04-13-2013 11:50 AM - edited 07-03-2021 11:54 PM
Almost there.
Scenario:
2504 wlc
Aps 1140
Port 1 lan radius all ok
Port 2 defined for guest wlan directed attach no isp router dhcp
1 utp cable on router acquire ip address
On guest WLAN no IP address is given. I think I tried every combination.
Any help?
04-13-2013 12:02 PM
This is how you need to set up your WLC. Port 1 is your internal, so in the management interface and any dynamic interfaces for your internal you need to specify port 1 as primary and port 0 as backup. On the guest dynamic interface you need to specify port 2 as primary and port 0 as backup. Now you're placing the traffic on the correct interfaces.
If your router on the guest side is the DHCP server, you need to disable DHCP proxy in the WLC. DHCP proxy is required if you're using the WLC as a DHCP for any VLANs you have defined on the WLC. From the WLC CLI or GUI try to ping the guest gateway address.
Also always test with an open SSID to start with, and you can also test using a wired device connected to the guest subnet to verify DHCP and Internet connectivity.
04-13-2013 12:37 PM
That's my doubt. Port 1 is connected to my switching and consecutively to the main DHCP server. Can I have a different one on the second port? I see in debug that port 2 tries to reach the correct DHCP (a new one assigned by my ISP).
PS: yes, all that you described is configured, except the DHCP proxy option. I will disable it later when at the office.
04-13-2013 12:41 PM
So the way I explained is really the only way unless you just use port 1 and trunk that to your switch. Then connect your guest network into a VLAN in the switch and let your layer 3 do the routing. The WLC will not route and only bridge.
You might be better off using the wlc as the dhcp for the guest and stay with the design I mentioned earlier. Your guest router will need to nat though.
04-13-2013 03:59 PM
Hi
I don't have layer 3 on switching capabilities.
So I have to route (we are doing routing, no NAT) on ISP.
I tried that option earlier (enable DHCP on WLC) but for some unknown reason the WLAN couldn't obtain a valid IP either.
Will try tomorrow, ty
04-14-2013 08:20 AM
So, what are the steps to make DHCP work (only on this Guest WLAN)?
Any help? TY
04-14-2013 08:34 AM
Well how do you have it setup?
04-14-2013 09:13 AM
Well, right now I only have DHCP but it isn't enabled. And the guest LAN is also disabled and not broadcasting SSID.
04-14-2013 11:05 AM
How is the controller set up? You using LAG or not? How many ports on the WLC are connected to the switch? What is the IP of your DHCP server?
Post the show WLAN
04-14-2013 11:20 AM
Scott Fella wrote:
How is the controller setup. You using LAG or not? (NO, it supports???) How many ports on the wlc is connected to the switch? (ONE) What is the ip of your dhcp server? (My lan dhcp - 192.168.2.a)
Post the show WLAN for each of your WLAN's you have created.
WLAN Identifier.................................. 3
Profile Name..................................... Guest WLan
Network Name (SSID).............................. WYguest
Status........................................... Disabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Disabled
AAA Policy Override.............................. Disabled
Network Admission Control
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
--More-- or (q)uit
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Disabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Disabled
--More-- or (q)uit
Accounting.................................... Disabled
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Enabled
CCKM.................................... Disabled
FT(802.11r)............................. Disabled
FT-PSK(802.11r)......................... Disabled
FT Reassociation Timeout......................... 20
FT Over-The-Air mode............................. Enabled
FT Over-The-Ds mode.............................. Enabled
CCKM tsf Tolerance............................... 1000
--More-- or (q)uit
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
H-REAP Local Switching........................ Disabled
H-REAP Local Authentication................... Disabled
H-REAP Learn IP Address....................... Enabled
Client MFP.................................... Optional
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Mobility Anchor List
WLAN ID IP Address Status
------- --------------- ------
04-14-2013 11:52 AM
So you only have one SSID shown. If you're placing your guest on the management interface, just make sure you add the DHCP on the management interface.
04-14-2013 11:56 AM
But can I have the 2 DHCP on different ports and/or interfaces? I don't want my LAN DHCP to give IP addresses to Guest.
WLAN Identifier.................................. 4
Profile Name..................................... XXX
Network Name (SSID).............................. XXX
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 2
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
--More-- or (q)uit
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Drop
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Disabled
--More-- or (q)uit
Accounting.................................... Disabled
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Enabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Enabled
CCKM.................................... Disabled
FT(802.11r)............................. Disabled
FT-PSK(802.11r)......................... Disabled
FT Reassociation Timeout......................... 20
FT Over-The-Air mode............................. Enabled
FT Over-The-Ds mode.............................. Enabled
CCKM tsf Tolerance............................... 1000
--More-- or (q)uit
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
H-REAP Local Switching........................ Disabled
H-REAP Local Authentication................... Disabled
H-REAP Learn IP Address....................... Enabled
Client MFP.................................... Optional
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Mobility Anchor List
WLAN ID IP Address Status
------- --------------- ------
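Added example, not part of any poster's message: both `show wlan` dumps above report `Interface........ management`, which puts guest clients on the same subnet and DHCP scope as the internal LAN. The Python sketch below parses that output layout and flags the condition along with two related settings visible in the dumps; the function names, the caller-supplied set of guest WLAN IDs and the sample text are assumptions constructed for illustration.

```python
import re

# Constructed excerpt in the "show wlan" layout quoted in the thread;
# values mirror the two WLANs posted, pager prompt included on purpose.
SAMPLE = """\
WLAN Identifier.................................. 3
Network Name (SSID).............................. WYguest
Status........................................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
--More-- or (q)uit
Peer-to-Peer Blocking Action..................... Disabled
      TKIP Cipher............................. Disabled
WLAN Identifier.................................. 4
Network Name (SSID).............................. XXX
Interface........................................ management
Peer-to-Peer Blocking Action..................... Drop
      TKIP Cipher............................. Enabled
"""

# "Key....... Value": a run of two or more dots separates key from value.
FIELD = re.compile(r"^\s*(.+?)\s*\.{2,}\s*(.*?)\s*$")

def parse_show_wlan(text):
    """Split concatenated 'show wlan' output into one dict per WLAN."""
    wlans = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # pager prompts, section headers, table rules
        key, value = m.groups()
        if key == "WLAN Identifier":
            wlans.append({})
        if wlans:
            wlans[-1].setdefault(key, value)  # first occurrence wins
    return wlans

def audit(wlans, guest_ids):
    """Return (wlan_id, finding) pairs; guest_ids is chosen by the caller."""
    findings = []
    for w in wlans:
        wid, guest = w["WLAN Identifier"], w["WLAN Identifier"] in guest_ids
        if guest and w.get("Interface") == "management":
            findings.append((wid, "guest WLAN mapped to management interface"))
        if guest and w.get("Peer-to-Peer Blocking Action") == "Disabled":
            findings.append((wid, "guest clients can reach each other"))
        if w.get("TKIP Cipher") == "Enabled":
            findings.append((wid, "TKIP still offered"))
    return findings
```

Keys are matched exactly, so `Multicast Interface` and `Dynamic Interface` lines are not mistaken for the WLAN's interface mapping.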
04-14-2013 12:09 PM
I think the idea is doing NAT, shouldn't it?
04-14-2013 12:51 PM
You need to do NAT no matter what... the WLC doesn't do NAT. What I would do is:
That should do it... this way you use your internal dhcp for your internal users and the WLC for your guest.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
04-14-2013 02:23 PM
Scott Fella wrote:
You need to do NAT no matter what... the WLC doesn't do NAT. What I would do is:
"IP Information conflicts with another interface".
That should do it... this way you use your internal dhcp for your internal users and the WLC for your guest.
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered"