Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
redirect different ports on controller, to different physical networks

  • 1.  redirect different ports on controller, to different physical networks

    Posted Dec 30, 2011 08:44 AM

    Hello,

    On our 3600 controller, I have connected two different network cables, connected to two different networks.

    One is on a physical network, let's say our company network, a 10Mb fibre network, i.e. port 0/0 on the controller.

    The other is on another physical network, a simple ADSL connection, i.e. port 0/1.

    This would be used to broadcast a guest network for non-authenticated users in our company.

    What I mean to achieve with this is that guests don't connect to our company network, and no security issues would arise from anyone using this guest network.

    I've configured a VLAN to use this port 0/1, but it's not connecting to the ADSL router connected to this port.

    I've placed an AP 105 in bridged mode, so authentication, DHCP and so on are taken care of on the router the AP is connected to.

    Could it be that I need to configure another default gateway, specifically for this second port?

    So I can add a virtual route to this ADSL router?

    I don't know if this is even a good setup for doing this?

    I would only like to make sure that there is as little guest traffic as possible on our company network.

    Thanks and regards

    #3600


  • 2.  RE: redirect different ports on controller, to different physical networks

    EMPLOYEE
    Posted Dec 30, 2011 11:52 AM

    Torenhof,

    This can be done.  Does the ADSL cable modem already give out private IP addresses to clients?


  • 3.  RE: redirect different ports on controller, to different physical networks

    Posted Jan 03, 2012 08:27 AM

    Yes,

    The ADSL router hands out private IP addresses.


  • 4.  RE: redirect different ports on controller, to different physical networks
    Best Answer

    EMPLOYEE
    Posted Jan 03, 2012 08:36 AM

    Thanks for that answer.  Here is what to do:

    If the ADSL router has a private IP address of 192.168.1.1, this is what you do:

    - Create a VLAN and IP interface on the controller and give it an address in the same range as the ADSL router:

        config t
        vlan 1000
        interface vlan 1000
        ip address 192.168.1.250 255.255.255.0

    - Choose a physical interface on the controller that you will connect the ADSL router to and assign it to that VLAN:

        config t
        interface gigabitethernet 1/3
        switchport mode access
        switchport access vlan 1000

    - Make sure that the controller redirects users who connect to the captive portal to the private VLAN interface:

        config t
        ip cp-redirect-address 192.168.1.250

    - Run the WLAN/LAN wizard and create a guest network on that VLAN:

        Configuration > WLAN/LAN Wizard

    Let us know how you do.


  • 5.  RE: redirect different ports on controller, to different physical networks

    Posted Jan 03, 2012 10:15 AM

    Works like a charm.

    Thank you very much.

    I haven't used the captive portal, but only WPA2-PSK with a passphrase.


  • 6.  RE: redirect different ports on controller, to different physical networks

    EMPLOYEE
    Posted Jan 03, 2012 11:10 AM

    Glad to hear you got it working!



  • 7.  RE: redirect different ports on controller, to different physical networks

    EMPLOYEE
    Posted Dec 31, 2011 09:45 AM

    Make sure you have unchecked the "inter-vlan routing" checkbox on the guest network IP address.


  • 8.  RE: redirect different ports on controller, to different physical networks

    Posted Jan 04, 2012 04:35 AM

    All seems to work fine, except I have some users that can connect to the wireless guest network, they get a correct IP address and so on, but they can't surf or do anything using this network.

    It is a combination of devices that use this network: iPads, Android phones, laptops, ...

    If I look on the controller I can see that they all get a correct IP address, but when I look at the debug output of a connected client, I get the following error message:

    MAC=44:a7:cf:c2:51:97 IP=192.168.1.3 User miss: ingress=0x12b4, VLAN=50

    Could it be that the controller blocks these devices?

    Because when they try to connect to the ADSL router directly, wireless, they can surf immediately.

    Also, how can I disconnect a client that is using this guest_network from the controller, or using the CLI?

    Thanks in advance for your answers


  • 9.  RE: redirect different ports on controller, to different physical networks

    EMPLOYEE
    Posted Jan 04, 2012 04:40 AM

    Are you using Captive Portal or do you just have an open network?

    The user-miss just means a user who was not on the controller previously has been added.

    To delete a user on the command line, use "aaa user delete"


  • 10.  RE: redirect different ports on controller, to different physical networks

    Posted Jan 04, 2012 04:47 AM

    It's just a network with WPA2-PSK;

    when they enter the correct PSK, they should be able to use the network.

    It's weird that some devices have this issue and others don't.


  • 11.  RE: redirect different ports on controller, to different physical networks

    EMPLOYEE
    Posted Jan 04, 2012 04:49 AM

    Can they ping their default gateway?  Can they do an "nslookup" and resolve addresses?  What role do they get when they connect via WPA2-PSK and what are the rules associated to them?

    On the command line do this:

    show rights <role that users get>


  • 12.  RE: redirect different ports on controller, to different physical networks

    Posted Jan 04, 2012 05:06 AM

    (Aruba3600-MASTER) #show rights ROLE_GUEST_WLAN_ERE

    Derived Role = 'ROLE_GUEST_WLAN_ERE'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 63/0
     Max Sessions = 65535


    access-list List
    ----------------
    Position  Name                Location
    --------  ----                --------
    1         POL_GUEST_WLAN_ERE

    POL_GUEST_WLAN_ERE
    ------------------
    Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         any     any          any      permit                           Low                                                           4

    Expired Policies (due to time constraints) = 0

    They can ping their default gateway.

    The address google.com is correctly resolved.



  • 13.  RE: redirect different ports on controller, to different physical networks

    Posted Jan 04, 2012 05:02 AM

    Also when I check the roaming status, I see the following

    roaming state: associated

    and forward mode: bridge

    Then I get the MAC address two times in the connected clients.


  • 14.  RE: redirect different ports on controller, to different physical networks

    EMPLOYEE
    Posted Jan 04, 2012 05:03 AM

    The MAC address is associated twice, but what IP address does it have?



  • 15.  RE: redirect different ports on controller, to different physical networks

    Posted Jan 04, 2012 05:07 AM

    The device has two different IP addresses.



  • 16.  RE: redirect different ports on controller, to different physical networks

    EMPLOYEE
    Posted Jan 04, 2012 05:08 AM

    One IP address is from the GUEST WLAN and the other one is from?



  • 17.  RE: redirect different ports on controller, to different physical networks

    Posted Jan 04, 2012 05:12 AM

    It seems that on the device concerned with these problems, there are two private IP addresses handed out.

    One is coming from the ADSL router, but the other that is discovered on the controller is a public IP address handed out by a GPRS connection: 10.48.63.17

    So could it be that this is conflicting and the controller thinks it's not OK to have this?

    This is only with one device;

    the other device has two private IP addresses in the 192.168.1.0 range.



  • 18.  RE: redirect different ports on controller, to different physical networks
    Best Answer

    EMPLOYEE
    Posted Jan 04, 2012 05:15 AM

    What you can do is, in the AAA profile that is attached to this WLAN, make sure that "enforce dhcp" is checked, and that will stop the GPRS address from being in there.  Go to Configuration > Security > Authentication.  Click on the AAA profile tab and find the one that is associated to your guest WLAN.  Make sure "enforce dhcp" is checked.  Delete that client out of the table using the command line and have it associate again.

    Please also make sure that you do not have a DHCP pool on the controller giving out addresses, in addition to what the ADSL modem is giving out.
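
The "enforce dhcp" fix above, as an added example that is not from the thread or from Aruba's code: a simplified Python model of the controller's user table, assuming (as the answer describes) that the option makes the controller create user entries only for addresses learned from a DHCP ACK and drop traffic the same MAC sources from any other address, instead of adding a second "User miss" entry. The MAC and addresses are the ones the thread quotes.

```python
from dataclasses import dataclass, field

# Constructed sample values, taken from the thread: the client MAC from the
# "User miss" debug line, the lease the ADSL router handed out, and the GPRS
# address the same device also carried.
CLIENT_MAC = "44:a7:cf:c2:51:97"
DHCP_IP = "192.168.1.3"
GPRS_IP = "10.48.63.17"


@dataclass
class UserTable:
    """Simplified model of the controller's user table (assumption, not Aruba code).

    enforce_dhcp stands for the AAA-profile checkbox: when set, a user entry is
    created only for an address seen in a DHCP ACK, and traffic from any other
    source address on that MAC is dropped instead of creating a second entry.
    """
    enforce_dhcp: bool
    dhcp_leases: dict = field(default_factory=dict)  # mac -> ip learned via DHCP
    users: set = field(default_factory=set)          # (mac, ip) user entries
    dropped: list = field(default_factory=list)      # (mac, ip) packets refused

    def dhcp_ack(self, mac: str, ip: str) -> None:
        """DHCP ACK seen for the client: record the lease and its user entry."""
        self.dhcp_leases[mac] = ip
        self.users.add((mac, ip))

    def ip_packet(self, mac: str, src_ip: str) -> bool:
        """IP packet from (mac, src_ip); returns True if it is forwarded."""
        if (mac, src_ip) in self.users:
            return True  # known user entry
        if self.enforce_dhcp and self.dhcp_leases.get(mac) != src_ip:
            self.dropped.append((mac, src_ip))  # not the leased address: refuse
            return False
        self.users.add((mac, src_ip))  # "User miss": a new entry is created
        return True

    def entries_for(self, mac: str) -> list:
        return sorted(ip for m, ip in self.users if m == mac)


def simulate(enforce_dhcp: bool):
    """Replay the thread's scenario; return (IPs held for the MAC, dropped packets)."""
    table = UserTable(enforce_dhcp)
    table.dhcp_ack(CLIENT_MAC, DHCP_IP)
    table.ip_packet(CLIENT_MAC, GPRS_IP)  # device also sources traffic from its GPRS address
    table.ip_packet(CLIENT_MAC, DHCP_IP)
    return table.entries_for(CLIENT_MAC), table.dropped
```

With the option off, `simulate(False)` holds two entries for the one MAC, which is the duplicate the thread saw in the connected-clients table; with it on, only the DHCP lease remains and the stray packet is recorded as dropped.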



  • 19.  RE: redirect different ports on controller, to different physical networks

    Posted Jan 04, 2012 05:29 AM

    OK, enforcing DHCP on the AAA profile seems to be OK.

    Now the user can surf to the internet.

    When I look on the controller at the connected clients, I still see the public IP address of this device.

    Don't they show anymore due to the enforce DHCP in the AAA role?

    I must not forget to thank you a lot, because it works fine for all devices now.



  • 20.  RE: redirect different ports on controller, to different physical networks

    EMPLOYEE
    Posted Jan 04, 2012 05:30 AM

    Do an "aaa user delete <public ip address>" and it will remove that individual entry.



  • 21.  RE: redirect different ports on controller, to different physical networks

    Posted Jan 04, 2012 05:36 AM

    OK, done.

    Thank you again