Web Based Registration for Guest Wireless Access

Similar Messages

• Setting up webauth for guest wireless access

  Hi there,
  I'm trying to set up guest wireless access.  having no experience with this at all, I'm beginning to struggle.
  Equipment:
  2x 3850 stacked and acting as one switch running 03.06.00E
  4x 1602E AP's registered to the WLC running on the 3850
  The infrastructure is sound and corporate wireless access works ok.
  I need a config that allows a guest user to connect to the guest SSID, DHCP an address, then when they open a browser, they are automatically redirected to a splash screen for them to log on. Once they log on with the supplied username and password they are then forwarded to whatever site it is they wish to go to;  So far my config looks like this (removed unnecessary parts for brevity);
  Building configuration...
  user-name test
   creation-time 1414684496
   privilege 0
   password 7 051F031C35
   type network-user description test guest-user lifetime year 0 month 0 day 0 hour 23 minute 59 second 4
  aaa new-model
  aaa authentication login aaa_guest_webauth local
  aaa authentication login local_login local
  aaa authorization exec local_authorise local
  aaa authorization network guest_authorisation local
  aaa authorization credential-download default local
  aaa session-id common
  switch 1 provision ws-c3850-24t
  switch 2 provision ws-c3850-24t
  service-template webauth-global-inactive
   inactivity-timer 3600
  service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
  service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
  service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   voice vlan
  spanning-tree mode pvst
  spanning-tree extend system-id
  hw-switch switch 1 logging onboard message level 3
  hw-switch switch 2 logging onboard message level 3
  parameter-map type webauth global
   virtual-ip ipv4 1.2.3.4
  parameter-map type webauth guest-webauth
   type webauth
   redirect on-success http://www.google.com
   banner text ^CC test text test ^C
   custom-page login device flash-1:login.html
   custom-page failure device flash-1:failed.html
  class-map match-any non-client-nrt-class
  policy-map port_child_policy
   class non-client-nrt-class
    bandwidth remaining ratio 10
  interface VlanXXX
   description "Guest-Access-VLAN"
   ip address 10.x.x.126 255.255.255.128
   ip helper-address x.x.x.x
   ip helper-address x.x.x.x
  line vty 0 4
   exec-timeout 7 0
   authorization exec local_authorise
   login authentication local_login
   transport input ssh
  line vty 5 15
   exec-timeout 7 0
   authorization exec local_authorise
   login authentication local_login
   transport input ssh
  wsma agent exec
   profile httplistener
   profile httpslistener
  wsma agent config
   profile httplistener
   profile httpslistener
  wsma agent filesys
   profile httplistener
   profile httpslistener
  wsma agent notify
   profile httplistener
   profile httpslistener
  wsma profile listener httplistener
   transport http
  wsma profile listener httpslistener
   transport https
  wireless mobility controller
  wlan Wireless-Guest-Access 24 wireless-guest
   client vlan Guest-Access-VLAN
   ip access-group GUEST-ACCESS
   no security wpa
   no security wpa akm dot1x
   no security wpa wpa2
   no security wpa wpa2 ciphers aes
   security web-auth
   security web-auth authentication-list aaa_guest_webauth
   security web-auth parameter-map guest-webauth
   session-timeout 1800
   no shutdown
  ap country GB
  ap group default-group
  ap group BUS-AP-Group
   wlan Wireless-Corporate-Access
    vlan BUS-CORP-DATA-VLAN
   wlan Wireless-Guest-Access
    vlan Guest-Access-VLAN
  end
  I carried out a wireshark trace and can see the dhcp ok, then see DNS queries to the DNS name serever and the replies, followed by a TCP SYN to the resolved IP of the website requested - but that's it, there is no SYN ACK reply or redirect to the login page which i have placed on the flash and specified under 'custom-page login' 
  I am under the impression that the way this should work is as follows;
  1. Client connects to SSID and carries out DHCP DORA and is assigned an IP address
  2. open browser on client and carry out name resolution 
  3. once name is resolved, carry TCP three way handshake with requested site (e.g. google)
  4. once three way handshake is completed client carries out an HTTP GET request
  5. WLC holds the response and redirects to the login page
  6. on successful login, original requested page is forwarded to client.
  I can't seem to get a response - even if I remove the ACL.
  Am i heading in the right direction or am I trying to achieve something which is not possible with my setup?
  Cheers

  also, forgot to say, make sure your files are preceeded with webauth for your html and js and web_auth for image files
  38725  -rw-        4265   Nov 4 2014 12:21:28 +00:00  webauth_login.html
  38726  -rw-        6937   Nov 4 2014 12:11:03 +00:00  webauth_aup.html
  38727  -rw-        1356   Nov 4 2014 12:11:30 +00:00  webauth_logout.html
  38728  -rw-         662   Nov 4 2014 12:11:43 +00:00  webauth_failed.html
  38729  -rw-         318   Nov 4 2014 12:11:58 +00:00  webauth_loginscript.js
  38731  -rw-       82940   Nov 4 2014 12:12:28 +00:00  web_auth_image.jpg
  CORE-SW01#sho run | s param
  parameter-map type webauth global
   type webauth
   virtual-ip ipv4 1.1.1.1
   custom-page login device flash:webauth_login.html
   custom-page failure device flash:webauth_failed.html
  parameter-map type webauth guest-webauth
   type webauth
   custom-page login device flash:webauth_login.html
   custom-page failure device flash:webauth_failed.html
   security web-auth parameter-map guest-webauth
  CORE-SW01#

• Web Page for Guest Wireless

  Hi.
  I was wondering if someone could help me with the easiest way to set up a Web Page to control Guest Wireless access on Cisco AP 1130AG.
  I was using PEAP and Dot1x to Active Directory but the messing around required on some clients (namely XP and Vista) means it is not ideal for random and unexpected guests.
  How can I set up an Open Authentication method (or whatever I need) that then defaults to a web page or logon page for access to the network itself? I have seen this in other companies so it must be do-able.
  Just for information a standard WPA2 key for the SSID is insufficient as we want a logon page and user credentials that are changeable.
  I hope someone can help.

  Are you using the AP with a lightweight controller, or standalone (autonomous)?
  The lightweight controllers have this capability. Standalone APs do not.

• Printing Solutions for Guest Wireless

  So this is something that has been bouncing around the forums for a year or two now.  I have failed to come up with a "best-of-breed" approach that meets the strict security requirments of a government department.
  The scenario is this - the wireless platform is based around centralised Wism controllers in a datacentre and an anchor controller (for guest wireless) in a dmz, we have WCS to manage the components including the Lightweight Access-Points (mainly Cisco 1142N's) with a Cisco NGS to act as both hotspot and as the client credentials RADIUS authority. it works great except for printing which simply isn't currently an option.
  The solution services a wide number of geographic locations - all members of the one guest SSID and mobility group.  Since clients that connect to this are effectively DMZ'd and only able to connect to the internet, I am struggling to find a practical way to provide printing specific to each geographic site without going for a cloud service such as "Drop-box", or "PrinterON" 
  Has anyone out there in the Community come up with any innovative approaches to this connundrum?  If so please join the conversation

  Hi, I've encountered the same issue. Did you find a solution?

• Guest Wireless access over WAN

  Hello Everyone,
  We have around 45 remote location , all are connected with GRE Tunnels.
  44 location have there own WLC which are managed by NCS and ISE in HQ , All 44 location have Wireless access for Guest and INternal Staff.
  Now my Question is :
  One location(45th) have only 10 users and I dont want to put a WLC there.
  How can I provide the Guest wireless access on this location over WAN from HQ.
  We can buy APs.
  Please give me some ideas to solve this problem.
  Here I am attaching my default plan  :
  Thanks

  You just configure the access point in FlexConnect mode and then on the guest SSID you would central switch the WLAN. Central switching tunnels back traffic to the WLC and local switching drops traffic off at the local site. Here are some guides to look at.
  https://supportforums.cisco.com/docs/DOC-24082
  http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml
  Sent from Cisco Technical Support iPhone App

• CBT or WEB based training for Cognos, ESSBASE or BO

  I'm looking for CBT or WEB based training for Cognos, ESSBASE or BO?
  thnx
  Endre

  Hello Jawahar,
  Thanks for your reply.
  Your right from 4.0 its a Promotion Management activity with LCM.
  Here my question is I'm not able to Access LCM thorogh Localhost:8080/BOE/LCM.
  Please anyone help me how to do rectify this.
  Thanks
  venkat

• To build web based application for taking backup

  Actually , I have prepared menu based scripts for taking backup.
  Now what i want to make is WEB BASED APPLICAATION for taking backup. My idea is to build the Web Pages which will call the scripts which i have already buit . But I don't know how through Web Pages I am able to go in the server and call the scripts .
  If anybody having any idea regarding this . Pls guide me I am very thankful to him/her.
  Thanx
  Waiting for valuable advice

  Dear Sandeep Saini,
  You may develop the web application is used SDK DI Server.
  Please refer to SDK help and sample for more information about DI Server.
  Best Regards
  Jane Jing
  SAP Business One Forum team

• Web based authentication for wired client, Crendentials submission failure.

  Hi,
  I am trying to set up the functionnality "cisco web based authentication" for the wired clients.
  The problem i encountered is that my switch doesnt forward the client's password to the ACS.
  When the user validate his credentials on the login page only the login seems to be forwarded.
  The result of the command "show ip admission cache" always show the client in the init state.(i use the default cisco web login page).
  the connection between aaa servers and the switch is working.
  You will find in attachements the running-config and the debug file.
  Thanks for your help, any ideas are welcome :) (its t os version c3750e-ipbasek9-mz.150-2.SE7).

  Well i took a look on your documents but i didnt find anything that helped me ;S.
  I'm still stucked on the same step.

• How to have a web-based interface for Lumira that also performs Ad-Hoc visualizations on data that should be loaded live from HANA.

  How to have a web-based interface for Lumira that also performs Ad-Hoc visualizations on data that should be loaded live from HANA. I have another tool that puts data into HANA, So don't want to reload this new data into Lumira every time I want to run a report.
  so do i  have the ability to create polished ad hoc dashboards, reports, infographics and storyboards Apart from Ad-Hoc reports, I also need a dashboard with some fixed reports that update with the live data.
  So please suggest me to accomplish this task.
  Thanks and regards
  Shashi kiran

  Please have a look at Ludek's document here which contains links: SAP Lumira Family Supported Versions Matrix
  Ludek has also attached the PAM's as zipped files; Lumira comes in many flavors so I encourage you to research options
  Also see this "HANA Live" document: [SAP HANA Academy] Visualized: Lumira & HANA

• Is there a way to access the web-based setup for my router if I cannot access the internet?

  Okay, I need to change the ip address settings on my router. I have a WRT54G Wireless router. I cannot access the internet on my computer connected to the router, and do not know how to change the router settings without accessing the web-based setup page. So, back to my question. Is there a way to access this page if I cannot connect to the internet?

  On the back of the router is a small reset switch. Using a paper clip or other small item, press the switch in and hold it for a few seconds. This will reset the router to the default IP address of 192.168.1.1. Enter that address in your web browser, and be sure your computer is attached to the router by an Ethernet cable. Don't attempt to do this using the wireless connection.
  Once you have reached the web configuration utility you can change the DHCP settings.
  To give your PC a static IP address you will need to open your network connections panel and, assuming your using Windows XP, make the changes from dynamic IP to static there.

• External Web authentication server for Guest access

  I have a guest wireless wlan setup. When guest users attach to our guest wireless they are prompted by the built in web security on the WLC's.
  Cisco talks about how to setup the WLC to route web authentication to an external web server, but they don't say what kind of web server to use or examples.
  I need some help on getting an external web server to do web authentication. With the server we would like to get some basic info from the user. name, email, pupose of using wlan, and some background info they don't see like, computer name, mac address. This is all for tracking purposes.
  Hotels do this type of web authentication for example.
  Any help would be great.

  Hi Patrick,
  I'm having the same problem here. I configured my WLC that redirect the login page to WEB Server, but I don't know how configure the Web Server to back the credentials to WLC. Did you can solve this problem?
  thanks!
  Claudio

• ISE Custom AUP for Guest Wireless

  Hi All,
  I am trying to setup Guest wireless using Cisco ISE for the first time.  Under Multi-Portal Configurations, i was hoping to be able to edit the DefaultGuestPortal profile so that I could change the wording of the AUP from Cisco's Blurb.  Can anyone point me in the direction where I can do this?  The only alternative I can see is to create a new portal from scratch.
  Cheers
  Brian

  MultiPortal Configurations
  Cisco ISE provides you with the ability to host multiple guest portals in the Cisco ISE server. The Guest user portal has a default Cisco look and feel. These pages are dynamically generated to offer portal features such as change password and self-registration in the Login Screen.
  You can use the Multi-portal configuration to upload set of GUI pages specific to your organization to handle the Login, AUP, Change Password and Self Registration. In order to access an uploaded client portal the guest portal URL must include the name of the portal specified during the upload.
  You can design and upload HTML pages to define new guest portals or replace the default guest portal. These pages must use plain HTML code and must contain form actions that point to the guest portal backend servlets. You must define separate HTML pages for login, acceptable use policy (AUP), the change-password function, and self-registration.
  For Complete Configuration Guide, Please click on below link
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.pdf

• ASA5510 base config for guest wireless network

  Hello
  I am partitioning off my guest wireless traffic out a new connection.
  I have a WISM and a 5508 controller. The WISM will anchor the subnets to the specific controller.
  AP - WISM - 5508 - FW - Cable link - Internet
  Can anyone assist in implementing a base config so only traffic originating inside can get out, nothing from outside getting in.
  The external link will be via cable and I want to configure their static on my outside int,
  Where would be the best place to ratelimit the subnet(s)?
  sMc       

  ip access-list 10 permit ip 172.16.16.0 255.255.255.0 eq 80ip access-list 10 permit ip 172.16.16.0 255.255.255.0 eq 443
  These are router configurations and would not work on the ASA.  To do this the ACL config would need to look like this:
  access-list LAN extended permit ip 172.16.16.0 255.255.255.0 any eq 80
  access-list LAN extended permit ip 172.16.16.0 255.255.255.0 any eq 443
  access-group LAN in interface inside
  Keep in mind that you can change the ACL name (LAN) to anything you want it to be.  You could apply the ACL in the outbound direction but this is very unusual to do on the ASA and I do not suggest doing it unless you have a specific reason for doing so.
  Also, to make sure this subnet has no access to inside services, what would be needed?
  Not exactly sure where you are going with this.  Is this subnet also located on the inside interface? or on a different interface?
  If it is located on a different interface, then all you have to do is either give it a lower security level than that of the inside interface (lets say 90 for example), or add an ACL that denies traffic to the inside network subnet and then under that rule have an entery permitting traffic to any.
  Keep in mind that the ACLs are checked top to bottom and there is an implicit deny any rule at the bottom of all ACLs.  If this ASA is version 8.3 or higher the implicit deny can be seen in the global ACL in the ASDM.
  Please remember to rate and select a correct answer

• Separate Internet service for Guest Wireless

  Hi all,
  I was reading about security concerns having guest wireless sharing the corporate Internet services and therefore looking towards the path where a separate basic Internet serivce can be provided for them keeping the corporate side safe.
  In doing that what i was thinking would be the way:
  Extend the Guest Wireless VLAN from the core switch where the SVI is currently at to the new ADSL router's Inside interface. And in doing that I will need to configure the ADSL router for the right DHCP scope and DNS entries and finally remove the SVI from the core switch so it simple does switching across to this ADSL service.
  Let me know if i am on the right track or if i am missing something.
  Regards!

  Hi George,
  it is a simple setup with just one controller. and the WLC is talking to the ISE to authenticate including the web auth login for the guest.
  So to ans your Q, i think No, the WLC deosnt push the guest to the DMZ. the guest VLAN is hanging off the core switch at the moment. and using their corporate Internet service.
  i hope the above answered your doubts. Cheers!

• My comapny has a web based portal for assigning work. Last week I lost the ability to connect to it through a tethered laptop using my Galaxy S5. It worked for the last several years using my drois phones. I can acess it from my home PC, through networked

  I can no longer access my company's web based portal through a tethered laptop. All other web pages work. Has anyone experienced anything like this? It's a verizon problem for sure since I can get to it from every other method...

  It could very well be Verizon where you're able to access from your home PC. But have you tried looking into the Laptops operating system Device Manager to see if that gives any indication of anything, like perhaps possible network driver update?