03-06-2014 06:51 AM - edited 07-05-2021 12:21 AM
Will this be working?
I have a Flex AP at a branch where guest users should authenticate at the WLC in the central site and also get a DHCP address from the WLC.
Is this possible?
regards
Chris
03-06-2014 07:09 AM
Yes very well possible.
Sent from Cisco Technical Support Android App
03-06-2014 07:37 AM
okay
How do I do this? In my case it does not work; the client does not get an IP from the WLC...
Do I need some sort of dummy interface for this FlexConnect WLAN?
regards
03-06-2014 07:41 AM
Is the client traffic backhauled to the WLC? That's the only way that would work.
Normally the client will get DHCP from the local subnet if you are looking to keep the guest local.
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
03-06-2014 11:38 PM
okay
I have my DHCP on the WLC, but I have 2 scopes on the WLC: one for guest users at the central site, and one scope for the guest users at the branch site.
I have configured a "dummy" interface with IP addresses from the branch guest site and mapped this to the WLAN ID, but it did not change anything.
03-07-2014 03:15 AM
So you are using FlexConnect APs and your guest SSID is locally switched and centrally switched, and you want the WLC to hand out DHCP addresses to guests that are locally switched and centrally switched. The centrally switched works and the locally switched doesn't?
Make sure the interface has the WLC management IP address as the primary DHCP server. If both DHCP scopes are not working, then make sure that DHCP proxy is also enabled.
Sent from Cisco Technical Support iPhone App
03-06-2014 09:34 AM
You can still "local switch" the client data, yet "central process DHCP". On the WLAN you will want to select the option in the advanced tab to utilize "Central DHCP Processing".
The AP will forward the DHCP traffic back up to the WLC and once it passes through the DHCP_REQD state and the address is learned, the client will move on to locally switching its data traffic.
"When you enable this feature, the DHCP packets received from AP are centrally switched to the controller and then forwarded to the corresponding VLAN based on the AP and the SSID"
In this case, the WLC will deliver the DHCP via bridged mode or DHCP proxy utilizing the mapped interface to the said Flex WLAN. You will want to ensure that the client obtains a usable address that will correspond with the network the client will be switching on locally at that site.
03-06-2014 10:39 AM
hi.
can you share show wlan
Sent from Cisco Technical Support Android App
03-06-2014 11:20 PM
(Cisco Controller) >show wlan 4
WLAN Identifier.................................. 4
Profile Name..................................... guest-branch
Network Name (SSID).............................. guest-branch
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status ....................... Disabled
DHCP ......................................... Disabled
HTTP ......................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
User Idle Timeout................................ 300 seconds
--More-- or (q)uit
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... xxxx
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ guest-branch
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Enabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
--More-- or (q)uit
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... 802.11b and 802.11g only
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Global Servers
Accounting.................................... Global Servers
Interim Update............................. Disabled
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
--More-- or (q)uit
Security
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
WAPI.......................................... Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Enabled
IPv4 ACL........................................ Unconfigured
IPv6 ACL........................................ Unconfigured
Web-Auth Flex ACL............................... Unconfigured
Web Authentication server precedence:
1............................................... local
2............................................... radius
3............................................... ldap
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
--More-- or (q)uit
FlexConnect Local Switching................... Enabled
flexconnect Central Dhcp Flag................. Enabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional but inactive (WPA2 not configured)
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
--More-- or (q)uit
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Mobility Anchor List
WLAN ID IP Address Status
------- --------------- ------
802.11u........................................ Disabled
MSAP Services.................................. Disabled
(Cisco Controller) >
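Added example (not part of the original thread and not Cisco tooling): a small Python parser for the `show wlan` output format posted above, reporting where client data and DHCP are handled according to the FlexConnect flags discussed in the replies. The sample text is constructed from a few lines of that output, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the `show wlan 4` output above (pager prompt and bare header included).
SAMPLE = """\
WLAN Identifier.................................. 4
Network Name (SSID).............................. guest-branch
Interface........................................ guest-branch
DHCP Server...................................... Default
DHCP Address Assignment Required................. Enabled
--More-- or (q)uit
Security
802.11 Authentication:........................ Open System
Web Based Authentication...................... Enabled
FlexConnect Local Switching................... Enabled
flexconnect Central Dhcp Flag................. Enabled
flexconnect nat-pat Flag...................... Disabled
"""

# "Key....... value": a run of three or more dots separates key and value.
LINE = re.compile(r"^(?P<key>.+?)\s*:?\s*\.{3,}\s*(?P<value>.*)$")

def parse_show_wlan(text):
    """Return {lower-cased key: value}; pager prompts and bare headers are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("--More--"):
            continue
        m = LINE.match(line)
        if m:  # first occurrence wins for repeated keys such as "Average Data Rate"
            fields.setdefault(m.group("key").strip().lower(), m.group("value").strip())
    return fields

def dhcp_path(fields):
    """Summarise data and DHCP handling as the thread describes them."""
    def on(key):
        return fields.get(key, "").lower() == "enabled"
    local = on("flexconnect local switching")
    central_dhcp = on("flexconnect central dhcp flag")
    return {
        "data": "local (AP)" if local else "central (WLC)",
        "dhcp": "central (WLC)" if (central_dhcp or not local) else "local (AP VLAN)",
        "dhcp_required": on("dhcp address assignment required"),
        "interface": fields.get("interface"),
        "nat_pat": on("flexconnect nat-pat flag"),
    }

if __name__ == "__main__":
    print(dhcp_path(parse_show_wlan(SAMPLE)))
```

Paste a full `show wlan <id>` capture in place of `SAMPLE` to compare a branch guest WLAN against a working one.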
03-07-2014 03:05 PM
--disable local switching on the WLAN,
--configure DHCP for the guest-branch interface: either a local DHCP scope on the WLC with DHCP proxy enabled (the DHCP server IP on the interface would be the mgmt interface of the WLC), or disable DHCP proxy and use an external DHCP server.
--if you have already done the above and the clients are still not getting an IP address, share >debug client
03-08-2014 12:41 PM
Can you please confirm this:
you want the client to get an IP address from the WLC,
but do you want the clients to access only the local network?
Or should the clients access the local and central networks?
03-10-2014 12:37 AM
1. Yes, client IP from the WLC at the central site.
2. Clients access both networks, but more local applications.
The networks are connected via VPN and Checkpoint firewalls.
03-11-2014 10:56 AM
So then you want the split tunnel feature.
You can use the link below to help you configure this:
http://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-wireless-controllers/112973-flex7500-wbc-guide-00.html#split
This feature allows you to create a FlexConnect ACL and map this ACL to the WLAN on a specific AP.
If the packet is permitted according to the ACL, then the packet will be switched locally; if not, the packet will be forwarded centrally to the WLC.
I hope this will be useful.
Thank you
02-16-2015 05:31 AM
Hi Christian,
It's been a long time since this discussion was opened.
Did you manage to get an IP address from the local DHCP server (WLC) for guest users at the branch?
I'd be interested in your feedback.
Regards,
Hervé