WLC Guest Tunnel

Hi,
I have some questions about Guest Tunneling, since the docs on CCO are not so complete.
Right now I have 2 WLC 4400 Series in a redundant way with 2 WLANs, 1 WLAN per AP Group. All the APs are set up as H-REAP nodes.
We have to set up a WLC in the DMZ so that Guest WLAN traffic will be tunneled from the internal WLC to the DMZ and all is fine.
The Guest WLAN and the interface should be defined both on the internal and the DMZ WLC... isn't it? Should the DHCP server be set up in the DMZ?
Then I'll set up the mobility anchor between internal WLC#1 and the DMZ WLC, and between internal WLC#2 and the DMZ WLC, correct?
What about the APs, since they are set up as H-REAP nodes with the switch port as access?
Many thanks for helping me find a solution

Hi fella,
Thanks a lot for the useful info... are you sure??? Maybe I'm missing a piece of the puzzle... let's do a recap:
- My APs on different IP subnets are configured as H-REAP nodes
- my internal WLCs are configured with multiple WLANs to do central AUTH and LOCAL switching
- my WLANs, since they are in H-REAP mode, are mapped to the AP-Manager interface of the WLC
- the WLC in the DMZ, behind a firewall, is configured with a mobility group to be "in the same one" as the internal WLCs
- the Guest WLAN, defined on the internal and external WLCs, is mapped to the AP-Manager IP to be LWAPP tunneled (central switching) and spread on all my APs
- the Guest WLAN will be anchored from the internal WLCs to the external one.
So basically, for a WLAN client which connects to the Guest WLAN, all traffic will be LWAPP tunneled from the AP MGMT IP to the WLC AP-Manager IP and then, since this WLAN is anchored to the DMZ WLC, the traffic will be EoIP tunneled to this WLC, where a DHCP server is active.
After the client receives an IP address from the WLC's DHCP server, the firewall in front of the WLC will block all access to the internal IP subnet and permit only routing to the outside of the enterprise...
Am I wrong with something?
Thanks

Similar Messages

  • WLC Guest Tunnel - client ip address problem

    I can't identify the real IP address from the local WLC if the client is associated to the "guest-tunnel SSID"; I can only see 0.0.0.0 from the local one. The real IP address appears only on the anchor WLC. Is this correct? And is there any method by which I can identify it from the local one?

    The "real IP" will only show up in the anchor WLC along with other client-related info. Since the traffic is tunneled to the anchor, the foreign WLC will not have that info.
    Thanks,
    Scott Fella
    Sent from my iPhone

  • WLC Guest portal - External DNS issue

    I have an interesting behavior. When my guest users attach to the guest network, I want them to use some external DNS source and not my organization's DNS servers. So, I set the DHCP scope options to point to other DNS servers. When I do, the users don't seem to be redirected to the WLC guest portal; they get nothing and because of that, they cannot get to the Internet.
    I am not sure why this is happening.  The re-direction URL is https://1.1.1.1/login.html?redirect=www.google.com?/ocid=iehp
    I don't understand why pointing a guest client to an external DNS server would cause the guest login page not to come up.

    The issue is likely that you are attempting to redirect an HTTPS page. See this link for more information:
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html#anc7
    You didn't mention your code rev, but it seems that 8.0 is able to redirect HTTPS for guest portal.

  • Guest tunneling security problem

    Hello,
    I configured guest tunneling between a 5508 (internal LAN) and a 2504 (DMZ) and it works perfectly. However, when the tunnel is down guest users are associated to the management interface on the 5508; I only have to configure an IP address and a default gateway on a guest user to be routed on the internal network..... So, there is a security problem in my network architecture.
    Do you have advice to avoid this problem?
    Best regards,
    Thib

    You can create a "dummy/unrouted" interface on your 5508 & map that to the guest SSID instead of the management interface.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Guest tunnel/auto-anchor from 2100 to 4400 WLC

    We’d like to extend our current Guest LAN from a 4400 WLC in our data center to a 2100 WLC located at a remote facility. However, we cannot get the foreign controller to pass traffic to the anchor controller – or so it seems. The catch is that we’re not actually trying to extend the SSID itself to provide wireless access, but instead flub it so that we can provide local wired access tunneled to the Guest LAN on the anchor WLC. I’m not entirely sure if this is possible, because I’ve read that before the EoIP tunnel will come up a guest client must associate to the foreign WLC.
    We’ve followed the instructions we could find that go over setting up this type of scenario, but unfortunately they only cover setting up back-to-back 4400 controllers and as such, some functions described (notably being able to create a Guest LAN) are not possible on the 2100. We haven’t been able to find a clear and concise guide on the scenario we want to set up.
    Here’s some detail:
    Mobility group is up/up between both WLCs. Both WLCs are running 6.0.x code.
    Anchor WLC – 3750G-24WS-S25 (a 4400 WLC w/ integrated 3750G-24)
    Guest LAN WLAN “wired-guest” created; Ingress is “none” and Egress is our existing “dirtnet” – i.e. outside access. The “dirtnet” interface is *not* a Guest LAN interface. Mobility anchor is set as local.
    Remote WLC – WLC2106
    WLAN “wired-guest” created; Interface is “wired” w/ an IP address on the same subnet as the anchor “dirtnet” and associated with port 2. Mobility anchor is set to the anchor WLC and is up/up. I have a laptop connected to port 2 with a statically assigned IP address on the same subnet as “dirtnet.” I am able to ping the local port 2 address, but I can’t ping across the tunnel to the anchor WLC. I also cannot ping the anchor WLC "dirtnet" interface from the foreign WLC’s Ping tool.
    Are we missing something?

    Sean,
    Wired guest access is not supported on WLC2106.
    Reference:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml#configs
    Please consider using a WISM, WLC4400, 3750 integrated WLC or a WLC5500

  • WLC 5508 tunneling issue

    Hi,
    I have a WLC 5508 connected in a hub and spoke topology. The WLC is located at the hub, which is the main office. In one of the remote spoke locations I have five Access Points that are connected to the local LAN, and the model for the APs is AIR-CAP3602I-E-K9. The APs are all connected to access ports on the switch in VLAN 1. I have two WLANs configured on the controller. I have two interfaces configured on the controller: the management and the guest interface. WLAN 1 is associated with the management interface. In the WLAN 1 advanced settings the flex local switching option is enabled. WLAN 2 is associated with the guest interface, and this interface is tunneling VLAN 248, the guest VLAN. The problem I am having is that the devices cannot communicate with each other if they are connected to the wireless connection WLAN 2, which is the tunneled VLAN.
    Example: The client would like to be able to connect his iPad to the Apple TV for presentations. If I connect both devices to WLAN 1, which is using the flex local switching option, they can communicate with no problem, but if the devices are connected to WLAN 2, the guest VLAN, they can't communicate with each other. Is it possible to get this to also work on WLAN 2?
    Note: Both WLAN types are WLAN and P2P Blocking Action is set to default (disabled).
    Does any one have any ideas what could be causing my issue?
    Thanks in advance for your help,

    Well, since you're talking about Apple TV, you need to look at this reference guide for Apple's Bonjour. This will explain how to get it to work and the limitations when an AP is in local or FlexConnect mode. Bonjour just doesn't work as people think it should, because they can get it to work with a Linksys AP.
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_tech_note09186a0080bb1d7c.shtml
    Sent from Cisco Technical Support iPhone App

  • Can i use Internal DHCP on WLC Guest Anchor (5508) with Foreign HA 5508

    DHCP Proxy is required in order to use a local WLC DHCP pool (Guest Anchor); however, reading the Wireless Q&A (http://www.cisco.com/image/gif/paws/107458/wga-faq.pdf) states that both foreign and guest anchors must have:
    In a Wireless guest access setup, the DHCP proxy setting in the Guest Anchor controllers and the internal controller must match. Else, DHCP request from clients are dropped and you see this error message on the internal controller......
    However, if you have N+1 you cannot use internal DHCP; does this also "grey" out the DHCP Proxy global setting? If so, will the Guest Anchor still work with an internal DHCP pool even though the foreign and guest controllers have a mismatch in the DHCP Proxy (global) setting?
    Many Thanks
    Kam

    Well, it should still work... DHCP proxy is required on the WLC that has a DHCP scope. With the newer code versions, you can enable DHCP proxy per interface, so this doesn't have to be global.

  • WLC Guest Setup through Palo Alto Firewall

    We currently have a Guest wireless setup at my company; instead of using an anchor controller we have dual controllers, each having one interface connecting out into our DMZ and then going out. It's a pure L2 connection and exits out to the Internet via a DMZ interface on our ASA. We recently purchased a PA-200 Palo Alto firewall to use for this Guest network, and configured everything exactly how it's already set up on our DMZ switch and ASA with the same IP addresses. When we connect the outside interfaces from the controller to an L2 switch that's connected to the Palo Alto firewall we can't get DHCP requests through and have no connectivity; even if we set a static IP on our client we still have no connectivity and it won't redirect us. We use Web-Auth for our authentication with this network and I know once you get an IP address it will only allow DNS to redirect to the virtual IP for authentication before it allows anything else, but it is the exact same setup as we had before, just with a different firewall, so I'm stuck. Also, if I plug directly into the switch via Ethernet cable I can get an IP address and get out to the Internet. Is there anyone who has experience with this type of setup, or might know what I need to allow on the firewall for it to work? I've attached a diagram of the basic topology we have set up.
    Thanks

    Hi Rod
    Your WLC interface and PA interface config look correct. I assume you have policy rules on the PA to permit traffic from your guest zone to the destination. You will also require a policy on the PA to permit traffic from the guest zone to the guest zone, as the default route for the subnet is on the PA and any traffic to the IP is filtered by the policies.
    I have my WLC doing DHCP for my guest subnet; as your guest SSID/VLAN is probably centrally switched on the WLC, it's the easiest way to do this. The PA has no DHCP helper function as far as I am aware and I've never tried passing DHCP requests through a PA via a centrally switched SSID. I assume 10.118.6.112 is the management IP of your controller? If it's not, try changing the IP to your controller management IP if you're not getting DHCP.
    I'm not sure how your guest system works, but I have an SSID which has a web-auth policy forwarding the guest auth to an authentication server with a web console, which then passes a RADIUS auth session back to the WLC.
    Do you have any other SSIDs configured to use that physical port on the WLC? Even if they're H-REAP and not using the interface.
    Do you also have the web policy configured correctly on the SSID? I assume you want the browser to redirect to the guest web login page when they connect to the SSID. Are you using an external server for this or the WLC?

  • WLC Guest access Daily user/password

    Hi,
    I have a WLC 2100 and 1131 LAPs. Does anyone know whether it is possible to create a local net guest user that either has a changing daily password, or whether it is possible to create multiple users that are only valid for a specific time period? Basically all I want to do is, once a month, create new users or passwords for each day of the month, with the credentials only valid for that day. I can see that I can time-limit users, but this would mean creating the user at midnight every day.
    Many Thanks

    Hi,
    Q1: Is it possible to create a local net guest user that has a changing daily password?
    A1: No, that is not possible with WLC local guest users.
    Q2: Is it possible to create multiple users that are only valid for a specific time period?
    A2: Yes, you have a lifetime per guest user that can be configured.
    For your requirement, you may need to have a look at another guest appliance like the NAC Guest Server, or create the user DB on an ACS RADIUS server for time restrictions.
    Thx
    Serge

  • WLC Guest Access Randomly and Print

    Hi all, in my company they have asked me for a solution which automatically creates guest accounts with a random username and password. Is this solution possible to implement? With only the WLC? P.S. Do you also know which models/brands of printers allow you to press a button and print a receipt (with user/password) that can be integrated with the WLC?? Thank you.

    Hi Marco,
    WCS is licensed software, right. But it is now being replaced by NCS, its elder brother, which is an appliance. I think WCS is now out of sale and NCS is what is available (not sure).
    No modifications need to be done on the WLC; you only add the WLC to the WCS (or NCS). This needs correct SNMP information to be configured on both sides.
    If you have some programming experience you may implement the random username/password generation yourself. Just capture the traffic when WCS sends an SNMP packet to the WLCs to create the guest account. Whenever you want to create a user you build the same packet but change the username and the password, and send the same packet to the WLC. Of course you need to add the sender IP address to the SNMP community list in the WLC.
    For the printer part it is a bit harder: your program should be integrated with the printer and prepare the layout that will be printed.
    HTH
    Amjad

  • WLC Guest Access Internet Routing

    Not sure if this is the right forum, but I'm wondering if anyone can explain this.
    I have a trunk from the wlc to my router with one switch in between. 
    wlc---trunk----3560---trunk---2821
    The interface on the WLC and the 2821 both have an IP address and can ping each other. When a wireless client connects to the guest network they cannot access the Internet unless the 3560 switch has an IP address set on the VLAN that is trunked from the WLC to the router:
    wlc(vlan 825 - 10.7.200.2)----trunk-----3560(vlan 825 - 10.7.200.3)-----trunk-----2821(vlan825 - 10.7.200.1)
    The gateway for the clients is 10.7.200.1, which is the router. If I take the IP address off of the VLAN interface on the 3560 the trunk is still there, but the clients on the guest network cannot get through. The gateway on the interface on the WLC is also set to 10.7.200.1.
    Any ideas why I need that IP address on the 3560?
    Dan.

    Hi Dan,
    you may send the switch "show tech" and the WLC "show run-config" taken with the problematic config for a quick look.
    Regards,
    Federico

  • Guest Tunneling Problems

    Hi
    I was wondering if anybody could help me out here. I have been following the guidelines in the WLC software configuration guide with regard to configuring the internal controller, which is pretty straightforward. The mobility anchor is up with the DMZ controller; however, I am not sure what configuration is required on the DMZ controller itself with regard to DHCP and the Guest WLAN itself. To be honest the documentation is a bit skimpy, to say the least.
    Any help would be greatly appreciated
    Cheers,
    Martin

    Martin,
    I share your frustrations with the documentation on guest access. From what you stated, you're having trouble with how guest access mobility is configured with respect to DHCP. Hope this helps.
    The first part is well documented. Set up a mobility group between the remote and DMZ controller. Make sure it's up. Now we'll move on to DHCP configuration.
    1) On the DMZ controller, configure a DHCP pool for the guest clients. Make sure you build a WLAN and bind it to the proper interface.
    2) On the remote controller, under your "management" interface, set the DHCP server to be the IP address of the management interface on the DMZ controller. Very important!
    3) Build the guest WLAN on the remote controller with the same configuration and bind its interface to the management interface of the remote controller.
    Voila... all DHCP requests will now be forwarded to the DMZ anchor.
    Anything else I can help with let me know.
    -Mike
    http://cs-mars.blogspot.com

  • WLC Guest Internet - Wired Guest Question.

    We're currently not running a version on our WLCs that supports wired guests (4.1.185) but I am evaluating upgrading to 4.2.112. What is the current limitation on wired guests? Is it 5? Curious as to why this is, if so. My question develops out of this in this scenario:
    Our main campus is on LWAPP; our secondary campus is not at this point. So the secondary campus is running something different for Guest access (Chillisoft). I'm curious, if I backhaul a VLAN over to the other campus that has the Cisco Guest Internet from the WLC and redistribute it from Campus2's core, then add the VLAN to the APs there, how this would work out. I know I can get the VLAN over there, that's simple and we do it for a few other things, but I'm not sure how well it'd work out for this environment. I 'think' the only thing stopping me would be any wired user limitations, which I am curious about: why is there one, if there is?

    There is no need to backhaul the VLAN from one campus to the other. Just configuring the same VLANs individually on the APs would do. Here is a deployment guide http://www.cisco.com/en/US/docs/wireless/technology/guest_access/technical/reference/4.1/GAccess_41.html for WLC.

  • WLC Guest WEB Authentication

    Hello,
    I would like to configure Internet access for guests on a WLC 2504 through web authentication.
    But the configuration instructions I always find only describe it with the additional anchor WLC.
    This also works without an anchor WLC, right?
    Can anyone give me a hint on where I can find a manual for it (ideally for Release 7.4 or 7.5)?
    Thank you
    Alexander

    It does indeed. When I use the foreign controller for guest access, I often will use a 5508 in port mode (non lag) and break out a port for guest.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • WLC Guest Network DHCP run out of IPs??

    Hello,
    I have this guest WLAN working with web authentication; as you may know, in order to get authenticated you must have an IP address first and then a valid username and password. The problem is that if you don't have valid credentials you keep the IP address anyway.
    I'd like to know if there is a way to release the IPs that are not being used. The WLC is the DHCP server for this network.
    WLC4402
    6.0.202.0
    Thanks in advance!

    That would be good, but right now there is no automated process to remove those clients.
    If you are good with scripting, you could set up a script to pull the client list, then parse it based on the authentication state. Once you have that you can then do a client deauthenticate, and wipe the IP address lease as well.
    Unfortunately, I can't be too much help as I don't really know scripting.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered
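    The scripted cleanup Steve describes, as an added example that is not part of the original thread: it parses two constructed snapshots of a WLC client listing (the column layout and the snapshot interval are assumptions), treats guests that are still unauthenticated in both snapshots as stale, and emits the WLC deauthenticate commands for review rather than acting on a single listing, so a guest who has just associated and is still on the login page is left alone.

```python
import re
from collections import namedtuple

# Constructed samples of a WLC "show client summary" listing captured twice a
# few minutes apart (column layout assumed; adjust for your code release).
SNAPSHOT_EARLIER = """\
MAC Address       AP Name      Status      WLAN/Guest-Lan Auth Protocol Port Wired
----------------- ------------ ----------- -------------- ---- -------- ---- -----
00:11:22:33:44:55 AP-LOBBY-1   Associated  3              No   802.11g  1    No
00:11:22:33:44:66 AP-LOBBY-1   Associated  3              No   802.11g  1    No
00:11:22:33:44:88 AP-FLOOR2-3  Associated  1              Yes  802.11g  1    No
"""
SNAPSHOT_LATER = """\
MAC Address       AP Name      Status      WLAN/Guest-Lan Auth Protocol Port Wired
----------------- ------------ ----------- -------------- ---- -------- ---- -----
00:11:22:33:44:55 AP-LOBBY-1   Associated  3              No   802.11g  1    No
00:11:22:33:44:66 AP-LOBBY-1   Associated  3              Yes  802.11g  1    No
00:11:22:33:44:77 AP-FLOOR2-3  Probing     N/A            No   802.11a  1    No
00:11:22:33:44:99 AP-LOBBY-2   Associated  3              No   802.11b  1    No
"""

# Table rows start with a MAC address; the header and separator lines do not.
MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}\s", re.I)
ClientEntry = namedtuple("ClientEntry", "mac status wlan authenticated")


def parse_client_summary(text: str) -> list:
    """Return one ClientEntry per table row, skipping header and separator."""
    entries = []
    for line in text.splitlines():
        if not MAC_RE.match(line):
            continue
        mac, _ap_name, status, wlan, auth = line.split()[:5]
        entries.append(ClientEntry(mac.lower(), status, wlan, auth.lower() == "yes"))
    return entries


def unauthenticated_guests(entries: list, guest_wlan: str) -> set:
    """Associated on the guest WLAN (so holding a lease) but not past web auth."""
    return {e.mac for e in entries
            if e.wlan == guest_wlan and e.status == "Associated" and not e.authenticated}


def stale_guest_clients(earlier: str, later: str, guest_wlan: str) -> list:
    """Clients unauthenticated in both snapshots had a whole interval to log in.
    A client seen only in the later snapshot may still be on the login page."""
    stale = (unauthenticated_guests(parse_client_summary(earlier), guest_wlan)
             & unauthenticated_guests(parse_client_summary(later), guest_wlan))
    return sorted(stale)


def deauth_commands(earlier: str, later: str, guest_wlan: str) -> list:
    """WLC CLI lines to review, then run over SSH; the scope's lease time still
    governs when the freed address goes back into the pool."""
    return [f"config client deauthenticate {mac}"
            for mac in stale_guest_clients(earlier, later, guest_wlan)]


if __name__ == "__main__":
    print("\n".join(deauth_commands(SNAPSHOT_EARLIER, SNAPSHOT_LATER, "3")))
```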
