Cisco :: 2504 WLC On Edge Network For Guest Wi-Fi?
Jan 21, 2013
I have a 2504 WLC with a 1042 AP and I have it placed on my edge Cisco 3750 switch. I have the management interface of the WLC set on my WAN IP 71.x.x.x subnet range, and I have the WLC doing DHCP duties with a DHCP scope of 192.168.X.0. I have my DNS servers set on external DNS servers out on the Internet.I have two Cisco 3845 Routers on my edge network - one for each ISP with BGP protocol.
Since my native VLAN is 71.x.x.x, I added a sub interface on my main core router and gave it a 192.168.x.1 255.255.255.0 address for the gateway. Also, I added ip prefix-list iBGP seq 10 permit 192.168.x.0/24 le 32 to my main core router. On my secondary ISP router I added ip prefix-list iBGP seq 10 permit 192.168.X.0/24 le 32, and ip prefix-list OUT seq 10 permit 192.168.x.0/24 statements.
I added VLAN 10 to my edge switch and gave it IP 192.168.x.2 255.255.255.0, and the switchports that my core router and my WLC are connected to the edge switch, are in trunk mode with encapsulation dot1q 10. The switchport on my edge switch that the AP is connected to is in switchport access mode.
I can connect to the wifi with a 192.168.x.x IP address on my laptop, but I cannot get any Internet access. Is it possible to have the DHCP scope be in a different subnet than my WAN IP subnet, and allow guests to get to the external Internet only? Do I need to put the WLC somewhere internal on my network i.e. the DMZ and then tunnel the traffic out to the Internet with no Internal network access?
I have a 2504 WLC and x6 1142 AP's and currently have this working on our corporate network (still in test phase). So far so good and looking at authentication via radius next for this.
We have a separate ADSL connection that is external to the corporate network and what i would like to do is based on SSID (in this case i'll use "Guest Access") i would like any clients etc that visit to be able to connect to our wireless but not be able to connect to our corporate network.
I recently got my Cisco wireless system working a few days ago and am back with a guest network. Our wireless system includes one 2504 controller and 2 2602i access points. So, I want a wireless guest network completely isolated from the LAN.
Here is what I have done.
I have created a new internal network and assigned 192.168.2.1 to an unused port on the firewall and 2.2 to a new controller interface with vlan 10. I can ping both 2.1 and 2.2 from the firewall and the controller. Basic network connectivity is working. The DHCP server is setup on this same firewall and configured only for this port. This address is referenced in the controllers interface.
A new w lan was setup and enabled. The proper interface group was selected on the w lan. I have left the default layer2 security.
As far as AAA servers tab in this wlan, this is where I am a little confused. I wish to just have a single log in for this guest network. I wasn't sure what to do so I went over to the Security tab and created a "local net users" account. I do not know how to reference the use of this under wlan, security, aaa servers. Should I check the box that says "local eap authentication"?? If so, I don't have a profile name in the drop down. What I'm looking for is the username/password to be stored locally on the controller itself since there will be only 1 account.
Under wlan, advanced tab, I do not have "Allow AAA override" checked. Should I?
Lastly, when I try to connect the client, it is not pulling a dhcp address. I wasn't sure if authentication was required before dhcp or the other way around so I'm not sure what to trouble shoot first, authentication or dhcp.
Is there any way to configure a wired guest network with a combination of 5508 and 2504 wireless controllers? I am aware that the 2504 does not have wired guest functionality, however is it possible to set up a wired guest on the 5508 and using mobility anchors, transmit the l2 information through eoip to communicate with the remote vlan?Home built NAC solution, using 802.1x authentication on switchports for public areas. If user is an employee, communicates with the supplicant on their machine, and places them on an internal vlan.If user is a guest, user fails 802.1x check and is placed on a "guest" vlan with an ACL and external DNS.If placed on the guest vlan, the user has to accept a terms of use form.This is working currently with our 5508s without any issue, however we have some remote offices we'd like to roll this out to that are using 2504 controllers. I'm hoping there's a way that I can use the 5508 as an anchor or vice versa to make this work.
I installed a WLAN with a WLC 2504 and 1140 APs. My network is configured the following way. 10.10.X.X/8. Port 1 on my WLC has the following interfaces management with the ip address 10.10.X.5 and the virtual interface. I have one secure SSID on the management interface. DHCP is done on my Sonicwall firewall. I was advised to create a second interface called AP-Manager and i have the following questions:
1. Do i create a new port or do I create the AP-Manager interface on the same port as my other interfaces?
2. Once i create the new interface of AP-Manager, will my APs migrate over to this interface?
3. Do i need to create the AP-Manager interface or leave all my AP's on the management interface?
4. Second do I need to create a services interface and if yes, on port 1?
I also need to create a guest network that would have the ip scheme of 172.16.X.X and have the guest authicated by level 3 web authication.
1. Do i create my guest interface on port1 or create a new port?
2. DO i need to point my DNS of the interface to the virtual interface.
Can I set up a guest wifi connection on my Cisco WLC 2504 if I already have WLANs set up inside my corporate network? I want to use port 4 and connect it directly to my ISP so that it is outside of the corporate network. I set up an interface with a valid IP from the ISP and created a "Contractor" WLAN to use that interface.
I have setup guest access on the controller and this is not working at the moment.
DHCP server setup on the controller for the Guest users.
You are able to connect (get ip address from controller) and the browser gets redirected to 1.1.1.1 but then page can not be displayed instead of the login page.
I have 2 APs, Cisco Aironet 1040, and 2504 WLC.Is it possible to configure guest access (Guest SSID/VLAN and Corporative SSID/VLAN) without dedicated guest WLC in DMZ?
I have a cisco wlc 2504 is deploying authentication services to guest users toward a portal web customized and configured. I need to install my certificate verisign (certificate.cer) in to cisco wlc because my users don't like the page no trusted (The wlc is showing me ''There is a problem with this website's security certificate'') when they are trying to access to ssid to users guests.
I have setup guest access on the controller and this is not working at the moment. DHCP server setup on the controller for the Guest users. You are able to connect (get ip address from controller) and the browser gets redirected to 1.1.1.1 but then page can not be displayed instead of the login page.
I recently setup a 2504 WLC that has two primary WLANs (internal and guest) which get their IP addresses from a central DHCP server using the local router's broadcast forwarding. Things seem to be working well for the internal wlan, but clients on the guest wlan don't seem to be getting IP addresses. If I give the client a static IP they are able to communicate across the wlan okay.
It is worth noting that I am using LAG between the controller and router and this guest wlan is really just a regular wlan (with PSK) that has an access-list applied to force it to the internet only. The access-list should be allowing dhcp requests through, but in any case, I removed the access-list and it made no difference.
Here is a debug client for a machine connected to the guest vlan (vlan 33). The internal wlan is on the 10.10.10.0/24 network (same as wired and same that the AP's are connected to) and the guest wlan is 10.33.0.0/16. I don't understand why I am seeing the dhcp request come from the internal vlan/ wlan first and it gets an IP address on this network. I then see a request on the guest wlan/vlan at which point it appears to get a valid IP address on the guest network (10.33.0.0), but the client never sees this. [code]
My customer need creates some separately web portal for some SSID (Guest and Staff), 01 web portal for Guest and 01 Web portal for Staff. Can WLC2504 can support this features ?
My customer has multiple sites, each with a 2504 WLC.A data center with a 5508 in the DMZ acting as Anchor for the remote sites.ACS 5.x and NCS Prime.All guest users will egress to the internet via a Vlan in the DMZ.Authentication is currently web-auth on the Anchor, but will move to NCS once that is fully deployed.
Is it possible to put a printer in each site for Guest WLAN users to use?
We are deploying 3600 AP's with a 2504 and would like to create multiple SSID's that are mapped to unique VLANs so we can control the traffic at the Firewall. We have the 2504 up and running with AP's but there appears to be no where in the 2504 controller Web GUI to configure a VLAN mapping to an SSID. Any pointers to documentation on how to configure?
Any problems with the guest network on the ea4500 with the cloud firmware? I am losing guest clients after about 24 hours and the re-authentication fails. you enter the guest password and nothing happens until you reboot the router.
I would like to setup a 2504 to have one Guest WLAN and one Staff WLAN with a controller port for each WLAN connected to different devices.
I would prefer to connect the WLC Guest port to an ASA 5510 and the WLC Staff port to an internal 2960S switch. Will this work? I haven't setup a 2500 series controller previously.
Region : Poland Model : TL-MR3220 Hardware Version : V1 Firmware Version : ISP : Bite
Router TL-MR3220 works well on 3G network, but is not works 2G (edge) network. 3G network is not suported in my location, only 2G. My modem is Huawei E 173. In location 2G network Router show: 3G/4G USB Modem: Unplugged.
What is the best way to monitor an Internet Edge router from the Internal network behind the Firewall?We want to pull more information from the edge router like netflow. We can use SNMPv3 and ACLs to keep the router secure.
But I am looking for the best config to keep both the router and firewall as secure as possible while still allowing us to monitor performance and faults.I am running an ASA and a 2821.
What's the least expensive way to enable Guest Network authentication in a network with WLC 4404 controllers and no WCS? Management would like guests to register with a valid email address and enter a 'password du jour' to keep unauthenticated users from chewing up bandwith with automatic connections.
Having an issue with a Cisco Linksys E1500 on a home network. The device has a feature to provide a guest wireless network but the guest network can't get to the internet. A wired connection is fine, as is the normal wireless network but not the guest. The cheesy thing is, that it doesn't list an option for what type of wireless security protocol you want on the guest network. I'm assuming that it uses the same security protocol that the normal wireless network uses, but who knowsEspecially weird is that it asks you what password you want on the guest network but then the guest network show to be insecure when you try to connectthought maybe it was something funky with some of my configurations so I went ahead and factory defaulted it and just set it up with an insecure network for both the normal and guest networks. This didn't solve it. The guest network still couldn't get to the internet. In fact, the guest network can't even ping the router.
I have two WLC 2504 controllers. These controllers are for two different buildings. But they share a VLAN, and network address range. How can I control the access points to the register selected only at a specific controller.
Example:
AP 1 -> WLC 1 AP 2 -> WLC 2 AP 3 -> WLC 1
Since the buildings also broadcast in different SSID. The two controllers are in a mobility group.
We are planning for a modest expansion of our wifi network. Here is what we currently have, and what we are doing:
-2 1100 B/G AP's; a "primary" and a repeater. Both have a single SSID.
-1 1142 B/G/N; autonomous, with a different SSID
What we would like to do:
-Purchase a 2504 WLC and two more AP. Looking at a 3602 simply for future growth, but are not sold on the idea of such an AP. Would consider two more 1142. At any rate, we are looking for two more AP.
-Still keep our current AP's in use.
-Is a 5 access point wifi network, all controlled by a 2504 feasible?
-Will our existing investment of older 1100's and the single 1142 play nice with eiither a pair of 3600 (or 3500 or even 1142)?
-Can we go to a single SSID using all of this equipment, and clients connect at whatever speed is possible with whatever AP they are joined with?
I am new in networking. All my knowledge is based on books and no real life experience.At my job I am required to set up the network and configure all apparatus I never worked,before with.We have regular cable internet in the office. Modem is connected to Apple router (time capsule). No trouble. Now we are getting fibre optic in the office. Mngmnt has abought the following Cisco:
Cisco Wireless Controller 2504 Cisco 3501 AP 802.11g/n Ctrlr based AP Cisco ASA 5510 Firewall appliance Cisco Power Injector AP3500 Series
i must configure a secured wireless network with access restriction based on SSID. the equipements are : cisco wlc 2504 (soft 7.3) cisco secure acs aplliance 1121 (soft 5.4) . the users that will connect to the network are regrouped by identity groups, each identity group having it's own SSID. Clearly each group of users must access only one SSID. i followed the procedure below to configure it:
-- creating user identity groups;
-- creating users and assigning them to the groups;
--- creating authorization profiles for each SSID under policy element/ authorization and permission/network access/authorization profiles and putting the Airespace-Wlan-Id(the SSID number) in the radius tab.
--- assigning the authorization profiles to the identity groups under access policies.
after all these config the users can access the network using there userid/password configured. But the problem is Every user can access every SSID, seems like the restriction is so not very well configured.
i found some documentation on this kind of config but the version of ACS used seems older than the one that i use, so menu are very different.
Our current way of configuration for this is standalone ap's with multiple ssid's. The main network ssid's are on the 10.0.0.0 networks. The internet only ssid is on the 192.168.1.0 network. ( this is a wireless network only,no wired) They all get there dhcp address from a layer 3 switch. To prevent the wireless 192.168.1.0 intenet only network from getting to the 10.0.0.0 networks, we just put a simple source & destination deny acl on the in vlan interface of the 192.168.1.0 network on the layer 3 switch.Now that we are impementing a Cisco 2504 controller, the management and ap manger are both on the 10.0.0.0 network.( both on port 1 with dynamic ap manager enabled) I can setup as many ssid's on the 10.0.0.0 network and they all work fine. But when I setup the 192.168.1.0 internet only ssid it will not connect. I'm assuming that its because the 192.168.1.0 network or anyone trying to connect and use that network has to go through the controller located on the 10.0.0.0 network. I'm thinking that the acl on the vlan interafce is the problem.So, if I'm correct, what is the best way to setup a separate internet only network through the private networks?
When I click on Network, the only computer that shows up is mine. If I am hardwired then everything shows up (Servers, other workstations). Is this a problem with the radius server or something on the controller?
I have recently deployed a wireless network using a WLC 2504 with 21 Light APs. All seems fine except that Apple Devices drop their connections every 15 minutes or so. A couple of minutes later they can reconnect but obviously something is wrong.
our customer has a server farm in a data center.At the moment the farm has connectivity with only one ISP but sometimes it has service discontinuity.Customer wants to become AS and having two ISP connectivity for backup purposes.He needs to evaluete two cisco routers to use at AS edge with BGP.At the moment he says that the throughputh with the server farm is max 15Mbps and in the future he thinks that it will not increase.We think about cisco2951 routers with 2GB ram.Is cisco 2951 adeguate for this task ?
If my ISP brings ethernet into the building via duplex LC multimode fiber can I use the ASA5550 as the first device from the WAN or do I need some type of router for this? I realize I'll need an SFP to get to duplex LC, but I'm not sure if I need a router, or if the ASA can function as a router for this application.
If my ISP brings ethernet into the building via duplex LC multimode fiber can I use the ASA5550 as the first device from the WAN or do I need some type of router for this? I realize I'll need an SFP to get to duplex LC, but I'm not sure if I need a router, or if the ASA can function as a router for this application.
My landlord downstairs has set up a guest network for me from his Netgear WGR614v10 so I can ditch my dsl and just pay him. First I tried using my Netgear WNR2000 router to act as a receiver (bridge?) but messed it up and couldn't even access the router config anymore, had reset to factory settings.I bought a Netgear WN311B PCI adapter, but I can not connect. My laptop works fine, and after a bit I got my nook to work. We've gone through having an open network with no encryption to currently trying with WPA2-PSK. If I try to connect with Win 7 it just says "Windows is unable to connect to network." Troubleshooting just says to restart the router. If I try NetGear's Smart Wizard it will detect the network fine in setup, and say the signal is at 79-80%.
But at the "Settings" tab, it just says "scanning" in the status bar, it always says channel 6, and shows signal at 1 dot. Window's network connections list it at "Good." I did very briefly get it to work when I first tried the new adapter. Windows even asked me what type of network this was (Home/Work/Public) but when I tried to open a web browser it was not working anymore.I don't think it's range as my laptop and nook work. I can get it to connect to my WNR2000 router, so I don't think it's necessarily the adapter
