unified wireless guest access

ejlbarcelon · ‎12-16-2011

Hi I need help in configuring unified wireless guest access. i have followed the guide

http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html#wp999843.

But the problem is it still does not work. what i dont get is that the interface for the Guest SSID for the foreign controller is management, does this mean that i have to get an IP address first from the management segment before i can get an IP from the anchor WLC?

my setup is that i have an anchor controller which is on a different LAN from where my foreign WLC is. the anchor WLC has the DHCP scope and the local net user database. I have already join the two WLC to each other's mobility group. also i have configured the mobility anchor on the WLAN(SSID) of the foreign controller.

Another thing is that the AP im trying to use is on a different site from where my controller is. Im not sure if this is the one causing problem.

Can someone help point out my mistake.

Scott Fella · ‎12-16-2011

The interface for the foreign wlc should be set to management. You are tunneling traffic using the management ip. As long as the foreign wlc guest SSID is anchored to the anchor wlc and the anchor wlc SSID is anchored to itself you should be fine. It is important though that the SSIDs match identically except for the interface.

As long as the AP has joined the foreign wlc it doesn't really matter that it is in a different building. You can have that ap in local or hreap mode. A guest user who associates to that ap will get their ip from the guest anchor controller since the foreign wlc has an anchor built to the anchor wlc.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Stephen Rodriguez · ‎12-16-2011

to piggy back on Scott. On the inside WLC by telling the WLAN to use the management interface and anchoring to the DMZ, what you are telling the WLC to do is use the mobility tunnel as the logical interface for it to place the traffic. Not the physical interface.

Sent from Cisco Technical Support iPhone App

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

George Stefanick · ‎12-16-2011

Its rare that I have a difference in opinion from both of you guys but let me share with you an issue I had.

If you map the foreign controller to the management interface and the tunnel breaks for whatever reason the clients will get dumped on the management interface, even though the WLAN is anchored to the DMZ controller.

I know this becuase I seen this for my self when I had anchor issues.

I opened a tac case and it was suggested to use a "dummy interface" on the foreign controller. I forget who I spoke to, this is over a year now. But I then followed up witha Cisco SE on the Advance Wireless team and he commented this is what they do as well. And to add further, a large hospital system here in the Tex Med center had Cisco advance team install their controllers and they too had dummy interfaces for the foreign controllers for guest.

Just my 2 cents ... Add a dummy interface call he dummy_guest_interface and tie it to 222.222.222.222 or something like ... no need to add anything on the wired.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

blakekrone · ‎12-16-2011

George is spot on with his comment. On the inside foreign controller it is wise to use a dummy non-routed network in case the tunnel breaks. If the tunnel goes down and DHCP required is not checked someone could by happen chance guess your static range for the management network and drop themselves on your internal network using open credentials. I always create a non-routed network that I put as the interface on the foreign controller.