Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

WLC 2504 and SSO

Am running into a slight issue and was hoping someone could shed a light on this.

I am using a Cisco WLC 2504 wireless LAN controller to manage four (4) 1142 WAPs.  Everything works well and we have both authenticated users and a guest-wireless network as well.

However, we are implementing a web filerting solution (zScaler) which requires a GRE tunnel from our edge router (C2921) to their network.  Everything goes through this tunnel now.  Along with that we have SSO (single sign on) solution (OKTA) which requires all users to login using their AD accounts and they must also agree to our terms of Conditions.

So, my question is, how can I allow guest users to bypass this tunnel and not use an AD account to authenticate?

Here is one possible solution:

Place the guest users on a new VLAN and then route then through my ASA 5510 firewall through a new egress IP.  This new egress IP I can set up as an exception in the GRE tunnel. 

My problem is how do I configure guest users to be on a new VLAN through the WLC? 

And then how do I configure the ASA to route this VLAN over the new egress IP?

Thoughts?  Ideas?  am happy to provide config files if needed or to diagram further.

Thanks in advance.


  • Other Wireless - Mobility Subjects
New Member

WLC 2504 and SSO

One thing I forgot to mention; we are using an outside VoIP provider, and so we do VLAN tagging on all the single drops in each cubicle.  management would not let us separate out data phones lines from the computer drops.

We VLAN tag all data packets as VLAN 101 and then tag all VoIP packets as VLAN 200.  Am happy to set up another VLAN 100 as wireless, and then route them out our C3750G switches, but have never had to do this as well.


New Member

WLC 2504 and SSO

May have answered my own question...

Am going to burn an extra port on my WLC and plug it directly into my C5510 and use an extra IP as my egress.

Any suggestions on how to configure a new port on the WLC to be in a different subnet and then route guest-wireless over this port and then out a different egress IP on the firewall?  Am concerned that the egress IP will overlap the LAN Ip address subnet.


This widget could not be displayed.