Re: HP Controller MSM720 issue

NA08222
Member

HP Controller MSM720 issue

Hi,

Can someone help me with my problem? I have this MSM720 controller. I have a wireless VLAN 1, subnet 192.168.101.0/24. I have created an employee SSID (usually with encryption) and it's working fine. My problem is I need to create a guest access with HTML authentication. When I enable this feature on the VSC with the SSID named guest access (this SSID is still on the same subnet as the employee one), we can't browse the internet, and the default gateway is set to the controller IP instead of the VLAN gateway on the switch. But when access control and authentication are disabled, just plain guest access without any authentication, it works fine. I don't know what the issue could be. Everything is at default.

Emil_G
HPE Pro

Re: HP Controller MSM720 issue

Hello, 

Could you please go to Controller -> Network -> IP routes and check if a default route is defined under Default Routes. If it is not, please define a default route with the next hop being the IP of your gateway switch. The controller should have an IP in the same subnet. Test whether the guest clients are able to reach the internet.

If this is not working please provide more information about your setup:

How many ports of the controller are connected, and which port numbers exactly? (Ports 1 to 4 are in VLAN 1, Access Network; ports 5 and 6 are in VLAN 10, Internet Network.)

How many IP addresses does the controller have, and on which interfaces? (Controller -> Network -> IP Interfaces)

What routes does the controller have at the moment? (Controller -> Network -> IP routes)

How exactly is DHCP configured on the controller, globally (Controller -> Network -> Address Allocation) and at the VSC level of the guest VSC? It is visible in the VSC menu in the bottom right corner. You have the options DHCP server, DHCP relay and none. The global setting determines which setting can be used at the VSC level.

What is configured in the VSC menu under VSC Egress Mapping?

Are the guest clients getting IP addresses? In which subnet are the guest clients getting an IP?

Are the guest clients being redirected to the login page of the controller? If yes, are they authenticated successfully?

I am an HPE employee



NA08222
Member

Re: HP Controller MSM720 issue

Hi,

 

I have 2 SSIDs, employee and guest. They are on the same subnet; it's just a flat network, 192.168.101.0. The employee SSID is working fine. The gateway of this VLAN is 192.168.101.1; the controller IP is 192.168.101.254. So, whenever I create a guest SSID without authentication and access control, it is working fine: clients get the default VLAN switch gateway and can access the internet. The DHCP server is not configured on the controller. I don't think this is a routing issue since the employee SSID and guest SSID are working fine. BUT the problem starts when I enable the guest SSID with authentication and access control in order to enable HTML authentication. I get an HTML authentication login and the controller can authenticate it, but after that there is no internet connection. As I checked as well, the gateway of the guest that has no internet is pointing to the controller, 192.168.101.254, instead of 192.168.101.1, which is the gateway switch.

Emil_G
HPE Pro

Re: HP Controller MSM720 issue

Hello, 

Thanks for your answers!


When you enable the options Use controller for Authentication and Use Controller for Access Control you are actually changing the traffic flow of the wireless traffic.

Without "Use Controller for Access Control" the APs are directly bridging/switching the wireless traffic to your VLAN 101 (not passing through the controller). So the clients are able to get an IP in VLAN 101 and reach the gateway 192.168.101.1 at Layer 2. One drawback of this setup is that employees and guests are in the same network. Guest devices are a potential security risk: they can be infected and spread viruses and malware in your employee network, or they can perform peer-to-peer attacks.

After you enable "Use Controller for Access Control" you are changing the traffic flow. Now the AP is encapsulating the wireless traffic of this VSC and tunneling it to the controller. Only when the traffic is tunneled to the controller is the controller able to intercept it and redirect the browser of the guest to its HTML login page.

But another thing also happens. The controller completely isolates the guest SSID from the rest of the network until the guests are authenticated. In order to achieve this the controller must use its own IP as the default gateway of the guest clients. After a client is authenticated its traffic is routed, not simply switched, to VLAN 101. This is different than in other WLAN controllers. That is the reason you need to have a default route on the controller. Otherwise the controller wouldn't know where to route the traffic destined for the internet.

Since the controller supports DHCP server functionality, you can also easily implement a different IP subnet for guests on the controller without the need to configure a separate VLAN on the switch. Simply enable the DHCP server globally. In the global settings disable the option "Listen for DHCP requests on LAN port" in order to avoid giving IPs to other devices in VLAN 101.

Configure the DHCP scope with a unique IP range, not used elsewhere in your network. The controller will use the IP you configure in the DHCP range as Gateway as its own IP. The DHCP scope is either configured in the global settings (for the default VSC) or in the VSC menu. So the guest clients will be getting their IP configuration from the controller and will direct all their traffic to the gateway IP of the controller. The controller will authenticate the guest, and after successful login the traffic will be routed either to the next hop in the default route or to the next hop of the network defined under VSC egress mapping. Since you have a flat network, you leave VSC egress mapping at default, which means the default route in the routing table will be used. Since the controller will be routing and not switching to 192.168.101.1, there is no need to change anything on the switch.

I am an HPE employee



NA08222
Member

Re: HP Controller MSM720 issue

Hi,

Appreciate your response. So basically I will just enable the DHCP server globally and disable the option "Listen for DHCP requests on LAN port". Will this affect the VLAN 101 employee clients? Also, since the employee SSID is working fine, is there already a default route configured in the routing table of the controller? Nothing to be configured on the LAN or internet port? So I will just make a DHCP scope for the guest SSID that has HTML authentication?

Emil_G
HPE Pro

Re: HP Controller MSM720 issue

Hello, 

Here my answers:

So basically I will just enable the DHCP server globally and disable the option "Listen for DHCP requests on LAN port". Will this affect the VLAN 101 employee clients?

The DHCP server is by default available for the Access Network (ports 1-4) and for wireless clients in VSCs with Access Control enabled. So if VLAN 101 is connected to one of the ports 1 to 4, it could start providing IPs for VLAN 101, but you will disable that by unchecking "Listen for DHCP requests on LAN port/Access Network". The employee SSID doesn't have Access Control enabled, so those clients will not get IPs from this scope.

Also, since the employee SSID is working fine, is there already a default route configured in the routing table of the controller?

As far as I understood, for the employee SSID you have disabled "Use controller for authentication" and "Use controller for access control". With this setting the traffic doesn't go through the controller, so the controller is not involved in the forwarding. The AP forwards it directly to VLAN 101, where you probably already have a DHCP server. The users are getting DHCP leases with the IP of the switch as default gateway. So they are directing all internet traffic to it.

Nothing to be configured on the LAN or internet port? So I will just make a DHCP scope for the guest SSID that has HTML authentication?

On the MSM720 the LAN port is called Access Network and the Internet port, Internet Network. I used the terms interchangeably and this may be confusing for you. I guess you have configured the IP address 192.168.101.254 of the controller on one of these interfaces. If the IP is on the Internet Network you can enable NAT. This will make sure that the internet traffic has the source IP of the controller in VLAN 101, so the switch can route return traffic back to the controller. If the IP is on the Access Network, you cannot enable NAT there; you will need a static route on the switch (or router device) pointing to the IP subnet of the DHCP scope (I forgot about this in the previous post).

The guest solution of MSM has quite a few specifics, and now I am not sure whether I won't miss anything else important if I make recommendations based on verbal descriptions alone. If it is not working, it would be good if you can provide a backup of your configuration file.

I am an HPE employee


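The two replies above describe why a guest behind "Use Controller for Access Control" needs a default route on the controller and, for the reply traffic, either NAT on the controller (Internet Network side) or a static route on the switch pointing at the guest DHCP scope. The following is an added illustration, not code from the thread or from HPE: a tiny longest-prefix-match routing model that traces one guest HTTP flow and its reply under those settings. The guest scope 10.10.10.0/24, the client lease 10.10.10.50 and the web server 203.0.113.10 are constructed; the 192.168.101.x addresses are the ones from the thread.

```python
import ipaddress

# Constructed sample addressing (assumed, not from the thread): guest DHCP
# scope 10.10.10.0/24 served by the controller. The 192.168.101.x addresses
# are the ones given in the thread.
GUEST_NET = ipaddress.ip_network("10.10.10.0/24")
LAN_NET = ipaddress.ip_network("192.168.101.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
CONTROLLER_IP = "192.168.101.254"   # controller's IP in VLAN 101
SWITCH_GW = "192.168.101.1"         # VLAN 101 gateway on the switch
WEB_SERVER = "203.0.113.10"         # documentation address standing in for "the internet"


def lookup(routes, dst):
    """Longest-prefix match over (network, next_hop) pairs; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def guest_path(default_route_on_controller, nat_on_controller, static_route_on_switch):
    """Trace a guest's outbound flow and its reply; return a short verdict string."""
    client = "10.10.10.50"  # constructed lease from the controller's guest scope
    controller_routes = [(GUEST_NET, "connected"), (LAN_NET, "connected")]
    if default_route_on_controller:
        controller_routes.append((DEFAULT, SWITCH_GW))
    switch_routes = [(LAN_NET, "connected"), (DEFAULT, "isp")]
    if static_route_on_switch:
        switch_routes.append((GUEST_NET, CONTROLLER_IP))
    # Forward path: client -> controller (its default gateway) -> switch -> ISP.
    if lookup(controller_routes, WEB_SERVER) != SWITCH_GW:
        return "dropped at controller: no default route"
    # With NAT the packet leaves the controller sourced from its own VLAN 101 address.
    reply_dst = CONTROLLER_IP if nat_on_controller else client
    # Return path: the switch must know where reply_dst lives.
    hop = lookup(switch_routes, reply_dst)
    if hop in ("connected", CONTROLLER_IP):
        return "ok"
    return "reply lost: switch sends %s traffic to %s" % (reply_dst, hop)


if __name__ == "__main__":
    for cfg in [(False, False, False), (True, False, False),
                (True, True, False), (True, False, True)]:
        print("default_route=%s nat=%s static_route=%s -> %s" % (*cfg, guest_path(*cfg)))
```

The second configuration reproduces the symptom in the thread: the guest is authenticated and its packets leave via the controller, but the switch forwards replies for the guest subnet to its own default route instead of back to the controller.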

NA08222
Member

Re: HP Controller MSM720 issue

hi,

I have tried it, yet the guest SSID couldn't browse the internet. Where do I send the configuration file so you can check? I don't see any file attachment here.

GroundFairy
Occasional Visitor

Re: HP Controller MSM720 issue

The gateway of this VLAN is 192.168.101.1; the controller IP is 192.168.101.254. So, whenever I create a guest SSID without authentication and access control, it is working fine: clients get the default VLAN switch gateway and can access the internet. The DHCP server is not configured on the controller. I don't think this is a routing issue since the employee SSID and guest SSID are working fine. BUT the problem starts when I enable the guest SSID with authentication and access control in order to enable HTML authentication.

Emil_G
HPE Pro

Re: HP Controller MSM720 issue

Hello all, 

Last week I was in communication with @NA08222 via private messages because I didn't want to expose his config file. I also provided some recommendations to him. Unfortunately I didn't get any feedback on the last recommendation, which was moving the IP address of the controller from the Access to the Internet network.

Hello @GroundFairy, I am not sure about your involvement in this issue. Are you working together with NA08222?

I think I already explained what the setting "Use Controller for Access Control" does and why activating it requires the controller to be properly configured for routing.

If you need further assistance, I would be thankful if you could provide an update here or via private message!

I am an HPE employee
