11-29-2011 05:17 AM - edited 07-03-2021 09:08 PM
Hi,
We have implemented a Guest WLAN using a 4402 controller residing in our internet-facing DMZ environment. An EoIP tunnel forwards traffic from the internal controllers to the DMZ anchor. The service works well and is very popular with third-party contractors working onsite. Authentication for guests is via a Cisco Guest NAC server.
We have had a few issues with contractors attempting to establish client VPN access to their parent company. Are there any known issues with this type of guest connection?
Many thanks
11-29-2011 05:29 AM
Liam,
As long as you are opening up the ports for VPN on the FW, you should be fine. I have never had any issues with various types of VPN clients using wireless guest (webauth). Are you sure that the users have successfully authenticated? Also, did you increase the session timeout or disable it? This will force webauth users to log back in, which might be an issue also.
11-29-2011 06:45 AM
Hi Scott,
My understanding is that all traffic is tunnelled through the EoIP tunnel, and therefore there is no need to specify ipsec ports on our firewall. Is this not correct?
11-29-2011 06:50 AM
Correct... I have clients that put rules in the FW for guest traffic not allowing VPN; that's why I ask.
Sent from my iPhone
11-29-2011 06:28 AM
What code version?
There have been numerous bugs with PPTP not working, so if you aren't up to date on code, it wouldn't surprise me if that is your problem.
11-29-2011 06:37 AM
Can you provide us with what code versions are affected?
Sent from my iPhone
11-29-2011 06:50 AM
I thought there was one in mid-6.0 code... but I can't seem to find the bug ID, so I may be mistaken.
CSCsx20559 PPTP not working through WLC - Exists in 5.2.157.0 5.2.178.0 resolved in 5.2.193 / 6.0
CSCtc78925 PPTP not connecting through IOS-based AP - Autonomous - One of the biggest issues with 12.4(21a)JA01 (resolved in whatever IOS code came after JA01).
It also looks like there is an even older bug, but I can't make out the WLC code version.
It may not even be an issue for this case. Just something to note.
11-29-2011 06:54 AM
Thanks for the version! I was worried it was on the 6.x:)
Sent from my iPhone
11-29-2011 09:10 AM
Hi,
The version of code on the corporate network controllers (2 x WiSM) and DMZ Anchor Point controllers (2 x 4402) is 7.0.98.0.
If there are any recommendations on required code level, please let me know.
Many thanks
11-29-2011 09:24 AM
Nothing specific to this issue comes to mind as far as 7.0 goes.
I saw a few TAC cases complain about guest + vpn, all of which were firewall limitations (except I think 1 was a bandwidth contract issue).
Are you doing rate limiting with bandwidth contracts? That wouldn't prevent a VPN, though; it would just potentially cause VPN disconnects due to oversubscription...
So unless bandwidth contracts are in place, I'm leaning back to Scott's post. I assume you have a firewall between your Anchor WLC and the internet... perhaps the firewall is eating the packets? Specifically, you mention your anchor is in the DMZ... I hear "DMZ" used loosely; sometimes it means completely on the other side of the firewall, sometimes it means a virtual zone within the firewall (port 1 trust, port 2 untrust, port 3 DMZ), so traffic would still go through the firewall from DMZ to untrust to get to the internet...
11-29-2011 09:32 AM
Hi,
Yes, I just checked the FW rules, and although we allow all TCP/UDP access outbound, I am thinking we also need to enable IPsec ESP (IP protocol 50).
Many thanks
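The conclusion the thread arrives at is worth making concrete: a guest DMZ policy that permits "all TCP/UDP outbound" still drops the parts of a client VPN that are neither TCP nor UDP, namely IPsec ESP (IP protocol 50) and PPTP's GRE (IP protocol 47). The EoIP tunnel does not change this, because it terminates on the anchor controller and the decapsulated guest traffic then crosses the DMZ firewall on its own. The script below is an added illustration, not configuration from the original post or from Cisco. The rule model, the zone names `dmz` and `untrust`, and the two constructed rulesets (`BEFORE` as described in the thread, `AFTER` with the missing protocols added) are assumptions; the protocol numbers and ports are the standard ones.

```python
"""Check whether an egress firewall policy lets client VPNs out of a guest DMZ.

Added illustration for the thread above, not configuration from the original
post. The rulesets are constructed: BEFORE models a policy that permits
"all tcp/udp outbound" from the guest DMZ and nothing else; AFTER adds the
non-TCP/UDP IP protocols that IPsec (ESP, 50) and PPTP (GRE, 47) need.
Zone names and the Rule/Flow model are assumptions for the example.
"""
from dataclasses import dataclass
from typing import List, Optional

# IANA IP protocol numbers used below
PROTO = {"tcp": 6, "udp": 17, "gre": 47, "esp": 50}


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src_zone: str
    dst_zone: str
    proto: Optional[int] = None     # None matches any IP protocol
    dst_port: Optional[int] = None  # None matches any port (tcp/udp only)


@dataclass(frozen=True)
class Flow:
    name: str
    src_zone: str
    dst_zone: str
    proto: int
    dst_port: Optional[int] = None  # None for protocols without ports


def first_match(rules: List[Rule], flow: Flow) -> str:
    """First-match evaluation with an implicit deny at the end, as most
    firewalls do. Returns the action of the first rule that matches."""
    for r in rules:
        if (r.src_zone, r.dst_zone) != (flow.src_zone, flow.dst_zone):
            continue
        if r.proto is not None and r.proto != flow.proto:
            continue
        if r.dst_port is not None and r.dst_port != flow.dst_port:
            continue
        return r.action
    return "deny"


# Outbound flows a typical client VPN needs from the guest DMZ to the
# internet. Return traffic is assumed to be handled by stateful inspection.
CLIENT_VPN_FLOWS = [
    Flow("IPsec IKE",    "dmz", "untrust", PROTO["udp"], 500),
    Flow("IPsec NAT-T",  "dmz", "untrust", PROTO["udp"], 4500),
    Flow("IPsec ESP",    "dmz", "untrust", PROTO["esp"]),
    Flow("PPTP control", "dmz", "untrust", PROTO["tcp"], 1723),
    Flow("PPTP GRE",     "dmz", "untrust", PROTO["gre"]),
    Flow("SSL VPN",      "dmz", "untrust", PROTO["tcp"], 443),
]


def vpn_gaps(rules: List[Rule]) -> List[str]:
    """Names of the client-VPN flows the policy would drop."""
    return [f.name for f in CLIENT_VPN_FLOWS
            if first_match(rules, f) != "permit"]


# "All tcp/udp outbound" from the DMZ, as described in the thread.
BEFORE = [
    Rule("permit", "dmz", "untrust", PROTO["tcp"]),
    Rule("permit", "dmz", "untrust", PROTO["udp"]),
]

# Same policy plus the protocols that are neither TCP nor UDP.
AFTER = BEFORE + [
    Rule("permit", "dmz", "untrust", PROTO["esp"]),
    Rule("permit", "dmz", "untrust", PROTO["gre"]),
]

if __name__ == "__main__":
    print("dropped before:", vpn_gaps(BEFORE))   # IPsec ESP, PPTP GRE
    print("dropped after: ", vpn_gaps(AFTER))    # nothing
```

Two caveats when applying this to a real firewall: if the guest subnet is NATed on the way out, IKE detects the NAT and ESP is carried inside UDP 4500 (NAT-T), so the bare ESP rule only matters for the non-NAT path, while PPTP's GRE has no such fallback and needs a GRE-aware NAT or no NAT at all. And on a first-match device, a permit for ESP or GRE placed after a broad "deny ip any any" is never reached, so check rule order as well as rule presence.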