I have a cisco wlc 2504 is deploying authentication services to guest users toward a portal web customized and configured. I need to install my certificate verisign (certificate.cer) in to cisco wlc because my users don't like the page no trusted (The wlc is showing me ''There is a problem with this website's security certificate'') when they are trying to access to ssid to users guests.
View 2 RepliesMy customer has multiple sites, each with a 2504 WLC.A data center with a 5508 in the DMZ acting as Anchor for the remote sites.ACS 5.x and NCS Prime.All guest users will egress to the internet via a Vlan in the DMZ.Authentication is currently web-auth on the Anchor, but will move to NCS once that is fully deployed.
Is it possible to put a printer in each site for Guest WLAN users to use?
When I get the web authentication dialog from 1.1.1.1 it starts of with a certificate error. Is there a way to prevent this certificate error while using the self signed certificate? I have not been successful installing certificates on my WLC - problems with OpenSSL and others. Want to get this deployed but don't want users to have to encouter that error.
View 1 Replies View RelatedI have cisco 2504 WLAN controller with 7.4 IOS. My query is can I configure the MAC authentication with certificate based. And without using any external servers like Radius, ACS and LDAP.
May I know, If there is a option on WLC…
Have WLC 5508 running 7.4 code; have wlan setup to allow access to internal network. Users on ipads should be able to connect to this wlan and authenticated via certificate instead of PSK. We have setup laptops that are part of domain to use internal CA for authentication to WLAN. Ipads are not part of domain so we are not able to use the same model, or can we use the same model for authentication?How to setup WLC to authenticate ipad users via certificate instead of PSK while connecting to the WLAN?
View 1 Replies View RelatedCan I set up a guest wifi connection on my Cisco WLC 2504 if I already have WLANs set up inside my corporate network? I want to use port 4 and connect it directly to my ISP so that it is outside of the corporate network. I set up an interface with a valid IP from the ISP and created a "Contractor" WLAN to use that interface.
View 6 Replies View RelatedWe have bought an 2504 Wireless Controller and now i want to download the newest Software, actually the Wireless Controller runs release 7.2.103. In the download section from Cisco i've found two "latest versions" the 7.0 with release date from 11.09.2012 and the other 7.3 with the release date 30.08.2012.
Now I'm a bit confused about this, because the higher release has an lower release date : Can you tell me the difference between this versions? and which version i should install?
Just purchased a 2504 w/15 licenses and to run 10 - 2602i AP's. Code out of the box is 7.0.222.0 but when I go the support site I see 7.2, 7.3 and 7.4 all with relatively recent dates. I found I need 7.2.110.0 at a minimum to run the AP's. All the code versions say ED, which I thought was not final release versions.
View 1 Replies View RelatedI have setup guest access on the controller and this is not working at the moment.
DHCP server setup on the controller for the Guest users.
You are able to connect (get ip address from controller) and the browser gets redirected to 1.1.1.1 but then page can not be displayed instead of the login page.
I have a 2504 Controller (os version 7.0)with 7 access poins attached and with 2 vlans. one for regular users and another for gues users.
View 10 Replies View RelatedCant we create a guest user login with more than 30 days lifetime? In the lifetime field we can enter maximum 99 but it only allows up to 30
View 5 Replies View RelatedI recently got my Cisco wireless system working a few days ago and am back with a guest network. Our wireless system includes one 2504 controller and 2 2602i access points. So, I want a wireless guest network completely isolated from the LAN.
Here is what I have done.
I have created a new internal network and assigned 192.168.2.1 to an unused port on the firewall and 2.2 to a new controller interface with vlan 10. I can ping both 2.1 and 2.2 from the firewall and the controller. Basic network connectivity is working. The DHCP server is setup on this same firewall and configured only for this port. This address is referenced in the controllers interface.
A new w lan was setup and enabled. The proper interface group was selected on the w lan. I have left the default layer2 security.
As far as AAA servers tab in this wlan, this is where I am a little confused. I wish to just have a single log in for this guest network. I wasn't sure what to do so I went over to the Security tab and created a "local net users" account. I do not know how to reference the use of this under wlan, security, aaa servers. Should I check the box that says "local eap authentication"?? If so, I don't have a profile name in the drop down. What I'm looking for is the username/password to be stored locally on the controller itself since there will be only 1 account.
Under wlan, advanced tab, I do not have "Allow AAA override" checked. Should I?
Lastly, when I try to connect the client, it is not pulling a dhcp address. I wasn't sure if authentication was required before dhcp or the other way around so I'm not sure what to trouble shoot first, authentication or dhcp.
I have 2 APs, Cisco Aironet 1040, and 2504 WLC.Is it possible to configure guest access (Guest SSID/VLAN and Corporative SSID/VLAN) without dedicated guest WLC in DMZ?
View 4 Replies View RelatedI have setup guest access on the controller and this is not working at the moment. DHCP server setup on the controller for the Guest users. You are able to connect (get ip address from controller) and the browser gets redirected to 1.1.1.1 but then page can not be displayed instead of the login page.
View 10 Replies View RelatedI recently setup a 2504 WLC that has two primary WLANs (internal and guest) which get their IP addresses from a central DHCP server using the local router's broadcast forwarding. Things seem to be working well for the internal wlan, but clients on the guest wlan don't seem to be getting IP addresses. If I give the client a static IP they are able to communicate across the wlan okay.
It is worth noting that I am using LAG between the controller and router and this guest wlan is really just a regular wlan (with PSK) that has an access-list applied to force it to the internet only. The access-list should be allowing dhcp requests through, but in any case, I removed the access-list and it made no difference.
Here is a debug client for a machine connected to the guest vlan (vlan 33). The internal wlan is on the 10.10.10.0/24 network (same as wired and same that the AP's are connected to) and the guest wlan is 10.33.0.0/16. I don't understand why I am seeing the dhcp request come from the internal vlan/ wlan first and it gets an IP address on this network. I then see a request on the guest wlan/vlan at which point it appears to get a valid IP address on the guest network (10.33.0.0), but the client never sees this. [code]
My customer need creates some separately web portal for some SSID (Guest and Staff), 01 web portal for Guest and 01 Web portal for Staff. Can WLC2504 can support this features ?
View 2 Replies View RelatedWhen a guest user first trys to access the "guest" WLAN, they are presented with a "certificate page" before the web athentication page / login is presented. The WLC forces an internal redirect to https://1.1.1.1 causing the certificate page to appear. Can this be bypassed? I am runiing 5508 with 7.0.220.0.
View 12 Replies View RelatedWe are deploying 3600 AP's with a 2504 and would like to create multiple SSID's that are mapped to unique VLANs so we can control the traffic at the Firewall. We have the 2504 up and running with AP's but there appears to be no where in the 2504 controller Web GUI to configure a VLAN mapping to an SSID. Any pointers to documentation on how to configure?
View 1 Replies View RelatedI run a business and have customers who would like to use my wireless internet. I previously had a completely open network that I would allow them to use, until someone illegally downloaded a movie and got us in trouble. I would like to allow use of the network again, but limit activities like this. Basically, so they could only do basic web browsing, etc.
View 1 Replies View RelatedWe have Wireless Setup and facing the latency issue for Wireless users , Wireless Controller is 2504 and AP are of 3600 Series .Even we stand below the AP , latency is in range of 19 to 20 ms , while client has Autonomous setup , so when he shifts the connectivity to Autonomous Setup he get latency is range 2 to 8 ms which is good then WLC setup...
While Testing We made the Single AP on which is integrated with WLC and check the Latency , but in these senario also it range from 19 to 20 ms ... ( Also sametime all Autonomous AP's were Off )
I am attaching the show techsupport to resolve the issue and tell me what fine tunning can be done to resolve the latency issue.
Is it possible to assign IP addresses to remote site WIFI users from local DHCP server and forward all other traffic to 2504 WLC?
[WIFI Users] >--------<AP (DHCP server) >------ VPN ---------< WLC
Is there any way to configure a wired guest network with a combination of 5508 and 2504 wireless controllers? I am aware that the 2504 does not have wired guest functionality, however is it possible to set up a wired guest on the 5508 and using mobility anchors, transmit the l2 information through eoip to communicate with the remote vlan?Home built NAC solution, using 802.1x authentication on switchports for public areas. If user is an employee, communicates with the supplicant on their machine, and places them on an internal vlan.If user is a guest, user fails 802.1x check and is placed on a "guest" vlan with an ACL and external DNS.If placed on the guest vlan, the user has to accept a terms of use form.This is working currently with our 5508s without any issue, however we have some remote offices we'd like to roll this out to that are using 2504 controllers. I'm hoping there's a way that I can use the 5508 as an anchor or vice versa to make this work.
View 1 Replies View RelatedHave a WLC 5508 running 6.x code with LAP's providing wireless for our internal laptops (WPA2 and EAP-TLS). I want to provide guest wireless which goes out a different port on the WLC to a guest firewall/cable modem. However, we want to prevent our internal laptops from being able to use the guest wireless. I have RADIUS (IAS) and LDAP for my AD available. We would prefer not to have use Lobby Ambassador and just have the guests use a simple password or web passthru. Guests may be laptops or smartphones. What options are available? I have tried a test setup using dynamic vlan assignments from RADIUS using the IETF flags, but can't seem to get it to work. Is there a way to identify the SSID is being used at the RADIUS server?
View 13 Replies View RelatedI know that the recommendation from Cisco for the mobility anchor feature to work well is to use the same IOS version on the anchor WLC and local WLC controller. Now I´ll install on a new site a 5508 local WLC with a newer IOS version which is installed on the other controllers ( Guest and local ). Later I´ve planned to update also the other controllers to the same IOS version. Now my question is, must I upgrade all other controller at the same time ?
View 4 Replies View RelatedMy serial number on the E4200 starts with 01 - does that indicate it is a version 1? If not, how do I determine which version I have? Are there any software updates available? How do I disable my guest access?
View 1 Replies View RelatedThis is the first time I am trying my hands on wireless gears. I have 2500 WLC and 1142 AP (which I converted from Standalone to LAP).I have a layer 3 POE switch where i am using port 1 for the WLC which is a trunk port.
Port 2 is for the AP using access vlan 111
Port 3 is trunk port going to a router where i am running dhcp server for the VLANs which are as follow:
VLAN 110 -Corp Wireless (10.1.110.0/24)
VLAN 111 - AP-Mgmt (10.1.111.0/24)
VLAN 999 - Guest (10.1.101.0/24)
I wanted to block the traffic from the Guest VLAN 999 but when i apply the ACL on the Guest Interface created on the WLC, I dont see any pings going across and neither I see any hit counts on the deny statement as if the ACL is never applied.
I have some iPhone in my company and they connect to VPN through an ASA (version 8.0.4). The vpn connection use a certificate to validate that the device can connect. All my devices used the ASA IP address to connect, I decide to change that and use a name to connect ( DNS resolution made by the ISP), a generate a new certificate and made a new vpn connection profile. My PC, mac book pro can connect using the new connection, but my iPhone display the message : "Could not validate certificate". I've checked all the configuration and can't find where the difference between my two connection profile.
View 2 Replies View RelatedI installed a WLAN with a WLC 2504 and 1140 APs. My network is configured the following way. 10.10.X.X/8. Port 1 on my WLC has the following interfaces management with the ip address 10.10.X.5 and the virtual interface. I have one secure SSID on the management interface. DHCP is done on my Sonicwall firewall. I was advised to create a second interface called AP-Manager and i have the following questions:
1. Do i create a new port or do I create the AP-Manager interface on the same port as my other interfaces?
2. Once i create the new interface of AP-Manager, will my APs migrate over to this interface?
3. Do i need to create the AP-Manager interface or leave all my AP's on the management interface?
4. Second do I need to create a services interface and if yes, on port 1?
I also need to create a guest network that would have the ip scheme of 172.16.X.X and have the guest authicated by level 3 web authication.
1. Do i create my guest interface on port1 or create a new port?
2. DO i need to point my DNS of the interface to the virtual interface.
I have a 2504 WLC with a 1042 AP and I have it placed on my edge Cisco 3750 switch. I have the management interface of the WLC set on my WAN IP 71.x.x.x subnet range, and I have the WLC doing DHCP duties with a DHCP scope of 192.168.X.0. I have my DNS servers set on external DNS servers out on the Internet.I have two Cisco 3845 Routers on my edge network - one for each ISP with BGP protocol.
Since my native VLAN is 71.x.x.x, I added a sub interface on my main core router and gave it a 192.168.x.1 255.255.255.0 address for the gateway. Also, I added ip prefix-list iBGP seq 10 permit 192.168.x.0/24 le 32 to my main core router. On my secondary ISP router I added ip prefix-list iBGP seq 10 permit 192.168.X.0/24 le 32, and ip prefix-list OUT seq 10 permit 192.168.x.0/24 statements.
I added VLAN 10 to my edge switch and gave it IP 192.168.x.2 255.255.255.0, and the switchports that my core router and my WLC are connected to the edge switch, are in trunk mode with encapsulation dot1q 10. The switchport on my edge switch that the AP is connected to is in switchport access mode.
I can connect to the wifi with a 192.168.x.x IP address on my laptop, but I cannot get any Internet access. Is it possible to have the DHCP scope be in a different subnet than my WAN IP subnet, and allow guests to get to the external Internet only? Do I need to put the WLC somewhere internal on my network i.e. the DMZ and then tunnel the traffic out to the Internet with no Internal network access?
I have a 2504 WLC and x6 1142 AP's and currently have this working on our corporate network (still in test phase). So far so good and looking at authentication via radius next for this.
We have a separate ADSL connection that is external to the corporate network and what i would like to do is based on SSID (in this case i'll use "Guest Access") i would like any clients etc that visit to be able to connect to our wireless but not be able to connect to our corporate network.
I want to join the AIR-AP1121G-E-K9 LAP to an 2504 WLC with software release 7.4.x .In the compatibility matrix i saw that it's just possible if the WLC has the software version of 7.0.x.So my questions are:
1. Why it's needable to upgrade the WLC from 7.0.x to 7.4.x?
2. Is there any possibility to join the AP1121G to an 2504 WLC with 7.4.x version?
3. What's the difference between the releases 7.0.x and 7.4.x
I would like to setup a 2504 to have one Guest WLAN and one Staff WLAN with a controller port for each WLAN connected to different devices.
I would prefer to connect the WLC Guest port to an ASA 5510 and the WLC Staff port to an internal 2960S switch. Will this work? I haven't setup a 2500 series controller previously.
We have a customer with ACS 4.2 Appliances who currently uses the Layer 3 web-redirect guest function to authenticate users against AD via ACS and LDAP to the AD, its a mixture of un-managed Windows, Mac & linux clients.
They want to move to an 802.1x solution.
Now MS-CHAPv2 is proably the obvoius choice (maybe it isnt considering Linux and MAC clients ... comments???). However the only option to integrate with AD is LDAP i.e remote agents or an upgrade to 5.x is out of the question.