WLC Guest Wired Redundancy

Is it possible to have WLC redundancy through wired guest interfaces? We have two WLC anchors and I want to use them both for wired guests. If they are both set up on the same wired guest VLAN, will this work?

They cannot.
The "ingress" interface is the one that is capturing wired guest traffic (so your switchports have to be configured for that vlan). It has to be different on all controllers.
What Stephen was raising is that anchors are not counted in this rule because they don't have ingress interfaces ...
When you anchor a wired guest wlan, the foreign WLC has the ingress and the anchor WLC has the egress. So you can have multiple anchors.
But every WLC having ingress interface should be in a different vlan.
The reason for this is that WLCs can't synch on who will capture the wired client traffic, and it becomes a mess if they all answer to the client.
Hope this clarifies.
Nicolas
===
Don't forget to rate answers that you find useful

Similar Messages

  • Guest-wired access connections drop every 1- 2 minutes

    I have an interesting problem.
    My connections to the guest wired access drop consistently every 1-2 minutes. There are no drops in the mobility between the WiSM and the 4402 anchor in the DMZ. DHCP is served from the 4402 DMZ controller, as well as their authentication.
    When a user connects to the guest wired access VLAN, sometimes they obtain a 169.X.X.X address and after several tries they get the proper 192.168.x.x address. The users get their IP address and get the redirect login. They maintain their internet connection for only 1-2 minutes.
    DHCP on the 4402 is set for 4hours
    Any thoughts ?   
    Mike

    Ouch, the forums ate my formatting for that first post!
    Thanks for the reply Ray. I should mention that this is a shared house, not a family home, so I cannot always access the devices. I'm the one on the ethernet connection and I've gone into my ethernet adaptor's settings to change my IP address to a static number just below that of the DHCP range whilst leaving DHCP enabled for everyone else. After restarting my computer the connection's still dropping.
    Haven't had a chance to reset the hub yet, if that's necessary, as other people are using the connection at the moment.
    I do have the admin password for the hub but I'm under the impression a static IP address would have to be set from the devices themselves which I can't access - or can I use Home Network > Devices, check "Always use this IP address" then disable DHCP?

  • WLC Guest portal - External DNS issue

    I have an interesting behavior. When my guest users attach to the guest network, I want them to use some external DNS source and not my organization's DNS servers. So, I set the DHCP scope options to point to other DNS servers. When I do, the users don't seem to be redirected to the WLC guest portal; they get nothing and because of that, they cannot get to the Internet.
    I am not sure why this is happening.  The re-direction URL is https://1.1.1.1/login.html?redirect=www.google.com?/ocid=iehp
    I don't understand why pointing a guest client to external DNS servers would cause the guest login page not to come up.

    The issue is likely that you are attempting to redirect an HTTPS page. See this link for more information:
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html#anc7
    You didn't mention your code rev, but it seems that 8.0 is able to redirect HTTPS for guest portal.

  • Is it possible to make the ISE guest server redundant ?

    Hi,
    We have an ISE cluster of two ISE nodes.
    The ISE guest server works fine on the primary ISE node.
    The MAC address of the guest client is set in the map 'GuestDevices' after accepting the AUP policy.
    Then the ISE sends the COA and the client authenticates again and is put in the guest VLAN.
    But when the primary ISE is offline, I see the guest portal AUP page on the secondary ISE node.
    I can accept the AUP policy, and I get an error message.
    On the secondary ISE I see that the COA to the switch is sent, to clear the session to the primary ISE....
    But the COA request should ask to clear the session to the secondary ISE (the primary ISE is offline).
    Should it be possible to configure the ISE guest functionality redundant in an ISE cluster?
    /SB

    The Guest portal can run on a node that assumes the Policy Services persona when the primary node with Administration persona is offline. However, it has the following restrictions:
    • Self registration is not allowed
    • Device Registration is not allowed
    • The AUP is shown at every login even if first login is selected
    • Change Password is not allowed and accounts are given access with the old password.
    • Maximum Failed Login is not enforced
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html#wp1126706

  • WLC Guest Internet - Wired Guest Question.

    We're currently not running a version on our WLCs that supports wired guests (4.1.185) but am evaluating upgrading to 4.2.112. What is the current limitation of wired guests? Is it 5? Curious as to why this is, if so. My question develops out of this in this scenario:
    Our main campus is on LWAPP, our secondary campus is not at this point. So the secondary campus is running something different for guest access (Chillisoft). I'm curious, if I backhaul a VLAN over to the other campus that has the Cisco Guest Internet from the WLC and redistribute it from Campus2's core, then add the VLAN to the APs there, how this would work out. I know I can get the VLAN over there, that's simple and we do it for a few other things, but I'm not sure how well it'd work out for this environment. I 'think' the only thing stopping me would be any wired user limitations, and I'm curious as to why there is one, if there is.

    There is no need to backhaul the VLAN from one campus to the other. Just configuring the same VLANs individually on the APs would do. Here is a deployment guide for WLC: http://www.cisco.com/en/US/docs/wireless/technology/guest_access/technical/reference/4.1/GAccess_41.html

  • WLC Guest Tunnel

    Hi,
    I have some questions about Guest Tunneling, since the docs on CCO are not so complete.
    Right now I have 2 WLC4400 Series in a redundant setup with 2 WLANs, 1 WLAN per AP Group. All the APs are set up as H-REAP nodes.
    We have to set up a WLC in the DMZ so that Guest WLAN traffic will be tunneled from the internal WLC to the DMZ, and all is fine.
    The WLAN Guest and the interface should be defined both on the internal and the DMZ WLC... isn't it? The DHCP server should be set up in the DMZ?
    Then I'll set up the mobility anchor between WLC#1 internal and WLC DMZ and between WLC#2 internal and WLC DMZ, correct?
    What about the APs, since they are set up as H-REAP nodes with the switch port as access?
    Many thanks for helping me find a solution

    Hi fella,
    Thanks a lot for the useful info... are you sure? Maybe I'm missing a piece of the puzzle... let's recap:
    - My APs on different IP subnets are configured as H-REAP nodes
    - my internal WLCs are configured with more WLANs to do central AUTH and LOCAL switching
    - my WLANs, since they are in H-REAP mode, are mapped to the AP-Manager interface of the WLC
    - the WLC in the DMZ, behind a firewall, is configured with a mobility group to be "in the same one" as the internal WLCs
    - the Guest WLAN, defined on internal and external WLCs, is mapped to the AP-Manager IP to be LWAPP tunneled (central switching) and spread on all my APs
    - the Guest WLAN will be anchored from the internal WLCs to the external one.
    So basically, for a WLAN client which connects to the Guest WLAN, all traffic will be LWAPP tunneled from the AP MGMT IP to the WLC AP-Manager IP and then, since this WLAN is anchored to the DMZ WLC, the traffic will be EoIP tunneled to this WLC, where a DHCP server is active.
    After the client receives an IP address from the WLC's DHCP server, the firewall in front of the WLC will block all access to the internal IP subnet and permit traffic only to be routed to the outside of the enterprise...
    Am I wrong with something?
    Thanks

  • Can i use Internal DHCP on WLC Guest Anchor (5508) with Foreign HA 5508

    DHCP Proxy is required in order to use local WLC DHCP Pool (Guest Anchor), however reading Wireless Q&A (http://www.cisco.com/image/gif/paws/107458/wga-faq.pdf) states that both foreign and guest anchors must have :
    In a Wireless guest access setup, the DHCP proxy setting in the Guest Anchor controllers
    and the internal controller must match. Else, DHCP request from clients are dropped and you
    see this error message on the internal controller......
    However, if you have N+1 you cannot use internal DHCP; does this also "grey" out the DHCP Proxy global setting? If so, will the Guest Anchor still work with an internal DHCP pool even though the foreign and guest controllers have a mismatch in the DHCP Proxy (global) setting?
    Many Thanks
    Kam

    Well, it should still work... DHCP proxy is required on the WLC that has a DHCP scope. With the newer code versions, you can enable DHCP proxy on a per interface basis so this doesn't have to be global.

  • VWLC and Guest Wired

    Ciao,
    we are going to test the Guest capabilities of the vWLC (version 7.4.121.0) with no anchor.
    The WiFi Guest and authentication works well.
    The Wired Guest seems to have problems:
    - ip to client is assigned (ok)
    - then no packets seems to leave the vWLC (no dns request exit the vWLC for example) nor the auth page comes up
    For the last point I was on the ASA and no packets arrives.
    On vWLC: ingress interface is the L2 vlan, while the egress interface is the L3 vlan (with ASA as gateway)
    Any suggestion ?
    Cheers,
    L.

    Restrictions for Configuring Wired Guest Access
    Wired guest access interfaces must be tagged.
    Wired guest access ports must be in the same Layer 2 network as the foreign controller.
    Up to five wired guest access LANs can be configured on a controller. Also in a wired guest access LAN, multiple anchors are supported.
    Layer 3 web authentication and web passthrough are supported for wired guest access clients. Layer 2 security is not supported.
    Do not trunk a wired guest VLAN to multiple foreign controllers, as it might produce unpredictable results.

  • WLC Guest Setup thru Palo Alto Firewall

    We currently have a Guest wireless setup at my company. Instead of using an anchor controller we have dual controllers, with each having one interface connecting out into our DMZ and then going out. It's a pure L2 connection and exits out to the internet via a DMZ interface on our ASA. We recently purchased a PA-200 Palo Alto firewall to use for this Guest network, and configured everything exactly how it's already set up on our DMZ switch and ASA, with the same IP addresses. When we connect the outside interfaces from the controller to a L2 switch that's connected to the Palo Alto firewall, we can't get DHCP requests through and have no connectivity; even if we set a static IP on our client we still have no connectivity and it won't redirect us. We use Web-Auth for our authentication with this network, and I know once you get an IP address it will only allow DNS to redirect to the virtual IP for authentication before it allows anything else, but it is the exact same setup as we had before, just with a different firewall, so I'm stuck. Also, if I plug directly into the switch via Ethernet cable I can get an IP address and get out to the internet. Is there anyone who has experience with this type of setup, or might know what I need to allow on the firewall for it to work? I've attached a diagram of the basic topology we have set up.
    Thanks

    Hi Rod
    Your WLC interface and PA interface config look correct. I assume you have policy rules on the PA to permit traffic from your guest zone to the destination. You will also require a policy on the PA to permit traffic from the guest zone to the guest zone, as the default route for the subnet is on the PA and any traffic to the IP is filtered by the policies.
    I have my WLC doing DHCP for my guest subnet; as your guest SSID/VLAN is probably centrally switched on the WLC, it's the easiest way to do this. The PA has no DHCP helper function as far as I am aware, and I've never tried passing DHCP requests through a PA via a centrally switched SSID. I assume 10.118.6.112 is the management IP of your controller? If it's not, try changing the IP to your controller management IP if you're not getting DHCP.
    I'm not sure how your guest system works, but I have an SSID which has a web-auth policy forwarding the guest auth to an authentication server with a web console, which then passes a RADIUS auth session back to the WLC.
    Do you have any other SSIDs configured to use that physical port on the WLC? Even if they're HREAP and not using the interface.
    Do you also have the web policy configured correctly on the SSID? I assume you want the browser to redirect to the guest web login page when they connect to the SSID. Are you using an external server for this or the WLC?

  • WLC Guest access Daily user/password

    Hi,
      I have a WLC 2100 and 1131 LAPs. Does anyone know whether it is possible to create a local net guest user that either has a changing daily password, or whether it is possible to create multiple users that are only valid for a specific time period? Basically all I want to do is, once a month, create new users or passwords for each day of the month, with the credentials only valid for that day. I can see that I can time limit users, but this would mean creating the user at midnight every day.
    Many Thanks

    Hi,
    Q1: Is it possible to create a local net guest user that has a changing daily password?
    A1: No, that is not possible on WLC local guest users.
    Q2: Is it possible to create multiple users that are only valid for a specific time period?
    A2: Yes, you have a lifetime per guest user that can be configured.
    For your requirement, you may need to have a look at another guest appliance like the NAC Guest Server, or create the user DB on an ACS RADIUS server for time restrictions.
    Thx
    Serge

  • WLC Guest Access Randomly and Print

    Hi all, my company has asked me for a solution that automatically creates the guest account with a random username and password. Is this solution possible to implement? With only the WLC? P.S. Do you also know which models/brands of printers allow you to press a button and print a receipt (with user/password) and can be integrated with the WLC? Thank you.

    Hi Marco,
    WCS is licensed software, right. But it is now being replaced by NCS, its elder brother, which is an appliance. I think WCS is now out of sale and NCS is what is available (not sure).
    No modifications need to be done on the WLC. You only add the WLC to the WCS (or NCS). This needs correct SNMP information to be configured on both sides.
    If you have some programming experience you may implement the random username/password implementation yourself. Just capture the traffic when WCS sends an SNMP packet to the WLCs to create the guest account. Whenever you want to create a user, you specify the same packet but change the username and the password and send the same packet to the WLC. Of course you need to add the sender IP address to the SNMP community list in the WLC.
    For the printer part it is a bit harder. Your program should be integrated with the printer and prepare the layout that will be printed.
    HTH
    Amjad

  • WLC Guest Access Internet Routing

    Not sure if this is the right forum, but I'm wondering if anyone can explain this.
    I have a trunk from the WLC to my router with one switch in between.
    wlc---trunk----3560---trunk---2821
    The interfaces on the WLC and the 2821 both have an IP address and can ping each other. When a wireless client connects to the guest network, they cannot access the internet unless the 3560 switch has an IP address set on the VLAN that is trunked from the WLC to the router:
    wlc(vlan 825 - 10.7.200.2)----trunk-----3560(vlan 825 - 10.7.200.3)-----trunk-----2821(vlan825 - 10.7.200.1)
    The gateway for the clients is 10.7.200.1, which is the router. If I take the IP address off of the VLAN interface on the 3560, the trunk is still there, but the clients on the guest network cannot get through. The gateway on the interface on the WLC is also set to 10.7.200.1.
    Any ideas why I need that ip address on the 3560?
    Dan.

    Hi Dan,
    You may send the switch "show tech" and the WLC "show run-config" taken with the problematic config for a quick look.
    Regards,
    Federico

  • WLC Guest WEB Authentification

    Hello,
    I would like to configure Internet access for guests through web authentication on a WLC 2504.
    But the configuration instructions I find always describe it only with the additional anchor WLC.
    But this also works without an anchor WLC, right?
    Can anyone give me a hint on where I can find a manual for it (ideally for Release 7.4 or 7.5)?
    Thank you
    Alexander

    It does indeed. When I use the foreign controller for guest access, I often will use a 5508 in port mode (non lag) and break out a port for guest.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • WLC Guest Network DHCP run out of IPs??

    Hello,
    I have this guest WLAN working with web authentication. As you may know, in order to get authenticated you must have an IP address first, then have a valid username and password. The problem is that if you don't have valid credentials, you keep the IP address anyway.
    I'd like to know if there is a way to release the IPs that are not being used. The WLC is the DHCP server for this network.
    WLC4402
    6.0.202.0
    Thanks in advance!            

    That would be good, but right now there is no automated process to remove those clients.
    If you are good with scripting, you could set up a script to pull the client list, then parse it based on the authentication. Once you have that, you can then do a client deauthenticate, and wipe the IP address lease as well.
    Unfortunately, I can't be too much help as I don't really know scripting.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • WLC - guest account multiple users

    Hi,
    I have been looking at the guest access features of the WLC and I can see the ability to specify an account duration as a Lobby Ambassador, but does the WLC support multiple logins per guest account?
    I.e. I want to create a single guest account for use by 100 users. Is there any way to achieve this or would I need to create 100 individual guest user accounts?
    Many thanks,
    Paul.

    Paul,
    If you have WCS available, you can import a .csv file that contains the proper information for usernames/passwords:
    http://www.cisco.com/en/US/docs/wireless/wcs/7.0/configuration/guide/7_0temp.html#wp1102820
    Example file would look like:
    Username   Password   Profile     Description
      User1      Cisco      Any Profile Net User 1
      User2      Cisco                  Net User 2
      User3      Cisco      Internal    Net User 3
    The other option I can think of would be to build a list of command line configurations for the WLC, and manipulate the list with your already created usernames/passwords in a text editor. The command to configure a guest user on the WLC CLI is:
    config netuser add wlan userType [lifetime ] [description ]
    Thanks,
    -Patrick
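
The second option in the reply above (a generated list of WLC CLI lines), as an added example that is not code from the thread: it turns a constructed CSV of guests into `config netuser add` commands and gives each account its own random password rather than one shared value. The full argument order (username, password, `wlan <id>`, `userType guest`, `lifetime`, `description`) and the 24-character limit are assumptions taken from Cisco's command reference and should be checked against your release.

```python
import csv
import io
import re
import secrets
import string

# Assumed CLI form (verify on your WLC release):
#   config netuser add <username> <password> wlan <wlan_id> userType guest
#       lifetime <seconds> description <text>
MAX_LEN = 24                                      # assumed username/password limit
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,24}")     # one CLI token, nothing to quote
ALPHABET = string.ascii_letters + string.digits   # safe to paste into the CLI

# Constructed sample input: one guest per row.
SAMPLE_CSV = """username,description
visitor01,Lobby guest 1
visitor02,Lobby guest 2
bad name!,rejected: illegal characters
visitor01,rejected: duplicate
"""

def new_password(length=12):
    """Per-user random password drawn from the OS CSPRNG."""
    if not 8 <= length <= MAX_LEN:
        raise ValueError("password length out of range")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def build_commands(csv_text, wlan_id, lifetime_s):
    """Return (commands, {username: password}, rejected_usernames)."""
    # Example policy: refuse unlimited (0) or sub-minute lifetimes.
    if wlan_id < 1 or lifetime_s < 60:
        raise ValueError("wlan_id must be >= 1 and lifetime >= 60 seconds")
    commands, creds, rejected, seen = [], {}, [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = (row.get("username") or "").strip()
        # Skip names that would break the command line or collide.
        if not NAME_RE.fullmatch(user) or user.lower() in seen:
            rejected.append(user)
            continue
        seen.add(user.lower())
        # Collapse the description into a single token so no quoting is needed.
        desc = re.sub(r"[^A-Za-z0-9_.-]+", "_",
                      (row.get("description") or "").strip())[:32] or "guest"
        creds[user] = new_password()
        commands.append(
            f"config netuser add {user} {creds[user]} wlan {wlan_id} "
            f"userType guest lifetime {lifetime_s} description {desc}")
    return commands, creds, rejected

if __name__ == "__main__":
    cmds, creds, bad = build_commands(SAMPLE_CSV, wlan_id=3, lifetime_s=86400)
    print("\n".join(cmds))
    print("rejected:", bad)
```

The returned credentials map is what gets handed to the lobby desk; the command list contains the same passwords in clear text, so treat both as secrets.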
