11-29-2011 09:33 AM - edited 07-03-2021 09:08 PM
Looking to create a guest access WLan so that Vendors can have internet access along with vpn into their own network while disallowing access to our internal systems.
I have created a Guest WLAN and configured it on the WLC side. I think all I have to do now is to configure the core switch with the new 99 VLAN along with configuring the trunk ports connected to the WLCs.
My question is, am I missing anything in the setup? And are there any "best practices" when it comes to guest access? I am hoping to use web-passthru authentication. I don't believe this requires any AAA or RADIUS servers, which we don't have set up. I will probably just want a single "guest" account which will provide internet access without allowing access to the internal LAN. Am I on the right track here?
12-01-2011 09:03 AM
Make sure the gigabit interfaces match.
12-01-2011 09:02 AM
You have one interface that is only allowing certain vlans and the other is not pruning.
12-01-2011 11:53 AM
OK, I removed the pruning statement from both the 5/5 interface and the port-channel interface... I was in a meeting for the last 2 hours and was told that the wireless was going down every 15 mins. I also noticed that all of my APs have moved to the non-LAG controller. Not sure if the mismatched pruning caused this or if there is something else wrong.
12-01-2011 12:00 PM
OK, after making that change the APs all migrated back to the correct WLC. I think the "cycling" must have been the APs trying to reconnect to the LAG controller, failing because of the pruning, and then switching back... guess I'll know in a half hour or so.
12-01-2011 03:14 PM
Robert,
Did you get it to work?
12-02-2011 05:56 AM
Yes, I think it was the pruning on one port that was causing the issues. All APs are on the main WLC now and LAG is enabled and running. Now I have to create a dedicated DMZ and bring up the 2nd controller in there to handle the Guest WLAN. Will keep you posted. Thanks again for your help, much appreciated.
12-02-2011 06:11 AM
Cool... Keep us posted in case you need help.
12-08-2011 02:09 PM
OK, I now have the DMZ set up and a WLC in it. I created a guest WLAN on both controllers, configured exactly the same, and configured the DMZ as an anchor for the guest WLAN and the corp WLC as the foreign controller, each in their own mobility group. I opened 16666 and 16667 from each controller to the other. I also enabled Ether_IP both ways. Not sure it's all correct though; when I open mobility management on the controllers themselves, under mobility groups, both controllers are listed but the other one always says "control path down", i.e. on the DMZ controller the Corp controller shows "control path down" and vice versa.
It actually seemed to be working there for a while but now something is wrong, I suspect with the mobility anchoring. I can attach to the guest network and it does redirect me to the login screen, but after I log in I still have access to the corp system.
12-08-2011 02:13 PM
Robert,
If you have control path down, then it's not working right. You are probably connecting to your foreign WLC and not to your anchor.
Can you post your show run-config for both WLCs?
12-09-2011 06:40 AM
OK, I got rid of the control path down message and they are both up. The guest access is working except that I get an IP from the regular wireless network and can still see the local resources. I set up the internal DHCP server on the Guest access controller and created a scope within that range but clients are still getting corp wireless IP addys.
Having trouble trying to paste configs on this site.
12-09-2011 06:45 AM
Can you just attach the text file? I want to verify your SSID anchoring. Your foreign WLC (internal) guest SSID should be anchored to the guest WLC. The anchor WLC (DMZ) guest SSID should be anchored to itself. Check that.
12-09-2011 06:45 AM
***************Guest WLC******************
(Cisco Controller) >show mobility summary
Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... DMZ
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x43cd
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 0
Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name       Multicast
 00:19:aa:72:2e:e0  10.192.60.44     Champion Corp    0.0.0.0
 00:19:aa:72:39:80  10.100.100.20    DMZ              0.0.0.0
(Cisco Controller) >
***************Corp WLC*****************
(Cisco Controller) >show mobility summary
Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... Champion Corp
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x46d5
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 0
Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name       Multicast IP     Status
 00:19:aa:72:2e:e0  10.192.60.44     Champion Corp    0.0.0.0          Up
 00:19:aa:72:39:80  10.100.100.20    DMZ              0.0.0.0          Up
(Cisco Controller) >
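Added example, not part of the original thread: a small Python parser for `show mobility summary` output in the layout posted above, which lists any mobility peer whose tunnel status is not Up (or whose status column is missing from the paste, as in the Guest WLC listing). The sample text, the "Control Path Down" status value in it, and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of the output posted in this thread.
SAMPLE = """\
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... Champion Corp
Mobility Group Members Configured................ 2
Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name       Multicast IP     Status
 00:19:aa:72:2e:e0  10.192.60.44     Champion Corp    0.0.0.0          Up
 00:19:aa:72:39:80  10.100.100.20    DMZ              0.0.0.0          Control Path Down
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Member row: MAC, IP, group name (may contain spaces), multicast IP, optional status.
MEMBER = re.compile(
    r"^\s*(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<ip>" + IPV4 + r")\s+"
    r"(?P<group>.+?)\s+(?P<mcast>" + IPV4 + r")(?:\s+(?P<status>\S.*?))?\s*$",
    re.IGNORECASE,
)
# "Key......... value" lines; two or more dots separate key from value.
SETTING = re.compile(r"^(?P<key>.+?)\s*\.{2,}\s*(?P<val>.*)$")


def parse_mobility_summary(text):
    """Return (settings dict, list of member dicts) from pasted CLI output."""
    settings, members = {}, []
    for line in text.splitlines():
        m = MEMBER.match(line)
        if m:
            members.append(m.groupdict())
            continue
        kv = SETTING.match(line)
        if kv:
            settings[kv["key"].strip()] = kv["val"].strip()
    return settings, members


def findings(text):
    """List peers that are not Up, plus a member-count mismatch if any."""
    settings, members = parse_mobility_summary(text)
    out = []
    declared = int(settings.get("Mobility Group Members Configured", len(members)))
    if declared != len(members):
        out.append(f"{declared} members configured but {len(members)} rows parsed")
    for m in members:
        if m["status"] is None:
            out.append(f"{m['ip']} ({m['group']}): status column missing, tunnel state unknown")
        elif m["status"].lower() != "up":
            out.append(f"{m['ip']} ({m['group']}): {m['status']}")
    return out


if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)) or "all mobility peers Up")
```

Run it against the output of both controllers; the guest WLAN is only tunnelled to the DMZ anchor when each side reports the other as Up.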
12-09-2011 06:48 AM
So under the Guest WLan (advanced) on the Guest controller add the other controller as a foreign controller mapping ...correct?
12-09-2011 06:51 AM
No. On the WLAN tab that lists your SSIDs, there is a blue triangle all the way to the right of each SSID. Click on that for the guest SSID and then click mobility anchor. That is where you do the SSID anchoring.
12-09-2011 06:59 AM