Is Guest VLAN configurable on the E-series WEB GUI yet

I logged on to this board 2 months ago inquiring about the availability of the Guest VLAN feature on the WEB GUI of the E-series home router and the answer back then was no.
I saw the Cisco Connect has been updated to work in sync with the WEB GUI and the new firmware has some minor bugs fixed on the Guest VLAN feature. My original:
Is Guest VLAN feature now available to configure on the WEB GUI of the E-series home router?

Are you talking about Guest VLAN or Guest WLAN?
The Guest WLAN feature is only available in the E4200. In the E4200 router you have an option to configure the Guest WLAN using the WEB interface.

Similar Messages

  • Display the workitem in Web GUI Homepage

    Hi Experts,
    How can I display the workitem in Web GUI Homepage?
    I created a workflow and it is sending a workitem but I can't see the workitem sent to my Web GUI homepage.
    Thanks in advance,
    james
    Moderator message: please have a look in the dedicated Workflow forum.
    Edited by: Thomas Zloch on Jan 20, 2011 3:55 PM

    Hi James,
    First of all, I would like to know whether you can see the workitem in SAP Business Workplace (GUI)?
    If yes, then you would find one of my articles which would make interesting reading and would help you with your query.
    [SAP Business Workplace Vs SAP CRM WebUI Worklist|http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/b0c2ff2f-d6ef-2d10-5885-d989e034feac]
    Regards,
    Anand

  • Route Guest VLAN directly to the internet

    All, I want to create a guest SSID/VLAN that is redirected straight to the internet, without any access to our network. I know how to create a guest SSID/VLAN but don't know how to send all traffic on that VLAN directly to the internet. How would the client obtain a DHCP address if it's on a VLAN separate from the network?

    Here is how I set up our wireless guest vlan:
    1. I use 802.1x with PEAP to authenticate guests against a MS RADIUS server. Once successful, the AP allows the guest to broadcast a DHCP request.
    2. My router forwards the DHCP request to the DHCP server, which assigns the IP and necessary options to guests, using the ip helper-address command.
    3. My router has access-lists to prevent guests from accessing any corporate IP addresses (allowing only DHCP broadcasts).
    4. A route-map is configured on the default router on the guest VLAN so that it will route all traffic sourced from that VLAN out to the Internet. I use "set ip default next-hop xxx.xxx.xxx.xxx" to route the traffic directly to our proxy server or firewall.
    This is not a very user-friendly setup on the client side, because I have to manually configure guest laptops to do 802.1x w/ PEAP. Sometimes it is a pain to work with so many different wireless cards/utilities.
    HTH,
    daniel
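
Added example (not part of daniel's post or any vendor tooling): a Python check that a guest SVI carries steps 2 to 4 of the setup above, namely the DHCP relay, an inbound ACL that keeps guests off corporate ranges while allowing DHCP, and the policy route-map. The sample configuration, the names GUEST-IN, GUEST-PBR and GUEST-OUT, the interface Vlan60 and all addresses are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample (not from the thread): guest SVI Vlan60, corporate space
# 10.0.0.0/8, firewall/proxy next hop 192.0.2.1. All names are hypothetical.
SAMPLE_CONFIG = """\
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 deny ip any 10.0.0.0 0.255.255.255
 permit ip any any
!
ip access-list extended GUEST-PBR
 permit ip 192.168.60.0 0.0.0.255 any
!
route-map GUEST-OUT permit 10
 match ip address GUEST-PBR
 set ip default next-hop 192.0.2.1
!
interface Vlan60
 ip address 192.168.60.1 255.255.255.0
 ip helper-address 10.1.1.10
 ip access-group GUEST-IN in
 ip policy route-map GUEST-OUT
"""

def sections(config):
    """Group indented sub-commands under their top-level IOS command."""
    out, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw[0].isspace():
            current = raw.strip()
            out.setdefault(current, [])
        elif current is not None:
            out[current].append(raw.strip())
    return out

def _addr(tok):
    """Consume one ACL address spec (any | host A | A wildcard)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # Invert the wildcard mask to get a netmask; non-contiguous masks raise.
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[1])))
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def _port(tok):
    """Consume an optional 'eq <port>' qualifier."""
    return (tok[1], tok[2:]) if tok[:1] == ["eq"] else (None, tok)

def parse_ace(line):
    """Parse 'action proto src [eq p] dst [eq p]' into a dict."""
    tok = line.split()
    ace = {"action": tok[0], "proto": tok[1], "text": line}
    ace["src"], rest = _addr(tok[2:])
    ace["sport"], rest = _port(rest)
    ace["dst"], rest = _addr(rest)
    ace["dport"], _ = _port(rest)
    return ace

def is_dhcp(ace):
    """True for the client-to-server DHCP permit (bootpc -> bootps)."""
    return (ace["action"] == "permit" and ace["proto"] == "udp"
            and ace["sport"] in ("bootpc", "68") and ace["dport"] in ("bootps", "67"))

def audit_guest_svi(config, svi, corporate):
    """Return findings for the guest SVI; an empty list means all checks pass."""
    sec, findings = sections(config), []
    iface = sec.get(f"interface {svi}", [])
    if not any(l.startswith("ip helper-address ") for l in iface):
        findings.append("no ip helper-address: guest DHCP is not relayed")
    acl = next((m.group(1) for l in iface
                if (m := re.fullmatch(r"ip access-group (\S+) in", l))), None)
    aces = [parse_ace(l) for l in sec.get(f"ip access-list extended {acl}", [])]
    if not aces:
        findings.append("no inbound ACL applied to the guest SVI")
    elif not any(is_dhcp(a) for a in aces):
        findings.append("ACL does not permit DHCP (bootpc -> bootps)")
    for net in map(ipaddress.ip_network, corporate):
        for ace in aces:                  # first match wins, as on the router
            if is_dhcp(ace) or not ace["dst"].overlaps(net):
                continue
            if ace["action"] == "permit":  # conservative: any earlier permit is a leak
                findings.append(f"'{ace['text']}' reaches {net} before any deny")
                break
            if (ace["proto"] == "ip" and ace["src"].prefixlen == 0
                    and net.subnet_of(ace["dst"])):
                break                     # corporate range is fully blocked here
    rmap = next((m.group(1) for l in iface
                 if (m := re.fullmatch(r"ip policy route-map (\S+)", l))), None)
    sets = [l for k, v in sec.items()
            if k.startswith(f"route-map {rmap} permit") for l in v]
    if not any(l.startswith(("set ip default next-hop ", "set ip next-hop ")) for l in sets):
        findings.append("no policy route-map steering guest traffic to the firewall")
    return findings
```

`set ip default next-hop` only applies to destinations that have no explicit route in the routing table, so the access-list in step 3, not the route-map, is what keeps guests off corporate subnets.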

  • 802.1x Auth-Fail VLAN and Guest-VLan not available

    Hi Pros,
    Having an issue with an 881 I have recently acquired. I'm wanting to setup a Virtual Office scenario. Everything is working fine except for 802.1x...
    I can get the 881 to authenticate things connected to it, but I don't have the options of guest-vlan or auth-fail vlan.
    Idea is if the user takes the router home and someone, either accidentally or on purpose, connects an unauthorized laptop, they stay off the Corp network but can get to the internet still.
    I found this link on Cisco's site:
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/deployment_guide_c07_458259_ns855_Networking_Solutions_White_Paper.html
    That link shows them configuring a guest vlan right on the fa0-3 ports of an 881W. I don't have that option on mine. I can only configure 802.1x on the vlan interface. I have 802.1x working, for things that connect to vlan1, but I would like to have a "fallback" setup.
    EZVPN_Remote(config-if)#int fa1
    EZVPN_Remote(config-if)#dot
    EZVPN_Remote(config-if)#dot1?
    dot1q
    EZVPN_Remote(config-if)#dot1
    EZVPN_Remote(config-if)#int vlan1
    EZVPN_Remote(config-if)#dot1x ?
      default           Configure Dot1x with default values for this port
      host-mode         Set the Host mode for 802.1x on this interface
      max-reauth-req    Max No.of Reauthentication Attempts
      max-req           Max No.of Retries
      pae               Set 802.1x interface pae type
      port-control      set the port-control value
      reauthentication  Enable or Disable Reauthentication for this port
      timeout           Various Timeouts
    Any thoughts why I'm seeing this behavior? Feature-set? IOS Version?
    EZVPN_Remote#sh ver
    Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(2)T4, )
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Tue 12-Jul-11 21:02 by prod_rel_team
    ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
    EZVPN_Remote uptime is 6 hours, 1 minute
    System returned to ROM by reload at 14:53:21 UTC Thu Oct 13 2011
    System restarted at 14:52:47 UTC Thu Oct 13 2011
    System image file is "flash:c880data-universalk9-mz.151-2.T4.bin"
    Last reload type: Normal Reload
    Last reload reason: Reload Command
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    Cisco 881 (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memor.
    Processor board ID FTX153482GK
    5 FastEthernet interfaces
    1 Virtual Private Network (VPN) Module
    256K bytes of non-volatile configuration memory.
    126000K bytes of ATA CompactFlash (Read/Write)
    License Info:
    License UDI:
    Device#   PID                   SN
    *0        CISCO881-SEC-K9       xxxxxxxx
    License Information for 'c880-data'
        License Level: advipservices   Type: Permanent
        Next reboot license Level: advipservices
    Thanks in advance!

    Shameless bump...

  • Guest-vlan; catalyst 2960

    Hello,
    I would like to configure a guest-vlan and restricted-vlan on a 2960 switch, but I can not.
    The IOS version (obtained through: show version) is:
    Switch Ports Model              SW Version            SW Image
    *    1 52    WS-C2960S-48FPS-L  12.2(53)SE2           C2960S-UNIVERSALK9-M
    I am trying to configure the interface using the following commands:
    RAK-ASW01#configure
    Configuring from terminal, memory, or network [terminal]?
    Enter configuration commands, one per line.  End with CNTL/Z.
    RAK-ASW01(config)#interface gigabitEthernet 1/0/11
    RAK-ASW01(config-if)#switchport mode access
    RAK-ASW01(config-if)#dot1x port-control auto
    RAK-ASW01(config-if)#dot1x guest-vlan 17
    RAK-ASW01(config-if)#end
    the result is the following, as if the guest-vlan is not supported:
    RAK-ASW01#show dot1x interface gigabitEthernet 1/0/11
    Dot1x Info for GigabitEthernet1/0/11
    PAE                       = AUTHENTICATOR
    PortControl               = AUTO
    ControlDirection          = Both
    HostMode                  = SINGLE_HOST
    QuietPeriod               = 60
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 30
    RAK-ASW01#
    A similar result is obtained while trying to configure an auth-fail vlan.
    the full configuration file is attached.
    many thanks in advance,
    Alaeddine

    Hi,
    I am trying to see the guest-vlan configuration, but I was not able to see it. Therefore, my first thought was that the guest-vlan is not supported by this IOS release.
    Another point is that, although I am not able to see the configuration of the guest-vlan and the auth-fail vlan, they do exist and they are operational: when I try to connect a device to the switch and it fails to authenticate, the switch connects the device to the restricted vlan.
    So my question is: why can I not see the guest-vlan and the auth-fail vlan configuration?
    Thanks in advance,
    Alaeddine

  • Guest Vlan - WLC

    Hello
    Which tool can help in getting historical data for Guest VLAN configured on WLC. i.e
    How long the Guest was connected.
    How many times he was connected.
    traffic summary for each connection ( transferred / Received  size)
    Top 5 sites visited by Guest
    thanks
    CP

    Using WCS. Running the detailed client reports, we will get this information.
    Regards
    Surendra

  • Multiple SSID With Multiple VLANs configuration on Cisco Aironet APs: Assotiated clients cannot obtain IP addresses

    Hi Surendra,
    I was just given this task to see how I can configure a second SSID for guest access in our environment.
    This is our network setup prior to this request: Internet----Firewall (not ASA)---ce520---C1131AG, and the CME router is also connecting to the ce520 switch. We only have two VLANs: one for voice and two for data.
    Presently, there is no VLAN configured on the AP because it is only broadcasting one SSID, and wireless users get IP addresses from a Windows DHCP server on the LAN. The configuration on the ce520 switch port for the AP and other switches says the access VLAN is the DATA VLAN, which automatically becomes the native VLAN for all trunk ports connecting the AP and other switches to the network.
    Now with this new requirement, I have done my research and I have configured the AP to broadcast both the production and the guest VLANs. The two VLANs are 20-DATA and 60-Guest. I made the DATA VLAN on the AP the native VLAN since the PoE switch is using the DATA VLAN as native on the trunk ports. I configured the firewall to serve as DHCP server for the guest SSID and I have added the ip helper-address on the guest VLAN interface on all switches, while the Windows server remains the DHCP server for the production DATA VLAN. I have confirmed that the AP and switches can ping the default gateway of the guest DHCP server, which is another interface on the firewall. I can now see and connect to all broadcasted SSIDs, but the problem is I am not getting IP addresses from either the production DHCP server or the guest DHCP server when I connect to the SSIDs one at a time.
    My AP config is attached below.
    Please tell me what am I doing wrong.
    Do I need to redesign the whole network to have a native VLAN other than the data VLAN?
    Does the access point need to be aware of the voice VLAN?
    Does the native VLAN on the AP need to be in bridge-group 1 or can I leave it in bridge-group 20?
    I will greatly appreciate your urgent response.
    Thanks in advance.

    Hi,
    As far as I know we don't set the ip helper address on the radio interface. It should be on the L3 interface of the corresponding VLANs, i.e.
    int vlan 20
    ip helper-address 192.168.33.xxx
    int vlan 60
    ip helper-address 130.20.1.xxx
    I'm assuming that you're using SVIs (int Vlan 20 and int Vlan 60) rather than physical interfaces. Also, I hope you have configured the switch port where this AP is connected as a trunk.
    Modify the AP config as below since you are using the data VLAN as the native VLAN:
    interface Dot11Radio0.20
    encapsulation dot1Q 20 native
    interface FastEthernet0.20
    encapsulation dot1Q 20 native
    Ideally your AP FastEthernet configuration should look like below; I am not sure how you missed this, as this comes by default when you have multiple VLANs for multiple SSIDs.
    interface FastEthernet0.20
    encapsulation dot1Q 20 native
    no ip route-cache
    bridge-group 20
    no bridge-group 20 source-learning
    bridge-group 20 spanning-disabled
    interface FastEthernet0.60
    encapsulation dot1Q 60
    no ip route-cache
    bridge-group 60
    no bridge-group 60 source-learning
    bridge-group 60 spanning-disabled
    Hope this helps.
    Regards
    Najaf

  • 802.1.x guest VLAN problem

    Hi,
    I have configured a Guest VLAN on a switch port. When I power on the PC and I don't log in, the PC after some time goes to the Guest VLAN, but it doesn't acquire an IP address; after some time the port goes to the unauthorized state, and then after some time goes to the Guest VLAN again, and so on.
    I'm using XP SP2 with:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode DWORD Value = 3
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\AuthMode DWORD Value = 0
    Could someone give some help, please?
    Thanks
    BR

    The key here is your AuthMode setting of 0. With this setting, if a connection has already been authenticated with machine-auth, the user’s credentials will not be used for authentication. The only way I can imagine that the Guest-VLAN even comes up is if you have configured AuthMode = 0 AND then turned off machine-authentication.
    As for the Guest-VLAN getting deployed to a port, and how quickly this occurs, it's a function of the tx-period timer on the switch port. Once 3 Identity requests go unanswered, AND if you have Guest-VLAN configured, the port can then be enabled into the Guest-VLAN. DHCP cannot happen until a) 802.1x authorizes a port, or b) the Guest-VLAN is enabled (in which 802.1x authorization will time out).
    I have a general question though. What are you looking to accomplish with these specific settings? Based on your registry settings:
    *machine-auth should work if you have both 802.1x-user-auth + 802.1x-machine-auth enabled.
    *user-auth should work if you have 802.1x-user-auth enabled and 802.1x-machine-auth disabled.
    *Guest-VLAN should work if you have 802.1x disabled completely. NOTE: Guest-VLAN should not get deployed in the config, since the supplicant will send EAPOL-Starts, even though you have disabled machine-auth.
    Hope this helps.

  • Multiple Guest VLANs and Shared WLC

    Hi,
    I would like to add a second Internet ASA5xx gateway to our guest anchor wlc in the DMZ, which is connected to a guest vlan switch, so that the guest anchor wlc can connect guest users to two separate Internet gateways (i.e. guest vlan1 and vlan2). Two guest wireless networks are created in our environment, say SSID1 and SSID2, each anchoring to the guest WLC in the DMZ by Internal wlcs. I want to assign a different ip subnet to the two guest wireless SSIDs, say 10.251.255.0/24 and 10.251.256.0/24, to be provided by DHCP servers in the two ASA5xx.
    I want to implement this by creating a second guest vlan interface in the guest anchor wlc and assign/connect this to the new ASA5xx box for the second Internet gateway. The second guest wireless SSID will be homed/anchored to this guest vlan2.
    Please advise how best I should implement this.
    many thanks
    Sankung   

    It sounds like you already have this done.  You have the second SSID already, you would need to create the second interface with the appropriate VLAN tag and subnet range.
    Then on the internal anchor the SSID to the same SSID in the DMZ
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html#wp999843
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • FCoE Native VLAN Configuration

    Hi
    One question about FCoE Configuration
    Is it better to permit the Native VLAN (FIP VLAN) in the allowed trunk VLANs or just leave it in the native VLAN configuration?
    Here the two choices showing my doubt
    VLAN 1197
    name FIP_VLAN
    VLAN 1198
    name FCOE_VLAN
    fcoe vsan XX
    01)
    interface EthernetX/X
    switchport
    switchport mode trunk
    switchport trunk native vlan 1197
    switchport trunk allowed vlan 1197,1198
    spanning-tree port type edge trunk
    or
    02)
    interface EthernetX/X
    switchport
    switchport mode trunk
    switchport trunk native vlan 1197
    switchport trunk allowed vlan 1198
    spanning-tree port type edge trunk

    Hi,
    Usually when you add it to the trunk as native, you don't need to add it again. So, option 2.
    HTH

  • VLAN Configuration for Internal and Guest Wireless

    Hello,
    We are using the following hardware…
    SG300-52MP switch -- latest firmware
    ASA 5512-X firewall -- 9.1
    Aironet AP1131AG WAP
    We have the following networks…
    10.252.4.0/24 = Internal = ASA-01 interface = VLAN1
    10.252.6.0/24 = Guest = ASA-02 interface = VLAN6
    10.252.6.0/24 = VOIP = ASA-03 interface = VLAN3
    The Aironet supports two SSIDs, Secure (RADIUS) and Guest (WPA2), which are supposed to provide access to the appropriate interface on the ASA.
    Relevant parts of the WAP configuration are…
    dot11 ssid GUEST
       vlan 6
    dot11 ssid SECURE
       vlan 1
    interface Dot11Radio0
    no ip address
    ssid GUEST
    ssid SECURE
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    interface Dot11Radio0.6
    encapsulation dot1Q 6
    no ip route-cache
    bridge-group 255
    interface Dot11Radio1
    no ip address
    no ip route-cache
    ssid GUEST
    ssid SECURE
    interface Dot11Radio1.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    interface Dot11Radio1.6
    encapsulation dot1Q 6
    no ip route-cache
    bridge-group 255
    interface FastEthernet0
    no ip address
    no ip route-cache
    interface FastEthernet0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    interface FastEthernet0.6
    encapsulation dot1Q 6
    no ip route-cache
    bridge-group 255
    interface BVI1
    ip address 10.252.4.4 255.255.255.0
    no ip route-cache
    ip default-gateway 10.252.4.1
    We can manage the WAP through its Internal IP address (10.252.4.4).
    And the “Guest” wireless network is working -- connecting to that SSID provides the client with the correct IP addressing (10.242.6.X from VLAN6/ASA-02).  [Note:  the VOIP DHCP and network access also works correctly.]
    The “Secure” wireless network is not working however -- the client never receives an Internal DHCP address from ASA-01, and even if you hard-code the client’s IP, no IP4 traffic ever passes.
    [Note:  connecting a device to a SG300 port with the “Default” configuration provides the client with an Internal DHCP configuration, and it works as intended.] 
    While this may be a problem with the WAP configuration, I would like to confirm that it is not an issue with the switch not passing traffic correctly.
    I have a feeling that I have configured the VLANs on the ports incorrectly.
    Relevant parts of the SG300 configuration are...
    v1.3.0.62 / R750_NIK_1_3_647_260
    vlan database
    vlan 3,6
    ip dhcp snooping
    ip dhcp relay address 10.252.4.1
    ip dhcp relay enable
    bonjour interface range vlan 1
    interface vlan 1
    ip address 10.252.4.2 255.255.255.0
    no ip address dhcp
    interface vlan 3
    name VOIP
    interface vlan 6
    name Guest
    interface gigabitethernet45 -- Access mode, Untagged VLAN6
    description ASA-Guest
    ip dhcp snooping trust
    switchport mode access
    switchport access vlan 6
    interface gigabitethernet46 -- Access mode, Untagged VLAN3
    description ASA-VOIP
    ip dhcp snooping trust
    switchport mode access
    switchport access vlan 3
    interface gigabitethernet47 -- Trunk mode, Untagged VLAN1 and Tagged VLAN6
    description WAP1
    switchport trunk allowed vlan add 6
    interface gigabitethernet48 -- Trunk mode
    description ASA-Internal
    ip dhcp snooping trust
    ip dhcp relay enable
    Can someone who understands this switch better than I do please confirm the VLAN configuration?  THANK YOU!

    Welcome to the discussion area!
    +PCI regulations do not consider VLAN a secure way of keeping the data isolated. Does anyone have any technical information on how the device creates the guest wireless network ?+
    I spoke to Apple Support some time ago and was told that Apple uses VLAN to create the Guest network, and also that formal documentation was not available on this topic. I was referred to the AirPort Extreme Specifications for available information.
    This was some time ago, so if you need more up to date info, you might want to try to contact Apple to see if they are willing to share more information about this feature. Although, since VLAN is used, your question may already be answered.
    FWIW, to use the Guest Network feature in a home situation, the AirPort Extreme must be set up as the main router controlling DHCP and NAT on the network. If you were thinking of installing the AirPort Extreme behind another router, the Guest Network feature would not be available in this type of configuration.

  • Configuring Guest VLAN on AP541N and UC560

    I have an AP541N connected to a UC560.  We are currently configured for Wireless Voice and Data.  We have added a Guest VLAN, but don't see where in CCA to secure the VLAN from accessing the other two default VLANs.  Any help would be appreciated.
    Additional Info:
    AP541N-K9-1.7(2)
    UC560  15.0(1)XA2, RELEASE SOFTWARE (fc2)
    CCA 3.0

    https://supportforums.cisco.com/docs/DOC-14855
    We are experiencing the exact same problem in our lab.
    There is no way with CCA that the VLANs can be secured. You have to use CLI; however, once you choose to use CLI for configuration, CCA may no longer be used.
    Hope this helps.
    Terry

  • Configure the Guest to NOT see the login page?

    I'm trying to get my portal to allow the guest user to see their default community (as set in the default subportal).
    I can't get it to do anything other than show the login screen.
    On a .Net portal, the n_config.xml seems to be the key file, but I can't figure out what it is looking for ... what are the possible values?
    In this context, what is a "space"? Is it a community ID, an activity space, or other?
    How are values configured? Replace the value="", or does it go between the property's tags? (<AllowGuestAccess value="1"></AllowGuestAccess>, or <AllowGuestAccess value="1">1</AllowGuestAccess>)
    <Authentication>
      <!-- Allow the Guest user to access the portal. If guest access is disallowed, the portal will always prompt for login information. -->
      <AllowGuestAccess value="1"></AllowGuestAccess>
      <!-- This is the password for the Guest user. -->
      <GuestPassword value=""></GuestPassword>
      <!-- If the guest user does not specify a space, the user will normally go to their default page. If this is 1, the guest user will go to the login page. -->
      <GuestRedirectToLogin value="1"></GuestRedirectToLogin>
    </Authentication>

    Hi Javier,
    You're right -- the Login space is always accessible if you type space=Login, even if you're using SSO and you follow all of developersupport's suggestions. Of course, you already have to be logged in to get there, so the risk is minimal, however, it allows you to "su" to another user (including Administrator) as long as you know the password.
    One of our customers thinks this is a major security hole and as a result, we've hacked the LoginView to automagically log you out and redirect you to a protected resource, which forces another SSO login. That's the only thing I could think to do to plug the hole. If any Plumtreevians are listening to this thread, it would be great to get a real fix for this into your next release.
    If anyone has any better suggestions, I'm all ears.
    Regards,
    Chris Bucchere | bdg | [email protected]| www.bdg-online.com

  • WLC Guest Account Configuration

    Hello,
    I have been trying to set up a guest WiFi network using a 2504 series WLC. I have configured the switch, the router, and the firewall for the IP Schema that I want to use for the guest network, but I am unable to get this process working. I have a CAPWAP configuration example that I followed as well as a LWAPP example. I don't have a LWAPP but I do have a CAPWAP. I want to breakdown my network into two separate networks: one for internal use and one for the guest. I am able to connect to the internal network correctly and can ping and gain access via the WAP after I completed my configurations, but I am not able to use the 10.0.0.0 network that I configured for the guest network. I can ping the default router address of 10.0.0.11 from the WLC. I also want to use web authentication as a way to set up the guest network for authentication and the virtual address of 1.1.1.1 does not appear as the authentication method.
    I would appreciate any help on this issue. I have been working on this issue for some time with no luck. Any suggestions on things I could try would be great.

    Refer to:
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-vlan/70937-guest-internal-wlan.html#proc

  • Guest VLAN unable to get DHCP IP address from Anchor Controller

    Hello everybody,
    In our test set up, we have two WLC 5508 Controllers connected via Checkpoint UTM-1 firewall Inside and DMZ Interfaces. Both the WLC controllers are connected to the firewall via Cisco 3750 switch. On the Local (Inside) Controller, guest SSID is enabled and attached to the wireless management Interface. On the remote anchor controller, guest SSID is enabled and attached to the Management Interface as well. The following configs are replicated on both the Controllers.
    SSID Name - guest
    Interface - Management ( VLAN 10 on Local and VLAN 20 on remote) -
    Mobility Group: Same configs at both ends
    SSID Anchor : Anchor SSID on local and local SSID on Anchor.
    AP: CAPWAP 3502 Management Subnet
    SSID Security etc all defaults and matching on  both ends
    Checkpoint Firewall Rules: Allowed 16666-7, IP 97 etc on the firewall
    Checkpoint Inside/DMZ to Outside(Internet) is NAT enabled.
    EoIP Tunnel Status: Up, UP - Both ends
    Mping - OK
    eping - OK
    WLC Software Version on Local - 7.0.98.0
    WLC Software Version on Local - 7.0.116.0
    DHCP Scope: Definitions on Anchor Controller and Guest Anchor SSID points to the Anchor management IP as the Primary DHCP server.
    Management IP Subnet on Local: 10.x.x.x
    Management IP Subnet on Anchor: 172.x.x.x
    The problem definition as follows:
    When guest SSID associates to the local AP, the guest SSID never gets a DHCP address assigned from the Anchor Controller and the following debugs are obtained.
    1. WLAN ID 1 (for Guest SSID Number) delete message appears in the Controller message logs, but the SSID does not DHCP from the local Management Subnet and i can see DHCP request via the tunnel to the Anchor WLC as follows:
    DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 0, port 13, encap 0xec03)
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54774 (1237665652), secs: 42, flags: 0
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   chaddr: 64:b9:e8:33:2d:13
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to EoIP tunnel
    2. Similar debugs on the Anchor controller yields the following results;
    Cisco Controller) >*DHCP Socket Task: Feb 25 04:30:25.488: 64:b9:e8:33:2d:13 DHCP options end, len 72, actual 64
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 20, port 1, encap 0xec05)
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54778 (1237665656), secs: 52, flags: 0
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   chaddr: 64:b9:e8:33:2d:13
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 20, port 1, encap 0xec05)
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54778 (1237665656), secs: 61, flags: 0
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   chaddr: 64:b9:e8:33:2d:13
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS
    *apfOrphanSocketTask: Feb 25 04:37:49.931: 34:51:c9:59:b1:c7 Invalid MSCB state: ipAddr=169.254.254.148, regType=2, Dhcp required!
    Is there anything missing in the wireless configs and/or the firewall rules, as I could not see a DHCP reply back from the Anchor Controller? Also, after DHCP is obtained, the web authentication request will be redirected to an Amigopod device for authentication. In this case, is the redirect URL configuration to be performed only on the Anchor Controller, or is this to be replicated on both the Local and Anchor Controllers?
    Thanks and Regards.

    The DHCP issue is resolved if external DHCP server is configured on a 3750 switch connected to the WLC and the default gateway for DHCP points to the Firewall, which is in the data path between the Inside and Anchor Controllers. DHCP is essentially bridged (no Proxy setting now) from the EoIP tunnel to the Distribution system network. We will test this solution on pilot production and then consider upgrading to 7.0.116.0, as there are about six offices running 7.0.98.0, which will need to be upgraded. 
    For L3 security, configuration is set up on both the controllers for external captive portal redirection. I will try this only on the Anchor and revert.
    Thanks again very much for all your help.
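
Added example (not from the thread or from Cisco): a Python triage script for WLC DHCP debug output like the anchor-side capture above. It lists clients whose requests were bridged but for which no BOOTREPLY was ever logged; the first client's lines are copied from the post, while the second client and the exact wording of its BOOTREPLY line are constructed assumptions.

```python
import re
from collections import defaultdict

# First client: lines copied from the anchor-controller debug in the post.
# Second client (00:00:5e:00:53:01) is constructed, including the assumed
# wording of its BOOTREPLY line.
SAMPLE_LOG = """\
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 20, port 1, encap 0xec05)
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54778 (1237665656), secs: 52, flags: 0
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 20, port 1, encap 0xec05)
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54778 (1237665656), secs: 61, flags: 0
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS
*DHCP Socket Task: Feb 25 04:40:01.100: 00:00:5e:00:53:01 DHCP received op BOOTREQUEST (1) (len 308,vlan 20, port 1, encap 0xec05)
*DHCP Socket Task: Feb 25 04:40:01.100: 00:00:5e:00:53:01 DHCP   xid: 0x1a2b3c4d (439041101), secs: 0, flags: 0
*DHCP Socket Task: Feb 25 04:40:01.100: 00:00:5e:00:53:01 DHCP successfully bridged packet to DS
*DHCP Socket Task: Feb 25 04:40:01.140: 00:00:5e:00:53:01 DHCP received op BOOTREPLY (2) (len 308,vlan 20, port 1, encap 0xec00)
"""

# Timestamp, client MAC, then the DHCP message body.
LINE = re.compile(
    r"DHCP Socket Task: .*? ((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) DHCP\s+(.*)", re.I)

def summarize(log):
    """Correlate per-packet debug lines into per-client DHCP state."""
    clients = defaultdict(
        lambda: {"requests": defaultdict(list), "replies": 0, "bridged_to": set()})
    current_op = {}                   # MAC -> op of the packet being decoded
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        mac, body = m.group(1).lower(), m.group(2)
        state = clients[mac]
        if (op := re.match(r"received op (BOOTREQUEST|BOOTREPLY)", body)):
            current_op[mac] = op.group(1)
            if op.group(1) == "BOOTREPLY":
                state["replies"] += 1
        elif (x := re.match(r"xid: (0x[0-9a-f]+) \(\d+\), secs: (\d+)", body)):
            # Only count xid lines that belong to a client request.
            if current_op.get(mac) == "BOOTREQUEST":
                state["requests"][x.group(1)].append(int(x.group(2)))
        elif (b := re.match(r"successfully bridged packet to (.+)", body)):
            state["bridged_to"].add(b.group(1).strip())
    return clients

def unanswered(log):
    """Clients that sent requests but for which no BOOTREPLY was logged."""
    report = []
    for mac, state in summarize(log).items():
        if state["requests"] and state["replies"] == 0:
            for xid, secs in state["requests"].items():
                report.append({
                    "mac": mac,
                    "xid": xid,
                    "attempts": len(secs),   # same xid repeated = retransmits
                    "secs": secs,
                    "bridged_to": sorted(state["bridged_to"]),
                })
    return report

if __name__ == "__main__":
    for row in unanswered(SAMPLE_LOG):
        print(row)
```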
