Wireless guest access

Hi Guys, I have a wireless requirement from a customer and the customer is looking for the below: 1. Wireless guest access that requires user to input email into the captive portal. But the email address must be verified that it contains certain selected domain names (e.g. example.com or example.org). Any other domain names will be rejected. 2. Customer is looking to add their own logo and change the formatting of the captive portal. Questions: 1. For email verification, does this feature come straight from the WLC standalone box or must ISE be purchased? 2. If the WLC is able to do this without ISE, any online guides that is able to do this? 3. For security reasons, am I able to limit the number of concurrent users using this captive portal? 4. How do a configure the age-out for each connected users after they have successfully logged into the captive portal? 5. Can I customize the captive portal page on the WLC and how do I go about doing it?

Hi Mohanak,
It looks like the formatting ran out. Anyway, not sure if we are on the right topic here but let me get this straight. Customer has a Cisco 2504 Wireless LAN Controller. So, they would like to achieve the below features:
1. Wireless guest access that requires user to input email into the captive portal. But the email address must be verified that it contains certain selected domain names (e.g. example.com or example.org). Any other domain names will be rejected.
2. Customer is looking to add their own logo and change the formatting of the captive portal.
So, some of the questions I have are:
Questions:
1. There is a configuration on the WLC that allows guest users to login using email verification only. Does this feature come straight from the WLC standalone box or must ISE be purchased.
2. If the WLC is able to do this without ISE, is the WLC able to check if the inputted field is a valid email? And can I configure in such a way a particular domain is allowed? (e.g. example.com is permitted but example.org and anything else is reject).
3. For security reasons, am I able to limit the number of concurrent users using this captive portal?
4. How do a configure the age-out for each connected users after they have successfully logged into the captive portal?
5. Can I customize the captive portal page on the WLC and how do I go about doing it?

Similar Messages

  • Wireless guest access with CWA and ISE using mobility anchor

    My team is trying to demo wireless guest access using CWA with an ISE server.  We appear to be hitting an issue when combining this with mobility anchoring.
    When we don't use a mobility anchor the authentication goes off without a hitch seemingly proving that the ISE configuration is sound.  The test laptop associates and gets redirected, auths, moves to the RUN state and access to the network is granted.
    When the mobility anchor is enabled, the test laptop does get redirected, authentication is successful, but the process does not fully complete, as on the foreign controller the user is in RUN state whereas on the anchor the user is still stuck at CWA required.
    Now, I've read the L2 auth occurs between the foreign controller and ISE, and the L3 auth occurs between the anchor controller and ISE, but this does not appear to borne out in packet captures of the process where both parts of the auth seems to go to and from the foreign controller and ISE.
    I'm curious to know if anyone else has come across this issue, or has ideas where I should be looking in the config or debugs to find the root cause.
    When setting up the controllers and ISE this guide (linked below) was used and the controllers are 2504 controllers on 7.5 series software and ISE is on the latest 1.2 patches:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
    To me it seems to be mobility related, but the authentication flow does seem to be off compared with what the guide says.

    FOREIGN
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Adding mobile on LWAPP AP 0c:d9:96:ba:7d:20(1)
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Association received from mobile on BSSID 0c:d9:96:ba:7d:2f
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Global 200 Clients are allowed to AP radio
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Max Client Trap Threshold: 0  cur: 0
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Rf profile 600 Clients are allowed to AP wlan
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Re-applying interface policy for client
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4565 setting Central switched to TRUE
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4568 apVapId = 1 and Split Acl Id = 65535
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying site-specific Local Bridging override for station 00:1e:c2:c0:96:05 - vapId 1, site 'AP-Group-CHEC.default', interface 'management'
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying Local Bridging Interface Policy for station 00:1e:c2:c0:96:05 - vlan 84, interface id 0, interface 'management'
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  statusCode is 0 and status is 0
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  ssid_done_flag is 0 finish_flag is 0
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 suppRates  statusCode is 0 and gotSuppRatesElement is 1
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfProcessAssocReq (apf_80211.c:7830) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Idle to AAA Pending
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
    *radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created for mobile, length = 253
    *radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created in mscb for mobile, length = 253
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Received SGT for this Client.
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 255 to 255
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 84
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Re-applying interface policy for client
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 0 on mobile
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
    MAC: 00:1e:c2:c0:96:05, source 2
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Initializing policy
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfMsAssoStateInc
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 1800, apfMsTimeOut '1800' and sessionTimerRunning flag is  0
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 1800
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
    *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
    *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
    *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
    *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 apfMsRunStateInc
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 5793
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Adding Fast Path rule
      type = Airespace AP Client
      on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID = 255,
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
    *mmMaListen: Jan 28 23:05:02.363: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
    *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
    *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 0.0.0.0 plumbing in FP SCB
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP processing DHCP REQUEST (3)
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 5, flags: 0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   requested ip: 10.130.98.8
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP received op BOOTREPLY (2) (len 320,vlan 84, port 13, encap 0xec07)
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP processing DHCP ACK (5)
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 0, flags: 0
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.130.98.8
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   siaddr: 10.30.4.173,  giaddr: 0.0.0.0
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   server id: 1.1.1.2  rcvd server id: 1.1.1.2
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) DHCP Address Re-established
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Reached PLUMBFASTPATH: from line 6978
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
      type = Airespace AP Client
      on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 Assigning Address 10.130.98.8 to mobile
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP successfully bridged packet to STA
    *pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
    *pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4
    *pemReceiveTask: Jan 28 23:05:03.890: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 10.130.98.8 plumbing in FP SCB
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Received SGT for this Client.
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 0 to 255
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 AAA redirect is NULL. Skipping Web-auth for Radius NAC enabled WLAN.
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
    MAC: 00:1e:c2:c0:96:05, source 2
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Applying cached RADIUS Override values for mobile 00:1e:c2:c0:96:05 (caller pem_api.c:2307)
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Applied RADIUS override policy
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
      type = Airespace AP Client
      on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Change state to RUN (20) last state RUN (20)
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfMsAssoStateInc
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 3600, apfMsTimeOut '1800' and sessionTimerRunning flag is  1
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 3600 seconds
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 3600
    *apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
    *apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
    *pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
    *pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4

  • Wireless Guest Access with 802.1X (PEAP/MSCHAPv2) and ISE?

    Hi,
    I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
    The WLCs are running 7.3 and ISE is 1.1.1
    I'm trying to setup wireless guest access, where the guests connect to a SSID with 802.1X using PEAP/MSCHAPv2.
    They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
    The credentials will be created by the sponsor, using the sponsor portal on the ISE.
    Now to the questions:
    Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
    Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
    When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
    As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
    Thankyou very much :-)
    Best Regards,
    Niels J. Larsen

    Hi,
    I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
    The WLCs are running 7.3 and ISE is 1.1.1
    I'm trying to setup wireless guest access, where the guests connect to a SSID with 802.1X using PEAP/MSCHAPv2.
    They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
    The credentials will be created by the sponsor, using the sponsor portal on the ISE.
    Now to the questions:
    Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
    Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
    When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
    As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
    Thankyou very much :-)
    Best Regards,
    Niels J. Larsen

  • 1801W wireless (guest access) config issues

    Trying to setup wireless on 1801w ISR.  Wired access to Internet and LAN works fine (Vlan1); however, wireless (Vlan2) does not.
    Trying to setup wireless "guest" access with Internet access only (no access to LAN).
    Wireless will not come up.  Dot11Radios show "reset/down".
    Below is the wireless config and a couple of troubleshooting commands as well:
    dot11 ssid open
       vlan 2
       authentication open
    ====================================================
    !(Sets up DHCP and excluded addresses.)
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 172.16.25.1 172.16.25.99
    ip dhcp excluded-address 172.16.25.116 172.16.25.255
    ip dhcp pool open
       import all
       network 172.16.25.0 255.255.255.0
       default-router 172.16.25.1
       dns-server 4.2.2.1 4.2.2.1
       lease 3
    ====================================================
    (Turned on integrated routing and bridging.)
    bridge irb
    ====================================================
    (Wireless radio interface config.)
    interface Dot11Radio0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip virtual-reassembly
    ip route-cache flow
    encryption vlan 2 mode wep optional
    !---(SSID is given as "open")
    ssid open
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
    station-role root
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    no cdp enable
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Vlan1
    description LAN
    ip address 192.168.0.100 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface Vlan2
    description Wireless VLAN
    no ip address
    bridge-group 1
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 172.16.25.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    bridge 1 protocol ieee
    bridge 1 route ip
    ====================================================
    Verifying...
    RTR#sho dot11 associations
    802.11 Client Stations on Dot11Radio1:
    802.11 Client Stations on Dot11Radio0:
    SSID [open] : DISABLED, not associated with a configured VLAN
    ====================================================
    RTR#sho ip int brief
    Dot11Radio0                unassigned      YES NVRAM  reset                 down
    Dot11Radio0.1             unassigned      YES unset  reset                 down
    Dot11Radio1                unassigned      YES NVRAM  reset                 down

    Your ssid is configured in vlan 2.
    But you forgot to configure dot11radio0.2 with under it "encapsulation dot1q 2".
    That should allow the radio to broadcast ssid
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • E4200 Wireless Guest Access issue

    Hello, I'm hoping someone can point me in the right direction. I have the wireless guest access set up in my E4200 flash to the latest firmware. 
    When I connect to the wireless guest network it comes up under the 192.168.33.xx IP address. I can connect fine but it never pops up the browser so that you can type in the guest password. I'm running Windows 7 but I've also noticed the exact same problem under XP.
    The only thing I can guess is the problem is that I have this acting like an access point and all DHCP requests go to my router. I've basically turned off DHCP on this and plugged the network connection into the switch on the back. 
    Any suggestions?
    Thanks
    Josh

    If I go to 192.168.33.1 it does pop up the browser but when I enter the password It just hangs. Not sure if it was connected or not. Is there no way to pop up the browser automatically?

  • Unified wireless guest access

    Hi I need help in configuring unified wireless guest access. i have followed the guide
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html#wp999843.
    But the problem is it still does not work. what i dont get is that the interface for the Guest SSID for the foreign controller is management, does this mean that i have to get an IP address first from the management segment before i can get an IP from the anchor WLC?
    my setup is that i have an anchor controller which is on a different LAN from where my foreign WLC is. the anchor WLC has the DHCP scope and the local net user database. I have already join the two WLC to each other's mobility group. also i have configured the mobility anchor on the WLAN(SSID) of the foreign controller.
    Another thing is that the AP im trying to use is on a different site from where my controller is. Im not sure if this is the one causing problem.
    Can someone help point out my mistake.

    Its rare that I have a difference in opinion from both of you guys but let me share with you an issue I had.
    If you map the foreign controller to the management interface and the tunnel breaks for whatever reason the clients will get dumped on the management interface, even though the WLAN is anchored to the DMZ controller.
    I know this becuase I seen this for my self when I had anchor issues.
    I opened a tac case and it was suggested to use a "dummy interface" on the foreign controller. I forget who I spoke to, this is over a year now. But I then followed up witha Cisco SE on the Advance Wireless team and he commented this is what they do as well. And to add further, a large hospital system here in the Tex Med center had Cisco advance team install their controllers and they too had dummy interfaces for the foreign controllers for guest.
    Just my 2 cents ... Add a dummy interface call he dummy_guest_interface and tie it to 222.222.222.222 or something like ... no need to add anything on the wired.

  • Does WAP4410N support Wireless Guest access solution?

    Does the Linksys AP (WAP4410N) support Wireless Guest access solution?

    Hi - I've got a WAP4410N which I'd like to use to provide wireless guest access, and I've had a look through the configuration pages and manual, and understand:
    1) I've got to add a virtual SSID (although I'd like to know where the DHCP settings are as I don't believe the WAP4410N has DHCP capabilities)
    2) I need to ensure that traffic can't hop across the multiple SSIDs
    What I'd like to know is whether the WAP4410N can be set up to display a terms and conditions page which users have to "OK" or whether it can host a login page that can be administered by someone to allow access - kind of like hotels use to ensure that not everyone can automatically connect?  I don't mind if there has to be a secondary piece of software hosted on a server someone, but I'd like to prevent people from being able to automatically connect straight to our connection and would also like to limit them in some way, at very least the bandwidth that the connection allows, at best the sites they can visit too.
    Any thoughts greatly appreciated,
      Andy

  • SA 540 and DMZ Issue for Wireless Guest Access

    I have hooked up a Wireless AP into the Optional Port setup as DMZ on the SA 540.  My goal is to provide internet access to wireless guest users without giving them access to the entire LAN.     The internet access for the wireless guest users is painfully slow.   It takes 5 minutes to access Google.   Has anybody else had issues with slowness.    I am able to successfully ping websites and retrieve their IP address, but it won't connect to any websites via web browsers.   Just to humor myself,  I configured firewall rules to allow DMZ full access to the LAN and WAN.   I am still having the same results.   Any thoughts and suggestions?

    Hi,
    I'm not the one with the AP problem, I just have the same issue with the DMZ port. I think you have to forget about the whole AP issue here since the problem is with the DMZ port on the SA500.
    I have my Web and Mail server set up on the DMZ port, I can ping and resolve Domain names to the outside world, but trying to reach anything with a browser takes foreeever. On, eg. www.apple.com I just get a few lines from their web page (so there is a connection) and then it halts to a stop (takes about 5 min).
    I also tried to move my laptop to the DMZ, just to make sure there is no problem with the server, and it has the same issue.
    To summarize, I have about 16 Mb connection on my LAN and on my DMZ i can't even load a full web page.
    Firmware 1.0.39
    BTW, when I upgraded the firmware it wiped my configuration, but it kept my firewall rules in place, even though they weren't shown in the Firewall table. e.g. I could still access my DMZ from my LAN. I had to hard reset the router from the hardware reset button on the router before that changed and the router was completely reset.

  • Windows 7 and Wireless Guest Access

    Dear All, one of my Customers uses 4400 based Guest Access Solution with L3 Webauth. With XP everything works Fine. Since the Migration to Windows 7, Guest Access is not working correctly. It takes a long time to get an IP Address via DHCP, sometimes it idles to 169.xxx. If an IP Address is provided, the Redirect will not work. Has anybody seen similar Problems with Win7 or a Solution?
    Regards, Michael

    Found a solution for the "Boot Camp x64 is unsupported on this computer model" message. Here is the link: http://www.techulous.com/hardware/how-to-apple-boot-camp-64-bit-for-windows-7-on -unsupported-macs.html
    Everything works ( for ) now. Yay!

  • WLC Wireless Guest Access

    Hi
    When a user attempts to connect to a WLC
    guest access SSID, does the web login page open up automatically?
    Also is the web login page "https" secure rather than "http" clear text
    Mark

    As long as the WLC can resolve the users home page, which is not an intranet site or https, then the user will get a certificate error page first in which he or she will have to accept. Then he or she will get the webauth page. To eliminate the certificate error page, you need to install a 3rd party certificate, one that is standard on the device trusted certificate store.

  • Wireless guest access with Airspace

    I understand the Airspace products have some guest access capability built into them. I have a hotel customer that has the following requirments.
    First, he will have an AP in each conference room. He would have each AP set up with a different SSID. The guest username password used for logging in would be assigned to the SSID and be different for each conference room. I've been told this is not possible. While you can have more than one guest username/password they are not associated with any one AP or SSID.
    Secondly, he would also like to be able to control the amount of bandwidth each conference room/group is assigned.
    Can the Airspace stuff do this, or even something close to it?

    Yeah - no.
    The Airespace guest functionality is basic - you define an SSID which has 'WEb Auth' set on it, and users are prompted for a username/password that is auth'd against radius.
    The sort of granular stuff you are looking for isn't there - maybe look at BBSM or something similar, although I don't know how well that interfaces with AireSpace if at all..
    Regards
    Aaron
    Please rate helpful posts.

  • Wireless Guest Access through 4404, bandwidth limiting.

    We are currently running a Guest SSID on our network and pumping it out through a DSL line and it's working great. However, as we've expanded our LWAPP conversion and offering the Guest SSID to more area's, my DSL line has become very saturated and we're not in area that can get a bigger pipe. IS there a radius attribute that I can use through ACS that the 4404 controllers will recognize to limit the users bandwidth? In the past when using an opensource solution for guest access (ChiliServ and FreeRadius) I was able to use the WiSPr attributes:
    WISPr-Bandwidth-Max-Down
    WISPr-Bandwidth-Max-Up
    and it worked pretty well. What does one do in this case? I know I can pass Airespace attributes with ACS, but I don't see anything that will minimize bandwidth unless I'm just not understanding the QoS tagging.

    I am using webauth, but where does the role information go into the radius server, specifically ACS? In the document it states how to install the airspace vsa's. In ACS 4.2 I already have the airspace vsa's available i.e. airspace-qos-level. Is this the attribute that is needed to send the Role inforamtion? If not, can you please provide this attribute? That's all I'm looking for is as to what attribute is needed by the controller to receive the role information. from a per-user level or whatever. I do have the vsa's working since my original post and having upgraded the controller software (before it would stop sending traffic) so I can now pass the airspace-qos-level if this is the right attribute, but the most important thing about this attribute is that I only have Bronze to Uranium listed in ACS. If this is the attribute to send role information? How do I add more to this list as it is a drop down box not a text box where I can put in my own information.

  • DMZ Anchor WLC setup for Wireless Guest Access

    I have the following setup.
    A DMZ WLC 4402 connected to firewall DMZ interface in 10.10.73.0/24 network.
    An Inside WLC 2106 connected to firewall Inside interface in 10.10.71.0/24 network.
    Both WLCs are running the same 4.2.176 code.
    DMZ WLC is anchor to itself and Inside WLC select the DMZ WLC as the anchor point.
    I have setup EoIP between DMZ and Inside WLCs successfully with both the control and data path both show as UP status. >> "show mobility anchor"
    The main issue: Clients cannot obtain IP addresses after connected to Guest SSID.
    1. Inside WLC, the guest WLAN ingress is 802.11b/g radio and egress port is set to management interface (EoIP) of type WLAN.
    What is the DMZ WLC setting? Is the ingress set to "802.11b/g" which does not make sense because the ingress is EoIP from Inside WLC?
    Or I still set as 802.11b/g? Same config as Inside WLC? I read from other threads suggested by Terry that the config must be the same for both WLCs.
    In the Inside WLC, I saw alot of pdu encapsulation errors for broadcast packets which is ffff.ffff.ffff xxxx which I think is the DHCP request from the connected Wireless clients not making through the EoIP tunnel. I have set static ip for the Wireless client but the packets cannot route through the EoIP tunnel to the far end.
    2. DHCP server is provided by DMZ WLC with the scope 10.10.76.0/24. In the Inside WLC, which DHCP server IP adddress to set to? DMZ WLC mgmt ip address? DMZ WLC, the DHCP server is also set to DMZ WLC mgmt ip?
    3. Layer 2 authentication. I read that DMZ WLC is supposed to be the DHCP server, Layer 2 or 3 authentication for Wireless Clients. However, it seems like Inside WLC is required to configure the Layer 2 authentication parameters and the DMZ WLC is set to providing the DHCP service?
    4. Lastly, anyone has done DMZ WLC sending the Wireless clients traffic to Bluecoat proxy server before hitting the Internet?
    Thanks.

    One of the biggest things is to make sure the wlan is configured exactly the same. The DMZ WLC ingress is the management and also is the egress port. You can create a dynamic interface on the DMZ WLC, but this way makes thing easier. The DMZ WLC should provide the dhcp, so the dhcp scope of course will be on the same subnet as the management of the DMZ WLC. The DHCP Server will be the ip address of the management interface of the DMZ WLC. The authentication also has to be configured exactly the same on the inside wlc and the DMZ wlc. Since you are pushing clients through the tunnel to the DMZ WLC, that is where clients will need to get their ip address, since that DMZ WLC has a network interface to the guest network. I haven't had luck when a proxy is involved, but I know there was a post a while ago on how to setup the proxy to allow the wlc to bypass the users initial dns resolution.

  • WCS Wireless Guest Access : Area, building restrictions don't work

    Hello,
    I use WCS to create guest accounts on a WLC4400 local database. Guest login works fine but i can login with any guest account on any campus, building, floor even if the account is apply only on one of those.
    i use a custome Web auth page, this is the cisco's exemple page with our logo.
    WLC44000 - 4.2.61.0
    WCS - 4.262.11
    WLAN Guest setup :
    Layer 3 security : none
    Web policy : authentication
    Over-ride global - config enable

    Yes exacly.
    Only one controller with 15 "campus" (business unit).
    AP are in HREAP (for corporate WLAN). of course (i know it's stupid) guest wlan is in a lwapp tunnel and wrong username or password don't works !

  • Enterprise Wireless Guest IP Address Management

    Hi
    We have requirement to deploy wireless guest access for the Enterprise.
    Would appreciate feedback as to wether to use internal DHCP which is  centrally managed or using WLC DHCP.
    Some Considerations
    1.     IP Address reporting historical on number of addresses used, this could be provided by the guest access server on users logged or can WLC
             provide historical IP address reporting
    2.     Centralised address configuration versus distributed on each controller.
    3.    Correlating guest user to IP address allocated, we need to use this for forensic identification of the IP address to the user as guest access will be authenticated via the Radius server and from there access the Internet via a transparent proxy. No requirement for second authentication when accessing the Internet.
    Any feedback on real world experiences would be greatly appreciated.
    Regards
    Bill

    Hi,
    The below doc is the design and deployment Guide for Guest access.. This is just like a bible!!
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html
    Lemme know if this helps.. and please dont forget to rate the usefull posts!!
    Regards
    Surendra

Maybe you are looking for