Guest Wireless Network

Feb 7th, 2012
Is anyone aware of a way, "except for not broadcasting the SSID", to prevent clients from inadvertently obtaining an IP address on a guest wireless network?

We are using two pairs of 5508s for anchor controllers, and we're close to reaching our limit of 14k clients.  While researching, we've found that a number of the addresses being handed out are going to mobile devices with their WIFI enabled, walking through our facilities, but not necessarily wanting to use the guest WIFI.

We would like to somehow not have the devices obtain an IP, unless they truly want to connect.  All I've been able to come up with is not to broadcast the SSID, which senior management feels is not acceptable.


Stephen Rodriguez Tue, 02/07/2012 - 07:50

The other option would be to add a PSK to the WLAN.  This way you can still broadcast the SSID, but the client has to configure the PSK to be able to get on the network and get an IP address.


Michael Burk Tue, 02/07/2012 - 07:52

That's a really good question. I have the same concern at our organization.

What do you have your DHCP lease time set to? I don't know if that will help with actually associated clients but it will help if you are running out of IPs.

shane.clark2 Tue, 02/07/2012 - 08:04

Our lease time is set to 5 minutes, but we still have the issue.

Stephen, I was not aware that using a PSK would prevent users from getting an IP, I will see if this is an acceptable solution.

Thank you

Stephen Rodriguez Tue, 02/07/2012 - 08:07

It does but it doesn't.

The PSK makes the client have to configure the PSK for the SSID to be able to connect.  But once it's configured, unless they 'forget' the network, they will be able to get an address on next visit.


roboton666 Tue, 02/07/2012 - 22:16

Check out Web-Auth with Passthrough. You can use a local "Terms and Conditions" page that requires manual user intervention in order to authenticate and get an IP.

This won't help with getting tons of unwanted associations, but it will reduce your DHCP load.

thomas03usmcsf Wed, 02/08/2012 - 18:30

You could also move your guest WLAN to a large chunk of private IP space and just NAT/PAT to a portion of your public IP space. This is how we solved our issue.


m.gajsek Fri, 02/10/2012 - 03:39

You can create on the WLC a separate dummy L3 interface (and a VLAN that is not on your LAN, "3333") and a WLAN with the name "1".

The DHCP is configured on the 5508 with a lease of 240s.

The SSID appears first in the selection, and the clients will connect to it.

Your SSID can be broadcast, and the user can select it when needed.


