
Guest WLAN setup


SLMHC

MIS
Jul 23, 2004
274
CA
I need to create a guest WLAN on my Cisco 4402. More specifically, I need to set up a guest VLAN that the guest WLAN will use. To complicate this even more, I need guest VLANs at 3 of my current corp. VLANs.

I need to route the traffic on the guest wlan away from my corp network and out to the internet.

Any pointers on setting this up? If you require more specific info let me know.

-Dave
 
Hello,

We took the same approach. Basically, we created three (3) VLANs (Private, Guest, and Mgt) at each office. We added two DHCP scopes (Private and Guest). The "Guest" DHCP scopes are assigned public DNS. We created an Access List that permits DHCP to our DHCP server and blocks all other internal traffic.

Regarding the wireless portion, we configured two Dynamic Interfaces (Private_wvlan and Public_wvlan). We then created two WLANs and bound them to the appropriate WLAN interfaces.

Our Guest Access is configured with Layer 3 Web Auth so that users are prompted for Authentication. We use Cisco ACS to authenticate into AD. Our Help Desk manages a guest wireless account that is given to the receptionist.

One of the issues we came across was related to DNS. The Web Auth page uses the virtual interface IP for redirection. If the wireless client's DNS request for their homepage fails, the auth page doesn't work. If you have any questions, let me know.

Rgds,

John
 
Packet7:

Could you give a little more information of the following:

"Our Guest Access is configured with Layer 3 Web Auth so that users are prompted for Authentication. We use Cisco ACS to authenticate into AD. Our Help Desk manages a guest wireless account that is given to the receptionist."

I know how to do the ACS. I am using MAC authentication. When a guest shows up, we give them the SSID, then we look for the failed authentication, then we add them into the ACS. It is a little slow, but it does work. However, I would like to do the pre-configured approach, so we can hand them their user name and password and let them know that their account will expire in (1) day, for instance.

BTW, my guest network is a layer 2 network. It is logically separated from our business. I know I cannot use AD to authenticate; that's why I am using MAC. However, what I want to know is how to do the web page configuration so the user will see the authentication page or disclaimer page, etc.

Thanks!

KC
 
Hi,

Log in to your WLC, click on WLANs, edit your Guest WLAN, under Security Policies, remove Layer 2 Security, under Layer 3 Security, leave the drop-down at "none", check Web Policy, select Authentication.

In theory, you could create a local account on your WLC. That way your guests will only need the SSID, username and password. Since our Guest WLAN is isolated, we don't have encryption enabled. The SSID is broadcast and free to use for all our guests. For those that don't have an account, they are unable to get past the login page. If they try to log in, three failed attempts will add them to the exclusion list.

BTW, we also route all our guest wireless users over our DSL. This helps in the event our WLAN is compromised and they start using it for sending SPAM. I wouldn't want to get blacklisted.

I hope this helps.

Rgds,

John
 
I have created a guest WLAN that uses web auth to gain access to the wireless network. My issue is setting up the multiple VLANs for each site, and then associating the guest VLANs with the guest WLAN. The remote sites are connected via 2MB SDSL and a point-2-point wireless link to a central Cisco 2610 router.

Would you be able to post your config so I can see an example?

-Dave
 
Hello,

Are you using Cisco Multilayer Switch or the 2610 to route your VLANs? Let me know.

Rgds,

John
 
We have a 2900 plugged into the 2610.

-Dave
 
Hi Dave,

Do you have any VLANs set up? I'm guessing your 2900 doesn't support inter-VLAN routing, so you will need to use the "router on a stick" approach. This is documented on the Cisco site, but I could assist if needed. Let me know.

Rgds,

John
 
Yes, we currently have a number of VLANs set up to subnet our networks by site,
i.e. 10.1.1.1/24, 10.2.1.1/24, etc.

In the HP world there is something called tagging. You can tag a port with 1 or more VLANs and both will be routed through that port, but traffic will be separated.

-Dave
 
Hello,

I have yet to configure an HP switch. The Cisco recommendation is to configure the ports linked to the APs as trunks. Do the HPs support 802.1q trunking?

Rgds,

John
 
I believe so. Don't quote me on it though!

What do I have to do to get this working on my 2610?

-Dave
 
Hi,

Before we go down that road, how are you routing between VLANs now?

Rgds,

John
 
Here is my running-config:


------------------ show version ------------------

Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(6e), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Fri 26-Apr-02 21:53 by yiyan
Image text-base: 0x80008088, data-base: 0x81063530

ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)

Router uptime is 2 years, 23 weeks, 6 days, 1 hour, 38 minutes
System returned to ROM by power-on
System image file is "flash:c2600-is-mz.122-6e.bin"

cisco 2610 (MPC860) processor (revision 0x203) with 61440K/4096K bytes of memory.
Processor board ID JAD050606MZ (2059443943)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
1 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102


------------------ show running-config ------------------


Building configuration...

Current configuration : 3923 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
logging buffered 4096 debugging
enable password
!
ip subnet-zero
!
!
ip name-server 66.165.###.#
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface Ethernet0/0
description SLDHC LAN
ip address 10.1.1.254 255.255.255.0
ip helper-address 10.1.1.13
full-duplex
!
interface Ethernet0/0.2
description EXTENDED CARE LAN
encapsulation dot1Q 2
ip address 10.2.1.254 255.255.255.0
ip helper-address 10.1.1.13
!
interface Ethernet0/0.3
description COMMUNITY COUNSELLING LAN
encapsulation dot1Q 3
ip address 10.3.1.254 255.255.255.0
ip helper-address 10.1.1.13
!
interface Ethernet0/0.4
description TO 7TH AVE SITE
encapsulation dot1Q 4
ip address 10.227.236.1 255.255.255.224 secondary
ip address 10.4.1.254 255.255.255.0
ip helper-address 10.1.1.13
!
interface Ethernet0/0.5
description TO PLANNING OFFICE (A FRAME)
encapsulation dot1Q 5
ip address 10.5.1.254 255.255.255.0
ip helper-address 10.1.1.13
!
interface Ethernet0/0.6
description To 69 Front Street
encapsulation dot1Q 6
ip address 10.6.1.254 255.255.255.0
ip helper-address 10.1.1.13
!
interface Ethernet0/0.7
description to Hugh Allen Clinic
encapsulation dot1Q 7
ip address 10.7.1.254 255.255.255.0
ip helper-address 10.1.1.13
!
interface Ethernet0/0.8
description to Diabetes Clinic
encapsulation dot1Q 8
ip address 10.8.1.254 255.255.255.0
ip helper-address 10.1.1.13
!
interface Ethernet0/0.9
description test
encapsulation dot1Q 9
ip address 10.9.1.254 255.255.255.0
ip helper-address 10.1.1.13
!
interface Ethernet0/0.10
!
interface Ethernet0/0.100
description PIX FIREWALL FOR INTERNET ACCESS
encapsulation dot1Q 100
ip address 10.100.1.253 255.255.255.0
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
ip classless
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip route 0.0.0.0 0.0.0.0 10.100.1.254
ip route 10.59.1.0 255.255.255.0 10.1.1.45
ip route 10.60.2.20 255.255.255.255 10.1.1.45
ip route 10.227.240.0 255.255.255.0 10.1.1.45
ip route 142.147.176.47 255.255.255.255 10.1.1.45
ip route 192.68.48.0 255.255.255.0 10.1.1.45
ip route 192.68.49.0 255.255.255.0 10.1.1.45
ip http server
ip pim bidir-enable
!
access-list 171 remark FIREWALL - MATCH NETBIOS
access-list 171 permit tcp any any eq 137
access-list 171 permit tcp any any eq 138
access-list 171 permit tcp any any eq 139
access-list 171 permit tcp any any eq 445
access-list 171 permit udp any any eq netbios-ns
access-list 171 permit udp any any eq netbios-dgm
access-list 171 permit udp any any eq netbios-ss
access-list 171 permit udp any any eq 445
access-list 171 permit tcp any eq 137 any
access-list 171 permit tcp any eq 138 any
access-list 171 permit tcp any eq 139 any
access-list 171 permit tcp any eq 445 any
access-list 171 permit udp any eq netbios-ns any
access-list 171 permit udp any eq netbios-dgm any
access-list 171 permit udp any eq netbios-ss any
access-list 171 permit udp any eq 445 any
access-list 171 permit tcp any any eq 5000
access-list 171 permit udp any any eq 5000
access-list 171 permit tcp any eq 5000 any
access-list 171 permit udp any eq 5000 any
access-list 171 permit tcp any eq 4000 any
access-list 171 permit udp any eq 4000 any
access-list 171 permit tcp any any eq 4000
access-list 171 permit udp any any eq 4000
access-list 199 deny icmp any any log
access-list 199 permit ip any any
route-map FILTER permit 10
match ip address 171
set interface Null0
!
route-map FILTER permit 20
!
snmp-server community RO
!
dial-peer cor custom
!
!
!
!
line con 0
password
login
line aux 0
line vty 0 4
exec-timeout 30 0
password
login
!
end


Does that help?

-Dave
 
Hello,

Yes, it does. It appears your 2610 is configured with subinterfaces and 802.1q. You would take the same approach for your wireless VLANs. For example:

Note: you will need to specify the internal network(s) in ACL 112.

access-list 112 remark *** Allow wireless guests to pull DHCP from inside servers
access-list 112 permit udp any range bootps bootpc any range bootps bootpc log
access-list 112 deny ip any x.x.x.x x.x.x.x log
access-list 112 permit ip any any

interface Ethernet0/0.11
description Private WLAN
encapsulation dot1Q 11
ip address 10.11.1.254 255.255.255.0
ip helper-address 10.1.1.13

interface Ethernet0/0.12
description Guest WLAN
encapsulation dot1Q 12
ip address 10.12.1.254 255.255.255.0
ip access-group 112 in
ip helper-address 10.1.1.13

Once this is done, you will need to configure your HP ports, WLC, DHCP and routing (if needed). I hope this helps.

Rgds,

John
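The access list in John's example above (and the "permit DHCP to our server, block all other internal traffic" ACL from his first reply) can be checked before it goes on the router. Below is an added example, not code or configuration from this thread or from Cisco: a small parser and evaluator for the subset of IOS extended-ACL syntax that access-list 112 uses, applying first-match-wins and the implicit deny at the end. The `x.x.x.x x.x.x.x` placeholder is filled in as `10.0.0.0 0.255.255.255` (an assumption that covers every 10.x subnet in Dave's running-config), and the guest packets it is run against are constructed.

```python
"""Evaluate the inbound guest-WLAN ACL from the post against sample packets.
Added example, not code or config from the thread: a parser/evaluator for the
subset of Cisco IOS extended-ACL syntax used in access-list 112, applying
first-match-wins and the implicit trailing deny. The 'x.x.x.x x.x.x.x'
placeholder is filled in as 10.0.0.0 0.255.255.255 (assumption: all 10.x nets)."""
import ipaddress
from typing import NamedTuple, Optional, Tuple

NAMED_PORTS = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}

class ACE(NamedTuple):
    action: str                        # "permit" / "deny"
    proto: str                         # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sports: Optional[Tuple[int, int]]  # inclusive range, None = any port
    dst: ipaddress.IPv4Network
    dports: Optional[Tuple[int, int]]

class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def _port(tok):
    return NAMED_PORTS.get(tok) or int(tok)

def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard bits set to 1 are "don't care"; invert explicitly, because
    # 0.0.0.0 and 255.255.255.255 are ambiguous if handed to ipaddress as-is.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[1])))
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def _ports(tokens):
    """Consume an optional 'eq P' or 'range LO HI'; return ((lo, hi) or None, rest)."""
    if tokens and tokens[0] == "eq":
        return (_port(tokens[1]),) * 2, tokens[2:]
    if tokens and tokens[0] == "range":
        return (_port(tokens[1]), _port(tokens[2])), tokens[3:]
    return None, tokens

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [ports] DST [ports] [log]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] == "remark":
        return None                    # remarks carry no match logic
    src, rest = _addr(t[4:])
    sports, rest = _ports(rest)
    dst, rest = _addr(rest)
    dports, _log = _ports(rest)        # a trailing "log" keyword is ignored
    return ACE(t[2], t[3], src, sports, dst, dports)

def parse_acl(text):
    return [ace for ace in map(parse_ace, text.strip().splitlines()) if ace]

def _matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in ace.src or ipaddress.IPv4Address(pkt.dst) not in ace.dst:
        return False
    for rng, port in ((ace.sports, pkt.sport), (ace.dports, pkt.dport)):
        if rng and not rng[0] <= port <= rng[1]:
            return False
    return True

def evaluate(acl, pkt):
    """First matching entry decides; no match at all is the implicit deny."""
    for ace in acl:
        if _matches(ace, pkt):
            return ace.action
    return "deny"

# The ACL from the post, with the internal-range placeholder filled in (assumption).
ACL_112 = parse_acl("""
access-list 112 remark *** Allow wireless guests to pull DHCP from inside servers
access-list 112 permit udp any range bootps bootpc any range bootps bootpc log
access-list 112 deny ip any 10.0.0.0 0.255.255.255 log
access-list 112 permit ip any any
""")

# Constructed sample traffic from a guest on 10.12.1.0/24 (Ethernet0/0.12).
SAMPLES = {
    "dhcp_discover": Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dhcp_renew":    Packet("udp", "10.12.1.50", 68, "10.1.1.13", 67),
    "smb_to_server": Packet("tcp", "10.12.1.50", 50000, "10.1.1.13", 445),
    "web_internet":  Packet("tcp", "10.12.1.50", 50001, "198.51.100.10", 80),
    "ping_gateway":  Packet("icmp", "10.12.1.50", 0, "10.12.1.254", 0),
}

def guest_acl_results():
    return {name: evaluate(ACL_112, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    print(guest_acl_results())
```

The run shows why the order matters: the `deny ip any 10.0.0.0 0.255.255.255` line also covers the inside DHCP server (10.1.1.13) and the router's own guest-side address (10.12.1.254), so the bootps/bootpc permit has to sit above it or guests never get a lease. That stays true if DHCP is moved onto the router itself, since unicast renewals are sent to the server address the client learned, which is then the 10.12.1.254 gateway. Any internal network outside the range you substitute for `x.x.x.x` (for instance the 10.59.1.0/24 and 192.68.x.x routes in Dave's config would need their own deny lines if they were not inside the chosen wildcard) falls through to `permit ip any any`, so list every internal prefix explicitly before the final permit.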
 
You would be better served to merely run DHCP for the wireless clients on your router than permit access to your server.
 