
Ask the Experts: Wired Guest Access

Jan 13th, 2012

Sharath K.P.

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions on wired guest access with expert Sharath K.P. Wired guest access enables guest users to connect to the guest access network from a wired Ethernet connection designated and configured for guest access. Sharath K.P. is a Customer Support Engineer specialized in wireless and switching technologies at the Technical Assistance Center in Cisco Bangalore. He has been troubleshooting wireless and switching networks and management tools since 2009. Sharath has a bachelor's degree in Electrical Electronics Engineering from P.E.S College of Engineering (PESCE), VTU at Belgaum, India. He holds CCNP certifications in R&S and Wireless.

Remember to use the rating system to let Sharath know if you have received an adequate response.

Sharath might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Wireless and Mobility sub-community discussion forum shortly after the event. This event lasts through January 27, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

Daniel Anderson Tue, 01/17/2012 - 03:02

Hi Sharath,

Thanks for opening up this forum, I have a question around having multiple LAN based WLCs, utilising an Anchor controller within a DMZ for Wired Guest connections.

Say we have 4 LAN based controllers, each with a Guest LAN configured utilising Vlan 111, this vlan is then trunked down to our User access switches, whereby we have a user machine connected into a switchport in vlan 111. When the client initially connects, traffic will be forwarded from the client on Vlan 111, and trunked across the network into one of the WLCs - If there are 4 WLCs configured with the Guest LAN, how is the decision made as to which WLC the client will connect to? Obviously, this connectivity all happens at Layer 2, but in my mind, there isn't any particular MAC address or IP address that could be used to base a load-balancing decision on.

I've looked within the Cisco documentation, and have not been able to find anything describing how the above works.

Appreciate your feedback


tdennehy Tue, 01/17/2012 - 10:35


I have been wondering the same exact thing.  At many of our sites, we have two 5508 series controllers, one being the primary and one being the secondary.  The controllers are both configured the same, however we put all the access points on one controller to avoid inter-controller roaming.  The secondary exists in case the primary fails.

The guest wired and wireless network is a Cisco textbook design.  I have noticed that wired clients often end up on the secondary controller.  I too am wondering how it works.

Thanks in Advance!

Stephen Rodriguez Tue, 01/17/2012 - 10:45

Helping Sharath out.

As it's a broadcast from the client, the first WLC to get the packet is the one that will respond. That is the WLC the wired guest will associate with, and tunnel its traffic to, if you are anchoring.


George Stefanick Tue, 01/17/2012 - 10:51

Steve, I know you worked for Cisco TAC. What is your input about the round-robin?

Sharath Kattema... Tue, 01/17/2012 - 18:22

Hi tdennehy,

So as per Cisco best practices, using multiple foreign controllers for the same wired guest VLAN is not supported and the results will be unpredictable.

We have already opened a bug for the same (a little late, though).

Bug ID: CSCtw44999

The WLC Config Guide should clarify our support for redundancy options for wired guest.

Do not trunk a wired guest VLAN to multiple foreign controllers. This is not supported, and will generate unpredictable results.

However, what you see in your network, where wired guest clients show up on the secondary WLC, is normal behaviour.

The criterion would be that the nearest WLC on the broadcast domain (Layer 2) would respond to the client association request.

(Cisco Controller) >Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 Adding mobile on Wired Guest 00:00:00:00:00:00(0)
Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 apfHandleWiredGuestMobileStation (apf_wired_guest.c:121) Changing state for mobile 00:0d:60:5e:ca:62 on AP 00:00:00:00:00:00 from Idle to Associated.


Sharath K.P.

tdennehy Wed, 01/18/2012 - 12:21


I am using the screenshot below for simplicity. A small campus with two 5508-500s in it, one is the primary and one is the secondary. The primary controller has all the APs on it, the secondary sits there with nothing, but configured the same, waiting for the primary to fail so it can take over. Each controller configured for three corporate WLANs and one guest WLAN.

Both controllers are configured for guest wireless just like the drawing depicts, with an anchor controller in the DMZ.

Both controllers are configured for guest wired as well. Does CSCtw44999 state that configuring both controllers for guest wired networking is not supported?

Thanks in advance,


George Stefanick Tue, 01/17/2012 - 10:45

I will wait for the response as well. However, I will comment in the meantime based on what I have experienced. If you have a foreign controller and she is anchored to 2 anchor controllers, the foreign controller will "round robin" these users, wired or wireless. That has been my experience.

User 1 --> Anchor 1

User 2 --> Anchor 2

User 3 --> Anchor 1

User 4 --> Anchor 2

I asked TAC months ago if this could be changed and was told no. But there was a feature enhancement request in the future.

Great question. Can't wait for a response as well.

Stephen Rodriguez Tue, 01/17/2012 - 10:48

With dual anchors, the 'internal/foreign' will round robin to the anchor. But guest wired is a bit different.


George Stefanick Tue, 01/17/2012 - 10:52

Ok, good to know... Is this "wired" side documented anywhere?

Sharath Kattema... Tue, 01/17/2012 - 18:26

Hi George,

Nice to work with you again.

Yes, when we have multiple anchor controllers the client load balancing is done in a 'ROUND ROBIN' way and, as you are aware, we have opened an enhancement request for the same. We will work on other options we can provide and which would be feasible.

Your input in product feature enhancement is highly appreciated.

Regards,

Sharath K.P.

Sharath Kattema... Tue, 01/17/2012 - 18:17

Hi Daniel,

Wonderful observation and great question.

Yes, we don't find any recommendation or inputs in Cisco Docs on scenarios where we have multiple foreign WLCs present. When we go through the Cisco Doc available for Wired Guest Access:

Two separate solutions are available to the customers:

  1. A single WLAN controller (VLAN Translation mode) - the access switch trunks the wired guest traffic in the guest VLAN to the WLAN controller that provides the wired guest access solution. This controller carries out the VLAN translation from the ingress wired guest VLAN to the egress VLAN.

  2. Two WLAN controllers (Auto Anchor mode) - the access switch trunks the wired guest traffic to a local WLAN controller (the controller nearest to the access switch). This local WLAN controller anchors the client onto a DMZ Anchor WLAN controller that is configured for wired and wireless guest access. After a successful handoff of the client to the DMZ anchor controller, the DHCP IP address assignment, authentication of the client, etc. are handled in the DMZ WLC. After it completes the authentication, the client is allowed to send/receive traffic.

So as per Cisco best practices, using multiple foreign controllers for the same wired guest VLAN is not supported and the results will be unpredictable.

I do understand the confusion regarding such scenarios, as this (multiple foreign WLCs) is a very general setup which customers would like to deploy.

We have already opened a bug for the same (a little late, though).

Bug ID: CSCtw44999

The WLC Config Guide should clarify our support for redundancy options for wired guest.

Do not trunk a wired guest VLAN to multiple foreign controllers. This is not supported, and will generate unpredictable results.

Some of the other changes that we will be making as a part of the doc correction would be:

1. The WiSM2 needs to be added as a supported controller. (Not sure about the 7500, check with PM)

2. Where it says "Do not attempt to trunk a guest VLAN on the Catalyst 3750G ...", this should read: "Do not trunk a wired guest VLAN to multiple foreign controllers. This is not supported, and will generate unpredictable results."

3. Add at least a line mentioning support for multiple anchors for a guest wired LAN.

Now, if you already have such deployments, the criterion would be that the nearest WLC on the broadcast domain (Layer 2) would respond to the client association request.

(Cisco Controller) >Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 Adding mobile on Wired Guest 00:00:00:00:00:00(0)
Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 apfHandleWiredGuestMobileStation (apf_wired_guest.c:121) Changing state for mobile 00:0d:60:5e:ca:62 on AP 00:00:00:00:00:00 from Idle to Associated.

I hope the above explanation could clarify your doubts to a certain extent and also keep you informed on Cisco's roadmap on this feature.

Regards,
Sharath K.P.
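
A way to check, from debug output collected on each foreign controller, whether the same wired guest client is being picked up by more than one of them, which is the unsupported condition described in the post above. This is an added example, not part of the original post or any Cisco tool; the controller names, the second MAC address and the sample log lines are constructed, and only the "Adding mobile on Wired Guest" line format is taken from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line format as quoted in the post:
#   Tue Sep 11 13:27:42 2007: <client-mac> Adding mobile on Wired Guest ...
WIRED_GUEST_ADD = re.compile(
    r"^(?:\(Cisco Controller\) >)?\s*"
    r"(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"Adding mobile on Wired Guest",
    re.IGNORECASE,
)


def parse_wired_guest_adds(log_text):
    """Return [(timestamp, client_mac)] for every wired guest add in one WLC's log."""
    events = []
    for line in log_text.splitlines():
        m = WIRED_GUEST_ADD.match(line.strip())
        if not m:
            continue  # state-change lines and unrelated output are ignored
        ts_text = " ".join(m.group("ts").split())  # collapse padded day field
        ts = datetime.strptime(ts_text, "%a %b %d %H:%M:%S %Y")
        events.append((ts, m.group("mac").lower()))
    return events


def clients_on_multiple_controllers(logs_by_wlc, window=timedelta(hours=24)):
    """Return {mac: [(timestamp, wlc), ...]} for clients added as wired guest
    on two different controllers within `window` of each other."""
    seen = defaultdict(list)
    for wlc, text in logs_by_wlc.items():
        for ts, mac in parse_wired_guest_adds(text):
            seen[mac].append((ts, wlc))

    flagged = {}
    for mac, events in seen.items():
        events.sort()
        for i, (ts_a, wlc_a) in enumerate(events):
            later = events[i + 1:]
            if any(wlc_b != wlc_a and ts_b - ts_a <= window for ts_b, wlc_b in later):
                flagged[mac] = events
                break
    return flagged


# Constructed sample input: two foreign controllers on the same guest VLAN.
SAMPLE_LOGS = {
    "wlc-primary": (
        "(Cisco Controller) >Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 "
        "Adding mobile on Wired Guest 00:00:00:00:00:00(0)\n"
        "Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 apfHandleWiredGuestMobileStation "
        "(apf_wired_guest.c:121) Changing state for mobile 00:0d:60:5e:ca:62 "
        "on AP 00:00:00:00:00:00 from Idle to Associated\n"
        "Tue Sep 11 13:40:05 2007: 00:11:22:33:44:55 "
        "Adding mobile on Wired Guest 00:00:00:00:00:00(0)\n"
    ),
    "wlc-secondary": (
        "Tue Sep 11 13:31:10 2007: 00:0d:60:5e:ca:62 "
        "Adding mobile on Wired Guest 00:00:00:00:00:00(0)\n"
    ),
}

if __name__ == "__main__":
    for mac, events in clients_on_multiple_controllers(SAMPLE_LOGS).items():
        print(mac, "seen as wired guest on more than one controller:")
        for ts, wlc in events:
            print("   ", ts.isoformat(sep=" "), wlc)
```
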
tdennehy Wed, 01/18/2012 - 16:54


I am using the screenshot below for simplicity.  A small campus with two 5508-500s in it, one is the primary and one is the secondary.  The primary controller has all the APs on it, the secondary sits there with nothing, but configured the same, waiting for the primary to fail so it can take over.  Each controller configured for three corporate WLANs and one guest WLAN.

Both controllers are configured for guest wireless just like the drawing depicts, with an anchor controller in the DMZ.

Both controllers are configured for guest wired as well.  Does CSCtw44999 state that configuring both controllers for guest wired networking is not supported?

Thanks in advance,


Daniel Anderson Thu, 01/19/2012 - 01:26

That's the way I've understood, if you have multiple local controllers, then only one of them should be configured (or at least be active) for the Guest Wired network.

The way we have our environment configured, is that we have the vlan used for the Guest Wired vlan trunked to all our local controllers, but only one has this network as active on the device - In the event that the active controller failed, then we could simply enable the Guest Wired network on another local controller.

Sharath Kattema... Fri, 01/20/2012 - 06:31

Hi Daniel,

Yes, it is a very common practice to have redundant WLCs with exactly similar configs present.

Now, regarding your query of having the guest vlan trunked to multiple local controllers without activating guest LAN on secondary controllers, this should work fine (checking the previous issues and after lab testing).

We have had issues when guest LAN was active at multiple WLCs, wherein sometimes clients disassociate and sometimes have DHCP issues as well.

Let me know if you need further insight into the issue.

Pleasure discussing tech with you.

Regards,

Sharath K.P

tdennehy Fri, 01/20/2012 - 07:24

That is the issue we are having. Each campus has two controllers with the same configs - with exception of the same dynamic ip addresses, of course. Guest wireless working fine, all other WLANs working fine. Primary controller handles all access points, secondary sits without any APs, waiting for primary to fail.

After we configured the wired guest solution on BOTH controllers (which are trunked to the same HSRP pair of core switches) we saw strange behavior on a few, but not all, of the wired guest users.

For instance, one campus has four wired guest users. Two of which appear to be working fine, however since they are guest kiosks, we don't really know for sure how well they work. The other two are in a library with constant use. The phones immediately started ringing because of these two machines.

The strange behavior we saw was mostly timeouts and deauths. The wired guest machine would work fine one day, and then the next it would require you to open a browser and login through the splash page over and over again. About every two or three minutes, or whenever you needed to go to the www. Almost as if the client was an 802.11 client and someone was sending you a deauth packet. Another thing we saw was time-outs to the gateway. I could set up a continuous ping to the gateway and it would randomly stop for about 90 seconds. Sometimes you would be required to log in again, sometimes not.

I thought at first it was the workstation image, so I booted to some Linux Live CDs and problem still existed. Replaced L1 items - patch cables, etc. Changed switchports, etc. Tried my laptop on the same ports, spoofing the MAC address of offending machines, still saw weird problems. We never did see DHCP issues, however. At least I didn't, anyway. During my troubleshooting, I had my laptop on the guest wireless sitting right next to the guest wired machines, and my laptop never had any issues like the guest wired machines.

Next step was I put two Linksys WUSB600N USB WLAN adapters on each machine, disabled the onboard gig card, and walked away. The machines have been fine ever since.

My next step is to find out the best way to disable the guest wired on the redundant controller, (but keep it configured) and develop a procedure for enabling it the day of a primary controller failure. But until then, the guest wired machines are going to stay wireless.

Sharath Kattema... Mon, 01/23/2012 - 09:46

Hi Tdennehy,

Thanks for the detailed explanation. Pleasure interacting with you.

Is there a TAC case open on the issue mentioned above?

Currently, are you in the testing phase? I mean, has the guest wired network been disabled on the WLC? If so, please let me know the status. This should add to the current work we are doing in testing redundancy in wired guest networks.

Regarding the 'procedure for enabling guest wired network on the secondary WLC the day of a primary controller failure', I guess CSCtw44999 should answer all the questions and document the various parameters that get broken down.

Regards,

Sharath K.P.

tdennehy Mon, 01/23/2012 - 13:01

SR 620223969

Sharath Kattema... Thu, 01/19/2012 - 11:20

Hi,

Apologies for the confusion.

While it's a very common practice to have multiple foreign WLCs, of late we have seen multiple issues reported to TAC on the same. Hence the caveat has been opened to test all possible breakdowns with wired guest access with multiple foreign controllers. We are working on the same and will update you as soon as possible.

But again, the design you have mentioned is very commonly deployed and serving guest clients fine.

Regards,

Sharath K.P.

tdennehy Fri, 01/27/2012 - 05:59


I created a network drawing showing you the way our deployment is configured.  This is really meant for everyone else reading this post, actually.

The way I understand it, the way we are configured below will not work because the guest wired solution is configured on both WLCs and the edge switches are trunking all VLANs to the core, and the core is trunking the wired guest VLAN to both controllers.

We see strange behavior on the wired guest clients when configured like this.

Daniel Anderson Fri, 01/27/2012 - 06:49


From my understanding during the course of these conversations, the scenario you have isn't recommended from a Guest Wired perspective. Going from the post from Sharath K.P. from the 18th Jan, Cisco have created Bug CSCtw44999 for this issue.

In your scenario, the easiest solution is to leave all the switch and WLC trunking in place, but simply shut down the Guest Wired network on your Secondary WLAN Controller, all requests will only be responded to by the Primary Controller. In the event of a failure to this device, then you'd simply need to enable the Guest Wired network on the Secondary controller - having left all the trunking configuration in place - Guest wired connections would start to use this device.

Your example is similar to how we had our Guest Wired network configured initially, but we also had issues with client connections dropping etc. I simply disabled the Guest Wired network on 3 of our 4 controllers.

tdennehy Fri, 01/27/2012 - 07:28


A picture is worth a thousand words in this case.  I too gather from the course of these conversations that our scenario is not supported/recommended when using the guest wired networking solution.

A lot of conversation has taken place here, and I am not sure how many people are following this thread.  I drew up the picture in hopes it would help everyone understand what scenario is not recommended.  From the docs it isn't quite clear what NOT to configure, and how.  The docs I have seen, anyway.  I skipped right over the 3750G part since I thought to myself, "we're not using that switch".

I sure hope the drawing is correct and that I got it right, and also hope it helps someone else!


Daniel Anderson Fri, 01/27/2012 - 07:42

It certainly is. Knowing this information would have saved me quite a lot of head scratching many months ago when trying to troubleshoot a similar scenario.

Sharath Kattema... Sat, 01/28/2012 - 17:49

Hi Daniel,

Thanks for the inputs in the discussion.

You are absolutely right in the above post. The easiest way to get the network running would be to disable the wired guest WLAN on the secondary controller.

Regards,

Sharath K.P.

Sharath Kattema... Sat, 01/28/2012 - 17:46

Hi Tdennehy,

Thanks a lot for creating such a detailed diagram and explaining the deployment scenarios.

You are absolutely right in your understanding that currently we are not recommending any redundancy for wired guest access, as we have been notified of inconsistencies when deploying the same.

We have opened CSCtw44999 for the same and will be working on that.

You can also subscribe to the bug by clicking on my notification and setting up a group for the same in our bug toolkit link.

Regards,

Sharath K.P.

jesstonybagasol Thu, 01/19/2012 - 17:28

Hello sharath,

I have some problem with my configuration. I have two Vlan 10 and Vlan 20 with 4 PCs. I want that student Vlan cannot ping Faculty Vlan, but Faculty can ping Student Vlan.

Thank you


Sharath Kattema... Fri, 01/20/2012 - 06:34

Hi Jess,

I don't see any reference to wired guest access in the diagram. Is it a WLC based deployment or is it a regular L2/L3 switching network?

Please provide me more details, I will answer your query.

Regards,

Sharath K.P

jesstonybagasol Sat, 01/21/2012 - 07:10

Okay, just give me an idea on how to make that: PC1 cannot ping PC2, but PC2 can ping PC1. How to configure this type of network?

I want Student PC cannot ping Faculty PC, but Faculty can ping Student PC.

Thank you... hope for your reply.

ciscomoderator Mon, 01/23/2012 - 08:36

Hello Jess,

Thank you for your participation on this Ask the Expert Event. Since the topic Sharath is covering is on Wireless Guest Access, he can't answer your question on VLANs. I recommend you to post your question at the LAN, Switching and Routing to get a better opportunity to get your question answered.

Kindest Regards,

Cisco Moderator

Sat, 01/21/2012 - 06:49

Is there any way currently (or future road map) to have the ability to centralize guest wired access from a H-REAP AP across a layer 3 network?

tdennehy Sat, 01/21/2012 - 11:28


Can we use the following example to clarify your question?  (please modify as needed)

Let's say you have a controller with four WLANs.

#1 = "Jayhawk", which is centrally switched, and PEAP

#2 = "KU-Tickets", which is locally switched, and WPA-PSK for ticket scanners

#3 = "KU-Guest", which is a centrally switched guest network back to the anchor controller in the DMZ

#4 =  Wired guest network.  This is also centrally switched back to the anchor in the DMZ.. say VLAN 555

The H-REAP AP broadcasts three SSIDs:

One SSID is locally switched for whatever reason.

One SSID is centrally switched to the routed infrastructure.

The guest SSID is centrally switched, however the controller shoves it to the anchor in the DMZ.

The controller is tunneling VLAN 555 back to the DMZ controller. 

The guest wireless network uses an AUP webauth bundle on the Anchor controller.

Can we go from here with the discussion?

Mon, 01/23/2012 - 13:08


It appears you are a Kansas fan and for that I am sorry

In your example I've got a single port at the remote branch office that I'd like to run through the centralized controller (say Vlan 555) as the Guest Wired LAN network and AUP Authentication.  Is this possible if the office is connected across a layer 3 network?  In other words I'd like Vlan 50 (Wired Guest Network that's Local at the branch) to be tunneled to the Wireless Controller for AUP agreement.

Make Sense?  Is this Possible?



Sharath Kattema... Wed, 01/25/2012 - 11:32

Hi Craig,

Currently we are not supporting the feature you have requested.

Configuration Guidelines

Follow these guidelines before using wired guest access on your network:

Wired guest access is supported only on the following controllers: 5500 and 4400 series controllers, the Cisco WiSM, and the Catalyst 3750G Integrated Wireless LAN Controller Switch.

Wired guest access interfaces must be tagged.

Wired guest access ports must be in the same Layer 2 network as the foreign controller.

Up to five wired guest access LANs can be configured on a controller.

Layer 3 web authentication and web passthrough are supported for wired guest access clients. Layer 2 security is not supported.

Do not attempt to trunk a guest VLAN on the Catalyst 3750G Integrated Wireless LAN Controller Switch to multiple controllers. Redundancy cannot be achieved by doing so.

Regards,

Sharath K.P.

tdennehy Wed, 01/25/2012 - 15:31


This statement "Do not attempt to trunk a guest VLAN on the Catalyst 3750G Integrated Wireless LAN Controller Switch to multiple controllers. Redundancy cannot be achieved by doing so."

What exactly is that saying?

Should that really read, "Do not attempt to trunk a guest VLAN on any Catalyst switch to multiple controllers. Redundancy cannot be achieved by doing so"?

I don't understand what the first statement says. If I did have a 3750G integrated switch, is it stating that you could not take two 3750G integrated switches and trunk them together for redundancy? If so, why does it specifically state the 3750G integrated switch and not all switches in general?

Can you please clarify?

Thanks in advance!

Sharath Kattema... Sat, 01/28/2012 - 17:56

Hi Tdennehy,

As we have discussed previously (post on 17-Jan), one of the changes requested as part of fixing the statement CSCtw44999 is to correct this statement in the document.

Where it says "Do not attempt to trunk a guest VLAN on the Catalyst 3750G ...", this should read: "Do not trunk a wired guest VLAN to multiple foreign controllers. This is not supported, and will generate unpredictable results."

Regards,

Sharath K.P.

Sharath Kattema... Mon, 01/23/2012 - 09:48

Hi Craig,

To answer the question, I will need more details on what kind of design you are trying to accomplish.

Can you add more details?

Regards,

Sharath K.P

Sharath Kattema... Wed, 01/25/2012 - 11:29

Hi Craig,

We don't have this plan included in any of the future releases.

However, we will take this as an enhancement request. Updates will follow.

Regards,

Sharath K.P.

Lisa Whitle Wed, 01/25/2012 - 09:20

Hello Sharath,

Is there a document with the specifications of the maximum number of guest access users that we support in the different WLC platforms? I would also like to know how to manage the users from WCS.

- Lisa

tdennehy Wed, 01/25/2012 - 15:41

Something I have always wondered is along the same lines as what Lisa asked.

Is there a way to carve a guest anchor controller up so that each controller that tunnels their guest users to it gets a specific range of IP addresses?

Reason I'm asking is many organizations are seeing an exponential increase in the number of guest users. If there was a way to abandon "everyone gets an IP address from this one pool" and carve up the anchor in the DMZ so that each site/controller that tunneled to it gets a specific range of IP address, that would be an awesome document. I would love any suggestions anyone has...

Sharath Kattema... Thu, 01/26/2012 - 01:57

Hi Tdennehy,

You can check this link and let me know if this helps.

In current WLC architecture, it is mandatory to map the WLAN to an interface/VLAN. Default mapping is to management interface. The limitation is that one WLAN can be mapped to a single interface/VLAN. This limitation requires availability of a single large subnet, in dense deployments, which might not be feasible for many customers because of existing network design and IP subnet allocation in their network. Existing features, such as AP Groups and AAA override, can help to some extent but cannot meet complete requirements and might not be feasible in all kinds of customer deployments. This same limitation also exists to the guest anchor setup where guest clients on remote locations always get an IP address from a single subnet mapped to the WLAN on anchor location. Also, the IP address assignment to wireless guest clients is not dependent on foreign locations and all guest clients on different foreign locations will receive an IP address from the same subnet. Once again, this is not feasible for many customers.

Integration of VLAN Pooling, or the VLAN Select feature, in the release provides a solution to this restriction where the WLAN can be mapped to a single interface or multiple interfaces using interface group. Wireless clients associating to this WLAN will receive an IP address from a pool of subnets identified by the interfaces in round robin fashion.

This flowchart illustrates the DHCP address selection when the round  robin mechanism is used in interface or interface group configuration:


Note: If the DHCP lease time is high, there is a possibility of DHCP IP leakage if the clients frequently de-authenticate and re-authenticate.

Note: With Inter-Release Controller Mobility (IRCM),  controllers in releases before cannot understand the VLAN list  payload. Therefore, sometimes a L3 mobility is performed where L2  mobility could have been done.

Note: If you want to downgrade from the release to a  previous release, make sure that all WLANs are mapped to interfaces and  not interface groups, and multicast interface is disabled.

Note: Cisco does not support an interface group being returned from AAA, only interface.

Note: Interfaces can be added to an interface group but cannot be deleted when it is mapped to the WLAN/AP Group.

Note: One VLAN or interface can be a part of many different interface groups.

The VLAN Select feature also extends current AP group and AAA  override architecture where AP groups and AAA override can override the  interface the WLAN is mapped to. This feature also provides the solution  to guest anchor restrictions where now wireless guest user on foreign  location can get an IP address from multiple subnets based on their  foreign locations/foreign controllers from same Anchor WLC.

This flowchart indicates WLAN selection when AP group and AAA  override are configured on the controller and WLAN has been mapped to an  Interface or Interface Groups:


Sharath Kattema... Thu, 01/26/2012 - 01:50

Hi Lisa,

Welcome to the discussion.

The local database on the WLC stores entries for these items:

  • Local management users (including lobby ambassadors)

  • Local network users (including guest users)

  • MAC filter entries

  • Exclusion list entries

  • Access point authorization list entries

The local user database is limited to a maximum of 2048 entries. The  valid range is 512 to 2048, and the default setting is 2048. Together  they cannot exceed the configured maximum value.

The database size can be configured using the WLC CLI or the GUI.

In order to configure the local database using the CLI, enter this command:

config database size


(Cisco Controller) >config database size ?

        Enter the maximum number of entries (512-2048).

Please save the configuration and reset the system ("reset system") for the change to take effect.

Regarding guest user management using WCS, you can check this link.

Creating Guest User Accounts

You can use the Cisco Lobby Ambassador feature to create guest user  accounts in WCS. A guest network provided by an enterprise allows access  to the internet for a guest without compromising the security of the  host. The web authentication is provided with or without a supplicant or  client, so a guest needs to initiate a VPN tunnel to their desired  destinations.

The system administrator must first set up a lobby administrator  account, also known as a lobby ambassador account. A lobby ambassador  account has limited configuration privileges and only allows access to  the screens used to configure and manage guest user accounts. The lobby  administrator has no access to online help.

This account allows a non-administrator to create and manage guest user  accounts on WCS. The purpose of a guest user account is to provide a  user account for a limited amount of time. The lobby ambassador is able  to configure a specific time frame for the guest user account to be  active. After the specified time period, the guest user account  automatically expires. This section describes how a lobby ambassador can  create and manage guest user accounts on WCS.

Geza Makay Thu, 01/26/2012 - 19:58

Hi Sharath,

I hope this is the right place for this question as it is related to allow guest (i.e. limited) access to the network.

I have an SG300-20 here for testing (firmware:, boot version:, language version: English). Everything seems to work on it, except, that if I choose Radius authentication by mac address only, then the switch does not honor the Idle-Timeout and Session-Timeout attributes from the Radius server (freeradius).

The setup is the following: I have a no name access point plugged in to switch port gi1 (I know this discussion is about wired net, but from the switch's point of view it is a wired access). The port gi1 is set up for Radius authentication by mac address only. The access point itself is authenticated, no problem with that. If I connect through the access point by (say) a mobile phone, it is authenticated, no problem. The radius server does send the Idle-Timeout and Session-Timeout attributes, I checked it by running "freeradius -X", both are set to 30 seconds. Then I turn off the wireless card in my mobile phone and check the dot1x users by "show dot1x users". My mobile phone's mac address remains there for 5-10 minutes, so the Idle-Timeout and Session-Timeout  does not work.

Another way I could resolve this problem is by explicitly asking the switch to reauthenticate the user. Unfortunately there is no CLI command to do just that, I can do however a reauthentication on a port using "dot1x re-authenticate gi1" (for example). But it does not work as it is expected: the switch uses the stored mac-address to reauthenticate the user, so nothing changes on the port (unless something changes in the radius server). I think it should work like the following: remove the authenticated user from the port, and whenever that mac address makes some network traffic, then reauthenticate as if it were a completely new connection. BTW: it would help me also if I could just remove an authenticated user from a port, but I did not find a command to do that.

As a last resort I can simply shutdown the port, bring it up again ("shutdown" and "no shutdown" in the interface config), then all users are removed from the port and they all must reauthenticate. But it causes a network outage for a couple of seconds for all users on that port, on a busy access point it is quite disturbing, and it is not an elegant way to do this.

So my actual question is: is there a way to remove an authenticated user either automatically (Idle-Timeout and Session-Timeout) or manually from this switch?

I enclose the relevant part of the running config.

Thank you very much in advance.

Best regards,



interface range gi1-2
 dot1x host-mode multi-sessions

vlan database
 vlan 2-4

interface vlan 3
 dot1x guest-vlan

dot1x system-auth-control

interface range gi1-2
 dot1x reauthentication

interface range gi1-2
 dot1x mac-authentication mac-only

interface range gi1-2
 dot1x radius-attributes vlan

interface range gi1-2
 dot1x guest-vlan enable

interface gigabitethernet1
 dot1x port-control auto

interface gigabitethernet2
 dot1x port-control auto

radius-server host key testing123 priority 1 usage dot1.x

aaa authentication dot1x default radius

Sharath Kattema... Sat, 01/28/2012 - 20:55

Hi Geza,

Thanks for the update.

I think we could take this in our regular community QA section.

Wireless - Mobility

Security and Network Management

This section is dedicated to wired guest access on WLC.

It will be answered accordingly.

Regards,

Sharath K.P.

Geza Makay Sat, 01/28/2012 - 21:16

Hi Sharath,

Thank you for the reply.

I did a post in the "Small Business Switches" section (, because it is not a problem with the wireless part (it was just easier for me to test it that way), but rather a problem of how the firmware handles radius reply attributes. But I am looking forward to any answers in any sections.

Best regards,




This Discussion

Posted January 13, 2012 at 1:08 PM
Updated January 17, 2012 at 10:52 AM
