5508 WLC-Guest Wireless-Web Authentication

siddhartham
Level 4

Is it possible to rename the default web authentication URL from https://1.1.1.1/login.html to something like https://wlc/login.html? We are running on 7.0.98.0. Is it possible to do HTTP for web authentication and HTTPS for Mgmt access if we upgrade the controller software?

We configured our guest wireless with no layer 2 authentication, so users can associate with an AP and get an IP address but they can't go anywhere unless they have a valid username and password (web authentication). Does this affect the performance of an AP, since there will be many people associated with each AP? Is there any setting in the WLC to de-associate a client from an AP if it's idle for a certain time?

Thanks

Siddhartha       
9 Replies

George Stefanick
VIP Alumni

Hi,

No, changing the 1.1.1.1 to a wlc/login.html opens you to a host of other issues. Is there a reason why you would want to do this?

If you upgrade to 7.2 code, it supports HTTPS on management and HTTP for web. 7.0 doesn't support this.

No, the client will associate to the AP, grab an IP address and just sit there until either the controller kicks him off or the client walks away. No, there is no setting that you can change without impacting something else. Again, not an issue.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

Scott Fella
Hall of Fame

Like George mentioned, that can't be changed in the WLC. The thing is, I believe if you have a trusted certificate and you also have a reverse lookup in DNS that it will actually show the DNS entry instead of the VIP address.

Thanks George and Scott.

"No, by changing the 1.1.1.1 to a wlc/login.html opens you to a host of other issues. Is there a reason why you would want to do this?"

No special reason, just trying to find out.

"I believe if you have a trusted certificate and you also have a reverse lookup in dns that it will actually show the dns entry instead of the VIP address."

Unfortunately, using internal DNS servers is not an option for us. We are pointing all the guest users to a public DNS server and they can't access any of the internal resources (DNS or DHCP - the controller is acting as a DHCP server for guests).

How many clients can associate with an access point without impacting its performance? Is there a limit?

Siddhartha

Haha... well, this is a question that everyone is asking. What you will see in the forum is that the Cisco recommendation is 25 per AP. Now it varies on your applications and throughput required. Web and HTML only, you can have 50+. Video or huge uploads or downloads, you can have maybe around 4. Your gigabit or 10/100 port is your bottleneck, so you can decide how much oversubscribing you want.

Thanks,

Scott

Thanks Scott. In our case the clients will associate with the access point and get an IP address but can't do anything unless they have a valid username and password (web auth). So, for example, if there are 100 clients associated with an AP on the Guest SSID but sitting idle since they don't have a valid username and password, does this affect the legitimate users on the other SSIDs?

Also, is it possible to broadcast an SSID (Guest) through the access points at one location (office) and not through the APs at a different location (warehouse)? Can we do this through the WLC?

Siddhartha

Hi Sid

You can limit what SSIDs are broadcast by an AP by creating the AP groups and assigning the SSID you want for that group. For example, the APs in the warehouse and office can be in separate AP groups and only the APs in the office will have the Guest SSID. To avoid unauthorized Guest clients using up the DHCP scope, I suggest that you set the DHCP lease time to 30 mins or less. However, on the guest SSID, the session timeout can be increased for authenticated guests, so that they do not keep logging back in after 30 mins.
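
An added illustration of the lease-time advice above (not part of the original thread): a small Python simulation of a guest DHCP scope in which unauthenticated clients associate, take one lease and never renew. The pool size, arrival rate and observation window are constructed values, not figures from the thread.

```python
import heapq


def simulate_pool(pool_size, lease_s, arrival_every_s, duration_s):
    """Simulate drive-by clients that each request one lease and never renew.

    Returns (peak_leases_in_use, denied_requests). All times are in seconds.
    """
    expiries = []            # min-heap of lease expiry times
    peak = 0
    denied = 0
    for now in range(0, duration_s, arrival_every_s):
        # Free every address whose lease has expired by now.
        while expiries and expiries[0] <= now:
            heapq.heappop(expiries)
        if len(expiries) >= pool_size:
            # Scope exhausted: this client (possibly a legitimate guest)
            # gets no address and never reaches the web-auth page.
            denied += 1
            continue
        heapq.heappush(expiries, now + lease_s)
        peak = max(peak, len(expiries))
    return peak, denied


if __name__ == "__main__":
    POOL = 250               # constructed: usable addresses in the guest scope
    ARRIVAL = 30             # constructed: one new client every 30 seconds
    WINDOW = 8 * 3600        # constructed: an 8-hour working day

    for label, lease in (("30 min", 30 * 60), ("24 h", 24 * 3600)):
        peak, denied = simulate_pool(POOL, lease, ARRIVAL, WINDOW)
        print(f"lease {label:>6}: peak in use {peak:3d}/{POOL}, denied {denied}")
```

With the short lease, addresses held by clients that never authenticated are reclaimed quickly and the scope stays far from full; with a day-long lease the same arrival pattern fills the scope and later clients are refused.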

Osita is correct. The other thing you can do is set the QoS bandwidth policy to set the max downstream for guest. In 7.3 you can set both.

Thanks,

Scott

Here is a note:

The bandwidth contract feature is enhanced so that rate limits can be defined on both upstream and downstream traffic. Rate limits can be defined per SSID and/or specified as a maximum rate limit for all clients. These rate limits can be individually configured. This feature is supported on AP1140, AP1040, AP3500, AP3600, AP1250, and AP1260. In centrally switched WLANs, the downstream traffic is rate limited by the controller and the upstream is rate limited by the APs. In local switched WLANs, both upstream and downstream traffic are rate limited by the APs.

http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn73.html

Thanks,

Scott

Thanks Osita and Scott.

I didn't know about the bandwidth contract feature, will check it out.

Siddhartha