Multiple Guest VLANs and Shared WLC

Similar Messages

• Guest Anchor N+1: Multiple guest WLANs and Mobility List

  Hi Experts,
  We are going to replace two guest anchor controllers WLC4402 sitting in different DMZs with two WLC5508 as N+1 redundant pair in one DMZ.
  I assume each guest anchor controller should support multiple guest WLANs. Is it correct?
  And between these two new anchor WLCs, do they need to add each other to Mobility List?
  Or maybe I should ask first, does it matter if they are in the same mobility group or not?
  Thanks
  Cedar

  N+1 for guest anchors isn't what N+1 was designed for.  N+1 was designed for redundancy for WLC's supporting access points, not mobility anchors.  This solution might work, but I really doubt Cisco will support this setup, but I can be wrong.... you can always talk with your local Cisco SE or open a TAC case and ask.
  Guest anchors should have a different mobility group name from the foreign WLC's.  You do need the foreign to have both guest anchors and the guest anchor to just have the foreign WLC(s).  The redundant guest anchors do not need to have each other in the mobility group list.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• 802.1x Guest Vlan and Routed access layer design

  Hi!
  For many reasons, I have to re-design my campus network in a more ISP like way. The plan is to move to a routed access layer in the next two years. I have 802.1x with guest vlan on my access ports(3750). I was reading on the subject and I found that the guest vlan feature was not availeble with internal vlan(routed port).
  Is this limitation realy there, is there a way I can get around it without complicating my design even more. Do cisco have plan to lift this???

  You cannot use/configure 802.1X on a routed port today. Typically, 802.1X is to be used for LAN edge ports.
  The Guest-VLAN should work with a routed access design though. If your Guest-VLAN is chosen to be separate from say otherwise statically configured access VLANs, you would need to configure it via separate SVI with corresponding IP info (in a routed access model).
  Hope this helps,

• Guest VLAN and SSID with a DHCP router

  I want to offer customers wireless access in my building. I've added VLAN 30 to my WAP with no encryption and broadcast the GUEST ssid. I also have a Netgear router plugged into a port with VLAN 30 access. I was hoping the wireless clients would get a DHCP address from this router since they are all on the same VLAN, but I cannot get it too work.
  Does anyone have any insight on this, or another way to setup the guest VLAN?

  You can create a guest VLAN.
  http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a00800e02cb.html#1074827

• Multiple iphoto libraries and sharing (Facebook & iCloud)

  Hi All,
  I have split my iPhoto library into two separate libraries - one for work photos, one for personal photos. This all works nicely and I'm happy with how it went.
  I have a question about sharing photos though...does the sharing I've set up with Facebook and iCloud photostreams travel "with" the library, or is that a higher level, "iPhoto wide" setting?
  For example, say in the formerly single library, I had shared a number of personal photos on Facebook and various shared photostreams. Now, in the new "work" library, I delete those photos. I saw the "update" wheel spinning beside the Facebook item in the sidebar when I did so. Should I have turned off sharing for the "work" library?
  I guess the question comes down to - does (or can) each iPhoto library have its own sharing settings?

  To answer my own question....
  With the "work" library open, I turned off my FB account. Tried opening up the "personal" library, and the FB account was not enabled. So the FB sharing is an "app wide" setting, not a "library level" setting. I turned it back on and I'm good to go. All the pics are still up on FB, and viewable from iPhoto, so I guess it's working fine.
  Seems a bit counter-intuitive to me...I would think that if you had multiple libraries for different people, you would want to be able to associate specific FB accounts with those libraries. I.e. Susie's FB account with Susie's library, Johnny's FB account with Johnny's library, etc.
  But perhaps that's where one would be better off having multiple user accounts on the Mac.

• Guest Vlan - WLC

  Hello
  Which tool can help in getting historical data for Guest VLAN configured on WLC. i.e
  How long the Guest was connected.
  How many times he was connected.
  traffic summary for each connection ( transferred / Received  size)
  Top 5 sites visited by Guest
  thanks
  CP

  Using WCS.. running the detailed client reports we will get these information..
  Regards
  Surendra

• Guest-vlan; catalyst 2960

  Hello,
  I would like to configure a guest-vlan and restricted-vlan on a 2960 switch, but I can not.
  The IOS version (obtained trough: show version) is:
  Switch Ports Model              SW Version            SW Image
  *    1 52    WS-C2960S-48FPS-L  12.2(53)SE2           C2960S-UNIVERSALK9-M
  I am trying to configure the interface using the following commands:
  RAK-ASW01#configure
  Configuring from terminal, memory, or network [terminal]?
  Enter configuration commands, one per line.  End with CNTL/Z.
  RAK-ASW01(config)#interface gigabitEthernet 1/0/11
  RAK-ASW01(config-if)#switchport mode access
  RAK-ASW01(config-if)#dot1x port-control auto
  RAK-ASW01(config-if)#dot1x guest-vlan 17
  RAK-ASW01(config-if)#end
  the result is the following, as if the guest-vlan is not supported:
  RAK-ASW01#show dot1x interface gigabitEthernet 1/0/11
  Dot1x Info for GigabitEthernet1/0/11
  PAE                       = AUTHENTICATOR
  PortControl               = AUTO
  ControlDirection          = Both
  HostMode                  = SINGLE_HOST
  QuietPeriod               = 60
  ServerTimeout             = 0
  SuppTimeout               = 30
  ReAuthMax                 = 2
  MaxReq                    = 2
  TxPeriod                  = 30
  RAK-ASW01#
  similar result is obtained while trying to configure a auth-fail vlan.
  the full configuration file is attached.
  many thanks in advance,
  Alaeddine

  Hi,
  I am trying to see the guest-vlan configuration, but I was not able to see it. Therefore, my first thought was that the guest-vlan is not supported by this IOS release.
  Another point is that, although I am not able to see the configuration of the guest-vlan and the auth-fail vlan, they do exist and they are operational: when I try to connect a device to the switch and it fails to authenticate, the switch connects the device to the restricted vlan.
  So my question is: why I can not see the guest-vlan and the auth-fail vlan configuration?
  Thanks in advance,
  Alaeddine

• Wired guest vlan with ISE

  Hi all,
  For those that have travelled down the path of ISE, is it reliable to put the all switch ports into a guest vlan and rely on the NAM to change that of corporate users? We will be using the NAM any connect supplicant for corporate users, so they should automatically be changed into the corporate vlan on successful authentication. Is this correct and is this reliable?
  Testing now with all ports on the corporate vlan has guests still accessing the corporate vlan initially before they are changed by the java applet upon registering as a guest user.
  Thanks
  Sent from Cisco Technical Support iPad App

  I will try to answer all of your quesitons:
  1.     "With the standard port configuration, is it better to have the switch ports on vlan 40 (guest vlan) by default, and have the corporate users NAM supplicant change the vlan to 20 if successful, or the other way around and have the ports in default state on vlan 20 (corporate) and when a guest hits the web portal have their vlan changed to vlan 40"
            - I suppose the standard is to have the port in the regular/standard VLAN and only put failed           authentications in the guest VLAN. However, with that being said, it really depends on what you are           trying to accomplish, thus I suppose you could try doing it the other way around. I have never tested it nor           deployed it that way so I highly recommend you try that in the lab
  2.     "I wanted to know if the change of vlan for corporate users with NAM is reliable?"
            - Yes it is. Well at least for the most part Some "dumb" devices such as printers, badge readers, etc,           might not know that a VLAN was changed, thus never request a new IP address. As a result, they get           stuck in the guest VLAN. That is why I usually like to NOT use guest VLAN but send all failed           authentications through the guest portal. There you can control who is guest and who is not via dACLs.
  3.     " We also plan on implementing low impact mode, ie open authentication with a default ACL as there are things           like PXE booting that needs to happen"
            - So my guess is that the guest VLAN terminates on some interface such as FW DMZ. That interface           usually has some ACL that blocks all RFC 1918 and permits everything else. If that is the case and you           want to use Low-Impact mode, then you will need to grant the same access on the DMZ interface as the           one granted in the Low-Impact mode ACL otherwise things will break

• 802.1.x guest VLAN problem

  Hi,
  I have configured Guest Vlan in switch port, when i power on PC and i didn't make login, PC after some time goes to Guest Vlan but it didn't acquire an IP address and after some time port goes to unauthorized state and then after some time goes to guest vlan.and so on
  I'm using XP sp2 with:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\Suppli
  cantModeDWORD Value = 3
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\AuthMo
  deDWORD Value = 0
  Could someone give some help,please.
  Thanks
  BR

  The key here is your AuthMode setting to 0. With this setting, if a connection has already been authenticated with machine-auth, the user’s credentials will not be used for authentication. The only way I can imagine that the Guest-VLAN even comes up is of you have configured AuthMode = 0 AND then turned off machine-authentication.
  As for the Guest-VLAN getting deployed to a port, and how quickly this occurs, it's a function of the tx-period timer on the switch port. Once 3 Identity requests go unanswered, AND if you have Guest-VLAN configured, the port can then be enabled into the Guest-VLAN. DHCP cannot happen until a) 802.1x authorizes a port, or b) the Guest-VLAN is enabled (in which 802.1x authorization will time out).
  I have a general question though. What are you looking to accomplish with these specific settings? Based on your registry settings:
  *machine-auth should work if you have both 802.1x-user-auth + 802.1x-machine-auth enabled.
  *user-auth should work if you have 802.1x-user-auth enabled and 802.1x-machine-auth disabled.
  *Guest-VLAN should work if you have 802.1x disabled completely. NOTE: Guest-VLAN should not get deployed in the config, since the supplicant will send EAPOL-Starts, even though you have disabled machine-auth.
  Hope this helps.

• Dot1x guest VLAN on 2960G

  Hi,
  I have a 2960 sw configured for dot1x authentication, the problem is the Guest VLAN and Restricted VLAN didnot work. The switch port was stuck in authenticating status.
  The server is Juniper IC4500.
  Switch is 2960G, IOS 15.0(1)SE2
  the configuration:
  aaa new-model
  aaa authentication login default local
  aaa authentication dot1x default group radius
  aaa authorization exec default local
  aaa authorization network default group radius
  dot1x system-auth-control
  dot1x test timeout 30
  dot1x guest-vlan supplicant
  dot1x critical eapol
  interface FastEthernet0/32
  switchport access vlan 28
  switchport mode access
  authentication event fail action authorize vlan 41
  authentication event server dead action authorize vlan 41
  authentication event server dead action authorize voice
  authentication event no-response action authorize vlan 41
  authentication event server alive action reinitialize
  authentication host-mode multi-auth
  authentication order mab
  authentication port-control auto
  authentication timer reauthenticate 300
  authentication violation protect
  mab eap
  dot1x pae authenticator
  dot1x timeout quiet-period 5
  dot1x max-req 1
  dot1x max-reauth-req 1
  dot1x max-start 1
  spanning-tree portfast
  Anyone with experience on this pls help.
  Thanks,
  hoanghiep

  forgot to mention that multi-auth do not support actions on either no-response or fail authentication events. So you need to set host-mode to MDA or single host.
  Ref:
  http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1454875

• Guest network and multiple VLANs

  Hello all,
  I have installed a pair of 5508 controllers in our network. One controller sits inside the network and APs are configured to associate with that controller. The second controller sits on a DMZ interface off the ASA. I have a guest network configured and it works great. I would like to configure additional guest networks at remote locations. Each guest WLAN will have it's own SSID. Is it possible to map all of these to the same VLAN? Or do I need a seperate VLAN and subnet for each SSID.
  Thanks

  Scott,
  Thanks for the reply. I have created different SSIDs and mapped them to the same VLAN. Everything looks good but I'm getting some strange behaviors on the new SSIDs. It appears that users don't authenticate but I've verified the credentials quite a few times. I wanted to make sure that you could map multiple SSIDs to the same VLAN before I continued troubleshooting.

• 3850 WLC - 5760 Anchor: Multiple Guest SSIDs issue

  Hi,
  I have configured a 3850 Foreign WLC and a 5760 as anchor WLC in a DMZ behind an ASA FW. The Anchor Controller is configured to advertise 3 GUEST Wireless:
  (INSIDE) ---- ASA FW (guest in interface) -------------------------- (Te1/0/1) 5760 ANCHOR (Te1/0/2) -------------------- L3 Link-------------------- (guest out interface) ASA FW ---- (OUTSIDE)
  GUEST1: 10.9.65.0/24 – VLAN 11
  GUEST2: 10.9.66.0/24 – VLAN 12
  GUEST3: 10.9.67.0/24 – VLAN 13
  Management VLAN 1: 10.8.252.1 (Anchor Management VLAN – Mobility)
  The link between the WLC and the Guest OUT Interface on the ASA Firewall is a L3 Link, NOT a Trunk.
  The 5760 WLC is also a DHCP server for the three client VLANs above. I have also configured 3 SVIs as default gateways for these VLANs:
  Interface vlan 11 – 10.9.65.1
  Interface vlan 12 – 10.9.66.1
  Interface vlan 13 – 10.9.67.1
  wgh-anchorwlc5760-primary#show ip interface brief
  Interface              IP-Address      OK? Method Status                Protocol
  Vlan1                  10.8.252.1      YES NVRAM  up                    up
  Vlan11                 10.9.65.1       YES manual up                    up
  Vlan12                 10.9.66.1       YES manual up                    up
  Vlan13                 10.9.67.1       YES manual up                    up
  GigabitEthernet0/0     10.8.252.85     YES NVRAM  down                  down
  Te1/0/1                unassigned      YES unset  up                    up
  Te1/0/2                10.8.253.1      YES NVRAM  up                    up
  Capwap0                unassigned      YES unset  up                    up
  If a client connects to GUEST1 SSID it gets an IP address in VLAN 11 and its default gateway is 10.9.65.1.
  If a client connects to GUEST2 SSID it gets an IP address in VLAN 12 and its default gateway is 10.9.66.1.
  If a client connects to GUEST3 SSID it gets an IP address in VLAN 13 and its default gateway is 10.9.67.1.
  Mobility is UP and I can see clients connected to the Anchor WLC either in IPLEARN or WEBAUTH_PEND state. DHCP is working fine, clients get an IP and the right default gateway and DNS servers when connect, for example, to GUEST1.
  anchorwlc5760-primary#show wireless client summary
  Number of Local Clients : 3
  MAC Address    AP Name                          WLAN State              Protocol
  04f7.e482.b21c N/A                              2    IPLEARN            Mobile
  bc3e.6d32.17f6 N/A                              2    IPLEARN            Mobile
  a826.d5b3.5ae8 N/A                              2    WEBAUTH_PEND       Mobile
  However, they are not able to ping the default gateway – SVI VLAN 11: 10.9.65.1, so I can not see any traffic leaving the Anchor WLC to continue with the Web Authentication Process (cwa) using ISE. I can see that the authorization policy (“unkown” and the URL to ISE) has been pushed to the clients but I am not redirected to ISE Web Authentication Portal when I open my web browser. I have done some captures on the FW interfaces but I cannot see any traffic coming from the clients.
  I know that usually there is a Trunk (that allows client VLANs) between a WLC and L3 Switch when you configure multiples SSIDs and then configure the SVIs on the L3 Switch. However, I think this design with a L3 Link should work too because 5760 is a WLC+L3Switch.
  My question is: Why clients are not able to ping their default gateway?
  I hope it makes sense.
  I appreciate any thoughts and help. Thanks in advance.
  Joana.

  Hi,
  I couldn't get it working (I doubt if it is really possible). I had to add a switch between the 5760 Anchor Controller and the ASA Firewall:
  (INSIDE) ---- ASA FW (guest in interface) -------------------------- (Te1/0/1) 5760 ANCHOR (Te1/0/2) -------------------- SWITCH-------------------- (guest out interface) ASA FW ---- (OUTSIDE)
  The link between the 5760 and the Switch is configured as a Trunk and it allows the 3 Guest SSIDs (VLANs). The link between the Switch and the ASA FW is configured as a Layer 3 link. I also set up the default gateways for the 3 GUEST VLANs in the Switch (3 vlan interfaces) and the 5760 as DHCP Server.
  I hope it helps.
  Joana.

• Guest VLAN - FlexConnnect Central Switching vs Anchor WLC

  I have a general question about securing the guest WLAN in FlexConnect deployment -
  Option 1: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC and the guest VLAN is trunked from that WLC to the firewall DMZ through a switch
  Option 2: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC but tunneled to an anchor WLC in DMZ
  Option 3: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC and an ACL is applied to the Guest interface/VLAN in the WLC itself
  What would be the best option in the FlexConnect Centralized WLC deployment to restriect guest traffic from accessing corporate network? What are the advantages and disadvantages of those three options?
  I would highly appraciate your input on this topic.
  Thank you.

  Yes, you're right.
  Once anchor/tunnel goes down, all the L3 services will be initiated for guest wlan from the Foreign until the Anchor comes up.
  On Anchor down situation - Need to configure the foreign WLC's guest wlan mapped to dummy interface, this way guest clients will have no network access.
  If multiple Anchors are mapped to the datacenter's foreign on the guest wlan then the guest users will tunnel the traffic to available anchor, by default it'll round robin among anchors.

• NAC Guest Server and WLC's

  Just wanted to know if this will work or not...
  I was looking at a design from a client and they had two CAM and CAS plus a Guest server. My client wants to use the equipment above for guest access. The problem I'm having is that I'm building a wireless network with guest anchor WLC's in the DMZ. So my wireless users will be tunneled to the DMZ controller. Also, the WLC can have a splash page uploaded to it and also authenticate users locally in the DB. They don't want any remediation, just authentication.... is this a waste of money or would would actually implement this?

  I've some (very) basic questions.
  Let's say guest vlan = x
  1)vlan x should be created on the foreign controllers as on the anchor controller, with the same properties
  2)on the anchor controller a dynamic interface has to be created acting as default gateway for the guest clients.
  3)it's advised to place the guest server in the guest vlan? Eg. Somewhere in the server farm?
  4)Once traffic coming from the guests is arrived at the anchor controller. (I know to less of WLC ;)) Will it forwarded with as source IP, the IP of the anchor controller towards the anchor default gateway (firewall or internet router?)
  4)authentication: user connect to SSID guest and opens a browser. The user is redirected and a login page is displayed. Is this page downloaded from the anchor controller? I think it is and pushed via WCS. So Guest NAC server has nothing to deal with this page? Correct?
  The anchor controller polls the nac guest server with the given credentials. Anchor controller forwards the credentials to the NAC guest server. The NGS replies with authenticated or not. If authenticated. The guest can browse. Probably on regular base, the anchor controller will poll the NAC guest in order to check if he's still authenticated and if enabled pass information to the NAC guest for accounting. Is this somehow ok?
  I've found to open the following ports in the firewall:
  UDP 97 for EoIP
  UDP 16666 for intercontroller traffic
  and 1812/1813 for Radius.
  Thanks in advance

• NAC Guest Server and Multiple Guest SSID's/Splashpages

  Hi All,
  If I have multiple guest SSID's on a single controller and I use NGS as the Radius. How do I configure NGS to "send" the clients to differnet login pages corresponding to the SSID they came from.
  I can configure different splash pages in HotSpots section but how do I map the different SSID's from the controller to the different splash pages. Then I guess that raises the question when I generate guest users on NGS is it possile to only allow them associate to a specific SSID.
  TIA,
  Eoin.

  Hi Nicolas,
  Thanks for the reply. I can see that config on the WLC and have used it before where there is only a single guest SSID. What I dont know is if the NAC Guest server sees radius requests coming from different guest SSID's on the same WLC. How does the NAC Guest server apply the correct guest policy to that user. And when sponsors genereate guest accounts how do they specific which policy is to be applied to that guest so it can only get access to a specfic guest network/SSID I'm not sure where the "mapping" of accounts/splash pages/policies takes place on the NAC guest server. I've only ever set up NAC Guest when there has been a single guest SSID.
  Regards,
  Eoin.