Here's a quick rundown of how I'm set up, before I get to my question:
2 4404 WLCs
2 WLANs - 1 private, 1 public Active Directory domain
The private network is for domain devices only. It authenticates using 802.1x and client certificates pushed through group policy. The public network is for staff- and student-owned devices (I work for a public school division), visitors, contractors, temporary employees, etc. Guest access is using web-auth - local for guest accounts, and then RADIUS for users with domain credentials.
The public WLAN is on its own subnet at each site and is ACL'd off from the private network. It is basically internet-only, and is thoroughly scrutinized by our content filter.
More and more staff are bringing in their own laptops and we have had requests to allow printing from these devices. We currently control printing through AD permissions on our wired network - preventing students from printing to say the high volume color printer in the office, etc.
My question is - what suggestions can anyone offer on how to set up a printer for the guest WLAN, and is there any way to control or regulate access to it?
My initial thought was to provide a printer that was connected to an access port for the guest WLAN's VLAN. Guest users should be able to browse to it or add it in the printer control panel. Because it wouldn't be tied to a print server, it wouldn't be served up in a directory. We'd have to provide instruction on how to add it manually. I believe this would work, but would negate any ability to control access to it.
I'm running into the same issue, Rob. Similar setup - web authentication on the guest WLAN.
I tried using the pre-authentication ACL to allow the printers to talk to clients in a walled-garden approach, but that didn't seem to help. I think because the printers were not authenticated while the clients were. Anyway, that's one way that doesn't work in case anyone else attempts it.
Rob, were you ever able to get something in place? If so, can you describe what it looks like?
The best solution that I could come up with, and which has been backed by Cisco Advanced Services, is to create a separate SSID for the printers. It hasn't been fully tested with guest users, though - the network is being stood up hopefully today. I will post back to relay my experiences.
I was finally able to implement and test the solution last Friday, September 30. The network aspect worked as expected; no errors or problems there. The only piece that seems a little awkward is that users are required to install the print drivers still. This could be a problem for those users who are not technical or who lack administrative rights on their machine.
So, in theory it will work, but we are still seeking solutions that would allow us to offer something a bit more seamless to our guest users.