Cisco WLC 2504 Guest WLAN Config?

I’m in the process of replacing our standalone Cisco Aironet 1130 APs with Aironet 1600 Series light weight APs and a 2504 WLC.  Our network setup consists of an Cisco ASA-5510 firewall and a handful of Catalyst 2960 and 2960G switches all on a single VLAN.

I setup 2 WLANs on the 2504.  The first is for our private network and uses WPA/WPA2 with TKIP, 802.1X Auth key management and uses Windows Server 2012 Network Policy Server RADIUS configuration—this WLAN works fine.  I’m having issues setting up a guest WLAN.  I don’t have any layer 3 switches on the network and we’re presently using a single VLAN.  I want to allow visitors access to the internet using the 2504s web authentication.  I have googled for the last couple of days and other than Cisco’s painfully overcomplicated (to me at least) “guides” have found little that’s been of use.  We’re a non-profit and don’t have the budget to purchase additional gear so I need to work with what I have.  

Is there any way to use the ASA to create a separate VLAN?  I’m a bit out of my depth here and while I can generally muddle my way through these types of config issues this one has me stumped.  Anyone have any suggestions on how best to proceed?

Thanks in advance -- Steve
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Craig BeckCommented:
You can use a dedicated interface on the ASA for the guest WLAN.  You need to connect this interface directly to the WLC.

Turn off LAG on the WLC (if it is enabled) and create a new dynamic interface on the WLC for the guest WLAN.  Configure this interface's port number to match the connection to the ASA.

Configure the WLAN to use Layer3 Web-Auth and that's pretty-much it.

You can configure DHCP on the WLC or ASA.
SteveVAuthor Commented:
Thanks for the suggestions.  I created the interface on the ASA and set the guest interface on the WLC to use port 2 and confirmed LAG is disabled.  I have en Ethernet cable connected between port 2 on the WLC and the newley created guest_inside interface on the ASA.  I can ping the ASA guest_inside interface IP from the WLC and the WLC guest interface IP address from the ASA.  So far so good.

When I try to connect to the guest WLAN from a Windows 7 machine, I get a DHCP IP address from the WLC that falls within the range I specified in DHCP setup on the WLC.  However, I can't connect to the internet and I'm never served a web auth page on my browser.

I also tried connecting the guest WLAN from my android phone (Galaxy S3).  I can connect, get a valid IP, but can't get out to the internet.

Using the "Packet Tracer" tool on the ASA it appears I should be able to connect to ( from the DHCP issued ip address.

One odd thing: when I look at the wireless adapter properties on my windows 7 machine all values look fine except the "IPv4 Default Gateway" value which is blank.  

Any ideas?

Thanks -- Steve
Craig BeckCommented:
The gateway is likely the issue.

In order to see the login page you need to be able to resolve a URL's hostname and actually try to get to the URL via HTTP.  It's important to try HTTP and not HTTPS as HTTPS won't work.

Did you set a gateway address in the DHCP scope on the WLC?
Get Cisco Certified in IT Security

There’s a high demand for IT security experts and network administrators who can safeguard the data that individuals, corporations, and governments rely on every day. Pursue your B.S. in Network Operations and Security and gain the credentials you need for this high-growth field.

SteveVAuthor Commented:
My thought as well regarding the gateway.    I'm only using http urls.

Regarding gateway address in DHCP scope settings on the WLC: I don't see a gateway setting on the DHCP scope settings page. The only settings are:

Pool Start Address  
Pool End Address  
Lease Time (seconds)  
Default Routers      
DNS Domain Name  
DNS Servers      
Netbios Name Servers      

I originally had Default Routers set to the default (3 text boxes all with entries).  On a whim I tried entering the IP address of the ASA's guest interface.  Now, when I look at the wireless adapter properties on my windows 7 machine, the gateway entry points to the ASA guest interface IP.  However, when I try browsing to I'm still getting a page not found error and no web auth page.

However, if I enter google's IP address (, I get the Cisco web auth page.  I'm using Layer 3 Web Policy>Passthrough>Email Input in the guest WLAN to simplify things and when I enter my email address, I get a "Connection Successful" web page but still can't get out to the web using urls or IP addresses.  Not being able to resolve seems to point to a dns server issue.  I've tried using our internal dns server IP and external public dns server IP addresses but it makes no difference.  Still, that doesn't explain why I can't get out using google's IP address.

Seems like it should be easier than this.  <Sigh>.  Any other ideas?

Thanks -- Steve
Craig BeckCommented:
So you're either not giving clients a DNS server via DHCP, or you are firewalling UDP/53 at the ASA.
SteveVAuthor Commented:
Just ran the "Packet Tracer" tool on the ASA:

Interface: guest_inside
Packet Type: UDP
Source IP: (DHCP issued IP address on the Windows 7 WiFi nic)
Destination IP:
Source Port: 53
Dest Port: 53

Results show that the packet is allowed.

Looking at the nic properties on the Windows 7 machine shows the same DNS server IPs that I have in set in the WLC DHCP scope settings.

Thanks -- Steve
Craig BeckCommented:
Ok so I just re-read the thread...

Have you configured NAT on the Guest subnet at the ASA?  If not you'll need to or you won't get anywhere.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
SteveVAuthor Commented:
Yep, NAT config was the issue.  I'm embarrassed to say home many times this has bitten me in the hind quarters.  All working fine now.  Thanks for the help!

Craig BeckCommented:
No worries :-)
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Wireless Hardware

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.