Any Best Practices for Guest Access?

Looking to create a guest access WLAN so that vendors can have internet access along with VPN into their own network while disallowing access to our internal systems.

I have created a Guest WLAN and configured it on the WLC side. I think all I have to do now is to configure the core switch with the new 99 VLAN along with configuring the trunk ports connected to the WLCs.

My question is, am I missing anything in the setup? And are there any "best practices" when it comes to guest access? I am hoping to use web-passthru authentication. I don't believe this requires any AAA or RADIUS servers, which we don't have set up. I will probably just want a single "guest" account which will provide internet access without allowing access to the internal LAN. Am I on the right track here?
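The switch-side piece described in the question (VLAN 99 on the core, trunk ports to the WLCs), as an added Cisco IOS example that is not from any poster in this thread. The guest subnet 192.168.99.0/24, the DHCP/DNS server 10.10.10.5, the WLC uplink GigabitEthernet1/0/1 and the management VLAN 1 are all constructed for illustration. The security-relevant part is the inbound ACL on the guest SVI: it lets guest clients get DHCP and DNS, denies everything destined for the internal RFC1918 space, and permits the rest (Internet, and the vendors' own VPN endpoints), so the VLAN alone is not relied on for isolation.

```cisco
! Added example (not from the thread): core-switch side of a guest VLAN 99.
! Assumptions (constructed): guest subnet 192.168.99.0/24, DHCP+DNS server 10.10.10.5,
! WLC uplink on GigabitEthernet1/0/1, management VLAN 1, internal space is RFC1918.
vlan 99
 name GUEST
!
! Guest SVI: relay DHCP to the existing server so a 192.168.99.0/24 scope can be used,
! and filter guest traffic inbound, before it reaches the internal routing table.
interface Vlan99
 description Guest wireless (isolated)
 ip address 192.168.99.1 255.255.255.0
 ip helper-address 10.10.10.5
 ip access-group GUEST-IN in
!
! Trunk to the WLC: carry only the management VLAN and the guest VLAN, nothing else.
! (Drop the "encapsulation dot1q" line on platforms that only speak 802.1Q.)
interface GigabitEthernet1/0/1
 description Trunk to WLC
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,99
 switchport nonegotiate
!
! Isolation ACL, evaluated top-down: DHCP and DNS first, then deny all internal
! destinations, then allow everything else (Internet, vendor VPN gateways).
ip access-list extended GUEST-IN
 remark allow DHCP (relayed by the SVI) and DNS to the named server
 permit udp any eq bootpc any eq bootps
 permit udp 192.168.99.0 0.0.0.255 host 10.10.10.5 eq domain
 remark deny guest -> internal RFC1918 space
 deny   ip 192.168.99.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.99.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.99.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark everything else (Internet, the vendors' own VPN endpoints)
 permit ip 192.168.99.0 0.0.0.255 any
```

The DHCP server needs a scope matching the SVI's subnet, because the relayed request carries 192.168.99.1 as the gateway address. On the WLC, the "guest" dynamic interface would be tagged with VLAN 99 on the same port that carries the untagged management VLAN, which is why the trunk allows both.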


Ah thanks, that's the doc I was looking for. Still reading this, but I am now wondering: is it better to use a VLAN configured on the core switch or to use an EoIP tunnel?

You would need to purchase another WLC and place that in the DMZ, but that would be what I would suggest. All comes down to money☺

Well we have (2) 4402's with not a whole lot of wireless traffic on them so that may be an option, I am assuming that you are talking about using EoIP here?

Yes.. But you will lose your redundancy then.

Something isn't right, the Guest WLAN is not seeing the DHCP server. I set up and tested the VLAN on the switch. Configured the AP's switchport to a trunk and set up H-REAP on the AP. Created a scope on the DHCP server but the clients can't get IPs. Any thoughts?

Did you map the ssid to the vlan on the h-reap ap?

Under H-REAP Config I enabled VLANs and assigned the Native VLAN ID of 99, which is the guest network. All the other networks are VLAN ID 1. It does show the locally switched VLANs box with each of them listed. I think that's what you were asking.

I do have a user who can connect, but he is pulling an IP from the wrong network. He gets the internal web page on trying to connect to the internet, but it's not allowing the guest account to log in.
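The AP-side port for an H-REAP AP that locally switches the guest SSID, as an added Cisco IOS example that is not from any poster in this thread. The AP port GigabitEthernet1/0/10, the AP/management VLAN 10 and the guest VLAN 99 are constructed. The point it shows: in H-REAP the Native VLAN ID is the VLAN the AP itself uses to reach the WLC, and each locally switched SSID is mapped to its own VLAN ID under the WLAN-to-VLAN mappings, so the switchport's native VLAN and the AP's native VLAN must agree, and the guest VLAN must be tagged on that trunk for guest clients to land on the guest DHCP scope rather than the AP's VLAN.

```cisco
! Added example (not from the thread): access-layer port for an H-REAP AP that locally
! switches the guest SSID. Assumptions (constructed): AP on GigabitEthernet1/0/10,
! AP/management VLAN 10, guest VLAN 99 with its DHCP scope reached via the core SVI relay.
vlan 10
 name AP-MGMT
vlan 99
 name GUEST
!
! The AP's own CAPWAP/LWAPP traffic to the WLC rides the untagged native VLAN; guest
! client traffic is tagged with VLAN 99. On the controller this matches an H-REAP
! Native VLAN ID of 10 and a WLAN-to-VLAN mapping of the guest SSID to VLAN 99.
! Mapping the guest SSID to the native VLAN instead would put guest clients on the
! AP's management VLAN, where they would pull addresses from the wrong scope.
interface GigabitEthernet1/0/10
 description H-REAP AP (local switching)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,99
 switchport nonegotiate
 spanning-tree portfast trunk
!
! Checks from the switch, when clients on the guest SSID get no lease:
!   show interfaces GigabitEthernet1/0/10 trunk   (native 10; VLANs 10,99 allowed and forwarding)
!   show vlan brief                               (VLAN 99 exists and lists the AP and uplink ports)
!   show ip interface brief | include Vlan99      (the guest SVI is up/up, so the DHCP relay works)
```

If VLAN 99 is missing from the trunk's "forwarding" list, the tagged guest frames never reach the core, and the client never sees a DHCP offer; if it is present but the SVI is down, the relay has nothing to forward from.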

I had another thought. Since I have 2 ports on each WLC (only 1 of which on each is used), could I set up the 2nd port on the first WLC and dedicate it to the Guest WLAN? The WLAN is already anchored to the controller. If I set up the switchport as an access port for the 99 (guest) VLAN, might this work? I noticed that when I assign the virtual interface "guest" to the WLAN I cannot enable ap-mgmt, since they are both on the same port.

Perhaps a little off topic, but another thing I had noticed was that there is no virtual interface created for the primary WLAN. This system was put in place before my time here and as you can see I have a lot to learn about it. But when I created the Guest WLAN virtual interface, I noticed that the corporate WLAN was just mapped to the "management" interface. But in the documentation, it says it should be a virtual interface. I am afraid that if I change this I will likely cause more problems than it solves, since the corp WLAN is currently working.

I have deleted the guest WLAN from the 2nd controller and mobility anchored the WLAN to the other controller.

I am currently at 60% memory utilization, which is ok for now but would likely become a problem if I added the traffic together on a single WLC. So that is probably not an option after all. But I should still be able to do this using a VLAN on the switch, correct?


Did you get this working?  If not, let me know how you have it setup.

