WiSM ::: secure guest-access

Similar Messages

• Secure Guest Access with AP541's

  My customer would like to have a secure guest wireless environment using AP541N's. When a guest laptop connects to the wireless I need the user to be redirected to a guest secure zone where they can only access the Internet after entering a password. I read in the AP541 docuemntation that this device is suitable for customers who plan to have secure guest access "in the future" - does this mean the feature is not available today but planned for the future ? If it is available today is there a config guide ?
  Thanks

  to George Stefanick
  Could you provide url of documentation how to implement third solution -
  Take one of the ports from the WLC and plug it into the FW,
  especialy configuration of WLC.

• Cisco WLC Whitelist for Guest Access? and securing guest-access?

  Is it possible to allow certain websites to bypass the web authentication pages, so that they do not need to autnehticate to get to our own website, but do have to if they wish to go anywhere else?
  Looking at a 5508 model at the moment
  Thanks

  Hello Stephen,
  Exactly how long is "an extended period of time?" Also, is this period enforced in the controller in some way, and if so, can it be configured?
  I'm asking because I have a WLAN for guests with a pre-authentication ACL allowing VPN traffic (ESP, IKE, SSL).
  For "normal" use of this guest WLAN you have to click on an "accept" button on a captive portal page before you can get anywhere with traffic not matching the pre-auth ACL.
  The pre-auth ACL does actually work, but it stops passing any traffic after 5 minutes of use per user. This happens every time and is 100% repeatable.
  So I'm very interested to know if we can change this apparent 5 minute restriction in some way.
  Thanks!
  Chris Slater-Walker
  Senior System Analyst
  Nokia UK Ltd.

• Guest access web authentication issue

  Hello experts-
  we have a problem concerning secure guest access. One controller 4402 is installed in DMZ and is working as guest anchor WLC. The guest user terminates as this anchor wlc. From this controller the client will get the ip address but when the user will open the browser and insert the url like www.cisco.com, there is no redirect to the web authentication page. If we try to reach the virtual IP via Web browser the authentication page will not be seen. Proxy setting in browser are deactivated. DNS works, if no authentication is configured Internet access is working well. But if we configure "Pass Thru", the client is in status "Authentication required" again.
  Has anybody any ideas?
  Thanks a lot, Martin

  First of all, when you configure the wlan to open, do you see that device on the anchor controller or the foreign wlc? You should see the user authenticated on the anchor. If not, then your mobility between the foreign and anchor is not working. Mping and Eping between the foreign and anchor wlc. Verify that the ssid has mobility anchor configured. Also you must make sure that your ssid on the foreign and on the anchor wlc. The webauth page will need to be installed on the anchor wlc along with the 3rd party certificate if you use one.

• Guest Access - Layer 2 security WPA PSK - Layer 3 security web auth

  I am not able to test this.
  Has anybody configured the CUWN guest access with WPA PSK layer 2 and Web authentication layer 3
  If so are there any problems that I should expect
  Mark

  Mark,
  I have setup wireless in two other compainies related to Rail... The biggest issue will be who will support the guest users and will they take the responsibility. Their security team didn't want that and were fine with tunneling the users to either a dmz or seperate Internet connection. Will dhco release the address... Not right away. You can play around with the lease tim and see if your laptop keeps getting the same address or one higher. If the isue is with dhco being used up from association, then don't broadcast the ssid and have the receptionist hand out the ssid with username and password. My clients use a default username and passowrd but changes that every week. They seem to prefer that over changing it every day or have a username passeor for every guest user. They use wcs to print out the guest credentials. Again, the network team has the recepionist doing this, so they made sure that they are not making too much extra work for them or else they would have to be responsible for guest users.
  Hope this helps.

• How to create guest access in wireless by WISM and WCS and ACS?

  dear sir
  i neeed to know the steps of how we can make guest access to our network like hotels by using our WISM v 7.0.220 and wireless control system and ACS ?

  You need to define your requirements a little bit. The WLC can do WebAuth and an employee can access either the WLC or WCS to put in the username and password credentials, but you would need to figure out what's best for you.
  Here is a support doc that you can reference.
  https://supportforums.cisco.com/docs/DOC-13954
  Sent from Cisco Technical Support iPhone App

• Guest Access Security

  We have two wireless controllers in the DMZ that we use for guest access only. Right now the management, ap-management and dhcp addresses for users are all on the same IP segment. I know that's not the most secure way to deploy and wondered what the best practice is for this situation.
  Thanks!

  It would be better if you were to seperate out the guest users into their own wlan/vlan/subnet. Assuming that the dmz endpoint allows for multiple subnets and/or vlan/subintefaces (PIX or IOS) You could then drop the guests into a subnet that can only access the internet and not any other local networks. This can also be acheived or aided by ACLs the wlan(s) as well.

• Wired guest access support on SRE G2

  I have been trying to find info on support for wired guest access on SRE wireless module. Is it supported? Also, does 2100 wlc support it? I am running into sizing issues as I am seeing in documentation that it is supported on WiSM, 4400 (end of life), 5500, and 3750G (end of life). So, Am I only left with 5500? These are bunch of branch offices and do not know if having 5500 in each site is financially feasible. There is a requirement to have all these networks separate so we cannnot share controllers. Thank you in advance.

  It's more like "all WLCs support what is in config guide unless stated otherwise".
  http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps7206/ps7221/product_data_sheet0900aecd805aaab9.html
  the Cisco 2100 Series enables administrators to  securely manage WLANs and mobility services, such as enhanced security,  voice, guest access, and location services."
  It says nowhere that the SRE can't do wired/wireless. So it does the same as other WLCs from that point of view

• Wireless guest access

  Hi Guys, I have a wireless requirement from a customer and the customer is looking for the below: 1. Wireless guest access that requires user to input email into the captive portal. But the email address must be verified that it contains certain selected domain names (e.g. example.com or example.org). Any other domain names will be rejected. 2. Customer is looking to add their own logo and change the formatting of the captive portal. Questions: 1. For email verification, does this feature come straight from the WLC standalone box or must ISE be purchased? 2. If the WLC is able to do this without ISE, any online guides that is able to do this? 3. For security reasons, am I able to limit the number of concurrent users using this captive portal? 4. How do a configure the age-out for each connected users after they have successfully logged into the captive portal? 5. Can I customize the captive portal page on the WLC and how do I go about doing it?

  Hi Mohanak,
  It looks like the formatting ran out. Anyway, not sure if we are on the right topic here but let me get this straight. Customer has a Cisco 2504 Wireless LAN Controller. So, they would like to achieve the below features:
  1. Wireless guest access that requires user to input email into the captive portal. But the email address must be verified that it contains certain selected domain names (e.g. example.com or example.org). Any other domain names will be rejected.
  2. Customer is looking to add their own logo and change the formatting of the captive portal.
  So, some of the questions I have are:
  Questions:
  1. There is a configuration on the WLC that allows guest users to login using email verification only. Does this feature come straight from the WLC standalone box or must ISE be purchased.
  2. If the WLC is able to do this without ISE, is the WLC able to check if the inputted field is a valid email? And can I configure in such a way a particular domain is allowed? (e.g. example.com is permitted but example.org and anything else is reject).
  3. For security reasons, am I able to limit the number of concurrent users using this captive portal?
  4. How do a configure the age-out for each connected users after they have successfully logged into the captive portal?
  5. Can I customize the captive portal page on the WLC and how do I go about doing it?

• Wired guest access with 5508

  Hi
  I have setup wireless guest access for a customer with a single 5508 and web authentication no problem at all. He then wanted to test wired guest access. The 5508 is currently connected to a single 3560 switch. The wired clients get a DHCP address OK but cannot reslove DNS and thus don't get redirected to teh guest login portal. I have even tried turning of all L3 security to no avail. The setup is as follows
  VLAN 101 access points and 5508 management interface
  VLAN 102 wired guest access dynamic ingress (L2 config only no SVI on 3560)
  VLAN 103 wireless guest dynamic egress nterface L3 network with SVI on switch
  VLAN 104 wired guest dynamic egress interface L3 network with SVI on switch
  There are two DHCP pools setup on the WLC one for the VLAN 103 and one for the VLAN 104 subnets.
  The internet router is also connected to the 3560 on a sepearte VLAN with an SVI. the 3560 has a default route to teh internet router and teh DHCP pools give the DHCP clients a default gateway of the IP address of dynamic interface 103 or 104. The Internet routre can ping the WLC on both these addresses.
  LAG is enabled on teh WLC and VLANs 101-104 are trunked to it from the 3560.
  I even tried making the wired guest egress interface the same one as for wireless. The wired clientys now got an IP address on the wireless range but still couldnt pass any traffic. It's like the intrenal bridging on teh WLC between VALN 102 and 104 (or 103) is broken. Tried both the lates 6.x and 7.x software on the WLC. Any ideas ? All the problems I can find with this seem to relate to not gettingas far as a DHCP address but that works fine.
  Thanks
  Pat

  Hi
  Yes got it resolved. It turns out that the connection from the wired guest access port to the WLC must be L2. That is the switch that the wired guest acces sport is connected and WLC are connected to must be L2 only. We were using a single switch to do the testing and it was also doing the routing for the test LAN. Even though there was no L3 VLAN interface configured for the VLAN that the guest access port was on for some reason this breaks it. Absolu Didnt have chance to work out the exact limitations of this as we simply made the switch L2 only and configured an 802.1Q trunk to the Internet router and made subinterfaces on the router for the wired and wireless egress ports and it worked then. No config change was needed on the WLC at all.
  The only thing I can think of is that it's something about the way the WLC joins the wired guest access ingress VLAn and egress VLAN. The WLC isn't a reall router it says so in the documentation. I think the packet coming from the wired access port is being bridged to the egress VLAn not routed and this is what screws it up (remeber with a router the source and destination MAC addresses would be changed with a bridge they aren't). Got to be something along those lines. If you have a bigger newtork with a guest anchor WLC handling this function you dont run into this as the traffic is coming over an EOIP tunnle from the remote WLC so the switch with the guest anchor WLC doesnt see the MAC address of the wired guest PC.

• WLC as a Mobility Anchor for guest access - Management on DMZ or not DMZ

  When using Guest Access Cisco recommend a Mobility Anchor Controller be placed on a DMZ and the guest access wireless Lan is tunneled to this controller.  This means that 2 DMZ subnetworks are required - one for the management interface and one for the wireless lan's dynamic interface itself.
  I am trying to see if there are any disadvantages/security risks using 2 physical ports on the controller (no LAG) and placing one on a corporate network inside the firewall for management and to terminate the mobility anchor tunnel, and one outside the firewall on a DMZ for the wireless lan's dynamic interface.
  Advantages that I see are that no tunnels need to go though a firewall, management of the WLC is kept completely inside the corporate network, protected by the firewall and not left on the DMZ.
  Thanks.

  OK, so to recap;
  - place the 2nd WLC in the DMZ with only 1 port (set for dynamic AP management)?
  - Then Anchor the guest SSID (on it's DMZ IP instead of management IP as is now)
  And to make that kind of anchoring work, I have to open ports below on the firewall.. right?
  UDP port 16666 for inter-WLC  communication, and IP protocol ID 97 Ethernet in IP for client traffic.
  and:
  •TCP 161 and 162 for SNMP 
  •UDP 69 for TFTP 
  •TCP 80 or 443 for HTTP, or HTTPS for GUI access 
  •TCP 23 or 22 for Telnet, or SSH for CLI access
  Thanks to confirm that

• Wireless Guest Access with 802.1X (PEAP/MSCHAPv2) and ISE?

  Hi,
  I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
  The WLCs are running 7.3 and ISE is 1.1.1
  I'm trying to setup wireless guest access, where the guests connect to a SSID with 802.1X using PEAP/MSCHAPv2.
  They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
  The credentials will be created by the sponsor, using the sponsor portal on the ISE.
  Now to the questions:
  Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
  Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
  When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
  As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
  Thankyou very much :-)
  Best Regards,
  Niels J. Larsen

  Hi,
  I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
  The WLCs are running 7.3 and ISE is 1.1.1
  I'm trying to setup wireless guest access, where the guests connect to a SSID with 802.1X using PEAP/MSCHAPv2.
  They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
  The credentials will be created by the sponsor, using the sponsor portal on the ISE.
  Now to the questions:
  Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
  Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
  When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
  As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
  Thankyou very much :-)
  Best Regards,
  Niels J. Larsen

• Guest Access in 4.2.112/130 code

  I've just upgraded our controllers from 4.1.185 to 4.2.130 and have noticed some new settings and features for Guest access, specifically on the interfaces and the wlans. Can some one point me to an updated guide on the explanation of these new additions and the recommend setup now? Until I see an explanation on paper so as I can fully understand it, I don't want to change my current setup. i.e. Guest Lan, Ingress Interface, Egress Interface.

  Here is an even better link:
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml
  the nutshell....
  "A growing number of companies recognizes the need to provide Internet access to its customers, partners, and consultants when they visit their facilities. With the new Wired Guest Access feature support on the Cisco WLAN Controllers that uses Cisco Unified Wireless Software Release 4.2.61.0 and later, IT managers can provide wired and wireless secured and controlled access to the Internet for guests on the same wireless LAN controller.
  Guest users must be allowed to connect to designated Ethernet ports and access the guest network as configured by the administrator after they complete the configured authentication methods. Wireless guest users can easily connect to the WLAN Controllers with the current guest access features. In addition, WCS, along with basic configuration and management of WLAN Controllers, provides enhanced guest user services. For customers who have already deployed or plan to deploy WLAN Controllers and WCS in their network, they can leverage the same infrastructure for wired guest access. This provides a unified wireless and wired guest access experience to the end users."

• Guest Access with Inter-vlan Mobility

  I have a setup as follows
  Two datacenters each with one wlc5500, one guest access server and one internet circuit with firewall.
  LWAPs connect to the data centres over a WAN.
  Each LWAP has two SSIDs one guest with web auth and one private with 802.1x.
  Site1 has 40 APs and site2 has 10 APs.
  The best scenario would be to have 30 APs on each controller but this means that there would be a mix of APs centrally switched on different VLANs for the guest wlan.
  Is there any way to anchor clients that intially associate to WLC1 so that if they roam on to WLC2 they keep the same IP address from datacentre 1. Similarly those that associate to WLC2 keep their IP from datacentre 2 if they roam to WLC1. Finally if either WLC1 or WLC2 fail then all clients re-associate to the active WLC at one DC. All the config guides so far only depict one internet circuit so I can't work out if this is possible yet. So far with both WLCs active the client changes address as they roam to the other WLC.
  I would like to avoid creating a L2 link beween DCs if possible

  Thanks for looking
  (Cisco Controller) >show wlan 3
  WLAN Identifier.................................. 3
  Profile Name..................................... guest
  Network Name (SSID).............................. GUEST
  Status........................................... Enabled
  MAC Filtering.................................... Disabled
  Broadcast SSID................................... Enabled
  AAA Policy Override.............................. Disabled
  Network Admission Control
  NAC-State...................................... Disabled
  Quarantine VLAN................................ 0
  Number of Active Clients......................... 0
  Exclusionlist Timeout............................ 60 seconds
  Session Timeout.................................. 1800 seconds
  CHD per WLAN..................................... Enabled
  Webauth DHCP exclusion........................... Disabled
  Interface........................................ guest-vlan
  WLAN ACL......................................... unconfigured
  DHCP Server...................................... 10.18.227.10
  DHCP Address Assignment Required................. Enabled
  --More-- or (q)uit
  Quality of Service............................... Silver (best effort)
  Scan Defer Priority.............................. 4,5,6
  Scan Defer Time.................................. 100 milliseconds
  WMM.............................................. Allowed
  Media Stream Multicast-direct.................... Disabled
  CCX - AironetIe Support.......................... Enabled
  CCX - Gratuitous ProbeResponse (GPR)............. Disabled
  CCX - Diagnostics Channel Capability............. Disabled
  Dot11-Phone Mode (7920).......................... Disabled
  Wired Protocol................................... None
  IPv6 Support..................................... Disabled
  Passive Client Feature........................... Disabled
  Peer-to-Peer Blocking Action..................... Disabled
  Radio Policy..................................... 802.11b and 802.11g only
  DTIM period for 802.11a radio.................... 1
  DTIM period for 802.11b radio.................... 1
  Radius Servers
  Authentication................................ Global Servers
  Accounting.................................... Global Servers
  Dynamic Interface............................. Disabled
  Local EAP Authentication......................... Disabled
  Security
  --More-- or (q)uit
  802.11 Authentication:........................ Open System
  Static WEP Keys............................... Disabled
  802.1X........................................ Disabled
  Wi-Fi Protected Access (WPA/WPA2)............. Disabled
  CKIP ......................................... Disabled
  Web Based Authentication...................... Enabled
  ACL............................................. Unconfigured
  Web Authentication server precedence:
  1............................................... local
  2............................................... radius
  3............................................... ldap
  Web-Passthrough............................... Disabled
  Conditional Web Redirect...................... Disabled
  Splash-Page Web Redirect...................... Disabled
  Auto Anchor................................... Disabled
  H-REAP Local Switching........................ Disabled
  H-REAP Learn IP Address....................... Enabled
  Client MFP.................................... Optional but inactive (WPA2 not configured)
  Tkip MIC Countermeasure Hold-down Timer....... 60
  Call Snooping.................................... Disabled
  Roamed Call Re-Anchor Policy..................... Disabled
  Band Select...................................... Disabled
  Load Balancing................................... Disabled
  --More-- or (q)uit
  Mobility Anchor List
  WLAN ID IP Address Status
  (Cisco Controller) >?
  (Cisco Controller) >show wln 3
  Incorrect usage. Use the '?' or key to list commands.
  (Cisco Controller) >
  (Cisco Controller) >
  (Cisco Controller) >
  (Cisco Controller) >show wlan 3
  WLAN Identifier.................................. 3
  Profile Name..................................... guest
  Network Name (SSID).............................. GUEST
  Status........................................... Enabled
  MAC Filtering.................................... Disabled
  Broadcast SSID................................... Enabled
  AAA Policy Override.............................. Disabled
  Network Admission Control
  NAC-State...................................... Disabled
  Quarantine VLAN................................ 0
  Number of Active Clients......................... 1
  Exclusionlist Timeout............................ 60 seconds
  Session Timeout.................................. 1800 seconds
  CHD per WLAN..................................... Enabled
  Webauth DHCP exclusion........................... Disabled
  Interface........................................ guest-vlan
  WLAN ACL......................................... unconfigured
  DHCP Server...................................... 10.253.128.10
  DHCP Address Assignment Required................. Enabled
  --More-- or (q)uit
  Quality of Service............................... Silver (best effort)
  Scan Defer Priority.............................. 4,5,6
  Scan Defer Time.................................. 100 milliseconds
  WMM.............................................. Allowed
  Media Stream Multicast-direct.................... Disabled
  CCX - AironetIe Support.......................... Enabled
  CCX - Gratuitous ProbeResponse (GPR)............. Disabled
  CCX - Diagnostics Channel Capability............. Disabled
  Dot11-Phone Mode (7920).......................... Disabled
  Wired Protocol................................... None
  IPv6 Support..................................... Disabled
  Passive Client Feature........................... Disabled
  Peer-to-Peer Blocking Action..................... Disabled
  Radio Policy..................................... 802.11b and 802.11g only
  DTIM period for 802.11a radio.................... 1
  DTIM period for 802.11b radio.................... 1
  Radius Servers
  Authentication................................ Global Servers
  Accounting.................................... Global Servers
  Dynamic Interface............................. Disabled
  Local EAP Authentication......................... Disabled
  Security
  --More-- or (q)uit
  802.11 Authentication:........................ Open System
  Static WEP Keys............................... Disabled
  802.1X........................................ Disabled
  Wi-Fi Protected Access (WPA/WPA2)............. Disabled
  CKIP ......................................... Disabled
  Web Based Authentication...................... Enabled
  ACL............................................. Unconfigured
  Web Authentication server precedence:
  1............................................... local
  2............................................... radius
  3............................................... ldap
  Web-Passthrough............................... Disabled
  Conditional Web Redirect...................... Disabled
  Splash-Page Web Redirect...................... Disabled
  Auto Anchor................................... Disabled
  H-REAP Local Switching........................ Disabled
  H-REAP Learn IP Address....................... Enabled
  Client MFP.................................... Optional but inactive (WPA2 not configured)
  Tkip MIC Countermeasure Hold-down Timer....... 60
  Call Snooping.................................... Disabled
  Roamed Call Re-Anchor Policy..................... Disabled
  Band Select...................................... Disabled
  Load Balancing................................... Disabled
  --More-- or (q)uit
  Mobility Anchor List
  WLAN ID IP Address Status
  (Cisco Controller) >?

• Guest access in bridge mode

  I want to set up a secure wireless network in our small office that will also allow clients to access the internet while in our waiting area. I also want to maintain our current wired network, which is connected to the internet through a Nortel router, connected to a DSL modem. Where would the Airport extreme be installed? - i.e., upstream or downstream from the router? Also, looking over Apple's network documentation, it appears that the Airport Extreme would be in Bridge mode when configured on an existing ethernet network with router, but the documentation is clear on the issue of setting up guest access in this kind of configuration.
  In case you have not guessed, I am not an IT guy, so will be grateful for any helpful suggestions

  Blind Lemon wrote:
  I want to set up a secure wireless network in our small office that will also allow clients to access the internet while in our waiting area. I also want to maintain our current wired network, which is connected to the internet through a Nortel router, connected to a DSL modem. Where would the Airport extreme be installed? - i.e., upstream or downstream from the router? Also, looking over Apple's network documentation, it appears that the Airport Extreme would be in Bridge mode when configured on an existing ethernet network with router, but the documentation is clear on the issue of setting up guest access in this kind of configuration.
  Guest access and bridge mode are incompatible on AirPort base stations. I'd connect an AirPort Extreme to your DSL modem, connect your wired network connections to the Ethernet ports of the AirPort Extreme, and take the Nortel router out of service. Depending on how many wired connections you need, you may also need an Ethernet switch. Besides the WAN port, an AirPort Extreme only has three available Ethernet ports.