Cisco Wireless :: 2504 - Guest Network Completely Isolated From LAN
Jan 28, 2013
I recently got my Cisco wireless system working a few days ago and am back with a guest network. Our wireless system includes one 2504 controller and 2 2602i access points. So, I want a wireless guest network completely isolated from the LAN.
Here is what I have done.
I have created a new internal network and assigned 192.168.2.1 to an unused port on the firewall and 2.2 to a new controller interface with vlan 10. I can ping both 2.1 and 2.2 from the firewall and the controller. Basic network connectivity is working. The DHCP server is set up on this same firewall and configured only for this port. This address is referenced in the controller's interface.
A new wlan was set up and enabled. The proper interface group was selected on the wlan. I have left the default layer2 security.
As far as AAA servers tab in this wlan, this is where I am a little confused. I wish to just have a single log in for this guest network. I wasn't sure what to do so I went over to the Security tab and created a "local net users" account. I do not know how to reference the use of this under wlan, security, aaa servers. Should I check the box that says "local eap authentication"?? If so, I don't have a profile name in the drop down. What I'm looking for is the username/password to be stored locally on the controller itself since there will be only 1 account.
Under wlan, advanced tab, I do not have "Allow AAA override" checked. Should I?
Lastly, when I try to connect the client, it is not pulling a dhcp address. I wasn't sure if authentication was required before dhcp or the other way around so I'm not sure what to troubleshoot first, authentication or dhcp.
Apr 7, 2013
Is there any way to configure a wired guest network with a combination of 5508 and 2504 wireless controllers? I am aware that the 2504 does not have wired guest functionality, however is it possible to set up a wired guest on the 5508 and using mobility anchors, transmit the l2 information through eoip to communicate with the remote vlan?
Home built NAC solution, using 802.1x authentication on switchports for public areas. If user is an employee, communicates with the supplicant on their machine, and places them on an internal vlan. If user is a guest, user fails 802.1x check and is placed on a "guest" vlan with an ACL and external DNS. If placed on the guest vlan, the user has to accept a terms of use form.
This is working currently with our 5508s without any issue, however we have some remote offices we'd like to roll this out to that are using 2504 controllers. I'm hoping there's a way that I can use the 5508 as an anchor or vice versa to make this work.
Jan 21, 2013
I have a 2504 WLC with a 1042 AP and I have it placed on my edge Cisco 3750 switch. I have the management interface of the WLC set on my WAN IP 71.x.x.x subnet range, and I have the WLC doing DHCP duties with a DHCP scope of 192.168.X.0. I have my DNS servers set on external DNS servers out on the Internet. I have two Cisco 3845 Routers on my edge network - one for each ISP with BGP protocol.
Since my native VLAN is 71.x.x.x, I added a sub interface on my main core router and gave it a 192.168.x.1 255.255.255.0 address for the gateway. Also, I added ip prefix-list iBGP seq 10 permit 192.168.x.0/24 le 32 to my main core router. On my secondary ISP router I added ip prefix-list iBGP seq 10 permit 192.168.X.0/24 le 32, and ip prefix-list OUT seq 10 permit 192.168.x.0/24 statements.
I added VLAN 10 to my edge switch and gave it IP 192.168.x.2 255.255.255.0, and the switchports that my core router and my WLC are connected to the edge switch, are in trunk mode with encapsulation dot1q 10. The switchport on my edge switch that the AP is connected to is in switchport access mode.
I can connect to the wifi with a 192.168.x.x IP address on my laptop, but I cannot get any Internet access. Is it possible to have the DHCP scope be in a different subnet than my WAN IP subnet, and allow guests to get to the external Internet only? Do I need to put the WLC somewhere internal on my network i.e. the DMZ and then tunnel the traffic out to the Internet with no Internal network access?
Nov 19, 2012
I have a 2504 WLC and x6 1142 AP's and currently have this working on our corporate network (still in test phase). So far so good and looking at authentication via radius next for this.
We have a separate ADSL connection that is external to the corporate network and what I would like to do is based on SSID (in this case I'll use "Guest Access"): I would like any clients etc. that visit to be able to connect to our wireless but not be able to connect to our corporate network.
Apr 9, 2013
My wireless connection gets lost intermittently. How can I fix this problem without paying too much to the service providers?
Nov 28, 2012
Can I set up a guest wifi connection on my Cisco WLC 2504 if I already have WLANs set up inside my corporate network? I want to use port 4 and connect it directly to my ISP so that it is outside of the corporate network. I set up an interface with a valid IP from the ISP and created a "Contractor" WLAN to use that interface.
Jun 4, 2012
I have setup guest access on the controller and this is not working at the moment.
DHCP server setup on the controller for the Guest users.
You are able to connect (get ip address from controller) and the browser gets redirected to 1.1.1.1 but then page can not be displayed instead of the login page.
Sep 19, 2012
Can't we create a guest user login with more than 30 days lifetime? In the lifetime field we can enter maximum 99 but it only allows up to 30.
Apr 3, 2012
I have 2 APs, Cisco Aironet 1040, and 2504 WLC. Is it possible to configure guest access (Guest SSID/VLAN and Corporate SSID/VLAN) without dedicated guest WLC in DMZ?
May 7, 2013
I have a Cisco WLC 2504 that is deploying authentication services to guest users through a customized and configured web portal. I need to install my Verisign certificate (certificate.cer) on the Cisco WLC because my users don't like the untrusted page (the WLC is showing me "There is a problem with this website's security certificate") when they are trying to access the SSID for guest users.
Feb 23, 2013
I recently setup a 2504 WLC that has two primary WLANs (internal and guest) which get their IP addresses from a central DHCP server using the local router's broadcast forwarding. Things seem to be working well for the internal wlan, but clients on the guest wlan don't seem to be getting IP addresses. If I give the client a static IP they are able to communicate across the wlan okay.
It is worth noting that I am using LAG between the controller and router and this guest wlan is really just a regular wlan (with PSK) that has an access-list applied to force it to the internet only. The access-list should be allowing dhcp requests through, but in any case, I removed the access-list and it made no difference.
Here is a debug client for a machine connected to the guest vlan (vlan 33). The internal wlan is on the 10.10.10.0/24 network (same as wired and same that the AP's are connected to) and the guest wlan is 10.33.0.0/16. I don't understand why I am seeing the dhcp request come from the internal vlan/ wlan first and it gets an IP address on this network. I then see a request on the guest wlan/vlan at which point it appears to get a valid IP address on the guest network (10.33.0.0), but the client never sees this. [code]
Jan 17, 2013
My customer needs to create separate web portals for some SSIDs (Guest and Staff): 01 web portal for Guest and 01 web portal for Staff. Can the WLC 2504 support this feature?
Sep 19, 2012
My customer has multiple sites, each with a 2504 WLC. A data center with a 5508 in the DMZ acting as Anchor for the remote sites. ACS 5.x and NCS Prime. All guest users will egress to the internet via a Vlan in the DMZ. Authentication is currently web-auth on the Anchor, but will move to NCS once that is fully deployed.
Is it possible to put a printer in each site for Guest WLAN users to use?
May 2, 2012
We are deploying 3600 APs with a 2504 and would like to create multiple SSIDs that are mapped to unique VLANs so we can control the traffic at the Firewall. We have the 2504 up and running with APs but there appears to be nowhere in the 2504 controller Web GUI to configure a VLAN mapping to an SSID. Any pointers to documentation on how to configure?
Nov 24, 2011
Basically, the issue I am having is we have a class b network ID of 172.16. We had a new phone system installed last year which needed to be on an isolated network as our switches do not have QoS on them. Plus they are quite bad...
Some genius decided to use the same network ID on the new phone system as our current network but they are totally isolated networks.
This is where my laziness comes into play... We use a laptop connected to the phone system's network to connect to configure the phones etc but I would like to do this at my desk. So what I have done is configured a wireless access point on the phone systems network so I can connect to it on my laptop to theoretically make changes to the phone system on my PC, but also staying connected to our network for obvious reasons... I do have some networking knowledge, and I am assuming the routes are going to be completely wrong because of the same network ID issue not allowing me to connect to the phone system on my laptop. But I am not sure if I can add a static route to resolve this.
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 50 56 c0 00 08 ...... VMware Virtual Ethernet Adapter for VMnet8
[Code]......
Jan 10, 2013
I installed a WLAN with a WLC 2504 and 1140 APs. My network is configured the following way: 10.10.X.X/8. Port 1 on my WLC has the following interfaces: management with the IP address 10.10.X.5 and the virtual interface. I have one secure SSID on the management interface. DHCP is done on my Sonicwall firewall. I was advised to create a second interface called AP-Manager and I have the following questions:
1. Do I create a new port or do I create the AP-Manager interface on the same port as my other interfaces?
2. Once I create the new interface of AP-Manager, will my APs migrate over to this interface?
3. Do I need to create the AP-Manager interface or leave all my APs on the management interface?
4. Second, do I need to create a services interface and if yes, on port 1?
I also need to create a guest network that would have the IP scheme of 172.16.X.X and have the guest authenticated by level 3 web authentication.
1. Do I create my guest interface on port 1 or create a new port?
2. Do I need to point my DNS of the interface to the virtual interface?
Oct 17, 2012
Any problems with the guest network on the ea4500 with the cloud firmware? I am losing guest clients after about 24 hours and the re-authentication fails. You enter the guest password and nothing happens until you reboot the router.
Jun 10, 2013
I would like to setup a 2504 to have one Guest WLAN and one Staff WLAN with a controller port for each WLAN connected to different devices.
I would prefer to connect the WLC Guest port to an ASA 5510 and the WLC Staff port to an internal 2960S switch. Will this work? I haven't setup a 2500 series controller previously.
Aug 24, 2011
I am using the RV220W with the latest firmware, I disabled all the four APs and also disabled the Radio, but the "Wireless" green light on the front panel still ON, why? How can I completely turn off the wireless?
Quoted from manual: WIRELESS—The Wireless light is green when the wireless module is enabled. The light is off when the wireless module is disabled.
Moreover I tried to disable the "Radio" while enabled one AP, I found that I can still connect to that AP, so what is the Radio's Enable/Disable used for?
Mar 11, 2011
Is there any way to add a printer to my computer that is on a completely different network? It's a small residential setup on both ends.
May 13, 2011
I had a network connection to the main family computer that just completely disappeared after I got back on it. It had been on all day because it was defragmenting, but a few minutes after I got back on it (I had just sat down in the chair and sent a couple messages on a chat I was in and dismissed an "Oh, Windows Media player found another WMP on main computer! Wooo!" notification) and then it was gone.
I assumed the internet had crashed so I gave it a couple hours, no internet. I stayed up longer waiting, writing, playing some games, but nothing. I didn't check the Network computers thing until now.
Usually even when the internet crashes the main computer still shows up in the computer list but it was just mine then. It seems like it totally dropped the connection and it can't find it again when I try to create a new one. It's not like I watch p~rn or download anything I'm not supposed to download so...
And the network icon doesn't have a big red no connection at all x - It's just the two computers, no world icon, no x. I've tried booting in safe mode with networking, nothing, 'netsh winsock reset catalog' + 'netsh int ip reset.log', nothing, create new connection, nothing, and repair memory problems, nothing. Microsoft Security Essentials found no viruses after a full scan, and it had been updated hours before the internet had a tantrum. I recently uninstalled Malwarebytes because according to a friend its update crashed her computer so I have no other virus scanner to use.
Oh, I'm running a Windows Vista Home Premium. Mine is genuine, it came with the computer, but my father had the bright idea to use -my- Vista disc to install it on the main PC, so it's all 'rawr not genuine' though as far as I know, my father's W7 laptop is still running just dandy.
We use a D'Link router, and it's worked fine until now. I don't actually know how my computer is connected, I'm pretty sure it's hardwired to the modem or router, but my father's is wireless. I've been searching like mad for the router's wireless USB thing, but it seems to have walked out the door.
Mar 7, 2013
My Network is gone from my list of available networks on my MacBook. I use a NETGEAR router, my network name is simply "NETGEAR", I have never named it anything else since installing this over 4 years ago. I have unplugged the power cord, waiting several minutes before plugging it back in. Also tried unplugging both the cable and the power cord. The router has no small "pin hole" that I can see in order for me to try to re-set it this way. It has literally disappeared from my Mac. Do I need to re-install using my NETGEAR cd?
Aug 8, 2011
I'm on a home computer and we use a router to deliver internet connection to the multiple computers in our house. However, lately I have been noticing that occasionally the internet connection of one of the computers on the network drops but yet all the other computers are still working fine with their internet connection. And the internet doesn't completely turn off, like there is no "X" on the two computer screens down below... it just loses its little globe icon... In order to get back the internet, you would have to basically disconnect from the internet connection network and then go back into it and it's back again.
I was wondering, because I'm starting to get suspicious, is it possible that somebody on the network in my house has deliberately found a way to turn off the internet access for one of the computers? I was alerted by checking different websites that it is possible that somebody on your own home network can "hack" into another computer, view its internet history, and even disable internet. How do I know this is happening for sure and take steps to stop it? I want to catch who is doing this because nobody is telling the truth.
Jan 24, 2012
I tried to make a WEP password, and when I made one, I went on my laptop to try to find my network but my network name was completely gone from the list of available wifi networks I can connect to.
Jan 15, 2009
We have a new DCS-5220 that we're playing with, seeing what we can do with it, and have a number of questions as well as one possible bug to report. I was somewhat surprised when tier 3 support said this was the best place to cover them all - including the bug. We are using firmware version 1.02, which is what the camera came with.
In the webgui, under Configuration > Tools > System > "Turn off the LED indicator" this is completely ignored by the camera. The red power LED is always on, and the green status LED flashes as long as it has a network connection. This is clearly a bug.
What is the root password?
Is there a URL we can poll for a static image? (ie.url... which would trigger a snapshot every time the URL is requested)
Are there any shell commands for motor control? If so, what are they?
Is there a shell command to retrieve logged in users? If so, what is it?
Is there a shell command for controlling the LED activity? It would be really nice if the status LED lit green when there was someone logged on to the webgui. Perhaps this is the intended activity, and it not doing so should be filed away as part of the above bug.
Aug 15, 2012
I have two WLC 2504 controllers. These controllers are for two different buildings. But they share a VLAN, and network address range. How can I control the access points so that each registers only at a specific, selected controller?
Example:
AP 1 -> WLC 1
AP 2 -> WLC 2
AP 3 -> WLC 1
Since the buildings also broadcast in different SSID. The two controllers are in a mobility group.
Oct 29, 2012
Having an issue with a Cisco Linksys E1500 on a home network. The device has a feature to provide a guest wireless network but the guest network can't get to the internet. A wired connection is fine, as is the normal wireless network but not the guest. The cheesy thing is, that it doesn't list an option for what type of wireless security protocol you want on the guest network. I'm assuming that it uses the same security protocol that the normal wireless network uses, but who knows. Especially weird is that it asks you what password you want on the guest network but then the guest network shows to be insecure when you try to connect. Thought maybe it was something funky with some of my configurations so I went ahead and factory defaulted it and just set it up with an insecure network for both the normal and guest networks. This didn't solve it. The guest network still couldn't get to the internet. In fact, the guest network can't even ping the router.
Nov 29, 2012
Our current way of configuration for this is standalone APs with multiple SSIDs. The main network SSIDs are on the 10.0.0.0 networks. The internet only SSID is on the 192.168.1.0 network (this is a wireless network only, no wired). They all get their dhcp address from a layer 3 switch. To prevent the wireless 192.168.1.0 internet only network from getting to the 10.0.0.0 networks, we just put a simple source & destination deny acl on the in vlan interface of the 192.168.1.0 network on the layer 3 switch.
Now that we are implementing a Cisco 2504 controller, the management and AP manager are both on the 10.0.0.0 network (both on port 1 with dynamic AP manager enabled). I can set up as many SSIDs on the 10.0.0.0 network and they all work fine. But when I set up the 192.168.1.0 internet only SSID it will not connect. I'm assuming that it's because the 192.168.1.0 network or anyone trying to connect and use that network has to go through the controller located on the 10.0.0.0 network. I'm thinking that the acl on the vlan interface is the problem.
So, if I'm correct, what is the best way to set up a separate internet only network through the private networks?
Jun 16, 2013
Cisco 2504 wlc, 1142n ap, windows radius server.
When I click on Network, the only computer that shows up is mine. If I am hardwired then everything shows up (Servers, other workstations). Is this a problem with the radius server or something on the controller?
Jul 25, 2012
I have recently deployed a wireless network using a WLC 2504 with 21 Light APs. All seems fine except that Apple Devices drop their connections every 15 minutes or so. A couple of minutes later they can reconnect but obviously something is wrong.
Jan 18, 2012
I have a stack of 3750-X that are used to both switch traffic inside VLAN and also to route a couple of WAN ranges from our uplink provider to the DMZ VLAN. Now I'd like to have a SVI Vlan1 with an IP in the "management VLAN", but I'd like that SVI not to be routable.
More exactly:
- no traffic should ever exit that interface that's not generated by the router itself (ssh/snmp/...)
- no incoming traffic on that interface should be forwarded anywhere
- I'd also like to have a different default gw to be used by traffic generated by the switch itself. (for e.g., ssh traffic coming from any other subnet like 10.2.0.0/24 to the switch SVI Vlan1 ip 10.1.0.1/24 should be routed back through the Vlan1 gw and not through our uplink ptp gateway)
I think I can achieve the first two with ACLs on the SVI. But not sure about the last one ...
May 30, 2012
I have an ASA that houses 11 VLANs, and I am trying to add a 12th. One of the VLANs is for PCs that have internet only access. The new VLAN will be similar, but for multifunction printers only. VLAN 99 is for internet only and works fine, I can ping the gateway of 10.99.3.33 from any PC in that VLAN. I am creating VLAN 98, modeling it after VLAN 99, and I cannot get a PC in the vlan to ping the gateway of 10.98.3.17. Both switch and ASA show the new VLAN 98 as UP, switchport is UP/UP. I have deleted and recreated VLAN 98 a few times, but I cannot get a PC VLAN 98 connectivity. Once it is working on the core switch, I will add it to the trunk to the IDS switches. VTP is not in use, everything is manual. [code]