HREAP local switching with web auth

Similar Messages

• HREAP - Local switching

  Hi All,
  I have a working WLC with several HREAP AP's all Woking as they should, my question is what happens to dhcp requests when an AP is configured for HREAP local switching with no VLan support enabled ( connected to an access port not a trunk)? The local VLan has a dhcp helper address configured for an external DHCP server When a wireless client connects does all the traffic get dropped directly onto the local VLAN (in my case VLAN 10) or does any traffic transverse through the controller? I ask this because on the advanced setting page of the WLAN I have ticked DHCP REQ, how does the controller determine if the wireless client has a valid IP if the DHCP request is being supplied by the local VLAN.
  I was under the impression that the control and data planes are separated?
  Thanks in advance for any replies.
  Sent from Cisco Technical Support iPhone App

  You are correct, it gets dumpped on your vlan 10. As for your very specific question, thats a great question and I dont know that I have the anwser. Perhaps someone else like Steve, Leo or Scott can reply if they tested it.
  Im going to take a stab in the dark and say perhaps the ap makes sure it sees a dhcp req packet come in before it allows the client to get into the run state.
  OR, its doesnt work.
  OR, if that check box is marked, perhaps the ap relays some type of response back to the WCL ...
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

• How to generate CSR on switches for web auth with NGS

  Hello
  I am doing a dot1x solution with web auth on cisco 3750 switches.
  Once the wired client get put into web auth state (after dot1x and mab) and goes to a website, he gets a certificate warning. This is because the certificate of the cisco switch is selfsigned.
  I want to use a verisign certificate to solve this error, but I cannot find a way to generate a CSR on a switch. I only found a guide how to request a certificate from a CA on the local network, but this is also not a solution, because the clients using the web auth, will not know the internal CA.
  Is there any way to solve this?
  Greetings
  Steven

  Hi Steven,
  The below document is actually for IOS SSLVPN, but the certificate portion should be the same:
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_c07-372106_ps6657_Products_White_Paper.html
  Search for "Appendix B" and it goes into creating a trustpoint and then one section is for self-signed and another is for generating a certificate request to send to an external CA.
  Once a trustpoint is created the command to actually generate the CSR is "crypto pki enroll ".
  This document goes into a little more detail on all the indivual commands and what they do:
  http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cert_enroll_pki.html
  Also you could use something external to the switch like OpenSSL to generate the CSR/private key and then use that to request a cert from your Verisign CA and then import the cert/keypair into the IOS device.
  Thanks,
  Nate

• HREAP with web-auth (internal)

  I have a lwap at a remote site that is configured as HREAP so that it can continuously provide connectivity when the WLC is un-reachable.  I have two vlans on the lwap.  One is locally authenticated and locally switched for intranet connectivity.  The other is for internet connectivity and I wanted that one to be locally switched, but authenticate at the WLC.  When I configure the WLAN as HREAP - locally switched, it doesn't work.  If I configure the WLAN as non-HREAP it works.  Anyone know what the trick is to get this thing to work?  I want my internet wlan at that site to be locally switched but centraly authenticated.  My WLC only seems to have a selection for HREAP - Local switching, it doesn't have anything you would check to specify central authentication.
  My WLC (2106)  is version 6.0.182.0 and my lwap is an 1142n.
  Thanks!

  In the first document:
  Q. Can I do web authentication with Local switching?
  Yes, you can have an SSID with web−authentication enabled and drop the traffic locally after
  web−authentication. Web−authentication with Local switching works fine.
  1.  WLAN, (wlan you want to local switch), Advanced tab, click the "H-REAP Local Switching" checkbox.
  2.  Wireless, (click the h-reap modify), H-REAP tab, click "Vlan Support", Vlan Mappings button, then map the wlan to vlan you want to drop traffic onto.
  Also, for wan up/local switched wlans authentication still happens on the controller until the h-reap goes into wan down.  WLANs default to central switching, you have to define the ones which need to be locally switched as described above.

• WLC 4402 - only present guest with web auth page once every (x) days

  Hi all,
  I am looking to migrate our guest wireless from a third-party system to the WLC.  Currently, we change our guest password (WPA2 PSK) every (x) days.  Each time the guest password is changed and connections are made with the new PSK, guests are redirected to a terms and conditions page which they must accept.  The MAC address is then cached and the page is not displayed again until we clear the MAC cache and change the PSK.
  I can almost replicate this with web auth in passthrough mode on the WLC, but it presents the guest with the terms and conditions page each time they reconnect to the WLAN, whether it be from roaming offsite or turning the wireless radio off then on.
  Is there any way to have the WLC replicate our current system, where a MAC is cached and the page is not displayed until some other event takes place (changing the PSK or clearing the cache?)
  Thanks!
  -P

  Wait ... Shaoqin, will the 7.5 code be released for the 4400 series controllers?  The current release is 7.0.240.0 - I see releases up to 7.4 on the 5500 series controllers
  Thanks
  -P

• Guest Anchor with web auth using ISE guest portal

  Hello All,
  Before launching into my exact issues, could anyone confirm if they have completed a wireless Guest anchor setup using 2504 controllers on 7.4 as the anchor (5508 is the foreign) with webauth external redirection at ISE 1.1.3 using ISE Guest Services?
  I am attempting this for an internal POC and have hit a couple of issues. Firstly I am looking for correct configuration confirmation prior to going in depth with a couple of the issues. I've been using the TrustSec 2.1 how to guides to build the parts I am not strong on so if anyone has actual completed this setup, I'd love to go through it with you.
  massive thanks to anyone that can assist.
  JS.

  Thanks for the reply RikJonAtk.
  so to start with, based on the trust sec documents, of the guest WLAN on the anchor I need to configure mac filtering at the layer 2 security menu as well as enable RADIUS NAC under the Advanced tab. But when I do this, I get an error message that states that mac filitering and RADIUS NAC cannot be enable at the same time.
  Additionally, if I just enable the RADIUS NAC setting under the Advanced tab in the WLAN, I get another error message that states that the priority order for Web-Auth can only be set for radius, so I go to the AAA server tab and send local and LDAP to the not use column and hit apply. If I move to another menu then check the priority order again under the AAA servers tab, the local and LDAP have been moved back to the menu field to be used again.  So I initially though it might be a bug, but I was hoping to find someone here that has done this already and can look at my issues and maybe walk me through their configs, which I'll mirror and see how it goes.
  Thanks in Advanced,
  JS

• Auto login with web auth?

  I have a guest WLAN on a mobility anchor that uses web auth for access. There is a small set of local users, but the majority of the auth comes from a Radius server. Question is, can I setup some type of policy that will auto login users based on MAC address so they don't have to web authenticate?
  Thanks!
  Edit: I have seen where you can enable mac filtering on the WLAN and specify individual mac addresses to permit. This would work, but I still want web auth for the majority of users. Only a few users should be automatically connected. The rest should still authenticate via web auth.

  Well I have some fantastic news.... and then some horrible news at the same time...
  In 7.0.116.0 a new feature was introduced called web auth on mac-filter failure.  Basically it does exactly what I think you are asking. Right?   You mac filter your wlan, and then if anyone fails the mac filter, they can web authenticate. 
  Unfortunately, it doesn't work in an Anchored scenario  as the Mac filter is L2 performed on the Foreign WLC, and the Anchor does L3 with no knowledge the Foreign was good to bypass webauth....   CSCts54424 is tracking this behavior for Anchor scenario, but I don't think it is planned to go into 7.0......

• HREAP, Local Switched WLAN and DHCP Address required

  Hi All,
  if i have configure an HREAP AP with a local switched Wlan with "dhcp ADDRESS REQIRED", from my understanding a client will be provided with an ip address from the hreap local infrastructure. How will the controler ensure that no static ip client is able to access the network?
  Any Help Welcome.
  Regards, Michael

  I posted about this subject on my site (see link below). Since the posting I learned that the client needs to minimumally pass a DHCP discovery packet for the controller to then allow traffic to pass to the client. This is how it "safe guards" someone putting a static address on their box ...
  http://www.my80211.com/cisco-wlc-cli-commands/2009/12/30/wlc-dhcp-address-assignment-required-option.html

• HREAP local switching works perfectly BUT central switching fails when WLC is down. Doesnt fallback to local switching.

  Hi All,
  I am currently using as 4402 with 6.0.196 image. The APs that i am using is the 1130.
  I have configure HREAP for Local switching, it works very well. I am even able to do 802.1x
  Authentication after registering with ACS. Currently I am usng only 1 SSID. That SSID is mapped
  to vlan 10 and my AP is on native Vlan 1.All the proper trunks and routing has been enabled.
  The issue i have is that when I am trying to create a central switched WLAN that fallbacks to local
  switching once the controller is down. The only diffrerence I made was to remove the "tick"/checkbox option
  for "local Switching" on the WLAN page.
  It is able to work if the controller is up, I am even able to get the IP network where the controller resides. However when
  i tested by disconnecting the controller, The client is unable to authenticate or send traffic anymore. I've tried using WPA-PSK
  and also WPA-PEAP-MSChapv2. Both fails miserably.
  Does this mean that I need to create 2 WLANs? One for Local Switching and the other for Central Switching on the HREAP mode
  APs.Cant i do it with just a single WLAN?
  Thank you.
  Warmest regards,
  Azzafir Ariff Patel.

  For h-reap, if your doing centrally switch due to using EAP for authentication and the ap looses connectivity to the WLC, then those users should be able to stay associated, but new users will not authenticate.  WPA/WPA2-psk local switching should work even if the ap looses connectivity to the WLC since the h-reap ap will do the authentication.  Here is a link you probobly already seen:
  http://www.cisco.mn/en/US/products/ps6087/products_tech_note09186a0080736123.shtml#topic2

• Windows 7 Clients Not Working With Web-Auth

  I am using 5508 controllers, configured for WEB-AUTH passthrough, Windows XP clients work fine but Windows 7 clients are hit and miss getting redirected to the splash screen.
  The login page is customised showing T's & C's with two buttons Except or Reject.
  Do I need to Pre-Auth with ACL's? Has anyone had similar issues, or any good doc's etc.
  Thanks in advance for any replies.
  Jay

  Nicolas,
  Many thanks for your relpy, the problem is that this is a guest network that's also avalable to the public and I dont have any control over the end clients.
  After doing a quick search on the net I found this.
  NCSI : Uses a combination of DNS and/or HTTP look ups to tell if you are connected to the Internet. The way NCSI does this is either via a HTTP request for http://www.msftncsi.com/ncsi.txt or a DNS look up for dns.msftncsi.com that resovles to 131.107.255.255.
  NCSI does this whether you are logged on or not.
  Do I need to Create a Preauthentication ACL on the Guest WLAN interface:-
  Configure a preauthentication ACL on the WLAN to allow wireless clients to allow:-
  1.       Permit DNS resolution (UDP/53) to 213.199.181.90
  2.       Permit TCP port 80 to 131.107.255.255
  Jay

• Problem with Web Auth

  hi
  i have two wireless networks,one for the guests and the other one extends the corporate network.i created two vlan on my 6509 swicth and mapped the vlns to to the wlans.All is working fine but when i enable web auth for guest i can no longer ping my gateway or browse and even web auth is not authenticating against the internal users configured on the WLC...web auth just wont work.
  what could be wrong..i really need to authenticate using web auth.

  ok, SO this is what i need
  send me show custom-web details
  S if you open the page do you get the default cisco webauth redirected page ; are you able to put the user name and password ?
  can you send me the screen shot of events
  Regards
  Seema

• HREAP - local switching & central authentication

  Should I trunk the port to the AP or not
  I have a WLC 5508 in the head office and have AP's in the remote office. I do not want traffic in the remote office to traverse the wan back to the WLC. I want the users at the remote office to use the local subnet at the remote site.
  Should I then trunk the AP port on the switch to the AP as I have multiple ssid's with different subnets?

  Thanks I thought that but was getting conflicting information on it.
  We also provide a guest access to remote sites that is tunnelled back to the wlc and then on to the DMZ. I guess this is not an issue when the Corporate access is configured for local break out?

• WLC 5508- how to setting up with Web auth with 2 profile

  Hi Guys,
  I wanted to control the 2 different profile to access internet with Cisco default landing page is that possible??
  Example:
  When connnected the SSID will redirect to Cisco landing pages
  Cisco landing pages will differentiate there is member or guess with the password key in.
  Member can access internet for 30 minute
  guess only can access internet for 15 minute

  Just some notes on WebAuth in the WLC. The timeout is specified per SSID so there would be no way to set a timeout unless you use a radius server and send a radius attribute to the WLC to set the session timeout.
  So we really need to know if you have a radius server, is the radius server tied to Active Directory or is the plan just using the WLC for everything.
  Sent from Cisco Technical Support iPhone App

• FlexConnect VLAN Central Switching and guest WEB Auth

  Hi,
  I have a senario where all my AP's are flexconnect AP's, that is because og WVoIP.
  In most loacation I have a local intenet connection for guests, and beacuse of that the Guest SSID is locally sitched.
  I have a few small locations that do not have a local subnet for guests and on those locations I would like to centrally switch the guest trafic.
  I was looking at FlexConnect VLAN Central Switching to solve my problem, but as far as I can see this only works with 802.1x SSID's and aaa override.
  Is there no way to do FlexConnect VLAN Central Switching on SSID's with WEB auth or PSK?
  Hope some one can answer me.
  Thanks
  Aksel

  So create a new WLAN, the WLAN profile will be different that the original guest WLAN and assign it a WLAN ID of 16 or higher. This new WLAN will have the same setting as the original guest SSID except that local switching is not enabled.
  You now need to create AP Groups so you can specify site with local guest vlan's will use the original SSID and the sites with no guest local clan will use the new SSID you created.
  Here is a doc regarding AP Groups
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml
  Sent from Cisco Technical Support iPhone App

• Centralized Auth. / Local Switching - Common SSID

  Hi All,
  I'm looking at a design where I would have a few remote sites and a centralized WLC.  My requirement would be to have a common SSID advertised across the remote sites and have that SSID locally switch; so to note tunnel all the traffic across the WAN back to the central site.
  I know the feature I'm looking for is H-REAP with Centralized Authentication and Local switching...but I'm unsure of the second part...which is to have a common SSID across the remote sites.  How do I accomplish the second part?  I heard mention of using AP Groups in another post.  Just looking for more direction.

  You're all correct except on the last part.
  what you want to do is configure your SSID in advanced options to enable HREAP Local switching.
  Then only the APS at remote site you move to HREAP mode one by one.
  From there, all the APs you configured as HREAP will be locally switching traffic and the APs in local mode will still forward traffic through the controller.
  I hope this clarifies ?
  Nicolas
  ===
  Don't forget to rate answers that you find useful