WLC 2106 Only One user Authentication issue

netadmin2008
Level 1

hi all,


I have a WLC 2106 and 1242AG. It's a hotspot configuration.

So in WLC, under controller tab, I have set my ap-manager ip, my management ip, my virtual ip (1.1.1.1) and my hotspot network range ip.

I also set a DHCP range for the hotspot network.

In Wlans tab, I set my hotspot wlan, with no layer 2 security and for layer 3, I set none for layer 3 security and I use web policy authentication.

I use local authentication and I created under security menu, under AAA tab, 3 local net users.


From pc number 1, I get ip from dhcp, and I have authentication web page, authentication is ok and I can surf on web.

From pc number 2, when user 1 from pc 1 is connected, I get ip from dhcp but I have not the authentication web page, I have not DNS resolution.

When I try https:1.1.1.1/login.html, I have no answer.

And when user 1 is deauthenticated, the user 2 can surf on web.

So only one user can surf at the same time. Not good for a hotspot ...

Do you have an idea about this issue ...

thanks a lot.

12 Replies

dennischolmes
Level 7

Is the AP plugged into the 2106 or a switch?

If plugged into the AP you are seeing a routing issue as this is not really best practice. I would run the management and ap manager on port 1 and connect that port to a switch. This is called appliance mode. To do otherwise will give you cpu and memory problems.

Scott Fella
Hall of Fame

Can you post your show run-config so we can see if you have an issue with the configuration?  I have the same setup at home with no issues at all.

-Scott
*** Please rate helpful posts ***

In fact,

I have 3 AP 1242AG, 1 WLC 2106, and one Catalyst Express 520.

I have configured on Catalyst 520 2 vlans (administration and wifi hotspot)

Port 1/2/3 of catalyst are for AP with poe in vlan Administration, port 5 for WLC administration vlan.

Port 6/7/8 of catalyst are for WLC wifi hotspot network. 8 for WLC, 7 for DMZ interface of my internet firewall.

Port 1 of WLC is administration vlan for AP.

Port 3 of WLC is on Wifi hotspot vlan.

It's clear that I have missed something but I don't know what.

I tried with radius server for authentication but it's the same thing.

I had configured the same configuration with AP1130 and the same WLC with radius server and OTP for another client and it's working fine...

I send you the running-config in few minutes ...

If it is an issue with your FW, what you can do is create another SSID and map that to your inside network. Set up the SSID for web-auth and see if both devices work fine. You sure you have NAT configured for the Internet side?

-Scott
*** Please rate helpful posts ***

hi,

Yes, I have nat on my external interface.
I have tried with other wired clients network and all is ok for internet access.
I saw the address translation on firewall log.

I will try with another SSID.

I made debug on WLC, and I didn't see aaa traffic from the second user. I saw only DHCP request.

I send the config.

Can you post your show run-config.... I think you posted the show running-config:)

Are you using one username and password for each device or are you using different usernames and passwords? Try to use one that works and verify under the WLC Security tab | User Login Policy, that you have that set to '0' for now.... '0' allows unlimited number of logins per username.

-Scott
*** Please rate helpful posts ***

netadmin2008
Level 1

hi all,

This morning I changed my Catalyst 520 Express for a Catalyst 2960G. And "OH my god", it's working very well, with many users at the same time ...

So I took my Catalyst 520 Express and I put it in the trash .. the right place for this kind of switch ...

Thanks a lot for all.

best regards

netadmin2008
Level 1

hi all,

Just for a more precise answer.

In fact it's working with the Catalyst Express 520. Yes, I know I am not friendly with this kind of switch ...

On my Catalyst Express 520, I have 2 vlans. One for the management of the AP, the other for the hotspot.

On the switch 520, the port on hotspot vlan where WLC 2106 is plugged, must be in role "OTHER", "ROUTER" or "ACCESS POINT" for smartport configuration.

If not, only one user can connect to hotspot !!!!!! ??????

thanks for all...

vinodjad1234
Level 2

Hi,

How many local net users are created in AAA option?

If you have created more than 1 .. please use other credentials which you have created in WLC.

Please make sure you have specified time duration for surfing ............

It is a security problem with Cat 520 guys. I use the same switch here and access is controlled by use of smart port configurations. Unless you have the port configured to one of the multiuser roles you can not pass traffic back on the switch to more than one source address. Cat 520s are crap but they will work if you allow yourself the time to read the documentation on them.  Mine were part of a test and evaluation program we did for a school system years ago. They blow. I did find a way however to get to the cli on mine (yes they do have a cli) but I will have to look up the command for it from the web page to open up the web based dialogue box. Stay away from these things like the plague guys. They are a WLAN killer.

Vinay Sharma
Level 7

Hello,

Please mark the Question as Answered, if the provided information is correct and it helped. By doing that others can take benefit as well.

Thanks,

Vinay Sharma

Community Manager – Wireless

Thanks & Regards

Dear Sender,

The procedure to submit a request for Firewall Request has changed.

You have now to write your email to the following email address: FirewallManagement@gemalto.com

Do Not use anymore the previous email address: “FirewallRequests@gemalto.com”, as no Action/Result will happen.

Thank you for your attention,

Thank you to contact IT Support.”
