Single Corporate SSID + Single Guest SSID across 200 sites over VPN with Flex Connect

Similar Messages

• AP1231G and guest ssid

  standalone AP1231G running c1200-k9w7-mx.123-8.JEC2 setup with internal SSID (VLAN 24)and guest SSID (VLAN 124). Here's the problem
  Both SSID picks up the native VLAN 1 dhcp address and not it's respective VLAN. I verify that dhcp server is working on vlan 24 and 124 on the switch but on the AP it always stays with Vlan 1. The AP can ping all vlan interface on the router. DHCP server hangs off the router.
  topology is 3725(with NMD-36-ESW port 2/2) trunk to AP. Below is the relevant configs:
  *************3725***************
  interface FastEthernet2/2
  switchport trunk native vlan 9
  switchport mode trunk
  interface Vlan1
  description Data
  ip address 10.7.1.254 255.255.255.0
  interface Vlan9
  description MANAGEMENT
  ip address 10.7.9.1 255.255.255.0
  ip helper-address 10.7.1.10
  ip helper-address 10.7.1.11
  interface Vlan24
  description WIRELESS
  ip address 10.7.24.1 255.255.255.0
  ip helper-address 10.7.1.10
  ip helper-address 10.7.1.11
  interface Vlan124
  description *****WIRELESS GUEST*****
  ip address 10.7.124.1 255.255.255.0
  ip helper-address 10.7.1.10
  ip helper-address 10.7.1.11
  **************AP CONFIGS***********
  aaa group server radius rad_eap
  server 10.0.21.121 auth-port 1812 acct-port 1813
  aaa group server radius rad_acct
  server 10.0.21.121 auth-port 1812 acct-port 1813
  aaa authentication login eap_methods group rad_eap
  aaa accounting network acct_methods start-stop group rad_acct
  dot11 vlan-name rms-guest vlan 124
  dot11 vlan-name wavenet vlan 24
  dot11 ssid rms-guest
  vlan 124
  authentication open
  authentication key-management wpa
  guest-mode
  wpa-psk ascii 7 <removed>
  dot11 ssid wavenet
  vlan 24
  authentication open eap eap_methods
  authentication network-eap eap_methods
  accounting acct_methods
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption vlan 124 mode ciphers tkip
  encryption vlan 24 mode wep mandatory
  broadcast-key vlan 124 change 360
  ssid rms-guest
  ssid wavenet
  interface Dot11Radio0.1
  description MANAGEMENT AND NATIVE
  encapsulation dot1Q 9 native
  no ip route-cache
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface Dot11Radio0.24
  description WAVENET SSID
  encapsulation dot1Q 24
  no ip route-cache
  bridge-group 24
  bridge-group 24 subscriber-loop-control
  bridge-group 24 block-unknown-source
  no bridge-group 24 source-learning
  no bridge-group 24 unicast-flooding
  bridge-group 24 spanning-disabled
  interface Dot11Radio0.124
  description RMS-GUEST SSID
  encapsulation dot1Q 124
  no ip route-cache
  bridge-group 124
  bridge-group 124 subscriber-loop-control
  bridge-group 124 block-unknown-source
  no bridge-group 124 source-learning
  no bridge-group 124 unicast-flooding
  bridge-group 124 spanning-disabled
  interface FastEthernet0.1
  description MANAGEMENT AND NATIVE
  encapsulation dot1Q 9 native
  no ip route-cache
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface FastEthernet0.24
  description WAVENET SSID
  encapsulation dot1Q 24
  no ip route-cache
  bridge-group 24
  no bridge-group 24 source-learning
  bridge-group 24 spanning-disabled
  interface FastEthernet0.124
  description RMS-GUEST SSID
  encapsulation dot1Q 124
  no ip route-cache
  bridge-group 124
  no bridge-group 124 source-learning
  bridge-group 124 spanning-disabled
  interface BVI1
  ip address 10.7.9.10 255.255.255.0
  no ip route-cache
  ip default-gateway 10.7.9.1
  ip radius source-interface BVI1
  radius-server host 10.0.21.121 auth-port 1812 acct-port 1813 key 7 <removed>
  bridge 1 route ip

  Is it possible that you're VLAN hopping? VLAN 1 is normally the native VLAN, and you have VLAN 9 configured. Check your config carefully and make sure that your native VLAN on all your uplinks is consistent, assuming there are any uplinks. What you posted appears correct, though.
  Honestly, I don't see a problem with the configuration your posted. You might want to reset the device to factory defaults or upgrade the IOS to ensure it's not a bug.
  You aren't using dynamic VLAN assignment, are you?
  Let us know if you figure it out, I'm curious what's going on here :D

• Easiest way to isolate a guest SSID

  Is the easiest way to use a Guest SSID with Public Secure Packet Forwarding and VLAN?  I am unsure how to tie the PSPF and VLAN together on the AP and the Switch.  I just want the Guest network to have isolated IP's and access to the Internet, while the Work SSID has full intranet and internet access.  Could someone give me an example of both the AP and Switches config's?  Do I need to create a seperate bridge group?
  Site Layout
  Cisco 2602i AP's
  Catalyst 3560 Switches
  No WLC
  SSID#1  Guest
  SSID#2  Work
  2602 Config:
  dot11 ssid Work
     authentication open
     authentication key-management wpa version 2
     wpa-psk ascii 0 Passkey
  dot11 ssid Guest
     vlan 10
     authentication open
     authentication key-management wpa version 2
     wpa-psk ascii 0 Passkey
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption mode ciphers aes-ccm
  ssid Guest
  ssid Work
  antenna gain 0
  stbc
  channel least-congested 2412 2437 2462
  station-role root
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 spanning-disabled
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding

  Ok so I will add under interface Dot11Radio 0:
  encryption mode ciphers aes-ccm
  encryption vlan 10 mode ciphers aes-ccm
  Then add from the Configure Terminal prompt:
  interface dot11radio0.10
  encapsulation dot1q 10
  bridge-group 10
  interface < ethernet > 0.10
  encapsulation dot1q 10
  bridge-group 10
  "Now for PSPF, are you looking to not let the 'guest' talk to each other, or do you not want them to talk to your 'work' ssid?"
  I would like the guests not talk to each other but have access to the internet while the Work SSID members have full access to their SSID members/internet/intranet.
  Can you give CLI examples for where the bridge-group group port-protected command goes and an example for the switch?  I am having a hard time visualizing what goes where.
  Also just verifying that this switch port configuration should be on each port going out to each AP and that there would be no further configuration needed.
  Thank you for your help!

• NAC Guest Server and Multiple Guest SSID's/Splashpages

  Hi All,
  If I have multiple guest SSID's on a single controller and I use NGS as the Radius. How do I configure NGS to "send" the clients to differnet login pages corresponding to the SSID they came from.
  I can configure different splash pages in HotSpots section but how do I map the different SSID's from the controller to the different splash pages. Then I guess that raises the question when I generate guest users on NGS is it possile to only allow them associate to a specific SSID.
  TIA,
  Eoin.

  Hi Nicolas,
  Thanks for the reply. I can see that config on the WLC and have used it before where there is only a single guest SSID. What I dont know is if the NAC Guest server sees radius requests coming from different guest SSID's on the same WLC. How does the NAC Guest server apply the correct guest policy to that user. And when sponsors genereate guest accounts how do they specific which policy is to be applied to that guest so it can only get access to a specfic guest network/SSID I'm not sure where the "mapping" of accounts/splash pages/policies takes place on the NAC guest server. I've only ever set up NAC Guest when there has been a single guest SSID.
  Regards,
  Eoin.

• Flex Connect Across Multiple VLANS same SSID

  I just need to find that if we have flex connect setup for differnet vlans using single controller, will roaming works when client connects to AP in a differnet VLAN but using same SSID.
  Example below:
  1) Client connects to AP on specific SSID mapped to VLAN 100, get an IP address ..all good at this point
  2) Client walks and connects to a differnet AP on same SSID but mapped to VLAN 200...at this point I observe client doesnt get a new IP address in fact it retain IP from step-1 and there is no connectivity
  3) Client walks back to first AP and connectivity is restored
  Why in step-2 client doesnt gets a new IP from VLAN 200 even when it shows connected to AP.

  Just to add to Rasika.... L3 isn't supported....I just ran into this a few days ago.... clients should request another dhcp when roaming to another FlexConnect AP that is mapped to a different VLAN.  The issue is, that some clients don't try to renew their dhcp address and gets stuck with the default 169.x.x.x.  I see this with Apple devices in general and what we are going to do is get rid of the multiple vlan setup (vlan per floor) and create a bigger vlan that the SSID will be mapped to.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Guest SSID

  Hello
  i want to configure a guest SSID on WLC 4400 series
  but i want it to go direct to the internet i mean it can not use the corporate network (server and other applications)
  and i want layer 2 security on it WPA2
  as i know i need to configure a internal DHCP pool on the controller it self for the guest users vlan right?
  and map that to guest ssid.
  it is not web authentication so shall i need to configure any access list for this subnet or no need?
  any seggustion please
  many thanks in advance

  what you say if i hit my local DNS server ip addresses in DHCP pool or it is not really necessary?
  If you are going to use the wlc for dhcp for the guest users, you still need to create a dynamic interface to place the guest users on.  You also need to use the wlc managment ip address as your dhcp server ip address.
  i already configured it without firewall local DHCP for guest users vlan on wlc but my guest users can access to the application how i can avoid them?
  Configured what.... if you have created another subnet on your layer 3 switch and also created a layer 3 interface, then you are routing between the guest network and all your other netowrks.  You would need to create an access list (ACL) to prevent this.  You do have a layer 3 switch correct?
  also i can see virtual interface ip address as a DHCP ip address on client side which connected to guest ssid so what should i do any one has any idea?
  Don't worry about this... it is because you have dhcp proxy enabled.   If you diable dhcp proxy then users will see the ip of the dhcp server.
  So basically what equipment do you have.... a 4400WLC that connects to a layer 3 switch then to a router for internet?

• AIR-AP1142N-A-K9 configuration issue for guest ssid

  I'm trying to get the guest ssid working.  I was frustrated so saved my old config and wiped out everything on this AP.  Now my bvi1 does not come online.
  ap#sh ip int bri
  Interface                  IP-Address      OK? Method Status                Protocol
  BVI1                       192.168.2.249   YES NVRAM  down                  down    
  Dot11Radio0                unassigned      YES NVRAM  up                    up      
  Dot11Radio0.50             unassigned      YES unset  up                    up      
  Dot11Radio0.51             unassigned      YES unset  up                    up      
  Dot11Radio1                unassigned      YES NVRAM  administratively down down    
  GigabitEthernet0           unassigned      YES NVRAM  up                    up      
  GigabitEthernet0.50        unassigned      YES unset  up                    up      
  GigabitEthernet0.51        unassigned      YES unset  up                    up      
  ap#
  ap#sh int bvi
  *May  6 15:05:24.611: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]1
  BVI1 is down, line protocol is down
    Hardware is BVI, address is 003a.99eb.8d00 (bia b862.1fe9.9af0)
    Internet address is 192.168.2.249/24
    MTU 1500 bytes, BW 54000 Kbit, DLY 5000 usec,
       reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation ARPA, loopback not set
    ARP type: ARPA, ARP Timeout 04:00:00
    Last input never, output never, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
       0 packets input, 0 bytes, 0 no buffer
       Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
       0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
       3 packets output, 180 bytes, 0 underruns
       0 output errors, 0 collisions, 0 interface resets
       0 unknown protocol drops
       0 output buffer failures, 0 output buffers swapped out
  ap#
  I have a private vlan 50 and the public vlan 51.  The private ssid seems to work and allow connectivity to the internet but I don't understand with the same configuration the Public ssid doesn't seem to work.
  I get this output when trying to connect with my cell phone. 
  *May  6 15:00:37.288: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
  *May  6 15:00:38.432: %DOT11-6-ASSOC: Interface Dot11Radio0, Station TYLOR-NB 9c4e.3617.483c Reassociated KEY_MGMT[WPAv2 PSK]
  *May  6 15:00:42.935: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
  *May  6 15:00:54.320: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   2c44.01c3.70a6 Associated KEY_MGMT[WPAv2 PSK]
  *May  6 15:01:13.913: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
  *May  6 15:01:17.281: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
  *May  6 15:01:48.181: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
  *May  6 15:01:51.583: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
  *May  6 15:02:22.500: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
  *May  6 15:03:41.852: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
  SSID [PUBLIC] :
  MAC Address    IP address      Device        Name            Parent         State     
  847a.8835.4f22 0.0.0.0         ccx-client    -               self           Assoc    
  ap#
  ap#show run
  Building configuration...
  Current configuration : 2746 bytes
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname ap
  enable secret 5 $1$4jEJ$ajpjBvSx3DUhxyvLADj.91
  aaa new-model
  aaa authentication login default local
  aaa authorization exec default local
  aaa session-id common
  dot11 syslog
  dot11 ssid PRIVATE
     vlan 50
     authentication open
     authentication key-management wpa version 2
     mbssid guest-mode
     wpa-psk ascii 7 01150F035E050E0A2D
  dot11 ssid PUBLIC
     vlan 51
     authentication open
     authentication key-management wpa version 2
     mbssid guest-mode
     wpa-psk ascii 7 045D02010A2F444B05
  username Admin privilege 15 password 7 0526071D3545175840
  bridge irb
  interface Dot11Radio0
   no ip address
   no ip route-cache
   encryption vlan 50 mode ciphers aes-ccm
   encryption vlan 51 mode ciphers aes-ccm
   encryption mode ciphers aes-ccm tkip
   ssid PRIVATE
   ssid PUBLIC
   antenna gain 0
   mbssid
   station-role root
  interface Dot11Radio0.50
   encapsulation dot1Q 50 native
   no ip route-cache
   bridge-group 50
   bridge-group 50 subscriber-loop-control
   bridge-group 50 block-unknown-source
   no bridge-group 50 source-learning
   no bridge-group 50 unicast-flooding
   bridge-group 50 spanning-disabled
  interface Dot11Radio0.51
   encapsulation dot1Q 51
   no ip route-cache
   bridge-group 51
   bridge-group 51 subscriber-loop-control
   bridge-group 51 block-unknown-source
   no bridge-group 51 source-learning
   no bridge-group 51 unicast-flooding
   bridge-group 51 spanning-disabled
  interface Dot11Radio1
   no ip address
   no ip route-cache
   shutdown
   antenna gain 0
   dfs band 3 block
   channel dfs
   station-role root
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
   bridge-group 1 spanning-disabled
  interface GigabitEthernet0
   no ip address
   no ip route-cache
   duplex auto
   speed auto
   no keepalive
  interface GigabitEthernet0.50
   encapsulation dot1Q 50 native
   no ip route-cache
   bridge-group 50
   no bridge-group 50 source-learning
   bridge-group 50 spanning-disabled
  interface GigabitEthernet0.51
   encapsulation dot1Q 51
   no ip route-cache
   bridge-group 51
   no bridge-group 51 source-learning
   bridge-group 51 spanning-disabled
  interface BVI1
   ip address 192.168.2.249 255.255.255.0
   no ip route-cache
  ip default-gateway 192.168.2.1
  ip http server
  ip http authentication aaa
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  bridge 1 route ip
  line con 0
  line vty 0 4
  end      
  switch config:
  interface FastEthernet1/0/46
   switchport trunk encapsulation dot1q
   switchport trunk native vlan 50
   switchport trunk allowed vlan 50,51
   switchport mode trunk

  Hi
  I know the bridge-group have to be identical to the sub interface number and vlan number
  This is true for all other vlans except for native vlan. For native vlan sub-interfaces bridge group number always should be 1. In your case, if vlan 50 is the native vlan (192.168.2.x/24 belong vlan) then configure bridge-group 1 under those .50 sub-interfaces. Then everything should work :)
  It is ideal if you could put AP management (BVI IP) into separate vlan & two user groups put vlan 50 & 51. Here is a sample configuration where vlan 110 is Mgmt & vlan 12,13 for user vlans.
  http://mrncciew.com/2012/10/24/multiple-ssid-config-on-autonomous-ap/
  HTH
  Rasika
  **** Pls rate all useful responses ****

• Clients not receiving DHCP IP address from HREAP centrally Switched Guest SSID

  Hi All,
  I am facing a problem in a newly deployed branch site where the Clients are not receiving DHCP IP address from a centrally switched Guest SSID. I see the client status is associated but the policy manager state is in DHCP_REQD.
  The dhcp pool is configured on the controller itself. The local guest clients are able to get DHCP and all works fine, the issue is only with the clients in the remote site. The Hreap APs are in connected mode. Could you please suggest what could be the problem. Below is the out of the debug client.
  *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Adding mobile on LWAPP AP 3c:ce:73:6d:37:00(1)
  *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Reassociation received from mobile on AP 3c:ce:73:6d:37:00
  *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Changing ACL 'Guest-ACL' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1393)
  *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Applying site-specific IPv6 override for station 10:40:f3:91:7e:24 - vapId 17, site 'APG-MONZA', interface 'vlan_81'
  *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1393)
  *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Applying IPv6 Interface Policy for station 10:40:f3:91:7e:24 - vlan 81, interface id 13, interface 'vlan_81'
  *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Applying site-specific override for station 10:40:f3:91:7e:24 - vapId 17, site 'APG-MONZA', interface 'vlan_81'
  *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1393)
  *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
  *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Initializing policy
  *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
  *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
  *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 3c:ce:73:6d:37:00 vapId 17 apVapId 1
  *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
  *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 apfMsAssoStateInc
  *apfMsConnTask_3: May 24 13:26:49.373: 10:40:f3:91:7e:24 apfPemAddUser2 (apf_policy.c:222) Changing state for mobile 10:40:f3:91:7e:24 on AP 3c:ce:73:6d:37:00 from Idle to Associated
  *apfMsConnTask_3: May 24 13:26:49.373: 10:40:f3:91:7e:24 Scheduling deletion of Mobile Station:  (callerId: 49) in 28800 seconds
  *apfMsConnTask_3: May 24 13:26:49.373: 10:40:f3:91:7e:24 Sending Assoc Response to station on BSSID 3c:ce:73:6d:37:00 (status 0) ApVapId 1 Slot 1
  *apfMsConnTask_3: May 24 13:26:49.373: 10:40:f3:91:7e:24 apfProcessAssocReq (apf_80211.c:4672) Changing state for mobile 10:40:f3:91:7e:24 on AP 3c:ce:73:6d:37:00 from Associated to Associated
  *apfReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
  *apfReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4183, Adding TMP rule
  *apfReceiveTask: May 24 11:35:53.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
    type = Airespace AP - Learn IP address
    on AP 3c:ce:73:6d:37:00, slot 1, interface = 13, QOS = 3
    ACL Id = 255, Jumbo F
  *apfReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 7006  IPv6 Vlan = 81, IPv6 intf id = 13
  *apfReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
  *pemReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
  *pemReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 Sent an XID frame
  *apfMsConnTask_3: May 24 13:26:49.401: 10:40:f3:91:7e:24 Updating AID for REAP AP Client 3c:ce:73:6d:37:00 - AID ===> 1
  *apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout
  *apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
  *apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 Scheduling deletion of Mobile Station:  (callerId: 12) in 10 seconds
  *osapiBsnTimer: May 24 13:28:59.315: 10:40:f3:91:7e:24 apfMsExpireCallback (apf_ms.c:599) Expiring Mobile!
  *apfReceiveTask: May 24 13:28:59.315: 10:40:f3:91:7e:24 apfMsExpireMobileStation (apf_ms.c:4897) Changing state for mobile 10:40:f3:91:7e:24 on AP 3c:ce:73:6d:37:00 from Associated to Disassociated
  *apfReceiveTask: May 24 13:28:59.315: 10:40:f3:91:7e:24 Scheduling deletion of Mobile Station:  (callerId: 45) in 10 seconds
  *osapiBsnTimer: May 24 13:29:09.315: 10:40:f3:91:7e:24 apfMsExpireCallback (apf_ms.c:599) Expiring Mobile!
  *apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 Sent Deauthenticate to mobile on BSSID 3c:ce:73:6d:37:00 slot 1(caller apf_ms.c:4981)
  *apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 apfMsAssoStateDec
  *apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 apfMsExpireMobileStation (apf_ms.c:5018) Changing state for mobile 10:40:f3:91:7e:24 on AP 3c:ce:73:6d:37:00 from Disassociated to Idle
  *apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [3c:ce:73:6d:37:00]
  *apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 Deleting mobile on AP 3c:ce:73:6d:37:00(1)
  *pemReceiveTask: May 24 13:29:09.317: 10:40:f3:91:7e:24 0.0.0.0 Removed NPU entry.

  #does the client at the remote site roams between AP that connects to different WLC?
  #type 9 is not good.
  *pemReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
  #Does your dhcp server getting hits.
  #Also, get debug dhcp message & packet.
  #Dhcp server is not responding.
  *apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout
  *apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.

• 3850 WLC - 5760 Anchor: Multiple Guest SSIDs issue

  Hi,
  I have configured a 3850 Foreign WLC and a 5760 as anchor WLC in a DMZ behind an ASA FW. The Anchor Controller is configured to advertise 3 GUEST Wireless:
  (INSIDE) ---- ASA FW (guest in interface) -------------------------- (Te1/0/1) 5760 ANCHOR (Te1/0/2) -------------------- L3 Link-------------------- (guest out interface) ASA FW ---- (OUTSIDE)
  GUEST1: 10.9.65.0/24 – VLAN 11
  GUEST2: 10.9.66.0/24 – VLAN 12
  GUEST3: 10.9.67.0/24 – VLAN 13
  Management VLAN 1: 10.8.252.1 (Anchor Management VLAN – Mobility)
  The link between the WLC and the Guest OUT Interface on the ASA Firewall is a L3 Link, NOT a Trunk.
  The 5760 WLC is also a DHCP server for the three client VLANs above. I have also configured 3 SVIs as default gateways for these VLANs:
  Interface vlan 11 – 10.9.65.1
  Interface vlan 12 – 10.9.66.1
  Interface vlan 13 – 10.9.67.1
  wgh-anchorwlc5760-primary#show ip interface brief
  Interface              IP-Address      OK? Method Status                Protocol
  Vlan1                  10.8.252.1      YES NVRAM  up                    up
  Vlan11                 10.9.65.1       YES manual up                    up
  Vlan12                 10.9.66.1       YES manual up                    up
  Vlan13                 10.9.67.1       YES manual up                    up
  GigabitEthernet0/0     10.8.252.85     YES NVRAM  down                  down
  Te1/0/1                unassigned      YES unset  up                    up
  Te1/0/2                10.8.253.1      YES NVRAM  up                    up
  Capwap0                unassigned      YES unset  up                    up
  If a client connects to GUEST1 SSID it gets an IP address in VLAN 11 and its default gateway is 10.9.65.1.
  If a client connects to GUEST2 SSID it gets an IP address in VLAN 12 and its default gateway is 10.9.66.1.
  If a client connects to GUEST3 SSID it gets an IP address in VLAN 13 and its default gateway is 10.9.67.1.
  Mobility is UP and I can see clients connected to the Anchor WLC either in IPLEARN or WEBAUTH_PEND state. DHCP is working fine, clients get an IP and the right default gateway and DNS servers when connect, for example, to GUEST1.
  anchorwlc5760-primary#show wireless client summary
  Number of Local Clients : 3
  MAC Address    AP Name                          WLAN State              Protocol
  04f7.e482.b21c N/A                              2    IPLEARN            Mobile
  bc3e.6d32.17f6 N/A                              2    IPLEARN            Mobile
  a826.d5b3.5ae8 N/A                              2    WEBAUTH_PEND       Mobile
  However, they are not able to ping the default gateway – SVI VLAN 11: 10.9.65.1, so I can not see any traffic leaving the Anchor WLC to continue with the Web Authentication Process (cwa) using ISE. I can see that the authorization policy (“unkown” and the URL to ISE) has been pushed to the clients but I am not redirected to ISE Web Authentication Portal when I open my web browser. I have done some captures on the FW interfaces but I cannot see any traffic coming from the clients.
  I know that usually there is a Trunk (that allows client VLANs) between a WLC and L3 Switch when you configure multiples SSIDs and then configure the SVIs on the L3 Switch. However, I think this design with a L3 Link should work too because 5760 is a WLC+L3Switch.
  My question is: Why clients are not able to ping their default gateway?
  I hope it makes sense.
  I appreciate any thoughts and help. Thanks in advance.
  Joana.

  Hi,
  I couldn't get it working (I doubt if it is really possible). I had to add a switch between the 5760 Anchor Controller and the ASA Firewall:
  (INSIDE) ---- ASA FW (guest in interface) -------------------------- (Te1/0/1) 5760 ANCHOR (Te1/0/2) -------------------- SWITCH-------------------- (guest out interface) ASA FW ---- (OUTSIDE)
  The link between the 5760 and the Switch is configured as a Trunk and it allows the 3 Guest SSIDs (VLANs). The link between the Switch and the ASA FW is configured as a Layer 3 link. I also set up the default gateways for the 3 GUEST VLANs in the Switch (3 vlan interfaces) and the 5760 as DHCP Server.
  I hope it helps.
  Joana.

• WAP321 - Guest SSID not working

                     I have a WAP321 with 2 SSID's.  One is for local access and another for guest.  The WAP connects to a 3550 and it's port is set to
  description Cisco Wireless
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1,20
  switchport mode trunk
  no ip address
  spanning-tree portfast
       My ASA 5505 is set with both VLANs and I'm using DHCP to dishout the guest IP.  MyWAP has both networks setup. VAP 0 is setup for VLAN 1 and VAP 1 is for VLAN 20.  Both are enabled.
  When connecting to my local wireless, I have no problem getting local access and Internet connection.  When I connect to Guest I get an IP from my ASA's DHCP, but I cannot ping my gateway, which is my ASA.  I know my guest VLAN is ok, because if I put a port on that VLAN, I can connect to the Internet.
  When I do packet captures from the WAP (Administration-Packet Capture), I can't see any ICMP attempts either from the eth0 or VAP 1.  When I capture my machines wireless interface I see ICMP attempts with no reposnds.  It makes me think I missed something in the WAP321 setup.
  Any ideas where to check?

  Hi, My name is Eric Moyers. I am a Network Support Engineer in the Cisco Small Business Support Center. Thank you for using the Cisco Community Post Forums.
  While what I am fixing to share is not in any way a great solution, It can be utilized as a workaround.
  With the WAP321, after trying a few different scenarios that didn’t work. I simply created two vlans, left the Untagged vlan as main vlan and changed the Management vlan to the second. I then attached the guest SSID to the Management VLAN. This allowed me to authenticate to my guest captive portal and get an IP and get out to the internet. The Main SSID still worked normally.
  Now for some caveats:
  Problem: If a wireless client knows the IP of the WAP and the username and password they could get into the WAP.
  Solution: Setup Management Access Control to an IP outside the DHCP scope for that VLAN and have a Strong Password.
  Problem: Management of the WAP321 can only be from an IP on the Management VLAN. (In my case 2)
  Solution: Setup Management Access Control to an IP outside the DHCP scope for that VLAN and have a Strong Password.
  Not the very best solution, but the only workaround I can come up with for now.
  Thanks
  Eric Moyers    .:|:.:|:.
  Cisco Small Business US STAC Advanced Support Engineer
  Wireless Subject Matter Expert
  CCNA, CCNA-Wireless
  866-606-1866
  Mon - Fri 09:30 - 18:30 (UTC - 05:00)
  *Please rate the Post so other will know when an answer has been found.

• Guest ssid with anchor controller and Web policy

  We have a WLC4404 and and anchor controller WLC4402 to provide guest access to the wifi net. We configured both in the same mobility group, and the guest ssid to attach to the mobility anchor 4402. All is working fine until we enable the web policy authentication on the 4402. In this case the client join the guest ssid but neither get an ip address from the dhcp server nor go anywhere. Is we disable the web authentication all works fine again. We are runnig 4.0.206.0 on both WLC. Anyone can help us?

  Two things you might check. (1) The 4404's mobility anchor should point to the 4402, and the 4402 should anchor to itself. (2) Make sure you are configuring the same security policy for the SSID on both the 4402 and 4404. So if the SSID is "guest" and you turn on web authentication on the 4402, make sure "guest" is on the 4404 with web authentication. We are using a similar setup for guest access at several sites.

• Best place to create the DHCP scope for Guest SSID for remote office connected to HQ Foreign-Anchor controller

  Hi Experts ,
  Need help with the respect to understand the best practice to place/create the DHCP scope for remote site Guest SSID which will be connected to HQ Foeign-Anchor controller set-up.
  how about internet traffic for Guest SSID , which one will be recommanded :
  1) Guest SSID gets authenticated from HQ ISE and exposed to the local internet
  2) Guest SSID gets authenticated from HQ ISE and exposed to the HQ internet
  Thanks

  Hi George ,
  Thanks for your reply ...So you mean, best design would be to create the DHCP scope into DMZ for guest and let it get exposed to HQ internet ...
  how about if I have another anchor controller in lets say in other  office and I need to anchor the traffic or load balance from HQ foreign controller , in that case if I create DHCP scope into HQ anchor controller and if its down , I will loose the connectivity , how do I achieve fail-over to another anchor ?
  Do I need to create secondary scope into another anchor controller and let the client get reauthenticated from other location ISE and get ip address as well from another anchor controller . Is it what you are proposing ?

• WLC user rate limit on guest ssid anchor controller

  Hi,
  I have been looking through the forums & some cisco documents but not found a good example similar to what I am seeking to do so now I am turning to the expertise of my peers.
  We have been deploying 3502 APs remotely to locations with full T1s that backhaul to where I sit at HQ.
  Both the foreign and anchor controller are here at my location.
  I am seeking to rate limit per user the bandwidth each client will get on the guest internet ssid.
  As you know this traffic is encapsulated in capwap between the AP and the controller so I cant use a standard ACL on the switch or router.
  We are trying to keep the guest internet access usage in check on the T1 at any given site so the other ssid's & local lan traffic is not overly competing for the bandwidth.
  I found the place to edit the default profiles in the controller but the documentation really isnt clear on best practices.
  So I put it to you my fellow wireless engineers to suggest how you are implementing bandwidth management on your wireless guest internet.
  Thanks guys!           
  Oh and here is my hardware & software levels.
  5508wlc - forgeign
  4402wlc - anchor
  Software Version
  7.0.230.0

  Amjad,
  Thank you for taking the time to respond as well as the document link.
  It was pretty clear on the steps and what it would impact.
  Two things that push me for a different solution (assuming their is one).
  Note The values that you configure for the per-user bandwidth contracts affect only the amount of bandwidth going downstream (from the access point to the wireless client). They do not affect the bandwidth for upstream traffic (from the client to the access point).
  As you can see from the above note taken out of the linked document the roll based rate limit doesnt really rate limit the T1 traffic any guest user consumes it only limits usage from the AP down to the client.
  #1 I am looking for a solution that limits the users up & down streams (if possible) & also before it leaves the AP for the T1.
  The idea is to limit WAN utilization.
  #2 I read in the forums here others asking about the "user role" and saw some comments saying it is not considered "best practice" to use user roles.
  Let me clarify that our guest ssid's are using the http webpage pass through for authentication and it is really only the tic mark to indicate they understand the terms and conditions of using our internet as a guest service. No actual user accounts are used on the guest ssid's.
  ***One last question about this and any other changes***
  Will any change I make be on the "Foreign, Anchor" or both Controllers?

• E4200 Guest SSID Login page fails

  Config:
  Netgear ProSafe Gigabit Router is my DHCP Server -- The entire home net work is on the same subnet (192.168.15.xxx)
  Linksys E4200 configured as an access point ONLY -- wired connection -- static IP assigned -- DHCP server turned off
  Linksys WRT610N configured as an access point ONLY  -- wired connection -- static IP assigned -- DHCP server turned off
  3 -- 5 port gigabit switches
  1 -- 8 port gigabit switch
  No more than two switches between any two wired devices
  Both Linksys access points have the same SSID and WPA2 security phrase -- total of 4 radios
  Nonoverlapping channels are selected on both the 2.4Ghz and 5.0Ghz radio to minimize interference
  All computers are running Windows 7 Professional 64bit with all the latest updates
  Two iPhones and one iPad also access the network
  All LAN and WAN connectivity is working as designed
  Problem:
  guest SSID is turned on
  password is established
  All devices will connect to the guest SSID and the E4200 is assigning an ip address to the device in the 192.168.33.xxx range which is what it's supposed to do.
  When I open a web browser, I am not automatically redirected to the Cisco Login Page. If I enter 192.168.33.1 as the URL, the login screen is presented. I enter the password I have created in the guest admin page on the wireless guest tab.  I then see a blank page and a URL of 192.168.33.1/guestnetwork.asp. THIS IS WHERE I GET STUCK. THE ONLY WAY TO EVER SEE THE LOGIN PAGE AGAIN IS TO REBOOT THE E4200, otherwise you just get unable to connect messages when opening web browsers and the wireless status icon in the system tray shows a yellow exclamation mark.
  I successfully connect to the guest SSID but I do not get access to the internet. When I type ipconfig, I see that the DNS is set to 192.168.33.1 which does not exist on my network. I assume there's some internal NAT magic that is supposed to happen in the E4200 to bridge me over to my 192.168.15.xxx network but it doesn't seem to be happening.
  At the beginning of the call I specifically asked them if the E4200 must be the DHCP server in order for the guest SSID feature to work and they said no. 1.5 hours later they had no answers so they told me that it wasn't working because the E4200 was not the DHCP server. The documentation says nothing about a DHCP requirement for guest AP service. Linksys support further could not answer what you would do if you needed more than one AP with guest service enabled.
  It seems like this is a firmware issue but it may be the guest SSID service requires the E4200 to also act as the DHCP server. Can anyone shed any light on whether this is a bug or if the router/AP is working as designed?
  Thanks,
  (Mod note: Edited for guideline compliance.)

  Yes the E4200 must have DHCP turned on in order to pass out IP's to your Guest Network.  No DHCP, no Guest Network.

• Anchoring multiple Guest SSIDs to the same WLC

  Hi All,
  I've currently got a typical 'anchored' Guest WLAN solution where several WLCs tunnel guest traffic back to an isolated WLC for WebAuth - this all works fine using a mix of 5508 / 4400, all on v7.0.98.0 code.
  The question is, can I add a second Guest SSID to the estate and anchor it back to the same Guest Anchor WLC that I'm already using?
  I can't find anything to say it won't work and have found this that says it should, but none of this is very concrete...  Does anybody know of any better references and/or have you done this in the wild?
  https://supportforums.cisco.com/message/1276785
  Cheers,
  Richard

  Hi,
  yes it's totally ok.
  On the foreign, just create a second WLAN and anchor it to the other WLC. On the anchor, create the same second WLAN that you anchor to itself ...
  Nothing speciali in order to configure it.
  Nicolas
  ===
  Don't forget to rate answers that you find useful