We have some WLCs running 5.1 in the internal LAN. Now we want to roll out some SSIDs with DMZ services such as Internet. For that we have an external WLC in the DMZ outside. What is the exact way to additionally configure an "Internet" SSID on the internal APs so that the internal WLC forwards that traffic to the external WLC, which decrypts it out to "the internet"? All WLCs are reachable; they all have the same virtual IP and the same RF and mobility group name.
We also have a running WCS.
As I remember, there was some guest WLAN access in the older WLC versions. In the newer configuration guide there is only LAN guest access.
My problem is that I want to create a WLAN/SSID on an internal WLC for customers with WPA2 security. For that I have to configure a virtual interface with the same IP address, a dynamic interface, and a WLAN/SSID with WPA on the anchor WLC behind the firewall. On the internal WLC where my APs are connected I want to use that external SSID. So to get this SSID anchored (and use the EoIP tunnel) I have to configure:
- one mobility group
- dynamic interface internal (with IP? VLAN?)
- same SSID on the foreign WLC
My problem now is that the foreign WLC doesn't have the same physical VLAN and subnet because it's in the inside network. So the communication works and the anchor process also works, but the client can't communicate with the subnet where the anchor is connected. There is also a DHCP problem for the clients. Symmetric tunnel is enabled; both WLCs have the same general config.
I found out that the first WLC does the Layer 2 authentication with its management address as source, and after that it pushes the client information to the anchor over the EoIP tunnel, and the anchor in the DMZ accepts that... and that's where it ends. Sometimes DHCP works (DHCP is also in the DMZ subnet), sometimes it does not work... but my problem is that there is no communication possible in the external DMZ subnet...
Is that scenario generally possible? In the guide, the Wired Guest Access section shows that situation, but there is no VLAN information, config information or other needed information to configure that scenario with wireless guest access and different VLANs/subnets on the WLCs. There is also no information on how to configure the dynamic interfaces.
The WLAN configuration has to be exact. The foreign WLC (internal) will tunnel traffic out the management interface, so you do not need to create a dynamic interface on the foreign WLC. The anchor WLC will be anchored to the foreign WLC through its management interface, and then either you can create a dynamic interface to dump the guests out onto the DMZ or just dump them out of the management interface in the DMZ. I usually will create the DHCP on the anchor WLC, unless you have a DHCP server in the DMZ. No need to open another hole in the FW for DHCP.
Wired is a different setup in general from wireless guest... Get the wireless guest going first and then the wired.
Thanks! I've configured the management interface for the WLAN SSID configuration, and after a reboot of the WLC it works! The documentation for that scenario isn't really good. It cost me some time to find out that the first WLC does the authentication, the configuration of the SSIDs...
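The guest-anchor setup described in the replies above, written out as controller CLI commands. This is an added example, not part of the original thread; it assumes AireOS CLI syntax (check it against the command reference for the release in use), a guest WLAN already created with identical SSID and security settings on both controllers, and constructed placeholder values in angle brackets.

```text
# Annotation lines start with '#' and are not typed at the controller prompt.
# Placeholders (constructed for this example, not taken from the thread):
#   <wlan-id>                          numeric ID of the guest WLAN
#   <foreign-mac> / <foreign-mgmt-ip>  internal (foreign) WLC management MAC / IP
#   <anchor-mac>  / <anchor-mgmt-ip>   DMZ (anchor) WLC management MAC / IP
#   <dmz-interface>                    dynamic interface on the anchor, or "management"
#   <peer-mgmt-ip>                     management IP of the other controller

# --- Foreign WLC (internal LAN, APs are joined here) ---
config mobility group member add <anchor-mac> <anchor-mgmt-ip>
config wlan disable <wlan-id>
# Bind the guest WLAN to management; no dynamic interface is needed on this side.
config wlan interface <wlan-id> management
# Send all clients of this WLAN to the DMZ controller.
config wlan mobility anchor add <wlan-id> <anchor-mgmt-ip>
config wlan enable <wlan-id>

# --- Anchor WLC (DMZ) ---
config mobility group member add <foreign-mac> <foreign-mgmt-ip>
config wlan disable <wlan-id>
# Egress point for guest traffic: a DMZ dynamic interface or the management interface.
config wlan interface <wlan-id> <dmz-interface>
# The anchor lists its own management IP as the anchor for this WLAN.
config wlan mobility anchor add <wlan-id> <anchor-mgmt-ip>
config wlan enable <wlan-id>

# --- Verify from either controller ---
show mobility summary
show mobility anchor
# mping checks the mobility control path (UDP 16666) through the firewall.
mping <peer-mgmt-ip>
# eping checks the EoIP data path (IP protocol 97) through the firewall.
eping <peer-mgmt-ip>
```

If `mping` succeeds but `eping` fails, the firewall between the internal LAN and the DMZ is passing mobility control but not the EoIP tunnel, so clients anchor but their traffic never reaches the DMZ subnet.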