Using ISE for guest access together with anchor controller WLC in DMZ

Hi there,
I set up a guest WLAN in our LAB environment. I have one internal WLC connected to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal, which works fine.
To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
Does anyone know of a better solution for this? Where to place the ISE for this scenario, etc.?
Thx
Frank

So I ran into a similar scenario on a recent deployment:
We had the following:
WLC-A on private network (Inside)
ISE Servers ISE01 and ISE02 (Inside)
WLC-B Anchor in DMZ for Guest traffic (DMZ)
ISE Server 3 (DMZ)
ISE01 and ISE02 are used for 802.1X for the private network WLAN.
Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth. Since we want to do CWA, we use MAC filtering with ISE as the RADIUS server. If you send this RADIUS authentication traffic for MAC filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to. Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails. (This was a limitation of ISE 1.1. Not sure if this persists in 1.2 or not.)
So what now? In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentication from the foreign controller, so that the client will use a DNS name of https://ise03.mydomain.com/... to redirect the client to. Once the session is authenticated, ISE03 will send a CoA back to the foreign, which will remove the redirect for the session. Note, you do have to allow ISE03 to send a CoA.
In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node.
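A small design check for the answer above, added here as an example and not the poster's own code: it lists the flows a CWA guest session needs and tests them against a zone firewall policy, so you can see which flow an inside policy node breaks and which rule the DMZ node still needs. Port numbers are assumptions based on ISE/WLC defaults (RADIUS auth UDP 1812, guest portal TCP 8443, CoA UDP 1700); the thread itself names none.

```python
# Added example (not from the thread): zone-firewall check of the flows a CWA
# guest session needs, showing why a redirect to an inside policy node (ISE01)
# fails for guests anchored in the DMZ while a DMZ node (ISE03) works, and why
# the CoA rule must be opened. Ports are assumptions based on ISE/WLC defaults
# (RADIUS auth UDP 1812, guest portal TCP 8443, CoA UDP 1700); the thread names none.
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str
    zone: str  # "inside" or "dmz"

@dataclass(frozen=True)
class Flow:
    src: Node
    dst: Node
    proto: str
    port: int
    purpose: str

def permitted(policy, flow):
    """Same-zone traffic never crosses the firewall; cross-zone traffic needs an
    explicit (src_zone, dst_zone, proto, port) entry in the policy."""
    if flow.src.zone == flow.dst.zone:
        return True
    return (flow.src.zone, flow.dst.zone, flow.proto, flow.port) in policy

def cwa_flows(foreign_wlc, guest_client, psn):
    """Flows of one CWA session, in the order they occur."""
    return [
        Flow(foreign_wlc, psn, "udp", 1812, "RADIUS for MAC filtering (foreign -> PSN)"),
        Flow(guest_client, psn, "tcp", 8443, "redirect to guest portal (client -> PSN)"),
        Flow(psn, foreign_wlc, "udp", 1700, "CoA after login (PSN -> foreign)"),
    ]

def blocked_flows(policy, foreign_wlc, guest_client, psn):
    """Purposes of the flows the policy drops; an empty list means CWA completes."""
    return [f.purpose for f in cwa_flows(foreign_wlc, guest_client, psn)
            if not permitted(policy, f)]

# Constructed topology matching the thread's deployment.
WLC_A = Node("WLC-A foreign", "inside")
ISE01 = Node("ISE01", "inside")
ISE03 = Node("ISE03", "dmz")
# Guest traffic is tunnelled to the anchor WLC-B, so the client's IP sits in the DMZ.
GUEST = Node("guest client via WLC-B anchor", "dmz")

# Compliance rule: nothing from DMZ to inside, except CoA from ISE03 to the foreign WLC.
POLICY = {
    ("inside", "dmz", "udp", 1812),  # foreign WLC may send RADIUS to ISE03
    ("dmz", "inside", "udp", 1700),  # ISE03 may send CoA back to the foreign WLC
}
```

Run `blocked_flows(POLICY, WLC_A, GUEST, ISE01)` and `blocked_flows(POLICY, WLC_A, GUEST, ISE03)` to compare the two placements; dropping the UDP 1700 entry from POLICY reproduces the missing-CoA failure the answer warns about.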

Similar Messages

  • 2504 with new-architecture enabled breaks MAC auth for guest access

    Hello,
    We have (2) 2504 WLC running version 7.6.120. WLC1 is the local controller and WLC2 is an anchor controller for guest access. We need to incorporate a 3850 for use with the WLC2 anchor. The guest access is currently working with Mac-Auth and Mac-Auth-Fail to Web-Auth.
    When converged access is enabled on the WLC1 and WLC2, the Mac-Auth no longer works. That is, the previously authenticated user is now redirected to the Web-Auth page. The local controller shows the user as authenticated but the anchor controller shows the state as Web-Auth-REQD.
    Rolling back using "config mobility new-architecture disable" and rebooting resolves the issue.
    Does anyone know what changes from the old to the new that would break this mac-auth/web-auth configuration?

    You should reach TAC for these sort of issues. Not many people deploying this CA setup yet & you may not get direct feedback immediately.
    HTH
    Rasika

  • How can I set up a guest access point with a Time Capsule and an Airport Extreme? I am using a Telus router with the Time Capsule used as a wireless access point (bridge mode). I don't want the guest access point to have access to my network.

    The Guest Network function of the Time Capsule and AirPort Extreme cannot be enabled when the device is in Bridge Mode. Unfortunately, with another router...the Telus...upstream on your network, Bridge Mode is indicated as the correct setting for all other routers on the network.
    If you can replace the Telus gateway with a simple modem (that performs no routing functions), you should be able to configure either the Time Capsule or the AirPort Extreme....whichever is connected to the modem....to provide a Guest Network.

  • Have used Firefox for over a year with no issues now can't access certain games......all else works, and the games can be accessed using Chrome and IE have run malware and still nothing

    So I have used Mozilla for a long time with no problems. All of a sudden I cannot access certain games on Facebook. All else works. First uninstalled and reinstalled. Then ran a malware program. Still nothing, and the games work off IE and Google Chrome. I really like Firefox and would like to be able to go back to it.

  • HT1452 I have a Toshiba Canvio 1TB external hard drive on my Mac. I've used it for 4-5 months with no problems, but now cannot add to it (I use it mostly for photo storage). I can still access information previously added. Ideas?

    I cannot find this 300GB "Backup" in the Finder, only in the Storage info when I check "About This Mac".
    You are probably using Time Machine to back up your MacBook Pro, right? Then the additional 300 GB could be local Time Machine snapshots. Time Machine will write the hourly backups to the free space on your hard disk if the backup drive is temporarily not connected. You do not see these local backups in the Finder, and MacOS will delete them when you make a regular backup to Time Machine, or when you need the space for other data.
    See Pondini's page for more explanation: What are Local Snapshots? http://pondini.org/TM/FAQ.html
    I have restarted my computer, but the information remains the same. How do I reclaim the use of the 300GB? Why is it showing up as "Backups" when it used to indicate "Photos"? Are my photos safe on the external drive?
    You have tested the library on the external drive, and so your photos are safe there.
    The local Time Machine snapshot probably now contains a backup of the moved library. Try whether connecting your Time Machine drive reduces the size of your local Time Machine snapshots.

  • E2500 with multiple APs for guest access

    I got 5 E2500 routers; the main one is set up with IP address 192.168.1.254 and the rest are APs programmed into bridge mode with IP addresses 192.168.1.245 through 248. The secured wireless network works fine when I roam between these APs, but the only AP where I can get internet access for the guest wireless network is the main (192.168.1.254) router; for every other AP, I get the guest log-on screen (prompt for guest access password) and no internet access after I type in the correct access password. Does the E2500 support multiple APs for guest access, or does it require a special way to configure it? Please help...
    Jim

    Guest Access allows you to provide Internet connection to your guests, however, they will not have access to your computers or other personal data. When you set up your Valet or Linksys Wireless-N router, the Cisco Connect software will create two wireless networks with the same Wireless Network Name (SSID) that differs from one another by a -guest suffix to one of the wireless network names.
    So first of all remove all the networks from the preferred list of the computer and then try to connect.  

  • Guest ssid with anchor controller and Web policy

    We have a WLC4404 and an anchor controller WLC4402 to provide guest access to the wifi net. We configured both in the same mobility group, and the guest ssid to attach to the mobility anchor 4402. All is working fine until we enable the web policy authentication on the 4402. In this case the client joins the guest ssid but neither gets an IP address from the DHCP server nor goes anywhere. If we disable the web authentication all works fine again. We are running 4.0.206.0 on both WLCs. Can anyone help us?

    Two things you might check. (1) The 4404's mobility anchor should point to the 4402, and the 4402 should anchor to itself. (2) Make sure you are configuring the same security policy for the SSID on both the 4402 and 4404. So if the SSID is "guest" and you turn on web authentication on the 4402, make sure "guest" is on the 4404 with web authentication. We are using a similar setup for guest access at several sites.

  • Snmp error for guest access ticket on two WLC

    Hi,
    I have one WCS (5.0.56.2) and two WLC 4400 (5.0.148.2). When I try to create a ticket for guest access on the two WLCs without time restriction, it works well. But when I define a time restriction for the ticket, I get an SNMP error on the passive WLC (snmp operation to device failed, attempt to set conflicting attribute value) and not on the active WLC.
    Thks.

    The lobby ambassador can specify the amount of time that the guest user accounts remain active. After the specified time elapses, the guest user accounts expire automatically.
    The local user database is limited to a maximum of 2048 entries and is set to a default value of 512 entries (on the Security > General page). This database is shared by local management users (including lobby ambassadors), net users (including guest users), MAC filter entries, and disabled clients. Together these cannot exceed the configured database size.
    For the configuration, the following URL may help you:
    http://www.cisco.com/en/US/docs/wireless/controller/5.0/configuration/guide/c5users.html

  • Problems using Anyconnect 3.x client together with Kaspersky AntiVirus

    We have Notebooks with Windows Vista - most of the notebooks have "Kaspersky Anti-Virus 6.0 für Windows Workstation" installed and some "Kaspersky Endpoint Security 8 für Windows".
    Anyconnect 2.5 works perfectly on these notebooks.
    But when I upgrade anyconnect to version 3.0 or 3.1, I have the problem that all HTTP traffic is blocked - all other network traffic is still working.
    When I quit the Kaspersky client (or uninstall it), everything is working again - except that I have no working antivirus protection.
    Of course, I have tried different settings for the Kaspersky client (without success) and asked our Kaspersky support (who said that anyconnect is causing this problem and not Kaspersky).
    My first experience with a Windows 7 notebook is that this problem does not exist using Windows 7.
    So maybe the problem is caused by a strange combination of Windows Vista, Anyconnect 3.x and Kaspersky.
    Does anyone else have problems using the Anyconnect 3.x client together with Kaspersky AntiVirus?
    Kind regards,
    Peter

    We've recently run into an issue related to this. We found that it was related somehow to Firefox. If one looks inside of
    /Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app/Contents/MacOS/ there are symlinks to Firefox libraries:
    $ ls -l
    total 1800
    -rwxrwxr-x  1 0     80  891232 Aug  3  2012 Cisco AnyConnect Secure Mobility Client
    lrwxr-xr-x  1 1001  80      60 Jun 13 15:57 libmozsqlite3.dylib -> /Applications/Firefox.app/Contents/MacOS/libmozsqlite3.dylib
    lrwxr-xr-x  1 1001  80      55 Jun 13 15:57 libnspr4.dylib -> /Applications/Firefox.app/Contents/MacOS/libnspr4.dylib
    lrwxr-xr-x  1 1001  80      54 Jun 13 15:57 libnss3.dylib -> /Applications/Firefox.app/Contents/MacOS/libnss3.dylib
    lrwxr-xr-x  1 1001  80      58 Jun 13 15:57 libnssutil3.dylib -> /Applications/Firefox.app/Contents/MacOS/libnssutil3.dylib
    lrwxr-xr-x  1 1001  80      54 Jun 13 15:57 libplc4.dylib -> /Applications/Firefox.app/Contents/MacOS/libplc4.dylib
    lrwxr-xr-x  1 1001  80      55 Jun 13 15:57 libplds4.dylib -> /Applications/Firefox.app/Contents/MacOS/libplds4.dylib
    lrwxr-xr-x  1 1001  80      58 Jun 13 15:57 libsoftokn3.dylib -> /Applications/Firefox.app/Contents/MacOS/libsoftokn3.dylib
    So as a simple confirmation we were able to remove Firefox and have AnyConnect connect fine. As a more permanent workaround we replaced the above symlinks with 0 byte files and we were able to have our cake (AnyConnect connecting) and eat it too (Firefox installed as well).

  • HT3131 I purchased a sony 3d monitor and I am using it for my external display with my macbook pro.  We have followed the instructions but no display!!??  What do I do

    I purchased a sony 3d monitor and I am using it for my external display with my macbook pro.  We have followed the instructions but no display!!??  What do I do now

    We need more information if members of the forum are going to assist you.
    What instructions did you follow?
    How are you connecting your MBP to the Sony TV?
    Which model MBP do you have?

  • Looking for an Access Point with 2 Ethernet ports and powered via PoE

    Hi Gurus,
    I am looking for an Access Point with 2 Ethernet ports that can be powered via PoE. I have been assigned a requirement where the rooms need to have an access point as well as an Ethernet cable provided from the access point as a backup for connectivity.
    The room only has one data cable coming from the main IT room and does not have a spare power socket to power the Access Point. It would be good if it can be centrally controlled or controller based.
    Any recommendations?
    Regards
    J

    For the backup plan, the cheapest solution may be to just run a couple of new cat5e drops to the room (est. cost $250). If not, then purchase a small Cisco POE switch for the room (est. cost $2k). For wireless I would purchase a POE-enabled Cisco AP. But you will need to verify the POE switch/blade you will be connecting the AP to can power the AP you buy. I got burned by that issue when we purchased some Cisco 1251 APs with dual radios and they needed more power than our 4500 POE blades could handle. We were told we would need to purchase new 48 port 10/100/1000 blades or power injectors. Our Cisco sales vendor took the heat for that mistake.
    Posted by WebUser Steven Kinney from Cisco Support Community App

  • Using Lightroom for Windows 8.1 with Epson Stylus Photo R3000 printer.

    Using Lightroom for Windows 8.1 with Epson Stylus Photo R3000 printer.  From PRINT section, if I click either "Page Setup" or "Printer" I get the Epson printer dialog box, drill down, change settings- so far so good.  When I'm finished with the settings and close the dialog box (hit OK) the print job starts immediately; I never get a chance to hit the Lightroom "Print" button.  Question: does this bypass any Lightroom processing or control of the print job?

    Even if I just click the Printer button to verify my settings I should then return to Lightroom, and then click Print to start the job.  This does not happen, the job starts as soon as I close the properties dialog box.  Again, is any Lightroom processing or control being bypassed because of this?

  • API for setting Access points with PEAP programmatically

    Dear Godly developers,
    Would like to find out if there are any APIs for setting Access Points with PEAP programmatically?
    Regards
    hAoZ

    Thanks for your response. We don't have the Wireless LAN Controller installed and have only configured directly through the APs, which don't seem to have any configuration changes regarding Aironet IEs. Is there a config change that needs to be made just on the APs? Or is the Wireless LAN Controller software necessary to make this change?
    Thanks again.

  • WLC as a Mobility Anchor for guest access - Management on DMZ or not DMZ

    When using Guest Access, Cisco recommends a Mobility Anchor Controller be placed on a DMZ and the guest access wireless LAN be tunneled to this controller. This means that 2 DMZ subnetworks are required - one for the management interface and one for the wireless LAN's dynamic interface itself.
    I am trying to see if there are any disadvantages/security risks using 2 physical ports on the controller (no LAG) and placing one on a corporate network inside the firewall for management and to terminate the mobility anchor tunnel, and one outside the firewall on a DMZ for the wireless LAN's dynamic interface.
    Advantages that I see are that no tunnels need to go through a firewall, and management of the WLC is kept completely inside the corporate network, protected by the firewall and not left on the DMZ.
    Thanks.

    OK, so to recap;
    - place the 2nd WLC in the DMZ with only 1 port (set for dynamic AP management)?
    - Then anchor the guest SSID (on its DMZ IP instead of the management IP as is now)
    And to make that kind of anchoring work, I have to open the ports below on the firewall, right?
    UDP port 16666 for inter-WLC communication, and IP protocol ID 97 Ethernet in IP for client traffic.
    and:
    •TCP 161 and 162 for SNMP 
    •UDP 69 for TFTP 
    •TCP 80 or 443 for HTTP, or HTTPS for GUI access 
    •TCP 23 or 22 for Telnet, or SSH for CLI access
    Thanks to confirm that

  • Advantages of using a separate controller for guest access?

    Can someone give me a good reason to use a separate controller in a DMZ for guest users versus just trunking a DMZ VLAN to the controller? Certainly it makes sense to have a guest controller when your DMZ is not accessible to the controller locations (or you have a bunch of remote locations, but only one internet connection), but in the event that the controllers are located in a place where they can hit the DMZ, is there a good reason to use a guest controller?

    I'm not even sure if that is a good reason. You can always trunk to another non-routed VLAN and stick a cable modem and firewall on it to give guest users access. I'm working with someone now who thinks this is the way to go, but I've got to add a 4402-12 and a switch (need GB connectivity for the controller) at a minimum. Again, it would make perfect sense if the location of the internet was not in the same building.