I have set up wireless guest access for a customer with a single 5508 and web authentication, no problem at all. He then wanted to test wired guest access. The 5508 is currently connected to a single 3560 switch. The wired clients get a DHCP address OK but cannot resolve DNS and thus don't get redirected to the guest login portal. I have even tried turning off all L3 security to no avail. The setup is as follows:
VLAN 101 access points and 5508 management interface
VLAN 102 wired guest access dynamic ingress (L2 config only, no SVI on 3560)
VLAN 103 wireless guest dynamic egress interface, L3 network with SVI on switch
VLAN 104 wired guest dynamic egress interface L3 network with SVI on switch
There are two DHCP pools set up on the WLC, one for the VLAN 103 and one for the VLAN 104 subnets.
The internet router is also connected to the 3560 on a separate VLAN with an SVI. The 3560 has a default route to the internet router and the DHCP pools give the DHCP clients a default gateway of the IP address of dynamic interface 103 or 104. The Internet router can ping the WLC on both these addresses.
LAG is enabled on the WLC and VLANs 101-104 are trunked to it from the 3560.
I even tried making the wired guest egress interface the same one as for wireless. The wired clients now got an IP address on the wireless range but still couldn't pass any traffic. It's like the internal bridging on the WLC between VLAN 102 and 104 (or 103) is broken. Tried both the latest 6.x and 7.x software on the WLC. Any ideas? All the problems I can find with this seem to relate to not getting as far as a DHCP address, but that works fine.
Can you attach the show run-config from the WLC, and show tech from the switch?
Configs attached as requested. Actual VLANs used are (I was talking from memory yesterday):
200 - connection to internet router
100 - access points and WLC management interface
101 - wireless guest egress
102 - wired guest egress
103 - wired guest ingress
Only port fa0/2 is set up for testing a wired guest client on the switch. The rest are set up for APs except for fa0/3, which is a temporary wired guest port until we fix this problem (i.e. it currently is just dumped on the same VLAN as the internet router, which will then do DHCP for it).
Yes, got it resolved. It turns out that the connection from the wired guest access port to the WLC must be L2. That is, the switch that the wired guest access port and the WLC are connected to must be L2 only. We were using a single switch to do the testing and it was also doing the routing for the test LAN. Even though there was no L3 VLAN interface configured for the VLAN that the guest access port was on, for some reason this breaks it. Didn't have a chance to work out the exact limitations of this as we simply made the switch L2 only and configured an 802.1Q trunk to the Internet router and made subinterfaces on the router for the wired and wireless egress ports, and it worked then. No config change was needed on the WLC at all.
The only thing I can think of is that it's something about the way the WLC joins the wired guest access ingress VLAN and egress VLAN. The WLC isn't a real router; it says so in the documentation. I think the packet coming from the wired access port is being bridged to the egress VLAN, not routed, and this is what screws it up (remember, with a router the source and destination MAC addresses would be changed; with a bridge they aren't). Got to be something along those lines. If you have a bigger network with a guest anchor WLC handling this function you don't run into this, as the traffic is coming over an EoIP tunnel from the remote WLC so the switch with the guest anchor WLC doesn't see the MAC address of the wired guest PC.
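The resolution above boils down to one check on the access switch: the wired guest ingress VLAN must be carried at layer 2 only, on a switch that is not also routing the guest subnets. The following is an added example, not code from the thread or from Cisco, that audits an IOS-style running config for exactly those conditions. The sample config, the VLAN numbers (103 ingress, 102 egress, matching the poster's list) and the addresses in it are constructed for illustration and are not the poster's attached config.

```python
import re

# Constructed IOS-style excerpt (not the poster's attached config): a 3560 that
# carries the wired-guest ingress VLAN and also routes the test LAN, which is the
# situation the thread describes as breaking wired guest access.
SAMPLE_CONFIG = """\
ip routing
!
vlan 103
 name WIRED_GUEST_INGRESS
!
interface FastEthernet0/2
 switchport access vlan 103
 switchport mode access
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100-103
 switchport mode trunk
 channel-group 1 mode on
!
interface Vlan101
 ip address 10.10.101.2 255.255.255.0
!
interface Vlan102
 ip address 10.10.102.2 255.255.255.0
!
interface Vlan200
 ip address 10.10.200.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.10.200.1
"""


def parse_ios_config(text):
    """Extract the facts the audit needs from a running config.

    Returns (ip_routing, svis, access_ports) where svis maps VLAN id -> the
    'ip address' line of its SVI (or None if the SVI has no address) and
    access_ports maps interface name -> access VLAN id.
    """
    ip_routing = False
    svis = {}
    access_ports = {}
    current = None  # name of the interface block we are inside, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "ip routing":
            ip_routing = True
            current = None
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            sv = re.match(r"^Vlan(\d+)$", current, re.IGNORECASE)
            if sv:
                svis[int(sv.group(1))] = None
            continue
        if not line.startswith(" "):
            current = None  # any other top-level line ends the block
            continue
        if current is None:
            continue  # indented line outside an interface block (e.g. 'vlan 103 / name')
        body = line.strip()
        sv = re.match(r"^Vlan(\d+)$", current, re.IGNORECASE)
        if sv and body.startswith("ip address "):
            svis[int(sv.group(1))] = body[len("ip address "):]
        m = re.match(r"^switchport access vlan (\d+)$", body)
        if m:
            access_ports[current] = int(m.group(1))
    return ip_routing, svis, access_ports


def audit_wired_guest(text, ingress_vlan, egress_vlan):
    """Report the conditions the thread identified as breaking wired guest access."""
    ip_routing, svis, access_ports = parse_ios_config(text)
    findings = []
    guest_ports = sorted(p for p, v in access_ports.items() if v == ingress_vlan)
    if not guest_ports:
        findings.append(f"no access port is on ingress VLAN {ingress_vlan}")
    if ingress_vlan in svis:
        findings.append(f"SVI present on ingress VLAN {ingress_vlan}; the ingress VLAN should be L2 only")
    if ip_routing:
        findings.append("'ip routing' is enabled; the thread's fix was to make this switch L2 only")
    if egress_vlan in svis:
        findings.append(f"egress VLAN {egress_vlan} is routed here ({svis[egress_vlan]}); move the gateway off the switch")
    return {"ip_routing": ip_routing, "svis": svis, "guest_ports": guest_ports, "findings": findings}


if __name__ == "__main__":
    for f in audit_wired_guest(SAMPLE_CONFIG, ingress_vlan=103, egress_vlan=102)["findings"]:
        print("FINDING:", f)
```

Feed it the output of `show running-config` from the access switch; an empty findings list means the ingress VLAN has no SVI, the switch is not routing, and the egress gateway lives elsewhere (on the router subinterfaces, as in the fix above).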
Thanks for the answer; unfortunately our connection is only L2, so it doesn't seem to be the same problem after all.
I will fiddle around a bit more with the DHCP settings because that is where I think our problem lies.
Just one last question: when the guest client gets redirected to the WLC web page for authentication, can you check which IP is used? Is it the management IP of the WLC or the egress VLAN IP? I am asking because during the redirection it tries to open the WLC FQDN and I'm not sure if the DNS answers with the correct IP.
The guest portal uses an internal IP address that you set when configuring the WLC, not its management IP. Usually it is 188.8.131.52, which is fine as it's only used by the WLC.
Ha, that was my problem: my DNS responded with the wrong IP address so the web authentication page never opened.
Now I've set it to the virtual IP (184.108.40.206 also in this case) and it works.
Thanks for the tip.
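The second problem in the thread is a DNS one: the web-auth redirect opens the WLC's FQDN, and the portal only loads if that name resolves to the virtual interface address, not the management address. The following is an added example, not code from the thread or from Cisco, that parses `nslookup` output for the portal name and classifies the answer. The virtual IP, management IP, FQDN and the two nslookup transcripts are constructed for illustration; the virtual address in your deployment is whatever you configured on the WLC.

```python
import ipaddress
import re
import socket

# Constructed values (not from the thread): the WLC virtual-interface address used
# for web auth, its management address, and the FQDN the redirect sends clients to.
VIRTUAL_IP = "192.0.2.1"
MANAGEMENT_IP = "10.10.100.5"
WEBAUTH_FQDN = "guest-portal.example.net"

# Constructed nslookup transcripts for the two cases in the thread: the resolver
# answering with the management IP (portal never opens) and with the virtual IP.
NSLOOKUP_WRONG = """\
Server:  10.10.100.10
Address:  10.10.100.10#53

Name:    guest-portal.example.net
Address: 10.10.100.5
"""

NSLOOKUP_RIGHT = """\
Server:  10.10.100.10
Address:  10.10.100.10#53

Non-authoritative answer:
Name:    guest-portal.example.net
Address: 192.0.2.1
"""


def answers_from_nslookup(text):
    """Return the answer-section addresses from nslookup output.

    The 'Server:/Address:' header names the resolver itself (with a '#port'
    suffix), so only Address lines after the first 'Name:' line are taken.
    """
    addrs = []
    in_answer = False
    for line in text.splitlines():
        if line.startswith("Name:"):
            in_answer = True
            continue
        m = re.match(r"^Address(?:es)?:\s+(\S+)$", line)
        if in_answer and m:
            try:
                addrs.append(str(ipaddress.ip_address(m.group(1))))
            except ValueError:
                pass  # e.g. a '10.10.100.10#53' style token; not an answer
    return addrs


def classify_webauth_answer(answers, virtual_ip, management_ip):
    """Say whether a DNS answer set will let the web-auth redirect succeed.

    'ok'            every answer is the virtual IP
    'management-ip' the resolver hands out the WLC management address instead
    'mismatch'      some other address (or a mix) came back
    'no-answer'     nothing resolved
    """
    if not answers:
        return "no-answer"
    distinct = set(answers)
    if distinct == {virtual_ip}:
        return "ok"
    if management_ip in distinct:
        return "management-ip"
    return "mismatch"


def check_live(fqdn=WEBAUTH_FQDN, virtual_ip=VIRTUAL_IP, management_ip=MANAGEMENT_IP):
    """Resolve the portal name with the system resolver and classify the result.

    Uses the network, so it is not exercised offline; the parsing functions above
    cover the same logic on captured output.
    """
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
        answers = sorted({info[4][0] for info in infos})
    except socket.gaierror:
        answers = []
    return answers, classify_webauth_answer(answers, virtual_ip, management_ip)


if __name__ == "__main__":
    for label, text in (("wrong", NSLOOKUP_WRONG), ("right", NSLOOKUP_RIGHT)):
        got = answers_from_nslookup(text)
        print(label, got, classify_webauth_answer(got, VIRTUAL_IP, MANAGEMENT_IP))
```

Run `nslookup` for the portal FQDN from a guest client (it must use the DNS server the guest DHCP pool hands out) and pass the output to `answers_from_nslookup`; a `management-ip` result is the exact misconfiguration the last reply describes, fixed by pointing the record at the virtual IP.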