Cisco :: WLC 2504 Interfaces And Guest Networks?
Jan 10, 2013
I installed a WLAN with a WLC 2504 and 1140 APs. My network is configured the following way. 10.10.X.X/8. Port 1 on my WLC has the following interfaces management with the ip address 10.10.X.5 and the virtual interface. I have one secure SSID on the management interface. DHCP is done on my Sonicwall firewall. I was advised to create a second interface called AP-Manager and i have the following questions:
1. Do i create a new port or do I create the AP-Manager interface on the same port as my other interfaces?
2. Once i create the new interface of AP-Manager, will my APs migrate over to this interface?
3. Do i need to create the AP-Manager interface or leave all my AP's on the management interface?
4. Second do I need to create a services interface and if yes, on port 1?
I also need to create a guest network that would have the ip scheme of 172.16.X.X and have the guest authicated by level 3 web authication.
1. Do i create my guest interface on port1 or create a new port?
2. DO i need to point my DNS of the interface to the virtual interface.
View 3 Replies
ADVERTISEMENT
Oct 26, 2012
I have WLC 2504 controller and six access points AIR-LAP1042N. I reading Cisco 2500 Series Wireless Controller Deployment Guide url...trying to set up along the lines.
It is also possible to have multiple AP-managers in a different subnet than the management interface. However, in this case, it is recommended that you disable the AP-manager from the management interface and create another AP-manager interface on different physical ports in a different subnet than the management interface. All multiple AP-managers in this scenario should be in the same subnet.
I maping management interface on physical port 1 and disabled ap-manager on it. Set up 192.168.7.0 subnet with non tagged vlan. This iface/port I want to use only for access to WLC web-interface. Then I create dynamic interface ‘dynamic1’, map him on port 2, enable ap-manager on him, and set up 192.168.110.0 subnet with vlan 10. Then I tryed map wlan1 to this iface, but I can’t because in the choice was only management iface to map wlan1.
There is three dynamic interfaces on same subnet and vlan, in example above. But when I try to add dynamic iface with the same vlan/subnet as an existing dynamic interface, I get an error, and can’t adding.
View 5 Replies
View Related
Mar 20, 2012
I've got a question concerning the configuration of multiple AP manager interfaces on -for example- a cisco WLC 2504. I've read the configuration guide but I'm not sure whether this is the way the protocol works. Say I want to distribute AP's (and traffic) across various AP Manager interfaces on the WLC. I would configure the following:
Create one management interface (which will automatically also be an AP-Manager interface)Configure 1 (or more) Seperate ap-manager interfaces, assign them to a port number, and select "Enable dynamic AP Management". VLAN ID's will be the same.Create a WLAN and configure it's interface to "management" Is it correct if I state that the LWAPP protocol takes care of the discovery from the Access Point and sends information about the available AP-manager interfaces back to the AP and the AP knows which ap-manager interfaces are available, connecting to the least loaded one?
View 3 Replies
View Related
Jan 21, 2013
I have a 2504 WLC with a 1042 AP and I have it placed on my edge Cisco 3750 switch. I have the management interface of the WLC set on my WAN IP 71.x.x.x subnet range, and I have the WLC doing DHCP duties with a DHCP scope of 192.168.X.0. I have my DNS servers set on external DNS servers out on the Internet.I have two Cisco 3845 Routers on my edge network - one for each ISP with BGP protocol.
Since my native VLAN is 71.x.x.x, I added a sub interface on my main core router and gave it a 192.168.x.1 255.255.255.0 address for the gateway. Also, I added ip prefix-list iBGP seq 10 permit 192.168.x.0/24 le 32 to my main core router. On my secondary ISP router I added ip prefix-list iBGP seq 10 permit 192.168.X.0/24 le 32, and ip prefix-list OUT seq 10 permit 192.168.x.0/24 statements.
I added VLAN 10 to my edge switch and gave it IP 192.168.x.2 255.255.255.0, and the switchports that my core router and my WLC are connected to the edge switch, are in trunk mode with encapsulation dot1q 10. The switchport on my edge switch that the AP is connected to is in switchport access mode.
I can connect to the wifi with a 192.168.x.x IP address on my laptop, but I cannot get any Internet access. Is it possible to have the DHCP scope be in a different subnet than my WAN IP subnet, and allow guests to get to the external Internet only? Do I need to put the WLC somewhere internal on my network i.e. the DMZ and then tunnel the traffic out to the Internet with no Internal network access?
View 5 Replies
View Related
Nov 28, 2012
Can I set up a guest wifi connection on my Cisco WLC 2504 if I already have WLANs set up inside my corporate network? I want to use port 4 and connect it directly to my ISP so that it is outside of the corporate network. I set up an interface with a valid IP from the ISP and created a "Contractor" WLAN to use that interface.
View 6 Replies
View Related
Nov 19, 2012
I have a 2504 WLC and x6 1142 AP's and currently have this working on our corporate network (still in test phase). So far so good and looking at authentication via radius next for this.
We have a separate ADSL connection that is external to the corporate network and what i would like to do is based on SSID (in this case i'll use "Guest Access") i would like any clients etc that visit to be able to connect to our wireless but not be able to connect to our corporate network.
View 4 Replies
View Related
Jun 4, 2012
I have setup guest access on the controller and this is not working at the moment.
DHCP server setup on the controller for the Guest users.
You are able to connect (get ip address from controller) and the browser gets redirected to 1.1.1.1 but then page can not be displayed instead of the login page.
View 2 Replies
View Related
Sep 19, 2012
Cant we create a guest user login with more than 30 days lifetime? In the lifetime field we can enter maximum 99 but it only allows up to 30
View 5 Replies
View Related
Jan 28, 2013
I recently got my Cisco wireless system working a few days ago and am back with a guest network. Our wireless system includes one 2504 controller and 2 2602i access points. So, I want a wireless guest network completely isolated from the LAN.
Here is what I have done.
I have created a new internal network and assigned 192.168.2.1 to an unused port on the firewall and 2.2 to a new controller interface with vlan 10. I can ping both 2.1 and 2.2 from the firewall and the controller. Basic network connectivity is working. The DHCP server is setup on this same firewall and configured only for this port. This address is referenced in the controllers interface.
A new w lan was setup and enabled. The proper interface group was selected on the w lan. I have left the default layer2 security.
As far as AAA servers tab in this wlan, this is where I am a little confused. I wish to just have a single log in for this guest network. I wasn't sure what to do so I went over to the Security tab and created a "local net users" account. I do not know how to reference the use of this under wlan, security, aaa servers. Should I check the box that says "local eap authentication"?? If so, I don't have a profile name in the drop down. What I'm looking for is the username/password to be stored locally on the controller itself since there will be only 1 account.
Under wlan, advanced tab, I do not have "Allow AAA override" checked. Should I?
Lastly, when I try to connect the client, it is not pulling a dhcp address. I wasn't sure if authentication was required before dhcp or the other way around so I'm not sure what to trouble shoot first, authentication or dhcp.
View 8 Replies
View Related
Apr 3, 2012
I have 2 APs, Cisco Aironet 1040, and 2504 WLC.Is it possible to configure guest access (Guest SSID/VLAN and Corporative SSID/VLAN) without dedicated guest WLC in DMZ?
View 4 Replies
View Related
May 7, 2013
I have a cisco wlc 2504 is deploying authentication services to guest users toward a portal web customized and configured. I need to install my certificate verisign (certificate.cer) in to cisco wlc because my users don't like the page no trusted (The wlc is showing me ''There is a problem with this website's security certificate'') when they are trying to access to ssid to users guests.
View 2 Replies
View Related
Jun 4, 2012
I have setup guest access on the controller and this is not working at the moment. DHCP server setup on the controller for the Guest users. You are able to connect (get ip address from controller) and the browser gets redirected to 1.1.1.1 but then page can not be displayed instead of the login page.
View 10 Replies
View Related
Jul 19, 2010
We'll be implementing Cisco NAC guest server for Guest Wireless users, ( Model #3310), the question is do we need to configure separate physical interface for User authentication requests( from Wireless ) and a separate Interface for Guest server to talk to AD for SSO?
View 2 Replies
View Related
Feb 23, 2013
I recently setup a 2504 WLC that has two primary WLANs (internal and guest) which get their IP addresses from a central DHCP server using the local router's broadcast forwarding. Things seem to be working well for the internal wlan, but clients on the guest wlan don't seem to be getting IP addresses. If I give the client a static IP they are able to communicate across the wlan okay.
It is worth noting that I am using LAG between the controller and router and this guest wlan is really just a regular wlan (with PSK) that has an access-list applied to force it to the internet only. The access-list should be allowing dhcp requests through, but in any case, I removed the access-list and it made no difference.
Here is a debug client for a machine connected to the guest vlan (vlan 33). The internal wlan is on the 10.10.10.0/24 network (same as wired and same that the AP's are connected to) and the guest wlan is 10.33.0.0/16. I don't understand why I am seeing the dhcp request come from the internal vlan/ wlan first and it gets an IP address on this network. I then see a request on the guest wlan/vlan at which point it appears to get a valid IP address on the guest network (10.33.0.0), but the client never sees this. [code]
View 4 Replies
View Related
Jan 17, 2013
My customer need creates some separately web portal for some SSID (Guest and Staff), 01 web portal for Guest and 01 Web portal for Staff. Can WLC2504 can support this features ?
View 2 Replies
View Related
Sep 19, 2012
My customer has multiple sites, each with a 2504 WLC.A data center with a 5508 in the DMZ acting as Anchor for the remote sites.ACS 5.x and NCS Prime.All guest users will egress to the internet via a Vlan in the DMZ.Authentication is currently web-auth on the Anchor, but will move to NCS once that is fully deployed.
Is it possible to put a printer in each site for Guest WLAN users to use?
View 3 Replies
View Related
May 2, 2012
We are deploying 3600 AP's with a 2504 and would like to create multiple SSID's that are mapped to unique VLANs so we can control the traffic at the Firewall. We have the 2504 up and running with AP's but there appears to be no where in the 2504 controller Web GUI to configure a VLAN mapping to an SSID. Any pointers to documentation on how to configure?
View 1 Replies
View Related
Dec 10, 2012
I am trying to set up a vrf for guest networks and am having issues on one of the switches.A quick overview (since I dont really know what i am doing ) we have two sites that are connected via lanex. each site has a 3750. The only internet connectivity is the remote site (so all the users at the local site route out through the remote site to get to the internet)I need to make a guest network at the local site using our current infrastructure but it cannot have any access to our network resources.
I have created a vlan here (vl166) and on the remote switch
ip vrf TRAINING
didnt do any route distribution
then added "ip vrf forwarding TRAINTING" and readded the ip to the vlan interface
gave it an ip address of 172.16.166.1
did the exact same thing on the remote switch but with interface address of .2
enabled ospf on both switches.... router ospf 3 vrf TRAINING
I cant ping from one interface to the other... when I try pinging from the remote switch I get :
CISCO3750MCI-1#ping vrf TRAINING 172.16.166.1
% VRF does not have a usable source address
CISCO3750MCI-1#show ip vrf interfaces TRAINING
Interface IP-Address VRF Protocol
Vl16 172.16.16.2 TRAINING down
I cant see why the interface is down. Nothing in the logs (even when I do no shut... it just accepts the command but doesnt come up)
View 8 Replies
View Related
Dec 31, 2011
Having just installed the E1000 why have I got a public network address '####' which is security type WPA2 -PSK and also public network address '#### - Guest' which is security type - unsecured.Anyone can log onto either wireless network connection but only with the correct password.How do I remove the '####' address and also how do I make the '#### - Guest' address a secure one.
View 1 Replies
View Related
Jun 10, 2013
I would like to setup a 2504 to have one Guest WLAN and one Staff WLAN with a controller port for each WLAN connected to different devices.
I would prefer to connect the WLC Guest port to an ASA 5510 and the WLC Staff port to an internal 2960S switch. Will this work? I haven't setup a 2500 series controller previously.
View 4 Replies
View Related
Apr 7, 2013
Is there any way to configure a wired guest network with a combination of 5508 and 2504 wireless controllers? I am aware that the 2504 does not have wired guest functionality, however is it possible to set up a wired guest on the 5508 and using mobility anchors, transmit the l2 information through eoip to communicate with the remote vlan?Home built NAC solution, using 802.1x authentication on switchports for public areas. If user is an employee, communicates with the supplicant on their machine, and places them on an internal vlan.If user is a guest, user fails 802.1x check and is placed on a "guest" vlan with an ACL and external DNS.If placed on the guest vlan, the user has to accept a terms of use form.This is working currently with our 5508s without any issue, however we have some remote offices we'd like to roll this out to that are using 2504 controllers. I'm hoping there's a way that I can use the 5508 as an anchor or vice versa to make this work.
View 1 Replies
View Related
Oct 17, 2012
Any problems with the guest network on the ea4500 with the cloud firmware? I am losing guest clients after about 24 hours and the re-authentication fails. you enter the guest password and nothing happens until you reboot the router.
View 2 Replies
View Related
Aug 18, 2011
Is it possible to allow certain websites to bypass the web authentication pages, so that they do not need to authenticate to get to our own website, but do have to if they wish to go anywhere else?Looking at a 5508 model at the moment
View 4 Replies
View Related
Jan 24, 2013
I want to prevent guest from doing peer - peer communication on my Guest (5508) controllers. Is this a feature on the WLC or only by applying an ACL on the router interface?
View 2 Replies
View Related
Mar 2, 2013
Why a 2504 Poe? If it can not be used for AP.
View 10 Replies
View Related
Jan 16, 2013
So I bought a 2504 AP. I also have some AIR-CAP3602I-A-K9. The WLC web interface sees them in the CDP neighbors. The devices get an ip address but I can't add them as access points. I think if I can do that I can get something simple going.
On the access points I get the stuff below. I didn't set it? At least not the
CISCO-CAPWAP-CONTROLLER
I'll be honest I've never set one of these up and I'm on a steep learning curve!
% Invalid input detected at '^' marker.
%Default route without gateway, if not a point-to-point interface, may impact performance
*Mar 1 00:00:50.167: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.33.0.75,
mask 255.255.255.0, hostname APfc99.47c8.518a(code)
View 6 Replies
View Related
Feb 12, 2013
I've got router as vpn-concentrator which receives vpn site-to-site connections from 10 branches with cisco 881 and cisco 1941.I started cacti monitoring and found out that there are too many errors on interfaces.URL.
View 5 Replies
View Related
Mar 7, 2013
I have an ASA connected to 2 ISPs.I am using object tracking for the default route so only 1 path is used at a time. I have a L2L VPN setup going out interface A. I would like to configure a 2nd VPN going out interface B with identical parameters.
(ASA software 8.2)
crypto map PATH_A 1 match address outside_1_cryptomap
crypto map PATH_A 1 set peer 10.1.1.1
crypto map PATH_A 1 set transform-set ESP-AES-128-SHA
crypto map PATH_A 1 set security-association lifetime seconds 28800
crypto map PATH_A 1 set security-association lifetime kilobytes 4608000
crypto map PATH_A 1 set reverse-route
[code]....
View 2 Replies
View Related
Oct 8, 2012
We are using non-advertised IPs on many devices, but LMS is attempting to ping these addresses and setting off all sorts of security alarms. How to stop LMS 4.1 from pinging the interfaces? We don't even want LMS to do any fault monitoring so if that could be turned off, it would be even better.
View 1 Replies
View Related
Sep 30, 2011
I am trying to secure sub interfaces on a 2600 Router
interface FA0/1.1
No Access-group
Interface FA0/1.2
IP Access-group 110 out
Access-list 110 deny ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
Access-list 110 permit ip any any
This works but it blocks traffic both ways I only want to block one, I dont want FA0/1.2 to be able to access FA0/1.1 but I want all traffic to be allowed to go the other way
View 2 Replies
View Related
May 11, 2013
I have a wireless controller that works perfect but because we have some new access-points 1602i that is only supported bij software version 7.4.100.0. So I need to upgrade the controller because I now have version 7.0.116.0. I have read in release notes of version 7.4.100.0 that I first need to upgrade to 7.0.240.0 to avoid losing those VLAN settings.
Note If you have VLAN support and VLAN mappings defined on H-REAP access points and are currently using a 7.0.x controller software release that is prior to 7.0.240.0, we recommend that you upgrade to the 7.0.240.0 release and then upgrade to 7.4.100.0 to avoid losing those VLAN settings.
But I also read something about Field Upgrade Software. If you are using a Cisco 2500 Series controller and you intend to use the Application Visibility and Control (AVC) and Net Flow protocol features, you must install Wireless LAN Controller Field Upgrade Software for Release 1.8.0.0-FUS. This is not required if you are using other controller hardware models. For more information, see [URL] .....
Here is the system information of my controller:
Manufacturer's Name.............................. Cisco Systems Inc.Product Name..................................... Cisco Controller Product Version.................................. 7.0.116.0Bootloader Version............................... 1.0.16Field Recovery Image Version..................... 1.0.0Firmware Version................................. PIC 16.0
Build Type....................................... DATA + WPS
System Name...................................... WIFI-WLC-01System Location.................................. System
[Code] ....
I was thinking of the following steps:
1. Backup the current config
2. Upgrade to version 7.0.240.0
3. Test and backup the config
4. Upgrade to version 7.4.100.0
5. Test and backup the config
6. Upgrade Field Upgrade Software 1.8.0.0
7. Test
View 3 Replies
View Related
May 24, 2012
I'm having some weird issues where I cannot ping from the WLC to the IAS RADIUS server. All of my clients cannot connect, but from the switch, router, RADIUS server, and hard wired clients, I can ping to the WLC and RADIUS server. The only thing that cannot ping the RADIUS server is the WLC itself. Nothing in the FW is blocking connectivity. [code]
View 11 Replies
View Related
Jan 22, 2013
I'm planning to upgrade our WLC 2504 from 7.2.111.3 to 7.4.100.0 but the cisco site says "WLC Version 7.4.100.0 will need Prime Infrastructure Version 1.3 to be managed, Version 1.3 is not yet available to download at this point of time" Is it something about NCS? we have only 1 cisco WLC 2504 and 6 1142APs.. Also let me know is it possible to go directly from 7.2 to 7.4 ?
View 8 Replies
View Related
