WLC to ISE authentication for Guest

Hi Experts,
I hope you can guide me with our setup for guest users. Below is what we are doing:
a) Guest connects to the SSID
b) WLC is used to redirect guest HTTP to the WLC internal portal
c) WLC forwards the guest authentication details to Cisco ISE [ISE and WLC RADIUS]
The guest connects to the SSID and does get the WLC portal for authentication, but when the username and password are entered, on Cisco ISE I see the error message
'User Identity not found in any of Identity Store', though it is going through the correct store and the guest name is certainly configured on Cisco ISE. The ISE version is 1.2 and the WLC is 7.4; please let me know if I am missing anything here.
Appreciate your help

The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning. The flow includes these steps:
Please follow the guide below for step-by-step configuration:
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
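The answer above describes the controller collecting the credentials from the portal and then doing a RADIUS authentication against ISE. The following is an added example, not code from the original post or from Cisco: an offline RFC 2865 PAP exchange in which a toy "WLC" builds the Access-Request the controller would send after the web-auth form is submitted, and a toy "ISE" looks the user up in an identity store and answers Access-Accept or Access-Reject with a Reply-Message. The identity store contents, the shared secret and the NAS address are made up. Two checks a practitioner wants are built in: the client only trusts a reply whose Response Authenticator validates under the shared secret (so a secret mismatch surfaces as an untrusted reply rather than a misleading reject), and the reject reason for an unknown user is the message quoted in the question, to show that this particular text comes from the server's store lookup, not from the controller.

```python
# Added example (not from the original post or any Cisco code): an offline
# RFC 2865 PAP exchange between a toy "WLC" client and a toy "ISE" server.
# The identity store, shared secret and NAS address below are made up.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18

SHARED_SECRET = b"example-secret"            # assumed; must match on WLC and ISE
IDENTITY_STORE = {"guest01": "Welcome123"}   # constructed guest store

def _attr(atype, value):
    """One type/length/value attribute (length includes the 2-byte header)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16 bytes and XOR each chunk with an MD5 chain."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password; the chain key uses the previous cipher chunk."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def parse_attrs(payload):
    attrs, i = {}, 0
    while i < len(payload):
        atype, alen = payload[i], payload[i + 1]
        attrs[atype] = payload[i + 2:i + alen]
        i += alen
    return attrs

def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + req_auth + attrs + secret).digest()

def build_access_request(ident, username, password, nas_ip, secret=SHARED_SECRET):
    """What the controller sends after the web-auth form is submitted (PAP)."""
    req_auth = os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return _packet(ACCESS_REQUEST, ident, req_auth, attrs)

def handle_request(packet, secret=SHARED_SECRET, store=IDENTITY_STORE):
    """Toy ISE: recover the PAP password, consult the store, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    user = attrs[USER_NAME].decode("utf-8", "replace")
    pw = reveal_password(attrs[USER_PASSWORD], secret, req_auth)   # bytes
    if user not in store:
        rcode, reason = ACCESS_REJECT, b"User Identity not found in any of Identity Store"
    elif not hmac.compare_digest(store[user].encode(), pw):
        rcode, reason = ACCESS_REJECT, b"Wrong password"
    else:
        rcode, reason = ACCESS_ACCEPT, b""
    reply_attrs = _attr(REPLY_MESSAGE, reason) if reason else b""
    auth = response_authenticator(rcode, ident, req_auth, reply_attrs, secret)
    return _packet(rcode, ident, auth, reply_attrs)

def verify_response(request, response, secret=SHARED_SECRET):
    """Toy WLC: accept the answer only if ID and Response Authenticator check out."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return None
    expected = response_authenticator(code, ident, request[4:20], response[20:length], secret)
    if not hmac.compare_digest(response[4:20], expected):
        return None
    reason = parse_attrs(response[20:length]).get(REPLY_MESSAGE, b"").decode()
    return code, reason

def authenticate(username, password, nas_ip="10.0.0.5", server_secret=SHARED_SECRET):
    """Full round trip; returns (code, reason), or None when the reply is not trusted."""
    request = build_access_request(7, username, password, nas_ip)
    return verify_response(request, handle_request(request, secret=server_secret))
```

Real controllers can send the web-auth credentials as PAP, CHAP or MD5-CHAP (selected on the WLC with `config custom-web radiusauth`); only PAP is modelled here, and a real ISE records the reject reason in its live authentications log rather than relying on a Reply-Message. The `server_secret` parameter exists purely to show the secret-mismatch case.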

Similar Messages

  • NAC guest server with RADIUS authentication for guests issue.

    Hi all,
We have just finally successfully installed our Cisco NAC Guest Server. We have version 2 of the server, and basically the topology consists of a WiSM at the core of the network and a 4402 controller at the DMZ, then out through the firewall; no issues with that. We do however have a few problems: how can we provide access through a proxy without using PAC files, obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a RADIUS attribute, etc.?
The second problem is more serious; refer to the documentation below from the configuration guide for NAC Guest Server v2. It states that hotspots can be used and that the Authentication option would allow RADIUS authentication for guests. I've been told otherwise by Cisco, and they say it can't be done. Has anyone got RADIUS authentication working for guests?
    https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
    -----START QUOTE-----
    Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
    •Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
    •Self Service—This option allows guest self service. After selection proceed to Step 8.
    •Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
    ----- END QUOTE-----
Your help is much appreciated on this. I've been looking forward to this project for a long time and it's a bit of an anticlimax that I can't authenticate guests with RADIUS (we use ACS and I was hoping to hook RADIUS into an ODBC database we have set up called Open Galaxy).
    Regards
    Kevin Woodhouse

Well, I will try to answer your second question... will it work... yes. It is like any other RADIUS server (high end :)). But why would you do this for guests... there is no reason to open up a port on your FW and to add guest accounts to it and, worse, add them in AD. Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest accounts and, if you look at it, it leaves everything in the DMZ.
Now if you are looking at self service... what does that really give you... you won't be able to control who gets on, people will use bogus info and, last but not least... I have never gotten that to work right. Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that. That is my opinion.

  • Generate one time authentication for Guest on Cisco WLC

    Hi All
Sorry for my question, because I have just started to work with Cisco WLC.
I have created some WLANs for local users with authentication by 802.1X + RADIUS with certificates.
For guests I used PSK with MAC filtering.
But I see that this is not comfortable for guests; each time they come and want to access our wireless, we have to come and get their MAC.
I checked on the Internet and found that the wireless solutions for hotels and resorts are very easy.
I also googled and saw that Cisco WLC supports Lobby Ambassador to generate guest username/password. But as I checked, this username/password might only be used with Web-Auth, and this method is not comfortable for guests who don't know they have to go to Web-Auth to do authentication (e.g. when they only get POP3 email, or VPN, ... and do not use browsers).
Could I use this method (or another method) for creating a one-time guest wireless username/password or guest PSK that can be used for authentication when guests click the wireless SSID name only (no need to open a web browser to do Web-Auth)?
    Regards
    Hai

    Hi Choudhary
Thank you very much for your information.
Could I reconfirm my concern?
With Cisco WLC, I can use WebAuth with guest users only.
If I want to use guest users for authentication when guests connect to the SSID (not by WebAuth; I mean using Layer 2 security only, not Layer 3), I will have to use an additional RADIUS server.
And if I understand right, could you please recommend me a software-based RADIUS server that supports generating one-time usernames/passwords for guests, because I checked IAS/NPS on Windows Server and it may not have this function (ISE is not appropriate for us at this time, due to the high expense).
    Regards
    Hai

  • ISE : Authentication for IKEv2

Just to check if anyone might be able to assist me regarding an issue that I am trying to work out a solution for.
My requirements are: multitenant deployment using ASR1K with IKEv2 VPN authenticated with ISE or ACS, and user databases in most cases will be in Active Directory. And authentication has to be with user and password.
EAP-MD5: does not work with LDAP integration with Active Directory; it does however work in RADIUS proxy mode, but the security level of password storage in AD has to be degraded a lot by allowing AD to store reversible passwords.
EAP-GTC: as far as I understand from everything I read, this might be the holy grail for U/P authentication for IKEv2. But in ISE and ACS EAP-GTC is only supported as an inner method in PEAP and EAP-FAST; will this change in the near future?
And is there possibly something else that I am missing which might be a solution to these design criteria?


  • RADIUS Authentication for Guest users

    Hi,
I currently use a 4402 WLC located in our DMZ to authenticate guest users; local authentication is in place. I would now like to set up RADIUS authentication via a Cisco NAC server. In order not to affect current guest users, I created a new WLAN and configured it with the RADIUS server details under WLANs->Edit->Security. I can associate to the new WLAN and obtain a DHCP address no problem, but when I browse to an external website, I do not get prompted for authentication from the RADIUS server. I don't see any auth requests hitting our firewall, so I am assuming the problem is with the WLC config.
    Can anyone provide any details of what config is required?
    Security Policy - Web-Auth
    Security-> L2 - None
    Security-> L3 - Authentication
    Security-> AAA Servers - Auth and Acc server set
    Many thanks
    Liam

Your setup sounds pretty okay. Have you got local user accounts set up on the WLC for the test WLAN? If you do, check to see that the priority order for web authentication for the test WLAN prefers the AAA account. You will have to do it directly on your controller, as I do not think you have that option in WCS.
    hope that helps

  • Local Authentication for Guest accounts created on WCS

I'm not sure this is technically possible, but I have a requirement to set up an SSID on a WLC whereby I can provision guest user accounts from the WCS and have the WLC/SSID authenticate against the guest account created on the WCS. The SSID would not be a web-auth/Layer 3 auth model but would preferably be able to utilise Layer 2 authentication (802.1X) against the account within WCS. Can anyone tell me if this is actually possible?
    Thanks in advance for your help.
    Cheers
    Sent from Cisco Technical Support iPad App

OK then... Sounds like you are already very familiar with the WLC.
Let's kick a few ideas around...
If you want to use WCS lobby then you can't use RADIUS, because WCS will not update RADIUS accounts. But you could use the WLC as a RADIUS server and store the guest account(s) on the WLC. Gives you 802.1X security, WCS lobby admin access and your guest accounts. You can also expire the accounts as well. So you would move the control from RADIUS to the WLC. You can also apply your QoS/bandwidth.
Another option would be to create RADIUS accounts. Set up your guest WLAN, point it to RADIUS. You can still apply a global bandwidth restriction within the QoS profile on the WLC.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Authentication for Guest Access

Hi, we are looking for a solution for either automated daily creation of guest user accounts or a console for clients to enter their details, which in turn creates the guest account on the controller.
If we go down the path of automation, policy requires a single username/password for each day. Unfortunately WLC scheduled guest account creation is not an option, as the recurrence doesn't change the password, but it would be a handy feature if Cisco would like to introduce it in a future release.
The CLI has the option to create 'config netuser add [name] [password] WLANID [X] userType guest lifetime [seconds]'. Can we schedule and email this from the CLI on the controller?
    Appreciate your time.
    Brendan

    Brendan,
Currently there is no way to automate this process. The process that has been developed is either an admin on the WLC/WCS creates the account or the use of the lobby admin feature. WCS has the lobby admin feature also to create accounts, but it isn't intended for guest users to create their own account.
The WLC doesn't have a schedule to enter a command via the CLI, but I bet you can develop some web-based guest creation that would send the command to the WLC and remember that command to remove it later.
    Sent from Cisco Technical Support iPhone App
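The reply above suggests an external script that sends the `config netuser add` line to the controller and remembers how to remove the account later. The following is an added example, not code from the thread or from Cisco, of the credential-generation half of that: it draws the password from a CSPRNG rather than from the date, sets the account lifetime so it expires at the next local midnight (one username/password per day, as the policy requires), and returns the matching removal line to keep on file. The controller is not contacted; shipping the lines over SSH is left to the caller. The `wlan` keyword form of the add command and the `config netuser delete username` removal form are my assumptions and should be checked against `config netuser ?` on the controller (the original post writes the WLAN argument as `WLANID [X]`).

```python
# Added example (not from the original thread): generate a one-day guest
# credential and the WLC CLI lines that create it and later remove it.
# The controller is not contacted here; the keyword forms of the two
# `config netuser` commands are assumptions to check against `config netuser ?`.
import secrets
import string
from datetime import datetime, timedelta

ALPHABET = string.ascii_letters + string.digits   # no CLI-sensitive characters


def seconds_until_midnight(now):
    """Lifetime that makes the account expire at the next local midnight."""
    midnight = (now + timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)
    return int((midnight - now).total_seconds())


def daily_password(length=12):
    """CSPRNG-backed password; never derive it from the date or a counter."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def daily_guest_commands(now_iso, wlan_id, username=None, password=None):
    """Return (create_cmd, delete_cmd, expires_iso) for one guest account.

    The create line follows the form quoted in the thread; the lifetime is
    computed so a fresh credential is needed each day, and the delete line is
    what to keep on file for cleanup if the account must be revoked early.
    """
    now = datetime.fromisoformat(now_iso)
    username = username or "guest" + now.strftime("%Y%m%d")
    password = password or daily_password()
    lifetime = seconds_until_midnight(now)
    create = (f"config netuser add {username} {password} "
              f"wlan {wlan_id} userType guest lifetime {lifetime}")
    delete = f"config netuser delete username {username}"   # assumed syntax
    expires = now + timedelta(seconds=lifetime)
    return create, delete, expires.isoformat()


if __name__ == "__main__":
    for line in daily_guest_commands(datetime.now().isoformat(), 2):
        print(line)
```

Whatever sends these lines to the controller holds management credentials for the WLC, so it belongs on a host that guests cannot reach, and the password should be delivered to the lobby (printed or emailed) from that host rather than logged alongside the command.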

  • ISE wireless web authentication for guest management not redirecting

    Hi forumers'
I face the problem that after connecting to the wireless guest network, it won't redirect me to the ISE guest portal. This happens on my iPhone. The iPhone is running iOS 5.0.1.
Whilst on a workstation it's working well.
Attached is a snapshot of what happens on the iPhone.
Any clue to troubleshoot? Thanks
    Noel

    Hi
I still fail whilst testing on my iPhone.
I'm not using the ISE self-signed certificate; I created a CSR and had it signed by the root CA server. So once I try to connect it won't prompt me to "accept certificate".
My WLC local auth certificate (vendor certificate) is signed by the same root CA server as well.
So I tested on a desktop running the Safari browser; it is able to redirect to the ISE guest portal.
Can you please suggest more troubleshooting guides?
Thanks
This is how the outcome looks in the Safari browser:
    Noel

  • WLC 2006 INTERNAL DHCP FOR GUESTS CLIENTS

I would like to use the internal DHCP to issue IP addresses to the guest wireless clients.
However, when I set up the WLC internal DHCP scope and try to connect to the wireless guest VLAN, the WLC debug DHCP reads "...forwarding to 192.168.255.2", which I have listed as the gateway to the PIX.
Any examples on how to do this would be great.
Here is what I have for the DHCP scope:
    Dhcp Scope Info
    Scope: Guest.Data.DHCP
    Enabled.......................................... Yes
    Lease Time....................................... 86400 (1 day )
    Pool Start....................................... 192.168.255.17
    Pool End......................................... 192.168.255.30
    Network.......................................... 192.168.255.0
    Netmask.......................................... 255.255.255.0
    Default Routers.................................. 192.168.255.2 0.0.0.0 0.0.0.0
    DNS Domain.......................................
    DNS.............................................. 0.0.0.0 0.0.0.0 0.0.0.0
    Netbios Name Servers............................. 0.0.0.0 0.0.0.0 0.0.0.0
Here is what I have for the WLAN:
    WLAN Identifier.................................. 2
    Network Name (SSID).............................. Guest.Data
    Status........................................... Disabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Number of Active Clients......................... 0
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. Infinity
    Interface........................................ guest.data
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Enabled
    Quality of Service............................... Silver (best effort)
    WMM.............................................. Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Radio Policy..................................... All
    Security
    802.11 Authentication:........................ Open System
    Static WEP Keys............................... Disabled
    802.1X........................................ Disabled
    Wi-Fi Protected Access (WPA/WPA2)............. Disabled
    CKIP ......................................... Disabled
    IP Security Passthru.......................... Disabled
    Web Based Authentication...................... Disabled
    Web-Passthrough............................... Disabled
    Auto Anchor................................... Disabled
    H-REAP Local Switching........................ Disabled
    Management Frame Protection................... E

When I try to associate the DHCP scope with the wireless.guest.data interface using 192.168.255.1, which is the IP of that interface, it will not let me. I would have thought that since I was using the internal DHCP, the .1 address would be the DHCP scope address also. I can assign 192.168.255.0 or 192.168.255.2 (gateway); if I use .0 or .2 the DHCP request (discovery) process starts and then will forward to .2 (gateway) and never assign an address. The only thing that happens is that the client wireless interface will get 255.255.255.255 for a few seconds, then it goes away.
What I am trying to accomplish is to connect WLC port 2 directly to a PIX 506 which goes to the Internet, so the guest traffic is not on our VLAN.
Any other suggestions on guest VLANs would be appreciated...
    Tom
    Interface Name................................... wireless.guest.data
    IP Address....................................... 192.168.255.1
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 192.168.255.2
    VLAN............................................. 150
    Quarantine-vlan.................................. no
    Physical Port.................................... 2
    Primary DHCP Server.............................. Unconfigured
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    ACL.............................................. Unconfigured
    AP Manager....................................... No
    Scope: wireless.guest.data.dhcp.server
    Enabled.......................................... Yes
    Lease Time....................................... 86400 (1 day )
    Pool Start....................................... 192.168.255.17
    Pool End......................................... 192.168.255.30
    Network.......................................... 192.168.255.0
    Netmask.......................................... 255.255.255.0
    Default Routers.................................. 192.168.255.2 0.0.0.0 0.0.0.0
    DNS Domain.......................................
    DNS.............................................. 0.0.0.0 0.0.0.0 0.0.0.0
    Netbios Name Servers............................. 0.0.0.0 0.0.0.0 0.0.0.0

  • 2504 WLC on edge network for guest wifi

I have a 2504 WLC with a 1042 AP, and I have it placed on my edge Cisco 3750 switch.
I have the management interface of the WLC set on my WAN IP 71.x.x.x subnet range, and I have the WLC doing DHCP duties with a DHCP scope of 192.168.X.0. I have my DNS servers set to external DNS servers out on the Internet.
I have two Cisco 3845 routers on my edge network, one for each ISP, running BGP.
Since my native VLAN is 71.x.x.x, I added a sub-interface on my main core router and gave it a 192.168.x.1 255.255.255.0 address for the gateway. Also, I added ip prefix-list iBGP seq 10 permit 192.168.x.0/24 le 32 to my main core router. On my secondary ISP router I added
ip prefix-list iBGP seq 10 permit 192.168.X.0/24 le 32, and ip prefix-list OUT seq 10 permit 192.168.x.0/24 statements.
I added VLAN 10 to my edge switch and gave it IP 192.168.x.2 255.255.255.0, and the switchports on the edge switch that my core router and my WLC are connected to are in trunk mode with encapsulation dot1q 10. The switchport on my edge switch that the AP is connected to is in switchport access mode.
I can connect to the wifi with a 192.168.x.x IP address on my laptop, but I cannot get any Internet access.
Is it possible to have the DHCP scope in a different subnet than my WAN IP subnet, and allow guests to get to the external Internet only? Do I need to put the WLC somewhere internal on my network, i.e. the DMZ, and then tunnel the traffic out to the Internet with no internal network access?
    Thanks for any help you can provide.

Right, and how does a 'normal/current' user access the Internet? Somewhere going to your ISP there should be some sort of NAT statement when you send interwebs traffic.
If your ISP is taking care of all of that for you, you probably need to let them know you added the subnet so they can do the NAT.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • WLC in a DMZ for guest access

I have one internal 4400 and one in a DMZ. I want to configure the DMZ WLC to provide guest Internet access. I am unable to find much information on doing this. I have a WLAN called Guest defined on both controllers, and both controllers are defined as mobility anchors. What I don't understand is how to configure the interfaces. Do both interfaces for the WLAN Guest need to be in the same VLAN and subnet? Example:
On the internal WLC, WLAN Guest is tied to an interface named Guest with an IP address of 172.26.254.5/24. What does the interface need to look like on the DMZ WLC?

    This should get you on the right track:
    http://www.cisco.com/en/US/products/ps6366/prod_technical_reference09186a0080706f5f.html
    Brad

  • WLC 2504 - French characters for guest web login page

    Good day,
    I have recently installed a WLC 2504 and I have the following issue:
When I modify the text for the web login page (under Security/Web Auth/Web Auth page), if I use French characters such as (é, è, à, etc.) in the message body, it does not show up correctly on users' computers. As we're a bilingual country, I must put a bilingual text message. Are there any settings or workarounds out there to rectify this?
    We're on version 7.2.103.0
    Thanks,
    Eric

    Thanks Scott, I'll have a look at the documentation.
Right after sending this post, I tried typing the actual HTML code for the character instead, and it seems to be working. I'm curious about the custom web-auth page; we may be able to customize it more than we thought we could.
    Cheers,
    Eric

  • WLC 5508 AD authentication for management

    Hi,
I was wondering if it is possible to set up a 5508 to authenticate to AD for management. Currently, all of our Cisco devices authenticate to AD through NPS running on a Windows 2008 server, and if the server is unavailable, they fail over to local authentication. I'd like to do this on our new controller, but I can't seem to find the correct info on how to do this, if it can be done. All my searches result in instructions on how to authenticate wireless users.
    Thanks

Yes, you can via NPS (RADIUS), which then ties into AD. Here is a Cisco example document:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml
    I hope this helps...

  • ISE 1.2 Guest Access for EAP(Dot1x) Authentication

    Hi.
I want to use encryption for guest access.
In order to use "RADIUS NAC" on the WLC, you cannot use "Open + MAC", only "WPA + dot1x".
(Specification of the WLC)
With "Open + MAC", by returning a Session-Timeout attribute from ISE at the time of web authentication, I was able to forcibly disconnect the wireless client.
(The attribute is the same value as the time the guest user is allowed, from the ISE time profile.)
If the wireless terminal connects again after the forced disconnect, the web authentication screen is displayed, but you cannot log in.
(Because the account has been revoked.)
I want to make this environment work with dot1x as well.
However, with dot1x the attribute becomes the "re-authentication time", so as long as the terminal is connected to the wireless, it is not cut off.
In addition, even with the setting "Attribute Termination-Action = Default", it does not return to web authentication.
(The status on the WLC remains "Auth Yes".)
(The session on ISE remains "Started".)
Using (EAP) dot1x, can I have the client "forcibly disconnected" to "match the time of the TimeProfile" in the same way as with "Open + MAC"?
    Thank you.

    Note:
    Cisco ISE:Version1.2.0.899-8
    Cisco WLC(5508):Version 7.6.120

  • Using ISE for guest access together with anchor controller WLC in DMZ

    Hi there,
I set up a guest WLAN in our lab environment. I have one internal WLC connected to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal, which works fine.
To gain more flexibility regarding guest account provisioning and reporting, my idea is to use Cisco Identity Services Engine (ISE) for web authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
As the ISE is located on the internal network while the guest clients end up in the DMZ network, this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
Does anyone know of a better solution for this? Where to place the ISE for this scenario, etc.?
    Thx
    Frank

So I ran into a similar scenario on a recent deployment:
    We had the following:
    WLC-A on private network (Inside)
    ISE Servers ISE01 and ISE02 (Inside)
    WLC-B Anchor in DMZ for Guest traffic (DMZ)
    ISE Server 3 (DMZ)
    ISE01 and ISE02 are used for 802.1X for the private network WLAN.
    Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
The foreign controller (WLC-A) must handle all L2 authentication, and it must use the same policy node that the clients will hit for web auth. Since we want to do CWA, we use MAC filtering with ISE as the RADIUS server. If you send this RADIUS authentication traffic for MAC filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to. Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails. (This was a limitation of ISE 1.1. Not sure if this persists in 1.2 or not.)
So what now? In our deployment we decided to use a third ISE policy node (ISE03 in the DMZ) for guest authentication from the foreign controller, so that the client will be redirected to https://ise03.mydomain.com/... Once the session is authenticated, ISE03 will send a CoA back to the foreign, which will remove the redirect for the session. Note, you do have to allow ISE03 to send a CoA.
In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal, so they have a resolvable and reachable policy node.
