Looking to create a guest access WLan so that Vendors can have internet access along with vpn into their own network while disallowing access to our internal systems.
I have created a Guest WLan and configured it on the WLC side. I think all I have to do now is to configure the core switch with athe New 99 Vlan along with configuring the trunk ports connected to the WLC's.
My question is, am I missing anything in the setup? and are there any "best practices" wen it comes to Guest access? I am hoping to use web-passthru authentication. I dont believe this requires any AAA or Radius servers which we dont have set up. I will probably just want a single "guest" account which will provide internet access without allowing access to the internal lan. Am I on the right track here?
Solved! Go to Solution.
If you do not have a guest anchor WLC, then you need to create ACL's to prevent the guest to access your internal network.
Ah thanks thats the doc I was looking for. Still reading this but I am now wondering is it better to use a vlan configured on the core switch or to use a EoIP tunnel?
You would need to purchase another WLC and place that in the DMZ, but that would be what I would suggest. All comes down to money☺
Well we have (2) 4402's with not a whole lot of wireless traffic on them so that may be an option, I am assuming that you are talking about using EoIP here?
Something isn't right, Guest Wlan is not seeing dhcp server. I setup and tested the Vlan on the switch. Configured the Ap's switchport to a trunk and set up H-Reap on the Ap. Created a scope on the DHCP server but the clients cant get ip's. Any thoughts?
Under H-Reap Config I enabled Vlans and assigned the Native Vlan ID of 99 which is the guest network. All the other networks are Vlan ID 1. It does show the locally switched Vlans box with each of them listed. I think thats what you were asking.
I do have a user who can connect but he is pulling an ip from the wrong network. he gets the internal web page on trying to connect to the internet but its not allowing the guest account to log in.
I had another thought, Since I have 2 ports on each WLC, (only 1 of which on each is used) Could I set up the 2nd port on the first WLC and dedicate it to the Guest Wlan? The Wlan is already anchored to the controller, If I set up the switchport as an access port for the 99 (guest) vlan might this work? I noticed that when I assogn the virtual interface "guest" to the Wlan I cannot enable ap-mgmt since they are both on the same port.
Perhaps a little off topic but another thing I had noticed was that there is no virtual interface created for the primary Wlan. This system was put in place before my time here and as you can see I have a lot to learn bout it. But when I created the Guest Wlan virtual interface, I notices that the corporate Wlan was just mapped to the "management" interface. Gut in the documentation, it says it should be a virtual interface. I am afraid that if I change this I will likely cause more problems than it solves since the corp Wlan is currently working.
I am currently at 60% memory utilization which is ok for now but would likely become a problem if I added the traffic together on a single WLC. So that is probably not an option after all. But I should still be able to do this using a Vlan on the switch correct?