[Last Call] Learn how to a build a cloud-first strategyRegister Now


Cisco WLC 2504 Guest WLAN Config?

Posted on 2014-08-26
Medium Priority
Last Modified: 2014-08-29
I’m in the process of replacing our standalone Cisco Aironet 1130 APs with Aironet 1600 Series light weight APs and a 2504 WLC.  Our network setup consists of an Cisco ASA-5510 firewall and a handful of Catalyst 2960 and 2960G switches all on a single VLAN.

I setup 2 WLANs on the 2504.  The first is for our private network and uses WPA/WPA2 with TKIP, 802.1X Auth key management and uses Windows Server 2012 Network Policy Server RADIUS configuration—this WLAN works fine.  I’m having issues setting up a guest WLAN.  I don’t have any layer 3 switches on the network and we’re presently using a single VLAN.  I want to allow visitors access to the internet using the 2504s web authentication.  I have googled for the last couple of days and other than Cisco’s painfully overcomplicated (to me at least) “guides” have found little that’s been of use.  We’re a non-profit and don’t have the budget to purchase additional gear so I need to work with what I have.  

Is there any way to use the ASA to create a separate VLAN?  I’m a bit out of my depth here and while I can generally muddle my way through these types of config issues this one has me stumped.  Anyone have any suggestions on how best to proceed?

Thanks in advance -- Steve
Question by:SteveV
  • 5
  • 4
LVL 47

Expert Comment

by:Craig Beck
ID: 40287320
You can use a dedicated interface on the ASA for the guest WLAN.  You need to connect this interface directly to the WLC.

Turn off LAG on the WLC (if it is enabled) and create a new dynamic interface on the WLC for the guest WLAN.  Configure this interface's port number to match the connection to the ASA.

Configure the WLAN to use Layer3 Web-Auth and that's pretty-much it.

You can configure DHCP on the WLC or ASA.

Author Comment

ID: 40288528
Thanks for the suggestions.  I created the interface on the ASA and set the guest interface on the WLC to use port 2 and confirmed LAG is disabled.  I have en Ethernet cable connected between port 2 on the WLC and the newley created guest_inside interface on the ASA.  I can ping the ASA guest_inside interface IP from the WLC and the WLC guest interface IP address from the ASA.  So far so good.

When I try to connect to the guest WLAN from a Windows 7 machine, I get a DHCP IP address from the WLC that falls within the range I specified in DHCP setup on the WLC.  However, I can't connect to the internet and I'm never served a web auth page on my browser.

I also tried connecting the guest WLAN from my android phone (Galaxy S3).  I can connect, get a valid IP, but can't get out to the internet.

Using the "Packet Tracer" tool on the ASA it appears I should be able to connect to google.com ( from the DHCP issued ip address.

One odd thing: when I look at the wireless adapter properties on my windows 7 machine all values look fine except the "IPv4 Default Gateway" value which is blank.  

Any ideas?

Thanks -- Steve
LVL 47

Expert Comment

by:Craig Beck
ID: 40289397
The gateway is likely the issue.

In order to see the login page you need to be able to resolve a URL's hostname and actually try to get to the URL via HTTP.  It's important to try HTTP and not HTTPS as HTTPS won't work.

Did you set a gateway address in the DHCP scope on the WLC?
Exciting career futures for women in IT

Education has the power to transform lives and open the door to new career opportunities. By earning an IT degree from WGU, you can become a highly skilled IT professional. Get the credentials and certifications you need to become a leader in this rewarding field.  


Author Comment

ID: 40290636
My thought as well regarding the gateway.    I'm only using http urls.

Regarding gateway address in DHCP scope settings on the WLC: I don't see a gateway setting on the DHCP scope settings page. The only settings are:

Pool Start Address  
Pool End Address  
Lease Time (seconds)  
Default Routers      
DNS Domain Name  
DNS Servers      
Netbios Name Servers      

I originally had Default Routers set to the default (3 text boxes all with entries).  On a whim I tried entering the IP address of the ASA's guest interface.  Now, when I look at the wireless adapter properties on my windows 7 machine, the gateway entry points to the ASA guest interface IP.  However, when I try browsing to google.com I'm still getting a page not found error and no web auth page.

However, if I enter google's IP address (, I get the Cisco web auth page.  I'm using Layer 3 Web Policy>Passthrough>Email Input in the guest WLAN to simplify things and when I enter my email address, I get a "Connection Successful" web page but still can't get out to the web using urls or IP addresses.  Not being able to resolve google.com seems to point to a dns server issue.  I've tried using our internal dns server IP and external public dns server IP addresses but it makes no difference.  Still, that doesn't explain why I can't get out using google's IP address.

Seems like it should be easier than this.  <Sigh>.  Any other ideas?

Thanks -- Steve
LVL 47

Expert Comment

by:Craig Beck
ID: 40291184
So you're either not giving clients a DNS server via DHCP, or you are firewalling UDP/53 at the ASA.

Author Comment

ID: 40291331
Just ran the "Packet Tracer" tool on the ASA:

Interface: guest_inside
Packet Type: UDP
Source IP: (DHCP issued IP address on the Windows 7 WiFi nic)
Destination IP:
Source Port: 53
Dest Port: 53

Results show that the packet is allowed.

Looking at the nic properties on the Windows 7 machine shows the same DNS server IPs that I have in set in the WLC DHCP scope settings.

Thanks -- Steve
LVL 47

Accepted Solution

Craig Beck earned 2000 total points
ID: 40291636
Ok so I just re-read the thread...

Have you configured NAT on the Guest subnet at the ASA?  If not you'll need to or you won't get anywhere.

Author Comment

ID: 40292692
Yep, NAT config was the issue.  I'm embarrassed to say home many times this has bitten me in the hind quarters.  All working fine now.  Thanks for the help!

LVL 47

Expert Comment

by:Craig Beck
ID: 40292770
No worries :-)

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
This Micro Tutorial will show you how to maximize your wireless card to its maximum capability. This will be demonstrated using Intel(R) Centrino(R) Wireless-N 2230 wireless card on Windows 8 operating system.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses
Course of the Month18 days, 7 hours left to enroll

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question