Cisco Wireless :: 5508 - Multiple Web Authentication Pages
Jan 15, 2013
I have looked through the forum and think that I have found the answer to my question but I just need confirmation of my thoughts. We are using a 5508 W LAN controller running software ver 7.2.110.0 and LAP 1142n AP's.
What I would like to do is to configure multiple guest W LAN for each of our regional offices. Each of these W LAN needs to be configured with a Web Authentication page relevant to the office location. My question is this, can I have a Web Authentication page for each location or just 2, the default internal page and 1 customized page?
I am trying to build a new network from scratch, I have the WLC 5508 w/ Aironet 3600e APs connected to my Netgear Smart Switches and a Linksys RV082 router that I'm using as my DHCP server with several VLANs for several stuff on my Switches.
I have 2 questions:
1. Can I have 5 Interfaces configured on 5 different VLANs, each SSID on each a different Port:
Port 1: Controller management only=> 192.168.x.x /24 Port 2: SSID 1: WiFi Internal=> 172.16.x.x/12 (Radius Auth with no sharing) Port 3: SSID 2: WiFi Internal w/ sharing=> 192.168.x.x/24 (Radius Auth with sharing) Port 4 :SSID 3: WiFi Guest=> 10.0.x.x/8 (Web Auth) Port 5: SSID 4: WiFi IT=> 192.168.x.x/24 ( Radius or certificate Auth with access to the controller management interface)
2. How can I use the Controller as the DHCP server for all the WiFi traffic, and how should that be configured to work with my other DHCP server?
The users belong to Multiple AD domains. If we purchase WLC 2500 controller. Can I have one more WLANs authenticate to multiple radius or ad domains? I thought one WLAN/ ssid authenticate to single radius server.
Is it possible to assign a single ssid to multiple interface groups by assigning the ssid to multiple AP groups?
I have buildings geographically dispersed that are configured with multiple vlans in interface groups so that I can maintain an addressing scheme of dhcp assigned addresses per building. Each building is also further grouped as AP groups. I'd like to know if by assigning the same wlan ssid to each of the AP groups, will I maintain addressing integrity for each building? I'm thinking it will work.
Do the buildings have to be outside AP range of each other to avoid problems?
We've recently boughten new equipment to upgrade/replace some of our aging wireless hardware. We're moving to a pair of 5508 controllers and changing over to ACS 5.4. Currently we're just doing MAC filtering with ACS 4.2 and local users. I'd like to move most of our SSIDs to some type of AD authentication. Are there any all encompassing guides that layout the design behind that? So far I haven't had much luck finding one!
Also, would it be possible to maintain some of the local ACS users/MAC filtering? We have some mechanical equipment that connects to our network (separate SSID) but cannot join a domain.
I having some troubles with Web Authentication in a WLC 5508 version 7.2 to make authentication with the corporative phones, ANDROID GingerBread 2.3.6 model SAMSUNG GT-S7500L. When I try to connect to the VisitorsWirelessLAN in order to authenticate with web authentication the page never comes, in fact the phone never gets the IP. I have an iPhone and I have not problems, I have a Samsung Galaxy S2 with ICS 4.0.1 and works perfect, is only with gingerbread
I've set up several local network users (Security > Local Net Users) on the WLC (5508 running 7.0.98.0). Whenever I try to connect with one of these user accounts (I'm testing this out for now), the attempt is unsuccessful and I see an "AAA Authentication Failure for UserName: xxxxxxx User Type: WLAN USER" in the Trap Log. I thought that after trying to authenticate through a RADIUS server, the local user database would be polled and then a user account in that database would be able to authenticate.
Can we configure the wireless controller 5508 to authenticate the clients using both of MAC address Filtering (layer 2 security) and Web authentication (layer 3 security). and what is the difference between (Web policy --> authentication) and (Web policy --> on MAC filter failure)
My boss just asked me if there was a way for him to move from point A to Point B with his wireless laptop and NOT have to reauthenticate at point B if I install another access point there. Right now I have us setup on a Cisco WAP4410N Access Point that works well when he's within range of the antenna. The point B location is upstairs and while it's only about 50-70 feet away from the Point A access point the signal he's getting there is very weak so he wants me to install another AP there.
IOW he wants to authenticate once at point A and when he walks up to point B he wants the laptop to pickup the newer hotter signal when I put another AP point in.
We just got a new 5508 wireless controller and the question we have is : can we get wireless users to authenticate to an Active Directory server to get access to the network? I know we can get the authentication done with an RSA server, but what about plain AD?
We are using WLC-5508 in our corporate. For authenication we have implemented ACS with LDAP configured as external user database. We can able to get authenicated for Web based authenication. When it is configured for EAP-FAST, authenitication is not happening.
I'm working on a project where a wi-fi client is tracked and located using RADIUS authentication requests. The problem I'm running into is that the WLC (5508) sends an RADIUS authentication request to my freeradiusd, which is ok so far, but if the client roams to another accesspoint (3602AG, 1131AG, 1252AG), the WLC does not send a further RADIUS auth. request - and the client is allowed to connect to the next ap.Is there an option like RADIUS-cache which I can disable, so that the WLC sends everytime an authentication request when a client tries to connect to an ap or roams from one ap to another one?
I am setting up a WIFI network with a Cisco 5508 controller. I want to configure a first WIFI network (WIFI1) that will authenticate my business laptop based on the AD computer accounts and will access my corporate network.I want to setup a second WIFI network (WIFI2) that will authenticate my phones and tablets devices with AD user accounts and will be on a separate vlan with only access to the Internet.I created 2 policies on the Radius server : one that authenticate computers coming from wireless and a second one authenticating users coming from wireless.
if a user manually creates the WIFI1 network on his phone and enter his AD username, he is going to have access to the corporate network. I would like to be able to say that when a request is coming from WIFI1, only the policy for authenticating wireless devices with computer accounts will apply and the second policy authenticating user wouldn't apply.
I have two 5508, no anchor, only one SSID with internal web authentication using radius server.Under "Configuring Mobility Groups", Cisco guide says: "If a client roams in web authentication state, the client is considered as a new client on another controller instead of considering it as a mobile client".
I understand that if a client that has already autheticated via web roams between two LAPs that are associated with different WLCs, it has to reathenticate.
I have to WLC's a 4402 and 5508 in a mobilty group. they are both running 7.0.116.0. They are configured to use Web Authentication. We are having complaints that Users are having to re-authenticate when moving around the office. My theory is they are moving from one WLC to the other and then requiring to re-authenticate.
I have a problem with a customer of mine. We have deployed two new WLC5508 running r7.0.116.0 and AP1142s, also WCS with r7.0.172. When we setup a "Guest Access" we ran into trouble.The problem is that we can associate to the SSID/AP and get an ip-adress. When we open the web- browser we do not get redirected to the virtual interface but instead the _hostname_ of the WLC. Like this: url...
I we manually replace "cisco6a19c4" with 1.1.1.1 it works as it should, the login page appears, we login and can access the internet.We have tested and disabled web-auth on the ssid an everything works, we can directly go out on the internet, DNS works without any problems. [code]Guest network (VLAN) is transfered from WLC via the trunk to the Cat4503 and then connected on a access-port to a separate broadband-router, then to the inetrnet.DHCP to guest-users from separate broadband-router which is def gwy and "DNS".On the virtual interfaces no hostname is configured.
I am planning to migrate from an old 4400 to a new 5508. I am happy with migrating the access points but I need to know if I can migrate the web authentication certificate used for guests.The new WLC will have the same virtual interface and DNS name to match the CN on the current certificate. Will this work or will I need a new certificate?
Should I trunk the port to the AP or not. I have a WLC 5508 in the head office and have AP in the remote office. I do not want traffic in the remote office to traverse the wan back to the WLC. I want the users at the remote office to use the local sub net at the remote site.
Should I then trunk the AP port on the switch to the AP as I have multiple ssid's with different sub nets?
My 5508 WLC which runs version 7.4 is configured as a DHCP server for the clients and here's my problem:
-One AP is attatched with an interface which has the vlan 10 and a ssid in AP groups
-One AP is attatched with another interface which has the vlan 20 and the same ssid in AP groups
And there are two DHCP pools in WLC, one is for vlan 10 and one is for vlan 20.For now, a PC accesses AP-1 and get an IP address from DHCP pool vlan 10, then I power off AP-1, then the client accesses AP-2 but still get the IP address from DHCP pool vlan10, i need to get the IP from DHCP VLAN20, what can i do now?
I have been noticing in my trap logs that there are an excessive amount of Client Association/Authentication Failures. I cannot figure out why. I have a Cisco 5508 WLC with 81 AP's (1131ag, 1142abgn, 1262N) models. The wireless devices are on a Windows Domain and use 802.1x EAP authentication, authenticating the user and computer info with a RADIUS Server. I look at the logs and all it can tell me is Reason:Unspecified ReasonCode:1. I read that the Reason Code is due to "Client associated but no longer authorized" but to be honest I am not sure what that means.
I have studied many guides but I can't find out if there is a down-side to setting the timeout this high.Could it result in slow roaming or re-authentication if there is a connection error? The customer have large areas with high client density and some outdoor areas with low client density.
Installed a new 5508 WLC last week, and finished bringing 68 new 3602i access points online in our College Dorms. We are seeing a lot of "Client De-authenticated" errors "Reason: Unspecified Reason: Code 1. Years ago I asked about error code 1. The reply from Cisco was: "The programers put the code in. It basically means we don't know what the problem is."Got a call from one of the dorms stating that students were getting knocked off the network while going to sites. If a student is wired, network is solid.Walked the dorm in question and was getting full bars of signals at all times, and was able to stream a movie from my Ultraviolet account without any break or slowdown as I moved from access point to access point. So.. my device, an iPad, was fully mobile and did not experience any disconnects.Did observe one student using a MacBook Pro. This student was constantly loosing connection to the access point. Checked the controller for the MAC of the student's computer. I did find deauthentication errors. BUT... this student's error was the computer was receiving an IP address from the DHCP that was already in use. At the computer the error message was a timeout issue.I am just learning the ropes on the 5508. Have used 3 4404s for the past six years.
how to set WLC 5508 to allow single create web authentication user account to get connected in a same time. i found that i can use the same username and password combo to be login in 2 machine in the same time.
i have a problem with 1552E to register with 5508 WLC, and always got "AAA authentication error” in the WLC log, while AAA is not enabled. so my question is , do i need to add the MAC address to the WLC MAC filter list even if i not enable the AAA server in the WLC.
I have setup the WLC to authenticate to a MS Server2008 NPS for a WPA2/AES SSID. The connection is successful, but client authentication fails for wrong EAP-type. I believe this indicates a Windows7 client issue. What is the required client setup to satisfy the MS NPS?
I am trying to come up with a wireless solution for a campus deployment. The campus has ten buildings currently using Autonomous APs and are currently converting to Dual 5508 Controller model.
I would like to have a separate AP Mgmt subnet in each building, so I will configure an ip helper on the SVI on this vlan to:
Option1 - Point to the Internet Router configured with DHCP Option 43 with the controller IP addresses Option 2 - Point to the Wireless LAN Controller itself.
Problem with Option 1 is that the Internet Router will now have to connect directly to the COE network to be able to route back to the AP mgmt subnets. So I would emply a VRF here to keep the separation.
Problem with option 2 is that there appears to only be one DHCP scope allowed on the controller. So this would mean a flat mgmt network across all buildings which I am trying to avoid. I know that after the AP joins the controller, I could change the IP and change the vlan on the port but this is not very neat.
So question is:
Is there a way of getting multiple DHCP pools on the controller?
We have 2 5508 WLC's on site (5508-1 & 5508-2) and at the completion of this project we will have around 150 access points. We are also using WCS. 5508-1 is set as the primary/master controller. 5508-2 is the secondary controller, serves as backup if/when 5508-1 fails. All LAPs connect to 5508-1 by default, so 5508-2 is basically sitting there doing nothing. Is this the best way to take advantage of the resources that are available? Would wireless clients see improved performance if the access points were split between the two controllers? If we do split LAPs between the controllers should I make sure that all of the LAPs on a particular floor are connected to the same controller or does that matter?
I have a 5508-WLC appliance and configured multiple ap-manager interfaces to balance the join request from LAPs and the load.I went to console port from some LAPs and saw that there was that balance among multiple ap manager interfaces (Dynamic AP Management Interfaces). Then we torn down one of the ap manager interfaces and confirmed that the LAPs were moved to next ap manager interface automatically.But the question here is, how can I verify which ap-manager interface was used for a LAP from the WLC via GUI or CLI ?? or how can I see the amount of APs joined using that ap manager interface from WLC ?
On a wlc 5508-7.0.116, can I set up 2 ssids that map to one wlan/vlan/subnet. I thought you could but I don't have the means to test without breaking production.
I'm trying to research the tunnel limits on a 5508 controller if you're terminating controllers to two different SSID's. For example. In my DMZ i have a GUEST SSID for contractors and guests and then I have another SSID used by employees so that tablet and mobile phone users can access the interenet. Because we don't trust any of these devices we have that SSID is termiated just as we do our GUEST SSID.
To reduce the number of anchor controllers I deploy, I wanted to start with one 5508 Controller. (then move up to about 3) This controller would have two SSID's, GUEST & MOBILE. On the Foreign controllers when I setup anchor tunneling I will be anchoring to the same controller however to two different SSID's.
Per the 5508 specs it supports 71 tunnels.
So my question to the group is, will the 5508 see this anchoring as one tunnel each? Or does it support 71 Tunnels per SSID?
