WLC Guest Access Randomly and Print

Hi all, in my company have asked me a solution where automatically creates the guest account with username and password randomly. Is this solution possible to implement? With only the WLC?    p.s. you also know which models \ brands of printers allow you to press a button and print a receipt(with user\password) that can be integrated with the WLC??  Thank you.

Hi Marco,
WCS is software of license. right. But it is now being replaced by NCS; its elder brother, which is an appliance. I think WCS now is out of sale and NCS is what is available (not sure).
No modifications need to be done on WLC. you only add the WLC to the WCS (or NCS). This needs correct SNMP information to be configured on both sides.
If you have some programming experience you may implement the random username/password implementation yourself. Just capture the traffic when WCS send an SNMP packet to the WLCs to create the guest account. Whenever you want to create a user you specify same packet but change the usrename and the password and send the same packet to the WLC. Of course you need the sender IP address to the SNMP community list in the WLC.
For the printer part it is a bit harder. your program should be integrated with the printer and prapare the layout that will be printed.
HTH
Amjad

Similar Messages

  • Cisco WLC Whitelist for Guest Access? and securing guest-access?

    Is it possible to allow certain websites to bypass the web authentication pages, so that they do not need to autnehticate to get to our own website, but do have to if they wish to go anywhere else?
    Looking at a 5508 model at the moment
    Thanks

    Hello Stephen,
    Exactly how long is "an extended period of time?" Also, is this period enforced in the controller in some way, and if so, can it be configured?
    I'm asking because I have a WLAN for guests with a pre-authentication ACL allowing VPN traffic (ESP, IKE, SSL).
    For "normal" use of this guest WLAN you have to click on an "accept" button on a captive portal page before you can get anywhere with traffic not matching the pre-auth ACL.
    The pre-auth ACL does actually work, but it stops passing any traffic after 5 minutes of use per user. This happens every time and is 100% repeatable.
    So I'm very interested to know if we can change this apparent 5 minute restriction in some way.
    Thanks!
    Chris Slater-Walker
    Senior System Analyst
    Nokia UK Ltd.

  • WLC Guest Access Internet Routing

    Not sure if this the right forum, but i'm wondering if anyone can explain this.
    I have a trunk from the wlc to my router with one switch in between. 
    wlc---trunk----3560---trunk---2821
    The interface on the wlc and the 2821 both have an ip address and can ping each other.  When a wireless client connects to the guest network they cannot access the internet unless the 3560 switch has an ip address set on the vlan that is trunked from the wlc to the router
    wlc(vlan 825 - 10.7.200.2)----trunk-----3560(vlan 825 - 10.7.200.3)-----trunk-----2821(vlan825 - 10.7.200.1)
    The gateway for the clients is 10.7.200.1 which is the router.  If i take the ip address off of the vlan interface on the 3560 the trunk is still there, but the clients on the guest network cannot get through.  The gateway on the interface on the wlc is also set to 10.7.200.1
    Any ideas why I need that ip address on the 3560?
    Dan.

    Hi Dan,
    you may send the switch "show tech" and the WLC "show run-config" taken with the problematic config for a quick look.
    Regards,
    Federico

  • WLC Guest access to managment IP

    Hy! I've setup a Guest Wireless Acess using web auth. I've created a new dynamic interface with an IP range different from the one used in the production SSID.
    I've created a new VLAN in core switches (L2) and connected a Internet acess only router in the VLAN.
    The DHCP is handled by the WLC and is working fine. The network has the Internet Router as the Gateway.
    The issue is that from the wireless guest client I can ping the WLCs Management Interface (complete different network). I've accessed the Internet router and from there I can't reach the Management Interface. The good news is that even beeing able to reach the Management IP wireless guest can't access the controller, but still this is odd and raises all kind of questions about security.
    Has anyone experienced this same thing? Can anyone explain what is happening?
    Thanks,
    Tiago Molinos

    Well if you can ping the management interface of the wlc, then make sure you have management via wireless disabled. On you L3 interface, create some ACL's to deny guest network to your internal network.

  • WLC Guest access Daily user/password

    Hi,
      I have a WLC 2100 and 1131 LAP's does anyone know whether it is possible to create a local net guest user that either has a changing daily password or whether it is possible to create multiple users that are only valid for a specific time period. Basically all i want to do is, once a month create new users or passwords for each day of the month and the credentials are only valid for that day.  I can see that i can time limit users but this would mean creating the user at midnight every day.
    Many Thanks

    Hi,
    Q1: it is possible to create a local net  guest user that either has a changing daily password?
    A1: No that is not possibe on WLC local guest users
    Q2: it is  possible to create multiple users that are only valid for a specific  time period?
    A2: Yes, you have lifetime per guest user that can be configured.
    For your requireent, You need to maybe have a look to other Guest appliance like the NAC Guest Server, or create the user DB on ACS Radius Server for time restrictions.
    Thx
    Serge

  • WLC Wireless Guest Access

    Hi
    When a user attempts to connect to a WLC
    guest access SSID, does the web login page open up automatically?
    Also is the web login page "https" secure rather than "http" clear text
    Mark

    As long as the WLC can resolve the users home page, which is not an intranet site or https, then the user will get a certificate error page first in which he or she will have to accept. Then he or she will get the webauth page. To eliminate the certificate error page, you need to install a 3rd party certificate, one that is standard on the device trusted certificate store.

  • Guest Access with Inter-vlan Mobility

    I have a setup as follows
    Two datacenters each with one wlc5500, one guest access server and one internet circuit with firewall.
    LWAPs connect to the data centres over a WAN.
    Each LWAP has two SSIDs one guest with web auth and one private with 802.1x.
    Site1 has 40 APs and site2 has 10 APs.
    The best scenario would be to have 30 APs on each controller but this means that there would be a mix of APs centrally switched on different VLANs for the guest wlan.
    Is there any way to anchor clients that intially associate to WLC1 so that if they roam on to WLC2 they keep the same IP address from datacentre 1. Similarly those that associate to WLC2 keep their IP from datacentre 2 if they roam to WLC1. Finally if either WLC1 or WLC2 fail then all clients re-associate to the active WLC at one DC. All the config guides so far only depict one internet circuit so I can't work out if this is possible yet. So far with both WLCs active the client changes address as they roam to the other WLC.
    I would like to avoid creating a L2 link beween DCs if possible

    Thanks for looking
    (Cisco Controller) >show wlan 3
    WLAN Identifier.................................. 3
    Profile Name..................................... guest
    Network Name (SSID).............................. GUEST
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
    NAC-State...................................... Disabled
    Quarantine VLAN................................ 0
    Number of Active Clients......................... 0
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 1800 seconds
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ guest-vlan
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... 10.18.227.10
    DHCP Address Assignment Required................. Enabled
    --More-- or (q)uit
    Quality of Service............................... Silver (best effort)
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... 802.11b and 802.11g only
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
    Authentication................................ Global Servers
    Accounting.................................... Global Servers
    Dynamic Interface............................. Disabled
    Local EAP Authentication......................... Disabled
    Security
    --More-- or (q)uit
    802.11 Authentication:........................ Open System
    Static WEP Keys............................... Disabled
    802.1X........................................ Disabled
    Wi-Fi Protected Access (WPA/WPA2)............. Disabled
    CKIP ......................................... Disabled
    Web Based Authentication...................... Enabled
    ACL............................................. Unconfigured
    Web Authentication server precedence:
    1............................................... local
    2............................................... radius
    3............................................... ldap
    Web-Passthrough............................... Disabled
    Conditional Web Redirect...................... Disabled
    Splash-Page Web Redirect...................... Disabled
    Auto Anchor................................... Disabled
    H-REAP Local Switching........................ Disabled
    H-REAP Learn IP Address....................... Enabled
    Client MFP.................................... Optional but inactive (WPA2 not configured)
    Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    --More-- or (q)uit
    Mobility Anchor List
    WLAN ID IP Address Status
    (Cisco Controller) >?
    (Cisco Controller) >show wln 3
    Incorrect usage. Use the '?' or key to list commands.
    (Cisco Controller) >
    (Cisco Controller) >
    (Cisco Controller) >
    (Cisco Controller) >show wlan 3
    WLAN Identifier.................................. 3
    Profile Name..................................... guest
    Network Name (SSID).............................. GUEST
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
    NAC-State...................................... Disabled
    Quarantine VLAN................................ 0
    Number of Active Clients......................... 1
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 1800 seconds
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ guest-vlan
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... 10.253.128.10
    DHCP Address Assignment Required................. Enabled
    --More-- or (q)uit
    Quality of Service............................... Silver (best effort)
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... 802.11b and 802.11g only
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
    Authentication................................ Global Servers
    Accounting.................................... Global Servers
    Dynamic Interface............................. Disabled
    Local EAP Authentication......................... Disabled
    Security
    --More-- or (q)uit
    802.11 Authentication:........................ Open System
    Static WEP Keys............................... Disabled
    802.1X........................................ Disabled
    Wi-Fi Protected Access (WPA/WPA2)............. Disabled
    CKIP ......................................... Disabled
    Web Based Authentication...................... Enabled
    ACL............................................. Unconfigured
    Web Authentication server precedence:
    1............................................... local
    2............................................... radius
    3............................................... ldap
    Web-Passthrough............................... Disabled
    Conditional Web Redirect...................... Disabled
    Splash-Page Web Redirect...................... Disabled
    Auto Anchor................................... Disabled
    H-REAP Local Switching........................ Disabled
    H-REAP Learn IP Address....................... Enabled
    Client MFP.................................... Optional but inactive (WPA2 not configured)
    Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    --More-- or (q)uit
    Mobility Anchor List
    WLAN ID IP Address Status
    (Cisco Controller) >?

  • E2500 with multiple APs for guest access

    I got 5 E2500 routers and the main one has setup to IP address 192.168.1.254 and the rest APs are programmed into the bridge mode with the IP address 192.168.1.245 through 248. The secured wireless network  works fine when I roaming between these APs but the only AP that I can get internet access for guest wireless network is the main (192.168.1.254) router; for every other APs, I will get the guest log on screen (prompt for guest access password) and no internet access after I type in the correct access password. Does the E2500 support multiple APs guest or it requires a special way to configure it? Please help...
    Jim

    Guest Access allows you to provide Internet connection to your guests, however, they will not have access to your computers or other personal data. When you set up your Valet or Linksys Wireless-N router, the Cisco Connect software will create two wireless networks with the same Wireless Network Name (SSID) that differs from one another by a -guest suffix to one of the wireless network names.
    So first of all remove all the networks from the preferred list of the computer and then try to connect.  

  • WCS Guest access account creation - options

    Hi,
    I'm looking in to different options for creating guest access accounts and need some help.  I'm new to the product and bascially have been asked if there are any other options that the Web GUI to create account.  We would like trigger the creation of an account using work flow.  Saw that there are We services availble with NAC but not sure how the products relate
    It's a new setup - so assume the latest verion of WCS is being used.
    Thanks
    Alex

    couple of thoughts as I'm going through the process of setting up guest access right now.
    1) use RADIUS and maintain the accounts through a RADIUS solution that provides the UI you desire.
    2) another thread somewhere here pointed to http://sourceforge.net/projects/simple-swag/ which is a web-based user account creator.
    3) use an external authentication page and perform the auth there.
    we don't require guests to have accounts but we do limit when it is available at our various locations.

  • Wireless Guest Access through 4404, bandwidth limiting.

    We are currently running a Guest SSID on our network and pumping it out through a DSL line and it's working great. However, as we've expanded our LWAPP conversion and offering the Guest SSID to more area's, my DSL line has become very saturated and we're not in area that can get a bigger pipe. IS there a radius attribute that I can use through ACS that the 4404 controllers will recognize to limit the users bandwidth? In the past when using an opensource solution for guest access (ChiliServ and FreeRadius) I was able to use the WiSPr attributes:
    WISPr-Bandwidth-Max-Down
    WISPr-Bandwidth-Max-Up
    and it worked pretty well. What does one do in this case? I know I can pass Airespace attributes with ACS, but I don't see anything that will minimize bandwidth unless I'm just not understanding the QoS tagging.

    I am using webauth, but where does the role information go into the radius server, specifically ACS? In the document it states how to install the airspace vsa's. In ACS 4.2 I already have the airspace vsa's available i.e. airspace-qos-level. Is this the attribute that is needed to send the Role inforamtion? If not, can you please provide this attribute? That's all I'm looking for is as to what attribute is needed by the controller to receive the role information. from a per-user level or whatever. I do have the vsa's working since my original post and having upgraded the controller software (before it would stop sending traffic) so I can now pass the airspace-qos-level if this is the right attribute, but the most important thing about this attribute is that I only have Bronze to Uranium listed in ACS. If this is the attribute to send role information? How do I add more to this list as it is a drop down box not a text box where I can put in my own information.

  • ISE with CWA and wired guest access via WLC Anchor

    Can an Anchor WLC (WLCa) provide a wired guest LAN service if the wlan guest access is using CWA?
    We are deploying a WLAN only ISE solution (it is a full license ISE though) but they just want a few wired guest ports.  I was hoping to add L2 switch to the DMZ where the WLCa is and that the L2 switch wouldnt need any other config as the WLCa just bridges the wired to the wlan vlan.  This Im sure i have done before.
    So now I have set wiredguest the same as i have done before ISE and my wired clients get an IP address, but when they redirect, the URL they get is different, and the redirect just doesnt work.
    It comes out as:
    https://my_ise_ip:8443/guestportal/Login.action?switch_url=https://my_ise_host/login.html&wlan=my_wired_guest_lan&redirect=www.google.co.uk
    So does my simple L2 only switch need an ISE config on it or should the WLCa be handling or the redirection just as it would for a wlan device.

    The ISE never receives an auth entry, so i dont believe the redirect is working for the wired client.  So even though the clients browser gets a redirect url which fails connection, the client info in the WLCa doesnt have a redirect ACL listed like a wlan client would

  • WLC and ISE guest access COA

    We are migrating to ISE for guest access and are having problems with the COA being delivered after a successful authentication.  ISE attempts to send it but nothing changes on the WLC.  The message in ISE is Dynamic Authorization failed and a message that ISE didn't receive a response from the NAD, verify communication.  What is odd is the original guest request comes in from the IP address of the service port on the WLC but anything doing with the COA is seen from the management.  I have both IP's defined for the device in ISE.  I am about to do a session reauthentication within ISE and the WLC applies the changes.  I have verified that RFC 3576 is enabled, but the show radius rfc3576 stats shows no values.  The WLC is running 7.6.130.  I have attempted to debug on the WLC side to see if the message is even being delivered but non the debugs i have attempted seem to offer any good information.
    Anyone have any suggestions?  
    Thanks,
    Joe

    Hi Joe,
    I dont really know what you are trying to do with the COA , as it is used in the CWA solution and BYOD solution as well. But even before trying that , I would advise you to go step by step and solve the n/w issue first. You are able to see the request from service port which should not happen because then the incoming/outgoing traffic takes different path. You must be facing this situation as you might have some network routes matching ISE subnet/Ip address in the GUI>Controller>Network routes as there is no need of those routes. If the service port needs to be used during controller down scenario then use a laptop in the same subnet of Service port ip and connect to the service port.
    Regards
    Dhiresh
    **Please rate helpful posts**

  • LWA Guest Access with ISE and WLC

    Hi guys,
    Our Company try to implement Guest Access with ISE dan WLC with Local Web Auth Method. But there is problem that comes up with the certificate. This is the scenario :
    1. Guests try to connect wifi with SSID Guest
    2. Once it connect, guests open the browser and try to open a webpage (example: cisco.com)
    3. Because, guests didn't login, so it redirect to "ISE Guest Login Page" (url became :
    https://ise-hostname:8443/guestportal/Login.action?switch_url=https://1.1.1.1/login.html&wlan=Guest&redirect=www.cisco.com/
    4. If there is no ISE Guest Login Page installed, message Untrusted Connection message will appear, but it will be fine if they "Add Exception and install the certificate"
    5. After that the Guest Login Page will appear, and guests input their username and password.
    6. Login success and they will be redirected to www.cisco.com and there is pop up from 1.1.1.1 (WLC Virtual Interface IP) with logout button.
    The problem happen in scenario 6, after login success, the webpage with ISE IP address and message certificate error for 1.1.1.1 is appear.
    I know it happened when guests didn't have the WLC Login Page Certificate...
    My Question is, is there a way to tunneling WLC Certificate on ISE ? Or what can we do to make ISE validate WLC Certificate, so guests doesn't need to install WLC Certificate/ Root Certificate before connect to Wifi ?
    Thx 4 your answer and sorry for my bad English....

    Thx for your reply Peter, your solution is right,
    i don't choose CWA, because their DNS is not stable...
    i've found the problem...
    the third-party CA is revoked, so there is no way it will success until it fixed...
    and there is no guarantee, they will fix it soon..
    so solution that we choose is by disable "HTTPS" on WLC...
    "config network web-auth secureweb disable".
    "config network web-auth secureweb disable".
    "config network web-auth secureweb disable".
    "config network web-auth secureweb disable".
    "config network web-auth secureweb disable"
    thank you all...

  • Configuring Guest Access using 2 LWAPs and 2504 WLC

    Please advise,
    I have 2 APs, Cisco Aironet 1040, and 2504 WLC.
    Is it possible to configure guest access (Guest SSID/VLAN and Corporative SSID/VLAN) without dedicated guest WLC in DMZ?

    Yes you can. You can have up to 16 SSIDs per AP, but not suggested to have all 16. You can either use one port on the 2504 for both SSID/vlan or specify which port is for corporate and which one is for guest.
    Thanks,
    Scott Fella
    Sent from my iPhone

  • Wireless Guest Access with 802.1X (PEAP/MSCHAPv2) and ISE?

    Hi,
    I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
    The WLCs are running 7.3 and ISE is 1.1.1
    I'm trying to setup wireless guest access, where the guests connect to a SSID with 802.1X using PEAP/MSCHAPv2.
    They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
    The credentials will be created by the sponsor, using the sponsor portal on the ISE.
    Now to the questions:
    Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
    Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
    When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
    As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
    Thankyou very much :-)
    Best Regards,
    Niels J. Larsen

    Hi,
    I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
    The WLCs are running 7.3 and ISE is 1.1.1
    I'm trying to setup wireless guest access, where the guests connect to a SSID with 802.1X using PEAP/MSCHAPv2.
    They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
    The credentials will be created by the sponsor, using the sponsor portal on the ISE.
    Now to the questions:
    Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
    Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
    When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
    As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
    Thankyou very much :-)
    Best Regards,
    Niels J. Larsen

Maybe you are looking for

  • How to assign a printer to a script form

    Hi Experts, can any one of you help me in expaling thsi with code elaboratly. bcos i have seen some section scrren with requesting an output device. but the end user is always using a transaction  whre he can't give any printer name. see below. selec

  • XI - Closing request for each new coming file

    Hi all, I will receive files from XI system to BW (csv files). I have a scenario like this; each new file that has been received by Bw system (pushed by XI) has to be exactly one request in PSA. That means one file will be one request in PSA. There s

  • How to transfer data from ECC to CRM via IDocs (Clfmas01),

    Hi all, how to transfer data from ECC to CRM via IDocs (Clfmas01), that to material master data from ECC to Production master data in CRM.     Need Information regarding, how to upload file to CRM from ECC, through, IDocs......Plz help me... Edited b

  • Adjusting border size when printing

    I'm trying to print photos. Last time I did this, I could adjust the size of the image within the given paper size (4x6) with a simple slider control. This made the white border around the picture bigger or smaller accordingly. I'm not finding the sl

  • Y2K Info forum - Forte users in NZ/AUS please takenote

    Hi All, We're the distributors for Forte Software in Southern Africa. We'd like to set up a communication forum for any Y2K issues surfacing at midnight on 31/12/1999. Since NZ and AUS are at least 8 hours ahead of us, these are the Forte users we'd