I have 2 APs, Cisco Aironet 1040, and 2504 WLC.Is it possible to configure guest access (Guest SSID/VLAN and Corporative SSID/VLAN) without dedicated guest WLC in DMZ?
View 4 RepliesI have setup guest access on the controller and this is not working at the moment. DHCP server setup on the controller for the Guest users. You are able to connect (get ip address from controller) and the browser gets redirected to 1.1.1.1 but then page can not be displayed instead of the login page.
View 10 Replies View RelatedI have a 2960 SI lan lite switch that I am configuring for admin and guest access. I have wireless AP's plugged into trunked ports 2 and 3. I am using two vlan's (in addition to the native VLAN). Vlan 5 for Admin and Vlan 10 for guest access. I have ACL configured on the router preventing guest users from accessing the Admin network. I want to prevent those on the guest network from seeing other hosts in the vlan however the lan lite software does not support port ACL's. Any way to accomplish this with this switch.
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
[Code]...
Can I set up a guest wifi connection on my Cisco WLC 2504 if I already have WLANs set up inside my corporate network? I want to use port 4 and connect it directly to my ISP so that it is outside of the corporate network. I set up an interface with a valid IP from the ISP and created a "Contractor" WLAN to use that interface.
View 6 Replies View RelatedI have setup guest access on the controller and this is not working at the moment.
DHCP server setup on the controller for the Guest users.
You are able to connect (get ip address from controller) and the browser gets redirected to 1.1.1.1 but then page can not be displayed instead of the login page.
Cant we create a guest user login with more than 30 days lifetime? In the lifetime field we can enter maximum 99 but it only allows up to 30
View 5 Replies View RelatedI recently got my Cisco wireless system working a few days ago and am back with a guest network. Our wireless system includes one 2504 controller and 2 2602i access points. So, I want a wireless guest network completely isolated from the LAN.
Here is what I have done.
I have created a new internal network and assigned 192.168.2.1 to an unused port on the firewall and 2.2 to a new controller interface with vlan 10. I can ping both 2.1 and 2.2 from the firewall and the controller. Basic network connectivity is working. The DHCP server is setup on this same firewall and configured only for this port. This address is referenced in the controllers interface.
A new w lan was setup and enabled. The proper interface group was selected on the w lan. I have left the default layer2 security.
As far as AAA servers tab in this wlan, this is where I am a little confused. I wish to just have a single log in for this guest network. I wasn't sure what to do so I went over to the Security tab and created a "local net users" account. I do not know how to reference the use of this under wlan, security, aaa servers. Should I check the box that says "local eap authentication"?? If so, I don't have a profile name in the drop down. What I'm looking for is the username/password to be stored locally on the controller itself since there will be only 1 account.
Under wlan, advanced tab, I do not have "Allow AAA override" checked. Should I?
Lastly, when I try to connect the client, it is not pulling a dhcp address. I wasn't sure if authentication was required before dhcp or the other way around so I'm not sure what to trouble shoot first, authentication or dhcp.
I have a cisco wlc 2504 is deploying authentication services to guest users toward a portal web customized and configured. I need to install my certificate verisign (certificate.cer) in to cisco wlc because my users don't like the page no trusted (The wlc is showing me ''There is a problem with this website's security certificate'') when they are trying to access to ssid to users guests.
View 2 Replies View RelatedIs it possible to allow certain websites to bypass the web authentication pages, so that they do not need to authenticate to get to our own website, but do have to if they wish to go anywhere else?Looking at a 5508 model at the moment
View 4 Replies View RelatedI recently setup a 2504 WLC that has two primary WLANs (internal and guest) which get their IP addresses from a central DHCP server using the local router's broadcast forwarding. Things seem to be working well for the internal wlan, but clients on the guest wlan don't seem to be getting IP addresses. If I give the client a static IP they are able to communicate across the wlan okay.
It is worth noting that I am using LAG between the controller and router and this guest wlan is really just a regular wlan (with PSK) that has an access-list applied to force it to the internet only. The access-list should be allowing dhcp requests through, but in any case, I removed the access-list and it made no difference.
Here is a debug client for a machine connected to the guest vlan (vlan 33). The internal wlan is on the 10.10.10.0/24 network (same as wired and same that the AP's are connected to) and the guest wlan is 10.33.0.0/16. I don't understand why I am seeing the dhcp request come from the internal vlan/ wlan first and it gets an IP address on this network. I then see a request on the guest wlan/vlan at which point it appears to get a valid IP address on the guest network (10.33.0.0), but the client never sees this. [code]
My customer need creates some separately web portal for some SSID (Guest and Staff), 01 web portal for Guest and 01 Web portal for Staff. Can WLC2504 can support this features ?
View 2 Replies View RelatedMy customer has multiple sites, each with a 2504 WLC.A data center with a 5508 in the DMZ acting as Anchor for the remote sites.ACS 5.x and NCS Prime.All guest users will egress to the internet via a Vlan in the DMZ.Authentication is currently web-auth on the Anchor, but will move to NCS once that is fully deployed.
Is it possible to put a printer in each site for Guest WLAN users to use?
We are deploying 3600 AP's with a 2504 and would like to create multiple SSID's that are mapped to unique VLANs so we can control the traffic at the Firewall. We have the 2504 up and running with AP's but there appears to be no where in the 2504 controller Web GUI to configure a VLAN mapping to an SSID. Any pointers to documentation on how to configure?
View 1 Replies View RelatedIs there any way to configure a wired guest network with a combination of 5508 and 2504 wireless controllers? I am aware that the 2504 does not have wired guest functionality, however is it possible to set up a wired guest on the 5508 and using mobility anchors, transmit the l2 information through eoip to communicate with the remote vlan?Home built NAC solution, using 802.1x authentication on switchports for public areas. If user is an employee, communicates with the supplicant on their machine, and places them on an internal vlan.If user is a guest, user fails 802.1x check and is placed on a "guest" vlan with an ACL and external DNS.If placed on the guest vlan, the user has to accept a terms of use form.This is working currently with our 5508s without any issue, however we have some remote offices we'd like to roll this out to that are using 2504 controllers. I'm hoping there's a way that I can use the 5508 as an anchor or vice versa to make this work.
View 1 Replies View RelatedI have an existing setup consisting of:
Windows Server - doing DHCP for private wired/wireless
Cisco 1141 Autonomous WAP with only private wireless access.
ASA 5505 (with very basic licensing)
HP switch
The customer wants to have guest WiFi.
The guest WiFi is going out to the internet via a seperate VLAN/interface on the ASA. Can the 1141 do DHCP for the guest WiFi? Or do I need to do it via the ASA?
I have a AP541N connected to a UC560. We are currently configured for Wireless Voice and Data. We have added a Guest VLAN, but don't see where in CCA to secure the VLAN from accessing the other other two default VLANs.
Additional Info: AP541N-K9-1.7(2)UC560 15.0(1)XA2, RELEASE SOFTWARE (fc2)CCA 3.0
I installed a WLAN with a WLC 2504 and 1140 APs. My network is configured the following way. 10.10.X.X/8. Port 1 on my WLC has the following interfaces management with the ip address 10.10.X.5 and the virtual interface. I have one secure SSID on the management interface. DHCP is done on my Sonicwall firewall. I was advised to create a second interface called AP-Manager and i have the following questions:
1. Do i create a new port or do I create the AP-Manager interface on the same port as my other interfaces?
2. Once i create the new interface of AP-Manager, will my APs migrate over to this interface?
3. Do i need to create the AP-Manager interface or leave all my AP's on the management interface?
4. Second do I need to create a services interface and if yes, on port 1?
I also need to create a guest network that would have the ip scheme of 172.16.X.X and have the guest authicated by level 3 web authication.
1. Do i create my guest interface on port1 or create a new port?
2. DO i need to point my DNS of the interface to the virtual interface.
I have a 2504 WLC with a 1042 AP and I have it placed on my edge Cisco 3750 switch. I have the management interface of the WLC set on my WAN IP 71.x.x.x subnet range, and I have the WLC doing DHCP duties with a DHCP scope of 192.168.X.0. I have my DNS servers set on external DNS servers out on the Internet.I have two Cisco 3845 Routers on my edge network - one for each ISP with BGP protocol.
Since my native VLAN is 71.x.x.x, I added a sub interface on my main core router and gave it a 192.168.x.1 255.255.255.0 address for the gateway. Also, I added ip prefix-list iBGP seq 10 permit 192.168.x.0/24 le 32 to my main core router. On my secondary ISP router I added ip prefix-list iBGP seq 10 permit 192.168.X.0/24 le 32, and ip prefix-list OUT seq 10 permit 192.168.x.0/24 statements.
I added VLAN 10 to my edge switch and gave it IP 192.168.x.2 255.255.255.0, and the switchports that my core router and my WLC are connected to the edge switch, are in trunk mode with encapsulation dot1q 10. The switchport on my edge switch that the AP is connected to is in switchport access mode.
I can connect to the wifi with a 192.168.x.x IP address on my laptop, but I cannot get any Internet access. Is it possible to have the DHCP scope be in a different subnet than my WAN IP subnet, and allow guests to get to the external Internet only? Do I need to put the WLC somewhere internal on my network i.e. the DMZ and then tunnel the traffic out to the Internet with no Internal network access?
I have a 2504 WLC and x6 1142 AP's and currently have this working on our corporate network (still in test phase). So far so good and looking at authentication via radius next for this.
We have a separate ADSL connection that is external to the corporate network and what i would like to do is based on SSID (in this case i'll use "Guest Access") i would like any clients etc that visit to be able to connect to our wireless but not be able to connect to our corporate network.
I would like to setup a 2504 to have one Guest WLAN and one Staff WLAN with a controller port for each WLAN connected to different devices.
I would prefer to connect the WLC Guest port to an ASA 5510 and the WLC Staff port to an internal 2960S switch. Will this work? I haven't setup a 2500 series controller previously.
Background: Cisco 4400 series WCS w/ Cisco 1142n LWAPs. Clients are HP Elitebook 2730p notebooks with Intel 5100 wifi chips.I was installing Dragon Dictate on several users tablets this weekend. I was ready for the 1 hour install. I noticed that one of the computers was done far quicker than I expected. The computer had a wired ethernet cable attached to it's docking station. The other 3 were accessing the network via the wireless. I did some checking on the WCS, and the other three notebooks were downloading files at a whopping 8 Mbps each. The server that they were. downloading from is attached via gigabit ethernet, and was little utilized. All three notebooks reported that they were connected ~80Mbps to our 2.4GHz N network. I'm willing to accept that wireless is going to be slower than wired, but this seems extreme. The three tablets were connected back to the same LWAP, which is connected to a gigabit switch. There were only three other people in the building at this time, so network congestion isn't an issue.
View 20 Replies View RelatedI recently bought a Cisco SRP527W and I'm trying to setup a second wireless network for guests.
I created a "guest" VLAN and I assigned the "guest" SSID which I have created.
I created a "guest" DHCP server and assigned it to the "guest" VLAN.
The "guest" SSID is set to broadcast and has WPA2 Personal (TKIP+AES) authentication. These are exactly the same settings I have for the "non-guest" WiFi.
However, I can't get my clients to connect to the network. The "guest" WiFi is visible and clients are prompted to enter the password but after that they end up with an APIPA address. When I move the "guest" SSID to VLAN1 (along with all the other networks) then it works absolutely fine.
I was just wondering if I'm simply missing something in the configuration ..
The device is running the latest firmware (1.01.24 (003) September 7, 2011)
DHCP server has DNS Proxy setting enabled and WAN Interface configured as "Default Route" (have basically replicated the same settings as VLAN1)
I have three 5508 WLCs, running code 7.0.98.0 supporting 100+ LWAPs in H-REAP mode. The LWAPs are servicing 2-3 WLANs each. Some are using central authentication and local switching, some are configured for central authentication and central switching. When the LWAPs fail from one WLC to another WLC, the LWAP's lose all of their VLAN mappings and pick up the VLAN of the management interface on the new WLC.
All WLANs are configured to use the management interface on the WLC and the VLAN mappings are configured per LWAP on the H-REAP properties tab. The WLAN ID numbers and all the WLAN settings are the same across all 3 WLC's. I have created AP groups on all 3 WLC's and the AP group config matches across the 3 WLCs.
I can get the LWAPs to keep their VLAN mapping by creating an interface on the WLC with the VLAN ID of the locally switched/remote site VLAN and then setting the interface for the WLAN to the new interface. However, then the WLAN doesn't work, because the centrally located WLC doesn't have the remote site VLAN. It also seems to keep the VLAN mapping if I create the locally switched/remote site VLAN interface on the WLC , and point the WLAN to the management interface. This shouldn't be a necessary step though... In H-REAP with local switching, the LWAPs aren't using the interface on the WLC.
I found a note in the 7.0 WLC config guide that explains why the VLANs are picking up the management interface VLAN, but that same note says the VLAN mappings can be changed per LWAP/WLAN!
From config guide: For hybrid-REAP access points, the interface mapping at the controller for WLANs that is configured for H-REAP Local Switching is inherited at the access point as the default VLAN tagging. This mapping can be easily changed per SSID, per hybrid-REAP access point
Using H-REAP and been able to get the LWAPs to keep the VLAN mapping when failing from one WLC to another?
I'm new to the Cisco WLCs and recently implemented a wireless infrastructure using a WLC 2100 with 1262 LWAPs. I have two of the 1262s plugged into ports 7/8 using crossover cables. They're functioning correctly with the exception of the inability SSH and send pings to the LWAPs behind the WLC. Is there anyway to ping/shh through the WLCs to the LWAPs behind it? I use an NMS (Nagios) to monitor the status of the LWAPs and it can't monitor them if it cannot ping them. Also, is there anyway to configure the WLC to monitor the status of LWAPs?
View 2 Replies View RelatedI have two SSIDs on an Autonomous Access Point, that goes to a 2960 switch, that connects to a L3 3560. I have a vlan for admin/private internal access that uses the native vlan (1) and guest vlan (50). I have configured both and I am trying to get both to go out the same Internet connection.
I cannot get the guest access to access the Internet. It looks like my computer will go, but it just comes up saying no Internet access.All interfaces are trunking this vlan properly. I can communicate from the laptop to the 3560 but I just can't get to the Internet.
2504 contrller with 1042N ap's. NPS and group policy (for computers) is setup. Certificates are setup.Logging on as a domain user I can connect to the wireless network but am only getting Internet access. I can not access any domain resources.DHCP is handled by a domain controller. I can ping servers and printers, but cannot access them. Can't map a drive, add a printer or access services on the network.
View 1 Replies View Relatedi have stand alone cisco 1130g ap ,and wlc 2504. wlc 2504 support this ap or not ?
View 3 Replies View RelatedWe have purchased Cisco 2504 Wireless Controller (One) and Ciscon 1042 Access Points (Five). At present I am going to use 3 access points only.I have attached a simple diagram of our office network. We have more than 30 VLANs configured in Core Switch, we are planning to give wifi access to only 3 VLANs.
1. VLAN 121 ( IP Segment - 10.52.121.0 /24)
2. VLAN 116 ( IP Segment - 10.52.116.0 /24)
3. VLAN 100 ( IP Segment - 192.168.100.0 /24) (Guest)
I would like to use LDAP or ACS for authentication purpose.
We have cisco 2504 controller and 1200 series access point.These are in India and country code is IN.When access point joins the controller , then in wireless>advanced , i see the two country code is already configured these are Sri Lnaka(LK) and Singpore (SG).I have disabled the radios and changed the country code to IN but after doing that Access point is not joining the controller and giving the duplicate error.
Then i have again set the country code to IN,LK and SG.I am able to see the LK and SG but In is not showing in drop down list.
Operationally everything is working fine.
Question about cisco 2504 wireless controller, is it support cisco 1552E outdoor access point? If NO provide me the correct series/model.
View 9 Replies View RelatedI have installed/setup a cisco 2504 wireless controller and 3 aironet 1142 access points using the basic config on a windows sbs 2008 domain, the problem is that the clients that are connected to the 2504 aint getting the there ip addr from the AD but from the wireless controller, and there cant reach the clients on wifi from the clients that are connected to lan, is there anyway that i cant change this so that a client on lan can see the client on wlan and vice versa.
View 5 Replies View RelatedWe have a 2504 Wireless Controller and it works great!We currently have 6 Access Points (Aironet 1252) connected.We just added the sixth one a few weeks ago and with a properly configured and fully functioning Wireless Controller, it was super easy.Now, I have been assigned to add another Access Point, but at a remote site.The plan is to have up to three or more APs at this remote location and we want them to talk back to the Wireless Controller.We have plenty of licences on our current Wireless Controller.Do do not want to spend the funds for another Wireless Controller and more licenses.
1. How does one manually add a Aironet 1252 to the 2504 Wireless Controller
2. If the AP is on a different subnet than the Wireless Controller, how does one get it registered?
3. The best for last: Can a Aironet 1252 talk to a 2504 Wireless Controller over a WAN link?
We are planning to setup a new WLAN using Cisco 2504 WLAN Controller and 1142N Access Point. Is it possible to create individual user accounts for the users those who all are connecting to this WLAN Network by using the 2504 WLAN Controller ?
View 1 Replies View Related