Create a guest and employee WLAN in a Cisco Wireless LAN Controller

Hi

I have a Cisco wireless controller 2106 and a couple of APs that are distributed in different regions. I currently have a global SSID for all offices; they get the IP address via a DHCP pool configured in the local core switch. I need to create a new SSID for guests which will only have access to the Internet and maintain the employee SSID. Any ideas how I can do this?

So far I have created 2 dynamic interfaces in the WLC with different subnets, the port where the access point is connected to in the switch is configured to trunk 802.1q, and I have created the 2 DHCP pools on the local switch. When I try to connect I'm not able to obtain an IP address on any of the 2 networks, and if I do I get an IP address of the management interface, which is VLAN 1.

Any help is greatly appreciated
sharonski12 Asked:
 
fgasimzade Commented:
Have you configured an IP helper address on the WLC interfaces?

Take a look here as well

https://supportforums.cisco.com/thread/2104480
0
 
harbor235 Commented:

You need to resolve the address issue as fgasimzade suggests; however, I would look into dot1x to authenticate your non-guest users to drop them off into an appropriate VLAN and guests into another.

Also, you should never use VLAN 1; there are inherent security risks using that VLAN.

harbor235 ;}
0
 
sharonski12 Author Commented:
Yes, I have configured the WLC with a different VLAN and on a different subnet and on port 2, but it is still not working. Do I need to change the native VLAN on the WLC? Not sure what I am missing. I'm not that familiar with the Cisco wireless controllers.

harbor235, yes, I was looking at the dot1x authentication but was also wondering if there isn't an option to do this within the WLC and AP via SSIDs? Each SSID on a different VLAN?

Thanks
Sharon
0
 
Craig Beck Commented:
You need to configure the VLAN ID on the Dynamic Interface you have configured for the Guest SSID. If you're getting an IP address from VLAN 1 I'd guess it's because you're not tagging the traffic from that interface.
0
 
sharonski12 Author Commented:
@craigbeck, yes, I have configured the VLAN ID for the dynamic interface, but for some reason tagging is not working properly. I have the interface connected to the WLC configured as trunking, as well as the interface connected to the AP.
0
 
Craig Beck Commented:
OK, if you're not doing anything with H-REAP on your APs you should configure the ports as access ports, not trunks.
0
 
sharonski12 Author Commented:
Yes, they are configured with H-REAP; I have multiple APs on remote sites.
0
 
Kenmcse1969 Commented:
Follow this guide on setting up H-REAP. Very good, as I used it myself when I first set up an offsite hub using H-REAP. Let's make sure you're not missing anything.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807cc3b8.shtml

0
 
sharonski12 Author Commented:
OK, I have been able to add a different VLAN to the guest wireless so now I can separate the traffic. Would you recommend that I create a subinterface on the router just for this VLAN so I can point the traffic out to the Internet via this sub-internet?
0
 
fgasimzade Commented:
Yes, you would need some kind of default gateway for this subnet to access the Internet.
0
 
fgasimzade Commented:
However, this sub-interface may allow inter-network communication between both subnets, so you would also need access lists to block it.
0
 
sharonski12 Author Commented:
Can I use a VLAN access list to eliminate the internetwork to the other VLAN instead of creating the subinterface?
0
 
sharonski12 Author Commented:
I was able to do it using trunking on the interface connected to the WLC, created the interface on the WLC with the subnet I needed, and created a DHCP scope on the switch for that subnet, then filtered traffic using ACL and IP helper. Appreciate all your comments.
0
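
The switch side of the setup described in the post above, as an added example that is not part of the original thread. It is Cisco IOS configuration for a Layer 3 switch; every VLAN ID, subnet, interface name and the DNS address is a constructed assumption, and the WLC dynamic interface and WLAN-to-interface mapping are not shown.

```cisco
! Constructed values, not from the thread: VLAN 10 employee (10.10.10.0/24),
! VLAN 20 guest (10.10.20.0/24), VLAN 30 WLC management (tagged on the WLC),
! VLAN 999 unused native VLAN, Gi0/1 faces the WLC, 192.0.2.53 is a DNS placeholder.
vlan 20
 name GUEST
vlan 999
 name UNUSED-NATIVE
!
! Trunk to the WLC: tag every WLAN VLAN and keep VLAN 1 off the link.
interface GigabitEthernet0/1
 description Trunk to WLC
 ! Omit the encapsulation line on platforms that only support 802.1Q.
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! DHCP scope for guest clients, served by this switch.
ip dhcp excluded-address 10.10.20.1 10.10.20.10
ip dhcp pool GUEST
 network 10.10.20.0 255.255.255.0
 default-router 10.10.20.1
 dns-server 192.0.2.53
!
! Guest traffic may reach DHCP and the Internet, but no internal (RFC 1918) subnet.
ip access-list extended GUEST-IN
 remark DHCP requests, broadcast from clients or relayed by the WLC
 permit udp any any eq bootps
 remark Block guest access to all internal address space
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 remark Everything else is Internet-bound
 permit ip any any
!
! Guest default gateway; the ACL is applied inbound so it filters before routing.
interface Vlan20
 description Guest gateway
 ip address 10.10.20.1 255.255.255.0
 ip access-group GUEST-IN in
 ! Add "ip helper-address <dhcp-server>" here only if the pool is hosted
 ! on another device instead of this switch.
```

After applying, `show interfaces trunk` confirms which VLANs are tagged on the WLC port, and `show access-lists GUEST-IN` shows hit counters on the deny entries when a guest client probes an internal subnet.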
 
sharonski12 Author Commented:
Not all comments helped me get to the solution. I was able to start configuring with this information but needed more guidance. I ended up answering the question.
0
Question has a verified solution.