WLC guest configuration

Similar Messages

• WLC Guest Tunnel

  Hi,
  I've some questions about Guest Tunneling, since the docs on CCO is not so complete.
  Right now I've 2WLC4400 Series in a redundant way with 2 WLANs, 1WLAN per AP Group. All the APs are setup as H-REAP node.
  We've to setup a WLC in DMZ so that Guest WLAN traffic will be tunneled from the internal WLC to the DMZ and all is fine.
  The WLAN Guest and the interface should be defined both on internal and DMZ WLC...isn'it? the DHCP Server should be setup in DMZ?
  Then I'll setup the mobility Anchor between WLC#1 internal and WLC DMZ and between WLC#2 internal and WLC DMZ correct?
  What about the AP sice are setup like H-REAP Node with switch port as access?
  Many thanks for helping me find a solution

  Hi fella,
  Tnx a lot for the useful infos...are you sure??? maybe i'm missing a piece of the puzzle...let's do a resume:
  - My APs on different IP Subnet are configured as H-REAP nodes
  - my internal WLCs are configured with more WLANs to do central AUTH and LOCAL switching
  - my WLANs since are in H-REAP mode are mapped the to AP-Manager interface of the WLC
  - the WLC in DMZ, behind a Firewall, is configured with mobility group to be "in the same one" with the internals WLCs
  - the Guest WLAN, defined on internal and external WLCs is mapped to AP-Manager IP to be LWAPP Tunneled (central Switching) and spread on all my APs
  - the Guest WLAN will be anchored from the internal WLCs to the external one.
  So basically one WLAN client which will connect to Guest WLAN, all traffic will be LWAPP tunneled from AP MGMT IP to WLC AP-Manager IP and then, since this WLAN is anchored to the DMZ WLC, the traffic will be EoIP tunneled to this WLC where is active an DHCP Server.
  After the client is receving an IP Address from the WLC's DHCP Server the Firewall in front of the WLC will be block all the access to the internal IP subnet and permti only to be routed to the external of the enteprise...
  Am I wrong with something?
  Thnxxxxx

• WLC Guest portal - External DNS issue

  I have an interesting behavior.  When my guest users attach to the guest network, I want them to use some external DNS source and not my organizations DNS servers.  So, I set the dhcp scope options to point to other DNS Servers.  When I do, the users don't seem to be redirected to the WLC guest portal, they get nothing and because of that, they cannot get to the Internet.
  I am not sure why this is happening.  The re-direction URL is https://1.1.1.1/login.html?redirect=www.google.com?/ocid=iehp
  I don't understand why pointing a guest client to an external DNS servers would cause the guest login page not to come up.

  The issue is likely that you are attempting to redirect an HTTPS page. See this link for more information:
  http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html#anc7
  You didn't mention your code rev, but it seems that 8.0 is able to redirect HTTPS for guest portal.

• WLC - Wlapp configurations problems

  Hello,
  I have connected the WCS to Wlc and WLC to AP
  after giving the WLC basic configurations and AP management ip add, still i can not see the AP from the controller.
  should I configure each ap manually and give it an ip add ? or it is enough to put the AP management ip add in the controller?

  If you can actually manage the WLC using the WCS, you can "force" the WCS to "discover" the AP attached to this WLC.
  Simply, in Controller tab, select your WLC and in the upper right list select "refresh config from controller" and GO, then WCS ask you if you want to keep the configuration of the WLC stored in WCS database or "refresh" it deleting the actual configuration; check delete and Go.
  Finally, You can review if the AP now is shown by the WCS or not.
  Best Regards.

• Guest configuration with WLC

  i am using WLC 4402 with firmware 5.1 and 1252 Access Point.
  i am in trouble to configure guest access with the WLC.
  i have configured interface in WLC under CONTROLLER->INTERFACES->GUEST.
  WHEN I SELECT THIS INTERFACE AS GUEST IT DOESN'T TAKE IP ADDRESS INFORMATION. IN THIS CASE I HAVE TO UNCHECK GUEST SELECTION BOX.
  AND I GOT DYNAMIC INTERFACE WITHOUT IP ADDRESS.
  AFTER DOING THIS I CREATE WLAN NAMED GUEST AND ENABLED IT.
  i have put guest interface as a ingress interface and management as egress interface and applied web auth successfully but still it is not showing me guest SSID when i try to search it.
  help me
  plz
  thanks

  Have you gone through these documents yet?
  Wired Guest Access using Cisco WLAN Controllers Configuration Example
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml
  Guest WLAN and Internal WLAN using WLCs Configuration Example
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008070ba8f.shtml
  Hope these will help you.

• WLC Guest Account Configuration

  Hello,
  I have been trying to set up a guest WiFi network using a 2504 series WLC. I have configured the switch, the router, and the firewall for the IP Schema that I want to use for the guest network, but I am unable to get this process working. I have a CAPWAP configuration example that I followed as well as a LWAPP example. I don't have a LWAPP but I do have a CAPWAP. I want to breakdown my network into two separate networks: one for internal use and one for the guest. I am able to connect to the internal network correctly and can ping and gain access via the WAP after I completed my configurations, but I am not able to use the 10.0.0.0 network that I configured for the guest network. I can ping the default router address of 10.0.0.11 from the WLC. I also want to use web authentication as a way to set up the guest network for authentication and the virtual address of 1.1.1.1 does not appear as the authentication method.
  I would appreciate any help on this issue. I have been working on this issue for some time with no luck. Any suggestions on things I could try would be great.

  refer :
  http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-vlan/70937-guest-internal-wlan.html#proc

• Cisco WLC 2125 configuration help

  So in a nutshell, from My computer I can ping all VLANS - everything seems to in workding order.
  when telnet to the HP 5406zl core routing switch I can ping all VLANs and other parts of the network
  But when logged into the Cisco wireless Lan Controller I cant ping VLAN 108 gateway IP (172.24.156.2 ) from the neighbour switch or other services on this VLAN
  for example cant ping the DHCP on this vlan from WLC.
  The neighbour switch can ping IP of the management interface created on the WLC
  WLC cant ping VLAN 108
  WLC can ping all other VLAN 102,104,106
  Not sure where the problem is ??
  Configure Dynamic Interfaces on the WLC for the Guest and Internal Users - DONE
  Create WLANs for the Guest and Internal Users - DONE
  Configure the 5406zl Layer 2/3 Switch Port that Connects to the WLC as Trunk Port allowing the relevant vlans i.e. management vlan, vlan 102 and Vlan 108 - DONE
  Configure the Switch Port that Connects to the AP to VLAN 102 - DONE
  configure virtual interface IP 1.1.1.1 - DONE
  Configure the Router for the WLANs - DONE
  LAP is registered to the WLC - DONE
  WLAN and SSID broadcast - OK

  Not at present it is not, the port on the 5406zl that the WLC is connected was setup as a trunk group and All VLAN tagged.  When I tried this I lost all connectivity to the WLC.  Is there something on the WLC that need changing also?.

• WLC Guest Setup thru Palo Alto Firewall

  We currently have a Guest wireless setup at my company, instead of using a anchor controller we have dual contorllers with each having one interface connecting out into our dmz and then going out.  it's a pure L2 connection and exits out to the internet via a DMZ interface on our ASA.  We recently purchased a PA-200 Palo Alto firewall to use for this Guest network, and configured everything exactly how it's all ready setup on our dmz switch and asa with the same ip addresses.  When we connect the outside interfaces from the controller to a L2 switch that's connected to the Palo Alto firewall we can't get dhcp requests thru and have no connectivity, even if we set a static IP on our client we still have no connectivity and it won't redirect us.  We use Web-Auth for our authenication with this network and I know once you get an IP address it will only allow dns to redirect to the virtual IP for authenication before it allows anything else but it is the exact same setup as we had before just with a different firewall so I'm stuck.  Also if I plug directly into the switch via ethernet cable I can get an IP address and get out to the internet.  Is there anyone who has experience with this type of setup, or might know what I need to allow on the firewall for it to work?  I've attached a diagram of the basic topology we have setup.
  Thanks

  Hi Rod
  You WLC interface and PA interface config look correct. I assume you have policies rules on the PA to permit traffic from your guest zone to the destination. You will also require a policy on the PA to permit traffic from the guest zone to the guest zone as the default route for the subnet is on the PA and any traffic to the IP is filtered by the policies.
  I have my WLC doing DHCP for my guest subnet as your guest SSID/vlan is probably central switched on the WLC its the easiest way to do this. The PA has no DHCP helper function as far as I am aware and I've never tried passing DHCP requests through a PA via a centrally switched SSID. I assume 10.118.6.112 is the management IP of your controller? if its not try changing the IP to your controller management IP if your not getting DHCP
  I'm not sure how your guest system works but I have an SSID which has a web-auth policy fowarding the guest auth to an authentication server with a webconsole which the passes a radius auth session back to the WLC.
  Do you have any other SSID's configured to use that physical port on the WLC? Even if there HREAP and not using the interface.
  Do you also have the web policy configured correctly on the SSID? I assume you want the browser to redirect to the guest web login page when they connect to the SSID. Are you using an external server for this or the WLC?

• WLC Guest access Daily user/password

  Hi,
    I have a WLC 2100 and 1131 LAP's does anyone know whether it is possible to create a local net guest user that either has a changing daily password or whether it is possible to create multiple users that are only valid for a specific time period. Basically all i want to do is, once a month create new users or passwords for each day of the month and the credentials are only valid for that day.  I can see that i can time limit users but this would mean creating the user at midnight every day.
  Many Thanks

  Hi,
  Q1: it is possible to create a local net  guest user that either has a changing daily password?
  A1: No that is not possibe on WLC local guest users
  Q2: it is  possible to create multiple users that are only valid for a specific  time period?
  A2: Yes, you have lifetime per guest user that can be configured.
  For your requireent, You need to maybe have a look to other Guest appliance like the NAC Guest Server, or create the user DB on ACS Radius Server for time restrictions.
  Thx
  Serge

• WLC Guest Access Randomly and Print

  Hi all, in my company have asked me a solution where automatically creates the guest account with username and password randomly. Is this solution possible to implement? With only the WLC?    p.s. you also know which models \ brands of printers allow you to press a button and print a receipt(with user\password) that can be integrated with the WLC??  Thank you.

  Hi Marco,
  WCS is software of license. right. But it is now being replaced by NCS; its elder brother, which is an appliance. I think WCS now is out of sale and NCS is what is available (not sure).
  No modifications need to be done on WLC. you only add the WLC to the WCS (or NCS). This needs correct SNMP information to be configured on both sides.
  If you have some programming experience you may implement the random username/password implementation yourself. Just capture the traffic when WCS send an SNMP packet to the WLCs to create the guest account. Whenever you want to create a user you specify same packet but change the usrename and the password and send the same packet to the WLC. Of course you need the sender IP address to the SNMP community list in the WLC.
  For the printer part it is a bit harder. your program should be integrated with the printer and prapare the layout that will be printed.
  HTH
  Amjad

• WLC Guest Internet - Wired Guest Question.

  We're currently not running a version on our WLC's that supports wired guests (4.1.185) but am evaluating upgrading to 4.2.112. What is the current limitation of wired guests? Is it 5, curious as to why this is if so. My question develops out of this in this scenerio:
  Our main campus is on LWAPP, our secondary campus is not at this point. So the secondary campus is running something different fro Guest access (Chillisoft). I'm curious if a backhaul a vlan over to the other campus that has the Cisco Guest Internet from the WLC and redistribute it from Campus2's core, then add the vlan to the AP's there how this would work out. I know I can get the vlan over there, that's simple and we do it for a few other things, but not sure how well it'd work out for this environment. I 'think' the only thing stopping me would be any wired user limitations, which am curious as to why there is if there is.

  There is no need to backhaul the VLAN from one campuis to other. Just configuring the same VLANs induvidually on the APs would do. Here is a deployment guide http://www.cisco.com/en/US/docs/wireless/technology/guest_access/technical/reference/4.1/GAccess_41.html for WLC.

• WLC Guest WEB Authentification

  Hello,
  I would like to configure on a WLC 2504 Internet-Access for Guests through a web authentication.
  But I always find configuration instructions only describe the with the additional anchor WLC?
  This works but also without anchor WLC, right?
  Can anyone give a hint on where I find a manual for it (ideal for Release 7.4 or 7.5) to me.
  Thank you
  Alexander

  It does indeed. When I use the foreign controller for guest access, I often will use a 5508 in port mode (non lag) and break out a port for guest.
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

• WLC - guest account multiple users

  Hi,
  I have been looking at guest access features of the WLC and I can see the ability to specificy an account duration as a Lobby Ambassador but does the WLC support multiple logins per guest account?
  I.e. I want to create a single guest account for use by 100 users. Is there any way to achieve this or would I need to create 100 individual guest user accounts?
  Many thanks,
  Paul.

  Paul,
  If you have WCS available, you can import a .csv file that contains the proper information for usernames/passwords:
  http://www.cisco.com/en/US/docs/wireless/wcs/7.0/configuration/guide/7_0temp.html#wp1102820
  Example file would look like:
  Username   Password   Profile     Description
    User1      Cisco      Any Profile Net User 1
    User2      Cisco                  Net User 2
    User3      Cisco      Internal    Net User 3
  The other option I can think of would be to build a list of command line configurations for the WLC, and manipulate the list with your already created usernames/passwords in a text editor. The command to configure a guest user on the WLC CLI is:
  config netuser add wlan userType [lifetime ] [description ]
  Thanks,
  -Patrick

• WLC 5508 Configuration

  Hi Team,
  Just i want to know below configuration are possible with WLC 5508.
  Can we define specific timing to keep an account enabled. For e.g. 9:00AM to 9:00 PM from <x> date to <y> date?
  -          Can we authenticate the “lobby admin” user through TACACS?
  -          Can we enforce password change for guest user when he login for the first time?
  Regards,
  Jana

  Can we define specific timing to keep an account enabled. For e.g. 9:00AM to 9:00 PM from date to date?
  ans:- Yes through if you integrate WLC through ISE then its possible:-
  Step 1 Choose Administration > Web Portal Management > Sponsor Group Policy.
  Step 2 Click the Action icon and choose an option.
  Step 3 Enter a name for the new policy.
  Step 4 Choose the identity group to be associated with the policy.
  Step 5 (Optional) Choose additional conditions by choosing one of these options:
  •Select Existing Condition from Library to choose an existing simple, compound, or time and date condition
  •Create New Condition to choose an attribute, operator, and value from the expression builder.
  Step 6 Choose the sponsor group to associate with this sponsor group policy.
  Step 7 Click Save.
  -          Can we authenticate the “lobby admin” user through TACACS?
  for this you need ACS as ISE dont suport TACACS right now.
  -          Can we enforce password change for guest user when he login for the first time?
  Yes through ISE its possible.

• WLC 5508 Configuration Query

  Hi Team,
  Just i want to know below configuration are possible with WLC 5508.
  Can  we define specific timing to keep an account enabled. For e.g. 9:00AM to 9:00 PM  from <x> date to <y> date?
  -          Can  we authenticate the “lobby admin” user through TACACS?
  -          Can  we enforce password change for guest user when he login for the first  time?
  Regards,
  Jana

  You can do this with Cisco's ISE, but not all just using the WLC lobby admin feature
  Can  we define specific timing to keep an account enabled. For e.g. 9:00AM to 9:00 PM  from date to date?
  > No... the lobby admin can create only from the start of the guest credential creation and can set how many days, hours, minutes, seconds, until that credential expires.
  -          Can  we authenticate the “lobby admin” user through TACACS?
  > Yes
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080871921.shtml
  -          Can  we enforce password change for guest user when he login for the first  time?
  > No you can't
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"