02-22-2007 12:34 AM - edited 07-03-2021 01:40 PM
Hi,
I want to use web authentication for my guest WLAN LAN, but when I enable web policy the client can't get an IP address and I can no longer browse or ping the controller from my clients. My setup has only one Cisco WLC 4402, 19 1242 APs, and a Cisco ACS SE 1112, which I am still struggling to set up.
02-22-2007 07:32 AM
Can you post your config? Are you using PoE? What switch type and config are you using? I have recently completed our install and worked through many issues.
02-22-2007 10:13 PM
OK, here is my config. Yes, I am using PoE only for the APs. I have created a separate VLAN for my guest network and mapped the VLAN to my interface and my guest WLAN on the controller WLC 4402. Tell me what config you really need.
Thanks for your reply.
interface config
Interface Name................................... btc_guest
IP Address....................................... 172.31.2.2
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 172.31.2.1
VLAN............................................. 4
Active Physical Port............................. 1
Primary Physical Port............................ 1
Backup Physical Port............................. 2
Primary DHCP Server.............................. 172.31.2.1
Secondary DHCP Server............................ Unconfigured
ACL.............................................. Unconfigured
AP Manager....................................... No
wlan config
(Cisco Controller) show>wlan 2
WLAN Identifier.................................. 2
Network Name (SSID).............................. BTC_guest
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Number of Active Clients......................... 0
Exclusionlist.................................... Disabled
Session Timeout.................................. 1800 seconds
Interface........................................ btc_guest
DHCP Server...................................... Default
Quality of Service............................... Silver (best effort)
WMM.............................................. Disabled
802.11e.......................................... Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Radio Policy..................................... 802.11B and 802.11G only
(Cisco Controller) show>wlan 1
WLAN Identifier.................................. 1
Network Name (SSID).............................. Kryptonite
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Number of Active Clients......................... 5
Exclusionlist.................................... Disabled
Session Timeout.................................. 1800 seconds
Interface........................................ management
DHCP Server...................................... Default
Quality of Service............................... Silver (best effort)
WMM.............................................. Disabled
802.11e.......................................... Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Radio Policy..................................... 802.11B and 802.11G only
Security
--More-- or (q)uit
02-22-2007 10:35 PM
Here is my example. Note that you are not defining a DHCP server. If the switch is VLAN'ed out correctly there must be a DHCP server on that subnet. I set up a DHCP server in the wireless controller for the guest network. Then override the DHCP server to point to the guest interface IP address. A DHCP server set in the interface applies to the APs, if they get DHCP, and clients, but only if they are all on the same subnet. If that does not help let me know.
WLAN Identifier.................................. 2
Network Name (SSID).............................. Guest-Wireless
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. Infinity
Interface........................................ vlan99
WLAN ACL......................................... unconfigured
DHCP Server...................................... 192.168.130.10
DHCP Address Assignment Required................. Enabled
Quality of Service............................... Silver (best effort)
WMM.............................................. Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
--More-- or (q)uit
Radio Policy..................................... All
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
CKIP ......................................... Disabled
IP Security................................... Disabled
IP Security Passthru.......................... Disabled
L2TP.......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Enabled
ACL............................................. Unconfigured
Email Input..................................... Enabled
Auto Anchor................................... Disabled
Cranite Passthru.............................. Disabled
Fortress Passthru............................. Disabled
H-REAP Local Switching........................ Enabled
Management Frame Protection................... Enabled (Global MFP Disabled)
02-23-2007 07:09 AM
OK, I am still struggling. Did you create two separate VLANs? I think I might have gone wrong by binding the corporate WLAN to the management interface. Is it OK, or should I create a separate interface for it?
Please give me a step-by-step of how you configured your ACS SE, if you are using one. I am struggling to link the WLC 4402 to the ACS.
02-23-2007 02:07 PM
You configured 172.31.2.1 as the DHCP server. Are you using an IOS router as the DHCP server? Can you make sure your guests can get an IP when web policy is disabled?
Also, I would move the business WLAN interface to a dynamic interface other than the management interface.
Zhenning
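The two points raised in the replies so far (a WLAN-level DHCP server override on the web-policy WLAN, and keeping the business WLAN off the management interface) can be checked mechanically against pasted `show wlan` output. This is an added example, not part of any poster's message or Cisco tooling; the sample text is constructed from the field names quoted in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample: field names and layout follow the output quoted above.
SAMPLE = """\
WLAN Identifier.................................. 2
Network Name (SSID).............................. BTC_guest
Interface........................................ btc_guest
DHCP Server...................................... Default
Security
--More-- or (q)uit
WLAN Identifier.................................. 1
Network Name (SSID).............................. Kryptonite
Interface........................................ management
DHCP Server...................................... Default
   Web Based Authentication...................... Enabled
WLAN Identifier.................................. 3
Network Name (SSID).............................. Guest-Wireless
Interface........................................ vlan99
DHCP Server...................................... 192.168.130.10
   Web-Passthrough............................... Enabled
"""

# "Key....... Value": dotted leader of two or more dots, optional colon on the key.
FIELD = re.compile(r"^\s*(.+?)\s*:?\s*\.{2,}\s*(.*?)\s*$")

def parse_wlans(text):
    """Split pasted output into one dict per WLAN; pager and heading lines are skipped."""
    wlans = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue                      # e.g. "Security", "--More-- or (q)uit"
        key, value = m.groups()
        if key == "WLAN Identifier":
            wlans.append({})
        if wlans:
            wlans[-1][key] = value
    return wlans

def audit(wlan):
    """Return findings for one WLAN, limited to the points discussed in the thread."""
    findings = []
    web = [wlan.get("Web Based Authentication"), wlan.get("Web-Passthrough")]
    if web == [None, None]:
        findings.append("security section missing: web policy state unknown")
    elif "Enabled" in web and wlan.get("DHCP Server") == "Default":
        findings.append("web policy on, no WLAN-level DHCP server override")
    if wlan.get("Interface") == "management":
        findings.append("WLAN bound to the management interface")
    return findings

def report(text):
    return {w.get("Network Name (SSID)", "?"): audit(w) for w in parse_wlans(text)}
```

A WLAN whose output was cut at the `--More--` prompt is reported as unknown rather than passed, so the full `show wlan` output has to be captured before the result means anything.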
02-25-2007 09:22 PM
Yes, I am using the Catalyst 6500 switch as my DHCP server. Yes, I do get an IP address when web policy is disabled. When I enable it I still get an IP address, but then web policy does just work and I can't ping my default gateway.
02-26-2007 01:29 PM
When web policy is disabled (open authentication), can you ping your default gateway? When web policy is enabled, can you successfully log in through web auth? It might be something wrong with the authentication.
02-26-2007 09:30 PM
Yes, when web auth is disabled I can ping my default gateway. No, when I enable web policy I can't log in successfully through web auth.
02-26-2007 08:19 PM
Which web auth are you using? Have you tried changing the different methods? What version of code are you running?