web-auth SSID issue

03-07-2012 04:05 AM - edited 07-03-2021 09:44 PM
Hello All,
I have SSID using web-auth with subnet /20.
The problem is that users are wasting my IP addresses because everyone connects will reserve an IP address for the leased period on DHCP (8 hours).
This will make utilization on DHCP scope reach like 90% although only about 1500 users are connected at a specific time.
We tried to reduce the lease time to 4 hours and the utilization is now about 70%.
I am thinking of a better solution (if it can be implemented) by putting the users in web-auth in VLAN X if they are not authenticated yet and putting them in VLAN Y after they are authenticated.
I know this somehow can be done with dot1x WLANs via the RADIUS server. But how can I do this on web-auth? Can it be done?
Thanks.
Amjad
Labels: Wireless Security

03-10-2012 02:48 AM
Guys, no one to help on this?
03-10-2012 05:19 AM
You can do that using ISE, since ISE would host the splash page, but not with ACS, IAS or NPS.
Sent from Cisco Technical Support iPhone App
*** Please rate helpful posts ***

03-14-2012 12:35 AM
Scott: I should use ISE as a NAC server, right? Or even if I have a NAC appliance this should work. Am I right?
I never worked with a NAC appliance but what I know is that it is the one that hosts the auth page for you until you really authenticate, which is the same as you mentioned with ISE (which AFAIK combines features of ACS 5.x and the NAC appliance).
This is not an option that I can take due to lack of both ISE and NAC in my network.
03-14-2012 03:25 AM
It's something to look at since ISE will do NAC, ISE will not do tacacs though.
Thanks,
Scott Fella
Sent from my iPhone
*** Please rate helpful posts ***

03-10-2012 06:39 AM
Amjad,
This cannot be accomplished utilizing just RADIUS with web auth. Once the client reaches the web auth page they already have an IP address, and once authentication is passed the controller doesn't have a way to have the client renew its IP address, therefore changing VLANs wouldn't work.
I would consider taking a look at some different options regarding the design. What's the situation?
Is this an instance in which there is campus wide guest access and users can roam from one side to another on the same SSID without dead spots? Or could this be segregated into smaller pockets of different VLANs for guest access?
On average, how long are many of your guest users on site utilizing the wireless? Are there any changes that could be made due to that?
In the link below Carlo of New York University talks about how they reduced their DHCP lease time to 5 minutes because it worked for their situation. Look at 31:47
http://www.youtube.com/watch?v=I7V2p2Oa8Uo&feature=g-hist&context=G2a735dcAHTrjH0gA_AA
Regards,
Aaron
03-10-2012 08:14 AM
We always recommend putting your wireless users on private IP space and then NAT/PAT them to a range of public IP addresses. We usually NAT/PAT each /24 of private IP space to a single public IP. This has worked perfectly for us for the last five years with roughly 20k clients each day.
Sent from Cisco Technical Support iPhone App
03-11-2012 09:46 AM
That's always been an issue. Here are a few suggestions...
1) Don't broadcast your guest SSID. Give guests your SSID; this way people passing by won't just connect.
2) I have our DHCP leases set to 30 minutes. We have 4,000-6,000 guests on our network. After doing actual scans we really only have 400-500 actual guests passing traffic. BTW I would NOT move your scope to 5 min leases. Your server will get hammered!
03-11-2012 09:53 AM
I have to disagree with George, I would not disable broadcast. The idea behind guest networks is to make it easy to connect to the wireless but introduce an authentication method to control access. If you don't broadcast, users need to know how to manually add an SSID and there are issues with Microsoft clients not being able to connect. I would love to see that checkbox be removed.
I would do short lease times on a large subnet or use interface groups with small /24's.
Sent from Cisco Technical Support iPhone App

03-14-2012 03:15 AM
George:
Not broadcasting the SSID is not an option. With 1k+ users you cannot teach them all how to connect to a hidden SSID. Even if you taught them, there will be more new people and visitors that will have no idea how to connect to the internet. If every visitor has to open a ticket to get to the internet it will be a nightmare.
The DHCP guys are saying that putting the DHCP lease to 2 hours will affect it significantly. I think a 5 minute lease will bring the whole server down.
Thanks for your suggestions.

03-14-2012 12:33 AM
Thank you for all your suggestions guys.
My option was to decrease the DHCP lease to 1 hour or 2. However, the DHCP admins are not agreeing on this. They say this is going to put much more traffic on the DHCP server, which already serves 15k+ users.
It was a very long discussion until they accepted reducing the lease from 8 hours to only 4 hours.
With a 4 hour lease time the DHCP scope utilization is somewhere around 60 - 75%, although the number of users does not exceed 100 at any given time during the day (the DHCP scope offers about 4k IP addresses).
I wonder whether in the DHCP implementation there should be release messages sent from the client to the DHCP server when it normally disconnects, right? Isn't this being implemented by clients? If I remember correctly, DHCPRELEASE messages should be sent from the client to the DHCP server when a client disconnects. I know this is not a mandatory implementation, but I wonder why vendors don't just implement it anyway, so if the client disconnects normally it sends this release message and makes the IP available for someone else?
Thanks a lot for all your suggestions.
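The thread's central question is how lease time (and a DHCPRELEASE on disconnect) drives scope utilization when most sessions are far shorter than the lease. The following added model, not from any post above, estimates steady-state address occupancy with Little's law (occupancy = arrival rate x mean time an address stays bound); it assumes a client renews at T1 = lease/2 while connected, that without a release the binding lives on until the last renewal plus the lease, and uses constructed session lengths and arrival rate.

```python
# Steady-state DHCP scope occupancy as a function of lease time.
# Assumptions (not from the thread): renewals happen exactly at T1 = lease/2,
# a binding with no DHCPRELEASE expires at last_renewal + lease, and client
# arrivals are uniform over time. Session lengths below are constructed.

def hold_time(session_min, lease_min, releases=False):
    """Minutes one client session keeps an address bound on the server."""
    if releases:
        # Client sends DHCPRELEASE on disconnect: address freed immediately.
        return session_min
    t1 = lease_min / 2  # renewal interval (T1)
    last_renewal = (session_min // t1) * t1  # last renewal before leaving
    return last_renewal + lease_min  # binding idles until it expires


def expected_occupancy(sessions_min, arrivals_per_hour, lease_min, releases=False):
    """Little's law: concurrent bindings = arrival rate x mean hold time."""
    total_hold = sum(hold_time(s, lease_min, releases) for s in sessions_min)
    mean_hold_hours = total_hold / len(sessions_min) / 60
    return arrivals_per_hour * mean_hold_hours


def scope_utilization(occupancy, prefix_len):
    """Fraction of usable addresses in a /prefix scope that are bound."""
    usable = 2 ** (32 - prefix_len) - 2  # network and broadcast excluded
    return occupancy / usable


# Constructed sample: a mix of short guest sessions, in minutes.
SESSIONS = [5, 15, 30, 60, 120]
ARRIVALS_PER_HOUR = 500  # constructed; pick from your own DHCP logs

if __name__ == "__main__":
    for lease, releases in ((480, False), (240, False), (240, True)):
        occ = expected_occupancy(SESSIONS, ARRIVALS_PER_HOUR, lease, releases)
        util = scope_utilization(occ, 20)  # the thread's /20 scope
        tag = "with DHCPRELEASE" if releases else "no release"
        print(f"lease {lease:>3} min, {tag:<16}: "
              f"~{occ:6.0f} bound, {util:5.1%} of a /20")
```

Comparing the 8 h and 4 h rows reproduces the thread's trend (shorter leases cut idle bindings) and the third row shows why clients releasing on disconnect would help far more than any lease the DHCP admins would accept.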
