Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Guest Network

Hello All

Guest Network was working earlier, recently it doesnt seems to work with no changes on WLC. From any smartdevice and Windows Machine we can connect the Guest SSID but authentication page doesnt popups.

WLC 4400
software version   7.0.235.0

Any suggestion

thanks

Vishal

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Guest Network

You don't need an in and out... since this is your guest interface, just use the in:

interface Vlan15

description Guest_Network

ip address 192.168.1.254 255.255.255.0

ip access-group GUEST_DENY in

ip access-group GUEST_DENY out <-- remove

Thanks,

Scott

*****Help out other by using the rating system and marking answered questions as "Answered"*****

-Scott
*** Please rate helpful posts ***
12 REPLIES
Hall of Fame Super Silver

Re: Guest Network

Hate to say this, but did you try to reboot the WLC? Also on the 4400, you might want to look at v7.0.240.0.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: Guest Network

Hello Scott

Rebooting didnt help but on upgrading to V 7.0.240.0 the Guest VLAN started working.

URL redirection stopped working. URL redirection entry - www.gmail.com

Guest users can browse internet but email download and other web apps doesnt work, i.e whatsapp,skype,gtalk

on the core there is vlan and acl

10.10.100.1 - local dns server


interface Vlan15
description Guest_Network
ip address 192.168.1.254 255.255.255.0
ip access-group GUEST_DENY in
ip access-group GUEST_DENY out

ip access-list extended GUEST_DENY
permit ip 192.168.1.0 0.0.0.255 host 10.10.100.1
deny   ip 192.168.1.0 0.0.0.255 10.10.100.0 0.0.0.255
deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
deny   ip 192.168.1.0 0.0.0.255 172.20.40.0 0.0.1.255
permit ip any any   

appreicate some feedback

thanks in advance

cheers

Vishal

Hall of Fame Super Silver

Re: Guest Network

I would look to see if your ACL's are the issue.... if you remove the ACL's, does it work?  The WLC will not block any of that, so it leads me to believe that something on your ACL's or FW has changed.

Thanks,

Scott

*****Help out other by using the rating system and marking answered questions as "Answered"*****

-Scott
*** Please rate helpful posts ***
New Member

Guest Network

Scott removing the ACL  all works great.  what could be the issue on the ACL

In the ACL

Line 1 -  allowing guest vlan communication to local DNS server

Line 2 -  4 deny local network

Line 5 -  allow anything else

WLC====Catalyst6500====firewall=====Internet

I rechecked nothing changed on Firewall nor ACL on switch

cheers

Vishal

Hall of Fame Super Silver

Re: Guest Network

Well... ACL's have an implicit deny at the end. You need to make sure you are allowing everything that you want or else it will be denied. Log your ACL's and see which one is causing the issue.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: Guest Network

Hello Scott

my ACL >> permit ip any any in the end.

ip access-list extended GUEST_DENY

permit ip 192.168.1.0 0.0.0.255 host 10.10.100.1

deny   ip 192.168.1.0 0.0.0.255 10.10.100.0 0.0.0.255

deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255

deny   ip 192.168.1.0 0.0.0.255 172.20.40.0 0.0.1.255

permit ip any any 

I am trying to understand how others manage/configure  guest ACL and for URL redirection which interface in WLC needs to have Internet Access assuming the url redirection is www.yahoo.com

thanks again

Vishal

Hall of Fame Super Silver

Guest Network

You don't need an in and out... since this is your guest interface, just use the in:

interface Vlan15

description Guest_Network

ip address 192.168.1.254 255.255.255.0

ip access-group GUEST_DENY in

ip access-group GUEST_DENY out <-- remove

Thanks,

Scott

*****Help out other by using the rating system and marking answered questions as "Answered"*****

-Scott
*** Please rate helpful posts ***
New Member

Guest Network

Scott ACL works now

One last info required - URL redirection not working. Redirection URL www.yahoo.com

Multiple interface are there on WLC which one to allow for internet access to send the redirection traffic to internet

Hall of Fame Super Silver

Re: Guest Network

Redirection before the user authenticated or after? If you have web policy enabled, any http site will be redirected to the splash page. If the users home page is https, it will fail. You can always redirect the user to a URL after they authenticate either globally on the WebAuth section or on the WLAN security tab you can override and enter it there.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Guest Network

Scott

Redirection after user authentication.

Security>Web Auth > redirection URL

URL redirection www.yahoo.com

Tested above and it doesnt work

Hall of Fame Super Silver

Re: Guest Network

So after the user authenticates, can you just type the URL for Google, Yahoo or CNN and can they access these sites? Is internet working after they authenticate?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Guest Network

325
Views
0
Helpful
12
Replies