Printing Solutions for Guest Wireless
So this is something that has been bouncing around the forums for a year or two now. I have failed to come up with a "best-of-breed" approach that meets the strict security requirements of a government department.
The scenario is this - the wireless platform is based around centralised Wism controllers in a datacentre and an anchor controller (for guest wireless) in a dmz, we have WCS to manage the components including the Lightweight Access-Points (mainly Cisco 1142N's) with a Cisco NGS to act as both hotspot and as the client credentials RADIUS authority. It works great except for printing, which simply isn't currently an option.
The solution services a wide number of geographic locations - all members of the one guest SSID and mobility group. Since clients that connect to this are effectively DMZ'd and only able to connect to the internet, I am struggling to find a practical way to provide printing specific to each geographic site without going for a cloud service such as "Drop-box", or "PrinterON".
Has anyone out there in the Community come up with any innovative approaches to this conundrum? If so, please join the conversation.
Hi, I've encountered the same issue. Did you find a solution?
Similar Messages
-
Web Based Registration for Guest Wireless Access
I just started a project to make a guest wireless network available at every site in my enterprise. Guest wireless networks are currently available at some sites. Two key goals of this project are to enable WPA/WPA2 encryption and to develop a web based registration/authentication solution. All of the sites have a mixture of 1230, 1240, and 1250 autonomous access points. What do I need to do/get in order to make this happen?
You should get a WLC and upgrade the 1240 and 1250 and replace the 1230's if they are in remote sites.
The WLC has a Webauth feature that is great. You can define users on the WLC also if you wish.
Guest access should always be open authentication with the use of a Webauth page. This makes it easy and you won't have to help manage guest access. Autonomous APs with a splash page will require third-party software, or you can use a Cisco NAC guest server.
Search for Cisco Wireless Guest Access or Webauth and you will see many docs on this type of setup.
-
Setting up webauth for guest wireless access
Hi there,
I'm trying to set up guest wireless access. Having no experience with this at all, I'm beginning to struggle.
Equipment:
2x 3850 stacked and acting as one switch running 03.06.00E
4x 1602E AP's registered to the WLC running on the 3850
The infrastructure is sound and corporate wireless access works ok.
I need a config that allows a guest user to connect to the guest SSID, DHCP an address, then when they open a browser, they are automatically redirected to a splash screen for them to log on. Once they log on with the supplied username and password they are then forwarded to whatever site it is they wish to go to; So far my config looks like this (removed unnecessary parts for brevity);
Building configuration...
user-name test
 creation-time 1414684496
 privilege 0
 password 7 051F031C35
 type network-user description test guest-user lifetime year 0 month 0 day 0 hour 23 minute 59 second 4
aaa new-model
aaa authentication login aaa_guest_webauth local
aaa authentication login local_login local
aaa authorization exec local_authorise local
aaa authorization network guest_authorisation local
aaa authorization credential-download default local
aaa session-id common
switch 1 provision ws-c3850-24t
switch 2 provision ws-c3850-24t
service-template webauth-global-inactive
 inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
spanning-tree mode pvst
spanning-tree extend system-id
hw-switch switch 1 logging onboard message level 3
hw-switch switch 2 logging onboard message level 3
parameter-map type webauth global
 virtual-ip ipv4 1.2.3.4
parameter-map type webauth guest-webauth
 type webauth
 redirect on-success http://www.google.com
 banner text ^CC test text test ^C
 custom-page login device flash-1:login.html
 custom-page failure device flash-1:failed.html
class-map match-any non-client-nrt-class
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 10
interface VlanXXX
 description "Guest-Access-VLAN"
 ip address 10.x.x.126 255.255.255.128
 ip helper-address x.x.x.x
 ip helper-address x.x.x.x
line vty 0 4
 exec-timeout 7 0
 authorization exec local_authorise
 login authentication local_login
 transport input ssh
line vty 5 15
 exec-timeout 7 0
 authorization exec local_authorise
 login authentication local_login
 transport input ssh
wsma agent exec
 profile httplistener
 profile httpslistener
wsma agent config
 profile httplistener
 profile httpslistener
wsma agent filesys
 profile httplistener
 profile httpslistener
wsma agent notify
 profile httplistener
 profile httpslistener
wsma profile listener httplistener
 transport http
wsma profile listener httpslistener
 transport https
wireless mobility controller
wlan Wireless-Guest-Access 24 wireless-guest
 client vlan Guest-Access-VLAN
 ip access-group GUEST-ACCESS
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security web-auth
 security web-auth authentication-list aaa_guest_webauth
 security web-auth parameter-map guest-webauth
 session-timeout 1800
 no shutdown
ap country GB
ap group default-group
ap group BUS-AP-Group
 wlan Wireless-Corporate-Access
  vlan BUS-CORP-DATA-VLAN
 wlan Wireless-Guest-Access
  vlan Guest-Access-VLAN
end
I carried out a Wireshark trace and can see the DHCP OK, then see DNS queries to the DNS name server and the replies, followed by a TCP SYN to the resolved IP of the website requested - but that's it, there is no SYN ACK reply or redirect to the login page which I have placed on the flash and specified under 'custom-page login'.
I am under the impression that the way this should work is as follows;
1. Client connects to SSID and carries out DHCP DORA and is assigned an IP address
2. open browser on client and carry out name resolution
3. once name is resolved, carry TCP three way handshake with requested site (e.g. google)
4. once three way handshake is completed client carries out an HTTP GET request
5. WLC holds the response and redirects to the login page
6. on successful login, original requested page is forwarded to client.
I can't seem to get a response - even if I remove the ACL.
Am I heading in the right direction or am I trying to achieve something which is not possible with my setup?
Cheers
Also, forgot to say, make sure your files are preceded with webauth for your html and js and web_auth for image files:
38725 -rw- 4265 Nov 4 2014 12:21:28 +00:00 webauth_login.html
38726 -rw- 6937 Nov 4 2014 12:11:03 +00:00 webauth_aup.html
38727 -rw- 1356 Nov 4 2014 12:11:30 +00:00 webauth_logout.html
38728 -rw- 662 Nov 4 2014 12:11:43 +00:00 webauth_failed.html
38729 -rw- 318 Nov 4 2014 12:11:58 +00:00 webauth_loginscript.js
38731 -rw- 82940 Nov 4 2014 12:12:28 +00:00 web_auth_image.jpg
CORE-SW01#sho run | s param
parameter-map type webauth global
 type webauth
 virtual-ip ipv4 1.1.1.1
 custom-page login device flash:webauth_login.html
 custom-page failure device flash:webauth_failed.html
parameter-map type webauth guest-webauth
 type webauth
 custom-page login device flash:webauth_login.html
 custom-page failure device flash:webauth_failed.html
 security web-auth parameter-map guest-webauth
CORE-SW01# -
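Added example (not part of the thread, and not Cisco tooling): a Python check that compares the `custom-page` lines of a webauth parameter-map against a `dir flash:` listing and the file-naming rule given in the reply. The listing and both parameter-maps are copied from the posts above; treating the reply's listing as the contents of the question's flash, and the function names, are assumptions made for illustration.

```python
import re

# Naming rule as given in the reply above (taken from the post, not from Cisco
# documentation): HTML/JS files start with "webauth", images with "web_auth".
PREFIX_BY_EXT = {"html": "webauth", "htm": "webauth", "js": "webauth",
                 "jpg": "web_auth", "jpeg": "web_auth", "png": "web_auth",
                 "gif": "web_auth"}

PARAM_MAP_RE = re.compile(r"^\s*parameter-map\s+type\s+webauth\s+(\S+)\s*$")
CUSTOM_PAGE_RE = re.compile(
    r"^\s*custom-page\s+(\S+)\s+device\s+([\w-]+):(\S+)\s*$")

# "dir flash:" rows copied from the reply.
LISTING = """\
38725 -rw- 4265 Nov 4 2014 12:21:28 +00:00 webauth_login.html
38726 -rw- 6937 Nov 4 2014 12:11:03 +00:00 webauth_aup.html
38727 -rw- 1356 Nov 4 2014 12:11:30 +00:00 webauth_logout.html
38728 -rw- 662 Nov 4 2014 12:11:43 +00:00 webauth_failed.html
38729 -rw- 318 Nov 4 2014 12:11:58 +00:00 webauth_loginscript.js
38731 -rw- 82940 Nov 4 2014 12:12:28 +00:00 web_auth_image.jpg
"""

# Parameter-map from the original question.
QUESTION_CONFIG = """\
parameter-map type webauth guest-webauth
 type webauth
 redirect on-success http://www.google.com
 custom-page login device flash-1:login.html
 custom-page failure device flash-1:failed.html
"""

# Parameter-map from the reply.
REPLY_CONFIG = """\
parameter-map type webauth guest-webauth
 type webauth
 custom-page login device flash:webauth_login.html
 custom-page failure device flash:webauth_failed.html
"""


def parse_flash_listing(text):
    """Return the set of filenames found in 'dir flash:' style rows."""
    names = set()
    for line in text.splitlines():
        parts = line.split()
        # Row shape: index, permissions, size, date/time fields, filename.
        if (len(parts) >= 4 and parts[0].isdigit()
                and re.fullmatch(r"[-drwx]{4}", parts[1])):
            names.add(parts[-1])
    return names


def parse_custom_pages(config):
    """Return (parameter_map, page_type, device, filename) per custom-page line."""
    current, pages = None, []
    for line in config.splitlines():
        header = PARAM_MAP_RE.match(line)
        if header:
            current = header.group(1)
            continue
        page = CUSTOM_PAGE_RE.match(line)
        if page and current:
            pages.append((current, page.group(1), page.group(2), page.group(3)))
    return pages


def check_custom_pages(config, listing):
    """Flag custom pages that break the naming rule or are absent from flash."""
    files = parse_flash_listing(listing)
    findings = []
    for pmap, kind, _device, name in parse_custom_pages(config):
        prefix = PREFIX_BY_EXT.get(name.rsplit(".", 1)[-1].lower())
        if prefix and not name.startswith(prefix):
            findings.append((pmap, kind, name, f"name lacks '{prefix}' prefix"))
        if name not in files:
            findings.append((pmap, kind, name, "not present on flash"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CONFIG), ("reply", REPLY_CONFIG)):
        print(label, check_custom_pages(cfg, LISTING) or "OK")
```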
Hi.
I was wondering if someone could help me with the easiest way to set up a Web Page to control Guest Wireless access on Cisco AP 1130AG.
I was using PEAP and Dot1x to Active Directory but the messing around required on some clients (namely XP and Vista) means it is not ideal for random and unexpected guests.
How can I set up an Open Authentication method (or whatever I need) that then defaults to a web page or logon page for access to the network itself? I have seen this in other companies so it must be do-able.
Just for information a standard WPA2 key for the SSID is insufficient as we want a logon page and user credentials that are changeable.
I hope someone can help.
Are you using the AP with a lightweight controller, or standalone (autonomous)?
The lightweight controllers have this capability. Standalone APs do not. -
ISE Custom AUP for Guest Wireless
Hi All,
I am trying to set up Guest wireless using Cisco ISE for the first time. Under Multi-Portal Configurations, I was hoping to be able to edit the DefaultGuestPortal profile so that I could change the wording of the AUP from Cisco's Blurb. Can anyone point me in the direction where I can do this? The only alternative I can see is to create a new portal from scratch.
Cheers
Brian
MultiPortal Configurations
Cisco ISE provides you with the ability to host multiple guest portals in the Cisco ISE server. The Guest user portal has a default Cisco look and feel. These pages are dynamically generated to offer portal features such as change password and self-registration in the Login Screen.
You can use the Multi-portal configuration to upload set of GUI pages specific to your organization to handle the Login, AUP, Change Password and Self Registration. In order to access an uploaded client portal the guest portal URL must include the name of the portal specified during the upload.
You can design and upload HTML pages to define new guest portals or replace the default guest portal. These pages must use plain HTML code and must contain form actions that point to the guest portal backend servlets. You must define separate HTML pages for login, acceptable use policy (AUP), the change-password function, and self-registration.
For Complete Configuration Guide, Please click on below link
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.pdf -
ASA5510 base config for guest wireless network
Hello
I am partitioning off my guest wireless traffic out a new connection.
I have a WISM and a 5508 controller. The WISM will anchor the subnets to the specific controller.
AP - WISM - 5508 - FW - Cable link - Internet
Can anyone assist in implementing a base config so only traffic originating inside can get out, nothing from outside getting in.
The external link will be via cable and I want to configure their static on my outside int,
Where would be the best place to ratelimit the subnet(s)?
sMc
ip access-list 10 permit ip 172.16.16.0 255.255.255.0 eq 80
ip access-list 10 permit ip 172.16.16.0 255.255.255.0 eq 443
These are router configurations and would not work on the ASA. To do this the ACL config would need to look like this:
access-list LAN extended permit tcp 172.16.16.0 255.255.255.0 any eq 80
access-list LAN extended permit tcp 172.16.16.0 255.255.255.0 any eq 443
access-group LAN in interface inside
Keep in mind that you can change the ACL name (LAN) to anything you want it to be. You could apply the ACL in the outbound direction but this is very unusual to do on the ASA and I do not suggest doing it unless you have a specific reason for doing so.
Also, to make sure this subnet has no access to inside services, what would be needed?
Not exactly sure where you are going with this. Is this subnet also located on the inside interface? or on a different interface?
If it is located on a different interface, then all you have to do is either give it a lower security level than that of the inside interface (let's say 90 for example), or add an ACL that denies traffic to the inside network subnet and then under that rule have an entry permitting traffic to any.
Keep in mind that the ACLs are checked top to bottom and there is an implicit deny any rule at the bottom of all ACLs. If this ASA is version 8.3 or higher the implicit deny can be seen in the global ACL in the ASDM.
Please remember to rate and select a correct answer -
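Added example (not part of the thread, and not ASA code): a small Python model of the top-to-bottom, first-match evaluation and implicit deny described in the answer, showing why the deny towards the inside network has to sit above the permit to any. The guest subnet 172.16.16.0/24 is from the thread; the inside network 10.10.0.0/16, the test hosts and all function names are assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol, else "tcp"/"udp"
    src: object                  # source network
    dst: object                  # destination network
    port: Optional[int] = None   # None means any destination port


GUEST = ip_network("172.16.16.0/24")   # guest subnet quoted in the thread
INSIDE = ip_network("10.10.0.0/16")    # hypothetical inside network (assumption)
ANY = ip_network("0.0.0.0/0")

# Order described in the answer: deny guest -> inside, then permit guest -> any.
ACL_AS_ADVISED = [Rule("deny", "ip", GUEST, INSIDE),
                  Rule("permit", "ip", GUEST, ANY)]
# The same two entries in the wrong order.
ACL_REVERSED = [Rule("permit", "ip", GUEST, ANY),
                Rule("deny", "ip", GUEST, INSIDE)]


def _matches(rule, proto, src, dst, port):
    return ((rule.proto == "ip" or rule.proto == proto)
            and ip_address(src) in rule.src
            and ip_address(dst) in rule.dst
            and (rule.port is None or rule.port == port))


def evaluate(acl, proto, src, dst, port):
    """First matching entry wins; falling off the end is the implicit deny."""
    for index, rule in enumerate(acl):
        if _matches(rule, proto, src, dst, port):
            return rule.action, index
    return "deny", None


def _covers(earlier, later):
    """True when every packet matching `later` already matches `earlier`."""
    return ((earlier.proto == "ip" or earlier.proto == later.proto)
            and later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst)
            and (earlier.port is None or earlier.port == later.port))


def shadowed(acl):
    """Indexes of entries that can never match because an earlier one covers them."""
    return [i for i, later in enumerate(acl)
            if any(_covers(earlier, later) for earlier in acl[:i])]


if __name__ == "__main__":
    flow = ("tcp", "172.16.16.50", "10.10.1.5", 445)   # guest host -> inside host
    print("advised :", evaluate(ACL_AS_ADVISED, *flow), shadowed(ACL_AS_ADVISED))
    print("reversed:", evaluate(ACL_REVERSED, *flow), shadowed(ACL_REVERSED))
```

Running `shadowed()` over an ACL before applying it catches a deny entry that an earlier, broader permit has made unreachable.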
Separate Internet service for Guest Wireless
Hi all,
I was reading about security concerns having guest wireless sharing the corporate Internet services and therefore looking towards the path where a separate basic Internet service can be provided for them, keeping the corporate side safe.
In doing that, what I was thinking would be the way:
Extend the Guest Wireless VLAN from the core switch where the SVI is currently at to the new ADSL router's Inside interface. And in doing that I will need to configure the ADSL router for the right DHCP scope and DNS entries and finally remove the SVI from the core switch so it simply does switching across to this ADSL service.
Let me know if I am on the right track or if I am missing something.
Regards!
Hi George,
It is a simple setup with just one controller, and the WLC is talking to the ISE to authenticate, including the web auth login for the guest.
So to answer your question, I think no, the WLC doesn't push the guest to the DMZ. The guest VLAN is hanging off the core switch at the moment and using their corporate Internet service.
I hope the above answered your doubts. Cheers! -
Mobile printing solutions for iPad
Hello, I would like to see if anyone can help with this... We are trying to equip our service employees with printing capabilities while they are out in the field. I know that it seems that the best way to go is with utilizing the AirPrint feature of the iPad, however looking at the supported printers (found on the Apple website) I don't see any that seem all that "portable" in regards to size and weight. How are others handling their printing needs on the go?
Thank you very much!!
Clark
Looking to do the same thing.
Thanks to all who contributed to this thread.
HP offers something called mobile printing solutions.
Apparently at Kinkos and other selected locations, a person can send their docs to be printed from their iPad.
I downloaded the HP mobile printing app, but the local Kinkos is some distance away, so I have not yet tried it.
Besides, there would be a cost per page for printing.
Sending e-mail attachments to companies with printing capabilities I have tried.
Staples offers this service, but I sent some docs and they had to be adjusted and modified by the Staples printing department to enable correct printing on a page, so that particular avenue may be out.
(I made the document using the Noteworthy app and sent it to Dropbox and sent the resulting PDF from Dropbox to Staples, who printed the test, but told me it required page modification.)
I have no idea why, as the page I had worked up into a PDF had a standard word processing format.
Thanks for all who contribute their time and experience in these forums
neophyte -
Hi
We are looking at placing iPads in our offices but need to understand the printing options available? I have a number of questions?
1/ Would I be able to print to a networked printer?
2/ what would be the best WIFI Printer available for extensive printing?
3/ Are there any other printing options available?
Thank you in advance!
The roll over logs all have the same name except the extension is .lo_. So... I'm not sure what you are looking for.
Garth Jones -
Printing solution for Color LaserJet 3600 & 2600 on new Apple hardware
This is a followup to my original thread that was archived:
http://discussions.apple.com/thread.jspa?threadID=2364735&tstart=0
I finally found a solution. HP owes me $20,000 in consulting fees.
To print to a LaserJet 3600 or 2600 from a newer Mac using 10.6, you must do the following:
Step 1: Install Foomatic HPIJS drivers
Step 2: Get an AirPort Express or equivalent print server (AirPort Extreme works as well, UFO or thin.)
Step 3: Connect the printer via USB to the print server, and connect it to your network
Step 4: Go to Print & Fax, then click the + button to add a printer
Step 5: Select HP Jetdirect - Socket for the protocol
Step 6: Enter the IP address of the printer server, followed by a colon and the port number (9100 or 9101)*, i.e. 1.2.3.4:9100
Step 7: Name the printer, then click on the Print using: drop down menu
Step 8: Select the Select Other Printer..., and choose the appropriate HPIJS driver.
* To determine the correct port, open Network Utility in the Utilities folder. Click on Port Scan. Type the IP address of your print server, then check the Only test ports between... and enter 9100 and 9101. It will report back the open TCP port.
Unfortunately 10.6.3 did not fix the problem.
I've also, unfortunately, found out that the HPIJS will also eventually fail to print.
This is beyond frustrating since we invested several thousands of dollars in these printers and we can't use them. -
Best way to implement a print solution for a CF online store (at the store)
Hey everyone,
I have developed a CF web store for a client in which people order food items and then pay for it with integration with Authorize.NET. The customer and the store get an email of the order. We want to get away so that the email that gets to the store owner is either automatically printed or that they get some notification that there is a new order there. I have tried some software such as Namtuk Autoprint but it doesn't seem to work all the time for the store owner in that it prints sometimes. I am looking for other solutions people may have done or think can be done. I was looking into internet printers but I know nothing about how it works or how to set one up.
thanks
So, I take it the ColdFusion server is not located at the store owner's place, because that would solve it easily.
Outlook, for one, can print emails as they arrive.
Thunderbird seems to lack such feature, and no luck with the plugins I guess.
Then there are several other client-side solutions as well, in addition to the one you mentioned.
Can't help you with any particular software I've tested, though.
-Fernis -
Printing solution for KDE?
I just wondered if anybody had a good work around for the print dialog problems in KDE (and presumably QT apps generally). I guess some distros patch the sources but this seems to require recompiling QT which I'm not keen to do and the patches are for an older version anyway.
There are many references to the issue in both KDE and QT bug trackers e.g. https://bugs.kde.org/show_bug.cgi?id=180051.
Basically, the issue is that the print dialog seems to have two parts. One part reflects the CUPS configuration for the printer. As far as I can tell the purpose of this part of the dialog is to sow confusion among users but perhaps that is not actually intentional. It seems, in any case, to have no effect whatsoever.
The second part is some sort of QT print setup dialog. There are multiple issues with this. First, it is insensitive to the capabilities of the printer advertised by the PPD file via CUPS. So it doesn't matter whether the printer has fine-grained quality control in CUPS, it won't here. Likewise, it doesn't matter whether the printer can print colour or not, it will offer this option.
So the first issue is that some settings just cannot be set through the dialog.
The next issue is that this dialog uses defaults which do not depend on the defaults configured via CUPS. For example, no physical printer I use has letter paper; all of these are configured in CUPS to default to A4. But the print dialog defaults to letter paper. Similarly, CUPS is set to default to duplex and greyscale but the dialog defaults to single-sided in colour. Most of the printers I use do not even offer colour. Some of them need quality settings adjusted to get good output and this can't even be done via the dialog.
This means that if I just print without reconfiguring via the dialog, I get "color, letter, single-sided" rather than "greyscale, A4, duplex, additional options".
Finally, the configuration isn't saved. It must be done not only for each session or each application but for every single job sent from a KDE application and any other application which hooks into the KDE print framework. Every single job. KDE offers a GUI alternative to the CUPS web interface but I'm not sure why since it has zero effect.
The result is obviously very irritating, time-consuming and wasteful of toner and trees.
I'm therefore wondering how other people manage this issue or whether any workarounds are available which do not involve patching and compiling QT source. Apart from the issue of having to do that and having to do it on every update, the available patch even if it worked for QT 4.8.0 doesn't actually fix most of the above problems. It would not, for example, pick up the A4 default or enable me to set different quality settings.
I'm wondering about trying to write some command line scripts but I'm not sure if this is the best solution so I'd like to know if better ones might be possible first. I'm not sure what the current best command line print command is although I figure that shouldn't be too hard to establish. But this would be very inconvenient for many applications. The only reason I'm considering it is because it wouldn't be too bad from Kile since the Konsole is right there anyway; and acroread doesn't rely on KDE for printing. Most of my printing is either kile -> okular -> print or acroread -> print. I'd still have issues with libreoffice, web browsers etc. so I'd rather find a more general solution if possible. (I know I can print to PDF and then print that but I might as well just go through the config unless I need quality settings in that case.)
Or should I just buy a pencil?!
SteveK wrote:
I just have the one printer, although I have set it up in 2 or 3 different KDE distros and I'm just using normal Arch packages here.
The reason I asked is because there are at least two patches available to fix the bug but they require compiling the whole of QT from source. Most distros, however, include these patches. So the fact that it works for you in another distro means nothing but the fact that it works for you in Arch is very, very interesting.
The KDE developers don't seem to expect it to work. Discussion at https://bugs.kde.org/show_bug.cgi?id=180051 reveals that they think that Arch are "douchebags" for not patching QT. (Please note that I am *not* endorsing this view as the bug thread on KDE should make clear.)
Unless, of course, they *are* patching it and something is weird about my config. How would I find that out?
Oh and just to clarify, today I re-checked changing paper type between A4/Letter and colours to greyscale/colour as default settings, rebooted and the print dialogue reflected those changes, along with the printed output. I have no idea why it works for some people and not others.
My print dialog doesn't even reflect it 30 seconds later, let alone after a reboot! (And I reboot quite often so it isn't the lack of rebooting, either.)
What about running from a terminal? Any related errors show up?
Sorry for being dumb. How would I run it from the terminal? Or what would I run? Do you just mean start e.g. okular from terminal? I don't get anything interesting:
okular <random-file>.pdf
okular(24864)/kdecore (KConfigSkeleton) KCoreConfigSkeleton::writeConfig:
okular(24864)/kdecore (KConfigSkeleton) KCoreConfigSkeleton::writeConfig:
okular(24864)/kdecore (KConfigSkeleton) KCoreConfigSkeleton::writeConfig:
okular(24864)/kdecore (KConfigSkeleton) KCoreConfigSkeleton::writeConfig:
okular(24864)/kdecore (KConfigSkeleton) KCoreConfigSkeleton::writeConfig:
okular(24864)/kdeui (kdelibs) KXMLGUIClient::~KXMLGUIClient: 0x8b9230 deleted without having been removed from the factory first. This will leak standalone popupmenus and could lead to crashes.
I didn't actually print as I'm not connected to a printer right now, but I opened the print dialog, selected a printer and examined both "properties" and "options". The "advanced" properties always shows the CUPS defaults but they have no effect on anything. The "options", as usual, defaulted to letter/single-sided/color etc.
But perhaps that's not what you meant by "run from a terminal"? -
DHCP lease for Guest Wireless network
Is there a "rule-of-thumb" for the lease of DHCP on a guest or general use wireless network. The standard user is expected to be relatively transient. Thanks in advance for the comments / help.
I think there is no such rule of thumb in a wireless network, but networks that incorporate large numbers of mobile devices, such as laptops and wireless telephony devices, should be configured with shorter DHCP lease times (for example, one day) to prevent depletion of DHCP-managed subnet addresses. Mobile devices typically use IP addresses for short increments of time and then might not request a DHCP renewal or new address for a long period of time. Longer lease times will tie up these IP addresses and prevent them from being reassigned even when they are no longer being used.
-
Captive Portal for Guest wireless using a Cisco ASA 5510 or just 1231 Autonomous AP's
Our environment consists of about 7 Cisco 1231 Access Points. We have multiple SSIDs including a Guest SSID for internet only access. All APs are in autonomous mode. We have a Cisco ASA5510 at the internet perimeter. I would like to use what we have in house to set up a way in which all Guest Wireless users will be redirected to a Captive Portal (a splash page where they are given a custom warning page that instructs them about our Internet Accepted Usage Policy). Can I do anything with the ASA to dish out a page like this? I know that I can turn on an AAA rule on the ASA and force those users to have to authenticate when going to the internet but the prompt page can't be customized too much. I can add some text but it gets mixed in with all the other default text.
I am not seeing a way to do URL redirection inside of the 1231 APs themselves. I know that a controller environment would help me out but I am looking to find a solution with the equipment I already have in place.
Any ideas??
Hi,
AFAIK, using autonomous, there is no way we can do that.
Regards
Surendra -
Is the c6180 printer able to print documents for ipad2?
I have a c6180 printer and cannot print documents from an Apple iPad 2. Is there any way to make them compatible?
If you do not have an ePrint-enabled printer, you will not be able to print from a mobile device using ePrint or AirPrint. However, HP does have a free mobile printing solution for HP wireless printers like the Photosmart C6180: HP iPrint Photo.
HP iPrint Photo can print .pdf, .txt, .jpg, .png, .tiff, and .bmp files stored on your iPhone, iPod Touch, or iPad.
Instructions on how to download HP iPrint can be found here:
http://h10025.www1.hp.com/ewfrf/wc/document?docname=c02775166&cc=us&lc=en&dlc=en&product=1153494&tmp...
Thanks!
Tara
**Although I am an HP employee, I am speaking for myself and not for HP.