Wired Guest Access

Hi!
I enabled Wired Guest Access to connect Wired Ethernet Users to WLC. It doesn't explained on user guide how WLC does? If WLC strips 802.3 frame and encapsultes it with 802.11 or not. Any way, I couldn't redirect the ethernet flux to WLC and then to the external controller authenticator (Captive portal authentication).  Need a help!
Cheers!

In order to provide the wired guest access, the designated ports in the layer-2 access layer switch need to be configured on the guest VLAN by the administrator. The guest VLAN must be separate from any other VLANs that are configured on this switch. The guest VLAN traffic is trunked to the nearest WLAN local controller. The local controller tunnels the guest traffic across a EoIP tunnel to a DMZ Anchor controller. This solution requires at least two controllers.
Here is the URL for the Wired Guest Access using Cisco WLAN Controllers Configuration
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml#ancwlan

Similar Messages

  • Wired guest access with 5508

    Hi
    I have setup wireless guest access for a customer with a single 5508 and web authentication no problem at all. He then wanted to test wired guest access. The 5508 is currently connected to a single 3560 switch. The wired clients get a DHCP address OK but cannot reslove DNS and thus don't get redirected to teh guest login portal. I have even tried turning of all L3 security to no avail. The setup is as follows
    VLAN 101 access points and 5508 management interface
    VLAN 102 wired guest access dynamic ingress (L2 config only no SVI on 3560)
    VLAN 103 wireless guest dynamic egress nterface L3 network with SVI on switch
    VLAN 104 wired guest dynamic egress interface L3 network with SVI on switch
    There are two DHCP pools setup on the WLC one for the VLAN 103 and one for the VLAN 104 subnets.
    The internet router is also connected to the 3560 on a sepearte VLAN with an SVI. the 3560 has a default route to teh internet router and teh DHCP pools give the DHCP clients a default gateway of the IP address of dynamic interface 103 or 104. The Internet routre can ping the WLC on both these addresses.
    LAG is enabled on teh WLC and VLANs 101-104 are trunked to it from the 3560.
    I even tried making the wired guest egress interface the same one as for wireless. The wired clientys now got an IP address on the wireless range but still couldnt pass any traffic. It's like the intrenal bridging on teh WLC between VALN 102 and 104 (or 103) is broken. Tried both the lates 6.x and 7.x software on the WLC. Any ideas ? All the problems I can find with this seem to relate to not gettingas far as a DHCP address but that works fine.
    Thanks
    Pat

    Hi
    Yes got it resolved. It turns out that the connection from the wired guest access port to the WLC must be L2. That is the switch that the wired guest acces sport is connected and WLC are connected to must be L2 only. We were using a single switch to do the testing and it was also doing the routing for the test LAN. Even though there was no L3 VLAN interface configured for the VLAN that the guest access port was on for some reason this breaks it. Absolu Didnt have chance to work out the exact limitations of this as we simply made the switch L2 only and configured an 802.1Q trunk to the Internet router and made subinterfaces on the router for the wired and wireless egress ports and it worked then. No config change was needed on the WLC at all.
    The only thing I can think of is that it's something about the way the WLC joins the wired guest access ingress VLAn and egress VLAN. The WLC isn't a reall router it says so in the documentation. I think the packet coming from the wired access port is being bridged to the egress VLAn not routed and this is what screws it up (remeber with a router the source and destination MAC addresses would be changed with a bridge they aren't). Got to be something along those lines. If you have a bigger newtork with a guest anchor WLC handling this function you dont run into this as the traffic is coming over an EOIP tunnle from the remote WLC so the switch with the guest anchor WLC doesnt see the MAC address of the wired guest PC.

  • Anyone seen strange behavior with wired guest access on WLAN Controller?

    Cisco Doc ID 99470 spells out how to deploy wired guest access over wireless LAN Controllers.
    That said, everything has been up and working for almost a year.  Guest wireless uses anchor controller in DMZ - no issues.
    Recently configured two wired ports for wired guest networking.  The desktops get the correct IP address via DHCP.  A wireless client (on the table right next to the wired clients) on the guest wireless gets an IP address as expected as well.
    Open a continuous ping to the gateway 172.16.16.1 on all three machines.
    The two desktops will ping for a few minutes and then stop for 30 seconds or longer.  Wireless client will keep its connection.  (you might think it would be the other way around)
    I understand there is a 65,535 second inactivity timeout, but I am only sitting here for minutes, not 18 hours when this happens.
    On the wired desktops, you have to bring up a browser and log back in just as you do on a wireless client ever few minutes.  After debugging the client, I found a "failed to find scb" message in the output.
    The other trick here is that the wired clients are miles away from where I can actually get on the CLI of the controller.  This makes it difficult to run a debug and bring up a browser since I am not local to the machines when running debugs.
    Has anyone ever see this behavior?  Has anyone see the "failed to find scb" message?
    Thanks in advance!
    Succ
    essfully plumbed mobile rule (ACL ID 255)
    *pemReceiveTask: Dec 30 11:33:15.735: 00:25:b3:ce:cb:ef 0.0.0.0 tokenID = 5
    *pemReceiveTask: Dec 30 11:33:15.735: 00:25:b3:ce:cb:ef Set bi-dir guest tunn
    el for 00:25:b3:ce:cb:ef as in Export Foreign role
    *pemReceiveTask: Dec 30 11:33:15.735: 00:25:b3:ce:cb:ef 0.0.0.0 Added NPU ent
    ry of type 1, dtlFlags 0x4
    *spamReceiveTask: Dec 30 11:34:54.569: CCKM: Send CCKM cache entry
    FP08:(33207772)[cmdSendNodeInfo:3787]failed to find scb 0023.2422.c6eb
    *mmListen: Dec 30 11:35:58.539: 00:25:b3:ce:cb:ef Scheduling deletion of Mobi
    le Station: (callerId: 73) in 1 seconds
    *mmListen: Dec 30 11:35:59.471: 00:25:b3:ce:cb:ef Scheduling deletion of Mobi

    I found it in the document
    B.1 How Logout Works
    The WebGate logs a user out when it receives a URL containing "logout." (including the "."), with the exceptions of logout.gif and logout.jpg, for example, logout.html or logout.pl. When the WebGate receives a URL with this string, the value of the ObSSOCookie is set to "logout."
    The Access System sets an obSSOCookie for each user or application that accesses a resource protected by a WebGate. The obSSOCookie enables users to access resources that are protected by the Access System that have the same or a lower authentication level. Removing the ObSSOcookie causes the WebGate to log the user out and requires the user to re-authenticate the next time he or she requests a resource that is protected by the Access System.
    Well, I havn't got that far in the document:)
    Thanks a lot for your help.
    -Wei

  • Wired guest access on WLC 4400 with SW 7.0.240.0

    Hello,
    after we upgrade our Wlan-controller 4400 from software 7.0.116.0 to 7.0.240.0
    wired guest access don't work anymore.
    All other things works fine, incl. WLAN guest access!
    When we try wired guest access, we get the web-authentication page and can log in.
    On the controller we can see that the Policy Manager State changes from WEBAUTH_REQD
    to RUN.
    But then there is no access to the internet.
    We tried also SW 7.0.250.0, same problem!
    Log Analysis on the WCS:
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :The WLAN to which client is connecting does not require 802 1x authentication.
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client does not have an IP address yet.
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client L3 authentication is required
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client Moved to DHCP Required State.
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Mobility role update request. from Unassociated to Local Peer = 0.0.0.0, Old Anchor = 0.0.0.0, New Anchor = 10.101.200.11
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Mobility role changed. State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :DHCP successful.
    Time :03/12/2014 14:21:26 MEZ Severity :ERROR Controller IP :10.101.200.11 Message :Client got an IP address successfully and the WLAN requires Web Auth or Web Auth pass through.
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client IP address is assigned.
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Webauth user logged in to the network. manni
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :AAA response message sent.
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client has completed Web Auth successfully.
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client has completed Web Auth successfully.
    Trying http://www.google.de .... doesnt work. No Log Entries. Next entries while logging out.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Web auth is being triggered again.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client L2 authentication has been completed successfully.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client Moved to DHCP Required State.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :WebAuth user Logged out from network.
    Has someone a idea how to solve this problem?
    Regards
    Manfred

    Hi
    Yes got it resolved. It turns out that the connection from the wired guest access port to the WLC must be L2. That is the switch that the wired guest acces sport is connected and WLC are connected to must be L2 only. We were using a single switch to do the testing and it was also doing the routing for the test LAN. Even though there was no L3 VLAN interface configured for the VLAN that the guest access port was on for some reason this breaks it. Absolu Didnt have chance to work out the exact limitations of this as we simply made the switch L2 only and configured an 802.1Q trunk to the Internet router and made subinterfaces on the router for the wired and wireless egress ports and it worked then. No config change was needed on the WLC at all.
    The only thing I can think of is that it's something about the way the WLC joins the wired guest access ingress VLAn and egress VLAN. The WLC isn't a reall router it says so in the documentation. I think the packet coming from the wired access port is being bridged to the egress VLAn not routed and this is what screws it up (remeber with a router the source and destination MAC addresses would be changed with a bridge they aren't). Got to be something along those lines. If you have a bigger newtork with a guest anchor WLC handling this function you dont run into this as the traffic is coming over an EOIP tunnle from the remote WLC so the switch with the guest anchor WLC doesnt see the MAC address of the wired guest PC.

  • Ask the Experts: Wired Guest Access

    Sharath K.P.
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions on wired guest access with expert Sharath K.P. Wired guest access enables guest users to connect to the guest access network from a wired Ethernet connection designated and configured for guest access. Sharath K.P. is a Customer Support Engineer specialized in wireless and switching technologies at the Technical Assistance Center in Cisco Bangalore. He has been troubleshooting wireless and switching networks and management tools since 2009. Sharath has a bachelor's degree in Electrical Electronics Engineering from P.E.S College of Engineering (PESCE), VTU at Belgaum. India. He holds CCNP certifications in R&S and Wireless.
    Remember to use the rating system to let Sharath know if you have received an adequate response. 
    Sharath might not be able to answer each question due to the volume expected during this event.
    Remember that you can continue the conversation on the Wireless and Mobility sub-community discussion forum shortly after the event. This event lasts
    through January 27, 2012. Visit this forum often to view responses to your questions and the questions
    of other community members.

    Hi Daniel ,
    Wonderful observation and great question .
    Yes, we dont find any recommendation or inputs in Cisco Docs on scenarios  where  we  have multiple foriegn WLC's present .When we go through the Cisco Doc available for Wired Guest Access
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml
    Two separate solutions are available to the customers:
    A single WLAN controller (VLAN Translation mode) - the access switch  trunks the wired guest traffic in the guest VLAN to the WLAN controller  that provides the wired guest access solution. This controller carries  out the VLAN translation from the ingress wired guest VLAN to the egress  VLAN.
    Two WLAN controllers (Auto Anchor mode) - the access switch trunks  the wired guest traffic to a local WLAN controller (the controller  nearest to the access switch). This local WLAN controller anchors the  client onto a DMZ Anchor WLAN controller that is configured for wired  and wireless guest access. After a successful handoff of the client to  the DMZ anchor controller, the DHCP IP address assignment,  authentication of the client, etc. are handled in the DMZ WLC. After it  completes the authentication, the client is allowed to send/receive  traffic.
    So  as per Cisco best pratices using multiple foreign controllers for the same wired guest VLAN is not supported and the results will be unpredictable
    I do understand the confusion regarding such scenario's as this( Multiple foriegn WLC's) is a very general setup which customer would like to deploy .
    We have already opened a bug for the same (Little late though )
    BUG ID :CSCtw44999
    The WLC Config Guide should clarify our support for redundancy options for wired guest
    Symptom:
    Do not trunk a wired guest VLAN to multiple foreign controllers.  This is not supported, and will
    generate unpredictable results.
    Some of the other tthat changes we will be making as a part of doc correction would be
    http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_user_accts.html#wp1066125
    1. The WiSM2 needs to be added as a supported controller.  (Not sure about the 7500, check with PM)
    2. Where it says "Do not attempt to trunk a guest VLAN on the Catalyst 3750G ...", this should read:
    "Do not trunk a wired guest VLAN to multiple foreign controllers.  This is not supported, and will
    generate unpredictable results."
    3. Add at least a line mentioning support for multiple anchors for a guest wired LAN.
    Now  if you already have such deployments , ther criteria would be that nearest WLC on the broadcast domain (Layer 2) would  respond to the client associtation request .
    Cisco Controller) >Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 Adding mobile on Wired Guest 00:00:00:00:00:00(0)
    Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 apfHandleWiredGuestMobileStation (apf_wired_guest.c:121) Changing state for mobile
    00:0d:60:5e:ca:62 on AP 00:00:00: 00:00:00 from Idle to Associated .
    I hope the above explanation could clarify your doubts to certain extent and also keep you
    informed on Cisco's  roadmap on this feature .
    Regards ,
    Sharath K.P.

  • 2106 and Wired Guest Access

    Hi,
    It seems that the 2100 models do not support wired guest access. I wondered if the following work around might work?
    We are using a 2106 with a wireless guest network anchored to a 5508.
    Would it be possible to configure an Autonomous AP in WGB mode and configure it to connect to the visitor wlan?
    Would wired clients then be able to connect through the autonmous AP and use web authentication?
    Cheers

    I opened a TAC with Cisco.
    Here was the repsonse.
    Unfortunately this is not a supported feature , please have a look at the following
    ·         These lightweight features are supported for use with a workgroup bridge:
    – Guest N+1 redundancy
    – Local EAP
    ·         These lightweight features are not supported for use with a workgroup bridge:
    – Cisco Centralized Key Management (CCKM)
    – Hybrid REAP
    – Idle timeout
    – Web authentication
    Note If a workgroup bridge associates to a web-authentication WLAN, the workgroup bridge is added to the exclusion list, and all of the workgroup bridge wired clients are deleted.
    So it is not possible. Just thought I'd share this in case anyone else came across the same issue.

  • WIRED GUEST ACCESS WLC 5508

    Hi Guys, 
    I've just set up a wired guest access for my HQ but I'm wondering if it is possible to do the same in a branch office because We do not have another controller in this site, could this be accomplished using the wlc of the hq?
    Any ideas please.
    Regards
    Oscar

    If you have L2 communication between HQ &  BR, this is possible (then you can extend your wired user vlan to your WLC).
    Otherwise you have to have a WLC at your branch as well.
    http://mrncciew.com/2013/03/26/wired-guest-access/
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Wired guest access support on SRE G2

    I have been trying to find info on support for wired guest access on SRE wireless module. Is it supported? Also, does 2100 wlc support it? I am running into sizing issues as I am seeing in documentation that it is supported on WiSM, 4400 (end of life), 5500, and 3750G (end of life). So, Am I only left with 5500? These are bunch of branch offices and do not know if having 5500 in each site is financially feasible. There is a requirement to have all these networks separate so we cannnot share controllers. Thank you in advance.

    It's more like "all WLCs support what is in config guide unless stated otherwise".
    http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps7206/ps7221/product_data_sheet0900aecd805aaab9.html
    the Cisco 2100 Series enables administrators to  securely manage WLANs and mobility services, such as enhanced security,  voice, guest access, and location services."
    It says nowhere that the SRE can't do wired/wireless. So it does the same as other WLCs from that point of view

  • ISE with CWA and wired guest access via WLC Anchor

    Can an Anchor WLC (WLCa) provide a wired guest LAN service if the wlan guest access is using CWA?
    We are deploying a WLAN only ISE solution (it is a full license ISE though) but they just want a few wired guest ports.  I was hoping to add L2 switch to the DMZ where the WLCa is and that the L2 switch wouldnt need any other config as the WLCa just bridges the wired to the wlan vlan.  This Im sure i have done before.
    So now I have set wiredguest the same as i have done before ISE and my wired clients get an IP address, but when they redirect, the URL they get is different, and the redirect just doesnt work.
    It comes out as:
    https://my_ise_ip:8443/guestportal/Login.action?switch_url=https://my_ise_host/login.html&wlan=my_wired_guest_lan&redirect=www.google.co.uk
    So does my simple L2 only switch need an ISE config on it or should the WLCa be handling or the redirection just as it would for a wlan device.

    The ISE never receives an auth entry, so i dont believe the redirect is working for the wired client.  So even though the clients browser gets a redirect url which fails connection, the client info in the WLCa doesnt have a redirect ACL listed like a wlan client would

  • Wired guest access - Unable to access network

    Hello,
    I've configured two WLC's with the exact same config one of them has working Wired guest network the other one does not.
    The only difference in the two I know of is that the one that does not work is connected to a Cisco 3550 switch, the one that works is connected to a Cisco 7600.
    The problem is when I connect a computer to the wired guest network I am able to get an IP address from the Internal DHCP server but unable to access the network.
    I've tried pinging the gateway's IP and I get no answer.
    The Port-channel interface has the correct VLans and the vlans exist on all switches.
    If anyone see an error there or might have an idea why this is not working I would appreciate the feedback.
    Config follows below..
    regards,
    Gk

    (Cisco Controller) >show running-config
    802.11a cac voice tspec-inactivity-timeout ignore
    802.11a cac voice stream-size 84000 max-streams 2
    802.11b cac voice tspec-inactivity-timeout ignore
    802.11b cac voice stream-size 84000 max-streams 2
    location rssi-half-life tags 0
    location rssi-half-life client 0
    location rssi-half-life rogue-aps 0
    location expiry tags 5
    location expiry client 5
    location expiry calibrating-client 5
    location expiry rogue-aps 5
    Cisco Public Safety is not allowed to set in thisdomain
    ap syslog host global 255.255.255.255
    auth-list ap-policy ssc enable
    custom-web ext-webserver add 1 217.28.176.114
    dhcp create-scope guestnetwork
    dhcp address-pool guestnetwork 192.168.34.2 192.168.34.200
    dhcp default-router guestnetwork 192.168.34.254
    dhcp enable guestnetwork
    dhcp dns-servers guestnetwork 212.30.200.200 212.30.200.199
    dhcp network guestnetwork 192.168.34.0 255.255.255.0
    local-auth method fast server-key *****
    interface create guestnetwork 331
    interface create guestnetwork-wired 332
    interface address ap-manager 10.255.255.90 255.255.255.248 10.255.255.94
    interface address dynamic-interface guestnetwork 192.168.34.1 255.255.255.0 192.168.34.254
    interface address dynamic-interface guestnetwork-wired 192.168.35.1 255.255.255.0 192.168.35.254
    interface address management 10.255.255.89 255.255.255.248 10.255.255.94
    interface address service-port 10.60.4.200 255.255.255.0
    interface address virtual 1.1.1.1
    interface dhcp ap-manager primary 10.255.255.89
    interface dhcp dynamic-interface guestnetwork primary 10.255.255.89
    interface dhcp management primary 10.255.255.89
    interface dhcp service-port disable
    interface vlan ap-manager 226
    interface vlan guestnetwork 331
    interface vlan guestnetwork-wired 332
    interface vlan management 226
    interface port ap-manager 29
    interface port guestnetwork 29
    interface port guestnetwork-wired 29
    interface port management 29
    lag enable
    load-balancing window 5
    mesh security eap
    mgmtuser add root **** read-write
    mobility group domain XXXXXXX
    mobility symmetric-tunneling enable
    network otap-mode disable
    network rf-network-name XXXXXXX
    radius acct add 1 XXXXXXX 1813 ascii ****
    radius auth add 1 XXXXXXX 1812 ascii ****
    radius auth management 1 disable
    spanningtree port mode off 1
    spanningtree port mode off 2
    sysname XXXXXXX
    time ntp interval 3600
    time ntp server 1 XXXXXXX
    wlan create 1 hotspot hotspot
    guest-lan create 1 hotspot-wired
    wlan interface 1 guestnetwork
    guest-lan interface 1 guestnetwork
    wlan custom-web webauth-type external 1
    wlan custom-web ext-webauth-url https://XXXXXXX
    wlan session-timeout 1 disable
    wlan wmm allow 1
    wlan wmm allow 18
    wlan security wpa disable 1
    wlan security wpa disable 18
    wlan radius_server auth add 1 1
    wlan radius_server acct add 1 1
    guest-lan radius_server auth add 1 1
    guest-lan radius_server acct add 1 1
    wlan dhcp_server 1 0.0.0.0 required required
    wlan enable 1
    guest-lan enable 1

  • Preauth ACL for Wired guest not working

    Hi Guys,
    I have 5508 wireless lan controller running code 7.2. We recently implemented Wired guest access on the WLC and configured necessary changes on the switch. We also have wireless guest profile as well configured on the WLC. We have some people who usually use Jabber client for video conferencing so what we have done is we have configured a preauth acl so that if any users connect to the wireless guest profile they automatically connect to the Jabber server without going through the Web auth. We have applied the same ACL in the Wired guest profile as well but the problem is that Jabber is not able to connect unless we manually go through web browser and then authenticate, but it is working normally for wireless guest access without the web authentication. Let me know if this is some kind of bug or a known issue which can fixed in some way. Thanks in advance
    - Krishna

    Krishna:
    Can you please confirm if other type of traffic (other than jabber traffic) is allowed by the pre-auth ACL?
    try - for testing - to allow traffic -by same ACL -  to some other destination and try via normal user to ping to open whatever session with that destination.
    let me know if that works or not.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Wired Guest in 5.x 4402 - Does it Work???

    Anyone get Wired Guest access working using the latest code 5.148 (or any code for that matter). In particular has anyone been sucessful using 1 WLC with ingress and egress on same controller. I have been trying for a week and does not work no matter what.
    Thanks for all responses....

    Armonk-
    See next post with attached .doc
    This post was trimmed.
    4402 config
    -Ingress int
    Create a new interface <. myguests-ingress> assign it a VLAN ID <44>
    Check the box that says Guest LAN
    This interface has no IP, it is Layer2 only!
    If there is an IP associated with this VLAN (anywhere), create another VLAN.
    -Egress int (if you are already using one for wireless guest access, you can skip this step and reuse that one, I did!) It will not be called “Egress” on the wireless, just interface. If you don't have one already, you need to create it
    Create a new interface , assign it a different VLAN <55> than your ingress interface
    Assign IP, netmask, and gateway info < 192.168.100.10, 255.255.255.0, 192.168.100.1 > (see Router section below)
    I used addresses that were NOT on my business network, so guest IPs are easily distinguished from employees
    Also since this traffic is within a VLAN, I need to route this traffic at some point to access my gateway
    If you want to give guests DHCP addresses, assign a Primary DHCP Server to this interface (see DHCP section below)
    Since I was using the WLC for DHCP, I put the IP of my management interface (or another of your choice)
    -Internal DHCP (if you are using your WLC for DHCP this needs to be configured)
    Start <192.168.100.100 > (same subnet as "egress")
    End <192.168.100.200>
    Network <192.168.100.0>
    Mask <255.255.255.0>
    Lease <86400>
    Default router <192.168.100.1> (same as your gateway above)
    This is really just an IP to route between VLANs, it may not exist yet
    Don't worry if this is on another subnet as your real gateway (it should be), this is just a gateway IP for this subnet
    You can route between VLANs (that's what I did) on your router
    DNS server <10.10.10.50> (this a local DNS, but you could use anything I guess, even your ISPs DNS server)
    Status = Enabled
    -WLAN
    Create a new WLAN, select Guest LAN as the type
    Ingress is a L2 VLAN
    Egress is a L3 VLAN or previously configured VLAN
    Security Tab, select Web Auth/Pass
    Advanced Tab, specify your DHCP
    Check override (required for external DHCP)
    Was not able to check DHCP Addr. Assignment = Required (bug?)
    General Tab, check status = Enabled
    Ignore the error; this is a bug!
    Core Switch configuration (these commands are in CatOS)
    Since wired guest access uses the same interface (in my config,) I did not have to do this step as it was done previously.
    You need to configure your core switch to allow VLAN traffic from your WLC interfaces
    VTP and VTP domain were previously configured; you may need to do this if you have never done VLANs on this switch
    # set vlan 44 name MYGUESTS-INBOUND - - - IOS will be different
    # set vlan 55 name MYGUESTS-OUTBOUND - - - IOS will be different
    If you already have a vlan for wireless guests this step is already done
    Setup trunking on the port coming from the WLC to your switch (I chose mod/port =3/5, yours will be different)
    # set trunk 3/5 on dot1q - - - IOS will be different
    This allows VLANs to traverse from the WLC to the switch, (you could specify which VLANs only)
    I have created VLAN ACLs that restrict the access of guests, but that can be done after this is up and working
    Now this next step was required for my environment, but I am not sure that all setups can be done like this. I have another DHCP server on my network, so I wanted to make sure that there was not a conflict. To do this I specified a port on my core switch to accept VLAN traffic for my ingress interface
    Configure a port on my core switch to accept wired guest traffic (I chose mod/port =3/6, yours will be different)
    # set vlan 44 3/6 - - - IOS will be different
    It's possible you may also need to allow your egress VLAN depending on your setup
    Dumb switch
    Plug switch into the port specified

  • Guest Access in 4.2.112/130 code

    I've just upgraded our controllers from 4.1.185 to 4.2.130 and have noticed some new settings and features for Guest access, specifically on the interfaces and the wlans. Can some one point me to an updated guide on the explanation of these new additions and the recommend setup now? Until I see an explanation on paper so as I can fully understand it, I don't want to change my current setup. i.e. Guest Lan, Ingress Interface, Egress Interface.

    Here is an even better link:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml
    the nutshell....
    "A growing number of companies recognizes the need to provide Internet access to its customers, partners, and consultants when they visit their facilities. With the new Wired Guest Access feature support on the Cisco WLAN Controllers that uses Cisco Unified Wireless Software Release 4.2.61.0 and later, IT managers can provide wired and wireless secured and controlled access to the Internet for guests on the same wireless LAN controller.
    Guest users must be allowed to connect to designated Ethernet ports and access the guest network as configured by the administrator after they complete the configured authentication methods. Wireless guest users can easily connect to the WLAN Controllers with the current guest access features. In addition, WCS, along with basic configuration and management of WLAN Controllers, provides enhanced guest user services. For customers who have already deployed or plan to deploy WLAN Controllers and WCS in their network, they can leverage the same infrastructure for wired guest access. This provides a unified wireless and wired guest access experience to the end users."

  • Maximum number of wired guest clients ??

    Does anybody knows which is the maximum number of simultaneous wired guest clients on a 5508? And in a 2112 controller?
    Wired clients count as wireless clients??
    What about anchoring limitations, what is the effect of wired guest clients on the anchor controller?

    2100 series WLC do not support Wired Guest Access.. 5500 wlc supports.. and i guess 5508 WLC can support max 150 simultaneous logins..
    Lemme know if this naswered ur question and please dont forget to rate the usefull posts!!
    Regards
    Surendra

  • Wired Guest on Layer 3 network

    HI
    Per cco, http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/c42users.html#wpmkr1074101
    I have a WLC running 5.2.193.0 named WLC-CA1 as a foreign WLC which anchors to another WLC-CA2 at a diff site that holds the guest access meaning it goes through a trunk that has a vlan where my DSL/DHCP router resides
    I want both WIFI and Wired Guest access from WLC-CA1 assuming it anchors over to WLC-CA2. Guest Wifi works but Guest Wired doesn't. This is because I am on a Layer 3 topology so assume I have to be on Layer 2. Is there a way around this?
    Thx

    The VLAN that he wired guest users has to be a layer-2 vlan only.

Maybe you are looking for

  • When i plug my iPod in, it does not recognize it...HELP

    When i plug my iPod Nano 2nd Generation in to anything-AC adaptor or computer- it starts charging, then all of a sudden stops charging after about two seconds. When I plug it in to my computer, iTunes doesn't pop up like is used to. This started afte

  • Converting Excel or other data to J2ME database

    My freeware tool for converting Excel or other data to J2ME database http://translate.google.com/translate?hl=en&sl=ru&u=http://sss1024.googlepages.com/ Could anybody help me in testing?

  • Scsi controller

    Does the  HP Smart Array 6400 Controller work on Windows 7 64Bit? I would like to have 2 SCSI drives as boot Raid 0 if possible. Thanks.

  • Error Compiling Movie: Unknown Error +4k +Clip scale

    Just found an interesting issue, and solved it... thought I would share it with you guys as well. I received the Error Compiling Movie: Unknown Error when rendering a 1080 timeline with 4k footage all from RED. The whole timeline was "Scale to Frame

  • XY point control

    I'm controlling a 2 axis actuator system using LabVIEW. I'd like to use a front panel control to set both axis values with one mouse movement - like a 2D slider control. The user would click on a object and drag it with the mouse and the control term