Guest Access WLC Help

I have 2 WLC 4402. 1 Remote and 1 DMZ. I have read the deployment guide for guest access 20 times and still cannot get it to work. A couple of answers that I don't see in the guide: 1. Do APs need to be associated with the DMZ WLC? 2. Am I anchoring my management IP or a different Dynamic IP? I have verified with Eping and mping that the tunnels should be able to be created; how do I verify? An issue that concerns me is that I cannot ping (ICMP) my remote WLC mgmt interface from the DMZ WLC. I know I have connectivity because of eping, mping and https mgmt from the same subnet as the DMZ WLC MGMT Interface. Should I be concerned about this? It could just be ICMP blocked at the FW.

I am trying not to open a support ticket as I am sure this is a simple issue. One of my problems is that my VLANs cannot be tagged because the DMZ VLAN does not reside on our core switches and hence I cannot do 802.1Q, which is discussed on page 4 of the dep. guide. To get around this I configured IF/2 on my Remote WLC to an IP from my DMZ subnet. Is this OK? Is it needed?

Summary Internal IF 1.1.1.1 for both WLC

remote WLC

MGMT = 10.160.24.30 IF/1

AP-MGMT = 10.160.24.31

Service = 192.168.0.10

guest = 10.160.80.16 IF/2

DMZ WLC

MGMT = 10.160.80.15

ap-mgmt = 10.160.24.33 (don't need?)

service = 192.168.0.10

internet = public IP to be natd by FW

I am a newbie to the Cisco WIFI world, but not to IT/networking.

Any help would be greatly appreciated.

tekjansen101
Level 1

I believe you need to enable IP Protocol 1 (for ICMP) in order for ping to work ...

weterry
Level 4

1. Do APs need to be associated with the DMZ WLC?

a) No

2. Am I anchoring my management IP or a different Dynamic IP?

a) No IP gets anchored. You anchor the WLAN on one controller to your DMZ. On the DMZ, you anchor that WLAN to itself.

3) I have verified with Eping and mping that the tunnels should be able to be created, how do I verify?

a) from CLI: show mobility summary

This will show you if everything is UP, or if control/data path is down. EPING/MPING should verify this as well if they are successful.

I'm not sure what you mean about port 2. Are you placing a link straight out to your DMZ? Normally everything goes out the main interface and "routes" out to your dmz.

I had the same issue with a guest DMZ controller. Do I need to config the same SSID on both the anchor and foreign controller? I also need to use web-auth for wireless guests; which controller's SSID needs to be configured for web-auth? By the way, I found an example on CCO, but only for "wired":

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml

If anyone can provide me an example for "wireless guest tunneling", it will be very appreciated.

yueric,

1. Do I need to config same SSID on both of anchor and foreign controller?

- Yes, the WLAN needs to be configured the exact same way on both the anchor and foreign controllers.

2. Which controller's SSID need to be configured web-auth?

- Both need to be configured the same way, so if you want to use web-auth you need to configure the anchor and foreign controller WLAN to use web-auth.

HTH
