Cisco :: 5508 - Guest Wireless Traffic To Blue Coat Web Proxy
Jan 17, 2012
In my lab I have a Guest Wireless network setup and fully functional. Here is a brief diagram:
Client -> AP -> LAN switch and WLC-Foreign -> Core router -> DMZ switch and WLC-Anchor -> Edge Router -> Internet
I have NME for credential management on the LAN as well.The WLC-Foreign is a 5508.In my DMZ, I have two networks - 1 for normal DMZ management and 1 for Guest Wireless.
I now have to add a Blue Coat web proxy appliance into the DMZ and have Guest Wireless traffic pass through it. I have tried multiple scenarios including connecting the WLC-Anchor to the Blue Coat directly and making the Blue Coat the gateway for my Guest Wireless network. Any good design for the DMZ networks and/or routing to enable the Guest Wireless traffic to go to the Blue Coat and then out to the Internet?
View 11 Replies
ADVERTISEMENT
Sep 3, 2012
We have a strange issue may be an known issue. We have the ACS 5.3.0.40 with Bluecoat Packetshaper (Packeteer) as the Radius Client and tried with PAP as well as CHAP with the suggested VSA. But once we try to authenticate with GUI in the PS end we get authentication failed. i.e its says invalid password but in the ACS end we get it as the Auth success log. We are not able to login to the PS as well. What is the issue anything to be done with the patch upgrade or any issue with the packetshaper? [code]
View 3 Replies
View Related
Mar 1, 2013
We need to create Guest WLAN on WLC 5508 which will be used for internet access only. My questions are:
1. Is it possible to use our external web proxy server to authenticate users?
2. Can we also forward all traffic to the external web proxy to filter the websites that can be accessed (without configuring it on the browser)?
3. Can this be achieved using the L3 webauth?
Our topology:
WLC -- Switch -- ASA Firewall -- Internet -- External Web Proxy
We are using WLC as DHCP server for Guest WLAN with ASA Firewall as the gateway.
View 6 Replies
View Related
Dec 30, 2012
We have Cisco WLC 5508 in our network and right now ,this WLC is connected to two ports of each core switches.Both CORP and GUEST SSID are configured on this WLC. Now we want to segregate the traffic log GUEST to on core switches from WLC. SO my question is ,how can we achieve this without using guest anchor controller ? Can i use one interface Cisco WLC 5508 and connect it to the firewall or any device ?
View 17 Replies
View Related
Jun 19, 2012
For my company, I am running a Cisco 5508 WLC with a 4400 WLC as a guest anchor in our DMZ. There is a guest SSID and several business SSID's for internal equipment. Guest traffic should be tunneled out to the 4400 controller where [the client] gets its IP address and is sent out to the internet. No internal corporate access is possible. However, when I do a packet capture from my wired PC, I'm seeing traffic generated by different iPhones. It appears to be mostly IPv6 mDNS or ICMPv6 traffic. How would this traffic make it onto the corporate wired network, when it should be staying on the guest network? None of the iPhones have been setup on the business SSIDs, so I know it isn't legit traffic. Is there a setting in the WLC that will block this? Will an ACL work?
These are examples of some of the traffic that wireshark is capturing:
349 7.794875 fe80::e77:1aff:fe3c:f81 ff02::fb MDNS 253 Standard query response PTR, cache flush Tonyas-iPhone-2.local PTR, cache flush Tonyas-iPhone-2.local
356 7.802667 fe80::e77:1aff:fe3c:f81 ff02::fb MDNS 151 Standard query ANY Tonyas-iPhone-2.local, "QU" question ANY Tonyas-iPhone-2.local, "QU" question
361 7.806964 fe80::e77:1aff:fe3c:f81 ff02::fb MDNS 151 Standard query ANY Tonyas-iPhone-2.local, "QM" question ANY Tonyas-iPhone-2.local, "QM" question
Both controllers are running software version 6.0.196.0. I also have a WCS server running version 7.0.220.
View 3 Replies
View Related
Feb 19, 2013
After the upgrade of the WLC 5508 to version 7.4 the 1142 access-points LED blinking rapidly cycling through blue, green, and red. I found the following information to this behavior: "Access point location command invoked"
The configuration didn't change. How can I switch this function?
View 1 Replies
View Related
Jun 9, 2013
I have a lab network setup at my house with similar equipment to our office that I use for testing different features and functionality. Since I have had this installed (~ 2 years) I've had an intermittent but recurring problem with connectivity to various wireless devices that I have never been able to fully resolve.I have a 5508 Wireless controller with a handful of 3502i APs spread throughout my house. The controller is connected to a 3560X switch. And I have an ASA 5510 firewall as my Firewall/Internet Gateway. When I work from home I most often work from a desktop computer in my office and have a Windows RDP session to a laptop located in another room in my house on one of my monitors as a working space (I know this is weird but there is a good reason). This laptop is connected via WiFi at all times.Occasionally, I will lose connectivity to this laptop (or not be able to connect back to my desktop from it) and have to start an extended ping from the laptop to the desktop to re-establish connectivity. A while ago I performed some deeper analysis on what was happening and what I found is that when the connectivity breaks the problem is that the desktop is unable to resolve the MAC address of the laptop. It sends out ARP requests but never receives any reply back.
Why would the controller stop replying to ARP requests for the IP address of the laptop?If I log into the controller while this is happening it shows the laptop as a connected client, and has its IP address and MAC address listed fine in the clients section. In order to avoid getting up every time I need to reconnect, I normally hop to a system I control across one of my VPN tunnels via RDP, then connect BACK to the laptop and start the ping to re-establish connectivity back to my main desktop machine. This works because the firewalls ARP cache hasn't cleared yet. And then everything works fine again... unless I manually clear my ARP cache. Sometimes clearing the ARP cache will result in the exact same problem again and I will lose connection. Other times it seems to repopulate almost immediately and the connection doesn't drop.
A wireshark debug from the desktop reveals that ARP requests simply go out with no reply, confirming what is happening.As a note, I have set both the User Idle Timeout and the ARP timeout to 24 hours to try but this has not had any effect.This problem seems to go away and then come back. In fact, I havent been experiencing this issue for probably a couple months recently and then it just started again in the last few days which is why I am back to posting here. No changes to the network were made in the meantime that could account for this change in behavior. I am currently running version 7.2.111.3 but this behavior has persisted through at least four software upgrades so I don't think it's an issue with a specific version but I don't really know.I occasionally epxerience connectivity issues in my house to other devices as well that I use less often like a printer, network camera, apple tv so I now feel like these issues are likely all related.
View 5 Replies
View Related
Jan 24, 2013
I want to prevent guest from doing peer - peer communication on my Guest (5508) controllers. Is this a feature on the WLC or only by applying an ACL on the router interface?
View 2 Replies
View Related
Jan 28, 2012
Is it possible to provide wireless guest access over the WAN from another office via the WLC. I have WLC 5508 in a central office and have other remote offices that have one Access Point in each office that are autonomous; I will be converting these to LWAPP. Is it possible to route guest traffic back to the WLC then forward this traffic out to the internet? How would I route this traffic out as well? install a secondary WLC in the DMZ and use anchor points. I only have one WLC
View 7 Replies
View Related
Jun 2, 2013
, I have a requirement by a customer that they will want to monitor the guest wireless access. Currently, we are proposing a Cisco Wireless Controller 5508 together with APs and the setup would be a dedicated VLAN for guest. I am wondering if Cisco ISE together with Cisco MSE would be sufficient?
Stuff to monitor and log are:
1. Guest username (I guess this would be self sponsored)
2. Company name
3. Websites accessed
4. Time, date and duration.
5. Logs are to be kept for 3 months at least.
View 3 Replies
View Related
Feb 3, 2013
I'm looking to implement guest WiFi access with web authentication on one of our 5508 WLC (currently deployed within a sandbox environment), but looking for some assistance. The WLC currently has a single connection from port 1 to the 'Test Site 2' switch. This is a dot1q trunk. On the WLC, the interface (for port 1) is configured as follows: [code] Currently, I have one WLAN configured with the profile name 'Guest Test 1', it's enabled and broadcasting the SSID. Security is L3 only with web authentication configured. The WLAN is configured to use the interface names "guest_wifi".
The issue is that when a client connects to the WLAN, it receives an IP address okay (10.99.254.x address), but doesn't seem to be able to contact the WLC to get the web authentication page. Eventually, the WLC terminates the connection due to an authentication failure.does it sound like I'm taking the correct approach here? The idea is that clients connect to the guest WLAN, which puts them on VLAN 99 and routes traffic through to the ASA and then onto the internet.
View 13 Replies
View Related
Nov 20, 2011
I working with guest accounts on a WLC 5508.if there is possibilty to print out the account information directly from the controller. If possible how to print out this accounts ?
View 3 Replies
View Related
Jun 5, 2012
Where do you turn this option off? i have looked under security and did not see any thing.
View 1 Replies
View Related
Apr 11, 2012
I just got a new requirement for our wireless roll out and I need some help. Plan the best way to provide employee and guests wireless access w/ the guests separate from the production environment.
We have a 5508 controller w/ 1142 APs. I have two GBICs in the interfaces (only one is being used). I want to use a back haul connection for the guest access. I am having a hard time in visioning how to physically set up the cabling from the patch panel. Again, the requirement is to not allow guest users to connect to our production network but I still want/need to manage the AP. This will eventually need to be supported for remote sites tunneling back to the primary location.
View 7 Replies
View Related
Oct 28, 2011
I am running a 5508 WLC with 10 Access Point. we need to allow Internet Access to Guest. 10MB DSL Internet is dedicated for Guest. This link is terminated on a regular ADSL modem without being part of our network. We want all Guest Internet traffic to reach the ADSL Router. where should I create the Guest VLAN / where the DHCP for Guest users should be created. what is the best practise for similar setup.
Our Network is simple
ISP_Reuter-------ASA_Firewall--------------4505------------LAN-switch 2950
ADSL_modem------------ users connect via wireless but restricted to certain area only.
View 9 Replies
View Related
Oct 3, 2012
Could I setup wired guest Internet connection without layer 3 web authentication and how?I want guest users access Internet without going through web authentication.
View 2 Replies
View Related
Dec 25, 2011
i see there is an option to "allow password change" or "force password change" for guest roles in the NGS. But when i created a guest account using this guest role, after webauthentication , there is no prompt to change password. Is this the intended behaviour or is there anything else that i need to configure. Looking at it, i am not sure how the NGS would allow a "guest user" to really overwrite the password by allowing password change. ? is that not a security risk as well for the NGS ? my setup has 5508 anchor controller and NGS communicating via RADIUS.
View 7 Replies
View Related
Nov 27, 2012
Guestconnect SSID configured on 5508 WLC with Pass through athentication (NAC guest server). No issue with Laptops and Iphone/Ipad ver 4and 5. Only Iphone Ver 6 users unable to access Guest connect .
View 9 Replies
View Related
Jun 6, 2013
We currently have ACS 5.4 and Cisco WLC 5508's deployed. We have wireless lobby admin accounts that can login and successfully create and modify guest wireless accounts. What we are trying to do, however, is give the lobby admins the ability to create wireless accounts with lifetimes longer than 30 days. Currently our setup will only allow the creation of permanent accounts (by entering all 0's in the lifetime fields) or accounts that last up to thirty days.
View 4 Replies
View Related
Feb 23, 2012
In my Wireless network, I have two appliances WLC 5508 running version 7.0.116.0.I have a WCS running version 7.0.172.0, deployed on a windows 2003 server.I've imported the two WLCs in my WCS in order to centralize the monitoring and the configuration tasks.Now I'm facing an issue when I want to create a guest user from the WCS, rather than creating this user access on each WLC. The creation of the user account is working good, the replication is done on the both WLCs, but on one of my WLC the guest user account is deleted after one hour(around).On the second WLC, the same user account remains during all its life time.In attachment a screen shot of the advanced parameter of the guest user.You can see that the user was created on the both WLC but is only active on one ... and unfortunately the wrong because the AP is associated with the other WLC.
View 2 Replies
View Related
Dec 19, 2012
I've got a WLC5508 (7.0.116.0) that is managed by WCS (7.0.172.0). I set up another WLC5508 with the same code and managed by the same WCS. Now I'd like to export all the 800 guest user accounts with the passwords from the old WLC and import them into the new WLC.
View 10 Replies
View Related
Dec 5, 2011
I know that the recommendation from Cisco for the mobility anchor feature to work well is to use the same IOS version on the anchor WLC and local WLC controller. Now I´ll install on a new site a 5508 local WLC with a newer IOS version which is installed on the other controllers ( Guest and local ). Later I´ve planned to update also the other controllers to the same IOS version. Now my question is, must I upgrade all other controller at the same time ?
View 4 Replies
View Related
Mar 22, 2010
Have a WLC 5508 running 6.x code with LAP's providing wireless for our internal laptops (WPA2 and EAP-TLS). I want to provide guest wireless which goes out a different port on the WLC to a guest firewall/cable modem. However, we want to prevent our internal laptops from being able to use the guest wireless. I have RADIUS (IAS) and LDAP for my AD available. We would prefer not to have use Lobby Ambassador and just have the guests use a simple password or web passthru. Guests may be laptops or smartphones. What options are available? I have tried a test setup using dynamic vlan assignments from RADIUS using the IETF flags, but can't seem to get it to work. Is there a way to identify the SSID is being used at the RADIUS server?
View 13 Replies
View Related
Nov 6, 2012
We currently have all of our foreign AP controllers on software version 7.0.116. This consists of a mixture of 4400 and 5508 WLC's. Our guest anchor is a 4402 on version 7.0.116. We are replacing the guest anchor with a 5508. We are also upgrading our 5508 wireless controllers to version 7.2 to support the 3600 series AP's. My question is what is the recommeded code that the anchor controller should be on? Should it also be upgraded to 7.2? If we upgrade the anchor controller to version 7.2, will this affect anchoring to 4400 series foreign controllers still on7.0.116?
View 9 Replies
View Related
Aug 1, 2012
I've been asked to create 2 wireless networks for guest access. They are to be used by clients of 2 different companies and they have asked for the website of each company to automatically open as a landing page. e.g.
-WLAN1 - password is companyname1 - landing page = www.companyname1.com
-WLAN2 - password is companyname2 - landing page = www.companyname2.com
Is this possible with our 5508 WLC? I have googled it and can see that you can set a web auth page but I need different landing pages depending on which WLAN is connected to.
View 11 Replies
View Related
Feb 28, 2013
i have two 5508 ver 7.3.0, one is the primary and one is the guest controller. mobility is up and running. i have an exising guest ssid working with wpa2-psk and web authentication and its working fine but i require a second guest ssid that only uses a wpa2-psk for ipod/ipads as i cant use passive client on primary controller. i presently have the one vlan range and dhcp setup on the guest controller to give addressing to either ssid. i know you can have multiple ssid setup on the guest controller but in other sites i have only had one guest connection comming from the primary controller, just a primary controller on each sites was only creating one link to the same guest controler.
View 3 Replies
View Related
Jul 10, 2011
which is the maximum number of simultaneous wired guest clients on a 5508? And in a 2112 controller?
Wired clients count as wireless clients??
What about anchoring limitations, what is the effect of wired guest clients on the anchor controller?
View 2 Replies
View Related
Aug 28, 2011
We're looking at deploying both office extend and also a guest wlan. Both would require a WLC in the DMZ.My question is can one 5508 WLC be both a guest anchor and have office extend APs on it at the same time?
View 2 Replies
View Related
Oct 2, 2011
Looking to add time of day restrictions to our Guest WLAN that is currently in its pilot phase.
Is there a way to config time of day access to a WLAN ?
View 7 Replies
View Related
Dec 4, 2012
I setup a guest wired network on the WLC 5508 with 7.2.110. A postage machine can only be setup for static IP address over guest wired network. Is any one how to get it configure on the WLC 5508?
View 3 Replies
View Related
Feb 14, 2013
I have two 5508 WLCs. Both have APs attached to them. If I create a guest account with the lobby administrator on one, will that user account be able to log in to the network if the client is attached to the ohter WLC? So far, I have found that I need to create the same user on both WLC's, in order to have the user login.
View 2 Replies
View Related
Feb 19, 2012
I have a 5508 WLC running 6.0.202.0. It functions as the Anchor Controller for the guest network. It sits in our Internet DMZ and is isolated from the rest of the network. It does not connect to AD, ACS, etc. The guest wireless WLAN is configured for Web Policy - Authentication. I have a customized login page. Credential management is done by WCS.
Users are connecting to the guest wireless network and entering their creds with no issues using mobile devices (iPad, etc). Then the mobile device goes to sleep / turns off and when they go to use it again, they have to type their creds in again. They dont like retyping their creds throughout the day.
good way mitigate the multiple logins? Something like a 'save password' option on the customized page?
View 5 Replies
View Related
Dec 6, 2012
We are planning a WLAN upgrade and the security policy is to forward wireless Guest user traffic to the DMZ controllers. We are now considering the Virtual WLAN Controller and all AP's will register with the virtual controllers and we will use Flexconnect for Staff and internal traffic that will switch their traffic onto the local switch.
We wish to forward the guest traffic to the DMZ Guest Anchor controller which will be a 5508 controller. This will also offer Office Extend AP service.I have looked at teh virtual controller docs and not very clear if this deployment model is supported. Below is a diagram of what we wish to deploy and is this a supported deployment model.
View 2 Replies
View Related
