02-21-2014 04:36 AM - edited 07-05-2021 12:15 AM
I have a new wireless network with a foreign and an anchor controller. The anchor sits in a DMZ behind a PIX firewall that has a NAT for my management interface for connectivity to the Internet. I want to use an external DHCP server for guest traffic and for my OEAP connections coming in through the anchor controller that will connect to my foreign controller. I have mobility established between the two controllers, the WLANs are identical, and my OEAPs are connected to the anchor controller.
My problem is that when the guest clients connect they are not getting an IP address, but I do see them getting onto the anchor controller, and debugs show they cannot get an IP. If I remove the mobility anchor from my guest WLAN, I do get an IP. I have proxy enabled and have tried it with and without proxy. I'm guessing that since the PIX is not relaying my DHCP proxy and is dropping the packets, I need a firewall rule of sorts, but I wanted to get advice from those who have experienced this before.
If I do need a firewall rule, will it be to allow DHCP between the two controllers' management interfaces, or between the anchor and the DHCP servers?
Thanks in advance for your help.
02-24-2014 04:31 AM
The thing is, one test I normally do is to make the anchor WLC do DHCP. If that fails, then most likely it's an issue in the WLC side, because if users get associated and tunneled back to the anchor, the anchor should hand out a DHCP address. Since this fails, I don't see how it can be the PIX.
Keep us posted.
Sent from Cisco Technical Support iPhone App
02-24-2014 04:35 AM
Good point Scott I will look at this more.
02-24-2014 04:43 AM
Just keep us posted. Your config on the WLAN looked fine so I don't see any issue there.
Sent from Cisco Technical Support iPhone App
02-24-2014 06:32 AM
I got the controller working with DHCP; stupid me, I did not have the helper-address on the foreign controller pointing to the anchor. After I added it I got an IP. Now, go figure, I have another problem: I am not getting the web auth page. Fix one problem to face another.
02-24-2014 06:46 AM
That's usually an issue with DNS. Make sure the guest users have access to DNS.
Sent from Cisco Technical Support iPhone App
02-24-2014 07:15 AM
Bret,
An IP helper isn't required when you are tunneling the guest traffic to the anchor WLC. A guest client associates to an SSID from an AP that is joined to the foreign WLC. The foreign WLC then tunnels that traffic back to the guest anchor WLC, and the guest WLC is the one that either hands out DHCP or forwards the DHCP request to the DHCP server.
The guest anchor is in the DMZ, correct? Because if you set an IP helper on the internal network to point to the DMZ, it seems like the user is not being tunneled properly.
Thanks,
Scott
*****Help out others by using the rating system and marking answered questions as "Answered"*****
02-24-2014 08:17 AM
I agree this is normally a DNS issue.
Here is how it works:
1. Client connects to guest
2. User opens a web page and goes to yahoo.com
3. The browser sends yahoo.com to DNS
4. DNS sends the IP address back to the browser
5. The browser then tries to access yahoo.com by IP address
6. The WLC hijacks the request and redirects to the AUP
Make sure your guests can access a DNS server, inside or outside. If they can't, then there is no page redirect.
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
__________________________________________________
"I'm like bacon, I make your wireless better"
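As an added illustration of the six steps above (not code from the thread or from Cisco): a small model of the redirect flow in which a guest browser resolves a name, then sends a plain-HTTP request by IP, and an unauthenticated client's request is answered by the controller with a 302 to the portal. The portal URL, the DNS answers and the TEST-NET-2 address are constructed placeholders. The point it makes is the one George makes: if DNS is blocked pre-auth, the browser never sends the HTTP request the controller would intercept, so no portal ever appears.

```python
from typing import Optional, Tuple
from urllib.parse import quote

# Assumed portal address (placeholder, not taken from the thread).
PORTAL_URL = "https://guest-portal.example.invalid/login.html"

# Constructed DNS answers; 198.51.100.0/24 is TEST-NET-2, never routed.
DNS_TABLE = {"yahoo.com": "198.51.100.10"}


def resolve(name: str, dns_reachable: bool) -> Optional[str]:
    """Steps 3 and 4: the browser asks DNS for the name.

    A pre-auth ACL or firewall that blocks UDP/53 for guests makes this
    return nothing, and a browser with no address never sends HTTP at all.
    """
    if not dns_reachable:
        return None
    return DNS_TABLE.get(name)


def wlc_intercept(dst_ip: str, request_line: str, host: str,
                  authenticated: bool) -> Tuple[int, str]:
    """Step 6: the controller answers an unauthenticated client's HTTP
    request itself with a redirect to the portal, carrying the original
    URL so the client can be returned there after accepting the AUP."""
    if authenticated:
        return 200, f"http://{host}/ served by {dst_ip}"
    _method, path, _version = request_line.split(" ")
    original = f"http://{host}{path}"
    return 302, f"{PORTAL_URL}?redirect={quote(original, safe='')}"


def browse(url_host: str, path: str, dns_reachable: bool,
           authenticated: bool = False) -> Tuple[str, Optional[str]]:
    """Run the guest browser through steps 2 to 6 and report where it ends."""
    ip = resolve(url_host, dns_reachable)
    if ip is None:
        # Nothing to hijack: no DNS answer means no HTTP request by IP.
        return "dns_failed_no_http_sent", None
    status, payload = wlc_intercept(ip, f"GET {path} HTTP/1.1",
                                    url_host, authenticated)
    if status == 302:
        return "redirected_to_portal", payload
    return "page_loaded", payload


if __name__ == "__main__":
    print(browse("yahoo.com", "/news", dns_reachable=False))
    print(browse("yahoo.com", "/news", dns_reachable=True))
    print(browse("yahoo.com", "/", dns_reachable=True, authenticated=True))
```

The model covers plain HTTP only; an HTTPS request cannot be answered this way without the client trusting the certificate the controller presents, which is why a guest's first request should be a plain-HTTP one.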
02-24-2014 10:17 AM
Thanks George!
02-24-2014 10:22 AM
So, working with my server guys, we found in the logs that the DHCP request is making it to the DHCP server, but the DHCP server is not sending a reply. The thought is that the DHCP server cannot respond to a DHCP request for a subnet that does not exist; this is because the request is coming from a DMZ network that is not a valid DHCP scope. We are leaning towards an option 82 config and hoping this works. Any thoughts?
02-24-2014 10:39 AM
If your guest WLC is in the DMZ, then you can't use your internal DHCP server. You either need to use the anchor WLC or have a DHCP server in the DMZ. The DHCP server has to have visibility to the guest subnet in order to issue DHCP addresses. Your best option is to use the guest anchor for DHCP, to be honest.
Thanks,
Scott
*****Help out others by using the rating system and marking answered questions as "Answered"*****
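As an added example of why the server in the previous two posts stays silent (this is illustrative code, not anything from the thread or from a real DHCP server): a relay such as an IP helper or the WLC's DHCP proxy stamps the relayed DHCPDISCOVER with its own interface address in the giaddr field, and the server picks a scope by the subnet that giaddr falls in. When giaddr is a DMZ guest subnet the internal server has no scope for, there is nothing to offer, and a DISCOVER with no matching scope is simply not answered. The scopes, subnets and MAC addresses below are constructed.

```python
import ipaddress
import struct
from typing import Optional

# Constructed scopes for an internal DHCP server (assumption: it only knows
# internal subnets, not the anchor's DMZ guest subnet).
SCOPES = {
    "10.10.20.0/24": ("10.10.20.100", "10.10.20.200"),  # internal user VLAN
}
# Subnet of the server's own interface, used when giaddr is 0.0.0.0
# (a broadcast that arrived without a relay).
SERVER_LOCAL_SUBNET = "10.10.20.0/24"

DHCP_MAGIC = b"\x63\x82\x53\x63"


def build_discover(giaddr: str, chaddr: bytes, xid: int = 0x1234ABCD) -> bytes:
    """Build a minimal DHCPDISCOVER (RFC 2131 fixed fields plus option 53).

    A relay agent fills giaddr with the address of the interface it received
    the client broadcast on and bumps the hop count.
    """
    giaddr_int = int(ipaddress.IPv4Address(giaddr))
    hops = 0 if giaddr_int == 0 else 1
    fixed = struct.pack(
        "!BBBBIHHIIII",
        1,        # op = BOOTREQUEST
        1, 6,     # htype = Ethernet, hlen = 6
        hops,
        xid,
        0,        # secs
        0x8000,   # flags: broadcast bit set
        0, 0, 0,  # ciaddr, yiaddr, siaddr
        giaddr_int,
    )
    packet = fixed + chaddr.ljust(16, b"\x00")       # chaddr padded to 16
    packet += b"\x00" * 64 + b"\x00" * 128           # sname, file
    packet += DHCP_MAGIC + b"\x35\x01\x01" + b"\xff"  # option 53 = DISCOVER, end
    return packet


def parse_giaddr(packet: bytes) -> str:
    """giaddr occupies the 4 bytes at offset 24 of the BOOTP header."""
    return str(ipaddress.IPv4Address(struct.unpack("!I", packet[24:28])[0]))


def select_scope(giaddr: str) -> Optional[str]:
    """Return the scope whose subnet contains giaddr, or None if there is none."""
    if giaddr == "0.0.0.0":
        return SERVER_LOCAL_SUBNET
    for subnet in SCOPES:
        if ipaddress.IPv4Address(giaddr) in ipaddress.IPv4Network(subnet):
            return subnet
    return None


def handle_discover(packet: bytes) -> Optional[str]:
    """Return the address the server would OFFER, or None when it stays silent.

    A real server also tracks leases; this picks the first pool address only
    to show which scope, if any, was selected.
    """
    scope = select_scope(parse_giaddr(packet))
    if scope is None:
        return None
    low, _high = SCOPES[scope]
    return low


if __name__ == "__main__":
    # Relayed from an internal VLAN the server has a scope for: an OFFER.
    print(handle_discover(build_discover("10.10.20.1", b"\xaa\xbb\xcc\x00\x00\x01")))
    # Relayed from the anchor's DMZ guest subnet: no scope, so no reply.
    print(handle_discover(build_discover("172.16.50.1", b"\xaa\xbb\xcc\x00\x00\x02")))
```

This is also the check to run when a server "receives the request but never replies": confirm that the giaddr in the logged DISCOVER lands inside a configured scope. Moving DHCP onto the anchor, as recommended in the post above, removes the gap because the anchor owns the guest subnet.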
02-24-2014 12:31 PM
Agreed. DHCP on your anchor.
Sent from Cisco Technical Support iPhone App