Local Authentication for Guest accounts created on WCS
I'm not sure this is technically possible but I have a requirement to set up an SSID on a WLC whereby I can provision guest user accounts from the WCS and have the WLC / SSID authenticate against the guest account created on the WCS. The SSID would not be a web-auth / layer 3 auth model but preferably be able to utilise layer 2 authentication (802.1x) against the account within WCS. Can anyone tell me if this is actually possible?
Thanks in advance for your help.
Cheers
Sent from Cisco Technical Support iPad App
Ok then .. Sounds like you are already very familiar with the WLC..
Let's kick a few ideas around ..
If you want to use WCS lobby admin then you can't use RADIUS, because WCS will not update RADIUS accounts. But you could use the WLC as a RADIUS server and store the guest account(s) on the WLC. That gives you 802.1X security, WCS lobby admin access and your guest accounts. You can also expire the accounts as well. So you would move the control from RADIUS to the WLC. You can also apply your QoS / bandwidth.
Another option would be to create RADIUS accounts. Set up your guest WLAN, point it to RADIUS. You can still apply a global bandwidth restriction within the QoS profile on the WLC.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
Similar Messages
-
Hello,
Are there any logs on the WCS that can capture the MAC and IP address of a Guest client ?
The idea is to have this information available in order to correlate it with the Web server logs. It seems that the WCS logs capture only the MAC address of a Guest client.
Are you aware of any settings for any logs that would enable logging of both the IP and MAC address for guest accounts ?
Thank you in advance
Best Regards, Pan
In 5.2 take a look at the guest user session report:
http://www.cisco.com/en/US/docs/wireless/wcs/5.2/configuration/guide/5_2reps.html#wp1117029
Guest User Sessions Report
The Guest User Sessions report shows historical session data for a guest user such as amount of data passed, login and logout time, the guest IP address, and the guest MAC address.
The session data is available (by default) for one month after the session event occurs. This data retention period is configurable from the WCS background task settings page.
This report can be generated for guest users who are associated to controllers running software version 5.2 and above.
-
Help with configuring AP-1240AG as local authenticator for EAP-FAST client
Hi,
I am trying to configure an AP-1240AG as a local authenticator for a Windows XP client with no success. Here is a part of the AP configuration:
dot11 lab_test
authentication open eap eap_methods
authentication network-eap eap_methods
guest-mode
infrastructure-ssid
radius-server local
eapfast authority id 0102030405060708090A0B0C0D0E0F10
eapfast authority info lab
eapfast server-key primary 7 211C7F85F2A6056FB6DC70BE66090DE351
user georges nthash 7 115C41544E4A535E2072797D096466723124425253707D0901755A5B3A370F7A05
Here is the Windows XP client configuration:
Authentication: Open
Encryption WEP
Disable Cisco ccxV4 improvements
username: georges
password: georges
Results: The show radius local-server statistics does not show any activity for the user georges and the debug messages are showing the following:
*Mar 4 01:15:58.887: %DOT11-7-AUTH_FAILED: Station 0016.6f68.b13b Authentication failed
*Mar 4 01:16:28.914: %DOT11-7-AUTH_FAILED: Station 0016.6f68.b13b Authentication failed
*Mar 4 01:16:56.700: RADIUS/ENCODE(00001F5C):Orig. component type = DOT11
*Mar 4 01:16:56.701: RADIUS: AAA Unsupported Attr: ssid [263] 19
*Mar 4 01:16:56.701: RADIUS: [lab_test]
*Mar 4 01:16:56.701: RADIUS: 65 [e]
*Mar 4 01:16:56.701: RADIUS: AAA Unsupported Attr: interface [156] 4
*Mar 4 01:16:56.701: RADIUS: 38 32 [82]
*Mar 4 01:16:56.701: RADIUS(00001F5C): Storing nasport 8275 in rad_db
*Mar 4 01:16:56.702: RADIUS(00001F5C): Config NAS IP: 10.5.104.22
*Mar 4 01:16:56.702: RADIUS/ENCODE(00001F5C): acct_session_id: 8026
*Mar 4 01:16:56.702: RADIUS(00001F5C): sending
*Mar 4 01:16:56.702: RADIUS/DECODE: parse response no app start; FAIL
*Mar 4 01:16:56.702: RADIUS/DECODE: parse response; FAIL
It seems that the RADIUS packet that the AP receives is not what is expected. I do not know if the problem is with the client or with the AP configuration. I have tried many things but am running out of ideas. Any suggestions would be welcome.
Thanks
Hi Stephen,
I do not want to create a workgroup bridge, just want to have the wireless radio bridge with the Ethernet port. I will remove the infrastructure command.
Thanks for your help
Stephane
Here is the complete configuration:
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Lab
ip subnet-zero
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 lab_test
authentication open eap eap_methods
authentication network-eap eap_methods
guest-mode
infrastructure-ssid
power inline negotiation prestandard source
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
ssid lab_test
traffic-metrics aggregate-report
speed basic-54.0
no power client local
channel 2462
station-role root
antenna receive right
antenna transmit right
no dot11 extension aironet
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
dfs band 3 block
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
channel dfs
station-role root
no dot11 extension aironet
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
hold-queue 160 in
interface BVI1
ip address 10.5.104.22 255.255.255.0
ip default-gateway 10.5.104.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server local
eapfast authority id 000102030405060708090A0B0C0D0E0F
eapfast authority info LAB
eapfast server-key primary 7 C7AC67E296DF3437EB018F73BE00D822B8
user georges nthash 7 14424A5A555C72790070616C03445446212202080A75705F513942017A76057007
control-plane
bridge 1 route ip
line con 0
line vty 0 4
end
-
NAC guest server with RADIUS authentication for guests issue.
Hi all,
We have just finally successfully installed our Cisco NAC guest server. We have version 2 of the server and basically the topology consists of a wism at the core of the network and a 4402 controller at the dmz, then out the firewall, no issues with that. We do however have a few problems, how can we provide access through a proxy without using pak files obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a radius attribute etc.
The second problem is more serious; refer to the documentation below from the configuration guide for guest NAC server v2. It states that hotspots can be used and the Authentication option would allow RADIUS authentication for guests. I’ve been told otherwise by Cisco and they say it can’t be done. Has anyone got RADIUS authentication working for guests?
https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
-----START QUOTE-----
Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
•Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
•Self Service—This option allows guest self service. After selection proceed to Step 8.
•Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
----- END QUOTE-----
Your help is much appreciated on this, I’ve been looking forward to this project for a long time and it’s a bit of an anti climax that I can’t authenticate guests with radius (We use ACS and I was hoping to hook radius into an ODBC database we have setup called open galaxy)
Regards
Kevin Woodhouse
Well I will try to answer your 2nd question.... will it work... yes. It is like any other radius server (high end:)) But why would you do this for guest.... there is no reason to open up a port on your FW and to add guest accounts to and worse... add them in AD. Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest accounts and if you look at it, it leaves everything in the DMZ.
Now if you are looking at the self service.... what does that really give you.... you won't be able to control who gets on, people will use bogus info and last but not least.... I have never gotten that to work right. Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that. That is my opinion.
-
Metadata refresh for Guest Account
Hi All,
Recently I faced a strange issue.
I had some changes made at the back-end table data.
When I logged in as Guest I saw the report reflecting the changes, but when another end user logged in, he was not able to see those changes in the report. The next day he was able to see the desired results.
Pretty obvious the metadata was not refreshed.
But why did it happen? How can metadata behave differently for Guest and other users?
Can someone throw some light at the possible reasons for this issue.
Is there some predefined mechanism for Cache maintenance for Guest account?
Thanks in advance,
Anurag
Thanks for the response John, but how will one come to know if an old session id has been picked?
This is something really serious as it may cause outdated data to be displayed to the user.
Any possible solutions to prevent this sort of issue from duplicating in future?
Thanks in advance.
Anurag
-
I want to change the picture to my guest account that was created by "find my mac." I tried using the workspace type program but it did not recognize my guest account. I am not sure what to do and need some help. Thanks!
I don't think there is a straight-forward way to do this. However, if the guest account is bothering you, you can disable it from within the System Preferences.
-
RADIUS Authentication for Guest users
Hi,
I currently use a 4402 WLC located in our DMZ to authenticate Guest users - local authentication is in place. I would now like to set up RADIUS authentication via a Cisco NAC server. In order not to affect current guest users, I created a new WLAN and configured it with the RADIUS server details under WLANs->Edit->Security. I can associate to the new WLAN and obtain a DHCP address no problem, but when I browse to an external website, I do not get prompted for authentication from the RADIUS server. I don't see any auth requests hitting our firewall, so am assuming the problem is with the WLC config.
Can anyone provide any details of what config is required?
Security Policy - Web-Auth
Security-> L2 - None
Security-> L3 - Authentication
Security-> AAA Servers - Auth and Acc server set
Many thanks
Liam
Your setup sounds pretty okay. Have you got local user accounts set up on the WLC for the test WLAN? If you do, check to see that the priority order for web authentication for the test WLAN prefers the AAA account. You will have to do it directly on your controller as I do not think you have that option in WCS.
Hope that helps
-
Generate one time authentication for Guest on Cisco WLC
Hi All
Sorry for my question, because I just started to work with Cisco WLC.
I have created some WLAN for local users with authentication by 802.1x + Radius by certificate.
For Guest I used PSK with MAC-filtering.
But I see that is not comfortable for Guests, each time they come and want to access our wireless, we have to come and get their MAC.
I checked on Internet and find that the wireless solution for Hotel, Resorts are very easy.
I also googled and see that Cisco WLC support Lobby Ambassador to generate Guest username/password. But as I checked, this username/password might only use with Web-Auth, this method is not comfortable for Guest who don't know they have to go to Web-Auth to do authentication (e.g: when they only get pop3 email, or vpn, ... not use browsers)
Could I use this method (or another method) for creating one time Guest wireless username/password or Guest PSK that can be used for authentication when Guests click to Wireless-SSID name only (no need to open web browser to do Web-Auth).
Regards
Hai
Hi Choudhary
Thank you much for your information
Could I reconfirm about my concern.
With Cisco WLC, I can use WebAuth with Guest user only.
If I want to use Guest user for authentication when guests connect to SSID (not by WebAuth, I mean using Layer 2 security only, not Layer 3), I will have to use an additional RADIUS Server.
And if I understand right, could you please recommend me a software based RADIUS Server with support for generating one time username/password for Guest, because I checked IAS/NPS on Windows server and it may not have this function (ISE is not appropriate for us at this time, due to high expense)
Regards
Hai
-
Authentication for Guest Access
Hi, we are looking for a solution for either automated daily creation of guest user accounts or a console for clients enter their details which in turn creates the guest account on the controller.
If we go down the path of automation, policy requires a single username/password for each day. Unfortunately WLC scheduled guest account creation is not an option as the recurrence doesn't change the password, but it would be a handy feature if Cisco would like to introduce it in a future release.
The CLI has the option to create 'config netuser add [name] [password] WLANID [X] userType guest lifetime [seconds]' - Can we schedule and email this from the CLI on the controller?
Appreciate your time.
Brendan
Brendan,
Currently there is no way to automate this process. The process that has been developed is either an admin on the WLC/WCS creates the account or the use of the lobby admin feature. WCS has the lobby admin feature also to create accounts but it isn't intended for guest users to create their own account.
The WLC doesn't have a scheduler to enter a command via the CLI, but I bet you can develop some web-based guest creation that would send the command to the WLC and remember that command to remove it later.
Sent from Cisco Technical Support iPhone App
-
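As an added example (not from the thread and not Cisco's code), here is a small Python job that produces the single daily guest credential the policy above asks for, using the 'config netuser add ... userType guest lifetime ...' command quoted by Brendan, together with the matching delete command the answer says to remember. It also illustrates the first answer on this page, where the WLC holds the guest accounts and expires them itself. The job only builds the command text; how it reaches the controller (SSH, a WCS template, an operator pasting it) is outside the example. Assumptions: the delete syntax 'config netuser delete username <name>', the 24-character cap used for the password, and the sample WLAN ID 3 in the usage call.

```python
"""
Added example: one-time daily guest credential for a Cisco WLC local net user.
Builds the WLC CLI lines only; nothing here talks to a controller.
"""
import re
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Alphabet without look-alike characters: the password is read off a printed ticket.
_ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")

# Assumed upper bound for WLC net user passwords; check your controller release.
_MAX_LEN = 24


@dataclass(frozen=True)
class GuestCredential:
    username: str
    password: str
    wlan_id: int
    lifetime_seconds: int

    def add_command(self) -> str:
        # Syntax as quoted in the thread.
        return (f"config netuser add {self.username} {self.password} "
                f"WLANID {self.wlan_id} userType guest lifetime {self.lifetime_seconds}")

    def delete_command(self) -> str:
        # Assumed syntax for the clean-up step the answer says to remember.
        return f"config netuser delete username {self.username}"


def random_password(length: int = 12) -> str:
    # secrets, not random: a guest password is still a credential.
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def daily_guest(now: datetime, wlan_id: int, password_length: int = 12) -> GuestCredential:
    """One credential for the calendar day containing `now`, expiring at local midnight."""
    if not 8 <= password_length <= _MAX_LEN:
        raise ValueError("password length out of range")
    start = now.replace(hour=0, minute=0, second=0, microsecond=0)
    end = start + timedelta(days=1)
    # The WLC counts lifetime from creation, so measure from `now`, not from midnight.
    lifetime = int((end - now).total_seconds())
    if lifetime <= 0:
        raise ValueError("day already over")
    username = f"guest{start:%Y%m%d}"
    return GuestCredential(username, random_password(password_length), wlan_id, lifetime)


def daily_guest_iso(timestamp: str, wlan_id: int, password_length: int = 12) -> GuestCredential:
    """Same as daily_guest, taking an ISO-8601 timestamp (convenient for cron jobs and tests)."""
    return daily_guest(datetime.fromisoformat(timestamp), wlan_id, password_length)


_CMD_RE = re.compile(r"^config netuser add (\S+) (\S+) WLANID (\d+) userType guest lifetime (\d+)$")


def parse_add_command(cmd: str) -> Optional[GuestCredential]:
    """Recover the credential from a logged add command (lets an audit job match adds to deletes)."""
    m = _CMD_RE.match(cmd)
    if m is None:
        return None
    return GuestCredential(m.group(1), m.group(2), int(m.group(3)), int(m.group(4)))


if __name__ == "__main__":
    cred = daily_guest(datetime.now(), wlan_id=3)  # WLAN ID 3 is a sample value
    print(cred.add_command())
    print(cred.delete_command())
```

The lifetime runs from the moment of creation to local midnight, so an account created at 08:00 lives 16 hours and the controller removes it without a second job. A single shared daily credential gives no per-visitor accountability; the lobby admin workflow discussed elsewhere on this page does, which is the trade-off to weigh before automating this.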
Cisco WLC local net user - guest account
Hello,
We have a 2504 Cisco WLC. I am creating Local Net Users for one of the WLANs that uses Web Auth and the Local Database.
My one question is, what does a "guest account" do differently than a non guest account besides the ability to create the lifetime of the account? I mean, it seems both give access to the WLAN so I am failing to see the difference between the two.
Any help is greatly appreciated.
A guest acct can only login to a webauth WLAN. A normal netuser can login to any WLAN that you allow or all. Including 802.1x if that WLAN is allowed to check the local db
Steve
Sent from Cisco Technical Support iPhone App
-
WLC to ISE authentication for Guest
Hi Experts,
Hope you could guide me with our setup for Guest users. Below is what we are doing:
a) Guest connects to SSID
b) WLC is being used to redirect Guest HTTP to WLC internal Portal
c) WLC forwards guest authentication details to cisco ISE [ISE and WLC radius]
The guest connects to SSID and does get WLC portal for authentication, but when the username and password are entered on Cisco ISE I see the error message
'User Identity not found in any of Identity Store' though it is going through the correct Store and the Guest name is certainly configured on Cisco ISE. ISE version is 1.2 and WLC is 7.4, please let me know if I am missing anything here.
Appreciate your help
The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning. The flow includes these steps:
Please follow the guide below for step by step configuration:
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
-
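To make the "WLC forwards guest authentication details to Cisco ISE [RADIUS]" step concrete, here is an added Python example (not Cisco's code and not from the thread) of the RADIUS exchange itself: the NAS hides the PAP password with the shared secret and the request authenticator (RFC 2865 section 5.2), the server recovers it and checks the user against its identity store, and the NAS verifies the Response Authenticator on the Access-Accept or Access-Reject (RFC 2865 section 3). The shared secret, the identifier 7 and the user database are constructed sample values; real WLC-to-ISE traffic carries further attributes (NAS-IP-Address, Calling-Station-Id and so on) that are omitted here.

```python
"""
Added example: minimal RADIUS PAP Access-Request/Response with password hiding
and response authentication, both sides in one file. Sample values only.
"""
import hashlib
import os
import struct
from secrets import compare_digest
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: zero-pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password length must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server does it; strips the zero padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    # Attribute = Type (1) | Length (1, includes header) | Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes,
                         authenticator: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """NAS side. Returns (packet, request_authenticator); the authenticator must be unpredictable."""
    req_auth = authenticator or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username) + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Server side: walk the TLVs after the 20-byte header, rejecting truncated ones."""
    attrs, i = {}, 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: a reply whose authenticator does not check out was not produced with our secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return compare_digest(expected, resp_auth)


def authenticate(username: bytes, password: bytes, secret: bytes, user_db: Dict[bytes, bytes]) -> bool:
    """End to end: NAS builds the request, server looks the user up and answers, NAS checks the answer."""
    request, _ = build_access_request(7, username, password, secret)  # identifier 7 is a sample value
    # --- server side ---
    a = parse_attributes(request)
    name = a.get(ATTR_USER_NAME)
    found = name in user_db                       # identity lookup happens before the password check
    ok = found and compare_digest(user_db[name], reveal_password(a[ATTR_USER_PASSWORD], secret, request[4:20]))
    response = build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)
    # --- back on the NAS ---
    return verify_response(response, request, secret) and response[0] == ACCESS_ACCEPT
```

In this toy server the identity lookup runs before the recovered password is compared, which is where a "user identity not found" style rejection originates, as opposed to a wrong-password rejection. The password hiding is MD5 keyed only by the shared secret, so the controller-to-server path itself needs protection: a long shared secret and a trusted segment between WLC and ISE, or RADIUS over TLS where the products support it.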
i admin some macs at the local university's art education. we've got six macs and 45 students. FCS, CS4 and PRO TOOLS, along with various open source software. for the upcoming semester, we've decided that each student is no longer allowed to store their files on the internal disks. the solution i was going for, was using the guest account. each student will no longer log into their account, but hook up their private external disk to save their files to.
the problem is, i can't configure the looks and behaviors of the guest account. for example, i would like to add the app icons they'll be working with to the dock, i'd like to set the right clicking on the mighty mouse to be a secondary click, separate pro tools shortcuts from osx exposé/dashboard, change privileges to the shared folders etc.
but every log out / log in, these settings are restored to a default.
is there any way i can override this default?
or is there a better way to organize this altogether?
iColor wrote:
that's great.
it seems i cannot actually set all the preferences. like the obvious right secondary mouse click, appearance and energy saving. or could i, clicking 'preferences', then 'details' and adding something to the list?
but dock customization is a 'start'.
if i want to manage accounts on other machines on the local network, what do i enter instead of 'localhost'?
I don't think you can do this at all unless you run OS X server. I could be wrong and the IP address of the remote computer might work but I never tried that myself.
i recently bought apple remote desktop, - the workgroup manager seems to be a great addition to that. almost as it should be integrated in it.
thank you again
Message was edited by: V.K.
-
Lobby Admin for guest account creation - Automation of account creation
hello all,
i'm sure the creation of guest accounts on the lobby admin page is a painful process for all involved - for us, it involves a process like this:
visitor asks for wifi > receptionist phones IT > IT creates account> IT phones receptionist with login details.
I would like to know whether it's possible to speed up this process either:
1) receptionist is able to click a few buttons, type the name of a visitor (so we know who used a particular guest ID), then is able to generate an ID and password immediately, which can then be printed onto a ticket printer of some sort.
2) visitor simply connects into the guest network, has to register (name and email) and automatically gets connected.
are any of these possible? or any other option I could take?
Thanks
Why not just have the receptionist create the account via the Lobby Admin login? The point of Lobby Admin is such that an elevated end-user (receptionist/security/etc) can log in to create a guest account without having to interact with an "admin". There's no point in having your IT staff handle the Lobby Admin logins.
Some of the other items you are asking for would be a better use-case with the Cisco ISE solution.
-
Set reverse scroll direction for guest account
Is there a way to set the default scroll direction to reverse scrolling for the guest account?
Thanks.
No: all settings are restored to default when the guest logs out. But you could create a managed account for visitors, with suitable restrictions, then that would hold any setting you made. Of course its contents won't be deleted when they log out, which can be an advantage or a disadvantage depending on circumstances.
-
Changed file viewing settings for Guest account, now iMac won't boot :(
I'll start this off by mentioning that I'm not really a techie type person, but I'll do my best to describe what I did as accurately as possible. And I'm pretty good at following layman's terms troubleshooting advice!
I recently decided to move my iMac into the living room of my apartment. I have never found the need to create a Guest account, but I figured it might be convenient for..well, a guest every now and then. But when I created the guest account I discovered very quickly that they would have access to all of my photos, documents, movies, etc. via the "view all documents" "view all photos" tabs on the left-hand side of the Finder window. I googled what to do and people were saying that it is best to change the viewing options of particular folders via the "get info" tab when you right-click on a folder. There were three categories, the first one I believe was Admin or the main user, the second is "wheel" and the third says "Everyone". I changed the "Everyone" access on the folders I wanted private from read-writable to "none". I left the "wheel" and "admin" categories alone. I also did this to the utilities folder, and the library under the assumption it would only affect guest access to these files, not admin access!
Also, under the Account Preferences tab in the Apple menu I disabled the viewing of shared folders for the guest. I also disabled automatic login.
Next thing I know, while I'm under the guest login trying to test out my security updates, I see I can't click on anything! Or open anything! I can't open the finder at all, I can't open the internet, I can't even get to the Apple drop-down menu. I couldn't even log out of guest. I had to turn off my computer without shutting it down. I turned it back on, and it went through the motions of booting up until the blue screen with the grey dashed loading circle (no beach ball, thank god). It acts like it will proceed beyond that point, the grey circle disappears for a moment, but then nothing happens and that process starts over. Like it's stuck and can't find it's own files. I also notice a tiny white square in the upper left-hand corner of the blue screen if that means anything.
I don't know what the heck I did. I think I somehow managed to block my own admin access (is that even possible??).
-Shayna
You need to get the install discs, erase the hard drive, and reinstall all the software from scratch. When acquiring a used Mac there's no way to know what condition its software is in... there might be hacks, security holes, pirated software, keyloggers, credit card sniffers, or other even riskier stuff on it. Using a pre-owned Mac's software as-is is a Very High Security Risk. Your Mac's software is obviously distressed. What's more, you are not licensed to use any Apple software unless you own and are in possession of the install discs.
Get the discs and reinstall. Apple will send you new ones that match your model for a small shipping fee. Call them and provide your Mac's serial number.