topic Re: Wired Guest Access Guide Assistance / Discrepancy in Wireless

Wired Guest Access Guide Assistance / Discrepancy

Flambo — Mon, 05 Jul 2021 19:23:05 GMT

Wondering if anyone has any experience configuring wired guest access as per this link:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-1/config-guide/b_wl_17_11_cg/wired-guest.html

There are a few restrictions, notably:

Every guest LAN has a unique name and this name cannot be shared with RLAN or WLAN.
Ensure that the Anchor VLAN ID and the wired VLAN ID configured on the Foreign controller is not the same

The article is a little confusing to me

As it details the access switch with a VLAN of 200.
The foreign controller "Configuring Foreign Controller with Open Authentication" step 6 configures the guest LAN profile with a wired VLAN of 25
The anchor controller 'Configuration Anchor Controller with Open Authentication" step 4, configures the VLAN ID 29

If I was going to try an interpret that based on the initial image at the top of the guide

The 'internet' on the anchor controller would be 29?
The VLAN on the access switches is 200
The VLAN on the foreign controller is 25, should this not be 200?

The idea is to bridge the internet VLAN to VLAN 200 on the access switches.

Guess the difference in VLANs is fitting the restriction about the Anchor and wired VLAN ID must be different, but its a little to different?

The other discrepancy is in the section "Configuring Foreign Controller with Open Authentication" step 6, which has:

guest-lan profile-name gstpro-1 1 wired-vlan 25

Later on when configuring the anchor controller 'Configuration Anchor Controller with Open Authentication" step 7, it has this which associates the mobility profile with the guest LAN:

But on the anchor controller the configuration is given below which is just referencing the name used for the mobility profile:

Device(config)#guest-lan profile-name testpro-2 1

Maybe the latter is correct, but not sure about the VLAN assignments.

Many thanks in advance.

Re: Wired Guest Access Guide Assistance / Discrepancy

Flambo — Mon, 10 Aug 2020 22:14:51 GMT

So close, I've replace the VLAN 200 with VLAN ID 555 and VLAN 25 on the foreign controller with 555 and now getting the following error on the foreign controller:

Aug 10 21:50:31.360: %MM_LOG-4-EXPORT_ANCHOR_DENY: Chassis 1 R0/0: mobilityd: Export anchor required, but received export anchor deny for: WLAN Profile: gstpro-1, Client MAC: 00:0c:29:0d:c6:1a, Error: Received export anchor deny - profile mismatch.

Aug 10 21:50:27.965: %CLIENT_ORCH_GUEST_LAN_LOG-7-CLIENT_RECEIVED: Chassis 1 R0/0: wncd: Wired Guest Client MAC: 000c.290d.c61a join request received on vlan 555 - interface GigabitEthernet3

On the Anchor controller I am getting the following logs:

Aug 10 21:50:31.356: %MMIF_LOG-4-ANCHOR_RESP_PROFILE_MISMATCH: Chassis 1 R0/0: wncd: Export anchor required but config is incorrect, sending export anchor deny mismatch for: Wlan-Profile: gstpro-1, Policy Profile: testpro-1, client mac: 00:0c:29:0d:c6:1a

Aug 10 21:50:31.344: %CLIENT_ORCH_LOG-4-ANCHOR_INVALID_MBSSID: Chassis 1 R0/0: wncd: Export anchor required but config is incorrect (e.g.: wlan should be up, wlan profile name and policy profile name should match) for: Wlan-Profile: gstpro-1, Policy Profile: testpro-1, client MAC: 000c.290d.c61a

Aug 10 21:50:31.343: %CLIENT_ORCH_LOG-4-ANCHOR_INVALID_WLAN_ID: Chassis 1 R0/0: wncd: Export anchor required but unable to get wlan id for: Wlan-Profile: gstpro-1, Policy Profile: testpro-1, client MAC: 000c.290d.c61a

There is a few mistakes in the article, and some of the fine detail doesn't marry up hence causing issues.

I think the profiles need to match, then this is this requirement which contradicts it?

Every guest LAN has a unique name and this name cannot be shared with RLAN or WLAN.

Take a look at the commands from the article below:

Foreign Controller:

wireless profile policy testpro-1
mobility anchor 192.168.201.111 priority 1
no shutdown
exit
guest-lan profile-name gstpro-1 1 wired-vlan 25
no security web-auth
no shutdown
exit
wireless guest LAN map gstmap-1
guest-lan gstpro-1 policy testpro-1
exit

Anchor Controller:

wireless profile policy testpro-2
mobility anchor
vlan 29
no shutdown
exit
guest-lan profile-name testpro-2 1
client association limit
no security web-auth
no shutdown
exit

You see the second one (anchor controller) has a guest-lan name that matches the wireless profile policy name "testpro-2", whereas the other controller its called "gstpro-1".

Is this correct?