Cisco :: WLC 5508 - Keeping Internal Users Off Guest Wireless
Mar 22, 2010
Have a WLC 5508 running 6.x code with LAP's providing wireless for our internal laptops (WPA2 and EAP-TLS). I want to provide guest wireless which goes out a different port on the WLC to a guest firewall/cable modem. However, we want to prevent our internal laptops from being able to use the guest wireless. I have RADIUS (IAS) and LDAP for my AD available. We would prefer not to have use Lobby Ambassador and just have the guests use a simple password or web passthru. Guests may be laptops or smartphones. What options are available? I have tried a test setup using dynamic vlan assignments from RADIUS using the IETF flags, but can't seem to get it to work. Is there a way to identify the SSID is being used at the RADIUS server?
View 13 Replies
ADVERTISEMENT
Jan 23, 2012
I have multiple devices running on my home network. Every once in a while my wireless router starts playing up and I have to reset it.Whenever this happens, it changes the internal IP addresses of the devices. Is there a way to make the router keep the same internal ip address for each device? ie Laptop stays at 192.168.1.8I have a few forwarded ports for remote access to certain pieces of software, so each time the address changes, I have to go in and change these details, which is quite frustrating.
View 7 Replies
View Related
Feb 12, 2011
I have been testing WiFi devices such as the iPhones and iPads connectivity with the following setup:
1. 3502i AP
2. WLC 5508 SW 7.0.98
3. NGS
The i-devices have iOS v4.2
My goal is to have the guest user i-devices maintain the credentials (username and password) when they login again to the wireless network. Like if the device sleep, I think definitely they would loose those IP address issued by the DHCP. Once the guest user uses them again and connect them to the wireless network the user would not need to type-in those credentials on the Web Authentication page directed by the WLC.
The credentials are issued by the sponsor who created them on the NGS. It seems that there are WiFi problems with these i-devices. But somehow, I'm looking for a solution that would automated the logins like a checkbox if you want to be kept signed in, on Yahoo or Stay signed in for GMail.
View 6 Replies
View Related
Aug 20, 2012
I run a business and have customers who would like to use my wireless internet. I previously had a completely open network that I would allow them to use, until someone illegally downloaded a movie and got us in trouble. I would like to allow use of the network again, but limit activities like this. Basically, so they could only do basic web browsing, etc.
View 1 Replies
View Related
Mar 23, 2011
We have a guest wireless network using 1130AG Access Points. Is it possible to allow devices on this network access to an Internal IP? I know that kind of defeats the purpose on the guest network, but we'd like to give access to internal email to these devices. Currently this does not work because you cannot loop back into the network to gain access (out the firewall and right back in the same port).
View 5 Replies
View Related
Mar 18, 2012
Can we change the internal web authentication for guest network to use http instead of https?
View 3 Replies
View Related
May 7, 2013
I have a cisco wlc 2504 is deploying authentication services to guest users toward a portal web customized and configured. I need to install my certificate verisign (certificate.cer) in to cisco wlc because my users don't like the page no trusted (The wlc is showing me ''There is a problem with this website's security certificate'') when they are trying to access to ssid to users guests.
View 2 Replies
View Related
Feb 24, 2013
I have a cisco wlan controller (2100) running software 7.0.235.0. I have the internal private wlan running off of port 1 and that is working fine with an internal dhcp server.Is it possible to setup another ssid (guest) and have the interface directly linked to a static ip on the WAN and also use the built in cisco internal dhcp server?
View 4 Replies
View Related
Nov 29, 2011
I have been trying to create a Guest WLan on my 4402 WLC system and have found several confilcting documents explaining the procedure. During this process I have notices that although the current corp wireless works, there was never a virtual interface created for it. Instead it uses the same Wlan/Vlan as the ap manager and managemnt interfaces. Could this by why I cant seem to get the Guest access working? or is this not a problem after all since the wireless does work.
View 1 Replies
View Related
Sep 12, 2011
i have two WAP4410N wireless router. with software version (2.0.1.0) , here i have a problem on SSID broadcast and access.i have created Two ssid's WC72 and SREE with same security configuration WPA2-personalmixed . i cant see the broadcasted SSID of name SREE where i only view WC72 and get connected to it..
where i initially want is separate SSID and internal network access for internal employees and Guests (shouldn't connect to internal network).
View 9 Replies
View Related
Sep 19, 2012
My customer has multiple sites, each with a 2504 WLC.A data center with a 5508 in the DMZ acting as Anchor for the remote sites.ACS 5.x and NCS Prime.All guest users will egress to the internet via a Vlan in the DMZ.Authentication is currently web-auth on the Anchor, but will move to NCS once that is fully deployed.
Is it possible to put a printer in each site for Guest WLAN users to use?
View 3 Replies
View Related
Jan 25, 2011
A query here with regards to Wireless isolation between SSID and wireless isolation within SSID.If we have 2 SSID, eg. InternalSSID, GuestSSID on AP1.Both SSID are set to Enabled for isolation between SSID, and within SSID, that would mean all machines connected thro' this AP1, would be isolated from one another.
1) If there's 1 laptop that connects to another AP, lets call it AP2, (doesn't have isolation function) on ssid01. Would this laptop still be isolated from those that connects to the first AP?
2) If there are wired PCs connected to the router. And the 2 APs are connected to the same router. Would the machines connected thro' the AP1 on either InternalSSID, GuestSSID be able to access those wired PCs? (My assumption is yes.)
3) Is there a quick and efficient way to setup on WRVS4400N to isolate GuestSSID totally from InternalSSID, and wired PCs. InternalSSID and wired PCs should be allowed to 'see' one another.
The challenge here is that, the network points are all installed already. Both AP are connecting thro' 2 separate unmanaged switch together with a couple of other PCs. 1 Port on the unmanaged switch, each,connects to the router.
View 1 Replies
View Related
Jan 23, 2012
We have a Cisco wireless infrastructure in place that includes a guest network with its own subnet that is a sub interface of the inside interface on our ASA 5520. There are no routes for it to be allowed access to the internal subnets. So it can only access the internet. This is primarily used by the public, but we have several non employee personnel that we only want to give internet access and force them to access the internal network through our clientless SSL vpn portal or through other internet facing internal resources such as webmail.I have done packet traces from within the ASA and the break appears to be there is no ACL allowing the traffic back into the network once the web resource replies to the request and the traffic is attempting to come back into the network from the web resource. Is that as clear as mud?
I know that this has to be a common problem and a way around this is to allow the guest wireless network access to the internal network but only for the select resources that they require. And that this can be done seemlessly by network specific routes and or alternate DNS entries, but I would like to keep this simple and just allow them to access the web resource, webmail and VPN, from the guest wireless using internet DNS servers without route trickery.
View 8 Replies
View Related
Sep 16, 2012
This is the first time I am trying my hands on wireless gears. I have 2500 WLC and 1142 AP (which I converted from Standalone to LAP).I have a layer 3 POE switch where i am using port 1 for the WLC which is a trunk port.
Port 2 is for the AP using access vlan 111
Port 3 is trunk port going to a router where i am running dhcp server for the VLANs which are as follow:
VLAN 110 -Corp Wireless (10.1.110.0/24)
VLAN 111 - AP-Mgmt (10.1.111.0/24)
VLAN 999 - Guest (10.1.101.0/24)
I wanted to block the traffic from the Guest VLAN 999 but when i apply the ACL on the Guest Interface created on the WLC, I dont see any pings going across and neither I see any hit counts on the deny statement as if the ACL is never applied.
View 4 Replies
View Related
Aug 22, 2011
The two controllers are having two internal DHCP servers with the same range in LAN (enx1,enx2). but i have specified which is primary DHCP server(enx3) in WLAN interface.
Now if a new user added into network, will he get IP address from primary dhcp(WLC) or AP connected WLC.
if two users connected to 2 diff AP's which are connected to 2 WLC will get the same IP address? since having same address pool configured.
View 11 Replies
View Related
Jun 28, 2012
We created the management interface, an internal DHCP scope in same subnet, and Two SSID tied to the same management interface:
- when we connect to the first SSID we have and IP address
- but when we connect to the secone SSID: impossible to get an ip address - auth and association are OK
View 11 Replies
View Related
May 7, 2012
I am hoping to get your feedback around the dhcp issues I am facing with Two Centrally Switched Wireless LANs. The setup is as follows:
- I have a WLC 5508 which has been configured with 4 SSIDs, out of which 2 are using Central Authentication and Switching. - I have an LWAP connected to the WLC in HREAP mode. - WLC is configured as the DHCP server for clients connecting to the SSID 'Guest'. For the rest, I am using external dhcp server. - Only one scope for Guest Interface is setup on the WLC.
Problems:
1. As far as I know, for WLC to act as internal dhcp server, it is mandatory to have the proxy enabled, but the Clients connecting to SSID 'Internet' are unable to get an ip address from the external dhcp server, if dhcp proxy is enabled on the WLC. If i disable the proxy, it all works fine.
2. DHCP does not release the ip addresses assigned to clients even after they are logged out.
3. If a machine which was earlier connected to 'Guest' SSID connects to the 'Internet' SSID, it requests the same ip it was assigned by the WLC which it was assigned under 'Guest', but gets tagged with the V LAN configured on the management interface.
************Output from the Controller********************
(Cisco Controller) >show sysinfo
Manufacturer's Name............. Cisco Systems Inc.Product Name................ Cisco Controller Product Version................. 7.0.116.0Bootloader Version................ 1.0.1Field Recovery Image Version..................... 6.0.182.0Firmware Version..... FPGA 1.3, Env 1.6, USB console 1.27Build Type.......... DATA + WPS + LDPE
[code]...
View 12 Replies
View Related
Jul 21, 2012
A client wants us to use the internal DHCP server on a 5508 instead of Windows DHCP. They will have 15 APs initially and upto 25 later. The docs on the 7.2 WLC make it sound like this is discouraged: Internal DHCP Server.
The controllers contain an internal DHCP server. This server is typically used in branch offices that do not already have a DHCP server. The wireless network generally contains 10 access points or fewer, with the access points on the same IP subnet as the controller.
In this case, the APs will not be in the same subnet as the Managment Internet.Is it a mistake to use the internal DHCP with upto 25 APs (3 WLANs)?
View 3 Replies
View Related
Jan 24, 2013
I want to prevent guest from doing peer - peer communication on my Guest (5508) controllers. Is this a feature on the WLC or only by applying an ACL on the router interface?
View 2 Replies
View Related
Jan 28, 2012
Is it possible to provide wireless guest access over the WAN from another office via the WLC. I have WLC 5508 in a central office and have other remote offices that have one Access Point in each office that are autonomous; I will be converting these to LWAPP. Is it possible to route guest traffic back to the WLC then forward this traffic out to the internet? How would I route this traffic out as well? install a secondary WLC in the DMZ and use anchor points. I only have one WLC
View 7 Replies
View Related
Jun 2, 2013
, I have a requirement by a customer that they will want to monitor the guest wireless access. Currently, we are proposing a Cisco Wireless Controller 5508 together with APs and the setup would be a dedicated VLAN for guest. I am wondering if Cisco ISE together with Cisco MSE would be sufficient?
Stuff to monitor and log are:
1. Guest username (I guess this would be self sponsored)
2. Company name
3. Websites accessed
4. Time, date and duration.
5. Logs are to be kept for 3 months at least.
View 3 Replies
View Related
Feb 3, 2013
I'm looking to implement guest WiFi access with web authentication on one of our 5508 WLC (currently deployed within a sandbox environment), but looking for some assistance. The WLC currently has a single connection from port 1 to the 'Test Site 2' switch. This is a dot1q trunk. On the WLC, the interface (for port 1) is configured as follows: [code] Currently, I have one WLAN configured with the profile name 'Guest Test 1', it's enabled and broadcasting the SSID. Security is L3 only with web authentication configured. The WLAN is configured to use the interface names "guest_wifi".
The issue is that when a client connects to the WLAN, it receives an IP address okay (10.99.254.x address), but doesn't seem to be able to contact the WLC to get the web authentication page. Eventually, the WLC terminates the connection due to an authentication failure.does it sound like I'm taking the correct approach here? The idea is that clients connect to the guest WLAN, which puts them on VLAN 99 and routes traffic through to the ASA and then onto the internet.
View 13 Replies
View Related
Jan 5, 2013
Have WLC 5508 running 7.4 code; have wlan setup to allow access to internal network. Users on ipads should be able to connect to this wlan and authenticated via certificate instead of PSK. We have setup laptops that are part of domain to use internal CA for authentication to WLAN. Ipads are not part of domain so we are not able to use the same model, or can we use the same model for authentication?How to setup WLC to authenticate ipad users via certificate instead of PSK while connecting to the WLAN?
View 1 Replies
View Related
Dec 18, 2011
I am having an issue with internal and external clients. When we have the nat ip configured on the controller we cannot connect internal ap's at all. When we take the nat ip out it works fine. We are on code 7.0.220. I have tried the following command <config network ap-discovery nat-ip-only disable> and it did nothing.
View 1 Replies
View Related
Jun 2, 2013
We have a 5508 with 7.4.100.0 vor Internal APs and OEAPs. till now every thing is ok. Now we have to connect an AP (local) in a remote office, connected to the WLC by a VPN Tunnel. The problem is that the AP in the remote office uses the NAT Address to connect to the WLC, so the traffic goes over the Internet, not trough the VPN Tunnel. On the controller I have the following setting:
AP Discovery - NAT IP Only ................. Disabled
On the AP:
AP Link Latency.................................. Disabled
How to force the AP to use the internal IP Address of the WLC?
View 7 Replies
View Related
Sep 27, 2012
I recently installed 2 wlc 5508 with the latest software 7.3.101.0. I am not able to activate the Internal DHPC Server. The following message appears: "Error in setting dhcp scop leasetime".
View 5 Replies
View Related
Nov 20, 2011
I working with guest accounts on a WLC 5508.if there is possibilty to print out the account information directly from the controller. If possible how to print out this accounts ?
View 3 Replies
View Related
Jun 5, 2012
Where do you turn this option off? i have looked under security and did not see any thing.
View 1 Replies
View Related
Apr 11, 2012
I just got a new requirement for our wireless roll out and I need some help. Plan the best way to provide employee and guests wireless access w/ the guests separate from the production environment.
We have a 5508 controller w/ 1142 APs. I have two GBICs in the interfaces (only one is being used). I want to use a back haul connection for the guest access. I am having a hard time in visioning how to physically set up the cabling from the patch panel. Again, the requirement is to not allow guest users to connect to our production network but I still want/need to manage the AP. This will eventually need to be supported for remote sites tunneling back to the primary location.
View 7 Replies
View Related
Oct 28, 2011
I am running a 5508 WLC with 10 Access Point. we need to allow Internet Access to Guest. 10MB DSL Internet is dedicated for Guest. This link is terminated on a regular ADSL modem without being part of our network. We want all Guest Internet traffic to reach the ADSL Router. where should I create the Guest VLAN / where the DHCP for Guest users should be created. what is the best practise for similar setup.
Our Network is simple
ISP_Reuter-------ASA_Firewall--------------4505------------LAN-switch 2950
ADSL_modem------------ users connect via wireless but restricted to certain area only.
View 9 Replies
View Related
Oct 3, 2012
Could I setup wired guest Internet connection without layer 3 web authentication and how?I want guest users access Internet without going through web authentication.
View 2 Replies
View Related
Dec 30, 2012
We have Cisco WLC 5508 in our network and right now ,this WLC is connected to two ports of each core switches.Both CORP and GUEST SSID are configured on this WLC. Now we want to segregate the traffic log GUEST to on core switches from WLC. SO my question is ,how can we achieve this without using guest anchor controller ? Can i use one interface Cisco WLC 5508 and connect it to the firewall or any device ?
View 17 Replies
View Related
Dec 3, 2012
We are implementing a WLC infrastructure in our company following the below scenario:
- WLC 5508, OS 7.2
- APs AIR-LAP1142N-T-K9
- 3 Wlans (1Open w/ Web Auth, 1 WPA2 and 1 802.1x)
Issues:Everything seems to be fine, but some users loses connectivity (when connected to 802.1x network) at least 3 times by day.
- I cannot see anything at WLC logs concerning the association/deassociation of any of these users.
- Only strange line in the logs is "RADIUS server 172.21.44.50:1646 deactivated in global list" (authorization server config)
- Also I see some "Coverage hole pre alarm for client" but that doesn't look like a problem...
View 6 Replies
View Related
