SA 540 and DMZ Issue for Wireless Guest Access

I have hooked up a Wireless AP into the Optional Port set up as DMZ on the SA 540. My goal is to provide internet access to wireless guest users without giving them access to the entire LAN. The internet access for the wireless guest users is painfully slow. It takes 5 minutes to access Google. Has anybody else had issues with slowness? I am able to successfully ping websites and retrieve their IP address, but it won't connect to any websites via web browsers. Just to humor myself, I configured firewall rules to allow DMZ full access to the LAN and WAN. I am still having the same results. Any thoughts and suggestions?

Hi,
I'm not the one with the AP problem, I just have the same issue with the DMZ port. I think you have to forget about the whole AP issue here since the problem is with the DMZ port on the SA500.
I have my Web and Mail server set up on the DMZ port, I can ping and resolve Domain names to the outside world, but trying to reach anything with a browser takes foreeever. On, eg. www.apple.com I just get a few lines from their web page (so there is a connection) and then it halts to a stop (takes about 5 min).
I also tried to move my laptop to the DMZ, just to make sure there is no problem with the server, and it has the same issue.
To summarize, I have about 16 Mb connection on my LAN and on my DMZ I can't even load a full web page.
Firmware 1.0.39
BTW, when I upgraded the firmware it wiped my configuration, but it kept my firewall rules in place, even though they weren't shown in the Firewall table. e.g. I could still access my DMZ from my LAN. I had to hard reset the router from the hardware reset button on the router before that changed and the router was completely reset.

Similar Messages

  • DMZ Anchor WLC setup for Wireless Guest Access

    I have the following setup.
    A DMZ WLC 4402 connected to firewall DMZ interface in 10.10.73.0/24 network.
    An Inside WLC 2106 connected to firewall Inside interface in 10.10.71.0/24 network.
    Both WLCs are running the same 4.2.176 code.
    DMZ WLC is anchor to itself and Inside WLC select the DMZ WLC as the anchor point.
    I have setup EoIP between DMZ and Inside WLCs successfully with both the control and data path both show as UP status. >> "show mobility anchor"
    The main issue: Clients cannot obtain IP addresses after connected to Guest SSID.
    1. Inside WLC, the guest WLAN ingress is 802.11b/g radio and egress port is set to management interface (EoIP) of type WLAN.
    What is the DMZ WLC setting? Is the ingress set to "802.11b/g" which does not make sense because the ingress is EoIP from Inside WLC?
    Or I still set as 802.11b/g? Same config as Inside WLC? I read from other threads suggested by Terry that the config must be the same for both WLCs.
    In the Inside WLC, I saw a lot of pdu encapsulation errors for broadcast packets which is ffff.ffff.ffff xxxx which I think is the DHCP request from the connected Wireless clients not making it through the EoIP tunnel. I have set static ip for the Wireless client but the packets cannot route through the EoIP tunnel to the far end.
    2. DHCP server is provided by DMZ WLC with the scope 10.10.76.0/24. In the Inside WLC, which DHCP server IP address to set to? DMZ WLC mgmt ip address? DMZ WLC, the DHCP server is also set to DMZ WLC mgmt ip?
    3. Layer 2 authentication. I read that DMZ WLC is supposed to be the DHCP server, Layer 2 or 3 authentication for Wireless Clients. However, it seems like Inside WLC is required to configure the Layer 2 authentication parameters and the DMZ WLC is set to providing the DHCP service?
    4. Lastly, anyone has done DMZ WLC sending the Wireless clients traffic to Bluecoat proxy server before hitting the Internet?
    Thanks.

    One of the biggest things is to make sure the wlan is configured exactly the same. The DMZ WLC ingress is the management and also is the egress port. You can create a dynamic interface on the DMZ WLC, but this way makes things easier. The DMZ WLC should provide the dhcp, so the dhcp scope of course will be on the same subnet as the management of the DMZ WLC. The DHCP Server will be the ip address of the management interface of the DMZ WLC. The authentication also has to be configured exactly the same on the inside wlc and the DMZ wlc. Since you are pushing clients through the tunnel to the DMZ WLC, that is where clients will need to get their ip address, since that DMZ WLC has a network interface to the guest network. I haven't had luck when a proxy is involved, but I know there was a post a while ago on how to set up the proxy to allow the wlc to bypass the user's initial dns resolution.

  • Https redirection issue for Wireless Guest CWA - ISE 1.3

    Our Setup is
    ISE 1.3 (Patch level 2) running on ACS 1121
    2 nodes clustered with Admin, monitoring, policy service enabled ( Primary and Secondary ).
    Configured SSID Guest for Centralized web authentication with ISE.
    We have issues in web redirection with Chrome. It is not redirecting to the ISE page but rather showing "Page cannot be displayed".
    By default Chrome is pointing to https. For example, if we type https://google.com it is not redirecting to the ISE page. But when I specify the same as http://google.com it works.
    There is no issue with IE or Firefox, as it is redirecting to the ISE page with default https and I can see it is hitting our rule.
    Please advise.

    Hi Neno
    They are using a third party certificate (digi cert) for client auth. They have confirmed even if they use a self-signed-cert the result is same.
    So basically none of the https page is not loading. If we manually browse some https site from Firefox, IE the result is same showing " page cannot be displayed".
    Redirection to https is the problem which i have never faced with my other customer. This is the upgraded version of ISE from 1.2 to 1.3.

  • Wireless guest access with CWA and ISE using mobility anchor

    My team is trying to demo wireless guest access using CWA with an ISE server.  We appear to be hitting an issue when combining this with mobility anchoring.
    When we don't use a mobility anchor the authentication goes off without a hitch seemingly proving that the ISE configuration is sound.  The test laptop associates and gets redirected, auths, moves to the RUN state and access to the network is granted.
    When the mobility anchor is enabled, the test laptop does get redirected, authentication is successful, but the process does not fully complete, as on the foreign controller the user is in RUN state whereas on the anchor the user is still stuck at CWA required.
    Now, I've read the L2 auth occurs between the foreign controller and ISE, and the L3 auth occurs between the anchor controller and ISE, but this does not appear to be borne out in packet captures of the process where both parts of the auth seem to go to and from the foreign controller and ISE.
    I'm curious to know if anyone else has come across this issue, or has ideas where I should be looking in the config or debugs to find the root cause.
    When setting up the controllers and ISE this guide (linked below) was used and the controllers are 2504 controllers on 7.5 series software and ISE is on the latest 1.2 patches:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
    To me it seems to be mobility related, but the authentication flow does seem to be off compared with what the guide says.

    FOREIGN
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Adding mobile on LWAPP AP 0c:d9:96:ba:7d:20(1)
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Association received from mobile on BSSID 0c:d9:96:ba:7d:2f
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Global 200 Clients are allowed to AP radio
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Max Client Trap Threshold: 0  cur: 0
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Rf profile 600 Clients are allowed to AP wlan
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Re-applying interface policy for client
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4565 setting Central switched to TRUE
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4568 apVapId = 1 and Split Acl Id = 65535
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying site-specific Local Bridging override for station 00:1e:c2:c0:96:05 - vapId 1, site 'AP-Group-CHEC.default', interface 'management'
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying Local Bridging Interface Policy for station 00:1e:c2:c0:96:05 - vlan 84, interface id 0, interface 'management'
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  statusCode is 0 and status is 0
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  ssid_done_flag is 0 finish_flag is 0
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 suppRates  statusCode is 0 and gotSuppRatesElement is 1
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfProcessAssocReq (apf_80211.c:7830) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Idle to AAA Pending
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
    *radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created for mobile, length = 253
    *radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created in mscb for mobile, length = 253
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Received SGT for this Client.
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 255 to 255
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 84
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Re-applying interface policy for client
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 0 on mobile
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
    MAC: 00:1e:c2:c0:96:05, source 2
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Initializing policy
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfMsAssoStateInc
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 1800, apfMsTimeOut '1800' and sessionTimerRunning flag is  0
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 1800
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
    *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
    *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
    *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
    *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 apfMsRunStateInc
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 5793
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Adding Fast Path rule
      type = Airespace AP Client
      on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID = 255,
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
    *mmMaListen: Jan 28 23:05:02.363: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
    *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
    *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 0.0.0.0 plumbing in FP SCB
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP processing DHCP REQUEST (3)
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 5, flags: 0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   requested ip: 10.130.98.8
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP received op BOOTREPLY (2) (len 320,vlan 84, port 13, encap 0xec07)
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP processing DHCP ACK (5)
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 0, flags: 0
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.130.98.8
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   siaddr: 10.30.4.173,  giaddr: 0.0.0.0
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   server id: 1.1.1.2  rcvd server id: 1.1.1.2
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) DHCP Address Re-established
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Reached PLUMBFASTPATH: from line 6978
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
      type = Airespace AP Client
      on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 Assigning Address 10.130.98.8 to mobile
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP successfully bridged packet to STA
    *pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
    *pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4
    *pemReceiveTask: Jan 28 23:05:03.890: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 10.130.98.8 plumbing in FP SCB
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Received SGT for this Client.
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 0 to 255
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 AAA redirect is NULL. Skipping Web-auth for Radius NAC enabled WLAN.
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
    MAC: 00:1e:c2:c0:96:05, source 2
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Applying cached RADIUS Override values for mobile 00:1e:c2:c0:96:05 (caller pem_api.c:2307)
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Applied RADIUS override policy
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
      type = Airespace AP Client
      on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Change state to RUN (20) last state RUN (20)
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfMsAssoStateInc
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 3600, apfMsTimeOut '1800' and sessionTimerRunning flag is  1
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 3600 seconds
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 3600
    *apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
    *apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
    *pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
    *pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4
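
    One way to reduce a debug like the one above to the client's state timeline, so the foreign and anchor controllers can be compared side by side. This is an added example, not part of the original post; the function names are made up here and the sample lines are excerpted from the foreign-controller output above.

```python
import re

# Excerpted from the foreign-controller debug output posted above.
FOREIGN_EXCERPT = """\
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
*DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
*DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Change state to RUN (20) last state RUN (20)
"""
MAC = "00:1e:c2:c0:96:05"

# "*task: Mon DD HH:MM:SS.mmm: <client mac> <message>"
LINE = re.compile(
    r"^\*(?P<task>[^:]+): (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) (?P<msg>.*)$")
STATE = re.compile(r"Change state to (\w+) \(\d+\) last state (\w+) \(\d+\)")
DROP = re.compile(r"DHCP dropping packet due to (.+?),")


def parse(log):
    """Return one dict per debug line that carries a client MAC."""
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events


def state_timeline(log, mac):
    """List (timestamp, old_state, new_state), skipping no-op transitions."""
    timeline = []
    for ev in parse(log):
        if ev["mac"].lower() != mac.lower():
            continue
        m = STATE.search(ev["msg"])
        if m and m.group(1) != m.group(2):
            timeline.append((ev["ts"], m.group(2), m.group(1)))
    return timeline


def final_state(log, mac):
    """Last policy-manager state the controller recorded for the client."""
    timeline = state_timeline(log, mac)
    return timeline[-1][2] if timeline else None


def dhcp_drops(log, mac):
    """List (timestamp, reason) for every DHCP packet the controller dropped."""
    drops = []
    for ev in parse(log):
        m = DROP.search(ev["msg"])
        if m and ev["mac"].lower() == mac.lower():
            drops.append((ev["ts"], m.group(1)))
    return drops


if __name__ == "__main__":
    for ts, old, new in state_timeline(FOREIGN_EXCERPT, MAC):
        print(f"{ts}  {old} -> {new}")
    print("final state:", final_state(FOREIGN_EXCERPT, MAC))
    for ts, reason in dhcp_drops(FOREIGN_EXCERPT, MAC):
        print(f"{ts}  DHCP dropped: {reason}")
```

    Running the same functions over the anchor controller's debug for the same MAC and comparing the two final states shows at which transition the controllers diverge.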

  • Wireless Guest Access with 802.1X (PEAP/MSCHAPv2) and ISE?

    Hi,
    I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
    The WLCs are running 7.3 and ISE is 1.1.1
    I'm trying to setup wireless guest access, where the guests connect to a SSID with 802.1X using PEAP/MSCHAPv2.
    They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
    The credentials will be created by the sponsor, using the sponsor portal on the ISE.
    Now to the questions:
    Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
    Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
    When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
    As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
    Thank you very much :-)
    Best Regards,
    Niels J. Larsen

  • 1801W wireless (guest access) config issues

    Trying to setup wireless on 1801w ISR.  Wired access to Internet and LAN works fine (Vlan1); however, wireless (Vlan2) does not.
    Trying to setup wireless "guest" access with Internet access only (no access to LAN).
    Wireless will not come up.  Dot11Radios show "reset/down".
    Below is the wireless config and a couple of troubleshooting commands as well:
    dot11 ssid open
       vlan 2
       authentication open
    ====================================================
    !(Sets up DHCP and excluded addresses.)
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 172.16.25.1 172.16.25.99
    ip dhcp excluded-address 172.16.25.116 172.16.25.255
    ip dhcp pool open
       import all
       network 172.16.25.0 255.255.255.0
       default-router 172.16.25.1
       dns-server 4.2.2.1 4.2.2.1
       lease 3
    ====================================================
    (Turned on integrated routing and bridging.)
    bridge irb
    ====================================================
    (Wireless radio interface config.)
    interface Dot11Radio0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip virtual-reassembly
    ip route-cache flow
    encryption vlan 2 mode wep optional
    !---(SSID is given as "open")
    ssid open
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
    station-role root
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    no cdp enable
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Vlan1
    description LAN
    ip address 192.168.0.100 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface Vlan2
    description Wireless VLAN
    no ip address
    bridge-group 1
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 172.16.25.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    bridge 1 protocol ieee
    bridge 1 route ip
    ====================================================
    Verifying...
    RTR#sho dot11 associations
    802.11 Client Stations on Dot11Radio1:
    802.11 Client Stations on Dot11Radio0:
    SSID [open] : DISABLED, not associated with a configured VLAN
    ====================================================
    RTR#sho ip int brief
    Dot11Radio0                unassigned      YES NVRAM  reset                 down
    Dot11Radio0.1             unassigned      YES unset  reset                 down
    Dot11Radio1                unassigned      YES NVRAM  reset                 down

    Your ssid is configured in vlan 2.
    But you forgot to configure dot11radio0.2 with under it "encapsulation dot1q 2".
    That should allow the radio to broadcast ssid
    Nicolas
    ===
    Don't forget to rate answers that you find useful
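
    The omission pointed out in the answer above can be checked mechanically before a config is deployed. The following is an added example, not from the thread: it reports every SSID whose VLAN has no matching "encapsulation dot1Q" subinterface on the radio that carries it. The function names are made up here, and the sample configs are constructed from the posted lines with the usual IOS indentation restored.

```python
import re

# Constructed sample: the relevant lines of the configuration posted above.
POSTED_CONFIG = """\
dot11 ssid open
   vlan 2
   authentication open
!
interface Dot11Radio0
 no ip address
 encryption vlan 2 mode wep optional
 ssid open
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface Vlan2
 description Wireless VLAN
 bridge-group 1
"""

# Constructed sample: the same config with the subinterface from the answer.
FIXED_CONFIG = POSTED_CONFIG + """\
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
"""


def parse_blocks(config):
    """Split an IOS config into (header, [child lines]) by indentation."""
    blocks = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def missing_radio_subinterfaces(config):
    """Return (ssid, vlan, radio) for each SSID VLAN the radio cannot tag."""
    ssid_vlan = {}    # SSID name -> VLAN id from "dot11 ssid" blocks
    radio_ssids = {}  # radio -> SSIDs attached on the main interface
    radio_vlans = {}  # radio -> VLANs that have a dot1Q subinterface
    for header, children in parse_blocks(config):
        m = re.fullmatch(r"dot11 ssid (\S+)", header)
        if m:
            for child in children:
                v = re.fullmatch(r"vlan (\d+)", child)
                if v:
                    ssid_vlan[m.group(1)] = int(v.group(1))
            continue
        m = re.fullmatch(r"interface (Dot11Radio\d+)(?:\.(\d+))?", header)
        if not m:
            continue
        radio, sub = m.group(1), m.group(2)
        for child in children:
            if sub is None:
                s = re.fullmatch(r"ssid (\S+)", child)
                if s:
                    radio_ssids.setdefault(radio, set()).add(s.group(1))
            else:
                e = re.fullmatch(r"encapsulation dot1Q (\d+)(?: native)?", child)
                if e:
                    radio_vlans.setdefault(radio, set()).add(int(e.group(1)))
    findings = []
    for radio in sorted(radio_ssids):
        for ssid in sorted(radio_ssids[radio]):
            vlan = ssid_vlan.get(ssid)
            if vlan is not None and vlan not in radio_vlans.get(radio, set()):
                findings.append((ssid, vlan, radio))
    return findings


if __name__ == "__main__":
    for ssid, vlan, radio in missing_radio_subinterfaces(POSTED_CONFIG):
        print(f"SSID {ssid!r} uses vlan {vlan} but {radio} has no "
              f"subinterface with 'encapsulation dot1Q {vlan}'")
```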

  • E4200 Wireless Guest Access issue

    Hello, I'm hoping someone can point me in the right direction. I have the wireless guest access set up in my E4200 flash to the latest firmware. 
    When I connect to the wireless guest network it comes up under the 192.168.33.xx IP address. I can connect fine but it never pops up the browser so that you can type in the guest password. I'm running Windows 7 but I've also noticed the exact same problem under XP.
    The only thing I can guess is the problem is that I have this acting like an access point and all DHCP requests go to my router. I've basically turned off DHCP on this and plugged the network connection into the switch on the back. 
    Any suggestions?
    Thanks
    Josh

    If I go to 192.168.33.1 it does pop up the browser but when I enter the password It just hangs. Not sure if it was connected or not. Is there no way to pop up the browser automatically?

  • Unified wireless guest access

    Hi, I need help in configuring unified wireless guest access. I have followed the guide
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html#wp999843.
    But the problem is it still does not work. What I don't get is that the interface for the Guest SSID for the foreign controller is management; does this mean that I have to get an IP address first from the management segment before I can get an IP from the anchor WLC?
    My setup is that I have an anchor controller which is on a different LAN from where my foreign WLC is. The anchor WLC has the DHCP scope and the local net user database. I have already joined the two WLCs to each other's mobility group. Also, I have configured the mobility anchor on the WLAN (SSID) of the foreign controller.
    Another thing is that the AP I'm trying to use is on a different site from where my controller is. I'm not sure if this is the one causing the problem.
    Can someone help point out my mistake?

    It's rare that I have a difference in opinion from both of you guys but let me share with you an issue I had.
    If you map the foreign controller to the management interface and the tunnel breaks for whatever reason the clients will get dumped on the management interface, even though the WLAN is anchored to the DMZ controller.
    I know this because I have seen this for myself when I had anchor issues.
    I opened a TAC case and it was suggested to use a "dummy interface" on the foreign controller. I forget who I spoke to, this is over a year now. But I then followed up with a Cisco SE on the Advance Wireless team and he commented this is what they do as well. And to add further, a large hospital system here in the Tex Med center had the Cisco advance team install their controllers and they too had dummy interfaces for the foreign controllers for guest.
    Just my 2 cents ... Add a dummy interface, call it dummy_guest_interface, and tie it to 222.222.222.222 or something like ... no need to add anything on the wired.

  • Wireless guest access

    Hi Guys, I have a wireless requirement from a customer and the customer is looking for the below: 1. Wireless guest access that requires user to input email into the captive portal. But the email address must be verified that it contains certain selected domain names (e.g. example.com or example.org). Any other domain names will be rejected. 2. Customer is looking to add their own logo and change the formatting of the captive portal. Questions: 1. For email verification, does this feature come straight from the WLC standalone box or must ISE be purchased? 2. If the WLC is able to do this without ISE, any online guides that are able to do this? 3. For security reasons, am I able to limit the number of concurrent users using this captive portal? 4. How do I configure the age-out for each connected user after they have successfully logged into the captive portal? 5. Can I customize the captive portal page on the WLC and how do I go about doing it?

    Hi Mohanak,
    It looks like the formatting ran out. Anyway, not sure if we are on the right topic here but let me get this straight. Customer has a Cisco 2504 Wireless LAN Controller. So, they would like to achieve the below features:
    1. Wireless guest access that requires user to input email into the captive portal. But the email address must be verified that it contains certain selected domain names (e.g. example.com or example.org). Any other domain names will be rejected.
    2. Customer is looking to add their own logo and change the formatting of the captive portal.
    So, some of the questions I have are:
    Questions:
    1. There is a configuration on the WLC that allows guest users to login using email verification only. Does this feature come straight from the WLC standalone box or must ISE be purchased.
    2. If the WLC is able to do this without ISE, is the WLC able to check if the inputted field is a valid email? And can I configure it in such a way that a particular domain is allowed? (e.g. example.com is permitted but example.org and anything else is rejected).
    3. For security reasons, am I able to limit the number of concurrent users using this captive portal?
    4. How do I configure the age-out for each connected user after they have successfully logged into the captive portal?
    5. Can I customize the captive portal page on the WLC and how do I go about doing it?

  • Does WAP4410N support Wireless Guest access solution?

    Does the Linksys AP (WAP4410N) support Wireless Guest access solution?

    Hi - I've got a WAP4410N which I'd like to use to provide wireless guest access, and I've had a look through the configuration pages and manual, and understand:
    1) I've got to add a virtual SSID (although I'd like to know where the DHCP settings are as I don't believe the WAP4410N has DHCP capabilities)
    2) I need to ensure that traffic can't hop across the multiple SSIDs
    What I'd like to know is whether the WAP4410N can be set up to display a terms and conditions page which users have to "OK" or whether it can host a login page that can be administered by someone to allow access - kind of like hotels use to ensure that not everyone can automatically connect? I don't mind if there has to be a secondary piece of software hosted on a server somewhere, but I'd like to prevent people from being able to automatically connect straight to our connection and would also like to limit them in some way, at very least the bandwidth that the connection allows, at best the sites they can visit too.
    Any thoughts greatly appreciated,
      Andy

  • I was closing Word and suddenly everything on my desktop opened - I had to close each one and then a page requesting guest access to Cisco appeared. I cannot access any of my websites or bookmarks now. What do I do - or what did I do?

    I was closing Word, was on my desktop page when suddenly all my windows on the desktop opened at once. I had to close each one and then a page requesting guest access to Cisco appeared. It required a password ( ? ) which I do not have. Now I cannot access any of my webpages or bookmarks, including mail etc. I have no idea what I might have done to cause this problem. I am not particularly savvy and don't know where to begin.

    daveynielsen wrote:
    So my question is... if you took the time to read this.. why in the world did everything stop working with wi fi and out of nowhere asked me to use a blackberry data service plan?
    Because, without THE BlackBerry Data Plan, you will only have use of your WiFi HotSpot browser, and that is that. No email, none of the RIM data application features like AppWorld or the BlackBerry Facebook application.
    It worked at first, because you probably had leftover provisioning Service Books from the previous owner, I am guessing (you mentioned "checked with my seller").
    To me, it seems to be working as suspected.
    daveynielsen wrote:
    Well, naturally I figured everything else would work on a wifi connection.. like the iPhone. Even though you don't have the 3G data plan one can still access email, web, and apps.
    Not quite, you must still have a data plan for the iPhone.
  • WLC 2500 and WCCP for Wireless Guest Users

    Hi there
    I would like to redirect web traffic from WLANs on a Wireless LAN Controller 2500 to a proxy server in a remote site. I'm using ironport proxy server and Cisco 3560 Layer 3 switch. Basically current scenario is:
    Wireless Guest Users get authenticated by web-auth through Access Point 3501 HREAP configured. Guest client gets an IP address on VLAN 100 in remote site. Once they connect to VLAN 100, I want all web traffic to be redirected to the proxy server. I know PAC file may be the easier solution however our guest clients want seamless solution for internet. I am not sure whether WCCP is supported for this.               
    Your advice will be highly appreciated.
    Regards

    For guest wireless traffic redirect to proxy server
    https://supportforums.cisco.com/thread/2126486

  • Wireless 3850 and Web-Auth for Wireless clients

    Hi
    I can't get the web-auth feature to work properly on the Catalyst 3850 for wireless clients.
    Internet is all tested and there is full IP connectivity.
    Issue is when I enable the webauth feature on the SSID. Incidentally when I enable the SSID to use consent it works.
    I am using local authentication for the guest users.
    When user logs onto the wireless, they get to the landing page, and are able to enter the credentials then there is a 30 second pause. The client detail says WEBAUTH_PEND and then a pop up window comes back as seen below
    Config below
    interface Vlan302
    description **** Wireless Guest ****
    ip address 10.145.224.161 255.255.255.224
    ip helper-address 10.144.214.134
    ip helper-address 172.17.2.56
    ip http server
    ip http secure server
    ip dhcp snooping
    wlan XXXXX 2 XXXXXX
    aaa-override
    accounting-list default
    client vlan 302
    ip flow monitor wireless-avc-basic input
    ip flow monitor wireless-avc-basic output
    no security wpa
    no security wpa akm dot1x
    no security wpa wpa2
    no security wpa wpa2 ciphers aes
    security dot1x authentication-list WEB_AUTH
    security ft
    security web-auth
    security web-auth authentication-list WEB_AUTH
    security web-auth parameter-map vit_web
    no shutdown
    parameter-map type webauth vit_web
    type webauth
    security web-auth parameter-map vit_web
    user-name Guest1
    creation-time 1390837878
    privilege 15
    password 7 022D0156060F1B351D
    type network-user description Temp-Guest-User guest-user lifetime year 0 month 1 day 0 hour 0 minute 0 second 0
    user-name Guest2
    creation-time 1390838016
    privilege 15
    password 7 0724244143000D1145
    type network-user description Temp-Guest-User guest-user lifetime year 0 month 1 day 0 hour 0 minute 0 second 0
    aaa new-model
    aaa authentication login WEB_AUTH local
    aaa authorization network WEB_AUTH local

    Hey Greg,
    Did you also define the global webauth parameter? I think I had to do this to get my 5760 "working" or as working as these new controllers can be.
    parameter-map type webauth global
    type webauth
    virtual-ip ipv4 x.x.x.x wlc.whatever.org
    max-http-conns 50
    Also I had to enable http server in addition to secure server
    ip http server
    ip http secure-server
    Are you using a self signed cert?
    I saw windows clients take a long time to load the page when using a self signed cert.
    Mac clients don't seem to work if you use the IOS or OSX based logon. You'll need to disable the auto logon and launch a browser for the redirect. There was a bug ID around this Mac problem which was supposedly resolved in 3.3.1SE but I still have the problem.
    -Kyle
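
The prerequisites named in the reply above (a global webauth parameter map with a virtual IP, and both `ip http server` and `ip http secure-server`) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it assumes `show running-config` output with its indentation intact, runs on a constructed sample config with placeholder names, and adds two guest-account hygiene checks of its own (privilege 15 and type 7 passwords).

```python
import re

# Constructed sample: a `show running-config` excerpt shaped like the fragments
# posted in the thread. Names and the password string are placeholders.
SAMPLE_CONFIG = """\
ip http secure-server
!
parameter-map type webauth vit_web
 type webauth
!
user-name Guest1
 privilege 15
 password 7 0000PLACEHOLDER
 type network-user description Temp-Guest-User guest-user lifetime year 0 month 1 day 0 hour 0 minute 0 second 0
!
wlan GUEST 2 GUEST
 client vlan 302
 security web-auth
 security web-auth authentication-list WEB_AUTH
 security web-auth parameter-map vit_web
 no shutdown
"""


def parse_blocks(text):
    """Split an indented IOS-style config into {top-level line: [child lines]}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace():
            # Indented line: belongs to the most recent top-level command.
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def audit_webauth(text):
    """Return a list of findings for a web-auth configuration."""
    blocks = parse_blocks(text)
    findings = []

    # Checks taken from the reply: both HTTP listeners and a global parameter map.
    for cmd in ("ip http server", "ip http secure-server"):
        if cmd not in blocks:
            findings.append(f"missing '{cmd}'")
    global_map = blocks.get("parameter-map type webauth global")
    if global_map is None:
        findings.append("missing 'parameter-map type webauth global'")
    elif not any(c.startswith("virtual-ip ipv4 ") for c in global_map):
        findings.append("global parameter map has no 'virtual-ip ipv4'")

    # Consistency check: a parameter map referenced by a WLAN must be defined.
    defined = {m.group(1) for h in blocks
               if (m := re.fullmatch(r"parameter-map type webauth (\S+)", h))}
    for head, children in blocks.items():
        if not head.startswith("wlan ") or "security web-auth" not in children:
            continue
        name = head.split()[1]
        for child in children:
            if child.startswith("security web-auth parameter-map "):
                ref = child.split()[-1]
                if ref not in defined:
                    findings.append(
                        f"wlan {name}: parameter map '{ref}' is not defined")

    # Hygiene checks added by this example (not raised in the thread).
    for head, children in blocks.items():
        if not head.startswith("user-name "):
            continue
        if not any("guest-user" in c.split() for c in children):
            continue
        user = head.split()[1]
        if "privilege 15" in children:
            findings.append(f"guest user {user}: privilege 15 (highest IOS level)")
        if any(c.startswith("password 7 ") for c in children):
            findings.append(
                f"guest user {user}: type 7 password (reversible encoding)")
    return findings


if __name__ == "__main__":
    for finding in audit_webauth(SAMPLE_CONFIG):
        print(finding)
```
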

  • Configuring the iPhone and your environment for wireless corporate email

    I'm posting this as a top level thread, because I'm certain that there are others out there, who like me, are trying to figure this out.
    Configuring the iPhone for Enterprise Use
    With Apple’s release of the iPhone, IT organizations are presented with an interesting challenge. Senior execs, gadget heads, and technorati are all flocking to this device, heralded as the be all and end all of smartphone telecommunications technology. As these devices begin to flood into our organizations, we are met with the challenge to ‘make it work’.
    After much explaining that the iPhone is not intended for Enterprise integration, and many discussions surrounding the technical feasibility of bringing said devices into the fold, and being the resident Mac and Linux head with an iPhone in hand, I decided to embark on the mission of making one ‘work’. I succeeded in part, however it’s not the kind of ‘work’ that is going to be viable for most end users.
    First of all, it’s important to understand that the email client for the iPhone is a modified version of Mac’s Mail program. Not the best client in the world, but it does support Exchange integration. It also does external email sources, such as Yahoo and gMail, very well. For my interest though, I’m focusing on the Exchange integration functionality, as that is just about everyone’s corporate standard.
    Bringing this task to fruition requires some understanding about the limitations of the iPhone, as well as some of its current quirks. Wireless 802.11x, EDGE, VPN and Mail are all components necessary to provide a serviceable solution for mobile email access, and each of these things has some peculiarities that don’t appear to be fully worked out by Apple at this time.
    For instance, within my organization, we have a secured wireless connectivity option available within our building; however, the SSID of this network is not broadcast, for the obvious reasons. SO, connecting the iPhone to it is a manual process of defining the network, and automatic reconnection seems to be very hit or miss, so it becomes far less of an option for any form of direct network access to your Exchange environment. (As an example, I had to redefine that network, on the iPhone, at least half a dozen times during this process.)
    The other components have equally quirky issues, and I will discuss the how’s to get around them below.
    In coordinating this into a cohesive plan however, I will break this into three sections;
    1. Wireless and EDGE connectivity
    2. VPN access to your network
    3. Connecting to Exchange
    So, without further ado;
    Wireless and EDGE Connectivity
    The wireless capabilities of the iPhone are, on the surface at least, excellent. It connects seamlessly to unsecured networks, offers the option of prompted or unprompted automatic connectivity, and is capable of 802.11G performance. Not bad for such a small package. However, it is very limited in the forms of secure network access it supports. These are, to quote Apple’s website; (and my iPhone)
    WEP Password
    WEP hex or ASCII
    WPA (personal)
    WPA2 (personal)
    Now, due to the obvious security problems in implementing WEP security, it’s likely that any network you run into is going to be WPA or WPA2. The iPhone ONLY supports the personal versions of these protocols, so be aware of this going into the situation. If you’re not connecting to your work or school wireless, and you’re entering the information correctly, then it’s probably because they have the Enterprise version of one of the protocols enabled. If that is the case, then you’re either hunting for unsecured hotspots, or else depending on EDGE.
    In my case, I did have access to a WPA2 (Personal) enabled wireless signal to connect to my internal network. I thought my problem was half solved! I defined the connection, the wireless capability of the phone worked perfectly, and I was connected. I was wrong. Apparently, and judging from the Mac forums I’m not alone in this, the iPhone does not do a very good job of RE-connecting to a secured wireless network. It does an even worse job, when this is coupled with the fact that it doesn’t do a very good job reconnecting to a wireless network with an unpublished SSID.
    After much fiddling and research into this, I determined that this simply was not the way to go, and I abandoned the idea. I wasn’t about to compromise my network security in order to get this silly phone working! So, that left me with either unsecured WiFi, or EDGE.
    Either one of these connects pretty seamlessly, and gives me a relatively decent Internet connection. There are some issues being reported of the iPhone swapping between EDGE and WiFi for no apparent reason, but that said, it can still be made to work.
    Now that I had this connection outside of my network, I obviously had to consider options for getting a secured connection into my network, which of course leads us to;
    VPN Access Into Your Network
    Being that this device was touted as the ‘real internet’ I was very excited to see if I could achieve this connection through my SSL VPN appliance. To make a long story short, I could not. Because Apple’s idea of the ‘Real Internet’ apparently does not include those wacky concepts like Java support, this proved to be impossible. My Apple cohorts will scream that it does support JavaScript, but we all know that that and 2 bucks will get you a small coffee at Starbucks… and not much more.
    (The iPhone also does not support Flash, but that’s a topic for another conversation. I know, how could they leave that out? I’m amazed too, but then Steve Jobs always has been a bit too arrogant for his own good… I mean what does he expect, we’re all going to rewrite everything into QuickTime??? Please.)
    Since that option didn’t work, I was left with the wide selection of two possibilities provided within the iPhone software. Either, a PPTP or L2TP VPN tunnel.
    We went ahead and configured a PPTP connection on one of our Cisco routers in order to test this. It didn’t work. I couldn’t connect to it. Tried and tried. Nada. SOOOO, we said OK, and configured a L2TP connection on one of our Cisco routers, with similar results.
    Figuring that this was something in the config, we called Cisco, and did the technical support dance with them for several days, trying one thing after another to get this connection to actually work. Nothing helped, and it never worked using either protocol. Then, I noticed an obscure article somewhere on some website that said something to the effect that getting one of these tunnels to work from the iPhone to Cisco was nigh on impossible.
    About the same time, my senior network guy said screw it, let’s put this on a Microsoft server. And so we did. Now, this is interesting in its own right, because configuring out of the box L2TP or PPTP on a Microsoft server results in a default authentication method of Windows Authentication. This does not work for the iPhone, because it has no idea what to do with the Windows security token it receives. So, you authenticate, and then are immediately dropped due to an inability to communicate with the PPP server.
    Fortunately, we (as do most organizations) have a Radius server. We selected Radius authentication, configured both sides of the Radius authentication setup properly, and launched the PPTP tunnel…. AND…. EUREKA!!! The iPhone’s VPN software connected, authenticated, got an IP, and I was on the network! Well, no.
    After about 2 seconds, I realized that while I did indeed have a connection, I couldn’t do anything with it. Couldn’t even browse to an internal site via IP address. The connection was up, the connection was working, the connection was useless.
    So, we decided to give L2TP a shot. Configured it pretty much identically to the PPTP setup, used Radius, launched the iPhone client, and finally, after many days of screwing around, it worked. Now all I needed was to get my email working, so I started working on;
    Connecting to Exchange
    In the Mail program on the iPhone, the first time you launch it, you’re presented with the ability to configure an email source. However on subsequent or additional accounts, you must go under Settings, Mail to get to this functionality.
    Going into the Mail configuration, I selected an additional account, the account type is, of course, Exchange. The configuration components are pretty obvious, however some things of note are;
    Do NOT include your domain information in the User Name field
    For all Host Names, use the fully qualified domain name of the server, or else IP
    You WILL need to have SMTP enabled somewhere in order to send email
    Anyway, I set all this up, and nothing happened. It said that my server was not responding. Did a little research, and it turns out that the only way to connect to Exchange is through an IMAP4 connection, and just in case you didn’t know, IMAP4 is disabled by default, so you have to enable and configure it.
    Went onto the Exchange server, set the service to Auto, Started the listener, and finally, at long last, EUREKA! I finally had Corporate email on my iPhone, connecting securely, and not sending anything plain text anywhere. Hooray!
    Now for the problems with this solution;
    First of all, it depends upon VPN access into your environment, something that you may or may not be comfortable with. One good thing is that the iPhone does prompt for password to reconnect, and will tie the continuity of the VPN connection into the general phone lock security, such that an inability to provide the appropriate access code to a locked phone results in the VPN not being accessible.
    The VPN of course is dependent upon a reliable network connection. I’ve noticed that it’s somewhat graceful in switching between WiFi and EDGE, however it’s not totally graceful, and you can experience some hinky things, like being able to send and not receive, or the mail client saying ‘Connecting’ for about 5 minutes before it figures things out.
    The best cure for this is to simply stop and restart the VPN connection. Note that when you reconnect, the first attempt will prompt you for a numeric password, this is meaningless unless you have the device lock turned on. Just enter anything. (I think this is another bug) THEN it will re-prompt you for your real VPN password.
    This solution for email delivery is obviously dependent upon the VPN connection being active. I’ve noticed that at times the iPhone will disconnect the VPN (probably when service switching) and not bother to mention it. When that happens, of course the VPN must be restarted.
    For the lazy, this is an inconvenient solution because while it would appear that the iPhone will cache the VPN password, in fact it will not. That means that each re-launch requires that you re-enter your password. Not terrible for me, but I could see it being very tedious for the average corporate user.
    The OSX Mail client has several little deficiencies, which may or may not impact your use of the device in this manner. For instance, if you have subfolders defined for your inbox, and server side rules to move mail into them, then you will not see any synchronization of that mail until you actually select the subfolder. Also, since there is such poor management of attachments and downloads, moving anything around via email on this device is nigh on impossible.
    EDGE access to your corporate email, via a VPN, is a bit sloooooow. It works, it’s certainly fast enough for my purposes, but it’s not the slick quick access that we’ve all become accustomed to with Blackberry and Good devices. The lack of 3G support becomes a very noticeable shortcoming here.
    (Why Apple didn’t simply partner with Good Technologies to crank out a client for this thing, I’ll never understand, but I guess you can refer to my comment above about certain people’s arrogance.)
    The biggest problem of all of course is that it’s simply klugey. I hate klugey. But, with the capabilities at this device’s disposal, and given Apple’s ambitious, if a bit idiotic, stance that no third party will develop software for the iPhone, then this is about as good as it’s going to get for now.
    It is my understanding that overseas there is some initiative underway to provide a more seamless Visto or Synchronica integration for enterprise email. However, given Apple’s unbelievably restrictive agreement with ATT regarding this device and the OTA necessity of delivering the client, I seriously doubt if we’ll see this in the near future in the US.
    But I digress, so…
    In Conclusion
    This solution is not for the faint of heart, it doesn’t work all that well, and it has way too many moving parts that are subject to failure. However, I would say that this solution is serviceable for the corporate technology professional who needs email, and really, REALLY wants the other features of the iPhone. (ie, phone whores such as me.) It requires patience, it requires an understanding that this is not a 100% thing, and there definitely needs to be a prebuilt expectation that this device will not serve your email in anything approaching the manner to which you’ve become accustomed.
    As long as all of that is okay though, then go right ahead, set it up, and enjoy!
    The Short Version;
    (I put this at the end because I want everyone to feel my pain!)
    Wireless:
    Use unsecured wireless or EDGE. Secured wireless may be serviceable as long as the SSID is broadcast, but there are known issues with this.
    VPN:
    L2TP, shared secret, running on Microsoft server, with Radius. (May work elsewhere, but doesn’t seem to run on Cisco at all) Accounts enabled for external access.
    Exchange:
    Configure IMAP4 Virtual Server on your Exchange environment, ensure that you have some SMTP resource for outbound email, use fully qualified domain names for all servers (or IP) in the mail config and do not include any domain prefix or suffix for user accounts.
    The BIG Disclaimer at the End
    Please note that all of this is provided ‘as is’. It worked for me, and I hope it works for you. To my knowledge, it’s not endorsed by Apple, and I’m not in the business of providing support for this thing. If it breaks something, if it doesn’t work, or if you simply don’t like it or me, I don’t care. However, if you have a question, and I’m not busy, and I feel like answering, I may lend a hand. You can email me at
    Matthew dot Yotko at mac dot com
    Don’t be surprised or offended if I don’t answer. Also, understand that I don’t check this address every day… Maybe a couple times a week.
    Macbook Pro   Mac OS X (10.4.10)   iphone

    Thanks, now I understand why the wifi keeps dropping. On my personal wireless network, it also seems the distance from the access point is not good compared to my laptop. At work our network & exchange teams don't seem to have the desire to struggle with this "toy" until customers start forcing its adoption. I am using OWA and it works fine over EDGE. I will share your posting with them.
    Thank you again.
    Dell   Windows XP Pro

  • Best way for wireless guest authentication

    Hi
    Can anyone tell me a good way to authenticate guest wireless in my workplace? We currently use MAC auth and usernames in the controller, which is not Cisco.
    What solutions are out there for this, i.e. something separate to the controller like a RADIUS or authentication server? We may want the guests to register themselves by providing their mobile number etc.
    Any ideas?

    When you want to provide guest authentication and then you want certain fields for the user to enter, guest access is best when there is a portal page. When you want guest to enter information like cell number etc, then you either need to find a 3rd party captive portal software, or external webauth server or if you have Cisco wlc, you use ISE.
    Your final requirements will determine what solution can or can't work.
