WLC4402 with Guest SSID WebPolicy Issues

Hi I have a WLC4402 with WLAN SSID Guest open authentication set to Webpolicy
Attached is the config, I have a lobbyadmin username that create users, my guest users are able to get IP but when they fireup their IE or Mozilla browsers, the cant get any ssl certs or redirected to the login splash page.
However when I reboot the wLC4402, the users are able to get the cert and redirected to splash page... The situation happens after 1 day and I need to reboot again...anyone can help me out? rebooting is not an option for me
regards

I imagine you have done, but be sure to provide DNS in your DHCP scope for the guest vlan.
regardsm

Similar Messages

  • Guest SSID not working

    Hi all, im trying to configure the MSM760 to work with Guest SSID via HTML authentication.im facing the problem that i can get IP address, i can ping to outside, but i cant open anything in the broswer, it seems there is DNS resolving issue.anyway.i have disconnected this controller from teaming yesterday, and the team works with two SSID's1. NPS SSID which is used for Domain users authentication2. HTML uses authentication  the NPS SSID was always ok, but the Guest was not working, and as i understand from some reading in here that the Guest SSID will not work properly in Teaming.so i disconnected this Controller and and changed the management IP address to new range. and started to test but i didnt get success with browsing.also the NPS authentication on it stopped and i cant get it to work. any advice? thanks in advance.

    FYI this is for HP wireless product and networking not support another company product. For that you need to go to their support site and ask for further help from them.

  • WLC2112 with Guest / Web-Auth and vlan

    Hi
    I'm trying to configure my WLC with guest SSID and vlan 10.
    The security is only set to Web-auth, and it is all working if the guest network is set to nativ vlan (1) But it seems that the http(s)://1.1.1.1/login.html is not reacheble from the guest SSID/VLAN??
    Please help.
    Management IP Address 192.168.14.252
    Software Version 6.0.182.0
    Emergency Image Version
    I have tried with ver. 5.2 also -

    I think that 1.1.1.1 is only reachable from a wireless client during webauth. They should not be able to reach that address once they have passed through the web auth page.
    Don't know if that helps, or not.

  • Guest ssid with anchor controller and Web policy

    We have a WLC4404 and and anchor controller WLC4402 to provide guest access to the wifi net. We configured both in the same mobility group, and the guest ssid to attach to the mobility anchor 4402. All is working fine until we enable the web policy authentication on the 4402. In this case the client join the guest ssid but neither get an ip address from the dhcp server nor go anywhere. Is we disable the web authentication all works fine again. We are runnig 4.0.206.0 on both WLC. Anyone can help us?

    Two things you might check. (1) The 4404's mobility anchor should point to the 4402, and the 4402 should anchor to itself. (2) Make sure you are configuring the same security policy for the SSID on both the 4402 and 4404. So if the SSID is "guest" and you turn on web authentication on the 4402, make sure "guest" is on the 4404 with web authentication. We are using a similar setup for guest access at several sites.

  • Guest Network login issues with EA6300 (Linksys Smart Wi-Fi Router AC1200)

    I have a friend who runs a Bed and Breakfast, and she's having issues with guests being able to connect to the Guest network.  She bought this router at the recommendation of Best Buy's Geek Squad, after she had some issues with her previous model.  
    Everything is set up properly, the router seems to operate fine, especially with the normal network.  The guest network can be seen, with a decent amount of signal strength, but when people try and connect to the network, and try to use it, they're never prompted for the guest login screen.  
    I've been able to verify that it does indeed work - I helped set it up, but apparently there are several people using Android phones and tablets, and iPads that do not receive a prompt to enter the guest password and continue on.  
    Are there any manual addresses that can be input into a browser in order to access the guest login web screen?
    OR better yet... is there a way to assign the password to the guest SSID, much like a normal wireless access point, rather than allowing guests to connect to a password-promptless guest SSID and have to try and finagle the guest password screen to pop up?
    This is very frustrating, for both my friend who runs a business and myself who supports this.  Is the router faulty?  Is there a new firmware??  Any help would be appreciated.
    Solved!
    Go to Solution.

    Thanks for the feedback.  I was able to get the guest network working pretty much 100% this afternoon.  What I did was I reset the router to factory settings to give it the purest settings, then went through then updated the network names and passwords, so existing devices would automatically reconnect to the main network.
    I also made sure that all existing devices that were trying to connect to the guest had the guest network settings "forgotten" and purged from their devices cache.  When connecting again, the guest network immediately forwarded to the browser guest login.  The only issues I had were when a device still had the guest network stored.  Forgetting it and reconnecting from scratch worked.  
    I verified it on and iPhone, iPad, 2 Android phones, 2 Windows 8 computers, and 1 Windows 7 laptop.  Thanks for the suggestions.
    I definitely recommend resetting the router to factory settings (make a backup first though), and the make sure any problematic guest devices have any guest network saved data is purged from the device and then attempt a reconnect.

  • AIR-AP1142N-A-K9 configuration issue for guest ssid

    I'm trying to get the guest ssid working.  I was frustrated so saved my old config and wiped out everything on this AP.  Now my bvi1 does not come online.
    ap#sh ip int bri
    Interface                  IP-Address      OK? Method Status                Protocol
    BVI1                       192.168.2.249   YES NVRAM  down                  down    
    Dot11Radio0                unassigned      YES NVRAM  up                    up      
    Dot11Radio0.50             unassigned      YES unset  up                    up      
    Dot11Radio0.51             unassigned      YES unset  up                    up      
    Dot11Radio1                unassigned      YES NVRAM  administratively down down    
    GigabitEthernet0           unassigned      YES NVRAM  up                    up      
    GigabitEthernet0.50        unassigned      YES unset  up                    up      
    GigabitEthernet0.51        unassigned      YES unset  up                    up      
    ap#
    ap#sh int bvi
    *May  6 15:05:24.611: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]1
    BVI1 is down, line protocol is down
      Hardware is BVI, address is 003a.99eb.8d00 (bia b862.1fe9.9af0)
      Internet address is 192.168.2.249/24
      MTU 1500 bytes, BW 54000 Kbit, DLY 5000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input never, output never, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         0 packets input, 0 bytes, 0 no buffer
         Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         3 packets output, 180 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    ap#
    I have a private vlan 50 and the public vlan 51.  The private ssid seems to work and allow connectivity to the internet but I don't understand with the same configuration the Public ssid doesn't seem to work.
    I get this output when trying to connect with my cell phone. 
    *May  6 15:00:37.288: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
    *May  6 15:00:38.432: %DOT11-6-ASSOC: Interface Dot11Radio0, Station TYLOR-NB 9c4e.3617.483c Reassociated KEY_MGMT[WPAv2 PSK]
    *May  6 15:00:42.935: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
    *May  6 15:00:54.320: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   2c44.01c3.70a6 Associated KEY_MGMT[WPAv2 PSK]
    *May  6 15:01:13.913: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
    *May  6 15:01:17.281: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
    *May  6 15:01:48.181: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
    *May  6 15:01:51.583: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
    *May  6 15:02:22.500: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
    *May  6 15:03:41.852: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
    SSID [PUBLIC] :
    MAC Address    IP address      Device        Name            Parent         State     
    847a.8835.4f22 0.0.0.0         ccx-client    -               self           Assoc    
    ap#
    ap#show run
    Building configuration...
    Current configuration : 2746 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    enable secret 5 $1$4jEJ$ajpjBvSx3DUhxyvLADj.91
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    dot11 syslog
    dot11 ssid PRIVATE
       vlan 50
       authentication open
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 01150F035E050E0A2D
    dot11 ssid PUBLIC
       vlan 51
       authentication open
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 045D02010A2F444B05
    username Admin privilege 15 password 7 0526071D3545175840
    bridge irb
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption vlan 50 mode ciphers aes-ccm
     encryption vlan 51 mode ciphers aes-ccm
     encryption mode ciphers aes-ccm tkip
     ssid PRIVATE
     ssid PUBLIC
     antenna gain 0
     mbssid
     station-role root
    interface Dot11Radio0.50
     encapsulation dot1Q 50 native
     no ip route-cache
     bridge-group 50
     bridge-group 50 subscriber-loop-control
     bridge-group 50 block-unknown-source
     no bridge-group 50 source-learning
     no bridge-group 50 unicast-flooding
     bridge-group 50 spanning-disabled
    interface Dot11Radio0.51
     encapsulation dot1Q 51
     no ip route-cache
     bridge-group 51
     bridge-group 51 subscriber-loop-control
     bridge-group 51 block-unknown-source
     no bridge-group 51 source-learning
     no bridge-group 51 unicast-flooding
     bridge-group 51 spanning-disabled
    interface Dot11Radio1
     no ip address
     no ip route-cache
     shutdown
     antenna gain 0
     dfs band 3 block
     channel dfs
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    interface GigabitEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     no keepalive
    interface GigabitEthernet0.50
     encapsulation dot1Q 50 native
     no ip route-cache
     bridge-group 50
     no bridge-group 50 source-learning
     bridge-group 50 spanning-disabled
    interface GigabitEthernet0.51
     encapsulation dot1Q 51
     no ip route-cache
     bridge-group 51
     no bridge-group 51 source-learning
     bridge-group 51 spanning-disabled
    interface BVI1
     ip address 192.168.2.249 255.255.255.0
     no ip route-cache
    ip default-gateway 192.168.2.1
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    line con 0
    line vty 0 4
    end      
    switch config:
    interface FastEthernet1/0/46
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 50
     switchport trunk allowed vlan 50,51
     switchport mode trunk

    Hi
    I know the bridge-group have to be identical to the sub interface number and vlan number
    This is true for all other vlans except for native vlan. For native vlan sub-interfaces bridge group number always should be 1. In your case, if vlan 50 is the native vlan (192.168.2.x/24 belong vlan) then configure bridge-group 1 under those .50 sub-interfaces. Then everything should work :)
    It is ideal if you could put AP management (BVI IP) into separate vlan & two user groups put vlan 50 & 51. Here is a sample configuration where vlan 110 is Mgmt & vlan 12,13 for user vlans.
    http://mrncciew.com/2012/10/24/multiple-ssid-config-on-autonomous-ap/
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • 3850 WLC - 5760 Anchor: Multiple Guest SSIDs issue

    Hi,
    I have configured a 3850 Foreign WLC and a 5760 as anchor WLC in a DMZ behind an ASA FW. The Anchor Controller is configured to advertise 3 GUEST Wireless:
    (INSIDE) ---- ASA FW (guest in interface) -------------------------- (Te1/0/1) 5760 ANCHOR (Te1/0/2) -------------------- L3 Link-------------------- (guest out interface) ASA FW ---- (OUTSIDE)
    GUEST1: 10.9.65.0/24 – VLAN 11
    GUEST2: 10.9.66.0/24 – VLAN 12
    GUEST3: 10.9.67.0/24 – VLAN 13
    Management VLAN 1: 10.8.252.1 (Anchor Management VLAN – Mobility)
    The link between the WLC and the Guest OUT Interface on the ASA Firewall is a L3 Link, NOT a Trunk.
    The 5760 WLC is also a DHCP server for the three client VLANs above. I have also configured 3 SVIs as default gateways for these VLANs:
    Interface vlan 11 – 10.9.65.1
    Interface vlan 12 – 10.9.66.1
    Interface vlan 13 – 10.9.67.1
    wgh-anchorwlc5760-primary#show ip interface brief
    Interface              IP-Address      OK? Method Status                Protocol
    Vlan1                  10.8.252.1      YES NVRAM  up                    up
    Vlan11                 10.9.65.1       YES manual up                    up
    Vlan12                 10.9.66.1       YES manual up                    up
    Vlan13                 10.9.67.1       YES manual up                    up
    GigabitEthernet0/0     10.8.252.85     YES NVRAM  down                  down
    Te1/0/1                unassigned      YES unset  up                    up
    Te1/0/2                10.8.253.1      YES NVRAM  up                    up
    Capwap0                unassigned      YES unset  up                    up
    If a client connects to GUEST1 SSID it gets an IP address in VLAN 11 and its default gateway is 10.9.65.1.
    If a client connects to GUEST2 SSID it gets an IP address in VLAN 12 and its default gateway is 10.9.66.1.
    If a client connects to GUEST3 SSID it gets an IP address in VLAN 13 and its default gateway is 10.9.67.1.
    Mobility is UP and I can see clients connected to the Anchor WLC either in IPLEARN or WEBAUTH_PEND state. DHCP is working fine, clients get an IP and the right default gateway and DNS servers when connect, for example, to GUEST1.
    anchorwlc5760-primary#show wireless client summary
    Number of Local Clients : 3
    MAC Address    AP Name                          WLAN State              Protocol
    04f7.e482.b21c N/A                              2    IPLEARN            Mobile
    bc3e.6d32.17f6 N/A                              2    IPLEARN            Mobile
    a826.d5b3.5ae8 N/A                              2    WEBAUTH_PEND       Mobile
    However, they are not able to ping the default gateway – SVI VLAN 11: 10.9.65.1, so I can not see any traffic leaving the Anchor WLC to continue with the Web Authentication Process (cwa) using ISE. I can see that the authorization policy (“unkown” and the URL to ISE) has been pushed to the clients but I am not redirected to ISE Web Authentication Portal when I open my web browser. I have done some captures on the FW interfaces but I cannot see any traffic coming from the clients.
    I know that usually there is a Trunk (that allows client VLANs) between a WLC and L3 Switch when you configure multiples SSIDs and then configure the SVIs on the L3 Switch. However, I think this design with a L3 Link should work too because 5760 is a WLC+L3Switch.
    My question is: Why clients are not able to ping their default gateway?
    I hope it makes sense.
    I appreciate any thoughts and help. Thanks in advance.
    Joana.

    Hi,
    I couldn't get it working (I doubt if it is really possible). I had to add a switch between the 5760 Anchor Controller and the ASA Firewall:
    (INSIDE) ---- ASA FW (guest in interface) -------------------------- (Te1/0/1) 5760 ANCHOR (Te1/0/2) -------------------- SWITCH-------------------- (guest out interface) ASA FW ---- (OUTSIDE)
    The link between the 5760 and the Switch is configured as a Trunk and it allows the 3 Guest SSIDs (VLANs). The link between the Switch and the ASA FW is configured as a Layer 3 link. I also set up the default gateways for the 3 GUEST VLANs in the Switch (3 vlan interfaces) and the 5760 as DHCP Server.
    I hope it helps.
    Joana.

  • Web redirecting issue when users reconnect guest ssid

    We are facing new issue on our controller for Guest SSID. This SSID used for Guest users and it is web base redirected to Aruba CPPM. First time web page redirects to controller virtual IP address and then Aruba CCPM.
    The scenario is as below
    - The user fills the form and gets redirected to a page where there is a login button which is grayed out till the sponsor approves the mail.
    -Once the sponsorer approves the mail, the login is highlighted and user connects to internet. 
    -Issue occurs when the user disconnects and connects to the SSID and tries to login again. There the user is redirected to controller management IP not on virtual IP.
    Controller Make Model:-5508
    IOS Version:- 7.5.102.0

    Well... you should upgrade to v7.6.110.0 as that code is deferred.  I don't know how you have your WLAN setup, is it use open and your using a pre-auth ACL?  Have you also posted in the AirHeads forum for suggestion?
    Post your show wlan <wlan ID>

  • WAP200 repeater issue with 2nd SSID

    I have a WAP200 AP configured with 2 SSID's.  The AP is configured to allow the use of repeaters and i have 2 other WAP200's acting as repeaters for each SSID.  The WAP200 repeater i have configured to repeat the signal for the 1st SSID works perfectly but i cannot pick up an IP address from the WAP200 repeater on the 2nd SSID and receive an error stating that there is limited connectivity.
    I have checked the configs on the repeaters and they are the same for their respective SSID's. Both repeaters were configured using the site survey option and the AP is configured with the repeaters SSID mac address, not its physical address. I have reset the 2nd repeater and re-configured it twice incase i missed something but still the same issue.  As soon as i switch off the 2nd repeater i am instantly connected to the 2nd SSID network albeit with reduced signal strength from the AP.
    Is there a limitation with the WAP200 that only allows the first SSID to be repeated?

    Hi Peter,
    Which firmware version are you using on the SRP547?
    If you haven't done so already, please grab the latest version from www.cisco.com/go/srp500.
    Andy

  • Clients not receiving DHCP IP address from HREAP centrally Switched Guest SSID

    Hi All,
    I am facing a problem in a newly deployed branch site where the Clients are not receiving DHCP IP address from a centrally switched Guest SSID. I see the client status is associated but the policy manager state is in DHCP_REQD.
    The dhcp pool is configured on the controller itself. The local guest clients are able to get DHCP and all works fine, the issue is only with the clients in the remote site. The Hreap APs are in connected mode. Could you please suggest what could be the problem. Below is the out of the debug client.
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Adding mobile on LWAPP AP 3c:ce:73:6d:37:00(1)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Reassociation received from mobile on AP 3c:ce:73:6d:37:00
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Changing ACL 'Guest-ACL' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1393)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Applying site-specific IPv6 override for station 10:40:f3:91:7e:24 - vapId 17, site 'APG-MONZA', interface 'vlan_81'
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1393)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Applying IPv6 Interface Policy for station 10:40:f3:91:7e:24 - vlan 81, interface id 13, interface 'vlan_81'
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Applying site-specific override for station 10:40:f3:91:7e:24 - vapId 17, site 'APG-MONZA', interface 'vlan_81'
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1393)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Initializing policy
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 3c:ce:73:6d:37:00 vapId 17 apVapId 1
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 apfMsAssoStateInc
    *apfMsConnTask_3: May 24 13:26:49.373: 10:40:f3:91:7e:24 apfPemAddUser2 (apf_policy.c:222) Changing state for mobile 10:40:f3:91:7e:24 on AP 3c:ce:73:6d:37:00 from Idle to Associated
    *apfMsConnTask_3: May 24 13:26:49.373: 10:40:f3:91:7e:24 Scheduling deletion of Mobile Station:  (callerId: 49) in 28800 seconds
    *apfMsConnTask_3: May 24 13:26:49.373: 10:40:f3:91:7e:24 Sending Assoc Response to station on BSSID 3c:ce:73:6d:37:00 (status 0) ApVapId 1 Slot 1
    *apfMsConnTask_3: May 24 13:26:49.373: 10:40:f3:91:7e:24 apfProcessAssocReq (apf_80211.c:4672) Changing state for mobile 10:40:f3:91:7e:24 on AP 3c:ce:73:6d:37:00 from Associated to Associated
    *apfReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    *apfReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4183, Adding TMP rule
    *apfReceiveTask: May 24 11:35:53.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 3c:ce:73:6d:37:00, slot 1, interface = 13, QOS = 3
      ACL Id = 255, Jumbo F
    *apfReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 7006  IPv6 Vlan = 81, IPv6 intf id = 13
    *apfReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
    *pemReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *pemReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 Sent an XID frame
    *apfMsConnTask_3: May 24 13:26:49.401: 10:40:f3:91:7e:24 Updating AID for REAP AP Client 3c:ce:73:6d:37:00 - AID ===> 1
    *apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout
    *apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
    *apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 Scheduling deletion of Mobile Station:  (callerId: 12) in 10 seconds
    *osapiBsnTimer: May 24 13:28:59.315: 10:40:f3:91:7e:24 apfMsExpireCallback (apf_ms.c:599) Expiring Mobile!
    *apfReceiveTask: May 24 13:28:59.315: 10:40:f3:91:7e:24 apfMsExpireMobileStation (apf_ms.c:4897) Changing state for mobile 10:40:f3:91:7e:24 on AP 3c:ce:73:6d:37:00 from Associated to Disassociated
    *apfReceiveTask: May 24 13:28:59.315: 10:40:f3:91:7e:24 Scheduling deletion of Mobile Station:  (callerId: 45) in 10 seconds
    *osapiBsnTimer: May 24 13:29:09.315: 10:40:f3:91:7e:24 apfMsExpireCallback (apf_ms.c:599) Expiring Mobile!
    *apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 Sent Deauthenticate to mobile on BSSID 3c:ce:73:6d:37:00 slot 1(caller apf_ms.c:4981)
    *apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 apfMsAssoStateDec
    *apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 apfMsExpireMobileStation (apf_ms.c:5018) Changing state for mobile 10:40:f3:91:7e:24 on AP 3c:ce:73:6d:37:00 from Disassociated to Idle
    *apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [3c:ce:73:6d:37:00]
    *apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 Deleting mobile on AP 3c:ce:73:6d:37:00(1)
    *pemReceiveTask: May 24 13:29:09.317: 10:40:f3:91:7e:24 0.0.0.0 Removed NPU entry.

    #does the client at the remote site roams between AP that connects to different WLC?
    #type 9 is not good.
    *pemReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    #Does your dhcp server getting hits.
    #Also, get debug dhcp message & packet.
    #Dhcp server is not responding.
    *apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout
    *apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.

  • E4200 Guest SSID Login page fails

    Config:
    Netgear ProSafe Gigabit Router is my DHCP Server -- The entire home net work is on the same subnet (192.168.15.xxx)
    Linksys E4200 configured as an access point ONLY -- wired connection -- static IP assigned -- DHCP server turned off
    Linksys WRT610N configured as an access point ONLY  -- wired connection -- static IP assigned -- DHCP server turned off
    3 -- 5 port gigabit switches
    1 -- 8 port gigabit switch
    No more than two switches between any two wired devices
    Both Linksys access points have the same SSID and WPA2 security phrase -- total of 4 radios
    Nonoverlapping channels are selected on both the 2.4Ghz and 5.0Ghz radio to minimize interference
    All computers are running Windows 7 Professional 64bit with all the latest updates
    Two iPhones and one iPad also access the network
    All LAN and WAN connectivity is working as designed
    Problem:
    guest SSID is turned on
    password is established
    All devices will connect to the guest SSID and the E4200 is assigning an ip address to the device in the 192.168.33.xxx range which is what it's supposed to do.
    When I open a web browser, I am not automatically redirected to the Cisco Login Page. If I enter 192.168.33.1 as the URL, the login screen is presented. I enter the password I have created in the guest admin page on the wireless guest tab.  I then see a blank page and a URL of 192.168.33.1/guestnetwork.asp. THIS IS WHERE I GET STUCK. THE ONLY WAY TO EVER SEE THE LOGIN PAGE AGAIN IS TO REBOOT THE E4200, otherwise you just get unable to connect messages when opening web browsers and the wireless status icon in the system tray shows a yellow exclamation mark.
    I successfully connect to the guest SSID but I do not get access to the internet. When I type ipconfig, I see that the DNS is set to 192.168.33.1 which does not exist on my network. I assume there's some internal NAT magic that is supposed to happen in the E4200 to bridge me over to my 192.168.15.xxx network but it doesn't seem to be happening.
    At the beginning of the call I specifically asked them if the E4200 must be the DHCP server in order for the guest SSID feature to work and they said no. 1.5 hours later they had no answers so they told me that it wasn't working because the E4200 was not the DHCP server. The documentation says nothing about a DHCP requirement for guest AP service. Linksys support further could not answer what you would do if you needed more than one AP with guest service enabled.
    It seems like this is a firmware issue but it may be the guest SSID service requires the E4200 to also act as the DHCP server. Can anyone shed any light on whether this is a bug or if the router/AP is working as designed?
    Thanks,
    (Mod note: Edited for guideline compliance.)

    Yes the E4200 must have DHCP turned on in order to pass out IP's to your Guest Network.  No DHCP, no Guest Network.

  • Web-redirect to external radius not wokring on some browsers for Guest SSID

    Hi,
    We are using Cisco 5760 with 3.7, and the guest SSID doesn't perform web-redirect to external radius (cisco NAC appliance), for some browsers. Although the same works on Cisco 5508 and 4402 WLC with the same NAC appliance for all browsers.
    working browsers: IE9.0 and IE 11.0
    Non-working: Chrome all versions, Firefox all versions, Safari all versions.
    Can anyone provide some help if they have seen  this issue before.?

    You need to check the compatibility guide of Cisco WLC and check if those browsers are supported or not.

  • Guest SSIDs

    I am planning to add a guest SSID to my wireless network. I currently have AP-1231g access points configured as wpa using private certificates and a RADIUS server for authentication. I have added the guest SSID and created a vlan for it. What I am trying to figure out is the best solution for DHCP. Currently my private network uses a Microsoft server for dhcp. Unfortunately I cannot re-number my LAN to carve out a subnet for my guest users. I do not want them to be able to browse my internal network nor do I wish to enter static addresses for them. My edge firewall is a Cisco ASA5550 and I have an open port there. Would it be possible to enable dhcp on that interface and assign it to the same vlan as the guest SSID? Would I encounter issues with the access points and two different dhcp servers?

    I have successfully configured the interface on the ASA for dhcp. When I connect directly to the interface I receive an ip address. I created a vlan on the 3500XL switch the access point is plugged into and made sure the SSID is associated with this vlan. I do not receive an ip address when I connect to the SSID. I suspect this is because I cannot figure out how to apply an ip helper address to the vlan I created on the 3500XL switch. The ports between the switches have been configured as trunk ports. I tried using the ip redirect on the access point itself but that failed as well. Any suggestions?

  • How do I change SSID setting? Getting message "using network with default ssid'

    Getting message "using network with default ssid'

    First, let's address the biggest issue, the version of Firefox you are using is extremely old, out of date and insecure. Please update to Firefox 33 ASAP ([[Update Firefox to the latest version]])
    After that, please give a bit more context on what exactly is going on. Keep in mind this is a Firefox support forum, we can't help you with Windows settings or setting up wireless networks.

  • WAP321 - Guest SSID not working

                       I have a WAP321 with 2 SSID's.  One is for local access and another for guest.  The WAP connects to a 3550 and it's port is set to
    description Cisco Wireless
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 1,20
    switchport mode trunk
    no ip address
    spanning-tree portfast
         My ASA 5505 is set with both VLANs and I'm using DHCP to dishout the guest IP.  MyWAP has both networks setup. VAP 0 is setup for VLAN 1 and VAP 1 is for VLAN 20.  Both are enabled.
    When connecting to my local wireless, I have no problem getting local access and Internet connection.  When I connect to Guest I get an IP from my ASA's DHCP, but I cannot ping my gateway, which is my ASA.  I know my guest VLAN is ok, because if I put a port on that VLAN, I can connect to the Internet.
    When I do packet captures from the WAP (Administration-Packet Capture), I can't see any ICMP attempts either from the eth0 or VAP 1.  When I capture my machines wireless interface I see ICMP attempts with no reposnds.  It makes me think I missed something in the WAP321 setup.
    Any ideas where to check?

    Hi, My name is Eric Moyers. I am a Network Support Engineer in the Cisco Small Business Support Center. Thank you for using the Cisco Community Post Forums.
    While what I am fixing to share is not in any way a great solution, It can be utilized as a workaround.
    With the WAP321, after trying a few different scenarios that didn’t work. I simply created two vlans, left the Untagged vlan as main vlan and changed the Management vlan to the second. I then attached the guest SSID to the Management VLAN. This allowed me to authenticate to my guest captive portal and get an IP and get out to the internet. The Main SSID still worked normally.
    Now for some caveats:
    Problem: If a wireless client knows the IP of the WAP and the username and password they could get into the WAP.
    Solution: Setup Management Access Control to an IP outside the DHCP scope for that VLAN and have a Strong Password.
    Problem: Management of the WAP321 can only be from an IP on the Management VLAN. (In my case 2)
    Solution: Setup Management Access Control to an IP outside the DHCP scope for that VLAN and have a Strong Password.
    Not the very best solution, but the only workaround I can come up with for now.
    Thanks
    Eric Moyers    .:|:.:|:.
    Cisco Small Business US STAC Advanced Support Engineer
    Wireless Subject Matter Expert
    CCNA, CCNA-Wireless
    866-606-1866
    Mon - Fri 09:30 - 18:30 (UTC - 05:00)
    *Please rate the Post so other will know when an answer has been found.

Maybe you are looking for