Wireless guest wlan and secured corporate wlan

I am implementing an enterprise wireless network for my company. I am planning on setting up one secured corporate wlan for employee and one open guest wlan for the guest/contractor/vendor. Is there a way I can prevent my employee jump from the secured wlan to the guest wlan? Thanks.
Lee

Hi stepehen
LWAPP also defines the tunneling mechanism for data traffic.
A LAP discovers a controller with the use of LWAPP discovery mechanisms. The LAP sends an LWAPP join request to the controller. The controller sends the LAP an LWAPP join response, which allows the AP to join the controller. When the LAP joins to the controller, the LAP downloads the controller software if the revisions on the LAP and controller do not match. Subsequently, the LAP is completely under the control of the controller. LWAPP secures the control communication between the LAP and the controller by means of a secure key distribution. The secure key distribution requires already provisioned X.509 digital certificates on both the LAP and the controller. Factory-installed certificates are referenced with the term "MIC", which is an acronym for Manufacturing Installed Certificate. Cisco Aironet APs that shipped before July 18, 2005, do not have a MIC. So these APs create a self-signed certificate (SSC) when they are upgraded in order to operate in lightweight mode. Controllers are programmed to accept SSCs for the authentication of specific APs.
Pls Refer the docu..
http://cisco.com/en/US/products/ps6306/products_qanda_item09186a00806a4da3.shtml
Regds
Saji k.s

Similar Messages

  • Wireless Guest Network, iPADS and MAC Filteing

    Hello, I have a question regarding our wireless guest network and using iPADs
    Our wireless network consist of (3) 5508 WLC’s running 6.0.188. 2 internal WLC and 1 external anchor WLC for guest.  Presently we are only using one of the internal controllers for users the second is only used for fail over.  The anchor controller is set up as the DHCP server for guest. We also have a Cisco NAC Guest Server in the DMZ for guest authentication.
    We have (10) iPads that need Internet access though our guest portal. We do not want these iPADs to have to enter any credentials just pass through to the internet. We do not want any other device to be able to connect to this SSID.  Here’s my question; Getting to the Internet is no problem however when I try to set up a MAC filter just for these devices, they never receive an IP address and never get connected.  I have tried setting the filter on both the internal controller and the anchor controller identically and in about every combination I can think of.  Does anyone know how to set up a MAC filter on a guest network configured as per Cisco’s recommendation?  I also plan to use WPA2 and 802.1x once I get the MAC filter to work.  Any help would be appreciated.
    Thank You
    John

    Not all layer 2 and layer 3 security mechanisms are compatible. Refer to this doc
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080987b7c.shtml#matrix
    What security settings have you configured. The settings also need to be identical on both the internal and anchor controller.

  • Does WAP4410N support Wireless Guest access solution?

    Does the Linksys AP (WAP4410N) support Wireless Guest access solution?

    Hi - I've got a WAP4410N which I'd like to use to provide wireless guest access, and I've had a look through the configuration pages and manual, and understand:
    1) I've got to add a virtual SSID (although I'd like to know where the DHCP settings are as I don't believe the WAP4410N has DHCP capabilities)
    2) I need to ensure that traffic can't hop across the multiple SSIDs
    What I'd like to know is whether the WAP4410N can be set up to display a terms and conditions page which users have to "OK" or whether it can host a login page that can be administered by someone to allow access - kind of like hotels use to ensure that not everyone can automatically connect?  I don't mind if there has to be a secondary piece of software hosted on a server someone, but I'd like to prevent people from being able to automatically connect straight to our connection and would also like to limit them in some way, at very least the bandwidth that the connection allows, at best the sites they can visit too.
    Any thoughts greatly appreciated,
      Andy

  • Wireless guest-net IP before login

    We have a wireless guest net and we broadcast it thru-out our hospital.
    The problem is with all the IPAD's, IPHONE's, ADROIDS and such roaming
    around the hospital we are using all of our Class C IP addresses. Is there a way setup
    the WISM to keep the clients  from getting an IP before the client logins? 

    yea, i feel your pain ... We have 2000 guest daily here at our hospital and as you know people just walking by with wifi devices will get an IP.
    One way -- Don't broadcast your SSID. Clients would need to manually join your network and then get an IP.
    No other way around it in an open "hot spot" easy to access kinda way.
    Im sure thats not what you wanted to hear ...
    edit: Another way is to open a much larger scope. We have a /21 here and it works fine. We show as many as 3000 scopes out but normally only have 500 - 2000 users AT MAX ... We also shorten the DHCP scopes to 3 hours.

  • Configuring Airptort Extreme for Optimum Speed and security 802.11n

    Hello,
    I am running a Airport Extreme 802.11n with a Macbook Pro Core 2Duo, I would like to configure the Airport Extreme to run in the fastest and most secure mode.
    Since I plan on only running .N devices I do not need backwards compatibility with other wireless device.
    What advanced settings can I make to the Airport in order to achieve the best wireless transfer rates and security (including firewall security)
    Thank you so much in advance!
    -Noah

    Thanks so much for the response.
    In terms of the firewall test I was running it from
    my Macbook Pro core duo 2 via Wireless 5ghz 802.11N
    Airport Extreme connection, I ran the firewall test
    from the grc.com Guards up firewall test (Test all
    ports) it showed that my system was not fully
    stealthed and responded to pings. I am trying to
    figure out how to best secure my network, I currently
    have WPA2 with 25character letters and numbers set on
    the router, as well as having my MacbookPro firewall
    set to on.
    Any suggestions for this setup?
    Thanks again!
    Get an even better 63-character WPA "strong" passcode (Maximum WPA Security is 63 characters/504 bits)). See these sites for generating one:
    http://www.yellowpipe.com/yis/tools/WPA_key/generator.php
    http://www.speedguide.net/wlan_key.php

  • Can't get secure wlan to work with new guest wlan

    Dear Support,
    I'm having a nightmare! where I can seem to get either one wlan to work or the other but not both together.
    I posted previously and reconfigured as per the suggestion, however the problem I get is that the secure wlan client associates, then de-associates after roughly 30 seconds with both a guest (no security) and secure (eap using ms ias as radius server)
    my previous post is;
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Security%20and%20Network%20Management&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddcfe12
    and the log shows the following, obviously the client is set to connect automatically.
    *Mar 1 00:04:35.105: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 00
    13.cefd.48ca Associated KEY_MGMT[NONE]
    *Mar 1 00:04:51.391: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 000e.35f8
    .5d13 Associated KEY_MGMT[NONE]
    *Mar 1 00:04:51.506: %DOT11-4-MAXRETRIES: Packet to client 000e.35f8.5d13 reach
    ed max retries, removing the client
    *Mar 1 00:04:51.506: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating
    Station 000e.35f8.5d13 Reason: Previous authentication no longer valid
    *Mar 1 00:05:15.176: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 00
    13.cefd.48ca Associated KEY_MGMT[NONE]
    *Mar 1 00:05:32.703: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating
    Station 0013.cefd.48ca Reason: Sending station has left the BSS
    *Mar 1 00:05:58.780: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 00
    13.cefd.48ca Associated KEY_MGMT[NONE]
    *Mar 1 00:06:16.141: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating
    Station 0013.cefd.48ca Reason: Sending station has left the BSS
    *Mar 1 00:06:40.759: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 00
    13.cefd.48ca Associated KEY_MGMT[NONE]
    *Mar 1 00:06:58.145: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating
    Station 0013.cefd.48ca Reason: Sending station has left the BSS
    *Mar 1 00:07:00.560: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 00
    13.cefd.48ca Associated KEY_MGMT[NONE]
    *Mar 1 00:07:18.020: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating
    Station 0013.cefd.48ca Reason: Sending station has left the BSS
    *Mar 1 00:07:43.902: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 00
    13.cefd.48ca Associated KEY_MGMT[NONE]
    *Mar 1 00:08:01.254: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating
    Station 0013.cefd.48ca Reason: Sending station has left the BSS
    *Mar 1 00:08:16.172: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 00
    13.cefd.48ca Associated KEY_MGMT[NONE]
    *Mar 1 00:08:16.737: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating
    Station 0013.cefd.48ca Reason: Sending station has left the BSS
    *Mar 1 00:08:37.397: %DOT11-6-ASSOC: Interface Dot11Radio0, Station AP-CDC#2 00
    13.cefd.48ca Associated KEY_MGMT[NONE]
    *Mar 1 00:08:54.732: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating
    Station 0013.cefd.48ca Reason: Sending station has left the BSS
    *Mar 1 00:08:57.193: %DOT11-4-MAXRETRIES: Packet to client 0013.cefd.48ca reach
    ed max retries, removing the client
    Thanks in advance for your assistance.
    Any prompt reply will be greatfully received. I also rate responses.
    Thanks again, regards, Adrian

    Hi Ben,
    Please find attached AP config, I can access the switch at the moment, but the config is fairly basic, trunk port with two vlans and vlan 1 as the native.
    here's the ap config.
    AP-CDC#2#sh startup-config
    Using 2989 out of 32768 bytes
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname AP-CDC#2
    enable secret 5 $1$LQ1O$NKYZoYAeiahKw0805kLHg0
    clock timezone GMT 0
    clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
    ip subnet-zero
    ip domain name wlan.internal
    aaa new-model
    aaa group server radius rad_eap
    server 10.10.10.2 auth-port 1645 acct-port 1646
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 vlan-name dmz vlan 2
    dot11 ssid Secure
    vlan 1
    authentication open eap eap_methods
    authentication network-eap eap_methods
    dot11 ssid Guest
    vlan 2
    authentication open
    guest-mode
    username Cisco password 7 062506324F41
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 1 mode wep mandatory
    ssid Secure
    ssid Guest
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
    54.0
    no preamble-short
    channel 2412
    station-role root
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.2
    encapsulation dot1Q 2
    no ip route-cache
    bridge-group 2
    bridge-group 2 subscriber-loop-control
    bridge-group 2 block-unknown-source
    no bridge-group 2 source-learning
    no bridge-group 2 unicast-flooding
    bridge-group 2 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    hold-queue 160 in
    interface FastEthernet0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface FastEthernet0.2
    encapsulation dot1Q 2
    no ip route-cache
    bridge-group 2
    no bridge-group 2 source-learning
    bridge-group 2 spanning-disabled
    interface BVI1
    ip address 10.10.10.49 255.255.255.0
    no ip route-cache
    ip default-gateway 10.10.10.253
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 10.10.10.2 auth-port 1645 acct-port 1646 key 7 xyz
    radius-server vsa send accounting
    control-plane
    bridge 1 route ip
    line con 0
    line vty 0 4
    end
    AP-CDC#2#
    Thanks again, regards, Adrian

  • Guest WLAN and Web Auth?

    Hi Guys,
    Maybe someone can help me out?
    I just finished setting up a trial "Cisco Virtual Wireless Controller" with nearly the same configuration as our Physical
    "Cisco Wireless Controller" with the exception of having 2 ports.  Anyhow, I managed to get everything working except for the WEB AUTH on the Guest WLAN.  When a client connects, he gets a DHCP address from our ASA but when we try to get to a website, we never reach the WEB AUTH page. 
    What I tried so far is..
    add a DNS Host Name to the virtual interface and assign it to our internal DNS server.dns name was resolving but we were unable to ping 1.1.1.1
    changed the virtual ip from 1.1.1.1 to 2.2.2.2 and modified the DNS entrydns name resoved but still could not ping 2.2.2.2(I think this is normal)
    changed the virtual IP to a private address of 192.168.102.1 and modified the dns entrysame result
    I've attached some screenshots of our configuration.

    Troubleshooting Web Authentication
    After you configure web authentication, if the feature does not work as expected, complete these
    troubleshooting steps:
    Check if the client gets an IP address. If not, users can uncheck
    DHCP Required
    on the WLAN and
    give the wireless client a static IP address. This assumes association with the access point. Refer to
    the
    IP addressing issues
    section of
    Troubleshooting Client Issues in the Cisco Unified Wireless
    Network for troubleshooting DHCP related issues
    1.
    On WLC versions earlier than 3.2.150.10, you must manually enter
    https://1.1.1.1/login.html
    in
    order to navigate to the web authentication window.
    The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client
    connects to a WLAN configured for web authentication, the client obtains an IP address from the
    DHCP server. The user opens a web browser and enters a website address. The client then performs
    the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the
    website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web
    authentication login page.
    2.
    Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On
    Windows, choose
    Start > Run
    , enter
    CMD
    in order to open a command window, and do a  nslookup
    www.cisco.com" and see if the IP address comes back.
    On Macs/Linux: open a terminal window and do a  nslookup www.cisco.com" and see if the IP
    address comes back.
    If you believe the client is not getting DNS resolution, you can either:
    Enter either the IP address of the URL (for example, http://www.cisco.com is
    http://198.133.219.25)

    Try to directly reach the controller's webauth page with
    https:///login.html. Typically this is http://1.1.1.1/login.html.

    Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also
    be a certificate problem. The controller, by default, uses a self−signed certificate and most web
    browsers warn against using them.
    3.
    For web authentication using customized web page, ensure that the HTML code for the customized
    web page is appropriate.
    You can download a sample Web Authentication script from Cisco Software Downloads. For
    example, for the 4400 controllers, choose
    Products > Wireless > Wireless LAN Controller >
    Standalone Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404 Wireless
    LAN Controller > Software on Chassis > Wireless Lan Controller Web Authentication
    Bundle−1.0.1
    and download the
    webauth_bundle.zip
    file.
    These parameters are added to the URL when the user's Internet browser is redirected to the
    customized login page:
    4.
    ap_mac The MAC address of the access point to which the wireless user is associated.

    switch_url The URL of the controller to which the user credentials should be posted.

    redirect The URL to which the user is redirected after authentication is successful.

    statusCode The status code returned from the controller's web authentication server.

    wlan The WLAN SSID to which the wireless user is associated.

    These are the available status codes:
    Status Code 1: "You are already logged in. No further action is required on your part."

    Status Code 2: "You are not configured to authenticate against web portal. No further action
    is required on your part."

    Status Code 3: "The username specified cannot be used at this time. Perhaps the username is
    already logged into the system?"

    Status Code 4: "You have been excluded."

    Status Code 5: "The User Name and Password combination you have entered is invalid.
    Please try again."

    All the files and pictures that need to appear on the Customized web page should be bundled into a
    .tar file before uploading to the WLC. Ensure that one of the files included in the tar bundle is
    login.html. You receive this error message if you do not include the login.html file:
    Refer to the Guidelines for Customized Web Authentication section of Wireless LAN Controller Web
    Authentication Configuration Example for more information on how to create a customized web
    authentication window.
    Note:
    Files that are large and files that have long names will result in an extraction error. It is
    recommended that pictures are in .jpg format.
    5.
    Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication.
    Other browsers may or may not work.
    6.
    Ensure that the
    Scripting
    option is not blocked on the client browser as the customized web page on
    the WLC is basically an HTML script. On IE 6.0, this is disabled by default for security purposes.
    7.
    Note:
    The Pop Up blocker needs to be disabled on the browser if you have configured any Pop Up
    messages for the user.
    Note:
    If you browse to an
    https
    site, redirection does not work. Refer to Cisco bug ID CSCar04580
    (registered customers only) for more information.
    If you have a
    host name
    configured for the
    virtual interface
    of the WLC, make sure that the DNS
    resolution is available for the host name of the virtual interface.
    Note:
    Navigate to the
    Controller > Interfaces
    menu from the WLC GUI in order to assign a
    DNS
    hostname
    to the virtual interface.
    8.
    Sometimes the firewall installed on the client computer blocks the web authentication login page.
    Disable the firewall before you try to access the login page. The firewall can be enabled again once
    the web authentication is completed.
    9.
    Topology/solution firewall can be placed between the client and web−auth server, which depends on
    the network. As for each network design/solution implemented, the end user should make sure these
    ports are allowed on the network firewall.
    Protocol
    Port
    HTTP/HTTPS Traffic
    TCP port 80/443
    CAPWAP Data/Control Traffic
    UDP port 5247/5246
    LWAPP Data/Control Traffic
    (before rel 5.0)
    UDP port 12222/12223
    EOIP packets
    IP protocol 97
    Mobility
    UDP port 16666 (non
    secured) UDP port 16667
    (secured IPSEC tunnel)
    10.
    For web authentication to occur, the client should first associate to the appropriate WLAN on the
    WLC. Navigate to the
    Monitor > Clients
    menu on the WLC GUI in order to see if the client is
    associated to the WLC. Check if the client has a valid IP address.
    11.
    Disable the Proxy Settings on the client browser until web authentication is completed.
    12.
    The default web authentication method is PAP. Ensure that PAP authentication is allowed on the
    RADIUS server for this to work. In order to check the status of client authentication, check the
    debugs and log messages from the RADIUS server. You can use the
    debug aaa all
    command on the
    WLC to view the debugs from the RADIUS server.
    13.
    Update the hardware driver on the computer to the latest code from manufacturer's website.
    14.
    Verify settings in the supplicant (program on laptop).
    15.
    When you use the Windows Zero Config supplicant built into Windows:
    Verify user has latest patches installed.

    Run debugs on supplicant.

    16.
    On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window, Start
    > Run > CMD:
    netsh ras set tracing eapol enable
    netsh ras set tracing rastls enable
    In order to disable the logs, run the same command but replace enable with disable. For XP, all logs
    will be located in C:\Windows\tracing.
    17.
    If you still have no login web page, collect and analyze this output from a single client:
    debug client
    debug dhcp message enable
    18.
    debug aaa all enable
    debug dot1x aaa enable
    debug mobility handoff enable
    If the issue is not resolved after you complete these steps, collect these debugs and use the TAC
    Service Request Tool (registered customers only) in order to open a Service Request.
    debug pm ssh−appgw enable
    debug pm ssh−tcp enable
    debug pm rules enable
    debug emweb server enable
    debug pm ssh−engine enable packet

  • Guest WLAN and IP Address Exhaustion

    Does anybody know of a way to stop a DHCP Server from doling out IP addresses (and subsequently exhausting the DHCP Scope) prior to performing L3 Web Auth to the WLC?
    The problem arises when Students come into School with their iPhones and such like with the WLAN turned on which exhausts the current Guest WLAN DHCP Scope.  Subsequently when a valid Guest User comes along they are unable to obtain an IP.
    Many Thanks

    Hi,
    This is the challenge that we have with the Guest wireless access!! However, we can use WPA/WPA2-PSK along with the WEB-AUTH, SO that thew clients who provide the right PSK will only be able to grab the IP..
    Regards
    Surendra

  • Guest WLAN and a Office WLAN on 1242AG

    Hi All,
    I have managed to add two WLANS, one for the Office Wireless clients(Staff laptops) and another one for Guests. I have bassicaly created two SSIDs, one broadcasting, other one not(Staff one).
    The AP is a 1242AG and is going to connect to a Catalyst 3750 48T, which is connected to Cisco 877. How can I make the DHCP assignments to both Guest WLAN and Staff WLAN and also do I have to create trunk port in the Switch ( I am thinking like this as I got Two VLANs.)
    Does anyone know or got a sample running config ( in a Switch and in a similar AP)...really appriciate it. Time is running out for me!!!
    Reg
    ND

    Hi,
    here is a config example for exactly you are looking for:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml.
    HTH,
    Tiago

  • Guest LAN and WLAN on Controller

    Hi,
    While creating new ssid, i can see the option guest lan and wlan, whats the difference? which one is preffered?
    Thanks in advance..

    Hi,
    I remember answering this few days and also George joined the thread.. or max week back..
    Guest LAN WLAN =
    1> The clients connecting to the WLAN will have a time limit on the connectivity, for example you can configure the Guest WLAN for 24 hours or something which you want..
    2> I guess George pointed this in the previous thread.. Can be used for Wired Guest Users configuration as well , here is the link..
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008070ba8f.shtml
    WLAN =
    Just nothing but a SSID with security which doesnt have any time limit.
    which one is preffered? =
    Its your network and what ever meets your requirements you can use that.. however both of them does its job with different features involved.
    lemme know if this answered your question..
    Regards
    Surendra
    ====
    Please dont forget to rate the posts which answered your question and mark it as answered or was helpfull

  • Securing Guest Wlan

    I am trying to set up a WLAN with internal users and guest users.
    I have 2 ssid's one visible one hidden, the visible one is for guest use.
    Problem is when I connect to the guest wlan and web auth, I can then ping and telnet to the rest of the corporate network. How do I stop this?

    Hi
    Have you got separate vlans setup ie.
    vlan 10 = users
    vlan 11 = guest
    You would then hand out different IP address ranges for each vlan eg.
    vlan 10 = 192.168.5.0/24
    vlan 11 = 192.168.10.0/24
    Then you can either use a firewall or use access-lists on the vlan interfaces ie. suppose the coporate network was made up of subnets
    192.168.1.0/24
    192.168.2.0/24
    192.168.3.0/24
    Also assume you want to allow your guest users out to the Internet
    access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
    etc..
    int vlan 11
    ip access-group 101 in
    This would allow guest users on 192.168.10.0 to access the Internet but not coporate LAN.
    HTH
    Jon

  • E4200 Wireless Guest and WEP connects, other security settings do not

    I have E4200 with fixed ip 192.168.1.2, DHCP off connected through LAN ports to FIOS ActionTec as 192.168.1.1.  When connecting through wireless network off the E4200, I can obtain and connect fine under Guest network and WEP security, but for any other security setting, WPA, WPA2, Mixed mode, etc.  I get the message "Aquiring network address" forever, and I never get a connection.  How do I troubleshoot?

    Is your FIOS ActionTec wired or wireless modem/router…. From where you are receiving the wireless signals to connect… Which operating System that you are running on the computer? It happens only to a specific computer or it happens to all the computers connected in the network?

  • Guest Anchor N+1: Multiple guest WLANs and Mobility List

    Hi Experts,
    We are going to replace two guest anchor controllers WLC4402 sitting in different DMZs with two WLC5508 as N+1 redundant pair in one DMZ.
    I assume each guest anchor controller should support multiple guest WLANs. Is it correct?
    And between these two new anchor WLCs, do they need to add each other to Mobility List?
    Or maybe I should ask first, does it matter if they are in the same mobility group or not?
    Thanks
    Cedar

    N+1 for guest anchors isn't what N+1 was designed for.  N+1 was designed for redundancy for WLC's supporting access points, not mobility anchors.  This solution might work, but I really doubt Cisco will support this setup, but I can be wrong.... you can always talk with your local Cisco SE or open a TAC case and ask.
    Guest anchors should have a different mobility group name from the foreign WLC's.  You do need the foreign to have both guest anchors and the guest anchor to just have the foreign WLC(s).  The redundant guest anchors do not need to have each other in the mobility group list.
    Thanks,
    Scott
    Help out other by using the rating system and marking answered questions as "Answered"

  • Guest WLAN and DNS tunneling (IP over DNS with iodine, NSTX, etc)

    Hello,
    I'm trying to implement guest WLAN with web authentication on the WLC 2504. L3 for guests WLAN is terminated on ASA 5510 (as subinterface).
    All works pretty fine. Guests clients are prompted to enter login/password, guests are authenticated against ACS and so on.
    But I have a strange idea. How can I prevent unauthorised DNS tunneling from the guest network?
    I think that DNS tunneling can be prevented with dns-guard on ASA and dns inspections, e.g. drop dns packets larger then 512 bytes and perform deep inspection againd packets.
    Any ideas or advices?

    Hello,
    I'm trying to implement guest WLAN with web authentication on the WLC 2504. L3 for guests WLAN is terminated on ASA 5510 (as subinterface).
    All works pretty fine. Guests clients are prompted to enter login/password, guests are authenticated against ACS and so on.
    But I have a strange idea. How can I prevent unauthorised DNS tunneling from the guest network?
    I think that DNS tunneling can be prevented with dns-guard on ASA and dns inspections, e.g. drop dns packets larger then 512 bytes and perform deep inspection againd packets.
    Any ideas or advices?

  • Wireless 5508 controller - Guest Wlan time of day restrictions ?

    Looking to add time of day restrictions to our Guest WLAN that is currently in its pilot phase.
    Is there a way to config time of day access to a WLAN ?
    Any help would be appreciated.
    Cheers
    Dave

    Dave,
    There is nothing in the controller that allows you to do this... However you can achive this in a few manners..
    1) Time ACL on the vlan. But your guest ssid will still be shown.
    2) If you have WCS you can schedule a WLAN enable/disable with a template. This is what some of my customers use. They will create a template that triggers at 6pm to disable the wlan and at 7am enable the wlan.
    I hope this helps.

Maybe you are looking for

  • Help required in connecting to Implicit SSL FTP server

    Hi, I am working on a scenario of File to Idoc. Here the File server (FTP server) is using the Implicit SSL protocol which is not supported by PI. Hence, we thought of using the scripts for this. Using Script we will move the file from the FTP server

  • OC4J Configuration - javax.naming.NameNotFoundException

    Here is a description of the problem we are having: The Problem      We have a remote client that wishes to invoke services that we are going to provide. These services will be accessible via a JNDI lookup from the client's JVM. The client, is operat

  • Mountain Lion OSX & How To Transfer iPhotos to Screensaver

    I found this site http://gigaom.com/apple/10-hidden-things-you-can-do-on-your-mac/ and in it it tells you (prettywell) how to use iphotos as screensavers. What I did was to >system preferences>Desktop & Screen Saver>Screen Saver>Slideshows on the lef

  • Root Components Insertion Not Processed

    HI , I am trying to import Solution from Microsoft Dynamics CRM 2015 On Prem to Microsoft Dynamics CRM 2015 online and I get solution failed saying "Root Components Insertion" not Processed. Have anybody encountered this issue ? Vilas Magar http://mi

  • Apple please read now

    i lost my book with all my info and now my apple account i cant use my 30$ on it, and i know passwork and user but i need to awnser secuirty things which i forgot please help