Secure and guest wlans on same ap ?

Similar Messages

• Cisco 851W - Internal WLAN and Guest WLAN

  I have a Cisco 851W Router, which has an IPSEC Tunnel back to my corporate office.
  I want to configure 2 WLANS, one for my internal network (vlan 1) which will have access to my corporate network, and one for guests which will just be for outbound internet access (http, https, ftp, sftp, etc ..).
  I have not been able to find any Cisco Documentation with how to accomplish. Can someone inform me where I can find this or supply me with some configuration examples?

  create 2 ip dhcp pools on the router for the 2 types of clients
  create  wlan for each type of client
  I'm assuming a wlc is involved, then hreap and allow both vlans, procedure will be slightly different for standalone
  acl by address to ban traffic from ipsec tunnel- easier on a WLC  interface than on the router, no wlc then on the router
  bob

• Can I have 2 routers with different security and broadcast modes off same modem?

  Hi
  Apologies for not being too technical.  The background is that I have a mac and a dell laptop, both of which used to work off a Linksys WRT54G wireless router even though both computers are set up for N routers.  I then bought a Logitech Squeezebox internet radio, again working off the Linksys G.  The security on all 3 was WEP.
  I was then advised to upgrade my router to N and change security to WPA.  I bought a Netgear WNR2000 N wireless router as the local shop did not have any linksys n routers.  I tried to set up the three devices to this router but it seems that the radio will only broadcast G and WEP security.
  It then appeared that I would have to downgrade the other two computers back to G and WEP also and when I did that the internet speed really slowed down.
  My query is this, can I set up the Netgear N to be linked to my modem and broadcasting at N and WPA, thus linking my computers at top speed, and then can I link my Linksys to my Netgear and have that broadcast a different network on G/WEP for my radio?  If I can or if there is a better solution could someone tell me in easy steps how to do it?
  Very much obliged.

  You don't have to downgrade your router. Just enable mixed mode so it will allow wireless N and G devices to connect to the router. However, it will share the same wireless security mode.
  With regards to your query, the answer is yes. You can setup two (2) wireless routers, one providing N and WPA while the other one providing G and WEP. It might be a little complicated though. You have to cascade the routers. Both should have different SSID and channel.
  Try this setup first before changing the wireless options.

• WCS and Guest IP addresses

  Hi,
  I have both corporate and guest WLANs available, the corporate infrastructure is 2 x WiSM modules with guest access via a 4402 anchort point controller.  When I view client connections in WCS, I see the DHCP address all corporate users have been allocated, but all guest users show up with IP address 0.0.0.0.  The guest users are allocated a DHCP address via a local pool defined on the anchor point controller.
  Is there any way I can see the IP address of each guest user?
  Many thanks
  Liam

  Hi,
  Clients get DHCP adderss no problem from local pool configured on anchor point controller.  The issue I am facing is that this IP information is not tunnelled through to WiSM module - if I check client details on anchor controller, it shows the IP address allocated to each user.  When I check same info on WiSM controller, it shows every IP address for guest access user as 0.0.0.0.
  For reporting and troubleshooting purposes I am wondering if the correct IP information can be shown.
  Regards
  Liam

• In MountainLion System Preferences, "iCloud", "Mail, Contacts, and Calenders", and "Software Update" all want to open in 32 bit mode.  Security and Privacy won't open either.

  As stated in the header,
  iCloud
  Mail, Contacts, and Calenders
  Software Update
  all want to open in 32 bit mode.  Then when System Preferences quits and relaunches IN 32 bit mode, I get a dialog box saying "You can't open (pick one) preferences because it doesn't work on an Intel-based Mac."  Moreover, Security and Privacy does the same thing only without the song and dance about quitting and reopening.
  Whaaaaat???!!!  I've never owned anything BUT an Intel Mac.
  The "open in 32 bit mode" is not, and has never been checked in "Get Info"
  I tried going to ~Library/Preferences and tossing all com.apple.system preferences files and rebooting.  No joy.
  It actually looks like some joker has included a bunch of PPC preference panes in my copy of MountainLion, except some of them are new to this OS.
  My hardware is a mid 2010 13" MacBook Pro with4 gb of RAM, and a 500 gb hard drive, in three seperate partitions, running three Mac operating systems, one at a time.  I have SnowLeopard in a small partition because I still have a few things that don't run in Lion/ML.  Lion is still my main use machine in the largest partition, and when ML came out, I redistributed most of the unused space into a 3rd partition into which I did a clean install of ML in it's own partition so I could work through the growing pains without compromising my main computer.  I'm glad I did it that way, but I DO want to get ML working properly, and I can't do that if I can't authorize third party software.  Gatekeeper is currently in the way, and I can't get it to move.

  I dunno, that doesn't make any sense to me.
  I just shut down and rebooted into the SnowLeopard partition and took a peek at the preference panes.  There are only 3 that run in 32 bit only.  They are all 3rd party, and none of the prefpanes are non Intel.  Like I said, I have never owned a PPC machine.  Anyhow, SnowLeopard doesn't even have an iCloud prefpane, or a combined mail, contacts, and calenders prefpane, and the ML security and privacy prefpane is all new as well.  The software update prefpane is Intel and 64 bit in both SnowLeopard and Lion.
  As to the triple boot, unless I'm totally mistaken, what I have here is, in essence, 3 seperate descrete computers in one box.  All using the same hardware. but one at a time.  I wouldn't know how to get more than one running at the same time, without using a virtual machine, even if I wanted to.  (Which I don't)  I do sometimes transfer files from one to another using the shared folder, but other than that, they do not interact.  How could ML system preferences be trying to launch prefpanes from a totally different machine?

• Wireless guest wlan and secured corporate wlan

  I am implementing an enterprise wireless network for my company. I am planning on setting up one secured corporate wlan for employee and one open guest wlan for the guest/contractor/vendor. Is there a way I can prevent my employee jump from the secured wlan to the guest wlan? Thanks.
  Lee

  Hi stepehen
  LWAPP also defines the tunneling mechanism for data traffic.
  A LAP discovers a controller with the use of LWAPP discovery mechanisms. The LAP sends an LWAPP join request to the controller. The controller sends the LAP an LWAPP join response, which allows the AP to join the controller. When the LAP joins to the controller, the LAP downloads the controller software if the revisions on the LAP and controller do not match. Subsequently, the LAP is completely under the control of the controller. LWAPP secures the control communication between the LAP and the controller by means of a secure key distribution. The secure key distribution requires already provisioned X.509 digital certificates on both the LAP and the controller. Factory-installed certificates are referenced with the term "MIC", which is an acronym for Manufacturing Installed Certificate. Cisco Aironet APs that shipped before July 18, 2005, do not have a MIC. So these APs create a self-signed certificate (SSC) when they are upgraded in order to operate in lightweight mode. Controllers are programmed to accept SSCs for the authentication of specific APs.
  Pls Refer the docu..
  http://cisco.com/en/US/products/ps6306/products_qanda_item09186a00806a4da3.shtml
  Regds
  Saji k.s

• Guest WLAN and Web Auth?

  Hi Guys,
  Maybe someone can help me out?
  I just finished setting up a trial "Cisco Virtual Wireless Controller" with nearly the same configuration as our Physical
  "Cisco Wireless Controller" with the exception of having 2 ports.  Anyhow, I managed to get everything working except for the WEB AUTH on the Guest WLAN.  When a client connects, he gets a DHCP address from our ASA but when we try to get to a website, we never reach the WEB AUTH page. 
  What I tried so far is..
  add a DNS Host Name to the virtual interface and assign it to our internal DNS server.dns name was resolving but we were unable to ping 1.1.1.1
  changed the virtual ip from 1.1.1.1 to 2.2.2.2 and modified the DNS entrydns name resoved but still could not ping 2.2.2.2(I think this is normal)
  changed the virtual IP to a private address of 192.168.102.1 and modified the dns entrysame result
  I've attached some screenshots of our configuration.

  Troubleshooting Web Authentication
  After you configure web authentication, if the feature does not work as expected, complete these
  troubleshooting steps:
  Check if the client gets an IP address. If not, users can uncheck
  DHCP Required
  on the WLAN and
  give the wireless client a static IP address. This assumes association with the access point. Refer to
  the
  IP addressing issues
  section of
  Troubleshooting Client Issues in the Cisco Unified Wireless
  Network for troubleshooting DHCP related issues
  1.
  On WLC versions earlier than 3.2.150.10, you must manually enter
  https://1.1.1.1/login.html
  in
  order to navigate to the web authentication window.
  The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client
  connects to a WLAN configured for web authentication, the client obtains an IP address from the
  DHCP server. The user opens a web browser and enters a website address. The client then performs
  the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the
  website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web
  authentication login page.
  2.
  Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On
  Windows, choose
  Start > Run
  , enter
  CMD
  in order to open a command window, and do a  nslookup
  www.cisco.com" and see if the IP address comes back.
  On Macs/Linux: open a terminal window and do a  nslookup www.cisco.com" and see if the IP
  address comes back.
  If you believe the client is not getting DNS resolution, you can either:
  Enter either the IP address of the URL (for example, http://www.cisco.com is
  http://198.133.219.25)
  ♦
  Try to directly reach the controller's webauth page with
  https:///login.html. Typically this is http://1.1.1.1/login.html.
  ♦
  Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also
  be a certificate problem. The controller, by default, uses a self−signed certificate and most web
  browsers warn against using them.
  3.
  For web authentication using customized web page, ensure that the HTML code for the customized
  web page is appropriate.
  You can download a sample Web Authentication script from Cisco Software Downloads. For
  example, for the 4400 controllers, choose
  Products > Wireless > Wireless LAN Controller >
  Standalone Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404 Wireless
  LAN Controller > Software on Chassis > Wireless Lan Controller Web Authentication
  Bundle−1.0.1
  and download the
  webauth_bundle.zip
  file.
  These parameters are added to the URL when the user's Internet browser is redirected to the
  customized login page:
  4.
  ap_mac The MAC address of the access point to which the wireless user is associated.
  ♦
  switch_url The URL of the controller to which the user credentials should be posted.
  ♦
  redirect The URL to which the user is redirected after authentication is successful.
  ♦
  statusCode The status code returned from the controller's web authentication server.
  ♦
  wlan The WLAN SSID to which the wireless user is associated.
  ♦
  These are the available status codes:
  Status Code 1: "You are already logged in. No further action is required on your part."
  ♦
  Status Code 2: "You are not configured to authenticate against web portal. No further action
  is required on your part."
  ♦
  Status Code 3: "The username specified cannot be used at this time. Perhaps the username is
  already logged into the system?"
  ♦
  Status Code 4: "You have been excluded."
  ♦
  Status Code 5: "The User Name and Password combination you have entered is invalid.
  Please try again."
  ♦
  All the files and pictures that need to appear on the Customized web page should be bundled into a
  .tar file before uploading to the WLC. Ensure that one of the files included in the tar bundle is
  login.html. You receive this error message if you do not include the login.html file:
  Refer to the Guidelines for Customized Web Authentication section of Wireless LAN Controller Web
  Authentication Configuration Example for more information on how to create a customized web
  authentication window.
  Note:
  Files that are large and files that have long names will result in an extraction error. It is
  recommended that pictures are in .jpg format.
  5.
  Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication.
  Other browsers may or may not work.
  6.
  Ensure that the
  Scripting
  option is not blocked on the client browser as the customized web page on
  the WLC is basically an HTML script. On IE 6.0, this is disabled by default for security purposes.
  7.
  Note:
  The Pop Up blocker needs to be disabled on the browser if you have configured any Pop Up
  messages for the user.
  Note:
  If you browse to an
  https
  site, redirection does not work. Refer to Cisco bug ID CSCar04580
  (registered customers only) for more information.
  If you have a
  host name
  configured for the
  virtual interface
  of the WLC, make sure that the DNS
  resolution is available for the host name of the virtual interface.
  Note:
  Navigate to the
  Controller > Interfaces
  menu from the WLC GUI in order to assign a
  DNS
  hostname
  to the virtual interface.
  8.
  Sometimes the firewall installed on the client computer blocks the web authentication login page.
  Disable the firewall before you try to access the login page. The firewall can be enabled again once
  the web authentication is completed.
  9.
  Topology/solution firewall can be placed between the client and web−auth server, which depends on
  the network. As for each network design/solution implemented, the end user should make sure these
  ports are allowed on the network firewall.
  Protocol
  Port
  HTTP/HTTPS Traffic
  TCP port 80/443
  CAPWAP Data/Control Traffic
  UDP port 5247/5246
  LWAPP Data/Control Traffic
  (before rel 5.0)
  UDP port 12222/12223
  EOIP packets
  IP protocol 97
  Mobility
  UDP port 16666 (non
  secured) UDP port 16667
  (secured IPSEC tunnel)
  10.
  For web authentication to occur, the client should first associate to the appropriate WLAN on the
  WLC. Navigate to the
  Monitor > Clients
  menu on the WLC GUI in order to see if the client is
  associated to the WLC. Check if the client has a valid IP address.
  11.
  Disable the Proxy Settings on the client browser until web authentication is completed.
  12.
  The default web authentication method is PAP. Ensure that PAP authentication is allowed on the
  RADIUS server for this to work. In order to check the status of client authentication, check the
  debugs and log messages from the RADIUS server. You can use the
  debug aaa all
  command on the
  WLC to view the debugs from the RADIUS server.
  13.
  Update the hardware driver on the computer to the latest code from manufacturer's website.
  14.
  Verify settings in the supplicant (program on laptop).
  15.
  When you use the Windows Zero Config supplicant built into Windows:
  Verify user has latest patches installed.
  ♦
  Run debugs on supplicant.
  ♦
  16.
  On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window, Start
  > Run > CMD:
  netsh ras set tracing eapol enable
  netsh ras set tracing rastls enable
  In order to disable the logs, run the same command but replace enable with disable. For XP, all logs
  will be located in C:\Windows\tracing.
  17.
  If you still have no login web page, collect and analyze this output from a single client:
  debug client
  debug dhcp message enable
  18.
  debug aaa all enable
  debug dot1x aaa enable
  debug mobility handoff enable
  If the issue is not resolved after you complete these steps, collect these debugs and use the TAC
  Service Request Tool (registered customers only) in order to open a Service Request.
  debug pm ssh−appgw enable
  debug pm ssh−tcp enable
  debug pm rules enable
  debug emweb server enable
  debug pm ssh−engine enable packet

• Can't get secure wlan to work with new guest wlan

  Dear Support,
  I'm having a nightmare! where I can seem to get either one wlan to work or the other but not both together.
  I posted previously and reconfigured as per the suggestion, however the problem I get is that the secure wlan client associates, then de-associates after roughly 30 seconds with both a guest (no security) and secure (eap using ms ias as radius server)
  my previous post is;
  http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Security%20and%20Network%20Management&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddcfe12
  and the log shows the following, obviously the client is set to connect automatically.
  *Mar 1 00:04:35.105: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 00
  13.cefd.48ca Associated KEY_MGMT[NONE]
  *Mar 1 00:04:51.391: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 000e.35f8
  .5d13 Associated KEY_MGMT[NONE]
  *Mar 1 00:04:51.506: %DOT11-4-MAXRETRIES: Packet to client 000e.35f8.5d13 reach
  ed max retries, removing the client
  *Mar 1 00:04:51.506: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating
  Station 000e.35f8.5d13 Reason: Previous authentication no longer valid
  *Mar 1 00:05:15.176: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 00
  13.cefd.48ca Associated KEY_MGMT[NONE]
  *Mar 1 00:05:32.703: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating
  Station 0013.cefd.48ca Reason: Sending station has left the BSS
  *Mar 1 00:05:58.780: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 00
  13.cefd.48ca Associated KEY_MGMT[NONE]
  *Mar 1 00:06:16.141: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating
  Station 0013.cefd.48ca Reason: Sending station has left the BSS
  *Mar 1 00:06:40.759: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 00
  13.cefd.48ca Associated KEY_MGMT[NONE]
  *Mar 1 00:06:58.145: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating
  Station 0013.cefd.48ca Reason: Sending station has left the BSS
  *Mar 1 00:07:00.560: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 00
  13.cefd.48ca Associated KEY_MGMT[NONE]
  *Mar 1 00:07:18.020: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating
  Station 0013.cefd.48ca Reason: Sending station has left the BSS
  *Mar 1 00:07:43.902: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 00
  13.cefd.48ca Associated KEY_MGMT[NONE]
  *Mar 1 00:08:01.254: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating
  Station 0013.cefd.48ca Reason: Sending station has left the BSS
  *Mar 1 00:08:16.172: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 00
  13.cefd.48ca Associated KEY_MGMT[NONE]
  *Mar 1 00:08:16.737: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating
  Station 0013.cefd.48ca Reason: Sending station has left the BSS
  *Mar 1 00:08:37.397: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 00
  13.cefd.48ca Associated KEY_MGMT[NONE]
  *Mar 1 00:08:54.732: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating
  Station 0013.cefd.48ca Reason: Sending station has left the BSS
  *Mar 1 00:08:57.193: %DOT11-4-MAXRETRIES: Packet to client 0013.cefd.48ca reach
  ed max retries, removing the client
  Thanks in advance for your assistance.
  Any prompt reply will be greatfully received. I also rate responses.
  Thanks again, regards, Adrian

  Hi Ben,
  Please find attached AP config, I can access the switch at the moment, but the config is fairly basic, trunk port with two vlans and vlan 1 as the native.
  here's the ap config.
  AP-CDC#2#sh startup-config
  Using 2989 out of 32768 bytes
  version 12.3
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname AP-CDC#2
  enable secret 5 $1$LQ1O$NKYZoYAeiahKw0805kLHg0
  clock timezone GMT 0
  clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
  ip subnet-zero
  ip domain name wlan.internal
  aaa new-model
  aaa group server radius rad_eap
  server 10.10.10.2 auth-port 1645 acct-port 1646
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authorization exec default local
  aaa accounting network acct_methods start-stop group rad_acct
  aaa session-id common
  dot11 vlan-name dmz vlan 2
  dot11 ssid Secure
  vlan 1
  authentication open eap eap_methods
  authentication network-eap eap_methods
  dot11 ssid Guest
  vlan 2
  authentication open
  guest-mode
  username Cisco password 7 062506324F41
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption vlan 1 mode wep mandatory
  ssid Secure
  ssid Guest
  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
  54.0
  no preamble-short
  channel 2412
  station-role root
  interface Dot11Radio0.1
  encapsulation dot1Q 1 native
  no ip route-cache
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface Dot11Radio0.2
  encapsulation dot1Q 2
  no ip route-cache
  bridge-group 2
  bridge-group 2 subscriber-loop-control
  bridge-group 2 block-unknown-source
  no bridge-group 2 source-learning
  no bridge-group 2 unicast-flooding
  bridge-group 2 spanning-disabled
  interface FastEthernet0
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  hold-queue 160 in
  interface FastEthernet0.1
  encapsulation dot1Q 1 native
  no ip route-cache
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface FastEthernet0.2
  encapsulation dot1Q 2
  no ip route-cache
  bridge-group 2
  no bridge-group 2 source-learning
  bridge-group 2 spanning-disabled
  interface BVI1
  ip address 10.10.10.49 255.255.255.0
  no ip route-cache
  ip default-gateway 10.10.10.253
  ip http server
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip radius source-interface BVI1
  radius-server attribute 32 include-in-access-req format %h
  radius-server host 10.10.10.2 auth-port 1645 acct-port 1646 key 7 xyz
  radius-server vsa send accounting
  control-plane
  bridge 1 route ip
  line con 0
  line vty 0 4
  end
  AP-CDC#2#
  Thanks again, regards, Adrian

• Guest Anchor N+1: Multiple guest WLANs and Mobility List

  Hi Experts,
  We are going to replace two guest anchor controllers WLC4402 sitting in different DMZs with two WLC5508 as N+1 redundant pair in one DMZ.
  I assume each guest anchor controller should support multiple guest WLANs. Is it correct?
  And between these two new anchor WLCs, do they need to add each other to Mobility List?
  Or maybe I should ask first, does it matter if they are in the same mobility group or not?
  Thanks
  Cedar

  N+1 for guest anchors isn't what N+1 was designed for.  N+1 was designed for redundancy for WLC's supporting access points, not mobility anchors.  This solution might work, but I really doubt Cisco will support this setup, but I can be wrong.... you can always talk with your local Cisco SE or open a TAC case and ask.
  Guest anchors should have a different mobility group name from the foreign WLC's.  You do need the foreign to have both guest anchors and the guest anchor to just have the foreign WLC(s).  The redundant guest anchors do not need to have each other in the mobility group list.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Everytime I try to pay with my cc on paypal, I enter all of my infor and after I press the "review and confirm" button the same page reopens but has erased only my cc #, exp date and security cvv number. What could be wrong?

  b.stats.paypal.com : server does not support RFC 5746, see CVE-2009-3555
  This appears on my error page everytime I try to use my credit card through paypal. I enter all of my info (billing, etc..) and after hitting the "review and confirm" button the same page reappears and has erased my cc number and leaving my name and billing info. What can I do to finish my transaction?

  The message about CVE-2009-3555 is meant for webmasters to make them aware that they need to fix their servers.<br />
  Firefox 3.6 versions can detect such a misconfiguration and displays a warning in the "Tools > Error Console".<br />
  * http://wiki.mozilla.org/Security:Renegotiation
  You may have a problem with the PayPal cookies.
  * "Remove the Cookies" from sites causing problems: Tools > Options > Privacy > Cookies: "Show Cookies"
  See also:
  * http://kb.mozillazine.org/Cookies#Removing_cookies
  * [[Cookies]]
  * [[Enabling and disabling cookies]]

• Guest WLAN and IP Address Exhaustion

  Does anybody know of a way to stop a DHCP Server from doling out IP addresses (and subsequently exhausting the DHCP Scope) prior to performing L3 Web Auth to the WLC?
  The problem arises when Students come into School with their iPhones and such like with the WLAN turned on which exhausts the current Guest WLAN DHCP Scope.  Subsequently when a valid Guest User comes along they are unable to obtain an IP.
  Many Thanks

  Hi,
  This is the challenge that we have with the Guest wireless access!! However, we can use WPA/WPA2-PSK along with the WEB-AUTH, SO that thew clients who provide the right PSK will only be able to grab the IP..
  Regards
  Surendra

• Guest WLAN and DNS tunneling (IP over DNS with iodine, NSTX, etc)

  Hello,
  I'm trying to implement guest WLAN with web authentication on the WLC 2504. L3 for guests WLAN is terminated on ASA 5510 (as subinterface).
  All works pretty fine. Guests clients are prompted to enter login/password, guests are authenticated against ACS and so on.
  But I have a strange idea. How can I prevent unauthorised DNS tunneling from the guest network?
  I think that DNS tunneling can be prevented with dns-guard on ASA and dns inspections, e.g. drop dns packets larger then 512 bytes and perform deep inspection againd packets.
  Any ideas or advices?

  Hello,
  I'm trying to implement guest WLAN with web authentication on the WLC 2504. L3 for guests WLAN is terminated on ASA 5510 (as subinterface).
  All works pretty fine. Guests clients are prompted to enter login/password, guests are authenticated against ACS and so on.
  But I have a strange idea. How can I prevent unauthorised DNS tunneling from the guest network?
  I think that DNS tunneling can be prevented with dns-guard on ASA and dns inspections, e.g. drop dns packets larger then 512 bytes and perform deep inspection againd packets.
  Any ideas or advices?

• Guest and Internal WLAN

  Hi,
  Can you please suggest how to implement this set-up? Two wlan's to be created internal and guest, where guest will be directed to Internet only. WLC deployed on this set-up. Internal users must be authenticated, kindly suggest mechanism. can i do mac-address filter with WPA2 for internal? If i am to implement ACL preventing Guest to access Internal VLAN, would this work?

  Hey Joseph,
  Please find the steps below.
  1) Create seperate VLANs for Guests and Internal staff.
  2) You can use VACLs for blocking inter VLAN traffic from your L2 swithc or if ther is a router simple ACL would do the trick.
  3) You can setup a local AD server which can be used for authenticating internal staff
       (No need for guests to authenticate via this AD)
  There are many ways to achieve, I need the exact setup.
  The one that you have posted is ambiguous as it is unclear whether there is a router/L3 swithc between the WLC and ASA or ASA itself is acting as an L3 device and serving your routing purpose.
  Please rate helpful posts..
  Ameya

• Guest WLAN and a Office WLAN on 1242AG

  Hi All,
  I have managed to add two WLANS, one for the Office Wireless clients(Staff laptops) and another one for Guests. I have bassicaly created two SSIDs, one broadcasting, other one not(Staff one).
  The AP is a 1242AG and is going to connect to a Catalyst 3750 48T, which is connected to Cisco 877. How can I make the DHCP assignments to both Guest WLAN and Staff WLAN and also do I have to create trunk port in the Switch ( I am thinking like this as I got Two VLANs.)
  Does anyone know or got a sample running config ( in a Switch and in a similar AP)...really appriciate it. Time is running out for me!!!
  Reg
  ND

  Hi,
  here is a config example for exactly you are looking for:
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml.
  HTH,
  Tiago

• How To: Setting up two WLANs (Private and Guest) - two distinct IP schemes.

  WLC 2504 running software version 7.4.100.0.
  Goal:
  Private WLAN to allow access to internal network
  Guest WLAN to allow access to web (in the DMZ)
  We currently have the wifi-network running and is servicing web access only.
  Any ideas on how best to go about this? There will be need to assign two different IPs to wireless clients depending on which WLAN they access.
  Thanks.

  Hello Daniel,
  So in order to segregate traffic based on the WLAN they are connecting to, you will first need to establish/create dynamic interfaces on your controller which will be 'mapped' to a specific SSID(ie. Private or Guest):
  http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/consolidated/b_cg74_CONSOLIDATED_chapter_011111.html#ID594
  If you already have the dynamic interfaces in place, you simply just create the WLAN under WLANs > Create New > Go.  Once you apply, you will be sent to the 'General' section where you can apply the 'Interface' to the dynamic interface you created in which to put the client on. 
  Cheers,
  Erwin
  How helpful was I? Don't forget to rate me when you have the chance!