:49:32.992: 8c:2d:aa:36:ca:a3 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 00:49:32.992: 8c:2d:aa:36:ca:a3 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 00:49:32.992: 8c:2d:aa:36:ca:a3 DHCP successfully bridged packet to DS
    *DHCP Socket Task: Feb 25 00:49:32.992: 8c:2d:aa:36:ca:a3 DHCP received op BOOTREPLY (2) (len 331,vlan 1, port 13, encap 0xec00)
    *DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP processing DHCP OFFER (2)
    *DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP   xid: 0xbcf5ea3c (3170232892), secs: 0, flags: 0
    *DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP   chaddr: 8c:2d:aa:36:ca:a3
    *DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.10.10.165
    *DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP   siaddr: 10.10.10.246,  giaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP   server id: 10.10.10.246  rcvd server id: 10.10.10.246
    *DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP successfully bridged packet to STA
    *DHCP Socket Task: Feb 25 00:49:32.994: 8c:2d:aa:36:ca:a3 DHCP received op BOOTREPLY (2) (len 308,vlan 33, port 13, encap 0xec00)
    *DHCP Socket Task: Feb 25 00:49:32.994: 8c:2d:aa:36:ca:a3 DHCP processing DHCP OFFER (2)
    *DHCP Socket Task: Feb 25 00:49:32.994: 8c:2d:aa:36:ca:a3 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Feb 25 00:49:32.994: 8c:2d:aa:36:ca:a3 DHCP   xid: 0xbcf5ea3c (3170232892), secs: 0, flags: 0
    *DHCP Socket Task: Feb 25 00:49:32.994: 8c:2d:aa:36:ca:a3 DHCP   chaddr: 8c:2d:aa:36:ca:a3
    *DHCP Socket Task: Feb 25 00:49:32.994: 8c:2d:aa:36:ca:a3 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.33.1.1
    *DHCP Socket Task: Feb 25 00:49:32.995: 8c:2d:aa:36:ca:a3 DHCP   siaddr: 10.10.10.246,  giaddr: 10.33.0.1
    *DHCP Socket Task: Feb 25 00:49:32.995: 8c:2d:aa:36:ca:a3 DHCP   server id: 10.10.10.246  rcvd server id: 10.10.10.246
    *DHCP Socket Task: Feb 25 00:49:32.995: 8c:2d:aa:36:ca:a3 DHCP successfully bridged packet to STA
    *DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP received op BOOTREQUEST (1) (len 308,vlan 1, port 13, encap 0xec03)
    *DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP processing DHCP REQUEST (3)
    *DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP   xid: 0xbcf5ea3c (3170232892), secs: 1, flags: 0
    *DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP   chaddr: 8c:2d:aa:36:ca:a3
    *DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP   requested ip: 10.10.10.165
    *DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP   server id: 10.10.10.246  rcvd server id: 10.10.10.246
    *DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP successfully bridged packet to DS
    *DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP received op BOOTREPLY (2) (len 308,vlan 1, port 13, encap 0xec00)
    *DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP processing DHCP NAK (6)
    *DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP   xid: 0xbcf5ea3c (3170232892), secs: 0, flags: 8000
    *DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP   chaddr: 8c:2d:aa:36:ca:a3
    *DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP   server id: 10.10.10.246  rcvd server id: 10.10.10.246
    *DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP successfully bridged packet to STA
    *DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP received op BOOTREPLY (2) (len 308,vlan 33, port 13, encap 0xec00)
    *DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP processing DHCP NAK (6)
    *DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP   xid: 0xbcf5ea3c (3170232892), secs: 0, flags: 8000
    *DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP   chaddr: 8c:2d:aa:36:ca:a3
    *DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP   siaddr: 0.0.0.0,  giaddr: 10.33.0.1
    *DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP   server id: 10.10.10.246  rcvd server id: 10.10.10.246
    *DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP successfully bridged packet to STA
    *apfMsConnTask_1: Feb 25 00:49:35.320: Stats update: Non Zero value

    One way to test also is to connect a laptop to a port assigned for the guest vlan. If the device gets an IP, then it's something on the WLC you have to configure. If the device doesn't, then it's a network issue or dhcp server issue.
    Sent from Cisco Technical Support iPhone App

  • Guest wlan design questions

    I need to setup a guest wlan on a single 5508 controller. Currently all of my ap's are in h-reap mode and all in remote buildings connected via a high speed wireless wan.
    The guest network could consist of 500 users in the near future, so i'm wondering what is the best way to configure the guest wlan so I don't have one big broadcast domain across my entire network?

    Ok. I already have my ap's in ap groups (per building) and I have different vlans in each building with the same ssid company wide. I'm doing this via h-reap.
    My question is how do I accomplish the same thing with the guest wlan, but without h-reap. Or do i use h-reap and just setup acl's to block the traffic? But then does web authentication work the same?
    The confusion for me comes in at the controller level with the guest-wlan interface I created having to be attached to a vlan. Is this not needed to do web authentication?
    Thanks,
    Dan.

  • Using AD to authenticate BYOD users on Guest WLAN

    First off, I have several WLANs -- one is a "Guest" that is anchored to our corporate WiSMv1 running 7.0.240.0 code.  We have many 5508s running 8.0.100.0 -- the "guest" is tunneled back to the core WiSMv1.   Right now, the Guest splashes a web page that a user just has to click through to get n the Guest WLAN.  I currently have a production WLAN set up to use 802.1x and pass credentials through Win 2012R2 NPS (Radius) so that our employees can log on using their AD credentials.
    We are looking to avoid the complexity and cost of ISE.   We want to build a basic self-subscription process.  I'd like to set up a separate "test" Guest network that will splash a web page that will basically have 2 sections -- the top section will display a phone number for the user to call.  Basically the system will generate a random ID/PW which will be spoken or sent in a text message to the caller.  Behind the scene, we will load these credentials into an AD OU.   The bottom of this web page will be the fields for the user to enter the ID / PW which in turn will be validated to the AD. 
    I can't mess with the current Guest "anchored" in the corporate WiSM.   We already have a custom web page and it appears you can only have one.  So I was thinking of setting it up at one of the remote 5508 sites....  I can download a custom web page there and I believe I can still use the "management" interface to grab IPs out of the Guest Subnet that resides in our HQ.  
    My uncertainty revolves around the WLC / WLAN setup to use AD (via Radius if necessary) to validate the user -- and since it is BYOD, I have no idea what the client device will be and do not want the user to be required to do any setup.
    I have gone through a lot of docs --- many talk about ISE.  Others are really old -- and of course there is difference between WLC web pages simply due to the 8.0 code on the 5508s!
    I am hoping this is a fairly straight forward setup.  
    TIA - Perry

    Hi,
    Your starting 3 Paragraphs say that you want to modify Guest page only.But after that You talk about the BYOD.BYOD involves device registration , supplicant provisioning etc and is entirely for different use. If you think , you are asking about that , Please go through this Tech-Talk by me to understand BYOD (Video as well Brief note )along with PPT having all the required configuration on WLC side,AD side,CA server and ISE side.
    "We want to build a basic self-subscription process.  I'd like to set up a separate "test" Guest network that will splash a web page that will basically have 2 sections -- the top section will display a phone number for the user to call.  Basically the system will generate a random ID/PW which will be spoken or sent in a text message to the caller. "
    If the requirement is the above i.e display Phone number which user would call to get credentials , it can be done via simply modifying the HTML web-page to show that number and load in to the WLC or else host that page on some external server.Infact , you can modify the Internal web page of the WLC via Security>Web-authentciation and write a header and message to be displayed on the web-page which WLC displays which can have your Mobile number to call.Once credentials are submitted , WLCcan do radius authentication.
    Also 8.0 simply brings Redirection over HTTPS feature in to the WLC and there is no change in anything else i.e the concept via which web-authentciation/works.
    Regards
    Dhiresh
    **Please rate helpful posts**

  • Guest Anchor N+1: Multiple guest WLANs and Mobility List

    Hi Experts,
    We are going to replace two guest anchor controllers WLC4402 sitting in different DMZs with two WLC5508 as N+1 redundant pair in one DMZ.
    I assume each guest anchor controller should support multiple guest WLANs. Is it correct?
    And between these two new anchor WLCs, do they need to add each other to Mobility List?
    Or maybe I should ask first, does it matter if they are in the same mobility group or not?
    Thanks
    Cedar

    N+1 for guest anchors isn't what N+1 was designed for.  N+1 was designed for redundancy for WLC's supporting access points, not mobility anchors.  This solution might work, but I really doubt Cisco will support this setup, but I can be wrong.... you can always talk with your local Cisco SE or open a TAC case and ask.
    Guest anchors should have a different mobility group name from the foreign WLC's.  You do need the foreign to have both guest anchors and the guest anchor to just have the foreign WLC(s).  The redundant guest anchors do not need to have each other in the mobility group list.
    Thanks,
    Scott
    Help out other by using the rating system and marking answered questions as "Answered"

  • Guest WLAN Spalsh page to external URL

    Hi, I want to setup a webpage for my guest network (no authentication) users. When the client connects to the open guest network and upon opening a browser they would be directed to a survey that I would like them to take, if they don't want to take it they can begin browsing to other sites without issue. How do I do this on a my 5508 WLC?

    You mean in the WLAN config? If so, that didn't work either.
    To recap where I am at now I have my WLAN setup with just passthrough.
    Then under security Web auth > web login page I have it set as
    Unfortunatlly, I still cannot leave the External Webauth URL empty
    With the above setup, the client after connecting to the WLAN has the browser auto launch and appears to direct to the redirect site, however the page just refreshes and does not load. Long URL with domain.com/blah blah blah/1.1.1.1 virtual interface of the WLC.
    Message was edited by: Andrew Schulz

  • Guest wlan

    Almost there.
    Scenario:
    2504 wlc
    Aps 1140
    Port 1 lan radius all ok
    Port 2 defined for guest wlan directed attach no isp router dhcp
    1 utp cable on router acquire ip address
    On guest wlan no ip address is given i think i tried every combinations
    Any help?
    Sent from Cisco Technical Support iPhone App

    Scott Fella wrote:How is the controller setup. You using LAG or not? (NO, it supports???) How many ports on the wlc is connected to the switch? (ONE)  What is the ip of your dhcp server? (My lan dhcp - 192.168.2.a)
    Post the show WLAN for each of your WLAN's you have created.WLAN Identifier.................................. 3
    Profile Name..................................... Guest WLan
    Network Name (SSID).............................. WYguest
    Status........................................... Disabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Disabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
      Radius-NAC State............................... Disabled
      SNMP-NAC State................................. Disabled
      Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 0
    Number of Active Clients......................... 0
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 1800 seconds
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ management
    Multicast Interface.............................. Not Configured
    --More-- or (q)uit
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Disabled
    Static IP client tunneling....................... Disabled
    Quality of Service............................... Silver (best effort)
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Disabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... All
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
       Authentication................................ Disabled
    --More-- or (q)uit
       Accounting.................................... Disabled
       Dynamic Interface............................. Disabled
    Local EAP Authentication......................... Disabled
    Security
       802.11 Authentication:........................ Open System
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Enabled
          WPA (SSN IE)............................... Disabled
          WPA2 (RSN IE).............................. Enabled
             TKIP Cipher............................. Disabled
             AES Cipher.............................. Enabled
                                                                   Auth Key Management
             802.1x.................................. Disabled
             PSK..................................... Enabled
             CCKM.................................... Disabled
             FT(802.11r)............................. Disabled
             FT-PSK(802.11r)......................... Disabled
    FT Reassociation Timeout......................... 20
    FT Over-The-Air mode............................. Enabled
    FT Over-The-Ds mode.............................. Enabled
    CCKM tsf Tolerance............................... 1000
    --More-- or (q)uit
       CKIP ......................................... Disabled
       Web Based Authentication...................... Disabled
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
       Auto Anchor................................... Disabled
       H-REAP Local Switching........................ Disabled
       H-REAP Local Authentication................... Disabled
       H-REAP Learn IP Address....................... Enabled
       Client MFP.................................... Optional
       Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    Mobility Anchor List
    WLAN ID     IP Address            Status
    Sent from Cisco Technical Support iPhone App

  • Securing Guest Wlan

    I am trying to set up a WLAN with internal users and guest users.
    I have 2 ssid's one visible one hidden, the visible one is for guest use.
    Problem is when I connect to the guest wlan and web auth, I can then ping and telnet to the rest of the corporate network. How do I stop this?

    Hi
    Have you got separate vlans setup ie.
    vlan 10 = users
    vlan 11 = guest
    You would then hand out different IP address ranges for each vlan eg.
    vlan 10 = 192.168.5.0/24
    vlan 11 = 192.168.10.0/24
    Then you can either use a firewall or use access-lists on the vlan interfaces ie. suppose the coporate network was made up of subnets
    192.168.1.0/24
    192.168.2.0/24
    192.168.3.0/24
    Also assume you want to allow your guest users out to the Internet
    access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
    etc..
    int vlan 11
    ip access-group 101 in
    This would allow guest users on 192.168.10.0 to access the Internet but not coporate LAN.
    HTH
    Jon

  • RV320 Dual WLAN Setup

    Hello I bought an RV320 Router and a WAP371 AP. I am trying to setup my Network with a private LAN, and a private WLAN for the business as well as a Guest WLAN for customers.
    I am trying to setup 2 VLAN.
    VLAN1 (192.168.1.1 /24) : for managing the router
    VLAN20 (192.168.2.1 /24) : for my private network
    VLAN30 (192.168.3.1 .24) : for my guest network
    I do not want the router to broadcast DHCP to VLAN20 because I have a DHCP server already.
    The problem I am having is that I am not able to receive IP addresses on my Wireless clients.

    Hello edgard409,
    Thank you for using the Cisco Small Business Support Community!
    Would you be able to provide any additional information about your topology, including how you have your VLAN memberships configured on your RV320?
    In the meantime, I've also found a few articles in our Knowledge Base that will hopefully help guide you through the process of setting up the DHCP server on VLANs 1 and 30, and disabling it on 20 (located here), and on setting up your VLAN memberships (located here).
    I hope this helps you out, and if you experience further issues, please reply back and we'll do our best to find a solution to solve your problem! If this post resolves your issue, please remember to mark your question as resolved and rate to help other community members with similar issues. Thanks!
    Best,
    Gunner

  • Guest WLAN need to re-authenticate for each new tab

    Hi,
    We installed recently a new WLC 2504 with 22 AP's.
    We use web authentication for the guest WLAN.
    The porblem is : users can login and authenticate but whenever the open a new webbrowser tab they need to re-authenticate again.
    And this for each new tab they open.
    Anybody knows how to solve this?

    No, the user shouldn't have to reauthenticate for every tab they open, once the clients entry is built in the MSCB they should stay in a RUN state until either the reauth timer or the user idle timer expire.
    First I'd upgrade to 7.0.220.0 and see if that resolves the issue.  If it doens't get a TAC case open.
    Steve

  • Two different radius authentication methods on one guest wlan

    I would like to use two different radius servers to one guest wlan.
    One radius server is the Cisco NAC guest server, but I would like to use e.g. a RSA SecurID server as the second.
    If the user does not exsist on the NAC guest server, the wlc should check the RSA server.
    As I understand the servers mentioned under the layer 3 config tab on the wlan configuration tab is doing round-robin.
    Is there any way that I can implement this?
    Best regards,
    Steffen Lindemann

    Is there anything on the roadmap for the NAC guest server to use AD as an external database?
    It seems like it shouldn't be too difficult since the server is already using AD to map sponsor roles.
    We really would prefer to use a single SSID instead separate SSIDs for guest and domain accounts.
    Thanks in advance!

  • Guest WLAN and Web Auth?

    Hi Guys,
    Maybe someone can help me out?
    I just finished setting up a trial "Cisco Virtual Wireless Controller" with nearly the same configuration as our Physical
    "Cisco Wireless Controller" with the exception of having 2 ports.  Anyhow, I managed to get everything working except for the WEB AUTH on the Guest WLAN.  When a client connects, he gets a DHCP address from our ASA but when we try to get to a website, we never reach the WEB AUTH page. 
    What I tried so far is..
    add a DNS Host Name to the virtual interface and assign it to our internal DNS server.dns name was resolving but we were unable to ping 1.1.1.1
    changed the virtual ip from 1.1.1.1 to 2.2.2.2 and modified the DNS entrydns name resoved but still could not ping 2.2.2.2(I think this is normal)
    changed the virtual IP to a private address of 192.168.102.1 and modified the dns entrysame result
    I've attached some screenshots of our configuration.

    Troubleshooting Web Authentication
    After you configure web authentication, if the feature does not work as expected, complete these
    troubleshooting steps:
    Check if the client gets an IP address. If not, users can uncheck
    DHCP Required
    on the WLAN and
    give the wireless client a static IP address. This assumes association with the access point. Refer to
    the
    IP addressing issues
    section of
    Troubleshooting Client Issues in the Cisco Unified Wireless
    Network for troubleshooting DHCP related issues
    1.
    On WLC versions earlier than 3.2.150.10, you must manually enter
    https://1.1.1.1/login.html
    in
    order to navigate to the web authentication window.
    The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client
    connects to a WLAN configured for web authentication, the client obtains an IP address from the
    DHCP server. The user opens a web browser and enters a website address. The client then performs
    the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the
    website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web
    authentication login page.
    2.
    Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On
    Windows, choose
    Start > Run
    , enter
    CMD
    in order to open a command window, and do a  nslookup
    www.cisco.com" and see if the IP address comes back.
    On Macs/Linux: open a terminal window and do a  nslookup www.cisco.com" and see if the IP
    address comes back.
    If you believe the client is not getting DNS resolution, you can either:
    Enter either the IP address of the URL (for example, http://www.cisco.com is
    http://198.133.219.25)

    Try to directly reach the controller's webauth page with
    https:///login.html. Typically this is http://1.1.1.1/login.html.

    Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also
    be a certificate problem. The controller, by default, uses a self−signed certificate and most web
    browsers warn against using them.
    3.
    For web authentication using customized web page, ensure that the HTML code for the customized
    web page is appropriate.
    You can download a sample Web Authentication script from Cisco Software Downloads. For
    example, for the 4400 controllers, choose
    Products > Wireless > Wireless LAN Controller >
    Standalone Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404 Wireless
    LAN Controller > Software on Chassis > Wireless Lan Controller Web Authentication
    Bundle−1.0.1
    and download the
    webauth_bundle.zip
    file.
    These parameters are added to the URL when the user's Internet browser is redirected to the
    customized login page:
    4.
    ap_mac The MAC address of the access point to which the wireless user is associated.

    switch_url The URL of the controller to which the user credentials should be posted.

    redirect The URL to which the user is redirected after authentication is successful.

    statusCode The status code returned from the controller's web authentication server.

    wlan The WLAN SSID to which the wireless user is associated.

    These are the available status codes:
    Status Code 1: "You are already logged in. No further action is required on your part."

    Status Code 2: "You are not configured to authenticate against web portal. No further action
    is required on your part."

    Status Code 3: "The username specified cannot be used at this time. Perhaps the username is
    already logged into the system?"

    Status Code 4: "You have been excluded."

    Status Code 5: "The User Name and Password combination you have entered is invalid.
    Please try again."

    All the files and pictures that need to appear on the Customized web page should be bundled into a
    .tar file before uploading to the WLC. Ensure that one of the files included in the tar bundle is
    login.html. You receive this error message if you do not include the login.html file:
    Refer to the Guidelines for Customized Web Authentication section of Wireless LAN Controller Web
    Authentication Configuration Example for more information on how to create a customized web
    authentication window.
    Note:
    Files that are large and files that have long names will result in an extraction error. It is
    recommended that pictures are in .jpg format.
    5.
    Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication.
    Other browsers may or may not work.
    6.
    Ensure that the
    Scripting
    option is not blocked on the client browser as the customized web page on
    the WLC is basically an HTML script. On IE 6.0, this is disabled by default for security purposes.
    7.
    Note:
    The Pop Up blocker needs to be disabled on the browser if you have configured any Pop Up
    messages for the user.
    Note:
    If you browse to an
    https
    site, redirection does not work. Refer to Cisco bug ID CSCar04580
    (registered customers only) for more information.
    If you have a
    host name
    configured for the
    virtual interface
    of the WLC, make sure that the DNS
    resolution is available for the host name of the virtual interface.
    Note:
    Navigate to the
    Controller > Interfaces
    menu from the WLC GUI in order to assign a
    DNS
    hostname
    to the virtual interface.
    8.
    Sometimes the firewall installed on the client computer blocks the web authentication login page.
    Disable the firewall before you try to access the login page. The firewall can be enabled again once
    the web authentication is completed.
    9.
    Topology/solution firewall can be placed between the client and web−auth server, which depends on
    the network. As for each network design/solution implemented, the end user should make sure these
    ports are allowed on the network firewall.
    Protocol
    Port
    HTTP/HTTPS Traffic
    TCP port 80/443
    CAPWAP Data/Control Traffic
    UDP port 5247/5246
    LWAPP Data/Control Traffic
    (before rel 5.0)
    UDP port 12222/12223
    EOIP packets
    IP protocol 97
    Mobility
    UDP port 16666 (non
    secured) UDP port 16667
    (secured IPSEC tunnel)
    10.
    For web authentication to occur, the client should first associate to the appropriate WLAN on the
    WLC. Navigate to the
    Monitor > Clients
    menu on the WLC GUI in order to see if the client is
    associated to the WLC. Check if the client has a valid IP address.
    11.
    Disable the Proxy Settings on the client browser until web authentication is completed.
    12.
    The default web authentication method is PAP. Ensure that PAP authentication is allowed on the
    RADIUS server for this to work. In order to check the status of client authentication, check the
    debugs and log messages from the RADIUS server. You can use the
    debug aaa all
    command on the
    WLC to view the debugs from the RADIUS server.
    13.
    Update the hardware driver on the computer to the latest code from manufacturer's website.
    14.
    Verify settings in the supplicant (program on laptop).
    15.
    When you use the Windows Zero Config supplicant built into Windows:
    Verify user has latest patches installed.

    Run debugs on supplicant.

    16.
    On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window, Start
    > Run > CMD:
    netsh ras set tracing eapol enable
    netsh ras set tracing rastls enable
    In order to disable the logs, run the same command but replace enable with disable. For XP, all logs
    will be located in C:\Windows\tracing.
    17.
    If you still have no login web page, collect and analyze this output from a single client:
    debug client
    debug dhcp message enable
    18.
    debug aaa all enable
    debug dot1x aaa enable
    debug mobility handoff enable
    If the issue is not resolved after you complete these steps, collect these debugs and use the TAC
    Service Request Tool (registered customers only) in order to open a Service Request.
    debug pm ssh−appgw enable
    debug pm ssh−tcp enable
    debug pm rules enable
    debug emweb server enable
    debug pm ssh−engine enable packet

  • GUest WLAN with Anchor WLC - roaming problems

    Hello,
    my wireless network consists in 3 WLC 4402 which manage 40 APs.
    I have a fourth WLC which I installed on my DMZ for guest vlan anchoring and web autentication.
    Everiting works fine but I have a problem:
    If my client associates with an AP and then I authenticate I'm ready to make traffic. As soon as my client roams to an AP managed by a differnt WLC I need to authenticate again. If I roam back to the first AP i need to reauthenticate.
    In my guest WLAN I use WEB authentication provided by the internal web server of the Anchor WLC.
    Thnks everybody

    Here are the output of show mobility summary.
    The last WLC is the anchor.
    WLC1
    Symmetric Mobility Tunneling (current) .......... Disabled
    Symmetric Mobility Tunneling (after reboot) ..... Disabled
    Mobility Protocol Port........................... 16666
    Mobility Security Mode........................... Disabled
    Default Mobility Domain.......................... mob1
    Multicast Mode .................................. Disabled
    Mobility Domain ID for 802.11r................... 0x392f
    Mobility Keepalive Interval...................... 10
    Mobility Keepalive Count......................... 3
    Mobility Group Members Configured................ 2
    Mobility Control Message DSCP Value.............. 0
    Controllers configured in the Mobility Group
    MAC Address IP Address Group Name Multicast IP Sta
    tus
    00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
    00:23:04:7d:73:20 10.20.1.21 mob1 0.0.0.0 Up
    WLC2
    Symmetric Mobility Tunneling (current) .......... Disabled
    Symmetric Mobility Tunneling (after reboot) ..... Disabled
    Mobility Protocol Port........................... 16666
    Mobility Security Mode........................... Disabled
    Default Mobility Domain.......................... mob1
    Multicast Mode .................................. Disabled
    Mobility Domain ID for 802.11r................... 0x392f
    Mobility Keepalive Interval...................... 10
    Mobility Keepalive Count......................... 3
    Mobility Group Members Configured................ 2
    Mobility Control Message DSCP Value.............. 0
    Controllers configured in the Mobility Group
    MAC Address IP Address Group Name Multicast IP Sta
    tus
    00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
    00:23:04:7d:62:a0 10.20.1.22 mob1 0.0.0.0 Up
    WLC3
    Symmetric Mobility Tunneling (current) .......... Disabled
    Symmetric Mobility Tunneling (after reboot) ..... Disabled
    Mobility Protocol Port........................... 16666
    Mobility Security Mode........................... Disabled
    Default Mobility Domain.......................... mob1
    Multicast Mode .................................. Disabled
    Mobility Domain ID for 802.11r................... 0x392f
    Mobility Keepalive Interval...................... 10
    Mobility Keepalive Count......................... 3
    Mobility Group Members Configured................ 2
    Mobility Control Message DSCP Value.............. 0
    Controllers configured in the Mobility Group
    MAC Address IP Address Group Name Multicast IP Sta
    tus
    00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
    00:23:04:7d:79:80 10.20.2.21 mob1 0.0.0.0 Up
    WLCAnchor
    (Cisco Controller) >show mobility summary
    Symmetric Mobility Tunneling (current) .......... Disabled
    Symmetric Mobility Tunneling (after reboot) ..... Disabled
    Mobility Protocol Port........................... 16666
    Mobility Security Mode........................... Disabled
    Default Mobility Domain.......................... mob1
    Multicast Mode .................................. Disabled
    Mobility Domain ID for 802.11r................... 0x392f
    Mobility Keepalive Interval...................... 10
    Mobility Keepalive Count......................... 3
    Mobility Group Members Configured................ 4
    Mobility Control Message DSCP Value.............. 0
    Controllers configured in the Mobility Group
    MAC Address IP Address Group Name Multicast IP Sta
    tus
    00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
    00:23:04:7d:62:a0 10.20.1.22 mob1 0.0.0.0 Up
    00:23:04:7d:73:20 10.20.1.21 mob1 0.0.0.0 Up
    00:23:04:7d:79:80 10.20.2.21 mob1 0.0.0.0 Up

  • How to print guest WLAN account password?

    When a guest wlan user is created (by the LobbyAdmn function) there I get back a pop-up box with her autogenerated password. This is normally a rather complex password. Is there any way to print this with e.g. a label printer so that I can give it to people and wish them good luck rather than writing it down, making errors, joking about my hand writing etc. etc.. I think that looks rather unprofessional.

    Hi Joerg,
    This capability (sadly) is only available when creating Guest accounts
    using the WCS,as shown in the attached doc. With WCS you have the
    option to Print or email this info;
    http://cisco.biz/en/US/docs/wireless/technology/guest_access/technical/reference/4.1/GAccess_41.html
    Cheers!
    Rob

  • Throttling Guest WLAN on WLC 8500

    What is the best practise to throttle the Guest WLAN, which is only used for Internet access?

    I agree with Steve.  The situation is really going to depend on your bandwidth and just how important you feel your guest traffic is.   You also have to run a higher version of code at least 7.4 to get more granular with limiting.
    But here's something to consider.  My deployments are pretty much a controller per facility.  I tend to bandwidth limit by (guest) SSID and just provide a 10mbps DOWN and 5mbps UP.  Of course depends on the size of the facility and the number of guests.  That said my guests users are typically email and browsers but there are more and more video streamers coming online but for now I use 10M and 5m and run about 300 connections with no problems.
    ***I don't like to modify the Qos profile and limit because that requires that you shut down the radios.  I like to modify the override section on the WLAN / Qos settings. 
    Good luck.

Maybe you are looking for