WLC Guest Setup thru Palo Alto Firewall

We currently have a guest wireless setup at my company. Instead of using an anchor controller we have dual controllers, each with one interface connecting out into our DMZ and then going out. It's a pure L2 connection and exits to the internet via a DMZ interface on our ASA. We recently purchased a PA-200 Palo Alto firewall to use for this guest network, and configured everything exactly how it's already set up on our DMZ switch and ASA, with the same IP addresses. When we connect the outside interfaces from the controller to an L2 switch that's connected to the Palo Alto firewall we can't get DHCP requests through and have no connectivity; even if we set a static IP on our client we still have no connectivity and it won't redirect us. We use web-auth for authentication with this network, and I know once you get an IP address it will only allow DNS to redirect to the virtual IP for authentication before it allows anything else, but it is the exact same setup as we had before, just with a different firewall, so I'm stuck. Also, if I plug directly into the switch via an ethernet cable I can get an IP address and get out to the internet. Is there anyone who has experience with this type of setup, or might know what I need to allow on the firewall for it to work? I've attached a diagram of the basic topology we have set up.
Thanks

Hi Rod
Your WLC interface and PA interface config look correct. I assume you have policy rules on the PA to permit traffic from your guest zone to the destination. You will also require a policy on the PA to permit traffic from the guest zone to the guest zone, as the default route for the subnet is on the PA and any traffic to the IP is filtered by the policies.
I have my WLC doing DHCP for my guest subnet; as your guest SSID/VLAN is probably centrally switched on the WLC, it's the easiest way to do this. The PA has no DHCP helper function as far as I am aware and I've never tried passing DHCP requests through a PA via a centrally switched SSID. I assume 10.118.6.112 is the management IP of your controller? If it's not, try changing the IP to your controller management IP if you're not getting DHCP.
I'm not sure how your guest system works, but I have an SSID which has a web-auth policy forwarding the guest auth to an authentication server with a web console, which then passes a RADIUS auth session back to the WLC.
Do you have any other SSIDs configured to use that physical port on the WLC? Even if they're HREAP and not using the interface.
Do you also have the web policy configured correctly on the SSID? I assume you want the browser to redirect to the guest web login page when they connect to the SSID. Are you using an external server for this or the WLC?

Similar Messages

  • L2L vpn with Palo Alto Firewall

    I am setting up an L2L tunnel with a Palo Alto firewall and having trouble.  It is a fairly simple setup; we are encrypting public-to-public traffic for SFTP upload from the ASA side.  Here are the relevant parts of the config and various outputs...  The remote-side admin states that phase 1 passes and we experience a timeout waiting for phase 2.  Any help would be appreciated.
    1.1.1.1 (customer2 destination address)
    1.1.1.2 (customer2 vpn gateway)
    2.2.2.0 (local public ip space)
    name 1.1.1.1 CustomerVPN2 description Customer VPN2
    access-list Inside_nat0_outbound extended permit ip 2.2.2.0 255.255.255.240 host CustomerVPN2
    access-list Outside_4_cryptomap extended permit ip 2.2.2.0 255.255.255.240 host CustomerVPN2
    crypto map Outside_map 4 match address Outside_4_cryptomap
    crypto map Outside_map 4 set connection-type originate-only
    crypto map Outside_map 4 set peer 1.1.1.2
    crypto map Outside_map 4 set transform-set ESP-AES-256-SHA
    crypto isakmp policy 50
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    tunnel-group 1.1.1.2 type ipsec-l2l
    tunnel-group 1.1.1.2 ipsec-attributes
    pre-shared-key *
    sh crypto isakmp (notice listed as type:user)
    8   IKE Peer: 1.1.1.2
        Type    : user            Role    : initiator
        Rekey   : no              State   : MM_WAIT_MSG2
    debug crypto ipsec (Looks like it tries all crypto maps except the relevant one)
    IPSEC(crypto_map_check): crypto map Outside_map 1 does not hole match for ACL Outside_1_cryptomap.
    IPSEC(crypto_map_check): crypto map Outside_map 2 does not hole match for ACL Outside_2_cryptomap.
    IPSEC(crypto_map_check): crypto map Outside_map 3 does not hole match for ACL Outside_3_cryptomap.
    IPSEC(crypto_map_check): crypto map Outside_map 3 does not hole match for ACL OO_temp_Outside_map3.
    and finally.
    Oct 03 10:39:09 [IKEv1]: IP = 1.1.1.2, Removing peer from peer table failed, no match!
    Oct 03 10:39:09 [IKEv1]: IP = 1.1.1.2, Error: Unable to remove PeerTblEntr

    Thanks Lee and Manish
    I have no access to the Palo Alto logs.  I am working with the admin at the other end and this is what he said.  I used the real IPs because it was getting too confusing... 
    I figured out what is wrong.  It didn’t click at first but because my firewall uses “route-based” VPNs as opposed to the “policy-based” VPNs on an ASA, I need to specify a route for your source address(es) which is 66.x.x.48/28.  The issue with that is when my gateway tries to respond to your gateway IKE packets, it is trying to send it over the route that I specified, since 66.x.x.62 is included in this network, and the firewall tries to send the IKE response packets over the tunnel that doesn’t exist.  I changed the route to be 66.x.x.48/32 and it was successful with IKE phase 1 but fails on phase 2 because it is sourcing from 66.x.x.62/32.
    So long story short of what we need to do.  Either you need to NAT your internal address to a different public IP on that firewall, or I can assign you a transit network IP (such as 192.168.74.55 or something) and you would NAT that internal address to that transit IP.
    Not sure how to translate the traffic for this VPN without changing the global NAT; it looks like policy NAT is the solution.

  • Converting a Palo Alto Firewall to a Cisco ASA - recommendations?

    I've seen some tools for converting ASAs to PA... but not the other way around. Anyone come up with a good method? (scripts, tools, etc.?)
    Thanks in advance!

    Hi,
    I couldn't find any. Maybe someone else has it, but Google didn't show up anything for me :) nor did internal search. I would suggest contacting your account team and seeing if they can assist you with migration.
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • Cisco 526 Wireless express controller and Guest setup

    We are going to implement a small (2-3 APs) wireless network and we wanted guests to have access too. My question is how do we implement the guest setup and separate that access from our network. How does the 526 do it? Do we need separate internet access for guests? Do we need a separate VLAN? Is it easy to set up using the 526?
    Thank you,
    Gilbert

    Thanks for the reply. I did see this before; I just cannot understand how creating the guest VLAN will segregate the guest connection from our network. I just need more explanation on how the guest connection would not be able to access our data network.

  • WLC Guest portal - External DNS issue

    I have an interesting behavior.  When my guest users attach to the guest network, I want them to use some external DNS source and not my organization's DNS servers.  So, I set the DHCP scope options to point to other DNS servers.  When I do, the users don't seem to be redirected to the WLC guest portal; they get nothing, and because of that, they cannot get to the Internet.
    I am not sure why this is happening.  The re-direction URL is https://1.1.1.1/login.html?redirect=www.google.com?/ocid=iehp
    I don't understand why pointing a guest client to an external DNS server would cause the guest login page not to come up.

    The issue is likely that you are attempting to redirect an HTTPS page. See this link for more information:
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html#anc7
    You didn't mention your code rev, but it seems that 8.0 is able to redirect HTTPS for guest portal.

  • Palo Alto NetConnect not working in Mountain Lion, anyone else having this issue?

    I use Palo Alto NetConnect to access a VPN and it always worked fine with Mac OS X 10.6 & 10.7. I updated to Mountain Lion almost immediately after release and the client no longer connects. Is there anyone who has encountered this issue and knows how to fix it? It's very important for my daily use and without it I'll have to downgrade back to Lion.
    -Chris

    Hi 2themax11
    Still no update from PA Networks - it is like they are in total denial that Mountain Lion exists!
    The Cisco app works, but only just, and is very slow; I think that may be more to do with us than the use of the app. Bear in mind we used to use the Cisco service, so it is not something I had to set up from scratch, but it is not something our network team are happy about, as this service was buried and was not supposed to be supported any more.
    I am also using a Cisco SSL webvpn for accessing our intranet etc.; it is a quicker fix for a few things. Like you I am now using 2 laptops... one is an old Dell... it is horrible!

  • Lumira Hands-On Workshop Coming Up in Palo Alto, USA - June 26th

    Hello  Everyone,
    Due to popular demand for a Lumira hands-on training, we are holding our next one in Palo Alto on June 26th!
    Workshop details and registration link are available here.
    Alternately, you can register by sending an email to [email protected] with the Subject Line – “Registration request for Lumira Workshop – June 26th“. 
    The workshop is free of cost and open to everyone interested. Please note that this is an on-premise workshop and a remote option is not available. We will be running out of capacity soon, so reserve your spot today! Finally, please feel free to pass this along to anyone who might be interested.
    Cheers!
    Ruchi

    I took one of their classes in London and it was an excellent class - very hands-on, 2-3 hrs of lecture a day, and lots of hardware and lab time! I also saw an email from Jesse T who said he knows the instructor and said he was EXCELLENT. Jesse's response was in the ims-alias this morning, I think. Trust me, you won't regret it. Also I saw another email saying he is going to have a workshop in Europe, so if you are interested, let them know :-)

  • Palo Alto multiple ISP

    I have an in-production Palo Alto 3050. I just got a secondary ISP, for free no less, from AT&T. I would like to send traffic from specific hosts over the secondary AT&T line.
    Steps so far:
    - Current ISP gateway is 50.50.50.1 (example IP address)
    - AT&T gateway is 100.100.100.1/24 (example IP address)
    - I have created a zone for AT&T, I have connected the AT&T equipment to interface 1/12 and given 1/12 100.100.100.2/24.
    - I have created a virtual router and added interface 1/12 to it and added a static route for 0.0.0.0/0 to 100.100.100.1.
    - I have added a security policy for zone inside with my specific server's IP address.
    - I created an ATT PAT pool with source inside to destination ATT and my specific server's IP address.
    - I created a PBF rule to send anything from my specific server's IP address out interface 1/12.
    For the life of me I cannot make...
    This topic first appeared in the Spiceworks Community

    Hello all, hope everyone is having a good day. I'm having some issues with a loop in my script. I know I'm opening myself up here, but what is wrong with this picture?
    Powershell
    # Prompt for and validate existence of the old profile
    $Old = Read-Host "Please enter old profile name"
    $TestOld = Test-Path C:\Users\$old
    Do {
        If ($testold) {
            Write-Host "Profile exist"
        } Else {
            Write-Host "Profile doesn't exist"
            $Old = Read-host "Please enter a valid profile name"
        }
    } While ($testold -eq $false)
    What's happening is if the correct name is entered the rest of the script works. If the wrong name is entered it prompts for the correct one but the variable doesn't set. I've tried using Clear-Variable before prompting the second time but keep getting stuck in a loop.
    Powershell
    Clear-Variable $old
    Clear-Variable -Name old
    Those are the two ways I've tried. The...

  • Cisco ASA packet-tracer Palo Alto equivalent

    Hi All
    Does anyone know if the Palo Alto 3020 boxes have an equivalent feature to the Cisco ASA packet-tracer?
    many thanks

    I have used the "test security-policy-match" CLI command, which identifies the specific policy rule a source/destination traffic pair matches against.  You need to make sure you specify all fields (zone, src/dst network, protocol and ports).

  • WLC Guest Tunnel

    Hi,
    I've some questions about Guest Tunneling, since the docs on CCO are not so complete.
    Right now I've 2 WLC4400 Series in a redundant way with 2 WLANs, 1 WLAN per AP Group. All the APs are set up as H-REAP nodes.
    We've to set up a WLC in the DMZ so that Guest WLAN traffic will be tunneled from the internal WLC to the DMZ and all is fine.
    The Guest WLAN and the interface should be defined both on the internal and DMZ WLC... isn't it? The DHCP server should be set up in the DMZ?
    Then I'll set up the mobility anchor between WLC#1 internal and WLC DMZ and between WLC#2 internal and WLC DMZ, correct?
    What about the APs, since they are set up as H-REAP nodes with the switch port as access?
    Many thanks for helping me find a solution

    Hi fella,
    Thanks a lot for the useful info... are you sure??? Maybe I'm missing a piece of the puzzle... let's do a summary:
    - My APs on different IP subnets are configured as H-REAP nodes
    - My internal WLCs are configured with more WLANs to do central AUTH and LOCAL switching
    - My WLANs, since they are in H-REAP mode, are mapped to the AP-Manager interface of the WLC
    - The WLC in the DMZ, behind a firewall, is configured with a mobility group to be "in the same one" as the internal WLCs
    - The Guest WLAN, defined on internal and external WLCs, is mapped to the AP-Manager IP to be LWAPP tunneled (central switching) and spread on all my APs
    - The Guest WLAN will be anchored from the internal WLCs to the external one.
    So basically for one WLAN client which connects to the Guest WLAN, all traffic will be LWAPP tunneled from the AP MGMT IP to the WLC AP-Manager IP and then, since this WLAN is anchored to the DMZ WLC, the traffic will be EoIP tunneled to this WLC where a DHCP server is active.
    After the client receives an IP address from the WLC's DHCP server, the firewall in front of the WLC will block all access to the internal IP subnet and permit it only to be routed to the outside of the enterprise...
    Am I wrong with something?
    Thanks

  • Can i use Internal DHCP on WLC Guest Anchor (5508) with Foreign HA 5508

    DHCP proxy is required in order to use a local WLC DHCP pool (Guest Anchor); however, reading the Wireless Q&A (http://www.cisco.com/image/gif/paws/107458/wga-faq.pdf), it states that both foreign and guest anchors must have:
    In a Wireless guest access setup, the DHCP proxy setting in the Guest Anchor controllers
    and the internal controller must match. Else, DHCP request from clients are dropped and you
    see this error message on the internal controller......
    However, if you have N+1 you cannot use internal DHCP; does this also "grey out" the DHCP proxy global setting? If so, will the Guest Anchor still work with an internal DHCP pool even though foreign and guest controllers have a mismatch in the DHCP proxy (global) setting?
    Many Thanks
    Kam

    Well, it should still work... DHCP proxy is required on the WLC that has a DHCP scope.  With the newer code versions, you can enable DHCP proxy per interface, so this doesn't have to be global.

  • WLC Guest Network DHCP run out of IPs??

    Hello,
    I have this guest WLAN working with web authentication; as you may know, in order to get authenticated you must have an IP address first and then have a valid username and password. The problem is that if you don't have valid credentials you keep the IP address anyway.
    I'd like to know if there is a way to release the IPs that are not being used? The WLC is the DHCP server for this network.
    WLC4402
    6.0.202.0
    Thanks in advance!            

    That would be good, but right now there is no automated process to remove those clients.
    If you are good with scripting, you could set up a script to pull the client list, then parse it based on the authentication.  Once you have that you can then do a client deauthenticate, and wipe the IP address lease as well.
    Unfortunately, I can't be too much help as I don't really know scripting.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • WLC Guest Wired Redundancy

    Is it possible to have WLC redundancy through wired guest interfaces?  We have two WLC anchors and I want to use them both for wired guests.  If they are both set up on the same wired guest VLAN, will this work?

    They cannot.
    The "ingress" interface is the one that is capturing wired guest traffic (so your switchports have to be configured for that VLAN). It has to be different on all controllers.
    What Stephen was raising is that anchors are not counted in this rule because they don't have ingress interfaces...
    When you anchor a wired guest WLAN, the foreign WLC has the ingress and the anchor WLC has the egress. So you can have multiple anchors.
    But every WLC having an ingress interface should be in a different VLAN.
    The reason for this is that WLCs can't sync on who will capture the wired client traffic, and it becomes a mess if they all answer the client.
    Hope this clarifies.
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • WLC Guest Account Configuration

    Hello,
    I have been trying to set up a guest WiFi network using a 2504 series WLC. I have configured the switch, the router, and the firewall for the IP schema that I want to use for the guest network, but I am unable to get this process working. I have a CAPWAP configuration example that I followed as well as an LWAPP example. I don't have an LWAPP but I do have a CAPWAP. I want to break down my network into two separate networks: one for internal use and one for guests. I am able to connect to the internal network correctly and can ping and gain access via the WAP after I completed my configurations, but I am not able to use the 10.0.0.0 network that I configured for the guest network. I can ping the default router address of 10.0.0.11 from the WLC. I also want to use web authentication as a way to set up the guest network for authentication, and the virtual address of 1.1.1.1 does not appear as the authentication method.
    I would appreciate any help on this issue. I have been working on this issue for some time with no luck. Any suggestions on things I could try would be great.

    refer :
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-vlan/70937-guest-internal-wlan.html#proc

  • WLC guest wireless proxy script for Apple iPhone

    I have guest wireless set up on a 4402 WLC. I am using a wpad.dat (proxy.pac) proxy auto-config script to ensure guest traffic passes through a proxy. After a few attempts at creating a working proxy.pac file, Cisco TAC provided one that worked successfully for IE and Firefox (I realise only IE is officially supported by the WLC; however, my issue is not with browser-WLC compatibility).
    I am after a proxy.pac proxy auto-config file that will work with the Apple iPhone Safari browser (the script below does not). Manually specifying the proxy is not an option as Safari on the iPhone does not allow "proxy exceptions" to be specified.
    The script I use which works fine with IE and Firefox is below:
    function FindProxyForURL(url, host)
    {
        // variable strings to return
        var proxy_yes = "PROXY 10.23.16.20:80";
        var proxy_no = "DIRECT";
        if (shExpMatch(url, "http://1.1.1.1*")) { return proxy_no; }
        if (shExpMatch(url, "https://1.1.1.1*")) { return proxy_no; }
        // Proxy anything else
        return proxy_yes;
    }

    Here is the Deployment Guide for Cisco Guest Access Using the Cisco Wireless LAN Controller, Release 4.0
    http://www.cisco.com/en/US/docs/wireless/technology/guest_access/technical/reference/4.0/GAccess.html#wp1167844
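The PAC file in the thread above decides on the full URL with a prefix glob. As an added example (not the poster's script, nor the one Cisco TAC supplied) the block below places that original logic beside a variant that matches the WLC web-auth virtual IP on the host argument instead. Two things are worth seeing in working code: the glob "http://1.1.1.1*" also matches hosts such as 1.1.1.10 or 1.1.1.1.example.net, so those requests are sent DIRECT and bypass the proxy the guest policy depends on; and some browsers (Chrome since version 52, for example) strip the path and query from https URLs before calling the PAC script, so host is the more reliable input. The proxy address 10.23.16.20:80 and the virtual IP 1.1.1.1 are taken from the post; the shExpMatch polyfill is an assumption added only so the file runs outside a browser, where the browser normally provides that function. Whether this also fixes the iPhone behaviour the poster describes is not something the thread establishes.

```javascript
// Added example, not the original poster's or Cisco TAC's PAC file.
// Compares the thread's URL-prefix match with a host-based match for the
// WLC web-auth virtual IP (1.1.1.1) and proxy (10.23.16.20:80) from the post.

// Browsers expose shExpMatch() to PAC scripts. This polyfill is an assumption
// so the file can be run with node; it implements the same '*' / '?' globbing.
if (typeof shExpMatch === "undefined") {
  globalThis.shExpMatch = function (str, pattern) {
    const re = "^" + pattern
      .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
      .replace(/\*/g, ".*")                 // glob '*' -> any run of characters
      .replace(/\?/g, ".") + "$";           // glob '?' -> any single character
    return new RegExp(re).test(str);
  };
}

const PROXY = "PROXY 10.23.16.20:80";
const DIRECT = "DIRECT";
const WLC_VIRTUAL_IP = "1.1.1.1";

// Logic of the PAC file quoted in the thread: decide on a URL prefix glob.
// "http://1.1.1.1*" matches http://1.1.1.10/ and http://1.1.1.1.example.net/
// as well, so those hosts are sent DIRECT and skip the proxy.
function legacyFindProxyForURL(url, host) {
  if (shExpMatch(url, "http://1.1.1.1*")) { return DIRECT; }
  if (shExpMatch(url, "https://1.1.1.1*")) { return DIRECT; }
  return PROXY;
}

// Host-based variant: only the exact virtual IP goes DIRECT. The host
// argument is always supplied to a PAC script, while the path of an https
// URL may be stripped by the browser, so nothing here depends on `url`.
function FindProxyForURL(url, host) {
  if (host === WLC_VIRTUAL_IP) {
    return DIRECT;
  }
  // Everything else, including lookalike hosts, goes through the proxy.
  return PROXY;
}

// Helper for side-by-side comparison of both decisions for one request.
function compareDecisions(url, host) {
  return { legacy: legacyFindProxyForURL(url, host), hostBased: FindProxyForURL(url, host) };
}

// Constructed sample requests: the login page, an https variant with the
// path stripped, and two lookalike hosts that the glob accepts by mistake.
const SAMPLES = [
  ["http://1.1.1.1/login.html", "1.1.1.1"],
  ["https://1.1.1.1", "1.1.1.1"],
  ["http://1.1.1.10/", "1.1.1.10"],
  ["http://1.1.1.1.example.net/", "1.1.1.1.example.net"],
  ["http://www.example.com/", "www.example.com"],
];
for (const [url, host] of SAMPLES) {
  console.log(host.padEnd(22), JSON.stringify(compareDecisions(url, host)));
}
```

Deploying the host-based file does not change the legitimate case (the WLC login page at 1.1.1.1 still goes DIRECT); it only closes the gap for hosts that happen to share the glob prefix.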
