Configuring Wireless Guest Access
- Finding Feature Information
- Prerequisites for Guest Access
- Restrictions for Guest Access
- Information about Wireless Guest Access
- Fast Secure Roaming
- How to Configure Guest Access
- Configuration Examples for Guest Access
- Additional References for Guest Access
- Feature History and Information for Guest Access
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Guest Access
Restrictions for Guest Access
Guest Controller functionality is not supported on the Catalyst 3850 switch; the Catalyst 3850 can, however, act as a mobility agent.
Information about Wireless Guest Access
Ideally, the implementation of a wireless guest network uses as much of an enterprise’s existing wireless and wired infrastructure as possible to avoid the cost and complexity of building a physical overlay network. Assuming this is the case, the following additional elements and functions are needed:
- A dedicated guest WLAN/SSID—Implemented throughout the campus wireless network wherever guest access is required. A guest WLAN is identified by a WLAN with mobility anchor (Guest Controller) configured.
- Guest traffic segregation—Requires implementing Layer 2 or Layer 3 techniques across the campus network to restrict where guests are allowed to go.
- Access control—Involves using embedded access control functionality within the campus network or implementing an external platform to control guest access to the Internet from the enterprise network.
- Guest user credential management—A process by which a sponsor or lobby administrator can create temporary credentials on behalf of a guest. This function might be resident within an access control platform or it might be a component of AAA or some other management system.
Fast Secure Roaming
Full Layer 2 authentication must be avoided during roaming if the client uses 802.11i (WPA2), CCKM, or 802.11r, in order to meet the full requirements of fast secure roaming. The PMK cache (802.11i, CCKM, and 802.11r) is used to authenticate roaming clients and derive their keys without a full Layer 2 authentication. This requires all Mobility Agents (MA) and Mobility Controllers (MC) in the mobility group to have the same PMK cache values.
The session timeout defines when a PMK cache entry expires. A PMK cache entry is also deleted when a client fails to re-authenticate or when it is manually deleted from the CLI. A deletion on the original controller or switch is propagated to the other controllers or switches in the same mobility group.
How to Configure Guest Access
Creating a Lobby Administrator Account
1. configure terminal
2. user-name user-name
3. type lobby-admin
4. password 0 password
5. end
6. show running-config | section user-name (or) show running-config | section configured lobby admin username
Configuring Guest User Accounts
1. configure terminal
2. user-name user-name
3. password unencrypted/hidden-password password
4. type network-user description description guest-user lifetime year 0-1 month 0-11 day 0-30 hour 0-23 minute 0-59 second 0-59
5. end
6. show aaa local netuser all
7. show running-config | section user-name
Configuring Mobility Agent (MA)
1. configure terminal
2. wireless mobility controller ip mc-ipaddress public-ip mc-publicipaddress
3. wlan wlan-name wlan-id ssid
4. client vlan id vlan-group-name/vlan-id
5. no security wpa
6. mobility anchor ipaddress
7. aaa-override
8. no shutdown
9. end
10. show wireless mobility summary
11. show wlan name wlan-name/id
Configuring Mobility Controller
Mobility Controller mode must be enabled using the wireless mobility controller command.
1. configure terminal
2. wireless mobility group member ip ip-address public-ip ip-address group group-name
3. wireless mobility controller peer-group peer-group-name
4. wireless mobility controller peer-group peer-group-name member ip ipaddress public-ip ipaddress
5. end
6. show wireless mobility summary
Obtaining a Web Authentication Certificate
1. configure terminal
2. crypto pki import trustpoint name pkcs12 tftp: passphrase
3. end
4. show crypto pki trustpoints cert
Displaying a Web Authentication Certificate
1. show crypto ca certificate verb
Choosing the Default Web Authentication Login Page
1. configure terminal
2. parameter-map type webauth parameter-map name
3. wlan wlan-name
4. shutdown
5. security web-auth
6. security web-auth authentication-list authentication list name
7. security web-auth parameter-map parameter-map name
8. no shutdown
9. end
10. show running-config | section wlan-name
11. show running-config | section parameter-map type webauth parameter-map
Choosing a Customized Web Authentication Login Page from an External Web Server
1. configure terminal
2. parameter-map type webauth global
3. virtual-ip {ipv4 | ipv6} ip-address
4. parameter-map type webauth parameter-map name
5. type {authbypass | consent | webauth | webconsent}
6. redirect [for-login | on-success | on-failure] URL
7. redirect portal {ipv4 | ipv6} ip-address
8. end
9. show running-config | section parameter-map
Assigning Login, Login Failure, and Logout Pages per WLAN
1. configure terminal
2. parameter-map type webauth parameter-map-name
3. custom-page login device html-filename
4. custom-page login expired html-filename
5. custom-page failure device html-filename
6. custom-page success device html-filename
7. end
8. show running-config | section parameter-map type webauth parameter-map
Configuring AAA-Override
1. configure terminal
2. wlan wlan-name
3. aaa-override
4. end
5. show running-config | section wlan-name
Configuring Client Load Balancing
1. configure terminal
2. wlan wlan-name
3. shutdown
4. mobility anchor ip-address1
5. mobility anchor ip-address2
6. no shutdown wlan
7. end
8. show running-config | section wlan-name
Configuring Preauthentication ACL
1. configure terminal
2. wlan wlan-name
3. shutdown
4. ip access-group web preauthrule
5. no shutdown
6. end
7. show wlan name wlan-name
Configuring IOS ACL Definition
1. configure terminal
2. ip access-list extended access-list number
3. permit udp any eq port number any
4. end
5. show access-lists ACL number
Configuring Webpassthrough
1. configure terminal
2. parameter-map type webauth parameter-map name
3. type consent
4. end
5. show running-config | section parameter-map type webauth parameter-map
Configuration Examples for Guest Access
Example: Creating a Lobby Ambassador Account
Switch# configure terminal
Switch(config)# user-name lobby
Switch(config)# type lobby-admin
Switch(config)# password 0 lobby
Switch(config)# end
Switch# show running-config | section lobby
user-name lobby
 creation-time 1351118727
 password 0 lobby
 type lobby-admin
Example: Obtaining Web Authentication Certificate
Switch# configure terminal
Switch(config)# crypto pki import cert pkcs12 tftp://9.1.0.100/ldapserver-cert.p12 cisco
Switch(config)# end
Switch# show crypto pki trustpoints cert
Trustpoint cert:
    Subject Name:
    e=rkannajr@cisco.com
    cn=sthaliya-lnx
    ou=WNBU
    o=Cisco
    l=SanJose
    st=California
    c=US
    Serial Number (hex): 00
    Certificate configured.

Switch# show crypto pki certificates cert
Certificate
  Status: Available
  Certificate Serial Number (hex): 04
  Certificate Usage: General Purpose
  Issuer:
    e=rkannajr@cisco.com
    cn=sthaliya-lnx
    ou=WNBU
    o=Cisco
    l=SanJose
    st=California
    c=US
  Subject:
    Name: ldapserver
    e=rkannajr@cisco.com
    cn=ldapserver
    ou=WNBU
    o=Cisco
    st=California
    c=US
  Validity Date:
    start date: 07:35:23 UTC Jan 31 2012
    end date: 07:35:23 UTC Jan 28 2022
  Associated Trustpoints: cert ldap12
  Storage: nvram:rkannajrcisc#4.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 00
  Certificate Usage: General Purpose
  Issuer:
    e=rkannajr@cisco.com
    cn=sthaliya-lnx
    ou=WNBU
    o=Cisco
    l=SanJose
    st=California
    c=US
  Subject:
    e=rkannajr@cisco.com
    cn=sthaliya-lnx
    ou=WNBU
    o=Cisco
    l=SanJose
    st=California
    c=US
  Validity Date:
    start date: 07:27:56 UTC Jan 31 2012
    end date: 07:27:56 UTC Jan 28 2022
  Associated Trustpoints: cert ldap12 ldap
  Storage: nvram:rkannajrcisc#0CA.cer
Example: Displaying a Web Authentication Certificate
Switch# show crypto ca certificate verb
Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 2A9636AC00000000858B
Certificate Usage: General Purpose
Issuer:
cn=Cisco Manufacturing CA
o=Cisco Systems
Subject:
Name: WS-C3780-6DS-S-2037064C0E80
Serial Number: PID:WS-C3780-6DS-S SN:FOC1534X12Q
cn=WS-C3780-6DS-S-2037064C0E80
serialNumber=PID:WS-C3780-6DS-S SN:FOC1534X12Q
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/cmca.crl
Validity Date:
start date: 15:43:22 UTC Aug 21 2011
end date: 15:53:22 UTC Aug 21 2021
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Signature Algorithm: SHA1 with RSA Encryption
Fingerprint MD5: A310B856 A41565F1 1D9410B5 7284CB21
Fingerprint SHA1: 04F180F6 CA1A67AF 9D7F561A 2BB397A1 0F5EB3C9
X509v3 extensions:
X509v3 Key Usage: F0000000
Digital Signature
Non Repudiation
Key Encipherment
Data Encipherment
X509v3 Subject Key ID: B9EEB123 5A3764B4 5E9C54A7 46E6EECA 02D283F7
X509v3 Authority Key ID: D0C52226 AB4F4660 ECAE0591 C7DC5AD1 B047F76C
Authority Info Access:
Associated Trustpoints: CISCO_IDEVID_SUDI
Key Label: CISCO_IDEVID_SUDI
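The fields shown above (validity dates, key size, signature algorithm) are what an operator should audit on a web-auth trustpoint before guest clients are redirected to it. The following is an added example, not code from the Cisco guide: a small Python checker that parses a constructed sample in the same shape as the show crypto ca certificate verb output and flags an expired or soon-expiring certificate, an RSA key shorter than 2048 bits, and an MD5 or SHA1 signature. The function names, the sample text and the thresholds are this example's own choices.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of the 'show crypto ca certificate verb' output
# above; the values are the page's own example, not output from a live device.
SAMPLE_CERT = """\
Certificate
  Subject:
    Name: WS-C3780-6DS-S-2037064C0E80
  Validity Date:
    start date: 15:43:22 UTC Aug 21 2011
    end date: 15:53:22 UTC Aug 21 2021
  Subject Key Info:
    RSA Public Key: (1024 bit)
  Signature Algorithm: SHA1 with RSA Encryption
  Associated Trustpoints: CISCO_IDEVID_SUDI
"""

DATE_FMT = "%H:%M:%S UTC %b %d %Y"  # IOS prints e.g. 15:43:22 UTC Aug 21 2011


def utc(*ymdhms):
    """Build a timezone-aware UTC datetime, e.g. utc(2020, 1, 1)."""
    return datetime(*ymdhms, tzinfo=timezone.utc)


def parse_cert(text):
    """Extract the fields a web-auth certificate check needs from the show output."""
    def grab(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        if not m:
            raise ValueError(f"field not found: {pattern}")
        return m.group(1).strip()

    def when(s):
        return datetime.strptime(s, DATE_FMT).replace(tzinfo=timezone.utc)

    return {
        "subject": grab(r"^\s*Name:\s*(.+)$"),
        "not_before": when(grab(r"^\s*start date:\s*(.+)$")),
        "not_after": when(grab(r"^\s*end\s+date:\s*(.+)$")),
        "key_bits": int(grab(r"RSA Public Key:\s*\((\d+) bit\)")),
        "sig_alg": grab(r"^\s*Signature Algorithm:\s*(.+)$"),
        "trustpoints": grab(r"^\s*Associated Trustpoints:\s*(.+)$").split(),
    }


def audit_cert(cert, now, min_key_bits=2048, warn_days=30):
    """Return a list of findings; an empty list means the certificate passed."""
    findings = []
    if now < cert["not_before"]:
        findings.append("not yet valid")
    if now >= cert["not_after"]:
        findings.append("expired")
    elif (cert["not_after"] - now).days < warn_days:
        findings.append(f"expires within {warn_days} days")
    if cert["key_bits"] < min_key_bits:
        findings.append(f"RSA key is only {cert['key_bits']} bits")
    if re.search(r"\b(MD5|SHA1)\b", cert["sig_alg"], re.IGNORECASE):
        findings.append(f"weak signature algorithm: {cert['sig_alg']}")
    return findings
```

Run it against the saved output of the show command on each controller; any non-empty list from audit_cert is a reason to import a fresh trustpoint before enabling the WLAN.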
Example: Configuring Guest User Accounts
Switch# configure terminal
Switch(config)# user-name guest
Switch(config-user-name)# password 0 guest
Switch(config-user-name)# type network-user description guest guest-user lifetime year 1 month 10 day 3 hour 1 minute 5 second 30
Switch(config-user-name)# end
Switch# show aaa local netuser all
User-Name             : guest
Type                  : guest
Password              : guest
Is_passwd_encrypted   : No
Descriptio            : guest
Attribute-List        : Not-Configured
First-Login-Time      : Not-Logged-In
Num-Login             : 0
Lifetime              : 1 years 10 months 3 days 1 hours 5 mins 30 secs
Start-Time            : 20:47:37 chennai Dec 21 2012
Example: Configuring Mobility Controller
Switch# configure terminal
Switch(config)# wireless mobility group member ip 27.0.0.1 public-ip 23.0.0.1 group test
Switch(config)# wireless mobility controller peer-group pg
Switch(config)# wireless mobility controller peer-group pg member ip 9.7.136.10 public-ip 9.7.136.10
Switch(config)# end
Switch# show wireless mobility summary

Mobility Controller Summary:

Mobility Role                                   : Mobility Controller
Mobility Protocol Port                          : 16666
Mobility Group Name                             : default
Mobility Oracle                                 : Enabled
DTLS Mode                                       : Enabled
Mobility Domain ID for 802.11r                  : 0xac34
Mobility Keepalive Interval                     : 10
Mobility Keepalive Count                        : 3
Mobility Control Message DSCP Value             : 7
Mobility Domain Member Count                    : 3

Link Status is Control Link Status : Data Link Status

Controllers configured in the Mobility Domain:

IP               Public IP        Group Name       Multicast IP     Link Status
-------------------------------------------------------------------------------
9.9.9.2          -                default          0.0.0.0          UP   : UP
12.12.11.11      12.13.12.12      rasagna-grp                       DOWN : DOWN
27.0.0.1         23.0.0.1         test                              DOWN : DOWN

Switch Peer Group Name                          : spg1
Switch Peer Group Member Count                  : 0
Bridge Domain ID                                : 0
Multicast IP Address                            : 0.0.0.0

Switch Peer Group Name                          : pg
Switch Peer Group Member Count                  : 1
Bridge Domain ID                                : 0
Multicast IP Address                            : 0.0.0.0

IP               Public IP        Link Status
--------------------------------------------------
9.7.136.10       9.7.136.10       DOWN : DOWN
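The Link Status columns in the output above are the quickest check that the PMK cache sharing described under Fast Secure Roaming can actually happen: a peer whose control or data link is DOWN is not receiving cache entries or deletions from this controller. As an added example that is not part of the Cisco guide, this Python snippet parses a constructed sample shaped like the show wireless mobility summary output and reports every peer with a link that is not UP, plus a member count that does not match the rows listed. The function names and the sample text are this example's own.

```python
import re

# Constructed sample in the shape of the 'show wireless mobility summary' output
# above; the addresses and group names are the page's example values.
SAMPLE_SUMMARY = """\
Mobility Role                                   : Mobility Controller
Mobility Group Name                             : default
Mobility Domain Member Count                    : 3

Link Status is Control Link Status : Data Link Status

IP               Public IP        Group Name       Multicast IP     Link Status
-------------------------------------------------------------------------------
9.9.9.2          -                default          0.0.0.0          UP   : UP
12.12.11.11      12.13.12.12      rasagna-grp      0.0.0.0          DOWN : DOWN
27.0.0.1         23.0.0.1         test             0.0.0.0          DOWN : DOWN
"""

# One peer row: IP, public IP (or '-'), group, multicast IP, control : data status.
ROW = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<public_ip>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<mcast>\S+)\s+(?P<control>UP|DOWN)\s*:\s*(?P<data>UP|DOWN)\s*$",
    re.MULTILINE,
)


def parse_summary(text):
    """Return (declared member count, list of peer rows) from the show output."""
    m = re.search(r"^Mobility Domain Member Count\s*:\s*(\d+)", text, re.MULTILINE)
    declared = int(m.group(1)) if m else None
    peers = [r.groupdict() for r in ROW.finditer(text)]
    return declared, peers


def check_mobility_domain(text):
    """List peers whose control or data link is down, plus a count mismatch if any.

    A peer that is DOWN cannot receive PMK cache entries or deletions from this
    controller, so clients roaming to it fall back to a full Layer 2 authentication.
    The count check assumes, as in the page's example, that the declared member
    count equals the number of rows listed.
    """
    findings = []
    declared, peers = parse_summary(text)
    if declared is not None and declared != len(peers):
        findings.append(f"member count is {declared} but {len(peers)} peers listed")
    for p in peers:
        if p["control"] != "UP" or p["data"] != "UP":
            findings.append(
                f"{p['ip']} (group {p['group']}): control {p['control']}, data {p['data']}"
            )
    return findings
```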
Example: Choosing the Default Web Authentication Login Page
Switch# configure terminal
Switch(config)# parameter-map type webauth test
This operation will permanently convert all relevant authentication commands to their CPL control-policy equivalents. As this conversion is irreversible and will disable the conversion CLI 'authentication display [legacy|new-style]', you are strongly advised to back up your current configuration before proceeding.
Do you wish to continue? [yes]: yes
Switch(config)# wlan wlan50
Switch(config-wlan)# shutdown
Switch(config-wlan)# security web-auth authentication-list test
Switch(config-wlan)# security web-auth parameter-map test
Switch(config-wlan)# no shutdown
Switch(config-wlan)# end
Switch# show running-config | section wlan50
wlan wlan50 50 wlan50
 security wpa akm cckm
 security wpa wpa1
 security wpa wpa1 ciphers aes
 security wpa wpa1 ciphers tkip
 security web-auth authentication-list test
 security web-auth parameter-map test
 session-timeout 1800
 no shutdown
Switch# show running-config | section parameter-map type webauth test
parameter-map type webauth test
 type webauth
Example: Choosing a Customized Web Authentication Login Page from an IPv4 External Web Server
Switch# configure terminal
Switch(config)# parameter-map type webauth global
Switch(config-params-parameter-map)# virtual-ip ipv4 1.1.1.1
Switch(config-params-parameter-map)# parameter-map type webauth test
Switch(config-params-parameter-map)# type webauth
Switch(config-params-parameter-map)# redirect for-login http://9.1.0.100/login.html
Switch(config-params-parameter-map)# redirect portal ipv4 9.1.0.100
Switch(config-params-parameter-map)# end
Switch# show running-config | section parameter-map
parameter-map type webauth global
 virtual-ip ipv4 1.1.1.1
parameter-map type webauth test
 type webauth
 redirect for-login http://9.1.0.100/login.html
 redirect portal ipv4 9.1.0.100
 security web-auth parameter-map rasagna-auth-map
 security web-auth parameter-map test
Example: Assigning Login, Login Failure, and Logout Pages per WLAN
Switch# configure terminal
Switch(config)# parameter-map type webauth test
Switch(config-params-parameter-map)# custom-page login device flash:loginsantosh.html
Switch(config-params-parameter-map)# custom-page login expired device flash:loginexpire.html
Switch(config-params-parameter-map)# custom-page failure device flash:loginfail.html
Switch(config-params-parameter-map)# custom-page success device flash:loginsucess.html
Switch(config-params-parameter-map)# end
Switch# show running-config | section parameter-map type webauth test
parameter-map type webauth test
 type webauth
 redirect for-login http://9.1.0.100/login.html
 redirect portal ipv4 9.1.0.100
 custom-page login device flash:loginsantosh.html
 custom-page success device flash:loginsucess.html
 custom-page failure device flash:loginfail.html
 custom-page login expired device flash:loginexpire.html
Example: Configuring AAA-Override
Switch# configure terminal
Switch(config)# wlan fff
Switch(config-wlan)# aaa-override
Switch(config-wlan)# end
Switch# show running-config | section fff
wlan fff 44 fff
 aaa-override
 shutdown
Example: Configuring Client Load Balancing
Switch# configure terminal
Switch(config)# wlan fff
Switch(config-wlan)# shutdown
Switch(config-wlan)# mobility anchor 9.7.136.15
Switch(config-wlan)# mobility anchor 9.7.136.16
Switch(config-wlan)# no shutdown wlan
Switch(config-wlan)# end
Switch# show running-config | section fff
wlan fff 44 fff
 aaa-override
 shutdown
Example: Configuring Preauthentication ACL
Switch# configure terminal
Switch(config)# wlan fff
Switch(config-wlan)# shutdown
Switch(config-wlan)# ip access-group web preauthrule
Switch(config-wlan)# no shutdown
Switch(config-wlan)# end
Switch# show wlan name fff
Example: Configuring IOS ACL Definition
Switch# configure terminal
Switch(config)# ip access-list extended 102
Switch(config-ext-nacl)# permit udp any eq 8080 any
Switch(config-ext-nacl)# end
Switch# show access-lists 102
Extended IP access list 102
    10 permit udp any eq 8080 any
Example: Configuring Webpassthrough
Switch# configure terminal
Switch(config)# parameter-map type webauth webparalocal
Switch(config-params-parameter-map)# type consent
Switch(config-params-parameter-map)# end
Switch# show running-config | section parameter-map type webauth test
parameter-map type webauth test
 type webauth
 redirect for-login http://9.1.0.100/login.html
 redirect portal ipv4 9.1.0.100
Additional References for Guest Access
Related Documents
Related Topic | Document Title
---|---
Mobility CLI commands | Mobility Command Reference, Cisco IOS XE 3SE (Cisco WLC 5700 Series)
Mobility configuration | Mobility Configuration Guide, Cisco IOS XE 3SE (Cisco WLC 5700 Series)
Security CLI commands | Security Command Reference, Cisco IOS Release 3SE (Cisco WLC 5700 Series)
Configuring web-based authentication on the Catalyst 5700 Series Wireless Controller | Security Configuration Guide, Cisco IOS Release 3SE (Cisco WLC 5700 Series)
Wired guest access configuration and commands | Identity Based Networking Services
Standards and RFCs
Standard/RFC | Title
---|---
None | -
MIBs
MIB | MIBs Link
---|---
None | To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL:
Technical Assistance
Description | Link
---|---
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feature History and Information for Guest Access
Releases | Feature Information
---|---
Cisco IOS XE Release 3.2SE | This feature was introduced.