WLC/WCS Guest Access and Audit trail

Similar Messages

• WCS Guest Access

  Our current wirleess infrastructure consist of a WCS/WLC and AP's.
  We currently have guest access  and use the lobby ambassdor  feature on the WCS .The Guest users are currentlty created manually by the lobby ambassdor manually
  There was request that came internally to automate the entire process and reduces the time required to create the guest users .
  Our requirement would be to create a set of 50 users with random password created by the WCS  and then push this credentials to the WLC's .
  Our lobby ambassdor would take print out of these user/password details and put in an envelope  and give out to the guest users when requested.
  The users list will only  be valid for a day and for the next day we create another set of 50 users .
  The credentials should only be active for 3 hours  from the time they log in  which means if a user logins at 9 AM he session should only be active for 3 hours.
  Iam looking at insights on how we can acheive the same using WCS or any third paty guest access applications or i can also look at developing my own application with some kind of an API that can talk with WCS.
  TIA
  Sandeep

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:10.0pt;
  font-family:"Times New Roman";
  mso-ansi-language:#0400;
  mso-fareast-language:#0400;
  mso-bidi-language:#0400;}
  Nicolas - You are right, all my requirements can be met by the NAC Guest server . I had been going through the documentation of this product for the past few days.
  Couple of thoughts   that came into my mind is that all the features that i was looking at is all software based , it has no dependency on hardware .
  Since we already use WCS for lobby ambassador, why did Cisco not integrate the same features on WCS and went and put it in the NAC .
  I agree there is a strong correlation between NAC and Guest access  But Iam not able to justify in getting a new product /Hardware for doing advanced Guest access .
  We bought the WCS primarily for the Guest access and guest account management and controller management was secondary .
  I don't understand Cisco strategy as to putting pieces of the same feature in multiple devices and customer having to purchase different hardware for the different features of the same technology.
  I understand that this is not a forum to comment but just thought of penning down my views .However i will have a talk with the Cisco SE on the same.
  Thanks for your help- Regards

• WCS Guest access account creation - options

  Hi,
  I'm looking in to different options for creating guest access accounts and need some help.  I'm new to the product and bascially have been asked if there are any other options that the Web GUI to create account.  We would like trigger the creation of an account using work flow.  Saw that there are We services availble with NAC but not sure how the products relate
  It's a new setup - so assume the latest verion of WCS is being used.
  Thanks
  Alex

  couple of thoughts as I'm going through the process of setting up guest access right now.
  1) use RADIUS and maintain the accounts through a RADIUS solution that provides the UI you desire.
  2) another thread somewhere here pointed to http://sourceforge.net/projects/simple-swag/ which is a web-based user account creator.
  3) use an external authentication page and perform the auth there.
  we don't require guests to have accounts but we do limit when it is available at our various locations.

• Using wliconsole's process instance monitoring and audit trail

  Hello,
  I have couple of questions about wliconsole's process monitoring capabilities to be able to use in real production environments.
  1. Is it possible to add some custom data to the Process Instance Summary table? For example, we would like to show the party that send the initial request, and some internal process type information.
  2. How can we achieve audit trail logging when we have several processes? For example, we have business processes that span over several wli-processes, and our process is split into several re-usable sub-processes. And the audit trail stops at the process boundaries. Finding the corresponding sub-processes is quite a challenge now.
  Thanks,
  Timo Lukumaa
  Reaktor Innovations www.ri.fi

  The WLI version we're about to use is 8.1 sp2.
  One question more:
  3. Is there somekind of metadata or resource directory in wliconsole or some place else?
  We're about use a SOA style architecture where re-usable business logic is modeled as web services.
  So we would like to have one place (a web page) where the available services could be seen and corresponding WSDLs and schemas downloaded.
  Or are we just looking at the wrong product? ;)
  Thanks,
  Timo

• WLC 5500 guest access logging

     Hello,
  In the ISE documentation is states that under a Guest_Activity report you must have guest access logging enabled on the NAD in the ISE network. My question is where do I enable  guest access logging in the WLC that is our NAD?

  Try under snmp configuration. There you can choose what traps to send. You can choose to send traps for auth clients.
  HTH
  Amjad

• WLC Wireless Guest Access

  Hi
  When a user attempts to connect to a WLC
  guest access SSID, does the web login page open up automatically?
  Also is the web login page "https" secure rather than "http" clear text
  Mark

  As long as the WLC can resolve the users home page, which is not an intranet site or https, then the user will get a certificate error page first in which he or she will have to accept. Then he or she will get the webauth page. To eliminate the certificate error page, you need to install a 3rd party certificate, one that is standard on the device trusted certificate store.

• Guest Access and IP addressing usage

  Hi there
  Have a typical Guest set up, foreign WLC has a tunnel to a WLC in our DMZ (mobility anchor); client  will get a web page, and sign on; and off to the Internet they go.
  As we know, client needs an IP address first before it does anything, as the SSID is out there with no authentication.   and the problem we are running into is, we are running out of IPs because we have a bunch of clients picking up IPs but then they are not moving towards authenticating (I suspect many clients simply scan for any open SSID and connect to it, thereby using up an IP.  We clamped down DHCP Lease time to 30 mins, but this only helped to an extent.
  Is there anything on the WLC or other wireless network devices that can limit this from happening? Is increasing the scope the only way to resolve this issue?
  Many thanks in advance!

  ha! No worries, girl in a tech world... used to it LOL
  When we changed up this year (went from a private entity to being taken over by the 'mother ship' as I like to call it; they said '2012 is the Wireless Year, we want it everywhere to be able to be used by everyone; we want it easy, and we want to start employee BYOB (to which I grumbled a bit... but oh well) And now just got news we are taking another division on board, so that number I just gave you I say add another 10 or 15 to, not to mention a few WiSMs thrown in there.  We were using Guest NAC,  but then it was though to be easier using a shared ID/PW with it changing weekly, which currently I manage by pushing WCS jobs out each week; and future is to use an AD backend for that instead. And this is slightly off topic- but I also broadcast the SSID for the mother ship into our network and tunnel our WLC back to an anchor on their network so users can pick up IPs from there, and then our WLCs live in their radius server.
  ... Fun Stuff, eh?

• WLC 2100 guest access with local web authentification

  Hello I tried to create a guest acces with local web authentification.
  My Laptop is connected to the Wlan but My Browser don't ask my login and password

  Please refer to the following links:
  http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html
  http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html

• WLC 4400- Guest Access

  Hi Guys,
  I have a query , I understand the web authentication flow as explained in the below doc.
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml,
  Its talking about to have a DNS server to be configured and this DNS ip will be allocated along with the DHCP response
  So can I have Public DNS directly assigned for the Guest users ? and I dont use a dedicated DNS for the Guest userr
  if possible where should be it configured in the WLC
  Thanks in Advance

  Hi Guys
  Today I tried this implemenation : but result falied
  On the guest controler I entered the public DNS ip addresss
  After adding it , it requested need to restar the sytem to take it in effect.
  my DHCP is on a server - under the DHCP pool I pointed the DNS is public DNS
  Result
  I was getting an ip address , and DNS also shows the public in the ipconfig /all out put
  But the webportal was getting redirected to my public DNS ip address in stead of 1.1.1.1
  Any idea , what could have went wrong.
  I am not sure if we have to configure on the internal controllers as well under the virtual interface
  Thanks

• H-Reap, Guest-Access and CAPWAP

  If I use acces-points in H-Reap mode, is guest-traffic still encapsulated in CAPWAP?
  I think so, but I'm not really shure.
  Sven

  Hi Sven,
  If you are using HREAP's then you can choose WLANs to be either locally switched or centrally switched with the WLC.
  If a WLAN is centrally switched, then all traffic should be sent to the WLC and hence being encapsulated in CAPWAP the whole way between AP and WLC.
  If a WLAN is locally switched however, then the traffic of the clients will be managed in the locally and traffic of the clients will be sent directly to the network without going through any tunnel to the WLC.
  Local or central switching can be configured per WLAN basis from advanced tab of the WLAN configuraiton under "HREAP" field.
  By default the central switching is active. You can choose to use local switching per WLAN from the advanced tab of the WLAN as I said above.
  You may find more information about the matter here:
  http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080736123.shtml
  Hope this is helpful.
  Amjad

• Guest Access and H-REAP

  I have 30 1242 LWAPPs on my network. Six of these are operating in H-REAP mode as they are outside of our main campus area in other states. We use two WLANs on our wireless network.
  One of the WLANs is for all company users and the other is a guest network run off our anchor controller in the DMZ. The 24 APs that are in local mode have very few issues, but more often than not, when someone tries to connect to my guest network on an AP that is running in H-REAP mode I have to reboot the AP in order to get them authenticated.
  This happens about 75% of the time. There are some cases when it just works and I have no issues, but those are few and far between.
  Does anyone have any idea why this may be occuring?

  Are you seeing any errors when the clients try to connect to the guest network? Does it happen with all the LAPs? We will need more information to troubleshoot this issue.

• SICF Services - All active services and audit trail

  We have upgraded one of our client environment from 4.7 to ECC 6.0 - Ehp4 and activated SICF services for Portal applications. We are using ESS, MSS, ECM and HR Admin for Portal and during setup we activated several services.
  I was wondering if their is any way to find out all activated services and we can audit who activated all services from backend from ERP 6.0.
  Thanks,
  Miral.

  As per SAP "Note 1555208 - ICF services become inactive after upgrade or SP update" we can find the list of active services along with path using the report RS_ICF_SERV_ADMIN_TASKS
  SA38 --> RS_ICF_SERV_ADMIN_TASKS --> Export of Active Services into CSV file
  Regards
  Bhagirath

• WLC and ISE guest access COA

  We are migrating to ISE for guest access and are having problems with the COA being delivered after a successful authentication.  ISE attempts to send it but nothing changes on the WLC.  The message in ISE is Dynamic Authorization failed and a message that ISE didn't receive a response from the NAD, verify communication.  What is odd is the original guest request comes in from the IP address of the service port on the WLC but anything doing with the COA is seen from the management.  I have both IP's defined for the device in ISE.  I am about to do a session reauthentication within ISE and the WLC applies the changes.  I have verified that RFC 3576 is enabled, but the show radius rfc3576 stats shows no values.  The WLC is running 7.6.130.  I have attempted to debug on the WLC side to see if the message is even being delivered but non the debugs i have attempted seem to offer any good information.
  Anyone have any suggestions?  
  Thanks,
  Joe

  Hi Joe,
  I dont really know what you are trying to do with the COA , as it is used in the CWA solution and BYOD solution as well. But even before trying that , I would advise you to go step by step and solve the n/w issue first. You are able to see the request from service port which should not happen because then the incoming/outgoing traffic takes different path. You must be facing this situation as you might have some network routes matching ISE subnet/Ip address in the GUI>Controller>Network routes as there is no need of those routes. If the service port needs to be used during controller down scenario then use a laptop in the same subnet of Service port ip and connect to the service port.
  Regards
  Dhiresh
  **Please rate helpful posts**

• WLC based mobility-anchor guest access solution

  Hi everybody,
  My new setup with WLC baesed guest access solution is working well. I am using web based login authentication for wired & wireless solution. And everything is running through out the WLC. The WLC is granting access to is the internet for the guests. My question is how about printers and other devices that cannot make web based authentication. How can i get them to work in the same setup?
  best regards,
  Sahin

  For wired, you simply need to configure mac aut bypass on the printer switchports and point that to the ACS.
  If it's accepted, the port will go in the printer vlan, if not, you can chose the behavior (block access, put in another vlan, etc ...).
  For wireless, you need to enable "mac filtering" on the SSID, so it's best to create a separate SSID for the printers then because you want to authenticate those by mac address and you don't want that for the other clients probably.
  You can then also point the mac filtering towards ACS on the wlc.
  From there you can either have the macs stored locally on ACS or in your ACtive Directory or wherever you want.

• Extending a network and the new guest access feature

  Hi-
  Currently, I have 3 of the 802.11n Airport Extremes—One creating the network, and two extending the network.
  I would like to get the new feature that allows you to setup guest access---
  My question: Will I be able to purchase ONE of the new Airports, setup guest access and extend it using the older Airports, or will I have to buy three of the new Airports to make this work….
  Thanks for any help or advice!

  It would seem almost certain that the older AirPort Extreme base station (AEBS) would not extend both the normal network and the guest access network. You should be able to extend the normal network.