Cisco FlexConnect flow for guest.

Hi all,
We are planning to upgrade our wireless infrastructure and I need some verification on the configuration. Our current setup is the following:
We have 2 WiSMs at the HO as active/backup and one 4400 series as an anchor. All access points are in HREAP with the interface configured as access (not trunk). It is local switching and central authentication.
We are planning to upgrade the wireless and, instead of using an anchor controller, we will use another interface on the 5508 controllers for the guest. This is a separate interface.
The question is: Can the guest traffic go through the AP to the guest without re-configuring every AP to trunk?
TIA,
Nicos Nicolaides

Thank you,
So basically for everyone to understand the question in the future,
our setup has the controller on a layer 3 network,
we have multiple SSIDs (more than 2),
All of our APs are configured in access mode.
So you can configure each SSID to be either CAPWAP or FlexConnect right?

Similar Messages

  • Cisco WLC Whitelist for Guest Access? and securing guest-access?

    Is it possible to allow certain websites to bypass the web authentication pages, so that they do not need to authenticate to get to our own website, but do have to if they wish to go anywhere else?
    Looking at a 5508 model at the moment
    Thanks

    Hello Stephen,
    Exactly how long is "an extended period of time?" Also, is this period enforced in the controller in some way, and if so, can it be configured?
    I'm asking because I have a WLAN for guests with a pre-authentication ACL allowing VPN traffic (ESP, IKE, SSL).
    For "normal" use of this guest WLAN you have to click on an "accept" button on a captive portal page before you can get anywhere with traffic not matching the pre-auth ACL.
    The pre-auth ACL does actually work, but it stops passing any traffic after 5 minutes of use per user. This happens every time and is 100% repeatable.
    So I'm very interested to know if we can change this apparent 5 minute restriction in some way.
    Thanks!
    Chris Slater-Walker
    Senior System Analyst
    Nokia UK Ltd.

  • I want to integrate SMS gateway to Cisco ISE 1.2 and my question is SMS notifications are supported for Guest self-registration

    I want to integrate an SMS gateway with Cisco ISE 1.2 and my question is:
    are SMS notifications supported for Guest self-registration services, or should it be done by the Sponsor?

    I'm not sure I understand the question.  Do you want to log in to the Sponsor Portal using AD credentials?
    Create an Identity Source Sequence using AD as an Authentication Source.  Go to Administration > Identity Management > Identity Source Sequences.  Either Edit or +Add a Sequence and choose from the Authentication Sources shown.
    Then choose that Identity Source Sequence by going to Administration > Web Portal Management > Settings.  Double-click Sponsor from the Left Menu and click Authentication Source.  Choose the Identity Source Sequence.  Click Save.
    I hope this helps.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Generate one time authentication for Guest on Cisco WLC

    Hi All
    Sorry for my question, because I just started to work with Cisco WLC.
    I have created some WLAN for local users with authentication by 802.1x + Radius by certificate.
    For Guest I used PSK with MAC-filtering.
    But I see that is not comfortable for Guests, each time they come and want to access our wireless, we have to come and get their MAC.
    I checked on Internet and find that the wireless solution for Hotel, Resorts are very easy.
    I also googled and saw that Cisco WLC supports Lobby Ambassador to generate Guest username/password. But as I checked, this username/password might only be used with Web-Auth; this method is not comfortable for Guests who don't know they have to go to Web-Auth to do authentication (e.g. when they only get POP3 email, or VPN, ... and do not use browsers).
    Could I use this method (or another method) for creating a one-time Guest wireless username/password or Guest PSK that can be used for authentication when Guests click the Wireless SSID name only (no need to open a web browser to do Web-Auth)?
    Regards
    Hai

    Hi Choudhary
    Thank you very much for your information.
    Could I reconfirm my concern?
    With Cisco WLC, I can use WebAuth with Guest users only.
    If I want to use Guest users for authentication when guests connect to the SSID (not by WebAuth; I mean using Layer 2 security only, not Layer 3), I will have to use an additional RADIUS server.
    And if I understand right, could you please recommend me a software-based RADIUS server that supports generating one-time username/password for Guests, because I checked that IAS/NPS on Windows Server may not have this function (ISE is not appropriate for us at this time, due to high expense).
    Regards
    Hai

  • WLC to ISE authentication for Guest

    Hi Experts,
    Hope if you could guide me with our setup for Guest users. Below is what we are doing
    a)     Guest connects to SSID
    b)     WLC is being used to redirect Guest HTTP to WLC internal Portal
    c)     WLC forwards guest authentication details to cisco ISE [ISE and WLC radius]
    The guest connects to the SSID and does get the WLC portal for authentication; when the username and password are entered, on Cisco ISE I see the error message
    'User Identity not found in any of Identity Store', though it is going through the correct Store and the Guest name is certainly configured on Cisco ISE. ISE version is 1.2 and WLC is 7.4; please let me know if I am missing anything here.
    Appreciate your help

    The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of an external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning. The flow includes these steps:
    Please follow below guide for step by step configuration:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

  • Controllers in the same WISM module in the 6500, i'm trying to make one of them anchor controller for guest internet

    I have 2 controllers in the same WiSM module and I'm trying to make one of them the Anchor controller for the guest WLAN, but when I put the anchor controller in a separate non-routed VLAN and connect it to an outside switch by creating VLAN 192 on the core (the Internet router is connected to the same switch), it is showing path down... (VLAN 192 visitor Internet and VLAN 224 my internal controller management VLAN are not talking).
    There is no routing between these 2 VLANs (because of security), but I can't get the controller to communicate.
    - If I connect my laptop to this switch I'm able to go out on the Internet, but my visitor WLAN is not able to get an IP address from the router connected to this switch.
    - I called Cisco and one of the guys told me that I can leave the management in VLAN 224 for the controller to communicate (which they did), but the issue I'm having right now is that my visitors are not getting IP addresses from this VLAN at all.
    some one please advise
      vlan192   4/1 vlan 192              int g0/0 192.168.2.201
      6500 ----- switch ---- router---------  (outside)
        |         |   |
        |        DHCP server
       WLC

    A couple of questions, is VLAN 192 allowed across the trunk link to the wlc?  Do you have an interface tagged for vlan 192, with a valid address?  What is providing the DHCP?
    Cheers,
    Steve
    If  this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • ISE 1.3 Guest API - using custom fields for guest creation?

    I am currently working with the new ISE 1.3 guest API. I have most everything working: I can create guests fine, with the basic information entered into the guest account like first name, last name, company, email, phone and so on. Now I need some more fields to enter other information for that guest, and I have created 5 extra custom fields called option1-option5 and enabled them for the "Known Guests" page on my sponsor portal. I can however not figure out how they should be addressed in the XML input sent in the API request... anyone tried this?
    Regards
    Jan

    Hi Johan,
    Sure, I can lead the way. The stuff I am doing is part of a complete system I build and sell, that integrates with ISE to give customers the ability to create guest accounts using a number of different social media (Facebook, Google and so on), to self-provision accounts for guest access (and many other things :-)
    I mainly use PHP for this, and for simplicity you can use a curl command line executed by any scripting you prefer, or use any curl library you might have available to you.
    So, you need an ISE sponsor account that has the "API usage" flag allowed in the sponsor group it is a member of. Then you need to know a few things about the ISE setup that need to be sent with your request to ISE, to allow the creation of a guest account.
    If you need some code examples, send me a pm and we can figure something out
    API Reference :
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/api_ref_guide/api_ref_book/ise_api_ref_guest.html

  • ISE Authentication cache in CWA for Guest

    Ciao,
    do you know how I can cache a guest authentication?
    For example, a Guest connects to the guest SSID (open) and authenticates using CWA (ISE and WLC). After that, every time the guest logs off and logs in, no authentication is required during the same day.
    Thanks

    You can find "Automatically register guest devices /Allow guests to register devices"  option here -> Guest Access > Configure > Guest Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Guest Device Registration Settings.
    using this option -Automatically create an endpoint for the device from which the guest is accessing this portal. The endpoint will be added to the endpoint identity group specified for this portal and is subject to the identity group's purge policy.
    An authorization rule can now be created to allow access to endpoints in that identity group, so that web authentication is no longer required.
    And you have "ActivatedGuest" option in 1.2

  • Using ISE for guest access together with anchor controller WLC in DMZ

    Hi there,
    I setup a guest WLAN in our LAB environment. I have one internal WLC connection to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal which works fine.
    To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
    As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
    Does anyone know of a better solution for this ? Where to place the ISE for this scenario, etc ?
    Thx
    Frank

    So i ran into a similar scenario on a recent deployment:
    We had the following:
    WLC-A on private network (Inside)
    ISE Servers ISE01 and ISE02 (Inside)
    WLC-B Anchor in DMZ for Guest traffic (DMZ)
    ISE Server 3 (DMZ)
    ISE01 and ISE02 are used for 802.1X for the private network WLAN.
    Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
    The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth.  Since we want to do CWA, we use MAC Filtering with ISE as the RADIUS server.  If you send this RADIUS authentication for MAC Filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to.  Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails.  (This was a limitation of ISE 1.1.  Not sure if this persists in 1.2 or not.)
    So what now?  In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentication from the Foreign controller so that the client will use a DNS name of https://ise03.mydomain.com/... to redirect the client to.  Once the session is authenticated, ISE03 will send a CoA back to the foreign which will remove the redirect for the session.  Note, you do have to allow ISE03 to send a CoA.
    In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node.

  • Authentication for Guest Access

    Hi, we are looking for a solution for either automated daily creation of guest user accounts or a console for clients enter their details which in turn creates the guest account on the controller.
    If we go down the path of automation, policy requires a single username/password for each day; unfortunately WLC scheduled guest account creation is not an option as the recurrence doesn't change the password, but it would be a handy feature if Cisco would like to introduce it in a future release.
    The CLI has the option to create 'config netuser add [name] [password] WLANID [X] userType guest lifetime [seconds]' - Can we schedule and email this from the CLI on the controller?
    Appreciate your time.
    Brendan

    Brendan,
    Currently there is no way to automate this process. The process that has been developed is either an admin on the WLC/WCS creates the account or the use of the lobby admin feature. WCS has the lobby admin feature also to create accounts, but it isn't intended for guest users to create their own account.
    The WLC doesn't have a scheduler to enter a command via the CLI, but I bet you can develop some web-based guest creation that would send the command to the WLC and remember that command to remove it later.
    Sent from Cisco Technical Support iPhone App
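
    Following the reply's suggestion, the routine below (an editorial example added here; it is not Brendan's code nor anything shipped by Cisco) builds the day's `config netuser add` command with a password drawn from a CSPRNG and the matching delete for the previous day's account, so yesterday's credentials are removed when today's are created. It assumes the `wlan <id>` keyword form of the command and a `config netuser delete username <name>` form; check both against the CLI reference for the controller's release. Pushing the commands to the controller (over SSH, or through whatever wrapper the operator already has) is left out on purpose and is the place a real deployment would plug in.

```python
"""Daily WLC guest account rotation: build the add/delete commands.

Added example, not from the thread or from Cisco. Only the CLI strings
are produced; the transport to the controller is the operator's.
"""
import secrets
import string
from datetime import date, timedelta

# Letters and digits only: nothing that needs quoting on the WLC CLI.
ALPHABET = string.ascii_letters + string.digits
ONE_DAY = 86400          # seconds; policy in the thread is one account per day
MAX_LIFETIME = 30 * ONE_DAY  # this script's own sanity bound, not a WLC limit


def daily_password(length: int = 12) -> str:
    """Password from the OS CSPRNG (never random.choice for credentials)."""
    if length < 8:
        raise ValueError("guest password too short")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def guest_username(day: date) -> str:
    """Deterministic per-day name, e.g. guest-2014-05-06."""
    return f"guest-{day.isoformat()}"


def build_commands(day: date, wlan_id: int, password: str,
                   lifetime: int = ONE_DAY) -> dict:
    """Return the add command for `day` and the delete for the previous
    day's account. Keyword forms `wlan <id>` / `delete username <name>`
    are assumed; verify against the controller's CLI reference."""
    if not 1 <= lifetime <= MAX_LIFETIME:
        raise ValueError("lifetime outside the allowed range")
    if not 1 <= wlan_id <= 512:
        raise ValueError("bad WLAN id")
    if any(c not in ALPHABET for c in password):
        raise ValueError("password must be alphanumeric for safe CLI use")
    today = guest_username(day)
    yesterday = guest_username(day - timedelta(days=1))
    return {
        "add": (f"config netuser add {today} {password} wlan {wlan_id} "
                f"userType guest lifetime {lifetime}"),
        "delete_previous": f"config netuser delete username {yesterday}",
    }


if __name__ == "__main__":
    cmds = build_commands(date.today(), wlan_id=3, password=daily_password())
    print(cmds["delete_previous"])
    print(cmds["add"])
```

    The `lifetime` matches the account's intended life, so even if the delete step is skipped the controller still expires the account on its own; the explicit delete just keeps the user table clean.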

  • Wireless device can't get IP address for Guest network

    I have a wireless network set up at my main location.  The access points allow Internal and Guest access.  The Internal access uses DHCP from a Windows Server.  The Guest access looks like it uses DHCP from my ASA; I did not set this up originally.  My question is... I am installing a new WAP in a branch location.  I can get the Internal access to work because it uses the Windows Server DHCP.  I cannot figure out how to get the Guest access configured to use the DHCP from the ASA.  The ASA is on a DMZ.  Any help would be appreciated.
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname WAPMadisonOffice
    !
    logging rate-limit console 9
    enable secret 5 $1$f1/9$SWBosxmjEGfSW4U.t4FnW.
    !
    no aaa new-model
    !
    dot11 syslog
    dot11 vlan-name Internal vlan 141
    dot11 vlan-name Guest vlan 99
    !
    dot11 ssid Bard
     vlan 141
     authentication open
     authentication key-management wpa
     mbssid guest-mode
     wpa-psk ascii 7 141500120D0A7B72757C31343017
    !
    dot11 ssid Guest
     vlan 99
     authentication open
     authentication key-management wpa
     guest-mode
     mbssid guest-mode
     wpa-psk ascii 7 070D33554F07485C4646090D162E
    !
    power inline negotiation prestandard source
    !
    bridge irb
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption mode ciphers aes-ccm
     encryption vlan 141 mode ciphers aes-ccm
     encryption vlan 99 mode ciphers aes-ccm
     ssid Internal
     ssid Guest
     antenna gain 0
     mbssid
     channel least-congested 2412 2437 2462
     station-role root
     bridge-group 1
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface Dot11Radio0.99
     encapsulation dot1Q 99
     no ip route-cache
     bridge-group 99
     bridge-group 99 subscriber-loop-control
     bridge-group 99 block-unknown-source
     no bridge-group 99 source-learning
     no bridge-group 99 unicast-flooding
     bridge-group 99 spanning-disabled
    !
    interface Dot11Radio0.141
     encapsulation dot1Q 141
     no ip route-cache
     bridge-group 141
     bridge-group 141 subscriber-loop-control
     bridge-group 141 block-unknown-source
     no bridge-group 141 source-learning
     no bridge-group 141 unicast-flooding
     bridge-group 141 spanning-disabled
    !
    interface GigabitEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     no keepalive
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    !
    interface GigabitEthernet0.99
     encapsulation dot1Q 99
     no ip route-cache
     bridge-group 99
     no bridge-group 99 source-learning
     bridge-group 99 spanning-disabled
    !
    interface GigabitEthernet0.141
     encapsulation dot1Q 141
     no ip route-cache
     bridge-group 141
     no bridge-group 141 source-learning
     bridge-group 141 spanning-disabled
    !
    interface BVI1
     ip address 10.10.20.20 255.255.255.0
     no ip route-cache
    !
    ip default-gateway 10.10.20.11
    ip http server
    ip http authentication local
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    snmp-server community internal RO
    bridge 1 route ip
    bridge 141 protocol ieee
    bridge 99 protocol ieee
    !
    line con 0
     logging synchronous level all
     login local
    line vty 0 4
     logging synchronous level all
     login local
    !
    end
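
    A note on the configuration above, from an editorial standpoint: both WPA pre-shared keys are stored as `wpa-psk ascii 7 ...`. Type 7 is the reversible obfuscation that `service password-encryption` applies to plaintext secrets; it is not a hash (unlike the `enable secret 5` line, which is MD5-based), so anyone reading the paste can recover the keys, and the right response to a config posted like this is to regenerate the PSKs. The script below is an added example, not code from the post or from Cisco; it implements type 7 encode/decode and extracts PSKs from a constructed snippet rather than from the posted strings. The fixed XOR key it uses is the widely documented IOS one, and `02050D480809` is the usual test vector (it decodes to `cisco`).

```python
"""Cisco IOS type 7 password obfuscation: encode, decode, scan a config.

Added example; not from the post or from Cisco. Shows why `wpa-psk
ascii 7 ...` lines in a pasted config disclose the PSKs. Sample config
below is constructed, not the thread's values.
"""

# Fixed key IOS XORs plaintext against (widely documented, 53 bytes).
_XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(encoded: str) -> str:
    """Recover plaintext. Format: two decimal digits (start offset into
    _XLAT) followed by hex pairs, each plaintext byte XOR key byte."""
    if len(encoded) < 2 or len(encoded) % 2:
        raise ValueError("type 7 string must have an even length >= 2")
    seed = int(encoded[:2], 10)
    if seed >= len(_XLAT):
        raise ValueError("seed out of range")
    out = []
    for pos, i in enumerate(range(2, len(encoded), 2)):
        byte = int(encoded[i:i + 2], 16)
        key = ord(_XLAT[(seed + pos) % len(_XLAT)])
        out.append(chr(byte ^ key))
    return "".join(out)


def type7_encrypt(plaintext: str, seed: int = 7) -> str:
    """Inverse of type7_decrypt; handy for building test vectors.
    IOS itself picks seeds in 0..15, any offset decodes the same way."""
    if not 0 <= seed < len(_XLAT):
        raise ValueError("seed out of range")
    parts = [f"{seed:02d}"]
    for n, ch in enumerate(plaintext):
        key = ord(_XLAT[(seed + n) % len(_XLAT)])
        parts.append(f"{ord(ch) ^ key:02X}")
    return "".join(parts)


def psk_lines(config: str) -> list:
    """Decode every `wpa-psk ascii 7 <hex>` line in a config dump."""
    found = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) == 4 and tokens[:3] == ["wpa-psk", "ascii", "7"]:
            found.append(type7_decrypt(tokens[3]))
    return found


# Constructed sample (NOT the posted PSKs): two SSIDs with type 7 keys.
SAMPLE_CONFIG = """\
dot11 ssid Internal
 vlan 141
 wpa-psk ascii 7 {}
dot11 ssid Guest
 vlan 99
 wpa-psk ascii 7 {}
""".format(type7_encrypt("Intern4l-key", 3),
           type7_encrypt("guest-wifi-2014", 11))

if __name__ == "__main__":
    print(type7_decrypt("02050D480809"))      # well-known vector: cisco
    for psk in psk_lines(SAMPLE_CONFIG):
        print("recovered PSK:", psk)
```

    Running `psk_lines` over a real `show running-config` is exactly what an attacker does with a leaked config; the defensive takeaway is to treat type 7 strings as plaintext when sharing configs and to rotate any key that has been exposed.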

    Jennifer,
    The ASA is connected on this interface:
    interface GigabitEthernet1/0/2
    switchport trunk allowed vlan 1,10
    switchport mode trunk
    switchport priority extend trust
    mls qos trust dscp
    spanning-tree portfast
    and the Access Point, what interface?
    10.10.10.251 - IP of ASA?
    If you set vlan 99 in one interface and connect one computer do you get ip?
    I only see the interfaces 1/0/27 and 1/0/48 with access for guest vlan 99.
    Regards.

  • NAC guest server with RADIUS authentication for guests issue.

    Hi all,
    We have just finally successfully installed our Cisco NAC Guest Server. We have version 2 of the server and basically the topology consists of a WiSM at the core of the network and a 4402 controller at the DMZ, then out the firewall; no issues with that. We do however have a few problems: how can we provide access through a proxy without using PAC files, obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a RADIUS attribute etc.?
    The second problem is more serious; refer to the documentation below from the configuration guide for guest nac server v2. It states that hotspots can be used and the Authentication option would allow radius authentication for guests, I’ve been told otherwise by Cisco and they say it can’t be done, has anyone got radius authentication working for guests.
    https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
    -----START QUOTE-----
    Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
    •Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
    •Self Service—This option allows guest self service. After selection proceed to Step 8.
    •Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
    ----- END QUOTE-----
    Your help is much appreciated on this, I’ve been looking forward to this project for a long time and it’s a bit of an anti climax that I can’t authenticate guests with radius (We use ACS and I was hoping to hook radius into an ODBC database we have setup called open galaxy)
    Regards
    Kevin Woodhouse

    Well, I will try to answer your 2nd question.... will it work... yes.  It is like any other RADIUS server (high end:))  But why would you do this for guest.... there is no reason to open up a port on your FW and to add guest accounts to and, worse... add them in AD.  Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest accounts and, if you look at it, it leaves everything in the DMZ.
    Now if you are looking at the self service.... what does that really give you.... you won't be able to control who gets on, people will use bogus info and last but not least.... I have never gotten that to work right.  Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that.  That is my opinion.

  • E2500 with multiple APs for guest access

    I got 5 E2500 routers; the main one is set up with IP address 192.168.1.254 and the rest are programmed as APs in bridge mode with IP addresses 192.168.1.245 through 248. The secured wireless network works fine when I roam between these APs, but the only AP where I can get internet access on the guest wireless network is the main (192.168.1.254) router; on every other AP I get the guest log-on screen (prompt for the guest access password) and no internet access after I type in the correct access password. Does the E2500 support guest access across multiple APs, or does it require a special way to configure it? Please help...
    Jim

    Guest Access allows you to provide Internet connection to your guests, however, they will not have access to your computers or other personal data. When you set up your Valet or Linksys Wireless-N router, the Cisco Connect software will create two wireless networks with the same Wireless Network Name (SSID) that differs from one another by a -guest suffix to one of the wireless network names.
    So first of all remove all the networks from the preferred list of the computer and then try to connect.  

  • Printing Solutions for Guest Wireless

    So this is something that has been bouncing around the forums for a year or two now.  I have failed to come up with a "best-of-breed" approach that meets the strict security requirements of a government department.
    The scenario is this: the wireless platform is based around centralised WiSM controllers in a datacentre and an anchor controller (for guest wireless) in a DMZ; we have WCS to manage the components including the Lightweight Access Points (mainly Cisco 1142Ns), with a Cisco NGS to act as both hotspot and as the client credentials RADIUS authority. It works great except for printing, which simply isn't currently an option.
    The solution services a wide number of geographic locations, all members of the one guest SSID and mobility group.  Since clients that connect to this are effectively DMZ'd and only able to connect to the internet, I am struggling to find a practical way to provide printing specific to each geographic site without going for a cloud service such as "Dropbox" or "PrinterOn".
    Has anyone out there in the Community come up with any innovative approaches to this conundrum?  If so please join the conversation.

    Hi, I've encountered the same issue. Did you find a solution?

  • Web-redirect to external radius not working on some browsers for Guest SSID

    Hi,
    We are using a Cisco 5760 with 3.7, and the guest SSID doesn't perform web-redirect to the external RADIUS (Cisco NAC appliance) for some browsers, although the same works on Cisco 5508 and 4402 WLCs with the same NAC appliance for all browsers.
    Working browsers: IE 9.0 and IE 11.0
    Non-working: Chrome all versions, Firefox all versions, Safari all versions.
    Can anyone provide some help if they have seen this issue before?

    You need to check the compatibility guide of Cisco WLC and check if those browsers are supported or not.
