
Guest and Corporate access on same AP with FlexConnect

tonymitchell
Level 1

Hi,

We have a 5508 WLC at our main site, with an 1141 AP at a remote site that is connected to the main site via an MPLS network. The AP is configured to use FlexConnect mode.

I have a guest WLAN configured with the following key attributes:

  • Separate interface for guest access (VLAN'd)
  • ACL applied to the interface to restrict traffic to the internet only
  • Web Authentication in use at L3 (no L2 auth)
  • Guest WLAN is a member of an AP group for the remote site

Guest access works fine... However, I also need to provide access to the corporate network (at the remote site). I've created a WLAN for corp access, and added it to the AP group which contains the guest WLAN.

Whilst guest access works fine and I can see the SSID for corp access, corp clients don't get an IP address from the local site's DHCP server (I've tried with and without DHCP override on the corp WLAN)... they just get an APIPA address (169.254.x.x).

If I remove the guest WLAN from the AP group, then corp access works fine (without DHCP override), and clients receive an IP address from the remote site's DHCP server.

I've also tried with the AP in LOCAL mode... but have the same issue.

Please help... this is driving me crazy!

Thanks in advance.

Tony

3 Replies

Scott Fella
Hall of Fame

Well, the question is, where is the guest getting their IP address from, local site or the central site? Is the guest being tunneled back to the WLC or not? If you want to add a Corp SSID and you want to place traffic local at that site, you need to do the following:

  1. Enable local switching on the WLAN SSID
  2. Make sure the AP is part of the correct AP Group. The interface in the AP Group does not matter if you are placing traffic locally at the remote site.
  3. On the AP that is in FlexConnect mode, you need to define the native vlan and the WLAN to vlan mapping
    1. Click on the FlexConnect tab on the AP
    2. Specify the native vlan for the AP, the AP is connected to a trunk port and hit apply
    3. Go back to the FlexConnect tab and select vlan mapping.
    4. In the vlan mapping, you can select the vlan id you want the traffic to be placed on the local side
  4. The vlan you place the Corp users on will need an ip helper address for dhcp.

That should do it.

Here is a link that explains FlexConnect and what you need to do.

https://supportforums.cisco.com/docs/DOC-24082

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
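
The steps in the reply above, written out as CLI configuration. This is an added example, not part of the original post: the WLAN ID (2), AP name (REMOTE-AP1), VLAN IDs (10 native, 20 corp), interface name and IP addresses are all assumed placeholders, and the `!` lines are annotations rather than commands.

```cisco
! --- On the WLC (AireOS CLI, FlexConnect naming) ---
! Step 1: enable local switching on the corp WLAN (assumed WLAN ID 2).
config wlan disable 2
config wlan flexconnect local-switching 2 enable
config wlan enable 2
!
! Step 3: on the FlexConnect AP, enable VLAN support, set the native
! VLAN, then map the corp WLAN to the local VLAN.
config ap flexconnect vlan enable REMOTE-AP1
config ap flexconnect vlan native 10 REMOTE-AP1
config ap flexconnect vlan wlan 2 20 REMOTE-AP1
!
! Check the resulting FlexConnect VLAN settings on the AP.
show ap config general REMOTE-AP1

! --- On the remote-site switch port facing the AP (Cisco IOS) ---
interface GigabitEthernet0/1
 description Trunk to REMOTE-AP1
 ! The encapsulation line is only needed on platforms that also support ISL.
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 ! Carry only the AP's native VLAN and the locally switched corp VLAN.
 switchport trunk allowed vlan 10,20
!
! --- Step 4: on the Layer 3 gateway for the corp VLAN ---
interface Vlan20
 description Corp WLAN clients (locally switched)
 ip address 192.0.2.1 255.255.255.0
 ! Relay client DHCP requests to the site's DHCP server (placeholder address).
 ip helper-address 198.51.100.10
```

A WLAN that is not locally switched is carried to the WLC inside the AP's CAPWAP tunnel on the native VLAN, so it needs no VLAN of its own on this trunk; limiting the allowed list to the native and corp VLANs keeps the port from carrying anything else.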

tonymitchell
Level 1

Hi Scott,

Thanks (again) for your help.

Guest users are tunnelled back to the WLC, where they also get their IP address from. The interface has an access list configured, so that guests have no access to the corp network, only Internet addresses. Although FlexConnect is configured on the AP, it's disabled for the guest WLAN, and enabled for the corp WLAN as I do need corp users to be locally switched.

As per your advice, I'll look into configuring the native VLAN / WLAN to VLAN mapping and IP helper, and get back to you.

Thanks again for your help.
Tony

Is Local Auth checked for FlexConnect?

If so uncheck and verify.

John R
