WAP321 - Captive portal in 2 different VLAN

Hi,
I have a WAP321 installed in my network. IP: 192.168.0.36 - VLAN 1
If I'm in the local area network, I do not have any problem using the wireless.
I just added a guest VLAN for people who need an Internet connection without LAN access. So I set up a second SSID and tagged it with VLAN 50. I can access the Internet. But if I want to activate the captive portal, I'm unable to access it because the address is in VLAN 1 (or 192.168.0.36).
How can I set up my WAP321 to have the captive portal in VLAN 50, not in VLAN 1?
Thank you
Alex

Hello Alexandre,
If you have a router upstream, please make sure that you have enabled inter-vlan routing in there. Also, on the WAP321, please configure the router's VLAN 1 IP address as the default gateway. With these settings, you should be able to use Captive Portal for both VLAN 1 and VLAN 50.
Hope this helps.
Regards,
Nagaraja

Similar Messages

  • Cisco WAP321 Captive Portal Redirect

    Hi, I have set up a Cisco WAP321 as an Internet Cafe Captive Portal. When initially switched on, clients connect and are redirected to the Log on page where they can add their name and tick to say they agree with the usage policy.
    Works great; unfortunately, the next day when the clients connect again they are never redirected to the logon page, so they can't access the internet.
    I have tried putting in the redirect URL and if I do that it works fine.
    I have checked all my settings but can't find out why.
    Anyone know why I'm not getting the redirect?
    Thanks
    Darren

    Hi Luis
    Thanks for the reply. I have been reading up on possible issues and just need to clarify whether the Guest WIFI has to be on VAP0. I have it configured on VAP2 and, as I said, initially it works OK and gives me the redirect.
    My WAP321 is connected to a Cisco 887 Router with the port set to Trunk and the VAP2 is set to VLAN2.
    VLAN 1 set to 192.168.192.1 255.255.255.128 and VLAN2 set to 192.168.192.193 255.255.255.224. DHCP scope on the Router is from 192.168.192.194 to 192.168.192.220.
    I'm back on site again this morning and it's working after a reset. I'll monitor over the next day or so and see what happens.
    Regards
    Darren

  • Captive Portal with two or more WAP321

    Hello,
    I plan to use the WAP321 as a WLAN Hotspot. But I need more than one AP. What is the Design for this?
    Do I need to configure every WAP321 with the captive portal, and does the user need to re-login every time they roam to another WAP321?
    Or can I redirect all WAP321 APs to one captive portal?
    Thanks for your support.
    Christian

    Nicola,
    It may be too late, but with the new version 1.0.2.3 software you can create a cluster of up to 8 WAP321s in order to share one configuration. The feature is called Single Point. Here is a paper on the feature:
    http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps12237/ps12249/brochure_c02-717568.pdf

  • Restrict Access to Captive Portal after successful authentication

    I have setup a WAP321 with the captive portal activated.
    2 WLAN networks defined, one for the Normal-user and 1 Guest-user access (with captive portal).
    The WAP Management is on its own vlan (vlan 1 ) , network 10.0.0.0 /24
    The Normal network has a different vlan (vlan 14) , network 192.168.14.0/24
    Guest user(s) are on VLAN143 , 172.16.10.0 /24
    So when a guest connects to the WAP, the management interface is opened (10.0.0.x); after successful authentication the user is redirected to a predefined site.
    What I would like to establish is to make it impossible for the Guest-user(s) to access the management portal.
    Defining an ACL on the management portal is not possible as I would like to use any IP address on the Normal Network (192.168.14.0/24).
    Unfortunately you can only define 5 fixed IP addresses and not a (sub)-network.
    regards
    eddy

    Good morning  Mr. Mulder,
    It is possible to set an access list on your WAP321 that restricts access from users on the complete network 172.16.10.0/24.
    Let me share with you the information found in the guide me section of this forum about this topic.
    I encourage you to make use of this useful tool if you have any other questions about configuration in the future.
    http://sbkb.cisco.com/CiscoSB/ukp.aspx?vw=1&docid=c1a32843a14846af8c20a91532c39d16_acl.xml&pid=4&fcid=&fpid=&slnid=6
    Check section 6, where you could set the configuration using the network 172.16.10.0/24 as source address and 10.0.0.0/24 as destination.
    Hope you find this answer useful; if it was satisfactory for you, please mark the question as Answered.
    Thank you
    Diego Rodriguez.
    Cisco network engineer
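
Added example, not part of the original thread or of Cisco's documentation: a first-match model of the rule set suggested in the reply above (source 172.16.10.0/24, destination 10.0.0.0/24), showing why the deny rule needs a following permit. It assumes the ACL ends in an implicit deny; the `Rule`, `evaluate` and `audit` names and the probe host addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Subnets taken from the thread above.
GUEST_NET = "172.16.10.0/24"   # VLAN 143, guest SSID
MGMT_NET = "10.0.0.0/24"       # VLAN 1, WAP management
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: str     # source network in CIDR form
    dst: str     # destination network in CIDR form


def wildcard(cidr):
    """Wildcard (inverse) mask of a network, the form many ACL editors ask for."""
    return str(ipaddress.ip_network(cidr).hostmask)


def evaluate(rules, src_ip, dst_ip):
    """First-match evaluation of one flow; returns (action, rule_number).

    Assumption: the list ends in an implicit deny, reported as rule None.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for number, rule in enumerate(rules, start=1):
        if src in ipaddress.ip_network(rule.src) and dst in ipaddress.ip_network(rule.dst):
            return rule.action, number
    return "deny", None


# The deny rule on its own: guests lose everything, not just management.
DENY_ONLY = [Rule("deny", GUEST_NET, MGMT_NET)]

# Deny guest -> management first, then permit the rest of the guest traffic.
GUEST_ACL = [
    Rule("deny", GUEST_NET, MGMT_NET),
    Rule("permit", GUEST_NET, ANY),
]

# Constructed probe flows (hosts are made up; 203.0.113.0/24 is a documentation range).
PROBES = {
    "guest -> management": ("172.16.10.25", "10.0.0.5"),
    "guest -> internet": ("172.16.10.25", "203.0.113.10"),
}


def audit(rules):
    """Evaluate every probe flow against a rule list."""
    return {name: evaluate(rules, *flow) for name, flow in PROBES.items()}


if __name__ == "__main__":
    print("guest wildcard mask:", wildcard(GUEST_NET))
    for label, acl in (("deny only", DENY_ONLY), ("deny + permit", GUEST_ACL)):
        for name, (action, number) in audit(acl).items():
            matched = "implicit deny" if number is None else f"rule {number}"
            print(f"{label:14} {name:20} {action:6} ({matched})")
```
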

  • WAP-321, Captive Portal and Wi-FI repeaters

    Hi,
    So I am currently deploying a Wi-Fi network based around the Cisco WAP-321. I use the CP function with a Radius server to authenticate my users. So far so good: when a user connects to one of the APs and uses his credentials, he can log in and access the Internet without any trouble. But I also use some Wi-Fi repeaters (Netgear WN-1000RP) to extend the range of my wireless network in places where I can't install an AP. The repeaters effectively extend the range of my network, and I can connect to them without any trouble when the CP is turned off. However, when I turn on the CP, I access the login web page and enter my credentials, but no matter what, I can't log in while connected to the repeater. After some research, it looks like I have to manually enter the MAC address in the MAC through list of the AP. Except such a feature doesn't seem to exist on the WAP-321. I have tried using WDS bridge and Workgroup bridge, but without success, since I think it's only compatible with WAP-321 and WAP-121 devices.
    So I am kind of running out of ideas to make this work, and I would be very grateful if someone could help me out.
    Thanks in advance, do not hesitate to ask me for more information if needed.

    My name is Eric Moyers. I am an Engineer in the Small Business Support Center.
    I am sorry to hear that you are experiencing this issue.
    While what I am fixing to share is not in any way a great solution, it can be utilized as a workaround.
    With the WAP321, after trying a few different scenarios that didn't work, I simply created two VLANs, left the Untagged VLAN as the main VLAN and changed the Management VLAN to the second. I then attached the guest SSID to the Management VLAN. This allowed me to authenticate to my guest captive portal, get an IP and get out to the internet. The Main SSID still worked normally.
    Now for some caveats:
    Problem: If a wireless client knows the IP of the WAP and the username and password they could get into the WAP.
    Solution: Setup Management Access Control to an IP outside the DHCP scope for that VLAN and have a Strong Password.
    Problem: Management of the WAP321 can only be from an IP on the Management VLAN. (In my case 2)
    Solution: Setup Management Access Control to an IP outside the DHCP scope for that VLAN and have a Strong Password.
    Not the very best solution, but the only workaround I can come up with for now.
    Eric Moyers
    .:|:.:|:. CISCO | Cisco Presales Technical Support | Wireless Subject Matter Expert
    Please rate helpful Posts and Let others know when your Question has been answered.

  • IOS 6 Wi-Fi Issue (Campus Captive Portal)

    Hey there,
    I know some people are facing Wi-Fi connection problems after the iOS 6 update.
    There are a lot of threads and solutions about this problem. But mine is a bit different.
    I have an iPad and after I updated to iOS 6 there wasn't any issue with the Wi-Fi connection.
    I surfed all day long, uploaded and downloaded many things using my home Wi-Fi network.
    Today I couldn't connect to my campus' Wi-Fi network. I turned on my phone's hotspot and the iPad connected to my phone's cellular-based network just fine. I tried to connect directly with my phone to the campus' network and my phone also connected just fine. When I searched the web I saw a lot of Wi-Fi issue threads about iOS 6. I have read all of them but my problem is a bit different.
    My campus' network is using a Captive Portal thing to get internet access. So you have to enter your user ID and password after you connect wirelessly.
    When I was using iOS 5.1.1 the iPad was connecting to the network automatically and waiting for me to open Safari or Chrome and enter my ID and password.
    But now, after I join the network, a window pops up and wants me to enter ID and password (not an Apple page, my own university page) and at the same time the connection drops and the Wi-Fi icon disappears, so my log-in info can't be sent. I open the Wi-Fi panel and connect again and the same thing occurs. Pop-up window and connection lost. This is a vicious cycle, I think, and everybody using iOS 6 on my campus is facing the same problem. iPhone, iPad and iPod Touch users cannot connect because of this problem.
    I have done everything that is written about the common Wi-Fi issue.
    I am sorry about my broken English BTW.
    Waiting for your help.

    If you are experiencing the above subject heading, please read below.
    Go to Settings, General, About
    Scroll down till you see Modem Firmware
    Reply Back with your Modem Firmware
    Modem Firmware: 04.12.02
    Wireless Access Point Device: NetGear WG102, which is superseded by NetGear WG103.
    I have Firmware 5.0 for this device
    Also check your IOS Version and (BUILD)
    If your Modem Firmware is LESS than the above, then you have the same problem as myself and many others with Wireless Connectivity issues to WAPs.
    It is my understanding, unless I'm proven wrong by anyone with my above findings, this can only be fixed by APPLE. I have reported this as a BUG.
    Please REPLY only to this thread if your criteria is less than the MODEM FIRMWARE listed.
    I'm checking to see if I can be proven wrong in my findings.
    I have performed the below
    Backup Phone
    Factory Reset
    Network Reset
    Hard Reset
    Soft Reset
    Apple Store in Australia, Sydney CBD George St, have tried the above with me and can't help either.
    Apple support via the phone can't help. This problem has now been logged as a BUG for the time being.

  • Auto pop-up for wispr in any captive portal won't work anymore

    Hi all,
    I really like the captive portal function. I am often at Starbucks, and I like the easy way to accept the user agreement.
    But, since some weeks, the auto pop-up to see the captive portal won't show ... neither Starbucks nor somewhere else!
    At Starbucks ....
    1. I tried to delete the btopenzone WiFi (the provider for Starbucks free WiFi) but nothing changed.
    2. I tried to set up another networking zone, won't help either.
    3. I searched the web, but all I could see is, that there is not really a way to disable it (but changing the website in plist somewhere).... 
    4. I tried to find a way to just disable or enable it... but was not lucky.
    Hope anyone can help me, cause I really like the feature.
    Thanks...
    Michael.

    Hi DelBaero,
    So, it sounds like push notifications are working intermittently. Take a look at the article linked below, not only does it give insight into how notifications work, it also provides some troubleshooting tips that should help.
    iOS: Understanding notifications
    http://support.apple.com/kb/ht3576
    Troubleshooting notifications
    Push notifications require an active Wi-Fi or cellular connection.
    Note: Notifications use Wi-Fi only when a cellular connection is unavailable. Firewalls and proxy servers may affect your ability to receive notifications. For more information, see Unable to use Apple Push Notification service (APNs).
    If you're not receiving notifications for a specific app, try these steps:
    Verify that the app supports notifications.
    After installing an app or restoring a backup to a different iOS device, open the app to begin receiving notifications. If the app requires entering or logging in to an account, you will need to do this before receiving notifications.
    Check Settings > Notification Center to ensure that the app is configured for notifications. If notifications do not appear in the Notification Center, verify that the Notification Center setting for the app is enabled.
    -Jason

  • ISE Wired captive portal

    I have a new ISE integration. I've implemented captive portal for wireless and wired guests; for wireless all is working perfectly.
    For wired I can see that ISE puts the URL captive on the interface of the switch, but from the laptop of Windows machine I'm unable to see the link in the browser. Please advise.

    In the same document you have
    Wired NAD Interaction for Central WebAuth
    If your client's machine is hard wired to a NAD, the guest service interaction takes the form of a failed MAB request that leads to a guest portal Central WebAuth login.
    The Central WebAuth triggered by a MAB failure flow follows these steps:
    1. The client connects to the NAD through a hard-wired connection. There is no 802.1X supplicant on the client.
    2. An authentication policy with a service type for MAB allows a MAB failure to continue and return a restricted network profile containing a URL-redirect for Central WebAuth user interface.
    3. The NAD is configured to post MAB requests to the Cisco ISE RADIUS server.
    4. The client machine connects and the NAD initiates a MAB request.
    5. The Cisco ISE server processes the MAB request and does not find an end point for the client machine. This MAB failure resolves to the restricted network profile and returns the URL-redirect value in the profile to the NAD in an access-accept. To support this function, ensure that an Authorization Policy exists featuring the appropriate "NetworkAccess:UseCase=Hostlookup" and "Session:Posture Status=Unknown" conditions.
    The NAD uses this value to redirect all client HTTP/HTTPS traffic on ports 8080 or 8443 to the URL-redirect value. The standard URL value in this case is:
    https://ip:port/guestportal/gateway?sessionId=NetworkSessionId&action=cwa.
    6. The client initiates an HTTP or HTTPS request to any URL using the client browser.
    7. The NAD redirects the request to the URL-redirect value returned from the initial access-accept.
    8. The gateway URL value with action CWA redirects to the guest portal login page.
    9. The client enters the username and password and submits the login form.
    10. The guest action server authenticates the user credentials provided.
    11. If the credentials are valid, the username and password are stored in the local session cache by the guest action server.
    12. If the guest portal is configured to perform Client Provisioning, the guest action redirects the client browser to the Client Provisioning URL. (You can also optionally configure the Client Provisioning Resource Policy to feature a "NetworkAccess:UseCase=GuestFlow" condition.)
    Since there is no Client Provisioning or Posture Agent for Linux, guest portal redirects to Client Provisioning, which in turn redirects back to a guest authentication servlet to perform optional IP release/renew and then CoA.
    13. If the guest portal is not configured to perform Client Provisioning, the guest action server sends a CoA to the NAD through an API call. This CoA will cause the NAD to reauthenticate the client using the RADIUS server. This reauthentication makes use of the user credentials stored in the session cache. A new access-accept is returned to the NAD with the configured network access. If Client Provisioning is not configured and the VLAN is in use, the guest portal performs VLAN IP renew.
    14. With redirection to the Client Provisioning URL, the Client Provisioning subsystem downloads a non-persistent web-agent to the client machine and performs a posture check of the client machine. (You can optionally configure the Posture Policy with a "NetworkAccess:UseCase=GuestFlow" condition.)
    15. If the client machine is non-compliant, ensure you have configured an Authorization Policy that features "NetworkAccess:UseCase=GuestFlow" and "Session:Posture Status=NonCompliant" conditions.
    16. Once the client machine is compliant, ensure you have an Authorization policy configured with "NetworkAccess:UseCase=GuestFlow" and "Session:Posture Status=Compliant" conditions. From here, the Client Provisioning issues a CoA to the NAD. This CoA will cause the NAD to reauthenticate the client using the RADIUS server. This reauthentication makes use of the user credentials stored in the session cache. A new access-accept is returned to the NAD with the configured network access.

  • Captive Portal

    My customer is an educational institution; they have Cisco 1252 APs (autonomous). I want to set up a captive portal; I can build a Linux-based server.
    They cannot spend much... is there a way out?
    Thanks in advance
    Mak

    Hi,
    Setting a specific web page for the clients every time they connect to the AP is not possible
    by using the AP only. The AP only has the option to redirect all the client traffic to any other IP
    on the network, and then the device associated with that IP can provide the web page
    that will be displayed on the client screens. That device can be a
    BBSM (Building Broadband Service Manager) or a Cisco NAC Appliance.
    As per the below link, BBSM is out of sale:
    http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps5689/ps533/ps5463/prod_end-of-life_notice0900aecd805aeb23.html
    In order to configure a SSID/VLAN to open a particular website when any user
    connects to it, you need to connect a BBSM(Building Broadband Service
    Manager) or a Cisco NAC Appliance to any one of the Access ports on the
    switch which is a part of that VLAN. We can configure the BBSM device or the
    NAC device to open a specific webpage and after that we can configure the AP
    to forward all the packets coming from client connected to that specific
    SSID/VLAN to the IP address of the BBSM server with the help of "IP
    redirect" command we can configure on the AP. Here is a document for the
    same:
    http://www.cisco.com/en/US/docs/wireless/access_point/12.3_4_JA/configuration/guide/s34ssid.html#wp1049571
    Here is an application note about the list of APs which support IP redirection
    http://www.cisco.com/en/US/docs/wireless/technology/ip-redirect/technical/reference/ipredir.html
    Most of the cases that we have seen on "IP redirection" go way back to when
    BBSM was available.  Nowadays, this is deployed using WLCs for the guest
    access.
    I hope the above answered your question.
    Regards
    Surendra

  • Captive Portal with Wireless Mobility

    Has anyone successfully configured a captive portal/proxy while maintaining their WDS infrastructure?
    We're wanting to make users accept a user agreement before being able to progress to the outside world. We're currently using m0n0wall to accomplish this on our wired network, but with the interesting way that the wireless traffic actually enters the network through the tunnel/loopback int, it's creating some confusion for me.
    Can it be as simple as changing the tunnel source to a VLAN instead of a loopback? Anyone have any insight?

    The Captive Portal is used to control what happens when an application request, layers 5-7, is redirected to Layer 3-4 (i.e. when the destination IP address or port number of a request from an application is changed, and the application layers in the protocol request still have the previous IP address or domain and port number encoded in them). This is analogous to the Network Address Translation (NAT) function performed by a router.
    http://www.cisco.com/en/US/tech/tk722/tk721/technologies_white_paper09186a00801a0c62.shtml

  • Inquiry - Cisco Captive Portal without WLC

    Hi
    based on article http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml
    Is it possible or how should I design captive portal without WLC.
    In our organization, I have about 20 AP (various models) running on standalone with VLAN and ACS server for MAC authentication.
    I have a plan to create a new VLAN just for guest users to browse with username/password URL redirection (without MAC authentication).
    Seek your help.
    Thank You

    Without a WLC you would need another solution to handle the portal piece.
    Sent from Cisco Technical Support iPad App

  • WRT54G Bridges, VPN's, Captive Portals, etc. (Advanced FAQ)

    These questions are only in relation to the above Wireless Router (v6, FW-v1.02 [2010]) :
    1. What is an Ethernet Bridge (the basic authoritative definition), and besides gaming, what are they generally used for in a business setting?
    2. What are VPN settings in a Router used for, and can a VPN be configured on a remote PC without them?
    3. Utilizing bridging, etc., can I utilize my WRT54G as a makeshift Range Expander as long as the primary router doesn't have WEP key requirements? The current WIFI doesn't reach my PC, so I thought I could configure my router midway in hopes of extending the other router's signal, via some kind of bridging if necessary. Naturally, there would only be a wireless connection between routers.
    4. How can I set up a simple Captive Portal on this router?
    If more expedient, provide any definitive links to answer these questions, preferably at Cisco sites. Thanks.

    Re 1. Where did you find this? The WRT is a switch, not a bridge. Technically, the switch does the same as the bridge, only better. It connects two or more ethernet segments and joins them into a single ethernet network.
    Re 2. The VPN settings are used when you have VPN connections running through the router (i.e. not as endpoint). Whether it's possible to connect without them depends on the kind of VPN you are trying to establish. Some will work and some won't unless you have enabled the corresponding passthrough.
    3. Ethernet bridging and wireless bridging are completely different things. The WRT won't connect wirelessly to other routers.
    4. You can't.

  • Dual Band Concurrent AP with captive portal?

    Hi, I was looking at purchasing the WAP321; however, after looking at the specs I see it does not have concurrent dual band (2.45Ghz/5Ghz). Are there any similar access points with dual band and captive portal?
    Thank You

    Hi, My name is Eric Moyers. I am a Network Support Engineer in the Cisco Small Business Support Center. Thank you for using the Cisco Community Post Forums.
    There is not an access point in the Small Business collection that has dual radio capability. The AP541 and WAP321 have dual band 2.4 and 5 GHz, but only one band at a time because they only have a single radio.
    To find something with dual band, dual radio that can do 2.4 and 5 ghz at the same time you will have to look at Cisco Enterprise, AP1262N or 1142N for example.
    Hope this helps.
    Thanks
    Eric Moyers
    Cisco Network Advanced Support Engineer
    SBSC Wireless and Surveillance SME
    CCNA, CCNA-Wireless
    1-866-606-1866
    *Please rate Post so other will know when answer have been found.

  • Automatic disconnection from AP when timed out (session or authentication) from captive portal

    Captive portal implementation permits/blocks web traffic. When a user is timed out (authentication & session) it still occupies a channel as seen in the clients list. How can we disconnect a host that is timed out?

    There is NO Failed Authenticated list. These are the only available tabs in the lapac1200 Captive Portal Global Configuration, Portal Profiles, Local User, Local Group, Web Customization, Profile Association, Client Information

  • Anyconnect 3.1 Captive Portal False Alert Stops Users Connecting.

    Hi All,
    I am having problems with a customer's ASA 5505 with Anyconnect 3.1 - it is generating captive portal false-alerts which are stopping users from connecting.
    This issue began when I upgraded from Anyconnect 2.4 to 3.1, and it appears like this: A user downloads and installs the Anyconnect client and is able to connect fine, to begin with. However, once they reboot their computer and try to reconnect, the VPN session will not come up and they receive the error message below.
    "The service provider in your current location is restricting access to the internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser."
    Reading other posts, it seems this message appears when a captive portal is restricting internet access. It must be a false alert in this case as there is nothing of the sort here. Apparently, Anyconnect 3.1 can generate a false alert like so if the name of the firewall's SSL certificate doesn't match the CName listed on the Client Profile. I've set this up to match, to no avail.
    Although users can connect by reauthenticating through the SSL VPN login web page, I am stumped as to how to get rid of this captive portal error that pops up when they try to use the Anyconnect client.
    Any advice would be appreciated, just let me know what extra details to post if needed.
    Many thanks,
    Josh Campbell

    Hi Joshua,
    The below information could be located at
    www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac03vpn.html
    False Captive Portal Detection
    AnyConnect can falsely assume it is in a captive portal in the following situations.
    • If AnyConnect attempts to contact an ASA with a certificate containing an incorrect server name (CN), then the AnyConnect client will think it is in a "captive portal" environment.
    To prevent this, make sure the ASA certificate is properly configured. The CN value in the certificate must match the name of the ASA server in the VPN client profile.
    • If there is another device on the network before the ASA, and that device responds to the client's attempt to contact an ASA by blocking HTTPS access to the ASA, then the AnyConnect client will think it is in a "captive portal" environment. This situation can occur when a user is on an internal network, and connects through a firewall to connect to the ASA.
    If you need to restrict access to the ASA from inside the corporation, configure your firewall such that HTTP and HTTPS traffic  to the ASA's address does not return an HTTP status. HTTP/HTTPS access to the ASA should either be allowed or completely  blocked (also known as black-holed) to ensure that HTTP/HTTPS requests sent
    There is also a bug filed for this. Just for your reference,
    CSCud17825 - Anyconnect captive portal
    Regards,
    Srikanth K S.
