Limiting bandwidth for Guest WLAN in AP1300
Hi All,
Can I limit bandwidth for guest in a wlan network without Wlan controller? And of course, how can I do it?
thanks in advance
P.S.: I heard something about bronze profile in a wlan controller environment, I need something like that but in an independent AP.
Sorry for my delay but I was out of the office.
Could you show me how to do that?
thanks in advance
Similar Messages
-
How to limit bandwidth for guest per connection/user on 2504 WLC?
We have 2504 Controller with 24 AP's registered in a hotel and we would like to limit bandwidth per connection or per user.
I went to QOS Profiles > Bronze >
I do not see Per user Bandwidth Contracts(K)* instead I see WLAN QOS Parameters with below options.
Hello
Our WLC model 5508, but there is confusion on difference between Override Per-User Bandwidth Contracts (kbps) vs Override Per-SSID Bandwidth Contracts (kbps)
Our requirement-
On Guest SSID - Each user / session should not exceed bandwidth more than 758kbps upstream/downstream
Only Guest users cannot login to multiple device with single userID - applicable only to Guest SSID other SSID should not get impacted.
hope to get some response
cheers
ST -
HOW TO CONFIGURE GUEST NETWORK AND LIMIT BANDWIDTH
Dear all,
Please help me how to configure internet access rule and limit the bandwidth for guest network via TMG Forefront 2010.
Thank you & best regards,
Hung Viet
Hi,
First you can create the new network set which is mapped to guest subnet, after that you can create access rule for this network set.
If you want to control bandwidth, you may need a 3rd-party tool like this: http://www.bsplitter.com/
Best Regards
Quan Gu -
I have 2 controller in the same WISM module and I'm trying to make one of them Anchor controller for guest WLAN, but when I give put the anchor controller in a separated non-routed VLAN and connect it to an outside switch by creating VLAN 192 on the core. ( the Internet router is connected to the same switch).-it is showing path down... ( VLAN 192 visitor Internet and VLAN 224 my internal controller management VLAN are not talking)
there is no routing between these 2 VLAN ( because of security), but i can't get the controller to communicate.
-if I connect my laptop to this switch I'm able to go out on Internet but my visitor WLAN is not able to get IP address from the router connected to this switch.
- I called Cisco and one of the guys told me that I can leave the management in VLAN 224 for the controller to communicate (which they did), but the issue I'm having right now is that my visitors are not getting IP addresses from this VLAN at all
Someone please advise
vlan192 4/1 vlan 192 int g0/0 192.168.2.201
6500 ----- switch ---- router--------- (outside)
| | |
| DHCP server
WLC
A couple of questions, is VLAN 192 allowed across the trunk link to the wlc? Do you have an interface tagged for vlan 192, with a valid address? What is providing the DHCP?
Cheers,
Steve
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
Guest WLAN and DNS tunneling (IP over DNS with iodine, NSTX, etc)
Hello,
I'm trying to implement guest WLAN with web authentication on the WLC 2504. L3 for guests WLAN is terminated on ASA 5510 (as subinterface).
All works pretty fine. Guests clients are prompted to enter login/password, guests are authenticated against ACS and so on.
But I have a strange idea. How can I prevent unauthorised DNS tunneling from the guest network?
I think that DNS tunneling can be prevented with dns-guard on ASA and dns inspections, e.g. drop dns packets larger than 512 bytes and perform deep inspection against packets.
Any ideas or advice? -
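An added example (not part of the original post, and not ASA configuration): the kind of checks the post's "deep inspection" could apply to guest DNS traffic, written as a Python heuristic over raw DNS messages. It goes beyond the 512-byte size check to query-name length, entropy and record type; the thresholds, function names and sample capture are constructed assumptions.

```python
import math
import struct
from collections import Counter, defaultdict

MAX_UDP_DNS = 512      # size limit named in the post (classic DNS over UDP)
LONG_LABEL = 40        # assumed threshold; a DNS label can hold at most 63 bytes
HIGH_ENTROPY = 3.8     # assumed threshold, bits per character of the subdomain part
BULK_QTYPES = {10: "NULL", 16: "TXT"}   # assumed watch list of free-form record types


def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query; used here only to construct sample traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(msg):
    """Return (labels, qtype) for the first question of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    if struct.unpack("!H", msg[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:    # compression pointer or reserved label type
            raise ValueError("unexpected label type in question")
        if pos + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    return labels, struct.unpack("!H", msg[pos:pos + 2])[0]


def entropy(text):
    """Shannon entropy in bits per character."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def inspect_message(msg):
    """Return the list of tunnelling indicators found in one DNS message."""
    reasons = ["oversize"] if len(msg) > MAX_UDP_DNS else []
    try:
        labels, qtype = parse_question(msg)
    except ValueError:
        return reasons + ["malformed"]
    payload = "".join(labels[:-2])   # left of the parent domain (assumes a 2-label parent)
    if any(len(label) >= LONG_LABEL for label in labels):
        reasons.append("long-label")
    if len(payload) >= 16 and entropy(payload) >= HIGH_ENTROPY:
        reasons.append("high-entropy")
    if qtype in BULK_QTYPES:
        reasons.append("qtype-" + BULK_QTYPES[qtype])
    return reasons


def suspicious_clients(capture, min_hits=3):
    """Clients with at least min_hits multi-indicator queries to one parent domain."""
    hits = defaultdict(Counter)
    for client, msg in capture:
        reasons = inspect_message(msg)
        if len(reasons) < 2 or "malformed" in reasons:
            continue   # one weak signal (e.g. an SPF TXT lookup) is not enough
        labels, _ = parse_question(msg)
        hits[client][".".join(labels[-2:]).lower()] += 1
    return sorted((c, d, n) for c, doms in hits.items()
                  for d, n in doms.items() if n >= min_hits)


ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def constructed_tunnel_name(i):
    """Constructed stand-in for encoded payload: a 48-character label under example.net."""
    rotated = ALPHABET[i:] + ALPHABET[:i]
    return (rotated * 2)[:48] + ".t.example.net"


# Constructed capture of (client address, raw DNS message); no real traffic.
SAMPLE_CAPTURE = (
    [("10.0.0.23", build_query(constructed_tunnel_name(i), qtype=10)) for i in range(4)]
    + [("10.0.0.40", build_query("www.example.com")),
       ("10.0.0.40", build_query("example.org", qtype=16))]
)

if __name__ == "__main__":
    for client, domain, hits in suspicious_clients(SAMPLE_CAPTURE):
        print(client, domain, hits)
```

EDNS0 and DNSSEC responses legitimately exceed 512 bytes, so the size check is treated here as one signal among several rather than as a drop rule on its own.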
I bought Photoshop 7, upgraded to CS2 then upgraded to CS3. I live in the country and have limited bandwidth for my internet, therefore, the cloud will not work and I must have a box version. In Jan Best Buy did work on my laptop and did not de-install CS3, now my desktop has died and believe CS3 on it is also gone. I have the serial numbers and can not find how to contact Adobe.
I only use it for photography and do not want CS6, so I need help, can anyone help me. Thanks a million.
Why on Earth are you getting frustrated? ?? !!
You don't even need to "contact Adobe", unless you need to activate that old deleted version. You are entitled to two activations.
Just download the CS3 trial version and input your serial numbers (the installer might prompt you for the previous serial number since your CS3 probably has an update s/n).
Download CS3 products <=== click on link
Anytime you want to look for something on the Adobe site, just do a Google search and add "site:adobe.com" (without the quotes) at the end of the string of keywords, for instance, this is what to type in Google to find the CS3 downloads:
download Photoshop cs3 site:adobe.com
Just change "CS3" for whatever version you want.
Using the Adobe web site search function is futile.
Now, if you had two activations already, just call customer service and they will deactivate one or both for you—after quickly verifying your registration. No big deal.
Click on the link below, and after that click on "Still need Help? Contact us."
Then on the next page, click Chat
There is also a phone option.
http://helpx.adobe.com/contact.html?step=PHXS_downloading-installing-setting-up_licensing-activation -
Almost there.
Scenario:
2504 wlc
Aps 1140
Port 1 lan radius all ok
Port 2 defined for guest wlan directed attach no isp router dhcp
1 utp cable on router acquire ip address
On guest wlan no ip address is given, I think I tried every combination
Any help?
Sent from Cisco Technical Support iPhone App
Scott Fella wrote:
How is the controller setup. You using LAG or not? (NO, it supports???) How many ports on the wlc is connected to the switch? (ONE) What is the ip of your dhcp server? (My lan dhcp - 192.168.2.a)
Post the show WLAN for each of your WLAN's you have created.
WLAN Identifier.................................. 3
Profile Name..................................... Guest WLan
Network Name (SSID).............................. WYguest
Status........................................... Disabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Disabled
AAA Policy Override.............................. Disabled
Network Admission Control
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
--More-- or (q)uit
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Disabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Disabled
--More-- or (q)uit
Accounting.................................... Disabled
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Enabled
CCKM.................................... Disabled
FT(802.11r)............................. Disabled
FT-PSK(802.11r)......................... Disabled
FT Reassociation Timeout......................... 20
FT Over-The-Air mode............................. Enabled
FT Over-The-Ds mode.............................. Enabled
CCKM tsf Tolerance............................... 1000
--More-- or (q)uit
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
H-REAP Local Switching........................ Disabled
H-REAP Local Authentication................... Disabled
H-REAP Learn IP Address....................... Enabled
Client MFP.................................... Optional
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Mobility Anchor List
WLAN ID IP Address Status
Sent from Cisco Technical Support iPhone App -
RADIUS Bandwidth limit on guest WLAN
Hi Everyone,
I'm running a WLAN scenario which includes a WLC 5508 (7.0) and a bunch of CAPWAP access points. I just deployed a guest SSID that implements a RADIUS server (freeRadius) for authentication and accounting the guest users and everything works fine. However I need to limit the bandwidth on a per-user basis having different BW allocated on the users.
In other words:
SSID: "Guest-SSID" with web authentication
Users (download/upload bandwidth limit in kbps): user1 (512/512), user2 (1024/1024), user3 (512/2048)
When user1 connects, he will be able to download/upload at a 512 Kbps data rate, same as user2 with a d/u 1024 Kbps data rate. And user3 will be able to download at 512 Kbps and upload at 2048 Kbps. The 3 users will be connected on the same SSID: "Guest-SSID".
I've been searching and found that the WLC honors some Airespace attributes that may do the magic, however they are not documented anywhere else but the WLC Configuration Guide. I have modified the freeradius Airespace dictionary but when authenticating, when the RADIUS sends the accept message including the attributes, the WLC shows the attribute is considered as unknown, even though the conf. guide shows they must be supported.
I guess it may be caused by a wrong attribute name. Is there something else missing?
This is the WLC AAA debug detail:
(Cisco Controller) >*aaaQueueReader: Mar 19 18:35:08.705: AuthenticationRequest: 0x30b56248
*aaaQueueReader: Mar 19 18:35:08.705: Callback.....................................0x10770a64
*aaaQueueReader: Mar 19 18:35:08.706: protocolType.................................0x00000001
*aaaQueueReader: Mar 19 18:35:08.706: proxyState...................................F4:09:D8:20:11:2F-00:00
*aaaQueueReader: Mar 19 18:35:08.706: Packet contains 11 AVPs (not shown)
*radiusTransportThread: Mar 19 18:35:08.708: AuthorizationResponse: 0x13e25bb0
*radiusTransportThread: Mar 19 18:35:08.708: structureSize................................216
*radiusTransportThread: Mar 19 18:35:08.708: resultCode...................................0
*radiusTransportThread: Mar 19 18:35:08.708: protocolUsed.................................0x00000001
*radiusTransportThread: Mar 19 18:35:08.708: proxyState...................................F4:09:D8:20:11:2F-00:00
*radiusTransportThread: Mar 19 18:35:08.708: Packet contains 9 AVPs:
*radiusTransportThread: Mar 19 18:35:08.708: AVP[01] Unknown Airespace / Attribute 7..........0x00000100 (256) (4 bytes)
*radiusTransportThread: Mar 19 18:35:08.708: AVP[02] Unknown Airespace / Attribute 8..........0x00000100 (256) (4 bytes)
*radiusTransportThread: Mar 19 18:35:08.708: AVP[03] Unknown Airespace / Attribute 9..........0x00000180 (384) (4 bytes)
*radiusTransportThread: Mar 19 18:35:08.708: AVP[04] Unknown Airespace / Attribute 10.........0x00000180 (384) (4 bytes)
*radiusTransportThread: Mar 19 18:35:08.708: AVP[05] Unknown Airespace / Attribute 11.........GRN-Test (8 bytes)
*radiusTransportThread: Mar 19 18:35:08.708: AVP[06] Unknown Airespace / Attribute 13.........0x00000100 (256) (4 bytes)
*radiusTransportThread: Mar 19 18:35:08.708: AVP[07] Unknown Airespace / Attribute 14.........0x00000100 (256) (4 bytes)
*radiusTransportThread: Mar 19 18:35:08.708: AVP[08] Unknown Airespace / Attribute 15.........0x00000180 (384) (4 bytes)
*radiusTransportThread: Mar 19 18:35:08.708: AVP[09] Unknown Airespace / Attribute 16.........0x00000180 (384) (4 bytes)
*aaaQueueReader: Mar 19 18:35:08.718: AccountingMessage Accounting Start: 0x30b56248
*aaaQueueReader: Mar 19 18:35:08.718: Packet contains 14 AVPs:
*aaaQueueReader: Mar 19 18:35:08.718: AVP[01] User-Name................................0x6173 (24947) (2 bytes)
*aaaQueueReader: Mar 19 18:35:08.718: AVP[02] Nas-Port.................................0x0000001d (29) (4 bytes)
*aaaQueueReader: Mar 19 18:35:08.718: AVP[03] Nas-Ip-Address...........................0xc0a89605 (-1062693371) (4 bytes)
*aaaQueueReader: Mar 19 18:35:08.718: AVP[04] Framed-IP-Address........................0xc0a8967b (-1062693253) (4 bytes)
*aaaQueueReader: Mar 19 18:35:08.718: AVP[05] NAS-Identifier...........................WLC-CCIE (8 bytes)
*aaaQueueReader: Mar 19 18:35:08.718: AVP[06] Airespace / WLAN-Identifier..............0x00000006 (6) (4 bytes)
*aaaQueueReader: Mar 19 18:35:08.718: AVP[07] Acct-Session-Id..........................550b5d2c/f4:09:d8:20:11:2f/2 (28 bytes)
*aaaQueueReader: Mar 19 18:35:08.718: AVP[08] Acct-Authentic...........................0x00000001 (1) (4 bytes)
*aaaQueueReader: Mar 19 18:35:08.719: AVP[09] Tunnel-Type..............................0x0000000d (13) (4 bytes)
*aaaQueueReader: Mar 19 18:35:08.719: AVP[10] Tunnel-Medium-Type.......................0x00000006 (6) (4 bytes)
*aaaQueueReader: Mar 19 18:35:08.719: AVP[11] Tunnel-Group-Id..........................150 (3 bytes)
*aaaQueueReader: Mar 19 18:35:08.719: AVP[12] Acct-Status-Type.........................0x00000001 (1) (4 bytes)
*aaaQueueReader: Mar 19 18:35:08.719: AVP[13] Calling-Station-Id.......................192.168.150.123 (15 bytes)
*aaaQueueReader: Mar 19 18:35:08.719: AVP[14] Called-Station-Id........................192.168.150.5 (13 bytes)
My Airespace dictionary:
VENDOR Airespace 14179
BEGIN-VENDOR Airespace
ATTRIBUTE Airespace-Wlan-Id 1 integer
ATTRIBUTE Airespace-QOS-Level 2 integer
ATTRIBUTE Airespace-DSCP 3 integer
ATTRIBUTE Airespace-8021p-Tag 4 integer
ATTRIBUTE Airespace-Interface-Name 5 string
ATTRIBUTE Airespace-ACL-Name 6 string
ATTRIBUTE Airespace-Data-Bandwidth-Average-Contract 7 integer
ATTRIBUTE Airespace-Real-Time-Bandwidth-Average-Contract 8 integer
ATTRIBUTE Airespace-Data-Bandwidth-Burst-Contract 9 integer
ATTRIBUTE Airespace-Real-Time-Bandwidth-Burst-Contract 10 integer
ATTRIBUTE Airespace-Guest-Role-Name 11 string
ATTRIBUTE Airespaces-Data-Bandwidth-Average-Contract-Upstream 13 integer
ATTRIBUTE Airespace-Real-Time-Bandwidth-Average-Contract-Upstream 14 integer
ATTRIBUTE Airespace-Data-Bandwidth-Burst-Contract-Upstream 15 integer
ATTRIBUTE Airespace-Real-Time-Bandwidth-Burst-Contract-Upstream 16 integer
VALUE Airespace-QOS-Level Bronze 3
VALUE Airespace-QOS-Level Silver 0
VALUE Airespace-QOS-Level Gold 1
VALUE Airespace-QOS-Level Platinum 2
END-VENDOR Airespace
This is the configuration guide I'm using:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0MR1/configuration/guide/wlc_cg70MR1/cg_security_sol.html#pgfId-1457964
Table 6-5.
Any help will be really appreciated!
Regards!
Jonathan S.
If you choose to create an entry on the RADIUS server for a guest user and enable RADIUS authentication for the WLAN on which web authentication is performed rather than adding a guest user to the local user database from the controller, you need to assign the QoS role on the RADIUS server itself. To do so, a “guest-role” Airespace attribute needs to be added on the RADIUS server with a datatype of “string” and a return value of “11.” This attribute is sent to the controller when authentication occurs. If a role with the name returned from the RADIUS server is found configured on the controller, the bandwidth associated to that role is enforced for the guest user after authentication completes successfully.
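An added example (not part of the original posts, and not Cisco or FreeRADIUS code): how the Airespace attributes in the debug output above travel on the wire, as RFC 2865 Vendor-Specific attributes that carry vendor ID 14179 and the attribute number but never the dictionary name. The function names and the constructed Access-Accept with a zeroed authenticator are assumptions; the attribute numbers and values are the ones shown in the thread.

```python
import struct

AIRESPACE_VENDOR_ID = 14179   # VENDOR line of the dictionary in the post
VENDOR_SPECIFIC = 26          # RADIUS attribute type for VSAs (RFC 2865, section 5.26)

# number -> (name, type), as listed in the posted dictionary (names spelled as posted)
AIRESPACE_DICT = {
    7: ("Airespace-Data-Bandwidth-Average-Contract", "integer"),
    8: ("Airespace-Real-Time-Bandwidth-Average-Contract", "integer"),
    9: ("Airespace-Data-Bandwidth-Burst-Contract", "integer"),
    10: ("Airespace-Real-Time-Bandwidth-Burst-Contract", "integer"),
    11: ("Airespace-Guest-Role-Name", "string"),
    13: ("Airespaces-Data-Bandwidth-Average-Contract-Upstream", "integer"),
    14: ("Airespace-Real-Time-Bandwidth-Average-Contract-Upstream", "integer"),
    15: ("Airespace-Data-Bandwidth-Burst-Contract-Upstream", "integer"),
    16: ("Airespace-Real-Time-Bandwidth-Burst-Contract-Upstream", "integer"),
}

# Values copied from the AuthorizationResponse in the debug output
SAMPLE_VSAS = [(7, 256), (8, 256), (9, 384), (10, 384), (11, "GRN-Test"),
               (13, 256), (14, 256), (15, 384), (16, 384)]


def encode_vsa(number, value):
    """Encode one Airespace sub-attribute inside a Vendor-Specific attribute."""
    data = value.encode() if isinstance(value, str) else struct.pack("!I", value)
    sub = bytes([number, len(data) + 2]) + data
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", AIRESPACE_VENDOR_ID) + sub


def build_access_accept(identifier, vsas):
    """Constructed Access-Accept (code 2); the authenticator is zeroed, not computed."""
    attrs = b"".join(encode_vsa(n, v) for n, v in vsas)
    return struct.pack("!BBH", 2, identifier, 20 + len(attrs)) + bytes(16) + attrs


def decode_airespace(packet):
    """Return [(number, name, value)] for every Airespace VSA in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("truncated RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    pos, found = 20, []
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        body = packet[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(body) < 4:
            continue
        if struct.unpack("!I", body[:4])[0] != AIRESPACE_VENDOR_ID:
            continue
        sub, i = body[4:], 0
        while i + 2 <= len(sub):
            number, slen = sub[i], sub[i + 1]
            if slen < 2 or i + slen > len(sub):
                raise ValueError("bad sub-attribute length")
            raw = sub[i + 2:i + slen]
            name, kind = AIRESPACE_DICT.get(number, ("Unknown-%d" % number, "octets"))
            if kind == "integer":
                if len(raw) != 4:
                    raise ValueError("integer attribute must be 4 bytes")
                value = struct.unpack("!I", raw)[0]
            elif kind == "string":
                value = raw.decode("utf-8", "replace")
            else:
                value = raw.hex()
            found.append((number, name, value))
            i += slen
    return found


if __name__ == "__main__":
    for number, name, value in decode_airespace(build_access_accept(1, SAMPLE_VSAS)):
        print(number, name, value)
```

Run against the attribute bytes of a captured Access-Accept, the same decoder shows what the controller actually receives, independent of how the attributes are named in the server's dictionary.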
-
Guest WLAN need to re-authenticate for each new tab
Hi,
We installed recently a new WLC 2504 with 22 AP's.
We use web authentication for the guest WLAN.
The problem is: users can login and authenticate but whenever they open a new web browser tab they need to re-authenticate again.
And this for each new tab they open.
Anybody knows how to solve this?
No, the user shouldn't have to reauthenticate for every tab they open, once the client's entry is built in the MSCB they should stay in a RUN state until either the reauth timer or the user idle timer expire.
First I'd upgrade to 7.0.220.0 and see if that resolves the issue. If it doesn't get a TAC case open.
Steve -
Throttling Guest WLAN on WLC 8500
What is the best practise to throttle the Guest WLAN, which is only used for Internet access?
I agree with Steve. The situation is really going to depend on your bandwidth and just how important you feel your guest traffic is. You also have to run a higher version of code at least 7.4 to get more granular with limiting.
But here's something to consider. My deployments are pretty much a controller per facility. I tend to bandwidth limit by (guest) SSID and just provide a 10mbps DOWN and 5mbps UP. Of course depends on the size of the facility and the number of guests. That said my guests users are typically email and browsers but there are more and more video streamers coming online but for now I use 10M and 5m and run about 300 connections with no problems.
***I don't like to modify the Qos profile and limit because that requires that you shut down the radios. I like to modify the override section on the WLAN / Qos settings.
Good luck. -
Using ISE for guest access together with anchor controller WLC in DMZ
Hi there,
I setup a guest WLAN in our LAB environment. I have one internal WLC connection to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal which works fine.
To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
Does anyone know of a better solution for this ? Where to place the ISE for this scenario, etc ?
Thx
Frank
So I ran into a similar scenario on a recent deployment:
We had the following:
WLC-A on private network (Inside)
ISE Servers ISE01 and ISE02 (Inside)
WLC-B Anchor in DMZ for Guest traffic (DMZ)
ISE Server 3 (DMZ)
ISE01 and ISE02 are used for 802.1X for the private network WLAN.
Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth. Since we want to do CWA, we use Mac Filtering with ISE as the radius server. If you send this traffic RADIUS authentication for Mac Filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to. Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails. (This was a limitation of ISE 1.1. Not sure if this persists in 1.2 or not.)
So what now? In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentication from the Foreign controller so that the client will use a DNS of https://ise03.mydomain.com/... to redirect the client to. Once the session is authenticated, ISE03 will send a CoA back to the foreign which will remove the redirect for the session. Note, you do have to allow ISE03 to send a CoA.
In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node. -
Local Authentication for Guest accounts created on WCS
I'm not sure this is technically possible but I have a requirement to set up an SSID on a WLC whereby I can provision guest user accounts from the WCS and have the WLC / SSID authenticate against the guest account created on the WCS. The SSID would not be a web-auth / layer 3 auth model but preferably be able to utilise layer 2 authentication (802.1x) against the account within WCS. Can anyone tell me if this is actually possible?
Thanks in advance for your help.
Cheers
Sent from Cisco Technical Support iPad App
Ok then .. Sounds like you are already very familiar with the wlc..
Let's kick a few ideas around ..
If you want to use WCS lobby then you can't use radius, because WCS will not update radius accounts. But you could use the WLC as a radius server and store the guest account(s) on the WLC. Gives you 802.1X security, WCS lobby admin access and your guest accounts. You can also expire the accounts as well. So you would move the control from radius to the wlc. You can also apply your qos / bandwidth.
Another option would be to create radius accounts. Set up your guest wlan, point it to radius. You can still apply a global bandwidth restriction within the qos profile on the wlc.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection." -
Guest Wlan multiple login with Cisco Identity Services Engine
Dear all,
I have been looking for some details with regards to multiple logins on Guest WLAN.
Currently my customer is facing the following problem
When a Guest Wlan user logs in, the same user could login again on the same time frame,
in other words guest Wlan user can login multiple times.
is this intentional or a bug on the ISE
product name : L-ISE-BSE-250=
any advice or any article related to this would really appreciate it
thanks in advance
Lnacellot
Ok, Ranjane you took me back to 1900BC, had to dig the case up for you.
to be clear this is what customer wants
a guest user concurrently login from two devices at the same time
What he wants is: any given time Guest user should be only able to login once (Ex if you login to your PC and leave it logged on, then go to a another PC with same user you would be able to login – this need to be limited)
So under the User login Policy this should be able to limit to one login
you may want to check the concurrent session limit on the WLC: It is under Security > AAA > User Login Policies. There is a global number, that will limit the concurrent logins from a single user name.
hope it was useful
regards,
lancellot -
How do to set up time limits on a guest network
I have a new generation Airport Time Capsule and I have set up a Guest Network for my kids but I would like to set up time limits on the Guest Network also, is there a way to do it?
It is not possible to set up specific time limits for the Guest Network as a whole, but it is possible to set up individual time limits for each device that will be connecting to the Guest Network.....and, also the main network for that matter.
If you can provide us with some more specifics on what you are trying to accomplish, how many devices will be involved, etc.......that will help us craft our answer to provide accurate information.
Meanwhile, if you want to take a look at the general settings in Timed Access....
Open Macintosh HD > Applications > Utilities > AirPort Utility
Click on the Time Capsule icon, then click Edit
Click the Network tab at the top of the screen
Enter a check mark in the box next to Enable Timed Access
Click on the Timed Access button
Click Cancel to avoid making any changes to your current setup -
Client unable to get IP address on guest wlan
Hi all, I recently setup a 2504 WLC that has two primary WLANs (internal and guest) which get their IP addresses from a central DHCP server using the local router's broadcast forwarding. Things seem to be working well for the internal wlan, but clients on the guest wlan don't seem to be getting IP addresses. If I give the client a static IP they are able to communicate across the wlan okay.
It is worth noting that I am using LAG between the controller and router and this guest wlan is really just a regular wlan (with PSK) that has an access-list applied to force it to the internet only. The access-list should be allowing dhcp requests through, but in any case, I removed the access-list and it made no difference.
Here is a debug client for a machine connected to the guest vlan (vlan 33). The internal wlan is on the 10.10.10.0/24 network (same as wired and same that the AP's are connected to) and the guest wlan is 10.33.0.0/16. I don't understand why I am seeing the dhcp request come from the internal vlan/wlan first and it gets an IP address on this network. I then see a request on the guest wlan/vlan at which point it appears to get a valid IP address on the guest network (10.33.0.0), but the client never sees this.
Thoughts?
Thanks,
Bryan
(Cisco Controller) >debug client 8c:2d:aa:36:ca:a3
*DHCP Socket Task: Feb 25 00:49:32.991: 8c:2d:aa:36:ca:a3 DHCP received op BOOTREQUEST (1) (len 308,vlan 1, port 13, encap 0xec03)
*DHCP Socket Task: Feb 25 00:49:32.991: 8c:2d:aa:36:ca:a3 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Feb 25 00:49:32.991: 8c:2d:aa:36:ca:a3 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Feb 25 00:49:32.991: 8c:2d:aa:36:ca:a3 DHCP xid: 0xbcf5ea3c (3170232892), secs: 0, flags: 0
*DHCP Socket Task: Feb 25 00:49:32.991: 8c:2d:aa:36:ca:a3 DHCP chaddr: 8c:2d:aa:36:ca:a3
*DHCP Socket Task: Feb 25 00:49:32.992: 8c:2d:aa:36:ca:a3 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 00:49:32.992: 8c:2d:aa:36:ca:a3 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 00:49:32.992: 8c:2d:aa:36:ca:a3 DHCP successfully bridged packet to DS
*DHCP Socket Task: Feb 25 00:49:32.992: 8c:2d:aa:36:ca:a3 DHCP received op BOOTREPLY (2) (len 331,vlan 1, port 13, encap 0xec00)
*DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP processing DHCP OFFER (2)
*DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP xid: 0xbcf5ea3c (3170232892), secs: 0, flags: 0
*DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP chaddr: 8c:2d:aa:36:ca:a3
*DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP ciaddr: 0.0.0.0, yiaddr: 10.10.10.165
*DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP siaddr: 10.10.10.246, giaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP server id: 10.10.10.246 rcvd server id: 10.10.10.246
*DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP successfully bridged packet to STA
*DHCP Socket Task: Feb 25 00:49:32.994: 8c:2d:aa:36:ca:a3 DHCP received op BOOTREPLY (2) (len 308,vlan 33, port 13, encap 0xec00)
*DHCP Socket Task: Feb 25 00:49:32.994: 8c:2d:aa:36:ca:a3 DHCP processing DHCP OFFER (2)
*DHCP Socket Task: Feb 25 00:49:32.994: 8c:2d:aa:36:ca:a3 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Feb 25 00:49:32.994: 8c:2d:aa:36:ca:a3 DHCP xid: 0xbcf5ea3c (3170232892), secs: 0, flags: 0
*DHCP Socket Task: Feb 25 00:49:32.994: 8c:2d:aa:36:ca:a3 DHCP chaddr: 8c:2d:aa:36:ca:a3
*DHCP Socket Task: Feb 25 00:49:32.994: 8c:2d:aa:36:ca:a3 DHCP ciaddr: 0.0.0.0, yiaddr: 10.33.1.1
*DHCP Socket Task: Feb 25 00:49:32.995: 8c:2d:aa:36:ca:a3 DHCP siaddr: 10.10.10.246, giaddr: 10.33.0.1
*DHCP Socket Task: Feb 25 00:49:32.995: 8c:2d:aa:36:ca:a3 DHCP server id: 10.10.10.246 rcvd server id: 10.10.10.246
*DHCP Socket Task: Feb 25 00:49:32.995: 8c:2d:aa:36:ca:a3 DHCP successfully bridged packet to STA
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP received op BOOTREQUEST (1) (len 308,vlan 1, port 13, encap 0xec03)
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP processing DHCP REQUEST (3)
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP xid: 0xbcf5ea3c (3170232892), secs: 1, flags: 0
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP chaddr: 8c:2d:aa:36:ca:a3
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP requested ip: 10.10.10.165
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP server id: 10.10.10.246 rcvd server id: 10.10.10.246
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP successfully bridged packet to DS
*DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP received op BOOTREPLY (2) (len 308,vlan 1, port 13, encap 0xec00)
*DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP processing DHCP NAK (6)
*DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP xid: 0xbcf5ea3c (3170232892), secs: 0, flags: 8000
*DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP chaddr: 8c:2d:aa:36:ca:a3
*DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP server id: 10.10.10.246 rcvd server id: 10.10.10.246
*DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP successfully bridged packet to STA
*DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP received op BOOTREPLY (2) (len 308,vlan 33, port 13, encap 0xec00)
*DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP processing DHCP NAK (6)
*DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP xid: 0xbcf5ea3c (3170232892), secs: 0, flags: 8000
*DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP chaddr: 8c:2d:aa:36:ca:a3
*DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP siaddr: 0.0.0.0, giaddr: 10.33.0.1
*DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP server id: 10.10.10.246 rcvd server id: 10.10.10.246
*DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP successfully bridged packet to STA
*apfMsConnTask_1: Feb 25 00:49:35.320: Stats update: Non Zero value
One way to test also is to connect a laptop to a port assigned for the guest vlan. If the device gets an IP, then it's something on the WLC you have to configure. If the device doesn't, then it's a network issue or dhcp server issue.
Sent from Cisco Technical Support iPhone App