Wireless Guest Users DHCP issue

Similar Messages

• WLC 2500 and WCCP for Wireless Guest Users

  Hi there
  I would like to redirect web traffic from WLANs on a Wireless LAN Controller 2500 to a proxy server in a remote site. I'm using ironport proxy server and Cisco 3560 Layer 3 switch. Basically current scenario is:
  Wireless Guest Users get authenticated by web-auth through Access Point 3501 HREAP configured. Guest client gets an IP address on VLAN 100 in remote site. Once they connect to VLAN 100, I want all web traffic to be redirected to the proxy server. I know PAC file may be the easier solution however our guest clients want seamless solution for internet. I am not sure whether WCCP is supported for this.               
  You advice will be highly appreciated.
  Regards

  For guest wireless traffic redirect to proxy server
  https://supportforums.cisco.com/thread/2126486

• Wireless Guest Users once authenticated, are able to connect again after disconnection

                     Wireless Guest Users once authenticated, are able to connect again after disconnection .Clients should not able to connect after the restart or by disabling and enabling the WIFI adapter. But as of now clients are connecting to network . How we can configure this feature in WLC ?

  IIRC, if your reboot, disable the adapter or disconnect from the wireless, as long as the session timer or the idle timer does not timeout, then you are still considered as authenticated. If you logout, the wlc logs you off and you will have to log back in. The wierd thing is with iPhones or iPads, they go to sleep mode and you have to log back in to access the guest network. The workaround was to increase the idle timers to a certain acceptable limit to prevent this from happening.
  If you disconnect from the guest SSID and leave your client off the network until the idle timer expires, do you get prompted for a login or do you have access again?
  Sent from Cisco Technical Support iPhone App

• Wireless guest users are getting limited connectivity.

  Could anyone help please, I have a wireless guest solution consist of :
  WLC located internal in the network – all the AP are associated with that WLC-.
  Anchor WLC located in the DMZ . the guest SSID are tunneled from the internal WLC to the Anchor WLC, the DHCP service for guest users is on the Anchor WLC.
  NAC guest server to authenticate the guest users.
  The solution was working properly but now we have a problem that if any one tried to connect to the guest SSID if he is authorized or not , the user will get IP address from the DHCP pool and now as you know most of people has smart phones and they try to get internet access. Now only 5 or 6 people authenticated with NAC gest server and the DHCP pool become full because too many people tried to connect even they do not authenticate.
  so if any user trys to cnnect he will not get IP address from the anchor controller and getting limited connectivity.
  if I add static IP address on my Laptop , I will be redirected to the authentication page and can access normally.
  I am working in big environment 7,000 users so I can’t go with increasing the DHCP pool because the problem will not be solved.
  I hope if anyone can help in this case.
  Thanks in advance.

  This is a pitfall and raising  the eyebrows.. currently we do not have anyother option other than using a WPA-PSK + WEB AUTH
  that is..
  PSK will block the users to just grab an IP and sit!! , if the user enters a valid PSK, he will get the IP address and followed by the Web auth process!! this may help u as of now.. or just a work around.. to overcome the IP exhaustion..
  Please rasie a PER with your accounts team to raise the severity on this issue if u have the contract n all with us!!
  Please dont forget to rate the usefull posts!!
  Regards
  Surendra

• 1801W wireless (guest access) config issues

  Trying to setup wireless on 1801w ISR.  Wired access to Internet and LAN works fine (Vlan1); however, wireless (Vlan2) does not.
  Trying to setup wireless "guest" access with Internet access only (no access to LAN).
  Wireless will not come up.  Dot11Radios show "reset/down".
  Below is the wireless config and a couple of troubleshooting commands as well:
  dot11 ssid open
     vlan 2
     authentication open
  ====================================================
  !(Sets up DHCP and excluded addresses.)
  ip cef
  no ip dhcp use vrf connected
  ip dhcp excluded-address 172.16.25.1 172.16.25.99
  ip dhcp excluded-address 172.16.25.116 172.16.25.255
  ip dhcp pool open
     import all
     network 172.16.25.0 255.255.255.0
     default-router 172.16.25.1
     dns-server 4.2.2.1 4.2.2.1
     lease 3
  ====================================================
  (Turned on integrated routing and bridging.)
  bridge irb
  ====================================================
  (Wireless radio interface config.)
  interface Dot11Radio0
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip virtual-reassembly
  ip route-cache flow
  encryption vlan 2 mode wep optional
  !---(SSID is given as "open")
  ssid open
  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
  station-role root
  interface Dot11Radio0.1
  encapsulation dot1Q 1 native
  no cdp enable
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 spanning-disabled
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  interface Vlan1
  description LAN
  ip address 192.168.0.100 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  interface Vlan2
  description Wireless VLAN
  no ip address
  bridge-group 1
  bridge-group 1 spanning-disabled
  interface BVI1
  ip address 172.16.25.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  bridge 1 protocol ieee
  bridge 1 route ip
  ====================================================
  Verifying...
  RTR#sho dot11 associations
  802.11 Client Stations on Dot11Radio1:
  802.11 Client Stations on Dot11Radio0:
  SSID [open] : DISABLED, not associated with a configured VLAN
  ====================================================
  RTR#sho ip int brief
  Dot11Radio0                unassigned      YES NVRAM  reset                 down
  Dot11Radio0.1             unassigned      YES unset  reset                 down
  Dot11Radio1                unassigned      YES NVRAM  reset                 down

  Your ssid is configured in vlan 2.
  But you forgot to configure dot11radio0.2 with under it "encapsulation dot1q 2".
  That should allow the radio to broadcast ssid
  Nicolas
  ===
  Don't forget to rate answers that you find useful

• Wireless Guest Users Self Registration

  We are looking for a solution where for guest user self registration an email will be send to the employee/network admin for approval request before providing the network access to guest users.
  Please let me know if ISE is having this feature. Also let me know the other options.

  If you want to go through the process of having a employee or "sponsor" approve the account, why not just have the person who would be the appover create the account for the guest user and cut out the middle step? This is the process we have been using and so far so good!  If abuse is a concern we try to keep tabs on that by occasionally checking the logs in ISE to see if any one user is creating many account or consistantly has an account that may be for non work related functions.

• Wireless guest users cannot ping if ACL is applied

  Hi friends,
  This is the first time I am trying my hands on wireless gears. I have 2500 WLC and 1142 AP (which I converted from Standalone to LAP).
  I have a layer 3 POE switch where i am using port 1 for the WLC which is a trunk port.
  Port 2 is for the AP using access vlan 111
  Port 3 is trunk port going to a router where i am running dhcp server for the VLANs which are as follow:
  VLAN 110 -Corp Wireless (10.1.110.0/24)
  VLAN 111 - AP-Mgmt (10.1.111.0/24)
  VLAN 999 - Guest (10.1.101.0/24)
  I wanted to block the traffic from the Guest VLAN 999 but when i apply the ACL on the Guest Interface created on the WLC, I dont see any pings going across and neither I see any hit counts on the deny statement as if the ACL is never applied.
  Can some one guide me to the right direction if i am missing anything??
  Thanks,
  Mohit

  rdvorak wrote:Put the ACL on the WLAN not on the interface.
  But applying the ACL to the interface will affect all WLANs that utilize that interface!!!
  Rating useful replies is more useful than saying "Thank you"

• 2500 wireless guest anchor, dhcp performance

  Hello,
  I just read that starting from version 7.4, the 2500 controller can be used to terminate guest anchor tunnels.
  This is great news, but i have a question regaring the performance of the internal DHCP server when used in guest environments.
  Can it be used and if so, what is its performance ? (ie requests / second)
  regards,
  Geert

  Take a look at the data sheet and it will give you a general understanding of the max client count which is 500 and the throughput which is 500mbps unless you run 7.4 and have LAG enabled which gives you 1gig.  I would only use this for small installs and if its a pretty medium to large guest network, then stick with the 5508.
  http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps11630/data_sheet_c78-645111.html
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• SA 540 and DMZ Issue for Wireless Guest Access

  I have hooked up a Wireless AP into the Optional Port setup as DMZ on the SA 540.  My goal is to provide internet access to wireless guest users without giving them access to the entire LAN.     The internet access for the wireless guest users is painfully slow.   It takes 5 minutes to access Google.   Has anybody else had issues with slowness.    I am able to successfully ping websites and retrieve their IP address, but it won't connect to any websites via web browsers.   Just to humor myself,  I configured firewall rules to allow DMZ full access to the LAN and WAN.   I am still having the same results.   Any thoughts and suggestions?

  Hi,
  I'm not the one with the AP problem, I just have the same issue with the DMZ port. I think you have to forget about the whole AP issue here since the problem is with the DMZ port on the SA500.
  I have my Web and Mail server set up on the DMZ port, I can ping and resolve Domain names to the outside world, but trying to reach anything with a browser takes foreeever. On, eg. www.apple.com I just get a few lines from their web page (so there is a connection) and then it halts to a stop (takes about 5 min).
  I also tried to move my laptop to the DMZ, just to make sure there is no problem with the server, and it has the same issue.
  To summarize, I have about 16 Mb connection on my LAN and on my DMZ i can't even load a full web page.
  Firmware 1.0.39
  BTW, when I upgraded the firmware it wiped my configuration, but it kept my firewall rules in place, even though they weren't shown in the Firewall table. e.g. I could still access my DMZ from my LAN. I had to hard reset the router from the hardware reset button on the router before that changed and the router was completely reset.

• NAC guest user poster assesment.

  Dear all,
  Please assist me for NAC guest server poster assesment issue.
  Scenario is like we have NAC guest server and all wireless guest users authenticate through Guest Server.
  Its working fine.
  But customer  wants to apply poster assement on guest users through existing CAS and CAM.
  Guest_users-------AP-------WLC------- NAC_Guest_Server----------internet

  Thanks for reply.
  Actually in my network we have cas and cam integrate with WLC for internal users. Its working fine.No issue. Poster assesment and authentication working fine.
  We have also NGS server which is integrate with WLC for web authentication fow guest wireless users.
  It is also working fine.Authentication happened through NGS server succesfully.
  But now I wanted to force poster assesment for wireless guest users which are authenticated through NGS server.

• Wlc 5508 and wireless guest vlan

  Hi guys,
  I have a 5508 running(version 6).
  I have an adsl releasing public IP for guest users mapped into vlan 10.
  Now i want use this adsl only for wireless guest users
  how can i create an ssid and associate to vlan 10 without using ip address(dynamic interfaces requires an ip address,mask,defaul gateway,etcc..).
  Thx in advance.

  Hi,
  the fact that you can't ping in the guest SSID is normal. That SSID blocks all traffic until you authenticated on the web page.
  If your users are using a proxy to browse the web, all you need to do is to add an exception in the client browser for "1.1.1.1" if that is your virtual ip. So that the proxy doesn't get contacted when client is redirected for authentication.
  The second step is to make WLC listen on the proxy port (often it's 8080 for example). Command is "config network web-auth-port" :
  http://www.cisco.com/en/US/partner/docs/wireless/controller/6.0/command/reference/cli60.html#wp1728200
  Hope this helps,
  Nicolas

• Wireless Guest Tracking

  I am looking for how to track the number of wireless guest users that have used wireless during a month. I see the enterprise guest management options but that is real overkill in this situation because I only have two 1200 series autonomous APs that we want to track guest usage on.

  If you are on the technical side of things you could modify the piece of code that I wrote for a WLC to create guest accounts.  I am currently working on logging of the users that are created with this code.  Then you could simply add up the users and and have date and times.  Find the code here: https://sourceforge.net/projects/simple-swag/   The original intention of the code was a simple way for administrators to provide simple Lobby Ambassidor like function to a simple web interface and then provide customized guest user instruction page.  In the background it uses ssh to talk to the controller and setup the account. Its written in PHP so feel free to try your hand at it.

• E4200 Wireless Guest Access issue

  Hello, I'm hoping someone can point me in the right direction. I have the wireless guest access set up in my E4200 flash to the latest firmware. 
  When I connect to the wireless guest network it comes up under the 192.168.33.xx IP address. I can connect fine but it never pops up the browser so that you can type in the guest password. I'm running Windows 7 but I've also noticed the exact same problem under XP.
  The only thing I can guess is the problem is that I have this acting like an access point and all DHCP requests go to my router. I've basically turned off DHCP on this and plugged the network connection into the switch on the back. 
  Any suggestions?
  Thanks
  Josh

  If I go to 192.168.33.1 it does pop up the browser but when I enter the password It just hangs. Not sure if it was connected or not. Is there no way to pop up the browser automatically?

• Wireless guest and HTTPS sites issue

  Dear all,
  I'm experiencing an issue with wireless guest, when accessing a site with https, the traffic is not intercepted by my controller, http sites are intercepted without any issue, I've found a document where this issue is mentioned as bug ID CSCar04580
  http://cisco.biz/application/pdf/paws/108501/webauth-tshoot.pdf
  could you please let me know what the fix is?
  Thanks,

  Thanks for the feedback, however I've added the 443 port and the traffic
  is still not redirected.
  AP Fallback ................................ Enable
  Web Auth Redirect Ports .................... 80,443
  Fast SSID Change ........................... Disabled
  802.3 Bridging ............................. Disable
  Any other suggestion?
  Thanks,
  Aziz

• SonicWALL = Guest Wireless, VLANs, and DHCP

  All,I'm going to attempt to set up corporate and guest WIFI using Ubiquiti UniFi APs. I'm new to VLANs in general but understand that this is the likely approach. The equipment that I will be using is below- SonicWALL TZ-400 configured for PTP VPN to a SonicWALL E6500.- Ubiquiti toughswitch just for the APs- 4 Ubiquiti APsThe SonicWALL E6500 (central location) does DHCP over VPN to all of the remote offices such as where this TZ-400 will be. I'm struggling with how to handle DHCP. If I set up VLANs say VLAN 10 for corporate to pull DHCP as normal and VLAN 20 for guest WIFI. How can I tell VLAN 20 to get a different range of IPs so that I can restrict from the corporate network range? The toughswitch would be using its own interface on the TZ400. Does what I'm trying to accomplish make sense and is it possible?
  This topic first appeared in the Spiceworks Community

  Setup:Sonicwall TZ205Created a sub-interface – X0:V100 with an IP address of10.45.1.1.Created a DHCP scope for said IP ranged associated withX0:V100 within Sonicwall.Three Netgear switches:A.24 Port + 4 SFPB.24 Port + 4 SFPC.48 Port + 4 SFP1.Sonic wall connected to switch C on port 12.Switch C connected to switch B using port 473.Switch B connected to switch C using port 234.Switch B connected to switch A using port 25 –(GB SFP over fiber)5.Switch A connected to switch B using port 25 –(GB SFP over fiber)6.Ubiquiti AP connected to switch A on port 2VLAN 1 – default·All ports on all switches are untagged fordefault VLAN 1VLAN 100 – meant for wireless guests·Ports 2 and 25 are Tagged for V100 on switch A –all other ports are blank for V100·Ports 23 and 25 are Tagged for V100 on switch B– all other ports are blank for V100·Ports 1 and 47...
  This topic first appeared in the Spiceworks Community