In this post we will learn how to implement wired guest access with only one WLC.
A single WLAN controller (VLAN Translation mode) – the access switch trunks the wired guest traffic in the guest VLAN to the WLAN controller that provides the wired guest access solution. This controller carries out the VLAN translation from the ingress wired guest VLAN to the egress VLAN.
Here is my Topology:
To provide the wired guest access, the ports in the Layer 2 access layer switch must be configured on the guest VLAN. The guest VLAN must be separate from any other VLANs that are configured on this switch. The guest VLAN traffic is trunked to the nearest WLAN local controller.
description *** Wired Guest Access *** --> PC connected here
switchport access vlan 999
switchport mode access
interface range GigabitEthernet1/5-6
description *** WLC1 ***
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 10,17,999
switchport mode trunk
Channel-group 1 mode on
So let’s see the complete process. Mainly we need 5 steps to Configuring Wired Guest Access:
- Configure a dynamic interface (VLAN) for wired guest user access.(Ingress)
- Configure a normal dynamic interface in which we want to assign IP to guest.(Egress)
- Create a wired LAN for guest user access.
- Create a test users locally on WLC
Step1: Configure a dynamic interface for wired Guest user access (Ingress)
We don’t need any IP and gateway for this VLAN on switch or anywhere.
On WLC1, create a dynamic interface VLAN999.
Go to Controller > Interfaces
In the interface configuration page, check the “Guest LAN” box. As soon as we check this box, fields such as IP address or gateway disappear. The only thing your WLC needs to know about this interface is that “there will be client traffic coming from VLAN 999.
Step2: Configure a normal dynamic interface in which we want to assign IP to guest. (Egress)
Create another dynamic interface where the wired guest clients receive an IP address.
In this example we have VLAN 17 for clients to get IP address named as guest.
Step3: Create a wired LAN for guest user access.
Add a new WLAN: Type must be “Guest LAN”
WLAN > WLANs, and then Create New WLAN.
Enable the WLAN; map the ingress interface to the “vlan999” created in Step 1, and the egress interface to guest interface created in Step 2.
***Remember that Layer2 security is not supported in Wired LANs.
Then we will select layer 3 web authentications.
Here I am using Customized web auth.
Step 4: Create a local test user to testing.
Security > AAA > Local Net Users
That’s it for the configuration.
Step 5: Verification
Now we should connect a Laptop/PC to port Fa0/10 which is in VLAN 999 and see what happens there. I got the IP in VLAN17 (Guest interface): 192.168.17.5
If you have correct DNS resolution then a pop webpage will appear otherwise we have to manually open our WLC virtual interface (https://22.214.171.124/login.html). There we have to use the credential created in Step 4.