Multiple redirect URLs for multiple guest VLANs

We are trying to implement 2 guest WLANs tunneled to our DMZ and want to redirect users to 2 different URLs (one for each WLAN) when they click the "Accept" button. We are running 6.0.182 on the DMZ controllers and have a customized web passthrough page currently working for the 1st WLAN.
It appears that only 1 redirect URL can be configured via the command line (config custom-web redirectUrl), and we haven't had much luck modifying the web page for the 2nd WLAN to redirect correctly. Is this supported? Thanks

Since you are on version 6, the config guide mentions the following in Chapter 10 (and talks about how to do a "global override" per WLAN):
Assigning Login, Login Failure, and Logout Pages per WLAN
You can display different web authentication login, login failure, and logout pages to users per WLAN. This feature enables user-specific web authentication pages to be displayed for a variety of network users, such as guest users or employees within different departments of an organization.
Different login pages are available for all web authentication types (internal, external, and customized). However, different login failure and logout pages can be specified only when you choose customized as the web authentication type.

Similar Messages

  • Https redirection issue for Wireless Guest CWA - ISE 1.3

    Our Setup is
    ISE 1.3 (Patch level 2) running on ACS 1121
    2 nodes clustered with Admin, monitoring, policy service enabled ( Primary and Secondary ).
    Configured SSID Guest for Centralized web authentication with ISE.
    We have issues in web redirection with Chrome. It is not redirecting to the ISE page but rather showing "Page cannot be displayed".
    By default Chrome is pointing to https. For example if we type https://google.com it is not redirecting to ISE page. But when I specify the same as http://google.com it works.
    There is no issue with IE, Firefox as it is redirecting to ISE page with default https and I can see it is hitting our rule.
    Please advise.

    Hi Neno
    They are using a third party certificate (digi cert) for client auth. They have confirmed even if they use a self-signed-cert the result is same.
    So basically none of the https page is not loading. If we manually browse some https site from Firefox, IE the result is same showing " page cannot be displayed".
    Redirection to https is the problem which i have never faced with my other customer. This is the upgraded version of ISE from 1.2 to 1.3.

  • [iPhone] Multiple markers URL for Maps

    Hi! Is there any way to send from your app multiple coordinates to the maps application so it would pin these multiple place?
    With the openURL: method I've only been able to pin one place. Maybe I'm missing some URL parameter format or something like that.

    Hi, I'm trying to do exactly that and it's not working.
    What is the fully qualified URI, i.e. your {KML_FEED} in your url?
    I tried every possible combination:
    "file://localhost/private/var/mobile/Applications/.../tmp/myfile.kml"
    "file:///private/var/mobile/Applications/.../tmp/myfile.kml"
    "/private/var/mobile/Applications/.../tmp/myfile.kml"
    etc...
    And when creating the maps:// url, I also escape that file url but it still fails. How are you making it work? Thanks!

  • Authorization Failure Redirect URL in OAM

    Hi,
    From OAM policies i want to redirect a user to Authorization Failure page by configuring redirect URL for Authorization Failure. But user is always redirected to OAM operation error page (with an error message that URL .. has been denied for the user) in case of Authorization Failure..How to redirect the user to my AuthFail.html page ? I am able to redirect the user to AuthenticationFailure page incase of authentication failure..but not able to redirect in case of authorization failure..how to achieve this?
    Thanks & Regards,
    Srikanth

    Hi,
    I am new to OAM and facing the same error in Authz Rule. Did your issue get resolved?
    When I tested the URL with access tester for authz failure scenario, I got Authorized Inconclusive.
    I do understand if I mention the AuthFail.html in the redirection URL Authz Inconclusive, the user would be able to see the appropriate error page. But I wanted to understand the reason for authz getting into inconclusive condition. Can someone provide me clarity on this?
    Thanks!

  • Guest VLAN cannot ping gateway

    Hi Sir,
         I have an issue wherein my guest vlan cannot ping its gateway thus it can't go through the web auth page. I have been given an ip address with corresponding gateway, subnet and dns for the guest vlan. I have allowed all the vlans in the trunk port for wlc and ap connection.
         What do you think is the problem? Hope you could help on this.
    thanks.
    Regards,
    Neri

    Hi Neri
    The way this should work is that the client connects to the guest network and gets an IP address from DHCP. The DHCP configuration should include the default gateway and must include a DNS address.
    When the client opens a web browser the browser tries to connect to the configured home page. This means that a DNS lookup is sent out and the controller intercepts it and forwards it on. Providing there is a response from the DNS server the controller will cause the client browser to re-direct to the web authentication login page.
    It is therefore essential that the controller can see the DNS server. Forget the PING for now - DNS is a must. You can prove the rest of the system by ensuring the guest client has an IP address. Open the client browser and try and connect to http://1.1.1.1 (assuming your virtual interface on the controller is 1.1.1.1). If you get re-directed to the web authentication login page then the issue is a DNS issue.
    Regards
    Roger

  • 802.1.x guest VLAN problem

    Hi,
    I have configured Guest Vlan in switch port, when i power on PC and i didn't make login, PC after some time goes to Guest Vlan but it didn't acquire an IP address and after some time port goes to unauthorized state and then after some time goes to guest vlan.and so on
    I'm using XP sp2 with:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode DWORD Value = 3
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\AuthMode DWORD Value = 0
    Could someone give some help,please.
    Thanks
    BR

    The key here is your AuthMode setting to 0. With this setting, if a connection has already been authenticated with machine-auth, the user’s credentials will not be used for authentication. The only way I can imagine that the Guest-VLAN even comes up is if you have configured AuthMode = 0 AND then turned off machine-authentication.
    As for the Guest-VLAN getting deployed to a port, and how quickly this occurs, it's a function of the tx-period timer on the switch port. Once 3 Identity requests go unanswered, AND if you have Guest-VLAN configured, the port can then be enabled into the Guest-VLAN. DHCP cannot happen until a) 802.1x authorizes a port, or b) the Guest-VLAN is enabled (in which 802.1x authorization will time out).
    I have a general question though. What are you looking to accomplish with these specific settings? Based on your registry settings:
    *machine-auth should work if you have both 802.1x-user-auth + 802.1x-machine-auth enabled.
    *user-auth should work if you have 802.1x-user-auth enabled and 802.1x-machine-auth disabled.
    *Guest-VLAN should work if you have 802.1x disabled completely. NOTE: Guest-VLAN should not get deployed in the config, since the supplicant will send EAPOL-Starts, even though you have disabled machine-auth.
    Hope this helps.

  • Using a variable to insert into a URL for redirecting clients

    I got a good one, can anyone help on this?
    Using RoboHelp Version 8.02.208.
    My company uses MicroStrategy to deploy several web-based data analysis products.
    Each of these data products (there are 5) are deployed on different servers.
    I have set up a single source WebHelp project and use build tags for product specific help output.
    (I also have to modify the Start Page, TOC and Default Topic settings prior to generating each product help)
    Everything on this works fine and is not a problem.
    We have just implemented an Excel add-in for one of the products.
    That add-in uses a locally installed CHM file for its help.
    In order to provide customized help that can be updated without forcing the clients to reinstall the CHM help file locally, the source for the CHM file has one dummy topic. In that topic, I have used HTML code to redirect the client to the WebHelp for the product and have integrated the Excel add-in help to that product’s customized help. The result is that the CHM file is opened locally in the HTML help viewer. Inside the HTML help viewer window, I open the WebHelp.
    The redirect HARD CODES the URL with the product specific server name and Start Page help topic.
    That works fine and is not a problem for ONE PRODUCT.
    We are in the process of adding this Excel add-in to other products.
    Now here is where I cannot get this to work with my implementation.
    The URL for each product is different and to make matters worse, the Start Page is different for each product as well.
    So, I am working on options for implementation of multiple products and here is my question:
    (1)    The following is an example of the redirect in the single topic of the CHM file:
    <meta http-equiv="refresh" content="0;URL=https://server.com/ProductName/WebHelp/StartPage.htm#mergedProjects/ExcelPlugIn/Overview.htm" />
    (2)    The red portion of the URL above will need to be modified to support each individual product with a custom server, product name and start page HTM file name.
    Is there a way to:
    (1)    Add a variable in this HTML code
    (2)    Once the product is identified, update the variable with the product specific URL content
    (3)    Integrate the variable into the target URL of the HTML code that does the redirect
    I think this is either not possible or more work than needed. My other option is to provide standalone Excel add-in help on a server and just have the Excel plug-in go to that (right now it is integrated into the product specific help and the client has access to the plug-in help AND the application help all at the same place).
    Thanks to all in advance for any help/suggestions.
    Michael F Weart

    Thanks for the feedback - here is more information on the challenges of this implementation:
    I can only distribute one CHM file to cover all 5 web-based products that can be accessed through the Excel plug-in.
    Regardless of which of our 5 products is used to install the plug-in on the client's local hard drive, the same installer is used.
    That one CHM file is installed locally on the client's hard drive.
    (The out of the box CHM file for the plug-in only has general plug-in help content; the local install causes problems for updating the content).
    We needed to be able to easily update the help without inconveniencing the clients.
    So, I am not creating 5 different CHM files for each installer, since there is only one installer regardless of how many of the 5 products they have.
    The plug-in has a server setting and web service setting for each product and the client must choose which they are accessing when they fire up the plug-in.
    They may be accessing the plug-in for any of our 5 web-based products they have subscriptions for.
    Which means, the one CHM file must be able to:
    (1) determine the product they are accessing
    (2) direct to one of the 5 servers with the online help.
    Each of the 5 online helps are deployed on separate servers with different URL links (and the helps have all different URL links as well).
    These online webhelp outputs have some identical content but also some customized content for the specific product they are actually accessing.
    My original approach was pretty much the same as William's above. Have a variable in the CHM help, determine the server they are accessing from the plug-in and insert the customized portion of the URL to access the appropriate webhelp.
    Keep the ideas/suggestions coming.
    I also have a development person looking into how to update a variable on the CHM side to populate the URL.
    Michael F Weart

  • Generic HTTP URL For Multiple Interfaces

    Hi All,
    Please suggest on the following requirement. I am using PI 7.31 Single stack (Java only version).
    There are multiple HTTP to Proxy interfaces and each interface has different source structure.
    The requirement is --- How to utilize a single HTTP URL for all the interfaces.
    The major challenge is the source structure for all the interfaces is different.
    Kindly Suggest....
    Regards,
    Nitin...

    Hi Nitin,
    One solution is to create one sender interface (with either multiple operation of each interface or having all structure in different node and optional occurrence), then use operation specific mapping.
    refer the below example for multiple operation scenario
    Setup Multiple Operations Scenario in ESR and ID
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/90dcc6f4-0829-2d10-b0b2-c892473f1571?overridelayout=t…
    regards,
    Harish

  • Multiple Guest VLANs and Shared WLC

    Hi,
    I would like to add a second Internet ASA5xx gateway to our guest anchor wlc in the DMZ, which is connected to a guest vlan switch, so that the guest anchor wlc can connect guest users to two separate Internet gateways (i.e. guest vlan1 and vlan2). Two guest wireless networks are created in our environment, say SSID1 and SSID2, each anchoring to the guest WLC in the DMZ by Internal wlcs. I want to assign a different ip subnet to the two guest wireless SSIDs, say 10.251.255.0/24 and 10.251.256.0/24, to be provided by DHCP servers in the two ASA5xx.
    I want to implement this by creating a second guest vlan interface in the guest anchor wlc and assign/connect this to the new ASA5xx box for the second Internet gateway. The second guest wireless SSID will be homed/anchored to this guest vlan2.
    Please advise how best I should implement this.
    many thanks
    Sankung   

    It sounds like you already have this done.  You have the second SSID already, you would need to create the second interface with the appropriate VLAN tag and subnet range.
    Then on the internal anchor the SSID to the same SSID in the DMZ
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html#wp999843
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • "Redirection limit for this URL exceeded" can't open web page

    hi,
    I have portal 2005Q4 running with a gateway. I created a portlet based on the iframe provider. This portlet points to http://iisserver.
    iisserver is a server on our LAN. When you go to http://iisserver, it automatically redirects you to http://iisserver/auth/login.aspx. But when I use the iframe portlet to access this server, I get the following error message "Redirection limit for this URL exceeded. Unable to load the requested page. This may be caused by cookies that are blocked" and nothing shows up. Of course cookies are not blocked.
    So In the amconsole > service configuration > SRA config > gateway > URLs to which User Session Cookie is Forwarded, I added http://iisserver. Usually this solves this error message. But not today. So I replaced http://iisserver by http://iisserver/auth/. After this change I was able to see the redirection page but then the redirection failed with the same error message. And I still cannot see http://iisserver/auth/login.aspx in the portlet.
    I hope someone can help


  • One punch-out URL for multiple PO submissions

    Hi,
    One of our punch-out vendor has only 1 URL for multiple countries, where end-users have to choose the country from a drop-down list and they will have different PO submission address based on country.
    The problem will be I can only have 1 Vendor number when I define OCI parameters. Considering one vendor can only have 1 PO submission address, I am worried how I can deal with other countries ?
    Did anybody get this issue before?
    Thanks.

    Nobody knows??

  • Guest VLAN unable to get DHCP IP address from Anchor Controller

    Hello everybody,
    In our test set up, we have two WLC 5508 Controllers connected via Checkpoint UTM-1 firewall Inside and DMZ Interfaces. Both the WLC controllers are connected to the firewall via Cisco 3750 switch. On the Local (Inside) Controller, guest SSID is enabled and attached to the wireless management Interface. On the remote anchor controller, guest SSID is enabled and attached to the Management Interface as well. The following configs are replicated on both the Controllers.
    SSID Name - guest
    Interface - Management ( VLAN 10 on Local and VLAN 20 on remote) -
    Mobility Group: Same configs at both ends
    SSID Anchor : Anchor SSID on local and local SSID on Anchor.
    AP: CAPWAP 3502 Management Subnet
    SSID Security etc all defaults and matching on  both ends
    Checkpoint Firewall Rules: Allowed 16666-7, IP 97 etc on the firewall
    Checkpoint Inside/DMZ to Outside(Internet) is NAT enabled.
    EoIP Tunnel Status: Up, UP - Both ends
    Mping - OK
    eping - OK
    WLC Software Version on Local - 7.0.98.0
    WLC Software Version on Local - 7.0.116.0
    DHCP Scope: Definitions on Anchor Controller and Guest Anchor SSID points to the Anchor management IP as the Primary DHCP server.
    Management IP Subnet on Local: 10.x.x.x
    Management IP Subnet on Anchor: 172.x.x.x
    The problem definition as follows:
    When guest SSID associates to the local AP, the guest SSID never gets a DHCP address assigned from the Anchor Controller and the following debugs are obtained.
    1. WLAN ID 1 (for Guest SSID Number) delete message appears in the Controller message logs, but the SSID does not DHCP from the local Management Subnet and i can see DHCP request via the tunnel to the Anchor WLC as follows:
    DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 0, port 13, encap 0xec03)
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54774 (1237665652), secs: 42, flags: 0
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   chaddr: 64:b9:e8:33:2d:13
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to EoIP tunnel
    2. Similar debugs on the Anchor controller yields the following results;
    Cisco Controller) >*DHCP Socket Task: Feb 25 04:30:25.488: 64:b9:e8:33:2d:13 DHCP options end, len 72, actual 64
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 20, port 1, encap 0xec05)
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54778 (1237665656), secs: 52, flags: 0
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   chaddr: 64:b9:e8:33:2d:13
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 20, port 1, encap 0xec05)
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54778 (1237665656), secs: 61, flags: 0
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   chaddr: 64:b9:e8:33:2d:13
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS
    *apfOrphanSocketTask: Feb 25 04:37:49.931: 34:51:c9:59:b1:c7 Invalid MSCB state: ipAddr=169.254.254.148, regType=2, Dhcp required!
    Is there anything missing in the wireless configs and/or the firewall rules, as I could not see DHCP request back from the Anchor Controller? Also, after DHCP is obtained, the web authentication request will be redirected to an Amigopod device for authentication. In this case is the redirect URL configuration to be performed only on the Anchor Controller or is this to be replicated on both the Local and Anchor Controllers?
    Thanks and Regards.

    The DHCP issue is resolved if external DHCP server is configured on a 3750 switch connected to the WLC and the default gateway for DHCP points to the Firewall, which is in the data path between the Inside and Anchor Controllers. DHCP is essentially bridged (no Proxy setting now) from the EoIP tunnel to the Distribution system network. We will test this solution on pilot production and then consider upgrading to 7.0.116.0, as there are about six offices running 7.0.98.0, which will need to be upgraded. 
    For L3 security, configuration is set up on both the controllers for external captive portal redirection. I will try this only on the Anchor and revert.
    Thanks again very much for all your help.
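
The symptom in the debugs above (DISCOVERs bridged onward, no reply ever logged for the client) can be checked mechanically. This is an added example, not part of the original thread: it parses `debug dhcp` lines in the format shown in the post and lists clients whose DISCOVERs never receive an OFFER or ACK. The lines for 64:b9:e8:33:2d:13 are taken from the post; the second client, its MAC and its BOOTREPLY/OFFER lines are constructed, and their format is an assumption modelled on the BOOTREQUEST lines.

```python
import re
from collections import defaultdict

# Sample input. Lines for 64:b9:e8:33:2d:13 come from the post (local controller,
# then anchor). Lines for aa:bb:cc:00:00:01 are CONSTRUCTED; the reply format is assumed.
SAMPLE = """\
DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54774 (1237665652), secs: 42, flags: 0
*DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to EoIP tunnel
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54778 (1237665656), secs: 52, flags: 0
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54778 (1237665656), secs: 61, flags: 0
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS
*apfOrphanSocketTask: Feb 25 04:37:49.931: 34:51:c9:59:b1:c7 Invalid MSCB state: ipAddr=169.254.254.148, regType=2, Dhcp required!
*DHCP Socket Task: Feb 25 04:40:01.100: aa:bb:cc:00:00:01 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Feb 25 04:40:01.350: aa:bb:cc:00:00:01 DHCP received op BOOTREPLY (2) (len 308,vlan 20, port 1, encap 0xec00)
*DHCP Socket Task: Feb 25 04:40:01.350: aa:bb:cc:00:00:01 DHCP processing DHCP OFFER (2)
"""

# search() rather than match(): some pasted lines lack the leading '*' or carry a prompt.
LINE_RE = re.compile(
    r"DHCP Socket Task: (?P<ts>\w{3} +\d+ [\d:.]+): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) DHCP\s+(?P<msg>.*)$",
    re.IGNORECASE,
)
TYPE_RE = re.compile(r"processing DHCP (\w+) \(\d+\)")
XID_RE = re.compile(r"xid: 0x([0-9a-f]+) \(\d+\), secs: (\d+)", re.IGNORECASE)
BRIDGE_RE = re.compile(r"successfully bridged packet to (.+)$")


def summarize(log_text):
    """Return per-client DHCP counters keyed by lower-case MAC address."""
    clients = defaultdict(lambda: {
        "discovers": 0,       # DISCOVER messages seen from the client
        "replies": 0,         # OFFER/ACK messages seen for the client
        "xids": set(),        # transaction ids; a new xid means the client restarted
        "bridged_to": set(),  # where the controller forwarded the packets
        "max_secs": 0,        # highest 'secs' value: how long the client has been trying
    })
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a DHCP Socket Task line (e.g. apfOrphanSocketTask)
        c = clients[m["mac"].lower()]
        msg = m["msg"]
        if (t := TYPE_RE.search(msg)):
            if t[1] == "DISCOVER":
                c["discovers"] += 1
            elif t[1] in ("OFFER", "ACK"):
                c["replies"] += 1
        if (x := XID_RE.search(msg)):
            c["xids"].add(x[1].lower())
            c["max_secs"] = max(c["max_secs"], int(x[2]))
        if (b := BRIDGE_RE.search(msg)):
            c["bridged_to"].add(b[1].strip())
    return dict(clients)


def stalled_clients(summary):
    """MACs that sent at least one DISCOVER and never saw an OFFER or ACK."""
    return sorted(mac for mac, c in summary.items()
                  if c["discovers"] and not c["replies"])


if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for mac in stalled_clients(summary):
        c = summary[mac]
        print(f"{mac}: {c['discovers']} DISCOVERs, no reply, "
              f"retrying for {c['max_secs']}s, bridged to {sorted(c['bridged_to'])}")
```

A client that shows "bridged to DS" on the anchor with zero replies has its request leaving the controller, so the place to look next is the DHCP server and the path behind the anchor rather than the EoIP tunnel.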

  • Guest Vlan on unmanaged network

    I've bought some unifi wifi access points which I want to add to our network. We use a mix of cisco and netgear switches (I'll be phasing out the netgears over time). I'd like to make a guest vlan for the wifi, I'm just not sure how is best to do it, there are some details on a possible setup here.
    At the moment we have an unmanaged network so everything is using vlan1
    We use 2 Cisco Pix 515e firewalls (One as backup), they go directly to a switch, then we use a Windows server for DHCP. The config for firewall (fw1) the interface that connects to a switch is:
     speed 100
     duplex full
     nameif inside
     security-level 100
     ip address 192.168.135.248 255.255.192.0 standby 192.168.135.249
    on the switch it connects to called sw1 (C2950-I6Q4L2-M) the port is configured like so:
    interface FastEthernet0/15
     switchport mode trunk
     switchport nonegotiate
     speed 100
     duplex full
    Port Gi/02 connects to the next switch which is a netgear GS748T (sw2) which then connects to various other switches
    interface GigabitEthernet0/2
     description Netgear GS748T
     switchport trunk allowed vlan 1-4
     switchport mode trunk
     switchport nonegotiate
     speed 1000
     duplex full
     flowcontrol receive desired
    (There are some other vlans created, not sure what they are for yet, I'm new here!)
    We've just bought a Cisco WS-C3650-24PS - sw3
    I was thinking of only plugging in the wifi access points into cisco switches only and creating a Vlan - Vlan20 and only allowing Vlan20 to specific ports if this is possible?
    I'm a beginner at this so the theory is there but not sure how to execute it!
    I'm thinking on the firewall fw1
    eth2
     speed 100
     duplex full
     nameif guest
     security-level 90
     ip address 192.168.0.248 255.255.255.0 standby 192.168.0.249
    on sw1 connect Gi0/2 to sw3 Gi1/1/1
    config to be
    switchport trunk allowed vlan 20
    switchport mode trunk
    switchport nonegotiate
    speed 1000
    duplex full
    sw3 will already have vlan1 going to it as part of the unmanaged network as it is connected to another switch on another port already.
    So my question is how do I setup the dhcp server on sw3 for vlan20 (192.168.0/24)
    And how would both vlans get sent to the wifi access points which are patched into sw3 but without vlan 20 traffic being sent other ports which do not have the ap's connected to them? I would also like to allow vlan20 to another cisco switch.
    Or if is the wrong way of doing it let me know a better solution
    Apologies in advance if this is not making much sense!

    I actually use UniFi APs in our environment too, great little APs as long as you buy the Pro models (the standard ones have their shortfalls).
    I think your PIX config looks good (it's been a while since I've touched one so I'd have to login to the 525 I have at home to confirm) Just ensure it's configured to disallow traffic from your guest VLAN to the internet network, if memory serves there's an option that's on by default to disallow traffic from a higher security if to a lower.
    It may be better to configure Sw1/0/2 and Sw3/1/1/1 with all of your VLANs, if you want redundancy you can create a LAG between the two with multiple ports. If you use different links for different VLANs and down the road something happens and both of those ports become active on the same VLAN (I/E you or someone else forgets that you're using different uplinks for different VLANs) if STP isn't setup properly you'll create a loop on that VLAN potentially flooding the network with broadcast traffic.
    As for the UniFi config, you configure the ports that the APs connect to as trunks, I assume you'll be managing the APs over VLAN 1 so the ports should be VL1 untagged, VLAN 20 tagged.
    The UniFi Controller software is used to set up and manage the APs; if you haven't already done so, install it. Once you have it installed you want to create two SSIDs: one without VLAN tagging enabled which will be your internal SSID, and another with VLAN tagging enabled for VL20 which will be your guest SSID. This way when a client connects to the Guest SSID the AP(s) will tag their traffic VLAN 20, so on ingress to SW3 the traffic will be tagged with the correct VLAN.
    The attached is a screen from my UniFi guest SSID config, you can also assign guests to a user group, which allows you to limit the bandwidth at the AP.

  • Wlc 5508 and wireless guest vlan

    Hi guys,
    I have a 5508 running(version 6).
    I have an adsl releasing public IP for guest users mapped into vlan 10.
    Now i want use this adsl only for wireless guest users
    How can I create an ssid and associate to vlan 10 without using ip address (dynamic interfaces require an ip address, mask, default gateway, etc.)?
    Thx in advance.

    Hi,
    the fact that you can't ping in the guest SSID is normal. That SSID blocks all traffic until you authenticated on the web page.
    If your users are using a proxy to browse the web, all you need to do is to add an exception in the client browser for "1.1.1.1" if that is your virtual ip. So that the proxy doesn't get contacted when client is redirected for authentication.
    The second step is to make WLC listen on the proxy port (often it's 8080 for example). Command is "config network web-auth-port" :
    http://www.cisco.com/en/US/partner/docs/wireless/controller/6.0/command/reference/cli60.html#wp1728200
    Hope this helps,
    Nicolas

  • Guest VLAN - FlexConnect Central Switching vs Anchor WLC

    I have a general question about securing the guest WLAN in FlexConnect deployment -
    Option 1: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC and the guest VLAN is trunked from that WLC to the firewall DMZ through a switch
    Option 2: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC but tunneled to an anchor WLC in DMZ
    Option 3: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC and an ACL is applied to the Guest interface/VLAN in the WLC itself
    What would be the best option in the FlexConnect Centralized WLC deployment to restrict guest traffic from accessing corporate network? What are the advantages and disadvantages of those three options?
    I would highly appreciate your input on this topic.
    Thank you.

    Yes, you're right.
    Once anchor/tunnel goes down, all the L3 services will be initiated for guest wlan from the Foreign until the Anchor comes up.
    On Anchor down situation - Need to configure the foreign WLC's guest wlan mapped to dummy interface, this way guest clients will have no network access.
    If multiple Anchors are mapped to the datacenter's foreign on the guest wlan then the guest users will tunnel the traffic to available anchor, by default it'll round robin among anchors.
