Wired Guest on Layer 3 network

HI
Per cco, http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/c42users.html#wpmkr1074101
I have a WLC running 5.2.193.0 named WLC-CA1 as a foreign WLC which anchors to another WLC-CA2 at a diff site that holds the guest access meaning it goes through a trunk that has a vlan where my DSL/DHCP router resides
I want both WIFI and Wired Guest access from WLC-CA1 assuming it anchors over to WLC-CA2. Guest Wifi works but Guest Wired doesn't. This is because I am on a Layer 3 topology so assume I have to be on Layer 2. Is there a way around this?
Thx

The VLAN that he wired guest users has to be a layer-2 vlan only.

Similar Messages

  • Wired Guest Network

    To the forum,
    I am trying to create a guest wired network using my WLC 4402 (5.2.193.0). I have attached a diagram of basic lay out. I am using this document - http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml - as a guide. The problem is I have a single WLC and not anchor in the DMZ. When I try to configure a ingress interface for the "WLAN" my only option is none.
    My plan is trunk the layer 2 link that terminates on my perimeter firewall with both VLAN 199 (Guest wireless) and VLAN 198 (Guest Wired).
    I would greatly appreciate any input or suggestions.
    Doug

    Doug,
    You must create a "guest LAN" layer 2 interface on the WLC.  This will be the ingress interface on the L2 vlan the wired guest will be in. Then the egress interface is going to be the L3 network those clients will actually have their IPs in.
    Lee

  • WLC - Layer 3 Wired guest lan ?

    Hello
    Has anyone been able to do this with a WLC, configuration guidlines say :"
    "Wired guest access ports must be in the same Layer 2 network as the foreign controller."
    Anyone know if Cisco is working on making this solution work on L3 aswell ?
    Regards,
    Gk

    Hi gudmundurk,
    I'm not sure if they would consider it worth developing as you would have to create a tunnel between the guest vlan's gateway and the subnet that the controller is on to keep your network secure anyway. Unless someone out there knows..........
    Regards
    Scott

  • Wired guest access - Unable to access network

    Hello,
    I've configured two WLC's with the exact same config one of them has working Wired guest network the other one does not.
    The only difference in the two I know of is that the one that does not work is connected to a Cisco 3550 switch, the one that works is connected to a Cisco 7600.
    The problem is when I connect a computer to the wired guest network I am able to get an IP address from the Internal DHCP server but unable to access the network.
    I've tried pinging the gateway's IP and I get no answer.
    The Port-channel interface has the correct VLans and the vlans exist on all switches.
    If anyone see an error there or might have an idea why this is not working I would appreciate the feedback.
    Config follows below..
    regards,
    Gk

    (Cisco Controller) >show running-config
    802.11a cac voice tspec-inactivity-timeout ignore
    802.11a cac voice stream-size 84000 max-streams 2
    802.11b cac voice tspec-inactivity-timeout ignore
    802.11b cac voice stream-size 84000 max-streams 2
    location rssi-half-life tags 0
    location rssi-half-life client 0
    location rssi-half-life rogue-aps 0
    location expiry tags 5
    location expiry client 5
    location expiry calibrating-client 5
    location expiry rogue-aps 5
    Cisco Public Safety is not allowed to set in thisdomain
    ap syslog host global 255.255.255.255
    auth-list ap-policy ssc enable
    custom-web ext-webserver add 1 217.28.176.114
    dhcp create-scope guestnetwork
    dhcp address-pool guestnetwork 192.168.34.2 192.168.34.200
    dhcp default-router guestnetwork 192.168.34.254
    dhcp enable guestnetwork
    dhcp dns-servers guestnetwork 212.30.200.200 212.30.200.199
    dhcp network guestnetwork 192.168.34.0 255.255.255.0
    local-auth method fast server-key *****
    interface create guestnetwork 331
    interface create guestnetwork-wired 332
    interface address ap-manager 10.255.255.90 255.255.255.248 10.255.255.94
    interface address dynamic-interface guestnetwork 192.168.34.1 255.255.255.0 192.168.34.254
    interface address dynamic-interface guestnetwork-wired 192.168.35.1 255.255.255.0 192.168.35.254
    interface address management 10.255.255.89 255.255.255.248 10.255.255.94
    interface address service-port 10.60.4.200 255.255.255.0
    interface address virtual 1.1.1.1
    interface dhcp ap-manager primary 10.255.255.89
    interface dhcp dynamic-interface guestnetwork primary 10.255.255.89
    interface dhcp management primary 10.255.255.89
    interface dhcp service-port disable
    interface vlan ap-manager 226
    interface vlan guestnetwork 331
    interface vlan guestnetwork-wired 332
    interface vlan management 226
    interface port ap-manager 29
    interface port guestnetwork 29
    interface port guestnetwork-wired 29
    interface port management 29
    lag enable
    load-balancing window 5
    mesh security eap
    mgmtuser add root **** read-write
    mobility group domain XXXXXXX
    mobility symmetric-tunneling enable
    network otap-mode disable
    network rf-network-name XXXXXXX
    radius acct add 1 XXXXXXX 1813 ascii ****
    radius auth add 1 XXXXXXX 1812 ascii ****
    radius auth management 1 disable
    spanningtree port mode off 1
    spanningtree port mode off 2
    sysname XXXXXXX
    time ntp interval 3600
    time ntp server 1 XXXXXXX
    wlan create 1 hotspot hotspot
    guest-lan create 1 hotspot-wired
    wlan interface 1 guestnetwork
    guest-lan interface 1 guestnetwork
    wlan custom-web webauth-type external 1
    wlan custom-web ext-webauth-url https://XXXXXXX
    wlan session-timeout 1 disable
    wlan wmm allow 1
    wlan wmm allow 18
    wlan security wpa disable 1
    wlan security wpa disable 18
    wlan radius_server auth add 1 1
    wlan radius_server acct add 1 1
    guest-lan radius_server auth add 1 1
    guest-lan radius_server acct add 1 1
    wlan dhcp_server 1 0.0.0.0 required required
    wlan enable 1
    guest-lan enable 1

  • Wired guest

    Respected members of this community... :) I need help.
    The last couple of days i spend implementing unified wireless at a customers site.
    We used the latest versions of the controller and WCS software.
    This new software offers a new feature, wired guest.
    Since we already implemented 802.1x with a guest VLAN on the wired network last year, we wanted to offer the guest access functionality on the wired LAN as well.
    So first we implemented wireless guest access, which worked fairly quickly.
    Then we added another interface on the controllers, which matched the already existing wired guest VLAN. First we wanted to use that VLAN for wireless guests as well as wired, but we found out that is not possible (so we created a new wireless guest VLAN). Then we added a new WLAN wich we marked for wired guest.
    Anyway, we followed the documentation and...could not get it to work.
    The network is a layer 3 routed network with 40 or so VLANs. The controllers are connected to the core switch (with nicely configured trunks), which does all the routing.
    DHCP is the first thing that didn't work. The interfaces we created on the controllers have the guest lan checkbox checked, ingress interface is the guest VLAN, egress interface is the mngt interface.
    The DHCP relay function did not work.
    DHCP will work with IP-helper configured on the VLAN interface on the core router, but this al goes outside of the controllers.
    This is by the way the major thing i do not understand. With wireless, all traffic goes via de controller through the LWAPP tunel. But with wired, my layer 2 VLAN ends on the core switch, not on the controller.
    So what should the default gateway be for that VLAN? The interface VLAN of the coreswitch or one of the controller IP adresses?
    Traffic should be directed to the controllers (i guess?) to enable them to catch HTTP and send the redirect to the webauth page.
    But if you set the default gateway to the controllers, DNS does not work because the controllers do not forward traffic untill after authentication, but for this to work, you need DNS for the client to start the HTTP session.
    Is there anyone out there who has this working, including DHCP?
    The customers network is flexible, we can build almost anything we want there, so iw we need to change something, we can.
    Wireless guest was no problem at all, and de data WLAN, including 802.1x, auth on AD and dynamic VLAN assignment worked perfectly. So we did get something to work actually... :)

    Does this help?
    <http://www.cisco.com/warp/public/102/wired_guest_access.pdf>
    Also keep in mind that the clients and the controller needs L2 adjacency (i.e. the Guest-VLANs would need to be trunked directly to the controller where you define the Guest-WLAN).
    I assume you have already deployed an anchor controller for wireless Guest traffic. So, the idea is to leverage the same EoIP tunnel infrastructure also for wired guest traffic. DHCP/DNS traffic should be blindly tunneled across this infrastructure, so your network services should be deployed in the anchor controller location (i.e. DMZ). Keep in mind again, that this design implements a logical L2 connection from the endpoints to the anchor controller.
    Hope this helps,

  • Wired Guest Using ISE Interface

    Ive scoured the forums for a solution but struck out looking for design tips. I have a centralized guest wireless using ISE with CWA on an anchor controller and it works great. Now I need to create wired guest network for my remote sites. Is this possible using an interface on my 3415 running ISE, or can the anchor controller be used some how?
    The 3415 sits in my Pennsylvania data center. It has a new dedicated interface going to the internet for guest traffic. Can this interface be used as a redirect for a guest at a remote site? If so, is there documentation detailing the basic steps to implement this?
    Thanks in advance!

    If you are already authenticating your wireless users and anchoring them to a DMZ you can do the same with wired users as long as you have a foreign controller layer 2 adjacent to the wired guests.  
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/99470-config-wiredguest-00.html
    You would just need to set the VLAN on the port for the guest users, or if you want you can use ISE wired AuthZ policy to place the guest users into the correct VLAN, or FlexAuth using guest VLANs.  

  • Ask the Experts: Wired Guest Access

    Sharath K.P.
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions on wired guest access with expert Sharath K.P. Wired guest access enables guest users to connect to the guest access network from a wired Ethernet connection designated and configured for guest access. Sharath K.P. is a Customer Support Engineer specialized in wireless and switching technologies at the Technical Assistance Center in Cisco Bangalore. He has been troubleshooting wireless and switching networks and management tools since 2009. Sharath has a bachelor's degree in Electrical Electronics Engineering from P.E.S College of Engineering (PESCE), VTU at Belgaum. India. He holds CCNP certifications in R&S and Wireless.
    Remember to use the rating system to let Sharath know if you have received an adequate response. 
    Sharath might not be able to answer each question due to the volume expected during this event.
    Remember that you can continue the conversation on the Wireless and Mobility sub-community discussion forum shortly after the event. This event lasts
    through January 27, 2012. Visit this forum often to view responses to your questions and the questions
    of other community members.

    Hi Daniel ,
    Wonderful observation and great question .
    Yes, we dont find any recommendation or inputs in Cisco Docs on scenarios  where  we  have multiple foriegn WLC's present .When we go through the Cisco Doc available for Wired Guest Access
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml
    Two separate solutions are available to the customers:
    A single WLAN controller (VLAN Translation mode) - the access switch  trunks the wired guest traffic in the guest VLAN to the WLAN controller  that provides the wired guest access solution. This controller carries  out the VLAN translation from the ingress wired guest VLAN to the egress  VLAN.
    Two WLAN controllers (Auto Anchor mode) - the access switch trunks  the wired guest traffic to a local WLAN controller (the controller  nearest to the access switch). This local WLAN controller anchors the  client onto a DMZ Anchor WLAN controller that is configured for wired  and wireless guest access. After a successful handoff of the client to  the DMZ anchor controller, the DHCP IP address assignment,  authentication of the client, etc. are handled in the DMZ WLC. After it  completes the authentication, the client is allowed to send/receive  traffic.
    So  as per Cisco best pratices using multiple foreign controllers for the same wired guest VLAN is not supported and the results will be unpredictable
    I do understand the confusion regarding such scenario's as this( Multiple foriegn WLC's) is a very general setup which customer would like to deploy .
    We have already opened a bug for the same (Little late though )
    BUG ID :CSCtw44999
    The WLC Config Guide should clarify our support for redundancy options for wired guest
    Symptom:
    Do not trunk a wired guest VLAN to multiple foreign controllers.  This is not supported, and will
    generate unpredictable results.
    Some of the other tthat changes we will be making as a part of doc correction would be
    http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_user_accts.html#wp1066125
    1. The WiSM2 needs to be added as a supported controller.  (Not sure about the 7500, check with PM)
    2. Where it says "Do not attempt to trunk a guest VLAN on the Catalyst 3750G ...", this should read:
    "Do not trunk a wired guest VLAN to multiple foreign controllers.  This is not supported, and will
    generate unpredictable results."
    3. Add at least a line mentioning support for multiple anchors for a guest wired LAN.
    Now  if you already have such deployments , ther criteria would be that nearest WLC on the broadcast domain (Layer 2) would  respond to the client associtation request .
    Cisco Controller) >Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 Adding mobile on Wired Guest 00:00:00:00:00:00(0)
    Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 apfHandleWiredGuestMobileStation (apf_wired_guest.c:121) Changing state for mobile
    00:0d:60:5e:ca:62 on AP 00:00:00: 00:00:00 from Idle to Associated .
    I hope the above explanation could clarify your doubts to certain extent and also keep you
    informed on Cisco's  roadmap on this feature .
    Regards ,
    Sharath K.P.

  • Wired Guest in 5.x 4402 - Does it Work???

    Anyone get Wired Guest access working using the latest code 5.148 (or any code for that matter). In particular has anyone been sucessful using 1 WLC with ingress and egress on same controller. I have been trying for a week and does not work no matter what.
    Thanks for all responses....

    Armonk-
    See next post with attached .doc
    This post was trimmed.
    4402 config
    -Ingress int
    Create a new interface <. myguests-ingress> assign it a VLAN ID <44>
    Check the box that says Guest LAN
    This interface has no IP, it is Layer2 only!
    If there is an IP associated with this VLAN (anywhere), create another VLAN.
    -Egress int (if you are already using one for wireless guest access, you can skip this step and reuse that one, I did!) It will not be called “Egress” on the wireless, just interface. If you don't have one already, you need to create it
    Create a new interface , assign it a different VLAN <55> than your ingress interface
    Assign IP, netmask, and gateway info < 192.168.100.10, 255.255.255.0, 192.168.100.1 > (see Router section below)
    I used addresses that were NOT on my business network, so guest IPs are easily distinguished from employees
    Also since this traffic is within a VLAN, I need to route this traffic at some point to access my gateway
    If you want to give guests DHCP addresses, assign a Primary DHCP Server to this interface (see DHCP section below)
    Since I was using the WLC for DHCP, I put the IP of my management interface (or another of your choice)
    -Internal DHCP (if you are using your WLC for DHCP this needs to be configured)
    Start <192.168.100.100 > (same subnet as "egress")
    End <192.168.100.200>
    Network <192.168.100.0>
    Mask <255.255.255.0>
    Lease <86400>
    Default router <192.168.100.1> (same as your gateway above)
    This is really just an IP to route between VLANs, it may not exist yet
    Don't worry if this is on another subnet as your real gateway (it should be), this is just a gateway IP for this subnet
    You can route between VLANs (that's what I did) on your router
    DNS server <10.10.10.50> (this a local DNS, but you could use anything I guess, even your ISPs DNS server)
    Status = Enabled
    -WLAN
    Create a new WLAN, select Guest LAN as the type
    Ingress is a L2 VLAN
    Egress is a L3 VLAN or previously configured VLAN
    Security Tab, select Web Auth/Pass
    Advanced Tab, specify your DHCP
    Check override (required for external DHCP)
    Was not able to check DHCP Addr. Assignment = Required (bug?)
    General Tab, check status = Enabled
    Ignore the error; this is a bug!
    Core Switch configuration (these commands are in CatOS)
    Since wired guest access uses the same interface (in my config,) I did not have to do this step as it was done previously.
    You need to configure your core switch to allow VLAN traffic from your WLC interfaces
    VTP and VTP domain were previously configured; you may need to do this if you have never done VLANs on this switch
    # set vlan 44 name MYGUESTS-INBOUND - - - IOS will be different
    # set vlan 55 name MYGUESTS-OUTBOUND - - - IOS will be different
    If you already have a vlan for wireless guests this step is already done
    Setup trunking on the port coming from the WLC to your switch (I chose mod/port =3/5, yours will be different)
    # set trunk 3/5 on dot1q - - - IOS will be different
    This allows VLANs to traverse from the WLC to the switch, (you could specify which VLANs only)
    I have created VLAN ACLs that restrict the access of guests, but that can be done after this is up and working
    Now this next step was required for my environment, but I am not sure that all setups can be done like this. I have another DHCP server on my network, so I wanted to make sure that there was not a conflict. To do this I specified a port on my core switch to accept VLAN traffic for my ingress interface
    Configure a port on my core switch to accept wired guest traffic (I chose mod/port =3/6, yours will be different)
    # set vlan 44 3/6 - - - IOS will be different
    It's possible you may also need to allow your egress VLAN depending on your setup
    Dumb switch
    Plug switch into the port specified

  • Cisco wired guest with one wlc

    Hello my name is Ivan
    I have a question:
    You can configure wired guest for wired network users so that appears the cisco wlc web portal for guest user authentication? having the following:
    Only one (1) cisco wlc 5508 no settings for auto  anchor  or foreing controller, a cisco acs v5.4,  cisco switches, and access points.
    I'm using 802.1x, and when the user because autententicacion policies fall into the guest vlan, the user receives full IP routing vlan guest, comes to internet through the router for guest users, but not redirected to the website of wlc .
    I would like to redirect http traffic from cisco switch to the cisco wlc for wlc web portal
    My deployment is to flex connect wireless authentication, and local switching center
    How I can do this?
    Thanks for your answers.

    Hi Scott, thanks for your answer:
    My scenary is:
    Site A Corporate
    WLC 5508 Flex Connect Central Auth + Local Switching
    1. int management:  vlan 10 - 10.1.1.2/24
    2. int virtual: 1.1.1.1
    3. wired-guest: vlan 30
    wlans:
    1. corporate - mapped to interface  management 802.1x wpa, 2pa2
    2. guest - mapped to interface management web auth
    3. wired-guest: web auth, ingress wired, egress management
    Cisco ACS v5.4
    Site B: Branch
    AP Ligthweight in the vlan 10, vlans mapped 100 and 30, 100 for wlan corporate and 30 for wlan guest.
    Switches Cisco,
    The branch have a router of internet to users guest.
    The switch cisco have a 802.1x configuration, and the method to authenticate users can not have a supplicant 802.1x is web auth.
    Actually i can not redirect the traffic from the switch in the branch to cisco wlc 5508 in the corporate site. The users bypass the interception of the cisco wlc and they can goes to internet without the portal of authentication.
    Please could you give and advice to resolv it?
    Regards for your answers.

  • Wired guest access with 5508

    Hi
    I have setup wireless guest access for a customer with a single 5508 and web authentication no problem at all. He then wanted to test wired guest access. The 5508 is currently connected to a single 3560 switch. The wired clients get a DHCP address OK but cannot reslove DNS and thus don't get redirected to teh guest login portal. I have even tried turning of all L3 security to no avail. The setup is as follows
    VLAN 101 access points and 5508 management interface
    VLAN 102 wired guest access dynamic ingress (L2 config only no SVI on 3560)
    VLAN 103 wireless guest dynamic egress nterface L3 network with SVI on switch
    VLAN 104 wired guest dynamic egress interface L3 network with SVI on switch
    There are two DHCP pools setup on the WLC one for the VLAN 103 and one for the VLAN 104 subnets.
    The internet router is also connected to the 3560 on a sepearte VLAN with an SVI. the 3560 has a default route to teh internet router and teh DHCP pools give the DHCP clients a default gateway of the IP address of dynamic interface 103 or 104. The Internet routre can ping the WLC on both these addresses.
    LAG is enabled on teh WLC and VLANs 101-104 are trunked to it from the 3560.
    I even tried making the wired guest egress interface the same one as for wireless. The wired clientys now got an IP address on the wireless range but still couldnt pass any traffic. It's like the intrenal bridging on teh WLC between VALN 102 and 104 (or 103) is broken. Tried both the lates 6.x and 7.x software on the WLC. Any ideas ? All the problems I can find with this seem to relate to not gettingas far as a DHCP address but that works fine.
    Thanks
    Pat

    Hi
    Yes got it resolved. It turns out that the connection from the wired guest access port to the WLC must be L2. That is the switch that the wired guest acces sport is connected and WLC are connected to must be L2 only. We were using a single switch to do the testing and it was also doing the routing for the test LAN. Even though there was no L3 VLAN interface configured for the VLAN that the guest access port was on for some reason this breaks it. Absolu Didnt have chance to work out the exact limitations of this as we simply made the switch L2 only and configured an 802.1Q trunk to the Internet router and made subinterfaces on the router for the wired and wireless egress ports and it worked then. No config change was needed on the WLC at all.
    The only thing I can think of is that it's something about the way the WLC joins the wired guest access ingress VLAn and egress VLAN. The WLC isn't a reall router it says so in the documentation. I think the packet coming from the wired access port is being bridged to the egress VLAn not routed and this is what screws it up (remeber with a router the source and destination MAC addresses would be changed with a bridge they aren't). Got to be something along those lines. If you have a bigger newtork with a guest anchor WLC handling this function you dont run into this as the traffic is coming over an EOIP tunnle from the remote WLC so the switch with the guest anchor WLC doesnt see the MAC address of the wired guest PC.

  • Wired Guest Access

    Hi!
    I enabled Wired Guest Access to connect Wired Ethernet Users to WLC. It doesn't explained on user guide how WLC does? If WLC strips 802.3 frame and encapsultes it with 802.11 or not. Any way, I couldn't redirect the ethernet flux to WLC and then to the external controller authenticator (Captive portal authentication).  Need a help!
    Cheers!

    In order to provide the wired guest access, the designated ports in the layer-2 access layer switch need to be configured on the guest VLAN by the administrator. The guest VLAN must be separate from any other VLANs that are configured on this switch. The guest VLAN traffic is trunked to the nearest WLAN local controller. The local controller tunnels the guest traffic across a EoIP tunnel to a DMZ Anchor controller. This solution requires at least two controllers.
    Here is the URL for the Wired Guest Access using Cisco WLAN Controllers Configuration
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml#ancwlan

  • Anyone seen strange behavior with wired guest access on WLAN Controller?

    Cisco Doc ID 99470 spells out how to deploy wired guest access over wireless LAN Controllers.
    That said, everything has been up and working for almost a year.  Guest wireless uses anchor controller in DMZ - no issues.
    Recently configured two wired ports for wired guest networking.  The desktops get the correct IP address via DHCP.  A wireless client (on the table right next to the wired clients) on the guest wireless gets an IP address as expected as well.
    Open a continuous ping to the gateway 172.16.16.1 on all three machines.
    The two desktops will ping for a few minutes and then stop for 30 seconds or longer.  Wireless client will keep its connection.  (you might think it would be the other way around)
    I understand there is a 65,535 second inactivity timeout, but I am only sitting here for minutes, not 18 hours when this happens.
    On the wired desktops, you have to bring up a browser and log back in just as you do on a wireless client ever few minutes.  After debugging the client, I found a "failed to find scb" message in the output.
    The other trick here is that the wired clients are miles away from where I can actually get on the CLI of the controller.  This makes it difficult to run a debug and bring up a browser since I am not local to the machines when running debugs.
    Has anyone ever see this behavior?  Has anyone see the "failed to find scb" message?
    Thanks in advance!
    Succ
    essfully plumbed mobile rule (ACL ID 255)
    *pemReceiveTask: Dec 30 11:33:15.735: 00:25:b3:ce:cb:ef 0.0.0.0 tokenID = 5
    *pemReceiveTask: Dec 30 11:33:15.735: 00:25:b3:ce:cb:ef Set bi-dir guest tunn
    el for 00:25:b3:ce:cb:ef as in Export Foreign role
    *pemReceiveTask: Dec 30 11:33:15.735: 00:25:b3:ce:cb:ef 0.0.0.0 Added NPU ent
    ry of type 1, dtlFlags 0x4
    *spamReceiveTask: Dec 30 11:34:54.569: CCKM: Send CCKM cache entry
    FP08:(33207772)[cmdSendNodeInfo:3787]failed to find scb 0023.2422.c6eb
    *mmListen: Dec 30 11:35:58.539: 00:25:b3:ce:cb:ef Scheduling deletion of Mobi
    le Station: (callerId: 73) in 1 seconds
    *mmListen: Dec 30 11:35:59.471: 00:25:b3:ce:cb:ef Scheduling deletion of Mobi

    I found it in the document
    B.1 How Logout Works
    The WebGate logs a user out when it receives a URL containing "logout." (including the "."), with the exceptions of logout.gif and logout.jpg, for example, logout.html or logout.pl. When the WebGate receives a URL with this string, the value of the ObSSOCookie is set to "logout."
    The Access System sets an obSSOCookie for each user or application that accesses a resource protected by a WebGate. The obSSOCookie enables users to access resources that are protected by the Access System that have the same or a lower authentication level. Removing the ObSSOcookie causes the WebGate to log the user out and requires the user to re-authenticate the next time he or she requests a resource that is protected by the Access System.
    Well, I havn't got that far in the document:)
    Thanks a lot for your help.
    -Wei

  • Wired guest access on WLC 4400 with SW 7.0.240.0

    Hello,
    after we upgrade our Wlan-controller 4400 from software 7.0.116.0 to 7.0.240.0
    wired guest access don't work anymore.
    All other things works fine, incl. WLAN guest access!
    When we try wired guest access, we get the web-authentication page and can log in.
    On the controller we can see that the Policy Manager State changes from WEBAUTH_REQD
    to RUN.
    But then there is no access to the internet.
    We tried also SW 7.0.250.0, same problem!
    Log Analysis on the WCS:
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :The WLAN to which client is connecting does not require 802 1x authentication.
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client does not have an IP address yet.
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client L3 authentication is required
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client Moved to DHCP Required State.
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Mobility role update request. from Unassociated to Local Peer = 0.0.0.0, Old Anchor = 0.0.0.0, New Anchor = 10.101.200.11
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Mobility role changed. State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :DHCP successful.
    Time :03/12/2014 14:21:26 MEZ Severity :ERROR Controller IP :10.101.200.11 Message :Client got an IP address successfully and the WLAN requires Web Auth or Web Auth pass through.
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client IP address is assigned.
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Webauth user logged in to the network. manni
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :AAA response message sent.
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client has completed Web Auth successfully.
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client has completed Web Auth successfully.
    Trying http://www.google.de .... doesnt work. No Log Entries. Next entries while logging out.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Web auth is being triggered again.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client L2 authentication has been completed successfully.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client Moved to DHCP Required State.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :WebAuth user Logged out from network.
    Has someone a idea how to solve this problem?
    Regards
    Manfred

    Hi
    Yes got it resolved. It turns out that the connection from the wired guest access port to the WLC must be L2. That is the switch that the wired guest acces sport is connected and WLC are connected to must be L2 only. We were using a single switch to do the testing and it was also doing the routing for the test LAN. Even though there was no L3 VLAN interface configured for the VLAN that the guest access port was on for some reason this breaks it. Absolu Didnt have chance to work out the exact limitations of this as we simply made the switch L2 only and configured an 802.1Q trunk to the Internet router and made subinterfaces on the router for the wired and wireless egress ports and it worked then. No config change was needed on the WLC at all.
    The only thing I can think of is that it's something about the way the WLC joins the wired guest access ingress VLAn and egress VLAN. The WLC isn't a reall router it says so in the documentation. I think the packet coming from the wired access port is being bridged to the egress VLAn not routed and this is what screws it up (remeber with a router the source and destination MAC addresses would be changed with a bridge they aren't). Got to be something along those lines. If you have a bigger newtork with a guest anchor WLC handling this function you dont run into this as the traffic is coming over an EOIP tunnle from the remote WLC so the switch with the guest anchor WLC doesnt see the MAC address of the wired guest PC.

  • 2106 and Wired Guest Access

    Hi,
    It seems that the 2100 models do not support wired guest access. I wondered if the following work around might work?
    We are using a 2106 with a wireless guest network anchored to a 5508.
    Would it be possible to configure an Autonomous AP in WGB mode and configure it to connect to the visitor wlan?
    Would wired clients then be able to connect through the autonmous AP and use web authentication?
    Cheers

    I opened a TAC with Cisco.
    Here was the repsonse.
    Unfortunately this is not a supported feature , please have a look at the following
    ·         These lightweight features are supported for use with a workgroup bridge:
    – Guest N+1 redundancy
    – Local EAP
    ·         These lightweight features are not supported for use with a workgroup bridge:
    – Cisco Centralized Key Management (CCKM)
    – Hybrid REAP
    – Idle timeout
    – Web authentication
    Note If a workgroup bridge associates to a web-authentication WLAN, the workgroup bridge is added to the exclusion list, and all of the workgroup bridge wired clients are deleted.
    So it is not possible. Just thought I'd share this in case anyone else came across the same issue.

  • Wired guest access support on SRE G2

    I have been trying to find info on support for wired guest access on SRE wireless module. Is it supported? Also, does 2100 wlc support it? I am running into sizing issues as I am seeing in documentation that it is supported on WiSM, 4400 (end of life), 5500, and 3750G (end of life). So, Am I only left with 5500? These are bunch of branch offices and do not know if having 5500 in each site is financially feasible. There is a requirement to have all these networks separate so we cannnot share controllers. Thank you in advance.

    It's more like "all WLCs support what is in config guide unless stated otherwise".
    http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps7206/ps7221/product_data_sheet0900aecd805aaab9.html
    the Cisco 2100 Series enables administrators to  securely manage WLANs and mobility services, such as enhanced security,  voice, guest access, and location services."
    It says nowhere that the SRE can't do wired/wireless. So it does the same as other WLCs from that point of view

Maybe you are looking for

  • How to flow the sales organisation from R/3 to CRM

    Hi, I have created a new Sales organisation, sales office in R/3 inaddition to existing sales organisations, and various sales offices. Now I want to flow the new sales org, and sales office to CRM. I thought in CRM using 'ppoma_crm' I can create a n

  • Reports 3.0 OLE 2 Objects

    Does anybody know if it is possible to display an OLE2 image over the web when compiling the report in .pdf format ? I know it is possible if you compile in .html format using the URL Link functionality, but the format quality ( e.g. fonts, tables, c

  • Audio playback stops short

    Has anyone had problems with audio playback in a previewed or published presentation where the playback stop short and advanced to the next slide?

  • Need help in CS3

    I'm trying to create a line of text (well, multiple lines of text) that will look like this:      1234567     Title......................$12.34 I've figured out how to get the tabs that I want, but can't figure out how to get the ".........." to show

  • About sequence

    hi i have at table column of "ID varchar2(30)". For this column i need to generate the primary key values like(su100,su101,su102,su103....). how to do this one