Virtual WLAN Controller Guest Anchor

We are planning a WLAN upgrade and the security policy is to forward wireless Guest user traffic to the DMZ controllers. We are now considering the Virtual WLAN Controller and all AP's will register with the virtual controllers and we will use Flexconnect for Staff and internal traffic that will switch their traffic onto the local switch.
We wish to forward the guest traffic to the DMZ Guest Anchor controller which will be a 5508 controller. This will also offer Office Extend AP service.
I have looked at teh virtual controller docs and not very clear if this deployment model is supported. Below is a diagram of what we wish to deploy and can anyone advise if thsi is a supprted deployment model.

Well you can use the vWLC to anchor to a 5508, but not the other way around. So if you use the DMZ 5508 for OfficeExtend, you will not be able to anchor the traffic back to the inside. Cisco doesn't support reverse anchoring for a Remote-LAN in OfficeExtend and requires you to actually have the OfficeExtend AP's connect to an inside WLC. In v7.0.x you were able to do this reverse anchor, but it was removed on later codes.
Sent from Cisco Technical Support iPhone App

Similar Messages

  • Guest anchor WLAN and DHCP

    hi,
    I am trying to setup a guest WLAN using a local controller and  a controller in my DMZ using the mobility-anchor configuration.
    Ideally I'd like to use an external DHCP server in my DMZ, but for now, I'd be happy getting the local DHCP server on the DMZ controller working.
    Local Controller config
    Configured mobility-groups, verified mobility group is working
    Created WLAN called "guest" - assigned it to the management interface.
    Have tried the following with regards to DHCP on this WLAN.
         Set it to "override" and specified the DMZ controller's mangement interface
         Set DHCP to "assignment required" and specified the DMZ controller's management interface for the DHCP server for the local controller's management      interface
         Left DHCP server blank on the local controller's management interface
    Setup the DMZ controller as the mobility anchor for the "guest" WLAN
    DMZ controller config
    Configured mobility-groups, verified mobility group is working
    Created WLAN called "guest"
    Created a dynamic interface called "guest" associated to the "guest" WLAN
    Setup mobility anchor for the "guest" interface,  mobility-anchor = local controller
    Created an internal DHCP server scope and enabled it
    Have tried the following with regards to DHCP on the "guest" WLAN
         Set DHCP to "assignment required" and specified the IP address of the controllers management interface as the DHCP server on the "guest"      dynamic interface
         Set DHCP to "assignment required" and specified the IP address of the  controllers "guest" dynamic interface as the DHCP server on the "guest"       dynamic interface
         Set DHCP to "override" and specified the DMZ controller's management interface IP
         Set DHCP to "override" and specified the DMZ controller's "guest" interface IP
    After all this,  my client still cannot get an IP address via DHCP.  I verfiied the client is associating to the AP.
    Any help would be appreciated.
    Thanks
    Lee

    on the DMZ controller, what is the output of a debug client < mac address of the client>  You may also want to capture debug mobility handoff enable, from both WLC.
    For the guest, the DHCP is going to come from the DMZ controller, so there is no real need to configure anything on the internal WLC.  One thing of note, the WLAN config on both the DMZ and Internal must match exactly with the exception of the linked interface, otherwise you will not anchor.
    while runnign the debug, show dhcp proxy, for the WLC to be the DHCP server, proxy needs to be enabled.

  • Guest Anchor N+1: Multiple guest WLANs and Mobility List

    Hi Experts,
    We are going to replace two guest anchor controllers WLC4402 sitting in different DMZs with two WLC5508 as N+1 redundant pair in one DMZ.
    I assume each guest anchor controller should support multiple guest WLANs. Is it correct?
    And between these two new anchor WLCs, do they need to add each other to Mobility List?
    Or maybe I should ask first, does it matter if they are in the same mobility group or not?
    Thanks
    Cedar

    N+1 for guest anchors isn't what N+1 was designed for.  N+1 was designed for redundancy for WLC's supporting access points, not mobility anchors.  This solution might work, but I really doubt Cisco will support this setup, but I can be wrong.... you can always talk with your local Cisco SE or open a TAC case and ask.
    Guest anchors should have a different mobility group name from the foreign WLC's.  You do need the foreign to have both guest anchors and the guest anchor to just have the foreign WLC(s).  The redundant guest anchors do not need to have each other in the mobility group list.
    Thanks,
    Scott
    Help out other by using the rating system and marking answered questions as "Answered"

  • Cannot get Guest Services to Start on Virtual Domain Controller

    I'm running System Center 2012 SP1 Version 3.1.6018.0
    Guests all run Server 2008R2 SP1
    I'm having a weird issue when trying to install guests services on a domain controller. On all of the virtual machines of the host, when trying to deploy the guest agent, it fails on all machines with the same error:
    Error (2940)
    VMM is unable to complete the requested file transfer. The connection to the HTTP server XXXXXXX could not be established.
    Unknown error (0x80072ee2)
    Recommended Action
    Ensure that the HTTP service and/or the agent on the machine powstorehv1.gicw.org are installed and running and that a firewall is not blocking HTTP/HTTPS traffic on the configured port.
    I have confirmed that there is no firewall blocking the process so in order to bypass this, I decided to just install the guest agent manually. This worked on all of the virtual machines on the host except for the one that is a Domain Controller.
    At the point when it tries to start the service it gives me the following error:
    Service 'Microsoft System Center Virtual Machine Manager Guest Agent' (ScvmmGuestService) failed to start. Verify that you have sufficient privileges to start system services.
    I have tried with and without UAC enabled and I always run the MSI from an elevated command prompt. I've tried with and without MSIEXEC as well. I have Enterprise and Domain Admin privileges as well and have even tried with the domain administrator account.
    At this point I'm not sure why I do not have sufficient privileges to start the service on a Domain Controller but I do understand that permissions are different due to its nature.
    Any ideas around this either by installing through SCVMM or manually? Thank you in advance for your time!

    After a very painful 10g (EE) installation process
    i.e fixing all the following:<snip>
    Sat Jul 17 11:40:19 2004
    Errors in file
    /Users/oracle/admin/db01/bdump/db01_mman_4039.trc:
    ORA-07445: exception encountered: core dump [semop+8]
    [SIGFPE] [Invalid floating point operation]
    [0x41EDB3C] [] []
    Sat Jul 17 11:40:21 2004
    Errors in file
    /Users/oracle/admin/db01/bdump/db01_pmon_4037.trc:
    ORA-00822: MMAN process terminated with error
    Sat Jul 17 11:40:21 2004
    PMON: terminating instance due to error 822
    Instance terminated by PMON, pid = 4037==============================================> Any idea on what needs to be done to fix this error.
    I remember that i had the very same issue with the
    Oracle 9i R2 Developers release.
    Any help will be greatly appreciated.You mentioned the 9ir2 release. Do you still have any reference to the 9ir2 software in your environment ? With a little luck you have, and in that case it not so hard to find a solution ...
    Ronald.
    http://homepage.mac.com/ik_zelf/oracle

  • Guest access to the Internet with Guest Anchor Controller

    Hi;
    We are doing our initial implementation of an enterprise wireless system.  I deployed a WLC 5508 connected to our data center core switch using LAG.  The 5508 is configured in FlexConnect mode since it is serving APs deployed to a handful of remote offices.  Employee wireless access has been rolled out and is working well.
    I am designing guest access.  As is typical, I want to enforce a policy that guest wireless traffic is forwarded to the Internet Edge in our DMZ and directed out to the Internet.  We do not plan to deploy a Guest Anchor controller in the first phase of the roll out.
    What is the best way to enforce forwarding of guest traffic towards the Internet Edge once the guest traffic arrives at the 5508?  A guest VLAN between the core switch and the Internet Edge isn't feasible since there is a firewall between the core and DMZ that is configured in Routed mode.
    Thanks for the assistance!  Glenn Morrison

    you'd have to do a VLAN between the core and the firewall for the guest traffic until you get the anchor installed.
    HTH,
    Steve

  • Guest Anchor Controller

    Cisco documentation recommends using a dedicated controller for the guest anchor controller function becuase it needs to be located in the DMZ. However, if I have spare capacity on an existing controller (ie one used to manage APs) then perhaps I can also use it as the guest anchor.  Instead of being physically connected to the DMZ, I would just extend a guest user VLAN from the guest anchor controller to the DMZ.  I would welcome feedback on the validity & security of this alternate solution.
    Thanks.

    Hi Marvin,
    Like anything in networking, there are always different ways to skin a cat. First lets chat about the guest anchor deployment in the DMZ. This particular design is Ciscos most secure way to handle guest access. The wireless guest packet never touches your switch fabric until it hits the DMZ. The packet rides over the guest wifi, hits the ap, gets encapsulated and doesnt get unecapsulated until it hits the DMZ anchor.
    Another way and less expensive is to add a dynmic interface on your internal controller and ride that trffic into the DMZ. I have customer that do this very thing as well. Its cheaper and may be less hassle configuration wise.
    In this approch, your guest packet gets unwrppaed can placed at the door step of the WLC.
    I hope this helps.
    Does this make sense?

  • Sizing guest anchor controller

    40 locations, around 20-30 APs per location, 1 gig back from each site to the main site, minimizing cost. Trying to size the guest anchor controller. Redundancy is not required. As I understand correctly 4402/4404/5508 controller supports up to around 70 EOP tunnels. My limitation is bandwidth. Is it safe to say that if Internet bandwidth is <100Mbps, then 4402 will suffice? Only if Internet bandwidth was above >1Gbps when I'd need to go to 4404 (bandwidth is used twice, so 1Gbps guest traffic would result at approximately 2Gbps throughput)

    You could always port-channel a 4402 and use LAG on your anchor controller for 2gb.
    I use a 4402-12 for our anchor's as the BW is adequate, and AP license count is not a factor for anchors.

  • Multicasting with a guest anchor configuration.

    Hi All
    First time posting. :-)
    I have a guest anchor controller in our DMZ servicing Apple devices. We are looking at options for using Apple TV to display/stream presentations from executive iPads and such. Since it uses bonjour (multicast) would I be able to utilize the new features available in 7.0.116.0 to implement this solution? I have 4 WiSM 1s servicing the headquarters building and one 4402 guest anchor. I believe this is possible based on the note in the document: VLAN Select and Multicast Optimization Features Deployment Guide; specifically the section:
    Note: In a Guest Tunneling scenario, roaming between export foreign and export foreign is supported. However, roaming between export foreign and export anchor is not supported with VLAN Select.
    In case of Auto Anchor:
    Clients joining a foreign WLC, which is exported to an anchor WLC and mapped to a interface group, will receive an IP address in round robin method inside the interface group.
    Clients joining a foreign WLC, which is exported to an anchor WLC and mapped to a interface only, will receive an IP address from that interface only.
    Clients roaming between two or more foreign controllers mapped to a single anchor WLC with an interface group configured will be able to maintain its IP address.
    Since I only have one guest anchor, I would assume based on this that I would fall under the export foreign - export foreign option and implementing this would be possible.
    Could someone advise?
    Thank you in advance!!

    Thank you for information, I have the same problem. So I made a search on EoIP tunnel and Multicast.
    http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a00808b4c61.shtml
    Q I have a guest tunneling, Ethernet over IP (EoIP) tunnel, configured between my 4400 Wireless LAN Controller (WLC), which acts as the anchor WLC, and several remote WLCs. Can this anchor WLC forward subnet broadcasts through the EoIP tunnel from the wired network to wireless clients associated with the remote controllers?
    A. No, the WLC 4400 does not forward IP subnet broadcasts from the wired side to the wireless clients across the EoIP tunnel. This is not a supported feature. Cisco does not support tunneling of subnet broadcast or multicast in guest access topology. Since the guest WLAN forces the client point of presence to a very specific location in the network, mostly outside the firewall, tunneling of subnet broadcast can be a security problem.
    unofortunately it seems that multicast over EoIP does not work.

  • Cisco LWAP & WLAN Controller Flexconnect Across HP Switches

    Hello All, I'm looking for a little guidance in making the needed routing and switching configuration changes on our Corporate Network to accomadate flex connect functionality for Cisco Lightweight Access Points (LWAPs).  The LWAPs that are currently configured on our network only work when our WLAN Controller is up and running and I need for them to be disconnectable so that we can move the WLAN Controller to our virtual co-lo.  It should be known that I inhereted this network from the previous admin and have been working hard to map everything out to the best of my ability.  Also, the WLAN controller is already operating in our production network so it limits my ability to do much testing. 
    Just FYI, I'm a new Systems Admin promoted from a Desktop Support role and have my CCENT (Currently working on CCNA & MCITP Server Admin) so I have some knowledge but it is limited on the networking and switching side of things.  Unfortunately, the Senior Systems Admin has even less knowledge of networking than me and I don't really have anyone to turn to which is why I'm posting here.  I would have utilized GNS to help me simulate the configuration however there are HP switches in the mix and no means of emulating them.
    -Relevant Device List-
    (CONSA251) Sonicwall  NSA 240 - 10.1.1.251
      Interface Information 
    Interface    IP Address    Description   
    X0  ->  LAN
      10.1.1.251   LAN Interface  
    X1  ->  WAN
      *************   Time Warner WAN  
    X2  ->  DMZ
      *************   DMZ Interface  
    X3  ->  WAN
      *************   Sprint WAN  
    X0-V20  ->  LAN
      10.1.101.1   Corporate WLAN  
    X0-V30  ->  LAN
      192.168.1.1   Guest WLAN 
    (CORT250) Cisco 3845 - 10.1.1.250
    (CO-WLAN-CTRLER) Cisco 5508 Wireless Controller - 10.1.1.2
    (COSW240) HP Procurve 4108GL - 10.1.1.240
    (COSW238) HP Procurve 2510B-24 - 10.1.20.238
    (CORP-AP-MIS) AIR-LAP1131AG-A-K9 - 10.1.1.79
    (COSW239) HP1810G-24 - No IP (Inaccesible but being replaced)
    I will now go on to explain our network topology as it pertains to the WAPs and WLAN Controller and how I believe it needs to be configured in order to operate from my perspective. 
    Our Corporate and Guest Wireless Access is provided via the Sonicwall CONSA251 through a connection from the X0 interface to HP Switch COSW239 which is then connected to WLAN Controller CO-WLAN-CTRLER as detailed below:
    Device - Interface Name/Port
    CONSA251 - X0
    COSW239  - 2
    COSW239  - 18,19
    CO-WLAN-CTRLER - 2,3
    The WLAN Controller currently communicates with all the LWAPs via Layer 3 TCP\IP as I understand it and then routes all DHCP requests and traffic destine for the 10.1.101.1 (corporate WLAN) and 192.168.1.1 (Guest WLAN) to the Sonicwall and vice versa.
    Now what I am trying to do is VLAN the LWAP CORP-AP-MIS across the HP Switches to the X0 interface on the Sonicwall NSA240 where it will be able to route traffic via VLAN 20 & 30.  The problem lies in my inexperience with HP VLAN configurations and how the ports need to be configured on each device so it can route traffic to the Sonicwall when the WLAN Controller is shutdown.
    The LWAP CORP-AP-MIS layer 2 trace to the WLAN Controller is as shown below:
    Device - Interface Name/Port
    CORP-AP-MIS -  FA/0
    COSW238     - 16
    COSW238     - 25
    COSW240     - B4
    COSW240     - H6
    CORT250     - GigabitEthernet0/0
    CORT250     - Se1/0
    CONSA251    - X0
    Now for all intesive purposes the Corporate Router CORT250 should probably be handling the routing for our Corporate and Guest Wireless network however that was not the way it was originally setup and I have to work with what was inhereted.  The Corporate Router CORT250 has a default route to the Sonicwall and the Sonicwall CONSA251 has all the routing already in place for the Corporate & Guest WLANs.
    What I would like to do is VLAN off the X0-V20&V30 accross multiple switches and switchports to each LWAP in our building.  I do have the LWAP I'm testing on configured with Flex Connect which I understand is required for it to be disconnectable.
    Any guidance on how I would go about configuring this accross devices would be appreciated.  I know there are some difference between HP and Cisco Switching terms and how tagging, untagging, and trunking works however I lack the experience to apply this in practice especially in a production environment. 
    I will be happy to provide any additional information or clarification that is needed.  Thank you in advance for the help.

    Just to add about the ISE... you can profile, but having only one ssid might or might not work in your situation.  Also if you end up with remote sites or ap's in h-reap mode, currently ISE cant do any profiling.  If you go with the 7500 or 5508/WiSM2, they don't really do an active-active or active backup. They are both up and you can split the load or put all ap's on one, its up to you.  I usually split the load just to make sure both are working.  I don't want to all of a sudden loose the primary and then find out my secondary/backup is not working.

  • Web Auth using 5760 Guest Anchor and ISE

    I am trying to deploy a new guest wireless solution using a 3650s as the MA, a 5760 as the MC, and a 5760 as the guest anchor.  ISE is being used as the guest auth server.
    When no auth requirements are set on the guest wlan, everything works fine.  I get an IP address and can get to the internet, VPN, etc.  As soon as I enter the security web-auth command on the wlan, my client drops and goes into an Acquiring IP Address state.  When I check the client on the controller, it is in a Policy Manager State of START.
    As soon as I remove the security web-auth commamd from the wlan, I connect right up.  It is my understanding that in guest, the client gets an IP address first in order to get redirected to the spoofed external web page, in my case ISE.
    Any thoughts on what I am missing on my guest anchor, or MA config?  Do I need to make any changes to the wlan on the MC?  Any documentation about the relationship between the MA, MC, and guest anchor would be appreciated, I am not 100% sure which devices are required to have the client reach the guest anchor and get connected.

    I hope this may help you
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/117742-configure-wlc-00.html
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • Implementing Two Guest Anchor WLCs

    Hello -
    I am wondering if anyone has ever setup a guest network solution using two anchor controllers where the internal WLCs each have two anchors configured and use a primary Anchor and when unavailable can dynamically fail over to a secondary Anchor. 
    I am looking to bring my current guest service onto the DMZ.  Right now we are using separate ISPs where we tunnel the guest traffic to an anchor controller and out the separate ISP.   We do not use our corporate internet service for guest.   In any event.  The DMZ design I am working on would include two WLCS sitting on our DMZ.  I'd like to have each internal WLC configured to associate to the DMZ WLC that is connected to our active DMZ/Border.   Upon failure, I would then like to have the internal WLCs failover to the second DMZ WLC on our standby DMZ/Border.   So I would need to configure both anchors on the guest WLAN of each WLC.   I'm just wondering if this is possible and if the failover will actually work.
    Any input is appreciated.   I'd like to implement a redundant guest solution where internal WLCS can dynamically failover to a backup Anchor....
    Thanks
    Chuck

    Hi, I just got done moving our anchors to the DMZ so you are in luck as everything is fresh in my mind. I, like you, have dual anchors in the DMZ I also have over 30 inside (foreign controllers) connected to these anchors.
    When you anchor a WLAN to (2) anchor controllers, the controllers automagically load balance guest associations. Example: 2 guest attached to SSID: GUEST. Guest#1 goes to anchor#1 and guest #2 goes to anchor#2. You dont configure anything, this happens automagically, like I mentioned.
    As for failover. Yes, if you pull the plug to anchor#1. The EoIP tunnel breaks between the anchor and the foreign controller. Guest that were on anchor#1 will require reauthentication and then join to anchor#2.So if you had say a "accept page", these guest will get that same page again from anchor 2.
    Does that answer your question?

  • !! Warning !! Guest anchor mobility fails in 5.0.48, Single Foreign

    Finally some 5.0 chat showing up so I'll add this nugget. All controllers migrated from 4.2 to 5.0.48. All site (foreign) controllers = MOBGRP-CORP, anchor controller in central dmz = MOBGRP-DMZ..
    Found that my first site where I implemented Guest via anchor mobility worked ok. Tried to bring up 2 new sites with their own foreign controller against same (working) anchor. NO GO. All debugs & shows indicate mobgroup, mobgroup anchor, etc all good. Debugs reveal mobility anchoring messages never being initated by foreign to anchor.
    Reviewed with TAC for 3 hours last night. Finally found a bugID that related against 5.0.48.
    Bottom line is that our site that was working had 2 foreign controllers. Site that wouldn't come up only had 1 foreign. Weird bug that if site has only 1 mobility member (beside anchor definition) then mob anchor plumbing messages won't exchange from foreign to anchor. Instead, debugs show foreign as anchor. Workaround = move anchor controller into same mobility group as the internal (foreign) controllers. All good now.
    Hope this helps someone avoid 3 hrs w/ TAC. (And I felt I had a GOOD tac guy).
    Now if I could just figure out how to have multiple profile/wlan definitions on anchor controller but have the same ssid on them all so that our guest ssid @ sites can be uniform. Currently won't let me define multiple wlans on anchor with same ssid, even if profile name is unique. Guess despite it not running APs it's still checking wlans for uniqueness. Not very 'enterprise' as we want to have each site a) Have standard guest ssid and b) Have their own IP address space for firewall log purposes, etc. A & B seemingly mutually exclusive in current situation, assuming central anchor controllers of course.

    Well I guess now I need to follow up on my own post. After moving dmz anchor controller into "internal' mobility group, we ran into some weird issues.
    1) New APs at the site we were bringing on were somehow getting joined up to another site's controller. Only thing in common between sites was mobgrp name and the fact that they both anchored guest to the same central anchor controller.
    2) At the new site, guest seemed to work OK now but we were experiencing problems with hosts on one of the controllers internal wlans. They were not getting IPs. Debugs revealed that foreign (site) controller was bringing up guest tunnel to itself for this local, non-anchored wlan.
    Opened another tac case. This tac engineer advises that while bug CSCsm71840 exists, the other engineer should not have told us the workaround was to put dmz anchor controller into internal mobility group. Rather, he advised, we should go into any controller (on dmz anchor end or internal foreign end) where there was only 1 controller in the mobility group and add a 'dummy' entry into the mobility group.
    We changed the dmz anchor back to his own mobility group and then made the dummy entries and the mobility anchor worked correctly & so far appears that previously problematic internal wlan also works correctly.
    This whole thing should make for some 'interesting' conversation with the BU shortly.

  • WLAN Controller Displays Interface IP in Web Authentication URL Instead of FQDN

    Hi,
    Can someone offer any help with the issue below please?
    I have a guest wlan configured on a Cisco 2106 WLAN controller. Guest users are redirected to a Web Authenticaion page when they try to access the internet through a web browser, and can only proceed by succesfully authenticating with the controller.
    The problem I have is that the guest users are presented with an SSL certficate error before they hit the web authentication page. I have installed an SSL certificate from Verisign on the controller, and have configured an FQDN for the interface that is used for the guest wlan. However, the certificate error still persists because when the user is re-redirected to the web auth page, the URL in the address bar is presented as the IP address of the interface instead of the FQDN, For example, when a user is redirected, the address bar in their web browser displays; https://1.1.1.5/ instead of https://guestwifi.domain.com/ The SSL certificate that is installed on the controller is securing the FQDN of the interface.
    I'm not sure if i'm missing something here, but i'm struggling to find how to get the FQDN to display instead of the IP.
    Thanks,
    Paul

    I'm not following what you mean when you sayd "FQDN for the interface that is used for the guest wlan"......
    I assume you configured the Virtual Interface  to have the dns entry as guestwifi.domain.com but clients are still being redirected to the virtual IP itself and not the dns name? 
    The only reason I can think of for that happening was if the WLC had not been rebooted since applying the DNS name to the Virtual Interface (it takes a reboot to modify client redirect stuff, the same goes for http vs https).
    so guestwifi.domain.com should have a DNS entry resolving to 1.1.1.5, that entry should be on your virtual interface, and upon reboot you should always redirect to guestwifi.domain.com unless you manually type https://1.1.1.5 in the browser.

  • WLAN Controller configuration help needed

    Hi,
    I need to configure AP with WLAN controller for guest access. we have 2 vlans. vlan 1 - guess vlan (internet only access) and vlan 2 - all access.
    while configuring wlan controller. which vlan should i configure as native vlan? I have radius server which would check health of the user and would direct wlan controller to put in user in vlan 1 or 2 depending on its credentials.
    please advise how to implement it. what would be initial steps.

    Hi,
    I have couple of doubts before going further for solution to implement ?
    What model of wlan controller & AP , you are using ?
    to configure the Controller , initially you need to configure the interface ( which are virtual ) .
    You need to connect controller to your existing LAN set-up may be one of the port of your core switch ............
    below are the interface which you need to configure in controller .......
    1) Management interface with IP ( which will be used to access your controller from lan ... ) this is ip should be able to ping from the network.
    2) AP manager IP ( this is again depend on model ) if it is 5500 , this is not required ..
    3) Virtual IP : this is should the IP address which is not at all there in your lan eq.1.1.1.1
    4) dynamic interface with IP : this is the interface which will map your vlan to WLAN
    once you create the mentioned interfaces , you need to create the wlan and map the above dynamic interface with respective wlan.if required you can configure the DHCP pool as well in controller for Wlan.
    let me know , whether this information helped  you ........................

  • Guest Anchor with web auth using ISE guest portal

    Hello All,
    Before launching into my exact issues, could anyone confirm if they have completed a wireless Guest anchor setup using 2504 controllers on 7.4 as the anchor (5508 is the foreign) with webauth external redirection at ISE 1.1.3 using ISE Guest Services?
    I am attempting this for an internal POC and have hit a couple of issues. Firstly I am looking for correct configuration confirmation prior to going in depth with a couple of the issues. I've been using the TrustSec 2.1 how to guides to build the parts I am not strong on so if anyone has actual completed this setup, I'd love to go through it with you.
    massive thanks to anyone that can assist.
    JS.

    Thanks for the reply RikJonAtk.
    so to start with, based on the trust sec documents, of the guest WLAN on the anchor I need to configure mac filtering at the layer 2 security menu as well as enable RADIUS NAC under the Advanced tab. But when I do this, I get an error message that states that mac filitering and RADIUS NAC cannot be enable at the same time.
    Additionally, if I just enable the RADIUS NAC setting under the Advanced tab in the WLAN, I get another error message that states that the priority order for Web-Auth can only be set for radius, so I go to the AAA server tab and send local and LDAP to the not use column and hit apply. If I move to another menu then check the priority order again under the AAA servers tab, the local and LDAP have been moved back to the menu field to be used again.  So I initially though it might be a bug, but I was hoping to find someone here that has done this already and can look at my issues and maybe walk me through their configs, which I'll mirror and see how it goes.
    Thanks in Advanced,
    JS

Maybe you are looking for