Cisco Support Community

New Member

Guest access and VPN client sessions

Hi,

We have implemented a Guest WLAN using a 4402 controller residing in our internet facing DMZ environment. An EoIP tunnel forwards traffic from internal controllers to the DMZ anchor. The service works well and is very popular with third party contractors working onsite. Authentication for guests is via a Cisco Guest NAC server.

We have had a few issues with contractors attempting to establish client VPN access to their parent company.  Are there any known issues with this type of guest connection?

Many thanks

10 REPLIES
Hall of Fame Super Silver

Guest access and VPN client sessions

Liam,

As long as you are opening up the ports for VPN on the FW, you should be fine. I have never had any issues with various types of VPN clients using wireless guest (webauth). Are you sure that the users have successfully authenticated? Also, did you increase the session timeout or disable it? This will force webauth users to log back in, which might be an issue also.

-Scott
*** Please rate helpful posts ***
New Member

Guest access and VPN client sessions

Hi Scott,

My understanding is that all traffic is tunnelled through the EoIP tunnel, and therefore there is no need to specify ipsec ports on our firewall.  Is this not correct?

Hall of Fame Super Silver

Re: Guest access and VPN client sessions

Correct... I have clients that put rules in the FW for guest traffic not allowing VPN; that's why I ask.

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
Silver

Guest access and VPN client sessions

What code version?

There have been numerous bugs with PPTP not working, so if you aren't up to date on code, it wouldn't surprise me if that is your problem.

Hall of Fame Super Silver

Re: Guest access and VPN client sessions

Can you provide us with what code versions are affected?

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
Silver

Re: Guest access and VPN client sessions

I thought there was one in mid-6.0 code... but I can't seem to find the bug ID, so I may be mistaken.

CSCsx20559 - PPTP not working through WLC. Exists in 5.2.157.0 and 5.2.178.0; resolved in 5.2.193 / 6.0.

CSCtc78925 - PPTP not connecting through IOS based AP (Autonomous). One of the biggest issues with 12.4(21a)JA01 (resolved in whatever IOS code came after JA01).

It also looks like there is an even older bug, but I can't make out the WLC version of code.

It may not even be an issue for this case.  Just something to note.

Hall of Fame Super Silver

Re: Guest access and VPN client sessions

Thanks for the version! I was worried it was in the 6.x :)

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
New Member

Re: Guest access and VPN client sessions

Hi,

The version of code on the corporate network controllers (2 x WiSM) and DMZ Anchor Point controllers (2 x 4402) is 7.0.98.0.

If there are any recommendations on required code level, please let me know.

Many thanks

Silver

Re: Guest access and VPN client sessions

Nothing specific to this issue comes to mind as far as 7.0 goes.

I saw a few TAC cases complain about guest + VPN, all of which were firewall limitations (except I think one was a bandwidth contract issue).

Are you doing rate limiting with bandwidth contracts? That wouldn't prevent a VPN though; it would just potentially cause VPN disconnects due to oversubscription...

So unless bandwidth contracts are in place, I'm leaning back to Scott's post. I assume you have a firewall between your Anchor WLC and the internet... perhaps the firewall is eating those packets? Specifically, you mention your anchor is in the DMZ... I hear DMZ used loosely: sometimes it means completely on the other side of the firewall, sometimes it means a virtual zone within the firewall (port 1 trust, port 2 untrust, port 3 dmz), so traffic would still go through the firewall from DMZ to untrust to get to the internet...

New Member

Re: Guest access and VPN client sessions

Hi,

Yes, I just checked the fw rules and although we allow all tcp/udp access outbound, I am thinking we also need to enable IPSec-ESP protocol 50.

Many thanks
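The point the thread arrives at is that an "allow all TCP/UDP outbound" rule does not cover VPN protocols that ride directly on IP with no port (ESP is IP protocol 50, and PPTP's GRE is IP protocol 47). The following Python audit helper is an added example, not code from the thread or from Cisco: it models an outbound guest firewall policy as a list of (protocol, port or IP protocol number) rules, compares it against the well-known requirements of IPsec, PPTP and SSL VPN clients, and reports which requirements the policy leaves blocked. The rule representation, the requirements table and the policies are all constructed for illustration.

```python
"""Audit an outbound guest firewall policy against common VPN client needs.

Added example (not from the thread). A rule is a (protocol, value) pair:
  ("tcp", 443)   TCP to destination port 443
  ("udp", None)  UDP to any destination port
  ("ip", 50)     raw IP protocol 50 (ESP); no port, so "any tcp/udp" never matches it
"""

# Well-known protocol requirements of common VPN client types.
# (constructed reference table; IKE/NAT-T/ESP, PPTP control + GRE, TLS + DTLS)
VPN_REQUIREMENTS = {
    "ipsec": [("udp", 500), ("udp", 4500), ("ip", 50)],
    "pptp": [("tcp", 1723), ("ip", 47)],
    "sslvpn": [("tcp", 443), ("udp", 443)],
}

# Friendly names for the raw IP protocols this example knows about.
IP_PROTOCOL_NAMES = {47: "GRE", 50: "ESP"}


def rule_permits(rule, need):
    """True if a single firewall rule allows one (protocol, value) requirement."""
    r_proto, r_val = rule
    n_proto, n_val = need
    if r_proto != n_proto:
        return False
    if r_proto in ("tcp", "udp"):
        # None means "any destination port"
        return r_val is None or r_val == n_val
    # Raw IP protocols carry no port: they must be permitted by number explicitly.
    return r_val == n_val


def missing_rules(policy, vpn_type):
    """Return the requirements of vpn_type that no rule in policy permits."""
    needs = VPN_REQUIREMENTS[vpn_type]
    return [need for need in needs if not any(rule_permits(r, need) for r in policy)]


def describe(need):
    """Human-readable form of a requirement, e.g. 'udp/500' or 'ip proto 50 (ESP)'."""
    proto, val = need
    if proto == "ip":
        return f"ip proto {val} ({IP_PROTOCOL_NAMES.get(val, 'unknown')})"
    return f"{proto}/{val}"


def audit(policy):
    """Map each VPN type to the list of requirements the policy blocks."""
    return {vpn: missing_rules(policy, vpn) for vpn in VPN_REQUIREMENTS}


# Constructed policy matching the thread: all tcp/udp outbound, nothing else.
GUEST_OUTBOUND_POLICY = [("tcp", None), ("udp", None)]
# The same policy after adding the ESP rule the thread proposes.
POLICY_WITH_ESP = GUEST_OUTBOUND_POLICY + [("ip", 50)]

if __name__ == "__main__":
    for name, policy in (("original", GUEST_OUTBOUND_POLICY), ("with ESP", POLICY_WITH_ESP)):
        print(f"policy: {name}")
        for vpn, blocked in audit(policy).items():
            status = ", ".join(describe(n) for n in blocked) or "ok"
            print(f"  {vpn:7s} blocked: {status}")
```

Running it shows that the original policy only breaks IPsec (ESP) and PPTP (GRE) while SSL VPN passes untouched, and that adding protocol 50 fixes IPsec but still leaves PPTP clients blocked unless GRE (protocol 47) is permitted as well. Adapting it to a real firewall means exporting the actual outbound rule set for the anchor's DMZ zone into the same (protocol, value) shape.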
