Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

5760 guest network not receiving IP address

 

I'm testing a pair of 5760s for a near-term production rollout.  I have the dot1x employee wlan working, but am having trouble with the guest web-auth wlan.  We have a foreign controller with connected APs and an anchor controller in the DMZ.  We're using an external redirect to the ISE guest portal.  ISE is working with our production equipment and hasn't been changed.  However, I'm not able to get an IP address assignment to test the ISE redirect.  When I remove all of the web-auth configuration, I'm getting an IP address without issues.  My configuration is attached below, and would appreciate an extra set of eyes.

!!!!!!!!!!!!
!! Anchor controller
!!!!!!!!!!!!
!
aaa group server radius ISE
 server name iseservername
aaa authentication login ISE-MethodList group ISE
!
parameter-map type webauth global
 type webauth
 virtual-ip ipv4 x.x.127.1 virtual-host guest-redirect.domain.com
!
parameter-map type webauth Guest-param-map
 type webauth
 redirect for-login https://guestportal.domain.com:8443/guestportal/portal.jsp
 redirect portal ipv4 x.x.164.35
!
ip access-list extended Guest-preauth
 permit udp any any eq domain
 permit udp any eq domain any
 permit udp any any range bootps bootpc
 permit tcp any any eq 8443
 permit tcp any any established
ip access-list extended Guest-redirect-acl
 permit tcp any any eq www
!
radius server iseservername
 address ipv4 x.x.164.35 auth-port 1812 acct-port 1813
 key [verysecretkey]
!
wlan Guest 1 Guest
 client vlan 330
 ip access-group web Guest-preauth
 mobility anchor
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security web-auth
 security web-auth authentication-list ISE-MethodList
 security web-auth parameter-map Guest-param-map
 no shutdown

!!!!!!!!!!!!!!!!
!! Foreign Controller
!!!!!!!!!!!!!!!!

wireless management interface Vlan60
!
wlan Guest 1 Guest 1
 client vlan 60
 mobility anchor x.x.60.160
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security web-auth
 no shutdown

 

4 REPLIES
VIP Purple

Have you tried this by

Have you tried this by enabling DHCP snooping for the vlan 330 on your 5760  & trust 5760 uplink ? In the below I have assume 10G port of 5760 is map to a etherchannel (Po1). Otherwise trust the physical interface.

ip dhcp snooping
ip dhcp snooping vlan 330

!

interface Port-channel x
 switchport trunk native vlan x
 switchport trunk allowed vlan x,y,z
 switchport mode trunk
 ip dhcp snooping trust

 

HTH

Rasika

**** Pls rate all useful responses ****

New Member

I haven't.  I had DHCP

I haven't.  I had DHCP snooping on the foreign controller for non-anchored WLANs, but was often not getting DHCP addresses, even though the config was right as far as the documentation was concerned.  So I pulled it off and started getting addresses.

Is there something missing or wrong in the above config?  I haven't imported a certificate yet, as I was going to work that piece once I had an IP address and could perform a redirect.  Is which cert you are using specified as a trustpoint in the non-global parameter-map?

VIP Purple

In my production 5760/3850

In my production 5760/3850 guest access set up, I have enabled DHCP snooping & things working fine. I am running 3.6E code & Clearpass is the guest portal & not ISE.

Regarding certification, this is what I have done

http://mrncciew.com/2014/07/30/5760-webauth-certificates/

Pls do not forget to rate our responses if you find it useful.

HTH

Rasika

Cisco Employee

Hi, You are using web-auth.

Hi,

 

You are using web-auth..So ip address should be with out any authentciation. Only thing coming in between is the Mobility tunnel to pick the ip address from Anchor controller. Is one of the 5760 Foreign and the other one Anchor ?

Verify Mobilty tunnel:

> sh wireless mobility summary

>show wireless client mac-address <MAC ADDR>  detail

> sh ip device tracking mac <mac-address>

> debug mobility handoff..on Anchor

 

Regards

Dhiresh

Please rate helpful posts

 

119
Views
0
Helpful
4
Replies
CreatePlease to create content