
Cisco Guest Access Using WLC with Anchor setup – Release 7.0

     

     

    Introduction

    In this document, Cisco TAC engineer Varun Ajmani explains how to configure Wireless Guest Access with an Anchor setup on release 7.0.

    The controller provides guest user access on WLANs, for which we can use the foreign/anchor controller setup. The Anchor controller can be placed in a demilitarized zone (DMZ) to segregate the guest traffic.

    More Information

    Cisco recommends the use of a controller dedicated to guest traffic. This controller is known as the guest anchor controller.

    The guest anchor controller is usually located in an unsecured network area, often called the demilitarized zone (DMZ). Other internal WLAN controllers from where the traffic originates are located in the enterprise LAN. An EoIP tunnel is established between the internal WLAN controllers and the guest anchor controller in order to ensure path isolation of guest traffic from enterprise data traffic. Path isolation is a critical security management feature for guest access. It ensures that security and quality of service (QoS) policies can be separate, and are differentiated between guest traffic and corporate or internal traffic.

    An important feature of the Cisco Unified Wireless Network architecture is the ability to use an EoIP tunnel to statically map one or more provisioned WLANs (that is, SSIDs) to a specific guest anchor controller within the network. All traffic—both to and from a mapped WLAN—traverses a static EoIP tunnel that is established between a remote controller and the guest anchor controller.

    Using this technique, all associated guest traffic can be transported transparently across the enterprise network to a guest anchor controller that resides in the unsecured network area.

    Configuration

    Follow the steps below to achieve this:

    1. Create a WLAN on Foreign controller


    2. Enable the WLAN and set the Layer 2 security to None.

     


    3. Set the Layer 3 security to Web Policy, which offers several options for the type of authentication. In this document, we will focus on Web Authentication.


    Because this is the guest WLAN, we can set the QoS to Bronze, although this depends on the requirement. Leave all the options at their defaults.

    4. Set up the same WLAN on the Anchor controller. Make sure the configuration matches the foreign controller exactly.

    5. Now we need to set up mobility between the two controllers.

    Go to Foreign Controller -> Mobility Management -> Mobility groups

    Add the Anchor controller’s IP address, burned-in MAC address (which can be checked under Controller -> Inventory) and the Mobility Domain Name.


    Repeat the same procedure to add the Foreign controller on the Anchor controller. The mobility should come up within a minute.


    6. We need to set up auto anchoring for the SSID we created. Go to WLANs -> guestanchor WLAN, hover over the blue arrow on the right, and click Mobility Anchors.


    The Anchor controller’s IP should appear in the Switch IP Address (Anchor) drop-down. Select it and click Mobility Anchor Create.

    On the Anchor controller, go to the same option under the SSID and add local for auto anchoring.

     


    7. If we want to use the Anchor controller as the DHCP server, we can create a DHCP scope under Controller -> Internal DHCP Server -> DHCP Scope.

    Once that is done, verify the following options:

    • The DHCP server under the management interface (or the interface selected for the guest anchor WLAN) is set to the Anchor controller’s IP address
    • DHCP proxy is enabled under Controller -> Advanced

    8. Create a user under Security -> Local Net users

     


    9. We can use the Internal/External/Customized web auth page.

     


    10. Now we’re done with the config and are ready to test the client.

     


    Connect to the guestanchor WLAN

    Once you get an IP address, open a browser and type https://1.1.1.1/login.html

    Please note that 1.1.1.1 is the Virtual interface IP address. If you have the correct DNS entry in the DHCP server, you should be redirected to the login page.

     


    Enter the credentials and you should see the auth successful page.
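
A consistency check for steps 4 and 6, as an added example that is not part of the original document: it parses WLAN detail text captured from each controller and reports settings that differ, a wrong anchor mapping, or an open WLAN without web authentication. The dotted key/value layout, the field names and the 192.0.2.10 address are assumptions constructed for the example.

```python
import re

# Constructed sample in a dotted "key.... value" style for a WLAN detail
# capture. Field names and addresses are assumptions, not real output.
FOREIGN = """\
Network Name (SSID).............................. guestanchor
Status........................................... Enabled
Quality of Service............................... Bronze
Layer 2 Security................................. None
Web Based Authentication......................... Enabled
Mobility Anchor.................................. 192.0.2.10
"""
# Anchor-side copy that has drifted: QoS no longer matches the foreign WLC.
ANCHOR = FOREIGN.replace("Bronze", "Silver")
ANCHOR_MGMT_IP = "192.0.2.10"  # hypothetical management IP of the anchor WLC

LINE = re.compile(r"^\s*(.+?)\.{2,}\s*(.*?)\s*$")

def parse_wlan(text):
    """Parse dotted key/value lines; repeated keys collect into a list."""
    fields = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            fields.setdefault(m.group(1).strip(), []).append(m.group(2))
    return fields

def audit(foreign_txt, anchor_txt, anchor_ip):
    f, a = parse_wlan(foreign_txt), parse_wlan(anchor_txt)
    findings = []
    # Step 4: every WLAN setting except the anchor list must be identical.
    for key in sorted((set(f) | set(a)) - {"Mobility Anchor"}):
        if f.get(key) != a.get(key):
            findings.append(f"mismatch {key}: foreign={f.get(key)} anchor={a.get(key)}")
    # Step 6: foreign tunnels only to the anchor; the anchor points at itself (local).
    if f.get("Mobility Anchor") != [anchor_ip]:
        findings.append("foreign WLAN is not anchored solely to the anchor controller")
    if a.get("Mobility Anchor") != [anchor_ip]:
        findings.append("anchor WLAN is not anchored to itself (local)")
    # Steps 2-3: with Layer 2 security None, web auth is the only access control.
    for name, cfg in (("foreign", f), ("anchor", a)):
        if cfg.get("Web Based Authentication") != ["Enabled"]:
            findings.append(f"{name}: open WLAN without web authentication")
    return findings

if __name__ == "__main__":
    for finding in audit(FOREIGN, ANCHOR, ANCHOR_MGMT_IP):
        print(finding)
```

An empty result means the two WLAN definitions agree and both point at the anchor; any finding is worth resolving before guests are allowed onto the SSID.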

     


    Controller

    Total throughput and client limitations per guest anchor controller are as follows:

    • Cisco 2504 Wireless LAN Controller – 4 * 1 Gbps interfaces and 1000 guest clients
    • Cisco 5508 Wireless LAN Controller (WLC) – 8 Gbps and 7,000 guest clients
    • Cisco Catalyst 6500 Series Wireless Services Module (WiSM-2) – 20 Gbps and 15,000 clients
    • Cisco 8500 Wireless LAN Controller (WLC) – 10 Gbps and 64,000 clients

    Note: Cisco 7500 WLCs cannot be configured as a guest anchor controller.

     

    Additional Information

    Wireless Guest Access FAQ

    Deployment Guide: Cisco Guest Access Using the Cisco Wireless LAN Controller

    Comments
    New Member

    Vinay,

    I am very new to Cisco Wireless controllers.

    We can do the guest configuration with mobility anchor in a single standalone wireless controller.

    We have a standalone Cisco 2504 WLC and 9 numbers of AIR-AP3702i-UXK9, and we want to configure the mobility anchor for guest users.

    Is that possible? If yes, please guide me to a link to check the configuration.

    Your help will be grateful for me.

    Thanks,

    shihab

    Hall of Fame Super Silver

    Mobility anchor is only used if you have more than one controller. If you only have one 2504, then you will not be using this feature. You will just need to create your guest portal in that 2504.

    -Scott 

    *** Please rate helpful posts ***

    Vinay,

    Q1- If I use the 5520 controller, do I need to order an AP license or just the AIR-CT5520-K9 SKU?

    Q2- If I want to use the CMX capabilities in this scenario, which controller will be responsible for communicating with CMX? The anchor controller or the foreign?

    Thanks

    New Member

    Scott,

    Thanks for the information.

    shihab

    New Member

    Hi Scott,

    Can I create a mobility anchor between a Cisco 5500 WLC and a 2504 controller? I already have a 5500 in the network and would like to add a 2504 as a guest. Would I need downtime or a reboot?

    Hall of Fame Super Silver

    As long as the 2504 is on v7.4 or later, it can be used as an anchor. Now you need to look at the capabilities of the 2504 and make sure that you are not going to hit the max users the 2504 supports, as that would be the limitation of using a 2504 vs a 55xx.

    -Scott

    New Member

    Hi Scott,

    Thanks for getting back on the same.

    I have a 5500 in the production setup using subnet 10.1.0.0/22 and have APs in place associated with this subnet. I have another network within the company using 10.10.0.0/22. We have a new requirement wherein a team wants the 10.10.0.0/22 to be used via the existing APs with another SSID. So we decided to go ahead with an Anchor mobility controller. What factors should I take into account before proceeding?

    Thanks for your help in advance.

    New Member

    Hello Vinay,

    Thank you, very informative document. Question: can the guest anchor provide Internet access to guests through an open wireless SSID, with web authentication access control for single users and group users (like a classroom)?

    thank you!