Cisco FlexConnect flow for guest.
Hi all,
We are planning to upgrade our wireless infrastructure and I need some verification on the configuration. Our current setup is the following:
We have 2 WiSMs on the HO as active/backup and one 4400 series as an anchor. All access points are in HREAP with the interface configured as access (not trunk). It is local switching and central authentication.
We are planning to upgrade the wireless and instead of using anchor controller, we will use another interface on the 5508 controllers for the guest. This is a separate interface.
The question is: Can the guest traffic go through the AP to the guest without re-configuring every AP to trunk?
TIA,
Nicos Nicolaides
Thank you,
So basically for everyone to understand the question in the future,
our setup has the controller on a layer 3 network,
we have multiple SSIDs (more than 2),
All of our APs are configured in access mode.
So you can configure each SSID to be either CAPWAP or FlexConnect right?
Similar Messages
-
Cisco WLC Whitelist for Guest Access? and securing guest-access?
Is it possible to allow certain websites to bypass the web authentication pages, so that they do not need to authenticate to get to our own website, but do have to if they wish to go anywhere else?
Looking at a 5508 model at the moment
Thanks
Hello Stephen,
Exactly how long is "an extended period of time?" Also, is this period enforced in the controller in some way, and if so, can it be configured?
I'm asking because I have a WLAN for guests with a pre-authentication ACL allowing VPN traffic (ESP, IKE, SSL).
For "normal" use of this guest WLAN you have to click on an "accept" button on a captive portal page before you can get anywhere with traffic not matching the pre-auth ACL.
The pre-auth ACL does actually work, but it stops passing any traffic after 5 minutes of use per user. This happens every time and is 100% repeatable.
So I'm very interested to know if we can change this apparent 5 minute restriction in some way.
Thanks!
Chris Slater-Walker
Senior System Analyst
Nokia UK Ltd. -
I want to integrate SMS gateway to Cisco ISE 1.2 and my question is
SMS notifications are supported for Guest self-registration Services? Or should it be done by Sponsor?
I'm not sure I understand the question. Do you want to log in to the Sponsor Portal using AD credentials?
Create an Identity Source Sequence using AD as an Authentication Source. Go to Administration > Identity Management > Identity Source Sequences. Either Edit or +Add a Sequence and choose from the Authentication Sources shown.
Then choose that Identity Source Sequence by going to Administration > Web Portal Management > Settings. Double-click Sponsor from the Left Menu and click Authentication Source. Choose the Identity Source Sequence. Click Save.
I hope this helps.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton -
Generate one time authentication for Guest on Cisco WLC
Hi All
Sorry for my question, because I just started to work with Cisco WLC.
I have created some WLAN for local users with authentication by 802.1x + Radius by certificate.
For Guest I used PSK with MAC-filtering.
But I see that is not comfortable for Guests, each time they come and want to access our wireless, we have to come and get their MAC.
I checked on Internet and find that the wireless solution for Hotel, Resorts are very easy.
I also googled and see that Cisco WLC support Lobby Ambassador to generate Guest username/password. But as I checked, this username/password might only use with Web-Auth, this method is not comfortable for Guest who don't know they have to go to Web-Auth to do authentication (e.g: when they only get pop3 email, or vpn, ... not use browsers)
Could I use this method (or another method) for creating one time Guest wireless username/password or Guest PSK that can be used for authentication when Guests click to Wireless-SSID name only (no need to open web browser to do Web-Auth).
Regards
Hai
Hi Choudhary
Thank you much for your information
Could I reconfirm about my concern.
With Cisco WLC, I can use WebAuth with Guest user only
If I want to use Guest user for authentication when guests connect to SSID (not by WebAuth, I means use Layer 2 security only, not Layer 3), I will have to use additional Radius Server.
And if I understand right, could you please recommend me software based Radius Server with support generate one time username/password for Guest, because I checked IAS/NPS on windows server may not have this function (ISE is not appropriate for us at this time, due to high expense)
Regards
Hai -
WLC to ISE authentication for Guest
Hi Experts,
Hope if you could guide me with our setup for Guest users. Below is what we are doing
a) Guest connects to SSID
b) WLC is being used to redirect Guest HTTP to WLC internal Portal
c) WLC forwards guest authentication details to cisco ISE [ISE and WLC radius]
The guest connects to SSID and does get WLC portal for authentication, when the username and password entered on Cisco ISE i see error message as
'User Identity not found in any of Identity Store' though it is going through correct Store and the Guest name is certainly configured on Cisco ISE. ISE version is 1.2 and WLC is 7.4, please let me know if i am missing anything here.
Appreciate your help
The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of an external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning. The flow includes these steps:
Please follow below guide for step by step configuration:
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml -
I have 2 controllers in the same WiSM module and I'm trying to make one of them the anchor controller for the guest WLAN, but when I put the anchor controller in a separate non-routed VLAN and connect it to an outside switch by creating VLAN 192 on the core (the Internet router is connected to the same switch), it is showing path down... (VLAN 192 visitor Internet and VLAN 224 my internal controller management VLAN are not talking)
there is no routing between these 2 VLAN ( because of security), but i can't get the controller to communicate.
-if I connect my laptop to this switch I'm able to go out on Internet but my visitor WLAN is not able to get IP address from the router connected to this switch.
- I called Cisco and one the guys told me that i can leave the management in VLAN 224 for the controller to communicate ( which they did), but the issue I'm having right now is that my visitors are not getting IP addresses from this VLAN at all
some one please advise
vlan192 4/1 vlan 192 int g0/0 192.168.2.201
6500 ----- switch ---- router--------- (outside)
| | |
| DHCP server
WLC
A couple of questions: is VLAN 192 allowed across the trunk link to the WLC? Do you have an interface tagged for VLAN 192, with a valid address? What is providing the DHCP?
Cheers,
Steve
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
ISE 1.3 Guest API - using custom fields for guest creation?
I am currently working with the new ISE 1.3 guest API. I have most everything working; I can create guests fine, with the basic information entered into the guest account like first name, last name, company, email, phone and so on. Now I need some more fields to enter other information for that guest, and I have created 5 extra custom fields called option1-option5, and enabled them for the "Known Guests" page on my sponsor portal. I can however not figure out how they should be addressed in the XML input sent in the API request... anyone tried this?
Regards
Jan
Hi Johan,
Sure I can lead on the way. The stuff I am doing is part of a complete system I build and sell, that integrates with ISE to give customers the ability to create guest accounts using a number of different social media (Facebook, Google and so on), to self-provision accounts for guest access (and many other things :-)
I mainly use PHP for this, and for simplicity you can use a curl command line executed by any scripting you prefer, or use any curl library you might have available to you.
So, you need an ise sponsor account that has the "api usage flag" allowed in the sponsor group it is a member of. Then you need to know a few things about the ise setup, that needs to be sent with your request to ise, to allow the creation of a guest account.
If you need some code examples, send me a pm and we can figure something out
API Reference :
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/api_ref_guide/api_ref_book/ise_api_ref_guest.html -
ISE Authentication cache in CWA for Guest
Ciao,
do you known how I can cache a guest authentication ?
For example a Guest connect to guest SSID (open); authenticate using CWA (ISE and WLC). After that every time the guest logoff and login, no authentication is required during the same days.
Thanks
You can find the "Automatically register guest devices / Allow guests to register devices" option here -> Guest Access > Configure > Guest Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Guest Device Registration Settings.
using this option -Automatically create an endpoint for the device from which the guest is accessing this portal. The endpoint will be added to the endpoint identity group specified for this portal and is subject to the identity group's purge policy.
An authorization rule can now be created to allow access to endpoints in that identity group, so that web authentication is no longer required.
And you have "ActivatedGuest" option in 1.2 -
Using ISE for guest access together with anchor controller WLC in DMZ
Hi there,
I setup a guest WLAN in our LAB environment. I have one internal WLC connection to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal which works fine.
To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
Does anyone know of a better solution for this ? Where to place the ISE for this scenario, etc ?
Thx
Frank
So I ran into a similar scenario on a recent deployment:
We had the following:
WLC-A on private network (Inside)
ISE Servers ISE01 and ISE02 (Inside)
WLC-B Anchor in DMZ for Guest traffic (DMZ)
ISE Server 3 (DMZ)
ISE01 and ISE02 are used for 802.1X for the private network WLAN.
Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth. Since we want to do CWA, we use MAC Filtering with ISE as the RADIUS server. If you send this RADIUS authentication traffic for MAC Filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to. Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails. (This was a limitation of ISE 1.1. Not sure if this persists in 1.2 or not.)
So what now? In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentication from the foreign controller so that the client will use a DNS name of https://ise03.mydomain.com/... to redirect the client to. Once the session is authenticated, ISE03 will send a CoA back to the foreign which will remove the redirect for the session. Note, you do have to allow ISE03 to send a CoA.
In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node. -
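A way to check a design against the placement problem described in the reply above, as an added example that is not code from the thread or from Cisco. The network is modelled as security zones plus the flows the customer's policy permits; each ISE policy node candidate is tested for the three flows CWA needs: RADIUS from the foreign controller, HTTPS from the guest client (which sits in the anchor's DMZ zone) to the node's own portal FQDN, and CoA from the node back to the foreign controller. Zone names, node names and the allowed-flow list are constructed for the example.

```python
"""Design check for CWA policy-node placement with a DMZ guest anchor.

Added example, not from the original thread. Nodes, zones and the allowed
flow list below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class PolicyNode:
    name: str
    fqdn: str   # the redirect URL ISE hands out uses this host name
    zone: str   # security zone the node sits in


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    service: str


def cwa_required_flows(node: PolicyNode, foreign_zone: str, client_zone: str) -> List[Flow]:
    """The three flows a CWA session needs with a given policy node."""
    return [
        Flow(foreign_zone, node.zone, "radius"),  # MAC-filtering auth from the foreign WLC
        Flow(client_zone, node.zone, "https"),    # client follows https://<fqdn>/... redirect
        Flow(node.zone, foreign_zone, "coa"),     # CoA to the foreign WLC removes the redirect
    ]


def is_allowed(flow: Flow, allowed: Iterable[Flow]) -> bool:
    """Intra-zone traffic is assumed permitted; cross-zone traffic needs an explicit rule."""
    if flow.src_zone == flow.dst_zone:
        return True
    return flow in set(allowed)


def missing_flows(node: PolicyNode, allowed: Iterable[Flow],
                  foreign_zone: str, client_zone: str) -> List[Flow]:
    """Flows the policy would have to open for this node to serve CWA."""
    allowed = list(allowed)
    return [f for f in cwa_required_flows(node, foreign_zone, client_zone)
            if not is_allowed(f, allowed)]


def choose_policy_node(nodes: Iterable[PolicyNode], allowed: Iterable[Flow],
                       foreign_zone: str, client_zone: str) -> Optional[PolicyNode]:
    """First node whose required flows are all permitted, or None."""
    allowed = list(allowed)
    for node in nodes:
        if not missing_flows(node, allowed, foreign_zone, client_zone):
            return node
    return None


# Constructed sample matching the thread: two PSNs inside, one in the DMZ.
NODES = [
    PolicyNode("ISE01", "ise01.example.test", "inside"),
    PolicyNode("ISE02", "ise02.example.test", "inside"),
    PolicyNode("ISE03", "ise03.example.test", "dmz"),
]

# Policy: inside may reach the DMZ; the DMZ may only send CoA back inside.
ALLOWED = [
    Flow("inside", "dmz", "radius"),
    Flow("inside", "dmz", "https"),
    Flow("dmz", "inside", "coa"),
]

FOREIGN_ZONE = "inside"   # WLC-A
CLIENT_ZONE = "dmz"       # guest clients terminate on the anchor


if __name__ == "__main__":
    for node in NODES:
        gaps = missing_flows(node, ALLOWED, FOREIGN_ZONE, CLIENT_ZONE)
        print(f"{node.name}: {'ok' if not gaps else 'blocked by ' + str(gaps)}")
    chosen = choose_policy_node(NODES, ALLOWED, FOREIGN_ZONE, CLIENT_ZONE)
    print("use:", chosen.name if chosen else "none")
```

Run as-is it reports ISE01 and ISE02 as blocked on the client-to-portal HTTPS flow and selects ISE03; removing the `dmz -> inside coa` rule from `ALLOWED` makes ISE03 fail too, which is the CoA permission the reply says must be opened.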
Authentication for Guest Access
Hi, we are looking for a solution for either automated daily creation of guest user accounts or a console for clients enter their details which in turn creates the guest account on the controller.
If we go down the path of automation, policy requires a single username/password for each day. Unfortunately WLC scheduled guest account creation is not an option as the recurrence doesn't change the password, but it would be a handy feature if Cisco would like to introduce it in a future release.
The CLI has the option to create 'config netuser add [name] [password] WLANID [X] userType guest lifetime [seconds]' - Can we schedule and email this from the CLI on the controller?
Appreciate your time.
Brendan
Brendan,
Currently there is no way to automate this process. The process that has been developed is either an admin on the WLC/WCS creates the account or the use of the lobby admin feature. WCS has the lobby admin feature also to create accounts but it isn't intended for guest users to create their own account.
The WLC doesn't have a schedule to enter a command via the CLI, but I bet you can develop some web-based guest creation that would send the command to the WLC and remember that command to remove it later.
Sent from Cisco Technical Support iPhone App -
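The scripted approach the reply suggests, as an added example that is not code from the thread or from Cisco: generate a per-day, one-time guest credential, emit the `config netuser add` command the question quotes with the lifetime computed so the account expires at local midnight, and keep the matching removal command. The AireOS `lifetime` bounds (60 to 2592000 seconds), the `wlan` keyword in place of the thread's `WLANID`, the `config netuser delete username` form, WLAN ID 3 and the e-mail text are assumptions to be checked against the controller's CLI reference.

```python
"""Daily one-time guest credential for an AireOS WLC.

Added example, not from the original thread. Sends nothing to the
controller; it only builds the commands an operator or scheduler would run.
"""
import secrets
import string
from datetime import datetime, timedelta

# Alphanumeric only, so the value never needs quoting on the WLC CLI.
ALPHABET = string.ascii_letters + string.digits

# Assumed AireOS bounds for 'config netuser add ... lifetime'.
MIN_LIFETIME = 60
MAX_LIFETIME = 30 * 24 * 3600


def generate_password(length: int = 12) -> str:
    """CSPRNG-backed password; 12 alphanumerics is ~71 bits of entropy."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def seconds_until_midnight(now: datetime) -> int:
    """Lifetime that makes the account expire at the next local midnight."""
    midnight = (now + timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)
    return int((midnight - now).total_seconds())


def clamp_lifetime(seconds: int) -> int:
    """Keep the lifetime inside the (assumed) range the WLC accepts."""
    return max(MIN_LIFETIME, min(MAX_LIFETIME, seconds))


def build_commands(username: str, password: str, wlan_id: int, lifetime: int):
    """Return the (add, delete) CLI strings. 'wlan' keyword and delete form are assumptions."""
    add = (f"config netuser add {username} {password} wlan {wlan_id} "
           f"userType guest lifetime {lifetime}")
    delete = f"config netuser delete username {username}"
    return add, delete


def daily_guest(now: datetime, wlan_id: int = 3) -> dict:
    """Build today's credential set; the username encodes the date for easy audit."""
    username = f"guest{now:%Y%m%d}"
    password = generate_password()
    lifetime = clamp_lifetime(seconds_until_midnight(now))
    add, delete = build_commands(username, password, wlan_id, lifetime)
    return {"username": username, "password": password, "lifetime": lifetime,
            "add": add, "delete": delete}


def email_body(cred: dict) -> str:
    """Text for the daily notification to reception; delivery is left to the caller."""
    return (f"Guest Wi-Fi credentials for today\n"
            f"Username: {cred['username']}\nPassword: {cred['password']}\n"
            f"Valid for {cred['lifetime']} seconds from creation.\n")


if __name__ == "__main__":
    cred = daily_guest(datetime.now())
    print(cred["add"])
    print(cred["delete"])
    print(email_body(cred))
```

The add command is what a cron job would push over SSH at the start of each day; the delete command is kept so the previous day's account can be removed explicitly rather than relying only on the lifetime.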
Wireless device can't get IP address for Guest network
I have a wireless network setup at my main location. The access points allow Internal and Guest access. The Internal access uses DHCP from a Windows Server. The Guest access looks like it uses DHCP from my ASA, I did not set this up originally. My question is... I am installing a new WAP in a branch location. I can get the Internal access to work because it uses the Windows Server DHCP. I cannot figure out how to get the Guest access configured to use the DHCP from the ASA. The ASA is on a DMZ. Any help would be appreciated.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname WAPMadisonOffice
logging rate-limit console 9
enable secret 5 $1$f1/9$SWBosxmjEGfSW4U.t4FnW.
no aaa new-model
dot11 syslog
dot11 vlan-name Internal vlan 141
dot11 vlan-name Guest vlan 99
dot11 ssid Bard
vlan 141
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 141500120D0A7B72757C31343017
dot11 ssid Guest
vlan 99
authentication open
authentication key-management wpa
guest-mode
mbssid guest-mode
wpa-psk ascii 7 070D33554F07485C4646090D162E
power inline negotiation prestandard source
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
encryption vlan 141 mode ciphers aes-ccm
encryption vlan 99 mode ciphers aes-ccm
ssid Internal
ssid Guest
antenna gain 0
mbssid
channel least-congested 2412 2437 2462
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.99
encapsulation dot1Q 99
no ip route-cache
bridge-group 99
bridge-group 99 subscriber-loop-control
bridge-group 99 block-unknown-source
no bridge-group 99 source-learning
no bridge-group 99 unicast-flooding
bridge-group 99 spanning-disabled
interface Dot11Radio0.141
encapsulation dot1Q 141
no ip route-cache
bridge-group 141
bridge-group 141 subscriber-loop-control
bridge-group 141 block-unknown-source
no bridge-group 141 source-learning
no bridge-group 141 unicast-flooding
bridge-group 141 spanning-disabled
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface GigabitEthernet0.99
encapsulation dot1Q 99
no ip route-cache
bridge-group 99
no bridge-group 99 source-learning
bridge-group 99 spanning-disabled
interface GigabitEthernet0.141
encapsulation dot1Q 141
no ip route-cache
bridge-group 141
no bridge-group 141 source-learning
bridge-group 141 spanning-disabled
interface BVI1
ip address 10.10.20.20 255.255.255.0
no ip route-cache
ip default-gateway 10.10.20.11
ip http server
ip http authentication local
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
snmp-server community internal RO
bridge 1 route ip
bridge 141 protocol ieee
bridge 99 protocol ieee
line con 0
logging synchronous level all
login local
line vty 0 4
logging synchronous level all
login local
end
Jennifer,
The ASA is connected on this interface:
interface GigabitEthernet1/0/2
switchport trunk allowed vlan 1,10
switchport mode trunk
switchport priority extend trust
mls qos trust dscp
spanning-tree portfast
and the Access Point, what interface?
10.10.10.251 - IP of ASA?
If you set vlan 99 in one interface and connect one computer do you get ip?
I only see the interfaces 1/0/27 and 1/0/48 with access for guest vlan 99.
Regards. -
NAC guest server with RADIUS authentication for guests issue.
Hi all,
We have just finally successfully installed our Cisco NAC guest server. We have version 2 of the server and basically the topology consists of a wism at the core of the network and a 4402 controller at the dmz, then out the firewall, no issues with that. We do however have a few problems, how can we provide access through a proxy without using pak files obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a radius attribute etc.
The second problem is more serious; refer to the documentation below from the configuration guide for guest nac server v2. It states that hotspots can be used and the Authentication option would allow radius authentication for guests, I’ve been told otherwise by Cisco and they say it can’t be done, has anyone got radius authentication working for guests.
https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
-----START QUOTE-----
Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
•Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
•Self Service—This option allows guest self service. After selection proceed to Step 8.
•Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
----- END QUOTE-----
Your help is much appreciated on this, I’ve been looking forward to this project for a long time and it’s a bit of an anti climax that I can’t authenticate guests with radius (We use ACS and I was hoping to hook radius into an ODBC database we have setup called open galaxy)
Regards
Kevin Woodhouse
Well I will try to answer your 2nd question.... will it work... yes. It is like any other RADIUS server (high end :)) But why would you do this for guest.... there is no reason to open up a port on your FW and to add guest accounts to and worse... add them in AD. Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest accounts and if you look at it, it leaves everything in the DMZ.
Now if you are looking at the self service.... what does that really give you.... you won't be able to control who gets on, people will use bogus info and last but not least.... I have never gotten that to work right. Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that. That is my opinion. -
E2500 with multiple APs for guest access
I got 5 E2500 routers and the main one has setup to IP address 192.168.1.254 and the rest APs are programmed into the bridge mode with the IP address 192.168.1.245 through 248. The secured wireless network works fine when I roaming between these APs but the only AP that I can get internet access for guest wireless network is the main (192.168.1.254) router; for every other APs, I will get the guest log on screen (prompt for guest access password) and no internet access after I type in the correct access password. Does the E2500 support multiple APs guest or it requires a special way to configure it? Please help...
Jim
Guest Access allows you to provide Internet connection to your guests, however, they will not have access to your computers or other personal data. When you set up your Valet or Linksys Wireless-N router, the Cisco Connect software will create two wireless networks with the same Wireless Network Name (SSID) that differ from one another by a -guest suffix to one of the wireless network names.
So first of all remove all the networks from the preferred list of the computer and then try to connect. -
Printing Solutions for Guest Wireless
So this is something that has been bouncing around the forums for a year or two now. I have failed to come up with a "best-of-breed" approach that meets the strict security requirements of a government department.
The scenario is this - the wireless platform is based around centralised Wism controllers in a datacentre and an anchor controller (for guest wireless) in a dmz, we have WCS to manage the components including the Lightweight Access-Points (mainly Cisco 1142N's) with a Cisco NGS to act as both hotspot and as the client credentials RADIUS authority. it works great except for printing which simply isn't currently an option.
The solution services a wide number of geographic locations - all members of the one guest SSID and mobility group. Since clients that connect to this are effectively DMZ'd and only able to connect to the internet, I am struggling to find a practical way to provide printing specific to each geographic site without going for a cloud service such as "Drop-box", or "PrinterON"
Has anyone out there in the Community come up with any innovative approaches to this conundrum? If so please join the conversation
Hi, I've encountered the same issue. Did you find a solution?
-
Web-redirect to external radius not working on some browsers for Guest SSID
Hi,
We are using Cisco 5760 with 3.7, and the guest SSID doesn't perform web-redirect to external radius (cisco NAC appliance), for some browsers. Although the same works on Cisco 5508 and 4402 WLC with the same NAC appliance for all browsers.
working browsers: IE9.0 and IE 11.0
Non-working: Chrome all versions, Firefox all versions, Safari all versions.
Can anyone provide some help if they have seen this issue before?
You need to check the compatibility guide of Cisco WLC and check if those browsers are supported or not.