Guest Splash Page with Cisco WLCs Help

Hi,
I need some guidance using Web Authentication / Web Pass-through to create a mandatory splash page that is presented to users of our guest WLAN.  Currently our guest WLAN is wide open, users connect and go straight through to get Internet Access. Here's what we'd like to accomplish.
1. Have the page hosted on an external web server (i.e not on the controller)
2. Present Terms of service
3.
 a. Present an optional field to enter an email address & date of birth (DOB) to opt in for marketing purposes
        OR
 b. Present a mandatory field to enter an email address with an optional check box and DOB to opt in for marketing (the idea behind option b, is that whether they opt in for marketing or not, we could still somehow use the email as a username, but not require a password.  In the hopes of then using this as a unique identifier in the WLC for troubleshooting / reporting purposes)
4. At the very end, have an "I Agree" button
5. Re-direct to our company's public facing website
Our controllers are 5508s, running 7.4.121.0.  I more or less have an idea of how to accomplish this, but I've never used Web Auth / Web Passthrough with a Cisco Controller before, so I'm hoping someone can clear up a few things for me.
1. Am I correct that, when using an External server to host the login.html page, we must use Web Authentication, since Web Pass-through is only an option when using an Internal Page? Web Pass-through seems ideal for us, since we don't care about credentials, but from what I'm reading, it seems restricted to Internal (on the Controller) deployments only.
Based on these
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html#passthrough
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116879-configure-wlc-00.html
http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/107474-web-pass-config.html
2. If Web Pass-through is not an option when using an External deployment, is there any way we could use an email address as a username, but not require a password?  If not, is hiding the username/password fields in the html code of the splash page, and using a single pre-configured default username / password the only other option ? As described here: https://supportforums.cisco.com/discussion/10847046/unsecured-guest-access-customizable-splash-page-and-logo
3. It sounds like SSL cert warnings may be an issue even if we use an External deployment, because the controller still acts as a middle man.  Is this correct, and is the best fix to install a valid 3rd party cert on the controller?
P.S. I’m aware of the Big Brother type things that can be done with Cisco MSE and Connected Mobile Experiences, as far as guest tracking / marketing / analytics go. However, that’s way more than we’re looking to do at this point.
Thanks in advance for any guidance you can provide!

Hello Jonathan,
The idea you have is fine, the only exception is the extra fields of information that you want to collect. From the WLC perspective this is not possible to gather.
The example given on https://supportforums.cisco.com/discussion/10847046/unsecured-guest-access-customizable-splash-page-and-logo looks very interesting, and as long as the WLC receives the information it needs to authenticate the client, you can modify the HTML code as you want. However, as somebody stated on that post, Cisco provides the html example, but we do not really support the html content creation or modification.
Anyway below on answer #2 I am giving you an idea that could work (again I'm not an HTML expert, I don't know if that could be achieved that way) maybe you can have a better idea.
To answer your queries:
1) The customized web-passthrough page can be hosted on an external Web Server.
When the pages are on an external webserver, the passthrough is still performed on the WLC, just the pages reside on the external server. It is a good idea to be sure that the pages come up ok on the external server without webauth involved since webauth will not work unless the external webserver works
2) We have examples of what HTML content a customized Web Passthrough page should include. If you add extra fields on the HTML code (like email address & date of birth), the WLC won't be able to handle this data and most probably you won't be able to gather this information from the WLC, unless you customize the web page in such way that it sends the fields email address & date of birth to another server (rather than to the WLC) to gather this information, but at the end what matters for the WLC is to receive the click on the "Accept" button to authenticate the client.
3) Regarding the certificate, there are two options, the cheapest and easiest is to disable HTTPS for web authentication. Then, your guests will open an HTTP web page, without having the certificate warning.
Whether or not you perform local or external web authentication, you still hit the internal web server on the controller. When you redirect to an external web server, you still receive the certificate warning from the controller unless you have a valid certificate on the controller itself. If the redirect is sent to https, you receive the certificate warning from the controller and from the external web server, unless both have a valid certificate.
In order to get rid of the certificate warnings all together, you need to have a root level certificate issued and downloaded onto your controller. The certificate is issued for a host name and you put that host name in the DNS host name box under the virtual interface on the controller. You also need to add the host name to your local DNS server and point it to the virtual IP address (1.1.1.1) of the WLC.
This link provides information about WebAuthentication on an External Web Server, however exactly the same applies for Web Passthrough:
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71881-ext-web-auth-wlc.html
Also, you can download the WebAuthentication bundle, with the examples and some useful information about different customized web pages, it can be used as a template to build your page. Here you will see that Web Passthrough to an external server is indeed a valid option, when you download and unzip it, open the "readme.html"
https://software.cisco.com/download/release.html?mdfid=282600534&softwareid=282791507&release=1.0.2&relind=AVAILABLE&rellifecycle=&reltype=latest
Hope this helps
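
The idea in answer 2 above, sketched as an added example (not code from the thread or from Cisco's WebAuth bundle): the external page keeps the opt-in data for its own server and hands the controller only the accept click. The host names, landing URL and helper names are assumptions, and the `switch_url`, `client_mac`, `wlan`, `buttonClicked`, `redirect_url` and `err_flag` names follow Cisco's sample login page and should be checked against the readme in the bundle.

```javascript
// Added example, not Cisco code. Assumed names: guest.example.com is the DNS
// host name set on the controller's virtual interface, www.example.com is the
// company site, and the caller stores the returned opt-in record itself.
const ALLOWED_WLC_HOSTS = new Set(["guest.example.com", "1.1.1.1"]);
const LANDING_URL = "https://www.example.com/";
const MAC_RE = /^([0-9a-f]{2}:){5}[0-9a-f]{2}$/i;

// Read the parameters the controller appends to the external page URL and
// refuse any switch_url that does not point back at our own controller.
// Without this check a crafted link could make the page post elsewhere.
function parseWlcRedirect(pageUrl) {
  const query = new URL(pageUrl).searchParams;
  const raw = query.get("switch_url");
  if (!raw) throw new Error("missing switch_url");
  let target;
  try {
    target = new URL(raw);
  } catch {
    throw new Error("switch_url is not a URL");
  }
  const okScheme = target.protocol === "https:" || target.protocol === "http:";
  if (!okScheme || !ALLOWED_WLC_HOSTS.has(target.hostname) ||
      target.pathname !== "/login.html") {
    throw new Error("switch_url does not point at the controller login page");
  }
  const mac = query.get("client_mac") || "";
  return {
    action: target.origin + "/login.html",
    wlan: query.get("wlan") || "",
    // The MAC arrives via the client's browser: keep it only as a label.
    clientMac: MAC_RE.test(mac) ? mac.toLowerCase() : "",
  };
}

// Option (a) from the question: email and date of birth are optional and are
// kept only when the guest ticks the marketing box.
function validateOptIn(input, today) {
  if (!input.optIn) return null; // guest declined marketing: keep nothing
  const email = String(input.email || "").trim();
  const emailOk = email.length <= 254 &&
    /^[^\s@<>"']+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/.test(email);
  if (!emailOk) throw new Error("invalid email address");
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(String(input.dob || ""));
  if (!m) throw new Error("date of birth must be YYYY-MM-DD");
  const [y, mo, d] = m.slice(1).map(Number);
  const date = new Date(Date.UTC(y, mo - 1, d));
  const real = date.getUTCFullYear() === y && date.getUTCMonth() === mo - 1 &&
    date.getUTCDate() === d; // rejects dates such as 1990-02-30
  if (!real || y < 1900 || date > today) throw new Error("invalid date of birth");
  return { email: email.toLowerCase(), dob: m[0] };
}

// Called when the guest presses "I Agree". Returns the record for the
// marketing store (or null) and the form the browser posts to the controller.
// The email and DOB never appear in the controller form.
function handleAccept(pageUrl, input, today = new Date()) {
  if (!input.agreed) throw new Error("terms of service not accepted");
  const wlc = parseWlcRedirect(pageUrl);
  const optIn = validateOptIn(input, today);
  return {
    optIn: optIn && { ...optIn, clientMac: wlc.clientMac, wlan: wlc.wlan },
    wlcForm: {
      method: "POST",
      action: wlc.action,
      // redirect_url is fixed rather than copied from the query string, so
      // guests always land on the company site (step 5 of the question).
      fields: { buttonClicked: "4", redirect_url: LANDING_URL, err_flag: "0" },
    },
  };
}

// Constructed sample redirect, as a guest's browser would present it.
const SAMPLE_URL = "https://splash.example.com/guest.html" +
  "?switch_url=https://guest.example.com/login.html" +
  "&ap_mac=00:11:22:33:44:55&client_mac=66:77:88:99:aa:bb" +
  "&wlan=Guest&redirect=example.org/";
console.log(handleAccept(SAMPLE_URL, {
  agreed: true, optIn: true, email: "Guest@Example.org", dob: "1990-04-12",
}));
```
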

Similar Messages

  • Help on Nokia E61i associating with Cisco WLC 4402

    I met some problem with associate Nokia's dual mode mobile phone E61i with Cisco WLC 4402, hope someone can help me on it:
    I setup a VOICE WLAN in 4402(v5.0.148), Layer2 security is WPA1+WPA2, Key management using 802.1x, WPA1 policy enable both TKIP and AES, Radius server using ACS engine(v4.1.1.23)(enable PEAP-MSCHAPv2);
    I can use my laptop to join this WLAN (my laptop configured with PEAP/MSCHAPv2, WPA-TKIP, not validate server certificate), but can't let E61i join it, each time it will remind me “unable to connect, WPA authenticate failed”.
    In E61i, I select WPA/WPA2 as WLAN security mode, enable EAP-PEAP, under EAP-PEAP, I enable EAP-MSCHAPv2; however under Cipher, there's a lot of options such as “RSA,3EDS,SHA”, “RSA,AES,SHA”, but there's no TKIP, I have tried to enable all of them and tried only enable those items which include AES, but I failed each time with the same reminder “unable to connect, WPA authenticate failed”. I checked ACS's failed log, there's no record; In 4402, there also have no record.
    If I change the security to open or static WEP for VOICE WLAN, then the E61i can connect to the WLAN.
    I think the problem maybe relate to encryption or certificate, right now I just do the test in lab, not in customer's real environment, so I use ACS to generate a self signed certificate and installed it in ACS.
    Pls. help to point me what I need to adjust to make it work. Thanks!

    Hello,
    CCKM Key Management mode on Nokia E61i phone can be used
    against Cisco LWAPP AP's with TKIP encryption
    Nokia E61i (and other E-series WLAN enabled phones) are supporting CCKM key management method with both dynamic WEP and TKIP ciphers.
    On the phone configuration, 802.1X security mode needs to be in use in order to enable CCKM support. WPA/WPA2 security mode on the phone is dedicated to standards based WPA and WPA2 methods and it does not allow usage of proprietary CCKM key management method.
    Phone's 802.1X security mode does not mean that phone would only support dynamic WEP encryption method in this mode although in contexts term "802.1X" may be attached to pure dynamic WEP (legacy / pre WPA era)security methods.
     802.1X security mode can be seen on Nokia Eseries phones as sort of an "everything with EAP based authentication is allowed" mode, meaning that following key management and cipher configurations are supported:
    - WPA-Enterprise  = WPA Key Management (EAP based authentication) with TKIP encryption
    - WPA2-Enterprise = WPA2 Key Management (EAP based authentication) with AES encryption
    - Mixed WPA/WPA2-Enterprise = I.e. WPA/WPA2 Mode Migration WPA2 Key Management (EAP based authentication) with AES (for unicast data) and TKIP (for multicast data) ciphers
    - 802.1X dynamic WEP = legacy (pre-WPA era) 802.1X based dynamic WEP (EAP based authentication with dynamic WEP encryption)
    Supported:
    - CCKM with WEP = CCKM Key Management (EAP based authentication) with dynamic WEP encryption
    - CCKM with TKIP = CCKM Key Management (EAP based authentication) with TKIP encryption
    Not supported:
    - CCKM with AES = CCKM Key Management (EAP based authentication) with AES encryption
    Please note that CCKM-AES mode (CCKM Key Management with AES cipher) is not working properly due to some incompatibilities between Cisco and Nokia implementations thus it must not be listed as a supported combination on the current Nokia E-series devices. We are also seeing CCKM-Fast
    Re-authentication failures with Cisco autonomous AP's when AES encryption is used although initial authentication to autonomous AP's is successful. Nokia is currently working with Cisco to get CCKM-AES based authentications and roaming working properly with both LWAPP and autonomous Cisco AP's.
     Also note that Nokia E-Series does not support Cisco proprietary CKIP/CMIC encryption/data integrity methods. CKIP/CMIC is supported at least by Cisco autonomous AP's and it seems to be available also
    at least on LWAPP AP version 4.1.171.0.
     CCKM on E-Series devices has been tested against Cisco LWAPP (ver. 4.1.171.0) and it works when TKIP encryption is in use (WPA Policy + TKIP encryption in Cisco LWAPP configuration terms).
    In practice this means Cisco LWAPP is configured in a following manner: WLAN -> Edit -> Security-> 
    Layer 2 Security = WPA+WPA2
    WPA+WPA2 Parameters:
    -WPA Policy = enabled
    -WPA Encryption = TKIP enabled, AES disabled
    -WPA2 policy = disabled
    -Auth.Key Mgmt = CCKM
    Br,
    -Pasi-

  • Certificate based authentication with Cisco WLC and Juniper IC

    Hi
    I have a cisco WLC 4400 and Juniper IC which works as the external Radius server.
    I want the wireless clients to be authenticated using certificates. I know the Juniper IC can understand certificates.
    My question is can cisco WLC understand that the information being presented to it by the client is not username/pwd but a user certificate.
    i have also looked at this article :
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100590-ldap-eapfast-config.html
    What i don't understand here is the need of WLC authenticating the user with his credentials by LDAP when it has authenticated the user cert.
    All your help is appreciated.

    Hi,
    Since you use an external radius server you don't have to worry for this.
    The only config that you need to do on WLC is to define the radius server under Security-AAA-Radius-Authentication and on your WLAN-Security-AAA.
    The doc you refer is only for Local Radius on WLC.
    Hope this helps
    Regards,
    Christos

  • Splash page with animated gif only question

    Hello all:
    I have a splash page (index.html) that is designed using an animated gif created in photoshop. The rest of my site is Css/XHTML, but has some divs containing animated gifs. I have two questions;
    1: By using only the animated gif on the splash page, am I limiting or hindering my SEO (google, microsoft, yahoo) ranking opportunities as there is no "content" on the page that the spiders/bots can see? I went ahead and included some "content" but hid it by coloring the type the same as the background color hoping that might do something, but obviously I'm a SEO newbie so any suggestions are more than welcomed. I will include the code at the end of this post, and my site is: http://reynolds-marketing.com.
    2. Is there a way to pre-load the animated gifs on my pages so that they play more smoothly and efficiently?
    TIA for any of your help. Murman
    The code for the splash page:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <title>Reynolds Marketing - The Marketing Resource Source</title>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
    <meta name="description" content="Reynolds Marketing is a marketing services company offering a full spectrum of marketing services including: consultation, creative, production and logistical marketing services headquartered in Temecula, CA." />
    <meta name="keywords" content="Reynolds, Reynolds Marketing, marketing services company, marketing services agency, full spectrum of marketing services, full service marketing agency, marketing consultant, print creative, digital printing, offset printing, website design, website development, digital marketing, digital print on demand, DPOD,Video Production, Video Production, Direct Mail, Temecula, powerpoint presentations" />
    <link rel="shortcut icon" href="http://www.reynolds-marketing.com/favicon.ico"/>
    <!-- ImageReady Styles (index3.psd) -->
    <style type="text/css">
    <!--
    #index_ {
         position:relative;
         left:0px;
         top:0px;
         width:640px;
         height:480px;
         margin-left: auto;
         margin-right: auto;
    }
    -->
    </style>
    <!-- End ImageReady Styles -->
    </head>
    <body bgcolor="#FFFFFF" text="#FFFFFF" link="#FFFFFF" vlink="#FFFFFF" alink="#FFFFFF" id="index_" style="background-color:#FFFFFF;">
    <p>
      <!-- ImageReady Slices (index3.psd) -->
    <img src="images/index.gif" alt="" width="640" height="480" border="0" usemap="#indexMap" id="index" /></p>
    <p>Reynolds Marketing offers a full spectrum of marketing communications services including: consultation, creative, production and logistical marketing services located in Temecula, California. Our services include marketing consultation, press relations, public relations, copy writing, print creative, direct mail creative, video creative, web creative, interactive creative. Print production, direct mail, video production, web page creation and production. Digital print on demand, fulfillment services, powerpoint presentations, marketing communications, marketing communications conformance. To find out more about our services, please go to <a href="http://www.reynolds-marketing.com/who_we are.html">http://www.reynolds-marketing.com/who_we are.html</a> . </p>
    <p>Site map:<br />
      <a href="http://www.reynolds-marketing.com/index.html">http://www.reynolds-marketing.com/index.html</a><br />
      <a href="http://www.reynolds-marketing.com/who_we_are.html">http://www.reynolds-marketing.com/who_we_are.html</a><br />
      <a href="http://www.reynolds-marketing.com/contact_us.html">http://www.reynolds-marketing.com/contact_us.html</a><br />
      <a href="http://www.reynolds-marketing.com/what_we_do.html">http://www.reynolds-marketing.com/what_we_do.html</a><br />
      <a href="http://www.reynolds-marketing.com/services.html">http://www.reynolds-marketing.com/services.html</a><br />
      <a href="http://www.reynolds-marketing.com/clients.html">http://www.reynolds-marketing.com/clients.html</a><br />
      <a href="http://www.reynolds-marketing.com/projects.html">http://www.reynolds-marketing.com/projects.html</a><br />
      <a href="http://www.reynolds-marketing.com/news.html">http://www.reynolds-marketing.com/news.html</a></p>
    <p>
      <map name="indexMap" id="indexMap">
        <area shape="rect" coords="296,434,342,444" href="who_we_are.html" />
        <area shape="rect" coords="228,451,286,461" href="who_we_are.html" />
        <area shape="rect" coords="296,451,353,461" href="what_we_do.html" />
        <area shape="rect" coords="364,451,416,461" href="contact_us.html" />
      </map>
      <!-- End ImageReady Slices -->
      <script type="text/javascript">
    var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
    document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
      </script>
    </p>
    <script type="text/javascript">
    try {
    var pageTracker = _gat._getTracker("UA-8703884-1");
    pageTracker._trackPageview();
    } catch(err) {}</script>
    </body>
    </html>

    My guess is yes, but that is just my opinion.  I believe the text/background same color idea was really in vogue back in the late 90's and we all heard that it was the kiss of death for SEO that the SE's hated them so much you got de-listed, not sure if that is a fact or not.
    My bigger concern would be how many people you are losing by making them wait to get to where they want to go.  I have told many a client that in some sense, the internet is too big, you have too much competition and people have thin patience for things like splash pages.  The ooo and aaa effect of animated gifs is long dead...again, in my opinion.
    I don't know the answer to your load question...
    Gray

  • Using a swf splash page with muse

    Hi,
    I have a site that was done in Joomla and the start page is index.php, I created a swf that plays an animation and offers an "enter" button that takes you to the index.php. So when you go to the site the index.html plays the swf and then you click enter to get to the site... worked great.
    I wanted to get away from joomla with all my sites so I redid this in muse and guess what, I can't figure out how to get the splash page to work. Any ideas?
    The site is szemszem.com .... the original splash page is szemszem.com/index_old.html
    Thanks
    Mike

    Hi Mike
    I believe you have fixed the issue ??
    Thanks,
    Sanjit

  • Looking to insert a Splash page with Edge Animate than go to my home page?

    Please Help!

    In your Edge Animate file
    Click on Open Time line Actions.
    Click on the + sign on the top left
    Click  complete
    then paste this code in.
    < META http-equiv="refresh" content="10; URL=http://www.somesitename.com/home.html" >
    It should automatically move to the home page after a 10-second delay:
    Terry

  • Cisco 5508 Wireless Controller with Splash Page Disclaimer

    How does one configure a splash disclaimer page on a Cisco Wireless Controller 5508 with no authentication?
    Jimmy

    There are many options to you in this scenario, but if you're looking to simply provide a splash page via the WLC without interacting with any other web servers, you can configure Local Web Authentication (LWA) as seen in this configuration example.
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html?referring_site=RE&pos=1&page=http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71881-ext-web-auth-wlc.html
    If you are not wanting the authentication, you can choose the "passthrough" method which will not require any credentials, only accepting an AUP or whatever you want.

  • Generate one time authentication for Guest on Cisco WLC

    Hi All
    Sorry for my question, because I just started to work with Cisco WLC.
    I have created some WLAN for local users with authentication by 802.1x + Radius by certificate.
    For Guest I used PSK with MAC-filtering.
    But I see that is not comfortable for Guests, each time they come and want to access our wireless, we have to come and get their MAC.
    I checked on Internet and find that the wireless solution for Hotel, Resorts are very easy.
    I also googled and see that Cisco WLC support Lobby Ambassador to generate Guest username/password. But as I checked, this username/password might only use with Web-Auth, this method is not comfortable for Guest who don't know they have to go to Web-Auth to do authentication (e.g: when they only get pop3 email, or vpn, ... not use browsers)
    Could I use this method (or another method) for creating one time Guest wireless username/password or Guest PSK that can be used for authentication when Guests click to Wireless-SSID name only (no need to open web browser to do Web-Auth).
    Regards
    Hai

    Hi Choudhary
    Thank you much for your information
    Could I reconfirm about my concern.
    With Cisco WLC, I can use WebAuth with Guest user only
    If I want to use Guest user for authentication when guests connect to SSID (not by WebAuth, I means use Layer 2 security only, not Layer 3), I will have to use additional Radius Server.
    And if I understand right, could you please recommend me software based Radius Server with support generate one time username/password for Guest, because I checked IAS/NPS on windows server may not have this function (ISE is not appropriate for us at this time, due to high expense)
    Regards
    Hai

  • WLC 5508 Web Auth Splash Page: Is it possible to place a download?

    Hi,
    I know it is possible to create custom web auth splash pages on the WLC 5508. Is it also possible to embed a small document (less than 1MB) that users can download directly from the controller? I need this for providing the terms of use for the Guest WLAN.
    Thanks
    Michael

    It could be done, but you will want to stay within the limits of the WebAuth bundle size (~ <10MB I believe).  This shouldn't be a problem considering a .doc size, but I have to ask the same question.   Why would you want to do this as opposed to just putting your terms of use inline to the page as just text/html?  Maybe there is a good reason, but I can't really think of any scenario.  Feel free to elaborate.

  • Bonjour Discovery browser and cisco WLC mDNS

    Hello
    I'm using a Bonjour Discovery browser on an iPad to see if I can check what Bonjour services are available on a cisco 2504 running code 7.5.102.0. WLC is configured as per cisco documentation for mdns:
    Multicast disabled on WLC
    wired vlan (with bonjour services) is trunked to WLC
    mdns profile configured and bonjour services are visible on WLC
    mdns profile applied to WLAN
    when i connect an ipad to the wlan and start the browser, no services appear (2 are visible on the WLC). Debug on the WLC shows the following (where XX:XX:XX:XX:XX:XX is the iPad mac)
    *Bonjour_Msg_Task: Nov 04 10:51:06.674: XX:XX:XX:XX:XX:XX Failed to updated data to Service Provider DB
    *Bonjour_Msg_Task: Nov 04 10:51:12.798: processBonjourPacket : 935 Queried service-string : _dns-sd._udp.local. is not configured in MSAL-DB
    Is it possible to get Bonjour Discovery browser working with cisco WLC?
    thanks
    andy

    I have used Avahi when I have had deployments that were FlexConnect and the site had multiple subnets for Apple TV's and or the devices that would be using the Apple TV, printers, etc.  Avahi is free and my customers would spin this up on an available PC or laptop and connect it to the network.
    mDNS AP
    1. This feature enhancement allow controllers to have the visibility of wired service providers which are on VLANs that are not visible to the controller.
    2. User configuration is required to configure APs as mDNS AP. This configuration allows AP to forward mDNS packets to WLC.
    3. VLAN's visibility at WLC is achieved by APs forwarding the mDNS advertisements to controllers. The mDNS packet between AP and controller are forwarded in CAPWAP data tunnel similar to mDNS packets from wireless client.
    4. APs can either be in access or trunk mode to learn the mDNS packets from wired side and forward it to the controller.
    5. This  configuration also allows the user to specify the VLANs from which the  AP should snoop the mDNS advertisements from wired side. The maximum  number of VLANs that AP can snoop is 10.
    6. If the AP is in access mode, the user should NOT configure any VLANs for AP to snoop.
    AP will send untagged packets when a query  is to be sent. When an mDNS advertisement is received by mDNS AP, VLAN  information is not passed to the controller. Hence the service provider's VLAN, learnt via mDNS AP's access VLAN will be maintained as 0 in the controller.
    7. If  the AP is in trunk mode, then the user has to configure the VLAN on the  controller on which AP would snoop & forward the mDNS packets. The  native VLAN snooping is enabled by default when mDNS AP is enabled. AP will send VLAN information as 0 for packets snooped on native VLAN.
    8. This feature is supported on local and monitor mode AP, and not on Flexconnect mode APs.
    9. If a mDNS AP joins/resets (or) joins the same/another controller, the behavior is as follows:
    a. If global snooping is disabled on the controller, then a payload will be sent to AP to disable mDNS snooping.
    b. If global snooping is enabled on the controller, then configuration of the AP previous to reset/join procedure will be retained.
    Thanks,
    Scott
    *****Help out other by using the rating system and marking answered questions as "Answered"*****

  • Splash page design in Ps CS6

    Hi,
    I'm using Ps CS6 and I designed a splash page with animation and sound but am not sure how to export it so it can be an actual intro page? Can this be done or should I have created it using Flash?
    Still learning...go easy on me...LOL
    Thanks, Lee

    If you are talking about a web page, then it's simply a terrible idea. There is nothing more off-putting than having to wait for the actual content to load and unnecessary fluff consuming your data quota on mobile devices. That and of course that especially in the latter case it will cause all sorts of technical issues. Flash is most definitely out of the questions as is loading arbitrary movie clips. If at all, this will have to be properly authored in Edge Animate or similar web-centric tools. Still, even then it will impact loading times and overall user experience and potentially bad Google ratings... Otherwise feel free to render whatever you have to an animated GIF or movie clip and integrate it into your web page, but you'll still have to learn web stuff to do it...
    Mylenium

  • Splash page and embedded custom fonts?

    Hi
    Just wondering how I tag/name a splash/intro page for a website? For example say you have: home (index), about, gallery, contact. For every page you have them tagged the same so they link within the site. How or what do you name the splash/intro page?
    Also, I have some custom fonts I want to use for my sites and am wondering how to embed them so they'll be seen on any browser? Is there a one for all code?
    Thanks,
    Lee

    The use of "splash pages" has fallen out of common use (really starting back in the 90's) and should be avoided for search engine optimization reasons.
    Don't waste the first page your viewers see on a splash page with a big "whoopideedoo you found our site, look what I can do with javascript" type of effect/animation. The first page your viewers see should give them the info they need to make a decision on whether to keep clicking through your site. It's the most important page of your site, make sure it is full of relevant, keyword rich html text content. If you still want a big "rah-rah-sis-boom-bah" style effect for a first visit, put it in a modal window that shows on the viewer's first visit. Use javascript cookies to set its css to display:none for future visits if you don't want it to pop up each time.

  • Cisco WLC 5508 with 3702APs - mobile hotspot for 2000 Guest users

    Cisco WLC 5508 with 3702APs - mobile hotspot for 2000 Guest users
    I've been given a fantastic "opportunity" by my boss to use our existing wireless infrastructure to provide internet access to potentially up to 2000 VIP guests arriving with BYOD devices, in a very densely populated area for a 3 day event. We are talking an area of approx 200m x 15m. Think of it as an awards ceremony/concert. The solution will also be mobile so we will be using internet breakout from different telcos as it will move to approx 20 countries. The area is also incredibly densely populated with other wifi APs. I did a brief site survey and AirMagnet could detect over 2500 other 'rogue' APs from where I was stood! I hope CleanAir works!
    We need a simple authentication method for them to connect with zero admin from our side. We don't want to just offer up a rolling daily PSK as that's a bit amateur and we don't really want the VIP guests sharing the PSK with others during their stay. Ideally they could self-provision by providing an email address.
    I know the WLC can handle webauth for local users but I don't think it scales very well. ie I don't think I can offer the account to several hundred people.
    Cisco ISE looks a very expansive (and expensive) product but I don't think we need all its capabilities (do I?). It would be nice to just ask a potential user for their email address and grant them access and email them next year. I've seen Cisco NAC but that looks over the top too for just guest users who will only be accessing a shared internet connection.
    I've seen 3rd party supposed software solutions from Kiosk Antamedia etc do they work with Cisco Enterprise WLC solutions?
    We'd like to limit users to a certain (low) bandwidth and block (say) torrent traffic to keep the general user experience worthwhile.
    Does anybody have any case study documents or experience of such a project? As well as the authentication it's how well the APs will handle the dense potential number of clients trying to connect in such a confined space. 
    Any suggestions would be gratefully appreciated from the knowledgeable community.
    Cheers,
    Mike

    Hi Rasika,
    We are having WLC 5508 model with software version running 7.4.121.0. AP Models are AIR-CAP2602I.
    Normally our WAN links are good even while the issue pertains. We are connected to remote offices over ipsec site to site vpn for WAN. The link latency in WLC between the AP and the controller shows  <1ms.
    currently the Guest network is using WPA2-PSK auth given in the controller. we are trying to find a option to make the Guest wireless auth local to the office, and see if this solves the problem. 
    any suggestions,
    Thank you,
    Arjun

  • Cisco wired guest with one wlc

    Hello my name is Ivan
    I have a question:
    You can configure wired guest for wired network users so that appears the cisco wlc web portal for guest user authentication? having the following:
    Only one (1) cisco wlc 5508 no settings for auto anchor or foreign controller, a cisco acs v5.4,  cisco switches, and access points.
    I'm using 802.1x, and when the user because authentication policies fall into the guest vlan, the user receives full IP routing vlan guest, comes to internet through the router for guest users, but not redirected to the website of wlc.
    I would like to redirect http traffic from cisco switch to the cisco wlc for wlc web portal
    My deployment is to flex connect wireless authentication, and local switching center
    How I can do this?
    Thanks for your answers.

    Hi Scott, thanks for your answer:
    My scenario is:
    Site A Corporate
    WLC 5508 Flex Connect Central Auth + Local Switching
    1. int management:  vlan 10 - 10.1.1.2/24
    2. int virtual: 1.1.1.1
    3. wired-guest: vlan 30
    wlans:
    1. corporate - mapped to interface  management 802.1x wpa, wpa2
    2. guest - mapped to interface management web auth
    3. wired-guest: web auth, ingress wired, egress management
    Cisco ACS v5.4
    Site B: Branch
    AP Lightweight in the vlan 10, vlans mapped 100 and 30, 100 for wlan corporate and 30 for wlan guest.
    Switches Cisco,
    The branch have a router of internet to users guest.
    The switch cisco have a 802.1x configuration, and the method to authenticate users can not have a supplicant 802.1x is web auth.
    Actually i can not redirect the traffic from the switch in the branch to cisco wlc 5508 in the corporate site. The users bypass the interception of the cisco wlc and they can goes to internet without the portal of authentication.
    Please could you give advice to resolve it?
    Regards for your answers.

  • Cisco ISE web auth Splash page

    Was wondering if the splash page offered by Cisco ISE can be customized, or if it's necessary to redirect to an External server?
    Currently using a downloaded web auth pass-through splash page setup for guest access on a 5508 WLC, but have been asked to move this feature off the WLC and onto the ISE and then customize the page with company logos and a couple graphics.
    Is this possible?
    Thanks in advance...

    Yes, but you will definitely need ISE 1.3. When creating the guest portal in ISE you would select the "Hotspot Guest Portal" option. This allows guest users to just agree to an AUP (Acceptable Use Policy) and then get Wi-Fi access.
    And yes, you can also perform posture assessment:
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/118741-configure-ise-00.html#anc9
    Thank you for rating helpful posts!
