guest wlan

goncalo.girao
Level 1

Almost there.
Scenario:
2504 wlc
Aps 1140
Port 1 lan radius all ok
Port 2 defined for guest wlan directed attach no isp router dhcp

1 utp cable on router acquire ip address
On guest WLAN no IP address is given. I think I tried every combination.

Any help?

Sent from Cisco Technical Support iPhone App

Accepted Solutions

You need to do NAT no matter what... the WLC doesn't do NAT.  What I would do is:

  • Create an interface for your internal ssid
  • Create an interface for your guest ssid
  • Make port 1 primary for both interfaces
  • On the Internal interface, configure the primary dhcp to your internal dhcp
  • On the guest interface, configure the management ip of the WLC as the DHCP
  • Configure a DHCP scope on the WLC for the guest and make sure you use the ISP as the gateway
  • On your Internal SSID, map the internal interface
  • On the guest SSID, map the guest interface

That should do it... this way you use your internal dhcp for your internal users and the WLC for your guest.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***


Scott Fella
Hall of Fame

This is how you need to set up your WLC. Port 1 is your internal, so in the management interface and any dynamic interfaces for your internal you need to specify port 1 as primary and port 0 as backup. On the guest dynamic interface you need to specify port 2 as primary and port 0 as backup. Now you're placing the traffic on the correct interfaces.

If your router on the guest side is the DHCP server, you need to disable DHCP proxy in the WLC. DHCP proxy is required if you're using the WLC as a DHCP for any VLANs you have defined on the WLC. From the WLC CLI or GUI, try to ping the guest gateway address.

Also, always test with an open SSID to start with, and you can also test using a wired device connected to the guest subnet to verify DHCP and Internet connectivity.

Sent from Cisco Technical Support iPhone App

-Scott

goncalo.girao
Level 1

That's my doubt. Port 1 is connected to my switching and consecutively to the main DHCP server. Can I have a different one on the second port? I see in debug that port 2 tries to reach the correct DHCP (a new one assigned by my ISP).

PS: yes, all that you described is configured, except the DHCP proxy option. I will disable it later when at the office.

Sent from Cisco Technical Support iPhone App

So the way I explained is really the only way unless you just use port 1 and trunk that to your switch. Then connect your guest network into a VLAN in the switch and let your layer 3 do the routing. The WLC will not route and only bridges.

You might be better off using the WLC as the DHCP for the guest and staying with the design I mentioned earlier. Your guest router will need to NAT though.

Sent from Cisco Technical Support iPhone App

-Scott

goncalo.girao
Level 1

Hi

I don't have layer 3 switching capabilities.

So I have to route (we are doing routing, no NAT) on the ISP.

I tried that option earlier (enable DHCP on WLC) but for some unknown reason the WLAN couldn't obtain a valid IP either.

Will try tomorrow ty

Sent from Cisco Technical Support iPhone App

So, what are the steps to make DHCP work (only on this Guest WLan)?

Any help? TY

Well how do you have it setup?

Sent from Cisco Technical Support iPhone App

-Scott

Well, right now I only have DHCP but it isn't enabled. And the guest LAN is also disabled and not broadcasting SSID.

Sent from Cisco Technical Support iPhone App

How is the controller set up? Are you using LAG or not? How many ports on the WLC are connected to the switch? What is the IP of your DHCP server?

Post the show WLAN for each of the WLANs you have created.

Sent from Cisco Technical Support iPhone App

-Scott

Scott Fella wrote:

How is the controller set up? Are you using LAG or not? (NO, it supports???) How many ports on the WLC are connected to the switch? (ONE) What is the IP of your DHCP server? (My LAN DHCP - 192.168.2.a)

Post the show WLAN for each of the WLANs you have created.

WLAN Identifier.................................. 3

Profile Name..................................... Guest WLan

Network Name (SSID).............................. WYguest

Status........................................... Disabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Disabled

AAA Policy Override.............................. Disabled

Network Admission Control

  Radius-NAC State............................... Disabled

  SNMP-NAC State................................. Disabled

  Quarantine VLAN................................ 0

Maximum number of Associated Clients............. 0

Number of Active Clients......................... 0

Exclusionlist Timeout............................ 60 seconds

Session Timeout.................................. 1800 seconds

CHD per WLAN..................................... Enabled

Webauth DHCP exclusion........................... Disabled

Interface........................................ management

Multicast Interface.............................. Not Configured

--More-- or (q)uit

WLAN ACL......................................... unconfigured

DHCP Server...................................... Default

DHCP Address Assignment Required................. Disabled

Static IP client tunneling....................... Disabled

Quality of Service............................... Silver (best effort)

Scan Defer Priority.............................. 4,5,6

Scan Defer Time.................................. 100 milliseconds

WMM.............................................. Allowed

WMM UAPSD Compliant Client Support............... Disabled

Media Stream Multicast-direct.................... Disabled

CCX - AironetIe Support.......................... Disabled

CCX - Gratuitous ProbeResponse (GPR)............. Disabled

CCX - Diagnostics Channel Capability............. Disabled

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... None

IPv6 Support..................................... Disabled

Passive Client Feature........................... Disabled

Peer-to-Peer Blocking Action..................... Disabled

Radio Policy..................................... All

DTIM period for 802.11a radio.................... 1

DTIM period for 802.11b radio.................... 1

Radius Servers

   Authentication................................ Disabled

--More-- or (q)uit

   Accounting.................................... Disabled

   Dynamic Interface............................. Disabled

Local EAP Authentication......................... Disabled

Security

   802.11 Authentication:........................ Open System

   Static WEP Keys............................... Disabled

   802.1X........................................ Disabled

   Wi-Fi Protected Access (WPA/WPA2)............. Enabled

      WPA (SSN IE)............................... Disabled

      WPA2 (RSN IE).............................. Enabled

         TKIP Cipher............................. Disabled

         AES Cipher.............................. Enabled

                                                               Auth Key Management

         802.1x.................................. Disabled

         PSK..................................... Enabled

         CCKM.................................... Disabled

         FT(802.11r)............................. Disabled

         FT-PSK(802.11r)......................... Disabled

FT Reassociation Timeout......................... 20

FT Over-The-Air mode............................. Enabled

FT Over-The-Ds mode.............................. Enabled

CCKM tsf Tolerance............................... 1000

--More-- or (q)uit

   CKIP ......................................... Disabled

   Web Based Authentication...................... Disabled

   Web-Passthrough............................... Disabled

   Conditional Web Redirect...................... Disabled

   Splash-Page Web Redirect...................... Disabled

   Auto Anchor................................... Disabled

   H-REAP Local Switching........................ Disabled

   H-REAP Local Authentication................... Disabled

   H-REAP Learn IP Address....................... Enabled

   Client MFP.................................... Optional

   Tkip MIC Countermeasure Hold-down Timer....... 60

Call Snooping.................................... Disabled

Roamed Call Re-Anchor Policy..................... Disabled

SIP CAC Fail Send-486-Busy Policy................ Enabled

SIP CAC Fail Send Dis-Association Policy......... Disabled

Band Select...................................... Disabled

Load Balancing................................... Disabled

Mobility Anchor List

WLAN ID     IP Address            Status

-------     ---------------       ------



Sent from Cisco Technical Support iPhone App

Scott Fella
Hall of Fame

So you only have one SSID shown. If you're placing your guest on the management interface, just make sure you add the DHCP on the management interface.

Sent from Cisco Technical Support iPhone App

-Scott

But can I have the 2 DHCP on different ports and/or interfaces? I don't want my LAN DHCP to give IP addresses to Guest.

WLAN Identifier.................................. 4

Profile Name..................................... XXX

Network Name (SSID).............................. XXX

Status........................................... Enabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Enabled

AAA Policy Override.............................. Disabled

Network Admission Control

  Radius-NAC State............................... Disabled

  SNMP-NAC State................................. Disabled

  Quarantine VLAN................................ 0

Maximum number of Associated Clients............. 0

Number of Active Clients......................... 2

Exclusionlist Timeout............................ 60 seconds

Session Timeout.................................. 1800 seconds

CHD per WLAN..................................... Enabled

Webauth DHCP exclusion........................... Disabled

Interface........................................ management

Multicast Interface.............................. Not Configured

--More-- or (q)uit

WLAN ACL......................................... unconfigured

DHCP Server...................................... Default

DHCP Address Assignment Required................. Disabled

Static IP client tunneling....................... Disabled

Quality of Service............................... Silver (best effort)

Scan Defer Priority.............................. 4,5,6

Scan Defer Time.................................. 100 milliseconds

WMM.............................................. Allowed

WMM UAPSD Compliant Client Support............... Disabled

Media Stream Multicast-direct.................... Disabled

CCX - AironetIe Support.......................... Enabled

CCX - Gratuitous ProbeResponse (GPR)............. Disabled

CCX - Diagnostics Channel Capability............. Disabled

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... None

IPv6 Support..................................... Disabled

Passive Client Feature........................... Disabled

Peer-to-Peer Blocking Action..................... Drop

Radio Policy..................................... All

DTIM period for 802.11a radio.................... 1

DTIM period for 802.11b radio.................... 1

Radius Servers

   Authentication................................ Disabled

--More-- or (q)uit

   Accounting.................................... Disabled

   Dynamic Interface............................. Disabled

Local EAP Authentication......................... Disabled

Security

   802.11 Authentication:........................ Open System

   Static WEP Keys............................... Disabled

   802.1X........................................ Disabled

   Wi-Fi Protected Access (WPA/WPA2)............. Enabled

      WPA (SSN IE)............................... Disabled

      WPA2 (RSN IE).............................. Enabled

         TKIP Cipher............................. Enabled

         AES Cipher.............................. Enabled

                                                               Auth Key Management

         802.1x.................................. Disabled

         PSK..................................... Enabled

         CCKM.................................... Disabled

         FT(802.11r)............................. Disabled

         FT-PSK(802.11r)......................... Disabled

FT Reassociation Timeout......................... 20

FT Over-The-Air mode............................. Enabled

FT Over-The-Ds mode.............................. Enabled

CCKM tsf Tolerance............................... 1000

--More-- or (q)uit

   CKIP ......................................... Disabled

   Web Based Authentication...................... Disabled

   Web-Passthrough............................... Disabled

   Conditional Web Redirect...................... Disabled

   Splash-Page Web Redirect...................... Disabled

   Auto Anchor................................... Disabled

   H-REAP Local Switching........................ Disabled

   H-REAP Local Authentication................... Disabled

   H-REAP Learn IP Address....................... Enabled

   Client MFP.................................... Optional

   Tkip MIC Countermeasure Hold-down Timer....... 60

Call Snooping.................................... Disabled

Roamed Call Re-Anchor Policy..................... Disabled

SIP CAC Fail Send-486-Busy Policy................ Enabled

SIP CAC Fail Send Dis-Association Policy......... Disabled

Band Select...................................... Disabled

Load Balancing................................... Disabled

Mobility Anchor List

WLAN ID     IP Address            Status

-------     ---------------       ------

I think the idea is doing NAT, shouldn't it?


Scott Fella wrote:

You need to do NAT no matter what... the WLC doesn't do NAT.  What I would do is:

  • Create an interface for your internal ssid
  • Create an interface for your guest ssid
  • Make port 1 primary for both interfaces
  • On the Internal interface, configure the primary dhcp to your internal dhcp
  • On the guest interface, configure the management ip of the WLC as the DHCP - Can't do it -

"IP Information conflicts with another interface".

  • Configure a DHCP scope on the WLC for the guest and make sure you use the ISP as the gateway
  • On your Internal SSID, map the internal interface
  • On the guest SSID, map the guest interface

That should do it... this way you use your internal dhcp for your internal users and the WLC for your guest.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"
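
Added example, not part of the original thread: a Python check that parses `show wlan` output in the format posted above and lists where a guest WLAN departs from the layout in the accepted answer (guest SSID on its own interface instead of management). The sample text is a constructed excerpt, and the interface name `guest` is an assumption.

```python
import re

# Constructed excerpt, in the format of the `show wlan` output posted in this thread.
SAMPLE = """\
WLAN Identifier.................................. 3
Profile Name..................................... Guest WLan
Network Name (SSID).............................. WYguest
Interface........................................ management
--More-- or (q)uit
DHCP Server...................................... Default
Peer-to-Peer Blocking Action..................... Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
"""

# "Key....... Value": a label, a run of two or more dots, then the value.
FIELD = re.compile(r"^\s*(.+?)\s*\.{2,}\s*(.*)$")


def parse_show_wlan(text):
    """Return {label: value}, skipping pager prompts and section headings."""
    fields = {}
    for line in text.splitlines():
        if line.strip().startswith("--More--"):
            continue
        match = FIELD.match(line)
        if match:
            fields[match.group(1).rstrip(": ")] = match.group(2).strip()
    return fields


def audit_guest_wlan(fields, guest_interface="guest"):
    """List deviations from the accepted answer's layout.

    guest_interface is an assumed name for the dedicated guest interface.
    """
    findings = []
    iface = fields.get("Interface", "")
    if iface != guest_interface:
        findings.append(f"SSID mapped to '{iface}', not '{guest_interface}'")
        if fields.get("DHCP Server") == "Default":
            findings.append(f"no DHCP override: leases come from the '{iface}' interface's server")
    if fields.get("Peer-to-Peer Blocking Action") == "Disabled":
        findings.append("peer-to-peer blocking disabled: guest clients can reach each other")
    if fields.get("TKIP Cipher") == "Enabled":
        findings.append("TKIP cipher enabled alongside AES")
    return findings


if __name__ == "__main__":
    for finding in audit_guest_wlan(parse_show_wlan(SAMPLE)):
        print("-", finding)
```
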
