Create a guest and employee WLAN in Cisco Wireless LAN Controller

Hi

I have a Cisco wireless controller 2106 and a couple of APs that are distributed in different regions. I currently have a global SSID for all offices; they get the IP address via a DHCP pool configured in the local core switch. I need to create a new SSID for guests which will only have access to the Internet, and maintain the employee SSID. Any ideas how I can do this?

So far I have created 2 dynamic interfaces in the WLC with different subnets, the port where the access point is connected to in the switch is configured to trunk 802.1q, and I have created the 2 DHCP pools on the local switch. When I try to connect I'm not able to obtain an IP address on any of the 2 networks, and if I do I get an IP address of the management interface, which is VLAN 1.

Any help is greatly appreciated
sharonski12 Asked:

fgasimzade Commented:
Have you configured an IP helper address on the WLC interfaces?

Take a look here as well

https://supportforums.cisco.com/thread/2104480
0

harbor235 Commented:
You need to resolve the address issue as fgasimzade suggests; however, I would look into dot1x to authenticate your non-guest users to drop them off into an appropriate VLAN and guests into another.

Also, you should never use VLAN 1; there are inherent security risks in using that VLAN.

harbor235 ;}
0
sharonski12 Author Commented:
Yes, I have configured the WLC with a different VLAN and on a different subnet and on port 2, but it is still not working. Do I need to change the native VLAN on the WLC? Not sure what I am missing. I'm not that familiar with the Cisco wireless controllers.

harbor235, yes, I was looking at the dot1x authentication but was also wondering whether there isn't an option to do this within the WLC and AP via SSIDs, each SSID on a different VLAN?

Thanks
Sharon
0
Craig Beck Commented:
You need to configure the VLAN ID on the Dynamic Interface you have configured for the Guest SSID. If you're getting an IP address from VLAN1 I'd guess it's because you're not tagging the traffic from that interface.
0
sharonski12 Author Commented:
@craigbeck, yes, I have configured the VLAN ID for the dynamic interface but for some reason tagging is not working properly. I have the interface connected to the WLC configured as trunking, as well as the interface connected to the AP.
0
Craig Beck Commented:
OK, if you're not doing anything with H-REAP on your APs you should configure the ports as access ports, not trunks.
0
sharonski12 Author Commented:
Yes, they are configured with H-REAP; have multiple APs on remote sites.
0
Kenmcse1969 Commented:
Follow this guide on setting up H-REAP. Very good, as I used it myself when I first set up an offsite hub using H-REAP. Let's make sure you're not missing anything.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807cc3b8.shtml
0
sharonski12 Author Commented:
OK, I have been able to add a different VLAN to the guest wireless so now I can separate the traffic. Would you recommend that I create a subinterface on the router just for this VLAN so I can point the traffic out to the Internet via this sub-interface?
0
fgasimzade Commented:
Yes, you would need some kind of default gateway for this subnet to access the Internet.
0
fgasimzade Commented:
However, this sub-interface may allow inter-network communication between both subnets, so you would also need access lists to block it.
0
sharonski12 Author Commented:
Can I use a VLAN access list to eliminate the internetwork to the other VLAN instead of creating the subinterface?
0
sharonski12 Author Commented:
I was able to do it using trunking on the interface connected to the WLC, created the interface on the WLC with the subnet I needed, and created a DHCP scope on the switch for that subnet, then filtered traffic using ACL and IP helper. Appreciate all your comments.
0
sharonski12 Author Commented:
Not all comments helped me get to the solution. I was able to start configuring with this information but needed more guidance. I ended up answering the question.
0
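The switch-side setup described in the final solution above (trunk to the WLC, guest DHCP scope, and an ACL keeping guests away from internal subnets), written out as an added Cisco IOS example that is not part of the original thread. It assumes the switch is the Layer 3 gateway for the guest VLAN; the VLAN IDs, subnets, port name and DNS address are constructed placeholders, and the employee SVI and pool are omitted.

```cisco
! Constructed values throughout: VLAN IDs, subnets, port name and DNS address.
vlan 20
 name EMPLOYEE
vlan 30
 name GUEST
!
! Trunk to the WLC. Tagged VLANs must match the VLAN IDs set on the WLC
! dynamic interfaces; VLAN 1 carries WLC management, as in the question.
interface GigabitEthernet0/1
 description Trunk to WLC
 ! Omit the next line on platforms that support only 802.1Q.
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Prune the trunk to the VLANs the WLC actually needs.
 switchport trunk allowed vlan 1,20,30
!
! DHCP scope for guests, served by this switch.
ip dhcp excluded-address 192.168.30.1 192.168.30.10
ip dhcp pool GUEST
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.1
 dns-server 192.0.2.53
!
! Guest ingress filter, evaluated top-down.
ip access-list extended GUEST-IN
 remark DHCP first, so the private-range denies below do not break leases
 permit udp any eq bootpc any eq bootps
 remark Block every RFC 1918 range, not only the current employee subnet
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark Internet-bound traffic from the guest subnet only
 permit ip 192.168.30.0 0.0.0.255 any
!
! Guest gateway. Add "ip helper-address <dhcp-server>" here only when the
! DHCP scope lives on another device.
interface Vlan30
 description Guest gateway
 ip address 192.168.30.1 255.255.255.0
 ip access-group GUEST-IN in
```

Because the denies cover 192.168.0.0/16, guests cannot reach the gateway address itself (for example, switch management on 192.168.30.1), while routed Internet traffic still passes. `show access-lists GUEST-IN` lists the entries in evaluation order for review.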