08-10-2020 09:01 AM - edited 07-05-2021 12:23 PM
Hi,
Wondering if anyone has any experience configuring wired guest access as per this link:
There are a few restrictions, notably:
The article is a little confusing to me
If I was going to try and interpret that based on the initial image at the top of the guide
The idea is to bridge the internet VLAN to VLAN 200 on the access switches.
Guess the difference in VLANs is fitting the restriction about the Anchor and wired VLAN ID must be different, but it's a little too different?
The other discrepancy is in the section "Configuring Foreign Controller with Open Authentication" step 6, which has:
guest-lan profile-name gstpro-1 1 wired-vlan 25
Later on, when configuring the anchor controller, "Configuration Anchor Controller with Open Authentication" step 7, it has this which associates the mobility profile with the guest LAN:
But on the anchor controller the configuration is given below which is just referencing the name used for the mobility profile:
Device(config)#guest-lan profile-name testpro-2 1
Maybe the latter is correct, but not sure about the VLAN assignments.
Many thanks in advance.
08-10-2020 03:14 PM - edited 08-10-2020 03:14 PM
So close, I've replaced the VLAN 200 with VLAN ID 555 and VLAN 25 on the foreign controller with 555 and am now getting the following error on the foreign controller:
Aug 10 21:50:31.360: %MM_LOG-4-EXPORT_ANCHOR_DENY: Chassis 1 R0/0: mobilityd: Export anchor required, but received export anchor deny for: WLAN Profile: gstpro-1, Client MAC: 00:0c:29:0d:c6:1a, Error: Received export anchor deny - profile mismatch.
Aug 10 21:50:27.965: %CLIENT_ORCH_GUEST_LAN_LOG-7-CLIENT_RECEIVED: Chassis 1 R0/0: wncd: Wired Guest Client MAC: 000c.290d.c61a join request received on vlan 555 - interface GigabitEthernet3
On the Anchor controller I am getting the following logs:
Aug 10 21:50:31.356: %MMIF_LOG-4-ANCHOR_RESP_PROFILE_MISMATCH: Chassis 1 R0/0: wncd: Export anchor required but config is incorrect, sending export anchor deny mismatch for: Wlan-Profile: gstpro-1, Policy Profile: testpro-1, client mac: 00:0c:29:0d:c6:1a
Aug 10 21:50:31.344: %CLIENT_ORCH_LOG-4-ANCHOR_INVALID_MBSSID: Chassis 1 R0/0: wncd: Export anchor required but config is incorrect (e.g.: wlan should be up, wlan profile name and policy profile name should match) for: Wlan-Profile: gstpro-1, Policy Profile: testpro-1, client MAC: 000c.290d.c61a
Aug 10 21:50:31.343: %CLIENT_ORCH_LOG-4-ANCHOR_INVALID_WLAN_ID: Chassis 1 R0/0: wncd: Export anchor required but unable to get wlan id for: Wlan-Profile: gstpro-1, Policy Profile: testpro-1, client MAC: 000c.290d.c61a
There are a few mistakes in the article, and some of the fine detail doesn't marry up, hence causing issues.
I think the profiles need to match, then there is this requirement which contradicts it?
Every guest LAN has a unique name and this name cannot be shared with RLAN or WLAN.
Take a look at the commands from the article below:
Foreign Controller:
wireless profile policy testpro-1
 mobility anchor 192.168.201.111 priority 1
 no shutdown
 exit
guest-lan profile-name gstpro-1 1 wired-vlan 25
 no security web-auth
 no shutdown
 exit
wireless guest LAN map gstmap-1
 guest-lan gstpro-1 policy testpro-1
 exit
Anchor Controller:
wireless profile policy testpro-2
 mobility anchor
 vlan 29
 no shutdown
 exit
guest-lan profile-name testpro-2 1
 client association limit
 no security web-auth
 no shutdown
 exit
You see the second one (anchor controller) has a guest-lan name that matches the wireless profile policy name "testpro-2", whereas on the other controller it's called "gstpro-1".
Is this correct?
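The following is an added example, not part of the original post and not Cisco code: a Python check that compares the two configurations quoted above and lists the profile names the foreign controller exports but the anchor does not define. It assumes, based only on the hint in the anchor's own log ("wlan profile name and policy profile name should match"), that the names must be identical on both controllers; the function names are hypothetical.

```python
import re

# Constructed inputs: the configs and one anchor log line quoted in the thread.
FOREIGN = """\
wireless profile policy testpro-1
 mobility anchor 192.168.201.111 priority 1
guest-lan profile-name gstpro-1 1 wired-vlan 25
wireless guest LAN map gstmap-1
 guest-lan gstpro-1 policy testpro-1
"""
ANCHOR = """\
wireless profile policy testpro-2
 mobility anchor
 vlan 29
guest-lan profile-name testpro-2 1
"""
ANCHOR_LOG = ("%MMIF_LOG-4-ANCHOR_RESP_PROFILE_MISMATCH: Chassis 1 R0/0: wncd: "
              "Export anchor required but config is incorrect, sending export "
              "anchor deny mismatch for: Wlan-Profile: gstpro-1, "
              "Policy Profile: testpro-1, client mac: 00:0c:29:0d:c6:1a")

def policy_profiles(cfg):
    """Names defined with 'wireless profile policy <name>'."""
    return set(re.findall(r"^wireless profile policy (\S+)", cfg, re.M))

def guest_lans(cfg):
    """Names defined with 'guest-lan profile-name <name> <id>'."""
    return set(re.findall(r"^guest-lan profile-name (\S+)", cfg, re.M))

def mapped_pairs(cfg):
    """(guest-lan, policy) pairs bound by the indented lines of a guest LAN map."""
    return re.findall(r"^[ \t]+guest-lan (\S+) policy (\S+)", cfg, re.M)

def denied_pairs(log):
    """(guest-lan, policy) pairs the anchor reported as mismatched."""
    return re.findall(r"Wlan-Profile: ([^,\s]+), Policy Profile: ([^,\s]+)", log)

def missing_on_anchor(foreign_cfg, anchor_cfg):
    """For each pair the foreign exports, list names the anchor does not define."""
    report = {}
    for glan, policy in mapped_pairs(foreign_cfg):
        wanted = {f"guest-lan {glan}": glan in guest_lans(anchor_cfg),
                  f"policy {policy}": policy in policy_profiles(anchor_cfg)}
        missing = [name for name, ok in wanted.items() if not ok]
        if missing:
            report[(glan, policy)] = missing
    return report

if __name__ == "__main__":
    print(denied_pairs(ANCHOR_LOG), missing_on_anchor(FOREIGN, ANCHOR))
```

The pair named in the anchor's deny message is the same pair bound in the foreign controller's guest LAN map, and neither name exists in the anchor configuration as quoted.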
08-10-2020 04:00 PM