Issues with 2106 and 1130AG LWAPP

jeff.velten
Level 1

Hello all. I'm trying to do what I thought would be a simple config. 2 APs connected directly to a controller. The controller's 2 management interfaces are in our management VLAN (used for all switches, servers, etc), and I created a new VLAN for the APs and clients per this link: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml. However, I am unable to get the APs to join the controller. Controller was NIB before I configured, and the APs are also NIB with the default config.

24 Replies

Well, I managed to fix the DHCP issue. I had the DHCP override checked from when I was testing with the AP directly connected to the WLC. Now I need to figure the best way to route this guest VLAN directly to our firewall. Using a 2nd inside port on the firewall won't work, as the guest VLAN is part of our larger inside address block, and the firewall can't handle the routing.

Wireless LAN Controllers don't route (the exception is the management interface, and the 2106 doesn't have one of those.) All routing is via the default gateways. If you are on a SSID that is associated to a virtual interface called "DMZ", the traffic would route out the gateway for that interface. The gateway would then have to route that traffic on its merry way.

On a 2106 you can plug one of the physical ports into a DMZ. You would create a virtual interface and add it to the physical port that is plugged into the DMZ. Connect an SSID to that virtual interface and off you go.

Swayatt is correct, but it is actually dynamic interfaces you would create. The virtual is used for other stuff.

-Scott
*** Please rate helpful posts ***

Thanks for the replies. I was able to get things working. I set up the APs (and dynamic interface on the WLC) in a 10.x.x.x block, and put them in a VLAN routed directly to the 2nd inside interface on the ASA via DG. Things seem to be working as hoped, when connected to the guest VLAN, I am unable to access anything on our private network.

Several of the posts in this thread have been very helpful. Is there any issue with scoring multiple posts in a thread?

Glad you got it working.... now you have to work on a custom WebAuth page for the guest and 3rd party cert.

-Scott
*** Please rate helpful posts ***

Actually, these APs will be implemented in an Emergency Operations Center in our Public Safety Building (I work for a county gov't). We were thinking about just running with no auth, just fine-tuning the radios so they don't bleed outside the EOC. If someone wants to try war-driving in a secure building also staffed by our Sheriff's Dept, more power to them. :)

But, I'm always open to suggestions...

That is a bad idea, especially if these APs are on the EOC network. WPA-PSK is so simple to do it isn't funny, and I assume that since this is the EOC there is a domain controller in use for some of the apps that run. PEAP would be very easy to implement as well.

I've worked in a 911/EOC during a hurricane and we had to support a bunch of folks that came in during the event that needed wireless. In that case it is easy to implement a temporary WPA-PSK SSID for the outside folks and take it back down during the emergency.

I must agree again. Since you are a government entity, being secure should be on the top of your list. You don't want to be on 60 Minutes for being hacked. WPA2-PSK should be your minimum type of encryption. Turning down the power so the signal won't bleed out is not going to help. All they will need is a yagi antenna and sit far enough away where they will not be caught. Wardrivers will post locations and encryption keys for anyone to use.

-Scott
*** Please rate helpful posts ***

Like I said, I'm open to suggestions. For now, we're going to go with WPA-TKIP-PSK, and web auth. One anomaly I've noticed with web auth: I can authenticate, then browse the web, but even if I close my browser, disconnect from the WLAN, and reconnect, I do not get prompted to authenticate again. Is this controlled separately from the WLAN session timeout setting?

You would have to be disconnected for more than 300 seconds (default) before the controller would think that you were gone.
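The pieces discussed above (a dynamic interface tied to a physical port, a WLAN mapped to it, the TKIP-only PSK setting beside the WPA2/AES one Scott recommends as the minimum, and the 300-second idle timer) put together as an AireOS CLI session. This is an added example, not configuration posted by anyone in this thread: the interface name "guest", VLAN 20, the 10.20.0.0/24 addresses, port 1, WLAN ID 2, the SSID "EOC-Guest" and the passphrase are all made-up values, and a few command forms (notably `config interface dhcp` and `config wlan create`) changed between 4.x and later controller releases, so check them against `show run-config` and the command reference for your version.

```text
! --- Dynamic interface for the guest VLAN (the 2106 maps it to a physical port) ---
! Assumed values: name "guest", VLAN 20, controller address 10.20.0.5/24,
! gateway 10.20.0.1 (the ASA inside interface the VLAN is routed to), port 1.
config interface create guest 20
config interface address guest 10.20.0.5 255.255.255.0 10.20.0.1
config interface port guest 1
! DHCP server for guest clients; leave "DHCP Addr. Assignment Required"
! enabled and do not set a DHCP override on the WLAN, which is what broke
! the original poster's lease. Older releases take the form below; newer
! ones use "config interface dhcp dynamic-interface guest primary ...".
config interface dhcp guest primary 10.20.0.1

! --- WLAN bound to the dynamic interface ---
! 4.x: "config wlan create 2 EOC-Guest"; 5.x and later want a profile name too.
config wlan create 2 EOC-Guest EOC-Guest
config wlan interface 2 guest
config wlan disable 2

! --- WEAK: WPA(1)/TKIP pre-shared key, the setting chosen in the thread ---
! TKIP is a legacy cipher kept for old clients; shown only to contrast with
! the hardened block below, which replaces it.
! config wlan security wpa enable 2
! config wlan security wpa wpa1 enable 2
! config wlan security wpa wpa1 ciphers tkip enable 2
! config wlan security wpa akm psk enable 2
! config wlan security wpa akm psk set-key ascii <passphrase> 2

! --- HARDENED: WPA2/AES pre-shared key (the "minimum" from the replies) ---
config wlan security wpa enable 2
config wlan security wpa wpa1 disable 2
config wlan security wpa wpa2 enable 2
config wlan security wpa wpa2 ciphers aes enable 2
config wlan security wpa akm psk enable 2
! Assumed passphrase; use a long random one and rotate it after the event.
config wlan security wpa akm psk set-key ascii EOC-Guest-2024-R0tate-Me 2

! Optional Layer 3 web authentication on top of the PSK, as the poster did.
config wlan security web-auth enable 2

! --- Timers that control when a client has to re-authenticate ---
! Per-WLAN session timeout: client must re-authenticate after this many
! seconds of connection time (here 1 hour).
config wlan session-timeout 2 3600
! Controller-wide user idle timeout: a client that disappears for less than
! this many seconds is kept as authenticated, which is why the poster was not
! prompted again after a quick disconnect/reconnect. 300 is the default;
! lowering it makes the controller forget idle clients sooner.
config network usertimeout 300

config wlan enable 2
save config
```

After applying it, `show wlan 2` should list the WPA2 policy with AES only, the "guest" interface, and the session timeout; `show client detail <mac>` shows the policy manager state and remaining session time for a connected guest, which is the quickest way to confirm which timer is keeping a returning client from being re-prompted.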
