Local Authentication for Guest accounts created on WCS

I'm not sure this is technically possible but I have a requirement to set up an SSID on a WLC whereby I can provision guest user accounts from the WCS and have the WLC / SSID authenticate against the guest account created on the WCS. The SSID would not be a web-auth / layer 3 auth model but preferably be able to utilise layer 2 authentication (802.1x) against the account within WCS. Can anyone tell me if this is actually possible?
Thanks in advance for your help.
Cheers
Sent from Cisco Technical Support iPad App

Ok then .. Sounds like you are already very familiar with the wlc..
Let's kick a few ideas around ..
If you want to use WCS lobby then you can't use radius, because WCS will not update radius accounts. But you could use the WLC as a radius server and store the guest account(s) on the WLC. Gives you 802.1X security, WCS lobby admin access and your guest accounts. You can also expire the accounts as well. So you would move the control from radius to the wlc. You can also apply your qos / bandwidth.
Another option would be to create radius accounts. Set up your guest wlan, point it to radius. You can still apply a global bandwidth restriction within the qos profile on the wlc.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

Similar Messages

  • WCS logs for Guest accounts

    Hello,
    Are there any logs on the WCS that can capture the MAC and IP address of a Guest client?
    The idea is to have this information available in order to correlate it with the Web server logs. It seems that the WCS logs capture only the MAC address of a Guest client.
    Are you aware of any settings for any logs that would enable logging of both the IP and MAC address for guest accounts?
    Thank you in advance
    Best Regards,Pan

    In 5.2 take a look at the guest user session report:
    http://www.cisco.com/en/US/docs/wireless/wcs/5.2/configuration/guide/5_2reps.html#wp1117029
    Guest User Sessions Report
    The Guest User Sessions report shows historical session data for a guest user such as amount of data passed, login and logout time, the guest IP address, and the guest MAC address.
    The session data is available (by default) for one month after the session event occurs. This data retention period is configurable from the WCS background task settings page.
    This report can be generated for guest users who are associated to controllers running software version 5.2 and above.
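The correlation the question asks about, as an added example (not part of the original thread and not Cisco code): each web request is attributed to the guest whose session held that IP at that moment, because a DHCP address passes from one guest to the next and the IP alone is not enough. The CSV column names, the sample sessions and the log lines are constructed for illustration, and session times are assumed to be UTC.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Constructed sample of a guest session export (column names are assumptions).
SESSIONS_CSV = """user,mac,ip,login,logout
guest-alice,02:00:00:00:00:01,192.0.2.51,2024-03-04 09:00:00,2024-03-04 10:15:00
guest-bob,02:00:00:00:00:02,192.0.2.51,2024-03-04 11:00:00,2024-03-04 12:30:00
guest-carol,02:00:00:00:00:03,192.0.2.52,2024-03-04 09:30:00,
"""

# Constructed web server access log in common log format.
WEB_LOG = """192.0.2.51 - - [04/Mar/2024:09:42:10 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.51 - - [04/Mar/2024:10:40:00 +0000] "GET /admin HTTP/1.1" 403 128
192.0.2.51 - - [04/Mar/2024:12:05:00 +0100] "POST /login HTTP/1.1" 200 64
192.0.2.52 - - [04/Mar/2024:13:00:00 +0000] "GET /files HTTP/1.1" 200 2048
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def load_sessions(text):
    """Parse the session export; an empty logout means the session is still open."""
    sessions = []
    for row in csv.DictReader(io.StringIO(text)):
        logout = datetime.strptime(row["logout"], TS_FMT) if row["logout"] else None
        sessions.append({
            "user": row["user"], "mac": row["mac"], "ip": row["ip"],
            "login": datetime.strptime(row["login"], TS_FMT), "logout": logout,
        })
    return sessions


def parse_request(line):
    """Return ip, UTC timestamp and path for one access log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    # Normalise to naive UTC so it compares with the session timestamps.
    ts = ts.astimezone(timezone.utc).replace(tzinfo=None)
    return {"ip": m.group(1), "ts": ts, "path": m.group(4)}


def attribute(req, sessions):
    """Sessions that held the request's IP at the request's time."""
    return [s for s in sessions
            if s["ip"] == req["ip"] and s["login"] <= req["ts"]
            and (s["logout"] is None or req["ts"] <= s["logout"])]


def correlate(log_text, sessions):
    """Return (time, ip, path, user, mac) per request; user flags gaps and overlaps."""
    rows = []
    for line in log_text.splitlines():
        req = parse_request(line)
        if req is None:
            continue
        hits = attribute(req, sessions)
        if len(hits) == 1:
            who = (hits[0]["user"], hits[0]["mac"])
        elif not hits:
            who = ("unattributed", None)   # no session covered this time
        else:
            who = ("ambiguous", None)      # overlapping sessions on one IP
        rows.append((req["ts"].strftime(TS_FMT), req["ip"], req["path"]) + who)
    return rows


if __name__ == "__main__":
    for row in correlate(WEB_LOG, load_sessions(SESSIONS_CSV)):
        print(row)
```

The second request falls between two sessions on the same address and is reported as unattributed rather than being pinned on either guest.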

  • Help with configuring AP-1240AG as local authenticator for EAP-FAST client

    Hi,
    I am trying to configure an AP-1240AG as a local authenticator for a Windows XP client with no success. Here is a part of the AP configuration:
    dot11 lab_test
       authentication open eap eap_methods
       authentication network-eap eap_methods
       guest-mode
       infrastructure-ssid
    radius-server local
      eapfast authority id 0102030405060708090A0B0C0D0E0F10
      eapfast authority info lab
      eapfast server-key primary 7 211C7F85F2A6056FB6DC70BE66090DE351
      user georges nthash 7 115C41544E4A535E2072797D096466723124425253707D0901755A5B3A370F7A05
    Here is the Windows XP client configuration:
    Authentication: Open
    Encryption WEP
    Disable Cisco ccxV4 improvements
    username: georges
    password: georges
    Results: The show radius local-server statistics does not show any activity for the user georges and the debug messages are showing the following:
    *Mar  4 01:15:58.887: %DOT11-7-AUTH_FAILED: Station 0016.6f68.b13b Authentication failed
    *Mar  4 01:16:28.914: %DOT11-7-AUTH_FAILED: Station 0016.6f68.b13b Authentication failed
    *Mar  4 01:16:56.700: RADIUS/ENCODE(00001F5C):Orig. component type = DOT11
    *Mar  4 01:16:56.701: RADIUS:  AAA Unsupported Attr: ssid              [263] 19
    *Mar  4 01:16:56.701: RADIUS:    [lab_test]
    *Mar  4 01:16:56.701: RADIUS:   65                                               [e]
    *Mar  4 01:16:56.701: RADIUS:  AAA Unsupported Attr: interface         [156] 4
    *Mar  4 01:16:56.701: RADIUS:   38 32                                            [82]
    *Mar  4 01:16:56.701: RADIUS(00001F5C): Storing nasport 8275 in rad_db
    *Mar  4 01:16:56.702: RADIUS(00001F5C): Config NAS IP: 10.5.104.22
    *Mar  4 01:16:56.702: RADIUS/ENCODE(00001F5C): acct_session_id: 8026
    *Mar  4 01:16:56.702: RADIUS(00001F5C): sending
    *Mar  4 01:16:56.702: RADIUS/DECODE: parse response no app start; FAIL
    *Mar  4 01:16:56.702: RADIUS/DECODE: parse response; FAIL
    It seems that the radius packet that the AP receives is not what is expected. Do not know if the problem is with the client or with the AP configuration. Tried many things but running out of ideas. Any suggestions would be welcome
    Thanks

    Hi Stephen,
    I do not want to create a workgroup bridge, just want to have the wireless radio bridge with the Ethernet port. I will remove the infrastructure command.
    Thanks for your help
    Stephane
    Here is the complete configuration:
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname Lab
    ip subnet-zero
    aaa new-model
    aaa group server radius rad_eap
    aaa group server radius rad_mac
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 lab_test
       authentication open eap eap_methods
       authentication network-eap eap_methods
       guest-mode
       infrastructure-ssid
    power inline negotiation prestandard source
    bridge irb
    interface Dot11Radio0
     no ip address
     no ip route-cache
     ssid lab_test
     traffic-metrics aggregate-report
     speed basic-54.0
     no power client local
     channel 2462
     station-role root
     antenna receive right
     antenna transmit right
     no dot11 extension aironet
     bridge-group 1
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    interface Dot11Radio1
     no ip address
     no ip route-cache
     shutdown
     dfs band 3 block
     speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
     channel dfs
     station-role root
     no dot11 extension aironet
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
     hold-queue 160 in
    interface BVI1
     ip address 10.5.104.22 255.255.255.0
    ip default-gateway 10.5.104.254
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server local
      eapfast authority id 000102030405060708090A0B0C0D0E0F
      eapfast authority info LAB
      eapfast server-key primary 7 C7AC67E296DF3437EB018F73BE00D822B8
      user georges nthash 7 14424A5A555C72790070616C03445446212202080A75705F513942017A76057007
    control-plane
    bridge 1 route ip
    line con 0
    line vty 0 4
    end

  • NAC guest server with RADIUS authentication for guests issue.

    Hi all,
    We have just finally successfully installed our Cisco NAC guest server. We have version 2 of the server and basically the topology consists of a wism at the core of the network and a 4402 controller at the dmz, then out the firewall, no issues with that. We do however have a few problems, how can we provide access through a proxy without using pak files obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a radius attribute etc.
    The second problem is more serious; refer to the documentation below from the configuration guide for guest nac server v2. It states that hotspots can be used and the Authentication option would allow radius authentication for guests. I’ve been told otherwise by Cisco and they say it can’t be done. Has anyone got radius authentication working for guests?
    https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
    -----START QUOTE-----
    Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
    •Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
    •Self Service—This option allows guest self service. After selection proceed to Step 8.
    •Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
    ----- END QUOTE-----
    Your help is much appreciated on this, I’ve been looking forward to this project for a long time and it’s a bit of an anti climax that I can’t authenticate guests with radius (We use ACS and I was hoping to hook radius into an ODBC database we have setup called open galaxy)
    Regards
    Kevin Woodhouse

    Well I will try to answer your 2nd question.... will it work... yes.  It is like any other radius server (high end:))  But why would you do this for guest.... there is no reason to open up a port on your FW and to add guest accounts to and worse... add them in AD.  Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest accounts and if you look at it, it leaves everything in the DMZ.
    Now if you are looking at the self service.... what does that really give you.... you won't be able to control who gets on, people will use bogus info and last but not least.... I have never gotten that to work right.  Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that.  That is my opinion.

  • Metadata refresh for Guest Account

    Hi All,
    Recently I faced a strange issue.
    I had some changes made at the back-end table data.
    When I logged in as Guest I saw the report reflecting the changes but when another end user logged in, he was not able to see those changes in the report. Next day he was able to see the desired results.
    Pretty obvious the metadata was not refreshed.
    But why did it happen, how can metadata behave differently for Guest and other users.
    Can someone throw some light at the possible reasons for this issue.
    Is there some predefined mechanism for Cache maintenance for Guest account?
    Thanks in advance,
    Anurag

    Thanks for the response John, but how will one come to know if a old session id has been picked.
    This is something really serious as it may cause unupdated data to be displayed to the user.
    Any possible solutions to prevent this sort of issue from duplicating in future.
    Thanks in advance.
    Anurag

  • How to change the picture for guest account that was created by "find my mac"? Is it possible to change the photo?

    I want to change the picture to my guest account that was created by "find my mac." I tried using the workspace type program but it did not recognize my guest account.  I am not sure what to do and need some help. Thanks!

    I don't think there is a straight-forward way to do this. However, if the guest account is bothering you, you can disable it from within the System Preferences.

  • RADIUS Authentication for Guest users

    Hi,
    I currently use a 4402 WLC located in our DMZ to authenticate Guest users - local authentication is in place.  I would not like to setup RADIUS authentication via a Cisco NAC server.  In order not to affect current guest users, I created a new WLAN and configured with RADIUS server details under WLANs->Edit->Security.  I can associate to new WLAN and obtain a DHCP address no problem, but when I browse to an external website, I do not get prompted for authentication from the RADIUS server.  I don't see any auth requests hitting our firewall, so am assuming the problem is with the WLC config.
    Can anyone provide any details of what config is required?
    Security Policy - Web-Auth
    Security-> L2 - None
    Security-> L3 - Authentication
    Security-> AAA Servers - Auth and Acc server set
    Many thanks
    Liam

    your setup sounds pretty okay. have you got local user accounts set up on the WLC for the test WLAN? if you do, check to see that the priority order for web authentication for the test WLAN prefers the AAA account. you will have to do it directly on your controller as i do not think you have that option in WCS.
    hope that helps

  • Generate one time authentication for Guest on Cisco WLC

    Hi All
    Sorry for my question, because I just started to work with Cisco WLC.
    I have created some WLAN for local users with authentication by 802.1x + Radius by certificate.
    For Guest I used PSK with MAC-filtering.
    But I see that is not comfortable for Guests, each time they come and want to access our wireless, we have to come and get their MAC.
    I checked on Internet and find that the wireless solution for Hotel, Resorts are very easy.
    I also googled and see that Cisco WLC supports Lobby Ambassador to generate Guest username/password. But as I checked, this username/password might only be used with Web-Auth; this method is not comfortable for Guests who don't know they have to go to Web-Auth to do authentication (e.g. when they only get POP3 email, or VPN, ... and do not use browsers)
    Could I use this method (or another method) for creating one time Guest wireless username/password or Guest PSK that can be used for authentication when Guests click to Wireless-SSID name only (no need to open web browser to do Web-Auth).
    Regards
    Hai

    Hi Choudhary
    Thank you much for your information
    Could I reconfirm about my concern.
    With Cisco WLC, I can use WebAuth with Guest user only
    If I want to use Guest user for authentication when guests connect to SSID (not by WebAuth, I mean use Layer 2 security only, not Layer 3), I will have to use additional Radius Server.
    And if I understand right, could you please recommend me software based Radius Server with support generate one time username/password for Guest, because I checked IAS/NPS on windows server may not have this function (ISE is not appropriate for us at this time, due to high expense)
    Regards
    Hai

  • Authentication for Guest Access

    Hi, we are looking for a solution for either automated daily creation of guest user accounts or a console for clients enter their details which in turn creates the guest account on the controller.
    If we go down the path of automation, policy requires a single username/password for each day, unfortunately WLC scheduled guest account creation is not an option as the recurrence doesn't change the password, but it would be a handy feature if Cisco would like to introduce it in a future release
    The CLI has the option to create 'config netuser add [name] [password] WLANID [X] userType guest lifetime [seconds]' - Can we schedule and email this from the CLI on the controller?
    Appreciate your time.
    Brendan

    Brendan,
    Currently there is no way to automate this process. The process that has been developed is either an admin on the wlc/wcs creates the account or the use of the lobby admin feature. WCS has the lobby admin feature also to create accounts but it isn't intended for guest users to create their own account.
    The wlc doesn't have a schedule to enter a command via the cli, but I bet you can develop some web-based guest creation that would send the command to the wlc and remember that command to remove it later.
    Sent from Cisco Technical Support iPhone App
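A starting point for the helper suggested in the reply above, as an added example (not code from the thread or from Cisco): it builds one guest account per day with a fresh random password, the add command in the form quoted in the question, and the matching `config netuser delete` line to remember for clean-up. The account-name scheme, the 60-second lifetime floor and the helper names are assumptions; sending the lines to the controller is left to whatever management session you already use.

```python
import re
import secrets
from datetime import datetime, timedelta

# Alphabet without look-alike characters (0/O, 1/l/I), easier to read off a ticket.
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789"
# Allow-list for anything interpolated into a CLI line, so a crafted name
# cannot carry whitespace, quotes or a second command into the session.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,24}")
MIN_LIFETIME = 60  # assumed floor in seconds; check your controller's limits

# Keyword spelling follows the command as quoted in the question above;
# confirm it against the CLI reference for your controller release.
ADD_TEMPLATE = ("config netuser add {name} {password} WLANID {wlan} "
                "userType guest lifetime {life}")


def new_password(length=12):
    """Random password from the OS CSPRNG (never the `random` module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def seconds_until_midnight(now):
    """Lifetime that expires the account at the end of the current day."""
    midnight = (now + timedelta(days=1)).replace(
        hour=0, minute=0, second=0, microsecond=0)
    return max(int((midnight - now).total_seconds()), MIN_LIFETIME)


def build_daily_guest(now, wlan_id, prefix="guest"):
    """Return the account details and the CLI lines for one day's guest account."""
    name = f"{prefix}-{now:%Y%m%d}"
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"unsafe account name: {name!r}")
    if type(wlan_id) is not int or wlan_id < 1:
        raise ValueError("wlan_id must be a positive integer")
    password = new_password()
    life = seconds_until_midnight(now)
    fields = {"name": name, "wlan": wlan_id, "life": life}
    return {
        "name": name,
        "password": password,
        "lifetime": life,
        # Line to send to the controller; contains the secret, do not log it.
        "add_cmd": ADD_TEMPLATE.format(password=password, **fields),
        # Redacted copy that is safe for audit logs.
        "log_line": ADD_TEMPLATE.format(password="********", **fields),
        # Stored so the account can be removed early if needed.
        "delete_cmd": f"config netuser delete {name}",
    }


if __name__ == "__main__":
    guest = build_daily_guest(datetime.now(), wlan_id=3)
    print(guest["log_line"])
    print(guest["delete_cmd"])
```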

  • Cisco WLC local net user - guest account

    Hello,
    We have a 2504 Cisco WLC.  I am creating Local Net Users for one of the WLANs that uses Web Auth and the Local Database.
    My one question is, what does a "guest account" do differently than a non guest account besides the ability to create the lifetime of the account?  I mean, it seems both give access to the WLAN so I am failing to see the difference between the two.
    Any help is greatly appreciated.

    A guest acct can only login to a webauth WLAN. A normal netuser can login to any WLAN that you allow or all. Including 802.1x if that WLAN is allowed to check the local db
    Steve
    Sent from Cisco Technical Support iPhone App

  • WLC to ISE authentication for Guest

    Hi Experts,
    Hope if you could guide me with our setup for Guest users. Below is what we are doing
    a)     Guest connects to SSID
    b)     WLC is being used to redirect Guest HTTP to WLC internal Portal
    c)     WLC forwards guest authentication details to cisco ISE [ISE and WLC radius]
    The guest connects to SSID and does get WLC portal for authentication, when the username and password entered on Cisco ISE i see error message as
    'User Identity not found in any of Identity Store' though it is going through correct Store and the Guest name is certainly configured on Cisco ISE. ISE version is 1.2 and WLC is 7.4, please let me know if i am missing anything here.
    Appreciate your help

    The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning. The flow includes these steps:
    Please follow below guide for step by step configuration:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

  • Settings for guest account

    i admin some macs at the local university's art education. we've got six macs and 45 students. FCS, CS4 and PRO TOOLS, along with various open source software. for the upcoming semester, we've decided that each student is no longer allowed to store their files on the internal disks. the solution i was going for, was using the guest account. each student will no longer log into their account, but hook up their private external disk to save their files to.
    the problem is, i can't configure the looks and behaviors of the guest account. for example, i would like to add the app icons they'll be working with to the dock, i'd like to set the right clicking on the mighty mouse to be a secondary click, separate pro tools shortcuts from osx exposé/dashboard, change privileges to the shared folders etc.
    but every log out / log in, these settings are restored to a default.
    is there any way i can override this default?
    or is there a better way to organize this altogether?

    iColor wrote:
    that's great.
    it seems i cannot actually set all the preferences. like the obvious right secondary mouse click, appearance and energy saving. or could i, clicking 'preferences', then details' and adding something to the list?
    but dock customization is a 'start'.
    if i want to manage accounts on other machines on the local network, what do i enter instead of 'localhost'?
    I don't think you can do this at all unless you run OS X server. I could be wrong and the IP address of the remote computer might work but I never tried that myself.
    i recently bought apple remote desktop, - the workgroup manager seems to be a great addition to that. almost as it should be integrated in it.
    thank you again
    Message was edited by: V.K.

  • Lobby Admin for guest account creation - Automation of account creation

    hello all,
    i'm sure the creation of guest accounts on the lobby admin page is a painful process for all involved - for us, it involves a process like this:
    visitor asks for wifi > receptionist phones IT > IT creates account> IT phones receptionist with login details.
    I would like to know whether it's possible to speed up this process either:
    1) receptionist is able to click a few buttons, type the name of a visitor (so we know who used the particular guest ID), then is able to generate an ID and password immediately, which can then be printed onto a ticket printer of some sort.
    2) visitor simply connects into the guest network, has to register (name and email) and automatically gets connected.
    are any of these possible? or any other option I could take?
    Thanks

    Why not just have the receptionist create the account via the Lobby Admin login?  The point of Lobby Admin is such that an elevated end-user (receptionist/security/etc) can log in to create a guest account without having to interact with an "admin".  There's no point in having your IT staff handle the Lobby Admin logins.
    Some of the other items you are asking for would be a better use-case with Cisco ISE solution.

  • Set reverse scroll direction for guest account

    Is there a way to set the default scroll direction to reverse scrolling for the guest account?
    Thanks.

    No: all settings are restored to default when the guest logs out. But you could create a managed account for visitors, with suitable restrictions, then that would hold any setting you made. Of course its contents won't be deleted when they log out, which can be an advantage or a disadvantage depending on circumstances.

  • Changed file viewing settings for Guest account, now iMac won't boot :(

    I'll start this off by mentioning that I'm not really a techie type person, but I'll do my best to describe what I did as accurately as possible. And I'm pretty good at following layman's terms troubleshooting advice!
    I recently decided to move my iMac into the living room of my apartment. I have never found the need to create a Guest account, but I figured it might be convenient for..well, a guest every now and then. But when I created the guest account I discovered very quickly that they would have access to all of my photos, documents, movies, etc. via the "view all documents" "view all photos" tabs on the left-hand side of the Finder window. I googled what to do and people were saying that it is best to change the viewing options of particular folders via the "get info" tab when you right-click on a folder. There were three categories, the first one I believe was Admin or the main user, the second is "wheel" and the third says "Everyone". I changed the "Everyone" access on the folders I wanted private from read-writable to "none". I left the "wheel" and "admin" categories alone. I also did this to the utilities folder, and the library under the assumption it would only affect guest access to these files, not admin access!
    Also, under the Account Preferences tab in the Apple menu I disabled the viewing of shared folders for the guest. I also disabled automatic login.
    Next thing I know, while I'm under the guest login trying to test out my security updates, I see I can't click on anything! Or open anything! I can't open the finder at all, I can't open the internet, I can't even get to the Apple drop-down menu. I couldn't even log out of guest. I had to turn off my computer without shutting it down. I turned it back on, and it went through the motions of booting up until the blue screen with the grey dashed loading circle (no beach ball, thank god). It acts like it will proceed beyond that point, the grey circle disappears for a moment, but then nothing happens and that process starts over. Like it's stuck and can't find its own files. I also notice a tiny white square in the upper left-hand corner of the blue screen if that means anything.
    I don't know what the heck I did. I think I somehow managed to block my own admin access (is that even possible??).
    -Shayna

    You need to get the install discs, erase the hard drive, and reinstall all the software from scratch. When acquiring a used Mac there's no way to know what condition its software is in... there might be hacks, security holes, pirated software, keyloggers, credit card sniffers, or other even riskier stuff on it. Using a pre-owned Mac's software as-is is a Very High Security Risk. Your Mac's software is obviously distressed. What's more, you are not licensed to use any Apple software unless you own and are in possession of the install discs.
    Get the discs and reinstall. Apple will send you new ones that match your model for a small shipping fee. Call them and provide your Mac's serial number.
