Setting up webauth for guest wireless access
Hi there,
I'm trying to set up guest wireless access. Having no experience with this at all, I'm beginning to struggle.
Equipment:
2x 3850 stacked and acting as one switch running 03.06.00E
4x 1602E AP's registered to the WLC running on the 3850
The infrastructure is sound and corporate wireless access works ok.
I need a config that allows a guest user to connect to the guest SSID, DHCP an address, then when they open a browser, they are automatically redirected to a splash screen for them to log on. Once they log on with the supplied username and password they are then forwarded to whatever site it is they wish to go to. So far my config looks like this (removed unnecessary parts for brevity):
Building configuration...
user-name test
 creation-time 1414684496
 privilege 0
 password 7 051F031C35
 type network-user description test guest-user lifetime year 0 month 0 day 0 hour 23 minute 59 second 4
aaa new-model
aaa authentication login aaa_guest_webauth local
aaa authentication login local_login local
aaa authorization exec local_authorise local
aaa authorization network guest_authorisation local
aaa authorization credential-download default local
aaa session-id common
switch 1 provision ws-c3850-24t
switch 2 provision ws-c3850-24t
service-template webauth-global-inactive
 inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
spanning-tree mode pvst
spanning-tree extend system-id
hw-switch switch 1 logging onboard message level 3
hw-switch switch 2 logging onboard message level 3
parameter-map type webauth global
 virtual-ip ipv4 1.2.3.4
parameter-map type webauth guest-webauth
 type webauth
 redirect on-success http://www.google.com
 banner text ^CC test text test ^C
 custom-page login device flash-1:login.html
 custom-page failure device flash-1:failed.html
class-map match-any non-client-nrt-class
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 10
interface VlanXXX
 description "Guest-Access-VLAN"
 ip address 10.x.x.126 255.255.255.128
 ip helper-address x.x.x.x
 ip helper-address x.x.x.x
line vty 0 4
 exec-timeout 7 0
 authorization exec local_authorise
 login authentication local_login
 transport input ssh
line vty 5 15
 exec-timeout 7 0
 authorization exec local_authorise
 login authentication local_login
 transport input ssh
wsma agent exec
 profile httplistener
 profile httpslistener
wsma agent config
 profile httplistener
 profile httpslistener
wsma agent filesys
 profile httplistener
 profile httpslistener
wsma agent notify
 profile httplistener
 profile httpslistener
wsma profile listener httplistener
 transport http
wsma profile listener httpslistener
 transport https
wireless mobility controller
wlan Wireless-Guest-Access 24 wireless-guest
 client vlan Guest-Access-VLAN
 ip access-group GUEST-ACCESS
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security web-auth
 security web-auth authentication-list aaa_guest_webauth
 security web-auth parameter-map guest-webauth
 session-timeout 1800
 no shutdown
ap country GB
ap group default-group
ap group BUS-AP-Group
 wlan Wireless-Corporate-Access
  vlan BUS-CORP-DATA-VLAN
 wlan Wireless-Guest-Access
  vlan Guest-Access-VLAN
end
I carried out a Wireshark trace and can see the DHCP ok, then see DNS queries to the DNS name server and the replies, followed by a TCP SYN to the resolved IP of the website requested - but that's it, there is no SYN ACK reply or redirect to the login page which I have placed on the flash and specified under 'custom-page login'.
I am under the impression that the way this should work is as follows;
1. Client connects to SSID and carries out DHCP DORA and is assigned an IP address
2. open browser on client and carry out name resolution
3. once the name is resolved, carry out the TCP three-way handshake with the requested site (e.g. google)
4. once three way handshake is completed client carries out an HTTP GET request
5. WLC holds the response and redirects to the login page
6. on successful login, original requested page is forwarded to client.
I can't seem to get a response - even if I remove the ACL.
Am I heading in the right direction or am I trying to achieve something which is not possible with my setup?
Cheers
Also, forgot to say, make sure your files are preceded with webauth for your html and js and web_auth for image files
38725 -rw- 4265 Nov 4 2014 12:21:28 +00:00 webauth_login.html
38726 -rw- 6937 Nov 4 2014 12:11:03 +00:00 webauth_aup.html
38727 -rw- 1356 Nov 4 2014 12:11:30 +00:00 webauth_logout.html
38728 -rw- 662 Nov 4 2014 12:11:43 +00:00 webauth_failed.html
38729 -rw- 318 Nov 4 2014 12:11:58 +00:00 webauth_loginscript.js
38731 -rw- 82940 Nov 4 2014 12:12:28 +00:00 web_auth_image.jpg
CORE-SW01#sho run | s param
parameter-map type webauth global
 type webauth
 virtual-ip ipv4 1.1.1.1
 custom-page login device flash:webauth_login.html
 custom-page failure device flash:webauth_failed.html
parameter-map type webauth guest-webauth
 type webauth
 custom-page login device flash:webauth_login.html
 custom-page failure device flash:webauth_failed.html
 security web-auth parameter-map guest-webauth
CORE-SW01#
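Added example (mine, not the poster's and not a Cisco tool): a small Python check that cross-references the pieces a web-auth WLAN on the 3850 depends on, the authentication-list and parameter-map the wlan names, the virtual-ip in the global parameter-map, and the custom-page file naming rule reported above (webauth... for html/js, web_auth... for images). The sample running-config is constructed to mirror the snippets in this thread, with the first attempt's login.html name left in so that it produces a finding.

```python
import re

# Constructed sample modelled on the running-config excerpts in the thread,
# indented the way IOS-XE prints it. It is not the poster's actual config.
SAMPLE_CONFIG = """\
aaa authentication login aaa_guest_webauth local
parameter-map type webauth global
 type webauth
 virtual-ip ipv4 1.1.1.1
parameter-map type webauth guest-webauth
 type webauth
 custom-page login device flash:login.html
 custom-page failure device flash:webauth_failed.html
wlan Wireless-Guest-Access 24 wireless-guest
 security web-auth
 security web-auth authentication-list aaa_guest_webauth
 security web-auth parameter-map guest-webauth
"""


def parse_blocks(config):
    """Return [(header, [child lines])] for every unindented config line."""
    blocks = []
    for line in filter(str.strip, config.splitlines()):
        if not line.startswith(" "):
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks


def custom_page_problem(child):
    """File-naming rule the poster reported: html/js pages must be named
    webauth..., image files web_auth...  Returns a message or None."""
    m = re.match(r"custom-page \S+ device \S+?:(\S+)$", child)
    if not m:
        return None
    name = m.group(1)
    want = "webauth" if name.endswith((".html", ".js")) else "web_auth"
    return None if name.startswith(want) else f"page {name} should start with {want}"


def check_webauth_config(config):
    """Cross-check the pieces a web-auth WLAN depends on; return findings."""
    blocks = parse_blocks(config)
    login_lists = {h.split()[3] for h, _ in blocks if h.startswith("aaa authentication login ")}
    param_maps = {h.split()[3]: c for h, c in blocks if h.startswith("parameter-map type webauth ")}
    findings = []
    # The global map carries the virtual IP that the redirect points the client at.
    if not any(c.startswith("virtual-ip") for c in param_maps.get("global", [])):
        findings.append("global webauth parameter-map has no virtual-ip")
    for name, children in param_maps.items():
        for problem in filter(None, map(custom_page_problem, children)):
            findings.append(f"{name}: {problem}")
    for header, children in blocks:
        if not header.startswith("wlan ") or "security web-auth" not in children:
            continue
        wlan = header.split()[1]
        for child in children:
            m = re.match(r"security web-auth (authentication-list|parameter-map) (\S+)", child)
            if not m:
                continue
            defined = login_lists if m.group(1) == "authentication-list" else param_maps
            if m.group(2) not in defined:
                findings.append(f"{wlan}: {m.group(1)} {m.group(2)} is not defined")
    return findings
```

Run `check_webauth_config(SAMPLE_CONFIG)` on the sample and the only finding is the login page name; paste a real `show run` in its place to check your own box.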
Similar Messages
-
Web Based Registration for Guest Wireless Access
I just started a project to make a guest wireless network available at every site in my enterprise. Guest wireless networks are currently available at some sites. Two key goals of this project are to enable WPA/WPA2 encryption and to develop a web based registration/authentication solution. All of the sites have a mixture of 1230, 1240, and 1250 autonomous access points. What do I need to do/get in order to make this happen?
You should get a WLC and upgrade the 1240 and 1250 and replace the 1230's if they are in remote sites.
The WLC has a Webauth feature that is great. You can define users on the WLC also if you wish.
Guest access should always be open authentication with the use of a Webauth page. This makes it easy and you won't have to help manage guest access. Autonomous APs, to have a splash page, will require 3rd party software, or you can use a Cisco NAC guest server.
Search for Cisco Wireless Guest Access or Webauth and you will see many docs on this type of setup.
Sent from Cisco Technical Support iPhone App -
Setting up WRVS4400N for switch & wireless access point
Howdy, first post here. What is the proper way to configure this device to act as a switch and wireless access point so I can connect it to a switch with router upstream? I have a DLink router that was easy: disable UPnP, disable DHCP, set an IP/Subnet, and it worked.
My main router has a subnet mask of 255.255.240.0 but in the WRVS4400N setup screen I only get a list box with a limited number of masks, all of which are 255.255.255.x. Is there any way to specify the 240?
No. You cannot use a subnet mask larger than 255.255.255.0 on Linksys routers. They are only built to handle 255.255.255.0 and smaller. I guess they consider that a LAN which requires a larger subnet, i.e. expects to run more than 253 networked devices, requires a larger router.
The only thing you can do is to choose 255.255.255.0 and to pick an IP address which matches the IP address from which you expect to do the usual configuration work. If you use 10.0.0.0/255.255.240.0 but the computers which have to configure the router are all in 10.0.1.0/255.255.255.0 you can use that subnet. This works with computers even if they have a different subnet mask.
Of course, you can set any IP address you want, even one completely outside your normal LAN in order to "hide" the web interface from the normal LAN operation. The IP address of the router in your setup is irrelevant for the switching and wireless access. Both operate on ethernet/MAC addresses and the IP address of the router does not play any role there. If you use the 10 subnet mentioned before you could as well leave the router at 192.168.1.1/255.255.255.0. Whenever you have to access the web interface of the router you must temporarily set a static IP address inside 192.168.1.* on the computer... -
Hi.
I was wondering if someone could help me with the easiest way to set up a Web Page to control Guest Wireless access on Cisco AP 1130AG.
I was using PEAP and Dot1x to Active Directory but the messing around required on some clients (namely XP and Vista) means it is not ideal for random and unexpected guests.
How can I set up an Open Authentication method (or whatever I need) that then defaults to a web page or logon page for access to the network itself? I have seen this in other companies so it must be do-able.
Just for information a standard WPA2 key for the SSID is insufficient as we want a logon page and user credentials that are changeable.
I hope someone can help.
Are you using the AP with a lightweight controller, or standalone (autonomous)?
The lightweight controllers have this capability. Standalone APs do not. -
Guest Wireless access over WAN
Hello Everyone,
We have around 45 remote locations, all connected with GRE tunnels.
44 locations have their own WLC which are managed by NCS and ISE in HQ. All 44 locations have wireless access for guests and internal staff.
Now my question is:
One location (the 45th) has only 10 users and I don't want to put a WLC there.
How can I provide guest wireless access at this location over the WAN from HQ?
We can buy APs.
Please give me some ideas to solve this problem.
Here I am attaching my default plan :
Thanks
You just configure the access point in FlexConnect mode and then on the guest SSID you would central switch the WLAN. Central switching tunnels traffic back to the WLC and local switching drops traffic off at the local site. Here are some guides to look at.
https://supportforums.cisco.com/docs/DOC-24082
http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml
Sent from Cisco Technical Support iPhone App -
Printing Solutions for Guest Wireless
So this is something that has been bouncing around the forums for a year or two now. I have failed to come up with a "best-of-breed" approach that meets the strict security requirements of a government department.
The scenario is this - the wireless platform is based around centralised WiSM controllers in a datacentre and an anchor controller (for guest wireless) in a DMZ. We have WCS to manage the components including the Lightweight Access Points (mainly Cisco 1142Ns) with a Cisco NGS to act as both hotspot and as the client credentials RADIUS authority. It works great except for printing, which simply isn't currently an option.
The solution services a wide number of geographic locations - all members of the one guest SSID and mobility group. Since clients that connect to this are effectively DMZ'd and only able to connect to the internet, I am struggling to find a practical way to provide printing specific to each geographic site without going for a cloud service such as "Drop-box", or "PrinterON"
Has anyone out there in the Community come up with any innovative approaches to this conundrum? If so please join the conversation.
Hi, I've encountered the same issue. Did you find a solution?
-
Setting up 'guest' wireless access on a wireless router attached to our LAN
My organization purchased a Cisco Wireless-N Gigabit Security Router and asked me to configure it so that guests could access the internet (through our LAN) but not any of our LAN resources. According to the packaging, there is a "built-in wireless access point" with "secure guest access" but I cannot find the instructions on how to configure it anywhere in the 133-page administrator's guide that came with the unit. I thought I was familiar with WAP's even though I have never set one up from scratch before, and now I have a special one to set up. Any suggestions on how I get started? -Marty
Arthur,
Thank you for responding to my inquiry. I opened a case, and Small Business tech support told me what to do. What I needed to do was to establish a new SSID and a new VLAN, disable security, enable VLAN isolation and allow it to broadcast. To my surprise, it allowed anyone to connect but only traverse our network to get to the internet without seeing any of our LAN resources. Which was exactly our goal.
Marty -
ISE Custom AUP for Guest Wireless
Hi All,
I am trying to set up guest wireless using Cisco ISE for the first time. Under Multi-Portal Configurations, I was hoping to be able to edit the DefaultGuestPortal profile so that I could change the wording of the AUP from Cisco's blurb. Can anyone point me in the direction where I can do this? The only alternative I can see is to create a new portal from scratch.
Cheers
Brian
MultiPortal Configurations
Cisco ISE provides you with the ability to host multiple guest portals in the Cisco ISE server. The Guest user portal has a default Cisco look and feel. These pages are dynamically generated to offer portal features such as change password and self-registration in the Login Screen.
You can use the Multi-portal configuration to upload set of GUI pages specific to your organization to handle the Login, AUP, Change Password and Self Registration. In order to access an uploaded client portal the guest portal URL must include the name of the portal specified during the upload.
You can design and upload HTML pages to define new guest portals or replace the default guest portal. These pages must use plain HTML code and must contain form actions that point to the guest portal backend servlets. You must define separate HTML pages for login, acceptable use policy (AUP), the change-password function, and self-registration.
For the complete configuration guide, please click on the link below:
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.pdf -
Guest Wireless Access in Bridged Mode e4200v1
I have an e4200v1 in bridge mode (LAN IP 192.168.1.2) connected via its WAN port to a LAN port on the primary router at 192.168.1.1.
Guest Wireless works perfectly in Ver. 1.0.04 build 11 but not in Ver. 1.0..05 Build 7.
Any ideas?
I've tried searching the forums for the same concern. I found the following:
http://homecommunity.cisco.com/t5/Wireless-Routers/Guest-network-doesn-t-work-in-bridge-mode-on-E420... - the user herot80 provided steps on how he got the guest network working on his setup.
http://homecommunity.cisco.com/t5/Wireless-Routers/Linksys-EA4500-Bridged-Network-amp-Guest-Wireless... - user counsil suggested making sure that NAT is on before setting the router to bridge mode for the guest network to work. -
ASA5510 base config for guest wireless network
Hello
I am partitioning off my guest wireless traffic out a new connection.
I have a WISM and a 5508 controller. The WISM will anchor the subnets to the specific controller.
AP - WISM - 5508 - FW - Cable link - Internet
Can anyone assist in implementing a base config so only traffic originating inside can get out, nothing from outside getting in.
The external link will be via cable and I want to configure their static on my outside int,
Where would be the best place to ratelimit the subnet(s)?
sMc
ip access-list 10 permit ip 172.16.16.0 255.255.255.0 eq 80
ip access-list 10 permit ip 172.16.16.0 255.255.255.0 eq 443
These are router configurations and would not work on the ASA. To do this the ACL config would need to look like this:
access-list LAN extended permit ip 172.16.16.0 255.255.255.0 any eq 80
access-list LAN extended permit ip 172.16.16.0 255.255.255.0 any eq 443
access-group LAN in interface inside
Keep in mind that you can change the ACL name (LAN) to anything you want it to be. You could apply the ACL in the outbound direction but this is very unusual to do on the ASA and I do not suggest doing it unless you have a specific reason for doing so.
Also, to make sure this subnet has no access to inside services, what would be needed?
Not exactly sure where you are going with this. Is this subnet also located on the inside interface? or on a different interface?
If it is located on a different interface, then all you have to do is either give it a lower security level than that of the inside interface (let's say 90 for example), or add an ACL that denies traffic to the inside network subnet and then under that rule have an entry permitting traffic to any.
Keep in mind that the ACLs are checked top to bottom and there is an implicit deny any rule at the bottom of all ACLs. If this ASA is version 8.3 or higher the implicit deny can be seen in the global ACL in the ASDM.
Please remember to rate and select a correct answer -
Set up time capsule as wireless access point
I am trying to set up my old Apple Time Capsule as a wireless access point for my girlfriend. She is at college and the university does not permit routers, so I am trying to set the Time Capsule up so that it just takes the hardwired internet and allows wireless access to the internet so she can use her iPad and MacBook Air on the wireless instead of having to use a gigabit adapter to use the ethernet. The Time Capsule has the newest firmware and she is running Mavericks which has the newest AirPort Utility software. However I am not sure what settings to use to make this work. I am fairly intelligent when it comes to computers however I am not very skilled in networking. If anyone can help I would greatly appreciate it.
Thank you in advance!
How old is the Time Capsule? Running what firmware?
You have a problem.. If you cannot use the TC in router mode, then you are going to have to use it in bridge.. and it then depends on if the Uni system will hand out multiple IP addresses.. which I doubt. In the end you might be stuck.. and it is not possible really with any system..
Bridge normally requires that the TC take an IP address and then clients connecting to the TC wireless will also get IP addresses.. but if the uni system only hands out one address then the TC has already captured it and there are no more available.. but try that method first.. as it is the easiest.
If it fails there is a more complicated method.. where we can give the TC a separate static IP in a different IP range and the wireless will still be bridged.. so the MBA or the ipad can use the wireless.. but only one can ever be online at a time.
The only way around this is to use the TC as a router contra the rules in the uni.. although I would suggest the uni only cares if you break their system. Most people don't.. but I am unsure what happens if you do.
Ask their IT people how to use a wireless only device like ipad, when they only provide ethernet. You might find there already is a wireless internet system as well. -
Separate Internet service for Guest Wireless
Hi all,
I was reading about security concerns having guest wireless sharing the corporate Internet services and therefore looking towards the path where a separate basic Internet service can be provided for them, keeping the corporate side safe.
In doing that what i was thinking would be the way:
Extend the Guest Wireless VLAN from the core switch where the SVI is currently at to the new ADSL router's inside interface. In doing that I will need to configure the ADSL router for the right DHCP scope and DNS entries and finally remove the SVI from the core switch so it simply does switching across to this ADSL service.
Let me know if I am on the right track or if I am missing something.
Regards!
Hi George,
It is a simple setup with just one controller, and the WLC is talking to the ISE to authenticate, including the web auth login for the guest.
So to answer your Q, I think no, the WLC doesn't push the guest to the DMZ. The guest VLAN is hanging off the core switch at the moment and using their corporate Internet service.
I hope the above answered your doubts. Cheers! -
Captive Portal for Guest wireless using a Cisco ASA 5510 or just 1231 Autonomous AP's
Our environment consists of about 7 Cisco 1231 Access Points. We have multiple SSIDs including a Guest SSID for internet only access. All APs are in autonomous mode. We have a Cisco ASA5510 at the internet perimeter. I would like to use what we have in house to set up a way in which all Guest Wireless users will be re-directed to a Captive Portal (Splash Page) where they are given a custom warning page that instructs them about our Internet Accepted Usage Policy. Can I do anything with the ASA to dish out a page like this? I know that I can turn on an AAA rule on the ASA and force those users to have to authenticate when going to the internet but the prompt page can't be customized too much. I can add some text but it gets mixed in with all the other default text.
I am not seeing a way to do URL redirection inside of the 1231 AP's themselves. I know that a controller environment would help me out but looking to find a solution with what equipment the I already have in place.
Any ideas??
Hi,
AFAIK. using Autonomous.. there is no way we can do that..
Regards
Surendra -
Cisco Guest Wireless Access Solution - Local Printing
Hi,
Does Cisco have a solution that provides printing for a guest WLAN. Cisco Guest wireless deployment solutions recommend terminating the guest WLAN on an anchor controller in the DMZ which causes issues when needed to print locally as the print traffic will need to traverse the DMZ anchor controller causing excessive WAN link usage.
Is there a better solution to enable a guest WLAN to print locally?
FlexConnect with split tunneling may work.
Read about this feature & see how that can be used in your branch setup. Here is the Ciscolive presentation slides the above came from.
BRKEWN-2016: Architecting Network for Branch Offices with Cisco Unified Wireless
HTH
Rasika
**** Pls rate all useful responses **** -
Anyone know how to set up mac as a wireless access point?
That's pretty much my question, I wanna access the internet on my Nintendo DS and Wii
Hello and Welcome to Apple Discussions.
Although I'm not familiar with the Nintendo DS, you can use the iMac as a Wireless Access Point by going Apple Menu > System Preferences > Sharing > and selecting Share Connection from: popup menu: however you connect, and then choose AirPort to share to.
This article refers.
Merry Christmas
mrtotes