Guest auth. over FlexConnect and DHCP server on WLC in central site.

Will this be working?

I have a Flex AP at a branch where guest users should authenticate at the WLC in the central site and also get a DHCP address from the WLC.

Is this possible?

regards

Chris

13 Replies

ermkgupta
Level 1

Yes, very well possible.


Sent from Cisco Technical Support Android App

Okay.

How do I do this? In my case it does not work; the client does not get an IP from the WLC...

Do I need some sort of a dummy interface for this FlexConnect WLAN?

regards

Is the client traffic backhauled to the WLC? That's the only way that would work.

Normally the client will get DHCP from the local subnet if you are looking to keep the guest local.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Okay.

I have my DHCP on the WLC, but I have 2 scopes on the WLC: one for guest users at the central site, and one scope for the guest users at the branch site.

I have configured a "dummy" interface with IP addresses from the branch guest site and mapped this to the WLAN ID, but it did not change anything.

So you are using FlexConnect APs and your guest SSID is both locally switched and centrally switched, and you want the WLC to hand out DHCP addresses to guests that are locally switched and centrally switched. The centrally switched works and the locally switched doesn't?

Make sure the interface has the WLC management IP address as the primary DHCP server. If both DHCP scopes are not working, then make sure that DHCP proxy is also enabled.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

You can still "local switch" the client data, yet "central process DHCP". On the WLAN you will want to select the option in the Advanced tab to utilize "Central DHCP Processing".

The AP will forward the DHCP traffic back up to the WLC and once it passes through the DHCP_REQD state and the address is learned, the client will move on to locally switching its data traffic.

"When you enable this feature, the DHCP packets received from AP are centrally switched to the controller and then forwarded to the corresponding VLAN based on the AP and the SSID"

In this case, the WLC will deliver the DHCP via bridged mode or DHCP proxy utilizing the mapped interface to the said Flex WLAN.  You will want to ensure that the client obtains a usable address that will correspond with the network the client will be switching on locally at that site.

Ali Aqrabawi
Cisco Employee

Hi.

Can you share show wlan?


Sent from Cisco Technical Support Android App

(Cisco Controller) >show wlan 4

WLAN Identifier.................................. 4
Profile Name..................................... guest-branch
Network Name (SSID).............................. guest-branch
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
  Client Profiling Status ....................... Disabled
   DHCP ......................................... Disabled
   HTTP ......................................... Disabled
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
User Idle Timeout................................ 300 seconds
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... xxxx
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ guest-branch
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Enabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream      Downstream
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0
Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Per-Client Rate Limits........................... Upstream      Downstream
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0
Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... 802.11b and 802.11g only
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ Global Servers
   Accounting.................................... Global Servers
      Interim Update............................. Disabled
   Dynamic Interface............................. Disabled
   Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Security
   802.11 Authentication:........................ Open System
   FT Support.................................... Disabled
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Disabled
   WAPI.......................................... Disabled
   Wi-Fi Direct policy configured................ Disabled
   EAP-Passthrough............................... Disabled
   CKIP ......................................... Disabled
   Web Based Authentication...................... Enabled
        IPv4 ACL........................................ Unconfigured
        IPv6 ACL........................................ Unconfigured
        Web-Auth Flex ACL............................... Unconfigured
        Web Authentication server precedence:
        1............................................... local
        2............................................... radius
        3............................................... ldap
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   FlexConnect Local Switching................... Enabled
   flexconnect Central Dhcp Flag................. Enabled
   flexconnect nat-pat Flag...................... Disabled
   flexconnect Dns Override Flag................. Disabled
   FlexConnect Vlan based Central Switching ..... Disabled
   FlexConnect Local Authentication.............. Disabled
   FlexConnect Learn IP Address.................. Enabled
   Client MFP.................................... Optional but inactive (WPA2 not configured)
   PMF........................................... Disabled
   PMF Association Comeback Time................. 1
   PMF SA Query RetryTimeout..................... 200
   Tkip MIC Countermeasure Hold-down Timer....... 60
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Mobility Anchor List
WLAN ID     IP Address            Status
-------     ---------------       ------
802.11u........................................ Disabled
MSAP Services.................................. Disabled

(Cisco Controller) >

-- Disable the local switching on the WLAN.

-- Configure the DHCP for the guest-branch interface: either a local DHCP scope on the WLC (with DHCP proxy enabled and the DHCP server IP on the interface set to the management interface of the WLC), or disable the DHCP proxy with an external DHCP server.

-- If you have already done the above and the clients are still not getting an IP address, share >debug client
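As an added example (not code from the thread or from Cisco), a small Python audit that parses the dotted `show wlan` output posted above and checks it against the DHCP conditions given in the replies: whether local switching and the Central DHCP flag leave a path to the WLC scope, whether the WLAN's interface points at the WLC management IP as its DHCP server, and whether DHCP proxy is on. The interface DHCP server, management IP and proxy state are not part of `show wlan`, so they are passed in as assumed inputs.

```python
import re

# Constructed excerpt of the "show wlan 4" output in this thread; only the lines
# the DHCP discussion depends on are kept.
SHOW_WLAN = """\
WLAN Identifier.................................. 4
Profile Name..................................... guest-branch
Interface........................................ guest-branch
DHCP Server...................................... Default
DHCP Address Assignment Required................. Enabled
   FlexConnect Local Switching................... Enabled
   flexconnect Central Dhcp Flag................. Enabled
   FlexConnect Vlan based Central Switching ..... Disabled
"""

# "Key........ Value" lines; the key is everything before the run of dots.
LINE = re.compile(r"^\s*(?P<key>[^.]+?)\s*\.{2,}\s*(?P<val>.*?)\s*$")

def parse_show_wlan(text):
    """Map each dotted line to a dict, keys lower-cased (the dump mixes case)."""
    fields = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            fields[m.group("key").lower()] = m.group("val")
    return fields

def classify_dhcp_path(fields):
    """Which design from the replies the WLAN matches:
    'central'     centrally switched, DHCP handled by the WLC
    'local+cdhcp' locally switched, DHCP sent to the WLC (Central DHCP Processing)
    'local'       locally switched, DHCP answered on the branch subnet"""
    local_sw = fields.get("flexconnect local switching") == "Enabled"
    central_dhcp = fields.get("flexconnect central dhcp flag") == "Enabled"
    if not local_sw:
        return "central"
    return "local+cdhcp" if central_dhcp else "local"

def dhcp_checklist(fields, wlc_mgmt_ip, interface_dhcp_server, dhcp_proxy):
    """Return the problems a WLC-hosted guest scope would hit with this WLAN.
    interface_dhcp_server: primary DHCP server set on the WLAN's dynamic interface.
    dhcp_proxy: global DHCP proxy state (both assumed inputs, not in 'show wlan')."""
    problems = []
    if classify_dhcp_path(fields) == "local":
        problems.append("locally switched without Central DHCP: WLC scope is never reached")
    if fields.get("dhcp server", "Default") == "Default" and interface_dhcp_server != wlc_mgmt_ip:
        problems.append("WLAN uses the interface DHCP server, which is not the WLC management IP")
    if not dhcp_proxy:
        problems.append("DHCP proxy disabled: a local WLC scope needs proxy enabled")
    if fields.get("dhcp address assignment required") != "Enabled":
        problems.append("DHCP Required is off: static-IP clients bypass the WLC scope")
    return problems
```

Run it against a full `show wlan` capture and a correct setup returns an empty list; each remaining item names the reply in the thread it comes from.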

Ali Aqrabawi
Cisco Employee

Can you please confirm this:

You want the client to get an IP address from the WLC,

but do you want the clients to access only the local network?

Or should the clients access both the local and central networks?

1. Yes, client IP from the WLC at the central site.

2. Clients access both networks, but mostly local applications.

The networks are connected via VPN and Check Point firewalls.

So then you want the split tunnel feature.

You can use the link below to help you configure this:

http://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-wireless-controllers/112973-flex7500-wbc-guide-00.html#split

This feature allows you to create a FlexConnect ACL and map this ACL to the WLAN on a specific AP.

If a packet is permitted by the ACL, it is switched locally; if not, the packet is forwarded centrally to the WLC.

I hope this will be useful.

Thank you

herve.leon
Level 1

Hi Christian,

It's been a long time since this discussion was opened.

Did you manage to get an IP address from the local DHCP server (WLC) for guest users at the branch?

I'd be interested in your feedback.

Regards,

Hervé