Step 1
|
In the Cisco DNA Center GUI, click the Menu icon () and choose .
|
Step 2
|
Under , click Guest to create a new SSID.
The Guest Wireless Network window appears.
|
Step 3
|
In the Wireless Network Name (SSID) field, enter a unique name for the guest SSID that you are creating.
The SSID name can contain up to 32 alphanumeric characters with leading spaces. All special characters except for < /.* and
trailing spaces are allowed.
The following combination of substring is not allowed: .*
|
Step 4
|
Under Type of Enterprise Network, click Voice and Data or Data Only. The selection type defines the quality of service that is provisioned on the wireless network.
If you select Voice and Data, the quality of service is optimized for voice and data traffic.
If you select Data Only option, the quality of service is optimized for wireless data traffic only.
|
Step 5
|
Configure wireless band preferences by selecting one of the Wireless Options:
-
Dual band operation (2.4 GHz and 5 GHz): The WLAN is created for both 2.4 GHz and 5 GHz. The band select is disabled by default.
-
Dual band operation with band select: The WLAN is created for 2.4 GHz and 5 GHz and band select is enabled.
-
5 GHz only: The WLAN is created for 5 GHz and band select is disabled.
-
2.4 GHz only: The WLAN is created for 2.4 GHz and band select is disabled.
|
Step 6
|
Under SSID STATE, configure the following:
-
Click the Admin Status button off, to disable the admin status.
-
Click the BROADCAST SSID button off, if you do not want the SSID to be visible to all wireless clients within the range. Turning off the Broadcast SSID hides the SSID from clients attempting to connect to this SSID, reducing unnecessary load on the wireless infrastructure.
|
Step 7
|
Under Level Of Security, configure the layer 2 and layer 3 security policies.
|
Step 8
|
Under L2 Security, set the encryption and authentication type for this network.
|
Step 9
|
Click the Enterprise, Personal, Open Secured, or Open radio button to configure the respective security authentication.
-
Enterprise: You can configure either WPA2 or WPA3 security authentication type by checking the respective check boxes. By default, the WPA2 check box is enabled.
Wi-Fi Protected Access (WPA2) uses the stronger Advanced Encryption Standard encryption algorithm using Counter Mode with
Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP). Fast transition is applicable for enterprise WPA2 SSID.
WPA3 security authentication is the latest version of WPA which is a suite of protocols and technologies that provide authentication
and encryption for Wi-Fi networks. WPA3-Enterprise provides higher grade security protocols for sensitive data networks.
-
Personal: You can configure both WPA2 and WPA3 or configure WPA2 and WPA3 individually by checking the respective check boxes.
WPA3 personal security authentication brings better protection to individual users by providing more robust password-based
authentication. This makes the brute-force dictionary attack much more difficult and time-consuming.
Enter the passphrase key in the Pass Phrase field. This key is used as the pairwise master key (PMK) between the clients and the authentication server.
-
Open Secured: From the Assign Open SSID drop-down list, choose an open SSID to associate with the open SSID. Associating secures the open SSID. You must have an
open SSID created before associating it with the open secured SSID.
Note
|
Fast Transition is not applicable for open-secured SSID.
|
-
Open: The open policy provides no security. It allows any device to connect to the wireless network without any authentication.
|
Step 10
|
Under L3 Security, set the encryption and authentication type for this guest network: Web Policy or Open.
|
Step 11
|
The Open policy type provides no security. It allows any device to connect to the wireless network without any authentication.
|
Step 12
|
If you choose Web Policy, you need to configure one of the authentication servers: ISE Authentication, Web Authentication, or Web Passthrough.
The Web Policy encryption and authentication type provides a higher level of Layer 3 security.
-
For an External Web Authentication (EWA), click the Web Policy radio button as the level of security under L3 Security and Web Authentication External as the authentication server from the Authentication drop-down list.
-
For a Central Web Authentication (CWA), click the Web Policy as the level of security under L3 Security and ISE Authentication as the authentication server from the Authentication drop-down list.
|
Step 13
|
Under Authentication Server, you can configure the authentication server for the SSID.
|
Step 14
|
If you choose ISE Authentication, choose the type of portal you want to create from the WHAT KIND OF PORTAL ARE YOU CREATING TODAY ? drop-down list:
-
Self Registered: The guests are redirected to the Self-Registered Guest portal to register by providing information to automatically create
an account.
-
HotSpot: The guests can access the network without providing any credentials.
Choose where you want to redirect the guests after successful authentication from the WHERE WILL YOUR GUESTS REDIRECT AFTER SUCCESSFUL AUTHENTICATION ? drop-down list:
-
Success Page: The guests are redirected to an Authentication Success window.
-
Original URL: The guests are redirected to the URL they had originally requested.
-
Custom URL: The guests are redirected to the custom URL that is specified here. Enter a redirect URL in the Redirect URL field.
Now that you have created an SSID, you must associate it with a wireless profile. This profile helps you to construct a topology,
which is used to deploy devices on a site.
|
Step 15
|
If you choose Web Authentication or Web Passthrough, configure Internal or External authentication type.
Web authentication or Web Auth is a layer 3 security method that allows a client to pass Dynamic Host Configuration Protocol
(DHCP) and Domain Name System (DNS) traffic only until they have passed some form of authentication.
Web passthrough is a solution that is used for guest access and requires no authentication credentials. In web passthrough
authentication, wireless users are redirected to the usage policy page while trying to use the Internet for the first time.
After accepting the policy, users are allowed to browse the Internet.
-
If you choose Web Authentication Internal or Web Passthrough Internal from the Authentication Server drop-down list, then the page is reconstructed by the Cisco Wireless Controller.
-
If you choose Web Authentication External or Web Passthrough External from the Authentication Server drop-down list, then the client is redirected to the specified URL. You need to enter a redirect URL in the Web Auth Url field.
|
Step 16
|
Under TIMEOUT SETTINGS FOR SLEEPING CLIENTS, configure authentication for sleeping clients: Always authenticate or Authenticate after.
The clients with guest access that have had successful web authentication are allowed to sleep and wake up without having
to go through another authentication process through the login page. You can configure the duration for which the sleeping
clients are to be remembered for before reauthentication becomes necessary. The valid range is 10 minutes to 43200 minutes,
with the default being 720 minutes. You can configure the duration on a WLAN and on a user group policy that is mapped to
the WLAN. The sleeping timer becomes effective after the idle timeout. If the client timeout is lesser than the time configured
on the sleeping timer of the WLAN, then the lifetime of the client is used as the sleeping time.
-
Click the Always authenticate radio button to enable authentication for sleeping clients.
-
Click the Authenticate after radio button and enter the duration for which the sleeping clients are to be remembered before reauthentication becomes necessary.
The valid range is 10 minutes to 43200 minutes and the default duration is 720 minutes.
|
Step 17
|
Click Show Advanced Settings to configure the following.
|
Step 18
|
Set Fast Transition (802.11r) to Enable, Adaptive, or Disable mode.
By default, Fast Transition (802.11r) is in Adaptive mode.
The 802.11r allows wireless clients to quickly roam from one AP to another AP. Fast transition ensures less disrupted connectivity
when a wireless client roams from one AP to another AP.
|
Step 19
|
Check the Over the DS check box to enable fast transition over a distributed system. This option is available only if the Fast Transition (802.11r) is in Adaptive or Enable mode.
By default, the Over the DS check box is enabled.
|
Step 20
|
Under 11k, check the Neighbor List check box to allow the 11k capable clients to request a neighbor report about the known neighboring APs that are candidates
for roaming.
To facilitate roaming, a 11k capable client that is associated with an AP sends a request to a list of neighboring APs. The
request is sent in the form of an 802.11 management frame, which is known as an action frame. The AP responds with a list
of neighbor APs on the same WLAN with their Wi-Fi channel numbers. The response is also an action frame. The client identifies
the AP candidates for next roam from the response frame.
|
Step 21
|
Check the Client Exclusion check box, and enter a value to set the client exclusion timer in the in (secs) field.
When a user fails to authenticate, the wireless controller excludes the client from connecting and is not allowed to connect to the network until the exclusion timer expires. By default,
the Client Exclusion is enabled with a timeout of 180 seconds. The range is 0 to 2147483647 seconds.
|
Step 22
|
Check the Session Timeout check box, and enter a value in seconds.
The session timeout is the maximum time for a client session to remain active before reauthorization. By default, the Session Timeout is enabled with a timeout of 1800 seconds. The range is 300 to 86400 seconds.
|
Step 23
|
Under MFP Client Protection, click one of the radio buttons: Optional, Required, and Disabled.
Management Frame Protection (MFP) increases the security of management frames. It provides security for the otherwise unprotected
and unencrypted 802.11 management messages that are passed between access points and clients. MFP provides both infrastructure
and client support.
By default, the Optional is selected. If you choose Required, the clients are allowed to associate only if the MFP is negotiated (that is, if WPA2 is configured on the wireless controller and the client supports CCXv5 MFP and is also configured for WPA2).
|
Step 24
|
Under 11k, check the Neighbor List check box to allow the 11k capable clients to request a neighbor report about the known neighboring APs that are candidates
for roaming.
To facilitate roaming, a 11k capable client that is associated with an AP sends request to a list of neighboring APs. The
request is sent in the form of an 802.11 management frame, which is known as an action frame. The AP responds with a list
of neighbor APs on the same WLAN with their Wi-Fi channel numbers. The response is also an action frame. The client identifies
the AP candidates for the next roam from the response frame.
|
Step 25
|
Under 11v BSS Transition Support, configure the following.
|
Step 26
|
Check the BSS Max Idle Service check box to set the idle period timer value. The idle period timer value is transmitted using the association and reassociation
response frame from APs to the client.
The BSS Max idle period is the timeframe during which an AP does not disassociate a client due to nonreceipt of frames from
the connected client.
|
Step 27
|
Check the Client User Idle Timeout check box and enter a value to configure the user idle timeout for a WLAN in the Client User Idle Timeout field.
If the data sent by the client is more than the threshold quota specified within the user idle timeout, then the client is
considered to be active and the wireless controller refreshes for another timeout period.
By default, the Client User Idle Timeout is enabled with a user idle timeout of 300 seconds.
|
Step 28
|
Check the Directed Multicast Service check box to enable the directed multicast service.
By default, the Directed Multicast Service is enabled. Using the Directed Multicast Service (DMS), the client requests APs to transmit the required multicast packets
as unicast frames. This allows clients to sleep for a longer time and save the battery power.
|
Step 29
|
Click Configure AAA to add and configure the AAA servers for guest wireless network SSID. For more information, see Configure AAA Server for a Guest Wireless Network.
|
Step 30
|
Click Next.
The Wireless Profiles window is displayed.
|
Step 31
|
If you do not have an existing wireless profile, in the Wireless Profiles window, click Add to create a new wireless profile.
|
Step 32
|
Enter a profile name in the Wireless Profile Name field.
|
Step 33
|
Specify whether the SSID is fabric or not by clicking the Yes or No radio button next to Fabric.
Fabric SSID is a wireless network, which is part of Software Defined-Access (SD-Access). SD-Access is a solution that automates
and simplifies configuration, policy, and troubleshooting of wired and wireless networks. With fabric SSID, it is mandatory
to have SDA. Nonfabric is a traditional wireless network that does not require SD-Access.
|
Step 34
|
If you want the guest SSID to be a guest anchor, click the Yes or No radio button next to Do you need a Guest Anchor for this guest SSID.
If you want your guest SSID to be a guest anchor, click Yes.
|
Step 35
|
From the Select Interface drop-down list, choose the interface or click + to create a new wireless interface.
This is the VLAN ID that is associated with the wireless interface.
|
Step 36
|
If you click No, enable the FlexConnect mode by checking the Flex Connect Local Switching check box. The selection of FlexConnect mode switches the traffic locally. Based on your configuration, the profile is applied
to a site and a flex group is created internally.
If you have enabled Flex Connect Local Switching for an SSID, then all APs on that particular floor where the network profile is mapped will switch to FlexConnect mode.
|
Step 37
|
In the Local to VLAN field, enter a value for the VLAN ID.
|
Step 38
|
To assign this profile to a site, click Sites.
|
Step 39
|
In the Sites window, check the check box next to the site to associate this profile and click OK.
You can either select a parent site or the individual sites. If you select a parent site, all children inherit their settings
from the parent site. You can uncheck the check box to deselect a site.
|
Step 40
|
Click + Add Model Config to attach a model config design to the wireless profile.
The Add Model Config window appears.
|
Step 41
|
From the Device Type(s) drop-down list, choose the device type.
You can either search for a device name by entering its name in the Search... field or expand Wireless Controller and select the device type.
|
Step 42
|
Under APPLICABILITY, from the Tags drop-down list, choose the applicable tags.
|
Step 43
|
Click Add.
|
Step 44
|
Click Save.
The created profile appears in the Wireless Profiles window.
|
Step 45
|
To associate the SSID to a wireless profile, in the Wireless Profiles window, check the Profile Name check box to associate the SSID; then, click Next.
The Portal Customization window appears, where you can assign the SSID to a guest portal.
|
Step 46
|
In the Portal Customization window, click Add to create the guest portal.
The Portal Builder window appears.
|
Step 47
|
Expand Page Content in the left menu to include various variables.
|
Step 48
|
Drag and drop variables into the portal template window and edit them.
-
The variables for the Login page are:
-
Access Code
-
Header Text
-
AUP
-
Text Fields
-
The variables for the Registration page are:
-
First Name
-
Last Name
-
Phone Number
-
Company
-
SMS Provider
-
Person being visited
-
Reason for a visit
-
Header text
-
User Name
-
Email Address
-
AUP
-
The variables for the Registration Success page are:
-
Account Created
-
Header texts
-
The variable for the Success page is: Text fields.
|
Step 49
|
To customize the default color scheme in the portal, expand Color in the left menu and change the color.
|
Step 50
|
To customize the font, expand Font in the left menu and change the font.
|
Step 51
|
Click Save.
The created portal appears in the Portal Customization window.
|
Step 52
|
Under Portals, click the radio button next to the Portal Name to assign the SSID to that guest portal.
|
Step 53
|
Click Finish.
|