Cisco Wireless :: WLC2504 - Can Internal Web Authentication Be Used For Guest Network

Mar 18, 2012

Can we change the internal web authentication for guest network to use http instead of https?




Cisco Firewall :: ASA 5520 - Allowing Guest Wireless Network Access To Internal Subnets

Jan 23, 2012

We have a Cisco wireless infrastructure in place that includes a guest network with its own subnet that is a sub interface of the inside interface on our ASA 5520. There are no routes for it to be allowed access to the internal subnets. So it can only access the internet. This is primarily used by the public, but we have several non employee personnel that we only want to give internet access and force them to access the internal network through our clientless SSL vpn portal or through other internet facing internal resources such as webmail. I have done packet traces from within the ASA and the break appears to be there is no ACL allowing the traffic back into the network once the web resource replies to the request and the traffic is attempting to come back into the network from the web resource. Is that as clear as mud?

I know that this has to be a common problem and a way around this is to allow the guest wireless network access to the internal network but only for the select resources that they require. And that this can be done seamlessly by network specific routes and or alternate DNS entries, but I would like to keep this simple and just allow them to access the web resource, webmail and VPN, from the guest wireless using internet DNS servers without route trickery.


Linksys Wireless Router :: EA4500 Guest Network Re-authentication Doesn't Work

Sep 15, 2012

I have successfully set up a guest network on my EA4500. Guest laptop associates with guest SSID just fine. Then via IE, it gets prompted for the guest password, which is entered and accepted just fine. At this point guest laptop is on the network.
 
BUT... at some point the guest laptop will need to reauthenticate (I don't know what the timeout is, but maybe one or two days?). Anyway, it's at this point that IE presents the guest network login page. But now after typing in the password, "enter" or clicking on the button does nothing. It looks like the guest web page doesn't get loaded properly or completely, so the reauthentication can't complete, therefore can't get to the internet. So, while in this state, I've also tried Firefox and Chrome, and same thing, no action when trying to submit the guest password. Tried rebooting guest laptop, and still same problem. Only thing I've found so far that works is to reboot the router. So I'm guessing there's a problem with the guest/web server on the router?? It's a real pain to have to reboot the router every day or two, when I've had other Linksys routers run for months without having to touch them.
 
I was running CCC 2.1.38 when I first noticed the problem. Since then I've downgraded to Classic 2.0.37, but it seems I still have the same problem. Again, I can connect & authenticate just fine initially, but when reprompted after some period of time, it doesn't work.
 
I've tried contacting Cisco support, but it looks like I'm at 91 days since purchase and thus outside of my 90-day complimentary support, so they happily provided me with the premium support options just to have the honor of talking with them. Guess I shouldn't have spent so much time trying to figure this out myself.


Cisco :: ASA 5520 - Don't Allow Guest Traffic Access Internal Network

Feb 28, 2013

I have created a new sub-interface on our ASA 5520 for guest internet access.

My goal is to allow access to a few specific services hanging off some dmz interfaces on the same firewall and full unrestricted access to the internet only. Everything else should be out of bounds.

The order of the rules I plan to setup on the guest interface inbound are:

#1. <rules to allow access to specific services in the dmz>

#2. <block any ip access to the entire private network ip address space>

#3. <permit ip any any>

#1. These rules will give access to the guest user to services located in the dmz

#2. This rule will block all access to any services in the private ip address space (thus blocking access to all internal services)

#3. This rule is to allow access to any other services i.e. the internet.

Is this the best way to achieve my goal in the most secure way or is there a better way? i.e. is there a way to force the traffic by default to only go out the outside interface unless there is a specific rule allowing it to go elsewhere?

(Of course Dynamic PAT will also be configured for traffic coming from the guest interface to the outside interface.)


Cisco Firewall :: ASA 5510 - Guest Network Access To Internal Webserver

Dec 18, 2012

I have the syntax correct and thought process down right on a solution to allowing guest wireless users access to an internal webserver.  (DMZ discussion aside)
 
We have an ASA5510 with interfaces setup as:
outside - 65.x.x.x address
inside - 172.20.1.2
guest_inet - 10.2.1.1
 
Internally clients resolve our website to 192.168.40.40 and that part works as it should. Clients outside of our network resolve our website to the correct external address (let's just call it 1.1.1.1). We have a NAT statement static (inside, outside) 1.1.1.1 192.168.40.40 netmask 255.255.255.255 and an ACL to permit tcp any host 1.1.1.1 eq www
 
Clients on our guest_int use an external DNS server and hence resolve our website to 1.1.1.1.  However it seems traffic goes out and back in our outside interface and this connection never occurs.
 
What I'm wondering is the correct NAT statement / ACL to add that would allow our internal clients on the 10.2.1.x network to access our internal website.  Would that be: static (inside,guest_inet) 1.1.1.1 192.168.40.40 netmask 255.255.255.255 ?  Since there is already an ACL permitting port 80 traffic to 1.1.1.1 we should be taken care of on the ACL side of things, right?


Cisco :: Enable Guest Network Authentication In Network With WLC 4404 Controllers And No WCS?

Feb 18, 2013

What's the least expensive way to enable Guest Network authentication in a network with WLC 4404 controllers and no WCS? Management would like guests to register with a valid email address and enter a 'password du jour' to keep unauthenticated users from chewing up bandwidth with automatic connections.


Cisco Wireless :: WLC2504 - Network Lan Sharing Not Working?

Oct 29, 2012

1) We have a client setup which has all PCs in a workgroup, and the client has network sharing enabled on the LAN. It works well on the LAN; he doesn't have a local DNS, but he is still able to ping or access shares using the device hostname.

2) When the client moves onto wireless, he is not able to ping or access shares using the hostname, but if he uses the IP details he is able to ping and share, using the IP address only.
 
My Wireless Setup has WLC2504 and LWAPP Access Points.


Cisco Switching/Routing :: Catalyst 4506 / Routing For Internal And Guest Network

Dec 19, 2011

I am implementing a guest wireless network to work alongside my internal network. The guest network will use the existing switching network and will be separated by VLANs. I have the ASA set so that traffic can get to it and out to the Internet. I can set up a workstation on the same VLAN as my guest network and can route inside my network (strictly doing this for testing purposes). Where I am having problems is with the Catalyst 4506 switches and the ip routing. I had two separate "ip route" statements defined on my switches.
 
ip route 10.200.2.0 255.255.255.0 10.200.2.254
ip route 0.0.0.0 0.0.0.0 10.100.100.254
 
I have discovered that the traffic is always following the default route despite the fact that my IP address on my test workstation falls in the 10.200.2.x network. I was looking at documentation and found that it is possible to set up policy-based routing on the core switches. Can you have two "ip route" statements defined like this to segregate traffic or do I have to use PBR for routing (or a combination) in this case? If I define PBR then how does that impact my existing routing? I need to make sure that I can still route the existing traffic while I'm configuring this change.


Cisco :: 1130AG - Give Guest Wireless Access To Internal LAN

Mar 23, 2011

We have a guest wireless network using 1130AG Access Points.  Is it possible to allow devices on this network access to an Internal IP?  I know that kind of defeats the purpose on the guest network, but we'd like to give access to internal email to these devices.  Currently this does not work because you cannot loop back into the network to gain access (out the firewall and right back in the same port).


Cisco :: WLC 5508 - Keeping Internal Users Off Guest Wireless

Mar 22, 2010

Have a WLC 5508 running 6.x code with LAPs providing wireless for our internal laptops (WPA2 and EAP-TLS). I want to provide guest wireless which goes out a different port on the WLC to a guest firewall/cable modem. However, we want to prevent our internal laptops from being able to use the guest wireless. I have RADIUS (IAS) and LDAP for my AD available. We would prefer not to have to use Lobby Ambassador and just have the guests use a simple password or web passthru. Guests may be laptops or smartphones. What options are available? I have tried a test setup using dynamic vlan assignments from RADIUS using the IETF flags, but can't seem to get it to work. Is there a way to identify the SSID being used at the RADIUS server?


Cisco Wireless :: 2100 No Internal DHCP Over Another (Guest) SSID / Interface

Feb 24, 2013

I have a Cisco WLAN controller (2100) running software 7.0.235.0. I have the internal private WLAN running off of port 1 and that is working fine with an internal DHCP server. Is it possible to set up another SSID (guest) and have the interface directly linked to a static IP on the WAN and also use the built-in Cisco internal DHCP server?


Cisco Wireless :: 4402 - No Internal Interface / How To Get Guest Access Working

Nov 29, 2011

I have been trying to create a Guest WLAN on my 4402 WLC system and have found several conflicting documents explaining the procedure. During this process I have noticed that although the current corp wireless works, there was never a virtual interface created for it. Instead it uses the same WLAN/VLAN as the AP manager and management interfaces. Could this be why I can't seem to get the Guest access working? Or is this not a problem after all since the wireless does work?


Cisco Wireless :: WAP4410N Separate Access To Guest And Internal Employees

Sep 12, 2011

I have two WAP4410N wireless routers with software version (2.0.1.0). I have a problem with SSID broadcast and access. I have created two SSIDs, WC72 and SREE, with the same security configuration, WPA2-Personal Mixed. I can't see the broadcast SSID named SREE; I only see WC72 and get connected to it.

What I initially want is separate SSIDs and internal network access for internal employees and guests (shouldn't connect to internal network).


Cisco Wireless :: Setup WRVS4400N To Isolate Guest Totally From Internal SSID

Jan 25, 2011

A query here with regard to wireless isolation between SSIDs and wireless isolation within an SSID. Say we have 2 SSIDs, e.g. InternalSSID and GuestSSID, on AP1. Both SSIDs are set to Enabled for isolation between SSID and within SSID; that would mean all machines connected thro' this AP1 would be isolated from one another.
 
1) If there's 1 laptop that connects to another AP, lets call it AP2, (doesn't have isolation function) on ssid01. Would this laptop still be isolated from those that connects to the first AP?
 
2) If there are wired PCs connected to the router. And the 2 APs are connected to the same router. Would the machines connected thro' the AP1 on either InternalSSID, GuestSSID be able to access those wired PCs? (My assumption is yes.)
 
3) Is there a quick and efficient way to setup on WRVS4400N to isolate GuestSSID totally from InternalSSID, and wired PCs. InternalSSID and wired PCs should be allowed to 'see' one another.

The challenge here is that, the network points are all installed already. Both AP are connecting thro' 2 separate unmanaged switch together with a couple of other PCs. 1 Port on the unmanaged switch, each,connects to the router.


Cisco Wireless :: AP541N-A-K9 Guest Access Authentication

Nov 12, 2012

I currently have two AP541N access points.  Both are configured for internal access and one unit is configured with a Guest VAP.  I want to configure the Guest VAP to redirect to an authentication page so that the user connecting has to log in to get internet access.  I'm fairly certain the AP541N doesn't offer this out of the box.  I know I can redirect, but what is needed to force a user to authenticate to gain internet access.  I want to find out what additional hardware/software I will need in order to create Guest Services of this VAP. 


Cisco Wireless :: 1142 Disconnects Every 5 Minutes On Guest WLAN With Re-authentication

Jul 18, 2012

I have a strange situation on my guest wireless LAN. The guest WLAN is configured as an SSID "GUEST" on Cisco 1142 lightweight APs, with WiSM controller and WLC software version 7.0.230.0.
 
For simple Internet access using this SSID, we have a web policy, which causes a web page to be displayed when the user opens his/her browser, and on this web page, the user must click on an "Accept" button in order to accept the terms and conditions of use. Once the user accepts, the browser will then go to the web site which the user wishes to open. When using this mode of access, everything is fine.
 
However, there is also a pre-authentication ACL, which allows certain types of VPN traffic to reach the Internet without the user being required to accept terms and conditions. The ACL allows ESP, IKE (UDP/500), IKE over UDP (UDP/4500), DNS, HTTPS/SSL (TCP/443), DHCP client and server (UDP/67,68). The pre-auth ACL actually works as intended; and the ACL traffic is NOT allowed when the ACL is removed. This is exactly as it should be.
 
However, when using, for example, a VPN client such as the Cisco VPN client, or the Cisco AnyConnect client, via this guest SSID without user acceptance, the WLAN regularly and predictably stops passing traffic. This is 100% repeatable and predictable; it happens every 300 seconds, or possibly slightly longer. I have only used my PC clock to time it so the timing isn't all that accurate but I'm sure it's within a few seconds.
 
Given that the problem happens at the same time interval and is constant, I guessed there must be some configuration item which needs to be altered, but I've looked extensively at the controller GUI (we actually use WCS here) and I can't see anything that looks even remotely related to this.


Linksys Wireless Router :: Guest / User Authentication E2000?

Jul 7, 2011

E2000 has the guest account feature. Not sure if all guests share the same login credentials. I would like to have guest accounts use separate logins. Is this feature available? Another thing, I read the manual and it is indicated that only up to 10 maximum guest accounts are allowed. I am looking for more than 10 - kinda like a hotspot software.
 
I've been looking everywhere.  I've seen hotspot system, ddwrt, chillspot, etc.  But it's complicated as firmware needed to be flashed.


Linksys Wireless Router :: EA4500 Guest Network - Losing Guest Clients After About 24 Hours

Oct 17, 2012

Any problems with the guest network on the EA4500 with the cloud firmware? I am losing guest clients after about 24 hours and the re-authentication fails. You enter the guest password and nothing happens until you reboot the router.


Cisco VPN :: 3000 - Internal Authentication Server

Aug 19, 2012

Problem about authentication in VPN 3000 but until now I haven't had return on neither of the post maybe those I'm more clear than others.

I have a VPN 3000 with PPTP Tunnel VPN and the first authentication option is on Server Radius:
 
Configuration > System > Server > Authentication is firstly the Server Radius and after Internal ( Authentication on Base Group Internal )
 
But when I configure a user in User Management > User, it doesn't work. I think that the authentication order is first Radius, and if it doesn't find it, the second option is processed, which (in this case) is the Internal server. But that doesn't occur; the error in the log is:

44 04/20/2011 00:00:08.550 SEV=3 AUTH/5 RPT=137 187.55.63.215 Authentication rejected: Reason = Authentication failure handle = 299, server = (none), user = x1, domain = <not specified>

46 04/20/2011 00:00:08.550 SEV=5 PPP/9 RPT=135 187.55.63.215 User [x1] disconnected.. failed authentication ( MSCHAP-V2 )

How does the VPN 3000 behave when the first server (in this case a Radius) isn't found? Is the second one processed?


Cisco :: Guest Authentication Using AP1200s

Aug 31, 2011

I am looking for a way, even something that might be EOS, that will allow autonomous AP1200s to force a user to enter a user name and password (or even just password) before allowing a user network access.  This is a hotel environment so even though the first client authenticates the process needs to be initiated again whenever a different laptop comes onto the network. 


Cisco AAA/Identity/Nac :: ACS 5.1 Authentication MAB And Set Guest VLAN

Jul 13, 2011

Is it possible to set the dot1x guest-vlan on a Catalyst switch via ACS 5.2 dynamically? I want to do MAB with known devices (FAT clients, notebooks, desktops, printers) and unknown devices. I will set the VLAN dynamically with dot1x per ACS. For known FAT clients, notebooks etc. it's running well. But for printers it's more difficult, because I have about 500 printers in several IP segments on several switches and I don't want to make too many rules in ACS for grouping, mapping and authority rules. My idea is to set the guest VLAN on every switch, read it with ACS and use this for my printers. The problem is that the guest VLAN is set on more than 100 switches and this guest VLAN is different on every switch. Can I read the guest VLAN value so that I can set this via ACS?


Cisco AAA/Identity/Nac :: ACS 5.2 - Guest NAC Radius Authentication

Oct 31, 2010

For some reason, I can't get the lobby "sponsors" to authenticate to the Guest NAC server (2.0.2) using ACS 5.2 via Radius. I was able to figure out how to get the Guest NAC Radius Authentication for "Administrator" to work by adding custom Radius value IETF-6 under...

Policy Elements > Authorization & Permissions > Network Access > Authorization Profiles

I added a policy & under the Radius Attributes Tab... I manually entered an Attribute that looks like the following:

Dictionary Type: = RADIUS-IETF
Radius Attribute: = Service-Type
Attribute Type: = Enumeration
Attribute Value: = Static
Value = "Administrative"

I then created an Access Policy... I looked for a specific AD group - Result = "Name of Custom Policy Above"...
 
All of that is working just fine.... the NAC Guest Docs tell you the Radius server must return a value of IETF-6...
 
When it gets into the Sponsor section, it doesn't tell you the value your Radius server should return... so just for grins, instead of "Name of Custom Policy Above", I tried "Permit Access"... i tried the "Name of Custom Policy above"...  Not sure what else to try to get this to work...
 
Here is a link to the document I'm following: URL

Page 68 refers to the "Configuring Sponsor Authentication" for Radius.. it just tells you to add the Radius Server & change the authentication order.


Cisco AAA/Identity/Nac :: Can Use ACS 5.2 As Guest User Authentication Server?

Jun 5, 2012

Can use ACS 5.2 as Guest user authentication server?


Cisco AAA/Identity/Nac :: 5508 - NGS Guest Server Authentication Error

Apr 29, 2011

I installed NGS 2.0.2 for wireless guest user management and authentication. I implement webauth via the webauth page on the WLC deployed. One branch with a WLC5508 version 7.0 wireless anchor controller is working on the NGS. But now I am integrating the next branch with a WLC4402 version 6.0.188, and the authentication of users at the new branch gets an error, wrong user/password.

I double checked the configuration and user/password but I can't find any configuration error. Also stopping and starting the radius service and rebooting the NGS still does not work. I tried to debug the radius via the web interface and watched the log file and there is still a reject. I also tried the freeradius command radiusd -X but I got an error when starting radiusd -X.

1.) How can I figure out if I will get the correct password from my WLC? Are there any debug options to see more? e.g. some cli commands, radiustest utilities or how to get the received password from the chap challenge of the debug?

2.) I have appended a part from my radius log file. How can I find the detailed error in the radius log file? Is it correct that the password in the debug file is empty? Radius log line "[radius-user-auth] expand: %{User-Password} -> "


Cisco Wireless :: AP3502I-E-K9 Cannot Join WLC2504

May 23, 2013

I have WLC 2504 and AP3502I. AP can not join wireless controller.

*May 24 16:33:51.871: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*May 24 16:33:51.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.80.90.99 peer_port: 5246

[code].....


Cisco Wireless :: WLC2504 Can't Create Interface On WLC Of Static IP

May 18, 2013

I need urgent support on creating an SSID as layer 2. We have a Cisco WLC2504 and 1602i access point. In our network we have in gate for guest. I want to create one SSID and bind it with a VLAN only. We cannot create an interface on the WLC because of static IP.


Cisco Wireless :: How To Activate Mesh Software In WLC2504

Nov 9, 2011

I have two Wireless LAN Controllers 2504 and 8 APs 3502e. The WLCs are running software version 7.0.116.0. The problem is that I don't have the mesh option to configure indoor mesh inside the controller. Chapter 9 of the Wireless LAN Controller Configuration Guide, Release 7.0.116.0, says that I have to go to the Wireless menu and select the AP. When I am inside the AP general page, the guide says I have to go to the Mesh tab, but that tab doesn't appear in the controller GUI. Do I have to use another image in the controller? Or do you have to use a special mesh code or something like that? Because in the download page of the controller it only appears the 7.0.116.0, two more new versions but there is nothing about mesh image.


Cisco Wireless :: Aironet 1130 Can't Join WLC2504?

Aug 13, 2012

I have the problem that the AP1130 can not join to WLC2504.
 
Console Messages of AP1130:
  
*Aug 14 09:34:54.029: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Aug 14 09:34:54.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.x.251 peer_port: 5246

[Code].....


Cisco Wireless :: WLC2504 - WLAN With Win2k8 NSP Not Working

Jul 8, 2012

I am having issue with integrating WLC2504 with Win2k8 server NSP radius server.


Cisco Wireless :: WLAN Support For WLC2504-25 License

Oct 25, 2011

I have a few questions about the WLC 2504 with a 25 AP license. Our customer has around 30 SSIDs; is it possible to create around 30 WLAN SSIDs on the WLC 2504? Because I had tried to do it on a WLC4404-25 License, which can create WLANs with 30 SSIDs.


Cisco Wireless :: WLC2504 - Configure Clients To Access 802.1x?

Jul 4, 2012

Configured a Cisco 2504 WLC with 1142 APs... Guest wireless works fine.

For the staff wireless I wanted to authenticate with 802.1x & Radius. So I configured an external Radius server (Imprivata) and configured the 2504 Radius options for the external server (Layer 2: WPA2-AES & Auth Key Mgmt: 802.1x).
 
When I connect a client to this wireless, the authentication fails, I wonder whether it is because of the client side settings..
 
Which trusted Root Certification Authorities need to be checked?


Cisco Wireless :: WLC2504 - Controllers Loses Current Time

Jan 22, 2013

Every time I power down my WLC2504 controller and then back up, the time reverts back to the year 2000. The APs can't join the controller, due to certificate errors, until I reset the clock. This problem just started recently.


Cisco Wireless :: Replace WLC2504 To WLC5508 Without Service Interruptions?

Mar 12, 2013

How can I replace my WLC2504 with a WLC5508 without disconnecting everybody? I have 3 SSIDs, on different VLANs. I want the WLC5508 to be the main WLC, so I can remove the 2504 from the network. The WLC5508 will have the same configuration as the 2504. Is there a procedure or a wiki on such an operation?







