Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

WLC 4402 separate guest traffic

Hi,

we have a Cisco WLC 4402. Currently we use Port 1 on WLC for management and for WLAN Dynamic interfaces to map.

There is a need from business to have guest wifi as well. I plan to do this with open wlan and web authentication and I want

to separate the guest wifi traffic from the other networks traffic with dedicated physycal port. On WLC 4402 I would

like to use port 2.

Here is a small diagram about the config:

 

USER<--->AP<--->SWITCH<--->WLC-port1<--->CORE-SWITCH<--->ENTERPRISE-LAN

USER<--->AP<--->SWITCH<--->WLC-port2<--->BORDER-SWITCH<--->FIREWALL<--->INTERNET

The problem:

Users can reach the web auth page of WLC and they start to authenticate.

I can see them in the log. But after authentication, users do not get the successfully authenticated page and the

internet connection does not work. (from Guest WLAN only internet traffic is allowed). In firewall logs I can see

that the traffic passes the firewall. I ran wireshark on users machine (what is connected to guest wlan) but

I cannot see any incomming traffic there... What can be the problem?

Additional info:

When I was checking the ARP entries on WLC I see that WLC sees the arp entries of firewall on port 2 but clients arp

entries are on port 1. Cannot be this the problem? if yes how to solve it? (I assigned port 2 to the dynamic interface of guest wlan).

see the attached image.

 

Thanks in advance,

 

Andras

 

 

 

 

 

4 REPLIES

Hi Andras,You have local

Hi Andras,

You have local authentication page? or the auth page is hosted on external web server? (if external server is used, try the local page and see if same problem still there).

Are you redirecting the clients to any website after authentication? if yes, what is the URL to which you direct them?

Do your clients use any proxy server on their browsers?

Make sure DNS is operational and can resolve URLs when clients connect and get IP addresses. (you may try that by the command nslookup <url> on windows machines).

I encourage you to read this doc. Maybe you can catch a problem in your scenario:

http://goo.gl/iHCHf8

 

HTH

 

Amjad

Rating useful replies is more useful than saying "Thank you"
New Member

Hi Amjad, Thank you for your

Hi Amjad,

 

Thank you for your reply. Let me answer you questions one by one:

 

1. I am using local authentication page onthe WLC.

2. I do not use redirect.

3. My clients do not use proxy server.

4. DNS resolution: good question I am going to check it.

 

Thanks for the link I will go through and tomorrow I will be onsite where this wifi lan is so I will have

real life experience what is happening there.

Do you think that the separation on the physicall interfaces can cause this problem?

 

Thanks,

Andras

New Member

Hi, just to let you know: The

Hi,

 

just to let you know:

 

The issue was solved. Because there is many parts between the user and the internet.

we started to track down every device configuration one by one and turned out that

there was a missing nat rule on the firewalls. When we fixed that the connection worked.

There is nothing related on which WLC port I see the devices.

 

Best Regards,

 

Andras

Cisco Employee

Guest WLAN and Internal WLAN

282
Views
0
Helpful
4
Replies
CreatePlease login to create content