Wireless guest users cannot ping if ACL is applied

Hi friends,
This is the first time I am trying my hands on wireless gear. I have a 2500 WLC and a 1142 AP (which I converted from standalone to LAP).
I have a layer 3 PoE switch where I am using port 1 for the WLC, which is a trunk port.
Port 2 is for the AP, using access VLAN 111.
Port 3 is a trunk port going to a router where I am running a DHCP server for the VLANs, which are as follows:
VLAN 110 -Corp Wireless (10.1.110.0/24)
VLAN 111 - AP-Mgmt (10.1.111.0/24)
VLAN 999 - Guest (10.1.101.0/24)
I wanted to block the traffic from the Guest VLAN 999, but when I apply the ACL on the Guest interface created on the WLC, I don't see any pings going across and neither do I see any hit counts on the deny statement, as if the ACL is never applied.
Can someone guide me in the right direction if I am missing anything?
Thanks,
Mohit

rdvorak wrote: Put the ACL on the WLAN, not on the interface.
But applying the ACL to the interface will affect all WLANs that utilize that interface!!!
Rating useful replies is more useful than saying "Thank you"
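Added example, not code from the thread or from Cisco: a small Python model of the placement question above. It assumes, as a simplification, that a WLAN-level ACL is consulted when one is set and that an ACL on a dynamic interface is consulted for every WLAN mapped to that interface, as the reply states; it uses the subnets from the question and keeps per-rule hit counters, but it does not model why the poster's interface ACL showed no hits.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Subnets from the original question (VLAN 999 guest, 110 corp, 111 AP-mgmt)
GUEST = IPv4Network("10.1.101.0/24")
CORP = IPv4Network("10.1.110.0/24")
AP_MGMT = IPv4Network("10.1.111.0/24")

@dataclass
class Rule:
    action: str                                   # "permit" or "deny"
    src: IPv4Network = IPv4Network("0.0.0.0/0")   # any source
    dst: IPv4Network = IPv4Network("0.0.0.0/0")   # any destination
    proto: str = "any"                            # "any", "icmp", "tcp", "udp"
    hits: int = 0                                 # per-rule counter

    def matches(self, src, dst, proto):
        return src in self.src and dst in self.dst and self.proto in ("any", proto)

@dataclass
class Acl:
    name: str
    rules: list = field(default_factory=list)

    def evaluate(self, src, dst, proto):
        """Ordered first match; unmatched traffic hits the implicit deny."""
        for rule in self.rules:
            if rule.matches(src, dst, proto):
                rule.hits += 1
                return rule.action
        return "deny"

@dataclass
class Wlan:
    interface: str                # dynamic interface the WLAN is mapped to
    acl: Optional[Acl] = None     # per-WLAN ACL, if any

class Controller:
    # Assumed model: a WLAN ACL, if set, is used; otherwise the ACL on the
    # WLAN's interface applies, and it applies to every WLAN on that interface.
    def __init__(self):
        self.interface_acls, self.wlans = {}, {}

    def forward(self, ssid, src, dst, proto="icmp"):
        wlan = self.wlans[ssid]
        acl = wlan.acl or self.interface_acls.get(wlan.interface)
        return acl.evaluate(src, dst, proto) if acl else "permit"

def demo(attach_to):
    """Attach the guest ACL at 'wlan' or 'interface' level and trace three flows."""
    block = Acl("block-guest", [Rule("deny", GUEST, CORP), Rule("deny", GUEST, AP_MGMT),
                                Rule("permit", GUEST)])   # guests may still reach the Internet
    wlc = Controller()
    wlc.wlans["Guest"] = Wlan("guest-if")
    wlc.wlans["Guest2"] = Wlan("guest-if")   # a second WLAN sharing the same interface
    if attach_to == "wlan":
        wlc.wlans["Guest"].acl = block
    else:
        wlc.interface_acls["guest-if"] = block
    g1, g2, corp = IPv4Address("10.1.101.50"), IPv4Address("10.1.101.51"), IPv4Address("10.1.110.10")
    verdicts = (wlc.forward("Guest", g1, corp), wlc.forward("Guest", g1, IPv4Address("8.8.8.8")),
                wlc.forward("Guest2", g2, corp))
    return verdicts, [r.hits for r in block.rules]
```

With the ACL on the WLAN only "Guest" is filtered and "Guest2" still reaches the corp subnet; on the interface both WLANs are filtered.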

Similar Messages

  • WLC 2500 and WCCP for Wireless Guest Users

    Hi there
    I would like to redirect web traffic from WLANs on a Wireless LAN Controller 2500 to a proxy server in a remote site. I'm using ironport proxy server and Cisco 3560 Layer 3 switch. Basically current scenario is:
    Wireless Guest Users get authenticated by web-auth through an Access Point 3501 configured for HREAP. The guest client gets an IP address on VLAN 100 in the remote site. Once they connect to VLAN 100, I want all web traffic to be redirected to the proxy server. I know a PAC file may be the easier solution; however, our guest clients want a seamless solution for internet. I am not sure whether WCCP is supported for this.
    Your advice will be highly appreciated.
    Regards

    For guest wireless traffic redirect to a proxy server, see:
    https://supportforums.cisco.com/thread/2126486

  • Wireless Guest Users once authenticated, are able to connect again after disconnection

    Wireless Guest Users, once authenticated, are able to connect again after disconnection. Clients should not be able to connect after a restart or after disabling and enabling the Wi-Fi adapter. But as of now clients are connecting to the network. How can we configure this feature in the WLC?

    IIRC, if you reboot, disable the adapter or disconnect from the wireless, as long as the session timer or the idle timer does not time out, then you are still considered as authenticated. If you log out, the WLC logs you off and you will have to log back in. The weird thing is with iPhones or iPads: they go to sleep mode and you have to log back in to access the guest network. The workaround was to increase the idle timers to a certain acceptable limit to prevent this from happening.
    If you disconnect from the guest SSID and leave your client off the network until the idle timer expires, do you get prompted for a login or do you have access again?
    Sent from Cisco Technical Support iPhone App

  • Guest VLAN cannot ping gateway

    Hi Sir,
    I have an issue wherein my guest VLAN cannot ping its gateway, thus it can't go through the web auth page. I have been given an IP address with corresponding gateway, subnet and DNS for the guest VLAN. I have allowed all the VLANs in the trunk port for the WLC and AP connection.
    What do you think is the problem? Hope you could help on this.
    thanks.
    Regards,
    Neri

    Hi Neri
    The way this should work is that the client connects to the guest network and gets an IP address from DHCP. The DHCP configuration should include the default gateway and must include a DNS address.
    When the client opens a web browser the browser tries to connect to the configured home page. This means that a DNS lookup is sent out and the controller intercepts it and forwards it on. Providing there is a response from the DNS server the controller will cause the client browser to re-direct to the web authentication login page.
    It is therefore essential that the controller can see the DNS server. Forget the PING for now - DNS is a must. You can prove the rest of the system by ensuring the guest client has an IP address. Open the client browser and try and connect to http://1.1.1.1 (assuming your virtual interface on the controller is 1.1.1.1). If you get re-directed to the web authentication login page then the issue is a DNS issue.
    Regards
    Roger

  • Wireless guest users are getting limited connectivity.

    Could anyone help please? I have a wireless guest solution consisting of:
    WLC located internally in the network (all the APs are associated with that WLC).
    Anchor WLC located in the DMZ. The guest SSIDs are tunneled from the internal WLC to the Anchor WLC; the DHCP service for guest users is on the Anchor WLC.
    NAC guest server to authenticate the guest users.
    The solution was working properly, but now we have a problem: if anyone tries to connect to the guest SSID, whether he is authorized or not, the user will get an IP address from the DHCP pool, and as you know most people have smart phones and they try to get internet access. Now only 5 or 6 people are authenticated with the NAC guest server and the DHCP pool becomes full because too many people tried to connect even though they do not authenticate.
    So if any user tries to connect he will not get an IP address from the anchor controller and gets limited connectivity.
    if I add static IP address on my Laptop , I will be redirected to the authentication page and can access normally.
    I am working in big environment 7,000 users so I can’t go with increasing the DHCP pool because the problem will not be solved.
    I hope if anyone can help in this case.
    Thanks in advance.

    This is a pitfall and raising the eyebrows.. currently we do not have any other option other than using WPA-PSK + WEB AUTH
    that is..
    PSK will block the users from just grabbing an IP and sitting!! If the user enters a valid PSK, he will get the IP address, followed by the Web auth process!! This may help you as of now.. or just as a workaround.. to overcome the IP exhaustion..
    Please raise a PER with your accounts team to raise the severity on this issue if you have the contract and all with us!!
    Please don't forget to rate the useful posts!!
    Regards
    Surendra

  • IPad guest users cannot see YouTube videos but Android devices can

    Hi all,
    I am in the process of moving a guest SSID from a local Wireless LAN Controller to it being anchored for security reasons to another WLC in the DMZ. I have created a test SSID which is anchored in the DMZ and have found that everything is working perfectly except for YouTube videos. While those guest users that are connected on Android devices can watch YouTube videos just fine, those connecting via iPads or iPhones are unable to watch these videos. Any ideas?
    Thank you in advance for your help.
    rgrds,
    inayat

    Hi George,
    Thank you for your reply.
    I did two packet captures: once with a working Android device and once with a failing iPad. There did not seem to be any difference in packet sizes when trying to download a YouTube video (both seemed to be around 1368 bytes per packet). The packet capture with the failing iPad showed a number of TCP resets and attempts to connect to 224.0.0.251 (mDNS); that seemed to be the only difference from the packet capture with the working Android device.
    What I did notice when looking at the existing local WLC (from where the iPads can successfully connect to YouTube; remember that they are failing when they are tunnelled to a test SSID in the DMZ) was that the local WLC contained a Layer 3 MGID for 224.0.0.251 with a number of users in that group, which were iPad users. When I looked at the anchor WLC in the DMZ it did not have this MGID listed, or any other Layer 3 MGID for that matter.
    Your comments and ideas please!
    rgrds,
    inayat

  • Guest users cannot see or connect to shares on Snow Leopard 10.6.1

    I recently upgraded to Snow Leopard from 10.5. After upgrading, users connecting as "guest" to my computer cannot see any of the shares (and therefore cannot connect to them).
    If I connect as my administrator user from another computer, I can see all the shares, as well as all the volumes.
    I have verified that the Guest Account is enabled (Allow guests to log in to this computer) in the Accounts preference pane, and of course File Sharing is turned on in the Sharing pane, and all the shares are listed with the correct permissions.
    This is a very strange and perplexing problem. Any help would be most appreciated!

    If they are connecting as a registered user they can see all the shares... but as a guest they cannot... I'm trying to find what might cause that problem... I really cannot think of any logical reason... Everything in my options seems to be ok... So after the 10.6.2 update your problem was solved? I think that you were a very lucky man... If you find any answer to that problem please let me know...
    Anyway, thank you for your reply!

  • With Timed Access List on, Guest users cannot access Guest network.

    I have an ABS with the 7.5 version. In the Timed Access window I have the default set to "no access". Then, all the computers that are allowed access to the main network are on the list. Then I have the main network hidden. My guest network is broadcasting, but when a user tries to connect to it, they get an "Unable to connect". If I change the default access in Timed Access to "Everyday", users are then able to connect to the Guest network again.
    Obviously, this is a bug. I don't want people accessing the main network that aren't on the timed access list. However, I still want guest users to access the Guest Network.
    It looks to me like the Timed Access window is controlling the restriction of the Guest and Main network, when it should only be controlling the Main network.
    Hopefully, Apple has noted this issue and it will be fixed in the new update. If other people are experiencing this problem, please let me know.
    -Ghost

    Apple just updated the AirPort to 7.5.1. But there is still a problem with the guest network not allowing access. If "Unlimited" is set to "No Access" in the access list, it prevents anybody from accessing the guest network. It should only deny your Main wireless network.
    In other words, the Access List is controlling the access for both wireless networks (Guest and Main network).
    Either Apple needs to create two Access Lists, one for the Main network and one for the guest network, or just have the option to choose which network you want to restrict, leaving the second one open for all.
    -Ghost

  • Wireless Guest Users DHCP issue

    Dear all
    We have 2 WiSMs as well as an Anchor controller.
    Guest users are getting an IP address from the anchor controller.
    We had created the DHCP scope on the anchor controller itself.
    We had opened particular ports to communicate between the guest controller and the inside controller for EoIP tunneling to take place.
    The issue is that sometimes a user is getting an IP address in the range of the AP management VLAN.
    Do we need to open ports for bootpc and bootps as well, or do we need to create the DHCP scope in the switch?
    If anyone has faced the above issue, please reply to me at the earliest.
    Regards
    -Danish

    If the anchor goes down, or mobility fails, the user should never egress from the Foreign WLC (in my opinion). However, if you are saying that the user gets an IP from the MGMT Interface of the Foreign WLC (not the Anchor), then it is doing exactly what it shouldn't.
    What version of code is this?
    I've seen a lot of deployments implement a "dummy interface" on the Foreign WLC. So a fake vlan/subnet is created on the WLC and mapped as the default interface for the Foreign's Guest WLAN. In the event anchoring does fail and the client sticks to the foreign WLC, this dummy interface would actually prevent the user from having network access.
    Are you seeing this often?

  • Wireless Guest Users Self Registration

    We are looking for a solution where, for guest user self registration, an email will be sent to the employee/network admin for an approval request before providing network access to guest users.
    Please let me know if ISE has this feature. Also let me know the other options.

    If you want to go through the process of having an employee or "sponsor" approve the account, why not just have the person who would be the approver create the account for the guest user and cut out the middle step? This is the process we have been using and so far so good! If abuse is a concern, we try to keep tabs on that by occasionally checking the logs in ISE to see if any one user is creating many accounts or consistently has an account that may be for non work related functions.

  • Wlc 5508 and wireless guest vlan

    Hi guys,
    I have a 5508 running (version 6).
    I have an ADSL releasing public IPs for guest users, mapped into VLAN 10.
    Now I want to use this ADSL only for wireless guest users.
    How can I create an SSID and associate it to VLAN 10 without using an IP address (dynamic interfaces require an IP address, mask, default gateway, etc.)?
    Thx in advance.

    Hi,
    the fact that you can't ping in the guest SSID is normal. That SSID blocks all traffic until you have authenticated on the web page.
    If your users are using a proxy to browse the web, all you need to do is to add an exception in the client browser for "1.1.1.1" if that is your virtual IP, so that the proxy doesn't get contacted when the client is redirected for authentication.
    The second step is to make the WLC listen on the proxy port (often it's 8080, for example). The command is "config network web-auth-port":
    http://www.cisco.com/en/US/partner/docs/wireless/controller/6.0/command/reference/cli60.html#wp1728200
    Hope this helps,
    Nicolas

  • SA 540 and DMZ Issue for Wireless Guest Access

    I have hooked up a Wireless AP into the Optional Port set up as DMZ on the SA 540. My goal is to provide internet access to wireless guest users without giving them access to the entire LAN. The internet access for the wireless guest users is painfully slow. It takes 5 minutes to access Google. Has anybody else had issues with slowness? I am able to successfully ping websites and retrieve their IP address, but it won't connect to any websites via web browsers. Just to humor myself, I configured firewall rules to allow the DMZ full access to the LAN and WAN. I am still having the same results. Any thoughts and suggestions?

    Hi,
    I'm not the one with the AP problem, I just have the same issue with the DMZ port. I think you have to forget about the whole AP issue here, since the problem is with the DMZ port on the SA500.
    I have my Web and Mail server set up on the DMZ port. I can ping and resolve domain names to the outside world, but trying to reach anything with a browser takes forever. On, e.g., www.apple.com I just get a few lines from their web page (so there is a connection) and then it halts to a stop (takes about 5 min).
    I also tried to move my laptop to the DMZ, just to make sure there is no problem with the server, and it has the same issue.
    To summarize, I have about a 16 Mb connection on my LAN and on my DMZ I can't even load a full web page.
    Firmware 1.0.39
    BTW, when I upgraded the firmware it wiped my configuration, but it kept my firewall rules in place, even though they weren't shown in the Firewall table. e.g. I could still access my DMZ from my LAN. I had to hard reset the router from the hardware reset button on the router before that changed and the router was completely reset.

  • Wireless Guest Tracking

    I am looking for how to track the number of wireless guest users that have used wireless during a month. I see the enterprise guest management options but that is real overkill in this situation because I only have two 1200 series autonomous APs that we want to track guest usage on.

    If you are on the technical side of things you could modify the piece of code that I wrote for a WLC to create guest accounts. I am currently working on logging of the users that are created with this code. Then you could simply add up the users and have dates and times. Find the code here: https://sourceforge.net/projects/simple-swag/ The original intention of the code was a simple way for administrators to provide a simple Lobby Ambassador like function through a simple web interface and then provide a customized guest user instruction page. In the background it uses ssh to talk to the controller and set up the account. It's written in PHP, so feel free to try your hand at it.

  • NAC guest user posture assessment.

    Dear all,
    Please assist me with a NAC guest server posture assessment issue.
    The scenario is that we have a NAC guest server and all wireless guest users authenticate through the Guest Server.
    It's working fine.
    But the customer wants to apply posture assessment on guest users through the existing CAS and CAM.
    Guest_users-------AP-------WLC------- NAC_Guest_Server----------internet

    Thanks for the reply.
    Actually, in my network we have CAS and CAM integrated with the WLC for internal users. It's working fine, no issue. Posture assessment and authentication are working fine.
    We also have an NGS server which is integrated with the WLC for web authentication for guest wireless users.
    It is also working fine. Authentication happens through the NGS server successfully.
    But now I want to force posture assessment for wireless guest users which are authenticated through the NGS server.

  • ISE 1.2 Guest portal user cannot change their passwords

    I have a WLC 5508 (version 7.6) and a server with ISE installed (version 1.2.1.198). Now we have configured CWA and use the guest portal as the employee and guest login URL. We can log in successfully using a manually created internal user and password, and we set up "allow guest users to change password" in Multi-Portal, but the user cannot change the password in the guest portal. I wonder whether the change password option on the Guest Portal actually works? Can anyone tell me how users change their own password in the guest portal?

    Requiring Guests to Change Password
    You can allow or require guest users to change their password after their initial account credentials are created by the sponsor. If guest users change their passwords, sponsors cannot provide guests with their login credentials if they are lost. The sponsor must create a new guest account.
    You can either allow guests to change their passwords, or you can require that they do it at expiration and at first login. To require internal users using a guest portal to change their password upon their next login, choose Administration > Identity Management > Identities > Users. Select the specific internal user from the Network Access Users list and enable the change password check box.
    Before You Begin
    Create a Guest portal or modify the DefaultGuestPortal. This setting is specific to each Guest portal.
    Step 1 Choose Administration > Web Portal Management > Settings > Guest > Multi-Portal Configuration.
    Step 2 Check the Guest portal to update and click Edit.
    Step 3 Click the Operations tab.
    Step 4 Check either or both options:
        Allow guest users to change password
        Require guest users to change password at expiration and first login
    Step 5 Click Save.