In this post we will see how to do a wired guest configuration via CLI. Here is the topology for this post (4402-d is the foreign controller on the internal network, 4402-c is the anchor controller in the DMZ).
These are the steps you need to do:
1. Configure a wired guest VLAN on 3750-d (vlan 49) and trunk it to 4402-d (the foreign controller).
2. Configure a guest LAN on 4402-d with the egress interface as management and the ingress interface as the guest VLAN (vlan 49). This guest LAN uses Web Auth or Web Passthrough, like a normal wireless guest WLAN.
3. Configure the basic mobility configuration on the anchor and foreign controllers (i.e. the mobility group name, and add each controller as a member of the other's group).
4. Configure Auto Anchor for the guest-lan on the foreign controller.
5. Configure the dynamic interface (vlan 19) on the anchor controller for the wired guests. Ensure DHCP for that VLAN is configured on the L3 switch.
6. Configure the guest-lan on the anchor controller. The ingress interface should be “none” and the egress interface should be vlan 19.
7. Configure Auto Anchor for the guest-lan on the anchor controller (the anchor points to itself).
8. Test the wired guest connectivity.
First, on 3750-d we will configure just the Layer 2 vlan 49 and allow it on Port-channel 40, the trunk used for 4402-d.
3750-d(config)#vlan 49
3750-d(config-vlan)#exit
3750-d(config)#
!
3750-d(config)#int po40
3750-d(config-if)#sw tr al vl ad 49
Now on 4402-d we will define the interface and the guest LAN. The configuration options for a guest-lan are the same as for a normal WLAN, but you use the “config guest-lan x” CLI commands instead of “config wlan x”. In a guest-lan you can only configure web-auth or web-passthrough (Layer 3 policies); there is no Layer 2 security option for a wired port. In this example I will use the web-passthrough option.
(4402-d) >config interface create vlan49 49
(4402-d) >config interface guest-lan ?
<interface-name>     Enter interface name.
(4402-d) >config interface guest-lan vlan49 ?
enable               Enable Guest LAN vlan
disable              Disable Guest LAN vlan
(4402-d) >config interface guest-lan vlan49 enable
(4402-d) >config guest-lan ?
aaa-override             Configures user policy override via AAA on a Guest LAN.
acl                      Specify a per-Guest-LAN ACL
create                   Creates a WLAN.
custom-web               Configures the Web Authentication Page per Profile.
delete                   Deletes a Guest LAN.
dhcp_server              Configures the Guest Lan's DHCP Server.
disable                  Disables a Guest LAN.
enable                   Enables a Guest LAN.
exclusion-timeout        Configures Exclusion-list timeout.
exclusionlist            Configures Exclusion-list timeout.
ingress-interface        Configures the Guest LAN's ingress interface.
interface                Configures the Guest LAN's interface.
ldap                     Configures the Guest LAN's LDAP servers.
max-associated-clients   Configures maximum no. of client connections on wlan/guest-lan/remote-lan.
mobility                 Configures the Inter-Switch Mobility Manager
nac                      Configures NAC on wlan/guest-lan/remote-lan.
qos                      Configures Quality of Service policy.
radius_server            Configures the Guest LAN's RADIUS Servers.
roamed-voice-client      Configure Voice Client Re-Anchor policy
security                 Configures the security policy for a Guest LAN.
session-timeout          Configures client timeout.
sip-cac                  Configure SIP CAC Failure policy.
uapsd                    Configures UAPSD.
webauth-exclude          Enable/Disable WebAuth DHCP Server Exclusion
!
(4402-d) >config guest-lan create ?
<guest-lan-id>       Enter Guest LAN Identifier between 1 and 5.
(4402-d) >config guest-lan create 1 ?
<name>               Enter Profile Name up to 32 alphanumeric characters.
(4402-d) >config guest-lan create 1 wired-guest
(4402-d) >config guest-lan ingress-interface ?
<guest-lan-id>       Enter Guest LAN Identifier between 1 and 5.
(4402-d) >config guest-lan ingress-interface 1 ?
<interface-name/none>   Enter the interface name upper case not supported.
(4402-d) >config guest-lan ingress-interface 1 vlan49
(4402-d) >config guest-lan security ?
web-auth             Configures Web authentication.
web-passthrough      Configures Web Captive Portal with no authentication required.
(4402-d) >config guest-lan security web-auth disable 1
WebAuth Successfully Disabled.
(4402-d) >config guest-lan security web-passthrough ?
acl                  Configures Access Control List.
disable              Disables Web Captive Portal with no authentication required.
email-input          Configures Web Captive Portal using email address.
enable               Enables Web Captive Portal with no authentication required.
(4402-d) >config guest-lan security web-passthrough enable 1
(4402-d) >config guest-lan security web-passthrough email-input ?
enable               Enables Web Captive Portal using email address.
disable              Disables Web Captive Portal using email address.
(4402-d) >config guest-lan security web-passthrough email-input enable ?
<guest-lan-id>       Enter Guest LAN Identifier between 1 and 5.
(4402-d) >config guest-lan security web-passthrough email-input enable 1
Here are the advanced settings you can change for a “guest-lan” type.
If you check the WLC configuration you will see the following lines. Lines you did not type, such as “config guest-lan interface 1 management” (the egress interface defaults to management) and the 60 second exclusion timeout, are defaults the controller adds on its own.
config interface create vlan49 49
config interface guest-lan vlan49 enable
config interface vlan vlan49 49
config guest-lan create 1 wired-guest
config guest-lan ingress-interface 1 vlan49
config guest-lan interface 1 management
config guest-lan security web-auth disable 1
config guest-lan security web-passthrough email-input enable 1
config guest-lan security web-passthrough enable 1
config guest-lan exclusion-timeout 1 60
config guest-lan enable 1
Now we have to configure mobility on those two controllers. We will put 4402-d in the “MO” mobility group and 4402-c in the “DMZ” mobility group, and add each controller to the other's member list. We will use the unicast method for simplicity.
(4402-d) >config mobility group domain MO
(4402-d) >config mobility group member add 00:22:55:90:c9:60 192.168.10.33 DMZ
(4402-c) >config mobility group domain DMZ
(4402-c) >config mobility group member add 00:21:55:07:38:e0 192.168.40.44 MO
You can verify the mobility status with the “show mobility summary” command. Both members should show a status of Up; the output should be similar to this.
(4402-d) >show mobility summary
Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... MO
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0xe0a3
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 0
Controllers configured in the Mobility Group
MAC Address         IP Address        Group Name   Multicast IP   Status
00:21:55:07:38:e0   192.168.40.44     MO           0.0.0.0        Up
00:22:55:90:c9:60   192.168.10.33     DMZ          0.0.0.0        Up
Then you can configure 4402-c (192.168.10.33) as the mobility anchor for this wired-guest LAN. The guest-lan has to be disabled while you add the anchor, then enabled again.
(4402-d) >config guest-lan disable 1
(4402-d) >config guest-lan mobility anchor add 1 192.168.10.33
(4402-d) >config guest-lan enable 1
Now we will configure 4402-c. First you have to create an interface where the wired guests can get an IP. We will use vlan 19 for this, with the DHCP pool defined on 3750-b (addresses .1 to .100 are excluded from the pool). Here is the 3750-b configuration followed by the dynamic interface configuration on the WLC.
3750-b
interface Vlan19
 ip address 192.168.19.1 255.255.255.0
!
ip dhcp excluded-address 192.168.19.1 192.168.19.100
!
ip dhcp pool VLAN19
 network 192.168.19.0 255.255.255.0
 default-router 192.168.19.1
 domain-name mrn.com
!
interface Port-channel10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10-20,100,200
 switchport mode trunk

(4402-c) >config interface create vlan19 19
(4402-c) >config interface address dynamic-interface vlan19 192.168.19.30 255.255.255.0 192.168.19.1
(4402-c) >config interface dhcp dynamic-interface vlan19 primary 192.168.19.1
Now you can define the guest-lan on 4402-c with the same settings as on 4402-d. This time the egress interface should be vlan19 and the ingress interface should be none. Remember that you cannot enable this guest-lan until you configure the mobility anchor. You can copy and paste the previous configs from 4402-d with the ingress and egress interfaces modified:
config guest-lan create 1 wired-guest
config guest-lan interface 1 vlan19
config guest-lan ingress-interface 1 none
config guest-lan security web-auth disable 1
config guest-lan security web-passthrough email-input enable 1
config guest-lan security web-passthrough enable 1
Now, before enabling this guest-lan, you have to configure the mobility anchor. On the anchor controller the anchor is itself (192.168.10.33).
(4402-c) >config guest-lan mobility anchor add 1 192.168.10.33
(4402-c) >config guest-lan enable 1
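The foreign and anchor guest-lan definitions above differ only in their ingress/egress interfaces and in which controller the mobility anchor points at, and getting either wrong silently changes where guest traffic lands. The following Python script is an added example (not from the original post and not a Cisco tool) that parses the “config guest-lan …” lines from a saved WLC configuration and checks the invariants of this procedure for each role and across the pair. The sample configuration strings are constructed from the 4402-d and 4402-c lines shown in this post; the controller IPs passed in are the ones used in this post.

```python
"""Check a foreign/anchor wired-guest (guest-lan) configuration pair.

Added example, not from the original post or any Cisco tool. Input is the
"config guest-lan ..." lines of a WLC saved configuration. Invariants from
the procedure above: foreign = ingress on the wired guest VLAN, egress on
management, anchored to the DMZ controller; anchor = ingress none, egress on
the guest VLAN interface (never management), anchored to itself; both sides
share the profile name and a Layer 3 policy (web-auth or web-passthrough).
"""
from typing import Dict, List

# Constructed samples: the 4402-d (foreign) and 4402-c (anchor) lines from
# this post, with the mobility anchor commands included.
FOREIGN_CONFIG = """
config guest-lan create 1 wired-guest
config guest-lan ingress-interface 1 vlan49
config guest-lan interface 1 management
config guest-lan security web-auth disable 1
config guest-lan security web-passthrough email-input enable 1
config guest-lan security web-passthrough enable 1
config guest-lan mobility anchor add 1 192.168.10.33
config guest-lan enable 1
"""
ANCHOR_CONFIG = """
config guest-lan create 1 wired-guest
config guest-lan interface 1 vlan19
config guest-lan ingress-interface 1 none
config guest-lan security web-auth disable 1
config guest-lan security web-passthrough email-input enable 1
config guest-lan security web-passthrough enable 1
config guest-lan mobility anchor add 1 192.168.10.33
config guest-lan enable 1
"""


def parse_guest_lan(config: str, glan_id: int = 1) -> Dict[str, object]:
    """Collect the settings of one guest-lan id into a dict."""
    gid = str(glan_id)
    g: Dict[str, object] = {"name": None, "ingress": None, "egress": None,
                            "anchors": [], "web_auth": False,
                            "web_passthrough": False, "enabled": False}
    for raw in config.splitlines():
        args = raw.split()
        if args[:2] != ["config", "guest-lan"]:
            continue
        a = args[2:]  # everything after "config guest-lan"
        if a[:1] == ["create"] and a[1] == gid:
            g["name"] = a[2]
        elif a[:1] == ["ingress-interface"] and a[1] == gid:
            g["ingress"] = a[2]
        elif a[:1] == ["interface"] and a[1] == gid:
            g["egress"] = a[2]
        elif a[:3] == ["mobility", "anchor", "add"] and a[3] == gid:
            g["anchors"].append(a[4])
        elif a[:2] == ["security", "web-auth"] and a[3] == gid:
            g["web_auth"] = a[2] == "enable"
        elif (a[:2] == ["security", "web-passthrough"]
              and a[2] in ("enable", "disable") and a[3] == gid):
            g["web_passthrough"] = a[2] == "enable"
        elif a[:1] == ["enable"] and a[1] == gid:
            g["enabled"] = True
    return g


def check_role(g: Dict[str, object], role: str, local_ip: str) -> List[str]:
    """Return the invariant violations for one controller in the given role."""
    problems: List[str] = []
    anchors = g["anchors"]
    if role == "foreign":
        if g["ingress"] in (None, "none"):
            problems.append("foreign: ingress must be the wired guest VLAN interface")
        if g["egress"] != "management":
            problems.append("foreign: egress should stay on management")
        if not anchors or local_ip in anchors:
            problems.append("foreign: anchor must be the DMZ controller, not itself")
    elif role == "anchor":
        if g["ingress"] != "none":
            problems.append("anchor: ingress must be none (traffic arrives via the tunnel)")
        if g["egress"] in (None, "management"):
            problems.append("anchor: egress must be the guest VLAN, not management")
        if local_ip not in anchors:
            problems.append("anchor: must list itself before the guest-lan can be enabled")
    else:
        raise ValueError(f"unknown role {role!r}")
    if not (g["web_auth"] or g["web_passthrough"]):
        problems.append("no Layer 3 policy: enable web-auth or web-passthrough")
    return problems


def check_pair(foreign: Dict[str, object], anchor: Dict[str, object],
               anchor_ip: str) -> List[str]:
    """Cross-check that the two sides describe the same guest LAN."""
    problems: List[str] = []
    if foreign["name"] != anchor["name"]:
        problems.append("profile names differ between foreign and anchor")
    if ((foreign["web_auth"], foreign["web_passthrough"])
            != (anchor["web_auth"], anchor["web_passthrough"])):
        problems.append("Layer 3 security differs between foreign and anchor")
    if anchor_ip not in foreign["anchors"]:
        problems.append(f"foreign does not anchor to {anchor_ip}")
    return problems
```

Run `check_role(parse_guest_lan(FOREIGN_CONFIG), "foreign", "192.168.40.44")` and `check_role(parse_guest_lan(ANCHOR_CONFIG), "anchor", "192.168.10.33")` against the text of `show run-config commands` from each controller; an empty list means the guest-lan matches the design in this post, and any string returned names the line to fix before enabling the guest-lan.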
Now you are ready to test. Connect a wired PC to a vlan49 access port on 3750-d; the device should get an IP from the range 192.168.19.101-192.168.19.254 (the DHCP pool on 3750-b, with .1 to .100 excluded).
Here is the “show client summary” and “show client detail <mac-add>” output on 4402-c, where the wired guest traffic terminates. This is the output before the user enters an email address in the browser: the client already has an IP on vlan19, but Auth is No and the Policy Manager State is WEBAUTH_REQD, so it is still held at the captive portal.
(4402-c) >show client summary
Number of Clients................................ 1
MAC Address        AP Name            Status         WLAN/GLAN  Auth  Protocol  Port  Wired
-----------------  -----------------  -------------  ---------  ----  --------  ----  -----
00:26:b9:9f:c9:0b  192.168.40.44      Associated     1          No    802.3     29    Yes
(4402-c) >show client detail 00:26:b9:9f:c9:0b
Client MAC Address............................... 00:26:b9:9f:c9:0b
Client Username ................................. N/A
Client State..................................... Associated
Client NAC OOB State............................. Access
guest-lan........................................ 1
IP Address....................................... 192.168.19.101
Session Timeout.................................. 0
QoS Level........................................ Silver
Supported Rates..................................
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 192.168.40.44
Security Policy Completed........................ No
Policy Manager State............................. WEBAUTH_REQD
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Interface........................................ vlan19
VLAN............................................. 19
Quarantine VLAN.................................. 0
Access VLAN...................................... 19
This is the output once the user enters the email address.
(4402-c) >show client summary
Number of Clients................................ 1
MAC Address        AP Name            Status         WLAN/GLAN  Auth  Protocol  Port  Wired
-----------------  -----------------  -------------  ---------  ----  --------  ----  -----
00:26:b9:9f:c9:0b  192.168.40.44      Associated     1          Yes   802.3     29    Yes
(4402-c) >show client detail 00:26:b9:9f:c9:0b
Client MAC Address............................... 00:26:b9:9f:c9:0b
Client Username ................................. mrncciew@gmail.com
Client State..................................... Associated
Client NAC OOB State............................. Access
guest-lan........................................ 1
IP Address....................................... 192.168.19.101
Session Timeout.................................. 0
QoS Level........................................ Silver
Supported Rates..................................
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 192.168.40.44
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Interface........................................ vlan19
VLAN............................................. 19
Quarantine VLAN.................................. 0
Access VLAN...................................... 19
You can see the client is successfully authenticated and in the “RUN” state. Here is the output on 4402-d, the Export Foreign controller. Note that the IP address shows as Unknown and the interface is management: the client's traffic is tunneled to the anchor and its IP lives on vlan19 there, not on the foreign controller's network.
(4402-d) >show client summary
Number of Clients................................ 1
MAC Address        AP Name            Status         WLAN/GLAN  Auth  Protocol  Port  Wired
-----------------  -----------------  -------------  ---------  ----  --------  ----  -----
00:26:b9:9f:c9:0b  N/A                Associated     1          Yes   802.3     29    Yes
(4402-d) >show client detail 00:26:b9:9f:c9:0b
Client MAC Address............................... 00:26:b9:9f:c9:0b
Client Username ................................. N/A
Client State..................................... Associated
Client NAC OOB State............................. Access
guest-lan........................................ 1
IP Address....................................... Unknown
Session Timeout.................................. 0
QoS Level........................................ Silver
Supported Rates..................................
Mobility State................................... Export Foreign
Mobility Anchor IP Address....................... 192.168.10.33
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Interface........................................ management
VLAN............................................. 40
Quarantine VLAN.................................. 0
Access VLAN...................................... 40
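The three outputs above are what you check when troubleshooting: the anchor should show Export Anchor, the guest VLAN interface and WEBAUTH_REQD until the portal is passed, while the foreign side shows Export Foreign. A guest whose Mobility State is Local is not tunneled at all and is being bridged onto the foreign controller's network, which defeats the DMZ design. The following Python script is an added example (not from the original post and not a Cisco tool) that parses “show client detail” output into fields and applies those checks. The sample outputs are trimmed copies of the ones shown in this post.

```python
"""Parse Cisco WLC "show client detail" output and judge the state of a
wired guest on each side of the mobility tunnel.  Added example, not from
the original post or from Cisco; the field names are the ones in the
outputs above.  Expected: on the anchor, Mobility State "Export Anchor",
the client on the guest VLAN interface, Policy Manager State WEBAUTH_REQD
before the portal and RUN after; on the foreign controller "Export Foreign"
with the anchor's IP.  Anything else means the guest is not anchored.
"""
import re
from typing import Dict, List

# Trimmed copies of the three outputs shown in this post.
BEFORE_PORTAL = """\
Client MAC Address............................... 00:26:b9:9f:c9:0b
Client Username ................................. N/A
guest-lan........................................ 1
IP Address....................................... 192.168.19.101
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 192.168.40.44
Security Policy Completed........................ No
Policy Manager State............................. WEBAUTH_REQD
Interface........................................ vlan19
VLAN............................................. 19
"""
AFTER_PORTAL = (BEFORE_PORTAL.replace("N/A", "mrncciew@gmail.com")
                .replace(" No\n", " Yes\n").replace("WEBAUTH_REQD", "RUN"))
FOREIGN_VIEW = """\
Client MAC Address............................... 00:26:b9:9f:c9:0b
Client Username ................................. N/A
guest-lan........................................ 1
IP Address....................................... Unknown
Mobility State................................... Export Foreign
Mobility Anchor IP Address....................... 192.168.10.33
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Interface........................................ management
VLAN............................................. 40
"""

# "Key .......... value": the key is everything before the run of dots.
FIELD_RE = re.compile(r"^(?P<key>.+?)\s*\.{3,}\s*(?P<val>.*)$")


def parse_client_detail(text: str) -> Dict[str, str]:
    """Turn the dotted key/value lines into a dict; other lines are ignored."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.rstrip())
        if m:
            fields[m.group("key").rstrip()] = m.group("val").strip()
    return fields


def assess_wired_guest(detail: str, guest_interface: str) -> Dict[str, object]:
    """Classify the controller's role for this client and list anomalies."""
    f = parse_client_detail(detail)
    mobility = f.get("Mobility State", "")
    pm_state = f.get("Policy Manager State", "")
    issues: List[str] = []
    if mobility == "Export Anchor":
        role = "anchor"
        peer = f.get("Mobility Foreign IP Address")
        if f.get("Interface") != guest_interface:
            issues.append(f"guest placed on {f.get('Interface')!r}, expected {guest_interface!r}")
        if pm_state == "RUN" and f.get("Security Policy Completed") != "Yes":
            issues.append("RUN state without a completed security policy")
        if pm_state not in ("WEBAUTH_REQD", "RUN"):
            issues.append(f"unexpected Policy Manager State {pm_state!r}")
    elif mobility == "Export Foreign":
        role = "foreign"
        peer = f.get("Mobility Anchor IP Address")
        if not peer:
            issues.append("foreign client without an anchor address")
    else:
        role = "local"
        peer = None
        issues.append(f"Mobility State {mobility!r}: guest is not tunneled to an anchor")
    return {"role": role, "peer": peer, "policy_state": pm_state,
            "authenticated": pm_state == "RUN",
            "username": f.get("Client Username"), "issues": issues}
```

Paste the full `show client detail` output from either controller into `assess_wired_guest(output, "vlan19")`; `role` tells you which side you are looking at, `authenticated` is False while the client is parked at the portal, and a non-empty `issues` list (for example a client in the Local mobility state) means the guest is not landing in the DMZ as designed.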
Related Posts
1. Wired Guest Access (via GUI)
2. Mobility Config via CLI
3. Wireless Guest Config via CLI