Setup Guest access to WLAN

I have 8 Cisco 1230AP's providing access to my LAN for laptop users. The encryption is via WPA. I now need to setup unencrypted access to the internet for guests/visitors - keeping them away from my LAN and internal network. How can I do this? Do I just setup a 2nd SSID and allow access to be wide open or do I need to implement some type of VLAN? My switch is unmanaged and it is not a Cisco brand. Thanks for your help...

I saw your other post and you can ignore that, since you have an unmanaged switch. No matter what you do, all traffic will be dumped out the ap to you lan. This is due to the fact that you can't create a trunk between the ap and the switch which will allow you to have multiple vlans. If you only need guest access in a certain location, you can just add an access point and set that up to go out to a dsl or broadband connection.

Similar Messages

  • Guest access to WLAN.

    I have 8 Cisco 1230AP's providing access to my LAN for laptop users. The encryption is via WPA. I now need to setup unencrypted access to the internet for guests/visitors - keeping them away from my LAN and internal network. How can I do this? Thanks for your help...

    the only thing you can really do if your ap's are autonomous is to create another ssid and place that on a different vlan. Then you can use acl's to prevent guest subnet from accessing the internal network. Or you can place the guest user on that different vlan and then have a dsl connected to that subnet for guest users to use. That vlan will not have a layer 3 interface so it will be isolated from the rest of your network.

  • Anyone seen strange behavior with wired guest access on WLAN Controller?

    Cisco Doc ID 99470 spells out how to deploy wired guest access over wireless LAN Controllers.
    That said, everything has been up and working for almost a year.  Guest wireless uses anchor controller in DMZ - no issues.
    Recently configured two wired ports for wired guest networking.  The desktops get the correct IP address via DHCP.  A wireless client (on the table right next to the wired clients) on the guest wireless gets an IP address as expected as well.
    Open a continuous ping to the gateway 172.16.16.1 on all three machines.
    The two desktops will ping for a few minutes and then stop for 30 seconds or longer.  Wireless client will keep its connection.  (you might think it would be the other way around)
    I understand there is a 65,535 second inactivity timeout, but I am only sitting here for minutes, not 18 hours when this happens.
    On the wired desktops, you have to bring up a browser and log back in just as you do on a wireless client ever few minutes.  After debugging the client, I found a "failed to find scb" message in the output.
    The other trick here is that the wired clients are miles away from where I can actually get on the CLI of the controller.  This makes it difficult to run a debug and bring up a browser since I am not local to the machines when running debugs.
    Has anyone ever see this behavior?  Has anyone see the "failed to find scb" message?
    Thanks in advance!
    Succ
    essfully plumbed mobile rule (ACL ID 255)
    *pemReceiveTask: Dec 30 11:33:15.735: 00:25:b3:ce:cb:ef 0.0.0.0 tokenID = 5
    *pemReceiveTask: Dec 30 11:33:15.735: 00:25:b3:ce:cb:ef Set bi-dir guest tunn
    el for 00:25:b3:ce:cb:ef as in Export Foreign role
    *pemReceiveTask: Dec 30 11:33:15.735: 00:25:b3:ce:cb:ef 0.0.0.0 Added NPU ent
    ry of type 1, dtlFlags 0x4
    *spamReceiveTask: Dec 30 11:34:54.569: CCKM: Send CCKM cache entry
    FP08:(33207772)[cmdSendNodeInfo:3787]failed to find scb 0023.2422.c6eb
    *mmListen: Dec 30 11:35:58.539: 00:25:b3:ce:cb:ef Scheduling deletion of Mobi
    le Station: (callerId: 73) in 1 seconds
    *mmListen: Dec 30 11:35:59.471: 00:25:b3:ce:cb:ef Scheduling deletion of Mobi

    I found it in the document
    B.1 How Logout Works
    The WebGate logs a user out when it receives a URL containing "logout." (including the "."), with the exceptions of logout.gif and logout.jpg, for example, logout.html or logout.pl. When the WebGate receives a URL with this string, the value of the ObSSOCookie is set to "logout."
    The Access System sets an obSSOCookie for each user or application that accesses a resource protected by a WebGate. The obSSOCookie enables users to access resources that are protected by the Access System that have the same or a lower authentication level. Removing the ObSSOcookie causes the WebGate to log the user out and requires the user to re-authenticate the next time he or she requests a resource that is protected by the Access System.
    Well, I havn't got that far in the document:)
    Thanks a lot for your help.
    -Wei

  • Extending a network and the new guest access feature

    Hi-
    Currently, I have 3 of the 802.11n Airport Extremes—One creating the network, and two extending the network.
    I would like to get the new feature that allows you to setup guest access---
    My question: Will I be able to purchase ONE of the new Airports, setup guest access and extend it using the older Airports, or will I have to buy three of the new Airports to make this work….
    Thanks for any help or advice!

    It would seem almost certain that the older AirPort Extreme base station (AEBS) would not extend both the normal network and the guest access network. You should be able to extend the normal network.

  • CPI 1.2 WLAN Guest Access, multiple account

    Hello All
    Is it possible with the CPI 1.2 built-in WLAN guest access functionality to create a WLAN guest account that can simultaneously by severall users?
    Or if that is the normal behaviour, is it possible to restrict one guest user to one computer?
    Thanks,
    Patrick

    To answer my own question, this is done under:
    Configure - Templates - Controller Template Launch Pad (if you are working with templates), then Security - User Login Policies and here it's the setting "Maximum Number of Concurrent Logins for a single user name". Set it to 0 for unlimited times the same username.
    Sadly that means that I can not restrict it per guest user, but only global.

  • BBSM and ISA for WLAN Guest Access

    We are considering the purchase of a BBSM to help provide wlan guest access to the Internet.
    I know that Micrsoft's ISA server is one component of the BBSM, but can anyone tell me:
    1) what version of ISA is implemented in BBSM?
    2) is the ISA compoenent at all customizable? That is, can I add poilicies to BBSM's ISA to restrict the Internet sites users can go to?
    Thanks very much.
    John

    I am not sure what version of ISA it is but from our experience you can not filter what addresses the user can go to. we have customised it some in that we forward all of the web traffic comming in to a web filter box and allow the filter box to block sites.

  • Would like to setup guest network apple airport extreme will only allow limited access

    imac 10.9.3 connected to internet with airport extreme /xfinity router trying to setup guest network can't connect to internet

    The guest network feature of the Apple routers will work correctly when the Apple device connects to a simple modem.......not a modem/router or gateway type of device.
    If the guest network feature is important to you, check with your Internet Service Provider to see if they can supply you with a simple modem......which will then allow the guest network feature to work correctly on your network.

  • Wireless Guest Access with 802.1X (PEAP/MSCHAPv2) and ISE?

    Hi,
    I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
    The WLCs are running 7.3 and ISE is 1.1.1
    I'm trying to setup wireless guest access, where the guests connect to a SSID with 802.1X using PEAP/MSCHAPv2.
    They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
    The credentials will be created by the sponsor, using the sponsor portal on the ISE.
    Now to the questions:
    Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
    Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
    When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
    As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
    Thankyou very much :-)
    Best Regards,
    Niels J. Larsen

    Hi,
    I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
    The WLCs are running 7.3 and ISE is 1.1.1
    I'm trying to setup wireless guest access, where the guests connect to a SSID with 802.1X using PEAP/MSCHAPv2.
    They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
    The credentials will be created by the sponsor, using the sponsor portal on the ISE.
    Now to the questions:
    Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
    Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
    When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
    As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
    Thankyou very much :-)
    Best Regards,
    Niels J. Larsen

  • Unified wireless guest access

    Hi I need help in configuring unified wireless guest access. i have followed the guide
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html#wp999843.
    But the problem is it still does not work. what i dont get is that the interface for the Guest SSID for the foreign controller is management, does this mean that i have to get an IP address first from the management segment before i can get an IP from the anchor WLC?
    my setup is that i have an anchor controller which is on a different LAN from where my foreign WLC is. the anchor WLC has the DHCP scope and the local net user database. I have already join the two WLC to each other's mobility group. also i have configured the mobility anchor on the WLAN(SSID) of the foreign controller.
    Another thing is that the AP im trying to use is on a different site from where my controller is. Im not sure if this is the one causing problem.
    Can someone help point out my mistake.

    Its rare that I have a difference in opinion from both of you guys but let me share with you an issue I had.
    If you map the foreign controller to the management interface and the tunnel breaks for whatever reason the clients will get dumped on the management interface, even though the WLAN is anchored to the DMZ controller.
    I know this becuase I seen this for my self when I had anchor issues.
    I opened a tac case and it was suggested to use a "dummy interface" on the foreign controller. I forget who I spoke to, this is over a year now. But I then followed up witha Cisco SE on the Advance Wireless team and he commented this is what they do as well. And to add further, a large hospital system here in the Tex Med center had Cisco advance team install their controllers and they too had dummy interfaces for the foreign controllers for guest.
    Just my 2 cents ... Add a dummy interface call he dummy_guest_interface and tie it to 222.222.222.222 or something like ... no need to add anything on the wired.

  • Guest Access in 4.2.112/130 code

    I've just upgraded our controllers from 4.1.185 to 4.2.130 and have noticed some new settings and features for Guest access, specifically on the interfaces and the wlans. Can some one point me to an updated guide on the explanation of these new additions and the recommend setup now? Until I see an explanation on paper so as I can fully understand it, I don't want to change my current setup. i.e. Guest Lan, Ingress Interface, Egress Interface.

    Here is an even better link:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml
    the nutshell....
    "A growing number of companies recognizes the need to provide Internet access to its customers, partners, and consultants when they visit their facilities. With the new Wired Guest Access feature support on the Cisco WLAN Controllers that uses Cisco Unified Wireless Software Release 4.2.61.0 and later, IT managers can provide wired and wireless secured and controlled access to the Internet for guests on the same wireless LAN controller.
    Guest users must be allowed to connect to designated Ethernet ports and access the guest network as configured by the administrator after they complete the configured authentication methods. Wireless guest users can easily connect to the WLAN Controllers with the current guest access features. In addition, WCS, along with basic configuration and management of WLAN Controllers, provides enhanced guest user services. For customers who have already deployed or plan to deploy WLAN Controllers and WCS in their network, they can leverage the same infrastructure for wired guest access. This provides a unified wireless and wired guest access experience to the end users."

  • Guest Access with Inter-vlan Mobility

    I have a setup as follows
    Two datacenters each with one wlc5500, one guest access server and one internet circuit with firewall.
    LWAPs connect to the data centres over a WAN.
    Each LWAP has two SSIDs one guest with web auth and one private with 802.1x.
    Site1 has 40 APs and site2 has 10 APs.
    The best scenario would be to have 30 APs on each controller but this means that there would be a mix of APs centrally switched on different VLANs for the guest wlan.
    Is there any way to anchor clients that intially associate to WLC1 so that if they roam on to WLC2 they keep the same IP address from datacentre 1. Similarly those that associate to WLC2 keep their IP from datacentre 2 if they roam to WLC1. Finally if either WLC1 or WLC2 fail then all clients re-associate to the active WLC at one DC. All the config guides so far only depict one internet circuit so I can't work out if this is possible yet. So far with both WLCs active the client changes address as they roam to the other WLC.
    I would like to avoid creating a L2 link beween DCs if possible

    Thanks for looking
    (Cisco Controller) >show wlan 3
    WLAN Identifier.................................. 3
    Profile Name..................................... guest
    Network Name (SSID).............................. GUEST
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
    NAC-State...................................... Disabled
    Quarantine VLAN................................ 0
    Number of Active Clients......................... 0
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 1800 seconds
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ guest-vlan
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... 10.18.227.10
    DHCP Address Assignment Required................. Enabled
    --More-- or (q)uit
    Quality of Service............................... Silver (best effort)
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... 802.11b and 802.11g only
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
    Authentication................................ Global Servers
    Accounting.................................... Global Servers
    Dynamic Interface............................. Disabled
    Local EAP Authentication......................... Disabled
    Security
    --More-- or (q)uit
    802.11 Authentication:........................ Open System
    Static WEP Keys............................... Disabled
    802.1X........................................ Disabled
    Wi-Fi Protected Access (WPA/WPA2)............. Disabled
    CKIP ......................................... Disabled
    Web Based Authentication...................... Enabled
    ACL............................................. Unconfigured
    Web Authentication server precedence:
    1............................................... local
    2............................................... radius
    3............................................... ldap
    Web-Passthrough............................... Disabled
    Conditional Web Redirect...................... Disabled
    Splash-Page Web Redirect...................... Disabled
    Auto Anchor................................... Disabled
    H-REAP Local Switching........................ Disabled
    H-REAP Learn IP Address....................... Enabled
    Client MFP.................................... Optional but inactive (WPA2 not configured)
    Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    --More-- or (q)uit
    Mobility Anchor List
    WLAN ID IP Address Status
    (Cisco Controller) >?
    (Cisco Controller) >show wln 3
    Incorrect usage. Use the '?' or key to list commands.
    (Cisco Controller) >
    (Cisco Controller) >
    (Cisco Controller) >
    (Cisco Controller) >show wlan 3
    WLAN Identifier.................................. 3
    Profile Name..................................... guest
    Network Name (SSID).............................. GUEST
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
    NAC-State...................................... Disabled
    Quarantine VLAN................................ 0
    Number of Active Clients......................... 1
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 1800 seconds
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ guest-vlan
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... 10.253.128.10
    DHCP Address Assignment Required................. Enabled
    --More-- or (q)uit
    Quality of Service............................... Silver (best effort)
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... 802.11b and 802.11g only
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
    Authentication................................ Global Servers
    Accounting.................................... Global Servers
    Dynamic Interface............................. Disabled
    Local EAP Authentication......................... Disabled
    Security
    --More-- or (q)uit
    802.11 Authentication:........................ Open System
    Static WEP Keys............................... Disabled
    802.1X........................................ Disabled
    Wi-Fi Protected Access (WPA/WPA2)............. Disabled
    CKIP ......................................... Disabled
    Web Based Authentication...................... Enabled
    ACL............................................. Unconfigured
    Web Authentication server precedence:
    1............................................... local
    2............................................... radius
    3............................................... ldap
    Web-Passthrough............................... Disabled
    Conditional Web Redirect...................... Disabled
    Splash-Page Web Redirect...................... Disabled
    Auto Anchor................................... Disabled
    H-REAP Local Switching........................ Disabled
    H-REAP Learn IP Address....................... Enabled
    Client MFP.................................... Optional but inactive (WPA2 not configured)
    Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    --More-- or (q)uit
    Mobility Anchor List
    WLAN ID IP Address Status
    (Cisco Controller) >?

  • Any Best Practices for Guest Access?

    Looking to create a guest access WLan so that Vendors can have internet access along with vpn into their own network while disallowing access to our internal systems.
    I have created a Guest WLan and configured it on the WLC side. I think all I have to do now is to configure the core switch with athe New 99 Vlan along with configuring the trunk ports connected to the WLC's.
    My question is, am I missing anything in the setup? and are there any "best practices" wen it comes to Guest access? I am hoping to use web-passthru authentication. I dont believe this requires any AAA or Radius servers which we dont have set up. I will probably just want a single "guest" account which will provide internet access without allowing access to the internal lan. Am I on the right track here?

    ***************Guest WLC****************** (Cisco Controller) >show mobility summary Symmetric Mobility Tunneling (current) .......... Enabled Symmetric Mobility Tunneling (after reboot) ..... Enabled Mobility Protocol Port........................... 16666 Default Mobility Domain.......................... DMZ Multicast Mode .................................. Disabled Mobility Domain ID for 802.11r................... 0x43cd Mobility Keepalive Interval...................... 10 Mobility Keepalive Count......................... 3 Mobility Group Members Configured................ 2 Mobility Control Message DSCP Value.............. 0 Controllers configured in the Mobility Group MAC Address        IP Address      Group Name                        Multicast 00:19:aa:72:2e:e0  10.192.60.44    Champion Corp                    0.0.0.0 00:19:aa:72:39:80  10.100.100.20    DMZ                              0.0.0.0 (Cisco Controller) > ***************Corp WLC***************** (Cisco Controller) >show mobility summary Symmetric Mobility Tunneling (current) .......... Enabled Symmetric Mobility Tunneling (after reboot) ..... Enabled Mobility Protocol Port........................... 16666 Default Mobility Domain.......................... Champion Corp Multicast Mode .................................. Disabled Mobility Domain ID for 802.11r................... 0x46d5 Mobility Keepalive Interval...................... 10 Mobility Keepalive Count......................... 3 Mobility Group Members Configured................ 2 Mobility Control Message DSCP Value.............. 0 Controllers configured in the Mobility Group MAC Address        IP Address      Group Name                        Multicast IP    Status 00:19:aa:72:2e:e0  10.192.60.44    Champion Corp                    0.0.0.0          Up 00:19:aa:72:39:80  10.100.100.20    DMZ                              0.0.0.0          Up (Cisco Controller) >

  • Ask the Experts: Wired Guest Access

    Sharath K.P.
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions on wired guest access with expert Sharath K.P. Wired guest access enables guest users to connect to the guest access network from a wired Ethernet connection designated and configured for guest access. Sharath K.P. is a Customer Support Engineer specialized in wireless and switching technologies at the Technical Assistance Center in Cisco Bangalore. He has been troubleshooting wireless and switching networks and management tools since 2009. Sharath has a bachelor's degree in Electrical Electronics Engineering from P.E.S College of Engineering (PESCE), VTU at Belgaum. India. He holds CCNP certifications in R&S and Wireless.
    Remember to use the rating system to let Sharath know if you have received an adequate response. 
    Sharath might not be able to answer each question due to the volume expected during this event.
    Remember that you can continue the conversation on the Wireless and Mobility sub-community discussion forum shortly after the event. This event lasts
    through January 27, 2012. Visit this forum often to view responses to your questions and the questions
    of other community members.

    Hi Daniel ,
    Wonderful observation and great question .
    Yes, we dont find any recommendation or inputs in Cisco Docs on scenarios  where  we  have multiple foriegn WLC's present .When we go through the Cisco Doc available for Wired Guest Access
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml
    Two separate solutions are available to the customers:
    A single WLAN controller (VLAN Translation mode) - the access switch  trunks the wired guest traffic in the guest VLAN to the WLAN controller  that provides the wired guest access solution. This controller carries  out the VLAN translation from the ingress wired guest VLAN to the egress  VLAN.
    Two WLAN controllers (Auto Anchor mode) - the access switch trunks  the wired guest traffic to a local WLAN controller (the controller  nearest to the access switch). This local WLAN controller anchors the  client onto a DMZ Anchor WLAN controller that is configured for wired  and wireless guest access. After a successful handoff of the client to  the DMZ anchor controller, the DHCP IP address assignment,  authentication of the client, etc. are handled in the DMZ WLC. After it  completes the authentication, the client is allowed to send/receive  traffic.
    So  as per Cisco best pratices using multiple foreign controllers for the same wired guest VLAN is not supported and the results will be unpredictable
    I do understand the confusion regarding such scenario's as this( Multiple foriegn WLC's) is a very general setup which customer would like to deploy .
    We have already opened a bug for the same (Little late though )
    BUG ID :CSCtw44999
    The WLC Config Guide should clarify our support for redundancy options for wired guest
    Symptom:
    Do not trunk a wired guest VLAN to multiple foreign controllers.  This is not supported, and will
    generate unpredictable results.
    Some of the other tthat changes we will be making as a part of doc correction would be
    http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_user_accts.html#wp1066125
    1. The WiSM2 needs to be added as a supported controller.  (Not sure about the 7500, check with PM)
    2. Where it says "Do not attempt to trunk a guest VLAN on the Catalyst 3750G ...", this should read:
    "Do not trunk a wired guest VLAN to multiple foreign controllers.  This is not supported, and will
    generate unpredictable results."
    3. Add at least a line mentioning support for multiple anchors for a guest wired LAN.
    Now  if you already have such deployments , ther criteria would be that nearest WLC on the broadcast domain (Layer 2) would  respond to the client associtation request .
    Cisco Controller) >Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 Adding mobile on Wired Guest 00:00:00:00:00:00(0)
    Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 apfHandleWiredGuestMobileStation (apf_wired_guest.c:121) Changing state for mobile
    00:0d:60:5e:ca:62 on AP 00:00:00: 00:00:00 from Idle to Associated .
    I hope the above explanation could clarify your doubts to certain extent and also keep you
    informed on Cisco's  roadmap on this feature .
    Regards ,
    Sharath K.P.

  • Guest Access Redirect accepting AD credentials

    I have a 2106 controller with a guest access SSID on a isolated vlan 192. The guest SSID is setup for webauth and redirects all traffic to the isolated vlan 192. There is a RADIUS server handling AD authentications on the native management vlan. The dhcp scope on the guest access (192) vlan resides on a watchguard firewall. When I connect to the guest SSID with a WLC resident account and password I am allowed internet access fine. When I use a AD account and password from the rest of the network I am also allowed on fine. Anyone seen this before? I should not be able to even to see the AD server from the isolated VLAN much less have the controller see it as a valid login. I get an IP address from the isolated vlan and I can not ping my protected (all other vlans) network. The problem is I can not monitor content easily or filter where my AD users are going if they connect to the guest SSID. Code is older version 4.0.217.0 and I will upgrade unit to 4.1.185 this week but I suspect the problem will still exist.

    I am posting this as I have found my problem. This is bug number CSCsh35098. In this bug the if the Web account for the local user fails then the authentication request will be forwarded to a RADIUS server if one is configured on the controller. It over rides the WLAN setting to not have a RADIUS authentication. The work around is to change the RADIUS authentication from PAP to CHAP or MD5-CHAP as this will not allow the RADIUS to authenticate.

  • Mesh Design Question -- Guest Access

    In reviewing all the documents concerning Mesh with the controllers and Guest access. I'm assuming the following, through a redirect on the WLAN controller we can have a guest client create an account and also have their credit card charged. We are getting ready to building an 80 radio 1522 mesh network using the 4400 WLC. Do we need the WCS program or is that over kill? And is my assumption on the guest portion correct?
    Thanks

    Although I have never tested this credit card stuff with the WLAN, however note that WCS is an optional software for extra managability (with some really good feauters). It is not required to run the WLAN setup.
    A tip for ur design of 80 radio network: while using 1522 mesh APs, you dont need a controller with a capacity of 80 APs. Actually you need lesser capacity. In design phase, while calculating WLC capacity, count RAPs as 1 and MAPs as 1/2. for example if you have 10 out of 80 APs as RAPs in ur design and remaining 70 as MAPs you actually need a controller with a capacity of (10x1)+(70x1/2)=45. so 4402 with 50 AP capacity will do the job.
    Please feel free to contact me if you wish any further discussion.
    Waqas Akhtar
    0092-333-4848579

Maybe you are looking for

  • My images in Photoshop CS5 show up black.?

    My images in Photoshop CS5 show up black.? CS5 and was working great yesterday..but today both all my images PSD, JPG show up black in the workspace. The image is only visible when I am moving the window around and it shows up in the layer window fin

  • IDoc PEXR2002

    How to activate iDoc PEXR2002..? The requirement is to develop a solution which will create Payment Manager transaction files in the SAP iDoc PEXR2002. how and where to start..?I am pretty new to the idoc's. Any help would be great..

  • Starting Apache

    Hi, new to Solaris 10 here. Been using linux for a year or so, and I always feel comfortable with webmin running. But I can't figure out how to start apache out of the box. Can anyone give me a quick pointer? ta. Dave

  • X-FI Xtreme Music: "Emulated" or W

    HI, I just recently bought Creative X-Fi Xtreme Music and I think I have a problem with it. Here is my problem: In some games (FEAR, Call of Duty) I cant choose EAX support in the sound options. On Dxdiag under the Sound tab it says the SB X-Fi Audio

  • Getting the Program Set Up Files

    Hello all, I currently have a number of Adobe CC programs installed on my computer but would like to retain the setup files for these programs. From what I understand, they are removed during the initial installation of the program. Is there a way fo