Webproxy for guest access

Similar Messages

• 2504 with new-architecture enabled breaks MAC auth for guest access

  Hello,
  We have (2) 2504 WLC running version 7.6.120. WLC1 is the local controller and WLC2 is an achor controller for guest-access. We need to incorporate a 3850 for use with the WLC2 anchor. The guest access is currently working with Mac-Auth and Mac-Auth-Fail to Web-Auth.
  When converged access is enabled on the WLC1 and WLC2, the MAc-Auth no longer works. That is, the previously authenticated user is now redirected to the Web-Auth page. The local controller shows the user as authenticated but the Anchor controller shows the state as WEb-Auth-REQD.
  Rolling back using "config mobility new-architecture disable" and rebooting resolves the issue.
  Does anyone what changes from the old to the new that would break this mac-auth/web-auth configuration?

  You should reach TAC for these sort of issues. Not many people deploying this CA setup yet & you may not get direct feedback immediately.
  HTH
  Rasika

• E2500 with multiple APs for guest access

  I got 5 E2500 routers and the main one has setup to IP address 192.168.1.254 and the rest APs are programmed into the bridge mode with the IP address 192.168.1.245 through 248. The secured wireless network  works fine when I roaming between these APs but the only AP that I can get internet access for guest wireless network is the main (192.168.1.254) router; for every other APs, I will get the guest log on screen (prompt for guest access password) and no internet access after I type in the correct access password. Does the E2500 support multiple APs guest or it requires a special way to configure it? Please help...
  Jim

  Guest Access allows you to provide Internet connection to your guests, however, they will not have access to your computers or other personal data. When you set up your Valet or Linksys Wireless-N router, the Cisco Connect software will create two wireless networks with the same Wireless Network Name (SSID) that differs from one another by a -guest suffix to one of the wireless network names.
  So first of all remove all the networks from the preferred list of the computer and then try to connect.  

• Snmp error for guest access ticket on two WLC

  Hi,
  I have one wcs (5.0.56.2) and two wlc 4400 ( 5.0.148.2). When i try to create a ticket for guest access on the two wlc without time restriction, it works well. But when I defined time restriction for the ticket, i have a snmp error on the passive wlc (snmp operation to device failed, attempt to set conflicting attribute value) and not on the active xlc.
  Thks.

  The lobby ambassador can specify the amount of time that the guest user accounts remain active. After the specified time elapses, the guest user accounts expire automatically.
  The local user database is limited to a maximum of 2048 entries and is set to a default value of 512 entries (on the Security > General page). This database is shared by local management users (including lobby ambassadors), net users (including guest users), MAC filter entries, and disabled clients. Together these cannot exceed the configured database size.
  For the configuration following URL may help you
  http://www.cisco.com/en/US/docs/wireless/controller/5.0/configuration/guide/c5users.html

• WLC as a Mobility Anchor for guest access - Management on DMZ or not DMZ

  When using Guest Access Cisco recommend a Mobility Anchor Controller be placed on a DMZ and the guest access wireless Lan is tunneled to this controller.  This means that 2 DMZ subnetworks are required - one for the management interface and one for the wireless lan's dynamic interface itself.
  I am trying to see if there are any disadvantages/security risks using 2 physical ports on the controller (no LAG) and placing one on a corporate network inside the firewall for management and to terminate the mobility anchor tunnel, and one outside the firewall on a DMZ for the wireless lan's dynamic interface.
  Advantages that I see are that no tunnels need to go though a firewall, management of the WLC is kept completely inside the corporate network, protected by the firewall and not left on the DMZ.
  Thanks.

  OK, so to recap;
  - place the 2nd WLC in the DMZ with only 1 port (set for dynamic AP management)?
  - Then Anchor the guest SSID (on it's DMZ IP instead of management IP as is now)
  And to make that kind of anchoring work, I have to open ports below on the firewall.. right?
  UDP port 16666 for inter-WLC  communication, and IP protocol ID 97 Ethernet in IP for client traffic.
  and:
  •TCP 161 and 162 for SNMP 
  •UDP 69 for TFTP 
  •TCP 80 or 443 for HTTP, or HTTPS for GUI access 
  •TCP 23 or 22 for Telnet, or SSH for CLI access
  Thanks to confirm that

• Advantages of using a seperate controller for guest access?

  Can someone give me a good reason to use a seperate controller in a DMZ for guest users versus just trunking a DMZ VLAN to the controller. Certainly it makes sense to have a guest controller when you DMZ is not accessable to the controller locations (or you have a bunch of remote locations, but only one internet connection), but in the event that the controllers are located in a place that it can hit the DMZ is there a good reason to use a guest controller.

  I'm not even sure if that is a good reason. You can alway trunk to another non-routed VLAN and stick a cable modem and firewall to give guest user access. I'm working with someone now that thinks this is the way to go, but I've got to add a 4402-12, a switch (need GB connectivity for the controller) at a minimum. Again, it would make perfect sense if the location of the internet was not in the same building.

• Any Best Practices for Guest Access?

  Looking to create a guest access WLan so that Vendors can have internet access along with vpn into their own network while disallowing access to our internal systems.
  I have created a Guest WLan and configured it on the WLC side. I think all I have to do now is to configure the core switch with athe New 99 Vlan along with configuring the trunk ports connected to the WLC's.
  My question is, am I missing anything in the setup? and are there any "best practices" wen it comes to Guest access? I am hoping to use web-passthru authentication. I dont believe this requires any AAA or Radius servers which we dont have set up. I will probably just want a single "guest" account which will provide internet access without allowing access to the internal lan. Am I on the right track here?

  ***************Guest WLC****************** (Cisco Controller) >show mobility summary Symmetric Mobility Tunneling (current) .......... Enabled Symmetric Mobility Tunneling (after reboot) ..... Enabled Mobility Protocol Port........................... 16666 Default Mobility Domain.......................... DMZ Multicast Mode .................................. Disabled Mobility Domain ID for 802.11r................... 0x43cd Mobility Keepalive Interval...................... 10 Mobility Keepalive Count......................... 3 Mobility Group Members Configured................ 2 Mobility Control Message DSCP Value.............. 0 Controllers configured in the Mobility Group MAC Address        IP Address      Group Name                        Multicast 00:19:aa:72:2e:e0  10.192.60.44    Champion Corp                    0.0.0.0 00:19:aa:72:39:80  10.100.100.20    DMZ                              0.0.0.0 (Cisco Controller) > ***************Corp WLC***************** (Cisco Controller) >show mobility summary Symmetric Mobility Tunneling (current) .......... Enabled Symmetric Mobility Tunneling (after reboot) ..... Enabled Mobility Protocol Port........................... 16666 Default Mobility Domain.......................... Champion Corp Multicast Mode .................................. Disabled Mobility Domain ID for 802.11r................... 0x46d5 Mobility Keepalive Interval...................... 10 Mobility Keepalive Count......................... 3 Mobility Group Members Configured................ 2 Mobility Control Message DSCP Value.............. 0 Controllers configured in the Mobility Group MAC Address        IP Address      Group Name                        Multicast IP    Status 00:19:aa:72:2e:e0  10.192.60.44    Champion Corp                    0.0.0.0          Up 00:19:aa:72:39:80  10.100.100.20    DMZ                              0.0.0.0          Up (Cisco Controller) >

• Using ISE for guest access together with anchor controller WLC in DMZ

  Hi there,
  I setup a guest WLAN in our LAB environment. I have one internal WLC connection to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal which works fine.
  To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
  As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
  Does anyone know of a better solution for this ? Where to place the ISE for this scenario, etc ?
  Thx
  Frank

  So i ran into a similar scenario on a recent deployment:
  We had the following:
  WLC-A on private network (Inside)
  ISE Servers ISE01 and ISE02 (Inside)
  WLC-B Anchor in DMZ for Guest traffic (DMZ)
  ISE Server 3 (DMZ)
  ISE01 and ISE02 are used for 802.1X for the private network WLAN.
  Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
  The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth.  Since we want to do CWA, we use Mac Filtering with ISE as the radius server.  If you send this traffic RADIUS authentication for Mac Filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to.  Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails.  (This was a limitation of ISE 1.1.  Not sure if this persists in 1.2 or not.
  So what now?  In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentiction from the Foreign controller so that the client will use a DNS of https://ise03.mydomain.com/... to redirect the client to.  Once the session is authenticated, ISE03 will send a CoA back to the foreign which will remove the redirect for the session.  Note, you do have to allow ISE03 to send a CoA.
  In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node.

• Authentication for Guest Access

  Hi, we are looking for a solution for either automated daily creation of guest user accounts or a console for clients enter their details which in turn creates the guest account on the controller.
  If we go down the path of automation, policy requires a single username/password for each day, unfortuntely WLC scheduled guest account creation is not an option as the reocurrence doesn't change the password, but it would be a handy feauture if Cisco would like to introduce it in a future release
  The CLI has the option to create 'config netuser add [name] [password] WLANID [X] userType guest lifetime [seconds]' - Can we schedule and email this from the CLI on the controller?
  Appreciate your time.
  Brendan

  Brendan,
  Currently there is no way to automate this process. The process that has been developed is either an admin on the wlc/wcs creates the account or the use of the lobby admin feature. WCS has the lobby admin feature also to create accounts but it isn't intended for guest users to create their own account.
  The wlc doesn't have a schedule to enter a command via the cli, but I bet you can developer some web base guest creation that would send the command to the wlc and remember that command to remove it later.
  Sent from Cisco Technical Support iPhone App

• Cisco WLC Whitelist for Guest Access? and securing guest-access?

  Is it possible to allow certain websites to bypass the web authentication pages, so that they do not need to autnehticate to get to our own website, but do have to if they wish to go anywhere else?
  Looking at a 5508 model at the moment
  Thanks

  Hello Stephen,
  Exactly how long is "an extended period of time?" Also, is this period enforced in the controller in some way, and if so, can it be configured?
  I'm asking because I have a WLAN for guests with a pre-authentication ACL allowing VPN traffic (ESP, IKE, SSL).
  For "normal" use of this guest WLAN you have to click on an "accept" button on a captive portal page before you can get anywhere with traffic not matching the pre-auth ACL.
  The pre-auth ACL does actually work, but it stops passing any traffic after 5 minutes of use per user. This happens every time and is 100% repeatable.
  So I'm very interested to know if we can change this apparent 5 minute restriction in some way.
  Thanks!
  Chris Slater-Walker
  Senior System Analyst
  Nokia UK Ltd.

• When ever i try to open safari on my ipad its ask for guest access what is that

  what is a guest access password?

  It means you are probably connected to a public wifi network that requires a password to access, i.e. a hotel, airport, coffeshop, etc.

• WLC in a DMZ for guest access

  I have one internal 4400 and one in a DMZ. I want to configure the DMZ WLC to provide Guest Internet access. I am unable to find much information on doing this. I have a WLAN called Guest defined on both controllers. And both controllers are defined in as mobility anchors. What I don't under stand is how to configure the interfaces. Do both interfaces for the WLAN Guest need to be in the same VLAN and subnet? Example:
  On the internal WLC WLAN Guest to tied to an interface named Guest with an IP address of 172.26.254.5/24 What does the interface need to look like on the DMZ WLC?

  This should get you on the right track:
  http://www.cisco.com/en/US/products/ps6366/prod_technical_reference09186a0080706f5f.html
  Brad

• RV082 - Vlans for guest access

  Hello,
  I have an RV082 router which supports port based VLANs.  I have a WAP that I want to use to provide guest internet access which cannot see our production vlan.  I plugged the WAP into port 8 and set the vlan for port 8 to vlan 2.  Here's the part where I'm confused.  I am unable to get an IP address when connecting to the WAP because our DHCP server is a windows box on vlan 1.  So, I tried using the DHCP relay option and entering the ip address of the windows box DHCP server.  I am still not able to retrieve an IP address when connecting to the WAP.  Someone mentioned setting up an ip helper address.  I connected to the CLI of the RV082 but could not figure out the syntax of how to set up the ip helper address.  Any help with any of this would be much appreciated.  I only have about a week to set this up so I have to figure something out.

  Mr. MacKay,
  Since the RV082 don't support vlan tagging, you could get a layer 3 switch and create the vlans there and setup a dhcp relay to a server for the vlan ip addresses.
  Then it would be just setting up static routes in the switch pointing to the router as the default gateway and finally doing routes back from the rv082 for the vlan you created.
  A quick solution would be get a wireless router and set it up by plugging the wan into your network and setting the lan on a totally different ip address scheme.  Then only allow access to the rv082 on that network and deny the rest of the network access to the guest and vice versa.
  Kind of a work around.
  The quickest fix would be getting a vlan aware router like rvs4000 or the wireless version wrvs4400n and if you need dual wan with vlans and wireless you could go with the sa520w.

• Email address required for guest access

  We have a guest network with a customized web page right now. When the user connects, it asks for their name and logs it to a RADIUS server. However, the user can leave this field blank and press enter to gain access. Is there some way to force a user to enter their name into this page before access can be granted? We don't want to enter a username for each user because there are too many. I found this page and this is what we want to happen (I can't figure out how to do it).
  http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html#wp999843
  (figure 10-7)
  We would like a page like this, but the user MUST enter a name or email before proceeding. No password is required. Down the road, we will attempt to verify the email that they enter, however we are not worried about that now.
  Thanks

  This is how we have it setup. However, they don't have to enter anything, the entry field can be blank and they can still be granted access. All we want is for them to enter something in this field before they are allowed on.

• External Web authentication server for Guest access

  I have a guest wireless wlan setup. When guest users attach to our guest wireless they are prompted by the built in web security on the WLC's.
  Cisco talks about how to setup the WLC to route web authentication to an external web server, but they don't say what kind of web server to use or examples.
  I need some help on getting an external web server to do web authentication. With the server we would like to get some basic info from the user. name, email, pupose of using wlan, and some background info they don't see like, computer name, mac address. This is all for tracking purposes.
  Hotels do this type of web authentication for example.
  Any help would be great.

  Hi Patrick,
  I'm having the same problem here. I configured my WLC that redirect the login page to WEB Server, but I don't know how configure the Web Server to back the credentials to WLC. Did you can solve this problem?
  thanks!
  Claudio