Guest wlan problem

akobwaycct · ‎02-22-2007

hi

i want to use web athentication for my guest wlan lan but when enable web policy the client cant get an ip address and i can no longer browse or ping the controller form my clients.my setup has only one cisco WLC 4402 and 19 1242 APs and a CISCO ACS SE 1112 which i am still struggling to set up

rlaplante · ‎02-22-2007

Can you post your config. Are you using PoE, Switch type you and config you are using. I have recently completed our install and worked through many issues.

akobwaycct · ‎02-22-2007

ok there is my config.yes am using PoE onyl for the APs.I have created a separate vlan for my guest network and mapped the vlan to my interface and my guest wlan on the controller WLC 4402.Tel me what config you really need.

Thanks for your reply.

interface config

Interface Name................................... btc_guest

IP Address....................................... 172.31.2.2

IP Netmask....................................... 255.255.255.0

IP Gateway....................................... 172.31.2.1

VLAN............................................. 4

Active Physical Port............................. 1

Primary Physical Port............................ 1

Backup Physical Port............................. 2

Primary DHCP Server.............................. 172.31.2.1

Secondary DHCP Server............................ Unconfigured

ACL.............................................. Unconfigured

AP Manager....................................... No

wlan config

(Cisco Controller) show>wlan 2

WLAN Identifier.................................. 2

Network Name (SSID).............................. BTC_guest

Status........................................... Enabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Enabled

AAA Policy Override.............................. Disabled

Number of Active Clients......................... 0

Exclusionlist.................................... Disabled

Session Timeout.................................. 1800 seconds

Interface........................................ btc_guest

DHCP Server...................................... Default

Quality of Service............................... Silver (best effort)

WMM.............................................. Disabled

802.11e.......................................... Disabled

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... None

IPv6 Support..................................... Disabled

Radio Policy..................................... 802.11B and 802.11G only

(Cisco Controller) show>wlan 1

WLAN Identifier.................................. 1

Network Name (SSID).............................. Kryptonite

Status........................................... Enabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Enabled

AAA Policy Override.............................. Disabled

Number of Active Clients......................... 5

Exclusionlist.................................... Disabled

Session Timeout.................................. 1800 seconds

Interface........................................ management

DHCP Server...................................... Default

Quality of Service............................... Silver (best effort)

WMM.............................................. Disabled

802.11e.......................................... Disabled

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... None

IPv6 Support..................................... Disabled

Radio Policy..................................... 802.11B and 802.11G only

Security

--More-- or (q)uit

rlaplante · ‎02-22-2007

Here is my example. Note that you are not defining a DHCP server. If the switch is VLAN'ed out correctly there must be a dhcp server on that subnet. I set up a DHCP server in the wireless controller for the guest network. Then override the dhcp server to point to the guest interface ip address. A dhcp server set in the interface applies to the AP's if they get dhcp and clients but only if they all on the same subnet. If that does not help let me know.

WLAN Identifier.................................. 2

Network Name (SSID).............................. Guest-Wireless

Status........................................... Enabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Enabled

AAA Policy Override.............................. Disabled

Number of Active Clients......................... 0

Exclusionlist Timeout............................ 60 seconds

Session Timeout.................................. Infinity

Interface........................................ vlan99

WLAN ACL......................................... unconfigured

DHCP Server...................................... 192.168.130.10

DHCP Address Assignment Required................. Enabled

Quality of Service............................... Silver (best effort)

WMM.............................................. Disabled

CCX - AironetIe Support.......................... Enabled

CCX - Gratuitous ProbeResponse (GPR)............. Disabled

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... None

IPv6 Support..................................... Disabled

--More-- or (q)uit

Radio Policy..................................... All

Security

802.11 Authentication:........................ Open System

Static WEP Keys............................... Disabled

802.1X........................................ Disabled

Wi-Fi Protected Access (WPA/WPA2)............. Disabled

CKIP ......................................... Disabled

IP Security................................... Disabled

IP Security Passthru.......................... Disabled

L2TP.......................................... Disabled

Web Based Authentication...................... Disabled

Web-Passthrough............................... Enabled

ACL............................................. Unconfigured

Email Input..................................... Enabled

Auto Anchor................................... Disabled

Cranite Passthru.............................. Disabled

Fortress Passthru............................. Disabled

H-REAP Local Switching........................ Enabled

Management Frame Protection................... Enabled (Global MFP Disabled)

akobwaycct · ‎02-23-2007

ok am still struggling..did u create two separate vlans.i think i might have gone wrong by binding the corporate wlan to the management interface..is it ok or should i create a separate interface for it.

please give me a step by step of how you configured your ACS SE if you are using one am struggling to link the WLC 4402 to the ACS.

zhenningx · ‎02-23-2007

You configured 172.31.2.1 as the dhcp server. Are you using IOS router as the dhcp server? Can you make sure your guests can get IP when web policy is disabled?

Also I would move the business wlan interface to dynamic interface other than the management interface.

Zhenning

akobwaycct · ‎02-25-2007

yes am using the catalyt 6500 switch as my dhcp server,yes i do get an ip address when web policy is disabled..when i enable it i still get an ip address but then web policy does just work and i cant ping my default gateway

zhenningx · ‎02-26-2007

When web policy is disabled(open authentication), can you ping your default gateway? When web policy is enabled, can you successfully login through web auth? It might be something wrong with the authentication.

akobwaycct · ‎02-26-2007

yes when web auth is disabled i can ping my default gateway...no when i enable web policy i cant login successfully through web auth.

charlesdf22 · ‎02-26-2007

Which web auth are you using? Have you tried changing the different methods? What version of code are you running?