Cisco :: 5508 WLC - VPN Disconnects From Wlan Guest
Feb 14, 2012
Strange issue that our support staff is seeing on our guest WLAN. I have 2 wlans, 1 is production and authenticates our Domain controllers, this is working fine. The other is a wlan that has restricted access internally, I allow http, https and VPN access out only.
It appears that on the guest wlan, after random amount of time an established VPN connection using Cisco VPN client disconnects. Wireless connectivity doesnt appear to go down, just the vpn connection.
On this guest wlan, I have configured QOS bronze and I read a link where this may be affecting the UDP conversation between VPN client and end point.
We have a strange problem. We have a WCS v.7.0.172 that controls our two WLC v.7.0.116 and we have also two "Anchor Controller" WLC v.7.0.116 for Guest Access.
We use the LAP1142N and every AP has two SSID's. One for internal data traffic and the other one for the guests.
Now the problem is, that even if we have internal and external user on the same AP, the guest users gets disconnected after a few time. Sometimes after 20 minutes, sometimes after 90 minutes...but the user is still working. It's really irregular.
I have a strange situation on my guest wireless LAN.The guest WLAN is configured as an SSID "GUEST" on Cisco 1142 lightweight APs, with WiSM controller and WLC software version 7.0.230.0.
For simple Internet access using this SSID, we have a web policy, which causes a web page to be displayed when the user opens his/her browser, and on this web page, the user must click on an "Accept" button in order to accept the terms and conditions of use. Once the user accepts, the browser will then go to the web site which the user wishes to open. When using this mode of access, everything is fine.
However, there is also a pre-authentication ACL, which allows certain types of VPN traffic to reach the Internet without the user being required to accept terms and conditions. The ACL allows ESP, IKE (UDP/500), IKE over UDP (UDP/4500), DNS, HTTPS/SSL (TCP/443), DHCP client and server (UDP/67,68).The pre-auth ACL actually works as intended; and the ACL traffic is NOT allowed when the ACL is removed. This is exactly as it should be.
However, when using, for example, a VPN client such as the Cisco VPN client, or the Cisco AnyConnect client, via this guest SSID without user acceptance, the WLAN regularly and predictably stops passing traffic. This is 100% repeatable and predictable; it happens every 300 seconds, or possibly slightly longer. I have only used my PC clock to time it so the timing isn't all that accurate but I'm sure it's within a few seconds.
Given that the problem happens at the same time interval and is constant, I guessed there must be some configuration item which needs to be altered, but I've looked extensively at the controller GUI (we actually use WCS here) and I can't see anything that looks even remotely related to this.
We are implementing a new corporate headquarters and have bought a Cisco 5508. I have two connections plugged into the 5508 in ports 1 and port 2. Port 1 is for all internally wireless networks and connects to our core 6500 and use an external DHCP server scopes. Port 2 is for our guest WLAN and connects directly to a public network switch in front of (outside) the firewall. For the guest network, I have setup a vlan on the controller for dhcp and the interface setup to that vlan and dhcp scope built on the controller. how or can I NAT the internally addressing for the guest network to the public IP address on the controller. Essentially I want to drop of guest network traffic outside the firewall and not have to deal with setting up the firewall for any aspect of guest network traffic.
I've been asked to create 2 wireless networks for guest access. They are to be used by clients of 2 different companies and they have asked for the website of each company to automatically open as a landing page. e.g.
-WLAN1 - password is companyname1 - landing page = www.companyname1.com -WLAN2 - password is companyname2 - landing page = www.companyname2.com
Is this possible with our 5508 WLC? I have googled it and can see that you can set a web auth page but I need different landing pages depending on which WLAN is connected to.
We're looking at deploying both office extend and also a guest wlan. Both would require a WLC in the DMZ.My question is can one 5508 WLC be both a guest anchor and have office extend APs on it at the same time?
We are planning a WLAN upgrade and the security policy is to forward wireless Guest user traffic to the DMZ controllers. We are now considering the Virtual WLAN Controller and all AP's will register with the virtual controllers and we will use Flexconnect for Staff and internal traffic that will switch their traffic onto the local switch.
We wish to forward the guest traffic to the DMZ Guest Anchor controller which will be a 5508 controller. This will also offer Office Extend AP service.I have looked at teh virtual controller docs and not very clear if this deployment model is supported. Below is a diagram of what we wish to deploy and is this a supported deployment model.
I want to setup a webpage for my guest network (no authentication) users. When the client connects to the open guest network and upon opening a browser they would be directed to a survey that I would like them to take, if they don't want to take it they can begin browsing to other sites without issue. How do I do this on a my 5508 WLC?
When a guest user first trys to access the "guest" WLAN, they are presented with a "certificate page" before the web athentication page / login is presented. The WLC forces an internal redirect to https://1.1.1.1 causing the certificate page to appear. Can this be bypassed? I am runiing 5508 with 7.0.220.0.
I would like to setup a 2504 to have one Guest WLAN and one Staff WLAN with a controller port for each WLAN connected to different devices.
I would prefer to connect the WLC Guest port to an ASA 5510 and the WLC Staff port to an internal 2960S switch. Will this work? I haven't setup a 2500 series controller previously.
I want to prevent guest from doing peer - peer communication on my Guest (5508) controllers. Is this a feature on the WLC or only by applying an ACL on the router interface?
I have 2 5508s (foreign and anchor both running 7.2.110.0) with an open WLAN configured via mobility anchors. This configuration works and has no problems. My next task is to incorporate a webauth page (accept/reject) to present the clients with AUP information, etc. On the foreign controller I created a test WLAN (open) and setup webauth Passthrough using the Cisco webauthbundle (wap.html), this works as intended, no issues. However I am at a loss as to how to incorporate the webauth Passthrough functionality on the WLAN that is configured for the mobility anchor.
1 router 881w with a site-to-site VPN connected to a switch and a wireless which allows internal users to access the VPN via wireless (this is like a backup, if the switch fails, then they can use the wireless). Everything's working fine so far. Now I want to configure a second WLAN for guest but I'm not really sure if this configuration will work:
ROUTER:
ip dhcp excluded-address 192.168.100.1 192.168.100.200 ! ip dhcp pool GuestNetwork network 192.168.100.0 255.255.255.0 default-router 192.168.100.1 dns-server 8.8.8.8
[code]....
If it's not clear I want that everyone that is connected to the guest WIFI receives an IP address from the range I wrote before and then goes directly to the internet.
I have my wlc 4400 configured with a secure wlan and a guest wlan. The guest wlan is switching traffic at the wlc to a separate guest-wlan interface. When a guest is associated and authenticated, they can access the management console of the wlc which is in a different subnet. As I understand, the wlc does not route traffic. So how could this be happening? the guest subnet and the subnet the wlc management interface is in are different and separated by a firewall. I have also tried applying access lists in the wlc to each interface without luck. How can i stop the wlc from providing access to guest wlan users?
Can I limit bandwith for guest in a wlan network with out Wlan controller? and of course, how can I do it?P.S.: I heard something about bronze profile in a wlan controller envoiroment, I need something like that but in an independent AP.
Older model Inspiron 1545' using the 1397 WLAN card. Has been working fine, until perhaps the past two weeks. Now it frequently drops out, requiring manual disconnect and reconnect. Tonight Internet very slow on that laptop.
There are other devices using the same wifi (including this iPad used to post this), which connect to the wifi and Internet no issue. To me, its pointing to the laptop - either the WLAN card itself, or something in the laptop starting to fail (the laptop does have issues restarting - where it won't do that unless left for say 30 mins).
I'm suspecting a recent windows update or mcafee security update - no other software has been installed or updated.
I've tried changing antenna setting from auto to aux with no change to the above. Have checked for newer drivers - the laptop reports the version we have is the latest ( from 2009) - although they are the windows driver. Running windows 7, 64 bit - as supplied by dell when laptop was brand new. should I give up on the 1397 card and use another USB wifi adapter ?
I recently setup a 2504 WLC that has two primary WLANs (internal and guest) which get their IP addresses from a central DHCP server using the local router's broadcast forwarding. Things seem to be working well for the internal wlan, but clients on the guest wlan don't seem to be getting IP addresses. If I give the client a static IP they are able to communicate across the wlan okay.
It is worth noting that I am using LAG between the controller and router and this guest wlan is really just a regular wlan (with PSK) that has an access-list applied to force it to the internet only. The access-list should be allowing dhcp requests through, but in any case, I removed the access-list and it made no difference.
Here is a debug client for a machine connected to the guest vlan (vlan 33). The internal wlan is on the 10.10.10.0/24 network (same as wired and same that the AP's are connected to) and the guest wlan is 10.33.0.0/16. I don't understand why I am seeing the dhcp request come from the internal vlan/ wlan first and it gets an IP address on this network. I then see a request on the guest wlan/vlan at which point it appears to get a valid IP address on the guest network (10.33.0.0), but the client never sees this. [code]
My customer has multiple sites, each with a 2504 WLC.A data center with a 5508 in the DMZ acting as Anchor for the remote sites.ACS 5.x and NCS Prime.All guest users will egress to the internet via a Vlan in the DMZ.Authentication is currently web-auth on the Anchor, but will move to NCS once that is fully deployed.
Is it possible to put a printer in each site for Guest WLAN users to use?
I tried to extend the Range of the Guest WLAN of the E2000 with several different Access Points vom TP-Link. (Last try: TL-WA901D) The Access Point recognises the WLAN and sometimes it has a connection for a short time. But then the whole WLAN is breaking down, sometimes the Router E200 hangs up, also with the LAN connections. The E200 is connected to a sky-DSL Router and works fine when no additional access point is connected. In the web-Interface of the E2000 I cant setup any specific Guest-WLAN settings.
I have a wrt54g router and would like to separate the WLAN clients from accessing computers and servers on the LAN... in other words I would like to make it a "guest" network. I've put the router in "router" mode instead of "gateway". I just want to be sure if that is the best thing I can do in terms of turning the wireless network into an isolated one.
Since the SW upgrade to version 7.3.101.0 (wlc 5508) i have the following issue. We have a W LAN with 802.1x (WPA2/AES) secured. Before the update the users need to enter user/ PW every time when they reconnect (W LAN switch off/ on again) to the W LAN. Now the users don`t need to enter user/ PW when they reconnect to the WLAN.
I could not find any setting on wlc to clear this issue.
We have a 5508WLC recently updated to 7.2.110.0 since we are using CAP3602I-N-K9, this AP is intended to work as a H-REAP device and eventhough it is registering to the controller I can't get to see the WLANS on the list to map it to the local VLANS
I have verified and the WLAN is configured for local switching also have followed the steps listed here:URL
Still Can't see the WLANs under the Flexconnect tab on the AP?
We are moving forward with a mobility project which requires our network to authenticate/authorize based on certificates.
WLAN_1 has 802.1x enabled passing the cert through to the MS CA which authorizes the cred, which in turn passes the AD creds of the user to the MS RADIUS server for authenticate/authorization.
Hardware: WLC 5508 running 7.2.110.0 3600 APs ACS 5.2 not used for AAA
1. As we turn up additional SSIDs, we need Mobile SSID to accept ONLY the Mobile Cert, our Internet SSID to only accept the Internal Cert and our GUEST SSID to deny ANY Cert issued by our CA.I know ISE makes this much easier, but I dont have it and need this to work as best we can until next fiscal cycle..
I've been asked to generate some report data on a specific WLAN, a limited access WLAN that was added recently. We need to be able to report on "Average and Peak Number of clients (Total)" and "Total Bytes Transferred (all APs)" on a per site basis. The sites involved mainly use 4402 and 5508 WLCs managed by our WCS server. Is there anything on WCS where we can easily get this information (on a monthly basis).
We currently tunnel guests to a 4402 that sits behind our firewall and it's been working well for a few years but I am aware that the 4402 is now EoL so I am exploring alternatives:
We also have several 5508s deployed and I'm wondering if - in any new guest access config - I can allocate one of its free h/w ports to connect to the firewall, even though the 5508 is configured to use LAG.
To put it another way can I configure a new port to a seperate VLAN and not be part of the the LAG'd ports or are you tied to having all ports acting as a group if LAG is switched on?
I have a WLC 5508 with half a dozen LAPs (AIR-CAP3502I-E-K9).They have been working but sometimes clients detect conectivity problems with the wlan.Here is the message log I can obtain from the controller:
I am trying to apply WLAN template from NCS to two WLCs 5508 and I receive this message."Another WLAN with same SSID and either WPA1/ WPA2/ WPA1+WPA2 is enabled. Please change the Layer 2 security policy."The template has layer 2 security with WPA+WPA2 enable and 802.1x.I have other WLAN template with other name and other SSID with the same security policies with no problem to apply.
I'm about to upgrade a 5508 controller so I can do the pre-download to the access points, but in every doc I find, it says to disable the WLAN's before upgrading. This makes no sense. I'm just moving code over, why do I have to disrupt my wireless network in order to move code?
I have one wlc 5508 running on latest IOS 7.116, there is one wlan abc which i have disable status and disable broadcast, but randomly still i can see from wlc dashboard there is one client connected to this wlan abc. The moment i check on the client details, there is no client connected to that wlan and when return to dashboard, no more client connected to that wlan abc.
We’ve recently installed a 5508 w LAN controller for my organization wireless network and each time devices connect to this wireless network they receive an ip conflict error. All devices conflict with the ip address of IP address 0.0.0.0 with mac address 00-00-00-00-00-00.
All devices event viewer has this TCP error: “The system detected an address conflict for IP address 0.0.0.0 with the system having network hardware address 00-00-00-00-00-00. Network operations on this system may be disrupted as a result.” We previously experienced the same ip conflict with 12000 w LAN network that he had used as proof of concept.
