RADIUS Bandwidth limit on guest WLAN
Hi Everyone,
I'm running a WLAN scenario which includes a WLC 5508 (7.0) and a bunch of CAPWAP access points. I just deployed a guest SSID that implements a RADIUS server (freeRadius) for authentication and accounting the guest users and everything works fine. However I need to limit the bandwidth on a per-user basis having different BW allocated on the users.
In other words:
SSID: "Guest-SSID" with web authentication
Users (download/upload bandwidth limit in kbps): user1 (512/512), user2 (1024/1024), user3 (512/2048)
When user1 connects, he will be able to download/upload at a 512 Kbps data rate, same as user2 with a d/u 1024 Kbps data rate. And user3 will be able to download at 512 Kbps and upload at 2048 Kbps. The 3 users will be connected on the same SSID: "Guest-SSID".
I've been searching and found that the WLC honors some Airespace attributes that may do the magic, however they are not documented anywhere else but the WLC Configuration Guide. I have modified the freeradius Airespace dictionary but when authenticating, when the RADIUS sends the accept message incluiding the attributes, the WLC shows attribute is considered as unknown, even though the conf. guide shows they must be supported.
I guess it may be caused by a wrong attribute name. Is there something else missing?
This is the WLC AAA debug detail:
(Cisco Controller) >*aaaQueueReader: Mar 19 18:35:08.705: AuthenticationRequest: 0x30b56248
*aaaQueueReader: Mar 19 18:35:08.705: Callback.....................................0x10770a64
*aaaQueueReader: Mar 19 18:35:08.706: protocolType.................................0x00000001
*aaaQueueReader: Mar 19 18:35:08.706: proxyState...................................F4:09:D8:20:11:2F-00:00
*aaaQueueReader: Mar 19 18:35:08.706: Packet contains 11 AVPs (not shown)
*radiusTransportThread: Mar 19 18:35:08.708: AuthorizationResponse: 0x13e25bb0
*radiusTransportThread: Mar 19 18:35:08.708: structureSize................................216
*radiusTransportThread: Mar 19 18:35:08.708: resultCode...................................0
*radiusTransportThread: Mar 19 18:35:08.708: protocolUsed.................................0x00000001
*radiusTransportThread: Mar 19 18:35:08.708: proxyState...................................F4:09:D8:20:11:2F-00:00
*radiusTransportThread: Mar 19 18:35:08.708: Packet contains 9 AVPs:
*radiusTransportThread: Mar 19 18:35:08.708: AVP[01] Unknown Airespace / Attribute 7..........0x00000100 (256) (4 bytes)
*radiusTransportThread: Mar 19 18:35:08.708: AVP[02] Unknown Airespace / Attribute 8..........0x00000100 (256) (4 bytes)
*radiusTransportThread: Mar 19 18:35:08.708: AVP[03] Unknown Airespace / Attribute 9..........0x00000180 (384) (4 bytes)
*radiusTransportThread: Mar 19 18:35:08.708: AVP[04] Unknown Airespace / Attribute 10.........0x00000180 (384) (4 bytes)
*radiusTransportThread: Mar 19 18:35:08.708: AVP[05] Unknown Airespace / Attribute 11.........GRN-Test (8 bytes)
*radiusTransportThread: Mar 19 18:35:08.708: AVP[06] Unknown Airespace / Attribute 13.........0x00000100 (256) (4 bytes)
*radiusTransportThread: Mar 19 18:35:08.708: AVP[07] Unknown Airespace / Attribute 14.........0x00000100 (256) (4 bytes)
*radiusTransportThread: Mar 19 18:35:08.708: AVP[08] Unknown Airespace / Attribute 15.........0x00000180 (384) (4 bytes)
*radiusTransportThread: Mar 19 18:35:08.708: AVP[09] Unknown Airespace / Attribute 16.........0x00000180 (384) (4 bytes)
*aaaQueueReader: Mar 19 18:35:08.718: AccountingMessage Accounting Start: 0x30b56248
*aaaQueueReader: Mar 19 18:35:08.718: Packet contains 14 AVPs:
*aaaQueueReader: Mar 19 18:35:08.718: AVP[01] User-Name................................0x6173 (24947) (2 bytes)
*aaaQueueReader: Mar 19 18:35:08.718: AVP[02] Nas-Port.................................0x0000001d (29) (4 bytes)
*aaaQueueReader: Mar 19 18:35:08.718: AVP[03] Nas-Ip-Address...........................0xc0a89605 (-1062693371) (4 bytes)
*aaaQueueReader: Mar 19 18:35:08.718: AVP[04] Framed-IP-Address........................0xc0a8967b (-1062693253) (4 bytes)
*aaaQueueReader: Mar 19 18:35:08.718: AVP[05] NAS-Identifier...........................WLC-CCIE (8 bytes)
*aaaQueueReader: Mar 19 18:35:08.718: AVP[06] Airespace / WLAN-Identifier..............0x00000006 (6) (4 bytes)
*aaaQueueReader: Mar 19 18:35:08.718: AVP[07] Acct-Session-Id..........................550b5d2c/f4:09:d8:20:11:2f/2 (28 bytes)
*aaaQueueReader: Mar 19 18:35:08.718: AVP[08] Acct-Authentic...........................0x00000001 (1) (4 bytes)
*aaaQueueReader: Mar 19 18:35:08.719: AVP[09] Tunnel-Type..............................0x0000000d (13) (4 bytes)
*aaaQueueReader: Mar 19 18:35:08.719: AVP[10] Tunnel-Medium-Type.......................0x00000006 (6) (4 bytes)
*aaaQueueReader: Mar 19 18:35:08.719: AVP[11] Tunnel-Group-Id..........................150 (3 bytes)
*aaaQueueReader: Mar 19 18:35:08.719: AVP[12] Acct-Status-Type.........................0x00000001 (1) (4 bytes)
*aaaQueueReader: Mar 19 18:35:08.719: AVP[13] Calling-Station-Id.......................192.168.150.123 (15 bytes)
*aaaQueueReader: Mar 19 18:35:08.719: AVP[14] Called-Station-Id........................192.168.150.5 (13 bytes)
My Airespace dictionary:
VENDOR Airespace 14179
BEGIN-VENDOR Airespace
ATTRIBUTE Airespace-Wlan-Id 1 integer
ATTRIBUTE Airespace-QOS-Level 2 integer
ATTRIBUTE Airespace-DSCP 3 integer
ATTRIBUTE Airespace-8021p-Tag 4 integer
ATTRIBUTE Airespace-Interface-Name 5 string
ATTRIBUTE Airespace-ACL-Name 6 string
ATTRIBUTE Airespace-Data-Bandwidth-Average-Contract 7 integer
ATTRIBUTE Airespace-Real-Time-Bandwidth-Average-Contract 8 integer
ATTRIBUTE Airespace-Data-Bandwidth-Burst-Contract 9 integer
ATTRIBUTE Airespace-Real-Time-Bandwidth-Burst-Contract 10 integer
ATTRIBUTE Airespace-Guest-Role-Name 11 string
ATTRIBUTE Airespaces-Data-Bandwidth-Average-Contract-Upstream 13 integer
ATTRIBUTE Airespace-Real-Time-Bandwidth-Average-Contract-Upstream 14 integer
ATTRIBUTE Airespace-Data-Bandwidth-Burst-Contract-Upstream 15 integer
ATTRIBUTE Airespace-Real-Time-Bandwidth-Burst-Contract-Upstream 16 integer
VALUE Airespace-QOS-Level Bronze 3
VALUE Airespace-QOS-Level Silver 0
VALUE Airespace-QOS-Level Gold 1
VALUE Airespace-QOS-Level Platinum 2
END-VENDOR Airespace
This is the configuration guide I'm using:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0MR1/configuration/guide/wlc_cg70MR1/cg_security_sol.html#pgfId-1457964
Table 6-5.
Any help will be really apreciated!
Regards!
Jonathan S.
If you choose to create an entry on the RADIUS server for a guest user and enable RADIUS authentication for the WLAN on which web authentication is performed rather than adding a guest user to the local user database from the controller, you need to assign the QoS role on the RADIUS server itself. To do so, a “guest-role” Airespace attribute needs to be added on the RADIUS server with a datatype of “string” and a return value of “11.” This attribute is sent to the controller when authentication occurs. If a role with the name returned from the RADIUS server is found configured on the controller, the bandwidth associated to that role is enforced for the guest user after authentication completes successfully.
Similar Messages
-
Two different radius authentication methods on one guest wlan
I would like to use two different radius servers to one guest wlan.
One radius server is the Cisco NAC guest server, but I would like to use e.g. a RSA SecurID server as the second.
If the user does not exsist on the NAC guest server, the wlc should check the RSA server.
As I understand the servers mentioned under the layer 3 config tab on the wlan configuration tab is doing round-robin.
Is there any way that I can implement this?
Best regards,
Steffen LindemannIs there anything on the roadmap for the NAC guest server to use AD as an external database?
It seems like it shouldn't be too difficult since the server is already using AD to map sponsor roles.
We really would prefer to use a single SSID instead separate SSIDs for guest and domain accounts.
Thanks in advance! -
Throttling Guest WLAN on WLC 8500
What is the best practise to throttle the Guest WLAN, which is only used for Internet access?
I agree with Steve. The situation is really going to depend on your bandwidth and just how important you feel your guest traffic is. You also have to run a higher version of code at least 7.4 to get more granular with limiting.
But here's something to consider. My deployments are pretty much a controller per facility. I tend to bandwidth limit by (guest) SSID and just provide a 10mbps DOWN and 5mbps UP. Of course depends on the size of the facility and the number of guests. That said my guests users are typically email and browsers but there are more and more video streamers coming online but for now I use 10M and 5m and run about 300 connections with no problems.
***I don't like to modify the Qos profile and limit because that requires that you shut down the radios. I like to modify the override section on the WLAN / Qos settings.
Good luck. -
Using AD to authenticate BYOD users on Guest WLAN
First off, I have several WLANs -- one is a "Guest" that is anchored to our corporate WiSMv1 running 7.0.240.0 code. We have many 5508s running 8.0.100.0 -- the "guest" is tunneled back to the core WiSMv1. Right now, the Guest splashes a web page that a user just has to click through to get n the Guest WLAN. I currently have a production WLAN set up to use 802.1x and pass credentials through Win 2012R2 NPS (Radius) so that our employees can log on using their AD credentials.
We are looking to avoid the complexity and cost of ISE. We want to build a basic self-subscription process. I'd like to set up a separate "test" Guest network that will splash a web page that will basically have 2 sections -- the top section will display a phone number for the user to call. Basically the system will generate a random ID/PW which will be spoken or sent in a text message to the caller. Behind the scene, we will load these credentials into an AD OU. The bottom of this web page will be the fields for the user to enter the ID / PW which in turn will be validated to the AD.
I can't mess with the current Guest "anchored" in the corporate WiSM. We already have a custom web page and it appears you can only have one. So I was thinking of setting it up at one of the remote 5508 sites.... I can download a custom web page there and I believe I can still use the "management" interface to grab IPs out of the Guest Subnet that resides in our HQ.
My uncertainty revolves around the WLC / WLAN setup to use AD (via Radius if necessary) to validate the user -- and since it is BYOD, I have no idea what the client device will be and do not want the user to be required to do any setup.
I have gone through a lot of docs --- many talk about ISE. Others are really old -- and of course there is difference between WLC web pages simply due to the 8.0 code on the 5508s!
I am hoping this is a fairly straight forward setup.
TIA - PerryHi,
Your starting 3 Paragraphs say that you want to modify Guest page only.But after that You talk about the BYOD.BYOD involves device registration , supplicant provisioning etc and is entirely for different use. If you think , you are asking about that , Please go through this Tech-Talk by me to understand BYOD (Video as well Brief note )along with PPT having all the required configuration on WLC side,AD side,CA server and ISE side.
"We want to build a basic self-subscription process. I'd like to set up a separate "test" Guest network that will splash a web page that will basically have 2 sections -- the top section will display a phone number for the user to call. Basically the system will generate a random ID/PW which will be spoken or sent in a text message to the caller. "
If the requirement is the above i.e display Phone number which user would call to get credentials , it can be done via simply modifying the HTML web-page to show that number and load in to the WLC or else host that page on some external server.Infact , you can modify the Internal web page of the WLC via Security>Web-authentciation and write a header and message to be displayed on the web-page which WLC displays which can have your Mobile number to call.Once credentials are submitted , WLCcan do radius authentication.
Also 8.0 simply brings Redirection over HTTPS feature in to the WLC and there is no change in anything else i.e the concept via which web-authentciation/works.
Regards
Dhiresh
**Please rate helpful posts** -
Guest WLAN and Web Auth?
Hi Guys,
Maybe someone can help me out?
I just finished setting up a trial "Cisco Virtual Wireless Controller" with nearly the same configuration as our Physical
"Cisco Wireless Controller" with the exception of having 2 ports. Anyhow, I managed to get everything working except for the WEB AUTH on the Guest WLAN. When a client connects, he gets a DHCP address from our ASA but when we try to get to a website, we never reach the WEB AUTH page.
What I tried so far is..
add a DNS Host Name to the virtual interface and assign it to our internal DNS server.dns name was resolving but we were unable to ping 1.1.1.1
changed the virtual ip from 1.1.1.1 to 2.2.2.2 and modified the DNS entrydns name resoved but still could not ping 2.2.2.2(I think this is normal)
changed the virtual IP to a private address of 192.168.102.1 and modified the dns entrysame result
I've attached some screenshots of our configuration.Troubleshooting Web Authentication
After you configure web authentication, if the feature does not work as expected, complete these
troubleshooting steps:
Check if the client gets an IP address. If not, users can uncheck
DHCP Required
on the WLAN and
give the wireless client a static IP address. This assumes association with the access point. Refer to
the
IP addressing issues
section of
Troubleshooting Client Issues in the Cisco Unified Wireless
Network for troubleshooting DHCP related issues
1.
On WLC versions earlier than 3.2.150.10, you must manually enter
https://1.1.1.1/login.html
in
order to navigate to the web authentication window.
The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client
connects to a WLAN configured for web authentication, the client obtains an IP address from the
DHCP server. The user opens a web browser and enters a website address. The client then performs
the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the
website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web
authentication login page.
2.
Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On
Windows, choose
Start > Run
, enter
CMD
in order to open a command window, and do a nslookup
www.cisco.com" and see if the IP address comes back.
On Macs/Linux: open a terminal window and do a nslookup www.cisco.com" and see if the IP
address comes back.
If you believe the client is not getting DNS resolution, you can either:
Enter either the IP address of the URL (for example, http://www.cisco.com is
http://198.133.219.25)
♦
Try to directly reach the controller's webauth page with
https:///login.html. Typically this is http://1.1.1.1/login.html.
♦
Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also
be a certificate problem. The controller, by default, uses a self−signed certificate and most web
browsers warn against using them.
3.
For web authentication using customized web page, ensure that the HTML code for the customized
web page is appropriate.
You can download a sample Web Authentication script from Cisco Software Downloads. For
example, for the 4400 controllers, choose
Products > Wireless > Wireless LAN Controller >
Standalone Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404 Wireless
LAN Controller > Software on Chassis > Wireless Lan Controller Web Authentication
Bundle−1.0.1
and download the
webauth_bundle.zip
file.
These parameters are added to the URL when the user's Internet browser is redirected to the
customized login page:
4.
ap_mac The MAC address of the access point to which the wireless user is associated.
♦
switch_url The URL of the controller to which the user credentials should be posted.
♦
redirect The URL to which the user is redirected after authentication is successful.
♦
statusCode The status code returned from the controller's web authentication server.
♦
wlan The WLAN SSID to which the wireless user is associated.
♦
These are the available status codes:
Status Code 1: "You are already logged in. No further action is required on your part."
♦
Status Code 2: "You are not configured to authenticate against web portal. No further action
is required on your part."
♦
Status Code 3: "The username specified cannot be used at this time. Perhaps the username is
already logged into the system?"
♦
Status Code 4: "You have been excluded."
♦
Status Code 5: "The User Name and Password combination you have entered is invalid.
Please try again."
♦
All the files and pictures that need to appear on the Customized web page should be bundled into a
.tar file before uploading to the WLC. Ensure that one of the files included in the tar bundle is
login.html. You receive this error message if you do not include the login.html file:
Refer to the Guidelines for Customized Web Authentication section of Wireless LAN Controller Web
Authentication Configuration Example for more information on how to create a customized web
authentication window.
Note:
Files that are large and files that have long names will result in an extraction error. It is
recommended that pictures are in .jpg format.
5.
Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication.
Other browsers may or may not work.
6.
Ensure that the
Scripting
option is not blocked on the client browser as the customized web page on
the WLC is basically an HTML script. On IE 6.0, this is disabled by default for security purposes.
7.
Note:
The Pop Up blocker needs to be disabled on the browser if you have configured any Pop Up
messages for the user.
Note:
If you browse to an
https
site, redirection does not work. Refer to Cisco bug ID CSCar04580
(registered customers only) for more information.
If you have a
host name
configured for the
virtual interface
of the WLC, make sure that the DNS
resolution is available for the host name of the virtual interface.
Note:
Navigate to the
Controller > Interfaces
menu from the WLC GUI in order to assign a
DNS
hostname
to the virtual interface.
8.
Sometimes the firewall installed on the client computer blocks the web authentication login page.
Disable the firewall before you try to access the login page. The firewall can be enabled again once
the web authentication is completed.
9.
Topology/solution firewall can be placed between the client and web−auth server, which depends on
the network. As for each network design/solution implemented, the end user should make sure these
ports are allowed on the network firewall.
Protocol
Port
HTTP/HTTPS Traffic
TCP port 80/443
CAPWAP Data/Control Traffic
UDP port 5247/5246
LWAPP Data/Control Traffic
(before rel 5.0)
UDP port 12222/12223
EOIP packets
IP protocol 97
Mobility
UDP port 16666 (non
secured) UDP port 16667
(secured IPSEC tunnel)
10.
For web authentication to occur, the client should first associate to the appropriate WLAN on the
WLC. Navigate to the
Monitor > Clients
menu on the WLC GUI in order to see if the client is
associated to the WLC. Check if the client has a valid IP address.
11.
Disable the Proxy Settings on the client browser until web authentication is completed.
12.
The default web authentication method is PAP. Ensure that PAP authentication is allowed on the
RADIUS server for this to work. In order to check the status of client authentication, check the
debugs and log messages from the RADIUS server. You can use the
debug aaa all
command on the
WLC to view the debugs from the RADIUS server.
13.
Update the hardware driver on the computer to the latest code from manufacturer's website.
14.
Verify settings in the supplicant (program on laptop).
15.
When you use the Windows Zero Config supplicant built into Windows:
Verify user has latest patches installed.
♦
Run debugs on supplicant.
♦
16.
On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window, Start
> Run > CMD:
netsh ras set tracing eapol enable
netsh ras set tracing rastls enable
In order to disable the logs, run the same command but replace enable with disable. For XP, all logs
will be located in C:\Windows\tracing.
17.
If you still have no login web page, collect and analyze this output from a single client:
debug client
debug dhcp message enable
18.
debug aaa all enable
debug dot1x aaa enable
debug mobility handoff enable
If the issue is not resolved after you complete these steps, collect these debugs and use the TAC
Service Request Tool (registered customers only) in order to open a Service Request.
debug pm ssh−appgw enable
debug pm ssh−tcp enable
debug pm rules enable
debug emweb server enable
debug pm ssh−engine enable packet -
Guest Wlan multiple login with Cisco Identity Services Engine
Dear all,
I have been looking for some details with regards to multiple logins on Guest WLAN.
Currently my customer is facing the following problem
When a Guest Wlan user logs in, the same user could login again on the same time frame,
in other words guest Wlan user can login multiple times.
is this intentional or a bug on the ISE
product name : L-ISE-BSE-250=
any advice or any article related to this would really appreciate it
thanks in advance
LnacellotOk, Ranjane you took me back to 1900BC, had to dig the case up for you.
to be clear this is what customer wants
a guest user concurrently login from two devices at the same time
What he wants is: any given time Guest user should be only able to login once (Ex if you login to your PC and leave it logged on, then go to a another PC with same user you would be able to login – this need to be limited)
So under the User login Policy this should be able to limit to one login
you may want to check the concurrent session limit on the WLC: It is under Security > AAA > User Login Policies. There is a global number, that will limit the concurrent logins from a single user name.
hope it was useful
regards,
lancellot -
Almost there.
Scenario:
2504 wlc
Aps 1140
Port 1 lan radius all ok
Port 2 defined for guest wlan directed attach no isp router dhcp
1 utp cable on router acquire ip address
On guest wlan no ip address is given i think i tried every combinations
Any help?
Sent from Cisco Technical Support iPhone AppScott Fella wrote:How is the controller setup. You using LAG or not? (NO, it supports???) How many ports on the wlc is connected to the switch? (ONE) What is the ip of your dhcp server? (My lan dhcp - 192.168.2.a)
Post the show WLAN for each of your WLAN's you have created.WLAN Identifier.................................. 3
Profile Name..................................... Guest WLan
Network Name (SSID).............................. WYguest
Status........................................... Disabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Disabled
AAA Policy Override.............................. Disabled
Network Admission Control
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
--More-- or (q)uit
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Disabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Disabled
--More-- or (q)uit
Accounting.................................... Disabled
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Enabled
CCKM.................................... Disabled
FT(802.11r)............................. Disabled
FT-PSK(802.11r)......................... Disabled
FT Reassociation Timeout......................... 20
FT Over-The-Air mode............................. Enabled
FT Over-The-Ds mode.............................. Enabled
CCKM tsf Tolerance............................... 1000
--More-- or (q)uit
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
H-REAP Local Switching........................ Disabled
H-REAP Local Authentication................... Disabled
H-REAP Learn IP Address....................... Enabled
Client MFP.................................... Optional
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Mobility Anchor List
WLAN ID IP Address Status
Sent from Cisco Technical Support iPhone App -
GUEST WLANs ::: user self regsitration
I would like to share a few thoughts about guest WLAN access.
- if you have a lot of guests this means a lot of work in terms of account & password generation plus changing the credentials after a certain time.
Now you can offload this to lobbyadmin / "Ambassadors" but still it means work. Further on it is hard to do if you get 500 visitors. Is there any way of secure user sellf enrollment / self regiostration?
- normally, if you print the credentials on badges the credentials can be shared. Is there any way to do a mac locking in a way so that only the first MAC address which successfully loged on with this credentials can use them?
- Is there a thermal / label printer which would work with the WiSM so that the generated password can be printed on a small note/receipt once the lobbyadmin registered the guest?
Thanks,
--JoergHowdy,
We deployed Guest Internet Access (GIA) a year ago, before our LWAPP migration began across 30 hospital systems. Our business requirements were:
1) No charge to guests
2) Minimize have VS have not's issues (no using credit cards, etc for validation)
3) Centralized ISP(s)
4) Some form of self-reg as NONE of the hospitals wanted staff to have to do anything
We ended up doing an Advanced Services engagement with Cisco. Looked at BBSM & SSG. Settled on BBSM. GRE + VRF overlay network. The main part of the CAES engagement was to 'adapt' their existing custom 'sponsor' app to accomodate self-reg. Bottom line is we were underwhelmed with the sponsor app, although I heard @ Networkers last year from a Cisco internal IT manager that they've enhanced it considerably so YMMV.
We dropped the sponsor app & I dug in to the BBSM's SDK docs. I built a simple web form that folks get re-directed to in the BBSM's 'walled garden'. They choose Dr, Guest of Patient or business partner and based on this selection have to provide add'l info such as contact within our company. Bear in mind that there's no way to check any of this so we do have some 'donald ducks' show up in registration. Once they fill in the info, we replay their info & IP to them visually along w/ the AU policy. They click accept & it posts a string back to the BBSM that calls a pageset to initiate their session. For the doctors personal devices we BBSM auth them against radius so that they can use existing novell credentials & not have to 'sign up' each time.
This has worked pretty well for > 1yr. The BBSM unfortunately is not the most stable platform. Appliance, Win2k w/ MS ISA & some fancy cisco nat code is what it amounts to. I have 2 of them. One died already (HDD/controller) and both have had to be rebooted (hung) probably 5-6 times in 1yr.
Sooo. We are excited about GIA via LWAPP. Removes the complexities of the overlay network, gets rid of BBSMs (potentially) and has the capability to provide some redundancy where the BBSMs do not.
As far as self-reg under GIA-over-LWAPP... Since there is no way to enforce truthful registration, it is, in my opinion, of dubious value. Our previous 'extremest' security officer that insisted on it has left the building and I am exploring forgoing it completely with mgt as it's the one major complaint we get amongst otherwise raving reviews of the service (we survey the guests, etc).
One other complaint we've had is "We don't like having to (completely) re-register every 8 hours. Couldn't we just set up our own userid/password & reuse @ session expiry?"
Considering all of this, if push comes to shove & I'm forced to keep self reg as we migrate to LWAPP then here is my plan & what I think you'll want to explore:
1) Redirect the guest users to a (offbox) webform. Collect info including chosen userID/pass.
2) On post, write to sql backend. Mysql should work fine on the cheap.
3) Use ACS (or freeradius) to radius auth the user against this external (to ACS) database, just need a second or two delay to make sure form post data makes it into DB prior to posting url back to anchor controller.
Benefits:
1) Easier reporting then old reg form-post text file
2) Ability to do sql replication to alt datacenter where redundant anchors live
3) Upon user's session expiration, they can re-login using credentials they chose instead of having to completely re-register.
4) Radius server can still look @ novell via sldap for our docs.
Obviously you have to determine what the ultimate life of the user account in radius is before it's auto-purged.
Still have some details to flesh out but that should give you some ideas. Also, don't be afraid to survey your guests, even using free or cheap online survey tools (surveymonkey). Link to it @ top of selfreg form. Our users have NO problem filling out the survey & telling us what they like & don't. Good info.
Hope it helps. -
Hi,
I am testing guest wlan with foreign map feature.
I am not able to assign the client an IP address from the subnet mapped under wlan > foreign map (WLC specific subnet)
The debugs on the anchor show a DHCP relay been sent from the interface mapped on the wlan and not the interface mapped under the foreign map.
I tried to map the wlan on anchor WLC to the management interface and have dhcp scopes locally on the WLC. Still same result, it is trying to obtain an IP address from the management subnet. This was based on the example in the link below
http://wifinigel.blogspot.com/2011_08_01_archive.html
I am using WLC version 7.0.116.0 on foreign wlc and verson 7.2.110.0 on the anchor.
Any suggestions will be helpful.
Thanks
VikramRasikanayanajith,
Thanks for the reply. I just got off the phone with Cisco TAC and it looks like I am hitting bug CSCuh69558. I provided the config and debugs to TAC.
The bug has to do with having AAA Override configured on the WLAN Advanced tab and the RADIUS server not actually sending an interface attribute which is a common config in a BYOB WLAN controlled by ISE. The default interface configured on the WLAN is incorrectly used instead of the foreign map in this situation.
TAC also recommended upgrading away from the current version for the same reason you gave. I will be upgrading soon.
Thank you,
Mark -
Wireless bandwidth limit and billing system
Hello ,
We want to rent the internet access service to the houses which are provided to employees. That's why we need bandwidth limit and billing system solution. There will be also a guest users in the network. Could you give me an idea , is it possible to do that with Cisco wireless LAN controller devices , if it is possible how can it be done ?
Kind Regards...The WLC has no capabilities to either connect to a billing system or limit bandwidth to users depending on the users role. NAC Guest Server can do that for you, but it is pretty pricey. There are other 3rd party utilities out there that does HotSpot billing and bandwidth throttling. Wireless traffic from the WLC will flow into these server's or PC's depending on what you load the software on.
Just Google Hotspot or wireless billing:
http://www.antamedia.com/
http://www.alepo.com/hotspot-billing-software.shtml
http://www.logisense.com/hotspot_billing.html -
Client unable to get IP address on guest wlan
Hi all, I recently setup a 2504 WLC that has two primary WLANs (internal and guest) which get their IP addresses from a central DHCP server using the local router's broadcast forwarding. Things seem to be working well for the internal wlan, but clients on the guest wlan don't seem to be getting IP addresses. If I give the client a static IP they are able to communicate across the wlan okay.
It is worth noting that I am using LAG between the controller and router and this guest wlan is really just a regular wlan (with PSK) that has an access-list applied to force it to the internet only. The access-list should be allowing dhcp requests through, but in any case, I removed the access-list and it made no difference.
Here is a debug client for a machine connected to the guest vlan (vlan 33). The internal wlan is on the 10.10.10.0/24 network (same as wired and same that the AP's are connected to) and the guest wlan is 10.33.0.0/16. I don't understand why I am seeing the dhcp request come from the internal vlan/wlan first and it gets an IP address on this network. I then see a request on the guest wlan/vlan at which point it appears to get a valid IP address on the guest network (10.33.0.0), but the client never sees this.
Thoughts?
Thanks,
Bryan
(Cisco Controller) >debug client 8c:2d:aa:36:ca:a3
*DHCP Socket Task: Feb 25 00:49:32.991: 8c:2d:aa:36:ca:a3 DHCP received op BOOTREQUEST (1) (len 308,vlan 1, port 13, encap 0xec03)
*DHCP Socket Task: Feb 25 00:49:32.991: 8c:2d:aa:36:ca:a3 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Feb 25 00:49:32.991: 8c:2d:aa:36:ca:a3 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Feb 25 00:49:32.991: 8c:2d:aa:36:ca:a3 DHCP xid: 0xbcf5ea3c (3170232892), secs: 0, flags: 0
*DHCP Socket Task: Feb 25 00:49:32.991: 8c:2d:aa:36:ca:a3 DHCP chaddr: 8c:2d:aa:36:ca:a3
*DHCP Socket Task: Feb 25 00:49:32.992: 8c:2d:aa:36:ca:a3 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 00:49:32.992: 8c:2d:aa:36:ca:a3 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 00:49:32.992: 8c:2d:aa:36:ca:a3 DHCP successfully bridged packet to DS
*DHCP Socket Task: Feb 25 00:49:32.992: 8c:2d:aa:36:ca:a3 DHCP received op BOOTREPLY (2) (len 331,vlan 1, port 13, encap 0xec00)
*DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP processing DHCP OFFER (2)
*DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP xid: 0xbcf5ea3c (3170232892), secs: 0, flags: 0
*DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP chaddr: 8c:2d:aa:36:ca:a3
*DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP ciaddr: 0.0.0.0, yiaddr: 10.10.10.165
*DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP siaddr: 10.10.10.246, giaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP server id: 10.10.10.246 rcvd server id: 10.10.10.246
*DHCP Socket Task: Feb 25 00:49:32.993: 8c:2d:aa:36:ca:a3 DHCP successfully bridged packet to STA
*DHCP Socket Task: Feb 25 00:49:32.994: 8c:2d:aa:36:ca:a3 DHCP received op BOOTREPLY (2) (len 308,vlan 33, port 13, encap 0xec00)
*DHCP Socket Task: Feb 25 00:49:32.994: 8c:2d:aa:36:ca:a3 DHCP processing DHCP OFFER (2)
*DHCP Socket Task: Feb 25 00:49:32.994: 8c:2d:aa:36:ca:a3 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Feb 25 00:49:32.994: 8c:2d:aa:36:ca:a3 DHCP xid: 0xbcf5ea3c (3170232892), secs: 0, flags: 0
*DHCP Socket Task: Feb 25 00:49:32.994: 8c:2d:aa:36:ca:a3 DHCP chaddr: 8c:2d:aa:36:ca:a3
*DHCP Socket Task: Feb 25 00:49:32.994: 8c:2d:aa:36:ca:a3 DHCP ciaddr: 0.0.0.0, yiaddr: 10.33.1.1
*DHCP Socket Task: Feb 25 00:49:32.995: 8c:2d:aa:36:ca:a3 DHCP siaddr: 10.10.10.246, giaddr: 10.33.0.1
*DHCP Socket Task: Feb 25 00:49:32.995: 8c:2d:aa:36:ca:a3 DHCP server id: 10.10.10.246 rcvd server id: 10.10.10.246
*DHCP Socket Task: Feb 25 00:49:32.995: 8c:2d:aa:36:ca:a3 DHCP successfully bridged packet to STA
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP received op BOOTREQUEST (1) (len 308,vlan 1, port 13, encap 0xec03)
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP processing DHCP REQUEST (3)
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP xid: 0xbcf5ea3c (3170232892), secs: 1, flags: 0
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP chaddr: 8c:2d:aa:36:ca:a3
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP requested ip: 10.10.10.165
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP server id: 10.10.10.246 rcvd server id: 10.10.10.246
*DHCP Socket Task: Feb 25 00:49:33.997: 8c:2d:aa:36:ca:a3 DHCP successfully bridged packet to DS
*DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP received op BOOTREPLY (2) (len 308,vlan 1, port 13, encap 0xec00)
*DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP processing DHCP NAK (6)
*DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP xid: 0xbcf5ea3c (3170232892), secs: 0, flags: 8000
*DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP chaddr: 8c:2d:aa:36:ca:a3
*DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP server id: 10.10.10.246 rcvd server id: 10.10.10.246
*DHCP Socket Task: Feb 25 00:49:33.998: 8c:2d:aa:36:ca:a3 DHCP successfully bridged packet to STA
*DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP received op BOOTREPLY (2) (len 308,vlan 33, port 13, encap 0xec00)
*DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP processing DHCP NAK (6)
*DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP xid: 0xbcf5ea3c (3170232892), secs: 0, flags: 8000
*DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP chaddr: 8c:2d:aa:36:ca:a3
*DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP siaddr: 0.0.0.0, giaddr: 10.33.0.1
*DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP server id: 10.10.10.246 rcvd server id: 10.10.10.246
*DHCP Socket Task: Feb 25 00:49:34.000: 8c:2d:aa:36:ca:a3 DHCP successfully bridged packet to STA
*apfMsConnTask_1: Feb 25 00:49:35.320: Stats update: Non Zero valueOne way to test also is to connect a laptop to a port assigned for the guest vlan. If the device gets an IP, then it's something on the WLC you have to configure. If the device doesn't, then it's a network issue or dhcp server issue.
Sent from Cisco Technical Support iPhone App -
I need to setup a guest wlan on a single 5508 controller. Currently all of my ap's are in h-reap mode and all in remote buildings connected via a high speed wireless wan.
The guest network could consist of 500 users in the near future, so i'm wondering what is the best way to configure the guest wlan so I don't have one big broadcast domain across my entire network?Ok. I already have my ap's in ap groups (per building) and I have different vlans in each building with the same ssid company wide. I'm doing this via h-reap.
My question is how do I accomplish the same thing with the guest wlan, but without h-reap. Or do i use h-reap and just setup acl's to block the traffic? But then does web authentication work the same?
The confusion for me comes in at the controller level with the guest-wlan interface I created having to be attached to a vlan. Is this not needed to do web authentication?
Thanks,
Dan. -
What is Bandwidth Limit Exceeded error?
I was trying to go into "http://laparrillaonline.com/". Instead a window popped up stating " 509 Bandwidth Limit Exceeded and below it said:
The server is temporarily unable to service your request due to the site owner reaching his/her bandwidth limit. Please try again later. Apache/1.3.39 Server at laparrillaonline.com Port 80
Is it my computer or his server that exceeded it?
Thank youThank you!! I went into Panic Mode after "....Limit Exceeded...". I feel foolish, and as my daughters would say: Duh....
-
Guest WLAN need to re-authenticate for each new tab
Hi,
We installed recently a new WLC 2504 with 22 AP's.
We use web authentication for the guest WLAN.
The porblem is : users can login and authenticate but whenever the open a new webbrowser tab they need to re-authenticate again.
And this for each new tab they open.
Anybody knows how to solve this?No, the user shouldn't have to reauthenticate for every tab they open, once the clients entry is built in the MSCB they should stay in a RUN state until either the reauth timer or the user idle timer expire.
First I'd upgrade to 7.0.220.0 and see if that resolves the issue. If it doens't get a TAC case open.
Steve -
GUest WLAN with Anchor WLC - roaming problems
Hello,
my wireless network consists in 3 WLC 4402 which manage 40 APs.
I have a fourth WLC which I installed on my DMZ for guest vlan anchoring and web autentication.
Everiting works fine but I have a problem:
If my client associates with an AP and then I authenticate I'm ready to make traffic. As soon as my client roams to an AP managed by a differnt WLC I need to authenticate again. If I roam back to the first AP i need to reauthenticate.
In my guest WLAN I use WEB authentication provided by the internal web server of the Anchor WLC.
Thnks everybodyHere are the output of show mobility summary.
The last WLC is the anchor.
WLC1
Symmetric Mobility Tunneling (current) .......... Disabled
Symmetric Mobility Tunneling (after reboot) ..... Disabled
Mobility Protocol Port........................... 16666
Mobility Security Mode........................... Disabled
Default Mobility Domain.......................... mob1
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x392f
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 0
Controllers configured in the Mobility Group
MAC Address IP Address Group Name Multicast IP Sta
tus
00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
00:23:04:7d:73:20 10.20.1.21 mob1 0.0.0.0 Up
WLC2
Symmetric Mobility Tunneling (current) .......... Disabled
Symmetric Mobility Tunneling (after reboot) ..... Disabled
Mobility Protocol Port........................... 16666
Mobility Security Mode........................... Disabled
Default Mobility Domain.......................... mob1
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x392f
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 0
Controllers configured in the Mobility Group
MAC Address IP Address Group Name Multicast IP Sta
tus
00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
00:23:04:7d:62:a0 10.20.1.22 mob1 0.0.0.0 Up
WLC3
Symmetric Mobility Tunneling (current) .......... Disabled
Symmetric Mobility Tunneling (after reboot) ..... Disabled
Mobility Protocol Port........................... 16666
Mobility Security Mode........................... Disabled
Default Mobility Domain.......................... mob1
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x392f
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 0
Controllers configured in the Mobility Group
MAC Address IP Address Group Name Multicast IP Sta
tus
00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
00:23:04:7d:79:80 10.20.2.21 mob1 0.0.0.0 Up
WLCAnchor
(Cisco Controller) >show mobility summary
Symmetric Mobility Tunneling (current) .......... Disabled
Symmetric Mobility Tunneling (after reboot) ..... Disabled
Mobility Protocol Port........................... 16666
Mobility Security Mode........................... Disabled
Default Mobility Domain.......................... mob1
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x392f
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 4
Mobility Control Message DSCP Value.............. 0
Controllers configured in the Mobility Group
MAC Address IP Address Group Name Multicast IP Sta
tus
00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
00:23:04:7d:62:a0 10.20.1.22 mob1 0.0.0.0 Up
00:23:04:7d:73:20 10.20.1.21 mob1 0.0.0.0 Up
00:23:04:7d:79:80 10.20.2.21 mob1 0.0.0.0 Up
Maybe you are looking for
-
Even though I have checked "Automatically open all supported TIFF's" in Camera RAw Preferences - My tiff files do not open up in camera RAW. How can I correct the problem?
-
I dropped my new ipad and the screen is broken. The touch still works normally but the glass is cracked. Will the apple warranty cover this for free and if not how much would a repair or screen replacement cost? Tks
-
IMovie 06/ Sony HDR-HC 9 compatibility
My Sony HDR-HC9 works with iMovie 08, but not 06. My Sony DCR-TRV110E works with iMovie 06, but not 08. Can anyone explain ?
-
How do I get the color wheel to stop spinning?
how do I get the color wheel to stop spinning?
-
Hi, Is it possible to Add combo box in the existing field on User table form through UI API? I want to add combo box in UDT for selecting Item code. thanks in advance Denis