Wireless guest wlan and secured corporate wlan

Unanswered Question
Mar 5th, 2007

I am implementing an enterprise wireless network for my company. I am planning on setting up one secured corporate WLAN for employees and one open guest WLAN for guests/contractors/vendors. Is there a way I can prevent my employees from jumping from the secured WLAN to the guest WLAN? Thanks.


amritpatek Fri, 03/09/2007 - 13:42

You could configure a different SSID for each access group and a different authentication mechanism for each SSID.

prakashj Sat, 03/10/2007 - 02:09

Hi lee,

Configure 2 SSIDs. One SSID will be for corporate and another one will be for guest.

AP:dot11 ssid Corp
 authentication open

AP:dot11 ssid Guest
 vlan ---
 authentication open


And make the Corp SSID secured. Apply the WEP key to Dotinterface 0, and apply the same to that SSID.

Create an access list which will block access to the guest N/W from the secure WLAN. Apply the same to the particular S/W port. I hope this will help you. Pls rate the same.


Saji k.s

eit-homing Mon, 03/12/2007 - 11:55

Thanks. But how would I prevent a user from configuring their laptop to connect to the Guest SSID manually, since the Guest SSID is wide open?

brent-miller Tue, 03/13/2007 - 10:14

Unless you want to do some sort of MAC address blocking or 802.1x authentication, you can't. A public access point is open to anyone, even those you want to have connect to the secure one. This is one of those things that's best handled by user training.
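The MAC address idea in the reply above can also serve detection: compare the clients seen on the guest SSID with the corporate asset inventory. This is an added example, not part of the original thread; the log line format, SSID names, MAC addresses and asset names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed corporate asset inventory (MAC -> asset name); formats vary by source.
CORP_ASSETS = {
    "00:13:CE:4A:9B:21": "laptop-finance-07",
    "00-16-6F-12-34-56": "laptop-eng-12",
}

# Constructed association records; this line format is an assumption for the example.
SAMPLE_LOG = """\
2007-03-13T09:02:11 ssid=Guest client=0013.ce4a.9b21 ap=ap-lobby-1
2007-03-13T09:05:40 ssid=Corp client=0016.6f12.3456 ap=ap-floor2-3
2007-03-13T09:07:02 ssid=Guest client=001b.7711.aa02 ap=ap-lobby-1
2007-03-13T09:30:15 ssid=Guest client=0013.ce4a.9b21 ap=ap-floor2-3
2007-03-13T09:31:00 malformed line without fields
"""

LINE_RE = re.compile(r"^(\S+) ssid=(\S+) client=(\S+) ap=(\S+)$")


def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a MAC address."""
    digits = re.sub(r"[.:\-]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def corp_clients_on_guest(log_text, assets, guest_ssid="Guest"):
    """Map each corporate MAC seen on the guest SSID to its asset and sightings."""
    inventory = {normalize_mac(m): name for m, name in assets.items()}
    inventory.pop(None, None)  # drop inventory entries that are not valid MACs
    hits = defaultdict(list)
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that do not parse rather than guessing
        ts, ssid, client, ap = match.groups()
        mac = normalize_mac(client)
        if mac and ssid == guest_ssid and mac in inventory:
            hits[mac].append((ts, ap))
    return {mac: {"asset": inventory[mac], "seen": seen} for mac, seen in hits.items()}


if __name__ == "__main__":
    for mac, info in corp_clients_on_guest(SAMPLE_LOG, CORP_ASSETS).items():
        print(mac, info["asset"], info["seen"])
```

A client can change its MAC address, so a match is a reason to follow up with the user, and the absence of a match does not prove that no corporate device used the guest network.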

n.steffen Fri, 03/16/2007 - 03:25


I am new to wireless. My question is: does an access point support only one LWAPP (tunnels) to a WLC?

Thanks for answers.

prakashj Mon, 03/19/2007 - 08:20

Hi stepehen

LWAPP also defines the tunneling mechanism for data traffic.

A LAP discovers a controller with the use of LWAPP discovery mechanisms. The LAP sends an LWAPP join request to the controller. The controller sends the LAP an LWAPP join response, which allows the AP to join the controller. When the LAP joins to the controller, the LAP downloads the controller software if the revisions on the LAP and controller do not match. Subsequently, the LAP is completely under the control of the controller. LWAPP secures the control communication between the LAP and the controller by means of a secure key distribution. The secure key distribution requires already provisioned X.509 digital certificates on both the LAP and the controller. Factory-installed certificates are referenced with the term "MIC", which is an acronym for Manufacturing Installed Certificate. Cisco Aironet APs that shipped before July 18, 2005, do not have a MIC. So these APs create a self-signed certificate (SSC) when they are upgraded in order to operate in lightweight mode. Controllers are programmed to accept SSCs for the authentication of specific APs.

Pls Refer the docu..



Saji k.s

eastman.rivai Thu, 03/29/2007 - 09:12

Just make sure that the secure SSID is at the top of the client's preferred wireless network list.

wiluszm Fri, 03/30/2007 - 13:15


Keep an eye out on my blog about secure guest access for enterprise wireless networking using WLCs. I'm working on a project like this right now and some configuration guidelines along with an overview are available here:



3iadministrator Tue, 04/24/2007 - 00:28


Create a dynamic interface, say GuestVLAN, at your WLC and connect it to a router or firewall, and have your router or firewall act as a DHCP for this GuestVLAN interface, e.g. network.

Meanwhile you may use your Management interface subnet for your Internet Network, e.g. network

Hope this clears your doubt.

