Managing User Accounts

Configuring Guest User Accounts

Guest Accounts

The controller can provide guest user access on WLANs for which you must create guest user accounts. Guest user accounts can be created by network administrators, or, if you would like a non-administrator to be able to create guest user accounts on demand, you can do so through a lobby administrator account. The lobby ambassador has limited configurration privileges and has access only to the web pages used to manage the guest user accounts.

The lobby ambassador can specify the amount of time that the guest user accounts remain active. After the specified time elapses, the guest user accounts expire automatically.

This section contains the following subsections:

Restrictions on Managing User Accounts

  • The local user database is limited to a maximum of 2048 entries, which is also the default value. This database is shared by local management users (including lobby ambassadors), local network users (including guest users), MAC filter entries, exclusion list entries, and access point authorization list entries. Together they cannot exceed the configured maximum value.

  • For net user accounts or guest user accounts, the following special characters are allowed along with alphanumeric characters: ~, @, #, $, %, ^, &, (, ), !, _, -, `, ., [, ], =, +, *, :, ;, {, }, ,, /, and \.

Creating a Lobby Ambassador Account

Creating a Lobby Ambassador Account (GUI)

Procedure

Step 1

Choose Management > Local Management Users to open the Local Management Users page.

This page lists the names and access privileges of the local management users.

Note 
If you want to delete any of the user accounts from the controller, hover your cursor over the blue drop-down arrow and choose Remove. However, deleting the default administrative user prohibits both GUI and CLI access to the controller. Therefore, you must create a user with administrative privileges (ReadWrite) before you remove the default user.
Step 2

Click New to create a lobby ambassador account. The Local Management Users > New page appears.

Step 3

In the User Name text box, enter a username for the lobby ambassador account.

Note 
Management usernames must be unique because they are stored in a single database.
Step 4

In the Password and Confirm Password text boxes, enter a password for the lobby ambassador account.

Note 
Passwords are case sensitive. The settings for the management User Details parameters depends on the settings that you make in the Password Policy page. The following requirements are enforced on the password:

  • The password should contain characters from at least three of the following classes: lowercase letters, uppercase letters, digits, and special characters.

  • No character in the password can be repeated more than three times consecutively.

  • The password should not contain a management username or the reverse letters of a username.

  • The password should not contain words like Cisco, oscic, admin, nimda, or any variant obtained by changing the capitalization of letters by substituting 1, |, or ! or substituting 0 for o or substituting $ for s.

  • If you want to downgrade from Release 8.6 to Release 8.5 or an earlier release, ensure that you have a management user account password that is less than or equal to 24 characters to be compatible with the earlier releases. Else, during the downgrade and before you can reboot the controller, you will be prompted with the following message:

    "Warning!!! Please Configure Mgmt user compatible with older release"
Step 5

Choose LobbyAdmin from the User Access Mode drop-down list. This option enables the lobby ambassador to create guest user accounts.

Note 
The ReadOnly option creates an account with read-only privileges, and the ReadWrite option creates an administrative account with both read and write privileges.
Step 6

Click Apply to commit your changes. The new lobby ambassador account appears in the list of local management users.

Step 7

Click Save Configuration to save your changes.

Creating a Lobby Ambassador Account (CLI)

Procedure

  • To create a lobby ambassador account use the following command:

    config mgmtuser add lobbyadmin_username lobbyadmin_pwd lobby-admin


    Note
    Replacing lobby-admin with read-only creates an account with read-only privileges. Replacing lobby-admin with read-write creates an administrative account with both read and write privileges.

Creating Guest User Accounts as a Lobby Ambassador (GUI)

Procedure

Step 1

Log into the controller as the lobby ambassador, using the username and password. The Lobby Ambassador Guest Management > Guest Users List page appears.

Step 2

Click New to create a guest user account. The Lobby Ambassador Guest Management > Guest Users List > New page appears.

Step 3

In the User Name text box, enter a name for the guest user. You can enter up to 24 characters.
Step 4

Perform one of the following:

  • If you want to generate an automatic password for this guest user, select the Generate Password check box. The generated password is entered automatically in the Password and Confirm Password text boxes.

  • If you want to create a password for this guest user, leave the Generate Password check box unselected and enter a password in both the Password and Confirm Password text boxes.

    Note 
    Passwords can contain up to 24 characters (Release 8.5 and earlier releases) and 127 characters (Release 8.6 and later releases) and are case sensitive.
Step 5

From the Lifetime drop-down lists, choose the amount of time (in days, hours, minutes, and seconds) that this guest user account is to remain active. A value of zero (0) for all four text boxes creates a permanent account.

Default: 1 day

Range: 5 minutes to 30 days

Note 
The smaller of this value or the session timeout for the guest WLAN, which is the WLAN on which the guest account is created, takes precedence. For example, if a WLAN session timeout is due to expire in 30 minutes but the guest account lifetime has 10 minutes remaining, the account is deleted in 10 minutes upon guest account expiry. Similarly, if the WLAN session timeout expires before the guest account lifetime, the client experiences a recurring session timeout that requires reauthentication.
Note 
You can change a guest user account with a nonzero lifetime to another lifetime value at any time while the account is active. However, to make a guest user account permanent using the controller GUI, you must delete the account and create it again. If desired, you can use the config netuser lifetime user_name 0 command to make a guest user account permanent without deleting and recreating it.
Step 6

From the WLAN SSID drop-down list, choose the SSID that will be used by the guest user. The only WLANs that are listed are those WLANs for which Layer 3 web authentication has been configured.

Note 
We recommend that you create a specific guest WLAN to prevent any potential conflicts. If a guest account expires and it has a name conflict with an account on the RADIUS server and both are on the same WLAN, the users associated with both accounts are disassociated before the guest account is deleted.
Step 7

In the Description text box, enter a description of the guest user account. You can enter up to 32 characters.
Step 8

Click Apply to commit your changes. The new guest user account appears in the list of guest users on the Guest Users List page.

From this page, you can see all of the guest user accounts, their WLAN SSID, and their lifetime. You can also edit or remove a guest user account. When you remove a guest user account, all of the clients that are using the guest WLAN and are logged in using that account’s username are deleted.

Step 9

Repeat this procedure to create any additional guest user accounts.

Viewing Guest User Accounts

Viewing the Guest Accounts (GUI)

Procedure

Choose Security > AAA > Local Net Users. The Local Net Users page appears.

From this page, you can see all of the local net user accounts (including guest user accounts) and can edit or remove them as desired. When you remove a guest user account, all of the clients that are using the guest WLAN and are logged in using that account’s username are deleted.

Viewing the Guest Accounts (CLI)

Procedure

Command or Action Purpose

To see all of the local net user accounts (including guest user accounts) using the controller CLI, enter this command:

show netuser summary

Configuring Administrator Usernames and Passwords

Administrator Usernames and Passwords

You can configure administrator usernames and passwords to prevent unauthorized users from reconfiguring the controller and viewing configuration information. This section provides instructions for initial configuration and for password recovery.

Configuring Usernames and Passwords (GUI)

Procedure

Step 1

Choose Management > Local Management Users.

Step 2

Click New.

Step 3

Enter the username and password, and confirm the password.

Usernames and passwords are case-sensitive and can contain up to 24 ASCII characters. Usernames and passwords cannot contain spaces.

Step 4

Choose the User Access Mode as one of the following:

  • ReadOnly

  • ReadWrite

  • LobbyAdmin
Step 5

Click Apply.

Configuring Usernames and Passwords (CLI)

Procedure

Step 1

Configure a username and password by entering one of these commands:

  • config mgmtuser add username password read-write description —Creates a username-password pair with read-write privileges.

  • config mgmtuser add username password read-only description —Creates a username-password pair with read-only privileges.

    Usernames and passwords are case-sensitive and can contain up to 24 ASCII characters. Usernames and passwords cannot contain spaces.

    Note 
    If you ever need to change the password for an existing username, enter the config mgmtuser password username new_password command.

  • config mgmtuser add username password lobby-admin description —Creates a username-password pair with Lobby Administrator privileges.

Step 2

List the configured users by entering this command:

show mgmtuser

Restoring Passwords

Before you begin

Ensure that you are accessing the controller CLI through the console port.

Procedure

Step 1

After the controller boots up, enter Restore-Password at the User prompt.

Note 
For security reasons, the text that you enter does not appear on the controller console.
Step 2

At the Enter User Name prompt, enter a new username.
Step 3

At the Enter Password prompt, enter a new password.
Step 4

At the Re-enter Password prompt, reenter the new password. The controller validates and stores your entries in the database.
Step 5

When the User prompt reappears, enter your new username.
Step 6

When the Password prompt appears, enter your new password. The controller logs you in with your new username and password.

Changing the Default Values for SNMP v3 Users

Information About Changing the Default Values for SNMP v3 Users

The controller uses a default value of “default” for the username, authentication password, and privacy password for SNMP v3 users. Using these standard values presents a security risk. Therefore, Cisco strongly advises that you change these values.


Note

SNMP v3 is time sensitive. Ensure that you configure the correct time and time zone on your controller.

Changing the SNMP v3 User Default Values (GUI)

Procedure

Step 1

Choose Management > SNMP > SNMP V3 Users to open the SNMP V3 Users page.

Step 2

If “default” appears in the User Name column, hover your cursor over the blue drop-down arrow for the desired user and choose Remove to delete this SNMP v3 user.

Step 3

Click New to add a new SNMP v3 user. The SNMP V3 Users > New page appears.

Step 4

In the User Profile Name text box, enter a unique name. Do not enter “default.”
Step 5

Choose Read Only or Read Write from the Access Mode drop-down list to specify the access level for this user. The default value is Read Only.

Step 6

From the Authentication Protocol drop-down list, choose the desired authentication method: None, HMAC-MD5 (Hashed Message Authentication Coding-Message Digest 5), or HMAC-SHA (Hashed Message Authentication Coding-Secure Hashing Algorithm). The default value is HMAC-SHA.

Step 7

In the Auth Password and Confirm Auth Password text boxes, enter the shared secret key to be used for authentication. You must enter at least 12 characters that include both letters and numbers.

Step 8

From the Privacy Protocol drop-down list, choose the desired encryption method: None, CBC-DES (Cipher Block Chaining-Digital Encryption Standard), or CFB-AES-128 (Cipher Feedback Mode-Advanced Encryption Standard-128). The default value is CFB-AES-128.

Note 

In order to configure CBC-DES or CFB-AES-128 encryption, you must have selected either HMAC-MD5 or HMAC-SHA as the authentication protocol in Step 6.

Step 9

In the Priv Password and Confirm Priv Password text boxes, enter the shared secret key to be used for encryption. You must enter at least 12 characters that include both letters and numbers.

Step 10

Click Apply.

Step 11

Click Save Configuration.

Step 12

Reboot the controller so that the SNMP v3 user that you added takes effect.

Changing the SNMP v3 User Default Values (CLI)

Procedure

Step 1

See the current list of SNMP v3 users for this controller by entering this command:

show snmpv3user

Step 2

If “default” appears in the SNMP v3 User Name column, enter this command to delete this user:

config snmp v3user delete username

The username parameter is the SNMP v3 username (in this case, “default”).

Step 3

Create a new SNMP v3 user by entering this command:

config snmp v3user create username {ro | rw} {none | hmacmd5 | hmacsha} {none | des | aescfb128} auth_key encrypt_key

where

  • username is the SNMP v3 username.

  • ro is read-only mode and rw is read-write mode.

  • none , hmacmd5 , and hmacsha are the authentication protocol options.

  • none , des , and aescfb128 are the privacy protocol options.

  • auth_key is the authentication shared secret key.

  • encrypt_key is the encryption shared secret key.

    Do not enter “default” for the username , auth_key , and encrypt_key parameters.

Step 4

Enter the save config command.

Step 5

Reboot the controller so that the SNMP v3 user that you added takes effect by entering reset system command.

Generating a Certificate Signing Request using OpenSSL

Procedure

Step 1

Install and open the OpenSSL application.

Step 2

Enter the command: 

OpenSSL> req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem

Generating the CSR by the controller itself will use a 2048-bit key size and the mximum ECDSA key size is 256 bits.

Note 
You must provide the correct Common Name. Ensure that the host name that is used to create the certificate (Common Name) matches the Domain Name System (DNS) host name entry for the virtual interface IP on the controller. This name should exist in the DNS as well. Also, after you make the change to the VIP interface, you must reboot the system in order for this change to take effect.

After you issue the command, you are prompted to enter information such as country name, state, city, and so on.

Information similar to the following appears: 


OpenSSL> req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
................................................................++++++
...................................................++++++
writing new private key to 'mykey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:San Jose
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ABC
Organizational Unit Name (eg, section) []:CDE
Common Name (eg, YOUR name) []:XYZ.ABC
Email Address []:Test@abc.com


Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Test123
An optional company name []:
OpenSSL>

After you provide all the required details two files are generated:

  • A new private key that includes the name mykey.pem

  • A CSR that includes the name myreq.pem

Step 3

Copy and paste the Certificate Signing Request (CSR) information into any CA enrollment tool. After you submit the CSR to a third party CA, the third party CA digitally signs the certificate and sends back the signed certificate chain through e-mail. In case of chained certificates, you receive the entire chain of certificates from the CA. If you only have one intermediate certificate similar to the example above, you will receive the following three certificates from the CA:

  • Root certificate.pem

  • Intermediate certificate.pem

  • Device certificate.pem

Note 
Ensure that the certificate is Apache-compatible with SHA1 encryption.
Step 4

Once you have all the three certificates, copy and paste into another file the contents of each .pem file in this order: 


------BEGIN CERTIFICATE------
*Device cert*
------END CERTIFICATE------
------BEGIN CERTIFICATE------
*Intermediate CA cert *
------END CERTIFICATE--------
------BEGIN CERTIFICATE------
*Root CA cert *
------END CERTIFICATE------
Step 5

Save the file as All-certs.pem.

Step 6

Combine the All-certs.pem certificate with the private key that you generated along with the CSR (the private key of the device certificate, which is mykey.pem in this example), and save the file as final.pem.

Step 7

Create the All-certs.pem and final.pem files by entering these commands: 


openssl> pkcs12 -export -in All-certs.pem -inkey mykey.pem 
       -out All-certs.p12 -clcerts -passin pass:check123 
       -passout pass:check123
  
openssl> pkcs12 -in All-certs.p12 -out final.pem 
       -passin pass:check123 -passout pass:check123
final.pem is the file that we need to download to the controller.
Note 
You must enter a password for the parameters -passin and -passout . The password that is configured for the -passout parameter must match the certpassword parameter that is configured on the controller. In the above example, the password that is configured for both the -passin and -passout parameters is check123.

What to do next

Download the final.pem file to the controller either using CLI or GUI.

Downloading Third-Party Certificate (GUI)

Procedure

Step 1

Copy the device certificate final.pem to the default directory on your TFTP server.

Step 2

Choose Security > Web Auth > Certificate to open the Web Authentication Certificate page.

Step 3

Check the Download SSL Certificate check box to view the Download SSL Certificate From Server parameters.

Step 4

In the Server IP Address text box, enter the IP address of the TFTP server.

Step 5

In the File Path text box, enter the directory path of the certificate.

Step 6

In the File Name text box, enter the name of the certificate.

Step 7

In the Certificate Password text box, enter the password to protect the certificate.

Step 8

Click Apply.

Step 9

After the download is complete, choose Commands > Reboot and click Save and Reboot.

Step 10

Click OK in order to confirm your decision to reboot the controller.

Downloading Third-Party Certificate (CLI)

Procedure

Step 1

Move the final.pem file to the default directory on your TFTP server. Change the download settings by entering the following commands: 

 
(Cisco Controller) > transfer download mode tftp
(Cisco Controller) > transfer download datatype webauthcert
(Cisco Controller) > transfer download serverip <TFTP server IP address>
(Cisco Controller) > transfer download path <absolute TFTP server path to the update file>
(Cisco Controller) > transfer download filename final.pem
Step 2

Enter the password for the .pem file so that the operating system can decrypt the SSL key and certificate. 


(Cisco Controller) > transfer download certpassword password
Note 
Ensure that the value for certpassword is the same as the -passout parameter when you generate a CSR.
Step 3

Start the certificate and key download by entering the this command:

transfer download start

Example:


(Cisco Controller) > transfer download start
 
Mode............................................. TFTP
Data Type........................................ Site Cert
TFTP Server IP................................... 10.77.244.196
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................./
TFTP Filename.................................... final.pem
 
This may take some time.
Are you sure you want to start? (y/N) y
 
TFTP EAP Dev cert transfer starting.
 
Certificate installed.
Reboot the switch to use new certificate.
Step 4

Reboot the controller.