WAP321 and Guest VLAN

Similar Messages

• 802.1x Auth-Fail VLAN and Guest-VLan not available

  Hi Pros,
  Having an issue with an 881 I have recently acquired. I'm wanting to setup a Virtual Office scenario. Everything is working fine except for 802.1x...
  I can get the 881 to authenticate things connected to it, but I don't have the options of guest-vlan or auth-fail vlan.
  Idea is if the users takes the router home and someone, either accidentally or on pupose, connects an unauthorized Laptop, they stay off the Corp network but can get to the internet still.
  I found this link on Cisco's site:
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/deployment_guide_c07_458259_ns855_Networking_Solutions_White_Paper.html
  That link shows them configuring a guest vlan right on the fa0-3 ports of an 881W. I dont have that option on mine. I can only configure 802.1x on the vlan interface. I have 802.1x working, for things that connect to vlan1, but I would like to have a "fallback" setup.
  EZVPN_Remote(config-if)#int fa1
  EZVPN_Remote(config-if)#dot
  EZVPN_Remote(config-if)#dot1?
  dot1q
  EZVPN_Remote(config-if)#dot1
  EZVPN_Remote(config-if)#int vlan1
  EZVPN_Remote(config-if)#dot1x ?
    default           Configure Dot1x with default values for this port
    host-mode         Set the Host mode for 802.1x on this interface
    max-reauth-req    Max No.of Reauthentication Attempts
    max-req           Max No.of Retries
    pae               Set 802.1x interface pae type
    port-control      set the port-control value
    reauthentication  Enable or Disable Reauthentication for this port
    timeout           Various Timeouts
  Any thoughts why I'm seeing this behavior? Feature-set? IOS Version?
  EZVPN_Remote#sh ver
  Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(2)T4, )
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2011 by Cisco Systems, Inc.
  Compiled Tue 12-Jul-11 21:02 by prod_rel_team
  ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
  EZVPN_Remote uptime is 6 hours, 1 minute
  System returned to ROM by reload at 14:53:21 UTC Thu Oct 13 2011
  System restarted at 14:52:47 UTC Thu Oct 13 2011
  System image file is "flash:c880data-universalk9-mz.151-2.T4.bin"
  Last reload type: Normal Reload
  Last reload reason: Reload Command
  This product contains cryptographic features and is subject to United
  States and local country laws governing import, export, transfer and
  use. Delivery of Cisco cryptographic products does not imply
  third-party authority to import, export, distribute or use encryption.
  Importers, exporters, distributors and users are responsible for
  compliance with U.S. and local country laws. By using this product you
  agree to comply with applicable laws and regulations. If you are unable
  to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  Cisco 881 (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memor.
  Processor board ID FTX153482GK
  5 FastEthernet interfaces
  1 Virtual Private Network (VPN) Module
  256K bytes of non-volatile configuration memory.
  126000K bytes of ATA CompactFlash (Read/Write)
  License Info:
  License UDI:
  Device#   PID                   SN
  *0        CISCO881-SEC-K9       xxxxxxxx
  License Information for 'c880-data'
      License Level: advipservices   Type: Permanent
      Next reboot license Level: advipservices
  Thanks in advance!

  Shamless bump...

• 802.1x / dot1x Authentication, including Voice-Vlan and Guest-Vlan

  Hello,
  i have tried to configure a dot1x based Authentication.
  With an single host including guest-vlan, everything works fine.
  But i want to use an IP-Phone (wich is every times authenticated) and behind the Phone an Client.
  Is there a possible solution? And unfortunately IP-Phones are Avaya-Phones.
  i have  just tried so...
  interface GigabitEthernet0/4
  switchport access vlan 121
  switchport mode access
  switchport voice vlan 200
  authentication event fail action authorize vlan 99
  authentication event server dead action authorize vlan 121
  authentication event server alive action reinitialize
  authentication host-mode multi-host
  authentication order dot1x
  authentication port-control auto
  authentication periodic
  authentication violation restrict
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 1
  spanning-tree portfast
  Thanks, for any possible solution!

  unfortunately because they are Avaya phones, the easy answer CDP-Bypass fails in this instance. When you plug in the phone, the switch will assume it's the 'single host' for this port, and restrict the port due to the authentication for the phone failing. Maybe you can just hard-code the voice-vlans on each phone, but that could get tedious depending on the amount of phones.
  I believe there is a DHCP option you can pass back that indicates the phone should be running on vlan 200, but for this to work you'd also need to set up a pre-auth ACL that would allow DHCP to work in the unauthorized state. I think it's 147 off the top of my head.
  Another solution (which isn't what you originally wanted, but it would work) is to just use multi-domain instead of single-host, and authenticate both the phone and the PC. The raduis server should be able to distinguish between what is configured as a phone and what is a host, and will send back the appropriate vlan if configured correctly.
  What are using for a radius server?

• 802.1X un-authenticated user and guest VLAN

  Is there an option for 802.1X wired network to put any un-authenticated user onto the guest VLAN instead of no access? Thanks.

  You can read more about "802.1X authentication failure VLAN" in the release notes for cat 6000 8.4 new features. It may not be in your hardware yet.
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/relnotes/ol_4498.htm

• WLC 5508 integration with fortigate and Guest Vlan

  Hi
  I have 5508 Cisco WLC and i want to connect my wlc one port to fortigate (FW) for direct internet.
  And other port in WLC i will connect on Cisco Core Switch for other SSID's and for management. Now the question is how to divide port in WLC 5508, how to point layer 3 traffic if don't configure switch port as trunk.
  Kindly what will be best solution.

  sh etherchannel 99 sum
  Flags:  D - down        P - bundled in port-channel
          I - stand-alone s - suspended
          H - Hot-standby (LACP only)
          R - Layer3      S - Layer2
          U - in use      N - not in use, no aggregation
          f - failed to allocate aggregator
          M - not in use, no aggregation due to minimum links not met
          m - not in use, port not aggregated due to minimum links not met
          u - unsuitable for bundling
          d - default port
          w - waiting to be aggregated
  Number of channel-groups in use: 38
  Number of aggregators:           38
  Group  Port-channel  Protocol    Ports
  ------+-------------+-----------+-----------------------------------------------
  99     Po99(SU)         -        Gi2/2/1(P)     Gi2/2/2(P)     Gi2/2/3(D)     
                                   Gi2/2/4(P)     
  Last applied Hash Distribution Algorithm: Fixed
  Gi2/2/3 is down becasue we had to shut down the interface because when it is up many APs refuse to register.

• 802.1X with Guest vlan support IOS version ???

  I don't know, Whitch IOS version support 802.1X with Guest vlan to Catalyst 2950 and 3550 switch
  please reply to my question.

  Tkank for your help.
  Also, Cisco web is explained , except for Catalyst 2950 Standard Image (SI) in IOS 12.1(22)EA3
  but I can't understand, My site is using catalyst 2950 SI to 802.1X and guest vlan in IOS image 12.1(22)EA3
  ex) TW_14F_A_C2950_32.8#sh ver
  Cisco Internetwork Operating System Software
  IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA3, RELEASE SOFTWARE (fc1)
  Running Standard Image
  24 FastEthernet/IEEE 802.3 interface(s)
  Model number: WS-C2950-24
  please, reply for my question

• Adding a guest VLAN to 1240s

  I have some Cisco 1240 Access Points which are not centrally managed.  I want to add 802.1Q trunking so as to be able to provision a guest VLAN.  But a trick is that these APs are in some very high ceilings.  I would like to provision the new trunking and guest VLAN without having to remove them from the ceiling.  Someone suggested I just make the native VLAN save as existing and make the port to which attaches a trunked port.  But when I did this I lost
  connectivity to the Access Point.  Access came back as soon as I made the switch port an access port.  Can someone suggest a recipe for how I can add the trunking and guest VLAN without having to get into the ceilings to remove them and configure them via console or other?  Thank you. 

  Stephen Rodriguez wrote:Create your config then tftp it to the start config. Then when you are ready reboot the AP and change the switch port. SteveSent from Cisco Technical Support iPhone App
  You can do that but you need to be careful because if there is something wrong with the config and you can't reach the AP then you can't correct the config via tftp back again and you have to unmount the AP.
  It is better you start doing the config with the easist AP to unmount from the ceiling.
  You need to configure sub-interfaces in your current AP to support multiple VLANs.
  Hope those links will help you:
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml
  https://supportforums.cisco.com/docs/DOC-14496
  Amjad

• Trying to create guest network on wap321 and sg200-50p using VLAN

  I have a SG200-50P and a WAP321. I am trying to create a guest wireless network using a separate VLAN on the WAP321. I have the production traffic on VLAN 1 and the guest network is on VLAN 100.
  The WAP321 is plugged in to port 7 on the switch. It is configured as follows:
  Trunk Port, 1UP, 100T, Ingress filter enabled
  The DHCP server is on port 22 and is configured as follows:
  Trunk Port, 1UP, 100T, Ingress filter enabled
  The production wireless client is able to work fine on VLAN 1.
  When I try to connect a device using the Guest network, the DHCP request does not appear to ever make it to the DHCP server. If I separate the Production network off of VLAN 1 and change the Untagged VLAN ID to a different VLAN than 1 (Management VLAN ID), the same thing happens to the client when it tries to get an IP address from DHCP.
  What am I missing here?

  I have the VLANs configured on the WAP321. VLAN 1 is the Mgmt and general VLAN and the VLAN is configured for the Guest network. I did a Wireshark trace and for some reason the pakets for VLAN 100 (Guest network) on the WAP321 are not getting to the DHCP server. I see them on the WAP321 using the packet capture, but there is not any response to them. I do not see them coming in at the DHCP server.
  When I connect to the WAP321 using the production SSID I see the same ackets at the AP and also coming in to the DHCP server. That is why I am so confused. I can't figure out why they do not get to the server. I was wondering if I have something configured wrong on the SG200, but this is new territory for me and I do not know what I am missing. I have taken some screen shots of the SG and WAP config screens in case it might help.

• HQ and Remote Wired Guest VLAN

  Hello all,
  I am having trouble to create a standard condition for Policy Authorization.  Basically there are HQ and remote locations configure for guest access.
  Each location has its own guest vlan.  On ISE the standard rule are:
  Standard Rule 1 if Unknown AND Wired_MAB then Guest_Access
  This rule is working good for HQ.
  Standard Rule 2 if (Unknown OR MTL_Devices) AND Wired_MAB_MTL_Guest then Montreal_Guest
  This rule is design for remote but Standard rule 1 is taking over because first match applied and since the OR condition may cause some problem
  with internal users since the condition is Unknown OR MTL_Devices.  There is no AND condition for this.
  Let me know if anyone has idea or have solved this problem.
  Thank you.

  Hi,
  You need to change the order of your rules, ISE uses the first matched rule from top to bottom, in your case the MTRL is matching the first rule since it is more open than the rule below which has the check for the network device.
  Please change the order and see if this fixes your issue, if this doesnt work, post a screenshot of your policies just to make sure we are on the same page.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• 802.1x Guest Vlan and Routed access layer design

  Hi!
  For many reasons, I have to re-design my campus network in a more ISP like way. The plan is to move to a routed access layer in the next two years. I have 802.1x with guest vlan on my access ports(3750). I was reading on the subject and I found that the guest vlan feature was not availeble with internal vlan(routed port).
  Is this limitation realy there, is there a way I can get around it without complicating my design even more. Do cisco have plan to lift this???

  You cannot use/configure 802.1X on a routed port today. Typically, 802.1X is to be used for LAN edge ports.
  The Guest-VLAN should work with a routed access design though. If your Guest-VLAN is chosen to be separate from say otherwise statically configured access VLANs, you would need to configure it via separate SVI with corresponding IP info (in a routed access model).
  Hope this helps,

• VLAN Configuration for Internal and Guest Wireless

  Hello,
  We are using the following hardware…
  SG300-52MP switch -- latest firmware
  ASA 5512-X firewall -- 9.1
  Aironet AP1131AG WAP
  We have the following networks…
  10.252.4.0/24 = Internal = ASA-01 interface = VLAN1
  10.252.6.0/24 = Guest = ASA-02 interface = VLAN6
  10.252.6.0/24 = VOIP = ASA-03 interface = VLAN3
  The Aironet supports two SSIDs, Secure (RADIUS) and Guest (WPA2), which are supposed to provide access to the appropriate interface on the ASA.
  Relevant parts of the WAP configuration are…
  dot11 ssid GUEST
     vlan 6
  dot11 ssid SECURE
     vlan 1
  interface Dot11Radio0
  no ip address
  ssid GUEST
  ssid SECURE
  interface Dot11Radio0.1
  encapsulation dot1Q 1 native
  no ip route-cache
  bridge-group 1
  interface Dot11Radio0.6
  encapsulation dot1Q 6
  no ip route-cache
  bridge-group 255
  interface Dot11Radio1
  no ip address
  no ip route-cache
  ssid GUEST
  ssid SECURE
  interface Dot11Radio1.1
  encapsulation dot1Q 1 native
  no ip route-cache
  bridge-group 1
  interface Dot11Radio1.6
  encapsulation dot1Q 6
  no ip route-cache
  bridge-group 255
  interface FastEthernet0
  no ip address
  no ip route-cache
  interface FastEthernet0.1
  encapsulation dot1Q 1 native
  no ip route-cache
  bridge-group 1
  interface FastEthernet0.6
  encapsulation dot1Q 6
  no ip route-cache
  bridge-group 255
  interface BVI1
  ip address 10.252.4.4 255.255.255.0
  no ip route-cache
  ip default-gateway 10.252.4.1
  We can manage the WAP through it’s Internal IP address (10.252.4.4).
  And the “Guest” wireless network is working -- connecting to that SSID provides the client with the correct IP addressing (10.242.6.X from VLAN6/ASA-02).  [Note:  the VOIP DHCP and network access also works correctly.]
  The “Secure” wireless network is not working however -- the client never receives an Internal DHCP address from ASA-01, and even if you hard-code the client’s IP, no IP4 traffic ever passes.
  [Note:  connecting a device to a SG300 port with the “Default” configuration provides the client with an Internal DHCP configuration, and it works as intended.] 
  While this may be a problem with the WAP configuration, I would like to confirm that it is not an issue with the switch not passing traffic correctly.
  I have a feeling that I have configured the VLANs on the ports incorrectly.
  Relevant parts of the SG300 configuration are...
  v1.3.0.62 / R750_NIK_1_3_647_260
  vlan database
  vlan 3,6
  ip dhcp snooping
  ip dhcp relay address 10.252.4.1
  ip dhcp relay enable
  bonjour interface range vlan 1
  interface vlan 1
  ip address 10.252.4.2 255.255.255.0
  no ip address dhcp
  interface vlan 3
  name VOIP
  interface vlan 6
  name Guest
  interface gigabitethernet45 -- Access mode, Untagged VLAN6
  description ASA-Guest
  ip dhcp snooping trust
  switchport mode access
  switchport access vlan 6
  interface gigabitethernet46 -- Access mode, Untagged VLAN3
  description ASA-VOIP
  ip dhcp snooping trust
  switchport mode access
  switchport access vlan 3
  interface gigabitethernet47 -- Trunk mode, Untagged VLAN1 and Tagged VLAN6
  description WAP1
  switchport trunk allowed vlan add 6
  interface gigabitethernet48 -- Trunk mode
  description ASA-Internal
  ip dhcp snooping trust
  ip dhcp relay enable
  Can someone who understands this switch better than I do please confirm the VLAN configuration?  THANK YOU!

  Welcome to the discussion area!
  +PCI regulations do not consider VLAN a secure way of keeping the data isolated. Does anyone have any technical information on how the device creates the guest wireless network ?+
  I spoke to Apple Support some time ago and was told that Apple uses VLAN to create the Guest network, and also that formal documentation was not available on this topic. I was referred to the AirPort Extreme Specifications for available information.
  This was some time ago, so if you need more up to date info, you might want to try to contact Apple to see if they are willing to share more information about this feature. Although, since VLAN is used, your question may already be answered.
  FWIW, to use the Guest Network feature in a home situation, the AirPort Extreme must be set up as the main router controlling DHCP and NAT on the network. If you were thinking of installing the AirPort Extreme behind another router, the Guest Network feature would not be available in this type of configuration.

• Multiple Guest VLANs and Shared WLC

  Hi,
  I would like to add a second Internet ASA5xx gateway to our guest anchor wlc in the DMZ, which is connected to a guest vlan switch, so that the guest anchor wlc can connect guest users to two separate Internet gateways (i.e. guest vlan1 and vlan2). Two guest wireless networks are created in our environment, say SSID1 and SSID2, each anchoring to the guest WLC in the DMZ by Internal wlcs. I want to assign a different ip subnet to the two guest wireless SSIDs, say 10.251.255.0/24 and 10.251.256.0/24, to be provided by DHCP servers in the two ASA5xx.
  I want to implement this by creating a second guest vlan interface in the guest anchor wlc and assign/connect this to the new ASA5xx box for the second Internet gateway. The second guest wilres SSID will be homed/anchored to this guest vlan2.
  Please advise how best I should implement this.
  many thanks
  Sankung   

  It sounds like you already have this done.  You have the second SSID already, you would need to create the second interface with the appropriate VLAN tag and subnet range.
  Then on the internal anchor the SSID to the same SSID in the DMZ
  http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html#wp999843
  HTH,
  Steve
  Please remember to rate useful posts, and mark questions as answered

• ISE Wired Guest + user without supplicant and dynamic vlan change

  Hi All,
  I have two issues:
  Is it still an issue when a wired user who is directed to the ISE CWA, is able to stay authenticated as a guest for as long as they stay connected?
  This is happening on our test pilot - a guest with 2 hour access on a wired connection can maintain the guest access for as long as they desire.
  I hear that this isnt an issue for wireless, but yet to try this out. Is there a workaround for this?
  Secondly my testing confirms that only users with a supplicant eg anyconnect NAM can be dynamically changed into a vlan (only tested on wired).
  What I'd hope to do, is create a policy that when wired guest connect in, to dynamically change their vlan to the guest vlan (same one guest WLAN users will use).
  Is this possible if the guest doesnt have a supplicant?

  One of my tasks was to rebuild the multiportal config, and looks like there was an option there to do a VLAN dhcp release and renew. I wont know if this will work until next week but it sounds promising. It was tucked down on the screen so I had to scroll down to find it...
  Still dont have an answer about the guest able being able stay authenticated, or does this feature solve this issue as well? Only time will tell..

• Configuring Guest VLAN on AP541N and UC560

  I have a AP541N connected to a UC560.  We are currently configured for Wireless Voice and Data.  We have added a Guest VLAN, but don't see where in CCA to secure the VLAN from accessing the other other two default VLANs.  Any help would be appreciated.
  Additional Info:
  AP541N-K9-1.7(2)
  UC560  15.0(1)XA2, RELEASE SOFTWARE (fc2)
  CCA 3.0

  https://supportforums.cisco.com/docs/DOC-14855
  We are experincing the exact same problem in our lab.
  There is no way with CCA that the VLANs can be secured. You have to use CLI, howerver once you choose to use CLI for configuration CCA may no longer be used.
  Hope this helps.
  Terry

• Guest VLAN and SSID with a DHCP router

  I want to offer customers wireless access in my building. I've added VLAN 30 to my WAP with no encryption and broadcast the GUEST ssid. I also have a Netgear router plugged into a port with VLAN 30 access. I was hoping the wireless clients would get a DHCP address from this router since they are all on the same VLAN, but I cannot get it too work.
  Does anyone have any insight on this, or another way to setup the guest VLAN?

  You can create a guest VLAN.
  http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a00800e02cb.html#1074827