WLC 2504 - Seeing network devices and Guest accounts

tibetors
Level 1

Hi,

I use a WLC CT 2504 in the office and I have two problems regarding device discovery within the network. I would appreciate it if you could help me with these problems.

1. I want to see the network devices in the Network panel in Win 7. I can ping all the devices and even connect to them, but they are not listed under "Network". The problem doesn't happen when I connect to the network with an ethernet cable.

2. I've configured a guest user as described in the manual. I've opened a lobbyadmin account and added the guest user using that account. However, the problem is that when I log into the network using the guest user's username and password in the layer 3 web-authentication interface, it enables me to connect to the devices in the network. Isn't the reason behind guest accounts to prevent guests from accessing the network devices and only allow them internet access?

Best,

Tibet

9 Replies

Stephen Rodriguez
Cisco Employee

Hi,

So for the first question, Microsoft still uses L2 protocols to discover resources and show them in the "Network", so make sure that you have broadcast forwarding enabled. This should let NetBIOS flow and learn what all is out there.

For your second question, no, that is not what the guest username/password is for. That is so that you can keep people out of your guest network. You still need to put an ACL up somewhere that disallows the guest subnet to reach the corporate subnet(s).

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
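
An added example, not part of the reply above and not Cisco configuration: a first-match model of the kind of ACL the reply calls for, checked against constructed flows. The 192.168.0.x office and 10.0.0.x guest ranges are the ones quoted later in this thread; the rule sets, the host addresses other than 192.168.0.7, and the function names are assumptions made for illustration.

```python
import ipaddress

net = ipaddress.ip_network
# Subnets as quoted in the thread; the rule sets below are constructed.
GUEST, CORP, ANY = net("10.0.0.0/24"), net("192.168.0.0/24"), net("0.0.0.0/0")

# Ordered rules: (action, protocol, source, destination, destination port or None)
ISOLATING_ACL = [
    ("permit", "udp", ANY, ANY, 67),      # DHCP requests from guests
    ("deny", "ip", GUEST, CORP, None),    # guest -> corporate blocked
    ("permit", "ip", GUEST, ANY, None),   # everything else (internet)
]
# Same rules with the last two swapped: the broad permit now matches first.
MISORDERED_ACL = [ISOLATING_ACL[0], ISOLATING_ACL[2], ISOLATING_ACL[1]]

# Constructed flows with the verdict an isolated guest network should give.
EXPECTED = [
    ("udp", "0.0.0.0", "255.255.255.255", 67, "permit"),   # DHCP discover
    ("tcp", "10.0.0.50", "192.168.0.20", 445, "deny"),     # file share on office host
    ("udp", "10.0.0.50", "192.168.0.7", 53, "deny"),       # DNS on the office server
    ("tcp", "10.0.0.50", "203.0.113.10", 443, "permit"),   # HTTPS to the internet
]

def decide(acl, proto, src, dst, dport=None):
    """Return the action of the first matching rule; implicit deny otherwise."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in acl:
        if r_proto not in ("ip", proto):
            continue
        if s not in r_src or d not in r_dst:
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny"

def audit(acl, expected=EXPECTED):
    """List every flow whose verdict differs from the expected one."""
    return [
        (proto, src, dst, dport, got)
        for proto, src, dst, dport, want in expected
        if (got := decide(acl, proto, src, dst, dport)) != want
    ]

if __name__ == "__main__":
    print("isolating :", audit(ISOLATING_ACL))
    print("misordered:", audit(MISORDERED_ACL))
```

With the deny rule in place, a guest DHCP scope that hands out a DNS server inside 192.168.0.x gets no answers, so guests need a resolver outside the corporate range or an explicit permit placed above the deny.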


Enabling broadcast forwarding worked like a charm.

However, can you please elaborate on your reply for the second question? I only have one SSID. DHCP is not enabled. The WLC gets the IP addresses from the DHCP server. Hence, the guests get their IP addresses with the same subnet as the corporate users. Is it possible to give IPs with different subnets to the guest users based on the username and password they use and put an ACL up for that subnet?

If you're limited to just using a single WLC, what you should do is create a Guest SSID and map that to a Guest VLAN, which you secure as you see fit. Then, when you create the Guest User credentials on the WLC, you can bind them to just that Guest WLAN. This will leave you with one SSID/VLAN for your Corporate Users and a separate SSID/VLAN for your Guest Users, which will give you the separation you need. It is not possible to perform dynamic VLAN/ACL assignment with your current setup.

I am new to this. I understand what you mean, but cannot implement it. So I would appreciate it if you could elaborate further. I've created a new VLAN named vlan_guest. I am using port 2 for both management and vlan_guest. I assigned IPs with entirely different subnets to vlan_guest's interface, gateway and Primary DHCP server. I also created a guest WLAN and associated the vlan_guest interface with that WLAN. However, I cannot connect to the guest WLAN. The computers cannot discover the guest network (cannot get correct IP addresses etc.). My guess is that I have not set up the internal DHCP server. Is that so? What should I do?

Scott Fella
Hall of Fame

We need more detail, like a drawing or something, and also the show run-config from the CLI of the WLC and the switch port config that the WLC is connected to.

If you're using port 2 for both management and guest, then that port has to be connected to a trunk port on the switch, and the trunk port has to allow both the management and the guest VLANs. You also need to have a working VLAN/subnet for both the management and the guest on your wired infrastructure. On the WLAN for the guest, you would map the SSID to the guest VLAN. The guest interface as you described is using port 2 as the primary, which the management is also using. I'm assuming that you don't have ports 1, 3 and 4 connected to the network.

The guest dynamic interface should have a valid IP address that is not used by any device and is not in the DHCP pool. This interface is used to bridge traffic to the guest subnet since the WLC isn't a router and doesn't do any routing or NAT.

-Scott
*** Please rate helpful posts ***

I attached the network config that I want...

Basically, I want the WLC to assign 192.168.0.x IPs to office computers, which it does through the office WLAN. I also want to assign 10.0.0.x IPs to guests through the guest WLAN, which is connected to a different VLAN. I changed my mind and assigned VLANs to two different ports (Management is port 2, guest is port 1). They are connected to the same switch though.

The internal DHCP server works and the computers connected to the guest WLAN get 10.0.0.x IPs assigned by the WLC. However, for some reason, they do not recognize DNS and cannot connect to the network. Hence, I think that I am doing some of the config wrong. Could you help me with that?

Also, here are my current configs:

Scott Fella
Hall of Fame

Well, since you are using the WLC as a DHCP server for guest, you don't have any DNS servers defined. You need to define at least one DNS server like 4.4.4.4

-Scott
*** Please rate helpful posts ***

Well, the computers that are connected to the office network (192.168.0.x) get their DNS servers automatically. Their primary DNS server is 192.168.0.7 (the IP address of the office server) and the other two are the ISP's DNS addresses. I tried inputting either of them for the "DNS Servers" in "DHCP Scope", but neither worked.

The problem now is that the computers on the guest network can discover the network and get their IP addresses and DNS servers, but still cannot have internet access.

Do you think that there is a problem with the routing? Are there any other mistakes in my config?