Cisco :: 5508 / Easiest Method To Block Employees From Guest Network?
Jun 3, 2013
We have WCS and several WLCs (WISMv1, 5508, 4402) all running the 7.0.240.0 code. The "Guest" SSID is "garden-walled" from the corp LANs. We used to have web-auth page that required ID / PW. This became unreasonable as IT Dept was getting requests at all hours for immediate access from guest / resident family memebrs. So we changed the web-auth to remove the the ID / PW and just display corp policy and have to hit a "continue" button to gain access to Guest SSID. Healthcare staff on the floor are not tech-savvy enough to want to use or perform Hotel Ambassador functions.The issue now is that we have employees with smartphones, tablets and even personal laptops conecting the Guest SSID. Sr. Mgt wants to find a way to stop the abuse.I do not believe there is any perfect solution to prevent employees from gaining access, but have been asked to find a manageable method to deter most employees from connecting to the Guest network. Looked at seing up MAC filtering in WCS, it seems that you have to enter MACs that you *allow* on to the network - by default, other MACs are blocked. I would rather have the template block the MACs listed in the csv file and allow access as the default.. We have several SSIDs. Our corporate SSID uses 802.1x and we use Microsoft Server 2012 Network Policy Server (RADIUS) to pass user ID / PW to our AD for authentication. We do not have Cisco ACS. I am not sure if integrating RADIUS is the answer here either. I have had some webex sessions on ISE, NCS, and Prime infrastructure. We are only interested at the moment to monitor / control access to Guest. I have been told that ISE will have "sponsorship" functionality added in soon -- where user fills out info and ID / PW is sent via text or email to a cell phone or other device.
View 2 Replies
ADVERTISEMENT
Jun 19, 2012
For my company, I am running a Cisco 5508 WLC with a 4400 WLC as a guest anchor in our DMZ. There is a guest SSID and several business SSID's for internal equipment. Guest traffic should be tunneled out to the 4400 controller where [the client] gets its IP address and is sent out to the internet. No internal corporate access is possible. However, when I do a packet capture from my wired PC, I'm seeing traffic generated by different iPhones. It appears to be mostly IPv6 mDNS or ICMPv6 traffic. How would this traffic make it onto the corporate wired network, when it should be staying on the guest network? None of the iPhones have been setup on the business SSIDs, so I know it isn't legit traffic. Is there a setting in the WLC that will block this? Will an ACL work?
These are examples of some of the traffic that wireshark is capturing:
349 7.794875 fe80::e77:1aff:fe3c:f81 ff02::fb MDNS 253 Standard query response PTR, cache flush Tonyas-iPhone-2.local PTR, cache flush Tonyas-iPhone-2.local
356 7.802667 fe80::e77:1aff:fe3c:f81 ff02::fb MDNS 151 Standard query ANY Tonyas-iPhone-2.local, "QU" question ANY Tonyas-iPhone-2.local, "QU" question
361 7.806964 fe80::e77:1aff:fe3c:f81 ff02::fb MDNS 151 Standard query ANY Tonyas-iPhone-2.local, "QM" question ANY Tonyas-iPhone-2.local, "QM" question
Both controllers are running software version 6.0.196.0. I also have a WCS server running version 7.0.220.
View 3 Replies
View Related
Sep 12, 2011
i have two WAP4410N wireless router. with software version (2.0.1.0) , here i have a problem on SSID broadcast and access.i have created Two ssid's WC72 and SREE with same security configuration WPA2-personalmixed . i cant see the broadcasted SSID of name SREE where i only view WC72 and get connected to it..
where i initially want is separate SSID and internal network access for internal employees and Guests (shouldn't connect to internal network).
View 9 Replies
View Related
Oct 3, 2012
Could I setup wired guest Internet connection without layer 3 web authentication and how?I want guest users access Internet without going through web authentication.
View 2 Replies
View Related
Oct 30, 2012
As the title says, I would like to know what are some ways in which a group of computers on a network can be imaged at the same time over night. The reason this must be done is because in the training room at where I work, each different training session configures the computers differently, so it would be nice to have them all start off from the same point, rather than a new instructor having to learn all of what the previous instructors had done to the computers.I know some ways in how to image multiple computers. A little background on the environment:
About 15 computers connected a cross a network
Must be repeatable, and remain available (no dismantling)
Image will be Win7 32 bit, with applications already on it
Must be able to run, and complete over night
The image must be pushed out from one computer to all of the others
The OS of the computer doing the pushing can either be Win7 or XP
View 1 Replies
View Related
Dec 4, 2012
I setup a guest wired network on the WLC 5508 with 7.2.110. A postage machine can only be setup for static IP address over guest wired network. Is any one how to get it configure on the WLC 5508?
View 3 Replies
View Related
Nov 1, 2011
I have a client that has 3 AP541N's and they want to enable guest wireless access. However, their VOIP provider has their managed switches locked down so we can't add VLANs, etc.So I cannot touch the switch or router config on this LAN.
Looking into AP541N documentation I see VAPs mentioned, can I enable those and have secure guest wireless access with the same private IPs that the rest of the LAN use right now? (That is, the employees are 192.168.2.x and the guest wireless users would also be 192.168.2.x.)
Or do I need to do something else to properly enable guest wireless? Like add another piece of equipment? I did try to add a Cisco RVS4000 to the mix but it wouldn't pass the VLAN across the switches that I setup for the guest wireless SSID. goal is to leave the switch and router in place, and work with the AP541N's that I have and get secure guest wireless.
View 1 Replies
View Related
Jan 29, 2013
I am setting up a new Guest network with a captive portal and it seems to all work fine except when Apple devices go to sleep. When they come back on it isn't just a case of logging in again as it just indicates to the client that it is still connected and won't present the login page again. The Controller will show the client as auth required. So far the quickest way has been for me to delete the network on iPads and re-enter my settings or create a new profile on a Macbook and join again. I have also had some success when doing a manual DHCP refresh on my Macbook which sometimes seems to kick the Controller into action so it presents the login page to the client again. Whether it is related to the timers on the Controller (5508 running code 7.0.235.3) or - as I just read in another post by Leo - the 20 minute timeout that all Apple devices have built in to conserve battery life
View 3 Replies
View Related
Jan 24, 2013
I want to prevent guest from doing peer - peer communication on my Guest (5508) controllers. Is this a feature on the WLC or only by applying an ACL on the router interface?
View 2 Replies
View Related
Apr 7, 2013
Is there any way to configure a wired guest network with a combination of 5508 and 2504 wireless controllers? I am aware that the 2504 does not have wired guest functionality, however is it possible to set up a wired guest on the 5508 and using mobility anchors, transmit the l2 information through eoip to communicate with the remote vlan?Home built NAC solution, using 802.1x authentication on switchports for public areas. If user is an employee, communicates with the supplicant on their machine, and places them on an internal vlan.If user is a guest, user fails 802.1x check and is placed on a "guest" vlan with an ACL and external DNS.If placed on the guest vlan, the user has to accept a terms of use form.This is working currently with our 5508s without any issue, however we have some remote offices we'd like to roll this out to that are using 2504 controllers. I'm hoping there's a way that I can use the 5508 as an anchor or vice versa to make this work.
View 1 Replies
View Related
Oct 17, 2012
Any problems with the guest network on the ea4500 with the cloud firmware? I am losing guest clients after about 24 hours and the re-authentication fails. you enter the guest password and nothing happens until you reboot the router.
View 2 Replies
View Related
Jan 25, 2012
We currently tunnel guests to a 4402 that sits behind our firewall and it's been working well for a few years but I am aware that the 4402 is now EoL so I am exploring alternatives:
We also have several 5508s deployed and I'm wondering if - in any new guest access config - I can allocate one of its free h/w ports to connect to the firewall, even though the 5508 is configured to use LAG.
To put it another way can I configure a new port to a seperate VLAN and not be part of the the LAG'd ports or are you tied to having all ports acting as a group if LAG is switched on?
View 6 Replies
View Related
Aug 16, 2012
Is it possible to block outside P2P traffic on a guest wireless network using an ACL on the controller? I know we can do it our firewall
View 6 Replies
View Related
Jan 28, 2012
Is it possible to provide wireless guest access over the WAN from another office via the WLC. I have WLC 5508 in a central office and have other remote offices that have one Access Point in each office that are autonomous; I will be converting these to LWAPP. Is it possible to route guest traffic back to the WLC then forward this traffic out to the internet? How would I route this traffic out as well? install a secondary WLC in the DMZ and use anchor points. I only have one WLC
View 7 Replies
View Related
Jun 2, 2013
, I have a requirement by a customer that they will want to monitor the guest wireless access. Currently, we are proposing a Cisco Wireless Controller 5508 together with APs and the setup would be a dedicated VLAN for guest. I am wondering if Cisco ISE together with Cisco MSE would be sufficient?
Stuff to monitor and log are:
1. Guest username (I guess this would be self sponsored)
2. Company name
3. Websites accessed
4. Time, date and duration.
5. Logs are to be kept for 3 months at least.
View 3 Replies
View Related
Feb 14, 2012
Strange issue that our support staff is seeing on our guest WLAN. I have 2 wlans, 1 is production and authenticates our Domain controllers, this is working fine. The other is a wlan that has restricted access internally, I allow http, https and VPN access out only.
It appears that on the guest wlan, after random amount of time an established VPN connection using Cisco VPN client disconnects. Wireless connectivity doesnt appear to go down, just the vpn connection.
On this guest wlan, I have configured QOS bronze and I read a link where this may be affecting the UDP conversation between VPN client and end point.
View 10 Replies
View Related
Feb 3, 2013
I'm looking to implement guest WiFi access with web authentication on one of our 5508 WLC (currently deployed within a sandbox environment), but looking for some assistance. The WLC currently has a single connection from port 1 to the 'Test Site 2' switch. This is a dot1q trunk. On the WLC, the interface (for port 1) is configured as follows: [code] Currently, I have one WLAN configured with the profile name 'Guest Test 1', it's enabled and broadcasting the SSID. Security is L3 only with web authentication configured. The WLAN is configured to use the interface names "guest_wifi".
The issue is that when a client connects to the WLAN, it receives an IP address okay (10.99.254.x address), but doesn't seem to be able to contact the WLC to get the web authentication page. Eventually, the WLC terminates the connection due to an authentication failure.does it sound like I'm taking the correct approach here? The idea is that clients connect to the guest WLAN, which puts them on VLAN 99 and routes traffic through to the ASA and then onto the internet.
View 13 Replies
View Related
Feb 20, 2012
could i create new guest accounts via CLI? i know that via GUI with lobby embassador account i can create them. I have WLC 5508 (7.0.116).
View 7 Replies
View Related
Jul 26, 2011
I have the following
WCS: Version 7.0.164.3 and WLC 5508 Software Version7.0.116.0 And cannot import it. I have 2 more WLC 5508 (same version) already imported in WCS with no issue. Have run debug on the DMZ WLC and can see the snmp request coming through when I try to import it. Firewall rules are fine, ran a tcpdump and the WLC returns snmp values back. snmp credentials and routing is fine, can ping both in both ways.
Always comes up with the following error.
IP Address TypeStatus 203.14.70.91Failed to add device to WCS Reason: Object not found in device
View 2 Replies
View Related
Oct 25, 2012
I have a wireless network with LWAPPs and 1 WLC 5508. How to block communication between SSIDs (clients in different SSIDs bassically) and whether that is even possible from the controller? I'd like to mention that communication between clients whithin the same SSID is already blocked.
View 4 Replies
View Related
Apr 15, 2012
Why do need Cisco NAC guest server when we have WLC 5508 already configured. The Guest user access can be given by the WLC itself too. We can create users in WLC also and grant access to the user to access internet for specific time frame. My query is - what is so different in Cisco NGS that it is considered good in terms of Guest users access. What are the advatages of NGS.
View 4 Replies
View Related
Nov 20, 2011
I working with guest accounts on a WLC 5508.if there is possibilty to print out the account information directly from the controller. If possible how to print out this accounts ?
View 3 Replies
View Related
Jun 5, 2012
Where do you turn this option off? i have looked under security and did not see any thing.
View 1 Replies
View Related
Apr 2, 2012
I have a requirement to set up a guest SSID for contractor so that they can use the internet while in the office.
Security say that all traffic on this SSID should be isolated and directed straight to the firewall, with no chance of contamination into the company network infrastructure.
With the 5508, my understanding is using the setting up a guest account functionality built in will achieve this, but all traffic would end up at the wireless controller. How do I then put a direct forward for all traffic to the firewall which will only affect the guest traffic?
View 7 Replies
View Related
Feb 21, 2013
I have set up a Guest Portal with WLC 5508 7.4 and ISE 1.1.1 ;everything is OK, except one thing: the Guest VLAN, associated to the Guest SSID is, actually, a DMZ behind my customer firewall and the DHCP parameters provided to the wireless Guest equipement connected on this VLAN include the public ISP DNS servers addresses, not the customer internal DNS serveurs addresses;this seems OK since the idea of this Guest SSID is to give a pure Internet access to the Guests, and no connection at all towards the customer internal servers;
the problem is that, when the wireless guest receives the redictect URL from ISE (URL to access the ISE Guest Portal), this URL is based on the ISE DNS name, not on its IP address; so, the PC can't resolve this internal DNS name by using the ISP DNS servers addresses provided by the DHCP server, and, so, it can't access the Guest Portal at all ;Apart from changing those DNS values in the DHCP server (the customer does not accept this solution), how could we solve this problem ?I have tried to code manually , in the CWA Authorization profile, the equivalent URL redirect via the CISCO av-pair as follows : [code] but, it does not work, since the sessionIdValue variable is not replaced by its real value when sent to the wireless client
View 4 Replies
View Related
Apr 11, 2012
I just got a new requirement for our wireless roll out and I need some help. Plan the best way to provide employee and guests wireless access w/ the guests separate from the production environment.
We have a 5508 controller w/ 1142 APs. I have two GBICs in the interfaces (only one is being used). I want to use a back haul connection for the guest access. I am having a hard time in visioning how to physically set up the cabling from the patch panel. Again, the requirement is to not allow guest users to connect to our production network but I still want/need to manage the AP. This will eventually need to be supported for remote sites tunneling back to the primary location.
View 7 Replies
View Related
Sep 5, 2012
We are implementing a new corporate headquarters and have bought a Cisco 5508. I have two connections plugged into the 5508 in ports 1 and port 2. Port 1 is for all internally wireless networks and connects to our core 6500 and use an external DHCP server scopes. Port 2 is for our guest WLAN and connects directly to a public network switch in front of (outside) the firewall. For the guest network, I have setup a vlan on the controller for dhcp and the interface setup to that vlan and dhcp scope built on the controller. how or can I NAT the internally addressing for the guest network to the public IP address on the controller. Essentially I want to drop of guest network traffic outside the firewall and not have to deal with setting up the firewall for any aspect of guest network traffic.
View 1 Replies
View Related
Oct 28, 2011
I am running a 5508 WLC with 10 Access Point. we need to allow Internet Access to Guest. 10MB DSL Internet is dedicated for Guest. This link is terminated on a regular ADSL modem without being part of our network. We want all Guest Internet traffic to reach the ADSL Router. where should I create the Guest VLAN / where the DHCP for Guest users should be created. what is the best practise for similar setup.
Our Network is simple
ISP_Reuter-------ASA_Firewall--------------4505------------LAN-switch 2950
ADSL_modem------------ users connect via wireless but restricted to certain area only.
View 9 Replies
View Related
Dec 30, 2012
We have Cisco WLC 5508 in our network and right now ,this WLC is connected to two ports of each core switches.Both CORP and GUEST SSID are configured on this WLC. Now we want to segregate the traffic log GUEST to on core switches from WLC. SO my question is ,how can we achieve this without using guest anchor controller ? Can i use one interface Cisco WLC 5508 and connect it to the firewall or any device ?
View 17 Replies
View Related
Mar 22, 2012
how can I root my Toshiba thrive 31.5.003 without messing anything up cuz I'm tablet eleterate an its brand new
View 1 Replies
View Related
Dec 25, 2011
i see there is an option to "allow password change" or "force password change" for guest roles in the NGS. But when i created a guest account using this guest role, after webauthentication , there is no prompt to change password. Is this the intended behaviour or is there anything else that i need to configure. Looking at it, i am not sure how the NGS would allow a "guest user" to really overwrite the password by allowing password change. ? is that not a security risk as well for the NGS ? my setup has 5508 anchor controller and NGS communicating via RADIUS.
View 7 Replies
View Related
Nov 27, 2012
Guestconnect SSID configured on 5508 WLC with Pass through athentication (NAC guest server). No issue with Laptops and Iphone/Ipad ver 4and 5. Only Iphone Ver 6 users unable to access Guest connect .
View 9 Replies
View Related
Jun 6, 2013
We currently have ACS 5.4 and Cisco WLC 5508's deployed. We have wireless lobby admin accounts that can login and successfully create and modify guest wireless accounts. What we are trying to do, however, is give the lobby admins the ability to create wireless accounts with lifetimes longer than 30 days. Currently our setup will only allow the creation of permanent accounts (by entering all 0's in the lifetime fields) or accounts that last up to thirty days.
View 4 Replies
View Related
