
4402 WLC and Internal DHCP Server

reynour01
Level 1

Hi everybody!

 

I have a 4402 WLC and Cisco Aironet 1000 series APs. I would like to use the internal DHCP server to cater to guest users. The guest_vlan interface is configured as follows:

1. Interface name: guest_vlan

2. VLAN Identifier: 40

3. IP Address: 192.168.1.1; Netmask: 255.255.255.0; Gateway: 192.168.1.1

4. DHCP Server: 192.168.200.9---which is the management interface IP address.

 

The guest scope is configured as follows:

1. Scope name: Guest Scope

2. Pool Start Address: 192.168.1.2; Pool End Address: 192.168.1.254; Network: 192.168.1.0; Netmask: 255.255.255.0;

3. Default Routers: 192.168.1.1

4. No IPs were entered at the DNS and Netbios Name Servers.

 

My management interface is configured as follows:

1. VLAN Identifier: 0 ---which is the default setting.

2. IP address: 192.168.200.9; Netmask: 255.255.252.0; Gateway: 192.168.200.1

3. DHCP server: 192.168.200.11 ---which is our external DHCP server that caters to the corporate network.

 

I have configured a guest WLAN that is pointed to the guest_vlan interface.

What happens is, the guest user obtains an IP address from the internal DHCP server. However, IT CANNOT ACCESS THE INTERNET.

What I want to configure is that:

1. The guest user will obtain its IP address from the Internal DHCP server.

2. After obtaining an IP address, the guest user will be prompted to log in with its user credentials.

3. The guest user can access the internet.

 

Kindly help me on this.

Many thanks and God bless.


Greetings!

Can you please post the following to further review?

show wlan <id>

show dhcp detailed <scopename>

show interface detailed guest_vlan

Thanks

Hi TJ McClintic,

 

Thank you for the reply.

Here are your queries:

1. show wlan <id>

WLAN Identifier.................................. 4
Profile Name..................................... OSG_Cisco_Guest
Network Name (SSID).............................. OSG_Guest
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
Interface........................................ guest_vlan
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Enabled
Quality of Service............................... Bronze (background)
WMM.............................................. Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
--More-- or (q)uit
IPv6 Support..................................... Disabled
Radio Policy..................................... All
Local EAP Authentication......................... Disabled
Security

   802.11 Authentication:........................ Open System
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Enabled
         TKIP Cipher............................. Enabled
         AES Cipher.............................. Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Enabled
         AES Cipher.............................. Disabled
      Auth Key Management
         802.1x.................................. Disabled
         PSK..................................... Enabled
         CCKM.................................... Disabled
   CKIP ......................................... Disabled
   IP Security................................... Disabled
   IP Security Passthru.......................... Disabled
   Web Based Authentication...................... Disabled
--More-- or (q)uit
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   Cranite Passthru.............................. Disabled
   Fortress Passthru............................. Disabled
   H-REAP Local Switching........................ Disabled
   Infrastructure MFP protection................. Enabled (Global Infrastructure MFP Disabled)
   Client MFP.................................... Optional
   Tkip MIC Countermeasure Hold-down Timer....... 60

 Mobility Anchor List
 WLAN ID     IP Address       Status


2. show dhcp detailed <scopename>


Scope: OSG_Guest

Enabled.......................................... Yes
Lease Time....................................... 86400 (1 day )
Pool Start....................................... 192.168.1.3
Pool End......................................... 192.168.1.254
Network.......................................... 192.168.1.0
Netmask.......................................... 255.255.255.0
Default Routers.................................. 192.168.1.1  0.0.0.0  0.0.0.0
DNS Domain.......................................
DNS.............................................. 0.0.0.0  0.0.0.0  0.0.0.0
Netbios Name Servers............................. 0.0.0.0  0.0.0.0  0.0.0.0

 

3. show interface detailed guest_vlan

Interface Name................................... guest_vlan
MAC Address...................................... 00:1b:53:63:62:a3
IP Address....................................... 192.168.1.2
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 192.168.1.1
VLAN............................................. 40
Quarantine-vlan.................................. no
Active Physical Port............................. 1
Primary Physical Port............................ 1
Backup Physical Port............................. Unconfigured
Primary DHCP Server.............................. 192.168.200.9
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... No

 

 

The wireless devices are able to obtain IP addresses. However, they cannot connect to the internet.

 

What I want to implement is that:

  • Guest users will get their IP address from the internal DHCP server.
  • Implement guest user logins through web policy authentication and control bandwidth allocation.

 

Thanks.

Dhiresh Yadav
Cisco Employee

Hi,

You are getting the IP address without any issue, correct?

For other issues:

> You can implement the guest web authentication page by configuring Layer 3 security on the guest SSID. The database to authenticate against can be the local controller or an external RADIUS server.

> The guest user can access the internet. To start with, your client should be in the RUN state before you start anything. Is this guest VLAN able to ping the gateway, which might be on the connected layer 3 switch? If yes, then try to ping some IP address of a site like google.com. If that is also happening, then see if the client has a DNS server to resolve the URLs.

> Bandwidth contracts can be defined under Wireless > QOS > Roles and then applied to users defined in the local database, or returned as a RADIUS attribute if you are using RADIUS.

 

Regards

Dhiresh

**Please rate helpful posts**

Hi Dhiresh,

Thanks for your comment.

Yes, the guest user can obtain an IP address. However, it was not able to connect to the internet. I have no idea where in particular the problem is.

I have posted below my configurations as requested by JC.

Thanks.

Hi,

Again: "To start with, your client should be in the RUN state before you start anything. Is this guest VLAN able to ping the gateway, which might be on the connected layer 3 switch? If yes, then try to ping some IP address of a site like google.com. If that is also happening, then see if the client has a DNS server to resolve the URLs."

 

I don't think you have a DNS server. Then how would you go to the Internet without typing the public IP address? To check, go to the command prompt of the laptop:

C:\>nslookup
Default Server:  dns-blr2.ABC.com
Address:  72.163.128.140

Are you able to get the DNS server IP like this?

 

Regards

Dhiresh

**Please rate helpful posts**

Hi,

 

Here is the config at my guest scope:

show dhcp detailed <scopename>


Scope: OSG_Guest

Enabled.......................................... Yes
Lease Time....................................... 86400 (1 day )
Pool Start....................................... 192.168.1.3
Pool End......................................... 192.168.1.254
Network.......................................... 192.168.1.0
Netmask.......................................... 255.255.255.0
Default Routers.................................. 192.168.1.1  0.0.0.0  0.0.0.0
DNS Domain.......................................
DNS.............................................. 192.168.200.17 192.168.200.27 192.168.200.16
Netbios Name Servers............................. 0.0.0.0  0.0.0.0  0.0.0.0

 

Our router is at 192.168.200.1. I tried to supply it at the "Default Routers" section but I get this error: "Error in setting DHCP Scope Status - Network conflicts with Default Routers".

Management IP is 192.168.200.9/22
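
The two scope problems raised in this thread (no DNS servers handed out, and a default router that is not on the scope's own subnet) can be checked directly against pasted `show dhcp detailed` output. The following is an added example, not code from any poster or from Cisco; the function names and the `reserved` parameter are hypothetical, and the sample text is copied from the first scope output posted above.

```python
import ipaddress
import re

# Copied from the first "show dhcp detailed" output posted in this thread.
SCOPE = """\
Pool Start....................................... 192.168.1.3
Pool End......................................... 192.168.1.254
Network.......................................... 192.168.1.0
Netmask.......................................... 255.255.255.0
Default Routers.................................. 192.168.1.1  0.0.0.0  0.0.0.0
DNS Domain.......................................
DNS.............................................. 0.0.0.0  0.0.0.0  0.0.0.0
"""
UNSET = ipaddress.ip_address("0.0.0.0")  # empty slots are printed as 0.0.0.0

def parse_dotted(text):
    """Map each 'Key....... v1 v2' line to key -> list of value tokens."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\.{2,}\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).split()
    return fields

def configured(tokens):
    """Drop 0.0.0.0 placeholders and return the real addresses."""
    addrs = (ipaddress.ip_address(t) for t in tokens)
    return [a for a in addrs if a != UNSET]

def audit_scope(text, reserved=()):
    """Return findings for a scope; `reserved` = statically assigned IPs."""
    f = parse_dotted(text)
    net = ipaddress.ip_network(f"{f['Network'][0]}/{f['Netmask'][0]}")
    start, end = (ipaddress.ip_address(f[k][0]) for k in ("Pool Start", "Pool End"))
    findings = []
    if start not in net or end not in net or start > end:
        findings.append(f"pool {start}-{end} is not a valid range inside {net}")
    routers = configured(f.get("Default Routers", []))
    if not routers:
        findings.append("no default router is handed to clients")
    for r in routers:
        if r not in net:  # a client can only reach an on-link gateway
            findings.append(f"default router {r} is outside {net}")
    if not configured(f.get("DNS", [])):
        findings.append("no DNS server is handed to clients")
    for ip in map(ipaddress.ip_address, list(routers) + list(reserved)):
        if start <= ip <= end:  # static address could also be leased out
            findings.append(f"{ip} is statically assigned but inside the pool")
    return findings
```

Passing the guest_vlan interface address as `reserved` also flags a pool that overlaps the controller's own interface IP.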

 

 
