topic Guest SSID in Wireless

Guest SSID

john smith — Sun, 04 Jul 2021 04:17:50 GMT

Hello

i want to configure a guest SSID on WLC 4400 series

but i want it to go direct to the internet i mean it can not use the corporate network (server and other applications)

and i want layer 2 security on it WPA2

as i know i need to configure a internal DHCP pool on the controller it self for the guest users vlan right?

and map that to guest ssid.

it is not web authentication so shall i need to configure any access list for this subnet or no need?

any seggustion please

many thanks in advance

Guest SSID

Viten Patel — Mon, 26 Dec 2011 13:43:52 GMT

you try can something like this:

WLC -- L2/L3 switch (with l2 vlan for guest traffic) -- firewall (Cisco ASA) -- Internet

once you create the guest ssid on the wlc and map it to a dynamic interface (say vlan 100). create a vlan 100 on the switches along the path between WLC and firewall. Make sure that vlan 100 is purely layer 2 along the path i.e there is not SVI interface on any of the switches. You can define the gateway for vlan 100 on the firewall and configure the firewall to route traffic for vlan 100 directly to the internet.

Guest SSID

john smith — Mon, 26 Dec 2011 19:18:42 GMT

what about if i configure a local DHCP pool for the guest users vlan and it will not go through virtual interface and will be isolated from he corporate network?

Guest SSID

Viten Patel — Mon, 26 Dec 2011 20:08:40 GMT

even if you create a local dhcp scope, you will still need to create a dynamic interface on the wlc to which you will tie/map the guest ssid

Guest SSID

john smith — Tue, 27 Dec 2011 16:54:21 GMT

yeah i am agree with you on this

can you please explain that how the guest users will go to the internet through virtual interface i mean how does this works and how guest users are not coming to corporate network like applications and printers etc etc?

Re: Guest SSID

Scott Fella — Tue, 27 Dec 2011 17:50:39 GMT

To add to Viten post, Viten explains that the guest SSID will be played on the dynamic interface you use for guest. Hen using the wlc as a dhcp server for guest users, the users will see the virtual ip as the dhcp sever. So this has really nothing to do with connectivity to the Internet. To prevent guest users from accessing your internal network, Viten explains that you need a L2 connection to your FW. This means no L3 interface for that guest subnet. With no L3 interface, guest gets pushed to the FW and not able to route internally.

Sent from Cisco Technical Support iPhone App

Guest SSID

john smith — Sat, 31 Dec 2011 08:21:19 GMT

thanks guys for your reply

but i have not any firewall in my network and i want to configure wlc as a dhcp server for guest users and to avoid them to access to the internal netwrok aplication and all our other servers

what you say if i hit my local DNS server ip addresses in DHCP pool or it is not really necessary?

i already configured it without firewall local DHCP for guest users vlan on wlc but my guest users can access to the application how i can avoid them?

also i can see virtual interface ip address as a DHCP ip address on client side which connected to guest ssid so what should i do any one has any idea?

many thanks

Guest SSID

Scott Fella — Sat, 31 Dec 2011 15:54:56 GMT

what you say if i hit my local DNS server ip addresses in DHCP pool or it is not really necessary?

If you are going to use the wlc for dhcp for the guest users, you still need to create a dynamic interface to place the guest users on. You also need to use the wlc managment ip address as your dhcp server ip address.

i already configured it without firewall local DHCP for guest users vlan on wlc but my guest users can access to the application how i can avoid them?

Configured what.... if you have created another subnet on your layer 3 switch and also created a layer 3 interface, then you are routing between the guest network and all your other netowrks. You would need to create an access list (ACL) to prevent this. You do have a layer 3 switch correct?

also i can see virtual interface ip address as a DHCP ip address on client side which connected to guest ssid so what should i do any one has any idea?

Don't worry about this... it is because you have dhcp proxy enabled. If you diable dhcp proxy then users will see the ip of the dhcp server.

So basically what equipment do you have.... a 4400WLC that connects to a layer 3 switch then to a router for internet?

Guest SSID

john smith — Sat, 31 Dec 2011 16:51:55 GMT

thanks for your reply Fella

yes i have wism card in 6500 series switch and i have configured the same guest user vlans on that switch too but also i configured the same vlans on WLC locally too and DHCP as well and configured controllers mgmt ip in dhcp server ip address place in wlan advance tab

but as i guess ACL we creat to give access to applications to our guest vlan users if we configure local DHCP for them what you say about this ? or can we configure ACL to avoide them to go to applications ?

So basically what equipment do you have.... a 4400WLC that connects to a layer 3 switch then to a router for internet?

Ans:

i have wism in 6500 series switch and switch is conected to core switch and core is connected to our main office via layer 3 link OSPF.

any idea please?

Re: Guest SSID

Scott Fella — Sat, 31 Dec 2011 17:05:06 GMT

Okay so you need to create an acl on the guest layer 3 interface to deny traffic to your internal networks. You can still use the wlc for dhcp for the guest. This doesn't matter if you do the dhcp in the wlc, switch or internal dhcp server. You still need to create an acl.

Thanks,

Scott Fella

Sent from my iPhone

Re: Guest SSID

Scott Fella — Sat, 31 Dec 2011 23:18:05 GMT

If you want to create an ACL on the WLC, here is a link. I suggest doing ti on the L3... works better:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a00807ce372.shtml

Re: Guest SSID

john smith — Sun, 01 Jan 2012 20:18:41 GMT

thanks for your replyy fella

i configured acl with but i donot know may be i configured wrong i can still acces other server from guest ssid

i want to configure it to use only our external local DNS server for internet only whil all the other accesses i want to block them

DHCP will be at controller the sane i want to use that

please tell me how i can deny these all accesses and only alow acces to DNS ?

many thanks

Re: Guest SSID

Viten Patel — Sun, 01 Jan 2012 20:34:57 GMT

Waseem,

I think its time for a TAC case.

thanks.

Re: Guest SSID

john smith — Mon, 09 Jan 2012 20:33:04 GMT

Thanks for your all reply scott

but unfortunately still i did not solve this issue please help me on this?

i have one vlan subnet 10.135.104.0/24 for guest users

External DHCP for this vlan 10.5.2.22

External local DNS server 10.5.2.23

i want to allow them to use only internet like HTTP only

but they will get ip from external DHCP *** here please advise me what is good to use external or local DHCP server?

for DNS this is only external i have they should use that one

i have not any firewall in my network

i know the solution is only to configure ACL on WLC

but i don't know how to configure it, i followed one doc. but failed to configure it

i mentioned my vlan ip above please tell me how i can configure ACL for that in order to give only internet access to that WLAN's users step by step.

many thanks in advance

Re: Guest SSID

George Stefanick — Tue, 10 Jan 2012 05:54:01 GMT

You can configure a typical ACL on the SVI interface of GUEST. Thus allowing you to manage what goes where.