WLC Guest Internet - Wired Guest Question.

We're currently not running a version on our WLC's that supports wired guests (4.1.185) but am evaluating upgrading to 4.2.112. What is the current limitation of wired guests? Is it 5, curious as to why this is if so. My question develops out of this in this scenerio:
Our main campus is on LWAPP, our secondary campus is not at this point. So the secondary campus is running something different fro Guest access (Chillisoft). I'm curious if a backhaul a vlan over to the other campus that has the Cisco Guest Internet from the WLC and redistribute it from Campus2's core, then add the vlan to the AP's there how this would work out. I know I can get the vlan over there, that's simple and we do it for a few other things, but not sure how well it'd work out for this environment. I 'think' the only thing stopping me would be any wired user limitations, which am curious as to why there is if there is.

There is no need to backhaul the VLAN from one campuis to other. Just configuring the same VLANs induvidually on the APs would do. Here is a deployment guide http://www.cisco.com/en/US/docs/wireless/technology/guest_access/technical/reference/4.1/GAccess_41.html for WLC.

Similar Messages

  • WLC - Layer 3 Wired guest lan ?

    Hello
    Has anyone been able to do this with a WLC, configuration guidlines say :"
    "Wired guest access ports must be in the same Layer 2 network as the foreign controller."
    Anyone know if Cisco is working on making this solution work on L3 aswell ?
    Regards,
    Gk

    Hi gudmundurk,
    I'm not sure if they would consider it worth developing as you would have to create a tunnel between the guest vlan's gateway and the subnet that the controller is on to keep your network secure anyway. Unless someone out there knows..........
    Regards
    Scott

  • Wired guest access on WLC 4400 with SW 7.0.240.0

    Hello,
    after we upgrade our Wlan-controller 4400 from software 7.0.116.0 to 7.0.240.0
    wired guest access don't work anymore.
    All other things works fine, incl. WLAN guest access!
    When we try wired guest access, we get the web-authentication page and can log in.
    On the controller we can see that the Policy Manager State changes from WEBAUTH_REQD
    to RUN.
    But then there is no access to the internet.
    We tried also SW 7.0.250.0, same problem!
    Log Analysis on the WCS:
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :The WLAN to which client is connecting does not require 802 1x authentication.
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client does not have an IP address yet.
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client L3 authentication is required
    Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client Moved to DHCP Required State.
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Mobility role update request. from Unassociated to Local Peer = 0.0.0.0, Old Anchor = 0.0.0.0, New Anchor = 10.101.200.11
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Mobility role changed. State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :DHCP successful.
    Time :03/12/2014 14:21:26 MEZ Severity :ERROR Controller IP :10.101.200.11 Message :Client got an IP address successfully and the WLAN requires Web Auth or Web Auth pass through.
    Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client IP address is assigned.
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Webauth user logged in to the network. manni
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :AAA response message sent.
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client has completed Web Auth successfully.
    Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client has completed Web Auth successfully.
    Trying http://www.google.de .... doesnt work. No Log Entries. Next entries while logging out.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Web auth is being triggered again.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client L2 authentication has been completed successfully.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client Moved to DHCP Required State.
    Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :WebAuth user Logged out from network.
    Has someone a idea how to solve this problem?
    Regards
    Manfred

    Hi
    Yes got it resolved. It turns out that the connection from the wired guest access port to the WLC must be L2. That is the switch that the wired guest acces sport is connected and WLC are connected to must be L2 only. We were using a single switch to do the testing and it was also doing the routing for the test LAN. Even though there was no L3 VLAN interface configured for the VLAN that the guest access port was on for some reason this breaks it. Absolu Didnt have chance to work out the exact limitations of this as we simply made the switch L2 only and configured an 802.1Q trunk to the Internet router and made subinterfaces on the router for the wired and wireless egress ports and it worked then. No config change was needed on the WLC at all.
    The only thing I can think of is that it's something about the way the WLC joins the wired guest access ingress VLAn and egress VLAN. The WLC isn't a reall router it says so in the documentation. I think the packet coming from the wired access port is being bridged to the egress VLAn not routed and this is what screws it up (remeber with a router the source and destination MAC addresses would be changed with a bridge they aren't). Got to be something along those lines. If you have a bigger newtork with a guest anchor WLC handling this function you dont run into this as the traffic is coming over an EOIP tunnle from the remote WLC so the switch with the guest anchor WLC doesnt see the MAC address of the wired guest PC.

  • Wired guest access with 5508

    Hi
    I have setup wireless guest access for a customer with a single 5508 and web authentication no problem at all. He then wanted to test wired guest access. The 5508 is currently connected to a single 3560 switch. The wired clients get a DHCP address OK but cannot reslove DNS and thus don't get redirected to teh guest login portal. I have even tried turning of all L3 security to no avail. The setup is as follows
    VLAN 101 access points and 5508 management interface
    VLAN 102 wired guest access dynamic ingress (L2 config only no SVI on 3560)
    VLAN 103 wireless guest dynamic egress nterface L3 network with SVI on switch
    VLAN 104 wired guest dynamic egress interface L3 network with SVI on switch
    There are two DHCP pools setup on the WLC one for the VLAN 103 and one for the VLAN 104 subnets.
    The internet router is also connected to the 3560 on a sepearte VLAN with an SVI. the 3560 has a default route to teh internet router and teh DHCP pools give the DHCP clients a default gateway of the IP address of dynamic interface 103 or 104. The Internet routre can ping the WLC on both these addresses.
    LAG is enabled on teh WLC and VLANs 101-104 are trunked to it from the 3560.
    I even tried making the wired guest egress interface the same one as for wireless. The wired clientys now got an IP address on the wireless range but still couldnt pass any traffic. It's like the intrenal bridging on teh WLC between VALN 102 and 104 (or 103) is broken. Tried both the lates 6.x and 7.x software on the WLC. Any ideas ? All the problems I can find with this seem to relate to not gettingas far as a DHCP address but that works fine.
    Thanks
    Pat

    Hi
    Yes got it resolved. It turns out that the connection from the wired guest access port to the WLC must be L2. That is the switch that the wired guest acces sport is connected and WLC are connected to must be L2 only. We were using a single switch to do the testing and it was also doing the routing for the test LAN. Even though there was no L3 VLAN interface configured for the VLAN that the guest access port was on for some reason this breaks it. Absolu Didnt have chance to work out the exact limitations of this as we simply made the switch L2 only and configured an 802.1Q trunk to the Internet router and made subinterfaces on the router for the wired and wireless egress ports and it worked then. No config change was needed on the WLC at all.
    The only thing I can think of is that it's something about the way the WLC joins the wired guest access ingress VLAn and egress VLAN. The WLC isn't a reall router it says so in the documentation. I think the packet coming from the wired access port is being bridged to the egress VLAn not routed and this is what screws it up (remeber with a router the source and destination MAC addresses would be changed with a bridge they aren't). Got to be something along those lines. If you have a bigger newtork with a guest anchor WLC handling this function you dont run into this as the traffic is coming over an EOIP tunnle from the remote WLC so the switch with the guest anchor WLC doesnt see the MAC address of the wired guest PC.

  • Wired guest lan authentication through NGS

    Hello Guys,
    We have 5508 controller running ver 7.2.110.0.We have configured wireless guest and wired guest WLAN profiles and assosicated necessary dynamic interfaces to it. The authentication for both wireless and wired guest is through Cisco NGS[NAC]. I have configured Webauth and added the server in the security tab for authentication. I have guest user accounts created in NGS, if I use wirless guest the auth works perfect. But the same credentials is not working with wired guest. Any advice on this issue would be really helpful
    Regards
    Krishna

    Hey Scott,
    Yes NGS is working as Radius. However I haven't checked on WLC neither NGS log to see if there is any but let me look into that. No other names also doesn't work. I did run a debug on WLC while the user was authenticating below is the output
    Output of debug for wireless user where I am getting Accept message for auth at the end
    User IP ADDR - 172.22.207.157
    *aaaQueueReader: Aug 20 09:44:29.940: 00:23:14:ec:3d:38 Successful transmission of Authentication Packet (id 190) to 194.156.169.111:1812, proxy state 00:23:14:ec:3d:38-00:01
    *aaaQueueReader: Aug 20 09:44:29.940: 00000000: 01 be 00 a2 cd 8f 91 44  a2 4f 85 f1 04 f7 14 9a  .......D.O......
    *aaaQueueReader: Aug 20 09:44:29.940: 00000010: d0 3e 42 94 01 1b 6d 61  68 65 62 6f 6f 62 2e 6b  .>B...maheboob.k
    *aaaQueueReader: Aug 20 09:44:29.940: 00000020: 68 61 6e 40 61 6d 61 64  65 75 73 2e 63 6f 6d 02  [email protected].
    *aaaQueueReader: Aug 20 09:44:29.940: 00000030: 12 34 fc 96 01 47 ed 5e  d3 8d 08 4e 72 ce 1d b5  .4...G.^...Nr...
    *aaaQueueReader: Aug 20 09:44:29.940: 00000040: da 06 06 00 00 00 01 04  06 ac 16 cf 83 05 06 00  ................
    *aaaQueueReader: Aug 20 09:44:29.940: 00000050: 00 00 0d 20 0b 42 4c 52  57 4c 43 4f 30 31 3d 06  .....BLRWLCO01=.
    *aaaQueueReader: Aug 20 09:44:29.940: 00000060: 00 00 00 13 1a 0c 00 00  37 63 01 06 00 00 00 01  ........7c......
    *aaaQueueReader: Aug 20 09:44:29.940: 00000070: 1f 10 31 37 32 2e 32 32  2e 32 30 37 2e 31 35 37  ..172.22.207.157
    *aaaQueueReader: Aug 20 09:44:29.940: 00000080: 1e 10 31 37 32 2e 32 32  2e 32 30 37 2e 31 33 31  ..172.22.207.131
    *aaaQueueReader: Aug 20 09:44:29.940: 00000090: 50 12 ef 00 53 8b 39 31  14 93 b3 82 1c f5 b5 51  P...S.91.......Q
    *aaaQueueReader: Aug 20 09:44:29.940: 000000a0: 82 45                                             .E
    *radiusTransportThread: Aug 20 09:44:30.516: 00000000: 02 be 00 1a 0c 8e d4 54  91 55 d6 ae b2 91 05 6e  .......T.U.....n
    *radiusTransportThread: Aug 20 09:44:30.516: 00000010: 93 f9 4b 7e 1b 06 00 21  70 70                    ..K~...!pp
    *radiusTransportThread: Aug 20 09:44:30.517: ****Enter processIncomingMessages: response code=2
    *radiusTransportThread: Aug 20 09:44:30.517: ****Enter processRadiusResponse: response code=2
    *radiusTransportThread: Aug 20 09:44:30.517: 00:23:14:ec:3d:38 Access-Accept received from RADIUS server 194.156.169.111 for mobile 00:23:14:ec:3d:38 receiveId = 0
    But for wired user below is the output
    User IP ADDR - 172.22.207.151
    5.338: 00:26:b9:e0:36:a6 Successful transmission of Authentication Packet (id 188) to 194.156.169.111:1812, proxy state 00:26:b9:e0:36:a6-00:01
    *aaaQueueReader: Aug 20 09:35:15.338: 00000000: 01 bc 00 a2 2c fe c1 97  a7 d1 25 a0 59 34 89 38  ....,.....%.Y4.8
    *aaaQueueReader: Aug 20 09:35:15.338: 00000010: c1 be 59 f3 01 1b 6d 61  68 65 62 6f 6f 62 2e 6b  ..Y...maheboob.k
    *aaaQueueReader: Aug 20 09:35:15.338: 00000020: 68 61 6e 40 61 6d 61 64  65 75 73 2e 63 6f 6d 02  [email protected].
    *aaaQueueReader: Aug 20 09:35:15.338: 00000030: 12 37 c7 5c 52 27 41 5b  0d 60 98 70 76 3b b3 ba  .7.\R'A[.`.pv;..
    *aaaQueueReader: Aug 20 09:35:15.338: 00000040: f5 06 06 00 00 00 01 04  06 ac 16 cd 74 05 06 00  ............t...
    *aaaQueueReader: Aug 20 09:35:15.338: 00000050: 00 00 0d 20 0b 42 4c 52  57 4c 43 4f 30 31 3d 06  .....BLRWLCO01=.
    *aaaQueueReader: Aug 20 09:35:15.338: 00000060: 00 00 00 0f 1a 0c 00 00  37 63 01 06 00 00 02 02  ........7c......
    *aaaQueueReader: Aug 20 09:35:15.338: 00000070: 1f 10 31 37 32 2e 32 32  2e 32 30 37 2e 31 35 31  ..172.22.207.151
    *aaaQueueReader: Aug 20 09:35:15.338: 00000080: 1e 10 31 37 32 2e 32 32  2e 32 30 35 2e 31 31 36  ..172.22.205.116
    *aaaQueueReader: Aug 20 09:35:15.338: 00000090: 50 12 36 60 54 47 0b 84  02 5c 0b da 19 a1 05 eb  P.6`TG...\......
    *aaaQueueReader: Aug 20 09:35:15.338: 000000a0: af 2b                                             .+
    *aaaQueueReader: Aug 20 09:35:17.053: AuthenticationRequest: 0x2ab12b50

  • Cisco wired guest with one wlc

    Hello my name is Ivan
    I have a question:
    You can configure wired guest for wired network users so that appears the cisco wlc web portal for guest user authentication? having the following:
    Only one (1) cisco wlc 5508 no settings for auto  anchor  or foreing controller, a cisco acs v5.4,  cisco switches, and access points.
    I'm using 802.1x, and when the user because autententicacion policies fall into the guest vlan, the user receives full IP routing vlan guest, comes to internet through the router for guest users, but not redirected to the website of wlc .
    I would like to redirect http traffic from cisco switch to the cisco wlc for wlc web portal
    My deployment is to flex connect wireless authentication, and local switching center
    How I can do this?
    Thanks for your answers.

    Hi Scott, thanks for your answer:
    My scenary is:
    Site A Corporate
    WLC 5508 Flex Connect Central Auth + Local Switching
    1. int management:  vlan 10 - 10.1.1.2/24
    2. int virtual: 1.1.1.1
    3. wired-guest: vlan 30
    wlans:
    1. corporate - mapped to interface  management 802.1x wpa, 2pa2
    2. guest - mapped to interface management web auth
    3. wired-guest: web auth, ingress wired, egress management
    Cisco ACS v5.4
    Site B: Branch
    AP Ligthweight in the vlan 10, vlans mapped 100 and 30, 100 for wlan corporate and 30 for wlan guest.
    Switches Cisco,
    The branch have a router of internet to users guest.
    The switch cisco have a 802.1x configuration, and the method to authenticate users can not have a supplicant 802.1x is web auth.
    Actually i can not redirect the traffic from the switch in the branch to cisco wlc 5508 in the corporate site. The users bypass the interception of the cisco wlc and they can goes to internet without the portal of authentication.
    Please could you give and advice to resolv it?
    Regards for your answers.

  • ISE with CWA and wired guest access via WLC Anchor

    Can an Anchor WLC (WLCa) provide a wired guest LAN service if the wlan guest access is using CWA?
    We are deploying a WLAN only ISE solution (it is a full license ISE though) but they just want a few wired guest ports.  I was hoping to add L2 switch to the DMZ where the WLCa is and that the L2 switch wouldnt need any other config as the WLCa just bridges the wired to the wlan vlan.  This Im sure i have done before.
    So now I have set wiredguest the same as i have done before ISE and my wired clients get an IP address, but when they redirect, the URL they get is different, and the redirect just doesnt work.
    It comes out as:
    https://my_ise_ip:8443/guestportal/Login.action?switch_url=https://my_ise_host/login.html&wlan=my_wired_guest_lan&redirect=www.google.co.uk
    So does my simple L2 only switch need an ISE config on it or should the WLCa be handling or the redirection just as it would for a wlan device.

    The ISE never receives an auth entry, so i dont believe the redirect is working for the wired client.  So even though the clients browser gets a redirect url which fails connection, the client info in the WLCa doesnt have a redirect ACL listed like a wlan client would

  • WIRED GUEST ACCESS WLC 5508

    Hi Guys, 
    I've just set up a wired guest access for my HQ but I'm wondering if it is possible to do the same in a branch office because We do not have another controller in this site, could this be accomplished using the wlc of the hq?
    Any ideas please.
    Regards
    Oscar

    If you have L2 communication between HQ &  BR, this is possible (then you can extend your wired user vlan to your WLC).
    Otherwise you have to have a WLC at your branch as well.
    http://mrncciew.com/2013/03/26/wired-guest-access/
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Wireless Guest Internet Only Access

    We just got our 4402 WLC with 1131ag access points up and running. We would now like to set up guest access with only internet access. Our vendor has suggested setting up a dmz on our checkpoint firewall and have it do dhcp and then setting up a wlan on our controller for the guest access. My question is: what do I need to do on the switch side to set this up? Is is just as simple as creating a vlan and giving it an ip address in the dmz range? Or is there another way of setting up internet only guest access?
    Any suggestions would be appreciated.
    Thanks in advance.
    Jeff

    It depends if all you are wanting to do is Internet-only on you controller. If thats it, then you can place your controller in a dmz. Have a device handout the dhcp information to your clients. Set your controller for layer-3 mode. Have your APs connect to your controller (make sure you have the correct ports allowed through your firewall between the APs and the controller). I would recommend placing the APs on a seperate VLAN than other internal traffic with the appropriate LWAPP options configured in the DHCP scope.
    The clients will then associate to the SSID you have setup. They will pull an IP address from the DMZ.
    A few years ago on my first LWAPP deployment, I did this setup and it worked perfectly. I would also recommend having the DHCP server in the DMZ assaign an IP address that is not routable in your internal network. That way, if somebody makes a mistake and their is leakage, the traffic can't be routed anywhere since the source IP address of the wireless client isnt routable. You can use this DMZ controller access for Internet only which can also be used by internal people to VPN back to you internal network if you have that permitted.
    If however, you are planning to do both direct connection to your internal network and an internet-only connection (two different SSIDs) the best way is to get a small controller for your DMZ (like a 4402-12) and a larger controller for internal (4402-25 or 4404-100). Have your DMZ controller be a guest internet controller that is setup as the guest "anchor". There are lots of docs on the Cisco web site. This solution works great. I use a 4402-12 as a DMZ anchor and have about 20 4404-100s that are anchored to it.

  • Maximum number of wired guest clients ??

    Does anybody knows which is the maximum number of simultaneous wired guest clients on a 5508? And in a 2112 controller?
    Wired clients count as wireless clients??
    What about anchoring limitations, what is the effect of wired guest clients on the anchor controller?

    2100 series WLC do not support Wired Guest Access.. 5500 wlc supports.. and i guess 5508 WLC can support max 150 simultaneous logins..
    Lemme know if this naswered ur question and please dont forget to rate the usefull posts!!
    Regards
    Surendra

  • Ask the Experts: Wired Guest Access

    Sharath K.P.
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions on wired guest access with expert Sharath K.P. Wired guest access enables guest users to connect to the guest access network from a wired Ethernet connection designated and configured for guest access. Sharath K.P. is a Customer Support Engineer specialized in wireless and switching technologies at the Technical Assistance Center in Cisco Bangalore. He has been troubleshooting wireless and switching networks and management tools since 2009. Sharath has a bachelor's degree in Electrical Electronics Engineering from P.E.S College of Engineering (PESCE), VTU at Belgaum. India. He holds CCNP certifications in R&S and Wireless.
    Remember to use the rating system to let Sharath know if you have received an adequate response. 
    Sharath might not be able to answer each question due to the volume expected during this event.
    Remember that you can continue the conversation on the Wireless and Mobility sub-community discussion forum shortly after the event. This event lasts
    through January 27, 2012. Visit this forum often to view responses to your questions and the questions
    of other community members.

    Hi Daniel ,
    Wonderful observation and great question .
    Yes, we dont find any recommendation or inputs in Cisco Docs on scenarios  where  we  have multiple foriegn WLC's present .When we go through the Cisco Doc available for Wired Guest Access
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml
    Two separate solutions are available to the customers:
    A single WLAN controller (VLAN Translation mode) - the access switch  trunks the wired guest traffic in the guest VLAN to the WLAN controller  that provides the wired guest access solution. This controller carries  out the VLAN translation from the ingress wired guest VLAN to the egress  VLAN.
    Two WLAN controllers (Auto Anchor mode) - the access switch trunks  the wired guest traffic to a local WLAN controller (the controller  nearest to the access switch). This local WLAN controller anchors the  client onto a DMZ Anchor WLAN controller that is configured for wired  and wireless guest access. After a successful handoff of the client to  the DMZ anchor controller, the DHCP IP address assignment,  authentication of the client, etc. are handled in the DMZ WLC. After it  completes the authentication, the client is allowed to send/receive  traffic.
    So  as per Cisco best pratices using multiple foreign controllers for the same wired guest VLAN is not supported and the results will be unpredictable
    I do understand the confusion regarding such scenario's as this( Multiple foriegn WLC's) is a very general setup which customer would like to deploy .
    We have already opened a bug for the same (Little late though )
    BUG ID :CSCtw44999
    The WLC Config Guide should clarify our support for redundancy options for wired guest
    Symptom:
    Do not trunk a wired guest VLAN to multiple foreign controllers.  This is not supported, and will
    generate unpredictable results.
    Some of the other tthat changes we will be making as a part of doc correction would be
    http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_user_accts.html#wp1066125
    1. The WiSM2 needs to be added as a supported controller.  (Not sure about the 7500, check with PM)
    2. Where it says "Do not attempt to trunk a guest VLAN on the Catalyst 3750G ...", this should read:
    "Do not trunk a wired guest VLAN to multiple foreign controllers.  This is not supported, and will
    generate unpredictable results."
    3. Add at least a line mentioning support for multiple anchors for a guest wired LAN.
    Now  if you already have such deployments , ther criteria would be that nearest WLC on the broadcast domain (Layer 2) would  respond to the client associtation request .
    Cisco Controller) >Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 Adding mobile on Wired Guest 00:00:00:00:00:00(0)
    Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 apfHandleWiredGuestMobileStation (apf_wired_guest.c:121) Changing state for mobile
    00:0d:60:5e:ca:62 on AP 00:00:00: 00:00:00 from Idle to Associated .
    I hope the above explanation could clarify your doubts to certain extent and also keep you
    informed on Cisco's  roadmap on this feature .
    Regards ,
    Sharath K.P.

  • Guest Internet access in the Enterprise

    We have set up guest internet access in our enterprise using GRE tunneling with a PIX. I'm trying to determine the best way to do authentication for users on this guest network.
    I think I can do RADIUS (using ACS) with the PIX as an NAS. Question is can I use a different type of server (such as MS IAS)? Can I use either one to utilize an existing MS Active Directory database?
    If I use radius on the pix for authentication, a login prompt pops up when a user tries to use the web. Is there a way to redirect users to a web page first and have the login embedded on the page? This is done in hotels now and I don't know if there's a Cisco solution for this.

    The following documents lists all the supported Databases,
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/d.htm

  • Guest Internet Access

    Hi
    Looking for input on Guest Vlan subject.
    How can I avoid routing of Guess VLAN traffic to DATA VLAN, any traffic from Guest VLAN should be routed to Internet directly.
    Looking for similar setup as in Hotels, Guest are provided with username/password with time duration to access internet and limit the download speed.
    Do I need to create another SSID on the WLC and how the guest users will acquire ip, from WLC DHCP or Windows DHCP.
    If its Windows DHCP then Guest traffic reaches my Data VLAN
    Any Help

    We got WLC 4420 ----- Do you mean a 4402-xx
    AP 1200 series ( 5 in quantity )
    I am new to WLC, can you help me to understand
    How many SSID we can configure on WLC, does each ssid can have different config parameters.
    The AP's and the Code you might have will only support 8-16.  You don't want to configure too many (best practice is around 4) because of all the beacons that needs to be sent might cause issues with certain devices.  You can configure eash ssid the same of different, it is up to you.  Follow best practices on this.
    can we broadcast specific SSID on AP configured with WLC ( AP#1 can be used for SSID DATA & SSID Guest ) ( AP#2 can be SSID Guest & SSID Partners )
    You can create WLAN Override (depends on code - http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml) to specify what AP's will braodcast what SSID's.  This can be messy if you have gaps for roaming, unless that is not an issues.
    For Guest SSID is it recommended to connect to a seprate port on WLC
    You have different options:
    You can use a guest anchor controller in you DMZ
    You can use one port on the WLC connected to your internal network and the other port to the DMZ
    You can trunk vlans and use ACL's to block guest traffic from inside networks.
    All this depends on you current infrastructure and if you plan on buying more equipment or use the existing.
    Instead of creating Guest Users on WLC with time restriction, can this be done third party with ease of management. ( Office secretary can give access to internet to guest )
    You can use a NAC Guest Server... if you want to spend a lot of money.  You can configure a Lobby Admin account on the WLC so that the secretary has only read/write to add guest accounts.  This would be the same if you have WCS with a lobby admin account.
    http://www.cisco.com/en/US/docs/wireless/wcs/4.2/configuration/guide/wcsmanag.html#wp1078208
    How to have bandwidth control on WLC, restrict users with bandwidth limit
    You would need to use a 3rd party tool for this like ZoneCD or again you can use the NAC Guest Server.
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns348/ns787/data_sheet_c78-456124.html
    http://www.google.com/url?q=http://cisco.com/application/pdf/paws/107630/WLC_NGS.pdf&ei=WtSTS9HpN43OM_WnkYoN&sa=X&oi=nshc&resnum=1&ct=result&cd=1&ved=0CAgQzgQoAA&usg=AFQjCNF0eA-Z8nss7WzgpPRnFjtSdZnvWQ
    http://www.google.com/url?q=http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns348/ns787/DeployingGuestAccess_051308.pdf&ei=WtSTS9HpN43OM_WnkYoN&sa=X&oi=nshc&resnum=1&ct=result&cd=2&ved=0CAkQzgQoAQ&usg=AFQjCNGKgF_wWKQaI8lqHoFfwbg0iztVFg
    Any configuration sample link with one Internet connection having DATA and Guest VLAN  using ACL to restrict  the traffic.
    I put some links above... hope this helps.  Again, it will come down to your existing environment and how much more you want to spend.  You also have to look at the time it might take to setup, will the secertary want to do this, etc?  How I see guest access..... well.... they go out a seperate internet pipe, so I don't really care about bandwidth.  Its guests so they would have to deal with that anywhere the go, even hotspost or even worse hotels:)  Make it simple and make it work... then you can add to that later when you get more familiar to configuration and troubleshooting.

  • Load Balance guest Internet access via two different DMZ zones at two sites

    Hi Sir,
    My customer has the following unified wireless guest access requirement:
    - There are 2 internet links and dmz zones at two different locations, Site A and Site B
    - Data centre is at Site A
    - WiSM is proposed to be installed at the Cat 6500 in Site A
    - Lightweight AP are distributed across Site A, Site B and other branches
    - Only one anchor WLC is proposed at Site A, DMZ zone to provide guest internet access
    My customer would like to load balance the guest via the two internet link at Site A and Site B but with the same SSID across all locations. Can it be done since only one anchor at Site A? How about puttting another anchor WLC at Site B, DMZ zone? But how can i establish two EoIP tunnel to two different anchor WLC from a single WiSM?
    Thanks for your help
    Delon

    You can... but you can't control where the traffic will flow. The wlc will determine which DMZ wlc it will use. The wlc will load balance, but traffic in site A might go to site B. I currently have deployed that senerio in multiple client installations....

  • Preauth ACL for Wired guest not working

    Hi Guys,
    I have 5508 wireless lan controller running code 7.2. We recently implemented Wired guest access on the WLC and configured necessary changes on the switch. We also have wireless guest profile as well configured on the WLC. We have some people who usually use Jabber client for video conferencing so what we have done is we have configured a preauth acl so that if any users connect to the wireless guest profile they automatically connect to the Jabber server without going through the Web auth. We have applied the same ACL in the Wired guest profile as well but the problem is that Jabber is not able to connect unless we manually go through web browser and then authenticate, but it is working normally for wireless guest access without the web authentication. Let me know if this is some kind of bug or a known issue which can fixed in some way. Thanks in advance
    - Krishna

    Krishna:
    Can you please confirm if other type of traffic (other than jabber traffic) is allowed by the pre-auth ACL?
    try - for testing - to allow traffic -by same ACL -  to some other destination and try via normal user to ping to open whatever session with that destination.
    let me know if that works or not.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

Maybe you are looking for

  • Travel adapter 220V to 110V

    I'm traveling to Mongolia with a 3GS and need to know if all I need is a simple plug adapter or whether I need a plug adapter and step-down voltage converter for my iPhone. I understand the concept of a plug adapter simply allowing a different plug t

  • Error in Loading 0MAT_PLANT

    Hello Gurus, We are getting th foll errors when loading for 0MAT_PLANT.  Record 20 :0PUR_GROUP : Data record 20 ('CEQP141527029-001 '): Version 'SSC ' does not exist Record 29 :0PUR_GROUP : Data record 29 ('CEQP26532110216VA02 '): Version 'VGK ' does

  • How to display from IPOD to TV

    Is there any way to display what I am looking at on my IPOD 4 to my TV. I have a cable that works fine for videos and music but it wont allow photos, documents or anything else to display. Is there an app I need to get or something? I was hoping the

  • Condition record number

    Hi All, I know the conditin type , application Sequential number of the condition, by this I went for finding out condition records in KONP table , here I could find out multiple condition records. How could I get exact one required. Regards, vinesh

  • Disable or uninstal HP ProtectTools security manager

    My fingerprint scanner has gone down. I assume it is a hardware issue as have gone through all HP recomendations to get it working at: http://h10025.www1.hp.com/ewfrf/wc/document?cc=us&dlc=en&docname=c02519007&lc=en&jumpid=reg_r1002_us... but nothing