Cisco :: 2504 WLC / 1142 APs - Guest And Secure Network
Nov 19, 2012
I have a 2504 WLC and x6 1142 AP's and currently have this working on our corporate network (still in test phase). So far so good and looking at authentication via RADIUS next for this.
We have a separate ADSL connection that is external to the corporate network and what I would like to do is based on SSID (in this case I'll use "Guest Access") I would like any clients etc. that visit to be able to connect to our wireless but not be able to connect to our corporate network.
View 4 Replies
Jan 21, 2013
I have a 2504 WLC with a 1042 AP and I have it placed on my edge Cisco 3750 switch. I have the management interface of the WLC set on my WAN IP 71.x.x.x subnet range, and I have the WLC doing DHCP duties with a DHCP scope of 192.168.X.0. I have my DNS servers set on external DNS servers out on the Internet. I have two Cisco 3845 Routers on my edge network - one for each ISP with BGP protocol.
Since my native VLAN is 71.x.x.x, I added a sub interface on my main core router and gave it a 192.168.x.1 255.255.255.0 address for the gateway. Also, I added ip prefix-list iBGP seq 10 permit 192.168.x.0/24 le 32 to my main core router. On my secondary ISP router I added ip prefix-list iBGP seq 10 permit 192.168.X.0/24 le 32, and ip prefix-list OUT seq 10 permit 192.168.x.0/24 statements.
I added VLAN 10 to my edge switch and gave it IP 192.168.x.2 255.255.255.0, and the switchports that my core router and my WLC are connected to the edge switch, are in trunk mode with encapsulation dot1q 10. The switchport on my edge switch that the AP is connected to is in switchport access mode.
I can connect to the wifi with a 192.168.x.x IP address on my laptop, but I cannot get any Internet access. Is it possible to have the DHCP scope be in a different subnet than my WAN IP subnet, and allow guests to get to the external Internet only? Do I need to put the WLC somewhere internal on my network i.e. the DMZ and then tunnel the traffic out to the Internet with no Internal network access?
View 5 Replies
Nov 2, 2012
I just installed my EA4500 router and it was amazingly simple. My only question is it shows two wireless connections available: the secured one I set up and another network with the same name that says "guest" and is NOT secured. Is there a way to either disable the unsecured guest network or to secure the guest network?
View 2 Replies
Jan 28, 2013
I recently got my Cisco wireless system working a few days ago and am back with a guest network. Our wireless system includes one 2504 controller and 2 2602i access points. So, I want a wireless guest network completely isolated from the LAN.
Here is what I have done.
I have created a new internal network and assigned 192.168.2.1 to an unused port on the firewall and 2.2 to a new controller interface with vlan 10. I can ping both 2.1 and 2.2 from the firewall and the controller. Basic network connectivity is working. The DHCP server is setup on this same firewall and configured only for this port. This address is referenced in the controllers interface.
A new WLAN was set up and enabled. The proper interface group was selected on the WLAN. I have left the default layer2 security.
As far as AAA servers tab in this wlan, this is where I am a little confused. I wish to just have a single log in for this guest network. I wasn't sure what to do so I went over to the Security tab and created a "local net users" account. I do not know how to reference the use of this under wlan, security, aaa servers. Should I check the box that says "local eap authentication"?? If so, I don't have a profile name in the drop down. What I'm looking for is the username/password to be stored locally on the controller itself since there will be only 1 account.
Under wlan, advanced tab, I do not have "Allow AAA override" checked. Should I?
Lastly, when I try to connect the client, it is not pulling a DHCP address. I wasn't sure if authentication was required before DHCP or the other way around so I'm not sure what to troubleshoot first, authentication or DHCP.
View 8 Replies
Jan 27, 2013
I have a Cisco Aironet 1240AG Access Point and I am trying to setup a guest network that is secure and limited in bandwidth utilization. I see an option under security > SSID Manager on the web interface to select an interface of Radio0-802.11G, Radio1-802.11A or both. Can I put the guest network on the Radio1-802.11A and make it more secure/bandwidth limited or does this option not matter?
View 3 Replies
Mar 16, 2013
I have installed/set up a Cisco 2504 wireless controller and 3 Aironet 1142 access points using the basic config on a Windows SBS 2008 domain. The problem is that the clients that are connected to the 2504 aren't getting their IP address from the AD but from the wireless controller, and they can't reach the clients on wifi from the clients that are connected to LAN. Is there any way that I can change this so that a client on LAN can see the client on WLAN and vice versa?
View 5 Replies
Apr 7, 2013
Is there any way to configure a wired guest network with a combination of 5508 and 2504 wireless controllers? I am aware that the 2504 does not have wired guest functionality, however is it possible to set up a wired guest on the 5508 and using mobility anchors, transmit the l2 information through eoip to communicate with the remote vlan? Home built NAC solution, using 802.1x authentication on switchports for public areas. If user is an employee, communicates with the supplicant on their machine, and places them on an internal vlan. If user is a guest, user fails 802.1x check and is placed on a "guest" vlan with an ACL and external DNS. If placed on the guest vlan, the user has to accept a terms of use form. This is working currently with our 5508s without any issue, however we have some remote offices we'd like to roll this out to that are using 2504 controllers. I'm hoping there's a way that I can use the 5508 as an anchor or vice versa to make this work.
View 1 Replies
Jul 18, 2012
I have a strange situation on my guest wireless LAN. The guest WLAN is configured as an SSID "GUEST" on Cisco 1142 lightweight APs, with WiSM controller and WLC software version 7.0.230.0.
For simple Internet access using this SSID, we have a web policy, which causes a web page to be displayed when the user opens his/her browser, and on this web page, the user must click on an "Accept" button in order to accept the terms and conditions of use. Once the user accepts, the browser will then go to the web site which the user wishes to open. When using this mode of access, everything is fine.
However, there is also a pre-authentication ACL, which allows certain types of VPN traffic to reach the Internet without the user being required to accept terms and conditions. The ACL allows ESP, IKE (UDP/500), IKE over UDP (UDP/4500), DNS, HTTPS/SSL (TCP/443), DHCP client and server (UDP/67,68). The pre-auth ACL actually works as intended; and the ACL traffic is NOT allowed when the ACL is removed. This is exactly as it should be.
However, when using, for example, a VPN client such as the Cisco VPN client, or the Cisco AnyConnect client, via this guest SSID without user acceptance, the WLAN regularly and predictably stops passing traffic. This is 100% repeatable and predictable; it happens every 300 seconds, or possibly slightly longer. I have only used my PC clock to time it so the timing isn't all that accurate but I'm sure it's within a few seconds.
Given that the problem happens at the same time interval and is constant, I guessed there must be some configuration item which needs to be altered, but I've looked extensively at the controller GUI (we actually use WCS here) and I can't see anything that looks even remotely related to this.
View 5 Replies
Apr 2, 2012
I have a requirement to set up a guest SSID for contractors so that they can use the internet while in the office.
Security say that all traffic on this SSID should be isolated and directed straight to the firewall, with no chance of contamination into the company network infrastructure.
With the 5508, my understanding is using the setting up a guest account functionality built in will achieve this, but all traffic would end up at the wireless controller. How do I then put a direct forward for all traffic to the firewall which will only affect the guest traffic?
View 7 Replies
Jan 10, 2013
I installed a WLAN with a WLC 2504 and 1140 APs. My network is configured the following way. 10.10.X.X/8. Port 1 on my WLC has the following interfaces: management with the IP address 10.10.X.5 and the virtual interface. I have one secure SSID on the management interface. DHCP is done on my Sonicwall firewall. I was advised to create a second interface called AP-Manager and I have the following questions:
1. Do I create a new port or do I create the AP-Manager interface on the same port as my other interfaces?
2. Once I create the new interface of AP-Manager, will my APs migrate over to this interface?
3. Do I need to create the AP-Manager interface or leave all my AP's on the management interface?
4. Second, do I need to create a services interface and if yes, on port 1?
I also need to create a guest network that would have the IP scheme of 172.16.X.X and have the guest authenticated by level 3 web authentication.
1. Do I create my guest interface on port 1 or create a new port?
2. Do I need to point my DNS of the interface to the virtual interface?
View 3 Replies
Nov 28, 2012
Can I set up a guest wifi connection on my Cisco WLC 2504 if I already have WLANs set up inside my corporate network? I want to use port 4 and connect it directly to my ISP so that it is outside of the corporate network. I set up an interface with a valid IP from the ISP and created a "Contractor" WLAN to use that interface.
View 6 Replies
Jun 4, 2012
I have setup guest access on the controller and this is not working at the moment.
DHCP server setup on the controller for the Guest users.
You are able to connect (get ip address from controller) and the browser gets redirected to 1.1.1.1 but then page can not be displayed instead of the login page.
View 2 Replies
Nov 13, 2011
Purchased E4200 this week and did simple setup via CD setup (Cisco Connect). Set up main name and password. Cisco Connect assigned "-guest" to end of main name for the guest account. Gave guest account its own password. Both main and guest accounts were broadcasting OK -- but guest account was not secure and could be accessed without password. (All software and firmware upgrades were done during initial setup). Reset the E4200 and restarted things from the CD setup. Created main account, main account password, and guest password again. In advanced settings, left basic wireless settings at initial settings, changed wireless security to WPA2 Personal. Still having the guest account being broadcast in unlocked status. (Have turned off guest access for now until I can get password protection for it).
View 1 Replies
Sep 19, 2012
Can't we create a guest user login with more than 30 days lifetime? In the lifetime field we can enter maximum 99 but it only allows up to 30.
View 5 Replies
Apr 3, 2012
I have 2 APs, Cisco Aironet 1040, and 2504 WLC. Is it possible to configure guest access (Guest SSID/VLAN and Corporative SSID/VLAN) without dedicated guest WLC in DMZ?
View 4 Replies
May 7, 2013
I have a Cisco WLC 2504 that is deploying authentication services to guest users toward a customized and configured web portal. I need to install my VeriSign certificate (certificate.cer) into the Cisco WLC because my users don't like the page not being trusted (the WLC is showing me "There is a problem with this website's security certificate") when they are trying to access the SSID for guest users.
View 2 Replies
Feb 23, 2013
I recently setup a 2504 WLC that has two primary WLANs (internal and guest) which get their IP addresses from a central DHCP server using the local router's broadcast forwarding. Things seem to be working well for the internal wlan, but clients on the guest wlan don't seem to be getting IP addresses. If I give the client a static IP they are able to communicate across the wlan okay.
It is worth noting that I am using LAG between the controller and router and this guest wlan is really just a regular wlan (with PSK) that has an access-list applied to force it to the internet only. The access-list should be allowing dhcp requests through, but in any case, I removed the access-list and it made no difference.
Here is a debug client for a machine connected to the guest vlan (vlan 33). The internal wlan is on the 10.10.10.0/24 network (same as wired and same that the AP's are connected to) and the guest wlan is 10.33.0.0/16. I don't understand why I am seeing the dhcp request come from the internal vlan/ wlan first and it gets an IP address on this network. I then see a request on the guest wlan/vlan at which point it appears to get a valid IP address on the guest network (10.33.0.0), but the client never sees this. [code]
View 4 Replies
Jan 17, 2013
My customer needs to create separate web portals for some SSIDs (Guest and Staff): 01 web portal for Guest and 01 web portal for Staff. Can the WLC 2504 support this feature?
View 2 Replies
Sep 19, 2012
My customer has multiple sites, each with a 2504 WLC. A data center with a 5508 in the DMZ acting as Anchor for the remote sites. ACS 5.x and NCS Prime. All guest users will egress to the internet via a VLAN in the DMZ. Authentication is currently web-auth on the Anchor, but will move to NCS once that is fully deployed.
Is it possible to put a printer in each site for Guest WLAN users to use?
View 3 Replies
Dec 31, 2011
Having just installed the E1000, why have I got a public network address '####' which is security type WPA2-PSK and also public network address '#### - Guest' which is security type - unsecured. Anyone can log onto either wireless network connection but only with the correct password. How do I remove the '####' address and also how do I make the '#### - Guest' address a secure one?
View 1 Replies
May 2, 2012
We are deploying 3600 AP's with a 2504 and would like to create multiple SSIDs that are mapped to unique VLANs so we can control the traffic at the firewall. We have the 2504 up and running with AP's but there appears to be nowhere in the 2504 controller Web GUI to configure a VLAN mapping to an SSID. Any pointers to documentation on how to configure?
View 1 Replies
Oct 17, 2012
Any problems with the guest network on the EA4500 with the cloud firmware? I am losing guest clients after about 24 hours and the re-authentication fails. You enter the guest password and nothing happens until you reboot the router.
View 2 Replies
Jun 10, 2013
I would like to setup a 2504 to have one Guest WLAN and one Staff WLAN with a controller port for each WLAN connected to different devices.
I would prefer to connect the WLC Guest port to an ASA 5510 and the WLC Staff port to an internal 2960S switch. Will this work? I haven't setup a 2500 series controller previously.
View 4 Replies
Apr 18, 2012
I've noticed that I've had to prime a lot of the 1142 devices. When attached to the network they do not seem to find the controller. The subnet has the scope option and I have other 1142s working but recent APs seem to not work unless primed.
View 3 Replies
Jul 12, 2011
When setting up my e1000 router for a secure domain it automatically opened a non secure one that my neighbors are using. How can I cancel it?
View 2 Replies
Oct 10, 2011
I have been involved in the networking of a museum with a set of "Show" computers which display video, and for this reason cannot have anti virus installed because of the performance hit, and also the risk of pop-ups on the videos. They do however need to be connected to the internet as some are interactive and allow people to send simple emails, and they all need to allow remote support when things go wrong. It seems the networking was not thought out very well initially, and there is a single wireless router which serves the staff and public on a secured wireless network, but also serves the "Show" machines via a wired connection from one of its ports, which then connects to a master switch which serves the show machines. Now the wired and wireless is on the same network, and everything shares the same IP subnet (192.168.1.xxx), and this is not a good situation in terms of the security of the show machines on the wired network. So I need to work out a way to totally separate the wireless network (which will be very prone to people opening viruses in their emails etc), from the wired network (which will be the show machines which won't be touched by anyone).
I want to achieve this in the simplest and easiest way, and have been reading about the possibility of setting up a second wired router behind the current wireless one, with a different subnet IP address, to which the "Show" machines could be connected. The WAN port on this second router would connect to a LAN port on the wireless router, and thus the show machines could get their internet, but separated from the dangerous wireless network. Does this sound like a sensible start? Will the fact that the wired router (and show machines) are on a completely different subnet to the wireless router (and wireless devices), mean that the wired network will be protected? Or do I need to do more? And is this likely to work?
View 3 Replies
Apr 16, 2013
I have an iPad 4 (6.1.3) that won't connect to our Cisco 1142 APs. Full Cisco network; 3560 POE switches on edge and Cisco 6509 at the core. At first we looked at it as a wireless issue. No settings changes on the APs would allow the iPad to connect. About 125 other iPads of various models worked fine. Took the offending iPad to McDonalds and it connects fine. Took the offending iPad to another school in our District and it connected and worked fine. Went back to the home school, still won't connect. Contacted Apple since iPad was under warranty, sent it to them and they ran diagnostics and it is fine. Is there any way that the core switch is blocking the iPad client?
View 1 Replies
Feb 1, 2012
We have recently acquired a remote location which has a pre-existing flat network (172.16.X.X/16). Before we are able to convert them over to our new IP scheme, they have a need to have wireless connectivity on site. We have 4 1142's which I need to configure for them. I have experience configuring WLC's and autonomous AP's for networks with multiple vlans but have never configured AP's for a flat, single subnet network. I need to configure them for either guest access (internet only) or corporate access to network resources with radius authentication. Do I configure a native vlan as I would for a typical multi vlan network? Do I configure the switch port as an access port as opposed to a trunk because of the lack of layer 3? I basically need a sample configuration for this situation.
View 1 Replies
Mar 18, 2013
I have been encountering a problem with a new installation at my client's side recently. We have a 5508 WLC and a bunch of LAPs connected to it. Recently we associated a 1142 AP to the same controller. The issue we are facing is that the client laptops that are connected to THIS AP are showing a maximum of only 54 Mbps in their network information dialogue box. Initially I couldn't understand why this could happen. But after a bit of research, I came to know that this could happen because of "unticked" data rates in the controller, or because of not using WPA2 with AES as the security standard for N-series access points. Now I have enabled all data rates in the High Throughput section as well as enabled the correct encryption standard. But still the issue persists. We have checked with multiple laptops, to rule out the possibility of a faulty n/w card.
View 3 Replies
Mar 16, 2013
I want to know how I can secure the network. I would like to know a complete schema of the infrastructure, in other words, how to build a network with 4 vlans, firewall? One vlan will be for admin area personnel, another vlan will be for wifi access secured with a password (not everybody will have access to it), and the other vlan will be for a small staff of at least 20 people. What will be the proper way to build the topology from this hardware that I have shown or with new hardware? If it is other hardware, what can I use to secure it with vlans? This is a small office branch network that, as you can see, has one switch on the floor.
View 2 Replies
Dec 21, 2012
I just got a Netgear wireless but how do I set up a secure network, user name & password?
View 1 Replies
Apr 26, 2011
I was just wondering what the best way to secure my network would be. I was reading this article then the comments from others were saying that most of that info is laughable and really no good besides creating a password or encryption key. I have in the past had my wireless router set to not broadcast the SSID as well me creating my own SSID so it's not just Linksys or whatever and I had mac filtering enabled as well use WPA2 Personal and had a password. But I had some problems such as my Aunt's Laptop wouldn't connect unless I broadcasted the SSID and now my brother came back from Colorado and he said he never had any problems connecting to his friends Wireless network, I am assuming his friends was unsecured but here his Laptop won't stay connected unless I have an unsecured network so if I had it set to having a password it would connect but then disconnect after like 3 seconds but now it's staying connected but I have it completely unsecured. His drivers are completely updated from what I can tell.
His laptop is a Dell Inspiron 1500 series, not sure exactly at the moment but I think it's the e1505. It's like 4 years old; he got it in 2008, and when I was at Dell's website and typed in his service tag and found drivers, the newest wireless card driver was from 2008. Anyways my router is a Linksys WRTU54G-TM Wireless G router with 2 phone ports. Anyways my network would consist of 2 Desktop PCs, one running Windows 7 and 1 running XP, but both are right next to the router and are wired so nothing there. Then as for wireless there are 3 laptops at this time: my brother's Dell E1505 I think (it won't stay connected) and it runs Vista, my Dell Latitude C840 running XP (no problems) and an Acer Extensa 4420 running XP (also no problems). Also my younger brother's friend comes over a lot and brings his laptop which is an HP something running XP (no problems). Also we have a PS3, a Wii, each have connected fine, and possibly my brother from Colorado's Xbox 360. Also my younger brother's friend also brings his PS3 over and has no problems. There are also 3 iPod touches, no problems either. We also have Ooma VOIP telephone service and that's just connected directly to the router.
View 1 Replies