WLC+Anchor+Guest NAC

Hello all,
I have a few basic clarifications on these components. I have a network with LWAPPs and a WLC on one site, say site A. Let's consider only the guest SSID access as of now. The anchor guest controller is positioned on a DMZ segment on site B. Sites A and B are connected through a routed network. I also have a NAC guest server on site C. Now I want to integrate all these components. As per my knowledge, the following is the traffic flow:
1) When guest users access their SSID, they are mapped to the anchor controller in the DMZ through mobility groups. The WLC then initiates an EoIP tunnel to the DMZ controller. Firewall rules allow all required ports (IP 97, UDP 16666, etc.), and end-to-end IP communication happens.
2) Upon the request, the anchor controller provides an IP address from the DHCP configured locally. In this case, will the default gateway of the PCs be the anchor DMZ controller's WLAN IP, or will it be local to site A (say the L3 switch)?
3) Then, when the user tries to access any site, he is given a web authentication portal, which is linked to the RADIUS server/NAC guest server. During authentication, the DMZ controller again tries speaking to the NAC guest server in site C; hence the firewall has to allow the UDP 1812/1813 RADIUS ports.
4) After authentication, the user browses the internet. Now, what will be the IP packet flow in this instance? Will all traffic first be tunneled across LWAPP to the controller, and from there EoIP'ed to the anchor? Does the anchor then forward it to the internet gateway through the DMZ? As asked before, will the default gateway of the PCs be the WLAN IP of the anchor? If there are too many users, will I create many WLAN SSIDs for guests for site A?
Sorry for the long post.
Raj
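The firewall part of the flow above (EoIP as IP protocol 97 and mobility control on UDP 16666 between the foreign and anchor controllers, RADIUS UDP 1812/1813 from the anchor to the NAC guest server) is easy to get partly wrong, typically by forgetting a return direction or the accounting port. The following is an added example, not code from the thread or from Cisco: a small first-match ACL evaluator that checks a rule set against the flows this design needs. All addresses are constructed; the later reply in this thread that says "new mobility" carries inter-controller data on UDP 16667 instead of EoIP is modelled with the `new_mobility` flag.

```python
"""Audit a firewall policy for the flows a guest-anchor design needs.

Added example, not code from the thread. Hosts are constructed: a foreign
WLC at site A, the anchor WLC on the DMZ at site B, and the NAC guest
(RADIUS) server at site C. Required flows are the ones the thread names:
mobility control on UDP 16666 and EoIP data (IP protocol 97) between the
two controllers, and RADIUS UDP 1812/1813 from the anchor to the NAC guest
server. A later reply notes that "new mobility" carries the inter-controller
data over UDP 16667 instead of EoIP; the new_mobility flag models that.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "udp", "tcp", "ip97" (EoIP) or "ip" for any protocol
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port; None matches any (used for ip97)


@dataclass(frozen=True)
class Flow:
    name: str
    proto: str
    src: str               # single host address
    dst: str
    dport: Optional[int]


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Classic ACL semantics: protocol, source, destination, then port."""
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    if ip_address(flow.src) not in ip_network(rule.src):
        return False
    if ip_address(flow.dst) not in ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == flow.dport


def first_match(rules: List[Rule], flow: Flow) -> Optional[Rule]:
    """First-match evaluation; None stands for the implicit deny at the end."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule
    return None


def required_flows(foreign: str, anchor: str, radius: str,
                   new_mobility: bool = False) -> List[Flow]:
    """Flows the anchor design depends on. Control and data are listed in both
    directions: each controller initiates toward the other, and EoIP has no
    ports for a stateful firewall to track replies on."""
    flows = [
        Flow("mobility control foreign->anchor", "udp", foreign, anchor, 16666),
        Flow("mobility control anchor->foreign", "udp", anchor, foreign, 16666),
    ]
    if new_mobility:
        flows += [Flow("mobility data foreign->anchor (UDP 16667)", "udp", foreign, anchor, 16667),
                  Flow("mobility data anchor->foreign (UDP 16667)", "udp", anchor, foreign, 16667)]
    else:
        flows += [Flow("EoIP data foreign->anchor", "ip97", foreign, anchor, None),
                  Flow("EoIP data anchor->foreign", "ip97", anchor, foreign, None)]
    flows += [
        Flow("RADIUS authentication anchor->NAC guest", "udp", anchor, radius, 1812),
        Flow("RADIUS accounting anchor->NAC guest", "udp", anchor, radius, 1813),
    ]
    return flows


def audit(rules: List[Rule], flows: List[Flow]) -> List[str]:
    """Names of the required flows that the policy does not permit."""
    blocked = []
    for flow in flows:
        hit = first_match(rules, flow)
        if hit is None or hit.action != "permit":
            blocked.append(flow.name)
    return blocked


# Constructed addresses for the three sites in the thread.
FOREIGN_WLC = "10.1.0.10"     # site A
ANCHOR_WLC = "172.16.50.5"    # site B, DMZ
NAC_GUEST = "10.3.0.20"       # site C

# Constructed policy with two typical gaps: the EoIP return direction and
# RADIUS accounting were never added.
SAMPLE_RULES = [
    Rule("permit", "udp", "10.1.0.10/32", "172.16.50.5/32", 16666),
    Rule("permit", "udp", "172.16.50.5/32", "10.1.0.10/32", 16666),
    Rule("permit", "ip97", "10.1.0.10/32", "172.16.50.5/32", None),
    Rule("permit", "udp", "172.16.50.5/32", "10.3.0.20/32", 1812),
    Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", None),
]


if __name__ == "__main__":
    for name in audit(SAMPLE_RULES, required_flows(FOREIGN_WLC, ANCHOR_WLC, NAC_GUEST)):
        print("missing permit:", name)
```

Running it against the constructed policy reports the two gaps; switching `new_mobility=True` instead flags both UDP 16667 directions, which is the mismatch the later reply describes when one controller still expects EoIP.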

Greg,
Thanks again; that was useful too. One last query, and this one was grilling my head:
1) How does the guest VLAN egress work? I have a WLC on a new DMZ of the PIX, with a /27 subnet. This WLAN is used only for EoIP communication. Now, when the guest user gets a DHCP IP, what IP pool should I define here? Since the default route is going to be towards the PIX, it should be one among the 4 interfaces, right now? Or should I have another interface or VLAN DMZ for the egress traffic from the WLC? The SRND says something about dynamic interfaces, but it is not explained at all :(
2) Will the foreign WLC talk to anchor controllers 1 & 2 in load-balancing mode? The reason I'm asking is, if DHCP is defined on anchor 1 and the request goes to anchor 2, then it will be an issue. Otherwise, is it advisable to split up the DHCP scopes between the two anchors, say 1-127 on one anchor and 128-254 on the other?
3) Lastly, about guest NAC servers: I have 2 of them in place. Will the guest database be replicated between them, like what ACS does? If so, is the replication bidirectional? If the lobby admin creates an account, it will be good if he just creates it in one box and the other box replicates it.
Thanks for all your answers; they have been really useful to me, and I think they will be useful for anyone who works on anchor + guest + foreign WLC designs :)
Raj

Similar Messages

  • Guest Nac & WLC issues

    Hello,
    I have a Guest NAC Appliance & WLC 5508, but I want to know:
    1. Can I use the same username and password authenticated in Guest NAC on 3 devices? Example: laptop, Mac, iPhone.
    2. How many usernames can be stored in Guest NAC: NAC3310-GUEST-K9?
    Thanks a lot

    Hi,
    1. Don't see a problem with that, or perhaps I'm not understanding the question right?
    2. No limit in the software, so as many as you like, until your database fills up your hard drive.
    Faisal

  • WLC based mobility-anchor guest access solution

    Hi everybody,
    My new setup with the WLC-based guest access solution is working well. I am using web-based login authentication for the wired & wireless solution, and everything is running throughout the WLC. The WLC is granting access to the internet for the guests. My question is how about printers and other devices that cannot do web-based authentication. How can I get them to work in the same setup?
    best regards,
    Sahin

    For wired, you simply need to configure MAC auth bypass on the printer switchports and point that to the ACS.
    If it's accepted, the port will go in the printer VLAN; if not, you can choose the behavior (block access, put in another VLAN, etc.).
    For wireless, you need to enable "mac filtering" on the SSID, so it's best to create a separate SSID for the printers then, because you want to authenticate those by MAC address and you probably don't want that for the other clients.
    You can then also point the MAC filtering towards ACS on the WLC.
    From there you can either have the MACs stored locally on ACS or in your Active Directory or wherever you want.

  • 3850 as MC and 5508 as Anchor Guest

    Can I use a 5508 WLC with release 7.4.121.0 as anchor guest for a 3850 configured as Mobility Controller?
    The Converged Access (new mobility) is supported only in 7.3.112 or 7.5 and later releases, but I don't need to configure the 3850 as Mobility Agent.
    I need to configure the 3850 to connect to my anchor guest controller 5508 in the DMZ.

    Hi
    You need to run 7.6.110.0 on your 5508 & enable the "New Mobility" feature on your 5508 if you want to have an Anchor-Foreign setup between the 3850 & 5508.
    NB: 7.3.x & 7.5.x codes are deferred, & 7.4.x code does not support this "new mobility".
    HTH
    Rasika
    **** Pls rate all useful responses *****

  • Cisco Guest NAC access reports

    We have just deployed the Cisco Wireless Guest NAC sponsor server. We are running version 2.0.2. I have created different sponsor user groups and one of the groups allows full access to reporting and audit logs. All of the reports seem to be working properly except for the "Access Reports." There are user accounts that have been created and users have successfully logged in; however, the report always shows "No data" no matter what date range I choose. I have attached a screenshot.
    Additional information:
    Our DMZ controller is a Radius client to the NAC. This Cisco controller is running version 6.0.196. I have checked the firewall for any denied traffic from the NAC server to the DMZ controller and the communication is open. We allow port 1812 between the controller and NAC.

    FlexConnect with Split tunneling may work. 
    Read about this feature & see how that can be used in your branch setup. Here is the Ciscolive presentation slides the above came from.
    BRKEWN-2016: Architecting Network for Branch Offices with Cisco Unified Wireless 
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • ISE with CWA and wired guest access via WLC Anchor

    Can an Anchor WLC (WLCa) provide a wired guest LAN service if the wlan guest access is using CWA?
    We are deploying a WLAN-only ISE solution (it is a full license ISE though) but they just want a few wired guest ports.  I was hoping to add an L2 switch to the DMZ where the WLCa is, and that the L2 switch wouldn't need any other config as the WLCa just bridges the wired to the WLAN VLAN.  This I'm sure I have done before.
    So now I have set wired guest the same as I have done before ISE, and my wired clients get an IP address, but when they redirect, the URL they get is different, and the redirect just doesn't work.
    It comes out as:
    https://my_ise_ip:8443/guestportal/Login.action?switch_url=https://my_ise_host/login.html&wlan=my_wired_guest_lan&redirect=www.google.co.uk
    So does my simple L2-only switch need an ISE config on it, or should the WLCa be handling the redirection just as it would for a WLAN device?

    The ISE never receives an auth entry, so I don't believe the redirect is working for the wired client.  So even though the client's browser gets a redirect URL which fails connection, the client info in the WLCa doesn't have a redirect ACL listed like a WLAN client would.

  • 25 APs / Port Anchor WLC versus Guest WLC

    Greetings, first timer here.
    We're adding public internet access to our existing wireless network. We are using a 4402 WLC for our guest controller, and our secure WLC is a 4404.
    Cisco recommends placing a limit of 25 APs per distribution port, and we utilize that practice on our 4404. My question is, once we add the guest controller, which uses the same APs as the Anchor controller, do we have to re-apply the 25 AP/port rule to the guest controller?
    The 4404 obviously has 4 distribution ports giving a max of 100 APs, and the 4402 has 2 resulting in only 50 APs. We've got all of our APs covered by the best practice on the 4404, but would exceed that on the 4402.
    I thought that because the data is moving between the WLCs via the ether tunnel, I was covered by the 4404.
    Thoughts or suggestions?
    I can't seem to find anything in the white papers or best practices.
    Thanks to all
    Larry

    I have no factual information to back up what I am about to say and it may be partially incorrect, but this is how I always explained the process of guest anchoring:
    So the 25 AP suggestion per interface I think is because of the fact that if you had more than 25 APs on one port, you could theoretically be oversubscribing the bandwidth the port could provide (25 AP @ 40 Mbps = 1000 Mbps)...
    Anyhow, unless you plan on actually sending a gig worth of traffic to your Guest Controller, I don't think there is any real need to split your anchor. I'm pretty sure Guest Controllers are usually for internet access, and 1 Gb worth of internet bandwidth sure seems like a lot to me.
    Also, I had always thought of the anchor tunnel similar in nature to an AP LWAPP tunnel. The controller that supports 25 APs is designed to support 25 LWAPP tunnels. The 50AP model, supports 50 LWAPP tunnels. This same logic could be applied to the WLAN Anchor tunnels. Think of each WLAN Anchor Tunnel as an AP connected to a controller.
    When a guest is anchored to the Public Controller, it isn't the AP that is tunneled there nor the client, it is the WLAN. So you could have 25 APs with the same guest WLAN, but really it is still just 1 WLAN anchored to the controller. If for some reason you wanted to do more than 25 different WLANs, then I would suggest splitting those WLANS between your interfaces...
    I think the bottom line though is that if you aren't worried about over-subscribing your interface on the anchor controller, there shouldn't be any concerns.

  • Anchor Guest controller and DHCP configuration

    I checked the Cisco documentation about the DHCP configuration, but I'm not 100% sure which DHCP server address I must use.
    I used as an example the scope 10.240.97.0/24 for our guest users. In this range the DHCP scope and the guest interface are configured. For the management I used as an example the range 10.240.96.0/24. Now I configured our guest WLC and inserted on the guest interface, as primary DHCP address, the guest interface address. After I applied it, I got the message that I can't use this DHCP address. Then I checked the Cisco documentation and found the following description:
    "If DHCP services are to be implemented locally on the anchor controller, populate the primary DHCP server field with the management IP address of the controller"
    Does it mean I must now insert, as the IP for the primary DHCP server on the guest interface, the IP of the management interface, and the controller will then forward the traffic to the internal DHCP scope on the guest subnet and will send it back?
    (DHCP proxy is enabled on the guest WLC.)
    Thanks
    Al

    For the anchor you can use either an internal or an external DHCP server.
    "Does it mean I must now insert, as the IP for the primary DHCP server on the guest interface, the IP of the management interface, and the controller will then forward the traffic to the internal DHCP scope on the guest subnet and will send it back?"
    Yes. The WLC forwards the unicast DHCP request to the management IP for the guest interface. All CPU-generated traffic by default uses the management interface as source address, i.e., SNMP, RADIUS, ping...
    Is your question whether you need routing between the guest and management interfaces?
    No, routing is not required in this case because the interface resides on the WLC's management. Also, for proxy it uses the virtual IP address for DHCP instead of the actual DHCP IP. And only wireless clients can get an IP from the WLC's internal DHCP server.
    If you're using DHCP proxy on the WLC and have an external DHCP server on a different VLAN, then yes, you need routing between the two VLANs.
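The configuration rules in this exchange (management IP in the guest interface's primary DHCP server field selects the internal scope, the interface's own address is rejected, proxy presents the virtual IP to the client, and an external server on another VLAN needs routing) can be checked mechanically before anything is typed into the controller. The following is an added example, not code from the thread or from Cisco: a small model of the configuration plus one relayed DISCOVER/OFFER walk-through. The subnets are the thread's own examples (10.240.97.0/24 guest, 10.240.96.0/24 management); the host addresses, the virtual IP and the relay field names are constructed for illustration.

```python
"""Model of the anchor-controller DHCP arrangement the reply above describes.

Added example, not code from the thread or from Cisco. It encodes the rules
stated there: with the controller's internal DHCP server, the guest interface's
primary DHCP server field holds the management IP (the interface's own address
is rejected); the controller relays the client's request to that address; in
proxy mode the client sees the virtual IP, not the real server, as the DHCP
server; and an external server in another VLAN needs routing between the two
VLANs. Subnets reuse the thread's example ranges; host parts and the virtual
IP are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple


@dataclass
class WlcDhcpConfig:
    management_ip: str
    virtual_ip: str                  # address the proxy presents to clients
    guest_if_ip: str                 # guest dynamic interface address
    guest_if_net: str                # guest dynamic interface subnet (CIDR)
    primary_dhcp_server: str         # "Primary DHCP server" field on that interface
    internal_scopes: Dict[str, str]  # scope name -> CIDR served by the WLC itself
    dhcp_proxy: bool = True


def uses_internal_server(cfg: WlcDhcpConfig) -> bool:
    """Pointing the interface at the management IP selects the internal server."""
    return cfg.primary_dhcp_server == cfg.management_ip


def validate(cfg: WlcDhcpConfig) -> List[str]:
    """Findings against the reply's guidance; an empty list means consistent."""
    findings = []
    guest_net = ip_network(cfg.guest_if_net)
    if cfg.primary_dhcp_server == cfg.guest_if_ip:
        findings.append("primary DHCP server is the guest interface's own address; the WLC rejects this")
    if uses_internal_server(cfg):
        if not any(ip_network(c) == guest_net for c in cfg.internal_scopes.values()):
            findings.append("internal DHCP selected but no internal scope matches the guest subnet")
    elif ip_address(cfg.primary_dhcp_server) not in guest_net:
        findings.append("external DHCP server is in another VLAN; routing between the guest and server VLANs is required")
    return findings


def next_free(net, reserved: Iterable[str]) -> str:
    """Lowest host in the scope that is neither reserved nor already leased."""
    taken = {ip_address(a) for a in reserved}
    return str(next(h for h in net.hosts() if h not in taken))


def proxy_exchange(cfg: WlcDhcpConfig, client_mac: str,
                   leased: Iterable[str] = ()) -> Tuple[dict, dict]:
    """Walk one DISCOVER/OFFER through the controller.

    Returns (what the controller sends to the server, what the client receives).
    """
    problems = validate(cfg)
    if problems:
        raise ValueError(problems[0])
    # The client's broadcast on the guest WLAN is relayed as unicast to the
    # configured server, tagged with the guest interface as the relay address.
    relayed = {"dst": cfg.primary_dhcp_server, "giaddr": cfg.guest_if_ip, "chaddr": client_mac}
    # Whichever server answers allocates from the scope matching the relay address.
    yiaddr = next_free(ip_network(cfg.guest_if_net), [cfg.guest_if_ip, *leased])
    real_server = cfg.management_ip if uses_internal_server(cfg) else cfg.primary_dhcp_server
    # In proxy mode the real server address never reaches the client.
    offer = {"yiaddr": yiaddr, "server_id": cfg.virtual_ip if cfg.dhcp_proxy else real_server}
    return relayed, offer


# Constructed configuration in the thread's example ranges.
ANCHOR_CFG = WlcDhcpConfig(
    management_ip="10.240.96.10",
    virtual_ip="192.0.2.1",               # constructed; a non-routed address
    guest_if_ip="10.240.97.1",
    guest_if_net="10.240.97.0/24",
    primary_dhcp_server="10.240.96.10",   # management IP => internal scope
    internal_scopes={"guest": "10.240.97.0/24"},
)

# The asker's first attempt: the guest interface pointing at itself.
REJECTED_CFG = WlcDhcpConfig(
    management_ip="10.240.96.10", virtual_ip="192.0.2.1",
    guest_if_ip="10.240.97.1", guest_if_net="10.240.97.0/24",
    primary_dhcp_server="10.240.97.1", internal_scopes={"guest": "10.240.97.0/24"},
)

if __name__ == "__main__":
    print(validate(REJECTED_CFG))
    print(proxy_exchange(ANCHOR_CFG, "00:11:22:33:44:55"))
```

With `ANCHOR_CFG` the relayed request goes to the management IP while the client's offer names only the virtual IP, which is the behaviour the reply describes; `REJECTED_CFG` reproduces the error the asker hit.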

  • WLC 5508 Guest termination Tunnel

    Hi to all,
    I've a question regarding guest wireless access: can the WLC 5508 do the guest termination tunnel as the WLC 440X does? I suppose yes... or better said, I hope yes ;-)
    What about the AP support? Can I mix, as is possible with the 440X, where the internal WLC is licensed for 50 APs and the external one for only 12?
    Thanks for a feedback!

    It sounds like you're running into the same project as me. I have all 4402's and was considering upgrading to a 5508 for our headquarters. This happens to be our guest anchor as well. To ensure that mobility will work, which is a requirement for guest, carefully read the version 6 release notes. In a nutshell though, I've found that this will work with 4.2 code and up to version 6 on a 5508. I'd check the release notes to be exactly sure of the 4.2 release though. 4.2.205.0 has been working well for me. I don't have our 5508 yet, but I'll provide an update once it gets here. In a perfect world, having the same version 6 release on the 4402's and the 5508 will ensure you don't have anchor / mobility problems.
    As far as the different AP licenses go on the controllers, this will only affect the size of the network you can have at each site (because it restricts the number of AP's, ie. 25 versus 12). You can definitely use guest on a 50 AP controller with a 12AP controller at the other site. They don't have to match...

  • Anchor Guest 3.2.171.6 Web Authentication page issue

    Hi folks,
    I'm having issues with our anchor controller here running 3.2.171.6, using a chain certificate for our web authentication redirect page to a web server. Sometimes the guest clients are not redirected to the web authentication page. After I reboot the anchor, this resolves the issue. I need to use this code to support the IPsec VPN module. Any ideas would be appreciated.

    You need to try to find a non-chained certificate. I know that most CAs do not use these anymore, but you need to find one. The WLC does not support chained certificates until 5.2. It may work, but it is not supported.
    HTH,
    Steve

  • WLC Lobbyadmin Guest Process

    Hi all, I have recently setup a WLC 4402 with LWAPP 1242AG's. I have a guest SSID setup that gets fired straight out to the internet. I enabled the Lobbyadmin feature but would like to know how other people have handled getting reception to distribute the ID's.
    When they log in to create the ID and click generate password, the password pops up in a browser window that cannot be copied and pasted. This then relies on the receptionist typing this correctly on a form to hand over to the guest with their details.
    I have read elsewhere on this forum that a guy got a perl API to create guest accounts but I do not have the software development skills to make use of this. How do other people provide their guests with userid's and passwords?
    It would be nice to have a form that could be exported telling the user their userid, password and when it will expire.
    Cheers
    Brian

    Hi Brian.
    From what I've read on this forum, most people seem to do it via WCS. WCS adds cool features to the guest provisioning process such as being able to schedule the start and end dates of the guest's lifetime, perform some basic group management operations, add customer banners and, most importantly, being able to print or email the guest's logon details.
    On a grander scale than WCS, Cisco offers the NAC Guest appliance, which is probably the right way to go if you're going to offer guest access commercially or on a large scale (e.g. every employee being a guest administrator, such as happens at Cisco).
    Hope this helps.
    Regards,
    Justin

  • WLC for GUEST network hangs and requires restart

    I have a remote site customer that is getting support calls saying that guest users cannot login to the wireless "guest" network. When they try to access it, the browser hangs up when trying to load the redirect page.
    When they restart the controller, it begins working again. The WLC version is 5.0.148.0. Has anyone seen this issue? If not, what would be the best way to troubleshoot?
    Thanks for any help.

    5.0.148.0 has a lot of bugs; I suggest you keep on using 4.2.112 at this moment until the maintenance release of version 5 comes out. This is one of its bugs: CSCsm98250.
    Symptom:
    Webauth and controller access via HTTP or telnet/SSH stop working.
    Conditions:
    After the controller was upgraded to 5.0, randomly webauth and controller access via HTTP or telnet/SSH stop working.
    Workaround:
    Reboot controller.

  • Wlc 5508 : guest users to be configured only give access for internal SAP application

    Hi,
    I have one new requirement with one of the clients.
    I have a WLC 5508 with 6.0 firmware. I need to have one guest WLAN which will have access only to an internal SAP application.
    I have gone through the Cisco document for internet guest users, where a web page is presented with username and password; once it is authenticated, we can access the internet.
    That is provided we have an access list configured in the WLC for internet access only.
    What about this mentioned scenario?
    Can anybody suggest on the same?

    Hi Vinod,
    Go for the ACL on any router or switch; I prefer not on the WLC.
    http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
    Here is the link as well to do it on the WLC:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807810d1.shtml
    Let me know if this answered your question.
    Regards
    Surendra

  • WLC 2504, guest user life time

    Hi,
    Can't we create a guest user login with more than 30 days lifetime? In the lifetime field we can enter a maximum of 99, but it only allows up to 30.
    Any idea?
    Thanks.

    Hi, no, the limit is 30 days if the user is created in the WLC.
    Info from the user guide = Range: 5 minutes to 30 days
    You'd configure a longer lifetime if you use the WCS/NCS.
    If you configure 90 days via the WCS/NCS, you also see 30 days on the WLC, but the WCS/NCS will update this until the 90 days are over.
    Kind regards,
    Ron

  • Pointing the Cisco 3850 as a Mobility Controller to a central 2504 WLC anchor

    There are multiple sites running 3850 as MA/MC with local wireless access.
    There is a 2504 running at a central location set up with an SSID for internet access. The 2504 is running software 7.6.120.
    Can I set up a mobility anchor from the 3850 MC to the 2504 (with new mobility enabled) to utilize the internet service?
    Most documentation I read seems to suggest having the 3850 set up as MA and using a 5760 as MC.

    I tested the NME-AIR-WLC6-K9 (software version 7.0.230) on a Cisco 2821 (I cannot find a spare Cisco SRE 300 ISM to test). It cannot connect to a Cisco 5508 (software version 7.6.130) running New Mobility. I must turn off New Mobility on the Cisco 5508 before the anchor connection can be established.
    This is expected, as 7.0.x only supports EoIP-based tunnels for inter-WLC data traffic. Once you enable new mobility on the 5508, the inter-controller data tunneling is based on UDP (16667) instead of EoIP.
    Unless both ends are configured for the same tunneling method, it won't work. New mobility is supported in AireOS 7.6.x & 8.0.x as supported software versions (it was supported in 7.3.x & 7.5.x, but all those codes are deferred).
    HTH
    Rasika
